Get started with the charmed Istio service mesh

Introduction

This tutorial demonstrates how to:

  • deploy the Istio service mesh using Charmed Istio

  • put a microservice application on the mesh

  • secure that application by:

    • establishing mTLS between all components

    • creating authorization policies that allow only the required communication, blocking any other entity from even reaching your components

To demonstrate this, we’ll use the Istio Bookinfo example application.

Prerequisites

This tutorial assumes you have a Juju controller bootstrapped on a MicroK8s cloud that is ready to use, on a 4 CPU, 8 GB node or better, with at least 40 GB disk space. Typical setup using snaps can be found in the Juju docs.

This tutorial also assumes you have a basic knowledge of Juju.

Configure MicroK8s

For this tutorial to go smoothly, make sure the following MicroK8s addons are enabled: dns, hostpath-storage, and metallb.

You can check this with microk8s status and enable any missing addons.


Deploy Charmed Istio


Step 1: Set up the Istio system

Create a dedicated model for Istio components and deploy the core charms:

Note

The charms in this tutorial are currently pinned to edge channels because those channels include bug fixes and features needed to demonstrate the service-mesh capabilities shown here.

juju add-model istio-system
juju deploy istio-k8s --trust --channel 2/edge
juju deploy istio-ingress-k8s --trust --channel 2/edge

The istio-k8s charm deploys and manages the control plane of an Istio service mesh on Kubernetes, enabling you to configure and manage Istio through Juju.

The istio-ingress-k8s charm manages Istio ingress gateways in Kubernetes clusters and provides an ingress endpoint for charms that use it.

Step 2: Offer Istio ingress

As we’ve deployed a single central ingress for our applications, we must make that ingress accessible to other Juju models by offering it:

juju offer istio-ingress-k8s:ingress


Deploy Charmed Bookinfo application


The Bookinfo application consists of three charms:

  • bookinfo-productpage-k8s: Frontend charm that displays book information

  • bookinfo-details-k8s: Backend charm that provides book details

  • bookinfo-reviews-k8s: Backend charm that provides book reviews

The Bookinfo example was chosen for this tutorial because:

  • It’s the official demo application used by Istio

  • It’s composed of multiple microservices that replicate a conventional web application and can be conveniently used to demonstrate various service mesh features

The Bookinfo application needs bookinfo-productpage-k8s to communicate successfully with bookinfo-details-k8s and bookinfo-reviews-k8s for the web page to display all the relevant information without errors.

Charmed bookinfo application architecture

Step 3: Deploy application components

Create a model for the application and deploy the charms:

juju add-model bookinfo

# Deploy the charms
juju deploy bookinfo-productpage-k8s
juju deploy bookinfo-details-k8s --trust
juju deploy bookinfo-reviews-k8s --trust

# Connect the charms
juju integrate bookinfo-productpage-k8s:details bookinfo-details-k8s:details
juju integrate bookinfo-productpage-k8s:reviews bookinfo-reviews-k8s:reviews

Now you can sit back and watch the deployment take place:

juju status --integrations --watch=5s

Step 4: Configure external access

Expose the bookinfo-productpage-k8s using the istio-ingress-k8s ingress gateway. It is necessary to consume istio-ingress-k8s from the istio-system model into the bookinfo model before adding the ingress relation.

juju consume istio-system.istio-ingress-k8s
juju integrate bookinfo-productpage-k8s istio-ingress-k8s:ingress

This ingress relation allows the bookinfo-productpage-k8s charm to be reached from outside the cluster, for example from your browser.

Step 5: Access the application

Get the application URL and verify it’s working:

juju run bookinfo-productpage-k8s/0 get-url

Open the URL in your browser. You’ll see the book information page.

Bookinfo application

Secure with Service Mesh

Your application now works, but it:

  • communicates over plain HTTP, meaning any sensitive data could be exposed if someone intercepts your traffic

  • can be accessed by anything in your Kubernetes cluster

For example, if we curl from the productpage charm Pod, the requests succeed in many cases, including ones our application never needs:

# All endpoints are accessible with any HTTP method
juju exec -m bookinfo -u bookinfo-productpage-k8s/0 -- curl -s http://bookinfo-details-k8s.bookinfo.svc.cluster.local:9080/
juju exec -m bookinfo -u bookinfo-productpage-k8s/0 -- curl -s http://bookinfo-details-k8s.bookinfo.svc.cluster.local:9080/health
juju exec -m bookinfo -u bookinfo-productpage-k8s/0 -- curl -s http://bookinfo-details-k8s.bookinfo.svc.cluster.local:9080/details/1

# Even potentially dangerous methods like POST work
juju exec -m bookinfo -u bookinfo-productpage-k8s/0 -- curl -s -X POST http://bookinfo-details-k8s.bookinfo.svc.cluster.local:9080/details/1 -d '{}'

These issues can be solved with a service mesh. Below, we demonstrate this with Charmed Istio.

Step 6: Add Services to the Mesh

Deploy the istio-beacon-k8s charm and connect it to the bookinfo backend charms:

juju deploy istio-beacon-k8s --channel 2/edge --trust
juju integrate bookinfo-details-k8s istio-beacon-k8s
juju integrate bookinfo-reviews-k8s istio-beacon-k8s

With the above commands, the istio-beacon-k8s charm:

  • Adds the bookinfo-details-k8s and bookinfo-reviews-k8s charms to the Istio service mesh

  • Applies mTLS for the traffic between the services in the mesh

  • Applies a deny-by-default authorization policy which means traffic to anything on the mesh is denied unless explicitly allowed

Refresh the Bookinfo webpage in your browser - you’ll notice that the details section and the reviews section are no longer accessible because the bookinfo-productpage-k8s charm is not authorized to communicate with them.

Bookinfo application with authorization error

Add the bookinfo-productpage-k8s charm to the mesh to enable secure communication:

juju integrate bookinfo-productpage-k8s istio-beacon-k8s

The istio-beacon-k8s charm automatically creates authorization policies allowing bookinfo-productpage-k8s to access specific endpoints on the bookinfo-details-k8s and bookinfo-reviews-k8s charms via GET requests on port 9080. Read How to Add Mesh Support to your Charms for details on how to automate authorization policy creation in your own charms.

Refresh the application - the missing sections should now be available again. With these few commands, you have:

  • Secured the traffic between the services with mutual TLS (mTLS)

  • Specified authorization policies so that the services can communicate only along the allowed traffic routes

Verify the security configuration

With Charmed Istio authorization policies in place, access is now restricted.

  • The bookinfo-details-k8s charm allows access only to /health and /details/* endpoints for GET requests via port 9080 from authorized services

  • The bookinfo-reviews-k8s charm allows access only to /health and /reviews/* endpoints for GET requests via port 9080 from authorized services

Verify the security restrictions:

# These still work - authorized endpoints with GET method
juju exec -m bookinfo -u bookinfo-productpage-k8s/0 -- curl -s http://bookinfo-details-k8s.bookinfo.svc.cluster.local:9080/health
juju exec -m bookinfo -u bookinfo-productpage-k8s/0 -- curl -s http://bookinfo-details-k8s.bookinfo.svc.cluster.local:9080/details/1

# These are now blocked - unauthorized endpoint or method
juju exec -m bookinfo -u bookinfo-productpage-k8s/0 -- curl -s http://bookinfo-details-k8s.bookinfo.svc.cluster.local:9080/
juju exec -m bookinfo -u bookinfo-productpage-k8s/0 -- curl -s -X POST http://bookinfo-details-k8s.bookinfo.svc.cluster.local:9080/details/1 -d '{}'

Notice how the same commands that worked before are now properly restricted based on endpoint and HTTP method.
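The ad-hoc curl commands above (both the unrestricted set from before Step 6 and the restricted set here) can be turned into a single table-driven check that compares what the mesh actually does against the policy the tutorial describes. The script below is an added example written for this tutorial; it is not code from the Istio or Bookinfo charms. It assumes, as the tutorial does, that the probes run inside the productpage unit via juju exec, and it additionally assumes that a 2xx status means the request was allowed while a 403 or a failed connection (curl reports 000) means the mesh denied it. Its expected allow/deny table goes slightly beyond the tutorial's commands by also covering the reviews service and a DELETE method, using the same rules (GET only, /health and /details/* or /reviews/*, port 9080).

```shell
#!/bin/sh
# verify-mesh-policy.sh -- table-driven check of the Bookinfo authorization
# policy described in the tutorial. Added example, not part of the charms.
#
# Assumptions (not stated by the tutorial): the probe runs curl inside the
# productpage unit through `juju exec`; a 2xx status means the request was
# allowed; a 403 or a failed connection (curl prints 000) means it was denied.

MODEL="${MODEL:-bookinfo}"
UNIT="${UNIT:-bookinfo-productpage-k8s/0}"
PORT="${PORT:-9080}"

# policy_expects METHOD PATH SERVICE -> prints "allow" or "deny".
# Encodes the rules from the tutorial: only GET requests to /health and to
# /details/* (details) or /reviews/* (reviews) on port 9080 are allowed.
policy_expects() {
    method=$1; path=$2; service=$3
    [ "$method" = "GET" ] || { echo deny; return; }
    case "$service" in
        bookinfo-details-k8s) prefix=/details/ ;;
        bookinfo-reviews-k8s) prefix=/reviews/ ;;
        *) echo deny; return ;;
    esac
    case "$path" in
        /health)     echo allow ;;
        ${prefix}*)  echo allow ;;
        *)           echo deny ;;
    esac
}

# status_to_verdict HTTP_CODE -> prints "allow", "deny" or "unexpected".
status_to_verdict() {
    case "$1" in
        2[0-9][0-9]) echo allow ;;
        403|000)     echo deny ;;
        *)           echo unexpected ;;
    esac
}

# probe METHOD PATH SERVICE -> prints the HTTP status code observed from
# inside the productpage unit (000 when curl could not connect at all).
probe() {
    juju exec -m "$MODEL" -u "$UNIT" -- \
        curl -s -o /dev/null -w '%{http_code}' -X "$1" \
        "http://$3.$MODEL.svc.cluster.local:$PORT$2"
}

# check METHOD PATH SERVICE -> prints a PASS/FAIL line; returns 0 on PASS.
check() {
    expected=$(policy_expects "$1" "$2" "$3")
    code=$(probe "$1" "$2" "$3")
    got=$(status_to_verdict "$code")
    if [ "$got" = "$expected" ]; then
        printf 'PASS %-6s %-12s %-22s %s (%s)\n' "$1" "$2" "$3" "$got" "$code"
        return 0
    fi
    printf 'FAIL %-6s %-12s %-22s expected %s, got %s (%s)\n' \
        "$1" "$2" "$3" "$expected" "$got" "$code"
    return 1
}

# run_all -> probes every row of the table; returns 0 only if all rows pass.
run_all() {
    failures=0
    while read -r method path service; do
        check "$method" "$path" "$service" || failures=$((failures + 1))
    done <<EOF
GET    /health     bookinfo-details-k8s
GET    /details/1  bookinfo-details-k8s
GET    /           bookinfo-details-k8s
POST   /details/1  bookinfo-details-k8s
GET    /health     bookinfo-reviews-k8s
GET    /reviews/1  bookinfo-reviews-k8s
DELETE /reviews/1  bookinfo-reviews-k8s
EOF
    echo "$failures check(s) failed"
    [ "$failures" -eq 0 ]
}

# Only probe the cluster when executed as a script, not when sourced.
case "${0##*/}" in verify-mesh-policy.sh) run_all ;; esac
```

Save the file as verify-mesh-policy.sh and run `sh verify-mesh-policy.sh` from the machine that has the Juju client. After Step 6 every row should report PASS; run it before Step 6 and the rows that should be denied report FAIL, because without the mesh those requests still get through. A row reporting "unexpected" (for example a 404 or 500) means the request reached the backend and was answered by the application rather than blocked by the mesh, which is worth investigating separately from the authorization policy.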

Troubleshooting

If you encounter issues during the deployment:

  1. Check the status of all charms:

    juju status --integrations
    
  2. Verify the Istio components are running:

    kubectl get pods -n istio-system
    
  3. Check if the application pods are running:

    kubectl get pods -n bookinfo
    
  4. Review the Juju debug logs for any issues:

    juju debug-log --include istio-beacon-k8s
    

Summary

Congratulations! You’ve successfully:

  • Deployed Charmed Istio service mesh

  • Deployed the Charmed Bookinfo web application

  • Secured the application with mesh integration

  • Configured fine-grained authorization policies

Tip

If you’re planning to continue with the Use the Istio Mesh across different Juju models tutorial, keep both models running as it builds upon this deployment.

Teardown

To clean up the resources created in this tutorial, run:

juju destroy-model bookinfo
juju destroy-model istio-system

Next steps

To further explore Charmed Istio capabilities: