Privacy Dynamics Self-hosted

Create ingresses

Overview

The following steps make the installed privacy software available via the public app endpoint. Privacy Dynamics has made the installation process easier by consolidating the files needed into a GitHub repository. The steps below download the files directly.

  1. Nginx ingress
  2. Install whoami
  3. Install cert-manager
  4. Create ingresses

Tip

Helm is used to install the tools needed for ingress to the cluster, so it must be installed before you begin. You can follow the Helm installation instructions.

Install Ingress Nginx

$ kubectl apply -f \
 https://raw.githubusercontent.com/kubernetes/ingress-nginx/controller-v1.3.0/deploy/static/provider/cloud/deploy.yaml

namespace/ingress-nginx created
serviceaccount/ingress-nginx created
serviceaccount/ingress-nginx-admission created
….
ingressclass.networking.k8s.io/nginx created
validatingwebhookconfiguration.admissionregistration.k8s.io/ingress-nginx-admission created

Install whoami

whoami is installed as a container in its own namespace within the cluster and is used to resolve DNS challenges necessary for Let's Encrypt. Whether you are downloading the AWS-specific or GCP-specific version, each values.yaml file must be modified with your environment name before proceeding. In each file, replace pvcy.customer.com with your host name.

$ kubectl create namespace whoami

namespace/whoami created

$ curl https://raw.githubusercontent.com/pvcy/enterprise-install/main/aws/whoami/values.yaml \
 -o whoami-values.yaml

With the whoami-values.yaml file downloaded and updated with the correct hostname, install the whoami Helm chart.

$ helm install whoami-release cowboysysop/whoami \
 --values=whoami-values.yaml -n whoami

Install cert-manager

cert-manager is used for certificate management within the cluster. Different steps are required based on the cloud provider being used.

$ kubectl apply \
 -f https://github.com/cert-manager/cert-manager/releases/download/v1.10.0/cert-manager.yaml

namespace/cert-manager created
customresourcedefinition.apiextensions.k8s.io/clusterissuers.cert-manager.io created
customresourcedefinition.apiextensions.k8s.io/challenges.acme.cert-manager.io created
……
validatingwebhookconfiguration.admissionregistration.k8s.io/cert-manager-webhook created

Create ClusterIssuer resource

ClusterIssuers are Kubernetes resources that represent certificate authorities (CAs) that are able to generate signed certificates. The ClusterIssuer makes it possible for the Privacy Dynamics web UI to use HTTPS.

$ curl https://raw.githubusercontent.com/pvcy/enterprise-install/main/aws/issuer-lets-encrypt-prod.yaml -o issuer-lets-encrypt-prod.yaml

Make the following changes to issuer-lets-encrypt-prod.yaml:

  1. Replace pvcy.customer.com with your subdomain name.
  2. Replace test@customer.com with your email address.
  3. Replace hostedZoneId Z08xxxxHK with the Route 53 hostedZoneId of your subdomain name.

$ kubectl apply -f issuer-lets-encrypt-prod.yaml

clusterissuer.cert-manager.io/letsencrypt-production created

Create service ingresses

Create API ingress

The ingress creation step will create a DNS A record for api within the pvcy.customer.com zone added earlier.

$ curl https://raw.githubusercontent.com/pvcy/enterprise-install/main/aws/api-ingress.yaml -o api-ingress.yaml

Modify pvcy.customer.com in api-ingress.yaml to the customer subdomain.

$ kubectl apply -f api-ingress.yaml

Create application ingress

This will create an ingress for the Privacy Dynamics web UI. The service is called analyzer-app-service-ingress.

The ingress creation step will create a DNS A record for app within the pvcy.customer.com zone added earlier.

$ curl https://raw.githubusercontent.com/pvcy/enterprise-install/main/aws/app-ingress.yaml -o app-ingress.yaml

Modify pvcy.customer.com in app-ingress.yaml to the customer subdomain.

$ kubectl apply -f app-ingress.yaml

Create KotsAdm ingress

$ curl https://raw.githubusercontent.com/pvcy/enterprise-install/main/aws/kots-ingress.yaml \
 -o kots-ingress.yaml

Modify pvcy.customer.com in kots-ingress.yaml to the customer subdomain.

$ kubectl apply -f kots-ingress.yaml

Finally, verify that the ingresses are created.

$ kubectl get ingresses -n pvcy

NAME                           CLASS    HOSTS                       ADDRESS                             PORTS   AGE
analyzer-app-service-ingress   <none>   app.pvcy.customer.com       a4c78.us-west-2.elb.amazonaws.com   80, 443 3d4h
kots-ingress                   <none>   kotsadm.pvcy.customer.com   a4c84.us-west-2.elb.amazonaws.com   80, 443 3d4h
nginx-api-ingress              <none>   api.pvcy.customer.com       a4c86.us-west-2.elb.amazonaws.com   80, 443 3d4h
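
Every download step above ends with a hand edit that replaces the sample values pvcy.customer.com, test@customer.com and Z08xxxxHK. The script below is an added example, not part of the Privacy Dynamics repository: it rejects any manifest that still contains one of those values, so it can gate each kubectl apply. The function names and the sample file contents are constructed for illustration.

```shell
#!/bin/sh
# Added example: pre-apply gate for the manifests downloaded on this page.
# It fails if one of the page's sample values is still present after editing.

# check_placeholders FILE...
# Prints "file:line:text" to stderr for each leftover sample value. Returns 1
# if any is found or a file is unreadable, 0 when every file is clean.
check_placeholders() {
    rc=0
    for f in "$@"; do
        if [ ! -r "$f" ]; then
            echo "unreadable: $f" >&2
            rc=1
            continue
        fi
        # -F: fixed strings, so dots are literal. The extra /dev/null operand
        # makes grep prefix every hit with the file name.
        if grep -nF -e 'pvcy.customer.com' -e 'test@customer.com' \
                -e 'Z08xxxxHK' -- "$f" /dev/null >&2; then
            rc=1
        fi
    done
    return "$rc"
}

# write_samples DIR: constructed inputs for the demonstration, not the real
# files from the pvcy/enterprise-install repository.
write_samples() {
    printf '%s\n' 'email: test@customer.com' 'hostedZoneId: Z08xxxxHK' \
        'dnsZones: ["pvcy.customer.com"]' > "$1/unedited.yaml"
    printf '%s\n' 'email: ops@example.org' 'hostedZoneId: ZEXAMPLE123' \
        'dnsZones: ["pvcy.example.org"]' > "$1/edited.yaml"
}

if [ "$#" -gt 0 ]; then
    check_placeholders "$@"    # gate mode: non-zero status means do not apply
else
    demo_dir=$(mktemp -d)      # no arguments: run on the constructed samples
    write_samples "$demo_dir"
    for s in unedited edited; do
        if check_placeholders "$demo_dir/$s.yaml"; then
            echo "$s.yaml: ok to apply"
        else
            echo "$s.yaml: still contains sample values"
        fi
    done
    rm -rf "$demo_dir"
fi
```

Saved under a name of your choice (check-placeholders.sh is a hypothetical name), run it as `sh check-placeholders.sh whoami-values.yaml issuer-lets-encrypt-prod.yaml api-ingress.yaml app-ingress.yaml kots-ingress.yaml` and apply the files only when it exits 0.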