You can create an Ingress resource to control web access to your deployed containers.
This task does not apply if you are using Red Hat OpenShift Cloud Platform or ROKS for your
deployment.
Before you begin
This task assumes that an Ingress controller is already installed in your certified Kubernetes
environment.
Optional: You can install a DNS controller (for example, ExternalDNS) in your certified Kubernetes
environment to automatically sync your custom hostname to the DNS service provided by your Kubernetes
Cloud Platform.
Optional: You can install an SSL Certificate controller in your certified
Kubernetes environment to automatically create, renew, and use custom SSL certificates that are
assigned to your Ingress routes.
- Cert-Manager
- https://cert-manager.io/docs/.
About this task
You create an Ingress resource that works with your Ingress controller to manage external access
to the services in your cluster. The Ingress resource provides the list of rules that the controller
uses to route incoming requests. The steps provided demonstrate how to create Ingress resources
for the following scenarios through Operator deployment:
- Create a single endpoint resource for both Content Platform Engine and IBM Content
Navigator.
- Create a custom hostname to host your FNCM deployment.
- Create NodePort type services.
- Enable HTTPS on your Ingress controller with a custom SSL certificate.
- Add custom annotations to your Ingress.
- Add rules for your External Share IDP redirect URLs.
Procedure
- Enable automatic Ingress creation in your CR (Custom Resource):
shared_configuration:
  sc_ingress_enable: true
- Set the service type that the Operator creates to NodePort.
NodePort is the service type that the generated Ingress object requires to redirect traffic to
the deployed containers.
Note: The default service type is "ClusterIP".
shared_configuration:
  sc_service_type: NodePort
- Set the hostname used for your Ingress object:
shared_configuration:
  sc_deployment_hostname_suffix: <custom-hostname>
- Determine the correct annotations needed for your Ingress controller.
These annotations control the behavior of the Ingress that is created by the Operator.
Follow the specific documentation for your Kubernetes Cloud Platform for the required
annotations.
Annotations must be added to your deployment CR (Custom Resource) under the following section:
shared_configuration:
  sc_ingress_annotations:
See the following examples for the two Ingress controllers.
AWS Load Balancer controller
shared_configuration:
  sc_ingress_annotations:
    - alb.ingress.kubernetes.io/scheme: internet-facing
    - alb.ingress.kubernetes.io/target-type: ip
    - external-dns.alpha.kubernetes.io/hostname: <custom-hostname>
    - alb.ingress.kubernetes.io/listen-ports: '[{"HTTPS":443}, {"HTTP":80}]'
    - alb.ingress.kubernetes.io/certificate-arn: <aws-certificate-arn>
    - alb.ingress.kubernetes.io/actions.ssl-redirect: '{"Type": "redirect", "RedirectConfig": { "Protocol": "HTTPS", "Port": "443", "StatusCode": "HTTP_301"}}'
    - alb.ingress.kubernetes.io/ssl-redirect: "443"
    - alb.ingress.kubernetes.io/backend-protocol: HTTPS
    - kubernetes.io/ingress.class: alb
    - alb.ingress.kubernetes.io/target-group-attributes: stickiness.enabled=true,stickiness.lb_cookie.duration_seconds=300
    - alb.ingress.kubernetes.io/auth-session-timeout: "86400"
Some important aspects of the Ingress annotations:
- kubernetes.io/ingress.class: alb
- Controls the Ingress class that is used to create the Ingress object. In this case ALB is
used.
- alb.ingress.kubernetes.io/certificate-arn
- Used in an AWS EKS environment with a certificate issued or imported in AWS Certificate Manager
(ACM). Provide the ARN of the ACM certificate to have it automatically attached to the HTTPS
listener of the load balancer.
- alb.ingress.kubernetes.io/ssl-redirect and alb.ingress.kubernetes.io/actions.ssl-redirect
- Both redirect plain HTTP on port 80 to HTTPS on port 443. ssl-redirect is the simpler form
that current versions of the AWS Load Balancer Controller support; actions.ssl-redirect is the
older action-based form. Keeping the redirect ensures that no session cookie is ever sent over
plain HTTP.
- external-dns.alpha.kubernetes.io/hostname
- Annotation needed for ExternalDNS to automatically control the DNS record entries.
NGINX Ingress controller
shared_configuration:
  sc_ingress_annotations:
    - nginx.ingress.kubernetes.io/affinity: cookie
    - cert-manager.io/cluster-issuer: letsencrypt
    - nginx.ingress.kubernetes.io/force-ssl-redirect: "true"
    - nginx.ingress.kubernetes.io/backend-protocol: "HTTPS"
    - nginx.ingress.kubernetes.io/secure-backends: "true"
    - nginx.ingress.kubernetes.io/session-cookie-name: route
    - nginx.ingress.kubernetes.io/session-cookie-hash: sha1
    - kubernetes.io/ingress.class: nginx
Some important aspects of the Ingress annotations:
- kubernetes.io/ingress.class: nginx
- Controls the Ingress class that is used to create the Ingress object. In this case NGINX is
used.
- cert-manager.io/cluster-issuer
- Used in an environment with cert-manager installed. Follow the specific documentation for the
values needed for your Kubernetes Cloud Platform.
- nginx.ingress.kubernetes.io/backend-protocol: "HTTPS"
- Makes the controller connect to the FNCM services over TLS on port 9443 instead of
terminating TLS at the edge and forwarding plaintext. The secure-backends annotation is the
legacy spelling of the same setting for older ingress-nginx releases; current releases honor
backend-protocol.
- nginx.ingress.kubernetes.io/force-ssl-redirect: "true"
- Redirects every HTTP request to HTTPS, even when the request does not arrive on a TLS listener.
- Optional: Add a TLS secret.
If your TLS certificate is not supplied through annotations (for example,
cert-manager.io/cluster-issuer or alb.ingress.kubernetes.io/certificate-arn), specify the name
of a Kubernetes TLS secret (type kubernetes.io/tls) in the deployment namespace that holds the
certificate and private key. Without either, the generated Ingress has no TLS configuration and
exposes the endpoints over plain HTTP.
shared_configuration:
  sc_ingress_tls_secret_name: ""
- Optional: If you have an open_id_connect_providers section configured in your CR, the Ingress
is created with the OIDC redirect URLs for each provider, derived from the provider name. Add the
following section to your CR:
shared_configuration:
  open_id_connect_providers:
    - provider_name: <my-provider>
Your Ingress is created with the following context paths (one per component, each routed to
that component's service on port 9443):
- backend:
    service:
      name: fncmdeploy-cpe-svc
      port:
        number: 9443
  path: /oidcclient/redirect/<my-provider>CPE
  pathType: Prefix
- backend:
    service:
      name: fncmdeploy-cmis-svc
      port:
        number: 9443
  path: /oidcclient/redirect/<my-provider>CMIS
  pathType: Prefix
- backend:
    service:
      name: fncmdeploy-graphql-svc
      port:
        number: 9443
  path: /oidcclient/redirect/<my-provider>GRAPHQL
  pathType: Prefix
- backend:
    service:
      name: fncmdeploy-navigator-svc
      port:
        number: 9443
  path: /oidcclient/redirect/<my-provider>NAV
  pathType: Prefix
- backend:
    service:
      name: fncmdeploy-es-svc
      port:
        number: 9443
  path: /oidcclient/redirect/<my-provider>ES
  pathType: Prefix
- Apply your CR (Custom Resource) so that the Operator creates your Ingress object.
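The CR fields set in the steps above only produce a safe Ingress in combination: an enabled Ingress with NodePort services, a real hostname, a certificate source, an HTTP-to-HTTPS redirect and HTTPS to the backends. The following pre-apply lint is an added example and is not part of this page or of the FNCM Operator. It flattens sc_ingress_annotations (the CR stores them as a list of single-key maps) and reports combinations that would yield an HTTP-only or mis-routed Ingress for either controller shown above. The CR fragment is constructed from the steps; the hostname fncm.example.com, the CLASS_RULES table and the function names are assumptions.

```python
"""Pre-apply lint for the Ingress-related fields of the FNCM CR shared_configuration.

Added example, not IBM's or the Operator's code. Field and annotation names are
the ones shown in the procedure; the rule table and hostname are assumptions.
"""

# Constructed CR fragment assembled from the procedure steps (NGINX variant).
SHARED_CONFIGURATION = {
    "sc_ingress_enable": True,
    "sc_service_type": "NodePort",
    "sc_deployment_hostname_suffix": "fncm.example.com",  # assumed hostname
    "sc_ingress_tls_secret_name": "",
    "sc_ingress_annotations": [
        {"kubernetes.io/ingress.class": "nginx"},
        {"cert-manager.io/cluster-issuer": "letsencrypt"},
        {"nginx.ingress.kubernetes.io/force-ssl-redirect": "true"},
        {"nginx.ingress.kubernetes.io/backend-protocol": "HTTPS"},
        {"nginx.ingress.kubernetes.io/affinity": "cookie"},
    ],
}

# Per ingress class (assumed table): the annotation that supplies a certificate,
# the one that forces HTTP -> HTTPS, and the one that makes the controller use TLS to pods.
CLASS_RULES = {
    "nginx": {
        "cert": "cert-manager.io/cluster-issuer",
        "redirect": "nginx.ingress.kubernetes.io/force-ssl-redirect",
        "backend": "nginx.ingress.kubernetes.io/backend-protocol",
    },
    "alb": {
        "cert": "alb.ingress.kubernetes.io/certificate-arn",
        "redirect": "alb.ingress.kubernetes.io/ssl-redirect",
        "backend": "alb.ingress.kubernetes.io/backend-protocol",
    },
}


def flatten_annotations(items):
    """Merge the CR's list of single-key maps into one dict; duplicates are an error."""
    merged = {}
    for item in items or []:
        for key, value in item.items():
            if key in merged:
                raise ValueError(f"duplicate annotation {key}")
            merged[key] = str(value)
    return merged


def lint_shared_configuration(sc):
    """Return a list of findings; an empty list means the fragment is consistent."""
    findings = []
    if sc.get("sc_ingress_enable") is not True:
        findings.append("sc_ingress_enable is not true: no Ingress will be created")
    if sc.get("sc_service_type") != "NodePort":
        findings.append("sc_service_type must be NodePort for the generated Ingress")
    host = sc.get("sc_deployment_hostname_suffix", "")
    if not host or host.startswith("<"):
        findings.append("sc_deployment_hostname_suffix is unset or still a placeholder")
    ann = flatten_annotations(sc.get("sc_ingress_annotations"))
    rules = CLASS_RULES.get(ann.get("kubernetes.io/ingress.class"))
    if rules is None:
        findings.append("kubernetes.io/ingress.class is missing or not one of the known classes")
        return findings
    # A certificate can come from the class-specific annotation or from a TLS secret.
    has_cert = bool(ann.get(rules["cert"])) or bool(sc.get("sc_ingress_tls_secret_name"))
    if not has_cert:
        findings.append(
            f"no TLS certificate: neither {rules['cert']} nor sc_ingress_tls_secret_name "
            "is set; the Ingress would serve plain HTTP"
        )
    if not ann.get(rules["redirect"]):
        findings.append(f"{rules['redirect']} not set: HTTP requests are not redirected to HTTPS")
    if ann.get(rules["backend"], "").upper() != "HTTPS":
        findings.append(
            f"{rules['backend']} is not HTTPS: the controller would send plaintext to the 9443 services"
        )
    return findings


if __name__ == "__main__":
    for finding in lint_shared_configuration(SHARED_CONFIGURATION) or ["ok"]:
        print(finding)
```

Run it against the shared_configuration section of your CR before `kubectl apply`; a class that is not in CLASS_RULES stops the check early, so extend the table when you use another controller.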
Results
Verify your generated Ingress object:
kubectl get ingress -n <namespace>
NAME                      CLASS   HOSTS               ADDRESS               PORTS   AGE
fncmdeploy-fncm-ingress   alb     <custom-hostname>   <generated-address>   80      22d
When a TLS secret is configured on the Ingress, the PORTS column shows 80, 443; a value of 80
alone means the object has no TLS section.
- See the context paths to your specific product by using the fncmdeploy-fncm-access-info
configmap:
kubectl get cm fncmdeploy-fncm-access-info -n <namespace> -o yaml
apiVersion: v1
data:
  cmis-access-info: |-
    Content Management Interoperability Services for FNCM: <custom-hostname>/openfncmis_wlp
  cpe-access-info: |-
    Content Platform Engine administration: <custom-hostname>/acce/
    Content Platform Engine health check: <custom-hostname>/P8CE/Health
    Content Platform Engine ping page: <custom-hostname>/FileNet/Engine
    FileNet Process Services ping page: <custom-hostname>/peengine/IOR/ping
    FileNet Process Services details page: <custom-hostname>/peengine/IOR/admin/help
    FileNet P8 Content Engine Web Service page: <custom-hostname>/wsi/FNCEWS40MTOM/
    FileNet Process Engine Web Service(PEWS) page: <custom-hostname>/pewsi/ProcessEngineWS-I
    Content Search Services health check: <custom-hostname>/P8CE/Health/CBRDashboard
  graphql-access-info: |-
    Content Services GraphQL: <custom-hostname>/content-services-graphql/
  navigator-access-info: |-
    Business Automation Navigator for FNCM: <custom-hostname>/navigator/
  taskmanager-access-info: |-
    Task Manager: <custom-hostname>/taskManagerWeb/api/v1
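The five OIDC redirect paths listed in the open_id_connect_providers step are easy to check by eye for one provider but not for several, and a path that routes to the wrong service or port silently breaks the login flow. The script below is an added example, not IBM's code: it parses the JSON that `kubectl get ingress fncmdeploy-fncm-ingress -n <namespace> -o json` returns and checks that every provider has all five /oidcclient/redirect/<provider><component> paths, that each routes to the service and port 9443 shown above, and that the host is covered by spec.tls. The service names and port come from this page; the sample manifest, the hostname fncm.example.com, the provider name myidp and the require_tls flag are constructed assumptions.

```python
"""Post-apply check of the Operator-generated Ingress for OIDC redirect routing.

Added example, not IBM's code. Reads the JSON of `kubectl get ingress ... -o json`;
the embedded manifest is constructed from the paths listed on the page.
"""
import json
import sys

# Component suffix appended to the provider name -> backend service named on the page.
REDIRECT_TARGETS = {
    "CPE": "fncmdeploy-cpe-svc",
    "CMIS": "fncmdeploy-cmis-svc",
    "GRAPHQL": "fncmdeploy-graphql-svc",
    "NAV": "fncmdeploy-navigator-svc",
    "ES": "fncmdeploy-es-svc",
}


def _path_entry(provider, suffix, port=9443):
    """Build one path rule in the shape the page shows (used only for the sample)."""
    return {
        "path": f"/oidcclient/redirect/{provider}{suffix}",
        "pathType": "Prefix",
        "backend": {"service": {"name": REDIRECT_TARGETS[suffix], "port": {"number": port}}},
    }


# Constructed sample: a correctly generated Ingress for the assumed provider "myidp".
SAMPLE_INGRESS = json.dumps({
    "apiVersion": "networking.k8s.io/v1",
    "kind": "Ingress",
    "metadata": {"name": "fncmdeploy-fncm-ingress"},
    "spec": {
        "ingressClassName": "nginx",
        "tls": [{"hosts": ["fncm.example.com"], "secretName": "fncm-tls"}],
        "rules": [{
            "host": "fncm.example.com",
            "http": {"paths": [_path_entry("myidp", s) for s in REDIRECT_TARGETS]},
        }],
    },
})


def check_redirect_paths(ingress_json, host, providers, port=9443, require_tls=True):
    """Return a list of problems; empty means every redirect URL is routed as expected.

    require_tls=False is for setups where the certificate is attached by an
    annotation (ALB certificate-arn) and no spec.tls block is expected.
    """
    spec = json.loads(ingress_json).get("spec", {})
    problems = []
    tls_hosts = {h for entry in spec.get("tls", []) for h in entry.get("hosts", [])}
    if require_tls and host not in tls_hosts:
        problems.append(f"host {host} is not covered by spec.tls; redirects would arrive over HTTP")
    # Index the path rules that belong to the expected host only.
    paths = {}
    for rule in spec.get("rules", []):
        if rule.get("host") != host:
            continue
        for entry in rule.get("http", {}).get("paths", []):
            paths[entry["path"]] = entry
    for provider in providers:
        for suffix, svc in REDIRECT_TARGETS.items():
            path = f"/oidcclient/redirect/{provider}{suffix}"
            entry = paths.get(path)
            if entry is None:
                problems.append(f"missing path {path}")
                continue
            backend = entry.get("backend", {}).get("service", {})
            if backend.get("name") != svc or backend.get("port", {}).get("number") != port:
                problems.append(f"{path} routes to {backend}, expected {svc}:{port}")
            if entry.get("pathType") != "Prefix":
                problems.append(f"{path} pathType should be Prefix")
    return problems


if __name__ == "__main__":
    # Usage: kubectl get ingress fncmdeploy-fncm-ingress -n <ns> -o json | python check.py <host> <provider>...
    manifest = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_INGRESS
    host_arg = sys.argv[1] if len(sys.argv) > 1 else "fncm.example.com"
    provider_args = sys.argv[2:] or ["myidp"]
    for problem in check_redirect_paths(manifest, host_arg, provider_args) or ["ok"]:
        print(problem)
```

Pipe the live object in and pass the hostname from sc_deployment_hostname_suffix and every provider_name from the CR; rerun it after any change to open_id_connect_providers, since the redirect URIs registered at the IdP must match these paths exactly.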