Set and documented.
This commit is contained in:
parent
b506b32229
commit
26d947610a
@ -1,11 +1,189 @@
|
||||
# Continues from
|
||||
# Description
|
||||
|
||||
- 01-hello_world_1_service_1_deployment
|
||||
This example uses a resource `ServiceEntry` to "integrate" external resources into our `Istio Service Mesh`.
|
||||
|
||||
It also explores the different behaviors between specifying the destination URL on the headers or not.
|
||||
|
||||
The following page has been used for testing purposes:
|
||||
|
||||
- info.cern.ch
|
||||
|
||||
> **Quick disclaimer**:\
|
||||
> I have no relation with that page.
|
||||
|
||||
# Configuration
|
||||
|
||||
## ServiceEntry
|
||||
|
||||
This `ServiceEntry` resource, defines as a destination the URL `info.cern.ch`.
|
||||
|
||||
Note that location is set to `MESH_EXTERNAL` and that the resolution is set to `DNS`, this means that the resource is external to ou `Istio Service Mesh`, and the URL will be resolved through `DNS`
|
||||
|
||||
Bear in mind that when Istio is communicating with resources externals to the mesh, `mTLS` is disabled.
|
||||
|
||||
Also, policy enforcement is performed in the client side instead of the server side.
|
||||
|
||||
> **Note:**/
|
||||
> For more information regarding the `resolution` field or the `location` field, refer to the following official Istio documentations:
|
||||
> [ServiceEntry.Location](https://istio.io/latest/docs/reference/config/networking/service-entry/#ServiceEntry-Location)
|
||||
> [ServiceEntry.Resolution](https://istio.io/latest/docs/reference/config/networking/service-entry/#ServiceEntry-Resolution)
|
||||
|
||||
```yaml
|
||||
apiVersion: networking.istio.io/v1alpha3
|
||||
kind: ServiceEntry
|
||||
metadata:
|
||||
name: external-cern-service
|
||||
spec:
|
||||
hosts:
|
||||
- info.cern.ch
|
||||
ports:
|
||||
- number: 80
|
||||
name: http
|
||||
protocol: HTTP
|
||||
resolution: DNS
|
||||
location: MESH_EXTERNAL
|
||||
```
|
||||
|
||||
## Gateway
|
||||
|
||||
Listens for `HTTP` traffic at the port `80` without limiting to any host.
|
||||
|
||||
```yaml
|
||||
apiVersion: networking.istio.io/v1alpha3
|
||||
kind: Gateway
|
||||
metadata:
|
||||
name: helloworld-gateway
|
||||
spec:
|
||||
selector:
|
||||
istio: ingressgateway # use istio default controller
|
||||
servers:
|
||||
- port:
|
||||
number: 80
|
||||
name: http
|
||||
protocol: HTTP
|
||||
hosts:
|
||||
- "*"
|
||||
```
|
||||
|
||||
|
||||
https://github.com/istio/istio/issues/29463
|
||||
## VirtualService
|
||||
|
||||
There has been configured 2 paths:
|
||||
|
||||
- "/external"
|
||||
- "/external-noh"
|
||||
|
||||
Both routes will forward the request towards the destination URL `info.cern.ch`.
|
||||
|
||||
Highlight that the destination is `info.cern.ch`, which is the same as the contents set on the field `host` from the [ServiceEntry resource configured above](#serviceentry).
|
||||
|
||||
The difference between `/external` and `/external-noh` is that the first path will contain a header named `HOST`, with the contents set to `info.cern.ch`, it being the URL from the external service.
|
||||
|
||||
On the [Walkthrough](#walkthrough) section we will observe the different behaviors of these paths, being the only difference the header attributed.
|
||||
|
||||
```yaml
|
||||
apiVersion: networking.istio.io/v1alpha3
|
||||
kind: VirtualService
|
||||
metadata:
|
||||
name: helloworld-vs
|
||||
spec:
|
||||
hosts:
|
||||
- "*"
|
||||
gateways:
|
||||
- helloworld-gateway
|
||||
http:
|
||||
- name: https-external-service
|
||||
timeout: 3s
|
||||
match:
|
||||
- uri:
|
||||
exact: "/external"
|
||||
route:
|
||||
- destination:
|
||||
host: info.cern.ch
|
||||
port:
|
||||
number: 80
|
||||
rewrite:
|
||||
uri: "/"
|
||||
headers:
|
||||
request:
|
||||
set:
|
||||
HOST: "info.cern.ch"
|
||||
|
||||
- name: https-external-service-without-headers
|
||||
timeout: 3s
|
||||
match:
|
||||
- uri:
|
||||
exact: "/external-noh"
|
||||
route:
|
||||
- destination:
|
||||
host: info.cern.ch
|
||||
port:
|
||||
number: 80
|
||||
rewrite:
|
||||
uri: "/"
|
||||
```
|
||||
|
||||
# Walkthrough
|
||||
|
||||
## Deploy the resources
|
||||
|
||||
```shell
|
||||
kubectl apply -f ./
|
||||
```
|
||||
```text
|
||||
serviceentry.networking.istio.io/external-cern-service created
|
||||
gateway.networking.istio.io/helloworld-gateway created
|
||||
virtualservice.networking.istio.io/helloworld-vs created
|
||||
```
|
||||
|
||||
## Test the service
|
||||
|
||||
### Get LB IP
|
||||
|
||||
```shell
|
||||
$ kubectl get svc -l istio=ingressgateway -A
|
||||
NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE
|
||||
istio-ingressgateway LoadBalancer 10.97.47.216 192.168.1.50 15021:31316/TCP,80:32012/TCP,443:32486/TCP 39h
|
||||
```
|
||||
|
||||
### /external
|
||||
|
||||
We can visualize the page contents without issues, nothing to highlight.
|
||||
|
||||
```shell
|
||||
curl 192.168.1.50/external
|
||||
```
|
||||
```text
|
||||
<html><head></head><body><header>
|
||||
<title>http://info.cern.ch</title>
|
||||
</header>
|
||||
|
||||
<h1>http://info.cern.ch - home of the first website</h1>
|
||||
<p>From here you can:</p>
|
||||
<ul>
|
||||
<li><a href="http://info.cern.ch/hypertext/WWW/TheProject.html">Browse the first website</a></li>
|
||||
<li><a href="http://line-mode.cern.ch/www/hypertext/WWW/TheProject.html">Browse the first website using the line-mode browser simulator</a></li>
|
||||
<li><a href="http://home.web.cern.ch/topics/birth-web">Learn about the birth of the web</a></li>
|
||||
<li><a href="http://home.web.cern.ch/about">Learn about CERN, the physics laboratory where the web was born</a></li>
|
||||
</ul>
|
||||
</body></html>
|
||||
```
|
||||
|
||||
### /external-noh
|
||||
|
||||
We don't receive any output.
|
||||
|
||||
This could be due, even if we resolve the destination IP for the URL `info.cern.ch`, the destination might have a Reverse Proxy or any other ingress resource that could condition handling this request.
|
||||
|
||||
Due to the `HOST` field not being modified after we set the request, it might not be able to pass the filtering set, weather it is security wise, for example, requiring such field to allow the request; or it being a routing condition, which due not having this field specified, it's not able to route the request towards the destination desired.
|
||||
|
||||
```shell
|
||||
curl 192.168.1.50/external
|
||||
```
|
||||
```text
|
||||
```
|
||||
|
||||
# Links of interest:
|
||||
|
||||
- https://istio.io/latest/docs/reference/config/networking/service-entry/#ServiceEntry-Location
|
||||
|
||||
Funny example I guess.
|
||||
Q
|
@ -0,0 +1,13 @@
|
||||
apiVersion: networking.istio.io/v1alpha3
|
||||
kind: ServiceEntry
|
||||
metadata:
|
||||
name: external-cern-service
|
||||
spec:
|
||||
hosts:
|
||||
- info.cern.ch
|
||||
ports:
|
||||
- number: 80
|
||||
name: http
|
||||
protocol: HTTP
|
||||
resolution: DNS
|
||||
location: MESH_EXTERNAL
|
@ -1,57 +0,0 @@
|
||||
# https://github.com/istio/istio/blob/master/samples/helloworld/helloworld.yaml
|
||||
apiVersion: v1
|
||||
kind: Service
|
||||
metadata:
|
||||
name: helloworld
|
||||
labels:
|
||||
app: helloworld
|
||||
service: helloworld
|
||||
spec:
|
||||
ports:
|
||||
- port: 80
|
||||
name: http
|
||||
selector:
|
||||
app: helloworld
|
||||
---
|
||||
apiVersion: apps/v1
|
||||
kind: Deployment
|
||||
metadata:
|
||||
name: helloworld-nginx
|
||||
labels:
|
||||
app: helloworld
|
||||
spec:
|
||||
replicas: 1
|
||||
selector:
|
||||
matchLabels:
|
||||
app: helloworld
|
||||
template:
|
||||
metadata:
|
||||
labels:
|
||||
app: helloworld
|
||||
spec:
|
||||
containers:
|
||||
- name: helloworld
|
||||
image: nginx
|
||||
resources:
|
||||
requests:
|
||||
cpu: "100m"
|
||||
imagePullPolicy: IfNotPresent #Always
|
||||
ports:
|
||||
- containerPort: 80
|
||||
---
|
||||
apiVersion: networking.istio.io/v1alpha3
|
||||
kind: ServiceEntry
|
||||
metadata:
|
||||
name: external-svc
|
||||
spec:
|
||||
hosts:
|
||||
- help.websiteos.com
|
||||
# /websiteos/example_of_a_simple_html_page.htm
|
||||
# - http://help.websiteos.com/websiteos/example_of_a_simple_html_page.htm
|
||||
ports:
|
||||
- number: 80
|
||||
name: http
|
||||
protocol: HTTP
|
||||
resolution: DNS
|
||||
location: MESH_EXTERNAL
|
||||
---
|
@ -1,4 +1,3 @@
|
||||
# https://github.com/istio/istio/blob/master/samples/helloworld/helloworld-gateway.yaml
|
||||
apiVersion: networking.istio.io/v1alpha3
|
||||
kind: Gateway
|
||||
metadata:
|
||||
@ -24,29 +23,32 @@ spec:
|
||||
gateways:
|
||||
- helloworld-gateway
|
||||
http:
|
||||
- match:
|
||||
- uri:
|
||||
exact: /helloworld
|
||||
route:
|
||||
- destination:
|
||||
host: helloworld
|
||||
port:
|
||||
number: 80
|
||||
rewrite:
|
||||
uri: "/"
|
||||
|
||||
- timeout: 3s
|
||||
- name: https-external-service
|
||||
timeout: 3s
|
||||
match:
|
||||
- uri:
|
||||
exact: "/external"
|
||||
route:
|
||||
- destination:
|
||||
host: help.websiteos.com
|
||||
host: info.cern.ch
|
||||
port:
|
||||
number: 80
|
||||
rewrite:
|
||||
uri: "/websiteos/example_of_a_simple_html_page.htm"
|
||||
uri: "/"
|
||||
headers:
|
||||
request:
|
||||
set:
|
||||
HOST: "help.websiteos.com"
|
||||
HOST: "info.cern.ch"
|
||||
|
||||
- name: https-external-service-without-headers
|
||||
timeout: 3s
|
||||
match:
|
||||
- uri:
|
||||
exact: "/external-noh"
|
||||
route:
|
||||
- destination:
|
||||
host: info.cern.ch
|
||||
port:
|
||||
number: 80
|
||||
rewrite:
|
||||
uri: "/"
|
Loading…
x
Reference in New Issue
Block a user