ofilter/Istio_Examples
1
0
Fork 0
Code Issues 26 Pull Requests Packages Projects 1 Releases Wiki Activity

Seems like I moved some files around (it's been a while)

Browse Source 
Also have documented the ingress example regarding installing a Istio Ingress Gateway Load Balancer.
This commit is contained in:
savagebidoof 2023-07-01 15:40:15 +02:00
parent 703d380bca
commit 918f480319
21 changed files with 497 additions and 189 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

0
06-Envoy/01-envoy_add_headers/README.md → .placeholder/06-Envoy/01-envoy_add_headers/README.md
View File

0
06-Envoy/01-envoy_add_headers/deployment.yaml → .placeholder/06-Envoy/01-envoy_add_headers/deployment.yaml
View File

0
06-Envoy/01-envoy_add_headers/envoy.yaml → .placeholder/06-Envoy/01-envoy_add_headers/envoy.yaml
View File

0
06-Envoy/01-envoy_add_headers/envoy2.yaml → .placeholder/06-Envoy/01-envoy_add_headers/envoy2.yaml
View File

0
06-Envoy/01-envoy_add_headers/gateway.yaml → .placeholder/06-Envoy/01-envoy_add_headers/gateway.yaml
View File

0
06-Envoy/README.md → .placeholder/06-Envoy/README.md
View File

0
07-MeshConfig/01-Outboud-Traffic-Policy/README.md → .placeholder/07-MeshConfig/01-Outboud-Traffic-Policy/README.md
View File

0
07-MeshConfig/01-Outboud-Traffic-Policy/deployment.yaml → .placeholder/07-MeshConfig/01-Outboud-Traffic-Policy/deployment.yaml
View File

0
07-MeshConfig/01-Outboud-Traffic-Policy/gateway.yaml → .placeholder/07-MeshConfig/01-Outboud-Traffic-Policy/gateway.yaml
View File

0
07-MeshConfig/README.md → .placeholder/07-MeshConfig/README.md
View File

110
00-Troubleshooting/README.md
View File

@ -3,6 +3,63 @@ gitea: none
include_toc: true
---
# Logs
> **Note:**\
> Remember that you can use the command `watch` or `watch -n 5` (where 5 refers every 5 seconds) in case of being interested on execute this commands periodically.
## Istiod
```shell
kubectl logs -n istio-system -f deployments/istiod
```
## Istio-Proxy Pod
This will display the logs from a deployment while targeting the `istio-proxy` container from the targeted pod/deployment.
As well will attach the session to stream new logs. (`-f` `--follow`)
```shell
kubectl logs deployments/helloworld-default -f -c istio-proxy
```
```text
[2023-05-15T00:42:03.699Z] "- - -" 0 UH - - "-" 0 0 0 - "-" "-" "-" "-" "-" BlackHoleCluster - 10.111.90.232:8080 172.17.121.65:52006 - -
[2023-05-15T00:42:24.785Z] "HEAD / HTTP/1.1" 200 - via_upstream - "-" 0 0 2 1 "-" "curl/7.74.0" "c133cbf0-b57d-4fba-8f84-d683ab903399" "helloworld.default.svc.cluster.local" "172.17.121.65:80" inbound|80|| 127.0.0.6:51695 172.17.121.65:80 172.17.121.65:43786 outbound_.80_._.helloworld.default.svc.cluster.local default
[2023-05-15T00:42:24.784Z] "HEAD / HTTP/1.1" 200 - via_upstream - "-" 0 0 5 4 "-" "curl/7.74.0" "c133cbf0-b57d-4fba-8f84-d683ab903399" "helloworld.default.svc.cluster.local" "172.17.121.65:80" outbound|80||helloworld.default.svc.cluster.local 172.17.121.65:43786 10.111.90.232:80 172.17.121.65:57030 - default
[2023-05-15T00:43:23.209Z] "HEAD / HTTP/1.1" 200 - via_upstream - "-" 0 0 6 5 "-" "curl/7.74.0" "e1f0a2f3-93ff-4c41-8cb3-6d3a53fce065" "helloworld.foo.svc.cluster.local" "172.17.247.42:80" outbound|80||helloworld.foo.svc.cluster.local 172.17.121.65:55040 10.109.248.148:80 172.17.121.65:60520 - default
[2023-05-15T00:43:29.751Z] "- - -" 0 UH - - "-" 0 0 0 - "-" "-" "-" "-" "-" BlackHoleCluster - 10.109.248.148:8080 172.17.121.65:40370 - -
[2023-05-15T00:43:31.979Z] "- - -" 0 UH - - "-" 0 0 0 - "-" "-" "-" "-" "-" BlackHoleCluster - 10.109.248.148:8080 172.17.121.65:40402 - -
```
## Ingress
The service targeted, `istio-ingressgateway`, is an Ingress Load Balancer service from Istio.
```shell
kubectl logs -n istio-system services/istio-ingressgateway
```
#### Invalid TLS context has neither subject CN nor SAN names
The TLS certificate specified don't have the field CN or the field SAN.
To address this issue, issue a new certificate that has at least one of those fields.
#### initial fetch timed out for type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.Secretthread
This is due not being able to retrieve the TLS configuration assigned to the gateway.
It's Important that the secret is located in the same namespace as the Istio Load Balancer used. In my case is the `istio-system`, but it will vary based on the environment.
# Istioctl analyze
`istioctl analyze` reviews the current configuration set.
@ -67,57 +124,24 @@ listening on eth0, link-type EN10MB (Ethernet), snapshot length 262144 bytes
...
```
# Logs
> **Note:**\
> Remember that you can use the command `watch` or `watch -n 5` (where 5 refers every 5 seconds) in case of being interested on execute this commands periodically.
## Istiod
# Istioctl proxy-status
> **Note:** Shorthand is `ps`
```shell
kubectl logs -n istio-system -f deployments/istiod
istioctl ps
```
## Istio-Proxy Pod
This will display the logs from a deployment while targeting the `istio-proxy` container from the targeted pod/deployment.
As well will attach the session to stream new logs. (`-f` `--follow`)
```shell
kubectl logs deployments/helloworld-default -f -c istio-proxy
```
```text
[2023-05-15T00:42:03.699Z] "- - -" 0 UH - - "-" 0 0 0 - "-" "-" "-" "-" "-" BlackHoleCluster - 10.111.90.232:8080 172.17.121.65:52006 - -
[2023-05-15T00:42:24.785Z] "HEAD / HTTP/1.1" 200 - via_upstream - "-" 0 0 2 1 "-" "curl/7.74.0" "c133cbf0-b57d-4fba-8f84-d683ab903399" "helloworld.default.svc.cluster.local" "172.17.121.65:80" inbound|80|| 127.0.0.6:51695 172.17.121.65:80 172.17.121.65:43786 outbound_.80_._.helloworld.default.svc.cluster.local default
[2023-05-15T00:42:24.784Z] "HEAD / HTTP/1.1" 200 - via_upstream - "-" 0 0 5 4 "-" "curl/7.74.0" "c133cbf0-b57d-4fba-8f84-d683ab903399" "helloworld.default.svc.cluster.local" "172.17.121.65:80" outbound|80||helloworld.default.svc.cluster.local 172.17.121.65:43786 10.111.90.232:80 172.17.121.65:57030 - default
[2023-05-15T00:43:23.209Z] "HEAD / HTTP/1.1" 200 - via_upstream - "-" 0 0 6 5 "-" "curl/7.74.0" "e1f0a2f3-93ff-4c41-8cb3-6d3a53fce065" "helloworld.foo.svc.cluster.local" "172.17.247.42:80" outbound|80||helloworld.foo.svc.cluster.local 172.17.121.65:55040 10.109.248.148:80 172.17.121.65:60520 - default
[2023-05-15T00:43:29.751Z] "- - -" 0 UH - - "-" 0 0 0 - "-" "-" "-" "-" "-" BlackHoleCluster - 10.109.248.148:8080 172.17.121.65:40370 - -
[2023-05-15T00:43:31.979Z] "- - -" 0 UH - - "-" 0 0 0 - "-" "-" "-" "-" "-" BlackHoleCluster - 10.109.248.148:8080 172.17.121.65:40402 - -
NAME CLUSTER CDS LDS EDS RDS ECDS ISTIOD VERSION
helloworld-6798765f88-ql26n.default Kubernetes SYNCED SYNCED SYNCED SYNCED NOT SENT istiod-dbf5ff64-9kxxs 1.17.2
helloworld2-dc9cb5db6-m47x7.default Kubernetes SYNCED SYNCED SYNCED SYNCED NOT SENT istiod-dbf5ff64-9kxxs 1.17.2
istio-egressgateway-676bf68b54-d28fn.istio-system Kubernetes SYNCED SYNCED SYNCED NOT SENT NOT SENT istiod-dbf5ff64-9kxxs 1.17.2
istio-ingressgateway-8d56c999d-nv7ph.istio-system Kubernetes SYNCED SYNCED SYNCED SYNCED NOT SENT istiod-dbf5ff64-9kxxs 1.17.2
```
## Ingress
The service targeted, `istio-ingressgateway`, is an Ingress Load Balancer service from Istio.
```shell
kubectl logs -n istio-system services/istio-ingressgateway
```
#### Invalid TLS context has neither subject CN nor SAN names
The TLS certificate specified don't have the field CN or the field SAN.
To address this issue, issue a new certificate that has at least one of those fields.
#### initial fetch timed out for type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.Secretthread
This is due not being able to retrieve the TLS configuration assigned to the gateway.
It's Important that the secret is located in the same namespace as the Istio Load Balancer used. In my case is the `istio-system`, but it will vary based on the environment.
# Istioctl proxy-config
> **Note:** Shorthand is `pc`
## Check listeners

2
01-Getting_Started/01-hello_world_1_service_1_deployment/README.md
View File

@ -219,7 +219,7 @@ I would like to put emphasis on the following line returned:
server: istio-envoy
```
This means that the contents returned was performed by the Istio service, instead of the Nginx or any other possible backend service.
This means that the contents returned was performed by the Istio service, therefore, the request was able to reach Istio and received a response from it.
## Cleanup

4
01-Getting_Started/03-hello_world_1_service_2_deployments_managed_version/VirtualService.yaml
View File

@ -19,13 +19,13 @@ spec:
port:
number: 80
subset: v1
weight: 20
weight: 80
- destination:
# host: helloworld (OLD)
host: helloworld.default.svc.cluster.local
port:
number: 80
subset: v2
weight: 80
weight: 20
rewrite:
uri: "/"

3
09-Ingress/01-Create-Istio-LoadBalancer/01-namespace.yaml → 09-Ingress/01-Create-Istio-LoadBalancer/01-Namespace.yaml
View File

@ -3,5 +3,4 @@ kind: Namespace
metadata:
name: istio-ingress
labels:
istio-injection: "enabled"
---
istio-injection: "enabled"

23
09-Ingress/01-Create-Istio-LoadBalancer/deployment.yaml → 09-Ingress/01-Create-Istio-LoadBalancer/Deployment.yaml
View File

@ -1,25 +1,3 @@
# https://github.com/istio/istio/blob/master/samples/helloworld/helloworld.yaml
apiVersion: v1
kind: Service
metadata:
name: helloworld
labels:
app: helloworld
service: helloworld
spec:
ports:
- port: 80
name: http
selector:
app: helloworld
---
#apiVersion: v1
#kind: ServiceAccount
#metadata:
# name: istio-helloworld
# labels:
# account:
---
apiVersion: apps/v1
kind: Deployment
metadata:
@ -36,7 +14,6 @@ spec:
labels:
app: helloworld
spec:
# serviceAccountName: istio-helloworld
containers:
- name: helloworld
image: nginx

26
09-Ingress/01-Create-Istio-LoadBalancer/Gateway.yaml
View File

@ -1,36 +1,14 @@
# https://github.com/istio/istio/blob/master/samples/helloworld/helloworld-gateway.yaml
apiVersion: networking.istio.io/v1alpha3
kind: Gateway
metadata:
name: helloworld-gateway
spec:
selector:
istio: myingressgateway # use istio default controller
istio: myingressgateway # Uses the selector we just deployed
servers:
- port:
number: 80
name: http
protocol: HTTP
hosts:
- "*"
---
apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
name: helloworld-vs
spec:
hosts:
- "*"
gateways:
- helloworld-gateway
http:
- match:
- uri:
exact: /helloworld
route:
- destination:
host: helloworld
port:
number: 80
rewrite:
uri: "/"
- "*"

0
09-Ingress/01-Create-Istio-LoadBalancer/ingress.yaml → 09-Ingress/01-Create-Istio-LoadBalancer/IstioOperator/IstioOperator.yaml
View File

292
09-Ingress/01-Create-Istio-LoadBalancer/README.md
View File

@ -4,41 +4,31 @@ include_toc: true
---
# Based on
- [01-hello_world_1_service_1_deployment](../../01-Getting_Started/01-hello_world_1_service_1_deployment)
# Description
On this example, a new Istio Ingress Load Balancer is deployed.
On this example, a new Istio Ingress Load Balancer is deployed through the usage of an `IstioOperator` object, as well deploys a simple service for testing purposes.
The previous example has been modified to utilize the Ingress resource just deployed.
# Changelog
This example configures:
## Gateway
Generic Kubernetes resources:
- 1 Service
- 1 Deployment
Istio resources:
- 1 Ingress Gateway Load Balancer
- 1 Gateway
- 1 Virtual Service
```yaml
apiVersion: networking.istio.io/v1alpha3
kind: Gateway
metadata:
name: helloworld-gateway
spec:
selector:
istio: myingressgateway # use istio default controller
servers:
- port:
number: 80
name: http
protocol: HTTP
hosts:
- "*"
```
> **Note:**\
> I don't intend to explain thing related to Kubernetes unless necessary.
The selector `Istio` has been updated to `myingressgateway`, to match the selector of the Istio Ingress Load Balancer that will be created.
# Configuration
## Namespace
Creates the namespace `istio-ingress` with the `istio-injection` enabled.
```yaml
apiVersion: v1
kind: Namespace
@ -48,10 +38,67 @@ metadata:
istio-injection: "enabled"
```
The namespace `istio-ingress` will have the label `istio-injection` with the contents set to `enabled` to allow Istio to automatically inject the Istio sidecars to the resources within that namespace, unless specified otherwise.
## Service
Creates a service named `helloworld`.
This service listens for the port `80` expecting `HTTP` traffic and will forward the incoming traffic towards the port `80` from the destination pod.
```yaml
apiVersion: v1
kind: Service
metadata:
name: helloworld
labels:
app: helloworld
service: helloworld
spec:
ports:
- port: 80
name: http
selector:
app: helloworld
```
## Deployment
Deploys a Nginx server that listens for the port `80`.
```yaml
apiVersion: apps/v1
kind: Deployment
metadata:
name: helloworld-nginx
labels:
app: helloworld
spec:
replicas: 1
selector:
matchLabels:
app: helloworld
template:
metadata:
labels:
app: helloworld
spec:
containers:
- name: helloworld
image: nginx
resources:
requests:
cpu: "100m"
imagePullPolicy: IfNotPresent #Always
ports:
- containerPort: 80
```
## IstioOperator
Deploys an Istio Ingress Load Balancer named `myistio-ingressgateway`.
It will contain the selector `istio: myingressgateway`.
```yaml
apiVersion: install.istio.io/v1alpha1
kind: IstioOperator
@ -75,28 +122,104 @@ spec:
injectionTemplate: gateway
```
The following configuration will create an Istio Ingress Load Balancer named `myistio-ingressgateway`, located at the namespace `istio-ingress`.
## Gateway
The label `istio`, refers to the selector that the `Gateway` resources will use to specify the targeted Istio resource.
Deploys an Istio gateway that's listening to the port `80` for `HTTP` traffic.
It doesn't filter for any specific host.
The `selector` field is used to "choose" which Istio Load Balancers will have this gateway assigned to.
On this scenario, we want to target the Istio Ingress Load Balancer we just created, therefore the value of the selector will be `istio: myingressgateway`.
```yaml
apiVersion: networking.istio.io/v1alpha3
kind: Gateway
metadata:
name: helloworld-gateway
spec:
selector:
istio: myingressgateway # Uses the selector we just deployed
servers:
- port:
number: 80
name: http
protocol: HTTP
hosts:
- "*"
```
## VirtualService
The Virtual Service resources are used to route and filter the received traffic from the gateway resources, and route it towards the desired destination.
On this example we select the gateway `helloworld-gateway`, which is the [gateway that 's described in the `Gateway` section](#gateway).
On this resource, we are also not limiting the incoming traffic to any specific host, allowing for all the incoming traffic to go through the rules set.
Here we created a rule that will be applied on `HTTP` related traffic (including `HTTPS` and `HTTP2`) when the destination path is exactly `/helloworld`.
This traffic will be forwarded to the port `80` of the destination service `helloworld` (the full path URL equivalent would be `helloworld.$NAMESPACE.svc.cluster.local`).
Additionally, there will be an internal URL rewrite set, as if the URL is not modified, it would attempt to reach to the `/helloworld` path from the Nginx deployment, which currently has no content and would result in an error code `404` (Not found).
```yaml
apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
name: helloworld-vs
spec:
hosts:
- "*"
gateways:
- helloworld-gateway
http:
- match:
- uri:
exact: /helloworld
route:
- destination:
host: helloworld
port:
number: 80
rewrite:
uri: "/"
```
# Walkthrough
## Deploy resources
### Create namespace
Deploy the resources.
```shell
kubectl apply -f 01-namespace.yaml
kubectl apply -f ./
```
```text
namespace/istio-ingress created
deployment.apps/helloworld-nginx created
gateway.networking.istio.io/helloworld-gateway created
service/helloworld created
```
### Create / Install the Istio Ingress resource
## Wait for the deployment to be ready
Wait for the Nginx deployment to be up and ready.
```shell
istioctl install -f ingress.yaml
kubectl get deployment helloworld-nginx -w
```
```text
NAME READY UP-TO-DATE AVAILABLE AGE
helloworld-nginx 1/1 1 1 16s
```
## Install the Istio Ingress Gateway Load Balancer
Press `y` to install.
```shell
istioctl install -f IstioOperator/IstioOperator.yaml
```
```text
This will install the Istio 1.17.2 empty profile into the cluster. Proceed? (y/N) y
@ -105,92 +228,73 @@ This will install the Istio 1.17.2 empty profile into the cluster. Proceed? (y/N
Thank you for installing Istio 1.17. Please take a few minutes to tell us about your install/upgrade experience! https://forms.gle/hMHGiwZHPU7UQRWe9
```
### Deploy gateway
## Test the service
### Get LB IP
To perform the desired tests, we will need to obtain the IP Istio Load Balancer that we selected in the [Gateway section](#gateway).
On my environment, the IP is the `192.168.1.50`.
```shell
kubectl apply -f Gateway.yaml
kubectl get svc -l istio=myingressgateway -A
```
```text
gateway.networking.istio.io/helloworld-gateway created
virtualservice.networking.istio.io/helloworld-vs created
NAMESPACE NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE
istio-ingress myistio-ingressgateway LoadBalancer 10.96.116.25 192.168.1.51 15021:31681/TCP,80:31993/TCP,443:32596/TCP 116s
```
### Deploy deployment
### Curl /helloworld
Due to accessing the path `/helloworld`, we are triggering the rule set on the [VirtualService configuration](#virtualservice), sending a request to the Nginx backend and returning us its contents.
```shell
kubectl apply -f deployment-nomtls.yaml
curl 192.168.1.51/helloworld -s | grep "<title>.*</title>"
```
```text
service/helloworld created
deployment.apps/helloworld-nginx created
<title>Welcome to nginx!</title>
```
## Testing deployment
### Curl /other
What happens if we access a path or URL that doesn't trigger any rule?
### Get Load Balancer IP
```shell
kubectl get svc -n istio-ingress
curl 192.168.1.51/other -s -I
```
```text
NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE
myistio-ingressgateway LoadBalancer 10.102.158.128 192.168.1.51 15021:31181/TCP,80:30090/TCP,443:31285/TCP 5m10s
```
### Curl
The request results in status code `200`, meaning a correct handling of the request.
```shell
curl 192.168.1.51/helloworld -I
```
```text
HTTP/1.1 200 OK
HTTP/1.1 404 Not Found
date: Sat, 01 Jul 2023 13:27:14 GMT
server: istio-envoy
date: Sun, 23 Apr 2023 06:40:57 GMT
content-type: text/html
content-length: 615
last-modified: Tue, 28 Mar 2023 15:01:54 GMT
etag: "64230162-267"
accept-ranges: bytes
x-envoy-upstream-service-time: 15
transfer-encoding: chunked
```
# Cleanup
[Yeah no idea, gl with that.](https://stackoverflow.com/a/55731730)
We receive a status code `404`.
I would like to put emphasis on the following line returned:
```text
server: istio-envoy
```
This means that the contents returned was performed by the Istio service, therefore, the request was able to reach Istio and received a response from it.
## Cleanup
Finally, a cleanup from the resources deployed.
It might take a minute or two, don't **panik** if that's the case.
Take into account that deleting the namespace will also delete the resources in it, **so be careful!**
```shell
kubectl delete -f ./deployment-nomtls.yaml
kubectl delete -f ./Gateway.yaml
kubectl delete -f ./
```
```text
service "helloworld" deleted
namespace "istio-ingress" deleted
deployment.apps "helloworld-nginx" deleted
gateway.networking.istio.io "helloworld-gateway" deleted
service "helloworld" deleted
virtualservice.networking.istio.io "helloworld-vs" deleted
```
```shell
istioctl uninstall --purge
```
Also read that "just removing" the namespace works to purge the config/remove resources.
Meanwhile, I did that (and seems like it performed correctly), I am not entirely sure about it. I'm not bothered myself as the environment where I am performing the tests is intended to be destroyed anytime and recreated, yet in a production environment I am not sure how this would need to be approached.
Maybe with a `kubectl get all -A` and through `grep` and `less` find resources and configurations, and delete them manually.
```shell
kubectl delete namespace istio-ingress
```
# Troubleshooting
## curl: (7) Failed to connect to 192.168.1.51 port 80 after 2 ms: Couldn't connect to server
Ensure that the gateway is using the correct `selector` to target the Istio Ingress Load Balancer created.
# Links of interest
- https://istio.io/latest/docs/setup/additional-setup/gateway/#deploying-a-gateway
```

193
09-Ingress/01-Create-Istio-LoadBalancer/README_old.md Normal file
View File

@ -0,0 +1,193 @@
---
gitea: none
include_toc: true
---
# Based on
- [01-hello_world_1_service_1_deployment](../../01-Getting_Started/01-hello_world_1_service_1_deployment)
# Description
On this example, a new Istio Ingress Load Balancer is deployed.
The previous example has been modified to utilize the Ingress resource just deployed.
# Changelog
## Gateway
```yaml
apiVersion: networking.istio.io/v1alpha3
kind: Gateway
metadata:
name: helloworld-gateway
spec:
selector:
istio: myingressgateway # use istio default controller
servers:
- port:
number: 80
name: http
protocol: HTTP
hosts:
- "*"
```
The selector `Istio` has been updated to `myingressgateway`, to match the selector of the Istio Ingress Load Balancer that will be created.
## Namespace
```yaml
apiVersion: v1
kind: Namespace
metadata:
name: istio-ingress
labels:
istio-injection: "enabled"
```
The namespace `istio-ingress` will have the label `istio-injection` with the contents set to `enabled` to allow Istio to automatically inject the Istio sidecars to the resources within that namespace, unless specified otherwise.
## IstioOperator
```yaml
apiVersion: install.istio.io/v1alpha1
kind: IstioOperator
metadata:
name: ingress
spec:
profile: empty # Do not install CRDs or the control plane
components:
ingressGateways:
- name: myistio-ingressgateway
namespace: istio-ingress
enabled: true
label:
# Set a unique label for the gateway. This is required to ensure Gateways
# can select this workload
istio: myingressgateway
values:
gateways:
istio-ingressgateway:
# Enable gateway injection
injectionTemplate: gateway
```
The following configuration will create an Istio Ingress Load Balancer named `myistio-ingressgateway`, located at the namespace `istio-ingress`.
The label `istio`, refers to the selector that the `Gateway` resources will use to specify the targeted Istio resource.
# Walkthrough
## Deploy resources
### Create namespace
```shell
kubectl apply -f 01-Namespace.yaml
```
```text
namespace/istio-ingress created
```
### Create / Install the Istio Ingress resource
```shell
istioctl install -f IstioOperator.yaml
```
```text
This will install the Istio 1.17.2 empty profile into the cluster. Proceed? (y/N) y
✔ Ingress gateways installed
✔ Installation complete
Thank you for installing Istio 1.17. Please take a few minutes to tell us about your install/upgrade experience! https://forms.gle/hMHGiwZHPU7UQRWe9
```
### Deploy gateway
```shell
kubectl apply -f Gateway.yaml
```
```text
gateway.networking.istio.io/helloworld-gateway created
virtualservice.networking.istio.io/helloworld-vs created
```
### Deploy deployment
```shell
kubectl apply -f deployment-nomtls.yaml
```
```text
service/helloworld created
deployment.apps/helloworld-nginx created
```
## Testing deployment
### Get Load Balancer IP
```shell
kubectl get svc -n istio-ingress
```
```text
NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE
myistio-ingressgateway LoadBalancer 10.102.158.128 192.168.1.51 15021:31181/TCP,80:30090/TCP,443:31285/TCP 5m10s
```
### Curl
The request results in status code `200`, meaning a correct handling of the request.
```shell
curl 192.168.1.51/helloworld -I
```
```text
HTTP/1.1 200 OK
server: istio-envoy
date: Sun, 23 Apr 2023 06:40:57 GMT
content-type: text/html
content-length: 615
last-modified: Tue, 28 Mar 2023 15:01:54 GMT
etag: "64230162-267"
accept-ranges: bytes
x-envoy-upstream-service-time: 15
```
# Cleanup
```shell
kubectl delete -f ./
```
```text
service "helloworld" deleted
deployment.apps "helloworld-nginx" deleted
gateway.networking.istio.io "helloworld-gateway" deleted
virtualservice.networking.istio.io "helloworld-vs" deleted
```
```shell
istioctl uninstall --purge
```
Also read that "just removing" the namespace works to purge the config/remove resources.
Meanwhile, I did that (and seems like it performed correctly), I am not entirely sure about it. I'm not bothered myself as the environment where I am performing the tests is intended to be destroyed anytime and recreated, yet in a production environment I am not sure how this would need to be approached.
Maybe with a `kubectl get all -A` and through `grep` and `less` find resources and configurations, and delete them manually.
```shell
kubectl delete namespace istio-ingress
```
# Troubleshooting
## curl: (7) Failed to connect to 192.168.1.51 port 80 after 2 ms: Couldn't connect to server
Ensure that the gateway is using the correct `selector` to target the Istio Ingress Load Balancer created.
# Links of interest
- https://istio.io/latest/docs/setup/additional-setup/gateway/#deploying-a-gateway

13
09-Ingress/01-Create-Istio-LoadBalancer/Service.yaml Normal file
View File

@ -0,0 +1,13 @@
apiVersion: v1
kind: Service
metadata:
name: helloworld
labels:
app: helloworld
service: helloworld
spec:
ports:
- port: 80
name: http
selector:
app: helloworld

20
09-Ingress/01-Create-Istio-LoadBalancer/VirtualService.yaml Normal file
View File

@ -0,0 +1,20 @@
apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
name: helloworld-vs
spec:
hosts:
- "*"
gateways:
- helloworld-gateway
http:
- match:
- uri:
exact: /helloworld
route:
- destination:
host: helloworld
port:
number: 80
rewrite:
uri: "/"