├── .github ├── snippet-bot.yml ├── pull_request_template.md ├── workflows │ ├── tf-validate-ci.yml │ └── asm-acm-tutorial-ci.yaml └── header-checker-lint.yml ├── demos ├── asm-mcp-multi-clusters │ ├── terraform │ │ ├── outputs.tf │ │ ├── lab_materials │ │ │ ├── .krmignore │ │ │ ├── acm-policy-controller.yaml │ │ │ ├── istio-system │ │ │ │ ├── default-deny-authorization-policy.yaml │ │ │ │ ├── peerauthentication-mtls-strict.yaml │ │ │ │ └── mesh-configs.yaml │ │ │ ├── asm-ingressgateway │ │ │ │ ├── namespace.yaml │ │ │ │ ├── authorization-policy.yaml │ │ │ │ └── gateway.yaml │ │ │ ├── bank-of-anthos │ │ │ │ ├── namespace.yaml │ │ │ │ ├── frontend-virtualservice.yaml │ │ │ │ ├── transaction-history-with-fault-virtualservice.yaml │ │ │ │ └── manifests │ │ │ │ │ ├── config.yaml │ │ │ │ │ └── loadgenerator.yaml │ │ │ ├── policies │ │ │ │ ├── strict-mtls │ │ │ │ │ ├── mesh-level-strict-mtls.yaml │ │ │ │ │ ├── destinationrule-tls-enabled.yaml │ │ │ │ │ └── peerauthentication-strict-mtls.yaml │ │ │ │ ├── authorization-policies │ │ │ │ │ └── default-deny-authorization-policies.yaml │ │ │ │ └── sidecar-injection │ │ │ │ │ ├── pod-sidecar-injection-annotation.yaml │ │ │ │ │ ├── namespace-sidecar-injection-label.yaml │ │ │ │ │ └── namespace-sidecar-injection-annotation.yaml │ │ │ ├── multi-cluster-ingress │ │ │ │ ├── multi-cluster-ingress.yaml │ │ │ │ └── multi-cluster-service.yaml │ │ │ ├── gatekeeper-system │ │ │ │ └── config-referential-constraints.yaml │ │ │ └── vars.sh │ │ ├── runtime.yaml │ │ ├── sh │ │ │ └── prepare-lab.sh │ │ └── providers.tf │ ├── instructions │ │ └── img │ │ │ ├── cloudshell.png │ │ │ ├── table-view.png │ │ │ ├── topology.png │ │ │ ├── architecture.png │ │ │ ├── cloud-trace.png │ │ │ ├── policy-audit.png │ │ │ ├── slo-setup-1.png │ │ │ ├── slo-setup-2.png │ │ │ ├── slo-setup-3.png │ │ │ ├── slo-setup-4.png │ │ │ ├── slo-setup-5.png │ │ │ ├── slo-setup-6.png │ │ │ ├── slo-setup-7.png │ │ │ ├── slo-setup-8.png │ │ │ ├── bankofanthos-home.png │ │ │ ├── 
burn-rate-alert-1.png │ │ │ ├── burn-rate-alert-2.png │ │ │ ├── burn-rate-alert-3.png │ │ │ ├── burn-rate-alert-4.png │ │ │ ├── architecture-partial.png │ │ │ ├── bankofanthos-login.png │ │ │ ├── bankofanthos-services.png │ │ │ ├── control-plane-metrics.png │ │ │ ├── policy-audit-with-mtls.png │ │ │ ├── frontend-service-metrics.png │ │ │ ├── frontend-service-overview.png │ │ │ ├── policy-audit-without-mtls.png │ │ │ ├── frontend-service-metrics-degradated.png │ │ │ ├── bankofanthos-home-transactionhistory-error.png │ │ │ ├── transactionhistory-service-metrics-degradated.png │ │ │ └── gcp.svg │ └── README.md ├── README.md └── bank-of-anthos-asm-manifests │ ├── demo-manifests │ ├── README.md │ ├── frontend-custom-100-0.yml │ ├── frontend-custom-50-50.yml │ ├── frontend-delay-fault-injection.yml │ ├── frontend-http500-fault-injection.yml │ └── frontend-custom-http-header.yml │ └── deployment-manifests │ ├── README.md │ ├── asm-gateway.yaml │ └── loadgenerator.yaml ├── renovate.json ├── docs ├── helloserver │ ├── loadgen │ │ ├── requirements.txt │ │ ├── Dockerfile-base │ │ ├── Dockerfile │ │ └── loadgen.py │ ├── README.md │ └── server │ │ ├── Dockerfile │ │ └── server.yaml ├── ingress-gateway-asm-manifests │ ├── README.md │ ├── base │ │ ├── pdb-v1.yaml │ │ ├── namespace.yaml │ │ ├── kustomization.yaml │ │ └── gateway.yaml │ ├── kustomization.yaml │ └── with-authorization-policies │ │ ├── kustomization.yaml │ │ └── authorizationpolicy.yaml ├── egress-gateway-asm-manifests │ ├── asm-egress │ │ ├── serviceaccount.yaml │ │ ├── service.yaml │ │ ├── role.yaml │ │ └── deployment.yaml │ ├── serviceentry-https.yaml │ ├── serviceentry-http.yaml │ ├── gateway-http.yaml │ └── gateway-https.yaml ├── mtls-egress-ingress │ ├── terraform │ │ ├── kops-src │ │ │ ├── env-vars │ │ │ └── cluster │ │ │ │ └── b_create-kops-cluster.sh │ │ ├── outputs.tf │ │ ├── variables.tf │ │ └── clean-up-fw-rules-of-cluster.sh │ ├── client │ │ ├── httpbin-client │ │ │ ├── httpbin-external.yaml.tmpl │ │ │ 
├── service-entry.yaml.tmpl │ │ │ ├── gateway-destinationrule-to-egressgateway.yaml.tmpl │ │ │ ├── get-logs-from-sleep-proxy.sh │ │ │ ├── virtualservice-destinationrule-from-egressgateway.yaml.tmpl │ │ │ └── clean-up.sh │ │ ├── mysql-client │ │ │ ├── service-entry.yaml.tmpl │ │ │ ├── gateway-destinationrule-to-egressgateway.yaml.tmpl │ │ │ ├── get-logs-from-mysql-client.sh │ │ │ ├── virtualservice-destinationrule-from-egressgateway.yaml.tmpl │ │ │ └── clean-up.sh │ │ ├── get-logs-from-egress.sh │ │ ├── features.yaml │ │ └── set-project-and-cluster-client.sh │ ├── server │ │ ├── mysql-server │ │ │ ├── gateway-patch.json │ │ │ ├── virtual-service.yaml.tmpl │ │ │ ├── gateway-mutual.yaml.tmpl │ │ │ ├── get-logs-from-mysql-server.sh │ │ │ └── clean-up.sh │ │ ├── httpbin-server │ │ │ ├── gateway-mutual.yaml.tmpl │ │ │ ├── virtual-service.yaml.tmpl │ │ │ ├── get-logs-from-httpbin-server.sh │ │ │ └── clean-up.sh │ │ ├── features.yaml │ │ ├── set-project-and-cluster-server.sh │ │ └── get-logs-from-ingress.sh │ ├── .gitignore │ ├── setup-istioctl.sh │ └── create-keys.sh ├── README.md ├── shared │ ├── asm-ingress-gateway │ │ ├── pdb-v1.yaml │ │ ├── autoscaling-v2.yaml │ │ └── gateway.yaml │ ├── online-boutique │ │ ├── virtual-service.yaml │ │ └── service-accounts │ │ │ └── service-accounts.yaml │ ├── service_port_name_suffix.yaml │ └── service_port_name.yaml ├── canary-service │ ├── README.md │ ├── vs-v2.yaml │ ├── vs-v1.yaml │ ├── destination-v1-v2.yaml │ ├── vs-split-traffic.yaml │ └── destination-vs-v1.yaml ├── asm-gke-terraform │ ├── providers.tf │ └── variables.tf ├── online-boutique-asm-manifests │ ├── base │ │ ├── all │ │ │ ├── namespace.yaml │ │ │ ├── virtualservice.yaml │ │ │ └── kustomization.yaml │ │ ├── kustomization.yaml │ │ ├── for-namespace │ │ │ └── kustomization.yaml │ │ ├── for-virtualservice-host │ │ │ └── kustomization.yaml │ │ └── for-memorystore │ │ │ └── kustomization.yaml │ ├── service-accounts │ │ ├── all │ │ │ ├── service-account-frontend.yaml │ │ │ 
├── service-account-redis.yaml │ │ │ ├── service-account-adservice.yaml │ │ │ ├── service-account-cartservice.yaml │ │ │ ├── service-account-emailservice.yaml │ │ │ ├── service-account-loadgenerator.yaml │ │ │ ├── service-account-paymentservice.yaml │ │ │ ├── service-account-checkoutservice.yaml │ │ │ ├── service-account-currencyservice.yaml │ │ │ ├── service-account-shippingservice.yaml │ │ │ ├── service-account-productcatalogservice.yaml │ │ │ └── service-account-recommendationservice.yaml │ │ ├── kustomization.yaml │ │ └── for-memorystore │ │ │ └── kustomization.yaml │ ├── sidecars │ │ ├── kustomization.yaml │ │ ├── all │ │ │ ├── sidecar-redis.yaml │ │ │ ├── sidecar-adservice.yaml │ │ │ ├── sidecar-emailservice.yaml │ │ │ ├── sidecar-paymentservice.yaml │ │ │ ├── sidecar-currencyservice.yaml │ │ │ ├── sidecar-shippingservice.yaml │ │ │ ├── sidecar-cartservice.yaml │ │ │ ├── sidecar-loadgenerator.yaml │ │ │ ├── sidecar-productcatalogservice.yaml │ │ │ ├── sidecar-recommendationservice.yaml │ │ │ ├── kustomization.yaml │ │ │ ├── sidecar-checkoutservice.yaml │ │ │ └── sidecar-frontend.yaml │ │ └── for-memorystore │ │ │ └── kustomization.yaml │ ├── authorization-policies │ │ ├── kustomization.yaml │ │ ├── for-memorystore │ │ │ └── kustomization.yaml │ │ ├── all │ │ │ ├── authorization-policy-redis.yaml │ │ │ ├── authorization-policy-frontend.yaml │ │ │ ├── authorization-policy-adservice.yaml │ │ │ ├── authorization-policy-emailservice.yaml │ │ │ ├── authorization-policy-paymentservice.yaml │ │ │ ├── authorization-policy-checkoutservice.yaml │ │ │ ├── kustomization.yaml │ │ │ ├── authorization-policy-recommendationservice.yaml │ │ │ ├── authorization-policy-shippingservice.yaml │ │ │ ├── authorization-policy-cartservice.yaml │ │ │ ├── authorization-policy-currencyservice.yaml │ │ │ └── authorization-policy-productcatalogservice.yaml │ │ └── for-ingress-gateway │ │ │ └── kustomization.yaml │ └── kustomization.yaml ├── enabling-optional-features │ ├── 
mtls_strict_mode.yaml │ ├── direct_envoy_to_stdout.yaml │ ├── direct_envoy_stdout_proxy.yaml │ ├── cloud_trace.yaml │ ├── asmmulticloud_profile.yaml │ ├── asmgcp_profile.yaml │ ├── cloud_trace_addoncomponents.yaml │ ├── cloud_trace_sampling.yaml │ ├── gke_cni.yaml │ ├── gke_on_prem_cni.yaml │ └── enable_internal_load_balancer.yaml ├── ingress-gateway-external-lb │ └── README.md ├── authorization │ ├── currency-deny-all.yaml │ └── currency-allow-frontend-checkout.yaml ├── iap-integration │ ├── load_balancer_managed_certificate.yaml │ ├── load_balancer_ingress.yaml │ └── rctoken_istio_ingress_gateway.yaml ├── security │ ├── update-authentication-policies │ │ ├── security_auth_meshpolicy.yaml │ │ ├── security_auth_peerauthentication.yaml │ │ ├── security_auth_policy.yaml │ │ └── security_auth_requestauthentication.yaml │ └── update-auth-policies │ │ ├── auth_policy_oldtd.yaml │ │ └── auth_policy_clusterlocal.yaml └── migrate-to-managed-asm │ ├── service-entry.yaml │ ├── virtual-service.yaml │ └── virtual-service-in-cluster-asm.yaml ├── .gitignore ├── .editorconfig ├── CODEOWNERS ├── SECURITY.md ├── README.md └── CONTRIBUTING.md /.github/snippet-bot.yml: -------------------------------------------------------------------------------- 1 | -------------------------------------------------------------------------------- /demos/asm-mcp-multi-clusters/terraform/outputs.tf: -------------------------------------------------------------------------------- 1 | -------------------------------------------------------------------------------- /renovate.json: -------------------------------------------------------------------------------- 1 | { 2 | "extends": [ 3 | "config:base" 4 | ] 5 | } 6 | -------------------------------------------------------------------------------- /demos/asm-mcp-multi-clusters/terraform/lab_materials/.krmignore: -------------------------------------------------------------------------------- 1 | acm-policy-controller.yaml 
-------------------------------------------------------------------------------- /demos/asm-mcp-multi-clusters/terraform/runtime.yaml: -------------------------------------------------------------------------------- 1 | runtime: terraform 2 | version: 1.0.1 -------------------------------------------------------------------------------- /docs/helloserver/loadgen/requirements.txt: -------------------------------------------------------------------------------- 1 | grequests==0.7.0 2 | requests==2.32.5 3 | schedule==1.2.2 4 | -------------------------------------------------------------------------------- /demos/README.md: -------------------------------------------------------------------------------- 1 | # Demos 2 | 3 | This directory contains code samples and scripts for content that does not live on cloud.google.com. -------------------------------------------------------------------------------- /docs/ingress-gateway-asm-manifests/README.md: -------------------------------------------------------------------------------- 1 | # Deploy an Ingress Gateway with Kustomize 2 | 3 | ``` 4 | kubectl apply -k . 
5 | ``` -------------------------------------------------------------------------------- /docs/egress-gateway-asm-manifests/asm-egress/serviceaccount.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: v1 2 | kind: ServiceAccount 3 | metadata: 4 | name: asm-egressgateway 5 | -------------------------------------------------------------------------------- /docs/mtls-egress-ingress/terraform/kops-src/env-vars: -------------------------------------------------------------------------------- 1 | export PROJECT=vch-anthos-demo 2 | export KOPS_STATE_STORE=gs://vch-anthos-demo-kops-clusters 3 | export KOPS_FEATURE_FLAGS=AlphaAllowGCE 4 | -------------------------------------------------------------------------------- /demos/asm-mcp-multi-clusters/instructions/img/cloudshell.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/GoogleCloudPlatform/anthos-service-mesh-samples/HEAD/demos/asm-mcp-multi-clusters/instructions/img/cloudshell.png -------------------------------------------------------------------------------- /demos/asm-mcp-multi-clusters/instructions/img/table-view.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/GoogleCloudPlatform/anthos-service-mesh-samples/HEAD/demos/asm-mcp-multi-clusters/instructions/img/table-view.png -------------------------------------------------------------------------------- /demos/asm-mcp-multi-clusters/instructions/img/topology.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/GoogleCloudPlatform/anthos-service-mesh-samples/HEAD/demos/asm-mcp-multi-clusters/instructions/img/topology.png -------------------------------------------------------------------------------- /demos/asm-mcp-multi-clusters/instructions/img/architecture.png: 
-------------------------------------------------------------------------------- https://raw.githubusercontent.com/GoogleCloudPlatform/anthos-service-mesh-samples/HEAD/demos/asm-mcp-multi-clusters/instructions/img/architecture.png -------------------------------------------------------------------------------- /demos/asm-mcp-multi-clusters/instructions/img/cloud-trace.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/GoogleCloudPlatform/anthos-service-mesh-samples/HEAD/demos/asm-mcp-multi-clusters/instructions/img/cloud-trace.png -------------------------------------------------------------------------------- /demos/asm-mcp-multi-clusters/instructions/img/policy-audit.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/GoogleCloudPlatform/anthos-service-mesh-samples/HEAD/demos/asm-mcp-multi-clusters/instructions/img/policy-audit.png -------------------------------------------------------------------------------- /demos/asm-mcp-multi-clusters/instructions/img/slo-setup-1.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/GoogleCloudPlatform/anthos-service-mesh-samples/HEAD/demos/asm-mcp-multi-clusters/instructions/img/slo-setup-1.png -------------------------------------------------------------------------------- /demos/asm-mcp-multi-clusters/instructions/img/slo-setup-2.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/GoogleCloudPlatform/anthos-service-mesh-samples/HEAD/demos/asm-mcp-multi-clusters/instructions/img/slo-setup-2.png -------------------------------------------------------------------------------- /demos/asm-mcp-multi-clusters/instructions/img/slo-setup-3.png: -------------------------------------------------------------------------------- 
https://raw.githubusercontent.com/GoogleCloudPlatform/anthos-service-mesh-samples/HEAD/demos/asm-mcp-multi-clusters/instructions/img/slo-setup-3.png -------------------------------------------------------------------------------- /demos/asm-mcp-multi-clusters/instructions/img/slo-setup-4.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/GoogleCloudPlatform/anthos-service-mesh-samples/HEAD/demos/asm-mcp-multi-clusters/instructions/img/slo-setup-4.png -------------------------------------------------------------------------------- /demos/asm-mcp-multi-clusters/instructions/img/slo-setup-5.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/GoogleCloudPlatform/anthos-service-mesh-samples/HEAD/demos/asm-mcp-multi-clusters/instructions/img/slo-setup-5.png -------------------------------------------------------------------------------- /demos/asm-mcp-multi-clusters/instructions/img/slo-setup-6.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/GoogleCloudPlatform/anthos-service-mesh-samples/HEAD/demos/asm-mcp-multi-clusters/instructions/img/slo-setup-6.png -------------------------------------------------------------------------------- /demos/asm-mcp-multi-clusters/instructions/img/slo-setup-7.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/GoogleCloudPlatform/anthos-service-mesh-samples/HEAD/demos/asm-mcp-multi-clusters/instructions/img/slo-setup-7.png -------------------------------------------------------------------------------- /demos/asm-mcp-multi-clusters/instructions/img/slo-setup-8.png: -------------------------------------------------------------------------------- 
https://raw.githubusercontent.com/GoogleCloudPlatform/anthos-service-mesh-samples/HEAD/demos/asm-mcp-multi-clusters/instructions/img/slo-setup-8.png -------------------------------------------------------------------------------- /demos/asm-mcp-multi-clusters/instructions/img/bankofanthos-home.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/GoogleCloudPlatform/anthos-service-mesh-samples/HEAD/demos/asm-mcp-multi-clusters/instructions/img/bankofanthos-home.png -------------------------------------------------------------------------------- /demos/asm-mcp-multi-clusters/instructions/img/burn-rate-alert-1.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/GoogleCloudPlatform/anthos-service-mesh-samples/HEAD/demos/asm-mcp-multi-clusters/instructions/img/burn-rate-alert-1.png -------------------------------------------------------------------------------- /demos/asm-mcp-multi-clusters/instructions/img/burn-rate-alert-2.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/GoogleCloudPlatform/anthos-service-mesh-samples/HEAD/demos/asm-mcp-multi-clusters/instructions/img/burn-rate-alert-2.png -------------------------------------------------------------------------------- /demos/asm-mcp-multi-clusters/instructions/img/burn-rate-alert-3.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/GoogleCloudPlatform/anthos-service-mesh-samples/HEAD/demos/asm-mcp-multi-clusters/instructions/img/burn-rate-alert-3.png -------------------------------------------------------------------------------- /demos/asm-mcp-multi-clusters/instructions/img/burn-rate-alert-4.png: -------------------------------------------------------------------------------- 
https://raw.githubusercontent.com/GoogleCloudPlatform/anthos-service-mesh-samples/HEAD/demos/asm-mcp-multi-clusters/instructions/img/burn-rate-alert-4.png -------------------------------------------------------------------------------- /demos/asm-mcp-multi-clusters/instructions/img/architecture-partial.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/GoogleCloudPlatform/anthos-service-mesh-samples/HEAD/demos/asm-mcp-multi-clusters/instructions/img/architecture-partial.png -------------------------------------------------------------------------------- /demos/asm-mcp-multi-clusters/instructions/img/bankofanthos-login.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/GoogleCloudPlatform/anthos-service-mesh-samples/HEAD/demos/asm-mcp-multi-clusters/instructions/img/bankofanthos-login.png -------------------------------------------------------------------------------- /.gitignore: -------------------------------------------------------------------------------- 1 | # Terraform 2 | **terraform.tfstate 3 | **terraform.tfstate.backup 4 | **.terraform.tfstate.* 5 | **.terraform 6 | **terraform.tfvars 7 | .terraform.lock.hcl 8 | 9 | # Misc. 
10 | .DS_Store 11 | .idea/ 12 | -------------------------------------------------------------------------------- /demos/asm-mcp-multi-clusters/instructions/img/bankofanthos-services.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/GoogleCloudPlatform/anthos-service-mesh-samples/HEAD/demos/asm-mcp-multi-clusters/instructions/img/bankofanthos-services.png -------------------------------------------------------------------------------- /demos/asm-mcp-multi-clusters/instructions/img/control-plane-metrics.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/GoogleCloudPlatform/anthos-service-mesh-samples/HEAD/demos/asm-mcp-multi-clusters/instructions/img/control-plane-metrics.png -------------------------------------------------------------------------------- /demos/asm-mcp-multi-clusters/instructions/img/policy-audit-with-mtls.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/GoogleCloudPlatform/anthos-service-mesh-samples/HEAD/demos/asm-mcp-multi-clusters/instructions/img/policy-audit-with-mtls.png -------------------------------------------------------------------------------- /docs/README.md: -------------------------------------------------------------------------------- 1 | # ASM Docs Samples 2 | 3 | This directory contains code samples for cloud.google.com. 
4 | 5 | To set up a GKE environment to try out ASM, follow the README.md in the `/asm-gke-terraform` folder in this directory. -------------------------------------------------------------------------------- /demos/asm-mcp-multi-clusters/instructions/img/frontend-service-metrics.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/GoogleCloudPlatform/anthos-service-mesh-samples/HEAD/demos/asm-mcp-multi-clusters/instructions/img/frontend-service-metrics.png -------------------------------------------------------------------------------- /demos/asm-mcp-multi-clusters/instructions/img/frontend-service-overview.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/GoogleCloudPlatform/anthos-service-mesh-samples/HEAD/demos/asm-mcp-multi-clusters/instructions/img/frontend-service-overview.png -------------------------------------------------------------------------------- /demos/asm-mcp-multi-clusters/instructions/img/policy-audit-without-mtls.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/GoogleCloudPlatform/anthos-service-mesh-samples/HEAD/demos/asm-mcp-multi-clusters/instructions/img/policy-audit-without-mtls.png -------------------------------------------------------------------------------- /demos/asm-mcp-multi-clusters/terraform/lab_materials/acm-policy-controller.yaml: -------------------------------------------------------------------------------- 1 | applySpecVersion: 1 2 | spec: 3 | policyController: 4 | enabled: true 5 | templateLibraryInstalled: true 6 | referentialRulesEnabled: true -------------------------------------------------------------------------------- /.editorconfig: -------------------------------------------------------------------------------- 1 | # This file helps maintain consistent coding styles across text editors.
2 | 3 | root = true 4 | 5 | [*] 6 | insert_final_newline = true 7 | trim_trailing_whitespace = true 8 | indent_style = space 9 | indent_size = 2 10 | -------------------------------------------------------------------------------- /demos/asm-mcp-multi-clusters/instructions/img/frontend-service-metrics-degradated.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/GoogleCloudPlatform/anthos-service-mesh-samples/HEAD/demos/asm-mcp-multi-clusters/instructions/img/frontend-service-metrics-degradated.png -------------------------------------------------------------------------------- /demos/asm-mcp-multi-clusters/terraform/lab_materials/istio-system/default-deny-authorization-policy.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: security.istio.io/v1beta1 2 | kind: AuthorizationPolicy 3 | metadata: 4 | name: deny-all 5 | namespace: istio-system 6 | spec: 7 | {} -------------------------------------------------------------------------------- /demos/asm-mcp-multi-clusters/instructions/img/bankofanthos-home-transactionhistory-error.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/GoogleCloudPlatform/anthos-service-mesh-samples/HEAD/demos/asm-mcp-multi-clusters/instructions/img/bankofanthos-home-transactionhistory-error.png -------------------------------------------------------------------------------- /demos/asm-mcp-multi-clusters/instructions/img/transactionhistory-service-metrics-degradated.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/GoogleCloudPlatform/anthos-service-mesh-samples/HEAD/demos/asm-mcp-multi-clusters/instructions/img/transactionhistory-service-metrics-degradated.png -------------------------------------------------------------------------------- 
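/docs/mtls-egress-ingress/client/httpbin-client/httpbin-external.yaml.tmpl: -------------------------------------------------------------------------------- 1 | apiVersion: v1 2 | kind: Service 3 | metadata: 4 | name: httpbin-external 5 | spec: 6 | ports: 7 | - protocol: TCP 8 | port: 80 9 | name: http 10 | targetPort: 80 -------------------------------------------------------------------------------- /docs/mtls-egress-ingress/server/mysql-server/gateway-patch.json: -------------------------------------------------------------------------------- 1 | [{ 2 | "op": "add", 3 | "path": "/spec/ports/0", 4 | "value": { 5 | "name": "tls-mysql", 6 | "protocol": "TCP", 7 | "targetPort": 13306, 8 | "port": 13306 9 | } 10 | }] 11 | -------------------------------------------------------------------------------- /demos/asm-mcp-multi-clusters/terraform/sh/prepare-lab.sh: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env bash 2 | 3 | # Copy the lab materials under MODULE_PATH into the gs://${PROJECT_ID} bucket. 4 | # Both variables must be set and non-empty: an empty MODULE_PATH would turn the 5 | # source into /lab_materials/* and an empty PROJECT_ID would leave a bare gs:// 6 | # destination, so stop before anything is copied. 7 | : "${PROJECT_ID:?PROJECT_ID must be set}" 8 | : "${MODULE_PATH:?MODULE_PATH must be set}" 9 | 10 | # Verify imported variables 11 | echo -e "PROJECT_ID is ${PROJECT_ID}" 12 | echo -e "MODULE PATH is ${MODULE_PATH}" 13 | 14 | # Quote the expansions so a path containing spaces or glob characters is passed 15 | # intact; the trailing * stays unquoted so the shell still expands it. 16 | gsutil -m cp -r "${MODULE_PATH}"/lab_materials/* "gs://${PROJECT_ID}" 17 | -------------------------------------------------------------------------------- /demos/asm-mcp-multi-clusters/terraform/lab_materials/asm-ingressgateway/namespace.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: v1 2 | kind: Namespace 3 | metadata: 4 | annotations: 5 | mesh.cloud.google.com/proxy: '{"managed": true}' 6 | labels: 7 | istio-injection: enabled 8 | name: asm-ingress -------------------------------------------------------------------------------- /demos/asm-mcp-multi-clusters/terraform/lab_materials/bank-of-anthos/namespace.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: v1 2 | kind: Namespace 3 | metadata: 4 | annotations: 5 | mesh.cloud.google.com/proxy: '{"managed": true}' 6 | labels: 7 |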
istio-injection: enabled 8 | name: bank-of-anthos -------------------------------------------------------------------------------- /demos/asm-mcp-multi-clusters/terraform/lab_materials/istio-system/peerauthentication-mtls-strict.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: security.istio.io/v1beta1 2 | kind: PeerAuthentication 3 | metadata: 4 | name: default 5 | namespace: istio-system 6 | spec: 7 | mtls: 8 | mode: STRICT 9 | -------------------------------------------------------------------------------- /demos/bank-of-anthos-asm-manifests/demo-manifests/README.md: -------------------------------------------------------------------------------- 1 | # Bank of Anthos ASM Demo Manifests 2 | 3 | This directory contains demo manifests for Anthos Service Mesh Traffic Management capabilities for the [Bank of Anthos](https://github.com/GoogleCloudPlatform/bank-of-anthos). -------------------------------------------------------------------------------- /demos/bank-of-anthos-asm-manifests/deployment-manifests/README.md: -------------------------------------------------------------------------------- 1 | # Bank of Anthos ASM Deployment Manifests 2 | 3 | This directory contains standard deployment manifests for the [Bank of Anthos](https://github.com/GoogleCloudPlatform/bank-of-anthos) application with Anthos Service Mesh Support. 
-------------------------------------------------------------------------------- /demos/asm-mcp-multi-clusters/terraform/lab_materials/istio-system/mesh-configs.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: v1 2 | data: 3 | mesh: |- 4 | defaultConfig: 5 | tracing: 6 | stackdriver: {} 7 | kind: ConfigMap 8 | metadata: 9 | name: istio-asm-managed-rapid 10 | namespace: istio-system -------------------------------------------------------------------------------- /docs/egress-gateway-asm-manifests/serviceentry-https.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: networking.istio.io/v1alpha3 2 | kind: ServiceEntry 3 | metadata: 4 | name: cnn 5 | spec: 6 | hosts: 7 | - edition.cnn.com 8 | ports: 9 | - number: 443 10 | name: tls 11 | protocol: TLS 12 | resolution: DNS -------------------------------------------------------------------------------- /docs/helloserver/loadgen/Dockerfile-base: -------------------------------------------------------------------------------- 1 | FROM python:3-slim as builder 2 | 3 | RUN apt-get -qq update \ 4 | && apt-get install -y --no-install-recommends \ 5 | g++ \ 6 | && rm -rf /var/lib/apt/lists/* 7 | 8 | # get packages 9 | COPY requirements.txt . 
10 | RUN pip install -r requirements.txt -------------------------------------------------------------------------------- /demos/asm-mcp-multi-clusters/terraform/lab_materials/policies/strict-mtls/mesh-level-strict-mtls.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: constraints.gatekeeper.sh/v1beta1 2 | kind: AsmPeerAuthnMeshStrictMtls 3 | metadata: 4 | name: mesh-level-strict-mtls 5 | spec: 6 | enforcementAction: deny 7 | parameters: 8 | strictnessLevel: High -------------------------------------------------------------------------------- /demos/asm-mcp-multi-clusters/terraform/lab_materials/policies/authorization-policies/default-deny-authorization-policies.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: constraints.gatekeeper.sh/v1beta1 2 | kind: AsmAuthzPolicyDefaultDeny 3 | metadata: 4 | name: default-deny-authorization-policies 5 | spec: 6 | enforcementAction: deny 7 | parameters: 8 | strictnessLevel: High -------------------------------------------------------------------------------- /CODEOWNERS: -------------------------------------------------------------------------------- 1 | # See https://help.github.com/en/articles/about-code-owners 2 | # for more info about CODEOWNERS file. 3 | 4 | # These owners will be the default owners for everything in 5 | # the repo. Unless a later match takes precedence. 6 | /docs/mtls-egress-ingress/ @vhamburger @jeremysolarz 7 | 8 | * @GoogleCloudPlatform/anthos-dpe 9 | -------------------------------------------------------------------------------- /SECURITY.md: -------------------------------------------------------------------------------- 1 | # Security Policy 2 | 3 | To report a security issue, please use [g.co/vulnz](https://g.co/vulnz). 4 | 5 | The Google Security Team will respond within 5 working days of your report on g.co/vulnz. 
6 | 7 | We use g.co/vulnz for our intake, and do coordination and disclosure here using GitHub Security Advisory to privately discuss and fix the issue. 8 | -------------------------------------------------------------------------------- /docs/egress-gateway-asm-manifests/serviceentry-http.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: networking.istio.io/v1alpha3 2 | kind: ServiceEntry 3 | metadata: 4 | name: cnn 5 | spec: 6 | hosts: 7 | - edition.cnn.com 8 | ports: 9 | - number: 80 10 | name: http-port 11 | protocol: HTTP 12 | - number: 443 13 | name: https 14 | protocol: HTTPS 15 | resolution: DNS 16 | -------------------------------------------------------------------------------- /docs/egress-gateway-asm-manifests/asm-egress/service.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: v1 2 | kind: Service 3 | metadata: 4 | name: asm-egressgateway 5 | labels: 6 | asm: egressgateway 7 | spec: 8 | ports: 9 | # Any ports exposed in Gateway resources should be exposed here. 
10 | - name: http2 11 | port: 80 12 | - name: https 13 | port: 443 14 | selector: 15 | asm: egressgateway # NOTE(review): deployment.yaml in this directory labels its pods app: egressgateway - confirm something adds asm: egressgateway, otherwise this selector matches no pods 16 | -------------------------------------------------------------------------------- /demos/asm-mcp-multi-clusters/terraform/lab_materials/multi-cluster-ingress/multi-cluster-ingress.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: networking.gke.io/v1beta1 2 | kind: MultiClusterIngress 3 | metadata: 4 | name: frontend-multi-cluster-ingress 5 | namespace: asm-ingress 6 | spec: 7 | template: 8 | spec: 9 | backend: 10 | serviceName: frontend-multi-cluster-service 11 | servicePort: 80 12 | -------------------------------------------------------------------------------- /demos/asm-mcp-multi-clusters/terraform/lab_materials/asm-ingressgateway/authorization-policy.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: security.istio.io/v1beta1 2 | kind: AuthorizationPolicy 3 | metadata: 4 | name: asm-ingressgateway 5 | namespace: asm-ingress 6 | spec: 7 | selector: 8 | matchLabels: 9 | asm: ingressgateway 10 | rules: # no action field, so the Istio default (ALLOW) applies; the single rule has no from/when clause, so any source may reach port 8080 on the selected gateway pods 11 | - to: 12 | - operation: 13 | ports: 14 | - "8080" -------------------------------------------------------------------------------- /demos/asm-mcp-multi-clusters/terraform/lab_materials/policies/strict-mtls/destinationrule-tls-enabled.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: constraints.gatekeeper.sh/v1beta1 2 | kind: DestinationRuleTLSEnabled 3 | metadata: 4 | name: destination-rule-tls-enabled 5 | spec: 6 | enforcementAction: deny # DestinationRule objects that violate the constraint are rejected, not only reported 7 | match: 8 | kinds: 9 | - apiGroups: 10 | - networking.istio.io 11 | kinds: 12 | - DestinationRule -------------------------------------------------------------------------------- /docs/helloserver/loadgen/Dockerfile: -------------------------------------------------------------------------------- 1 | FROM
us-docker.pkg.dev/google-samples/containers/csm/helloserver/loadgen-base as final 2 | 3 | # Enable unbuffered logging 4 | ENV PYTHONUNBUFFERED=1 5 | 6 | RUN apt-get -qq update \ 7 | && apt-get install -y --no-install-recommends \ 8 | wget 9 | 10 | WORKDIR /loadgen 11 | 12 | # Add the application 13 | COPY . . 14 | 15 | EXPOSE 8080 16 | ENTRYPOINT [ "python", "loadgen.py" ] 17 | -------------------------------------------------------------------------------- /docs/mtls-egress-ingress/server/mysql-server/virtual-service.yaml.tmpl: -------------------------------------------------------------------------------- 1 | apiVersion: networking.istio.io/v1alpha3 2 | kind: VirtualService 3 | metadata: 4 | name: mysql-virtual-service 5 | spec: 6 | hosts: 7 | - "SERVICE_URL" 8 | gateways: 9 | - mysql-gateway 10 | tcp: 11 | - route: 12 | - destination: 13 | port: 14 | number: 3306 15 | host: mysql.default.svc.cluster.local -------------------------------------------------------------------------------- /docs/shared/asm-ingress-gateway/pdb-v1.yaml: -------------------------------------------------------------------------------- 1 | # Optional: PodDisruptionBudget will instruct Kubernetes to ensure at least 1 replica 2 | # is available when possible 3 | # Used on >=1.21 K8S versions 4 | apiVersion: policy/v1 5 | kind: PodDisruptionBudget 6 | metadata: 7 | name: asm-ingressgateway 8 | spec: 9 | maxUnavailable: 1 10 | selector: 11 | matchLabels: 12 | asm: ingressgateway 13 | app: asm-ingressgateway -------------------------------------------------------------------------------- /demos/asm-mcp-multi-clusters/terraform/lab_materials/asm-ingressgateway/gateway.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: networking.istio.io/v1alpha3 2 | kind: Gateway 3 | metadata: 4 | name: asm-ingressgateway 5 | namespace: asm-ingress 6 | spec: 7 | selector: 8 | asm: ingressgateway # ASM ingress gateway 9 | servers: 10 | - port: 11 | number: 80 
12 | name: http 13 | protocol: HTTP # NOTE(review): plaintext listener with no tls block and a wildcard host below - confirm TLS is terminated in front of this gateway before reusing the manifest outside the lab 14 | hosts: 15 | - "*" 16 | -------------------------------------------------------------------------------- /docs/ingress-gateway-asm-manifests/base/pdb-v1.yaml: -------------------------------------------------------------------------------- 1 | # Optional: PodDisruptionBudget tells Kubernetes to take down at most 1 gateway replica 2 | # at a time during voluntary disruptions (maxUnavailable: 1) 3 | # Used on >=1.21 K8S versions 4 | apiVersion: policy/v1 5 | kind: PodDisruptionBudget 6 | metadata: 7 | name: asm-ingressgateway 8 | spec: 9 | maxUnavailable: 1 10 | selector: 11 | matchLabels: 12 | asm: ingressgateway 13 | app: asm-ingressgateway -------------------------------------------------------------------------------- /demos/asm-mcp-multi-clusters/terraform/lab_materials/policies/strict-mtls/peerauthentication-strict-mtls.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: constraints.gatekeeper.sh/v1beta1 2 | kind: AsmPeerAuthnStrictMtls 3 | metadata: 4 | name: peerauthentication-strict-mtls 5 | spec: 6 | enforcementAction: deny # PeerAuthentication objects that violate the constraint are rejected, not only reported 7 | match: 8 | kinds: 9 | - apiGroups: 10 | - security.istio.io 11 | kinds: 12 | - PeerAuthentication 13 | parameters: 14 | strictnessLevel: High -------------------------------------------------------------------------------- /demos/asm-mcp-multi-clusters/terraform/lab_materials/bank-of-anthos/frontend-virtualservice.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: networking.istio.io/v1alpha3 2 | kind: VirtualService 3 | metadata: 4 | name: frontend 5 | namespace: bank-of-anthos 6 | spec: 7 | hosts: 8 | - "*" # applies to any host name arriving through the gateway listed below 9 | gateways: 10 | - asm-ingress/asm-ingressgateway 11 | http: 12 | - route: 13 | - destination: 14 | host: frontend 15 | port: 16 | number: 80 17 | --------------------------------------------------------------------------------
/demos/asm-mcp-multi-clusters/terraform/lab_materials/policies/sidecar-injection/pod-sidecar-injection-annotation.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: constraints.gatekeeper.sh/v1beta1 2 | kind: AsmSidecarInjection 3 | metadata: 4 | name: pod-sidecar-injection-annotation 5 | spec: 6 | enforcementAction: deny 7 | match: 8 | kinds: 9 | - apiGroups: 10 | - "" 11 | kinds: 12 | - Pod 13 | excludedNamespaces: 14 | - kube-system 15 | parameters: 16 | strictnessLevel: High -------------------------------------------------------------------------------- /docs/mtls-egress-ingress/server/mysql-server/gateway-mutual.yaml.tmpl: -------------------------------------------------------------------------------- 1 | apiVersion: networking.istio.io/v1alpha3 2 | kind: Gateway 3 | metadata: 4 | name: mysql-gateway 5 | spec: 6 | selector: 7 | istio: ingressgateway # use Istio default gateway implementation 8 | servers: 9 | - port: 10 | number: 13306 11 | name: tls-mysql 12 | protocol: TLS 13 | tls: 14 | mode: MUTUAL 15 | credentialName: mysql-credential 16 | hosts: 17 | - "SERVICE_URL" -------------------------------------------------------------------------------- /docs/mtls-egress-ingress/client/httpbin-client/service-entry.yaml.tmpl: -------------------------------------------------------------------------------- 1 | apiVersion: networking.istio.io/v1alpha3 2 | kind: ServiceEntry 3 | metadata: 4 | name: httpbin-serviceentry 5 | spec: 6 | hosts: 7 | - SERVICE_URL 8 | location: MESH_EXTERNAL 9 | ports: 10 | - number: 80 11 | name: http 12 | protocol: HTTP 13 | - number: 443 14 | name: https 15 | protocol: HTTPS 16 | resolution: DNS 17 | endpoints: 18 | - address: SERVICE_URL 19 | ports: 20 | https: 443 21 | -------------------------------------------------------------------------------- /docs/mtls-egress-ingress/client/mysql-client/service-entry.yaml.tmpl: 
-------------------------------------------------------------------------------- 1 | apiVersion: networking.istio.io/v1alpha3 2 | kind: ServiceEntry 3 | metadata: 4 | name: mysql-external 5 | spec: 6 | hosts: 7 | - SERVICE_URL 8 | location: MESH_EXTERNAL 9 | ports: 10 | - number: 3306 11 | name: tcp 12 | protocol: TCP 13 | - number: 13306 14 | name: tls 15 | protocol: TLS 16 | resolution: DNS 17 | endpoints: 18 | - address: SERVICE_URL 19 | ports: 20 | tls: 13306 -------------------------------------------------------------------------------- /.github/pull_request_template.md: -------------------------------------------------------------------------------- 1 | ### Background 2 | 3 | 4 | ### Fixes 5 | 6 | 7 | ### Change Summary 8 | 9 | 10 | ### Additional Notes 11 | 12 | 13 | ### Testing Procedure 14 | 15 | 16 | ### Related PRs or Issues 17 | -------------------------------------------------------------------------------- /docs/mtls-egress-ingress/server/httpbin-server/gateway-mutual.yaml.tmpl: -------------------------------------------------------------------------------- 1 | apiVersion: networking.istio.io/v1alpha3 2 | kind: Gateway 3 | metadata: 4 | name: gateway-mutual 5 | spec: 6 | selector: 7 | istio: ingressgateway # use istio default ingress gateway 8 | servers: 9 | - port: 10 | number: 443 11 | name: https 12 | protocol: HTTPS 13 | tls: 14 | mode: MUTUAL 15 | credentialName: httpbin-credential # must be the same as secret 16 | hosts: 17 | - SERVICE_URL -------------------------------------------------------------------------------- /docs/mtls-egress-ingress/server/httpbin-server/virtual-service.yaml.tmpl: -------------------------------------------------------------------------------- 1 | apiVersion: networking.istio.io/v1alpha3 2 | kind: VirtualService 3 | metadata: 4 | name: virtual-service 5 | spec: 6 | hosts: 7 | - "SERVICE_URL" 8 | gateways: 9 | - gateway-mutual 10 | http: 11 | - match: 12 | - uri: 13 | prefix: /status 14 | - uri: 15 | prefix: /delay 
16 | route: 17 | - destination: 18 | port: 19 | number: 8000 20 | host: httpbin -------------------------------------------------------------------------------- /docs/egress-gateway-asm-manifests/asm-egress/role.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: rbac.authorization.k8s.io/v1 2 | kind: Role 3 | metadata: 4 | name: asm-egressgateway 5 | rules: 6 | - apiGroups: [""] 7 | resources: ["secrets"] 8 | verbs: ["get", "watch", "list"] # read access to every Secret in the Role's namespace - there is no resourceNames restriction 9 | --- 10 | apiVersion: rbac.authorization.k8s.io/v1 11 | kind: RoleBinding 12 | metadata: 13 | name: asm-egressgateway 14 | roleRef: 15 | apiGroup: rbac.authorization.k8s.io 16 | kind: Role 17 | name: asm-egressgateway 18 | subjects: 19 | - kind: ServiceAccount 20 | name: asm-egressgateway # NOTE(review): deployment.yaml in this directory sets serviceAccountName: istio-egressgateway - confirm which account the gateway pods run as 21 | -------------------------------------------------------------------------------- /demos/asm-mcp-multi-clusters/terraform/lab_materials/gatekeeper-system/config-referential-constraints.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: config.gatekeeper.sh/v1alpha1 2 | kind: Config 3 | metadata: 4 | name: config 5 | namespace: gatekeeper-system 6 | spec: 7 | sync: 8 | syncOnly: # kinds replicated into Gatekeeper's cache so constraints can look up existing objects 9 | - group: "" 10 | version: "v1" 11 | kind: "Namespace" 12 | - group: "security.istio.io" 13 | version: "v1beta1" 14 | kind: "PeerAuthentication" 15 | - group: "security.istio.io" 16 | version: "v1beta1" 17 | kind: "AuthorizationPolicy" 18 | -------------------------------------------------------------------------------- /docs/mtls-egress-ingress/.gitignore: -------------------------------------------------------------------------------- 1 | certs 2 | certs.bak 3 | httpbin-certs 4 | mysql-certs 5 | mysql-eks-certs/ 6 | mtls-go-example 7 | .DS_Store 8 | .idea/ 9 | asm-dir 10 | istio-*-asm.*/ 11 | *.tar.gz 12 | **/*.tar.gz 13 | save 14 | !server/httpbin-server/httpbin.yaml 15 | server/httpbin-server/*.yaml 16 | client/httpbin-client/*.yaml 17 |
!server/mysql-server/mysql.yaml 18 | server/mysql-server/*.yaml 19 | client/mysql-client/*.yaml 20 | /env-vars 21 | local-bin 22 | terraform.tfstate 23 | terraform.tfstate.backup 24 | .terraform.tfstate.* 25 | .terraform 26 | terraform.tfvars 27 | -------------------------------------------------------------------------------- /docs/canary-service/README.md: -------------------------------------------------------------------------------- 1 | ### Canary Service Deployment 2 | 3 | This directory contains `yaml` files for deploying a `v1` and `v2` of `productcatalogservice`, a service in Online Boutique, a microservice demo app. 4 | 5 | To try out a canary deployment, please follow the steps in this [tutorial](https://cloud.google.com/service-mesh/docs/by-example/canary-deployment), which will walk you through: 6 | * Deploying Online Boutique with Anthos Service Mesh, 7 | * Splitting traffic between the `v1` and `v2`, 8 | * Observe your traffic split in the GCP Console, 9 | * Rollout and Rollback 10 | 11 | -------------------------------------------------------------------------------- /docs/shared/asm-ingress-gateway/autoscaling-v2.yaml: -------------------------------------------------------------------------------- 1 | # Optional: HorizontalPodAutoscaler will automatically scale the gateway replica count based on 2 | # CPU utilization 3 | apiVersion: autoscaling/v2 4 | kind: HorizontalPodAutoscaler 5 | metadata: 6 | name: istio-ingressgateway 7 | spec: 8 | maxReplicas: 5 9 | metrics: 10 | - type: Resource 11 | resource: 12 | name: cpu 13 | target: 14 | type: Utilization 15 | averageUtilization: 80 16 | minReplicas: 3 17 | scaleTargetRef: 18 | apiVersion: apps/v1 19 | kind: Deployment 20 | name: istio-ingressgateway 21 | -------------------------------------------------------------------------------- /demos/asm-mcp-multi-clusters/terraform/lab_materials/bank-of-anthos/transaction-history-with-fault-virtualservice.yaml: 
-------------------------------------------------------------------------------- 1 | apiVersion: networking.istio.io/v1alpha3 2 | kind: VirtualService 3 | metadata: 4 | name: transactionhistory-with-fault 5 | namespace: bank-of-anthos 6 | spec: 7 | hosts: 8 | - transactionhistory 9 | http: 10 | - route: 11 | - destination: 12 | host: transactionhistory 13 | fault: 14 | abort: 15 | percentage: 16 | value: 50 17 | httpStatus: 500 18 | delay: 19 | fixedDelay: 10s 20 | percentage: 21 | value: 50 -------------------------------------------------------------------------------- /docs/helloserver/README.md: -------------------------------------------------------------------------------- 1 | ## Sample App: helloserver 2 | 3 | The `helloserver` application is a small sample application designed to be used for "hello world" ASM or Istio demos. 4 | 5 | The application consists of two services: 6 | 1) `helloserver`, a tiny HTTP server written in Python. The `GET /` endpoint returns `hello world` 7 | 2) `loadgen`, a Python script that can generate a configurable number of requests to `helloserver`. The loadgen is designed to generate observability metrics for Istio and Kiali. 8 | 9 | For a more complex microservices example, see [microservices-demo](https://github.com/GoogleCloudPlatform/microservices-demo). 
-------------------------------------------------------------------------------- /docs/helloserver/server/Dockerfile: -------------------------------------------------------------------------------- 1 | FROM python:3.14-slim as base 2 | FROM base as builder 3 | RUN apt-get -qq update \ 4 | && apt-get install -y --no-install-recommends \ 5 | g++ \ 6 | && rm -rf /var/lib/apt/lists/* 7 | 8 | # Enable unbuffered logging 9 | FROM base as final 10 | ENV PYTHONUNBUFFERED=1 11 | 12 | RUN apt-get -qq update \ 13 | && apt-get install -y --no-install-recommends \ 14 | wget 15 | 16 | WORKDIR /helloserver 17 | 18 | # Grab packages from builder 19 | COPY --from=builder /usr/local/lib/python3.* /usr/local/lib/ 20 | 21 | # Add the application 22 | COPY . . 23 | 24 | EXPOSE 8080 25 | ENTRYPOINT [ "python", "server.py" ] 26 | -------------------------------------------------------------------------------- /demos/asm-mcp-multi-clusters/terraform/lab_materials/multi-cluster-ingress/multi-cluster-service.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: networking.gke.io/v1beta1 2 | kind: MultiClusterService 3 | metadata: 4 | name: frontend-multi-cluster-service 5 | namespace: asm-ingress 6 | spec: 7 | template: 8 | spec: 9 | selector: 10 | asm: ingressgateway 11 | ports: 12 | - name: frontend 13 | protocol: TCP 14 | port: 80 # servicePort defined in MultiClusterIngress 15 | targetPort: 8080 # port on the asm-ingressgateway Pod that requests gets sent to (container port) 16 | clusters: 17 | - link: "us-west2-a/gke-west2-a" 18 | - link: "us-central1-a/gke-central1-a" 19 | -------------------------------------------------------------------------------- /demos/asm-mcp-multi-clusters/terraform/lab_materials/policies/sidecar-injection/namespace-sidecar-injection-label.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: constraints.gatekeeper.sh/v1beta1 2 | kind: K8sRequiredLabels 3 | 
metadata: 4 | name: namespace-sidecar-injection-label 5 | spec: 6 | enforcementAction: deny 7 | match: 8 | kinds: 9 | - apiGroups: 10 | - "" 11 | kinds: 12 | - Namespace 13 | excludedNamespaces: 14 | - config-management-monitoring 15 | - config-management-system 16 | - default 17 | - gatekeeper-system 18 | - gke-connect 19 | - gke-mcs 20 | - istio-system 21 | - kube-node-lease 22 | - kube-public 23 | - kube-system 24 | - resource-group-system 25 | parameters: 26 | labels: 27 | - allowedRegex: enabled 28 | key: istio-injection -------------------------------------------------------------------------------- /docs/mtls-egress-ingress/terraform/outputs.tf: -------------------------------------------------------------------------------- 1 | /** 2 | * Copyright 2018 Google LLC 3 | * 4 | * Licensed under the Apache License, Version 2.0 (the "License"); 5 | * you may not use this file except in compliance with the License. 6 | * You may obtain a copy of the License at 7 | * 8 | * http://www.apache.org/licenses/LICENSE-2.0 9 | * 10 | * Unless required by applicable law or agreed to in writing, software 11 | * distributed under the License is distributed on an "AS IS" BASIS, 12 | * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 13 | * See the License for the specific language governing permissions and 14 | * limitations under the License. 15 | */ 16 | 17 | output "server_token" { 18 | sensitive = true 19 | value = data.local_file.kops_token.content 20 | } -------------------------------------------------------------------------------- /docs/asm-gke-terraform/providers.tf: -------------------------------------------------------------------------------- 1 | # Copyright 2022 Google LLC 2 | # 3 | # Licensed under the Apache License, Version 2.0 (the "License"); 4 | # you may not use this file except in compliance with the License. 
5 | # You may obtain a copy of the License at 6 | # 7 | # http://www.apache.org/licenses/LICENSE-2.0 8 | # 9 | # Unless required by applicable law or agreed to in writing, software 10 | # distributed under the License is distributed on an "AS IS" BASIS, 11 | # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 12 | # See the License for the specific language governing permissions and 13 | # limitations under the License. 14 | 15 | terraform { 16 | required_providers { 17 | google = { 18 | source = "hashicorp/google" 19 | version = "~> 7.0" 20 | } 21 | } 22 | } 23 | -------------------------------------------------------------------------------- /docs/asm-gke-terraform/variables.tf: -------------------------------------------------------------------------------- 1 | # Copyright 2022 Google LLC 2 | # 3 | # Licensed under the Apache License, Version 2.0 (the "License"); 4 | # you may not use this file except in compliance with the License. 5 | # You may obtain a copy of the License at 6 | # 7 | # http://www.apache.org/licenses/LICENSE-2.0 8 | # 9 | # Unless required by applicable law or agreed to in writing, software 10 | # distributed under the License is distributed on an "AS IS" BASIS, 11 | # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 12 | # See the License for the specific language governing permissions and 13 | # limitations under the License. 
14 | 15 | variable "region" { 16 | type = string 17 | default = "us-central1" 18 | description = "The region to host the cluster in (Autopilot clusters are always regional)" 19 | } -------------------------------------------------------------------------------- /demos/asm-mcp-multi-clusters/terraform/lab_materials/policies/sidecar-injection/namespace-sidecar-injection-annotation.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: constraints.gatekeeper.sh/v1beta1 2 | kind: K8sRequiredAnnotations 3 | metadata: 4 | name: namespace-sidecar-injection-annotation 5 | spec: 6 | enforcementAction: deny 7 | match: 8 | kinds: 9 | - apiGroups: 10 | - "" 11 | kinds: 12 | - Namespace 13 | excludedNamespaces: 14 | - config-management-monitoring 15 | - config-management-system 16 | - default 17 | - gatekeeper-system 18 | - gke-connect 19 | - gke-mcs 20 | - istio-system 21 | - kube-node-lease 22 | - kube-public 23 | - kube-system 24 | - resource-group-system 25 | parameters: 26 | annotations: 27 | - allowedRegex: '{"managed": true}' 28 | key: mesh.cloud.google.com/proxy -------------------------------------------------------------------------------- /docs/egress-gateway-asm-manifests/asm-egress/deployment.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: apps/v1 2 | kind: Deployment 3 | metadata: 4 | name: asm-egressgateway 5 | spec: 6 | selector: 7 | matchLabels: 8 | app: egressgateway 9 | template: 10 | metadata: 11 | annotations: 12 | # This is required to tell Anthos Service Mesh to inject the gateway with the 13 | # required configuration. 14 | inject.istio.io/templates: gateway 15 | labels: 16 | app: egressgateway 17 | spec: 18 | containers: 19 | - name: istio-proxy 20 | image: auto # The image will automatically update each time the pod starts. 
21 | resources: 22 | limits: 23 | cpu: 2000m 24 | memory: 1024Mi 25 | requests: 26 | cpu: 100m 27 | memory: 128Mi 28 | serviceAccountName: istio-egressgateway # NOTE(review): role.yaml in this directory binds Secret read access to ServiceAccount asm-egressgateway, not istio-egressgateway - confirm the names line up 29 | -------------------------------------------------------------------------------- /docs/ingress-gateway-asm-manifests/base/namespace.yaml: -------------------------------------------------------------------------------- 1 | # Copyright 2022 Google LLC 2 | # 3 | # Licensed under the Apache License, Version 2.0 (the "License"); 4 | # you may not use this file except in compliance with the License. 5 | # You may obtain a copy of the License at 6 | # 7 | # http://www.apache.org/licenses/LICENSE-2.0 8 | # 9 | # Unless required by applicable law or agreed to in writing, software 10 | # distributed under the License is distributed on an "AS IS" BASIS, 11 | # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 12 | # See the License for the specific language governing permissions and 13 | # limitations under the License. 14 | 15 | # [START servicemesh_base_namespace_namespace_asm_ingress] 16 | apiVersion: v1 17 | kind: Namespace 18 | metadata: 19 | name: asm-ingress 20 | labels: 21 | istio-injection: enabled # opts the namespace into automatic sidecar injection 22 | # [END servicemesh_base_namespace_namespace_asm_ingress] -------------------------------------------------------------------------------- /docs/mtls-egress-ingress/server/features.yaml: -------------------------------------------------------------------------------- 1 | 2 | # Copyright 2021 Google LLC 3 | # 4 | # Licensed under the Apache License, Version 2.0 (the "License"); 5 | # you may not use this file except in compliance with the License. 6 | # You may obtain a copy of the License at 7 | # 8 | # http://www.apache.org/licenses/LICENSE-2.0 9 | # 10 | # Unless required by applicable law or agreed to in writing, software 11 | # distributed under the License is distributed on an "AS IS" BASIS, 12 | # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13 | # See the License for the specific language governing permissions and 14 | # limitations under the License. 15 | 16 | # [START servicemesh_server_features_istiooperator] 17 | apiVersion: install.istio.io/v1alpha1 18 | kind: IstioOperator 19 | spec: 20 | meshConfig: 21 | accessLogFile: /dev/stdout 22 | # [END servicemesh_server_features_istiooperator] 23 | --- 24 | -------------------------------------------------------------------------------- /docs/mtls-egress-ingress/client/httpbin-client/gateway-destinationrule-to-egressgateway.yaml.tmpl: -------------------------------------------------------------------------------- 1 | apiVersion: networking.istio.io/v1alpha3 2 | kind: Gateway 3 | metadata: 4 | name: istio-egressgateway-httpbin 5 | spec: 6 | selector: 7 | istio: egressgateway 8 | servers: 9 | - port: 10 | number: 443 11 | name: https 12 | protocol: HTTPS 13 | hosts: 14 | - SERVICE_URL 15 | tls: 16 | mode: ISTIO_MUTUAL 17 | --- 18 | apiVersion: networking.istio.io/v1alpha3 19 | kind: DestinationRule 20 | metadata: 21 | name: egressgateway-for-httpbin 22 | spec: 23 | host: istio-egressgateway.istio-system.svc.cluster.local 24 | subsets: 25 | - name: httpbin 26 | trafficPolicy: 27 | loadBalancer: 28 | simple: ROUND_ROBIN 29 | portLevelSettings: 30 | - port: 31 | number: 443 32 | tls: 33 | mode: ISTIO_MUTUAL 34 | sni: SERVICE_URL 35 | -------------------------------------------------------------------------------- /docs/online-boutique-asm-manifests/base/all/namespace.yaml: -------------------------------------------------------------------------------- 1 | # Copyright 2022 Google LLC 2 | # 3 | # Licensed under the Apache License, Version 2.0 (the "License"); 4 | # you may not use this file except in compliance with the License. 
5 | # You may obtain a copy of the License at 6 | # 7 | # http://www.apache.org/licenses/LICENSE-2.0 8 | # 9 | # Unless required by applicable law or agreed to in writing, software 10 | # distributed under the License is distributed on an "AS IS" BASIS, 11 | # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 12 | # See the License for the specific language governing permissions and 13 | # limitations under the License. 14 | 15 | # [START servicemesh_all_namespace_namespace_onlineboutique] 16 | apiVersion: v1 17 | kind: Namespace 18 | metadata: 19 | name: onlineboutique 20 | labels: 21 | istio-injection: enabled 22 | # [END servicemesh_all_namespace_namespace_onlineboutique] -------------------------------------------------------------------------------- /docs/online-boutique-asm-manifests/service-accounts/all/service-account-frontend.yaml: -------------------------------------------------------------------------------- 1 | # Copyright 2022 Google LLC 2 | # 3 | # Licensed under the Apache License, Version 2.0 (the "License"); 4 | # you may not use this file except in compliance with the License. 5 | # You may obtain a copy of the License at 6 | # 7 | # http://www.apache.org/licenses/LICENSE-2.0 8 | # 9 | # Unless required by applicable law or agreed to in writing, software 10 | # distributed under the License is distributed on an "AS IS" BASIS, 11 | # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 12 | # See the License for the specific language governing permissions and 13 | # limitations under the License. 
14 | 15 | # [START servicemesh_all_service_account_frontend_serviceaccount_frontend] 16 | apiVersion: v1 17 | kind: ServiceAccount 18 | metadata: 19 | name: frontend 20 | # [END servicemesh_all_service_account_frontend_serviceaccount_frontend] -------------------------------------------------------------------------------- /docs/online-boutique-asm-manifests/service-accounts/all/service-account-redis.yaml: -------------------------------------------------------------------------------- 1 | # Copyright 2022 Google LLC 2 | # 3 | # Licensed under the Apache License, Version 2.0 (the "License"); 4 | # you may not use this file except in compliance with the License. 5 | # You may obtain a copy of the License at 6 | # 7 | # http://www.apache.org/licenses/LICENSE-2.0 8 | # 9 | # Unless required by applicable law or agreed to in writing, software 10 | # distributed under the License is distributed on an "AS IS" BASIS, 11 | # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 12 | # See the License for the specific language governing permissions and 13 | # limitations under the License. 14 | 15 | # [START servicemesh_all_service_account_redis_serviceaccount_redis_cart] 16 | apiVersion: v1 17 | kind: ServiceAccount 18 | metadata: 19 | name: redis-cart 20 | # [END servicemesh_all_service_account_redis_serviceaccount_redis_cart] -------------------------------------------------------------------------------- /docs/online-boutique-asm-manifests/service-accounts/all/service-account-adservice.yaml: -------------------------------------------------------------------------------- 1 | # Copyright 2022 Google LLC 2 | # 3 | # Licensed under the Apache License, Version 2.0 (the "License"); 4 | # you may not use this file except in compliance with the License. 
5 | # You may obtain a copy of the License at 6 | # 7 | # http://www.apache.org/licenses/LICENSE-2.0 8 | # 9 | # Unless required by applicable law or agreed to in writing, software 10 | # distributed under the License is distributed on an "AS IS" BASIS, 11 | # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 12 | # See the License for the specific language governing permissions and 13 | # limitations under the License. 14 | 15 | # [START servicemesh_all_service_account_adservice_serviceaccount_adservice] 16 | apiVersion: v1 17 | kind: ServiceAccount 18 | metadata: 19 | name: adservice 20 | # [END servicemesh_all_service_account_adservice_serviceaccount_adservice] -------------------------------------------------------------------------------- /docs/online-boutique-asm-manifests/service-accounts/all/service-account-cartservice.yaml: -------------------------------------------------------------------------------- 1 | # Copyright 2022 Google LLC 2 | # 3 | # Licensed under the Apache License, Version 2.0 (the "License"); 4 | # you may not use this file except in compliance with the License. 5 | # You may obtain a copy of the License at 6 | # 7 | # http://www.apache.org/licenses/LICENSE-2.0 8 | # 9 | # Unless required by applicable law or agreed to in writing, software 10 | # distributed under the License is distributed on an "AS IS" BASIS, 11 | # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 12 | # See the License for the specific language governing permissions and 13 | # limitations under the License. 
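14 |
15 | # [START servicemesh_all_service_account_cartservice_serviceaccount_cartservice]
16 | apiVersion: v1
17 | kind: ServiceAccount
18 | metadata:
19 |   name: cartservice
20 | # [END servicemesh_all_service_account_cartservice_serviceaccount_cartservice]
--------------------------------------------------------------------------------
/docs/mtls-egress-ingress/client/get-logs-from-egress.sh:
--------------------------------------------------------------------------------
1 |
2 | # Copyright 2021 Google LLC
3 | #
4 | # Licensed under the Apache License, Version 2.0 (the "License");
5 | # you may not use this file except in compliance with the License.
6 | # You may obtain a copy of the License at
7 | #
8 | # http://www.apache.org/licenses/LICENSE-2.0
9 | #
10 | # Unless required by applicable law or agreed to in writing, software
11 | # distributed under the License is distributed on an "AS IS" BASIS,
12 | # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13 | # See the License for the specific language governing permissions and
14 | # limitations under the License.
15 |
16 | # [START servicemesh_client_get_logs_from_egress]
17 | # Follows the logs of the pods labelled app=istio-egressgateway in the
18 | # istio-system namespace, after running set-project-and-cluster-client.sh
19 | # from this script's own directory.
20 | DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )"
21 |
22 | # Quoted so a checkout path containing spaces or glob characters still works.
23 | # NOTE(review): the helper runs as a child process, so any variable it exports
24 | # does not reach the kubectl call below; the server-side scripts in this sample
25 | # source their helper with `.` instead. Confirm which cluster kubectl targets.
26 | "$DIR/./set-project-and-cluster-client.sh"
27 |
28 | kubectl logs -n istio-system -l app=istio-egressgateway -f
29 | # [END servicemesh_client_get_logs_from_egress]
--------------------------------------------------------------------------------
/docs/online-boutique-asm-manifests/service-accounts/all/service-account-emailservice.yaml:
--------------------------------------------------------------------------------
1 | # Copyright 2022 Google LLC
2 | #
3 | # Licensed under the Apache License, Version 2.0 (the "License");
4 | # you may not use this file except in compliance with the License.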
5 | # You may obtain a copy of the License at 6 | # 7 | # http://www.apache.org/licenses/LICENSE-2.0 8 | # 9 | # Unless required by applicable law or agreed to in writing, software 10 | # distributed under the License is distributed on an "AS IS" BASIS, 11 | # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 12 | # See the License for the specific language governing permissions and 13 | # limitations under the License. 14 | 15 | # [START servicemesh_all_service_account_emailservice_serviceaccount_emailservice] 16 | apiVersion: v1 17 | kind: ServiceAccount 18 | metadata: 19 | name: emailservice 20 | # [END servicemesh_all_service_account_emailservice_serviceaccount_emailservice] -------------------------------------------------------------------------------- /README.md: -------------------------------------------------------------------------------- 1 | # Anthos Service Mesh Samples 2 | 3 | This repository contains sample applications used in 4 | [Anthos Service Mesh](https://cloud.google.com/service-mesh/docs/overview). 5 | The code samples for the Google Cloud site can be found under the `docs` directory, and workshop material can be found in the `demos` directory. 
6 | 7 | See the following resources to learn more: 8 | 9 | - [Anthos Service Mesh - How-To](https://cloud.google.com/service-mesh/docs/how-to) 10 | 11 | ## Contributing changes 12 | 13 | * See [CONTRIBUTING.md](CONTRIBUTING.md) 14 | * Add a new sample under the `docs` directory in this repository 15 | * If the sample contains Terraform scripts, then please add it accordingly to the `tf-validate-ci.yml` in `.github/workflows` 16 | * If you would like to make edits to an existing sample in the `docs` directory in this repository, please read the sample's README on how to contribute 17 | 18 | ## Licensing 19 | 20 | * See [LICENSE](LICENSE) 21 | -------------------------------------------------------------------------------- /docs/mtls-egress-ingress/client/mysql-client/gateway-destinationrule-to-egressgateway.yaml.tmpl: -------------------------------------------------------------------------------- 1 | apiVersion: networking.istio.io/v1alpha3 2 | kind: Gateway 3 | metadata: 4 | name: istio-egressgateway-mysql 5 | spec: 6 | selector: 7 | istio: egressgateway 8 | servers: 9 | - port: 10 | number: 15443 11 | name: tls 12 | protocol: TLS 13 | hosts: 14 | - SERVICE_URL 15 | tls: 16 | mode: ISTIO_MUTUAL 17 | --- 18 | apiVersion: networking.istio.io/v1alpha3 19 | kind: DestinationRule 20 | metadata: 21 | name: egressgateway-for-mysql 22 | spec: 23 | host: istio-egressgateway.istio-system.svc.cluster.local 24 | subsets: 25 | - name: mysql 26 | trafficPolicy: 27 | loadBalancer: 28 | simple: ROUND_ROBIN 29 | portLevelSettings: 30 | - port: 31 | number: 15443 32 | tls: 33 | mode: ISTIO_MUTUAL 34 | sni: SERVICE_URL 35 | -------------------------------------------------------------------------------- /docs/online-boutique-asm-manifests/service-accounts/all/service-account-loadgenerator.yaml: -------------------------------------------------------------------------------- 1 | # Copyright 2022 Google LLC 2 | # 3 | # Licensed under the Apache License, Version 2.0 (the "License"); 4 
| # you may not use this file except in compliance with the License. 5 | # You may obtain a copy of the License at 6 | # 7 | # http://www.apache.org/licenses/LICENSE-2.0 8 | # 9 | # Unless required by applicable law or agreed to in writing, software 10 | # distributed under the License is distributed on an "AS IS" BASIS, 11 | # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 12 | # See the License for the specific language governing permissions and 13 | # limitations under the License. 14 | 15 | # [START servicemesh_all_service_account_loadgenerator_serviceaccount_loadgenerator] 16 | apiVersion: v1 17 | kind: ServiceAccount 18 | metadata: 19 | name: loadgenerator 20 | # [END servicemesh_all_service_account_loadgenerator_serviceaccount_loadgenerator] -------------------------------------------------------------------------------- /docs/online-boutique-asm-manifests/service-accounts/all/service-account-paymentservice.yaml: -------------------------------------------------------------------------------- 1 | # Copyright 2022 Google LLC 2 | # 3 | # Licensed under the Apache License, Version 2.0 (the "License"); 4 | # you may not use this file except in compliance with the License. 5 | # You may obtain a copy of the License at 6 | # 7 | # http://www.apache.org/licenses/LICENSE-2.0 8 | # 9 | # Unless required by applicable law or agreed to in writing, software 10 | # distributed under the License is distributed on an "AS IS" BASIS, 11 | # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 12 | # See the License for the specific language governing permissions and 13 | # limitations under the License. 
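14 |
15 | # [START servicemesh_all_service_account_paymentservice_serviceaccount_paymentservice]
16 | apiVersion: v1
17 | kind: ServiceAccount
18 | metadata:
19 |   name: paymentservice
20 | # [END servicemesh_all_service_account_paymentservice_serviceaccount_paymentservice]
--------------------------------------------------------------------------------
/demos/asm-mcp-multi-clusters/terraform/lab_materials/bank-of-anthos/manifests/config.yaml:
--------------------------------------------------------------------------------
1 | # Three ConfigMaps for the bank-of-anthos namespace: environment settings,
2 | # in-cluster service addresses, and demo login data.
3 | apiVersion: v1
4 | kind: ConfigMap
5 | metadata:
6 |   name: environment-config
7 |   namespace: bank-of-anthos
8 | data:
9 |   LOCAL_ROUTING_NUM: "883745000"
10 |   PUB_KEY_PATH: "/root/.ssh/publickey"
11 | ---
12 | apiVersion: v1
13 | kind: ConfigMap
14 | metadata:
15 |   name: service-api-config
16 |   namespace: bank-of-anthos
17 | data:
18 |   TRANSACTIONS_API_ADDR: "ledgerwriter:8080"
19 |   BALANCES_API_ADDR: "balancereader:8080"
20 |   HISTORY_API_ADDR: "transactionhistory:8080"
21 |   CONTACTS_API_ADDR: "contacts:8080"
22 |   USERSERVICE_API_ADDR: "userservice:8080"
23 | ---
24 | apiVersion: v1
25 | kind: ConfigMap
26 | metadata:
27 |   name: demo-data-config
28 |   namespace: bank-of-anthos
29 | data:
30 |   USE_DEMO_DATA: "True"
31 |   DEMO_LOGIN_USERNAME: "testuser"
32 |   # All demo user accounts are hardcoded to use the login password 'password'
33 |   # Lab-only credentials: a ConfigMap provides no secrecy or encryption and is
34 |   # readable by any subject allowed to read ConfigMaps in this namespace. Real
35 |   # credentials belong in a Secret with restricted RBAC or an external secret store.
36 |   DEMO_LOGIN_PASSWORD: "password"
--------------------------------------------------------------------------------
/docs/online-boutique-asm-manifests/service-accounts/all/service-account-checkoutservice.yaml:
--------------------------------------------------------------------------------
1 | # Copyright 2022 Google LLC
2 | #
3 | # Licensed under the Apache License, Version 2.0 (the "License");
4 | # you may not use this file except in compliance with the License.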
5 | # You may obtain a copy of the License at 6 | # 7 | # http://www.apache.org/licenses/LICENSE-2.0 8 | # 9 | # Unless required by applicable law or agreed to in writing, software 10 | # distributed under the License is distributed on an "AS IS" BASIS, 11 | # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 12 | # See the License for the specific language governing permissions and 13 | # limitations under the License. 14 | 15 | # [START servicemesh_all_service_account_checkoutservice_serviceaccount_checkoutservice] 16 | apiVersion: v1 17 | kind: ServiceAccount 18 | metadata: 19 | name: checkoutservice 20 | # [END servicemesh_all_service_account_checkoutservice_serviceaccount_checkoutservice] -------------------------------------------------------------------------------- /docs/online-boutique-asm-manifests/service-accounts/all/service-account-currencyservice.yaml: -------------------------------------------------------------------------------- 1 | # Copyright 2022 Google LLC 2 | # 3 | # Licensed under the Apache License, Version 2.0 (the "License"); 4 | # you may not use this file except in compliance with the License. 5 | # You may obtain a copy of the License at 6 | # 7 | # http://www.apache.org/licenses/LICENSE-2.0 8 | # 9 | # Unless required by applicable law or agreed to in writing, software 10 | # distributed under the License is distributed on an "AS IS" BASIS, 11 | # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 12 | # See the License for the specific language governing permissions and 13 | # limitations under the License. 
14 | 15 | # [START servicemesh_all_service_account_currencyservice_serviceaccount_currencyservice] 16 | apiVersion: v1 17 | kind: ServiceAccount 18 | metadata: 19 | name: currencyservice 20 | # [END servicemesh_all_service_account_currencyservice_serviceaccount_currencyservice] -------------------------------------------------------------------------------- /docs/online-boutique-asm-manifests/service-accounts/all/service-account-shippingservice.yaml: -------------------------------------------------------------------------------- 1 | # Copyright 2022 Google LLC 2 | # 3 | # Licensed under the Apache License, Version 2.0 (the "License"); 4 | # you may not use this file except in compliance with the License. 5 | # You may obtain a copy of the License at 6 | # 7 | # http://www.apache.org/licenses/LICENSE-2.0 8 | # 9 | # Unless required by applicable law or agreed to in writing, software 10 | # distributed under the License is distributed on an "AS IS" BASIS, 11 | # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 12 | # See the License for the specific language governing permissions and 13 | # limitations under the License. 14 | 15 | # [START servicemesh_all_service_account_shippingservice_serviceaccount_shippingservice] 16 | apiVersion: v1 17 | kind: ServiceAccount 18 | metadata: 19 | name: shippingservice 20 | # [END servicemesh_all_service_account_shippingservice_serviceaccount_shippingservice] -------------------------------------------------------------------------------- /docs/enabling-optional-features/mtls_strict_mode.yaml: -------------------------------------------------------------------------------- 1 | 2 | # Copyright 2021 Google LLC 3 | # 4 | # Licensed under the Apache License, Version 2.0 (the "License"); 5 | # you may not use this file except in compliance with the License. 
6 | # You may obtain a copy of the License at 7 | # 8 | # http://www.apache.org/licenses/LICENSE-2.0 9 | # 10 | # Unless required by applicable law or agreed to in writing, software 11 | # distributed under the License is distributed on an "AS IS" BASIS, 12 | # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 13 | # See the License for the specific language governing permissions and 14 | # limitations under the License. 15 | 16 | # [START servicemesh_enabling_optional_features_mtls_strict_mode_istiooperator] 17 | apiVersion: install.istio.io/v1alpha1 18 | kind: IstioOperator 19 | spec: 20 | global: 21 | mtls: 22 | enabled: true 23 | # [END servicemesh_enabling_optional_features_mtls_strict_mode_istiooperator] 24 | --- 25 | -------------------------------------------------------------------------------- /docs/online-boutique-asm-manifests/base/kustomization.yaml: -------------------------------------------------------------------------------- 1 | # Copyright 2022 Google LLC 2 | # 3 | # Licensed under the Apache License, Version 2.0 (the "License"); 4 | # you may not use this file except in compliance with the License. 5 | # You may obtain a copy of the License at 6 | # 7 | # http://www.apache.org/licenses/LICENSE-2.0 8 | # 9 | # Unless required by applicable law or agreed to in writing, software 10 | # distributed under the License is distributed on an "AS IS" BASIS, 11 | # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 12 | # See the License for the specific language governing permissions and 13 | # limitations under the License. 
14 | 15 | # [START servicemesh_online_boutique_asm_manifests_base_kustomization_kustomization] 16 | apiVersion: kustomize.config.k8s.io/v1beta1 17 | kind: Kustomization 18 | resources: 19 | - all 20 | components: 21 | - for-namespace 22 | # [END servicemesh_online_boutique_asm_manifests_base_kustomization_kustomization] -------------------------------------------------------------------------------- /docs/online-boutique-asm-manifests/sidecars/kustomization.yaml: -------------------------------------------------------------------------------- 1 | 2 | # Copyright 2022 Google LLC 3 | # 4 | # Licensed under the Apache License, Version 2.0 (the "License"); 5 | # you may not use this file except in compliance with the License. 6 | # You may obtain a copy of the License at 7 | # 8 | # http://www.apache.org/licenses/LICENSE-2.0 9 | # 10 | # Unless required by applicable law or agreed to in writing, software 11 | # distributed under the License is distributed on an "AS IS" BASIS, 12 | # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 13 | # See the License for the specific language governing permissions and 14 | # limitations under the License. 15 | 16 | # [START servicemesh_online_boutique_asm_manifests_sidecars_kustomization_kustomization] 17 | apiVersion: kustomize.config.k8s.io/v1beta1 18 | kind: Kustomization 19 | components: 20 | - all 21 | - for-namespace 22 | # [END servicemesh_online_boutique_asm_manifests_sidecars_kustomization_kustomization] -------------------------------------------------------------------------------- /docs/shared/online-boutique/virtual-service.yaml: -------------------------------------------------------------------------------- 1 | 2 | # Copyright 2022 Google LLC 3 | # 4 | # Licensed under the Apache License, Version 2.0 (the "License"); 5 | # you may not use this file except in compliance with the License. 
6 | # You may obtain a copy of the License at 7 | # 8 | # http://www.apache.org/licenses/LICENSE-2.0 9 | # 10 | # Unless required by applicable law or agreed to in writing, software 11 | # distributed under the License is distributed on an "AS IS" BASIS, 12 | # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 13 | # See the License for the specific language governing permissions and 14 | # limitations under the License. 15 | apiVersion: networking.istio.io/v1alpha3 16 | kind: VirtualService 17 | metadata: 18 | name: frontend 19 | spec: 20 | hosts: 21 | - "*" 22 | gateways: 23 | - asm-ingress/asm-ingressgateway 24 | http: 25 | - route: 26 | - destination: 27 | host: frontend 28 | port: 29 | number: 80 -------------------------------------------------------------------------------- /docs/mtls-egress-ingress/client/httpbin-client/get-logs-from-sleep-proxy.sh: -------------------------------------------------------------------------------- 1 | 2 | # Copyright 2021 Google LLC 3 | # 4 | # Licensed under the Apache License, Version 2.0 (the "License"); 5 | # you may not use this file except in compliance with the License. 6 | # You may obtain a copy of the License at 7 | # 8 | # http://www.apache.org/licenses/LICENSE-2.0 9 | # 10 | # Unless required by applicable law or agreed to in writing, software 11 | # distributed under the License is distributed on an "AS IS" BASIS, 12 | # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 13 | # See the License for the specific language governing permissions and 14 | # limitations under the License. 
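15 |
16 | # [START servicemesh_httpbin_client_get_logs_from_sleep_proxy]
17 | # Follows the istio-proxy container logs of the pods labelled app=sleep,
18 | # after running set-project-and-cluster-client.sh from the parent directory.
19 | DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )"
20 |
21 | # Quoted so a checkout path containing spaces or glob characters still works.
22 | # NOTE(review): the helper runs as a child process, so any variable it exports
23 | # does not reach the kubectl call below; get-logs-from-mysql-server.sh sources
24 | # its helper with `.` instead. Confirm which cluster kubectl ends up targeting.
25 | "$DIR/../set-project-and-cluster-client.sh"
26 |
27 | kubectl logs -l app=sleep -c istio-proxy -f
28 | # [END servicemesh_httpbin_client_get_logs_from_sleep_proxy]
--------------------------------------------------------------------------------
/docs/mtls-egress-ingress/server/mysql-server/get-logs-from-mysql-server.sh:
--------------------------------------------------------------------------------
1 |
2 | # Copyright 2021 Google LLC
3 | #
4 | # Licensed under the Apache License, Version 2.0 (the "License");
5 | # you may not use this file except in compliance with the License.
6 | # You may obtain a copy of the License at
7 | #
8 | # http://www.apache.org/licenses/LICENSE-2.0
9 | #
10 | # Unless required by applicable law or agreed to in writing, software
11 | # distributed under the License is distributed on an "AS IS" BASIS,
12 | # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13 | # See the License for the specific language governing permissions and
14 | # limitations under the License.
15 |
16 | # [START servicemesh_mysql_server_get_logs_from_mysql_server]
17 | # Follows the istio-proxy container logs of the pods labelled app=mysql.
18 | DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )"
19 |
20 | # Sourced (not executed) so that what the helper exports, such as KUBECONFIG,
21 | # applies to the kubectl call below. Quoted so a path with spaces still works.
22 | . "$DIR/../set-project-and-cluster-server.sh"
23 |
24 | kubectl logs -l app=mysql -c istio-proxy -f
25 | # [END servicemesh_mysql_server_get_logs_from_mysql_server]
--------------------------------------------------------------------------------
/docs/shared/service_port_name_suffix.yaml:
--------------------------------------------------------------------------------
1 |
2 | # Copyright 2021 Google LLC
3 | #
4 | # Licensed under the Apache License, Version 2.0 (the "License");
5 | # you may not use this file except in compliance with the License.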
6 | # You may obtain a copy of the License at 7 | # 8 | # http://www.apache.org/licenses/LICENSE-2.0 9 | # 10 | # Unless required by applicable law or agreed to in writing, software 11 | # distributed under the License is distributed on an "AS IS" BASIS, 12 | # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 13 | # See the License for the specific language governing permissions and 14 | # limitations under the License. 15 | 16 | # [START servicemesh_shared_service_port_name_suffix_service_myservice] 17 | kind: Service 18 | metadata: 19 | name: myservice 20 | spec: 21 | ports: 22 | - number: 3306 23 | name: mysql 24 | - number: 80 25 | name: http-web 26 | # [END servicemesh_shared_service_port_name_suffix_service_myservice] 27 | --- 28 | -------------------------------------------------------------------------------- /docs/mtls-egress-ingress/client/mysql-client/get-logs-from-mysql-client.sh: -------------------------------------------------------------------------------- 1 | 2 | # Copyright 2021 Google LLC 3 | # 4 | # Licensed under the Apache License, Version 2.0 (the "License"); 5 | # you may not use this file except in compliance with the License. 6 | # You may obtain a copy of the License at 7 | # 8 | # http://www.apache.org/licenses/LICENSE-2.0 9 | # 10 | # Unless required by applicable law or agreed to in writing, software 11 | # distributed under the License is distributed on an "AS IS" BASIS, 12 | # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 13 | # See the License for the specific language governing permissions and 14 | # limitations under the License. 
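15 |
16 | # [START servicemesh_mysql_client_get_logs_from_mysql_client]
17 | # Follows the istio-proxy container logs of the pods labelled run=mysql-client,
18 | # after running set-project-and-cluster-client.sh from the parent directory.
19 | DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )"
20 |
21 | # Quoted so a checkout path containing spaces or glob characters still works.
22 | # NOTE(review): the helper runs as a child process, so any variable it exports
23 | # does not reach the kubectl call below; get-logs-from-mysql-server.sh sources
24 | # its helper with `.` instead. Confirm which cluster kubectl ends up targeting.
25 | "$DIR/../set-project-and-cluster-client.sh"
26 |
27 | kubectl logs -l run=mysql-client -c istio-proxy -f
28 | # [END servicemesh_mysql_client_get_logs_from_mysql_client]
--------------------------------------------------------------------------------
/docs/shared/service_port_name.yaml:
--------------------------------------------------------------------------------
1 |
2 | # Copyright 2021 Google LLC
3 | #
4 | # Licensed under the Apache License, Version 2.0 (the "License");
5 | # you may not use this file except in compliance with the License.
6 | # You may obtain a copy of the License at
7 | #
8 | # http://www.apache.org/licenses/LICENSE-2.0
9 | #
10 | # Unless required by applicable law or agreed to in writing, software
11 | # distributed under the License is distributed on an "AS IS" BASIS,
12 | # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13 | # See the License for the specific language governing permissions and
14 | # limitations under the License.
15 |
16 | # [START servicemesh_shared_service_port_name_service_ratings]
17 | apiVersion: v1
18 | kind: Service
19 | metadata:
20 |   name: ratings
21 |   labels:
22 |     app: ratings
23 |     service: ratings
24 | spec:
25 |   ports:
26 |   - port: 9080
27 |     name: http
28 | # [END servicemesh_shared_service_port_name_service_ratings]
29 | ---
30 |
--------------------------------------------------------------------------------
/docs/enabling-optional-features/direct_envoy_to_stdout.yaml:
--------------------------------------------------------------------------------
1 |
2 | # Copyright 2021 Google LLC
3 | #
4 | # Licensed under the Apache License, Version 2.0 (the "License");
5 | # you may not use this file except in compliance with the License.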
6 | # You may obtain a copy of the License at 7 | # 8 | # http://www.apache.org/licenses/LICENSE-2.0 9 | # 10 | # Unless required by applicable law or agreed to in writing, software 11 | # distributed under the License is distributed on an "AS IS" BASIS, 12 | # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 13 | # See the License for the specific language governing permissions and 14 | # limitations under the License. 15 | 16 | # [START servicemesh_enabling_optional_features_direct_envoy_to_stdout_istiooperator] 17 | apiVersion: install.istio.io/v1alpha1 18 | kind: IstioOperator 19 | spec: 20 | meshConfig: 21 | accessLogFile: /dev/stdout 22 | # [END servicemesh_enabling_optional_features_direct_envoy_to_stdout_istiooperator] 23 | --- 24 | -------------------------------------------------------------------------------- /docs/ingress-gateway-external-lb/README.md: -------------------------------------------------------------------------------- 1 | ## Set up an external load balancer with an ASM Ingress Gateway 2 | 3 | Follow the guide [here](https://cloud.google.com/service-mesh/docs/external-lb-gateway) for a more detailed explanation. 
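4 |
5 | This [`ingress-gateway.yaml`](./ingress-gateway.yaml) configures the following resources in the cluster:
6 |
7 | - A Kubernetes `ServiceAccount`
8 | - A `Role` with read access to `Secrets`
9 | - A `RoleBinding` associating the created `Role` to the `ServiceAccount`
10 | - A `Deployment` of the **istio-proxy** container configured to run as the **ingress gateway** configuration using the `ServiceAccount` that was created
11 | - A Kubernetes `Service` of type `NodePort` exposing the ingress gateway `Deployment`
12 | - A `PodDisruptionBudget` on the ingress gateway `Deployment` to allow at most 1 `Pod` to be unavailable
13 | - A `HorizontalPodAutoscaler` on the ingress gateway `Deployment` to ensure that the average CPU utilization of the `Pods` is within 80%
14 |
15 |
--------------------------------------------------------------------------------
/docs/mtls-egress-ingress/server/httpbin-server/get-logs-from-httpbin-server.sh:
--------------------------------------------------------------------------------
1 |
2 | # Copyright 2021 Google LLC
3 | #
4 | # Licensed under the Apache License, Version 2.0 (the "License");
5 | # you may not use this file except in compliance with the License.
6 | # You may obtain a copy of the License at
7 | #
8 | # http://www.apache.org/licenses/LICENSE-2.0
9 | #
10 | # Unless required by applicable law or agreed to in writing, software
11 | # distributed under the License is distributed on an "AS IS" BASIS,
12 | # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13 | # See the License for the specific language governing permissions and
14 | # limitations under the License.
15 |
16 | # [START servicemesh_httpbin_server_get_logs_from_httpbin_server]
17 | # Follows the istio-proxy container logs of the pods labelled app=httpbin.
18 | DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )"
19 |
20 | # Sourced (not executed) so that the KUBECONFIG the helper exports applies to
21 | # the kubectl call below. Quoted so a checkout path with spaces still works.
22 | . "$DIR/../set-project-and-cluster-server.sh"
23 |
24 | kubectl logs -l app=httpbin -c istio-proxy -f
25 | # [END servicemesh_httpbin_server_get_logs_from_httpbin_server]
--------------------------------------------------------------------------------
/docs/mtls-egress-ingress/server/set-project-and-cluster-server.sh:
--------------------------------------------------------------------------------
1 |
2 | # Copyright 2021 Google LLC
3 | #
4 | # Licensed under the Apache License, Version 2.0 (the "License");
5 | # you may not use this file except in compliance with the License.
6 | # You may obtain a copy of the License at
7 | #
8 | # http://www.apache.org/licenses/LICENSE-2.0
9 | #
10 | # Unless required by applicable law or agreed to in writing, software
11 | # distributed under the License is distributed on an "AS IS" BASIS,
12 | # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13 | # See the License for the specific language governing permissions and
14 | # limitations under the License.
15 |
16 | # [START servicemesh_server_set_project_and_cluster_server]
17 | #
18 | # Meant to be sourced (the get-logs scripts load it with `.`): selects the
19 | # gcloud project named by PROJECT_ID and points KUBECONFIG at the file
20 | # ../terraform/server-kubeconfig, relative to this script.
21 | SERVER_DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )"
22 |
23 | # `gcloud config set` needs a value: skip the call with a clear message when
24 | # PROJECT_ID is empty or unset, and quote it so it is passed as one argument.
25 | if [ -n "${PROJECT_ID:-}" ]; then
26 |   gcloud config set project "${PROJECT_ID}"
27 | else
28 |   echo "PROJECT_ID is not set; the active gcloud project is left unchanged" >&2
29 | fi
30 |
31 | # Exported so kubectl in the sourcing script reads the server-kubeconfig file.
32 | export KUBECONFIG="${SERVER_DIR}/../terraform/server-kubeconfig"
33 | # [END servicemesh_server_set_project_and_cluster_server]
--------------------------------------------------------------------------------
/docs/enabling-optional-features/direct_envoy_stdout_proxy.yaml:
--------------------------------------------------------------------------------
1 |
2 | # Copyright 2021 Google LLC
3 | #
4 | # Licensed under the Apache License, Version 2.0 (the "License");
5 | # you may not use this file except in compliance with the License.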
6 | # You may obtain a copy of the License at 7 | # 8 | # http://www.apache.org/licenses/LICENSE-2.0 9 | # 10 | # Unless required by applicable law or agreed to in writing, software 11 | # distributed under the License is distributed on an "AS IS" BASIS, 12 | # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 13 | # See the License for the specific language governing permissions and 14 | # limitations under the License. 15 | 16 | # [START servicemesh_enabling_optional_features_direct_envoy_stdout_proxy_istiooperator] 17 | apiVersion: install.istio.io/v1alpha1 18 | kind: IstioOperator 19 | spec: 20 | global: 21 | proxy: accessLogFile="/dev/stdout" 22 | # [END servicemesh_enabling_optional_features_direct_envoy_stdout_proxy_istiooperator] 23 | --- 24 | -------------------------------------------------------------------------------- /docs/online-boutique-asm-manifests/service-accounts/all/service-account-productcatalogservice.yaml: -------------------------------------------------------------------------------- 1 | # Copyright 2022 Google LLC 2 | # 3 | # Licensed under the Apache License, Version 2.0 (the "License"); 4 | # you may not use this file except in compliance with the License. 5 | # You may obtain a copy of the License at 6 | # 7 | # http://www.apache.org/licenses/LICENSE-2.0 8 | # 9 | # Unless required by applicable law or agreed to in writing, software 10 | # distributed under the License is distributed on an "AS IS" BASIS, 11 | # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 12 | # See the License for the specific language governing permissions and 13 | # limitations under the License. 
14 | 15 | # [START servicemesh_all_service_account_productcatalogservice_serviceaccount_productcatalogservice] 16 | apiVersion: v1 17 | kind: ServiceAccount 18 | metadata: 19 | name: productcatalogservice 20 | # [END servicemesh_all_service_account_productcatalogservice_serviceaccount_productcatalogservice] -------------------------------------------------------------------------------- /docs/online-boutique-asm-manifests/service-accounts/all/service-account-recommendationservice.yaml: -------------------------------------------------------------------------------- 1 | # Copyright 2022 Google LLC 2 | # 3 | # Licensed under the Apache License, Version 2.0 (the "License"); 4 | # you may not use this file except in compliance with the License. 5 | # You may obtain a copy of the License at 6 | # 7 | # http://www.apache.org/licenses/LICENSE-2.0 8 | # 9 | # Unless required by applicable law or agreed to in writing, software 10 | # distributed under the License is distributed on an "AS IS" BASIS, 11 | # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 12 | # See the License for the specific language governing permissions and 13 | # limitations under the License. 14 | 15 | # [START servicemesh_all_service_account_recommendationservice_serviceaccount_recommendationservice] 16 | apiVersion: v1 17 | kind: ServiceAccount 18 | metadata: 19 | name: recommendationservice 20 | # [END servicemesh_all_service_account_recommendationservice_serviceaccount_recommendationservice] -------------------------------------------------------------------------------- /docs/online-boutique-asm-manifests/service-accounts/kustomization.yaml: -------------------------------------------------------------------------------- 1 | # Copyright 2022 Google LLC 2 | # 3 | # Licensed under the Apache License, Version 2.0 (the "License"); 4 | # you may not use this file except in compliance with the License. 
5 | # You may obtain a copy of the License at 6 | # 7 | # http://www.apache.org/licenses/LICENSE-2.0 8 | # 9 | # Unless required by applicable law or agreed to in writing, software 10 | # distributed under the License is distributed on an "AS IS" BASIS, 11 | # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 12 | # See the License for the specific language governing permissions and 13 | # limitations under the License. 14 | 15 | # [START servicemesh_online_boutique_asm_manifests_service_accounts_kustomization_kustomization] 16 | apiVersion: kustomize.config.k8s.io/v1beta1 17 | kind: Kustomization 18 | resources: 19 | - ../base/all 20 | components: 21 | - all 22 | # [END servicemesh_online_boutique_asm_manifests_service_accounts_kustomization_kustomization] -------------------------------------------------------------------------------- /docs/shared/asm-ingress-gateway/gateway.yaml: -------------------------------------------------------------------------------- 1 | # Copyright 2022 Google LLC 2 | # 3 | # Licensed under the Apache License, Version 2.0 (the "License"); 4 | # you may not use this file except in compliance with the License. 5 | # You may obtain a copy of the License at 6 | # 7 | # http://www.apache.org/licenses/LICENSE-2.0 8 | # 9 | # Unless required by applicable law or agreed to in writing, software 10 | # distributed under the License is distributed on an "AS IS" BASIS, 11 | # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 12 | # See the License for the specific language governing permissions and 13 | # limitations under the License. 
14 | # Istio Gateway in namespace asm-ingress, bound to workloads labelled asm=ingressgateway; its single server entry accepts plaintext HTTP on port 80 for any host name. 15 | apiVersion: networking.istio.io/v1alpha3 16 | kind: Gateway 17 | metadata: 18 | name: asm-ingressgateway 19 | namespace: asm-ingress 20 | spec: 21 | selector: 22 | asm: ingressgateway # ASM ingress gateway 23 | servers: 24 | - port: 25 | number: 80 26 | name: http 27 | protocol: HTTP # NOTE(review): this server entry terminates no TLS; confirm TLS is handled in front of the gateway or add an HTTPS server 28 | hosts: # "*" matches every Host header; list the expected host names to narrow what the gateway answers for 29 | - "*" -------------------------------------------------------------------------------- /docs/ingress-gateway-asm-manifests/kustomization.yaml: -------------------------------------------------------------------------------- 1 | # Copyright 2022 Google LLC 2 | # 3 | # Licensed under the Apache License, Version 2.0 (the "License"); 4 | # you may not use this file except in compliance with the License. 5 | # You may obtain a copy of the License at 6 | # 7 | # http://www.apache.org/licenses/LICENSE-2.0 8 | # 9 | # Unless required by applicable law or agreed to in writing, software 10 | # distributed under the License is distributed on an "AS IS" BASIS, 11 | # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 12 | # See the License for the specific language governing permissions and 13 | # limitations under the License. 14 | # Builds the ingress gateway from ./base into namespace asm-ingress and layers the with-authorization-policies component on top. 15 | # [START servicemesh_docs_ingress_gateway_asm_manifests_kustomization_kustomization] 16 | apiVersion: kustomize.config.k8s.io/v1beta1 17 | kind: Kustomization 18 | namespace: asm-ingress 19 | resources: 20 | - base 21 | components: 22 | - with-authorization-policies 23 | # [END servicemesh_docs_ingress_gateway_asm_manifests_kustomization_kustomization] -------------------------------------------------------------------------------- /docs/ingress-gateway-asm-manifests/with-authorization-policies/kustomization.yaml: -------------------------------------------------------------------------------- 1 | # Copyright 2022 Google LLC 2 | # 3 | # Licensed under the Apache License, Version 2.0 (the "License"); 4 | # you may not use this file except in compliance with the License.
5 | # You may obtain a copy of the License at 6 | # 7 | # http://www.apache.org/licenses/LICENSE-2.0 8 | # 9 | # Unless required by applicable law or agreed to in writing, software 10 | # distributed under the License is distributed on an "AS IS" BASIS, 11 | # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 12 | # See the License for the specific language governing permissions and 13 | # limitations under the License. 14 | 15 | # [START servicemesh_ingress_gateway_asm_manifests_with_authorization_policies_kustomization_component] 16 | apiVersion: kustomize.config.k8s.io/v1alpha1 17 | kind: Component 18 | resources: 19 | - authorizationpolicy.yaml 20 | # [END servicemesh_ingress_gateway_asm_manifests_with_authorization_policies_kustomization_component] -------------------------------------------------------------------------------- /docs/ingress-gateway-asm-manifests/base/kustomization.yaml: -------------------------------------------------------------------------------- 1 | # Copyright 2022 Google LLC 2 | # 3 | # Licensed under the Apache License, Version 2.0 (the "License"); 4 | # you may not use this file except in compliance with the License. 5 | # You may obtain a copy of the License at 6 | # 7 | # http://www.apache.org/licenses/LICENSE-2.0 8 | # 9 | # Unless required by applicable law or agreed to in writing, software 10 | # distributed under the License is distributed on an "AS IS" BASIS, 11 | # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 12 | # See the License for the specific language governing permissions and 13 | # limitations under the License. 
14 | 15 | # [START servicemesh_ingress_gateway_asm_manifests_base_kustomization_kustomization] 16 | apiVersion: kustomize.config.k8s.io/v1beta1 17 | kind: Kustomization 18 | resources: 19 | - deployment-service.yaml 20 | - gateway.yaml 21 | - namespace.yaml 22 | - pdb-v1.yaml 23 | # [END servicemesh_ingress_gateway_asm_manifests_base_kustomization_kustomization] -------------------------------------------------------------------------------- /docs/mtls-egress-ingress/client/features.yaml: -------------------------------------------------------------------------------- 1 | 2 | # Copyright 2021 Google LLC 3 | # 4 | # Licensed under the Apache License, Version 2.0 (the "License"); 5 | # you may not use this file except in compliance with the License. 6 | # You may obtain a copy of the License at 7 | # 8 | # http://www.apache.org/licenses/LICENSE-2.0 9 | # 10 | # Unless required by applicable law or agreed to in writing, software 11 | # distributed under the License is distributed on an "AS IS" BASIS, 12 | # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 13 | # See the License for the specific language governing permissions and 14 | # limitations under the License. 15 | 16 | # [START servicemesh_client_features_istiooperator] 17 | apiVersion: install.istio.io/v1alpha1 18 | kind: IstioOperator 19 | spec: 20 | meshConfig: 21 | accessLogFile: /dev/stdout 22 | components: 23 | egressGateways: 24 | - name: istio-egressgateway 25 | enabled: true 26 | # [END servicemesh_client_features_istiooperator] 27 | --- 28 | -------------------------------------------------------------------------------- /docs/online-boutique-asm-manifests/sidecars/all/sidecar-redis.yaml: -------------------------------------------------------------------------------- 1 | # Copyright 2022 Google LLC 2 | # 3 | # Licensed under the Apache License, Version 2.0 (the "License"); 4 | # you may not use this file except in compliance with the License. 
5 | # You may obtain a copy of the License at 6 | # 7 | # http://www.apache.org/licenses/LICENSE-2.0 8 | # 9 | # Unless required by applicable law or agreed to in writing, software 10 | # distributed under the License is distributed on an "AS IS" BASIS, 11 | # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 12 | # See the License for the specific language governing permissions and 13 | # limitations under the License. 14 | 15 | # [START servicemesh_all_sidecar_redis_sidecar_redis_cart] 16 | apiVersion: networking.istio.io/v1beta1 17 | kind: Sidecar 18 | metadata: 19 | name: redis-cart 20 | spec: 21 | workloadSelector: 22 | labels: 23 | app: redis-cart 24 | egress: 25 | - hosts: 26 | - istio-system/* 27 | # [END servicemesh_all_sidecar_redis_sidecar_redis_cart] -------------------------------------------------------------------------------- /docs/authorization/currency-deny-all.yaml: -------------------------------------------------------------------------------- 1 | # Copyright 2022 Google LLC 2 | # 3 | # Licensed under the Apache License, Version 2.0 (the "License"); 4 | # you may not use this file except in compliance with the License. 5 | # You may obtain a copy of the License at 6 | # 7 | # http://www.apache.org/licenses/LICENSE-2.0 8 | # 9 | # Unless required by applicable law or agreed to in writing, software 10 | # distributed under the License is distributed on an "AS IS" BASIS, 11 | # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 12 | # See the License for the specific language governing permissions and 13 | # limitations under the License. 
14 | # AuthorizationPolicy that selects app=currencyservice and declares neither an action nor any rules. With Istio's default ALLOW action and no rule to match, every request to the selected workload is denied. 15 | # [START servicemesh_authorization_currency_deny_all_authorizationpolicy_currency_policy] 16 | apiVersion: security.istio.io/v1beta1 17 | kind: AuthorizationPolicy 18 | metadata: 19 | name: currency-policy 20 | spec: # no "rules" key on purpose: that omission is what makes this a deny-all; adding a rule turns the policy into an allow-list 21 | selector: 22 | matchLabels: 23 | app: currencyservice 24 | # [END servicemesh_authorization_currency_deny_all_authorizationpolicy_currency_policy] 25 | -------------------------------------------------------------------------------- /docs/enabling-optional-features/cloud_trace.yaml: -------------------------------------------------------------------------------- 1 | 2 | # Copyright 2021 Google LLC 3 | # 4 | # Licensed under the Apache License, Version 2.0 (the "License"); 5 | # you may not use this file except in compliance with the License. 6 | # You may obtain a copy of the License at 7 | # 8 | # http://www.apache.org/licenses/LICENSE-2.0 9 | # 10 | # Unless required by applicable law or agreed to in writing, software 11 | # distributed under the License is distributed on an "AS IS" BASIS, 12 | # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 13 | # See the License for the specific language governing permissions and 14 | # limitations under the License. 15 | # IstioOperator overlay: turns on tracing in meshConfig and sets the proxy tracer to stackdriver. 16 | # [START servicemesh_enabling_optional_features_cloud_trace_istiooperator] 17 | apiVersion: install.istio.io/v1alpha1 18 | kind: IstioOperator 19 | spec: 20 | meshConfig: 21 | enableTracing: true 22 | values: 23 | global: 24 | proxy: 25 | tracer: stackdriver 26 | # [END servicemesh_enabling_optional_features_cloud_trace_istiooperator] 27 | --- 28 | -------------------------------------------------------------------------------- /docs/enabling-optional-features/asmmulticloud_profile.yaml: -------------------------------------------------------------------------------- 1 | 2 | # Copyright 2021 Google LLC 3 | # 4 | # Licensed under the Apache License, Version 2.0 (the "License"); 5 | # you may not use this file except in compliance with the License.
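6 | # You may obtain a copy of the License at 7 | # 8 | # http://www.apache.org/licenses/LICENSE-2.0 9 | # 10 | # Unless required by applicable law or agreed to in writing, software 11 | # distributed under the License is distributed on an "AS IS" BASIS, 12 | # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 13 | # See the License for the specific language governing permissions and 14 | # limitations under the License. 15 | 16 | # [START servicemesh_enabling_optional_features_asmmulticloud_profile_istiooperator] 17 | apiVersion: install.istio.io/v1alpha1 18 | kind: IstioOperator 19 | spec: 20 | components: 21 | egressGateways: 22 | - name: istio-egressgateway 23 | enabled: true 24 | # [END servicemesh_enabling_optional_features_asmmulticloud_profile_istiooperator] 25 | --- 26 | -------------------------------------------------------------------------------- /docs/mtls-egress-ingress/server/get-logs-from-ingress.sh: -------------------------------------------------------------------------------- 1 | 2 | # Copyright 2021 Google LLC 3 | # 4 | # Licensed under the Apache License, Version 2.0 (the "License"); 5 | # you may not use this file except in compliance with the License. 6 | # You may obtain a copy of the License at 7 | # 8 | # http://www.apache.org/licenses/LICENSE-2.0 9 | # 10 | # Unless required by applicable law or agreed to in writing, software 11 | # distributed under the License is distributed on an "AS IS" BASIS, 12 | # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 13 | # See the License for the specific language governing permissions and 14 | # limitations under the License. 15 | 16 | # [START servicemesh_server_get_logs_from_ingress] 17 | DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )" 18 | # Source the sibling script that selects the project and cluster; the path is quoted so a checkout directory containing spaces or glob characters still resolves.
19 | . "$DIR/./set-project-and-cluster-server.sh" 20 | # Follow the logs of the first pod labelled istio=ingressgateway in istio-system. NOTE(review): when no pod matches, the inner lookup fails and "kubectl logs" receives an empty name. 21 | kubectl logs -n istio-system "$(kubectl get pod -l istio=ingressgateway \ 22 | -n istio-system -o jsonpath='{.items[0].metadata.name}')" -f 23 | # [END servicemesh_server_get_logs_from_ingress] -------------------------------------------------------------------------------- /docs/online-boutique-asm-manifests/authorization-policies/kustomization.yaml: -------------------------------------------------------------------------------- 1 | # Copyright 2022 Google LLC 2 | # 3 | # Licensed under the Apache License, Version 2.0 (the "License"); 4 | # you may not use this file except in compliance with the License. 5 | # You may obtain a copy of the License at 6 | # 7 | # http://www.apache.org/licenses/LICENSE-2.0 8 | # 9 | # Unless required by applicable law or agreed to in writing, software 10 | # distributed under the License is distributed on an "AS IS" BASIS, 11 | # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 12 | # See the License for the specific language governing permissions and 13 | # limitations under the License. 14 | 15 | # [START servicemesh_online_boutique_asm_manifests_authorization_policies_kustomization_kustomization] 16 | apiVersion: kustomize.config.k8s.io/v1beta1 17 | kind: Kustomization 18 | components: 19 | - all 20 | - for-ingress-gateway 21 | - for-namespace 22 | # [END servicemesh_online_boutique_asm_manifests_authorization_policies_kustomization_kustomization] -------------------------------------------------------------------------------- /docs/online-boutique-asm-manifests/sidecars/all/sidecar-adservice.yaml: -------------------------------------------------------------------------------- 1 | # Copyright 2022 Google LLC 2 | # 3 | # Licensed under the Apache License, Version 2.0 (the "License"); 4 | # you may not use this file except in compliance with the License.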
5 | # You may obtain a copy of the License at 6 | # 7 | # http://www.apache.org/licenses/LICENSE-2.0 8 | # 9 | # Unless required by applicable law or agreed to in writing, software 10 | # distributed under the License is distributed on an "AS IS" BASIS, 11 | # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 12 | # See the License for the specific language governing permissions and 13 | # limitations under the License. 14 | 15 | # [START servicemesh_all_sidecar_adservice_sidecar_adservice] 16 | apiVersion: networking.istio.io/v1beta1 17 | kind: Sidecar 18 | metadata: 19 | name: adservice 20 | spec: 21 | workloadSelector: 22 | labels: 23 | app: adservice 24 | egress: 25 | - hosts: 26 | - istio-system/* 27 | # [END servicemesh_all_sidecar_adservice_sidecar_adservice] -------------------------------------------------------------------------------- /docs/mtls-egress-ingress/client/set-project-and-cluster-client.sh: -------------------------------------------------------------------------------- 1 | 2 | # Copyright 2021 Google LLC 3 | # 4 | # Licensed under the Apache License, Version 2.0 (the "License"); 5 | # you may not use this file except in compliance with the License. 6 | # You may obtain a copy of the License at 7 | # 8 | # http://www.apache.org/licenses/LICENSE-2.0 9 | # 10 | # Unless required by applicable law or agreed to in writing, software 11 | # distributed under the License is distributed on an "AS IS" BASIS, 12 | # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 13 | # See the License for the specific language governing permissions and 14 | # limitations under the License. 
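15 | 16 | # [START servicemesh_client_set_project_and_cluster_client] 17 | DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )" 18 | # Clear any inherited KUBECONFIG before fetching credentials (presumably so they land in kubectl's default config file; confirm). 19 | unset KUBECONFIG 20 | # PROJECT_ID and ZONE must be provided by the caller; fail with a message instead of running gcloud with empty or word-split arguments. 21 | gcloud config set project "${PROJECT_ID:?PROJECT_ID must be set}" 22 | # NOTE(review): ZONE is passed to --region; confirm it holds a region name for client-cluster. 23 | gcloud container clusters get-credentials client-cluster --region "${ZONE:?ZONE must be set}" --project "${PROJECT_ID}" 24 | # [END servicemesh_client_set_project_and_cluster_client] -------------------------------------------------------------------------------- /docs/online-boutique-asm-manifests/sidecars/all/sidecar-emailservice.yaml: -------------------------------------------------------------------------------- 1 | # Copyright 2022 Google LLC 2 | # 3 | # Licensed under the Apache License, Version 2.0 (the "License"); 4 | # you may not use this file except in compliance with the License. 5 | # You may obtain a copy of the License at 6 | # 7 | # http://www.apache.org/licenses/LICENSE-2.0 8 | # 9 | # Unless required by applicable law or agreed to in writing, software 10 | # distributed under the License is distributed on an "AS IS" BASIS, 11 | # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 12 | # See the License for the specific language governing permissions and 13 | # limitations under the License.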
14 | 15 | # [START servicemesh_all_sidecar_emailservice_sidecar_emailservice] 16 | apiVersion: networking.istio.io/v1beta1 17 | kind: Sidecar 18 | metadata: 19 | name: emailservice 20 | spec: 21 | workloadSelector: 22 | labels: 23 | app: emailservice 24 | egress: 25 | - hosts: 26 | - istio-system/* 27 | # [END servicemesh_all_sidecar_emailservice_sidecar_emailservice] -------------------------------------------------------------------------------- /docs/online-boutique-asm-manifests/service-accounts/for-memorystore/kustomization.yaml: -------------------------------------------------------------------------------- 1 | # Copyright 2022 Google LLC 2 | # 3 | # Licensed under the Apache License, Version 2.0 (the "License"); 4 | # you may not use this file except in compliance with the License. 5 | # You may obtain a copy of the License at 6 | # 7 | # http://www.apache.org/licenses/LICENSE-2.0 8 | # 9 | # Unless required by applicable law or agreed to in writing, software 10 | # distributed under the License is distributed on an "AS IS" BASIS, 11 | # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 12 | # See the License for the specific language governing permissions and 13 | # limitations under the License. 
14 | 15 | # [START servicemesh_service_accounts_for_memorystore_kustomization_component] 16 | apiVersion: kustomize.config.k8s.io/v1alpha1 17 | kind: Component 18 | patchesStrategicMerge: 19 | - |- 20 | apiVersion: v1 21 | kind: ServiceAccount 22 | metadata: 23 | name: redis-cart 24 | $patch: delete 25 | # [END servicemesh_service_accounts_for_memorystore_kustomization_component] -------------------------------------------------------------------------------- /docs/online-boutique-asm-manifests/sidecars/all/sidecar-paymentservice.yaml: -------------------------------------------------------------------------------- 1 | # Copyright 2022 Google LLC 2 | # 3 | # Licensed under the Apache License, Version 2.0 (the "License"); 4 | # you may not use this file except in compliance with the License. 5 | # You may obtain a copy of the License at 6 | # 7 | # http://www.apache.org/licenses/LICENSE-2.0 8 | # 9 | # Unless required by applicable law or agreed to in writing, software 10 | # distributed under the License is distributed on an "AS IS" BASIS, 11 | # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 12 | # See the License for the specific language governing permissions and 13 | # limitations under the License. 
14 | 15 | # [START servicemesh_all_sidecar_paymentservice_sidecar_paymentservice] 16 | apiVersion: networking.istio.io/v1beta1 17 | kind: Sidecar 18 | metadata: 19 | name: paymentservice 20 | spec: 21 | workloadSelector: 22 | labels: 23 | app: paymentservice 24 | egress: 25 | - hosts: 26 | - istio-system/* 27 | # [END servicemesh_all_sidecar_paymentservice_sidecar_paymentservice] -------------------------------------------------------------------------------- /docs/online-boutique-asm-manifests/sidecars/all/sidecar-currencyservice.yaml: -------------------------------------------------------------------------------- 1 | # Copyright 2022 Google LLC 2 | # 3 | # Licensed under the Apache License, Version 2.0 (the "License"); 4 | # you may not use this file except in compliance with the License. 5 | # You may obtain a copy of the License at 6 | # 7 | # http://www.apache.org/licenses/LICENSE-2.0 8 | # 9 | # Unless required by applicable law or agreed to in writing, software 10 | # distributed under the License is distributed on an "AS IS" BASIS, 11 | # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 12 | # See the License for the specific language governing permissions and 13 | # limitations under the License. 
14 | 15 | # [START servicemesh_all_sidecar_currencyservice_sidecar_currencyservice] 16 | apiVersion: networking.istio.io/v1beta1 17 | kind: Sidecar 18 | metadata: 19 | name: currencyservice 20 | spec: 21 | workloadSelector: 22 | labels: 23 | app: currencyservice 24 | egress: 25 | - hosts: 26 | - istio-system/* 27 | # [END servicemesh_all_sidecar_currencyservice_sidecar_currencyservice] -------------------------------------------------------------------------------- /docs/online-boutique-asm-manifests/sidecars/all/sidecar-shippingservice.yaml: -------------------------------------------------------------------------------- 1 | # Copyright 2022 Google LLC 2 | # 3 | # Licensed under the Apache License, Version 2.0 (the "License"); 4 | # you may not use this file except in compliance with the License. 5 | # You may obtain a copy of the License at 6 | # 7 | # http://www.apache.org/licenses/LICENSE-2.0 8 | # 9 | # Unless required by applicable law or agreed to in writing, software 10 | # distributed under the License is distributed on an "AS IS" BASIS, 11 | # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 12 | # See the License for the specific language governing permissions and 13 | # limitations under the License. 
14 | 15 | # [START servicemesh_all_sidecar_shippingservice_sidecar_shippingservice] 16 | apiVersion: networking.istio.io/v1beta1 17 | kind: Sidecar 18 | metadata: 19 | name: shippingservice 20 | spec: 21 | workloadSelector: 22 | labels: 23 | app: shippingservice 24 | egress: 25 | - hosts: 26 | - istio-system/* 27 | # [END servicemesh_all_sidecar_shippingservice_sidecar_shippingservice] -------------------------------------------------------------------------------- /docs/online-boutique-asm-manifests/base/for-namespace/kustomization.yaml: -------------------------------------------------------------------------------- 1 | # Copyright 2022 Google LLC 2 | # 3 | # Licensed under the Apache License, Version 2.0 (the "License"); 4 | # you may not use this file except in compliance with the License. 5 | # You may obtain a copy of the License at 6 | # 7 | # http://www.apache.org/licenses/LICENSE-2.0 8 | # 9 | # Unless required by applicable law or agreed to in writing, software 10 | # distributed under the License is distributed on an "AS IS" BASIS, 11 | # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 12 | # See the License for the specific language governing permissions and 13 | # limitations under the License. 
14 | 15 | # [START servicemesh_base_for_namespace_kustomization_component] 16 | apiVersion: kustomize.config.k8s.io/v1alpha1 17 | kind: Component 18 | patchesJson6902: 19 | - target: 20 | kind: Namespace 21 | name: onlineboutique 22 | patch: |- 23 | - op: replace 24 | path: /metadata/name 25 | value: ONLINEBOUTIQUE_NAMESPACE 26 | # [END servicemesh_base_for_namespace_kustomization_component] -------------------------------------------------------------------------------- /docs/canary-service/vs-v2.yaml: -------------------------------------------------------------------------------- 1 | # Copyright 2022 Google LLC 2 | # 3 | # Licensed under the Apache License, Version 2.0 (the "License"); 4 | # you may not use this file except in compliance with the License. 5 | # You may obtain a copy of the License at 6 | # 7 | # http://www.apache.org/licenses/LICENSE-2.0 8 | # 9 | # Unless required by applicable law or agreed to in writing, software 10 | # distributed under the License is distributed on an "AS IS" BASIS, 11 | # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 12 | # See the License for the specific language governing permissions and 13 | # limitations under the License. 
14 | 15 | # [START servicemesh_canary_service_rollout_virtualservice_productcatalogservice] 16 | apiVersion: networking.istio.io/v1beta1 17 | kind: VirtualService 18 | metadata: 19 | name: productcatalogservice 20 | spec: 21 | hosts: 22 | - productcatalogservice 23 | http: 24 | - route: 25 | - destination: 26 | host: productcatalogservice 27 | subset: v2 28 | # [END servicemesh_canary_service_rollout_virtualservice_productcatalogservice] -------------------------------------------------------------------------------- /docs/enabling-optional-features/asmgcp_profile.yaml: -------------------------------------------------------------------------------- 1 | 2 | # Copyright 2021 Google LLC 3 | # 4 | # Licensed under the Apache License, Version 2.0 (the "License"); 5 | # you may not use this file except in compliance with the License. 6 | # You may obtain a copy of the License at 7 | # 8 | # http://www.apache.org/licenses/LICENSE-2.0 9 | # 10 | # Unless required by applicable law or agreed to in writing, software 11 | # distributed under the License is distributed on an "AS IS" BASIS, 12 | # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 13 | # See the License for the specific language governing permissions and 14 | # limitations under the License. 
15 | 16 | # [START servicemesh_enabling_optional_features_asmgcp_profile_istiooperator] 17 | apiVersion: install.istio.io/v1alpha1 18 | kind: IstioOperator 19 | spec: 20 | components: 21 | egressGateways: 22 | - enabled: true 23 | k8s: 24 | env: 25 | - name: CA_ADDR 26 | value: meshca.googleapis.com:443 27 | # [END servicemesh_enabling_optional_features_asmgcp_profile_istiooperator] 28 | --- 29 | -------------------------------------------------------------------------------- /docs/canary-service/vs-v1.yaml: -------------------------------------------------------------------------------- 1 | # Copyright 2022 Google LLC 2 | # 3 | # Licensed under the Apache License, Version 2.0 (the "License"); 4 | # you may not use this file except in compliance with the License. 5 | # You may obtain a copy of the License at 6 | # 7 | # http://www.apache.org/licenses/LICENSE-2.0 8 | # 9 | # Unless required by applicable law or agreed to in writing, software 10 | # distributed under the License is distributed on an "AS IS" BASIS, 11 | # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 12 | # See the License for the specific language governing permissions and 13 | # limitations under the License. 
14 | 15 | # [START servicemesh_canary_service_rollback_virtualservice_productcatalogservice] 16 | apiVersion: networking.istio.io/v1beta1 17 | kind: VirtualService 18 | metadata: 19 | name: productcatalogservice 20 | spec: 21 | hosts: 22 | - productcatalogservice 23 | http: 24 | - route: 25 | - destination: 26 | host: productcatalogservice 27 | subset: v1 28 | # [END servicemesh_canary_service_rollback_virtualservice_productcatalogservice] -------------------------------------------------------------------------------- /docs/ingress-gateway-asm-manifests/base/gateway.yaml: -------------------------------------------------------------------------------- 1 | # Copyright 2022 Google LLC 2 | # 3 | # Licensed under the Apache License, Version 2.0 (the "License"); 4 | # you may not use this file except in compliance with the License. 5 | # You may obtain a copy of the License at 6 | # 7 | # http://www.apache.org/licenses/LICENSE-2.0 8 | # 9 | # Unless required by applicable law or agreed to in writing, software 10 | # distributed under the License is distributed on an "AS IS" BASIS, 11 | # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 12 | # See the License for the specific language governing permissions and 13 | # limitations under the License. 
14 | # Istio Gateway bound to workloads labelled asm=ingressgateway; its single server entry accepts plaintext HTTP on port 80 for any host name. 15 | # [START servicemesh_base_gateway_gateway_asm_ingressgateway] 16 | apiVersion: networking.istio.io/v1alpha3 17 | kind: Gateway 18 | metadata: 19 | name: asm-ingressgateway 20 | spec: 21 | selector: 22 | asm: ingressgateway 23 | servers: 24 | - port: 25 | number: 80 26 | name: http 27 | protocol: HTTP # NOTE(review): this server entry terminates no TLS; confirm TLS is handled in front of the gateway or add an HTTPS server 28 | hosts: # "*" matches every Host header; list the expected host names to narrow what the gateway answers for 29 | - "*" 30 | # [END servicemesh_base_gateway_gateway_asm_ingressgateway] -------------------------------------------------------------------------------- /docs/enabling-optional-features/cloud_trace_addoncomponents.yaml: -------------------------------------------------------------------------------- 1 | 2 | # Copyright 2021 Google LLC 3 | # 4 | # Licensed under the Apache License, Version 2.0 (the "License"); 5 | # you may not use this file except in compliance with the License. 6 | # You may obtain a copy of the License at 7 | # 8 | # http://www.apache.org/licenses/LICENSE-2.0 9 | # 10 | # Unless required by applicable law or agreed to in writing, software 11 | # distributed under the License is distributed on an "AS IS" BASIS, 12 | # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 13 | # See the License for the specific language governing permissions and 14 | # limitations under the License.
15 | 16 | # [START servicemesh_enabling_optional_features_cloud_trace_addoncomponents_istiooperator] 17 | apiVersion: install.istio.io/v1alpha1 18 | kind: IstioOperator 19 | spec: 20 | addonComponents: 21 | tracing: 22 | enabled: true 23 | values: 24 | global: 25 | proxy: 26 | tracer: stackdriver 27 | # [END servicemesh_enabling_optional_features_cloud_trace_addoncomponents_istiooperator] 28 | --- 29 | -------------------------------------------------------------------------------- /docs/enabling-optional-features/cloud_trace_sampling.yaml: -------------------------------------------------------------------------------- 1 | 2 | # Copyright 2021 Google LLC 3 | # 4 | # Licensed under the Apache License, Version 2.0 (the "License"); 5 | # you may not use this file except in compliance with the License. 6 | # You may obtain a copy of the License at 7 | # 8 | # http://www.apache.org/licenses/LICENSE-2.0 9 | # 10 | # Unless required by applicable law or agreed to in writing, software 11 | # distributed under the License is distributed on an "AS IS" BASIS, 12 | # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 13 | # See the License for the specific language governing permissions and 14 | # limitations under the License. 
15 | 16 | # [START servicemesh_enabling_optional_features_cloud_trace_sampling_istiooperator] 17 | apiVersion: install.istio.io/v1alpha1 18 | kind: IstioOperator 19 | spec: 20 | meshConfig: 21 | enableTracing: true 22 | values: 23 | pilot: 24 | traceSampling: 100 25 | global: 26 | proxy: 27 | tracer: stackdriver 28 | # [END servicemesh_enabling_optional_features_cloud_trace_sampling_istiooperator] 29 | --- 30 | -------------------------------------------------------------------------------- /docs/iap-integration/load_balancer_managed_certificate.yaml: -------------------------------------------------------------------------------- 1 | 2 | # Copyright 2021 Google LLC 3 | # 4 | # Licensed under the Apache License, Version 2.0 (the "License"); 5 | # you may not use this file except in compliance with the License. 6 | # You may obtain a copy of the License at 7 | # 8 | # http://www.apache.org/licenses/LICENSE-2.0 9 | # 10 | # Unless required by applicable law or agreed to in writing, software 11 | # distributed under the License is distributed on an "AS IS" BASIS, 12 | # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 13 | # See the License for the specific language governing permissions and 14 | # limitations under the License. 
15 | 16 | # [START servicemesh_iap_integration_load_balancer_managed_certificate_managedcertificate_example_certificate] 17 | apiVersion: networking.gke.io/v1beta1 18 | kind: ManagedCertificate 19 | metadata: 20 | name: example-certificate 21 | namespace: istio-system 22 | spec: 23 | domains: 24 | - 25 | # [END servicemesh_iap_integration_load_balancer_managed_certificate_managedcertificate_example_certificate] 26 | --- 27 | -------------------------------------------------------------------------------- /docs/online-boutique-asm-manifests/sidecars/all/sidecar-cartservice.yaml: -------------------------------------------------------------------------------- 1 | # Copyright 2022 Google LLC 2 | # 3 | # Licensed under the Apache License, Version 2.0 (the "License"); 4 | # you may not use this file except in compliance with the License. 5 | # You may obtain a copy of the License at 6 | # 7 | # http://www.apache.org/licenses/LICENSE-2.0 8 | # 9 | # Unless required by applicable law or agreed to in writing, software 10 | # distributed under the License is distributed on an "AS IS" BASIS, 11 | # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 12 | # See the License for the specific language governing permissions and 13 | # limitations under the License. 
14 | 15 | # [START servicemesh_all_sidecar_cartservice_sidecar_cartservice] 16 | apiVersion: networking.istio.io/v1beta1 17 | kind: Sidecar 18 | metadata: 19 | name: cartservice 20 | spec: 21 | workloadSelector: 22 | labels: 23 | app: cartservice 24 | egress: 25 | - hosts: 26 | - istio-system/* 27 | - ./redis-cart.onlineboutique.svc.cluster.local 28 | # [END servicemesh_all_sidecar_cartservice_sidecar_cartservice] -------------------------------------------------------------------------------- /docs/security/update-authentication-policies/security_auth_meshpolicy.yaml: -------------------------------------------------------------------------------- 1 | 2 | # Copyright 2021 Google LLC 3 | # 4 | # Licensed under the Apache License, Version 2.0 (the "License"); 5 | # you may not use this file except in compliance with the License. 6 | # You may obtain a copy of the License at 7 | # 8 | # http://www.apache.org/licenses/LICENSE-2.0 9 | # 10 | # Unless required by applicable law or agreed to in writing, software 11 | # distributed under the License is distributed on an "AS IS" BASIS, 12 | # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 13 | # See the License for the specific language governing permissions and 14 | # limitations under the License. 
# [START servicemesh_update_authentication_policies_security_auth_meshpolicy_meshpolicy_default]
# Mesh-wide peer-authentication policy written against the alpha
# authentication API (authentication.istio.io/v1alpha1, kind MeshPolicy).
# security_auth_peerauthentication.yaml in this directory states the same
# setting as a security.istio.io/v1beta1 PeerAuthentication.
apiVersion: authentication.istio.io/v1alpha1
kind: MeshPolicy
metadata:
  name: default
  labels:
    release: istio
spec:
  peers:
  - mtls:
      # PERMISSIVE: sidecars accept both mutual-TLS and plaintext connections,
      # so a peer identity is not guaranteed on every request.
      # NOTE(review): reads as a migration setting; once every client has a
      # sidecar, STRICT rejects the plaintext path. Confirm against the
      # tutorial this snippet belongs to.
      mode: PERMISSIVE
# [END servicemesh_update_authentication_policies_security_auth_meshpolicy_meshpolicy_default]
---

--------------------------------------------------------------------------------
/docs/online-boutique-asm-manifests/base/for-virtualservice-host/kustomization.yaml:
--------------------------------------------------------------------------------
# Copyright 2022 Google LLC
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
#      http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
14 | 15 | # [START servicemesh_base_for_virtualservice_host_kustomization_component] 16 | apiVersion: kustomize.config.k8s.io/v1alpha1 17 | kind: Component 18 | patchesJson6902: 19 | - target: 20 | kind: VirtualService 21 | name: frontend 22 | patch: |- 23 | - op: replace 24 | path: /spec/hosts 25 | value: 26 | - HOST_NAME 27 | # [END servicemesh_base_for_virtualservice_host_kustomization_component] -------------------------------------------------------------------------------- /docs/online-boutique-asm-manifests/authorization-policies/for-memorystore/kustomization.yaml: -------------------------------------------------------------------------------- 1 | # Copyright 2022 Google LLC 2 | # 3 | # Licensed under the Apache License, Version 2.0 (the "License"); 4 | # you may not use this file except in compliance with the License. 5 | # You may obtain a copy of the License at 6 | # 7 | # http://www.apache.org/licenses/LICENSE-2.0 8 | # 9 | # Unless required by applicable law or agreed to in writing, software 10 | # distributed under the License is distributed on an "AS IS" BASIS, 11 | # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 12 | # See the License for the specific language governing permissions and 13 | # limitations under the License. 
14 | 15 | # [START servicemesh_authorization_policies_for_memorystore_kustomization_component] 16 | apiVersion: kustomize.config.k8s.io/v1alpha1 17 | kind: Component 18 | patchesStrategicMerge: 19 | - |- 20 | apiVersion: security.istio.io/v1beta1 21 | kind: AuthorizationPolicy 22 | metadata: 23 | name: redis-cart 24 | $patch: delete 25 | # [END servicemesh_authorization_policies_for_memorystore_kustomization_component] -------------------------------------------------------------------------------- /docs/online-boutique-asm-manifests/sidecars/all/sidecar-loadgenerator.yaml: -------------------------------------------------------------------------------- 1 | # Copyright 2022 Google LLC 2 | # 3 | # Licensed under the Apache License, Version 2.0 (the "License"); 4 | # you may not use this file except in compliance with the License. 5 | # You may obtain a copy of the License at 6 | # 7 | # http://www.apache.org/licenses/LICENSE-2.0 8 | # 9 | # Unless required by applicable law or agreed to in writing, software 10 | # distributed under the License is distributed on an "AS IS" BASIS, 11 | # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 12 | # See the License for the specific language governing permissions and 13 | # limitations under the License. 
14 | 15 | # [START servicemesh_all_sidecar_loadgenerator_sidecar_loadgenerator] 16 | apiVersion: networking.istio.io/v1beta1 17 | kind: Sidecar 18 | metadata: 19 | name: loadgenerator 20 | spec: 21 | workloadSelector: 22 | labels: 23 | app: loadgenerator 24 | egress: 25 | - hosts: 26 | - istio-system/* 27 | - ./frontend.onlineboutique.svc.cluster.local 28 | # [END servicemesh_all_sidecar_loadgenerator_sidecar_loadgenerator] -------------------------------------------------------------------------------- /docs/online-boutique-asm-manifests/sidecars/all/sidecar-productcatalogservice.yaml: -------------------------------------------------------------------------------- 1 | # Copyright 2022 Google LLC 2 | # 3 | # Licensed under the Apache License, Version 2.0 (the "License"); 4 | # you may not use this file except in compliance with the License. 5 | # You may obtain a copy of the License at 6 | # 7 | # http://www.apache.org/licenses/LICENSE-2.0 8 | # 9 | # Unless required by applicable law or agreed to in writing, software 10 | # distributed under the License is distributed on an "AS IS" BASIS, 11 | # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 12 | # See the License for the specific language governing permissions and 13 | # limitations under the License. 
14 | 15 | # [START servicemesh_all_sidecar_productcatalogservice_sidecar_productcatalogservice] 16 | apiVersion: networking.istio.io/v1beta1 17 | kind: Sidecar 18 | metadata: 19 | name: productcatalogservice 20 | spec: 21 | workloadSelector: 22 | labels: 23 | app: productcatalogservice 24 | egress: 25 | - hosts: 26 | - istio-system/* 27 | # [END servicemesh_all_sidecar_productcatalogservice_sidecar_productcatalogservice] -------------------------------------------------------------------------------- /docs/security/update-authentication-policies/security_auth_peerauthentication.yaml: -------------------------------------------------------------------------------- 1 | 2 | # Copyright 2021 Google LLC 3 | # 4 | # Licensed under the Apache License, Version 2.0 (the "License"); 5 | # you may not use this file except in compliance with the License. 6 | # You may obtain a copy of the License at 7 | # 8 | # http://www.apache.org/licenses/LICENSE-2.0 9 | # 10 | # Unless required by applicable law or agreed to in writing, software 11 | # distributed under the License is distributed on an "AS IS" BASIS, 12 | # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 13 | # See the License for the specific language governing permissions and 14 | # limitations under the License. 
# [START servicemesh_update_authentication_policies_security_auth_peerauthentication_peerauthentication_default]
# PeerAuthentication named "default" in istio-system with no workload selector.
# NOTE(review): this is mesh-wide only if istio-system is the mesh root
# namespace (the Istio default) - confirm for the target installation.
apiVersion: security.istio.io/v1beta1
kind: PeerAuthentication
metadata:
  name: default
  namespace: istio-system
spec:
  mtls:
    # PERMISSIVE: workloads accept both mutual-TLS and plaintext traffic.
    # Requests that arrive in plaintext carry no authenticated peer identity,
    # so AuthorizationPolicy rules keyed on principals cannot match them.
    # STRICT is the setting that refuses plaintext.
    mode: PERMISSIVE
# [END servicemesh_update_authentication_policies_security_auth_peerauthentication_peerauthentication_default]
---

--------------------------------------------------------------------------------
/docs/canary-service/destination-v1-v2.yaml:
--------------------------------------------------------------------------------

# Copyright 2022 Google LLC
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
#      http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
15 | 16 | # [START servicemesh_canary_service_destination_v1_v2_destinationrule_productcatalogservice] 17 | apiVersion: networking.istio.io/v1beta1 18 | kind: DestinationRule 19 | metadata: 20 | name: productcatalogservice 21 | spec: 22 | host: productcatalogservice 23 | subsets: 24 | - labels: 25 | version: v1 26 | name: v1 27 | - labels: 28 | version: v2 29 | name: v2 30 | # [END servicemesh_canary_service_destination_v1_v2_destinationrule_productcatalogservice] -------------------------------------------------------------------------------- /docs/enabling-optional-features/gke_cni.yaml: -------------------------------------------------------------------------------- 1 | 2 | # Copyright 2021 Google LLC 3 | # 4 | # Licensed under the Apache License, Version 2.0 (the "License"); 5 | # you may not use this file except in compliance with the License. 6 | # You may obtain a copy of the License at 7 | # 8 | # http://www.apache.org/licenses/LICENSE-2.0 9 | # 10 | # Unless required by applicable law or agreed to in writing, software 11 | # distributed under the License is distributed on an "AS IS" BASIS, 12 | # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 13 | # See the License for the specific language governing permissions and 14 | # limitations under the License. 
15 | 16 | # [START servicemesh_enabling_optional_features_gke_cni_istiooperator] 17 | apiVersion: install.istio.io/v1alpha1 18 | kind: IstioOperator 19 | spec: 20 | components: 21 | cni: 22 | enabled: true 23 | namespace: kube-system 24 | values: 25 | cni: 26 | cniBinDir: /home/kubernetes/bin 27 | excludeNamespaces: 28 | - istio-system 29 | - kube-system 30 | # [END servicemesh_enabling_optional_features_gke_cni_istiooperator] 31 | --- 32 | -------------------------------------------------------------------------------- /docs/online-boutique-asm-manifests/base/all/virtualservice.yaml: -------------------------------------------------------------------------------- 1 | 2 | # Copyright 2022 Google LLC 3 | # 4 | # Licensed under the Apache License, Version 2.0 (the "License"); 5 | # you may not use this file except in compliance with the License. 6 | # You may obtain a copy of the License at 7 | # 8 | # http://www.apache.org/licenses/LICENSE-2.0 9 | # 10 | # Unless required by applicable law or agreed to in writing, software 11 | # distributed under the License is distributed on an "AS IS" BASIS, 12 | # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 13 | # See the License for the specific language governing permissions and 14 | # limitations under the License. 
15 | 16 | # [START servicemesh_all_virtualservice_virtualservice_frontend] 17 | apiVersion: networking.istio.io/v1alpha3 18 | kind: VirtualService 19 | metadata: 20 | name: frontend 21 | spec: 22 | hosts: 23 | - "*" 24 | gateways: 25 | - asm-ingress/asm-ingressgateway 26 | http: 27 | - route: 28 | - destination: 29 | host: frontend 30 | port: 31 | number: 80 32 | # [END servicemesh_all_virtualservice_virtualservice_frontend] 33 | -------------------------------------------------------------------------------- /docs/online-boutique-asm-manifests/base/all/kustomization.yaml: -------------------------------------------------------------------------------- 1 | # Copyright 2022 Google LLC 2 | # 3 | # Licensed under the Apache License, Version 2.0 (the "License"); 4 | # you may not use this file except in compliance with the License. 5 | # You may obtain a copy of the License at 6 | # 7 | # http://www.apache.org/licenses/LICENSE-2.0 8 | # 9 | # Unless required by applicable law or agreed to in writing, software 10 | # distributed under the License is distributed on an "AS IS" BASIS, 11 | # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 12 | # See the License for the specific language governing permissions and 13 | # limitations under the License. 
# [START servicemesh_base_all_kustomization_kustomization]
# Base overlay: pulls the upstream Online Boutique manifests, adds the local
# VirtualService and Namespace, and removes the frontend-external Service.
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
# Remote base resolved at build time. ref=main follows a moving branch, so the
# rendered manifests change whenever upstream does and a build is not
# reproducible. Pinning to a release tag or full commit SHA
# (?ref=<TAG_OR_COMMIT_SHA>) fixes what gets deployed.
- github.com/GoogleCloudPlatform/microservices-demo/kustomize/base?ref=main
- virtualservice.yaml
- namespace.yaml
patchesStrategicMerge:
# Deletes the Service named frontend-external from the upstream base.
# NOTE(review): presumably so the frontend is reachable only through the mesh
# ingress gateway referenced by virtualservice.yaml - confirm.
- |-
  apiVersion: v1
  kind: Service
  metadata:
    name: frontend-external
  $patch: delete
# [END servicemesh_base_all_kustomization_kustomization]

--------------------------------------------------------------------------------
/demos/bank-of-anthos-asm-manifests/deployment-manifests/asm-gateway.yaml:
--------------------------------------------------------------------------------

# Copyright 2021 Google LLC
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
#      http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
# [START servicemesh_deployment_manifests_asm_gateway_gateway_bank_of_anthos_gateway]
# Gateway bound to the workloads labelled istio: ingressgateway. It declares a
# single server: plaintext HTTP on port 80, for any host name.
apiVersion: networking.istio.io/v1beta1
kind: Gateway
metadata:
  name: bank-of-anthos-gateway
spec:
  selector:
    istio: ingressgateway
  servers:
  # No tls block on this server, so traffic between the client and the gateway
  # is unencrypted. Outside a demo, an HTTPS server (tls.mode plus
  # tls.credentialName) and tls.httpsRedirect on the port-80 server keep
  # session data off the wire in clear text.
  - port:
      number: 80
      name: http
      protocol: HTTP
    hosts:
    # '*' matches every Host header; listing the expected host names narrows
    # what the gateway will route.
    - '*'
# [END servicemesh_deployment_manifests_asm_gateway_gateway_bank_of_anthos_gateway]
---

--------------------------------------------------------------------------------
/docs/enabling-optional-features/gke_on_prem_cni.yaml:
--------------------------------------------------------------------------------

# Copyright 2021 Google LLC
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
#      http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
15 | 16 | # [START servicemesh_enabling_optional_features_gke_on_prem_cni_istiooperator] 17 | apiVersion: install.istio.io/v1alpha1 18 | kind: IstioOperator 19 | spec: 20 | components: 21 | cni: 22 | enabled: true 23 | namespace: kube-system 24 | values: 25 | cni: 26 | cniBinDir: /opt/cni/bin 27 | excludeNamespaces: 28 | - istio-system 29 | - kube-system 30 | - gke-system 31 | # [END servicemesh_enabling_optional_features_gke_on_prem_cni_istiooperator] 32 | --- 33 | -------------------------------------------------------------------------------- /docs/mtls-egress-ingress/terraform/variables.tf: -------------------------------------------------------------------------------- 1 | /** 2 | * Copyright 2018 Google LLC 3 | * 4 | * Licensed under the Apache License, Version 2.0 (the "License"); 5 | * you may not use this file except in compliance with the License. 6 | * You may obtain a copy of the License at 7 | * 8 | * http://www.apache.org/licenses/LICENSE-2.0 9 | * 10 | * Unless required by applicable law or agreed to in writing, software 11 | * distributed under the License is distributed on an "AS IS" BASIS, 12 | * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 13 | * See the License for the specific language governing permissions and 14 | * limitations under the License. 
15 | */ 16 | 17 | variable "project_id" { 18 | description = "The project ID to host the cluster in" 19 | } 20 | 21 | variable "region" { 22 | description = "The region to host the cluster in" 23 | default = "us-central1" 24 | } 25 | 26 | variable "zones" { 27 | type = list(string) 28 | default = ["us-central1-a"] 29 | description = "The zone to host the cluster in (required if is a zonal cluster)" 30 | } 31 | 32 | variable "kops-gce" { 33 | type = string 34 | default = "AlphaAllowGCE" 35 | } -------------------------------------------------------------------------------- /docs/online-boutique-asm-manifests/kustomization.yaml: -------------------------------------------------------------------------------- 1 | # Copyright 2022 Google LLC 2 | # 3 | # Licensed under the Apache License, Version 2.0 (the "License"); 4 | # you may not use this file except in compliance with the License. 5 | # You may obtain a copy of the License at 6 | # 7 | # http://www.apache.org/licenses/LICENSE-2.0 8 | # 9 | # Unless required by applicable law or agreed to in writing, software 10 | # distributed under the License is distributed on an "AS IS" BASIS, 11 | # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 12 | # See the License for the specific language governing permissions and 13 | # limitations under the License. 
14 | 15 | # [START servicemesh_docs_online_boutique_asm_manifests_kustomization_kustomization] 16 | apiVersion: kustomize.config.k8s.io/v1beta1 17 | kind: Kustomization 18 | resources: 19 | - base/all 20 | components: 21 | - base/for-namespace 22 | - service-accounts/all 23 | - authorization-policies/all 24 | - authorization-policies/for-ingress-gateway 25 | - authorization-policies/for-namespace 26 | - sidecars/all 27 | - sidecars/for-namespace 28 | # [END servicemesh_docs_online_boutique_asm_manifests_kustomization_kustomization] -------------------------------------------------------------------------------- /docs/online-boutique-asm-manifests/sidecars/all/sidecar-recommendationservice.yaml: -------------------------------------------------------------------------------- 1 | # Copyright 2022 Google LLC 2 | # 3 | # Licensed under the Apache License, Version 2.0 (the "License"); 4 | # you may not use this file except in compliance with the License. 5 | # You may obtain a copy of the License at 6 | # 7 | # http://www.apache.org/licenses/LICENSE-2.0 8 | # 9 | # Unless required by applicable law or agreed to in writing, software 10 | # distributed under the License is distributed on an "AS IS" BASIS, 11 | # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 12 | # See the License for the specific language governing permissions and 13 | # limitations under the License. 
14 | 15 | # [START servicemesh_all_sidecar_recommendationservice_sidecar_recommendationservice] 16 | apiVersion: networking.istio.io/v1beta1 17 | kind: Sidecar 18 | metadata: 19 | name: recommendationservice 20 | spec: 21 | workloadSelector: 22 | labels: 23 | app: recommendationservice 24 | egress: 25 | - hosts: 26 | - istio-system/* 27 | - ./productcatalogservice.onlineboutique.svc.cluster.local 28 | # [END servicemesh_all_sidecar_recommendationservice_sidecar_recommendationservice] -------------------------------------------------------------------------------- /docs/ingress-gateway-asm-manifests/with-authorization-policies/authorizationpolicy.yaml: -------------------------------------------------------------------------------- 1 | # Copyright 2022 Google LLC 2 | # 3 | # Licensed under the Apache License, Version 2.0 (the "License"); 4 | # you may not use this file except in compliance with the License. 5 | # You may obtain a copy of the License at 6 | # 7 | # http://www.apache.org/licenses/LICENSE-2.0 8 | # 9 | # Unless required by applicable law or agreed to in writing, software 10 | # distributed under the License is distributed on an "AS IS" BASIS, 11 | # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 12 | # See the License for the specific language governing permissions and 13 | # limitations under the License. 
14 | 15 | # [START servicemesh_with_authorization_policies_authorizationpolicy_authorizationpolicy_asm_ingressgateway] 16 | apiVersion: security.istio.io/v1beta1 17 | kind: AuthorizationPolicy 18 | metadata: 19 | name: asm-ingressgateway 20 | spec: 21 | selector: 22 | matchLabels: 23 | asm: ingressgateway 24 | rules: 25 | - to: 26 | - operation: 27 | ports: 28 | - "8080" 29 | # [END servicemesh_with_authorization_policies_authorizationpolicy_authorizationpolicy_asm_ingressgateway] -------------------------------------------------------------------------------- /CONTRIBUTING.md: -------------------------------------------------------------------------------- 1 | # How to Contribute 2 | 3 | We'd love to accept your patches and contributions to this project. There are 4 | just a few small guidelines you need to follow. 5 | 6 | ## Contributor License Agreement 7 | 8 | Contributions to this project must be accompanied by a Contributor License 9 | Agreement. You (or your employer) retain the copyright to your contribution; 10 | this simply gives us permission to use and redistribute your contributions as 11 | part of the project. Head over to to see 12 | your current agreements on file or to sign a new one. 13 | 14 | You generally only need to submit a CLA once, so if you've already submitted one 15 | (even if it was for a different project), you probably don't need to do it 16 | again. 17 | 18 | ## Code reviews 19 | 20 | All submissions, including submissions by project members, require review. We 21 | use GitHub pull requests for this purpose. Consult 22 | [GitHub Help](https://help.github.com/articles/about-pull-requests/) for more 23 | information on using pull requests. 24 | 25 | ## Community Guidelines 26 | 27 | This project follows 28 | [Google's Open Source Community Guidelines](https://opensource.google.com/conduct/). 
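--------------------------------------------------------------------------------
/docs/mtls-egress-ingress/setup-istioctl.sh:
--------------------------------------------------------------------------------

# Copyright 2021 Google LLC
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
#      http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.

# [START servicemesh_mtls_egress_ingress_setup_istioctl]
# Downloads the pinned ASM istio release archive for the local OS, unpacks it
# in the current directory and puts its bin/ directory first on PATH.
#
# The final cd/export only reach the caller's shell when this file is sourced;
# the exit statements below will then also end that shell.
#
# NOTE(review): the version is a fixed, dated release - confirm it is still a
# supported one before reusing this snippet.
ASM_VERSION="1.6.11-asm.1"

uname_out="$(uname -s)"
case "${uname_out}" in
  Linux*) OS=linux-amd64 ;;
  Darwin*) OS=osx ;;
  *)
    # Unsupported platform: say so and stop with a failure status instead of
    # exiting silently with the status of the previous command.
    echo "Unsupported OS: ${uname_out}" >&2
    exit 1
    ;;
esac

SUFFIX="${ASM_VERSION}-${OS}"

# -f makes curl fail on an HTTP error instead of saving the error page under
# the archive's name and handing it to tar.
curl -fLO "https://storage.googleapis.com/gke-release/asm/istio-${SUFFIX}.tar.gz" || exit 1

# NOTE(review): the archive is unpacked, and its binaries put first on PATH,
# without any integrity check. Verify it against a digest obtained from a
# trusted channel before extracting, for example:
#   echo "<EXPECTED_SHA256>  istio-${SUFFIX}.tar.gz" | sha256sum -c - || exit 1
tar xzf "istio-${SUFFIX}.tar.gz" || exit 1

# Stop if the expected directory is missing rather than exporting a PATH that
# points at whatever directory the caller happened to be in.
cd "istio-${ASM_VERSION}" || exit 1
export PATH="$PWD/bin:$PATH"

# [END servicemesh_mtls_egress_ingress_setup_istioctl]
--------------------------------------------------------------------------------
/docs/mtls-egress-ingress/terraform/clean-up-fw-rules-of-cluster.sh:
--------------------------------------------------------------------------------

# Copyright 2021 Google LLC
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.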
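# You may obtain a copy of the License at
#
#      http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.

# [START servicemesh_terraform_clean_up_fw_rules_of_cluster]
#!/bin/bash
# NOTE(review): a shebang is honoured only as the first line of a file. Here it
# follows the license header, so it is an ordinary comment and the interpreter
# is whichever shell the caller runs the script with. The loop below therefore
# sticks to POSIX sh constructs.
#
# Repeatedly lists the firewall rules returned by the name=example-vpc filter
# and deletes each one, five passes with a five-second pause after each.
#
# gcloud acts on whichever project is active in the caller's configuration and
# -q suppresses the confirmation prompt, so every rule the filter returns is
# removed without review. Check the active project and the filter output
# (run the "list" half on its own) before using this outside the tutorial.

x=1
max=5

while [ "$x" -le "$max" ]
do
  echo "Deleting GKE FW-rules for the $x out of $max times."
  # xargs -I {} runs one delete per listed rule name; an empty list runs none.
  gcloud compute firewall-rules list --filter="name=example-vpc" \
    --format="value(name)" | xargs -I {} gcloud compute firewall-rules delete {} -q
  x=$((x + 1))
  echo "Sleeping for 5 seconds now."
  sleep 5
done

# [END servicemesh_terraform_clean_up_fw_rules_of_cluster]
--------------------------------------------------------------------------------
/demos/asm-mcp-multi-clusters/terraform/providers.tf:
--------------------------------------------------------------------------------
# Copyright 2022 Google LLC
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
#      http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.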
14 | 15 | terraform { 16 | required_providers { 17 | google = { 18 | source = "hashicorp/google" 19 | version = "7.13.0" 20 | } 21 | 22 | google-beta = { 23 | source = "hashicorp/google-beta" 24 | version = "7.13.0" 25 | } 26 | } 27 | } 28 | 29 | provider "google" { 30 | project = var.gcp_project_id 31 | region = var.gcp_region 32 | zone = var.gcp_zone 33 | } 34 | 35 | provider "google-beta" { 36 | project = var.gcp_project_id 37 | region = var.gcp_region 38 | zone = var.gcp_zone 39 | } 40 | -------------------------------------------------------------------------------- /demos/asm-mcp-multi-clusters/terraform/lab_materials/bank-of-anthos/manifests/loadgenerator.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: v1 2 | kind: ServiceAccount 3 | metadata: 4 | name: loadgenerator 5 | namespace: bank-of-anthos 6 | --- 7 | apiVersion: apps/v1 8 | kind: Deployment 9 | metadata: 10 | name: loadgenerator 11 | namespace: bank-of-anthos 12 | spec: 13 | selector: 14 | matchLabels: 15 | app: loadgenerator 16 | replicas: 1 17 | template: 18 | metadata: 19 | labels: 20 | app: loadgenerator 21 | annotations: 22 | sidecar.istio.io/rewriteAppHTTPProbers: "true" 23 | spec: 24 | serviceAccountName: loadgenerator 25 | terminationGracePeriodSeconds: 5 26 | restartPolicy: Always 27 | containers: 28 | - name: loadgenerator 29 | image: gcr.io/bank-of-anthos-ci/loadgenerator:v0.5.4 30 | env: 31 | - name: FRONTEND_ADDR 32 | value: "frontend:80" 33 | - name: USERS 34 | value: "5" 35 | - name: LOG_LEVEL 36 | value: "error" 37 | resources: 38 | requests: 39 | cpu: 100m 40 | memory: 512Mi 41 | limits: 42 | cpu: 250m 43 | memory: 1Gi -------------------------------------------------------------------------------- /docs/iap-integration/load_balancer_ingress.yaml: -------------------------------------------------------------------------------- 1 | 2 | # Copyright 2021 Google LLC 3 | # 4 | # Licensed under the Apache License, Version 2.0 (the 
"License"); 5 | # you may not use this file except in compliance with the License. 6 | # You may obtain a copy of the License at 7 | # 8 | # http://www.apache.org/licenses/LICENSE-2.0 9 | # 10 | # Unless required by applicable law or agreed to in writing, software 11 | # distributed under the License is distributed on an "AS IS" BASIS, 12 | # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 13 | # See the License for the specific language governing permissions and 14 | # limitations under the License. 15 | 16 | # [START servicemesh_iap_integration_load_balancer_ingress_ingress_example_ingress] 17 | apiVersion: extensions/v1beta1 18 | kind: Ingress 19 | metadata: 20 | name: example-ingress 21 | namespace: istio-system 22 | annotations: 23 | kubernetes.io/ingress.global-static-ip-name: example-static-ip 24 | networking.gke.io/managed-certificates: example-certificate 25 | spec: 26 | backend: 27 | serviceName: istio-ingressgateway 28 | servicePort: 80 29 | # [END servicemesh_iap_integration_load_balancer_ingress_ingress_example_ingress] 30 | --- 31 | -------------------------------------------------------------------------------- /docs/canary-service/vs-split-traffic.yaml: -------------------------------------------------------------------------------- 1 | # Copyright 2020 Google LLC 2 | # 3 | # Licensed under the Apache License, Version 2.0 (the "License"); 4 | # you may not use this file except in compliance with the License. 5 | # You may obtain a copy of the License at 6 | # 7 | # http://www.apache.org/licenses/LICENSE-2.0 8 | # 9 | # Unless required by applicable law or agreed to in writing, software 10 | # distributed under the License is distributed on an "AS IS" BASIS, 11 | # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 12 | # See the License for the specific language governing permissions and 13 | # limitations under the License. 
14 | 15 | # [START servicemesh_canary_service_vs_split_traffic_virtualservice_productcatalogservice] 16 | apiVersion: networking.istio.io/v1beta1 17 | kind: VirtualService 18 | metadata: 19 | name: productcatalogservice 20 | spec: 21 | hosts: 22 | - productcatalogservice 23 | http: 24 | - route: 25 | - destination: 26 | host: productcatalogservice 27 | subset: v1 28 | weight: 75 29 | - destination: 30 | host: productcatalogservice 31 | subset: v2 32 | weight: 25 33 | # [END servicemesh_canary_service_vs_split_traffic_virtualservice_productcatalogservice] -------------------------------------------------------------------------------- /demos/asm-mcp-multi-clusters/instructions/img/gcp.svg: -------------------------------------------------------------------------------- 1 | -------------------------------------------------------------------------------- /docs/online-boutique-asm-manifests/authorization-policies/all/authorization-policy-redis.yaml: -------------------------------------------------------------------------------- 1 | # Copyright 2022 Google LLC 2 | # 3 | # Licensed under the Apache License, Version 2.0 (the "License"); 4 | # you may not use this file except in compliance with the License. 5 | # You may obtain a copy of the License at 6 | # 7 | # http://www.apache.org/licenses/LICENSE-2.0 8 | # 9 | # Unless required by applicable law or agreed to in writing, software 10 | # distributed under the License is distributed on an "AS IS" BASIS, 11 | # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 12 | # See the License for the specific language governing permissions and 13 | # limitations under the License. 

# [START servicemesh_all_authorization_policy_redis_authorizationpolicy_redis_cart]
# ALLOW policy (no `action` is set) for workloads labelled app=redis-cart: only the
# cartservice service account in namespace onlineboutique may connect, and only on
# port 6379. Once an ALLOW policy selects a workload, a request that matches no ALLOW
# rule is denied.
# `principals` is the peer identity taken from the mTLS certificate, so a plain-text
# caller never matches this rule.
# NOTE(review): the policy has no metadata.namespace while the principal hard-codes
# `onlineboutique`; adjust the principal when deploying to another namespace.
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: redis-cart
spec:
  selector:
    matchLabels:
      app: redis-cart
  rules:
  - from:
    - source:
        principals:
        - cluster.local/ns/onlineboutique/sa/cartservice
    to:
    - operation:
        ports:
        - "6379"
# [END servicemesh_all_authorization_policy_redis_authorizationpolicy_redis_cart]
--------------------------------------------------------------------------------
/docs/online-boutique-asm-manifests/sidecars/for-memorystore/kustomization.yaml:
--------------------------------------------------------------------------------
# Copyright 2022 Google LLC
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
#     http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.

# [START servicemesh_sidecars_for_memorystore_kustomization_component]
# Kustomize Component with two patches:
#   1. replaces the first egress host list of the `cartservice` Sidecar with
#      "istio-system/*" only;
#   2. deletes the `redis-cart` Sidecar resource.
# Presumably used when the cart store is Memorystore rather than the in-cluster
# redis-cart workload (inferred from the directory name) — TODO confirm.
# NOTE(review): a Sidecar egress list limits what the proxy is configured to reach;
# whether traffic to unlisted destinations is actually blocked depends on the mesh-wide
# outboundTrafficPolicy, which is not shown here.
apiVersion: kustomize.config.k8s.io/v1alpha1
kind: Component
patchesJson6902:
- target:
    kind: Sidecar
    name: cartservice
  patch: |-
    - op: replace
      path: /spec/egress/0/hosts
      value:
        - "istio-system/*"
patchesStrategicMerge:
- |-
  apiVersion: networking.istio.io/v1beta1
  kind: Sidecar
  metadata:
    name: redis-cart
  $patch: delete
# [END servicemesh_sidecars_for_memorystore_kustomization_component]
--------------------------------------------------------------------------------
/docs/online-boutique-asm-manifests/authorization-policies/all/authorization-policy-frontend.yaml:
--------------------------------------------------------------------------------
# Copyright 2022 Google LLC
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
#     http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.

# [START servicemesh_all_authorization_policy_frontend_authorizationpolicy_frontend]
# ALLOW policy (no `action` is set) for workloads labelled app=frontend: GET and POST
# on port 8080 only.
# NOTE(review): `principals: '*'` still requires an mTLS-authenticated peer, but it
# accepts every identity in the mesh, whatever its namespace or service account.
# Where the frontend should only be reached through known callers, narrow this list to
# their service accounts; the for-ingress-gateway component in this repository patches
# exactly this field.
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: frontend
spec:
  selector:
    matchLabels:
      app: frontend
  rules:
  - from:
    - source:
        principals:
        - '*'
    to:
    - operation:
        methods:
        - GET
        - POST
        ports:
        - "8080"
# [END servicemesh_all_authorization_policy_frontend_authorizationpolicy_frontend]
--------------------------------------------------------------------------------
/docs/online-boutique-asm-manifests/sidecars/all/kustomization.yaml:
--------------------------------------------------------------------------------
# Copyright 2022 Google LLC
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
#     http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.

# [START servicemesh_sidecars_all_kustomization_component]
# Kustomize Component that pulls in one Sidecar manifest per Online Boutique workload.
# Only the file names are listed here; the Sidecar definitions live in those files.
apiVersion: kustomize.config.k8s.io/v1alpha1
kind: Component
resources:
- sidecar-adservice.yaml
- sidecar-cartservice.yaml
- sidecar-checkoutservice.yaml
- sidecar-currencyservice.yaml
- sidecar-emailservice.yaml
- sidecar-frontend.yaml
- sidecar-loadgenerator.yaml
- sidecar-paymentservice.yaml
- sidecar-productcatalogservice.yaml
- sidecar-recommendationservice.yaml
- sidecar-redis.yaml
- sidecar-shippingservice.yaml
# [END servicemesh_sidecars_all_kustomization_component]
--------------------------------------------------------------------------------
/docs/authorization/currency-allow-frontend-checkout.yaml:
--------------------------------------------------------------------------------
# Copyright 2022 Google LLC
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
#     http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.

# [START servicemesh_authorization_currency_allow_frontend_checkout_authorizationpolicy_currency_policy]
# ALLOW policy (no `action` is set) for workloads labelled app=currencyservice, with
# one rule per caller identity: the frontend and checkoutservice service accounts in
# namespace onlineboutique.
# Neither rule has a `to` section, so a matching caller is allowed on every port, path
# and method. Other callers are denied unless another ALLOW policy admits them.
# `principals` is the mTLS peer identity; a caller without a mesh certificate never
# matches.
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: currency-policy
spec:
  selector:
    matchLabels:
      app: currencyservice
  rules:
  - from:
    - source:
        principals: ["cluster.local/ns/onlineboutique/sa/frontend"]
  - from:
    - source:
        principals: ["cluster.local/ns/onlineboutique/sa/checkoutservice"]
# [END servicemesh_authorization_currency_allow_frontend_checkout_authorizationpolicy_currency_policy]

--------------------------------------------------------------------------------
/docs/online-boutique-asm-manifests/authorization-policies/for-ingress-gateway/kustomization.yaml:
--------------------------------------------------------------------------------
# Copyright 2022 Google LLC
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
#     http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.

# [START servicemesh_authorization_policies_for_ingress_gateway_kustomization_component]
# Kustomize Component: replaces the principals of the first rule of the `frontend`
# AuthorizationPolicy with two service-account identities (load generator and ingress
# gateway).
# ONLINEBOUTIQUE_NAMESPACE, INGRESS_GATEWAY_NAMESPACE and INGRESS_GATEWAY_NAME look like
# placeholders to substitute before building — TODO confirm. Left as-is they name
# identities that presumably do not exist, so the frontend would admit neither caller.
# NOTE(review): the second entry uses the gateway name as the service-account name;
# check that against the gateway's Deployment.
apiVersion: kustomize.config.k8s.io/v1alpha1
kind: Component
patchesJson6902:
- target:
    kind: AuthorizationPolicy
    name: frontend
  patch: |-
    - op: replace
      path: /spec/rules/0/from/0/source/principals
      value:
        - cluster.local/ns/ONLINEBOUTIQUE_NAMESPACE/sa/loadgenerator
        - cluster.local/ns/INGRESS_GATEWAY_NAMESPACE/sa/INGRESS_GATEWAY_NAME
# [END servicemesh_authorization_policies_for_ingress_gateway_kustomization_component]
--------------------------------------------------------------------------------
/docs/security/update-authentication-policies/security_auth_policy.yaml:
--------------------------------------------------------------------------------

# Copyright 2021 Google LLC
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
#     http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.

# [START servicemesh_update_authentication_policies_security_auth_policy_policy_jwt_example]
# Alpha policy for authentication to enable Origin Authentication for the httpbin service.
# NOTE(review): authentication.istio.io/v1alpha1 `Policy` is the legacy authentication
# API; current Istio releases use security.istio.io RequestAuthentication and
# PeerAuthentication instead. The directory name suggests this file is the "before"
# half of a migration — TODO confirm.
# The issuer and jwksUri are the Istio sample values (release-1.5 branch). That key set
# is published for demonstrations, so it must not gate access to anything real; use the
# issuer and JWKS endpoint of your own identity provider outside a test mesh.
apiVersion: authentication.istio.io/v1alpha1
kind: Policy
metadata:
  name: jwt-example
spec:
  targets:
  - name: httpbin
  origins:
  - jwt:
      issuer: testing@secure.istio.io
      jwksUri: https://raw.githubusercontent.com/istio/istio/release-1.5/security/tools/jwt/samples/jwks.json
# [END servicemesh_update_authentication_policies_security_auth_policy_policy_jwt_example]
---

--------------------------------------------------------------------------------
/docs/security/update-authentication-policies/security_auth_requestauthentication.yaml:
--------------------------------------------------------------------------------

# Copyright 2021 Google LLC
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
#     http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
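
# [START servicemesh_update_authentication_policies_security_auth_requestauthentication_requestauthentication_jwt_example]
# RequestAuthentication for workloads labelled app=httpbin: a JWT presented with a
# request must come from the listed issuer and verify against the listed JWKS.
# NOTE(review): RequestAuthentication rejects only requests that carry an invalid
# token; a request with no token at all is still admitted. To require a token, pair
# this with an AuthorizationPolicy that matches on `requestPrincipals`.
# The issuer and jwksUri are the Istio sample values (release-1.5 branch), published
# for demonstrations; replace them with your identity provider's outside a test mesh.
apiVersion: security.istio.io/v1beta1
kind: RequestAuthentication
metadata:
  name: jwt-example
spec:
  selector:
    matchLabels:
      app: httpbin
  jwtRules:
  - issuer: testing@secure.istio.io
    jwksUri: https://raw.githubusercontent.com/istio/istio/release-1.5/security/tools/jwt/samples/jwks.json
# [END servicemesh_update_authentication_policies_security_auth_requestauthentication_requestauthentication_jwt_example]
---

--------------------------------------------------------------------------------
/docs/mtls-egress-ingress/server/httpbin-server/clean-up.sh:
--------------------------------------------------------------------------------

# Copyright 2021 Google LLC
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
#     http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.

# [START servicemesh_httpbin_server_clean_up]
# Deletes the httpbin demo objects: the gateway, the virtual service, the two TLS
# secrets in istio-system, and the httpbin service account, service and deployment.
# Every delete uses --ignore-not-found, so the script can be run repeatedly.
DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )"

# The deletes below act on whatever kubectl context is current. Stop here if the
# set-project-and-cluster-server.sh script (presumably the one that selects the project
# and cluster) cannot be read; this also covers an empty DIR after a failed cd.
# NOTE(review): a failure inside the sourced script still does not stop this script.
if [ ! -r "$DIR/../set-project-and-cluster-server.sh" ]; then
  printf '%s\n' "clean-up.sh: cannot read $DIR/../set-project-and-cluster-server.sh" >&2
  # `return` when this file is sourced, `exit` when it is executed.
  return 1 2>/dev/null || exit 1
fi
. "$DIR/../set-project-and-cluster-server.sh"

kubectl delete --ignore-not-found=true gateway gateway-mutual
kubectl delete --ignore-not-found=true virtualservice virtual-service
kubectl delete --ignore-not-found=true -n istio-system secret httpbin-credential \
  httpbin-credential-cacert

kubectl delete --ignore-not-found=true sa httpbin
kubectl delete --ignore-not-found=true service httpbin
kubectl delete --ignore-not-found=true deploy httpbin
# [END servicemesh_httpbin_server_clean_up]
--------------------------------------------------------------------------------
/docs/mtls-egress-ingress/server/mysql-server/clean-up.sh:
--------------------------------------------------------------------------------

# Copyright 2021 Google LLC
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
#     http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.

# [START servicemesh_mysql_server_clean_up]
# Deletes the MySQL demo objects: the mysql-credential secret in istio-system, the
# gateway and virtual service, and the mysql service, deployment and volume claim.
# Every delete uses --ignore-not-found, so the script can be run repeatedly.
DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )"

# The deletes below act on whatever kubectl context is current. Stop here if the
# set-project-and-cluster-server.sh script (presumably the one that selects the project
# and cluster) cannot be read; this also covers an empty DIR after a failed cd.
# NOTE(review): a failure inside the sourced script still does not stop this script.
if [ ! -r "$DIR/../set-project-and-cluster-server.sh" ]; then
  printf '%s\n' "clean-up.sh: cannot read $DIR/../set-project-and-cluster-server.sh" >&2
  # `return` when this file is sourced, `exit` when it is executed.
  return 1 2>/dev/null || exit 1
fi
. "$DIR/../set-project-and-cluster-server.sh"

kubectl delete --ignore-not-found=true -n istio-system secret mysql-credential

# todo remove ingress patch
kubectl delete --ignore-not-found=true gateway mysql-gateway
kubectl delete --ignore-not-found=true virtualservice mysql-virtual-service

kubectl delete --ignore-not-found=true service mysql
kubectl delete --ignore-not-found=true deploy mysql
# Deleting the claim can also remove the stored database files, depending on the
# volume's reclaim policy.
kubectl delete --ignore-not-found=true pvc mysql-pv-claim

# [END servicemesh_mysql_server_clean_up]
--------------------------------------------------------------------------------
/demos/bank-of-anthos-asm-manifests/demo-manifests/frontend-custom-100-0.yml:
--------------------------------------------------------------------------------

# Copyright 2021 Google LLC
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
#     http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.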

# [START servicemesh_demo_manifests_frontend_custom_100_0_virtualservice_frontend]
# Routes every request that arrives through bank-of-anthos-gateway (any host, any path
# under /) to the frontend service: weight 0 for subset v0-5-3 and weight 100 for
# subset v0-5-3-custom, i.e. all traffic goes to the custom version.
# The subsets are only referenced here; a DestinationRule for `frontend` has to
# define them.
apiVersion: networking.istio.io/v1beta1
kind: VirtualService
metadata:
  name: frontend
spec:
  hosts:
  - '*'
  gateways:
  - bank-of-anthos-gateway
  http:
  - match:
    - uri:
        prefix: /
    route:
    - destination:
        host: frontend
        subset: v0-5-3
      weight: 0
    - destination:
        host: frontend
        subset: v0-5-3-custom
      weight: 100
# [END servicemesh_demo_manifests_frontend_custom_100_0_virtualservice_frontend]
---

--------------------------------------------------------------------------------
/demos/bank-of-anthos-asm-manifests/demo-manifests/frontend-custom-50-50.yml:
--------------------------------------------------------------------------------

# Copyright 2021 Google LLC
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
#     http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.

# [START servicemesh_demo_manifests_frontend_custom_50_50_virtualservice_frontend]
# Routes every request that arrives through bank-of-anthos-gateway (any host, any path
# under /) to the frontend service, split evenly between subsets v0-5-3 and
# v0-5-3-custom.
# The subsets are only referenced here; a DestinationRule for `frontend` has to
# define them.
apiVersion: networking.istio.io/v1beta1
kind: VirtualService
metadata:
  name: frontend
spec:
  hosts:
  - '*'
  gateways:
  - bank-of-anthos-gateway
  http:
  - match:
    - uri:
        prefix: /
    route:
    - destination:
        host: frontend
        subset: v0-5-3
      weight: 50
    - destination:
        host: frontend
        subset: v0-5-3-custom
      weight: 50
# [END servicemesh_demo_manifests_frontend_custom_50_50_virtualservice_frontend]
---

--------------------------------------------------------------------------------
/demos/bank-of-anthos-asm-manifests/demo-manifests/frontend-delay-fault-injection.yml:
--------------------------------------------------------------------------------

# Copyright 2021 Google LLC
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
#     http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.

# [START servicemesh_demo_manifests_frontend_delay_fault_injection_virtualservice_frontend]
# Fault-injection demo: requests that arrive through bank-of-anthos-gateway are routed
# to frontend subset v0-5-3, and 50% of them are held for a fixed 10s first.
# The route matches every host and path on the gateway, so the delay affects real users
# of that gateway for as long as this VirtualService is applied.
apiVersion: networking.istio.io/v1beta1
kind: VirtualService
metadata:
  name: frontend
spec:
  hosts:
  - '*'
  gateways:
  - bank-of-anthos-gateway
  http:
  - match:
    - uri:
        prefix: /
    route:
    - destination:
        host: frontend
        subset: v0-5-3
    fault:
      delay:
        fixedDelay: 10s
        percentage:
          value: 50
# [END servicemesh_demo_manifests_frontend_delay_fault_injection_virtualservice_frontend]
---

--------------------------------------------------------------------------------
/docs/security/update-auth-policies/auth_policy_oldtd.yaml:
--------------------------------------------------------------------------------

# Copyright 2021 Google LLC
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
#     http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.

# [START servicemesh_update_auth_policies_auth_policy_oldtd_authorizationpolicy_service_httpbin.default.svc.cluster.local]
# ALLOW policy (no `action` is set) in namespace default for workloads labelled
# app=httpbin: only the `sleep` service account of namespace sleep-allow may call, and
# only with GET.
# The principal is written with the trust domain `old-td`. The trust domain is part of
# the identity string, so a caller whose certificate carries another trust domain does
# not match this rule unless the mesh is configured to treat the two as aliases —
# presumably the case this sample illustrates; TODO confirm against the accompanying
# guide.
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: service-httpbin.default.svc.cluster.local
  namespace: default
spec:
  rules:
  - from:
    - source:
        principals:
        - old-td/ns/sleep-allow/sa/sleep
    to:
    - operation:
        methods:
        - GET
  selector:
    matchLabels:
      app: httpbin
# [END servicemesh_update_auth_policies_auth_policy_oldtd_authorizationpolicy_service_httpbin.default.svc.cluster.local]
---

--------------------------------------------------------------------------------
/demos/bank-of-anthos-asm-manifests/demo-manifests/frontend-http500-fault-injection.yml:
--------------------------------------------------------------------------------

# Copyright 2021 Google LLC
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
#     http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.

# [START servicemesh_demo_manifests_frontend_http500_fault_injection_virtualservice_frontend]
# Fault-injection demo: requests that arrive through bank-of-anthos-gateway are routed
# to frontend subset v0-5-3, and 50% of them are answered with HTTP 500 instead of
# being forwarded.
# The route matches every host and path on the gateway, so the errors reach real users
# of that gateway for as long as this VirtualService is applied.
apiVersion: networking.istio.io/v1beta1
kind: VirtualService
metadata:
  name: frontend
spec:
  hosts:
  - '*'
  gateways:
  - bank-of-anthos-gateway
  http:
  - match:
    - uri:
        prefix: /
    route:
    - destination:
        host: frontend
        subset: v0-5-3
    fault:
      abort:
        httpStatus: 500
        percentage:
          value: 50
# [END servicemesh_demo_manifests_frontend_http500_fault_injection_virtualservice_frontend]
---

--------------------------------------------------------------------------------
/docs/mtls-egress-ingress/client/mysql-client/virtualservice-destinationrule-from-egressgateway.yaml.tmpl:
--------------------------------------------------------------------------------
# Template (SERVICE_URL is presumably substituted before the file is applied — TODO
# confirm). Two TCP hops for MySQL traffic to SERVICE_URL:
#   - from sidecars (`mesh`), port 3306 is sent to the egress gateway's `mysql` subset
#     on port 15443;
#   - at the istio-egressgateway-mysql gateway, port 15443 is forwarded to SERVICE_URL
#     on port 13306.
apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
  name: direct-mysql-through-egress-gateway
spec:
  hosts:
  - SERVICE_URL
  gateways:
  - istio-egressgateway-mysql
  - mesh
  tcp:
  - match:
    - gateways:
      - mesh
      port: 3306
    route:
    - destination:
        host: istio-egressgateway.istio-system.svc.cluster.local
        subset: mysql
        port:
          number: 15443
      weight: 100
  - match:
    - gateways:
      - istio-egressgateway-mysql
      port: 15443
    route:
    - destination:
        host: SERVICE_URL
        port:
          number: 13306
      weight: 100
---
# Originates mutual TLS towards SERVICE_URL on port 13306, taking the client
# certificate from the `client-credential` secret and sending SERVICE_URL as SNI.
# NOTE(review): confirm that the credential also supplies a CA certificate; without
# one the proxy may not verify the server's certificate, leaving only the client side
# authenticated.
apiVersion: networking.istio.io/v1alpha3
kind: DestinationRule
metadata:
  name: originate-mtls-for-mysql
spec:
  host: SERVICE_URL
  trafficPolicy:
    loadBalancer:
      simple: ROUND_ROBIN
    portLevelSettings:
    - port:
        number: 13306
      tls:
        mode: MUTUAL
        credentialName: client-credential
        sni: SERVICE_URL
--------------------------------------------------------------------------------
/docs/online-boutique-asm-manifests/authorization-policies/all/authorization-policy-adservice.yaml:
--------------------------------------------------------------------------------
# Copyright 2022 Google LLC
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
#     http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.

# [START servicemesh_all_authorization_policy_adservice_authorizationpolicy_adservice]
# ALLOW policy (no `action` is set) for workloads labelled app=adservice: only the
# frontend service account in namespace onlineboutique, and only POST to
# /hipstershop.AdService/GetAds on port 9555.
# `principals` is the mTLS peer identity, so a plain-text caller never matches.
# NOTE(review): the policy has no metadata.namespace while the principal hard-codes
# `onlineboutique`; adjust the principal when deploying to another namespace.
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: adservice
spec:
  selector:
    matchLabels:
      app: adservice
  rules:
  - from:
    - source:
        principals:
        - cluster.local/ns/onlineboutique/sa/frontend
    to:
    - operation:
        paths:
        - /hipstershop.AdService/GetAds
        methods:
        - POST
        ports:
        - "9555"
# [END servicemesh_all_authorization_policy_adservice_authorizationpolicy_adservice]
--------------------------------------------------------------------------------
/docs/migrate-to-managed-asm/service-entry.yaml:
--------------------------------------------------------------------------------
# Copyright 2022 Google LLC
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
#     http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.

# [START servicemesh_migrate_to_managed_asm_service_entry_serviceentry_external_service_http]
# This ServiceEntry instructs the mesh to
# direct HTTP requests from the mesh that target v2.example.com to the specified IP address.
# NOTE(review): the only port is plain HTTP on 80 and the location is MESH_EXTERNAL, so
# presumably no mesh mTLS protects this hop — confirm that is acceptable for the
# migration window, or originate TLS with a DestinationRule.
# With `resolution: STATIC` the address below is used as written, without a DNS lookup.
apiVersion: networking.istio.io/v1alpha3
kind: ServiceEntry
metadata:
  name: external-service-http
spec:
  hosts:
  - v2.example.com
  location: MESH_EXTERNAL
  ports:
  - number: 80
    name: http
  resolution: STATIC
  endpoints:
  - address: 1.2.3.4 # Replace this IP address with the IP address of the ASM ingress gateway.
# [END servicemesh_migrate_to_managed_asm_service_entry_serviceentry_external_service_http]

--------------------------------------------------------------------------------
/docs/security/update-auth-policies/auth_policy_clusterlocal.yaml:
--------------------------------------------------------------------------------

# Copyright 2021 Google LLC
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
#     http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.

# [START servicemesh_update_auth_policies_auth_policy_clusterlocal_authorizationpolicy_service_httpbin.default.svc.cluster.local]
# ALLOW policy (no `action` is set) in namespace default for workloads labelled
# app=httpbin: only the `sleep` service account of namespace sleep-allow may call, and
# only with GET.
# The principal is written with the trust domain `cluster.local`; auth_policy_oldtd.yaml
# in the same directory is the same policy written with `old-td`. The trust domain is
# part of the identity string, so the value must agree with what callers' certificates
# carry (or with an alias configured in the mesh).
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: service-httpbin.default.svc.cluster.local
  namespace: default
spec:
  rules:
  - from:
    - source:
        principals:
        - cluster.local/ns/sleep-allow/sa/sleep
    to:
    - operation:
        methods:
        - GET
  selector:
    matchLabels:
      app: httpbin
# [END servicemesh_update_auth_policies_auth_policy_clusterlocal_authorizationpolicy_service_httpbin.default.svc.cluster.local]
---

--------------------------------------------------------------------------------
/docs/enabling-optional-features/enable_internal_load_balancer.yaml:
--------------------------------------------------------------------------------

# Copyright 2021 Google LLC
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
#     http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.

# [START servicemesh_enabling_optional_features_enable_internal_load_balancer_istiooperator]
# IstioOperator overlay on the `empty` profile: enables only istio-ingressgateway and
# annotates its Service with cloud.google.com/load-balancer-type so that the gateway is
# fronted by an internal load balancer rather than an external one.
# NOTE(review): status-port 15020 is listed among the Service ports, so it is exposed
# on the load balancer together with 80 and 443 — confirm that is intended.
apiVersion: install.istio.io/v1alpha1
kind: IstioOperator
spec:
  profile: empty
  components:
    ingressGateways:
    - name: istio-ingressgateway
      enabled: true
      k8s:
        serviceAnnotations:
          cloud.google.com/load-balancer-type: internal
        service:
          ports:
          - name: status-port
            port: 15020
          - name: http2
            port: 80
          - name: https
            port: 443
# [END servicemesh_enabling_optional_features_enable_internal_load_balancer_istiooperator]
---

--------------------------------------------------------------------------------
/docs/online-boutique-asm-manifests/authorization-policies/all/authorization-policy-emailservice.yaml:
--------------------------------------------------------------------------------
# Copyright 2022 Google LLC
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
#     http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.

# [START servicemesh_all_authorization_policy_emailservice_authorizationpolicy_emailservice]
# ALLOW policy (no `action` is set) for workloads labelled app=emailservice: only the
# checkoutservice service account in namespace onlineboutique, and only POST to
# /hipstershop.EmailService/SendOrderConfirmation on port 8080.
# `principals` is the mTLS peer identity, so a plain-text caller never matches.
# NOTE(review): the policy has no metadata.namespace while the principal hard-codes
# `onlineboutique`; adjust the principal when deploying to another namespace.
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: emailservice
spec:
  selector:
    matchLabels:
      app: emailservice
  rules:
  - from:
    - source:
        principals:
        - cluster.local/ns/onlineboutique/sa/checkoutservice
    to:
    - operation:
        paths:
        - /hipstershop.EmailService/SendOrderConfirmation
        methods:
        - POST
        ports:
        - "8080"
# [END servicemesh_all_authorization_policy_emailservice_authorizationpolicy_emailservice]
--------------------------------------------------------------------------------
/docs/online-boutique-asm-manifests/authorization-policies/all/authorization-policy-paymentservice.yaml:
--------------------------------------------------------------------------------
# Copyright 2022 Google LLC
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
#     http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.

# [START servicemesh_all_authorization_policy_paymentservice_authorizationpolicy_paymentservice]
# ALLOW policy (no `action` is set) for workloads labelled app=paymentservice: only the
# checkoutservice service account in namespace onlineboutique, and only POST to
# /hipstershop.PaymentService/Charge on port 50051.
# `principals` is the mTLS peer identity, so a plain-text caller never matches.
# NOTE(review): the policy has no metadata.namespace while the principal hard-codes
# `onlineboutique`; adjust the principal when deploying to another namespace.
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: paymentservice
spec:
  selector:
    matchLabels:
      app: paymentservice
  rules:
  - from:
    - source:
        principals:
        - cluster.local/ns/onlineboutique/sa/checkoutservice
    to:
    - operation:
        paths:
        - /hipstershop.PaymentService/Charge
        methods:
        - POST
        ports:
        - "50051"
# [END servicemesh_all_authorization_policy_paymentservice_authorizationpolicy_paymentservice]
--------------------------------------------------------------------------------
/docs/online-boutique-asm-manifests/authorization-policies/all/authorization-policy-checkoutservice.yaml:
--------------------------------------------------------------------------------
# Copyright 2022 Google LLC
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
#     http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
14 | 15 | # [START servicemesh_all_authorization_policy_checkoutservice_authorizationpolicy_checkoutservice] 16 | apiVersion: security.istio.io/v1beta1 17 | kind: AuthorizationPolicy 18 | metadata: 19 | name: checkoutservice 20 | spec: 21 | selector: 22 | matchLabels: 23 | app: checkoutservice 24 | rules: 25 | - from: 26 | - source: 27 | principals: 28 | - cluster.local/ns/onlineboutique/sa/frontend 29 | to: 30 | - operation: 31 | paths: 32 | - /hipstershop.CheckoutService/PlaceOrder 33 | methods: 34 | - POST 35 | ports: 36 | - "5050" 37 | # [END servicemesh_all_authorization_policy_checkoutservice_authorizationpolicy_checkoutservice] -------------------------------------------------------------------------------- /docs/online-boutique-asm-manifests/authorization-policies/all/kustomization.yaml: -------------------------------------------------------------------------------- 1 | # Copyright 2022 Google LLC 2 | # 3 | # Licensed under the Apache License, Version 2.0 (the "License"); 4 | # you may not use this file except in compliance with the License. 5 | # You may obtain a copy of the License at 6 | # 7 | # http://www.apache.org/licenses/LICENSE-2.0 8 | # 9 | # Unless required by applicable law or agreed to in writing, software 10 | # distributed under the License is distributed on an "AS IS" BASIS, 11 | # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 12 | # See the License for the specific language governing permissions and 13 | # limitations under the License. 
14 | 15 | # [START servicemesh_authorization_policies_all_kustomization_component] 16 | apiVersion: kustomize.config.k8s.io/v1alpha1 17 | kind: Component 18 | resources: 19 | - authorization-policy-adservice.yaml 20 | - authorization-policy-cartservice.yaml 21 | - authorization-policy-checkoutservice.yaml 22 | - authorization-policy-currencyservice.yaml 23 | - authorization-policy-emailservice.yaml 24 | - authorization-policy-frontend.yaml 25 | - authorization-policy-paymentservice.yaml 26 | - authorization-policy-productcatalogservice.yaml 27 | - authorization-policy-recommendationservice.yaml 28 | - authorization-policy-redis.yaml 29 | - authorization-policy-shippingservice.yaml 30 | # [END servicemesh_authorization_policies_all_kustomization_component] -------------------------------------------------------------------------------- /docs/online-boutique-asm-manifests/base/for-memorystore/kustomization.yaml: -------------------------------------------------------------------------------- 1 | 2 | # Copyright 2022 Google LLC 3 | # 4 | # Licensed under the Apache License, Version 2.0 (the "License"); 5 | # you may not use this file except in compliance with the License. 6 | # You may obtain a copy of the License at 7 | # 8 | # http://www.apache.org/licenses/LICENSE-2.0 9 | # 10 | # Unless required by applicable law or agreed to in writing, software 11 | # distributed under the License is distributed on an "AS IS" BASIS, 12 | # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 13 | # See the License for the specific language governing permissions and 14 | # limitations under the License. 
15 | 16 | # [START servicemesh_base_for_memorystore_kustomization_component] 17 | apiVersion: kustomize.config.k8s.io/v1alpha1 18 | kind: Component 19 | patchesJson6902: 20 | - target: 21 | kind: Deployment 22 | name: cartservice 23 | patch: |- 24 | - op: replace 25 | path: /spec/template/spec/containers/0/env/0 26 | value: 27 | name: REDIS_ADDR 28 | value: REDIS_IP:REDIS_PORT 29 | patchesStrategicMerge: 30 | - |- 31 | apiVersion: apps/v1 32 | kind: Deployment 33 | metadata: 34 | name: redis-cart 35 | $patch: delete 36 | - |- 37 | apiVersion: v1 38 | kind: Service 39 | metadata: 40 | name: redis-cart 41 | $patch: delete 42 | # [END servicemesh_base_for_memorystore_kustomization_component] -------------------------------------------------------------------------------- /docs/mtls-egress-ingress/terraform/kops-src/cluster/b_create-kops-cluster.sh: -------------------------------------------------------------------------------- 1 | 2 | # Copyright 2021 Google LLC 3 | # 4 | # Licensed under the Apache License, Version 2.0 (the "License"); 5 | # you may not use this file except in compliance with the License. 6 | # You may obtain a copy of the License at 7 | # 8 | # http://www.apache.org/licenses/LICENSE-2.0 9 | # 10 | # Unless required by applicable law or agreed to in writing, software 11 | # distributed under the License is distributed on an "AS IS" BASIS, 12 | # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 13 | # See the License for the specific language governing permissions and 14 | # limitations under the License. 
15 | 16 | # [START servicemesh_cluster_b_create_kops_cluster] 17 | #!/bin/bash 18 | 19 | ## TF vars 20 | export PROJECT='${project}' 21 | export GCPZONE='${zone}' 22 | export KOPS_FEATURE_FLAGS='${kops-gce}' 23 | ### 24 | # Make those eventually configurable - but for now they are fixed 25 | 26 | #source ../env-vars 27 | echo "Installing and running kops cluster now" 28 | ./kops create cluster server-cluster.k8s.local --cloud gce --zones $GCPZONE --state "gs://$PROJECT-kops-clusters/"/ --project=$PROJECT --node-count=4 29 | #echo "Cluster object has been created:" 30 | echo "Starting cluster instances now" 31 | ./kops update cluster server-cluster.k8s.local --yes --state "gs://$PROJECT-kops-clusters"/ 32 | # [END servicemesh_cluster_b_create_kops_cluster] -------------------------------------------------------------------------------- /docs/online-boutique-asm-manifests/sidecars/all/sidecar-checkoutservice.yaml: -------------------------------------------------------------------------------- 1 | # Copyright 2022 Google LLC 2 | # 3 | # Licensed under the Apache License, Version 2.0 (the "License"); 4 | # you may not use this file except in compliance with the License. 5 | # You may obtain a copy of the License at 6 | # 7 | # http://www.apache.org/licenses/LICENSE-2.0 8 | # 9 | # Unless required by applicable law or agreed to in writing, software 10 | # distributed under the License is distributed on an "AS IS" BASIS, 11 | # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 12 | # See the License for the specific language governing permissions and 13 | # limitations under the License. 
14 | 15 | # [START servicemesh_all_sidecar_checkoutservice_sidecar_checkoutservice] 16 | apiVersion: networking.istio.io/v1beta1 17 | kind: Sidecar 18 | metadata: 19 | name: checkoutservice 20 | spec: 21 | workloadSelector: 22 | labels: 23 | app: checkoutservice 24 | egress: 25 | - hosts: 26 | - istio-system/* 27 | - ./cartservice.onlineboutique.svc.cluster.local 28 | - ./currencyservice.onlineboutique.svc.cluster.local 29 | - ./emailservice.onlineboutique.svc.cluster.local 30 | - ./paymentservice.onlineboutique.svc.cluster.local 31 | - ./productcatalogservice.onlineboutique.svc.cluster.local 32 | - ./shippingservice.onlineboutique.svc.cluster.local 33 | # [END servicemesh_all_sidecar_checkoutservice_sidecar_checkoutservice] -------------------------------------------------------------------------------- /docs/online-boutique-asm-manifests/sidecars/all/sidecar-frontend.yaml: -------------------------------------------------------------------------------- 1 | # Copyright 2022 Google LLC 2 | # 3 | # Licensed under the Apache License, Version 2.0 (the "License"); 4 | # you may not use this file except in compliance with the License. 5 | # You may obtain a copy of the License at 6 | # 7 | # http://www.apache.org/licenses/LICENSE-2.0 8 | # 9 | # Unless required by applicable law or agreed to in writing, software 10 | # distributed under the License is distributed on an "AS IS" BASIS, 11 | # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 12 | # See the License for the specific language governing permissions and 13 | # limitations under the License. 
14 | 15 | # [START servicemesh_all_sidecar_frontend_sidecar_frontend] 16 | apiVersion: networking.istio.io/v1beta1 17 | kind: Sidecar 18 | metadata: 19 | name: frontend 20 | spec: 21 | workloadSelector: 22 | labels: 23 | app: frontend 24 | egress: 25 | - hosts: 26 | - istio-system/* 27 | - ./adservice.onlineboutique.svc.cluster.local 28 | - ./cartservice.onlineboutique.svc.cluster.local 29 | - ./checkoutservice.onlineboutique.svc.cluster.local 30 | - ./currencyservice.onlineboutique.svc.cluster.local 31 | - ./productcatalogservice.onlineboutique.svc.cluster.local 32 | - ./recommendationservice.onlineboutique.svc.cluster.local 33 | - ./shippingservice.onlineboutique.svc.cluster.local 34 | # [END servicemesh_all_sidecar_frontend_sidecar_frontend] -------------------------------------------------------------------------------- /demos/bank-of-anthos-asm-manifests/demo-manifests/frontend-custom-http-header.yml: -------------------------------------------------------------------------------- 1 | 2 | # Copyright 2021 Google LLC 3 | # 4 | # Licensed under the Apache License, Version 2.0 (the "License"); 5 | # you may not use this file except in compliance with the License. 6 | # You may obtain a copy of the License at 7 | # 8 | # http://www.apache.org/licenses/LICENSE-2.0 9 | # 10 | # Unless required by applicable law or agreed to in writing, software 11 | # distributed under the License is distributed on an "AS IS" BASIS, 12 | # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 13 | # See the License for the specific language governing permissions and 14 | # limitations under the License. 
15 | 16 | # [START servicemesh_demo_manifests_frontend_custom_http_header_virtualservice_frontend] 17 | apiVersion: networking.istio.io/v1beta1 18 | kind: VirtualService 19 | metadata: 20 | name: frontend 21 | spec: 22 | hosts: 23 | - '*' 24 | gateways: 25 | - bank-of-anthos-gateway 26 | http: 27 | - match: 28 | - uri: 29 | prefix: / 30 | headers: 31 | X-Beta-Tester: 32 | exact: 'true' 33 | route: 34 | - destination: 35 | host: frontend 36 | subset: v0-5-3-custom 37 | - match: 38 | - uri: 39 | prefix: / 40 | route: 41 | - destination: 42 | host: frontend 43 | subset: v0-5-3 44 | # [END servicemesh_demo_manifests_frontend_custom_http_header_virtualservice_frontend] 45 | --- 46 | -------------------------------------------------------------------------------- /docs/online-boutique-asm-manifests/authorization-policies/all/authorization-policy-recommendationservice.yaml: -------------------------------------------------------------------------------- 1 | # Copyright 2022 Google LLC 2 | # 3 | # Licensed under the Apache License, Version 2.0 (the "License"); 4 | # you may not use this file except in compliance with the License. 5 | # You may obtain a copy of the License at 6 | # 7 | # http://www.apache.org/licenses/LICENSE-2.0 8 | # 9 | # Unless required by applicable law or agreed to in writing, software 10 | # distributed under the License is distributed on an "AS IS" BASIS, 11 | # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 12 | # See the License for the specific language governing permissions and 13 | # limitations under the License. 
14 | 15 | # [START servicemesh_all_authorization_policy_recommendationservice_authorizationpolicy_recommendationservice] 16 | apiVersion: security.istio.io/v1beta1 17 | kind: AuthorizationPolicy 18 | metadata: 19 | name: recommendationservice 20 | spec: 21 | selector: 22 | matchLabels: 23 | app: recommendationservice 24 | rules: 25 | - from: 26 | - source: 27 | principals: 28 | - cluster.local/ns/onlineboutique/sa/frontend 29 | to: 30 | - operation: 31 | paths: 32 | - /hipstershop.RecommendationService/ListRecommendations 33 | methods: 34 | - POST 35 | ports: 36 | - "8080" 37 | # [END servicemesh_all_authorization_policy_recommendationservice_authorizationpolicy_recommendationservice] -------------------------------------------------------------------------------- /docs/iap-integration/rctoken_istio_ingress_gateway.yaml: -------------------------------------------------------------------------------- 1 | 2 | # Copyright 2021 Google LLC 3 | # 4 | # Licensed under the Apache License, Version 2.0 (the "License"); 5 | # you may not use this file except in compliance with the License. 6 | # You may obtain a copy of the License at 7 | # 8 | # http://www.apache.org/licenses/LICENSE-2.0 9 | # 10 | # Unless required by applicable law or agreed to in writing, software 11 | # distributed under the License is distributed on an "AS IS" BASIS, 12 | # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 13 | # See the License for the specific language governing permissions and 14 | # limitations under the License. 
15 | 16 | # [START servicemesh_iap_integration_rctoken_istio_ingress_gateway_requestauthentication_ingressgateway_jwt_policy] 17 | apiVersion: security.istio.io/v1beta1 18 | kind: RequestAuthentication 19 | metadata: 20 | name: ingressgateway-jwt-policy 21 | namespace: istio-system 22 | spec: 23 | selector: 24 | matchLabels: 25 | app: istio-ingressgateway 26 | jwtRules: 27 | - issuer: https://cloud.google.com/iap 28 | jwksUri: https://www.gstatic.com/iap/verify/public_key-jwk 29 | audiences: 30 | - 31 | fromHeaders: 32 | - name: ingress-authorization 33 | prefix: 'Istio ' 34 | outputPayloadToHeader: verified-jwt 35 | forwardOriginalToken: true 36 | # [END servicemesh_iap_integration_rctoken_istio_ingress_gateway_requestauthentication_ingressgateway_jwt_policy] 37 | --- 38 | -------------------------------------------------------------------------------- /docs/mtls-egress-ingress/client/mysql-client/clean-up.sh: -------------------------------------------------------------------------------- 1 | 2 | # Copyright 2021 Google LLC 3 | # 4 | # Licensed under the Apache License, Version 2.0 (the "License"); 5 | # you may not use this file except in compliance with the License. 6 | # You may obtain a copy of the License at 7 | # 8 | # http://www.apache.org/licenses/LICENSE-2.0 9 | # 10 | # Unless required by applicable law or agreed to in writing, software 11 | # distributed under the License is distributed on an "AS IS" BASIS, 12 | # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 13 | # See the License for the specific language governing permissions and 14 | # limitations under the License. 
15 | 16 | # [START servicemesh_mysql_client_clean_up] 17 | DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )" 18 | 19 | $DIR/../set-project-and-cluster-client.sh 20 | 21 | # todo cleanup cleanup.sh :D 22 | kubectl delete --ignore-not-found=true secret mysql-client-certs mysql-ca-certs 23 | kubectl delete --ignore-not-found=true secret mysql-client-certs mysql-ca-certs -n istio-system 24 | 25 | kubectl delete --ignore-not-found=true gateway istio-egressgateway-mysql 26 | kubectl delete --ignore-not-found=true destinationrule egressgateway-for-mysql 27 | 28 | kubectl delete --ignore-not-found=true virtualservice direct-mysql-through-egress-gateway 29 | kubectl delete --ignore-not-found=true destinationrule originate-mtls-for-mysql 30 | 31 | kubectl delete --ignore-not-found=true serviceentry mysql-external 32 | # [END servicemesh_mysql_client_clean_up] -------------------------------------------------------------------------------- /demos/asm-mcp-multi-clusters/README.md: -------------------------------------------------------------------------------- 1 | # Resources used during IstioCon 2022 for the Anthos Service Mesh (ASM) workshop 2 | 3 | The pre-provisioned infrastructure of this workshop is in the [terraform folder](./terraform). 4 | _**Important note**: These resources have been taken as-is from the Qwiklab platform in order to share them with a broader audience. But be aware that deploying the Terraform part as-is won't work and will need some extra adjustments._ 5 | 6 | The actual instructions of the workshop can be found [here](./instructions/en.md).
7 | 8 | Here is the architecture diagram for this setup: 9 | ![Architecture diagram](./instructions/img/architecture.png) 10 | 11 | This workshop is leveraging the [Bank of Anthos sample apps](https://github.com/GoogleCloudPlatform/bank-of-anthos): 12 | ![Bank of Anthos services](./instructions/img/bankofanthos-services.png) 13 | 14 | This content showcases different services such as: 15 | - [Google Kubernetes Engine (GKE)](https://cloud.google.com/kubernetes-engine) 16 | - [Anthos Service Mesh (ASM)](https://cloud.google.com/service-mesh/docs) with Managed Control Plane (MCP) and Managed Data Plane (MDP) in Multi-clusters setup 17 | - [Anthos Config Management (ACM)](https://cloud.google.com/anthos/config-management) with Policy Controller 18 | - [Multi-cluster Ingress (MCI)](https://cloud.google.com/kubernetes-engine/docs/concepts/multi-cluster-ingress) 19 | - [Cloud Trace](https://cloud.google.com/trace) 20 | - [Cloud Monitoring](https://cloud.google.com/monitoring) with creation of SLOs -------------------------------------------------------------------------------- /docs/online-boutique-asm-manifests/authorization-policies/all/authorization-policy-shippingservice.yaml: -------------------------------------------------------------------------------- 1 | # Copyright 2022 Google LLC 2 | # 3 | # Licensed under the Apache License, Version 2.0 (the "License"); 4 | # you may not use this file except in compliance with the License. 5 | # You may obtain a copy of the License at 6 | # 7 | # http://www.apache.org/licenses/LICENSE-2.0 8 | # 9 | # Unless required by applicable law or agreed to in writing, software 10 | # distributed under the License is distributed on an "AS IS" BASIS, 11 | # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 12 | # See the License for the specific language governing permissions and 13 | # limitations under the License.
14 | 15 | # [START servicemesh_all_authorization_policy_shippingservice_authorizationpolicy_shippingservice] 16 | apiVersion: security.istio.io/v1beta1 17 | kind: AuthorizationPolicy 18 | metadata: 19 | name: shippingservice 20 | spec: 21 | selector: 22 | matchLabels: 23 | app: shippingservice 24 | rules: 25 | - from: 26 | - source: 27 | principals: 28 | - cluster.local/ns/onlineboutique/sa/frontend 29 | - cluster.local/ns/onlineboutique/sa/checkoutservice 30 | to: 31 | - operation: 32 | paths: 33 | - /hipstershop.ShippingService/GetQuote 34 | - /hipstershop.ShippingService/ShipOrder 35 | methods: 36 | - POST 37 | ports: 38 | - "50051" 39 | # [END servicemesh_all_authorization_policy_shippingservice_authorizationpolicy_shippingservice] -------------------------------------------------------------------------------- /.github/workflows/tf-validate-ci.yml: -------------------------------------------------------------------------------- 1 | # Copyright 2022 Google LLC 2 | # 3 | # Licensed under the Apache License, Version 2.0 (the "License"); 4 | # you may not use this file except in compliance with the License. 5 | # You may obtain a copy of the License at 6 | # 7 | # http://www.apache.org/licenses/LICENSE-2.0 8 | # 9 | # Unless required by applicable law or agreed to in writing, software 10 | # distributed under the License is distributed on an "AS IS" BASIS, 11 | # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 12 | # See the License for the specific language governing permissions and 13 | # limitations under the License. 
14 | 15 | name: tf-validate-ci 16 | on: 17 | push: 18 | branches: 19 | - main 20 | paths: 21 | - '.github/workflows/tf-validate-ci.yml' 22 | - 'demos/asm-mcp-multi-clusters/terraform/**' 23 | pull_request: 24 | jobs: 25 | job: 26 | runs-on: ubuntu-22.04 27 | strategy: 28 | matrix: 29 | # list of directories in the repo that hosts Terraform samples 30 | # update this list as new terraform samples are added to the repo 31 | tf-sample: [ 32 | 'demos/asm-mcp-multi-clusters/terraform', 33 | ] 34 | steps: 35 | - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4 36 | - name: terraform init & validate 37 | env: 38 | SAMPLE_DIR: ${{ matrix.tf-sample }} 39 | run: | 40 | cd $SAMPLE_DIR 41 | terraform init -backend=false 42 | terraform validate 43 | -------------------------------------------------------------------------------- /docs/online-boutique-asm-manifests/authorization-policies/all/authorization-policy-cartservice.yaml: -------------------------------------------------------------------------------- 1 | # Copyright 2022 Google LLC 2 | # 3 | # Licensed under the Apache License, Version 2.0 (the "License"); 4 | # you may not use this file except in compliance with the License. 5 | # You may obtain a copy of the License at 6 | # 7 | # http://www.apache.org/licenses/LICENSE-2.0 8 | # 9 | # Unless required by applicable law or agreed to in writing, software 10 | # distributed under the License is distributed on an "AS IS" BASIS, 11 | # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 12 | # See the License for the specific language governing permissions and 13 | # limitations under the License. 
14 | 15 | # [START servicemesh_all_authorization_policy_cartservice_authorizationpolicy_cartservice] 16 | apiVersion: security.istio.io/v1beta1 17 | kind: AuthorizationPolicy 18 | metadata: 19 | name: cartservice 20 | spec: 21 | selector: 22 | matchLabels: 23 | app: cartservice 24 | rules: 25 | - from: 26 | - source: 27 | principals: 28 | - cluster.local/ns/onlineboutique/sa/frontend 29 | - cluster.local/ns/onlineboutique/sa/checkoutservice 30 | to: 31 | - operation: 32 | paths: 33 | - /hipstershop.CartService/AddItem 34 | - /hipstershop.CartService/GetCart 35 | - /hipstershop.CartService/EmptyCart 36 | methods: 37 | - POST 38 | ports: 39 | - "7070" 40 | # [END servicemesh_all_authorization_policy_cartservice_authorizationpolicy_cartservice] -------------------------------------------------------------------------------- /docs/online-boutique-asm-manifests/authorization-policies/all/authorization-policy-currencyservice.yaml: -------------------------------------------------------------------------------- 1 | # Copyright 2022 Google LLC 2 | # 3 | # Licensed under the Apache License, Version 2.0 (the "License"); 4 | # you may not use this file except in compliance with the License. 5 | # You may obtain a copy of the License at 6 | # 7 | # http://www.apache.org/licenses/LICENSE-2.0 8 | # 9 | # Unless required by applicable law or agreed to in writing, software 10 | # distributed under the License is distributed on an "AS IS" BASIS, 11 | # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 12 | # See the License for the specific language governing permissions and 13 | # limitations under the License. 
14 | 15 | # [START servicemesh_all_authorization_policy_currencyservice_authorizationpolicy_currencyservice] 16 | apiVersion: security.istio.io/v1beta1 17 | kind: AuthorizationPolicy 18 | metadata: 19 | name: currencyservice 20 | spec: 21 | selector: 22 | matchLabels: 23 | app: currencyservice 24 | rules: 25 | - from: 26 | - source: 27 | principals: 28 | - cluster.local/ns/onlineboutique/sa/frontend 29 | - cluster.local/ns/onlineboutique/sa/checkoutservice 30 | to: 31 | - operation: 32 | paths: 33 | - /hipstershop.CurrencyService/Convert 34 | - /hipstershop.CurrencyService/GetSupportedCurrencies 35 | methods: 36 | - POST 37 | ports: 38 | - "7000" 39 | # [END servicemesh_all_authorization_policy_currencyservice_authorizationpolicy_currencyservice] -------------------------------------------------------------------------------- /docs/canary-service/destination-vs-v1.yaml: -------------------------------------------------------------------------------- 1 | 2 | # Copyright 2022 Google LLC 3 | # 4 | # Licensed under the Apache License, Version 2.0 (the "License"); 5 | # you may not use this file except in compliance with the License. 6 | # You may obtain a copy of the License at 7 | # 8 | # http://www.apache.org/licenses/LICENSE-2.0 9 | # 10 | # Unless required by applicable law or agreed to in writing, software 11 | # distributed under the License is distributed on an "AS IS" BASIS, 12 | # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 13 | # See the License for the specific language governing permissions and 14 | # limitations under the License. 
15 | 16 | # [START servicemesh_canary_service_destination_vs_v1_destinationrule_productcatalogservice] 17 | apiVersion: networking.istio.io/v1beta1 18 | kind: DestinationRule 19 | metadata: 20 | name: productcatalogservice 21 | spec: 22 | host: productcatalogservice 23 | subsets: 24 | - labels: 25 | version: v1 26 | name: v1 27 | # [END servicemesh_canary_service_destination_vs_v1_destinationrule_productcatalogservice] 28 | --- 29 | # [START servicemesh_canary_service_destination_vs_v1_virtualservice_productcatalogservice] 30 | apiVersion: networking.istio.io/v1beta1 31 | kind: VirtualService 32 | metadata: 33 | name: productcatalogservice 34 | spec: 35 | hosts: 36 | - productcatalogservice 37 | http: 38 | - route: 39 | - destination: 40 | host: productcatalogservice 41 | subset: v1 42 | # [END servicemesh_canary_service_destination_vs_v1_virtualservice_productcatalogservice] -------------------------------------------------------------------------------- /.github/workflows/asm-acm-tutorial-ci.yaml: -------------------------------------------------------------------------------- 1 | # Copyright 2022 Google LLC 2 | # 3 | # Licensed under the Apache License, Version 2.0 (the "License"); 4 | # you may not use this file except in compliance with the License. 5 | # You may obtain a copy of the License at 6 | # 7 | # http://www.apache.org/licenses/LICENSE-2.0 8 | # 9 | # Unless required by applicable law or agreed to in writing, software 10 | # distributed under the License is distributed on an "AS IS" BASIS, 11 | # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 12 | # See the License for the specific language governing permissions and 13 | # limitations under the License. 
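14 | 15 | name: asm-acm-tutorial-ci 16 | on: 17 | push: 18 | branches: 19 | - main 20 | paths: 21 | - 'docs/online-boutique-asm-manifests/**' 22 | - 'docs/ingress-gateway-asm-manifests/**' 23 | - '.github/workflows/asm-acm-tutorial-ci.yaml' 24 | pull_request: 25 | paths: 26 | - 'docs/online-boutique-asm-manifests/**' 27 | - 'docs/ingress-gateway-asm-manifests/**' 28 | - '.github/workflows/asm-acm-tutorial-ci.yaml' 29 | jobs: 30 | job: 31 | runs-on: ubuntu-22.04 32 | steps: 33 | - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4 34 | - name: kustomize build onlineboutique 35 | run: | 36 | cd docs/online-boutique-asm-manifests/ 37 | kubectl kustomize . 38 | - name: kustomize build ingressgateway 39 | run: | 40 | cd docs/ingress-gateway-asm-manifests/ 41 | kubectl kustomize . 42 | -------------------------------------------------------------------------------- /docs/mtls-egress-ingress/create-keys.sh: -------------------------------------------------------------------------------- 1 | 2 | # Copyright 2021 Google LLC 3 | # 4 | # Licensed under the Apache License, Version 2.0 (the "License"); 5 | # you may not use this file except in compliance with the License. 6 | # You may obtain a copy of the License at 7 | # 8 | # http://www.apache.org/licenses/LICENSE-2.0 9 | # 10 | # Unless required by applicable law or agreed to in writing, software 11 | # distributed under the License is distributed on an "AS IS" BASIS, 12 | # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 13 | # See the License for the specific language governing permissions and 14 | # limitations under the License. 15 | 16 | # [START servicemesh_mtls_egress_ingress_create_keys] 17 | . ./server/set-project-and-cluster-server.sh 18 | 19 | INGRESS_HOST=$(kubectl -n istio-system get service istio-ingressgateway -o jsonpath='{.status.loadBalancer.ingress[0].ip}') 20 | 21 | rm -rf certs 22 | mkdir certs 23 | [ !
-d mtls-go-example ] && git clone https://github.com/nicholasjackson/mtls-go-example.git 24 | cd mtls-go-example || exit 1 25 | # delete old certs 26 | rm -rf 1_root 2_intermediate 3_application 4_client 27 | echo "Please enter a password for your security keys: " 28 | read -rs SECURE_PASSWORD; echo # -s keeps the password off the terminal, -r keeps backslashes literal; echo restores the newline that -s suppresses 29 | 30 | if [[ -z "$SECURE_PASSWORD" ]]; then 31 | printf '%s\n' "Please provide a password." 32 | exit 1 33 | fi 34 | 35 | yes | ./generate.sh "$INGRESS_HOST.nip.io" "$SECURE_PASSWORD" # quoted so the password reaches generate.sh as one argument, unsplit and unglobbed; NOTE(review): it is still passed on the command line, where a process listing can show it while generate.sh runs 36 | 37 | mv 1_root ../certs 38 | mv 2_intermediate ../certs 39 | mv 3_application ../certs 40 | mv 4_client ../certs 41 | # [END servicemesh_mtls_egress_ingress_create_keys] -------------------------------------------------------------------------------- /demos/asm-mcp-multi-clusters/terraform/lab_materials/vars.sh: -------------------------------------------------------------------------------- 1 | 2 | export WORKDIR=~ 3 | export PROJECT_ID=$(gcloud info --format='value(config.project)') 4 | export CLUSTER_1=gke-west2-a 5 | export CLUSTER_1_ZONE=us-west2-a 6 | export CLUSTER_2=gke-central1-a 7 | export CLUSTER_2_ZONE=us-central1-a 8 | export CLUSTER_INGRESS=gke-ingress-west1-a 9 | export CLUSTER_INGRESS_ZONE=us-west1-a 10 | export BANK_OF_ANTHOS_NAMESPACE=bank-of-anthos 11 | export INGRESS_GATEWAY_NAMESPACE=asm-ingress 12 | 13 | gcloud config set project ${PROJECT_ID} 14 | 15 | ASM_CONTROL_PLANE_METRICS_URL=$(echo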
"https://console.cloud.google.com/monitoring/metrics-explorer?pageState=%7B%22xyChart%22:%7B%22dataSets%22:%5B%7B%22timeSeriesFilter%22:%7B%22filter%22:%22metric.type%3D%5C%22istio.io%2Fcontrol%2Fproxy_clients%5C%22%20resource.type%3D%5C%22k8s_container%5C%22%20resource.label.%5C%22container_name%5C%22%3D%5C%22cr-asm-managed-rapid%5C%22%22,%22minAlignmentPeriod%22:%2260s%22,%22unitOverride%22:%221%22,%22aggregations%22:%5B%7B%22perSeriesAligner%22:%22ALIGN_MEAN%22,%22crossSeriesReducer%22:%22REDUCE_SUM%22,%22groupByFields%22:%5B%22metric.label.%5C%22revision%5C%22%22,%22metric.label.%5C%22proxy_version%5C%22%22%5D%7D,%7B%22crossSeriesReducer%22:%22REDUCE_NONE%22%7D%5D%7D,%22targetAxis%22:%22Y1%22,%22plotType%22:%22LINE%22%7D%5D,%22options%22:%7B%22mode%22:%22COLOR%22%7D,%22constantLines%22:%5B%5D,%22timeshiftDuration%22:%220s%22,%22y1Axis%22:%7B%22label%22:%22y1Axis%22,%22scale%22:%22LINEAR%22%7D%7D,%22isAutoRefresh%22:true,%22timeSelection%22:%7B%22timeRange%22:%221h%22%7D%7D&_ga=2.39844003.1070780175.1650643506-22581792.1650643506") -------------------------------------------------------------------------------- /.github/header-checker-lint.yml: -------------------------------------------------------------------------------- 1 | # Copyright 2023 Google LLC 2 | # 3 | # Licensed under the Apache License, Version 2.0 (the "License"); 4 | # you may not use this file except in compliance with the License. 5 | # You may obtain a copy of the License at 6 | # 7 | # http://www.apache.org/licenses/LICENSE-2.0 8 | # 9 | # Unless required by applicable law or agreed to in writing, software 10 | # distributed under the License is distributed on an "AS IS" BASIS, 11 | # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 12 | # See the License for the specific language governing permissions and 13 | # limitations under the License. 
14 | 15 | # This file configures a GitHub Bot called "License Header Lint GCF": https://github.com/apps/license-header-lint-gcf 16 | # The bot runs a GitHub check called "header-check" (inside pull-requests) that warns us about invalid/missing license headers. 17 | # The schema for this configuration file is documented at https://github.com/googleapis/repo-automation-bots/tree/main/packages/header-checker-lint#header-checker-lint. 18 | 19 | allowedCopyrightHolders: 20 | - 'Google LLC' 21 | 22 | allowedLicenses: 23 | - 'Apache-2.0' 24 | 25 | # If you want to ignore certain files/folders, use ignoreFiles. 26 | # ignoreFiles: 27 | # - '**/requirements.txt' 28 | 29 | # If you want to ignore checking the license year, use ignoreLicenseYear. 30 | # ignoreLicenseYear: true # Useful when migrating in code licensed at previous years. 31 | 32 | sourceFileExtensions: 33 | - 'Dockerfile' 34 | - 'gitignore' 35 | - 'py' 36 | - 'sh' 37 | - 'tf' 38 | - 'yaml' 39 | - 'yml' 40 | -------------------------------------------------------------------------------- /docs/helloserver/server/server.yaml: -------------------------------------------------------------------------------- 1 | 2 | # Copyright 2020 Google LLC 3 | # 4 | # Licensed under the Apache License, Version 2.0 (the "License"); 5 | # you may not use this file except in compliance with the License. 6 | # You may obtain a copy of the License at 7 | # 8 | # http://www.apache.org/licenses/LICENSE-2.0 9 | # 10 | # Unless required by applicable law or agreed to in writing, software 11 | # distributed under the License is distributed on an "AS IS" BASIS, 12 | # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 13 | # See the License for the specific language governing permissions and 14 | # limitations under the License.
15 | 16 | # [START servicemesh_helloserver_server_deployment_helloserver] 17 | apiVersion: apps/v1 18 | kind: Deployment 19 | metadata: 20 | name: helloserver 21 | spec: 22 | replicas: 1 23 | selector: 24 | matchLabels: 25 | app: helloserver 26 | template: 27 | metadata: 28 | labels: 29 | app: helloserver 30 | spec: 31 | containers: 32 | - image: gcr.io/google-samples/istio/helloserver:v0.0.1 33 | imagePullPolicy: Always 34 | name: main 35 | restartPolicy: Always 36 | terminationGracePeriodSeconds: 5 37 | # [END servicemesh_helloserver_server_deployment_helloserver] 38 | --- 39 | # [START servicemesh_helloserver_server_service_hellosvc] 40 | apiVersion: v1 41 | kind: Service 42 | metadata: 43 | name: hellosvc 44 | spec: 45 | ports: 46 | - name: http 47 | port: 80 48 | targetPort: 8080 49 | selector: 50 | app: helloserver 51 | type: LoadBalancer 52 | # [END servicemesh_helloserver_server_service_hellosvc] 53 | --- 54 | -------------------------------------------------------------------------------- /docs/helloserver/loadgen/loadgen.py: -------------------------------------------------------------------------------- 1 | # Copyright 2020 Google LLC 2 | # 3 | # Licensed under the Apache License, Version 2.0 (the "License"); 4 | # you may not use this file except in compliance with the License. 5 | # You may obtain a copy of the License at 6 | # 7 | # http://www.apache.org/licenses/LICENSE-2.0 8 | # 9 | # Unless required by applicable law or agreed to in writing, software 10 | # distributed under the License is distributed on an "AS IS" BASIS, 11 | # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 12 | # See the License for the specific language governing permissions and 13 | # limitations under the License. 
14 | 15 | import threading 16 | import datetime 17 | import schedule 18 | import os 19 | import time 20 | import grequests 21 | 22 | def exception_handler(request, exception): 23 | print("Request failed: %s" % exception) 24 | 25 | 26 | def callserver(): 27 | urls = [url]*c # number of concurrent requests per second 28 | 29 | rs = (grequests.get(u) for u in urls) 30 | grequests.map(rs, exception_handler=exception_handler) 31 | print("%s request(s) complete to %s" % (c, url)) 32 | 33 | 34 | # start loadgen 35 | url = os.getenv('SERVER_ADDR') 36 | if url is None: 37 | print("SERVER_ADDR env variable is not defined") 38 | exit(1) 39 | 40 | c_str = os.getenv('REQUESTS_PER_SECOND') 41 | if c_str is None: 42 | print("REQUESTS_PER_SECOND env variable is not defined") 43 | exit(1) 44 | 45 | c = int(c_str) 46 | 47 | now = datetime.datetime.now() 48 | print("🚀 Starting loadgen: %s" % now) 49 | schedule.every(1).seconds.do(callserver) 50 | 51 | while 1: 52 | schedule.run_pending() 53 | time.sleep(1) -------------------------------------------------------------------------------- /docs/online-boutique-asm-manifests/authorization-policies/all/authorization-policy-productcatalogservice.yaml: -------------------------------------------------------------------------------- 1 | # Copyright 2022 Google LLC 2 | # 3 | # Licensed under the Apache License, Version 2.0 (the "License"); 4 | # you may not use this file except in compliance with the License. 5 | # You may obtain a copy of the License at 6 | # 7 | # http://www.apache.org/licenses/LICENSE-2.0 8 | # 9 | # Unless required by applicable law or agreed to in writing, software 10 | # distributed under the License is distributed on an "AS IS" BASIS, 11 | # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 12 | # See the License for the specific language governing permissions and 13 | # limitations under the License. 
14 | 15 | # [START servicemesh_all_authorization_policy_productcatalogservice_authorizationpolicy_productcatalogservice] 16 | apiVersion: security.istio.io/v1beta1 17 | kind: AuthorizationPolicy 18 | metadata: 19 | name: productcatalogservice 20 | spec: 21 | selector: 22 | matchLabels: 23 | app: productcatalogservice 24 | rules: 25 | - from: 26 | - source: 27 | principals: 28 | - cluster.local/ns/onlineboutique/sa/frontend 29 | - cluster.local/ns/onlineboutique/sa/checkoutservice 30 | - cluster.local/ns/onlineboutique/sa/recommendationservice 31 | to: 32 | - operation: 33 | paths: 34 | - /hipstershop.ProductCatalogService/GetProduct 35 | - /hipstershop.ProductCatalogService/ListProducts 36 | methods: 37 | - POST 38 | ports: 39 | - "3550" 40 | # [END servicemesh_all_authorization_policy_productcatalogservice_authorizationpolicy_productcatalogservice] -------------------------------------------------------------------------------- /docs/migrate-to-managed-asm/virtual-service.yaml: -------------------------------------------------------------------------------- 1 | # Copyright 2022 Google LLC 2 | # 3 | # Licensed under the Apache License, Version 2.0 (the "License"); 4 | # you may not use this file except in compliance with the License. 5 | # You may obtain a copy of the License at 6 | # 7 | # http://www.apache.org/licenses/LICENSE-2.0 8 | # 9 | # Unless required by applicable law or agreed to in writing, software 10 | # distributed under the License is distributed on an "AS IS" BASIS, 11 | # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 12 | # See the License for the specific language governing permissions and 13 | # limitations under the License. 14 | 15 | # [START servicemesh_migrate_to_managed_asm_virtual_service_virtualservice_frontend_ingress] 16 | # This VirtualService splits HTTP traffic coming into the cluster you're migrating away from. 17 | # This VirtualService ensures that the traffic will be shared between both clusters. 
18 | apiVersion: networking.istio.io/v1alpha3 19 | kind: VirtualService 20 | metadata: 21 | name: frontend-ingress 22 | spec: 23 | gateways: 24 | - frontend-gateway 25 | hosts: 26 | - '*' # In production, be more specific. 27 | http: 28 | - route: 29 | - destination: 30 | port: 31 | number: 80 32 | host: frontend # The name of the Service inside the cluster you're migrating away from. 33 | weight: 50 34 | - destination: 35 | port: 36 | number: 80 37 | host: v2.example.com # The temporary domain name of the frontend inside the cluster with managed ASM. 38 | weight: 50 39 | # [END servicemesh_migrate_to_managed_asm_virtual_service_virtualservice_frontend_ingress] 40 | -------------------------------------------------------------------------------- /docs/migrate-to-managed-asm/virtual-service-in-cluster-asm.yaml: -------------------------------------------------------------------------------- 1 | # Copyright 2022 Google LLC 2 | # 3 | # Licensed under the Apache License, Version 2.0 (the "License"); 4 | # you may not use this file except in compliance with the License. 5 | # You may obtain a copy of the License at 6 | # 7 | # http://www.apache.org/licenses/LICENSE-2.0 8 | # 9 | # Unless required by applicable law or agreed to in writing, software 10 | # distributed under the License is distributed on an "AS IS" BASIS, 11 | # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 12 | # See the License for the specific language governing permissions and 13 | # limitations under the License. 14 | 15 | # [START servicemesh_migrate_to_managed_asm_virtual_service_in_cluster_asm_virtualservice_frontend_ingress] 16 | # This VirtualService splits HTTP traffic coming into the cluster you're migrating away from. 17 | # This VirtualService ensures that the traffic will be shared between both clusters. 
18 | apiVersion: networking.istio.io/v1alpha3 19 | kind: VirtualService 20 | metadata: 21 | name: frontend 22 | spec: 23 | gateways: 24 | - asm-ingress/asm-ingressgateway 25 | hosts: 26 | - '*' # In production, be more specific. 27 | http: 28 | - route: 29 | - destination: 30 | port: 31 | number: 80 32 | host: frontend # The name of the Service inside the cluster you're migrating away from. 33 | weight: 50 34 | - destination: 35 | port: 36 | number: 80 37 | host: v2.example.com # The temporary domain name of the frontend inside the cluster with managed ASM. 38 | weight: 50 39 | # [END servicemesh_migrate_to_managed_asm_virtual_service_in_cluster_asm_virtualservice_frontend_ingress] 40 | -------------------------------------------------------------------------------- /docs/egress-gateway-asm-manifests/gateway-http.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: networking.istio.io/v1alpha3 2 | kind: Gateway 3 | metadata: 4 | name: istio-egressgateway 5 | spec: 6 | selector: 7 | istio: egressgateway 8 | servers: 9 | - port: 10 | number: 80 11 | name: http 12 | protocol: HTTP 13 | hosts: 14 | - edition.cnn.com 15 | # tls: 16 | # mode: PASSTHROUGH 17 | # cipherSuites: 18 | # - ECDHE-ECDSA-AES256-GCM-SHA384 19 | # - ECDHE-ECDSA-AES128-GCM-SHA256 20 | # - ECDHE-RSA-AES256-GCM-SHA384 21 | # - ECDHE-RSA-AES128-GCM-SHA256 22 | # - ECDHE-ECDSA-AES256-CBC-SHA384 23 | # - ECDHE-ECDSA-AES128-CBC-SHA256 24 | # - ECDHE-RSA-AES256-CBC-SHA384 25 | # - ECDHE-RSA-AES128-CBC-SHA256 26 | --- 27 | apiVersion: networking.istio.io/v1alpha3 28 | kind: DestinationRule 29 | metadata: 30 | name: egressgateway-for-cnn 31 | spec: 32 | host: istio-egressgateway.default.svc.cluster.local 33 | subsets: 34 | - name: cnn 35 | --- 36 | apiVersion: networking.istio.io/v1alpha3 37 | kind: VirtualService 38 | metadata: 39 | name: direct-cnn-through-egress-gateway 40 | spec: 41 | hosts: 42 | - edition.cnn.com 43 | gateways: 44 | - istio-egressgateway 
45 | - mesh 46 | http: 47 | - match: 48 | - gateways: 49 | - mesh 50 | port: 80 51 | route: 52 | - destination: 53 | host: istio-egressgateway.default.svc.cluster.local 54 | subset: cnn 55 | port: 56 | number: 80 57 | weight: 100 58 | - match: 59 | - gateways: 60 | - istio-egressgateway 61 | port: 80 62 | route: 63 | - destination: 64 | host: edition.cnn.com 65 | port: 66 | number: 80 67 | weight: 100 68 | -------------------------------------------------------------------------------- /docs/mtls-egress-ingress/client/httpbin-client/virtualservice-destinationrule-from-egressgateway.yaml.tmpl: -------------------------------------------------------------------------------- 1 | apiVersion: networking.istio.io/v1alpha3 2 | kind: VirtualService 3 | metadata: 4 | name: vs-alias 5 | spec: 6 | hosts: 7 | - httpbin-external 8 | http: 9 | - match: 10 | - uri: 11 | regex: ".*" 12 | rewrite: 13 | authority: SERVICE_URL 14 | route: 15 | - destination: 16 | host: istio-egressgateway.istio-system.svc.cluster.local 17 | subset: httpbin 18 | port: 19 | number: 443 20 | weight: 100 21 | --- 22 | apiVersion: networking.istio.io/v1alpha3 23 | kind: VirtualService 24 | metadata: 25 | name: direct-httpbin-through-egress-gateway 26 | spec: 27 | hosts: 28 | - SERVICE_URL 29 | gateways: 30 | - istio-egressgateway-httpbin 31 | - mesh 32 | http: 33 | - match: 34 | - gateways: 35 | - mesh 36 | port: 80 37 | route: 38 | - destination: 39 | host: istio-egressgateway.istio-system.svc.cluster.local 40 | subset: httpbin 41 | port: 42 | number: 443 43 | weight: 100 44 | - match: 45 | - gateways: 46 | - istio-egressgateway-httpbin 47 | port: 443 48 | route: 49 | - destination: 50 | host: SERVICE_URL 51 | port: 52 | number: 443 53 | weight: 100 54 | --- 55 | apiVersion: networking.istio.io/v1alpha3 56 | kind: DestinationRule 57 | metadata: 58 | name: originate-mtls-for-httpbin 59 | spec: 60 | host: SERVICE_URL 61 | trafficPolicy: 62 | loadBalancer: 63 | simple: ROUND_ROBIN 64 | portLevelSettings: 65 
| - port: 66 | number: 443 67 | tls: 68 | mode: MUTUAL 69 | credentialName: client-credential 70 | sni: SERVICE_URL -------------------------------------------------------------------------------- /docs/shared/online-boutique/service-accounts/service-accounts.yaml: -------------------------------------------------------------------------------- 1 | # Copyright 2022 Google LLC 2 | # 3 | # Licensed under the Apache License, Version 2.0 (the "License"); 4 | # you may not use this file except in compliance with the License. 5 | # You may obtain a copy of the License at 6 | # 7 | # http://www.apache.org/licenses/LICENSE-2.0 8 | # 9 | # Unless required by applicable law or agreed to in writing, software 10 | # distributed under the License is distributed on an "AS IS" BASIS, 11 | # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 12 | # See the License for the specific language governing permissions and 13 | # limitations under the License. 14 | 15 | apiVersion: v1 16 | kind: ServiceAccount 17 | metadata: 18 | name: adservice 19 | --- 20 | apiVersion: v1 21 | kind: ServiceAccount 22 | metadata: 23 | name: cartservice 24 | --- 25 | apiVersion: v1 26 | kind: ServiceAccount 27 | metadata: 28 | name: checkoutservice 29 | --- 30 | apiVersion: v1 31 | kind: ServiceAccount 32 | metadata: 33 | name: currencyservice 34 | --- 35 | apiVersion: v1 36 | kind: ServiceAccount 37 | metadata: 38 | name: emailservice 39 | --- 40 | apiVersion: v1 41 | kind: ServiceAccount 42 | metadata: 43 | name: frontend 44 | --- 45 | apiVersion: v1 46 | kind: ServiceAccount 47 | metadata: 48 | name: loadgenerator 49 | --- 50 | apiVersion: v1 51 | kind: ServiceAccount 52 | metadata: 53 | name: paymentservice 54 | --- 55 | apiVersion: v1 56 | kind: ServiceAccount 57 | metadata: 58 | name: productcatalogservice 59 | --- 60 | apiVersion: v1 61 | kind: ServiceAccount 62 | metadata: 63 | name: recommendationservice 64 | --- 65 | apiVersion: v1 66 | kind: ServiceAccount 67 | metadata: 
68 | name: redis-cart 69 | --- 70 | apiVersion: v1 71 | kind: ServiceAccount 72 | metadata: 73 | name: shippingservice 74 | -------------------------------------------------------------------------------- /docs/egress-gateway-asm-manifests/gateway-https.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: networking.istio.io/v1alpha3 2 | kind: Gateway 3 | metadata: 4 | name: istio-egressgateway 5 | spec: 6 | selector: 7 | istio: egressgateway 8 | servers: 9 | - port: 10 | number: 443 11 | name: TLS 12 | protocol: TLS 13 | hosts: 14 | - edition.cnn.com 15 | tls: 16 | mode: PASSTHROUGH 17 | cipherSuites: 18 | - ECDHE-ECDSA-AES256-GCM-SHA384 19 | - ECDHE-ECDSA-AES128-GCM-SHA256 20 | - ECDHE-RSA-AES256-GCM-SHA384 21 | - ECDHE-RSA-AES128-GCM-SHA256 22 | - AES256-GCM-SHA384 23 | - AES128-GCM-SHA256 24 | # ECDHE-ECDSA-AES128-CBC-SHA256 ECDHE-ECDSA-AES256-CBC-SHA384 ECDHE-RSA-AES128-CBC-SHA256 ECDHE-RSA-AES256-CBC-SHA384 25 | --- 26 | apiVersion: networking.istio.io/v1alpha3 27 | kind: DestinationRule 28 | metadata: 29 | name: egressgateway-for-cnn 30 | spec: 31 | host: istio-egressgateway.default.svc.cluster.local 32 | subsets: 33 | - name: cnn 34 | --- 35 | apiVersion: networking.istio.io/v1alpha3 36 | kind: VirtualService 37 | metadata: 38 | name: direct-cnn-through-egress-gateway 39 | spec: 40 | hosts: 41 | - edition.cnn.com 42 | gateways: 43 | - mesh 44 | - istio-egressgateway 45 | tls: 46 | - match: 47 | - gateways: 48 | - mesh 49 | port: 443 50 | sniHosts: 51 | - edition.cnn.com 52 | route: 53 | - destination: 54 | host: istio-egressgateway.default.svc.cluster.local 55 | subset: cnn 56 | port: 57 | number: 443 58 | - match: 59 | - gateways: 60 | - istio-egressgateway 61 | port: 443 62 | sniHosts: 63 | - edition.cnn.com 64 | route: 65 | - destination: 66 | host: edition.cnn.com 67 | port: 68 | number: 443 69 | weight: 100 70 | -------------------------------------------------------------------------------- 
/demos/bank-of-anthos-asm-manifests/deployment-manifests/loadgenerator.yaml: -------------------------------------------------------------------------------- 1 | 2 | # Copyright 2021 Google LLC 3 | # 4 | # Licensed under the Apache License, Version 2.0 (the "License"); 5 | # you may not use this file except in compliance with the License. 6 | # You may obtain a copy of the License at 7 | # 8 | # http://www.apache.org/licenses/LICENSE-2.0 9 | # 10 | # Unless required by applicable law or agreed to in writing, software 11 | # distributed under the License is distributed on an "AS IS" BASIS, 12 | # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 13 | # See the License for the specific language governing permissions and 14 | # limitations under the License. 15 | 16 | # [START servicemesh_deployment_manifests_loadgenerator_deployment_loadgenerator] 17 | apiVersion: apps/v1 18 | kind: Deployment 19 | metadata: 20 | name: loadgenerator 21 | spec: 22 | selector: 23 | matchLabels: 24 | app: loadgenerator 25 | replicas: 1 26 | template: 27 | metadata: 28 | labels: 29 | app: loadgenerator 30 | annotations: 31 | sidecar.istio.io/rewriteAppHTTPProbers: "true" 32 | spec: 33 | serviceAccountName: default 34 | terminationGracePeriodSeconds: 5 35 | restartPolicy: Always 36 | containers: 37 | - name: loadgenerator 38 | image: gcr.io/bank-of-anthos-ci/loadgenerator:v0.5.3 39 | env: 40 | - name: FRONTEND_ADDR 41 | value: "frontend:80" 42 | - name: USERS 43 | value: "5" 44 | - name: LOG_LEVEL 45 | value: "error" 46 | resources: 47 | requests: 48 | cpu: 100m 49 | memory: 512Mi 50 | limits: 51 | cpu: 500m 52 | memory: 1Gi 53 | # [END servicemesh_deployment_manifests_loadgenerator_deployment_loadgenerator] 54 | --- 55 | -------------------------------------------------------------------------------- /docs/mtls-egress-ingress/client/httpbin-client/clean-up.sh: -------------------------------------------------------------------------------- 1 | 2 | # Copyright 2021 
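# Copyright 2021 Google LLC
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
#      http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.

# Cleans up the httpbin client demo: deletes the certificate secrets, the
# Istio routing objects and the "sleep" workload created for it.
# Every delete uses --ignore-not-found=true, so re-running the script after a
# partial clean-up is safe.

# [START servicemesh_httpbin_client_clean_up]
# Resolve the directory this script lives in, so the helper below is found
# regardless of the caller's working directory.
DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )" || {
  printf 'clean-up: cannot resolve the script directory\n' >&2
  exit 1
}

# Presumably points gcloud/kubectl at the client project and cluster (the
# helper is not shown here). Stop if it fails: otherwise every delete below
# would run against whatever kubectl context happens to be active.
"${DIR}/../set-project-and-cluster-client.sh" || {
  printf 'clean-up: set-project-and-cluster-client.sh failed; nothing deleted\n' >&2
  exit 1
}

# Certificate secrets. The command without -n targets the namespace of the
# current kubectl context.
kubectl delete --ignore-not-found=true secret httpbin-server-certs httpbin-ca-certs -n mesh-external
kubectl delete --ignore-not-found=true secret httpbin-client-certs httpbin-ca-certs
kubectl delete --ignore-not-found=true secret httpbin-client-certs httpbin-ca-certs -n istio-system

# Services, Istio routing objects and the sleep workload, all in the namespace
# of the current kubectl context.
kubectl delete --ignore-not-found=true service httpbin-external
kubectl delete --ignore-not-found=true virtualservice vs-alias
kubectl delete --ignore-not-found=true gateway istio-egressgateway-httpbin
kubectl delete --ignore-not-found=true serviceentry httpbin-serviceentry
kubectl delete --ignore-not-found=true virtualservice direct-httpbin-through-egress-gateway
kubectl delete --ignore-not-found=true destinationrule originate-mtls-for-httpbin
kubectl delete --ignore-not-found=true destinationrule egressgateway-for-httpbin
kubectl delete --ignore-not-found=true svc sleep
kubectl delete --ignore-not-found=true deployment sleep
# [END servicemesh_httpbin_client_clean_up]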