All external access to Fusion services should be routed through the Fusion proxy service, which serves as an API gateway and provides authentication and authorization. The most common approach is to set up a Kubernetes Ingress that routes requests to Fusion services to the proxy service as shown in the example ingress definition below. Moreover, it is also common to do TLS termination at the Ingress so that all traffic to/from the K8s cluster is encrypted but internal requests happen over unencrypted HTTP.
apiVersion: v1 items: - apiVersion: extensions/v1beta1 kind: Ingress metadata: annotations: ... labels: ... name: <RELEASE>-api-gateway namespace: <NAMESPACE> spec: rules: - host: <HOSTNAME> http: paths: - backend: serviceName: proxy servicePort: 6764 path: "/*" tls: - hosts: - <HOSTNAME> secretName: <RELEASE>-api-gateway-tls-secret status: loadBalancer: ingress: - ip: <SOME_IP>
If running on GKE or AKS, the setup scripts in the
fusion-cloud-native repo provide the option to create the Ingress and TLS cert (using Let’s Encrypt). Otherwise, refer your specific K8s provider’s documentation on creating an Ingress and TLS certificate.