Cloud native application comprehensive exercise
2022-07-29 01:29:00 【taoli-qiao】
The previous posts introduced each module on its own; this post is a comprehensive exercise built around the bookinfo sample application from the Istio website. The bookinfo architecture is shown below. The services use different technology stacks, but because each one is deployed as an image, the deployment differences between stacks are hidden.

productpage calls the details and reviews microservices to render the front-end page.
details holds information about the book.
reviews holds the reviews of the book and calls the ratings microservice.
ratings holds the rating information attached to the book reviews.
reviews has 3 versions, which can be used to show the call chain between services:
v1 does not call the ratings service.
v2 calls the ratings service and shows the rating as 1 to 5 black icons.
v3 calls the ratings service and shows the rating as 1 to 5 red icons.
The comprehensive exercise covers 9 small cases, listed below:
One: Start with the first task: publish the bookInfo application on the Istio Ingress gateway.
1.1: Install Istio with the following commands.
curl -L https://istio.io/downloadIstio | sh -
cd istio-1.xx.0
cp bin/istioctl /usr/local/bin
istioctl install --set profile=demo -y
1.2: Copy the BookInfo application and gateway configuration from the Istio website and deploy them to the cluster. The yaml files are at the following paths:
samples/bookinfo/platform/kube/bookinfo.yaml
samples/bookinfo/networking/bookinfo-gateway.yaml
The configuration of bookinfo-gateway.yaml is as follows; you can see that the VirtualService routes traffic to the backend productpage application.

1.3: Check the svc port information of the Istio Ingress gateway.

1.4: Access productpage in the bookinfo application through the node IP address plus the svc port. The result is as follows, which shows that the application has been published to the gateway successfully.

Two: The second task adds security: change the access mode from http to https.
2.1: Generate an x509 certificate and store it in a secret object. Because the application is accessed through the node IP, the certificate is generated with O=cncamp Inc. and CN=<node IP>.
openssl req -x509 -sha256 -nodes -days 365 -newkey rsa:2048 -subj '/O=cncamp Inc./CN=<node IP>' -keyout bookinfo.key -out bookinfo.crt
kubectl create -n istio-system secret tls bookinfo-credential --key=bookinfo.key --cert=bookinfo.crt
2.2: Configure the new Gateway, with the https credentials configured inside the Gateway.
apiVersion: networking.istio.io/v1beta1
kind: Gateway
metadata:
  name: bookinfo-gateway
spec:
  selector:
    istio: ingressgateway
  servers:
  - hosts:
    - '*'
    port:
      name: https-bookinfo
      number: 443
      protocol: HTTPS
    tls:
      mode: SIMPLE
      credentialName: bookinfo-credential
2.3: Access the application over https in Safari; after trusting the site, the visit succeeds. The result is as follows (note: the visit fails in Chrome because the certificate is self-signed). Because this is https, the address is the node IP plus port 31287.

Three: The third task turns on mTLS.
3.1: Access the app through the productpage SVC address; the visit succeeds.


3.2: Create a PeerAuthentication object in the istio-system root namespace.
(kubectl apply -f mtls.yaml -n istio-system)
apiVersion: security.istio.io/v1beta1
kind: PeerAuthentication
metadata:
  name: "default"
spec:
  mtls:
    mode: STRICT
3.3: Access the application through the SVC address again; the visit now fails and the request is reset by the peer.

Accessing the application through https in the browser still succeeds.

You can see that once full-link mTLS is enabled, direct access to a backend application from outside Istio's control no longer succeeds, but browser access still does, because the browser sends the request to the Istio Ingress Gateway, and the Gateway then forwards it to the backend service. From the browser to the Ingress Gateway the connection is one-way TLS; from the Gateway to the backend service it is mTLS, which makes access more secure.
Four: The fourth task authenticates and authorizes the application, so that only allowed clients can access it.
4.1: Create a RequestAuthentication and an AuthorizationPolicy. The RequestAuthentication requires the token to be verified when the details service is accessed; the AuthorizationPolicy requires clients that access the service to carry a token issued by "[email protected]/[email protected]" before access is allowed.
apiVersion: security.istio.io/v1beta1
kind: RequestAuthentication
metadata:
  name: "details"
spec:
  selector:
    matchLabels:
      app: details
  jwtRules:
  - issuer: "[email protected]"
    jwksUri: "https://raw.githubusercontent.com/istio/istio/release-1.12/security/tools/jwt/samples/jwks.json"
---
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: require-jwt
spec:
  selector:
    matchLabels:
      app: details
  action: ALLOW
  rules:
  - from:
    - source:
        requestPrincipals: ["[email protected]/[email protected]"]
4.2: Look at the ProductPage service; this service accesses the Details service.

4.3: After creating the authentication and authorization objects above, visit the productpage service again; you can see that the details service is no longer accessible, because productpage does not carry a token when it calls the details service.

4.4: To access the details service again, the productpage service would need a code change so that it calls details with a valid token. From this example you can see that once authentication and authorization are configured, access between microservices requires a valid token, and when a client obtains a token it can be authenticated and authorized. This makes access between microservices more secure.
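As an added illustration of the decision in 4.1 to 4.4 (example code, not from this post or from Istio), the Python model below derives the request principal the way Istio does, as iss/sub from the JWT claims, and applies the ALLOW rule; the issuer and principal values are constructed placeholders, and signature verification against the jwksUri is left out.

```python
import base64
import json

# Constructed placeholder values (not the values on the page): the issuer the
# RequestAuthentication trusts, and the principal the AuthorizationPolicy allows.
TRUSTED_ISSUERS = ["issuer@example.invalid"]
ALLOWED_PRINCIPALS = ["issuer@example.invalid/user@example.invalid"]


def jwt_claims(token):
    """Decode the payload of a compact JWT (header.payload.signature).

    Signature checking against the jwksUri is deliberately omitted here; the
    Istio sidecar does that before any claim is trusted.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT")
    seg = parts[1] + "=" * (-len(parts[1]) % 4)  # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(seg))


def authorize(token, trusted_issuers=TRUSTED_ISSUERS, allowed=ALLOWED_PRINCIPALS):
    """Return the HTTP status the details workload would answer with."""
    if token is None:
        # No token at all: RequestAuthentication lets the request through,
        # but without an authenticated principal (productpage's case in 4.3).
        principal = None
    else:
        claims = jwt_claims(token)
        if claims.get("iss") not in trusted_issuers:
            return 401  # RequestAuthentication rejects tokens from unknown issuers
        principal = f"{claims['iss']}/{claims.get('sub', '')}"  # Istio's requestPrincipal
    # An ALLOW policy admits a request only when some rule matches; a request
    # with no principal, or with a principal not in the list, is denied.
    return 200 if principal in allowed else 403


def sample_token(claims):
    """Build a constructed JWT with a dummy signature, only for the sample runs."""
    def seg(obj):
        raw = json.dumps(obj, separators=(",", ":")).encode()
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    return f"{seg({'alg': 'RS256', 'typ': 'JWT'})}.{seg(claims)}.dummysig"


if __name__ == "__main__":
    print(authorize(None))
    print(authorize(sample_token({"iss": TRUSTED_ISSUERS[0], "sub": "user@example.invalid"})))
```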
Five: Next, how to redirect http access to https automatically, for a better user experience.
5.1: Configure the Gateway with an https redirect so the redirection happens automatically.
apiVersion: networking.istio.io/v1beta1
kind: Gateway
metadata:
  name: bookinfo-gateway
spec:
  selector:
    istio: ingressgateway
  servers:
  - hosts:
    - '*'
    port:
      name: https-bookinfo
      number: 443
      protocol: HTTPS
    tls:
      mode: SIMPLE
      credentialName: bookinfo-credential
  - hosts:
    - '*'
    port:
      name: http-bookinfo
      number: 80
      protocol: HTTP
    tls:
      httpsRedirect: true
5.2: Inside the cluster, access productpage through the IP address of the ingress gateway svc using http. http maps to port 80, and you can see that it automatically redirects to port 443, that is, to https.
That concludes the first five scenarios; the remaining 4 scenarios will be covered in the next post.