From 205f4c3716ede27611f6da48ac40195322e777e0 Mon Sep 17 00:00:00 2001 From: savagebidoof Date: Sun, 23 Apr 2023 08:45:52 +0200 Subject: [PATCH] Did an Ingress deployment example. Small quality improvements. --- .../gateway.yaml | 1 - Istio/02-Traffic_management/06-mTLS/README.md | 7 +- .../01-namespace.yaml | 0 .../01-Create-Istio-LoadBalancer/README.md | 185 ++++++++++++++++++ .../deployment.yaml | 48 +++++ .../01-Create-Istio-LoadBalancer/gateway.yaml | 36 ++++ .../01-Create-Istio-LoadBalancer/ingress.yaml | 1 - Istio/README.md | 4 +- .../01-Create-Istio-LoadBalancer/README.md | 37 ---- 9 files changed, 275 insertions(+), 44 deletions(-) rename Istio/{__Ingress => 09-Ingress}/01-Create-Istio-LoadBalancer/01-namespace.yaml (100%) create mode 100644 Istio/09-Ingress/01-Create-Istio-LoadBalancer/README.md create mode 100755 Istio/09-Ingress/01-Create-Istio-LoadBalancer/deployment.yaml create mode 100755 Istio/09-Ingress/01-Create-Istio-LoadBalancer/gateway.yaml rename Istio/{__Ingress => 09-Ingress}/01-Create-Istio-LoadBalancer/ingress.yaml (99%) delete mode 100644 Istio/__Ingress/01-Create-Istio-LoadBalancer/README.md diff --git a/Istio/01-Simple/01-hello_world_1_service_1_deployment/gateway.yaml b/Istio/01-Simple/01-hello_world_1_service_1_deployment/gateway.yaml index 8ba8a20..252a01e 100755 --- a/Istio/01-Simple/01-hello_world_1_service_1_deployment/gateway.yaml +++ b/Istio/01-Simple/01-hello_world_1_service_1_deployment/gateway.yaml @@ -1,4 +1,3 @@ -# https://github.com/istio/istio/blob/master/samples/helloworld/helloworld-gateway.yaml apiVersion: networking.istio.io/v1alpha3 kind: Gateway metadata: diff --git a/Istio/02-Traffic_management/06-mTLS/README.md b/Istio/02-Traffic_management/06-mTLS/README.md index d6a79dc..51daca6 100755 --- a/Istio/02-Traffic_management/06-mTLS/README.md +++ b/Istio/02-Traffic_management/06-mTLS/README.md 
@@ -30,7 +30,6 @@ From the Kiali dashboard we will review the mTLS label displayed ```shell kubectl apply -f ./ ```` - ```txt peerauthentication.security.istio.io/default-mtls created service/helloworld created @@ -46,9 +45,9 @@ virtualservice.networking.istio.io/helloworld-vs created [Source Folder](https://github.com/istio/istio/tree/master/samples/addons) ```shell -kubectl apply -f https://raw.githubusercontent.com/istio/istio/master/samples/addons/grafana.yaml && \ -kubectl apply -f https://raw.githubusercontent.com/istio/istio/master/samples/addons/kiali.yaml && \ -kubectl apply -f https://raw.githubusercontent.com/istio/istio/master/samples/addons/prometheus.yaml && \ +kubectl apply -f https://raw.githubusercontent.com/istio/istio/master/samples/addons/grafana.yaml +kubectl apply -f https://raw.githubusercontent.com/istio/istio/master/samples/addons/kiali.yaml +kubectl apply -f https://raw.githubusercontent.com/istio/istio/master/samples/addons/prometheus.yaml kubectl apply -f https://raw.githubusercontent.com/istio/istio/master/samples/addons/prometheus.yaml ``` diff --git a/Istio/__Ingress/01-Create-Istio-LoadBalancer/01-namespace.yaml b/Istio/09-Ingress/01-Create-Istio-LoadBalancer/01-namespace.yaml similarity index 100% rename from Istio/__Ingress/01-Create-Istio-LoadBalancer/01-namespace.yaml rename to Istio/09-Ingress/01-Create-Istio-LoadBalancer/01-namespace.yaml diff --git a/Istio/09-Ingress/01-Create-Istio-LoadBalancer/README.md b/Istio/09-Ingress/01-Create-Istio-LoadBalancer/README.md new file mode 100644 index 0000000..e7b29b3 --- /dev/null +++ b/Istio/09-Ingress/01-Create-Istio-LoadBalancer/README.md 
@@ -0,0 +1,185 @@
+---
+gitea: none
+include_toc: true
+---
+
+
+# Based on
+
+- [01-hello_world_1_service_1_deployment](../../01-Simple/01-hello_world_1_service_1_deployment)
+
+# Description
+
+On this example, a new Istio Ingress Load Balancer is deployed.
+
+The previous example has been modified to utilize the Ingress resource just deployed.
+
+# Changelog
+
+## Gateway
+
+```yaml
+apiVersion: networking.istio.io/v1alpha3
+kind: Gateway
+metadata:
+ name: helloworld-gateway
+spec:
+ selector:
+ istio: myingressgateway # use istio default controller
+ servers:
+ - port:
+ number: 80
+ name: http
+ protocol: HTTP
+ hosts:
+ - "*"
+```
+
+The selector `Istio` has been updated to `myingressgateway`, to match the selector of the Istio Ingress Load Balancer that will be created.
+
+## Namespace
+
+```yaml
+apiVersion: v1
+kind: Namespace
+metadata:
+ name: istio-ingress
+ labels:
+ istio-injection: "enabled"
+```
+
+The namespace `istio-ingress` will have the label `istio-injection` with the contents set to `enabled` to allow Istio to automatically inject the Istio sidecars to the resources within that namespace, unless specified otherwise.
+
+## IstioOperator
+
+```yaml
+apiVersion: install.istio.io/v1alpha1
+kind: IstioOperator
+metadata:
+ name: ingress
+spec:
+ profile: empty # Do not install CRDs or the control plane
+ components:
+ ingressGateways:
+ - name: myistio-ingressgateway
+ namespace: istio-ingress
+ enabled: true
+ label:
+ # Set a unique label for the gateway. This is required to ensure Gateways
+ # can select this workload
+ istio: myingressgateway
+ values:
+ gateways:
+ istio-ingressgateway:
+ # Enable gateway injection
+ injectionTemplate: gateway
+```
+
+The following configuration will create an Istio Ingress Load Balancer named `myistio-ingressgateway`, located at the namespace `istio-ingress`.
+
+The label `istio`, refers to the selector that the `Gateway` resources will use to specify the targeted Istio resource.
+
+# Walkthrough
+
+## Deploy resources
+
+### Create namespace
+
+```shell
+kubectl apply -f 01-namespace.yaml
+```
+```text
+namespace/istio-ingress created
+```
+
+### Create / Install the Istio Ingress resource
+
+
+```shell
+istioctl install -f ingress.yaml
+```
+```text
+This will install the Istio 1.17.2 empty profile into the cluster. Proceed? (y/N) y
+✔ Ingress gateways installed
+✔ Installation complete
+Thank you for installing Istio 1.17. Please take a few minutes to tell us about your install/upgrade experience! https://forms.gle/hMHGiwZHPU7UQRWe9
+```
+
+### Deploy gateway
+
+```shell
+kubectl apply -f gateway.yaml
+```
+```text
+
+gateway.networking.istio.io/helloworld-gateway created
+virtualservice.networking.istio.io/helloworld-vs created
+```
+
+### Deploy deployment
+
+```shell
+kubectl apply -f deployment.yaml
+```
+```text
+service/helloworld created
+deployment.apps/helloworld-nginx created
+```
+
+## Testing deployment
+
+### Get Load Balancer IP
+
+```shell
+kubectl get svc -n istio-ingress
+```
+```text
+NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE
+myistio-ingressgateway LoadBalancer 10.102.158.128 192.168.1.51 15021:31181/TCP,80:30090/TCP,443:31285/TCP 5m10s
+```
+
+### Curl
+
+The request results in status code `200`, meaning a correct handling of the request.
+
+```shell
+curl 192.168.1.51/helloworld -I
+```
+```text
+HTTP/1.1 200 OK
+server: istio-envoy
+date: Sun, 23 Apr 2023 06:40:57 GMT
+content-type: text/html
+content-length: 615
+last-modified: Tue, 28 Mar 2023 15:01:54 GMT
+etag: "64230162-267"
+accept-ranges: bytes
+x-envoy-upstream-service-time: 15
+```
+# Cleanup
+
+[Yeah no idea, gl with that.](https://stackoverflow.com/a/55731730)
+
+```shell
+istioctl uninstall --purge
+```
+
+Also read that "just removing" the namespace works to purge the config/remove resources.
+
+Meanwhile, I did that (and seems like it performed correctly), I am not entirely sure about it.
I'm not bothered myself as the environment where I am performing the tests is intended to be destroyed anytime and recreated, yet in a production environment I am not sure how this would need to be approached. + +Maybe with a `kubectl get all -A` and through `grep` and `less` find resources and configurations, and delete them manually. + +```shell +kubectl delete namespace istio-ingress +``` + +# Troubleshooting + +## curl: (7) Failed to connect to 192.168.1.51 port 80 after 2 ms: Couldn't connect to server + +Ensure that the gateway is using the correct `selector` to target the Istio Ingress Load Balancer created. + +# Links of interest + +- https://istio.io/latest/docs/setup/additional-setup/gateway/#deploying-a-gateway \ No newline at end of file diff --git a/Istio/09-Ingress/01-Create-Istio-LoadBalancer/deployment.yaml b/Istio/09-Ingress/01-Create-Istio-LoadBalancer/deployment.yaml new file mode 100755 index 0000000..36e6b76 --- /dev/null +++ b/Istio/09-Ingress/01-Create-Istio-LoadBalancer/deployment.yaml @@ -0,0 +1,48 @@ +# https://github.com/istio/istio/blob/master/samples/helloworld/helloworld.yaml +apiVersion: v1 +kind: Service +metadata: + name: helloworld + labels: + app: helloworld + service: helloworld +spec: + ports: + - port: 80 + name: http + selector: + app: helloworld +--- +#apiVersion: v1 +#kind: ServiceAccount +#metadata: +# name: istio-helloworld +# labels: +# account: +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: helloworld-nginx + labels: + app: helloworld +spec: + replicas: 1 + selector: + matchLabels: + app: helloworld + template: + metadata: + labels: + app: helloworld + spec: +# serviceAccountName: istio-helloworld + containers: + - name: helloworld + image: nginx + resources: + requests: + cpu: "100m" + imagePullPolicy: IfNotPresent #Always + ports: + - containerPort: 80 
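Review bot: In the new deployment.yaml the container is declared as `image: nginx` together with `imagePullPolicy: IfNotPresent`, so the tag is implicitly `latest` and each node keeps running whichever copy it happened to cache; pin a version or digest, e.g. `image: nginx:<pinned-tag>` (placeholder, use the tag you actually tested). The pod template also sets no `securityContext`, and with the ServiceAccount block commented out the pod runs under the namespace's default service account, whose token is mounted by default; for a workload that never calls the Kubernetes API, `automountServiceAccountToken: false` in the pod spec is a cheap hardening step. `resources` declares only a CPU request, so nothing caps the container's CPU or memory use.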
diff --git a/Istio/09-Ingress/01-Create-Istio-LoadBalancer/gateway.yaml b/Istio/09-Ingress/01-Create-Istio-LoadBalancer/gateway.yaml new file mode 100755 index 0000000..38b5390 --- /dev/null +++ b/Istio/09-Ingress/01-Create-Istio-LoadBalancer/gateway.yaml @@ -0,0 +1,36 @@ +# https://github.com/istio/istio/blob/master/samples/helloworld/helloworld-gateway.yaml +apiVersion: networking.istio.io/v1alpha3 +kind: Gateway +metadata: + name: helloworld-gateway +spec: + selector: + istio: myingressgateway # use istio default controller + servers: + - port: + number: 80 + name: http + protocol: HTTP + hosts: + - "*" +--- +apiVersion: networking.istio.io/v1alpha3 +kind: VirtualService +metadata: + name: helloworld-vs +spec: + hosts: + - "*" + gateways: + - helloworld-gateway + http: + - match: + - uri: + exact: /helloworld + route: + - destination: + host: helloworld + port: + number: 80 + rewrite: + uri: "/" \ No newline at end of file diff --git a/Istio/__Ingress/01-Create-Istio-LoadBalancer/ingress.yaml b/Istio/09-Ingress/01-Create-Istio-LoadBalancer/ingress.yaml similarity index 99% rename from Istio/__Ingress/01-Create-Istio-LoadBalancer/ingress.yaml rename to Istio/09-Ingress/01-Create-Istio-LoadBalancer/ingress.yaml index 082cf45..3f3191d 100644 --- a/Istio/__Ingress/01-Create-Istio-LoadBalancer/ingress.yaml +++ b/Istio/09-Ingress/01-Create-Istio-LoadBalancer/ingress.yaml @@ -1,4 +1,3 @@ - apiVersion: install.istio.io/v1alpha1 kind: IstioOperator metadata: diff --git a/Istio/README.md b/Istio/README.md index 126d5c8..53d112f 100755 --- a/Istio/README.md +++ b/Istio/README.md @@ -1,6 +1,8 @@ +# Disclaimer: +I have absolutely used as a reference and or template other party configurations/files. - +I have tried to reference as much as possible as long it's relevant/useful for the reader. # Stuff diff --git a/Istio/__Ingress/01-Create-Istio-LoadBalancer/README.md b/Istio/__Ingress/01-Create-Istio-LoadBalancer/README.md deleted file mode 100644 index 354dbdd..0000000 
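Review bot: In the new 09-Ingress gateway.yaml the selector line still carries the comment `# use istio default controller`, although the value is now `myingressgateway`, the label given to the dedicated gateway in ingress.yaml; the comment should say that instead, e.g. `istio: myingressgateway # must match the label set on the IstioOperator ingress gateway`. Both the Gateway and the VirtualService use `hosts: - "*"` on a plain HTTP port 80 server, so any Host header that reaches the LoadBalancer IP is routed and nothing is encrypted in transit. That is acceptable for a lab, but a comment marking it as demo-only, or a concrete hostname, would keep the example from being copied unchanged into a shared cluster. The same stale comment appears in the Gateway snippet of the new README.md.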
--- a/Istio/__Ingress/01-Create-Istio-LoadBalancer/README.md +++ /dev/null @@ -1,37 +0,0 @@ -https://istio.io/latest/docs/tasks/traffic-management/ingress/ - - -TLS -https://istio.io/latest/docs/tasks/traffic-management/ingress/secure-ingress/ - - - - -https://istio.io/latest/docs/setup/additional-setup/gateway/#deploying-a-gateway - - -kubectl apply -f 01-namespace.yaml - -istioctl install -f ingress.yaml - - -kubectl get all -A | grep myistio -istio-ingress pod/myistio-ingressgateway-5cdcd89cfb-s4fsz 1/1 Running 0 43s -istio-ingress service/myistio-ingressgateway LoadBalancer 10.102.38.206 192.168.1.51 15021:30287/TCP,80:30979/TCP,443:31405/TCP 43s -istio-ingress deployment.apps/myistio-ingressgateway 1/1 1 1 44s -istio-ingress replicaset.apps/myistio-ingressgateway-5cdcd89cfb 1 1 1 44s -istio-ingress horizontalpodautoscaler.autoscaling/myistio-ingressgateway Deployment/myistio-ingressgateway /80% 1 5 1 44s - - ---- - -It gets its own service account. - -We can use this to restrict the network activity and enforce traffic rules. - -```shell -kubectl get pod -n istio-ingress myistio-ingressgateway-5cdcd89cfb-s4fsz -o jsonpath='{.spec.serviceAccount}' -``` -```text -myistio-ingressgateway-service-account -```