ApiSix is used primarily as an API security implementation that provides both ingress and API gateway security features for north-south traffic flow. ApiSix manages and provides an extensive ecosystem of flexible plugins to integrate with almost any sort of Authentication, Authorization and Accounting implementation.
Expertflow CX is backed by 2 layers when traffic enters the Kubernetes cluster:
- The RKE2 ingress-nginx controller performs 2 steps: 1) terminates the TLS and 2) forwards all the incoming traffic to ApiSix on https.
- ApiSix sits next to the rke2-ingress-controller and intercepts all the endpoints. Traffic is filtered per specified path and per plugin, which means /agent-manager and /agent-manager/assets are considered 2 separate paths, and each can have completely different authentication and authorization specifications in place.
Prerequisites
When upgrading the existing solution to use ApiSix, please delete all the ingress resources (previously managed by rke2-ingress-nginx):
kubectl -n expertflow delete ingress cx-agent-desk-grafana cx-agent-desk-unified-agent-ingress cx-agent-desk-unified-agent-ingress-assets cx-campaigns-campaign-studio-ingress cx-campaigns-campaigns-backend-ingress cx-campaigns-scheduled-activities-ingress cx-channels-connect360-ingress cx-channels-email-connector-ingress cx-channels-facebook-connector-ingress cx-channels-instagram-connector-ingress cx-channels-linkedin-connector-ingress cx-channels-ms-email-connector-ingress cx-channels-smpp-connector-ingress cx-channels-telegram-connector-ingress cx-channels-twilio-connector-ingress cx-channels-twitter-connector-ingress cx-channels-viber-connector-ingress cx-channels-whatsapp-connector-ingress cx-channels-youtube-connector-ingress cx-eleveo-eleveo-api-ingress cx-eleveo-eleveo-runner-ingress cx-surveys-survey-backend-ingress cx-surveys-survey-studio-ingress ef-cx-agent-manager-ingress ef-cx-bot-framework-ingress ef-cx-business-calendar-ingress ef-cx-ccm-ingress ef-cx-cim-customer-ingress ef-cx-conversation-manager-ingress ef-cx-conversation-monitor-ingress ef-cx-customer-widget-ingress ef-cx-customer-widget-ingress-assets ef-cx-file-engine-ingress ef-cx-historical-reports-ingress ef-cx-license-manager-ingress ef-cx-realtime-reports-ingress ef-cx-routing-engine-ingress ef-cx-team-announcement-ingress ef-cx-unified-admin-ingress ef-cx-unified-admin-ingress-default ef-cx-web-channel-manager-ingress
Edit/update ingresses for Core
Optionally, you can enable API authentication in Core by following these steps:
- Set the following configuration to true for nameSuffix: "main" and nameSuffix: "main-secured" under apisixRoutes for the following components.
  plugins:
    enableAuth: true
- Follow the guides mentioned under the APISIX configurations section of this document.
Edit/update ingresses for Agent-Desk
Edit/update ingresses for Channels
Edit/update ingresses for Campaigns
Edit/update ingresses for Surveys
Edit/update ingresses for Eleveo
Ingress Controller Selection
- The default ingressClass is set to “nginx” in the global section of all helm charts. If you prefer to use another ingress controller, please update ingressClassName to the appropriate value.
- All helm charts served at the expertflow helm repository (CX groups/components and external components) are by default compatible with the ingress-nginx ingress controller, using ingress-nginx annotations. Should there be a requirement for any other ingress controller such as Traefik, HA-Proxy or Contour, please adjust the annotations for all components accordingly. A coordinated guide for using Traefik as the ingress controller with the CX solution is available at Using Traefik as Ingress Controller.
Add TLS Certificates
- For self-signed certificates, please use the guide Create self-signed Certificates for Ingress in the ef-external namespace.
- For commercial certificates, please import them as tls.crt and tls.key and create a secret with the name ef-ingress-tls-secret in the ef-external namespace.
- For LetsEncrypt based TLS certificates, please consult LetsEncrypt SSL for EF-CX.
NOTE:
When using LE based TLS certificates, you will have to enable the correct annotations in all the relevant values files. For example, for CX, after downloading the <COMPONENT>-custom-values.yaml file, you can enable it by running
sed -i -e 's/#cert-manager.io\/cluster-issuer: /cert-manager.io\/cluster-issuer: /g' <COMPONENT>-custom-values.yaml
This procedure is required for both externals and all CX group charts being deployed.
Deployment
Add helm repository
helm repo add expertflow https://expertflow.github.io/charts/
Update the helm repo
helm repo update expertflow
Clone the values file to update the required parameters for ApiSix
helm show values expertflow/apisix --version 4.2.2 > helm-values/apisix-custom-values.yaml
Change the default value of global.ingressRouter to the valid EF-CX FQDN
global:
  ingressRouter: <DEFAULT-FQDN>
Deploy the apisix helm chart
helm upgrade --install --namespace ef-external --values helm-values/apisix-custom-values.yaml apisix expertflow/apisix --version 4.2.2
Wait for the apisix-data-plane, apisix-control-plane and apisix-etcd to bootstrap completely.
Once the deployment is completed and all the components are running, you should be able to list all the apisixroutes using
kubectl -n expertflow get apisixroutes
At this point there should be only 2 ingress resources available (in addition to others: for example, transflux and superset have their own ingress resources, which are not managed by apisix).
For example:
# kubectl get ing -A
NAMESPACE NAME CLASS HOSTS ADDRESS PORTS AGE
ef-external apisix-data-plane nginx <FQDN> 192.168.2.243 80, 443 7d3h
ef-external keycloak nginx <FQDN> 192.168.2.243 80, 443 9d
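The ingress clean-up from the Prerequisites section and the "only 2 ingress resources" check above can be automated. The following is an added example, not part of the Expertflow documentation: it reads `kubectl get ing -A` rows and reports every ingress that is not on an allow-list. The function names, the `ALLOWED_INGRESSES` variable and the sample rows are assumptions made for illustration; the default allow-list holds the two ingresses shown in the sample output above.

```shell
#!/bin/sh
# Added example: flag ingress resources that should no longer exist once
# ApiSix fronts the CX services. Function names here are hypothetical.

# Allow-list of "namespace/name" entries. The default holds the two ingresses
# shown in this page's sample output; append any others you expect to keep
# (the page mentions transflux and superset as having their own ingresses).
ALLOWED_INGRESSES="${ALLOWED_INGRESSES:-ef-external/apisix-data-plane ef-external/keycloak}"

# Reads `kubectl get ing -A` rows on stdin, prints each ingress that is not on
# the allow-list as namespace/name, and returns 1 if at least one was printed.
unexpected_ingresses() {
    awk -v allowed="$ALLOWED_INGRESSES" '
        BEGIN {
            n = split(allowed, a, /[ \t]+/)
            for (i = 1; i <= n; i++) ok[a[i]] = 1
        }
        # Skip blank lines and the header row; only columns 1 and 2 are used,
        # so the space inside the PORTS column ("80, 443") does not matter.
        NF >= 2 && $1 != "NAMESPACE" {
            key = $1 "/" $2
            if (!(key in ok)) { print key; bad = 1 }
        }
        END { exit (bad ? 1 : 0) }
    '
}

# Constructed sample rows (not real cluster output): the third row is one of
# the ingresses from the delete command above that was left behind.
sample_rows() {
    cat <<'EOF'
NAMESPACE NAME CLASS HOSTS ADDRESS PORTS AGE
ef-external apisix-data-plane nginx cx.example.com 192.0.2.10 80, 443 7d3h
ef-external keycloak nginx cx.example.com 192.0.2.10 80, 443 9d
expertflow ef-cx-agent-manager-ingress nginx cx.example.com 192.0.2.10 80, 443 40d
EOF
}

# Offline demonstration; against a cluster use:
#   kubectl get ing -A --no-headers | unexpected_ingresses
sample_rows | unexpected_ingresses || echo "leftover ingress resources found" >&2
```

A non-zero exit status makes the function usable as a gate in a deployment pipeline after the helm upgrade step.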