managed asm

Author: Mathieu Benoit

content/deploy-workloads/ingress-gateway.md

@@ -7,7 +7,6 @@ In this section, you will deploy the Ingress Gateway in its own namespace as you
 Init variables:
 ```Bash
 export INGRESS_GATEWAY_NAMESPACE=asm-ingress
-export ASM_VERSION=$(kubectl get deploy -n istio-system -l app=istiod -o jsonpath={.items[*].metadata.labels.'istio\.io\/rev'}'{"\n"}')
 export INGRESS_GATEWAY_NAME=asm-ingressgateway
 export INGRESS_GATEWAY_LABEL="asm: ingressgateway"
 ```
@@ -19,6 +18,8 @@ apiVersion: v1
 kind: Namespace
 metadata:
   name: ${INGRESS_GATEWAY_NAMESPACE}
+  annotations:
+    mesh.cloud.google.com/proxy: '{"managed": true}'
   labels:
     name: ${INGRESS_GATEWAY_NAMESPACE}
     istio.io/rev: ${ASM_VERSION}

content/deploy-workloads/onlineboutique.md

@@ -6,7 +6,14 @@ In this section, you will deploy the [OnlineBoutique](https://github.com/GoogleC
 
 ```Bash
 export ONLINEBOUTIQUE_NAMESPACE=onlineboutique
-kubectl create namespace $ONLINEBOUTIQUE_NAMESPACE
+cat <<EOF | kubectl apply -n $ONLINEBOUTIQUE_NAMESPACE -f -
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: ${ONLINEBOUTIQUE_NAMESPACE}
+  labels:
+    name: ${ONLINEBOUTIQUE_NAMESPACE}
+EOF
 curl -LO https://raw.githubusercontent.com/GoogleCloudPlatform/microservices-demo/master/release/kubernetes-manifests.yaml > ~/$WORKING_DIRECTORY/onlineboutique.yaml
 kubectl apply -f ~/$WORKING_DIRECTORY/onlineboutique.yaml -n $ONLINEBOUTIQUE_NAMESPACE
 ```

content/enable-asm/onlineboutique.md

@@ -6,8 +6,17 @@ In this section, you will enable ASM for OnlineBoutique.
 
 Inject the Istio/ASM proxy within the OnlineBoutique namespace:
 ```Bash
-ASM_VERSION=$(kubectl get deploy -n istio-system -l app=istiod -o jsonpath={.items[*].metadata.labels.'istio\.io\/rev'}'{"\n"}')
-kubectl label namespace $ONLINEBOUTIQUE_NAMESPACE istio-injection- istio.io/rev=$ASM_VERSION --overwrite
+cat <<EOF | kubectl apply -n $ONLINEBOUTIQUE_NAMESPACE -f -
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: ${ONLINEBOUTIQUE_NAMESPACE}
+  annotations:
+    mesh.cloud.google.com/proxy: '{"managed": true}'
+  labels:
+    name: ${ONLINEBOUTIQUE_NAMESPACE}
+    istio.io/rev: ${ASM_VERSION}
+EOF
 kubectl rollout restart deployments -n $ONLINEBOUTIQUE_NAMESPACE
 ```
 

content/install-asm/install-asm.md

@@ -9,49 +9,57 @@ curl https://storage.googleapis.com/csm-artifacts/asm/asmcli_1.12 > ~/asmcli
 chmod +x ~/asmcli
 ```
 
+Enable Managed ASM on your current project:
+```Bash
+gcloud container hub mesh enable
+```
+
 Run the `asmcli install` command:
 ```Bash
-cat <<EOF > distroless-proxy.yaml
----
-apiVersion: install.istio.io/v1alpha1
-kind: IstioOperator
-spec:
-  meshConfig:
-    defaultConfig:
-      image:
-        imageType: distroless
-EOF
+ASM_CHANNEL=rapid
+ASM_LABEL=asm-managed
+export ASM_VERSION=$ASM_LABEL-$ASM_CHANNEL
 ~/asmcli install \
   --project_id $PROJECT_ID \
   --cluster_name $GKE_NAME \
   --cluster_location $ZONE \
   --enable-all \
-  --option cloud-tracing \
-  --option cni-gcp \
-  --custom_overlay distroless-proxy.yaml
+  --managed \
+  --channel $ASM_CHANNEL \
+  --use_managed_cni
 ```
 
-Ensure that all deployments are up and running:
+Apply the following Mesh configs (`distroless` container image for the proxy and Cloud Tracing):
 ```Bash
-kubectl wait --for=condition=available --timeout=600s deployment --all -n istio-system
-kubectl wait --for=condition=available --timeout=600s deployment --all -n asm-system
+cat <<EOF | kubectl apply -n istio-system -f -
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: istio-system
+---
+apiVersion: v1
+data:
+  mesh: |-
+    defaultConfig:
+      image:
+        imageType: distroless
+      tracing:
+        stackdriver:{}
+kind: ConfigMap
+metadata:
+  name: istio-${ASM_VERSION}
+EOF
 ```
 
-_Not part of the workshop, but here below is the routine when you will need to run to [upgrade to a newer version of ASM](https://cloud.google.com/service-mesh/docs/unified-install/plan-upgrade):_
+Ensure that all deployments are up and running:
 ```Bash
-# Grab the current ASM version before upgrading to the new version
-OLD_ASM_VERSION=$(kubectl get deploy -n istio-system -l app=istiod -o jsonpath={.items[*].metadata.labels.'istio\.io\/rev'}'{"\n"}')
-# Doownload the new version of the `asmcli` tool
-curl https://storage.googleapis.com/csm-artifacts/asm/asmcli_1.12 > ~/asmcli
-chmod +x ~/asmcli
-# Run the same `asmcli install` command we ran for the installation
-~/asmcli install...
-# Update the asm/istio labels of your namespaces
-kubectl rollout restart deployments -n FIXME
-# Once you have verified that your workloads and ASM is working properly, you could complete the upgrade of ASM by removing the the components of the old version
-kubectl delete Service,Deployment,HorizontalPodAutoscaler,PodDisruptionBudget istiod-$OLD_ASM_VERSION -n istio-system --ignore-not-found=true
-kubectl delete IstioOperator installed-state-$OLD_ASM_VERSION -n istio-system
+kubectl get controlplanerevision -n istio-system
+kubectl get dataplanecontrols
+kubectl get daemonset istio-cni-node -n kube-system
+kubectl wait --for=condition=available --timeout=600s deployment --all -n asm-system
 ```
 
 Resources:
-- [Install ASM](https://cloud.google.com/service-mesh/docs/unified-install/install)
+- [ASM Release Notes](https://cloud.google.com/service-mesh/docs/release-notes)
+- [Configure Managed Anthos Service Mesh](https://cloud.google.com/service-mesh/docs/managed/service-mesh)
+- [Managed ASM Release Channel](https://cloud.google.com/service-mesh/docs/managed/release-channels)

content/overview/before-you-begin.md

@@ -14,8 +14,8 @@ cd $WORKING_DIRECTORY
 ```
 
 Install the required tools:
-- `gcloud`
-- `kubectl`
+- [`gcloud`](https://cloud.google.com/sdk/docs/install)
+- [`kubectl`](https://kubernetes.io/docs/tasks/tools/#kubectl)
 - `istioctl`
 - `curl`
 

content/overview/objectives.md

@@ -9,7 +9,7 @@ This workshop is not an introduction to Istio nor Anthos Service Mesh (ASM), if
 
 Agenda:
 - Create a GKE cluster
-- Install a secure ASM (Istio CNI, `distroless` proxy container image)
+- Install a secure Managed ASM (Managed Control Plane, Managed Data Plane, Istio CNI and `distroless` proxy container image)
 - Deploy workloads (OnlineBoutique)
 - Enable ASM for workloads (sidecar proxy injection)
 - Configure mTLS STRICT

content/secure-ingress/asm-ingress.md

@@ -88,4 +88,8 @@ spec:
 EOF
 ```
 
+```Bash
+kubectl get managedcertificate ${INGRESS_GATEWAY_NAME} -ojsonpath='{.status.certificateStatus}' -n $INGRESS_GATEWAY_NAMESPACE
+```
+
 FIXME - add a section with unprivileged deployment too + Rk about PSC/Internal LB.

content/secure-ingress/cloud-armor.md

@@ -25,4 +25,7 @@ export SSL_POLICY_NAME=$SECURITY_POLICY_NAME
 gcloud compute ssl-policies create $SSL_POLICY_NAME \
     --profile COMPATIBLE  \
     --min-tls-version 1.0
-```
+```
+
+Resources:
+- [Google Cloud Armor WAF rule to help mitigate Apache Log4j vulnerability](https://cloud.google.com/blog/products/identity-security/cloud-armor-waf-rule-to-help-address-apache-log4j-vulnerability)