{"id":250,"date":"2023-11-27T20:52:00","date_gmt":"2023-11-27T20:52:00","guid":{"rendered":"http:\/\/blog.firatyasar.com\/?p=250"},"modified":"2024-03-27T21:08:42","modified_gmt":"2024-03-27T21:08:42","slug":"aks-istio-certmanager","status":"publish","type":"post","link":"https:\/\/blog.firatyasar.com\/?p=250","title":{"rendered":"AKS, Istio & CertManager"},"content":{"rendered":"\n

Bu makalede AKS \u00fczerinde Istio’yu nas\u0131l enable edece\u011finizi ve cert manager entegrasyonunu nas\u0131l yapaca\u011f\u0131n\u0131z\u0131 ele alaca\u011f\u0131m. Tenik i\u00e7erikli bir makale olacak, \u015fimdiden uyarm\u0131\u015f olay\u0131m \ud83d\ude42<\/p>\n\n\n\n

\u00d6ncelikle bir aks cluster olu\u015fturmak i\u00e7in gerekli olan resource group’u a\u015fa\u011f\u0131daki komutu kullanarak olu\u015ftural\u0131m.<\/p>\n\n\n\n

az group create --name azureservicemesh --location westeurope<\/code><\/pre>\n\n\n\n
AKS kurulumu i\u00e7in gerekli olan az komutunu a\u015fa\u011f\u0131daki gibi \u00e7al\u0131\u015ft\u0131rabiliriz.<\/p>\n\n\n\n
az aks create \\\r\n --location westeurope \\\r\n --name azureservicemesh \\\r\n --resource-group azureservicemesh \\\r\n --network-plugin azure  \\\r\n --kubernetes-version 1.28  \\\r\n --node-vm-size Standard_DS3_v2 \\\r\n --node-count 2 \\\r\n --auto-upgrade-channel rapid \\\r\n --node-os-upgrade-channel  NodeImage \\\r\n --enable-asm\r<\/code><\/pre>\n\n\n\n
Gerekli kubeconfig dosyas\u0131n\u0131 local config dosyam\u0131za yazmak i\u00e7in a\u015fa\u011f\u0131daki az komutunu \u00e7al\u0131\u015ft\u0131rmam\u0131z yeterli olacakt\u0131r.<\/p>\n\n\n\n
az aks get-credentials \\\r\n  --resource-group azureservicemesh \\\r\n  --name azureservicemesh \\\r\n  --overwrite-existing\r<\/code><\/pre>\n\n\n\n
AKS kurulumunun ard\u0131ndan sample bir application’\u0131 a\u015fa\u011f\u0131daki definition dosyas\u0131n\u0131 kullanarak deploy edelim.<\/p>\n\n\n\n
kubectl apply -f - <<EOF\r\n---\r\napiVersion: v1\r\nkind: Service\r\nmetadata:\r\n  name: echoserver\r\nspec:\r\n  ports:\r\n  - port: 8080\r\n    protocol: TCP\r\n    targetPort: 8080\r\n  selector:\r\n    run: echoserver\r\n---\r\napiVersion: apps\/v1\r\nkind: Deployment\r\nmetadata:\r\n  name: echoserver\r\nspec:\r\n  replicas: 1\r\n  selector:\r\n    matchLabels:\r\n      run: echoserver\r\n  template:\r\n    metadata:\r\n      labels:\r\n        run: echoserver\r\n    spec:\r\n      containers:\r\n      - name: echoserver\r\n        image: gcr.io\/google_containers\/echoserver:1.10\r\n        ports:\r\n        - containerPort: 8080\r\n        readinessProbe:\r\n          tcpSocket:\r\n            port: 8080\r\n          initialDelaySeconds: 6\r\n          periodSeconds: 10\r\n        resources:\r\n          requests:\r\n            memory: \"40Mi\"\r\n            cpu: \"20m\"\r\nEOF\r<\/code><\/pre>\n\n\n\n
Uygulama deployment i\u015fleminin ard\u0131ndan gerekli olan ingress konfig\u00fcrasyonu ile devam edebiliriz. \u00d6ncelikle istio ile kullan\u0131cak ingress class’\u0131m\u0131za ait objeyi olu\u015fturmam\u0131z gerekir. Bu sebeple a\u015fa\u011f\u0131daki definition file’\u0131n\u0131 cluster’\u0131m\u0131z \u00fczerinde apply edebiliriz.<\/p>\n\n\n\n
kubectl apply -f - <<EOF\r\n---\r\napiVersion: networking.k8s.io\/v1\r\nkind: IngressClass\r\nmetadata:\r\n  name: istio\r\nspec:\r\n  controller: istio.io\/ingress-controller\r\nEOF\r<\/code><\/pre>\n\n\n\n
Istio’yu helm arac\u0131l\u0131\u011f\u0131 ile deploy etmek i\u00e7in a\u015fa\u011f\u0131daki komutu \u00e7al\u0131\u015ft\u0131rmak yeterli olacakt\u0131r. Burada dikkat edilmesi gereken durum my-istio-ingress place holder’\u0131n\u0131 kendi dns’iniz ile de\u011fi\u015ftirmeniz gerekmektedir.<\/p>\n\n\n\n
kubectl create namespace istio-system\r\nhelm repo add istio https:\/\/istio-release.storage.googleapis.com\/charts\r\nhelm repo update\r\nhelm install istio-ingressgateway istio\/gateway \\\r\n  --set revision=asm-1-17 \\\r\n  --set service.annotations.\"service\\.beta\\.kubernetes\\.io\/azure-dns-label-name\"=my-istio-ingress \\\r\n  -n istio-system --wait\r<\/code><\/pre>\n\n\n\n
Bu i\u015flemin ard\u0131ndan gerekli olan ingress objesini daha \u00f6nce olu\u015fturmu\u015f oldu\u011funuz ingress class’\u0131 kullanarak olu\u015fturabilirsiniz.<\/p>\n\n\n\n
kubectl apply -f - <<EOF\r\n---\r\napiVersion: networking.k8s.io\/v1\r\nkind: Ingress\r\nmetadata:\r\n  name: echoserver\r\nspec:\r\n  ingressClassName: istio\r\n  rules:\r\n  - http:\r\n      paths:\r\n      - path: \/\r\n        pathType: Prefix\r\n        backend:\r\n          service:\r\n            name: echoserver\r\n            port:\r\n              number: 8080\r\nEOF\r<\/code><\/pre>\n\n\n\n
\u0130\u015flemlerin tamamlanmas\u0131n\u0131n ard\u0131ndan TLS sertifikas\u0131 entegrasyonu i\u00e7in certmanager kurulumu yapman\u0131z gerekir. Bu sebeple cluster \u00fczerine \u00f6ncelikle certmanager deployment’\u0131 yapmam\u0131z gerekir. Certmanager kurulumu i\u00e7in a\u015fa\u011f\u0131daki helm komut setini \u00e7al\u0131\u015ft\u0131rman\u0131z yeterli olacakt\u0131r.<\/p>\n\n\n\n
helm repo add jetstack https:\/\/charts.jetstack.io\r\nhelm repo update\r\nhelm upgrade cert-manager jetstack\/cert-manager \\\r\n    --install \\\r\n    --create-namespace \\\r\n    --wait \\\r\n    --namespace cert-manager \\\r\n    --set installCRDs=true\r<\/code><\/pre>\n\n\n\n
Kurulum ard\u0131ndan otomatik sertifika issue edilmesi i\u00e7in gerekli olan bir ka\u00e7 konfig\u00fcrasyon ad\u0131m\u0131n\u0131 a\u015fa\u011f\u0131daki definition’lar\u0131 apply ederek yapabilirsiniz.<\/p>\n\n\n\n
Replace example.com with a valid email\r\nkubectl apply -f - <<EOF\r\n---\r\napiVersion: cert-manager.io\/v1\r\nkind: ClusterIssuer\r\nmetadata:\r\n  name: letsencrypt-prod\r\nspec:\r\n  acme:\r\n    email: example@example.com\r\n    server: https:\/\/acme-v02.api.letsencrypt.org\/directory\r\n    privateKeySecretRef:\r\n      name: letsencrypt-prod-issuer-account-key\r\n    solvers:\r\n      - http01:\r\n          ingress:\r\n            class: istio\r\n---\r\napiVersion: cert-manager.io\/v1\r\nkind: Certificate\r\nmetadata:\r\n  name: echoserver-tls-secret\r\n  namespace: istio-system\r\nspec:\r\n  dnsNames:\r\n  - my-istio-ingress.eastus.cloudapp.azure.com\r\n  issuerRef:\r\n    group: cert-manager.io\r\n    kind: ClusterIssuer\r\n    name: letsencrypt-prod\r\n  secretName: echoserver-tls-secret\r\n---\r\napiVersion: networking.k8s.io\/v1\r\nkind: Ingress\r\nmetadata:\r\n  name: echoserver\r\nspec:\r\n  ingressClassName: istio\r\n  tls:\r\n    - hosts:\r\n        - my-istio-ingress.eastus.cloudapp.azure.com\r\n      secretName: echoserver-tls-secret\r\n  rules:\r\n  - host: my-istio-ingress.eastus.cloudapp.azure.com\r\n    http:\r\n      paths:\r\n      - path: \/\r\n        pathType: Prefix\r\n        backend:\r\n          service:\r\n            name: echoserver\r\n            port:\r\n              number: 8080\r\nEOF\r\n\r\n  annotations:\r\n    cert-manager.io\/cluster-issuer: letsencrypt-prod\r<\/code><\/pre>\n\n\n\n
Klasik olarak istio gateway entegrasyonunu bu \u015fekilde yapabilirsiniz. addon olarak aks \u00fczerine ekleme i\u015flemini di\u011fer makalede anlataca\u011f\u0131m.<\/p>\n\n\n\n
F\u0131rat<\/p>\n","protected":false},"excerpt":{"rendered":"
Bu makalede AKS \u00fczerinde Istio’yu nas\u0131l enable edece\u011finizi ve cert manager entegrasyonunu nas\u0131l yapaca\u011f\u0131n\u0131z\u0131 ele alaca\u011f\u0131m. Tenik i\u00e7erikli bir makale olacak, \u015fimdiden uyarm\u0131\u015f olay\u0131m \ud83d\ude42 \u00d6ncelikle bir aks cluster olu\u015fturmak i\u00e7in gerekli olan resource group’u a\u015fa\u011f\u0131daki komutu kullanarak olu\u015ftural\u0131m. AKS kurulumu i\u00e7in gerekli olan az komutunu a\u015fa\u011f\u0131daki gibi \u00e7al\u0131\u015ft\u0131rabiliriz. Gerekli kubeconfig dosyas\u0131n\u0131 local config dosyam\u0131za\u2026 Read More »<\/a><\/span><\/p>\n","protected":false},"author":1,"featured_media":251,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":[],"categories":[1],"tags":[5,96,98,95,97],"_links":{"self":[{"href":"https:\/\/blog.firatyasar.com\/index.php?rest_route=\/wp\/v2\/posts\/250"}],"collection":[{"href":"https:\/\/blog.firatyasar.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/blog.firatyasar.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/blog.firatyasar.com\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/blog.firatyasar.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=250"}],"version-history":[{"count":1,"href":"https:\/\/blog.firatyasar.com\/index.php?rest_route=\/wp\/v2\/posts\/250\/revisions"}],"predecessor-version":[{"id":252,"href":"https:\/\/blog.firatyasar.com\/index.php?rest_route=\/wp\/v2\/posts\/250\/revisions\/252"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/blog.firatyasar.com\/index.php?rest_route=\/wp\/v2\/media\/251"}],"wp:attachment":[{"href":"https:\/\/blog.firatyasar.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=250"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/blog.firatyasar.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=250"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/blog.firatyasar.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=250"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}