Exposing the Dashboard

By default, Service Mesh Manager relies on the built-in authentication and proxying capabilities of Kubernetes to let users access the Dashboard. In some cases, it makes sense to allow developers to access the Dashboard via a public URL, for example to make distributing the Service Mesh Manager client binaries easier.

You can download the Service Mesh Manager client binaries from the login page, using its Download the CLI link.

Alternatively, the deployment can use an OIDC-compliant external provider for authentication, so that users do not need to download and install the CLI binary at all.

Expose the dashboard

While planning to expose the dashboard, consider the following:

  1. Does the Kubernetes cluster running Service Mesh Manager support LoadBalancer typed services natively? If not, see exposing via NodePort.
  2. Where to terminate the TLS connections? (Should it be terminated by Istio inside the cluster, or should it be terminated by an external LoadBalancer?)
  3. How to manage the TLS certificate for the dashboard? (Do you want to use Let’s Encrypt for certificates, or does your organization have its own certificate authority?)

For some of the examples, we assume that the external-dns controller is installed and functional on the cluster. If it is not, create the required DNS record manually, pointing at the external address of your deployment.

The following scenarios cover the common combinations of answers to these questions.

Expose using a LoadBalancer and Let’s Encrypt

In this scenario, we assume that:

  1. Your Kubernetes cluster supports LoadBalancer typed services to expose services externally.
  2. You use Istio to terminate the TLS connections inside the cluster.
  3. You want to use Let’s Encrypt to manage the certificates.
  4. External-dns is operational on the cluster.

The dashboard will be exposed on the domain name smm.example.org. To expose Service Mesh Manager on that URL, add the following to the smm ControlPlane resource:

cat > enable-dashboard-expose.yaml <<EOF
spec:
  smm:
    exposeDashboard:
      meshGateway:
        enabled: true
        service:
          annotations:
            external-dns.alpha.kubernetes.io/hostname: smm.example.org.
        tls:
          enabled: true
          letsEncrypt:
            dnsNames:
            - smm.example.org
            enabled: true
            # server: https://acme-staging-v02.api.letsencrypt.org/directory
EOF
kubectl patch controlplane --type=merge --patch "$(cat enable-dashboard-expose.yaml)" smm
  • If you are using Service Mesh Manager in Operator Mode, then the Istio deployment is updated automatically.
  • If you are using the imperative mode, run the smm operator reconcile command to apply the changes.

The dashboard is now available on the https://smm.example.org/ URL.

Note: When external-dns is not present on the cluster, make sure that the DNS name of the dashboard (smm.example.org in this example) points at the external IP address or hostname of the MeshGateway service. Otherwise, Let’s Encrypt cannot validate the domain and the Certificate requests fail. To check the IP address or hostname of the service, run the kubectl get service smm-ingressgateway-external --namespace smm-system command. The output should be similar to:

NAME                          TYPE           CLUSTER-IP      EXTERNAL-IP                                                               PORT(S)                                      AGE
smm-ingressgateway-external   LoadBalancer   10.10.157.144   afd8bac546b1e46faab0e284fa0dc5da-580525876.eu-north-1.elb.amazonaws.com   15021:30566/TCP,80:32436/TCP,443:30434/TCP   20h
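The following script is an added example (not part of Service Mesh Manager) that performs the two checks a practitioner wants after applying the patch above: that the dashboard name really resolves to the external address of the MeshGateway service, and that the certificate the gateway serves was issued by the production Let’s Encrypt CA rather than the staging one named in the commented-out server line. It assumes the names used on this page (smm.example.org, smm-ingressgateway-external, smm-system), that kubectl, dig and openssl are on the PATH, and uses a RUN_LIVE variable of its own to keep the network-dependent part opt-in; the table and DNS answers in the comments are constructed sample data.

```bash
#!/usr/bin/env bash
# Added example, not Service Mesh Manager code: post-exposure checks for the
# Let's Encrypt scenario. Names below are assumptions taken from the page.
set -u

DASHBOARD_HOST="${DASHBOARD_HOST:-smm.example.org}"
SVC_NAME="${SVC_NAME:-smm-ingressgateway-external}"
SVC_NS="${SVC_NS:-smm-system}"

# Print the EXTERNAL-IP column for the named service from `kubectl get service`
# table output supplied on stdin (the same table layout shown on this page).
lb_address_from_table() {
  awk -v name="$1" 'NR > 1 && $1 == name { print $4 }'
}

# dns_matches_lb ANSWER LB_ADDRESS
# ANSWER is `dig +short` output for the dashboard host, one record per line
# (a CNAME chain followed by A records). Succeeds when the LB hostname or IP
# appears in the answer, i.e. the record external-dns should have created exists.
dns_matches_lb() {
  local answer="$1" lb="${2%.}"   # drop the trailing dot of an FQDN
  printf '%s\n' "$answer" | sed 's/\.$//' | grep -qxF -- "$lb"
}

# cert_issuer_ok ISSUER_LINE
# ISSUER_LINE is `openssl x509 -noout -issuer` output. Succeeds only for the
# production Let's Encrypt CA: the staging CA (the commented-out `server:` in
# the patch) issues certificates that browsers reject.
cert_issuer_ok() {
  case "$1" in
    *STAGING*) return 1 ;;
    *"Let's Encrypt"*) return 0 ;;
    *) return 1 ;;
  esac
}

# Live checks; opt-in (RUN_LIVE=1) so the script is harmless without cluster access.
run_live_checks() {
  local lb answer issuer rc=0
  lb=$(kubectl get service "$SVC_NAME" -n "$SVC_NS" | lb_address_from_table "$SVC_NAME")
  answer=$(dig +short "$DASHBOARD_HOST")
  if dns_matches_lb "$answer" "$lb"; then
    echo "ok: $DASHBOARD_HOST resolves to $lb"
  else
    echo "FAIL: $DASHBOARD_HOST does not resolve to $lb (got: ${answer:-nothing});" \
         "certificate requests will fail" >&2
    rc=1
  fi
  issuer=$(openssl s_client -connect "$DASHBOARD_HOST:443" -servername "$DASHBOARD_HOST" \
             </dev/null 2>/dev/null | openssl x509 -noout -issuer)
  if cert_issuer_ok "$issuer"; then
    echo "ok: certificate issued by $issuer"
  else
    echo "FAIL: unexpected or staging issuer: ${issuer:-no certificate served}" >&2
    rc=1
  fi
  return "$rc"
}

if [ "${RUN_LIVE:-0}" = "1" ]; then
  run_live_checks
fi
```

Run it as RUN_LIVE=1 ./check-dashboard.sh once external-dns (or your manual record) has propagated; a CNAME to the ELB hostname and an A record to its IP are both accepted, because dig +short prints the whole chain.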

Terminate TLS on the LoadBalancer

To terminate TLS on the LoadBalancer, set .spec.smm.exposeDashboard.meshGateway.tls.externalTermination to true in the smm ControlPlane resource, keeping tls.enabled set to true so that the gateway still listens on port 443. This turns off TLS termination inside Istio: the gateway serves plain HTTP on port 443 and relies on the LoadBalancer in front of it to terminate TLS.

If the Kubernetes Service requires additional annotations to enable TLS, add these annotations to the ControlPlane resource. For example, for AWS/EKS you can use the following settings to terminate TLS with AWS Certificate Manager:

cat > enable-dashboard-expose.yaml <<EOF
spec:
  smm:
    exposeDashboard:
      meshGateway:
        enabled: true
        service:
          annotations:
            service.beta.kubernetes.io/aws-load-balancer-backend-protocol: http
            service.beta.kubernetes.io/aws-load-balancer-ssl-cert: arn:aws:acm:{region}:{account id}:certificate/{id}
            service.beta.kubernetes.io/aws-load-balancer-ssl-ports: "443"
            external-dns.alpha.kubernetes.io/hostname: smm.example.org.
        tls:
          enabled: true
          externalTermination: true
EOF
kubectl patch controlplane --type=merge --patch "$(cat enable-dashboard-expose.yaml)" smm
  • If you are using Service Mesh Manager in Operator Mode, then the Istio deployment is updated automatically.
  • If you are using the imperative mode, run the smm operator reconcile command to apply the changes.

Note: In the previous example, externalTermination: true instructs Service Mesh Manager to expose a plain HTTP endpoint on port 443, so that the external LoadBalancer can terminate TLS for that port too. The hop between the LoadBalancer and the gateway is therefore unencrypted: restrict access to the node ports of the gateway service (for example with security groups) so that only the LoadBalancer can reach them.

Using NodePort

In this setup the LoadBalancer is managed externally. Each worker node exposes the configured ports, and you create the LoadBalancer yourself by pointing it at those ports on all worker nodes.

To enable NodePort-based exposure of the SMM service, run the following command. This example exposes HTTP on port 40080 and HTTPS on port 40443 of every worker node. Note that the Kubernetes API server only accepts node ports within its --service-node-port-range (30000-32767 by default): the ports in this example require an extended range, otherwise choose ports inside the default range.

Note: The HTTPS port is only available if the tls settings are explicitly enabled; this example omits that part. Either use the TLS settings from the LoadBalancer example, or check the section on user-provided TLS settings.

cat > enable-dashboard-expose.yaml <<EOF
spec:
  smm:
    exposeDashboard:
      meshGateway:
        enabled: true
        service:
          type: NodePort
          nodePorts:
            http: 40080
            https: 40443
EOF
kubectl patch controlplane --type=merge --patch "$(cat enable-dashboard-expose.yaml)" smm

After that, set up the LoadBalancer and the DNS names manually.

  • If you are using Service Mesh Manager in Operator Mode, then the Istio deployment is updated automatically.
  • If you are using the imperative mode, run the smm operator reconcile command to apply the changes.

Expose using custom TLS credentials

You can provide your own TLS certificate and key in a Kubernetes TLS Secret, here called my-own-secret, in the smm-system namespace where the gateway runs. The following command configures the system to use that Secret for in-cluster TLS termination:

cat > enable-dashboard-expose.yaml <<EOF
spec:
  smm:
    exposeDashboard:
      meshGateway:
        enabled: true
        tls:
          enabled: true
          credentialName: "my-own-secret"
EOF
kubectl patch controlplane --type=merge --patch "$(cat enable-dashboard-expose.yaml)" smm
  • If you are using Service Mesh Manager in Operator Mode, then the Istio deployment is updated automatically.
  • If you are using the imperative mode, run the smm operator reconcile command to apply the changes.

Known limitations in HTTP access

As a security measure, Service Mesh Manager operates only over HTTPS when exposed via an external URL. Make sure that some component in the traffic chain (Istio or the LoadBalancer) terminates the TLS connections; otherwise every login attempt to the dashboard fails.
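As an added example (not code from the Service Mesh Manager project), the following Python script lints a meshGateway fragment before it is patched into the ControlPlane: it reports which component ends up terminating TLS for the dashboard and flags combinations in which none does, together with the caveats raised in the sections above (staging CA, plaintext hop behind the LoadBalancer, node ports outside the default range, external-dns hostname missing from dnsNames). The annotation keys are the ones used on this page; the ACM ARN in the sample data is constructed, the Service type when unset is assumed to be LoadBalancer, and since the page does not say what the gateway serves when tls is enabled without a certificate source, the script only flags that case.

```python
"""Pre-apply lint for the .spec.smm.exposeDashboard.meshGateway fragment.

Added example, not Service Mesh Manager code. It encodes the rules this page
states (TLS must be terminated by Istio or by the LoadBalancer; externalTermination
turns port 443 into plain HTTP; the dashboard refuses logins over HTTP) plus two
Kubernetes facts (the kube-apiserver default NodePort range, and the optional
trailing dot in external-dns hostnames). Assumptions are marked as such.
"""
from __future__ import annotations

AWS_SSL_CERT = "service.beta.kubernetes.io/aws-load-balancer-ssl-cert"
AWS_SSL_PORTS = "service.beta.kubernetes.io/aws-load-balancer-ssl-ports"
AWS_BACKEND = "service.beta.kubernetes.io/aws-load-balancer-backend-protocol"
EXTERNAL_DNS_HOST = "external-dns.alpha.kubernetes.io/hostname"
LE_STAGING = "https://acme-staging-v02.api.letsencrypt.org/directory"
NODEPORT_RANGE = range(30000, 32768)  # kube-apiserver default --service-node-port-range


def lint_mesh_gateway(mg: dict) -> tuple[str, list[str]]:
    """Return (terminator, findings): terminator is "istio", "loadbalancer" or
    "none" (nobody terminates TLS, so every login fails); findings are
    misconfigurations and caveats for the fragment."""
    findings: list[str] = []
    if not mg.get("enabled"):
        return "none", ["meshGateway.enabled is false: the dashboard is not exposed"]

    service = mg.get("service") or {}
    ann = service.get("annotations") or {}
    tls = mg.get("tls") or {}
    svc_type = service.get("type", "LoadBalancer")  # assumption: LoadBalancer when unset

    # NodePort values outside the apiserver's range are rejected at admission.
    for name, port in (service.get("nodePorts") or {}).items():
        if port not in NODEPORT_RANGE:
            findings.append(f"nodePorts.{name}={port} is outside the default 30000-32767 "
                            "range; extend --service-node-port-range or pick another port")

    if not tls.get("enabled"):
        findings.append("tls.enabled is false: no HTTPS listener, every login will fail")
        return "none", findings

    if tls.get("externalTermination"):
        # Port 443 now carries plain HTTP, so something in front must terminate TLS.
        if AWS_SSL_CERT in ann:
            if ann.get(AWS_SSL_PORTS) != "443":
                findings.append(f'{AWS_SSL_PORTS} must be "443" to terminate on the https port')
            if ann.get(AWS_BACKEND) != "http":
                findings.append(f"{AWS_BACKEND} must be http: the gateway speaks plain HTTP on 443")
        elif svc_type == "NodePort":
            findings.append("externalTermination with NodePort: the LoadBalancer you build by "
                            "hand must terminate TLS in front of the https nodePort")
        else:
            findings.append("externalTermination is true but the Service has no TLS "
                            "annotation: port 443 is plain HTTP end to end")
            return "none", findings
        findings.append("the LoadBalancer-to-gateway hop on 443 is plaintext: restrict access "
                        "to the gateway's node ports to the LoadBalancer")
        return "loadbalancer", findings

    le = tls.get("letsEncrypt") or {}
    if le.get("enabled"):
        names = [n.rstrip(".") for n in le.get("dnsNames") or []]
        if not names:
            findings.append("letsEncrypt.enabled without dnsNames: nothing to issue a certificate for")
        host = ann.get(EXTERNAL_DNS_HOST)
        if host and host.rstrip(".") not in names:
            findings.append(f"external-dns hostname {host} is not in letsEncrypt.dnsNames")
        if le.get("server") == LE_STAGING:
            findings.append("letsEncrypt.server is the staging CA: browsers will not trust the certificate")
        return "istio", findings

    if tls.get("credentialName"):
        return "istio", findings

    findings.append("tls.enabled without letsEncrypt or credentialName: no certificate "
                    "source configured, check what the gateway actually serves")
    return "istio", findings


# The patches from this page as dicts (the ACM ARN is constructed sample data).
PAGE_SCENARIOS = {
    "letsencrypt": {"enabled": True,
                    "service": {"annotations": {EXTERNAL_DNS_HOST: "smm.example.org."}},
                    "tls": {"enabled": True, "letsEncrypt": {"enabled": True, "dnsNames": ["smm.example.org"]}}},
    "aws-acm": {"enabled": True,
                "service": {"annotations": {AWS_BACKEND: "http", AWS_SSL_PORTS: "443",
                                            AWS_SSL_CERT: "arn:aws:acm:eu-north-1:123456789012:certificate/example",
                                            EXTERNAL_DNS_HOST: "smm.example.org."}},
                "tls": {"enabled": True, "externalTermination": True}},
    "nodeport-no-tls": {"enabled": True,
                        "service": {"type": "NodePort", "nodePorts": {"http": 40080, "https": 40443}}},
    "custom-secret": {"enabled": True, "tls": {"enabled": True, "credentialName": "my-own-secret"}},
}


def lint_all() -> dict[str, tuple[str, list[str]]]:
    return {name: lint_mesh_gateway(mg) for name, mg in PAGE_SCENARIOS.items()}


if __name__ == "__main__":
    for name, (where, findings) in lint_all().items():
        print(f"{name}: TLS terminated by {where}")
        for finding in findings:
            print(f"  - {finding}")
```

Running it prints istio for the Let’s Encrypt and custom-secret patches, loadbalancer (with the plaintext-hop caveat) for the ACM patch, and none for the NodePort patch as written, which is exactly the combination the limitation above warns about.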