Showcase Istio TLS and ACL via a set of Spring Boot applications.

1. Openshift 3.10 cluster

2. Istio 1.0.x installed on the aforementioned cluster using the Istio Operator.

   1. Follow these instructions for more information about the Operator

3. Login to the cluster with the admin user

Create a new project/namespace on the cluster. This is where your application will be deployed.

With Fabric8 Maven Plugin (FMP)

mvn clean fabric8:deploy -Popenshift

With Source to Image build (S2I)

find . | grep openshiftio | grep application | xargs -n 1 oc apply -f

oc new-app --template=spring-boot-istio-security-name -p SOURCE_REPOSITORY_URL=https://github.com/snowdrop/spring-boot-istio-security-booster -p SOURCE_REPOSITORY_REF=master -p SOURCE_REPOSITORY_DIR=spring-boot-istio-security-name
oc new-app --template=spring-boot-istio-security-greeting -p SOURCE_REPOSITORY_URL=https://github.com/snowdrop/spring-boot-istio-security-booster -p SOURCE_REPOSITORY_REF=master -p SOURCE_REPOSITORY_DIR=spring-boot-istio-security-greeting

This application uses v1alpha3 routing API. Execute the following command to configure gateway and virtual service:

This scenario demonstrates a mutual transport level security between the services.

1. Open the booster’s web page via Istio gateway route

   echo http://$(oc get route istio-ingressgateway -o jsonpath='{.spec.host}{"\n"}' -n istio-system)/

2. "Hello, World!" should be returned after invoking greeting service.

3. Now modify greeting deployment to disable sidecar injection by replacing both sidecar.istio.io/inject values to false

   oc edit deploymentconfigs/spring-boot-istio-security-greeting

4. Open the booster’s web page via greeting service’s route

   echo http://$(oc get route spring-boot-istio-security-greeting -o jsonpath='{.spec.host}{"\n"}' -n $(oc project -q))/

5. Greeting service invocation will fail with a reset connection, because the greeting service has to be inside a service mesh in order to access the name service.

6. Cleanup by setting sidecar.istio.io/inject values to true

   oc edit deploymentconfigs/spring-boot-istio-security-greeting

This scenario demonstrates access control when using mutual TLS. In order to access a name service, calling service has to have a specific label and service account name.

1. Open the booster’s web page via Istio gateway route

   echo http://$(oc get route istio-ingressgateway -o jsonpath='{.spec.host}{"\n"}' -n istio-system)/

2. "Hello, World!" should be returned after invoking greeting service.

3. Configure Istio Mixer to block greeting service from accessing name service

   oc apply -f rules/block-greeting-service.yml

4. Greeting service invocations to the name service will be forbidden.

5. Configure Istio Mixer to only allow requests from greeting service and with sa-greeting service account to access name service

   oc apply -f <(sed -e "s/TARGET_NAMESPACE/$(oc project -q)/g" rules/require-service-account-and-label.yml)

6. "Hello, World!" should be returned after invoking greeting service.

7. Cleanup

   oc delete -f rules/require-service-account-and-label.yml

With Fabric8 Maven Plugin (FMP)

mvn fabric8:undeploy

With Source to Image build (S2I)

oc delete all --all
find . | grep openshiftio | grep application | xargs -n 1 oc delete -f

Remove the namespace

oc delete project <your project name>

To run integration tests, create a new namespace and run maven job