7 / component pack / Connections

HCL Component Pack 7 – Multiple Namespaces – Ingress Controller

Posted by

My goal is to run multiple HCL Connections Component Packs 7 (CP7) on 1 Kubernetes Cluster.
Taking a quick look on a working environment with one CP7 instance, you’ll notice the nginx ingress controller.
As soon as I would try to install CP7 into another namespace, this controller would request the same port number or refuse to install at all (I did not try it). I decided to replace this with a traefik ingress controller. At the moment I use version 2.6 with it’s nice dashboard.


Converting the ingress from nginx to traefik ingressroute is very easy. The only thing I had check was this annotation:
nginx.ingress.kubernetes.io/rewrite-target: /$1. This requires the stripPrefix middleware in traefik.

Traefik uses 3 ports (http, https and tcp traffic) globally. Customizer is mapped to https, appreg and orient-me are routed through http and ElasticSearch uses the tcp port.

Putting customizer on https required me to add the cert-manager.io to my k8s environment. As it is my lab environment I only use self sigend certs for interservice traffic.

Adding the tls section results in this ingressroute for the mw-proxy.

---
#kubectl -n connect6 get svc mw-proxy -o jsonpath={.spec.ports[0].nodePort}
#
apiVersion: traefik.containo.us/v1alpha1
kind: IngressRoute
metadata:
  name: mw-proxy-ingressroute
  namespace: connect6
spec:
  entryPoints:
    - websecure
  routes:
    - match: Host(`connect6.domain.local`)
      kind: Rule
      priority: 5
      services:
        - name: mw-proxy
          kind: Service
          namespace: connect6
          port: 80
          passHostHeader: true
          scheme: http
  tls:
    secretName: mw-proxy-secret

After that I switch the mw-proxy service from NodePort to ClusterIP.

Encrypting the traffic for orient-me would require to set the SSLProxyEngine on in the IHS config. And this will only work if the certificates are in the ihs trust/key store. I’ll skip this step for now.

The only thing that does not seem to work at the moment is the haproxy-redis traffic. I was not able to route that through traefik. That part still requires a seperate port.

After all this I use 3 global ports for traefik and 1 port for the redis traffic per namespace.