Enabling httpbin for simple TLS

To enable our httpbin application so that it can use simple TLS authentication, follow these simple steps:

  1. Define a virtual service for httpbin.istio.io so that the gateway knows how to route the traffic for httpbin requests:
# Script : 02-create-virtual-service-for-httpbin.yaml

apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
  name: httpbin
spec:
  hosts:
  - httpbin.istio.io
  gateways:
  - mygateway
  http:
  - match:
    - uri:
        prefix: /
    - uri:
        prefix: /status
    - uri:
        prefix: /delay
    route:
    - destination:
        host: httpbin.istio-lab.svc.cluster.local
        subset: v1
        port:
          number: 8000
      weight: 100

  2. Create the preceding virtual service in the istio-system namespace:
$ kubectl -n istio-system apply -f 02-create-virtual-service-for-httpbin.yaml
virtualservice.networking.istio.io/httpbin created
  3. Let's use the curl command to send the request. To do this, we set the Host header to the hostname, use the --resolve parameter to map that hostname to the ingress IP address and port, and pass the CA certificate with the --cacert parameter:
$ rm -fr ~/.pki ## Reset local NSS database

$ curl -HHost:httpbin.istio.io --resolve httpbin.istio.io:$INGRESS_PORT:$INGRESS_HOST --cacert $HOME/step/istio.crt https://httpbin.istio.io/status/418

    -=[ teapot ]=-

       _...._
     .'  _ _ `.
    | ."` ^ `". _,
    \_;`"---"`|//
      |       ;/
      \_     _/
        `"""`

$ curl -HHost:httpbin.istio.io --resolve httpbin.istio.io:$INGRESS_PORT:$INGRESS_HOST --cacert $HOME/step/istio.crt https://httpbin.istio.io/ip
{
"origin": "192.168.142.101"
}

Notice that in the preceding code, we enabled edge authentication to the frontend microservice without having to make any code changes in the original application. This is because of the loosely coupled architecture of the Istio service mesh.

An HTTP 418 status means I'm a teapot; httpbin renders it as a text picture of a teapot.
  4. Check the TLS implementation:
$ HTTPBIN=$(kubectl -n istio-lab get pods -l app=httpbin -o jsonpath={.items[0].metadata.name}) ; echo $HTTPBIN 
httpbin-v1-b9985cc7d-4wmcf

$ istioctl authn tls-check $HTTPBIN.istio-lab httpbin.istio-lab.svc.cluster.local

HOST:PORT                                  STATUS  SERVER     CLIENT  AUTHN POLICY  DESTINATION RULE
httpbin.istio-lab.svc.cluster.local:8000   OK      HTTP/mTLS  HTTP    default/      httpbin/istio-lab

TLS is permissive, since the SERVER column shows HTTP/mTLS: the httpbin sidecar accepts both plaintext and mutual TLS. The CLIENT column shows HTTP, so callers are still sending plaintext. You can run istioctl proxy-status to check the sync status of the Envoy proxy from Pilot, which is useful if you wish to diagnose issues.

  5. The PERMISSIVE policy is desired when not all services use a proxy sidecar or while migration to the mesh is still in progress. Once every workload has a sidecar, mutual TLS can be enforced cluster-wide by changing the mesh policy from PERMISSIVE to STRICT, which applies to all user-defined services. In that case, the SERVER column of the tls-check output will show only mTLS. Note that STRICT mode can be set at the cluster level, the namespace level, or the service level:
$ kubectl get meshpolicies default -o yaml

apiVersion: authentication.istio.io/v1alpha1
kind: MeshPolicy
metadata:
  [... removed ...]
  name: default
spec:
  peers:
  - mtls:
      mode: PERMISSIVE

The destination rule defines the CLIENT mode. We defined the destination rule for httpbin in the previous chapter. Run the kubectl -n istio-lab get dr httpbin -o yaml command to check the subsets that have been defined and then run kubectl -n istio-lab get vs httpbin -o yaml to find out which subset is used as a destination for the httpbin service. 
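The following shell script is an added example and is not part of the book or of Istio itself. It renders the STRICT mutual TLS policy for each of the three scopes named above (cluster-wide MeshPolicy, namespace-wide Policy, and a service-level Policy with a target), so the YAML can be piped straight into kubectl apply -f -, and it adds a small audit helper that reads istioctl authn tls-check output and lists any service whose SERVER column is still something other than mTLS. The namespace istio-lab and service httpbin come from the page; the reviews line in the sample output is constructed for the example.

```shell
#!/bin/sh
# Added example (not from the book): render a STRICT mTLS policy for one of
# the three scopes the text names, and audit `istioctl authn tls-check`
# output for services that are still permissive.

# strict_policy_yaml SCOPE NAMESPACE [SERVICE]
#   SCOPE is mesh | namespace | service. Prints a v1alpha1 authentication
#   resource on stdout; pipe it into `kubectl apply -f -`.
strict_policy_yaml() {
  scope=$1; ns=$2; svc=$3
  case "$scope" in
    mesh)
      # Cluster-wide: the MeshPolicy must be named "default" to take effect.
      printf '%s\n' \
        'apiVersion: authentication.istio.io/v1alpha1' \
        'kind: MeshPolicy' \
        'metadata:' \
        '  name: default' \
        'spec:' \
        '  peers:' \
        '  - mtls:' \
        '      mode: STRICT'
      ;;
    namespace)
      # Namespace-wide: a Policy named "default" with no targets covers
      # every service in that namespace.
      printf '%s\n' \
        'apiVersion: authentication.istio.io/v1alpha1' \
        'kind: Policy' \
        'metadata:' \
        '  name: default' \
        "  namespace: $ns" \
        'spec:' \
        '  peers:' \
        '  - mtls:' \
        '      mode: STRICT'
      ;;
    service)
      # Service-level: the targets list pins the policy to one workload.
      printf '%s\n' \
        'apiVersion: authentication.istio.io/v1alpha1' \
        'kind: Policy' \
        'metadata:' \
        "  name: ${svc}-strict" \
        "  namespace: $ns" \
        'spec:' \
        '  targets:' \
        "  - name: $svc" \
        '  peers:' \
        '  - mtls:' \
        '      mode: STRICT'
      ;;
    *)
      echo "usage: strict_policy_yaml mesh|namespace|service NAMESPACE [SERVICE]" >&2
      return 1
      ;;
  esac
}

# permissive_hosts: read `istioctl authn tls-check` output on stdin and print
# every HOST:PORT whose SERVER column is not exactly "mTLS". Empty output
# means every checked service is enforcing STRICT mutual TLS.
permissive_hosts() {
  awk 'NR > 1 && NF >= 3 && $3 != "mTLS" { print $1 }'
}

# Constructed sample of tls-check output: the header and the httpbin line
# mirror the book; the reviews line is made up for this example.
SAMPLE_TLS_CHECK='HOST:PORT                                  STATUS  SERVER     CLIENT  AUTHN POLICY  DESTINATION RULE
httpbin.istio-lab.svc.cluster.local:8000   OK      HTTP/mTLS  HTTP    default/      httpbin/istio-lab
reviews.istio-lab.svc.cluster.local:9080   OK      mTLS       mTLS    default/      reviews/istio-lab'

# Run with "demo" as the first argument to see both helpers in action.
if [ "${1:-}" = "demo" ]; then
  strict_policy_yaml namespace istio-lab
  echo "--- still permissive:"
  printf '%s\n' "$SAMPLE_TLS_CHECK" | permissive_hosts
fi
```

In a live cluster the audit pairs with the book's own command: istioctl authn tls-check "$HTTPBIN.istio-lab" | permissive_hosts prints nothing once the SERVER column shows only mTLS. Apply a STRICT policy at the narrowest scope that matches how far the sidecar rollout has progressed, because a cluster-wide STRICT MeshPolicy will break any caller that still lacks a sidecar.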

This allows developers to focus only on business logic and leaves the security implementation to the application infrastructure team.

Next, we will enable simple TLS for the bookinfo application.
