Creating secrets using key and certificate

To create certificates and keys, follow these simple steps:

  1. Create secrets for the httpbin.istio.io and bookinfo.istio.io domains so that each has a certificate and key. These secrets will be watched for any changes:
$ kubectl -n istio-system create secret generic httpbin-keys --from-file=key=$HOME/step/httpbin.key --from-file=cert=$HOME/step/httpbin.crt 
secret/httpbin-keys created

$ kubectl -n istio-system create secret generic bookinfo-keys --from-file=key=$HOME/step/bookinfo.key --from-file=cert=$HOME/step/bookinfo.crt
secret/bookinfo-keys created

The certificate and key are pushed into the memory of the ingress-sds container through SDS, which avoids the need to mount the certificates and keys as files, where they would be exposed. 

  2. Add the httpbin.istio.io and bookinfo.istio.io hosts to our existing Istio mygateway using the bookinfo-keys and httpbin-keys secrets:
# Script : 01-add-bookinfo-https-to-mygateway.yaml

apiVersion: networking.istio.io/v1alpha3
kind: Gateway
metadata:
  name: mygateway
spec:
  ...
  servers:
  - port:
      number: 80
      protocol: HTTP
    ...
    tls:
      mode: SIMPLE
      credentialName: bookinfo-keys
    hosts:
    - bookinfo.istio.io
  - port:
      number: 443
      name: httpbin
      protocol: HTTPS
    tls:
      mode: SIMPLE
      credentialName: httpbin-keys
    hosts:
    - httpbin.istio.io

In the preceding YAML file, note the following:

  • Plain HTTP traffic is allowed for all hosts on port 80.
  • HTTPS traffic is allowed for bookinfo.istio.io and httpbin.istio.io.
  • The certificate and key for each host are kept in a secret in the istio-system namespace, or in another admin namespace that applications cannot access. The certificate and key are mounted in the memory of the istio-proxy for the pod through SDS, since we enabled it in the previous step.
  • In the definition at the Istio Ingress gateway, the TLS mode for the hosts is SIMPLE, which means that the client verifies the authenticity of the server, but the server does not check the credentials of the client. This is the most common pattern on the internet today.

Apply the preceding definition to add both hosts to the existing mygateway. We have set the TLS mode to SIMPLE, which is one-way authentication: the client authenticates the server.
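A pre-apply check that ties each HTTPS server's credentialName to a secret that actually exists in istio-system with both key and cert entries catches the mistake that otherwise only shows up as a missing SDS push in the logs. This is an added example written for this section, not a script from the book; the Gateway and the secret inventory are constructed inline to mirror the manifests above, and the name and hosts of the elided port 80 server are assumed.

```python
# Constructed sample inputs mirroring the manifests on this page.
GATEWAY = {
    "apiVersion": "networking.istio.io/v1alpha3",
    "kind": "Gateway",
    "metadata": {"name": "mygateway"},
    "spec": {"servers": [
        {"port": {"number": 80, "name": "http", "protocol": "HTTP"},
         "hosts": ["*"]},  # assumed: elided in the book's YAML
        {"port": {"number": 443, "name": "bookinfo", "protocol": "HTTPS"},
         "tls": {"mode": "SIMPLE", "credentialName": "bookinfo-keys"},
         "hosts": ["bookinfo.istio.io"]},
        {"port": {"number": 443, "name": "httpbin", "protocol": "HTTPS"},
         "tls": {"mode": "SIMPLE", "credentialName": "httpbin-keys"},
         "hosts": ["httpbin.istio.io"]},
    ]},
}

# Constructed view of the secrets in istio-system: secret name -> data entries,
# as created by `kubectl create secret generic ... --from-file=key= --from-file=cert=`.
SECRETS = {
    "bookinfo-keys": {"key", "cert"},
    "httpbin-keys": {"key", "cert"},
}


def check_gateway(gateway, secrets, gateway_ns="istio-system"):
    """Return (level, message) findings. No 'ERROR' entries means every HTTPS
    server has a credential that SDS can actually serve to the proxy."""
    findings = []
    for server in gateway["spec"]["servers"]:
        port = server["port"]
        label = f"{port['name']}:{port['number']}"
        if port["protocol"].upper() != "HTTPS":
            continue  # plain HTTP (port 80 above) needs no credential
        tls = server.get("tls") or {}
        cred = tls.get("credentialName")
        if not cred:
            findings.append(("ERROR", f"{label}: HTTPS server without tls.credentialName"))
            continue
        data = secrets.get(cred)
        if data is None:  # SDS only serves secrets from the ingress gateway's namespace
            findings.append(("ERROR", f"{label}: secret {cred} not found in {gateway_ns}"))
            continue
        missing = {"key", "cert"} - set(data)
        if missing:
            findings.append(("ERROR", f"{label}: secret {cred} lacks entries {sorted(missing)}"))
        if tls.get("mode") == "SIMPLE":
            findings.append(("NOTE", f"{label}: SIMPLE TLS, client authenticates server only"))
    return findings
```

Run it against the output of `kubectl -n istio-system get secrets` before the apply step; a NOTE per SIMPLE server is expected, an ERROR means the SDS push for that host will never appear.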

  3. Create a gateway for the bookinfo application:
$ cd ~/istio/scripts/02-security

$ kubectl -n istio-system apply -f 01-add-bookinfo-https-to-mygateway.yaml
gateway.networking.istio.io/mygateway created

As soon as the gateway definition has been applied, the secrets are mounted in memory through SDS. 

  4. Check the log again in the ingress-sds container of the Istio Ingress gateway:
$ kubectl -n istio-system logs -l app=istio-ingressgateway -c ingress-sds
<<removed>>
2019-08-03T17:09:08.518098Z info SDS: push key/cert pair from node agent to proxy: "router~192.168.230.230~istio-ingressgateway-7db95cf64-hb7bq.istio-system~istio-system.svc.cluster.local-1"
2019-08-03T17:09:08.518123Z info SDS: push key/cert pair from node agent to proxy: "router~192.168.230.230~istio-ingressgateway-7db95cf64-hb7bq.istio-system~istio-system.svc.cluster.local-2"

  5. [Optional: only do if necessary] If you do not see the SDS push message, wait a few seconds and check the logs again. If it still does not refresh, recycle the Istio Ingress gateway pod, wait for the pod to become ready, and check the logs again:
$ export INGRESS_GW=$(kubectl -n istio-system get pods -l istio=ingressgateway -o jsonpath='{.items[0].metadata.name}')

$ kubectl -n istio-system delete pod $INGRESS_GW

Now that we have SDS in place, we will enable our httpbin application so that it can use simple TLS authentication.
