4/23/2023

Using Istio Service Mesh To Have mTLS Connections Between Applications

[Figure: Istio security architecture diagram, https://istio.io/latest/docs/concepts/security/arch-sec.svg]



The purpose of this post is to explain how we can have mTLS connections between applications, using the Istio service mesh on a local Minikube cluster.


To learn more about Istio, please refer to this blog post.

Prerequisites: please install the software below on your machine.


I have mentioned the versions that I have used for this setup.


  1. Minikube : 1.30.1

  2. Istioctl : 1.16.4

  3. Helm : 3.11.3

  4. Kubectl : 1.26.0

  5. Jq : 1.6

  6. Cert-manager : 1.11.1



One of the main components of this stack is cert-manager. Cert-manager will manage the full life cycle of certificates from a variety of Issuers.




Installing cert-manager


Setup Helm


helm repo add jetstack https://charts.jetstack.io

helm repo update


Install cert-manager CRDs


kubectl apply -f https://github.com/cert-manager/cert-manager/releases/download/v1.11.1/cert-manager.yaml





Check the installation



Create a cert-manager Issuer and Issuing Certificate





Create the istio-system namespace, where the certificates will be placed.


kubectl create namespace istio-system


An Issuer must be created in the istio-system namespace to sign the Istiod and mesh workload certificates. We'll create a self-signed root CA in our cluster because it's really simple to configure.



kubectl apply -f https://raw.githubusercontent.com/cert-manager/website/master/content/docs/tutorials/istio-csr/example/example-issuer.yaml



Save Root Certificate to a file


kubectl get -n istio-system secret istio-ca -ogo-template='{{index .data "tls.crt"}}' | base64 -d > ca.pem




Create a secret in the cert-manager namespace to hold the root certificate.


kubectl create secret generic -n cert-manager istio-root-ca --from-file=ca.pem=ca.pem



Installing istio-csr



The istio-csr project installs an agent that is responsible for verifying incoming certificate signing requests from Istio mesh workloads, and signs them through cert-manager via a configured Issuer.



helm install -n cert-manager cert-manager-istio-csr jetstack/cert-manager-istio-csr \
  --set "app.tls.rootCAFile=/var/run/secrets/istio-csr/ca.pem" \
  --set "volumeMounts[0].name=root-ca" \
  --set "volumeMounts[0].mountPath=/var/run/secrets/istio-csr" \
  --set "volumes[0].name=root-ca" \
  --set "volumes[0].secret.secretName=istio-root-ca"



You should see that istio-csr was installed successfully.




Installing Istio



We are going to use a custom manifest file to install Istio.


The custom manifest does the following:


  • Disables the CA server in istiod,

  • Ensures that Istio workloads request certificates from istio-csr,

  • Ensures that the istiod certificates and keys are mounted from the Certificate created when installing istio-csr.



curl -sSL https://raw.githubusercontent.com/cert-manager/website/master/content/docs/tutorials/istio-csr/example/istio-config-getting-started.yaml > istio-install-config.yaml


Install istio using custom configuration file.


istioctl install --set profile=demo -f istio-install-config.yaml


Let's enable Istio sidecar injection for the default namespace.


kubectl label namespace default istio-injection=enabled --overwrite

Validating the installation



kubectl get pods -n istio-system




Test mTLS


All workload certificates will now be requested through cert-manager using the configured Issuer.


Let’s deploy two applications and test.


kubectl create ns foo

kubectl label ns/foo istio-injection=enabled


Install these minikube addons


  1. storage-provisioner 

  2. default-storageclass

  3. metrics-server



Run the sample sleep and httpbin workloads.



ISTIO_VERSION=1.16.4


kubectl apply -n foo -f https://raw.githubusercontent.com/istio/istio/release-$ISTIO_VERSION/samples/sleep/sleep.yaml


kubectl apply -n foo -f https://raw.githubusercontent.com/istio/istio/release-$ISTIO_VERSION/samples/httpbin/httpbin.yaml



Verify that the sleep and httpbin deployments have successfully rolled out.





Verify the sidecar proxy was injected for each workload. Each workload pod should show 2/2 containers are READY.


Apply this Istio configuration to make sure that workloads will use mTLS.


kubectl apply -n foo -f - <<EOF
apiVersion: security.istio.io/v1beta1
kind: PeerAuthentication
metadata:
  name: "default"
  namespace: foo
spec:
  mtls:
    mode: STRICT
EOF



Test mTLS from the sleep pod to the httpbin pod. It should return HTTP status code 200.


kubectl -n foo exec -it deploy/sleep -c sleep -- curl -o /dev/null -s -w '%{http_code}\n' http://httpbin.foo:8000/headers
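The two checks above (every pod showing 2/2 READY, and the curl from sleep to httpbin succeeding) can be scripted. The following is an added example, not part of the original post and not code from the Istio or cert-manager projects. It assumes the default trust domain cluster.local and the sample workloads' service accounts (sleep and httpbin), so the client identity that Envoy writes into the X-Forwarded-Client-Cert header is spiffe://cluster.local/ns/foo/sa/sleep; the pod listing and the httpbin /headers responses used below are constructed samples, the Hash value in particular is a placeholder.

```shell
#!/bin/sh
# Added example: offline checks for the mesh verification steps.
# Both functions read their input from stdin so they can be fed either the
# constructed samples below or the real kubectl / curl output.

# Check 1: every pod in the namespace must be Running with both containers
# (application + istio-proxy sidecar) ready, i.e. the READY column is 2/2.
# Input: output of `kubectl get pods -n foo --no-headers`
# (columns: NAME READY STATUS RESTARTS AGE).
all_pods_have_sidecar() {
  awk '
    NF == 0 { next }                                  # skip blank lines
    $2 != "2/2" || $3 != "Running" { bad++ }          # missing sidecar or not running
    END { exit (bad > 0 || NR == 0) ? 1 : 0 }         # fail on any bad pod or empty input
  '
}

# Check 2: a 200 alone does not prove the hop was mTLS. When the request
# arrived over mTLS, the httpbin sidecar adds an X-Forwarded-Client-Cert
# header whose URI= field is the caller's SPIFFE identity, and httpbin
# echoes it back in /headers. Succeed only if that identity is present.
# Input: output of `curl -s http://httpbin.foo:8000/headers` run from sleep.
client_identity_in_xfcc() {
  expected="$1"                                       # e.g. spiffe://cluster.local/ns/foo/sa/sleep
  grep 'X-Forwarded-Client-Cert' \
    | grep -F -e "URI=$expected;" -e "URI=$expected\"" >/dev/null
}

# Constructed sample inputs (pod name suffixes and the Hash are placeholders).
SAMPLE_PODS='httpbin-74fb669cc6-xxxxx   2/2     Running   0          5m
sleep-6d9f8c5f5b-yyyyy     2/2     Running   0          5m'

SAMPLE_PODS_NO_SIDECAR='httpbin-74fb669cc6-xxxxx   2/2     Running   0          5m
sleep-6d9f8c5f5b-yyyyy     1/1     Running   0          5m'

SAMPLE_HEADERS_MTLS='{
  "headers": {
    "Host": "httpbin.foo:8000",
    "User-Agent": "curl/7.88.1",
    "X-Forwarded-Client-Cert": "By=spiffe://cluster.local/ns/foo/sa/httpbin;Hash=PLACEHOLDER;Subject=\"\";URI=spiffe://cluster.local/ns/foo/sa/sleep"
  }
}'

SAMPLE_HEADERS_PLAINTEXT='{"headers": {"Host": "httpbin.foo:8000", "User-Agent": "curl/7.88.1"}}'

SLEEP_ID=spiffe://cluster.local/ns/foo/sa/sleep

# Run the checks against the constructed samples.
if printf '%s\n' "$SAMPLE_PODS" | all_pods_have_sidecar; then
  echo "sidecars: ok"; else echo "sidecars: MISSING"; fi
if printf '%s\n' "$SAMPLE_HEADERS_MTLS" | client_identity_in_xfcc "$SLEEP_ID"; then
  echo "mtls identity: ok"; else echo "mtls identity: NOT PRESENT"; fi

# Live usage against the cluster built in the post:
#   kubectl get pods -n foo --no-headers | all_pods_have_sidecar
#   kubectl -n foo exec deploy/sleep -c sleep -- curl -s http://httpbin.foo:8000/headers \
#     | client_identity_in_xfcc spiffe://cluster.local/ns/foo/sa/sleep
```

The second check is the one worth keeping in a pipeline: with the PeerAuthentication in STRICT mode, a plaintext caller is refused, but a 200 from an injected pod only tells you the request got through, while the URI= field in X-Forwarded-Client-Cert tells you which workload identity the server-side proxy actually authenticated.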




Visualize mTLS


Optionally, you can run Kiali to visualize the mTLS connections.



kubectl apply -f https://raw.githubusercontent.com/istio/istio/release-$ISTIO_VERSION/samples/addons/prometheus.yaml


kubectl apply -f https://raw.githubusercontent.com/istio/istio/release-$ISTIO_VERSION/samples/addons/kiali.yaml




Verify that the Kiali and Prometheus deployments successfully rolled out.


for i in prometheus kiali; do kubectl rollout status -n istio-system deploy/$i; done



Open Kiali dashboard


istioctl dashboard kiali



As in the image below, when you go to the application overview page you can see the traffic graph with a padlock symbol on the arrows.








