OpenShift Service Mesh (Istio)

Introduction

Deployed projects designed and implemented with IBM Financial Services Workbench now support OpenShift Service Mesh (Istio). Istio makes it easy to create a network of deployed services with load balancing, service-to-service authentication, monitoring, and more, with few or no changes to the service code. With Istio enabled, the services communicate over mutual TLS.

Prerequisites

  • OpenShift Service Mesh (version 2.0.2 and above)

  • Created certificates for Istio

Tip: you can create the certificate secret with the following command: oc create secret tls istio-ingressgateway-certs --key tls.key --cert tls.crt -n istio-system
Attention: Make sure that an instance of the Istio Service Mesh Control Plane has been created, and renew your certificates whenever they expire.

Enable OpenShift Service Mesh

OpenShift Service Mesh is enabled when a k5-project is created. The additional steps this requires are described below.

  1. Create an OpenShift project (see Creating new Deployment Targets)

  2. Assign Permissions

  3. Create service mesh member roll for the new k5-project

    • Switch to istio-system project: Home > Projects > istio-system

    • Navigate to: Operators > Installed Operators > Red Hat OpenShift Service Mesh > Istio Service Mesh Member Roll

    • Replace your-project with the created OpenShift project/s as described below

    apiVersion: maistra.io/v1
    kind: ServiceMeshMemberRoll
    metadata:
        name: default
        namespace: istio-system   # the member roll lives in the control plane project selected above
    spec:
        members:
            - your-project
            - another-of-your-projects

  4. Create an instance of the custom resource k5-project

Attention: While creating a new k5-project using the CRD, enable istio (required) and strictMtls (optional). We recommend enabling strictMtls for security reasons: in strict mode the sidecars accept only mutual-TLS connections and reject plain-text traffic.
istio:
    enabled: true
    strictMtls: true
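
The member roll and the istio block of the k5-project CR above are easy to get subtly wrong (a project missing from members, or the members list collapsed onto one line so it parses as a string). The following added example, which is not IBM Financial Services Workbench code, builds both objects and audits copies read back from the cluster. It assumes the control plane lives in istio-system (the project the steps switch to) and that objects have the shape of `oc get <kind> <name> -o json`; the sample objects at the bottom are constructed for the example.

```python
"""Added example (not IBM Financial Services Workbench code): build the
ServiceMeshMemberRoll and the istio block of the k5-project CR as the steps
above describe, then audit objects read back from the cluster.  Object dicts
have the shape of `oc get <kind> <name> -o json`; the samples at the bottom
are constructed for this example, not taken from a real cluster."""

# Assumption: the Service Mesh control plane lives in istio-system, the
# project the steps above switch to before editing the member roll.
CONTROL_PLANE_NS = "istio-system"


def member_roll_manifest(projects):
    """ServiceMeshMemberRoll listing every k5-project that joins the mesh."""
    return {
        "apiVersion": "maistra.io/v1",
        "kind": "ServiceMeshMemberRoll",
        "metadata": {"name": "default", "namespace": CONTROL_PLANE_NS},
        "spec": {"members": list(projects)},  # one list entry per project
    }


def k5_istio_spec(strict_mtls=True):
    """The istio block of the k5-project CR spec; strictMtls defaults to on."""
    return {"istio": {"enabled": True, "strictMtls": bool(strict_mtls)}}


def audit_mesh_enablement(member_roll, k5_project, project_name):
    """Return findings for one k5-project; an empty list means it is enrolled
    in the mesh and its sidecars will accept mutual TLS only."""
    findings = []
    meta = member_roll.get("metadata") or {}
    if meta.get("name") != "default":
        findings.append(f"member roll is named {meta.get('name')!r}, expected 'default'")
    if meta.get("namespace") != CONTROL_PLANE_NS:
        findings.append(f"member roll is in {meta.get('namespace')!r}, "
                        f"expected the control-plane project {CONTROL_PLANE_NS!r}")
    members = (member_roll.get("spec") or {}).get("members")
    if not isinstance(members, list):
        # `members: - a - b` on one line is parsed as a single string, not a list
        findings.append("spec.members is not a list; write one '- project' entry per line")
    elif project_name not in members:
        findings.append(f"{project_name!r} is not in spec.members; its pods get no sidecar")
    istio = (k5_project.get("spec") or {}).get("istio") or {}
    if istio.get("enabled") is not True:
        findings.append("spec.istio.enabled is not true; the project is not meshed")
    if istio.get("strictMtls") is not True:
        findings.append("spec.istio.strictMtls is not true; sidecars still accept "
                        "plain-text connections (permissive mode)")
    return findings


# Constructed samples: a member roll whose list collapsed onto one line, and a
# k5-project that enabled Istio but left strictMtls off.
SAMPLE_BAD_ROLL = {
    "apiVersion": "maistra.io/v1",
    "kind": "ServiceMeshMemberRoll",
    "metadata": {"name": "default", "namespace": CONTROL_PLANE_NS},
    "spec": {"members": "- k5-demo - k5-other"},
}
SAMPLE_PERMISSIVE_PROJECT = {"spec": k5_istio_spec(strict_mtls=False)}

if __name__ == "__main__":
    good = audit_mesh_enablement(member_roll_manifest(["k5-demo"]),
                                 {"spec": k5_istio_spec()}, "k5-demo")
    print("good setup findings:", good)
    for line in audit_mesh_enablement(SAMPLE_BAD_ROLL, SAMPLE_PERMISSIVE_PROJECT, "k5-demo"):
        print("finding:", line)
```

Run it after applying the CR to compare what the cluster actually holds with what the steps intend; a project that is missing from the member roll silently runs without sidecars, and a permissive k5-project still answers plain-text requests.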

Create a route for OpenShift Service Mesh

  1. Switch to istio-system project: Home > Projects > istio-system

  2. Navigate to: Administrator > Networking > Routes > Create Route

    • Provide a name for the route

    • The hostname must have the format <k5-project-name>.<your suffix URL>

    • Select istio-ingressgateway as the service

    • Select 443 -> 8443 (TCP) as the target port

    • Under Security, select the Secure route checkbox

    • Set TLS termination to Passthrough

    • Click Create

Create a Webhook

  1. Switch to istio-system project: Home > Projects > istio-system

  2. Navigate to: Networking > Routes

  3. Search for the route created in the steps above, append /webhook to its URL, and use this modified URL to create the webhook.

Example:

https://<k5-project-name>.<your suffix URL>/webhook
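
The route settings above and the webhook URL derived from them are shown together in the following added example, which is not IBM Financial Services Workbench code. It builds the passthrough Route for the Istio ingress gateway with the exact settings the console steps select, audits a Route read back with `oc get route <name> -n istio-system -o json`, and derives the webhook URL only from a route that passed the audit. It assumes the control plane lives in istio-system, that the gateway service port shown as 443 -> 8443 (TCP) is the container port 8443 (named https in the upstream istio-ingressgateway service), and the route name pattern is the example's own choice; the sample route at the bottom is constructed.

```python
"""Added example (not IBM Financial Services Workbench code): build the
passthrough Route for the Istio ingress gateway as the route steps describe,
audit a Route read back with `oc get route <name> -n istio-system -o json`,
and derive the webhook URL from it.  Sample objects are constructed."""
import re

# Assumptions: control plane in istio-system; the gateway service port that the
# console shows as "443 -> 8443 (TCP)" has container port 8443 and is named
# "https"; the route name pattern below is this example's own choice.
CONTROL_PLANE_NS = "istio-system"
GATEWAY_SERVICE = "istio-ingressgateway"
GATEWAY_PORT = 8443
DNS_LABEL = re.compile(r"^[a-z0-9]([-a-z0-9]*[a-z0-9])?$")


def route_host(project, suffix):
    """Hostname in the required <k5-project-name>.<your suffix URL> form."""
    return f"{project}.{suffix}"


def passthrough_route_manifest(project, suffix, name=None):
    """Route with the settings the console steps above select."""
    return {
        "apiVersion": "route.openshift.io/v1",
        "kind": "Route",
        "metadata": {"name": name or f"{project}-gateway", "namespace": CONTROL_PLANE_NS},
        "spec": {
            "host": route_host(project, suffix),
            "to": {"kind": "Service", "name": GATEWAY_SERVICE},
            "port": {"targetPort": GATEWAY_PORT},
            "tls": {"termination": "passthrough"},
        },
    }


def audit_route(route, project, suffix):
    """Return findings; empty means the router hands the TLS session to the
    ingress gateway untouched, so the gateway's own certificate is what clients see."""
    findings = []
    spec = route.get("spec") or {}
    host = spec.get("host") or ""
    expected = route_host(project, suffix)
    if host != expected:
        findings.append(f"host {host!r} is not {expected!r}")
    if not all(DNS_LABEL.match(label) for label in host.split(".")):
        findings.append(f"host {host!r} contains an invalid DNS label")
    if (route.get("metadata") or {}).get("namespace") != CONTROL_PLANE_NS:
        findings.append(f"route is not in {CONTROL_PLANE_NS!r}")
    if (spec.get("to") or {}).get("name") != GATEWAY_SERVICE:
        findings.append(f"route does not target service {GATEWAY_SERVICE!r}")
    target = (spec.get("port") or {}).get("targetPort")
    if target not in (GATEWAY_PORT, str(GATEWAY_PORT), "https"):  # console may store the port name
        findings.append(f"targetPort is {target!r}, expected {GATEWAY_PORT}")
    tls = spec.get("tls") or {}
    if tls.get("termination") != "passthrough":
        findings.append(f"termination is {tls.get('termination')!r}; only 'passthrough' "
                        "leaves TLS to the gateway's istio-ingressgateway-certs")
    if tls.get("insecureEdgeTerminationPolicy") == "Allow":
        findings.append("plain HTTP is allowed on the route")
    return findings


def webhook_url(route):
    """Webhook URL as in the steps above: the route URL plus /webhook."""
    spec = route.get("spec") or {}
    if (spec.get("tls") or {}).get("termination") != "passthrough":
        raise ValueError("refusing to derive a webhook URL from a non-passthrough route")
    return f"https://{spec['host']}/webhook"


# Constructed sample: a route someone created with edge termination instead.
SAMPLE_EDGE_ROUTE = {
    "apiVersion": "route.openshift.io/v1",
    "kind": "Route",
    "metadata": {"name": "k5-demo-gateway", "namespace": CONTROL_PLANE_NS},
    "spec": {
        "host": "k5-demo.apps.example.com",
        "to": {"kind": "Service", "name": "my-app"},
        "port": {"targetPort": 8080},
        "tls": {"termination": "edge", "insecureEdgeTerminationPolicy": "Allow"},
    },
}

if __name__ == "__main__":
    good = passthrough_route_manifest("k5-demo", "apps.example.com")
    print("good route findings:", audit_route(good, "k5-demo", "apps.example.com"))
    print("webhook:", webhook_url(good))
    for f in audit_route(SAMPLE_EDGE_ROUTE, "k5-demo", "apps.example.com"):
        print("finding:", f)
```

The passthrough check is the one that matters for the mesh: with edge or reencrypt termination the OpenShift router presents its own certificate and the gateway's istio-ingressgateway-certs are never used, which is why the webhook helper refuses to build a URL for such a route.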