Set up Istio Certificate Authority (CA)
Version 2 of the guestbook application uses an external service (tone analyzer) which is not Istio-enabled. Thus, you will disable mTLS globally and enable it only for communication between internal cluster services in this lab.
kubectl get deployment -l istio=citadel -n istio-system
This is the expected output:
cat <<EOF | istioctl create -f -
apiVersion: authentication.istio.io/v1alpha1
kind: Policy
metadata:
  name: mtls-to-analyzer
  namespace: default
spec:
  targets:
  - name: analyzer
  peers:
  - mtls:
EOF
Created config policy/default/mtls-to-analyzer at revision 3934195
kubectl get policies.authentication.istio.io
cat <<EOF | istioctl create -f -
apiVersion: networking.istio.io/v1alpha3
kind: DestinationRule
metadata:
  name: route-with-mtls-for-analyzer
  namespace: default
spec:
  host: "analyzer.default.svc.cluster.local"
  trafficPolicy:
    tls:
      mode: ISTIO_MUTUAL
EOF
Created config destination-rule/default/route-with-mtls-for-analyzer at revision 3934279
However, I run into the following error when I try to run the 2nd command:
Error: unknown command "create" for "istioctl"
When I use "install" rather than create:
cat <<EOF | istioctl install -f -
apiVersion: authentication.istio.io/v1alpha1
kind: Policy
metadata:
  name: mtls-to-analyzer
  namespace: default
spec:
  targets:
  - name: Tone Analyzer-qy
  peers:
  - mtls:
EOF
I get the following error:
Error: failed to apply manifests: unknown field "peers" in v1alpha1.IstioOperatorSpec:
Could anyone provide some input on how I could modify the YAML so that the mTLS authentication service could be defined properly? I get the correct expected output on the first step, but I get the same "unknown field" error on the fourth step.
istioctl is mainly used to install and debug Istio.
To create Istio objects you should use kubectl.
I think what you wanted to use is kubectl instead of istioctl, like in the example below:
cat <<EOF | kubectl create -f -
apiVersion: networking.istio.io/v1alpha3
kind: DestinationRule
metadata:
  name: route-with-mtls-for-analyzer
  namespace: default
spec:
  host: "analyzer.default.svc.cluster.local"
  trafficPolicy:
    tls:
      mode: ISTIO_MUTUAL
EOF
Depending on the version of the Kubernetes cluster, kubectl create can be deprecated and kubectl apply should be used in its place. So the command would look like this:
cat <<EOF | kubectl apply -f -
apiVersion: networking.istio.io/v1alpha3
kind: DestinationRule
metadata:
  name: route-with-mtls-for-analyzer
  namespace: default
spec:
  host: "analyzer.default.svc.cluster.local"
  trafficPolicy:
    tls:
      mode: ISTIO_MUTUAL
EOF
For more information review kubernetes documentation.
Hope it helps.
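The following is an added example, not code from the question, the answer or the lab. It wraps the two objects the lab asks for (the authentication Policy that makes the analyzer require mTLS, and the DestinationRule that makes callers present a client certificate) in shell functions, validates the target service name, and applies both with kubectl apply rather than istioctl. The error message in the question already shows why: current istioctl has no create subcommand, and istioctl install parses its input as an IstioOperator, which is why a Policy field such as peers is reported as unknown. The name check is there because the second attempt in the question targets "Tone Analyzer-qy"; a Kubernetes Service name must be a DNS-1035 label (lowercase letters, digits and hyphens, starting with a letter), so the API server rejects that value regardless of which tool submits it. The apiVersion strings are the ones used on this page and assume an Istio release that still serves authentication.istio.io/v1alpha1; kubectl is assumed to be on PATH and pointed at the lab cluster.

```shell
#!/usr/bin/env sh
# Added example: generate and apply the lab's mTLS Policy and DestinationRule
# for one service with kubectl. Not part of the original question or answer.
# Assumes an Istio release that still serves authentication.istio.io/v1alpha1.

# A Service name must be a DNS-1035 label: lowercase letters, digits and '-',
# starting with a letter, at most 63 characters. "Tone Analyzer-qy" fails here.
valid_service_name() {
  printf '%s' "$1" | grep -Eq '^[a-z]([-a-z0-9]{0,61}[a-z0-9])?$'
}

# Print the server-side Policy: the target service only accepts mTLS.
# "mtls: {}" is the explicit form of the lab's bare "mtls:" (default mode STRICT).
mtls_policy() {
  svc=$1; ns=${2:-default}
  cat <<EOF
apiVersion: authentication.istio.io/v1alpha1
kind: Policy
metadata:
  name: mtls-to-${svc}
  namespace: ${ns}
spec:
  targets:
  - name: ${svc}
  peers:
  - mtls: {}
EOF
}

# Print the client-side DestinationRule. Without ISTIO_MUTUAL the calling
# sidecar sends plaintext and the STRICT policy above rejects every request.
mtls_destination_rule() {
  svc=$1; ns=${2:-default}
  cat <<EOF
apiVersion: networking.istio.io/v1alpha3
kind: DestinationRule
metadata:
  name: route-with-mtls-for-${svc}
  namespace: ${ns}
spec:
  host: "${svc}.${ns}.svc.cluster.local"
  trafficPolicy:
    tls:
      mode: ISTIO_MUTUAL
EOF
}

# Validate the name, then pipe both manifests into kubectl apply in one go.
# kubectl, not istioctl: istioctl has no "create", and "istioctl install"
# expects an IstioOperator, which is where the "unknown field peers" comes from.
apply_mtls_for() {
  svc=$1; ns=${2:-default}
  if ! valid_service_name "$svc"; then
    echo "invalid service name: '$svc' (must be a DNS-1035 label)" >&2
    return 1
  fi
  { mtls_policy "$svc" "$ns"; printf -- '---\n'; mtls_destination_rule "$svc" "$ns"; } \
    | kubectl apply -f -
}

# Usage against the lab cluster:
#   apply_mtls_for analyzer default
```

After applying, kubectl get policies.authentication.istio.io and kubectl get destinationrules should list both objects; if calls to the analyzer start failing with connection resets, the usual cause is a caller without the DestinationRule (or without a sidecar at all), since the Policy alone only tightens the server side.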