ApiSix Deployment for EF CX
ApiSix is used primarily as an API security implementation that provides both ingress and API Gateway security features for north-south traffic flow. ApiSix provides an extensive ecosystem of flexible plugins that integrate with almost any sort of Authentication, Authorization and Accounting implementation.
Expertflow CX is backed by 2 layers when traffic enters the Kubernetes cluster.
The RKE2 ingress-nginx controller performs 2 steps: 1) terminates the TLS and 2) forwards all the incoming traffic to ApiSix on https.
ApiSix sits next to the rke2-ingress-controller and intercepts all the endpoints. Traffic is filtered per specified path and per plugin, which means that /agent-manager and /agent-manager/assets are considered 2 separate paths, and both can have completely different authentication and authorization specifications in place.
Prerequisites
When upgrading the existing solution to use ApiSix, please delete all the ingress resources (previously managed by rke2-ingress-nginx):
kubectl -n expertflow delete ingress cx-agent-desk-grafana cx-agent-desk-unified-agent-ingress cx-agent-desk-unified-agent-ingress-assets cx-campaigns-campaign-studio-ingress cx-campaigns-campaigns-backend-ingress cx-campaigns-scheduled-activities-ingress cx-channels-connect360-ingress cx-channels-email-connector-ingress cx-channels-facebook-connector-ingress cx-channels-instagram-connector-ingress cx-channels-linkedin-connector-ingress cx-channels-ms-email-connector-ingress cx-channels-smpp-connector-ingress cx-channels-telegram-connector-ingress cx-channels-twilio-connector-ingress cx-channels-twitter-connector-ingress cx-channels-viber-connector-ingress cx-channels-whatsapp-connector-ingress cx-channels-youtube-connector-ingress cx-eleveo-eleveo-api-ingress cx-eleveo-eleveo-runner-ingress cx-surveys-survey-backend-ingress cx-surveys-survey-studio-ingress ef-cx-agent-manager-ingress ef-cx-bot-framework-ingress ef-cx-business-calendar-ingress ef-cx-ccm-ingress ef-cx-cim-customer-ingress ef-cx-conversation-manager-ingress ef-cx-conversation-monitor-ingress ef-cx-customer-widget-ingress ef-cx-customer-widget-ingress-assets ef-cx-file-engine-ingress ef-cx-historical-reports-ingress ef-cx-license-manager-ingress ef-cx-realtime-reports-ingress ef-cx-routing-engine-ingress ef-cx-team-announcement-ingress ef-cx-unified-admin-ingress ef-cx-unified-admin-ingress-default ef-cx-web-channel-manager-ingress
Edit/update ingresses for Core
Optionally, you can enable API authentication in Core by following these steps:
Under apisixRoutes, set the following configuration to true for the following components.
plugins:
  enableAuth: true
Follow the guides mentioned under the APISIX configurations section of this document.
Edit/update ingresses for Agent-Desk
Edit/update ingresses for Channels
Edit/update ingresses for Campaigns
Edit/update ingresses for Surveys
Edit/update ingresses for Eleveo
Ingress Controller Selection
The default ingressClass is set to “nginx” in the global section of all helm charts. If you prefer to use another ingress controller, please update ingressClassName to the appropriate value.
All helm charts served at the expertflow helm repository (CX groups/components and external components) are by default compatible with the ingress-nginx ingress controller and use ingress-nginx annotations. Should there be a requirement for any other ingress controller, such as traefik, HA-Proxy or contour, please adjust the annotations for all components accordingly. A coordinated guide for using Traefik as Ingress Controller with the CX solution is available at Using Traefik as Ingress Controller.
Add TLS Certificates
For Self Signed, please use this guide: Create self-signed certificates for ingress in ef-external namespace
For Commercial Certificates, please import them as tls.crt and tls.key and create a secret with the name of ef-ingress-tls-secret in the ef-external namespace
For LetsEncrypt based TLS Certificates, please consult LetsEncrypt SSL for EF-CX
NOTE:
When using LE based TLS Certificates, you will have to enable the correct annotations in all the relevant values files. For example, for CX, after downloading the <COMPONENT>-custom-values.yaml file, you can run
sed -i -e 's/#cert-manager.io\/cluster-issuer: /cert-manager.io\/cluster-issuer: /g' <COMPONENT>-custom-values.yaml
to enable it.
This procedure is required for both externals and all CX group charts being deployed.
Deployment
Add helm repository
helm repo add expertflow https://expertflow.github.io/charts/
Update helm repo
helm repo update expertflow
Clone the values file to update the required parameters for ApiSix
helm show values expertflow/apisix --version 4.2.2 > helm-values/apisix-custom-values.yaml
Change the default value of global.ingressRouter to the valid value of the EF-CX FQDN
global:
  ingressRouter: <DEFAULT-FQDN>
Deploy apisix helm chart
helm upgrade --install --namespace ef-external --values helm-values/apisix-custom-values.yaml apisix expertflow/apisix --version 4.2.2
Wait for the apisix-data-plane, apisix-control-plane and apisix-etcd to bootstrap completely.
Once the deployment is completed and all the components are running, you should be able to list all the apisixroutes using
kubectl -n expertflow get apisixroutes
At this point there should be only 2 ingress resources available (in addition to others; for example, transflux and superset have their own ingress resources, which are not managed by apisix).
For example:
# kubectl get ing -A
NAMESPACE NAME CLASS HOSTS ADDRESS PORTS AGE
ef-external apisix-data-plane nginx <FQDN> 192.168.2.243 80, 443 7d3h
ef-external keycloak nginx <FQDN> 192.168.2.243 80, 443 9d
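A check for this step, as an added example that is not part of the Expertflow documentation: it reads an ingress listing and reports every Ingress that is not on an allow-list, because an Ingress left behind in the expertflow namespace can still be routed by ingress-nginx directly to its backend, outside the ApiSix path filters. The function names, the sample listing and the superset row's namespace are assumptions made for the example; only the two allow-listed entries and the ef-cx-agent-manager-ingress name come from this page.

```shell
#!/bin/sh
# Added example: flag Ingress resources that remain after the ApiSix rollout.
# Input: output of `kubectl get ing -A` (with or without header) on stdin.
# Allow-list entries are NAMESPACE/NAME. The two defaults are the ones this
# page shows; extra entries (e.g. for transflux or superset) are passed as
# arguments, since their real names are deployment-specific.

unexpected_ingresses() {
    allow="ef-external/apisix-data-plane ef-external/keycloak $*"
    awk -v allow="$allow" '
        BEGIN { n = split(allow, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
        NF < 2 || $1 == "NAMESPACE" { next }      # skip blanks and header row
        {
            id = $1 "/" $2
            if (id in ok) next
            # Anything still in the expertflow namespace should have been
            # deleted in the prerequisites step; the rest needs a manual look.
            reason = ($1 == "expertflow") ? "LEFTOVER" : "REVIEW"
            printf "%s %s class=%s\n", reason, id, $3
        }'
}

# Constructed sample: the two rows from this page plus two hypothetical ones.
sample_listing() {
    cat <<'EOF'
NAMESPACE     NAME                          CLASS   HOSTS    ADDRESS         PORTS     AGE
ef-external   apisix-data-plane             nginx   <FQDN>   192.168.2.243   80, 443   7d3h
ef-external   keycloak                      nginx   <FQDN>   192.168.2.243   80, 443   9d
expertflow    ef-cx-agent-manager-ingress   nginx   <FQDN>   192.168.2.243   80, 443   30d
ef-external   superset                      nginx   <FQDN>   192.168.2.243   80, 443   9d
EOF
}

# Live use: kubectl get ing -A --no-headers | unexpected_ingresses ef-external/superset
sample_listing | unexpected_ingresses
```

An empty result means only the allow-listed ingresses exist; a LEFTOVER line names an Ingress from the prerequisites delete list that is still present.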