My goal is to run multiple HCL Connections Component Packs 7 (CP7) on 1 Kubernetes Cluster.
Taking a quick look at a working environment with one CP7 instance, you'll notice the nginx ingress controller.
As soon as I would try to install CP7 into another namespace, this controller would request the same port number or refuse to install at all (I did not try it). I decided to replace this with a traefik ingress controller. At the moment I use version 2.6 with its nice dashboard.
Converting the ingress from nginx to a traefik ingressroute is very easy. The only thing I had to check was this annotation:
nginx.ingress.kubernetes.io/rewrite-target: /$1. This requires the stripPrefix middleware in traefik.
Traefik uses 3 ports (http, https and tcp traffic) globally. Customizer is mapped to https, appreg and orient-me are routed through http and ElasticSearch uses the tcp port.
Putting customizer on https required me to add the cert-manager.io to my k8s environment. As it is my lab environment I only use self-signed certs for interservice traffic.
Adding the tls section results in this ingressroute for the mw-proxy.
---
#kubectl -n connect6 get svc mw-proxy -o jsonpath={.spec.ports[0].nodePort}
#
apiVersion: traefik.containo.us/v1alpha1
kind: IngressRoute
metadata:
  name: mw-proxy-ingressroute
  namespace: connect6
spec:
  entryPoints:
    - websecure
  routes:
    - match: Host(`connect6.domain.local`)
      kind: Rule
      priority: 5
      services:
        - name: mw-proxy
          kind: Service
          namespace: connect6
          port: 80
          passHostHeader: true
          scheme: http
  tls:
    secretName: mw-proxy-secret
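One way to have cert-manager produce the self-signed certificate that the tls section refers to, as an added example and not the manifest used in this post. The Issuer and Certificate names, the key type and the lifetimes are assumptions; the namespace, host name and secret name are the ones from the ingressroute.

```yaml
---
# Namespaced self-signed issuer; one per CP7 namespace.
# The name "selfsigned-issuer" is an assumption, not from the post.
apiVersion: cert-manager.io/v1
kind: Issuer
metadata:
  name: selfsigned-issuer
  namespace: connect6
spec:
  selfSigned: {}
---
# Certificate whose key pair is written to the secret
# that the IngressRoute references under tls.secretName.
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: mw-proxy-cert          # assumed name
  namespace: connect6
spec:
  secretName: mw-proxy-secret  # must match tls.secretName in the IngressRoute
  dnsNames:
    - connect6.domain.local    # must match the Host() rule
  issuerRef:
    name: selfsigned-issuer
    kind: Issuer
  privateKey:
    algorithm: ECDSA           # assumed key type
    size: 256
  duration: 2160h              # assumed lifetime: 90 days
  renewBefore: 360h            # assumed: renew 15 days before expiry
```

The secret has to live in the same namespace as the IngressRoute, so each additional CP7 namespace gets its own Issuer and Certificate. Nothing trusts a self-signed certificate by default, so any client that validates it needs the certificate imported into its trust store.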
After that I switch the mw-proxy service from NodePort to ClusterIP.
Encrypting the traffic for orient-me would require setting SSLProxyEngine on in the IHS config. And this will only work if the certificates are in the IHS trust/key store. I'll skip this step for now.
The only thing that does not seem to work at the moment is the haproxy-redis traffic. I was not able to route that through traefik. That part still requires a separate port.
After all this I use 3 global ports for traefik and 1 port for the redis traffic per namespace.