diff --git a/service-mesh/istio-tutorial/README.md b/service-mesh/istio-tutorial/README.md
new file mode 100644
index 0000000000..4a09748e73
--- /dev/null
+++ b/service-mesh/istio-tutorial/README.md
@@ -0,0 +1,8 @@
+# Secure Kubernetes Services with Istio on GKE Autopilot
+
+[![Open in Cloud Shell](https://gstatic.com/cloudssh/images/open-btn.svg)](https://ssh.cloud.google.com/cloudshell/editor?cloudshell_git_repo=https://github.com/GoogleCloudPlatform/kubernetes-engine-samples&cloudshell_workspace=autopilot/istio-tutorial)
+
+This example shows how to deploy a Istio service mesh
+to securely deploy of a Bank of Anthos sample application
+with enabled mTLS on using [Google Kubernetes Engine](https://cloud.google.com/kubernetes-engine)
+in Autopilot mode.
diff --git a/service-mesh/istio-tutorial/kiali.yaml b/service-mesh/istio-tutorial/kiali.yaml
new file mode 100644
index 0000000000..3d9e185c38
--- /dev/null
+++ b/service-mesh/istio-tutorial/kiali.yaml
@@ -0,0 +1,40 @@
+# Copyright 2023 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+# [START gke_service_mesh_istio_kiali_dashboard]
+apiVersion: kiali.io/v1alpha1
+kind: Kiali
+metadata:
+ name: kiali
+ namespace: istio-system
+spec:
+ deployment:
+ namespace: istio-system
+ auth:
+ strategy: anonymous
+ external_services:
+ custom_dashboards:
+ prometheus:
+ url: "http://frontend.monitoring:9090/"
+ auth:
+ type: none
+ prometheus:
+ url: "http://frontend.monitoring:9090/"
+ auth:
+ type: none
+ tracing:
+ enabled: false
+ grafana:
+ enabled: false
+# [END gke_service_mesh_istio_kiali_dashboard]
diff --git a/service-mesh/istio-tutorial/peer-authentication.yaml b/service-mesh/istio-tutorial/peer-authentication.yaml
new file mode 100644
index 0000000000..3c26443a73
--- /dev/null
+++ b/service-mesh/istio-tutorial/peer-authentication.yaml
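Review bot: In kiali.yaml, `auth.strategy: anonymous` turns off login for the Kiali console, so anyone who can reach the Kiali service reads the mesh topology, workload configuration and traffic data without credentials, and nothing in the manifest limits that. For a sample this is workable only while the service stays cluster-internal, and the manifest should say so with a comment above the key such as `# Tutorial only: no login; reach Kiali through kubectl port-forward and do not expose this service`. Adding `view_only_mode: true` under `spec.deployment` would also keep unauthenticated viewers from editing Istio resources through the UI, and a shared deployment should use the `token` or `openid` strategy instead. The two Prometheus URLs are plain HTTP with `auth.type: none`, which presumably relies on `frontend.monitoring` being reachable only from inside the cluster.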
@@ -0,0 +1,23 @@
+# Copyright 2023 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+# [START gke_service_mesh_istio_mtls]
+apiVersion: security.istio.io/v1beta1
+kind: PeerAuthentication
+metadata:
+ name: default
+spec:
+ mtls:
+ mode: STRICT
+# [END gke_service_mesh_istio_mtls]
diff --git a/service-mesh/istio-tutorial/pod-monitorings.yaml b/service-mesh/istio-tutorial/pod-monitorings.yaml
new file mode 100644
index 0000000000..cc74b6ff5b
--- /dev/null
+++ b/service-mesh/istio-tutorial/pod-monitorings.yaml
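Review bot: In peer-authentication.yaml, the `PeerAuthentication` named `default` carries no `metadata.namespace`, so the reach of `mode: STRICT` depends on the namespace given to `kubectl apply`: in the Istio root namespace it is mesh-wide, anywhere else it covers only that one namespace. State the intended scope in the manifest, either with `namespace: istio-system` for a mesh-wide policy or with a comment such as `# Namespace-wide policy: apply with -n <workload namespace>`. Without that, a reader can apply the file to the wrong namespace and leave other workloads accepting plaintext while believing mTLS is enforced.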
@@ -0,0 +1,47 @@
+# Copyright 2023 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+# [START gke_service_mesh_istio_monitoring]
+apiVersion: monitoring.googleapis.com/v1
+kind: PodMonitoring
+metadata:
+ name: istiod
+ namespace: istio-system
+spec:
+ selector:
+ matchLabels:
+ app: istiod
+ endpoints:
+ - port: 15014
+ path: /metrics
+ timeout: 30s
+ interval: 60s
+# [END gke_service_mesh_istio_monitoring]
+---
+# [START gke_service_mesh_istio_containers_envoy_proxies_monitoring]
+apiVersion: monitoring.googleapis.com/v1
+kind: PodMonitoring
+metadata:
+ name: envoy-proxies
+ namespace: default
+spec:
+ selector:
+ matchLabels:
+ application: bank-of-anthos
+ endpoints:
+ - port: 15020
+ path: /metrics
+ timeout: 30s
+ interval: 60s
+# [END gke_service_mesh_istio_containers_envoy_proxies_monitoring]
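Review bot: In pod-monitorings.yaml, the `envoy-proxies` endpoint scrapes port 15020 at `path: /metrics`, but the Istio sidecar agent normally serves its merged Envoy and application metrics on that port under `/stats/prometheus` (the path the injector writes into the `prometheus.io/path` annotation), so this scrape probably collects nothing. Check it against a running pod and, if confirmed, change the line to `path: /stats/prometheus`. The `istiod` endpoint on 15014 with `/metrics` looks right. The second resource also matches only pods labelled `application: bank-of-anthos` in `default`, so sidecars in other namespaces are not scraped; a one-line comment above the selector saying so would keep readers from assuming mesh-wide coverage.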