Posts

Showing posts from November, 2024

aks istio securing gateway service mesh with tls

Enable the secret provider class if you haven't done so.

export RESOURCE_GROUP=istio-rg
export AKV_NAME=istio-kv-dev
export LOCATION=australiaeast
export CLUSTER=my-istio-cluster
az keyvault create --name $AKV_NAME --resource-group $RESOURCE_GROUP --location $LOCATION
az aks enable-addons --addons azure-keyvault-secrets-provider --resource-group $RESOURCE_GROUP --name $CLUSTER

Grant all the role assignments to the user you're using so we can store the following in our Key Vault. Once you have enabled it, deploy the Bookinfo sample application:

kubectl label namespace default istio.io/rev=asm-1-22
kubectl apply -f https://raw.githubusercontent.com/istio/istio/release-1.18/samples/bookinfo/platform/kube/bookinfo.yaml

Next, create the relevant secrets in your Key Vault:

az keyvault secret set --vault-name $AKV_NAME --name test-productpage-bookinfo-key --file bookinfo_certs/productpage.bookinfo.com.key
az keyvault secret set --vault-nam

AKS - customizing istio service mesh configuration

Please ensure you have an Istio-enabled cluster for this. You can query the current Istio configuration using the Azure CLI by running the following command:

az aks show --name my-istio-cluster --resource-group istio-rg --query 'serviceMeshProfile'

You will get the output shown here. The configuration is stored in a config map called istio-asm-revision; in my case it is istio-asm-1-22, stored in my aks-istio-system namespace.

AKS - setting up istio ingress (external and internal)

Enabling External Ingress

First we need to ensure our cluster is installed with the Istio service mesh. I typically run the following commands to get it installed on my existing cluster:

# enabling my cluster
az aks mesh enable --resource-group istio-rg --name my-istio-cluster
# see if the cluster service mesh is enabled
az aks show --resource-group istio-rg --name my-istio-cluster --query 'serviceMeshProfile.mode'

External ingress

Next we activate the Istio external ingress. Getting 400 Bad Request when running

az aks mesh enable-ingress-gateway --resource-group istio-rg --name my-istio-cluster --ingress-gateway-type external

Ensure your managed identity has the Network Contributor permission for your.

# Get the principal ID for a system-assigned managed identity.
CLIENT_ID=$(az aks show --name my-istio-cluster --resource-group istio-rg --query identity.principalId --output tsv)
# Get the resource ID for the node resource group.
RG_SCOPE=$(az group show --name MC_istio-rg_my-istio-clu

AKS - assigning a static IP to your cluster

To set up your Kubernetes load balancer service type and tie it into your Azure public IP, you need to ensure:

1. the service principal of your Kubernetes cluster has Network Contributor access to your MC (node) resource group
2. you deploy the service YAML with the proper annotations, namely service.beta.kubernetes.io/azure-load-balancer-resource-group and service.beta.kubernetes.io/azure-pip-name.

This assumes you have an existing cluster. Please note that when you create your AKS cluster using the portal, you will have been given a public IP address named with a GUID.

Setting up the Network Contributor

We need to get the client ID and the MC resource group.

Getting the cluster client ID
CLIENT_ID=$(az aks show --name aks-static-cluster --resource-group aks-static-rg --query identity.principalId --output tsv)
Getting the resource ID
RG_SCOPE=$(az group show --name MC_aks-static-rg_aks-static-cluster_australiaeast --query id --output tsv)
Assigning the scope
az role assignment create --assignee ${CLIENT_ID} --