Repo to collect the things I do to practice with Istio.
This guide is written with the assumption that the reader already understands and uses Docker and Kubernetes.
The guide has been developed on Linux and macOS. It has not been tested on Windows, so your mileage may vary there.
This guide uses tools that you can run on your local development machine. For a version that uses AWS EKS, go here
You need the following tools installed. Links have been provided to documentation on how to install them.
```shell
git clone https://github.com/RothAndrew/istio-practice.git
cd istio-practice
kind create cluster --config kind-config.yaml
```
Your kube context should be switched to the new cluster automatically. Run `kubectl get nodes` to make sure.
- Install the operator
  ```shell
  istioctl operator init
  ```
- Install the Istio `demo` configuration profile (the `demo` profile exists to showcase features with modest resources; it is not a hardened production setup)
  ```shell
  kubectl create ns istio-system
  kubectl apply -f - <<EOF
  apiVersion: install.istio.io/v1alpha1
  kind: IstioOperator
  metadata:
    namespace: istio-system
    name: example-istiocontrolplane
  spec:
    profile: demo
  EOF
  ```
Note: This costs actual money (around $5 per month per LoadBalancer if you keep it running)
- Set up a DigitalOcean account and create an access token
- Save the token in a text file. Treat it like a password: it grants write access to your whole DigitalOcean account, so keep the file outside the repo and readable only by you.
- Install Inlets using `arkade`
  ```shell
  TOKEN_FILE="PathToYourTokenFileHere"
  arkade install inlets-operator \
    --helm3 \
    --provider digitalocean \
    --region lon1 \
    --token-file "$TOKEN_FILE"
  ```
- Wait for the operator to automatically create a DigitalOcean droplet. It is ready when the `istio-ingressgateway` service in namespace `istio-system` shows a public IP address under EXTERNAL-IP instead of `<pending>`.
- Deploy the app
  ```shell
  kubectl create ns bookinfo
  kubectl label ns bookinfo "istio-injection=enabled"
  kubectl -n bookinfo apply -f "https://raw.githubusercontent.com/istio/istio/master/samples/bookinfo/platform/kube/bookinfo.yaml"
  ```
  Note that these manifests are pulled from the `master` branch, so they can change under you; pin the URL to the release tag matching your `istioctl` version if you want a reproducible setup.
- Create a Gateway and VirtualService
  ```shell
  kubectl -n bookinfo apply -f "https://raw.githubusercontent.com/istio/istio/master/samples/bookinfo/networking/bookinfo-gateway.yaml"
  ```
- Ensure the app is reachable from the internet by going to `http://<YourPublicIPAddress>/productpage`. Use the public IP address associated with the `istio-ingressgateway` service.
- Refresh the page a few times. Notice that the star ratings switch between black stars, red stars and no stars at all. This is because there are 3 versions of the "reviews" service and requests are spread across them. Later we will use destination rules to fix that.
To enforce mutual TLS mesh-wide, so that every sidecar in the mesh rejects plaintext from its peers, apply a `PeerAuthentication` named `default` in `istio-system`. That namespace is the mesh's root namespace, which is what makes the policy apply mesh-wide:

```shell
kubectl apply -n istio-system -f - <<EOF
apiVersion: "security.istio.io/v1beta1"
kind: "PeerAuthentication"
metadata:
  name: "default"
spec:
  mtls:
    mode: STRICT
EOF
```

Until you do this the `demo` profile runs in PERMISSIVE mode: sidecars accept both mTLS and plaintext, so a pod without a sidecar can still talk to meshed services unencrypted. Once STRICT is on, any pod without a sidecar (including anything in a namespace you have not labelled for injection) can no longer reach meshed services.
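The mesh-wide policy above is the coarse setting; in practice you usually need to scope exceptions while workloads are being migrated into the mesh. The following is an added example (not from this repo) showing how `PeerAuthentication` policies layer: a workload-level policy overrides a namespace-level one, which overrides the mesh-wide one. The `legacy` namespace, the `productpage` metrics port `9090` and the policy names are assumptions for illustration; the bookinfo sample itself only serves on port 9080.

```yaml
# Added example, not part of the original page or the Istio samples.
# 1. Mesh-wide default. Must be named "default" and live in the root
#    namespace (istio-system unless meshConfig.rootNamespace says otherwise).
apiVersion: security.istio.io/v1beta1
kind: PeerAuthentication
metadata:
  name: default
  namespace: istio-system
spec:
  mtls:
    mode: STRICT
---
# 2. Namespace-level override for a hypothetical namespace "legacy" whose
#    pods are not injected yet. PERMISSIVE accepts both mTLS and plaintext,
#    so callers keep working during the migration. The namespace policy
#    takes precedence over the mesh-wide one for workloads in "legacy".
apiVersion: security.istio.io/v1beta1
kind: PeerAuthentication
metadata:
  name: default
  namespace: legacy
spec:
  mtls:
    mode: PERMISSIVE
---
# 3. Workload-level override in bookinfo: keep STRICT for productpage's
#    application traffic, but allow plaintext only on an assumed metrics
#    port 9090 that an out-of-mesh scraper reads. portLevelMtls needs a
#    selector, and the key is the container port, not the Service port.
apiVersion: security.istio.io/v1beta1
kind: PeerAuthentication
metadata:
  name: productpage-metrics
  namespace: bookinfo
spec:
  selector:
    matchLabels:
      app: productpage
  mtls:
    mode: STRICT
  portLevelMtls:
    9090:
      mode: PERMISSIVE
```

The point of scoping exceptions this narrowly is that a PERMISSIVE setting is a plaintext hole: keep it on the smallest selector that still unblocks the migration, and delete it once the workload (or scraper) has a sidecar.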
This section is WIP...
Next, let's configure Istio to accept HTTPS traffic, and to redirect HTTP traffic to HTTPS.
- Update Istio's configuration to turn on SDS and HTTPS
  ```shell
  kubectl apply -f - <<EOF
  apiVersion: install.istio.io/v1alpha1
  kind: IstioOperator
  metadata:
    namespace: istio-system
    name: example-istiocontrolplane
  spec:
    profile: demo
    values:
      gateways:
        istio-ingressgateway:
          sds:
            enabled: true
      global:
        k8sIngress:
          enabled: true
          enableHttps: true
          gatewayName: ingressgateway
  EOF
  ```
- Install `cert-manager`
  ```shell
  arkade install cert-manager
  ```
- TBD
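The remaining step is still TBD on this page. As an added example (not the repo's own step), this is the Gateway shape that the SDS/HTTPS settings above enable: it replaces the plain-HTTP `bookinfo-gateway` from `bookinfo-gateway.yaml` with one that serves HTTPS and answers HTTP with a redirect. The hostname `bookinfo.example.com` and the TLS secret name `bookinfo-cert` are assumptions; the secret must exist in `istio-system` (the ingress gateway's namespace), for instance as the `secretName` of a cert-manager `Certificate`, and the gateway reads it over SDS.

```yaml
# Added example, not part of the original page. Assumes a TLS secret
# "bookinfo-cert" in istio-system covering bookinfo.example.com.
apiVersion: networking.istio.io/v1alpha3
kind: Gateway
metadata:
  name: bookinfo-gateway      # same name as the sample, so the sample
  namespace: bookinfo         # VirtualService keeps binding to it
spec:
  selector:
    istio: ingressgateway     # the demo profile's ingress gateway pods
  servers:
  - port:
      number: 80
      name: http
      protocol: HTTP
    hosts:
    - "bookinfo.example.com"  # assumed hostname
    tls:
      httpsRedirect: true     # plain HTTP gets a 301 to https://, nothing is served in clear
  - port:
      number: 443
      name: https
      protocol: HTTPS
    hosts:
    - "bookinfo.example.com"
    tls:
      mode: SIMPLE            # server-side TLS only; clients are not asked for certs
      credentialName: bookinfo-cert   # secret fetched via SDS from istio-system
      minProtocolVersion: TLSV1_2     # refuse TLS 1.0/1.1 handshakes
```

With `httpsRedirect` on the port-80 server, there is no code path that serves `/productpage` over plain HTTP, which is the behaviour the section is aiming for. The `credentialName` lookup is exactly what `sds.enabled: true` in the IstioOperator above provides; without SDS the gateway cannot load the secret.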
- Delete the kind cluster
  ```shell
  kind delete cluster
  ```
- Delete the DigitalOcean droplet. Deleting the cluster does not remove the droplet the operator created, so check the DigitalOcean console, delete it to stop the charges, and revoke the access token you created for Inlets.