Showcase Istio TLS and ACL via a set of Eclipse Vert.x applications.

## Prerequisites

- OpenShift 3.10 cluster with Istio. For local development, download the latest release from Maistra and run:

  ```bash
  # Set oc to be the Maistra one
  oc cluster up --enable="*,istio"
  oc login -u system:admin
  # Apply a configuration that enables auth
  oc apply -f istio-install.yaml -n istio-operator
  oc get pods -n istio-system -w
  ```

  Wait until the `openshift-ansible-istio-installer-job-xxxx` job has completed. It can take several minutes. The OpenShift console is available on https://127.0.0.1:8443.

- Create a new project/namespace on the cluster. This is where your application will be deployed.

  ```bash
  oc login -u system:admin
  oc adm policy add-cluster-role-to-user admin developer --as=system:admin
  oc adm policy add-scc-to-user privileged -z default -n $(oc project -q)
  oc login -u developer -p developer
  ```

## Build and deploy

Execute the following command to build the project and deploy it to OpenShift:

```bash
mvn clean fabric8:deploy -Popenshift
```

Configuration for FMP may be found both in `pom.xml` and the `src/main/fabric8` files/folders. This configuration is used to define service names and deployments that control how pods are labeled/versioned on the OpenShift cluster.

Alternatively, deploy the two services from the OpenShift templates in the repository:

```bash
find . | grep openshiftio | grep application | xargs -n 1 oc apply -f
oc new-app --template=vertx-istio-security-name -p SOURCE_REPOSITORY_URL=https://github.com/openshiftio-vertx-boosters/vertx-istio-security-booster -p SOURCE_REPOSITORY_REF=master -p SOURCE_REPOSITORY_DIR=vertx-istio-security-name
oc new-app --template=vertx-istio-security-greeting -p SOURCE_REPOSITORY_URL=https://github.com/openshiftio-vertx-boosters/vertx-istio-security-booster -p SOURCE_REPOSITORY_REF=master -p SOURCE_REPOSITORY_DIR=vertx-istio-security-greeting
```

Configure the ingress gateway with:

```bash
oc apply -f rules/gateway.yaml
```
## Use cases

### Mutual TLS

This scenario demonstrates mutual transport-level security between the services.

- Open the booster's web page via the Istio ingress route:

  ```bash
  echo "http://$(oc get route istio-ingressgateway -o jsonpath='{.spec.host}{"\n"}' -n istio-system)/"
  ```

- "Hello, World!" should be returned after invoking the `greeting` service.
- Now modify the `greeting` deployment to disable sidecar injection by changing the 2 occurrences of the `sidecar.istio.io/inject` value to `false`. The pod is going to restart.

  ```bash
  oc edit deploymentconfigs/vertx-istio-security-greeting
  ```

- Go back to the booster page and, without reloading, try to invoke the service. The invocation fails: the `greeting` service invocation fails with a reset connection, because the `greeting` service has to be inside the service mesh in order to access the `name` service.
- Cleanup by setting the `sidecar.istio.io/inject` values back to `true` (the 2 occurrences). The pod is going to restart.

  ```bash
  oc edit deploymentconfigs/vertx-istio-security-greeting
  ```
### Access control

This scenario demonstrates access control when using mutual TLS. In order to access the `name` service, the calling service has to have a specific label and service account name.

- Open the booster's web page via the Istio ingress route:

  ```bash
  echo "http://$(oc get route istio-ingressgateway -o jsonpath='{.spec.host}{"\n"}' -n istio-system)/"
  ```

- "Hello, World!" should be returned after invoking the `greeting` service.
- Configure Istio Mixer to block the `greeting` service from accessing the `name` service:

  ```bash
  oc apply -f rules/block-greeting-service.yaml
  ```

  `greeting` service invocations to the `name` service will be forbidden.

- Configure Istio Mixer to only allow requests from the `greeting` service, running with the `sa-greeting` service account, to access the `name` service:

  ```bash
  oc apply -f <(sed -e "s/TARGET_NAMESPACE/$(oc project -q)/g" rules/require-service-account-and-label.yaml)
  ```

- "Hello, World!" should be returned after invoking the `greeting` service.
- Cleanup:

  ```bash
  oc delete -f rules/require-service-account-and-label.yaml
  ```
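Both scenarios rely on a manual edit whose mistakes are silent: the mutual TLS scenario asks you to flip exactly 2 `sidecar.istio.io/inject` values by hand in `oc edit`, and the access-control scenario substitutes `TARGET_NAMESPACE` into a rule with `sed`, where a wrong or leftover value produces a rule that never matches the real service account identity. The helpers below are an added example, not part of the booster or of Istio; they assume the DeploymentConfig is available as a YAML file (for instance from `oc get dc/vertx-istio-security-greeting -o yaml`) and that the rule template uses the `TARGET_NAMESPACE` placeholder exactly as the README's one-liner does. The two sample inputs are constructed for the demonstration and are not the booster's own files.

```shell
#!/bin/sh
# Added example (not from the booster): checked versions of the two manual
# edits above. Sample inputs further down are constructed, not real files.

# set_sidecar_inject FILE VALUE
# Print FILE with every sidecar.istio.io/inject annotation set to VALUE.
# Quoted and unquoted values are handled; anything other than true/false is
# refused so a typo cannot leave the deployment with an unrecognised value.
set_sidecar_inject() {
  file=$1
  value=$2
  case "$value" in
    true|false) ;;
    *) echo "set_sidecar_inject: value must be true or false, got '$value'" >&2; return 2 ;;
  esac
  sed -E "s#(sidecar\.istio\.io/inject:[[:space:]]*)\"?(true|false)\"?#\1\"$value\"#g" "$file"
}

# count_inject_values FILE VALUE
# Print how many annotation lines in FILE carry VALUE. The README expects
# exactly 2 after each edit, so this is the check to run before applying.
count_inject_values() {
  grep -Ec "sidecar\.istio\.io/inject:[[:space:]]*\"?$2\"?" "$1" || true
}

# render_rule_template FILE NAMESPACE
# Substitute TARGET_NAMESPACE like the README's sed one-liner, but only for a
# namespace that is a plausible DNS label, and fail if a placeholder survives:
# a rule carrying the literal string would never match a real service account.
render_rule_template() {
  file=$1
  ns=$2
  case "$ns" in
    ''|*[!a-z0-9-]*) echo "render_rule_template: invalid namespace '$ns'" >&2; return 2 ;;
  esac
  rendered=$(sed -e "s/TARGET_NAMESPACE/$ns/g" "$file")
  if printf '%s\n' "$rendered" | grep -q TARGET_NAMESPACE; then
    echo "render_rule_template: placeholder left in rendered rule" >&2
    return 3
  fi
  printf '%s\n' "$rendered"
}

# Constructed sample: the parts of a DeploymentConfig that carry the annotation,
# once on the object and once on the pod template (the README's "2 occurrences").
SAMPLE_DC=$(mktemp)
cat > "$SAMPLE_DC" <<'EOF'
apiVersion: apps.openshift.io/v1
kind: DeploymentConfig
metadata:
  name: vertx-istio-security-greeting
  annotations:
    sidecar.istio.io/inject: "true"
spec:
  template:
    metadata:
      annotations:
        sidecar.istio.io/inject: "true"
EOF

# Constructed stand-in for rules/require-service-account-and-label.yaml: only
# the placeholder matters here; the booster's actual Mixer rule is not reproduced.
SAMPLE_RULE=$(mktemp)
cat > "$SAMPLE_RULE" <<'EOF'
match: source.user == "cluster.local/ns/TARGET_NAMESPACE/sa/sa-greeting"
EOF
trap 'rm -f "$SAMPLE_DC" "$SAMPLE_RULE"' EXIT

# Stand-alone demonstration: disable injection, verify the count, render the
# rule for the hypothetical project name "myproject".
demo() {
  off=$(mktemp)
  set_sidecar_inject "$SAMPLE_DC" false > "$off"
  echo "annotations now false: $(count_inject_values "$off" false)"   # 2
  render_rule_template "$SAMPLE_RULE" myproject
  rm -f "$off"
}
demo
```

In practice the edited manifest is fed back with `set_sidecar_inject dc.yaml false | oc apply -f -` once `count_inject_values` reports 2, and `render_rule_template rules/require-service-account-and-label.yaml "$(oc project -q)" | oc apply -f -` replaces the process substitution in the README; both refuse to emit anything when the input is not what the scenario expects.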
## Undeploy

```bash
mvn fabric8:undeploy
```

This will delete the project from the OpenShift cluster:

```bash
oc delete project <your project name>
```