Accessing the UI
This page describes how to access the user interface of TrilioVault for Kubernetes.
There are 4 simple steps that a user needs to perform to enable UI access to the cluster:
    1. Enable UI access via NodePort or LoadBalancer
    2. Set FQDN (Fully Qualified Domain Name) for UI service
    3. Create a DNS record for the FQDN
    4. Launch the TVK UI
Note: If you installed the product via the Upstream Operator instructions and provided the

UI Components

Before proceeding with UI access, it is imperative to understand the architecture behind the UI. When TVK is installed, the following deployments and services are created with it.
Deployments:
$ kubectl get deployments
NAME                                            READY   UP-TO-DATE   AVAILABLE   AGE
triliovault-operator-k8s-triliovault-operator   1/1     1            1           11d
k8s-triliovault-web-backend                     1/1     1            1           11d
k8s-triliovault-exporter                        1/1     1            1           11d
k8s-triliovault-ingress-gateway                 1/1     1            1           11d
k8s-triliovault-web                             1/1     1            1           11d
k8s-triliovault-control-plane                   1/1     1            1           11d
k8s-triliovault-admission-webhook               1/1     1            1           11d
Services:
$ kubectl get svc
NAME                                TYPE        CLUSTER-IP       EXTERNAL-IP   PORT(S)                      AGE
k8s-triliovault-backend-svc         ClusterIP   100.158.23.239   <none>        80/TCP                       11d
k8s-triliovault-ingress             NodePort    100.158.16.210   <none>        80:31200/TCP,443:30452/TCP   11d
k8s-triliovault-ingress-admission   ClusterIP   100.158.19.252   <none>        443/TCP                      11d
k8s-triliovault-web-svc             ClusterIP   100.158.15.172   <none>        80/TCP                       11d
k8s-triliovault-webhook-service     ClusterIP   100.158.12.240   <none>        443/TCP                      11d
The ingress-controller deployment and the k8s-triliovault-ingress service are responsible for exposing the UI.
By default, the k8s-triliovault-ingress service is always of type NodePort, and a random port in the range 30000-32767 is allotted to it.

Step 1: Enable UI Access

The first step to launch the user console is enabling access to the TVK UI service. Access can be enabled via NodePort, LoadBalancer, or Port Forwarding.

Via Port Forwarding

Access to the management console can be established by port forwarding the ingress-gateway pod traffic to your local system.
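kubectl port-forward --address 0.0.0.0 svc/k8s-triliovault-ingress-gateway 80:80 &
The above command forwards TVK management console traffic to port 80 on your local system, where it is reachable at the localhost IP 127.0.0.1. Because --address 0.0.0.0 makes kubectl listen on every local interface, other hosts that can reach your system on port 80 can reach the console as well; without the --address flag, kubectl port-forward listens on localhost only.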

Via NodePort

Node port access may be common with self-managed clusters. Self-managed clusters are those that are generally created via kubeadm, kops or ones where the worker nodes infrastructure is managed and accessible by the user.
    Expose the NodePort range (30000-32767) for the nodes in the Worker and Master groups via firewall rules.
    This will relay the NodePorts via kube-proxy to all the nodes in the Worker and Master groups.
      If you need a fixed port, edit the ingress service.

Via LoadBalancer

LoadBalancer access may be common with provider-managed clusters, clusters in a public cloud provider, or on-premise clusters where a LoadBalancer is available. Provider managed Kubernetes clusters are generally those where the user does not manage or have access to the worker node infrastructure. Example - AWS EKS, GCP GKE/Anthos, Azure AKS, or OpenShift (managed service through cloud providers).
    Edit the ingress service: kubectl edit svc <svc_name>
      Change the value of spec.type from the default NodePort to LoadBalancer. This creates a LoadBalancer in the cloud that forwards traffic to the ingress service.
      A LoadBalancer public IP will be allotted to the service and shown in the EXTERNAL-IP field (kubectl get svc).

Step 2: Assign FQDN for TVK UI

After the access setup is complete, the next step is to ensure that the TVK UI can be accessed via an FQDN. FQDN access is a must to reach the TVK UI service.
When TVK is installed, there are two ingress resources that are created:
    1. Master ingress containing only the host
    2. Minion ingress containing the ingress rules
NAME                             CLASS    HOSTS                 ADDRESS   PORTS   AGE
k8s-triliovault-ingress-master   <none>   default.k8s-tvk.com             80      4m18s
k8s-triliovault-ingress-minion   <none>   default.k8s-tvk.com             80      4m18s
By default, the master ingress has a host value set to:
spec.rules[0].host: <install-namespace>.k8s-tvk.com
This will be the hostname by which the TVK management console will be accessible through a web browser. In order to change the value for the host in the spec, edit the master ingress resource:
kubectl edit ingress k8s-triliovault-ingress-master
The hostname change is required in the master ingress. Do not update the minion ingress resource, as it will get automatically updated based on the master ingress resource.
If using OpenShift clusters and the TVK management console hostname is set to the same domain name as the OpenShift Console (example - https://console.apps.mycluster.acmecorp.com and https://tvk-ui.apps.mycluster.acmecorp.com), then all incoming traffic gets routed from the default OCP ingress controller to the Trilio pods. As a result, the following command must be run on the default ingress controller to ensure smooth operations. More information can be found within the OCP documentation.
oc -n openshift-ingress-operator patch ingresscontroller/default --patch '{"spec":{"routeAdmission":{"namespaceOwnership":"InterNamespaceAllowed"}}}' --type=merge

Step 3: Create a DNS record

After the desired FQDN has been set, create a DNS record for it so that the UI can be accessed. If TVK is being leveraged in a non-production environment, then access via the /etc/hosts file is possible.

DNS enabled environments

    1. Create an A-Record in Route53 (AWS) or Google DNS service (GCP) or any other DNS manager of your choice
    2. Map <install-namespace>.k8s-tvk.com (depending on the host value specified above) to the {PUBLIC_NODE_IP} for NodePort or {LB_IP} for Load Balancer.

Non-DNS or Local environments

For custom environments do the following on your local machine:
Note: This only works for a single system.
    Edit the file: sudo vi /etc/hosts
    Create an entry in the /etc/hosts file for the IPs, so your file should look like this:
...
127.0.0.1 localhost
....

xx.xx.xx.xx <install-namespace>.k8s-tvk.com

# The following lines are desirable for IPv6 capable hosts
::1 ip6-localhost ip6-loopback
fe00::0 ip6-localnet
ff00::0 ip6-mcastprefix
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters
For access via Port Forwarding use 127.0.0.1 <FQDN from step 2>:
127.0.0.1 default.k8s-tvk.com

Step 4: Launch the TVK Management Console

After completing steps 1-3, access the UI console using one of the following methods:

Access over HTTP

Launch via LoadBalancer

Ports do not need to be specified for LoadBalancers

Launch via NodePort

The service example above shows port 80:31200 for the ingress service.

Access over HTTPS

If the TVK UI is not accessible over HTTPS by default, the SSL certificate needs to be specified as a part of the master ingress k8s-triliovault-ingress-master.
Note: Users can use their own custom SSL certificate to generate a secret and provide it as a part of the ingress resource. Create a new secret ssl-certs using the custom SSL certificate tls.crt and key tls.key in the tvk-namespace namespace where TVK is deployed:
kubectl create secret tls ssl-certs --cert tls.crt --key tls.key -n tvk-namespace
In order to add the secretName value of SSL certificate in the ingress spec, edit the ingress resource:
kubectl edit ingress k8s-triliovault-ingress-master
Add the tls: section below to the ingress resource, at the same level as the existing rules: section, and save the updated ingress resource.
spec:
  rules:
    <Keep the details for HTTP as it is>
  tls:
  - hosts:
    - default.k8s-tvk.com
    secretName: k8s-triliovault-ingress-tls-certs
k8s-triliovault-ingress-tls-certs is a default certificate generated during TVK deployment. Users can and should also provide a custom secret created as explained above.
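A check for the service type chosen in Step 1 and the HTTPS settings above, added here as an example (it is not part of the TVK documentation or tooling): it reads the JSON produced by kubectl get svc,ingress -n <install-namespace> -o json and reports which node ports the ingress service opens, whether the master ingress host has a tls entry, and whether the default certificate is still in use. The embedded sample is constructed from the names and ports shown on this page, and the function names are this example's own.

```python
import json
import sys

INGRESS_SVC = "k8s-triliovault-ingress"
MASTER_INGRESS = "k8s-triliovault-ingress-master"
DEFAULT_SECRET = "k8s-triliovault-ingress-tls-certs"  # generated at TVK deployment

# Constructed sample in the shape of `kubectl get svc,ingress -o json`,
# using the names and ports from the listings on this page.
SAMPLE = {"kind": "List", "items": [
    {"kind": "Service", "metadata": {"name": INGRESS_SVC},
     "spec": {"type": "NodePort", "ports": [
         {"port": 80, "nodePort": 31200}, {"port": 443, "nodePort": 30452}]}},
    {"kind": "Ingress", "metadata": {"name": MASTER_INGRESS},
     "spec": {"rules": [{"host": "default.k8s-tvk.com"}]}},
]}


def covers(pattern, host):
    """True if a tls.hosts entry matches host (exact or one-label wildcard)."""
    if pattern.startswith("*."):
        _, _, rest = host.partition(".")
        return bool(rest) and rest == pattern[2:]
    return pattern == host


def audit(doc):
    """Return findings about how the TVK console is exposed."""
    findings = []
    for item in doc.get("items", []):
        kind, name = item.get("kind"), item["metadata"]["name"]
        spec = item.get("spec", {})
        if kind == "Service" and name == INGRESS_SVC:
            ports = sorted(p["nodePort"] for p in spec.get("ports", []) if "nodePort" in p)
            if spec.get("type") in ("NodePort", "LoadBalancer") and ports:
                findings.append(f"{name}: {spec['type']} opens node ports {ports}")
        elif kind == "Ingress" and name == MASTER_INGRESS:
            tls = spec.get("tls", [])
            patterns = [h for t in tls for h in t.get("hosts", [])]
            for host in sorted({r["host"] for r in spec.get("rules", []) if r.get("host")}):
                if not any(covers(p, host) for p in patterns):
                    findings.append(f"{name}: {host} has no tls entry")
            if any(t.get("secretName") == DEFAULT_SECRET for t in tls):
                findings.append(f"{name}: serves the default certificate {DEFAULT_SECRET}")
    return findings


if __name__ == "__main__":
    doc = json.load(open(sys.argv[1])) if len(sys.argv) > 1 else SAMPLE
    print("\n".join(audit(doc)))
```

Save the kubectl output to a file and pass its path as the first argument; with no argument the script audits the constructed sample.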

Launch via LoadBalancer

Ports do not need to be specified for LoadBalancers

Launch via NodePort

The service example above shows port 443:30452 for the ingress service.
After opening the above URL in a browser, you will see the authentication page.
TVK Management Console Authentication Page