ofilter/Istio_Examples
1
0
Fork 0
Code Issues 26 Pull Requests Packages Projects 1 Releases Wiki Activity

Compare commits

base: ofilter:8c1288f8d107389a6180813e6934195b83dbc7fc
Branches Tags
ofilter:main ofilter:dev
...
compare: ofilter:main
Branches Tags
ofilter:main ofilter:dev

34 Commits
8c1288f8d1 ... main

Author SHA1 Message Date
ofilter
2f87a19545 Merge pull request 'dev' (#68) from dev into main 
Reviewed-on: #68
 2024-01-15 21:45:58 +01:00
ofilter
a4419990ea Merge branch 'main' into dev 2024-01-15 21:45:39 +01:00
ofilter
990bada6e1 Merge pull request 'dev2_Jan_15_2024' (#67) from dev2_Jan_15_2024 into dev 
Reviewed-on: #67
 2024-01-15 21:44:43 +01:00
ofilter
e088cf6659 Merge branch 'dev' into dev2_Jan_15_2024 2024-01-15 21:44:34 +01:00
savagebidoof
ee13b20458 Fixed lowercase typo on folder name. 
Quick made the README.md
 2024-01-15 21:36:27 +01:00
savagebidoof
2582e15e1a Added couple relevant links to the topic, nothing else. 2024-01-15 21:32:45 +01:00
savagebidoof
404c036883 Deleted/Moved to main 2024-01-15 21:32:29 +01:00
savagebidoof
6cb3c9fa50 Added simple monitoring examples. 
They are based off Helm PrometheusStack community Chart.
 2024-01-15 21:32:14 +01:00
ofilter
f86ac97255 Merge pull request 'dev - 2023/10/14' (#66) from dev into main 
Reviewed-on: https://gitea.filterhome.xyz/ofilter/Istio_Examples/pulls/66
 2023-10-14 13:06:28 +02:00
ofilter
2fb608c5bd Merge branch 'main' into dev 2023-10-14 13:06:17 +02:00
savagebidoof
942a3bf8ae Updated Global README.md 2023-10-14 13:03:28 +02:00
savagebidoof
74e5b9d5f0 Inserted into the respective directory. 2023-10-14 13:01:46 +02:00
savagebidoof
7e004697a9 Fixed link refference 2023-10-14 13:00:52 +02:00
savagebidoof
c02a355a95 Renamed folder 2023-10-14 13:00:22 +02:00
savagebidoof
d2b1dc2284 Speed documented 2023-10-14 12:59:07 +02:00
savagebidoof
f0ce2ae68d Fixed format 2023-10-14 12:50:13 +02:00
savagebidoof
b6657bdd4c Renamed files and deglossed it's contents. 2023-10-14 12:30:39 +02:00
savagebidoof
68efcde1fa Added a section README.md to the sections: 
- 90-MixConfigs
- 99-resources
 2023-10-14 12:22:17 +02:00
savagebidoof
1cf75d5902 Deglossed the files. 2023-10-14 12:21:42 +02:00
savagebidoof
df8eea778c Documented examples from 11-Fault_Injection: 
- 01-FaultInjection-delay
- 02-FaultInjection-abort

Added a section README.md to the section:

- 11-Fault_Injection
 2023-10-14 12:11:34 +02:00
savagebidoof
c1aec3ae4c Renamed file to capitalized first letter. 2023-10-14 11:21:30 +02:00
savagebidoof
957dbfcf84 Updated global README.md 2023-10-14 11:19:29 +02:00
savagebidoof
e883755680 Added section README.md for: 
- 10-mTLS_PeerAuthentication

Renamed its files to use a capital letter at the start of the files.
 2023-10-14 11:14:19 +02:00
savagebidoof
0a1e36dcaf Added section README.md for: 
- 09-Ingress
 2023-10-14 11:08:51 +02:00
savagebidoof
40fe16c040 Renamed folder 2023-10-14 11:06:55 +02:00
savagebidoof
b440efb6b2 Renamed directories 2023-10-14 11:02:16 +02:00
savagebidoof
4e66d65096 Fixed refference 2023-10-14 11:01:51 +02:00
savagebidoof
16f7ab6178 Improved Readme slightly. 2023-10-14 11:00:10 +02:00
savagebidoof
d117481a5b Documented Section Readme for: 
- 08-AuthorizationPolicy

Also, (speed) documented its examples.
 2023-10-14 10:59:33 +02:00
savagebidoof
84b71d9751 Minor update to the global README.md file. 2023-10-14 10:27:11 +02:00
savagebidoof
fd3f9b6e95 Didn't add the examples section. 2023-10-14 10:25:13 +02:00
savagebidoof
de4ae7dd09 Documented 06_Envoy examples: 
- 01-Envoy-add-response-headers
- 02-envoy-logging

Added section README.md to:
- 05-Sidecar
- 06-Envoy
 2023-10-14 10:19:01 +02:00
savagebidoof
6aa4cb2c03 Updated global README 2023-10-14 06:46:54 +02:00
ofilter
1542aaafcc Merge pull request 'dev - mid update' (#63) from dev into main 
Reviewed-on: https://gitea.filterhome.xyz/ofilter/Istio_Examples/pulls/63
 2023-07-01 14:21:59 +00:00
122 changed files with 2948 additions and 859 deletions
Expand all files Collapse all files

42
.placeholder/06-Envoy/01-envoy_add_headers/README.md
View File

@ -1,42 +0,0 @@
https://github.com/istio/istio/wiki/EnvoyFilter-Samples
https://stackoverflow.com/questions/73262158/how-to-apply-envoyfilter-to-sidecar-inbound-and-gateway
https://istio.io/latest/docs/reference/config/networking/envoy-filter/
https://discuss.istio.io/t/adding-custom-response-headers-using-istios-1-6-0-envoy-lua-filter/7494
https://www.envoyproxy.io/docs/envoy/latest/configuration/http/http_filters/lua_filter
> kubectl logs -f deployments/istiod -n istio-system
This somewhat is monitoring, can do cool stuff I don't know how or what to do
enable export access logs to stdout
istioctl install --set profile=default -y --set meshConfig.accessLogFile=/dev/stdout
https://istio.io/latest/docs/ops/diagnostic-tools/component-logging/
https://dev.to/aws-builders/understanding-istio-access-logs-2k5o
```yaml
Note: Here I am using request_handle:logCritical method because default logLevel is WARN for Istio components. request_handle:logInfo can be used, if logLevel is set to Info.
```
https://youtu.be/yOtEG1luTwU

43
.placeholder/06-Envoy/01-envoy_add_headers/deployment.yaml
View File

@ -1,43 +0,0 @@
apiVersion: v1
kind: Service
metadata:
name: helloworld
labels:
app: helloworld
service: helloworld
# annotations:
# sidecar.istio.io/componentLogLevel: info
spec:
ports:
- port: 80
name: http
selector:
app: helloworld
---
apiVersion: apps/v1
kind: Deployment
metadata:
name: helloworld-nginx
labels:
app: helloworld
spec:
replicas: 1
selector:
matchLabels:
app: helloworld
template:
metadata:
labels:
app: helloworld
annotations:
sidecar.istio.io/componentLogLevel: lua:info
spec:
containers:
- name: helloworld
image: nginx
resources:
requests:
cpu: "100m"
imagePullPolicy: IfNotPresent #Always
ports:
- containerPort: 80

36
.placeholder/06-Envoy/01-envoy_add_headers/gateway.yaml
View File

@ -1,36 +0,0 @@
# https://github.com/istio/istio/blob/master/samples/helloworld/helloworld-gateway.yaml
apiVersion: networking.istio.io/v1alpha3
kind: Gateway
metadata:
name: helloworld-gateway
spec:
selector:
istio: ingressgateway # use istio default controller
servers:
- port:
number: 80
name: http
protocol: HTTP
hosts:
- "*"
---
apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
name: helloworld-vs
spec:
hosts:
- "*"
gateways:
- helloworld-gateway
http:
- match:
- uri:
exact: /helloworld
route:
- destination:
host: helloworld
port:
number: 80
rewrite:
uri: "/"

6
.placeholder/06-Envoy/README.md
View File

@ -1,6 +0,0 @@
https://youtu.be/yOtEG1luTwU
Rate Limit:
https://istio.io/latest/docs/tasks/policy-enforcement/rate-limit/

102
.placeholder/07-MeshConfig/01-Outboud-Traffic-Policy/README.md
View File

@ -1,102 +0,0 @@
# Continues from
- 05-hello_world_1_Service_Entry
# Description
On this example compares the behavior between setting up the MeshConfig `OutboundTrafficPolicy.mode` setting to `REGISTRY_ONLY` and `ALLOW_ANY`.
- ALLOW_ANY: Allows all egress/outbound traffic from the mesh.
- REGISTRY_ONLY: Restricted to services that figure in the service registry a and the ServiceEntry objects.
More info regarding this configuration at the pertinent documentation (https://istio.io/latest/docs/reference/config/istio.mesh.v1alpha1/#MeshConfig-OutboundTrafficPolicy-Mode)
## Runthrough
### Set ALLOW_ANY outbound traffic policy
```shell
istioctl install --set profile=default -y --set meshConfig.accessLogFile=/dev/stdout --set meshConfig.outboundTrafficPolicy.mode=ALLOW_ANY
```
### Deploy resources
```shell
$ kubectl apply -f ./
service/helloworld created
deployment.apps/helloworld-nginx created
serviceentry.networking.istio.io/external-svc created
gateway.networking.istio.io/helloworld-gateway created
virtualservice.networking.istio.io/helloworld-vs created
```
### Get LB IP
```shell
$ kubectl get svc istio-ingressgateway -n istio-system
NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE
istio-ingressgateway LoadBalancer 10.97.47.216 192.168.1.50 15021:31316/TCP,80:32012/TCP,443:32486/TCP 39h
```
### Test deployments
```shell
$ curl 192.168.1.50/helloworld -I
HTTP/1.1 200 OK
server: istio-envoy
date: Thu, 20 Apr 2023 18:03:18 GMT
content-type: text/html
content-length: 615
last-modified: Tue, 28 Mar 2023 15:01:54 GMT
etag: "64230162-267"
accept-ranges: bytes
x-envoy-upstream-service-time: 73
```
```shell
$ curl 192.168.1.50/external -I
HTTP/1.1 200 OK
date: Thu, 20 Apr 2023 18:03:24 GMT
content-type: text/html
content-length: 5186
last-modified: Mon, 17 Mar 2014 17:25:03 GMT
expires: Thu, 31 Dec 2037 23:55:55 GMT
cache-control: max-age=315360000
x-envoy-upstream-service-time: 228
server: istio-envoy
```
### Test egress the helloworld deployment
It returns a 301 code, meaning that it was able to reach the destination, and it was attempted to redirect the traffic from HTTP to HTTPS.
```shell
$ kubectl exec -i -t "$(kubectl get pod -l app=helloworld | tail -n 1 | awk '{print $1}')" -- curl wikipedia.com -I
HTTP/1.1 301 Moved Permanently
server: envoy
date: Thu, 20 Apr 2023 18:06:57 GMT
content-type: text/html
content-length: 169
location: https://wikipedia.com/
x-envoy-upstream-service-time: 65
```
### Set REGISTRY_ONLY outbound traffic policy
```shell
istioctl install --set profile=default -y --set meshConfig.accessLogFile=/dev/stdout --set meshConfig.outboundTrafficPolicy.mode=REGISTRY_ONLY
```
### Test (again) egress the helloworld deployment
It returns a 502 code, meaning that it wasn't able to reach the destination.
```shell
$ kubectl exec -i -t "$(kubectl get pod -l app=helloworld | tail -n 1 | awk '{print $1}')" -- curl wikipedia.com -I
HTTP/1.1 502 Bad Gateway
date: Thu, 20 Apr 2023 18:08:37 GMT
server: envoy
transfer-encoding: chunked
```

57
.placeholder/07-MeshConfig/01-Outboud-Traffic-Policy/deployment.yaml
View File

@ -1,57 +0,0 @@
# https://github.com/istio/istio/blob/master/samples/helloworld/helloworld.yaml
apiVersion: v1
kind: Service
metadata:
name: helloworld
labels:
app: helloworld
service: helloworld
spec:
ports:
- port: 80
name: http
selector:
app: helloworld
---
apiVersion: apps/v1
kind: Deployment
metadata:
name: helloworld-nginx
labels:
app: helloworld
spec:
replicas: 1
selector:
matchLabels:
app: helloworld
template:
metadata:
labels:
app: helloworld
spec:
containers:
- name: helloworld
image: nginx
resources:
requests:
cpu: "100m"
imagePullPolicy: IfNotPresent #Always
ports:
- containerPort: 80
---
apiVersion: networking.istio.io/v1alpha3
kind: ServiceEntry
metadata:
name: external-svc
spec:
hosts:
- help.websiteos.com
# /websiteos/example_of_a_simple_html_page.htm
# - http://help.websiteos.com/websiteos/example_of_a_simple_html_page.htm
ports:
- number: 80
name: http
protocol: HTTP
resolution: DNS
location: MESH_EXTERNAL
---

10
.placeholder/07-MeshConfig/README.md
View File

@ -1,10 +0,0 @@
# Examples
- 01-Outboud-Traffic-Policy
## Additional
https://istio.io/latest/docs/tasks/observability/distributed-tracing/mesh-and-proxy-config/

2
.placeholder/08-monitoring/README.md
View File

@ -1,2 +0,0 @@
https://raw.githubusercontent.com/istio/istio/release-1.17/samples/httpbin/sample-client/fortio-deploy.yaml

3
.placeholder/13-WASM_Modules/README.md Normal file
View File

@ -0,0 +1,3 @@
https://github.com/istio-ecosystem/wasm-extensions
https://github.com/istio-ecosystem/wasm-extensions/tree/master/extensions/basic_auth

18
08-AuthorizationPolicy/03-target-deployments/deployment.yaml → 03-Gateway_Ingress/05-TCP-FORWARDING/Deployment.yaml
View File

@ -1,18 +1,3 @@
apiVersion: v1
kind: Service
metadata:
name: helloworld
labels:
app: helloworld
service: helloworld
spec:
ports:
- port: 8080
name: http
targetPort: 80
selector:
app: helloworld
---
apiVersion: apps/v1
kind: Deployment
metadata:
@ -31,10 +16,11 @@ spec:
spec:
containers:
- name: helloworld
image: nginx
image: oriolfilter/https-nginx-demo
resources:
requests:
cpu: "100m"
imagePullPolicy: IfNotPresent
ports:
- containerPort: 80
- containerPort: 443

20
03-Gateway_Ingress/05-TCP-FORWARDING/Gateway.yaml Executable file
View File

@ -0,0 +1,20 @@
apiVersion: networking.istio.io/v1alpha3
kind: Gateway
metadata:
name: helloworld-gateway
spec:
selector:
istio: ingressgateway
servers:
- port:
number: 80
name: tcp-1
protocol: TCP
hosts:
- "*"
- port:
number: 443
name: tcp-2
protocol: TCP
hosts:
- "*"

19
03-Gateway_Ingress/05-TCP-FORWARDING/Service.yaml Normal file
View File

@ -0,0 +1,19 @@
apiVersion: v1
kind: Service
metadata:
name: helloworld
labels:
app: helloworld
service: helloworld
spec:
ports:
- port: 8080
name: http-web
targetPort: 80
protocol: TCP
- port: 8443
name: https-web
targetPort: 443
protocol: TCP
selector:
app: helloworld

21
03-Gateway_Ingress/05-TCP-FORWARDING/gateway.yaml → 03-Gateway_Ingress/05-TCP-FORWARDING/VirtualService.yaml Executable file → Normal file
View File

@ -1,25 +1,4 @@
apiVersion: networking.istio.io/v1alpha3
kind: Gateway
metadata:
name: helloworld-gateway
spec:
selector:
istio: ingressgateway
servers:
- port:
number: 80
name: tcp-1
protocol: TCP
hosts:
- "*"
- port:
number: 443
name: tcp-2
protocol: TCP
hosts:
- "*"
---
apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
name: helloworld-vs

46
03-Gateway_Ingress/05-TCP-FORWARDING/deployment.yaml
View File

@ -1,46 +0,0 @@
apiVersion: v1
kind: Service
metadata:
name: helloworld
labels:
app: helloworld
service: helloworld
spec:
ports:
- port: 8080
name: http-web
targetPort: 80
protocol: TCP
- port: 8443
name: https-web
targetPort: 443
protocol: TCP
selector:
app: helloworld
---
apiVersion: apps/v1
kind: Deployment
metadata:
name: helloworld-nginx
labels:
app: helloworld
spec:
replicas: 1
selector:
matchLabels:
app: helloworld
template:
metadata:
labels:
app: helloworld
spec:
containers:
- name: helloworld
image: oriolfilter/https-nginx-demo
resources:
requests:
cpu: "100m"
imagePullPolicy: IfNotPresent
ports:
- containerPort: 80
- containerPort: 443

26
03-Gateway_Ingress/06-TLS-PASSTHROUGH/Deployment.yaml Executable file
View File

@ -0,0 +1,26 @@
apiVersion: apps/v1
kind: Deployment
metadata:
name: helloworld-nginx
labels:
app: helloworld
spec:
replicas: 1
selector:
matchLabels:
app: helloworld
template:
metadata:
labels:
app: helloworld
spec:
containers:
- name: helloworld
image: oriolfilter/https-nginx-demo
resources:
requests:
cpu: "100m"
imagePullPolicy: Always #Always
ports:
- containerPort: 80
- containerPort: 443

17
03-Gateway_Ingress/06-TLS-PASSTHROUGH/Gateway.yaml Executable file
View File

@ -0,0 +1,17 @@
apiVersion: networking.istio.io/v1alpha3
kind: Gateway
metadata:
name: helloworld-gateway
namespace: default
spec:
selector:
istio: ingressgateway
servers:
- port:
number: 443
name: https-web
protocol: HTTPS
hosts:
- "*"
tls:
mode: PASSTHROUGH

16
03-Gateway_Ingress/06-TLS-PASSTHROUGH/Service.yaml Normal file
View File

@ -0,0 +1,16 @@
apiVersion: v1
kind: Service
metadata:
name: helloworld
labels:
app: helloworld
service: helloworld
spec:
ports:
- name: https
port: 8443
targetPort: 443
protocol: TCP
appProtocol: HTTPS
selector:
app: helloworld

18
03-Gateway_Ingress/06-TLS-PASSTHROUGH/gateway.yaml → 03-Gateway_Ingress/06-TLS-PASSTHROUGH/VirtualService.yaml Executable file → Normal file
View File

@ -1,22 +1,4 @@
apiVersion: networking.istio.io/v1alpha3
kind: Gateway
metadata:
name: helloworld-gateway
namespace: default
spec:
selector:
istio: ingressgateway
servers:
- port:
number: 443
name: https-web
protocol: HTTPS
hosts:
- "*"
tls:
mode: PASSTHROUGH
---
apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
name: helloworld-vs

73
03-Gateway_Ingress/06-TLS-PASSTHROUGH/deployment.yaml
View File

@ -1,73 +0,0 @@
apiVersion: v1
kind: Service
metadata:
name: helloworld
labels:
app: helloworld
service: helloworld
spec:
ports:
- name: https
port: 8443
targetPort: 443
protocol: TCP
appProtocol: HTTPS
selector:
app: helloworld
---
apiVersion: apps/v1
kind: Deployment
metadata:
name: helloworld-nginx
labels:
app: helloworld
spec:
replicas: 1
selector:
matchLabels:
app: helloworld
template:
metadata:
labels:
app: helloworld
spec:
containers:
- name: helloworld
image: oriolfilter/https-nginx-demo
resources:
requests:
cpu: "100m"
imagePullPolicy: Always #Always
ports:
- containerPort: 80
- containerPort: 443
#---
#apiVersion: apps/v1
#kind: Deployment
#metadata:
# name: nginx
# labels:
# app: nginx
# version: v1
#spec:
# replicas: 1
# selector:
# matchLabels:
# app: nginx
# version: v1
# template:
# metadata:
# labels:
# app: nginx
# version: v1
# spec:
# # serviceAccountName: istio-helloworld
# containers:
# - name: nginx
# image: nginx
# resources:
# requests:
# cpu: "100m"
# imagePullPolicy: IfNotPresent
# ports:
# - containerPort: 80

6
04-Backends/01-Service_Entry/README.md
View File

@ -24,9 +24,9 @@ Bear in mind that when Istio is communicating with resources externals to the me
Also, policy enforcement is performed in the client side instead of the server side.
> **Note:**/
> For more information regarding the `resolution` field or the `location` field, refer to the following official Istio documentations:
> [ServiceEntry.Location](https://istio.io/latest/docs/reference/config/networking/service-entry/#ServiceEntry-Location)
> [ServiceEntry.Resolution](https://istio.io/latest/docs/reference/config/networking/service-entry/#ServiceEntry-Resolution)
> For more information regarding the `resolution` field or the `location` field, refer to the following official Istio documentations:\
> - [ServiceEntry.Location](https://istio.io/latest/docs/reference/config/networking/service-entry/#ServiceEntry-Location)\
> - [ServiceEntry.Resolution](https://istio.io/latest/docs/reference/config/networking/service-entry/#ServiceEntry-Resolution)
```yaml
apiVersion: networking.istio.io/v1alpha3

57
04-Backends/02-HTTPS-backend/gateway.yaml
View File

@ -1,57 +0,0 @@
apiVersion: networking.istio.io/v1alpha3
kind: Gateway
metadata:
name: helloworld-gateway
spec:
selector:
istio: ingressgateway
servers:
- port:
number: 80
name: http
protocol: HTTP
hosts:
- "*"
- port:
number: 443
name: https
protocol: HTTPS
hosts:
- "*"
tls:
credentialName: my-tls-cert-secret
mode: SIMPLE
---
apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
name: helloworld-vs
spec:
hosts:
- "*"
gateways:
- helloworld-gateway
http:
- name: https-vs
match:
- port: 80
- port: 443
route:
- destination:
host: helloworld.default.svc.cluster.local
port:
number: 8443
---
apiVersion: networking.istio.io/v1alpha3
kind: DestinationRule
metadata:
name: helloworld
namespace: default
spec:
host: helloworld.default.svc.cluster.local
trafficPolicy:
portLevelSettings:
- port:
number: 8443
tls:
mode: SIMPLE

25
04-Backends/02-Outboud-Traffic-Policy/Deployment.yaml Executable file
View File

@ -0,0 +1,25 @@
apiVersion: apps/v1
kind: Deployment
metadata:
name: helloworld-nginx
labels:
app: helloworld
spec:
replicas: 1
selector:
matchLabels:
app: helloworld
template:
metadata:
labels:
app: helloworld
spec:
containers:
- name: helloworld
image: nginx
resources:
requests:
cpu: "100m"
imagePullPolicy: IfNotPresent #Always
ports:
- containerPort: 80

14
04-Backends/02-Outboud-Traffic-Policy/Gateway.yaml Executable file
View File

@ -0,0 +1,14 @@
apiVersion: networking.istio.io/v1alpha3
kind: Gateway
metadata:
name: helloworld-gateway
spec:
selector:
istio: ingressgateway # use istio default controller
servers:
- port:
number: 80
name: http
protocol: HTTP
hosts:
- "*"

338
04-Backends/02-Outboud-Traffic-Policy/README.md Executable file
View File

@ -0,0 +1,338 @@
---
gitea: none
include_toc: true
---
# Description
Based on the previous example where we configured an external service through a `ServiceEntry` object, this example compares the behavior between setting up the MeshConfig `OutboundTrafficPolicy.mode` setting to `REGISTRY_ONLY` and `ALLOW_ANY`.
- ALLOW_ANY: Allows all egress/outbound traffic from the mesh.
- REGISTRY_ONLY: Restricted to services that figure in the service registry a and the ServiceEntry objects.
More info regarding this configuration at the pertinent documentation (https://istio.io/latest/docs/reference/config/istio.mesh.v1alpha1/#MeshConfig-OutboundTrafficPolicy-Mode)
> **Note:**\
> For more information about the image used refer to [here](https://hub.docker.com/r/oriolfilter/https-nginx-demo)
# Based on
- [01-Service_Entry](../01-Service_Entry)
# Configuration
## Gateway
Deploys an Istio gateway that's listening to the port `80` for `HTTP` traffic.
It doesn't filter for any specific host.
The `selector` field is used to "choose" which Istio Load Balancers will have this gateway assigned to.
The Istio `default` profile creates a Load Balancer in the namespace `istio-system` that has the label `istio: ingressgateway` set, allowing us to target that specific Load Balancer and assign this gateway resource to it.
```shell
apiVersion: networking.istio.io/v1alpha3
kind: Gateway
metadata:
name: helloworld-gateway
spec:
selector:
istio: ingressgateway
servers:
- port:
number: 80
name: http
protocol: HTTP
hosts:
- "*"
```
> **Note:**\
> The credentials resource is created further bellow through the [Walkthrough](#walkthrough) steps.
> **Note:**\
> For more information regarding the TLS mode configuration, refer to the following [Istio documentation regarding the TLS mode field](https://istio.io/latest/docs/reference/config/networking/gateway/#ServerTLSSettings-TLSmode).
## VirtualService
This configuration hosts 2 backends, 1 being the deployed service `helloworld.default.svc.cluster.local`, which will be accessible through the URL path `/helloworld`.
The second service will be accessible through the URL path `/external`, and will use as a backend the deployed `ServiceEntry` object, as well it has a timeout setting of 3 seconds.
This destination is the service that contains the `HTTPS` deployment, running over the port `8443`
```yaml
apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
name: helloworld-vs
spec:
hosts:
- "*"
gateways:
- helloworld-gateway
http:
- match:
- uri:
exact: /helloworld
route:
- destination:
host: helloworld
port:
number: 80
rewrite:
uri: "/"
- timeout: 3s
match:
- uri:
exact: "/external"
route:
- destination:
host: help.websiteos.com
port:
number: 80
rewrite:
uri: "/websiteos/example_of_a_simple_html_page.htm"
headers:
request:
set:
HOST: "help.websiteos.com"
```
## Service
The service will forward incoming HTTP TCP traffic from the port `80`, towards the deployment port `80`.
```yaml
apiVersion: v1
kind: Service
metadata:
name: helloworld
labels:
app: helloworld
service: helloworld
spec:
ports:
- port: 80
name: http
selector:
app: helloworld
```
## Deployment
Nginx deployment listens to port 80.
```yaml
apiVersion: apps/v1
kind: Deployment
metadata:
name: helloworld-nginx
labels:
app: helloworld
spec:
replicas: 1
selector:
matchLabels:
app: helloworld
template:
metadata:
labels:
app: helloworld
spec:
containers:
- name: helloworld
image: nginx
resources:
requests:
cpu: "100m"
imagePullPolicy: IfNotPresent #Always
ports:
- containerPort: 80
```
### ServiceEntry
```yaml
apiVersion: networking.istio.io/v1alpha3
kind: ServiceEntry
metadata:
name: external-svc
spec:
hosts:
- help.websiteos.com
ports:
- number: 80
name: http
protocol: HTTP
resolution: DNS
location: MESH_EXTERNAL
```
## ServiceEntry
This `ServiceEntry` resource, defines as a destination the URL `help.websiteos.com`.
Note that location is set to `MESH_EXTERNAL` and that the resolution is set to `DNS`, this means that the resource is external to ou `Istio Service Mesh`, and the URL will be resolved through `DNS`
Bear in mind that when Istio is communicating with resources externals to the mesh, `mTLS` is disabled.
Also, policy enforcement is performed in the client side instead of the server side.
> **Note:**/
> For more information regarding the `resolution` field or the `location` field, refer to the following official Istio documentations:\
> - [ServiceEntry.Location](https://istio.io/latest/docs/reference/config/networking/service-entry/#ServiceEntry-Location)\
> - [ServiceEntry.Resolution](https://istio.io/latest/docs/reference/config/networking/service-entry/#ServiceEntry-Resolution)
```yaml
apiVersion: networking.istio.io/v1alpha3
kind: ServiceEntry
metadata:
name: external-svc
spec:
hosts:
- help.websiteos.com
ports:
- number: 80
name: http
protocol: HTTP
resolution: DNS
location: MESH_EXTERNAL
```
# Walkthrough
## Set ALLOW_ANY outbound traffic policy
First step will be to have the cluster with the `meshConfig.outboundTrafficPolicy.mode` setting set to `ALLOW_ANY`.
In case you are not using a "free to destroy" sandbox, you should update the setting through the `IstioOperator` object.
```shell
istioctl install --set profile=default -y --set meshConfig.accessLogFile=/dev/stdout --set meshConfig.outboundTrafficPolicy.mode=ALLOW_ANY
```
## Deploy resources
```shell
kubectl apply -f ./
```
```text
deployment.apps/helloworld-nginx created
gateway.networking.istio.io/helloworld-gateway created
service/helloworld created
serviceentry.networking.istio.io/external-svc created
virtualservice.networking.istio.io/helloworld-vs created
```
## Get LB IP
```shell
kubectl get svc istio-ingressgateway -n istio-system
```
```text
NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE
istio-ingressgateway LoadBalancer 10.97.47.216 192.168.1.50 15021:31316/TCP,80:32012/TCP,443:32486/TCP 39h
```
## Test deployments
```shell
curl 192.168.1.50/helloworld -I
```
```text
HTTP/1.1 200 OK
server: istio-envoy
date: Sat, 14 Oct 2023 10:53:45 GMT
content-type: text/html
content-length: 615
last-modified: Tue, 15 Aug 2023 17:03:04 GMT
etag: "64dbafc8-267"
accept-ranges: bytes
x-envoy-upstream-service-time: 53
```
```shell
curl 192.168.1.50/external -I
```
```text
HTTP/1.1 200 OK
date: Sat, 14 Oct 2023 10:54:13 GMT
content-type: text/html
content-length: 5186
last-modified: Mon, 17 Mar 2014 17:25:03 GMT
expires: Thu, 31 Dec 2037 23:55:55 GMT
cache-control: max-age=315360000
x-envoy-upstream-service-time: 306
server: istio-envoy
```
## Test egress the helloworld deployment
It returns a 301 code, meaning that it was able to reach the destination, and it was attempted to redirect the traffic from HTTP to HTTPS.
```shell
kubectl exec -i -t "$(kubectl get pod -l app=helloworld | tail -n 1 | awk '{print $1}')" -- curl wikipedia.com -I
```
```text
HTTP/1.1 301 Moved Permanently
server: envoy
date: Sat, 14 Oct 2023 10:54:34 GMT
content-type: text/html
content-length: 169
location: https://wikipedia.com/
x-envoy-upstream-service-time: 61
```
## Set REGISTRY_ONLY outbound traffic policy
```shell
istioctl install --set profile=default -y --set meshConfig.accessLogFile=/dev/stdout --set meshConfig.outboundTrafficPolicy.mode=REGISTRY_ONLY
```
In case you are not using a "free to destroy" sandbox, you should update the setting through the `IstioOperator` object.
## Test (again) egress the helloworld deployment
It returns a 502 code, meaning that it wasn't able to reach the destination.
```shell
kubectl exec -i -t "$(kubectl get pod -l app=helloworld | tail -n 1 | awk '{print $1}')" -- curl wikipedia.com -I
```
```text
HTTP/1.1 502 Bad Gateway
date: Thu, 20 Apr 2023 18:08:37 GMT
server: envoy
transfer-encoding: chunked
```
This allowed us to confirm how the setting `outboundTrafficPolicy.mode` influences the reachability of the traffic.
## Cleanup
```shell
kubectl delete -f ./
```
```text
deployment.apps "helloworld-nginx" deleted
gateway.networking.istio.io "helloworld-gateway" deleted
service "helloworld" deleted
serviceentry.networking.istio.io "external-svc" deleted
virtualservice.networking.istio.io "helloworld-vs" deleted
```
# Links of Interest
- https://istio.io/latest/docs/tasks/traffic-management/egress/egress-control/#controlled-access-to-external-services
- https://istio.io/latest/docs/tasks/traffic-management/egress/egress-control/#envoy-passthrough-to-external-services

0
09-Ingress/01-Create-Istio-LoadBalancer/Service.yaml → 04-Backends/02-Outboud-Traffic-Policy/Service.yaml
View File

13
04-Backends/02-Outboud-Traffic-Policy/ServiceEntry.yaml Normal file
View File

@ -0,0 +1,13 @@
apiVersion: networking.istio.io/v1alpha3
kind: ServiceEntry
metadata:
name: external-svc
spec:
hosts:
- help.websiteos.com
ports:
- number: 80
name: http
protocol: HTTP
resolution: DNS
location: MESH_EXTERNAL

16
.placeholder/07-MeshConfig/01-Outboud-Traffic-Policy/gateway.yaml → 04-Backends/02-Outboud-Traffic-Policy/VirtualService.yaml Executable file → Normal file
View File

@ -1,19 +1,3 @@
# https://github.com/istio/istio/blob/master/samples/helloworld/helloworld-gateway.yaml
apiVersion: networking.istio.io/v1alpha3
kind: Gateway
metadata:
name: helloworld-gateway
spec:
selector:
istio: ingressgateway # use istio default controller
servers:
- port:
number: 80
name: http
protocol: HTTP
hosts:
- "*"
---
apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:

17
04-Backends/02-HTTPS-backend/deployment.yaml → 04-Backends/03-HTTPS-backend/Deployment.yaml
View File

@ -1,20 +1,3 @@
apiVersion: v1
kind: Service
metadata:
name: helloworld
labels:
app: helloworld
service: helloworld
spec:
ports:
- port: 8443
name: https
targetPort: 443
protocol: TCP
appProtocol: https
selector:
app: helloworld
---
apiVersion: apps/v1
kind: Deployment
metadata:

13
04-Backends/03-HTTPS-backend/DestinationRule.yaml Normal file
View File

@ -0,0 +1,13 @@
apiVersion: networking.istio.io/v1alpha3
kind: DestinationRule
metadata:
name: helloworld
namespace: default
spec:
host: helloworld.default.svc.cluster.local
trafficPolicy:
portLevelSettings:
- port:
number: 8443
tls:
mode: SIMPLE

23
04-Backends/03-HTTPS-backend/Gateway.yaml Executable file
View File

@ -0,0 +1,23 @@
apiVersion: networking.istio.io/v1alpha3
kind: Gateway
metadata:
name: helloworld-gateway
spec:
selector:
istio: ingressgateway
servers:
- port:
number: 80
name: http
protocol: HTTP
hosts:
- "*"
- port:
number: 443
name: https
protocol: HTTPS
hosts:
- "*"
tls:
credentialName: my-tls-cert-secret
mode: SIMPLE

0
04-Backends/02-HTTPS-backend/authentication.yaml → 04-Backends/03-HTTPS-backend/PeerAuthentication.yaml
View File

2
04-Backends/02-HTTPS-backend/README.md → 04-Backends/03-HTTPS-backend/README.md
View File

@ -197,7 +197,7 @@ spec:
```
> **Note**:\
> As this configuration is very board, and targets the whole namespace, I would strongly recommend referring to the following example [06-Internal-Authentication/02-target-service-accounts](../../08-AuthorizationPolicy/02-target-service-accounts), which shows how to target service accounts set to resources, limiting the scope of this rule set.
> As this configuration is very board, and targets the whole namespace, I would strongly recommend referring to the following example [06-Internal-Authentication/02-AuthorizationPolicy-Target-Service-Accounts](../../08-AuthorizationPolicy/02-AuthorizationPolicy-Target-Service-Accounts), which shows how to target service accounts set to resources, limiting the scope of this rule set.
# Walkthrough

16
04-Backends/03-HTTPS-backend/Service.yaml Normal file
View File

@ -0,0 +1,16 @@
apiVersion: v1
kind: Service
metadata:
name: helloworld
labels:
app: helloworld
service: helloworld
spec:
ports:
- port: 8443
name: https
targetPort: 443
protocol: TCP
appProtocol: https
selector:
app: helloworld

19
04-Backends/03-HTTPS-backend/VirtualService.yaml Normal file
View File

@ -0,0 +1,19 @@
apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
name: helloworld-vs
spec:
hosts:
- "*"
gateways:
- helloworld-gateway
http:
- name: https-vs
match:
- port: 80
- port: 443
route:
- destination:
host: helloworld.default.svc.cluster.local
port:
number: 8443

10
04-Backends/README.md
View File

@ -6,4 +6,12 @@ This section will focus on the interaction with the backend and routing the traf
01-Service_Entry
02-HTTPS-backend
03-HTTPS-backend-with-mTLS (TODO)
03-Outboud-Traffic-Policy
04-HTTPS-backend-with-mTLS (TODO)
## Heads up
On the example `03-Outboud-Traffic-Policy`, Istio's `meshConfig.outboundTrafficPolicy` will require to be modified.
On the example it's used the `istioctl install` command to set that up, as I assume you are testing this examples in a sandbox that you are free to "destroy".

6
05-Sidecar/README.md
View File

@ -1,6 +1,6 @@
## Description
On these examples, a `Sidecar` will be configured.
On these examples, the `Sidecar` object will be configured to select which services the `proxy-container` has access to.
## Examples
@ -9,9 +9,9 @@ On these examples, a `Sidecar` will be configured.
## Heads up
On the example `02-egress-proxy`, it's a requisite to configure Istio's `meshConfig.outboundTrafficPolicy.mode` as "REGISTRY_ONLY".
On the example `02-egress-proxy`, it's a requisite to configure Istio's `meshConfig.outboundTrafficPolicy.mode` as `REGISTRY_ONLY`.
During the installation of the cluster itself, can be set with.
During the installation of the cluster itself, can be set with:
```shell
istioctl install profile=default --set meshConfig.outboundTrafficPolicy.mode=REGISTRY_ONLY

16
11-Fault_Injection/05b-FaultInjection-abort/deployment.yaml → 06-Envoy/01-Envoy-add-response-headers/Deployment.yaml
View File

@ -1,18 +1,3 @@
# https://github.com/istio/istio/blob/master/samples/helloworld/helloworld.yaml
apiVersion: v1
kind: Service
metadata:
name: helloworld
labels:
app: helloworld
service: helloworld
spec:
ports:
- port: 80
name: http
selector:
app: helloworld
---
apiVersion: apps/v1
kind: Deployment
metadata:
@ -28,6 +13,7 @@ spec:
metadata:
labels:
app: helloworld
annotations:
spec:
containers:
- name: helloworld

2
.placeholder/06-Envoy/01-envoy_add_headers/envoy.yaml → 06-Envoy/01-Envoy-add-response-headers/Envoy.yaml
View File

@ -28,6 +28,4 @@ spec:
inlineCode: |
function envoy_on_response(response_handle)
response_handle:headers():add("numbers", "lots of numbers")
response_handle:logInfo("Added header `numbers`")
response_handle:logInfo(">>>> Executed `envoy-add-response-header` <<<<")
end

14
06-Envoy/01-Envoy-add-response-headers/Gateway.yaml Executable file
View File

@ -0,0 +1,14 @@
apiVersion: networking.istio.io/v1alpha3
kind: Gateway
metadata:
name: helloworld-gateway
spec:
selector:
istio: ingressgateway # use istio default controller
servers:
- port:
number: 80
name: http
protocol: HTTP
hosts:
- "*"

308
06-Envoy/01-Envoy-add-response-headers/README.md Executable file
View File

@ -0,0 +1,308 @@
---
gitea: none
include_toc: true
---
# Description
This example deploys the same infrastructure as the [previous example](../../01-Getting_Started/01-hello_world_1_service_1_deployment), this time we will be configuring `Envoy` to add a custom header to the request response when our deployed service replies back.
This example configures:
Generic Kubernetes resources:
- 1 Service
- 1 Deployment
Istio resources:
- 1 Gateway
- 1 Virtual Service
- 1 EnvoyFilter
# Based on
- [01-Getting_Started/01-hello_world_1_service_1_deployment](../../01-Getting_Started/01-hello_world_1_service_1_deployment)
# Configuration
## Service
Creates a service named `helloworld`.
This service listens for the port `80` expecting `HTTP` traffic and will forward the incoming traffic towards the port `80` from the destination pod.
```yaml
apiVersion: v1
kind: Service
metadata:
name: helloworld
labels:
app: helloworld
service: helloworld
spec:
ports:
- port: 80
name: http
selector:
app: helloworld
```
## Deployment
### helloworld
Deploys a Nginx server that listens for the port `80`.
```yaml
apiVersion: apps/v1
kind: Deployment
metadata:
name: helloworld-nginx
labels:
app: helloworld
spec:
replicas: 1
selector:
matchLabels:
app: helloworld
template:
metadata:
labels:
app: helloworld
spec:
containers:
- name: helloworld
image: nginx
resources:
requests:
cpu: "100m"
imagePullPolicy: IfNotPresent #Always
ports:
- containerPort: 80
```
## Gateway
Deploys an Istio gateway that's listening to the port `80` for `HTTP` traffic.
It doesn't filter for any specific host.
The `selector` field is used to "choose" which Istio Load Balancers will have this gateway assigned to.
The Istio `default` profile creates a Load Balancer in the namespace `istio-system` that has the label `istio: ingressgateway` set, allowing us to target that specific Load Balancer and assign this gateway resource to it.
```yaml
apiVersion: networking.istio.io/v1alpha3
kind: Gateway
metadata:
name: helloworld-gateway
spec:
selector:
istio: ingressgateway
servers:
- port:
number: 80
name: http
protocol: HTTP
hosts:
- "*"
```
## VirtualService
The Virtual Service resources are used to route and filter the received traffic from the gateway resources, and route it towards the desired destination.
On this example we select the gateway `helloworld-gateway`, which is the [gateway that 's described in the `Gateway` section](#gateway).
On this resource, we are also not limiting the incoming traffic to any specific host, allowing for all the incoming traffic to go through the rules set.
Here we created a rule that will be applied on `HTTP` related traffic (including `HTTPS` and `HTTP2`) when the destination path is exactly `/helloworld`.
This traffic will be forwarded to the port `80` of the destination service `helloworld` (the full path URL equivalent would be `helloworld.$NAMESPACE.svc.cluster.local`).
Additionally, there will be an internal URL rewrite set, as if the URL is not modified, it would attempt to reach to the `/helloworld` path from the Nginx deployment, which currently has no content and would result in an error code `404` (Not found).
```yaml
apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
name: helloworld-vs
spec:
hosts:
- "*"
gateways:
- helloworld-gateway
http:
- match:
- uri:
exact: /helloworld
route:
- destination:
host: helloworld
port:
number: 80
rewrite:
uri: "/"
```
## EnvoyFilter
`EnvoyFilter` allows to customize the Envoy configuration generated by Istio Pilot.
On this scenario we will be targeting the pods deployed in the namespace `default` with the label `app` set to `helloworld`.
The rule created will apply to the filter `HTTP_FILTER` to attach the Lua script to the http connection manager.
This script will be triggered with the incoming traffic goes through the port 80.
The code inside the lua script is very straightforward:
```lua
response_handle:headers():add("numbers", "lots of numbers")
```
Adds a header on the response request, which on this scenario is adding the header `numbers`, and giving it a value of `lots of numbers`.
```yaml
apiVersion: networking.istio.io/v1alpha3
kind: EnvoyFilter
metadata:
name: envoy-add-response-header
namespace: default
spec:
priority: 30
workloadSelector:
labels:
app: helloworld
configPatches:
- applyTo: HTTP_FILTER
match:
context: SIDECAR_INBOUND
listener:
portNumber: 80
filterChain:
filter:
name: "envoy.filters.network.http_connection_manager"
subFilter:
name: "envoy.filters.http.router"
patch:
operation: INSERT_BEFORE
value:
name: envoy.lua
typed_config:
"@type": "type.googleapis.com/envoy.extensions.filters.http.lua.v3.Lua"
inlineCode: |
function envoy_on_response(response_handle)
response_handle:headers():add("numbers", "lots of numbers")
end
```
# Walkthrough
## Deploy resources
Deploy the resources.
```shell
kubectl apply -f ./
```
```text
deployment.apps/helloworld-nginx created
envoyfilter.networking.istio.io/envoy-add-response-header created
gateway.networking.istio.io/helloworld-gateway created
service/helloworld created
virtualservice.networking.istio.io/helloworld-vs created
```
## Wait for the pods to be ready
Wait for the Nginx deployment to be ready.
```shell
kubectl get deployment helloworld-nginx -w
```
```text
NAME READY UP-TO-DATE AVAILABLE AGE
helloworld-nginx 1/1 1 1 49s
```
## Test the service
### Get LB IP
To perform the desired tests, we will need to obtain the IP Istio Load Balancer that we selected in the [Gateway section](#gateway).
On my environment, the IP is the `192.168.1.50`.
```shell
kubectl get svc -l istio=ingressgateway -A
```
```text
NAMESPACE NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE
istio-system istio-ingressgateway LoadBalancer 10.97.47.216 192.168.1.50 15021:31316/TCP,80:32012/TCP,443:32486/TCP 72d
```
### Confirm the deployment works correctly.
```shell
curl 192.168.1.50/helloworld -s | grep "<h1>.*</h1>"
```
```text
<h1>Welcome to nginx!</h1>
```
### Confirm the Lua Script is working correctly
After confirming that the request is able to succeed and confirming the backend that it's handling such request, the
next step is to verify if the Lua script we deployed on through the [EnvoyFilter](#envoyfilter) is adding a new header.
```shell
curl 192.168.1.50/helloworld --head
```
```text
HTTP/1.1 200 OK
server: istio-envoy
date: Sat, 14 Oct 2023 07:21:03 GMT
content-type: text/html
content-length: 615
last-modified: Tue, 15 Aug 2023 17:03:04 GMT
etag: "64dbafc8-267"
accept-ranges: bytes
x-envoy-upstream-service-time: 3
numbers: lots of numbers
```
#### Reviewing the response
If we take a closer look at the fields returned, at the bottom of the textblock, we can appreciate the following line:
> numbers: lots of numbers
Therefore, we were able to confirm that the [EnvoyFilter](#envoyfilter) configuration we set with a Lua script, did work
as intended and added the desired Header to the response from the backend.
## Cleanup
Finally, a cleanup from the resources deployed.
```shell
kubectl delete -f ./
```
```text
deployment.apps "helloworld-nginx" deleted
envoyfilter.networking.istio.io "envoy-add-response-header" deleted
gateway.networking.istio.io "helloworld-gateway" deleted
service "helloworld" deleted
virtualservice.networking.istio.io "helloworld-vs" deleted
```
## Links of interest
- https://istio.io/latest/docs/reference/config/networking/envoy-filter/
- https://istio.io/latest/docs/reference/config/networking/envoy-filter/#EnvoyFilter-ApplyTo
- https://github.com/istio/istio/wiki/EnvoyFilter-Samples
- https://istio.io/latest/docs/reference/config/networking/envoy-filter/#EnvoyFilter-Patch-Operation

13
06-Envoy/01-Envoy-add-response-headers/Service.yaml Normal file
View File

@ -0,0 +1,13 @@
apiVersion: v1
kind: Service
metadata:
name: helloworld
labels:
app: helloworld
service: helloworld
spec:
ports:
- port: 80
name: http
selector:
app: helloworld

0
09-Ingress/01-Create-Istio-LoadBalancer/VirtualService.yaml → 06-Envoy/01-Envoy-add-response-headers/VirtualService.yaml
View File

17
11-Fault_Injection/05a-FaultInjection-delay/deployment.yaml → 06-Envoy/02-envoy-logging/Deployment.yaml
View File

@ -1,18 +1,3 @@
# https://github.com/istio/istio/blob/master/samples/helloworld/helloworld.yaml
apiVersion: v1
kind: Service
metadata:
name: helloworld
labels:
app: helloworld
service: helloworld
spec:
ports:
- port: 80
name: http
selector:
app: helloworld
---
apiVersion: apps/v1
kind: Deployment
metadata:
@ -28,6 +13,8 @@ spec:
metadata:
labels:
app: helloworld
annotations:
sidecar.istio.io/componentLogLevel: lua:debug
spec:
containers:
- name: helloworld

19
.placeholder/06-Envoy/01-envoy_add_headers/envoy2.yaml → 06-Envoy/02-envoy-logging/Envoy.yaml
View File

@ -1,7 +1,7 @@
apiVersion: networking.istio.io/v1alpha3
kind: EnvoyFilter
metadata:
name: envoy-add-response-header2
name: envoy-raise-logs
namespace: default
spec:
priority: 40
@ -27,12 +27,11 @@ spec:
"@type": "type.googleapis.com/envoy.extensions.filters.http.lua.v3.Lua"
inlineCode: |
function envoy_on_response(response_handle)
response_handle:headers():add("fruit", "watermelons")
response_handle:logCritical("Critical: Added header `fruit`")
response_handle:logErr("Error: Added header `fruit`")
response_handle:logWarn("Warning: Added header `fruit`")
response_handle:logInfo("Info: Added header `fruit`")
response_handle:logDebug("Debug: Added header `fruit`")
response_handle:logTrace("Trace: Added header `fruit`")
response_handle:logInfo(">>>> Executed `envoy-add-response-header2` <<<<")
end
response_handle:logCritical("Critical: This is my Critical log")
response_handle:logErr("Error: This is my Error log")
response_handle:logWarn("Warning: This is my Warning log")
response_handle:logInfo("Info: This is my Info log")
response_handle:logDebug("Debug: This is my Debug log")
response_handle:logTrace("Trace: This is my Trace log")
response_handle:logInfo(">>>> Executed `envoy-raise-logs` <<<<")
end

14
06-Envoy/02-envoy-logging/Gateway.yaml Executable file
View File

@ -0,0 +1,14 @@
apiVersion: networking.istio.io/v1alpha3
kind: Gateway
metadata:
name: helloworld-gateway
spec:
selector:
istio: ingressgateway # use istio default controller
servers:
- port:
number: 80
name: http
protocol: HTTP
hosts:
- "*"

362
06-Envoy/02-envoy-logging/README.md Executable file
View File

@ -0,0 +1,362 @@
---
gitea: none
include_toc: true
---
# Description
This example deploys the same infrastructure as the [previous example](../../01-Getting_Started/01-hello_world_1_service_1_deployment), but instead of adding a header to the response, we will be raising a custom log entry.
This example configures:
Generic Kubernetes resources:
- 1 Service
- 1 Deployment
Istio resources:
- 1 Gateway
- 1 Virtual Service
- 1 EnvoyFilter
# Based on
- [01-Getting_Started/01-hello_world_1_service_1_deployment](../../01-Getting_Started/01-hello_world_1_service_1_deployment)
# Configuration
## Service
Creates a service named `helloworld`.
This service listens for the port `80` expecting `HTTP` traffic and will forward the incoming traffic towards the port `80` from the destination pod.
```yaml
apiVersion: v1
kind: Service
metadata:
name: helloworld
labels:
app: helloworld
service: helloworld
spec:
ports:
- port: 80
name: http
selector:
app: helloworld
```
## Deployment
### helloworld
Deploys a Nginx server that listens for the port `80`.
On this deployment, we have set an annotation to configure a log level for the Istio sidecar/envoy-proxy attached to the deployment, that will allow the Lua scripts for a "debug" log level.
```yaml
apiVersion: apps/v1
kind: Deployment
metadata:
name: helloworld-nginx
labels:
app: helloworld
spec:
replicas: 1
selector:
matchLabels:
app: helloworld
template:
metadata:
labels:
app: helloworld
annotations:
sidecar.istio.io/componentLogLevel: lua:debug
spec:
containers:
- name: helloworld
image: nginx
resources:
requests:
cpu: "100m"
imagePullPolicy: IfNotPresent #Always
ports:
- containerPort: 80
```
## Gateway
Deploys an Istio gateway that's listening to the port `80` for `HTTP` traffic.
It doesn't filter for any specific host.
The `selector` field is used to "choose" which Istio Load Balancers will have this gateway assigned to.
The Istio `default` profile creates a Load Balancer in the namespace `istio-system` that has the label `istio: ingressgateway` set, allowing us to target that specific Load Balancer and assign this gateway resource to it.
```yaml
apiVersion: networking.istio.io/v1alpha3
kind: Gateway
metadata:
name: helloworld-gateway
spec:
selector:
istio: ingressgateway
servers:
- port:
number: 80
name: http
protocol: HTTP
hosts:
- "*"
```
## VirtualService
The Virtual Service resources are used to route and filter the received traffic from the gateway resources, and route it towards the desired destination.
On this example we select the gateway `helloworld-gateway`, which is the [gateway that 's described in the `Gateway` section](#gateway).
On this resource, we are also not limiting the incoming traffic to any specific host, allowing for all the incoming traffic to go through the rules set.
Here we created a rule that will be applied on `HTTP` related traffic (including `HTTPS` and `HTTP2`) when the destination path is exactly `/helloworld`.
This traffic will be forwarded to the port `80` of the destination service `helloworld` (the full path URL equivalent would be `helloworld.$NAMESPACE.svc.cluster.local`).
Additionally, there will be an internal URL rewrite set, as if the URL is not modified, it would attempt to reach to the `/helloworld` path from the Nginx deployment, which currently has no content and would result in an error code `404` (Not found).
```yaml
apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
name: helloworld-vs
spec:
hosts:
- "*"
gateways:
- helloworld-gateway
http:
- match:
- uri:
exact: /helloworld
route:
- destination:
host: helloworld
port:
number: 80
rewrite:
uri: "/"
```
## EnvoyFilter
`EnvoyFilter` allows to customize the Envoy configuration generated by Istio Pilot.
On this scenario we will be targeting the pods deployed in the namespace `default` with the label `app` set to `helloworld`.
The rule created will apply to the filter `HTTP_FILTER` to attach the Lua script to the http connection manager.
This script will be triggered with the incoming traffic goes through the port 80.
The code inside the lua script is fairly simple, as it will generate multiple logs in various tier levels, going from **Critical** to **Trace**:
```lua
response_handle:logCritical("Critical: This is my Critical log")
response_handle:logErr("Error: This is my Error log")
response_handle:logWarn("Warning: This is my Warning log")
response_handle:logInfo("Info: This is my Info log")
response_handle:logDebug("Debug: This is my Debug log")
response_handle:logTrace("Trace: This is my Trace log")
response_handle:logInfo(">>>> Executed `envoy-raise-logs` <<<<")
```
```yaml
apiVersion: networking.istio.io/v1alpha3
kind: EnvoyFilter
metadata:
name: envoy-raise-logs
namespace: default
spec:
priority: 40
workloadSelector:
labels:
app: helloworld
configPatches:
- applyTo: HTTP_FILTER
match:
context: SIDECAR_INBOUND
listener:
portNumber: 80
filterChain:
filter:
name: "envoy.filters.network.http_connection_manager"
subFilter:
name: "envoy.filters.http.router"
patch:
operation: INSERT_BEFORE
value:
name: envoy.lua
typed_config:
"@type": "type.googleapis.com/envoy.extensions.filters.http.lua.v3.Lua"
inlineCode: |
function envoy_on_response(response_handle)
response_handle:logCritical("Critical: This is my Critical log")
response_handle:logErr("Error: This is my Error log")
response_handle:logWarn("Warning: This is my Warning log")
response_handle:logInfo("Info: This is my Info log")
response_handle:logDebug("Debug: This is my Debug log")
response_handle:logTrace("Trace: This is my Trace log")
response_handle:logInfo(">>>> Executed `envoy-raise-logs` <<<<")
end
```
# Walkthrough
## Deploy resources
Deploy the resources.
```shell
kubectl apply -f ./
```
```text
deployment.apps/helloworld-nginx created
envoyfilter.networking.istio.io/envoy-raise-logs created
gateway.networking.istio.io/helloworld-gateway created
service/helloworld created
virtualservice.networking.istio.io/helloworld-vs created
```
## Wait for the pods to be ready
Wait for the Nginx deployment to be ready.
```shell
kubectl get deployment helloworld-nginx -w
```
```text
NAME READY UP-TO-DATE AVAILABLE AGE
helloworld-nginx 1/1 1 1 7s
```
## Test the service
### Get LB IP
To perform the desired tests, we will need to obtain the IP Istio Load Balancer that we selected in the [Gateway section](#gateway).
On my environment, the IP is the `192.168.1.50`.
```shell
kubectl get svc -l istio=ingressgateway -A
```
```text
NAMESPACE NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE
istio-system istio-ingressgateway LoadBalancer 10.97.47.216 192.168.1.50 15021:31316/TCP,80:32012/TCP,443:32486/TCP 72d
```
### Confirm the deployment works correctly.
```shell
curl 192.168.1.50/helloworld -s | grep "<h1>.*</h1>"
```
```text
<h1>Welcome to nginx!</h1>
```
### Confirm the Lua Script is working correctly
#### Monitor the logs
In a new shell we will use the following command to monitor the logs from the `istio-proxy` container located in the deployment created.
```shell
kubectl logs -l app=helloworld -c istio-proxy -f
```
#### Initiate a traffic request
After confirming that the request is able to succeed and confirming the backend that it's handling such request, the
next step is to verify if the Lua script we deployed on through the [EnvoyFilter](#envoyfilter) is adding a new header.
```shell
curl 192.168.1.50/helloworld -s | grep "<h1>.*</h1>"
```
```text
<h1>Welcome to nginx!</h1>
```
#### Logs generated
```text
2023-10-14T07:59:36.213492Z critical envoy lua external/envoy/source/extensions/filters/http/lua/lua_filter.cc:933 script log: Critical: This is my Critical log thread=28
2023-10-14T07:59:36.213714Z error envoy lua external/envoy/source/extensions/filters/http/lua/lua_filter.cc:930 script log: Error: This is my Error log thread=28
2023-10-14T07:59:36.213846Z warning envoy lua external/envoy/source/extensions/filters/http/lua/lua_filter.cc:927 script log: Warning: This is my Warning log thread=28
2023-10-14T07:59:36.213972Z info envoy lua external/envoy/source/extensions/filters/http/lua/lua_filter.cc:924 script log: Info: This is my Info log thread=28
2023-10-14T07:59:36.214096Z debug envoy lua external/envoy/source/extensions/filters/http/lua/lua_filter.cc:921 script log: Debug: This is my Debug log thread=28
2023-10-14T07:59:36.214296Z info envoy lua external/envoy/source/extensions/filters/http/lua/lua_filter.cc:924 script log: >>>> Executed `envoy-raise-logs` <<<< thread=28
2023-10-14T07:59:36.214425Z debug envoy lua external/envoy/source/extensions/filters/common/lua/lua.cc:39 coroutine finished thread=28
[2023-10-14T07:59:36.210Z] "GET /helloworld HTTP/1.1" 200 - via_upstream - "-" 0 615 11 1 "192.168.1.44" "curl/8.4.0" "47093b83-6658-4ec6-8d21-7da5e70d6423" "192.168.1.50" "172.16.106.50:80" inbound|80|| 127.0.0.6:44723 172.16.106.50:80 192.168.1.44:0 outbound_.80_._.helloworld.default.svc.cluster.local default
```
Reviewing the logs generated, we can observe that the entries range from `critical` to `debug`, yet we cannot locate the `trace` level log entry that we configured in the Lua script.
This is caused due to the annotation configured in the [Deployment](#deployment), where we selected a log level for the Lua script to be `debug`, out-ranging the `trace` level.
Therefore, we were able to confirm that the [EnvoyFilter](#envoyfilter) configuration we set with a Lua script, did work
as intended and added the desired Header to the response from the backend, even tho the log entry with `trace` level was not recorded.
#### How to check the log level settings from a pod?
Through the command `istioctl proxy-config log <POD>`.
```shell
istioctl proxy-config log "$(kubectl get pod -l app=helloworld | grep helloworld-nginx | awk '{print $1}')"
```
```text
helloworld-nginx-d8bc84b86-h6c68.default:
active loggers:
...
health_checker: warning
http: warning
http2: warning
hystrix: warning
init: warning
io: warning
jwt: warning
kafka: warning
key_value_store: warning
lua: debug
main: warning
...
```
As well, we can confirm that by default the settings are set to only retain "warning" level logs.
## Cleanup
Finally, a cleanup from the resources deployed.
```shell
kubectl delete -f ./
```
```text
deployment.apps "helloworld-nginx" deleted
envoyfilter.networking.istio.io "envoy-raise-logs" deleted
gateway.networking.istio.io "helloworld-gateway" deleted
service "helloworld" deleted
virtualservice.networking.istio.io "helloworld-vs" deleted
```
## Links of interest
- https://istio.io/latest/docs/reference/config/networking/envoy-filter/
- https://istio.io/latest/docs/reference/config/networking/envoy-filter/#EnvoyFilter-ApplyTo
- https://github.com/istio/istio/wiki/EnvoyFilter-Samples
- https://istio.io/latest/docs/reference/config/networking/envoy-filter/#EnvoyFilter-Patch-Operation

13
06-Envoy/02-envoy-logging/Service.yaml Normal file
View File

@ -0,0 +1,13 @@
apiVersion: v1
kind: Service
metadata:
name: helloworld
labels:
app: helloworld
service: helloworld
spec:
ports:
- port: 80
name: http
selector:
app: helloworld

20
06-Envoy/02-envoy-logging/VirtualService.yaml Normal file
View File

@ -0,0 +1,20 @@
apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
name: helloworld-vs
spec:
hosts:
- "*"
gateways:
- helloworld-gateway
http:
- match:
- uri:
exact: /helloworld
route:
- destination:
host: helloworld
port:
number: 80
rewrite:
uri: "/"

49
06-Envoy/README.md Executable file
View File

@ -0,0 +1,49 @@
## Description
This section focuses on configuring the object `EnvoyFilter`.
## Examples
- 01-Envoy-add-response-headers
- 02-envoy-logging
## Heads up
On the example `02-envoy-logging`, it's a requisite to configure Istio's `meshConfig.accessLogFile` as `/dev/stdout`.
During the installation of the cluster itself, can be set with:
```shell
istioctl install --set profile=default -y --set meshConfig.accessLogFile=/dev/stdout
```
On the current scenario, I would recommend purging the Istio installation and reinstalling again, as I assume that you
are testing this examples in a sandbox that you are free to "destroy".
### Purging Istio
```shell
istioctl uninstall --purge
```
Then proceed with reinstalling Istio using the command from above.
### What if I don't want to purge Istio?
Modify the IstioOperator similarly as mentioned [here](https://istio.io/latest/docs/tasks/traffic-management/egress/egress-control/#change-to-the-blocking-by-default-policy), and populate the object with the following fields:
```yaml
spec:
profile: minimal
meshConfig:
accessLogFile: /dev/stdout
```
## Links of Interest
- https://istio.io/latest/docs/reference/config/networking/envoy-filter/
- https://istio.io/latest/docs/reference/config/networking/envoy-filter/#EnvoyFilter-ApplyTo
- https://github.com/istio/istio/wiki/EnvoyFilter-Samples
- https://istio.io/latest/docs/reference/config/networking/envoy-filter/#EnvoyFilter-Patch-Operation

0
08-AuthorizationPolicy/01-target-namespaces/01-namespace.yaml → 08-AuthorizationPolicy/01-AuthorizationPolicy-Target-Namespaces/01-Namespace.yaml
View File

0
08-AuthorizationPolicy/01-target-namespaces/authentication.yaml → 08-AuthorizationPolicy/01-AuthorizationPolicy-Target-Namespaces/AuthorizationPolicy.yaml
View File

32
08-AuthorizationPolicy/02-target-service-accounts/deployment_2.yaml → 08-AuthorizationPolicy/01-AuthorizationPolicy-Target-Namespaces/Deployments.yaml
View File

@ -1,18 +1,28 @@
apiVersion: v1
kind: Service
apiVersion: apps/v1
kind: Deployment
metadata:
name: byeworld
name: helloworld-nginx
labels:
app: byeworld
service: byeworld
namespace: foo
app: helloworld
spec:
ports:
- port: 9090
name: http
targetPort: 80
replicas: 1
selector:
app: byeworld
matchLabels:
app: helloworld
template:
metadata:
labels:
app: helloworld
spec:
containers:
- name: helloworld
image: nginx
resources:
requests:
cpu: "100m"
imagePullPolicy: IfNotPresent
ports:
- containerPort: 80
---
apiVersion: apps/v1
kind: Deployment

0
08-AuthorizationPolicy/01-target-namespaces/gateway.yaml → 08-AuthorizationPolicy/01-AuthorizationPolicy-Target-Namespaces/Gateway.yaml
View File

11
08-AuthorizationPolicy/01-target-namespaces/README.md → 08-AuthorizationPolicy/01-AuthorizationPolicy-Target-Namespaces/README.md
View File

@ -3,15 +3,16 @@ gitea: none
include_toc: true
---
# Continues from
- [06-mTLS](../../10-mTLS_PeerAuthentication/06-mTLS)
# Description
## Description
On this example we will be deploying an `AuthorizationPolicy` object to control the traffic that the `envoy-proxy` will manage on deployment created.
Bla bla bla
As well, we will configure the `AuthorizationPolicy` object to be applied at a "namespace" level.
Configuration targeting namespaces
# Based on
- [10-mTLS_PeerAuthentication/01-mTLS](../../10-mTLS_PeerAuthentication/01-mTLS)
# Configuration

30
08-AuthorizationPolicy/01-AuthorizationPolicy-Target-Namespaces/Services.yaml Normal file
View File

@ -0,0 +1,30 @@
apiVersion: v1
kind: Service
metadata:
name: helloworld
labels:
app: helloworld
service: helloworld
spec:
ports:
- port: 8080
name: http
targetPort: 80
selector:
app: helloworld
---
apiVersion: v1
kind: Service
metadata:
name: byeworld
labels:
app: byeworld
service: byeworld
namespace: foo
spec:
ports:
- port: 9090
name: http
targetPort: 80
selector:
app: byeworld

42
08-AuthorizationPolicy/01-target-namespaces/deployment_2.yaml
View File

@ -1,42 +0,0 @@
apiVersion: v1
kind: Service
metadata:
name: byeworld
labels:
app: byeworld
service: byeworld
namespace: foo
spec:
ports:
- port: 9090
name: http
targetPort: 80
selector:
app: byeworld
---
apiVersion: apps/v1
kind: Deployment
metadata:
name: byeworld-nginx
labels:
app: byeworld
namespace: foo
spec:
replicas: 1
selector:
matchLabels:
app: byeworld
template:
metadata:
labels:
app: byeworld
spec:
containers:
- name: byeworld
image: nginx
resources:
requests:
cpu: "100m"
imagePullPolicy: IfNotPresent
ports:
- containerPort: 80

0
08-AuthorizationPolicy/02-target-service-accounts/01-namespace.yaml → 08-AuthorizationPolicy/02-AuthorizationPolicy-Target-Service-Accounts/01-Namespace.yaml
View File

0
08-AuthorizationPolicy/02-target-service-accounts/01-service-accounts.yaml → 08-AuthorizationPolicy/02-AuthorizationPolicy-Target-Service-Accounts/01-Service_Accounts.yaml
View File

0
08-AuthorizationPolicy/02-target-service-accounts/authentication.yaml → 08-AuthorizationPolicy/02-AuthorizationPolicy-Target-Service-Accounts/AuthorizationPolicy.yaml
View File

42
08-AuthorizationPolicy/02-target-service-accounts/deployment.yaml → 08-AuthorizationPolicy/02-AuthorizationPolicy-Target-Service-Accounts/Deployments.yaml
View File

@ -1,18 +1,3 @@
apiVersion: v1
kind: Service
metadata:
name: helloworld
labels:
app: helloworld
service: helloworld
spec:
ports:
- port: 8080
name: http
targetPort: 80
selector:
app: helloworld
---
apiVersion: apps/v1
kind: Deployment
metadata:
@ -39,3 +24,30 @@ spec:
imagePullPolicy: IfNotPresent
ports:
- containerPort: 80
---
apiVersion: apps/v1
kind: Deployment
metadata:
name: byeworld-nginx
labels:
app: byeworld
namespace: foo
spec:
replicas: 1
selector:
matchLabels:
app: byeworld
template:
metadata:
labels:
app: byeworld
spec:
containers:
- name: byeworld
image: nginx
resources:
requests:
cpu: "100m"
imagePullPolicy: IfNotPresent
ports:
- containerPort: 80

0
08-AuthorizationPolicy/02-target-service-accounts/gateway.yaml → 08-AuthorizationPolicy/02-AuthorizationPolicy-Target-Service-Accounts/Gateway.yaml
View File

16
08-AuthorizationPolicy/02-target-service-accounts/README.md → 08-AuthorizationPolicy/02-AuthorizationPolicy-Target-Service-Accounts/README.md
View File

@ -3,21 +3,19 @@ gitea: none
include_toc: true
---
# Continues from
[//]: # (- [01-hello_world_1_service_1_deployment]&#40;../../01-simple/01-hello_world_1_service_1_deployment&#41;)
- [01-target-namespaces](../01-target-namespaces)
# Description
On this example we will be deploying an `AuthorizationPolicy` object to control the traffic that the `envoy-proxy` will manage on deployment created.
As well, we will configure the `AuthorizationPolicy` object will be applied to the deployments with the targeted `ServiceAccount`.
> **Note:**\
> On this example there is minimal changes to the configuration to involve targeting service accounts.
## Description
# Based on
Bla bla bla
Configuration targeting service accounts (among others)
By default, when a pod is deployed, if a service account has not been specified, it will be given the service account `default` from that namespace.
- [01-AuthorizationPolicy-Target-Namespaces](../01-AuthorizationPolicy-Target-Namespaces)
# Changelog

30
08-AuthorizationPolicy/02-AuthorizationPolicy-Target-Service-Accounts/Services.yaml Normal file
View File

@ -0,0 +1,30 @@
apiVersion: v1
kind: Service
metadata:
name: helloworld
labels:
app: helloworld
service: helloworld
spec:
ports:
- port: 8080
name: http
targetPort: 80
selector:
app: helloworld
---
apiVersion: v1
kind: Service
metadata:
name: byeworld
labels:
app: byeworld
service: byeworld
namespace: foo
spec:
ports:
- port: 9090
name: http
targetPort: 80
selector:
app: byeworld

0
08-AuthorizationPolicy/03-target-deployments/01-namespace.yaml → 08-AuthorizationPolicy/03-AuthorizationPolicy-Target-Deployments/01-Namespace.yaml
View File

0
08-AuthorizationPolicy/03-target-deployments/authentication.yaml → 08-AuthorizationPolicy/03-AuthorizationPolicy-Target-Deployments/AuthorizationPolicy.yaml
View File

32
08-AuthorizationPolicy/03-target-deployments/deployment_2.yaml → 08-AuthorizationPolicy/03-AuthorizationPolicy-Target-Deployments/Deployments.yaml
View File

@ -1,18 +1,28 @@
apiVersion: v1
kind: Service
apiVersion: apps/v1
kind: Deployment
metadata:
name: byeworld
name: helloworld-nginx
labels:
app: byeworld
service: byeworld
namespace: foo
app: helloworld
spec:
ports:
- port: 9090
name: http
targetPort: 80
replicas: 1
selector:
app: byeworld
matchLabels:
app: helloworld
template:
metadata:
labels:
app: helloworld
spec:
containers:
- name: helloworld
image: nginx
resources:
requests:
cpu: "100m"
imagePullPolicy: IfNotPresent
ports:
- containerPort: 80
---
apiVersion: apps/v1
kind: Deployment

0
08-AuthorizationPolicy/03-target-deployments/gateway.yaml → 08-AuthorizationPolicy/03-AuthorizationPolicy-Target-Deployments/Gateway.yaml
View File

19
08-AuthorizationPolicy/03-target-deployments/README.md → 08-AuthorizationPolicy/03-AuthorizationPolicy-Target-Deployments/README.md
View File

@ -3,18 +3,27 @@ gitea: none
include_toc: true
---
# Continues from
- [01-target-namespaces](../01-target-namespaces)
# Description
On this example we will be deploying an `AuthorizationPolicy` object to control the traffic that the `envoy-proxy` will manage on deployment created.
As well, we will configure the `AuthorizationPolicy` object will be applied to the deployments with the targeted through the usage of labels to filter the resources affected.
> **Note:**\
> On this example there is minimal changes to the configuration to involve targeting the deployment resources through label filtering.
## Description
# Based on
Bla bla bla
- [01-AuthorizationPolicy-Target-Namespaces](../01-AuthorizationPolicy-Target-Namespaces)
In this example we will be targeting the labels set to the deployments, while keeping part of the previous AuthorizationPolicy configuration to maintain its behavior.
[//]: # (## Description)
[//]: # ()
[//]: # (Bla bla bla)
[//]: # ()
[//]: # (In this example we will be targeting the labels set to the deployments, while keeping part of the previous AuthorizationPolicy configuration to maintain its behavior. )
[//]: # (For such, it's important to check the labels set in the Istio ingress that we will be using.)

30
08-AuthorizationPolicy/03-AuthorizationPolicy-Target-Deployments/Services.yaml Normal file
View File

@ -0,0 +1,30 @@
apiVersion: v1
kind: Service
metadata:
name: helloworld
labels:
app: helloworld
service: helloworld
spec:
ports:
- port: 8080
name: http
targetPort: 80
selector:
app: helloworld
---
apiVersion: v1
kind: Service
metadata:
name: byeworld
labels:
app: byeworld
service: byeworld
namespace: foo
spec:
ports:
- port: 9090
name: http
targetPort: 80
selector:
app: byeworld

26
08-AuthorizationPolicy/README.md
View File

@ -1,24 +1,12 @@
## Authentication
- Based on namespaces (done)
- Based on method (somewhat done, so I will mark it as valid)
## Description
- Based on service account(s) (somewhat done)
Through the usage of `AuthorizationPolicies`, we are able to configure rules for access control, whether be (but not limited to) **Allowing** or **Denying** the request.
- Custom action (it's in alpha feature, should not focus on it for now)
On all the examples for simplicity it's been kept to the "Head" request.
- Audit / logs (should be the 3th)
## Examples
JWT seems important, refer to source.requestPrincipals
https://istio.io/latest/docs/tasks/security/authentication/
Per deployment:
```yaml
selector:
matchLabels:
app: myapi
```
- 01-target-namespaces
- 02-target-service-accounts
- 03-target-deployments

0
09-Ingress/01-Create-Istio-LoadBalancer/01-Namespace.yaml → 09-Ingress/01-Ingress-IstioOperator/01-Namespace.yaml
View File

0
09-Ingress/01-Create-Istio-LoadBalancer/Deployment.yaml → 09-Ingress/01-Ingress-IstioOperator/Deployment.yaml
View File

0
09-Ingress/01-Create-Istio-LoadBalancer/Gateway.yaml → 09-Ingress/01-Ingress-IstioOperator/Gateway.yaml
View File

0
09-Ingress/01-Create-Istio-LoadBalancer/IstioOperator/IstioOperator.yaml → 09-Ingress/01-Ingress-IstioOperator/IstioOperator/IstioOperator.yaml
View File

0
09-Ingress/01-Create-Istio-LoadBalancer/README.md → 09-Ingress/01-Ingress-IstioOperator/README.md
View File

13
09-Ingress/01-Ingress-IstioOperator/Service.yaml Normal file
View File

@ -0,0 +1,13 @@
apiVersion: v1
kind: Service
metadata:
name: helloworld
labels:
app: helloworld
service: helloworld
spec:
ports:
- port: 80
name: http
selector:
app: helloworld

20
09-Ingress/01-Ingress-IstioOperator/VirtualService.yaml Normal file
View File

@ -0,0 +1,20 @@
apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
name: helloworld-vs
spec:
hosts:
- "*"
gateways:
- helloworld-gateway
http:
- match:
- uri:
exact: /helloworld
route:
- destination:
host: helloworld
port:
number: 80
rewrite:
uri: "/"

15
09-Ingress/README.md Normal file
View File

@ -0,0 +1,15 @@
## Description
This section is focused in the Ingress Load balancers and how to install or set them up.
Nevertheless, currently only contains how to install through the IstioOperator.
## Examples
- 01-Ingress-IstioOperator
## Links of interest
- https://istio.io/latest/docs/setup/additional-setup/gateway/

0
08-AuthorizationPolicy/01-target-namespaces/deployment.yaml → 10-mTLS_PeerAuthentication/01-mTLS/Deployment.yaml
View File

0
10-mTLS_PeerAuthentication/06-mTLS/deployment_2.yaml → 10-mTLS_PeerAuthentication/01-mTLS/Deployment_2.yaml
View File

0
10-mTLS_PeerAuthentication/06-mTLS/gateway.yaml → 10-mTLS_PeerAuthentication/01-mTLS/Gateway.yaml
View File

0
10-mTLS_PeerAuthentication/06-mTLS/authentication.yaml → 10-mTLS_PeerAuthentication/01-mTLS/PeerAuthentication.yaml
View File

0
10-mTLS_PeerAuthentication/06-mTLS/README.md → 10-mTLS_PeerAuthentication/01-mTLS/README.md
View File

0
10-mTLS_PeerAuthentication/06-mTLS/src/06-kiali-services-byeworld.png → 10-mTLS_PeerAuthentication/01-mTLS/src/06-kiali-services-byeworld.png
View File

Side by Side Swipe Overlay

Before

Width:  |  Height:  |  Size: 35 KiB

After

Width:  |  Height:  |  Size: 35 KiB

0
10-mTLS_PeerAuthentication/06-mTLS/src/06-kiali-services-helloworld.png → 10-mTLS_PeerAuthentication/01-mTLS/src/06-kiali-services-helloworld.png
View File

Side by Side Swipe Overlay

Before

Width:  |  Height:  |  Size: 32 KiB

After

Width:  |  Height:  |  Size: 32 KiB

0
10-mTLS_PeerAuthentication/06-mTLS/src/06-kiali-services.png → 10-mTLS_PeerAuthentication/01-mTLS/src/06-kiali-services.png
View File

Side by Side Swipe Overlay

Before

Width:  |  Height:  |  Size: 74 KiB

After

Width:  |  Height:  |  Size: 74 KiB

0
10-mTLS_PeerAuthentication/01-disable-mTLS/deployment.yaml → 10-mTLS_PeerAuthentication/02-disable-mTLS/Deployment.yaml
View File

0
10-mTLS_PeerAuthentication/01-disable-mTLS/gateway.yaml → 10-mTLS_PeerAuthentication/02-disable-mTLS/Gateway.yaml
View File

0
10-mTLS_PeerAuthentication/01-disable-mTLS/authentication.yaml → 10-mTLS_PeerAuthentication/02-disable-mTLS/PeerAuthentication.yaml
View File

0
10-mTLS_PeerAuthentication/01-disable-mTLS/README.md → 10-mTLS_PeerAuthentication/02-disable-mTLS/README.md
View File

0
10-mTLS_PeerAuthentication/01-disable-mTLS/Service.yaml → 10-mTLS_PeerAuthentication/02-disable-mTLS/Service.yaml
View File

0
10-mTLS_PeerAuthentication/02-portLevelMtls/deployment.yaml → 10-mTLS_PeerAuthentication/03-mTLS-per-port-settings/Deployment.yaml
View File

0
10-mTLS_PeerAuthentication/02-portLevelMtls/gateway.yaml → 10-mTLS_PeerAuthentication/03-mTLS-per-port-settings/Gateway.yaml
View File

0
10-mTLS_PeerAuthentication/02-portLevelMtls/authentication.yaml → 10-mTLS_PeerAuthentication/03-mTLS-per-port-settings/PeerAuthentication.yaml
View File

6
10-mTLS_PeerAuthentication/02-portLevelMtls/README.md → 10-mTLS_PeerAuthentication/03-mTLS-per-port-settings/README.md
View File

@ -5,13 +5,13 @@ include_toc: true
# Based on
- [01-disable-mTLS](../01-disable-mTLS)
- [02-disable-mTLS](../02-disable-mTLS)
# Description
Based on the previous example that disabled mTLS, and explored how it affected the behavior of the services, on `HTTP` and `HTTPS` backends, this example aims to, through the usage of `portLevelMtls`, configure the `mTLS` behavior based on the destination port.
Through this, we can apply multiple `mTLS` behaviors under a single deployment, unlike the [previous example](../01-disable-mTLS) that required to create 2 different deployments under a single service, and as well implement `Destination Rules` as well of `subsets` to route the traffic between the 2 deployments.
Through this, we can apply multiple `mTLS` behaviors under a single deployment, unlike the [previous example](../02-disable-mTLS) that required to create 2 different deployments under a single service, and as well implement `Destination Rules` as well of `subsets` to route the traffic between the 2 deployments.
> **Note:**\
> For more information about the image used refer to [here](https://hub.docker.com/r/oriolfilter/https-nginx-demo)
@ -312,7 +312,7 @@ listening on eth0, link-type EN10MB (Ethernet), snapshot length 262144 bytes
##### Curl
Even tho, we have set in the [PeerAuthentication configuration](#peerauthentication) mode to `STRICT`, unlike in the [previous example](../01-disable-mTLS/#https-1), where the mode was also set to `STRICT`, in this example we configured the `portLevelMtls` field for the port `443`, successfully disabling `mTLS` for this port, and allowing to proceed with the request towards the `HTTPS` backend; which was performed without the need of disabling `mTLS` for the whole deployment.
Even tho, we have set in the [PeerAuthentication configuration](#peerauthentication) mode to `STRICT`, unlike in the [previous example](../02-disable-mTLS/#https-1), where the mode was also set to `STRICT`, in this example we configured the `portLevelMtls` field for the port `443`, successfully disabling `mTLS` for this port, and allowing to proceed with the request towards the `HTTPS` backend; which was performed without the need of disabling `mTLS` for the whole deployment.
```shell
curl 192.168.1.50/https

0
10-mTLS_PeerAuthentication/02-portLevelMtls/Service.yaml → 10-mTLS_PeerAuthentication/03-mTLS-per-port-settings/Service.yaml
View File

10
10-mTLS_PeerAuthentication/README.md Normal file
View File

@ -0,0 +1,10 @@
## Description
This section is focused regarding mTLS, using Kiali dashboard to confirm which services have mTLS enabled, how to enable and disable mTLS, and as well how to apply a desired configuration targeting a specific port.
## Examples
- 01-mTLS
- 02-disable-mTLS
- 03-mTLS-per-port-settings

17
10-mTLS_PeerAuthentication/06-mTLS/deployment.yaml → 11-Fault_Injection/01-FaultInjection-delay/Deployment.yaml
View File

@ -1,18 +1,3 @@
apiVersion: v1
kind: Service
metadata:
name: helloworld
labels:
app: helloworld
service: helloworld
spec:
ports:
- port: 8080
name: http
targetPort: 80
selector:
app: helloworld
---
apiVersion: apps/v1
kind: Deployment
metadata:
@ -35,6 +20,6 @@ spec:
resources:
requests:
cpu: "100m"
imagePullPolicy: IfNotPresent
imagePullPolicy: IfNotPresent #Always
ports:
- containerPort: 80

14
11-Fault_Injection/01-FaultInjection-delay/Gateway.yaml Executable file
View File

@ -0,0 +1,14 @@
apiVersion: networking.istio.io/v1alpha3
kind: Gateway
metadata:
name: helloworld-gateway
spec:
selector:
istio: ingressgateway # use istio default controller
servers:
- port:
number: 80
name: http
protocol: HTTP
hosts:
- "*"

251
11-Fault_Injection/01-FaultInjection-delay/README.md Executable file
View File

@ -0,0 +1,251 @@
---
gitea: none
include_toc: true
---
# Description
Based on the [previous example](../../01-Getting_Started/01-hello_world_1_service_1_deployment), we configure a "fault" that will make the backend take 10 more seconds before receiving the request.
This will be applied to a 90% of the incoming traffic that matches the rule and will allow to confirm in a secure environment how the application would behave in such difficult situations, and apply the modifications required to avoid issue in case there would be a network issue.
This example configures:
Generic Kubernetes resources:
- 1 Service
- 1 Deployments
Istio resources:
- 1 Gateway
- 1 Virtual Service
# Based on
- [01-hello_world_1_service_1_deployment](../../01-Getting_Started/01-hello_world_1_service_1_deployment)
- https://istio.io/latest/docs/reference/config/networking/virtual-service/#HTTPFaultInjection-Delay
# Configuration
## Service
Creates a service named `helloworld`.
This service listens for the port `80` expecting `HTTP` traffic and will forward the incoming traffic towards the port `80` from the destination pod.
```yaml
apiVersion: v1
kind: Service
metadata:
name: helloworld
labels:
app: helloworld
service: helloworld
spec:
ports:
- port: 80
name: http
selector:
app: helloworld
```
## Deployment
Deploys a Nginx server that listens for the port `80`.
```yaml
apiVersion: apps/v1
kind: Deployment
metadata:
name: helloworld-nginx
labels:
app: helloworld
spec:
replicas: 1
selector:
matchLabels:
app: helloworld
template:
metadata:
labels:
app: helloworld
spec:
containers:
- name: helloworld
image: nginx
resources:
requests:
cpu: "100m"
imagePullPolicy: IfNotPresent #Always
ports:
- containerPort: 80
```
## Gateway
Deploys an Istio gateway that's listening to the port `80` for `HTTP` traffic.
It doesn't filter for any specific host.
The `selector` field is used to "choose" which Istio Load Balancers will have this gateway assigned to.
The Istio `default` profile creates a Load Balancer in the namespace `istio-system` that has the label `istio: ingressgateway` set, allowing us to target that specific Load Balancer and assign this gateway resource to it.
```yaml
apiVersion: networking.istio.io/v1alpha3
kind: Gateway
metadata:
name: helloworld-gateway
spec:
selector:
istio: ingressgateway # use istio default controller
servers:
- port:
number: 80
name: http
protocol: HTTP
hosts:
- "*"
```
## VirtualService
The Virtual Service resources are used to route and filter the received traffic from the gateway resources, and route it towards the desired destination.
On this example we select the gateway `helloworld-gateway`, which is the [gateway that 's described in the `Gateway` section](#gateway).
On this resource, we are also not limiting the incoming traffic to any specific host, allowing for all the incoming traffic to go through the rules set.
Here we created a rule that will be applied on `HTTP` related traffic (including `HTTPS` and `HTTP2`) when the destination path is exactly `/helloworld`.
This traffic will be forwarded to the port `80` of the destination service `helloworld` (the full path URL equivalent would be `helloworld.$NAMESPACE.svc.cluster.local`).
There will be an internal URL rewrite set, as if the URL is not modified, it would attempt to reach to the `/helloworld` path from the Nginx deployment, which currently has no content and would result in an error code `404` (Not found).
Additionally, we apply a "fault", where a 90% of the traffic will have 10 seconds extra of delay.
```yaml
apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
name: helloworld-vs
spec:
hosts:
- "*"
gateways:
- helloworld-gateway
http:
- match:
- uri:
exact: /helloworld
route:
- destination:
host: helloworld
port:
number: 80
rewrite:
uri: "/"
fault:
delay:
percentage:
value: 90
fixedDelay: 10s
```
# Walkthrough
## Deploy resources
Deploy the resources.
```shell
kubectl apply -f ./
```
```text
deployment.apps/helloworld-nginx created
gateway.networking.istio.io/helloworld-gateway created
service/helloworld created
virtualservice.networking.istio.io/helloworld-vs created
```
## Wait for the pods to be ready
Wait for the Nginx deployments to be up and ready.
```shell
kubectl get deployment helloworld-nginx -w
```
```text
NAME READY UP-TO-DATE AVAILABLE AGE
helloworld-nginx 1/1 1 1 12s
```
## Test the service
### Get LB IP
To perform the desired tests, we will need to obtain the IP Istio Load Balancer that we selected in the [Gateway section](#gateway).
On my environment, the IP is the `192.168.1.50`.
```shell
kubectl get svc -l istio=ingressgateway -A
```
```text
NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE
istio-ingressgateway LoadBalancer 10.97.47.216 192.168.1.50 15021:31316/TCP,80:32012/TCP,443:32486/TCP 39h
```
### helloworld
We will use the `curl` command and feed it a template to provide us with some timings and as well of confirming the status code from the request.
Since the fault that we set had a 90% chance of triggering, if you are "unlucky", and get instantly the response from the backend, you might need to run the command multiple times in order to get the fault triggered.
```shell
curl -w @- -o /dev/null -s 192.168.1.50/helloworld <<'EOF'
http_code: %{http_code}\n
time_namelookup: %{time_namelookup}\n
time_connect: %{time_connect}\n
time_appconnect: %{time_appconnect}\n
time_pretransfer: %{time_pretransfer}\n
time_redirect: %{time_redirect}\n
time_starttransfer: %{time_starttransfer}\n
----------\n
time_total: %{time_total}\n
EOF
```
```text
http_code: 200
time_namelookup: 0.000010
time_connect: 0.000671
time_appconnect: 0.000000
time_pretransfer: 0.000689
time_redirect: 0.000000
time_starttransfer: 10.008781
----------
time_total: 10.008817
```
From the command output, we can observe that the request took more than 10 seconds to be replied, and as well the status code was successful, meaning that the application was able to handle the request.
## Cleanup
Finally, a cleanup from the resources deployed.
```shell
kubectl delete -f ./
```
```text
deployment.apps "helloworld-nginx" deleted
gateway.networking.istio.io "helloworld-gateway" deleted
service "helloworld" deleted
virtualservice.networking.istio.io "helloworld-vs" deleted
```
# Links of interest
- https://istio.io/latest/docs/reference/config/networking/virtual-service/#HTTPFaultInjection-Delay

Some files were not shown because too many files have changed in this diff Show More