@@ -74,20 +74,15 @@ Verify installation of SPIRE by checking if all pods are running and containers
7474
7575Use the command given below, and you will get the output as shown.
7676
77- ** ` kubectl get pods -n spire ` **
78-
7977``` shellsession
8078k8s-spiffe-integ-master-7j7fh-m67q9:~ kubectl get pods -n spire
8179NAME READY STATUS RESTARTS AGE
8280spire-agent-5tlck 3/3 Running 2 (31d ago) 31d
8381spire-agent-gnwbj 3/3 Running 1 (31d ago) 31d
8482spire-agent-mghnw 3/3 Running 2 (31d ago) 31d
8583spire-server-574474c7dc-42kln 2/2 Running 4 (4d1h ago) 31d
86-
8784```
8885
89-
90-
9186### Step 3: Install Istio
9287
93881 . #### Download the latest release:
@@ -162,11 +157,8 @@ istio-ingressgateway-6448bcfb6-d7gcw 1/1 Running 0 31d
162157istiod-d5bc8669c-jhstc 1/1 Running 0 31d
163158kiali-648847c8c4-h5nmh 1/1 Running 0 31d
164159prometheus-7b8b9dd44c-s76kc 2/2 Running 0 31d
165-
166160```
167161
168-
169-
170162#### Step 4: Deploying Sample Application
171163
172164Now that our SPIRE and Istio are integrated, the identities to workloads must be issued by SPIRE.
@@ -221,7 +213,6 @@ spec:
221213 - kubernetes
222214status :
223215 phase : Active
224-
225216` ` `
226217
227218**4.4** Create and apply a ClusterSPIFFEID CRD with namespace selector.
@@ -238,7 +229,6 @@ spec:
238229 namespaceSelector :
239230 matchLabels :
240231 spiffe.io/spire-managed-identity : " true"
241-
242232` ` `
243233
244234After editing your clusterSPIFFEID, apply it using kubectl.
@@ -252,7 +242,6 @@ kubectl apply -f <your_clusterSPIFFEID_name>
252242``` yaml
253243annotations :
254244 inject.istio.io/templates : " sidecar,spire"
255-
256245` ` `
257246
258247You can patch it to workload or just add this to your deployment manifest at **{spec:{template:{metadata:{ annotation:}}}}** as shown below.
@@ -308,7 +297,6 @@ replicaset.apps/ratings-v1-65cd6fbcd8 1 1 1 37d
308297replicaset.apps/reviews-v1-55f769fb78 1 1 1 37d
309298replicaset.apps/reviews-v2-6b7c798cc8 1 1 1 37d
310299replicaset.apps/reviews-v3-695c7f59db 1 1 1 37d
311-
312300```
313301
314302Once everything is up, all workloads would get registered under SPIRE server.
@@ -332,11 +320,8 @@ istioctl proxy-config secret <pod_name> -n <namespace_name> -o json | jq -r '.dy
332320``` shellsession
333321k8s-spiffe-integ-master-7j7fh-m67q9:~ openssl x509 -in chain.pem -text | grep SPIRE
334322 Subject: C = US, O = SPIRE, x500UniqueIdentifier = e2f9c35b9198e1824373e874b13287d0
335-
336323```
337324
338-
339-
340325You should also check the same for ingress-gateway pod in Istio-system namespace and verify that your deployed workloads and ingress-gateway has the same issuer.
341326
342327#### Step 5: Open the application outside traffic
@@ -355,22 +340,16 @@ kubectl apply -f samples/bookinfo/networking/bookinfo-gateway.yaml -n bookinfo
355340k8s-spiffe-integ-master-7j7fh-m67q9:~ # istioctl analyze -n bookinfo
356341
357342✔ No validation issues found when analyzing namespace: bookinfo.
358-
359343```
360344
361-
362-
363345** 5.3** Execute the following command to determine if your Kubernetes cluster is running in an environment that supports external load balancers:
364346
365347``` shellsession
366348k8s-spiffe-integ-master-7j7fh-m67q9:~ kubectl get svc istio-ingressgateway -n istio-system
367349NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE
368350istio-ingressgateway LoadBalancer 10.105.191.32 172.16.17.5 15021:30189/TCP,80:30392/TCP,443:30566/TCP 32d
369-
370351```
371352
372-
373-
374353If the EXTERNAL-IP value is set, your environment has an external load balancer; if not, then set the external load balancer first then follow further steps.
375354
376355For this cluster we are using metallb.
@@ -406,7 +385,6 @@ istio-ingressgateway LoadBalancer 10.105.191.32 172.16.17.5 15021:30189/
406385istiod ClusterIP 10.101.27.65 <none> 15010/TCP,15012/TCP,443/TCP,15014/TCP 32d
407386kiali LoadBalancer 10.103.14.197 172.16.17.6 20001:32116/TCP,9090:31950/TCP 32d
408387prometheus ClusterIP 10.98.101.102 <none> 9090/TCP 32d
409-
410388```
411389
412390![ ] ( /img/manual_proxy.png )
@@ -446,11 +424,8 @@ export GATEWAY_URL=$INGRESS_HOST:$INGRESS_PORT
446424``` shellsession
447425k8s-spiffe-integ-master-7j7fh-m67q9:~ echo "$GATEWAY_URL"
448426172.16.17.5:80
449-
450427```
451428
452-
453-
454429Curl into productpage using gateway URL using following command.
455430
456431``` shellsession
@@ -466,12 +441,8 @@ k8s-spiffe-integ-master-7j7fh-m67q9:~ curl -v http://$GATEWAY_URL/productpage
466441> Accept: * /*
467442> Proxy-Connection: Keep-Alive
468443>
469-
470-
471444```
472445
473-
474-
475446You can generate traffic on product page by just reaching out to shown http URL.
476447
477448** Note:** Before reaching out to this page and kiali in further step, ensure that you have followed step 5.5 properly.
0 commit comments