Files rebasing

2023-05-10 10:15:00 +02:00
parent fb34758197
commit c7c1f8cb9c
72 changed files with 7 additions and 29 deletions
--- a/05-Sidecar/01-ingress-proxy-forwarding/Deployment.yaml
+++ b/05-Sidecar/01-ingress-proxy-forwarding/Deployment.yaml
@ -0,0 +1,25 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: helloworld-nginx
+  labels:
+    app: helloworld
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app: helloworld
+  template:
+    metadata:
+      labels:
+        app: helloworld
+    spec:
+      containers:
+        - name: helloworld
+          image: nginx
+          resources:
+            requests:
+              cpu: "100m"
+          imagePullPolicy: IfNotPresent #Always
+          ports:
+            - containerPort: 80
--- a/05-Sidecar/01-ingress-proxy-forwarding/Gateway.yaml
+++ b/05-Sidecar/01-ingress-proxy-forwarding/Gateway.yaml
@ -0,0 +1,35 @@
+apiVersion: networking.istio.io/v1alpha3
+kind: Gateway
+metadata:
+  name: helloworld-gateway
+spec:
+  selector:
+    istio: ingressgateway # use istio default controller
+  servers:
+    - port:
+        number: 80
+        name: http
+        protocol: HTTP
+      hosts:
+        - "*"
+---
+apiVersion: networking.istio.io/v1alpha3
+kind: VirtualService
+metadata:
+  name: helloworld-vs
+spec:
+  hosts:
+    - "*"
+  gateways:
+    - helloworld-gateway
+  http:
+    - match:
+        - uri:
+            exact: /helloworld
+      route:
+        - destination:
+            host: helloworld.default.svc.cluster.local
+            port:
+              number: 8080
+      rewrite:
+        uri: "/"
--- a/05-Sidecar/01-ingress-proxy-forwarding/README.md
+++ b/05-Sidecar/01-ingress-proxy-forwarding/README.md
@ -0,0 +1,172 @@
+# Continues from
+
+- 01-hello_world_1_service_1_deployment
+
+# TO TRAFFIC PATH DIAGRAM
+
+`etc -> "POD" -> sidecar -> service container`
+
+# Description
+
+This example configures the sidecar proxy on the pods created, to forward the traffic incoming from the port `8080` to the port `80`
+
+## Files
+
+- deployment.yaml
+- gateway.yaml
+- sidecar.yaml
+
+> Added the `sidecar.yaml` file.
+
+## deployment.yaml
+
+### Creates
+
+#### Service
+
+- helloworld
+
+#### Deployments
+
+- helloworld-nginx  (Nginx container)
+
+## gateway.yaml
+
+### Creates
+
+#### Gateway
+
+##### helloworld-gateway
+
+###### Configuration
+
+```yml
+...
+spec:
+  selector:
+    istio: ingressgateway # use istio default controller
+  servers:
+    - port:
+        number: 80
+        name: http
+        protocol: HTTP
+      hosts:
+        - "*"
+```
+
+#### VirtualService
+
+##### helloworld-vs
+
+###### Configuration
+
+```yaml
+...
+spec:
+  hosts:
+    - "*"
+  gateways:
+    - helloworld-gateway
+  http:
+    - match:
+        - uri:
+            exact: /helloworld
+      route:
+        - destination:
+            host: helloworld.default.svc.cluster.local
+            port:
+              number: 8080
+      rewrite:
+        uri: "/"
+```
+
+- On this example, we are using the port `8080` as a destination.
+
+## sidecar.yaml
+
+### creates
+
+#### sidecar
+
+##### helloworld-sidecar
+
+###### Configuration
+
+```yaml
+...
+spec:
+  workloadSelector:
+    labels:
+      app: helloworld
+  ingress:
+    - port:
+        number: 8080
+        protocol: HTTP
+        name: ingressport
+      defaultEndpoint: 127.0.0.1:80
+````
+
+workloadSelector:
+
+> `workloadSelector` is used to target the `PODS`, on which apply this sidecar configuration. \
+> Bear in mind that this configuration doesn't target kinds `Service`, nor `Deployment`, it's applied to a kind `Pod` or `ServiceEntry` \
+> If there is no `workloadSelector` specified, it will be used as default configuration for the namespace on which was created. \
+> More info in the [Istio documentation for workloadSelector](https://istio.io/latest/docs/reference/config/networking/sidecar/#WorkloadSelector)
+
+ingress:
+
+> Configure the behavior of the ingress traffic.\
+> On this "grabs"/targets the ingress traffic with port 8080, and forwards it to the port IP `127.0.0.1` (loopback) respective to the destination pod, with the destination port set to 80, which is the port that the service is currently listening to.
+
+# Run example
+
+## Deploy resources
+
+```shell
+$ kubectl apply -f ./
+service/helloworld created
+deployment.apps/helloworld-nginx created
+gateway.networking.istio.io/helloworld-gateway created
+virtualservice.networking.istio.io/helloworld-vs created
+sidecar.networking.istio.io/helloworld-sidecar created
+```
+
+## Wait for the pods to be ready
+
+```shell
+$ kubectl get deployment helloworld-nginx -w
+NAME               READY   UP-TO-DATE   AVAILABLE   AGE
+helloworld-nginx   1/1     1            1           39s
+```
+
+## Test the service
+
+### Get LB IP
+
+```shell
+$ kubectl get svc istio-ingressgateway -n istio-system
+NAME                   TYPE           CLUSTER-IP     EXTERNAL-IP    PORT(S)                                      AGE
+istio-ingressgateway   LoadBalancer   10.97.47.216   192.168.1.50   15021:31316/TCP,80:32012/TCP,443:32486/TCP   39h
+```
+
+### Curl
+
+```shell
+$ curl 192.168.1.50/helloworld -s | grep "<title>.*</title>"
+<title>Welcome to nginx!</title>
+```
+
+### Delete the sidecar configuration to force failure.
+
+
+```shell
+$ kubectl delete sidecars.networking.istio.io helloworld-sidecar
+sidecar.networking.istio.io "helloworld-sidecar" deleted
+```
+### Curl again
+
+```shell
+$ curl 192.168.1.50/helloworld -s
+upstream connect error or disconnect/reset before headers. reset reason: connection failure, transport failure reason: delayed connect error: 111
+```
+
--- a/05-Sidecar/01-ingress-proxy-forwarding/Service.yaml
+++ b/05-Sidecar/01-ingress-proxy-forwarding/Service.yaml
@ -0,0 +1,12 @@
+apiVersion: v1
+kind: Service
+metadata:
+  name: helloworld
+  labels:
+    app: helloworld
+spec:
+  ports:
+    - port: 8080
+      name: http
+  selector:
+    app: helloworld
--- a/05-Sidecar/01-ingress-proxy-forwarding/Sidecar.yaml
+++ b/05-Sidecar/01-ingress-proxy-forwarding/Sidecar.yaml
@ -0,0 +1,14 @@
+apiVersion: networking.istio.io/v1alpha3
+kind: Sidecar
+metadata:
+  name: helloworld-sidecar
+spec:
+  workloadSelector:
+    labels:
+      app: helloworld
+  ingress:
+    - port:
+        number: 8080
+        protocol: HTTP
+        name: ingressport
+      defaultEndpoint: 127.0.0.1:80
--- a/05-Sidecar/README.md
+++ b/05-Sidecar/README.md
@ -0,0 +1,157 @@
+
+## Examples
+
+- 01-ingress-proxy-forwarding
+
+-
+
+
+
+Duplicate 01, and show how it also affects traffic between services.00
+
+
+
+
+egress from (pod to pod)
+
+mtls
+
+
+
+examples showing application priority (root < namespace < workload)
+
+
+
+
+istioctl install profile=default --set meshConfig.outboundTrafficPolicy.mode=REGISTRY_ONLY
+
+
+
+
+```shell
+$ kubectl get istiooperators.install.istio.io -n istio-system
+NAME              REVISION   STATUS   AGE
+installed-state                       8d
+```
+
+kubectl patch istiooperators installed-state -n istio-system --patch-file patch.txt
+
+
+kubectl patch istiooperators installed-state -n istio-system --patch-file patch.yaml  --type merge
+
+
+
+
+
+
+---
+Set the default behavior of the sidecar for handling outbound traffic from the application. If your application uses one or more external services that are not known apriori, setting the policy to ALLOW_ANY will cause the sidecars to route any unknown traffic originating from the application to its requested destination.
+
+
+
+---
+https://stackoverflow.com/questions/75093144/istio-sidecar-is-not-restricting-pod-connections-as-desired
+
+https://github.com/istio/istio/issues/33387
+
+https://gist.github.com/GregHanson/3567f5a23bcd58ad1a8acf2a4d1155eb
+
+
+https://istio.io/latest/docs/tasks/traffic-management/egress/egress-control/?_ga=2.259114634.1481027401.1681916557-32589553.1681916557#change-to-the-blocking-by-default-policy
+
+
+
+
+
+
+
+https://docs.tetrate.io/service-bridge/1.6.x/en-us/operations     ?
+
+
+https://istio.io/latest/docs/reference/config/networking/sidecar/
+
+
+https://istio.io/latest/docs/reference/glossary/#workload
+
+
+I am not very sure on how or why to use this...
+
+
+
+NOT HOW TO TRIGGER / UNTRIGGER IT
+
+```yaml
+apiVersion:
+ networking.istio.io/v1alpha3
+kind: Sidecar
+metadata:
+  name: default
+  namespace: foo
+spec:
+  egress:
+    - hosts:
+      - "./*"
+      - "istio-system/*"
+```
+
+
+
+whats this again??
+
+istio operator right? ye, but what is it again? I think I checked this time ago when doing something about creating a new ingress
+
+
+kubectl get io -A
+
+
+2023-04-17T00:08:00.086475Z     info    validationController    Not ready to switch validation to fail-closed: dummy invalid config not rejected
+
+
+2023-04-17T00:08:04.012630Z     info    validationServer        configuration is invalid: gateway must have at least one server
+
+
+
+
+kubectl logs -f deployments/istiod -n istio-system   
+
+https://istio.io/latest/docs/reference/config/networking/sidecar/
+
+
+
+
+  egress:
+  - port:
+      number: 8080
+      protocol: HTTP
+    hosts:
+    - "staging/*"
+
+
+
+With the YAML above, the sidecar proxies the traffic that’s bound for port 8080 for services running in the staging namespace.
+
+
+
+
+
+
+
+
+- Confirm pod ingress port forwarding
+
+- Confirm it can reach other places / namespaces / resources (pod egress)
+
+- mtls (somehow)
+
+
+# Ingress
+
+Does stuff
+
+# Egress
+
+What is "bind"
+
+# CaptureMode
+
+Not my problem rn