Prerequisites for deploying and protecting services
This article lists the prerequisites for deploying and protecting services with both the HTTP and gRPC methods.
Install the Kubernetes cluster with Istio
Prerequisites
- Kubernetes version 1.14 or later is required.
- Istio version 1.9 or later is required.
Procedure
- You can set up a Kubernetes cluster locally using kind.
    GO111MODULE="on" go get sigs.k8s.io/kind@v0.9.0 && kind create cluster
- Install Istio.
    curl -L https://istio.io/downloadIstio | sh -
    cd istio-1.8.2
    export PATH=$PWD/bin:$PATH
    istioctl install --set profile=demo -y
    kubectl label namespace default istio-injection=enabled
    ✔ Istio core installed
    ✔ Istiod installed
    ✔ Egress gateways installed
    ✔ Ingress gateways installed
    ✔ Installation complete
Define the authorizer
- Edit the mesh config with the following command:
    kubectl edit configmap istio -n istio-system
- Define the ACP authorizer using extension providers, for example:
    data:
      mesh: |-
        extensionProviders:
        - name: "acp-authorizer"
          envoyExtAuthzGrpc:
            service: "istio-authorizer.acp-system.svc.cluster.local"
            port: "9001"
- Restart Istio to apply the changes:
    kubectl rollout restart deployment/istiod -n istio-system
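A check for the provider definition above, as an added example that is not part of the original documentation or of the ACP or Istio projects: check_acp_provider (a hypothetical helper name) reads the mesh config on stdin and confirms that acp-authorizer is declared as an envoyExtAuthzGrpc provider with the service and port shown in the snippet. It assumes block-style YAML, and the sample input is constructed.

```shell
#!/bin/sh
# Added example; check_acp_provider is a hypothetical helper, not ACP/Istio code.
# Expected values are copied from the extensionProviders snippet on this page.
ACP_NAME="acp-authorizer"
ACP_SERVICE="istio-authorizer.acp-system.svc.cluster.local"
ACP_PORT="9001"
check_acp_provider() {   # reads an Istio mesh config (block-style YAML) on stdin
  awk -v name="$ACP_NAME" -v svc="$ACP_SERVICE" -v port="$ACP_PORT" '
    function val(s) {    # value of a "key: value" line, comment and quotes removed
      sub(/[ \t]#.*$/, "", s); sub(/^[^:]*:[ \t]*/, "", s)
      gsub(/["\047 \t\r]/, "", s); return s
    }
    function flush() {   # close the current list entry; remember it if it is ours
      if (cur == name) { found = 1; f_grpc = grpc; f_svc = c_svc; f_port = c_port }
      cur = ""; grpc = 0; in_grpc = 0; c_svc = ""; c_port = ""
    }
    /^ *(#|$)/ { next }                                  # comments, blank lines
    /^ *extensionProviders:/ { in_list = 1; item = -1; next }
    !in_list { next }
    {
      match($0, /^ */); ind = RLENGTH; dash = ($0 ~ /^ *- /)
      if (item < 0) { if (!dash) { in_list = 0; next } item = ind }
      if (ind < item || (ind == item && !dash)) { flush(); in_list = 0; next }
      if (dash && ind == item) { flush(); sub(/- /, "  "); ind += 2 }
      if (ind == item + 2) {                             # key of the provider itself
        in_grpc = ($0 ~ /^ *envoyExtAuthzGrpc:/); if (in_grpc) grpc = 1
        if ($0 ~ /^ *name:/) cur = val($0)
        next
      }
      if (in_grpc && $0 ~ /^ *service:/) c_svc = val($0)  # nested under envoyExtAuthzGrpc
      if (in_grpc && $0 ~ /^ *port:/) c_port = val($0)
    }
    END {
      flush()
      if (!found)         { print "FAIL: provider " name " is not defined"; exit 1 }
      if (!f_grpc)        { print "FAIL: " name " has no envoyExtAuthzGrpc block"; exit 1 }
      if (f_svc != svc)   { print "FAIL: service is " f_svc ", expected " svc; exit 1 }
      if (f_port != port) { print "FAIL: port is " f_port ", expected " port; exit 1 }
      print "OK: " name " -> " svc ":" port
    }'
}
# Constructed sample input: the mesh value as shown on this page.
SAMPLE_MESH='extensionProviders:
- name: "acp-authorizer"
  envoyExtAuthzGrpc:
    service: "istio-authorizer.acp-system.svc.cluster.local"
    port: "9001"'
printf '%s\n' "$SAMPLE_MESH" | check_acp_provider
```

Against a cluster, pipe the live value into the function: kubectl get configmap istio -n istio-system -o jsonpath='{.data.mesh}' | check_acp_provider. A non-zero exit status means the provider entry is missing or differs from the snippet.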
Select the workspace
- In your browser, navigate to ACP and log in with your credentials.
- In the Workspace Directory view, select a workspace that you want to enter.
Create the Istio gateway
- In the workspace, select APIs from the sidebar.
- Select the GATEWAYS tab.
- Select ADD GATEWAY.
- Select Istio, enter the name and the description for your gateway, and select NEXT.
- In the Gateway Management view, go to the QUICK START tab and proceed as follows:
  - Select Download Package to download the zipped Istio Authorizer package. Unzip the package locally and enter the extracted folder.
    Note
    The package includes:
    - manifest.yaml, listing API details.
    - kustomization.yaml, defining resources and secret generator inputs.
    - parse-body.yaml, which can be used to indicate that the request body is going to be parsed. You can use JSON validators to check the request body assertions.
  - To deploy Istio Authorizer, execute the command:
      kubectl apply -k .
    Result
    Istio Authorizer scans deployments in configured namespaces and funnels information about discovered APIs to ACP.
  - Back in the ACP administrator portal (Gateway Management > QUICK START), select CONNECT API GROUPS to connect APIs and enable enforcement policies.
    Result
    The predefined set of API groups has been imported and displayed in the APIs tab of the Gateway Management view. The API groups are ready to be connected to services.