Minor organization refactor.

Partially done 06-mTLS from the traffic management documentation.

Deleted some unnecessary files.

some other minor changes

Calico/README.md

@@ -0,0 +1,12 @@
+
+## Eventually
+
+https://medium.com/expedia-group-tech/network-policies-with-calico-for-kubernetes-networking-875c0ebbcfb3
+
+https://docs.tigera.io/calico/latest/network-policy/get-started/calico-policy/calico-network-policy
+
+https://docs.tigera.io/calico/latest/getting-started/kubernetes/quickstart
+
+https://docs.tigera.io/archive/v3.7/getting-started/kubernetes/
+
+https://hustcat.github.io/getting-started-with-calico/

Istio/01-simple/01-hello_world_1_service_1_deployment/README.md

@@ -14,7 +14,7 @@ https://istio.io/latest/docs/reference/config/networking/destination-rule/#Traff
 https://istio.io/latest/docs/reference/config/networking/destination-rule/#LoadBalancerSettings
 
 > Contains service account configurations, yet they are commented as not "necessary".
- 
+
 
 ## Files
 
@@ -94,9 +94,7 @@ gateway.networking.istio.io/helloworld-gateway created
 virtualservice.networking.istio.io/helloworld-vs created
 ```
 
-## Wait for the pods to be ready
-
-(I think it deploys 2 pods as there is the Envoy Proxy pod besides the Nginx deployment)
+## Wait for the deployment to be ready
 
 ```shell
 $ kubectl get deployment helloworld-nginx -w 

Istio/01-simple/05-hello_world_1_Service_Entry/README.md

@@ -8,3 +8,4 @@ https://github.com/istio/istio/issues/29463
 
 
 Funny example I guess.
+Q

Istio/01-simple/05-hello_world_1_Service_Entry/gateway.yaml

@@ -38,7 +38,7 @@ spec:
     - timeout: 3s
       match:
         - uri:
-            - exact: "/external"
+            exact: "/external"
       route:
         - destination:
             host: help.websiteos.com

Istio/01-simple/README.md

@@ -21,8 +21,18 @@ ALL NEEDS DOCUMENTATION
 - 05-hello_world_1_Service_Entry
 
 
+
+
+
+
+
+
 # TODO
 
 do HTTPS ingress
 
-tcp ingress to minecraft/factorio/zomboid
+tcp ingress to minecraft/factorio/zomboid
+
+Service Entry with outbound policy set to `REGISTRY_ONLY`
+istioctl install --set profile=default -y --set meshConfig.accessLogFile=/dev/stdout  --set meshConfig.outboundTrafficPolicy.mode=REGISTRY_ONLY
+(no funca)

Istio/02-traffic_management/06-mTLS/01-namespace.yaml

@@ -0,0 +1,7 @@
+#apiVersion: v1
+#kind: Namespace
+#metadata:
+#  name: foo
+#  labels:
+#    istio-injection: "enabled"
+#---

Istio/02-traffic_management/06-mTLS/README.md

@@ -0,0 +1,188 @@
+https://istio.io/latest/docs/concepts/security/#authentication-policies
+
+https://istio.io/latest/docs/tasks/security/authentication/mtls-migration/
+
+https://istio.io/latest/docs/concepts/security/#mutual-tls-authentication
+
+
+# Continues from
+
+- 01-hello_world_1_service_1_deployment
+
+
+
+
+
+Nowadays, by default, Istio will have mTLS automatically enabled, allowing the Istio Sidecars to **automatically** negotiate the TLS traffic between them.encrypted
+
+To avoid this behavior, the pod requires to not have a Istio Sidecar set to that pod, for that reason on this example we set up 2 deployments, 1 with a sidecar, and a second without a sidecar.
+
+From the Kiali dashboard we will review the mTLS label displayed
+
+> **Note:**\
+> If the PeerAuthentication is deployed in the `istio-system` namespace, it will affect all the namespaces in the cluster.
+
+
+
+# Walkthrough
+
+
+<!-- ### uninstall Istio (if installed) -->
+
+<!-- ```shell -->
+<!-- $ istioctl uninstall --purge -y -->
+<!-- All Istio resources will be pruned from the cluster -->
+
+<!-- Removed IstioOperator:istio-system:installed-state. -->
+<!-- Removed Deployment:istio-system:istio-ingressgateway. -->
+<!-- Removed Deployment:istio-system:istiod. -->
+<!-- Removed Service:istio-system:istio-ingressgateway. -->
+<!-- ... -->
+<!-- ``` -->
+
+<!-- ### Install Istio on privileged mode -->
+
+<!-- and auto mTLS disabled -->
+<!--   --set values.global.mtls.auto=true --set values.global.mtls.enabled=false -->
+
+<!-- ```shell -->
+<!-- $ stioctl install --set profile=default -y --set values.global.proxy.privileged=true -->
+<!-- ✔ Istio core installed -->
+<!-- ✔ Istiod installed -->
+<!-- ✔ Ingress gateways installed -->
+<!-- ✔ Installation complete -->
+
+<!-- Making this installation the default for injection and validation. -->
+
+<!-- Thank you for installing Istio 1.17.  Please take a few minutes to tell us about your install/upgrade experience!  https://forms.gle/hMHGiwZHPU7UQRWe9 -->
+
+<!-- ``` -->
+
+<!-- If you installed Istio with values.global.proxy.privileged=true, you can use tcpdump to verify traffic is encrypted or not. -->
+
+
+## Deploy the resources
+
+```shell
+ kubectl apply -f ./
+peerauthentication.security.istio.io/default-mtls created
+service/helloworld created
+deployment.apps/helloworld-nginx created
+service/byeworld created
+deployment.apps/byeworld-nginx created
+gateway.networking.istio.io/helloworld-gateway created
+virtualservice.networking.istio.io/helloworld-vs created
+```
+
+## Install telemetry addons
+
+[Source Folder](https://github.com/istio/istio/tree/master/samples/addons)
+
+```shell
+kubectl apply -f https://raw.githubusercontent.com/istio/istio/master/samples/addons/grafana.yaml && \
+kubectl apply -f https://raw.githubusercontent.com/istio/istio/master/samples/addons/kiali.yaml && \
+kubectl apply -f https://raw.githubusercontent.com/istio/istio/master/samples/addons/prometheus.yaml && \
+kubectl apply -f https://raw.githubusercontent.com/istio/istio/master/samples/addons/prometheus.yaml
+```
+
+## Wait for deployments to be ready
+
+```shell
+$ kubectl get pods -A -w
+```
+
+## Kiali
+
+## Access the Kiali dashboard
+
+The following command will tunnel from this device, towards the Kiali dashboard running, automatically accessing through the default browser.
+
+```shell
+istioctl dashboard kiali
+```
+
+## Display services menu
+
+![Kiali menu, displaying 3 services. helloworld, byeworld and kubernetes][./src/06-kiali-services.png]
+
+> **Highlight:**\
+> On the column located at the right, we can notice a note saying `Missing Sidecar`
+
+> **Note:**\
+> If there are no resources being displayed, at the top left, select the corresponding namespaces where the resources are located.
+> On my case, it's the `default` namespace.
+
+### Byeworld
+
+On the service `byeworld` (reminder that it's pods had the Istio sidecar injection disabled), it displays the message `No mTLS`, meaning that mTLS (Mutual TLS between Istio sidecards) is not available.
+
+![][./src/06-kiali-services-byeworld.png]
+
+### Helloworld
+
+On the service `helloworld`, it displays the message `mTLS`
+
+![][./src/06-kiali-services-helloworld.pngk]
+
+## Test resources
+### Curl / LB requests / requests from external traffic
+
+#### helloworld
+
+The service works as intended as we can reach the `helloworld` service.
+
+```shell
+$  curl 192.168.1.50/helloworld -s | grep "<title>.*</title>"
+<title>Welcome to nginx!</title>
+```
+
+#### byeworld
+
+The `byeworld` service also seems to work, even tho the deployment has no sidecar enabled, and for such the `PeerAuthentication` rule is not being maintained. \
+Yet, as there is no sidecar, this rule is not applied, and for such the traffic is allowed towards the service and pod.
+
+```shell
+$  curl 192.168.1.50/byeworld -s | grep "<title>.*</title>"
+<title>Welcome to nginx!</title>
+```
+
+### Connectivity between the deployments
+
+#### helloworld towards byeworld
+
+It works.
+
+```shell
+$  kubectl exec -i -t "$(kubectl get pod -l app=helloworld | tail -n 1 | awk '{print $1}')" -- curl http://byeworld.default.svc.cluster.local:9090 | grep "<title>.*</title>"
+<title>Welcome to nginx!</title>
+```
+
+#### byeworld towards helloworld
+
+It fails.
+
+Currently the rule from `PeerAuthentication` that requires the traffic to use mTLS, is currently being applied by the Istio sidecar from the `helloworld` pod.
+
+As `byeworld` pods don't have the Istio sidecar enabled, the mTLS traffic is not being managed, and for such, it fails to obvey the rule set by the `PeerAuthentication` configuration set, resulted on this issue.
+
+```shell
+$  kubectl exec -i -t "$(kubectl get pod -l app=byeworld | tail -n 1 | awk '{print $1}')" -- curl http://helloworld.default.svc.cluster.local:8080
+curl: (56) Recv failure: Connection reset by peer
+command terminated with exit code 56
+```
+
+## Delete the PeerAuthentication configuration set
+
+
+```shell
+$ kubectl delete peerauthentications.security.istio.io default-mtls
+```
+
+### connectivity between byeworld towards helloworld
+
+As the rule is no longer being set, and for such not being applied, the traffic from `byeworld` is able to reach the service `helloworld` without having the need to using mTLS.
+
+```shell
+$ kubectl exec -i -t "$(kubectl get pod -l app=byeworld | tail -n 1 | awk '{print $1}')" -- curl http://helloworld.default.svc.cluster.local:8080 | grep "<title>.*</title>"
+<title>Welcome to nginx!</title>
+```

Istio/02-traffic_management/06-mTLS/authentication.yaml

@@ -0,0 +1,8 @@
+apiVersion: security.istio.io/v1beta1
+kind: PeerAuthentication
+metadata:
+  name: default-mtls
+  namespace: default
+spec:
+  mtls:
+    mode: STRICT

Istio/02-traffic_management/06-mTLS/deployment.yaml

@@ -8,8 +8,9 @@ metadata:
     service: helloworld
 spec:
   ports:
-    - port: 80
+    - port: 8080
       name: http
+      targetPort: 80
   selector:
     app: helloworld
 ---

Istio/02-traffic_management/06-mTLS/deployment_2.yaml

@@ -0,0 +1,50 @@
+# https://github.com/istio/istio/blob/master/samples/helloworld/helloworld.yaml
+apiVersion: v1
+kind: Service
+metadata:
+  name: byeworld
+  labels:
+    app: byeworld
+    service: byeworld
+spec:
+  ports:
+    - port: 9090
+      name: http
+      targetPort: 80
+  selector:
+    app: byeworld
+#---
+#apiVersion: v1
+#kind: ServiceAccount
+#metadata:
+#  name: istio-helloworld
+#  labels:
+#    account:
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: byeworld-nginx
+  labels:
+    app: byeworld
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app: byeworld
+  template:
+    metadata:
+      labels:
+        app: byeworld
+        sidecar.istio.io/inject: "false"
+    spec:
+#      serviceAccountName: istio-byeworld
+      containers:
+        - name: byeworld
+          image: nginx
+          resources:
+            requests:
+              cpu: "100m"
+          imagePullPolicy: IfNotPresent #Always
+          ports:
+            - containerPort: 80

Istio/02-traffic_management/06-mTLS/gateway.yaml

@@ -29,8 +29,19 @@ spec:
             exact: /helloworld
       route:
         - destination:
-            host: helloworld
+            host: helloworld.default.svc.cluster.local
             port:
-              number: 80
+              number: 8080
+      rewrite:
+        uri: "/"
+    - match:
+        - uri:
+            exact: /byeworld
+      route:
+        - destination:
+            host: byeworld.default.svc.cluster.local
+            port:
+              number: 9090
+#            protocol: HTTPS
       rewrite:
         uri: "/"

Istio/02-traffic_management/README.md

@@ -1,3 +1,17 @@
+# Examples
+
+ALL NEEDS DOCUMENTATION
+
+- 01-2_deployments_method
+- 02-DirectResponse-HTTP-Body
+- 03-HTTPRewrite
+- 04-HTTPRedirect
+- 05a-FaultInjection-delay
+- 05b-FaultInjection-abort
+- 06-mTLS  (would need some documentation review, mainly go over the differences respective to the template/prior configuration used)
+
+
+# TODO
 
 
 

Istio/MeshConfig/01-Outboud-Traffic-Policy/README.md

@@ -0,0 +1,102 @@
+# Continues from
+
+- 05-hello_world_1_Service_Entry
+
+# Description
+
+On this example compares the behavior between setting up the MeshConfig `OutboundTrafficPolicy.mode` setting to `REGISTRY_ONLY` and `ALLOW_ANY`.
+
+- ALLOW_ANY: Allows all egress/outbound traffic from the mesh.
+
+- REGISTRY_ONLY: Restricted to services that figure in the service registry a and the ServiceEntry objects.
+
+More info regarding this configuration at the pertintent documentation (https://istio.io/latest/docs/reference/config/istio.mesh.v1alpha1/#MeshConfig-OutboundTrafficPolicy-Mode)
+
+## Runthrough
+
+### Set ALLOW_ANY outbound traffic policy
+
+```shell
+istioctl install --set profile=default -y --set meshConfig.accessLogFile=/dev/stdout  --set meshConfig.outboundTrafficPolicy.mode=ALLOW_ANY
+```
+
+### Deploy resources
+
+```shell
+$ kubectl apply -f ./
+service/helloworld created
+deployment.apps/helloworld-nginx created
+serviceentry.networking.istio.io/external-svc created
+gateway.networking.istio.io/helloworld-gateway created
+virtualservice.networking.istio.io/helloworld-vs created
+```
+
+### Get LB IP
+
+```shell
+$ kubectl get svc istio-ingressgateway -n istio-system
+NAME                   TYPE           CLUSTER-IP     EXTERNAL-IP    PORT(S)                                      AGE
+istio-ingressgateway   LoadBalancer   10.97.47.216   192.168.1.50   15021:31316/TCP,80:32012/TCP,443:32486/TCP   39h
+```
+
+### Test deployments
+
+```shell
+$ curl 192.168.1.50/helloworld -I
+HTTP/1.1 200 OK
+server: istio-envoy
+date: Thu, 20 Apr 2023 18:03:18 GMT
+content-type: text/html
+content-length: 615
+last-modified: Tue, 28 Mar 2023 15:01:54 GMT
+etag: "64230162-267"
+accept-ranges: bytes
+x-envoy-upstream-service-time: 73
+```
+
+```shell
+$ curl 192.168.1.50/external -I
+HTTP/1.1 200 OK
+date: Thu, 20 Apr 2023 18:03:24 GMT
+content-type: text/html
+content-length: 5186
+last-modified: Mon, 17 Mar 2014 17:25:03 GMT
+expires: Thu, 31 Dec 2037 23:55:55 GMT
+cache-control: max-age=315360000
+x-envoy-upstream-service-time: 228
+server: istio-envoy
+```
+
+
+### Test egress the helloworld deployment
+
+It returns a 301 code, meaning that it was able to reach the destination and it was attempted to redirect the traffic from HTTP to HTTPS.
+
+```shell
+$ kubectl exec -i -t "$(kubectl get pod -l app=helloworld | tail -n 1 | awk '{print $1}')" -- curl wikipedia.com -I
+HTTP/1.1 301 Moved Permanently
+server: envoy
+date: Thu, 20 Apr 2023 18:06:57 GMT
+content-type: text/html
+content-length: 169
+location: https://wikipedia.com/
+x-envoy-upstream-service-time: 65
+```
+
+### Set REGISTRY_ONLY outbound traffic policy
+
+```shell
+istioctl install --set profile=default -y --set meshConfig.accessLogFile=/dev/stdout  --set meshConfig.outboundTrafficPolicy.mode=REGISTRY_ONLY
+```
+
+### Test (again) egress the helloworld deployment
+
+It returns a 502 code, meaning that it wasn't able to reach the destination.
+
+```shell
+$ kubectl exec -i -t "$(kubectl get pod -l app=helloworld | tail -n 1 | awk '{print $1}')" -- curl wikipedia.com -I
+HTTP/1.1 502 Bad Gateway
+date: Thu, 20 Apr 2023 18:08:37 GMT
+server: envoy
+transfer-encoding: chunked
+```

Istio/MeshConfig/01-Outboud-Traffic-Policy/deployment.yaml

@@ -0,0 +1,57 @@
+# https://github.com/istio/istio/blob/master/samples/helloworld/helloworld.yaml
+apiVersion: v1
+kind: Service
+metadata:
+  name: helloworld
+  labels:
+    app: helloworld
+    service: helloworld
+spec:
+  ports:
+    - port: 80
+      name: http
+  selector:
+    app: helloworld
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: helloworld-nginx
+  labels:
+    app: helloworld
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app: helloworld
+  template:
+    metadata:
+      labels:
+        app: helloworld
+    spec:
+      containers:
+        - name: helloworld
+          image: nginx
+          resources:
+            requests:
+              cpu: "100m"
+          imagePullPolicy: IfNotPresent #Always
+          ports:
+            - containerPort: 80
+---
+apiVersion: networking.istio.io/v1alpha3
+kind: ServiceEntry
+metadata:
+  name: external-svc
+spec:
+  hosts:
+    - help.websiteos.com
+    # /websiteos/example_of_a_simple_html_page.htm
+#    - http://help.websiteos.com/websiteos/example_of_a_simple_html_page.htm
+  ports:
+    - number: 80
+      name: http
+      protocol: HTTP
+  resolution: DNS
+  location: MESH_EXTERNAL
+---

Istio/MeshConfig/01-Outboud-Traffic-Policy/gateway.yaml

@@ -0,0 +1,52 @@
+# https://github.com/istio/istio/blob/master/samples/helloworld/helloworld-gateway.yaml
+apiVersion: networking.istio.io/v1alpha3
+kind: Gateway
+metadata:
+  name: helloworld-gateway
+spec:
+  selector:
+    istio: ingressgateway # use istio default controller
+  servers:
+    - port:
+        number: 80
+        name: http
+        protocol: HTTP
+      hosts:
+        - "*"
+---
+apiVersion: networking.istio.io/v1alpha3
+kind: VirtualService
+metadata:
+  name: helloworld-vs
+spec:
+  hosts:
+    - "*"
+  gateways:
+    - helloworld-gateway
+  http:
+    - match:
+        - uri:
+            exact: /helloworld
+      route:
+        - destination:
+            host: helloworld
+            port:
+              number: 80
+      rewrite:
+        uri: "/"
+
+    - timeout: 3s
+      match:
+        - uri:
+            exact: "/external"
+      route:
+        - destination:
+            host: help.websiteos.com
+            port:
+              number: 80
+      rewrite:
+        uri: "/websiteos/example_of_a_simple_html_page.htm"
+      headers:
+        request:
+          set:
+            HOST: "help.websiteos.com"

Istio/MeshConfig/README.md

@@ -0,0 +1,10 @@
+
+# Examples
+
+- 01-Outboud-Traffic-Policy
+
+
+
+## Additional
+
+https://istio.io/latest/docs/tasks/observability/distributed-tracing/mesh-and-proxy-config/

Istio/README.md

@@ -24,3 +24,29 @@ https://kubebyexample.com/learning-paths/istio/intro
 My current issues:
 
 - Understanding authentication
+
+
+https://tetrate.io/blog/istio-how-to-enforce-egress-traffic-using-istios-authorization-policies/
+
+
+
+
+
+
+
+
+Multiple Ingress
+
+https://youtu.be/QIkryA8HnQ0
+
+
+
+https://github.com/redkubes/otomi-core/blob/main/charts/team-ns/templates/istio-gateway.yaml
+
+
+https://istio.io/latest/docs/ops/diagnostic-tools/proxy-cmd/
+
+
+
+Using service accounts
+

Istio/istio-classic/README.md

@@ -1,35 +0,0 @@
-
-# Examples
-
-ALL NEEDS DOCUMENTATION
-
-- 01-2_deployments_method
-- 02-DirectResponse-HTTP-Body
-- 03-HTTPRewrite
-- 04-HTTPRedirect
-- 05a-FaultInjection-delay
-- 05b-FaultInjection-abort
-
-
-# TODO
-06-mTLS (pending)
-
-
-
-
-
-Multiple Ingress
-
-https://youtu.be/QIkryA8HnQ0
-
-
-
-https://github.com/redkubes/otomi-core/blob/main/charts/team-ns/templates/istio-gateway.yaml
-
-
-https://istio.io/latest/docs/ops/diagnostic-tools/proxy-cmd/
-
-
-
-Using service accounts
-

Istio/istio-classic/traffic_management/06-mTLS/README.md

@@ -1,9 +0,0 @@
-https://istio.io/latest/docs/concepts/security/#authentication-policies
-
-https://istio.io/latest/docs/tasks/security/authentication/mtls-migration/
-
-
-
-# Continues from
-
-- 01-hello_world_1_service_1_deployment

Istio/sidecar/01-ingress-proxy-forwarding/README.md

@@ -2,7 +2,9 @@
 
 - 01-hello_world_1_service_1_deployment
 
-# TO TRAFFIC PATH DIAGRAM    etc -> "POD" -> sidecar -> service container
+# TO TRAFFIC PATH DIAGRAM
+
+`etc -> "POD" -> sidecar -> service container`
 
 # Description
 

Istio/sidecar/01-ingress-proxy-forwarding/deployment.yaml

@@ -4,7 +4,7 @@ kind: Service
 metadata:
   name: helloworld
   labels:
-    app-name: helloworld
+    app: helloworld
 spec:
   ports:
     - port: 8080

Istio/sidecar/02-egress-proxy-forwarding/README.md

@@ -1,12 +0,0 @@
-# Continues from
-
-- 01-hello_world_1_service_1_deployment
-
-# Description
-
-
-This example configures the sidecar proxy on the pods created, to forward the traffic ongoing (egress)
-
-- Configure egress to a different namespace?
-
-

Istio/sidecar/02-egress-proxy-forwarding/sidecar.yaml

@@ -1,14 +0,0 @@
-apiVersion: networking.istio.io/v1alpha3
-kind: Sidecar
-metadata:
-  name: helloworld-sidecar
-spec:
-  workloadSelector:
-    labels:
-      app: helloworld
-  ingress:
-    - port:
-        number: 8080
-        protocol: HTTP
-        name: ingressport
-      defaultEndpoint: 127.0.0.1:80

Istio/sidecar/README.md

@@ -7,6 +7,7 @@
 
 
 
+Duplicate 01, and show how it also affects traffic between services.00
 
 
 
@@ -17,9 +18,55 @@ mtls
 
 
 
+examples showing application priority (root < namespace < workload)
+
+
+
+
+istioctl install profile=default --set meshConfig.outboundTrafficPolicy.mode=REGISTRY_ONLY
+
+
+
+
+```shell
+$ kubectl get istiooperators.install.istio.io -n istio-system
+NAME              REVISION   STATUS   AGE
+installed-state                       8d
+```
+
+kubectl patch istiooperators installed-state -n istio-system --patch-file patch.txt
+
+
+kubectl patch istiooperators installed-state -n istio-system --patch-file patch.yaml  --type merge
+
+
+
+
 
 
 ---
+Set the default behavior of the sidecar for handling outbound traffic from the application. If your application uses one or more external services that are not known apriori, setting the policy to ALLOW_ANY will cause the sidecars to route any unknown traffic originating from the application to its requested destination.
+
+
+
+---
+https://stackoverflow.com/questions/75093144/istio-sidecar-is-not-restricting-pod-connections-as-desired
+
+https://github.com/istio/istio/issues/33387
+
+https://gist.github.com/GregHanson/3567f5a23bcd58ad1a8acf2a4d1155eb
+
+
+https://istio.io/latest/docs/tasks/traffic-management/egress/egress-control/?_ga=2.259114634.1481027401.1681916557-32589553.1681916557#change-to-the-blocking-by-default-policy
+
+
+
+
+
+
+
+https://docs.tetrate.io/service-bridge/1.6.x/en-us/operations     ?
+
 
 https://istio.io/latest/docs/reference/config/networking/sidecar/
 

Istio/sidecar/__02-egress-proxy-forwarding/02-deployment_1.yaml

@@ -4,7 +4,7 @@ kind: Service
 metadata:
   name: helloworld
   labels:
-    app-name: helloworld
+    app: helloworld
 spec:
   ports:
     - port: 8080

Istio/sidecar/__02-egress-proxy-forwarding/02-deployment_2.yaml

@@ -2,38 +2,41 @@
 apiVersion: v1
 kind: Service
 metadata:
-  name: helloworld
+  name: internal
   labels:
-    app-name: helloworld
-  namespace: not-default
+    app: internal
+  namespace: foo
 spec:
   ports:
     - port: 8080
       name: http
+    - port: 80
+      name: http-default
   selector:
-    app: helloworld
+    app: internal
+
 ---
 apiVersion: apps/v1
 kind: Deployment
 metadata:
-  name: helloworld-nginx
+  name: internal
   labels:
-    app: helloworld
-    namespace: not-default
+    app: internal
+  namespace: foo
 spec:
   replicas: 1
   selector:
     matchLabels:
-      app: helloworld
+      app: internal
   template:
     metadata:
       labels:
-        app: helloworld
-#      namespace: not-default
+        app: internal
+        service: apache
     spec:
       containers:
-        - name: helloworld
-          image: nginx
+        - name: internal
+          image: httpd
           resources:
             requests:
               cpu: "100m"

Istio/sidecar/__02-egress-proxy-forwarding/03-default-sidecar.yaml

@@ -0,0 +1,71 @@
+apiVersion: networking.istio.io/v1beta1
+kind: Sidecar
+metadata:
+  name: root-default
+#  namespace: default
+  namespace: istio-system
+spec:
+#  workloadSelector:
+#    labels:
+#      app: helloworld
+  egress:
+    - hosts:
+        - "./*"
+#        - "istio-system/*"
+#  ingress:
+#    - port:
+#        number: 8080
+#        protocol: HTTP
+#        name: ingressport
+#      defaultEndpoint: 127.0.0.1:80
+---
+apiVersion: networking.istio.io/v1beta1
+kind: Sidecar
+metadata:
+  name: helloworld-default
+  namespace: default
+#  namespace: istio-system
+spec:
+  #  workloadSelector:
+  #    labels:
+  #      app: helloworld
+#  egress:
+#    - port:
+#        number: 8080
+#        protocol: HTTP
+#        name: egresshttp
+##        - "internal.foo.svc.cluster.local"
+#      hosts:
+#        - "foo/*"
+#    - hosts:
+#        - "istio-system/*"
+  ingress:
+    - port:
+        number: 8080
+        protocol: HTTP
+        name: ingressport
+      defaultEndpoint: 127.0.0.1:80
+---
+apiVersion: networking.istio.io/v1beta1
+kind: Sidecar
+metadata:
+  name: internal-default
+  namespace: foo
+spec:
+  workloadSelector:
+    labels:
+      app: internal
+  egress:
+    - hosts:
+        - "./*"
+        - "istio-system/*"
+        #- "wikipedia.com"
+  ingress:
+#    - hosts:
+#        - "./*"
+#        - "istio-system/*"
+    - port:
+        number: 8080
+        protocol: HTTP
+        name: myingressport
+      defaultEndpoint: 127.0.0.1:80

Istio/sidecar/__02-egress-proxy-forwarding/README.md

@@ -0,0 +1,51 @@
+# Continues from
+
+- 01-ingress-proxy-forwarding
+
+# Description
+
+This example configures the sidecar proxy on the pods created, to forward the traffic ongoing (egress)
+
+- Configure egress to a different namespace?
+
+
+> the configured meshconfig.rootNamespace namespace (istio-system by default)
+https://istio.io/latest/docs/ops/best-practices/traffic-management/#cross-namespace-configuration
+
+
+
+
+CANT MAKE IT WORK CANT MAKE IT WORK CANT MAKE IT WORK
+
+
+
+
+
+
+istioctl install --set profile=default -y --set meshConfig.accessLogFile=/dev/stdout  --set meshConfig.outboundTrafficPolicy.mode=REGISTRY_ONLY
+
+
+
+
+
+
+---
+
+kubectl get pod -l app=helloworld | tail -n 1 | awk '{print $1}'
+
+kubectl exec -i -t "$(kubectl get pod -l app=helloworld | tail -n 1 | awk '{print $1}')" -- /bin/bash
+
+kubectl exec -i -t "$(kubectl get pod -l app=helloworld | tail -n 1 | awk '{print $1}')" -- curl internal.foo.svc.cluster.local
+
+
+curl helloworld.default.svc.cluster.local
+
+
+curl internal.foo.svc.cluster.local
+curl: (6) Could not resolve host: internal.foo.svc.cluster.local
+
+
+helloworld.default.svc.cluster.local:8080
+
+
+ kubectl exec -i -n foo -t "$(kubectl get pod -l app=internal -n foo | tail -n 1 | awk '{print $1}')" -- /bin/bash

Istio/sidecar/__02-egress-proxy-forwarding/patch/patch.yaml

@@ -0,0 +1,5 @@
+spec:
+  meshConfig:
+    outboundTrafficPolicy:
+      mode: REGISTRY_ONLY
+# Doesnt work

Istio/sidecar/__02-egress-proxy-forwarding/sidecar.yaml

@@ -0,0 +1,62 @@
+#apiVersion: networking.istio.io/v1beta1
+#kind: Sidecar
+#metadata:
+#  name: helloworld-default
+#  namespace: default
+##  namespace: istio-config
+#spec:
+##  workloadSelector:
+##    labels:
+##      app: helloworld
+##  egress:
+##    - hosts:
+##        - "./*"
+##        - "istio-system/*"
+#  ingress:
+#    - port:
+#        number: 8080
+#        protocol: HTTP
+#        name: ingressport
+#      defaultEndpoint: 127.0.0.1:80
+---
+#apiVersion: networking.istio.io/v1alpha3
+#kind: Sidecar
+#metadata:
+#  name: helloworld-sidecar
+#spec:
+#  workloadSelector:
+#    labels:
+#      app: helloworld
+#  ingress:
+#    - port:
+#        number: 8080
+#        protocol: HTTP
+#        name: ingressport
+#      defaultEndpoint: 127.0.0.1:80
+#---
+#apiVersion: networking.istio.io/v1beta1
+#kind: Sidecar
+#metadata:
+#  name: helloworld-default
+#  namespace: default
+##  namespace: istio-system
+#spec:
+#  workloadSelector:
+#      labels:
+#        app: helloworld2
+#  egress:
+#    - port:
+#        number: 9080
+#        protocol: HTTP
+#        name: httpingress
+#      hosts:
+#        - "foo/*"
+#    - hosts:
+#        - "istio-system/*"
+#  ingress:
+#    - port:
+#        number: 8080
+#        protocol: HTTP
+#        name: ingressport
+#      defaultEndpoint: 127.0.0.1:80
+#---

Istio/troubleshooting/README.md

@@ -0,0 +1,11 @@
+IDK put some text in thQereSQ
+
+
+
+### Start the packet capture process
+
+```shell
+$ kubectl exec -n default  "$(kubectl get pod -n default -l app1 =helloworld -o jsonpath={.items..metadata.name})" -c istio-proxy -- sudo tcpdump dst port 80  -A
+tcpdump: verbose output suppressed, use -v[v]... for full protocol decode
+listening on eth0, link-type EN10MB (Ethernet), snapshot length 262144 bytes
+```

metallib/README.md

@@ -37,53 +37,5 @@ EOF
 ```
 
 
-```sh
-kubectl delete -f - << EOF
-apiVersion: v1
-kind: ConfigMap
-metadata:
-  namespace: metallb-system
-  name: config
-data:
-  config: |
-    address-pools:
-    - name: default
-      protocol: layer2
-      addresses:
-      - 192.168.1.50-192.168.1.130
-EOF
-```
-
-
-
-```sh
-kubectl apply -f - << EOF
-apiVersion: metallb.io/v1beta1
-kind: IPAddressPool
-metadata:
-  name: first-pool
-  namespace: metallb-system
-spec:
-  addresses:
-  - 192.168.1.50-192.168.1.130
-EOF
-```
-
-
-
-
-```sh
-kubectl delete -f - << EOF
-apiVersion: metallb.io/v1beta1
-kind: IPAddressPool
-metadata:
-  name: first-pool
-  namespace: metallb-system
-spec:
-  addresses:
-  - 192.168.1.50-192.168.1.130
-EOF
-```
-
 
 # https://github.com/metallb/metallb/blob/main/design/pool-configuration.md

metallib/deployment.yaml

@@ -1,9 +0,0 @@
-#kubectl create deployment demo --image=httpd --port=80
-#kubectl expose deployment demo
-#
-#kubectl create ingress demo-localhost --class=nginx \
-#--rule="demo.localdev.me/*=demo:80"
-#
-#
-#
-## kubectl port-forward --namespace=ingress-nginx service/ingress-nginx-controller 8080:80