How can I deploy Istio Jaeger UI tracing in production without using kubectl port forwarding

11/5/2019

I am trying to deploy Istio Jaeger UI for distributed tracing. Currently I am using kubectl port forwarding with the command kubectl port-forward -n monitoring prometheus-prometheus-operator-prometheus-0 9090. But it runs on http://localhost:port, so how can I do it in production? Is there any other way to deploy it in production? And also, how can I make it run on https?

--
distributed-tracing
istio
jaeger
kubernetes

1 Answer

11/7/2019

According to the documentation Remotely Accessing Telemetry Addons, there are different ways to access telemetry.

The recommended way is to create secure access using HTTPS instead of HTTP.

Note for both methods:

This option covers securing the transport layer only. You should also configure the telemetry addons to require authentication when exposing them externally.

Please note that Jaeger itself doesn't support authentication methods (github); a workaround using an Apache httpd server is described here.

  1. With your requirements you can use Gateways (SDS) with self-signed certificates:

    a.) Make sure that during Istio installation you have enabled SDS at the ingress gateway (--set gateways.istio-ingressgateway.sds.enabled=true) and --set tracing.enabled=true for tracing purposes.

    b.) Create self-signed certificates; for testing purposes you can use this example and repository.

    c.) Please follow Generate client and server certificates and keys and Configure a TLS ingress gateway using SDS.

  2. Create a VirtualService and Gateway:


apiVersion: networking.istio.io/v1alpha3
kind: Gateway
metadata:
  name: mygateway
spec:
  selector:
    istio: ingressgateway # use istio default ingress gateway
  servers:
  - port:
      number: 443
      name: https
      protocol: HTTPS
    tls:
      mode: SIMPLE
      credentialName: "httpbin-credential" # must be the same as the secret created in step 2.
    hosts:
    - "httpbin.example.com" ## You can apply "*" for all hosts
---
apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
  name: tracing
spec:
  hosts:
  - "httpbin.example.com" ## You can apply "*" for all hosts
  gateways:
  - mygateway
  http:
  - match:
    - port: 443
    route:
    - destination:
        port:
          number: 80
        host: tracing.istio-system.svc.cluster.local

curl -kvI https://xx.xx.xx.xx/
*   Trying xx.xx.xx.xx...
* TCP_NODELAY set
* Connected to xx.xx.xx.xx (xx.xx.xx.xx) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* Cipher selection: ALL:!EXPORT:!EXPORT40:!EXPORT56:!aNULL:!LOW:!RC4:@STRENGTH
* successfully set certificate verify locations:
*   CAfile: /etc/ssl/certs/ca-certificates.crt
  CApath: /etc/ssl/certs
* TLSv1.2 (OUT), TLS header, Certificate Status (22):
* TLSv1.2 (OUT), TLS handshake, Client hello (1):
* TLSv1.2 (IN), TLS handshake, Server hello (2):
* TLSv1.2 (IN), TLS handshake, Certificate (11):
* TLSv1.2 (IN), TLS handshake, Server key exchange (12):
* TLSv1.2 (IN), TLS handshake, Server finished (14):
* TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
* TLSv1.2 (OUT), TLS change cipher, Client hello (1):
* TLSv1.2 (OUT), TLS handshake, Finished (20):
* TLSv1.2 (IN), TLS change cipher, Client hello (1):
* TLSv1.2 (IN), TLS handshake, Finished (20):
* SSL connection using TLSv1.2 / ECDHE-RSA-AES128-GCM-SHA256

* ALPN, server accepted to use h2
> HEAD / HTTP/1.1
> Host: xx.xx.xx.xx
> User-Agent: curl/7.52.1
> Accept: */*
>
* Connection state changed (MAX_CONCURRENT_STREAMS updated)!
< HTTP/2 200
HTTP/2 200
< content-type: text/html; charset=utf-8
content-type: text/html; charset=utf-8
< date: Thu, 07 Nov 2019 10:01:33 GMT
date: Thu, 07 Nov 2019 10:01:33 GMT
< x-envoy-upstream-service-time: 1
x-envoy-upstream-service-time: 1
< server: istio-envoy
server: istio-envoy

Hope this helps

-- Hanx
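The certificate step (1.b) and its coupling to the Gateway's credentialName are where most first attempts at this setup go wrong, so here is an added, self-contained example (not code from the question, the answer, or the Istio project) that generates a private CA and a CA-signed server certificate for the host named in the manifests above, checks that the certificate chains to the CA and carries that host in its subjectAltName, and prints the command that would store it as the secret the Gateway references. It assumes openssl is on PATH; the host httpbin.example.com and the secret name httpbin-credential are taken from the answer's manifests, and WORKDIR is a constructed scratch directory. The generic-secret form with "key" and "cert" entries is the one the SDS ingress documentation of that Istio generation used; it is printed rather than run because no cluster is assumed.

```shell
#!/bin/sh
# Added example, not code from the original question or answer.
# Generates the self-signed CA and server certificate that step 1.b calls for,
# verifies the result, and prints the kubectl command for the credentialName secret.
# Assumptions: openssl on PATH; HOST/SECRET_NAME from the answer's manifests;
# WORKDIR is a constructed scratch directory.
set -eu

HOST="${HOST:-httpbin.example.com}"
SECRET_NAME="${SECRET_NAME:-httpbin-credential}"
WORKDIR="${WORKDIR:-$(mktemp -d)}"

# make_certs HOST DIR: private CA plus a CA-signed server certificate for HOST.
make_certs() {
  host="$1"; dir="$2"
  # Private CA. Its key stays with the operator; only the CA cert is handed to clients.
  openssl req -x509 -sha256 -nodes -days 365 -newkey rsa:2048 \
    -subj "/O=example Inc./CN=example.com" \
    -keyout "$dir/example.com.key" -out "$dir/example.com.crt" 2>/dev/null
  # Server key and CSR for the host listed in the Gateway and VirtualService.
  openssl req -sha256 -nodes -newkey rsa:2048 \
    -subj "/CN=$host/O=httpbin organization" \
    -keyout "$dir/$host.key" -out "$dir/$host.csr" 2>/dev/null
  # A subjectAltName, so clients that validate by SAN rather than CN accept the cert.
  printf 'subjectAltName=DNS:%s\n' "$host" > "$dir/san.ext"
  openssl x509 -req -sha256 -days 365 -set_serial 1 \
    -CA "$dir/example.com.crt" -CAkey "$dir/example.com.key" \
    -extfile "$dir/san.ext" -in "$dir/$host.csr" -out "$dir/$host.crt" 2>/dev/null
}

# verify_cert HOST DIR: returns 0 only if the server cert chains to the private CA
# and names HOST in its subjectAltName.
verify_cert() {
  host="$1"; dir="$2"
  openssl verify -CAfile "$dir/example.com.crt" "$dir/$host.crt" >/dev/null 2>&1 || return 1
  openssl x509 -in "$dir/$host.crt" -noout -text | grep -q "DNS:$host"
}

# secret_command HOST DIR: prints the command that creates the secret in istio-system
# under the name the Gateway's credentialName refers to (generic secret, keys "key"
# and "cert"). Printed only; running it requires a cluster.
secret_command() {
  host="$1"; dir="$2"
  printf 'kubectl create -n istio-system secret generic %s --from-file=key=%s --from-file=cert=%s\n' \
    "$SECRET_NAME" "$dir/$host.key" "$dir/$host.crt"
}

make_certs "$HOST" "$WORKDIR"
verify_cert "$HOST" "$WORKDIR"
echo "certificate for $HOST verified against $WORKDIR/example.com.crt"
secret_command "$HOST" "$WORKDIR"
```

Two things the block makes visible that the curl transcript above hides: the answer's curl uses -k because the client has no reason to trust the private CA, and a proper check is curl --cacert "$WORKDIR/example.com.crt" --resolve httpbin.example.com:443:xx.xx.xx.xx https://httpbin.example.com/, which only succeeds if the SAN matches; and the secret name passed to kubectl must be byte-for-byte the credentialName in the Gateway, otherwise the ingress gateway has no certificate to serve and the TLS handshake fails.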
Source: StackOverflow