- `~/curiefense-helm`.
- `storage_class_name` in `~/curiefense-helm/curiefense-helm/curiefense/values.yaml`.
- `sudo usermod -aG docker $USER && newgrp docker`
- `screen` or `tmux`, and keep the following command running:
- `helm ls -a --all-namespaces` outputs nothing.
- `s3cfg.yaml`, with the contents below, replacing both occurrences of `BASE64_S3CFG` with the previously obtained base64 string:
- `gs.yaml`, with the contents below, replacing both occurrences of `BASE64_GS_PRIVATE_KEY` with the previously obtained base64 string:
- Set the `curieconf_manifest_url` variables in `curiefense-helm/curiefense/values.yaml` and `istio-helm/charts/gateways/istio-ingress/values.yaml` to the following URL: `gs://BUCKET_NAME/prod/manifest.json` (replace `BUCKET_NAME` with the actual name of the bucket).
- Set the `curiefense_bucket_type` variables in the same `values.yaml` files to `gs`.
- `miniocfg.yaml`, with the contents below, replacing both occurrences of `BASE64_MINIOCFG` with the previously obtained base64 string:
- `~/curiefense-helm/curiefense-helm/example-miniocfg.yaml`. It contains default credentials for minio that work with the minio installation provided in the Curiefense Helm charts (they are fine for a local test; any deployment that is reachable by others should use its own credentials).
- Set the `curieconf_manifest_url` variables in `curiefense-helm/curiefense/values.yaml` and `istio-helm/charts/gateways/istio-ingress/values.yaml` to the following URL: `minio://BUCKET_NAME/prod/manifest.json` (replace `BUCKET_NAME` with the actual name of the bucket; use `curiefense-minio-bucket` with the minio installation provided in the Curiefense Helm charts).
- Set the `curiefense_bucket_type` variables in the same `values.yaml` files to `minio`.
- A `hostPath` volume can be used. It is mounted at `/bucket` on the host machine, as well as in the relevant containers.
- Set the `curieconf_manifest_url` variables in `curiefense-helm/curiefense/values.yaml` and `istio-helm/charts/gateways/istio-ingress/values.yaml` to the following URL: `file:///bucket/prod/manifest.json`.
- Set the `curiefense_bucket_type` variables in the same `values.yaml` files to `local-bucket`.
- `uiserver-tls.yaml`, replacing `TLS_CERT_BASE64` with the base64-encoded PEM X.509 TLS certificate, and `TLS_KEY_BASE64` with the base64-encoded TLS key.
- `~/curiefense-helm/curiefense-helm/example-uiserver-tls.yaml`.
- `bookinfo`, which is deployed in the `default` Kubernetes namespace. Installation instructions are summarized below; more detailed instructions are available on the Istio website.
- The `istio-injection=enabled` label makes Istio automatically inject the necessary sidecars into applications deployed in the `default` namespace.
- `bookinfo` Pods are running (wait a bit if they are not):
- If you get `Could not resolve host: a6fdxxxxxxxxxxxxxxxxxxxxxxxxxxxx-xxxxxxxx.us-west-2.elb.amazonaws.com ...`, the ELB is not ready yet. Wait and retry until it becomes available (typically a few minutes).
- (named `curiefense-eks-...-Node`), select the "Security" pane, select the security group (named `eks-cluster-sg-curiefense-eks-[0-9]+`), then add the incoming rule.
- `bookinfo` sample app: the Book Review product page is now available on port 80 over HTTP and on port 30444 over HTTPS. Try reaching `http://IP/productpage`.
- `http://IP:30000/api/v1/`.
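Two steps on this page are "run it again until it settles" loops: waiting until `helm ls -a --all-namespaces` outputs nothing, and retrying the product page until the ELB hostname resolves. The helpers below are an added example, not code from the Curiefense docs or repository. They assume a POSIX `sh`, that `curl` is installed, and that `ELB_HOSTNAME` in the usage comment is replaced with the real load balancer hostname.

```shell
#!/bin/sh
# Added example (not part of the Curiefense project): polling helpers for the
# "wait and retry" steps in the Curiefense deployment instructions.

# wait_until_silent CMD MAX_ATTEMPTS [INTERVAL_SECONDS]
# Runs CMD repeatedly until it prints nothing on stdout, e.g.
# `helm ls -a --all-namespaces` after the old releases are gone.
# Returns 0 once the output is empty, 1 when MAX_ATTEMPTS is exhausted.
wait_until_silent() {
    cmd=$1; max=$2; interval=${3:-5}
    attempt=1
    while [ "$attempt" -le "$max" ]; do
        out=$(sh -c "$cmd" 2>/dev/null)
        if [ -z "$out" ]; then
            return 0
        fi
        printf 'attempt %s/%s: still have output from: %s\n' "$attempt" "$max" "$cmd" >&2
        attempt=$((attempt + 1))
        sleep "$interval"
    done
    return 1
}

# wait_until_reachable URL MAX_ATTEMPTS [INTERVAL_SECONDS]
# Retries an HTTP request until curl can resolve the host and get any answer.
# curl is used without -f on purpose: an HTTP 404 still means the ELB exists and
# answers, whereas exit code 6 ("Could not resolve host", the error quoted above)
# or 7 (could not connect) means the ELB is not ready yet.
wait_until_reachable() {
    url=$1; max=$2; interval=${3:-15}
    attempt=1
    while [ "$attempt" -le "$max" ]; do
        curl -s -o /dev/null --max-time 10 "$url"
        rc=$?
        if [ "$rc" -eq 0 ]; then
            return 0
        fi
        printf 'attempt %s/%s: curl exit %s for %s\n' "$attempt" "$max" "$rc" "$url" >&2
        attempt=$((attempt + 1))
        sleep "$interval"
    done
    return 1
}

# Command-line use (ELB_HOSTNAME is a placeholder for the real hostname):
#   ./wait.sh silent 'helm ls -a --all-namespaces' 60 5
#   ./wait.sh reach  'http://ELB_HOSTNAME/productpage' 40 15
case "${1:-}" in
    silent) shift; wait_until_silent "$@" ;;
    reach)  shift; wait_until_reachable "$@" ;;
esac
```

Both functions return a non-zero status when the limit is reached, so they can be used directly in a deployment script (`wait_until_silent 'helm ls -a --all-namespaces' 60 5 || exit 1`) instead of relying on a human to keep re-running the command.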
- `curiefense-admin`: confserver and UIServer.
- `curiefense-dashboards`: Grafana and Prometheus.
- `curiefense-log`: elasticsearch, filebeat, fluentd, kibana, logstash.
- `curiefense-proxy`: curielogger and redis.

`~/curiefense-helm/curiefense-helm/curiefense/values.yaml` can be modified or overridden to fit your deployment needs:

- The `images` section defines the Docker image names for each component. Override this if you want to host images on your own private registry.
- `storage_class_name` is the StorageClass used for dynamic provisioning of Persistent Volumes. It defaults to `null` (the default storage class, which works out of the box on EKS, GKE and minikube).
- The `..._storage_size` variables define the size of the persistent volumes. The defaults are fine for a test or small-scale deployment.
- `curieconf_manifest_url` is the URL of the AWS S3 or Google Cloud Storage bucket used to synchronize configurations between the `confserver` and the Curiefense Istio sidecars.
- `docker_tag` defines the image tag versions that should be used. `deploy.sh` overrides this to deploy a version that matches the current working directory, unless the `DOCKER_TAG` environment variable is set.

`~/curiefense-helm/istio-helm/charts/gateways/istio-ingress/`. Compared to the upstream Istio Kubernetes distribution, we add or change the following Pods:

- An `initContainer` called `curiesync-initialpull` has been added. It synchronizes the configuration before running Envoy.
- `curiesync` has been added. It periodically fetches the configuration that should be applied from an S3 or GS bucket (configurable with the `curieconf_manifest_url` variable) and makes it available to Envoy. This configuration is used by the Lua code that inspects traffic.
- `istio-proxy` now uses our custom Docker image, embedding our HTTP filter, written in Lua.
- An `EnvoyFilter` has been added. It forwards access logs to `curielogger` (see `curiefense_access_logs_filter.yaml`).
- An `EnvoyFilter` has been added. It runs Curiefense's Lua code to inspect incoming traffic on the Ingress Gateways (see `curiefense_lua_filter.yaml`).

`~/curiefense-helm/istio-helm/charts/gateways/istio-ingress/values.yaml` can be modified or overridden to fit your deployment needs:

- `gw_image` defines the name of the image that contains our filtering code and modified Envoy binary.
- `curiesync_image` defines the name of the image that contains the scripts that synchronize the local Envoy configuration with the AWS S3 bucket defined in `curieconf_manifest_url`.
- `curieconf_manifest_url` is the URL of the AWS S3 bucket used to synchronize configurations between the `confserver` and the Curiefense Istio sidecars.
- `curiefense_namespace` should contain the name of the namespace where the Curiefense components defined in `~/curiefense-helm/curiefense-helm/` are running.
- `redis_host` defines the hostname of the redis server that will be used by `curieproxy`. Defaults to the provided redis StatefulSet. Override this to replace the redis instance with one you supply.
- `initial_curieconf_pull` defines whether a configuration should be pulled from the AWS S3 bucket before running Envoy (`true`), or whether traffic should be allowed to flow with a default configuration until the next synchronization (typically every 10s). With the second option, requests that arrive before the first synchronization are handled by that default configuration rather than by the one in the bucket.