/vertx-istio-security-booster

A booster demonstrating Istio mutual TLS between two services
  1. HTML 94.0%
  2. Java 6.0%
Switch branches/tags
Nothing to show
Find file
Clone or download

Clone with HTTPS

Use Git or checkout with SVN using the web URL.

Open in Desktop Download ZIP

Launching GitHub Desktop...

If nothing happens, download GitHub Desktop and try again.

Launching GitHub Desktop...

If nothing happens, download GitHub Desktop and try again.

Launching Xcode...

If nothing happens, download Xcode and try again.

Launching Visual Studio...

If nothing happens, download the GitHub extension for Visual Studio and try again.

Fetching latest commit…
Cannot retrieve the latest commit at this time.
Permalink
Failed to load latest commit information.
rules
src/licenses
vertx-istio-security-greeting
vertx-istio-security-name
.editorconfig
.gitignore
LICENSE
README.md
pom.xml

README.md

Eclipse Vert.x / Istio Security Booster

Purpose

Showcase Istio TLS and ACL via a set of Eclipse Vert.x applications.

Prerequisites

  • Openshift 3.10 cluster with Istio. For local development, download the latest release from Maistra and run:
# Set oc to be the Maistra one
oc cluster up --enable="*,istio"
oc login -u system:admin
# Apply a configuration that enables jaeger
oc apply -f oc apply -f https://gist.githubusercontent.com/cescoffier/6502ae00bcb1487bef4325837d2e2b80/raw/d92d78565478e20b6cf86d15d2aa46b2c49b5d9e/istio-installation-distributed-tracing.yaml -n istio-operator -n istio-operator
oc get pods -n istio-system -w

Wait until the openshift-ansible-istio-installer-job-xxxx job has completed. It can take several minutes. The OpenShift console is available on https://127.0.0.1:8443.

  • Create a new project/namespace on the cluster. This is where your application will be deployed.
oc login -u system:admin
oc adm policy add-cluster-role-to-user admin developer --as=system:admin
oc login -u developer -p developer
oc new-project <whatever valid project name you want> # not required

Build and deploy the application

With Fabric8 Maven Plugin (FMP)

Execute the following command to build the project and deploy it to OpenShift:

mvn clean fabric8:deploy -Popenshift

Configuration for FMP may be found both in pom.xml and src/main/fabric8 files/folders.

This configuration is used to define service names and deployments that control how pods are labeled/versioned on the OpenShift cluster.

With S2I Build

find . | grep openshiftio | grep application | xargs -n 1 oc apply -f

oc new-app --template=vertx-istio-security-name -p SOURCE_REPOSITORY_URL=https://github.com/openshiftio-vertx-boosters/vertx-istio-security-booster -p SOURCE_REPOSITORY_REF=master -p SOURCE_REPOSITORY_DIR=vertx-istio-security-name oc new-app --template=vertx-istio-security-greeting -p SOURCE_REPOSITORY_URL=https://github.com/openshiftio-vertx-boosters/vertx-istio-security-booster -p SOURCE_REPOSITORY_REF=master -p SOURCE_REPOSITORY_DIR=vertx-istio-security-greeting

Use Cases

Configure the ingress gateway with:

oc apply -f rules/gateway.yaml

Scenario #1. Mutual TLS

This scenario demonstrates a mutual transport level security between the services.

  1. Open the booster’s web page via Istio ingress route 
    echo "http://$(oc get route istio-ingressgateway -o jsonpath='{.spec.host}{"\n"}' -n istio-system)/"
  2. "Hello, World!" should be returned after invoking greeting service.
  3. Now modify greeting deployment to disable sidecar injection by replacing the 2 occurrences of sidecar.istio.io/inject values to false 
    oc edit deploymentconfigs/vertx-istio-security-greeting
    The pod is going to restart.
  4. Got back to the booster page, and without reloading, try to invoke the service. The invocation failed. The Greeting service invocation fails with a reset connection, because the greeting service has to be inside a service mesh in order to access the name service.
  5. Cleanup by setting sidecar.istio.io/inject values to true (the 2 occurrences) 
    oc edit deploymentconfigs/vertx-istio-security-greeting
    The pod is going to restart.

Scenario #2. Access control

This scenario demonstrates access control when using mutual TLS. In order to access a name service, calling service has to have a specific label and service account name.

  1. Open the booster’s web page via Istio ingress route 
    echo "http://$(oc get route istio-ingressgateway -o jsonpath='{.spec.host}{"\n"}' -n istio-system)/"
  2. "Hello, World!" should be returned after invoking greeting service.
  3. Configure Istio Mixer to block greeting service from accessing name service 
    oc apply -f rules/block-greeting-service.yaml
  4. Greeting service invocations to the name service will be forbidden.
  5. Configure Istio Mixer to only allow requests from greeting service and with sa-greeting service account to access name service 
    oc apply -f <(sed -e "s/TARGET_NAMESPACE/$(oc project -q)/g" rules/require-service-account-and-label.yaml)
  6. "Hello, World!" should be returned after invoking greeting service.
  7. Cleanup 
    oc delete -f rules/require-service-account-and-label.yaml

Undeploy the application

With Fabric8 Maven Plugin (FMP)

mvn fabric8:undeploy

Remove the namespace

This will delete the project from the OpenShift cluster

oc delete project <your project name>