cryostatio / cryostat

Secure JDK Flight Recorder management for containerized JVMs
https://cryostat.io

[Request] Documentation on usage with istio // other service mesh #636

Open grzesuav opened 2 months ago

grzesuav commented 2 months ago

Describe the feature

I would like to see in the documentation/guide a setup for Istio in both scenarios:

  1. Cryostat being part of the Istio mesh
    1. requirements/setup for the Cryostat JMX connection to work with a target running inside the Istio mesh
    2. requirements/setup for the Cryostat JMX connection to work with a target running outside the Istio mesh
    3. requirements/setup for the Cryostat agent connection to Cryostat (I guess the connection is the other way around in that scenario) with the JVM being inside the mesh
    4. requirements/setup for the Cryostat agent connection to Cryostat (I guess the connection is the other way around in that scenario) with the JVM being outside the mesh
  2. Cryostat being outside of the Istio mesh
    1. requirements/setup for the Cryostat JMX connection to work with a target running inside the Istio mesh
    2. requirements/setup for the Cryostat agent connection to Cryostat (I guess the connection is the other way around in that scenario) with the JVM being inside the mesh

Any other information?

I can kind of get a way round 2.i. with

apiVersion: security.istio.io/v1beta1
kind: PeerAuthentication
metadata:
  name: name
  namespace: namespace
spec:
  mtls:
    mode: PERMISSIVE
  selector:
    matchLabels:
      app: {{ .Values.apps.service.name }}

but it allows all connections to the target one, which is not desired.

I am experimenting with

apiVersion: security.istio.io/v1beta1
kind: PeerAuthentication
metadata:
  name: name
  namespace: namespace
spec:
  mtls:
    mode: UNSET
  portLevelMtls:
    "9091":
      mode: PERMISSIVE
  selector:
    matchLabels:
      app: {{ .Values.apps.service.name }}

but it is not working; not sure if this is because of some JMX-specific thing or some lack of Istio configuration.

grzesuav commented 2 months ago

I figured out a working config in my case:

apiVersion: security.istio.io/v1beta1
kind: PeerAuthentication
metadata:
  name: name
  namespace: namespace
spec:
  mtls:
    mode: STRICT
  portLevelMtls:
    "9091":
      mode: DISABLE
  selector:
    matchLabels:
      app: {{ .Values.apps.service.name }}
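An offline check of the three PeerAuthentication policies posted in this thread, added here as an example and not part of the issue, Cryostat or Istio: it reports which ports a policy leaves open to non-mTLS traffic and whether the policy has the "STRICT for the workload, exception only on the JMX port" shape. The Istio mode semantics described in the docstring and the `target-app` label value (standing in for the Helm-templated name) are assumptions.

```python
"""Offline check of Istio PeerAuthentication policies for the shape this thread
ends with: mTLS STRICT for the workload, relaxed on the JMX port only. Added
example, not Cryostat or Istio code; policies are constructed dict equivalents
of the thread's YAML, with a placeholder "app" label value."""
from typing import Dict, Set

JMX_PORT = "9091"   # JMX target port used in the thread
ALL_PORTS = "*"     # sentinel meaning "every port of the workload"

def relaxed_ports(policy: Dict) -> Set[str]:
    """Ports on which the sidecar would accept non-mTLS (plaintext) traffic.

    Assumed Istio semantics: workload-wide PERMISSIVE or DISABLE relaxes every
    port; portLevelMtls entries override the workload mode for their port only;
    UNSET inherits the namespace/mesh default, which an offline check cannot
    see, so it is conservatively treated as a workload-wide relaxation.
    """
    spec = policy.get("spec", {})
    workload_mode = spec.get("mtls", {}).get("mode", "UNSET")
    port_modes = {str(p): c.get("mode") for p, c in spec.get("portLevelMtls", {}).items()}
    relaxed = {p for p, m in port_modes.items() if m in ("PERMISSIVE", "DISABLE")}
    if workload_mode != "STRICT":
        relaxed.add(ALL_PORTS)
    return relaxed

def jmx_only_exception(policy: Dict, jmx_port: str = JMX_PORT) -> bool:
    """True iff the policy is scoped to one workload via a selector, is STRICT
    everywhere else, and the JMX port is the only non-mTLS port."""
    has_selector = bool(policy.get("spec", {}).get("selector", {}).get("matchLabels"))
    return has_selector and relaxed_ports(policy) == {jmx_port}

def _policy(mtls_mode: str, port_level: Dict[str, str]) -> Dict:
    """Build a PeerAuthentication dict mirroring the thread's YAML layout."""
    return {
        "apiVersion": "security.istio.io/v1beta1",
        "kind": "PeerAuthentication",
        "metadata": {"name": "name", "namespace": "namespace"},
        "spec": {
            "mtls": {"mode": mtls_mode},
            "portLevelMtls": {p: {"mode": m} for p, m in port_level.items()},
            "selector": {"matchLabels": {"app": "target-app"}},  # placeholder label
        },
    }

# The three policies from the thread, in posting order.
WORKAROUND = _policy("PERMISSIVE", {})                 # first: every port plaintext-capable
EXPERIMENT = _policy("UNSET", {"9091": "PERMISSIVE"})  # second: reported as not working
WORKING = _policy("STRICT", {"9091": "DISABLE"})       # third: the author's working config
```

Note that DISABLE on 9091 means the sidecar performs no mTLS on that port at all, so the JMX connection then relies on the JVM's own JMX authentication and TLS settings rather than on the mesh.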

grzesuav commented 2 months ago

I am still wondering if Cryostat can be inside of the Istio mesh while it needs to communicate with pods by IP, and how it should be configured.

andrewazores commented 2 months ago

Sounds related, or becoming the same discussion as, #642. I'll leave both open for now, but it seems like the conversation will lead that way (Istio, or other service mesh, discovery plugin).