Commit 56a335ed authored by kiranveerapaneni's avatar kiranveerapaneni
Browse files

Splitting Istio Profile and Installation into mutiple charts

parent 954d5fe7
# infra-azure-provisioning-Istio setup
Istio auth templates provision
1- Istio authorization configuration
## Istio authorization configuration
Istio authorization configuration to authorize requests based on configured rules.With out authorization rule Istio will allow requests without token ,
So it is required to configure these rules to block requests without token.
Currently rules are configured for each service to deny request without principal and with some exceptions for sawgger pages etc.
For more details refer [here](https://istio.io/latest/docs/reference/config/security/authorization-policy/)
# Copyright © Microsoft Corporation
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
apiVersion: v2
name: istio
appVersion: "latest"
description: Helm Chart for installing istio profile, sidecar and authentication on osdu services.
version: 0.1.0
type: application
# infra-azure-provisioning-Istio setup
Istio profile templates provision
1- Istio profile configuration
2- Istio sidecar injection
3- Istio Request authentication configuration
4- Istio Peer authentication configuration
## Istio profile configuration
Istio can be configured different profiles to fit into different requirements.Current configured
default profile is recommended for production deployments and for primary clusters in a multicluster mesh.For more details refer [here](https://istio.io/latest/docs/setup/additional-setup/config-profiles/)
### Istio sidecar injection
Istio sidecar injection is enabling istio to deploy sidecar proxy for the pods running in the namespace it got enabled.
These sidecar proxies can be used for run authentication rules.For more details refer [here](https://istio.io/latest/docs/setup/additional-setup/sidecar-injection/)
### Istio Request authentication configuration
Istio Request authentication kind is to configure JWT rules for authenticating token.For more details on request aunthentication refer [here](https://istio.io/latest/docs/reference/config/security/request_authentication/)
Define the list of JWTs that can be validated at the selected workloads’ proxy. A valid
token will be used to extract the authenticated identity. Each rule will be
activated only when a token is presented at the location recorgnized by the rule.
The token will be validated based on the JWT rule config. If validation fails,
the request will be rejected.
Currently configured to authenticate token, forward original token and forward base 64 encoded payload. For more details on Jwt rules refer [here](https://istio.io/latest/docs/reference/config/security/jwt/)
### Istio Peer authentication configuration
Istio peer authentication kind is to allow mTLS traffic for all workloads under specified namespace.
There are different modes to configure mTLS communication, currently configured as Permissive to allow plain traffic from gateway and encrypted traffic from other pods.
For more details [here](https://istio.io/latest/docs/reference/config/security/peer_authentication/)
# infra-azure-provisioning-Istio setup
Istio templates provision
1- Namespace creation for Istio resources
2- Istio installation
## Namespace creation for Istio resources
It creates new namespace where istio service will be installed using kind namespace.
## Istio installation
The template is used to install Istio in the namespace we created using Istio operator.
In this template we have the version to install and configurations for istio proxies are provided.
###Istio Installion yaml template generation steps
1. Download istio [here](https://github.com/istio/istio/releases/tag/1.6.7), choose the right version tag you need.
2. Run the command to generate template yaml
######Command
helm template manifests/charts/istio-operator/ --set hub=docker.io/istio --set tag=<release_version> --set operatorNamespace=istio-operator --set istioNamespace=<istio_namespace> > /tmp/istio-operator-install.yaml
######example
helm template manifests/charts/istio-operator/ --set hub=docker.io/istio --set tag=1.6.7 --set operatorNamespace=istio-operator --set istioNamespace=istio-system > /tmp/istio-operator-install.yaml
Markdown is supported
0% or .
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment