Istio Operator Package

For mTLS with NGINX

Ingress Controller NGINX

  1. Label the ingress-nginx namespace with `istio-injection=enabled`.
  2. Create the following CRD:

```yaml
apiVersion: "security.istio.io/v1beta1"
kind: "PeerAuthentication"
metadata:
  name: "default"
spec:
  mtls:
    mode: PERMISSIVE
```

  3. Add the following annotations to the DaemonSet under /spec/template:

```yaml
annotations:
  traffic.sidecar.istio.io/excludeInboundPorts: 80,443
  traffic.sidecar.istio.io/includeInboundPorts: ""
```

Microservice with mTLS strict

  1. In the namespace of your applications, create this CRD:

```yaml
apiVersion: "security.istio.io/v1beta1"
kind: "PeerAuthentication"
metadata:
  name: "default"
spec:
  mtls:
    mode: STRICT
```

  2. For each Ingress you create to expose your service, add these two annotations to it:

```yaml
# this is the way: one Service, one Ingress, to make mTLS work with the annotations above
nginx.ingress.kubernetes.io/service-upstream: "true"
nginx.ingress.kubernetes.io/upstream-vhost: productpage.test.svc.cluster.local
```

This will enable the traffic from the ingress to a service deployed in a namespace with mTLS in STRICT mode.
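As an added check (example code, not part of the istio-operator package): a small audit that, for each Ingress whose backend namespace has a STRICT `default` PeerAuthentication, verifies the two annotations above are present and that `upstream-vhost` is the backend Service's cluster-local FQDN. Manifests are assumed to be already loaded as dicts (for example via `yaml.safe_load`); the sample objects below are constructed.

```python
# Added example, not part of the istio-operator package: audit the Ingress +
# PeerAuthentication combination described above. Manifests are assumed to be
# already loaded as dicts (e.g. via yaml.safe_load); samples below are constructed.
UPSTREAM = "nginx.ingress.kubernetes.io/service-upstream"
VHOST = "nginx.ingress.kubernetes.io/upstream-vhost"

def mtls_mode(peer_auths, namespace):
    """mtls.mode of the 'default' PeerAuthentication in a namespace, or None."""
    for pa in peer_auths:
        meta = pa.get("metadata", {})
        if meta.get("name") == "default" and meta.get("namespace") == namespace:
            return pa.get("spec", {}).get("mtls", {}).get("mode")
    return None

def audit_ingress(ingress, peer_auths):
    """Findings for one networking.k8s.io/v1 Ingress whose backend namespace is STRICT."""
    ns = ingress["metadata"]["namespace"]
    if mtls_mode(peer_auths, ns) != "STRICT":
        return []  # in PERMISSIVE/unset namespaces plain HTTP from nginx is still accepted
    findings = []
    ann = ingress["metadata"].get("annotations", {})
    if ann.get(UPSTREAM) != "true":
        findings.append(f'{UPSTREAM} must be "true" (route via ClusterIP so the sidecar originates mTLS)')
    backends = {p["backend"]["service"]["name"]
                for rule in ingress["spec"].get("rules", [])
                for p in rule.get("http", {}).get("paths", [])}
    if len(backends) != 1:
        findings.append("expected exactly one backend Service per Ingress")
    else:
        expected = f"{backends.pop()}.{ns}.svc.cluster.local"
        if ann.get(VHOST) != expected:
            findings.append(f"{VHOST} should be {expected}")
    return findings

# Constructed sample objects (shape of kubectl get -o json, trimmed).
PEER_AUTHS = [{"metadata": {"name": "default", "namespace": "test"},
               "spec": {"mtls": {"mode": "STRICT"}}}]
RULES = [{"http": {"paths": [{"path": "/", "pathType": "Prefix",
          "backend": {"service": {"name": "productpage", "port": {"number": 9080}}}}]}}]
GOOD_INGRESS = {"metadata": {"namespace": "test", "annotations": {
                    UPSTREAM: "true", VHOST: "productpage.test.svc.cluster.local"}},
                "spec": {"rules": RULES}}
BAD_INGRESS = {"metadata": {"namespace": "test", "annotations": {VHOST: "productpage"}},
               "spec": {"rules": RULES}}

if __name__ == "__main__":
    for name, ing in (("good", GOOD_INGRESS), ("bad", BAD_INGRESS)):
        print(name, audit_ingress(ing, PEER_AUTHS) or "OK")
```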

Enable Tracing for application using NGINX ingress controller

It is tricky to preserve the NGINX ingress functionality while keeping the advantages of Istio tracing, but it is possible.

Given the application "hello" in the namespace "test", do the following:

  1. Create a VirtualService for your app:

```yaml
apiVersion: networking.istio.io/v1beta1
kind: VirtualService
metadata:
  name: hello
  namespace: test
spec:
  gateways:
    - hello-gateway
  hosts:
    - "*"
  http:
    - match:
        - uri:
            exact: /productpage
        - uri:
            prefix: /static
        - uri:
            exact: /login
        - uri:
            exact: /logout
        - uri:
            prefix: /api/v1/products
      route:
        - destination:
            host: productpage # => service name of your app
            port:
              number: 9080
```

  2. Create the DestinationRule for your app:

```yaml
apiVersion: networking.istio.io/v1beta1
kind: DestinationRule
metadata:
  name: hello
  namespace: test
spec:
  host: productpage
  subsets:
    - labels:
        version: v1
      name: v1
```

  3. Create an ExternalName Service that points to the istio-ingressgateway Service (which is deployed in a separate namespace):

```yaml
kind: Service
apiVersion: v1
metadata:
  name: hello-istio-ingress
spec:
  type: ExternalName
  externalName: istio-ingressgateway.istio-system.svc.cluster.local
```

  4. Update your Ingress accordingly:

```yaml
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  annotations:
    kubernetes.io/ingress.class: nginx
    nginx.ingress.kubernetes.io/service-upstream: "true"
    nginx.ingress.kubernetes.io/upstream-vhost: productpage # => the name of the VirtualService that the ingress gateway expects to match
  name: productpage
  namespace: test
spec:
  rules:
    - host: productpage.sighup-staging.localdomain
      http:
        paths:
          - backend:
              service:
                name: hello-istio-ingress # the name of the ExternalName Service created above
                port:
                  number: 80
            path: /
            pathType: Prefix
```

This is the resulting request flow:

[Figure: nginx-istio-flow]