Create a new Kubernetes cluster
Let's create a new Kubernetes cluster. You can use KinD or k3d.
Step 1. Create the cluster
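# k3d alternative (adjust the host path of the config volume to your own checkout).
# Note: '//' is not a comment marker in shell — the original line would have been
# executed as a command named '//k3d' and failed; '#' disables it properly.
#k3d cluster create demo-cluster-1 --volume /Users/carl.bourne/development/Istio-firefly/config:/config
# KinD cluster used for the rest of the demo.
kind create cluster --name demo-cluster-2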
Step 2. Get cluster information
Step 1. Create a cluster
1. Create the cluster
We'll use KinD to create a quick cluster for our demo.
2. Get cluster information
3. Get cluster contexts
Step 2. Install cert-manager
1. Install cert-manager
Step 3. Create a new namespace
1. Create a new Venafi namespace
Step 4. Store the trust chain/bundle
1. Store the trust chain/bundle for either the TLSPC built-in CA or ZTPKI as a generic secret
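# Store the certificate chain in K8s secrets
# Remember to use either the ztpki_certificate_chain.cer for ZTPKI or the built-in_certificate_chain.cer cert chains depending on the Firefly configuration.
# The chain file can be overridden with CHAIN_FILE=...; the default is the ZTPKI chain used here.
# Only the public chain goes into this secret — no private key material.
chain_file=${CHAIN_FILE:-../crypto/ztpki_certificate_chain.cer}
# Stop with a clear message rather than letting kubectl report a missing --from-file source.
[[ -f "$chain_file" ]] || { printf 'certificate chain file not found: %s\n' "$chain_file" >&2; exit 1; }
kubectl create secret generic -n cert-manager root-cert --from-file="root-cert.pem=${chain_file}"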
Step 5. Store the trust chain/bundle
#### Step 6. Store the private key for the TLSPC service account as a generic secret
Step 5. Install Firefly
Step 1. Install Firefly using the Helm chart
Step 6. Test Firefly
1. Test Firefly
Step 7. Install Istio-CSR
1. Create a new namespace for Istio
2. Install Istio-CSR using Helm
Step 7. Install Istio
1. Install Istio
#### 1. Enable istio side-car injection
Step 8. Install Some demo apps
1. Install Some Demo Apps
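# Earlier variant using local sample manifests and a 'foo' namespace; kept disabled for reference.
#kubectl delete -f ../samples/curl.yaml -n bar
#kubectl delete -f ../samples/curl.yaml -n foo
#kubectl delete -f ../samples/httpbin.yaml -n bar
#kubectl delete -f ../samples/httpbin.yaml -n foo
#kubectl create ns foo
#kubectl label namespace foo istio-injection=enabled
#kubectl apply -f <(istioctl kube-inject -f ../samples/httpbin.yaml) -n foo
#kubectl apply -f <(istioctl kube-inject -f ../samples/curl.yaml) -n foo
# Sample manifests are fetched straight from the istio/istio repository and applied to the
# cluster. The ref defaults to the moving 'master' branch (as in the original), so what gets
# applied can change between runs; set ISTIO_REF to a release branch (the add-ons further down
# use release-1.24) to pin the demo to a fixed, reviewable revision.
istio_ref=${ISTIO_REF:-refs/heads/master}
istio_samples="https://raw.githubusercontent.com/istio/istio/${istio_ref}/samples"
kubectl create ns bar
#kubectl label namespace bar istio-injection=enabled
# Side-car injection is done explicitly with kube-inject here; the namespace label is disabled.
kubectl apply -f <(istioctl kube-inject -f "${istio_samples}/httpbin/httpbin.yaml") -n bar
kubectl apply -f <(istioctl kube-inject -f "${istio_samples}/curl/curl.yaml") -n bar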
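# Run the curl -> httpbin connectivity matrix (max - 1) times. With max=1 the body never
# executes (the original 'seq 2 $max' expands to nothing); raise max to actually exercise it.
max=1
for ((i = 2; i <= max; i++)); do
  for from in foo bar legacy; do
    for to in foo bar; do
      # NOTE(review): only 'bar' is created above ('foo' is commented out, 'legacy' is created
      # later in this script), so lookups in the other namespaces fail unless they already exist.
      # The jsonpath returns every matching pod name; as in the original, the result is passed
      # as a single argument, so exactly one curl pod per namespace is assumed.
      pod=$(kubectl get pod -l app=curl -n "$from" -o jsonpath='{.items..metadata.name}')
      kubectl exec "$pod" -c curl -n "$from" -- \
        curl "http://httpbin.${to}:8000/ip" -s -o /dev/null \
        -w "curl.${from} to httpbin.${to}: %{http_code}\n"
    done
  done
done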
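# Require mTLS for every workload in 'bar' (STRICT). Once applied, plaintext connections to
# httpbin.bar are expected to be rejected, which is what the connectivity matrix above shows.
# The YAML is indented properly here; the flattened original was not valid YAML.
kubectl apply -n bar -f - <<'EOF'
apiVersion: security.istio.io/v1
kind: PeerAuthentication
metadata:
  name: mtls-on
spec:
  mtls:
    mode: STRICT
EOF
kubectl get peerauthentication --all-namespaces
# Roll back per namespace when needed.
#kubectl delete peerauthentication -n istio-system mtls-on
#kubectl delete peerauthentication -n bar mtls-on
#kubectl delete peerauthentication -n foo mtls-on
#kubectl delete peerauthentication -n legacy mtls-on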
# Observability add-ons: Kiali from the local checkout, Prometheus and Grafana from the
# release-1.24 sample manifests. Applied in this order.
addons=(
  ../istio/samples/addons/kiali.yaml
  https://raw.githubusercontent.com/istio/istio/release-1.24/samples/addons/prometheus.yaml
  https://raw.githubusercontent.com/istio/istio/release-1.24/samples/addons/grafana.yaml
)
for manifest in "${addons[@]}"; do
  kubectl apply -f "$manifest"
done
#kubectl delete -f ../istio/samples/addons/kiali.yaml --ignore-not-found
# Third namespace; side-cars are injected automatically via the namespace label.
kubectl create ns legacy
kubectl label namespace legacy istio-injection=enabled
# Apply the foo/bar traffic manifest from the utils directory.
kubectl apply -f ../utils/traffic-foo-bar.yaml
#kubectl create -f ./utils/traffic.yaml
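# Dump the workload certificate chain Envoy currently holds for httpbin in 'bar', so the
# issuer chain can be inspected with certigo.
httpbin_pod=$(kubectl get pod -n bar -l app=httpbin -o jsonpath='{.items..metadata.name}')
# The jsonpath returns every matching pod name; in the original the unquoted result was
# word-split, so zero or several pods became zero or several istioctl arguments. Require
# exactly one and fail with a clear message otherwise.
if [[ -z "$httpbin_pod" || "$httpbin_pod" == *" "* ]]; then
  printf 'expected exactly one httpbin pod in namespace bar, got: "%s"\n' "$httpbin_pod" >&2
  exit 1
fi
istioctl pc secret "$httpbin_pod" -n bar -o json \
  | jq -r '.dynamicActiveSecrets[0].secret.tlsCertificate.certificateChain.inlineBytes' \
  | base64 --decode \
  | certigo dump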
Delete some pods
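# Delete the httpbin pods in foo and bar so their controller recreates them (and they get
# fresh workload certificates on start-up).
for ns in foo bar; do
  # The jsonpath yields space-separated names when several pods match; split them into an
  # array (the original relied on unquoted word-splitting) and skip namespaces with no match
  # instead of calling 'kubectl delete pod' with no name.
  read -r -a pods <<<"$(kubectl get pod -n "$ns" -l app=httpbin -o jsonpath='{.items..metadata.name}')"
  if (( ${#pods[@]} == 0 )); then
    printf 'no httpbin pod found in namespace %s, skipping\n' "$ns" >&2
    continue
  fi
  kubectl delete pod "${pods[@]}" -n "$ns"
done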