Skip to content

Ingress Configuration

This guide demonstrates how to configure Ingress. Ingress can be configured in numerous ways. Configurations for the most popular controllers are outlined below.

Kubernetes namespace

The following section(s) presume the Immuta Enterprise Helm chart was deployed into namespace immuta and that the current namespace is immuta.

The Immuta web service listens on the following ports:

Port Protocol Description Optional
443 TCP HTTPS False
80 TCP HTTP (redirects to HTTPS) True
Ingress hostname

This is the fully qualified domain name (FQDN) as defined by RFC 3986 used to access the Immuta UI. If a FQDN has yet to be determined set Secure's ingress hostname to immuta.local.

Ingress NGINX Controller

  1. Edit the immuta-values.yaml file to include the following Helm values.

    immuta-values.yaml
    secure:
      ingress:
        hostname: <immuta-fqdn>
        ingressClassName: nginx
        annotations:
          nginx.ingress.kubernetes.io/force-ssl-redirect: 'true'
    
  2. Perform a Helm upgrade to apply the changes made to immuta-values.yaml.

    helm upgrade <release-name> oci://ocir.immuta.com/stable/immuta-enterprise --values immuta-values.yaml --version 2024.2.3
    

Additional resources

Refer to the Ingress-Nginx Controller documentation for further assistance.

GKE Ingress Controller

  1. Edit immuta-values.yaml to include the following Helm values.

    immuta-values.yaml
    secure:
      ingress:
        hostname: <immuta-fqdn>
        annotations:
          # Determines which type of load balancer is provisioned
          #   gce-internal
          #   gce
          kubernetes.io/ingress.class: gce
          # Listen on both 80 and 443
          kubernetes.io/ingress.allow-http: 'true'
          # Redirect traffic from 80 to 443
          cloud.google.com/frontend-config: immuta
    
  2. Create a file named frontendconfig.yaml with the following content.

    frontendconfig.yaml
    apiVersion: networking.gke.io/v1beta1
    kind: FrontendConfig
    metadata:
      name: immuta
    spec:
      redirectToHttps:
        enabled: true
        responseCodeName: RESPONSE_CODE
    
  3. Apply the FrontendConfig CRD.

    kubectl apply -f frontendconfig.yaml
    
  4. Perform a Helm upgrade to apply the changes made to immuta-values.yaml.

    helm upgrade <release-name> oci://ocir.immuta.com/stable/immuta-enterprise --values immuta-values.yaml --version 2024.2.3
    

Additional resources

Refer to the Google Cloud documentation for further assistance.

AWS Load Balancer Controller

  1. Edit immuta-values.yaml to include the following Helm values.

    immuta-values.yaml
    secure:
      ingress:
        hostname: <immuta-fqdn>
        ingressClassName: alb
        annotations:
          # Determines which type of load balancer is provisioned
          #   internal
          #   internet-facing
          alb.ingress.kubernetes.io/scheme: internet-facing
          alb.ingress.kubernetes.io/target-type: ip
          # Listen on both 80 and 443
          alb.ingress.kubernetes.io/listen-ports: '[{"HTTP": 80}, {"HTTPS":443}]'
          # Redirect traffic from 80 to 443
          alb.ingress.kubernetes.io/ssl-redirect: '443'
    
  2. Perform a Helm upgrade to apply the changes made to immuta-values.yaml.

    helm upgrade <release-name> oci://ocir.immuta.com/stable/immuta-enterprise --values immuta-values.yaml --version 2024.2.3
    

Additional resources

Refer to the AWS Load Balancer Controller documentation for further assistance.

AKS Application Gateway Ingress Controller

  1. Edit immuta-values.yaml to include the following Helm values.

    immuta-values.yaml
    secure:
      ingress:
        hostname: <immuta-fqdn>
        ingressClassName: webapprouting.kubernetes.azure.com
        # https://azure.github.io/application-gateway-kubernetes-ingress/annotations/
        annotation:
          appgw.ingress.kubernetes.io/ssl-redirect: 'true'
    
  2. Perform a Helm upgrade to apply the changes made to immuta-values.yaml.

    helm upgrade <release-name> oci://ocir.immuta.com/stable/immuta-enterprise --values immuta-values.yaml --version 2024.2.3
    

Additional resources

Refer to the Application Gateway Ingress Controller documentation for further assistance.

Traefik

  1. Edit immuta-values.yaml to include the following Helm values.

    immuta-values.yaml
    secure:
      ingress:
        hostname: <immuta-fqdn>
        ingressClassName: traefik
        annotations:
          # Listen on ports 80 and 443
          traefik.ingress.kubernetes.io/router.entrypoints: web,websecure
          # Redirect HTTP to HTTPS
          # When referencing middleware you must prefix the name with its namespace
          # <namespace>-<middleware-name>@kubernetescrd
          traefik.ingress.kubernetes.io/router.middlewares: immuta-https-redirectscheme@kubernetescrd
    
  2. Create a file named middleware.yaml with the following content.

    middleware.yaml
    apiVersion: traefik.containo.us/v1alpha1
    kind: Middleware
    metadata:
      name: https-redirectscheme
    spec:
      redirectScheme:
        scheme: https
        permanent: true
    
  3. Apply the Middleware CRD.

    kubectl apply -f middleware.yaml
    
  4. Perform a Helm upgrade to apply the changes made to immuta-values.yaml.

    helm upgrade <release-name> oci://ocir.immuta.com/stable/immuta-enterprise --values immuta-values.yaml --version 2024.2.3
    

Additional resources

Refer to the Traefik documentation for further assistance.

OpenShift Ingress Operator

  1. Edit immuta-values.yaml to include the following Helm values. Because the Ingress resource will be managed by the OpenShift route you create and not the Immuta Enterprise Helm chart, ingress is set to false below.

    immuta-values.yaml
    secure:
      ingress:
        enabled: false
    
  2. Get the service name for Secure.

    oc get service --selector "app.kubernetes.io/component=secure" --output template='{{ .metadata.name }}'
    
  3. Create a file named route.yaml with the following content. Update all placeholder values with your own values.

    route.yaml
    apiVersion: route.openshift.io/v1
    kind: Route
    metadata:
      name: immuta
    spec:
      host: <immuta-fqdn>
      to:
        kind: Service
        name: immuta-secure
      port:
        targetPort: http
      tls:
        termination: edge
        insecureEdgeTerminationPolicy: Redirect
    
  4. Apply the Route CRD.

    oc apply -f route.yaml
    
  5. Perform a Helm upgrade to apply the changes made to immuta-values.yaml.

    helm upgrade <release-name> oci://ocir.immuta.com/stable/immuta-enterprise --values immuta-values.yaml --version 2024.2.3
    

Additional resources

Refer to the Red Hat OpenShift documentation for further assistance.