Istio - Anthos - Service Mesh

- Enable mTLS in namespace


- Istio Gateway




- Istio Envoy Filters


- mTLS scheme for Anthos

- Istio mTLS

a) the certificates are handled in the control plane by Citadel.

b) in the data plane (upper part of the diagram) we can see the ingress into the service mesh (upper left) and the egress from the service mesh (upper right). The communication between the Envoy proxies is done through mTLS.
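An added example of how the mTLS setting described above is enabled for one namespace (this is not from the original notes; the namespace name `asm-user-auth` is taken from the kubectl commands later on this page, and the policy name `default` is an assumption). A `PeerAuthentication` in STRICT mode makes every sidecar in the namespace reject plaintext traffic, so only Envoy-to-Envoy mTLS connections are accepted:

```yaml
# Added example, not part of the original notes.
# Namespace-scoped PeerAuthentication: applies to every workload in asm-user-auth.
apiVersion: security.istio.io/v1beta1
kind: PeerAuthentication
metadata:
  name: default            # assumed name; one namespace-wide policy is conventional
  namespace: asm-user-auth # namespace taken from the page's kubectl commands
spec:
  mtls:
    # STRICT: sidecars accept only mTLS connections from other mesh proxies.
    # Use PERMISSIVE instead while migrating workloads that still receive
    # plaintext traffic, then switch to STRICT once everything has a sidecar.
    mode: STRICT
```

Apply it with `kubectl apply -f peer-authentication.yaml` and confirm with `kubectl get peerauthentication -n asm-user-auth`. A workload without a sidecar, or a client outside the mesh, will get connection resets from STRICT workloads, which is the expected sign that plaintext is no longer accepted.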


- ASM 

a) kube-rbac-proxy: kube-rbac-proxy

b) canonical-service-controller: canonical-service-controller

- Istio rollout restart

kubectl rollout restart deployment istio-ingressgateway -n istio-system

- Istio Gateway 

a) the gateway is an entry point to the cluster

b) it provides the connection between the cluster and the exterior

c) the Istio service mesh is composed of Envoy proxies running as sidecars

d) there are 2 types of gateway (ingress gateway and egress gateway)

e) each gateway is an Envoy proxy and has an istio proxy

f) the advantage of the proxy is that we can attach virtual services and destination rules to the Envoy proxy and use them as routing rules.

g) to check the services in the namespace use kubectl get svc -n istio-system

h) the Istio ingress has a ClusterIP and the egress is of type LoadBalancer

i) at the Istio ingress the IP is a cluster IP and the port mappings are of type NodePort.

j) create the gateway yaml
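An added example of the gateway yaml mentioned in the last step, not taken from the original notes. It shows the two objects the notes describe: a `Gateway` bound to the `istio-ingressgateway` proxy in `istio-system` and a `VirtualService` attached to it that carries the routing rules. The hostname `app.example.com`, the service names `api-service` and `web-frontend`, and the TLS secret name `app-tls-cert` are assumptions; plain HTTP is redirected to HTTPS so that the entry point only serves traffic over TLS:

```yaml
# Added example, not part of the original notes. All names are assumptions.
apiVersion: networking.istio.io/v1beta1
kind: Gateway
metadata:
  name: app-gateway
  namespace: default
spec:
  # Selects the istio-ingressgateway pods (label istio=ingressgateway).
  selector:
    istio: ingressgateway
  servers:
  - port:
      number: 80
      name: http
      protocol: HTTP
    hosts:
    - "app.example.com"
    tls:
      httpsRedirect: true   # answer plain HTTP with a 301 to HTTPS
  - port:
      number: 443
      name: https
      protocol: HTTPS
    hosts:
    - "app.example.com"
    tls:
      mode: SIMPLE
      # Kubernetes TLS secret that must exist in istio-system (assumed name).
      credentialName: app-tls-cert
---
apiVersion: networking.istio.io/v1beta1
kind: VirtualService
metadata:
  name: app-routes
  namespace: default
spec:
  hosts:
  - "app.example.com"
  gateways:
  - app-gateway           # attach these routing rules to the Gateway above
  http:
  - match:
    - uri:
        prefix: /api
    route:
    - destination:
        host: api-service # assumed backend service in the default namespace
        port:
          number: 8080
  - route:                # default route for everything else
    - destination:
        host: web-frontend
        port:
          number: 80
```

Apply with `kubectl apply -f gateway.yaml`, then check that the listener was programmed with `istioctl proxy-config listeners deploy/istio-ingressgateway -n istio-system`. The `hosts` list is what limits which Host headers the gateway will accept; a bare `"*"` there would let the proxy answer for any hostname, so keep it to the names you actually serve.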




- Check istio endpoints

istioctl proxy-config endpoints deploy/authservicr -n asm-user-auth

kubectl get pods -n asm-user-auth

kubectl get istiooperator -n istio-system 

kubectl edit pod <pod-name> -n istio-system

kubectl get nodes   (check the kube version)

- What is a service mesh


- Istio Setup in Kubernetes | Step by Step Guide to install Istio Service Mesh

- Service mesh is the communication within cluster.

- What is a sidecar proxy?


- Ingress gateway is the external communication





- Node port entry point

- Istio ingress gateway vs Kubernetes gateway

- Kubernetes ingress requires 3 components

Install minikube and istio

 $curl -LO https://storage.googleapis.com/minikube/releases/latest/minikube-linux-amd64
  (curl progress meter omitted; the download was 91.1M)

$sudo install minikube-linux-amd64 /mnt/kube/minikube
$./minikube 

$cd bin/
$export PATH=$PWD/bin:$PATH
$istioctl install --set profile=demo -y

 $./istioctl install --set profile=demo
Error: check minimum supported Kubernetes version: error getting Kubernetes version: Get "http://localhost:8080/version?timeout=5s": dial tcp [::1]:8080: connect: connection refused

Istio Training : 
https://www.udemy.com/course/istio-hands-on-for-kubernetes/learn/lecture/23922456#content

Section 4|13 Enabling Sidecar Injections:
- the proxies are called the data plane in Istio
- Istio is added next to the business container via a sidecar
- the sidecar injection is done by istiod
- Istio is enabled on a namespace via labels
   kubectl describe ns default


- in order to add the label to the namespace:
   kubectl label namespace default istio-injection=enabled

  kubectl describe ns default



