├── .github └── FUNDING.yml ├── .gitignore ├── 10-fault-injection.yaml ├── 11-loadbalancing.yaml ├── 12-logentry.yaml ├── 13-authentication.yaml ├── 3-kiali-secret.yaml ├── 4-label-default-namespace.yaml ├── 5-application-no-istio.yaml ├── 6-istio-gateway-rules.yaml ├── 7-external-service-entry.yaml ├── 8-enforce-mtls-only.yaml ├── 9-circuit-breaking.yaml ├── LICENSE ├── README.md └── mesh-arch.png /.github/FUNDING.yml: -------------------------------------------------------------------------------- 1 | # These are supported funding model platforms 2 | 3 | patreon: apssouza 4 | custom: ["https://www.buymeacoffee.com/apssouza"] 5 | -------------------------------------------------------------------------------- /.gitignore: -------------------------------------------------------------------------------- 1 | ###################### 2 | # Project Specific 3 | ###################### 4 | 5 | 6 | ###################### 7 | # Node 8 | ###################### 9 | /node/ 10 | node_tmp/ 11 | node_modules/ 12 | npm-debug.log.* 13 | /.awcache/* 14 | /.cache-loader/* 15 | 16 | ###################### 17 | # SASS 18 | ###################### 19 | .sass-cache/ 20 | 21 | ###################### 22 | # Eclipse 23 | ###################### 24 | *.pydevproject 25 | .project 26 | .metadata 27 | tmp/ 28 | tmp/**/* 29 | *.tmp 30 | *.bak 31 | *.swp 32 | *~.nib 33 | local.properties 34 | .classpath 35 | .settings/ 36 | .loadpath 37 | .factorypath 38 | /src/main/resources/rebel.xml 39 | 40 | # External tool builders 41 | .externalToolBuilders/** 42 | 43 | # Locally stored "Eclipse launch configurations" 44 | *.launch 45 | 46 | # CDT-specific 47 | .cproject 48 | 49 | # PDT-specific 50 | .buildpath 51 | 52 | ###################### 53 | # Intellij 54 | ###################### 55 | .idea/ 56 | *.iml 57 | *.iws 58 | *.ipr 59 | *.ids 60 | *.orig 61 | classes/ 62 | out/ 63 | 64 | ###################### 65 | # Visual Studio Code 66 | ###################### 67 | .vscode/ 68 | 69 | ###################### 
70 | # Maven 71 | ###################### 72 | /log/ 73 | /target/ 74 | 75 | ###################### 76 | # Gradle 77 | ###################### 78 | .gradle/ 79 | /build/ 80 | 81 | ###################### 82 | # Package Files 83 | ###################### 84 | *.jar 85 | *.war 86 | *.ear 87 | *.db 88 | 89 | ###################### 90 | # Windows 91 | ###################### 92 | # Windows image file caches 93 | Thumbs.db 94 | 95 | # Folder config file 96 | Desktop.ini 97 | 98 | ###################### 99 | # Mac OSX 100 | ###################### 101 | .DS_Store 102 | .svn 103 | 104 | # Thumbnails 105 | ._* 106 | 107 | # Files that might appear on external disk 108 | .Spotlight-V100 109 | .Trashes 110 | 111 | ###################### 112 | # Directories 113 | ###################### 114 | /bin/ 115 | /deploy/ 116 | 117 | ###################### 118 | # Logs 119 | ###################### 120 | *.log* 121 | 122 | ###################### 123 | # Others 124 | ###################### 125 | *.class 126 | *.*~ 127 | *~ 128 | .merge_file* 129 | 130 | ###################### 131 | # Gradle Wrapper 132 | ###################### 133 | !gradle/wrapper/gradle-wrapper.jar 134 | 135 | ###################### 136 | # Maven Wrapper 137 | ###################### 138 | !.mvn/wrapper/maven-wrapper.jar 139 | 140 | ###################### 141 | # ESLint 142 | ###################### 143 | .eslintcache 144 | -------------------------------------------------------------------------------- /10-fault-injection.yaml: -------------------------------------------------------------------------------- 1 | kind: VirtualService 2 | apiVersion: networking.istio.io/v1alpha3 3 | metadata: 4 | name: fleetman-vehicle-telemetry 5 | namespace: default 6 | spec: 7 | hosts: 8 | - fleetman-vehicle-telemetry 9 | http: 10 | - fault: 11 | abort: 12 | httpStatus: 503 13 | percentage: 14 | value: 60 15 | route: 16 | - destination: # vehicle speed will start fail 17 | host: fleetman-vehicle-telemetry 18 | 19 | --- 20 | kind: 
VirtualService 21 | apiVersion: networking.istio.io/v1alpha3 22 | metadata: 23 | name: fleetman-staff-service 24 | namespace: default 25 | spec: 26 | hosts: 27 | - fleetman-staff-service 28 | http: 29 | - match: 30 | - headers: 31 | x-my-header: 32 | exact: dark-test 33 | fault: 34 | delay: 35 | percentage: 36 | value: 100.0 37 | fixedDelay: 10s 38 | route: 39 | - destination: 40 | host: fleetman-staff-service 41 | 42 | - route: # Catch if there is no match 43 | - destination: 44 | host: fleetman-staff-service -------------------------------------------------------------------------------- /11-loadbalancing.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: networking.istio.io/v1alpha3 2 | kind: DestinationRule 3 | metadata: 4 | name: greeter-server 5 | spec: 6 | host: greeter-server 7 | trafficPolicy: 8 | loadBalancer: 9 | simple: LEAST_CONN 10 | tls: 11 | mode: ISTIO_MUTUAL 12 | -------------------------------------------------------------------------------- /12-logentry.yaml: -------------------------------------------------------------------------------- 1 | # # Configuration for logentry instances 2 | # apiVersion: config.istio.io/v1alpha2 3 | # kind: instance 4 | # metadata: 5 | # name: newlog 6 | # namespace: istio-system 7 | # spec: 8 | # compiledTemplate: logentry 9 | # params: 10 | # severity: '"info"' 11 | # timestamp: request.time 12 | # variables: # Getting values from Envoy attributes https://istio.io/docs/reference/config/policy-and-telemetry/attribute-vocabulary/ 13 | # source: source.labels["app"] | source.workload.name | "unknown" 14 | # user: source.user | "unknown" 15 | # destination: destination.labels["app"] | destination.workload.name | "unknown" 16 | # responseCode: response.code | 0 17 | # responseSize: response.size | 0 18 | # latency: response.duration | "0ms" 19 | # monitored_resource_type: '"UNSPECIFIED"' 20 | # --- 21 | 22 | # # Configuration for a stdio handler 23 | # apiVersion: 
config.istio.io/v1alpha2 24 | # kind: handler 25 | # metadata: 26 | # name: newloghandler 27 | # namespace: istio-system 28 | # spec: 29 | # compiledAdapter: stdio 30 | # params: 31 | # severity_levels: 32 | # warning: 1 # Params.Level.WARNING 33 | # outputAsJson: true 34 | # --- 35 | 36 | # # Rule to send logentry instances to a stdio handler 37 | # apiVersion: config.istio.io/v1alpha2 38 | # kind: rule 39 | # metadata: 40 | # name: newlogstdio 41 | # namespace: istio-system 42 | # spec: 43 | # match: destination.service.host == "greeter-server.default.svc.cluster.local" # log only greeter-server traffic 44 | # actions: 45 | # - handler: newloghandler 46 | # instances: 47 | # - newlog 48 | # --- 49 | -------------------------------------------------------------------------------- /13-authentication.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: security.istio.io/v1beta1 2 | kind: RequestAuthentication 3 | metadata: 4 | name: jwt-example 5 | spec: 6 | selector: 7 | matchLabels: 8 | app: webapp 9 | jwtRules: 10 | - issuer: "testing@secure.istio.io" 11 | jwksUri: "https://raw.githubusercontent.com/istio/istio/release-1.4/security/tools/jwt/samples/jwks.json" # Istio's public sample JWKS; its signing key is published in the same repo, so this is for demos only - point it at your identity provider's JWKS otherwise 12 | 13 | --- 14 | apiVersion: security.istio.io/v1 15 | kind: AuthorizationPolicy 16 | metadata: 17 | name: require-jwt 18 | spec: 19 | selector: 20 | matchLabels: 21 | app: webapp 22 | action: ALLOW # an ALLOW policy with a rule rejects everything the rule does not match, so webapp requests without a valid JWT from the issuer above are denied 23 | rules: 24 | - from: 25 | - source: 26 | requestPrincipals: ["testing@secure.istio.io/testing@secure.istio.io"] 27 | -------------------------------------------------------------------------------- /3-kiali-secret.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: v1 2 | kind: Secret 3 | type: Opaque 4 | metadata: 5 | name: kiali 6 | namespace: istio-system 7 | labels: 8 | app: kiali 9 | data: 10 | username: YWRtaW4= # base64 of "admin" - placeholder credential for local Minikube use, change it before exposing the Kiali dashboard 11 | passphrase: YWRtaW4= # base64 of "admin" - same placeholder 12 | 
-------------------------------------------------------------------------------- /4-label-default-namespace.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: v1 2 | kind: Namespace 3 | metadata: 4 | labels: 5 | istio-injection: enabled 6 | name: default 7 | -------------------------------------------------------------------------------- /5-application-no-istio.yaml: -------------------------------------------------------------------------------- 1 | # This is the application config, no Istio related config. You can replace this with you app Sk8 config 2 | 3 | 4 | apiVersion: v1 5 | kind: ServiceAccount 6 | metadata: 7 | name: position-simulator 8 | labels: 9 | account: position-simulator 10 | --- 11 | apiVersion: apps/v1 12 | kind: Deployment 13 | metadata: 14 | name: position-simulator 15 | spec: 16 | selector: 17 | matchLabels: 18 | app: position-simulator 19 | replicas: 1 20 | template: # template for the pods 21 | metadata: 22 | labels: 23 | app: position-simulator 24 | spec: 25 | serviceAccountName: position-simulator 26 | containers: 27 | - name: position-simulator 28 | image: richardchesterwood/istio-fleetman-position-simulator:6 29 | env: 30 | - name: SPRING_PROFILES_ACTIVE 31 | value: production-microservice 32 | command: ["java","-Xmx50m","-jar","webapp.jar"] 33 | imagePullPolicy: Always 34 | 35 | 36 | 37 | --- 38 | apiVersion: apps/v1 39 | kind: Deployment 40 | metadata: 41 | name: position-tracker 42 | spec: 43 | selector: 44 | matchLabels: 45 | app: position-tracker 46 | replicas: 1 47 | template: # template for the pods 48 | metadata: 49 | labels: 50 | app: position-tracker 51 | spec: 52 | containers: 53 | - name: position-tracker 54 | image: richardchesterwood/istio-fleetman-position-tracker:6 55 | env: 56 | - name: SPRING_PROFILES_ACTIVE 57 | value: production-microservice 58 | command: ["java","-Xmx50m","-jar","webapp.jar"] 59 | imagePullPolicy: Always 60 | --- 61 | apiVersion: apps/v1 62 | kind: 
Deployment 63 | metadata: 64 | name: api-gateway 65 | spec: 66 | selector: 67 | matchLabels: 68 | app: api-gateway 69 | replicas: 1 70 | template: # template for the pods 71 | metadata: 72 | labels: 73 | app: api-gateway 74 | spec: 75 | containers: 76 | - name: api-gateway 77 | image: richardchesterwood/istio-fleetman-api-gateway:6 78 | env: 79 | - name: SPRING_PROFILES_ACTIVE 80 | value: production-microservice 81 | command: ["java","-Xmx50m","-jar","webapp.jar"] 82 | imagePullPolicy: Always 83 | --- 84 | apiVersion: apps/v1 85 | kind: Deployment 86 | metadata: 87 | name: webapp 88 | spec: 89 | selector: 90 | matchLabels: 91 | app: webapp 92 | replicas: 1 93 | template: # template for the pods 94 | metadata: 95 | labels: 96 | app: webapp 97 | version: original 98 | spec: 99 | containers: 100 | - name: webapp 101 | image: richardchesterwood/istio-fleetman-webapp-angular:6 102 | env: 103 | - name: SPRING_PROFILES_ACTIVE 104 | value: production-microservice 105 | imagePullPolicy: Always 106 | --- 107 | apiVersion: apps/v1 108 | kind: Deployment 109 | metadata: 110 | name: webapp-experimental 111 | spec: 112 | selector: 113 | matchLabels: 114 | app: webapp 115 | replicas: 1 116 | template: # template for the pods 117 | metadata: 118 | labels: 119 | app: webapp 120 | version: experimental 121 | spec: 122 | containers: 123 | - name: webapp 124 | image: richardchesterwood/istio-fleetman-webapp-angular:6-experimental 125 | env: 126 | - name: SPRING_PROFILES_ACTIVE 127 | value: production-microservice 128 | imagePullPolicy: Always 129 | --- 130 | apiVersion: apps/v1 131 | kind: Deployment 132 | metadata: 133 | name: vehicle-telemetry 134 | spec: 135 | selector: 136 | matchLabels: 137 | app: vehicle-telemetry 138 | replicas: 1 139 | template: # template for the pods 140 | metadata: 141 | labels: 142 | app: vehicle-telemetry 143 | spec: 144 | containers: 145 | - name: vehicle-telemtry 146 | image: richardchesterwood/istio-fleetman-vehicle-telemetry:6 147 | env: 148 | - name: 
SPRING_PROFILES_ACTIVE 149 | value: production-microservice 150 | imagePullPolicy: Always 151 | --- 152 | apiVersion: apps/v1 153 | kind: Deployment 154 | metadata: 155 | name: staff-service 156 | spec: 157 | selector: 158 | matchLabels: 159 | app: staff-service 160 | replicas: 1 161 | template: # template for the pods 162 | metadata: 163 | labels: 164 | app: staff-service 165 | version: safe 166 | spec: 167 | containers: 168 | - name: staff-service 169 | image: richardchesterwood/istio-fleetman-staff-service:6-placeholder 170 | env: 171 | - name: SPRING_PROFILES_ACTIVE 172 | value: production-microservice 173 | imagePullPolicy: Always 174 | ports: 175 | - containerPort: 8080 176 | --- 177 | apiVersion: apps/v1 178 | kind: Deployment 179 | metadata: 180 | name: staff-service-photo-call 181 | spec: 182 | selector: 183 | matchLabels: 184 | app: staff-service 185 | replicas: 1 186 | template: # template for the pods 187 | metadata: 188 | labels: 189 | app: staff-service 190 | version: safe 191 | spec: 192 | containers: 193 | - name: staff-service 194 | image: richardchesterwood/istio-fleetman-staff-service:5 195 | env: 196 | - name: SPRING_PROFILES_ACTIVE 197 | value: production-microservice 198 | imagePullPolicy: Always 199 | ports: 200 | - containerPort: 8080 201 | --- 202 | 203 | apiVersion: apps/v1 204 | kind: Deployment 205 | metadata: 206 | name: photo-service 207 | spec: 208 | selector: 209 | matchLabels: 210 | app: photo-service 211 | replicas: 1 212 | template: # template for the pods 213 | metadata: 214 | labels: 215 | app: photo-service 216 | spec: 217 | containers: 218 | - name: photo-service 219 | image: richardchesterwood/istio-fleetman-photo-service:5 220 | env: 221 | - name: SPRING_PROFILES_ACTIVE 222 | value: production-microservice 223 | imagePullPolicy: Always 224 | --- 225 | 226 | apiVersion: apps/v1 227 | kind: Deployment 228 | metadata: 229 | name: staff-service-risky-version 230 | spec: 231 | selector: 232 | matchLabels: 233 | app: staff-service 
234 | replicas: 1 235 | template: # template for the pods 236 | metadata: 237 | labels: 238 | app: staff-service 239 | version: risky 240 | spec: 241 | containers: 242 | - name: staff-service 243 | image: richardchesterwood/istio-fleetman-staff-service:6-bad 244 | env: 245 | - name: SPRING_PROFILES_ACTIVE 246 | value: production-microservice 247 | imagePullPolicy: Always 248 | ports: 249 | - containerPort: 8080 250 | --- 251 | ### Services ### 252 | apiVersion: v1 253 | kind: Service 254 | metadata: 255 | name: fleetman-webapp 256 | spec: 257 | # This defines which pods are going to be represented by this Service 258 | # The service becomes a network endpoint for either other services 259 | # or maybe external users to connect to (eg browser) 260 | selector: 261 | app: webapp 262 | ports: 263 | - name: http 264 | port: 80 265 | type: ClusterIP 266 | #NodePort 267 | --- 268 | apiVersion: v1 269 | kind: Service 270 | metadata: 271 | name: fleetman-position-tracker 272 | 273 | spec: 274 | # This defines which pods are going to be represented by this Service 275 | # The service becomes a network endpoint for either other services 276 | # or maybe external users to connect to (eg browser) 277 | selector: 278 | app: position-tracker 279 | ports: 280 | - name: http 281 | port: 8080 282 | type: ClusterIP 283 | --- 284 | 285 | apiVersion: v1 286 | kind: Service 287 | metadata: 288 | name: fleetman-api-gateway 289 | spec: 290 | selector: 291 | app: api-gateway 292 | ports: 293 | - name: http 294 | port: 8080 295 | type: ClusterIP 296 | --- 297 | 298 | apiVersion: v1 299 | kind: Service 300 | metadata: 301 | name: fleetman-vehicle-telemetry 302 | spec: 303 | selector: 304 | app: vehicle-telemetry 305 | ports: 306 | - name: http 307 | port: 8080 308 | type: ClusterIP 309 | --- 310 | 311 | apiVersion: v1 312 | kind: Service 313 | metadata: 314 | name: fleetman-staff-service 315 | spec: 316 | selector: 317 | app: staff-service 318 | ports: 319 | - name: http 320 | port: 8080 321 
| type: ClusterIP 322 | 323 | --- 324 | 325 | apiVersion: v1 326 | kind: Service 327 | metadata: 328 | name: fleetman-photo-service 329 | spec: 330 | selector: 331 | app: photo-service 332 | ports: 333 | - name: http 334 | port: 8080 335 | type: ClusterIP 336 | 337 | 338 | 339 | ### GRPC ### 340 | 341 | --- 342 | apiVersion: apps/v1 343 | kind: Deployment 344 | metadata: 345 | name: greeter-server 346 | spec: 347 | replicas: 2 348 | selector: 349 | matchLabels: 350 | app: greeter-server 351 | template: 352 | metadata: 353 | labels: 354 | app: greeter-server 355 | spec: 356 | containers: 357 | - name: greeter-server 358 | image: apssouza/grpc-greeter:server-reqid 359 | imagePullPolicy: Always 360 | ports: 361 | - containerPort: 50051 362 | --- 363 | apiVersion: v1 364 | kind: Service 365 | metadata: 366 | name: greeter-server 367 | spec: 368 | ports: 369 | - name: grpc 370 | port: 50051 371 | protocol: TCP 372 | selector: 373 | app: greeter-server 374 | type: ClusterIP 375 | --- 376 | 377 | apiVersion: apps/v1 378 | kind: Deployment 379 | metadata: 380 | name: greeter-client 381 | spec: 382 | replicas: 1 383 | selector: 384 | matchLabels: 385 | app: greeter-client 386 | template: 387 | metadata: 388 | labels: 389 | app: greeter-client 390 | spec: 391 | containers: 392 | - name: greeter-client 393 | image: apssouza/grpc-greeter:client-reqid 394 | imagePullPolicy: Always 395 | ports: 396 | - containerPort: 50051 397 | --- 398 | apiVersion: v1 399 | kind: Service 400 | metadata: 401 | name: greeter-client 402 | spec: 403 | ports: 404 | - name: grpc 405 | port: 50051 406 | protocol: TCP 407 | selector: 408 | app: greeter-client 409 | type: ClusterIP 410 | --- 411 | -------------------------------------------------------------------------------- /6-istio-gateway-rules.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: networking.istio.io/v1alpha3 2 | kind: Gateway 3 | metadata: 4 | name: ingress-gateway-configuration 5 
| spec: 6 | selector: 7 | istio: ingressgateway # use Istio default gateway implementation 8 | servers: 9 | - port: 10 | number: 80 11 | name: http 12 | protocol: HTTP 13 | hosts: 14 | - "*" # "*" matches any host; put the domain name of the external website here 15 | --- 16 | kind: VirtualService 17 | apiVersion: networking.istio.io/v1alpha3 18 | metadata: 19 | name: fleetman-webapp 20 | namespace: default 21 | spec: 22 | hosts: # which incoming hosts these routing rules apply to 23 | - "*" # must match the hosts entry of the Gateway above - usually a domain name 24 | gateways: 25 | - ingress-gateway-configuration 26 | http: 27 | - route: 28 | - destination: 29 | host: fleetman-webapp 30 | subset: original 31 | weight: 50 # 50% of the traffic goes to the original version 32 | - destination: 33 | host: fleetman-webapp 34 | subset: experimental 35 | weight: 50 # 50% of the traffic goes to the experimental version 36 | 37 | --- 38 | kind: DestinationRule 39 | apiVersion: networking.istio.io/v1alpha3 40 | metadata: 41 | name: fleetman-webapp 42 | namespace: default 43 | spec: 44 | host: fleetman-webapp 45 | subsets: 46 | - labels: 47 | version: original # points to the deployment with label version=original 48 | name: original 49 | - labels: 50 | version: experimental # points to the deployment with label version=experimental 51 | name: experimental 52 | -------------------------------------------------------------------------------- /7-external-service-entry.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: v1 2 | kind: Service 3 | metadata: 4 | name: fleetman-driver-monitoring-external 5 | spec: 6 | type: ExternalName 7 | externalName: 2oujlno5e4.execute-api.us-east-1.amazonaws.com 8 | 9 | --- 10 | 11 | # The following declares an external API accessed by internal applications over HTTP and HTTPS 12 | apiVersion: networking.istio.io/v1alpha3 13 | kind: ServiceEntry 14 | metadata: 15 | name: fleetman-driver-monitoring 16 | spec: 17 | hosts: 18 | - 
2oujlno5e4.execute-api.us-east-1.amazonaws.com 19 | location: MESH_EXTERNAL 20 | ports: 21 | - number: 80 22 | name: http-port 23 | protocol: HTTP 24 | 25 | - number: 443 26 | name: https-port-for-tls-origination 27 | protocol: HTTPS 28 | resolution: DNS 29 | --- 30 | # The VirtualService matches port 80 and forwards the traffic to the external address 31 | # on port 443, as that endpoint only accepts HTTPS calls 32 | apiVersion: networking.istio.io/v1alpha3 33 | kind: VirtualService 34 | metadata: 35 | name: fleetman-driver-monitoring 36 | spec: 37 | hosts: 38 | - 2oujlno5e4.execute-api.us-east-1.amazonaws.com 39 | http: 40 | - match: 41 | - port: 80 42 | route: 43 | - destination: 44 | host: 2oujlno5e4.execute-api.us-east-1.amazonaws.com 45 | port: 46 | number: 443 47 | --- 48 | 49 | apiVersion: networking.istio.io/v1alpha3 50 | kind: DestinationRule 51 | metadata: 52 | name: fleetman-driver-monitoring 53 | spec: 54 | host: 2oujlno5e4.execute-api.us-east-1.amazonaws.com 55 | trafficPolicy: 56 | portLevelSettings: # traffic policy for one specific port 57 | - port: 58 | number: 443 59 | tls: 60 | mode: SIMPLE # the sidecar originates TLS to the external host; NOTE(review): no caCertificates is set, so depending on the Istio version the upstream certificate may not be verified - confirm 61 | -------------------------------------------------------------------------------- /8-enforce-mtls-only.yaml: -------------------------------------------------------------------------------- 1 | # STRICT mode: only mutual-TLS traffic is accepted by the sidecars in the namespace this is applied to (mesh-wide only when applied to the root namespace istio-system); plaintext is rejected 2 | apiVersion: security.istio.io/v1beta1 3 | kind: PeerAuthentication 4 | metadata: 5 | name: default 6 | spec: 7 | mtls: 8 | mode: STRICT 9 | 10 | --- 11 | 12 | # Configure the clients in the mesh to send mutual-TLS traffic via this DestinationRule 13 | apiVersion: "networking.istio.io/v1alpha3" 14 | kind: "DestinationRule" 15 | metadata: 16 | name: "default" 17 | namespace: "istio-system" 18 | spec: 19 | host: "*.local" # every in-mesh service, e.g. fleetman-staff-service.default.svc.cluster.local 20 | trafficPolicy: 21 | tls: 22 | mode: ISTIO_MUTUAL # this mode uses certificates issued by Istio 23 | 24 | #Adding 
TLS to the fleetman-webapp service explicitly, because the more specific fleetman-webapp DestinationRule (6-istio-gateway-rules.yaml) takes precedence over the mesh-wide default above 25 | --- 26 | kind: DestinationRule 27 | apiVersion: networking.istio.io/v1alpha3 28 | metadata: 29 | name: fleetman-webapp-secure 30 | namespace: default 31 | spec: 32 | host: fleetman-webapp 33 | trafficPolicy: 34 | tls: 35 | mode: ISTIO_MUTUAL # this mode uses certificates issued by Istio 36 | -------------------------------------------------------------------------------- /9-circuit-breaking.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: networking.istio.io/v1alpha3 2 | kind: DestinationRule 3 | metadata: 4 | name: circuit-breaker-for-the-entire-default-namespace 5 | spec: 6 | host: "*.default.svc.cluster.local" 7 | trafficPolicy: 8 | tls: 9 | mode: ISTIO_MUTUAL # this mode uses certificates issued by Istio 10 | outlierDetection: # outlier detection is the circuit breaker; it is off unless configured, so it HAS TO BE SWITCHED ON here 11 | maxEjectionPercent: 100 # the max percent of hosts that can be ejected from the load-balanced pool 12 | consecutive5xxErrors: 3 13 | interval: 10s 14 | -------------------------------------------------------------------------------- /LICENSE: -------------------------------------------------------------------------------- 1 | 2 | Apache License 3 | Version 2.0, January 2004 4 | http://www.apache.org/licenses/ 5 | 6 | TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION 7 | 8 | 1. Definitions. 9 | 10 | "License" shall mean the terms and conditions for use, reproduction, 11 | and distribution as defined by Sections 1 through 9 of this document. 12 | 13 | "Licensor" shall mean the copyright owner or entity authorized by 14 | the copyright owner that is granting the License. 15 | 16 | "Legal Entity" shall mean the union of the acting entity and all 17 | other entities that control, are controlled by, or are under common 18 | control with that entity. 
For the purposes of this definition, 19 | "control" means (i) the power, direct or indirect, to cause the 20 | direction or management of such entity, whether by contract or 21 | otherwise, or (ii) ownership of fifty percent (50%) or more of the 22 | outstanding shares, or (iii) beneficial ownership of such entity. 23 | 24 | "You" (or "Your") shall mean an individual or Legal Entity 25 | exercising permissions granted by this License. 26 | 27 | "Source" form shall mean the preferred form for making modifications, 28 | including but not limited to software source code, documentation 29 | source, and configuration files. 30 | 31 | "Object" form shall mean any form resulting from mechanical 32 | transformation or translation of a Source form, including but 33 | not limited to compiled object code, generated documentation, 34 | and conversions to other media types. 35 | 36 | "Work" shall mean the work of authorship, whether in Source or 37 | Object form, made available under the License, as indicated by a 38 | copyright notice that is included in or attached to the work 39 | (an example is provided in the Appendix below). 40 | 41 | "Derivative Works" shall mean any work, whether in Source or Object 42 | form, that is based on (or derived from) the Work and for which the 43 | editorial revisions, annotations, elaborations, or other modifications 44 | represent, as a whole, an original work of authorship. For the purposes 45 | of this License, Derivative Works shall not include works that remain 46 | separable from, or merely link (or bind by name) to the interfaces of, 47 | the Work and Derivative Works thereof. 
48 | 49 | "Contribution" shall mean any work of authorship, including 50 | the original version of the Work and any modifications or additions 51 | to that Work or Derivative Works thereof, that is intentionally 52 | submitted to Licensor for inclusion in the Work by the copyright owner 53 | or by an individual or Legal Entity authorized to submit on behalf of 54 | the copyright owner. For the purposes of this definition, "submitted" 55 | means any form of electronic, verbal, or written communication sent 56 | to the Licensor or its representatives, including but not limited to 57 | communication on electronic mailing lists, source code control systems, 58 | and issue tracking systems that are managed by, or on behalf of, the 59 | Licensor for the purpose of discussing and improving the Work, but 60 | excluding communication that is conspicuously marked or otherwise 61 | designated in writing by the copyright owner as "Not a Contribution." 62 | 63 | "Contributor" shall mean Licensor and any individual or Legal Entity 64 | on behalf of whom a Contribution has been received by Licensor and 65 | subsequently incorporated within the Work. 66 | 67 | 2. Grant of Copyright License. Subject to the terms and conditions of 68 | this License, each Contributor hereby grants to You a perpetual, 69 | worldwide, non-exclusive, no-charge, royalty-free, irrevocable 70 | copyright license to reproduce, prepare Derivative Works of, 71 | publicly display, publicly perform, sublicense, and distribute the 72 | Work and such Derivative Works in Source or Object form. 73 | 74 | 3. Grant of Patent License. 
Subject to the terms and conditions of 75 | this License, each Contributor hereby grants to You a perpetual, 76 | worldwide, non-exclusive, no-charge, royalty-free, irrevocable 77 | (except as stated in this section) patent license to make, have made, 78 | use, offer to sell, sell, import, and otherwise transfer the Work, 79 | where such license applies only to those patent claims licensable 80 | by such Contributor that are necessarily infringed by their 81 | Contribution(s) alone or by combination of their Contribution(s) 82 | with the Work to which such Contribution(s) was submitted. If You 83 | institute patent litigation against any entity (including a 84 | cross-claim or counterclaim in a lawsuit) alleging that the Work 85 | or a Contribution incorporated within the Work constitutes direct 86 | or contributory patent infringement, then any patent licenses 87 | granted to You under this License for that Work shall terminate 88 | as of the date such litigation is filed. 89 | 90 | 4. Redistribution. 
You may reproduce and distribute copies of the 91 | Work or Derivative Works thereof in any medium, with or without 92 | modifications, and in Source or Object form, provided that You 93 | meet the following conditions: 94 | 95 | (a) You must give any other recipients of the Work or 96 | Derivative Works a copy of this License; and 97 | 98 | (b) You must cause any modified files to carry prominent notices 99 | stating that You changed the files; and 100 | 101 | (c) You must retain, in the Source form of any Derivative Works 102 | that You distribute, all copyright, patent, trademark, and 103 | attribution notices from the Source form of the Work, 104 | excluding those notices that do not pertain to any part of 105 | the Derivative Works; and 106 | 107 | (d) If the Work includes a "NOTICE" text file as part of its 108 | distribution, then any Derivative Works that You distribute must 109 | include a readable copy of the attribution notices contained 110 | within such NOTICE file, excluding those notices that do not 111 | pertain to any part of the Derivative Works, in at least one 112 | of the following places: within a NOTICE text file distributed 113 | as part of the Derivative Works; within the Source form or 114 | documentation, if provided along with the Derivative Works; or, 115 | within a display generated by the Derivative Works, if and 116 | wherever such third-party notices normally appear. The contents 117 | of the NOTICE file are for informational purposes only and 118 | do not modify the License. You may add Your own attribution 119 | notices within Derivative Works that You distribute, alongside 120 | or as an addendum to the NOTICE text from the Work, provided 121 | that such additional attribution notices cannot be construed 122 | as modifying the License. 
123 | 124 | You may add Your own copyright statement to Your modifications and 125 | may provide additional or different license terms and conditions 126 | for use, reproduction, or distribution of Your modifications, or 127 | for any such Derivative Works as a whole, provided Your use, 128 | reproduction, and distribution of the Work otherwise complies with 129 | the conditions stated in this License. 130 | 131 | 5. Submission of Contributions. Unless You explicitly state otherwise, 132 | any Contribution intentionally submitted for inclusion in the Work 133 | by You to the Licensor shall be under the terms and conditions of 134 | this License, without any additional terms or conditions. 135 | Notwithstanding the above, nothing herein shall supersede or modify 136 | the terms of any separate license agreement you may have executed 137 | with Licensor regarding such Contributions. 138 | 139 | 6. Trademarks. This License does not grant permission to use the trade 140 | names, trademarks, service marks, or product names of the Licensor, 141 | except as required for reasonable and customary use in describing the 142 | origin of the Work and reproducing the content of the NOTICE file. 143 | 144 | 7. Disclaimer of Warranty. Unless required by applicable law or 145 | agreed to in writing, Licensor provides the Work (and each 146 | Contributor provides its Contributions) on an "AS IS" BASIS, 147 | WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or 148 | implied, including, without limitation, any warranties or conditions 149 | of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A 150 | PARTICULAR PURPOSE. You are solely responsible for determining the 151 | appropriateness of using or redistributing the Work and assume any 152 | risks associated with Your exercise of permissions under this License. 153 | 154 | 8. Limitation of Liability. 
In no event and under no legal theory, 155 | whether in tort (including negligence), contract, or otherwise, 156 | unless required by applicable law (such as deliberate and grossly 157 | negligent acts) or agreed to in writing, shall any Contributor be 158 | liable to You for damages, including any direct, indirect, special, 159 | incidental, or consequential damages of any character arising as a 160 | result of this License or out of the use or inability to use the 161 | Work (including but not limited to damages for loss of goodwill, 162 | work stoppage, computer failure or malfunction, or any and all 163 | other commercial damages or losses), even if such Contributor 164 | has been advised of the possibility of such damages. 165 | 166 | 9. Accepting Warranty or Additional Liability. While redistributing 167 | the Work or Derivative Works thereof, You may choose to offer, 168 | and charge a fee for, acceptance of support, warranty, indemnity, 169 | or other liability obligations and/or rights consistent with this 170 | License. However, in accepting such obligations, You may act only 171 | on Your own behalf and on Your sole responsibility, not on behalf 172 | of any other Contributor, and only if You agree to indemnify, 173 | defend, and hold each Contributor harmless for any liability 174 | incurred by, or claims asserted against, such Contributor by reason 175 | of your accepting any such warranty or additional liability. 176 | 177 | END OF TERMS AND CONDITIONS 178 | 179 | APPENDIX: How to apply the Apache License to your work. 180 | 181 | To apply the Apache License to your work, attach the following 182 | boilerplate notice, with the fields enclosed by brackets "[]" 183 | replaced with your own identifying information. (Don't include 184 | the brackets!) The text should be enclosed in the appropriate 185 | comment syntax for the file format. 
We also recommend that a 186 | file or class name and description of purpose be included on the 187 | same "printed page" as the copyright notice for easier 188 | identification within third-party archives. 189 | 190 | Copyright [yyyy] [name of copyright owner] 191 | 192 | Licensed under the Apache License, Version 2.0 (the "License"); 193 | you may not use this file except in compliance with the License. 194 | You may obtain a copy of the License at 195 | 196 | http://www.apache.org/licenses/LICENSE-2.0 197 | 198 | Unless required by applicable law or agreed to in writing, software 199 | distributed under the License is distributed on an "AS IS" BASIS, 200 | WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 201 | See the License for the specific language governing permissions and 202 | limitations under the License. -------------------------------------------------------------------------------- /README.md: -------------------------------------------------------------------------------- 1 | # Service mesh example 2 | 3 | This repository tries to provide a bootstrap example of a service mesh using Istio 4 | 5 | We have recorded some screencast presenting this project. 
[Check it out!](https://dzone.com/articles/programming-microservices-communication-with-istio-state) 6 | 7 | ![Alt text](mesh-arch.png?raw=true "microservices architecture") 8 | 9 | ### Enabled services: 10 | #### Features 11 | - Load balancing 12 | - Circuit breaker 13 | - TLS connection 14 | - Service discovery 15 | - Traffic management 16 | - External call monitoring 17 | - GRPC load balancing 18 | - Custom logging 19 | - Authentication 20 | - Fault injection 21 | - Traceability 22 | - Observability 23 | 24 | #### Telemetry 25 | - Grafana 26 | - Kiali 27 | - Jaeger 28 | 29 | 30 | 31 | --- 32 | 33 | 34 | 35 | 36 | # How to use 37 | * [Install Minikube](https://kubernetes.io/docs/tasks/tools/install-minikube/) 38 | * [Install Istio](https://istio.io/v1.4/docs/setup/getting-started/) 39 | * [Set up Istio with Minikube](https://istio.io/v1.4/docs/setup/platform-setup/minikube/) 40 | * `kubectl apply -f ./` 41 | 42 | 43 | Getting the URL to access the system 44 | ``` 45 | export INGRESS_HOST=$(minikube ip) 46 | export INGRESS_PORT=$(kubectl -n istio-system get service istio-ingressgateway -o jsonpath='{.spec.ports[?(@.name=="http2")].nodePort}') 47 | export GATEWAY=$INGRESS_HOST:$INGRESS_PORT 48 | echo $GATEWAY 49 | ``` 50 | 51 | Visit the printed address in your browser 52 | 53 | ## Monitoring 54 | 55 | * istioctl dashboard kiali 56 | * istioctl dashboard grafana 57 | * istioctl dashboard jaeger 58 | 59 | ## Checking Circuit break 60 | Running the command below, you will see 3 requests fail; 61 | then the circuit will open for the unhealthy pod and no further errors will appear 62 | 63 | `while true; do curl $GATEWAY/api/vehicles/driver/City%20Truck; echo; done;` 64 | 65 | ## Checking Load balancing 66 | Running the command below, you will see logs of call results coming from different hostnames: 67 | 68 | `kubectl logs -l app=greeter-client -c greeter-client -f` 69 | 70 | ## Checking custom logging 71 | Running the command below, you will see the logs printed: 72 | 73 | 
``kubectl logs -n istio-system -l istio-mixer-type=telemetry -c mixer | grep "newlog" `` 74 | 75 | 76 | ## Authorization 77 | When JWT authentication is enabled, we need to send the JWT token in our request header 78 | 79 | Add an `Authorization` header to your request with the value below 80 | 81 | ``Bearer eyJhbGciOiJSUzI1NiIsImtpZCI6IkRIRmJwb0lVcXJZOHQyenBBMnFYZkNtcjVWTzVaRXI0UnpIVV8tZW52dlEiLCJ0eXAiOiJKV1QifQ.eyJleHAiOjQ2ODU5ODk3MDAsImZvbyI6ImJhciIsImlhdCI6MTUzMjM4OTcwMCwiaXNzIjoidGVzdGluZ0BzZWN1cmUuaXN0aW8uaW8iLCJzdWIiOiJ0ZXN0aW5nQHNlY3VyZS5pc3Rpby5pbyJ9.CfNnxWP2tcnR9q0vxyxweaF3ovQYHYZl82hAUsn21bwQd9zP7c-LS9qd_vpdLG4Tn1A15NxfCjp5f7QNBUo-KC9PJqYpgGbaXhaGx7bEdFWjcwv3nZzvc7M__ZpaCERdwU7igUmJqYGBYQ51vr2njU9ZimyKkfDe3axcyiBZde7G6dabliUosJvvKOPcKIWPccCgefSj_GNfwIip3-SsFdlR7BtbVUcqR-yv-XOxJ3Uc1MI0tz3uMiiZcyPV7sNCU4KRnemRIMHVOfuvHsU60_GhGbiSFzgPTAa9WTltbnarTbxudb_YEOx12JiwYToeX0DCPb43W1tzIBxgm8NxUg`` 82 | 83 | This is a sample token whose `iss` claim is `testing@secure.istio.io`; it is only meaningful against that test issuer, so a real deployment needs tokens from its own identity provider. 84 | 85 | ### Cleanup 86 | 87 | * Delete the cluster 88 | ``kubectl delete -f ./`` 89 | 90 | ## That's all. Leave a star if it helped you! 91 | 92 | -------------------------------------------------------------------------------- /mesh-arch.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/apssouza22/service-mesh-istio/fb3c16c30c0c5f850a4ddd163064c71b0856b5a8/mesh-arch.png --------------------------------------------------------------------------------