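├── .gitignore
├── 0_download_istio.sh
├── 0_setenv_minikube.sh
├── 0_setenv_tryopenshift.sh
├── 10_v2_safari_only.sh
├── 11_curl_minikube.sh
├── 12_clean_canary.sh
├── 14_dark_launch.sh
├── 15_clean_mirror.sh
├── 16_50_50.sh
├── 17_circuit_breaker.sh
├── 18_clean_cb.sh
├── 19_scale_v2_50_50.sh
├── 1_startMinikube.sh
├── 22_cleanup.sh
├── 2_install_istio_minikube.sh
├── 3_install_microservices.sh
├── 3_install_microservices_native.sh
├── 3_install_microservices_remote_minikube.sh
├── 3_install_microservices_remote_ocp4.sh
├── 4_deploy_recommendationv2.sh
├── 4_deploy_recommendationv2_native.sh
├── 4_deploy_recommendationv2_native_ocp4.sh
├── 4_deploy_recommendationv2_native_ocp4_step2.sh
├── 4_deploy_recommendationv2_ocp4.sh
├── 4_deploy_recommendationv2_ocp4_step2.sh
├── 5_replicas2_v2.sh
├── 6_replicas1_v2.sh
├── 7_all_v1.sh
├── 8_v2_25.sh
├── 9_v1_only.sh
├── Deployment-v2.yml
├── RecommendationResource.java
├── RecommendationVerticle.java
├── democlean_minikube.sh
├── egress_demo
    └── readme.adoc
├── istiofiles
    └── serviceentry-httpbin.yml
├── minikube_dashboards.sh
├── minishift_login.sh
├── mtls_demo
    ├── 1_exec_preference.sh
    ├── 2_mtls_policy.sh
    ├── 3_destination_rule_mtls.sh
    ├── 5_poll_minikube.sh
    ├── 5_poll_minishift.sh
    └── clean.sh
├── namespace_sticky.sh
├── poll_customer_minikube.sh
├── poll_customer_ocp4.sh
├── siege_it_minikube.sh
└── white_list
    ├── acl_whitelist.yml
    ├── curl_cust2recommendation.sh
    ├── curl_nginx2customer.sh
    ├── curl_nginx2preference.sh
    ├── curl_nginx2recommendation.sh
    └── curl_reco2preference.sh

/.gitignore:
--------------------------------------------------------------------------------
.DS_Store
kiali
istio-1.0.5
istio-1.1.1
istio-1.1.9
istio-1.3.0
istio-1.4.6

--------------------------------------------------------------------------------
/0_download_istio.sh:
--------------------------------------------------------------------------------
#!/bin/bash
# Downloads the Istio 1.4.6 macOS release and unpacks it into the current
# directory.
#
# The archive is written to a temporary file first, so an HTTP error page or
# a truncated transfer is never piped into tar, and the file can be checked
# before anything is extracted. Set ISTIO_SHA256 to the expected SHA-256 of
# the archive (taken from a source you trust) to enable that check.
set -euo pipefail

ISTIO_VERSION=1.4.6
archive_url="https://github.com/istio/istio/releases/download/${ISTIO_VERSION}/istio-${ISTIO_VERSION}-osx.tar.gz"

archive=$(mktemp)
trap 'rm -f -- "$archive"' EXIT

# -f makes curl fail on an HTTP error instead of saving the error body.
curl -fL -o "$archive" "$archive_url"

if [[ -n "${ISTIO_SHA256:-}" ]]; then
  actual=$(shasum -a 256 "$archive" | awk '{print $1}')
  if [[ "$actual" != "$ISTIO_SHA256" ]]; then
    echo "checksum mismatch for ${archive_url}" >&2
    exit 1
  fi
else
  echo "warning: ISTIO_SHA256 is not set, archive integrity was not verified" >&2
fi

tar xzf "$archive"

--------------------------------------------------------------------------------
/0_setenv_minikube.sh:
--------------------------------------------------------------------------------
#!/bin/bash
# Environment for the minikube variant of the demo. Meant to be sourced, not
# executed, so that the exports land in the calling shell; for the same
# reason it must not enable 'set -e' or call 'exit'.

# The message used to name 0_setenv.sh, which is not a file in this directory.
echo 'correct usage is source 0_setenv_minikube.sh'

export MINIKUBE_HOME=/Users/burrsutter/devnation
# this is where the minikube executable is
# (prepended, so binaries in this directory shadow same-named system ones)
export PATH="$MINIKUBE_HOME/bin:$PATH"
export KUBECONFIG="$MINIKUBE_HOME/.kube/config"
export KUBE_EDITOR="code -w"

export ISTIO_HOME="$MINIKUBE_HOME/scripts-istio/istio-1.4.6"
export PATH="$ISTIO_HOME/bin:$PATH"

echo 'the following after minikube as started'
echo 'eval $(minikube --profile istio-mk docker-env)'

--------------------------------------------------------------------------------
/0_setenv_tryopenshift.sh:
--------------------------------------------------------------------------------
#!/bin/bash
# Environment for the OpenShift variant of the demo. Meant to be sourced, not
# executed, so that the exports land in the calling shell.

# The message used to name 0_setenv.sh, which is not a file in this directory.
echo 'correct usage is source 0_setenv_tryopenshift.sh'

export PROJECT_HOME=/Users/burrsutter/tryopenshift
# prepended, so binaries in this directory shadow same-named system ones
export PATH="$PROJECT_HOME/bin:$PATH"
# export KUBECONFIG=$PROJECT_HOME/.kube/config
# NOTE(review): auth/kubeconfig looks like an installer-generated admin
# credential - keep the file readable by its owner only and out of git.
export KUBECONFIG="$PROJECT_HOME/azr-apr18/auth/kubeconfig"
export KUBE_EDITOR="code -w"

export ISTIO_HOME="$PROJECT_HOME/scripts-istio/istio-1.4.6"
export PATH="$ISTIO_HOME/bin:$PATH"

--------------------------------------------------------------------------------
/10_v2_safari_only.sh:
--------------------------------------------------------------------------------
#!/bin/bash
# Replaces the recommendation VirtualService in the 'tutorial' namespace with
# virtual-service-safari-recommendation-v2.yml.

# Print a command, then execute it with its words kept intact.
run() { echo "$*"; "$@"; }

run kubectl replace -f ../istio-tutorial/istiofiles/virtual-service-safari-recommendation-v2.yml -n tutorial

--------------------------------------------------------------------------------
/11_curl_minikube.sh:
--------------------------------------------------------------------------------
#!/bin/bash
# Calls /customer through the Istio ingress gateway of the 'istio-mk'
# minikube profile, once as Safari and once as Firefox.

# Print a command, then execute it with its words kept intact.
run() { echo "$*"; "$@"; }

INGRESS_PORT=$(kubectl -n istio-system get service istio-ingressgateway -o jsonpath='{.spec.ports[?(@.name=="http2")].nodePort}')

# Without a port the request below would go to "<ip>:/customer".
if [[ -z "$INGRESS_PORT" ]]; then
  echo "could not read the http2 nodePort of istio-ingressgateway" >&2
  exit 1
fi

GATEWAY_URL="$(minikube -p istio-mk ip):$INGRESS_PORT"

for agent in Safari Firefox; do
  echo
  run curl -A "$agent" "$GATEWAY_URL/customer"
done
echo


--------------------------------------------------------------------------------
/12_clean_canary.sh:
--------------------------------------------------------------------------------
#!/bin/bash
# Removes the recommendation routing rules created by the canary steps.

kubectl delete virtualservice/recommendation -n tutorial
kubectl delete destinationrule/recommendation -n tutorial

--------------------------------------------------------------------------------
/14_dark_launch.sh:
--------------------------------------------------------------------------------
#!/bin/bash
# Creates the v1/v2 DestinationRule and the VirtualService that mirrors v1
# traffic to v2, then tails the recommendation containers' logs.

# Print a command, then execute it with its words kept intact.
run() { echo "$*"; "$@"; }

run kubectl create -f ../istio-tutorial/istiofiles/destination-rule-recommendation-v1-v2.yml -n tutorial
echo

run kubectl create -f ../istio-tutorial/istiofiles/virtual-service-recommendation-v1-mirror-v2.yml -n tutorial
echo

# stern keeps following the logs until interrupted.
run stern recommendation -c recommendation





--------------------------------------------------------------------------------
/15_clean_mirror.sh:
--------------------------------------------------------------------------------
#!/bin/bash
# Removes the recommendation routing rules created by the mirroring step.

kubectl delete virtualservice/recommendation -n tutorial
kubectl delete destinationrule/recommendation -n tutorial

--------------------------------------------------------------------------------
/16_50_50.sh:
--------------------------------------------------------------------------------
#!/bin/bash
# Creates the v1/v2 DestinationRule and a VirtualService that splits
# recommendation traffic 50/50 between v1 and v2.

# Print a command, then execute it with its words kept intact.
run() { echo "$*"; "$@"; }

run kubectl create -f ../istio-tutorial/istiofiles/destination-rule-recommendation-v1-v2.yml -n tutorial

run kubectl create -f ../istio-tutorial/istiofiles/virtual-service-recommendation-v1_and_v2_50_50.yml -n tutorial

echo "Add timeout to Recommendation"
echo "Siege it"

--------------------------------------------------------------------------------
/17_circuit_breaker.sh:
--------------------------------------------------------------------------------
#!/bin/bash
# Replaces the recommendation DestinationRule with the circuit-breaker
# policy for version v2.

# Print a command, then execute it with its words kept intact.
run() { echo "$*"; "$@"; }

run kubectl replace -f ../istio-tutorial/istiofiles/destination-rule-recommendation_cb_policy_version_v2.yml -n tutorial


echo "Now Siege it"

--------------------------------------------------------------------------------
/18_clean_cb.sh:
--------------------------------------------------------------------------------
#!/bin/bash
# Removes the recommendation routing rules created by the circuit-breaker step.

kubectl delete virtualservice/recommendation -n tutorial
kubectl delete destinationrule/recommendation -n tutorial

--------------------------------------------------------------------------------
/19_scale_v2_50_50.sh:
--------------------------------------------------------------------------------
#!/bin/bash
# Creates the 50/50 routing rules and scales recommendation-v2 to two
# replicas, then prints the manual steps that make one replica misbehave.

# Print a command, then execute it with its words kept intact.
run() { echo "$*"; "$@"; }

run kubectl create -f ../istio-tutorial/istiofiles/destination-rule-recommendation-v1-v2.yml -n tutorial

run kubectl create -f ../istio-tutorial/istiofiles/virtual-service-recommendation-v1_and_v2_50_50.yml -n tutorial

# Namespace given explicitly, like the two commands above, so the scale does
# not depend on whichever namespace the current context points at.
run kubectl scale --replicas=2 deployment/recommendation-v2 -n tutorial

# Hints only; the pod name is an example and differs per cluster.
echo "kubectl exec -it recommendation-v2-65b696556f-445zl /bin/bash"
echo "curl localhost:8080/misbehave"



--------------------------------------------------------------------------------
/1_startMinikube.sh:
--------------------------------------------------------------------------------
#!/bin/bash
# Starts the 'istio-mk' minikube profile used by the other scripts.

minikube_args=(
  -p istio-mk
  --memory=8192
  --cpus=3
  --kubernetes-version=v1.17.4
  --vm-driver=virtualbox
  --disk-size=30g
)
minikube start "${minikube_args[@]}"

--------------------------------------------------------------------------------
/22_cleanup.sh:
--------------------------------------------------------------------------------
#!/bin/bash
# Removes recommendation v2 and the recommendation routing rules.
#
# Every command names the namespace: originally only the first one did, so
# the deletes acted on whatever namespace the current context pointed at.

kubectl scale deployment recommendation-v2 --replicas=1 -n tutorial
kubectl delete deployment recommendation-v2 -n tutorial
kubectl delete pod -l app=recommendation,version=v2 -n tutorial
kubectl delete virtualservice/recommendation -n tutorial
kubectl delete destinationrule/recommendation -n tutorial

--------------------------------------------------------------------------------
/2_install_istio_minikube.sh:
--------------------------------------------------------------------------------
#!/bin/bash
# Downloads Istio 1.3.0 (macOS build), applies its CRDs and installs the
# release's demo manifest into the current cluster.
# NOTE(review): this installs 1.3.0 while 0_download_istio.sh and the setenv
# scripts point at istio-1.4.6 - confirm which version the demo expects.

ISTIO_VERSION=1.3.0

archive=$(mktemp) || exit 1
trap 'rm -f -- "$archive"' EXIT

# Save the archive before unpacking so that an HTTP error or a truncated
# transfer is not piped into tar. Set ISTIO_SHA256 to the expected SHA-256
# (from a source you trust) to verify the file before it is extracted.
curl -fL -o "$archive" \
  "https://github.com/istio/istio/releases/download/${ISTIO_VERSION}/istio-${ISTIO_VERSION}-osx.tar.gz" || exit 1
if [[ -n "${ISTIO_SHA256:-}" ]]; then
  actual=$(shasum -a 256 "$archive" | awk '{print $1}')
  if [[ "$actual" != "$ISTIO_SHA256" ]]; then
    echo "checksum mismatch for istio-${ISTIO_VERSION}" >&2
    exit 1
  fi
fi
tar xzf "$archive" || exit 1

# Everything below uses paths relative to the unpacked release; stop rather
# than apply manifests from the wrong directory.
cd "istio-${ISTIO_VERSION}" || exit 1

for i in install/kubernetes/helm/istio-init/files/crd*yaml; do
  kubectl apply -f "$i"
done

# NOTE(review): istio-demo.yaml is presumably the evaluation profile, not a
# hardened install - confirm before using it outside a demo cluster.
kubectl create -f install/kubernetes/istio-demo.yaml

# the following handled by the minikube_dashboards.sh script
# kubectl patch service/grafana -p '{"spec":{"type":"NodePort"}}' -n istio-system
# kubectl patch service/prometheus -p '{"spec":{"type":"NodePort"}}' -n istio-system
# kubectl patch service/tracing -p '{"spec":{"type":"NodePort"}}' -n istio-system
# kubectl patch service/kiali -p '{"spec":{"type":"NodePort"}}' -n istio-system
# kubectl patch service/istio-ingressgateway -p '{"spec":{"type":"NodePort"}}' -n istio-system

--------------------------------------------------------------------------------
/3_install_microservices.sh:
--------------------------------------------------------------------------------
#!/bin/bash

# https://redhat-developer-demos.github.io/istio-tutorial/istio-tutorial/1.0.0/1setup.html
# https://redhat-developer-demos.github.io/istio-tutorial/istio-tutorial/1.0.0/2deploy-microservices.html
# assumes (kubectl or oc) and istioctl and mvn in the PATH
# assumes the 'docker' tool points to minikube/minishift
# assumes this script is in a directory called 'scripts-istio'
# which is a peer of 'istio-tutorial'
# assumes you have 'kubens tutorial' or 'oc project tutorial'
#
# Each 'cd' and build step stops the script on failure: all later paths are
# relative, so carrying on after a failed 'cd' or build would package and
# deploy from the wrong directory or ship a stale image.

# Not checked on purpose: the namespace may already exist on a re-run.
kubectl create namespace tutorial
# oc adm policy add-scc-to-user privileged -z default -n tutorial
kubens tutorial

# Customer
cd ../istio-tutorial/customer/java/quarkus || exit 1
mvn clean package -DskipTests || exit 1
docker build -t example/customer . || exit 1

kubectl apply -f <(istioctl kube-inject -f ../../kubernetes/Deployment.yml) -n tutorial
kubectl create -f ../../kubernetes/Service.yml -n tutorial

# for minikube, open a NodePort
kubectl patch service/customer -p '{"spec":{"type":"NodePort"}}' -n tutorial

# for minishift, create a Route
# oc expose service customer

# Preference
cd ../../../preference/java/quarkus || exit 1
mvn clean package -DskipTests || exit 1
docker build -t example/preference:v1 . || exit 1

kubectl apply -f <(istioctl kube-inject -f ../../kubernetes/Deployment.yml) -n tutorial
kubectl create -f ../../kubernetes/Service.yml -n tutorial

# Recommendation
cd ../../../recommendation/java/quarkus || exit 1
mvn clean package -DskipTests || exit 1
docker build -t example/recommendation:v1 . || exit 1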
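# 3_install_microservices.sh, continued: deploy Recommendation with the
# sidecar injected, then create its Service and the customer Gateway.
kubectl apply -f <(istioctl kube-inject -f ../../kubernetes/Deployment.yml) -n tutorial
kubectl create -f ../../kubernetes/Service.yml -n tutorial

kubectl create -f ../../../customer/kubernetes/Gateway.yml -n tutorial

--------------------------------------------------------------------------------
/3_install_microservices_native.sh:
--------------------------------------------------------------------------------
#!/bin/bash

# https://redhat-developer-demos.github.io/istio-tutorial/istio-tutorial/1.0.0/1setup.html
# https://redhat-developer-demos.github.io/istio-tutorial/istio-tutorial/1.0.0/2deploy-microservices.html
# assumes (kubectl or oc) and istioctl and mvn in the PATH
# assumes the 'docker' tool points to minikube/minishift
# assumes this script is in a directory called 'scripts-istio'
# which is a peer of 'istio-tutorial'
# assumes you have 'kubens tutorial' or 'oc project tutorial'
#
# Each 'cd' and build step stops the script on failure: all later paths are
# relative, so carrying on after a failed 'cd' or build would package and
# deploy from the wrong directory or ship a stale image.

export GRAALVM_HOME=~/tools/graalvm-ce-1.0.0-rc15/Contents/Home/

# Not checked on purpose: the namespace may already exist on a re-run.
kubectl create namespace tutorial
# oc adm policy add-scc-to-user privileged -z default -n tutorial
kubens tutorial

# Customer
cd ../istio-tutorial/customer/java/quarkus || exit 1
mvn package -Pnative -Dnative-image.docker-build=true -DskipTests || exit 1
docker build -f src/main/docker/Dockerfile.native -t example/customer . || exit 1

kubectl apply -f <(istioctl kube-inject -f ../../kubernetes/Deployment.yml) -n tutorial
kubectl create -f ../../kubernetes/Service.yml -n tutorial

# for minikube, open a NodePort
kubectl patch service/customer -p '{"spec":{"type":"NodePort"}}' -n tutorial

# for minishift, create a Route
# oc expose service customer

# Preference
cd ../../../preference/java/quarkus || exit 1
mvn package -Pnative -Dnative-image.docker-build=true -DskipTests || exit 1
docker build -f src/main/docker/Dockerfile.native -t example/preference:v1 . || exit 1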
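# 3_install_microservices_native.sh, continued: deploy Preference with the
# sidecar injected and create its Service.
kubectl apply -f <(istioctl kube-inject -f ../../kubernetes/Deployment.yml) -n tutorial
kubectl create -f ../../kubernetes/Service.yml -n tutorial

# Recommendation
# Stop on a failed 'cd' or build: the paths below are relative, and a stale
# image would otherwise be deployed as if the build had succeeded.
cd ../../../recommendation/java/quarkus || exit 1
mvn package -Pnative -Dnative-image.docker-build=true -DskipTests || exit 1
docker build -f src/main/docker/Dockerfile.native -t example/recommendation:v1 . || exit 1

kubectl apply -f <(istioctl kube-inject -f ../../kubernetes/Deployment.yml) -n tutorial
kubectl create -f ../../kubernetes/Service.yml -n tutorial

kubectl create -f ../../../customer/kubernetes/Gateway.yml -n tutorial

--------------------------------------------------------------------------------
/3_install_microservices_remote_minikube.sh:
--------------------------------------------------------------------------------
#!/bin/bash
# Deploys the three services from the manifests in ../istio-tutorial without
# building images locally.
kubectl create namespace tutorial
kubectl config set-context --current --namespace=tutorial

# Manual injection
for svc in customer preference recommendation; do
  kubectl apply -f <(istioctl kube-inject -f "../istio-tutorial/${svc}/kubernetes/Deployment.yml") -n tutorial
done

# OR auto-injection
# kubectl label namespace tutorial istio-injection=enabled
# kubectl apply -f ../istio-tutorial/customer/kubernetes/Deployment.yml -n tutorial
# kubectl apply -f ../istio-tutorial/preference/kubernetes/Deployment.yml -n tutorial
# kubectl apply -f ../istio-tutorial/recommendation/kubernetes/Deployment.yml -n tutorial

# now create the Services
kubectl create -f ../istio-tutorial/customer/kubernetes/Service.yml -n tutorial
# kubectl patch service/customer -p '{"spec":{"type":"NodePort"}}' -n tutorial
kubectl create -f ../istio-tutorial/preference/kubernetes/Service.yml -n tutorial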
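kubectl create -f ../istio-tutorial/recommendation/kubernetes/Service.yml -n tutorial

kubectl create -f ../istio-tutorial/customer/kubernetes/Gateway.yml -n tutorial

--------------------------------------------------------------------------------
/3_install_microservices_remote_ocp4.sh:
--------------------------------------------------------------------------------
#!/bin/bash
# Deploys the three services from the manifests in ../istio-tutorial into the
# 'tutorial' namespace of an OpenShift cluster.
kubectl create namespace tutorial
# Quoted so a context name containing spaces stays one argument.
kubectl config set-context "$(kubectl config current-context)" --namespace=tutorial

# on minishift
# NOTE(review): this grants the 'privileged' SCC to the namespace's default
# service account, so every pod in 'tutorial' running under that account may
# request privileged mode. Presumably needed for the injected Istio init
# container; keep it to throwaway demo clusters and revoke it afterwards with
#   oc adm policy remove-scc-from-user privileged -z default -n tutorial
oc adm policy add-scc-to-user privileged -z default -n tutorial
# kubectl label set istio-injection=enabled

# Per service: Deployment with the sidecar injected, then its Service.
for svc in customer preference recommendation; do
  kubectl apply -f <(istioctl kube-inject -f "../istio-tutorial/${svc}/kubernetes/Deployment.yml") -n tutorial
  kubectl create -f "../istio-tutorial/${svc}/kubernetes/Service.yml" -n tutorial
done

kubectl apply -f ../istio-tutorial/customer/kubernetes/Gateway.yml -n tutorial


--------------------------------------------------------------------------------
/4_deploy_recommendationv2.sh:
--------------------------------------------------------------------------------
#!/bin/bash
# Builds recommendation v2 from the Quarkus sources and deploys it.
# Stop on a failed 'cd' or build: the later steps use relative paths, and a
# stale image would otherwise be deployed as if the build had succeeded.
cd ../istio-tutorial/recommendation/java/quarkus || exit 1

mvn clean package -DskipTests || exit 1

docker build -t example/recommendation:v2 . || exit 1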
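# 4_deploy_recommendationv2.sh, continued: deploy v2 with the sidecar injected.
kubectl apply -f <(istioctl kube-inject -f ../../kubernetes/Deployment-v2.yml) -n tutorial

--------------------------------------------------------------------------------
/4_deploy_recommendationv2_native.sh:
--------------------------------------------------------------------------------
#!/bin/bash
# Builds recommendation v2 as a native image and deploys it.

export GRAALVM_HOME=~/tools/graalvm-ce-1.0.0-rc15/Contents/Home/

# Stop on a failed 'cd' or build: the later steps use relative paths, and a
# stale image would otherwise be deployed as if the build had succeeded.
cd ../istio-tutorial/recommendation/java/quarkus || exit 1

mvn package -Pnative -Dnative-image.docker-build=true -DskipTests || exit 1
docker build -f src/main/docker/Dockerfile.native -t example/recommendation:v2 . || exit 1

kubectl apply -f <(istioctl kube-inject -f ../../kubernetes/Deployment-v2.yml) -n tutorial

--------------------------------------------------------------------------------
/4_deploy_recommendationv2_native_ocp4.sh:
--------------------------------------------------------------------------------
#!/bin/bash
# Builds recommendation v2 as a native image under a local tag; the step2
# script publishes it.

export GRAALVM_HOME=~/tools/graalvm-ce-1.0.0-rc16/Contents/Home/

# Stop on a failed 'cd' or build so that a stale image is never tagged v2.
cd ../istio-tutorial/recommendation/java/quarkus || exit 1

mvn package -Pnative -Dnative-image.docker-build=true -DskipTests || exit 1
docker build -f src/main/docker/Dockerfile.native -t dev.local/burrsutter/recommendation:v2 . || exit 1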
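
--------------------------------------------------------------------------------
/4_deploy_recommendationv2_native_ocp4_step2.sh:
--------------------------------------------------------------------------------
#!/bin/bash
# Usage: 4_deploy_recommendationv2_native_ocp4_step2.sh <local-image>
#
# Publishes the given local image as docker.io/burrsutter/recommendation:v2
# and deploys it with the sidecar injected.
#
# The image argument is required and every registry step is checked. With the
# argument missing, 'docker tag' used to fail while 'docker push' still
# published whatever image already carried the v2 tag locally.

source_image=${1:?usage: $0 <local image to publish as docker.io/burrsutter/recommendation:v2>}

docker login docker.io || exit 1

docker tag "$source_image" docker.io/burrsutter/recommendation:v2 || exit 1

docker push docker.io/burrsutter/recommendation:v2 || exit 1

kubectl apply -f <(istioctl kube-inject -f Deployment-v2.yml) -n tutorial

--------------------------------------------------------------------------------
/4_deploy_recommendationv2_ocp4.sh:
--------------------------------------------------------------------------------
#!/bin/bash
# Builds recommendation v2 under a local tag; the step2 script publishes it.
# Stop on a failed 'cd' or build so that a stale image is never tagged v2.
cd ../istio-tutorial/recommendation/java/quarkus || exit 1

mvn clean package -DskipTests || exit 1

docker build -t dev.local/burrsutter/recommendation:v2 . || exit 1


--------------------------------------------------------------------------------
/4_deploy_recommendationv2_ocp4_step2.sh:
--------------------------------------------------------------------------------
#!/bin/bash
# Usage: 4_deploy_recommendationv2_ocp4_step2.sh <local-image>
#
# Publishes the given local image as docker.io/burrsutter/recommendation:v2
# and deploys it with the sidecar injected.
#
# The image argument is required and every registry step is checked. With the
# argument missing, 'docker tag' used to fail while 'docker push' still
# published whatever image already carried the v2 tag locally.

source_image=${1:?usage: $0 <local image to publish as docker.io/burrsutter/recommendation:v2>}

docker login docker.io || exit 1

docker tag "$source_image" docker.io/burrsutter/recommendation:v2 || exit 1

docker push docker.io/burrsutter/recommendation:v2 || exit 1

kubectl apply -f <(istioctl kube-inject -f Deployment-v2.yml) -n tutorial

# kubectl apply -f <(istioctl kube-inject -f ../../kubernetes/Deployment-v2.yml) -n tutorial

--------------------------------------------------------------------------------
/5_replicas2_v2.sh:
--------------------------------------------------------------------------------
#!/bin/bash
# Scales recommendation-v2 to two replicas.

# Print a command, then execute it with its words kept intact.
run() { echo "$*"; "$@"; }

# Namespace given explicitly so the scale does not depend on the namespace of
# the current context.
run kubectl scale --replicas=2 deployment/recommendation-v2 -n tutorial

--------------------------------------------------------------------------------
/6_replicas1_v2.sh:
--------------------------------------------------------------------------------
#!/bin/bash
# Scales recommendation-v2 back to one replica.

# Print a command, then execute it with its words kept intact.
run() { echo "$*"; "$@"; }

# Namespace given explicitly so the scale does not depend on the namespace of
# the current context.
run kubectl scale --replicas=1 deployment/recommendation-v2 -n tutorial

--------------------------------------------------------------------------------
/7_all_v1.sh:
--------------------------------------------------------------------------------
#!/bin/bash
# Applies the v1/v2 DestinationRule and the VirtualService from
# virtual-service-recommendation-v1.yml.

# Print a command, then execute it with its words kept intact.
run() { echo "$*"; "$@"; }

run kubectl apply -f ../istio-tutorial/istiofiles/destination-rule-recommendation-v1-v2.yml -n tutorial

run kubectl apply -f ../istio-tutorial/istiofiles/virtual-service-recommendation-v1.yml -n tutorial

--------------------------------------------------------------------------------
/8_v2_25.sh:
--------------------------------------------------------------------------------
#!/bin/bash
# Replaces the recommendation VirtualService with the 75/25 v1/v2 split.

# Print a command, then execute it with its words kept intact.
run() { echo "$*"; "$@"; }

run kubectl replace -f ../istio-tutorial/istiofiles/virtual-service-recommendation-v1_and_v2_75_25.yml -n tutorial

--------------------------------------------------------------------------------
/9_v1_only.sh:
--------------------------------------------------------------------------------
#!/bin/bash
# Replaces the recommendation VirtualService with
# virtual-service-recommendation-v1.yml, then shows the resulting object.

# Print a command, then execute it with its words kept intact.
run() { echo "$*"; "$@"; }

run kubectl replace -f ../istio-tutorial/istiofiles/virtual-service-recommendation-v1.yml -n tutorial

# Namespace given explicitly, like the replace above.
run kubectl describe virtualservice/recommendation -n tutorial

--------------------------------------------------------------------------------
/Deployment-v2.yml:
--------------------------------------------------------------------------------
# apps/v1 instead of extensions/v1beta1: 1_startMinikube.sh pins Kubernetes
# v1.17.4, which no longer serves Deployments under extensions/v1beta1.
apiVersion: apps/v1
kind: Deployment
metadata:
  labels:
    app: recommendation
    version: v2
  name: recommendation-v2
spec:
  replicas: 1
  selector:
    matchLabels:
      app: recommendation
      version: v2
  template:
    metadata:
      labels:
        app: recommendation
        version: v2
      annotations:
        sidecar.istio.io/inject: "true"
    spec:
      containers:
      - env:
        - name: JAVA_OPTIONS
          value: -Xms15m -Xmx15m -Xmn15m
        # NOTE(review): mutable tag pulled on every start (imagePullPolicy:
        # Always); outside a demo, reference the image by digest
        # (image@sha256:<digest>) so the cluster runs exactly what was built.
        image: docker.io/burrsutter/recommendation:v2
        imagePullPolicy: Always
        name: recommendation
        ports:
        - containerPort: 8080
          name: http
          protocol: TCP
        - containerPort: 8778
          name: jolokia
          protocol: TCP
        - containerPort: 9779
          name: prometheus
          protocol: TCP
        resources:
          requests:
            memory: "50Mi"
            cpu: "250m" # 1/4 core
          limits:
            memory: "120Mi"
            cpu: "500m"
        livenessProbe:
          httpGet:
            port: 8080
            path: /
          initialDelaySeconds: 5
          periodSeconds: 5
          timeoutSeconds: 10
        readinessProbe:
          httpGet:
            port: 8080
            path: /health
          initialDelaySeconds: 5
          periodSeconds: 5
          timeoutSeconds: 10
        securityContext:
          privileged: false

--------------------------------------------------------------------------------
/RecommendationResource.java:
--------------------------------------------------------------------------------
package com.redhat.developer.demos.recommendation.rest;

import java.io.ByteArrayInputStream;
import java.io.InputStream;
import javax.json.Json;
import javax.json.JsonObject;
import javax.ws.rs.client.Client;
import javax.ws.rs.client.ClientBuilder;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

import javax.ws.rs.GET;
import javax.ws.rs.Path;
import javax.ws.rs.core.Response;

/**
 * Demo "recommendation" endpoint: answers GET / with a counter and the pod's
 * container id, and can be switched into a failure mode in which it answers
 * 503 instead.
 *
 * NOTE(review): {@code count} and {@code misbehave} are plain fields with no
 * synchronisation. If the runtime shares one resource instance between
 * request threads, increments can be lost; that is tolerable for a demo
 * counter but should be confirmed before reusing the class elsewhere.
 */
@Path("/")
public class RecommendationResource {

    private static final String RESPONSE_STRING_FORMAT = "recommendation v1 from '%s': %d\n";

    private static final String RESPONSE_STRING_NOW_FORMAT = "recommendation v3 %s from '%s': %d\n";

    private final Logger logger = LoggerFactory.getLogger(getClass());

    /**
     * Counter to help us see the lifecycle
     */
    private int count = 0;

    /**
     * Flag for throwing a 503 when enabled
     */
    private boolean misbehave = false;

    private static final String HOSTNAME = parseContainerIdFromHostname(
            System.getenv().getOrDefault("HOSTNAME", "unknown"));

    /**
     * Strips the "recommendation-v&lt;n&gt;-" prefix from a pod hostname.
     *
     * @param hostname value of the HOSTNAME environment variable
     * @return the hostname without the deployment prefix
     */
    static String parseContainerIdFromHostname(String hostname) {
        return hostname.replaceAll("recommendation-v\\d+-", "");
    }

    /**
     * Handles GET /: counts the request and returns either the normal
     * response or, while the misbehave flag is set, a 503.
     */
    @GET
    public Response getRecommendations() {
        count++;
        logger.info(String.format("recommendation request from %s: %d", HOSTNAME, count));

        // timeout();

        logger.debug("recommendation service ready to return");
        if (misbehave) {
            return doMisbehavior();
        }
        return Response.ok(String.format(RESPONSE_STRING_FORMAT, HOSTNAME, count)).build();
        // return Response.ok(String.format(RESPONSE_STRING_NOW_FORMAT, getNow(), HOSTNAME, count)).build();
    }

    /** Delays the calling thread by three seconds (used by the timeout demo). */
    private void timeout() {
        try {
            Thread.sleep(3000);
        } catch (InterruptedException e) {
            logger.info("Thread interrupted");
        }
    }

    /** Builds the 503 response returned while the misbehave flag is set. */
    private Response doMisbehavior() {
        logger.debug(String.format("Misbehaving %d", count));
        return Response.status(Response.Status.SERVICE_UNAVAILABLE)
                .entity(String.format("recommendation misbehavior from '%s'\n", HOSTNAME)).build();
    }

    /**
     * Fault-injection switch for the circuit-breaker demo.
     *
     * State is changed by an unauthenticated GET, so any client that can
     * reach the pod can turn the failure mode on; keep this endpoint to demo
     * builds.
     */
    @GET
    @Path("/misbehave")
    public Response flagMisbehave() {
        this.misbehave = true;
        logger.debug("'misbehave' has been set to 'true'");
        return Response.ok("Following requests to / will return a 503\n").build();
    }

    /** Turns the failure mode off again; same caveat as {@link #flagMisbehave()}. */
    @GET
    @Path("/behave")
    public Response flagBehave() {
        this.misbehave = false;
        logger.debug("'misbehave' has been set to 'false'");
        return Response.ok("Following requests to / will return 200\n").build();
    }

    /**
     * Fetches the current time from worldclockapi.com (used by the egress
     * demo). The call goes out over plain HTTP, so the answer is not
     * authenticated.
     *
     * @return the "currentDateTime" field of the service's JSON answer
     */
    private String getNow() {
        final Client client = ClientBuilder.newClient();
        try {
            final Response res = client.target("http://worldclockapi.com/api/json/cet/now").request().get();
            final String jsonObject = res.readEntity(String.class);
            return Json.createReader(new ByteArrayInputStream(jsonObject.getBytes())).readObject().getString("currentDateTime");
        } finally {
            // One client is created per call; close it so its connections are
            // released even when the request or the parsing fails.
            client.close();
        }
    }

}
--------------------------------------------------------------------------------
/RecommendationVerticle.java:
--------------------------------------------------------------------------------
package com.redhat.developer.demos.recommendation;

import io.vertx.core.AbstractVerticle;
import io.vertx.core.Vertx;
import io.vertx.core.json.JsonObject;
import io.vertx.core.logging.Logger;
import io.vertx.core.logging.LoggerFactory;
import io.vertx.ext.healthchecks.HealthCheckHandler;
import io.vertx.ext.healthchecks.Status;
import io.vertx.ext.web.Router;
import io.vertx.ext.web.RoutingContext;
import io.vertx.ext.web.client.HttpResponse;
import io.vertx.ext.web.client.WebClient;
import io.vertx.ext.web.codec.BodyCodec;

/**
 * Vert.x variant of the demo "recommendation" service: GET / returns a
 * counter and the pod's container id, /misbehave and /behave switch a 503
 * failure mode on and off, and /health always reports OK.
 */
public class RecommendationVerticle extends AbstractVerticle {

    private static final String RESPONSE_STRING_FORMAT = "recommendation v1 from '%s': %d\n";
    private static final String HTTP_NOW = "now.httpbin.org";

    private static final String HOSTNAME = parseContainerIdFromHostname(
        System.getenv().getOrDefault("HOSTNAME", "unknown")
    );

    private static final int LISTEN_ON = Integer.parseInt(
        System.getenv().getOrDefault("LISTEN_ON", "8080")
    );

    /**
     * Strips the "recommendation-v&lt;n&gt;-" prefix from a pod hostname.
     *
     * @param hostname value of the HOSTNAME environment variable
     * @return the hostname without the deployment prefix
     */
    static String parseContainerIdFromHostname(String hostname) {
        return hostname.replaceAll("recommendation-v\\d+-", "");
    }

    private final Logger logger = LoggerFactory.getLogger(getClass());

    /**
     * Counter to help us see the lifecycle
     */
    private int count = 0;

    /**
     * Flag for throwing a 503 when enabled
     */
    private boolean misbehave = false;

    /** Registers the routes and starts the HTTP server on LISTEN_ON. */
    @Override
    public void start() throws Exception {
        Router router = Router.router(vertx);
        // router.get("/").handler(this::timeout);
        router.get("/").handler(this::logging);
        router.get("/").handler(this::getRecommendations);
        // router.get("/").handler(this::getNow);
        router.get("/misbehave").handler(this::misbehave);
        router.get("/behave").handler(this::behave);

        HealthCheckHandler hc = HealthCheckHandler.create(vertx);
        hc.register("dummy-health-check", future -> future.complete(Status.OK()));
        router.get("/health").handler(hc);

        vertx.createHttpServer().requestHandler(router::accept).listen(LISTEN_ON);
    }

    /** Logs the request (with the counter as it is before this request) and passes it on. */
    private void logging(RoutingContext ctx) {
        logger.info(String.format("recommendation request from %s: %d", HOSTNAME, count));
        ctx.next();
    }

    /** Passes the request on after three seconds (used by the timeout demo). */
    private void timeout(RoutingContext ctx) {
        ctx.vertx().setTimer(3000, handler -> ctx.next());
    }

    /**
     * Answers GET /: a 503 while the misbehave flag is set (which also
     * resets the counter), otherwise the counter response.
     */
    private void getRecommendations(RoutingContext ctx) {
        if (misbehave) {
            count = 0;
            logger.info(String.format("Misbehaving %d", count));
            ctx.response().setStatusCode(503).end(String.format("recommendation misbehavior from '%s'\n", HOSTNAME));
        } else {
            count++;
            ctx.response().end(String.format(RESPONSE_STRING_FORMAT, HOSTNAME, count));
        }
    }

    /**
     * Variant of the GET / handler for the egress demo: prefixes the answer
     * with the time reported by now.httpbin.org. The call goes out over
     * plain HTTP on port 80, so the answer is not authenticated.
     */
    private void getNow(RoutingContext ctx) {
        count++;
        final WebClient client = WebClient.create(vertx);
        client.get(80, HTTP_NOW, "/")
            .timeout(5000)
            .as(BodyCodec.jsonObject())
            .send(ar -> {
                // One client is created per request; release it once the
                // (fully buffered) answer or the failure has arrived.
                client.close();
                if (ar.succeeded()) {
                    // Typed response: with the raw type, body() would not
                    // be assignable to JsonObject.
                    HttpResponse<JsonObject> response = ar.result();
                    JsonObject body = response.body();
                    String now = body.getJsonObject("now").getString("rfc2822");
                    ctx.response().end(now + " " + String.format(RESPONSE_STRING_FORMAT, HOSTNAME, count));
                } else {
                    ctx.response().setStatusCode(503).end(ar.cause().getMessage());
                }
            });
    }

    /**
     * Fault-injection switch for the circuit-breaker demo. State is changed
     * by an unauthenticated GET, so any client that can reach the pod can
     * turn the failure mode on; keep this route to demo builds.
     */
    private void misbehave(RoutingContext ctx) {
        this.misbehave = true;
        logger.info("'misbehave' has been set to 'true'");
        ctx.response().end("Following requests to '/' will return a 503\n");
    }

    /** Turns the failure mode off again. */
    private void behave(RoutingContext ctx) {
        this.misbehave = false;
        logger.info("'misbehave' has been set to 'false'");
        ctx.response().end("Following requests to '/' will return a 200\n");
    }

    public static void main(String[] args) {
        Vertx.vertx().deployVerticle(new RecommendationVerticle());
    }

}

--------------------------------------------------------------------------------
/democlean_minikube.sh:
--------------------------------------------------------------------------------
#!/bin/bash
# Resets the demo: removes recommendation v2 and its routing rules, deletes
# the local v2 image and restores the pristine RecommendationResource.java in
# the tutorial tree.

kubectl delete deployment/recommendation-v2 -n tutorial
kubectl delete pod -l app=recommendation,version=v2 -n tutorial
kubectl delete destinationrule recommendation -n tutorial
kubectl delete virtualservice recommendation -n tutorial

docker rmi example/recommendation:v2
# cp RecommendationVerticle.java ../istio-tutorial/recommendation/java/vertx/src/main/java/com/redhat/developer/demos/recommendation/
cp RecommendationResource.java ../istio-tutorial/recommendation/java/quarkus/src/main/java/com/redhat/developer/demos/recommendation/rest/


--------------------------------------------------------------------------------
/egress_demo/readme.adoc:
--------------------------------------------------------------------------------
= Egress Blocking with Istio

=== Create a namespace and make it "sticky"
----
kubectl create namespace egresstest
kubectl config set-context --current --namespace=egresstest
kubectl label namespace egresstest istio-injection=enabled
----

=== Check the Configmap
----
kubectl get configmap istio -n istio-system -o yaml | grep -o "mode: ALLOW_ANY"
mode: ALLOW_ANY
----

=== or Edit the Configmap
----
export KUBE_EDITOR="code -w"
kubectl edit configmap istio -n istio-system

ctrl-f
"outboundTrafficPolicy"
----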
24 | 25 | === Create a Deployment and find its Pod 26 | ---- 27 | kubectl create deployment nginx --image=nginx 28 | NGINXPOD=$(kubectl get pods -l app=nginx -o 'jsonpath={.items[0].metadata.name}') 29 | ---- 30 | 31 | === See the sidecar 32 | ---- 33 | kubectl describe pod $NGINXPOD 34 | 35 | # OR 36 | 37 | kubectl get pod $NGINXPOD -o json | jq ".spec.containers[].args" 38 | 39 | # OR 40 | 41 | kubectl get pod $NGINXPOD -o yaml | yq r - spec.containers[*].name 42 | ---- 43 | 44 | === Exec into the Pod 45 | ---- 46 | kubectl exec -it $NGINXPOD /bin/bash 47 | apt-get update # note: this will fail if egress is blocked 48 | apt-get -y install curl 49 | curl httpbin.org/user-agent 50 | { 51 | "user-agent": "curl/7.64.0" 52 | } 53 | 54 | # or another curl 55 | curl http://worldclockapi.com/api/json/cet/now 56 | {"$id":"1","currentDateTime":"2019-10-06T22:40+02:00","utcOffset":"02:00:00","isDayLightSavingsTime":true,"dayOfTheWeek":"Sunday","timeZoneName":"Central Europe Standard Time","currentFileTime":132148752561045719,"ordinalDate":"2019-279","serviceResponse":null} 57 | 58 | exit 59 | ---- 60 | 61 | === Now, block egress 62 | `REGISTRY_ONLY` limits outbound traffic to hosts known to the mesh's service registry. The `istio` ConfigMap in `istio-system` is mesh-wide, so the change applies to every sidecar, not only to the `egresstest` namespace. 63 | ---- 64 | kubectl get configmap istio -n istio-system -o yaml \ 65 | | sed 's/mode: ALLOW_ANY/mode: REGISTRY_ONLY/g' | \ 66 | kubectl replace -n istio-system -f - 67 | 68 | kubectl get configmap istio -n istio-system -o yaml | grep -o "mode: REGISTRY_ONLY" 69 | ---- 70 | 71 | === Try the curl again 72 | ---- 73 | kubectl exec -it $NGINXPOD /bin/bash 74 | 75 | curl httpbin.org/user-agent 76 | 77 | # curl prints nothing when the sidecar blocks the request; rerun with -v to see the response status 78 | 79 | curl -v httpbin.org/user-agent 80 | 81 | curl -v http://worldclockapi.com/api/json/cet/now 82 | ---- 83 | 84 | === Selectively open up egress 85 | ---- 86 | kubectl apply -f istiofiles/service-entry-egress-worldclockapi.yml 87 | ---- 88 | 89 | Retry the worldclockapi.com request: 90 | ---- 91 | kubectl exec -it $NGINXPOD /bin/bash 92 | 93 | curl -v http://worldclockapi.com/api/json/cet/now 94 | ---- 95 | 96 | 97 | === Unblock all egress 
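98 | 99 | ---- 100 | kubectl get configmap istio -n istio-system -o yaml \ 101 | | sed 's/mode: REGISTRY_ONLY/mode: ALLOW_ANY/g' | \ 102 | kubectl replace -n istio-system -f - 103 | 104 | kubectl get configmap istio -n istio-system -o yaml | grep -o "mode: ALLOW_ANY" 105 | ---- 106 | 107 | Note: it might take a few moments to take effect 108 | 109 | ---- 110 | kubectl exec -it $NGINXPOD /bin/bash 111 | 112 | curl httpbin.org/user-agent 113 | ---- 114 | -------------------------------------------------------------------------------- /istiofiles/serviceentry-httpbin.yml: -------------------------------------------------------------------------------- 1 | apiVersion: networking.istio.io/v1alpha3 2 | kind: ServiceEntry 3 | metadata: 4 | name: httpbin-egress-rule 5 | spec: 6 | hosts: 7 | - httpbin.org 8 | ports: 9 | - name: http-80 10 | number: 80 11 | protocol: http 12 | 
--------------------------------------------------------------------------------
/minikube_dashboards.sh:
--------------------------------------------------------------------------------
#!/bin/bash
#
# Switch the Grafana, Jaeger, Prometheus and Kiali services in istio-system
# to type NodePort and open each one in the browser via the minikube IP.
# `open` is the macOS launcher.
#
# NOTE(review): a NodePort service listens on every node address. That is
# contained on a single-node local minikube, but these add-on dashboards are
# presumably installed without strong authentication (confirm for the Istio
# profile in use), so on any shared cluster reach them with
# `kubectl port-forward` instead of changing the service type.

#######################################
# Patch one istio-system service to NodePort and open it.
# Arguments: $1 - service name
#            $2 - optional URL path appended after the port
# Outputs:   kubectl output on stdout/stderr
#######################################
expose_and_open() {
  local svc=$1
  local path=${2:-}
  local port

  kubectl patch "service/${svc}" -p '{"spec":{"type":"NodePort"}}' -n istio-system

  # Quoted so an empty IP or port yields one malformed URL argument instead
  # of being word-split into several arguments for `open`.
  port=$(kubectl get svc "$svc" -n istio-system -o 'jsonpath={.spec.ports[0].nodePort}')
  open "http://$(minikube ip):${port}${path}"
}

expose_and_open grafana
expose_and_open jaeger-query
expose_and_open prometheus
expose_and_open kiali /kiali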
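--------------------------------------------------------------------------------
/minishift_login.sh:
--------------------------------------------------------------------------------
#!/bin/bash
#
# Log in to the API server of the local minishift profile "istio-ms".
#
# NOTE(review): the admin/admin pair is hard-coded and the password is passed
# with -p, so it shows up in the process list and in shell history. That is
# tolerable only for a disposable local minishift VM. Against a shared
# cluster, omit -p so that `oc login` prompts for the password, or log in
# with a token.

oc login "$(minishift --profile istio-ms ip):8443" -u admin -p admin
--------------------------------------------------------------------------------
/mtls_demo/1_exec_preference.sh:
--------------------------------------------------------------------------------
#!/bin/bash
#
# Capture the port-8080 traffic of the preference pod from inside its
# istio-proxy sidecar and print the payloads as ASCII (tcpdump -A). In the
# mTLS demo this shows whether the payload on the wire is readable.
#
# NOTE(review): relies on sudo and packet capture being permitted in the
# istio-proxy container (presumably a mesh installed with a privileged
# proxy - confirm). Keep that setting to demo clusters; a privileged sidecar
# widens what a compromised pod can do.

PREFPOD=$(kubectl get pod -n tutorial -l app=preference -o \
  'jsonpath={.items[0].metadata.name}')

# With an empty pod name the exec below would take "-n" as its target.
if [[ -z "$PREFPOD" ]]; then
  echo "no pod with label app=preference found in namespace tutorial" >&2
  exit 1
fi

# Filter: TCP port 8080 and a non-empty payload, i.e.
# IP total length - IP header length - TCP header length != 0.
kubectl exec -it "$PREFPOD" -n tutorial -c istio-proxy -- sudo tcpdump -A -s 0 'tcp port 8080 and (((ip[2:2]-((ip[0]&0xf)<<2))-((tcp[12]&0xf0)>>2))!= 0)'
--------------------------------------------------------------------------------
/mtls_demo/2_mtls_policy.sh:
--------------------------------------------------------------------------------
#!/bin/bash
#
# Apply authentication-enable-tls.yml from the sibling istio-tutorial
# checkout to the tutorial namespace. The relative path resolves only when
# the script is started from inside mtls_demo/.

kubectl apply -n tutorial -f ../../istio-tutorial/istiofiles/authentication-enable-tls.yml
--------------------------------------------------------------------------------
/mtls_demo/3_destination_rule_mtls.sh:
--------------------------------------------------------------------------------
#!/bin/bash
#
# Apply destination-rule-tls.yml from the sibling istio-tutorial checkout to
# the tutorial namespace. The relative path resolves only when the script is
# started from inside mtls_demo/.

kubectl apply -n tutorial -f ../../istio-tutorial/istiofiles/destination-rule-tls.yml
--------------------------------------------------------------------------------
/mtls_demo/5_poll_minikube.sh:
--------------------------------------------------------------------------------
#!/bin/bash
#
# Request /customer through the NodePort of the Istio ingress gateway about
# three times per second until interrupted.

INGRESS_PORT=$(kubectl -n istio-system get service istio-ingressgateway -o jsonpath='{.spec.ports[?(@.name=="http2")].nodePort}')

GATEWAY_URL="$(minikube ip):${INGRESS_PORT}"

# A failing curl does not stop the loop, so error responses stay visible
# while policies are being changed.
while true; do
  curl "http://${GATEWAY_URL}/customer"
  sleep .3
done

--------------------------------------------------------------------------------
/mtls_demo/5_poll_minishift.sh: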
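--------------------------------------------------------------------------------
#!/bin/bash
#
# Request /customer through the minishift route of the Istio ingress gateway
# about three times per second until interrupted. The host name is built
# from the minishift IP and the public nip.io wildcard DNS service, and the
# request goes out over plain HTTP.

# Commented-out NodePort-based variant:
# INGRESS_PORT=$(kubectl -n istio-system get service istio-ingressgateway -o jsonpath='{.spec.ports[?(@.name=="http2")].nodePort}')
# GATEWAY_URL=$(minishift --profile istio-ms ip):$INGRESS_PORT
# while true
# do curl http://${GATEWAY_URL}/
# sleep .3
# done

IP=$(minishift --profile istio-ms ip)

# A failing curl does not stop the loop.
while true; do
  curl "istio-ingressgateway-istio-system.${IP}.nip.io/customer"
  sleep .3
done

--------------------------------------------------------------------------------
/mtls_demo/clean.sh:
--------------------------------------------------------------------------------
#!/bin/bash
#
# Remove what 2_mtls_policy.sh and 3_destination_rule_mtls.sh applied to the
# tutorial namespace, destination rule first. The relative paths resolve only
# when the script is started from inside mtls_demo/.

kubectl delete -n tutorial -f ../../istio-tutorial/istiofiles/destination-rule-tls.yml
kubectl delete -n tutorial -f ../../istio-tutorial/istiofiles/authentication-enable-tls.yml
--------------------------------------------------------------------------------
/namespace_sticky.sh:
--------------------------------------------------------------------------------
#!/bin/bash
#
# Make a namespace the default of the current kubectl context.
# Arguments: $1 - namespace name
#
# The argument is quoted so that whitespace or glob characters in it cannot
# turn into extra kubectl arguments. With no argument the flag is still
# passed with an empty value, as before.

kubectl config set-context --current --namespace="$1"
--------------------------------------------------------------------------------
/poll_customer_minikube.sh:
--------------------------------------------------------------------------------
#!/bin/bash
#
# Request /customer through the NodePort of the Istio ingress gateway about
# three times per second until interrupted.

INGRESS_PORT=$(kubectl -n istio-system get service istio-ingressgateway -o jsonpath='{.spec.ports[?(@.name=="http2")].nodePort}')

GATEWAY_URL="$(minikube ip):${INGRESS_PORT}"

# A failing curl does not stop the loop.
while true; do
  curl "http://${GATEWAY_URL}/customer"
  sleep .3
done
--------------------------------------------------------------------------------
/poll_customer_ocp4.sh:
--------------------------------------------------------------------------------
#!/bin/bash
#
# Request /customer through the first istio-ingressgateway route found in
# istio-system, about three times per second until interrupted.

URL=$(kubectl -n istio-system get routes -l app=istio-ingressgateway -o jsonpath='{.items[:1].spec.host}')
echo "$URL"

# A failing curl does not stop the loop.
while true; do
  curl "$URL/customer"
  sleep .3
done


--------------------------------------------------------------------------------
/siege_it_minikube.sh:
--------------------------------------------------------------------------------
#!/bin/bash
#
# Generate load on /customer through the ingress gateway of the minikube
# profile "istio-mk": 20 concurrent siege clients, 2 repetitions each.

INGRESS_PORT=$(kubectl -n istio-system get service istio-ingressgateway -o jsonpath='{.spec.ports[?(@.name=="http2")].nodePort}')

GATEWAY_URL="$(minikube -p istio-mk ip):${INGRESS_PORT}"

siege -r 2 -c 20 -v "$GATEWAY_URL/customer"

# siege -r 40 -c 1 -v $GATEWAY_URL/customer
--------------------------------------------------------------------------------
/white_list/acl_whitelist.yml:
--------------------------------------------------------------------------------
1 | apiVersion: "config.istio.io/v1alpha2" 2 | kind: instance 3 | metadata: 4 | name: appsource 5 | spec: 6 | compiledTemplate: listentry 7 | params: 8 | value: source.labels["app"] 9 | --- 10 | apiVersion: "config.istio.io/v1alpha2" 11 | kind: handler 12 | metadata: 13 | name: preferencewhitelist 14 | spec: 15 | compiledAdapter: listchecker 16 | params: 17 | overrides: ["preference"] 18 | blacklist: false 19 | --- 20 | apiVersion: "config.istio.io/v1alpha2" 21 | kind: rule 22 | metadata: 23 | name: checkfrompreference 24 | spec: 25 | match: destination.labels["app"] == "recommendation" 26 | actions: 27 | - handler: preferencewhitelist 28 | instances: 29 | - appsource 30 | --- 31 | apiVersion: "config.istio.io/v1alpha2" 32 | kind: handler 33 | metadata: 34 | name: customerwhitelist 35 | spec: 36 | compiledAdapter: listchecker 37 | params: 38 | overrides: ["customer"] 39 | blacklist: false 40 | --- 41 | apiVersion: "config.istio.io/v1alpha2" 42 | kind: rule 43 | metadata: 44 | name: checkfromcustomer 45 | spec: 46 | match: destination.labels["app"] == "preference" 47 | actions: 48 | - handler: customerwhitelist 49 | instances: 50 | - appsource 51 | 52 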
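| --------------------------------------------------------------------------------
/white_list/curl_cust2recommendation.sh:
--------------------------------------------------------------------------------
#!/bin/bash
#
# Call recommendation:8080 from inside the customer container.
# white_list/acl_whitelist.yml accepts only callers labelled app=preference
# for the recommendation service, so with that policy in effect this direct
# call is expected to be rejected.

CUSTPOD=$(kubectl get pod -n tutorial -l app=customer -o \
  'jsonpath={.items[0].metadata.name}')

# With an empty pod name the exec below would take "-n" as its target.
if [[ -z "$CUSTPOD" ]]; then
  echo "no pod with label app=customer found in namespace tutorial" >&2
  exit 1
fi

kubectl exec -it "$CUSTPOD" -n tutorial -c customer -- curl recommendation:8080
--------------------------------------------------------------------------------
/white_list/curl_nginx2customer.sh:
--------------------------------------------------------------------------------
#!/bin/bash
#
# Call the customer service from the nginx pod in the egresstest namespace.
# white_list/acl_whitelist.yml has no rule whose match names the customer
# service, so that file alone does not restrict this call.

NGINXPOD=$(kubectl get pod -n egresstest -l app=nginx -o \
  'jsonpath={.items[0].metadata.name}')

# With an empty pod name the exec below would take "-c" as its target.
if [[ -z "$NGINXPOD" ]]; then
  echo "no pod with label app=nginx found in namespace egresstest" >&2
  exit 1
fi

kubectl exec -it "$NGINXPOD" -c nginx -n egresstest -- curl customer.tutorial.svc.cluster.local:8080
--------------------------------------------------------------------------------
/white_list/curl_nginx2preference.sh:
--------------------------------------------------------------------------------
#!/bin/bash
#
# Call the preference service from the nginx pod in the egresstest namespace.
# white_list/acl_whitelist.yml accepts only callers labelled app=customer
# for the preference service, so with that policy in effect this call is
# expected to be rejected.

NGINXPOD=$(kubectl get pod -n egresstest -l app=nginx -o \
  'jsonpath={.items[0].metadata.name}')

# With an empty pod name the exec below would take "-c" as its target.
if [[ -z "$NGINXPOD" ]]; then
  echo "no pod with label app=nginx found in namespace egresstest" >&2
  exit 1
fi

kubectl exec -it "$NGINXPOD" -c nginx -n egresstest -- curl preference.tutorial.svc.cluster.local:8080
--------------------------------------------------------------------------------
/white_list/curl_nginx2recommendation.sh:
--------------------------------------------------------------------------------
#!/bin/bash
#
# Call the recommendation service from the nginx pod in the egresstest
# namespace. white_list/acl_whitelist.yml accepts only callers labelled
# app=preference for the recommendation service, so with that policy in
# effect this call is expected to be rejected.

NGINXPOD=$(kubectl get pod -n egresstest -l app=nginx -o \
  'jsonpath={.items[0].metadata.name}')

# With an empty pod name the exec below would take "-c" as its target.
if [[ -z "$NGINXPOD" ]]; then
  echo "no pod with label app=nginx found in namespace egresstest" >&2
  exit 1
fi

kubectl exec -it "$NGINXPOD" -c nginx -n egresstest -- curl recommendation.tutorial.svc.cluster.local:8080
--------------------------------------------------------------------------------
/white_list/curl_reco2preference.sh:
--------------------------------------------------------------------------------
#!/bin/bash
#
# Call preference:8080 from inside the recommendation container, i.e. against
# the normal call direction. white_list/acl_whitelist.yml accepts only
# callers labelled app=customer for the preference service, so with that
# policy in effect this call is expected to be rejected.

RECOPOD=$(kubectl get pod -n tutorial -l app=recommendation -o \
  'jsonpath={.items[0].metadata.name}')

# With an empty pod name the exec below would take "-n" as its target.
if [[ -z "$RECOPOD" ]]; then
  echo "no pod with label app=recommendation found in namespace tutorial" >&2
  exit 1
fi

kubectl exec -it "$RECOPOD" -n tutorial -c recommendation -- curl preference:8080

--------------------------------------------------------------------------------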