In this article, take a look at how to build modern applications using YugabyteDB and Istio.

Microservice architectures are becoming a de facto way for developers to think about how to build applications. But security remains a top concern for many organizations. Given the general trend of threat proliferation and the increase of privileged access points in production networks, it is increasingly necessary to adopt a zero-trust network security approach to microservice architectures.

One of the most common security approaches is to set up mTLS. While this is an important security tool, it is often difficult and time-consuming to administer. First, you must create, distribute, and rotate keys and certificates for a large number of services. Then, you need to ensure that mTLS is implemented correctly on all clients and servers. One of the compelling features of Istio is the ability to manage mTLS uniformly for all your services without sacrificing developer productivity. While YugabyteDB does provide its own TLS encryption, you can set up a simple and consistent policy by having a central tool such as the Istio service mesh manage certificate rotation automatically.

This tutorial focuses on how to deploy YugabyteDB using Istio mTLS to secure communication between services.

Getting started guide

We’ll be using Google Cloud and Google Kubernetes Engine (GKE) for this blog, although you can also run this setup on Minikube on your local machine.

  • gcloud

  • Google Kubernetes Engine

  • kubectl

  • Helm

  • Download YugabyteDB

Prerequisites

  • The YugabyteDB Helm chart has been tested with the following software versions:

  • Helm 3.0 or later.

  • YugabyteDB Docker image (yugabytedb/yugabyte) version 2.3.0 or later.

  • For best performance, make sure you have set the appropriate system limits using ulimit on each node of the Kubernetes cluster.

  • Istio 1.6 or later.

Prepare the cluster with Istio and Kiali

  • Go to the Istio release page to download the installation file for your operating system, or automatically download and extract the latest version (Linux or macOS):

  • For this installation, we use the demo configuration profile, which was chosen because it provides a good set of defaults for testing.

  • Install Kiali to visualize mesh traffic.

Deploy the YugabyteDB cluster with Helm

  • Install YugabyteDB using the Helm chart.

  • Make sure all pods are healthy and ready.

Peer Authentication Policy

  • Peer authentication policies are used to secure service-to-service communication by automating the generation, distribution, and rotation of certificates and keys.

  • In Istio, peer authentication policies have three levels of granularity at which mTLS settings can be defined: workload-specific, namespace-wide, and mesh-wide. For each workload, Istio applies the narrowest matching policy. In this demonstration, we will use a namespace-wide policy.

  • A namespace-wide PeerAuthentication policy affects all services in the namespace. The following policy sets the mTLS mode for all services to STRICT (workloads only accept mTLS traffic from each other).

  • Create a PeerAuthentication policy for the yb-demo namespace to enforce mTLS.

  • You can also set mTLS to PERMISSIVE, which accepts both encrypted and plain-text traffic.

  • PERMISSIVE mode is particularly useful when migrating to Istio, when there are still services that Istio (or mTLS) does not manage. With this setting, services outside the mesh can still communicate with services already in the mesh, which eases the migration to Istio.
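The two namespace-wide policies described above, written out as Istio manifests. This is an added example rather than the tutorial's own manifest; the namespace name yb-demo comes from the text, and the workload label app: legacy-client in the third policy is a hypothetical placeholder.

```yaml
# Namespace-wide STRICT policy: every sidecar in yb-demo accepts only mTLS.
# Istio honours a single namespace-wide PeerAuthentication per namespace;
# naming it "default" is the convention. Check the istio-system namespace
# too, because a mesh-wide policy there is the fallback for namespaces
# without their own policy.
apiVersion: security.istio.io/v1beta1
kind: PeerAuthentication
metadata:
  name: default
  namespace: yb-demo
spec:
  mtls:
    mode: STRICT
---
# Migration alternative: PERMISSIVE accepts both mTLS and plain text.
# Use this only while workloads without a sidecar still need to reach
# the database, then switch back to STRICT. (Applying both documents as
# written would make this one overwrite the STRICT policy above, since
# they share a name; keep only the one you intend.)
apiVersion: security.istio.io/v1beta1
kind: PeerAuthentication
metadata:
  name: default
  namespace: yb-demo
spec:
  mtls:
    mode: PERMISSIVE
---
# Narrower option: keep the namespace STRICT and relax a single port on
# one workload (selector label is a hypothetical placeholder). This limits
# the plain-text exposure to exactly the legacy path being migrated.
apiVersion: security.istio.io/v1beta1
kind: PeerAuthentication
metadata:
  name: legacy-client-port
  namespace: yb-demo
spec:
  selector:
    matchLabels:
      app: legacy-client
  mtls:
    mode: STRICT
  portLevelMtls:
    8080:
      mode: PERMISSIVE
```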

Destination rule

  • The DestinationRule object instructs the client sidecar to establish a mutual TLS connection to the target service using the mesh-issued certificate. A DestinationRule configures what happens to traffic destined for a given service.

  • We will create DestinationRule objects with the ISTIO_MUTUAL TLS mode for the yb-master and yb-tserver services.

  • Verify that the policies and destination rules are in place.
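The destination rules for the two YugabyteDB services, as an added example that is not part of the original tutorial. The host names yb-masters and yb-tservers in the yb-demo namespace are assumed service names; substitute the names your Helm release created.

```yaml
# Client-side counterpart of the STRICT PeerAuthentication: sidecars that
# call yb-masters originate mTLS with the certificate Istio issued them.
# ISTIO_MUTUAL tells Envoy to use the mesh CA's certs rather than a
# user-supplied key pair (which would be mode: MUTUAL).
apiVersion: networking.istio.io/v1alpha3
kind: DestinationRule
metadata:
  name: yb-masters
  namespace: yb-demo
spec:
  host: yb-masters.yb-demo.svc.cluster.local   # assumed service name
  trafficPolicy:
    tls:
      mode: ISTIO_MUTUAL
---
apiVersion: networking.istio.io/v1alpha3
kind: DestinationRule
metadata:
  name: yb-tservers
  namespace: yb-demo
spec:
  host: yb-tservers.yb-demo.svc.cluster.local  # assumed service name
  trafficPolicy:
    tls:
      mode: ISTIO_MUTUAL
# Caveat: a DestinationRule with tls.mode: DISABLE for one of these hosts
# would override Istio's automatic mTLS and make every call fail against
# the STRICT policy, so audit existing rules in the namespace before
# applying these.
```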

Deploy the sample application

Visualize mesh traffic using Kiali

  • At this point, our cluster is running a sample workload and has mTLS enabled for the namespace, so now let’s use the Kiali UI to visualize mesh traffic. Type the following command in a separate terminal window to start Kiali.

  • Once in the Kiali UI, browse the visualizations in the navigation pane. The focus of this tutorial is the graph view, where you can see the topology of the YugabyteDB services.

  • Open the graph view and select yb-demo in the namespace field, matching the Kubernetes namespace used in this tutorial. In the display drop-down list, enable the security badges and traffic animation options. You should see a view similar to this example:

  • Kiali has a useful security overlay in the graph: a lock icon is shown on each edge that carries an mTLS connection, so at a glance I can confirm that mTLS is enabled between the internal YugabyteDB master and tserver services, as well as between the sample application and the yb-tserver-service it connects to.

Conclusion

  • This tutorial discusses how YugabyteDB’s mutual TLS authentication works in an Istio service mesh environment. YugabyteDB’s cloud-native and developer-friendly architecture makes it well suited to Kubernetes-based orchestration, integrating seamlessly with the Kubernetes ecosystem. Now you can focus on building modern applications powered by distributed databases while shifting transport security concerns to Istio.
