├── book-demos ├── NOTES.md ├── cleanup.sh ├── demo.sh ├── reset.sh ├── resources │ ├── env.sh │ ├── fakeservice.yaml │ ├── httpbin-dr.yaml │ ├── httpbin.yaml │ └── sleep.yaml └── setup.sh ├── cert-rotation ├── .gitignore ├── Readme.md ├── check-current-istio-certs.sh ├── cleanup.sh ├── demo-cacerts.sh ├── demo-intermediate.sh ├── demo-multiple-roots-intermediate.sh ├── demo-multiple-roots.sh ├── generate-certs.sh ├── reset-istio-ca.sh ├── resources │ ├── default-peerauth.yaml │ ├── httpbin.yaml │ ├── pwfile │ └── sleep.yaml ├── setup.sh └── verify-certs.sh ├── conference-demo ├── 00-install-istio.sh ├── 01-setup-gateway.sh ├── 02-rollout-to-workloads.sh ├── 03-rollout-hold-app.sh ├── 04-vault.sh ├── NOTES.md ├── cleanup.sh ├── demo copy.sh ├── reset.sh ├── resources │ ├── authorization-policy.yaml │ ├── control-plane-hold-app.yaml │ ├── control-plane.yaml │ ├── httpbin.yaml │ ├── ingress-gateways.yaml │ ├── istiod-service.yaml │ ├── peerauth-strict.yaml │ ├── request-auth.yaml │ ├── sample-apps-canary │ │ └── web-api.yaml │ ├── vault-istiod │ │ ├── NOTES.md │ │ ├── init-ca-in-pod.sh │ │ ├── install-vault.sh │ │ ├── istiod-deploy.yaml │ │ └── prep-vault-ca.sh │ └── web-api-ingress.yaml ├── setup.sh └── token-export.sh ├── debug-cors-jwt ├── call-preflight-nomatch-origin.sh ├── call-preflight.sh ├── call-service-bad-token-nomatch-origin.sh ├── call-service-bad-token.sh ├── call-service-no-token.sh ├── call-service-nomatch-origin.sh ├── call-service.sh ├── cleanup.sh ├── envoy │ ├── envoy-conf-cors-simple.yaml │ ├── envoy-conf-cors.yaml │ └── envoy-conf.yaml ├── gloo │ └── default-vs.yaml ├── istio │ ├── cors │ │ └── istio-web-vs.yaml │ ├── istio-web-vs.yaml │ ├── no-cors │ │ └── istio-web-vs.yaml │ └── security │ │ ├── gateway │ │ ├── authorization-policy.yaml │ │ ├── cors-bypass-jwt-envoyfilter.yaml │ │ ├── cors-reorder-envoyfilter-1.6.yaml │ │ ├── cors-reorder-envoyfilter.yaml │ │ └── request-auth.yaml │ │ └── web-api │ │ ├── authorization-policy.yaml │ │ ├── 
cors-bypass-jwt-envoyfilter.yaml │ │ └── request-auth.yaml ├── notes.md ├── setup.sh └── token-export.sh ├── gateway-injection ├── NOTES.md ├── cleanup.sh ├── demo.sh ├── reset.sh ├── resources │ ├── default-peerauth-strict.yaml │ ├── demo-gateway.yaml │ ├── demo-gw-vs.yaml │ ├── fake-gateway.yaml │ ├── fake-gw-vs.yaml │ ├── fakeservice.yaml │ ├── httpbin-dr.yaml │ ├── httpbin.yaml │ └── sleep.yaml └── setup.sh ├── health-check ├── NOTES.md ├── cleanup.sh ├── demo.sh ├── reset.sh ├── resources │ ├── liveness-http-same-port.yaml │ ├── peerauth-mtls.yaml │ └── sleep.yaml └── setup.sh ├── istio-csr ├── NOTES.md ├── cleanup.sh ├── demo.sh ├── reset.sh ├── resources │ ├── ca-bootstrap.yaml │ ├── certs │ │ ├── root-ca.crt │ │ └── root-ca.key │ ├── default-peerauth-strict.yaml │ ├── istio-csr-values.yaml │ ├── istio-operator.yaml │ └── sleep.yaml └── setup.sh ├── istio-mtls-demo ├── README.md ├── bin │ ├── call_service.sh │ ├── call_service_jwt.sh │ └── poll_gateway.sh ├── cleanup.sh ├── demo-jwt.sh ├── demo-permissive.sh ├── demo.sh ├── example-pcap │ └── .gitkeep ├── pcap │ └── .gitignore ├── reset.sh ├── resources │ ├── install │ │ └── istio-1.5.yaml │ ├── istio │ │ ├── default-peerauth-strict.yaml │ │ ├── istioinaction-peerauth.yaml │ │ ├── istioinaction-requestauth.yaml │ │ ├── web-api-gw-vs.yaml │ │ └── web-api-gw.yaml │ ├── jwt │ │ ├── cert.pem │ │ ├── key.pem │ │ ├── token-iss-soloio.jwt │ │ └── token-iss-soloio.txt │ └── k8s │ │ ├── purchase-history-v1.yaml │ │ ├── recommendation.yaml │ │ ├── sleep.yaml │ │ └── web-api.yaml └── setup.sh ├── istio-sds-gateway ├── cleanup.sh ├── demo.sh ├── reset.sh ├── resources │ ├── catalog-vs.yaml │ ├── cert-hello-v1.yaml │ ├── certs │ │ ├── 1_root │ │ │ ├── certs │ │ │ │ └── ca.cert.pem │ │ │ ├── index.txt │ │ │ ├── index.txt.attr │ │ │ ├── index.txt.old │ │ │ ├── newcerts │ │ │ │ └── 100212.pem │ │ │ ├── private │ │ │ │ └── ca.key.pem │ │ │ ├── serial │ │ │ └── serial.old │ │ ├── 2_intermediate │ │ │ ├── certs │ │ │ │ ├── 
ca-chain.cert.pem │ │ │ │ └── intermediate.cert.pem │ │ │ ├── csr │ │ │ │ └── intermediate.csr.pem │ │ │ ├── index.txt │ │ │ ├── index.txt.attr │ │ │ ├── index.txt.attr.old │ │ │ ├── index.txt.old │ │ │ ├── newcerts │ │ │ │ ├── 100212.pem │ │ │ │ └── 100213.pem │ │ │ ├── private │ │ │ │ └── intermediate.key.pem │ │ │ ├── serial │ │ │ └── serial.old │ │ ├── 3_application │ │ │ ├── certs │ │ │ │ └── apiserver.istioinaction.io.cert.pem │ │ │ ├── csr │ │ │ │ └── apiserver.istioinaction.io.csr.pem │ │ │ └── private │ │ │ │ └── apiserver.istioinaction.io.key.pem │ │ └── 4_client │ │ │ ├── certs │ │ │ └── apiserver.istioinaction.io.cert.pem │ │ │ ├── csr │ │ │ └── apiserver.istioinaction.io.csr.pem │ │ │ └── private │ │ │ └── apiserver.istioinaction.io.key.pem │ ├── certs2 │ │ ├── 1_root │ │ │ ├── certs │ │ │ │ └── ca.cert.pem │ │ │ ├── index.txt │ │ │ ├── index.txt.attr │ │ │ ├── index.txt.old │ │ │ ├── newcerts │ │ │ │ └── 100212.pem │ │ │ ├── private │ │ │ │ └── ca.key.pem │ │ │ ├── serial │ │ │ └── serial.old │ │ ├── 2_intermediate │ │ │ ├── certs │ │ │ │ ├── ca-chain.cert.pem │ │ │ │ └── intermediate.cert.pem │ │ │ ├── csr │ │ │ │ └── intermediate.csr.pem │ │ │ ├── index.txt │ │ │ ├── index.txt.attr │ │ │ ├── index.txt.attr.old │ │ │ ├── index.txt.old │ │ │ ├── newcerts │ │ │ │ ├── 100212.pem │ │ │ │ └── 100213.pem │ │ │ ├── private │ │ │ │ └── intermediate.key.pem │ │ │ ├── serial │ │ │ └── serial.old │ │ ├── 3_application │ │ │ ├── certs │ │ │ │ └── catalog.istioinaction.io.cert.pem │ │ │ ├── csr │ │ │ │ └── catalog.istioinaction.io.csr.pem │ │ │ └── private │ │ │ │ └── catalog.istioinaction.io.key.pem │ │ └── 4_client │ │ │ ├── certs │ │ │ └── catalog.istioinaction.io.cert.pem │ │ │ ├── csr │ │ │ └── catalog.istioinaction.io.csr.pem │ │ │ └── private │ │ │ └── catalog.istioinaction.io.key.pem │ ├── coolstore-gw-tls-redirect.yaml │ ├── coolstore-gw-tls-sds-multi.yaml │ ├── coolstore-gw-tls-sds.yaml │ ├── coolstore-gw-tls.yaml │ ├── coolstore-gw.yaml │ ├── 
coolstore-vs.yaml │ ├── fakeservice-2.yaml │ └── fakeservice.yaml └── setup.sh ├── istio-spire ├── cleanup-all.sh ├── hack │ ├── demo.sh │ └── resources │ │ ├── agent-account.yaml │ │ ├── agent-cluster-role.yaml │ │ ├── agent-configmap.yaml │ │ ├── agent-daemonset.yaml │ │ ├── client-deployment.yaml │ │ ├── kustomization.yaml │ │ ├── server-account.yaml │ │ ├── server-cluster-role.yaml │ │ ├── server-configmap.yaml │ │ ├── server-service.yaml │ │ ├── server-statefulset.yaml │ │ ├── spire-bundle-configmap.yaml │ │ └── spire-namespace.yaml ├── resources │ ├── istio-spire-config.yaml │ ├── sleep-spire.yaml │ └── spire-quickstart.yaml ├── scripts │ ├── check.sh │ ├── cleanup-kind.sh │ ├── deploy.sh │ ├── kind1.yaml │ ├── metallb1.yaml │ └── setup-kind.sh └── setup-all.sh ├── istiod-service └── istiod-service.yaml ├── kiali-istio-1.7 ├── .gitignore ├── NOTES.md ├── boot-minikube.sh ├── cleanup.sh ├── demo.sh ├── reset.sh ├── resources │ ├── kiali-auth-anonym.yaml │ ├── kiali-auth-login.yaml │ ├── kiali-auth-oidc-template.yaml │ └── kiali-auth-token.yaml ├── setup.sh └── temp │ └── kiali-auth-oidc.yaml ├── locality-routing ├── NOTES.md ├── cleanup.sh ├── demo.sh ├── reset.sh ├── resources │ ├── fakeservice │ │ ├── fakeservice-bad.yaml │ │ ├── fakeservice-dr-allow-500s.yaml │ │ ├── fakeservice-dr.yaml │ │ ├── fakeservice-good.yaml │ │ ├── fakeservice-svc.yaml │ │ └── fakeservice-vs.yaml │ ├── httpbin-dr.yaml │ ├── httpbin.yaml │ └── sleep.yaml └── setup.sh ├── multicluster-1.8 ├── cleanup-apps.sh ├── cleanup-clusters.sh ├── demo.sh ├── env.sh ├── reset.sh ├── resources │ ├── certs │ │ ├── README.md │ │ ├── ca-cert.pem │ │ ├── ca-key.pem │ │ ├── cert-chain.pem │ │ └── root-cert.pem │ ├── istio │ │ ├── cluster1-ewgw-operator.yaml │ │ ├── cluster1-operator.yaml │ │ ├── cluster2-ewgw-operator.yaml │ │ ├── cluster2-operator.yaml │ │ ├── expose-services.yaml │ │ └── values-istio-multicluster-gateways.yaml │ └── k8s │ │ ├── helloworld.yaml │ │ ├── httpbin.yaml │ │ └── sleep.yaml 
├── setup-apps.sh ├── setup-clusters.sh └── temp │ ├── .gitkeep │ └── httpbin-se.yaml ├── multicluster-eds ├── .gitignore ├── NOTES.md ├── certs │ ├── cluster1 │ │ ├── ca-cert.pem │ │ ├── ca-key.pem │ │ ├── cert-chain.pem │ │ └── root-cert.pem │ ├── cluster2 │ │ ├── ca-cert.pem │ │ ├── ca-key.pem │ │ ├── cert-chain.pem │ │ └── root-cert.pem │ ├── cluster3 │ │ ├── ca-cert.pem │ │ ├── ca-key.pem │ │ ├── cert-chain.pem │ │ └── root-cert.pem │ ├── root-ca.conf │ ├── root-cert.csr │ ├── root-cert.pem │ ├── root-cert.srl │ └── root-key.pem ├── cleanup-kind.sh ├── deploy.sh ├── istio │ ├── cluster1.yaml │ ├── cluster2.yaml │ ├── cluster3.yaml │ ├── ew-gateway1.yaml │ ├── ew-gateway2.yaml │ ├── ew-gateway3.yaml │ ├── expose-services.yaml │ ├── helloworld.yaml │ └── sleep.yaml ├── setup-istio-multicluster.sh ├── setup-kind.sh ├── setup-sample-apps.sh └── verify-setup.sh ├── multicluster ├── cleanup-apps.sh ├── cleanup-clusters.sh ├── demo.sh ├── env.sh ├── reset.sh ├── resources │ ├── certs │ │ ├── README.md │ │ ├── ca-cert.pem │ │ ├── ca-key.pem │ │ ├── cert-chain.pem │ │ └── root-cert.pem │ ├── istio │ │ └── values-istio-multicluster-gateways.yaml │ └── k8s │ │ ├── httpbin.yaml │ │ └── sleep.yaml ├── setup-apps.sh ├── setup-clusters.sh └── temp │ ├── .gitkeep │ └── httpbin-se.yaml ├── resilience-demo ├── 00-demo-canary.sh ├── 10-demo-retry.sh ├── 20-demo-timeout.sh ├── 30-demo-circuit-breaker.sh ├── README.md ├── bin │ └── poll_gateway.sh ├── cleanup.sh ├── reset.sh ├── resources │ ├── istio │ │ ├── disable-auto-retries.yaml │ │ ├── ph-all-v1.yaml │ │ ├── ph-dr-cb.yaml │ │ ├── ph-dr-circuit-breaking.yaml │ │ ├── ph-v1-retry.yaml │ │ ├── ph-v1-timeout.yaml │ │ ├── ph-v1-v2-0-100.yaml │ │ ├── ph-v1-v2-50-50.yaml │ │ ├── ph-v1-v2-90-10.yaml │ │ ├── recommendation-vs-retry.yaml │ │ ├── web-api-gw-vs.yaml │ │ └── web-api-gw.yaml │ └── k8s │ │ ├── purchase-history-v1-delay-100.yaml │ │ ├── purchase-history-v1-error-50.yaml │ │ ├── purchase-history-v1.yaml │ │ ├── 
purchase-history-v2.yaml │ │ ├── recommendation.yaml │ │ └── web-api.yaml └── setup.sh ├── revision-tags-gateway-injection ├── 00-demo-gw-injection.sh ├── 10-demo-revision-tag.sh ├── 20-install-control-plane.sh ├── 30-canary-cp.sh ├── NOTES.md ├── cleanup.sh ├── demo copy.sh ├── reset.sh ├── resources │ ├── canary │ │ ├── purchase-history-v1.yaml │ │ ├── recommendation.yaml │ │ ├── sleep.yaml │ │ └── web-api.yaml │ ├── istio-ingress-deployment.yaml │ ├── istio-ingress-prod-canary.yaml │ ├── istio-ingress-prod-stable.yaml │ ├── manualinject │ │ ├── purchase-history-v1.yaml │ │ ├── recommendation.yaml │ │ ├── sleep.yaml │ │ └── web-api.yaml │ ├── sleep.yaml │ └── web-api-gw.yaml └── setup.sh ├── sample-apps ├── purchase-history-v1.yaml ├── recommendation.yaml ├── setup.sh ├── sleep.yaml ├── web-api-gw-vs.yaml ├── web-api-gw.yaml └── web-api.yaml ├── servicemeshcon-eu21 ├── 00-crawl.sh ├── 01-walk.sh ├── NOTES.md ├── cleanup.sh ├── reset.sh ├── resources │ ├── authorization-policy.yaml │ ├── control-plane.yaml │ ├── httpbin.yaml │ ├── ingress-gateways.yaml │ ├── istiod-service.yaml │ ├── peerauth-strict.yaml │ ├── request-auth.yaml │ ├── sample-apps-canary │ │ └── web-api.yaml │ ├── vault-istiod │ │ ├── NOTES.md │ │ ├── init-ca-in-pod.sh │ │ ├── install-vault.sh │ │ ├── istiod-deploy.yaml │ │ └── prep-vault-ca.sh │ └── web-api-ingress.yaml ├── setup.sh └── token-export.sh ├── sidecar ├── NOTES.md ├── bookinfo-sidecar.yaml ├── boot-100-svcs.sh ├── clean-env.sh ├── demo.sh ├── install-bookinfo.sh └── purge-bookinfo-mem.sh ├── tcp-complex-routing ├── db-serviceentry.yaml └── postgres-vs.yaml ├── template ├── NOTES.md ├── cleanup.sh ├── demo.sh ├── reset.sh ├── resources │ ├── fakeservice.yaml │ ├── httpbin-dr.yaml │ ├── httpbin.yaml │ └── sleep.yaml └── setup.sh ├── upgrade-best-practices ├── 00-1-deploy-istio-ingress.sh ├── 00-2-upgrade-workloads.sh ├── NOTES.md ├── cleanup.sh ├── reset.sh ├── resources │ ├── canary │ │ ├── purchase-history-v1.yaml │ │ ├── 
recommendation.yaml │ │ ├── sleep.yaml │ │ └── web-api.yaml │ ├── istio-ingress-deployment.yaml │ ├── istio-ingress-prod-canary.yaml │ ├── istio-ingress-prod-stable.yaml │ ├── manualinject │ │ ├── purchase-history-v1.yaml │ │ ├── recommendation.yaml │ │ ├── sleep.yaml │ │ └── web-api.yaml │ └── sleep.yaml ├── scenario-1-ing-gw │ ├── canary │ │ ├── canary-dr.yaml │ │ ├── canary-vs.yaml │ │ ├── purchase-history-v1.yaml │ │ ├── recommendation.yaml │ │ ├── sleep.yaml │ │ ├── web-api-gw-canary-100.yaml │ │ ├── web-api-gw-canary-30.yaml │ │ ├── web-api-gw-stable.yaml │ │ └── web-api.yaml │ ├── ingress-gw.yaml │ └── web-api-gw.yaml └── setup.sh ├── util.sh ├── vm-demo-1.11 ├── .gitignore ├── 00-install-istio.sh ├── 01-create-files-to-transfer-to-vm.sh ├── 02-overlay-whitebox.sh ├── 03-copy-work-files-to-vm.sh ├── 04-create-serviceentry.sh ├── 05-whitebox-sidecar.sh ├── NOTES.md ├── cleanup.sh ├── demo.sh ├── env.sh ├── resources │ ├── fakeservice.yaml │ ├── httpbin.yaml │ ├── istio │ │ ├── expose-istiod.yaml │ │ ├── expose-services.yaml │ │ ├── security │ │ │ ├── peerauth-disable.yaml │ │ │ ├── peerauth-permissive.yaml │ │ │ └── peerauth-strict.yaml │ │ ├── sidecar-hack.yaml │ │ ├── sidecar-hack2.yaml │ │ ├── sidecar-whitebox-vm.yaml │ │ ├── vm-cluster-eastwest.yaml │ │ ├── vm-cluster.yaml │ │ ├── vmservice-serviceentry.yaml │ │ └── workloadgroup.yaml │ ├── package │ │ ├── clean-vm.sh │ │ ├── index.html │ │ ├── istio.service │ │ ├── prep-vm-nonroot.sh │ │ ├── prep-vm.sh │ │ ├── run-http-for-whitebox.sh │ │ ├── run-http.sh │ │ ├── start-istio.sh │ │ ├── stop-istio.sh │ │ └── tail-istio-log.sh │ └── sleep.yaml └── vm-ip.sh ├── vm-demo-1.8-cli ├── .gitignore ├── 00-install-istio-preview-profile.sh ├── 01-prep-namespaces.sh ├── 02-create-files-to-transfer-to-vm.sh ├── 03-copy-work-files-to-vm.sh ├── 04-create-serviceentry.sh ├── NOTES.md ├── cleanup.sh ├── demo.sh ├── env.sh ├── reset.sh ├── resources │ ├── clean-vm.sh │ ├── fakeservice.yaml │ ├── httpbin.yaml │ ├── 
index.html │ ├── peerauth-disable.yaml │ ├── peerauth-permissive.yaml │ ├── peerauth-strict.yaml │ ├── prep-vm.sh │ ├── run-http.sh │ ├── sleep.yaml │ ├── start-istio.sh │ ├── stop-istio.sh │ ├── tail-istio-log.sh │ ├── vmintegration-multi-network.yaml │ ├── vmservice-serviceentry.yaml │ └── workloadgroup.yaml └── vm-ip.sh ├── vm-demo-1.8 ├── .gitignore ├── 00-install-istio-preview-profile.sh ├── 01-prep-namespaces.sh ├── 02-create-files-to-transfer-to-vm.sh ├── 03-copy-work-files-to-vm.sh ├── 04-register-vm-with-istio.sh ├── 04a-service-entry.sh ├── 04b-workloadentry.sh ├── 04c-service.sh ├── NOTES.md ├── cleanup.sh ├── demo.sh ├── env.sh ├── istio-sidecar.deb ├── reset.sh └── resources │ ├── clean-vm.sh │ ├── fakeservice.yaml │ ├── httpbin.yaml │ ├── index.html │ ├── ingressgateway-multi-network.yaml │ ├── peerauth-disable.yaml │ ├── peerauth-permissive.yaml │ ├── peerauth-strict.yaml │ ├── prep-vm.sh │ ├── run-http.sh │ ├── sleep.yaml │ ├── start-istio.sh │ ├── stop-istio.sh │ ├── tail-istio-log.sh │ ├── vmintegration-multi-network.yaml │ └── vmintegration.yaml └── vm-demo ├── .gitignore ├── 00-install-istio-mesh-expansion.sh ├── 01-prep-namespaces.sh ├── 02-create-files-to-transfer-to-vm.sh ├── 03-copy-work-files-to-vm.sh ├── 04-register-vm-with-istio.sh ├── 04a-service-entry.sh ├── 04b-workloadentry.sh ├── 04c-service.sh ├── NOTES.md ├── cleanup.sh ├── demo.sh ├── env.sh ├── reset.sh └── resources ├── clean-vm.sh ├── dns ├── README.md ├── dnsmasq.conf └── resolved.conf ├── fakeservice.yaml ├── httpbin.yaml ├── index.html ├── ingressgateway-multi-network.yaml ├── peerauth-disable.yaml ├── peerauth-permissive.yaml ├── peerauth-strict.yaml ├── prep-vm.sh ├── run-http.sh ├── sleep.yaml ├── start-istio.sh ├── stop-istio.sh ├── tail-istio-log.sh ├── vmintegration-multi-network.yaml └── vmintegration.yaml /book-demos/NOTES.md: -------------------------------------------------------------------------------- 
https://raw.githubusercontent.com/christian-posta/istio-demos/262e7a6f74578824ab0129fde7828faa3642bfcf/book-demos/NOTES.md -------------------------------------------------------------------------------- /book-demos/cleanup.sh: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/christian-posta/istio-demos/262e7a6f74578824ab0129fde7828faa3642bfcf/book-demos/cleanup.sh -------------------------------------------------------------------------------- /book-demos/demo.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | 3 | . $(dirname ${BASH_SOURCE})/../util.sh 4 | SOURCE_DIR=$PWD 5 | 6 | -------------------------------------------------------------------------------- /book-demos/reset.sh: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/christian-posta/istio-demos/262e7a6f74578824ab0129fde7828faa3642bfcf/book-demos/reset.sh -------------------------------------------------------------------------------- /book-demos/resources/env.sh: -------------------------------------------------------------------------------- 1 | BOOK_SRC=/Users/ceposta/Dropbox/istioinaction 2 | -------------------------------------------------------------------------------- /book-demos/resources/httpbin-dr.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: networking.istio.io/v1beta1 2 | kind: DestinationRule 3 | metadata: 4 | name: httpbin-cb-policy 5 | spec: 6 | host: httpbin 7 | trafficPolicy: 8 | connectionPool: 9 | http: 10 | http2MaxRequests: 10 11 | maxRequestsPerConnection: 10 12 | outlierDetection: 13 | consecutiveErrors: 1 14 | interval: 1m 15 | baseEjectionTime: 30s -------------------------------------------------------------------------------- /book-demos/setup.sh: -------------------------------------------------------------------------------- 
https://raw.githubusercontent.com/christian-posta/istio-demos/262e7a6f74578824ab0129fde7828faa3642bfcf/book-demos/setup.sh -------------------------------------------------------------------------------- /cert-rotation/.gitignore: -------------------------------------------------------------------------------- 1 | certs 2 | -------------------------------------------------------------------------------- /cert-rotation/Readme.md: -------------------------------------------------------------------------------- 1 | Flow of the demo: 2 | 3 | * Install Istio 1.6.4 4 | * Call `setup.sh` 5 | * `demo-cacerts.sh` 6 | * `demo-intermediate.sh` 7 | * `demo-multiple-roots.sh` 8 | * `demo-multiple-roots-intermediate.sh` 9 | 10 | 11 | At any point you can call `verify-certs.sh` to check that the certs were created as expected 12 | 13 | At any point, you can call `reset-istio-ca.sh` to put the CA back to its default settings 14 | 15 | You can call `check-current-istio-certs.sh` to verify that the certs are in the correct state, depending on expectations. You can pass in a directory, as the demos do. 
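For example, you can call `check-current-istio-certs.sh ./certs/intermediate-rootA` -------------------------------------------------------------------------------- /cert-rotation/cleanup.sh: --------------------------------------------------------------------------------
#!/bin/bash
# Tear down the cert-rotation demo: remove the generated CA material and the
# sample workloads that setup.sh deployed.
rm -rf -- ./certs

kubectl delete -f resources/sleep.yaml
kubectl delete -f resources/httpbin.yaml
-------------------------------------------------------------------------------- /cert-rotation/reset-istio-ca.sh: --------------------------------------------------------------------------------
#!/bin/bash
# Put the Istio CA back to its default state: drop the user-supplied `cacerts`
# secret and the `istio-ca-secret` / `istio-security` state istiod wrote, then
# restart istiod so it regenerates them.
kubectl delete secret cacerts -n istio-system
kubectl delete secret istio-ca-secret -n istio-system
kubectl delete cm -n istio-system istio-security
kubectl delete po --wait=false -n istio-system -l app=istiod
# Drop the local copy of the Istio CA material that was active until now.
rm -f ./certs/current-istio/*.*

echo "Let's wait until istiod comes up and writes all the config maps"
sleep 30s
# Restart every pod in the demo namespace; presumably so the sidecars obtain
# fresh workload certs from the reset CA (confirm against the demo scripts).
kubectl delete po -n default --all
-------------------------------------------------------------------------------- /cert-rotation/resources/default-peerauth.yaml: --------------------------------------------------------------------------------
apiVersion: "security.istio.io/v1beta1"
kind: "PeerAuthentication"
metadata:
  name: "default"
spec:
  mtls:
    mode: STRICT
-------------------------------------------------------------------------------- /cert-rotation/resources/pwfile: -------------------------------------------------------------------------------- 1 | abc123 -------------------------------------------------------------------------------- /cert-rotation/setup.sh: --------------------------------------------------------------------------------
#!/bin/bash
# Prepare the cert-rotation demo: check the generated CA material, deploy the
# sample workloads with manually injected sidecars, and enforce STRICT mTLS
# mesh-wide.

echo "verifying everything looks good"

# Sourced (not executed) so its checks run in this shell; its final status says
# whether any check failed. Setup continues regardless, so read the output
# before running the demo scripts.
if ! . ./verify-certs.sh; then
  echo "WARNING: cert verification reported failures; see messages above" >&2
fi

echo "set up sample services"
# Manual sidecar injection: the manifests are rendered through
# `istioctl kube-inject` instead of relying on namespace auto-injection.
istioctl kube-inject -f ./resources/sleep.yaml | kubectl apply -f -
istioctl kube-inject -f ./resources/httpbin.yaml | kubectl apply -f -

echo "remove the hpa for istiod"
kubectl delete -n istio-system hpa/istiod

echo "Turning mTLS to strict"
kubectl apply -f resources/default-peerauth.yaml -n istio-system
-------------------------------------------------------------------------------- /cert-rotation/verify-certs.sh: --------------------------------------------------------------------------------
#!/bin/bash
# Check that the generated CA material is consistent: each intermediate CA
# directory's root-cert.pem must be identical to its root CA's root_ca.crt, and
# each intermediate ca-cert.pem must verify against that root.
# This file is sourced by setup.sh, so it avoids `set -e` and `exit`; failures
# are reported on stderr and the final command sets the overall status.

BASE="./certs"
ROOTA_DIR="$BASE/ROOTA"
ROOTB_DIR="$BASE/ROOTB"
INTERMEDIATE_A="$BASE/intermediate-rootA"
INTERMEDIATE_A2="$BASE/intermediate-rootA2"
INTERMEDIATE_B="$BASE/intermediate-rootB"

failures=0

# verify_ca LABEL ROOT_DIR INTERMEDIATE_DIR
# Compares the intermediate's copy of the root cert with the root CA's cert and
# verifies the intermediate cert chains to it; increments `failures` on error
# instead of silently continuing.
verify_ca() {
  local label=$1 root_dir=$2 int_dir=$3
  echo "verifying root certs for $label"
  if ! diff "$root_dir/certs/root_ca.crt" "$int_dir/root-cert.pem"; then
    echo "FAIL: $int_dir/root-cert.pem differs from $root_dir/certs/root_ca.crt" >&2
    failures=$((failures + 1))
  fi
  if ! step certificate verify "$int_dir/ca-cert.pem" --roots "$int_dir/root-cert.pem"; then
    echo "FAIL: $int_dir/ca-cert.pem does not verify against $int_dir/root-cert.pem" >&2
    failures=$((failures + 1))
  fi
}

verify_ca "CA-A" "$ROOTA_DIR" "$INTERMEDIATE_A"
verify_ca "CA-A2" "$ROOTA_DIR" "$INTERMEDIATE_A2"
verify_ca "CA-B" "$ROOTB_DIR" "$INTERMEDIATE_B"

# Non-zero status (for callers and for `. ./verify-certs.sh`) if any check failed.
[ "$failures" -eq 0 ]
-------------------------------------------------------------------------------- /conference-demo/00-install-istio.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | 3 | . 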
$(dirname ${BASH_SOURCE})/../util.sh 4 | SOURCE_DIR=$PWD 5 | 6 | desc "We want to install the control plane components without any gateways" 7 | run "cat ./resources/control-plane.yaml" 8 | run "kubectl create ns istio-system" 9 | run "kubectl apply -f ./resources/istiod-service.yaml" 10 | run "istioctl install -y -n istio-system -f ./resources/control-plane.yaml --revision 1-9-5" 11 | 12 | backtotop 13 | desc "Verify control plane installed correctly" 14 | read -s 15 | run "kubectl get po -n istio-system" 16 | -------------------------------------------------------------------------------- /conference-demo/NOTES.md: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/christian-posta/istio-demos/262e7a6f74578824ab0129fde7828faa3642bfcf/conference-demo/NOTES.md -------------------------------------------------------------------------------- /conference-demo/cleanup.sh: -------------------------------------------------------------------------------- 1 | kubectl delete ns istioinaction 2 | kubectl delete ns istio-ingress 3 | istioctl x uninstall --purge -y 4 | kubectl delete ns istio-system 5 | kubectl delete ns vault -------------------------------------------------------------------------------- /conference-demo/demo copy.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | 3 | . $(dirname ${BASH_SOURCE})/../util.sh 4 | SOURCE_DIR=$PWD 5 | 6 | desc "We want to install the control plane components without any gateways" 7 | run "cat ./resources/control-plane.yaml" 8 | run "kubectl create ns istio-system" 9 | run "istioctl install -y -n istio-system -f ./resources/control-plane.yaml --revision 1-8-3" 10 | 11 | backtotop 12 | desc "Verify control plane installed correctly" 13 | read -s 14 | 15 | run "kubectl get po -n istio-system" 16 | run "kubectl logs -f -n istio-system deploy/istiod" 17 | 18 | desc "This is a problem... 
" 19 | read -s 20 | 21 | backtotop 22 | desc "Let's work around this until Tags feature gets in" 23 | read -s 24 | run "kubectl apply -f ./resources/istiod-service.yaml" 25 | 26 | desc "Now let's check the logs" 27 | run "kubectl logs -f -n istio-system deploy/istiod" 28 | -------------------------------------------------------------------------------- /conference-demo/reset.sh: -------------------------------------------------------------------------------- 1 | kubectl label namespace istioinaction istio.io/rev- 2 | kubectl delete deploy/web-api-canary -n istioinaction 3 | 4 | istioctl x uninstall -y --purge 5 | kubectl delete ns istio-system 6 | 7 | kubectl -n istioinaction rollout restart deploy/web-api 8 | kubectl -n istioinaction rollout restart deploy/recommendation 9 | kubectl -n istioinaction rollout restart deploy/purchase-history-v1 10 | kubectl -n istioinaction rollout restart deploy/sleep -------------------------------------------------------------------------------- /conference-demo/resources/authorization-policy.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: security.istio.io/v1beta1 2 | kind: AuthorizationPolicy 3 | metadata: 4 | name: authpolicy 5 | namespace: istio-ingress 6 | spec: 7 | action: ALLOW 8 | rules: 9 | - to: 10 | - operation: 11 | paths: 12 | - /* 13 | when: 14 | - key: request.auth.claims[iss] 15 | values: 16 | - solo.io 17 | selector: 18 | matchLabels: 19 | app: istio-ingressgateway 20 | -------------------------------------------------------------------------------- /conference-demo/resources/control-plane-hold-app.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: install.istio.io/v1alpha1 2 | kind: IstioOperator 3 | metadata: 4 | name: control-plane 5 | spec: 6 | profile: minimal 7 | meshConfig: 8 | defaultConfig: 9 | holdApplicationUntilProxyStarts: true 10 | proxyMetadata: 11 | ISTIO_META_DNS_CAPTURE: "true" 12 | 
enablePrometheusMerge: true 13 | -------------------------------------------------------------------------------- /conference-demo/resources/control-plane.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: install.istio.io/v1alpha1 2 | kind: IstioOperator 3 | metadata: 4 | name: control-plane 5 | spec: 6 | profile: minimal 7 | meshConfig: 8 | defaultConfig: 9 | proxyMetadata: 10 | ISTIO_META_DNS_CAPTURE: "true" 11 | enablePrometheusMerge: true 12 | -------------------------------------------------------------------------------- /conference-demo/resources/ingress-gateways.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: install.istio.io/v1alpha1 2 | kind: IstioOperator 3 | metadata: 4 | name: istio-ingress-gw-install 5 | spec: 6 | profile: empty 7 | values: 8 | gateways: 9 | istio-ingressgateway: 10 | autoscaleEnabled: false 11 | components: 12 | ingressGateways: 13 | - name: istio-ingressgateway 14 | namespace: istio-ingress 15 | enabled: true 16 | k8s: 17 | overlays: 18 | - apiVersion: apps/v1 19 | kind: Deployment 20 | name: istio-ingressgateway 21 | patches: 22 | - path: spec.template.spec.containers[name:istio-proxy].lifecycle 23 | value: 24 | preStop: 25 | exec: 26 | command: ["sh", "-c", "sleep 5"] 27 | 28 | -------------------------------------------------------------------------------- /conference-demo/resources/istiod-service.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: v1 2 | kind: Service 3 | metadata: 4 | labels: 5 | app: istiod 6 | istio: pilot 7 | release: istio 8 | name: istiod 9 | namespace: istio-system 10 | spec: 11 | type: ClusterIP 12 | ports: 13 | - name: grpc-xds 14 | port: 15010 15 | - name: https-dns 16 | port: 15012 17 | - name: https-webhook 18 | port: 443 19 | targetPort: 15017 20 | - name: http-monitoring 21 | port: 15014 22 | selector: 23 | app: istiod 24 | 25 | 
-------------------------------------------------------------------------------- /conference-demo/resources/peerauth-strict.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: security.istio.io/v1beta1 2 | kind: PeerAuthentication 3 | metadata: 4 | name: default 5 | namespace: istio-system 6 | spec: 7 | mtls: 8 | mode: STRICT -------------------------------------------------------------------------------- /conference-demo/resources/request-auth.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: security.istio.io/v1beta1 2 | kind: RequestAuthentication 3 | metadata: 4 | name: jwt-soloio-reqauth 5 | namespace: istio-ingress 6 | spec: 7 | jwtRules: 8 | - issuer: solo.io 9 | jwks: | 10 | { "keys":[ {"kty":"RSA","e":"AQAB","kid":"858d304f-6df9-463e-a763-b735a4449857","n":"x7s5_6vgGPoW1PKkSMkau-Xr9JVZJNbqKXJ7RWKCqPxL5Vtj8II7lPi8d-x60f54oJTnyL_0zMVVsSq3msDhqzBSMpCUCR2q-pHjS_29rrFBlBHy1ty8kiMo-qXZn3SmSqGRo53bdWoiQ6ZWVZ2mkgYpdlNzNaSUe8AOQKnxBC3rBwx3-0g9RJvd4MM46YkN6Epr_NUKN___osqzfVfNoG9YLp1pbatjpqvO1XlxX4qCNLScY5FOFrkTf95O3a3Y195o89D9XwULWT1baVuO_z7Ueug68b0t51mGXuEC572DmEbc8xHLnVfLM18QADvOnSzqY6vtIQcuGE_V_c7ATQ"}]} 11 | selector: 12 | matchLabels: 13 | app: istio-ingressgateway 14 | -------------------------------------------------------------------------------- /conference-demo/resources/sample-apps-canary/web-api.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: apps/v1 2 | kind: Deployment 3 | metadata: 4 | name: web-api-canary 5 | labels: 6 | app: web-api 7 | spec: 8 | replicas: 1 9 | selector: 10 | matchLabels: 11 | app: web-api 12 | release: canary 13 | template: 14 | metadata: 15 | labels: 16 | app: web-api 17 | release: canary 18 | sidecar.istio.io/inject: "true" 19 | annotations: 20 | spec: 21 | containers: 22 | - name: web-api 23 | image: nicholasjackson/fake-service:v0.7.8 24 | ports: 25 | - containerPort: 
8080 26 | env: 27 | - name: "LISTEN_ADDR" 28 | value: "0.0.0.0:8080" 29 | - name: "UPSTREAM_URIS" 30 | value: "http://recommendation:8080" 31 | - name: "NAME" 32 | value: "web-api" 33 | - name: "MESSAGE" 34 | value: "Hello From Web API" 35 | -------------------------------------------------------------------------------- /conference-demo/resources/vault-istiod/init-ca-in-pod.sh: --------------------------------------------------------------------------------
# Copy prep-vault-ca.sh into the vault-0 pod and run it there, so the vault CLI
# calls in that script execute with the pod's own service-account credentials.
kubectl cp ./prep-vault-ca.sh vault/vault-0:/vault
kubectl exec -it -n vault po/vault-0 -- sh -c "/vault/prep-vault-ca.sh"
-------------------------------------------------------------------------------- /conference-demo/resources/vault-istiod/install-vault.sh: --------------------------------------------------------------------------------
# Install Vault into its own namespace from the hashicorp Helm chart.
kubectl create ns vault
# server.dev.enabled=true requests Vault's dev-mode server: convenient for this
# demo but not a hardened deployment. NOTE(review): keep this to the demo
# cluster; a real Vault-backed Istio CA needs a production server config.
helm install vault hashicorp/vault --set "server.dev.enabled=true" -n vault

-------------------------------------------------------------------------------- /conference-demo/resources/vault-istiod/prep-vault-ca.sh: --------------------------------------------------------------------------------
#kubectl exec -it -n vault po/vault-0 -- sh -c ""

# Runs inside the vault-0 pod (see init-ca-in-pod.sh): configure Vault so it
# can issue the intermediate CA that istiod will use.

# Let Kubernetes service accounts authenticate to Vault.
vault auth enable kubernetes

# Point the Kubernetes auth method at the in-cluster API server, using this
# pod's mounted service-account token as the token reviewer and the mounted
# cluster CA cert (the @file form) to verify the API server.
vault write auth/kubernetes/config token_reviewer_jwt="$(cat /var/run/secrets/kubernetes.io/serviceaccount/token)" kubernetes_host="https://$KUBERNETES_PORT_443_TCP_ADDR:443" kubernetes_ca_cert=@/var/run/secrets/kubernetes.io/serviceaccount/ca.crt

# Only the istiod service account in istio-system may log in to this role; the
# attached policy gen-int-ca-istio (written below) bounds what it can do, and
# tokens it obtains last 2400h (100 days).
vault write auth/kubernetes/role/gen-int-ca-istio bound_service_account_names=istiod-service-account bound_service_account_namespaces=istio-system policies=gen-int-ca-istio ttl=2400h

vault secrets enable pki

# Root CA generated and kept inside Vault (the "internal" variant); the key
# never leaves Vault. 187600h is roughly 21 years.
vault write -format=json pki/root/generate/internal common_name="pki-ca-root" ttl=187600h

# Separate PKI mount, presumably for the intermediate CA issued to istiod.
vault secrets enable -path pki_int pki

## policy
# NOTE: the policy document that followed this line is not preserved in this
# listing; the line below is truncated in the source dump.
vault policy write gen-int-ca-istio - < temp/kiali-auth-oidc.yaml 
-------------------------------------------------------------------------------- /kiali-istio-1.7/temp/kiali-auth-oidc.yaml: -------------------------------------------------------------------------------- 1 | # Source: kiali-operator/templates/kiali-cr.yaml 2 | apiVersion: kiali.io/v1alpha1 3 | kind: Kiali 4 | metadata: 5 | namespace: istio-system 6 | name: kiali 7 | labels: 8 | helm.sh/chart: kiali-operator-v1.22.0 9 | app: kiali-operator 10 | app.kubernetes.io/name: kiali-operator 11 | app.kubernetes.io/instance: kiali-operator 12 | version: "v1.22.0" 13 | app.kubernetes.io/version: "v1.22.0" 14 | app.kubernetes.io/managed-by: Helm 15 | annotations: 16 | ansible.operator-sdk/verbosity: "1" 17 | spec: 18 | auth: 19 | strategy: openid 20 | openid: 21 | client_id: "kiali-app" 22 | insecure_skip_verify_tls: true # demo-only: TLS verification of the OIDC issuer is disabled, so Kiali would also accept a spoofed issuer; drop this once the issuer has a trusted certificate 23 | issuer_uri: "https://192-168-64-115.nip.io:32000" 24 | username_claim: "email" 25 | deployment: 26 | accessible_namespaces: 27 | - '**' # every namespace is visible to Kiali; narrow this outside a demo 28 | image_version: v1.22 29 | -------------------------------------------------------------------------------- /locality-routing/NOTES.md: -------------------------------------------------------------------------------- 1 | 2 | Need to run this on a cluster with nodes in different AZs 3 | 4 | 5 | istioctl proxy-config endpoints sleep-666475687f-6rr4h --cluster "outbound|80||fakeservice.default.svc.cluster.local" -o json 6 | 7 | https://github.com/nicholasjackson/fake-service -------------------------------------------------------------------------------- /locality-routing/cleanup.sh: -------------------------------------------------------------------------------- 1 | kubectl delete -f resources/sleep.yaml 2 | kubectl delete -f resources/httpbin.yaml 3 | kubectl delete -f resources/httpbin-dr.yaml 4 | kubectl delete -f resources/fakeservice/fakeservice-vs.yaml 5 | kubectl delete -f resources/fakeservice/fakeservice-dr.yaml 6 | kubectl delete -f resources/fakeservice/fakeservice-good.yaml 7 | kubectl delete -f
resources/fakeservice/fakeservice-svc.yaml -------------------------------------------------------------------------------- /locality-routing/reset.sh: -------------------------------------------------------------------------------- 1 | kubectl delete -f resources/fakeservice/fakeservice-dr.yaml 2 | kubectl apply -f resources/fakeservice/fakeservice-good.yaml -------------------------------------------------------------------------------- /locality-routing/resources/fakeservice/fakeservice-dr-allow-500s.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: networking.istio.io/v1beta1 2 | kind: DestinationRule 3 | metadata: 4 | name: fakeservice-cb-policy 5 | spec: 6 | host: fakeservice 7 | trafficPolicy: 8 | connectionPool: 9 | http: 10 | http2MaxRequests: 10 11 | maxRequestsPerConnection: 10 12 | outlierDetection: 13 | baseEjectionTime: 30s 14 | consecutive5xxErrors: 0 15 | consecutiveGatewayErrors: 5 16 | interval: 15s 17 | maxEjectionPercent: 25 18 | minHealthPercent: 50 -------------------------------------------------------------------------------- /locality-routing/resources/fakeservice/fakeservice-dr.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: networking.istio.io/v1beta1 2 | kind: DestinationRule 3 | metadata: 4 | name: fakeservice-cb-policy 5 | spec: 6 | host: fakeservice 7 | trafficPolicy: 8 | connectionPool: 9 | http: 10 | http2MaxRequests: 10 11 | maxRequestsPerConnection: 10 12 | outlierDetection: 13 | consecutive5xxErrors: 1 14 | maxEjectionPercent: 51 15 | interval: 15s 16 | baseEjectionTime: 30s 17 | minHealthPercent: 0 18 | -------------------------------------------------------------------------------- /locality-routing/resources/fakeservice/fakeservice-svc.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: v1 2 | kind: ServiceAccount 3 | metadata: 4 | name: fakeservice 5 | --- 6 | 
apiVersion: v1 7 | kind: Service 8 | metadata: 9 | labels: 10 | app: fakeservice 11 | name: fakeservice 12 | spec: 13 | ports: 14 | - name: http 15 | port: 80 16 | protocol: TCP 17 | targetPort: 8080 18 | selector: 19 | app: fakeservice -------------------------------------------------------------------------------- /locality-routing/resources/fakeservice/fakeservice-vs.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: networking.istio.io/v1beta1 2 | kind: VirtualService 3 | metadata: 4 | name: fakeservice-vs 5 | spec: 6 | hosts: 7 | - fakeservice.default.svc.cluster.local 8 | http: 9 | - name: "default-fakeservice-route" 10 | retries: 11 | attempts: 0 12 | route: 13 | - destination: 14 | host: fakeservice.default.svc.cluster.local -------------------------------------------------------------------------------- /locality-routing/resources/httpbin-dr.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: networking.istio.io/v1beta1 2 | kind: DestinationRule 3 | metadata: 4 | name: httpbin-cb-policy 5 | spec: 6 | host: httpbin 7 | trafficPolicy: 8 | connectionPool: 9 | http: 10 | http2MaxRequests: 10 11 | maxRequestsPerConnection: 10 12 | outlierDetection: 13 | consecutiveErrors: 1 14 | interval: 1m 15 | baseEjectionTime: 30s -------------------------------------------------------------------------------- /locality-routing/setup.sh: -------------------------------------------------------------------------------- 1 | echo "Make sure you have Istio installed! 
(press ENTER to continue)" 2 | read -s 3 | 4 | kubectl apply -f resources/sleep.yaml 5 | kubectl apply -f resources/fakeservice/fakeservice-vs.yaml 6 | kubectl apply -f resources/fakeservice/fakeservice-good.yaml 7 | kubectl apply -f resources/fakeservice/fakeservice-svc.yaml -------------------------------------------------------------------------------- /multicluster-1.8/cleanup-apps.sh: -------------------------------------------------------------------------------- 1 | . ./env.sh 2 | 3 | # Delete the sample namespace on Cluster 1 4 | kubectl --context $CLUSTER_1 delete namespace sample 5 | 6 | 7 | 8 | # Delete the sample namespace on Cluster 2 9 | kubectl --context $CLUSTER_2 delete namespace sample 10 | -------------------------------------------------------------------------------- /multicluster-1.8/cleanup-clusters.sh: -------------------------------------------------------------------------------- 1 | . ./env.sh 2 | 3 | # Uninstall Istio from Cluster 1 4 | istioctl --context $CLUSTER_1 x uninstall -y --purge 5 | kubectl --context $CLUSTER_1 delete namespace istio-system 6 | 7 | 8 | # Uninstall Istio from Cluster 2 9 | istioctl --context $CLUSTER_2 x uninstall -y --purge 10 | kubectl --context $CLUSTER_2 delete namespace istio-system -------------------------------------------------------------------------------- /multicluster-1.8/env.sh: -------------------------------------------------------------------------------- 1 | 2 | export CLUSTER_1="istio-cluster-1" 3 | export CLUSTER_2="istio-cluster-2" 4 | 5 | export CTX_CLUSTER1=$CLUSTER_1 6 | export CTX_CLUSTER2=$CLUSTER_2 7 | #export CLUSTER_1="management-plane-context" 8 | #export CLUSTER_2="remote-cluster-context" -------------------------------------------------------------------------------- /multicluster-1.8/reset.sh: -------------------------------------------------------------------------------- 1 | .
./env.sh 2 | 3 | kubectl --context $CLUSTER_1 -n foo delete -f temp/httpbin-se.yaml 4 | 5 | rm temp/*.* -------------------------------------------------------------------------------- /multicluster-1.8/resources/istio/cluster1-operator.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: install.istio.io/v1alpha1 2 | kind: IstioOperator 3 | spec: 4 | values: 5 | global: 6 | meshID: mesh1 7 | multiCluster: 8 | clusterName: cluster1 9 | network: network1 -------------------------------------------------------------------------------- /multicluster-1.8/resources/istio/cluster2-operator.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: install.istio.io/v1alpha1 2 | kind: IstioOperator 3 | spec: 4 | values: 5 | global: 6 | meshID: mesh1 7 | multiCluster: 8 | clusterName: cluster2 9 | network: network2 -------------------------------------------------------------------------------- /multicluster-1.8/resources/istio/expose-services.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: networking.istio.io/v1alpha3 2 | kind: Gateway 3 | metadata: 4 | name: cross-network-gateway 5 | namespace: istio-system 6 | spec: 7 | selector: 8 | istio: eastwestgateway 9 | servers: 10 | - port: 11 | number: 15443 12 | name: tls 13 | protocol: TLS 14 | tls: 15 | mode: AUTO_PASSTHROUGH 16 | hosts: 17 | - "*.local" 18 | -------------------------------------------------------------------------------- /multicluster-1.8/resources/istio/values-istio-multicluster-gateways.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: install.istio.io/v1alpha1 2 | kind: IstioOperator 3 | spec: 4 | addonComponents: 5 | istiocoredns: 6 | enabled: true 7 | 8 | components: 9 | egressGateways: 10 | - name: istio-egressgateway 11 | enabled: true 12 | 13 | values: 14 | global: 15 | # Provides dns resolution for 
global services 16 | podDNSSearchNamespaces: 17 | - global 18 | - "{{ valueOrDefault .DeploymentMeta.Namespace \"default\" }}.global" 19 | 20 | multiCluster: 21 | enabled: true 22 | 23 | controlPlaneSecurityEnabled: true 24 | 25 | # Multicluster with gateways requires a root CA 26 | # Cluster local CAs are bootstrapped with the root CA. 27 | security: 28 | selfSigned: false 29 | 30 | gateways: 31 | istio-egressgateway: 32 | env: 33 | # Needed to route traffic via egress gateway if desired. 34 | ISTIO_META_REQUESTED_NETWORK_VIEW: "external" 35 | -------------------------------------------------------------------------------- /multicluster-1.8/setup-apps.sh: -------------------------------------------------------------------------------- 1 | 2 | . ./env.sh 3 | 4 | kubectl create --context="${CTX_CLUSTER1}" namespace sample 5 | kubectl create --context="${CTX_CLUSTER2}" namespace sample 6 | 7 | kubectl label --context="${CTX_CLUSTER1}" namespace sample istio-injection=enabled 8 | kubectl label --context="${CTX_CLUSTER2}" namespace sample istio-injection=enabled 9 | 10 | kubectl apply --context="${CTX_CLUSTER1}" -f resources/k8s/helloworld.yaml -l service=helloworld -n sample 11 | kubectl apply --context="${CTX_CLUSTER2}" -f resources/k8s/helloworld.yaml -l service=helloworld -n sample 12 | 13 | kubectl apply --context="${CTX_CLUSTER1}" -f resources/k8s/helloworld.yaml -l version=v1 -n sample 14 | kubectl apply --context="${CTX_CLUSTER2}" -f resources/k8s/helloworld.yaml -l version=v2 -n sample 15 | 16 | kubectl apply --context="${CTX_CLUSTER1}" -f resources/k8s/sleep.yaml -n sample 17 | kubectl apply --context="${CTX_CLUSTER2}" -f resources/k8s/sleep.yaml -n sample -------------------------------------------------------------------------------- /multicluster-1.8/temp/.gitkeep: -------------------------------------------------------------------------------- 
https://raw.githubusercontent.com/christian-posta/istio-demos/262e7a6f74578824ab0129fde7828faa3642bfcf/multicluster-1.8/temp/.gitkeep -------------------------------------------------------------------------------- /multicluster-1.8/temp/httpbin-se.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: networking.istio.io/v1alpha3 2 | kind: ServiceEntry 3 | metadata: 4 | name: httpbin-bar 5 | spec: 6 | hosts: 7 | # must be of form name.namespace.global 8 | - httpbin.bar.global 9 | # Treat remote cluster services as part of the service mesh 10 | # as all clusters in the service mesh share the same root of trust. 11 | location: MESH_INTERNAL 12 | ports: 13 | - name: http1 14 | number: 8000 15 | protocol: http 16 | resolution: DNS 17 | addresses: 18 | # the IP address to which httpbin.bar.global will resolve to 19 | # must be unique for each remote service, within a given cluster. 20 | # This address need not be routable. Traffic for this IP will be captured 21 | # by the sidecar and routed appropriately. 22 | - 240.0.0.2 23 | endpoints: 24 | # This is the routable address of the ingress gateway in cluster2 that 25 | # sits in front of sleep.foo service. Traffic from the sidecar will be 26 | # routed to this address. 
27 | - address: 35.233.234.111 28 | ports: 29 | http1: 15443 # Do not change this port value 30 | -------------------------------------------------------------------------------- /multicluster-eds/.gitignore: -------------------------------------------------------------------------------- 1 | kind*.yaml 2 | metallb*.yaml 3 | -------------------------------------------------------------------------------- /multicluster-eds/certs/root-ca.conf: -------------------------------------------------------------------------------- 1 | [ req ] 2 | encrypt_key = no 3 | prompt = no 4 | utf8 = yes 5 | default_md = sha256 6 | default_bits = 4096 7 | req_extensions = req_ext 8 | x509_extensions = req_ext 9 | distinguished_name = req_dn 10 | [ req_ext ] 11 | subjectKeyIdentifier = hash 12 | basicConstraints = critical, CA:true 13 | keyUsage = critical, digitalSignature, nonRepudiation, keyEncipherment, keyCertSign 14 | [ req_dn ] 15 | O = Istio 16 | CN = Root CA 17 | -------------------------------------------------------------------------------- /multicluster-eds/certs/root-cert.srl: -------------------------------------------------------------------------------- 1 | 773FA51B6B928154254DFAA7838EF7285B70EDBA 2 | -------------------------------------------------------------------------------- /multicluster-eds/cleanup-kind.sh: -------------------------------------------------------------------------------- 1 | kind delete cluster --name kind1 2 | kind delete cluster --name kind2 3 | kind delete cluster --name kind3 4 | 5 | kubectl config delete-context istio-1 6 | kubectl config delete-context istio-2 7 | kubectl config delete-context istio-3 8 | -------------------------------------------------------------------------------- /multicluster-eds/istio/cluster1.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: install.istio.io/v1alpha1 2 | kind: IstioOperator 3 | metadata: 4 | name: control-plane-install 5 | namespace: istio-system 6 
| spec: 7 | profile: minimal 8 | values: 9 | global: 10 | meshID: mesh1 11 | multiCluster: 12 | clusterName: cluster1 13 | network: network1 14 | -------------------------------------------------------------------------------- /multicluster-eds/istio/cluster2.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: install.istio.io/v1alpha1 2 | kind: IstioOperator 3 | spec: 4 | profile: minimal 5 | values: 6 | global: 7 | meshID: mesh1 8 | multiCluster: 9 | clusterName: cluster2 10 | network: network1 -------------------------------------------------------------------------------- /multicluster-eds/istio/cluster3.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: install.istio.io/v1alpha1 2 | kind: IstioOperator 3 | spec: 4 | profile: minimal 5 | values: 6 | global: 7 | meshID: mesh1 8 | multiCluster: 9 | clusterName: cluster3 10 | network: network1 -------------------------------------------------------------------------------- /multicluster-eds/istio/expose-services.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: networking.istio.io/v1alpha3 2 | kind: Gateway 3 | metadata: 4 | name: cross-network-gateway 5 | spec: 6 | selector: 7 | istio: eastwestgateway 8 | servers: 9 | - port: 10 | number: 15443 11 | name: tls 12 | protocol: TLS 13 | tls: 14 | mode: AUTO_PASSTHROUGH 15 | hosts: 16 | - "*.local" 17 | -------------------------------------------------------------------------------- /multicluster-eds/setup-kind.sh: -------------------------------------------------------------------------------- 1 | ./deploy.sh 1 istio-1 2 | ./deploy.sh 2 istio-2 3 | ./deploy.sh 3 istio-3 4 | 5 | kubectl config use-context istio-1 -------------------------------------------------------------------------------- /multicluster-eds/verify-setup.sh: -------------------------------------------------------------------------------- 1 | # 
Assume that we have Istio installed on all the three clusters 2 | 3 | 4 | echo "Calling from cluster 1" 5 | for i in {1..10} 6 | do 7 | kubectl exec --context istio-1 -n sample -c sleep deploy/sleep -- curl -sS helloworld.sample:5000/hello 8 | done 9 | 10 | 11 | 12 | 13 | 14 | echo "Calling from cluster 2" 15 | for i in {1..10} 16 | do 17 | kubectl exec --context istio-2 -n sample -c sleep deploy/sleep -- curl -sS helloworld.sample:5000/hello 18 | done 19 | 20 | 21 | 22 | 23 | echo "Calling from cluster 3" 24 | for i in {1..10} 25 | do 26 | kubectl exec --context istio-3 -n sample -c sleep deploy/sleep -- curl -sS helloworld.sample:5000/hello 27 | done -------------------------------------------------------------------------------- /multicluster/cleanup-apps.sh: -------------------------------------------------------------------------------- 1 | . ./env.sh 2 | 3 | # Delete the foo namespace on Cluster 1 4 | kubectl --context $CLUSTER_1 delete namespace foo 5 | 6 | 7 | 8 | # Delete the bar namespace on Cluster 2 9 | kubectl --context $CLUSTER_2 delete namespace bar 10 | -------------------------------------------------------------------------------- /multicluster/cleanup-clusters.sh: -------------------------------------------------------------------------------- 1 | .
./env.sh 2 | 3 | # Uninstall Istio from Cluster 1 -- NOTE(review): the kubectl at the end of the pipe has no --context, so the delete runs against the current kubeconfig context rather than $CLUSTER_1 4 | istioctl --context $CLUSTER_1 manifest generate -f resources/istio/values-istio-multicluster-gateways.yaml | kubectl delete -f - 5 | kubectl --context $CLUSTER_1 delete namespace istio-system 6 | 7 | 8 | # Uninstall Istio from Cluster 2 -- NOTE(review): same missing --context on the piped kubectl delete; it does not target $CLUSTER_2 9 | istioctl --context $CLUSTER_2 manifest generate -f resources/istio/values-istio-multicluster-gateways.yaml | kubectl delete -f - 10 | kubectl --context $CLUSTER_2 delete namespace istio-system -------------------------------------------------------------------------------- /multicluster/env.sh: -------------------------------------------------------------------------------- 1 | 2 | #export CLUSTER_1="gke-istio-cluster-1" 3 | #export CLUSTER_2="gke-istio-cluster-2" 4 | 5 | 6 | export CLUSTER_1="management-plane-context" 7 | export CLUSTER_2="remote-cluster-context" -------------------------------------------------------------------------------- /multicluster/reset.sh: -------------------------------------------------------------------------------- 1 | .
./env.sh 2 | 3 | kubectl --context $CLUSTER_1 -n foo delete -f temp/httpbin-se.yaml 4 | 5 | rm temp/*.* -------------------------------------------------------------------------------- /multicluster/resources/istio/values-istio-multicluster-gateways.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: install.istio.io/v1alpha1 2 | kind: IstioOperator 3 | spec: 4 | addonComponents: 5 | istiocoredns: 6 | enabled: true 7 | 8 | components: 9 | egressGateways: 10 | - name: istio-egressgateway 11 | enabled: true 12 | 13 | values: 14 | global: 15 | # Provides dns resolution for global services 16 | podDNSSearchNamespaces: 17 | - global 18 | - "{{ valueOrDefault .DeploymentMeta.Namespace \"default\" }}.global" 19 | 20 | multiCluster: 21 | enabled: true 22 | 23 | controlPlaneSecurityEnabled: true 24 | 25 | # Multicluster with gateways requires a root CA 26 | # Cluster local CAs are bootstrapped with the root CA. 27 | security: 28 | selfSigned: false 29 | 30 | gateways: 31 | istio-egressgateway: 32 | env: 33 | # Needed to route traffic via egress gateway if desired. 34 | ISTIO_META_REQUESTED_NETWORK_VIEW: "external" 35 | -------------------------------------------------------------------------------- /multicluster/setup-apps.sh: -------------------------------------------------------------------------------- 1 | 2 | . 
./env.sh 3 | 4 | # Install on Cluster 1 5 | kubectl --context $CLUSTER_1 create namespace foo 6 | kubectl --context $CLUSTER_1 label namespace foo istio-injection=enabled 7 | kubectl --context $CLUSTER_1 apply -n foo -f resources/k8s/sleep.yaml 8 | 9 | 10 | 11 | # Install on Cluster 2 12 | kubectl --context $CLUSTER_2 create namespace bar 13 | kubectl --context $CLUSTER_2 label namespace bar istio-injection=enabled 14 | kubectl --context $CLUSTER_2 apply -n bar -f resources/k8s/httpbin.yaml 15 | 16 | -------------------------------------------------------------------------------- /multicluster/temp/.gitkeep: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/christian-posta/istio-demos/262e7a6f74578824ab0129fde7828faa3642bfcf/multicluster/temp/.gitkeep -------------------------------------------------------------------------------- /multicluster/temp/httpbin-se.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: networking.istio.io/v1alpha3 2 | kind: ServiceEntry 3 | metadata: 4 | name: httpbin-bar 5 | spec: 6 | hosts: 7 | # must be of form name.namespace.global 8 | - httpbin.bar.global 9 | # Treat remote cluster services as part of the service mesh 10 | # as all clusters in the service mesh share the same root of trust. 11 | location: MESH_INTERNAL 12 | ports: 13 | - name: http1 14 | number: 8000 15 | protocol: http 16 | resolution: DNS 17 | addresses: 18 | # the IP address to which httpbin.bar.global will resolve to 19 | # must be unique for each remote service, within a given cluster. 20 | # This address need not be routable. Traffic for this IP will be captured 21 | # by the sidecar and routed appropriately. 22 | - 240.0.0.2 23 | endpoints: 24 | # This is the routable address of the ingress gateway in cluster2 that 25 | # sits in front of the httpbin.bar service (sleep.foo on cluster1 is the caller). Traffic from the sidecar will be 26 | # routed to this address.
27 | - address: 35.233.234.111 28 | ports: 29 | http1: 15443 # Do not change this port value 30 | -------------------------------------------------------------------------------- /resilience-demo/10-demo-retry.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | 3 | . $(dirname ${BASH_SOURCE})/../util.sh 4 | SOURCE_DIR=$PWD 5 | 6 | desc "Let's disable automatic retries" 7 | run "kubectl apply -n resilience -f resources/istio/disable-auto-retries.yaml" 8 | 9 | desc "Let's simulate some issues with v1 deployment. We'll deploy a version of the svc that generates faults 50% of the time" 10 | read -s 11 | 12 | 13 | #desc "first we need to disable automatic retries otherwise we won't see the faults" 14 | desc "Deploy updated v1 svc" 15 | run "kubectl apply -f $(relative resources/k8s/purchase-history-v1-error-50.yaml) -n resilience" 16 | run "kubectl get pod -w -n resilience" 17 | 18 | desc "Now, let's add a Retry policy for our service to smooth out the errors" 19 | run "cat $(relative resources/istio/ph-v1-retry.yaml)" 20 | run "kubectl apply -f $(relative resources/istio/ph-v1-retry.yaml) -n resilience" 21 | 22 | desc "Note, this helps with most of the errors.. let's discuss what's happening here" 23 | desc "Clean up/restore -- will come back to retries" 24 | -------------------------------------------------------------------------------- /resilience-demo/20-demo-timeout.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | 3 | . 
$(dirname ${BASH_SOURCE})/../util.sh 4 | SOURCE_DIR=$PWD 5 | 6 | 7 | desc "Let's deploy a service that has some delays:" 8 | 9 | run "kubectl apply -f $(relative resources/k8s/purchase-history-v1-delay-100.yaml) -n resilience" 10 | run "kubectl get pod -w -n resilience" 11 | 12 | desc "This is no good -- we don't want customers to wait because of this delay" 13 | read -s 14 | desc "Let's enforce timeouts" 15 | 16 | read -s 17 | 18 | run "cat $(relative resources/istio/ph-v1-timeout.yaml)" 19 | run "kubectl apply -f $(relative resources/istio/ph-v1-timeout.yaml) -n resilience" 20 | 21 | desc "Now we see errors. That's no good either, but it's better than unbounded latency" 22 | 23 | read -s 24 | desc "What else can we do?" 25 | 26 | -------------------------------------------------------------------------------- /resilience-demo/30-demo-circuit-breaker.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | 3 | . $(dirname ${BASH_SOURCE})/../util.sh 4 | SOURCE_DIR=$PWD 5 | 6 | desc "Let's use Istio's circuit breaking / outlier detection to kick out those timedout calls" 7 | read -s 8 | 9 | run "cat $(relative resources/istio/ph-dr-circuit-breaking.yaml)" 10 | run "kubectl apply -f $(relative resources/istio/ph-dr-circuit-breaking.yaml) -n resilience" 11 | 12 | desc "Now we see the offending, delayed service timed out and ejected from the pool" 13 | read -s 14 | 15 | desc "but every time it's timed out and evaluted for ejection, it still throws a 504!!!" 16 | read -s 17 | desc "how can we work around this!?" 18 | read -s 19 | 20 | desc "easy: just retry!" 21 | 22 | run "kubectl apply -f $(relative resources/istio/recommendation-vs-retry.yaml) -n resilience" 23 | -------------------------------------------------------------------------------- /resilience-demo/README.md: -------------------------------------------------------------------------------- 1 | ## Demo prep 2 | 3 | 1. 
Install Istio 4 | 5 | ``` 6 | istioctl install -y 7 | ``` 8 | 9 | 1. Install Addons 10 | 11 | ``` 12 | kubectl apply -f $ISTIO_DIR/samples/addons 13 | ``` 14 | 15 | 1. Set up the demo environment 16 | 17 | ``` 18 | ./setup.sh 19 | ``` 20 | 21 | 1. Run each of the demos (ideally in succession -- they build on each other) 22 | 23 | * `./00-demo-canary.sh` 24 | * `./10-demo-canary.sh` 25 | * `./20-demo-canary.sh` 26 | * `./30-demo-canary.sh` 27 | 28 | 29 | 1. At any point in the demo, can show grafana dashboard 30 | 31 | 32 | ``` 33 | istioctl dashboard grafana 34 | ``` 35 | 36 | -------------------------------------------------------------------------------- /resilience-demo/bin/poll_gateway.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | # for gke 3 | URL=$(k get svc -n istio-system | grep ingressgateway | awk '{ print $4 }') 4 | echo "$URL" 5 | 6 | while true 7 | do curl -H "Host: resilience.istioinaction.io" $URL 8 | sleep .4 9 | done 10 | 11 | -------------------------------------------------------------------------------- /resilience-demo/cleanup.sh: -------------------------------------------------------------------------------- 1 | 2 | kubectl delete ns resilience 3 | 4 | 5 | -------------------------------------------------------------------------------- /resilience-demo/reset.sh: -------------------------------------------------------------------------------- 1 | # Delete VSs we don't want around 2 | kubectl delete -n resilience virtualservices.networking purchase-history-vs 3 | kubectl delete -n resilience virtualservices.networking recommendation-vs 4 | kubectl delete -n resilience destinationrule purchase-history-dr 5 | 6 | # delete v2 of PH 7 | kubectl delete -n resilience -f resources/k8s/purchase-history-v2.yaml 8 | kubectl delete -n resilience -f resources/k8s/purchase-history-v1-error-50.yaml 9 | 10 | kubectl apply -n resilience -f resources/k8s/web-api.yaml 11 | kubectl apply -n resilience -f 
resources/k8s/recommendation.yaml 12 | kubectl apply -n resilience -f resources/k8s/purchase-history-v1.yaml 13 | 14 | # set all traffic to v1 15 | kubectl apply -n resilience -f resources/istio/ph-all-v1.yaml 16 | -------------------------------------------------------------------------------- /resilience-demo/resources/istio/ph-all-v1.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: networking.istio.io/v1alpha3 2 | kind: VirtualService 3 | metadata: 4 | name: purchase-history-vs 5 | spec: 6 | hosts: 7 | - purchase-history 8 | http: 9 | - route: 10 | - destination: 11 | host: purchase-history 12 | subset: version-v1 13 | weight: 100 14 | --- 15 | apiVersion: networking.istio.io/v1alpha3 16 | kind: DestinationRule 17 | metadata: 18 | name: purchase-history-dr 19 | spec: 20 | host: purchase-history 21 | subsets: 22 | - name: version-v1 23 | labels: 24 | version: v1 25 | - name: version-v2 26 | labels: 27 | version: v2 28 | -------------------------------------------------------------------------------- /resilience-demo/resources/istio/ph-dr-cb.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: networking.istio.io/v1alpha3 3 | kind: DestinationRule 4 | metadata: 5 | name: recommendation 6 | spec: 7 | host: recommendation 8 | trafficPolicy: 9 | outlierDetection: 10 | consecutiveErrors: 1 11 | baseEjectionTime: 5s 12 | interval: 5s 13 | maxEjectionPercent: 100 14 | subsets: 15 | - name: version-v1 16 | labels: 17 | version: v1 18 | - name: version-v2 19 | labels: 20 | version: v2 -------------------------------------------------------------------------------- /resilience-demo/resources/istio/ph-dr-circuit-breaking.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: networking.istio.io/v1alpha3 3 | kind: DestinationRule 4 | metadata: 5 | name: purchase-history-dr 6 | spec: 7 | host: purchase-history 
8 | trafficPolicy: 9 | outlierDetection: 10 | consecutive5xxErrors: 1 11 | baseEjectionTime: 5s 12 | interval: 5s 13 | maxEjectionPercent: 100 14 | subsets: 15 | - name: version-v1 16 | labels: 17 | version: v1 18 | - name: version-v2 19 | labels: 20 | version: v2 21 | -------------------------------------------------------------------------------- /resilience-demo/resources/istio/ph-v1-retry.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: networking.istio.io/v1alpha3 2 | kind: VirtualService 3 | metadata: 4 | name: purchase-history-vs 5 | spec: 6 | hosts: 7 | - purchase-history 8 | http: 9 | - route: 10 | - destination: 11 | host: purchase-history 12 | subset: version-v1 13 | weight: 100 14 | retries: 15 | attempts: 3 16 | -------------------------------------------------------------------------------- /resilience-demo/resources/istio/ph-v1-timeout.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: networking.istio.io/v1alpha3 2 | kind: VirtualService 3 | metadata: 4 | name: purchase-history-vs 5 | spec: 6 | hosts: 7 | - purchase-history 8 | http: 9 | - route: 10 | - destination: 11 | host: purchase-history 12 | subset: version-v1 13 | weight: 100 14 | timeout: 1s 15 | 16 | -------------------------------------------------------------------------------- /resilience-demo/resources/istio/ph-v1-v2-0-100.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: networking.istio.io/v1alpha3 2 | kind: VirtualService 3 | metadata: 4 | name: purchase-history-vs 5 | spec: 6 | hosts: 7 | - purchase-history 8 | http: 9 | - route: 10 | - destination: 11 | host: purchase-history 12 | subset: version-v1 13 | weight: 0 14 | - destination: 15 | host: purchase-history 16 | subset: version-v2 17 | weight: 100 18 | -------------------------------------------------------------------------------- 
/resilience-demo/resources/istio/ph-v1-v2-50-50.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: networking.istio.io/v1alpha3 2 | kind: VirtualService 3 | metadata: 4 | name: purchase-history-vs 5 | spec: 6 | hosts: 7 | - purchase-history 8 | http: 9 | - route: 10 | - destination: 11 | host: purchase-history 12 | subset: version-v1 13 | weight: 50 14 | - destination: 15 | host: purchase-history 16 | subset: version-v2 17 | weight: 50 18 | -------------------------------------------------------------------------------- /resilience-demo/resources/istio/ph-v1-v2-90-10.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: networking.istio.io/v1alpha3 2 | kind: VirtualService 3 | metadata: 4 | name: purchase-history-vs 5 | spec: 6 | hosts: 7 | - purchase-history 8 | http: 9 | - route: 10 | - destination: 11 | host: purchase-history 12 | subset: version-v1 13 | weight: 90 14 | - destination: 15 | host: purchase-history 16 | subset: version-v2 17 | weight: 10 18 | -------------------------------------------------------------------------------- /resilience-demo/resources/istio/recommendation-vs-retry.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: networking.istio.io/v1alpha3 2 | kind: VirtualService 3 | metadata: 4 | name: recommendation-vs 5 | spec: 6 | hosts: 7 | - recommendation 8 | http: 9 | - route: 10 | - destination: 11 | host: recommendation 12 | retries: 13 | attempts: 3 14 | retryOn: 5xx 15 | perTryTimeout: 2s 16 | 17 | -------------------------------------------------------------------------------- /resilience-demo/resources/istio/web-api-gw-vs.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: networking.istio.io/v1alpha3 2 | kind: VirtualService 3 | metadata: 4 | name: web-api-gw-vs 5 | spec: 6 | hosts: 7 | - "resilience.istioinaction.io" 8 | gateways: 
9 | - web-api-gateway 10 | http: 11 | - route: 12 | - destination: 13 | host: web-api 14 | port: 15 | number: 8080 16 | -------------------------------------------------------------------------------- /resilience-demo/resources/istio/web-api-gw.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: networking.istio.io/v1alpha3 2 | kind: Gateway 3 | metadata: 4 | name: web-api-gateway 5 | spec: 6 | selector: 7 | istio: ingressgateway 8 | servers: 9 | - port: 10 | number: 80 11 | name: http 12 | protocol: HTTP 13 | hosts: 14 | - "resilience.istioinaction.io" -------------------------------------------------------------------------------- /resilience-demo/resources/k8s/purchase-history-v1-delay-100.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: apps/v1 3 | kind: Deployment 4 | metadata: 5 | name: purchase-history-v1-delay 6 | labels: 7 | app: purchase-history-v1-delay 8 | spec: 9 | replicas: 1 10 | selector: 11 | matchLabels: 12 | deploy: purchase-history-v1-delay 13 | version: v1 14 | template: 15 | metadata: 16 | labels: 17 | deploy: purchase-history-v1-delay 18 | app: purchase-history 19 | version: v1 20 | annotations: 21 | spec: 22 | containers: 23 | - name: purchase-history 24 | image: nicholasjackson/fake-service:v0.7.8 25 | ports: 26 | - containerPort: 8080 27 | env: 28 | - name: "LISTEN_ADDR" 29 | value: "0.0.0.0:8080" 30 | - name: "NAME" 31 | value: "purchase-history-v1" 32 | - name: "SERVER_TYPE" 33 | value: "http" 34 | - name: "MESSAGE" 35 | value: "Hello From Purchase History (v1 - delayed)!" 
36 | - name: "TIMING_50_PERCENTILE" 37 | value: "3000ms" 38 | -------------------------------------------------------------------------------- /resilience-demo/resources/k8s/purchase-history-v1-error-50.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: apps/v1 3 | kind: Deployment 4 | metadata: 5 | name: purchase-history-v1-error 6 | labels: 7 | app: purchase-history-v1-error 8 | spec: 9 | replicas: 1 10 | selector: 11 | matchLabels: 12 | deploy: purchase-history-v1-error 13 | version: v1 14 | template: 15 | metadata: 16 | labels: 17 | app: purchase-history 18 | deploy: purchase-history-v1-error 19 | version: v1 20 | annotations: 21 | spec: 22 | containers: 23 | - name: purchase-history 24 | image: nicholasjackson/fake-service:v0.7.8 25 | ports: 26 | - containerPort: 8080 27 | env: 28 | - name: "LISTEN_ADDR" 29 | value: "0.0.0.0:8080" 30 | - name: "NAME" 31 | value: "purchase-history-v1" 32 | - name: "SERVER_TYPE" 33 | value: "http" 34 | - name: "MESSAGE" 35 | value: "Hello From Purchase History (v1)!" 
36 | - name: "ERROR_RATE" 37 | value: "0.5" 38 | - name: "ERROR_CODE" 39 | value: "503" 40 | - name: "ERROR_TYPE" 41 | value: "http_error" 42 | -------------------------------------------------------------------------------- /resilience-demo/resources/k8s/purchase-history-v2.yaml: -------------------------------------------------------------------------------- 1 | 2 | apiVersion: apps/v1 3 | kind: Deployment 4 | metadata: 5 | name: purchase-history-v2 6 | labels: 7 | app: purchase-history-v2 8 | spec: 9 | replicas: 1 10 | selector: 11 | matchLabels: 12 | deploy: purchase-history-v2 13 | version: v2 14 | template: 15 | metadata: 16 | labels: 17 | deploy: purchase-history-v2 18 | app: purchase-history 19 | version: v2 20 | annotations: 21 | spec: 22 | containers: 23 | - name: purchase-history 24 | image: nicholasjackson/fake-service:v0.7.8 25 | ports: 26 | - containerPort: 8080 27 | env: 28 | - name: "LISTEN_ADDR" 29 | value: "0.0.0.0:8080" 30 | - name: "NAME" 31 | value: "purchase-history-v2" 32 | - name: "MESSAGE" 33 | value: "Hello From Purchase History (v2)!" 34 | -------------------------------------------------------------------------------- /resilience-demo/resources/k8s/recommendation.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: apps/v1 2 | kind: Deployment 3 | metadata: 4 | name: recommendation 5 | labels: 6 | app: recommendation 7 | spec: 8 | replicas: 1 9 | selector: 10 | matchLabels: 11 | app: recommendation 12 | template: 13 | metadata: 14 | labels: 15 | app: recommendation 16 | annotations: 17 | spec: 18 | containers: 19 | - name: recommendation 20 | image: nicholasjackson/fake-service:v0.7.8 21 | ports: 22 | - containerPort: 8080 23 | env: 24 | - name: "LISTEN_ADDR" 25 | value: "0.0.0.0:8080" 26 | - name: "UPSTREAM_URIS" 27 | value: "http://purchase-history:8080" 28 | - name: "NAME" 29 | value: "recommendation" 30 | - name: "MESSAGE" 31 | value: "Hello From Recommendations!" 
32 | 33 | --- 34 | # Service to expose recommendation frontend 35 | 36 | apiVersion: v1 37 | kind: Service 38 | metadata: 39 | name: recommendation 40 | spec: 41 | selector: 42 | app: recommendation 43 | ports: 44 | - name: http 45 | protocol: TCP 46 | port: 8080 47 | targetPort: 8080 48 | -------------------------------------------------------------------------------- /resilience-demo/resources/k8s/web-api.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: apps/v1 2 | kind: Deployment 3 | metadata: 4 | name: web-api 5 | labels: 6 | app: web-api 7 | spec: 8 | replicas: 1 9 | selector: 10 | matchLabels: 11 | app: web-api 12 | template: 13 | metadata: 14 | labels: 15 | app: web-api 16 | annotations: 17 | spec: 18 | containers: 19 | - name: web-api 20 | image: nicholasjackson/fake-service:v0.7.8 21 | ports: 22 | - containerPort: 8080 23 | env: 24 | - name: "LISTEN_ADDR" 25 | value: "0.0.0.0:8080" 26 | - name: "UPSTREAM_URIS" 27 | value: "http://recommendation:8080" 28 | - name: "NAME" 29 | value: "web-api" 30 | - name: "MESSAGE" 31 | value: "Hello From Web API" 32 | 33 | --- 34 | # Service to expose web frontend 35 | 36 | apiVersion: v1 37 | kind: Service 38 | metadata: 39 | name: web-api 40 | spec: 41 | selector: 42 | app: web-api 43 | ports: 44 | - name: http 45 | protocol: TCP 46 | port: 8080 47 | targetPort: 8080 48 | -------------------------------------------------------------------------------- /resilience-demo/setup.sh: -------------------------------------------------------------------------------- 1 | # Install Istio 2 | #istioctl manifest apply -y 3 | 4 | # Install Sample app 5 | kubectl create ns resilience 6 | kubectl label namespace resilience istio-injection=enabled --overwrite 7 | kubectl apply -n resilience -f resources/k8s/web-api.yaml 8 | kubectl apply -n resilience -f resources/k8s/recommendation.yaml 9 | kubectl apply -n resilience -f resources/k8s/purchase-history-v1.yaml 10 | 11 | # Install 
Istio resources 12 | kubectl apply -n resilience -f resources/istio/web-api-gw.yaml 13 | kubectl apply -n resilience -f resources/istio/web-api-gw-vs.yaml 14 | 15 | kubectl apply -n resilience -f resources/istio/ph-all-v1.yaml 16 | -------------------------------------------------------------------------------- /revision-tags-gateway-injection/20-install-control-plane.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | 3 | . $(dirname ${BASH_SOURCE})/../util.sh 4 | SOURCE_DIR=$PWD 5 | 6 | desc "Let's install a new control plane with new revision" 7 | desc "Let's make sure we can upgrade" 8 | run "istioctl1.10 x precheck" 9 | run "istioctl1.10 analyze" 10 | 11 | desc "We should be good to install!" 12 | run "istioctl1.10 install -y --set profile=minimal --revision 1-10-0" 13 | run "kubectl -n istio-system get po" 14 | 15 | desc "Let's add a new tag for this as prod-canary" 16 | run "istioctl1.10 x revision tag set prod-canary --revision 1-10-0 --overwrite" 17 | 18 | desc "We now have two control planes and two tags" 19 | run "istioctl1.10 x revision tag list" 20 | 21 | desc "Everything still on the default tag" 22 | run "istioctl1.10 ps" 23 | 24 | -------------------------------------------------------------------------------- /revision-tags-gateway-injection/30-canary-cp.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | 3 | . 
$(dirname ${BASH_SOURCE})/../util.sh 4 | SOURCE_DIR=$PWD 5 | 6 | 7 | desc "Let's restart the workloads in sample-ns" 8 | run "kubectl delete po --all -n sample-ns" 9 | 10 | desc "Now we see some workloads on the new canary revision" 11 | run "istioctl1.10 ps" 12 | 13 | desc "If things look good, we can change the stable-prod tag" 14 | run "istioctl1.10 x revision tag set prod-stable --revision 1-10-0 --overwrite" 15 | run "istioctl1.10 ps" 16 | 17 | desc "Now let's restart the workloads" 18 | run "kubectl delete po -n istioinaction --all" 19 | run "istioctl1.10 ps" 20 | 21 | -------------------------------------------------------------------------------- /revision-tags-gateway-injection/NOTES.md: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/christian-posta/istio-demos/262e7a6f74578824ab0129fde7828faa3642bfcf/revision-tags-gateway-injection/NOTES.md -------------------------------------------------------------------------------- /revision-tags-gateway-injection/cleanup.sh: -------------------------------------------------------------------------------- 1 | istioctl1.9 x uninstall -y --purge 2 | kubectl delete ns istioinaction istio-ingress istio-system 3 | -------------------------------------------------------------------------------- /revision-tags-gateway-injection/demo copy.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | 3 | . 
$(dirname ${BASH_SOURCE})/../util.sh 4 | SOURCE_DIR=$PWD 5 | 6 | -------------------------------------------------------------------------------- /revision-tags-gateway-injection/reset.sh: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/christian-posta/istio-demos/262e7a6f74578824ab0129fde7828faa3642bfcf/revision-tags-gateway-injection/reset.sh -------------------------------------------------------------------------------- /revision-tags-gateway-injection/resources/canary/recommendation.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: apps/v1 2 | kind: Deployment 3 | metadata: 4 | name: recommendation 5 | labels: 6 | app: recommendation 7 | spec: 8 | replicas: 1 9 | selector: 10 | matchLabels: 11 | app: recommendation 12 | template: 13 | metadata: 14 | labels: 15 | app: recommendation 16 | annotations: 17 | spec: 18 | containers: 19 | - name: recommendation 20 | image: nicholasjackson/fake-service:v0.7.8 21 | ports: 22 | - containerPort: 8080 23 | env: 24 | - name: "LISTEN_ADDR" 25 | value: "0.0.0.0:8080" 26 | - name: "UPSTREAM_URIS" 27 | value: "http://purchase-history:8080" 28 | - name: "NAME" 29 | value: "recommendation" 30 | - name: "MESSAGE" 31 | value: "Hello From Recommendations!" 
32 | 33 | --- 34 | # Service to expose recommendation frontend 35 | 36 | apiVersion: v1 37 | kind: Service 38 | metadata: 39 | name: recommendation 40 | spec: 41 | selector: 42 | app: recommendation 43 | ports: 44 | - name: http 45 | protocol: TCP 46 | port: 8080 47 | targetPort: 8080 -------------------------------------------------------------------------------- /revision-tags-gateway-injection/resources/canary/sleep.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: apps/v1 2 | kind: Deployment 3 | metadata: 4 | name: sleep-canary 5 | namespace: istioinaction 6 | spec: 7 | replicas: 1 8 | selector: 9 | matchLabels: 10 | app: sleep 11 | template: 12 | metadata: 13 | labels: 14 | app: sleep 15 | istio.io/rev: prod-canary 16 | spec: 17 | serviceAccountName: sleep 18 | containers: 19 | - name: sleep 20 | image: governmentpaas/curl-ssl 21 | command: ["/bin/sleep", "3650d"] 22 | imagePullPolicy: IfNotPresent 23 | volumeMounts: 24 | - mountPath: /etc/sleep/tls 25 | name: secret-volume 26 | volumes: 27 | - name: secret-volume 28 | secret: 29 | secretName: sleep-secret 30 | optional: true 31 | --- 32 | -------------------------------------------------------------------------------- /revision-tags-gateway-injection/resources/canary/web-api.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: apps/v1 2 | kind: Deployment 3 | metadata: 4 | name: web-api 5 | labels: 6 | app: web-api 7 | spec: 8 | replicas: 1 9 | selector: 10 | matchLabels: 11 | app: web-api 12 | template: 13 | metadata: 14 | labels: 15 | app: web-api 16 | istio.io/rev: prod-canary 17 | spec: 18 | containers: 19 | - name: web-api 20 | image: nicholasjackson/fake-service:v0.7.8 21 | ports: 22 | - containerPort: 8080 23 | env: 24 | - name: "LISTEN_ADDR" 25 | value: "0.0.0.0:8080" 26 | - name: "UPSTREAM_URIS" 27 | value: "http://recommendation:8080" 28 | - name: "NAME" 29 | value: "web-api" 30 | - name: 
"MESSAGE" 31 | value: "Hello From Web API" 32 | 33 | --- 34 | # Service to expose web frontend 35 | 36 | apiVersion: v1 37 | kind: Service 38 | metadata: 39 | name: web-api 40 | spec: 41 | selector: 42 | app: web-api 43 | ports: 44 | - name: http 45 | protocol: TCP 46 | port: 8080 47 | targetPort: 8080 -------------------------------------------------------------------------------- /revision-tags-gateway-injection/resources/istio-ingress-prod-canary.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: apps/v1 2 | kind: Deployment 3 | metadata: 4 | name: istioinaction-gw-1-10-0 5 | namespace: istioinaction 6 | spec: 7 | selector: 8 | matchLabels: 9 | ingress: istioinaction-gw 10 | template: 11 | metadata: 12 | annotations: 13 | # here we specify to use the gateway template 14 | inject.istio.io/templates: gateway 15 | labels: 16 | ingress: istioinaction-gw 17 | 18 | # we will label this with the tag prod-canary 19 | istio.io/rev: prod-canary 20 | spec: 21 | containers: 22 | - name: istio-proxy 23 | image: auto 24 | 25 | -------------------------------------------------------------------------------- /revision-tags-gateway-injection/resources/istio-ingress-prod-stable.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: apps/v1 2 | kind: Deployment 3 | metadata: 4 | name: istioinaction-gw-1-9-5 5 | spec: 6 | selector: 7 | matchLabels: 8 | ingress: istioinaction-gw 9 | template: 10 | metadata: 11 | annotations: 12 | # here we specify to use the gateway template 13 | inject.istio.io/templates: gateway 14 | labels: 15 | ingress: istioinaction-gw 16 | 17 | # we will label this with the tag prod-canary 18 | istio.io/rev: prod-stable 19 | spec: 20 | containers: 21 | - name: istio-proxy 22 | image: auto 23 | 24 | -------------------------------------------------------------------------------- /revision-tags-gateway-injection/resources/manualinject/recommendation.yaml: 
-------------------------------------------------------------------------------- 1 | apiVersion: apps/v1 2 | kind: Deployment 3 | metadata: 4 | name: recommendation 5 | labels: 6 | app: recommendation 7 | spec: 8 | replicas: 1 9 | selector: 10 | matchLabels: 11 | app: recommendation 12 | template: 13 | metadata: 14 | labels: 15 | app: recommendation 16 | annotations: 17 | spec: 18 | containers: 19 | - name: recommendation 20 | image: nicholasjackson/fake-service:v0.7.8 21 | ports: 22 | - containerPort: 8080 23 | env: 24 | - name: "LISTEN_ADDR" 25 | value: "0.0.0.0:8080" 26 | - name: "UPSTREAM_URIS" 27 | value: "http://purchase-history:8080" 28 | - name: "NAME" 29 | value: "recommendation" 30 | - name: "MESSAGE" 31 | value: "Hello From Recommendations!" 32 | 33 | --- 34 | # Service to expose recommendation frontend 35 | 36 | apiVersion: v1 37 | kind: Service 38 | metadata: 39 | name: recommendation 40 | spec: 41 | selector: 42 | app: recommendation 43 | ports: 44 | - name: http 45 | protocol: TCP 46 | port: 8080 47 | targetPort: 8080 -------------------------------------------------------------------------------- /revision-tags-gateway-injection/resources/manualinject/sleep.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: apps/v1 2 | kind: Deployment 3 | metadata: 4 | name: sleep-canary 5 | namespace: istioinaction 6 | spec: 7 | replicas: 1 8 | selector: 9 | matchLabels: 10 | app: sleep 11 | template: 12 | metadata: 13 | annotations: 14 | sidecar.istio.io/inject: "true" 15 | labels: 16 | app: sleep 17 | istio.io/rev: prod-canary 18 | spec: 19 | serviceAccountName: sleep 20 | containers: 21 | - name: sleep 22 | image: governmentpaas/curl-ssl 23 | command: ["/bin/sleep", "3650d"] 24 | imagePullPolicy: IfNotPresent 25 | volumeMounts: 26 | - mountPath: /etc/sleep/tls 27 | name: secret-volume 28 | volumes: 29 | - name: secret-volume 30 | secret: 31 | secretName: sleep-secret 32 | optional: true 33 | --- 34 | 
-------------------------------------------------------------------------------- /revision-tags-gateway-injection/resources/manualinject/web-api.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: apps/v1 2 | kind: Deployment 3 | metadata: 4 | name: web-api 5 | labels: 6 | app: web-api 7 | spec: 8 | replicas: 1 9 | selector: 10 | matchLabels: 11 | app: web-api 12 | template: 13 | metadata: 14 | labels: 15 | app: web-api 16 | istio.io/rev: prod-canary 17 | spec: 18 | containers: 19 | - name: web-api 20 | image: nicholasjackson/fake-service:v0.7.8 21 | ports: 22 | - containerPort: 8080 23 | env: 24 | - name: "LISTEN_ADDR" 25 | value: "0.0.0.0:8080" 26 | - name: "UPSTREAM_URIS" 27 | value: "http://recommendation:8080" 28 | - name: "NAME" 29 | value: "web-api" 30 | - name: "MESSAGE" 31 | value: "Hello From Web API" 32 | 33 | --- 34 | # Service to expose web frontend 35 | 36 | apiVersion: v1 37 | kind: Service 38 | metadata: 39 | name: web-api 40 | spec: 41 | selector: 42 | app: web-api 43 | ports: 44 | - name: http 45 | protocol: TCP 46 | port: 8080 47 | targetPort: 8080 -------------------------------------------------------------------------------- /revision-tags-gateway-injection/resources/web-api-gw.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: networking.istio.io/v1alpha3 2 | kind: Gateway 3 | metadata: 4 | name: web-api-gateway 5 | namespace: istioinaction 6 | spec: 7 | selector: 8 | ingress: istioinaction-gw 9 | servers: 10 | - port: 11 | number: 80 12 | name: http 13 | protocol: HTTP 14 | hosts: 15 | - "istioinaction.io" 16 | --- 17 | apiVersion: networking.istio.io/v1alpha3 18 | kind: VirtualService 19 | metadata: 20 | name: web-api-gw-vs 21 | namespace: istioinaction 22 | spec: 23 | # best practice to always use exportTo, especially for 24 | # gateway routing 25 | exportTo: 26 | - "istioinaction" 27 | hosts: 28 | - "istioinaction.io" 29 | gateways: 30 | 
- web-api-gateway 31 | http: 32 | - route: 33 | - destination: 34 | host: web-api 35 | port: 36 | number: 8080 37 | -------------------------------------------------------------------------------- /revision-tags-gateway-injection/setup.sh: -------------------------------------------------------------------------------- 1 | istioctl1.9 install -y --set profile=minimal 2 | 3 | pushd ../sample-apps 4 | kubectl create ns istioinaction 5 | kubectl label namespace istioinaction istio-injection=enabled --overwrite 6 | kubectl apply -n istioinaction -f web-api.yaml 7 | kubectl apply -n istioinaction -f recommendation.yaml 8 | kubectl apply -n istioinaction -f purchase-history-v1.yaml 9 | kubectl apply -n istioinaction -f sleep.yaml 10 | kubectl apply -n default -f sleep.yaml 11 | 12 | kubectl create ns sample-ns 13 | kubectl apply -n sample-ns -f sleep.yaml 14 | popd 15 | 16 | -------------------------------------------------------------------------------- /sample-apps/recommendation.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: apps/v1 2 | kind: Deployment 3 | metadata: 4 | name: recommendation 5 | labels: 6 | app: recommendation 7 | prod: stable 8 | spec: 9 | replicas: 1 10 | selector: 11 | matchLabels: 12 | app: recommendation 13 | prod: stable 14 | template: 15 | metadata: 16 | labels: 17 | app: recommendation 18 | prod: stable 19 | annotations: 20 | spec: 21 | containers: 22 | - name: recommendation 23 | image: nicholasjackson/fake-service:v0.7.8 24 | ports: 25 | - containerPort: 8080 26 | env: 27 | - name: "LISTEN_ADDR" 28 | value: "0.0.0.0:8080" 29 | - name: "UPSTREAM_URIS" 30 | value: "http://purchase-history:8080" 31 | - name: "NAME" 32 | value: "recommendation" 33 | - name: "MESSAGE" 34 | value: "Hello From Recommendations!" 
35 | 36 | --- 37 | # Service to expose recommendation frontend 38 | 39 | apiVersion: v1 40 | kind: Service 41 | metadata: 42 | name: recommendation 43 | spec: 44 | selector: 45 | app: recommendation 46 | ports: 47 | - name: http 48 | protocol: TCP 49 | port: 8080 50 | targetPort: 8080 -------------------------------------------------------------------------------- /sample-apps/setup.sh: -------------------------------------------------------------------------------- 1 | # Install Sample app 2 | kubectl create ns istioinaction 3 | kubectl label namespace istioinaction istio-injection=enabled --overwrite 4 | kubectl apply -n istioinaction -f web-api.yaml 5 | kubectl apply -n istioinaction -f recommendation.yaml 6 | kubectl apply -n istioinaction -f purchase-history-v1.yaml 7 | 8 | kubectl apply -n istioinaction -f sleep.yaml 9 | 10 | # Install Istio resources 11 | kubectl apply -n istioinaction -f web-api-gw.yaml 12 | kubectl apply -n istioinaction -f web-api-gw-vs.yaml 13 | -------------------------------------------------------------------------------- /sample-apps/web-api-gw-vs.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: networking.istio.io/v1alpha3 2 | kind: VirtualService 3 | metadata: 4 | name: web-api-gw-vs 5 | spec: 6 | hosts: 7 | - "istioinaction.io" 8 | gateways: 9 | - web-api-gateway 10 | http: 11 | - route: 12 | - destination: 13 | host: web-api 14 | port: 15 | number: 8080 16 | -------------------------------------------------------------------------------- /sample-apps/web-api-gw.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: networking.istio.io/v1alpha3 2 | kind: Gateway 3 | metadata: 4 | name: web-api-gateway 5 | spec: 6 | selector: 7 | istio: ingressgateway 8 | servers: 9 | - port: 10 | number: 80 11 | name: http 12 | protocol: HTTP 13 | hosts: 14 | - "istioinaction.io" 
-------------------------------------------------------------------------------- /sample-apps/web-api.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: apps/v1 2 | kind: Deployment 3 | metadata: 4 | name: web-api 5 | labels: 6 | app: web-api 7 | prod: stable 8 | spec: 9 | replicas: 1 10 | selector: 11 | matchLabels: 12 | app: web-api 13 | prod: stable 14 | template: 15 | metadata: 16 | labels: 17 | app: web-api 18 | prod: stable 19 | annotations: 20 | spec: 21 | containers: 22 | - name: web-api 23 | image: nicholasjackson/fake-service:v0.7.8 24 | ports: 25 | - containerPort: 8080 26 | env: 27 | - name: "LISTEN_ADDR" 28 | value: "0.0.0.0:8080" 29 | - name: "UPSTREAM_URIS" 30 | value: "http://recommendation:8080" 31 | - name: "NAME" 32 | value: "web-api" 33 | - name: "MESSAGE" 34 | value: "Hello From Web API" 35 | 36 | --- 37 | # Service to expose web frontend 38 | 39 | apiVersion: v1 40 | kind: Service 41 | metadata: 42 | name: web-api 43 | spec: 44 | selector: 45 | app: web-api 46 | ports: 47 | - name: http 48 | protocol: TCP 49 | port: 8080 50 | targetPort: 8080 -------------------------------------------------------------------------------- /servicemeshcon-eu21/NOTES.md: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/christian-posta/istio-demos/262e7a6f74578824ab0129fde7828faa3642bfcf/servicemeshcon-eu21/NOTES.md -------------------------------------------------------------------------------- /servicemeshcon-eu21/cleanup.sh: -------------------------------------------------------------------------------- 1 | kubectl delete ns istioinaction 2 | istioctl x uninstall --purge 3 | kubectl delete ns istio-system 4 | kubectl delete ns vault -------------------------------------------------------------------------------- /servicemeshcon-eu21/reset.sh: -------------------------------------------------------------------------------- 1 | kubectl label 
namespace istioinaction istio-injection- 2 | kubectl delete deploy/web-api-canary -n istioinaction 3 | 4 | istioctl x uninstall -y --purge 5 | kubectl delete ns istio-system 6 | 7 | kubectl -n istioinaction rollout restart deploy/web-api 8 | kubectl -n istioinaction rollout restart deploy/recommendation 9 | kubectl -n istioinaction rollout restart deploy/purchase-history-v1 10 | kubectl -n istioinaction rollout restart deploy/sleep -------------------------------------------------------------------------------- /servicemeshcon-eu21/resources/authorization-policy.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: security.istio.io/v1beta1 2 | kind: AuthorizationPolicy 3 | metadata: 4 | name: authpolicy 5 | namespace: istio-system 6 | spec: 7 | action: ALLOW 8 | rules: 9 | - to: 10 | - operation: 11 | paths: 12 | - /* 13 | when: 14 | - key: request.auth.claims[iss] 15 | values: 16 | - solo.io 17 | selector: 18 | matchLabels: 19 | app: istio-ingressgateway 20 | -------------------------------------------------------------------------------- /servicemeshcon-eu21/resources/control-plane.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: install.istio.io/v1alpha1 2 | kind: IstioOperator 3 | metadata: 4 | name: control-plane 5 | spec: 6 | profile: minimal 7 | meshConfig: 8 | defaultConfig: 9 | proxyMetadata: 10 | ISTIO_META_DNS_CAPTURE: "true" 11 | enablePrometheusMerge: true 12 | -------------------------------------------------------------------------------- /servicemeshcon-eu21/resources/ingress-gateways.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: install.istio.io/v1alpha1 2 | kind: IstioOperator 3 | metadata: 4 | name: istio-ingress-gw-install 5 | spec: 6 | profile: empty 7 | values: 8 | gateways: 9 | istio-ingressgateway: 10 | autoscaleEnabled: false 11 | components: 12 | ingressGateways: 13 | - name: 
istio-ingressgateway 14 | namespace: istio-system 15 | enabled: true 16 | k8s: 17 | overlays: 18 | - apiVersion: apps/v1 19 | kind: Deployment 20 | name: istio-ingressgateway 21 | patches: 22 | - path: spec.template.spec.containers[name:istio-proxy].lifecycle 23 | value: 24 | preStop: 25 | exec: 26 | command: ["sh", "-c", "sleep 5"] 27 | 28 | -------------------------------------------------------------------------------- /servicemeshcon-eu21/resources/istiod-service.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: v1 2 | kind: Service 3 | metadata: 4 | labels: 5 | app: istiod 6 | istio: pilot 7 | release: istio 8 | name: istiod 9 | namespace: istio-system 10 | spec: 11 | type: ClusterIP 12 | ports: 13 | - name: grpc-xds 14 | port: 15010 15 | - name: https-dns 16 | port: 15012 17 | - name: https-webhook 18 | port: 443 19 | targetPort: 15017 20 | - name: http-monitoring 21 | port: 15014 22 | selector: 23 | app: istiod 24 | 25 | -------------------------------------------------------------------------------- /servicemeshcon-eu21/resources/peerauth-strict.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: security.istio.io/v1beta1 2 | kind: PeerAuthentication 3 | metadata: 4 | name: default 5 | namespace: istio-system 6 | spec: 7 | mtls: 8 | mode: STRICT -------------------------------------------------------------------------------- /servicemeshcon-eu21/resources/request-auth.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: security.istio.io/v1beta1 2 | kind: RequestAuthentication 3 | metadata: 4 | name: jwt-soloio-reqauth 5 | namespace: istio-system 6 | spec: 7 | jwtRules: 8 | - issuer: solo.io 9 | jwks: | 10 | { "keys":[ 
{"kty":"RSA","e":"AQAB","kid":"858d304f-6df9-463e-a763-b735a4449857","n":"x7s5_6vgGPoW1PKkSMkau-Xr9JVZJNbqKXJ7RWKCqPxL5Vtj8II7lPi8d-x60f54oJTnyL_0zMVVsSq3msDhqzBSMpCUCR2q-pHjS_29rrFBlBHy1ty8kiMo-qXZn3SmSqGRo53bdWoiQ6ZWVZ2mkgYpdlNzNaSUe8AOQKnxBC3rBwx3-0g9RJvd4MM46YkN6Epr_NUKN___osqzfVfNoG9YLp1pbatjpqvO1XlxX4qCNLScY5FOFrkTf95O3a3Y195o89D9XwULWT1baVuO_z7Ueug68b0t51mGXuEC572DmEbc8xHLnVfLM18QADvOnSzqY6vtIQcuGE_V_c7ATQ"}]} 11 | selector: 12 | matchLabels: 13 | app: istio-ingressgateway 14 | -------------------------------------------------------------------------------- /servicemeshcon-eu21/resources/sample-apps-canary/web-api.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: apps/v1 2 | kind: Deployment 3 | metadata: 4 | name: web-api-canary 5 | labels: 6 | app: web-api 7 | spec: 8 | replicas: 1 9 | selector: 10 | matchLabels: 11 | app: web-api 12 | release: canary 13 | template: 14 | metadata: 15 | labels: 16 | app: web-api 17 | release: canary 18 | sidecar.istio.io/inject: "true" 19 | annotations: 20 | spec: 21 | containers: 22 | - name: web-api 23 | image: nicholasjackson/fake-service:v0.7.8 24 | ports: 25 | - containerPort: 8080 26 | env: 27 | - name: "LISTEN_ADDR" 28 | value: "0.0.0.0:8080" 29 | - name: "UPSTREAM_URIS" 30 | value: "http://recommendation:8080" 31 | - name: "NAME" 32 | value: "web-api" 33 | - name: "MESSAGE" 34 | value: "Hello From Web API" 35 | -------------------------------------------------------------------------------- /servicemeshcon-eu21/resources/vault-istiod/init-ca-in-pod.sh: -------------------------------------------------------------------------------- 1 | kubectl cp ./prep-vault-ca.sh vault/vault-0:/vault 2 | kubectl exec -it -n vault po/vault-0 -- sh -c "/vault/prep-vault-ca.sh" -------------------------------------------------------------------------------- /servicemeshcon-eu21/resources/vault-istiod/install-vault.sh: 
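--------------------------------------------------------------------------------
# NOTE(review): server.dev.enabled=true runs Vault in dev mode -- auto-unsealed,
# in-memory storage and a fixed dev root token. Everything prep-vault-ca.sh creates
# below (the root key included) lives only in that pod's memory and is gone on
# restart; this is demo-only wiring, never a pattern for a real mesh CA.
kubectl create ns vault
helm install vault hashicorp/vault --set "server.dev.enabled=true" -n vault

--------------------------------------------------------------------------------
/servicemeshcon-eu21/resources/vault-istiod/prep-vault-ca.sh:
--------------------------------------------------------------------------------
#kubectl exec -it -n vault po/vault-0 -- sh -c ""

# Executed inside vault-0 (copied there by init-ca-in-pod.sh): enables Kubernetes
# auth so istiod's service account can obtain a Vault token, then creates a root and
# an intermediate PKI mount for istiod to draw its signing CA from.
vault auth enable kubernetes

# vault-0's own projected SA token is used as the TokenReview credential; that only
# works if the vault service account is bound to system:auth-delegator -- confirm
# against the chart's RBAC.
vault write auth/kubernetes/config token_reviewer_jwt="$(cat /var/run/secrets/kubernetes.io/serviceaccount/token)" kubernetes_host="https://$KUBERNETES_PORT_443_TCP_ADDR:443" kubernetes_ca_cert=@/var/run/secrets/kubernetes.io/serviceaccount/ca.crt

# Only istiod-service-account in istio-system may assume this role (good). ttl=2400h
# lets each issued token live 100 days; a token that can mint CA certificates deserves
# a ttl of hours -- the login can simply be repeated.
vault write auth/kubernetes/role/gen-int-ca-istio bound_service_account_names=istiod-service-account bound_service_account_namespaces=istio-system policies=gen-int-ca-istio ttl=2400h

vault secrets enable pki

# 187600h is roughly 21 years for a root whose private key (dev mode) is never persisted.
vault write -format=json pki/root/generate/internal common_name="pki-ca-root" ttl=187600h

vault secrets enable -path pki_int pki

## policy
# NOTE(review): the listing is truncated here -- the policy heredoc and the first
# lines of /vm-demo-1.11/02-create-files-to-transfer-to-vm.sh are missing; the line
# below is what survived and is not runnable as written.
vault policy write gen-int-ca-istio - <> "${WORK_DIR}"/files/sidecar.env
# Interception NONE = whitebox mode: no iptables capture on the VM, so only traffic
# that goes through the sidecar's explicit listeners (sidecar-whitebox-vm.yaml) is
# in the mesh; anything else reaches the VM's ports directly, unauthenticated.
echo "ISTIO_META_INTERCEPTION_MODE=NONE" >> "${WORK_DIR}"/files/sidecar.env
echo "ISTIO_INBOUND_INTERCEPTION_MODE=NONE" >> "${WORK_DIR}"/files/sidecar.env


--------------------------------------------------------------------------------
/vm-demo-1.11/03-copy-work-files-to-vm.sh:
--------------------------------------------------------------------------------
source env.sh

# ./work is the VM's mesh bootstrap bundle: root-cert.pem plus, presumably, the
# service-account token that `istioctl x workload entry configure` writes under
# files/ (see the 1.8-cli 02-*.sh) -- confirm the contents. That token is a bearer
# credential: the tarball is deleted locally but stays in the VM's home directory,
# so remove it there once the sidecar is up.
tar -czf work.tar.gz ./work
gcloud beta compute scp --scp-flag="-r" --zone "$VM_ZONE" work.tar.gz "$VM_NAME:~"

rm work.tar.gz
--------------------------------------------------------------------------------
/vm-demo-1.11/04-create-serviceentry.sh:
--------------------------------------------------------------------------------
. "$(dirname "${BASH_SOURCE[0]}")/../util.sh"
SOURCE_DIR=$PWD


source ./env.sh



kubectl -n "${VM_NAMESPACE}" apply -f resources/istio/vmservice-serviceentry.yaml

#desc "Verify this service made it into istios service registry"
#run "kubectl exec -it deploy/sleep -- curl localhost:15000/clusters | grep vmservice"
--------------------------------------------------------------------------------
/vm-demo-1.11/05-whitebox-sidecar.sh:
--------------------------------------------------------------------------------
. "$(dirname "${BASH_SOURCE[0]}")/../util.sh"
SOURCE_DIR=$PWD


source ./env.sh



kubectl -n "${VM_NAMESPACE}" apply -f resources/istio/sidecar-whitebox-vm.yaml


--------------------------------------------------------------------------------
/vm-demo-1.11/cleanup.sh:
--------------------------------------------------------------------------------

source env.sh

istioctl x uninstall --purge -y

kubectl delete ns istio-system
kubectl delete ns istioinaction
# Deleting the namespace removes the my-vm service account as well, which invalidates
# the bootstrap token that was copied to the VM.
kubectl delete ns vm-services
--------------------------------------------------------------------------------
/vm-demo-1.11/demo.sh:
--------------------------------------------------------------------------------
#!/bin/bash

. "$(dirname "${BASH_SOURCE[0]}")/../util.sh"
SOURCE_DIR=$PWD

--------------------------------------------------------------------------------
/vm-demo-1.11/env.sh:
--------------------------------------------------------------------------------

# ceposta-linux-builds
#VM_NAME="ceposta-linux-builds"
#VM_ZONE="us-west1-b"

# ceposta-disconnected-vm
VM_NAME="ceposta-disconnected-vm"
VM_ZONE="us-central1-a"

LINUX_RUNAS_USER="ceposta"
VM_APP="python-http"
VM_NAMESPACE="vm-services"
WORK_DIR="./work"
SERVICE_ACCOUNT="my-vm"
ISTIO_VERSION=""
CLUSTER_NETWORK="main-network"
VM_NETWORK="vm-network"
CLUSTER_ID="cluster1"
--------------------------------------------------------------------------------
/vm-demo-1.11/resources/istio/expose-services.yaml:
--------------------------------------------------------------------------------
# East-west gateway: TLS on 15443 is passed through untouched (AUTO_PASSTHROUGH) to
# whichever in-mesh service the SNI names under *.local. The gateway performs no
# authentication of its own -- the client certificate is verified by the destination
# sidecar -- so keep PeerAuthentication STRICT while this port is reachable from
# outside the cluster.
apiVersion: networking.istio.io/v1alpha3
kind: Gateway
metadata:
  name: cross-network-gateway
  namespace: istio-system
spec:
  selector:
    istio: eastwestgateway
  servers:
    - port:
        number: 15443
        name: tls
        protocol: TLS
      tls:
        mode: AUTO_PASSTHROUGH
      hosts:
        - "*.local"
--------------------------------------------------------------------------------
/vm-demo-1.11/resources/istio/security/peerauth-disable.yaml:
--------------------------------------------------------------------------------
# Mesh-wide policy ("default" in the root namespace istio-system) -- applies to every
# workload without a narrower PeerAuthentication. DISABLE switches mTLS off, so a
# plaintext peer with no identity can reach the VM's sidecar listener (bind 0.0.0.0
# in sidecar-whitebox-vm.yaml). Demo toggle only; never leave this applied.
apiVersion: security.istio.io/v1beta1
kind: PeerAuthentication
metadata:
  name: default
  namespace: istio-system
spec:
  mtls:
    mode: DISABLE
--------------------------------------------------------------------------------
/vm-demo-1.11/resources/istio/security/peerauth-permissive.yaml:
--------------------------------------------------------------------------------
# Mesh-wide: sidecars accept both mTLS and plaintext. Fine for migration, but any
# AuthorizationPolicy keyed on source principal sees no identity on plaintext
# connections, so move to STRICT once every caller is in the mesh.
apiVersion: security.istio.io/v1beta1
kind: PeerAuthentication
metadata:
  name: default
  namespace: istio-system
spec:
  mtls:
    mode: PERMISSIVE
--------------------------------------------------------------------------------
/vm-demo-1.11/resources/istio/security/peerauth-strict.yaml:
--------------------------------------------------------------------------------
# Mesh-wide: mTLS required for all in-mesh traffic. This is the intended steady state.
apiVersion: security.istio.io/v1beta1
kind: PeerAuthentication
metadata:
  name: default
  namespace: istio-system
spec:
  mtls:
    mode: STRICT
--------------------------------------------------------------------------------
/vm-demo-1.11/resources/istio/sidecar-whitebox-vm.yaml:
--------------------------------------------------------------------------------
# Whitebox (no-iptables) sidecar for the VM. Inbound: the sidecar itself listens on
# 0.0.0.0:9090 and hands requests to the app on 127.0.0.1:7001, so the app must bind
# to loopback only (see run-http-for-whitebox.sh) or it can be reached around the
# sidecar. Egress: an HTTP proxy on 127.0.0.1:8888 that the app must be pointed at
# explicitly; only httpbin in istioinaction and istio-system services are routable.
apiVersion: networking.istio.io/v1alpha3
kind: Sidecar
metadata:
  name: whitebox-vm
  namespace: vm-services
spec:
  workloadSelector:
    labels:
      app: python-http
  ingress:
    - port:
        number: 9090
        protocol: HTTP
        name: python-http
      captureMode: NONE
      bind: 0.0.0.0
      defaultEndpoint: 127.0.0.1:7001
  egress:
    - port:
        number: 8888
        protocol: HTTP_PROXY
        name: httpbin-egress
      captureMode: NONE
      bind: 127.0.0.1
      hosts:
        - "istioinaction/httpbin.istioinaction.svc.cluster.local"
    - hosts:
        - "istio-system/*"
--------------------------------------------------------------------------------
/vm-demo-1.11/resources/istio/vm-cluster.yaml:
--------------------------------------------------------------------------------
apiVersion: install.istio.io/v1alpha1
metadata:
  namespace: istio-system
  name: istio-control-plane
kind: IstioOperator
spec:
  profile: minimal
  meshConfig:
    defaultConfig:
      proxyMetadata:
        ISTIO_META_DNS_CAPTURE: "true"
        ISTIO_META_DNS_AUTO_ALLOCATE: "true"
  components:
    pilot:
      k8s:
        env:
          # With auto-registration, any proxy that connects with a valid token for the
          # WorkloadGroup's service account creates its own WorkloadEntry; the
          # bootstrap bundle copied to the VM is therefore the only gate to the mesh.
          - name: PILOT_ENABLE_WORKLOAD_ENTRY_AUTOREGISTRATION
            value: "true"
          - name: PILOT_ENABLE_WORKLOAD_ENTRY_HEALTHCHECKS
            value: "true"
  values:
    global:
      meshID: mesh1
      multiCluster:
        # ${CLUSTER_ID}
        clusterName: cluster1
      # ${CLUSTER_NETWORK}
      network: main-network


--------------------------------------------------------------------------------
/vm-demo-1.11/resources/istio/vmservice-serviceentry.yaml:
--------------------------------------------------------------------------------
# Gives the VM a mesh hostname. Port 80 maps to the VM's 9090; endpoints are the
# auto-registered WorkloadEntries selected by app=python-http (resolution STATIC).
apiVersion: networking.istio.io/v1beta1
kind: ServiceEntry
metadata:
  name: vm-workload-svc
  namespace: vm-services
spec:
  hosts:
    - vmservice.example.com
  location: MESH_INTERNAL
  ports:
    - number: 80
      name: http
      protocol: HTTP
      targetPort: 9090
  resolution: STATIC
  workloadSelector:
    labels:
      app: python-http
--------------------------------------------------------------------------------
/vm-demo-1.11/resources/istio/workloadgroup.yaml:
--------------------------------------------------------------------------------
# Template for VMs that auto-register. serviceAccount my-vm becomes the VM's mesh
# identity, so whoever holds a token for my-vm can join as this workload.
apiVersion: networking.istio.io/v1alpha3
kind: WorkloadGroup
metadata:
  # ${VM_APP}
  name: python-http
  # ${VM_NAMESPACE}
  namespace: vm-services
spec:
  metadata:
    annotations: {}
    labels:
      # ${VM_APP}
      app: python-http
  template:
    # ${VM_NETWORK}
    network: "vm-network"
    # ${SERVICE_ACCOUNT}
    serviceAccount: my-vm

--------------------------------------------------------------------------------
/vm-demo-1.11/resources/package/clean-vm.sh:
--------------------------------------------------------------------------------
export ROOT_FOLDER=work
export FILES=./files

# Flush iptables
echo "Flushing iptables"
sudo iptables -F -t nat

echo "Stopping istio"
./stop-istio.sh

# /etc and /var/run paths are root-owned and every other step here uses sudo;
# without it these removals likely fail for the login user and the certificates and
# projected token stay on the VM after a "clean".
sudo rm -f -- /etc/certs/*.*
sudo rm -fr -- /var/run/secrets/istio
sudo rm -fr -- /var/run/secrets/tokens


# Install sidecar
echo "Remove sidecar"
sudo dpkg -P istio-sidecar
sudo rm -fr -- /var/lib/istio

# NOTE(review): '/istio/' deletes every /etc/hosts line containing that substring,
# not just the entries the demo added -- acceptable on a throwaway VM only.
sudo sed -i '/istio/d' /etc/hosts
sudo sed -i '/vm-services/d' /etc/hosts

sudo rm -fr -- /etc/istio/proxy
sudo rm -fr -- /var/log/istio

sudo systemctl reset-failed
sudo systemctl daemon-reload

--------------------------------------------------------------------------------
/vm-demo-1.11/resources/package/index.html:
--------------------------------------------------------------------------------


Congrats! This works!


--------------------------------------------------------------------------------
/vm-demo-1.11/resources/package/istio.service:
--------------------------------------------------------------------------------
[Unit]
Description=istio-sidecar: The Istio sidecar
Documentation=http://istio.io/

[Service]
# The sidecar runs as the unprivileged istio-proxy user (installed by
# prep-vm-nonroot.sh); istio-start.sh is expected to exist from the sidecar package.
User=istio-proxy
Group=istio-proxy
ExecStart=/usr/local/bin/istio-start.sh
ExecStopPost=/usr/local/bin/istio-start.sh clean
Restart=always
StartLimitInterval=0
RestartSec=10


[Install]
WantedBy=multi-user.target
--------------------------------------------------------------------------------
/vm-demo-1.11/resources/package/prep-vm-nonroot.sh:
--------------------------------------------------------------------------------

sudo cp ./istio.service /lib/systemd/system/istio.service
sudo systemctl daemon-reload
--------------------------------------------------------------------------------
/vm-demo-1.11/resources/package/run-http-for-whitebox.sh:
--------------------------------------------------------------------------------
# python -m SimpleHTTPServer 9090
# Whitebox mode: the sidecar forwards 0.0.0.0:9090 -> 127.0.0.1:7001
# (sidecar-whitebox-vm.yaml). http.server binds all interfaces by default, which
# would expose 7001 directly and bypass the sidecar's mTLS -- bind loopback only.
python3 -m http.server --bind 127.0.0.1 7001
--------------------------------------------------------------------------------
/vm-demo-1.11/resources/package/run-http.sh:
--------------------------------------------------------------------------------
# python -m SimpleHTTPServer 9090
# Serves the current working directory on every interface. Do not start it from the
# ./work bundle (root-cert.pem and the bootstrap token would be downloadable), and
# note that with interception mode NONE (sidecar.env) traffic to 9090 never passes
# through the sidecar.
python3 -m http.server 9090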
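--------------------------------------------------------------------------------
/vm-demo-1.11/resources/package/start-istio.sh:
--------------------------------------------------------------------------------
sudo systemctl start istio

# systemctl list-units --type=service
# start istio
# cat /usr/local/bin/istio-start.sh

echo "to see logs, run"
echo "journalctl -u istio.service"

tail -f /var/log/istio/istio.log


--------------------------------------------------------------------------------
/vm-demo-1.11/resources/package/stop-istio.sh:
--------------------------------------------------------------------------------
sudo systemctl stop istio
--------------------------------------------------------------------------------
/vm-demo-1.11/resources/package/tail-istio-log.sh:
--------------------------------------------------------------------------------
tail -f /var/log/istio/istio.log
--------------------------------------------------------------------------------
/vm-demo-1.11/vm-ip.sh:
--------------------------------------------------------------------------------
source env.sh

# Prints the VM's public (NAT) address; the project id is hard-coded here rather
# than taken from env.sh.
VM_IP=$(gcloud compute instances describe --zone "$VM_ZONE" "$VM_NAME" --project "solo-public" --format='get(networkInterfaces[0].accessConfigs[0].natIP)')
printf '%s\n' "$VM_IP"
--------------------------------------------------------------------------------
/vm-demo-1.8-cli/.gitignore:
--------------------------------------------------------------------------------
work
--------------------------------------------------------------------------------
/vm-demo-1.8-cli/00-install-istio-preview-profile.sh:
--------------------------------------------------------------------------------
source env.sh

kubectl create ns istio-system

# we want to enable the DNS capture
istioctl1.8 install -y -f resources/vmintegration-multi-network.yaml
# Both sample manifests expose control plane and services through the east-west
# gateway; they are read from a local Istio checkout, so the version applied depends
# on whatever ~/dev/istio/latest-1.8 currently points at.
kubectl apply -f ~/dev/istio/latest-1.8/samples/multicluster/expose-istiod.yaml
kubectl apply -f ~/dev/istio/latest-1.8/samples/multicluster/expose-services.yaml
#cat ~/dev/istio/latest-1.8/samples/multicluster/expose-istiod.yaml | sed 's/eastwestgateway/ingressgateway/' | kubectl apply -f -
#cat ~/dev/istio/latest-1.8/samples/multicluster/expose-services.yaml | sed 's/eastwestgateway/ingressgateway/' | kubectl apply -f -


--------------------------------------------------------------------------------
/vm-demo-1.8-cli/01-prep-namespaces.sh:
--------------------------------------------------------------------------------

source env.sh

# The service account created here is the identity the VM will run as; the token
# generated for it in 02-*.sh is what lets the VM join the mesh.
kubectl create namespace "$VM_NAMESPACE"
kubectl create serviceaccount "$SERVICE_ACCOUNT" -n "$VM_NAMESPACE"
--------------------------------------------------------------------------------
/vm-demo-1.8-cli/02-create-files-to-transfer-to-vm.sh:
--------------------------------------------------------------------------------
. "$(dirname "${BASH_SOURCE[0]}")/../util.sh"
SOURCE_DIR=$PWD


source ./env.sh

# ${WORK_DIR:?} aborts instead of running `rm -fr` on an empty path if env.sh did
# not set WORK_DIR.
rm -fr "${WORK_DIR:?}"
mkdir -p "${WORK_DIR}"


cp resources/prep-vm.sh "${WORK_DIR}"
cp resources/clean-vm.sh "${WORK_DIR}"
cp resources/start-istio.sh "${WORK_DIR}"
cp resources/stop-istio.sh "${WORK_DIR}"
cp resources/tail-istio-log.sh "${WORK_DIR}"
cp resources/run-http.sh "${WORK_DIR}"
cp resources/index.html "${WORK_DIR}"

# enable this once they fix https://github.com/istio/istio/issues/29151
#istioctl1.8 x workload group create --name "${VM_APP}" --namespace "${VM_NAMESPACE}" --labels app="${VM_APP}" --serviceAccount "${SERVICE_ACCOUNT}" > ${WORK_DIR}/workloadgroup.yaml

# for auto registration
desc "Creat workloadgroup.yaml"
run "cat resources/workloadgroup.yaml"
run "kubectl -n ${VM_NAMESPACE} apply -f resources/workloadgroup.yaml"

# Writes the VM bootstrap files into ${WORK_DIR}/files: root-cert.pem (referenced in
# NOTES.md) and, per istioctl's output for this command, a service-account token for
# ${SERVICE_ACCOUNT} -- confirm the listing. Treat the directory as a secret: it is
# git-ignored, and run-http.sh must not be started from it.
desc "Create files"
run "istioctl1.8 x workload entry configure -f resources/workloadgroup.yaml -o "${WORK_DIR}/files" --autoregister"

# The env file lives under files/; the previous `touch` targeted ${WORK_DIR}/sidecar.env
# and only created an unused empty file next to the bundle.
touch "${WORK_DIR}"/files/sidecar.env
echo "ISTIO_META_AUTO_REGISTER_GROUP=python-http" >> "${WORK_DIR}"/files/sidecar.env
--------------------------------------------------------------------------------
/vm-demo-1.8-cli/03-copy-work-files-to-vm.sh:
--------------------------------------------------------------------------------
source env.sh

# ./work carries the bootstrap token generated in 02-*.sh. The tarball is removed
# locally but remains in the VM's home directory -- delete it there after the
# sidecar has started.
tar -czf work.tar.gz ./work
gcloud beta compute scp --scp-flag="-r" --zone "$VM_ZONE" work.tar.gz "$VM_NAME:~"

rm work.tar.gz
--------------------------------------------------------------------------------
/vm-demo-1.8-cli/04-create-serviceentry.sh:
--------------------------------------------------------------------------------
. "$(dirname "${BASH_SOURCE[0]}")/../util.sh"
SOURCE_DIR=$PWD


source ./env.sh

desc "Creat serviceentry"
run "cat resources/vmservice-serviceentry.yaml"
run "kubectl -n ${VM_NAMESPACE} apply -f resources/vmservice-serviceentry.yaml"

# 15000 is the Envoy admin port of the sleep pod's sidecar, reachable only from inside
# the pod -- hence the kubectl exec.
desc "Verify this service made it into istios service registry"
run "kubectl exec -it deploy/sleep -- curl localhost:15000/clusters | grep vmservice"
--------------------------------------------------------------------------------
/vm-demo-1.8-cli/NOTES.md:
--------------------------------------------------------------------------------
Some helpful commands:

gcloud beta compute scp --scp-flag="-r" --zone "us-west1-b" ./work ceposta-linux-builds:~

gcloud beta compute ssh --zone "us-west1-b" "ceposta-linux-builds" --project "solo-public"
gcloud beta compute ssh --zone "us-central1-a" "ceposta-disconnected-vm" --project "solo-public"



sudo iptables -t nat -L

Enable firewall rules for services running on compute:

gcloud compute firewall-rules create test-http-8080 --allow tcp:9090 --source-tags=ceposta-linux-builds --source-ranges=0.0.0.0/0 --description="Allow testing http apps"

Caveat: the rule above is named `test-http-8080` but opens tcp:9090, and because
`--source-ranges=0.0.0.0/0` is given (source ranges and source tags are combined with OR)
and no `--target-tags` are set, it admits the whole internet to port 9090 on every
instance in the network. For a demo, scope it to your own address and to the VM
(assuming the VM carries the `ceposta-linux-builds` network tag):

gcloud compute firewall-rules create test-http-9090 --allow tcp:9090 --target-tags=ceposta-linux-builds --source-ranges=YOUR_IP/32 --description="Allow testing http apps from my IP"

Delete the rule when the demo is over: `gcloud compute firewall-rules delete test-http-9090`.

python -m SimpleHTTPServer 9090

SimpleHTTPServer serves the current working directory on all interfaces. Start it from
a directory that holds only index.html, never from ./work: that directory contains
files/root-cert.pem (used by the grpcurl command below) and the bootstrap token that
istioctl generated next to it, and both would be downloadable through port 9090.

sudo systemctl start istio

systemctl list-units --type=service

sudo systemctl reset-failed
sudo systemctl daemon-reload

start istio
cat /usr/local/bin/istio-start.sh

echo "to see logs, run"
echo "journalctl -u istio.service"

tail -f /var/log/istio/istio.log


echo {} | grpcurl -d @ -cacert ./files/root-cert.pem istiod.istio-system.svc:15012 envoy.service.discovery.v3.AggregatedDiscoveryService/StreamAggregatedResources
--------------------------------------------------------------------------------
/vm-demo-1.8-cli/cleanup.sh:
--------------------------------------------------------------------------------

source env.sh

. ./reset.sh

# Removing the namespace also removes the my-vm service account, invalidating the
# token handed to the VM.
kubectl delete namespace vm-services
--------------------------------------------------------------------------------
/vm-demo-1.8-cli/demo.sh:
--------------------------------------------------------------------------------
#!/bin/bash

. "$(dirname "${BASH_SOURCE[0]}")/../util.sh"
SOURCE_DIR=$PWD

--------------------------------------------------------------------------------
/vm-demo-1.8-cli/env.sh:
--------------------------------------------------------------------------------

# ceposta-linux-builds
VM_NAME="ceposta-linux-builds"
VM_ZONE="us-west1-b"

# ceposta-disconnected-vm
#VM_NAME="ceposta-disconnected-vm"
#VM_ZONE="us-central1-a"

VM_APP="python-http"
CLUSTER_NAME="demo-cluster-name"
VM_NAMESPACE="vm-services"
WORK_DIR="./work"
SERVICE_ACCOUNT="my-vm"
ISTIO_VERSION=""

--------------------------------------------------------------------------------
/vm-demo-1.8-cli/reset.sh:
--------------------------------------------------------------------------------
kubectl delete -f resources/peerauth-strict.yaml
# ./work is the local copy of the VM's bootstrap bundle (02-*.sh); deleting it here
# does not revoke the token already copied to the VM.
rm -fr ./work
--------------------------------------------------------------------------------
/vm-demo-1.8-cli/resources/clean-vm.sh:
--------------------------------------------------------------------------------
export ROOT_FOLDER=work
export FILES=./files

# Flush iptables
echo "Flushing iptables"
sudo iptables -F -t nat

echo "Stopping istio"
./stop-istio.sh

# /etc and /var/run paths are root-owned and every other step here uses sudo;
# without it these removals likely fail for the login user and the certificates and
# projected token stay on the VM after a "clean".
sudo rm -f -- /etc/certs/*.*
sudo rm -fr -- /var/run/secrets/istio
sudo rm -fr -- /var/run/secrets/tokens


# Install sidecar
echo "Remove sidecar"
sudo dpkg -P istio-sidecar
sudo rm -fr -- /var/lib/istio

# NOTE(review): '/istio/' deletes every /etc/hosts line containing that substring,
# not just the entries the demo added -- acceptable on a throwaway VM only.
sudo sed -i '/istio/d' /etc/hosts
sudo sed -i '/vm-services/d' /etc/hosts

sudo rm -fr -- /etc/istio/proxy
sudo rm -fr -- /var/log/istio

sudo systemctl reset-failed
sudo systemctl daemon-reload

--------------------------------------------------------------------------------
/vm-demo-1.8-cli/resources/index.html:
--------------------------------------------------------------------------------


Congrats! This works!


--------------------------------------------------------------------------------
/vm-demo-1.8-cli/resources/peerauth-disable.yaml:
--------------------------------------------------------------------------------
# Mesh-wide policy ("default" in the root namespace istio-system). DISABLE turns
# mTLS off for every workload without a narrower policy -- demo toggle only.
apiVersion: security.istio.io/v1beta1
kind: PeerAuthentication
metadata:
  name: default
  namespace: istio-system
spec:
  mtls:
    mode: DISABLE
--------------------------------------------------------------------------------
/vm-demo-1.8-cli/resources/peerauth-permissive.yaml:
--------------------------------------------------------------------------------
# Mesh-wide: both mTLS and plaintext are accepted. Plaintext callers carry no
# identity for AuthorizationPolicy; move to STRICT once every caller is in the mesh.
apiVersion: security.istio.io/v1beta1
kind: PeerAuthentication
metadata:
  name: default
  namespace: istio-system
spec:
  mtls:
    mode: PERMISSIVE
--------------------------------------------------------------------------------
/vm-demo-1.8-cli/resources/peerauth-strict.yaml:
--------------------------------------------------------------------------------
# Mesh-wide: mTLS required. Intended steady state (reset.sh removes it).
apiVersion: security.istio.io/v1beta1
kind: PeerAuthentication
metadata:
  name: default
  namespace: istio-system
spec:
  mtls:
    mode: STRICT
--------------------------------------------------------------------------------
/vm-demo-1.8-cli/resources/run-http.sh:
--------------------------------------------------------------------------------
# Python 2 module; serves the current working directory on all interfaces. Run it
# from a directory containing only index.html, not from the ./work bundle that holds
# the VM's root cert and bootstrap token.
python -m SimpleHTTPServer 9090
--------------------------------------------------------------------------------
/vm-demo-1.8-cli/resources/start-istio.sh:
--------------------------------------------------------------------------------
sudo systemctl start istio

# systemctl list-units --type=service
# start istio
# cat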
/usr/local/bin/istio-start.sh 6 | 7 | echo "to see logs, run" 8 | echo "journalctl -u istio.service" 9 | 10 | tail -f /var/log/istio/istio.log -------------------------------------------------------------------------------- /vm-demo-1.8-cli/resources/stop-istio.sh: -------------------------------------------------------------------------------- 1 | sudo systemctl stop istio -------------------------------------------------------------------------------- /vm-demo-1.8-cli/resources/tail-istio-log.sh: -------------------------------------------------------------------------------- 1 | tail -f /var/log/istio/istio.log -------------------------------------------------------------------------------- /vm-demo-1.8-cli/resources/vmservice-serviceentry.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: networking.istio.io/v1beta1 2 | kind: ServiceEntry 3 | metadata: 4 | name: vm-workload-svc 5 | namespace: vm-services 6 | spec: 7 | hosts: 8 | - vmservice.example.com 9 | location: MESH_INTERNAL 10 | ports: 11 | - number: 80 12 | name: http 13 | protocol: HTTP 14 | targetPort: 9090 15 | resolution: STATIC 16 | workloadSelector: 17 | labels: 18 | app: python-http -------------------------------------------------------------------------------- /vm-demo-1.8-cli/resources/workloadgroup.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: networking.istio.io/v1alpha3 2 | kind: WorkloadGroup 3 | metadata: 4 | name: python-http 5 | namespace: vm-services 6 | spec: 7 | metadata: 8 | annotations: {} 9 | labels: 10 | app: python-http 11 | template: 12 | ports: {} 13 | serviceAccount: my-vm 14 | labels: 15 | app: python-http 16 | -------------------------------------------------------------------------------- /vm-demo-1.8-cli/vm-ip.sh: -------------------------------------------------------------------------------- 1 | source env.sh 2 | 3 | VM_IP=$(gcloud compute instances describe 
--zone "$VM_ZONE" "$VM_NAME" --project "solo-public" --format='get(networkInterfaces[0].accessConfigs[0].natIP)') 4 | echo $VM_IP -------------------------------------------------------------------------------- /vm-demo-1.8/.gitignore: -------------------------------------------------------------------------------- 1 | work 2 | -------------------------------------------------------------------------------- /vm-demo-1.8/00-install-istio-preview-profile.sh: -------------------------------------------------------------------------------- 1 | source env.sh 2 | 3 | kubectl create ns istio-system 4 | 5 | # we want to enable the DNS capture 6 | istioctl1.8 install -y -f resources/vmintegration-multi-network.yaml 7 | cat ~/dev/istio/latest-1.8/samples/multicluster/expose-istiod.yaml | kubectl apply -f - 8 | cat ~/dev/istio/latest-1.8/samples/multicluster/expose-services.yaml | kubectl apply -f - 9 | #cat ~/dev/istio/latest-1.8/samples/multicluster/expose-istiod.yaml | sed 's/eastwestgateway/ingressgateway/' | kubectl apply -f - 10 | #cat ~/dev/istio/latest-1.8/samples/multicluster/expose-services.yaml | sed 's/eastwestgateway/ingressgateway/' | kubectl apply -f - 11 | 12 | 13 | -------------------------------------------------------------------------------- /vm-demo-1.8/01-prep-namespaces.sh: -------------------------------------------------------------------------------- 1 | 2 | source env.sh 3 | 4 | kubectl create namespace $VM_NAMESPACE 5 | kubectl create serviceaccount $SERVICE_ACCOUNT -n $VM_NAMESPACE -------------------------------------------------------------------------------- /vm-demo-1.8/03-copy-work-files-to-vm.sh: -------------------------------------------------------------------------------- 1 | source env.sh 2 | 3 | 4 | tar -czf work.tar.gz ./work 5 | gcloud beta compute scp --scp-flag="-r" --zone "$VM_ZONE" work.tar.gz $VM_NAME:~ 6 | 7 | rm work.tar.gz -------------------------------------------------------------------------------- 
/vm-demo-1.8/04-register-vm-with-istio.sh: -------------------------------------------------------------------------------- 1 | source env.sh 2 | 3 | VM_IP=$(gcloud compute instances describe --zone "us-west1-b" "ceposta-linux-builds" --project "solo-public" --format='get(networkInterfaces[0].accessConfigs[0].natIP)') 4 | 5 | 6 | cat < 2 | 3 | Congrats! This works! 4 | 5 | -------------------------------------------------------------------------------- /vm-demo-1.8/resources/ingressgateway-multi-network.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: networking.istio.io/v1alpha3 2 | kind: Gateway 3 | metadata: 4 | name: cluster-aware-gateway 5 | namespace: istio-system 6 | spec: 7 | selector: 8 | istio: ingressgateway 9 | servers: 10 | - port: 11 | number: 443 12 | name: tls 13 | protocol: TLS 14 | tls: 15 | mode: AUTO_PASSTHROUGH 16 | hosts: 17 | - "*.local" -------------------------------------------------------------------------------- /vm-demo-1.8/resources/peerauth-disable.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: security.istio.io/v1beta1 2 | kind: PeerAuthentication 3 | metadata: 4 | name: default 5 | namespace: istio-system 6 | spec: 7 | mtls: 8 | mode: DISABLE -------------------------------------------------------------------------------- /vm-demo-1.8/resources/peerauth-permissive.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: security.istio.io/v1beta1 2 | kind: PeerAuthentication 3 | metadata: 4 | name: default 5 | namespace: istio-system 6 | spec: 7 | mtls: 8 | mode: PERMISSIVE -------------------------------------------------------------------------------- /vm-demo-1.8/resources/peerauth-strict.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: security.istio.io/v1beta1 2 | kind: PeerAuthentication 3 | metadata: 4 | name: default 5 
| namespace: istio-system 6 | spec: 7 | mtls: 8 | mode: STRICT -------------------------------------------------------------------------------- /vm-demo-1.8/resources/run-http.sh: -------------------------------------------------------------------------------- 1 | python -m SimpleHTTPServer 9090 -------------------------------------------------------------------------------- /vm-demo-1.8/resources/start-istio.sh: -------------------------------------------------------------------------------- 1 | sudo systemctl start istio 2 | 3 | # systemctl list-units --type=service 4 | # start istio 5 | # cat /usr/local/bin/istio-start.sh 6 | 7 | echo "to see logs, run" 8 | echo "journalctl -u istio.service" 9 | 10 | tail -f /var/log/istio/istio.log -------------------------------------------------------------------------------- /vm-demo-1.8/resources/stop-istio.sh: -------------------------------------------------------------------------------- 1 | sudo systemctl stop istio -------------------------------------------------------------------------------- /vm-demo-1.8/resources/tail-istio-log.sh: -------------------------------------------------------------------------------- 1 | tail -f /var/log/istio/istio.log -------------------------------------------------------------------------------- /vm-demo-1.8/resources/vmintegration.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: install.istio.io/v1alpha1 2 | metadata: 3 | namespace: istio-system 4 | name: example-istiocontrolplane 5 | kind: IstioOperator 6 | spec: 7 | profile: preview 8 | -------------------------------------------------------------------------------- /vm-demo/.gitignore: -------------------------------------------------------------------------------- 1 | work 2 | -------------------------------------------------------------------------------- /vm-demo/00-install-istio-mesh-expansion.sh: 
-------------------------------------------------------------------------------- 1 | source env.sh 2 | kubectl create ns istio-system 3 | istioctl1.7 install -f resources/vmintegration-multi-network.yaml 4 | 5 | -------------------------------------------------------------------------------- /vm-demo/01-prep-namespaces.sh: -------------------------------------------------------------------------------- 1 | 2 | source env.sh 3 | 4 | kubectl create namespace vm-services 5 | kubectl create serviceaccount my-vm -n vm-services -------------------------------------------------------------------------------- /vm-demo/03-copy-work-files-to-vm.sh: -------------------------------------------------------------------------------- 1 | source env.sh 2 | 3 | 4 | tar -czf work.tar.gz ./work 5 | gcloud beta compute scp --scp-flag="-r" --zone "$VM_ZONE" work.tar.gz $VM_NAME:~ 6 | 7 | rm work.tar.gz -------------------------------------------------------------------------------- /vm-demo/04-register-vm-with-istio.sh: -------------------------------------------------------------------------------- 1 | source env.sh 2 | 3 | VM_IP=$(gcloud compute instances describe --zone "us-west1-b" "ceposta-linux-builds" --project "solo-public" --format='get(networkInterfaces[0].accessConfigs[0].natIP)') 4 | 5 | 6 | cat < 2 | 3 | Congrats! This works! 
4 | 5 | -------------------------------------------------------------------------------- /vm-demo/resources/ingressgateway-multi-network.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: networking.istio.io/v1alpha3 2 | kind: Gateway 3 | metadata: 4 | name: cluster-aware-gateway 5 | namespace: istio-system 6 | spec: 7 | selector: 8 | istio: ingressgateway 9 | servers: 10 | - port: 11 | number: 443 12 | name: tls 13 | protocol: TLS 14 | tls: 15 | mode: AUTO_PASSTHROUGH 16 | hosts: 17 | - "*.local" -------------------------------------------------------------------------------- /vm-demo/resources/peerauth-disable.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: security.istio.io/v1beta1 2 | kind: PeerAuthentication 3 | metadata: 4 | name: default 5 | namespace: istio-system 6 | spec: 7 | mtls: 8 | mode: DISABLE -------------------------------------------------------------------------------- /vm-demo/resources/peerauth-permissive.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: security.istio.io/v1beta1 2 | kind: PeerAuthentication 3 | metadata: 4 | name: default 5 | namespace: istio-system 6 | spec: 7 | mtls: 8 | mode: PERMISSIVE -------------------------------------------------------------------------------- /vm-demo/resources/peerauth-strict.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: security.istio.io/v1beta1 2 | kind: PeerAuthentication 3 | metadata: 4 | name: default 5 | namespace: istio-system 6 | spec: 7 | mtls: 8 | mode: STRICT -------------------------------------------------------------------------------- /vm-demo/resources/run-http.sh: -------------------------------------------------------------------------------- 1 | python -m SimpleHTTPServer 9090 -------------------------------------------------------------------------------- 
/vm-demo/resources/start-istio.sh: -------------------------------------------------------------------------------- 1 | sudo systemctl start istio 2 | 3 | # systemctl list-units --type=service 4 | # start istio 5 | # cat /usr/local/bin/istio-start.sh 6 | 7 | echo "to see logs, run" 8 | echo "journalctl -u istio.service" 9 | 10 | tail -f /var/log/istio/istio.log -------------------------------------------------------------------------------- /vm-demo/resources/stop-istio.sh: -------------------------------------------------------------------------------- 1 | sudo systemctl stop istio -------------------------------------------------------------------------------- /vm-demo/resources/tail-istio-log.sh: -------------------------------------------------------------------------------- 1 | tail -f /var/log/istio/istio.log -------------------------------------------------------------------------------- /vm-demo/resources/vmintegration-multi-network.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: install.istio.io/v1alpha1 2 | metadata: 3 | namespace: istio-system 4 | name: example-istiocontrolplane 5 | kind: IstioOperator 6 | spec: 7 | values: 8 | global: 9 | meshExpansion: 10 | enabled: true 11 | multiCluster: 12 | clusterName: kube-cluster 13 | network: main-network 14 | meshNetworks: 15 | main-network: 16 | endpoints: 17 | - fromRegistry: kube-cluster 18 | gateways: 19 | - registry_service_name: istio-ingressgateway.istio-system.svc.cluster.local 20 | port: 443 21 | vm-network: 22 | -------------------------------------------------------------------------------- /vm-demo/resources/vmintegration.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: install.istio.io/v1alpha1 2 | metadata: 3 | namespace: istio-system 4 | name: example-istiocontrolplane 5 | kind: IstioOperator 6 | spec: 7 | values: 8 | global: 9 | meshExpansion: 10 | enabled: true 
--------------------------------------------------------------------------------