From 4f3cbf7fad6302a96631a4ae31885dbce48f5b13 Mon Sep 17 00:00:00 2001
From: Sakari Poussa
Date: Wed, 15 Jan 2025 13:37:35 +0200
Subject: [PATCH 1/2] Add istio mTLS and ingress gateway with TLS example
Signed-off-by: Sakari Poussa
---
 kubernetes-addons/istio/README.md | 81 +++++++++++++++++++
 kubernetes-addons/istio/helmfile.yaml | 62 ++++++++++++++
 .../istio-gateway-and-virtual-service.yaml | 42 ++++++++++
 .../istio/istio-gateway-ca-and-cert.yaml | 22 +++++
 .../istio/istio-mtls-strict.yaml | 7 ++
 5 files changed, 214 insertions(+)
 create mode 100644 kubernetes-addons/istio/README.md
 create mode 100644 kubernetes-addons/istio/helmfile.yaml
 create mode 100644 kubernetes-addons/istio/istio-gateway-and-virtual-service.yaml
 create mode 100644 kubernetes-addons/istio/istio-gateway-ca-and-cert.yaml
 create mode 100644 kubernetes-addons/istio/istio-mtls-strict.yaml
diff --git a/kubernetes-addons/istio/README.md b/kubernetes-addons/istio/README.md
new file mode 100644
index 000000000..a39288e78
--- /dev/null
+++ b/kubernetes-addons/istio/README.md
@@ -0,0 +1,81 @@
+# OPEA with Istio
+
+## Introduction
+
+Istio service mesh provides many features including 1) [mTLS between Kubernetes pods](#enforce-mtls-between-opea-pods) and 2) [TLS connection to Kubernetes ingress](#create-istio-gateway-with-tls-and-virtual-service).
+
+This document describes how to enable the above two Istio features with OPEA applications. We will use the new Istio ambient mode (a.k.a. sidecar-less mode)
+
+## Deployment
+
+In this document we use the following components:
+
+- OPEA ChatQnA as an exmaple application
+- Istio (in ambient mode) with ingress gateway using TLS and strict mTLS for ChatQnA application
+- Cert-Manager for issuing TLS certificate to Istio ingress gateway
+
+### Deploy Istio, ChatQnA and Cert-Manager
+
+In this document we use [helmfile](https://helmfile.readthedocs.io/en/latest/) to do the deployment:
+
+```bash
+helmfile apply
+```
+> [!NOTE]
+> The above deployment uses `model-volume` Persistent Volume Claim (PVC) for storing the ChatQnA models so ensure such PVC and corresponding PV are available in your cluster.
+
+### Install Kubernetes Gateway CRDs
+
+Note that the Kubernetes Gateway API CRDs do not come installed by default on most Kubernetes clusters, so make sure they are installed before using the Gateway API:
+
+```bash
+kubectl get crd gateways.gateway.networking.k8s.io &> /dev/null || \
+ { kubectl apply -f https://github.com/kubernetes-sigs/gateway-api/releases/download/v1.2.0/standard-install.yaml; }
+```
+
+## Create Istio gateway with TLS and virtual service
+
+Istio gateway terminates the external TLS connections. Istio virtual service routes the traffic to services. In this example, all the traffic that matches host '*.intel.com' and path prefix '/' is routed to 'chatqna-nginx.chatqna' service. The Istio gateway needs certificate which is created via 'cert-manager' Issuer and Certificate.
+
+Create Istio gateway and virtual service:
+
+```bash
+kubectl apply -f istio-gateway-and-virtual-service.yaml
+```
+
+Create cert-manager Issuer and Certificate:
+
+```bash
+kubectl apply -f istio-gateway-ca-and-cert.yaml
+```
+
+Now you are able to connect to OPEA engine services via TLS. You can test the connection with the command:
+
+```bash
+# Get Istio ingress loadbalancer (LB) address. If you don't use LB, you can set use `kubectl port-forward` command.
+IP=$(kubectl get svc -n istio-ingress -ojsonpath="{.items[0].status.loadBalancer.ingress[0].ip}")
+# Resolve IP to DNS. DNS needs to match the dnsNames in istio-gateway certificate.
+curl -ks https://${DNS}/v1/chatqna -H "Content-Type: application/json" -d '{"messages": "What is the TLS?"}'
+```
+> [!NOTE]
+> `https` scheme (TLS) is used and in curl we ignore the server's self signed certificate with `-k` option.
+
+
+## Enforce mTLS between OPEA pods
+
+This task ensures the OPEA workloads only communicate using mutual TLS.
+
+```bash
+kubectl apply -f istio-mtls-strict.yaml -n chatqna
+```
+
+## Cleanup
+
+Once you are done with the example you can cleanup yuor environment with the following commands:
+
+```bash
+kubectl delete -f istio-gateway-and-virtual-service.yaml
+kubectl delete -f istio-gateway-ca-and-cert.yaml
+kubectl apply -f istio-mtls-strict.yaml -n chatqna
+helmfile delete
+```
diff --git a/kubernetes-addons/istio/helmfile.yaml b/kubernetes-addons/istio/helmfile.yaml
new file mode 100644
index 000000000..49e6d7c49
--- /dev/null
+++ b/kubernetes-addons/istio/helmfile.yaml
@@ -0,0 +1,62 @@
+repositories:
+- name: opea
+ url: ghcr.io/opea-project/charts
+ oci: true
+- name: jetstack
+ url: https://charts.jetstack.io
+- name: istio
+ url: https://istio-release.storage.googleapis.com/charts
+ oci: false
+
+releases:
+- name: chatqna
+ chart: opea/chatqna
+ namespace: chatqna
+ version: 1.1.0
+ values:
+ - global:
+ HUGGINGFACEHUB_API_TOKEN: {{ env "HF_TOKEN" }}
+ modelUsePVC: model-volume
+ https_proxy: {{ env "https_proxy" }}
+
+- name: cert-manager
+ chart: jetstack/cert-manager
+ namespace: cert-manager
+ version: "v1.16.1"
+ set:
+ - name: crds.enabled
+ value: true
+
+- name: istio-base
+ chart: istio/base
+ namespace: istio-system
+ set:
+ - name: defaultRevision
+ value: default
+
+- name: istiod
+ chart: istio/istiod
+ namespace: istio-system
+ wait: true
+ set:
+ - name: profile
+ value: ambient
+
+- name: istio-cni
+ chart: istio/cni
+ namespace: istio-system
+ wait: true
+ set:
+ - name: profile
+ value: ambient
+
+- name: ztunnel
+ chart: istio/ztunnel
+ namespace: istio-system
+ wait: true
+
+- name: istio-ingress
+ chart: istio/gateway
+ namespace: istio-ingress
+ needs:
+ - istio-system/istiod
diff --git a/kubernetes-addons/istio/istio-gateway-and-virtual-service.yaml b/kubernetes-addons/istio/istio-gateway-and-virtual-service.yaml
new file mode 100644
index 000000000..8499437c8
--- /dev/null
+++ b/kubernetes-addons/istio/istio-gateway-and-virtual-service.yaml
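Review bot: `HUGGINGFACEHUB_API_TOKEN: {{ env "HF_TOKEN" }}` in the chatqna release appears to render to an empty value when HF_TOKEN is not exported, so `helmfile apply` deploys ChatQnA without a token instead of failing early; use `requiredEnv` and quote the result so the secret is always rendered as a string, `HUGGINGFACEHUB_API_TOKEN: {{ requiredEnv "HF_TOKEN" | quote }}`. The istio-base, istiod, istio-cni, ztunnel and istio-ingress releases carry no `version:`, unlike chatqna and cert-manager, so every apply pulls whatever the Istio chart repository currently serves; pinning each of them keeps the mTLS and ingress TLS setup reproducible and turns Istio upgrades into a reviewed change. The istio-ingress release also lacks `wait: true`, so the README's subsequent `kubectl apply` of the Gateway can race the gateway pod's readiness.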
@@ -0,0 +1,42 @@
+apiVersion: networking.istio.io/v1
+kind: Gateway
+metadata:
+ name: opea-gateway
+spec:
+ selector:
+ app: istio-ingress
+ servers:
+ - port:
+ number: 80
+ name: http
+ protocol: HTTP
+ hosts:
+ - "*"
+ tls:
+ httpsRedirect: true # sends 301 redirect for http requests
+ - port:
+ number: 443
+ name: https
+ protocol: HTTPS
+ hosts:
+ - "*.intel.com"
+ tls:
+ mode: SIMPLE
+ credentialName: istio-gateway
+---
+apiVersion: networking.istio.io/v1
+kind: VirtualService
+metadata:
+ name: opea
+spec:
+ gateways:
+ - opea-gateway
+ hosts:
+ - "*"
+ http:
+ - match:
+ - uri:
+ prefix: /
+ route:
+ - destination:
+ host: chatqna-nginx.chatqna.svc.cluster.local
diff --git a/kubernetes-addons/istio/istio-gateway-ca-and-cert.yaml b/kubernetes-addons/istio/istio-gateway-ca-and-cert.yaml
new file mode 100644
index 000000000..8b664829c
--- /dev/null
+++ b/kubernetes-addons/istio/istio-gateway-ca-and-cert.yaml
@@ -0,0 +1,22 @@
+apiVersion: cert-manager.io/v1
+kind: Issuer
+metadata:
+ name: ca-issuer
+ namespace: istio-ingress
+spec:
+ selfSigned: {}
+---
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+ name: istio-gateway
+ namespace: istio-ingress # ceritificate must be in the same namespace as istio ingress gw
+spec:
+ commonName: "Istio ingress for OPEA services"
+ dnsNames:
+ - "*.intel.com" # adjust to your environment
+ issuerRef:
+ group: cert-manager.io
+ kind: Issuer
+ name: ca-issuer
+ secretName: istio-gateway
diff --git a/kubernetes-addons/istio/istio-mtls-strict.yaml b/kubernetes-addons/istio/istio-mtls-strict.yaml
new file mode 100644
index 000000000..4357ed853
--- /dev/null
+++ b/kubernetes-addons/istio/istio-mtls-strict.yaml
@@ -0,0 +1,7 @@
+apiVersion: security.istio.io/v1
+kind: PeerAuthentication
+metadata:
+ name: default
+spec:
+ mtls:
+ mode: STRICT
From b49f851f5af67fff314dd277ef665c335fa94672 Mon Sep 17 00:00:00 2001
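Review bot: The HTTPS server's `hosts: - "*.intel.com"` has to agree with the `dnsNames` in istio-gateway-ca-and-cert.yaml, but only that file carries an "adjust to your environment" hint, so a reader who edits one and not the other ends up serving a certificate that does not match the host clients connect to; add the same coupling note here, `- "*.intel.com" # must match dnsNames in istio-gateway-ca-and-cert.yaml and the hostname clients use`. On the VirtualService side, `hosts: - "*"` with `prefix: /` forwards every path to chatqna-nginx, so nothing at the mesh edge limits what is exposed; if only the `/v1/chatqna` API used in the README is meant to be public, narrowing the `prefix` documents that intent. Neither resource sets `metadata.namespace`, so both land wherever `kubectl apply` happens to point (the README applies without `-n`); declaring the namespace makes the `gateways: - opea-gateway` reference unambiguous. The `mode: SIMPLE` server sets no `minProtocolVersion`, so the accepted TLS versions depend on the Istio release's default; stating `minProtocolVersion: TLSV1_2` in the server's `tls` block makes that explicit.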
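Review bot: The istio-gateway Certificate's `issuerRef` points straight at the `selfSigned: {}` Issuer, so cert-manager emits a self-signed leaf certificate rather than a CA-issued one, despite the file name and the `ca-issuer` name; no CA secret exists for a client to trust, which is why the README has to disable verification with `curl -k`. If a CA is intended, bootstrap one from the self-signed Issuer with an `isCA: true` Certificate and turn `ca-issuer` into a `ca` Issuer that references its secret; the existing istio-gateway Certificate then needs no change and clients can verify against the CA certificate instead of skipping verification. If a plain self-signed leaf is the goal, rename the Issuer and file to say so and mark it in a comment, `# self-signed leaf certificate: clients must trust it explicitly`. The namespace comment also misspells "ceritificate".
```yaml
apiVersion: cert-manager.io/v1
kind: Issuer
metadata:
  name: selfsigned-bootstrap
  namespace: istio-ingress
spec:
  selfSigned: {}
---
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: opea-ca
  namespace: istio-ingress
spec:
  isCA: true
  commonName: "OPEA example CA"
  secretName: opea-ca
  issuerRef:
    group: cert-manager.io
    kind: Issuer
    name: selfsigned-bootstrap
---
apiVersion: cert-manager.io/v1
kind: Issuer
metadata:
  name: ca-issuer
  namespace: istio-ingress
spec:
  ca:
    secretName: opea-ca
# … unchanged: istio-gateway Certificate, still issued by ca-issuer …
```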
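Review bot: The PeerAuthentication carries no `metadata.namespace`, so its scope is set by the `-n chatqna` on the kubectl command line rather than by the manifest; applied without `-n` it lands in `default`, and a resource named `default` with STRICT placed in the root namespace (`istio-system`) becomes mesh-wide. Add `namespace: chatqna` under `metadata` so the policy's scope is explicit in the file. STRICT is only enforced for workloads that are actually in the mesh; in ambient mode that presumably requires the `istio.io/dataplane-mode: ambient` label on the chatqna namespace or its pods, and neither the helmfile nor the README in this series sets it, so confirm and document that step or the policy has no effect on ChatQnA traffic. The README's Cleanup section also runs `kubectl apply` on this file where `kubectl delete` is evidently meant.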
From: "pre-commit-ci[bot]" <66853113+pre-commit-ci[bot]@users.noreply.github.com> Date: Thu, 16 Jan 2025 09:46:01 +0000 Subject: [PATCH 2/2] [pre-commit.ci] auto fixes from pre-commit.com hooks for more information, see https://pre-commit.ci --- kubernetes-addons/istio/README.md | 14 +++++++------- kubernetes-addons/istio/helmfile.yaml | 3 +++ .../istio/istio-gateway-and-virtual-service.yaml | 3 +++ .../istio/istio-gateway-ca-and-cert.yaml | 3 +++ kubernetes-addons/istio/istio-mtls-strict.yaml | 3 +++ 5 files changed, 19 insertions(+), 7 deletions(-) diff --git a/kubernetes-addons/istio/README.md b/kubernetes-addons/istio/README.md index a39288e78..b3c583550 100644 --- a/kubernetes-addons/istio/README.md +++ b/kubernetes-addons/istio/README.md @@ -2,7 +2,7 @@ ## Introduction -Istio service mesh provides many features including 1) [mTLS between Kubernetes pods](#enforce-mtls-between-opea-pods) and 2) [TLS connection to Kubernetes ingress](#create-istio-gateway-with-tls-and-virtual-service). +Istio service mesh provides many features including 1) [mTLS between Kubernetes pods](#enforce-mtls-between-opea-pods) and 2) [TLS connection to Kubernetes ingress](#create-istio-gateway-with-tls-and-virtual-service). This document describes how to enable the above two Istio features with OPEA applications. We will use the new Istio ambient mode (a.k.a. sidecar-less mode) @@ -10,7 +10,7 @@ This document describes how to enable the above two Istio features with OPEA app In this document we use the following components: -- OPEA ChatQnA as an exmaple application +- OPEA ChatQnA as an example application - Istio (in ambient mode) with ingress gateway using TLS and strict mTLS for ChatQnA application - Cert-Manager for issuing TLS certificate to Istio ingress gateway 
@@ -21,6 +21,7 @@ In this document we use [helmfile](https://helmfile.readthedocs.io/en/latest/) t ```bash helmfile apply ``` + > [!NOTE] > The above deployment uses `model-volume` Persistent Volume Claim (PVC) for storing the ChatQnA models so ensure such PVC and corresponding PV are available in your cluster. @@ -35,7 +36,7 @@ kubectl get crd gateways.gateway.networking.k8s.io &> /dev/null || \ ## Create Istio gateway with TLS and virtual service -Istio gateway terminates the external TLS connections. Istio virtual service routes the traffic to services. In this example, all the traffic that matches host '*.intel.com' and path prefix '/' is routed to 'chatqna-nginx.chatqna' service. The Istio gateway needs certificate which is created via 'cert-manager' Issuer and Certificate. +Istio gateway terminates the external TLS connections. Istio virtual service routes the traffic to services. In this example, all the traffic that matches host '\*.intel.com' and path prefix '/' is routed to 'chatqna-nginx.chatqna' service. The Istio gateway needs certificate which is created via 'cert-manager' Issuer and Certificate. Create Istio gateway and virtual service: 
@@ -52,14 +53,13 @@ kubectl apply -f istio-gateway-ca-and-cert.yaml Now you are able to connect to OPEA engine services via TLS. You can test the connection with the command: ```bash -# Get Istio ingress loadbalancer (LB) address. If you don't use LB, you can set use `kubectl port-forward` command. +# Get Istio ingress loadbalancer (LB) address. If you don't use LB, you can set use `kubectl port-forward` command. IP=$(kubectl get svc -n istio-ingress -ojsonpath="{.items[0].status.loadBalancer.ingress[0].ip}") # Resolve IP to DNS. DNS needs to match the dnsNames in istio-gateway certificate. curl -ks https://${DNS}/v1/chatqna -H "Content-Type: application/json" -d '{"messages": "What is the TLS?"}' ``` -> [!NOTE] -> `https` scheme (TLS) is used and in curl we ignore the server's self signed certificate with `-k` option. +> [!NOTE] > `https` scheme (TLS) is used and in curl we ignore the server's self signed certificate with `-k` option. ## Enforce mTLS between OPEA pods @@ -71,7 +71,7 @@ kubectl apply -f istio-mtls-strict.yaml -n chatqna ## Cleanup -Once you are done with the example you can cleanup yuor environment with the following commands: +Once you are done with the example you can cleanup your environment with the following commands: ```bash kubectl delete -f istio-gateway-and-virtual-service.yaml diff --git a/kubernetes-addons/istio/helmfile.yaml b/kubernetes-addons/istio/helmfile.yaml index 49e6d7c49..9fb3f8ab7 100644 --- a/kubernetes-addons/istio/helmfile.yaml +++ b/kubernetes-addons/istio/helmfile.yaml @@ -1,3 +1,6 @@ +# Copyright (C) 2025 Intel Corporation +# SPDX-License-Identifier: Apache-2.0 + repositories: - name: opea url: ghcr.io/opea-project/charts diff --git a/kubernetes-addons/istio/istio-gateway-and-virtual-service.yaml b/kubernetes-addons/istio/istio-gateway-and-virtual-service.yaml index 8499437c8..08bd49aaf 100644 --- a/kubernetes-addons/istio/istio-gateway-and-virtual-service.yaml 
+++ b/kubernetes-addons/istio/istio-gateway-and-virtual-service.yaml @@ -1,3 +1,6 @@ +# Copyright (C) 2025 Intel Corporation +# SPDX-License-Identifier: Apache-2.0 + apiVersion: networking.istio.io/v1 kind: Gateway metadata: diff --git a/kubernetes-addons/istio/istio-gateway-ca-and-cert.yaml b/kubernetes-addons/istio/istio-gateway-ca-and-cert.yaml index 8b664829c..0d8050870 100644 --- a/kubernetes-addons/istio/istio-gateway-ca-and-cert.yaml +++ b/kubernetes-addons/istio/istio-gateway-ca-and-cert.yaml @@ -1,3 +1,6 @@ +# Copyright (C) 2025 Intel Corporation +# SPDX-License-Identifier: Apache-2.0 + apiVersion: cert-manager.io/v1 kind: Issuer metadata: diff --git a/kubernetes-addons/istio/istio-mtls-strict.yaml b/kubernetes-addons/istio/istio-mtls-strict.yaml index 4357ed853..27cfc8064 100644 --- a/kubernetes-addons/istio/istio-mtls-strict.yaml +++ b/kubernetes-addons/istio/istio-mtls-strict.yaml @@ -1,3 +1,6 @@ +# Copyright (C) 2025 Intel Corporation +# SPDX-License-Identifier: Apache-2.0 + apiVersion: security.istio.io/v1 kind: PeerAuthentication metadata: