poc-instructions.md

Mithril POC

Currently, the POC deploys the Istio bookinfo example to a local kind cluster. The four workloads from the example (details, productpage, ratings, and reviews) are deployed in the default namespace, each with an Istio sidecar, and receive their identities from SPIRE.

Minimal configuration

  • 4 CPUs
  • 8 GB RAM
  • 20 GB of disk (for the POC only)

Requirements

  • docker

Install kubectl client

Install the Kubernetes client (kubectl) for your operating system.

Install istioctl:

curl -L https://istio.io/downloadIstio | ISTIO_VERSION=1.10.1 sh -

This unpacks Istio into istio-1.10.1/ in the current directory; add istio-1.10.1/bin to your PATH so that istioctl is found. The POC should work with Istio 1.9.1 and 1.10.1.

Install Kind

Follow kind install instructions

Install AWS CLI and configure it

Follow aws cli install and configure instructions

Create the cluster and the local docker registry

./create-kind-cluster.sh

Running the POC locally

To run the POC locally, deploy everything with the prebuilt images (HUB is the registry and repository prefix the images are pulled from, TAG the image tag):

TAG=stable_20211022 \
HUB=public.ecr.aws/e4m8j0n8/mithril \
./deploy-all.sh

Wait for all pods to reach the Running state, with every container in each pod ready (2/2 for the sidecar-injected bookinfo pods):

kubectl get pods -A

Expected output:

NAMESPACE            NAME                                         READY   STATUS    RESTARTS   AGE
default              details-v1-c658fff7-cvj8d                    2/2     Running   0          6m19s
default              productpage-v1-5f85c6d9d8-mb6jm              2/2     Running   0          6m18s
default              ratings-v1-66db75fdb9-jv4ln                  2/2     Running   0          6m19s
default              reviews-v1-dbcbb4f7c-jzkh5                   2/2     Running   0          6m19s
default              reviews-v2-64854577cd-cw7zw                  2/2     Running   0          6m18s
default              reviews-v3-bd5fcc875-8b722                   2/2     Running   0          6m18s
istio-system         istio-ingressgateway-849d55784b-fwz7m        1/1     Running   0          6m36s
istio-system         istiod-5c79c669f9-7qx5m                      1/1     Running   0          6m49s
kube-system          coredns-74ff55c5b-pl5wd                      1/1     Running   0          19m
kube-system          coredns-74ff55c5b-zq798                      1/1     Running   0          19m
kube-system          etcd-kind-control-plane                      1/1     Running   0          19m
kube-system          kindnet-cxrzk                                1/1     Running   0          19m
kube-system          kube-apiserver-kind-control-plane            1/1     Running   0          19m
kube-system          kube-controller-manager-kind-control-plane   1/1     Running   0          19m
kube-system          kube-proxy-xzjgd                             1/1     Running   0          19m
kube-system          kube-scheduler-kind-control-plane            1/1     Running   0          19m
local-path-storage   local-path-provisioner-78776bfc44-4dp4x      1/1     Running   0          19m
spire                spire-agent-w9jfd                            1/1     Running   0          6m21s
spire                spire-server-0                               2/2     Running   0          6m24s
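Instead of eyeballing the table, the readiness condition above (every pod Running, READY equal to n/n) can be checked mechanically. This is an added example, not one of the POC's scripts; it assumes the column order of `kubectl get pods -A --no-headers` (NAMESPACE NAME READY STATUS RESTARTS AGE), which matches the output shown, and the sample input is constructed to show a pod whose sidecar has not come up yet.

```shell
#!/bin/sh
# Added example (not part of the Mithril POC): decide whether the cluster has
# reached the state shown above, i.e. every pod is Running and every container
# in it is ready (READY reads n/n, e.g. 2/2 for the sidecar-injected pods).

# Reads `kubectl get pods -A --no-headers` output on stdin and prints the pods
# that are not fully ready. Returns 0 when there are none, 1 otherwise.
pods_not_ready() {
  awk '
    {
      split($3, r, "/")              # READY column, e.g. 1/2
      if ($4 != "Running" || r[1] != r[2]) {
        print $1 "/" $2 " READY=" $3 " STATUS=" $4
        bad++
      }
    }
    END { exit (bad > 0) }
  '
}

# Polls the real cluster until every pod is ready or the timeout (seconds)
# expires; prints the offending pods on failure.
wait_for_pods() {
  limit=${1:-600}
  waited=0
  while ! kubectl get pods -A --no-headers | pods_not_ready >/dev/null; do
    if [ "$waited" -ge "$limit" ]; then
      echo "timed out after ${limit}s; pods still not ready:" >&2
      kubectl get pods -A --no-headers | pods_not_ready >&2
      return 1
    fi
    sleep 5
    waited=$((waited + 5))
  done
}

# Constructed sample (not captured from a cluster): the productpage sidecar has
# not started and the ingress gateway is still being created, so the check
# must report those two pods and fail.
SAMPLE_NOT_READY='default        details-v1-c658fff7-cvj8d               2/2   Running           0   6m19s
default        productpage-v1-5f85c6d9d8-mb6jm         1/2   Running           0   6m18s
istio-system   istio-ingressgateway-849d55784b-fwz7m   0/1   ContainerCreating 0   6m36s
spire          spire-server-0                          2/2   Running           0   6m24s'

# Constructed sample where everything is ready, so the check must pass.
SAMPLE_READY='default        details-v1-c658fff7-cvj8d               2/2   Running   0   6m19s
spire          spire-server-0                          2/2   Running   0   6m24s'
```

Run `wait_for_pods 600` after deploy-all.sh; a pod stuck at 1/2 usually means the Envoy sidecar could not fetch its SVID, so the SPIRE entries below are the first thing to check.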

SPIRE Entries

The SPIRE entries can be checked using the following command:

kubectl exec -i -t pod/spire-server-0 -n spire -c spire-server -- /bin/sh -c "bin/spire-server entry show -socketPath /run/spire/sockets/server.sock"

Test example

Inside the cluster:

kubectl exec "$(kubectl get pod -l app=ratings -o jsonpath='{.items[0].metadata.name}')" -c ratings -- curl -sS productpage:9080/productpage

The output is an HTML page that should not have any error sections.

Outside the cluster:

Forward host port 8000 to port 8080 (ingressgateway pod port) inside the cluster:

./forward-port.sh

Forwarding from 127.0.0.1:8000 -> 8080
Forwarding from [::1]:8000 -> 8080

Make a request from the host:

curl localhost:8000/productpage

Or open in the browser localhost:8000/productpage.

The output is an HTML page that should not have any error sections.

Ingress mTLS and Federation

The POC also exposes a second ingress gateway (ingressgateway-mtls) that requires a client certificate and accepts SVIDs from the federated trust domain domain.test, which is served by a second SPIRE server in the spire2 namespace. Forward host port 7000 to port 7080 (ingressgateway-mtls pod port) inside the cluster:

./forward-secure-port.sh

Forwarding from 127.0.0.1:7000 -> 7080
Forwarding from [::1]:7000 -> 7080

Generate certs

Mint an X509-SVID in the trust domain domain.test, using the second SPIRE server in the spire2 namespace:

kubectl exec --stdin --tty -n spire2 spire-server-0 -- /opt/spire/bin/spire-server x509 mint -spiffeID spiffe://domain.test/myservice -socketPath /run/spire/sockets/server.sock

The command prints the SVID certificate chain, its private key and the root CAs of the trust domain as PEM. Copy the X509-SVID section of the output to a file svid.pem and the Private key section to a file key.pem. The key is a credential: keep it readable only by you and delete it when you are done.
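Copying the sections by hand is error-prone, so here is an added helper (not part of the POC) that splits the mint output into svid.pem, key.pem and bundle.pem. It assumes the stdout layout of `spire-server x509 mint` in SPIRE 1.x: an "X509-SVID:" section holding the leaf certificate and any intermediates, a "Private key:" section and a "Root CAs:" section, each made of PEM blocks. The sample output below is constructed, with placeholder bodies rather than real keys or certificates.

```shell
#!/bin/sh
# Added example (not part of the Mithril POC): split the stdout of
# `spire-server x509 mint` into the files curl needs.
#
# Usage: split_mint_output <outdir>   (mint output on stdin)
# Writes <outdir>/svid.pem (certificate chain), <outdir>/key.pem (private key)
# and <outdir>/bundle.pem (root CAs of the trust domain).
split_mint_output() {
  outdir=$1
  mkdir -p "$outdir"
  awk -v dir="$outdir" '
    /^X509-SVID:/   { out = dir "/svid.pem";   next }
    /^Private key:/ { out = dir "/key.pem";    next }
    /^Root CAs:/    { out = dir "/bundle.pem"; next }
    # Only PEM lines are copied; blank lines and anything before the first
    # section header are dropped.
    out != "" && /^-----BEGIN / { inpem = 1 }
    inpem { print > out }
    /^-----END /   { inpem = 0 }
  '
  # Every file must exist and hold at least one PEM block.
  for f in svid.pem key.pem bundle.pem; do
    if ! grep -q '^-----BEGIN ' "$outdir/$f" 2>/dev/null; then
      echo "section for $f not found in mint output" >&2
      return 1
    fi
  done
  # The private key is a credential: nobody else on the host should read it.
  chmod 600 "$outdir/key.pem"
}

# Counts the PEM blocks in a file; used to check the result of the split.
pem_blocks() {
  grep -c '^-----BEGIN ' "$1"
}

# Constructed sample in the mint output layout. The bodies are placeholders,
# not real certificates or keys, so they cannot be parsed by openssl.
SAMPLE_MINT_OUTPUT='X509-SVID:
-----BEGIN CERTIFICATE-----
LEAFSVIDCERT
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
INTERMEDIATECERT
-----END CERTIFICATE-----

Private key:
-----BEGIN PRIVATE KEY-----
PRIVATEKEY
-----END PRIVATE KEY-----

Root CAs:
-----BEGIN CERTIFICATE-----
ROOTCACERT
-----END CERTIFICATE-----
'
```

Pipe the real mint command into `split_mint_output certs`, then confirm what you minted before using it: `openssl x509 -in certs/svid.pem -noout -text | grep URI:` should show spiffe://domain.test/myservice as the subject alternative name, and `openssl verify -CAfile certs/bundle.pem -untrusted certs/svid.pem certs/svid.pem` checks that the chain leads to a root of domain.test. Note that bundle.pem holds the roots of the client's trust domain, not the gateway's, so it is not a `--cacert` for the request below.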

Test mTLS request

Send a request through the forwarded mTLS port (7000, see above), presenting the minted SVID as the client certificate. The -k flag is required because the gateway presents a SPIFFE SVID, which is not issued for the name localhost, so curl's hostname verification would fail; it also means curl does not authenticate the gateway at all, so this test only shows that the gateway accepted a client certificate from the federated trust domain domain.test. The same request without --cert and --key should be rejected during the TLS handshake rather than answered with 200.

curl --cert svid.pem --key key.pem -k -I https://localhost:7000/productpage

HTTP/2 200 
content-type: text/html; charset=utf-8
content-length: 5183
server: istio-envoy