Skip to content
This repository has been archived by the owner on Aug 17, 2023. It is now read-only.
/ acorn-istio-plugin Public archive

A plugin to enable mTLS and metrics in Acorn using Istio.

License

Apache-2.0 license
0 stars 4 forks Branches Tags Activity
Star
Notifications You must be signed in to change notification settings

acorn-io/acorn-istio-plugin

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

31 Commits
.github/workflows
.github/workflows
 
 
pkg
pkg
 
 
.gitignore
.gitignore
 
 
Acornfile
Acornfile
 
 
Dockerfile
Dockerfile
 
 
License
License
 
 
Makefile
Makefile
 
 
README.md
README.md
 
 
go.mod
go.mod
 
 
go.sum
go.sum
 
 
main.go
main.go
 
 

Repository files navigation

acorn-istio-plugin

acorn-istio-plugin is an Acorn plugin to enable mTLS in Acorn using Istio.

This plugin is responsible for the following:

  1. Adding service mesh annotations to Acorn project namespaces, which will then be propagated to app namespaces.
  2. Killing Istio sidecars on Acorn jobs, once the other containers in the job have completed.
  3. Setting up a STRICT PeerAuthentication for every Acorn app.
  4. Setting up a PERMISSIVE PeerAuthentication for every published port in every Acorn app.
  5. Setting up VirtualServices to enable linked Acorn apps to communicate with each other.

Build

make build

Args

  • --allow-traffic-from-namespaces: list of namespaces to allow to connect to all Acorn apps as a single string, comma separated
    • example: --allow-traffic-from-namespaces "monitoring,kube-system"

Prerequisites

Your local Kubernetes cluster needs to have Acorn installed with the following options at a minimum:

acorn install --set-pod-security-enforce-profile=false --propagate-project-label="istio-injection" --ingress-controller-namespace=<namespace>

Your cluster also needs to have Istio installed. Ingress and egress gateways are not needed, but Istio base and Istiod are required. The easiest way to do this is with Helm:

helm repo add istio https://istio-release.storage.googleapis.com/charts
helm repo update istio
helm install istio istio/base -n istio-system --create-namespace
helm install istiod istio/istiod -n istio-system

Using the Istio CNI

You can use the Istio CNI to avoid needing to disable pod security profiles.

The easiest way to install it is with Helm:

helm repo add istio https://istio-release.storage.googleapis.com/charts
helm repo update istio
helm install istio-cni istio/cni -n kube-system
helm install istio istio/base -n istio-system --create-namespace
helm install istiod istio/istiod -n istio-system --set istio_cni.enabled="true"

If you are using k3s, you need to set these values for the istio-cni installation:

cni:
  cniBinDir: /var/lib/rancher/k3s/data/current/bin
  cniConfDir: /var/lib/rancher/k3s/agent/etc/cni/net.d

Now that the Istio CNI is set up, Acorn can be installed without disabling pod security profiles:

acorn install --propagate-project-label="istio-injection" --ingress-controller-namespace=<namespace>

Running the plugin

Run the plugin with Acorn:

# dev mode:
acorn run --name acorn-istio-plugin -i .

# latest main build:
acorn run --name acorn-istio-plugin ghcr.io/acorn-io/acorn-istio-plugin:main

# production:
acorn run --name acorn-istio-plugin ghcr.io/acorn-io/acorn-istio-plugin:prod

About

A plugin to enable mTLS and metrics in Acorn using Istio.

Resources

Readme

License

Apache-2.0 license
Activity
Custom properties

Stars

0 stars

Watchers

6 watching

Forks

4 forks
Report repository

Releases

No releases published

Packages

 
 
 

Contributors 5

Languages