OpenShift Service Mesh (Istio) Support

Deployed solutions designed and implemented with Financial Services Workbench now support OpenShift Service Mesh.

Prerequisites

  • Create certificates by using the following command:
    oc create secret tls istio-ingressgateway-certs --key tls.key --cert tls.crt -n istio-system
    Note: Make sure to update your certificates whenever they expire.

Enable OpenShift Service Mesh Support

OpenShift Service Mesh support can be enabled when a k5project is created. The additional setup steps are described below.

Step 1: Create an OpenShift project

Step 2: Assign permissions

Step 2 a): Create a service mesh member roll for the new project
  1. Switch to istio-system project: Home > Projects > istio-system
  2. Navigate to: Operators > Installed Operators > Red Hat OpenShift Service Mesh > Istio Service Mesh Member Roll

    Replace your-project with the name(s) of the created OpenShift project(s).

    apiVersion: maistra.io/v1
    kind: ServiceMeshMemberRoll
    metadata:
        name: default
        namespace: openshift-operators
    spec:
        members:
            - your-project
            - another-of-your-projects

Step 3: Create an instance of the custom resource k5project

Attention: When creating a new K5-project using the CRD, you must enable istio. strictMtls is optional, but we recommend enabling strictMtls mode for security reasons.

    istio:
        enabled: true
        strictMtls: true

Create a route for OpenShift Service Mesh

  1. Switch to istio-system project: Home > Projects > istio-system
  2. Navigate to: Administrator > Networking > Routes > Create Route
    1. Provide a name for the route.
    2. The hostname must have the following format: <k5-project-name>.<your suffix URL>
    3. Select istio-ingressgateway as the service.
    4. Select 443 -> 8443 (TCP) as the target port.
    5. Under Security, select the Secure route checkbox.
    6. Set TLS Termination to Passthrough.
    7. Click Create.
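
The console steps above correspond to the following Route manifest, which can be kept under version control and reviewed. This is an added example, not taken from the product documentation; the route name k5-project-route is a hypothetical placeholder and the host value must be replaced with your own.

```yaml
# Added example: declarative form of the route created in the console steps.
# "k5-project-route" is a hypothetical name; replace the host placeholder.
apiVersion: route.openshift.io/v1
kind: Route
metadata:
  name: k5-project-route
  namespace: istio-system
spec:
  # Format from the steps above: <k5-project-name>.<your suffix URL>
  host: "<k5-project-name>.<your suffix URL>"
  to:
    kind: Service
    name: istio-ingressgateway
  port:
    # Service port 443 maps to container port 8443 (TCP)
    targetPort: 8443
  tls:
    # Passthrough: the router forwards the encrypted connection unchanged,
    # so clients see the certificate served by istio-ingressgateway and the
    # router never holds the private key.
    termination: passthrough
```

Apply it with oc apply -f <file>. Because the router does not terminate TLS here, the certificate stored for the ingress gateway has to be valid for the route hostname.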

Create a webhook

  1. Switch to istio-system project: Home > Projects > istio-system
  2. Navigate to: Networking > Routes
  3. Search for the route created in the steps above, append /webhook to its URL, and use this modified URL to create the webhook.

    Example: https://<k5-project-name>.<your suffix URL>/webhook