{"id":17143174,"url":"https://github.com/debianmaster/istio-test1","last_synced_at":"2025-07-16T08:11:05.578Z","repository":{"id":150499148,"uuid":"142953556","full_name":"debianmaster/istio-test1","owner":"debianmaster","description":"Generated by the Red Hat Developer Launch (https://developers.redhat.com/launch)","archived":false,"fork":false,"pushed_at":"2018-07-31T02:46:35.000Z","size":15,"stargazers_count":0,"open_issues_count":0,"forks_count":0,"subscribers_count":1,"default_branch":"master","last_synced_at":"2025-03-24T09:28:37.465Z","etag":null,"topics":[],"latest_commit_sha":null,"homepage":"","language":"Java","has_issues":false,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":null,"status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/debianmaster.png","metadata":{"files":{"readme":"README.adoc","changelog":null,"contributing":null,"funding":null,"license":null,"code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2018-07-31T02:46:29.000Z","updated_at":"2018-07-31T02:46:36.000Z","dependencies_parsed_at":"2023-07-29T00:15:08.950Z","dependency_job_id":null,"html_url":"https://github.com/debianmaster/istio-test1","commit_stats":null,"previous_names":[],"tags_count":0,"template":false,"template_full_name":null,"purl":"pkg:github/debianmaster/istio-test1","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/debianmaster%2Fistio-test1","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/debianmaster%2Fistio-test1/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/debianmaster%2Fistio-test1/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/debianmaster%2Fistio-test1/manifests","owner_url":"https://repos.ecosyste.ms/api/v
1/hosts/GitHub/owners/debianmaster","download_url":"https://codeload.github.com/debianmaster/istio-test1/tar.gz/refs/heads/master","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/debianmaster%2Fistio-test1/sbom","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":265495460,"owners_count":23776633,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":[],"created_at":"2024-10-14T20:33:54.856Z","updated_at":"2025-07-16T08:11:05.556Z","avatar_url":"https://github.com/debianmaster.png","language":"Java","funding_links":[],"categories":[],"sub_categories":[],"readme":"= Istio Security Mission\n\n== Purpose\nShowcase Istio TLS and ACL via a set of Spring Boot applications.\n\n== Prerequisites\n. Openshift 3.9 cluster\n. Istio 0.7.1 with authentication installed on the aforementioned cluster. To install Istio simply follow one of the following docs:\n.. https://istio.io/docs/setup/kubernetes/quick-start.html\n.. https://istio.io/docs/setup/kubernetes/ansible-install.html\n. Enable automatic sidecar injection for Istio (See https://istio.io/docs/setup/kubernetes/sidecar-injection.html[this] for details)\n+\nIn order for Istio automatic sidecar injection to work properly, the following Istio configuration needs to be in place:\n+\n.. The `policy` field is set to `disabled` in the `istio-inject` configmap  of the `istio-system` namespace.\n   This can be checked by inspecting the output of\n\n   oc get configmap istio-inject -o jsonpath='{.data.config}' -n istio-system | grep policy\n   \n.. 
The `istio-sidecar-injector` `MutatingWebhookConfiguration` should not limit the injection to properly labeled namespaces.\n   If Istio was installed using the default settings, then make sure the output of\n\n   oc get MutatingWebhookConfiguration istio-sidecar-injector -o jsonpath='{.webhooks[0].namespaceSelector}' -n istio-system\n+\nis empty. It is advised, however, that you inspect the output of\n\n   oc get MutatingWebhookConfiguration istio-sidecar-injector -o yaml\n+\nto make sure that no other \"filters\" have been applied.\n\n. Expose services and Istio ingress:\n+\n```\noc expose svc istio-ingress -n istio-system\n```\n. Log in to the cluster with the admin user\n\n== Environment preparation\n\nCreate a new project/namespace on the cluster. This is where your application will be deployed.\n\n```bash\noc new-project \u003cwhatever valid project name you want\u003e\n```\n\n== Build and deploy the application\n=== With Fabric8 Maven Plugin (FMP)\nExecute the following command to build the project and deploy it to OpenShift:\n```bash\nmvn clean package fabric8:deploy -Popenshift\n```\nConfiguration for FMP may be found both in pom.xml and `src/main/fabric8` files/folders.\n\nThis configuration is used to define service names and deployments that control how pods are labeled/versioned on the OpenShift cluster.\n\n=== With Source to Image build (S2I)\nRun the following commands to apply and execute the OpenShift templates that will configure and deploy the applications:\n```bash\nfind . 
| grep openshiftio | grep application | xargs -n 1 oc apply -f\n\noc new-app --template=spring-boot-istio-security-name -p SOURCE_REPOSITORY_URL=https://github.com/snowdrop/spring-boot-istio-security-booster -p SOURCE_REPOSITORY_REF=master -p SOURCE_REPOSITORY_DIR=spring-boot-istio-security-name\noc new-app --template=spring-boot-istio-security-greeting -p SOURCE_REPOSITORY_URL=https://github.com/snowdrop/spring-boot-istio-security-booster -p SOURCE_REPOSITORY_REF=master -p SOURCE_REPOSITORY_DIR=spring-boot-istio-security-greeting\n```\n\n= Use Cases\n== Scenario #1. Mutual TLS\n\nThis scenario demonstrates mutual transport-level security between the services.\n\n1. Open the booster’s web page via the Istio ingress route\n+\n```bash\necho http://$(oc get route istio-ingress -o jsonpath='{.spec.host}{\"\\n\"}' -n istio-system)/\n```\n1. \"Hello, World!\" should be returned after invoking the `greeting` service.\n1. Now modify the `greeting` deployment to disable sidecar injection by setting all `sidecar.istio.io/inject` values to `false`\n+\n```bash\noc edit deploymentconfigs/spring-boot-istio-security-greeting\n```\n1. Open the booster’s web page via the `greeting` service’s route\n+\n```bash\necho http://$(oc get route spring-boot-istio-security-greeting -o jsonpath='{.spec.host}{\"\\n\"}' -n $(oc project -q))/\n```\n1. The `greeting` service invocation will fail with a reset connection, because the `greeting` service has to be inside the service mesh in order to access the `name` service.\n1. Clean up by setting the `sidecar.istio.io/inject` values to `true`\n+\n```bash\noc edit deploymentconfigs/spring-boot-istio-security-greeting\n```\n\n== Scenario #2. Access control\n\nThis scenario demonstrates access control when using mutual TLS. In order to access the `name` service, the calling service has to have a specific label and service account name.\n\n1. 
Open the booster’s web page via Istio ingress route\n+\n```bash\necho http://$(oc get route istio-ingress -o jsonpath='{.spec.host}{\"\\n\"}' -n istio-system)/\n```\n1. \"Hello, World!\" should be returned after invoking `greeting` service.\n1. Configure Istio Mixer to block `greeting` service from accessing `name` service\n+\n```bash\noc apply -f rules/block-greeting-service.yml\n```\n1. `Greeting` service invocations to the `name` service will be forbidden.\n1. Configure Istio Mixer to only allow requests from `greeting` service and with `sa-greeting` service account to access `name` service\n+\n```bash\noc apply -f \u003c(sed -e \"s/TARGET_NAMESPACE/$(oc project -q)/g\" rules/require-service-account-and-label.yml)\n```\n1. \"Hello, World!\" should be returned after invoking `greeting` service.\n1. Cleanup\n+\n```bash\noc delete -f rules/require-service-account-and-label.yml\n```\n\n== Undeploy the application\n\n=== With Fabric8 Maven Plugin (FMP)\n```bash\nmvn fabric8:undeploy\n```\n\n=== With Source to Image build (S2I)\n```bash\noc delete all --all\nfind . | grep openshiftio | grep application | xargs -n 1 oc delete -f\n```\n\n=== Remove the namespace\nThis will delete the project from the OpenShift cluster\n```bash\noc delete project \u003cyour project name\u003e\n```\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fdebianmaster%2Fistio-test1","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fdebianmaster%2Fistio-test1","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fdebianmaster%2Fistio-test1/lists"}