istio-practice

Repo to collect the things I do to practice with Istio.

This guide is written with the assumption that the reader already understands and uses Docker and Kubernetes.

The guide has been developed using Linux and MacOS. Not so sure about Windows. Your mileage may vary.

This guide uses tools that you can run on your local development machine. For a version that uses AWS EKS, go here

Prerequisites

You need the following tools installed. Links have been provided to documentation on how to install them.

• docker
• kubectl
• kind
• istioctl
• helm 3+
• arkade

Clone this repository

git clone https://github.com/RothAndrew/istio-practice.git
cd istio-practice

Create a Kubernetes cluster using kind

kind create cluster --config kind-config.yaml

Your kube context should automatically be switched. Run kubectl get nodes to make sure.

Install Istio using Istio Operator

1. Install the operator

   istioctl operator init

2. Install the Istio demo configuration profile

   kubectl create ns istio-system
   kubectl apply -f - <<EOF
   apiVersion: install.istio.io/v1alpha1
   kind: IstioOperator
   metadata:
     namespace: istio-system
     name: example-istiocontrolplane
   spec:
     profile: demo
   EOF

Set up Inlets to get a public IP for the Ingress Gateway

Note: This costs actual money (around $5 per month per LoadBalancer if you keep it running)

1. Set up a DigitalOcean account and create an access token

2. Save the token in a text file

3. Install Inlets using arkade

   TOKEN_FILE="PathToYourTokenFileHere"
   arkade install inlets-operator \
     --helm3 \
     --provider digitalocean \
     --region lon1 \
     --token-file "$TOKEN_FILE"

4. Wait for the operator to automatically create a DigitalOcean droplet. You'll know when it is ready when the istio-ingressgateway service in namespace istio-system transitions from Pending to Active and shows a public IP address.

BookInfo Demo App

1. Deploy the app

   kubectl create ns bookinfo
   kubectl label ns bookinfo "istio-injection=enabled"
   kubectl -n bookinfo apply -f "https://raw.githubusercontent.com/istio/istio/master/samples/bookinfo/platform/kube/bookinfo.yaml"

2. Create a Gateway and VirtualService

   kubectl -n bookinfo apply -f "https://raw.githubusercontent.com/istio/istio/master/samples/bookinfo/networking/bookinfo-gateway.yaml"

3. Ensure the app is reachable from the internet by going to http://<YourPublicIPAddress>/productpage. Use the public IP address associated with the istio-ingressgateway service.

4. Refresh the page a few times. Notice that the stars ratings change from black to red and disappear. This is because there are 3 versions of the "reviews" service. Later we will use destination rules to fix that.

Mutual TLS

To force mTLS cluster-wide for all services managed in the istio mesh, run

kubectl apply -n istio-system -f - <<EOF
apiVersion: "security.istio.io/v1beta1"
kind: "PeerAuthentication"
metadata:
  name: "default"
spec:
  mtls:
    mode: STRICT
EOF

HTTPS (Optional, requires inlets-pro license)

This section is WIP...

Next, let's configure Istio to accept HTTPS traffic, and to redirect HTTP traffic to HTTPS.

1. Update istio's configuration to turn on SDS and HTTPS

   kubectl apply -f - <<EOF
   apiVersion: install.istio.io/v1alpha1
   kind: IstioOperator
   metadata:
     namespace: istio-system
     name: example-istiocontrolplane
   spec:
     profile: demo
     values:
       gateways:
         istio-ingressgateway:
           sds:
             enabled: true
       global:
         k8sIngress:
           enabled: true
           enableHttps: true
           gatewayName: ingressgateway
   EOF

2. Install cert-manager

   arkade install cert-manager

3. TBD

Cleanup

1. Delete the kind cluster

   kind delete cluster

2. Delete the DigitalOcean droplet