I am trying to deploy the Istio Jaeger UI for distributed tracing. Currently I am using kubectl port forwarding with the command kubectl port-forward -n monitoring prometheus-prometheus-operator-prometheus-0 9090. But it runs on http://localhost:port, so how can I do it in production? Is there any other way to deploy it in production? And also, how can I make it run on https?
According to the documentation, Remotely Accessing Telemetry Addons, there are different ways to access telemetry.
The recommended way is to create secure access using https instead of http.
Note for both methods:
This option covers securing the transport layer only. You should also configure the telemetry addons to require authentication when exposing them externally.
Please note that Jaeger itself doesn't support authentication methods (github); a workaround using an Apache httpd server is described here.
With your requirements you can use Gateways (SDS) with self-signed certificates:
a.) Make sure that during the Istio installation you have enabled SDS at the ingress gateway with --set gateways.istio-ingressgateway.sds.enabled=true
and --set tracing.enabled=true
for tracing purposes.
b.) Create self-signed certificates for testing purposes; you can use this example and repository.
c.) Please follow Generate client and server certificates and keys and Configure a TLS ingress gateway using SDS.
Create a VirtualService and a Gateway:
apiVersion: networking.istio.io/v1alpha3
kind: Gateway
metadata:
  name: mygateway
spec:
  selector:
    istio: ingressgateway # use istio default ingress gateway
  servers:
  - port:
      number: 443
      name: https
      protocol: HTTPS
    tls:
      mode: SIMPLE
      credentialName: "httpbin-credential" # must be the same as the secret created in step 2.
    hosts:
    - "httpbin.example.com" ## You can apply "*" for all hosts
---
apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
  name: tracing
spec:
  hosts:
  - "httpbin.example.com" ## You can apply "*" for all hosts
  gateways:
  - mygateway
  http:
  - match:
    - port: 443
    route:
    - destination:
        port:
          number: 80
        host: tracing.istio-system.svc.cluster.local
curl -kvI https://xx.xx.xx.xx/
* Trying xx.xx.xx.xx...
* TCP_NODELAY set
* Connected to xx.xx.xx.xx (xx.xx.xx.xx) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* Cipher selection: ALL:!EXPORT:!EXPORT40:!EXPORT56:!aNULL:!LOW:!RC4:@STRENGTH
* successfully set certificate verify locations:
* CAfile: /etc/ssl/certs/ca-certificates.crt
CApath: /etc/ssl/certs
* TLSv1.2 (OUT), TLS header, Certificate Status (22):
* TLSv1.2 (OUT), TLS handshake, Client hello (1):
* TLSv1.2 (IN), TLS handshake, Server hello (2):
* TLSv1.2 (IN), TLS handshake, Certificate (11):
* TLSv1.2 (IN), TLS handshake, Server key exchange (12):
* TLSv1.2 (IN), TLS handshake, Server finished (14):
* TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
* TLSv1.2 (OUT), TLS change cipher, Client hello (1):
* TLSv1.2 (OUT), TLS handshake, Finished (20):
* TLSv1.2 (IN), TLS change cipher, Client hello (1):
* TLSv1.2 (IN), TLS handshake, Finished (20):
* SSL connection using TLSv1.2 / ECDHE-RSA-AES128-GCM-SHA256
* ALPN, server accepted to use h2
> HEAD / HTTP/1.1
> Host: xx.xx.xx.xx
> User-Agent: curl/7.52.1
> Accept: */*
>
* Connection state changed (MAX_CONCURRENT_STREAMS updated)!
< HTTP/2 200
HTTP/2 200
< content-type: text/html; charset=utf-8
content-type: text/html; charset=utf-8
< date: Thu, 07 Nov 2019 10:01:33 GMT
date: Thu, 07 Nov 2019 10:01:33 GMT
< x-envoy-upstream-service-time: 1
x-envoy-upstream-service-time: 1
< server: istio-envoy
server: istio-envoy
Hope this helps.
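As an added example (not part of the answer above or of the Istio project), the self-signed certificate step b.) carried out locally with openssl: it creates a throwaway CA, signs a server certificate for the host used in the Gateway, and checks the chain and host name before anything is loaded into the cluster. The host name httpbin.example.com, the output directory and the secret name httpbin-credential are assumptions taken from the manifests above; the kubectl command is only printed, not run, and production certificates should come from a real CA rather than this test CA.

```shell
#!/bin/sh
# Added example: local self-signed CA + server certificate for the SDS gateway.
# Assumptions: HOST matches the Gateway/VirtualService hosts; all files are
# written into the directory passed as the first argument (test data only).
set -eu

HOST="httpbin.example.com"   # assumed: same host as in the Gateway above

# make_certs DIR: write ca.crt/ca.key and server.crt/server.key into DIR
make_certs() {
  dir="$1"
  # Self-signed test CA (constructed, 1 year validity)
  openssl req -x509 -sha256 -nodes -days 365 -newkey rsa:2048 \
    -subj "/O=example Inc./CN=example.com" \
    -keyout "$dir/ca.key" -out "$dir/ca.crt" 2>/dev/null
  # Server key and CSR for the gateway host
  openssl req -new -sha256 -nodes -newkey rsa:2048 \
    -subj "/O=httpbin organization/CN=$HOST" \
    -keyout "$dir/server.key" -out "$dir/server.csr" 2>/dev/null
  # Browsers and curl check the SAN, not the CN, so add the host as a SAN
  printf 'subjectAltName=DNS:%s\n' "$HOST" > "$dir/san.ext"
  openssl x509 -req -sha256 -days 365 -set_serial 1 \
    -CA "$dir/ca.crt" -CAkey "$dir/ca.key" \
    -in "$dir/server.csr" -extfile "$dir/san.ext" \
    -out "$dir/server.crt" 2>/dev/null
}

# verify_chain DIR: succeeds only if server.crt chains to ca.crt and is valid for HOST
verify_chain() {
  dir="$1"
  openssl verify -CAfile "$dir/ca.crt" -verify_hostname "$HOST" "$dir/server.crt" >/dev/null
}

# secret_cmd DIR: print the kubectl command that stores the pair as the secret
# referenced by credentialName in the Gateway (printed, not executed here)
secret_cmd() {
  dir="$1"
  printf 'kubectl create -n istio-system secret tls httpbin-credential --key=%s --cert=%s\n' \
    "$dir/server.key" "$dir/server.crt"
}

# Usage: sh make-gateway-certs.sh run
if [ "${1:-}" = "run" ]; then
  out=$(mktemp -d)
  make_certs "$out"
  verify_chain "$out" && echo "chain OK for $HOST"
  secret_cmd "$out"
fi
```

Once the secret exists in istio-system, the same CA file can be passed to curl with --cacert instead of -k, so the check against the gateway also validates the certificate rather than skipping verification.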