ofilter/Istio_Examples
1
0
Fork 0
Code Issues 26 Pull Requests Packages Projects 1 Releases Wiki Activity

Compare commits

base: ofilter:73b4959b4506c28d977813b79414d41231ad73ef
Branches Tags
ofilter:main ofilter:dev
...
compare: ofilter:dev
Branches Tags
ofilter:main ofilter:dev

79 Commits
73b4959b45 ... dev

Author SHA1 Message Date
ofilter
a4419990ea Merge branch 'main' into dev 2024-01-15 21:45:39 +01:00
ofilter
990bada6e1 Merge pull request 'dev2_Jan_15_2024' (#67) from dev2_Jan_15_2024 into dev 
Reviewed-on: #67
 2024-01-15 21:44:43 +01:00
ofilter
e088cf6659 Merge branch 'dev' into dev2_Jan_15_2024 2024-01-15 21:44:34 +01:00
savagebidoof
ee13b20458 Fixed lowercase typo on folder name. 
Quick made the README.md
 2024-01-15 21:36:27 +01:00
savagebidoof
2582e15e1a Added couple relevant links to the topic, nothing else. 2024-01-15 21:32:45 +01:00
savagebidoof
404c036883 Deleted/Moved to main 2024-01-15 21:32:29 +01:00
savagebidoof
6cb3c9fa50 Added simple monitoring examples. 
They are based off Helm PrometheusStack community Chart.
 2024-01-15 21:32:14 +01:00
ofilter
f86ac97255 Merge pull request 'dev - 2023/10/14' (#66) from dev into main 
Reviewed-on: https://gitea.filterhome.xyz/ofilter/Istio_Examples/pulls/66
 2023-10-14 13:06:28 +02:00
ofilter
2fb608c5bd Merge branch 'main' into dev 2023-10-14 13:06:17 +02:00
savagebidoof
942a3bf8ae Updated Global README.md 2023-10-14 13:03:28 +02:00
savagebidoof
74e5b9d5f0 Inserted into the respective directory. 2023-10-14 13:01:46 +02:00
savagebidoof
7e004697a9 Fixed link refference 2023-10-14 13:00:52 +02:00
savagebidoof
c02a355a95 Renamed folder 2023-10-14 13:00:22 +02:00
savagebidoof
d2b1dc2284 Speed documented 2023-10-14 12:59:07 +02:00
savagebidoof
f0ce2ae68d Fixed format 2023-10-14 12:50:13 +02:00
savagebidoof
b6657bdd4c Renamed files and deglossed it's contents. 2023-10-14 12:30:39 +02:00
savagebidoof
68efcde1fa Added a section README.md to the sections: 
- 90-MixConfigs
- 99-resources
 2023-10-14 12:22:17 +02:00
savagebidoof
1cf75d5902 Deglossed the files. 2023-10-14 12:21:42 +02:00
savagebidoof
df8eea778c Documented examples from 11-Fault_Injection: 
- 01-FaultInjection-delay
- 02-FaultInjection-abort

Added a section README.md to the section:

- 11-Fault_Injection
 2023-10-14 12:11:34 +02:00
savagebidoof
c1aec3ae4c Renamed file to capitalized first letter. 2023-10-14 11:21:30 +02:00
savagebidoof
957dbfcf84 Updated global README.md 2023-10-14 11:19:29 +02:00
savagebidoof
e883755680 Added section README.md for: 
- 10-mTLS_PeerAuthentication

Renamed its files to use a capital letter at the start of the files.
 2023-10-14 11:14:19 +02:00
savagebidoof
0a1e36dcaf Added section README.md for: 
- 09-Ingress
 2023-10-14 11:08:51 +02:00
savagebidoof
40fe16c040 Renamed folder 2023-10-14 11:06:55 +02:00
savagebidoof
b440efb6b2 Renamed directories 2023-10-14 11:02:16 +02:00
savagebidoof
4e66d65096 Fixed refference 2023-10-14 11:01:51 +02:00
savagebidoof
16f7ab6178 Improved Readme slightly. 2023-10-14 11:00:10 +02:00
savagebidoof
d117481a5b Documented Section Readme for: 
- 08-AuthorizationPolicy

Also, (speed) documented its examples.
 2023-10-14 10:59:33 +02:00
savagebidoof
84b71d9751 Minor update to the global README.md file. 2023-10-14 10:27:11 +02:00
savagebidoof
fd3f9b6e95 Didn't add the examples section. 2023-10-14 10:25:13 +02:00
savagebidoof
de4ae7dd09 Documented 06_Envoy examples: 
- 01-Envoy-add-response-headers
- 02-envoy-logging

Added section README.md to:
- 05-Sidecar
- 06-Envoy
 2023-10-14 10:19:01 +02:00
savagebidoof
6aa4cb2c03 Updated global README 2023-10-14 06:46:54 +02:00
savagebidoof
8c1288f8d1 Set up the base of the README 2023-10-14 06:43:07 +02:00
savagebidoof
23eb763524 Fixed typos in 3 section references. 2023-10-14 06:42:54 +02:00
savagebidoof
87aab0c9be Proceeding with the README from each section. 2023-10-14 06:29:49 +02:00
savagebidoof
6ff0ce9ee8 Quality improvements. 
Fixed broken URL or typos in the directory references.

As well proceeding with the README from each section.
 2023-10-14 06:21:26 +02:00
savagebidoof
439d62b718 Merge remote-tracking branch 'origin/dev' into dev 2023-07-01 17:35:00 +02:00
savagebidoof
73d4918f2c deleted doomy file. 2023-07-01 17:33:59 +02:00
savagebidoof
93018487e6 deleted doomy file. 2023-07-01 17:33:20 +02:00
ofilter
1542aaafcc Merge pull request 'dev - mid update' (#63) from dev into main 
Reviewed-on: https://gitea.filterhome.xyz/ofilter/Istio_Examples/pulls/63
 2023-07-01 14:21:59 +00:00
ofilter
f8fd8c6ce5 Merge branch 'main' into dev 2023-07-01 14:21:19 +00:00
savagebidoof
9d7cae15f8 deleted doomy file. 2023-07-01 16:17:57 +02:00
savagebidoof
f068de7dcc quality improvement on the README.md 2023-07-01 16:07:15 +02:00
savagebidoof
eb001e704a fixed README.md tree 2023-07-01 16:05:54 +02:00
savagebidoof
f5b24a9a17 Added Undocumented Minecraft example. 2023-07-01 16:05:10 +02:00
savagebidoof
78f09bdc08 Updated README.md 2023-07-01 16:03:58 +02:00
savagebidoof
07bca8cce1 Renamed folder 
Small quality improvement
 2023-07-01 16:02:52 +02:00
savagebidoof
e9af4daeee Renamed folder 
Small quality improvement
 2023-07-01 16:02:18 +02:00
savagebidoof
be2375c14c Fixed link reference 2023-07-01 15:56:27 +02:00
savagebidoof
b7de0f8205 Sorted some folders. 
Quality improvements for 01-Service_Entry
 2023-07-01 15:54:38 +02:00
savagebidoof
918f480319 Seems like I moved some files around (it's been a while) 
Also have documented the ingress example regarding installing a Istio Ingress Gateway Load Balancer.
 2023-07-01 15:40:15 +02:00
savagebidoof
703d380bca added a final dot... 2023-05-15 15:36:08 +02:00
savagebidoof
4681d98ae7 fixed markdown checkboxes 2023-05-15 15:36:00 +02:00
ofilter
fe4cfa88a6 Merge pull request '15/May/2023' (#62) from dev into main 
Reviewed-on: https://gitea.filterhome.xyz/ofilter/Istio_Examples/pulls/62
 2023-05-15 13:33:16 +00:00
savagebidoof
88e71e8c5b Quality improvements. 2023-05-15 15:28:37 +02:00
savagebidoof
747c3f1171 Documented 02-egress-proxy. 
Not to brag, BUT I believe it's fairly godlike.
 2023-05-15 15:22:43 +02:00
savagebidoof
6c6f968097 Deleted a useless line. 2023-05-15 15:19:48 +02:00
savagebidoof
8ba4495ea7 Documented 02-egress-proxy. 
Not to brag, BUT I believe it's fairly godlike.
 2023-05-15 15:19:28 +02:00
savagebidoof
9dbcf712de Added a link. 
Added the logs entry of `istio-proxy` container from a pod.
 2023-05-15 02:48:49 +02:00
savagebidoof
6153529f9a Added a link 2023-05-15 02:47:19 +02:00
savagebidoof
38a7b70758 removed an space, wow 2023-05-11 23:23:46 +02:00
savagebidoof
ca68dde6ea Merge remote-tracking branch 'origin/dev' into dev 2023-05-11 10:11:32 +02:00
savagebidoof
57e858f416 01-ingress-proxy-forwarding documented. 2023-05-11 10:10:56 +02:00
savagebidoof
faf8b08e77 Assigned the number 12 to CircuitBreaking 2023-05-11 08:24:21 +02:00
savagebidoof
9fbc2c5f1f spelling fix 2023-05-11 08:21:42 +02:00
savagebidoof
4940fdd3b7 renamed "Target_Namespaces" to 02-Restrict_Namespace, documented 2023-05-11 07:46:38 +02:00
savagebidoof
4bd53c84de 02-Target_Namespace documented 2023-05-11 07:44:53 +02:00
savagebidoof
5059a13888 01-Host_Based_Routing documented 2023-05-10 10:51:56 +02:00
savagebidoof
c7c1f8cb9c Files rebasing 2023-05-10 10:15:00 +02:00
savagebidoof
fb34758197 Files rebasing 2023-05-10 01:42:54 +02:00
savagebidoof
54025a55dd 04-HTTPRedirect 2023-05-05 02:33:16 +02:00
savagebidoof
6b0b62b6a9 04-HTTPRedirect 2023-05-05 02:32:06 +02:00
savagebidoof
113ed75177 03-HTTPRewrite documented 2023-05-05 01:42:27 +02:00
savagebidoof
f3fa2372fe Spelling correction 2023-05-05 01:41:47 +02:00
savagebidoof
4e0f4ba05d 03-HTTPRewrite documented 2023-05-05 01:41:42 +02:00
savagebidoof
b37c523c39 Spelling correction 2023-05-05 01:33:08 +02:00
savagebidoof
f52e1125a7 Spelling correction 2023-05-05 01:26:51 +02:00
ofilter
d3d730b34c Merge pull request 'Examples update 04/05/2023' (#48) from dev into main 
Reviewed-on: https://gitea.filterhome.xyz/ofilter/Istio_Examples/pulls/48
 2023-05-04 01:27:31 +00:00
ofilter
ce4cb196eb Merge pull request 'Cleanup and minimal documentation added.' (#46) from dev into main 
Reviewed-on: https://gitea.filterhome.xyz/ofilter/Istio_Examples/pulls/46
 2023-05-01 00:08:05 +00:00
215 changed files with 6332 additions and 2036 deletions
Expand all files Collapse all files

2
.placeholder/08-monitoring/README.md
View File

@ -1,2 +0,0 @@
https://raw.githubusercontent.com/istio/istio/release-1.17/samples/httpbin/sample-client/fortio-deploy.yaml

3
.placeholder/13-WASM_Modules/README.md Normal file
View File

@ -0,0 +1,3 @@
https://github.com/istio-ecosystem/wasm-extensions
https://github.com/istio-ecosystem/wasm-extensions/tree/master/extensions/basic_auth

54
.placeholder/text.md Normal file
View File

@ -0,0 +1,54 @@
https://istio.io/latest/docs/reference/config/networking/virtual-service/#HTTPRedirect
## The idea is that this rewrite is handled "externally" by the client, not by Istio.
## Practical examples
### HTTP to HTTPS redirect.
The following Virtual Service configuration will redirect all the incoming traffic from the gateway `my-gateway` that uses the http protocol, to the https protocol.
In this example, it would forward all the `http` traffic without taking into account which port is used.
```
apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
name: to-https-vs
spec:
hosts:
- "*"
gateways:
- my-gateway
http:
- match:
- name: to_https
match:
scheme: http
redirect:
scheme: https
```
### Migrated from a domain
The following will update the requests coming "to" the domain `old.domain.com` and rewrite the URL to use the "new" `new.domain.com`
```yaml
apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
name: update-domain-vs
spec:
hosts:
- "old.domain.com"
gateways:
- helloworld-gateway
http:
- name: forward-to-new-domain
redirect:
authority: "new.domain.com"
```

100
00-Troubleshooting/README.md
View File

@ -3,6 +3,63 @@ gitea: none
include_toc: true
---
# Logs
> **Note:**\
> Remember that you can use the command `watch` or `watch -n 5` (where 5 refers every 5 seconds) in case of being interested on execute this commands periodically.
## Istiod
```shell
kubectl logs -n istio-system -f deployments/istiod
```
## Istio-Proxy Pod
This will display the logs from a deployment while targeting the `istio-proxy` container from the targeted pod/deployment.
As well will attach the session to stream new logs. (`-f` `--follow`)
```shell
kubectl logs deployments/helloworld-default -f -c istio-proxy
```
```text
[2023-05-15T00:42:03.699Z] "- - -" 0 UH - - "-" 0 0 0 - "-" "-" "-" "-" "-" BlackHoleCluster - 10.111.90.232:8080 172.17.121.65:52006 - -
[2023-05-15T00:42:24.785Z] "HEAD / HTTP/1.1" 200 - via_upstream - "-" 0 0 2 1 "-" "curl/7.74.0" "c133cbf0-b57d-4fba-8f84-d683ab903399" "helloworld.default.svc.cluster.local" "172.17.121.65:80" inbound|80|| 127.0.0.6:51695 172.17.121.65:80 172.17.121.65:43786 outbound_.80_._.helloworld.default.svc.cluster.local default
[2023-05-15T00:42:24.784Z] "HEAD / HTTP/1.1" 200 - via_upstream - "-" 0 0 5 4 "-" "curl/7.74.0" "c133cbf0-b57d-4fba-8f84-d683ab903399" "helloworld.default.svc.cluster.local" "172.17.121.65:80" outbound|80||helloworld.default.svc.cluster.local 172.17.121.65:43786 10.111.90.232:80 172.17.121.65:57030 - default
[2023-05-15T00:43:23.209Z] "HEAD / HTTP/1.1" 200 - via_upstream - "-" 0 0 6 5 "-" "curl/7.74.0" "e1f0a2f3-93ff-4c41-8cb3-6d3a53fce065" "helloworld.foo.svc.cluster.local" "172.17.247.42:80" outbound|80||helloworld.foo.svc.cluster.local 172.17.121.65:55040 10.109.248.148:80 172.17.121.65:60520 - default
[2023-05-15T00:43:29.751Z] "- - -" 0 UH - - "-" 0 0 0 - "-" "-" "-" "-" "-" BlackHoleCluster - 10.109.248.148:8080 172.17.121.65:40370 - -
[2023-05-15T00:43:31.979Z] "- - -" 0 UH - - "-" 0 0 0 - "-" "-" "-" "-" "-" BlackHoleCluster - 10.109.248.148:8080 172.17.121.65:40402 - -
```
## Ingress
The service targeted, `istio-ingressgateway`, is an Ingress Load Balancer service from Istio.
```shell
kubectl logs -n istio-system services/istio-ingressgateway
```
#### Invalid TLS context has neither subject CN nor SAN names
The TLS certificate specified don't have the field CN or the field SAN.
To address this issue, issue a new certificate that has at least one of those fields.
#### initial fetch timed out for type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.Secretthread
This is due not being able to retrieve the TLS configuration assigned to the gateway.
It's Important that the secret is located in the same namespace as the Istio Load Balancer used. In my case is the `istio-system`, but it will vary based on the environment.
# Istioctl analyze
`istioctl analyze` reviews the current configuration set.
@ -67,37 +124,24 @@ listening on eth0, link-type EN10MB (Ethernet), snapshot length 262144 bytes
...
```
# Logs
> **Note:**\
> Remember that you can use the command `watch` or `watch -n 5` (where 5 refers every 5 seconds) in case of being interested on execute this commands periodically.
## Istiod
# Istioctl proxy-status
> **Note:** Shorthand is `ps`
```shell
kubectl logs -n istio-system -f deployments/istiod
istioctl ps
```
```text
NAME CLUSTER CDS LDS EDS RDS ECDS ISTIOD VERSION
helloworld-6798765f88-ql26n.default Kubernetes SYNCED SYNCED SYNCED SYNCED NOT SENT istiod-dbf5ff64-9kxxs 1.17.2
helloworld2-dc9cb5db6-m47x7.default Kubernetes SYNCED SYNCED SYNCED SYNCED NOT SENT istiod-dbf5ff64-9kxxs 1.17.2
istio-egressgateway-676bf68b54-d28fn.istio-system Kubernetes SYNCED SYNCED SYNCED NOT SENT NOT SENT istiod-dbf5ff64-9kxxs 1.17.2
istio-ingressgateway-8d56c999d-nv7ph.istio-system Kubernetes SYNCED SYNCED SYNCED SYNCED NOT SENT istiod-dbf5ff64-9kxxs 1.17.2
```
## Ingress
The service targeted, `istio-ingressgateway`, is an Ingress Load Balancer service from Istio.
```shell
kubectl logs -n istio-system services/istio-ingressgateway
```
#### Invalid TLS context has neither subject CN nor SAN names
The TLS certificate specified don't have the field CN or the field SAN.
To address this issue, issue a new certificate that has at least one of those fields.
#### initial fetch timed out for type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.Secretthread
This is due not being able to retrieve the TLS configuration assigned to the gateway.
It's Important that the secret is located in the same namespace as the Istio Load Balancer used. In my case is the `istio-system`, but it will vary based on the environment.
# Istioctl proxy-config
> **Note:** Shorthand is `pc`
## Check listeners
@ -177,4 +221,8 @@ InboundPassthroughClusterIpv4 - -
PassthroughCluster - - - ORIGINAL_DST
agent - - - STATIC
...
```
```
# Other links
## [Debugging with Istio](https://www.istioworkshop.io/12-debugging/01-istioctl-debug-command/)

2
01-Getting_Started/01-hello_world_1_service_1_deployment/README.md
View File

@ -219,7 +219,7 @@ I would like to put emphasis on the following line returned:
server: istio-envoy
```
This means that the contents returned was performed by the Istio service, instead of the Nginx or any other possible backend service.
This means that the contents returned was performed by the Istio service, therefore, the request was able to reach Istio and received a response from it.
## Cleanup

4
01-Getting_Started/03-hello_world_1_service_2_deployments_managed_version/VirtualService.yaml
View File

@ -19,13 +19,13 @@ spec:
port:
number: 80
subset: v1
weight: 20
weight: 80
- destination:
# host: helloworld (OLD)
host: helloworld.default.svc.cluster.local
port:
number: 80
subset: v2
weight: 80
weight: 20
rewrite:
uri: "/"

3
01-Getting_Started/README.md
View File

@ -5,7 +5,8 @@ include_toc: true
# Getting Started
The idea of these examples is to get yourself familiarized with the basic elements used on Istio, allowing you to explore the documentation as well of proceeding with other examples or tests on your onw.
The idea of these examples is to get yourself familiarized with the basic elements used on Istio, allowing you to
explore the documentation as well of proceeding with other examples or tests on your onw.
On these examples you will find the following Istio resources:

2
02-Traffic_management/01-header_routing/README.md
View File

@ -342,7 +342,7 @@ virtualservice.networking.istio.io/helloworld-vs created
## Wait for the pods to be ready
Wait for the Apache and Nginx deployments to be up and ready.
Wait for the Apache, Nginx and Whoami deployments to be up and ready.
```shell
watch -n 2 kubectl get deployment helloworld-v{0..2}

7
02-Traffic_management/02-DirectResponse-HTTP-Body/README.md
View File

@ -111,7 +111,7 @@ The configuration set, targets the [gateway created](#gateway) as well of not li
We configure 2 rules for HTTP traffic (this includes `HTTPS` and `HTTP2`, this will be my last warning about this).
The first rule configure will match when the requested path is `/helloworld`.
The first rule configured will match when the requested path is `/helloworld`.
This traffic will be forwarded to the service `helloworld.default.svc.cluster.local` with port `80`.
@ -176,9 +176,8 @@ Wait for the Apache and Nginx deployments to be up and ready.
kubectl get deployment helloworld-nginx -w
```
```text
NAME READY UP-TO-DATE AVAILABLE AGE
helloworld-v1 1/1 1 1 4m1s
helloworld-v2 1/1 1 1 4m1s
NAME READY UP-TO-DATE AVAILABLE AGE
helloworld-nginx 1/1 1 1 9s
```
## Test the service

14
02-Traffic_management/07-HTTPS-Gateway-Simple-TLS/deployment.yaml → 02-Traffic_management/03-HTTPRewrite/Deployment.yaml
View File

@ -1,17 +1,3 @@
apiVersion: v1
kind: Service
metadata:
name: helloworld
labels:
app: helloworld
service: helloworld
spec:
ports:
- port: 80
name: http
selector:
app: helloworld
---
apiVersion: apps/v1
kind: Deployment
metadata:

246
02-Traffic_management/03-HTTPRewrite/README.md
View File

@ -1,52 +1,240 @@
---
gitea: none
include_toc: true
---
# Description
Based on the [previous example](../../01-Getting_Started/01-hello_world_1_service_1_deployment), we configure the [VirtualService](#virtualservice) to internally rewrite the destination URL.
This is useful, as if for example we have a rule that targets the traffic with destination path `/helloworld`, when we connect to the backend, the path that the request contains will also be `/helloworld`, and unless the destination service is already build around this and/or is ready to manage traffic with such destination, we will receive a status code 404 meaning that the page destination was not found.
If we internally rewrite such traffic to the root directory (`/`), we can interact with the root path from the destination service without issues, without the need of specifically altering the behavior of the destination service due this architectural requirement.
Additionally, we also configure a second rule that won't have the URL path rewrite configured, as it will allow us to compare the behaviors.
This example configures:
Generic Kubernetes resources:
- 1 Service
- 1 Deployments
Istio resources:
- 1 Gateway
- 1 Virtual Service
# Continues from
# Based on
- 01-hello_world_1_service_1_deployment
- [01-hello_world_1_service_1_deployment](../../01-Getting_Started/01-hello_world_1_service_1_deployment)
# There were no changes respective to that version
# Configuration
Through rewriting the URI we can point to the root directory from nginx.
## Service
Creates a service named `helloworld`.
This service listens for the port `80` expecting `HTTP` traffic and will forward the incoming traffic towards the port `80` from the destination pod.
```yaml
rewrite:
uri: "/"
apiVersion: v1
kind: Service
metadata:
name: helloworld
labels:
app: helloworld
service: helloworld
spec:
ports:
- port: 80
name: http
selector:
app: helloworld
```
## The idea is that this rewrite is handled "internally" by Istio, not by the Client that started the request
## Practical usages:
If we refactor our application, and for example we previously where hosting an API to the URL `/apiV1` and now it's being hosted in `/api/V1`, we can do the following rule:
## Deployment
Deploys a Nginx server that listens for the port `80`.
```yaml
apiVersion: apps/v1
kind: Deployment
metadata:
name: helloworld-nginx
labels:
app: helloworld
spec:
replicas: 1
selector:
matchLabels:
app: helloworld
template:
metadata:
labels:
app: helloworld
spec:
containers:
- name: helloworld
image: nginx
resources:
requests:
cpu: "100m"
imagePullPolicy: IfNotPresent #Always
ports:
- containerPort: 80
```
## Gateway
Deploys an Istio gateway that's listening to the port `80` for `HTTP` traffic.
It doesn't filter for any specific host.
The `selector` field is used to "choose" which Istio Load Balancers will have this gateway assigned to.
The Istio `default` profile creates a Load Balancer in the namespace `istio-system` that has the label `istio: ingressgateway` set, allowing us to target that specific Load Balancer and assign this gateway resource to it.
```yaml
apiVersion: networking.istio.io/v1alpha3
kind: Gateway
metadata:
name: helloworld-gateway
spec:
selector:
istio: ingressgateway # use istio default controller
servers:
- port:
number: 80
name: http
protocol: HTTP
hosts:
- "*"
```
## VirtualService
The configuration set, targets the [gateway created](#gateway) as well of not limiting the traffic to any specific host.
We configure 2 HTTP rules.
The first rule will match when the requested path is `/helloworld`.
Internally, we will rewrite the URL path, from `/helloworld` to `/`, as otherwise it will result in status code 404 due not containing such destination in the service, since we are using the default Nginx image.
The second rule will math with the path `/norewrite`, and won't have the rewrite URL path setting configured. This rule will be used to compare behaviors.
Both rules will connect with the backend service `helloworld.default.svc.cluster.local` with port `80`.
```yaml
apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
name: helloworld-vs
spec:
hosts:
- "*"
gateways:
- helloworld-gateway
http:
- match:
- uri:
exact: /apiV1
exact: /helloworld
route:
- destination:
host: mynewapi # the service destination/target
host: helloworld.default.svc.cluster.local
port:
number: 80 # whatever port it is
rewrite:
uri: "/api/V1"
```
Or if we "upgraded" the API, and the new API (v2) is retro-compatible with the old API (v1), we could do the following to force all the usages from the old API to be handled by the newer version:
```yaml
number: 80
- match:
- uri:
exact: /api/V1
exact: /norewrite
route:
- destination:
host: mynewapi # the service destination/target
host: helloworld.default.svc.cluster.local
port:
number: 80 # whatever port it is
rewrite:
uri: "/api/V2"
number: 80
```
# Walkthrough
## Deploy resources
Deploy the resources.
```shell
kubectl apply -f ./
```
```text
deployment.apps/helloworld-nginx created
service/helloworld created
virtualservice.networking.istio.io/helloworld-vs created
gateway.networking.istio.io/helloworld-gateway created
```
## Wait for the pods to be ready
Wait for the Nginx deployment to be up and ready.
```shell
kubectl get deployment helloworld-nginx -w
```
```text
NAME READY UP-TO-DATE AVAILABLE AGE
helloworld-nginx 1/1 1 1 2m47s
```
## Test the service
### Get LB IP
To perform the desired tests, we will need to obtain the IP Istio Load Balancer that we selected in the [Gateway section](#gateway).
On my environment, the IP is the `192.168.1.50`.
```shell
kubectl get svc -l istio=ingressgateway -A
```
```text
NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE
istio-ingressgateway LoadBalancer 10.97.47.216 192.168.1.50 15021:31316/TCP,80:32012/TCP,443:32486/TCP 39h
```
### helloworld
Due to rewriting the URL path internally, we are able to connect to the backend root path (`/`)
```shell
curl 192.168.1.50/helloworld -s | grep "<h1>.*</h1>"
```
```text
<h1>Welcome to nginx!</h1>
```
### norewrite
As expected, due the backend service not having a destination path named `/norewrite`, we receive a status code 404 as well of their pertinent service error page.
```shell
curl 192.168.1.50/helloworld -s | grep "<h1>.*</h1>"
```
```text
<center><h1>404 Not Found</h1></center>
```
## Cleanup`
Finally, a cleanup from the resources deployed.
```shell
kubectl delete -f ./
```
```text
deployment.apps "helloworld-nginx" deleted
service "helloworld" deleted
virtualservice.networking.istio.io "helloworld-vs" deleted
gateway.networking.istio.io "helloworld-gateway" deleted
```
# Links of interest
- https://istio.io/latest/docs/reference/config/networking/virtual-service/#HTTPRewrite

13
02-Traffic_management/03-HTTPRewrite/Service.yaml Normal file
View File

@ -0,0 +1,13 @@
apiVersion: v1
kind: Service
metadata:
name: helloworld
labels:
app: helloworld
service: helloworld
spec:
ports:
- port: 80
name: http
selector:
app: helloworld

26
02-Traffic_management/03-HTTPRewrite/VirtualService.yaml Normal file
View File

@ -0,0 +1,26 @@
apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
name: helloworld-vs
spec:
hosts:
- "*"
gateways:
- helloworld-gateway
http:
- match:
- uri:
exact: /helloworld
route:
- destination:
host: helloworld.default.svc.cluster.local
port:
number: 80
- match:
- uri:
exact: /norewrite
route:
- destination:
host: helloworld.default.svc.cluster.local
port:
number: 80

40
02-Traffic_management/03-HTTPRewrite/deployment.yaml
View File

@ -1,40 +0,0 @@
# https://github.com/istio/istio/blob/master/samples/helloworld/helloworld.yaml
apiVersion: v1
kind: Service
metadata:
name: helloworld
labels:
app: helloworld
service: helloworld
spec:
ports:
- port: 80
name: http
selector:
app: helloworld
---
apiVersion: apps/v1
kind: Deployment
metadata:
name: helloworld-nginx
labels:
app: helloworld
spec:
replicas: 1
selector:
matchLabels:
app: helloworld
template:
metadata:
labels:
app: helloworld
spec:
containers:
- name: helloworld
image: nginx
resources:
requests:
cpu: "100m"
imagePullPolicy: IfNotPresent #Always
ports:
- containerPort: 80

22
02-Traffic_management/03-HTTPRewrite/gateway.yaml
View File

@ -1,4 +1,3 @@
# https://github.com/istio/istio/blob/master/samples/helloworld/helloworld-gateway.yaml
apiVersion: networking.istio.io/v1alpha3
kind: Gateway
metadata:
@ -13,24 +12,3 @@ spec:
protocol: HTTP
hosts:
- "*"
---
apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
name: helloworld-vs
spec:
hosts:
- "*"
gateways:
- helloworld-gateway
http:
- match:
- uri:
exact: /helloworld
route:
- destination:
host: helloworld.default.svc.cluster.local
port:
number: 80
rewrite:
uri: "/"

14
02-Traffic_management/04-HTTPRedirect/Gateway.yaml Executable file
View File

@ -0,0 +1,14 @@
apiVersion: networking.istio.io/v1alpha3
kind: Gateway
metadata:
name: helloworld-gateway
spec:
selector:
istio: ingressgateway # use istio default controller
servers:
- port:
number: 80
name: http
protocol: HTTP
hosts:
- "*"

256
02-Traffic_management/04-HTTPRedirect/README.md
View File

@ -1,61 +1,255 @@
---
gitea: none
include_toc: true
---
# Description
# Continues from
Based on the [previous example](../../01-Getting_Started/01-hello_world_1_service_1_deployment), we create multiple rules in the [VirtualService](#virtualservice) that will make usage of the `redirect` field to modify the request received and redirect the incoming request towards a new destination.
- 01-hello_world_1_service_1_deployment
This example configures:
Istio resources:
- 1 Gateway
- 1 Virtual Service
# Based on
https://istio.io/latest/docs/reference/config/networking/virtual-service/#HTTPRedirect
- [01-hello_world_1_service_1_deployment](../../01-Getting_Started/01-hello_world_1_service_1_deployment)
## The idea is that this rewrite is handled "externally" by the client, not by Istio.
# Configuration
## Gateway
Deploys an Istio gateway that's listening to the port `80` for `HTTP` traffic.
## Practical examples
It doesn't filter for any specific host.
The `selector` field is used to "choose" which Istio Load Balancers will have this gateway assigned to.
### HTTP to HTTPS redirect.
The Istio `default` profile creates a Load Balancer in the namespace `istio-system` that has the label `istio: ingressgateway` set, allowing us to target that specific Load Balancer and assign this gateway resource to it.
The following Virtual Service configuration will redirect all the incoming traffic from the gateway `my-gateway` that uses the http protocol, to the https protocol.
In this example, it would forward all the `http` traffic without taking into account which port is used.
```
```yaml
apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
kind: Gateway
metadata:
name: to-https-vs
name: helloworld-gateway
spec:
hosts:
- "*"
gateways:
- my-gateway
http:
- match:
- name: to_https
match:
scheme: http
redirect:
scheme: https
selector:
istio: ingressgateway # use istio default controller
servers:
- port:
number: 80
name: http
protocol: HTTP
hosts:
- "*"
```
### Migrated from a domain
## VirtualService
The following will update the requests coming "to" the domain `old.domain.com` and rewrite the URL to use the "new" `new.domain.com`
The configuration set, targets the [gateway created](#gateway) as well of not limiting the traffic to any specific host.
We configure 3 HTTP rules.
- to_https
A practical example regarding modifying protocol used from the incoming traffic request.
It will set the protocol used to `HTTPS`.
> **Note:**\
> Bear in mind that this example is not planned to be used `as it is` on production environments as other configurations should be applied, as an example you should target a specific source port.
- wikipedia
We are using the regex query `/wiki/?` to match the URL path, this rule allows us to target both `/wiki` and `/wiki/`.
On this example we will redirect the traffic that accesses to this rule towards the Wikipedia page, as well the protocol will be modified and set to `HTTPS`.
- wikipedia_search
Very similar to the previous rule, we will match the traffic that, as a prefix of the URl used, as long it starts by `/wiki/`.
More information about the behavior of ties rule will be seen in the [Walkthrough](#walkthrough) section.
```yaml
apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
name: update-domain-vs
name: helloworld-vs
spec:
hosts:
- "old.domain.com"
- "*"
gateways:
- helloworld-gateway
http:
- name: forward-to-new-domain
- name: to_https
match:
- uri:
exact: /https
redirect:
authority: "new.domain.com"
```
scheme: "https"
- name: wikipedia
match:
- uri:
regex: "/wiki/?"
redirect:
uri: "/"
scheme: "https"
authority: "en.wikipedia.org"
- name: wikipedia_search
match:
- uri:
prefix: "/wiki/"
redirect:
scheme: "https"
authority: "en.wikipedia.org"
```
# Walkthrough
## Deploy resources
Deploy the resources.
```shell
kubectl apply -f ./
```
```text
gateway.networking.istio.io/helloworld-gateway created
virtualservice.networking.istio.io/helloworld-vs created
```
## Test the rules
### Get LB IP
To perform the desired tests, we will need to obtain the IP Istio Load Balancer that we selected in the [Gateway section](#gateway).
On my environment, the IP is the `192.168.1.50`.
```shell
kubectl get svc -l istio=ingressgateway -A
```
```text
NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE
istio-ingressgateway LoadBalancer 10.97.47.216 192.168.1.50 15021:31316/TCP,80:32012/TCP,443:32486/TCP 39h
```
### to_https
We are receiving the status code `301` as the request is being modified.
By default `curl` won't follow the redirects.
```shell
curl 192.168.1.50/https -I
```
```text
HTTP/1.1 301 Moved Permanently
location: https://192.168.1.50/https
date: Fri, 05 May 2023 00:15:41 GMT
server: istio-envoy
transfer-encoding: chunked
```
The flag `-L` can be used to allow `curl` to follow redirects, as well of `-v` to increase the verbosity to review the behavior.
From the output received, we can see how the request initially points towards the port `80`.
After receiving the status code `301`, we can see the following line `Clear auth, redirects to port from 80 to 443`, stating that there was a redirect that changed the destination port, from `80`, to `443`.
As well, there is the line `Issue another request to this URL: 'https://192.168.1.50/https'`, which confirms that the protocol used, which previously was using `HTTP`, now is using `HTTPS`.
This proves that the configuration set is currently being applied and works as intended.
```shell
curl 192.168.1.50/https -L -v
```
```text
* Trying 192.168.1.50:80...
* Connected to 192.168.1.50 (192.168.1.50) port 80 (#0)
> GET /https HTTP/1.1
> Host: 192.168.1.50
> User-Agent: curl/8.0.1
> Accept: */*
>
< HTTP/1.1 301 Moved Permanently
< location: https://192.168.1.50/https
< date: Fri, 05 May 2023 00:17:12 GMT
< server: istio-envoy
< content-length: 0
<
* Connection #0 to host 192.168.1.50 left intact
* Clear auth, redirects to port from 80 to 443
* Issue another request to this URL: 'https://192.168.1.50/https'
* Trying 192.168.1.50:443...
* connect to 192.168.1.50 port 443 failed: Connection refused
* Failed to connect to 192.168.1.50 port 443 after 0 ms: Couldn't connect to server
* Closing connection 1
curl: (7) Failed to connect to 192.168.1.50 port 443 after 0 ms: Couldn't connect to server
```
### /wiki/
On this example I will be using the Firefox browser to access the destination path `/wiki/`.
Which on accessing the path, it modified the request and forwarded the traffic towards the path `https://en.wikipedia.org/wiki`.
After accessing such destination, Wikipedia will forward you to the path `/wiki/Main_Page`, as we didn't target any specific element from the wiki.
```shell
firefox 192.168.1.50/wiki/
```
![img.png](src/img.png)
### /wiki/*
On this example I will be using the Firefox browser to access the destination path `/wiki/Istio` and `/wiki/Gitea`.
This will forward us towards the pertinent wiki service, as meanwhile the domain is modified, the path remains the same, allowing us to match the right destination paths.
```shell
firefox 192.168.1.50/wiki/Service_mesh
```
![img_1.png](src/img_1.png)
```shell
firefox 192.168.1.50/wiki/Gitea
```
![img_2.png](src/img_2.png)
## Cleanup
Finally, a cleanup from the resources deployed.
```shell
kubectl delete -f ./
```
```text
gateway.networking.istio.io "helloworld-gateway" deleted
virtualservice.networking.istio.io "helloworld-vs" deleted
```
# Links of interest
- https://istio.io/latest/docs/reference/config/networking/virtual-service/#HTTPRedirect

33
02-Traffic_management/04-HTTPRedirect/VirtualService.yaml Normal file
View File

@ -0,0 +1,33 @@
apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
name: helloworld-vs
spec:
hosts:
- "*"
gateways:
- helloworld-gateway
http:
- name: to_https
match:
- uri:
exact: /https
redirect:
scheme: "https"
- name: wikipedia
match:
- uri:
regex: "/wiki/?"
redirect:
uri: "/"
scheme: "https"
authority: "en.wikipedia.org"
- name: wikipedia_search
match:
- uri:
prefix: "/wiki/"
redirect:
scheme: "https"
authority: "en.wikipedia.org"

40
02-Traffic_management/04-HTTPRedirect/deployment.yaml
View File

@ -1,40 +0,0 @@
# https://github.com/istio/istio/blob/master/samples/helloworld/helloworld.yaml
apiVersion: v1
kind: Service
metadata:
name: helloworld
labels:
app: helloworld
service: helloworld
spec:
ports:
- port: 80
name: http
selector:
app: helloworld
---
apiVersion: apps/v1
kind: Deployment
metadata:
name: helloworld-nginx
labels:
app: helloworld
spec:
replicas: 1
selector:
matchLabels:
app: helloworld
template:
metadata:
labels:
app: helloworld
spec:
containers:
- name: helloworld
image: nginx
resources:
requests:
cpu: "100m"
imagePullPolicy: IfNotPresent #Always
ports:
- containerPort: 80

58
02-Traffic_management/04-HTTPRedirect/gateway.yaml
View File

@ -1,58 +0,0 @@
# https://github.com/istio/istio/blob/master/samples/helloworld/helloworld-gateway.yaml
apiVersion: networking.istio.io/v1alpha3
kind: Gateway
metadata:
name: helloworld-gateway
spec:
selector:
istio: ingressgateway # use istio default controller
servers:
- port:
number: 80
name: http
protocol: HTTP
hosts:
- "*"
---
apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
name: helloworld-vs
spec:
hosts:
- "*"
gateways:
- helloworld-gateway
http:
- match:
- uri:
exact: /helloworld
route:
- destination:
host: helloworld.default.svc.cluster.local
port:
number: 80
rewrite:
uri: "/"
- name: to_https
match:
- uri:
exact: /https
scheme: http
redirect:
scheme: "https"
- name: wikipedia
match:
- uri:
exact: "/wiki"
redirect:
uri: "/"
scheme: "https"
authority: "en.wikipedia.org"
- name: wikipedia_search
match:
- uri:
prefix: "/wiki/"
redirect:
scheme: "https"
authority: "en.wikipedia.org"

BIN
02-Traffic_management/04-HTTPRedirect/src/img.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 279 KiB

BIN
02-Traffic_management/04-HTTPRedirect/src/img_1.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 130 KiB

BIN
02-Traffic_management/04-HTTPRedirect/src/img_2.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 130 KiB

7
02-Traffic_management/05a-FaultInjection-delay/README.md
View File

@ -1,7 +0,0 @@
# Continues from
- 01-hello_world_1_service_1_deployment
https://istio.io/latest/docs/reference/config/networking/virtual-service/#HTTPFaultInjection-Delay

40
02-Traffic_management/05a-FaultInjection-delay/deployment.yaml
View File

@ -1,40 +0,0 @@
# https://github.com/istio/istio/blob/master/samples/helloworld/helloworld.yaml
apiVersion: v1
kind: Service
metadata:
name: helloworld
labels:
app: helloworld
service: helloworld
spec:
ports:
- port: 80
name: http
selector:
app: helloworld
---
apiVersion: apps/v1
kind: Deployment
metadata:
name: helloworld-nginx
labels:
app: helloworld
spec:
replicas: 1
selector:
matchLabels:
app: helloworld
template:
metadata:
labels:
app: helloworld
spec:
containers:
- name: helloworld
image: nginx
resources:
requests:
cpu: "100m"
imagePullPolicy: IfNotPresent #Always
ports:
- containerPort: 80

11
02-Traffic_management/05b-FaultInjection-abort/README.md
View File

@ -1,11 +0,0 @@
# Continues from
- 05a-FaultInjection-delay
https://istio.io/latest/docs/reference/config/networking/virtual-service/#HTTPFaultInjection-Abort
curl 192.168.1.50/helloworld -I

55
02-Traffic_management/06-hello_world_1_HTTPS-Service_Entry/gateway.yaml
View File

@ -1,55 +0,0 @@
apiVersion: networking.istio.io/v1alpha3
kind: Gateway
metadata:
name: helloworld-gateway
spec:
selector:
istio: ingressgateway # use istio default controller
servers:
- port:
number: 80
name: http
protocol: HTTP
hosts:
- "*"
---
apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
name: helloworld-vs
spec:
hosts:
- "*"
gateways:
- helloworld-gateway
http:
- name: https-external-service
timeout: 3s
match:
- uri:
exact: "/external"
route:
- destination:
host: "github.com"
port:
number: 8443
rewrite:
uri: "/OriolFilter/"
headers:
request:
set:
HOST: "github.com"
---
apiVersion: networking.istio.io/v1alpha3
kind: DestinationRule
metadata:
name: github.com
namespace: default
spec:
host: github.com
trafficPolicy:
portLevelSettings:
- port:
number: 8443
tls:
mode: SIMPLE

57
02-Traffic_management/09-HTTPS-backend/gateway.yaml
View File

@ -1,57 +0,0 @@
apiVersion: networking.istio.io/v1alpha3
kind: Gateway
metadata:
name: helloworld-gateway
spec:
selector:
istio: ingressgateway
servers:
- port:
number: 80
name: http
protocol: HTTP
hosts:
- "*"
- port:
number: 443
name: https
protocol: HTTPS
hosts:
- "*"
tls:
credentialName: my-tls-cert-secret
mode: SIMPLE
---
apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
name: helloworld-vs
spec:
hosts:
- "*"
gateways:
- helloworld-gateway
http:
- name: https-vs
match:
- port: 80
- port: 443
route:
- destination:
host: helloworld.default.svc.cluster.local
port:
number: 8443
---
apiVersion: networking.istio.io/v1alpha3
kind: DestinationRule
metadata:
name: helloworld
namespace: default
spec:
host: helloworld.default.svc.cluster.local
trafficPolicy:
portLevelSettings:
- port:
number: 8443
tls:
mode: SIMPLE

46
02-Traffic_management/10-TCP-FORWARDING/deployment.yaml
View File

@ -1,46 +0,0 @@
apiVersion: v1
kind: Service
metadata:
name: helloworld
labels:
app: helloworld
service: helloworld
spec:
ports:
- port: 8080
name: http-web
targetPort: 80
protocol: TCP
- port: 8443
name: https-web
targetPort: 443
protocol: TCP
selector:
app: helloworld
---
apiVersion: apps/v1
kind: Deployment
metadata:
name: helloworld-nginx
labels:
app: helloworld
spec:
replicas: 1
selector:
matchLabels:
app: helloworld
template:
metadata:
labels:
app: helloworld
spec:
containers:
- name: helloworld
image: oriolfilter/https-nginx-demo
resources:
requests:
cpu: "100m"
imagePullPolicy: IfNotPresent
ports:
- containerPort: 80
- containerPort: 443

73
02-Traffic_management/11-TLS-PASSTHROUGH/deployment.yaml
View File

@ -1,73 +0,0 @@
apiVersion: v1
kind: Service
metadata:
name: helloworld
labels:
app: helloworld
service: helloworld
spec:
ports:
- name: https
port: 8443
targetPort: 443
protocol: TCP
appProtocol: HTTPS
selector:
app: helloworld
---
apiVersion: apps/v1
kind: Deployment
metadata:
name: helloworld-nginx
labels:
app: helloworld
spec:
replicas: 1
selector:
matchLabels:
app: helloworld
template:
metadata:
labels:
app: helloworld
spec:
containers:
- name: helloworld
image: oriolfilter/https-nginx-demo
resources:
requests:
cpu: "100m"
imagePullPolicy: Always #Always
ports:
- containerPort: 80
- containerPort: 443
#---
#apiVersion: apps/v1
#kind: Deployment
#metadata:
# name: nginx
# labels:
# app: nginx
# version: v1
#spec:
# replicas: 1
# selector:
# matchLabels:
# app: nginx
# version: v1
# template:
# metadata:
# labels:
# app: nginx
# version: v1
# spec:
# # serviceAccountName: istio-helloworld
# containers:
# - name: nginx
# image: nginx
# resources:
# requests:
# cpu: "100m"
# imagePullPolicy: IfNotPresent
# ports:
# - containerPort: 80

21
02-Traffic_management/README.md
View File

@ -1,23 +1,12 @@
# Description
This section involves the configuration of `Virtual Service` objects.
# Examples
(almost) ALL NEEDS DOCUMENTATION / REVIEW
- 01-2_deployments_method
- 01-header_routing
- 02-DirectResponse-HTTP-Body
- 03-HTTPRewrite
- 04-HTTPRedirect
- 05a-FaultInjection-delay
- 05b-FaultInjection-abort
- 06-mTLS (would need some documentation review, mainly go over the differences respective to the template/prior configuration used)
- 07-HTTPS-Gateway-Simple-TLS <- Doesn't respect the changelog format.
- 08a-HTTPS-min-TLS-version
- 08b-HTTPS-max-TLS-version
- 09-HTTPS-backend
- 10-TCP-FORWARDING
- 11-TLS-PASSTHROUGH
- 12-HTTP-to-HTTPS-traffic-redirect -> Documented.
This will need some reorganization.

14
02-Traffic_management/08a-HTTPS-min-TLS-version/deployment.yaml → 03-Gateway_Ingress/01-Host_Based_Routing/Deployment.yaml
View File

@ -1,17 +1,3 @@
apiVersion: v1
kind: Service
metadata:
name: helloworld
labels:
app: helloworld
service: helloworld
spec:
ports:
- port: 80
name: http
selector:
app: helloworld
---
apiVersion: apps/v1
kind: Deployment
metadata:

14
03-Gateway_Ingress/01-Host_Based_Routing/Gateway.yaml Normal file
View File

@ -0,0 +1,14 @@
apiVersion: networking.istio.io/v1alpha3
kind: Gateway
metadata:
name: helloworld-gateway
spec:
selector:
istio: ingressgateway
servers:
- port:
number: 80
name: http
protocol: HTTP
hosts:
- "my.domain"

238
03-Gateway_Ingress/01-Host_Based_Routing/README.md Executable file
View File

@ -0,0 +1,238 @@
---
gitea: none
include_toc: true
---
# Description
This example deploys the same infrastructure as the [previous example](../../01-Getting_Started/01-hello_world_1_service_1_deployment), and restricts the access to the gateway based on the domain host from the destination URL.
The domain host targeted will be `my.domain`.
This example configures:
Generic Kubernetes resources:
- 1 Service
- 1 Deployment
Istio resources:
- 1 Gateway
- 1 Virtual Service
> **Note:**\
> I don't intend to explain thing related to Kubernetes unless necessary.
# Based on
- [01-hello_world_1_service_1_deployment](../../01-Getting_Started/01-hello_world_1_service_1_deployment)
# Configuration
## Service
Creates a service named `helloworld`.
This service listens for the port `80` expecting `HTTP` traffic and will forward the incoming traffic towards the port `80` from the destination pod.
```yaml
apiVersion: v1
kind: Service
metadata:
name: helloworld
labels:
app: helloworld
service: helloworld
spec:
ports:
- port: 80
name: http
selector:
app: helloworld
```
## Deployment
Deploys a Nginx server that listens for the port `80`.
```yaml
apiVersion: apps/v1
kind: Deployment
metadata:
name: helloworld-nginx
labels:
app: helloworld
spec:
replicas: 1
selector:
matchLabels:
app: helloworld
template:
metadata:
labels:
app: helloworld
spec:
containers:
- name: helloworld
image: nginx
resources:
requests:
cpu: "100m"
imagePullPolicy: IfNotPresent #Always
ports:
- containerPort: 80
```
## Gateway
Deploys an Istio gateway that's listening to the port `80` for `HTTP` traffic.
The gateway only will allow the traffic that uses as a URL host: `my.domain`.
The `selector` field is used to "choose" which Istio Load Balancers will have this gateway assigned to.
The Istio `default` profile creates a Load Balancer in the namespace `istio-system` that has the label `istio: ingressgateway` set, allowing us to target that specific Load Balancer and assign this gateway resource to it.
```yaml
apiVersion: networking.istio.io/v1alpha3
kind: Gateway
metadata:
name: helloworld-gateway
spec:
selector:
istio: ingressgateway
servers:
- port:
number: 80
name: http
protocol: HTTP
hosts:
- "my.domain"
```
## VirtualService
The Virtual Service resources are used to route and filter the received traffic from the gateway resources, and route it towards the desired destination.
On this example we select the gateway `helloworld-gateway`, which is the [gateway that 's described in the `Gateway` section](#gateway).
On this resource, we are also not limiting the incoming traffic to any specific host, allowing for all the incoming traffic to go through the rules set.
Here we created a rule that will be applied on `HTTP` related traffic (including `HTTPS` and `HTTP2`) when the destination path is exactly `/helloworld`.
This traffic will be forwarded to the port `80` of the destination service `helloworld` (the full path URL equivalent would be `helloworld.$NAMESPACE.svc.cluster.local`).
Additionally, there will be an internal URL rewrite set, as if the URL is not modified, it would attempt to reach to the `/helloworld` path from the Nginx deployment, which currently has no content and would result in an error code `404` (Not found).
```yaml
apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
name: helloworld-vs
spec:
hosts:
- "*"
gateways:
- helloworld-gateway
http:
- match:
- uri:
exact: /helloworld
route:
- destination:
host: helloworld
port:
number: 80
rewrite:
uri: "/"
```
# Walkthrough
## Deploy resources
Deploy the resources.
```shell
kubectl apply -f ./
```
```text
deployment.apps/helloworld-nginx created
gateway.networking.istio.io/helloworld-gateway created
service/helloworld created
virtualservice.networking.istio.io/helloworld-vs created
```
## Wait for the deployment to be ready
Wait for the Nginx deployment to be up and ready.
```shell
kubectl get deployment helloworld-nginx -w
```
```text
NAME READY UP-TO-DATE AVAILABLE AGE
helloworld-nginx 1/1 1 1 44s
```
## Test the service
### Get LB IP
To perform the desired tests, we will need to obtain the IP Istio Load Balancer that we selected in the [Gateway section](#gateway).
On my environment, the IP is the `192.168.1.50`.
```shell
kubectl get svc -l istio=ingressgateway -A
```
```text
NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE
istio-ingressgateway LoadBalancer 10.97.47.216 192.168.1.50 15021:31316/TCP,80:32012/TCP,443:32486/TCP 39h
```
### Curl /helloworld
When performing a curl towards the destination path, as we are not using the domain host specified in the [gateway resource](#gateway), we are failing to match any rule.
```shell
curl 192.168.1.50/helloworld -I
```
```text
HTTP/1.1 404 Not Found
date: Wed, 10 May 2023 08:25:26 GMT
server: istio-envoy
transfer-encoding: chunked
```
### Curl my.domain/helloworld
We can "fake" the destination domain by modifying the `Host` header.
After setting that up, and attempting to curl the destination, we receive a positive response from the Nginx backend.
```shell
curl 192.168.1.50/helloworld -s -HHOST:my.domain | grep "<title>.*</title>"
```
```text
<title>Welcome to nginx!</title>
```
## Cleanup
Finally, a cleanup from the resources deployed.
```shell
kubectl delete -f ./
```
```text
deployment.apps "helloworld-nginx" deleted
gateway.networking.istio.io "helloworld-gateway" deleted
service "helloworld" deleted
virtualservice.networking.istio.io "helloworld-vs" deleted
```
# Links of interest
- https://istio.io/latest/docs/reference/config/networking/gateway/

13
03-Gateway_Ingress/01-Host_Based_Routing/Service.yaml Normal file
View File

@ -0,0 +1,13 @@
apiVersion: v1
kind: Service
metadata:
name: helloworld
labels:
app: helloworld
service: helloworld
spec:
ports:
- port: 80
name: http
selector:
app: helloworld

18
02-Traffic_management/07-HTTPS-Gateway-Simple-TLS/gateway.yaml → 03-Gateway_Ingress/01-Host_Based_Routing/VirtualService.yaml
View File

@ -1,22 +1,4 @@
apiVersion: networking.istio.io/v1alpha3
kind: Gateway
metadata:
name: helloworld-gateway
spec:
selector:
istio: ingressgateway
servers:
- port:
number: 443
name: secure-http
protocol: HTTPS
hosts:
- "*"
tls:
mode: SIMPLE
credentialName: my-tls-cert-secret
---
apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
name: helloworld-vs

4
03-Gateway_Ingress/02-Restrict_Namespaces/01-namespace.yaml Executable file
View File

@ -0,0 +1,4 @@
apiVersion: v1
kind: Namespace
metadata:
name: foo

14
02-Traffic_management/08b-HTTPS-max-TLS-version/deployment.yaml → 03-Gateway_Ingress/02-Restrict_Namespaces/Deployment.yaml
View File

@ -1,17 +1,3 @@
apiVersion: v1
kind: Service
metadata:
name: helloworld
labels:
app: helloworld
service: helloworld
spec:
ports:
- port: 80
name: http
selector:
app: helloworld
---
apiVersion: apps/v1
kind: Deployment
metadata:

14
03-Gateway_Ingress/02-Restrict_Namespaces/Gateway.yaml Normal file
View File

@ -0,0 +1,14 @@
apiVersion: networking.istio.io/v1alpha3
kind: Gateway
metadata:
name: helloworld-gateway
spec:
selector:
istio: ingressgateway
servers:
- port:
number: 80
name: http-b
protocol: HTTP
hosts:
- "foo/*"

294
03-Gateway_Ingress/02-Restrict_Namespaces/README.md Executable file
View File

@ -0,0 +1,294 @@
---
gitea: none
include_toc: true
---
# Description
This example deploys the same infrastructure as the [previous example](../../01-Getting_Started/01-hello_world_1_service_1_deployment), and restrict which `VirtualService` Istio resources can access/select the `Gateway` Istio resource, based on the `VirtualService` namespace.
The domain host targeted will be `my.domain`.
This example configures:
Generic Kubernetes resources:
- 1 Service
- 1 Deployment
- 1 Namespace
Istio resources (`default` namespace):
- 1 Gateway
- Virtual Service
Istio resources (`foo`namespace):
- 1 Virtual Service
> **Note:**\
> I don't intend to explain thing related to Kubernetes unless necessary.
# Based on
- [01-hello_world_1_service_1_deployment](../../01-Getting_Started/01-hello_world_1_service_1_deployment)
# Configuration
## Service
Creates a service named `helloworld`.
This service listens for the port `80` expecting `HTTP` traffic and will forward the incoming traffic towards the port `80` from the destination pod.
```yaml
apiVersion: v1
kind: Service
metadata:
name: helloworld
labels:
app: helloworld
service: helloworld
spec:
ports:
- port: 80
name: http
selector:
app: helloworld
```
## Deployment
Deploys a Nginx server that listens for the port `80`.
```yaml
apiVersion: apps/v1
kind: Deployment
metadata:
name: helloworld-nginx
labels:
app: helloworld
spec:
replicas: 1
selector:
matchLabels:
app: helloworld
template:
metadata:
labels:
app: helloworld
spec:
containers:
- name: helloworld
image: nginx
resources:
requests:
cpu: "100m"
imagePullPolicy: IfNotPresent #Always
ports:
- containerPort: 80
```
## Namespace
Creates a namespace named `foo`.
```yaml
apiVersion: v1
kind: Namespace
metadata:
name: foo
```
## Gateway
Deploys an Istio gateway that's listening to the port `80` for `HTTP` traffic.
The gateway won't target any specific host domain, yet limits the `VirtualService` Istio resources that can target this gateway, limiting its access to the `VirtualServices` Istio resources created in the `foo` namespace.
The `selector` field is used to "choose" which Istio Load Balancers will have this gateway assigned to.
The Istio `default` profile creates a Load Balancer in the namespace `istio-system` that has the label `istio: ingressgateway` set, allowing us to target that specific Load Balancer and assign this gateway resource to it.
```yaml
apiVersion: networking.istio.io/v1alpha3
kind: Gateway
metadata:
name: helloworld-gateway
spec:
selector:
istio: ingressgateway
servers:
- port:
number: 80
name: http-b
protocol: HTTP
hosts:
- "foo/*"
```
## VirtualService
We will create two `VirtualServices` with the same configuration, only difference will be the namespace they are created onto (and the destination path), this will be used to test if the [`Gateway` namespace restriction configured](#gateway) is being applied to the `VirtualService` resources as desired.
On this example we select the gateway `helloworld-gateway`, which is the [gateway that 's described in the `Gateway` section](#gateway).
On this resource, we are also not limiting the incoming traffic to any specific host, allowing for all the incoming traffic to go through the rules set.
Additionally, there will be an internal URL rewrite set, as if the URL is not modified, it would attempt to reach to the `/helloworld` path from the Nginx deployment, which currently has no content and would result in an error code `404` (Not found).
## helloworld-foo
`VirtualService` created in the namespace `foo`.
Here we created a rule that will be applied on `HTTP` related traffic (including `HTTPS` and `HTTP2`) when the destination path is exactly `/helloworld`.
This traffic will be forwarded to the port `80` of the destination service `helloworld.default.svc.cluster.local`.
```yaml
apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
name: helloworld-foo
namespace: foo
spec:
hosts:
- "*"
gateways:
- default/helloworld-gateway
http:
- match:
- uri:
exact: /helloworld
route:
- destination:
host: helloworld.default.svc.cluster.local
port:
number: 80
rewrite:
uri: "/"
```
## helloworld-default
`VirtualService` created in the namespace `default`.
Here we created a rule that will be applied on `HTTP` related traffic (including `HTTPS` and `HTTP2`) when the destination path is exactly `/failure`.
This traffic will be forwarded to the port `80` of the destination service `helloworld.default.svc.cluster.local`.
```yaml
apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
name: helloworld-default
namespace: default
spec:
hosts:
- "*"
gateways:
- default/helloworld-gateway
http:
- match:
- uri:
exact: /failure
route:
- destination:
host: helloworld.default.svc.cluster.local
port:
number: 80
rewrite:
uri: "/"
```
# Walkthrough
## Deploy resources
Deploy the resources.
```shell
kubectl apply -f ./
```
```text
namespace/foo created
deployment.apps/helloworld-nginx created
gateway.networking.istio.io/helloworld-gateway created
service/helloworld created
virtualservice.networking.istio.io/helloworld-foo created
virtualservice.networking.istio.io/helloworld-default created
```
## Wait for the deployment to be ready
Wait for the Nginx deployment to be up and ready.
```shell
kubectl get deployment helloworld-nginx -w
```
```text
NAME READY UP-TO-DATE AVAILABLE AGE
helloworld-nginx 1/1 1 1 44s
```
## Test the service
### Get LB IP
To perform the desired tests, we will need to obtain the IP Istio Load Balancer that we selected in the [Gateway section](#gateway).
On my environment, the IP is the `192.168.1.50`.
```shell
kubectl get svc -l istio=ingressgateway -A
```
```text
NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE
istio-ingressgateway LoadBalancer 10.97.47.216 192.168.1.50 15021:31316/TCP,80:32012/TCP,443:32486/TCP 39h
```
### Curl /helloworld
When performing a curl towards the destination path, as we are not using the domain host specified in the [gateway resource](#gateway), we are failing to match any rule.
```shell
curl 192.168.1.50/helloworld -I
```
```text
HTTP/1.1 404 Not Found
date: Wed, 10 May 2023 08:25:26 GMT
server: istio-envoy
transfer-encoding: chunked
```
### Curl my.domain/helloworld
We can "fake" the destination domain by modifying the `Host` header.
After setting that up, and attempting to curl the destination, we receive a positive response from the Nginx backend.
```shell
curl 192.168.1.50/helloworld -s -HHOST:my.domain | grep "<title>.*</title>"
```
```text
<title>Welcome to nginx!</title>
```
## Cleanup
Finally, a cleanup from the resources deployed.
```shell
kubectl delete -f ./
```
```text
namespace "foo" deleted
deployment.apps "helloworld-nginx" deleted
gateway.networking.istio.io "helloworld-gateway" deleted
service "helloworld" deleted
virtualservice.networking.istio.io "helloworld-foo" deleted
virtualservice.networking.istio.io "helloworld-default" deleted
```
# Links of interest
- https://istio.io/latest/docs/reference/config/networking/gateway/

13
03-Gateway_Ingress/02-Restrict_Namespaces/Service.yaml Normal file
View File

@ -0,0 +1,13 @@
apiVersion: v1
kind: Service
metadata:
name: helloworld
labels:
app: helloworld
service: helloworld
spec:
ports:
- port: 80
name: http
selector:
app: helloworld

43
03-Gateway_Ingress/02-Restrict_Namespaces/VirtualService.yaml Executable file
View File

@ -0,0 +1,43 @@
apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
name: helloworld-foo
namespace: foo
spec:
hosts:
- "*"
gateways:
- default/helloworld-gateway
http:
- match:
- uri:
exact: /helloworld
route:
- destination:
host: helloworld.default.svc.cluster.local
port:
number: 80
rewrite:
uri: "/"
---
apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
name: helloworld-default
namespace: default
spec:
hosts:
- "*"
gateways:
- default/helloworld-gateway
http:
- match:
- uri:
exact: /failure
route:
- destination:
host: helloworld.default.svc.cluster.local
port:
number: 80
rewrite:
uri: "/"

14
03-Sidecar/01-ingress-proxy-forwarding/deployment.yaml → 03-Gateway_Ingress/03-HTTPS-Gateway-Simple-TLS/Deployment.yaml
View File

@ -1,17 +1,3 @@
## https://github.com/istio/istio/blob/master/samples/helloworld/helloworld.yaml
apiVersion: v1
kind: Service
metadata:
name: helloworld
labels:
app: helloworld
spec:
ports:
- port: 8080
name: http
selector:
app: helloworld
---
apiVersion: apps/v1
kind: Deployment
metadata:

17
03-Gateway_Ingress/03-HTTPS-Gateway-Simple-TLS/Gateway.yaml Executable file
View File

@ -0,0 +1,17 @@
apiVersion: networking.istio.io/v1alpha3
kind: Gateway
metadata:
name: helloworld-gateway
spec:
selector:
istio: ingressgateway
servers:
- port:
number: 443
name: secure-http
protocol: HTTPS
hosts:
- "*"
tls:
mode: SIMPLE
credentialName: my-tls-cert-secret

2
02-Traffic_management/07-HTTPS-Gateway-Simple-TLS/README.md → 03-Gateway_Ingress/03-HTTPS-Gateway-Simple-TLS/README.md
View File

@ -5,7 +5,7 @@ include_toc: true
# Based on
- [01-hello_world_1_service_1_deployment](../../01-Getting%20Started/01-hello_world_1_service_1_deployment)
- [01-hello_world_1_service_1_deployment](../../01-Getting_Started/01-hello_world_1_service_1_deployment)
# Description

13
03-Gateway_Ingress/03-HTTPS-Gateway-Simple-TLS/Service.yaml Normal file
View File

@ -0,0 +1,13 @@
apiVersion: v1
kind: Service
metadata:
name: helloworld
labels:
app: helloworld
service: helloworld
spec:
ports:
- port: 80
name: http
selector:
app: helloworld

20
03-Gateway_Ingress/03-HTTPS-Gateway-Simple-TLS/VirtualService.yaml Normal file
View File

@ -0,0 +1,20 @@
apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
name: helloworld-vs
spec:
hosts:
- "*"
gateways:
- helloworld-gateway
http:
- match:
- uri:
exact: /helloworld
route:
- destination:
host: helloworld
port:
number: 80
rewrite:
uri: "/"

25
03-Gateway_Ingress/04a-HTTPS-min-TLS-version/Deployment.yaml Executable file
View File

@ -0,0 +1,25 @@
apiVersion: apps/v1
kind: Deployment
metadata:
name: helloworld-nginx
labels:
app: helloworld
spec:
replicas: 1
selector:
matchLabels:
app: helloworld
template:
metadata:
labels:
app: helloworld
spec:
containers:
- name: helloworld
image: nginx
resources:
requests:
cpu: "100m"
imagePullPolicy: IfNotPresent #Always
ports:
- containerPort: 80

21
02-Traffic_management/08a-HTTPS-min-TLS-version/gateway.yaml → 03-Gateway_Ingress/04a-HTTPS-min-TLS-version/Gateway.yaml
View File

@ -16,24 +16,3 @@ spec:
mode: SIMPLE
credentialName: my-tls-cert-secret
minProtocolVersion: TLSV1_3
---
apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
name: helloworld-vs
spec:
hosts:
- "*"
gateways:
- helloworld-gateway
http:
- match:
- uri:
exact: /helloworld
route:
- destination:
host: helloworld
port:
number: 80
rewrite:
uri: "/"

2
02-Traffic_management/08a-HTTPS-min-TLS-version/README.md → 03-Gateway_Ingress/04a-HTTPS-min-TLS-version/README.md
View File

@ -5,7 +5,7 @@ include_toc: true
# Based on
- [07-HTTPS-Gateway-Simple-TLS](../07-HTTPS-Gateway-Simple-TLS)
- [03-HTTPS-Gateway-Simple-TLS](../03-HTTPS-Gateway-Simple-TLS)
# Description

13
03-Gateway_Ingress/04a-HTTPS-min-TLS-version/Service.yaml Normal file
View File

@ -0,0 +1,13 @@
apiVersion: v1
kind: Service
metadata:
name: helloworld
labels:
app: helloworld
service: helloworld
spec:
ports:
- port: 80
name: http
selector:
app: helloworld

20
03-Gateway_Ingress/04a-HTTPS-min-TLS-version/VirtualService.yaml Normal file
View File

@ -0,0 +1,20 @@
apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
name: helloworld-vs
spec:
hosts:
- "*"
gateways:
- helloworld-gateway
http:
- match:
- uri:
exact: /helloworld
route:
- destination:
host: helloworld
port:
number: 80
rewrite:
uri: "/"

25
03-Gateway_Ingress/04b-HTTPS-max-TLS-version/Deployment.yaml Executable file
View File

@ -0,0 +1,25 @@
apiVersion: apps/v1
kind: Deployment
metadata:
name: helloworld-nginx
labels:
app: helloworld
spec:
replicas: 1
selector:
matchLabels:
app: helloworld
template:
metadata:
labels:
app: helloworld
spec:
containers:
- name: helloworld
image: nginx
resources:
requests:
cpu: "100m"
imagePullPolicy: IfNotPresent #Always
ports:
- containerPort: 80

21
02-Traffic_management/08b-HTTPS-max-TLS-version/gateway.yaml → 03-Gateway_Ingress/04b-HTTPS-max-TLS-version/Gateway.yaml
View File

@ -16,24 +16,3 @@ spec:
mode: SIMPLE
credentialName: my-tls-cert-secret
maxProtocolVersion: TLSV1_2
---
apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
name: helloworld-vs
spec:
hosts:
- "*"
gateways:
- helloworld-gateway
http:
- match:
- uri:
exact: /helloworld
route:
- destination:
host: helloworld
port:
number: 80
rewrite:
uri: "/"

2
02-Traffic_management/08b-HTTPS-max-TLS-version/README.md → 03-Gateway_Ingress/04b-HTTPS-max-TLS-version/README.md
View File

@ -5,7 +5,7 @@ include_toc: true
# Based on
- [08a-HTTPS-min-TLS-version](../08a-HTTPS-min-TLS-version)
- [04a-HTTPS-min-TLS-version](../04a-HTTPS-min-TLS-version)
# Description

13
03-Gateway_Ingress/04b-HTTPS-max-TLS-version/Service.yaml Normal file
View File

@ -0,0 +1,13 @@
apiVersion: v1
kind: Service
metadata:
name: helloworld
labels:
app: helloworld
service: helloworld
spec:
ports:
- port: 80
name: http
selector:
app: helloworld

20
03-Gateway_Ingress/04b-HTTPS-max-TLS-version/VirtualService.yaml Normal file
View File

@ -0,0 +1,20 @@
apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
name: helloworld-vs
spec:
hosts:
- "*"
gateways:
- helloworld-gateway
http:
- match:
- uri:
exact: /helloworld
route:
- destination:
host: helloworld
port:
number: 80
rewrite:
uri: "/"

18
06-AuthorizationPolicy/01-target-namespaces/deployment.yaml → 03-Gateway_Ingress/05-TCP-FORWARDING/Deployment.yaml
View File

@ -1,18 +1,3 @@
apiVersion: v1
kind: Service
metadata:
name: helloworld
labels:
app: helloworld
service: helloworld
spec:
ports:
- port: 8080
name: http
targetPort: 80
selector:
app: helloworld
---
apiVersion: apps/v1
kind: Deployment
metadata:
@ -31,10 +16,11 @@ spec:
spec:
containers:
- name: helloworld
image: nginx
image: oriolfilter/https-nginx-demo
resources:
requests:
cpu: "100m"
imagePullPolicy: IfNotPresent
ports:
- containerPort: 80
- containerPort: 443

20
03-Gateway_Ingress/05-TCP-FORWARDING/Gateway.yaml Executable file
View File

@ -0,0 +1,20 @@
apiVersion: networking.istio.io/v1alpha3
kind: Gateway
metadata:
name: helloworld-gateway
spec:
selector:
istio: ingressgateway
servers:
- port:
number: 80
name: tcp-1
protocol: TCP
hosts:
- "*"
- port:
number: 443
name: tcp-2
protocol: TCP
hosts:
- "*"

2
02-Traffic_management/10-TCP-FORWARDING/README.md → 03-Gateway_Ingress/05-TCP-FORWARDING/README.md
View File

@ -5,7 +5,7 @@ include_toc: true
# Based on
- [08a-HTTPS-min-TLS-version](../08a-HTTPS-min-TLS-version)
- [04a-HTTPS-min-TLS-version](../04a-HTTPS-min-TLS-version)
# Description

19
03-Gateway_Ingress/05-TCP-FORWARDING/Service.yaml Normal file
View File

@ -0,0 +1,19 @@
apiVersion: v1
kind: Service
metadata:
name: helloworld
labels:
app: helloworld
service: helloworld
spec:
ports:
- port: 8080
name: http-web
targetPort: 80
protocol: TCP
- port: 8443
name: https-web
targetPort: 443
protocol: TCP
selector:
app: helloworld

21
02-Traffic_management/10-TCP-FORWARDING/gateway.yaml → 03-Gateway_Ingress/05-TCP-FORWARDING/VirtualService.yaml Executable file → Normal file
View File

@ -1,25 +1,4 @@
apiVersion: networking.istio.io/v1alpha3
kind: Gateway
metadata:
name: helloworld-gateway
spec:
selector:
istio: ingressgateway
servers:
- port:
number: 80
name: tcp-1
protocol: TCP
hosts:
- "*"
- port:
number: 443
name: tcp-2
protocol: TCP
hosts:
- "*"
---
apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
name: helloworld-vs

26
03-Gateway_Ingress/06-TLS-PASSTHROUGH/Deployment.yaml Executable file
View File

@ -0,0 +1,26 @@
apiVersion: apps/v1
kind: Deployment
metadata:
name: helloworld-nginx
labels:
app: helloworld
spec:
replicas: 1
selector:
matchLabels:
app: helloworld
template:
metadata:
labels:
app: helloworld
spec:
containers:
- name: helloworld
image: oriolfilter/https-nginx-demo
resources:
requests:
cpu: "100m"
imagePullPolicy: Always #Always
ports:
- containerPort: 80
- containerPort: 443

17
03-Gateway_Ingress/06-TLS-PASSTHROUGH/Gateway.yaml Executable file
View File

@ -0,0 +1,17 @@
apiVersion: networking.istio.io/v1alpha3
kind: Gateway
metadata:
name: helloworld-gateway
namespace: default
spec:
selector:
istio: ingressgateway
servers:
- port:
number: 443
name: https-web
protocol: HTTPS
hosts:
- "*"
tls:
mode: PASSTHROUGH

2
02-Traffic_management/11-TLS-PASSTHROUGH/README.md → 03-Gateway_Ingress/06-TLS-PASSTHROUGH/README.md
View File

@ -5,7 +5,7 @@ include_toc: true
# Based on
- [10-TCP-FORWARDING](../10-TCP-FORWARDING)
- [05-TCP-FORWARDING](../05-TCP-FORWARDING)
# Description

16
03-Gateway_Ingress/06-TLS-PASSTHROUGH/Service.yaml Normal file
View File

@ -0,0 +1,16 @@
apiVersion: v1
kind: Service
metadata:
name: helloworld
labels:
app: helloworld
service: helloworld
spec:
ports:
- name: https
port: 8443
targetPort: 443
protocol: TCP
appProtocol: HTTPS
selector:
app: helloworld

18
02-Traffic_management/11-TLS-PASSTHROUGH/gateway.yaml → 03-Gateway_Ingress/06-TLS-PASSTHROUGH/VirtualService.yaml Executable file → Normal file
View File

@ -1,22 +1,4 @@
apiVersion: networking.istio.io/v1alpha3
kind: Gateway
metadata:
name: helloworld-gateway
namespace: default
spec:
selector:
istio: ingressgateway
servers:
- port:
number: 443
name: https-web
protocol: HTTPS
hosts:
- "*"
tls:
mode: PASSTHROUGH
---
apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
name: helloworld-vs

0
02-Traffic_management/12-HTTP-to-HTTPS-traffic-redirect/gateway.yaml → 03-Gateway_Ingress/07-HTTP-to-HTTPS-traffic-redirect/Gateway.yaml
View File

2
02-Traffic_management/12-HTTP-to-HTTPS-traffic-redirect/README.md → 03-Gateway_Ingress/07-HTTP-to-HTTPS-traffic-redirect/README.md
View File

@ -5,7 +5,7 @@ include_toc: true
# Based on
- [07-HTTPS-Gateway-Simple-TLS](../07-HTTPS-Gateway-Simple-TLS)
- [03-HTTPS-Gateway-Simple-TLS](../03-HTTPS-Gateway-Simple-TLS)
# Description

12
03-Gateway_Ingress/README.md Normal file
View File

@ -0,0 +1,12 @@
# Description
This section focuses (but not limited to) on the configuration of `gateway` objects, providing examples of instances regarding how to limit to which `VirtualService` objects a `Gateway` object can connect to, regarding how to configure a HTTP to HTTPS redirect, or it's TLS configuration.
# Examples
- 01-header_routing
- 02-DirectResponse-HTTP-Body
- 03-HTTPRewrite
- 04-HTTPRedirect

172
03-Sidecar/01-ingress-proxy-forwarding/README.md
View File

@ -1,172 +0,0 @@
# Continues from
- 01-hello_world_1_service_1_deployment
# TO TRAFFIC PATH DIAGRAM
`etc -> "POD" -> sidecar -> service container`
# Description
This example configures the sidecar proxy on the pods created, to forward the traffic incoming from the port `8080` to the port `80`
## Files
- deployment.yaml
- gateway.yaml
- sidecar.yaml
> Added the `sidecar.yaml` file.
## deployment.yaml
### Creates
#### Service
- helloworld
#### Deployments
- helloworld-nginx (Nginx container)
## gateway.yaml
### Creates
#### Gateway
##### helloworld-gateway
###### Configuration
```yml
...
spec:
selector:
istio: ingressgateway # use istio default controller
servers:
- port:
number: 80
name: http
protocol: HTTP
hosts:
- "*"
```
#### VirtualService
##### helloworld-vs
###### Configuration
```yaml
...
spec:
hosts:
- "*"
gateways:
- helloworld-gateway
http:
- match:
- uri:
exact: /helloworld
route:
- destination:
host: helloworld.default.svc.cluster.local
port:
number: 8080
rewrite:
uri: "/"
```
- On this example, we are using the port `8080` as a destination.
## sidecar.yaml
### creates
#### sidecar
##### helloworld-sidecar
###### Configuration
```yaml
...
spec:
workloadSelector:
labels:
app: helloworld
ingress:
- port:
number: 8080
protocol: HTTP
name: ingressport
defaultEndpoint: 127.0.0.1:80
````
workloadSelector:
> `workloadSelector` is used to target the `PODS`, on which apply this sidecar configuration. \
> Bear in mind that this configuration doesn't target kinds `Service`, nor `Deployment`, it's applied to a kind `Pod` or `ServiceEntry` \
> If there is no `workloadSelector` specified, it will be used as default configuration for the namespace on which was created. \
> More info in the [Istio documentation for workloadSelector](https://istio.io/latest/docs/reference/config/networking/sidecar/#WorkloadSelector)
ingress:
> Configure the behavior of the ingress traffic.\
> On this "grabs"/targets the ingress traffic with port 8080, and forwards it to the port IP `127.0.0.1` (loopback) respective to the destination pod, with the destination port set to 80, which is the port that the service is currently listening to.
# Run example
## Deploy resources
```shell
$ kubectl apply -f ./
service/helloworld created
deployment.apps/helloworld-nginx created
gateway.networking.istio.io/helloworld-gateway created
virtualservice.networking.istio.io/helloworld-vs created
sidecar.networking.istio.io/helloworld-sidecar created
```
## Wait for the pods to be ready
```shell
$ kubectl get deployment helloworld-nginx -w
NAME READY UP-TO-DATE AVAILABLE AGE
helloworld-nginx 1/1 1 1 39s
```
## Test the service
### Get LB IP
```shell
$ kubectl get svc istio-ingressgateway -n istio-system
NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE
istio-ingressgateway LoadBalancer 10.97.47.216 192.168.1.50 15021:31316/TCP,80:32012/TCP,443:32486/TCP 39h
```
### Curl
```shell
$ curl 192.168.1.50/helloworld -s | grep "<title>.*</title>"
<title>Welcome to nginx!</title>
```
### Delete the sidecar configuration to force failure.
```shell
$ kubectl delete sidecars.networking.istio.io helloworld-sidecar
sidecar.networking.istio.io "helloworld-sidecar" deleted
```
### Curl again
```shell
$ curl 192.168.1.50/helloworld -s
upstream connect error or disconnect/reset before headers. reset reason: connection failure, transport failure reason: delayed connect error: 111
```

157
03-Sidecar/README.md
View File

@ -1,157 +0,0 @@
## Examples
- 01-ingress-proxy-forwarding
-
Duplicate 01, and show how it also affects traffic between services.00
egress from (pod to pod)
mtls
examples showing application priority (root < namespace < workload)
istioctl install profile=default --set meshConfig.outboundTrafficPolicy.mode=REGISTRY_ONLY
```shell
$ kubectl get istiooperators.install.istio.io -n istio-system
NAME REVISION STATUS AGE
installed-state 8d
```
kubectl patch istiooperators installed-state -n istio-system --patch-file patch.txt
kubectl patch istiooperators installed-state -n istio-system --patch-file patch.yaml --type merge
---
Set the default behavior of the sidecar for handling outbound traffic from the application. If your application uses one or more external services that are not known apriori, setting the policy to ALLOW_ANY will cause the sidecars to route any unknown traffic originating from the application to its requested destination.
---
https://stackoverflow.com/questions/75093144/istio-sidecar-is-not-restricting-pod-connections-as-desired
https://github.com/istio/istio/issues/33387
https://gist.github.com/GregHanson/3567f5a23bcd58ad1a8acf2a4d1155eb
https://istio.io/latest/docs/tasks/traffic-management/egress/egress-control/?_ga=2.259114634.1481027401.1681916557-32589553.1681916557#change-to-the-blocking-by-default-policy
https://docs.tetrate.io/service-bridge/1.6.x/en-us/operations ?
https://istio.io/latest/docs/reference/config/networking/sidecar/
https://istio.io/latest/docs/reference/glossary/#workload
I am not very sure on how or why to use this...
NOT HOW TO TRIGGER / UNTRIGGER IT
```yaml
apiVersion:
networking.istio.io/v1alpha3
kind: Sidecar
metadata:
name: default
namespace: foo
spec:
egress:
- hosts:
- "./*"
- "istio-system/*"
```
whats this again??
istio operator right? ye, but what is it again? I think I checked this time ago when doing something about creating a new ingress
kubectl get io -A
2023-04-17T00:08:00.086475Z info validationController Not ready to switch validation to fail-closed: dummy invalid config not rejected
2023-04-17T00:08:04.012630Z info validationServer configuration is invalid: gateway must have at least one server
kubectl logs -f deployments/istiod -n istio-system
https://istio.io/latest/docs/reference/config/networking/sidecar/
egress:
- port:
number: 8080
protocol: HTTP
hosts:
- "staging/*"
With the YAML above, the sidecar proxies the traffic thats bound for port 8080 for services running in the staging namespace.
- Confirm pod ingress port forwarding
- Confirm it can reach other places / namespaces / resources (pod egress)
- mtls (somehow)
# Ingress
Does stuff
# Egress
What is "bind"
# CaptureMode
Not my problem rn

14
04-Backends/01-Service_Entry/Gateway.yaml Executable file
View File

@ -0,0 +1,14 @@
apiVersion: networking.istio.io/v1alpha3
kind: Gateway
metadata:
name: helloworld-gateway
spec:
selector:
istio: ingressgateway # use istio default controller
servers:
- port:
number: 80
name: http
protocol: HTTP
hosts:
- "*"

13
02-Traffic_management/05-hello_world_1_Service_Entry/README.md → 04-Backends/01-Service_Entry/README.md
View File

@ -24,9 +24,9 @@ Bear in mind that when Istio is communicating with resources externals to the me
Also, policy enforcement is performed in the client side instead of the server side.
> **Note:**/
> For more information regarding the `resolution` field or the `location` field, refer to the following official Istio documentations:
> [ServiceEntry.Location](https://istio.io/latest/docs/reference/config/networking/service-entry/#ServiceEntry-Location)
> [ServiceEntry.Resolution](https://istio.io/latest/docs/reference/config/networking/service-entry/#ServiceEntry-Resolution)
> For more information regarding the `resolution` field or the `location` field, refer to the following official Istio documentations:\
> - [ServiceEntry.Location](https://istio.io/latest/docs/reference/config/networking/service-entry/#ServiceEntry-Location)\
> - [ServiceEntry.Resolution](https://istio.io/latest/docs/reference/config/networking/service-entry/#ServiceEntry-Resolution)
```yaml
apiVersion: networking.istio.io/v1alpha3
@ -143,7 +143,7 @@ virtualservice.networking.istio.io/helloworld-vs created
### Get LB IP
```shell
$ kubectl get svc -l istio=ingressgateway -A
kubectl get svc -l istio=ingressgateway -A
```
```text
NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE
@ -177,14 +177,15 @@ curl 192.168.1.50/external
We don't receive any output.
This could be due, even if we resolve the destination IP for the URL `info.cern.ch`, the destination might have a Reverse Proxy or any other ingress resource that could condition handling this request.
Even if we resolve the destination IP for the URL `info.cern.ch`, the destination might have a **Reverse Proxy** or any other ingress resource that could condition handling this request.
Due to the `HOST` field not being modified after we set the request, it might not be able to pass the filtering set, weather it is security wise, for example, requiring such field to allow the request; or it being a routing condition, which due not having this field specified, it's not able to route the request towards the destination desired.
Due to the `HOST` field not being modified after we set the request, it might not be able to pass the filtering rules set on the destination server, on this scenario being the service responsible for receiving requests with the URL `info.cern.ch`.
```shell
curl 192.168.1.50/external-noh
```
```text
</pre></body></html>
```
## Cleanup

0
02-Traffic_management/05-hello_world_1_Service_Entry/ServiceEntry.yaml → 04-Backends/01-Service_Entry/ServiceEntry.yaml
View File

15
02-Traffic_management/05-hello_world_1_Service_Entry/gateway.yaml → 04-Backends/01-Service_Entry/VirtualService.yaml Executable file → Normal file
View File

@ -1,19 +1,4 @@
apiVersion: networking.istio.io/v1alpha3
kind: Gateway
metadata:
name: helloworld-gateway
spec:
selector:
istio: ingressgateway # use istio default controller
servers:
- port:
number: 80
name: http
protocol: HTTP
hosts:
- "*"
---
apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
name: helloworld-vs

25
04-Backends/02-Outboud-Traffic-Policy/Deployment.yaml Executable file
View File

@ -0,0 +1,25 @@
apiVersion: apps/v1
kind: Deployment
metadata:
name: helloworld-nginx
labels:
app: helloworld
spec:
replicas: 1
selector:
matchLabels:
app: helloworld
template:
metadata:
labels:
app: helloworld
spec:
containers:
- name: helloworld
image: nginx
resources:
requests:
cpu: "100m"
imagePullPolicy: IfNotPresent #Always
ports:
- containerPort: 80

14
04-Backends/02-Outboud-Traffic-Policy/Gateway.yaml Executable file
View File

@ -0,0 +1,14 @@
apiVersion: networking.istio.io/v1alpha3
kind: Gateway
metadata:
name: helloworld-gateway
spec:
selector:
istio: ingressgateway # use istio default controller
servers:
- port:
number: 80
name: http
protocol: HTTP
hosts:
- "*"

338
04-Backends/02-Outboud-Traffic-Policy/README.md Executable file
View File

@ -0,0 +1,338 @@
---
gitea: none
include_toc: true
---
# Description
Based on the previous example where we configured an external service through a `ServiceEntry` object, this example compares the behavior between setting up the MeshConfig `OutboundTrafficPolicy.mode` setting to `REGISTRY_ONLY` and `ALLOW_ANY`.
- ALLOW_ANY: Allows all egress/outbound traffic from the mesh.
- REGISTRY_ONLY: Restricted to services that figure in the service registry a and the ServiceEntry objects.
More info regarding this configuration at the pertinent documentation (https://istio.io/latest/docs/reference/config/istio.mesh.v1alpha1/#MeshConfig-OutboundTrafficPolicy-Mode)
> **Note:**\
> For more information about the image used refer to [here](https://hub.docker.com/r/oriolfilter/https-nginx-demo)
# Based on
- [01-Service_Entry](../01-Service_Entry)
# Configuration
## Gateway
Deploys an Istio gateway that's listening to the port `80` for `HTTP` traffic.
It doesn't filter for any specific host.
The `selector` field is used to "choose" which Istio Load Balancers will have this gateway assigned to.
The Istio `default` profile creates a Load Balancer in the namespace `istio-system` that has the label `istio: ingressgateway` set, allowing us to target that specific Load Balancer and assign this gateway resource to it.
```shell
apiVersion: networking.istio.io/v1alpha3
kind: Gateway
metadata:
name: helloworld-gateway
spec:
selector:
istio: ingressgateway
servers:
- port:
number: 80
name: http
protocol: HTTP
hosts:
- "*"
```
> **Note:**\
> The credentials resource is created further bellow through the [Walkthrough](#walkthrough) steps.
> **Note:**\
> For more information regarding the TLS mode configuration, refer to the following [Istio documentation regarding the TLS mode field](https://istio.io/latest/docs/reference/config/networking/gateway/#ServerTLSSettings-TLSmode).
## VirtualService
This configuration hosts 2 backends, 1 being the deployed service `helloworld.default.svc.cluster.local`, which will be accessible through the URL path `/helloworld`.
The second service will be accessible through the URL path `/external`, and will use as a backend the deployed `ServiceEntry` object, as well it has a timeout setting of 3 seconds.
This destination is the service that contains the `HTTPS` deployment, running over the port `8443`
```yaml
apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
name: helloworld-vs
spec:
hosts:
- "*"
gateways:
- helloworld-gateway
http:
- match:
- uri:
exact: /helloworld
route:
- destination:
host: helloworld
port:
number: 80
rewrite:
uri: "/"
- timeout: 3s
match:
- uri:
exact: "/external"
route:
- destination:
host: help.websiteos.com
port:
number: 80
rewrite:
uri: "/websiteos/example_of_a_simple_html_page.htm"
headers:
request:
set:
HOST: "help.websiteos.com"
```
## Service
The service will forward incoming HTTP TCP traffic from the port `80`, towards the deployment port `80`.
```yaml
apiVersion: v1
kind: Service
metadata:
name: helloworld
labels:
app: helloworld
service: helloworld
spec:
ports:
- port: 80
name: http
selector:
app: helloworld
```
## Deployment
Nginx deployment listens to port 80.
```yaml
apiVersion: apps/v1
kind: Deployment
metadata:
name: helloworld-nginx
labels:
app: helloworld
spec:
replicas: 1
selector:
matchLabels:
app: helloworld
template:
metadata:
labels:
app: helloworld
spec:
containers:
- name: helloworld
image: nginx
resources:
requests:
cpu: "100m"
imagePullPolicy: IfNotPresent #Always
ports:
- containerPort: 80
```
### ServiceEntry
```yaml
apiVersion: networking.istio.io/v1alpha3
kind: ServiceEntry
metadata:
name: external-svc
spec:
hosts:
- help.websiteos.com
ports:
- number: 80
name: http
protocol: HTTP
resolution: DNS
location: MESH_EXTERNAL
```
## ServiceEntry
This `ServiceEntry` resource, defines as a destination the URL `help.websiteos.com`.
Note that location is set to `MESH_EXTERNAL` and that the resolution is set to `DNS`, this means that the resource is external to ou `Istio Service Mesh`, and the URL will be resolved through `DNS`
Bear in mind that when Istio is communicating with resources externals to the mesh, `mTLS` is disabled.
Also, policy enforcement is performed in the client side instead of the server side.
> **Note:**/
> For more information regarding the `resolution` field or the `location` field, refer to the following official Istio documentations:\
> - [ServiceEntry.Location](https://istio.io/latest/docs/reference/config/networking/service-entry/#ServiceEntry-Location)\
> - [ServiceEntry.Resolution](https://istio.io/latest/docs/reference/config/networking/service-entry/#ServiceEntry-Resolution)
```yaml
apiVersion: networking.istio.io/v1alpha3
kind: ServiceEntry
metadata:
name: external-svc
spec:
hosts:
- help.websiteos.com
ports:
- number: 80
name: http
protocol: HTTP
resolution: DNS
location: MESH_EXTERNAL
```
# Walkthrough
## Set ALLOW_ANY outbound traffic policy
First step will be to have the cluster with the `meshConfig.outboundTrafficPolicy.mode` setting set to `ALLOW_ANY`.
In case you are not using a "free to destroy" sandbox, you should update the setting through the `IstioOperator` object.
```shell
istioctl install --set profile=default -y --set meshConfig.accessLogFile=/dev/stdout --set meshConfig.outboundTrafficPolicy.mode=ALLOW_ANY
```
## Deploy resources
```shell
kubectl apply -f ./
```
```text
deployment.apps/helloworld-nginx created
gateway.networking.istio.io/helloworld-gateway created
service/helloworld created
serviceentry.networking.istio.io/external-svc created
virtualservice.networking.istio.io/helloworld-vs created
```
## Get LB IP
```shell
kubectl get svc istio-ingressgateway -n istio-system
```
```text
NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE
istio-ingressgateway LoadBalancer 10.97.47.216 192.168.1.50 15021:31316/TCP,80:32012/TCP,443:32486/TCP 39h
```
## Test deployments
```shell
curl 192.168.1.50/helloworld -I
```
```text
HTTP/1.1 200 OK
server: istio-envoy
date: Sat, 14 Oct 2023 10:53:45 GMT
content-type: text/html
content-length: 615
last-modified: Tue, 15 Aug 2023 17:03:04 GMT
etag: "64dbafc8-267"
accept-ranges: bytes
x-envoy-upstream-service-time: 53
```
```shell
curl 192.168.1.50/external -I
```
```text
HTTP/1.1 200 OK
date: Sat, 14 Oct 2023 10:54:13 GMT
content-type: text/html
content-length: 5186
last-modified: Mon, 17 Mar 2014 17:25:03 GMT
expires: Thu, 31 Dec 2037 23:55:55 GMT
cache-control: max-age=315360000
x-envoy-upstream-service-time: 306
server: istio-envoy
```
## Test egress the helloworld deployment
It returns a 301 code, meaning that it was able to reach the destination, and it was attempted to redirect the traffic from HTTP to HTTPS.
```shell
kubectl exec -i -t "$(kubectl get pod -l app=helloworld | tail -n 1 | awk '{print $1}')" -- curl wikipedia.com -I
```
```text
HTTP/1.1 301 Moved Permanently
server: envoy
date: Sat, 14 Oct 2023 10:54:34 GMT
content-type: text/html
content-length: 169
location: https://wikipedia.com/
x-envoy-upstream-service-time: 61
```
## Set REGISTRY_ONLY outbound traffic policy
```shell
istioctl install --set profile=default -y --set meshConfig.accessLogFile=/dev/stdout --set meshConfig.outboundTrafficPolicy.mode=REGISTRY_ONLY
```
In case you are not using a "free to destroy" sandbox, you should update the setting through the `IstioOperator` object.
## Test (again) egress the helloworld deployment
It returns a 502 code, meaning that it wasn't able to reach the destination.
```shell
kubectl exec -i -t "$(kubectl get pod -l app=helloworld | tail -n 1 | awk '{print $1}')" -- curl wikipedia.com -I
```
```text
HTTP/1.1 502 Bad Gateway
date: Thu, 20 Apr 2023 18:08:37 GMT
server: envoy
transfer-encoding: chunked
```
This allowed us to confirm how the setting `outboundTrafficPolicy.mode` influences the reachability of the traffic.
## Cleanup
```shell
kubectl delete -f ./
```
```text
deployment.apps "helloworld-nginx" deleted
gateway.networking.istio.io "helloworld-gateway" deleted
service "helloworld" deleted
serviceentry.networking.istio.io "external-svc" deleted
virtualservice.networking.istio.io "helloworld-vs" deleted
```
# Links of Interest
- https://istio.io/latest/docs/tasks/traffic-management/egress/egress-control/#controlled-access-to-external-services
- https://istio.io/latest/docs/tasks/traffic-management/egress/egress-control/#envoy-passthrough-to-external-services

13
04-Backends/02-Outboud-Traffic-Policy/Service.yaml Normal file
View File

@ -0,0 +1,13 @@
apiVersion: v1
kind: Service
metadata:
name: helloworld
labels:
app: helloworld
service: helloworld
spec:
ports:
- port: 80
name: http
selector:
app: helloworld

13
04-Backends/02-Outboud-Traffic-Policy/ServiceEntry.yaml Normal file
View File

@ -0,0 +1,13 @@
apiVersion: networking.istio.io/v1alpha3
kind: ServiceEntry
metadata:
name: external-svc
spec:
hosts:
- help.websiteos.com
ports:
- number: 80
name: http
protocol: HTTP
resolution: DNS
location: MESH_EXTERNAL

16
05-MeshConfig/01-Outboud-Traffic-Policy/gateway.yaml → 04-Backends/02-Outboud-Traffic-Policy/VirtualService.yaml Executable file → Normal file
View File

@ -1,19 +1,3 @@
# https://github.com/istio/istio/blob/master/samples/helloworld/helloworld-gateway.yaml
apiVersion: networking.istio.io/v1alpha3
kind: Gateway
metadata:
name: helloworld-gateway
spec:
selector:
istio: ingressgateway # use istio default controller
servers:
- port:
number: 80
name: http
protocol: HTTP
hosts:
- "*"
---
apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:

17
02-Traffic_management/09-HTTPS-backend/deployment.yaml → 04-Backends/03-HTTPS-backend/Deployment.yaml
View File

@ -1,20 +1,3 @@
apiVersion: v1
kind: Service
metadata:
name: helloworld
labels:
app: helloworld
service: helloworld
spec:
ports:
- port: 8443
name: https
targetPort: 443
protocol: TCP
appProtocol: https
selector:
app: helloworld
---
apiVersion: apps/v1
kind: Deployment
metadata:

13
04-Backends/03-HTTPS-backend/DestinationRule.yaml Normal file
View File

@ -0,0 +1,13 @@
apiVersion: networking.istio.io/v1alpha3
kind: DestinationRule
metadata:
name: helloworld
namespace: default
spec:
host: helloworld.default.svc.cluster.local
trafficPolicy:
portLevelSettings:
- port:
number: 8443
tls:
mode: SIMPLE

23
04-Backends/03-HTTPS-backend/Gateway.yaml Executable file
View File

@ -0,0 +1,23 @@
apiVersion: networking.istio.io/v1alpha3
kind: Gateway
metadata:
name: helloworld-gateway
spec:
selector:
istio: ingressgateway
servers:
- port:
number: 80
name: http
protocol: HTTP
hosts:
- "*"
- port:
number: 443
name: https
protocol: HTTPS
hosts:
- "*"
tls:
credentialName: my-tls-cert-secret
mode: SIMPLE

0
02-Traffic_management/09-HTTPS-backend/authentication.yaml → 04-Backends/03-HTTPS-backend/PeerAuthentication.yaml
View File

4
02-Traffic_management/09-HTTPS-backend/README.md → 04-Backends/03-HTTPS-backend/README.md
View File

@ -5,7 +5,7 @@ include_toc: true
# Based on
- [08a-HTTPS-min-TLS-version](../08a-HTTPS-min-TLS-version)
- [03-Gateway_Ingress/04a-HTTPS-min-TLS-version](../../03-Gateway_Ingress/04a-HTTPS-min-TLS-version)
# Description
@ -197,7 +197,7 @@ spec:
```
> **Note**:\
> As this configuration is very board, and targets the whole namespace, I would strongly recommend referring to the following example [06-Internal-Authentication/02-target-service-accounts](../../06-AuthorizationPolicy/02-target-service-accounts), which shows how to target service accounts set to resources, limiting the scope of this rule set.
> As this configuration is very board, and targets the whole namespace, I would strongly recommend referring to the following example [06-Internal-Authentication/02-AuthorizationPolicy-Target-Service-Accounts](../../08-AuthorizationPolicy/02-AuthorizationPolicy-Target-Service-Accounts), which shows how to target service accounts set to resources, limiting the scope of this rule set.
# Walkthrough

16
04-Backends/03-HTTPS-backend/Service.yaml Normal file
View File

@ -0,0 +1,16 @@
apiVersion: v1
kind: Service
metadata:
name: helloworld
labels:
app: helloworld
service: helloworld
spec:
ports:
- port: 8443
name: https
targetPort: 443
protocol: TCP
appProtocol: https
selector:
app: helloworld

19
04-Backends/03-HTTPS-backend/VirtualService.yaml Normal file
View File

@ -0,0 +1,19 @@
apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
name: helloworld-vs
spec:
hosts:
- "*"
gateways:
- helloworld-gateway
http:
- name: https-vs
match:
- port: 80
- port: 443
route:
- destination:
host: helloworld.default.svc.cluster.local
port:
number: 8443

17
04-Backends/README.md Normal file
View File

@ -0,0 +1,17 @@
# Description
This section will focus on the interaction with the backend and routing the traffic towards it.
## Examples
01-Service_Entry
02-HTTPS-backend
03-Outboud-Traffic-Policy
04-HTTPS-backend-with-mTLS (TODO)
## Heads up
On the example `03-Outboud-Traffic-Policy`, Istio's `meshConfig.outboundTrafficPolicy` will require to be modified.
On the example it's used the `istioctl install` command to set that up, as I assume you are testing this examples in a sandbox that you are free to "destroy".

42
04-Envoy/01-envoy_add_headers/README.md
View File

@ -1,42 +0,0 @@
https://github.com/istio/istio/wiki/EnvoyFilter-Samples
https://stackoverflow.com/questions/73262158/how-to-apply-envoyfilter-to-sidecar-inbound-and-gateway
https://istio.io/latest/docs/reference/config/networking/envoy-filter/
https://discuss.istio.io/t/adding-custom-response-headers-using-istios-1-6-0-envoy-lua-filter/7494
https://www.envoyproxy.io/docs/envoy/latest/configuration/http/http_filters/lua_filter
> kubectl logs -f deployments/istiod -n istio-system
This somewhat is monitoring, can do cool stuff I don't know how or what to do
enable export access logs to stdout
istioctl install --set profile=default -y --set meshConfig.accessLogFile=/dev/stdout
https://istio.io/latest/docs/ops/diagnostic-tools/component-logging/
https://dev.to/aws-builders/understanding-istio-access-logs-2k5o
```yaml
Note: Here I am using request_handle:logCritical method because default logLevel is WARN for Istio components. request_handle:logInfo can be used, if logLevel is set to Info.
```
https://youtu.be/yOtEG1luTwU

43
04-Envoy/01-envoy_add_headers/deployment.yaml
View File

@ -1,43 +0,0 @@
apiVersion: v1
kind: Service
metadata:
name: helloworld
labels:
app: helloworld
service: helloworld
# annotations:
# sidecar.istio.io/componentLogLevel: info
spec:
ports:
- port: 80
name: http
selector:
app: helloworld
---
apiVersion: apps/v1
kind: Deployment
metadata:
name: helloworld-nginx
labels:
app: helloworld
spec:
replicas: 1
selector:
matchLabels:
app: helloworld
template:
metadata:
labels:
app: helloworld
annotations:
sidecar.istio.io/componentLogLevel: lua:info
spec:
containers:
- name: helloworld
image: nginx
resources:
requests:
cpu: "100m"
imagePullPolicy: IfNotPresent #Always
ports:
- containerPort: 80

36
04-Envoy/01-envoy_add_headers/gateway.yaml
View File

@ -1,36 +0,0 @@
# https://github.com/istio/istio/blob/master/samples/helloworld/helloworld-gateway.yaml
apiVersion: networking.istio.io/v1alpha3
kind: Gateway
metadata:
name: helloworld-gateway
spec:
selector:
istio: ingressgateway # use istio default controller
servers:
- port:
number: 80
name: http
protocol: HTTP
hosts:
- "*"
---
apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
name: helloworld-vs
spec:
hosts:
- "*"
gateways:
- helloworld-gateway
http:
- match:
- uri:
exact: /helloworld
route:
- destination:
host: helloworld
port:
number: 80
rewrite:
uri: "/"

6
04-Envoy/README.md
View File

@ -1,6 +0,0 @@
https://youtu.be/yOtEG1luTwU
Rate Limit:
https://istio.io/latest/docs/tasks/policy-enforcement/rate-limit/

102
05-MeshConfig/01-Outboud-Traffic-Policy/README.md
View File

@ -1,102 +0,0 @@
# Continues from
- 05-hello_world_1_Service_Entry
# Description
On this example compares the behavior between setting up the MeshConfig `OutboundTrafficPolicy.mode` setting to `REGISTRY_ONLY` and `ALLOW_ANY`.
- ALLOW_ANY: Allows all egress/outbound traffic from the mesh.
- REGISTRY_ONLY: Restricted to services that figure in the service registry a and the ServiceEntry objects.
More info regarding this configuration at the pertintent documentation (https://istio.io/latest/docs/reference/config/istio.mesh.v1alpha1/#MeshConfig-OutboundTrafficPolicy-Mode)
## Runthrough
### Set ALLOW_ANY outbound traffic policy
```shell
istioctl install --set profile=default -y --set meshConfig.accessLogFile=/dev/stdout --set meshConfig.outboundTrafficPolicy.mode=ALLOW_ANY
```
### Deploy resources
```shell
$ kubectl apply -f ./
service/helloworld created
deployment.apps/helloworld-nginx created
serviceentry.networking.istio.io/external-svc created
gateway.networking.istio.io/helloworld-gateway created
virtualservice.networking.istio.io/helloworld-vs created
```
### Get LB IP
```shell
$ kubectl get svc istio-ingressgateway -n istio-system
NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE
istio-ingressgateway LoadBalancer 10.97.47.216 192.168.1.50 15021:31316/TCP,80:32012/TCP,443:32486/TCP 39h
```
### Test deployments
```shell
$ curl 192.168.1.50/helloworld -I
HTTP/1.1 200 OK
server: istio-envoy
date: Thu, 20 Apr 2023 18:03:18 GMT
content-type: text/html
content-length: 615
last-modified: Tue, 28 Mar 2023 15:01:54 GMT
etag: "64230162-267"
accept-ranges: bytes
x-envoy-upstream-service-time: 73
```
```shell
$ curl 192.168.1.50/external -I
HTTP/1.1 200 OK
date: Thu, 20 Apr 2023 18:03:24 GMT
content-type: text/html
content-length: 5186
last-modified: Mon, 17 Mar 2014 17:25:03 GMT
expires: Thu, 31 Dec 2037 23:55:55 GMT
cache-control: max-age=315360000
x-envoy-upstream-service-time: 228
server: istio-envoy
```
### Test egress the helloworld deployment
It returns a 301 code, meaning that it was able to reach the destination and it was attempted to redirect the traffic from HTTP to HTTPS.
```shell
$ kubectl exec -i -t "$(kubectl get pod -l app=helloworld | tail -n 1 | awk '{print $1}')" -- curl wikipedia.com -I
HTTP/1.1 301 Moved Permanently
server: envoy
date: Thu, 20 Apr 2023 18:06:57 GMT
content-type: text/html
content-length: 169
location: https://wikipedia.com/
x-envoy-upstream-service-time: 65
```
### Set REGISTRY_ONLY outbound traffic policy
```shell
istioctl install --set profile=default -y --set meshConfig.accessLogFile=/dev/stdout --set meshConfig.outboundTrafficPolicy.mode=REGISTRY_ONLY
```
### Test (again) egress the helloworld deployment
It returns a 502 code, meaning that it wasn't able to reach the destination.
```shell
$ kubectl exec -i -t "$(kubectl get pod -l app=helloworld | tail -n 1 | awk '{print $1}')" -- curl wikipedia.com -I
HTTP/1.1 502 Bad Gateway
date: Thu, 20 Apr 2023 18:08:37 GMT
server: envoy
transfer-encoding: chunked
```

57
05-MeshConfig/01-Outboud-Traffic-Policy/deployment.yaml
View File

@ -1,57 +0,0 @@
# https://github.com/istio/istio/blob/master/samples/helloworld/helloworld.yaml
apiVersion: v1
kind: Service
metadata:
name: helloworld
labels:
app: helloworld
service: helloworld
spec:
ports:
- port: 80
name: http
selector:
app: helloworld
---
apiVersion: apps/v1
kind: Deployment
metadata:
name: helloworld-nginx
labels:
app: helloworld
spec:
replicas: 1
selector:
matchLabels:
app: helloworld
template:
metadata:
labels:
app: helloworld
spec:
containers:
- name: helloworld
image: nginx
resources:
requests:
cpu: "100m"
imagePullPolicy: IfNotPresent #Always
ports:
- containerPort: 80
---
apiVersion: networking.istio.io/v1alpha3
kind: ServiceEntry
metadata:
name: external-svc
spec:
hosts:
- help.websiteos.com
# /websiteos/example_of_a_simple_html_page.htm
# - http://help.websiteos.com/websiteos/example_of_a_simple_html_page.htm
ports:
- number: 80
name: http
protocol: HTTP
resolution: DNS
location: MESH_EXTERNAL
---

10
05-MeshConfig/README.md
View File

@ -1,10 +0,0 @@
# Examples
- 01-Outboud-Traffic-Policy
## Additional
https://istio.io/latest/docs/tasks/observability/distributed-tracing/mesh-and-proxy-config/

25
05-Sidecar/01-ingress-proxy-forwarding/Deployment.yaml Executable file
View File

@ -0,0 +1,25 @@
apiVersion: apps/v1
kind: Deployment
metadata:
name: helloworld-nginx
labels:
app: helloworld
spec:
replicas: 1
selector:
matchLabels:
app: helloworld
template:
metadata:
labels:
app: helloworld
spec:
containers:
- name: helloworld
image: nginx
resources:
requests:
cpu: "100m"
imagePullPolicy: IfNotPresent #Always
ports:
- containerPort: 80

14
05-Sidecar/01-ingress-proxy-forwarding/Gateway.yaml Executable file
View File

@ -0,0 +1,14 @@
apiVersion: networking.istio.io/v1alpha3
kind: Gateway
metadata:
name: helloworld-gateway
spec:
selector:
istio: ingressgateway # use istio default controller
servers:
- port:
number: 80
name: http
protocol: HTTP
hosts:
- "*"

289
05-Sidecar/01-ingress-proxy-forwarding/README.md Executable file
View File

@ -0,0 +1,289 @@
---
gitea: none
include_toc: true
---
# Description
This example deploys the same infrastructure as the [previous example](../../01-Getting_Started/01-hello_world_1_service_1_deployment), configures the **sidecar** `envoy-proxy`/`istio-proxy`/`sidecar-proxy` on the pods created, to forward the traffic incoming from the port `8080` to the port `80`.
This example configures:
Generic Kubernetes resources:
- 1 Service
- 1 Deployment
Istio resources:
- 1 Gateway
- 1 Virtual Service
- 1 Sidecar configration
# Based on
- [01-hello_world_1_service_1_deployment](../../01-Getting_Started/01-hello_world_1_service_1_deployment)
# Configuration
## Service
Creates a service named `helloworld`.
This service listens for the port `8080` expecting `HTTP` traffic and will forward the incoming traffic towards the port `8080` from the destination pod.
```yaml
apiVersion: v1
kind: Service
metadata:
name: helloworld
labels:
app: helloworld
spec:
ports:
- port: 8080
name: http
selector:
app: helloworld
```
## Deployment
Deploys a Nginx server that listens for the port `80`.
We can notice how in the service we opened the port `8080` and in the deployment we are listening to the port `80`, more about this in the [Sidecar Section](#sidecar).
```yaml
apiVersion: apps/v1
kind: Deployment
metadata:
name: helloworld-nginx
labels:
app: helloworld
spec:
replicas: 1
selector:
matchLabels:
app: helloworld
template:
metadata:
labels:
app: helloworld
spec:
containers:
- name: helloworld
image: nginx
resources:
requests:
cpu: "100m"
imagePullPolicy: IfNotPresent #Always
ports:
- containerPort: 80
```
## Gateway
Deploys an Istio gateway that's listening to the port `80` for `HTTP` traffic.
It doesn't filter for any specific host.
The `selector` field is used to "choose" which Istio Load Balancers will have this gateway assigned to.
The Istio `default` profile creates a Load Balancer in the namespace `istio-system` that has the label `istio: ingressgateway` set, allowing us to target that specific Load Balancer and assign this gateway resource to it.
```yaml
apiVersion: networking.istio.io/v1alpha3
kind: Gateway
metadata:
name: helloworld-gateway
spec:
selector:
istio: ingressgateway
servers:
- port:
number: 80
name: http
protocol: HTTP
hosts:
- "*"
```
## VirtualService
The Virtual Service resources are used to route and filter the received traffic from the gateway resources, and route it towards the desired destination.
On this example we select the gateway `helloworld-gateway`, which is the [gateway that 's described in the `Gateway` section](#gateway).
On this resource, we are also not limiting the incoming traffic to any specific host, allowing for all the incoming traffic to go through the rules set.
Here we created a rule that will be applied on `HTTP` related traffic when the destination path is exactly `/helloworld`.
This traffic will be forwarded to the port `8080` of the destination service `helloworld` (the full path URL equivalent would be `helloworld.$NAMESPACE.svc.cluster.local`).
Additionally, there will be an internal URL rewrite set, as if the URL is not modified, it would attempt to reach to the `/helloworld` path from the Nginx deployment, which currently has no content and would result in an error code `404` (Not found).
```yaml
apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
name: helloworld-vs
spec:
hosts:
- "*"
gateways:
- helloworld-gateway
http:
- match:
- uri:
exact: /helloworld
route:
- destination:
host: helloworld
port:
number: 80
rewrite:
uri: "/"
```
## Sidecar
This will configure the sidecar configuration from the `envoy-proxy` in each pod.
`workloadSelector` will be used to select the target pods, where, on this scenario, it will target the pods that have the label set `app: helloworld`.
The ingress configuration set, will listen for the port `8080` from the pod, and forward it to the pod's port `80` through the loopback (127.0.0.1) IP.
On this scenario we are performing a simple `8080` to `80` redirect.
> **Note:**\
> A reminder that a `POD` is an object that groups container(s).
+ more notes:
- workloadSelector:
> `workloadSelector` is used to target the `PODS`, on which apply this sidecar configuration. \
> Bear in mind that this configuration doesn't target kinds `Service`, nor `Deployment`, it's applied to a kind `Pod` or `ServiceEntry` \
> If there is no `workloadSelector` specified, it will be used as default configuration for the namespace on which was created. \
> More info in the [Istio documentation for workloadSelector](https://istio.io/latest/docs/reference/config/networking/sidecar/#WorkloadSelector)
- ingress:
> Configure the behavior of the ingress traffic.\
> On this "grabs"/targets the ingress traffic with port 8080, and forwards it to the port IP `127.0.0.1` (loopback) respective to the destination pod, with the destination port set to 80, which is the port that the service is currently listening to.
```yaml
apiVersion: networking.istio.io/v1alpha3
kind: Sidecar
metadata:
name: helloworld-sidecar
spec:
workloadSelector:
labels:
app: helloworld
ingress:
- port:
number: 8080
protocol: HTTP
name: ingressport
defaultEndpoint: 127.0.0.1:80
```
# Run example
## Deploy resources
```shell
kubectl apply -f ./
```
```text
deployment.apps/helloworld-nginx created
gateway.networking.istio.io/helloworld-gateway created
service/helloworld created
sidecar.networking.istio.io/helloworld-sidecar created
virtualservice.networking.istio.io/helloworld-vs created
```
## Wait for the pods to be ready
```shell
kubectl get deployment helloworld-nginx -w
```
```text
NAME READY UP-TO-DATE AVAILABLE AGE
helloworld-nginx 1/1 1 1 39s
```
## Test the service
### Get LB IP
To perform the desired tests, we will need to obtain the IP Istio Load Balancer that we selected in the [Gateway section](#gateway).
On my environment, the IP is the `192.168.1.50`.
```shell
kubectl get svc -l istio=ingressgateway -A
```
```text
NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE
istio-ingressgateway LoadBalancer 10.97.47.216 192.168.1.50 15021:31316/TCP,80:32012/TCP,443:32486/TCP 39h
```
### Curl
We can perform a curl towards the destination.
A reminder that the configuration set in the [service](#service) created, it's listening to the port `8080` and forwarding the traffic to the same pod (`8080`).
As well on the Istio's [VirtualService](#virtualservice), we configured the destination port as `8080`.
Yet, on the [Sidecar](#sidecar) configuration, we are redirecting the ingress traffic from the port `8080`, to the port `80`.
```shell
curl 192.168.1.50/helloworld -s | grep "<title>.*</title>"
```
```text
<title>Welcome to nginx!</title>
```
### Delete the sidecar configuration to force failure.
As per the moment let's delete the `sidecar` configuration deployed.
```shell
kubectl delete sidecars.networking.istio.io helloworld-sidecar
```
```text
sidecar.networking.istio.io "helloworld-sidecar" deleted
```
### Curl again
After deleting the `sidecar` configuration, which was handling the ingress traffic from port `8080`, we can observe that we are no longer able to handle the incoming requests, raising an error message.
```shell
curl 192.168.1.50/helloworld -s
```
```text
upstream connect error or disconnect/reset before headers. reset reason: connection failure, transport failure reason: delayed connect error: 111
```
## Cleanup
Finally, a cleanup from the resources deployed.
```shell
kubectl delete -f ./
```
```text
deployment.apps "helloworld-nginx" deleted
gateway.networking.istio.io "helloworld-gateway" deleted
service "helloworld" deleted
virtualservice.networking.istio.io "helloworld-vs" deleted
Error from server (NotFound): error when deleting "Sidecar.yaml": sidecars.networking.istio.io "helloworld-sidecar" not found
```

Some files were not shown because too many files have changed in this diff Show More