OpenShift Service Mesh (Istio)

Introduction

Deployed projects designed and implemented with IBM Industry Solutions Workbench now support OpenShift Service Mesh (Istio). Istio makes it easy to create a network of deployed services with load balancing, service-to-service authentication, monitoring, and more, with few or no code changes in service code. Having Istio enabled the services can communicate secured by mutualTLS.

Prerequisites

  • OpenShift Service Mesh (version 2.0.2 and above)

Enable OpenShift Service Mesh

The enablement of OpenShift Service Mesh can be set during the creation of a k5-project. The variation in setting up additional steps are described below.

  1. Create an OpenShift project (see Creating new Deployment Targets)

  2. Assign Permissions

  3. Create service mesh member roll for the new k5-project

    • Switch to istio-system project: Home > Projects > istio-system
    • Navigate to: Operators > Installed Operators > Red Hat OpenShift Service Mesh > Istio Service Mesh Member Roll
    • Replace your-project with the created OpenShift project/s as described below
    apiVersion: maistra.io/v1
kind: ServiceMeshMemberRoll
metadata:
    name: default
    namespace: openshift-operators
spec:
    members: - your-project - another-of-your-projects

  4. Create an instance of the custom resource k5-project

     istio:
     enabled: true
     strictMtls: true
    Warning:

While creating a new k5-project using CRD, enable Istio (required) and strictMtls (optional). But we recommend enabling strictMtls mode for security reasons.

Update certificates for Istio Service Mesh

You can either update the certificates manually or use the Cert Manager. See descriptions below.

Using manual way

You need to have certificates for Istio. then using below the command you can apply those certificates:

oc create secret tls istio-ingressgateway-certs --key tls.key --cert tls.crt -n istio-system
Warning:

Make sure the instance of Istio Service Mesh Control Plane is created and to update your certificates whenever they expire. Don't use certificates of OpenShift Ingress for Istio and use domain specific secrets instead of wildcard certificates.

Warning:

Make sure to update the certificates once they expire.

Using Cert Manager

Prerequisites:

Cert Manager should be installed and configured

  1. Login to OpenShift Admin Console
  2. Navigate to: Administration > Custom Resource Definitions
  3. Search and select Certificate CRD
  4. Navigate to: Instances
  5. Click on Create Certificate
  6. Use following sample as template and save CRD

Sample Certificate CRD instance

apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
name: <Some-Name>
namespace: istio-system
spec:
dnsNames:
- <k5-project-name>.<your suffix URL>
    issuerRef:
    kind: ClusterIssuer
    name: letsencrypt-clusterissuer-prod
    secretName: istio-ingressgateway-certs

Verification:

  1. Select istio-system project
  2. Navigate to: Workloads > Secrets
  3. Search and select the secret istio-ingressgateway-certs
  4. Check for tls.crt and tls.key
Tip:

If there are certificates not reflecting the update, then delete istio-ingressgateway-<suffix> from istio-system namespace