Service mesh architecture with Istio

Benjamin Sanvoisin — Fri, 17 Jan 2020 13:00:25 +0000

Service mesh offers granular control over your infrastructure network, allowing for smoother deployments, extra security, and observability on all your traffic. These features are useful for fast development rate in agile environment and allow developers to focus on the feature of their application.

Service mesh allows for teams to quickly understand an infrastructure due to standardization of policies. Allowing big infrastructure to easily manage turnover and lose of knowledge.

A couple of service mesh implementation exist like Isitio, Linkerd, Consul, and Kong. We will focus today on Istio which was introduced by Google and IBM in 2017 and is the most featureful service mesh.

Istio is a service mesh that is made up of two planes: the data plane and the control plane.

To find out more about these planes go checkout the rest of the article here : https://www.padok.fr/en/blog/service-mesh-architecture-istio

How to set up HTTPS with Istio and Kubernetes on GKE

Benjamin Sanvoisin — Sat, 07 Dec 2019 10:01:53 +0000

You would typically use annotations on Kubernetes ingress to set up HTTPS and static IP with GKE. Istio set up its own ingress load balancer which is of type ‘Service’ but GKE is not compatible with annotations of that type.
If you are not familiar with Kubernetes you can check out this article : https://www.padok.fr/en/blog/kubernetes-essentials-components-pods-services or if you want to live test this article setup your own Kubernetes cluster on GKE by following this article : https://www.padok.fr/en/blog/kubernetes-google-cloud-terraform-cluster

Cert-Manager with Kubernetes and GCP
You can use cert-manager with Kubernetes to set up HTTPS, the process is fairly straightforward. We’ll go through setting it up.
Setup Istio to work with cert-manager

istioctl manifest apply \
  --set values.gateways.istio-ingressgateway.sds.enabled=true \
  --set values.global.k8sIngress.enabled=true \
  --set values.global.k8sIngress.enableHttps=true \
  --set values.global.k8sIngress.gatewayName=ingressgateway

Setup certificate, make sure to set all env variables

cat <<EOF | kubectl apply -f -
apiVersion: certmanager.k8s.io/v1alpha1
kind: Certificate
metadata:
  name: ingress-cert
  namespace: istio-system
spec:
  secretName: ingress-cert
  issuerRef:
    name: letsencrypt-staging
    kind: ClusterIssuer
  commonName: $INGRESS_DOMAIN
  dnsNames:
  - $INGRESS_DOMAIN
  acme:
    config:
    - http01:
        ingressClass: istio
      domains:
      - $INGRESS_DOMAIN
---
EOF

Done!

If you require a production level certificate you can change the issuerRef name to letsencrypt instead of letsencrypt-staging
For more details on this setup you can go see their official documentation: https://istio.io/docs/tasks/traffic-management/ingress/ingress-certmgr/
And cert-manager documentation: https://docs.cert-manager.io/en/latest/

The rest of the article is avaible here : https://www.padok.fr/en/blog/https-istio-kubernetes

DEV Community: Benjamin Sanvoisin

Service mesh architecture with Istio

How to set up HTTPS with Istio and Kubernetes on GKE