ofilter/Istio_Examples
1
0
Fork 0
Code Issues 26 Pull Requests Packages Projects 1 Releases Wiki Activity

added service accounts targeting example

Browse Source 
quality improvements
This commit is contained in:
savagebidoof
2023-04-22 08:17:23 +02:00
parent 8bd07817dd
commit d0751fcbf8
28 changed files with 477 additions and 650 deletions
Download Patch File Download Diff File Expand all files Collapse all files

7
Istio/03-Sidecar/__02-egress-proxy-forwarding/01-namespace.yaml
View File

@ -1,7 +0,0 @@
apiVersion: v1
kind: Namespace
metadata:
name: foo
labels:
istio-injection: "enabled"
---

39
Istio/03-Sidecar/__02-egress-proxy-forwarding/02-deployment_1.yaml
View File

@ -1,39 +0,0 @@
## https://github.com/istio/istio/blob/master/samples/helloworld/helloworld.yaml
apiVersion: v1
kind: Service
metadata:
name: helloworld
labels:
app: helloworld
spec:
ports:
- port: 8080
name: http
selector:
app: helloworld
---
apiVersion: apps/v1
kind: Deployment
metadata:
name: helloworld-nginx
labels:
app: helloworld
spec:
replicas: 1
selector:
matchLabels:
app: helloworld
template:
metadata:
labels:
app: helloworld
spec:
containers:
- name: helloworld
image: nginx
resources:
requests:
cpu: "100m"
imagePullPolicy: IfNotPresent #Always
ports:
- containerPort: 80

45
Istio/03-Sidecar/__02-egress-proxy-forwarding/02-deployment_2.yaml
View File

@ -1,45 +0,0 @@
## https://github.com/istio/istio/blob/master/samples/helloworld/helloworld.yaml
apiVersion: v1
kind: Service
metadata:
name: internal
labels:
app: internal
namespace: foo
spec:
ports:
- port: 8080
name: http
- port: 80
name: http-default
selector:
app: internal
---
apiVersion: apps/v1
kind: Deployment
metadata:
name: internal
labels:
app: internal
namespace: foo
spec:
replicas: 1
selector:
matchLabels:
app: internal
template:
metadata:
labels:
app: internal
service: apache
spec:
containers:
- name: internal
image: httpd
resources:
requests:
cpu: "100m"
imagePullPolicy: IfNotPresent #Always
ports:
- containerPort: 80

71
Istio/03-Sidecar/__02-egress-proxy-forwarding/03-default-sidecar.yaml
View File

@ -1,71 +0,0 @@
apiVersion: networking.istio.io/v1beta1
kind: Sidecar
metadata:
name: root-default
# namespace: default
namespace: istio-system
spec:
# workloadSelector:
# labels:
# app: helloworld
egress:
- hosts:
- "./*"
# - "istio-system/*"
# ingress:
# - port:
# number: 8080
# protocol: HTTP
# name: ingressport
# defaultEndpoint: 127.0.0.1:80
---
apiVersion: networking.istio.io/v1beta1
kind: Sidecar
metadata:
name: helloworld-default
namespace: default
# namespace: istio-system
spec:
# workloadSelector:
# labels:
# app: helloworld
# egress:
# - port:
# number: 8080
# protocol: HTTP
# name: egresshttp
## - "internal.foo.svc.cluster.local"
# hosts:
# - "foo/*"
# - hosts:
# - "istio-system/*"
ingress:
- port:
number: 8080
protocol: HTTP
name: ingressport
defaultEndpoint: 127.0.0.1:80
---
apiVersion: networking.istio.io/v1beta1
kind: Sidecar
metadata:
name: internal-default
namespace: foo
spec:
workloadSelector:
labels:
app: internal
egress:
- hosts:
- "./*"
- "istio-system/*"
#- "wikipedia.com"
ingress:
# - hosts:
# - "./*"
# - "istio-system/*"
- port:
number: 8080
protocol: HTTP
name: myingressport
defaultEndpoint: 127.0.0.1:80

51
Istio/03-Sidecar/__02-egress-proxy-forwarding/README.md
View File

@ -1,51 +0,0 @@
# Continues from
- 01-ingress-proxy-forwarding
# Description
This example configures the sidecar proxy on the pods created, to forward the traffic ongoing (egress)
- Configure egress to a different namespace?
> the configured meshconfig.rootNamespace namespace (istio-system by default)
https://istio.io/latest/docs/ops/best-practices/traffic-management/#cross-namespace-configuration
CANT MAKE IT WORK CANT MAKE IT WORK CANT MAKE IT WORK
istioctl install --set profile=default -y --set meshConfig.accessLogFile=/dev/stdout --set meshConfig.outboundTrafficPolicy.mode=REGISTRY_ONLY
---
kubectl get pod -l app=helloworld | tail -n 1 | awk '{print $1}'
kubectl exec -i -t "$(kubectl get pod -l app=helloworld | tail -n 1 | awk '{print $1}')" -- /bin/bash
kubectl exec -i -t "$(kubectl get pod -l app=helloworld | tail -n 1 | awk '{print $1}')" -- curl internal.foo.svc.cluster.local
curl helloworld.default.svc.cluster.local
curl internal.foo.svc.cluster.local
curl: (6) Could not resolve host: internal.foo.svc.cluster.local
helloworld.default.svc.cluster.local:8080
kubectl exec -i -n foo -t "$(kubectl get pod -l app=internal -n foo | tail -n 1 | awk '{print $1}')" -- /bin/bash

46
Istio/03-Sidecar/__02-egress-proxy-forwarding/gateway.yaml
View File

@ -1,46 +0,0 @@
apiVersion: networking.istio.io/v1alpha3
kind: Gateway
metadata:
name: helloworld-gateway
spec:
selector:
istio: ingressgateway # use istio default controller
servers:
- port:
number: 80
name: http
protocol: HTTP
hosts:
- "*"
---
apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
name: helloworld-vs
spec:
hosts:
- "*"
gateways:
- helloworld-gateway
http:
- match:
- uri:
exact: /helloworld
route:
- destination:
host: helloworld.default.svc.cluster.local
port:
number: 8080
rewrite:
uri: "/"
- match:
- uri:
exact: /internal
route:
- destination:
# host: helloworld.default.svc.cluster.local
host: internal.foo.svc.cluster.local
port:
number: 8080
rewrite:
uri: "/"

5
Istio/03-Sidecar/__02-egress-proxy-forwarding/patch/patch.yaml
View File

@ -1,5 +0,0 @@
spec:
meshConfig:
outboundTrafficPolicy:
mode: REGISTRY_ONLY
# Doesnt work

62
Istio/03-Sidecar/__02-egress-proxy-forwarding/sidecar.yaml
View File

@ -1,62 +0,0 @@
#apiVersion: networking.istio.io/v1beta1
#kind: Sidecar
#metadata:
# name: helloworld-default
# namespace: default
## namespace: istio-config
#spec:
## workloadSelector:
## labels:
## app: helloworld
## egress:
## - hosts:
## - "./*"
## - "istio-system/*"
# ingress:
# - port:
# number: 8080
# protocol: HTTP
# name: ingressport
# defaultEndpoint: 127.0.0.1:80
---
#apiVersion: networking.istio.io/v1alpha3
#kind: Sidecar
#metadata:
# name: helloworld-sidecar
#spec:
# workloadSelector:
# labels:
# app: helloworld
# ingress:
# - port:
# number: 8080
# protocol: HTTP
# name: ingressport
# defaultEndpoint: 127.0.0.1:80
#---
#apiVersion: networking.istio.io/v1beta1
#kind: Sidecar
#metadata:
# name: helloworld-default
# namespace: default
## namespace: istio-system
#spec:
# workloadSelector:
# labels:
# app: helloworld2
# egress:
# - port:
# number: 9080
# protocol: HTTP
# name: httpingress
# hosts:
# - "foo/*"
# - hosts:
# - "istio-system/*"
# ingress:
# - port:
# number: 8080
# protocol: HTTP
# name: ingressport
# defaultEndpoint: 127.0.0.1:80
#---

9
Istio/03-Sidecar/placeholder/01-namespace.yaml
View File

@ -1,9 +0,0 @@
apiVersion: v1
kind: Namespace
metadata:
name: visiblent
labels:
# istio-injection: "false"
istio-injection: "enabled"
f: "3"
---

66
Istio/03-Sidecar/placeholder/README.md
View File

@ -1,66 +0,0 @@
https://github.com/steren/istio.github.io/blob/master/_docs/setup/kubernetes/sidecar-injection.md
https://istio.io/latest/docs/reference/config/networking/sidecar/
# Continues from
- 01-hello_world_1_service_1_deployment
the labbel `workloadSelector` only affects the pods.
```yaml
workloadSelector:
```
whats this command again?
istioctl operator init
https://istio.io/latest/docs/ops/common-problems/injection/
```sh
kubectl create namespace istio-config
```
No fucking clue on how to make it NOT work.
https://istio.io/latest/blog/2021/discovery-selectors/#discovery-selectors-vs-sidecar-resource
https://istio.io/latest/docs/reference/config/networking/sidecar/
# Sidecar notes
Sidecar describes the configuration of the sidecar proxy that mediates inbound and outbound communication to the
workload instance it is attached to.
By default, Istio will program all sidecar proxies in the mesh with the necessary
configuration required to reach every workload instance in the mesh, as well as accept traffic on all the ports associated
with the workload.
The Sidecar configuration provides a way to fine tune the set of ports, protocols that the proxy will
accept when forwarding traffic to and from the workload. In addition, it is possible to restrict the set of services that
the proxy can reach when forwarding outbound traffic from workload instances.
The behavior of the system is undefined if two or more Sidecar configurations with a workloadSelector select the same workload instance.
https://youtu.be/lnYTqNfyzNk
https://www.youtube.com/watch?v=UJ86BNQEcTA

19
Istio/03-Sidecar/placeholder/deployment-SE.yaml
View File

@ -1,19 +0,0 @@
## https://github.com/istio/istio/blob/master/samples/helloworld/helloworld.yaml
#---
#apiVersion: networking.istio.io/v1alpha3
#kind: ServiceEntry
#metadata:
# name: external-svc
# namespace: visiblent
#spec:
# hosts:
# - help.websiteos.com
# # /websiteos/example_of_a_simple_html_page.htm
## - http://help.websiteos.com/websiteos/example_of_a_simple_html_page.htm
# ports:
# - number: 80
# name: http
# protocol: HTTP
# resolution: DNS
# location: MESH_EXTERNAL
#---

51
Istio/03-Sidecar/placeholder/deployment.yaml
View File

@ -1,51 +0,0 @@
## https://github.com/istio/istio/blob/master/samples/helloworld/helloworld.yaml
apiVersion: v1
kind: Service
metadata:
name: helliworld
labels:
app: helloworld
service: helloworld
# namespace: visiblent
spec:
ports:
- port: 8080
name: http
selector:
app: helloworld
#---
#apiVersion: v1
#kind: ServiceAccount
#metadata:
# name: istio-helloworld
# labels:
# account:
---
apiVersion: apps/v1
kind: Deployment
metadata:
name: helloworld-nginx
labels:
app: helloworld
# namespace: visiblent
spec:
replicas: 1
selector:
matchLabels:
app: helloworld
template:
metadata:
labels:
app: helloworld
# namespace: visiblent
spec:
# serviceAccountName: istio-helloworld
containers:
- name: helloworld
image: nginx
resources:
requests:
cpu: "100m"
imagePullPolicy: IfNotPresent #Always
ports:
- containerPort: 80

64
Istio/03-Sidecar/placeholder/gateway.yaml
View File

@ -1,64 +0,0 @@
# https://github.com/istio/istio/blob/master/samples/helloworld/helloworld-gateway.yaml
apiVersion: networking.istio.io/v1alpha3
kind: Gateway
metadata:
name: helloworld-gateway
spec:
selector:
istio: ingressgateway # use istio default controller
servers:
- port:
number: 80
name: http
protocol: HTTP
hosts:
- "*"
---
apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
name: helloworld-vs
spec:
hosts:
- "*"
gateways:
- helloworld-gateway
http:
- match:
- uri:
exact: /helloworld
route:
- destination:
host: helliworld
# host: helloworlddo
# host: helloworld-nginx-56c5c77cd7-9mxmf.visiblent
port:
number: 8080
rewrite:
uri: "/"
---
#apiVersion: networking.istio.io/v1alpha3
#kind: VirtualService
#metadata:
# name: helloworld-vs
#spec:
# hosts:
# - "*"
# gateways:
# - helloworld-gateway
# http:
# - timeout: 3s
# match:
# - uri:
# - exact: "/external"
# route:
# - destination:
# host: help.websiteos.com
# port:
# number: 80
# rewrite:
# uri: "/websiteos/example_of_a_simple_html_page.htm"
# headers:
# request:
# set:
# HOST: "help.websiteos.com"

47
Istio/03-Sidecar/placeholder/sidecar.yaml
View File

@ -1,47 +0,0 @@
## First we overide the default configuration.
# This configures the egress, to only allow egress within the same namespace, and to `istio-system`
apiVersion: networking.istio.io/v1beta1
kind: Sidecar
metadata:
name: default
namespace: istio-config
spec:
egress:
- hosts:
- "./*"
- "istio-system/*"
---
apiVersion: networking.istio.io/v1alpha3
kind: Sidecar
metadata:
name: helloworlddo
# namespace: visiblent
spec:
workloadSelector:
labels:
app: helloworld
ingress:
# - bind: 192.168.1.50
# - bind: 172.17.121.220
- port:
number: 8080
protocol: HTTP
name: ingressport
defaultEndpoint: 127.0.0.1:80
# defaultEndpoint: unix:///var/run/someuds.sock
# captureMode: DEFAULT
# egress:
# - port:
# number: 80
# protocol: HTTP
# name: egressport
# hosts:
# - "prod-us1/*"
# - hosts:
# - "istio-system/*"
# egress:
# hosts:
# - "./*"
# - "istio-system/*"
# captureMode: DEFAULT

23
Istio/03-Sidecar/placeholder/tmp.yaml
View File

@ -1,23 +0,0 @@
#apiVersion:
# networking.istio.io/v1alpha3
#kind: Sidecar
#metadata:
# name: default
# namespace: default
#spec:
# egress:
# - hosts:
# - "./*"
# - "istio-system/*"
#---
#apiVersion: networking.istio.io/v1alpha3
#kind: Sidecar
#metadata:
# name: default-sidecar
# namespace: default
#spec:
# egress:
# - hosts:
# - "default/*"
# - "istio-system/*"
# - "staging/*"

53
Istio/03-Sidecar/placeholder/txt.txt
View File

@ -1,53 +0,0 @@
apiVersion: v1
kind: Service
metadata:
name: ratings
labels:
app: ratings
service: ratings
spec:
ports:
- port: 8443
name: https
targetPort: 80
selector:
app: ratings
apiVersion: security.istio.io/v1beta1
kind: PeerAuthentication
metadata:
name: ratings-peer-auth
namespace: prod-us1
spec:
selector:
matchLabels:
app: ratings
mtls:
mode: STRICT
portLevelMtls:
80:
mode: DISABLE
apiVersion: networking.istio.io/v1alpha3
kind: Sidecar
metadata:
name: ratings
namespace: prod-us1
spec:
workloadSelector:
labels:
app: ratings
ingress:
- port:
number: 80
protocol: HTTPS
name: somename
defaultEndpoint: unix:///var/run/someuds.sock
tls:
mode: SIMPLE
privateKey: "/etc/certs/privatekey.pem"
serverCertificate: "/etc/certs/servercert.pem"

8
Istio/03-Sidecar/tmp-visibility/README.txt
View File

@ -1,8 +0,0 @@
https://github.com/steren/istio.github.io/blob/master/_docs/setup/kubernetes/sidecar-injection.md
https://istio.io/latest/docs/reference/config/networking/sidecar/
# Continues from
- 01-hello_world_1_service_1_deployment

27
Istio/03-Sidecar/tmp-visibility/sidecar.yaml
View File

@ -1,27 +0,0 @@
apiVersion:
networking.istio.io/v1alpha3
kind: Sidecar
metadata:
name: default
namespace: foo
spec:
egress:
- hosts:
- "./*"
- "istio-system/*"
---
apiVersion: networking.istio.io/v1alpha3
kind: Sidecar
metadata:
name: default-sidecar
namespace: default
spec:
workloadSelector:
labels:
version: v1
egress:
- hosts:
- "default/*"
- "istio-system/*"
- "staging/*"
---

11
Istio/03-Sidecar/tmp-visibility/workload.yaml
View File

@ -1,11 +0,0 @@
apiVersion: networking.istio.io/v1alpha3
kind: Sidecar
metadata:
name: default-sidecar
namespace: default
spec:
egress:
- hosts:
- "default/*"
- "istio-system/*"
- "staging/*"