istio-practice

Repo to collect the things I do to practice with Istio.

This guide is written with the assumption that the reader already understands and uses Docker and Kubernetes.

The guide has been developed using Linux and macOS. Not so sure about Windows. Your mileage may vary.

This guide uses tools that you can run on your local development machine. For a version that uses AWS EKS, go here

Prerequisites

You need the following tools installed. Links have been provided to documentation on how to install them.

Clone this repository

git clone https://github.com/RothAndrew/istio-practice.git
cd istio-practice

Create a Kubernetes cluster using kind

kind create cluster --config kind-config.yaml

Your kubectl context should be switched to the new cluster automatically. Run kubectl get nodes to make sure.

Install Istio using Istio Operator

  1. Install the operator

    istioctl operator init
  2. Install the Istio demo configuration profile

    kubectl create ns istio-system
    kubectl apply -f - <<EOF
    apiVersion: install.istio.io/v1alpha1
    kind: IstioOperator
    metadata:
      namespace: istio-system
      name: example-istiocontrolplane
    spec:
      profile: demo
    EOF

Set up Inlets to get a public IP for the Ingress Gateway

Note: This costs actual money (around $5 per month per LoadBalancer if you keep it running)

  1. Set up a DigitalOcean account and create an access token

  2. Save the token in a text file

  3. Install Inlets using arkade

    TOKEN_FILE="PathToYourTokenFileHere"
    arkade install inlets-operator \
      --helm3 \
      --provider digitalocean \
      --region lon1 \
      --token-file "$TOKEN_FILE"
  4. Wait for the operator to automatically create a DigitalOcean droplet. You'll know it is ready when the istio-ingressgateway service in the istio-system namespace stops showing Pending and shows a public IP address.

BookInfo Demo App

  1. Deploy the app

    kubectl create ns bookinfo
    kubectl label ns bookinfo "istio-injection=enabled"
    kubectl -n bookinfo apply -f "https://raw.githubusercontent.com/istio/istio/master/samples/bookinfo/platform/kube/bookinfo.yaml"
  2. Create a Gateway and VirtualService

    kubectl -n bookinfo apply -f "https://raw.githubusercontent.com/istio/istio/master/samples/bookinfo/networking/bookinfo-gateway.yaml"
  3. Ensure the app is reachable from the internet by going to http://<YourPublicIPAddress>/productpage. Use the public IP address associated with the istio-ingressgateway service.

  4. Refresh the page a few times. Notice that the star ratings change between black stars, red stars, and no stars at all. This is because there are 3 versions of the "reviews" service. Later we will use destination rules to fix that.

Mutual TLS

To enforce mTLS mesh-wide for all workloads in the Istio mesh, run

kubectl apply -n istio-system -f - <<EOF
apiVersion: "security.istio.io/v1beta1"
kind: "PeerAuthentication"
metadata:
  name: "default"
spec:
  mtls:
    mode: STRICT
EOF
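The mesh-wide STRICT policy above is only the default: a namespace-level or workload-level PeerAuthentication, or a portLevelMtls entry, can quietly downgrade individual workloads to PERMISSIVE or DISABLE, so it is worth checking what Istio will actually enforce. The following Python audit is an added example, not part of this repo, that resolves the effective mode per workload port using Istio's precedence rules (workload policy over namespace policy over mesh policy, with UNSET inheriting from the level above) and lists everything that is not STRICT. The input is a constructed list shaped like the parsed output of kubectl get peerauthentication -A -o json; the legacy namespace, the ratings-metrics policy and the workload list are hypothetical.

```python
# Constructed sample: the parsed form of `kubectl get peerauthentication -A -o json`
# (not from a real cluster): the README's mesh-wide STRICT policy plus two
# hypothetical exceptions of the kind an audit should surface.
POLICIES = [
    {"metadata": {"name": "default", "namespace": "istio-system"},
     "spec": {"mtls": {"mode": "STRICT"}}},
    {"metadata": {"name": "default", "namespace": "legacy"},
     "spec": {"mtls": {"mode": "PERMISSIVE"}}},
    {"metadata": {"name": "ratings-metrics", "namespace": "bookinfo"},
     "spec": {"selector": {"matchLabels": {"app": "ratings"}},
              "mtls": {"mode": "UNSET"},
              "portLevelMtls": {"9080": {"mode": "DISABLE"}}}},
]
WORKLOADS = [  # constructed: (namespace, workload name, pod labels, port)
    ("bookinfo", "productpage", {"app": "productpage"}, 9080),
    ("bookinfo", "ratings", {"app": "ratings"}, 9080),
    ("bookinfo", "ratings", {"app": "ratings"}, 9443),
    ("legacy", "old-api", {"app": "old-api"}, 8080),
]

def effective_mtls_mode(policies, namespace, labels, port=None):
    """Mode Istio enforces on one workload port. Most specific wins: workload
    policy (selector matches) > namespace policy (no selector) > mesh policy
    (no selector, root ns) > built-in PERMISSIVE. UNSET inherits from above."""
    mesh = ns = wl = None
    for p in policies:
        pns, spec = p["metadata"]["namespace"], p["spec"]
        sel = spec.get("selector", {}).get("matchLabels")
        if sel is None and pns == "istio-system":  # assumption: default root ns
            mesh = spec
        elif sel is None and pns == namespace:
            ns = spec
        elif sel and pns == namespace and all(labels.get(k) == v for k, v in sel.items()):
            wl = spec
    chain = []  # candidate modes, most specific first
    if wl is not None:
        chain.append(wl.get("portLevelMtls", {}).get(str(port), {}).get("mode"))
        chain.append(wl.get("mtls", {}).get("mode"))
    chain += [s.get("mtls", {}).get("mode") for s in (ns, mesh) if s is not None]
    return next((m for m in chain if m and m != "UNSET"), "PERMISSIVE")

def audit(policies, workloads):
    """Return (namespace, name, port, mode) for each port not enforced as STRICT."""
    findings = []
    for ns, name, labels, port in workloads:
        mode = effective_mtls_mode(policies, ns, labels, port)
        if mode != "STRICT":
            findings.append((ns, name, port, mode))
    return findings
```

Calling audit(POLICIES, WORKLOADS) reports the ratings port 9080 (DISABLE) and the legacy workload (PERMISSIVE); everything else inherits STRICT from the mesh policy.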

HTTPS (Optional, requires inlets-pro license)

This section is WIP...

Next, let's configure Istio to accept HTTPS traffic, and to redirect HTTP traffic to HTTPS.

  1. Update istio's configuration to turn on SDS and HTTPS

    kubectl apply -f - <<EOF
    apiVersion: install.istio.io/v1alpha1
    kind: IstioOperator
    metadata:
      namespace: istio-system
      name: example-istiocontrolplane
    spec:
      profile: demo
      values:
        gateways:
          istio-ingressgateway:
            sds:
              enabled: true
        global:
          k8sIngress:
            enabled: true
            enableHttps: true
            gatewayName: ingressgateway
    EOF
  2. Install cert-manager

    arkade install cert-manager
  3. TBD

Cleanup

  1. Delete the kind cluster

    kind delete cluster
  2. Delete the DigitalOcean droplet