openfaas
diff --git a/‎_posts/2021-05-19-istio.md
Lines changed: 335 additions & 0 deletions b/‎_posts/2021-05-19-istio.md
Lines changed: 335 additions & 0 deletions
diff --git a/‎images/2021-05-istio/background.jpg
213 KB b/‎images/2021-05-istio/background.jpg
213 KB
@@ -0,0 +1,335 @@
+---
+title: "Learn how to integrate Istio service mesh with your Functions"
+description: "Learn how to enable Istio for OpenFaaS to take advantage of Mutual TLS and the Istio Gateway"
+date: 2021-05-12
+image: /images/2021-05-istio/background.jpg
+categories:
+ - live
+ - use-cases
+ - functions
+author_staff_member: alex
+dark_background: true
+
+---
+
+Learn how to enable Istio for OpenFaaS to take advantage of Mutual TLS and the Istio Gateway
+
+## Introduction
+
+Service meshes have become popular add-ons for Kubernetes, so much so that they have their [own ServiceMeshCon days](https://events.linuxfoundation.org/servicemeshcon/) at [KubeCon](https://events.linuxfoundation.org/kubecon-cloudnativecon-europe/), the official Kubernetes conference.
+
+A service mesh can be used to apply policies to network communication, encrypt traffic between endpoints and for advanced routing.
+
+<img src="https://istio.io/latest/img/istio-bluelogo-whitebackground-unframed.svg" width="10%" alt="Istio logo">
+
+[Istio](https://istio.io) is one of the most popular service meshes available for use with Kubernetes and with help from the team at Google, we've recently updated the support and documentation for using Istio with OpenFaaS.
+
+The value for users is:
+* Providing more advanced and flexible policy than Kubernetes' NetworkPolicies
+* Encrypting traffic between all OpenFaaS components and functions for "zero trust"
+* Providing advanced networking like retries, and weighting for canaries and gradual rollouts of new functions
+
+Thank you to [John Howard](https://github.com/howardjohn) from Google for helping us with this work and to [Lucas Roesler](https://github.com/lucasroesler) for reviewing and testing the work.
+
+In this blog post we'll give you a quick introduction so that you can start integrating Istio with OpenFaaS. We'll then go on to show you how to measure the resource consumption of the cluster, and how to create a TLS certificate for the Istio Gateway.
+
+There are many service mesh products available. Other popular options include: [Linkerd](https://linkerd.io), [Kuma](https://kuma.io/) and [Consul](https://learn.hashicorp.com/tutorials/consul/service-mesh).
+
+> You may also like the workshop we created to show how to do mutual TLS and traffic shifting with [OpenFaaS and Linkerd](https://github.com/openfaas/openfaas-linkerd-workshop).
+
+## Tutorial
+
+We are using arkade, the open source marketplace to download CLIs and to install the apps we need. You can also do this the hard way if you prefer, just refer to the documentation or the helm chart for more.
+
+### Bootstrap the cluster
+
+Create a local cluster for testing:
+
+```bash
+arkade get kind
+
+kind create cluster \
+  --name openfaas-istio
+```
+
+### Add Istio
+
+Once up and running, install Istio:
+
+```bash
+arkade install istio
+```
+
+At time of writing this installs Istio 1.9.
+
+### Install OpenFaaS
+
+Now install OpenFaaS using the following changes:
+
+The `gateway.directFunctions=true` flag prevents OpenFaaS from trying to do its own endpoint load-balancing between function replicas, and defers to Envoy instead. Envoy is configured for each pod by Istio and handles routing and retries.
+
+The `istio.mtls` flag is optional, but when set encrypts the traffic between each of the pods in the `openfaas` and `openfaas-fn` namespace.
+
+```bash
+arkade install openfaas \
+  --set gateway.directFunctions=true \
+  --set istio.mtls=true
+```
+
+At this point everything is configured and you can use OpenFaaS.
+
+### Deploy a test function
+
+Create an Istio Gateway so that we can connect to the OpenFaaS Gateway and log in.
+
+```bash
+# gateway.yaml
+cat > gateway.yaml <<EOF
+apiVersion: networking.istio.io/v1alpha3
+kind: Gateway
+metadata:
+  name: openfaas-gateway
+  namespace: openfaas
+spec:
+  selector:
+    istio: ingressgateway # use istio default controller
+  servers:
+  - port:
+      number: 80
+      name: http
+      protocol: HTTP
+    hosts:
+    - "*"
+---
+apiVersion: networking.istio.io/v1alpha3
+kind: VirtualService
+metadata:
+  name: openfaas-api
+  namespace: openfaas
+spec:
+  hosts:
+  - "*"
+  gateways:
+  - openfaas-gateway
+  http:
+  - match:
+    - uri:
+        prefix: /
+    route:
+    - destination:
+        host: gateway
+        port:
+          number: 8080
+EOF
+
+kubectl apply -f gateway.yaml
+```
+
+Port-forward the Istio Ingress Gateway:
+
+```bash
+kubectl port-forward -n istio-system \
+  svc/istio-ingressgateway \
+  8080:80 \
+  8443:443 &
+```
+
+Log in:
+
+```bash
+PASSWORD=$(kubectl get secret -n openfaas basic-auth -o jsonpath="{.data.basic-auth-password}" | base64 --decode; echo)
+echo -n $PASSWORD | faas-cli login --username admin --password-stdin
+```
+
+```bash
+# Find something you are interested in with:
+faas-cli store list
+
+# Deploy one of the functions
+faas-cli store deploy nodeinfo
+```
+
+Invoke the function via the Istio Ingress gateway:
+
+```bash
+echo | faas-cli invoke nodeinfo
+```
+
+Describe the Function's deployment, so you can see that the Istio proxy (Envoy) has been configured:
+
+```
+kubectl describe pod -n openfaas-fn
+
+Events:
+  Type    Reason     Age   From               Message
+  ----    ------     ----  ----               -------
+  Normal  Scheduled  48s   default-scheduler  Successfully assigned openfaas-fn/nodeinfo-857d9c469b-ww66k to openfaas-istio-control-plane
+  Normal  Pulling    47s   kubelet            Pulling image "docker.io/istio/proxyv2:1.9.1"
+  Normal  Pulled     46s   kubelet            Successfully pulled image "docker.io/istio/proxyv2:1.9.1" in 938.690323ms
+  Normal  Created    46s   kubelet            Created container istio-init
+  Normal  Started    46s   kubelet            Started container istio-init
+  Normal  Pulling    46s   kubelet            Pulling image "ghcr.io/openfaas/nodeinfo:latest"
+  Normal  Pulled     38s   kubelet            Successfully pulled image "ghcr.io/openfaas/nodeinfo:latest" in 8.160064746s
+  Normal  Created    38s   kubelet            Created container nodeinfo
+  Normal  Started    38s   kubelet            Started container nodeinfo
+  Normal  Pulling    38s   kubelet            Pulling image "docker.io/istio/proxyv2:1.9.1"
+  Normal  Pulled     37s   kubelet            Successfully pulled image "docker.io/istio/proxyv2:1.9.1" in 925.80937ms
+  Normal  Created    37s   kubelet            Created container istio-proxy
+  Normal  Started    37s   kubelet            Started container istio-proxy
+```
+
+## Going Further
+
+### Measuring the effects
+
+There is a cost involved with installing a service mesh like Istio. There will be additional RAM required, additional control-plane components to configure and keep updated, along with additional latency and cold-start times for scaling functions from zero.
+
+If you would like to understand the quiescent load on the cluster, you can install the Kubernetes metrics-server through arkade:
+
+```bash
+arkade install metrics-server
+
+# Wait a few minutes for data collection, then run:
+kubectl top node
+kubectl top pod -A
+```
+
+### Getting a TLS certificate
+
+Let's now get a TLS certificate so that we can serve traffic to clients securely.
+
+First, create a DNS A record for the IP address of the Istio Ingress gateway using your preferred cloud dashboard and DNS service.
+
+```bash
+kubectl get svc -n istio-system istio-ingressgateway
+NAME                   TYPE           CLUSTER-IP       EXTERNAL-IP
+istio-ingressgateway   LoadBalancer   10.106.200.195   <pending>
+```
+If you're running within a private VPC, on-premises or on your laptop, then you will need to get a public IP for Istio through the inlets-operator. See a full guide to [setting up the inlets-operator with Istio](https://blog.alexellis.io/a-bit-of-istio-before-tea-time/) to provide an IP via a secure tunnel. That will then change `<pending>` to a fully accessible IP.
+
+Otherwise, copy the IP or CNAME issued to you under `EXTERNAL-IP` and create your DNS entry. I'll be using the domain `faas.o6s.io`.
+
+You can get a TLS certificate to serve traffic over HTTPS using cert-manager.
+
+```bash
+arkade install cert-manager
+```
+
+Now create an `Issuer` and register it with [Let's Encrypt](https://letsencrypt.org/):
+
+```bash
+export EMAIL="you@example.com"
+
+cat > issuer.yaml <<EOF
+apiVersion: cert-manager.io/v1
+kind: Issuer
+metadata:
+  name: letsencrypt-prod
+  namespace: istio-system
+spec:
+  acme:
+    server: https://acme-v02.api.letsencrypt.org/directory
+    email: $EMAIL
+    privateKeySecretRef:
+      name: letsencrypt-prod
+    solvers:
+    - selector: {}
+      http01:
+        ingress:
+          class: istio
+EOF
+kubectl apply -f issuer.yaml
+```
+
+Define a certificate:
+
+```bash
+export DOMAIN="faas.o6s.io"
+
+cat > cert.yaml <<EOF
+apiVersion: cert-manager.io/v1alpha2
+kind: Certificate
+metadata:
+  name: ingress-cert
+  namespace: istio-system
+spec:
+  secretName: ingress-cert
+  commonName: $DOMAIN
+  dnsNames:
+  - $DOMAIN
+  issuerRef:
+    name: letsencrypt-prod
+    kind: Issuer
+EOF
+kubectl apply -f cert.yaml
+```
+
+You can then check the status of the issuer and certificate:
+
+```bash
+kubectl get issuer -n istio-system -o wide
+NAME               READY   STATUS                                                 AGE
+letsencrypt-prod   True    The ACME account was registered with the ACME server   2m22s
+
+kubectl get certificate -n istio-system -o wide
+NAME           READY   SECRET         ISSUER             STATUS                                          AGE
+ingress-cert   True    ingress-cert   letsencrypt-prod   Certificate is up to date and has not expired   30s
+```
+
+Now finally update the IngressGateway we created earlier so that it uses the domain we have defined such as `faas.o6s.io`.
+
+```bash
+# gateway.yaml
+cat > gateway.yaml <<EOF
+apiVersion: networking.istio.io/v1alpha3
+kind: Gateway
+metadata:
+  name: openfaas-gateway
+  namespace: openfaas
+spec:
+  selector:
+    istio: ingressgateway
+  servers:
+  - port:
+      number: 443
+      name: https
+      protocol: HTTPS
+    tls:
+      mode: SIMPLE
+      credentialName: ingress-cert
+    hosts:
+    - faas.o6s.io
+EOF
+
+kubectl apply -f gateway.yaml
+```
+
+At this point you can log into OpenFaaS via its public URL and access the nodeinfo function:
+
+```bash
+export OPENFAAS_URL="https://faas.o6s.io"
+echo -n $PASSWORD | faas-cli login --username admin --password-stdin
+
+Calling the OpenFaaS server to validate the credentials...
+
+credentials saved for admin https://faas.o6s.io
+```
+
+Invoke the function:
+
+```bash
+curl -s -d "" $OPENFAAS_URL/function/nodeinfo
+```
+
+## Wrapping up
+
+In a short period of time we were able to deploy Istio and OpenFaaS on a local KinD cluster and see Envoy's sidecar providing mutual TLS encryption. We then went on to explore the additional resource consumption added by using Istio, and finally showed you how to create a TLS certificate for external traffic using a free certificate from Let's Encrypt.
+
+If you wanted to take things further, you could look into more advanced policies for routing and traffic shifting or partial weighting using [VirtualServices](https://istio.io/latest/docs/reference/config/networking/virtual-service/) for individual functions.
+
+> You may also like the workshop we created to show how to do mutual TLS and traffic shifting with [OpenFaaS and Linkerd](https://github.com/openfaas/openfaas-linkerd-workshop).
+
+Do you have questions, comments or suggestions?
+
+* Find out more about [Istio](https://istio.io)
+* Join [OpenFaaS Slack](https://slack.openfaas.io/)