From 1651e9fdc4f51cc14f5ff9f925ed1e7cfdb2521c Mon Sep 17 00:00:00 2001 From: Rowena Date: Tue, 18 Feb 2025 17:33:20 +0100 Subject: [PATCH 1/3] feat(tutorial): add tuto for istio and k8s --- .../index.mdx | 169 ++++++++++++++++++ .../proxy-protocol-v2-load-balancer/index.mdx | 4 + 2 files changed, 173 insertions(+) create mode 100644 tutorials/deploy-istio-kapsule-proxy-protocol/index.mdx diff --git a/tutorials/deploy-istio-kapsule-proxy-protocol/index.mdx b/tutorials/deploy-istio-kapsule-proxy-protocol/index.mdx new file mode 100644 index 0000000000..06f93e6320 --- /dev/null +++ b/tutorials/deploy-istio-kapsule-proxy-protocol/index.mdx 
@@ -0,0 +1,169 @@ +--- +meta: + title: Deploying Istio on a Kubernetes Kapsule with ProxyProtocol v2 support + description: Learn how to deploy Istio on a Kubernetes Kapsule cluster with Proxy Protocol v2 support. Follow our step-by-step tutorial to set up a secure and scalable service mesh infrastructure. +content: + h1: Deploying Istio on a Kubernetes Kapsule with ProxyProtocol v2 support + paragraph: Learn how to deploy Istio on a Kubernetes Kapsule cluster with Proxy Protocol v2 support. Follow our step-by-step tutorial to set up a secure and scalable service mesh infrastructure. +categories: + - kubernetes + - load-balancer +tags: kubernetes load-balancer proxy-protocol istio +dates: + validation: 2025-02-18 + posted: 2025-02-18 +--- + +Istio is an open source service mesh that lets you run distributed, microservices-based apps anywhere. It helps you manage and connect the different microservices in your Scaleway Kubernetes cluster, making it easier to build and maintain complex applications. + +This tutorial describes the steps required to deploy Istio on a Scaleway Kubernetes Kapsule cluster, and configure it to support [Proxy Protocol v2](/load-balancer/concepts/#proxy-protocol). This enables connection information from a client (e.g. their IP address) to be passed through the cluster's Load Balancer onto the target pod or service, via the Istio service mesh. + + + +- A Scaleway account logged into the [console](https://console.scaleway.com) +- [Owner](/iam/concepts/#owner) status or [IAM permissions](/iam/concepts/#permission) allowing you to perform actions in the intended Organization +- A [Kubernetes Kapsule cluster](/kubernetes/how-to/create-cluster/) with a Scaleway [Load Balancer service](/kubernetes/reference-content/kubernetes-load-balancer/) +- Set up [kubetcl](/kubernetes/how-to/connect-cluster-kubectl/) and [Helm](/tutorials/kubernetes-package-management-helm/) + +## Install Istio with Helm + +1. 
Add the Istio Helm repository: + + ``` + helm repo add istio https://istio-release.storage.googleapis.com/charts + helm repo update + ``` + +2. Install the Istio control plane: + + ``` + helm install istiod istio/istiod -n istio-system --create-namespace + ``` + +3. Install the Istio ingress Gateway: + + ``` + helm install istio-ingressgateway istio/gateway -n istio-system + ``` + +## Verify the ingress Gateway Service + +An ingress Gateway service acts as an exntry point for external traffic into the cluster. It is exposed via a Kubernetes LoadBalancer Service, which in our case uses a Scaleway Load Balancer. The Load Balancer forwards external traffic to the ingress Gateway Pod. + +1. Run the following command to retrieve the service configuration + + ``` + kubectl get svc istio-ingressgateway -n istio-system -o yaml + ``` + +2. Verify that the service is of type `LoadBalancer`, and that a Scaleway Load Balancer is associated with it. + +## Add annotations for Proxy Protocol + +Add the necessary annotations for Proxy Protocol: + + ``` + kubectl annotate -n istio-system svc istio-ingressgateway "service.beta.kubernetes.io/scw-load-balancer-proxy-protocol-v2=false" --overwrite + kubectl patch svc istio-ingressgateway -n istio-system -p '{"spec": {"externalTrafficPolicy": "Local"}}' + ``` + +## Configure Envoy to support Proxy Protocol + +Envoy is a proxy server used by Istio to manage and control the flow of traffic between services in the Kubernetes cluster. It is responsible for routing the traffic between services. + +1. 
Create an EnvoyFilter to enable Proxy Protocol support: + + ```yaml + apiVersion: networking.istio.io/v1alpha3 + kind: EnvoyFilter + metadata: + name: proxy-protocol + namespace: istio-system + spec: + workloadSelector: + labels: + istio: ingressgateway + configPatches: + - applyTo: LISTENER + patch: + operation: MERGE + value: + listener_filters: + - name: envoy.filters.listener.proxy_protocol + - name: envoy.filters.listener.tls_inspector + ``` + +2. Apply the configuration: + + ``` + kubectl apply -f proxy-protocol.yaml + ``` + +## Enable X-Forwarded-For + +1. Create a file named `ingressgateway-settings.yaml` with the following content: + + ```yaml + apiVersion: networking.istio.io/v1alpha3 + kind: EnvoyFilter + metadata: + name: ingressgateway-settings + namespace: istio-system + spec: + configPatches: + - applyTo: NETWORK_FILTER + match: + listener: + filterChain: + filter: + name: envoy.http_connection_manager + patch: + operation: MERGE + value: + name: envoy.http_connection_manager + typed_config: + "@type": "type.googleapis.com/envoy.config.filter.network.http_connection_manager.v2.HttpConnectionManager" + skip_xff_append: false + use_remote_address: true + xff_num_trusted_hops: 1 + ``` + +2. Apply the configuration: + + ``` + kubectl apply -f ingressgateway-settings.yaml + ``` + +3. Update the ingress Gateway service to use the new configuration: + + ``` + kubectl annotate -n istio-system svc istio-ingressgateway "service.beta.kubernetes.io/scw-load-balancer-proxy-protocol-v2=false" --overwrite + kubectl patch svc istio-ingressgateway -n istio-system -p '{"spec": {"externalTrafficPolicy": "Local"}}' + ``` + +## Restart the Istio ingress Gateway pod + +Restart the pod to apply the changes: + + ``` + kubectl delete pod -l istio=ingressgateway -n istio-system + ``` + +## Verify the configuration + +1. Retrieve the public IP address of the Load Balancer: + + ``` + kubectl get svc istio-ingressgateway -n istio-system + ``` + +2. 
Test access using curl: + ``` + curl -v http:///get + ``` + + If the configuration is correct, the response should include the `X-Forwarded-For` and `X-Envoy-External-Address` headers. + + +For further support with Istio, read their [dedicated documentation](https://istio.io/latest/docs/). + \ No newline at end of file diff --git a/tutorials/proxy-protocol-v2-load-balancer/index.mdx b/tutorials/proxy-protocol-v2-load-balancer/index.mdx index 1af1f9c734..4014f661ef 100644 --- a/tutorials/proxy-protocol-v2-load-balancer/index.mdx +++ b/tutorials/proxy-protocol-v2-load-balancer/index.mdx @@ -18,6 +18,10 @@ dates: This tutorial shows you how and why to enable Proxy Protocol on your Scaleway Load Balancer, and how to configure your backend server application to correctly handle the protocol. + +If you are looking to deploy Istio on a Scaleway Kubernetes Kapsule, with a Load Balancer configured for Proxy Protocol v2, see our [dedicated tutorial](/tutorials/deploy-istio-kapsule-proxy-protocol/) + + - A Scaleway account logged into the [console](https://console.scaleway.com) From c020f546f5ffd8ba17688f262ccd489ad7e950a4 Mon Sep 17 00:00:00 2001 From: Rowena Date: Tue, 18 Feb 2025 17:35:33 +0100 Subject: [PATCH 2/3] fix(tuto): improve wording --- tutorials/proxy-protocol-v2-load-balancer/index.mdx | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tutorials/proxy-protocol-v2-load-balancer/index.mdx b/tutorials/proxy-protocol-v2-load-balancer/index.mdx index 4014f661ef..43152ca0aa 100644 --- a/tutorials/proxy-protocol-v2-load-balancer/index.mdx +++ b/tutorials/proxy-protocol-v2-load-balancer/index.mdx 
@@ -19,7 +19,7 @@ dates: This tutorial shows you how and why to enable Proxy Protocol on your Scaleway Load Balancer, and how to configure your backend server application to correctly handle the protocol. -If you are looking to deploy Istio on a Scaleway Kubernetes Kapsule, with a Load Balancer configured for Proxy Protocol v2, see our [dedicated tutorial](/tutorials/deploy-istio-kapsule-proxy-protocol/) +If you are looking to configure Proxy Protocol via Istio on a Scaleway Kubernetes Kapsule, see our [dedicated tutorial](/tutorials/deploy-istio-kapsule-proxy-protocol/) From 38544ef8f4efc322630319f8650536af1605e929 Mon Sep 17 00:00:00 2001 From: Rowena Jones <36301604+RoRoJ@users.noreply.github.com> Date: Wed, 19 Feb 2025 09:19:43 +0100 Subject: [PATCH 3/3] Apply suggestions from code review Co-authored-by: Benedikt Rollik --- tutorials/deploy-istio-kapsule-proxy-protocol/index.mdx | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/tutorials/deploy-istio-kapsule-proxy-protocol/index.mdx b/tutorials/deploy-istio-kapsule-proxy-protocol/index.mdx index 06f93e6320..2ebadd064b 100644 --- a/tutorials/deploy-istio-kapsule-proxy-protocol/index.mdx +++ b/tutorials/deploy-istio-kapsule-proxy-protocol/index.mdx @@ -48,7 +48,7 @@ This tutorial describes the steps required to deploy Istio on a Scaleway Kuberne ## Verify the ingress Gateway Service -An ingress Gateway service acts as an exntry point for external traffic into the cluster. It is exposed via a Kubernetes LoadBalancer Service, which in our case uses a Scaleway Load Balancer. The Load Balancer forwards external traffic to the ingress Gateway Pod. +An ingress gateway service acts as an entry point for external traffic into the cluster. It is exposed via a Kubernetes LoadBalancer Service, which, in our case, uses a Scaleway Load Balancer. The Load Balancer forwards external traffic to the ingress Gateway Pod. 1. Run the following command to retrieve the service configuration 
@@ -141,7 +141,7 @@ Envoy is a proxy server used by Istio to manage and control the flow of traffic kubectl patch svc istio-ingressgateway -n istio-system -p '{"spec": {"externalTrafficPolicy": "Local"}}' ``` -## Restart the Istio ingress Gateway pod +## Restart the Istio ingress gateway pod Restart the pod to apply the changes:
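Review bot: the annotation in the new tutorial's "Add annotations for Proxy Protocol" section sets `service.beta.kubernetes.io/scw-load-balancer-proxy-protocol-v2=false`, which turns Proxy Protocol v2 off on the Scaleway Load Balancer, while the `proxy-protocol` EnvoyFilter two sections later adds `envoy.filters.listener.proxy_protocol`, which requires every inbound connection to begin with a PROXY header and closes connections that lack one. As written the Load Balancer sends plain TCP and the gateway rejects it; the value must be `true`, and the key is worth checking against the Scaleway Load Balancer annotation reference (I believe it is `scw-loadbalancer-proxy-protocol-v2`, without the hyphen in "loadbalancer"; the cloud controller manager silently ignores an unknown key rather than reporting it). Further points in the same hunk: (1) "Install Istio with Helm" goes straight to `helm install istiod istio/istiod`, but the `istiod` chart does not ship the Istio CRDs, so `helm install istio-base istio/base -n istio-system --create-namespace` has to come first or the later `kubectl apply` of the `EnvoyFilter` resources fails with an unknown kind. (2) `xff_num_trusted_hops: 1` in `ingressgateway-settings.yaml` lets a client spoof its address: with Proxy Protocol the Load Balancer hands over the client IP at L4 and adds no `X-Forwarded-For` entry, so the peer Envoy sees is already the client, and with `use_remote_address: true` plus one trusted hop Envoy takes the client address from the last entry of the request's own `X-Forwarded-For` header and reports it in `X-Envoy-External-Address`. Use `0` (the default, so the line can simply be dropped) and reserve `1` for a Load Balancer that terminates HTTP and appends its own entry. (3) The same filter uses the removed Envoy v2 API (`envoy.http_connection_manager` and `...http_connection_manager.v2.HttpConnectionManager`); current Istio needs `envoy.filters.network.http_connection_manager` with `type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager`, and a `workloadSelector` for `istio: ingressgateway` like the first filter so it does not patch every workload in `istio-system`. (4) Step 3 of "Enable X-Forwarded-For" repeats the `kubectl annotate` and `kubectl patch` commands verbatim from "Add annotations for Proxy Protocol" and applies nothing new; drop it. (5) `curl -v http:///get` has an empty host, presumably an `<ip>` placeholder swallowed by MDX; escape it in inline code as `<load-balancer-ip>`. The tutorial also deploys no backend, `Gateway` or `VirtualService`, so the request gets a 404 from the gateway, and `X-Forwarded-For` and `X-Envoy-External-Address` are request headers forwarded upstream, not response headers that `curl -v` prints: deploy something like httpbin behind a `Gateway`/`VirtualService` and read the headers from the `/get` JSON body. (6) Typo in the prerequisites: "kubetcl".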
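Review bot: the reworded cross-link sentence in `proxy-protocol-v2-load-balancer/index.mdx` ("If you are looking to configure Proxy Protocol via Istio on a Scaleway Kubernetes Kapsule, see our [dedicated tutorial](...)") still ends without a full stop after the link, as did the version it replaces; add the period so the sentence matches the paragraph above it.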
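Review bot: the `@@ -48,7 +48,7 @@` hunk lowercases "ingress gateway service" at the start of the sentence but leaves "ingress Gateway Pod" capitalised at the end of the same line, and the heading two lines above it, `## Verify the ingress Gateway Service`, keeps the capital G; apply one casing to all three, otherwise the line reads as if "gateway" and "Gateway" were different things.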
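Review bot: lowering the case in `## Restart the Istio ingress gateway pod` leaves the other headings and steps in the same file (`## Verify the ingress Gateway Service`, `3. Install the Istio ingress Gateway:`) with the capitalised form; pick one spelling for "ingress gateway" and apply it throughout in this commit, so the review fix does not introduce a new inconsistency.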