ofilter/Istio_Examples
1
0
Fork 0
Code Issues 26 Pull Requests Packages Projects 1 Releases Wiki Activity

Compare commits

base: ofilter:ca68dde6ea9e3cad11b58e985b6b0e07131f18b3
Branches Tags
ofilter:main ofilter:dev
...
compare: ofilter:dev
Branches Tags
ofilter:main ofilter:dev

63 Commits
ca68dde6ea ... dev

Author SHA1 Message Date
ofilter
a4419990ea Merge branch 'main' into dev 2024-01-15 21:45:39 +01:00
ofilter
990bada6e1 Merge pull request 'dev2_Jan_15_2024' (#67) from dev2_Jan_15_2024 into dev 
Reviewed-on: #67
 2024-01-15 21:44:43 +01:00
ofilter
e088cf6659 Merge branch 'dev' into dev2_Jan_15_2024 2024-01-15 21:44:34 +01:00
savagebidoof
ee13b20458 Fixed lowercase typo on folder name. 
Quick made the README.md
 2024-01-15 21:36:27 +01:00
savagebidoof
2582e15e1a Added couple relevant links to the topic, nothing else. 2024-01-15 21:32:45 +01:00
savagebidoof
404c036883 Deleted/Moved to main 2024-01-15 21:32:29 +01:00
savagebidoof
6cb3c9fa50 Added simple monitoring examples. 
They are based off Helm PrometheusStack community Chart.
 2024-01-15 21:32:14 +01:00
ofilter
f86ac97255 Merge pull request 'dev - 2023/10/14' (#66) from dev into main 
Reviewed-on: https://gitea.filterhome.xyz/ofilter/Istio_Examples/pulls/66
 2023-10-14 13:06:28 +02:00
ofilter
2fb608c5bd Merge branch 'main' into dev 2023-10-14 13:06:17 +02:00
savagebidoof
942a3bf8ae Updated Global README.md 2023-10-14 13:03:28 +02:00
savagebidoof
74e5b9d5f0 Inserted into the respective directory. 2023-10-14 13:01:46 +02:00
savagebidoof
7e004697a9 Fixed link refference 2023-10-14 13:00:52 +02:00
savagebidoof
c02a355a95 Renamed folder 2023-10-14 13:00:22 +02:00
savagebidoof
d2b1dc2284 Speed documented 2023-10-14 12:59:07 +02:00
savagebidoof
f0ce2ae68d Fixed format 2023-10-14 12:50:13 +02:00
savagebidoof
b6657bdd4c Renamed files and deglossed it's contents. 2023-10-14 12:30:39 +02:00
savagebidoof
68efcde1fa Added a section README.md to the sections: 
- 90-MixConfigs
- 99-resources
 2023-10-14 12:22:17 +02:00
savagebidoof
1cf75d5902 Deglossed the files. 2023-10-14 12:21:42 +02:00
savagebidoof
df8eea778c Documented examples from 11-Fault_Injection: 
- 01-FaultInjection-delay
- 02-FaultInjection-abort

Added a section README.md to the section:

- 11-Fault_Injection
 2023-10-14 12:11:34 +02:00
savagebidoof
c1aec3ae4c Renamed file to capitalized first letter. 2023-10-14 11:21:30 +02:00
savagebidoof
957dbfcf84 Updated global README.md 2023-10-14 11:19:29 +02:00
savagebidoof
e883755680 Added section README.md for: 
- 10-mTLS_PeerAuthentication

Renamed its files to use a capital letter at the start of the files.
 2023-10-14 11:14:19 +02:00
savagebidoof
0a1e36dcaf Added section README.md for: 
- 09-Ingress
 2023-10-14 11:08:51 +02:00
savagebidoof
40fe16c040 Renamed folder 2023-10-14 11:06:55 +02:00
savagebidoof
b440efb6b2 Renamed directories 2023-10-14 11:02:16 +02:00
savagebidoof
4e66d65096 Fixed refference 2023-10-14 11:01:51 +02:00
savagebidoof
16f7ab6178 Improved Readme slightly. 2023-10-14 11:00:10 +02:00
savagebidoof
d117481a5b Documented Section Readme for: 
- 08-AuthorizationPolicy

Also, (speed) documented its examples.
 2023-10-14 10:59:33 +02:00
savagebidoof
84b71d9751 Minor update to the global README.md file. 2023-10-14 10:27:11 +02:00
savagebidoof
fd3f9b6e95 Didn't add the examples section. 2023-10-14 10:25:13 +02:00
savagebidoof
de4ae7dd09 Documented 06_Envoy examples: 
- 01-Envoy-add-response-headers
- 02-envoy-logging

Added section README.md to:
- 05-Sidecar
- 06-Envoy
 2023-10-14 10:19:01 +02:00
savagebidoof
6aa4cb2c03 Updated global README 2023-10-14 06:46:54 +02:00
savagebidoof
8c1288f8d1 Set up the base of the README 2023-10-14 06:43:07 +02:00
savagebidoof
23eb763524 Fixed typos in 3 section references. 2023-10-14 06:42:54 +02:00
savagebidoof
87aab0c9be Proceeding with the README from each section. 2023-10-14 06:29:49 +02:00
savagebidoof
6ff0ce9ee8 Quality improvements. 
Fixed broken URL or typos in the directory references.

As well proceeding with the README from each section.
 2023-10-14 06:21:26 +02:00
savagebidoof
439d62b718 Merge remote-tracking branch 'origin/dev' into dev 2023-07-01 17:35:00 +02:00
savagebidoof
73d4918f2c deleted doomy file. 2023-07-01 17:33:59 +02:00
savagebidoof
93018487e6 deleted doomy file. 2023-07-01 17:33:20 +02:00
ofilter
1542aaafcc Merge pull request 'dev - mid update' (#63) from dev into main 
Reviewed-on: https://gitea.filterhome.xyz/ofilter/Istio_Examples/pulls/63
 2023-07-01 14:21:59 +00:00
ofilter
f8fd8c6ce5 Merge branch 'main' into dev 2023-07-01 14:21:19 +00:00
savagebidoof
9d7cae15f8 deleted doomy file. 2023-07-01 16:17:57 +02:00
savagebidoof
f068de7dcc quality improvement on the README.md 2023-07-01 16:07:15 +02:00
savagebidoof
eb001e704a fixed README.md tree 2023-07-01 16:05:54 +02:00
savagebidoof
f5b24a9a17 Added Undocumented Minecraft example. 2023-07-01 16:05:10 +02:00
savagebidoof
78f09bdc08 Updated README.md 2023-07-01 16:03:58 +02:00
savagebidoof
07bca8cce1 Renamed folder 
Small quality improvement
 2023-07-01 16:02:52 +02:00
savagebidoof
e9af4daeee Renamed folder 
Small quality improvement
 2023-07-01 16:02:18 +02:00
savagebidoof
be2375c14c Fixed link reference 2023-07-01 15:56:27 +02:00
savagebidoof
b7de0f8205 Sorted some folders. 
Quality improvements for 01-Service_Entry
 2023-07-01 15:54:38 +02:00
savagebidoof
918f480319 Seems like I moved some files around (it's been a while) 
Also have documented the ingress example regarding installing a Istio Ingress Gateway Load Balancer.
 2023-07-01 15:40:15 +02:00
savagebidoof
703d380bca added a final dot... 2023-05-15 15:36:08 +02:00
savagebidoof
4681d98ae7 fixed markdown checkboxes 2023-05-15 15:36:00 +02:00
ofilter
fe4cfa88a6 Merge pull request '15/May/2023' (#62) from dev into main 
Reviewed-on: https://gitea.filterhome.xyz/ofilter/Istio_Examples/pulls/62
 2023-05-15 13:33:16 +00:00
savagebidoof
88e71e8c5b Quality improvements. 2023-05-15 15:28:37 +02:00
savagebidoof
747c3f1171 Documented 02-egress-proxy. 
Not to brag, BUT I believe it's fairly godlike.
 2023-05-15 15:22:43 +02:00
savagebidoof
6c6f968097 Deleted a useless line. 2023-05-15 15:19:48 +02:00
savagebidoof
8ba4495ea7 Documented 02-egress-proxy. 
Not to brag, BUT I believe it's fairly godlike.
 2023-05-15 15:19:28 +02:00
savagebidoof
9dbcf712de Added a link. 
Added the logs entry of `istio-proxy` container from a pod.
 2023-05-15 02:48:49 +02:00
savagebidoof
6153529f9a Added a link 2023-05-15 02:47:19 +02:00
savagebidoof
38a7b70758 removed an space, wow 2023-05-11 23:23:46 +02:00
ofilter
d3d730b34c Merge pull request 'Examples update 04/05/2023' (#48) from dev into main 
Reviewed-on: https://gitea.filterhome.xyz/ofilter/Istio_Examples/pulls/48
 2023-05-04 01:27:31 +00:00
ofilter
ce4cb196eb Merge pull request 'Cleanup and minimal documentation added.' (#46) from dev into main 
Reviewed-on: https://gitea.filterhome.xyz/ofilter/Istio_Examples/pulls/46
 2023-05-01 00:08:05 +00:00
171 changed files with 4446 additions and 1327 deletions
Expand all files Collapse all files

2
.placeholder/08-monitoring/README.md
View File

@ -1,2 +0,0 @@
https://raw.githubusercontent.com/istio/istio/release-1.17/samples/httpbin/sample-client/fortio-deploy.yaml

3
.placeholder/13-WASM_Modules/README.md Normal file
View File

@ -0,0 +1,3 @@
https://github.com/istio-ecosystem/wasm-extensions
https://github.com/istio-ecosystem/wasm-extensions/tree/master/extensions/basic_auth

100
00-Troubleshooting/README.md
View File

@ -3,6 +3,63 @@ gitea: none
include_toc: true
---
# Logs
> **Note:**\
> Remember that you can use the command `watch` or `watch -n 5` (where 5 refers every 5 seconds) in case of being interested on execute this commands periodically.
## Istiod
```shell
kubectl logs -n istio-system -f deployments/istiod
```
## Istio-Proxy Pod
This will display the logs from a deployment while targeting the `istio-proxy` container from the targeted pod/deployment.
As well will attach the session to stream new logs. (`-f` `--follow`)
```shell
kubectl logs deployments/helloworld-default -f -c istio-proxy
```
```text
[2023-05-15T00:42:03.699Z] "- - -" 0 UH - - "-" 0 0 0 - "-" "-" "-" "-" "-" BlackHoleCluster - 10.111.90.232:8080 172.17.121.65:52006 - -
[2023-05-15T00:42:24.785Z] "HEAD / HTTP/1.1" 200 - via_upstream - "-" 0 0 2 1 "-" "curl/7.74.0" "c133cbf0-b57d-4fba-8f84-d683ab903399" "helloworld.default.svc.cluster.local" "172.17.121.65:80" inbound|80|| 127.0.0.6:51695 172.17.121.65:80 172.17.121.65:43786 outbound_.80_._.helloworld.default.svc.cluster.local default
[2023-05-15T00:42:24.784Z] "HEAD / HTTP/1.1" 200 - via_upstream - "-" 0 0 5 4 "-" "curl/7.74.0" "c133cbf0-b57d-4fba-8f84-d683ab903399" "helloworld.default.svc.cluster.local" "172.17.121.65:80" outbound|80||helloworld.default.svc.cluster.local 172.17.121.65:43786 10.111.90.232:80 172.17.121.65:57030 - default
[2023-05-15T00:43:23.209Z] "HEAD / HTTP/1.1" 200 - via_upstream - "-" 0 0 6 5 "-" "curl/7.74.0" "e1f0a2f3-93ff-4c41-8cb3-6d3a53fce065" "helloworld.foo.svc.cluster.local" "172.17.247.42:80" outbound|80||helloworld.foo.svc.cluster.local 172.17.121.65:55040 10.109.248.148:80 172.17.121.65:60520 - default
[2023-05-15T00:43:29.751Z] "- - -" 0 UH - - "-" 0 0 0 - "-" "-" "-" "-" "-" BlackHoleCluster - 10.109.248.148:8080 172.17.121.65:40370 - -
[2023-05-15T00:43:31.979Z] "- - -" 0 UH - - "-" 0 0 0 - "-" "-" "-" "-" "-" BlackHoleCluster - 10.109.248.148:8080 172.17.121.65:40402 - -
```
## Ingress
The service targeted, `istio-ingressgateway`, is an Ingress Load Balancer service from Istio.
```shell
kubectl logs -n istio-system services/istio-ingressgateway
```
#### Invalid TLS context has neither subject CN nor SAN names
The TLS certificate specified don't have the field CN or the field SAN.
To address this issue, issue a new certificate that has at least one of those fields.
#### initial fetch timed out for type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.Secretthread
This is due not being able to retrieve the TLS configuration assigned to the gateway.
It's Important that the secret is located in the same namespace as the Istio Load Balancer used. In my case is the `istio-system`, but it will vary based on the environment.
# Istioctl analyze
`istioctl analyze` reviews the current configuration set.
@ -67,37 +124,24 @@ listening on eth0, link-type EN10MB (Ethernet), snapshot length 262144 bytes
...
```
# Logs
> **Note:**\
> Remember that you can use the command `watch` or `watch -n 5` (where 5 refers every 5 seconds) in case of being interested on execute this commands periodically.
## Istiod
# Istioctl proxy-status
> **Note:** Shorthand is `ps`
```shell
kubectl logs -n istio-system -f deployments/istiod
istioctl ps
```
```text
NAME CLUSTER CDS LDS EDS RDS ECDS ISTIOD VERSION
helloworld-6798765f88-ql26n.default Kubernetes SYNCED SYNCED SYNCED SYNCED NOT SENT istiod-dbf5ff64-9kxxs 1.17.2
helloworld2-dc9cb5db6-m47x7.default Kubernetes SYNCED SYNCED SYNCED SYNCED NOT SENT istiod-dbf5ff64-9kxxs 1.17.2
istio-egressgateway-676bf68b54-d28fn.istio-system Kubernetes SYNCED SYNCED SYNCED NOT SENT NOT SENT istiod-dbf5ff64-9kxxs 1.17.2
istio-ingressgateway-8d56c999d-nv7ph.istio-system Kubernetes SYNCED SYNCED SYNCED SYNCED NOT SENT istiod-dbf5ff64-9kxxs 1.17.2
```
## Ingress
The service targeted, `istio-ingressgateway`, is an Ingress Load Balancer service from Istio.
```shell
kubectl logs -n istio-system services/istio-ingressgateway
```
#### Invalid TLS context has neither subject CN nor SAN names
The TLS certificate specified don't have the field CN or the field SAN.
To address this issue, issue a new certificate that has at least one of those fields.
#### initial fetch timed out for type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.Secretthread
This is due not being able to retrieve the TLS configuration assigned to the gateway.
It's Important that the secret is located in the same namespace as the Istio Load Balancer used. In my case is the `istio-system`, but it will vary based on the environment.
# Istioctl proxy-config
> **Note:** Shorthand is `pc`
## Check listeners
@ -177,4 +221,8 @@ InboundPassthroughClusterIpv4 - -
PassthroughCluster - - - ORIGINAL_DST
agent - - - STATIC
...
```
```
# Other links
## [Debugging with Istio](https://www.istioworkshop.io/12-debugging/01-istioctl-debug-command/)

2
01-Getting_Started/01-hello_world_1_service_1_deployment/README.md
View File

@ -219,7 +219,7 @@ I would like to put emphasis on the following line returned:
server: istio-envoy
```
This means that the contents returned was performed by the Istio service, instead of the Nginx or any other possible backend service.
This means that the contents returned was performed by the Istio service, therefore, the request was able to reach Istio and received a response from it.
## Cleanup

4
01-Getting_Started/03-hello_world_1_service_2_deployments_managed_version/VirtualService.yaml
View File

@ -19,13 +19,13 @@ spec:
port:
number: 80
subset: v1
weight: 20
weight: 80
- destination:
# host: helloworld (OLD)
host: helloworld.default.svc.cluster.local
port:
number: 80
subset: v2
weight: 80
weight: 20
rewrite:
uri: "/"

3
01-Getting_Started/README.md
View File

@ -5,7 +5,8 @@ include_toc: true
# Getting Started
The idea of these examples is to get yourself familiarized with the basic elements used on Istio, allowing you to explore the documentation as well of proceeding with other examples or tests on your onw.
The idea of these examples is to get yourself familiarized with the basic elements used on Istio, allowing you to
explore the documentation as well of proceeding with other examples or tests on your onw.
On these examples you will find the following Istio resources:

13
02-Traffic_management/README.md
View File

@ -1 +1,12 @@
This gloves the resources `Virtual Service` and `Destination Rule`
# Description
This section involves the configuration of `Virtual Service` objects.
# Examples
- 01-header_routing
- 02-DirectResponse-HTTP-Body
- 03-HTTPRewrite
- 04-HTTPRedirect

2
03-Gateway_Ingress/01-Host_Based_Routing/README.md
View File

@ -25,7 +25,7 @@ This example configures:
# Based on
- [01-hello_world_1_service_1_deployment](../../01-Getting_Started/01-hello_world_1_service_1_deployment
- [01-hello_world_1_service_1_deployment](../../01-Getting_Started/01-hello_world_1_service_1_deployment)
# Configuration

2
03-Gateway_Ingress/02-Restrict_Namespaces/README.md
View File

@ -28,7 +28,7 @@ This example configures:
# Based on
- [01-hello_world_1_service_1_deployment](../../01-Getting_Started/01-hello_world_1_service_1_deployment
- [01-hello_world_1_service_1_deployment](../../01-Getting_Started/01-hello_world_1_service_1_deployment)
# Configuration

0
03-Gateway_Ingress/07-HTTPS-Gateway-Simple-TLS/Deployment.yaml → 03-Gateway_Ingress/03-HTTPS-Gateway-Simple-TLS/Deployment.yaml
View File

0
03-Gateway_Ingress/07-HTTPS-Gateway-Simple-TLS/Gateway.yaml → 03-Gateway_Ingress/03-HTTPS-Gateway-Simple-TLS/Gateway.yaml
View File

2
03-Gateway_Ingress/07-HTTPS-Gateway-Simple-TLS/README.md → 03-Gateway_Ingress/03-HTTPS-Gateway-Simple-TLS/README.md
View File

@ -5,7 +5,7 @@ include_toc: true
# Based on
- [01-hello_world_1_service_1_deployment](../../01-Getting%20Started/01-hello_world_1_service_1_deployment)
- [01-hello_world_1_service_1_deployment](../../01-Getting_Started/01-hello_world_1_service_1_deployment)
# Description

0
03-Gateway_Ingress/07-HTTPS-Gateway-Simple-TLS/Service.yaml → 03-Gateway_Ingress/03-HTTPS-Gateway-Simple-TLS/Service.yaml
View File

0
03-Gateway_Ingress/07-HTTPS-Gateway-Simple-TLS/VirtualService.yaml → 03-Gateway_Ingress/03-HTTPS-Gateway-Simple-TLS/VirtualService.yaml
View File

0
03-Gateway_Ingress/08a-HTTPS-min-TLS-version/Deployment.yaml → 03-Gateway_Ingress/04a-HTTPS-min-TLS-version/Deployment.yaml
View File

0
03-Gateway_Ingress/08a-HTTPS-min-TLS-version/Gateway.yaml → 03-Gateway_Ingress/04a-HTTPS-min-TLS-version/Gateway.yaml
View File

2
03-Gateway_Ingress/08a-HTTPS-min-TLS-version/README.md → 03-Gateway_Ingress/04a-HTTPS-min-TLS-version/README.md
View File

@ -5,7 +5,7 @@ include_toc: true
# Based on
- [07-HTTPS-Gateway-Simple-TLS](../07-HTTPS-Gateway-Simple-TLS)
- [03-HTTPS-Gateway-Simple-TLS](../03-HTTPS-Gateway-Simple-TLS)
# Description

0
03-Gateway_Ingress/08a-HTTPS-min-TLS-version/Service.yaml → 03-Gateway_Ingress/04a-HTTPS-min-TLS-version/Service.yaml
View File

0
03-Gateway_Ingress/08a-HTTPS-min-TLS-version/VirtualService.yaml → 03-Gateway_Ingress/04a-HTTPS-min-TLS-version/VirtualService.yaml
View File

0
03-Gateway_Ingress/08b-HTTPS-max-TLS-version/Deployment.yaml → 03-Gateway_Ingress/04b-HTTPS-max-TLS-version/Deployment.yaml
View File

0
03-Gateway_Ingress/08b-HTTPS-max-TLS-version/Gateway.yaml → 03-Gateway_Ingress/04b-HTTPS-max-TLS-version/Gateway.yaml
View File

2
03-Gateway_Ingress/08b-HTTPS-max-TLS-version/README.md → 03-Gateway_Ingress/04b-HTTPS-max-TLS-version/README.md
View File

@ -5,7 +5,7 @@ include_toc: true
# Based on
- [08a-HTTPS-min-TLS-version](../08a-HTTPS-min-TLS-version)
- [04a-HTTPS-min-TLS-version](../04a-HTTPS-min-TLS-version)
# Description

0
03-Gateway_Ingress/08b-HTTPS-max-TLS-version/Service.yaml → 03-Gateway_Ingress/04b-HTTPS-max-TLS-version/Service.yaml
View File

0
03-Gateway_Ingress/08b-HTTPS-max-TLS-version/VirtualService.yaml → 03-Gateway_Ingress/04b-HTTPS-max-TLS-version/VirtualService.yaml
View File

18
08-AuthorizationPolicy/03-target-deployments/deployment.yaml → 03-Gateway_Ingress/05-TCP-FORWARDING/Deployment.yaml
View File

@ -1,18 +1,3 @@
apiVersion: v1
kind: Service
metadata:
name: helloworld
labels:
app: helloworld
service: helloworld
spec:
ports:
- port: 8080
name: http
targetPort: 80
selector:
app: helloworld
---
apiVersion: apps/v1
kind: Deployment
metadata:
@ -31,10 +16,11 @@ spec:
spec:
containers:
- name: helloworld
image: nginx
image: oriolfilter/https-nginx-demo
resources:
requests:
cpu: "100m"
imagePullPolicy: IfNotPresent
ports:
- containerPort: 80
- containerPort: 443

20
03-Gateway_Ingress/05-TCP-FORWARDING/Gateway.yaml Executable file
View File

@ -0,0 +1,20 @@
apiVersion: networking.istio.io/v1alpha3
kind: Gateway
metadata:
name: helloworld-gateway
spec:
selector:
istio: ingressgateway
servers:
- port:
number: 80
name: tcp-1
protocol: TCP
hosts:
- "*"
- port:
number: 443
name: tcp-2
protocol: TCP
hosts:
- "*"

2
03-Gateway_Ingress/10-TCP-FORWARDING/README.md → 03-Gateway_Ingress/05-TCP-FORWARDING/README.md
View File

@ -5,7 +5,7 @@ include_toc: true
# Based on
- [08a-HTTPS-min-TLS-version](../08a-HTTPS-min-TLS-version)
- [04a-HTTPS-min-TLS-version](../04a-HTTPS-min-TLS-version)
# Description

19
03-Gateway_Ingress/05-TCP-FORWARDING/Service.yaml Normal file
View File

@ -0,0 +1,19 @@
apiVersion: v1
kind: Service
metadata:
name: helloworld
labels:
app: helloworld
service: helloworld
spec:
ports:
- port: 8080
name: http-web
targetPort: 80
protocol: TCP
- port: 8443
name: https-web
targetPort: 443
protocol: TCP
selector:
app: helloworld

21
03-Gateway_Ingress/10-TCP-FORWARDING/gateway.yaml → 03-Gateway_Ingress/05-TCP-FORWARDING/VirtualService.yaml Executable file → Normal file
View File

@ -1,25 +1,4 @@
apiVersion: networking.istio.io/v1alpha3
kind: Gateway
metadata:
name: helloworld-gateway
spec:
selector:
istio: ingressgateway
servers:
- port:
number: 80
name: tcp-1
protocol: TCP
hosts:
- "*"
- port:
number: 443
name: tcp-2
protocol: TCP
hosts:
- "*"
---
apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
name: helloworld-vs

26
03-Gateway_Ingress/06-TLS-PASSTHROUGH/Deployment.yaml Executable file
View File

@ -0,0 +1,26 @@
apiVersion: apps/v1
kind: Deployment
metadata:
name: helloworld-nginx
labels:
app: helloworld
spec:
replicas: 1
selector:
matchLabels:
app: helloworld
template:
metadata:
labels:
app: helloworld
spec:
containers:
- name: helloworld
image: oriolfilter/https-nginx-demo
resources:
requests:
cpu: "100m"
imagePullPolicy: Always #Always
ports:
- containerPort: 80
- containerPort: 443

17
03-Gateway_Ingress/06-TLS-PASSTHROUGH/Gateway.yaml Executable file
View File

@ -0,0 +1,17 @@
apiVersion: networking.istio.io/v1alpha3
kind: Gateway
metadata:
name: helloworld-gateway
namespace: default
spec:
selector:
istio: ingressgateway
servers:
- port:
number: 443
name: https-web
protocol: HTTPS
hosts:
- "*"
tls:
mode: PASSTHROUGH

2
03-Gateway_Ingress/11-TLS-PASSTHROUGH/README.md → 03-Gateway_Ingress/06-TLS-PASSTHROUGH/README.md
View File

@ -5,7 +5,7 @@ include_toc: true
# Based on
- [10-TCP-FORWARDING](../10-TCP-FORWARDING)
- [05-TCP-FORWARDING](../05-TCP-FORWARDING)
# Description

16
03-Gateway_Ingress/06-TLS-PASSTHROUGH/Service.yaml Normal file
View File

@ -0,0 +1,16 @@
apiVersion: v1
kind: Service
metadata:
name: helloworld
labels:
app: helloworld
service: helloworld
spec:
ports:
- name: https
port: 8443
targetPort: 443
protocol: TCP
appProtocol: HTTPS
selector:
app: helloworld

18
03-Gateway_Ingress/11-TLS-PASSTHROUGH/gateway.yaml → 03-Gateway_Ingress/06-TLS-PASSTHROUGH/VirtualService.yaml Executable file → Normal file
View File

@ -1,22 +1,4 @@
apiVersion: networking.istio.io/v1alpha3
kind: Gateway
metadata:
name: helloworld-gateway
namespace: default
spec:
selector:
istio: ingressgateway
servers:
- port:
number: 443
name: https-web
protocol: HTTPS
hosts:
- "*"
tls:
mode: PASSTHROUGH
---
apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
name: helloworld-vs

0
03-Gateway_Ingress/12-HTTP-to-HTTPS-traffic-redirect/Gateway.yaml → 03-Gateway_Ingress/07-HTTP-to-HTTPS-traffic-redirect/Gateway.yaml
View File

2
03-Gateway_Ingress/12-HTTP-to-HTTPS-traffic-redirect/README.md → 03-Gateway_Ingress/07-HTTP-to-HTTPS-traffic-redirect/README.md
View File

@ -5,7 +5,7 @@ include_toc: true
# Based on
- [07-HTTPS-Gateway-Simple-TLS](../07-HTTPS-Gateway-Simple-TLS)
- [03-HTTPS-Gateway-Simple-TLS](../03-HTTPS-Gateway-Simple-TLS)
# Description

46
03-Gateway_Ingress/10-TCP-FORWARDING/deployment.yaml
View File

@ -1,46 +0,0 @@
apiVersion: v1
kind: Service
metadata:
name: helloworld
labels:
app: helloworld
service: helloworld
spec:
ports:
- port: 8080
name: http-web
targetPort: 80
protocol: TCP
- port: 8443
name: https-web
targetPort: 443
protocol: TCP
selector:
app: helloworld
---
apiVersion: apps/v1
kind: Deployment
metadata:
name: helloworld-nginx
labels:
app: helloworld
spec:
replicas: 1
selector:
matchLabels:
app: helloworld
template:
metadata:
labels:
app: helloworld
spec:
containers:
- name: helloworld
image: oriolfilter/https-nginx-demo
resources:
requests:
cpu: "100m"
imagePullPolicy: IfNotPresent
ports:
- containerPort: 80
- containerPort: 443

73
03-Gateway_Ingress/11-TLS-PASSTHROUGH/deployment.yaml
View File

@ -1,73 +0,0 @@
apiVersion: v1
kind: Service
metadata:
name: helloworld
labels:
app: helloworld
service: helloworld
spec:
ports:
- name: https
port: 8443
targetPort: 443
protocol: TCP
appProtocol: HTTPS
selector:
app: helloworld
---
apiVersion: apps/v1
kind: Deployment
metadata:
name: helloworld-nginx
labels:
app: helloworld
spec:
replicas: 1
selector:
matchLabels:
app: helloworld
template:
metadata:
labels:
app: helloworld
spec:
containers:
- name: helloworld
image: oriolfilter/https-nginx-demo
resources:
requests:
cpu: "100m"
imagePullPolicy: Always #Always
ports:
- containerPort: 80
- containerPort: 443
#---
#apiVersion: apps/v1
#kind: Deployment
#metadata:
# name: nginx
# labels:
# app: nginx
# version: v1
#spec:
# replicas: 1
# selector:
# matchLabels:
# app: nginx
# version: v1
# template:
# metadata:
# labels:
# app: nginx
# version: v1
# spec:
# # serviceAccountName: istio-helloworld
# containers:
# - name: nginx
# image: nginx
# resources:
# requests:
# cpu: "100m"
# imagePullPolicy: IfNotPresent
# ports:
# - containerPort: 80

12
03-Gateway_Ingress/README.md
View File

@ -0,0 +1,12 @@
# Description
This section focuses (but not limited to) on the configuration of `gateway` objects, providing examples of instances regarding how to limit to which `VirtualService` objects a `Gateway` object can connect to, regarding how to configure a HTTP to HTTPS redirect, or it's TLS configuration.
# Examples
- 01-header_routing
- 02-DirectResponse-HTTP-Body
- 03-HTTPRewrite
- 04-HTTPRedirect

0
04-Backends/05-Service_Entry/Gateway.yaml → 04-Backends/01-Service_Entry/Gateway.yaml
View File

13
04-Backends/05-Service_Entry/README.md → 04-Backends/01-Service_Entry/README.md
View File

@ -24,9 +24,9 @@ Bear in mind that when Istio is communicating with resources externals to the me
Also, policy enforcement is performed in the client side instead of the server side.
> **Note:**/
> For more information regarding the `resolution` field or the `location` field, refer to the following official Istio documentations:
> [ServiceEntry.Location](https://istio.io/latest/docs/reference/config/networking/service-entry/#ServiceEntry-Location)
> [ServiceEntry.Resolution](https://istio.io/latest/docs/reference/config/networking/service-entry/#ServiceEntry-Resolution)
> For more information regarding the `resolution` field or the `location` field, refer to the following official Istio documentations:\
> - [ServiceEntry.Location](https://istio.io/latest/docs/reference/config/networking/service-entry/#ServiceEntry-Location)\
> - [ServiceEntry.Resolution](https://istio.io/latest/docs/reference/config/networking/service-entry/#ServiceEntry-Resolution)
```yaml
apiVersion: networking.istio.io/v1alpha3
@ -143,7 +143,7 @@ virtualservice.networking.istio.io/helloworld-vs created
### Get LB IP
```shell
$ kubectl get svc -l istio=ingressgateway -A
kubectl get svc -l istio=ingressgateway -A
```
```text
NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE
@ -177,14 +177,15 @@ curl 192.168.1.50/external
We don't receive any output.
This could be due, even if we resolve the destination IP for the URL `info.cern.ch`, the destination might have a Reverse Proxy or any other ingress resource that could condition handling this request.
Even if we resolve the destination IP for the URL `info.cern.ch`, the destination might have a **Reverse Proxy** or any other ingress resource that could condition handling this request.
Due to the `HOST` field not being modified after we set the request, it might not be able to pass the filtering set, weather it is security wise, for example, requiring such field to allow the request; or it being a routing condition, which due not having this field specified, it's not able to route the request towards the destination desired.
Due to the `HOST` field not being modified after we set the request, it might not be able to pass the filtering rules set on the destination server, on this scenario being the service responsible for receiving requests with the URL `info.cern.ch`.
```shell
curl 192.168.1.50/external-noh
```
```text
</pre></body></html>
```
## Cleanup

0
04-Backends/05-Service_Entry/ServiceEntry.yaml → 04-Backends/01-Service_Entry/ServiceEntry.yaml
View File

0
04-Backends/05-Service_Entry/VirtualService.yaml → 04-Backends/01-Service_Entry/VirtualService.yaml
View File

25
04-Backends/02-Outboud-Traffic-Policy/Deployment.yaml Executable file
View File

@ -0,0 +1,25 @@
apiVersion: apps/v1
kind: Deployment
metadata:
name: helloworld-nginx
labels:
app: helloworld
spec:
replicas: 1
selector:
matchLabels:
app: helloworld
template:
metadata:
labels:
app: helloworld
spec:
containers:
- name: helloworld
image: nginx
resources:
requests:
cpu: "100m"
imagePullPolicy: IfNotPresent #Always
ports:
- containerPort: 80

0
90-MixConfigs/06-HTTPS-Gateway_Service_Entry/Gateway.yaml → 04-Backends/02-Outboud-Traffic-Policy/Gateway.yaml
View File

338
04-Backends/02-Outboud-Traffic-Policy/README.md Executable file
View File

@ -0,0 +1,338 @@
---
gitea: none
include_toc: true
---
# Description
Based on the previous example where we configured an external service through a `ServiceEntry` object, this example compares the behavior between setting up the MeshConfig `OutboundTrafficPolicy.mode` setting to `REGISTRY_ONLY` and `ALLOW_ANY`.
- ALLOW_ANY: Allows all egress/outbound traffic from the mesh.
- REGISTRY_ONLY: Restricted to services that figure in the service registry a and the ServiceEntry objects.
More info regarding this configuration at the pertinent documentation (https://istio.io/latest/docs/reference/config/istio.mesh.v1alpha1/#MeshConfig-OutboundTrafficPolicy-Mode)
> **Note:**\
> For more information about the image used refer to [here](https://hub.docker.com/r/oriolfilter/https-nginx-demo)
# Based on
- [01-Service_Entry](../01-Service_Entry)
# Configuration
## Gateway
Deploys an Istio gateway that's listening to the port `80` for `HTTP` traffic.
It doesn't filter for any specific host.
The `selector` field is used to "choose" which Istio Load Balancers will have this gateway assigned to.
The Istio `default` profile creates a Load Balancer in the namespace `istio-system` that has the label `istio: ingressgateway` set, allowing us to target that specific Load Balancer and assign this gateway resource to it.
```shell
apiVersion: networking.istio.io/v1alpha3
kind: Gateway
metadata:
name: helloworld-gateway
spec:
selector:
istio: ingressgateway
servers:
- port:
number: 80
name: http
protocol: HTTP
hosts:
- "*"
```
> **Note:**\
> The credentials resource is created further bellow through the [Walkthrough](#walkthrough) steps.
> **Note:**\
> For more information regarding the TLS mode configuration, refer to the following [Istio documentation regarding the TLS mode field](https://istio.io/latest/docs/reference/config/networking/gateway/#ServerTLSSettings-TLSmode).
## VirtualService
This configuration hosts 2 backends, 1 being the deployed service `helloworld.default.svc.cluster.local`, which will be accessible through the URL path `/helloworld`.
The second service will be accessible through the URL path `/external`, and will use as a backend the deployed `ServiceEntry` object, as well it has a timeout setting of 3 seconds.
This destination is the service that contains the `HTTPS` deployment, running over the port `8443`
```yaml
apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
name: helloworld-vs
spec:
hosts:
- "*"
gateways:
- helloworld-gateway
http:
- match:
- uri:
exact: /helloworld
route:
- destination:
host: helloworld
port:
number: 80
rewrite:
uri: "/"
- timeout: 3s
match:
- uri:
exact: "/external"
route:
- destination:
host: help.websiteos.com
port:
number: 80
rewrite:
uri: "/websiteos/example_of_a_simple_html_page.htm"
headers:
request:
set:
HOST: "help.websiteos.com"
```
## Service
The service will forward incoming HTTP TCP traffic from the port `80`, towards the deployment port `80`.
```yaml
apiVersion: v1
kind: Service
metadata:
name: helloworld
labels:
app: helloworld
service: helloworld
spec:
ports:
- port: 80
name: http
selector:
app: helloworld
```
## Deployment
Nginx deployment listens to port 80.
```yaml
apiVersion: apps/v1
kind: Deployment
metadata:
name: helloworld-nginx
labels:
app: helloworld
spec:
replicas: 1
selector:
matchLabels:
app: helloworld
template:
metadata:
labels:
app: helloworld
spec:
containers:
- name: helloworld
image: nginx
resources:
requests:
cpu: "100m"
imagePullPolicy: IfNotPresent #Always
ports:
- containerPort: 80
```
### ServiceEntry
```yaml
apiVersion: networking.istio.io/v1alpha3
kind: ServiceEntry
metadata:
name: external-svc
spec:
hosts:
- help.websiteos.com
ports:
- number: 80
name: http
protocol: HTTP
resolution: DNS
location: MESH_EXTERNAL
```
## ServiceEntry
This `ServiceEntry` resource, defines as a destination the URL `help.websiteos.com`.
Note that location is set to `MESH_EXTERNAL` and that the resolution is set to `DNS`, this means that the resource is external to ou `Istio Service Mesh`, and the URL will be resolved through `DNS`
Bear in mind that when Istio is communicating with resources externals to the mesh, `mTLS` is disabled.
Also, policy enforcement is performed in the client side instead of the server side.
> **Note:**/
> For more information regarding the `resolution` field or the `location` field, refer to the following official Istio documentations:\
> - [ServiceEntry.Location](https://istio.io/latest/docs/reference/config/networking/service-entry/#ServiceEntry-Location)\
> - [ServiceEntry.Resolution](https://istio.io/latest/docs/reference/config/networking/service-entry/#ServiceEntry-Resolution)
```yaml
apiVersion: networking.istio.io/v1alpha3
kind: ServiceEntry
metadata:
name: external-svc
spec:
hosts:
- help.websiteos.com
ports:
- number: 80
name: http
protocol: HTTP
resolution: DNS
location: MESH_EXTERNAL
```
# Walkthrough
## Set ALLOW_ANY outbound traffic policy
First step will be to have the cluster with the `meshConfig.outboundTrafficPolicy.mode` setting set to `ALLOW_ANY`.
In case you are not using a "free to destroy" sandbox, you should update the setting through the `IstioOperator` object.
```shell
istioctl install --set profile=default -y --set meshConfig.accessLogFile=/dev/stdout --set meshConfig.outboundTrafficPolicy.mode=ALLOW_ANY
```
## Deploy resources
```shell
kubectl apply -f ./
```
```text
deployment.apps/helloworld-nginx created
gateway.networking.istio.io/helloworld-gateway created
service/helloworld created
serviceentry.networking.istio.io/external-svc created
virtualservice.networking.istio.io/helloworld-vs created
```
## Get LB IP
```shell
kubectl get svc istio-ingressgateway -n istio-system
```
```text
NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE
istio-ingressgateway LoadBalancer 10.97.47.216 192.168.1.50 15021:31316/TCP,80:32012/TCP,443:32486/TCP 39h
```
## Test deployments
```shell
curl 192.168.1.50/helloworld -I
```
```text
HTTP/1.1 200 OK
server: istio-envoy
date: Sat, 14 Oct 2023 10:53:45 GMT
content-type: text/html
content-length: 615
last-modified: Tue, 15 Aug 2023 17:03:04 GMT
etag: "64dbafc8-267"
accept-ranges: bytes
x-envoy-upstream-service-time: 53
```
```shell
curl 192.168.1.50/external -I
```
```text
HTTP/1.1 200 OK
date: Sat, 14 Oct 2023 10:54:13 GMT
content-type: text/html
content-length: 5186
last-modified: Mon, 17 Mar 2014 17:25:03 GMT
expires: Thu, 31 Dec 2037 23:55:55 GMT
cache-control: max-age=315360000
x-envoy-upstream-service-time: 306
server: istio-envoy
```
## Test egress the helloworld deployment
It returns a 301 code, meaning that it was able to reach the destination, and it was attempted to redirect the traffic from HTTP to HTTPS.
```shell
kubectl exec -i -t "$(kubectl get pod -l app=helloworld | tail -n 1 | awk '{print $1}')" -- curl wikipedia.com -I
```
```text
HTTP/1.1 301 Moved Permanently
server: envoy
date: Sat, 14 Oct 2023 10:54:34 GMT
content-type: text/html
content-length: 169
location: https://wikipedia.com/
x-envoy-upstream-service-time: 61
```
## Set REGISTRY_ONLY outbound traffic policy
```shell
istioctl install --set profile=default -y --set meshConfig.accessLogFile=/dev/stdout --set meshConfig.outboundTrafficPolicy.mode=REGISTRY_ONLY
```
In case you are not using a "free to destroy" sandbox, you should update the setting through the `IstioOperator` object.
## Test (again) egress the helloworld deployment
It returns a 502 code, meaning that it wasn't able to reach the destination.
```shell
kubectl exec -i -t "$(kubectl get pod -l app=helloworld | tail -n 1 | awk '{print $1}')" -- curl wikipedia.com -I
```
```text
HTTP/1.1 502 Bad Gateway
date: Thu, 20 Apr 2023 18:08:37 GMT
server: envoy
transfer-encoding: chunked
```
This allowed us to confirm how the setting `outboundTrafficPolicy.mode` influences the reachability of the traffic.
## Cleanup
```shell
kubectl delete -f ./
```
```text
deployment.apps "helloworld-nginx" deleted
gateway.networking.istio.io "helloworld-gateway" deleted
service "helloworld" deleted
serviceentry.networking.istio.io "external-svc" deleted
virtualservice.networking.istio.io "helloworld-vs" deleted
```
# Links of Interest
- https://istio.io/latest/docs/tasks/traffic-management/egress/egress-control/#controlled-access-to-external-services
- https://istio.io/latest/docs/tasks/traffic-management/egress/egress-control/#envoy-passthrough-to-external-services

13
04-Backends/02-Outboud-Traffic-Policy/Service.yaml Normal file
View File

@ -0,0 +1,13 @@
apiVersion: v1
kind: Service
metadata:
name: helloworld
labels:
app: helloworld
service: helloworld
spec:
ports:
- port: 80
name: http
selector:
app: helloworld

13
04-Backends/02-Outboud-Traffic-Policy/ServiceEntry.yaml Normal file
View File

@ -0,0 +1,13 @@
apiVersion: networking.istio.io/v1alpha3
kind: ServiceEntry
metadata:
name: external-svc
spec:
hosts:
- help.websiteos.com
ports:
- number: 80
name: http
protocol: HTTP
resolution: DNS
location: MESH_EXTERNAL

16
07-MeshConfig/01-Outboud-Traffic-Policy/gateway.yaml → 04-Backends/02-Outboud-Traffic-Policy/VirtualService.yaml Executable file → Normal file
View File

@ -1,19 +1,3 @@
# https://github.com/istio/istio/blob/master/samples/helloworld/helloworld-gateway.yaml
apiVersion: networking.istio.io/v1alpha3
kind: Gateway
metadata:
name: helloworld-gateway
spec:
selector:
istio: ingressgateway # use istio default controller
servers:
- port:
number: 80
name: http
protocol: HTTP
hosts:
- "*"
---
apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:

17
04-Backends/09-HTTPS-backend/deployment.yaml → 04-Backends/03-HTTPS-backend/Deployment.yaml
View File

@ -1,20 +1,3 @@
apiVersion: v1
kind: Service
metadata:
name: helloworld
labels:
app: helloworld
service: helloworld
spec:
ports:
- port: 8443
name: https
targetPort: 443
protocol: TCP
appProtocol: https
selector:
app: helloworld
---
apiVersion: apps/v1
kind: Deployment
metadata:

13
04-Backends/03-HTTPS-backend/DestinationRule.yaml Normal file
View File

@ -0,0 +1,13 @@
apiVersion: networking.istio.io/v1alpha3
kind: DestinationRule
metadata:
name: helloworld
namespace: default
spec:
host: helloworld.default.svc.cluster.local
trafficPolicy:
portLevelSettings:
- port:
number: 8443
tls:
mode: SIMPLE

23
04-Backends/03-HTTPS-backend/Gateway.yaml Executable file
View File

@ -0,0 +1,23 @@
apiVersion: networking.istio.io/v1alpha3
kind: Gateway
metadata:
name: helloworld-gateway
spec:
selector:
istio: ingressgateway
servers:
- port:
number: 80
name: http
protocol: HTTP
hosts:
- "*"
- port:
number: 443
name: https
protocol: HTTPS
hosts:
- "*"
tls:
credentialName: my-tls-cert-secret
mode: SIMPLE

0
04-Backends/09-HTTPS-backend/authentication.yaml → 04-Backends/03-HTTPS-backend/PeerAuthentication.yaml
View File

4
04-Backends/09-HTTPS-backend/README.md → 04-Backends/03-HTTPS-backend/README.md
View File

@ -5,7 +5,7 @@ include_toc: true
# Based on
- [08a-HTTPS-min-TLS-version](../../03-Gateway_Ingress/08a-HTTPS-min-TLS-version)
- [03-Gateway_Ingress/04a-HTTPS-min-TLS-version](../../03-Gateway_Ingress/04a-HTTPS-min-TLS-version)
# Description
@ -197,7 +197,7 @@ spec:
```
> **Note**:\
> As this configuration is very board, and targets the whole namespace, I would strongly recommend referring to the following example [06-Internal-Authentication/02-target-service-accounts](../../08-AuthorizationPolicy/02-target-service-accounts), which shows how to target service accounts set to resources, limiting the scope of this rule set.
> As this configuration is very board, and targets the whole namespace, I would strongly recommend referring to the following example [06-Internal-Authentication/02-AuthorizationPolicy-Target-Service-Accounts](../../08-AuthorizationPolicy/02-AuthorizationPolicy-Target-Service-Accounts), which shows how to target service accounts set to resources, limiting the scope of this rule set.
# Walkthrough

16
04-Backends/03-HTTPS-backend/Service.yaml Normal file
View File

@ -0,0 +1,16 @@
apiVersion: v1
kind: Service
metadata:
name: helloworld
labels:
app: helloworld
service: helloworld
spec:
ports:
- port: 8443
name: https
targetPort: 443
protocol: TCP
appProtocol: https
selector:
app: helloworld

19
04-Backends/03-HTTPS-backend/VirtualService.yaml Normal file
View File

@ -0,0 +1,19 @@
apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
name: helloworld-vs
spec:
hosts:
- "*"
gateways:
- helloworld-gateway
http:
- name: https-vs
match:
- port: 80
- port: 443
route:
- destination:
host: helloworld.default.svc.cluster.local
port:
number: 8443

57
04-Backends/09-HTTPS-backend/gateway.yaml
View File

@ -1,57 +0,0 @@
apiVersion: networking.istio.io/v1alpha3
kind: Gateway
metadata:
name: helloworld-gateway
spec:
selector:
istio: ingressgateway
servers:
- port:
number: 80
name: http
protocol: HTTP
hosts:
- "*"
- port:
number: 443
name: https
protocol: HTTPS
hosts:
- "*"
tls:
credentialName: my-tls-cert-secret
mode: SIMPLE
---
apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
name: helloworld-vs
spec:
hosts:
- "*"
gateways:
- helloworld-gateway
http:
- name: https-vs
match:
- port: 80
- port: 443
route:
- destination:
host: helloworld.default.svc.cluster.local
port:
number: 8443
---
apiVersion: networking.istio.io/v1alpha3
kind: DestinationRule
metadata:
name: helloworld
namespace: default
spec:
host: helloworld.default.svc.cluster.local
trafficPolicy:
portLevelSettings:
- port:
number: 8443
tls:
mode: SIMPLE

17
04-Backends/README.md
View File

@ -0,0 +1,17 @@
# Description
This section will focus on the interaction with the backend and routing the traffic towards it.
## Examples
01-Service_Entry
02-HTTPS-backend
03-Outboud-Traffic-Policy
04-HTTPS-backend-with-mTLS (TODO)
## Heads up
On the example `03-Outboud-Traffic-Policy`, Istio's `meshConfig.outboundTrafficPolicy` will require to be modified.
On the example it's used the `istioctl install` command to set that up, as I assume you are testing this examples in a sandbox that you are free to "destroy".

4
05-Sidecar/01-ingress-proxy-forwarding/README.md
View File

@ -24,8 +24,6 @@ This example configures:
# Configuration
`etc -> "POD" -> sidecar -> service container`
## Service
Creates a service named `helloworld`.
@ -264,7 +262,7 @@ sidecar.networking.istio.io "helloworld-sidecar" deleted
### Curl again
After deleting the `sidecar` configuration, which was handling the ingress traffic from port `8080`, we can observe that we are no longer able to handle the incoming requests, raising an error message.
After deleting the `sidecar` configuration, which was handling the ingress traffic from port `8080`, we can observe that we are no longer able to handle the incoming requests, raising an error message.
```shell
curl 192.168.1.50/helloworld -s

6
05-Sidecar/02-egress-proxy/01-namespace.yaml Executable file
View File

@ -0,0 +1,6 @@
apiVersion: v1
kind: Namespace
metadata:
name: foo
labels:
istio-injection: "enabled"

53
09-Ingress/01-Create-Istio-LoadBalancer/deployment.yaml → 05-Sidecar/02-egress-proxy/Deployment.yaml
View File

@ -1,31 +1,10 @@
# https://github.com/istio/istio/blob/master/samples/helloworld/helloworld.yaml
apiVersion: v1
kind: Service
metadata:
name: helloworld
labels:
app: helloworld
service: helloworld
spec:
ports:
- port: 80
name: http
selector:
app: helloworld
---
#apiVersion: v1
#kind: ServiceAccount
#metadata:
# name: istio-helloworld
# labels:
# account:
---
apiVersion: apps/v1
kind: Deployment
metadata:
name: helloworld-nginx
name: helloworld-default
labels:
app: helloworld
namespace: default
spec:
replicas: 1
selector:
@ -36,7 +15,6 @@ spec:
labels:
app: helloworld
spec:
# serviceAccountName: istio-helloworld
containers:
- name: helloworld
image: nginx
@ -46,3 +24,30 @@ spec:
imagePullPolicy: IfNotPresent #Always
ports:
- containerPort: 80
---
apiVersion: apps/v1
kind: Deployment
metadata:
name: helloworld-foo
labels:
app: helloworld
namespace: foo
spec:
replicas: 1
selector:
matchLabels:
app: helloworld
template:
metadata:
labels:
app: helloworld
spec:
containers:
- name: helloworld
image: nginx
resources:
requests:
cpu: "100m"
imagePullPolicy: IfNotPresent #Always
ports:
- containerPort: 80

737
05-Sidecar/02-egress-proxy/README.md Executable file
View File

@ -0,0 +1,737 @@
---
gitea: none
include_toc: true
---
# Description
This example deploys the same infrastructure as the [previous example](../../01-Getting_Started/01-hello_world_1_service_1_deployment), configures the **sidecar** `envoy-proxy`/`istio-proxy`/`sidecar-proxy` on the pods created, to limit the egress resources to which the `istio-proxy`, who proxies the traffic from the pod (both ingress and egress), can send request to.
This will be done through 2 principles: <FILL>
This example configures:
Generic Kubernetes resources:
- 2 Services
- 2 Deployments
- 1 Namespace
Istio resources:
- 2 Sidecar configrations
# Based on
- [01-hello_world_1_service_1_deployment](../../01-Getting_Started/01-hello_world_1_service_1_deployment)
# Configuration
## Namespace
Creates a namespace named `foo` with the `istio-proxy` injection enabled.
```yaml
apiVersion: v1
kind: Namespace
metadata:
name: foo
labels:
istio-injection: "enabled"
```
## Service
### hellowolrd (default/foo namespace)
Creates two services named `helloworld`, one in the namespace `default`, and another in the namespace `foo`.
This service listens for the port `8080` expecting `HTTP` traffic and will forward the incoming traffic towards the port `80` from the destination pod.
Also listens for the port `80` expecting `HTTP` traffic and will forward the incoming traffic towards the port `80` from the destination pod.
```yaml
apiVersion: v1
kind: Service
metadata:
name: helloworld
labels:
app: helloworld
namespace: foo
spec:
ports:
- port: 8080
name: http-a
targetPort: 80
- port: 80
name: http-b
targetPort: 80
selector:
app: helloworld
---
apiVersion: v1
kind: Service
metadata:
name: helloworld
labels:
app: helloworld
namespace: default
spec:
ports:
- port: 8080
name: http-a
targetPort: 80
- port: 80
name: http-b
targetPort: 80
selector:
app: helloworld
```
## Deployment
Creates two deployments named `helloworld`, one in the namespace `default`, and another in the namespace `foo`
### helloworld-default
Contains a Nginx server that listens for the port `80`.
It's created in the namespace `default`.
```yaml
apiVersion: apps/v1
kind: Deployment
metadata:
name: helloworld-default
labels:
app: helloworld
namespace: default
spec:
replicas: 1
selector:
matchLabels:
app: helloworld
template:
metadata:
labels:
app: helloworld
spec:
containers:
- name: helloworld
image: nginx
resources:
requests:
cpu: "100m"
imagePullPolicy: IfNotPresent #Always
ports:
- containerPort: 80
```
### helloworld-foo
Contains a Nginx server that listens for the port `80`.
It's created in the namespace `foo`.
```yaml
apiVersion: apps/v1
kind: Deployment
metadata:
name: helloworld-foo
labels:
app: helloworld
namespace: foo
spec:
replicas: 1
selector:
matchLabels:
app: helloworld
template:
metadata:
labels:
app: helloworld
spec:
containers:
- name: helloworld
image: nginx
resources:
requests:
cpu: "100m"
imagePullPolicy: IfNotPresent #Always
ports:
- containerPort: 80
```
## Sidecar
This will configure the sidecar configuration from the `envoy-proxy` in each pod.
`workloadSelector` will be used to select the target pods, where, on this scenario, it will target the pods that have the label set `app: helloworld`.
> **Note:**\
> A reminder that a `POD` is an object that groups container(s).
+ more notes:
- workloadSelector:
> `workloadSelector` is used to target the `PODS`, on which apply this sidecar configuration. \
> Bear in mind that this configuration doesn't target kinds `Service`, nor `Deployment`, it's applied to a kind `Pod` or `ServiceEntry` \
> If there is no `workloadSelector` specified, it will be used as default configuration for the namespace on which was created. \
> More info in the [Istio documentation for workloadSelector](https://istio.io/latest/docs/reference/config/networking/sidecar/#WorkloadSelector)
- egress:
> Configure the behavior of the proxied egress traffic.\
> On this example, we limit port that the `sidecar-proxy` will be allowed to send traffic to, as well limiting the routes that can the `sidecar-proxy` container will be able to learn the routes from.\
> A reminder that Istio automatically creates routes for each one of the services and each one of the ports configured to be exposed.\
> More info in the [Istio documentation for IstioEgressListener](https://istio.io/latest/docs/reference/config/networking/sidecar/#IstioEgressListener)
- outboundTrafficPolicy.mode:
> The most important step from this configuration.\
> By setting the value to `REGISTRY_ONLY`, it will restrict the egress connectivity towards the destinations defined in the registry as well of the defined `ServiceEntry` configurations.
> Taking into account that the field `egress`, where we limited the routes that the `sidecar-proxy` would be allowed to learn routes from, combined with this setting set to `REGISTRY_ONLY`, we limit the egress reachability from the PODS.\
> If the setting is set to `ALLOW_ANY`, the egress limitation will be ignored.
> More info in the [Istio documentation for OutboundTrafficPolicy.Mode](https://istio.io/latest/docs/reference/config/networking/sidecar/#OutboundTrafficPolicy-Mode)
### helloworld-sidecar-default
On this example we target the Deployments from the namespace `default` that contain a label named `app` with the contents set to `helloworld`.
We limit the egress to the port `80`, and will only be able to reach out to the learned destinations from the namespaces `foo`.
```yaml
apiVersion: networking.istio.io/v1alpha3
kind: Sidecar
metadata:
name: helloworld-sidecar-default
namespace: default
spec:
workloadSelector:
labels:
app: helloworld
egress:
- port:
number: 80
protocol: HTTP
name: egress-http
hosts:
- "foo/*"
outboundTrafficPolicy:
mode: REGISTRY_ONLY
```
### helloworld-sidecar-foo
On this example we target the Deployments from the namespace `foo` that contain a label named `app` with the contents set to `helloworld`.
We limit the egress to the port `8080`, and will only be able to reach out to the learned destinations from the namespaces `default`, and it's own (`./*`) aka. `foo`.
```yaml
apiVersion: networking.istio.io/v1alpha3
kind: Sidecar
metadata:
name: helloworld-sidecar-foo
namespace: foo
spec:
workloadSelector:
labels:
app: helloworld
egress:
- port:
number: 8080
protocol: HTTP
name: egress-default
hosts:
- "./*"
- "default/*"
outboundTrafficPolicy:
mode: REGISTRY_ONLY
```
# Run example
## Deploy resources
```shell
kubectl apply -f ./
```
```text
namespace/foo created
deployment.apps/helloworld-default created
deployment.apps/helloworld-foo created
service/helloworld created
service/helloworld created
sidecar.networking.istio.io/helloworld-sidecar-default created
sidecar.networking.istio.io/helloworld-sidecar-foo created
```
## Wait for the pods to be ready
```shell
watch -n 5 "kubectl get deployment -A | grep helloworld"
```
```text
default helloworld-default 1/1 1 1 10s
foo helloworld-foo 1/1 1 1 10s
```
## Test the service
### from `helloworld-default`
Reminder of the **egress** criteria that has been configured to be met:
- [ ] Port `80`.
- [ ] `HTTP` protocol.
- [ ] Namespace destination `foo`.
#### Curl helloworld.foo.svc.cluster.local:80
On this scenario we meet the following criteria:
- [x] Port `80`.
- [x] `HTTP` protocol.
- [x] Namespace destination `foo`.
```shell
NAMESPACE="default" && kubectl exec -n ${NAMESPACE} "$(kubectl get pod -n ${NAMESPACE} -l app=helloworld -o jsonpath={.items..metadata.name})" -- curl helloworld.foo.svc.cluster.local:80 -sI
```
```text
HTTP/1.1 200 OK
server: envoy
date: Mon, 15 May 2023 11:49:34 GMT
content-type: text/html
content-length: 615
last-modified: Tue, 28 Mar 2023 15:01:54 GMT
etag: "64230162-267"
accept-ranges: bytes
x-envoy-upstream-service-time: 10
```
#### Curl helloworld.foo.svc.cluster.local:8080
- [ ] Port `80`.
- [x] `HTTP` protocol.
- [x] Namespace destination `foo`.
```shell
NAMESPACE="default" && kubectl exec -n ${NAMESPACE} "$(kubectl get pod -n ${NAMESPACE} -l app=helloworld -o jsonpath={.items..metadata.name})" -- curl helloworld.foo.svc.cluster.local:8080 -sI
```
```text
command terminated with exit code 56
```
##### What's happening?
Let's observe the logs activity from the `istio-proxy` container, of the deployment `helloworld` in the namespace `default` when we send request towards the service `helloworld` in the namespace `foo` through the port `8080`.
```shell
NAMESPACE="default" && kubectl logs -l app=helloworld --follow -c istio-proxy -n $NAMESPACE --tail 0
```
From another `shell` send a request towards the destination.
```shell
NAMESPACE="default" && kubectl exec -n ${NAMESPACE} "$(kubectl get pod -n ${NAMESPACE} -l app=helloworld -o jsonpath={.items..metadata.name})" -- curl helloworld.foo.svc.cluster.local:8080 -sI
```
We can see, how the `istio-proxy` container, from the `helloworld` POD, in the namespace `default`, generates the following log entry:
```text
[2023-05-15T12:19:03.577Z] "- - -" 0 UH - - "-" 0 0 0 - "-" "-" "-" "-" "-" BlackHoleCluster - 10.107.249.242:8080 172.17.247.52:58820 - -
```
On the log generated, it specifies the word `BlackHoleCluster`.
`BlackHoleCluster` is an Istio resource/destination used to block requests, meaning that our request was forwarded to it, preventing us to reach to the desired destination, as per configured in the [sidecar configuration](#sidecar).
I understand that this behavior is caused due that the namespace `foo` is an external location respective to the deployment, and for such it requires `istio-proxy` to learn its destination, whereas in this scenario, due [sidecar configuration](#sidecar), doesn't figure either in the list of accepted routes.
For such, instead the is sent towards `BlackHoleCluster`.
#### Curl helloworld.default.svc.cluster.local:80
- [x] Port `80`.
- [x] `HTTP` protocol.
- [ ] Namespace destination `foo`.
```shell
NAMESPACE="default" && kubectl exec -n ${NAMESPACE} "$(kubectl get pod -n ${NAMESPACE} -l app=helloworld -o jsonpath={.items..metadata.name})" -- curl helloworld.default.svc.cluster.local:80 -sI
```
```text
HTTP/1.1 502 Bad Gateway
date: Mon, 15 May 2023 12:23:12 GMT
server: envoy
transfer-encoding: chunked
```
##### What's happening?
Let's observe the logs activity from the `istio-proxy` container, of the deployment `helloworld` in the namespace `default` when we send request towards the service `helloworld` in the namespace `default` through the port `80`.
```shell
NAMESPACE="default" && kubectl logs -l app=helloworld --follow -c istio-proxy -n $NAMESPACE --tail 0
```
From another `shell` send a request towards the destination.
```shell
NAMESPACE="default" && kubectl exec -n ${NAMESPACE} "$(kubectl get pod -n ${NAMESPACE} -l app=helloworld -o jsonpath={.items..metadata.name})" -- curl helloworld.default.svc.cluster.local:80 -sI
```
We can see, how the `istio-proxy` container, from the `helloworld` POD, in the namespace `default`, generates the following log entry:
```text
[2023-05-15T12:24:40.757Z] "HEAD / HTTP/1.1" 502 - direct_response - "-" 0 0 0 - "-" "curl/7.74.0" "952652df-7761-4f15-be58-776eeedfb6cf" "helloworld.default.svc.cluster.local" "-" - - 10.108.186.1:80 172.17.247.52:57516 - block_all
```
On the log generated, we can observe further information than the previous one, nevertheless I want to put emphasis on the following sections:
- `502 - direct_response`
This means that the status code `502` was a `direct response`, coming from istio itself, directly targeting this request.
- `block_all`
Istio already acknowledges this request and flags is as doesn't meet the requirements configured in the [sidecar configuration](#sidecar).
I understand that this behavior is different from when sending a request to `foo` on the port `8080`, in the current configuration set, we didn't specify any egress setting that allow any kind of egress towards the port `80`.
For such it raises a `direct response` with status code `502`, as the `istio-proxy` strictly won't accept any egress request with that port.
#### Curl helloworld.default.svc.cluster.local:8080
- [x] Port `8080`.
- [x] `HTTP` protocol.
- [ ] Namespace destination `foo`.
```shell
NAMESPACE="default" && kubectl exec -n ${NAMESPACE} "$(kubectl get pod -n ${NAMESPACE} -l app=helloworld -o jsonpath={.items..metadata.name})" -- curl helloworld.default.svc.cluster.local:8080 -sI
```
```text
command terminated with exit code 56
```
##### What's happening?
Let's observe the logs activity from the `istio-proxy` container, of the deployment `helloworld` in the namespace `default` when we send request towards the service `helloworld` in the namespace `default` through the port `8080`.
```shell
NAMESPACE="default" && kubectl logs -l app=helloworld --follow -c istio-proxy -n $NAMESPACE --tail 0
```
From another `shell` send a request towards the destination.
```shell
NAMESPACE="default" && kubectl exec -n ${NAMESPACE} "$(kubectl get pod -n ${NAMESPACE} -l app=helloworld -o jsonpath={.items..metadata.name})" -- curl helloworld.default.svc.cluster.local:8080 -sI
```
We can see, how the `istio-proxy` container, from the `helloworld` POD, in the namespace `default`, generates the following log entry:
```text
[2023-05-15T12:48:31.605Z] "- - -" 0 UH - - "-" 0 0 0 - "-" "-" "-" "-" "-" BlackHoleCluster - 10.108.186.1:8080 172.17.247.52:53742 - -
```
`BlackHoleCluster` resembles the same behavior as on the section [Curl helloworld.foo.svc.cluster.local:8080](#curl-helloworldfoosvcclusterlocal8080).
### from `helloworld-foo`
Reminder of the **egress** criteria that has been configured to be met:
- [ ] Port `8080`.
- [ ] `HTTP` protocol.
- [ ] Namespace destination `foo` or `default`.
#### Curl helloworld.foo.svc.cluster.local:80
On this scenario we meet the following criteria:
- [ ] Port `8080`.
- [x] `HTTP` protocol.
- [x] Namespace destination `foo` or `default`.
```shell
NAMESPACE="foo" && kubectl exec -n ${NAMESPACE} "$(kubectl get pod -n ${NAMESPACE} -l app=helloworld -o jsonpath={.items..metadata.name})" -- curl helloworld.foo.svc.cluster.local:80 -sI
```
```text
command terminated with exit code 56
```
##### What's happening?
Let's observe the logs activity from the `istio-proxy` container, of the deployment `helloworld` in the namespace `foo` when we send request towards the service `helloworld` in the namespace `foo` through the port `80`.
```shell
NAMESPACE="foo" && kubectl logs -l app=helloworld --follow -c istio-proxy -n $NAMESPACE --tail 0
```
From another `shell` send a request towards the destination.
```shell
NAMESPACE="foo" && kubectl exec -n ${NAMESPACE} "$(kubectl get pod -n ${NAMESPACE} -l app=helloworld -o jsonpath={.items..metadata.name})" -- curl helloworld.foo.svc.cluster.local:80 -sI
```
We can see, how the `istio-proxy` container, from the `helloworld` POD, in the namespace `foo`, generates the following log entry:
```text
[2023-05-15T12:56:49.064Z] "- - -" 0 UH - - "-" 0 0 0 - "-" "-" "-" "-" "-" BlackHoleCluster - 10.107.249.242:80 172.17.121.93:57680 - -
```
`BlackHoleCluster` resembles the same behavior as on the section [Curl helloworld.foo.svc.cluster.local:8080](#curl-helloworldfoosvcclusterlocal8080).
#### Curl helloworld.foo.svc.cluster.local:8080
On this scenario we meet the following criteria:
- [x] Port `8080`.
- [x] `HTTP` protocol.
- [x] Namespace destination `foo` or `default`.
```shell
NAMESPACE="foo" && kubectl exec -n ${NAMESPACE} "$(kubectl get pod -n ${NAMESPACE} -l app=helloworld -o jsonpath={.items..metadata.name})" -- curl helloworld.foo.svc.cluster.local:8080 -sI
```
```text
HTTP/1.1 200 OK
server: envoy
date: Mon, 15 May 2023 12:57:58 GMT
content-type: text/html
content-length: 615
last-modified: Tue, 28 Mar 2023 15:01:54 GMT
etag: "64230162-267"
accept-ranges: bytes
x-envoy-upstream-service-time: 77
```
#### Curl helloworld.default.svc.cluster.local:80
On this scenario we meet the following criteria:
- [ ] Port `8080`.
- [x] `HTTP` protocol.
- [x] Namespace destination `foo` or `default`.
```shell
NAMESPACE="foo" && kubectl exec -n ${NAMESPACE} "$(kubectl get pod -n ${NAMESPACE} -l app=helloworld -o jsonpath={.items..metadata.name})" -- curl helloworld.default.svc.cluster.local:80 -sI
```
```text
command terminated with exit code 56
```
##### What's happening?
Let's observe the logs activity from the `istio-proxy` container, of the deployment `helloworld` in the namespace `foo` when we send request towards the service `helloworld` in the namespace `default` through the port `80`.
```shell
NAMESPACE="foo" && kubectl logs -l app=helloworld --follow -c istio-proxy -n $NAMESPACE --tail 0
```
From another `shell` send a request towards the destination.
```shell
NAMESPACE="foo" && kubectl exec -n ${NAMESPACE} "$(kubectl get pod -n ${NAMESPACE} -l app=helloworld -o jsonpath={.items..metadata.name})" -- curl helloworld.default.svc.cluster.local:80 -sI
```
We can see, how the `istio-proxy` container, from the `helloworld` POD, in the namespace `foo`, generates the following log entry:
```text
[2023-05-15T13:03:50.935Z] "- - -" 0 UH - - "-" 0 0 0 - "-" "-" "-" "-" "-" BlackHoleCluster - 10.108.186.1:80 172.17.121.93:43342 - -
```
`BlackHoleCluster` resembles the same behavior as on the section [Curl helloworld.foo.svc.cluster.local:8080](#curl-helloworldfoosvcclusterlocal8080).
#### Curl helloworld.default.svc.cluster.local:8080
On this scenario we meet the following criteria:
- [x] Port `8080`.
- [x] `HTTP` protocol.
- [x] Namespace destination `foo` or `default`.
```shell
NAMESPACE="foo" && kubectl exec -n ${NAMESPACE} "$(kubectl get pod -n ${NAMESPACE} -l app=helloworld -o jsonpath={.items..metadata.name})" -- curl helloworld.default.svc.cluster.local:8080 -sI
```
```text
HTTP/1.1 200 OK
server: envoy
date: Mon, 15 May 2023 13:07:49 GMT
content-type: text/html
content-length: 615
last-modified: Tue, 28 Mar 2023 15:01:54 GMT
etag: "64230162-267"
accept-ranges: bytes
x-envoy-upstream-service-time: 67
```
## BlackHoleCluster?
Let's check the learned routes from each deployment.
### helloworld-default
```shell
NAMESPACE="default" && istioctl proxy-config clusters -n $NAMESPACE "$(kubectl get pods -n ${NAMESPACE} -l app=helloworld | tail -n 1 | awk '{ print $1 }')"
```
```text
SERVICE FQDN PORT SUBSET DIRECTION TYPE DESTINATION RULE
80 - inbound ORIGINAL_DST
BlackHoleCluster - - - STATIC
InboundPassthroughClusterIpv4 - - - ORIGINAL_DST
PassthroughCluster - - - ORIGINAL_DST
agent - - - STATIC
helloworld.foo.svc.cluster.local 80 - outbound EDS
prometheus_stats - - - STATIC
sds-grpc - - - STATIC
xds-grpc - - - STATIC
zipkin - - - STRICT_DNS
```
We can observe the following entries:
- `BlackHoleCluster - - - STATIC`
and
- `helloworld.foo.svc.cluster.local 80 - outbound EDS`
Where `BlackHoleCluster` is a static destination without port attributed nor direction set, and is the route used to send the traffic to the `void`.
As well, we can find the route `helloworld.foo.svc.cluster.local` that specifies the port `80` and direction `outbound`.
> **Note:**\
> For more information about the routes, refer to the [documentation about `pilot-discovery`](https://istio.io/latest/docs/reference/commands/pilot-discovery/#pilot-discovery-completion).
### helloworld-foo
```shell
NAMESPACE="foo" && istioctl proxy-config clusters -n $NAMESPACE "$(kubectl get pods -n ${NAMESPACE} -l app=helloworld | tail -n 1 | awk '{ print $1 }')"
```
```text
SERVICE FQDN PORT SUBSET DIRECTION TYPE DESTINATION RULE
80 - inbound ORIGINAL_DST
BlackHoleCluster - - - STATIC
InboundPassthroughClusterIpv4 - - - ORIGINAL_DST
PassthroughCluster - - - ORIGINAL_DST
agent - - - STATIC
helloworld.default.svc.cluster.local 8080 - outbound EDS
helloworld.foo.svc.cluster.local 8080 - outbound EDS
prometheus_stats - - - STATIC
sds-grpc - - - STATIC
xds-grpc - - - STATIC
zipkin - - - STRICT_DNS
```
We can observe the following entries:
- `BlackHoleCluster - - - STATIC`
and
- `helloworld.foo.svc.cluster.local 80 - outbound EDS`
Where `BlackHoleCluster` is a static destination without port attributed nor direction set, and is the route used to send the traffic to the `void`.
As well, we can find the routes `helloworld.foo.svc.cluster.local` and `helloworld.default.svc.cluster.local` where both specify the port `8080` and direction `outbound`.
> **Note:**\
> For more information about the routes, refer to the [documentation about `pilot-discovery`](https://istio.io/latest/docs/reference/commands/pilot-discovery/#pilot-discovery-completion).
## Cleanup
Finally, a cleanup from the resources deployed.
```shell
kubectl delete -f ./
```
```text
namespace "foo" deleted
deployment.apps "helloworld-default" deleted
deployment.apps "helloworld-foo" deleted
service "helloworld" deleted
service "helloworld" deleted
sidecar.networking.istio.io "helloworld-sidecar-default" deleted
sidecar.networking.istio.io "helloworld-sidecar-foo" deleted
```
# Links of interest
- https://istio.io/latest/docs/reference/config/networking/sidecar/#IstioEgressListener
- https://istio.io/latest/blog/2019/monitoring-external-service-traffic/#what-are-blackhole-and-passthrough-clusters
- https://istio.io/v1.0/help/ops/traffic-management/proxy-cmd/#deep-dive-into-envoy-configuration
- https://istio.io/latest/docs/reference/commands/pilot-discovery/#pilot-discovery-completion
- https://istio.io/latest/docs/tasks/traffic-management/egress/egress-control/#change-to-the-blocking-by-default-policy

39
05-Sidecar/02-egress-proxy/Service.yaml Normal file
View File

@ -0,0 +1,39 @@
apiVersion: v1
kind: Service
metadata:
name: helloworld
labels:
app: helloworld
namespace: foo
spec:
ports:
- port: 8080
name: http-a
targetPort: 80
- port: 80
name: http-b
targetPort: 80
selector:
app: helloworld
---
apiVersion: v1
kind: Service
metadata:
name: helloworld
labels:
app: helloworld
namespace: default
spec:
ports:
- port: 8080
name: http-a
targetPort: 80
- port: 80
name: http-b
targetPort: 80
selector:
app: helloworld

38
05-Sidecar/02-egress-proxy/Sidecar.yaml Executable file
View File

@ -0,0 +1,38 @@
apiVersion: networking.istio.io/v1alpha3
kind: Sidecar
metadata:
name: helloworld-sidecar-default
namespace: default
spec:
workloadSelector:
labels:
app: helloworld
egress:
- port:
number: 80
protocol: HTTP
name: egress-http
hosts:
- "foo/*"
outboundTrafficPolicy:
mode: REGISTRY_ONLY
---
apiVersion: networking.istio.io/v1alpha3
kind: Sidecar
metadata:
name: helloworld-sidecar-foo
namespace: foo
spec:
workloadSelector:
labels:
app: helloworld
egress:
- port:
number: 8080
protocol: HTTP
name: egress-default
hosts:
- "default/*"
- "./*"
outboundTrafficPolicy:
mode: REGISTRY_ONLY

156
05-Sidecar/README.md
View File

@ -1,157 +1,33 @@
## Description
On these examples, the `Sidecar` object will be configured to select which services the `proxy-container` has access to.
## Examples
- 01-ingress-proxy-forwarding
- 02-egress-proxy
-
Duplicate 01, and show how it also affects traffic between services.00
egress from (pod to pod)
mtls
examples showing application priority (root < namespace < workload)
istioctl install profile=default --set meshConfig.outboundTrafficPolicy.mode=REGISTRY_ONLY
## Heads up
On the example `02-egress-proxy`, it's a requisite to configure Istio's `meshConfig.outboundTrafficPolicy.mode` as `REGISTRY_ONLY`.
During the installation of the cluster itself, can be set with:
```shell
$ kubectl get istiooperators.install.istio.io -n istio-system
NAME REVISION STATUS AGE
installed-state 8d
istioctl install profile=default --set meshConfig.outboundTrafficPolicy.mode=REGISTRY_ONLY
```
kubectl patch istiooperators installed-state -n istio-system --patch-file patch.txt
On the current scenario, I would recommend purging the Istio installation and reinstalling again, as I assume that you
are testing this examples in a sandbox that you are free to "destroy".
### Purging Istio
kubectl patch istiooperators installed-state -n istio-system --patch-file patch.yaml --type merge
---
Set the default behavior of the sidecar for handling outbound traffic from the application. If your application uses one or more external services that are not known apriori, setting the policy to ALLOW_ANY will cause the sidecars to route any unknown traffic originating from the application to its requested destination.
---
https://stackoverflow.com/questions/75093144/istio-sidecar-is-not-restricting-pod-connections-as-desired
https://github.com/istio/istio/issues/33387
https://gist.github.com/GregHanson/3567f5a23bcd58ad1a8acf2a4d1155eb
https://istio.io/latest/docs/tasks/traffic-management/egress/egress-control/?_ga=2.259114634.1481027401.1681916557-32589553.1681916557#change-to-the-blocking-by-default-policy
https://docs.tetrate.io/service-bridge/1.6.x/en-us/operations ?
https://istio.io/latest/docs/reference/config/networking/sidecar/
https://istio.io/latest/docs/reference/glossary/#workload
I am not very sure on how or why to use this...
NOT HOW TO TRIGGER / UNTRIGGER IT
```yaml
apiVersion:
networking.istio.io/v1alpha3
kind: Sidecar
metadata:
name: default
namespace: foo
spec:
egress:
- hosts:
- "./*"
- "istio-system/*"
```shell
istioctl uninstall --purge
```
Then proceed with reinstalling Istio using the command from above.
### What if I don't want to purge Istio?
whats this again??
istio operator right? ye, but what is it again? I think I checked this time ago when doing something about creating a new ingress
kubectl get io -A
2023-04-17T00:08:00.086475Z info validationController Not ready to switch validation to fail-closed: dummy invalid config not rejected
2023-04-17T00:08:04.012630Z info validationServer configuration is invalid: gateway must have at least one server
kubectl logs -f deployments/istiod -n istio-system
https://istio.io/latest/docs/reference/config/networking/sidecar/
egress:
- port:
number: 8080
protocol: HTTP
hosts:
- "staging/*"
With the YAML above, the sidecar proxies the traffic thats bound for port 8080 for services running in the staging namespace.
- Confirm pod ingress port forwarding
- Confirm it can reach other places / namespaces / resources (pod egress)
- mtls (somehow)
# Ingress
Does stuff
# Egress
What is "bind"
# CaptureMode
Not my problem rn
Modify the IstioOperator as mentioned [here](https://istio.io/latest/docs/tasks/traffic-management/egress/egress-control/#change-to-the-blocking-by-default-policy).

16
11-Fault_Injection/05b-FaultInjection-abort/deployment.yaml → 06-Envoy/01-Envoy-add-response-headers/Deployment.yaml
View File

@ -1,18 +1,3 @@
# https://github.com/istio/istio/blob/master/samples/helloworld/helloworld.yaml
apiVersion: v1
kind: Service
metadata:
name: helloworld
labels:
app: helloworld
service: helloworld
spec:
ports:
- port: 80
name: http
selector:
app: helloworld
---
apiVersion: apps/v1
kind: Deployment
metadata:
@ -28,6 +13,7 @@ spec:
metadata:
labels:
app: helloworld
annotations:
spec:
containers:
- name: helloworld

2
06-Envoy/01-envoy_add_headers/envoy.yaml → 06-Envoy/01-Envoy-add-response-headers/Envoy.yaml
View File

@ -28,6 +28,4 @@ spec:
inlineCode: |
function envoy_on_response(response_handle)
response_handle:headers():add("numbers", "lots of numbers")
response_handle:logInfo("Added header `numbers`")
response_handle:logInfo(">>>> Executed `envoy-add-response-header` <<<<")
end

14
06-Envoy/01-Envoy-add-response-headers/Gateway.yaml Executable file
View File

@ -0,0 +1,14 @@
apiVersion: networking.istio.io/v1alpha3
kind: Gateway
metadata:
name: helloworld-gateway
spec:
selector:
istio: ingressgateway # use istio default controller
servers:
- port:
number: 80
name: http
protocol: HTTP
hosts:
- "*"

308
06-Envoy/01-Envoy-add-response-headers/README.md Executable file
View File

@ -0,0 +1,308 @@
---
gitea: none
include_toc: true
---
# Description
This example deploys the same infrastructure as the [previous example](../../01-Getting_Started/01-hello_world_1_service_1_deployment), this time we will be configuring `Envoy` to add a custom header to the request response when our deployed service replies back.
This example configures:
Generic Kubernetes resources:
- 1 Service
- 1 Deployment
Istio resources:
- 1 Gateway
- 1 Virtual Service
- 1 EnvoyFilter
# Based on
- [01-Getting_Started/01-hello_world_1_service_1_deployment](../../01-Getting_Started/01-hello_world_1_service_1_deployment)
# Configuration
## Service
Creates a service named `helloworld`.
This service listens for the port `80` expecting `HTTP` traffic and will forward the incoming traffic towards the port `80` from the destination pod.
```yaml
apiVersion: v1
kind: Service
metadata:
name: helloworld
labels:
app: helloworld
service: helloworld
spec:
ports:
- port: 80
name: http
selector:
app: helloworld
```
## Deployment
### helloworld
Deploys a Nginx server that listens for the port `80`.
```yaml
apiVersion: apps/v1
kind: Deployment
metadata:
name: helloworld-nginx
labels:
app: helloworld
spec:
replicas: 1
selector:
matchLabels:
app: helloworld
template:
metadata:
labels:
app: helloworld
spec:
containers:
- name: helloworld
image: nginx
resources:
requests:
cpu: "100m"
imagePullPolicy: IfNotPresent #Always
ports:
- containerPort: 80
```
## Gateway
Deploys an Istio gateway that's listening to the port `80` for `HTTP` traffic.
It doesn't filter for any specific host.
The `selector` field is used to "choose" which Istio Load Balancers will have this gateway assigned to.
The Istio `default` profile creates a Load Balancer in the namespace `istio-system` that has the label `istio: ingressgateway` set, allowing us to target that specific Load Balancer and assign this gateway resource to it.
```yaml
apiVersion: networking.istio.io/v1alpha3
kind: Gateway
metadata:
name: helloworld-gateway
spec:
selector:
istio: ingressgateway
servers:
- port:
number: 80
name: http
protocol: HTTP
hosts:
- "*"
```
## VirtualService
The Virtual Service resources are used to route and filter the received traffic from the gateway resources, and route it towards the desired destination.
On this example we select the gateway `helloworld-gateway`, which is the [gateway that 's described in the `Gateway` section](#gateway).
On this resource, we are also not limiting the incoming traffic to any specific host, allowing for all the incoming traffic to go through the rules set.
Here we created a rule that will be applied on `HTTP` related traffic (including `HTTPS` and `HTTP2`) when the destination path is exactly `/helloworld`.
This traffic will be forwarded to the port `80` of the destination service `helloworld` (the full path URL equivalent would be `helloworld.$NAMESPACE.svc.cluster.local`).
Additionally, there will be an internal URL rewrite set, as if the URL is not modified, it would attempt to reach to the `/helloworld` path from the Nginx deployment, which currently has no content and would result in an error code `404` (Not found).
```yaml
apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
name: helloworld-vs
spec:
hosts:
- "*"
gateways:
- helloworld-gateway
http:
- match:
- uri:
exact: /helloworld
route:
- destination:
host: helloworld
port:
number: 80
rewrite:
uri: "/"
```
## EnvoyFilter
`EnvoyFilter` allows to customize the Envoy configuration generated by Istio Pilot.
On this scenario we will be targeting the pods deployed in the namespace `default` with the label `app` set to `helloworld`.
The rule created will apply to the filter `HTTP_FILTER` to attach the Lua script to the http connection manager.
This script will be triggered with the incoming traffic goes through the port 80.
The code inside the lua script is very straightforward:
```lua
response_handle:headers():add("numbers", "lots of numbers")
```
Adds a header on the response request, which on this scenario is adding the header `numbers`, and giving it a value of `lots of numbers`.
```yaml
apiVersion: networking.istio.io/v1alpha3
kind: EnvoyFilter
metadata:
name: envoy-add-response-header
namespace: default
spec:
priority: 30
workloadSelector:
labels:
app: helloworld
configPatches:
- applyTo: HTTP_FILTER
match:
context: SIDECAR_INBOUND
listener:
portNumber: 80
filterChain:
filter:
name: "envoy.filters.network.http_connection_manager"
subFilter:
name: "envoy.filters.http.router"
patch:
operation: INSERT_BEFORE
value:
name: envoy.lua
typed_config:
"@type": "type.googleapis.com/envoy.extensions.filters.http.lua.v3.Lua"
inlineCode: |
function envoy_on_response(response_handle)
response_handle:headers():add("numbers", "lots of numbers")
end
```
# Walkthrough
## Deploy resources
Deploy the resources.
```shell
kubectl apply -f ./
```
```text
deployment.apps/helloworld-nginx created
envoyfilter.networking.istio.io/envoy-add-response-header created
gateway.networking.istio.io/helloworld-gateway created
service/helloworld created
virtualservice.networking.istio.io/helloworld-vs created
```
## Wait for the pods to be ready
Wait for the Nginx deployment to be ready.
```shell
kubectl get deployment helloworld-nginx -w
```
```text
NAME READY UP-TO-DATE AVAILABLE AGE
helloworld-nginx 1/1 1 1 49s
```
## Test the service
### Get LB IP
To perform the desired tests, we will need to obtain the IP Istio Load Balancer that we selected in the [Gateway section](#gateway).
On my environment, the IP is the `192.168.1.50`.
```shell
kubectl get svc -l istio=ingressgateway -A
```
```text
NAMESPACE NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE
istio-system istio-ingressgateway LoadBalancer 10.97.47.216 192.168.1.50 15021:31316/TCP,80:32012/TCP,443:32486/TCP 72d
```
### Confirm the deployment works correctly.
```shell
curl 192.168.1.50/helloworld -s | grep "<h1>.*</h1>"
```
```text
<h1>Welcome to nginx!</h1>
```
### Confirm the Lua Script is working correctly
After confirming that the request is able to succeed and confirming the backend that it's handling such request, the
next step is to verify if the Lua script we deployed on through the [EnvoyFilter](#envoyfilter) is adding a new header.
```shell
curl 192.168.1.50/helloworld --head
```
```text
HTTP/1.1 200 OK
server: istio-envoy
date: Sat, 14 Oct 2023 07:21:03 GMT
content-type: text/html
content-length: 615
last-modified: Tue, 15 Aug 2023 17:03:04 GMT
etag: "64dbafc8-267"
accept-ranges: bytes
x-envoy-upstream-service-time: 3
numbers: lots of numbers
```
#### Reviewing the response
If we take a closer look at the fields returned, at the bottom of the textblock, we can appreciate the following line:
> numbers: lots of numbers
Therefore, we were able to confirm that the [EnvoyFilter](#envoyfilter) configuration we set with a Lua script, did work
as intended and added the desired Header to the response from the backend.
## Cleanup
Finally, a cleanup from the resources deployed.
```shell
kubectl delete -f ./
```
```text
deployment.apps "helloworld-nginx" deleted
envoyfilter.networking.istio.io "envoy-add-response-header" deleted
gateway.networking.istio.io "helloworld-gateway" deleted
service "helloworld" deleted
virtualservice.networking.istio.io "helloworld-vs" deleted
```
## Links of interest
- https://istio.io/latest/docs/reference/config/networking/envoy-filter/
- https://istio.io/latest/docs/reference/config/networking/envoy-filter/#EnvoyFilter-ApplyTo
- https://github.com/istio/istio/wiki/EnvoyFilter-Samples
- https://istio.io/latest/docs/reference/config/networking/envoy-filter/#EnvoyFilter-Patch-Operation

13
06-Envoy/01-Envoy-add-response-headers/Service.yaml Normal file
View File

@ -0,0 +1,13 @@
apiVersion: v1
kind: Service
metadata:
name: helloworld
labels:
app: helloworld
service: helloworld
spec:
ports:
- port: 80
name: http
selector:
app: helloworld

20
06-Envoy/01-Envoy-add-response-headers/VirtualService.yaml Normal file
View File

@ -0,0 +1,20 @@
apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
name: helloworld-vs
spec:
hosts:
- "*"
gateways:
- helloworld-gateway
http:
- match:
- uri:
exact: /helloworld
route:
- destination:
host: helloworld
port:
number: 80
rewrite:
uri: "/"

42
06-Envoy/01-envoy_add_headers/README.md
View File

@ -1,42 +0,0 @@
https://github.com/istio/istio/wiki/EnvoyFilter-Samples
https://stackoverflow.com/questions/73262158/how-to-apply-envoyfilter-to-sidecar-inbound-and-gateway
https://istio.io/latest/docs/reference/config/networking/envoy-filter/
https://discuss.istio.io/t/adding-custom-response-headers-using-istios-1-6-0-envoy-lua-filter/7494
https://www.envoyproxy.io/docs/envoy/latest/configuration/http/http_filters/lua_filter
> kubectl logs -f deployments/istiod -n istio-system
This somewhat is monitoring, can do cool stuff I don't know how or what to do
enable export access logs to stdout
istioctl install --set profile=default -y --set meshConfig.accessLogFile=/dev/stdout
https://istio.io/latest/docs/ops/diagnostic-tools/component-logging/
https://dev.to/aws-builders/understanding-istio-access-logs-2k5o
```yaml
Note: Here I am using request_handle:logCritical method because default logLevel is WARN for Istio components. request_handle:logInfo can be used, if logLevel is set to Info.
```
https://youtu.be/yOtEG1luTwU

43
06-Envoy/01-envoy_add_headers/deployment.yaml
View File

@ -1,43 +0,0 @@
apiVersion: v1
kind: Service
metadata:
name: helloworld
labels:
app: helloworld
service: helloworld
# annotations:
# sidecar.istio.io/componentLogLevel: info
spec:
ports:
- port: 80
name: http
selector:
app: helloworld
---
apiVersion: apps/v1
kind: Deployment
metadata:
name: helloworld-nginx
labels:
app: helloworld
spec:
replicas: 1
selector:
matchLabels:
app: helloworld
template:
metadata:
labels:
app: helloworld
annotations:
sidecar.istio.io/componentLogLevel: lua:info
spec:
containers:
- name: helloworld
image: nginx
resources:
requests:
cpu: "100m"
imagePullPolicy: IfNotPresent #Always
ports:
- containerPort: 80

36
06-Envoy/01-envoy_add_headers/gateway.yaml
View File

@ -1,36 +0,0 @@
# https://github.com/istio/istio/blob/master/samples/helloworld/helloworld-gateway.yaml
apiVersion: networking.istio.io/v1alpha3
kind: Gateway
metadata:
name: helloworld-gateway
spec:
selector:
istio: ingressgateway # use istio default controller
servers:
- port:
number: 80
name: http
protocol: HTTP
hosts:
- "*"
---
apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
name: helloworld-vs
spec:
hosts:
- "*"
gateways:
- helloworld-gateway
http:
- match:
- uri:
exact: /helloworld
route:
- destination:
host: helloworld
port:
number: 80
rewrite:
uri: "/"

17
11-Fault_Injection/05a-FaultInjection-delay/deployment.yaml → 06-Envoy/02-envoy-logging/Deployment.yaml
View File

@ -1,18 +1,3 @@
# https://github.com/istio/istio/blob/master/samples/helloworld/helloworld.yaml
apiVersion: v1
kind: Service
metadata:
name: helloworld
labels:
app: helloworld
service: helloworld
spec:
ports:
- port: 80
name: http
selector:
app: helloworld
---
apiVersion: apps/v1
kind: Deployment
metadata:
@ -28,6 +13,8 @@ spec:
metadata:
labels:
app: helloworld
annotations:
sidecar.istio.io/componentLogLevel: lua:debug
spec:
containers:
- name: helloworld

19
06-Envoy/01-envoy_add_headers/envoy2.yaml → 06-Envoy/02-envoy-logging/Envoy.yaml
View File

@ -1,7 +1,7 @@
apiVersion: networking.istio.io/v1alpha3
kind: EnvoyFilter
metadata:
name: envoy-add-response-header2
name: envoy-raise-logs
namespace: default
spec:
priority: 40
@ -27,12 +27,11 @@ spec:
"@type": "type.googleapis.com/envoy.extensions.filters.http.lua.v3.Lua"
inlineCode: |
function envoy_on_response(response_handle)
response_handle:headers():add("fruit", "watermelons")
response_handle:logCritical("Critical: Added header `fruit`")
response_handle:logErr("Error: Added header `fruit`")
response_handle:logWarn("Warning: Added header `fruit`")
response_handle:logInfo("Info: Added header `fruit`")
response_handle:logDebug("Debug: Added header `fruit`")
response_handle:logTrace("Trace: Added header `fruit`")
response_handle:logInfo(">>>> Executed `envoy-add-response-header2` <<<<")
end
response_handle:logCritical("Critical: This is my Critical log")
response_handle:logErr("Error: This is my Error log")
response_handle:logWarn("Warning: This is my Warning log")
response_handle:logInfo("Info: This is my Info log")
response_handle:logDebug("Debug: This is my Debug log")
response_handle:logTrace("Trace: This is my Trace log")
response_handle:logInfo(">>>> Executed `envoy-raise-logs` <<<<")
end

14
06-Envoy/02-envoy-logging/Gateway.yaml Executable file
View File

@ -0,0 +1,14 @@
apiVersion: networking.istio.io/v1alpha3
kind: Gateway
metadata:
name: helloworld-gateway
spec:
selector:
istio: ingressgateway # use istio default controller
servers:
- port:
number: 80
name: http
protocol: HTTP
hosts:
- "*"

362
06-Envoy/02-envoy-logging/README.md Executable file
View File

@ -0,0 +1,362 @@
---
gitea: none
include_toc: true
---
# Description
This example deploys the same infrastructure as the [previous example](../../01-Getting_Started/01-hello_world_1_service_1_deployment), but instead of adding a header to the response, we will be raising a custom log entry.
This example configures:
Generic Kubernetes resources:
- 1 Service
- 1 Deployment
Istio resources:
- 1 Gateway
- 1 Virtual Service
- 1 EnvoyFilter
# Based on
- [01-Getting_Started/01-hello_world_1_service_1_deployment](../../01-Getting_Started/01-hello_world_1_service_1_deployment)
# Configuration
## Service
Creates a service named `helloworld`.
This service listens for the port `80` expecting `HTTP` traffic and will forward the incoming traffic towards the port `80` from the destination pod.
```yaml
apiVersion: v1
kind: Service
metadata:
name: helloworld
labels:
app: helloworld
service: helloworld
spec:
ports:
- port: 80
name: http
selector:
app: helloworld
```
## Deployment
### helloworld
Deploys a Nginx server that listens for the port `80`.
On this deployment, we have set an annotation to configure a log level for the Istio sidecar/envoy-proxy attached to the deployment, that will allow the Lua scripts for a "debug" log level.
```yaml
apiVersion: apps/v1
kind: Deployment
metadata:
name: helloworld-nginx
labels:
app: helloworld
spec:
replicas: 1
selector:
matchLabels:
app: helloworld
template:
metadata:
labels:
app: helloworld
annotations:
sidecar.istio.io/componentLogLevel: lua:debug
spec:
containers:
- name: helloworld
image: nginx
resources:
requests:
cpu: "100m"
imagePullPolicy: IfNotPresent #Always
ports:
- containerPort: 80
```
## Gateway
Deploys an Istio gateway that's listening to the port `80` for `HTTP` traffic.
It doesn't filter for any specific host.
The `selector` field is used to "choose" which Istio Load Balancers will have this gateway assigned to.
The Istio `default` profile creates a Load Balancer in the namespace `istio-system` that has the label `istio: ingressgateway` set, allowing us to target that specific Load Balancer and assign this gateway resource to it.
```yaml
apiVersion: networking.istio.io/v1alpha3
kind: Gateway
metadata:
name: helloworld-gateway
spec:
selector:
istio: ingressgateway
servers:
- port:
number: 80
name: http
protocol: HTTP
hosts:
- "*"
```
## VirtualService
The Virtual Service resources are used to route and filter the received traffic from the gateway resources, and route it towards the desired destination.
On this example we select the gateway `helloworld-gateway`, which is the [gateway that 's described in the `Gateway` section](#gateway).
On this resource, we are also not limiting the incoming traffic to any specific host, allowing for all the incoming traffic to go through the rules set.
Here we created a rule that will be applied on `HTTP` related traffic (including `HTTPS` and `HTTP2`) when the destination path is exactly `/helloworld`.
This traffic will be forwarded to the port `80` of the destination service `helloworld` (the full path URL equivalent would be `helloworld.$NAMESPACE.svc.cluster.local`).
Additionally, there will be an internal URL rewrite set, as if the URL is not modified, it would attempt to reach to the `/helloworld` path from the Nginx deployment, which currently has no content and would result in an error code `404` (Not found).
```yaml
apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
name: helloworld-vs
spec:
hosts:
- "*"
gateways:
- helloworld-gateway
http:
- match:
- uri:
exact: /helloworld
route:
- destination:
host: helloworld
port:
number: 80
rewrite:
uri: "/"
```
## EnvoyFilter
`EnvoyFilter` allows to customize the Envoy configuration generated by Istio Pilot.
On this scenario we will be targeting the pods deployed in the namespace `default` with the label `app` set to `helloworld`.
The rule created will apply to the filter `HTTP_FILTER` to attach the Lua script to the http connection manager.
This script will be triggered with the incoming traffic goes through the port 80.
The code inside the lua script is fairly simple, as it will generate multiple logs in various tier levels, going from **Critical** to **Trace**:
```lua
response_handle:logCritical("Critical: This is my Critical log")
response_handle:logErr("Error: This is my Error log")
response_handle:logWarn("Warning: This is my Warning log")
response_handle:logInfo("Info: This is my Info log")
response_handle:logDebug("Debug: This is my Debug log")
response_handle:logTrace("Trace: This is my Trace log")
response_handle:logInfo(">>>> Executed `envoy-raise-logs` <<<<")
```
```yaml
apiVersion: networking.istio.io/v1alpha3
kind: EnvoyFilter
metadata:
name: envoy-raise-logs
namespace: default
spec:
priority: 40
workloadSelector:
labels:
app: helloworld
configPatches:
- applyTo: HTTP_FILTER
match:
context: SIDECAR_INBOUND
listener:
portNumber: 80
filterChain:
filter:
name: "envoy.filters.network.http_connection_manager"
subFilter:
name: "envoy.filters.http.router"
patch:
operation: INSERT_BEFORE
value:
name: envoy.lua
typed_config:
"@type": "type.googleapis.com/envoy.extensions.filters.http.lua.v3.Lua"
inlineCode: |
function envoy_on_response(response_handle)
response_handle:logCritical("Critical: This is my Critical log")
response_handle:logErr("Error: This is my Error log")
response_handle:logWarn("Warning: This is my Warning log")
response_handle:logInfo("Info: This is my Info log")
response_handle:logDebug("Debug: This is my Debug log")
response_handle:logTrace("Trace: This is my Trace log")
response_handle:logInfo(">>>> Executed `envoy-raise-logs` <<<<")
end
```
# Walkthrough
## Deploy resources
Deploy the resources.
```shell
kubectl apply -f ./
```
```text
deployment.apps/helloworld-nginx created
envoyfilter.networking.istio.io/envoy-raise-logs created
gateway.networking.istio.io/helloworld-gateway created
service/helloworld created
virtualservice.networking.istio.io/helloworld-vs created
```
## Wait for the pods to be ready
Wait for the Nginx deployment to be ready.
```shell
kubectl get deployment helloworld-nginx -w
```
```text
NAME READY UP-TO-DATE AVAILABLE AGE
helloworld-nginx 1/1 1 1 7s
```
## Test the service
### Get LB IP
To perform the desired tests, we will need to obtain the IP Istio Load Balancer that we selected in the [Gateway section](#gateway).
On my environment, the IP is the `192.168.1.50`.
```shell
kubectl get svc -l istio=ingressgateway -A
```
```text
NAMESPACE NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE
istio-system istio-ingressgateway LoadBalancer 10.97.47.216 192.168.1.50 15021:31316/TCP,80:32012/TCP,443:32486/TCP 72d
```
### Confirm the deployment works correctly.
```shell
curl 192.168.1.50/helloworld -s | grep "<h1>.*</h1>"
```
```text
<h1>Welcome to nginx!</h1>
```
### Confirm the Lua Script is working correctly
#### Monitor the logs
In a new shell we will use the following command to monitor the logs from the `istio-proxy` container located in the deployment created.
```shell
kubectl logs -l app=helloworld -c istio-proxy -f
```
#### Initiate a traffic request
After confirming that the request is able to succeed and confirming the backend that it's handling such request, the
next step is to verify if the Lua script we deployed on through the [EnvoyFilter](#envoyfilter) is adding a new header.
```shell
curl 192.168.1.50/helloworld -s | grep "<h1>.*</h1>"
```
```text
<h1>Welcome to nginx!</h1>
```
#### Logs generated
```text
2023-10-14T07:59:36.213492Z critical envoy lua external/envoy/source/extensions/filters/http/lua/lua_filter.cc:933 script log: Critical: This is my Critical log thread=28
2023-10-14T07:59:36.213714Z error envoy lua external/envoy/source/extensions/filters/http/lua/lua_filter.cc:930 script log: Error: This is my Error log thread=28
2023-10-14T07:59:36.213846Z warning envoy lua external/envoy/source/extensions/filters/http/lua/lua_filter.cc:927 script log: Warning: This is my Warning log thread=28
2023-10-14T07:59:36.213972Z info envoy lua external/envoy/source/extensions/filters/http/lua/lua_filter.cc:924 script log: Info: This is my Info log thread=28
2023-10-14T07:59:36.214096Z debug envoy lua external/envoy/source/extensions/filters/http/lua/lua_filter.cc:921 script log: Debug: This is my Debug log thread=28
2023-10-14T07:59:36.214296Z info envoy lua external/envoy/source/extensions/filters/http/lua/lua_filter.cc:924 script log: >>>> Executed `envoy-raise-logs` <<<< thread=28
2023-10-14T07:59:36.214425Z debug envoy lua external/envoy/source/extensions/filters/common/lua/lua.cc:39 coroutine finished thread=28
[2023-10-14T07:59:36.210Z] "GET /helloworld HTTP/1.1" 200 - via_upstream - "-" 0 615 11 1 "192.168.1.44" "curl/8.4.0" "47093b83-6658-4ec6-8d21-7da5e70d6423" "192.168.1.50" "172.16.106.50:80" inbound|80|| 127.0.0.6:44723 172.16.106.50:80 192.168.1.44:0 outbound_.80_._.helloworld.default.svc.cluster.local default
```
Reviewing the logs generated, we can observe that the entries range from `critical` to `debug`, yet we cannot locate the `trace` level log entry that we configured in the Lua script.
This is caused due to the annotation configured in the [Deployment](#deployment), where we selected a log level for the Lua script to be `debug`, out-ranging the `trace` level.
Therefore, we were able to confirm that the [EnvoyFilter](#envoyfilter) configuration we set with a Lua script, did work
as intended and added the desired Header to the response from the backend, even tho the log entry with `trace` level was not recorded.
#### How to check the log level settings from a pod?
Through the command `istioctl proxy-config log <POD>`.
```shell
istioctl proxy-config log "$(kubectl get pod -l app=helloworld | grep helloworld-nginx | awk '{print $1}')"
```
```text
helloworld-nginx-d8bc84b86-h6c68.default:
active loggers:
...
health_checker: warning
http: warning
http2: warning
hystrix: warning
init: warning
io: warning
jwt: warning
kafka: warning
key_value_store: warning
lua: debug
main: warning
...
```
As well, we can confirm that by default the settings are set to only retain "warning" level logs.
## Cleanup
Finally, a cleanup from the resources deployed.
```shell
kubectl delete -f ./
```
```text
deployment.apps "helloworld-nginx" deleted
envoyfilter.networking.istio.io "envoy-raise-logs" deleted
gateway.networking.istio.io "helloworld-gateway" deleted
service "helloworld" deleted
virtualservice.networking.istio.io "helloworld-vs" deleted
```
## Links of interest
- https://istio.io/latest/docs/reference/config/networking/envoy-filter/
- https://istio.io/latest/docs/reference/config/networking/envoy-filter/#EnvoyFilter-ApplyTo
- https://github.com/istio/istio/wiki/EnvoyFilter-Samples
- https://istio.io/latest/docs/reference/config/networking/envoy-filter/#EnvoyFilter-Patch-Operation

13
06-Envoy/02-envoy-logging/Service.yaml Normal file
View File

@ -0,0 +1,13 @@
apiVersion: v1
kind: Service
metadata:
name: helloworld
labels:
app: helloworld
service: helloworld
spec:
ports:
- port: 80
name: http
selector:
app: helloworld

20
06-Envoy/02-envoy-logging/VirtualService.yaml Normal file
View File

@ -0,0 +1,20 @@
apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
name: helloworld-vs
spec:
hosts:
- "*"
gateways:
- helloworld-gateway
http:
- match:
- uri:
exact: /helloworld
route:
- destination:
host: helloworld
port:
number: 80
rewrite:
uri: "/"

49
06-Envoy/README.md
View File

@ -1,6 +1,49 @@
https://youtu.be/yOtEG1luTwU
## Description
This section focuses on configuring the object `EnvoyFilter`.
## Examples
- 01-Envoy-add-response-headers
- 02-envoy-logging
## Heads up
On the example `02-envoy-logging`, it's a requisite to configure Istio's `meshConfig.accessLogFile` as `/dev/stdout`.
During the installation of the cluster itself, can be set with:
```shell
istioctl install --set profile=default -y --set meshConfig.accessLogFile=/dev/stdout
```
On the current scenario, I would recommend purging the Istio installation and reinstalling again, as I assume that you
are testing this examples in a sandbox that you are free to "destroy".
### Purging Istio
```shell
istioctl uninstall --purge
```
Then proceed with reinstalling Istio using the command from above.
### What if I don't want to purge Istio?
Modify the IstioOperator similarly as mentioned [here](https://istio.io/latest/docs/tasks/traffic-management/egress/egress-control/#change-to-the-blocking-by-default-policy), and populate the object with the following fields:
```yaml
spec:
profile: minimal
meshConfig:
accessLogFile: /dev/stdout
```
Rate Limit:
## Links of Interest
https://istio.io/latest/docs/tasks/policy-enforcement/rate-limit/
- https://istio.io/latest/docs/reference/config/networking/envoy-filter/
- https://istio.io/latest/docs/reference/config/networking/envoy-filter/#EnvoyFilter-ApplyTo
- https://github.com/istio/istio/wiki/EnvoyFilter-Samples
- https://istio.io/latest/docs/reference/config/networking/envoy-filter/#EnvoyFilter-Patch-Operation

102
07-MeshConfig/01-Outboud-Traffic-Policy/README.md
View File

@ -1,102 +0,0 @@
# Continues from
- 05-hello_world_1_Service_Entry
# Description
On this example compares the behavior between setting up the MeshConfig `OutboundTrafficPolicy.mode` setting to `REGISTRY_ONLY` and `ALLOW_ANY`.
- ALLOW_ANY: Allows all egress/outbound traffic from the mesh.
- REGISTRY_ONLY: Restricted to services that figure in the service registry a and the ServiceEntry objects.
More info regarding this configuration at the pertinent documentation (https://istio.io/latest/docs/reference/config/istio.mesh.v1alpha1/#MeshConfig-OutboundTrafficPolicy-Mode)
## Runthrough
### Set ALLOW_ANY outbound traffic policy
```shell
istioctl install --set profile=default -y --set meshConfig.accessLogFile=/dev/stdout --set meshConfig.outboundTrafficPolicy.mode=ALLOW_ANY
```
### Deploy resources
```shell
$ kubectl apply -f ./
service/helloworld created
deployment.apps/helloworld-nginx created
serviceentry.networking.istio.io/external-svc created
gateway.networking.istio.io/helloworld-gateway created
virtualservice.networking.istio.io/helloworld-vs created
```
### Get LB IP
```shell
$ kubectl get svc istio-ingressgateway -n istio-system
NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE
istio-ingressgateway LoadBalancer 10.97.47.216 192.168.1.50 15021:31316/TCP,80:32012/TCP,443:32486/TCP 39h
```
### Test deployments
```shell
$ curl 192.168.1.50/helloworld -I
HTTP/1.1 200 OK
server: istio-envoy
date: Thu, 20 Apr 2023 18:03:18 GMT
content-type: text/html
content-length: 615
last-modified: Tue, 28 Mar 2023 15:01:54 GMT
etag: "64230162-267"
accept-ranges: bytes
x-envoy-upstream-service-time: 73
```
```shell
$ curl 192.168.1.50/external -I
HTTP/1.1 200 OK
date: Thu, 20 Apr 2023 18:03:24 GMT
content-type: text/html
content-length: 5186
last-modified: Mon, 17 Mar 2014 17:25:03 GMT
expires: Thu, 31 Dec 2037 23:55:55 GMT
cache-control: max-age=315360000
x-envoy-upstream-service-time: 228
server: istio-envoy
```
### Test egress the helloworld deployment
It returns a 301 code, meaning that it was able to reach the destination, and it was attempted to redirect the traffic from HTTP to HTTPS.
```shell
$ kubectl exec -i -t "$(kubectl get pod -l app=helloworld | tail -n 1 | awk '{print $1}')" -- curl wikipedia.com -I
HTTP/1.1 301 Moved Permanently
server: envoy
date: Thu, 20 Apr 2023 18:06:57 GMT
content-type: text/html
content-length: 169
location: https://wikipedia.com/
x-envoy-upstream-service-time: 65
```
### Set REGISTRY_ONLY outbound traffic policy
```shell
istioctl install --set profile=default -y --set meshConfig.accessLogFile=/dev/stdout --set meshConfig.outboundTrafficPolicy.mode=REGISTRY_ONLY
```
### Test (again) egress the helloworld deployment
It returns a 502 code, meaning that it wasn't able to reach the destination.
```shell
$ kubectl exec -i -t "$(kubectl get pod -l app=helloworld | tail -n 1 | awk '{print $1}')" -- curl wikipedia.com -I
HTTP/1.1 502 Bad Gateway
date: Thu, 20 Apr 2023 18:08:37 GMT
server: envoy
transfer-encoding: chunked
```

57
07-MeshConfig/01-Outboud-Traffic-Policy/deployment.yaml
View File

@ -1,57 +0,0 @@
# https://github.com/istio/istio/blob/master/samples/helloworld/helloworld.yaml
apiVersion: v1
kind: Service
metadata:
name: helloworld
labels:
app: helloworld
service: helloworld
spec:
ports:
- port: 80
name: http
selector:
app: helloworld
---
apiVersion: apps/v1
kind: Deployment
metadata:
name: helloworld-nginx
labels:
app: helloworld
spec:
replicas: 1
selector:
matchLabels:
app: helloworld
template:
metadata:
labels:
app: helloworld
spec:
containers:
- name: helloworld
image: nginx
resources:
requests:
cpu: "100m"
imagePullPolicy: IfNotPresent #Always
ports:
- containerPort: 80
---
apiVersion: networking.istio.io/v1alpha3
kind: ServiceEntry
metadata:
name: external-svc
spec:
hosts:
- help.websiteos.com
# /websiteos/example_of_a_simple_html_page.htm
# - http://help.websiteos.com/websiteos/example_of_a_simple_html_page.htm
ports:
- number: 80
name: http
protocol: HTTP
resolution: DNS
location: MESH_EXTERNAL
---

10
07-MeshConfig/README.md
View File

@ -1,10 +0,0 @@
# Examples
- 01-Outboud-Traffic-Policy
## Additional
https://istio.io/latest/docs/tasks/observability/distributed-tracing/mesh-and-proxy-config/

0
08-AuthorizationPolicy/01-target-namespaces/01-namespace.yaml → 08-AuthorizationPolicy/01-AuthorizationPolicy-Target-Namespaces/01-Namespace.yaml
View File

0
08-AuthorizationPolicy/01-target-namespaces/authentication.yaml → 08-AuthorizationPolicy/01-AuthorizationPolicy-Target-Namespaces/AuthorizationPolicy.yaml
View File

32
08-AuthorizationPolicy/02-target-service-accounts/deployment_2.yaml → 08-AuthorizationPolicy/01-AuthorizationPolicy-Target-Namespaces/Deployments.yaml
View File

@ -1,18 +1,28 @@
apiVersion: v1
kind: Service
apiVersion: apps/v1
kind: Deployment
metadata:
name: byeworld
name: helloworld-nginx
labels:
app: byeworld
service: byeworld
namespace: foo
app: helloworld
spec:
ports:
- port: 9090
name: http
targetPort: 80
replicas: 1
selector:
app: byeworld
matchLabels:
app: helloworld
template:
metadata:
labels:
app: helloworld
spec:
containers:
- name: helloworld
image: nginx
resources:
requests:
cpu: "100m"
imagePullPolicy: IfNotPresent
ports:
- containerPort: 80
---
apiVersion: apps/v1
kind: Deployment

0
08-AuthorizationPolicy/01-target-namespaces/gateway.yaml → 08-AuthorizationPolicy/01-AuthorizationPolicy-Target-Namespaces/Gateway.yaml
View File

11
08-AuthorizationPolicy/01-target-namespaces/README.md → 08-AuthorizationPolicy/01-AuthorizationPolicy-Target-Namespaces/README.md
View File

@ -3,15 +3,16 @@ gitea: none
include_toc: true
---
# Continues from
- [06-mTLS](../../10-mTLS_PeerAuthentication/06-mTLS)
# Description
## Description
On this example we will be deploying an `AuthorizationPolicy` object to control the traffic that the `envoy-proxy` will manage on deployment created.
Bla bla bla
As well, we will configure the `AuthorizationPolicy` object to be applied at a "namespace" level.
Configuration targeting namespaces
# Based on
- [10-mTLS_PeerAuthentication/01-mTLS](../../10-mTLS_PeerAuthentication/01-mTLS)
# Configuration

30
08-AuthorizationPolicy/01-AuthorizationPolicy-Target-Namespaces/Services.yaml Normal file
View File

@ -0,0 +1,30 @@
apiVersion: v1
kind: Service
metadata:
name: helloworld
labels:
app: helloworld
service: helloworld
spec:
ports:
- port: 8080
name: http
targetPort: 80
selector:
app: helloworld
---
apiVersion: v1
kind: Service
metadata:
name: byeworld
labels:
app: byeworld
service: byeworld
namespace: foo
spec:
ports:
- port: 9090
name: http
targetPort: 80
selector:
app: byeworld

42
08-AuthorizationPolicy/01-target-namespaces/deployment_2.yaml
View File

@ -1,42 +0,0 @@
apiVersion: v1
kind: Service
metadata:
name: byeworld
labels:
app: byeworld
service: byeworld
namespace: foo
spec:
ports:
- port: 9090
name: http
targetPort: 80
selector:
app: byeworld
---
apiVersion: apps/v1
kind: Deployment
metadata:
name: byeworld-nginx
labels:
app: byeworld
namespace: foo
spec:
replicas: 1
selector:
matchLabels:
app: byeworld
template:
metadata:
labels:
app: byeworld
spec:
containers:
- name: byeworld
image: nginx
resources:
requests:
cpu: "100m"
imagePullPolicy: IfNotPresent
ports:
- containerPort: 80

0
08-AuthorizationPolicy/02-target-service-accounts/01-namespace.yaml → 08-AuthorizationPolicy/02-AuthorizationPolicy-Target-Service-Accounts/01-Namespace.yaml
View File

0
08-AuthorizationPolicy/02-target-service-accounts/01-service-accounts.yaml → 08-AuthorizationPolicy/02-AuthorizationPolicy-Target-Service-Accounts/01-Service_Accounts.yaml
View File

0
08-AuthorizationPolicy/02-target-service-accounts/authentication.yaml → 08-AuthorizationPolicy/02-AuthorizationPolicy-Target-Service-Accounts/AuthorizationPolicy.yaml
View File

42
08-AuthorizationPolicy/02-target-service-accounts/deployment.yaml → 08-AuthorizationPolicy/02-AuthorizationPolicy-Target-Service-Accounts/Deployments.yaml
View File

@ -1,18 +1,3 @@
apiVersion: v1
kind: Service
metadata:
name: helloworld
labels:
app: helloworld
service: helloworld
spec:
ports:
- port: 8080
name: http
targetPort: 80
selector:
app: helloworld
---
apiVersion: apps/v1
kind: Deployment
metadata:
@ -39,3 +24,30 @@ spec:
imagePullPolicy: IfNotPresent
ports:
- containerPort: 80
---
apiVersion: apps/v1
kind: Deployment
metadata:
name: byeworld-nginx
labels:
app: byeworld
namespace: foo
spec:
replicas: 1
selector:
matchLabels:
app: byeworld
template:
metadata:
labels:
app: byeworld
spec:
containers:
- name: byeworld
image: nginx
resources:
requests:
cpu: "100m"
imagePullPolicy: IfNotPresent
ports:
- containerPort: 80

0
08-AuthorizationPolicy/02-target-service-accounts/gateway.yaml → 08-AuthorizationPolicy/02-AuthorizationPolicy-Target-Service-Accounts/Gateway.yaml
View File

16
08-AuthorizationPolicy/02-target-service-accounts/README.md → 08-AuthorizationPolicy/02-AuthorizationPolicy-Target-Service-Accounts/README.md
View File

@ -3,21 +3,19 @@ gitea: none
include_toc: true
---
# Continues from
[//]: # (- [01-hello_world_1_service_1_deployment]&#40;../../01-simple/01-hello_world_1_service_1_deployment&#41;)
- [01-target-namespaces](../01-target-namespaces)
# Description
On this example we will be deploying an `AuthorizationPolicy` object to control the traffic that the `envoy-proxy` will manage on deployment created.
As well, we will configure the `AuthorizationPolicy` object will be applied to the deployments with the targeted `ServiceAccount`.
> **Note:**\
> On this example there is minimal changes to the configuration to involve targeting service accounts.
## Description
# Based on
Bla bla bla
Configuration targeting service accounts (among others)
By default, when a pod is deployed, if a service account has not been specified, it will be given the service account `default` from that namespace.
- [01-AuthorizationPolicy-Target-Namespaces](../01-AuthorizationPolicy-Target-Namespaces)
# Changelog

30
08-AuthorizationPolicy/02-AuthorizationPolicy-Target-Service-Accounts/Services.yaml Normal file
View File

@ -0,0 +1,30 @@
apiVersion: v1
kind: Service
metadata:
name: helloworld
labels:
app: helloworld
service: helloworld
spec:
ports:
- port: 8080
name: http
targetPort: 80
selector:
app: helloworld
---
apiVersion: v1
kind: Service
metadata:
name: byeworld
labels:
app: byeworld
service: byeworld
namespace: foo
spec:
ports:
- port: 9090
name: http
targetPort: 80
selector:
app: byeworld

0
08-AuthorizationPolicy/03-target-deployments/01-namespace.yaml → 08-AuthorizationPolicy/03-AuthorizationPolicy-Target-Deployments/01-Namespace.yaml
View File

0
08-AuthorizationPolicy/03-target-deployments/authentication.yaml → 08-AuthorizationPolicy/03-AuthorizationPolicy-Target-Deployments/AuthorizationPolicy.yaml
View File

Some files were not shown because too many files have changed in this diff Show More