diff --git a/06-Envoy/01-envoy_add_headers/README.md b/.placeholder/06-Envoy/01-envoy_add_headers/README.md similarity index 100% rename from 06-Envoy/01-envoy_add_headers/README.md rename to .placeholder/06-Envoy/01-envoy_add_headers/README.md diff --git a/06-Envoy/01-envoy_add_headers/deployment.yaml b/.placeholder/06-Envoy/01-envoy_add_headers/deployment.yaml similarity index 100% rename from 06-Envoy/01-envoy_add_headers/deployment.yaml rename to .placeholder/06-Envoy/01-envoy_add_headers/deployment.yaml diff --git a/06-Envoy/01-envoy_add_headers/envoy.yaml b/.placeholder/06-Envoy/01-envoy_add_headers/envoy.yaml similarity index 100% rename from 06-Envoy/01-envoy_add_headers/envoy.yaml rename to .placeholder/06-Envoy/01-envoy_add_headers/envoy.yaml diff --git a/06-Envoy/01-envoy_add_headers/envoy2.yaml b/.placeholder/06-Envoy/01-envoy_add_headers/envoy2.yaml similarity index 100% rename from 06-Envoy/01-envoy_add_headers/envoy2.yaml rename to .placeholder/06-Envoy/01-envoy_add_headers/envoy2.yaml diff --git a/06-Envoy/01-envoy_add_headers/gateway.yaml b/.placeholder/06-Envoy/01-envoy_add_headers/gateway.yaml similarity index 100% rename from 06-Envoy/01-envoy_add_headers/gateway.yaml rename to .placeholder/06-Envoy/01-envoy_add_headers/gateway.yaml diff --git a/06-Envoy/README.md b/.placeholder/06-Envoy/README.md similarity index 100% rename from 06-Envoy/README.md rename to .placeholder/06-Envoy/README.md diff --git a/07-MeshConfig/01-Outboud-Traffic-Policy/README.md b/.placeholder/07-MeshConfig/01-Outboud-Traffic-Policy/README.md similarity index 100% rename from 07-MeshConfig/01-Outboud-Traffic-Policy/README.md rename to .placeholder/07-MeshConfig/01-Outboud-Traffic-Policy/README.md diff --git a/07-MeshConfig/01-Outboud-Traffic-Policy/deployment.yaml b/.placeholder/07-MeshConfig/01-Outboud-Traffic-Policy/deployment.yaml similarity index 100% rename from 07-MeshConfig/01-Outboud-Traffic-Policy/deployment.yaml rename to .placeholder/07-MeshConfig/01-Outboud-Traffic-Policy/deployment.yaml diff --git a/07-MeshConfig/01-Outboud-Traffic-Policy/gateway.yaml b/.placeholder/07-MeshConfig/01-Outboud-Traffic-Policy/gateway.yaml similarity index 100% rename from 07-MeshConfig/01-Outboud-Traffic-Policy/gateway.yaml rename to .placeholder/07-MeshConfig/01-Outboud-Traffic-Policy/gateway.yaml diff --git a/07-MeshConfig/README.md b/.placeholder/07-MeshConfig/README.md similarity index 100% rename from 07-MeshConfig/README.md rename to .placeholder/07-MeshConfig/README.md diff --git a/00-Troubleshooting/README.md b/00-Troubleshooting/README.md index fcb5ad1..7a78d48 100644 --- a/00-Troubleshooting/README.md +++ b/00-Troubleshooting/README.md @@ -3,6 +3,63 @@ gitea: none include_toc: true --- + +# Logs + +> **Note:**\ +> Remember that you can use the command `watch` or `watch -n 5` (where 5 refers every 5 seconds) in case of being interested on execute this commands periodically. + +## Istiod + +```shell +kubectl logs -n istio-system -f deployments/istiod +``` + +## Istio-Proxy Pod + +This will display the logs from a deployment while targeting the `istio-proxy` container from the targeted pod/deployment. + +As well will attach the session to stream new logs. (`-f` `--follow`) + +```shell +kubectl logs deployments/helloworld-default -f -c istio-proxy +``` + +```text +[2023-05-15T00:42:03.699Z] "- - -" 0 UH - - "-" 0 0 0 - "-" "-" "-" "-" "-" BlackHoleCluster - 10.111.90.232:8080 172.17.121.65:52006 - - +[2023-05-15T00:42:24.785Z] "HEAD / HTTP/1.1" 200 - via_upstream - "-" 0 0 2 1 "-" "curl/7.74.0" "c133cbf0-b57d-4fba-8f84-d683ab903399" "helloworld.default.svc.cluster.local" "172.17.121.65:80" inbound|80|| 127.0.0.6:51695 172.17.121.65:80 172.17.121.65:43786 outbound_.80_._.helloworld.default.svc.cluster.local default +[2023-05-15T00:42:24.784Z] "HEAD / HTTP/1.1" 200 - via_upstream - "-" 0 0 5 4 "-" "curl/7.74.0" "c133cbf0-b57d-4fba-8f84-d683ab903399" "helloworld.default.svc.cluster.local" "172.17.121.65:80" outbound|80||helloworld.default.svc.cluster.local 172.17.121.65:43786 10.111.90.232:80 172.17.121.65:57030 - default +[2023-05-15T00:43:23.209Z] "HEAD / HTTP/1.1" 200 - via_upstream - "-" 0 0 6 5 "-" "curl/7.74.0" "e1f0a2f3-93ff-4c41-8cb3-6d3a53fce065" "helloworld.foo.svc.cluster.local" "172.17.247.42:80" outbound|80||helloworld.foo.svc.cluster.local 172.17.121.65:55040 10.109.248.148:80 172.17.121.65:60520 - default +[2023-05-15T00:43:29.751Z] "- - -" 0 UH - - "-" 0 0 0 - "-" "-" "-" "-" "-" BlackHoleCluster - 10.109.248.148:8080 172.17.121.65:40370 - - +[2023-05-15T00:43:31.979Z] "- - -" 0 UH - - "-" 0 0 0 - "-" "-" "-" "-" "-" BlackHoleCluster - 10.109.248.148:8080 172.17.121.65:40402 - - +``` + +## Ingress + +The service targeted, `istio-ingressgateway`, is an Ingress Load Balancer service from Istio. + +```shell +kubectl logs -n istio-system services/istio-ingressgateway +``` +#### Invalid TLS context has neither subject CN nor SAN names + +The TLS certificate specified don't have the field CN or the field SAN. + +To address this issue, issue a new certificate that has at least one of those fields. + +#### initial fetch timed out for type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.Secretthread + +This is due not being able to retrieve the TLS configuration assigned to the gateway. + +It's Important that the secret is located in the same namespace as the Istio Load Balancer used. In my case is the `istio-system`, but it will vary based on the environment. + + + + + + + + # Istioctl analyze `istioctl analyze` reviews the current configuration set. @@ -67,57 +124,24 @@ listening on eth0, link-type EN10MB (Ethernet), snapshot length 262144 bytes ... ``` -# Logs - -> **Note:**\ -> Remember that you can use the command `watch` or `watch -n 5` (where 5 refers every 5 seconds) in case of being interested on execute this commands periodically. - -## Istiod +# Istioctl proxy-status +> **Note:** Shorthand is `ps` ```shell -kubectl logs -n istio-system -f deployments/istiod +istioctl ps ``` - -## Istio-Proxy Pod - -This will display the logs from a deployment while targeting the `istio-proxy` container from the targeted pod/deployment. - -As well will attach the session to stream new logs. (`-f` `--follow`) - -```shell -kubectl logs deployments/helloworld-default -f -c istio-proxy -``` - ```text -[2023-05-15T00:42:03.699Z] "- - -" 0 UH - - "-" 0 0 0 - "-" "-" "-" "-" "-" BlackHoleCluster - 10.111.90.232:8080 172.17.121.65:52006 - - -[2023-05-15T00:42:24.785Z] "HEAD / HTTP/1.1" 200 - via_upstream - "-" 0 0 2 1 "-" "curl/7.74.0" "c133cbf0-b57d-4fba-8f84-d683ab903399" "helloworld.default.svc.cluster.local" "172.17.121.65:80" inbound|80|| 127.0.0.6:51695 172.17.121.65:80 172.17.121.65:43786 outbound_.80_._.helloworld.default.svc.cluster.local default -[2023-05-15T00:42:24.784Z] "HEAD / HTTP/1.1" 200 - via_upstream - "-" 0 0 5 4 "-" "curl/7.74.0" "c133cbf0-b57d-4fba-8f84-d683ab903399" "helloworld.default.svc.cluster.local" "172.17.121.65:80" outbound|80||helloworld.default.svc.cluster.local 172.17.121.65:43786 10.111.90.232:80 172.17.121.65:57030 - default -[2023-05-15T00:43:23.209Z] "HEAD / HTTP/1.1" 200 - via_upstream - "-" 0 0 6 5 "-" "curl/7.74.0" "e1f0a2f3-93ff-4c41-8cb3-6d3a53fce065" "helloworld.foo.svc.cluster.local" "172.17.247.42:80" outbound|80||helloworld.foo.svc.cluster.local 172.17.121.65:55040 10.109.248.148:80 172.17.121.65:60520 - default -[2023-05-15T00:43:29.751Z] "- - -" 0 UH - - "-" 0 0 0 - "-" "-" "-" "-" "-" BlackHoleCluster - 10.109.248.148:8080 172.17.121.65:40370 - - -[2023-05-15T00:43:31.979Z] "- - -" 0 UH - - "-" 0 0 0 - "-" "-" "-" "-" "-" BlackHoleCluster - 10.109.248.148:8080 172.17.121.65:40402 - - +NAME CLUSTER CDS LDS EDS RDS ECDS ISTIOD VERSION +helloworld-6798765f88-ql26n.default Kubernetes SYNCED SYNCED SYNCED SYNCED NOT SENT istiod-dbf5ff64-9kxxs 1.17.2 +helloworld2-dc9cb5db6-m47x7.default Kubernetes SYNCED SYNCED SYNCED SYNCED NOT SENT istiod-dbf5ff64-9kxxs 1.17.2 +istio-egressgateway-676bf68b54-d28fn.istio-system Kubernetes SYNCED SYNCED SYNCED NOT SENT NOT SENT istiod-dbf5ff64-9kxxs 1.17.2 +istio-ingressgateway-8d56c999d-nv7ph.istio-system Kubernetes SYNCED SYNCED SYNCED SYNCED NOT SENT istiod-dbf5ff64-9kxxs 1.17.2 ``` -## Ingress - -The service targeted, `istio-ingressgateway`, is an Ingress Load Balancer service from Istio. - -```shell -kubectl logs -n istio-system services/istio-ingressgateway -``` -#### Invalid TLS context has neither subject CN nor SAN names - -The TLS certificate specified don't have the field CN or the field SAN. - -To address this issue, issue a new certificate that has at least one of those fields. - -#### initial fetch timed out for type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.Secretthread - -This is due not being able to retrieve the TLS configuration assigned to the gateway. - -It's Important that the secret is located in the same namespace as the Istio Load Balancer used. In my case is the `istio-system`, but it will vary based on the environment. - # Istioctl proxy-config +> **Note:** Shorthand is `pc` + ## Check listeners diff --git a/01-Getting_Started/01-hello_world_1_service_1_deployment/README.md b/01-Getting_Started/01-hello_world_1_service_1_deployment/README.md index 13ebeb3..0641ada 100755 --- a/01-Getting_Started/01-hello_world_1_service_1_deployment/README.md +++ b/01-Getting_Started/01-hello_world_1_service_1_deployment/README.md @@ -219,7 +219,7 @@ I would like to put emphasis on the following line returned: server: istio-envoy ``` -This means that the contents returned was performed by the Istio service, instead of the Nginx or any other possible backend service. +This means that the contents returned was performed by the Istio service, therefore, the request was able to reach Istio and received a response from it. ## Cleanup diff --git a/01-Getting_Started/03-hello_world_1_service_2_deployments_managed_version/VirtualService.yaml b/01-Getting_Started/03-hello_world_1_service_2_deployments_managed_version/VirtualService.yaml index 3b39a70..97b9642 100644 --- a/01-Getting_Started/03-hello_world_1_service_2_deployments_managed_version/VirtualService.yaml +++ b/01-Getting_Started/03-hello_world_1_service_2_deployments_managed_version/VirtualService.yaml @@ -19,13 +19,13 @@ spec: port: number: 80 subset: v1 - weight: 20 + weight: 80 - destination: # host: helloworld (OLD) host: helloworld.default.svc.cluster.local port: number: 80 subset: v2 - weight: 80 + weight: 20 rewrite: uri: "/" \ No newline at end of file diff --git a/02-Traffic_management/README.md b/02-Traffic_management/README.md index 95eb471..9efb673 100644 --- a/02-Traffic_management/README.md +++ b/02-Traffic_management/README.md @@ -1 +1,2 @@ -This gloves the resources `Virtual Service` and `Destination Rule` \ No newline at end of file +This gloves the resources `Virtual Service` and `Destination Rule`. + diff --git a/03-Gateway_Ingress/07-HTTPS-Gateway-Simple-TLS/Deployment.yaml b/03-Gateway_Ingress/03-HTTPS-Gateway-Simple-TLS/Deployment.yaml similarity index 100% rename from 03-Gateway_Ingress/07-HTTPS-Gateway-Simple-TLS/Deployment.yaml rename to 03-Gateway_Ingress/03-HTTPS-Gateway-Simple-TLS/Deployment.yaml diff --git a/03-Gateway_Ingress/07-HTTPS-Gateway-Simple-TLS/Gateway.yaml b/03-Gateway_Ingress/03-HTTPS-Gateway-Simple-TLS/Gateway.yaml similarity index 100% rename from 03-Gateway_Ingress/07-HTTPS-Gateway-Simple-TLS/Gateway.yaml rename to 03-Gateway_Ingress/03-HTTPS-Gateway-Simple-TLS/Gateway.yaml diff --git a/03-Gateway_Ingress/07-HTTPS-Gateway-Simple-TLS/README.md b/03-Gateway_Ingress/03-HTTPS-Gateway-Simple-TLS/README.md similarity index 97% rename from 03-Gateway_Ingress/07-HTTPS-Gateway-Simple-TLS/README.md rename to 03-Gateway_Ingress/03-HTTPS-Gateway-Simple-TLS/README.md index ff66d5e..7f22253 100644 --- a/03-Gateway_Ingress/07-HTTPS-Gateway-Simple-TLS/README.md +++ b/03-Gateway_Ingress/03-HTTPS-Gateway-Simple-TLS/README.md @@ -5,7 +5,7 @@ include_toc: true # Based on -- [01-hello_world_1_service_1_deployment](../../01-Getting%20Started/01-hello_world_1_service_1_deployment) +- [01-hello_world_1_service_1_deployment](../../01-Getting_Started/01-hello_world_1_service_1_deployment) # Description diff --git a/03-Gateway_Ingress/07-HTTPS-Gateway-Simple-TLS/Service.yaml b/03-Gateway_Ingress/03-HTTPS-Gateway-Simple-TLS/Service.yaml similarity index 100% rename from 03-Gateway_Ingress/07-HTTPS-Gateway-Simple-TLS/Service.yaml rename to 03-Gateway_Ingress/03-HTTPS-Gateway-Simple-TLS/Service.yaml diff --git a/03-Gateway_Ingress/07-HTTPS-Gateway-Simple-TLS/VirtualService.yaml b/03-Gateway_Ingress/03-HTTPS-Gateway-Simple-TLS/VirtualService.yaml similarity index 100% rename from 03-Gateway_Ingress/07-HTTPS-Gateway-Simple-TLS/VirtualService.yaml rename to 03-Gateway_Ingress/03-HTTPS-Gateway-Simple-TLS/VirtualService.yaml diff --git a/03-Gateway_Ingress/08a-HTTPS-min-TLS-version/Deployment.yaml b/03-Gateway_Ingress/04a-HTTPS-min-TLS-version/Deployment.yaml similarity index 100% rename from 03-Gateway_Ingress/08a-HTTPS-min-TLS-version/Deployment.yaml rename to 03-Gateway_Ingress/04a-HTTPS-min-TLS-version/Deployment.yaml diff --git a/03-Gateway_Ingress/08a-HTTPS-min-TLS-version/Gateway.yaml b/03-Gateway_Ingress/04a-HTTPS-min-TLS-version/Gateway.yaml similarity index 100% rename from 03-Gateway_Ingress/08a-HTTPS-min-TLS-version/Gateway.yaml rename to 03-Gateway_Ingress/04a-HTTPS-min-TLS-version/Gateway.yaml diff --git a/03-Gateway_Ingress/08a-HTTPS-min-TLS-version/README.md b/03-Gateway_Ingress/04a-HTTPS-min-TLS-version/README.md similarity index 98% rename from 03-Gateway_Ingress/08a-HTTPS-min-TLS-version/README.md rename to 03-Gateway_Ingress/04a-HTTPS-min-TLS-version/README.md index 76708e4..74374f7 100644 --- a/03-Gateway_Ingress/08a-HTTPS-min-TLS-version/README.md +++ b/03-Gateway_Ingress/04a-HTTPS-min-TLS-version/README.md @@ -5,7 +5,7 @@ include_toc: true # Based on -- [07-HTTPS-Gateway-Simple-TLS](../07-HTTPS-Gateway-Simple-TLS) +- [07-HTTPS-Gateway-Simple-TLS](../03-HTTPS-Gateway-Simple-TLS) # Description diff --git a/03-Gateway_Ingress/08a-HTTPS-min-TLS-version/Service.yaml b/03-Gateway_Ingress/04a-HTTPS-min-TLS-version/Service.yaml similarity index 100% rename from 03-Gateway_Ingress/08a-HTTPS-min-TLS-version/Service.yaml rename to 03-Gateway_Ingress/04a-HTTPS-min-TLS-version/Service.yaml diff --git a/03-Gateway_Ingress/08a-HTTPS-min-TLS-version/VirtualService.yaml b/03-Gateway_Ingress/04a-HTTPS-min-TLS-version/VirtualService.yaml similarity index 100% rename from 03-Gateway_Ingress/08a-HTTPS-min-TLS-version/VirtualService.yaml rename to 03-Gateway_Ingress/04a-HTTPS-min-TLS-version/VirtualService.yaml diff --git a/03-Gateway_Ingress/08b-HTTPS-max-TLS-version/Deployment.yaml b/03-Gateway_Ingress/04b-HTTPS-max-TLS-version/Deployment.yaml similarity index 100% rename from 03-Gateway_Ingress/08b-HTTPS-max-TLS-version/Deployment.yaml rename to 03-Gateway_Ingress/04b-HTTPS-max-TLS-version/Deployment.yaml diff --git a/03-Gateway_Ingress/08b-HTTPS-max-TLS-version/Gateway.yaml b/03-Gateway_Ingress/04b-HTTPS-max-TLS-version/Gateway.yaml similarity index 100% rename from 03-Gateway_Ingress/08b-HTTPS-max-TLS-version/Gateway.yaml rename to 03-Gateway_Ingress/04b-HTTPS-max-TLS-version/Gateway.yaml diff --git a/03-Gateway_Ingress/08b-HTTPS-max-TLS-version/README.md b/03-Gateway_Ingress/04b-HTTPS-max-TLS-version/README.md similarity index 98% rename from 03-Gateway_Ingress/08b-HTTPS-max-TLS-version/README.md rename to 03-Gateway_Ingress/04b-HTTPS-max-TLS-version/README.md index e3833f4..ae1d63d 100644 --- a/03-Gateway_Ingress/08b-HTTPS-max-TLS-version/README.md +++ b/03-Gateway_Ingress/04b-HTTPS-max-TLS-version/README.md @@ -5,7 +5,7 @@ include_toc: true # Based on -- [08a-HTTPS-min-TLS-version](../08a-HTTPS-min-TLS-version) +- [08a-HTTPS-min-TLS-version](../04a-HTTPS-min-TLS-version) # Description diff --git a/03-Gateway_Ingress/08b-HTTPS-max-TLS-version/Service.yaml b/03-Gateway_Ingress/04b-HTTPS-max-TLS-version/Service.yaml similarity index 100% rename from 03-Gateway_Ingress/08b-HTTPS-max-TLS-version/Service.yaml rename to 03-Gateway_Ingress/04b-HTTPS-max-TLS-version/Service.yaml diff --git a/03-Gateway_Ingress/08b-HTTPS-max-TLS-version/VirtualService.yaml b/03-Gateway_Ingress/04b-HTTPS-max-TLS-version/VirtualService.yaml similarity index 100% rename from 03-Gateway_Ingress/08b-HTTPS-max-TLS-version/VirtualService.yaml rename to 03-Gateway_Ingress/04b-HTTPS-max-TLS-version/VirtualService.yaml diff --git a/03-Gateway_Ingress/10-TCP-FORWARDING/README.md b/03-Gateway_Ingress/05-TCP-FORWARDING/README.md similarity index 98% rename from 03-Gateway_Ingress/10-TCP-FORWARDING/README.md rename to 03-Gateway_Ingress/05-TCP-FORWARDING/README.md index 9b250eb..34d1ce3 100644 --- a/03-Gateway_Ingress/10-TCP-FORWARDING/README.md +++ b/03-Gateway_Ingress/05-TCP-FORWARDING/README.md @@ -5,7 +5,7 @@ include_toc: true # Based on -- [08a-HTTPS-min-TLS-version](../08a-HTTPS-min-TLS-version) +- [08a-HTTPS-min-TLS-version](../04a-HTTPS-min-TLS-version) # Description diff --git a/03-Gateway_Ingress/10-TCP-FORWARDING/deployment.yaml b/03-Gateway_Ingress/05-TCP-FORWARDING/deployment.yaml similarity index 100% rename from 03-Gateway_Ingress/10-TCP-FORWARDING/deployment.yaml rename to 03-Gateway_Ingress/05-TCP-FORWARDING/deployment.yaml diff --git a/03-Gateway_Ingress/10-TCP-FORWARDING/gateway.yaml b/03-Gateway_Ingress/05-TCP-FORWARDING/gateway.yaml similarity index 100% rename from 03-Gateway_Ingress/10-TCP-FORWARDING/gateway.yaml rename to 03-Gateway_Ingress/05-TCP-FORWARDING/gateway.yaml diff --git a/03-Gateway_Ingress/11-TLS-PASSTHROUGH/README.md b/03-Gateway_Ingress/06-TLS-PASSTHROUGH/README.md similarity index 99% rename from 03-Gateway_Ingress/11-TLS-PASSTHROUGH/README.md rename to 03-Gateway_Ingress/06-TLS-PASSTHROUGH/README.md index c7b16d4..1172b82 100644 --- a/03-Gateway_Ingress/11-TLS-PASSTHROUGH/README.md +++ b/03-Gateway_Ingress/06-TLS-PASSTHROUGH/README.md @@ -5,7 +5,7 @@ include_toc: true # Based on -- [10-TCP-FORWARDING](../10-TCP-FORWARDING) +- [10-TCP-FORWARDING](../05-TCP-FORWARDING) # Description diff --git a/03-Gateway_Ingress/11-TLS-PASSTHROUGH/deployment.yaml b/03-Gateway_Ingress/06-TLS-PASSTHROUGH/deployment.yaml similarity index 100% rename from 03-Gateway_Ingress/11-TLS-PASSTHROUGH/deployment.yaml rename to 03-Gateway_Ingress/06-TLS-PASSTHROUGH/deployment.yaml diff --git a/03-Gateway_Ingress/11-TLS-PASSTHROUGH/gateway.yaml b/03-Gateway_Ingress/06-TLS-PASSTHROUGH/gateway.yaml similarity index 100% rename from 03-Gateway_Ingress/11-TLS-PASSTHROUGH/gateway.yaml rename to 03-Gateway_Ingress/06-TLS-PASSTHROUGH/gateway.yaml diff --git a/03-Gateway_Ingress/12-HTTP-to-HTTPS-traffic-redirect/Gateway.yaml b/03-Gateway_Ingress/07-HTTP-to-HTTPS-traffic-redirect/Gateway.yaml similarity index 100% rename from 03-Gateway_Ingress/12-HTTP-to-HTTPS-traffic-redirect/Gateway.yaml rename to 03-Gateway_Ingress/07-HTTP-to-HTTPS-traffic-redirect/Gateway.yaml diff --git a/03-Gateway_Ingress/12-HTTP-to-HTTPS-traffic-redirect/README.md b/03-Gateway_Ingress/07-HTTP-to-HTTPS-traffic-redirect/README.md similarity index 98% rename from 03-Gateway_Ingress/12-HTTP-to-HTTPS-traffic-redirect/README.md rename to 03-Gateway_Ingress/07-HTTP-to-HTTPS-traffic-redirect/README.md index fc7e371..2eb8e66 100644 --- a/03-Gateway_Ingress/12-HTTP-to-HTTPS-traffic-redirect/README.md +++ b/03-Gateway_Ingress/07-HTTP-to-HTTPS-traffic-redirect/README.md @@ -5,7 +5,7 @@ include_toc: true # Based on -- [07-HTTPS-Gateway-Simple-TLS](../07-HTTPS-Gateway-Simple-TLS) +- [07-HTTPS-Gateway-Simple-TLS](../03-HTTPS-Gateway-Simple-TLS) # Description diff --git a/04-Backends/05-Service_Entry/Gateway.yaml b/04-Backends/01-Service_Entry/Gateway.yaml similarity index 100% rename from 04-Backends/05-Service_Entry/Gateway.yaml rename to 04-Backends/01-Service_Entry/Gateway.yaml diff --git a/04-Backends/05-Service_Entry/README.md b/04-Backends/01-Service_Entry/README.md similarity index 90% rename from 04-Backends/05-Service_Entry/README.md rename to 04-Backends/01-Service_Entry/README.md index cadf166..a9a340f 100755 --- a/04-Backends/05-Service_Entry/README.md +++ b/04-Backends/01-Service_Entry/README.md @@ -143,7 +143,7 @@ virtualservice.networking.istio.io/helloworld-vs created ### Get LB IP ```shell -$ kubectl get svc -l istio=ingressgateway -A +kubectl get svc -l istio=ingressgateway -A ``` ```text NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE @@ -177,14 +177,15 @@ curl 192.168.1.50/external We don't receive any output. -This could be due, even if we resolve the destination IP for the URL `info.cern.ch`, the destination might have a Reverse Proxy or any other ingress resource that could condition handling this request. +Even if we resolve the destination IP for the URL `info.cern.ch`, the destination might have a **Reverse Proxy** or any other ingress resource that could condition handling this request. -Due to the `HOST` field not being modified after we set the request, it might not be able to pass the filtering set, weather it is security wise, for example, requiring such field to allow the request; or it being a routing condition, which due not having this field specified, it's not able to route the request towards the destination desired. +Due to the `HOST` field not being modified after we set the request, it might not be able to pass the filtering rules set on the destination server, on this scenario being the service responsible for receiving requests with the URL `info.cern.ch`. ```shell curl 192.168.1.50/external-noh ``` ```text + ``` ## Cleanup diff --git a/04-Backends/05-Service_Entry/ServiceEntry.yaml b/04-Backends/01-Service_Entry/ServiceEntry.yaml similarity index 100% rename from 04-Backends/05-Service_Entry/ServiceEntry.yaml rename to 04-Backends/01-Service_Entry/ServiceEntry.yaml diff --git a/04-Backends/05-Service_Entry/VirtualService.yaml b/04-Backends/01-Service_Entry/VirtualService.yaml similarity index 100% rename from 04-Backends/05-Service_Entry/VirtualService.yaml rename to 04-Backends/01-Service_Entry/VirtualService.yaml diff --git a/04-Backends/09-HTTPS-backend/README.md b/04-Backends/02-HTTPS-backend/README.md similarity index 99% rename from 04-Backends/09-HTTPS-backend/README.md rename to 04-Backends/02-HTTPS-backend/README.md index 8eefa08..901a345 100644 --- a/04-Backends/09-HTTPS-backend/README.md +++ b/04-Backends/02-HTTPS-backend/README.md @@ -5,7 +5,7 @@ include_toc: true # Based on -- [08a-HTTPS-min-TLS-version](../../03-Gateway_Ingress/08a-HTTPS-min-TLS-version) +- [08a-HTTPS-min-TLS-version](../../03-Gateway_Ingress/04a-HTTPS-min-TLS-version) # Description diff --git a/04-Backends/09-HTTPS-backend/authentication.yaml b/04-Backends/02-HTTPS-backend/authentication.yaml similarity index 100% rename from 04-Backends/09-HTTPS-backend/authentication.yaml rename to 04-Backends/02-HTTPS-backend/authentication.yaml diff --git a/04-Backends/09-HTTPS-backend/deployment.yaml b/04-Backends/02-HTTPS-backend/deployment.yaml similarity index 100% rename from 04-Backends/09-HTTPS-backend/deployment.yaml rename to 04-Backends/02-HTTPS-backend/deployment.yaml diff --git a/04-Backends/09-HTTPS-backend/gateway.yaml b/04-Backends/02-HTTPS-backend/gateway.yaml similarity index 100% rename from 04-Backends/09-HTTPS-backend/gateway.yaml rename to 04-Backends/02-HTTPS-backend/gateway.yaml diff --git a/05-Sidecar/02-egress-proxy/README.md b/05-Sidecar/02-egress-proxy/README.md index 10c6ca0..9654487 100755 --- a/05-Sidecar/02-egress-proxy/README.md +++ b/05-Sidecar/02-egress-proxy/README.md @@ -288,21 +288,21 @@ foo helloworld-foo 1/1 1 1 10s Reminder of the **egress** criteria that has been configured to be met: -[ ] Port `80`. +- [ ] Port `80`. -[ ] `HTTP` protocol. +- [ ] `HTTP` protocol. -[ ] Namespace destination `foo`. +- [ ] Namespace destination `foo`. #### Curl helloworld.foo.svc.cluster.local:80 On this scenario we meet the following criteria: -[x] Port `80`. +- [x] Port `80`. -[x] `HTTP` protocol. +- [x] `HTTP` protocol. -[x] Namespace destination `foo`. +- [x] Namespace destination `foo`. ```shell NAMESPACE="default" && kubectl exec -n ${NAMESPACE} "$(kubectl get pod -n ${NAMESPACE} -l app=helloworld -o jsonpath={.items..metadata.name})" -- curl helloworld.foo.svc.cluster.local:80 -sI @@ -326,11 +326,11 @@ x-envoy-upstream-service-time: 10 #### Curl helloworld.foo.svc.cluster.local:8080 -[ ] Port `80`. +- [ ] Port `80`. -[x] `HTTP` protocol. +- [x] `HTTP` protocol. -[x] Namespace destination `foo`. +- [x] Namespace destination `foo`. ```shell @@ -375,11 +375,11 @@ For such, instead the is sent towards `BlackHoleCluster`. #### Curl helloworld.default.svc.cluster.local:80 -[x] Port `80`. +- [x] Port `80`. -[x] `HTTP` protocol. +- [x] `HTTP` protocol. -[ ] Namespace destination `foo`. +- [ ] Namespace destination `foo`. ```shell @@ -432,11 +432,11 @@ For such it raises a `direct response` with status code `502`, as the `istio-pro #### Curl helloworld.default.svc.cluster.local:8080 -[x] Port `8080`. +- [x] Port `8080`. -[x] `HTTP` protocol. +- [x] `HTTP` protocol. -[ ] Namespace destination `foo`. +- [ ] Namespace destination `foo`. ```shell @@ -479,11 +479,11 @@ We can see, how the `istio-proxy` container, from the `helloworld` POD, in the n Reminder of the **egress** criteria that has been configured to be met: -[ ] Port `8080`. +- [ ] Port `8080`. -[ ] `HTTP` protocol. +- [ ] `HTTP` protocol. -[ ] Namespace destination `foo` or `default`. +- [ ] Namespace destination `foo` or `default`. @@ -492,11 +492,11 @@ Reminder of the **egress** criteria that has been configured to be met: On this scenario we meet the following criteria: -[ ] Port `8080`. +- [ ] Port `8080`. -[x] `HTTP` protocol. +- [x] `HTTP` protocol. -[x] Namespace destination `foo` or `default`. +- [x] Namespace destination `foo` or `default`. ```shell NAMESPACE="foo" && kubectl exec -n ${NAMESPACE} "$(kubectl get pod -n ${NAMESPACE} -l app=helloworld -o jsonpath={.items..metadata.name})" -- curl helloworld.foo.svc.cluster.local:80 -sI @@ -538,11 +538,11 @@ We can see, how the `istio-proxy` container, from the `helloworld` POD, in the n On this scenario we meet the following criteria: -[x] Port `8080`. +- [x] Port `8080`. -[x] `HTTP` protocol. +- [x] `HTTP` protocol. -[x] Namespace destination `foo` or `default`. +- [x] Namespace destination `foo` or `default`. ```shell NAMESPACE="foo" && kubectl exec -n ${NAMESPACE} "$(kubectl get pod -n ${NAMESPACE} -l app=helloworld -o jsonpath={.items..metadata.name})" -- curl helloworld.foo.svc.cluster.local:8080 -sI @@ -568,11 +568,11 @@ x-envoy-upstream-service-time: 77 On this scenario we meet the following criteria: -[ ] Port `8080`. +- [ ] Port `8080`. -[x] `HTTP` protocol. +- [x] `HTTP` protocol. -[x] Namespace destination `foo` or `default`. +- [x] Namespace destination `foo` or `default`. ```shell NAMESPACE="foo" && kubectl exec -n ${NAMESPACE} "$(kubectl get pod -n ${NAMESPACE} -l app=helloworld -o jsonpath={.items..metadata.name})" -- curl helloworld.default.svc.cluster.local:80 -sI @@ -612,11 +612,11 @@ We can see, how the `istio-proxy` container, from the `helloworld` POD, in the n On this scenario we meet the following criteria: -[x] Port `8080`. +- [x] Port `8080`. -[x] `HTTP` protocol. +- [x] `HTTP` protocol. -[x] Namespace destination `foo` or `default`. +- [x] Namespace destination `foo` or `default`. ```shell NAMESPACE="foo" && kubectl exec -n ${NAMESPACE} "$(kubectl get pod -n ${NAMESPACE} -l app=helloworld -o jsonpath={.items..metadata.name})" -- curl helloworld.default.svc.cluster.local:8080 -sI diff --git a/09-Ingress/01-Create-Istio-LoadBalancer/01-namespace.yaml b/09-Ingress/01-Create-Istio-LoadBalancer/01-Namespace.yaml similarity index 68% rename from 09-Ingress/01-Create-Istio-LoadBalancer/01-namespace.yaml rename to 09-Ingress/01-Create-Istio-LoadBalancer/01-Namespace.yaml index b9d9719..dca2b2b 100644 --- a/09-Ingress/01-Create-Istio-LoadBalancer/01-namespace.yaml +++ b/09-Ingress/01-Create-Istio-LoadBalancer/01-Namespace.yaml @@ -3,5 +3,4 @@ kind: Namespace metadata: name: istio-ingress labels: - istio-injection: "enabled" ---- \ No newline at end of file + istio-injection: "enabled" \ No newline at end of file diff --git a/09-Ingress/01-Create-Istio-LoadBalancer/deployment.yaml b/09-Ingress/01-Create-Istio-LoadBalancer/Deployment.yaml similarity index 53% rename from 09-Ingress/01-Create-Istio-LoadBalancer/deployment.yaml rename to 09-Ingress/01-Create-Istio-LoadBalancer/Deployment.yaml index 36e6b76..233fd2c 100755 --- a/09-Ingress/01-Create-Istio-LoadBalancer/deployment.yaml +++ b/09-Ingress/01-Create-Istio-LoadBalancer/Deployment.yaml @@ -1,25 +1,3 @@ -# https://github.com/istio/istio/blob/master/samples/helloworld/helloworld.yaml -apiVersion: v1 -kind: Service -metadata: - name: helloworld - labels: - app: helloworld - service: helloworld -spec: - ports: - - port: 80 - name: http - selector: - app: helloworld ---- -#apiVersion: v1 -#kind: ServiceAccount -#metadata: -# name: istio-helloworld -# labels: -# account: ---- apiVersion: apps/v1 kind: Deployment metadata: @@ -36,7 +14,6 @@ spec: labels: app: helloworld spec: -# serviceAccountName: istio-helloworld containers: - name: helloworld image: nginx diff --git a/09-Ingress/01-Create-Istio-LoadBalancer/Gateway.yaml b/09-Ingress/01-Create-Istio-LoadBalancer/Gateway.yaml index 38b5390..61a4e1a 100755 --- a/09-Ingress/01-Create-Istio-LoadBalancer/Gateway.yaml +++ b/09-Ingress/01-Create-Istio-LoadBalancer/Gateway.yaml @@ -1,36 +1,14 @@ -# https://github.com/istio/istio/blob/master/samples/helloworld/helloworld-gateway.yaml apiVersion: networking.istio.io/v1alpha3 kind: Gateway metadata: name: helloworld-gateway spec: selector: - istio: myingressgateway # use istio default controller + istio: myingressgateway # Uses the selector we just deployed servers: - port: number: 80 name: http protocol: HTTP hosts: - - "*" ---- -apiVersion: networking.istio.io/v1alpha3 -kind: VirtualService -metadata: - name: helloworld-vs -spec: - hosts: - - "*" - gateways: - - helloworld-gateway - http: - - match: - - uri: - exact: /helloworld - route: - - destination: - host: helloworld - port: - number: 80 - rewrite: - uri: "/" \ No newline at end of file + - "*" \ No newline at end of file diff --git a/09-Ingress/01-Create-Istio-LoadBalancer/ingress.yaml b/09-Ingress/01-Create-Istio-LoadBalancer/IstioOperator/IstioOperator.yaml similarity index 100% rename from 09-Ingress/01-Create-Istio-LoadBalancer/ingress.yaml rename to 09-Ingress/01-Create-Istio-LoadBalancer/IstioOperator/IstioOperator.yaml diff --git a/09-Ingress/01-Create-Istio-LoadBalancer/README.md b/09-Ingress/01-Create-Istio-LoadBalancer/README.md index dbc677d..bc5f83d 100644 --- a/09-Ingress/01-Create-Istio-LoadBalancer/README.md +++ b/09-Ingress/01-Create-Istio-LoadBalancer/README.md @@ -4,41 +4,31 @@ include_toc: true --- -# Based on - -- [01-hello_world_1_service_1_deployment](../../01-Getting_Started/01-hello_world_1_service_1_deployment) - # Description -On this example, a new Istio Ingress Load Balancer is deployed. +On this example, a new Istio Ingress Load Balancer is deployed through the usage of an `IstioOperator` object, as well deploys a simple service for testing purposes. -The previous example has been modified to utilize the Ingress resource just deployed. -# Changelog +This example configures: -## Gateway + Generic Kubernetes resources: + - 1 Service + - 1 Deployment + + Istio resources: + - 1 Ingress Gateway Load Balancer + - 1 Gateway + - 1 Virtual Service -```yaml -apiVersion: networking.istio.io/v1alpha3 -kind: Gateway -metadata: - name: helloworld-gateway -spec: - selector: - istio: myingressgateway # use istio default controller - servers: - - port: - number: 80 - name: http - protocol: HTTP - hosts: - - "*" -``` +> **Note:**\ +> I don't intend to explain thing related to Kubernetes unless necessary. -The selector `Istio` has been updated to `myingressgateway`, to match the selector of the Istio Ingress Load Balancer that will be created. +# Configuration ## Namespace +Creates the namespace `istio-ingress` with the `istio-injection` enabled. + ```yaml apiVersion: v1 kind: Namespace @@ -48,10 +38,67 @@ metadata: istio-injection: "enabled" ``` -The namespace `istio-ingress` will have the label `istio-injection` with the contents set to `enabled` to allow Istio to automatically inject the Istio sidecars to the resources within that namespace, unless specified otherwise. +## Service + +Creates a service named `helloworld`. + +This service listens for the port `80` expecting `HTTP` traffic and will forward the incoming traffic towards the port `80` from the destination pod. + +```yaml +apiVersion: v1 +kind: Service +metadata: + name: helloworld + labels: + app: helloworld + service: helloworld +spec: + ports: + - port: 80 + name: http + selector: + app: helloworld +``` + +## Deployment + +Deploys a Nginx server that listens for the port `80`. + +```yaml +apiVersion: apps/v1 +kind: Deployment +metadata: + name: helloworld-nginx + labels: + app: helloworld +spec: + replicas: 1 + selector: + matchLabels: + app: helloworld + template: + metadata: + labels: + app: helloworld + spec: + containers: + - name: helloworld + image: nginx + resources: + requests: + cpu: "100m" + imagePullPolicy: IfNotPresent #Always + ports: + - containerPort: 80 +``` ## IstioOperator + +Deploys an Istio Ingress Load Balancer named `myistio-ingressgateway`. + +It will contain the selector `istio: myingressgateway`. + ```yaml apiVersion: install.istio.io/v1alpha1 kind: IstioOperator @@ -75,28 +122,104 @@ spec: injectionTemplate: gateway ``` -The following configuration will create an Istio Ingress Load Balancer named `myistio-ingressgateway`, located at the namespace `istio-ingress`. +## Gateway -The label `istio`, refers to the selector that the `Gateway` resources will use to specify the targeted Istio resource. +Deploys an Istio gateway that's listening to the port `80` for `HTTP` traffic. + +It doesn't filter for any specific host. + +The `selector` field is used to "choose" which Istio Load Balancers will have this gateway assigned to. + +On this scenario, we want to target the Istio Ingress Load Balancer we just created, therefore the value of the selector will be `istio: myingressgateway`. + +```yaml +apiVersion: networking.istio.io/v1alpha3 +kind: Gateway +metadata: + name: helloworld-gateway +spec: + selector: + istio: myingressgateway # Uses the selector we just deployed + servers: + - port: + number: 80 + name: http + protocol: HTTP + hosts: + - "*" +``` + +## VirtualService + +The Virtual Service resources are used to route and filter the received traffic from the gateway resources, and route it towards the desired destination. + +On this example we select the gateway `helloworld-gateway`, which is the [gateway that 's described in the `Gateway` section](#gateway). + +On this resource, we are also not limiting the incoming traffic to any specific host, allowing for all the incoming traffic to go through the rules set. + +Here we created a rule that will be applied on `HTTP` related traffic (including `HTTPS` and `HTTP2`) when the destination path is exactly `/helloworld`. + +This traffic will be forwarded to the port `80` of the destination service `helloworld` (the full path URL equivalent would be `helloworld.$NAMESPACE.svc.cluster.local`). + +Additionally, there will be an internal URL rewrite set, as if the URL is not modified, it would attempt to reach to the `/helloworld` path from the Nginx deployment, which currently has no content and would result in an error code `404` (Not found). + +```yaml +apiVersion: networking.istio.io/v1alpha3 +kind: VirtualService +metadata: + name: helloworld-vs +spec: + hosts: + - "*" + gateways: + - helloworld-gateway + http: + - match: + - uri: + exact: /helloworld + route: + - destination: + host: helloworld + port: + number: 80 + rewrite: + uri: "/" +``` # Walkthrough ## Deploy resources -### Create namespace +Deploy the resources. ```shell -kubectl apply -f 01-namespace.yaml +kubectl apply -f ./ ``` ```text namespace/istio-ingress created +deployment.apps/helloworld-nginx created +gateway.networking.istio.io/helloworld-gateway created +service/helloworld created ``` -### Create / Install the Istio Ingress resource +## Wait for the deployment to be ready +Wait for the Nginx deployment to be up and ready. ```shell -istioctl install -f ingress.yaml +kubectl get deployment helloworld-nginx -w +``` +```text +NAME READY UP-TO-DATE AVAILABLE AGE +helloworld-nginx 1/1 1 1 16s +``` + +## Install the Istio Ingress Gateway Load Balancer + +Press `y` to install. + +```shell +istioctl install -f IstioOperator/IstioOperator.yaml ``` ```text This will install the Istio 1.17.2 empty profile into the cluster. Proceed? (y/N) y @@ -105,92 +228,73 @@ This will install the Istio 1.17.2 empty profile into the cluster. Proceed? (y/N Thank you for installing Istio 1.17. Please take a few minutes to tell us about your install/upgrade experience! https://forms.gle/hMHGiwZHPU7UQRWe9 ``` -### Deploy gateway +## Test the service + +### Get LB IP + +To perform the desired tests, we will need to obtain the IP Istio Load Balancer that we selected in the [Gateway section](#gateway). + +On my environment, the IP is the `192.168.1.50`. ```shell -kubectl apply -f Gateway.yaml +kubectl get svc -l istio=myingressgateway -A ``` ```text - -gateway.networking.istio.io/helloworld-gateway created -virtualservice.networking.istio.io/helloworld-vs created +NAMESPACE NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE +istio-ingress myistio-ingressgateway LoadBalancer 10.96.116.25 192.168.1.51 15021:31681/TCP,80:31993/TCP,443:32596/TCP 116s ``` -### Deploy deployment +### Curl /helloworld + +Due to accessing the path `/helloworld`, we are triggering the rule set on the [VirtualService configuration](#virtualservice), sending a request to the Nginx backend and returning us its contents. ```shell -kubectl apply -f deployment-nomtls.yaml +curl 192.168.1.51/helloworld -s | grep ".*" ``` ```text -service/helloworld created -deployment.apps/helloworld-nginx created +Welcome to nginx! ``` -## Testing deployment +### Curl /other + +What happens if we access a path or URL that doesn't trigger any rule? -### Get Load Balancer IP ```shell -kubectl get svc -n istio-ingress +curl 192.168.1.51/other -s -I ``` ```text -NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE -myistio-ingressgateway LoadBalancer 10.102.158.128 192.168.1.51 15021:31181/TCP,80:30090/TCP,443:31285/TCP 5m10s -``` - -### Curl - -The request results in status code `200`, meaning a correct handling of the request. - -```shell -curl 192.168.1.51/helloworld -I -``` -```text -HTTP/1.1 200 OK +HTTP/1.1 404 Not Found +date: Sat, 01 Jul 2023 13:27:14 GMT server: istio-envoy -date: Sun, 23 Apr 2023 06:40:57 GMT -content-type: text/html -content-length: 615 -last-modified: Tue, 28 Mar 2023 15:01:54 GMT -etag: "64230162-267" -accept-ranges: bytes -x-envoy-upstream-service-time: 15 +transfer-encoding: chunked ``` -# Cleanup -[Yeah no idea, gl with that.](https://stackoverflow.com/a/55731730) +We receive a status code `404`. + +I would like to put emphasis on the following line returned: + +```text +server: istio-envoy +``` + +This means that the contents returned was performed by the Istio service, therefore, the request was able to reach Istio and received a response from it. + +## Cleanup + +Finally, a cleanup from the resources deployed. + +It might take a minute or two, don't **panik** if that's the case. + +Take into account that deleting the namespace will also delete the resources in it, **so be careful!** ```shell -kubectl delete -f ./deployment-nomtls.yaml -kubectl delete -f ./Gateway.yaml +kubectl delete -f ./ ``` ```text -service "helloworld" deleted +namespace "istio-ingress" deleted deployment.apps "helloworld-nginx" deleted gateway.networking.istio.io "helloworld-gateway" deleted +service "helloworld" deleted virtualservice.networking.istio.io "helloworld-vs" deleted -``` - -```shell -istioctl uninstall --purge -``` - -Also read that "just removing" the namespace works to purge the config/remove resources. - -Meanwhile, I did that (and seems like it performed correctly), I am not entirely sure about it. I'm not bothered myself as the environment where I am performing the tests is intended to be destroyed anytime and recreated, yet in a production environment I am not sure how this would need to be approached. - -Maybe with a `kubectl get all -A` and through `grep` and `less` find resources and configurations, and delete them manually. - -```shell -kubectl delete namespace istio-ingress -``` - -# Troubleshooting - -## curl: (7) Failed to connect to 192.168.1.51 port 80 after 2 ms: Couldn't connect to server - -Ensure that the gateway is using the correct `selector` to target the Istio Ingress Load Balancer created. - -# Links of interest - -- https://istio.io/latest/docs/setup/additional-setup/gateway/#deploying-a-gateway \ No newline at end of file +``` \ No newline at end of file diff --git a/09-Ingress/01-Create-Istio-LoadBalancer/Service.yaml b/09-Ingress/01-Create-Istio-LoadBalancer/Service.yaml new file mode 100644 index 0000000..271ce25 --- /dev/null +++ b/09-Ingress/01-Create-Istio-LoadBalancer/Service.yaml @@ -0,0 +1,13 @@ +apiVersion: v1 +kind: Service +metadata: + name: helloworld + labels: + app: helloworld + service: helloworld +spec: + ports: + - port: 80 + name: http + selector: + app: helloworld \ No newline at end of file diff --git a/09-Ingress/01-Create-Istio-LoadBalancer/VirtualService.yaml b/09-Ingress/01-Create-Istio-LoadBalancer/VirtualService.yaml new file mode 100644 index 0000000..205231b --- /dev/null +++ b/09-Ingress/01-Create-Istio-LoadBalancer/VirtualService.yaml @@ -0,0 +1,20 @@ +apiVersion: networking.istio.io/v1alpha3 +kind: VirtualService +metadata: + name: helloworld-vs +spec: + hosts: + - "*" + gateways: + - helloworld-gateway + http: + - match: + - uri: + exact: /helloworld + route: + - destination: + host: helloworld + port: + number: 80 + rewrite: + uri: "/" \ No newline at end of file diff --git a/10-mTLS_PeerAuthentication/01-disable-mTLS/README.md b/10-mTLS_PeerAuthentication/01-disable-mTLS/README.md index 52cbaf7..e7a94c7 100644 --- a/10-mTLS_PeerAuthentication/01-disable-mTLS/README.md +++ b/10-mTLS_PeerAuthentication/01-disable-mTLS/README.md @@ -558,7 +558,7 @@ On this scenario, we met a fatal error, not allowing us to access the service, u From my understanding, not only from this interaction, but from investigating through Istio forums (yet I don't have the link handy, so take this words with some grains of salt), **the traffic cannot be double terminated**, for such if we have an `HTTPS` backend, we might require to disable `mTLS` in order to communicate with it. We also would need to set a [Destination Rule like we did further above](#destination-rule), to specify that the traffic must be terminated with the backend (`tls.mode: STRICT`). -Yet this depends on which would be our architecture, due also being able to set up [TLS Passthrough](../../03-Gateway_Ingress/11-TLS-PASSTHROUGH), or use a [TCP Forwarding](../../03-Gateway_Ingress/10-TCP-FORWARDING). +Yet this depends on which would be our architecture, due also being able to set up [TLS Passthrough](../../03-Gateway_Ingress/06-TLS-PASSTHROUGH), or use a [TCP Forwarding](../../03-Gateway_Ingress/05-TCP-FORWARDING). ```shell curl 192.168.1.50/https-mTLS diff --git a/90-MixConfigs/06-HTTPS-Gateway_Service_Entry/DestinationRule.yaml b/90-MixConfigs/01-HTTPS-Gateway_Service_Entry/DestinationRule.yaml similarity index 100% rename from 90-MixConfigs/06-HTTPS-Gateway_Service_Entry/DestinationRule.yaml rename to 90-MixConfigs/01-HTTPS-Gateway_Service_Entry/DestinationRule.yaml diff --git a/90-MixConfigs/06-HTTPS-Gateway_Service_Entry/Gateway.yaml b/90-MixConfigs/01-HTTPS-Gateway_Service_Entry/Gateway.yaml similarity index 100% rename from 90-MixConfigs/06-HTTPS-Gateway_Service_Entry/Gateway.yaml rename to 90-MixConfigs/01-HTTPS-Gateway_Service_Entry/Gateway.yaml diff --git a/90-MixConfigs/06-HTTPS-Gateway_Service_Entry/README.md b/90-MixConfigs/01-HTTPS-Gateway_Service_Entry/README.md similarity index 91% rename from 90-MixConfigs/06-HTTPS-Gateway_Service_Entry/README.md rename to 90-MixConfigs/01-HTTPS-Gateway_Service_Entry/README.md index 3a1f688..67f432d 100755 --- a/90-MixConfigs/06-HTTPS-Gateway_Service_Entry/README.md +++ b/90-MixConfigs/01-HTTPS-Gateway_Service_Entry/README.md @@ -8,7 +8,7 @@ The page used as a destination is my own [GitHub page](https://github.com/). # Based on -- [05-hello_world_1_Service_Entry](../../04-Backends/05-Service_Entry) +- [05-hello_world_1_Service_Entry](../../04-Backends/01-Service_Entry) # Configuration @@ -24,10 +24,10 @@ Bear in mind that when Istio is communicating with resources externals to the me Also, policy enforcement is performed in the client side instead of the server side. -> **Note:**/ +> **Note:**\ > For more information regarding the `resolution` field or the `location` field, refer to the following official Istio documentations: -> [ServiceEntry.Location](https://istio.io/latest/docs/reference/config/networking/service-entry/#ServiceEntry-Location) -> [ServiceEntry.Resolution](https://istio.io/latest/docs/reference/config/networking/service-entry/#ServiceEntry-Resolution) +> - [ServiceEntry.Location](https://istio.io/latest/docs/reference/config/networking/service-entry/#ServiceEntry-Location) +> - [ServiceEntry.Resolution](https://istio.io/latest/docs/reference/config/networking/service-entry/#ServiceEntry-Resolution) ```yaml apiVersion: networking.istio.io/v1alpha3 @@ -75,7 +75,7 @@ The path `/external` will forward the request towards the destination URL `githu Highlight that the destination is `github.com`, which is the same as the contents set on the field `host` from the [ServiceEntry resource configured above](#serviceentry). -As seen [in the previous example, where the host that didn't have the `HOST` header wasn't able to receive a response by the destination](../../04-Backends/05-Service_Entry/#external-noh), we configured the `HOST` header to match the URL from the external service. +As seen [in the previous example, where the host that didn't have the `HOST` header wasn't able to receive a response by the destination](../../04-Backends/01-Service_Entry/#external-noh), we configured the `HOST` header to match the URL from the external service. ```yaml apiVersion: networking.istio.io/v1alpha3 @@ -108,7 +108,7 @@ spec: ## DestinationRule -As seen in the example [02-Traffic_management/09-HTTPS-backend](../../04-Backends/09-HTTPS-backend), where we configure Istio to use an `HTTPS` backend, the same configuration is applied on this case (yes, I am aware that a `ServiceEntry` is also a backend). +As seen in the example [02-Traffic_management/09-HTTPS-backend](../../04-Backends/02-HTTPS-backend), where we configure Istio to use an `HTTPS` backend, the same configuration is applied on this case (yes, I am aware that a `ServiceEntry` is also a backend). For such, we deploy a `DestinationRule` setting to expect to terminate the TLS traffic, for the traffic with resource destination `github.com`, and port `8443`, which matches the settings set in our [ServiceEntry](#serviceentry) deployed. diff --git a/90-MixConfigs/06-HTTPS-Gateway_Service_Entry/ServiceEntry.yaml b/90-MixConfigs/01-HTTPS-Gateway_Service_Entry/ServiceEntry.yaml similarity index 100% rename from 90-MixConfigs/06-HTTPS-Gateway_Service_Entry/ServiceEntry.yaml rename to 90-MixConfigs/01-HTTPS-Gateway_Service_Entry/ServiceEntry.yaml diff --git a/90-MixConfigs/06-HTTPS-Gateway_Service_Entry/VirtualService.yaml b/90-MixConfigs/01-HTTPS-Gateway_Service_Entry/VirtualService.yaml similarity index 100% rename from 90-MixConfigs/06-HTTPS-Gateway_Service_Entry/VirtualService.yaml rename to 90-MixConfigs/01-HTTPS-Gateway_Service_Entry/VirtualService.yaml diff --git a/90-MixConfigs/06-HTTPS-Gateway_Service_Entry/src/github-screenshot.png b/90-MixConfigs/01-HTTPS-Gateway_Service_Entry/src/github-screenshot.png similarity index 100% rename from 90-MixConfigs/06-HTTPS-Gateway_Service_Entry/src/github-screenshot.png rename to 90-MixConfigs/01-HTTPS-Gateway_Service_Entry/src/github-screenshot.png diff --git a/90-MixConfigs/Minecraft/ConfigMap.yaml b/90-MixConfigs/Minecraft/ConfigMap.yaml new file mode 100644 index 0000000..390ce6d --- /dev/null +++ b/90-MixConfigs/Minecraft/ConfigMap.yaml @@ -0,0 +1,24 @@ +apiVersion: v1 +kind: ConfigMap +metadata: + name: minecraft-config + namespace: default + labels: + app: minecraft +data: + EULA: "TRUE" + MEMORY: 1G + TYPE: "FOLIA" + FORCE_REDOWNLOAD: "FALSE" + VERSION: "1.19.4" + MOTD: "My minecraft world!" + ONLINE_MODE: "FALSE" + ENABLE_QUERY: "TRUE" + ENABLE_RCON: "FALSE" + ALLOW_NETHER: "FALSE" + GENERATE_STRUCTURES: "FALSE" + SNOOPER_ENABLED: "FALSE" + SPAWN_ANIMALS: "FALSE" + SPAWN_MONSTERS: "FALSE" + SPAWN_NPCS: "FALSE" + ENABLE_AUTOPAUSE: "TRUE" \ No newline at end of file diff --git a/90-MixConfigs/Minecraft/Deployment.yaml b/90-MixConfigs/Minecraft/Deployment.yaml new file mode 100644 index 0000000..30ce502 --- /dev/null +++ b/90-MixConfigs/Minecraft/Deployment.yaml @@ -0,0 +1,32 @@ +apiVersion: apps/v1 +kind: Deployment +metadata: + name: minecraft-1 + namespace: default + labels: + app: minecraft +spec: + replicas: 1 + selector: + matchLabels: + app: minecraft + template: + metadata: + labels: + app: minecraft + spec: + containers: + - name: minecraft + image: itzg/minecraft-server + resources: + requests: + cpu: "100m" + imagePullPolicy: IfNotPresent #Always + ports: + - containerPort: 25565 + envFrom: + - configMapRef: + name: minecraft-config + env: + - name: MOTD + value: "World 1 Server" \ No newline at end of file diff --git a/90-MixConfigs/Minecraft/Gateway.yaml b/90-MixConfigs/Minecraft/Gateway.yaml new file mode 100644 index 0000000..7b47906 --- /dev/null +++ b/90-MixConfigs/Minecraft/Gateway.yaml @@ -0,0 +1,15 @@ +apiVersion: networking.istio.io/v1alpha3 +kind: Gateway +metadata: + name: minecraft-gateway + namespace: default +spec: + selector: + istio: games + servers: + - port: + number: 25565 + name: tcp-1 + protocol: TCP + hosts: + - "*" \ No newline at end of file diff --git a/90-MixConfigs/Minecraft/Istio-Ingress/Ingress.yaml b/90-MixConfigs/Minecraft/Istio-Ingress/Ingress.yaml new file mode 100644 index 0000000..363127c --- /dev/null +++ b/90-MixConfigs/Minecraft/Istio-Ingress/Ingress.yaml @@ -0,0 +1,27 @@ +apiVersion: install.istio.io/v1alpha1 +kind: IstioOperator +metadata: + name: ingress +spec: + profile: empty # Do not install CRDs or the control plane + components: + ingressGateways: + - name: ingress-games-gateway + namespace: istio-system + enabled: true + label: + # Set a unique label for the gateway. This is required to ensure Gateways + # can select this workload + istio: games + k8s: + service: + ports: + - port: 25565 + targetPort: 25565 + name: minecraft-port + protocol: TCP + values: + gateways: + istio-ingressgateway: + # Enable gateway injection + injectionTemplate: gateway diff --git a/90-MixConfigs/Minecraft/README.md b/90-MixConfigs/Minecraft/README.md new file mode 100644 index 0000000..dc8ba28 --- /dev/null +++ b/90-MixConfigs/Minecraft/README.md @@ -0,0 +1 @@ +https://github.com/itzg/docker-minecraft-server/#server-configuration \ No newline at end of file diff --git a/90-MixConfigs/Minecraft/Service.yaml b/90-MixConfigs/Minecraft/Service.yaml new file mode 100644 index 0000000..a9fca20 --- /dev/null +++ b/90-MixConfigs/Minecraft/Service.yaml @@ -0,0 +1,18 @@ +apiVersion: v1 +kind: Service +metadata: + name: minecraft + namespace: default + labels: + app: minecraft + world: "1" +spec: + ports: + - port: 25565 + name: tcp-minecraft + protocol: TCP +# nodePort: 30000 + selector: + app: minecraft + world: "1" +# type: NodePort \ No newline at end of file diff --git a/90-MixConfigs/Minecraft/VirtualService.yaml b/90-MixConfigs/Minecraft/VirtualService.yaml new file mode 100644 index 0000000..abc7170 --- /dev/null +++ b/90-MixConfigs/Minecraft/VirtualService.yaml @@ -0,0 +1,18 @@ +apiVersion: networking.istio.io/v1alpha3 +kind: VirtualService +metadata: + name: minecraft-1 + namespace: default +spec: + hosts: + - "*" + gateways: + - minecraft-gateway + tcp: + - match: + - port: 25565 + route: + - destination: + host: minecraft.default.svc.cluster.local + port: + number: 25565 \ No newline at end of file diff --git a/README.md b/README.md index e1de249..503a4d1 100755 --- a/README.md +++ b/README.md @@ -1,92 +1,20 @@ # Disclaimer: -I have absolutely used as a reference and or template other party configurations/files. +I have absolutely used as a reference and/or template other parties configurations/files as well of documentations and examples. I have tried to reference as much as possible as long it's relevant/useful for the reader. -Refer to the specific `README.md` in each example for more information, as the documentation is still in progress. - -As per the moment, most of the examples are located in 02-Traffic_management. +Refer to the specific `README.md` in each example for more information, as (**my**) documentation is still in progress. Currently, the resources are under a relocation and the folders might contain things that don't _really match the topic_. -# Stuff -## Directories - -```text -├── 00-Troubleshooting -├── 01-Getting_Started -│   ├── 01-hello_world_1_service_1_deployment -│   ├── 02-hello_world_1_service_2_deployments_unmanaged -│   ├── 03-hello_world_1_service_2_deployments_managed_version -│   └── 04-hello_world_1_service_2_deployments_managed_version_foo_namespace -├── 02-Traffic_management -│   ├── 01-2_deployments_method -│   ├── 02-DirectResponse-HTTP-Body -│   ├── 03-HTTPRewrite -│   ├── 04-HTTPRedirect -│   ├── 05a-FaultInjection-delay -│   ├── 05b-FaultInjection-abort -│   ├── 05-hello_world_1_Service_Entry -│   ├── 06-hello_world_1_HTTPS-Service_Entry -│   │   └── src -│   ├── 06-mTLS -│   ├── 07-HTTPS-Gateway-Simple-TLS -│   ├── 08a-HTTPS-min-TLS-version -│   ├── 08b-HTTPS-max-TLS-version -│   ├── 09-HTTPS-backend -│   ├── 10-TCP-FORWARDING -│   ├── 11-TLS-PASSTHROUGH -│   ├── 12-HTTP-to-HTTPS-traffic-redirect -│   └── src -├── 03-Sidecar -│   └── 01-ingress-proxy-forwarding -├── 04-Envoy -│   └── 01-envoy_add_headers -├── 05-MeshConfig -│   └── 01-Outboud-Traffic-Policy -├── 06-AuthorizationPolicy -│   ├── 01-target-namespaces -│   ├── 02-target-service-accounts -│   └── 03-target-deployments -├── 09-Ingress -│   └── 01-Create-Istio-LoadBalancer -├── 10-PeerAuthentication -│   ├── 01-disable-mTLS -│   └── 02-portLevelMtls -├── 99-resources -│   └── HTTPS-NGINX-DOCKERFILE -└── XX-CirtcuitBreaking -``` - -## Glossary +# Glossary https://istio.io/latest/docs/reference/glossary/ -## Workload - -https://istio.io/latest/docs/reference/glossary/#workload - -https://kiali.io/docs/architecture/terminology/concepts/#workload -https://istio.io/latest/docs/ops/deployment/vm-architecture/ - - -## Sidecar - -https://kubebyexample.com/learning-paths/istio/intro - - -# Notes for myself - -Internal and external authentication should be set together. - - -https://istio.io/latest/docs/ops/diagnostic-tools/proxy-cmd/ - -https://istio.io/latest/docs/ops/deployment/deployment-models/ ## Services port names @@ -106,12 +34,66 @@ https://istio.io/latest/docs/ops/configuration/traffic-management/protocol-selec -# Workload selector is cool - -- https://istio.io/latest/docs/reference/config/type/workload-selector/#WorkloadSelector - # Links of interest +- https://istio.io/latest/docs/ + - https://istiobyexample.dev/ -- https://www.istioworkshop.io/ \ No newline at end of file +- https://www.istioworkshop.io/ + +- https://istio.io/latest/news/ + +- https://istio.io/latest/blog/ + +- https://istio.io/latest/about/ecosystem/ + +# Tree of folders + +```text +├── 00-Troubleshooting +├── 01-Getting_Started +│   ├── 01-hello_world_1_service_1_deployment +│   ├── 02-hello_world_1_service_2_deployments_unmanaged +│   ├── 03-hello_world_1_service_2_deployments_managed_version +│   └── 04-hello_world_1_service_2_deployments_managed_version_foo_namespace +├── 02-Traffic_management +│   ├── 01-header_routing +│   ├── 02-DirectResponse-HTTP-Body +│   ├── 03-HTTPRewrite +│   └── 04-HTTPRedirect +├── 03-Gateway_Ingress +│   ├── 01-Host_Based_Routing +│   ├── 02-Restrict_Namespaces +│   ├── 03-HTTPS-Gateway-Simple-TLS +│   ├── 04a-HTTPS-min-TLS-version +│   ├── 04b-HTTPS-max-TLS-version +│   ├── 05-TCP-FORWARDING +│   ├── 06-TLS-PASSTHROUGH +│   └── 07-HTTP-to-HTTPS-traffic-redirect +├── 04-Backends +│   ├── 01-Service_Entry +│   └── 02-HTTPS-backend +├── 05-Sidecar +│   ├── 01-ingress-proxy-forwarding +│   └── 02-egress-proxy +├── 08-AuthorizationPolicy +│   ├── 01-target-namespaces +│   ├── 02-target-service-accounts +│   └── 03-target-deployments +├── 09-Ingress +│   └── 01-Create-Istio-LoadBalancer +├── 10-mTLS_PeerAuthentication +│   ├── 01-disable-mTLS +│   ├── 02-portLevelMtls +│   └── 06-mTLS +├── 11-Fault_Injection +│   ├── 05a-FaultInjection-delay +│   └── 05b-FaultInjection-abort +├── 12-CircuitBreaking +├── 90-MixConfigs +│   ├── 01-HTTPS-Gateway_Service_Entry +│   └── Minecraft +└── 99-resources + └── HTTPS-NGINX-DOCKERFILE +``` \ No newline at end of file