dev #19

Merged
ofilter merged 8 commits from dev into main 2023-04-23 08:52:42 +02:00
9 changed files with 275 additions and 44 deletions
Showing only changes of commit 205f4c3716 - Show all commits

View File

@ -1,4 +1,3 @@
# https://github.com/istio/istio/blob/master/samples/helloworld/helloworld-gateway.yaml
apiVersion: networking.istio.io/v1alpha3
kind: Gateway
metadata:

View File

@ -30,7 +30,6 @@ From the Kiali dashboard we will review the mTLS label displayed
```shell
kubectl apply -f ./
````
```txt
peerauthentication.security.istio.io/default-mtls created
service/helloworld created
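Review bot: the fence closing the `kubectl apply -f ./` block is written with four backticks while its opener uses three; use three so the closing fence matches the opener and the other fences in this file.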
@ -46,9 +45,9 @@ virtualservice.networking.istio.io/helloworld-vs created
[Source Folder](https://github.com/istio/istio/tree/master/samples/addons)
```shell
kubectl apply -f https://raw.githubusercontent.com/istio/istio/master/samples/addons/grafana.yaml && \
kubectl apply -f https://raw.githubusercontent.com/istio/istio/master/samples/addons/kiali.yaml && \
kubectl apply -f https://raw.githubusercontent.com/istio/istio/master/samples/addons/prometheus.yaml && \
kubectl apply -f https://raw.githubusercontent.com/istio/istio/master/samples/addons/grafana.yaml
kubectl apply -f https://raw.githubusercontent.com/istio/istio/master/samples/addons/kiali.yaml
kubectl apply -f https://raw.githubusercontent.com/istio/istio/master/samples/addons/prometheus.yaml
kubectl apply -f https://raw.githubusercontent.com/istio/istio/master/samples/addons/prometheus.yaml
```
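Review bot: the last two commands in this block both apply `samples/addons/prometheus.yaml`, so one of them is redundant; drop the duplicate or replace it with the addon that was actually intended. All of these URLs also track the `master` branch, so the manifests applied will change over time; pointing them at the release branch or tag that matches the installed Istio version keeps the walkthrough reproducible and reviewable. The block shows both `&& \`-chained and unchained forms of the commands; if the unchained form is the one kept, a failed apply no longer stops the ones after it, which is worth a short remark.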

View File

@ -0,0 +1,185 @@
---
gitea: none
include_toc: true
---
# Based on
- [01-hello_world_1_service_1_deployment](../../01-Simple/01-hello_world_1_service_1_deployment)
# Description
On this example, a new Istio Ingress Load Balancer is deployed.
The previous example has been modified to utilize the Ingress resource just deployed.
# Changelog
## Gateway
```yaml
apiVersion: networking.istio.io/v1alpha3
kind: Gateway
metadata:
name: helloworld-gateway
spec:
selector:
istio: myingressgateway # use istio default controller
servers:
- port:
number: 80
name: http
protocol: HTTP
hosts:
- "*"
```
The selector `Istio` has been updated to `myingressgateway`, to match the selector of the Istio Ingress Load Balancer that will be created.
## Namespace
```yaml
apiVersion: v1
kind: Namespace
metadata:
name: istio-ingress
labels:
istio-injection: "enabled"
```
The namespace `istio-ingress` will have the label `istio-injection` with the contents set to `enabled` to allow Istio to automatically inject the Istio sidecars to the resources within that namespace, unless specified otherwise.
## IstioOperator
```yaml
apiVersion: install.istio.io/v1alpha1
kind: IstioOperator
metadata:
name: ingress
spec:
profile: empty # Do not install CRDs or the control plane
components:
ingressGateways:
- name: myistio-ingressgateway
namespace: istio-ingress
enabled: true
label:
# Set a unique label for the gateway. This is required to ensure Gateways
# can select this workload
istio: myingressgateway
values:
gateways:
istio-ingressgateway:
# Enable gateway injection
injectionTemplate: gateway
```
The following configuration will create an Istio Ingress Load Balancer named `myistio-ingressgateway`, located at the namespace `istio-ingress`.
The label `istio`, refers to the selector that the `Gateway` resources will use to specify the targeted Istio resource.
# Walkthrough
## Deploy resources
### Create namespace
```shell
kubectl apply -f 01-namespace.yaml
```
```text
namespace/istio-ingress created
```
### Create / Install the Istio Ingress resource
```shell
istioctl install -f ingress.yaml
```
```text
This will install the Istio 1.17.2 empty profile into the cluster. Proceed? (y/N) y
✔ Ingress gateways installed
✔ Installation complete
Thank you for installing Istio 1.17. Please take a few minutes to tell us about your install/upgrade experience! https://forms.gle/hMHGiwZHPU7UQRWe9
```
### Deploy gateway
```shell
kubectl apply -f gateway.yaml
```
```text
gateway.networking.istio.io/helloworld-gateway created
virtualservice.networking.istio.io/helloworld-vs created
```
### Deploy deployment
```shell
kubectl apply -f deployment.yaml
```
```text
service/helloworld created
deployment.apps/helloworld-nginx created
```
## Testing deployment
### Get Load Balancer IP
```shell
kubectl get svc -n istio-ingress
```
```text
NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE
myistio-ingressgateway LoadBalancer 10.102.158.128 192.168.1.51 15021:31181/TCP,80:30090/TCP,443:31285/TCP 5m10s
```
### Curl
The request results in status code `200`, meaning a correct handling of the request.
```shell
curl 192.168.1.51/helloworld -I
```
```text
HTTP/1.1 200 OK
server: istio-envoy
date: Sun, 23 Apr 2023 06:40:57 GMT
content-type: text/html
content-length: 615
last-modified: Tue, 28 Mar 2023 15:01:54 GMT
etag: "64230162-267"
accept-ranges: bytes
x-envoy-upstream-service-time: 15
```
# Cleanup
[Yeah no idea, gl with that.](https://stackoverflow.com/a/55731730)
```shell
istioctl uninstall --purge
```
Also read that "just removing" the namespace works to purge the config/remove resources.
Meanwhile, I did that (and seems like it performed correctly), I am not entirely sure about it. I'm not bothered myself as the environment where I am performing the tests is intended to be destroyed anytime and recreated, yet in a production environment I am not sure how this would need to be approached.
Maybe with a `kubectl get all -A` and through `grep` and `less` find resources and configurations, and delete them manually.
```shell
kubectl delete namespace istio-ingress
```
# Troubleshooting
## curl: (7) Failed to connect to 192.168.1.51 port 80 after 2 ms: Couldn't connect to server
Ensure that the gateway is using the correct `selector` to target the Istio Ingress Load Balancer created.
# Links of interest
- https://istio.io/latest/docs/setup/additional-setup/gateway/#deploying-a-gateway
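Review bot: under `# Cleanup`, `istioctl uninstall --purge` is presented as the way to remove this example, but `--purge` removes every Istio resource in the cluster, control plane included, not only the `myistio-ingressgateway` installed here with the `empty` profile. State that scope next to the command, or uninstall with the same `ingress.yaml` that was used to install, so a reader on a shared cluster does not remove more than the gateway. In the Gateway section, the sentence names the selector `Istio` while the key in the YAML is lowercase `istio`; match the casing so it can be copied as written.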

View File

@ -0,0 +1,48 @@
# https://github.com/istio/istio/blob/master/samples/helloworld/helloworld.yaml
apiVersion: v1
kind: Service
metadata:
name: helloworld
labels:
app: helloworld
service: helloworld
spec:
ports:
- port: 80
name: http
selector:
app: helloworld
---
#apiVersion: v1
#kind: ServiceAccount
#metadata:
# name: istio-helloworld
# labels:
# account:
---
apiVersion: apps/v1
kind: Deployment
metadata:
name: helloworld-nginx
labels:
app: helloworld
spec:
replicas: 1
selector:
matchLabels:
app: helloworld
template:
metadata:
labels:
app: helloworld
spec:
# serviceAccountName: istio-helloworld
containers:
- name: helloworld
image: nginx
resources:
requests:
cpu: "100m"
imagePullPolicy: IfNotPresent #Always
ports:
- containerPort: 80
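Review bot: `image: nginx` carries no tag, and combined with `imagePullPolicy: IfNotPresent` each node runs whichever `nginx:latest` it happens to have cached; pin a version tag or digest so the deployment is reproducible. The `resources` block sets a CPU request but no limits, and the commented-out `ServiceAccount` plus `# serviceAccountName: istio-helloworld` leave the pod on the namespace's default service account; either restore the dedicated account or remove the commented stub.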

View File

@ -0,0 +1,36 @@
# https://github.com/istio/istio/blob/master/samples/helloworld/helloworld-gateway.yaml
apiVersion: networking.istio.io/v1alpha3
kind: Gateway
metadata:
name: helloworld-gateway
spec:
selector:
istio: myingressgateway # use istio default controller
servers:
- port:
number: 80
name: http
protocol: HTTP
hosts:
- "*"
---
apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
name: helloworld-vs
spec:
hosts:
- "*"
gateways:
- helloworld-gateway
http:
- match:
- uri:
exact: /helloworld
route:
- destination:
host: helloworld
port:
number: 80
rewrite:
uri: "/"
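Review bot: the comment `# use istio default controller` on the Gateway `selector` no longer describes its value, `myingressgateway`, which targets the custom ingress gateway rather than the default one; update or remove the comment. Both the Gateway and the VirtualService use `hosts: "*"` over plain HTTP on port 80, so `/helloworld` is routed for any Host header that reaches the load balancer; name the expected host if this manifest is reused outside a lab.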

View File

@ -1,4 +1,3 @@
apiVersion: install.istio.io/v1alpha1
kind: IstioOperator
metadata:

View File

@ -1,6 +1,8 @@
# Disclaimer:
I have absolutely used as a reference and or template other party configurations/files.
I have tried to reference as much as possible as long it's relevant/useful for the reader.
# Stuff

View File

@ -1,37 +0,0 @@
https://istio.io/latest/docs/tasks/traffic-management/ingress/
TLS
https://istio.io/latest/docs/tasks/traffic-management/ingress/secure-ingress/
https://istio.io/latest/docs/setup/additional-setup/gateway/#deploying-a-gateway
kubectl apply -f 01-namespace.yaml
istioctl install -f ingress.yaml
kubectl get all -A | grep myistio
istio-ingress pod/myistio-ingressgateway-5cdcd89cfb-s4fsz 1/1 Running 0 43s
istio-ingress service/myistio-ingressgateway LoadBalancer 10.102.38.206 192.168.1.51 15021:30287/TCP,80:30979/TCP,443:31405/TCP 43s
istio-ingress deployment.apps/myistio-ingressgateway 1/1 1 1 44s
istio-ingress replicaset.apps/myistio-ingressgateway-5cdcd89cfb 1 1 1 44s
istio-ingress horizontalpodautoscaler.autoscaling/myistio-ingressgateway Deployment/myistio-ingressgateway <unknown>/80% 1 5 1 44s
---
It gets its own service account.
We can use this to restrict the network activity and enforce traffic rules.
```shell
kubectl get pod -n istio-ingress myistio-ingressgateway-5cdcd89cfb-s4fsz -o jsonpath='{.spec.serviceAccount}'
```
```text
myistio-ingressgateway-service-account
```
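Review bot: deleting this notes file drops two items that the new README's visible lines do not carry over: the observation that the gateway runs under its own service account (`myistio-ingressgateway-service-account`), and the link to the secure-ingress (TLS) task. Both are relevant to locking down the ingress, so consider moving them into the README, for example under `# Links of interest` and a short note next to the IstioOperator section.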