Managed to understand sidecar a bit, need to document things.

This commit is contained in:
Oriol 2023-04-18 22:51:35 +01:00
parent a8e0b17d38
commit e28c54c89a
18 changed files with 610 additions and 330 deletions

View File

@ -12,5 +12,5 @@ https://istio.io/latest/docs/ops/diagnostic-tools/proxy-cmd/
Using service accounts

View File

@ -0,0 +1,108 @@
# Continues from
- 01-hello_world_1_service_1_deployment
---
## Files
- deployment.yaml
- gateway.yaml
- sidecar.yaml
> Added the `sidecar.yaml` file.
## deployment.yaml
### Creates
#### Service
- helloworld
#### Deployments
- helloworld-nginx (Nginx container)
## gateway.yaml
### Creates
#### Gateway
##### helloworld-gateway
###### Configuration
```yml
port: 80
istio-ingress: ingressgateway
hosts: "*"
```
#### VirtualService
##### helloworld-vs
###### Configuration
```yaml
hosts: "*"
uri: "/helloworld"
rewrite:
uri: "/"
```
- Allows the traffic from that have any domain.
- Only allows traffic that has as a destination the directory/path `/helloworld`.
- `rewrite.uri` allows to redirect the traffic towards the root directory of the service, as the service(s) used don't have any directory named `helloworld` but are configured to work at the root base level.
# Run example
## Deploy resources
```shell
$ kubectl apply -f ./
service/helloworld created
deployment.apps/helloworld-nginx created
gateway.networking.istio.io/helloworld-gateway created
virtualservice.networking.istio.io/helloworld-vs created
```
## Wait for the pods to be ready
(I think it deploys 2 pods as there is the Envoy Proxy pod besides the Nginx deployment)
```shell
$ kubectl get deployment helloworld-nginx -w
NAME READY UP-TO-DATE AVAILABLE AGE
helloworld-nginx 1/1 1 1 44s
```
## Test the service
### Get LB IP
```shell
$ kubectl get svc istio-ingressgateway -n istio-system
NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE
istio-ingressgateway LoadBalancer 10.97.47.216 192.168.1.50 15021:31316/TCP,80:32012/TCP,443:32486/TCP 39h
```
### Curl
```shell
$ curl 192.168.1.50/helloworld -s | grep "<title>.*</title>"  ✔
<title>Welcome to nginx!</title>
```
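Review bot: the README does not match the manifests it describes. It lists the Service as `helloworld`, but the deployment.yaml added in this commit names it `helloworld-service` and gateway.yaml routes to `helliworld`; pick one name and use it in all three places. The VirtualService summary under gateway.yaml also leaves out the destination port (8080), which is exactly what the Sidecar ingress mapping in this commit relies on, so it is worth stating. `sidecar.yaml` is listed under Files but never gets a section of its own like the other two. The aside "I think it deploys 2 pods" is not what the shown output says: `READY 1/1` is one pod; the Envoy proxy is injected as a second container in that same pod, so `kubectl get pods` would show `2/2`, not a second pod. Finally, "Allows the traffic from that have any domain" is a broken sentence; `hosts: "*"` means the rule accepts any Host header.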

View File

@ -0,0 +1,44 @@
## https://github.com/istio/istio/blob/master/samples/helloworld/helloworld.yaml
apiVersion: v1
kind: Service
metadata:
name: helloworld-service
labels:
app: helloworld
service: helloworld
# namespace: visiblent
spec:
ports:
- port: 8080
name: http
selector:
app: helloworld
---
apiVersion: apps/v1
kind: Deployment
metadata:
name: helloworld-nginx
labels:
app: helloworld
# namespace: visiblent
spec:
replicas: 1
selector:
matchLabels:
app: helloworld
template:
metadata:
labels:
app: helloworld
# namespace: visiblent
spec:
# serviceAccountName: istio-helloworld
containers:
- name: helloworld
image: nginx
resources:
requests:
cpu: "100m"
imagePullPolicy: IfNotPresent #Always
ports:
- containerPort: 80
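Review bot: the Service exposes `port: 8080` with no `targetPort`, so it targets pod port 8080 while the nginx container only declares `containerPort: 80`. Traffic reaches nginx only because the Sidecar in this commit maps ingress 8080 to `127.0.0.1:80`; without the sidecar (or with injection off for the namespace) the Service is dead. Either add `targetPort: 80` or leave a comment saying the mismatch is intentional for the Sidecar experiment. The `# namespace: visiblent` lines are indented under `labels:`, so if uncommented they would become a label rather than `metadata.namespace`. Minor: `image: nginx` is untagged; pin a tag so the example is reproducible.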

View File

@ -0,0 +1,64 @@
# https://github.com/istio/istio/blob/master/samples/helloworld/helloworld-gateway.yaml
apiVersion: networking.istio.io/v1alpha3
kind: Gateway
metadata:
name: helloworld-gateway
spec:
selector:
istio: ingressgateway # use istio default controller
servers:
- port:
number: 80
name: http
protocol: HTTP
hosts:
- "*"
---
apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
name: helloworld-vs
spec:
hosts:
- "*"
gateways:
- helloworld-gateway
http:
- match:
- uri:
exact: /helloworld
route:
- destination:
host: helliworld
# host: helloworlddo
# host: helloworld-nginx-56c5c77cd7-9mxmf.visiblent
port:
number: 8080
rewrite:
uri: "/"
---
#apiVersion: networking.istio.io/v1alpha3
#kind: VirtualService
#metadata:
# name: helloworld-vs
#spec:
# hosts:
# - "*"
# gateways:
# - helloworld-gateway
# http:
# - timeout: 3s
# match:
# - uri:
# - exact: "/external"
# route:
# - destination:
# host: help.websiteos.com
# port:
# number: 80
# rewrite:
# uri: "/websiteos/example_of_a_simple_html_page.htm"
# headers:
# request:
# set:
# HOST: "help.websiteos.com"
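Review bot: `host: helliworld` in the route destination reads like a typo for `helloworld`; it does not match the `helloworld-service` Service created by the new deployment.yaml in this commit, although it does match the Service renamed to `helliworld` in the modified one, so the two example directories look out of sync. A short host name is also resolved in the VirtualService's own namespace, so the route depends on where this file is applied. The commented alternative `helloworld-nginx-56c5c77cd7-9mxmf.visiblent` is a pod name, which is not a valid destination host (destinations are service hosts from the registry), so drop it rather than leave it as a hint. In the commented second VirtualService, `- uri:` followed by `- exact: "/external"` makes `uri` a list, which is not a valid `HTTPMatchRequest`; it should read `uri:` with `exact: "/external"` nested under it.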

View File

@ -0,0 +1,48 @@
## First we overide the default configuration.
# This configures the egress, to only allow egress within the same namespace, and to `istio-system`
#apiVersion: networking.istio.io/v1beta1
#kind: Sidecar
#metadata:
# name: default
# namespace: istio-config
#spec:
# egress:
# - hosts:
# - "./*"
# - "istio-system/*"
---
apiVersion: networking.istio.io/v1alpha3
kind: Sidecar
metadata:
name: helloworlddo
# name: helloworld-sidecar
# namespace: visiblent
spec:
workloadSelector:
labels:
app: helloworld
ingress:
# - bind: 192.168.1.50
# - bind: 172.17.121.220
- port:
number: 8080
protocol: HTTP
name: ingressport
defaultEndpoint: 127.0.0.1:80
# defaultEndpoint: unix:///var/run/someuds.sock
# captureMode: DEFAULT
# egress:
# - port:
# number: 80
# protocol: HTTP
# name: egressport
# hosts:
# - "prod-us1/*"
# - hosts:
# - "istio-system/*"
# egress:
# hosts:
# - "./*"
# - "istio-system/*"
# captureMode: DEFAULT
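Review bot: the mesh-wide default Sidecar is fully commented out, so this file only installs the workload-scoped one, and with `egress` also commented the proxy keeps the default of reaching every service in the mesh; the header comment about restricting egress to the namespace and `istio-system` no longer describes what gets applied. The resource has no `namespace`, so it lands wherever `kubectl apply` is pointed, and a `workloadSelector` Sidecar only affects pods in its own namespace. The commented `bind: 192.168.1.50` is the ingress gateway's external IP per the README; `ingress.bind` must be an address present in the pod, so that variant could never work and should go. Also the commented default uses `v1beta1` while this resource uses `v1alpha3`; use one apiVersion throughout.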

View File

@ -1,27 +0,0 @@
https://github.com/steren/istio.github.io/blob/master/_docs/setup/kubernetes/sidecar-injection.md
https://istio.io/latest/docs/reference/config/networking/sidecar/
# Continues from
- 01-hello_world_1_service_1_deployment
the labbel `workloadSelector` only affects the pods.
```yaml
workloadSelector:
```
```sh
kubectl create namespace istio-config
```
No fucking clue on how to make it NOT work.

View File

@ -1,36 +0,0 @@
# https://github.com/istio/istio/blob/master/samples/helloworld/helloworld-gateway.yaml
apiVersion: networking.istio.io/v1alpha3
kind: Gateway
metadata:
name: helloworld-gateway
spec:
selector:
istio: ingressgateway # use istio default controller
servers:
- port:
number: 80
name: http
protocol: HTTP
hosts:
- "*"
---
apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
name: helloworld-vs
spec:
hosts:
- "*"
gateways:
- helloworld-gateway
http:
- match:
- uri:
exact: /helloworld
route:
- destination:
host: helloworld.visiblent.svc.cluster.local
port:
number: 80
rewrite:
uri: "/"
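Review bot: the deleted version routed to the fully qualified `helloworld.visiblent.svc.cluster.local` on port 80, which is the unambiguous form; its replacement in this commit uses the short name `helliworld` and port 8080. Record in the notes why the FQDN and port were dropped, since the new form only works from the namespace the VirtualService is applied in and only through the Sidecar ingress listener.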

View File

@ -1,23 +0,0 @@
## First we overide the default configuration.
# This configures the egress, to only allow egress within the same namespace, and to `istio-system`
apiVersion: networking.istio.io/v1beta1
kind: Sidecar
metadata:
name: default
namespace: istio-config
spec:
egress:
- hosts:
- "./*"
# - "istio-system/*"
---
apiVersion: networking.istio.io/v1beta1
kind: Sidecar
metadata:
name: default
namespace: visiblent
spec:
egress:
- hosts:
- "visiblent/*"
- "istio-system/*"

View File

@ -1,235 +0,0 @@
## https://github.com/istio/istio/blob/master/samples/helloworld/helloworld.yaml
#apiVersion: v1
#kind: Service
#metadata:
# name: helloworld
# labels:
# app: helloworld
# service: helloworld
#spec:
# ports:
# - port: 80
# name: http
# selector:
# app: helloworld
#---
##apiVersion: v1
##kind: ServiceAccount
##metadata:
## name: istio-helloworld
## labels:
## account:
#---
#apiVersion: apps/v1
#kind: Deployment
#metadata:
# creationTimestamp: null
# labels:
# app: helloworld
# name: helloworld-nginx
#spec:
# replicas: 1
# selector:
# matchLabels:
# app: helloworld
# strategy: {}
# template:
# metadata:
# annotations:
# kubectl.kubernetes.io/default-container: helloworld
# kubectl.kubernetes.io/default-logs-container: helloworld
# prometheus.io/path: /stats/prometheus
# prometheus.io/port: "15020"
# prometheus.io/scrape: "true"
# sidecar.istio.io/status: '{"initContainers":["istio-init"],"containers":["istio-proxy"],"volumes":["workload-socket","credential-socket","workload-certs","istio-envoy","istio-data","istio-podinfo","istio-token","istiod-ca-cert"],"imagePullSecrets":null,"revision":"default"}'
# creationTimestamp: null
# labels:
# app: helloworld
# security.istio.io/tlsMode: istio
# service.istio.io/canonical-name: helloworld
# service.istio.io/canonical-revision: latest
# spec:
# containers:
# - image: nginx
# imagePullPolicy: IfNotPresent
# name: helloworld
# ports:
# - containerPort: 80
# resources:
# requests:
# cpu: 100m
# - args:
# - proxy
# - sidecar
# - --domain
# - $(POD_NAMESPACE).svc.cluster.local
# - --proxyLogLevel=warning
# - --proxyComponentLogLevel=misc:error
# - --log_output_level=default:info
# - --concurrency
# - "2"
# env:
# - name: JWT_POLICY
# value: third-party-jwt
# - name: PILOT_CERT_PROVIDER
# value: istiod
# - name: CA_ADDR
# value: istiod.istio-system.svc:15012
# - name: POD_NAME
# valueFrom:
# fieldRef:
# fieldPath: metadata.name
# - name: POD_NAMESPACE
# valueFrom:
# fieldRef:
# fieldPath: metadata.namespace
# - name: INSTANCE_IP
# valueFrom:
# fieldRef:
# fieldPath: status.podIP
# - name: SERVICE_ACCOUNT
# valueFrom:
# fieldRef:
# fieldPath: spec.serviceAccountName
# - name: HOST_IP
# valueFrom:
# fieldRef:
# fieldPath: status.hostIP
# - name: PROXY_CONFIG
# value: |
# {}
# - name: ISTIO_META_POD_PORTS
# value: |-
# [
# {"containerPort":80}
# ]
# - name: ISTIO_META_APP_CONTAINERS
# value: helloworld
# - name: ISTIO_META_CLUSTER_ID
# value: Kubernetes
# - name: ISTIO_META_INTERCEPTION_MODE
# value: REDIRECT
# - name: ISTIO_META_MESH_ID
# value: cluster.local
# - name: TRUST_DOMAIN
# value: cluster.local
# image: istio/proxyv2:1.16.1
# name: istio-proxy
# ports:
# - containerPort: 15090
# name: http-envoy-prom
# protocol: TCP
# readinessProbe:
# failureThreshold: 30
# httpGet:
# path: /healthz/ready
# port: 15021
# initialDelaySeconds: 1
# periodSeconds: 2
# timeoutSeconds: 3
# resources:
# limits:
# cpu: "2"
# memory: 1Gi
# requests:
# cpu: 100m
# memory: 128Mi
# securityContext:
# allowPrivilegeEscalation: false
# capabilities:
# drop:
# - ALL
# privileged: false
# readOnlyRootFilesystem: true
# runAsGroup: 1337
# runAsNonRoot: true
# runAsUser: 1337
# volumeMounts:
# - mountPath: /var/run/secrets/workload-spiffe-uds
# name: workload-socket
# - mountPath: /var/run/secrets/credential-uds
# name: credential-socket
# - mountPath: /var/run/secrets/workload-spiffe-credentials
# name: workload-certs
# - mountPath: /var/run/secrets/istio
# name: istiod-ca-cert
# - mountPath: /var/lib/istio/data
# name: istio-data
# - mountPath: /etc/istio/proxy
# name: istio-envoy
# - mountPath: /var/run/secrets/tokens
# name: istio-token
# - mountPath: /etc/istio/pod
# name: istio-podinfo
# initContainers:
# - args:
# - istio-iptables
# - -p
# - "15001"
# - -z
# - "15006"
# - -u
# - "1337"
# - -m
# - REDIRECT
# - -i
# - '*'
# - -x
# - ""
# - -b
# - '*'
# - -d
# - 15090,15021,15020
# - --log_output_level=default:info
# image: istio/proxyv2:1.16.1
# name: istio-init
# resources:
# limits:
# cpu: "2"
# memory: 1Gi
# requests:
# cpu: 100m
# memory: 128Mi
# securityContext:
# allowPrivilegeEscalation: false
# capabilities:
# add:
# - NET_ADMIN
# - NET_RAW
# drop:
# - ALL
# privileged: false
# readOnlyRootFilesystem: false
# runAsGroup: 0
# runAsNonRoot: false
# runAsUser: 0
# volumes:
# - name: workload-socket
# - name: credential-socket
# - name: workload-certs
# - emptyDir:
# medium: Memory
# name: istio-envoy
# - emptyDir: {}
# name: istio-data
# - downwardAPI:
# items:
# - fieldRef:
# fieldPath: metadata.labels
# path: labels
# - fieldRef:
# fieldPath: metadata.annotations
# path: annotations
# name: istio-podinfo
# - name: istio-token
# projected:
# sources:
# - serviceAccountToken:
# audience: istio-ca
# expirationSeconds: 43200
# path: istio-token
# - configMap:
# name: istio-ca-root-cert
# name: istiod-ca-cert
#status: {}
#---

View File

@ -8,6 +8,8 @@ I am not very sure on how or why to use this...
NOT HOW TO TRIGGER / UNTRIGGER IT
```yaml
apiVersion:
networking.istio.io/v1alpha3
@ -20,4 +22,66 @@ spec:
- hosts:
- "./*"
- "istio-system/*"
```
```
whats this again??
istio operator right? ye, but what is it again? I think I checked this time ago when doing something about creating a new ingress
kubectl get io -A
2023-04-17T00:08:00.086475Z info validationController Not ready to switch validation to fail-closed: dummy invalid config not rejected
2023-04-17T00:08:04.012630Z info validationServer configuration is invalid: gateway must have at least one server
kubectl logs -f deployments/istiod -n istio-system
https://istio.io/latest/docs/reference/config/networking/sidecar/
egress:
- port:
number: 8080
protocol: HTTP
hosts:
- "staging/*"
With the YAML above, the sidecar proxies the traffic thats bound for port 8080 for services running in the staging namespace.
- Confirm pod ingress port forwarding
- Confirm it can reach other places / namespaces / resources (pod egress)
- mtls (somehow)
# Ingress
Does stuff
# Egress
What is "bind"
# CaptureMode
Not my problem rn
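Review bot: the code fences are unbalanced: the first ``` closes the YAML block and the second ``` immediately opens a new block that swallows the rest of the file. The `kubectl` commands, the two istiod log lines and the `egress:` snippet each want their own fence, and the `egress:` snippet belongs in a `yaml` fence with the indentation it has in the reference. The sentence about port 8080 and the `staging` namespace reads as a quote from the Sidecar reference linked just above it; mark it as a quote. The log line `configuration is invalid: gateway must have at least one server` is a real validation rejection and is worth keeping next to whichever manifest produced it.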

View File

@ -5,4 +5,5 @@ metadata:
labels:
# istio-injection: "false"
istio-injection: "enabled"
f: "3"
---
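Review bot: `f: "3"` looks like a leftover test label; drop it or say what it is for. The commented `istio-injection: "false"` is not one of the documented values of that label (`enabled` and `disabled`), so prefer `disabled` when the intent is to switch injection off for the namespace explicitly.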

View File

@ -0,0 +1,66 @@
https://github.com/steren/istio.github.io/blob/master/_docs/setup/kubernetes/sidecar-injection.md
https://istio.io/latest/docs/reference/config/networking/sidecar/
# Continues from
- 01-hello_world_1_service_1_deployment
the labbel `workloadSelector` only affects the pods.
```yaml
workloadSelector:
```
whats this command again?
istioctl operator init
https://istio.io/latest/docs/ops/common-problems/injection/
```sh
kubectl create namespace istio-config
```
No fucking clue on how to make it NOT work.
https://istio.io/latest/blog/2021/discovery-selectors/#discovery-selectors-vs-sidecar-resource
https://istio.io/latest/docs/reference/config/networking/sidecar/
# Sidecar notes
Sidecar describes the configuration of the sidecar proxy that mediates inbound and outbound communication to the
workload instance it is attached to.
By default, Istio will program all sidecar proxies in the mesh with the necessary
configuration required to reach every workload instance in the mesh, as well as accept traffic on all the ports associated
with the workload.
The Sidecar configuration provides a way to fine tune the set of ports, protocols that the proxy will
accept when forwarding traffic to and from the workload. In addition, it is possible to restrict the set of services that
the proxy can reach when forwarding outbound traffic from workload instances.
The behavior of the system is undefined if two or more Sidecar configurations with a workloadSelector select the same workload instance.
https://youtu.be/lnYTqNfyzNk
https://www.youtube.com/watch?v=UJ86BNQEcTA
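Review bot: the last sentence under "Sidecar notes", that behavior is undefined when two Sidecar configurations with a `workloadSelector` select the same workload, applies directly to this commit: sidecar.yaml selects `app: helloworld`, so no other Sidecar with that selector may exist in the same namespace; worth calling out next to the note. The Sidecar reference URL is listed twice in the file (lines near the top and again before the notes). The `istioctl operator init` line answers the question above it; fold the two into one line so the notes read as an answer rather than a pending question.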

View File

@ -0,0 +1,19 @@
## https://github.com/istio/istio/blob/master/samples/helloworld/helloworld.yaml
#---
#apiVersion: networking.istio.io/v1alpha3
#kind: ServiceEntry
#metadata:
# name: external-svc
# namespace: visiblent
#spec:
# hosts:
# - help.websiteos.com
# # /websiteos/example_of_a_simple_html_page.htm
## - http://help.websiteos.com/websiteos/example_of_a_simple_html_page.htm
# ports:
# - number: 80
# name: http
# protocol: HTTP
# resolution: DNS
# location: MESH_EXTERNAL
#---
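Review bot: the whole ServiceEntry is commented out, yet the commented VirtualService in this commit's gateway.yaml routes to `help.websiteos.com`; without a ServiceEntry that host is not in the service registry and a VirtualService destination pointing at it has no cluster to route to. Uncomment both together or neither. The header comment points at helloworld.yaml, which is unrelated to this file. `hosts` entries must be hostnames, so the commented full URL with a path (`http://help.websiteos.com/websiteos/...`) cannot go in that list; the path belongs in the VirtualService `rewrite` where it already is.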

View File

@ -1,19 +1,19 @@
# https://github.com/istio/istio/blob/master/samples/helloworld/helloworld.yaml
## https://github.com/istio/istio/blob/master/samples/helloworld/helloworld.yaml
apiVersion: v1
kind: Service
metadata:
name: helloworld
name: helliworld
labels:
app: helloworld
service: helloworld
namespace: visiblent
# namespace: visiblent
spec:
ports:
- port: 80
- port: 8080
name: http
selector:
app: helloworld
---
#---
#apiVersion: v1
#kind: ServiceAccount
#metadata:
@ -27,7 +27,7 @@ metadata:
name: helloworld-nginx
labels:
app: helloworld
namespace: visiblent
# namespace: visiblent
spec:
replicas: 1
selector:
@ -37,7 +37,7 @@ spec:
metadata:
labels:
app: helloworld
namespace: visiblent
# namespace: visiblent
spec:
# serviceAccountName: istio-helloworld
containers:
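Review bot: renaming the Service from `helloworld` to `helliworld` reads like a typo, and it diverges from the `helloworld-service` name used in the other deployment.yaml added in this commit; if the rename is deliberate (for instance to check that the VirtualService host resolves by name), say so in a comment. Changing `port: 80` to `port: 8080` without a `targetPort` means the Service now points at pod port 8080, which nginx does not listen on; it only works through the Sidecar ingress listener that forwards 8080 to `127.0.0.1:80`. The `namespace: visiblent` lines being commented out changes nothing in practice: they sit under `labels:`, so they were labels, not the namespace, even before this change.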

View File

@ -0,0 +1,64 @@
# https://github.com/istio/istio/blob/master/samples/helloworld/helloworld-gateway.yaml
apiVersion: networking.istio.io/v1alpha3
kind: Gateway
metadata:
name: helloworld-gateway
spec:
selector:
istio: ingressgateway # use istio default controller
servers:
- port:
number: 80
name: http
protocol: HTTP
hosts:
- "*"
---
apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
name: helloworld-vs
spec:
hosts:
- "*"
gateways:
- helloworld-gateway
http:
- match:
- uri:
exact: /helloworld
route:
- destination:
host: helliworld
# host: helloworlddo
# host: helloworld-nginx-56c5c77cd7-9mxmf.visiblent
port:
number: 8080
rewrite:
uri: "/"
---
#apiVersion: networking.istio.io/v1alpha3
#kind: VirtualService
#metadata:
# name: helloworld-vs
#spec:
# hosts:
# - "*"
# gateways:
# - helloworld-gateway
# http:
# - timeout: 3s
# match:
# - uri:
# - exact: "/external"
# route:
# - destination:
# host: help.websiteos.com
# port:
# number: 80
# rewrite:
# uri: "/websiteos/example_of_a_simple_html_page.htm"
# headers:
# request:
# set:
# HOST: "help.websiteos.com"
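Review bot: this file is identical to the other gateway.yaml added in this commit, including the `helliworld` destination and the commented external route. Since the two directories' deployment.yaml files create differently named Services (`helloworld-service` in one, `helliworld` in the other), one of the two copies routes to a Service that does not exist in its directory. Either keep a single copy or make each copy's destination host match the Service defined next to it.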

View File

@ -0,0 +1,47 @@
## First we overide the default configuration.
# This configures the egress, to only allow egress within the same namespace, and to `istio-system`
apiVersion: networking.istio.io/v1beta1
kind: Sidecar
metadata:
name: default
namespace: istio-config
spec:
egress:
- hosts:
- "./*"
- "istio-system/*"
---
apiVersion: networking.istio.io/v1alpha3
kind: Sidecar
metadata:
name: helloworlddo
# namespace: visiblent
spec:
workloadSelector:
labels:
app: helloworld
ingress:
# - bind: 192.168.1.50
# - bind: 172.17.121.220
- port:
number: 8080
protocol: HTTP
name: ingressport
defaultEndpoint: 127.0.0.1:80
# defaultEndpoint: unix:///var/run/someuds.sock
# captureMode: DEFAULT
# egress:
# - port:
# number: 80
# protocol: HTTP
# name: egressport
# hosts:
# - "prod-us1/*"
# - hosts:
# - "istio-system/*"
# egress:
# hosts:
# - "./*"
# - "istio-system/*"
# captureMode: DEFAULT
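Review bot: the `default` Sidecar in namespace `istio-config` is only mesh-wide if `istio-config` is the mesh's root namespace (`meshConfig.rootNamespace`, which is `istio-system` unless changed); otherwise it restricts only workloads in `istio-config` and the "overide the default configuration" comment is misleading. The notes in this commit show `kubectl create namespace istio-config` but not the root namespace change, so either set it or move this resource to `istio-system`. The two Sidecars mix `v1beta1` and `v1alpha3` apiVersions; use one. With `egress` commented out on `helloworlddo`, that workload inherits egress from the namespace-wide or mesh-wide Sidecar, which is the intended layering but deserves a comment. Also fix the spelling "overide" in the header.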

View File

@ -0,0 +1,23 @@
#apiVersion:
# networking.istio.io/v1alpha3
#kind: Sidecar
#metadata:
# name: default
# namespace: default
#spec:
# egress:
# - hosts:
# - "./*"
# - "istio-system/*"
#---
#apiVersion: networking.istio.io/v1alpha3
#kind: Sidecar
#metadata:
# name: default-sidecar
# namespace: default
#spec:
# egress:
# - hosts:
# - "default/*"
# - "istio-system/*"
# - "staging/*"
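Review bot: both commented Sidecars (`default` and `default-sidecar`) live in namespace `default` and have no `workloadSelector`; a namespace may carry only one such namespace-wide Sidecar, so uncommenting both would be an error. Keep one, and if the intent is to compare the two egress lists, leave the second as a comment that says so. The `apiVersion:` value split onto the next line in the first document is valid YAML but uneven with the second document; put it on one line.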

View File

@ -0,0 +1,53 @@
apiVersion: v1
kind: Service
metadata:
name: ratings
labels:
app: ratings
service: ratings
spec:
ports:
- port: 8443
name: https
targetPort: 80
selector:
app: ratings
apiVersion: security.istio.io/v1beta1
kind: PeerAuthentication
metadata:
name: ratings-peer-auth
namespace: prod-us1
spec:
selector:
matchLabels:
app: ratings
mtls:
mode: STRICT
portLevelMtls:
80:
mode: DISABLE
apiVersion: networking.istio.io/v1alpha3
kind: Sidecar
metadata:
name: ratings
namespace: prod-us1
spec:
workloadSelector:
labels:
app: ratings
ingress:
- port:
number: 80
protocol: HTTPS
name: somename
defaultEndpoint: unix:///var/run/someuds.sock
tls:
mode: SIMPLE
privateKey: "/etc/certs/privatekey.pem"
serverCertificate: "/etc/certs/servercert.pem"
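Review bot: the three documents (Service, PeerAuthentication, Sidecar) are concatenated with no `---` separators, so as written this is a single YAML document with duplicate `apiVersion`, `kind` and `metadata` keys and `kubectl apply` will reject it; add `---` before each `apiVersion`. The Service has no namespace while the other two are in `prod-us1`; add `namespace: prod-us1` so the selectors all point at the same pods. The rest is coherent: `portLevelMtls` with `80: mode: DISABLE` turns off Istio mTLS on the app port so the Sidecar ingress listener can terminate plain TLS itself (`mode: SIMPLE`) with the given key and certificate paths; those files must be mounted into the istio-proxy container, which the injected deployment deleted in this commit runs with a read-only root filesystem, so they need to come from a volume.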