This is a repository of my learning results about Istio Service Mesh.

Prerequisites:
- Kubernetes Cluster
- Helm
- Helmfile
Here are the components that are included in this repository:
- Istio
- mTLS
- Ingress Gateway
- Authentication with JWKS
- Kiali Dashboard
- Prometheus
- Grafana
- Jaeger Tracing
1. Clone the repo: `git clone https://github.com/rizalord/belajar-istio.git`
2. Move to the chart directory: `cd belajar-istio/chart`
3. Install all chart dependencies: `helmfile apply --concurrency=1`
4. Set the label on the default namespace: `kubectl label namespace default istio-injection=enabled --overwrite`
5. Install the main chart: `helm install belajar-istio .`
6. Get the status of the Kiali installation: `kubectl get kiali kiali -n istio-system -o jsonpath='{.status}'`
7. Wait until the property `progress.message` is equal to "7. Finished all resource creation".
8. Port-forward the Kiali service: `kubectl port-forward svc/kiali 20001:20001 -n istio-system`
9. Open a browser and go to http://localhost:20001
- Coming soon
While working on this project, I have learned a few things, and here are some of my highlights:
- Istio provides an mTLS feature that secures communication between services. It is enabled by default, with no configuration needed.
- Istio automatically injects a sidecar container into every pod in a namespace that has the label `istio-injection=enabled`. This sidecar container intercepts the traffic and performs the mTLS.
- When we want to add JWT authentication, we can't use the symmetric approach. We have to use the asymmetric approach, which uses JWKS. With this approach, every service that needs authentication has to fetch the JWKS from the JWKS URL. Instead of fetching the JWKS for every incoming request, it's better to cache the JWKS data.
- Istio provides a dashboard called Kiali that visualizes the traffic between services. To install Kiali, we must install Prometheus first. After that we need to install Grafana and Jaeger (optional). After all of those components are installed, we can install Kiali.
- A workload in Istio means a pod, not a deployment.
- A Gateway is basically an Ingress. So when we deploy it (e.g. on GKE), it creates a Load Balancer. Then, when we want outside (public) access to our cluster, we need to create a DNS record that points to the Load Balancer IP.
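The mTLS and JWT/JWKS behaviour described in the highlights above, as added example manifests that are not part of this repository's chart; the issuer, the JWKS URL and the `app: my-api` workload label are placeholders:

```yaml
# PeerAuthentication: require mTLS for every workload in the default namespace
# (STRICT rejects plaintext; Istio's default is PERMISSIVE).
apiVersion: security.istio.io/v1beta1
kind: PeerAuthentication
metadata:
  name: default
  namespace: default
spec:
  mtls:
    mode: STRICT
---
# RequestAuthentication: validate incoming JWTs with the public keys that the
# mesh fetches from the JWKS URL (asymmetric verification, no shared secret).
apiVersion: security.istio.io/v1beta1
kind: RequestAuthentication
metadata:
  name: jwt-auth
  namespace: default
spec:
  selector:
    matchLabels:
      app: my-api                                # placeholder workload label
  jwtRules:
  - issuer: "https://issuer.example.com"         # placeholder issuer
    jwksUri: "https://issuer.example.com/.well-known/jwks.json"  # placeholder JWKS URL
---
# AuthorizationPolicy: RequestAuthentication alone only rejects requests whose
# token is invalid; a request with NO token still passes. Requiring a request
# principal makes a valid JWT mandatory for the selected workload.
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: require-jwt
  namespace: default
spec:
  selector:
    matchLabels:
      app: my-api                                # same placeholder label
  action: ALLOW
  rules:
  - from:
    - source:
        requestPrincipals: ["*"]                 # any principal from a validated JWT
```

Apply with `kubectl apply -f`; a request to `my-api` without an `Authorization: Bearer` header is then denied (403) rather than passed through.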