sidk still going and trying things

This commit is contained in:
Oriol 2023-04-14 15:58:30 +01:00
parent 4ef69ba81e
commit 325a316ae2
22 changed files with 799 additions and 36 deletions

26
Istio/README.md Normal file

@ -0,0 +1,26 @@
## Glossary
https://istio.io/latest/docs/reference/glossary/
## Workload
https://istio.io/latest/docs/reference/glossary/#workload
https://kiali.io/docs/architecture/terminology/concepts/#workload
https://istio.io/latest/docs/ops/deployment/vm-architecture/
## Sidecar
https://kubebyexample.com/learning-paths/istio/intro
My current issues:
- Understanding authentication
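Review bot: "Understanding authentication" is listed as an open issue but the README gives no pointer to the two policy types the question splits into; under the Sidecar section, add links to the PeerAuthentication reference (workload-to-workload mTLS, what the mtls folder added in this commit is about) and the RequestAuthentication reference (end-user JWT validation), since confusing the two is the usual source of "authentication" trouble in Istio and the glossary links alone do not separate them.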


@ -1 +1 @@
# Example from istio, using it for testing purposes
# Example from istio, storing it for testing purposes


@ -0,0 +1,42 @@
https://github.com/istio/istio/wiki/EnvoyFilter-Samples
https://stackoverflow.com/questions/73262158/how-to-apply-envoyfilter-to-sidecar-inbound-and-gateway
https://istio.io/latest/docs/reference/config/networking/envoy-filter/
https://discuss.istio.io/t/adding-custom-response-headers-using-istios-1-6-0-envoy-lua-filter/7494
https://www.envoyproxy.io/docs/envoy/latest/configuration/http/http_filters/lua_filter
kubectl logs -f deployments/istiod -n istio-system
This somewhat is monitoring, can do cool stuff I don't know how or what to do
enable export access logs to stdout
istioctl install --set profile=default -y --set meshConfig.accessLogFile=/dev/stdout
https://istio.io/latest/docs/ops/diagnostic-tools/component-logging/
https://dev.to/aws-builders/understanding-istio-access-logs-2k5o
```yaml
Note: Here I am using request_handle:logCritical method because default logLevel is WARN for Istio components. request_handle:logInfo can be used, if logLevel is set to Info.
```
https://youtu.be/yOtEG1luTwU
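Review bot: the ```yaml fence around the "Note: Here I am using request_handle:logCritical ..." line wraps prose quoted from the dev.to article, not a manifest; render it as a quote or plain text so nobody tries to apply it. It would also help to say next to the istioctl install line that re-running install with `--set meshConfig.accessLogFile=/dev/stdout` regenerates the mesh config from the default profile, so any other `--set` values used earlier have to be repeated on the same command or they revert.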


@ -0,0 +1,44 @@
# https://github.com/istio/istio/blob/master/samples/helloworld/helloworld.yaml
apiVersion: v1
kind: Service
metadata:
name: helloworld
labels:
app: helloworld
service: helloworld
# annotations:
# sidecar.istio.io/componentLogLevel: info
spec:
ports:
- port: 80
name: http
selector:
app: helloworld
---
apiVersion: apps/v1
kind: Deployment
metadata:
name: helloworld-nginx
labels:
app: helloworld
spec:
replicas: 1
selector:
matchLabels:
app: helloworld
template:
metadata:
labels:
app: helloworld
annotations:
sidecar.istio.io/componentLogLevel: lua:info
spec:
containers:
- name: helloworld
image: nginx
resources:
requests:
cpu: "100m"
imagePullPolicy: IfNotPresent #Always
ports:
- containerPort: 80
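Review bot: the commented-out `sidecar.istio.io/componentLogLevel: info` under the Service's `# annotations:` would have no effect even if uncommented; the injector reads that annotation from the pod template, which is where the live `lua:info` value is correctly placed. Drop the commented copy from the Service so the next reader does not try it. The `lua:info` value is also what makes the Lua filter's logInfo calls visible at all, because the injected proxy in this commit runs with `--proxyLogLevel=warning`, and a short comment next to the annotation saying so would save the trip through the envoy README.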


@ -0,0 +1,33 @@
apiVersion: networking.istio.io/v1alpha3
kind: EnvoyFilter
metadata:
name: envoy-add-response-header
namespace: default
spec:
priority: 30
workloadSelector:
labels:
app: helloworld
configPatches:
- applyTo: HTTP_FILTER
match:
context: SIDECAR_INBOUND
listener:
portNumber: 80
filterChain:
filter:
name: "envoy.filters.network.http_connection_manager"
subFilter:
name: "envoy.filters.http.router"
patch:
operation: INSERT_BEFORE
value:
name: envoy.lua
typed_config:
"@type": "type.googleapis.com/envoy.extensions.filters.http.lua.v3.Lua"
inlineCode: |
function envoy_on_response(response_handle)
response_handle:headers():add("numbers", "lots of numbers")
response_handle:logInfo("Added header `numbers`")
response_handle:logInfo(">>>> Executed `envoy-add-response-header` <<<<")
end
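Review bot: the filter defines only envoy_on_response, so it can stamp and log the reply but cannot gate anything; if the intent grows beyond a header demo, add `envoy_on_request(request_handle)` and use `request_handle:respond()` there, since by the time envoy_on_response runs the upstream has already been called. Two caveats worth a comment in the file: EnvoyFilter is Istio's break-glass API with no compatibility guarantees across proxy versions, so create rights on networking.istio.io EnvoyFilter objects should be limited to mesh admins; and the patch is scoped by `workloadSelector` app: helloworld in namespace default plus `portNumber: 80`, which matches the container port, so it touches nothing else in the mesh.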


@ -0,0 +1,38 @@
apiVersion: networking.istio.io/v1alpha3
kind: EnvoyFilter
metadata:
name: envoy-add-response-header2
namespace: default
spec:
priority: 40
workloadSelector:
labels:
app: helloworld
configPatches:
- applyTo: HTTP_FILTER
match:
context: SIDECAR_INBOUND
listener:
portNumber: 80
filterChain:
filter:
name: "envoy.filters.network.http_connection_manager"
subFilter:
name: "envoy.filters.http.router"
patch:
operation: INSERT_BEFORE
value:
name: envoy.lua
typed_config:
"@type": "type.googleapis.com/envoy.extensions.filters.http.lua.v3.Lua"
inlineCode: |
function envoy_on_response(response_handle)
response_handle:headers():add("fruit", "watermelons")
response_handle:logCritical("Critical: Added header `fruit`")
response_handle:logErr("Error: Added header `fruit`")
response_handle:logWarn("Warning: Added header `fruit`")
response_handle:logInfo("Info: Added header `fruit`")
response_handle:logDebug("Debug: Added header `fruit`")
response_handle:logTrace("Trace: Added header `fruit`")
response_handle:logInfo(">>>> Executed `envoy-add-response-header2` <<<<")
end
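Review bot: with two EnvoyFilters on the same workload both doing INSERT_BEFORE on envoy.filters.http.router, the `priority` values decide the apply order: lower priority is applied first, so the priority 30 filter is inserted first and this priority 40 filter ends up closest to the router. Envoy runs response callbacks in reverse filter order, so on the response path `fruit` is added before `numbers`; a one-line comment stating that ordering would stop it being a surprise when a later filter depends on it. Also, the logDebug and logTrace lines will stay silent with the workload's current `lua:info` component level; only logCritical, logErr and logWarn pass at the proxy's default warning level, and debug/trace need the annotation raised accordingly.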


@ -0,0 +1,36 @@
# https://github.com/istio/istio/blob/master/samples/helloworld/helloworld-gateway.yaml
apiVersion: networking.istio.io/v1alpha3
kind: Gateway
metadata:
name: helloworld-gateway
spec:
selector:
istio: ingressgateway # use istio default controller
servers:
- port:
number: 80
name: http
protocol: HTTP
hosts:
- "*"
---
apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
name: helloworld-vs
spec:
hosts:
- "*"
gateways:
- helloworld-gateway
http:
- match:
- uri:
exact: /helloworld
route:
- destination:
host: helloworld
port:
number: 80
rewrite:
uri: "/"
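Review bot: the Gateway exposes plaintext HTTP on port 80 with `hosts: "*"` and the VirtualService matches `hosts: "*"` too, so any Host header reaches the helloworld route; acceptable for a local demo, but the TODO list in this commit already says "do HTTPS ingress". When that lands, add a second server on port 443 with `tls.mode: SIMPLE` and `credentialName` pointing at a TLS secret in istio-system (the gateway's namespace), set `tls.httpsRedirect: true` on this port 80 server so it only redirects, and narrow `hosts` on both objects to the real hostname.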

6
Istio/envoy/README.md Normal file

@ -0,0 +1,6 @@
https://youtu.be/yOtEG1luTwU
Rate Limit:
https://istio.io/latest/docs/tasks/policy-enforcement/rate-limit/


@ -8,4 +8,9 @@ https://youtu.be/QIkryA8HnQ0
https://github.com/redkubes/otomi-core/blob/main/charts/team-ns/templates/istio-gateway.yaml
https://istio.io/latest/docs/ops/diagnostic-tools/proxy-cmd/
https://istio.io/latest/docs/ops/diagnostic-tools/proxy-cmd/
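Review bot: the proxy-cmd link is added twice in this hunk (the last two lines are identical); keep one.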


@ -1,34 +1,34 @@
apiVersion: v1
kind: Service
metadata:
name: istio-lb
namespace: istio-system
labels:
istio: istio-ingress
spec:
type: LoadBalancer
ports:
- port: 80
name: http
- port: 443
name: https
selector:
istio: istio-ingress
---
apiVersion: install.istio.io/v1alpha1
kind: IstioOperator
metadata:
namespace: istio-system
name: my-istio-operator
spec:
# profile: default
profile: empty
components:
ingressGateways:
- name: istio-ingress
enabled: true
label:
istio: my-istio-ingress
#apiVersion: v1
#kind: Service
#metadata:
# name: istio-lb
# namespace: istio-system
# labels:
# istio: istio-ingress
#spec:
# type: LoadBalancer
# ports:
# - port: 80
# name: http
# - port: 443
# name: https
# selector:
# istio: istio-ingress
#---
#apiVersion: install.istio.io/v1alpha1
#kind: IstioOperator
#metadata:
# namespace: istio-system
# name: my-istio-operator
#spec:
## profile: default
# profile: empty
# components:
# ingressGateways:
# - name: istio-ingress
# enabled: true
# label:
# istio: my-istio-ingress
---
#apiVersion: install.istio.io/v1alpha1
#kind: IstioOperator
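Review bot: the Service and IstioOperator block is commented out rather than fixed, and the bug that presumably made it not work is still in the commented text: the ingress gateway is given the label `istio: my-istio-ingress` while the LoadBalancer Service selects `istio: istio-ingress`, so the Service would never find the gateway pods. Fix the label before reviving it, and add a comment that `profile: empty` installs no istiod and no CRDs, so this operator manifest only works as an add-on to an already installed control plane.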
@ -62,4 +62,58 @@ spec:
# gateways:
# istio-ingressgateway:
# sds:
# enabled: true
# enabled: true
---
apiVersion: v1
kind: Service
metadata:
annotations:
labels:
app: istio-ingressgateway
# install.operator.istio.io/owning-resource: unknown
# install.operator.istio.io/owning-resource-namespace: istio-system
istio: my-ingress-gateway
# istio.io/rev: default
operator.istio.io/component: IngressGateways
# operator.istio.io/managed: Reconcile
# operator.istio.io/version: 1.16.1
# release: istio
name: my-ingress-gateway
namespace: istio-system
resourceVersion: "880342"
uid: 289a34e8-fe45-43ad-8dad-bc3dc9534f5c
spec:
# allocateLoadBalancerNodePorts: true
# clusterIP: 10.110.130.2
# clusterIPs:
# - 10.110.130.2
externalTrafficPolicy: Cluster
internalTrafficPolicy: Cluster
ipFamilies:
- IPv4
ipFamilyPolicy: SingleStack
ports:
- name: status-port
nodePort: 30276
port: 15021
protocol: TCP
targetPort: 15021
- name: http2
nodePort: 32188
port: 80
protocol: TCP
targetPort: 8080
- name: https
# nodePort: 32437
port: 443
protocol: TCP
# targetPort: 8443
selector:
app: istio-ingressgateway
istio: ingressgateway
# sessionAffinity: None
type: LoadBalancer
status:
loadBalancer:
ingress:
- ip: 192.168.1.50
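Review bot: this Service was copied from a live object and keeps server-managed fields: `resourceVersion`, `uid`, the assigned `nodePort` values and the whole `status` block. Applying a manifest with a stale resourceVersion is rejected with a conflict, and a uid that no longer matches fails the precondition, so strip all of them and let the API server assign node ports. Two more points: the object is labelled `istio: my-ingress-gateway` but selects `istio: ingressgateway` and `app: istio-ingressgateway`, i.e. the default ingress gateway pods, so this is a second LoadBalancer in front of the same pods rather than a new gateway, and the name should say so; and `externalTrafficPolicy: Cluster` means the gateway sees the node's SNAT address instead of the client IP, which undercuts the access logs enabled in this commit and any source-IP based AuthorizationPolicy. Use `Local` if client addresses matter.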


@ -16,4 +16,10 @@
## 03-hello_world_1_service_2_deployments_managed_version
## 04-hello_world_1_service_2_deployments_managed_version_defaultnt_namespace
## 04-hello_world_1_service_2_deployments_managed_version_defaultnt_namespace
## 05-hello_world_1_Service_Entry
do HTTPS ingress
tcp ingress to minecraft/factorio/zomboid
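Review bot: "tcp ingress to minecraft/factorio/zomboid" needs a Gateway server with `protocol: TCP` on the game port and a VirtualService with a `tcp:` match on that port, not the `http:` route and URI rewrite used in the helloworld gateways, so it is worth recording that in the TODO so the HTTPS and TCP items are not done as one change. The folder name `04-..._defaultnt_namespace` also looks like a typo for `default_namespace`.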


@ -0,0 +1,9 @@
https://istio.io/latest/docs/concepts/security/#authentication-policies
https://istio.io/latest/docs/tasks/security/authentication/mtls-migration/
# Continues from
- 01-hello_world_1_service_1_deployment
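Review bot: the README links the mTLS migration guide but the folder carries no policy yet, so the mesh stays at its PERMISSIVE default and plaintext from non-mesh clients is still accepted by helloworld. The minimal addition is a PeerAuthentication named `default` in the helloworld namespace with `mtls.mode: STRICT`, applied after confirming the mesh clients work in PERMISSIVE mode, plus a note that the guide's check depends on seeing an `X-Forwarded-Client-Cert` header, which is only present when the hop actually used mTLS.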


@ -0,0 +1,48 @@
# https://github.com/istio/istio/blob/master/samples/helloworld/helloworld.yaml
apiVersion: v1
kind: Service
metadata:
name: helloworld
labels:
app: helloworld
service: helloworld
spec:
ports:
- port: 80
name: http
selector:
app: helloworld
---
#apiVersion: v1
#kind: ServiceAccount
#metadata:
# name: istio-helloworld
# labels:
# account:
---
apiVersion: apps/v1
kind: Deployment
metadata:
name: helloworld-nginx
labels:
app: helloworld
spec:
replicas: 1
selector:
matchLabels:
app: helloworld
template:
metadata:
labels:
app: helloworld
spec:
# serviceAccountName: istio-helloworld
containers:
- name: helloworld
image: nginx
resources:
requests:
cpu: "100m"
imagePullPolicy: IfNotPresent #Always
ports:
- containerPort: 80
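Review bot: the commented ServiceAccount has a label `account:` with no value, which kubectl's validation rejects once uncommented; give it a value (the upstream helloworld sample uses `account: helloworld`) or drop the label. More important for the mtls work this folder is for: with `serviceAccountName` commented out the pod runs as the namespace's `default` service account, so its SPIFFE identity is `spiffe://cluster.local/ns/default/sa/default`, shared with every other unnamed workload in the namespace, and an AuthorizationPolicy principal cannot tell them apart. Give helloworld its own service account before writing any policy that names it.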


@ -0,0 +1,36 @@
# https://github.com/istio/istio/blob/master/samples/helloworld/helloworld-gateway.yaml
apiVersion: networking.istio.io/v1alpha3
kind: Gateway
metadata:
name: helloworld-gateway
spec:
selector:
istio: ingressgateway # use istio default controller
servers:
- port:
number: 80
name: http
protocol: HTTP
hosts:
- "*"
---
apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
name: helloworld-vs
spec:
hosts:
- "*"
gateways:
- helloworld-gateway
http:
- match:
- uri:
exact: /helloworld
route:
- destination:
host: helloworld
port:
number: 80
rewrite:
uri: "/"


@ -0,0 +1,17 @@
Should try to do a double Virtual Service chain
https://academy.tetrate.io/courses/take/istio-fundamentals/lessons/19068816-lab-2-observing-failure-injection
Internal TLS between gateway and services
mtls
https://istio.io/latest/docs/tasks/security/authentication/mtls-migration/
automatic mtls (old)
https://istio.io/v1.4/docs/tasks/security/authentication/auto-mtls/


@ -0,0 +1,8 @@
https://github.com/steren/istio.github.io/blob/master/_docs/setup/kubernetes/sidecar-injection.md
https://istio.io/latest/docs/reference/config/networking/sidecar/
# Continues from
- 01-hello_world_1_service_1_deployment
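Review bot: the first link points at a personal fork of the old istio.github.io repository, so it will not track current injection behaviour; replace it with the upstream page, https://istio.io/latest/docs/setup/additional-setup/sidecar-injection/, which also covers the `istio-injection=enabled` namespace label this folder relies on.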


@ -0,0 +1,48 @@
# https://github.com/istio/istio/blob/master/samples/helloworld/helloworld.yaml
apiVersion: v1
kind: Service
metadata:
name: helloworld
labels:
app: helloworld
service: helloworld
spec:
ports:
- port: 80
name: http
selector:
app: helloworld
---
#apiVersion: v1
#kind: ServiceAccount
#metadata:
# name: istio-helloworld
# labels:
# account:
---
apiVersion: apps/v1
kind: Deployment
metadata:
name: helloworld-nginx
labels:
app: helloworld
spec:
replicas: 1
selector:
matchLabels:
app: helloworld
template:
metadata:
labels:
app: helloworld
spec:
# serviceAccountName: istio-helloworld
containers:
- name: helloworld
image: nginx
resources:
requests:
cpu: "100m"
imagePullPolicy: IfNotPresent #Always
ports:
- containerPort: 80


@ -0,0 +1,36 @@
# https://github.com/istio/istio/blob/master/samples/helloworld/helloworld-gateway.yaml
apiVersion: networking.istio.io/v1alpha3
kind: Gateway
metadata:
name: helloworld-gateway
spec:
selector:
istio: ingressgateway # use istio default controller
servers:
- port:
number: 80
name: http
protocol: HTTP
hosts:
- "*"
---
apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
name: helloworld-vs
spec:
hosts:
- "*"
gateways:
- helloworld-gateway
http:
- match:
- uri:
exact: /helloworld
route:
- destination:
host: helloworld
port:
number: 80
rewrite:
uri: "/"


@ -0,0 +1,11 @@
apiVersion:
networking.istio.io/v1alpha3
kind: Sidecar
metadata:
name: default
namespace: foo
spec:
egress:
- hosts:
- "./*"
- "istio-system/*"
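Review bot: this Sidecar is created in `namespace: foo`, but every workload in this commit lives in `default`, so it will not affect the helloworld pod; set the namespace to default, or place it in istio-system to make it the mesh-wide default. A Sidecar named `default` with no workloadSelector applies to every pod in its namespace, and the egress list here (`./*` plus `istio-system/*`) is the right least-privilege starting point, but two things need a comment: any extra destination has to be listed as namespace/host or the proxy receives no route for it, and unlisted destinations are only actually blocked when `outboundTrafficPolicy.mode: REGISTRY_ONLY` is set, otherwise they fall through to passthrough. The `apiVersion` value is also split onto its own line; it parses, but keep it on one line like the other manifests.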


@ -0,0 +1,235 @@
# https://github.com/istio/istio/blob/master/samples/helloworld/helloworld.yaml
apiVersion: v1
kind: Service
metadata:
name: helloworld
labels:
app: helloworld
service: helloworld
spec:
ports:
- port: 80
name: http
selector:
app: helloworld
---
#apiVersion: v1
#kind: ServiceAccount
#metadata:
# name: istio-helloworld
# labels:
# account:
---
apiVersion: apps/v1
kind: Deployment
metadata:
creationTimestamp: null
labels:
app: helloworld
name: helloworld-nginx
spec:
replicas: 1
selector:
matchLabels:
app: helloworld
strategy: {}
template:
metadata:
annotations:
kubectl.kubernetes.io/default-container: helloworld
kubectl.kubernetes.io/default-logs-container: helloworld
prometheus.io/path: /stats/prometheus
prometheus.io/port: "15020"
prometheus.io/scrape: "true"
sidecar.istio.io/status: '{"initContainers":["istio-init"],"containers":["istio-proxy"],"volumes":["workload-socket","credential-socket","workload-certs","istio-envoy","istio-data","istio-podinfo","istio-token","istiod-ca-cert"],"imagePullSecrets":null,"revision":"default"}'
creationTimestamp: null
labels:
app: helloworld
security.istio.io/tlsMode: istio
service.istio.io/canonical-name: helloworld
service.istio.io/canonical-revision: latest
spec:
containers:
- image: nginx
imagePullPolicy: IfNotPresent
name: helloworld
ports:
- containerPort: 80
resources:
requests:
cpu: 100m
- args:
- proxy
- sidecar
- --domain
- $(POD_NAMESPACE).svc.cluster.local
- --proxyLogLevel=warning
- --proxyComponentLogLevel=misc:error
- --log_output_level=default:info
- --concurrency
- "2"
env:
- name: JWT_POLICY
value: third-party-jwt
- name: PILOT_CERT_PROVIDER
value: istiod
- name: CA_ADDR
value: istiod.istio-system.svc:15012
- name: POD_NAME
valueFrom:
fieldRef:
fieldPath: metadata.name
- name: POD_NAMESPACE
valueFrom:
fieldRef:
fieldPath: metadata.namespace
- name: INSTANCE_IP
valueFrom:
fieldRef:
fieldPath: status.podIP
- name: SERVICE_ACCOUNT
valueFrom:
fieldRef:
fieldPath: spec.serviceAccountName
- name: HOST_IP
valueFrom:
fieldRef:
fieldPath: status.hostIP
- name: PROXY_CONFIG
value: |
{}
- name: ISTIO_META_POD_PORTS
value: |-
[
{"containerPort":80}
]
- name: ISTIO_META_APP_CONTAINERS
value: helloworld
- name: ISTIO_META_CLUSTER_ID
value: Kubernetes
- name: ISTIO_META_INTERCEPTION_MODE
value: REDIRECT
- name: ISTIO_META_MESH_ID
value: cluster.local
- name: TRUST_DOMAIN
value: cluster.local
image: istio/proxyv2:1.16.1
name: istio-proxy
ports:
- containerPort: 15090
name: http-envoy-prom
protocol: TCP
readinessProbe:
failureThreshold: 30
httpGet:
path: /healthz/ready
port: 15021
initialDelaySeconds: 1
periodSeconds: 2
timeoutSeconds: 3
resources:
limits:
cpu: "2"
memory: 1Gi
requests:
cpu: 100m
memory: 128Mi
securityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- ALL
privileged: false
readOnlyRootFilesystem: true
runAsGroup: 1337
runAsNonRoot: true
runAsUser: 1337
volumeMounts:
- mountPath: /var/run/secrets/workload-spiffe-uds
name: workload-socket
- mountPath: /var/run/secrets/credential-uds
name: credential-socket
- mountPath: /var/run/secrets/workload-spiffe-credentials
name: workload-certs
- mountPath: /var/run/secrets/istio
name: istiod-ca-cert
- mountPath: /var/lib/istio/data
name: istio-data
- mountPath: /etc/istio/proxy
name: istio-envoy
- mountPath: /var/run/secrets/tokens
name: istio-token
- mountPath: /etc/istio/pod
name: istio-podinfo
initContainers:
- args:
- istio-iptables
- -p
- "15001"
- -z
- "15006"
- -u
- "1337"
- -m
- REDIRECT
- -i
- '*'
- -x
- ""
- -b
- '*'
- -d
- 15090,15021,15020
- --log_output_level=default:info
image: istio/proxyv2:1.16.1
name: istio-init
resources:
limits:
cpu: "2"
memory: 1Gi
requests:
cpu: 100m
memory: 128Mi
securityContext:
allowPrivilegeEscalation: false
capabilities:
add:
- NET_ADMIN
- NET_RAW
drop:
- ALL
privileged: false
readOnlyRootFilesystem: false
runAsGroup: 0
runAsNonRoot: false
runAsUser: 0
volumes:
- name: workload-socket
- name: credential-socket
- name: workload-certs
- emptyDir:
medium: Memory
name: istio-envoy
- emptyDir: {}
name: istio-data
- downwardAPI:
items:
- fieldRef:
fieldPath: metadata.labels
path: labels
- fieldRef:
fieldPath: metadata.annotations
path: annotations
name: istio-podinfo
- name: istio-token
projected:
sources:
- serviceAccountToken:
audience: istio-ca
expirationSeconds: 43200
path: istio-token
- configMap:
name: istio-ca-root-cert
name: istiod-ca-cert
status: {}
---
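Review bot: this is the injected output (note the `sidecar.istio.io/status` annotation and the istio-init and istio-proxy containers), not the source Deployment, and committing it has two costs: the proxy image is pinned to `istio/proxyv2:1.16.1`, so control-plane upgrades stop updating this workload's sidecar, and the injector skips pods that already carry `sidecar.istio.io/status`, so the pasted args and env (`JWT_POLICY`, `CA_ADDR`, the iptables port list) become a second copy of the mesh configuration that drifts silently. Keep the uninjected manifest used in the other folders and label the namespace `istio-injection=enabled`; if the point was to read what injection produces, `istioctl kube-inject -f helloworld.yaml` regenerates it on demand. Separately, istio-init runs as root with NET_ADMIN and NET_RAW to program iptables, as the securityContext here shows; the istio-cni plugin moves that work out of the pod, which is worth noting for the least-privilege direction this repo is taking.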

23
Istio/sidecar/README.md Normal file

@ -0,0 +1,23 @@
https://istio.io/latest/docs/reference/config/networking/sidecar/
https://istio.io/latest/docs/reference/glossary/#workload
I am not very sure on how or why to use this...
```yaml
apiVersion:
networking.istio.io/v1alpha3
kind: Sidecar
metadata:
name: default
namespace: foo
spec:
egress:
- hosts:
- "./*"
- "istio-system/*"
```
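Review bot: on the "how or why" question in this README: a Sidecar resource trims what istiod pushes to a proxy. Without one, every sidecar receives listeners and clusters for every service in the mesh; with this egress list the helloworld proxy only learns services in its own namespace (`./*`) and in istio-system. That shrinks proxy memory and xDS pushes, and, combined with `outboundTrafficPolicy.mode: REGISTRY_ONLY`, means a compromised pod cannot use its sidecar to reach services it was never given, rather than falling through to passthrough. The snippet's `namespace: foo` does not match the `default` namespace the sample manifests use, so as written it applies to nothing in this repo.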


@ -1,3 +1,5 @@
# Surely only the following folders work / have any meaningful information
- [Istio](./Istio)
- [Istio](./Istio)