Configuring Ingress Creation

You can create an Ingress resource to control web access to your deployed containers. This task does not apply if you are deploying on Red Hat OpenShift Container Platform or on Red Hat OpenShift on IBM Cloud (ROKS), where the Operator creates Routes instead.

Before you begin

This task assumes that you have a type of Ingress controller as part of your certified Kubernetes environment.

You can install the following examples of Ingress controllers on your certified Kubernetes environment.
AWS Load Balancer controller
Used on AWS EKS clusters. https://kubernetes-sigs.github.io/aws-load-balancer-controller/
NGINX Ingress controller
Can be installed on most certified Kubernetes environments. https://docs.nginx.com/nginx-ingress-controller/
Note: For the NGINX Ingress controller, you need to add the enable-underscores-in-headers configuration option. NGINX silently drops request headers that contain underscores unless this option is set. For more information, see NGINX configuration option enable-underscores-in-headers.

Optional: You can install a DNS controller in your certified Kubernetes environment to automatically sync your custom hostname to the DNS provided on your Kubernetes Cloud Platform.

You can install the following example of a DNS controller on your certified Kubernetes environment.
ExternalDNS
https://github.com/kubernetes-sigs/external-dns.

Optional: You can install an SSL certificate controller in your certified Kubernetes environment to automatically create, renew, and use custom SSL certificates that are assigned to your Ingress routes.

Cert-Manager
https://cert-manager.io/docs/.

About this task

You create an Ingress resource that works with your Ingress controller to manage external access to the services in your cluster. The Ingress resource provides a list of rules that the controller uses to route incoming requests. The steps provided demonstrate how to create Ingress resources for the following scenarios through Operator deployment:

  • Create a single endpoint resource for both Content Platform Engine and IBM Content Navigator.
  • Create a custom hostname to host your FNCM deployment.
  • Create NodePort type services.
  • Enable HTTPS on your Ingress controller with a custom SSL certificate.
  • Add custom annotations to your Ingress.
  • Add rules for your External Share IDP redirect URLs.

Procedure

  1. Enable automatic Ingress creation in your CR (Custom Resource)
    shared_configuration:
      sc_ingress_enable: true
  2. Set the Service Type that the Operator creates to NodePort.
    NodePort is the type of service that is required for the Ingress Object to route traffic to the pods.
    Note: The default service type is "ClusterIP". A NodePort service opens its port on every node in the cluster, so make sure that the node ports are not reachable from outside except through the Ingress controller (for example by security group or network policy).
    shared_configuration:
      sc_service_type: NodePort
  3. Set the hostname used for your Ingress Object.
    shared_configuration:
      sc_deployment_hostname_suffix: <custom-hostname>
  4. Determine the correct annotations needed for your Ingress controller.

    These annotations control the behavior of the Ingress that is created by the operator.

    Follow the specific documentation for your Kubernetes Cloud Platform for the required annotations.

    Annotations must be added to your deployment CR (Custom Resource) under the following section:

    shared_configuration:
      sc_ingress_annotations:
    See the following examples for the two Ingress controllers.
    AWS Load Balancer controller
    shared_configuration:
      sc_ingress_annotations:
        - alb.ingress.kubernetes.io/scheme: internet-facing
        - alb.ingress.kubernetes.io/target-type: ip
        - external-dns.alpha.kubernetes.io/hostname: <custom-hostname>
        - alb.ingress.kubernetes.io/listen-ports: '[{"HTTPS":443}, {"HTTP":80}]'
        - alb.ingress.kubernetes.io/certificate-arn: <aws-certificate-arn>
        - alb.ingress.kubernetes.io/actions.ssl-redirect: '{"Type": "redirect", "RedirectConfig":
            { "Protocol": "HTTPS", "Port": "443", "StatusCode": "HTTP_301"}}'
        - alb.ingress.kubernetes.io/ssl-redirect: "443"
        - alb.ingress.kubernetes.io/backend-protocol: HTTPS
        - kubernetes.io/ingress.class: alb
        - alb.ingress.kubernetes.io/target-group-attributes: stickiness.enabled=true,stickiness.lb_cookie.duration_seconds=300
        - alb.ingress.kubernetes.io/auth-session-timeout: "86400"
    Some important aspects of the Ingress Annotations:
    kubernetes.io/ingress.class: alb
    Controls the Ingress class that is used to create the Ingress Object. In this case ALB is used.
    alb.ingress.kubernetes.io/certificate-arn
    Used in an AWS EKS environment with a certificate that is issued or imported in AWS Certificate Manager (ACM). Provide the ARN of the certificate to have it automatically attached to the load balancer listener.
    alb.ingress.kubernetes.io/ssl-redirect and alb.ingress.kubernetes.io/actions.ssl-redirect
    Redirect plain HTTP requests on port 80 to HTTPS on port 443, so that no session cookie is ever sent in clear.
    external-dns.alpha.kubernetes.io/hostname
    Annotation needed for ExternalDNS to automatically control the DNS record entries.
    NGINX Ingress controller
    shared_configuration:
      sc_ingress_annotations:
          - nginx.ingress.kubernetes.io/affinity: cookie
          - cert-manager.io/cluster-issuer: letsencrypt
          - nginx.ingress.kubernetes.io/force-ssl-redirect: "true"
          - nginx.ingress.kubernetes.io/backend-protocol: "HTTPS"
          - nginx.ingress.kubernetes.io/secure-backends: "true"
          - nginx.ingress.kubernetes.io/session-cookie-name: route
          - nginx.ingress.kubernetes.io/session-cookie-hash: sha1
          - kubernetes.io/ingress.class: nginx
    Some important aspects of the Ingress Annotations:
    kubernetes.io/ingress.class: nginx
    Controls the Ingress class that is used to create the Ingress Object. In this case NGINX is used.
    cert-manager.io/cluster-issuer
    Used in an environment with cert-manager installed. Follow the specific documentation for the values needed for your Kubernetes Cloud Platform.
    nginx.ingress.kubernetes.io/backend-protocol: "HTTPS"
    Required because the FNCM services terminate TLS on port 9443; nginx.ingress.kubernetes.io/secure-backends is the older form of the same setting and is kept for compatibility with older controller versions.
  5. Optional: Add a TLS secret.
    If your TLS certificate is not supplied through annotations, you need to specify the name of a TLS secret (of type kubernetes.io/tls, containing the certificate and private key) that exists in the deployment namespace.
    shared_configuration:
      sc_ingress_tls_secret_name: ""
    
  6. Optional: If you have an open_id_connect_providers section configured in your CR, the Ingress is created with the OIDC redirect URLs, using the provider name.
    Add the following section to your CR:
    shared_configuration:
      open_id_connect_providers:
        - provider_name: <my-provider>
    Your Ingress is created with the following context paths:
          - backend:
              service:
                name: fncmdeploy-cpe-svc
                port:
                  number: 9443
            path: /oidcclient/redirect/<my-provider>CPE
            pathType: Prefix
          - backend:
              service:
                name: fncmdeploy-cmis-svc
                port:
                  number: 9443
            path: /oidcclient/redirect/<my-provider>CMIS
            pathType: Prefix
          - backend:
              service:
                name: fncmdeploy-graphql-svc
                port:
                  number: 9443
            path: /oidcclient/redirect/<my-provider>GRAPHQL
            pathType: Prefix
          - backend:
              service:
                name: fncmdeploy-navigator-svc
                port:
                  number: 9443
            path: /oidcclient/redirect/<my-provider>NAV
            pathType: Prefix
          - backend:
              service:
                name: fncmdeploy-es-svc
                port:
                  number: 9443
            path: /oidcclient/redirect/<my-provider>ES
            pathType: Prefix
  7. Apply your CR (Custom Resource) so that the Operator creates your Ingress Object.
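    The steps above combined into one shared_configuration fragment, as an added example that is not taken from the product documentation. It targets the NGINX Ingress controller with cert-manager; the hostname fncm.example.com, the issuer name letsencrypt and the provider name myidp are placeholders that you replace with your own values.

```yaml
shared_configuration:
  sc_ingress_enable: true                          # step 1: let the Operator create the Ingress
  sc_service_type: NodePort                        # step 2: service type the Ingress routes to
  sc_deployment_hostname_suffix: fncm.example.com  # step 3: placeholder hostname
  sc_ingress_annotations:                          # step 4: controller-specific behaviour
    - kubernetes.io/ingress.class: nginx
    - cert-manager.io/cluster-issuer: letsencrypt   # placeholder ClusterIssuer name
    - nginx.ingress.kubernetes.io/force-ssl-redirect: "true"
    - nginx.ingress.kubernetes.io/backend-protocol: "HTTPS"
    - nginx.ingress.kubernetes.io/affinity: cookie
    - nginx.ingress.kubernetes.io/session-cookie-name: route
  # step 5: left empty because cert-manager supplies the certificate through the
  # annotation above. If you bring your own certificate instead, remove the
  # cert-manager annotation and set this to a kubernetes.io/tls secret in the namespace.
  sc_ingress_tls_secret_name: ""
  open_id_connect_providers:                       # step 6: adds /oidcclient/redirect/myidp* paths
    - provider_name: myidp
```

    If you use your own certificate, create the secret before you apply the CR, for example with `kubectl create secret tls fncm-tls --cert=tls.crt --key=tls.key -n <namespace>`, and put fncm-tls in sc_ingress_tls_secret_name.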

Results

Verify your generated Ingress object.

  1. kubectl get ingress -n <namespace>
    NAME                      CLASS   HOSTS               ADDRESS               PORTS   AGE
    fncmdeploy-fncm-ingress   alb     <custom-hostname>   <generated-address>   80      22d
  2. List the context paths for each component from the fncmdeploy-fncm-access-info ConfigMap:
    kubectl get cm fncmdeploy-fncm-access-info -n <namespace> -o yaml
    apiVersion: v1
    data:
      cmis-access-info: |-
        Content Management Interoperability Services for FNCM: <custom-hostname>/openfncmis_wlp
    
      cpe-access-info: |-
        Content Platform Engine administration: <custom-hostname>/acce/
        Content Platform Engine health check: <custom-hostname>/P8CE/Health
        Content Platform Engine ping page: <custom-hostname>/FileNet/Engine
        FileNet Process Services ping page: <custom-hostname>/peengine/IOR/ping
        FileNet Process Services details page: <custom-hostname>/peengine/IOR/admin/help
        FileNet P8 Content Engine Web Service page: <custom-hostname>/wsi/FNCEWS40MTOM/
        FileNet Process Engine Web Service(PEWS) page: <custom-hostname>/pewsi/ProcessEngineWS-I
    
        Content Search Services health check: <custom-hostname>/P8CE/Health/CBRDashboard
    
      graphql-access-info: |- 
        Content Services GraphQL: <custom-hostname>/content-services-graphql/
    
      navigator-access-info: |-
        Business Automation Navigator for FNCM: <custom-hostname>/navigator/
    
      taskmanager-access-info: |-
        Task Manager: <custom-hostname>/taskManagerWeb/api/v1
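Beyond checking that the Ingress exists, a practitioner wants to confirm that the settings from the procedure actually landed on the generated object: an Ingress class, a TLS source, an HTTP-to-HTTPS redirect, HTTPS to the 9443 backends, and one /oidcclient/redirect path per component for the configured provider. The following script is an added example, not part of the FNCM Operator or its documentation. It audits the JSON that `kubectl get ingress fncmdeploy-fncm-ingress -n <namespace> -o json` prints; with no arguments it audits a constructed sample manifest. The service names and redirect-path suffixes follow this page; the hostname, secret name, certificate ARN and provider name myidp are assumptions.

```python
"""Audit an FNCM Ingress for the TLS, redirect and OIDC settings this page configures.

Added example, not part of the FNCM Operator or its documentation. Run it on the
JSON from `kubectl get ingress <name> -n <namespace> -o json`; with no arguments
it audits a constructed sample. Service names and /oidcclient/redirect paths
follow the page; host, secret, ARN and provider names are assumptions.
"""
import json
import sys

HOST = "fncm.example.com"                                   # assumed custom hostname
OIDC_SUFFIXES = ("CPE", "CMIS", "GRAPHQL", "NAV", "ES")     # suffixes from this page
SUFFIX_TO_SVC = {"CPE": "cpe", "CMIS": "cmis", "GRAPHQL": "graphql", "NAV": "navigator", "ES": "es"}
CERT_ANNOTATIONS = ("alb.ingress.kubernetes.io/certificate-arn", "cert-manager.io/cluster-issuer")
REDIRECT_ANNOTATIONS = ("nginx.ingress.kubernetes.io/force-ssl-redirect",
                        "alb.ingress.kubernetes.io/ssl-redirect")
BACKEND_ANNOTATIONS = ("nginx.ingress.kubernetes.io/backend-protocol",
                       "alb.ingress.kubernetes.io/backend-protocol")

NGINX_ANNOTATIONS = {
    "kubernetes.io/ingress.class": "nginx",
    "cert-manager.io/cluster-issuer": "letsencrypt",
    "nginx.ingress.kubernetes.io/force-ssl-redirect": "true",
    "nginx.ingress.kubernetes.io/backend-protocol": "HTTPS",
}
ALB_ANNOTATIONS = {
    "kubernetes.io/ingress.class": "alb",
    # placeholder ARN, not a real certificate
    "alb.ingress.kubernetes.io/certificate-arn": "arn:aws:acm:us-east-1:123456789012:certificate/example",
    "alb.ingress.kubernetes.io/ssl-redirect": "443",
    "alb.ingress.kubernetes.io/backend-protocol": "HTTPS",
}

def _path(path, svc):
    """One networking.k8s.io/v1 path entry pointing at fncmdeploy-<svc>-svc:9443."""
    return {"path": path, "pathType": "Prefix",
            "backend": {"service": {"name": f"fncmdeploy-{svc}-svc", "port": {"number": 9443}}}}

def make_ingress(annotations, provider, tls_secret="fncm-tls", suffixes=OIDC_SUFFIXES):
    """Constructed Ingress in the shape the Operator produces (sample data, not real output)."""
    paths = [_path("/acce", "cpe"), _path("/navigator", "navigator")]
    paths += [_path(f"/oidcclient/redirect/{provider}{s}", SUFFIX_TO_SVC[s]) for s in suffixes]
    return {
        "apiVersion": "networking.k8s.io/v1", "kind": "Ingress",
        "metadata": {"name": "fncmdeploy-fncm-ingress", "annotations": dict(annotations)},
        "spec": {
            "tls": [{"hosts": [HOST], "secretName": tls_secret}] if tls_secret else [],
            "rules": [{"host": HOST, "http": {"paths": paths}}],
        },
    }

def audit_ingress(ingress, provider=None):
    """Return a list of findings; an empty list means every check passed."""
    findings = []
    ann = ingress.get("metadata", {}).get("annotations") or {}
    spec = ingress.get("spec", {})
    # 1. Without a class no controller reconciles the object, so nothing is exposed.
    if not spec.get("ingressClassName") and not ann.get("kubernetes.io/ingress.class"):
        findings.append("no ingress class set")
    # 2. TLS must come from a spec.tls secret, an ACM certificate ARN, or a cert-manager issuer.
    if (not any(t.get("secretName") for t in spec.get("tls", []))
            and not any(ann.get(a) for a in CERT_ANNOTATIONS)):
        findings.append("no TLS certificate: set sc_ingress_tls_secret_name or a certificate annotation")
    # 3. Plain HTTP must be redirected, or a browser typing the bare hostname sends cookies in clear.
    if not any(str(ann.get(a, "")).lower() in ("true", "443") for a in REDIRECT_ANNOTATIONS):
        findings.append("HTTP is not redirected to HTTPS")
    # 4. The services listen on 9443 with TLS; the controller must speak HTTPS to them.
    if not any(str(ann.get(a, "")).upper() == "HTTPS" for a in BACKEND_ANNOTATIONS):
        findings.append("backend-protocol is not HTTPS")
    # 5. Every /oidcclient/redirect/<provider><SUFFIX> path must be routed, or that login breaks.
    if provider:
        present = {p.get("path") for r in spec.get("rules", [])
                   for p in r.get("http", {}).get("paths", [])}
        for s in OIDC_SUFFIXES:
            want = f"/oidcclient/redirect/{provider}{s}"
            if want not in present:
                findings.append(f"missing OIDC redirect path {want}")
    return findings

if __name__ == "__main__":
    if len(sys.argv) > 1:            # usage: audit.py ingress.json [provider-name]
        with open(sys.argv[1]) as fh:
            manifest = json.load(fh)
        provider = sys.argv[2] if len(sys.argv) > 2 else None
    else:
        manifest, provider = make_ingress(NGINX_ANNOTATIONS, "myidp"), "myidp"
    problems = audit_ingress(manifest, provider)
    print("\n".join(problems) or "ok")
    sys.exit(1 if problems else 0)
```

Pass the provider name as the second argument when your CR has an open_id_connect_providers section; the script exits non-zero on any finding, so it can sit in a post-deployment check.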