
[Request] Documentation on usage with istio // other service mesh #636

Open
grzesuav opened this issue Sep 4, 2024 · 3 comments
Labels
docs needs-triage Needs thorough attention from code reviewers question Further information is requested

Comments

@grzesuav

grzesuav commented Sep 4, 2024

Describe the feature

I would like to see in documentation/guide a setup for istio in both scenarios:

  1. cryostat being part of istio mesh
    1. requirements/setup for Cryostat JMX connection to work with target running inside istio mesh
    2. requirements/setup for Cryostat JMX connection to work with target running outside istio mesh
    3. requirement/setup for cryostat agent connection to cryostat (I guess connections is other way around in that scenario) with the JVM being inside the mesh
    4. requirement/setup for cryostat agent connection to cryostat (I guess connections is other way around in that scenario) with the JVM being outside the mesh
  2. cryostat being outside of istio mesh
    1. requirements/setup for Cryostat JMX connection to work with target running inside istio mesh
    2. requirement/setup for cryostat agent connection to cryostat (I guess connections is other way around in that scenario) with the JVM being inside the mesh

Any other information?

I can kind of get a way round 2.i. with

apiVersion: security.istio.io/v1beta1
kind: PeerAuthentication
metadata:
  name: name
  namespace: namespace
spec:
  mtls:
    mode: PERMISSIVE   # workload-wide: plaintext accepted on every port of the selected pods
  selector:
    matchLabels:
      app: {{ .Values.apps.service.name }}

but it is allowing all connections to target one, which is not desired.

I am experimenting with

apiVersion: security.istio.io/v1beta1
kind: PeerAuthentication
metadata:
  name: name
  namespace: namespace
spec:
  mtls:
    mode: UNSET
  portLevelMtls:
    "9091":
      mode: PERMISSIVE
  selector:
    matchLabels:
      app: {{ .Values.apps.service.name }}

but it is not working, not sure if this is because of a JMX-specific thing or some lack of istio configuration

@grzesuav grzesuav added feat New feature or request needs-triage Needs thorough attention from code reviewers labels Sep 4, 2024
@andrewazores andrewazores added question Further information is requested docs and removed feat New feature or request labels Sep 4, 2024
@grzesuav
Author

grzesuav commented Sep 6, 2024

I figured out a working config in my case -

apiVersion: security.istio.io/v1beta1
kind: PeerAuthentication
metadata:
  name: name
  namespace: namespace
spec:
  mtls:
    mode: STRICT       # mTLS required on every port by default
  portLevelMtls:
    "9091":
      mode: DISABLE    # plaintext only on the JMX port
  selector:
    matchLabels:
      app: {{ .Values.apps.service.name }}

@grzesuav
Author

grzesuav commented Sep 6, 2024

I am still wondering if cryostat can be inside of the istio mesh while it needs to communicate with pods by IP, and how it should be configured.

@andrewazores
Member

Sounds related, or becoming the same discussion as, #642 . I'll leave both open for now but it seems like the conversation will lead that way (Istio, or other service mesh, discovery plugin).
