Privacy Dynamics Self-hosted
Create ingresses
Overview
The following steps make the installed Privacy Dynamics software available via the public app endpoint. Privacy Dynamics has simplified the installation by consolidating the required files into a GitHub repository; the steps below download those files directly.
- Nginx ingress
- Install whoami
- Install cert-manager
- Create ingresses
Tip
Helm is used to install the tools needed for ingress into the cluster, so it must be installed first. You can follow the Helm installation instructions.
Install Ingress Nginx
$ kubectl apply -f \
https://raw.githubusercontent.com/kubernetes/ingress-nginx/controller-v1.3.0/deploy/static/provider/cloud/deploy.yaml
namespace/ingress-nginx created
serviceaccount/ingress-nginx created
serviceaccount/ingress-nginx-admission created
...
ingressclass.networking.k8s.io/nginx created
validatingwebhookconfiguration.admissionregistration.k8s.io/ingress-nginx-admission created
Install whoami
whoami is installed as a container in its own namespace within the cluster and is used to resolve the DNS challenges required by Let's Encrypt. Whether you download the AWS or the GCP specific version, the values.yaml file must be modified with your environment name before proceeding: in each file, replace pvcy.customer.com with your host name.
$ kubectl create namespace whoami
namespace/whoami created
$ curl https://raw.githubusercontent.com/pvcy/enterprise-install/main/aws/whoami/values.yaml \
-o whoami-values.yaml
With the whoami-values.yaml file downloaded and updated with the correct hostname, install the whoami Helm chart. The chart is published in the cowboysysop Helm repository, which must be added before the install, and the --values flag must point at the file downloaded above.
$ helm repo add cowboysysop https://cowboysysop.github.io/charts/
$ helm install whoami-release cowboysysop/whoami \
--values=whoami-values.yaml -n whoami
Install cert-manager
cert-manager is used for certificate management within the cluster. Different steps are required based on the cloud provider being used.
$ kubectl apply \
-f https://github.com/cert-manager/cert-manager/releases/download/v1.10.0/cert-manager.yaml
namespace/cert-manager created
customresourcedefinition.apiextensions.k8s.io/clusterissuers.cert-manager.io created
customresourcedefinition.apiextensions.k8s.io/challenges.acme.cert-manager.io created
...
validatingwebhookconfiguration.admissionregistration.k8s.io/cert-manager-webhook created
Create ClusterIssuer resource
ClusterIssuers are Kubernetes resources that represent certificate authorities (CAs) that are able to generate signed certificates. The ClusterIssuer makes it possible for the Privacy Dynamics web UI to use HTTPS.
$ curl https://raw.githubusercontent.com/pvcy/enterprise-install/main/aws/issuer-lets-encrypt-prod.yaml -o issuer-lets-encrypt-prod.yaml
Make the following changes to issuer-lets-encrypt-prod.yaml:
- Replace pvcy.customer.com with your subdomain name.
- Replace test@customer.com with your email address.
- Replace the hostedZoneId value Z08xxxxHK with the Route 53 hostedZoneId of your subdomain name.
$ kubectl apply -f issuer-lets-encrypt-prod.yaml
clusterissuer.cert-manager.io/letsencrypt-production created
Create service ingresses
Create API ingress
The ingress creation step will create a DNS A record for api within the pvcy.customer.com zone added earlier.
$ curl https://raw.githubusercontent.com/pvcy/enterprise-install/main/aws/api-ingress.yaml -o api-ingress.yaml
Modify pvcy.customer.com in api-ingress.yaml to the customer subdomain.
$ kubectl apply -f api-ingress.yaml
Create application ingress
This will create an ingress for the Privacy Dynamics web UI. The ingress is called analyzer-app-service-ingress. The ingress creation step will create a DNS A record for app within the pvcy.customer.com zone added earlier.
$ curl https://raw.githubusercontent.com/pvcy/enterprise-install/main/aws/app-ingress.yaml -o app-ingress.yaml
Modify pvcy.customer.com in app-ingress.yaml to the customer subdomain.
$ kubectl apply -f app-ingress.yaml
Create KotsAdm ingress
$ curl https://raw.githubusercontent.com/pvcy/enterprise-install/main/aws/kots-ingress.yaml \
-o kots-ingress.yaml
Modify pvcy.customer.com in kots-ingress.yaml to the customer subdomain.
$ kubectl apply -f kots-ingress.yaml
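Every step above ends with a by-hand edit of pvcy.customer.com (and, for the issuer, test@customer.com and the hostedZoneId value) in a downloaded file. The script below is an added example, not a file from the pvcy/enterprise-install repository: it performs those substitutions with sed, refuses to hand a manifest to kubectl while any placeholder survives, and lists the hosts the rendered Ingress will claim. Everything it feeds itself is constructed: the sample manifest, the subdomain pvcy.example.org, the e-mail ops@example.org, the zone placeholder ZONE_ID_PLACEHOLDER and the value Z0EXAMPLE, as well as the backend service name analyzer-app-service and the secret name app-tls. The zone placeholder is a parameter because its exact spelling comes from the downloaded issuer file.

```shell
#!/bin/sh
# Added example; not a file from the pvcy/enterprise-install repository.
# Renders the downloaded manifests by substituting the placeholders the guide
# says to replace by hand (the hostname pvcy.customer.com, the contact e-mail
# test@customer.com and the issuer's hostedZoneId value), then refuses to hand
# a manifest to kubectl while any placeholder survives.
set -eu

PLACEHOLDER_HOST="pvcy.customer.com"
PLACEHOLDER_EMAIL="test@customer.com"

# Escape the dots in a literal so sed treats them as dots, not wildcards.
sed_escape() {
  printf '%s' "$1" | sed 's/\./\\./g'
}

# render_manifest SUBDOMAIN EMAIL ZONE_PLACEHOLDER ZONE_ID
# Reads a manifest on stdin and writes it to stdout with every placeholder replaced.
render_manifest() {
  sed -e "s|$(sed_escape "$PLACEHOLDER_HOST")|$1|g" \
      -e "s|$(sed_escape "$PLACEHOLDER_EMAIL")|$2|g" \
      -e "s|$(sed_escape "$3")|$4|g"
}

# placeholders_left FILE ZONE_PLACEHOLDER
# Prints the number of lines in FILE that still contain any placeholder.
placeholders_left() {
  grep -cF -e "$PLACEHOLDER_HOST" -e "$PLACEHOLDER_EMAIL" -e "$2" "$1" || true
}

# ingress_hosts FILE
# Prints the distinct values of `host:` keys in an Ingress manifest (line-based, no YAML parser).
ingress_hosts() {
  sed -n 's/^[[:space:]]*-\{0,1\}[[:space:]]*host:[[:space:]]*//p' "$1" | sort -u
}

# apply_manifest FILE SUBDOMAIN EMAIL ZONE_PLACEHOLDER ZONE_ID
# Renders FILE into a temporary file and applies it only when no placeholder is left.
# Not executed in this script: it needs kubectl and a cluster.
apply_manifest() {
  rendered=$(mktemp)
  render_manifest "$2" "$3" "$4" "$5" <"$1" >"$rendered"
  if [ "$(placeholders_left "$rendered" "$4")" -ne 0 ]; then
    echo "refusing to apply $1: unreplaced placeholders remain" >&2
    rm -f "$rendered"
    return 1
  fi
  kubectl apply -f "$rendered"
  rm -f "$rendered"
}

# Constructed sample in the shape of an Ingress manifest; the backend service
# name and the TLS secret name are made up for the demonstration.
SAMPLE=$(mktemp)
RENDERED=$(mktemp)
trap 'rm -f "$SAMPLE" "$RENDERED"' EXIT
cat >"$SAMPLE" <<'EOF'
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: analyzer-app-service-ingress
  namespace: pvcy
spec:
  tls:
  - hosts:
    - app.pvcy.customer.com
    secretName: app-tls
  rules:
  - host: app.pvcy.customer.com
    http:
      paths:
      - path: /
        pathType: Prefix
        backend:
          service:
            name: analyzer-app-service
            port:
              number: 80
EOF

# Render with constructed values; the real subdomain, e-mail and zone ID come from your environment.
render_manifest "pvcy.example.org" "ops@example.org" "ZONE_ID_PLACEHOLDER" "Z0EXAMPLE" <"$SAMPLE" >"$RENDERED"
echo "hosts after rendering: $(ingress_hosts "$RENDERED")"
echo "placeholder lines left: $(placeholders_left "$RENDERED" ZONE_ID_PLACEHOLDER)"
```

Against the real files, call apply_manifest once per manifest (api-ingress.yaml, app-ingress.yaml, kots-ingress.yaml and issuer-lets-encrypt-prod.yaml) with your subdomain, e-mail and zone values. The placeholder check matters because a manifest applied with the stock hostname creates an ingress rule and a certificate request for a domain you do not control; cert-manager's DNS challenge then fails and the stale ingress has to be cleaned up by hand.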
Finally, verify that the ingresses are created.
$ kubectl get ingresses -n pvcy
NAME                           CLASS    HOSTS                       ADDRESS                             PORTS     AGE
analyzer-app-service-ingress   <none>   app.pvcy.customer.com       a4c78.us-west-2.elb.amazonaws.com   80, 443   3d4h
kots-ingress                   <none>   kotsadm.pvcy.customer.com   a4c84.us-west-2.elb.amazonaws.com   80, 443   3d4h
nginx-api-ingress              <none>   api.pvcy.customer.com       a4c86.us-west-2.elb.amazonaws.com   80, 443   3d4h
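Eyeballing that table is the usual verification, but the three things that matter are easy to miss: each HOSTS entry must sit under the customer subdomain, ADDRESS must actually be populated (kubectl prints nothing there until the load balancer exists, which shifts the columns), and PORTS must include 443, since 80 alone means the certificate is not in place yet. The script below is an added check, not part of the guide; read_ingress_table is a constructed stand-in for the real kubectl call, filled with the sample output above.

```shell
#!/bin/sh
# Added example; not part of the Privacy Dynamics guide. A post-install check
# over the table printed by `kubectl get ingresses -n pvcy`: every ingress must
# serve a host under the customer subdomain, have a load-balancer ADDRESS
# assigned, and expose port 443. The sample table is constructed from the
# guide's example output.
set -eu

SUBDOMAIN="pvcy.customer.com"
EXPECTED_INGRESSES="analyzer-app-service-ingress kots-ingress nginx-api-ingress"

# Constructed stand-in for `kubectl get ingresses -n pvcy`; swap in the real
# command when running against a cluster.
read_ingress_table() {
  cat <<'EOF'
NAME                           CLASS    HOSTS                       ADDRESS                             PORTS     AGE
analyzer-app-service-ingress   <none>   app.pvcy.customer.com       a4c78.us-west-2.elb.amazonaws.com   80, 443   3d4h
kots-ingress                   <none>   kotsadm.pvcy.customer.com   a4c84.us-west-2.elb.amazonaws.com   80, 443   3d4h
nginx-api-ingress              <none>   api.pvcy.customer.com       a4c86.us-west-2.elb.amazonaws.com   80, 443   3d4h
EOF
}

# check_ingresses SUBDOMAIN  (table on stdin)
# Prints "<name> ok" or "<name> FAIL <reasons>" per row; exits 1 if any row fails.
# kubectl prints PORTS as "80, 443", so that column spans two fields, and an
# unassigned ADDRESS is printed as nothing at all, which shifts the fields left.
check_ingresses() {
  awk -v zone="$1" '
    NR > 1 {
      name = $1; host = $3
      if ($4 ~ /^[0-9]+,?$/) { addr = ""; first = 4 } else { addr = $4; first = 5 }
      ports = ""
      for (i = first; i < NF; i++) ports = ports $i
      bad = ""
      if (host !~ ("\\." zone "$")) bad = bad " host-not-under-subdomain"
      if (addr == "" || addr == "<pending>") bad = bad " no-address"
      if (ports !~ /(^|,)443(,|$)/) bad = bad " no-https-port"
      if (bad == "") print name " ok"; else { print name " FAIL" bad; failed = 1 }
    }
    END { exit (failed ? 1 : 0) }'
}

# missing_ingresses "NAME NAME ..."  (table on stdin)
# Prints each expected ingress name that does not appear in the table.
missing_ingresses() {
  present=$(awk 'NR > 1 { print $1 }')
  for name in $1; do
    echo "$present" | grep -qx "$name" || echo "$name"
  done
}

echo "== ingress checks for $SUBDOMAIN =="
read_ingress_table | check_ingresses "$SUBDOMAIN"
missing=$(read_ingress_table | missing_ingresses "$EXPECTED_INGRESSES")
if [ -z "$missing" ]; then
  echo "all expected ingresses present"
else
  echo "missing ingresses: $missing"
fi
```

Run it right after the three kubectl apply commands and again after a few minutes: the address column is the last thing to fill in, and a row that reports no-https-port after the certificate should have been issued points at the ClusterIssuer or the Route 53 hostedZoneId rather than at the ingress itself.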