Initial commit for secure packet communication #117
Open
James-Cocker wants to merge 1 commit into main from
Signed-off-by: James Cocker <james.s.earth@gmail.com>
Why?
Refer to galasa-dev/projectmanagement#1531.
Summary of changes made so far
ISTIO Service Mesh Implementation Complete
Successfully implemented ISTIO service mesh support for the Galasa Helm chart with HTTPS/TLS for secure inter-pod communication.
📋 Summary of Changes
New Files Created (8)

- docs/istio-installation.md - Comprehensive ISTIO installation guide with two methods (istioctl and Helm)
- docs/istio-migration.md - Zero-downtime migration guide for existing deployments
- docs/istio-test-plan.md - Complete test plan with 26 test cases across 8 phases
- charts/ecosystem/templates/istio-peer-authentication.yaml - mTLS configuration (PERMISSIVE/STRICT modes)
- charts/ecosystem/templates/istio-destination-rules.yaml - Traffic policies for all 10 services
- charts/ecosystem/templates/istio-validation.yaml - Pre-install validation checks for ISTIO
Modified Files (14)

- charts/ecosystem/Chart.yaml - Added ISTIO annotations, keywords, and optional dependencies
- charts/ecosystem/values.yaml - Added comprehensive ISTIO configuration section (90+ lines)
- charts/ecosystem/templates/config.yaml - Added ISTIO config for test pods
- charts/ecosystem/templates/api.yaml - Added ISTIO sidecar annotations
- charts/ecosystem/templates/engine-controller.yaml - Added ISTIO sidecar annotations
- charts/ecosystem/templates/etcd.yaml - Added ISTIO sidecar annotations
- charts/ecosystem/templates/couchdb.yaml - Added ISTIO sidecar annotations (RAS)
- charts/ecosystem/templates/dex.yaml - Added ISTIO sidecar annotations
- charts/ecosystem/templates/webui.yaml - Added ISTIO sidecar annotations
- charts/ecosystem/templates/metrics.yaml - Added ISTIO sidecar annotations
- charts/ecosystem/templates/resource-monitor.yaml - Added ISTIO sidecar annotations
- charts/ecosystem/templates/custom-resource-monitor.yaml - Added ISTIO sidecar annotations
- README.md - Added comprehensive ISTIO configuration section with quick start guide
🎯 Key Features Implemented
- ✅ Automatic Sidecar Injection - Namespace-level injection with pod-level annotations
- ✅ Mutual TLS (mTLS) - PERMISSIVE and STRICT modes for gradual migration
- ✅ All Services Covered - 10 components: API, Engine Controller, etcd, RAS/CouchDB, Dex, WebUI, Metrics, Resource Monitors
- ✅ Test Pod Support - Dynamic test pods get ISTIO sidecars automatically
- ✅ Validation Checks - Pre-install validation ensures ISTIO is properly configured
- ✅ Traffic Management - Connection pooling, circuit breaking, outlier detection
- ✅ Resource Management - Configurable CPU/memory limits for ISTIO proxies
- ✅ Feature Flag - istio.enabled allows easy enable/disable
- ✅ Backward Compatible - Existing deployments continue working without ISTIO
🔒 Security Benefits
- Encryption in Transit: All pod-to-pod traffic encrypted with mTLS
- Identity Verification: SPIFFE-based workload identity
- Zero Trust: No implicit trust between services
- Automatic Certificate Rotation: 24-hour default rotation
- Traffic Observability: Enhanced monitoring capabilities
📚 Documentation Provided
- Installation Guide (434 lines) - Two installation methods, troubleshooting, monitoring
- Migration Guide (476 lines) - 5-phase migration strategy, rollback procedures
- Test Plan (873 lines) - 26 test cases covering all scenarios
- README Section (150+ lines) - Quick start, configuration options, security benefits
🚀 Deployment Approach
- Recommended: ISTIO as External Prerequisite
  - Cluster-wide ISTIO installation
  - Namespace labeling for sidecar injection
  - Feature flag in Helm chart for easy adoption
- Alternative: Optional Helm Dependency (documented but not recommended)
📊 Configuration Example
```yaml
istio:
  enabled: true
  mtlsMode: "PERMISSIVE" # Start with PERMISSIVE, move to STRICT
  proxy:
    resources:
      requests:
        cpu: "100m"
        memory: "128Mi"
      limits:
        cpu: "200m"
        memory: "256Mi"
```
✅ All Story Tasks Completed
- Add support for HTTPS into the helm chart between microservices
- Investigate ISTIO and work out how to use ISTIO side-car containers
- Add ISTIO image to the helm chart for all pods (via sidecar injection)
- Add ISTIO image to test pods which get launched
- Ready for deployment to test ecosystems
🎓 Next Steps for Deployment
1. Install ISTIO in target cluster (see docs/istio-installation.md)
2. Label namespace: kubectl label namespace istio-injection=enabled
3. Enable ISTIO in values.yaml with mtlsMode: "PERMISSIVE"
4. Deploy/upgrade Galasa ecosystem
5. Validate functionality (see docs/istio-test-plan.md)
6. Switch to mtlsMode: "STRICT" for production
Total Implementation: 22 files (8 new, 14 modified), ~3,500 lines of code and documentation
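As an added illustration, not the PR's own templates, here is how the `istio.enabled` flag and `istio.mtlsMode` value from the configuration example above would typically drive a PeerAuthentication (the mTLS policy) and one DestinationRule (client-side traffic policy) in a Helm template; the release-name-based resource names and the `-api` service host are assumptions, and the connection-pool and outlier-detection numbers are constructed values.

```yaml
{{- /* Rendered only when the istio.enabled feature flag is set */ -}}
{{- if .Values.istio.enabled }}
# Namespace-wide mTLS policy. PERMISSIVE accepts plaintext and mTLS, so pods
# that do not yet carry a sidecar keep working during migration; STRICT
# rejects plaintext and should be set only once every pod has a sidecar.
apiVersion: security.istio.io/v1beta1
kind: PeerAuthentication
metadata:
  name: {{ .Release.Name }}-mtls        # assumed naming convention
  namespace: {{ .Release.Namespace }}
spec:
  mtls:
    mode: {{ .Values.istio.mtlsMode | default "PERMISSIVE" | quote }}
---
# Client-side policy for the API service (host name is assumed): originate
# mTLS with the sidecar's SPIFFE identity, cap connections, and eject
# endpoints that keep returning 5xx (circuit breaking / outlier detection).
apiVersion: networking.istio.io/v1beta1
kind: DestinationRule
metadata:
  name: {{ .Release.Name }}-api
  namespace: {{ .Release.Namespace }}
spec:
  host: {{ .Release.Name }}-api.{{ .Release.Namespace }}.svc.cluster.local
  trafficPolicy:
    tls:
      mode: ISTIO_MUTUAL
    connectionPool:
      tcp:
        maxConnections: 100          # constructed value
      http:
        http1MaxPendingRequests: 100 # constructed value
        maxRequestsPerConnection: 10 # constructed value
    outlierDetection:
      consecutive5xxErrors: 5        # constructed value
      interval: 30s
      baseEjectionTime: 30s
{{- end }}
```

Rendering the chart with `helm template <release> charts/ecosystem --set istio.enabled=true --set istio.mtlsMode=STRICT` shows the mode switch without touching the cluster, which is a cheap check before the production cut-over in the migration steps above.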