Merge pull request #10 from tetrateio/1.7.x-release
1.7.x updates
smarunich authored Oct 26, 2023
2 parents 1b2cf4a + 9017b41 commit 1d07761
Showing 7 changed files with 479 additions and 424 deletions.
150 changes: 64 additions & 86 deletions README.md
@@ -1,6 +1,6 @@
# TSB Demo Helm Installation

## Tetrate Service Bridge (TSB) 1.6.0
## Tetrate Service Bridge (TSB) 1.7.X
Review the TSB components in the docs [here](https://docs.tetrate.io/service-bridge/1.6.x/en-us/setup/components). This page will explain in details TSB components and external dependencies that you have to provision and connect to be able to run TSB.

## Firewall Rules Requirements
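Review bot: the heading in this hunk moves to 1.7.X, but the components link on the very next line still points at `https://docs.tetrate.io/service-bridge/1.6.x/en-us/setup/components`; update it to the 1.7.x (or unversioned) docs path, as the later hunks do for the tctl guide, so a 1.7 reader is not sent to 1.6 component requirements. The heading also spells the version `1.7.X` while every `VERSION` export below says `1.7.2`; pick one form.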
@@ -18,9 +18,9 @@ Please refer to [Certificates Setup](https://docs.tetrate.io/service-bridge/1.6.

```sh
export FOLDER="."
export TSB_FQDN="r160helm.sandbox.tetrate.io"
export TSB_FQDN="r17xhelm.sandbox.tetrate.io"
export ORG="tetrate"
export VERSION="1.6.0"
export VERSION="1.7.2"
./certs-gen/certs-gen.sh
```

@@ -29,15 +29,14 @@ The output will consist of:
- `ca.crt` - self-signed CA
- `tsb_certs.crt, tsb_certs.key` - TSB UI certificate
- `xcp-central-cert.crt, xcp-central-cert.key` - XCP Central certificate
- `istiod_intermediate_ca.crt` - Custom CA certificate for istiod

### Prepare Helm values for Management Plane installation - `managementplane_values.yaml`

```sh
export FOLDER="."
export REGISTRY="gcr.io/r160helm-hqdp-1"
export REGISTRY="gcr.io/r17xhelm-hqdp-1"
export ORG="tetrate"
export VERSION="1.6.0"
export VERSION="1.7.2"
export ADMIN_PASSWORD="Tetrate123"
./prep_managementplane_values.sh
cat managementplane_values.yaml
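Review bot: `export ADMIN_PASSWORD="Tetrate123"` survives as a literal in the README and the next line `cat managementplane_values.yaml` prints the rendered values file, so the admin password ends up in both the repository and terminal scrollback. Read it from the environment or a secret store and mark the literal as demo-only. Dropping `istiod_intermediate_ca.crt` from the certs-gen output list is consistent with the certs-gen.sh change further down in this PR.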
@@ -57,43 +56,42 @@ helm install mp tetrate-tsb-helm/managementplane -n tsb \

```sh
❯ helm ls -A
NAME NAMESPACE REVISION UPDATED STATUS CHART APP VERSION
managementplane tsb 1 2023-03-06 22:30:56.640144 -0500 EST deployed managementplane-1.6.0 1.6.0
NAME NAMESPACE REVISION UPDATED STATUS CHART APP VERSION
mp tsb 1 2023-10-25 21:18:10.768315 -0400 EDT deployed managementplane-1.7.2 1.7.2

> kubectl get pod -n tsb
NAME READY STATUS RESTARTS AGE
central-596fc4cfcf-dwgvf 1/1 Running 0 3m52s
elasticsearch-0 1/1 Running 0 9m27s
envoy-764f68b69f-2qqq8 1/1 Running 0 8m41s
envoy-764f68b69f-jz4zx 1/1 Running 0 8m42s
envoy-764f68b69f-nkcdk 1/1 Running 0 85s
iam-84c66848bc-k8s7z 1/1 Running 0 8m42s
ldap-899b76846-rdhwv 1/1 Running 0 9m26s
mpc-8548678f5-z2c87 1/1 Running 6 (5m32s ago) 8m42s
oap-cc9bd8949-hxpzr 1/1 Running 0 8m41s
otel-collector-558c64499c-hfjwt 1/1 Running 0 8m41s
postgres-85cc4868f6-r78lt 1/1 Running 0 9m27s
tsb-598c577f64-ndzh5 1/1 Running 0 8m42s
tsb-operator-management-plane-5d774dc978-5h446 1/1 Running 0 9m55s
web-5b94dbb867-9dmpm 1/1 Running 0 8m41s
xcp-operator-central-c85b549f4-zmz6w 1/1 Running 2 (4m29s ago) 8m42s

NAME READY STATUS RESTARTS AGE
central-586695f45f-v68g8 1/1 Running 0 22s
elasticsearch-0 1/1 Running 0 3m30s
envoy-5d8d8d9656-gcn68 1/1 Running 0 79s
envoy-5d8d8d9656-lwm5x 1/1 Running 0 79s
iam-8d69d4c4c-gdcgt 1/1 Running 0 79s
ldap-64bd7d7c8d-jd25q 1/1 Running 0 3m31s
mpc-c4f64dcfb-tmdbn 1/1 Running 0 79s
oap-7b7d89f86b-7x6z6 1/1 Running 0 79s
otel-collector-5f85668c85-qg7xk 1/1 Running 0 79s
postgres-54589fcf97-rschw 1/1 Running 0 3m31s
teamsync-first-run-4h6mc 0/1 Completed 0 79s
tsb-75545fc964-6vdfj 1/1 Running 0 79s
tsb-operator-management-plane-cb94ddcb-24p48 1/1 Running 0 4m19s
web-5899b6cbcb-9658h 1/1 Running 0 79s
xcp-operator-central-76b8cb66ff-mgft8 1/1 Running 0 79s
❯ kubectl -n tsb get service envoy -o=jsonpath="{.status.loadBalancer.ingress[0]['hostname','ip']}"
20.232.52.49
34.82.201.78
```
## Connect using `tctl`

> https://docs.tetrate.io/service-bridge/1.6.x/en-us/reference/cli/guide/index
> https://docs.tetrate.io/service-bridge/reference/cli/guide/index
After downloading the version for your OS, please run the command 'tctl version' to verify you have 1.6.0.
After downloading the version for your OS, please run the command 'tctl version' to verify you have 1.7.2.

```sh
export TSB_FQDN="r160helm.sandbox.tetrate.io"
export TSB_FQDN="r17xhelm.sandbox.tetrate.io"
export ADMIN_PASSWORD="Tetrate123"


# Consult docs on how to install https://docs.tetrate.io/service-bridge/1.6.x/en-us/setup/tctl_connect
# export VERSION="1.6.0"
# Consult docs on how to install https://docs.tetrate.io/service-bridge/reference/cli/guide/index#installation
# export VERSION="1.7.2"
# export DISTRO="linux-amd64"
# curl -Lo "/usr/local/bin/tctl" "https://binaries.dl.tetrate.io/public/raw/versions/$DISTRO-$VERSION/tctl"

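Review bot: the (commented) install step `curl -Lo "/usr/local/bin/tctl" "https://binaries.dl.tetrate.io/public/raw/versions/$DISTRO-$VERSION/tctl"` drops an executable straight into `/usr/local/bin` with no checksum or signature verification; pair the download with a verification step against a published checksum or signature before it is made executable, since this binary is then used with admin credentials against the management plane. The new `kubectl -n tsb get service envoy` output also commits a live load-balancer address (`34.82.201.78`); replace it with a placeholder, as with the pod hashes it carries no instructional value. Minor: `> kubectl get pod -n tsb` uses a different prompt glyph from the `❯` used on the surrounding commands.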
@@ -107,26 +105,26 @@ tctl config profiles set-current helm

```sh
❯ tctl version
TCTL version: v1.6.0-heads/tags/1.6.0
TSB version: v1.6.0
TCTL version: v1.7.2
TSB version: v1.7.2
❯ tctl get org
NAME DISPLAY NAME DESCRIPTION
pnc pnc
NAME DISPLAY NAME DESCRIPTION
tetrate tetrate
```

## Onboarding Application Cluster into TSB Service Mesh, i.e. Control Plane Deployment on the target cluster

Please refer to [Requirements and Download Page](https://docs.tetrate.io/service-bridge/latest/en-us/setup/requirements-and-download) and [Deploying TSB Control Plane using Helm](https://docs.tetrate.io/service-bridge/latest/en-us/setup/helm/controlplane)
Please refer to [Requirements and Download Page](https://docs.tetrate.io/service-bridge/setup/requirements-and-download) and [Deploying TSB Control Plane using Helm](https://docs.tetrate.io/service-bridge/setup/helm/controlplane)

### Prepare Helm values for Control Plane installation the `controlplane_values.yaml` and `dataplane_values.yaml`
### Prepare Helm values for Control Plane installation the `controlplane_values.yaml`

```sh
export FOLDER="."
export TSB_FQDN="r160helm.sandbox.tetrate.io"
export REGISTRY="gcr.io/r160helm-hqdp-1"
export TSB_FQDN="r17xhelm.sandbox.tetrate.io"
export REGISTRY="gcr.io/swlab17-cwli-1"
export ORG="tetrate"
export CLUSTER_NAME="app-cluster1"
export VERSION="1.6.0"
export VERSION="1.7.2"
./prep_controlplane_values.sh
cat "${CLUSTER_NAME}-controlplane_values.yaml"
```
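Review bot: `REGISTRY` becomes `gcr.io/swlab17-cwli-1` here while the management-plane step above exports `gcr.io/r17xhelm-hqdp-1`; in one walkthrough both planes should pull from the same synced registry, otherwise the control plane can run images that differ from those the management plane was validated with. Either align the two values or state that the application cluster intentionally has its own registry. Style: the new heading "Prepare Helm values for Control Plane installation the `controlplane_values.yaml`" reads awkwardly; "Prepare Helm values for Control Plane installation: `controlplane_values.yaml`" is clearer.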
@@ -139,69 +137,49 @@ helm repo update
helm install cp tetrate-tsb-helm/controlplane -n istio-system \
--create-namespace -f "${CLUSTER_NAME}-controlplane_values.yaml" \
--version $VERSION --devel
helm install dp tetrate-tsb-helm/dataplane -n istio-gateway \
--create-namespace -f dataplane_values.yaml \
--version $VERSION --devel
```

### Install custom ca certificate for istiod for cross-cluster connectivity

Please refer for more details: https://tetrate.io/blog/how-are-certificates-managed-in-istio/

```sh
kubectl create secret generic cacerts -n istio-system \
--from-file=ca-cert.pem="${FOLDER}/istiod_intermediate_ca.crt" \
--from-file=ca-key.pem="${FOLDER}/istiod_intermediate_ca.key" \
--from-file=root-cert.pem="${FOLDER}/ca.crt" \
--from-file=cert-chain.pem="${FOLDER}/istiod_intermediate_ca.crt"
```

### Validate installation

```sh
❯ helm ls -A
NAME NAMESPACE REVISION UPDATED STATUS CHART APP VERSION
cert-manager cert-manager 1 2023-03-06 22:45:00.590569 -0500 EST deployed cert-manager-v1.9.2 v1.9.2
controlplane istio-system 1 2023-03-06 22:56:49.229615 -0500 EST deployed controlplane-1.6.0 1.6.0
dataplane istio-gateway 1 2023-03-06 22:56:59.459548 -0500 EST deployed dataplane-1.6.0 1.6.0
NAME NAMESPACE REVISION UPDATED STATUS CHART APP VERSION
cp istio-system 1 2023-10-25 21:28:13.216254 -0400 -0400 deployed controlplane-1.7.2 1.7.2

❯ kubectl get pod -n istio-system
NAME READY STATUS RESTARTS AGE
edge-8569f6446b-hv4c5 1/1 Running 0 42s
istio-operator-79d6569c5-8qwv8 1/1 Running 0 2m37s
istio-system-custom-metrics-apiserver-5c8d4d5576-trf2x 1/1 Running 0 2m27s
istiod-6b6db55f4-7rsgr 1/1 Running 0 111s
oap-deployment-5459bcffdf-tbb8m 3/3 Running 0 102s
onboarding-operator-7854c6d999-68hw7 1/1 Running 0 2m27s
otel-collector-689f4b8bc9-68j4d 2/2 Running 0 2m27s
tsb-operator-control-plane-7db45c95bc-zqhf5 1/1 Running 0 3m20s
vmgateway-54794c6749-trrh7 1/1 Running 0 111s
xcp-operator-edge-79689d5994-2nb2k 1/1 Running 0 2m27s

❯ kubectl get pod -n istio-gateway
NAME READY STATUS RESTARTS AGE
istio-operator-6f668464f7-z2bv2 1/1 Running 0 2m21s
tsb-operator-data-plane-59c7bd4474-x26xv 1/1 Running 0 3m3s

❯ tctl x status cluster app-cluster2 -o yaml
NAME READY STATUS RESTARTS AGE
edge-7c9846f7cd-jvgn6 1/1 Running 0 2m7s
istio-operator-6bdbbc6c8c-g7gx8 1/1 Running 0 2m8s
istio-operator-prod-stable-6b45d44bd8-gd569 1/1 Running 0 2m8s
istio-system-custom-metrics-apiserver-845fd8ccd4-mbpdn 1/1 Running 0 2m22s
istiod-6999bf6c64-k949j 1/1 Running 0 109s
istiod-prod-stable-6f6cdd8574-d9np2 1/1 Running 0 110s
oap-deployment-6bd4bd8797-r72n9 3/3 Running 0 90s
onboarding-operator-77899d59f4-dhgph 1/1 Running 1 (2m ago) 2m22s
otel-collector-76b7bdcb55-gsm9s 2/2 Running 0 2m22s
tsb-operator-control-plane-6898d66f74-nd7wh 1/1 Running 0 2m56s
vmgateway-7d45b7fc99-bgpqn 1/1 Running 0 101s
wasmfetcher-55487bf44d-b2flb 1/1 Running 0 2m22s
xcp-operator-edge-694dc77c55-dn87j 1/1 Running 0 2m22s

❯ tctl x status cluster app-cluster1 -o yaml
apiVersion: api.tsb.tetrate.io/v2
kind: ResourceStatus
metadata:
name: app-cluster2
organization: pnc
name: app-cluster1
organization: tetrate
spec:
configEvents:
events:
- etag: '"gZxRhi5xlo8="'
timestamp: "2023-03-07T03:56:26.578820917Z"
- etag: '"qbSWRU3JzZQ="'
timestamp: "2023-10-26T01:27:35.724676312Z"
type: XCP_ACCEPTED
- etag: '"gZxRhi5xlo8="'
timestamp: "2023-03-07T03:56:26.548583572Z"
- etag: '"qbSWRU3JzZQ="'
timestamp: "2023-10-26T01:27:35.679592291Z"
type: MPC_ACCEPTED
- etag: '"gZxRhi5xlo8="'
timestamp: "2023-03-07T03:56:25.453170857Z"
- etag: '"qbSWRU3JzZQ="'
timestamp: "2023-10-26T01:27:34.287485286Z"
type: TSB_ACCEPTED
message: Cluster onboarded
status: READY

```
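Review bot: this hunk removes both the `dataplane` Helm install and the entire "Install custom ca certificate for istiod for cross-cluster connectivity" section (the `cacerts` secret assembled from `istiod_intermediate_ca.crt`, `istiod_intermediate_ca.key` and `ca.crt`) without putting anything in their place. With no `cacerts` secret, each cluster's istiod falls back to its own self-signed CA and workload mTLS across onboarded clusters will not validate; if 1.7.x provisions the intermediate CA another way (through control-plane values or the TSB certificate docs), say so where the section stood, and likewise say whether the dataplane chart is no longer required or merely out of scope for this demo. Minor: the new `helm ls` row for `cp` carries a doubled timezone (`-0400 -0400`), a paste artifact, and `cert-manager` disappears from the expected listing, so state whether it is still a prerequisite.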
61 changes: 29 additions & 32 deletions certs-gen/certs-gen.sh
@@ -129,10 +129,7 @@ extendedKeyUsage = serverAuth, clientAuth
subjectAltName = @alt_names
# you will have to use the following DNS name and URI because it will be checked by the TSB
[ alt_names ]
DNS.1 = xcp.tetrate.io
URI.1 = spiffe://xcp.tetrate.io/central
DNS.2 = ${TSB_FQDN}
DNS.3 = ${TSB_FQDN}:9443
EOF

create_cert xcp-central-cert \
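Review bot: `DNS.3 = ${TSB_FQDN}:9443` was never a valid dNSName (a SAN cannot carry a port), so dropping it is correct, but `DNS.2 = ${TSB_FQDN}` goes with it, leaving the XCP central certificate with only `xcp.tetrate.io` and `spiffe://xcp.tetrate.io/central`. The comment directly above says these are the names TSB checks; confirm that 1.7.x edges validate central by the SPIFFE ID or `xcp.tetrate.io` and never by the public FQDN, otherwise cross-cluster XCP connections will fail TLS verification after this change.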
@@ -141,33 +138,33 @@ create_cert xcp-central-cert \
"${FOLDER}/ca.crt" \
"${FOLDER}/ca.key"

cat >"${FOLDER}/istiod_intermediate_ca.cnf" <<EOF
# all the fields in this CNF are just example, Client should follow its own PKI practice to configue it properly. only key useage keycertsign is needed for istio to sign the workload certs
[ req ]
encrypt_key = no
utf8 = yes
default_bits = 4096
default_md = sha256
prompt = no
distinguished_name = req_distinguished_name
req_extensions = req_ext
x509_extensions = req_ext
[ req_distinguished_name ]
countryName = US
stateOrProvinceName = CA
organizationName = Example
commonName = ISTIO Intermediate CA
[ req_ext ]
subjectKeyIdentifier = hash
basicConstraints = critical, CA:true, pathlen:0
keyUsage = critical, digitalSignature, nonRepudiation, keyEncipherment, keyCertSign
subjectAltName = @alt_names
[ alt_names ]
DNS.1 = istiod.istio-system.svc
EOF
# cat >"${FOLDER}/istiod_intermediate_ca.cnf" <<EOF
# # all the fields in this CNF are just example, Client should follow its own PKI practice to configue it properly. only key useage keycertsign is needed for istio to sign the workload certs
# [ req ]
# encrypt_key = no
# utf8 = yes
# default_bits = 4096
# default_md = sha256
# prompt = no
# distinguished_name = req_distinguished_name
# req_extensions = req_ext
# x509_extensions = req_ext
# [ req_distinguished_name ]
# countryName = US
# stateOrProvinceName = CA
# organizationName = Example
# commonName = ISTIO Intermediate CA
# [ req_ext ]
# subjectKeyIdentifier = hash
# basicConstraints = critical, CA:true, pathlen:0
# keyUsage = critical, digitalSignature, nonRepudiation, keyEncipherment, keyCertSign
# subjectAltName = @alt_names
# [ alt_names ]
# DNS.1 = istiod.istio-system.svc
# EOF

create_cert istiod_intermediate_ca \
"${FOLDER}" \
"${FOLDER}/istiod_intermediate_ca.cnf" \
"${FOLDER}/ca.crt" \
"${FOLDER}/ca.key"
# create_cert istiod_intermediate_ca \
# "${FOLDER}" \
# "${FOLDER}/istiod_intermediate_ca.cnf" \
# "${FOLDER}/ca.crt" \
# "${FOLDER}/ca.key"
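Review bot: the istiod intermediate CA block is commented out rather than deleted, which leaves roughly thirty lines of dead heredoc in the script and a second copy of the recipe that can drift from whatever the docs now recommend; delete it (git history keeps it) or gate it behind an opt-in flag. If it is kept as reference, note that `keyUsage` still lists `digitalSignature, nonRepudiation, keyEncipherment` alongside `keyCertSign`, although the block's own comment says only `keyCertSign` is needed for a signing-only CA, and fix `configue`/`useage`. With this removed, `certs-gen.sh` no longer emits `istiod_intermediate_ca.*`, which matches the README output-list change in this PR.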