istio-certman-poc

Developing a POC for Istio with cert-manager. The configs and source code are for an "Amazon EKS with Istio" POC and are not suitable for production.

Note that the Terraform implementation still needs to be optimized (it is quite static), since it is written for maximum readability for learning.

If you need to scale the EKS cluster, change the node count.

Dependencies

  1. Terraform
  2. AWS Account

How to run - ISTIO Deployment

  1. Clone the repo
    git clone https://github.com/krishanthisera/istio-certman-poc.git
  2. cd into the terraform directory and execute terraform plan
    Make sure to change the worker group configuration in main.tf first
    terraform init
    terraform plan -out=istio.tfplan
  3. Apply terraform plan
    terraform apply "istio.tfplan"
    Afterwards, grab the name server addresses from the Terraform output and configure your domain registrar to delegate your domain to the Route 53 zone:
    terraform output name_servers
  4. Configure EKS config
    terraform output kubectl_config > ~/.kube/config
  5. Install istioctl
    • curl -sL https://istio.io/downloadIstioctl | sh -
    • export PATH=$PATH:$HOME/.istioctl/bin
    • istioctl x precheck
    • The output should look like this:
      Checking the cluster to make sure it is ready for Istio installation...
      
      #1. Kubernetes-api
      -----------------------
      Can initialize the Kubernetes client.
      Can query the Kubernetes API Server.
      
      #2. Kubernetes-version
      -----------------------
      Istio is compatible with Kubernetes: v1.18.9-eks-d1db3c.
      
      #3. Istio-existence
      -----------------------
      Istio will be installed in the istio-system namespace.
      
      #4. Kubernetes-setup
      -----------------------
      Can create necessary Kubernetes configurations: Namespace,ClusterRole,ClusterRoleBinding,CustomResourceDefinition,Role,ServiceAccount,Service,Deployments,ConfigMap. 
      
      #5. SideCar-Injector
      -----------------------
      This Kubernetes cluster supports automatic sidecar injection. To enable automatic sidecar injection see https://istio.io/v1.8/docs/setup/additional-setup/sidecar-injection/#deploying-an-app
      
      -----------------------
      Install Pre-Check passed! The cluster is ready for Istio installation.
  6. Install ISTIO
    istioctl install --set profile=default
    The output will look like this:
      This will install the Istio default profile with ["Istio core" "Istiod" "Ingress gateways"] components into the cluster. Proceed? (y/N) y
      ✔ Istio core installed
      ✔ Istiod installed
      ✔ Ingress gateways installed
      ✔ Installation complete
  7. Add DNS records
    • Uncomment route53_records.tf (the sed command strips the first character of every line, i.e. the leading comment marker)
      sed 's/^.//g' -i route53_records.tf
    • Apply the changes
      terraform plan -out=istio.tfplan
      terraform apply "istio.tfplan"

Install Cert-Manager

  1. Create the cert-manager namespace (and optionally enable sidecar injection)
    kubectl create ns cert-manager
    kubectl label namespace cert-manager istio-injection=enabled
  2. Install Cert-Manager
    kubectl apply -f https://github.com/jetstack/cert-manager/releases/download/v1.1.0/cert-manager.yaml

How to run - Ingress Testing

  1. Enable ISTIO proxy (Envoy) sidecar injection and deploy the demo app
    kubectl label namespace default istio-injection=enabled
    kubectl apply -f demo-app/bookinfo.yaml
  2. Configure the Gateway and VirtualService - optional
    kubectl apply -f demo-app/bookinfo.yaml
    kubectl apply -f demo-app/ingress.yaml # change the port to 80 before running
  3. Verify using the browser
    http://book.d3v0ps.com.au/
  4. Delete the Gateway resource - optional
    kubectl delete -f demo-app/ingress.yaml

How to run - Cert-Manager Configs

  1. Create the issuer
    kubectl apply -f cert-manager-configs/lets-enc-staging-issuer.yaml
  2. Verify the issuer
    kubectl describe issuer -n istio-system
    and confirm that the issuer reports Ready
  3. Create istio-autogenerated-k8s-ingress so that Ingress objects are converted to ISTIO resources
    kubectl apply -f cert-manager-configs/istio-autogenerated-k8s-ingress.yaml
  4. Create the certificate
    kubectl apply -f cert-manager-configs/book-cert.yaml

How to run - Complete the setup

  1. Rerun the gateway configs for book-info
    kubectl apply -f demo-app/ingress.yaml
  2. Test the Connectivity using browser

How to run - Production Setup

  1. Create the production issuer
    kubectl apply -f cert-manager-configs/lets-enc-prod-issuer.yaml
  2. Verify the issuer
    kubectl describe Issuer -n istio-system letsencrypt-prod
  3. Create a new certificate referencing the production issuer
    kubectl apply -f cert-manager-configs/book-cert-prod.yaml
  4. Test the connectivity using browser

Configure strict mTLS

  1. kubectl apply -f istio-addons/mTLS.yaml
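What a mesh-wide strict policy looks like, as an added example (not the repository's istio-addons/mTLS.yaml):

```yaml
apiVersion: security.istio.io/v1beta1
kind: PeerAuthentication
metadata:
  name: default
  namespace: istio-system   # a policy in the root namespace applies to every workload in the mesh
spec:
  mtls:
    mode: STRICT            # sidecars accept only mTLS; plaintext from pods without a sidecar is rejected
```

Because of that last point, a workload deliberately left out of injection can no longer reach injected services in plaintext; confirm the active policy with kubectl get peerauthentication -A.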

Install Istio addons

  • Prometheus
    1. Install Prometheus
      kubectl apply -f https://raw.githubusercontent.com/istio/istio/release-1.8/samples/addons/prometheus.yaml
    2. Access Prometheus
      kubectl port-forward svc/prometheus 9090:9090 -n istio-system
  • Kiali (note that Prometheus must be installed for Kiali to operate)
    1. Install Kiali
      kubectl apply -f https://raw.githubusercontent.com/istio/istio/release-1.8/samples/addons/kiali.yaml
    2. Access Kiali
      kubectl port-forward svc/kiali 20001:20001 -n istio-system
  • Jaeger
    1. Install Jaeger
      kubectl apply -f https://raw.githubusercontent.com/istio/istio/release-1.8/samples/addons/jaeger.yaml
    2. Access Jaeger
      istioctl dashboard jaeger
