From 918f480319c396f5ec10f3c31efc414d6165601b Mon Sep 17 00:00:00 2001
From: savagebidoof
Date: Sat, 1 Jul 2023 15:40:15 +0200
Subject: [PATCH] Seems like I moved some files around (it's been a while) Also have documented the ingress example regarding installing a Istio Ingress Gateway Load Balancer.
---
 .../06-Envoy}/01-envoy_add_headers/README.md | 0
 .../01-envoy_add_headers/deployment.yaml | 0
 .../06-Envoy}/01-envoy_add_headers/envoy.yaml | 0
 .../01-envoy_add_headers/envoy2.yaml | 0
 .../01-envoy_add_headers/gateway.yaml | 0
 {06-Envoy => .placeholder/06-Envoy}/README.md | 0
 .../01-Outboud-Traffic-Policy/README.md | 0
 .../01-Outboud-Traffic-Policy/deployment.yaml | 0
 .../01-Outboud-Traffic-Policy/gateway.yaml | 0
 .../07-MeshConfig}/README.md | 0
 00-Troubleshooting/README.md | 110 ++++---
 .../README.md | 2 +-
 .../VirtualService.yaml | 4 +-
 .../{01-namespace.yaml => 01-Namespace.yaml} | 3 +-
 .../{deployment.yaml => Deployment.yaml} | 23 --
 .../01-Create-Istio-LoadBalancer/Gateway.yaml | 26 +-
 .../IstioOperator.yaml} | 0
 .../01-Create-Istio-LoadBalancer/README.md | 292 ++++++++++++------
 .../README_old.md | 193 ++++++++++++
 .../01-Create-Istio-LoadBalancer/Service.yaml | 13 +
 .../VirtualService.yaml | 20 ++
 21 files changed, 497 insertions(+), 189 deletions(-)
 rename {06-Envoy => .placeholder/06-Envoy}/01-envoy_add_headers/README.md (100%)
 rename {06-Envoy => .placeholder/06-Envoy}/01-envoy_add_headers/deployment.yaml (100%)
 rename {06-Envoy => .placeholder/06-Envoy}/01-envoy_add_headers/envoy.yaml (100%)
 rename {06-Envoy => .placeholder/06-Envoy}/01-envoy_add_headers/envoy2.yaml (100%)
 rename {06-Envoy => .placeholder/06-Envoy}/01-envoy_add_headers/gateway.yaml (100%)
 rename {06-Envoy => .placeholder/06-Envoy}/README.md (100%)
 rename {07-MeshConfig => .placeholder/07-MeshConfig}/01-Outboud-Traffic-Policy/README.md (100%)
 rename {07-MeshConfig => .placeholder/07-MeshConfig}/01-Outboud-Traffic-Policy/deployment.yaml (100%)
 rename {07-MeshConfig => .placeholder/07-MeshConfig}/01-Outboud-Traffic-Policy/gateway.yaml (100%)
 rename {07-MeshConfig => .placeholder/07-MeshConfig}/README.md (100%)
 rename 09-Ingress/01-Create-Istio-LoadBalancer/{01-namespace.yaml => 01-Namespace.yaml} (68%)
 rename 09-Ingress/01-Create-Istio-LoadBalancer/{deployment.yaml => Deployment.yaml} (53%)
 rename 09-Ingress/01-Create-Istio-LoadBalancer/{ingress.yaml => IstioOperator/IstioOperator.yaml} (100%)
 create mode 100644 09-Ingress/01-Create-Istio-LoadBalancer/README_old.md
 create mode 100644 09-Ingress/01-Create-Istio-LoadBalancer/Service.yaml
 create mode 100644 09-Ingress/01-Create-Istio-LoadBalancer/VirtualService.yaml
diff --git a/06-Envoy/01-envoy_add_headers/README.md b/.placeholder/06-Envoy/01-envoy_add_headers/README.md
similarity index 100%
rename from 06-Envoy/01-envoy_add_headers/README.md
rename to .placeholder/06-Envoy/01-envoy_add_headers/README.md
diff --git a/06-Envoy/01-envoy_add_headers/deployment.yaml b/.placeholder/06-Envoy/01-envoy_add_headers/deployment.yaml
similarity index 100%
rename from 06-Envoy/01-envoy_add_headers/deployment.yaml
rename to .placeholder/06-Envoy/01-envoy_add_headers/deployment.yaml
diff --git a/06-Envoy/01-envoy_add_headers/envoy.yaml b/.placeholder/06-Envoy/01-envoy_add_headers/envoy.yaml
similarity index 100%
rename from 06-Envoy/01-envoy_add_headers/envoy.yaml
rename to .placeholder/06-Envoy/01-envoy_add_headers/envoy.yaml
diff --git a/06-Envoy/01-envoy_add_headers/envoy2.yaml b/.placeholder/06-Envoy/01-envoy_add_headers/envoy2.yaml
similarity index 100%
rename from 06-Envoy/01-envoy_add_headers/envoy2.yaml
rename to .placeholder/06-Envoy/01-envoy_add_headers/envoy2.yaml
diff --git a/06-Envoy/01-envoy_add_headers/gateway.yaml b/.placeholder/06-Envoy/01-envoy_add_headers/gateway.yaml
similarity index 100%
rename from 06-Envoy/01-envoy_add_headers/gateway.yaml
rename to .placeholder/06-Envoy/01-envoy_add_headers/gateway.yaml
diff --git a/06-Envoy/README.md b/.placeholder/06-Envoy/README.md
similarity index 100%
rename from 06-Envoy/README.md
rename to .placeholder/06-Envoy/README.md
diff --git a/07-MeshConfig/01-Outboud-Traffic-Policy/README.md b/.placeholder/07-MeshConfig/01-Outboud-Traffic-Policy/README.md
similarity index 100%
rename from 07-MeshConfig/01-Outboud-Traffic-Policy/README.md
rename to .placeholder/07-MeshConfig/01-Outboud-Traffic-Policy/README.md
diff --git a/07-MeshConfig/01-Outboud-Traffic-Policy/deployment.yaml b/.placeholder/07-MeshConfig/01-Outboud-Traffic-Policy/deployment.yaml
similarity index 100%
rename from 07-MeshConfig/01-Outboud-Traffic-Policy/deployment.yaml
rename to .placeholder/07-MeshConfig/01-Outboud-Traffic-Policy/deployment.yaml
diff --git a/07-MeshConfig/01-Outboud-Traffic-Policy/gateway.yaml b/.placeholder/07-MeshConfig/01-Outboud-Traffic-Policy/gateway.yaml
similarity index 100%
rename from 07-MeshConfig/01-Outboud-Traffic-Policy/gateway.yaml
rename to .placeholder/07-MeshConfig/01-Outboud-Traffic-Policy/gateway.yaml
diff --git a/07-MeshConfig/README.md b/.placeholder/07-MeshConfig/README.md
similarity index 100%
rename from 07-MeshConfig/README.md
rename to .placeholder/07-MeshConfig/README.md
diff --git a/00-Troubleshooting/README.md b/00-Troubleshooting/README.md
index fcb5ad1..7a78d48 100644
--- a/00-Troubleshooting/README.md
+++ b/00-Troubleshooting/README.md
@@ -3,6 +3,63 @@ gitea: none include_toc: true --- + +# Logs + +> **Note:**\ +> Remember that you can use the command `watch` or `watch -n 5` (where 5 refers every 5 seconds) in case of being interested on execute this commands periodically. + +## Istiod + +```shell +kubectl logs -n istio-system -f deployments/istiod +``` + +## Istio-Proxy Pod + +This will display the logs from a deployment while targeting the `istio-proxy` container from the targeted pod/deployment. + +As well will attach the session to stream new logs. (`-f` `--follow`) + +```shell +kubectl logs deployments/helloworld-default -f -c istio-proxy +``` + +```text +[2023-05-15T00:42:03.699Z] "- - -" 0 UH - - "-" 0 0 0 - "-" "-" "-" "-" "-" BlackHoleCluster - 10.111.90.232:8080 172.17.121.65:52006 - - +[2023-05-15T00:42:24.785Z] "HEAD / HTTP/1.1" 200 - via_upstream - "-" 0 0 2 1 "-" "curl/7.74.0" "c133cbf0-b57d-4fba-8f84-d683ab903399" "helloworld.default.svc.cluster.local" "172.17.121.65:80" inbound|80|| 127.0.0.6:51695 172.17.121.65:80 172.17.121.65:43786 outbound_.80_._.helloworld.default.svc.cluster.local default +[2023-05-15T00:42:24.784Z] "HEAD / HTTP/1.1" 200 - via_upstream - "-" 0 0 5 4 "-" "curl/7.74.0" "c133cbf0-b57d-4fba-8f84-d683ab903399" "helloworld.default.svc.cluster.local" "172.17.121.65:80" outbound|80||helloworld.default.svc.cluster.local 172.17.121.65:43786 10.111.90.232:80 172.17.121.65:57030 - default +[2023-05-15T00:43:23.209Z] "HEAD / HTTP/1.1" 200 - via_upstream - "-" 0 0 6 5 "-" "curl/7.74.0" "e1f0a2f3-93ff-4c41-8cb3-6d3a53fce065" "helloworld.foo.svc.cluster.local" "172.17.247.42:80" outbound|80||helloworld.foo.svc.cluster.local 172.17.121.65:55040 10.109.248.148:80 172.17.121.65:60520 - default +[2023-05-15T00:43:29.751Z] "- - -" 0 UH - - "-" 0 0 0 - "-" "-" "-" "-" "-" BlackHoleCluster - 10.109.248.148:8080 172.17.121.65:40370 - - +[2023-05-15T00:43:31.979Z] "- - -" 0 UH - - "-" 0 0 0 - "-" "-" "-" "-" "-" BlackHoleCluster - 10.109.248.148:8080 172.17.121.65:40402 - - +``` + 
+## Ingress + +The service targeted, `istio-ingressgateway`, is an Ingress Load Balancer service from Istio. + +```shell +kubectl logs -n istio-system services/istio-ingressgateway +``` +#### Invalid TLS context has neither subject CN nor SAN names + +The TLS certificate specified don't have the field CN or the field SAN. + +To address this issue, issue a new certificate that has at least one of those fields. + +#### initial fetch timed out for type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.Secretthread + +This is due not being able to retrieve the TLS configuration assigned to the gateway. + +It's Important that the secret is located in the same namespace as the Istio Load Balancer used. In my case is the `istio-system`, but it will vary based on the environment. + + + + + + + + # Istioctl analyze `istioctl analyze` reviews the current configuration set. 
@@ -67,57 +124,24 @@ listening on eth0, link-type EN10MB (Ethernet), snapshot length 262144 bytes ... ``` -# Logs - -> **Note:**\ -> Remember that you can use the command `watch` or `watch -n 5` (where 5 refers every 5 seconds) in case of being interested on execute this commands periodically. - -## Istiod +# Istioctl proxy-status +> **Note:** Shorthand is `ps` ```shell -kubectl logs -n istio-system -f deployments/istiod +istioctl ps ``` - -## Istio-Proxy Pod - -This will display the logs from a deployment while targeting the `istio-proxy` container from the targeted pod/deployment. - -As well will attach the session to stream new logs. (`-f` `--follow`) - -```shell -kubectl logs deployments/helloworld-default -f -c istio-proxy -``` - ```text -[2023-05-15T00:42:03.699Z] "- - -" 0 UH - - "-" 0 0 0 - "-" "-" "-" "-" "-" BlackHoleCluster - 10.111.90.232:8080 172.17.121.65:52006 - - -[2023-05-15T00:42:24.785Z] "HEAD / HTTP/1.1" 200 - via_upstream - "-" 0 0 2 1 "-" "curl/7.74.0" "c133cbf0-b57d-4fba-8f84-d683ab903399" "helloworld.default.svc.cluster.local" "172.17.121.65:80" inbound|80|| 127.0.0.6:51695 172.17.121.65:80 172.17.121.65:43786 outbound_.80_._.helloworld.default.svc.cluster.local default -[2023-05-15T00:42:24.784Z] "HEAD / HTTP/1.1" 200 - via_upstream - "-" 0 0 5 4 "-" "curl/7.74.0" "c133cbf0-b57d-4fba-8f84-d683ab903399" "helloworld.default.svc.cluster.local" "172.17.121.65:80" outbound|80||helloworld.default.svc.cluster.local 172.17.121.65:43786 10.111.90.232:80 172.17.121.65:57030 - default -[2023-05-15T00:43:23.209Z] "HEAD / HTTP/1.1" 200 - via_upstream - "-" 0 0 6 5 "-" "curl/7.74.0" "e1f0a2f3-93ff-4c41-8cb3-6d3a53fce065" "helloworld.foo.svc.cluster.local" "172.17.247.42:80" outbound|80||helloworld.foo.svc.cluster.local 172.17.121.65:55040 10.109.248.148:80 172.17.121.65:60520 - default -[2023-05-15T00:43:29.751Z] "- - -" 0 UH - - "-" 0 0 0 - "-" "-" "-" "-" "-" BlackHoleCluster - 10.109.248.148:8080 172.17.121.65:40370 - - -[2023-05-15T00:43:31.979Z] "- 
- -" 0 UH - - "-" 0 0 0 - "-" "-" "-" "-" "-" BlackHoleCluster - 10.109.248.148:8080 172.17.121.65:40402 - - +NAME CLUSTER CDS LDS EDS RDS ECDS ISTIOD VERSION +helloworld-6798765f88-ql26n.default Kubernetes SYNCED SYNCED SYNCED SYNCED NOT SENT istiod-dbf5ff64-9kxxs 1.17.2 +helloworld2-dc9cb5db6-m47x7.default Kubernetes SYNCED SYNCED SYNCED SYNCED NOT SENT istiod-dbf5ff64-9kxxs 1.17.2 +istio-egressgateway-676bf68b54-d28fn.istio-system Kubernetes SYNCED SYNCED SYNCED NOT SENT NOT SENT istiod-dbf5ff64-9kxxs 1.17.2 +istio-ingressgateway-8d56c999d-nv7ph.istio-system Kubernetes SYNCED SYNCED SYNCED SYNCED NOT SENT istiod-dbf5ff64-9kxxs 1.17.2 ``` -## Ingress - -The service targeted, `istio-ingressgateway`, is an Ingress Load Balancer service from Istio. - -```shell -kubectl logs -n istio-system services/istio-ingressgateway -``` -#### Invalid TLS context has neither subject CN nor SAN names - -The TLS certificate specified don't have the field CN or the field SAN. - -To address this issue, issue a new certificate that has at least one of those fields. - -#### initial fetch timed out for type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.Secretthread - -This is due not being able to retrieve the TLS configuration assigned to the gateway. - -It's Important that the secret is located in the same namespace as the Istio Load Balancer used. In my case is the `istio-system`, but it will vary based on the environment. - # Istioctl proxy-config +> **Note:** Shorthand is `pc` + ## Check listeners diff --git a/01-Getting_Started/01-hello_world_1_service_1_deployment/README.md b/01-Getting_Started/01-hello_world_1_service_1_deployment/README.md index 13ebeb3..0641ada 100755 --- a/01-Getting_Started/01-hello_world_1_service_1_deployment/README.md +++ b/01-Getting_Started/01-hello_world_1_service_1_deployment/README.md 
@@ -219,7 +219,7 @@ I would like to put emphasis on the following line returned: server: istio-envoy ``` -This means that the contents returned was performed by the Istio service, instead of the Nginx or any other possible backend service. +This means that the contents returned was performed by the Istio service, therefore, the request was able to reach Istio and received a response from it. ## Cleanup diff --git a/01-Getting_Started/03-hello_world_1_service_2_deployments_managed_version/VirtualService.yaml b/01-Getting_Started/03-hello_world_1_service_2_deployments_managed_version/VirtualService.yaml index 3b39a70..97b9642 100644 --- a/01-Getting_Started/03-hello_world_1_service_2_deployments_managed_version/VirtualService.yaml +++ b/01-Getting_Started/03-hello_world_1_service_2_deployments_managed_version/VirtualService.yaml @@ -19,13 +19,13 @@ spec: port: number: 80 subset: v1 - weight: 20 + weight: 80 - destination: # host: helloworld (OLD) host: helloworld.default.svc.cluster.local port: number: 80 subset: v2 - weight: 80 + weight: 20 rewrite: uri: "/" \ No newline at end of file diff --git a/09-Ingress/01-Create-Istio-LoadBalancer/01-namespace.yaml b/09-Ingress/01-Create-Istio-LoadBalancer/01-Namespace.yaml similarity index 68% rename from 09-Ingress/01-Create-Istio-LoadBalancer/01-namespace.yaml rename to 09-Ingress/01-Create-Istio-LoadBalancer/01-Namespace.yaml index b9d9719..dca2b2b 100644 --- a/09-Ingress/01-Create-Istio-LoadBalancer/01-namespace.yaml +++ b/09-Ingress/01-Create-Istio-LoadBalancer/01-Namespace.yaml @@ -3,5 +3,4 @@ kind: Namespace metadata: name: istio-ingress labels: - istio-injection: "enabled" ---- \ No newline at end of file + istio-injection: "enabled" \ No newline at end of file 
diff --git a/09-Ingress/01-Create-Istio-LoadBalancer/deployment.yaml b/09-Ingress/01-Create-Istio-LoadBalancer/Deployment.yaml similarity index 53% rename from 09-Ingress/01-Create-Istio-LoadBalancer/deployment.yaml rename to 09-Ingress/01-Create-Istio-LoadBalancer/Deployment.yaml index 36e6b76..233fd2c 100755 --- a/09-Ingress/01-Create-Istio-LoadBalancer/deployment.yaml +++ b/09-Ingress/01-Create-Istio-LoadBalancer/Deployment.yaml @@ -1,25 +1,3 @@ -# https://github.com/istio/istio/blob/master/samples/helloworld/helloworld.yaml -apiVersion: v1 -kind: Service -metadata: - name: helloworld - labels: - app: helloworld - service: helloworld -spec: - ports: - - port: 80 - name: http - selector: - app: helloworld ---- -#apiVersion: v1 -#kind: ServiceAccount -#metadata: -# name: istio-helloworld -# labels: -# account: ---- apiVersion: apps/v1 kind: Deployment metadata: @@ -36,7 +14,6 @@ spec: labels: app: helloworld spec: -# serviceAccountName: istio-helloworld containers: - name: helloworld image: nginx diff --git a/09-Ingress/01-Create-Istio-LoadBalancer/Gateway.yaml b/09-Ingress/01-Create-Istio-LoadBalancer/Gateway.yaml index 38b5390..61a4e1a 100755 --- a/09-Ingress/01-Create-Istio-LoadBalancer/Gateway.yaml +++ b/09-Ingress/01-Create-Istio-LoadBalancer/Gateway.yaml 
@@ -1,36 +1,14 @@ -# https://github.com/istio/istio/blob/master/samples/helloworld/helloworld-gateway.yaml apiVersion: networking.istio.io/v1alpha3 kind: Gateway metadata: name: helloworld-gateway spec: selector: - istio: myingressgateway # use istio default controller + istio: myingressgateway # Uses the selector we just deployed servers: - port: number: 80 name: http protocol: HTTP hosts: - - "*" ---- -apiVersion: networking.istio.io/v1alpha3 -kind: VirtualService -metadata: - name: helloworld-vs -spec: - hosts: - - "*" - gateways: - - helloworld-gateway - http: - - match: - - uri: - exact: /helloworld - route: - - destination: - host: helloworld - port: - number: 80 - rewrite: - uri: "/" \ No newline at end of file + - "*" \ No newline at end of file diff --git a/09-Ingress/01-Create-Istio-LoadBalancer/ingress.yaml b/09-Ingress/01-Create-Istio-LoadBalancer/IstioOperator/IstioOperator.yaml similarity index 100% rename from 09-Ingress/01-Create-Istio-LoadBalancer/ingress.yaml rename to 09-Ingress/01-Create-Istio-LoadBalancer/IstioOperator/IstioOperator.yaml diff --git a/09-Ingress/01-Create-Istio-LoadBalancer/README.md b/09-Ingress/01-Create-Istio-LoadBalancer/README.md index dbc677d..bc5f83d 100644 --- a/09-Ingress/01-Create-Istio-LoadBalancer/README.md +++ b/09-Ingress/01-Create-Istio-LoadBalancer/README.md 
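Review bot: The retained `hosts: - "*"` entry on the port 80 `HTTP` server in Gateway.yaml makes this Gateway answer for any Host header over plaintext on the load balancer that the IstioOperator creates, and the manifest does not say that this is a lab-only choice. A comment above the entry such as `# Demo only: accepts any host over plain HTTP; set a real hostname and add a TLS server before exposing this` would keep copied manifests from carrying the wildcard into a real cluster. The manifest also has no `metadata.namespace`, so `kubectl apply -f ./` creates it in the current context's namespace while the workload it selects is installed into `istio-ingress`; that cross-namespace binding appears to rely on Istio's default selector scoping and is worth stating in the file. The new selector comment is imprecise, since the walkthrough applies this file before the operator install; `# Must match the istio label set in IstioOperator/IstioOperator.yaml` describes the dependency directly.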
@@ -4,41 +4,31 @@ include_toc: true --- -# Based on - -- [01-hello_world_1_service_1_deployment](../../01-Getting_Started/01-hello_world_1_service_1_deployment) - # Description -On this example, a new Istio Ingress Load Balancer is deployed. +On this example, a new Istio Ingress Load Balancer is deployed through the usage of an `IstioOperator` object, as well deploys a simple service for testing purposes. -The previous example has been modified to utilize the Ingress resource just deployed. -# Changelog +This example configures: -## Gateway + Generic Kubernetes resources: + - 1 Service + - 1 Deployment + + Istio resources: + - 1 Ingress Gateway Load Balancer + - 1 Gateway + - 1 Virtual Service -```yaml -apiVersion: networking.istio.io/v1alpha3 -kind: Gateway -metadata: - name: helloworld-gateway -spec: - selector: - istio: myingressgateway # use istio default controller - servers: - - port: - number: 80 - name: http - protocol: HTTP - hosts: - - "*" -``` +> **Note:**\ +> I don't intend to explain thing related to Kubernetes unless necessary. -The selector `Istio` has been updated to `myingressgateway`, to match the selector of the Istio Ingress Load Balancer that will be created. +# Configuration ## Namespace +Creates the namespace `istio-ingress` with the `istio-injection` enabled. + ```yaml apiVersion: v1 kind: Namespace 
@@ -48,10 +38,67 @@ metadata: istio-injection: "enabled" ``` -The namespace `istio-ingress` will have the label `istio-injection` with the contents set to `enabled` to allow Istio to automatically inject the Istio sidecars to the resources within that namespace, unless specified otherwise. +## Service + +Creates a service named `helloworld`. + +This service listens for the port `80` expecting `HTTP` traffic and will forward the incoming traffic towards the port `80` from the destination pod. + +```yaml +apiVersion: v1 +kind: Service +metadata: + name: helloworld + labels: + app: helloworld + service: helloworld +spec: + ports: + - port: 80 + name: http + selector: + app: helloworld +``` + +## Deployment + +Deploys a Nginx server that listens for the port `80`. + +```yaml +apiVersion: apps/v1 +kind: Deployment +metadata: + name: helloworld-nginx + labels: + app: helloworld +spec: + replicas: 1 + selector: + matchLabels: + app: helloworld + template: + metadata: + labels: + app: helloworld + spec: + containers: + - name: helloworld + image: nginx + resources: + requests: + cpu: "100m" + imagePullPolicy: IfNotPresent #Always + ports: + - containerPort: 80 +``` ## IstioOperator + +Deploys an Istio Ingress Load Balancer named `myistio-ingressgateway`. + +It will contain the selector `istio: myingressgateway`. + ```yaml apiVersion: install.istio.io/v1alpha1 kind: IstioOperator 
@@ -75,28 +122,104 @@ spec: injectionTemplate: gateway ``` -The following configuration will create an Istio Ingress Load Balancer named `myistio-ingressgateway`, located at the namespace `istio-ingress`. +## Gateway -The label `istio`, refers to the selector that the `Gateway` resources will use to specify the targeted Istio resource. +Deploys an Istio gateway that's listening to the port `80` for `HTTP` traffic. + +It doesn't filter for any specific host. + +The `selector` field is used to "choose" which Istio Load Balancers will have this gateway assigned to. + +On this scenario, we want to target the Istio Ingress Load Balancer we just created, therefore the value of the selector will be `istio: myingressgateway`. + +```yaml +apiVersion: networking.istio.io/v1alpha3 +kind: Gateway +metadata: + name: helloworld-gateway +spec: + selector: + istio: myingressgateway # Uses the selector we just deployed + servers: + - port: + number: 80 + name: http + protocol: HTTP + hosts: + - "*" +``` + +## VirtualService + +The Virtual Service resources are used to route and filter the received traffic from the gateway resources, and route it towards the desired destination. + +On this example we select the gateway `helloworld-gateway`, which is the [gateway that 's described in the `Gateway` section](#gateway). + +On this resource, we are also not limiting the incoming traffic to any specific host, allowing for all the incoming traffic to go through the rules set. + +Here we created a rule that will be applied on `HTTP` related traffic (including `HTTPS` and `HTTP2`) when the destination path is exactly `/helloworld`. + +This traffic will be forwarded to the port `80` of the destination service `helloworld` (the full path URL equivalent would be `helloworld.$NAMESPACE.svc.cluster.local`). 
+ +Additionally, there will be an internal URL rewrite set, as if the URL is not modified, it would attempt to reach to the `/helloworld` path from the Nginx deployment, which currently has no content and would result in an error code `404` (Not found). + +```yaml +apiVersion: networking.istio.io/v1alpha3 +kind: VirtualService +metadata: + name: helloworld-vs +spec: + hosts: + - "*" + gateways: + - helloworld-gateway + http: + - match: + - uri: + exact: /helloworld + route: + - destination: + host: helloworld + port: + number: 80 + rewrite: + uri: "/" +``` # Walkthrough ## Deploy resources -### Create namespace +Deploy the resources. ```shell -kubectl apply -f 01-namespace.yaml +kubectl apply -f ./ ``` ```text namespace/istio-ingress created +deployment.apps/helloworld-nginx created +gateway.networking.istio.io/helloworld-gateway created +service/helloworld created ``` -### Create / Install the Istio Ingress resource +## Wait for the deployment to be ready +Wait for the Nginx deployment to be up and ready. ```shell -istioctl install -f ingress.yaml +kubectl get deployment helloworld-nginx -w +``` +```text +NAME READY UP-TO-DATE AVAILABLE AGE +helloworld-nginx 1/1 1 1 16s +``` + +## Install the Istio Ingress Gateway Load Balancer + +Press `y` to install. + +```shell +istioctl install -f IstioOperator/IstioOperator.yaml ``` ```text This will install the Istio 1.17.2 empty profile into the cluster. Proceed? (y/N) y 
@@ -105,92 +228,73 @@ This will install the Istio 1.17.2 empty profile into the cluster. Proceed? (y/N Thank you for installing Istio 1.17. Please take a few minutes to tell us about your install/upgrade experience! https://forms.gle/hMHGiwZHPU7UQRWe9 ``` -### Deploy gateway +## Test the service + +### Get LB IP + +To perform the desired tests, we will need to obtain the IP Istio Load Balancer that we selected in the [Gateway section](#gateway). + +On my environment, the IP is the `192.168.1.50`. ```shell -kubectl apply -f Gateway.yaml +kubectl get svc -l istio=myingressgateway -A ``` ```text - -gateway.networking.istio.io/helloworld-gateway created -virtualservice.networking.istio.io/helloworld-vs created +NAMESPACE NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE +istio-ingress myistio-ingressgateway LoadBalancer 10.96.116.25 192.168.1.51 15021:31681/TCP,80:31993/TCP,443:32596/TCP 116s ``` -### Deploy deployment +### Curl /helloworld + +Due to accessing the path `/helloworld`, we are triggering the rule set on the [VirtualService configuration](#virtualservice), sending a request to the Nginx backend and returning us its contents. ```shell -kubectl apply -f deployment-nomtls.yaml +curl 192.168.1.51/helloworld -s | grep ".*" ``` ```text -service/helloworld created -deployment.apps/helloworld-nginx created +Welcome to nginx! ``` -## Testing deployment +### Curl /other + +What happens if we access a path or URL that doesn't trigger any rule? -### Get Load Balancer IP ```shell -kubectl get svc -n istio-ingress +curl 192.168.1.51/other -s -I ``` ```text -NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE -myistio-ingressgateway LoadBalancer 10.102.158.128 192.168.1.51 15021:31181/TCP,80:30090/TCP,443:31285/TCP 5m10s -``` - -### Curl - -The request results in status code `200`, meaning a correct handling of the request. 
- -```shell -curl 192.168.1.51/helloworld -I -``` -```text -HTTP/1.1 200 OK +HTTP/1.1 404 Not Found +date: Sat, 01 Jul 2023 13:27:14 GMT server: istio-envoy -date: Sun, 23 Apr 2023 06:40:57 GMT -content-type: text/html -content-length: 615 -last-modified: Tue, 28 Mar 2023 15:01:54 GMT -etag: "64230162-267" -accept-ranges: bytes -x-envoy-upstream-service-time: 15 +transfer-encoding: chunked ``` -# Cleanup -[Yeah no idea, gl with that.](https://stackoverflow.com/a/55731730) +We receive a status code `404`. + +I would like to put emphasis on the following line returned: + +```text +server: istio-envoy +``` + +This means that the contents returned was performed by the Istio service, therefore, the request was able to reach Istio and received a response from it. + +## Cleanup + +Finally, a cleanup from the resources deployed. + +It might take a minute or two, don't **panik** if that's the case. + +Take into account that deleting the namespace will also delete the resources in it, **so be careful!** ```shell -kubectl delete -f ./deployment-nomtls.yaml -kubectl delete -f ./Gateway.yaml +kubectl delete -f ./ ``` ```text -service "helloworld" deleted +namespace "istio-ingress" deleted deployment.apps "helloworld-nginx" deleted gateway.networking.istio.io "helloworld-gateway" deleted +service "helloworld" deleted virtualservice.networking.istio.io "helloworld-vs" deleted -``` - -```shell -istioctl uninstall --purge -``` - -Also read that "just removing" the namespace works to purge the config/remove resources. - -Meanwhile, I did that (and seems like it performed correctly), I am not entirely sure about it. I'm not bothered myself as the environment where I am performing the tests is intended to be destroyed anytime and recreated, yet in a production environment I am not sure how this would need to be approached. - -Maybe with a `kubectl get all -A` and through `grep` and `less` find resources and configurations, and delete them manually. 
- -```shell -kubectl delete namespace istio-ingress -``` - -# Troubleshooting - -## curl: (7) Failed to connect to 192.168.1.51 port 80 after 2 ms: Couldn't connect to server - -Ensure that the gateway is using the correct `selector` to target the Istio Ingress Load Balancer created. - -# Links of interest - -- https://istio.io/latest/docs/setup/additional-setup/gateway/#deploying-a-gateway \ No newline at end of file +``` \ No newline at end of file diff --git a/09-Ingress/01-Create-Istio-LoadBalancer/README_old.md b/09-Ingress/01-Create-Istio-LoadBalancer/README_old.md new file mode 100644 index 0000000..00d2914 --- /dev/null +++ b/09-Ingress/01-Create-Istio-LoadBalancer/README_old.md 
@@ -0,0 +1,193 @@ +--- +gitea: none +include_toc: true +--- + +# Based on + +- [01-hello_world_1_service_1_deployment](../../01-Getting_Started/01-hello_world_1_service_1_deployment) + +# Description + +On this example, a new Istio Ingress Load Balancer is deployed. + +The previous example has been modified to utilize the Ingress resource just deployed. + + +# Changelog + +## Gateway + +```yaml +apiVersion: networking.istio.io/v1alpha3 +kind: Gateway +metadata: + name: helloworld-gateway +spec: + selector: + istio: myingressgateway # use istio default controller + servers: + - port: + number: 80 + name: http + protocol: HTTP + hosts: + - "*" +``` + +The selector `Istio` has been updated to `myingressgateway`, to match the selector of the Istio Ingress Load Balancer that will be created. + +## Namespace + +```yaml +apiVersion: v1 +kind: Namespace +metadata: + name: istio-ingress + labels: + istio-injection: "enabled" +``` + +The namespace `istio-ingress` will have the label `istio-injection` with the contents set to `enabled` to allow Istio to automatically inject the Istio sidecars to the resources within that namespace, unless specified otherwise. + +## IstioOperator + +```yaml +apiVersion: install.istio.io/v1alpha1 +kind: IstioOperator +metadata: + name: ingress +spec: + profile: empty # Do not install CRDs or the control plane + components: + ingressGateways: + - name: myistio-ingressgateway + namespace: istio-ingress + enabled: true + label: + # Set a unique label for the gateway. This is required to ensure Gateways + # can select this workload + istio: myingressgateway + values: + gateways: + istio-ingressgateway: + # Enable gateway injection + injectionTemplate: gateway +``` + +The following configuration will create an Istio Ingress Load Balancer named `myistio-ingressgateway`, located at the namespace `istio-ingress`. + +The label `istio`, refers to the selector that the `Gateway` resources will use to specify the targeted Istio resource. 
+ +# Walkthrough + +## Deploy resources + +### Create namespace + +```shell +kubectl apply -f 01-Namespace.yaml +``` +```text +namespace/istio-ingress created +``` + +### Create / Install the Istio Ingress resource + + +```shell +istioctl install -f IstioOperator.yaml +``` +```text +This will install the Istio 1.17.2 empty profile into the cluster. Proceed? (y/N) y +✔ Ingress gateways installed +✔ Installation complete +Thank you for installing Istio 1.17. Please take a few minutes to tell us about your install/upgrade experience! https://forms.gle/hMHGiwZHPU7UQRWe9 +``` + +### Deploy gateway + +```shell +kubectl apply -f Gateway.yaml +``` +```text + +gateway.networking.istio.io/helloworld-gateway created +virtualservice.networking.istio.io/helloworld-vs created +``` + +### Deploy deployment + +```shell +kubectl apply -f deployment-nomtls.yaml +``` +```text +service/helloworld created +deployment.apps/helloworld-nginx created +``` + +## Testing deployment + +### Get Load Balancer IP + +```shell +kubectl get svc -n istio-ingress +``` +```text +NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE +myistio-ingressgateway LoadBalancer 10.102.158.128 192.168.1.51 15021:31181/TCP,80:30090/TCP,443:31285/TCP 5m10s +``` + +### Curl + +The request results in status code `200`, meaning a correct handling of the request. 
+ +```shell +curl 192.168.1.51/helloworld -I +``` +```text +HTTP/1.1 200 OK +server: istio-envoy +date: Sun, 23 Apr 2023 06:40:57 GMT +content-type: text/html +content-length: 615 +last-modified: Tue, 28 Mar 2023 15:01:54 GMT +etag: "64230162-267" +accept-ranges: bytes +x-envoy-upstream-service-time: 15 +``` +# Cleanup + +```shell +kubectl delete -f ./ +``` +```text +service "helloworld" deleted +deployment.apps "helloworld-nginx" deleted +gateway.networking.istio.io "helloworld-gateway" deleted +virtualservice.networking.istio.io "helloworld-vs" deleted +``` + +```shell +istioctl uninstall --purge +``` + +Also read that "just removing" the namespace works to purge the config/remove resources. + +Meanwhile, I did that (and seems like it performed correctly), I am not entirely sure about it. I'm not bothered myself as the environment where I am performing the tests is intended to be destroyed anytime and recreated, yet in a production environment I am not sure how this would need to be approached. + +Maybe with a `kubectl get all -A` and through `grep` and `less` find resources and configurations, and delete them manually. + +```shell +kubectl delete namespace istio-ingress +``` + +# Troubleshooting + +## curl: (7) Failed to connect to 192.168.1.51 port 80 after 2 ms: Couldn't connect to server + +Ensure that the gateway is using the correct `selector` to target the Istio Ingress Load Balancer created. + +# Links of interest + +- https://istio.io/latest/docs/setup/additional-setup/gateway/#deploying-a-gateway \ No newline at end of file diff --git a/09-Ingress/01-Create-Istio-LoadBalancer/Service.yaml b/09-Ingress/01-Create-Istio-LoadBalancer/Service.yaml new file mode 100644 index 0000000..271ce25 --- /dev/null +++ b/09-Ingress/01-Create-Istio-LoadBalancer/Service.yaml 
@@ -0,0 +1,13 @@ +apiVersion: v1 +kind: Service +metadata: + name: helloworld + labels: + app: helloworld + service: helloworld +spec: + ports: + - port: 80 + name: http + selector: + app: helloworld \ No newline at end of file diff --git a/09-Ingress/01-Create-Istio-LoadBalancer/VirtualService.yaml b/09-Ingress/01-Create-Istio-LoadBalancer/VirtualService.yaml new file mode 100644 index 0000000..205231b --- /dev/null +++ b/09-Ingress/01-Create-Istio-LoadBalancer/VirtualService.yaml @@ -0,0 +1,20 @@ +apiVersion: networking.istio.io/v1alpha3 +kind: VirtualService +metadata: + name: helloworld-vs +spec: + hosts: + - "*" + gateways: + - helloworld-gateway + http: + - match: + - uri: + exact: /helloworld + route: + - destination: + host: helloworld + port: + number: 80 + rewrite: + uri: "/" \ No newline at end of file
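Review bot: `host: helloworld` in the route destination of the new VirtualService.yaml is a short name, which Istio resolves relative to the VirtualService's own namespace, and neither this manifest nor Service.yaml sets `metadata.namespace`. Applied from a context namespace other than the one holding the Service, the route would point at a different or missing service. The 03 example touched by this same commit already uses the fully qualified form, so `host: helloworld.default.svc.cluster.local` would be consistent with it. With `hosts: - "*"`, the `/helloworld` rule also matches every Host header that reaches `helloworld-gateway`; a comment like `# Lab only: wildcard host, restrict to the served hostname elsewhere` would help readers who copy the file.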