HCL Component Pack 7 – Multiple Namespaces – Ingress Controller


My goal is to run multiple HCL Connections Component Packs 7 (CP7) on one Kubernetes cluster.
Taking a quick look at a working environment with one CP7 instance, you'll notice the nginx ingress controller.
As soon as I tried to install CP7 into another namespace, this controller would request the same port number or refuse to install at all (I did not try it). I decided to replace it with a traefik ingress controller. At the moment I use version 2.6 with its nice dashboard.

Converting the ingress from nginx to a traefik ingressroute is very easy. The only thing I had to check was this annotation:
nginx.ingress.kubernetes.io/rewrite-target: /$1
This requires the stripPrefix middleware in traefik.

Traefik uses 3 ports (http, https and tcp traffic) globally. Customizer is mapped to https, appreg and orient-me are routed through http and ElasticSearch uses the tcp port.

Putting customizer on https required me to add cert-manager (cert-manager.io) to my k8s environment. As it is my lab environment, I only use self-signed certs for interservice traffic.

Adding the tls section results in this ingressroute for the mw-proxy.

# kubectl -n connect6 get svc mw-proxy -o jsonpath={.spec.ports[0].nodePort}
apiVersion: traefik.containo.us/v1alpha1
kind: IngressRoute
metadata:
  name: mw-proxy-ingressroute
  namespace: connect6
spec:
  entryPoints:
    - websecure                 # the global https port of traefik
  routes:
    - match: Host(`connect6.domain.local`)
      kind: Rule
      priority: 5
      services:
        - name: mw-proxy
          kind: Service
          namespace: connect6
          port: 80
          passHostHeader: true
          scheme: http          # traefik terminates TLS, backend is plain http
  tls:
    secretName: mw-proxy-secret

After that I switch the mw-proxy service from NodePort to ClusterIP.
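
The tls section of the ingressroute above expects a secret named mw-proxy-secret in the connect6 namespace. One way to let cert-manager create it with a self-signed issuer is shown here as an added example, not taken from the original post; the issuer name selfsigned-issuer, the certificate name mw-proxy-cert and the key settings are assumptions.

```yaml
# Added example: self-signed issuer and certificate for the mw-proxy route.
# Names marked "assumed" do not come from the original post.
apiVersion: cert-manager.io/v1
kind: Issuer                     # namespaced, so each CP7 namespace gets its own
metadata:
  name: selfsigned-issuer        # assumed name
  namespace: connect6
spec:
  selfSigned: {}
---
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: mw-proxy-cert            # assumed name
  namespace: connect6
spec:
  secretName: mw-proxy-secret    # secret referenced by the IngressRoute tls section
  dnsNames:
    - connect6.domain.local      # host matched by the IngressRoute rule
  privateKey:
    algorithm: ECDSA             # assumed key type
    size: 256
  usages:
    - digital signature
    - server auth
  issuerRef:
    name: selfsigned-issuer
    kind: Issuer
```

Traefik reads the TLS secret from the namespace of the IngressRoute, so a second CP7 instance needs its own Certificate in its own namespace. Clients that validate the certificate have to trust it explicitly, because a self-signed certificate chains to no CA.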

Encrypting the traffic for orient-me would require setting SSLProxyEngine on in the IHS config. This will only work if the certificates are in the IHS trust/key store. I'll skip this step for now.

The only thing that does not seem to work at the moment is the haproxy-redis traffic. I was not able to route that through traefik. That part still requires a separate port.

After all this I use 3 global ports for traefik and 1 port for the redis traffic per namespace.