Important Disclosures
RapidFort is not responsible for istio in any way. For istio support and the most up-to-date information see istio's website. Alternatively, consult with the istio Big Bang documentation, such as their control plane and operator instructions. This is purely to aid RapidFort customers by illustrating a very basic set-up that shows RapidFort works well within an istio service mesh. It was tested with version 1.16.1-bb.0 of each.
Set-up
Create a cluster by following steps 1-6 of the Big Bang Quickstart guide.
There were no networking limitations as described in the parent page.
An S3 bucket has been created with the correct permissions.
Deploy Istio Operator
Brief Introduction
Istio operator consists of an application deployed to the Kubernetes cluster and a custom resource called IstioOperator that describes the desired state of your Istio installation. The operator uses the IstioOperator resource to manage and maintain your Istio service mesh installation.
Deployment Steps
1. Clone Git Repository
mkdir -p ironbank
pushd ironbank
git clone https://repo1.dso.mil/platform-one/big-bang/apps/core/istio-operator.git
popd
2. Create istio-operator namespace.yaml at ironbank/istio-operator/namespace.yaml with below content
cat <<EOF > ironbank/istio-operator/namespace.yaml
apiVersion: v1
kind: Namespace
metadata:
  name: istio-operator
  labels:
    istio-operator-managed: Reconcile
    istio-injection: disabled
    app.kubernetes.io/name: istio-operator
    app.kubernetes.io/component: "core"
EOF
3. Apply namespace.yaml to create namespace
kubectl apply -f ironbank/istio-operator/namespace.yaml
# verify the namespace carries the expected label
kubectl get namespace -L app.kubernetes.io/name
4. Set the variables REGISTRY1_PASSWORD and REGISTRY1_USERNAME, then create the image pull secret with the commands below.
Verify the registry credentials beforehand to avoid image pull errors and having to recreate the secrets.
sudo docker login registry1.dso.mil --username $REGISTRY1_USERNAME --password $REGISTRY1_PASSWORD
Explicitly set the key in the Harbor UI; otherwise a rotated key could break the commands below.
set +H
NS=istio-operator
kubectl create secret docker-registry private-registry --docker-server=registry1.dso.mil --docker-username=${REGISTRY1_USERNAME} --docker-password=${REGISTRY1_PASSWORD} -n ${NS}
set -H
5. Create ironbank/istio-operator/chart/values-override.yaml file with content below.
cat <<EOF > ironbank/istio-operator/chart/values-override.yaml
operatorNamespace: istio-operator
# create namespace manually.
createNamespace: false
imagePullSecrets:
  - private-registry
EOF
6. Install helm chart for Istio Operator.
pushd ironbank/istio-operator/chart
helm upgrade --install istio-operator ./ -f values-override.yaml -n istio-operator
popd
Deploy Istio Control Plane
Brief Introduction
An Istio control plane manages traffic within the mesh by providing each proxy with the list of service endpoints. In order to make this work in a multicluster scenario, each control plane must observe endpoints from the API Server in every cluster.
Deployment Steps
1. Clone Git Repository
mkdir -p ironbank
pushd ironbank
git clone https://repo1.dso.mil/big-bang/apps/core/istio-controlplane.git
popd
2. Create ironbank/istio-controlplane/namespace.yaml with below content
cat <<EOF > ironbank/istio-controlplane/namespace.yaml
apiVersion: v1
kind: Namespace
metadata:
  name: istio-system
  labels:
    istio-injection: disabled
    # below label is required for rapidfort service to connect to istiod service for bootstrap.
    app.kubernetes.io/name: istio-controlplane
EOF
3. Apply ironbank/istio-controlplane/namespace.yaml to create namespace
kubectl apply -f ironbank/istio-controlplane/namespace.yaml
3.1 Confirm the label attached to the istio-system namespace as below
kubectl get namespace -L app.kubernetes.io/name
4. Set the variables EMAIL, REGISTRY1_PASSWORD and REGISTRY1_USERNAME, then create the image pull secret with the commands below.
Verify the registry credentials beforehand to avoid image pull errors and having to recreate the secrets.
sudo docker login registry1.dso.mil --username $REGISTRY1_USERNAME --password $REGISTRY1_PASSWORD
Explicitly set the key in the Harbor UI; otherwise a rotated key could break the commands below.
set +H
NS=istio-system
kubectl create secret docker-registry private-registry --docker-server=registry1.dso.mil --docker-username=${REGISTRY1_USERNAME} --docker-password=${REGISTRY1_PASSWORD} -n ${NS}
set -H
5. Create ironbank/istio-controlplane/chart/values-override.yaml file with content below.
cat <<EOF > ironbank/istio-controlplane/chart/values-override.yaml
# -- The domain to use for the default gateway
domain: rapidfort.io
imagePullSecrets:
  - private-registry
EOF
6. Install helm chart for Istio Control Plane.
pushd ironbank/istio-controlplane/chart/
helm upgrade --install istio-system ./ -f values-override.yaml -n istio-system
popd
7. Get your SSL certificate and create a Secret for it.
Replace the --key and --cert values with your real key and cert.
kubectl create secret tls wildcard-cert --key=privkey2.pem --cert=fullchain2.pem -n istio-system
Deploy RapidFort
Brief Introduction
We have a running cluster as per the Big Bang Quickstart, with Istio deployed on it. What remains is the simple task of deploying RapidFort.
Deployment Steps
1. Clone Git Repository
mkdir -p ironbank
pushd ironbank
git clone https://repo1.dso.mil/platform-one/big-bang/apps/third-party/rapidfort.git
popd
2. Create ironbank/rapidfort/namespace.yaml with below content
cat <<EOF > ironbank/rapidfort/namespace.yaml
apiVersion: v1
kind: Namespace
metadata:
  name: rapidfort
  labels:
    istio-injection: enabled
    app.kubernetes.io/name: rapidfort
EOF
3. Apply ironbank/rapidfort/namespace.yaml to create namespace
kubectl apply -f ironbank/rapidfort/namespace.yaml
4. Set the variables EMAIL, REGISTRY1_PASSWORD and REGISTRY1_USERNAME, then create the image pull secret with the commands below.
set +H
NS=rapidfort
kubectl create secret docker-registry private-registry --docker-server=registry1.dso.mil --docker-username=${REGISTRY1_USERNAME} --docker-password=${REGISTRY1_PASSWORD} -n ${NS}
set -H
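The pull secret is created three times above, each time with the password on the kubectl command line, where it is visible in shell history and to other users via ps. As an added example (not from the page or the Big Bang charts), the helper below renders the same kubernetes.io/dockerconfigjson Secret for all three namespaces from the REGISTRY1_USERNAME and REGISTRY1_PASSWORD variables the page already uses, so it can be piped into kubectl apply -f - without the password ever appearing in argv. The JSON layout (username, password and the base64 user:password auth field) is what kubectl create secret docker-registry produces; the helper assumes the password contains no double quote or backslash.

```shell
#!/bin/sh
# Render the registry1.dso.mil image pull secret as a manifest per namespace.
# Added example, not part of the page or the Big Bang charts. Credentials come
# from REGISTRY1_USERNAME / REGISTRY1_PASSWORD (as on the page), never from argv.
# Apply with:  render_pull_secrets | kubectl apply -f -

# b64 STRING -> single-line base64 (coreutils base64 wraps long output)
b64() { printf '%s' "$1" | base64 | tr -d '\n'; }

# docker_auth_json SERVER USER PASS -> the JSON stored in .dockerconfigjson.
# Assumes USER and PASS contain no '"' or '\' (no JSON escaping is done here).
docker_auth_json() {
    printf '{"auths":{"%s":{"username":"%s","password":"%s","auth":"%s"}}}' \
        "$1" "$2" "$3" "$(b64 "$2:$3")"
}

# pull_secret_manifest NAMESPACE SERVER USER PASS -> one Secret manifest,
# same name (private-registry) and type that kubectl create secret docker-registry uses
pull_secret_manifest() {
    cat <<EOF
apiVersion: v1
kind: Secret
metadata:
  name: private-registry
  namespace: $1
type: kubernetes.io/dockerconfigjson
data:
  .dockerconfigjson: $(b64 "$(docker_auth_json "$2" "$3" "$4")")
EOF
}

# render_pull_secrets -> the three secrets this page creates, as one
# multi-document stream; fails early if the credential variables are unset
render_pull_secrets() {
    : "${REGISTRY1_USERNAME:?set REGISTRY1_USERNAME}" "${REGISTRY1_PASSWORD:?set REGISTRY1_PASSWORD}"
    for ns in istio-operator istio-system rapidfort; do
        echo "---"
        pull_secret_manifest "$ns" registry1.dso.mil "$REGISTRY1_USERNAME" "$REGISTRY1_PASSWORD"
    done
}

# Demo with constructed credentials (replace with the real variables before applying)
REGISTRY1_USERNAME=demo-user REGISTRY1_PASSWORD=demo-pass render_pull_secrets
```

Because the output is a manifest, it also works with a GitOps flow that expects declarative objects rather than imperative kubectl create calls; keep the rendered file out of version control, or seal it with a secrets tool, since it carries the credentials in base64 only.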
5. Create ironbank/rapidfort/chart/values-override.yaml file with content below.
cat <<EOF > ironbank/rapidfort/chart/values-override.yaml
secret:
  aws_access_key_id: "<update here>"
  aws_secret_access_key: "<update here>"
  aws_default_region: "<update here>"
  s3_bucket: "<update here>"
  # -- This value must be a syntax valid email (doesn't need to be a real one, though it should be for production)
  rf_app_admin: "<update here>"
  rf_app_admin_passwd: "<update here>"
  # -- This field is used to provide the rapidfort service FQDN (if FQDN is not available use IP ADDRESS) to internal service
  rf_app_host: "rf-fips.rapidfort.io"
global:
  # -- This field is used to update the host name in the ingress.
  rf_app_host: "rf-fips.rapidfort.io"
  allowed_rf_host: "api.rapidfort.com"
domain: rf-fips.rapidfort.io
istio:
  enabled: true
  mtls:
    mode: PERMISSIVE
  rapidfort:
    enabled: true
    gateways:
      # istio_namespace=istio-system
      # confirm the gateway name using - kubectl get gateway -n ${istio_namespace}
      # - <istio-namespace>/<gateway name>
      - istio-system/main
    hosts:
      - rf-fips.rapidfort.io
keycloak:
  initContainers:
    init_mysql:
      enabled: false
networkPolicies:
  enabled: true
  # confirm the ingress Labels. You can find the labels for istio ingress gateway using below command
  # kubectl get deploy -n <istio-namespace> -o wide.
  # confirm the selector
  ingressLabels:
    app: istio-ingressgateway
    istio: ingressgateway
  # -- IP range of api.rapidfort.com
  rapidfortApiIpRange: ""
  # -- test
  controlPlaneCidr: ""
EOF
6. Install helm chart for RapidFort.
pushd ironbank/rapidfort/chart
helm upgrade --install rapidfort . -f values-override.yaml -n rapidfort
popd
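Most failed installs of the chart above come from the values file rather than from Helm: a placeholder left in the secret block, the two rf_app_host copies drifting apart, a host missing from the istio hosts list, or a gateway reference that is not in <istio-namespace>/<gateway name> form. As an added example (not from the page or the RapidFort chart), the script below runs those checks over a values-override.yaml with sed and awk only, flags PERMISSIVE mTLS as a warning because that mode still accepts plaintext, and returns the number of hard failures. The constructed sample it writes is a comment-trimmed copy of the page's values; the key names are the ones shown above.

```shell
#!/bin/sh
# Pre-flight check for the RapidFort values-override.yaml built in step 5.
# Added example, not part of the RapidFort or Big Bang charts. Assumes only the
# key names shown on this page; no YAML library needed. check_values returns
# the number of hard failures (0 = clean); warnings do not count.

# yaml_scalar FILE KEY -> value(s) of "KEY: value" lines, surrounding quotes stripped
yaml_scalar() {
    sed -n "s/^[[:space:]]*$2:[[:space:]]*\"\{0,1\}\([^\"]*\)\"\{0,1\}[[:space:]]*\$/\1/p" "$1"
}

check_values() {
    f=$1
    problems=0
    # 1. Credentials, bucket and admin fields must not keep the placeholder.
    n=$(grep -c '<update here>' "$f" || true)
    if [ "$n" -gt 0 ]; then
        echo "FAIL: $n '<update here>' placeholder(s) still present"; problems=$((problems + 1))
    fi
    # 2. rf_app_host appears twice (secret and global): both must agree, and the
    #    same name must be in istio.rapidfort.hosts or the gateway route will not match.
    host=$(yaml_scalar "$f" rf_app_host | sort -u)
    if [ "$(printf '%s\n' "$host" | grep -c . || true)" -ne 1 ]; then
        echo "FAIL: rf_app_host values disagree: $(printf '%s ' $host)"; problems=$((problems + 1))
    elif ! awk -v h="$host" '$1 == "-" && $2 == h { found = 1 } END { exit found ? 0 : 1 }' "$f"; then
        echo "FAIL: hosts list does not contain rf_app_host ($host)"; problems=$((problems + 1))
    fi
    # 3. Gateway entries must be <istio-namespace>/<gateway name>; comment lines
    #    between "gateways:" and the entries are skipped.
    gws=$(awk '/^[[:space:]]*gateways:/ { inlist = 1; next }
               inlist && /^[[:space:]]*- / { sub(/^[[:space:]]*- /, ""); print; next }
               inlist && !/^[[:space:]]*#/ { inlist = 0 }' "$f")
    [ -n "$gws" ] || { echo "FAIL: no gateway listed"; problems=$((problems + 1)); }
    for g in $gws; do
        case $g in
            */*) ;;
            *) echo "FAIL: gateway '$g' is not <istio-namespace>/<gateway name>"; problems=$((problems + 1)) ;;
        esac
    done
    # 4. mTLS mode: PERMISSIVE (as on this page) also accepts plaintext from outside the mesh.
    mode=$(yaml_scalar "$f" mode | head -n 1)
    case $mode in
        STRICT) ;;
        PERMISSIVE) echo "WARN: mtls mode PERMISSIVE still accepts plaintext; use STRICT once all clients are in the mesh" ;;
        *) echo "FAIL: mtls mode '$mode' is not STRICT or PERMISSIVE"; problems=$((problems + 1)) ;;
    esac
    # 5. rf_app_admin must at least look like an email address.
    case $(yaml_scalar "$f" rf_app_admin) in
        *@*.*) ;;
        *) echo "FAIL: rf_app_admin is not a syntactically valid email"; problems=$((problems + 1)) ;;
    esac
    return $problems
}

# write_sample FILE [filled]: constructed, comment-trimmed copy of the page's
# values-override.yaml; with "filled", placeholders get sample values.
write_sample() {
    cat > "$1" <<'EOF'
secret:
  aws_access_key_id: "<update here>"
  aws_secret_access_key: "<update here>"
  aws_default_region: "<update here>"
  s3_bucket: "<update here>"
  rf_app_admin: "<update here>"
  rf_app_admin_passwd: "<update here>"
  rf_app_host: "rf-fips.rapidfort.io"
global:
  rf_app_host: "rf-fips.rapidfort.io"
  allowed_rf_host: "api.rapidfort.com"
istio:
  enabled: true
  mtls:
    mode: PERMISSIVE
  rapidfort:
    enabled: true
    gateways:
      # - <istio-namespace>/<gateway name>
      - istio-system/main
    hosts:
      - rf-fips.rapidfort.io
EOF
    if [ "${2:-}" = filled ]; then
        sed -e 's/^\([[:space:]]*rf_app_admin:\).*/\1 "admin@example.com"/' \
            -e 's/<update here>/sample-value/' "$1" > "$1.tmp" && mv "$1.tmp" "$1"
    fi
}

tmp=$(mktemp)
write_sample "$tmp"
check_values "$tmp"; echo "as copied from the page: $? failure(s)"
write_sample "$tmp" filled
check_values "$tmp"; echo "after filling placeholders: $? failure(s)"
rm -f "$tmp"
```

Run it as check_values ironbank/rapidfort/chart/values-override.yaml before the helm upgrade in step 6; a non-zero exit status means the file still has one of the problems listed, and the WARN line is the reminder to move mtls.mode to STRICT once nothing outside the mesh needs to reach the service.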