From 9af39e2f0e0a0d0f24bccd26904000bd7e8c3486 Mon Sep 17 00:00:00 2001 From: John Howard Date: Thu, 16 Apr 2020 13:20:33 -0700 Subject: [PATCH] Use standard ports for telemetry exposure (#7069) * Use standard ports for telemetry exposure Blocker for https://github.com/istio/istio/issues/22911 * Full update and include HTTPS * Fix link * Remove from ports table * Apply suggestions from code review Co-Authored-By: Rachael Graham Co-authored-by: Rachael Graham --- .../docs/ops/deployment/requirements/index.md | 4 - .../tasks/observability/gateways/index.md | 228 ++++++------------ 2 files changed, 75 insertions(+), 157 deletions(-) diff --git a/content/en/docs/ops/deployment/requirements/index.md b/content/en/docs/ops/deployment/requirements/index.md index b47f234fb9..4c52b93cfe 100644 --- a/content/en/docs/ops/deployment/requirements/index.md +++ b/content/en/docs/ops/deployment/requirements/index.md @@ -73,10 +73,6 @@ The following ports and protocols are used by Istio. | 8080 | HTTP | Istiod | Debug interface | | 443 | HTTPS | Istiod | Webhooks | | 15014 | HTTP | Citadel, Citadel agent, Galley, Mixer, Istiod, Sidecar Injector | Control plane monitoring | -| 15029 | HTTP | Kiali | Kiali User Interface | -| 15030 | HTTP | Prometheus | Prometheus User Interface | -| 15031 | HTTP | Grafana | Grafana User Interface | -| 15032 | HTTP | Tracing | Tracing User Interface | | 15443 | TLS | Ingress and Egress Gateways | SNI | | 9090 | HTTP | Prometheus | Prometheus | | 42422 | TCP | Mixer | Telemetry - Prometheus | diff --git a/content/en/docs/tasks/observability/gateways/index.md b/content/en/docs/tasks/observability/gateways/index.md index e7842368b2..d6bb5f38f4 100644 --- a/content/en/docs/tasks/observability/gateways/index.md +++ b/content/en/docs/tasks/observability/gateways/index.md @@ -17,21 +17,7 @@ two basic access methods: secure (via HTTPS) and insecure (via HTTP). The secure recommended* for any production or sensitive environment. Insecure access is simpler to set up, but will not protect any credentials or data transmitted outside of your cluster. -### Option 1: Secure access (HTTPS) - -A server certificate is required for secure access. Follow these steps to install and configure -server certificates for a domain that you control. - -You may use self-signed certificates instead. Visit our -[Securing Gateways with HTTPS](/docs/tasks/traffic-management/ingress/secure-ingress/) -for general information on using self-signed certificates to access in-cluster services. - -{{< warning >}} -This option covers securing the transport layer *only*. You should also configure the telemetry -addons to require authentication when exposing them externally. -{{< /warning >}} - -1. [Install cert-manager](/docs/ops/integrations/certmanager/) to manage certificates automatically. +For both options, first follow these steps: 1. [Install Istio](/docs/setup/install/istioctl) in your cluster. @@ -42,72 +28,44 @@ addons to require authentication when exposing them externally. * Prometheus: `--set values.prometheus.enabled=true` * Tracing: `--set values.tracing.enabled=true` -1. Configure the DNS records for your domain. +1. Set up the domain to expose addons. In this example, you expose each addon on a subdomain, such as `grafana.example.com`. - 1. Get the external IP address of the `istio-ingressgateway`. - - {{< text bash >}} - $ kubectl -n istio-system get service istio-ingressgateway -o jsonpath='{.status.loadBalancer.ingress[0].ip}' - - {{< /text >}} - - 1. Set an environment variable to hold your target domain. - - {{< text bash >}} - $ TELEMETRY_DOMAIN= - {{< /text >}} - - 1. Point your desired domain at that external IP address via your domain provider. - - The mechanism for achieving this step varies by provider. Here are a few example documentation links: - - * Bluehost: [DNS Management Add Edit or Delete DNS Entries](https://my.bluehost.com/hosting/help/559) - * GoDaddy: [Add an A record](https://www.godaddy.com/help/add-an-a-record-19238) - * Google Domains: [Resource Records](https://support.google.com/domains/answer/3290350?hl=en) - * Name.com: [Adding an A record](https://www.name.com/support/articles/115004893508-Adding-an-A-record) - - 1. Verify that the DNS records are correct. - - {{< text bash >}} - $ dig +short $TELEMETRY_DOMAIN - - {{< /text >}} - -1. Generate a server certificate + * If you have an existing domain pointing to the external IP address of `istio-ingressgateway`: {{< text bash >}} - $ cat < {{< /text >}} -1. Wait until the server certificate is ready. + * If you do not have a domain, you may use [`nip.io`](https://nip.io/) which will automatically resolve to the IP address provided. This is not recommended for production usage. - {{< text syntax="bash" expandlinks="false" >}} - $ JSONPATH='{range .items[*]}{@.metadata.name}:{range @.status.conditions[*]}{@.type}={@.status}{end}{end}' && kubectl -n istio-system get certificates.cert-manager.io -o jsonpath="$JSONPATH" - telemetry-gw-cert:Ready=True + {{< text bash >}} + $ export INGRESS_HOST=$(kubectl -n istio-system get service istio-ingressgateway -o jsonpath='{.status.loadBalancer.ingress[0].ip}') + $ export INGRESS_DOMAIN=${INGRESS_HOST}.nip.io {{< /text >}} +### Option 1: Secure access (HTTPS) + +A server certificate is required for secure access. Follow these steps to install and configure +server certificates for a domain that you control. + +{{< warning >}} +This option covers securing the transport layer *only*. You should also configure the telemetry +addons to require authentication when exposing them externally. +{{< /warning >}} + +This example uses self-signed certificates, which may not be appropriate for production usages. For these cases, consider using [cert-manager](/docs/ops/integrations/certmanager/) or other tools to provision certificates. You may also visit the [Securing Gateways with HTTPS](/docs/tasks/traffic-management/ingress/secure-ingress/) task for general information on using HTTPS on the gateway. + +1. Setup the certificates. This example uses `openssl` to self sign. + +{{< text bash >}} +$ CERT_DIR=/tmp/certs +$ mkdir -p ${CERT_DIR} +$ openssl req -x509 -sha256 -nodes -days 365 -newkey rsa:2048 -subj '/O=example Inc./CN=*.${INGRESS_DOMAIN}' -keyout ${CERT_DIR}/ca.key -out ${CERT_DIR}/ca.crt +$ openssl req -out ${CERT_DIR}/cert.csr -newkey rsa:2048 -nodes -keyout ${CERT_DIR}/tls.key -subj "/CN=*.${INGRESS_DOMAIN}/O=example organization" +$ openssl x509 -req -days 365 -CA ${CERT_DIR}/ca.crt -CAkey ${CERT_DIR}/ca.key -set_serial 0 -in ${CERT_DIR}/cert.csr -out ${CERT_DIR}/tls.crt +$ kubectl create -n istio-system secret tls telemetry-gw-cert --key=${CERT_DIR}/tls.key --cert=${CERT_DIR}/tls.crt +{{< /text >}} + 1. Apply networking configuration for the telemetry addons. 1. Apply the following configuration to expose Grafana: @@ -124,16 +82,14 @@ addons to require authentication when exposing them externally. istio: ingressgateway servers: - port: - number: 15031 + number: 443 name: https-grafana protocol: HTTPS tls: mode: SIMPLE - serverCertificate: sds - privateKey: sds credentialName: telemetry-gw-cert hosts: - - "$TELEMETRY_DOMAIN" + - "grafana.${INGRESS_DOMAIN}" --- apiVersion: networking.istio.io/v1alpha3 kind: VirtualService @@ -142,13 +98,11 @@ addons to require authentication when exposing them externally. namespace: istio-system spec: hosts: - - "$TELEMETRY_DOMAIN" + - "grafana.${INGRESS_DOMAIN}" gateways: - grafana-gateway http: - - match: - - port: 15031 - route: + - route: - destination: host: grafana port: @@ -185,16 +139,14 @@ addons to require authentication when exposing them externally. istio: ingressgateway servers: - port: - number: 15029 + number: 443 name: https-kiali protocol: HTTPS tls: mode: SIMPLE - serverCertificate: sds - privateKey: sds credentialName: telemetry-gw-cert hosts: - - "$TELEMETRY_DOMAIN" + - "kiali.${INGRESS_DOMAIN}" --- apiVersion: networking.istio.io/v1alpha3 kind: VirtualService @@ -203,13 +155,11 @@ addons to require authentication when exposing them externally. namespace: istio-system spec: hosts: - - "$TELEMETRY_DOMAIN" + - "kiali.${INGRESS_DOMAIN}" gateways: - kiali-gateway http: - - match: - - port: 15029 - route: + - route: - destination: host: kiali port: @@ -246,16 +196,14 @@ addons to require authentication when exposing them externally. istio: ingressgateway servers: - port: - number: 15030 + number: 443 name: https-prom protocol: HTTPS tls: mode: SIMPLE - serverCertificate: sds - privateKey: sds credentialName: telemetry-gw-cert hosts: - - "$TELEMETRY_DOMAIN" + - "prometheus.${INGRESS_DOMAIN}" --- apiVersion: networking.istio.io/v1alpha3 kind: VirtualService @@ -264,13 +212,11 @@ addons to require authentication when exposing them externally. namespace: istio-system spec: hosts: - - "$TELEMETRY_DOMAIN" + - "prometheus.${INGRESS_DOMAIN}" gateways: - prometheus-gateway http: - - match: - - port: 15030 - route: + - route: - destination: host: prometheus port: @@ -307,16 +253,14 @@ addons to require authentication when exposing them externally. istio: ingressgateway servers: - port: - number: 15032 + number: 443 name: https-tracing protocol: HTTPS tls: mode: SIMPLE - serverCertificate: sds - privateKey: sds credentialName: telemetry-gw-cert hosts: - - "$TELEMETRY_DOMAIN" + - "tracing.${INGRESS_DOMAIN}" --- apiVersion: networking.istio.io/v1alpha3 kind: VirtualService @@ -325,13 +269,11 @@ addons to require authentication when exposing them externally. namespace: istio-system spec: hosts: - - "$TELEMETRY_DOMAIN" + - "tracing.${INGRESS_DOMAIN}" gateways: - tracing-gateway http: - - match: - - port: 15032 - route: + - route: - destination: host: tracing port: @@ -356,22 +298,17 @@ addons to require authentication when exposing them externally. 1. Visit the telemetry addons via your browser. - * Kiali: `https://$TELEMETRY_DOMAIN:15029/` - * Prometheus: `https://$TELEMETRY_DOMAIN:15030/` - * Grafana: `https://$TELEMETRY_DOMAIN:15031/` - * Tracing: `https://$TELEMETRY_DOMAIN:15032/` + {{< warning >}} + If you used self signed certificates, your browser will likely mark them as insecure. + {{< /warning >}} + + * Kiali: `https://kiali.${INGRESS_DOMAIN}` + * Prometheus: `https://prometheus.${INGRESS_DOMAIN}` + * Grafana: `https://grafana.${INGRESS_DOMAIN}` + * Tracing: `https://tracing.${INGRESS_DOMAIN}` ### Option 2: Insecure access (HTTP) -1. [Install Istio](/docs/setup/install/istioctl) in your cluster with your desired telemetry addons. - - To additionally install the telemetry addons, use the following installation options: - - * Grafana: `--set values.grafana.enabled=true` - * Kiali: `--set values.kiali.enabled=true` - * Prometheus: `--set values.prometheus.enabled=true` - * Tracing: `--set values.tracing.enabled=true` - 1. Apply networking configuration for the telemetry addons. 1. Apply the following configuration to expose Grafana: @@ -388,11 +325,11 @@ addons to require authentication when exposing them externally. istio: ingressgateway servers: - port: - number: 15031 + number: 80 name: http-grafana protocol: HTTP hosts: - - "*" + - "grafana.${INGRESS_DOMAIN}" --- apiVersion: networking.istio.io/v1alpha3 kind: VirtualService @@ -401,13 +338,11 @@ addons to require authentication when exposing them externally. namespace: istio-system spec: hosts: - - "*" + - "grafana.${INGRESS_DOMAIN}" gateways: - grafana-gateway http: - - match: - - port: 15031 - route: + - route: - destination: host: grafana port: @@ -444,11 +379,11 @@ addons to require authentication when exposing them externally. istio: ingressgateway servers: - port: - number: 15029 + number: 80 name: http-kiali protocol: HTTP hosts: - - "*" + - "kiali.${INGRESS_DOMAIN}" --- apiVersion: networking.istio.io/v1alpha3 kind: VirtualService @@ -457,13 +392,11 @@ addons to require authentication when exposing them externally. namespace: istio-system spec: hosts: - - "*" + - "kiali.${INGRESS_DOMAIN}" gateways: - kiali-gateway http: - - match: - - port: 15029 - route: + - route: - destination: host: kiali port: @@ -500,11 +433,11 @@ addons to require authentication when exposing them externally. istio: ingressgateway servers: - port: - number: 15030 + number: 80 name: http-prom protocol: HTTP hosts: - - "*" + - "prometheus.${INGRESS_DOMAIN}" --- apiVersion: networking.istio.io/v1alpha3 kind: VirtualService @@ -513,13 +446,11 @@ addons to require authentication when exposing them externally. namespace: istio-system spec: hosts: - - "*" + - "prometheus.${INGRESS_DOMAIN}" gateways: - prometheus-gateway http: - - match: - - port: 15030 - route: + - route: - destination: host: prometheus port: @@ -556,11 +487,11 @@ addons to require authentication when exposing them externally. istio: ingressgateway servers: - port: - number: 15032 + number: 80 name: http-tracing protocol: HTTP hosts: - - "*" + - "tracing.${INGRESS_DOMAIN}" --- apiVersion: networking.istio.io/v1alpha3 kind: VirtualService @@ -569,13 +500,11 @@ addons to require authentication when exposing them externally. namespace: istio-system spec: hosts: - - "*" + - "tracing.${INGRESS_DOMAIN}" gateways: - tracing-gateway http: - - match: - - port: 15032 - route: + - route: - destination: host: tracing port: @@ -600,10 +529,10 @@ addons to require authentication when exposing them externally. 1. Visit the telemetry addons via your browser. - * Kiali: `http://:15029/` - * Prometheus: `http://:15030/` - * Grafana: `http://:15031/` - * Tracing: `http://:15032/` + * Kiali: `http://kiali.${INGRESS_DOMAIN}` + * Prometheus: `http://prometheus.${INGRESS_DOMAIN}` + * Grafana: `http://grafana.${INGRESS_DOMAIN}` + * Tracing: `http://tracing.${INGRESS_DOMAIN}` ## Cleanup @@ -626,10 +555,3 @@ addons to require authentication when exposing them externally. virtualservice.networking.istio.io "prometheus-vs" deleted virtualservice.networking.istio.io "tracing-vs" deleted {{< /text >}} - -* If installed, remove the gateway certificate: - - {{< text bash >}} - $ kubectl -n istio-system delete certificates.cert-manager.io telemetry-gw-cert - certificate.cert-manager.io "telemetry-gw-cert" deleted - {{< /text >}}