maistra / maistra.github.io

This is the source for maistra.io.
http://www.maistra.io
Apache License 2.0

Bookinfo mutual TLS destination rules example #165

Open nicop311 opened 4 years ago

nicop311 commented 4 years ago

Hello, I am trying to do the Bookinfo example from Maistra documentation.

Under the section Add default destination rules, for the second case where I did enable mutual TLS: I think the actual oc command is missing.

It is written in the current doc:

destinationrule.networking.istio.io/productpage configured
destinationrule.networking.istio.io/reviews configured
destinationrule.networking.istio.io/ratings configured
destinationrule.networking.istio.io/details configured

Instead of (I assume it should be written):

oc -n ${BOOKINFO_NS} apply -f  https://raw.githubusercontent.com/maistra/istio/maistra-2.0/samples/bookinfo/networking/destination-rule-all-mtls.yaml

# result
destinationrule.networking.istio.io/productpage configured
destinationrule.networking.istio.io/reviews configured
destinationrule.networking.istio.io/ratings configured
destinationrule.networking.istio.io/details configured

I refer to the following repository: https://github.com/maistra/istio/tree/maistra-2.0/samples/bookinfo/networking

In this OpenShift 4.5 Doc, they suggest the following from maistra-1.1:

## If you enabled mutual TLS:

$ oc apply -n bookinfo -f https://raw.githubusercontent.com/Maistra/istio/maistra-1.1/samples/bookinfo/networking/destination-rule-all-mtls.yaml

Note the file destination-rule-all-mtls.yaml is the same for maistra-1.1 and maistra-2.0.

Mutual TLS Maistra Bookinfo example not working?

However, after I set the destination rules with the mTLS, I can still reach the Bookinfo service/web page through HTTP.

At this point, I was expecting to reach the Bookinfo page through HTTPS.

What am I missing?

oc -n ${BOOKINFO_NS} apply -f  https://raw.githubusercontent.com/maistra/istio/maistra-2.0/samples/bookinfo/networking/destination-rule-all-mtls.yaml

# result
destinationrule.networking.istio.io/productpage unchanged
destinationrule.networking.istio.io/reviews unchanged
destinationrule.networking.istio.io/ratings unchanged
destinationrule.networking.istio.io/details unchanged

curl -o /dev/null -s -w "%{http_code}\n" http://${GATEWAY_URL}/productpage

# result
200

Software version & environment

  Kernel Version:                         5.6.19-300.fc32.x86_64
  OS Image:                               Fedora CoreOS 32.20200629.3.0
  Operating System:                       linux
  Architecture:                           amd64
  Container Runtime Version:              cri-o://1.18.2
  Kubelet Version:                        v1.18.3
  Kube-Proxy Version:                     v1.18.3
Operator name                 Version   Vendor
Elastic Cloud on Kubernetes   1.2.1     provided by Elastic
Grafana Operator              3.5.0     provided by Red Hat
Community Jaeger Operator     1.19.0    provided by CNCF
Kiali Operator                1.22.0    provided by Kiali
Maistra Service Mesh          1.1.1     provided by Red Hat, Inc.

Other issue in the doc

I also think that there might be a mistake or a bug in how the spec.resources default values are dealt with. See this other issue about spec.resources.limits for Jaeger.
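As an added illustration (not part of this issue, the Maistra docs, or the sample files it references): the destination rules in destination-rule-all-mtls.yaml set tls.mode ISTIO_MUTUAL, which only tells sidecars to use mTLS between services inside the mesh; what an external client gets from the ingress gateway (plain HTTP or terminated HTTPS) is configured separately in the Gateway resource, so a 200 over HTTP at the gateway is expected until the Gateway itself carries a TLS server. The gateway name, hostname and the TLS Secret name below are assumptions.

```yaml
# Added example, not from the issue or the Maistra docs.
# 1. DestinationRule: mesh-internal mTLS only (what the sample file sets).
apiVersion: networking.istio.io/v1alpha3
kind: DestinationRule
metadata:
  name: productpage
spec:
  host: productpage
  trafficPolicy:
    tls:
      mode: ISTIO_MUTUAL   # sidecar-to-sidecar; no effect on external clients
---
# 2. Gateway: what external clients see. Port 443 terminates TLS with a
#    certificate from a Secret named bookinfo-credential (assumed name) in the
#    ingress gateway's namespace; port 80 answers with a redirect to HTTPS
#    instead of serving the page in clear text.
apiVersion: networking.istio.io/v1alpha3
kind: Gateway
metadata:
  name: bookinfo-gateway          # assumed to match the Bookinfo VirtualService
spec:
  selector:
    istio: ingressgateway
  servers:
  - port:
      number: 80
      name: http
      protocol: HTTP
    hosts:
    - "bookinfo.example.com"      # assumed hostname
    tls:
      httpsRedirect: true         # curl over http now gets 301, not 200
  - port:
      number: 443
      name: https
      protocol: HTTPS
    hosts:
    - "bookinfo.example.com"
    tls:
      mode: SIMPLE                # gateway terminates TLS for the browser
      credentialName: bookinfo-credential
```

With this applied, the curl from the issue against http://${GATEWAY_URL}/productpage returns a redirect rather than 200, and the page is served only on https://.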

nicop311 commented 4 years ago

Following my original Issue post, I found this Medium blog post by Gaurav Agarwal: Kubernetes Services over HTTPS With Istio’s Secure Gateways, and it features the Bookinfo example.

The aim of this Medium post is to explain how to (I quote) "Expose your microservices over TLS to the external world". I think that the Istio (and Maistra) documentation could use a little upgrade on the Bookinfo + TLS example. Indeed, in the Istio doc, you can find an example with TLS on httpbin, as well as various examples for EGRESS and INGRESS gateways using httpbin or sleep.

But it could be good to have an example with Bookinfo where you start by accessing the Bookinfo web page with HTTP. Then you play with the different versions of reviews (v1, v2, v3...) and destination rules. And then you do the same but over HTTPS instead.