OPEA with Istio

Introduction

Istio service mesh provides many features including 1) mTLS between Kubernetes pods and 2) TLS connection to Kubernetes ingress.

This document describes how to enable the above two Istio features with OPEA applications. We will use the new Istio ambient mode (a.k.a. sidecar-less mode)

Deployment

In this document we use the following components:

  • OPEA ChatQnA as an example application

  • Istio (in ambient mode) with ingress gateway using TLS and strict mTLS for ChatQnA application

  • Cert-Manager for issuing TLS certificate to Istio ingress gateway

Deploy Istio, ChatQnA and Cert-Manager

In this document we use helmfile to do the deployment:

helmfile apply

[!NOTE] The above deployment uses model-volume Persistent Volume Claim (PVC) for storing the ChatQnA models so ensure such PVC and corresponding PV are available in your cluster.

Install Kubernetes Gateway CRDs

Note that the Kubernetes Gateway API CRDs do not come installed by default on most Kubernetes clusters, so make sure they are installed before using the Gateway API:

kubectl get crd gateways.gateway.networking.k8s.io &> /dev/null || \
  { kubectl apply -f https://github.com/kubernetes-sigs/gateway-api/releases/download/v1.2.0/standard-install.yaml; }

Create Istio gateway with TLS and virtual service

Istio gateway terminates the external TLS connections. Istio virtual service routes the traffic to services. In this example, all the traffic that matches host ‘*.intel.com’ and path prefix ‘/’ is routed to ‘chatqna-nginx.chatqna’ service. The Istio gateway needs certificate which is created via ‘cert-manager’ Issuer and Certificate.

Create Istio gateway and virtual service:

kubectl apply -f istio-gateway-and-virtual-service.yaml

Create cert-manager Issuer and Certificate:

kubectl apply -f istio-gateway-ca-and-cert.yaml

Now you are able to connect to OPEA engine services via TLS. You can test the connection with the command:

# Get Istio ingress loadbalancer (LB) address. If you don't use LB, you can set use `kubectl port-forward` command.
IP=$(kubectl get svc -n istio-ingress -ojsonpath="{.items[0].status.loadBalancer.ingress[0].ip}")
# Resolve IP to DNS. DNS needs to match the dnsNames in istio-gateway certificate.
curl -ks https://${DNS}/v1/chatqna -H "Content-Type: application/json" -d '{"messages": "What is the TLS?"}'

[!NOTE] > https scheme (TLS) is used and in curl we ignore the server’s self signed certificate with -k option.

Enforce mTLS between OPEA pods

This task ensures the OPEA workloads only communicate using mutual TLS.

kubectl apply -f istio-mtls-strict.yaml -n chatqna

Cleanup

Once you are done with the example you can cleanup your environment with the following commands:

kubectl delete -f istio-gateway-and-virtual-service.yaml
kubectl delete -f istio-gateway-ca-and-cert.yaml
kubectl apply -f istio-mtls-strict.yaml -n chatqna
helmfile delete