From 93018487e65726e5a395b4abe281f38f17dca1ee Mon Sep 17 00:00:00 2001 From: savagebidoof Date: Sat, 1 Jul 2023 17:33:20 +0200 Subject: [PATCH 01/22] deleted doomy file. --- .../IstioOperator/IstioOperator.yaml | 7 +------ 09-Ingress/01-Create-Istio-LoadBalancer/README.md | 12 +++++++----- 2 files changed, 8 insertions(+), 11 deletions(-) diff --git a/09-Ingress/01-Create-Istio-LoadBalancer/IstioOperator/IstioOperator.yaml b/09-Ingress/01-Create-Istio-LoadBalancer/IstioOperator/IstioOperator.yaml index 3f3191d..d9627bb 100644 --- a/09-Ingress/01-Create-Istio-LoadBalancer/IstioOperator/IstioOperator.yaml +++ b/09-Ingress/01-Create-Istio-LoadBalancer/IstioOperator/IstioOperator.yaml @@ -12,9 +12,4 @@ spec: label: # Set a unique label for the gateway. This is required to ensure Gateways # can select this workload - istio: myingressgateway - values: - gateways: - istio-ingressgateway: - # Enable gateway injection - injectionTemplate: gateway + istio: myingressgateway \ No newline at end of file diff --git a/09-Ingress/01-Create-Istio-LoadBalancer/README.md b/09-Ingress/01-Create-Istio-LoadBalancer/README.md index bc5f83d..49b602b 100644 --- a/09-Ingress/01-Create-Istio-LoadBalancer/README.md +++ b/09-Ingress/01-Create-Istio-LoadBalancer/README.md @@ -216,13 +216,10 @@ helloworld-nginx 1/1 1 1 16s ## Install the Istio Ingress Gateway Load Balancer -Press `y` to install. - ```shell -istioctl install -f IstioOperator/IstioOperator.yaml +istioctl install -f IstioOperator/IstioOperator.yaml -y ``` ```text -This will install the Istio 1.17.2 empty profile into the cluster. Proceed? (y/N) y ✔ Ingress gateways installed ✔ Installation complete Thank you for installing Istio 1.17. Please take a few minutes to tell us about your install/upgrade experience! https://forms.gle/hMHGiwZHPU7UQRWe9 
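Review bot: The re-added last line `istio: myingressgateway` carries `\ No newline at end of file`, so besides dropping the `values:` block this hunk strips the trailing newline the old file had; re-add it so the manifest ends with `\n`. The removal of `values.gateways.istio-ingressgateway.injectionTemplate: gateway` (the key Istio's own gateway-installation example sets so the operator renders the gateway through the injection template) changes how the gateway pod is produced, and neither the commit subject nor the README hunk in this commit says why; the `✔ Ingress gateways installed` output in the README hunk suggests it still deploys, but the intent is not recorded. A comment above `label:` such as `# injectionTemplate deliberately omitted: the operator renders the gateway deployment itself` would capture it. The enclosing `components.ingressGateways` entry starts outside the hunk.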
@@ -297,4 +294,9 @@ deployment.apps "helloworld-nginx" deleted gateway.networking.istio.io "helloworld-gateway" deleted service "helloworld" deleted virtualservice.networking.istio.io "helloworld-vs" deleted -``` \ No newline at end of file +``` + + +# Links of interest + +- https://istio.io/latest/docs/reference/config/istio.operator.v1alpha1 \ No newline at end of file -- 2.47.2 From 73d4918f2ce00eff15b90bc59c242b7ed7c222ca Mon Sep 17 00:00:00 2001 From: savagebidoof Date: Sat, 1 Jul 2023 17:33:59 +0200 Subject: [PATCH 02/22] deleted doomy file. --- 09-Ingress/01-Create-Istio-LoadBalancer/README.md | 5 ----- 1 file changed, 5 deletions(-) diff --git a/09-Ingress/01-Create-Istio-LoadBalancer/README.md b/09-Ingress/01-Create-Istio-LoadBalancer/README.md index 49b602b..64ce9bf 100644 --- a/09-Ingress/01-Create-Istio-LoadBalancer/README.md +++ b/09-Ingress/01-Create-Istio-LoadBalancer/README.md @@ -115,11 +115,6 @@ spec: # Set a unique label for the gateway. This is required to ensure Gateways # can select this workload istio: myingressgateway - values: - gateways: - istio-ingressgateway: - # Enable gateway injection - injectionTemplate: gateway ``` ## Gateway -- 2.47.2 From 6ff0ce9ee87eaae91edfd9cf523060aeba3bd23a Mon Sep 17 00:00:00 2001 
From: savagebidoof Date: Sat, 14 Oct 2023 06:21:26 +0200 Subject: [PATCH 03/22] Quality improvements. Fixed broken URL or typos in the directory references. As well proceeding with the README from each section. --- 01-Getting_Started/README.md | 3 ++- 02-Traffic_management/README.md | 12 +++++++++++- 03-Gateway_Ingress/01-Host_Based_Routing/README.md | 2 +- 03-Gateway_Ingress/02-Restrict_Namespaces/README.md | 2 +- .../04a-HTTPS-min-TLS-version/README.md | 2 +- .../04b-HTTPS-max-TLS-version/README.md | 2 +- 03-Gateway_Ingress/05-TCP-FORWARDING/README.md | 2 +- 03-Gateway_Ingress/06-TLS-PASSTHROUGH/README.md | 2 +- .../07-HTTP-to-HTTPS-traffic-redirect/README.md | 2 +- 03-Gateway_Ingress/README.md | 12 ++++++++++++ 10 files changed, 32 insertions(+), 9 deletions(-) diff --git a/01-Getting_Started/README.md b/01-Getting_Started/README.md index d1fe4ea..36b2102 100755 --- a/01-Getting_Started/README.md +++ b/01-Getting_Started/README.md @@ -5,7 +5,8 @@ include_toc: true # Getting Started -The idea of these examples is to get yourself familiarized with the basic elements used on Istio, allowing you to explore the documentation as well of proceeding with other examples or tests on your onw. +The idea of these examples is to get yourself familiarized with the basic elements used on Istio, allowing you to +explore the documentation as well of proceeding with other examples or tests on your onw. On these examples you will find the following Istio resources: diff --git a/02-Traffic_management/README.md b/02-Traffic_management/README.md index 9efb673..b60ad8b 100644 --- a/02-Traffic_management/README.md +++ b/02-Traffic_management/README.md @@ -1,2 +1,12 @@ -This gloves the resources `Virtual Service` and `Destination Rule`. +# Description + +This section involves the configuration of `Virtual Service` objects. + +# Examples + +- 01-header_routing +- 02-DirectResponse-HTTP-Body +- 03-HTTPRewrite +- 04-HTTPRedirect + 
diff --git a/03-Gateway_Ingress/01-Host_Based_Routing/README.md b/03-Gateway_Ingress/01-Host_Based_Routing/README.md index 93676e5..ef93cc6 100755 --- a/03-Gateway_Ingress/01-Host_Based_Routing/README.md +++ b/03-Gateway_Ingress/01-Host_Based_Routing/README.md @@ -25,7 +25,7 @@ This example configures: # Based on -- [01-hello_world_1_service_1_deployment](../../01-Getting_Started/01-hello_world_1_service_1_deployment +- [01-hello_world_1_service_1_deployment](../../01-Getting_Started/01-hello_world_1_service_1_deployment) # Configuration diff --git a/03-Gateway_Ingress/02-Restrict_Namespaces/README.md b/03-Gateway_Ingress/02-Restrict_Namespaces/README.md index 940472d..df0b2d8 100755 --- a/03-Gateway_Ingress/02-Restrict_Namespaces/README.md +++ b/03-Gateway_Ingress/02-Restrict_Namespaces/README.md @@ -28,7 +28,7 @@ This example configures: # Based on -- [01-hello_world_1_service_1_deployment](../../01-Getting_Started/01-hello_world_1_service_1_deployment +- [01-hello_world_1_service_1_deployment](../../01-Getting_Started/01-hello_world_1_service_1_deployment) # Configuration diff --git a/03-Gateway_Ingress/04a-HTTPS-min-TLS-version/README.md b/03-Gateway_Ingress/04a-HTTPS-min-TLS-version/README.md index 74374f7..13e318b 100644 --- a/03-Gateway_Ingress/04a-HTTPS-min-TLS-version/README.md +++ b/03-Gateway_Ingress/04a-HTTPS-min-TLS-version/README.md @@ -5,7 +5,7 @@ include_toc: true # Based on -- [07-HTTPS-Gateway-Simple-TLS](../03-HTTPS-Gateway-Simple-TLS) +- [03-HTTPS-Gateway-Simple-TLS](../03-HTTPS-Gateway-Simple-TLS) # Description diff --git a/03-Gateway_Ingress/04b-HTTPS-max-TLS-version/README.md b/03-Gateway_Ingress/04b-HTTPS-max-TLS-version/README.md index ae1d63d..56edfea 100644 --- a/03-Gateway_Ingress/04b-HTTPS-max-TLS-version/README.md +++ b/03-Gateway_Ingress/04b-HTTPS-max-TLS-version/README.md 
@@ -5,7 +5,7 @@ include_toc: true # Based on -- [08a-HTTPS-min-TLS-version](../04a-HTTPS-min-TLS-version) +- [04a-HTTPS-min-TLS-version](../04a-HTTPS-min-TLS-version) # Description diff --git a/03-Gateway_Ingress/05-TCP-FORWARDING/README.md b/03-Gateway_Ingress/05-TCP-FORWARDING/README.md index 34d1ce3..4492f21 100644 --- a/03-Gateway_Ingress/05-TCP-FORWARDING/README.md +++ b/03-Gateway_Ingress/05-TCP-FORWARDING/README.md @@ -5,7 +5,7 @@ include_toc: true # Based on -- [08a-HTTPS-min-TLS-version](../04a-HTTPS-min-TLS-version) +- [04a-HTTPS-min-TLS-version](../04a-HTTPS-min-TLS-version) # Description diff --git a/03-Gateway_Ingress/06-TLS-PASSTHROUGH/README.md b/03-Gateway_Ingress/06-TLS-PASSTHROUGH/README.md index 1172b82..1e3adfb 100644 --- a/03-Gateway_Ingress/06-TLS-PASSTHROUGH/README.md +++ b/03-Gateway_Ingress/06-TLS-PASSTHROUGH/README.md @@ -5,7 +5,7 @@ include_toc: true # Based on -- [10-TCP-FORWARDING](../05-TCP-FORWARDING) +- [05-TCP-FORWARDING](../05-TCP-FORWARDING) # Description diff --git a/03-Gateway_Ingress/07-HTTP-to-HTTPS-traffic-redirect/README.md b/03-Gateway_Ingress/07-HTTP-to-HTTPS-traffic-redirect/README.md index 2eb8e66..7288f33 100644 --- a/03-Gateway_Ingress/07-HTTP-to-HTTPS-traffic-redirect/README.md +++ b/03-Gateway_Ingress/07-HTTP-to-HTTPS-traffic-redirect/README.md @@ -5,7 +5,7 @@ include_toc: true # Based on -- [07-HTTPS-Gateway-Simple-TLS](../03-HTTPS-Gateway-Simple-TLS) +- [03-HTTPS-Gateway-Simple-TLS](../03-HTTPS-Gateway-Simple-TLS) # Description diff --git a/03-Gateway_Ingress/README.md b/03-Gateway_Ingress/README.md index e69de29..28428f2 100644 --- a/03-Gateway_Ingress/README.md +++ b/03-Gateway_Ingress/README.md 
@@ -0,0 +1,12 @@ +# Description + +This section focuses (but not limited to) on the configuration of `gateway` objects, providing examples of instances regarding how to limit to which `VirtualService` objects a `Gateway` object can connect to, regarding how to configure a HTTP to HTTPS redirect, or it's TLS configuration. + +# Examples + +- 01-header_routing +- 02-DirectResponse-HTTP-Body +- 03-HTTPRewrite +- 04-HTTPRedirect + + -- 2.47.2 From 87aab0c9be29f7f4e70479715b9f6030f9f23f9a Mon Sep 17 00:00:00 2001 From: savagebidoof Date: Sat, 14 Oct 2023 06:29:49 +0200 Subject: [PATCH 04/22] Proceeding with the README from each section. --- 04-Backends/02-HTTPS-backend/README.md | 2 +- 04-Backends/README.md | 9 +++++++++ 2 files changed, 10 insertions(+), 1 deletion(-) diff --git a/04-Backends/02-HTTPS-backend/README.md b/04-Backends/02-HTTPS-backend/README.md index 901a345..76369d1 100644 --- a/04-Backends/02-HTTPS-backend/README.md +++ b/04-Backends/02-HTTPS-backend/README.md @@ -5,7 +5,7 @@ include_toc: true # Based on -- [08a-HTTPS-min-TLS-version](../../03-Gateway_Ingress/04a-HTTPS-min-TLS-version) +- [03-Gateway_Ingress/04a-HTTPS-min-TLS-version](../../03-Gateway_Ingress/04a-HTTPS-min-TLS-version) # Description diff --git a/04-Backends/README.md b/04-Backends/README.md index e69de29..6cd98ca 100644 --- a/04-Backends/README.md +++ b/04-Backends/README.md @@ -0,0 +1,9 @@ +# Description + +This section will focus on the interaction with the backend and routing the traffic towards it. + +## Examples + +01-Service_Entry +02-HTTPS-backend +03-HTTPS-backend-with-mTLS (TODO) -- 2.47.2 From 23eb76352478297ef7228abfe0caaf3d989a675d Mon Sep 17 00:00:00 2001 From: savagebidoof Date: Sat, 14 Oct 2023 06:42:54 +0200 Subject: [PATCH 05/22] Fixed typos in 3 section references. --- 05-Sidecar/02-egress-proxy/README.md | 13 ++++++------- 1 file changed, 6 insertions(+), 7 deletions(-) 
diff --git a/05-Sidecar/02-egress-proxy/README.md b/05-Sidecar/02-egress-proxy/README.md index 9654487..94b17d2 100755 --- a/05-Sidecar/02-egress-proxy/README.md +++ b/05-Sidecar/02-egress-proxy/README.md @@ -467,7 +467,7 @@ We can see, how the `istio-proxy` container, from the `helloworld` POD, in the n [2023-05-15T12:48:31.605Z] "- - -" 0 UH - - "-" 0 0 0 - "-" "-" "-" "-" "-" BlackHoleCluster - 10.108.186.1:8080 172.17.247.52:53742 - - ``` -`BlackHoleCluster` resembles the same behavior as on the section [Curl helloworld.foo.svc.cluster.local:8080](#curl-helloworldfoosvcclusterlocal--8080). +`BlackHoleCluster` resembles the same behavior as on the section [Curl helloworld.foo.svc.cluster.local:8080](#curl-helloworldfoosvcclusterlocal8080). @@ -527,7 +527,7 @@ We can see, how the `istio-proxy` container, from the `helloworld` POD, in the n [2023-05-15T12:56:49.064Z] "- - -" 0 UH - - "-" 0 0 0 - "-" "-" "-" "-" "-" BlackHoleCluster - 10.107.249.242:80 172.17.121.93:57680 - - ``` -`BlackHoleCluster` resembles the same behavior as on the section [Curl helloworld.foo.svc.cluster.local:8080](#curl-helloworldfoosvcclusterlocal--8080). +`BlackHoleCluster` resembles the same behavior as on the section [Curl helloworld.foo.svc.cluster.local:8080](#curl-helloworldfoosvcclusterlocal8080). @@ -602,10 +602,7 @@ We can see, how the `istio-proxy` container, from the `helloworld` POD, in the n [2023-05-15T13:03:50.935Z] "- - -" 0 UH - - "-" 0 0 0 - "-" "-" "-" "-" "-" BlackHoleCluster - 10.108.186.1:80 172.17.121.93:43342 - - ``` -`BlackHoleCluster` resembles the same behavior as on the section [Curl helloworld.foo.svc.cluster.local:8080](#curl-helloworldfoosvcclusterlocal--8080). - - - +`BlackHoleCluster` resembles the same behavior as on the section [Curl helloworld.foo.svc.cluster.local:8080](#curl-helloworldfoosvcclusterlocal8080). #### Curl helloworld.default.svc.cluster.local:8080 
@@ -735,4 +732,6 @@ sidecar.networking.istio.io "helloworld-sidecar-foo" deleted - https://istio.io/v1.0/help/ops/traffic-management/proxy-cmd/#deep-dive-into-envoy-configuration -- https://istio.io/latest/docs/reference/commands/pilot-discovery/#pilot-discovery-completion \ No newline at end of file +- https://istio.io/latest/docs/reference/commands/pilot-discovery/#pilot-discovery-completion + +- https://istio.io/latest/docs/tasks/traffic-management/egress/egress-control/#change-to-the-blocking-by-default-policy \ No newline at end of file -- 2.47.2 From 8c1288f8d107389a6180813e6934195b83dbc7fc Mon Sep 17 00:00:00 2001 From: savagebidoof Date: Sat, 14 Oct 2023 06:43:07 +0200 Subject: [PATCH 06/22] Set up the base of the README --- 05-Sidecar/README.md | 156 +++++-------------------------------------- 1 file changed, 16 insertions(+), 140 deletions(-) diff --git a/05-Sidecar/README.md b/05-Sidecar/README.md index c0fed2d..1d132cf 100755 --- a/05-Sidecar/README.md +++ b/05-Sidecar/README.md 
@@ -1,157 +1,33 @@ +## Description + +On these examples, a `Sidecar` will be configured. ## Examples - 01-ingress-proxy-forwarding +- 02-egress-proxy -- - - - -Duplicate 01, and show how it also affects traffic between services.00 - - - - -egress from (pod to pod) - -mtls - - - -examples showing application priority (root < namespace < workload) - - - - -istioctl install profile=default --set meshConfig.outboundTrafficPolicy.mode=REGISTRY_ONLY - +## Heads up +On the example `02-egress-proxy`, it's a requisite to configure Istio's `meshConfig.outboundTrafficPolicy.mode` as "REGISTRY_ONLY". +During the installation of the cluster itself, can be set with. ```shell -$ kubectl get istiooperators.install.istio.io -n istio-system -NAME REVISION STATUS AGE -installed-state 8d +istioctl install profile=default --set meshConfig.outboundTrafficPolicy.mode=REGISTRY_ONLY ``` -kubectl patch istiooperators installed-state -n istio-system --patch-file patch.txt +On the current scenario, I would recommend purging the Istio installation and reinstalling again, as I assume that you +are testing this examples in a sandbox that you are free to "destroy". +### Purging Istio -kubectl patch istiooperators installed-state -n istio-system --patch-file patch.yaml --type merge - - - - - - ---- -Set the default behavior of the sidecar for handling outbound traffic from the application. If your application uses one or more external services that are not known apriori, setting the policy to ALLOW_ANY will cause the sidecars to route any unknown traffic originating from the application to its requested destination. 
- - - ---- -https://stackoverflow.com/questions/75093144/istio-sidecar-is-not-restricting-pod-connections-as-desired - -https://github.com/istio/istio/issues/33387 - -https://gist.github.com/GregHanson/3567f5a23bcd58ad1a8acf2a4d1155eb - - -https://istio.io/latest/docs/tasks/traffic-management/egress/egress-control/?_ga=2.259114634.1481027401.1681916557-32589553.1681916557#change-to-the-blocking-by-default-policy - - - - - - - -https://docs.tetrate.io/service-bridge/1.6.x/en-us/operations ? - - -https://istio.io/latest/docs/reference/config/networking/sidecar/ - - -https://istio.io/latest/docs/reference/glossary/#workload - - -I am not very sure on how or why to use this... - - - -NOT HOW TO TRIGGER / UNTRIGGER IT - -```yaml -apiVersion: - networking.istio.io/v1alpha3 -kind: Sidecar -metadata: - name: default - namespace: foo -spec: - egress: - - hosts: - - "./*" - - "istio-system/*" +```shell +istioctl uninstall --purge ``` +Then proceed with reinstalling Istio using the command from above. +### What if I don't want to purge Istio? -whats this again?? - -istio operator right? ye, but what is it again? I think I checked this time ago when doing something about creating a new ingress - - -kubectl get io -A - - -2023-04-17T00:08:00.086475Z info validationController Not ready to switch validation to fail-closed: dummy invalid config not rejected - - -2023-04-17T00:08:04.012630Z info validationServer configuration is invalid: gateway must have at least one server - - - - -kubectl logs -f deployments/istiod -n istio-system - -https://istio.io/latest/docs/reference/config/networking/sidecar/ - - - - - egress: - - port: - number: 8080 - protocol: HTTP - hosts: - - "staging/*" - - - -With the YAML above, the sidecar proxies the traffic that’s bound for port 8080 for services running in the staging namespace. 
- - - - - - - - -- Confirm pod ingress port forwarding - -- Confirm it can reach other places / namespaces / resources (pod egress) - -- mtls (somehow) - - -# Ingress - -Does stuff - -# Egress - -What is "bind" - -# CaptureMode - -Not my problem rn \ No newline at end of file +Modify the IstioOperator as mentioned [here](https://istio.io/latest/docs/tasks/traffic-management/egress/egress-control/#change-to-the-blocking-by-default-policy). \ No newline at end of file -- 2.47.2 From 6aa4cb2c03209abf18e2ff17db198c2992858a49 Mon Sep 17 00:00:00 2001 From: savagebidoof Date: Sat, 14 Oct 2023 06:46:54 +0200 Subject: [PATCH 07/22] Updated global README --- README.md | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/README.md b/README.md index 503a4d1..419f96b 100755 --- a/README.md +++ b/README.md @@ -4,7 +4,7 @@ I have absolutely used as a reference and/or template other parties configuratio I have tried to reference as much as possible as long it's relevant/useful for the reader. -Refer to the specific `README.md` in each example for more information, as (**my**) documentation is still in progress. +Refer to the specific `README.md` in each example for more information, some documentation is still in progress. Currently, the resources are under a relocation and the folders might contain things that don't _really match the topic_. @@ -13,9 +13,6 @@ Currently, the resources are under a relocation and the folders might contain th https://istio.io/latest/docs/reference/glossary/ - - - ## Services port names Istio allows to specify which protocol will run through a port. @@ -73,7 +70,8 @@ https://istio.io/latest/docs/ops/configuration/traffic-management/protocol-selec │   └── 07-HTTP-to-HTTPS-traffic-redirect ├── 04-Backends │   ├── 01-Service_Entry -│   └── 02-HTTPS-backend +│   ├── 02-HTTPS-backend +│   └── 03-HTTPS-backend-with-MTLS ├── 05-Sidecar │   ├── 01-ingress-proxy-forwarding │   └── 02-egress-proxy 
@@ -83,6 +81,7 @@ https://istio.io/latest/docs/ops/configuration/traffic-management/protocol-selec │   └── 03-target-deployments ├── 09-Ingress │   └── 01-Create-Istio-LoadBalancer +│   └── IstioOperator ├── 10-mTLS_PeerAuthentication │   ├── 01-disable-mTLS │   ├── 02-portLevelMtls @@ -94,6 +93,7 @@ https://istio.io/latest/docs/ops/configuration/traffic-management/protocol-selec ├── 90-MixConfigs │   ├── 01-HTTPS-Gateway_Service_Entry │   └── Minecraft +│   └── Istio-Ingress └── 99-resources └── HTTPS-NGINX-DOCKERFILE ``` \ No newline at end of file -- 2.47.2 From de4ae7dd09540f375bb547face46ec2632bf4da2 Mon Sep 17 00:00:00 2001 
From: savagebidoof Date: Sat, 14 Oct 2023 10:19:01 +0200 Subject: [PATCH 08/22] Documented 06_Envoy examples: - 01-Envoy-add-response-headers - 02-envoy-logging Added section README.md to: - 05-Sidecar - 06-Envoy --- .../06-Envoy/01-envoy_add_headers/README.md | 42 -- .../01-envoy_add_headers/gateway.yaml | 36 -- .placeholder/06-Envoy/README.md | 6 - 05-Sidecar/README.md | 4 +- .../Deployment.yaml | 17 - .../01-Envoy-add-response-headers/Envoy.yaml | 2 - .../Gateway.yaml | 14 + .../01-Envoy-add-response-headers/README.md | 308 +++++++++++++++ .../Service.yaml | 13 + .../VirtualService.yaml | 20 + 06-Envoy/02-envoy-logging/Deployment.yaml | 27 ++ .../02-envoy-logging/Envoy.yaml | 19 +- 06-Envoy/02-envoy-logging/Gateway.yaml | 14 + 06-Envoy/02-envoy-logging/README.md | 362 ++++++++++++++++++ 06-Envoy/02-envoy-logging/Service.yaml | 13 + 06-Envoy/02-envoy-logging/VirtualService.yaml | 20 + 06-Envoy/README.md | 45 +++ 17 files changed, 847 insertions(+), 115 deletions(-) delete mode 100755 .placeholder/06-Envoy/01-envoy_add_headers/README.md delete mode 100755 .placeholder/06-Envoy/01-envoy_add_headers/gateway.yaml delete mode 100755 .placeholder/06-Envoy/README.md rename .placeholder/06-Envoy/01-envoy_add_headers/deployment.yaml => 06-Envoy/01-Envoy-add-response-headers/Deployment.yaml (61%) rename .placeholder/06-Envoy/01-envoy_add_headers/envoy.yaml => 06-Envoy/01-Envoy-add-response-headers/Envoy.yaml (85%) create mode 100755 06-Envoy/01-Envoy-add-response-headers/Gateway.yaml create mode 100755 06-Envoy/01-Envoy-add-response-headers/README.md create mode 100644 06-Envoy/01-Envoy-add-response-headers/Service.yaml create mode 100644 06-Envoy/01-Envoy-add-response-headers/VirtualService.yaml create mode 100755 06-Envoy/02-envoy-logging/Deployment.yaml rename .placeholder/06-Envoy/01-envoy_add_headers/envoy2.yaml => 06-Envoy/02-envoy-logging/Envoy.yaml (54%) create mode 100755 06-Envoy/02-envoy-logging/Gateway.yaml create mode 100755 06-Envoy/02-envoy-logging/README.md 
create mode 100644 06-Envoy/02-envoy-logging/Service.yaml create mode 100644 06-Envoy/02-envoy-logging/VirtualService.yaml create mode 100755 06-Envoy/README.md diff --git a/.placeholder/06-Envoy/01-envoy_add_headers/README.md b/.placeholder/06-Envoy/01-envoy_add_headers/README.md deleted file mode 100755 index 74fa6b5..0000000 --- a/.placeholder/06-Envoy/01-envoy_add_headers/README.md +++ /dev/null @@ -1,42 +0,0 @@ -https://github.com/istio/istio/wiki/EnvoyFilter-Samples - -https://stackoverflow.com/questions/73262158/how-to-apply-envoyfilter-to-sidecar-inbound-and-gateway - - -https://istio.io/latest/docs/reference/config/networking/envoy-filter/ - -https://discuss.istio.io/t/adding-custom-response-headers-using-istios-1-6-0-envoy-lua-filter/7494 - - - -https://www.envoyproxy.io/docs/envoy/latest/configuration/http/http_filters/lua_filter - - -> kubectl logs -f deployments/istiod -n istio-system - - - -This somewhat is monitoring, can do cool stuff I don't know how or what to do - - -enable export access logs to stdout - - -istioctl install --set profile=default -y --set meshConfig.accessLogFile=/dev/stdout - - - -https://istio.io/latest/docs/ops/diagnostic-tools/component-logging/ - - - - -https://dev.to/aws-builders/understanding-istio-access-logs-2k5o - -```yaml -Note: Here I am using request_handle:logCritical method because default logLevel is WARN for Istio components. request_handle:logInfo can be used, if logLevel is set to Info. -``` - -https://youtu.be/yOtEG1luTwU - - diff --git a/.placeholder/06-Envoy/01-envoy_add_headers/gateway.yaml b/.placeholder/06-Envoy/01-envoy_add_headers/gateway.yaml deleted file mode 100755 index 8ba8a20..0000000 --- a/.placeholder/06-Envoy/01-envoy_add_headers/gateway.yaml +++ /dev/null 
@@ -1,36 +0,0 @@ -# https://github.com/istio/istio/blob/master/samples/helloworld/helloworld-gateway.yaml -apiVersion: networking.istio.io/v1alpha3 -kind: Gateway -metadata: - name: helloworld-gateway -spec: - selector: - istio: ingressgateway # use istio default controller - servers: - - port: - number: 80 - name: http - protocol: HTTP - hosts: - - "*" ---- -apiVersion: networking.istio.io/v1alpha3 -kind: VirtualService -metadata: - name: helloworld-vs -spec: - hosts: - - "*" - gateways: - - helloworld-gateway - http: - - match: - - uri: - exact: /helloworld - route: - - destination: - host: helloworld - port: - number: 80 - rewrite: - uri: "/" \ No newline at end of file diff --git a/.placeholder/06-Envoy/README.md b/.placeholder/06-Envoy/README.md deleted file mode 100755 index 42d222c..0000000 --- a/.placeholder/06-Envoy/README.md +++ /dev/null @@ -1,6 +0,0 @@ -https://youtu.be/yOtEG1luTwU - - -Rate Limit: - -https://istio.io/latest/docs/tasks/policy-enforcement/rate-limit/ \ No newline at end of file diff --git a/05-Sidecar/README.md b/05-Sidecar/README.md index 1d132cf..cd189d4 100755 --- a/05-Sidecar/README.md +++ b/05-Sidecar/README.md @@ -9,9 +9,9 @@ On these examples, a `Sidecar` will be configured. ## Heads up -On the example `02-egress-proxy`, it's a requisite to configure Istio's `meshConfig.outboundTrafficPolicy.mode` as "REGISTRY_ONLY". +On the example `02-egress-proxy`, it's a requisite to configure Istio's `meshConfig.outboundTrafficPolicy.mode` as `REGISTRY_ONLY`. -During the installation of the cluster itself, can be set with. +During the installation of the cluster itself, can be set with: ```shell istioctl install profile=default --set meshConfig.outboundTrafficPolicy.mode=REGISTRY_ONLY 
diff --git a/.placeholder/06-Envoy/01-envoy_add_headers/deployment.yaml b/06-Envoy/01-Envoy-add-response-headers/Deployment.yaml similarity index 61% rename from .placeholder/06-Envoy/01-envoy_add_headers/deployment.yaml rename to 06-Envoy/01-Envoy-add-response-headers/Deployment.yaml index e3319c3..d6dc8b9 100755 --- a/.placeholder/06-Envoy/01-envoy_add_headers/deployment.yaml +++ b/06-Envoy/01-Envoy-add-response-headers/Deployment.yaml @@ -1,19 +1,3 @@ -apiVersion: v1 -kind: Service -metadata: - name: helloworld - labels: - app: helloworld - service: helloworld -# annotations: -# sidecar.istio.io/componentLogLevel: info -spec: - ports: - - port: 80 - name: http - selector: - app: helloworld ---- apiVersion: apps/v1 kind: Deployment metadata: @@ -30,7 +14,6 @@ spec: labels: app: helloworld annotations: - sidecar.istio.io/componentLogLevel: lua:info spec: containers: - name: helloworld diff --git a/.placeholder/06-Envoy/01-envoy_add_headers/envoy.yaml b/06-Envoy/01-Envoy-add-response-headers/Envoy.yaml similarity index 85% rename from .placeholder/06-Envoy/01-envoy_add_headers/envoy.yaml rename to 06-Envoy/01-Envoy-add-response-headers/Envoy.yaml index 00a50dc..a70ea82 100755 --- a/.placeholder/06-Envoy/01-envoy_add_headers/envoy.yaml +++ b/06-Envoy/01-Envoy-add-response-headers/Envoy.yaml @@ -28,6 +28,4 @@ spec: inlineCode: | function envoy_on_response(response_handle) response_handle:headers():add("numbers", "lots of numbers") - response_handle:logInfo("Added header `numbers`") - response_handle:logInfo(">>>> Executed `envoy-add-response-header` <<<<") end diff --git a/06-Envoy/01-Envoy-add-response-headers/Gateway.yaml b/06-Envoy/01-Envoy-add-response-headers/Gateway.yaml new file mode 100755 index 0000000..bbd9d67 --- /dev/null +++ b/06-Envoy/01-Envoy-add-response-headers/Gateway.yaml 
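Review bot: In the second hunk of Deployment.yaml (`@@ -30,7 +14,6 @@`) the `annotations:` key is kept while its only entry `sidecar.istio.io/componentLogLevel: lua:info` is removed, leaving a bare `annotations:` that YAML parses as null rather than an empty mapping. Either delete the key or write `annotations: {}` so the pod template is explicit and yamllint's empty-values check passes. The first hunk moves the `helloworld` Service out of this file; the diffstat lists a new `Service.yaml` for it, which presumably now holds that manifest without the commented-out log-level annotation that was dropped here. The Deployment's `spec` continues outside the hunk.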
@@ -0,0 +1,14 @@ +apiVersion: networking.istio.io/v1alpha3 +kind: Gateway +metadata: + name: helloworld-gateway +spec: + selector: + istio: ingressgateway # use istio default controller + servers: + - port: + number: 80 + name: http + protocol: HTTP + hosts: + - "*" \ No newline at end of file diff --git a/06-Envoy/01-Envoy-add-response-headers/README.md b/06-Envoy/01-Envoy-add-response-headers/README.md new file mode 100755 index 0000000..de589c5 --- /dev/null +++ b/06-Envoy/01-Envoy-add-response-headers/README.md 
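Review bot: The new Gateway.yaml ends on `- "*"` with `\ No newline at end of file`; add the trailing newline so the manifest ends with `\n` (the sibling `06-Envoy/02-envoy-logging/Gateway.yaml` in the diffstat may need the same if it was created the same way). `hosts: - "*"` means this server admits any Host header on port 80, with routing narrowed only by the VirtualService's path match; a comment in the file's existing inline style, e.g. `hosts:  # any Host header is accepted; the VirtualService restricts by path`, would make that explicit for readers copying the example. The file declares no `---` document start, which yamllint's document-start rule flags; harmless for kubectl but worth aligning with the other manifests.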
@@ -0,0 +1,308 @@ +--- +gitea: none +include_toc: true +--- + +# Description + +This example deploys the same infrastructure as the [previous example](../../01-Getting_Started/01-hello_world_1_service_1_deployment), this time we will be configuring `Envoy` to add a custom header to the request response when our deployed service replies back. + +This example configures: + + Generic Kubernetes resources: + - 1 Service + - 1 Deployment + + Istio resources: + - 1 Gateway + - 1 Virtual Service + - 1 EnvoyFilter + + + +# Based on + +- [01-Getting_Started/01-hello_world_1_service_1_deployment](../../01-Getting_Started/01-hello_world_1_service_1_deployment) + +# Configuration + +## Service + +Creates a service named `helloworld`. + +This service listens for the port `80` expecting `HTTP` traffic and will forward the incoming traffic towards the port `80` from the destination pod. + +```yaml +apiVersion: v1 +kind: Service +metadata: + name: helloworld + labels: + app: helloworld + service: helloworld +spec: + ports: + - port: 80 + name: http + selector: + app: helloworld +``` + +## Deployment + +### helloworld + +Deploys a Nginx server that listens for the port `80`. + +```yaml +apiVersion: apps/v1 +kind: Deployment +metadata: + name: helloworld-nginx + labels: + app: helloworld +spec: + replicas: 1 + selector: + matchLabels: + app: helloworld + template: + metadata: + labels: + app: helloworld + spec: + containers: + - name: helloworld + image: nginx + resources: + requests: + cpu: "100m" + imagePullPolicy: IfNotPresent #Always + ports: + - containerPort: 80 + +``` + +## Gateway + +Deploys an Istio gateway that's listening to the port `80` for `HTTP` traffic. + +It doesn't filter for any specific host. + +The `selector` field is used to "choose" which Istio Load Balancers will have this gateway assigned to. 
+ +The Istio `default` profile creates a Load Balancer in the namespace `istio-system` that has the label `istio: ingressgateway` set, allowing us to target that specific Load Balancer and assign this gateway resource to it. + +```yaml +apiVersion: networking.istio.io/v1alpha3 +kind: Gateway +metadata: + name: helloworld-gateway +spec: + selector: + istio: ingressgateway + servers: + - port: + number: 80 + name: http + protocol: HTTP + hosts: + - "*" +``` + +## VirtualService + +The Virtual Service resources are used to route and filter the received traffic from the gateway resources, and route it towards the desired destination. + +On this example we select the gateway `helloworld-gateway`, which is the [gateway that 's described in the `Gateway` section](#gateway). + +On this resource, we are also not limiting the incoming traffic to any specific host, allowing for all the incoming traffic to go through the rules set. + +Here we created a rule that will be applied on `HTTP` related traffic (including `HTTPS` and `HTTP2`) when the destination path is exactly `/helloworld`. + +This traffic will be forwarded to the port `80` of the destination service `helloworld` (the full path URL equivalent would be `helloworld.$NAMESPACE.svc.cluster.local`). + +Additionally, there will be an internal URL rewrite set, as if the URL is not modified, it would attempt to reach to the `/helloworld` path from the Nginx deployment, which currently has no content and would result in an error code `404` (Not found). + +```yaml +apiVersion: networking.istio.io/v1alpha3 +kind: VirtualService +metadata: + name: helloworld-vs +spec: + hosts: + - "*" + gateways: + - helloworld-gateway + http: + - match: + - uri: + exact: /helloworld + route: + - destination: + host: helloworld + port: + number: 80 + rewrite: + uri: "/" +``` + +## EnvoyFilter + +`EnvoyFilter` allows to customize the Envoy configuration generated by Istio Pilot. 
+ +On this scenario we will be targeting the pods deployed in the namespace `default` with the label `app` set to `helloworld`. + +The rule created will apply to the filter `HTTP_FILTER` to attach the Lua script to the http connection manager. + +This script will be triggered with the incoming traffic goes through the port 80. + +The code inside the lua script is very straightforward: + +```lua +response_handle:headers():add("numbers", "lots of numbers") +``` + +Adds a header on the response request, which on this scenario is adding the header `numbers`, and giving it a value of `lots of numbers`. + +```yaml +apiVersion: networking.istio.io/v1alpha3 +kind: EnvoyFilter +metadata: + name: envoy-add-response-header + namespace: default +spec: + priority: 30 + workloadSelector: + labels: + app: helloworld + configPatches: + - applyTo: HTTP_FILTER + match: + context: SIDECAR_INBOUND + listener: + portNumber: 80 + filterChain: + filter: + name: "envoy.filters.network.http_connection_manager" + subFilter: + name: "envoy.filters.http.router" + patch: + operation: INSERT_BEFORE + value: + name: envoy.lua + typed_config: + "@type": "type.googleapis.com/envoy.extensions.filters.http.lua.v3.Lua" + inlineCode: | + function envoy_on_response(response_handle) + response_handle:headers():add("numbers", "lots of numbers") + end +``` + +# Walkthrough + +## Deploy resources + +Deploy the resources. + +```shell +kubectl apply -f ./ +``` +```text +deployment.apps/helloworld-nginx created +envoyfilter.networking.istio.io/envoy-add-response-header created +gateway.networking.istio.io/helloworld-gateway created +service/helloworld created +virtualservice.networking.istio.io/helloworld-vs created +``` + +## Wait for the pods to be ready + +Wait for the Nginx deployment to be ready. 
+ +```shell +kubectl get deployment helloworld-nginx -w +``` +```text +NAME READY UP-TO-DATE AVAILABLE AGE +helloworld-nginx 1/1 1 1 49s +``` + +## Test the service + +### Get LB IP + +To perform the desired tests, we will need to obtain the IP Istio Load Balancer that we selected in the [Gateway section](#gateway). + +On my environment, the IP is the `192.168.1.50`. + +```shell +kubectl get svc -l istio=ingressgateway -A +``` +```text +NAMESPACE NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE +istio-system istio-ingressgateway LoadBalancer 10.97.47.216 192.168.1.50 15021:31316/TCP,80:32012/TCP,443:32486/TCP 72d +``` + +### Confirm the deployment works correctly. + +```shell +curl 192.168.1.50/helloworld -s | grep "

.*

" +``` + +```text +

Welcome to nginx!

+``` + +### Confirm the Lua Script is working correctly + +After confirming that the request is able to succeed and confirming the backend that it's handling such request, the +next step is to verify if the Lua script we deployed on through the [EnvoyFilter](#envoyfilter) is adding a new header. + +```shell +curl 192.168.1.50/helloworld --head +``` + +```text +HTTP/1.1 200 OK +server: istio-envoy +date: Sat, 14 Oct 2023 07:21:03 GMT +content-type: text/html +content-length: 615 +last-modified: Tue, 15 Aug 2023 17:03:04 GMT +etag: "64dbafc8-267" +accept-ranges: bytes +x-envoy-upstream-service-time: 3 +numbers: lots of numbers +``` + +#### Reviewing the response + +If we take a closer look at the fields returned, at the bottom of the textblock, we can appreciate the following line: + +> numbers: lots of numbers + +Therefore, we were able to confirm that the [EnvoyFilter](#envoyfilter) configuration we set with a Lua script, did work +as intended and added the desired Header to the response from the backend. + +## Cleanup + +Finally, a cleanup from the resources deployed. + +```shell +kubectl delete -f ./ +``` +```text +deployment.apps "helloworld-nginx" deleted +envoyfilter.networking.istio.io "envoy-add-response-header" deleted +gateway.networking.istio.io "helloworld-gateway" deleted +service "helloworld" deleted +virtualservice.networking.istio.io "helloworld-vs" deleted +``` + +## Links of interest + +- https://istio.io/latest/docs/reference/config/networking/envoy-filter/ +- https://istio.io/latest/docs/reference/config/networking/envoy-filter/#EnvoyFilter-ApplyTo +- https://github.com/istio/istio/wiki/EnvoyFilter-Samples +- https://istio.io/latest/docs/reference/config/networking/envoy-filter/#EnvoyFilter-Patch-Operation \ No newline at end of file diff --git a/06-Envoy/01-Envoy-add-response-headers/Service.yaml b/06-Envoy/01-Envoy-add-response-headers/Service.yaml new file mode 100644 index 0000000..271ce25 --- /dev/null 
+++ b/06-Envoy/01-Envoy-add-response-headers/Service.yaml
@@ -0,0 +1,13 @@
+apiVersion: v1
+kind: Service
+metadata:
+ name: helloworld
+ labels:
+ app: helloworld
+ service: helloworld
+spec:
+ ports:
+ - port: 80
+ name: http
+ selector:
+ app: helloworld
\ No newline at end of file
diff --git a/06-Envoy/01-Envoy-add-response-headers/VirtualService.yaml b/06-Envoy/01-Envoy-add-response-headers/VirtualService.yaml
new file mode 100644
index 0000000..205231b
--- /dev/null
+++ b/06-Envoy/01-Envoy-add-response-headers/VirtualService.yaml
@@ -0,0 +1,20 @@
+apiVersion: networking.istio.io/v1alpha3
+kind: VirtualService
+metadata:
+ name: helloworld-vs
+spec:
+ hosts:
+ - "*"
+ gateways:
+ - helloworld-gateway
+ http:
+ - match:
+ - uri:
+ exact: /helloworld
+ route:
+ - destination:
+ host: helloworld
+ port:
+ number: 80
+ rewrite:
+ uri: "/"
\ No newline at end of file
diff --git a/06-Envoy/02-envoy-logging/Deployment.yaml b/06-Envoy/02-envoy-logging/Deployment.yaml
new file mode 100755
index 0000000..056a1da
--- /dev/null
+++ b/06-Envoy/02-envoy-logging/Deployment.yaml
@@ -0,0 +1,27 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: helloworld-nginx
+ labels:
+ app: helloworld
+spec:
+ replicas: 1
+ selector:
+ matchLabels:
+ app: helloworld
+ template:
+ metadata:
+ labels:
+ app: helloworld
+ annotations:
+ sidecar.istio.io/componentLogLevel: lua:debug
+ spec:
+ containers:
+ - name: helloworld
+ image: nginx
+ resources:
+ requests:
+ cpu: "100m"
+ imagePullPolicy: IfNotPresent #Always
+ ports:
+ - containerPort: 80
diff --git a/.placeholder/06-Envoy/01-envoy_add_headers/envoy2.yaml b/06-Envoy/02-envoy-logging/Envoy.yaml
similarity index 54%
rename from .placeholder/06-Envoy/01-envoy_add_headers/envoy2.yaml
rename to 06-Envoy/02-envoy-logging/Envoy.yaml
index 664b472..0961e7c 100755
--- a/.placeholder/06-Envoy/01-envoy_add_headers/envoy2.yaml
+++ b/06-Envoy/02-envoy-logging/Envoy.yaml
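Review bot: The new 02-envoy-logging/Deployment.yaml pulls `image: nginx` with no tag or digest while setting `imagePullPolicy: IfNotPresent`, so the pod runs whatever `latest` happens to be cached on the node and the example is not reproducible; pin the image, e.g. `image: nginx:<pinned-tag>` (tag to be chosen), and either drop the stale `#Always` comment on the pull-policy line or say why it is there. The same untagged `image: nginx` appears in the Deployments.yaml hunk under 08-AuthorizationPolicy/01-AuthorizationPolicy-Target-Namespaces later in this series. The `sidecar.istio.io/componentLogLevel: lua:debug` annotation is the subject of the example, but a one-line comment above it such as `# lab-only: raises the sidecar's Lua logger to debug so the EnvoyFilter's log calls are visible` would stop readers copying it into a non-lab manifest unchanged.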
@@ -1,7 +1,7 @@
 apiVersion: networking.istio.io/v1alpha3
 kind: EnvoyFilter
 metadata:
- name: envoy-add-response-header2
+ name: envoy-raise-logs
 namespace: default
 spec:
 priority: 40
@@ -27,12 +27,11 @@ spec:
 "@type": "type.googleapis.com/envoy.extensions.filters.http.lua.v3.Lua"
 inlineCode: |
 function envoy_on_response(response_handle)
- response_handle:headers():add("fruit", "watermelons")
- response_handle:logCritical("Critical: Added header `fruit`")
- response_handle:logErr("Error: Added header `fruit`")
- response_handle:logWarn("Warning: Added header `fruit`")
- response_handle:logInfo("Info: Added header `fruit`")
- response_handle:logDebug("Debug: Added header `fruit`")
- response_handle:logTrace("Trace: Added header `fruit`")
- response_handle:logInfo(">>>> Executed `envoy-add-response-header2` <<<<")
- end
\ No newline at end of file
+ response_handle:logCritical("Critical: This is my Critical log")
+ response_handle:logErr("Error: This is my Error log")
+ response_handle:logWarn("Warning: This is my Warning log")
+ response_handle:logInfo("Info: This is my Info log")
+ response_handle:logDebug("Debug: This is my Debug log")
+ response_handle:logTrace("Trace: This is my Trace log")
+ response_handle:logInfo(">>>> Executed `envoy-raise-logs` <<<<")
+ end
diff --git a/06-Envoy/02-envoy-logging/Gateway.yaml b/06-Envoy/02-envoy-logging/Gateway.yaml
new file mode 100755
index 0000000..bbd9d67
--- /dev/null
+++ b/06-Envoy/02-envoy-logging/Gateway.yaml
@@ -0,0 +1,14 @@
+apiVersion: networking.istio.io/v1alpha3
+kind: Gateway
+metadata:
+ name: helloworld-gateway
+spec:
+ selector:
+ istio: ingressgateway # use istio default controller
+ servers:
+ - port:
+ number: 80
+ name: http
+ protocol: HTTP
+ hosts:
+ - "*"
\ No newline at end of file
diff --git a/06-Envoy/02-envoy-logging/README.md b/06-Envoy/02-envoy-logging/README.md
new file mode 100755
index 0000000..d7f64f4
--- /dev/null
+++ b/06-Envoy/02-envoy-logging/README.md
@@ -0,0 +1,362 @@ +--- +gitea: none +include_toc: true +--- + +# Description + +This example deploys the same infrastructure as the [previous example](../../01-Getting_Started/01-hello_world_1_service_1_deployment), but instead of adding a header to the response, we will be raising a custom log entry. + +This example configures: + + Generic Kubernetes resources: + - 1 Service + - 1 Deployment + + Istio resources: + - 1 Gateway + - 1 Virtual Service + - 1 EnvoyFilter + + + +# Based on + +- [01-Getting_Started/01-hello_world_1_service_1_deployment](../../01-Getting_Started/01-hello_world_1_service_1_deployment) + +# Configuration + +## Service + +Creates a service named `helloworld`. + +This service listens for the port `80` expecting `HTTP` traffic and will forward the incoming traffic towards the port `80` from the destination pod. + +```yaml +apiVersion: v1 +kind: Service +metadata: + name: helloworld + labels: + app: helloworld + service: helloworld +spec: + ports: + - port: 80 + name: http + selector: + app: helloworld +``` + +## Deployment + +### helloworld + +Deploys a Nginx server that listens for the port `80`. + +On this deployment, we have set an annotation to configure a log level for the Istio sidecar/envoy-proxy attached to the deployment, that will allow the Lua scripts for a "debug" log level. + +```yaml +apiVersion: apps/v1 +kind: Deployment +metadata: + name: helloworld-nginx + labels: + app: helloworld +spec: + replicas: 1 + selector: + matchLabels: + app: helloworld + template: + metadata: + labels: + app: helloworld + annotations: + sidecar.istio.io/componentLogLevel: lua:debug + spec: + containers: + - name: helloworld + image: nginx + resources: + requests: + cpu: "100m" + imagePullPolicy: IfNotPresent #Always + ports: + - containerPort: 80 + +``` + +## Gateway + +Deploys an Istio gateway that's listening to the port `80` for `HTTP` traffic. + +It doesn't filter for any specific host. 
+ +The `selector` field is used to "choose" which Istio Load Balancers will have this gateway assigned to. + +The Istio `default` profile creates a Load Balancer in the namespace `istio-system` that has the label `istio: ingressgateway` set, allowing us to target that specific Load Balancer and assign this gateway resource to it. + +```yaml +apiVersion: networking.istio.io/v1alpha3 +kind: Gateway +metadata: + name: helloworld-gateway +spec: + selector: + istio: ingressgateway + servers: + - port: + number: 80 + name: http + protocol: HTTP + hosts: + - "*" +``` + +## VirtualService + +The Virtual Service resources are used to route and filter the received traffic from the gateway resources, and route it towards the desired destination. + +On this example we select the gateway `helloworld-gateway`, which is the [gateway that 's described in the `Gateway` section](#gateway). + +On this resource, we are also not limiting the incoming traffic to any specific host, allowing for all the incoming traffic to go through the rules set. + +Here we created a rule that will be applied on `HTTP` related traffic (including `HTTPS` and `HTTP2`) when the destination path is exactly `/helloworld`. + +This traffic will be forwarded to the port `80` of the destination service `helloworld` (the full path URL equivalent would be `helloworld.$NAMESPACE.svc.cluster.local`). + +Additionally, there will be an internal URL rewrite set, as if the URL is not modified, it would attempt to reach to the `/helloworld` path from the Nginx deployment, which currently has no content and would result in an error code `404` (Not found). 
+ +```yaml +apiVersion: networking.istio.io/v1alpha3 +kind: VirtualService +metadata: + name: helloworld-vs +spec: + hosts: + - "*" + gateways: + - helloworld-gateway + http: + - match: + - uri: + exact: /helloworld + route: + - destination: + host: helloworld + port: + number: 80 + rewrite: + uri: "/" +``` + +## EnvoyFilter + +`EnvoyFilter` allows to customize the Envoy configuration generated by Istio Pilot. + +On this scenario we will be targeting the pods deployed in the namespace `default` with the label `app` set to `helloworld`. + +The rule created will apply to the filter `HTTP_FILTER` to attach the Lua script to the http connection manager. + +This script will be triggered with the incoming traffic goes through the port 80. + +The code inside the lua script is fairly simple, as it will generate multiple logs in various tier levels, going from **Critical** to **Trace**: + +```lua +response_handle:logCritical("Critical: This is my Critical log") +response_handle:logErr("Error: This is my Error log") +response_handle:logWarn("Warning: This is my Warning log") +response_handle:logInfo("Info: This is my Info log") +response_handle:logDebug("Debug: This is my Debug log") +response_handle:logTrace("Trace: This is my Trace log") +response_handle:logInfo(">>>> Executed `envoy-raise-logs` <<<<") +``` + +```yaml +apiVersion: networking.istio.io/v1alpha3 +kind: EnvoyFilter +metadata: + name: envoy-raise-logs + namespace: default +spec: + priority: 40 + workloadSelector: + labels: + app: helloworld + configPatches: + - applyTo: HTTP_FILTER + match: + context: SIDECAR_INBOUND + listener: + portNumber: 80 + filterChain: + filter: + name: "envoy.filters.network.http_connection_manager" + subFilter: + name: "envoy.filters.http.router" + patch: + operation: INSERT_BEFORE + value: + name: envoy.lua + typed_config: + "@type": "type.googleapis.com/envoy.extensions.filters.http.lua.v3.Lua" + inlineCode: | + function envoy_on_response(response_handle) + 
response_handle:logCritical("Critical: This is my Critical log") + response_handle:logErr("Error: This is my Error log") + response_handle:logWarn("Warning: This is my Warning log") + response_handle:logInfo("Info: This is my Info log") + response_handle:logDebug("Debug: This is my Debug log") + response_handle:logTrace("Trace: This is my Trace log") + response_handle:logInfo(">>>> Executed `envoy-raise-logs` <<<<") + end +``` + +# Walkthrough + +## Deploy resources + +Deploy the resources. + +```shell +kubectl apply -f ./ +``` +```text +deployment.apps/helloworld-nginx created +envoyfilter.networking.istio.io/envoy-raise-logs created +gateway.networking.istio.io/helloworld-gateway created +service/helloworld created +virtualservice.networking.istio.io/helloworld-vs created +``` + +## Wait for the pods to be ready + +Wait for the Nginx deployment to be ready. + +```shell +kubectl get deployment helloworld-nginx -w +``` +```text +NAME READY UP-TO-DATE AVAILABLE AGE +helloworld-nginx 1/1 1 1 7s +``` + +## Test the service + +### Get LB IP + +To perform the desired tests, we will need to obtain the IP Istio Load Balancer that we selected in the [Gateway section](#gateway). + +On my environment, the IP is the `192.168.1.50`. + +```shell +kubectl get svc -l istio=ingressgateway -A +``` +```text +NAMESPACE NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE +istio-system istio-ingressgateway LoadBalancer 10.97.47.216 192.168.1.50 15021:31316/TCP,80:32012/TCP,443:32486/TCP 72d +``` + +### Confirm the deployment works correctly. + +```shell +curl 192.168.1.50/helloworld -s | grep "

.*

" +``` + +```text +

Welcome to nginx!

+``` + +### Confirm the Lua Script is working correctly + +#### Monitor the logs + +In a new shell we will use the following command to monitor the logs from the `istio-proxy` container located in the deployment created. + +```shell +kubectl logs -l app=helloworld -c istio-proxy -f +``` + +#### Initiate a traffic request + +After confirming that the request is able to succeed and confirming the backend that it's handling such request, the +next step is to verify if the Lua script we deployed on through the [EnvoyFilter](#envoyfilter) is adding a new header. + +```shell +curl 192.168.1.50/helloworld -s | grep "

.*

" +``` + +```text +

Welcome to nginx!

+``` + +#### Logs generated + +```text +2023-10-14T07:59:36.213492Z critical envoy lua external/envoy/source/extensions/filters/http/lua/lua_filter.cc:933 script log: Critical: This is my Critical log thread=28 +2023-10-14T07:59:36.213714Z error envoy lua external/envoy/source/extensions/filters/http/lua/lua_filter.cc:930 script log: Error: This is my Error log thread=28 +2023-10-14T07:59:36.213846Z warning envoy lua external/envoy/source/extensions/filters/http/lua/lua_filter.cc:927 script log: Warning: This is my Warning log thread=28 +2023-10-14T07:59:36.213972Z info envoy lua external/envoy/source/extensions/filters/http/lua/lua_filter.cc:924 script log: Info: This is my Info log thread=28 +2023-10-14T07:59:36.214096Z debug envoy lua external/envoy/source/extensions/filters/http/lua/lua_filter.cc:921 script log: Debug: This is my Debug log thread=28 +2023-10-14T07:59:36.214296Z info envoy lua external/envoy/source/extensions/filters/http/lua/lua_filter.cc:924 script log: >>>> Executed `envoy-raise-logs` <<<< thread=28 +2023-10-14T07:59:36.214425Z debug envoy lua external/envoy/source/extensions/filters/common/lua/lua.cc:39 coroutine finished thread=28 +[2023-10-14T07:59:36.210Z] "GET /helloworld HTTP/1.1" 200 - via_upstream - "-" 0 615 11 1 "192.168.1.44" "curl/8.4.0" "47093b83-6658-4ec6-8d21-7da5e70d6423" "192.168.1.50" "172.16.106.50:80" inbound|80|| 127.0.0.6:44723 172.16.106.50:80 192.168.1.44:0 outbound_.80_._.helloworld.default.svc.cluster.local default +``` + +Reviewing the logs generated, we can observe that the entries range from `critical` to `debug`, yet we cannot locate the `trace` level log entry that we configured in the Lua script. + +This is caused due to the annotation configured in the [Deployment](#deployment), where we selected a log level for the Lua script to be `debug`, out-ranging the `trace` level. 
+ +Therefore, we were able to confirm that the [EnvoyFilter](#envoyfilter) configuration we set with a Lua script, did work +as intended and added the desired Header to the response from the backend, even tho the log entry with `trace` level was not recorded. + +#### How to check the log level settings from a pod? + +Through the command `istioctl proxy-config log `. + +```shell +istioctl proxy-config log "$(kubectl get pod -l app=helloworld | grep helloworld-nginx | awk '{print $1}')" +``` + +```text +helloworld-nginx-d8bc84b86-h6c68.default: +active loggers: +... + health_checker: warning + http: warning + http2: warning + hystrix: warning + init: warning + io: warning + jwt: warning + kafka: warning + key_value_store: warning + lua: debug + main: warning +... +``` + +As well, we can confirm that by default the settings are set to only retain "warning" level logs. + +## Cleanup + +Finally, a cleanup from the resources deployed. + +```shell +kubectl delete -f ./ +``` +```text +deployment.apps "helloworld-nginx" deleted +envoyfilter.networking.istio.io "envoy-raise-logs" deleted +gateway.networking.istio.io "helloworld-gateway" deleted +service "helloworld" deleted +virtualservice.networking.istio.io "helloworld-vs" deleted +``` + +## Links of interest + +- https://istio.io/latest/docs/reference/config/networking/envoy-filter/ +- https://istio.io/latest/docs/reference/config/networking/envoy-filter/#EnvoyFilter-ApplyTo +- https://github.com/istio/istio/wiki/EnvoyFilter-Samples +- https://istio.io/latest/docs/reference/config/networking/envoy-filter/#EnvoyFilter-Patch-Operation \ No newline at end of file diff --git a/06-Envoy/02-envoy-logging/Service.yaml b/06-Envoy/02-envoy-logging/Service.yaml new file mode 100644 index 0000000..271ce25 --- /dev/null +++ b/06-Envoy/02-envoy-logging/Service.yaml 
@@ -0,0 +1,13 @@
+apiVersion: v1
+kind: Service
+metadata:
+ name: helloworld
+ labels:
+ app: helloworld
+ service: helloworld
+spec:
+ ports:
+ - port: 80
+ name: http
+ selector:
+ app: helloworld
\ No newline at end of file
diff --git a/06-Envoy/02-envoy-logging/VirtualService.yaml b/06-Envoy/02-envoy-logging/VirtualService.yaml
new file mode 100644
index 0000000..205231b
--- /dev/null
+++ b/06-Envoy/02-envoy-logging/VirtualService.yaml
@@ -0,0 +1,20 @@
+apiVersion: networking.istio.io/v1alpha3
+kind: VirtualService
+metadata:
+ name: helloworld-vs
+spec:
+ hosts:
+ - "*"
+ gateways:
+ - helloworld-gateway
+ http:
+ - match:
+ - uri:
+ exact: /helloworld
+ route:
+ - destination:
+ host: helloworld
+ port:
+ number: 80
+ rewrite:
+ uri: "/"
\ No newline at end of file
diff --git a/06-Envoy/README.md b/06-Envoy/README.md
new file mode 100755
index 0000000..6ddf0b6
--- /dev/null
+++ b/06-Envoy/README.md
@@ -0,0 +1,45 @@ + +## Description + +This section focuses on configuring the object `EnvoyFilter`. + + +## Heads up + +On the example `02-envoy-logging`, it's a requisite to configure Istio's `meshConfig.accessLogFile` as `/dev/stdout`. + +During the installation of the cluster itself, can be set with: + +```shell +istioctl install --set profile=default -y --set meshConfig.accessLogFile=/dev/stdout +``` + +On the current scenario, I would recommend purging the Istio installation and reinstalling again, as I assume that you +are testing this examples in a sandbox that you are free to "destroy". + +### Purging Istio + +```shell +istioctl uninstall --purge +``` + +Then proceed with reinstalling Istio using the command from above. + +### What if I don't want to purge Istio? + +Modify the IstioOperator similarly as mentioned [here](https://istio.io/latest/docs/tasks/traffic-management/egress/egress-control/#change-to-the-blocking-by-default-policy), and populate the object with the following fields: + +```yaml +spec: + profile: minimal + meshConfig: + accessLogFile: /dev/stdout +``` + + +## Links of Interest + +- https://istio.io/latest/docs/reference/config/networking/envoy-filter/ +- https://istio.io/latest/docs/reference/config/networking/envoy-filter/#EnvoyFilter-ApplyTo +- https://github.com/istio/istio/wiki/EnvoyFilter-Samples +- https://istio.io/latest/docs/reference/config/networking/envoy-filter/#EnvoyFilter-Patch-Operation -- 2.47.2 From fd3f9b6e95c8b95e89c5083b9e563db868f37292 Mon Sep 17 00:00:00 2001 From: savagebidoof Date: Sat, 14 Oct 2023 10:25:13 +0200 Subject: [PATCH 09/22] Didn't add the `examples` section. --- 06-Envoy/README.md | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/06-Envoy/README.md b/06-Envoy/README.md index 6ddf0b6..cbdb984 100755 --- a/06-Envoy/README.md +++ b/06-Envoy/README.md 
@@ -3,6 +3,10 @@ This section focuses on configuring the object `EnvoyFilter`. +## Examples + +- 01-Envoy-add-response-headers +- 02-envoy-logging ## Heads up -- 2.47.2 From 84b71d975199c40bbdfaf044dfca82f3491c3bca Mon Sep 17 00:00:00 2001 From: savagebidoof Date: Sat, 14 Oct 2023 10:27:11 +0200 Subject: [PATCH 10/22] Minor update to the global README.md file. --- README.md | 77 ++++++++++++++++++++++++++++--------------------------- 1 file changed, 39 insertions(+), 38 deletions(-) diff --git a/README.md b/README.md index 419f96b..d9ca429 100755 --- a/README.md +++ b/README.md @@ -8,43 +8,6 @@ Refer to the specific `README.md` in each example for more information, some doc Currently, the resources are under a relocation and the folders might contain things that don't _really match the topic_. - -# Glossary - -https://istio.io/latest/docs/reference/glossary/ - -## Services port names - -Istio allows to specify which protocol will run through a port. - -It requires the name of the port to be set to a specific format `name: (-)`. - -Starting from Kubernetes 1.18, it also can be specified through the `appProtocol` field in the port, resulting in `appProtocol: `. - -This means that port names should respect this format to avoid issues, and for such be cautious when setting up the name of the ports. - -This applies to multiple Istio elements, but as well to `kind: Services` from default Kubernetes. - -For more information about this behavior, refer to: - -https://istio.io/latest/docs/ops/configuration/traffic-management/protocol-selection/#explicit-protocol-selection - - - -# Links of interest - -- https://istio.io/latest/docs/ - -- https://istiobyexample.dev/ - -- https://www.istioworkshop.io/ - -- https://istio.io/latest/news/ - -- https://istio.io/latest/blog/ - -- https://istio.io/latest/about/ecosystem/ - # Tree of folders ```text 
@@ -75,6 +38,9 @@ https://istio.io/latest/docs/ops/configuration/traffic-management/protocol-selec ├── 05-Sidecar │   ├── 01-ingress-proxy-forwarding │   └── 02-egress-proxy +├── 06-Envoy +│   ├── 01-Envoy-add-response-headers +│   └── 02-envoy-logging ├── 08-AuthorizationPolicy │   ├── 01-target-namespaces │   ├── 02-target-service-accounts @@ -96,4 +62,39 @@ https://istio.io/latest/docs/ops/configuration/traffic-management/protocol-selec │   └── Istio-Ingress └── 99-resources └── HTTPS-NGINX-DOCKERFILE -``` \ No newline at end of file +``` + + +# Glossary + +https://istio.io/latest/docs/reference/glossary/ + +## Services port names + +Istio allows to specify which protocol will run through a port. + +It requires the name of the port to be set to a specific format `name: (-)`. + +Starting from Kubernetes 1.18, it also can be specified through the `appProtocol` field in the port, resulting in `appProtocol: `. + +This means that port names should respect this format to avoid issues, and for such be cautious when setting up the name of the ports. + +This applies to multiple Istio elements, but as well to `kind: Services` from default Kubernetes. + +For more information about this behavior, refer to: + +https://istio.io/latest/docs/ops/configuration/traffic-management/protocol-selection/#explicit-protocol-selection + +# Links of interest + +- https://istio.io/latest/docs/ + +- https://istiobyexample.dev/ + +- https://www.istioworkshop.io/ + +- https://istio.io/latest/news/ + +- https://istio.io/latest/blog/ + +- https://istio.io/latest/about/ecosystem/ -- 2.47.2 From d117481a5b4140dd821334326cbe2c6384ef9ac0 Mon Sep 17 00:00:00 2001 
From: savagebidoof Date: Sat, 14 Oct 2023 10:59:33 +0200 Subject: [PATCH 11/22] Documented Section Readme for: - 08-AuthorizationPolicy Also, (speed) documented its examples. --- .../01-Namespace.yaml} | 0 .../AuthorizationPolicy.yaml} | 0 .../Deployments.yaml} | 32 +++++++++----- .../Gateway.yaml} | 0 .../README.md | 11 ++--- .../Services.yaml | 30 +++++++++++++ .../01-Namespace.yaml} | 0 .../01-Service_Accounts.yaml} | 0 .../AuthorizationPolicy.yaml} | 0 .../Deployments.yaml} | 42 ++++++++++++------- .../README.md | 16 ++++--- .../Services.yaml | 30 +++++++++++++ .../gateway.yaml | 0 .../01-Namespace.yaml} | 0 .../AuthorizationPolicy.yaml} | 0 .../Deployments.yaml} | 32 +++++++++----- .../Gateway.yaml} | 0 .../README.md | 19 ++++++--- .../Services.yaml | 30 +++++++++++++ .../03-target-deployments/deployment.yaml | 40 ------------------ .../03-target-deployments/deployment_2.yaml | 42 ------------------- 08-AuthorizationPolicy/README.md | 26 ++++-------- 22 files changed, 193 insertions(+), 157 deletions(-) rename 08-AuthorizationPolicy/{01-target-namespaces/01-namespace.yaml => 01-AuthorizationPolicy-Target-Namespaces/01-Namespace.yaml} (100%) rename 08-AuthorizationPolicy/{01-target-namespaces/authentication.yaml => 01-AuthorizationPolicy-Target-Namespaces/AuthorizationPolicy.yaml} (100%) rename 08-AuthorizationPolicy/{02-target-service-accounts/deployment_2.yaml => 01-AuthorizationPolicy-Target-Namespaces/Deployments.yaml} (54%) rename 08-AuthorizationPolicy/{01-target-namespaces/gateway.yaml => 01-AuthorizationPolicy-Target-Namespaces/Gateway.yaml} (100%) rename 08-AuthorizationPolicy/{01-target-namespaces => 01-AuthorizationPolicy-Target-Namespaces}/README.md (96%) create mode 100644 08-AuthorizationPolicy/01-AuthorizationPolicy-Target-Namespaces/Services.yaml rename 08-AuthorizationPolicy/{02-target-service-accounts/01-namespace.yaml => 02-AuthorizationPolicy-Target-Service-Accounts/01-Namespace.yaml} (100%) rename 
08-AuthorizationPolicy/{02-target-service-accounts/01-service-accounts.yaml => 02-AuthorizationPolicy-Target-Service-Accounts/01-Service_Accounts.yaml} (100%) rename 08-AuthorizationPolicy/{02-target-service-accounts/authentication.yaml => 02-AuthorizationPolicy-Target-Service-Accounts/AuthorizationPolicy.yaml} (100%) rename 08-AuthorizationPolicy/{02-target-service-accounts/deployment.yaml => 02-AuthorizationPolicy-Target-Service-Accounts/Deployments.yaml} (55%) rename 08-AuthorizationPolicy/{02-target-service-accounts => 02-AuthorizationPolicy-Target-Service-Accounts}/README.md (96%) create mode 100644 08-AuthorizationPolicy/02-AuthorizationPolicy-Target-Service-Accounts/Services.yaml rename 08-AuthorizationPolicy/{02-target-service-accounts => 02-AuthorizationPolicy-Target-Service-Accounts}/gateway.yaml (100%) rename 08-AuthorizationPolicy/{03-target-deployments/01-namespace.yaml => 03-AuthorizationPolicy-Target-Deployments/01-Namespace.yaml} (100%) rename 08-AuthorizationPolicy/{03-target-deployments/authentication.yaml => 03-AuthorizationPolicy-Target-Deployments/AuthorizationPolicy.yaml} (100%) rename 08-AuthorizationPolicy/{01-target-namespaces/deployment_2.yaml => 03-AuthorizationPolicy-Target-Deployments/Deployments.yaml} (54%) rename 08-AuthorizationPolicy/{03-target-deployments/gateway.yaml => 03-AuthorizationPolicy-Target-Deployments/Gateway.yaml} (100%) rename 08-AuthorizationPolicy/{03-target-deployments => 03-AuthorizationPolicy-Target-Deployments}/README.md (94%) create mode 100644 08-AuthorizationPolicy/03-AuthorizationPolicy-Target-Deployments/Services.yaml delete mode 100755 08-AuthorizationPolicy/03-target-deployments/deployment.yaml delete mode 100755 08-AuthorizationPolicy/03-target-deployments/deployment_2.yaml 
diff --git a/08-AuthorizationPolicy/01-target-namespaces/01-namespace.yaml b/08-AuthorizationPolicy/01-AuthorizationPolicy-Target-Namespaces/01-Namespace.yaml similarity index 100% rename from 08-AuthorizationPolicy/01-target-namespaces/01-namespace.yaml rename to 08-AuthorizationPolicy/01-AuthorizationPolicy-Target-Namespaces/01-Namespace.yaml diff --git a/08-AuthorizationPolicy/01-target-namespaces/authentication.yaml b/08-AuthorizationPolicy/01-AuthorizationPolicy-Target-Namespaces/AuthorizationPolicy.yaml similarity index 100% rename from 08-AuthorizationPolicy/01-target-namespaces/authentication.yaml rename to 08-AuthorizationPolicy/01-AuthorizationPolicy-Target-Namespaces/AuthorizationPolicy.yaml diff --git a/08-AuthorizationPolicy/02-target-service-accounts/deployment_2.yaml b/08-AuthorizationPolicy/01-AuthorizationPolicy-Target-Namespaces/Deployments.yaml similarity index 54% rename from 08-AuthorizationPolicy/02-target-service-accounts/deployment_2.yaml rename to 08-AuthorizationPolicy/01-AuthorizationPolicy-Target-Namespaces/Deployments.yaml index 69a8412..660a57e 100755 --- a/08-AuthorizationPolicy/02-target-service-accounts/deployment_2.yaml +++ b/08-AuthorizationPolicy/01-AuthorizationPolicy-Target-Namespaces/Deployments.yaml @@ -1,18 +1,28 @@ -apiVersion: v1 -kind: Service +apiVersion: apps/v1 +kind: Deployment metadata: - name: byeworld + name: helloworld-nginx labels: - app: byeworld - service: byeworld - namespace: foo + app: helloworld spec: - ports: - - port: 9090 - name: http - targetPort: 80 + replicas: 1 selector: - app: byeworld + matchLabels: + app: helloworld + template: + metadata: + labels: + app: helloworld + spec: + containers: + - name: helloworld + image: nginx + resources: + requests: + cpu: "100m" + imagePullPolicy: IfNotPresent + ports: + - containerPort: 80 --- apiVersion: apps/v1 kind: Deployment 
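Review bot: The added helloworld-nginx Deployment pulls `image: nginx` with no tag or digest, so it floats on `latest`, and combined with `imagePullPolicy: IfNotPresent` each node serves whatever nginx layer it happens to have cached; for an example whose policy results readers are meant to reproduce, pin it, e.g. `image: nginx:<tag>@sha256:<digest>`. The container also carries no `securityContext` and only a CPU request with no limits; the stock nginx image runs as root to bind port 80, so if that hardening is deliberately left out for brevity, a one-line comment above `containers:` saying so would stop readers copying the manifest as-is. The hunk ends inside the context lines of a second Deployment whose body lies outside the hunk.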
diff --git a/08-AuthorizationPolicy/01-target-namespaces/gateway.yaml b/08-AuthorizationPolicy/01-AuthorizationPolicy-Target-Namespaces/Gateway.yaml similarity index 100% rename from 08-AuthorizationPolicy/01-target-namespaces/gateway.yaml rename to 08-AuthorizationPolicy/01-AuthorizationPolicy-Target-Namespaces/Gateway.yaml diff --git a/08-AuthorizationPolicy/01-target-namespaces/README.md b/08-AuthorizationPolicy/01-AuthorizationPolicy-Target-Namespaces/README.md similarity index 96% rename from 08-AuthorizationPolicy/01-target-namespaces/README.md rename to 08-AuthorizationPolicy/01-AuthorizationPolicy-Target-Namespaces/README.md index bf57e99..d169a17 100755 --- a/08-AuthorizationPolicy/01-target-namespaces/README.md +++ b/08-AuthorizationPolicy/01-AuthorizationPolicy-Target-Namespaces/README.md @@ -3,15 +3,16 @@ gitea: none include_toc: true --- -# Continues from -- [06-mTLS](../../10-mTLS_PeerAuthentication/06-mTLS) +# Description -## Description +On this example we will be deploying an `AuthorizationPolicy` object to control the traffic that the `envoy-proxy` will manage on deployment created. -Bla bla bla +As well, we will configure the `AuthorizationPolicy` object to be applied at a "namespace" level. -Configuration targeting namespaces +# Based on + +- [10-mTLS_PeerAuthentication/01-mTLS](../../10-mTLS_PeerAuthentication/01-mTLS) # Configuration diff --git a/08-AuthorizationPolicy/01-AuthorizationPolicy-Target-Namespaces/Services.yaml b/08-AuthorizationPolicy/01-AuthorizationPolicy-Target-Namespaces/Services.yaml new file mode 100644 index 0000000..4ec62d4 --- /dev/null +++ b/08-AuthorizationPolicy/01-AuthorizationPolicy-Target-Namespaces/Services.yaml 
@@ -0,0 +1,30 @@ +apiVersion: v1 +kind: Service +metadata: + name: helloworld + labels: + app: helloworld + service: helloworld +spec: + ports: + - port: 8080 + name: http + targetPort: 80 + selector: + app: helloworld +--- +apiVersion: v1 +kind: Service +metadata: + name: byeworld + labels: + app: byeworld + service: byeworld + namespace: foo +spec: + ports: + - port: 9090 + name: http + targetPort: 80 + selector: + app: byeworld \ No newline at end of file diff --git a/08-AuthorizationPolicy/02-target-service-accounts/01-namespace.yaml b/08-AuthorizationPolicy/02-AuthorizationPolicy-Target-Service-Accounts/01-Namespace.yaml similarity index 100% rename from 08-AuthorizationPolicy/02-target-service-accounts/01-namespace.yaml rename to 08-AuthorizationPolicy/02-AuthorizationPolicy-Target-Service-Accounts/01-Namespace.yaml diff --git a/08-AuthorizationPolicy/02-target-service-accounts/01-service-accounts.yaml b/08-AuthorizationPolicy/02-AuthorizationPolicy-Target-Service-Accounts/01-Service_Accounts.yaml similarity index 100% rename from 08-AuthorizationPolicy/02-target-service-accounts/01-service-accounts.yaml rename to 08-AuthorizationPolicy/02-AuthorizationPolicy-Target-Service-Accounts/01-Service_Accounts.yaml diff --git a/08-AuthorizationPolicy/02-target-service-accounts/authentication.yaml b/08-AuthorizationPolicy/02-AuthorizationPolicy-Target-Service-Accounts/AuthorizationPolicy.yaml similarity index 100% rename from 08-AuthorizationPolicy/02-target-service-accounts/authentication.yaml rename to 08-AuthorizationPolicy/02-AuthorizationPolicy-Target-Service-Accounts/AuthorizationPolicy.yaml 
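Review bot: In the byeworld Service, `namespace: foo` appears directly after the `labels:` entries and its indentation is not recoverable from the collapsed diff; if it sits under `labels` it is only a label named `namespace`, and the Service is created in whatever namespace the kubectl context points at, which would silently turn the cross-namespace part of this example into a same-namespace test. Confirm it is `metadata.namespace`, and ordering it as `name: byeworld` / `namespace: foo` / `labels:` removes the ambiguity for readers too. The helloworld Service carries no namespace at all, so the README should state which namespace the manifests are applied into.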
diff --git a/08-AuthorizationPolicy/02-target-service-accounts/deployment.yaml b/08-AuthorizationPolicy/02-AuthorizationPolicy-Target-Service-Accounts/Deployments.yaml similarity index 55% rename from 08-AuthorizationPolicy/02-target-service-accounts/deployment.yaml rename to 08-AuthorizationPolicy/02-AuthorizationPolicy-Target-Service-Accounts/Deployments.yaml index 2a3ac62..8f4e59d 100755 --- a/08-AuthorizationPolicy/02-target-service-accounts/deployment.yaml +++ b/08-AuthorizationPolicy/02-AuthorizationPolicy-Target-Service-Accounts/Deployments.yaml @@ -1,18 +1,3 @@ -apiVersion: v1 -kind: Service -metadata: - name: helloworld - labels: - app: helloworld - service: helloworld -spec: - ports: - - port: 8080 - name: http - targetPort: 80 - selector: - app: helloworld ---- apiVersion: apps/v1 kind: Deployment metadata: @@ -39,3 +24,30 @@ spec: imagePullPolicy: IfNotPresent ports: - containerPort: 80 +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: byeworld-nginx + labels: + app: byeworld + namespace: foo +spec: + replicas: 1 + selector: + matchLabels: + app: byeworld + template: + metadata: + labels: + app: byeworld + spec: + containers: + - name: byeworld + image: nginx + resources: + requests: + cpu: "100m" + imagePullPolicy: IfNotPresent + ports: + - containerPort: 80 diff --git a/08-AuthorizationPolicy/02-target-service-accounts/README.md b/08-AuthorizationPolicy/02-AuthorizationPolicy-Target-Service-Accounts/README.md similarity index 96% rename from 08-AuthorizationPolicy/02-target-service-accounts/README.md rename to 08-AuthorizationPolicy/02-AuthorizationPolicy-Target-Service-Accounts/README.md index 0018395..42548c2 100755 --- a/08-AuthorizationPolicy/02-target-service-accounts/README.md +++ b/08-AuthorizationPolicy/02-AuthorizationPolicy-Target-Service-Accounts/README.md 
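Review bot: The byeworld-nginx Deployment added in the second hunk sets no `serviceAccountName`, so its pods run under the namespace's `default` ServiceAccount and Istio will see them as `cluster.local/ns/<ns>/sa/default`; in an example that exists to target ServiceAccounts, every other workload in that namespace which also omits the field shares that identity and inherits whatever the AuthorizationPolicy allows or denies. Add an explicit account to the pod spec, e.g. `serviceAccountName: byeworld`, matching whatever 01-Service_Accounts.yaml in this directory creates (its contents are renamed unchanged and not shown here), and note in the README that the commit removed the sentence explaining the `default` fallback. As in Services.yaml, `namespace: foo` follows the `labels:` entries and its indentation is lost in the collapsed diff; confirm it is `metadata.namespace` rather than a label.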
@@ -3,21 +3,19 @@ gitea: none include_toc: true --- -# Continues from -[//]: # (- [01-hello_world_1_service_1_deployment](../../01-simple/01-hello_world_1_service_1_deployment)) -- [01-target-namespaces](../01-target-namespaces) +# Description + +On this example we will be deploying an `AuthorizationPolicy` object to control the traffic that the `envoy-proxy` will manage on deployment created. + +As well, we will configure the `AuthorizationPolicy` object will be applied to the deployments with the targeted `ServiceAccount`. > **Note:**\ > On this example there is minimal changes to the configuration to involve targeting service accounts. -## Description +# Based on -Bla bla bla - -Configuration targeting service accounts (among others) - -By default, when a pod is deployed, if a service account has not been specified, it will be given the service account `default` from that namespace. +- [01-AuthorizationPolicy-Target-Namespaces](../01-AuthorizationPolicy-Target-Namespaces) # Changelog diff --git a/08-AuthorizationPolicy/02-AuthorizationPolicy-Target-Service-Accounts/Services.yaml b/08-AuthorizationPolicy/02-AuthorizationPolicy-Target-Service-Accounts/Services.yaml new file mode 100644 index 0000000..4ec62d4 --- /dev/null +++ b/08-AuthorizationPolicy/02-AuthorizationPolicy-Target-Service-Accounts/Services.yaml @@ -0,0 +1,30 @@ +apiVersion: v1 +kind: Service +metadata: + name: helloworld + labels: + app: helloworld + service: helloworld +spec: + ports: + - port: 8080 + name: http + targetPort: 80 + selector: + app: helloworld +--- +apiVersion: v1 +kind: Service +metadata: + name: byeworld + labels: + app: byeworld + service: byeworld + namespace: foo +spec: + ports: + - port: 9090 + name: http + targetPort: 80 + selector: + app: byeworld \ No newline at end of file 
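Review bot: This Services.yaml is the same blob added to 01-AuthorizationPolicy-Target-Namespaces (both are `index 0000000..4ec62d4`), so it carries the same caveat: on the byeworld Service `namespace: foo` follows the `labels:` entries and, with indentation lost in the collapsed diff, cannot be told apart from a label; it must be `metadata.namespace` for the workload to live in `foo`. Since the file is byte-identical across the three examples, fix the placement once and re-copy, or document in each README which namespace `kubectl apply` runs against, so the copies stay in step.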
diff --git a/08-AuthorizationPolicy/02-target-service-accounts/gateway.yaml b/08-AuthorizationPolicy/02-AuthorizationPolicy-Target-Service-Accounts/gateway.yaml
similarity index 100%
rename from 08-AuthorizationPolicy/02-target-service-accounts/gateway.yaml
rename to 08-AuthorizationPolicy/02-AuthorizationPolicy-Target-Service-Accounts/gateway.yaml
diff --git a/08-AuthorizationPolicy/03-target-deployments/01-namespace.yaml b/08-AuthorizationPolicy/03-AuthorizationPolicy-Target-Deployments/01-Namespace.yaml
similarity index 100%
rename from 08-AuthorizationPolicy/03-target-deployments/01-namespace.yaml
rename to 08-AuthorizationPolicy/03-AuthorizationPolicy-Target-Deployments/01-Namespace.yaml
diff --git a/08-AuthorizationPolicy/03-target-deployments/authentication.yaml b/08-AuthorizationPolicy/03-AuthorizationPolicy-Target-Deployments/AuthorizationPolicy.yaml
similarity index 100%
rename from 08-AuthorizationPolicy/03-target-deployments/authentication.yaml
rename to 08-AuthorizationPolicy/03-AuthorizationPolicy-Target-Deployments/AuthorizationPolicy.yaml
diff --git a/08-AuthorizationPolicy/01-target-namespaces/deployment_2.yaml b/08-AuthorizationPolicy/03-AuthorizationPolicy-Target-Deployments/Deployments.yaml
similarity index 54%
rename from 08-AuthorizationPolicy/01-target-namespaces/deployment_2.yaml
rename to 08-AuthorizationPolicy/03-AuthorizationPolicy-Target-Deployments/Deployments.yaml
index 69a8412..660a57e 100755
--- a/08-AuthorizationPolicy/01-target-namespaces/deployment_2.yaml
+++ b/08-AuthorizationPolicy/03-AuthorizationPolicy-Target-Deployments/Deployments.yaml
@@ -1,18 +1,28 @@ -apiVersion: v1 -kind: Service +apiVersion: apps/v1 +kind: Deployment metadata: - name: byeworld + name: helloworld-nginx labels: - app: byeworld - service: byeworld - namespace: foo + app: helloworld spec: - ports: - - port: 9090 - name: http - targetPort: 80 + replicas: 1 selector: - app: byeworld + matchLabels: + app: helloworld + template: + metadata: + labels: + app: helloworld + spec: + containers: + - name: helloworld + image: nginx + resources: + requests: + cpu: "100m" + imagePullPolicy: IfNotPresent + ports: + - containerPort: 80 --- apiVersion: apps/v1 kind: Deployment diff --git a/08-AuthorizationPolicy/03-target-deployments/gateway.yaml b/08-AuthorizationPolicy/03-AuthorizationPolicy-Target-Deployments/Gateway.yaml similarity index 100% rename from 08-AuthorizationPolicy/03-target-deployments/gateway.yaml rename to 08-AuthorizationPolicy/03-AuthorizationPolicy-Target-Deployments/Gateway.yaml diff --git a/08-AuthorizationPolicy/03-target-deployments/README.md b/08-AuthorizationPolicy/03-AuthorizationPolicy-Target-Deployments/README.md similarity index 94% rename from 08-AuthorizationPolicy/03-target-deployments/README.md rename to 08-AuthorizationPolicy/03-AuthorizationPolicy-Target-Deployments/README.md index 972ae00..70b944b 100755 --- a/08-AuthorizationPolicy/03-target-deployments/README.md +++ b/08-AuthorizationPolicy/03-AuthorizationPolicy-Target-Deployments/README.md 
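Review bot: The pod-template label `app: helloworld` is presumably what this example's AuthorizationPolicy selects on via `matchLabels` (the policy file is renamed unchanged and not shown), and labels are writable by anyone who can create or edit pods in the namespace, so a workload that sets or drops `app: helloworld` moves itself into or out of the policy's scope; a comment on the template `labels:` block such as `# selected by AuthorizationPolicy.yaml via matchLabels; label-based scoping is only as strong as RBAC on pod creation in this namespace` would make that trust boundary explicit. The image is also unpinned (`image: nginx` with `imagePullPolicy: IfNotPresent`), so what readers reproduce depends on each node's cached image; a tag or digest fixes that. The hunk ends inside the context of a second Deployment whose body lies outside the hunk.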
@@ -3,18 +3,27 @@ gitea: none include_toc: true --- -# Continues from -- [01-target-namespaces](../01-target-namespaces) +# Description + +On this example we will be deploying an `AuthorizationPolicy` object to control the traffic that the `envoy-proxy` will manage on deployment created. + +As well, we will configure the `AuthorizationPolicy` object will be applied to the deployments with the targeted through the usage of labels to filter the resources affected. > **Note:**\ > On this example there is minimal changes to the configuration to involve targeting the deployment resources through label filtering. -## Description +# Based on -Bla bla bla +- [01-AuthorizationPolicy-Target-Namespaces](../01-AuthorizationPolicy-Target-Namespaces) -In this example we will be targeting the labels set to the deployments, while keeping part of the previous AuthorizationPolicy configuration to maintain its behavior. +[//]: # (## Description) + +[//]: # () +[//]: # (Bla bla bla) + +[//]: # () +[//]: # (In this example we will be targeting the labels set to the deployments, while keeping part of the previous AuthorizationPolicy configuration to maintain its behavior. ) [//]: # (For such, it's important to check the labels set in the Istio ingress that we will be using.) diff --git a/08-AuthorizationPolicy/03-AuthorizationPolicy-Target-Deployments/Services.yaml b/08-AuthorizationPolicy/03-AuthorizationPolicy-Target-Deployments/Services.yaml new file mode 100644 index 0000000..4ec62d4 --- /dev/null +++ b/08-AuthorizationPolicy/03-AuthorizationPolicy-Target-Deployments/Services.yaml 
@@ -0,0 +1,30 @@ +apiVersion: v1 +kind: Service +metadata: + name: helloworld + labels: + app: helloworld + service: helloworld +spec: + ports: + - port: 8080 + name: http + targetPort: 80 + selector: + app: helloworld +--- +apiVersion: v1 +kind: Service +metadata: + name: byeworld + labels: + app: byeworld + service: byeworld + namespace: foo +spec: + ports: + - port: 9090 + name: http + targetPort: 80 + selector: + app: byeworld \ No newline at end of file diff --git a/08-AuthorizationPolicy/03-target-deployments/deployment.yaml b/08-AuthorizationPolicy/03-target-deployments/deployment.yaml deleted file mode 100755 index 0fb81b3..0000000 --- a/08-AuthorizationPolicy/03-target-deployments/deployment.yaml +++ /dev/null @@ -1,40 +0,0 @@ -apiVersion: v1 -kind: Service -metadata: - name: helloworld - labels: - app: helloworld - service: helloworld -spec: - ports: - - port: 8080 - name: http - targetPort: 80 - selector: - app: helloworld ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - name: helloworld-nginx - labels: - app: helloworld -spec: - replicas: 1 - selector: - matchLabels: - app: helloworld - template: - metadata: - labels: - app: helloworld - spec: - containers: - - name: helloworld - image: nginx - resources: - requests: - cpu: "100m" - imagePullPolicy: IfNotPresent - ports: - - containerPort: 80 diff --git a/08-AuthorizationPolicy/03-target-deployments/deployment_2.yaml b/08-AuthorizationPolicy/03-target-deployments/deployment_2.yaml deleted file mode 100755 index 69a8412..0000000 --- a/08-AuthorizationPolicy/03-target-deployments/deployment_2.yaml +++ /dev/null 
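Review bot: Same Services.yaml blob (`index 0000000..4ec62d4`) as in the 01 and 02 examples, so the same point applies: `namespace: foo` on the byeworld Service follows the `labels:` entries and, in the collapsed diff, cannot be distinguished from a label; it has to be `metadata.namespace` for the byeworld workload to land in `foo`, otherwise the policy being demonstrated targets a namespace the Service is not in. The helloworld Service has no namespace at all, so the README should state the namespace the manifests are applied to.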
@@ -1,42 +0,0 @@ -apiVersion: v1 -kind: Service -metadata: - name: byeworld - labels: - app: byeworld - service: byeworld - namespace: foo -spec: - ports: - - port: 9090 - name: http - targetPort: 80 - selector: - app: byeworld ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - name: byeworld-nginx - labels: - app: byeworld - namespace: foo -spec: - replicas: 1 - selector: - matchLabels: - app: byeworld - template: - metadata: - labels: - app: byeworld - spec: - containers: - - name: byeworld - image: nginx - resources: - requests: - cpu: "100m" - imagePullPolicy: IfNotPresent - ports: - - containerPort: 80 diff --git a/08-AuthorizationPolicy/README.md b/08-AuthorizationPolicy/README.md index c722a3c..6bf312a 100644 --- a/08-AuthorizationPolicy/README.md +++ b/08-AuthorizationPolicy/README.md @@ -1,24 +1,12 @@ -## Authentication -- Based on namespaces (done) - -- Based on method (somewhat done, so I will mark it as valid) +## Description -- Based on service account(s) (somewhat done) +Through the usage of `AuthorizationPolicies`, we are able to configure rules for access control, whether be (but not limited to) **Allowing** or **Denying** the request. -- Custom action (it's in alpha feature, should not focus on it for now) +On all the examples for simplicity it's been kept to the "Head" request. -- Audit / logs (should be the 3th) +## Examples -JWT seems important, refer to source.requestPrincipals - -https://istio.io/latest/docs/tasks/security/authentication/ - - - -Per deployment: -```yaml - selector: - matchLabels: - app: myapi -``` \ No newline at end of file +- 01-target-namespaces +- 02-target-service-accounts +- 03-target-deployments -- 2.47.2 From 16f7ab6178c044ce7c6ba7a4d6e815e698a28980 Mon Sep 17 00:00:00 2001 From: savagebidoof Date: Sat, 14 Oct 2023 11:00:10 +0200 Subject: [PATCH 12/22] Improved Readme slightly. --- 05-Sidecar/README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/05-Sidecar/README.md b/05-Sidecar/README.md index cd189d4..a5ddbc1 100755 --- a/05-Sidecar/README.md +++ b/05-Sidecar/README.md @@ -1,6 +1,6 @@ ## Description -On these examples, a `Sidecar` will be configured. +On these examples, the `Sidecar` object will be configured to select which services the `proxy-container` has access to. ## Examples -- 2.47.2 From 4e66d65096e9cd29f3ec4029cc72c4bd6cd00732 Mon Sep 17 00:00:00 2001 From: savagebidoof Date: Sat, 14 Oct 2023 11:01:51 +0200 Subject: [PATCH 13/22] Fixed refference --- 04-Backends/02-HTTPS-backend/README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/04-Backends/02-HTTPS-backend/README.md b/04-Backends/02-HTTPS-backend/README.md index 76369d1..06c60bd 100644 --- a/04-Backends/02-HTTPS-backend/README.md +++ b/04-Backends/02-HTTPS-backend/README.md @@ -197,7 +197,7 @@ spec: ``` > **Note**:\ -> As this configuration is very board, and targets the whole namespace, I would strongly recommend referring to the following example [06-Internal-Authentication/02-target-service-accounts](../../08-AuthorizationPolicy/02-target-service-accounts), which shows how to target service accounts set to resources, limiting the scope of this rule set. +> As this configuration is very board, and targets the whole namespace, I would strongly recommend referring to the following example [06-Internal-Authentication/02-AuthorizationPolicy-Target-Service-Accounts](../../08-AuthorizationPolicy/02-AuthorizationPolicy-Target-Service-Accounts), which shows how to target service accounts set to resources, limiting the scope of this rule set. # Walkthrough -- 2.47.2 From b440efb6b209d6517d9c93577f20a285f41502c7 Mon Sep 17 00:00:00 2001 
From: savagebidoof Date: Sat, 14 Oct 2023 11:02:16 +0200 Subject: [PATCH 14/22] Renamed directories --- .../{06-mTLS => 01-mTLS}/README.md | 0 .../{06-mTLS => 01-mTLS}/authentication.yaml | 0 .../01-mTLS}/deployment.yaml | 0 .../{06-mTLS => 01-mTLS}/deployment_2.yaml | 0 .../{06-mTLS => 01-mTLS}/gateway.yaml | 0 .../src/06-kiali-services-byeworld.png | Bin .../src/06-kiali-services-helloworld.png | Bin .../src/06-kiali-services.png | Bin .../README.md | 0 .../Service.yaml | 0 .../authentication.yaml | 0 .../deployment.yaml | 0 .../gateway.yaml | 0 .../README.md | 6 +-- .../Service.yaml | 0 .../authentication.yaml | 0 .../deployment.yaml | 0 .../gateway.yaml | 0 .../06-mTLS/deployment.yaml | 40 ------------------ 19 files changed, 3 insertions(+), 43 deletions(-) rename 10-mTLS_PeerAuthentication/{06-mTLS => 01-mTLS}/README.md (100%) rename 10-mTLS_PeerAuthentication/{06-mTLS => 01-mTLS}/authentication.yaml (100%) rename {08-AuthorizationPolicy/01-target-namespaces => 10-mTLS_PeerAuthentication/01-mTLS}/deployment.yaml (100%) rename 10-mTLS_PeerAuthentication/{06-mTLS => 01-mTLS}/deployment_2.yaml (100%) rename 10-mTLS_PeerAuthentication/{06-mTLS => 01-mTLS}/gateway.yaml (100%) rename 10-mTLS_PeerAuthentication/{06-mTLS => 01-mTLS}/src/06-kiali-services-byeworld.png (100%) rename 10-mTLS_PeerAuthentication/{06-mTLS => 01-mTLS}/src/06-kiali-services-helloworld.png (100%) rename 10-mTLS_PeerAuthentication/{06-mTLS => 01-mTLS}/src/06-kiali-services.png (100%) rename 10-mTLS_PeerAuthentication/{01-disable-mTLS => 02-disable-mTLS}/README.md (100%) rename 10-mTLS_PeerAuthentication/{01-disable-mTLS => 02-disable-mTLS}/Service.yaml (100%) rename 10-mTLS_PeerAuthentication/{01-disable-mTLS => 02-disable-mTLS}/authentication.yaml (100%) rename 10-mTLS_PeerAuthentication/{01-disable-mTLS => 02-disable-mTLS}/deployment.yaml (100%) rename 10-mTLS_PeerAuthentication/{01-disable-mTLS => 02-disable-mTLS}/gateway.yaml (100%) rename 10-mTLS_PeerAuthentication/{02-portLevelMtls => 
03-mTLS-per-port-settings}/README.md (99%) rename 10-mTLS_PeerAuthentication/{02-portLevelMtls => 03-mTLS-per-port-settings}/Service.yaml (100%) rename 10-mTLS_PeerAuthentication/{02-portLevelMtls => 03-mTLS-per-port-settings}/authentication.yaml (100%) rename 10-mTLS_PeerAuthentication/{02-portLevelMtls => 03-mTLS-per-port-settings}/deployment.yaml (100%) rename 10-mTLS_PeerAuthentication/{02-portLevelMtls => 03-mTLS-per-port-settings}/gateway.yaml (100%) delete mode 100755 10-mTLS_PeerAuthentication/06-mTLS/deployment.yaml diff --git a/10-mTLS_PeerAuthentication/06-mTLS/README.md b/10-mTLS_PeerAuthentication/01-mTLS/README.md similarity index 100% rename from 10-mTLS_PeerAuthentication/06-mTLS/README.md rename to 10-mTLS_PeerAuthentication/01-mTLS/README.md diff --git a/10-mTLS_PeerAuthentication/06-mTLS/authentication.yaml b/10-mTLS_PeerAuthentication/01-mTLS/authentication.yaml similarity index 100% rename from 10-mTLS_PeerAuthentication/06-mTLS/authentication.yaml rename to 10-mTLS_PeerAuthentication/01-mTLS/authentication.yaml diff --git a/08-AuthorizationPolicy/01-target-namespaces/deployment.yaml b/10-mTLS_PeerAuthentication/01-mTLS/deployment.yaml similarity index 100% rename from 08-AuthorizationPolicy/01-target-namespaces/deployment.yaml rename to 10-mTLS_PeerAuthentication/01-mTLS/deployment.yaml diff --git a/10-mTLS_PeerAuthentication/06-mTLS/deployment_2.yaml b/10-mTLS_PeerAuthentication/01-mTLS/deployment_2.yaml similarity index 100% rename from 10-mTLS_PeerAuthentication/06-mTLS/deployment_2.yaml rename to 10-mTLS_PeerAuthentication/01-mTLS/deployment_2.yaml diff --git a/10-mTLS_PeerAuthentication/06-mTLS/gateway.yaml b/10-mTLS_PeerAuthentication/01-mTLS/gateway.yaml similarity index 100% rename from 10-mTLS_PeerAuthentication/06-mTLS/gateway.yaml rename to 10-mTLS_PeerAuthentication/01-mTLS/gateway.yaml 
diff --git a/10-mTLS_PeerAuthentication/06-mTLS/src/06-kiali-services-byeworld.png b/10-mTLS_PeerAuthentication/01-mTLS/src/06-kiali-services-byeworld.png
similarity index 100%
rename from 10-mTLS_PeerAuthentication/06-mTLS/src/06-kiali-services-byeworld.png
rename to 10-mTLS_PeerAuthentication/01-mTLS/src/06-kiali-services-byeworld.png
diff --git a/10-mTLS_PeerAuthentication/06-mTLS/src/06-kiali-services-helloworld.png b/10-mTLS_PeerAuthentication/01-mTLS/src/06-kiali-services-helloworld.png
similarity index 100%
rename from 10-mTLS_PeerAuthentication/06-mTLS/src/06-kiali-services-helloworld.png
rename to 10-mTLS_PeerAuthentication/01-mTLS/src/06-kiali-services-helloworld.png
diff --git a/10-mTLS_PeerAuthentication/06-mTLS/src/06-kiali-services.png b/10-mTLS_PeerAuthentication/01-mTLS/src/06-kiali-services.png
similarity index 100%
rename from 10-mTLS_PeerAuthentication/06-mTLS/src/06-kiali-services.png
rename to 10-mTLS_PeerAuthentication/01-mTLS/src/06-kiali-services.png
diff --git a/10-mTLS_PeerAuthentication/01-disable-mTLS/README.md b/10-mTLS_PeerAuthentication/02-disable-mTLS/README.md
similarity index 100%
rename from 10-mTLS_PeerAuthentication/01-disable-mTLS/README.md
rename to 10-mTLS_PeerAuthentication/02-disable-mTLS/README.md
diff --git a/10-mTLS_PeerAuthentication/01-disable-mTLS/Service.yaml b/10-mTLS_PeerAuthentication/02-disable-mTLS/Service.yaml
similarity index 100%
rename from 10-mTLS_PeerAuthentication/01-disable-mTLS/Service.yaml
rename to 10-mTLS_PeerAuthentication/02-disable-mTLS/Service.yaml
diff --git a/10-mTLS_PeerAuthentication/01-disable-mTLS/authentication.yaml b/10-mTLS_PeerAuthentication/02-disable-mTLS/authentication.yaml
similarity index 100%
rename from 10-mTLS_PeerAuthentication/01-disable-mTLS/authentication.yaml
rename to 10-mTLS_PeerAuthentication/02-disable-mTLS/authentication.yaml
diff --git a/10-mTLS_PeerAuthentication/01-disable-mTLS/deployment.yaml b/10-mTLS_PeerAuthentication/02-disable-mTLS/deployment.yaml
similarity index 100%
rename from 10-mTLS_PeerAuthentication/01-disable-mTLS/deployment.yaml
rename to 10-mTLS_PeerAuthentication/02-disable-mTLS/deployment.yaml
diff --git a/10-mTLS_PeerAuthentication/01-disable-mTLS/gateway.yaml b/10-mTLS_PeerAuthentication/02-disable-mTLS/gateway.yaml
similarity index 100%
rename from 10-mTLS_PeerAuthentication/01-disable-mTLS/gateway.yaml
rename to 10-mTLS_PeerAuthentication/02-disable-mTLS/gateway.yaml
diff --git a/10-mTLS_PeerAuthentication/02-portLevelMtls/README.md b/10-mTLS_PeerAuthentication/03-mTLS-per-port-settings/README.md
similarity index 99%
rename from 10-mTLS_PeerAuthentication/02-portLevelMtls/README.md
rename to 10-mTLS_PeerAuthentication/03-mTLS-per-port-settings/README.md
index 0dfb971..2fa36c9 100644
--- a/10-mTLS_PeerAuthentication/02-portLevelMtls/README.md
+++ b/10-mTLS_PeerAuthentication/03-mTLS-per-port-settings/README.md
@@ -5,13 +5,13 @@ include_toc: true # Based on -- [01-disable-mTLS](../01-disable-mTLS) +- [02-disable-mTLS](../02-disable-mTLS) # Description Based on the previous example that disabled mTLS, and explored how it affected the behavior of the services, on `HTTP` and `HTTPS` backends, this example aims to, through the usage of `portLevelMtls`, configure the `mTLS` behavior based on the destination port. -Through this, we can apply multiple `mTLS` behaviors under a single deployment, unlike the [previous example](../01-disable-mTLS) that required to create 2 different deployments under a single service, and as well implement `Destination Rules` as well of `subsets` to route the traffic between the 2 deployments. +Through this, we can apply multiple `mTLS` behaviors under a single deployment, unlike the [previous example](../02-disable-mTLS) that required to create 2 different deployments under a single service, and as well implement `Destination Rules` as well of `subsets` to route the traffic between the 2 deployments. > **Note:**\ > For more information about the image used refer to [here](https://hub.docker.com/r/oriolfilter/https-nginx-demo) 
@@ -312,7 +312,7 @@ listening on eth0, link-type EN10MB (Ethernet), snapshot length 262144 bytes ##### Curl -Even tho, we have set in the [PeerAuthentication configuration](#peerauthentication) mode to `STRICT`, unlike in the [previous example](../01-disable-mTLS/#https-1), where the mode was also set to `STRICT`, in this example we configured the `portLevelMtls` field for the port `443`, successfully disabling `mTLS` for this port, and allowing to proceed with the request towards the `HTTPS` backend; which was performed without the need of disabling `mTLS` for the whole deployment. +Even tho, we have set in the [PeerAuthentication configuration](#peerauthentication) mode to `STRICT`, unlike in the [previous example](../02-disable-mTLS/#https-1), where the mode was also set to `STRICT`, in this example we configured the `portLevelMtls` field for the port `443`, successfully disabling `mTLS` for this port, and allowing to proceed with the request towards the `HTTPS` backend; which was performed without the need of disabling `mTLS` for the whole deployment. ```shell curl 192.168.1.50/https diff --git a/10-mTLS_PeerAuthentication/02-portLevelMtls/Service.yaml b/10-mTLS_PeerAuthentication/03-mTLS-per-port-settings/Service.yaml similarity index 100% rename from 10-mTLS_PeerAuthentication/02-portLevelMtls/Service.yaml rename to 10-mTLS_PeerAuthentication/03-mTLS-per-port-settings/Service.yaml diff --git a/10-mTLS_PeerAuthentication/02-portLevelMtls/authentication.yaml b/10-mTLS_PeerAuthentication/03-mTLS-per-port-settings/authentication.yaml similarity index 100% rename from 10-mTLS_PeerAuthentication/02-portLevelMtls/authentication.yaml rename to 10-mTLS_PeerAuthentication/03-mTLS-per-port-settings/authentication.yaml 
diff --git a/10-mTLS_PeerAuthentication/02-portLevelMtls/deployment.yaml b/10-mTLS_PeerAuthentication/03-mTLS-per-port-settings/deployment.yaml similarity index 100% rename from 10-mTLS_PeerAuthentication/02-portLevelMtls/deployment.yaml rename to 10-mTLS_PeerAuthentication/03-mTLS-per-port-settings/deployment.yaml diff --git a/10-mTLS_PeerAuthentication/02-portLevelMtls/gateway.yaml b/10-mTLS_PeerAuthentication/03-mTLS-per-port-settings/gateway.yaml similarity index 100% rename from 10-mTLS_PeerAuthentication/02-portLevelMtls/gateway.yaml rename to 10-mTLS_PeerAuthentication/03-mTLS-per-port-settings/gateway.yaml diff --git a/10-mTLS_PeerAuthentication/06-mTLS/deployment.yaml b/10-mTLS_PeerAuthentication/06-mTLS/deployment.yaml deleted file mode 100755 index 0fb81b3..0000000 --- a/10-mTLS_PeerAuthentication/06-mTLS/deployment.yaml +++ /dev/null @@ -1,40 +0,0 @@ -apiVersion: v1 -kind: Service -metadata: - name: helloworld - labels: - app: helloworld - service: helloworld -spec: - ports: - - port: 8080 - name: http - targetPort: 80 - selector: - app: helloworld ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - name: helloworld-nginx - labels: - app: helloworld -spec: - replicas: 1 - selector: - matchLabels: - app: helloworld - template: - metadata: - labels: - app: helloworld - spec: - containers: - - name: helloworld - image: nginx - resources: - requests: - cpu: "100m" - imagePullPolicy: IfNotPresent - ports: - - containerPort: 80 -- 2.47.2 From 40fe16c0400b211f657c2acb19adbe8ffb39070d Mon Sep 17 00:00:00 2001 
From: savagebidoof Date: Sat, 14 Oct 2023 11:06:55 +0200 Subject: [PATCH 15/22] Renamed folder --- .../01-Namespace.yaml | 0 .../Deployment.yaml | 0 .../Gateway.yaml | 0 .../IstioOperator/IstioOperator.yaml | 0 .../README.md | 0 .../Service.yaml | 0 .../VirtualService.yaml | 0 7 files changed, 0 insertions(+), 0 deletions(-) rename 09-Ingress/{01-Create-Istio-LoadBalancer => 01-Ingress-IstioOperator}/01-Namespace.yaml (100%) rename 09-Ingress/{01-Create-Istio-LoadBalancer => 01-Ingress-IstioOperator}/Deployment.yaml (100%) rename 09-Ingress/{01-Create-Istio-LoadBalancer => 01-Ingress-IstioOperator}/Gateway.yaml (100%) rename 09-Ingress/{01-Create-Istio-LoadBalancer => 01-Ingress-IstioOperator}/IstioOperator/IstioOperator.yaml (100%) rename 09-Ingress/{01-Create-Istio-LoadBalancer => 01-Ingress-IstioOperator}/README.md (100%) rename 09-Ingress/{01-Create-Istio-LoadBalancer => 01-Ingress-IstioOperator}/Service.yaml (100%) rename 09-Ingress/{01-Create-Istio-LoadBalancer => 01-Ingress-IstioOperator}/VirtualService.yaml (100%) diff --git a/09-Ingress/01-Create-Istio-LoadBalancer/01-Namespace.yaml b/09-Ingress/01-Ingress-IstioOperator/01-Namespace.yaml similarity index 100% rename from 09-Ingress/01-Create-Istio-LoadBalancer/01-Namespace.yaml rename to 09-Ingress/01-Ingress-IstioOperator/01-Namespace.yaml diff --git a/09-Ingress/01-Create-Istio-LoadBalancer/Deployment.yaml b/09-Ingress/01-Ingress-IstioOperator/Deployment.yaml similarity index 100% rename from 09-Ingress/01-Create-Istio-LoadBalancer/Deployment.yaml rename to 09-Ingress/01-Ingress-IstioOperator/Deployment.yaml diff --git a/09-Ingress/01-Create-Istio-LoadBalancer/Gateway.yaml b/09-Ingress/01-Ingress-IstioOperator/Gateway.yaml similarity index 100% rename from 09-Ingress/01-Create-Istio-LoadBalancer/Gateway.yaml rename to 09-Ingress/01-Ingress-IstioOperator/Gateway.yaml 
diff --git a/09-Ingress/01-Create-Istio-LoadBalancer/IstioOperator/IstioOperator.yaml b/09-Ingress/01-Ingress-IstioOperator/IstioOperator/IstioOperator.yaml similarity index 100% rename from 09-Ingress/01-Create-Istio-LoadBalancer/IstioOperator/IstioOperator.yaml rename to 09-Ingress/01-Ingress-IstioOperator/IstioOperator/IstioOperator.yaml diff --git a/09-Ingress/01-Create-Istio-LoadBalancer/README.md b/09-Ingress/01-Ingress-IstioOperator/README.md similarity index 100% rename from 09-Ingress/01-Create-Istio-LoadBalancer/README.md rename to 09-Ingress/01-Ingress-IstioOperator/README.md diff --git a/09-Ingress/01-Create-Istio-LoadBalancer/Service.yaml b/09-Ingress/01-Ingress-IstioOperator/Service.yaml similarity index 100% rename from 09-Ingress/01-Create-Istio-LoadBalancer/Service.yaml rename to 09-Ingress/01-Ingress-IstioOperator/Service.yaml diff --git a/09-Ingress/01-Create-Istio-LoadBalancer/VirtualService.yaml b/09-Ingress/01-Ingress-IstioOperator/VirtualService.yaml similarity index 100% rename from 09-Ingress/01-Create-Istio-LoadBalancer/VirtualService.yaml rename to 09-Ingress/01-Ingress-IstioOperator/VirtualService.yaml -- 2.47.2 From 0a1e36dcaf3a71bb2d43fec061b4369ee8bfc205 Mon Sep 17 00:00:00 2001 From: savagebidoof Date: Sat, 14 Oct 2023 11:08:51 +0200 Subject: [PATCH 16/22] Added section README.md for: - 09-Ingress --- 09-Ingress/README.md | 15 +++++++++++++++ 1 file changed, 15 insertions(+) create mode 100644 09-Ingress/README.md diff --git a/09-Ingress/README.md b/09-Ingress/README.md new file mode 100644 index 0000000..571f661 --- /dev/null +++ b/09-Ingress/README.md @@ -0,0 +1,15 @@ + +## Description + +This section is focused in the Ingress Load balancers and how to install or set them up. + +Nevertheless, currently only contains how to install through the IstioOperator. + +## Examples + +- 01-Ingress-IstioOperator + + +## Links of interest + +- https://istio.io/latest/docs/setup/additional-setup/gateway/ \ No newline at end of file -- 2.47.2 
From e883755680c7ac457ed0003dd671241fa2407def Mon Sep 17 00:00:00 2001 From: savagebidoof Date: Sat, 14 Oct 2023 11:14:19 +0200 Subject: [PATCH 17/22] Added section README.md for: - 10-mTLS_PeerAuthentication Renamed its files to use a capital letter at the start of the files. --- .../01-mTLS/{deployment.yaml => Deployment.yaml} | 0 .../01-mTLS/{deployment_2.yaml => Deployment_2.yaml} | 0 .../01-mTLS/{gateway.yaml => Gateway.yaml} | 0 .../{authentication.yaml => PeerAuthentication.yaml} | 0 .../{deployment.yaml => Deployment.yaml} | 0 .../02-disable-mTLS/{gateway.yaml => Gateway.yaml} | 0 .../{authentication.yaml => PeerAuthentication.yaml} | 0 .../{deployment.yaml => Deployment.yaml} | 0 .../{gateway.yaml => Gateway.yaml} | 0 .../{authentication.yaml => PeerAuthentication.yaml} | 0 10-mTLS_PeerAuthentication/README.md | 10 ++++++++++ 11 files changed, 10 insertions(+) rename 10-mTLS_PeerAuthentication/01-mTLS/{deployment.yaml => Deployment.yaml} (100%) rename 10-mTLS_PeerAuthentication/01-mTLS/{deployment_2.yaml => Deployment_2.yaml} (100%) rename 10-mTLS_PeerAuthentication/01-mTLS/{gateway.yaml => Gateway.yaml} (100%) rename 10-mTLS_PeerAuthentication/01-mTLS/{authentication.yaml => PeerAuthentication.yaml} (100%) rename 10-mTLS_PeerAuthentication/02-disable-mTLS/{deployment.yaml => Deployment.yaml} (100%) rename 10-mTLS_PeerAuthentication/02-disable-mTLS/{gateway.yaml => Gateway.yaml} (100%) rename 10-mTLS_PeerAuthentication/02-disable-mTLS/{authentication.yaml => PeerAuthentication.yaml} (100%) rename 10-mTLS_PeerAuthentication/03-mTLS-per-port-settings/{deployment.yaml => Deployment.yaml} (100%) rename 10-mTLS_PeerAuthentication/03-mTLS-per-port-settings/{gateway.yaml => Gateway.yaml} (100%) rename 10-mTLS_PeerAuthentication/03-mTLS-per-port-settings/{authentication.yaml => PeerAuthentication.yaml} (100%) create mode 100644 10-mTLS_PeerAuthentication/README.md 
diff --git a/10-mTLS_PeerAuthentication/01-mTLS/deployment.yaml b/10-mTLS_PeerAuthentication/01-mTLS/Deployment.yaml similarity index 100% rename from 10-mTLS_PeerAuthentication/01-mTLS/deployment.yaml rename to 10-mTLS_PeerAuthentication/01-mTLS/Deployment.yaml diff --git a/10-mTLS_PeerAuthentication/01-mTLS/deployment_2.yaml b/10-mTLS_PeerAuthentication/01-mTLS/Deployment_2.yaml similarity index 100% rename from 10-mTLS_PeerAuthentication/01-mTLS/deployment_2.yaml rename to 10-mTLS_PeerAuthentication/01-mTLS/Deployment_2.yaml diff --git a/10-mTLS_PeerAuthentication/01-mTLS/gateway.yaml b/10-mTLS_PeerAuthentication/01-mTLS/Gateway.yaml similarity index 100% rename from 10-mTLS_PeerAuthentication/01-mTLS/gateway.yaml rename to 10-mTLS_PeerAuthentication/01-mTLS/Gateway.yaml diff --git a/10-mTLS_PeerAuthentication/01-mTLS/authentication.yaml b/10-mTLS_PeerAuthentication/01-mTLS/PeerAuthentication.yaml similarity index 100% rename from 10-mTLS_PeerAuthentication/01-mTLS/authentication.yaml rename to 10-mTLS_PeerAuthentication/01-mTLS/PeerAuthentication.yaml diff --git a/10-mTLS_PeerAuthentication/02-disable-mTLS/deployment.yaml b/10-mTLS_PeerAuthentication/02-disable-mTLS/Deployment.yaml similarity index 100% rename from 10-mTLS_PeerAuthentication/02-disable-mTLS/deployment.yaml rename to 10-mTLS_PeerAuthentication/02-disable-mTLS/Deployment.yaml diff --git a/10-mTLS_PeerAuthentication/02-disable-mTLS/gateway.yaml b/10-mTLS_PeerAuthentication/02-disable-mTLS/Gateway.yaml similarity index 100% rename from 10-mTLS_PeerAuthentication/02-disable-mTLS/gateway.yaml rename to 10-mTLS_PeerAuthentication/02-disable-mTLS/Gateway.yaml diff --git a/10-mTLS_PeerAuthentication/02-disable-mTLS/authentication.yaml b/10-mTLS_PeerAuthentication/02-disable-mTLS/PeerAuthentication.yaml similarity index 100% rename from 10-mTLS_PeerAuthentication/02-disable-mTLS/authentication.yaml rename to 10-mTLS_PeerAuthentication/02-disable-mTLS/PeerAuthentication.yaml 
diff --git a/10-mTLS_PeerAuthentication/03-mTLS-per-port-settings/deployment.yaml b/10-mTLS_PeerAuthentication/03-mTLS-per-port-settings/Deployment.yaml similarity index 100% rename from 10-mTLS_PeerAuthentication/03-mTLS-per-port-settings/deployment.yaml rename to 10-mTLS_PeerAuthentication/03-mTLS-per-port-settings/Deployment.yaml diff --git a/10-mTLS_PeerAuthentication/03-mTLS-per-port-settings/gateway.yaml b/10-mTLS_PeerAuthentication/03-mTLS-per-port-settings/Gateway.yaml similarity index 100% rename from 10-mTLS_PeerAuthentication/03-mTLS-per-port-settings/gateway.yaml rename to 10-mTLS_PeerAuthentication/03-mTLS-per-port-settings/Gateway.yaml diff --git a/10-mTLS_PeerAuthentication/03-mTLS-per-port-settings/authentication.yaml b/10-mTLS_PeerAuthentication/03-mTLS-per-port-settings/PeerAuthentication.yaml similarity index 100% rename from 10-mTLS_PeerAuthentication/03-mTLS-per-port-settings/authentication.yaml rename to 10-mTLS_PeerAuthentication/03-mTLS-per-port-settings/PeerAuthentication.yaml diff --git a/10-mTLS_PeerAuthentication/README.md b/10-mTLS_PeerAuthentication/README.md new file mode 100644 index 0000000..dac161b --- /dev/null +++ b/10-mTLS_PeerAuthentication/README.md @@ -0,0 +1,10 @@ + +## Description + +This section is focused regarding mTLS, using Kiali dashboard to confirm which services have mTLS enabled, how to enable and disable mTLS, and as well how to apply a desired configuration targeting a specific port. + +## Examples + +- 01-mTLS +- 02-disable-mTLS +- 03-mTLS-per-port-settings -- 2.47.2 From 957dbfcf84af707a209a1d4c5343b679fbe5e1fb Mon Sep 17 00:00:00 2001 From: savagebidoof Date: Sat, 14 Oct 2023 11:19:29 +0200 Subject: [PATCH 18/22] Updated global README.md --- README.md | 22 ++++++++++++++-------- 1 file changed, 14 insertions(+), 8 deletions(-) diff --git a/README.md b/README.md index d9ca429..d1daff3 100755 --- a/README.md +++ b/README.md 
@@ -34,7 +34,6 @@ Currently, the resources are under a relocation and the folders might contain th ├── 04-Backends │   ├── 01-Service_Entry │   ├── 02-HTTPS-backend -│   └── 03-HTTPS-backend-with-MTLS ├── 05-Sidecar │   ├── 01-ingress-proxy-forwarding │   └── 02-egress-proxy @@ -42,16 +41,16 @@ Currently, the resources are under a relocation and the folders might contain th │   ├── 01-Envoy-add-response-headers │   └── 02-envoy-logging ├── 08-AuthorizationPolicy -│   ├── 01-target-namespaces -│   ├── 02-target-service-accounts -│   └── 03-target-deployments +│   ├── 01-AuthorizationPolicy-Target-Namespaces +│   ├── 02-AuthorizationPolicy-Target-Service-Accounts +│   └── 03-AuthorizationPolicy-Target-Deployments ├── 09-Ingress -│   └── 01-Create-Istio-LoadBalancer +│   └── 01-Ingress-IstioOperator │   └── IstioOperator ├── 10-mTLS_PeerAuthentication -│   ├── 01-disable-mTLS -│   ├── 02-portLevelMtls -│   └── 06-mTLS +│   ├── 01-mTLS +│   ├── 02-disable-mTLS +│   └── 03-mTLS-per-port-settings ├── 11-Fault_Injection │   ├── 05a-FaultInjection-delay │   └── 05b-FaultInjection-abort @@ -64,6 +63,13 @@ Currently, the resources are under a relocation and the folders might contain th └── HTTPS-NGINX-DOCKERFILE ``` +#### "Why is 07 missing" + +Previously there was a folder that got refactored. + +Eventually the spot will be filled back. + +Want to avoid renaming folders unless required as it could break link references within the documentation. # Glossary -- 2.47.2 From c1aec3ae4c824d1b1086e1063cd75c93edc3bb47 Mon Sep 17 00:00:00 2001 From: savagebidoof Date: Sat, 14 Oct 2023 11:21:30 +0200 Subject: [PATCH 19/22] Renamed file to capitalized first letter. --- .../{gateway.yaml => Gateway.yaml} | 0 1 file changed, 0 insertions(+), 0 deletions(-) rename 08-AuthorizationPolicy/02-AuthorizationPolicy-Target-Service-Accounts/{gateway.yaml => Gateway.yaml} (100%) 
diff --git a/08-AuthorizationPolicy/02-AuthorizationPolicy-Target-Service-Accounts/gateway.yaml b/08-AuthorizationPolicy/02-AuthorizationPolicy-Target-Service-Accounts/Gateway.yaml similarity index 100% rename from 08-AuthorizationPolicy/02-AuthorizationPolicy-Target-Service-Accounts/gateway.yaml rename to 08-AuthorizationPolicy/02-AuthorizationPolicy-Target-Service-Accounts/Gateway.yaml -- 2.47.2 From df8eea778ce178f424e16e37f3940d643fee45e0 Mon Sep 17 00:00:00 2001 
From: savagebidoof Date: Sat, 14 Oct 2023 12:11:34 +0200 Subject: [PATCH 20/22] Documented examples from `11-Fault_Injection`: - 01-FaultInjection-delay - 02-FaultInjection-abort Added a section README.md to the section: - 11-Fault_Injection --- .../Deployment.yaml} | 15 -- .../01-FaultInjection-delay/Gateway.yaml | 14 + .../01-FaultInjection-delay/README.md | 251 ++++++++++++++++++ .../01-FaultInjection-delay/Service.yaml | 13 + .../VirtualService.yaml} | 20 +- .../Deployment.yaml} | 15 -- .../02-FaultInjection-abort/Gateway.yaml | 14 + .../02-FaultInjection-abort/README.md | 240 +++++++++++++++++ .../02-FaultInjection-abort/Service.yaml | 13 + .../VirtualService.yaml} | 20 +- .../05a-FaultInjection-delay/README.md | 7 - .../05b-FaultInjection-abort/README.md | 11 - 11-Fault_Injection/README.md | 9 + 13 files changed, 558 insertions(+), 84 deletions(-) rename 11-Fault_Injection/{05b-FaultInjection-abort/deployment.yaml => 01-FaultInjection-delay/Deployment.yaml} (63%) create mode 100755 11-Fault_Injection/01-FaultInjection-delay/Gateway.yaml create mode 100755 11-Fault_Injection/01-FaultInjection-delay/README.md create mode 100644 11-Fault_Injection/01-FaultInjection-delay/Service.yaml rename 11-Fault_Injection/{05a-FaultInjection-delay/gateway.yaml => 01-FaultInjection-delay/VirtualService.yaml} (50%) mode change 100755 => 100644 rename 11-Fault_Injection/{05a-FaultInjection-delay/deployment.yaml => 02-FaultInjection-abort/Deployment.yaml} (63%) create mode 100755 11-Fault_Injection/02-FaultInjection-abort/Gateway.yaml create mode 100755 11-Fault_Injection/02-FaultInjection-abort/README.md create mode 100644 11-Fault_Injection/02-FaultInjection-abort/Service.yaml rename 11-Fault_Injection/{05b-FaultInjection-abort/gateway.yaml => 02-FaultInjection-abort/VirtualService.yaml} (50%) mode change 100755 => 100644 delete mode 100755 11-Fault_Injection/05a-FaultInjection-delay/README.md delete mode 100755 11-Fault_Injection/05b-FaultInjection-abort/README.md create mode 
100644 11-Fault_Injection/README.md diff --git a/11-Fault_Injection/05b-FaultInjection-abort/deployment.yaml b/11-Fault_Injection/01-FaultInjection-delay/Deployment.yaml similarity index 63% rename from 11-Fault_Injection/05b-FaultInjection-abort/deployment.yaml rename to 11-Fault_Injection/01-FaultInjection-delay/Deployment.yaml index 01dd2b0..233fd2c 100755 --- a/11-Fault_Injection/05b-FaultInjection-abort/deployment.yaml +++ b/11-Fault_Injection/01-FaultInjection-delay/Deployment.yaml @@ -1,18 +1,3 @@ -# https://github.com/istio/istio/blob/master/samples/helloworld/helloworld.yaml -apiVersion: v1 -kind: Service -metadata: - name: helloworld - labels: - app: helloworld - service: helloworld -spec: - ports: - - port: 80 - name: http - selector: - app: helloworld ---- apiVersion: apps/v1 kind: Deployment metadata: diff --git a/11-Fault_Injection/01-FaultInjection-delay/Gateway.yaml b/11-Fault_Injection/01-FaultInjection-delay/Gateway.yaml new file mode 100755 index 0000000..bbd9d67 --- /dev/null +++ b/11-Fault_Injection/01-FaultInjection-delay/Gateway.yaml @@ -0,0 +1,14 @@ +apiVersion: networking.istio.io/v1alpha3 +kind: Gateway +metadata: + name: helloworld-gateway +spec: + selector: + istio: ingressgateway # use istio default controller + servers: + - port: + number: 80 + name: http + protocol: HTTP + hosts: + - "*" \ No newline at end of file diff --git a/11-Fault_Injection/01-FaultInjection-delay/README.md b/11-Fault_Injection/01-FaultInjection-delay/README.md new file mode 100755 index 0000000..d319472 --- /dev/null +++ b/11-Fault_Injection/01-FaultInjection-delay/README.md 
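Review bot: `hosts: - "*"` on the new Gateway.yaml carries no `namespace/` qualifier, which per Istio's Gateway reference (as I read it) is treated as `*/*` and lets a VirtualService from any namespace attach to `helloworld-gateway` and claim port 80 on the shared `istio: ingressgateway` workload. For a least-privilege example, scope binding to the Gateway's own namespace, `- "./*"  # only VirtualServices in this namespace may bind; bare "*" allows any namespace`, or name the real hostname. The `# use istio default controller` comment is misleading: the selector matches the ingress gateway pod's label, not a controller, so `# selects the default ingress gateway pod (label istio=ingressgateway)` would be accurate. The file is also missing its trailing newline.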
@@ -0,0 +1,251 @@ +--- +gitea: none +include_toc: true +--- + +# Description + +Based on the [previous example](../../01-Getting_Started/01-hello_world_1_service_1_deployment), we configure a "fault" that will make the backend take 10 more seconds before receiving the request. + +This will be applied to a 90% of the incoming traffic that matches the rule and will allow to confirm in a secure environment how the application would behave in such difficult situations, and apply the modifications required to avoid issue in case there would be a network issue. + + + +This example configures: + + Generic Kubernetes resources: + - 1 Service + - 1 Deployments + + Istio resources: + - 1 Gateway + - 1 Virtual Service + + +# Based on + +- [01-hello_world_1_service_1_deployment](../../01-Getting_Started/01-hello_world_1_service_1_deployment) +- https://istio.io/latest/docs/reference/config/networking/virtual-service/#HTTPFaultInjection-Delay + +# Configuration + +## Service + +Creates a service named `helloworld`. + +This service listens for the port `80` expecting `HTTP` traffic and will forward the incoming traffic towards the port `80` from the destination pod. + +```yaml +apiVersion: v1 +kind: Service +metadata: + name: helloworld + labels: + app: helloworld + service: helloworld +spec: + ports: + - port: 80 + name: http + selector: + app: helloworld +``` + +## Deployment + +Deploys a Nginx server that listens for the port `80`. + +```yaml +apiVersion: apps/v1 +kind: Deployment +metadata: + name: helloworld-nginx + labels: + app: helloworld +spec: + replicas: 1 + selector: + matchLabels: + app: helloworld + template: + metadata: + labels: + app: helloworld + spec: + containers: + - name: helloworld + image: nginx + resources: + requests: + cpu: "100m" + imagePullPolicy: IfNotPresent #Always + ports: + - containerPort: 80 +``` + +## Gateway + +Deploys an Istio gateway that's listening to the port `80` for `HTTP` traffic. + +It doesn't filter for any specific host. 
+ +The `selector` field is used to "choose" which Istio Load Balancers will have this gateway assigned to. + +The Istio `default` profile creates a Load Balancer in the namespace `istio-system` that has the label `istio: ingressgateway` set, allowing us to target that specific Load Balancer and assign this gateway resource to it. + +```yaml +apiVersion: networking.istio.io/v1alpha3 +kind: Gateway +metadata: + name: helloworld-gateway +spec: + selector: + istio: ingressgateway # use istio default controller + servers: + - port: + number: 80 + name: http + protocol: HTTP + hosts: + - "*" +``` + +## VirtualService + +The Virtual Service resources are used to route and filter the received traffic from the gateway resources, and route it towards the desired destination. + +On this example we select the gateway `helloworld-gateway`, which is the [gateway that 's described in the `Gateway` section](#gateway). + +On this resource, we are also not limiting the incoming traffic to any specific host, allowing for all the incoming traffic to go through the rules set. + +Here we created a rule that will be applied on `HTTP` related traffic (including `HTTPS` and `HTTP2`) when the destination path is exactly `/helloworld`. + +This traffic will be forwarded to the port `80` of the destination service `helloworld` (the full path URL equivalent would be `helloworld.$NAMESPACE.svc.cluster.local`). + +There will be an internal URL rewrite set, as if the URL is not modified, it would attempt to reach to the `/helloworld` path from the Nginx deployment, which currently has no content and would result in an error code `404` (Not found). + +Additionally, we apply a "fault", where a 90% of the traffic will have 10 seconds extra of delay. 
+ +```yaml +apiVersion: networking.istio.io/v1alpha3 +kind: VirtualService +metadata: + name: helloworld-vs +spec: + hosts: + - "*" + gateways: + - helloworld-gateway + http: + - match: + - uri: + exact: /helloworld + route: + - destination: + host: helloworld + port: + number: 80 + rewrite: + uri: "/" + fault: + delay: + percentage: + value: 90 + fixedDelay: 10s +``` + +# Walkthrough + +## Deploy resources + +Deploy the resources. + +```shell +kubectl apply -f ./ +``` +```text +deployment.apps/helloworld-nginx created +gateway.networking.istio.io/helloworld-gateway created +service/helloworld created +virtualservice.networking.istio.io/helloworld-vs created +``` + +## Wait for the pods to be ready + +Wait for the Nginx deployments to be up and ready. + +```shell +kubectl get deployment helloworld-nginx -w +``` +```text +NAME READY UP-TO-DATE AVAILABLE AGE +helloworld-nginx 1/1 1 1 12s +``` + +## Test the service + +### Get LB IP + +To perform the desired tests, we will need to obtain the IP Istio Load Balancer that we selected in the [Gateway section](#gateway). + +On my environment, the IP is the `192.168.1.50`. + +```shell +kubectl get svc -l istio=ingressgateway -A +``` +```text +NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE +istio-ingressgateway LoadBalancer 10.97.47.216 192.168.1.50 15021:31316/TCP,80:32012/TCP,443:32486/TCP 39h +``` + +### helloworld + +We will use the `curl` command and feed it a template to provide us with some timings and as well of confirming the status code from the request. + +Since the fault that we set had a 90% chance of triggering, if you are "unlucky", and get instantly the response from the backend, you might need to run the command multiple times in order to get the fault triggered. 
+ +```shell +curl -w @- -o /dev/null -s 192.168.1.50/helloworld <<'EOF' + http_code: %{http_code}\n + time_namelookup: %{time_namelookup}\n + time_connect: %{time_connect}\n + time_appconnect: %{time_appconnect}\n + time_pretransfer: %{time_pretransfer}\n + time_redirect: %{time_redirect}\n + time_starttransfer: %{time_starttransfer}\n + ----------\n + time_total: %{time_total}\n +EOF +``` + +```text + http_code: 200 + time_namelookup: 0.000010 + time_connect: 0.000671 + time_appconnect: 0.000000 + time_pretransfer: 0.000689 + time_redirect: 0.000000 + time_starttransfer: 10.008781 + ---------- + time_total: 10.008817 +``` + +From the command output, we can observe that the request took more than 10 seconds to be replied, and as well the status code was successful, meaning that the application was able to handle the request. + +## Cleanup + +Finally, a cleanup from the resources deployed. + +```shell +kubectl delete -f ./ +``` +```text +deployment.apps "helloworld-nginx" deleted +gateway.networking.istio.io "helloworld-gateway" deleted +service "helloworld" deleted +virtualservice.networking.istio.io "helloworld-vs" deleted +``` + +# Links of interest + +- https://istio.io/latest/docs/reference/config/networking/virtual-service/#HTTPFaultInjection-Delay \ No newline at end of file diff --git a/11-Fault_Injection/01-FaultInjection-delay/Service.yaml b/11-Fault_Injection/01-FaultInjection-delay/Service.yaml new file mode 100644 index 0000000..271ce25 --- /dev/null +++ b/11-Fault_Injection/01-FaultInjection-delay/Service.yaml @@ -0,0 +1,13 @@ +apiVersion: v1 +kind: Service +metadata: + name: helloworld + labels: + app: helloworld + service: helloworld +spec: + ports: + - port: 80 + name: http + selector: + app: helloworld \ No newline at end of file 
diff --git a/11-Fault_Injection/05a-FaultInjection-delay/gateway.yaml b/11-Fault_Injection/01-FaultInjection-delay/VirtualService.yaml old mode 100755 new mode 100644 similarity index 50% rename from 11-Fault_Injection/05a-FaultInjection-delay/gateway.yaml rename to 11-Fault_Injection/01-FaultInjection-delay/VirtualService.yaml index fce0b98..b06e3c9 --- a/11-Fault_Injection/05a-FaultInjection-delay/gateway.yaml +++ b/11-Fault_Injection/01-FaultInjection-delay/VirtualService.yaml @@ -1,19 +1,3 @@ -# https://github.com/istio/istio/blob/master/samples/helloworld/helloworld-gateway.yaml -apiVersion: networking.istio.io/v1alpha3 -kind: Gateway -metadata: - name: helloworld-gateway -spec: - selector: - istio: ingressgateway # use istio default controller - servers: - - port: - number: 80 - name: http - protocol: HTTP - hosts: - - "*" ---- apiVersion: networking.istio.io/v1alpha3 kind: VirtualService metadata: @@ -35,7 +19,7 @@ spec: rewrite: uri: "/" fault: - delay: + delay: percentage: - value: 90 + value: 90 fixedDelay: 10s \ No newline at end of file diff --git a/11-Fault_Injection/05a-FaultInjection-delay/deployment.yaml b/11-Fault_Injection/02-FaultInjection-abort/Deployment.yaml similarity index 63% rename from 11-Fault_Injection/05a-FaultInjection-delay/deployment.yaml rename to 11-Fault_Injection/02-FaultInjection-abort/Deployment.yaml index 01dd2b0..233fd2c 100755 --- a/11-Fault_Injection/05a-FaultInjection-delay/deployment.yaml +++ b/11-Fault_Injection/02-FaultInjection-abort/Deployment.yaml @@ -1,18 +1,3 @@ -# https://github.com/istio/istio/blob/master/samples/helloworld/helloworld.yaml -apiVersion: v1 -kind: Service -metadata: - name: helloworld - labels: - app: helloworld - service: helloworld -spec: - ports: - - port: 80 - name: http - selector: - app: helloworld ---- apiVersion: apps/v1 kind: Deployment metadata: 
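Review bot: The retained `fault.delay` (90% of matching requests, `fixedDelay: 10s`) is fenced only by the `match`/`route` rules that sit outside this hunk, and the accompanying README shows the VirtualService bound with `hosts: "*"` on the shared ingress gateway, so any client reaching `/helloworld` gets the delay. For a safer demo, gate the fault behind a request-header match (Istio's own fault-injection examples key on a header) or at least flag it: `fault:  # TEST ONLY: delays 90% of matching requests by 10s; do not apply on a shared gateway`. The `- delay:`/`+ delay:` and `value: 90` pairs appear to differ only in trailing whitespace, which the collapsed diff hides, and the file still lacks a trailing newline.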
diff --git a/11-Fault_Injection/02-FaultInjection-abort/Gateway.yaml b/11-Fault_Injection/02-FaultInjection-abort/Gateway.yaml
new file mode 100755
index 0000000..bbd9d67
--- /dev/null
+++ b/11-Fault_Injection/02-FaultInjection-abort/Gateway.yaml
@@ -0,0 +1,14 @@
+apiVersion: networking.istio.io/v1alpha3
+kind: Gateway
+metadata:
+ name: helloworld-gateway
+spec:
+ selector:
+ istio: ingressgateway # use istio default controller
+ servers:
+ - port:
+ number: 80
+ name: http
+ protocol: HTTP
+ hosts:
+ - "*"
\ No newline at end of file
diff --git a/11-Fault_Injection/02-FaultInjection-abort/README.md b/11-Fault_Injection/02-FaultInjection-abort/README.md
new file mode 100755
index 0000000..5d52178
--- /dev/null
+++ b/11-Fault_Injection/02-FaultInjection-abort/README.md
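Review bot: `hosts: - "*"` without a `namespace/` prefix lets VirtualServices in any namespace bind to this Gateway and take port 80 on the shared ingress gateway; for a scoped example prefer `- "./*"  # bind only VirtualServices from this namespace` or an explicit hostname. The `# use istio default controller` comment describes a pod label selector rather than a controller; `# selects the default ingress gateway pod (istio=ingressgateway)` says what the line does. The new file has no trailing newline.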
@@ -0,0 +1,240 @@ +--- +gitea: none +include_toc: true +--- + +# Description + +Based on the [previous example](../02-FaultInjection-abort), where we configure a "fault" that will make the backend take 10 more seconds before receiving the request, this time will make the request abort, resulting in a failed request (503 status code). + +This will be applied to a 90% of the incoming traffic that matches the rule and will allow to confirm in a secure environment how the application would behave in such difficult situations, and apply the modifications required to avoid issue in case there would be a network issue. + + +This example configures: + + Generic Kubernetes resources: + - 1 Service + - 1 Deployments + + Istio resources: + - 1 Gateway + - 1 Virtual Service + + +# Based on + +- [02-FaultInjection-abort](../02-FaultInjection-abort) +- https://istio.io/latest/docs/reference/config/networking/virtual-service/#HTTPFaultInjection-Abort + +# Configuration + +## Service + +Creates a service named `helloworld`. + +This service listens for the port `80` expecting `HTTP` traffic and will forward the incoming traffic towards the port `80` from the destination pod. + +```yaml +apiVersion: v1 +kind: Service +metadata: + name: helloworld + labels: + app: helloworld + service: helloworld +spec: + ports: + - port: 80 + name: http + selector: + app: helloworld +``` + +## Deployment + +Deploys a Nginx server that listens for the port `80`. + +```yaml +apiVersion: apps/v1 +kind: Deployment +metadata: + name: helloworld-nginx + labels: + app: helloworld +spec: + replicas: 1 + selector: + matchLabels: + app: helloworld + template: + metadata: + labels: + app: helloworld + spec: + containers: + - name: helloworld + image: nginx + resources: + requests: + cpu: "100m" + imagePullPolicy: IfNotPresent #Always + ports: + - containerPort: 80 +``` + +## Gateway + +Deploys an Istio gateway that's listening to the port `80` for `HTTP` traffic. + +It doesn't filter for any specific host. 
+ +The `selector` field is used to "choose" which Istio Load Balancers will have this gateway assigned to. + +The Istio `default` profile creates a Load Balancer in the namespace `istio-system` that has the label `istio: ingressgateway` set, allowing us to target that specific Load Balancer and assign this gateway resource to it. + +```yaml +apiVersion: networking.istio.io/v1alpha3 +kind: Gateway +metadata: + name: helloworld-gateway +spec: + selector: + istio: ingressgateway # use istio default controller + servers: + - port: + number: 80 + name: http + protocol: HTTP + hosts: + - "*" +``` + +## VirtualService + +The Virtual Service resources are used to route and filter the received traffic from the gateway resources, and route it towards the desired destination. + +On this example we select the gateway `helloworld-gateway`, which is the [gateway that 's described in the `Gateway` section](#gateway). + +On this resource, we are also not limiting the incoming traffic to any specific host, allowing for all the incoming traffic to go through the rules set. + +Here we created a rule that will be applied on `HTTP` related traffic (including `HTTPS` and `HTTP2`) when the destination path is exactly `/helloworld`. + +This traffic will be forwarded to the port `80` of the destination service `helloworld` (the full path URL equivalent would be `helloworld.$NAMESPACE.svc.cluster.local`). + +There will be an internal URL rewrite set, as if the URL is not modified, it would attempt to reach to the `/helloworld` path from the Nginx deployment, which currently has no content and would result in an error code `404` (Not found). + +Additionally, we apply a "fault", where a 90% of the traffic will be aborted and receive a 503 status code. 
+ +```yaml +apiVersion: networking.istio.io/v1alpha3 +kind: VirtualService +metadata: + name: helloworld-vs +spec: + hosts: + - "*" + gateways: + - helloworld-gateway + http: + - match: + - uri: + exact: /helloworld + route: + - destination: + host: helloworld + port: + number: 80 + rewrite: + uri: "/" + fault: + abort: + percentage: + value: 90 + httpStatus: 503 +``` + +# Walkthrough + +## Deploy resources + +Deploy the resources. + +```shell +kubectl apply -f ./ +``` +```text +deployment.apps/helloworld-nginx created +gateway.networking.istio.io/helloworld-gateway created +service/helloworld created +virtualservice.networking.istio.io/helloworld-vs created +``` + +## Wait for the pods to be ready + +Wait for the Nginx deployments to be up and ready. + +```shell +kubectl get deployment helloworld-nginx -w +``` +```text +NAME READY UP-TO-DATE AVAILABLE AGE +helloworld-nginx 1/1 1 1 12s +``` + +## Test the service + +### Get LB IP + +To perform the desired tests, we will need to obtain the IP Istio Load Balancer that we selected in the [Gateway section](#gateway). + +On my environment, the IP is the `192.168.1.50`. + +```shell +kubectl get svc -l istio=ingressgateway -A +``` +```text +NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE +istio-ingressgateway LoadBalancer 10.97.47.216 192.168.1.50 15021:31316/TCP,80:32012/TCP,443:32486/TCP 39h +``` + +### helloworld + +We will use the `curl` command and feed it a template to provide us with the status code from the request. + +Since the fault that we set had a 90% chance of triggering, if you are "unlucky", and get instantly the response from the backend, you might need to run the command multiple times in order to get the fault triggered. 
+ +```shell +curl -w @- -o /dev/null -s 192.168.1.21/helloworld <<'EOF' + http_code: %{http_code}\n + ----------\n + time_total: %{time_total}\n +EOF +``` + +```text + http_code: 503 + ---------- + time_total: 0.037870 +``` + +From the command output, we can observe that the request resulted in a 503 status code. + +We could continue sending curls until we receive a successful `200` status code. + +## Cleanup + +Finally, a cleanup from the resources deployed. + +```shell +kubectl delete -f ./ +``` +```text +deployment.apps "helloworld-nginx" deleted +gateway.networking.istio.io "helloworld-gateway" deleted +service "helloworld" deleted +virtualservice.networking.istio.io "helloworld-vs" deleted +``` + +# Links of interest + +- https://istio.io/latest/docs/reference/config/networking/virtual-service/#HTTPFaultInjection-Abort \ No newline at end of file diff --git a/11-Fault_Injection/02-FaultInjection-abort/Service.yaml b/11-Fault_Injection/02-FaultInjection-abort/Service.yaml new file mode 100644 index 0000000..271ce25 --- /dev/null +++ b/11-Fault_Injection/02-FaultInjection-abort/Service.yaml @@ -0,0 +1,13 @@ +apiVersion: v1 +kind: Service +metadata: + name: helloworld + labels: + app: helloworld + service: helloworld +spec: + ports: + - port: 80 + name: http + selector: + app: helloworld \ No newline at end of file diff --git a/11-Fault_Injection/05b-FaultInjection-abort/gateway.yaml b/11-Fault_Injection/02-FaultInjection-abort/VirtualService.yaml old mode 100755 new mode 100644 similarity index 50% rename from 11-Fault_Injection/05b-FaultInjection-abort/gateway.yaml rename to 11-Fault_Injection/02-FaultInjection-abort/VirtualService.yaml index d6865b4..d0852a1 --- a/11-Fault_Injection/05b-FaultInjection-abort/gateway.yaml +++ b/11-Fault_Injection/02-FaultInjection-abort/VirtualService.yaml 
@@ -1,19 +1,3 @@ -# https://github.com/istio/istio/blob/master/samples/helloworld/helloworld-gateway.yaml -apiVersion: networking.istio.io/v1alpha3 -kind: Gateway -metadata: - name: helloworld-gateway -spec: - selector: - istio: ingressgateway # use istio default controller - servers: - - port: - number: 80 - name: http - protocol: HTTP - hosts: - - "*" ---- apiVersion: networking.istio.io/v1alpha3 kind: VirtualService metadata: @@ -35,7 +19,7 @@ spec: rewrite: uri: "/" fault: - abort: + abort: percentage: - value: 90 + value: 90 httpStatus: 503 \ No newline at end of file diff --git a/11-Fault_Injection/05a-FaultInjection-delay/README.md b/11-Fault_Injection/05a-FaultInjection-delay/README.md deleted file mode 100755 index 081d8fc..0000000 --- a/11-Fault_Injection/05a-FaultInjection-delay/README.md +++ /dev/null @@ -1,7 +0,0 @@ -# Continues from - -- 01-hello_world_1_service_1_deployment - - -https://istio.io/latest/docs/reference/config/networking/virtual-service/#HTTPFaultInjection-Delay - diff --git a/11-Fault_Injection/05b-FaultInjection-abort/README.md b/11-Fault_Injection/05b-FaultInjection-abort/README.md deleted file mode 100755 index b69a0af..0000000 --- a/11-Fault_Injection/05b-FaultInjection-abort/README.md +++ /dev/null @@ -1,11 +0,0 @@ -# Continues from - -- 05a-FaultInjection-delay - - -https://istio.io/latest/docs/reference/config/networking/virtual-service/#HTTPFaultInjection-Abort - - - -curl 192.168.1.50/helloworld -I - diff --git a/11-Fault_Injection/README.md b/11-Fault_Injection/README.md new file mode 100644 index 0000000..9965ee0 --- /dev/null +++ b/11-Fault_Injection/README.md @@ -0,0 +1,9 @@ + +## Description + +This section focuses on applying configurations to test the resiliency from the deployed applications. + +## Examples + +- 01-FaultInjection-delay +- 02-FaultInjection-abort -- 2.47.2 From 1cf75d5902625dd12369c3351d52bceab9c202d1 Mon Sep 17 00:00:00 2001 
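Review bot: The `fault.abort` stanza (90% of matching requests answered with `httpStatus: 503`) has the same blast radius as the delay example: the `match`/`route` rules that scope it are outside this hunk, and the README binds the VirtualService with `hosts: "*"` on the shared gateway, so every caller of `/helloworld` sees the failures. Gate it on a request header or mark it explicitly, `abort:  # TEST ONLY: fails 90% of matching requests with 503; never apply on a shared gateway`. The `- abort:`/`+ abort:` and `value: 90` lines seem to change only trailing whitespace, and the file still has no trailing newline.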
From: savagebidoof Date: Sat, 14 Oct 2023 12:21:42 +0200 Subject: [PATCH 21/22] Deglossed the files. --- .../{deployment.yaml => Deployment.yaml} | 20 ----- .../05-TCP-FORWARDING/Gateway.yaml | 20 +++++ .../05-TCP-FORWARDING/Service.yaml | 19 +++++ .../{gateway.yaml => VirtualService.yaml} | 21 ------ .../06-TLS-PASSTHROUGH/Deployment.yaml | 26 +++++++ .../06-TLS-PASSTHROUGH/Gateway.yaml | 17 +++++ .../06-TLS-PASSTHROUGH/Service.yaml | 16 ++++ .../{gateway.yaml => VirtualService.yaml} | 18 ----- .../06-TLS-PASSTHROUGH/deployment.yaml | 73 ------------------- 9 files changed, 98 insertions(+), 132 deletions(-) rename 03-Gateway_Ingress/05-TCP-FORWARDING/{deployment.yaml => Deployment.yaml} (62%) create mode 100755 03-Gateway_Ingress/05-TCP-FORWARDING/Gateway.yaml create mode 100644 03-Gateway_Ingress/05-TCP-FORWARDING/Service.yaml rename 03-Gateway_Ingress/05-TCP-FORWARDING/{gateway.yaml => VirtualService.yaml} (58%) mode change 100755 => 100644 create mode 100755 03-Gateway_Ingress/06-TLS-PASSTHROUGH/Deployment.yaml create mode 100755 03-Gateway_Ingress/06-TLS-PASSTHROUGH/Gateway.yaml create mode 100644 03-Gateway_Ingress/06-TLS-PASSTHROUGH/Service.yaml rename 03-Gateway_Ingress/06-TLS-PASSTHROUGH/{gateway.yaml => VirtualService.yaml} (55%) mode change 100755 => 100644 delete mode 100755 03-Gateway_Ingress/06-TLS-PASSTHROUGH/deployment.yaml diff --git a/03-Gateway_Ingress/05-TCP-FORWARDING/deployment.yaml b/03-Gateway_Ingress/05-TCP-FORWARDING/Deployment.yaml similarity index 62% rename from 03-Gateway_Ingress/05-TCP-FORWARDING/deployment.yaml rename to 03-Gateway_Ingress/05-TCP-FORWARDING/Deployment.yaml index 92c59bd..5e7af48 100755 --- a/03-Gateway_Ingress/05-TCP-FORWARDING/deployment.yaml +++ b/03-Gateway_Ingress/05-TCP-FORWARDING/Deployment.yaml 
@@ -1,23 +1,3 @@
-apiVersion: v1
-kind: Service
-metadata:
- name: helloworld
- labels:
- app: helloworld
- service: helloworld
-spec:
- ports:
- - port: 8080
- name: http-web
- targetPort: 80
- protocol: TCP
- - port: 8443
- name: https-web
- targetPort: 443
- protocol: TCP
- selector:
- app: helloworld
----
 apiVersion: apps/v1
 kind: Deployment
 metadata:
diff --git a/03-Gateway_Ingress/05-TCP-FORWARDING/Gateway.yaml b/03-Gateway_Ingress/05-TCP-FORWARDING/Gateway.yaml
new file mode 100755
index 0000000..f7e0c2b
--- /dev/null
+++ b/03-Gateway_Ingress/05-TCP-FORWARDING/Gateway.yaml
@@ -0,0 +1,20 @@
+apiVersion: networking.istio.io/v1alpha3
+kind: Gateway
+metadata:
+ name: helloworld-gateway
+spec:
+ selector:
+ istio: ingressgateway
+ servers:
+ - port:
+ number: 80
+ name: tcp-1
+ protocol: TCP
+ hosts:
+ - "*"
+ - port:
+ number: 443
+ name: tcp-2
+ protocol: TCP
+ hosts:
+ - "*"
\ No newline at end of file
diff --git a/03-Gateway_Ingress/05-TCP-FORWARDING/Service.yaml b/03-Gateway_Ingress/05-TCP-FORWARDING/Service.yaml
new file mode 100644
index 0000000..81cb088
--- /dev/null
+++ b/03-Gateway_Ingress/05-TCP-FORWARDING/Service.yaml
@@ -0,0 +1,19 @@
+apiVersion: v1
+kind: Service
+metadata:
+ name: helloworld
+ labels:
+ app: helloworld
+ service: helloworld
+spec:
+ ports:
+ - port: 8080
+ name: http-web
+ targetPort: 80
+ protocol: TCP
+ - port: 8443
+ name: https-web
+ targetPort: 443
+ protocol: TCP
+ selector:
+ app: helloworld
\ No newline at end of file
diff --git a/03-Gateway_Ingress/05-TCP-FORWARDING/gateway.yaml b/03-Gateway_Ingress/05-TCP-FORWARDING/VirtualService.yaml
old mode 100755
new mode 100644
similarity index 58%
rename from 03-Gateway_Ingress/05-TCP-FORWARDING/gateway.yaml
rename to 03-Gateway_Ingress/05-TCP-FORWARDING/VirtualService.yaml
index 036596c..79b0c48
--- a/03-Gateway_Ingress/05-TCP-FORWARDING/gateway.yaml
+++ b/03-Gateway_Ingress/05-TCP-FORWARDING/VirtualService.yaml
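Review bot: Both TCP servers in 05-TCP-FORWARDING/Gateway.yaml use `hosts: - "*"`, and with `protocol: TCP` the gateway hands the byte stream through without terminating TLS or parsing HTTP, so none of the HTTP-level routing or policy shown in the other examples applies at this gateway; a one-line comment on each server saying so, e.g. `# TCP: forwarded as an opaque stream; no HTTP routing or L7 policy is applied at the gateway`, would stop readers from copying this as an HTTP ingress. The Gateway also omits `namespace:` while the 06-TLS-PASSTHROUGH Gateway in this same commit sets `namespace: default`; the two examples should agree. The file ends without a trailing newline (`\ No newline at end of file`).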
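Review bot: In 05-TCP-FORWARDING/Service.yaml the port names `http-web` and `https-web` are what Istio uses to select the protocol for sidecar traffic on 8080 and 8443, but the TLS-passthrough Service added in this same commit states it explicitly with `appProtocol: HTTPS`; declaring it here as well (`appProtocol: HTTPS` on the 8443 entry, and the HTTP equivalent on 8080) keeps the two examples consistent and makes the intended protocol visible without knowing the port-name convention. This file also lacks a trailing newline.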
@@ -1,25 +1,4 @@
 apiVersion: networking.istio.io/v1alpha3
-kind: Gateway
-metadata:
- name: helloworld-gateway
-spec:
- selector:
- istio: ingressgateway
- servers:
- - port:
- number: 80
- name: tcp-1
- protocol: TCP
- hosts:
- - "*"
- - port:
- number: 443
- name: tcp-2
- protocol: TCP
- hosts:
- - "*"
----
-apiVersion: networking.istio.io/v1alpha3
 kind: VirtualService
 metadata:
 name: helloworld-vs
diff --git a/03-Gateway_Ingress/06-TLS-PASSTHROUGH/Deployment.yaml b/03-Gateway_Ingress/06-TLS-PASSTHROUGH/Deployment.yaml
new file mode 100755
index 0000000..700f9cb
--- /dev/null
+++ b/03-Gateway_Ingress/06-TLS-PASSTHROUGH/Deployment.yaml
@@ -0,0 +1,26 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: helloworld-nginx
+ labels:
+ app: helloworld
+spec:
+ replicas: 1
+ selector:
+ matchLabels:
+ app: helloworld
+ template:
+ metadata:
+ labels:
+ app: helloworld
+ spec:
+ containers:
+ - name: helloworld
+ image: oriolfilter/https-nginx-demo
+ resources:
+ requests:
+ cpu: "100m"
+ imagePullPolicy: Always #Always
+ ports:
+ - containerPort: 80
+ - containerPort: 443
\ No newline at end of file
diff --git a/03-Gateway_Ingress/06-TLS-PASSTHROUGH/Gateway.yaml b/03-Gateway_Ingress/06-TLS-PASSTHROUGH/Gateway.yaml
new file mode 100755
index 0000000..e4cf71f
--- /dev/null
+++ b/03-Gateway_Ingress/06-TLS-PASSTHROUGH/Gateway.yaml
@@ -0,0 +1,17 @@
+apiVersion: networking.istio.io/v1alpha3
+kind: Gateway
+metadata:
+ name: helloworld-gateway
+ namespace: default
+spec:
+ selector:
+ istio: ingressgateway
+ servers:
+ - port:
+ number: 443
+ name: https-web
+ protocol: HTTPS
+ hosts:
+ - "*"
+ tls:
+ mode: PASSTHROUGH
diff --git a/03-Gateway_Ingress/06-TLS-PASSTHROUGH/Service.yaml b/03-Gateway_Ingress/06-TLS-PASSTHROUGH/Service.yaml
new file mode 100644
index 0000000..5f48363
--- /dev/null
+++ b/03-Gateway_Ingress/06-TLS-PASSTHROUGH/Service.yaml
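Review bot: `image: oriolfilter/https-nginx-demo` in 06-TLS-PASSTHROUGH/Deployment.yaml carries neither a tag nor a digest, and together with `imagePullPolicy: Always` every pod start pulls whatever the default tag currently points at, so the example can change underneath a reader and cannot be reproduced; pin it, e.g. `image: oriolfilter/https-nginx-demo:<tag>` (tag to be chosen by the author), or reference the image by digest. The trailing `#Always` comment on the pull-policy line only restates the value and should go, and `resources` sets `requests` without `limits`. The file also has no trailing newline.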
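Review bot: The server in 06-TLS-PASSTHROUGH/Gateway.yaml combines `tls: mode: PASSTHROUGH` with `hosts: - "*"`, so the gateway accepts any SNI on 443 and only the VirtualService's `tls` match (the file renamed in this commit; its route body is not in this hunk) decides where a connection goes; narrowing `hosts` to the name the backend actually serves, or documenting why the wildcard is required, would make the intent explicit. Because the stream is not terminated here, certificate validity, cipher choice and any client authentication are entirely the backend's responsibility, which a comment on the `tls:` block should state, e.g. `# PASSTHROUGH: the gateway routes on SNI only; TLS is terminated by the backend`. This Gateway sets `namespace: default` while the TCP-forwarding Gateway in the same commit does not; the two should agree.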
@@ -0,0 +1,16 @@
+apiVersion: v1
+kind: Service
+metadata:
+ name: helloworld
+ labels:
+ app: helloworld
+ service: helloworld
+spec:
+ ports:
+ - name: https
+ port: 8443
+ targetPort: 443
+ protocol: TCP
+ appProtocol: HTTPS
+ selector:
+ app: helloworld
\ No newline at end of file
diff --git a/03-Gateway_Ingress/06-TLS-PASSTHROUGH/gateway.yaml b/03-Gateway_Ingress/06-TLS-PASSTHROUGH/VirtualService.yaml
old mode 100755
new mode 100644
similarity index 55%
rename from 03-Gateway_Ingress/06-TLS-PASSTHROUGH/gateway.yaml
rename to 03-Gateway_Ingress/06-TLS-PASSTHROUGH/VirtualService.yaml
index 2f092f6..fd451f8
--- a/03-Gateway_Ingress/06-TLS-PASSTHROUGH/gateway.yaml
+++ b/03-Gateway_Ingress/06-TLS-PASSTHROUGH/VirtualService.yaml
@@ -1,22 +1,4 @@
 apiVersion: networking.istio.io/v1alpha3
-kind: Gateway
-metadata:
- name: helloworld-gateway
- namespace: default
-spec:
- selector:
- istio: ingressgateway
- servers:
- - port:
- number: 443
- name: https-web
- protocol: HTTPS
- hosts:
- - "*"
- tls:
- mode: PASSTHROUGH
----
-apiVersion: networking.istio.io/v1alpha3
 kind: VirtualService
 metadata:
 name: helloworld-vs
diff --git a/03-Gateway_Ingress/06-TLS-PASSTHROUGH/deployment.yaml b/03-Gateway_Ingress/06-TLS-PASSTHROUGH/deployment.yaml
deleted file mode 100755
index f94f650..0000000
--- a/03-Gateway_Ingress/06-TLS-PASSTHROUGH/deployment.yaml
+++ /dev/null
@@ -1,73 +0,0 @@
-apiVersion: v1
-kind: Service
-metadata:
- name: helloworld
- labels:
- app: helloworld
- service: helloworld
-spec:
- ports:
- - name: https
- port: 8443
- targetPort: 443
- protocol: TCP
- appProtocol: HTTPS
- selector:
- app: helloworld
----
-apiVersion: apps/v1
-kind: Deployment
-metadata:
- name: helloworld-nginx
- labels:
- app: helloworld
-spec:
- replicas: 1
- selector:
- matchLabels:
- app: helloworld
- template:
- metadata:
- labels:
- app: helloworld
- spec:
- containers:
- - name: helloworld
- image: oriolfilter/https-nginx-demo
- resources:
- requests:
- cpu: "100m"
- imagePullPolicy: Always #Always
- ports:
- - containerPort: 80
- - containerPort: 443
-#---
-#apiVersion: apps/v1
-#kind: Deployment
-#metadata:
-# name: nginx
-# labels:
-# app: nginx
-# version: v1
-#spec:
-# replicas: 1
-# selector:
-# matchLabels:
-# app: nginx
-# version: v1
-# template:
-# metadata:
-# labels:
-# app: nginx
-# version: v1
-# spec:
-# # serviceAccountName: istio-helloworld
-# containers:
-# - name: nginx
-# image: nginx
-# resources:
-# requests:
-# cpu: "100m"
-# imagePullPolicy: IfNotPresent
-# ports:
-# - containerPort: 80
\ No newline at end of file
-- 2.47.2
From 68efcde1fa6b5bf462826ba224c8902cd2baa341 Mon Sep 17 00:00:00 2001 From: savagebidoof Date: Sat, 14 Oct 2023 12:22:17 +0200 Subject: [PATCH 22/22] Added a section README.md to the sections: - 90-MixConfigs - 99-resources --- 90-MixConfigs/REDME.md | 16 ++++++++++++++-- 99-resources/README.md | 16 ++++++++++++++++ 2 files changed, 30 insertions(+), 2 deletions(-) create mode 100644 99-resources/README.md
diff --git a/90-MixConfigs/REDME.md b/90-MixConfigs/REDME.md
index e8909b7..f476c80 100644
--- a/90-MixConfigs/REDME.md
+++ b/90-MixConfigs/REDME.md
@@ -1,3 +1,15 @@
-# Examples of mix configurations
+## Description
+
+This section is to put non-specific examples, being able to be as flexible as I desire.
+
+## Examples
+
+- 01-HTTPS-Gateway_Service_Entry
+- Minecraft
+
+
+# i.e of mix configurations
+
+ie. gateway with HTTPS traffic through simple TLS, and a Service Entry as a backend.
+
 
-ie. gateway with HTTPS traffic through simple TLS, and a Service Entry as a backend.
\ No newline at end of file
diff --git a/99-resources/README.md b/99-resources/README.md
new file mode 100644
index 0000000..1bf3f17
--- /dev/null
+++ b/99-resources/README.md
@@ -0,0 +1,16 @@
+## Description
+
+This section is reserved in case I need to provide any resource whatsoever.
+
+For example, it contains the files used to create a Docker image for a Nginx server that contains an HTTPS web service, which is used for the examples shared.
+
+## Contents
+
+- HTTPS-NGINX-DOCKERFILE
+
+
+## i.e of mix configurations
+
+ie. gateway with HTTPS traffic through simple TLS, and a Service Entry as a backend.
+
+
-- 2.47.2