Ingress Configuration
This guide demonstrates how to configure Ingress. Ingress can be configured in numerous ways. Configurations for the most popular controllers are outlined below.
Kubernetes namespace
The following section(s) presume the Immuta Enterprise Helm chart was deployed into namespace `immuta` and that the current namespace is `immuta`.
The Immuta web service listens on the following ports:
Port | Protocol | Description | Optional |
---|---|---|---|
443 | TCP | HTTPS | False |
80 | TCP | HTTP (redirects to HTTPS) | True |
Ingress hostname
This is the fully qualified domain name (FQDN) as defined by RFC 3986 used to access the Immuta UI. If a FQDN has yet to be determined, set Secure's ingress hostname to `immuta.local`.
Ingress NGINX Controller
- Edit the `immuta-values.yaml` file to include the following Helm values.

  immuta-values.yaml

  ```yaml
  secure:
    ingress:
      hostname: <immuta-fqdn>
      ingressClassName: nginx
      annotations:
        nginx.ingress.kubernetes.io/force-ssl-redirect: 'true'
  ```

- Perform a Helm upgrade to apply the changes made to `immuta-values.yaml`.

  ```bash
  helm upgrade <release-name> oci://ocir.immuta.com/stable/immuta-enterprise --values immuta-values.yaml --version 2024.2.3
  ```
Additional resources
Refer to the Ingress-Nginx Controller documentation for further assistance.
GKE Ingress Controller
- Edit `immuta-values.yaml` to include the following Helm values.

  immuta-values.yaml

  ```yaml
  secure:
    ingress:
      hostname: <immuta-fqdn>
      annotations:
        # Determines which type of load balancer is provisioned
        #   gce-internal
        #   gce
        kubernetes.io/ingress.class: gce
        # Listen on both 80 and 443
        kubernetes.io/ingress.allow-http: 'true'
        # Redirect traffic from 80 to 443 (name of the FrontendConfig created below)
        networking.gke.io/v1beta1.FrontendConfig: immuta
  ```

- Create a file named `frontendconfig.yaml` with the following content.

  frontendconfig.yaml

  ```yaml
  apiVersion: networking.gke.io/v1beta1
  kind: FrontendConfig
  metadata:
    name: immuta
  spec:
    redirectToHttps:
      enabled: true
      # RESPONSE_CODE is a placeholder; replace it with the redirect
      # response to return, for example MOVED_PERMANENTLY_DEFAULT
      responseCodeName: RESPONSE_CODE
  ```

- Apply the `FrontendConfig` CRD.

  ```bash
  kubectl apply -f frontendconfig.yaml
  ```

- Perform a Helm upgrade to apply the changes made to `immuta-values.yaml`.

  ```bash
  helm upgrade <release-name> oci://ocir.immuta.com/stable/immuta-enterprise --values immuta-values.yaml --version 2024.2.3
  ```
Additional resources
Refer to the Google Cloud documentation for further assistance.
AWS Load Balancer Controller
- Edit `immuta-values.yaml` to include the following Helm values.

  immuta-values.yaml

  ```yaml
  secure:
    ingress:
      hostname: <immuta-fqdn>
      ingressClassName: alb
      annotations:
        # Determines which type of load balancer is provisioned
        #   internal
        #   internet-facing
        alb.ingress.kubernetes.io/scheme: internet-facing
        alb.ingress.kubernetes.io/target-type: ip
        # Listen on both 80 and 443
        alb.ingress.kubernetes.io/listen-ports: '[{"HTTP": 80}, {"HTTPS":443}]'
        # Redirect traffic from 80 to 443
        alb.ingress.kubernetes.io/ssl-redirect: '443'
  ```

- Perform a Helm upgrade to apply the changes made to `immuta-values.yaml`.

  ```bash
  helm upgrade <release-name> oci://ocir.immuta.com/stable/immuta-enterprise --values immuta-values.yaml --version 2024.2.3
  ```
Additional resources
Refer to the AWS Load Balancer Controller documentation for further assistance.
AKS Application Gateway Ingress Controller
- Edit `immuta-values.yaml` to include the following Helm values.

  immuta-values.yaml

  ```yaml
  secure:
    ingress:
      hostname: <immuta-fqdn>
      ingressClassName: webapprouting.kubernetes.azure.com
      # https://azure.github.io/application-gateway-kubernetes-ingress/annotations/
      annotations:
        appgw.ingress.kubernetes.io/ssl-redirect: 'true'
  ```

- Perform a Helm upgrade to apply the changes made to `immuta-values.yaml`.

  ```bash
  helm upgrade <release-name> oci://ocir.immuta.com/stable/immuta-enterprise --values immuta-values.yaml --version 2024.2.3
  ```
Additional resources
Refer to the Application Gateway Ingress Controller documentation for further assistance.
Traefik
- Edit `immuta-values.yaml` to include the following Helm values.

  immuta-values.yaml

  ```yaml
  secure:
    ingress:
      hostname: <immuta-fqdn>
      ingressClassName: traefik
      annotations:
        # Listen on ports 80 and 443
        traefik.ingress.kubernetes.io/router.entrypoints: web,websecure
        # Redirect HTTP to HTTPS
        # When referencing middleware you must prefix the name with its namespace
        #   <namespace>-<middleware-name>@kubernetescrd
        traefik.ingress.kubernetes.io/router.middlewares: immuta-https-redirectscheme@kubernetescrd
  ```

- Create a file named `middleware.yaml` with the following content.

  middleware.yaml

  ```yaml
  apiVersion: traefik.containo.us/v1alpha1
  kind: Middleware
  metadata:
    name: https-redirectscheme
  spec:
    redirectScheme:
      scheme: https
      permanent: true
  ```

- Apply the `Middleware` CRD.

  ```bash
  kubectl apply -f middleware.yaml
  ```

- Perform a Helm upgrade to apply the changes made to `immuta-values.yaml`.

  ```bash
  helm upgrade <release-name> oci://ocir.immuta.com/stable/immuta-enterprise --values immuta-values.yaml --version 2024.2.3
  ```
Additional resources
Refer to the Traefik documentation for further assistance.
OpenShift Ingress Operator
- Edit `immuta-values.yaml` to include the following Helm values. Because the Ingress resource will be managed by the OpenShift route you create and not the Immuta Enterprise Helm chart, `ingress` is set to `false` below.

  immuta-values.yaml

  ```yaml
  secure:
    ingress:
      enabled: false
  ```

- Get the service name for Secure.

  ```bash
  oc get service --selector "app.kubernetes.io/component=secure" --output template='{{ .metadata.name }}'
  ```

- Create a file named `route.yaml` with the following content. Update all placeholder values with your own values.

  route.yaml

  ```yaml
  apiVersion: route.openshift.io/v1
  kind: Route
  metadata:
    name: immuta
  spec:
    host: <immuta-fqdn>
    to:
      kind: Service
      name: immuta-secure
    port:
      targetPort: http
    tls:
      termination: edge
      insecureEdgeTerminationPolicy: Redirect
  ```

- Apply the `Route` CRD.

  ```bash
  oc apply -f route.yaml
  ```

- Perform a Helm upgrade to apply the changes made to `immuta-values.yaml`.

  ```bash
  helm upgrade <release-name> oci://ocir.immuta.com/stable/immuta-enterprise --values immuta-values.yaml --version 2024.2.3
  ```
Additional resources
Refer to the Red Hat OpenShift documentation for further assistance.
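
After the Helm upgrade, it is worth confirming that the HTTP-to-HTTPS redirect setting actually reached the deployed object. The following check is an added example, not part of the Immuta documentation or chart: it audits the JSON list output of `kubectl get ingress --output json` or `oc get route --output json` for the redirect annotations used in the NGINX, AWS and AKS sections and for the OpenShift Route policy. GKE and Traefik are not covered because their redirect lives in a companion resource (`FrontendConfig`, `Middleware`); the object names in the sample are constructed.

```python
import json

# Redirect annotations and their enabling values, from the controller sections above.
REDIRECT_ANNOTATIONS = {
    "nginx.ingress.kubernetes.io/force-ssl-redirect": "true",
    "alb.ingress.kubernetes.io/ssl-redirect": "443",
    "appgw.ingress.kubernetes.io/ssl-redirect": "true",
}

def redirect_enforced(obj):
    """True if this Ingress or Route sends plain-HTTP clients to HTTPS."""
    if obj.get("kind") == "Route":
        tls = obj.get("spec", {}).get("tls") or {}
        return tls.get("insecureEdgeTerminationPolicy") == "Redirect"
    annotations = obj.get("metadata", {}).get("annotations") or {}
    return any(annotations.get(k) == v for k, v in REDIRECT_ANNOTATIONS.items())

def audit(list_json):
    """Map 'Kind/name' to redirect status for each item of a `-o json` list."""
    items = json.loads(list_json).get("items", [])
    return {f"{o['kind']}/{o['metadata']['name']}": redirect_enforced(o) for o in items}

def _obj(kind, name, annotations=None, tls=None):
    """Build a minimal constructed Ingress/Route object for the sample below."""
    meta = {"name": name}
    if annotations is not None:
        meta["annotations"] = annotations
    return {"kind": kind, "metadata": meta, "spec": {"tls": tls} if tls else {}}

# Constructed sample input (names are illustrative, not taken from a real cluster).
SAMPLE = json.dumps({"kind": "List", "items": [
    _obj("Ingress", "immuta-nginx",
         {"nginx.ingress.kubernetes.io/force-ssl-redirect": "true"}),
    # Port 80 is opened but the ssl-redirect annotation was left out.
    _obj("Ingress", "immuta-alb",
         {"alb.ingress.kubernetes.io/listen-ports": '[{"HTTP": 80}, {"HTTPS":443}]'}),
    # No annotations reached the object at all.
    _obj("Ingress", "immuta-appgw"),
    _obj("Route", "immuta", tls={"termination": "edge",
                                 "insecureEdgeTerminationPolicy": "Redirect"}),
    # Edge route that still serves plain HTTP.
    _obj("Route", "immuta-legacy", tls={"termination": "edge",
                                        "insecureEdgeTerminationPolicy": "Allow"}),
]})

if __name__ == "__main__":
    for name, ok in audit(SAMPLE).items():
        print(f"{name}: {'redirect enforced' if ok else 'HTTP NOT redirected'}")
```

Any object reported as not redirected still accepts port 80 traffic without sending it to HTTPS and should be corrected in `immuta-values.yaml` or `route.yaml` before the hostname is published.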