Privacy Dynamics Self-hosted
Create ingresses
Overview
The following steps make the installed privacy software available via the public app endpoint. Privacy Dynamics has made the installation process easier by consolidating the files needed into a GitHub repository. The steps below download the files directly.
- Install NGINX Ingress Controller
- Install cert-manager
- Create ingresses
Tip
Helm is used to install the tools needed for ingress to the cluster, so it must be installed. You can follow the Helm installation instructions.
Install Ingress Nginx
The NGINX Ingress Controller can be installed automatically onto the cluster using the KOTS Admin Console by selecting "Install ingress controller" under "Auxiliary Software" (see Install Privacy Dynamics). Alternatively, you can install the Helm chart directly to take advantage of all configuration options. For more information, see the official NGINX Ingress Controller installation guide.
Tip
In order for the NGINX Ingress Controller to properly create a load balancer on AWS, the AWS Load Balancer Controller must be installed (see Provision Kubernetes cluster).
Install cert-manager
cert-manager is an optional component for certificate management within the cluster. It can be installed directly onto the cluster using the KOTS Admin Console by selecting "Install certificate manager" under "Auxiliary Software" (see Install Privacy Dynamics). Alternatively, you can install the Helm chart directly to take advantage of all configuration options. See the official cert-manager website for installation instructions.
Create ClusterIssuer resource
ClusterIssuers are Kubernetes resources that represent certificate authorities (CAs) that are able to generate signed certificates. The ClusterIssuer makes it possible for the Privacy Dynamics web UI to use HTTPS. It can be created from the KOTS Admin Console by selecting "Configure CertIssuer" under "Certificate Manager Settings." If the default ClusterIssuer (using Let's Encrypt and a DNS01 challenge) does not meet your needs, you can configure an alternative ClusterIssuer or Issuer by following the steps in the official cert-manager documentation.
Tip
For AWS clusters, you will need to create a service account that is authorized to manage DNS records in order to complete the ClusterIssuer's DNS01 challenge. See detailed steps on how to set up the service account here.
Create service ingresses
If you are using the bundled versions of the NGINX Ingress Controller and Cert Manager, along with our recommended CertIssuer, ingresses can be created automatically by selecting "Automatically Create Ingresses" under "Certificate Manager Settings." Otherwise, follow the steps below to create ingresses.
Create API ingress
If you've installed the ExternalDNS controller, the ingress creation step will create a DNS A record for api within the pvcy.customer.com zone added earlier. If you prefer to create the records manually, the external address for the load balancer is displayed in the final verification step.
$ curl https://raw.githubusercontent.com/pvcy/enterprise-install/main/aws/api-ingress.yaml -o api-ingress.yaml
Modify pvcy.customer.com in api-ingress.yaml to the customer subdomain.
$ kubectl apply -f api-ingress.yaml
Create application ingress
This will create an ingress for the Privacy Dynamics web UI. The service is called analyzer-app-service-ingress.
If you've installed the ExternalDNS controller, the ingress creation step will create a DNS A record for app within the pvcy.customer.com zone added earlier. If you prefer to create the records manually, the external address for the load balancer is displayed in the final verification step.
$ curl https://raw.githubusercontent.com/pvcy/enterprise-install/main/aws/app-ingress.yaml -o app-ingress.yaml
Modify pvcy.customer.com in app-ingress.yaml to the customer subdomain.
$ kubectl apply -f app-ingress.yaml
Create KotsAdm ingress
$ curl https://raw.githubusercontent.com/pvcy/enterprise-install/main/aws/kots-ingress.yaml \
    -o kots-ingress.yaml
Modify pvcy.customer.com in kots-ingress.yaml to the customer subdomain.
$ kubectl apply -f kots-ingress.yaml
Finally, verify that the ingresses are created.
$ kubectl get ingresses -n pvcy
NAME                           CLASS    HOSTS                       ADDRESS                             PORTS     AGE
analyzer-app-service-ingress   <none>   app.pvcy.customer.com       a4c78.us-west-2.elb.amazonaws.com   80, 443   3d4h
kots-ingress                   <none>   kotsadm.pvcy.customer.com   a4c84.us-west-2.elb.amazonaws.com   80, 443   3d4h
nginx-api-ingress              <none>   api.pvcy.customer.com       a4c86.us-west-2.elb.amazonaws.com   80, 443   3d4h
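The three "Modify pvcy.customer.com" steps above are manual edits, and a manifest applied with the placeholder still in it publishes an ingress for the wrong host. The shell functions below are an added example, not part of the Privacy Dynamics repository: they rewrite the placeholder zone in a downloaded manifest, reject values that are not plain DNS names, and list any file that still contains the placeholder. The function names, the sample manifest and privacy.example.org are constructed for illustration.

```shell
# Added example: guard for the "Modify pvcy.customer.com" steps.
PLACEHOLDER='pvcy.customer.com'

# Replace the placeholder zone in FILE with DOMAIN.
# Returns 0 ok, 1 missing file, 2 DOMAIN is not a plain lowercase DNS name
# (or still contains the placeholder), 3 placeholder not found in FILE.
set_ingress_host() {
  local file="$1" domain="$2"
  [ -f "$file" ] || return 1
  printf '%s\n' "$domain" |
    grep -Eq '^[a-z0-9]([a-z0-9-]*[a-z0-9])?(\.[a-z0-9]([a-z0-9-]*[a-z0-9])?)+$' || return 2
  case "$domain" in *"$PLACEHOLDER"*) return 2 ;; esac
  grep -Fq "$PLACEHOLDER" "$file" || return 3
  sed 's/pvcy\.customer\.com/'"$domain"'/g' "$file" > "$file.tmp" && mv "$file.tmp" "$file"
}

# Print every FILE that still contains the placeholder; return 1 if any do.
placeholder_left() {
  local rc=0 f
  for f in "$@"; do
    if grep -Fq "$PLACEHOLDER" "$f"; then printf '%s\n' "$f"; rc=1; fi
  done
  return "$rc"
}

# Constructed stand-in for a downloaded manifest (NOT the real api-ingress.yaml).
write_sample_manifest() {
  cat > "$1" <<'EOF'
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: nginx-api-ingress
  namespace: pvcy
spec:
  tls:
    - hosts: [api.pvcy.customer.com]
      secretName: example-tls
  rules:
    - host: api.pvcy.customer.com
EOF
}

# Usage after the three curl downloads (domain is a constructed example):
#   for f in api-ingress.yaml app-ingress.yaml kots-ingress.yaml; do
#     set_ingress_host "$f" privacy.example.org || exit 1
#   done
#   placeholder_left api-ingress.yaml app-ingress.yaml kots-ingress.yaml || exit 1
```

A return code of 3 means the downloaded file no longer contains the expected placeholder, which is a cue to read the manifest before applying it.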