acorn-istio-plugin

command module
v0.0.0-...-e94d887 Latest
Warning

This package is not in the latest version of its module.

Published: Jul 26, 2023 License: Apache-2.0 Imports: 10 Imported by: 0

README

acorn-istio-plugin

acorn-istio-plugin is an Acorn plugin to enable mTLS in Acorn using Istio.

This plugin is responsible for the following:

  1. Adding service mesh annotations to Acorn project namespaces, which will then be propagated to app namespaces.
  2. Killing Istio sidecars on Acorn jobs, once the other containers in the job have completed.
  3. Setting up a STRICT PeerAuthentication for every Acorn app.
  4. Setting up a PERMISSIVE PeerAuthentication for every published port in every Acorn app.
  5. Setting up VirtualServices to enable linked Acorn apps to communicate with each other.
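Items 3 and 4 combine a STRICT policy with PERMISSIVE exceptions, so whether a given port accepts plaintext depends on Istio's PeerAuthentication precedence. The added example below (not the plugin's own code) models that precedence so an operator can list which workload ports still accept non-mTLS traffic. The `Policy` type, labels and port numbers are hypothetical, and it assumes at most one namespace-wide and one workload-selecting policy apply to the workload.

```go
package main

import "fmt"

// Policy is a hypothetical, simplified PeerAuthentication; empty Selector = namespace-wide.
type Policy struct {
	Selector  map[string]string // workload labels to match
	Mode      string            // "STRICT", "PERMISSIVE", "DISABLE" or "" (unset)
	PortModes map[uint32]string // portLevelMtls, keyed by workload port
}

// EffectiveMode resolves one workload port: port-level, then workload policy, then
// namespace-wide policy; unset inherits, and nothing set means PERMISSIVE.
func EffectiveMode(policies []Policy, labels map[string]string, port uint32) string {
	nsMode, wlMode, portMode := "", "", ""
	for _, p := range policies {
		match := true
		for k, v := range p.Selector {
			match = match && labels[k] == v
		}
		if len(p.Selector) == 0 {
			nsMode = p.Mode
		} else if match {
			wlMode, portMode = p.Mode, p.PortModes[port]
		}
	}
	for _, m := range []string{portMode, wlMode, nsMode} {
		if m != "" {
			return m
		}
	}
	return "PERMISSIVE"
}

// PlaintextPorts lists the workload ports that still accept non-mTLS traffic.
func PlaintextPorts(policies []Policy, labels map[string]string, ports []uint32) (open []uint32) {
	for _, port := range ports {
		if EffectiveMode(policies, labels, port) != "STRICT" {
			open = append(open, port)
		}
	}
	return open
}

func main() {
	policies := []Policy{{Mode: "STRICT"}, // constructed sample data
		{Selector: map[string]string{"app": "web"}, PortModes: map[uint32]string{8080: "PERMISSIVE"}}}
	fmt.Println(PlaintextPorts(policies, map[string]string{"app": "web"}, []uint32{8080, 9090}))
}
```

In Istio, port-level settings are keyed by the workload (container) port rather than the Kubernetes Service port, so feed this check the container ports.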

Build

make build

Args

  • --allow-traffic-from-namespaces: comma-separated list of namespaces, passed as a single string, that are allowed to connect to all Acorn apps
    • example: --allow-traffic-from-namespaces "monitoring,kube-system"

Prerequisites

Your local Kubernetes cluster needs to have Acorn installed with the following options at a minimum:

acorn install --set-pod-security-enforce-profile=false --propagate-project-label="istio-injection" --ingress-controller-namespace=<namespace>

Your cluster also needs to have Istio installed. Ingress and egress gateways are not needed, but Istio base and Istiod are required. The easiest way to do this is with Helm:

helm repo add istio https://istio-release.storage.googleapis.com/charts
helm repo update istio
helm install istio istio/base -n istio-system --create-namespace
helm install istiod istio/istiod -n istio-system

Using the Istio CNI

You can use the Istio CNI to avoid needing to disable pod security profiles.

The easiest way to install it is with Helm:

helm repo add istio https://istio-release.storage.googleapis.com/charts
helm repo update istio
helm install istio-cni istio/cni -n kube-system
helm install istio istio/base -n istio-system --create-namespace
helm install istiod istio/istiod -n istio-system --set istio_cni.enabled="true"

If you are using k3s, you need to set these values for the istio-cni installation:

cni:
  cniBinDir: /var/lib/rancher/k3s/data/current/bin
  cniConfDir: /var/lib/rancher/k3s/agent/etc/cni/net.d

Now that the Istio CNI is set up, Acorn can be installed without disabling pod security profiles:

acorn install --propagate-project-label="istio-injection" --ingress-controller-namespace=<namespace>

Running the plugin

Run the plugin with Acorn:

# dev mode:
acorn run --name acorn-istio-plugin -i .

# latest main build:
acorn run --name acorn-istio-plugin ghcr.io/acorn-io/acorn-istio-plugin:main

# production:
acorn run --name acorn-istio-plugin ghcr.io/acorn-io/acorn-istio-plugin:prod

Documentation

There is no documentation for this package.

Directories

Path Synopsis
pkg