Configuring External Access for PCM using Ingress (Kubernetes)
You can configure external access using ingress for PCM deployments on Kubernetes clusters.
Prerequisites
Ensure the following prerequisites are met before configuring external access using ingress:
- Administrator access for the user configuring external access.
- An ingress controller installed in the Kubernetes cluster.
- PEM Community Manager deployed in a Kubernetes cluster.
Configurations for Kubernetes Ingress
Configure one of the following options:
- Enable and configure ingress on the applicable endpoints and set the service type to ClusterIP. Run the command:
kubectl patch service <service-name> -p '{"spec":{"type":"ClusterIP"}}' -n <namespace>
Note: This configuration method is recommended and is enabled by default.
- Enable and configure the frontend service by setting the service type to LoadBalancer or NodePort. For LoadBalancer, provision a load balancer instance from the cloud provider and assign it a public IP. For NodePort, access the application through the node IP and the node port configured by the service.
Note: Using NodePort is not recommended, especially for production environments.
Note: To test a PCM deployment in a non-production Kubernetes environment, expose the deployment by creating a NodePort service for each deployment using the command:
kubectl expose deployment <deployment-name> --port <application-port> --type NodePort -n <namespace>
Configuring External Access using Kubernetes Ingress
Update the following ingress.yaml parameters to set the required properties for your Kubernetes environment.
- ingress.enabled: Enables ingress when set to true. The default value is true.
- ingress.controller: Specifies the type of ingress controller installed on the Kubernetes cluster, for example nginx or haproxy.
- ingress.annotations: Specifies, if required, additional annotations for the specific ingress controller as key:value pairs.
- communitymanager.nonprod.hostname/communitymanager.prod.hostname: Fully qualified private or internal virtual domain names for the PCM servers that resolve to the IP address of the Kubernetes cluster's proxy node or router.
Note: Depending on your network settings, multiple virtual domain names might resolve to the same IP address of the proxy node or router. You can use any of these domain names, for example example.com, test.example.com or test.apps.k8.example.com.
Configuring TLS for Kubernetes Ingress (Production Environments)
For production environments, it is recommended to obtain a CA-certified TLS certificate and manually create a secret for each host.
To configure TLS, the parameter communitymanager.prod.ingress.tls.secretName in the ingress block of values.yaml must be set to the name of the host's secret.
To do this, follow the steps:
- Obtain a CA-certified TLS certificate for the host given in communitymanager.prod.hostname in the form of a key file (tls.key) and a certificate file (tls.crt).
- Create the secret using the key and certificate files from Step 1 by running the command:
kubectl create secret tls <Release-name>-pcm-ingress-secret --key <file containing key> --cert <file containing certificate> -n <namespace>
- In values.yaml, set the communitymanager.prod.ingress.tls.secretName parameter to the name of the secret created in Step 2.
- Apply the changes on your Kubernetes cluster by proceeding with the Helm installation.
Configuring TLS for Kubernetes Ingress (Non-Production Environments)
To configure TLS, the parameter communitymanager.nonprod.ingress.tls.secretName in the ingress block of values.yaml must be set to the name of the host's secret.
To do this, follow the steps:
- Obtain a CA-certified TLS certificate for the host given in communitymanager.nonprod.hostname in the form of a key file (tls.key) and a certificate file (tls.crt).
- Create the secret using the key and certificate files from Step 1 by running the command:
kubectl create secret tls <Release-name>-pcm-ingress-secret --key <file containing key> --cert <file containing certificate> -n <namespace>
- In values.yaml, set the communitymanager.nonprod.ingress.tls.secretName parameter to the name of the secret created in Step 2.
- Apply the changes on your Kubernetes cluster by proceeding with the Helm installation.
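The following shell script is an added example and is not part of the PCM documentation or the Helm chart. It ties together the ingress parameters listed above and the TLS secret steps for both the production and non-production hosts: it checks that the hostname is fully qualified, that the tls.key and tls.crt files are the right kind of PEM file (a swapped key and certificate is a common mistake that kubectl only reports after the secret is created), derives the <Release-name>-pcm-ingress-secret name the steps prescribe, writes a Helm values override, and creates the secret only after a client-side dry run. The function names, the override file layout and the nesting of the dotted keys into values.yaml are assumptions; the sample inputs in the comments are constructed.

```shell
#!/bin/sh
# Added example, not PCM project code. Assumes the chart nests the dotted keys
# from the documentation (ingress.enabled, communitymanager.prod.ingress.tls.secretName,
# ...) as plain YAML maps; adjust pcm_write_ingress_values if your chart differs.
# Usage (constructed sample values):
#   . ./pcm-ingress-preflight.sh
#   pcm_write_ingress_values myrel prod pcm.example.com nginx ./pcm-ingress-values.yaml
#   pcm_create_tls_secret myrel ./tls.key ./tls.crt pcm-ns

# Secret name exactly as the documented step builds it: <Release-name>-pcm-ingress-secret
pcm_secret_name() {
  printf '%s-pcm-ingress-secret\n' "$1"
}

# The ingress hostname must be a fully qualified domain name: two or more labels,
# no scheme, port or path. Returns 0 when the name is acceptable.
pcm_valid_fqdn() {
  printf '%s\n' "$1" | grep -Eqi '^([a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}$'
}

# Checks the two PEM files before they are handed to kubectl: both readable,
# tls.crt holds a CERTIFICATE block, tls.key holds a PRIVATE KEY block, and no
# private key has been pasted into the certificate file. Returns 0 when all hold.
pcm_check_tls_files() {
  key="$1"; crt="$2"
  [ -r "$key" ] && [ -r "$crt" ] || return 1
  grep -q -e '-----BEGIN CERTIFICATE-----' "$crt" || return 1
  grep -Eq -e '-----BEGIN (RSA |EC )?PRIVATE KEY-----' "$key" || return 1
  grep -q 'PRIVATE KEY' "$crt" && return 1
  return 0
}

# Optional deeper check when openssl is installed: the public key inside the
# certificate must equal the public key derived from the private key.
pcm_check_key_matches_cert() {
  key="$1"; crt="$2"
  command -v openssl >/dev/null 2>&1 || { echo "openssl not found, skipping key/cert match" >&2; return 0; }
  [ "$(openssl x509 -noout -pubkey -in "$crt")" = "$(openssl pkey -pubout -in "$key")" ]
}

# Writes a Helm values override for the ingress settings. env is "prod" or
# "nonprod"; the secretName follows the documented naming convention.
pcm_write_ingress_values() {
  release="$1"; env="$2"; host="$3"; controller="$4"; out="$5"
  case "$env" in
    prod|nonprod) ;;
    *) echo "env must be prod or nonprod, got: $env" >&2; return 1 ;;
  esac
  pcm_valid_fqdn "$host" || { echo "not a fully qualified hostname: $host" >&2; return 1; }
  [ -n "$controller" ] || { echo "ingress.controller must name the installed controller" >&2; return 1; }
  cat > "$out" <<EOF
ingress:
  enabled: true
  controller: $controller
  annotations: {}
communitymanager:
  $env:
    hostname: $host
    ingress:
      tls:
        secretName: $(pcm_secret_name "$release")
EOF
}

# Creates the TLS secret from the documented step, but only after the PEM checks
# pass and a client-side dry run confirms the arguments are well formed, so a
# wrong namespace or file path fails before anything is written to the cluster.
pcm_create_tls_secret() {
  release="$1"; key="$2"; crt="$3"; ns="$4"
  pcm_check_tls_files "$key" "$crt" || { echo "TLS files failed checks" >&2; return 1; }
  pcm_check_key_matches_cert "$key" "$crt" || { echo "private key does not match certificate" >&2; return 1; }
  name=$(pcm_secret_name "$release")
  kubectl create secret tls "$name" --key "$key" --cert "$crt" -n "$ns" --dry-run=client -o yaml >/dev/null || return 1
  kubectl create secret tls "$name" --key "$key" --cert "$crt" -n "$ns"
}
```

Source the script and run pcm_write_ingress_values once per environment you deploy (prod, nonprod), then pcm_create_tls_secret with the matching key and certificate; the generated override file is passed to the Helm installation with -f. The dry run uses kubectl's --dry-run=client flag, which validates the secret locally without contacting the API server.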