Developing a POC for Istio with cert-manager. The configs and source code are for an "Amazon EKS with Istio" POC and are not suitable for production.
Note that the Terraform implementation still needs to be optimized (it is quite a static implementation), since it is focused on maximum readability for learning.
In a scenario where you need to scale the EKS cluster, change the node count.
- Terraform
- AWS Account
- Clone the repo
git clone https://github.com/krishanthisera/istio-certman-poc.git
- cd into the terraform directory and execute terraform plan
Please do mind to change the worker group config in main.tf first.
terraform init
terraform plan -out=istio.tfplan
- Apply terraform plan
terraform apply "istio.tfplan"
Afterwards, grab the name server addresses using the Terraform output and configure your domain registrar to point to your Route53 zone:
terraform output name_servers
- Configure EKS config
terraform output kubectl_config > ~/.kube/config
- Install istioctl
curl -sL https://istio.io/downloadIstioctl | sh -
export PATH=$PATH:$HOME/.istioctl/bin
istioctl x precheck
- The output should be like this:
Checking the cluster to make sure it is ready for Istio installation...
#1. Kubernetes-api
-----------------------
Can initialize the Kubernetes client.
Can query the Kubernetes API Server.
#2. Kubernetes-version
-----------------------
Istio is compatible with Kubernetes: v1.18.9-eks-d1db3c.
#3. Istio-existence
-----------------------
Istio will be installed in the istio-system namespace.
#4. Kubernetes-setup
-----------------------
Can create necessary Kubernetes configurations: Namespace,ClusterRole,ClusterRoleBinding,CustomResourceDefinition,Role,ServiceAccount,Service,Deployments,ConfigMap.
#5. SideCar-Injector
-----------------------
This Kubernetes cluster supports automatic sidecar injection. To enable automatic sidecar injection see https://istio.io/v1.8/docs/setup/additional-setup/sidecar-injection/#deploying-an-app
-----------------------
Install Pre-Check passed! The cluster is ready for Istio installation.
- Install Istio
istioctl install --set profile=default
The output will be like this:
This will install the Istio default profile with ["Istio core" "Istiod" "Ingress gateways"] components into the cluster. Proceed? (y/N) y
✔ Istio core installed
✔ Istiod installed
✔ Ingress gateways installed
✔ Installation complete
- Add the DNS records
- Uncomment route53_records.tf (the sed below strips the leading comment character from every line of the file)
sed 's/^.//g' -i route53_records.tf
- Apply the changes
terraform plan -out=istio.tfplan
terraform apply "istio.tfplan"
- Create the cert-manager namespace (and optionally enable sidecar injection)
kubectl create ns cert-manager
kubectl label namespace cert-manager istio-injection=enabled
- Install cert-manager
kubectl apply -f https://github.com/jetstack/cert-manager/releases/download/v1.1.0/cert-manager.yaml
- Enable Istio proxy (Envoy) sidecar injection and deploy the demo app
kubectl label namespace default istio-injection=enabled
kubectl apply -f demo-app/bookinfo.yaml
- Configure the Gateway and VirtualService - optional
kubectl apply -f demo-app/bookinfo.yaml
kubectl apply -f demo-app/ingress.yaml # Change the port to port 80 prior to running
- Verify using the browser
http://book.d3v0ps.com.au/
- Delete the Gateway resource - optional
kubectl delete -f demo-app/ingress.yaml
- Create the issuer
kubectl apply -f cert-manager-configs/lets-enc-staging-issuer.yaml
- Verify the issuer
kubectl describe issuer -n istio-system
- If the issuer is ready, create istio-autogenerated-k8s-ingress to convert Ingress objects to Istio resources
kubectl apply -f cert-manager-configs/istio-autogenerated-k8s-ingress.yaml
- Create the certificate
kubectl apply -f cert-manager-configs/book-cert.yaml
- Rerun the gateway configs for book-info
kubectl apply -f demo-app/ingress.yaml
- Test the connectivity using the browser
- Create the production issuer
kubectl apply -f cert-manager-configs/lets-enc-prod-issuer.yaml
- Verify the issuer
kubectl describe Issuer -n istio-system letsencrypt-prod
- Create a new certificate referring to the production issuer
kubectl apply -f cert-manager-configs/book-cert-prod.yaml
- Test the connectivity using the browser
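As an added illustration of what the issuer, certificate and gateway steps above wire together (hypothetical manifests, not the files from this repo): the ACME Issuer uses an HTTP01 solver whose challenge Ingress carries the istio class, the Certificate lands its Secret in istio-system so the ingress gateway can read it through SDS, and the Gateway terminates TLS from that Secret with a TLS 1.2 floor. Names, the contact e-mail and the gateway name are placeholders; for production, swap the ACME server and issuer name for the Let's Encrypt production endpoint.

```yaml
apiVersion: cert-manager.io/v1
kind: Issuer
metadata:
  name: letsencrypt-staging
  namespace: istio-system          # same namespace as the ingress gateway
spec:
  acme:
    server: https://acme-staging-v02.api.letsencrypt.org/directory
    email: ops@example.com         # placeholder, use your own contact
    privateKeySecretRef:
      name: letsencrypt-staging-account-key
    solvers:
    - http01:
        ingress:
          class: istio             # challenge Ingress is routed by Istio
---
# The issued Secret must live in istio-system so the gateway can load it via SDS.
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: book-cert
  namespace: istio-system
spec:
  secretName: book-cert-tls
  dnsNames:
  - book.d3v0ps.com.au
  issuerRef:
    name: letsencrypt-staging
    kind: Issuer
---
# Gateway: terminate TLS with the issued cert and refuse anything below TLS 1.2.
apiVersion: networking.istio.io/v1beta1
kind: Gateway
metadata:
  name: bookinfo-gateway           # placeholder name
  namespace: default
spec:
  selector:
    istio: ingressgateway
  servers:
  - port:
      number: 443
      name: https
      protocol: HTTPS
    tls:
      mode: SIMPLE
      credentialName: book-cert-tls   # Secret name from the Certificate above
      minProtocolVersion: TLSV1_2
    hosts:
    - book.d3v0ps.com.au
```

Check readiness with `kubectl get certificate -n istio-system` (READY should be True) before applying the gateway; if the Secret is in any other namespace, the gateway will not find it.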
- Apply the mTLS configuration
kubectl apply -f istio-addons/mTLS.yaml
- Prometheus
- Install Prometheus
kubectl apply -f https://raw.githubusercontent.com/istio/istio/release-1.8/samples/addons/prometheus.yaml
- Access Prometheus
kubectl port-forward svc/prometheus 9090:9090 -n istio-system
- Kiali
Note that Prometheus must be installed for Kiali to operate.
- Install Kiali
kubectl apply -f https://raw.githubusercontent.com/istio/istio/release-1.8/samples/addons/kiali.yaml
- Access Kiali
kubectl port-forward svc/kiali 20001:20001 -n istio-system
- Jaeger
- Install Jaeger
kubectl apply -f https://raw.githubusercontent.com/istio/istio/release-1.8/samples/addons/jaeger.yaml
- Access Jaeger
istioctl dashboard jaeger