istio-ified fortio - acme auto https (demo) setup

fortio/Makefile

@@ -0,0 +1,26 @@
+
+deploy-fortio:
+	istioctl kube-inject --debug=false -f fortio.yaml | kubectl apply -f -
+
+all: cert-setup ingress-setup cert-issue deploy-fortio
+
+cert-setup:
+	# TODO: more granular rbac roles
+	-kubectl create clusterrolebinding add-on-cluster-admin --clusterrole=cluster-admin --serviceaccount=kube-system:default
+	helm init
+	helm repo update
+	helm install stable/cert-manager
+
+ingress-setup:
+	kubectl apply -f ingress.yaml
+
+cert-issue:
+	kubectl apply -f cert.yaml
+
+#   dangerous as it deletes the cert and secret and if using the production
+#   letsencrypt server, rate limits may mean you can't get a new cert until
+#   the following week. uncomment if you understand the risks:
+#force-reissue:
+#	kubectl delete secret -n istio-system istio-ingress-certs
+
+.PHONY: deploy-fortio cert-setup ingress-setup cert-issue all

fortio/README.md

@@ -0,0 +1,54 @@
+# Fortio on Istio
+
+Experimental istio on istio deployment:
+
+[https://fortio.istio.io/](https://fortio.istio.io/) is running an istio deployment of the `fortio report` application
+
+Using envoy directly as the internet facing istio ingress. SSL certificates are
+automatically provisioned and renewed for multiple domains
+([https://istio.fortio.org/](https://istio.fortio.org/) being the second one for the sake of this demonstration).
+
+The data presented is pulled from a configurable google cloud storage or aws s3 bucket.
+
+## Initial setup:
+
+One time setup:
+
+- Istio itself
+  ```
+  # Istio 'perf' mode installation:
+  sh -c 'sed -e "s/_debug//g" install/kubernetes/istio-auth.yaml | egrep -v -e "- (-v|\"2\")" | kubectl apply -f -'
+  ```
+
+- Cert-manager
+
+  This installs the [cert-manager](https://github.com/jetstack/cert-manager)
+  ```
+  make cert-setup
+  ```
+
+- Ingress
+
+  You can run this step separately for instance if you change ingress rules
+  in ingress.yaml.
+  ```
+  make ingress-setup
+  ```
+
+- Get SSL certs
+
+  You can run this step separately for instance if switching from staging to
+  prod or editing cert.yaml to add new domains for instance.
+  ```
+  make cert-issue
+  ```
+  (check pod logs at each step etc)
+
+## Fortio report app
+
+Install fortio report app:
+```
+make deploy-fortio # or just 'make'
+```
+
+You can also delete the fortio-report pods to upgrade to latest fortio

fortio/cert.yaml

@@ -0,0 +1,116 @@
+apiVersion: certmanager.k8s.io/v1alpha1
+kind: Issuer
+metadata:
+  name: letsencrypt-staging
+  namespace: istio-system
+spec:
+  acme:
+    # The ACME server URL
+    server: https://acme-staging.api.letsencrypt.org/directory
+    # Email address used for ACME registration
+    email: ldemailly@google.com
+    # Name of a secret used to store the ACME account private key
+    privateKeySecretRef:
+      name: letsencrypt-staging-secret
+    # Enable the HTTP-01 challenge provider
+    http01: {}
+---
+apiVersion: certmanager.k8s.io/v1alpha1
+kind: Issuer
+metadata:
+  name: letsencrypt-prod
+  namespace: istio-system
+spec:
+  acme:
+    # The ACME server URL
+    server: https://acme-v01.api.letsencrypt.org/directory
+    # Email address used for ACME registration
+    email: ldemailly@google.com
+    # Name of a secret used to store the ACME account private key
+    privateKeySecretRef:
+      name: letsencrypt-prod-secret
+    # Enable the HTTP-01 challenge provider
+    http01: {}
+---
+apiVersion: certmanager.k8s.io/v1alpha1
+kind: Certificate
+metadata:
+  name: fortio-cert-prod
+  namespace: istio-system
+spec:
+  secretName: istio-ingress-certs
+  issuerRef:
+    name: letsencrypt-prod
+  commonName: fortio.istio.io
+  dnsNames:
+  - fortio.istio.io
+  - istio.fortio.org
+  acme:
+    config:
+    - http01:
+        # This class doesn't exist on purpose so we'll use the less specific
+        # istio ingress one because we need the auth off annotation on the svc
+        ingressClass: not-there
+      domains:
+      - fortio.istio.io
+      - istio.fortio.org
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: cert-manager-ingress1
+  namespace: istio-system
+  annotations:
+    auth.istio.io/8089: NONE
+spec:
+  ports:
+  - port: 8089
+    name: http-certingr
+  selector:
+    certmanager.k8s.io/domain: fortio.istio.io
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: cert-manager-ingress2
+  namespace: istio-system
+  annotations:
+    auth.istio.io/8089: NONE
+spec:
+  ports:
+  - port: 8089
+    name: http-certingr
+  selector:
+    certmanager.k8s.io/domain: istio.fortio.org
+---
+apiVersion: extensions/v1beta1
+kind: Ingress
+metadata:
+  annotations:
+    kubernetes.io/ingress.class: istio
+    certmanager.k8s.io/acme-challenge-type: http01
+    certmanager.k8s.io/issuer: letsencrypt-prod
+# not working:
+#    kubernetes.io/ingress.global-static-ip-name: fortio-prod-ip
+  name: istio-ingress-certs-mgr
+  namespace: istio-system
+spec:
+  rules:
+  - http:
+      paths:
+        # cert-manager adds its own rules to the ingress but we need our
+        # rule because we have to selectively disable auth for the service
+        # and route to the service and not a nodeport
+      - path: /.well-known/acme-challenge/.*
+        backend:
+          serviceName: cert-manager-ingress1
+          servicePort: http-certingr
+    # Unfortunately host isn't an array and there are no "*" allowed for all
+    host: fortio.istio.io
+  - http:
+      paths:
+      - path: /.well-known/acme-challenge/.*
+        backend:
+          serviceName: cert-manager-ingress2
+          servicePort: http-certingr
+    host: istio.fortio.org

fortio/fortio.yaml

@@ -0,0 +1,90 @@
+---
+# Service definition
+apiVersion: v1
+kind: Service
+metadata:
+  name: fortio-report
+spec:
+  ports:
+  - port: 8080
+    name: http-report
+  - port: 8081
+    name: http-redir
+  selector:
+    app: fortio-report
+---
+# Deployment - 2 pods for miminal HA
+apiVersion: apps/v1beta1
+kind: Deployment
+metadata:
+  name: fortio-report-deployment
+spec:
+  replicas: 2 # tells deployment to run 2 pods matching the template
+  template: # create pods using pod definition in this template
+    metadata:
+      # a unique name is generated from the deployment name
+      labels:
+        app: fortio-report
+    spec:
+      containers:
+      - name: fortio-report
+        image: istio/fortio:latest
+        ports:
+        - containerPort: 8080 # main serving port
+        - containerPort: 8081 # redirection to https port
+        args:
+          - report # report only (readonly) mode
+          - -sync
+          # http...443 is not a typo, this is to work with egress
+          - http://storage.googleapis.com:443/fortio-data?prefix=fortio.istio.io/
+          #- -loglevel
+          #- verbose
+        volumeMounts:
+          - mountPath: /var/lib/istio/fortio
+            name: fortio-data
+      volumes:
+        - name: fortio-data
+          emptyDir:
+            medium: Memory
+---
+# Service definition
+apiVersion: v1
+kind: Service
+metadata:
+  name: fortio-debug
+spec:
+  ports:
+  - port: 8080
+    name: http-debug
+  selector:
+    app: fortio-debug
+---
+# Deployment (volume definition is in fortio-volume.yaml)
+apiVersion: apps/v1beta1
+kind: Deployment
+metadata:
+  name: fortio-debug-deployment
+spec:
+  replicas: 1 # tells deployment to run 1 pods matching the template
+  template: # create pods using pod definition in this template
+    metadata:
+      # a unique name is generated from the deployment name
+      labels:
+        app: fortio-debug
+    spec:
+      containers:
+      - name: fortio-debug
+        image: istio/fortio:latest
+        ports:
+        - containerPort: 8080
+---
+apiVersion: "config.istio.io/v1alpha2"
+kind: EgressRule
+metadata:
+  name: cloud-storage-egress-rule
+spec:
+  destination:
+    service: "storage.googleapis.com"
+  ports:
+    - port: 443
+      protocol: https

fortio/ingress.yaml

@@ -0,0 +1,75 @@
+# https version:
+apiVersion: extensions/v1beta1
+kind: Ingress
+metadata:
+  annotations:
+    kubernetes.io/ingress.class: istio
+# Not working:
+#    kubernetes.io/ingress.global-static-ip-name: fortio-prod-ip
+# Also not working:
+    kubernetes.io/ingress.allow-http: "false"
+  name: istio-ingress-https
+spec:
+  tls:
+    - secretName: istio-ingress-certs # currently ignored/must be this
+  rules:
+  - http:
+      paths:
+      - path: /debug
+        backend:
+          serviceName: fortio-debug
+          servicePort: http-debug
+      - path: /.*
+        backend:
+          serviceName: fortio-report
+          servicePort: http-report
+    # Unfortunately host isn't an array and there are no "*" allowed for all
+    host: fortio.istio.io
+  - http:
+      paths:
+      - path: /debug
+        backend:
+          serviceName: fortio-debug
+          servicePort: http-debug
+      - path: /.*
+        backend:
+          serviceName: fortio-report
+          servicePort: http-report
+    host: istio.fortio.org
+---
+# http version (and catch all for all hosts/ips/...)
+apiVersion: extensions/v1beta1
+kind: Ingress
+metadata:
+  annotations:
+    kubernetes.io/ingress.class: istio
+# not working:
+#    kubernetes.io/ingress.global-static-ip-name: fortio-prod-ip
+  name: istio-ingress-http
+spec:
+  rules:
+  - http:
+      paths:
+      - path: /debug
+        backend:
+          serviceName: fortio-debug
+          servicePort: http-debug
+      - path: /.*
+        backend:
+          serviceName: fortio-report
+          servicePort: http-report
+# duplication needed because of #2573
+  - http:
+      paths:
+      - path: /.*
+        backend:
+          serviceName: fortio-report
+          servicePort: http-redir
+    host: fortio.istio.io
+  - http:
+      paths:
+      - path: /.*
+        backend:
+          serviceName: fortio-report
+          servicePort: http-redir
+    host: istio.fortio.org