├── .DS_Store
├── Beacon Subscription.pdf
├── CONTRIBUTING.md
├── LICENSE
├── README.md
├── Slide50.jpg
├── _config.yml
├── examples
    ├── README.md
    └── app
    │   ├── README.md
    │   ├── bookinfo.yaml
    │   └── bookinfov2.yaml
├── src
    ├── README.md
    ├── bigip
    │   ├── bookinfo-route-reencrypt-ssl.yaml
    │   ├── f5-bigip-hostsubnet.yaml
    │   ├── f5-cluster-deployment-route_1.11.yaml
    │   ├── f5-override-as3-declaration.yaml
    │   └── test.yaml
    └── bookinfo
    │   ├── bookinfo-route-reencrypt-ssl.yaml
    │   ├── cert
    │       ├── f5adc.crt
    │       ├── f5adc.key
    │       ├── f5asean.local.ca.crt
    │       ├── httpbin.f5asean.local.crt
    │       └── httpbin.f5asean.local.key
    │   ├── config-bookinfo.yaml
    │   ├── config-bookinfo.yaml.bak_working
    │   ├── depoly-bookinfo-cj.yaml
    │   ├── depoly-bookinfo-cj.yaml.bak_working
    │   ├── index.html
    │   ├── secret-bookinfo-cert.sh
    │   ├── temp
    │       ├── bookinfo-nginx-ssl-modsec.yaml
    │       ├── bookinfo-scc.yaml
    │       ├── bookinfo.yaml
    │       ├── config-bookinfo.yaml
    │       ├── configmap-detail-nginx.yaml
    │       ├── configmap-productpage-nginx.yaml
    │       ├── deploy-detail-nginx.yaml
    │       ├── deploy-productpage-nginx.yaml
    │       ├── deploy-productpage-nginx.yaml.bak
    │       ├── deploy_bookinfo.yaml
    │       └── test.yaml
    │   └── testbookinfo
    │       └── config-bookinfo.yaml
└── sre-usecases
    ├── 01-targeted-canary
        ├── README.md
        └── images
        │   ├── apmLogin.png
        │   ├── apmPolicy.png
        │   ├── bookinfoPol.png
        │   ├── bookinfo_normal.png
        │   ├── bookinfo_test.png
        │   ├── bookinfo_testv1.png
        │   ├── bookinfo_testv2.png
        │   ├── e2e.png
        │   ├── nonginx.svg
        │   └── vs.png
    ├── 02-blue-green-deployment
        ├── README.md
        ├── blue-green.md
        ├── dns.md
        ├── gslb-setup.md
        ├── gslb.png
        ├── images
        │   ├── app1-1
        │   ├── app1-2
        │   ├── app1-22
        │   ├── aws-lb.png
        │   ├── blue-green
        │   ├── blue-green.png
        │   ├── blue.png
        │   ├── blue1
        │   ├── bluegreentopology
        │   ├── green.png
        │   ├── green1
        │   ├── gslb-pool
        │   ├── gslb-pool2
        │   ├── gslb-pool3
        │   ├── gslb-service
        │   ├── map.png
        │   ├── topology
        │   ├── topology.png
        │   └── unmap.png
        └── troubleshooting.md
    ├── 03-observability-for-targeted-canary-with-ELK

        ├── README.md
        ├── Targeted_Canary-Testing_ELK.mp4
        ├── iRules
        ├── images
        │   ├── Kibana10_add_panel.png
        │   ├── Kibana10_dashboard.png
        │   ├── Kibana10_dashboard_create.png
        │   ├── Kibana10_dashboard_final.png
        │   ├── Kibana10_dashboard_name.png
        │   ├── Kibana10_dashboard_save.png
        │   ├── Kibana10_select_panel.png
        │   ├── Kibana11_dashboard_refresh.png
        │   ├── Kibana11_dashboard_update.png
        │   ├── Kibana11_move_dashboard.png
        │   ├── Kibana1_main.png
        │   ├── Kibana2_management.png
        │   ├── Kibana3_management_detail.png
        │   ├── Kibana4_index_management.png
        │   ├── Kibana5_visualize.png
        │   ├── Kibana6_create.png
        │   ├── Kibana7_source.png
        │   ├── Kibana8_Buckets.png
        │   ├── Kibana8_Metrics.png
        │   ├── Kibana9_apply_save.png
        │   ├── Kibana9_save_name.png
        │   ├── elk_bigip.png
        │   ├── elk_default_pool.png
        │   ├── elk_dot.png
        │   ├── elk_log.png
        │   ├── elk_map.png
        │   ├── elk_pool.png
        │   ├── elk_pool_member.png
        │   ├── elk_response.png
        │   ├── elk_topology.png
        │   └── elk_vip.png
        ├── logstash.conf
        └── traffic_generator.sh
    ├── 05-north_south_protection
        ├── README.md
        ├── images
        │   ├── a
        │   ├── sre_usecase01-1.png
        │   ├── sre_usecase01-2.png
        │   ├── sre_usecase01_attack_01.png
        │   ├── sre_usecase01_attack_02.png
        │   ├── sre_usecase01_attack_03.png
        │   ├── sre_usecase01_attack_04.png
        │   ├── sre_usecase01_attack_05.png
        │   ├── sre_usecase01_attack_06.png
        │   ├── sre_usecase01_awaf_1.png
        │   ├── sre_usecase01_awaf_2.png
        │   ├── sre_usecase01_awaf_3.png
        │   ├── sre_usecase01_awaf_4.png
        │   ├── sre_usecase01_awaf_5.png
        │   ├── sre_usecase01_awaf_6.png
        │   ├── sre_usecase01_awaf_7.png
        │   ├── sre_usecase01_elk.png
        │   ├── sre_usecase01_elk_02.png
        │   └── sre_usecase01_elk_03.png
        └── scripts
        │   ├── dvwa-nap-config.yaml
        │   ├── dvwa-nap-deployment.yaml
        │   ├── dvwa-route-nap.yaml
        │   └── logstash.conf
    ├── 06-east_west_attack
        ├── README.md
        ├── create_ansible
        │   └── README.md
        ├── elk_config
        │   └── README.md
        ├── images
        │   ├── a
        │   ├── automation_process1.png
        │   ├── diagram.png
        │   ├── elk_dashboard.png
        │   └── terminating_pod.png
        ├── install_app
        │   └── README.md
        ├── nap_create
        │   └── README.md
        ├── scripts
        │   ├── ansible_ocp.yaml
        │   ├── critical-app-with-nap.yaml
        │   ├── devapp_deployment.yaml
        │   ├── logstash.conf
        │   ├── nap-config.yaml
        │   └── watcher_ocp.json
        └── simulate_demo
        │   └── README.md
    └── 07-enhanced_targeted_canary
        ├── README.md
        └── images
            ├── Slide10.jpeg
            ├── Slide11.jpeg
            ├── Slide12.jpeg
            ├── Slide13.jpeg
            ├── Slide14.jpeg
            ├── Slide15.jpeg
            ├── Slide16.jpeg
            ├── Slide17.jpeg
            ├── Slide18.jpeg
            ├── Slide19.jpeg
            ├── Slide20.jpeg
            ├── Slide21.jpeg
            ├── Slide22.jpeg
            ├── Slide23.jpeg
            ├── Slide24.jpeg
            ├── Slide25.jpeg
            ├── Slide26.jpeg
            ├── Slide27.jpeg
            ├── Slide29.jpeg
            ├── Slide30.jpeg
            ├── Slide31.jpeg
            ├── Slide32.jpeg
            ├── Slide33.jpeg
            ├── Slide34.jpeg
            ├── Slide35.jpeg
            ├── Slide36.jpeg
            ├── Slide37.jpeg
            ├── Slide38.jpeg
            ├── Slide39.jpeg
            ├── Slide40.jpeg
            ├── Slide41.jpeg
            ├── Slide42.jpeg
            ├── Slide43.jpeg
            ├── Slide45.jpeg
            ├── Slide47.jpeg
            ├── Slide48.jpeg
            ├── Slide49.jpeg
            ├── Slide50.jpg
            ├── Slide51.jpeg
            ├── Slide52.jpeg
            ├── Slide6.jpeg
            ├── Slide7.jpeg
            ├── Slide8.jpeg
            ├── Slide9.jpeg
            └── enhanced_1-1.png


/.DS_Store:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/f5devcentral/f5-bd-sre-demo/6bc0c2d266c3ed9902d8f0c051ba6bff142b3f47/.DS_Store


--------------------------------------------------------------------------------
/Beacon Subscription.pdf:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/f5devcentral/f5-bd-sre-demo/6bc0c2d266c3ed9902d8f0c051ba6bff142b3f47/Beacon Subscription.pdf


--------------------------------------------------------------------------------
/CONTRIBUTING.md:
--------------------------------------------------------------------------------
 1 | # How to Contribute
 2 | 
 3 | This project is [Apache 2.0 licensed](LICENSE) and accept contributions via
 4 | GitHub pull requests. This document outlines some of the conventions on
 5 | development workflow, commit message formatting, contact points and other
 6 | resources to make it easier to get your contribution accepted.
 7 | 
 8 | ## Certificate of Origin
 9 | 
10 | By contributing to this project you agree to the Developer Certificate of
11 | Origin (DCO).
12 | 
13 | ## Security Response
14 | 
15 | If you've found a security issue that you'd like to disclose confidentially, please contact F5 Security team.
16 | 
17 | ## Getting Started
18 | 
19 | - Fork the repository on GitHub
20 | - Read the [README](README.md) for build and test instructions
21 | - Play with the project, submit bugs, submit patches!
22 | 
23 | ### Contribution Flow
24 | 
25 | Anyone may [file issues][new-issue].
26 | For contributors who want to work up pull requests, the workflow is roughly:
27 | 
28 | 1. Create a topic branch from where you want to base your work (usually master).
29 | 2. Make commits of logical units.
30 | 3. Make sure your commit messages are in the proper format (see [below](#commit-message-format)).
31 | 4. Push your changes to a topic branch in your fork of the repository.
32 | 5. Make sure the tests pass, and add any new tests as appropriate.
33 | 6. Submit a pull request to the original repository.
34 | 7. The repo owners will respond to your issue promptly, following [the ususal Prow workflow][prow-review].
35 | 
36 | Thanks for your contributions!
37 | 
38 | ## Coding and Documenting Style
39 | 
40 | All the use cases should be developed and documented in a repeatable manner. In another word, you should include all the pieces neccessary for the user to dulplicate the use case in his/her own lab: 
41 | - Description of SRE use case with topology
42 | - Pre-requisites and dependencies
43 | - Step-by-step installation and deployment/implementation guide, with screenshots as needed
44 | - All the code/script/configuration/manifest used
45 | - List of limitations if any
46 | - Troubleshooting if possible
47 | 
48 | 
49 | ## Commit Message Format
50 | 
51 | We follow a rough convention for commit messages that is designed to answer two
52 | questions: what changed and why. The subject line should feature the what and
53 | the body of the commit should describe the why.
54 | 
55 | ```
56 | scripts: add the test-cluster command
57 | 
58 | this uses tmux to set up a test cluster that you can easily kill and
59 | start for debugging.
60 | 
61 | Fixes #38
62 | ```
63 | 
64 | The format can be described more formally as follows:
65 | 
66 | ```
67 | <subsystem>: <what changed>
68 | <BLANK LINE>
69 | <why this change was made>
70 | <BLANK LINE>
71 | <footer>
72 | ```
73 | 
74 | The first line is the subject and should be no longer than 70 characters, the
75 | second line is always blank, and other lines should be wrapped at 80 characters.
76 | This allows the message to be easier to read on GitHub as well as in various
77 | git tools.
78 | 


--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
 1 | # SRE with F5 and OpenShift
 2 | ## Summary
 3 | This Site Reliability Engineering (or SRE) Multi-Cluster design is an F5 Alliances product showcase. It is initiated by the F5 Business Development organization.
 4 | 
 5 | ## Goal
 6 | 
 7 | The Purpose of the Multi-Cluster SRE demo is to show how the F5 product portfolio (BIG-IP, [Container Ingress Services](https://github.com/F5Networks/k8s-bigip-ctlr),  NGINX+, and F5 Cloud Service) can be used in conjunction with several other F5 Alliances integrations to help an SRE deploy, manage and secure modern applications.
 8 | 
 9 | 
10 | The Multi-Cluster SRE Design can be used:
11 | - as a self learning tool to get familiar with OpenShift, and F5 technologies (BIG-IP, Container Ingress Services, NGINX, and F5 Cloud service etc.) 
12 | - to build demos and proof of concepts (POC's)
13 | 
14 | 
15 | ## Prerequisites
16 | Although the respective requirements vary for each use case, in general you will need several prerequisites in place to begin.
17 | 
18 | - Subscribe to F5 Beacon [Click here](Beacon%20Subscription.pdf)
19 | - Access to git preferable a valid GitHub account
20 |   - https://github.com/
21 | - A minimum of two OpenShift clusters
22 |   - https://docs.openshift.com/container-platform/
23 | - Two Licensed BIG-IP VE appliances with Best licenses, one per cluster
24 |   - https://f5.com/products/trials/product-trials/product-trial
25 | - F5 Container Ingress Service - Installed
26 |   - https://clouddocs.f5.com/containers/v2/openshift/
27 | - Access to F5 Cloud Services (DNS Load Balancing)
28 |   - https://portal.cloudservices.f5.com/
29 | 
30 | 
31 | 
32 | ## Getting started
33 | 
34 | Once the necessary infrastructure and services are in place users will be able to go to each use case directory under [*sre-usecases*](sre-usecases), and follow  **README** for detailed implementation.
35 | 
36 | The SRE demo will be centered around the following distinct customer driven use cases:
37 | 
38 | 
39 | - [Scenario Use Case #1: Blue Green Deployment with F5 Cloud Services](./sre-usecases/02-blue-green-deployment/README.md)
40 | - [Scenario Use Case #2: Targeted Canary Deployment](sre-usecases/01-targeted-canary/README.md)
41 | - [Scenario Use Case #3: Observability with ELK](sre-usecases/03-observability-for-targeted-canary-with-ELK/README.md)
42 | - [Scenario Use Case #5: North-South Traffic Protection in the OpenShift Environment](sre-usecases/05-north_south_protection/README.md)
43 | - [Scenario Use Case #6: Protecting Critical Apps against East-West Attack](sre-usecases/06-east_west_attack/README.md)
44 | - [Scenario Use Case #7: Enhanced Targeted Canary Deployment](sre-usecases/07-enhanced_targeted_canary/README.md)
45 | 
46 | This project is WIP, with more use cases to be added.
47 | 
48 | ## Contribution
49 | 
50 | Please read [How to Contribute](CONTRIBUTING.md)
51 | 
52 | ## Support
53 | 
54 | This project is a community effort to promote container ingress service automation and is maintained by F5 BD. For any feature requests or issues, feel free to open an issue and we will give our best effort to address it.
55 | 


--------------------------------------------------------------------------------
/Slide50.jpg:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/f5devcentral/f5-bd-sre-demo/6bc0c2d266c3ed9902d8f0c051ba6bff142b3f47/Slide50.jpg


--------------------------------------------------------------------------------
/_config.yml:
--------------------------------------------------------------------------------
1 | theme: jekyll-theme-dinky


--------------------------------------------------------------------------------
/examples/README.md:
--------------------------------------------------------------------------------
 1 | # Customer Defined Use Cases
 2 | 
 3 | Coming Soon...
 4 | 
 5 | # Summary
 6 | 
 7 | The Site Reliability Engineering or SRE demo will be centered around three distinct customer driven use cases. 
 8 | 
 9 | # Goal
10 | TBD
11 | 
12 | ## Design Overview
13 | TBD
14 | 
15 | # Prerequisites
16 | TBD
17 | 
18 | # Getting Started
19 | TBD
20 | 
21 | # Support
22 | TBD
23 | 


--------------------------------------------------------------------------------
/examples/app/README.md:
--------------------------------------------------------------------------------
 1 | # Setting up Book Info Application(s)
 2 | 
 3 | ## Purpose
 4 | Book Info is a testing application that is published via the Istio project and a good example of a simplet multi microservice application.
 5 | 
 6 | This app will be used to demonstrate how to publish and update an application using the previously mentioned A/B Deployment method.
 7 | 
 8 | ## Setup and Installation
 9 | 
10 | 1. From your bastion host open up an OC connection to the OpenShift Environment.
11 | 2. Once logged into the OpenShift CLI use the follwoing CLI to create a new project and deploy Book Info to the cluster.
12 | 
13 | ### Login
14 | ```
15 | oc login -u username -p password
16 | ```
17 | ### Create project 
18 | ```
19 | oc new-project bookinfo
20 | ```
21 | 
22 | ### OCP Permissions for Bookinfo
23 | ```
24 | oc adm policy add-scc-to-user anyuid -z default -n bookinfo
25 | oc adm policy add-scc-to-user privileged -z default -n bookinfo
26 | ```
27 | 
28 | ### Deploy Bookinfo
29 | ```
30 | oc apply -f https://raw.githubusercontent.com/generic-admin/yourrepohere/master/bookinfo.yaml
31 | ```
32 | 
33 | ### Remove bookinfo
34 | ```
35 | oc delete -f https://raw.githubusercontent.com/generic-admin/yourrepohere/master/bookinfo.yaml
36 | ```
37 | 
38 | ### [Return to Index](README.md)
39 | 
40 | ## Notes
41 | Obviously the URLs above are placeholders you will need to fill in with you own, but just incase I figured I would call it out. It is perfectly ok to deploy this application to OpenShift at any time in the process prior to running the A/B Deployment automation task and leave it running.
42 | 


--------------------------------------------------------------------------------
/examples/app/bookinfov2.yaml:
--------------------------------------------------------------------------------
  1 | ##################################################################################################
  2 | # Details service
  3 | ##################################################################################################
  4 | apiVersion: v1
  5 | kind: Service
  6 | metadata:
  7 |   name: details
  8 |   labels:
  9 |     app: details
 10 |     service: details
 11 | spec:
 12 |   ports:
 13 |   - port: 9080
 14 |     name: http
 15 |   selector:
 16 |     app: details
 17 | ---
 18 | apiVersion: extensions/v1beta1
 19 | kind: Deployment
 20 | metadata:
 21 |   name: details-v1
 22 |   labels:
 23 |     app: details
 24 |     version: v1
 25 | spec:
 26 |   replicas: 1
 27 |   template:
 28 |     metadata:
 29 |       labels:
 30 |         app: details
 31 |         version: v1
 32 |     spec:
 33 |       containers:
 34 |       - name: details
 35 |         image: istio/examples-bookinfo-details-v1:1.13.0
 36 |         imagePullPolicy: IfNotPresent
 37 |         ports:
 38 |         - containerPort: 9080
 39 | ---
 40 | ##################################################################################################
 41 | # Ratings service
 42 | ##################################################################################################
 43 | apiVersion: v1
 44 | kind: Service
 45 | metadata:
 46 |   name: ratings
 47 |   labels:
 48 |     app: ratings
 49 |     service: ratings
 50 | spec:
 51 |   ports:
 52 |   - port: 9080
 53 |     name: http
 54 |   selector:
 55 |     app: ratings
 56 | ---
 57 | apiVersion: extensions/v1beta1
 58 | kind: Deployment
 59 | metadata:
 60 |   name: ratings-v1
 61 |   labels:
 62 |     app: ratings
 63 |     version: v1
 64 | spec:
 65 |   replicas: 1
 66 |   template:
 67 |     metadata:
 68 |       labels:
 69 |         app: ratings
 70 |         version: v1
 71 |     spec:
 72 |       containers:
 73 |       - name: ratings
 74 |         image: istio/examples-bookinfo-ratings-v1:1.13.0
 75 |         imagePullPolicy: IfNotPresent
 76 |         ports:
 77 |         - containerPort: 9080
 78 | ---
 79 | ##################################################################################################
 80 | # Reviews service
 81 | ##################################################################################################
 82 | apiVersion: v1
 83 | kind: Service
 84 | metadata:
 85 |   name: reviews
 86 |   labels:
 87 |     app: reviews
 88 |     service: reviews
 89 | spec:
 90 |   ports:
 91 |   - port: 9080
 92 |     name: http
 93 |   selector:
 94 |     app: reviews
 95 | ---
 96 | apiVersion: extensions/v1beta1
 97 | kind: Deployment
 98 | metadata:
 99 |   name: reviews-v1
100 |   labels:
101 |     app: reviews
102 |     version: v1
103 | spec:
104 |   replicas: 1
105 |   template:
106 |     metadata:
107 |       labels:
108 |         app: reviews
109 |         version: v1
110 |     spec:
111 |       containers:
112 |       - name: reviews
113 |         image: istio/examples-bookinfo-reviews-v1:1.13.0
114 |         imagePullPolicy: IfNotPresent
115 |         ports:
116 |         - containerPort: 9080
117 | ---
118 | apiVersion: extensions/v1beta1
119 | kind: Deployment
120 | metadata:
121 |   name: reviews-v2
122 |   labels:
123 |     app: reviews
124 |     version: v2
125 | spec:
126 |   replicas: 1
127 |   template:
128 |     metadata:
129 |       labels:
130 |         app: reviews
131 |         version: v2
132 |     spec:
133 |       containers:
134 |       - name: reviews
135 |         image: istio/examples-bookinfo-reviews-v2:1.13.0
136 |         imagePullPolicy: IfNotPresent
137 |         ports:
138 |         - containerPort: 9080
139 | ---
140 | apiVersion: extensions/v1beta1
141 | kind: Deployment
142 | metadata:
143 |   name: reviews-v3
144 |   labels:
145 |     app: reviews
146 |     version: v3
147 | spec:
148 |   replicas: 1
149 |   template:
150 |     metadata:
151 |       labels:
152 |         app: reviews
153 |         version: v3
154 |     spec:
155 |       containers:
156 |       - name: reviews
157 |         image: istio/examples-bookinfo-reviews-v3:1.13.0
158 |         imagePullPolicy: IfNotPresent
159 |         ports:
160 |         - containerPort: 9080
161 | ---
162 | ##################################################################################################
163 | # Productpage-v1 services
164 | ##################################################################################################
165 | apiVersion: v1
166 | kind: Service
167 | metadata:
168 |   name: productpage-v1
169 |   labels:
170 |     app: productpage-v1
171 |     service: productpage-v1
172 | spec:
173 |   ports:
174 |   - port: 9080
175 |     name: http
176 |   selector:
177 |     app: productpage-v1
178 | ---
179 | apiVersion: extensions/v1beta1
180 | kind: Deployment
181 | metadata:
182 |   name: productpage-v1
183 |   labels:
184 |     app: productpage-v1
185 |     version: v1
186 | spec:
187 |   replicas: 1
188 |   template:
189 |     metadata:
190 |       labels:
191 |         app: productpage-v1
192 |         version: v1
193 |     spec:
194 |       containers:
195 |       - name: productpage
196 |         image: istio/examples-bookinfo-productpage-v1:1.13.0
197 |         imagePullPolicy: IfNotPresent
198 |         ports:
199 |         - containerPort: 9080
200 | ---
201 | ##################################################################################################
202 | # Productpage-v2 services
203 | ##################################################################################################
204 | apiVersion: v1
205 | kind: Service
206 | metadata:
207 |   name: productpage-v2
208 |   labels:
209 |     app: productpage-v2
210 |     service: productpage-v2
211 | spec:
212 |   ports:
213 |   - port: 9080
214 |     name: http
215 |   selector:
216 |     app: productpage-v2
217 | ---
218 | apiVersion: extensions/v1beta1
219 | kind: Deployment
220 | metadata:
221 |   name: productpage-v2
222 |   labels:
223 |     app: productpage-v2
224 |     version: v2
225 | spec:
226 |   replicas: 1
227 |   template:
228 |     metadata:
229 |       labels:
230 |         app: productpage-v2
231 |         version: v2
232 |     spec:
233 |       containers:
234 |       - name: productpage-v2
235 |         image: istio/examples-bookinfo-productpage-v1:1.13.0
236 |         imagePullPolicy: IfNotPresent
237 |         ports:
238 |         - containerPort: 9080
239 | ---
240 | 


--------------------------------------------------------------------------------
/src/README.md:
--------------------------------------------------------------------------------
1 | Source Code Place Holder...


--------------------------------------------------------------------------------
/src/bigip/bookinfo-route-reencrypt-ssl.yaml:
--------------------------------------------------------------------------------
 1 | apiVersion: v1
 2 | kind: Route
 3 | metadata:
 4 |     labels:
 5 |       name: f5-httpbin-route-reencrypt-ssl
 6 |     name: f5-httpbin-route-reencrypt-ssl
 7 |     namespace: bookinfo
 8 |     annotations:
 9 |       # annotations
10 |       # default clientssl profile
11 |       # default serverssl profile
12 |       virtual-server.f5.com/clientssl: /Common/clientssl
13 |       virtual-server.f5.com/serverssl: /Common/serverssl
14 |       # health monitor
15 |       virtual-server.f5.com/health: |
16 |         [
17 |           {
18 |             "path": "httpbindc2.f5se.io/",
19 |             "send": "HTTP GET /",
20 |             "monitor_type": "https",
21 |             "interval": 5,
22 |             "timeout": 16
23 |           }
24 |         ]
25 | spec:
26 |     host: httpbindc2.f5se.io
27 |     path: "/"
28 |     port:
29 |       targetPort: 8443
30 |     tls:
31 |       termination: reencrypt
32 |     to:
33 |       kind: Service
34 |       name: productpage
35 | 
36 | 


--------------------------------------------------------------------------------
/src/bigip/f5-bigip-hostsubnet.yaml:
--------------------------------------------------------------------------------
 1 | apiVersion: v1
 2 | kind: HostSubnet
 3 | metadata:
 4 |   name: openshift-f5-node
 5 |   annotations:
 6 |     pod.network.openshift.io/fixed-vnid-host: "0"
 7 | host: openshift-f5-node
 8 | hostIP: 10.69.32.29
 9 | subnet: "10.131.0.0/23"
10 | 


--------------------------------------------------------------------------------
/src/bigip/f5-cluster-deployment-route_1.11.yaml:
--------------------------------------------------------------------------------
 1 | apiVersion: apps/v1
 2 | kind: Deployment
 3 | metadata:
 4 |   name: k8s-bigip-ctlr
 5 |   namespace: kube-system
 6 | spec:
 7 |   replicas: 1
 8 |   selector:
 9 |     matchLabels:
10 |       app: k8s-bigip-ctlr
11 |   template:
12 |     metadata:
13 |       name: k8s-bigip-ctlr
14 |       labels:
15 |         app: k8s-bigip-ctlr
16 |     spec:
17 |       serviceAccountName: k8s-bigip-ctlr
18 |       containers:
19 |         - name: k8s-bigip-ctlr
20 |           image: "f5networks/k8s-bigip-ctlr:latest"
21 |           imagePullPolicy: IfNotPresent
22 |           env:
23 |             - name: BIGIP_USERNAME
24 |               valueFrom:
25 |                 secretKeyRef:
26 |                   name: bigip-login
27 |                   key: username
28 |             - name: BIGIP_PASSWORD
29 |               valueFrom:
30 |                 secretKeyRef:
31 |                   name: bigip-login
32 |                   key: password
33 |           command: ["/app/bin/k8s-bigip-ctlr"]
34 |           args: [
35 |             "--bigip-username=$(BIGIP_USERNAME)",
36 |             "--bigip-password=$(BIGIP_PASSWORD)",
37 |             "--bigip-url=10.105.250.100",
38 |             "--bigip-partition=openshift",
39 |             "--pool-member-type=cluster",
40 |             "--openshift-sdn-name=/Common/ose-tunnel",
41 |             "--manage-routes=true",
42 |             "--namespace=bookinfo",
43 |             "--route-vserver-addr=10.105.250.121",
44 |             "--route-http-vserver=bookinfo-http-dc1",
45 |             "--route-https-vserver=bookinfo-https-dc1",
46 |             # AS3 override functionality
47 |             "--override-as3-declaration=default/f5-override-as3-declaration",
48 |             "--insecure=true",
49 |             #"--log-as3-response=true",
50 |             "--agent=as3"
51 |           ]


--------------------------------------------------------------------------------
/src/bigip/f5-override-as3-declaration.yaml:
--------------------------------------------------------------------------------
 1 | apiVersion: v1
 2 | kind: ConfigMap
 3 | metadata:
 4 |   name: f5-override-as3-declaration
 5 |   namespace: default
 6 | data:
 7 |   template: |
 8 |     {
 9 |       "declaration": {
10 |         "openshift_AS3": {
11 |                 "Shared": {
12 |                     "bookinfo_https_dc1": {
13 |                         "policyIAM":
14 |                         {
15 |                           "bigip": "/Common/bookinfo"
16 |                         }
17 |                     }
18 |                 }
19 |             }
20 |         }
21 |     }


--------------------------------------------------------------------------------
/src/bigip/test.yaml:
--------------------------------------------------------------------------------
 1 | apiVersion: v1
 2 | kind: ConfigMap
 3 | metadata:
 4 |   name: f5-override-as3-declaration
 5 |   namespace: default
 6 | data:
 7 |   template: |
 8 |     {
 9 |       "declaration": {
10 |         "openshift_AS3": {
11 |                 "Shared": {
12 |                     "bookinfo_https_dc1": {
13 |                         "virtualAddresses": [
14 |                             "10.105.250.122"
15 |                         ],
16 |                "iRules": [
17 |               {
18 |                 "bigip": "/Common/_sys_APM_ExchangeSupport_helper"
19 |               }
20 |               ],  
21 |                          "policyEndpoint": [
22 |                         {
23 |                           "bigip": "/Common/bookinfo"
24 |                         }
25 |                         ], 
26 | 
27 |                         "policyIAM": [
28 |                         {
29 |                           "bigip": "/Common/bookinfo"
30 |                         }
31 |                         ],     
32 |                         "policyIAM": {
33 |                           "bigip": "/Common/bookinfo"
34 |                         }
35 |                     }
36 |                 }
37 |         }
38 |       }
39 |     }
40 | 


--------------------------------------------------------------------------------
/src/bookinfo/bookinfo-route-reencrypt-ssl.yaml:
--------------------------------------------------------------------------------
 1 | apiVersion: v1
 2 | kind: Route
 3 | metadata:
 4 |     labels:
 5 |       name: f5-bookinfo-route-reencrypt-ssl
 6 |     name: f5-bookinfo-route-reencrypt-ssl
 7 |     namespace: bookinfo
 8 |     annotations:
 9 |       # annotations
10 |       # default clientssl profile
11 |       # default serverssl profile
12 |       virtual-server.f5.com/clientssl: /Common/clientssl
13 |       virtual-server.f5.com/serverssl: /Common/serverssl
14 |       # health monitor
15 |       virtual-server.f5.com/health: |
16 |         [
17 |           {
18 |             "path": "bookinfo.f5se.io/",
19 |             "send": "HTTP GET /",
20 |             "monitor_type": "https",
21 |             "interval": 5,
22 |             "timeout": 16
23 |           }
24 |         ]
25 | spec:
26 |     host: bookinfo.f5se.io
27 |     path: "/"
28 |     port:
29 |       targetPort: 8443
30 |     tls:
31 |       termination: reencrypt
32 |     to:
33 |       kind: Service
34 |       name: productpage


--------------------------------------------------------------------------------
/src/bookinfo/cert/f5adc.crt:
--------------------------------------------------------------------------------
 1 | -----BEGIN CERTIFICATE-----
 2 | MIIEGzCCAgMCAQIwDQYJKoZIhvcNAQELBQAwUjELMAkGA1UEBhMCU0cxEjAQBgNV
 3 | BAcMCVNpbmdhcG9yZTEUMBIGA1UECgwLRjUgTmV0d29ya3MxGTAXBgNVBAMMEGNh
 4 | LmY1YXNlYW4ubG9jYWwwHhcNMTkwODMxMTIyMzQ4WhcNMjkwODI4MTIyMzQ4WjBV
 5 | MQswCQYDVQQGEwJTRzESMBAGA1UEBwwJU2luZ2Fwb3JlMRQwEgYDVQQKDAtGNSBO
 6 | ZXR3b3JrczEcMBoGA1UEAwwTZjVhZGMuZjVhc2Vhbi5sb2NhbDCCASIwDQYJKoZI
 7 | hvcNAQEBBQADggEPADCCAQoCggEBAMBvQRDQclnWdpffFFBfDV+yp5zmFvEcg9l1
 8 | g3GPvRMUGhLRXJIo1eWPZQgeYSIWEL4CjTGdsVLMn1tMpBh38vAVoIsaCAUSk9JX
 9 | O1zRS/wsLQJ/yTcs5AJJhqsieyjZ1zDTa/UMAxehQ8087jJTBWYAkL0kD48T/7yg
10 | HPM+nr9ekC10eXEXdTEJcH6XxZB91ElVf0iXUR0nwZbw906DHdaIiic+NitQb3gV
11 | bdNHMKfGqnu33sty88RHf0DCd3MDdaiTvi8ZsQ/uTf5KvlRUkRZTp16oj2B8j7dJ
12 | vS1N99LARGXMg81TsO0bIGaktYhRrBrmmT4uq2sfJH5CVxGt298CAwEAATANBgkq
13 | hkiG9w0BAQsFAAOCAgEArXenPr7kfktGNUdq6HQH4LgFfOk0sYf8JcMPtVchIfqe
14 | +wWbNMf9//QgM2PTqTB3kyjg9I5N6pzIf7eVq8lyVBQfeim5JUbdQ9080tMHqqgG
15 | nTrOCTfXzar2UXurpRry3ly1BgqDRaHpZ4T/40PyDLdDkbsGENuRRVt4u7qzBBUf
16 | 5sCG3JWDcrLCokG1604USWb9H5EhI3rniYYESmopXKsOiXQJ1nLyKVQlvqgIptlE
17 | NRTXpFCroC6SHqi2yUthvfih/R2KoBG7YARCBZQ2Nw0gT3Igz/CyhaqeiE5+XD4s
18 | 9bLzraOVfs3mbeAKTtgzFNYC7kFQUHUMHK6gbRCsN0MjKjX2Dm2BEUv7cKh0Eurw
19 | p8Rhbm8untE9OahDTgT5XQBvtPbi3pXqpKHVQqEc92yg66QNa8jBGkvUaIJbHILj
20 | w0wvFWwVfiSpTjdUkQuKYAYyGz7kTJ9H5hqmeKkKMv013WF23lIBLT8asjMhxpah
21 | meGtB8SHoOFNIBl6QNB8FRfM2sbbbN0XeraL8Ekq47C1LCMoLExhBAFTaKk2oTzC
22 | I8D4UkkQrUAYbDc5bPavtRF7AHGhgAdBgRBi63y/8FcXJcUW+tAPD9FkOm5NMDDS
23 | UVZADQ4GPoLQo/vt7HOloD7NqksbY+0q44ayUDSwDsnb/rq4hK2upGvjeAhE0L8=
24 | -----END CERTIFICATE-----
25 | 


--------------------------------------------------------------------------------
/src/bookinfo/cert/f5adc.key:
--------------------------------------------------------------------------------
 1 | -----BEGIN RSA PRIVATE KEY-----
 2 | MIIEpAIBAAKCAQEAwG9BENByWdZ2l98UUF8NX7KnnOYW8RyD2XWDcY+9ExQaEtFc
 3 | kijV5Y9lCB5hIhYQvgKNMZ2xUsyfW0ykGHfy8BWgixoIBRKT0lc7XNFL/CwtAn/J
 4 | NyzkAkmGqyJ7KNnXMNNr9QwDF6FDzTzuMlMFZgCQvSQPjxP/vKAc8z6ev16QLXR5
 5 | cRd1MQlwfpfFkH3USVV/SJdRHSfBlvD3ToMd1oiKJz42K1BveBVt00cwp8aqe7fe
 6 | y3LzxEd/QMJ3cwN1qJO+LxmxD+5N/kq+VFSRFlOnXqiPYHyPt0m9LU330sBEZcyD
 7 | zVOw7RsgZqS1iFGsGuaZPi6rax8kfkJXEa3b3wIDAQABAoIBAAVbE1SEeKpHbcWM
 8 | T+RswNKJBmE3hivvvzuuKZpfhcOiK5eafBkVSd65vvYa4lkwhAbFy2g2G1lSmJzR
 9 | 5T9JF1nXQECe2NpLShHwm5ZZvOOn1xjatZ7zgOUPZtAchZD9fx+8wqRvUSa3Nkvg
10 | BkEgTmYoXd7lwgkZZWS6kBO1CnYI/0wgkX9t7yNwRIG/sV1zO98/KAUtT/AoZEj6
11 | AmdAYN3H/Hz+hQDZDmjvDSiFq99xM7pXq1tX9s2PsqFwLXwEdIUBUclZ1h4ERnQ4
12 | fYM/umJjapndrquyFZ7Fir/ryAOfJNU9YQ15SB7e/n/YJILJw8U+bVy4AHUbGx4H
13 | 5LhafQECgYEA996U/5X5xlxH5YCfdPao9kqAEQtjw7V1ZAs/vsiHR8mzG0QTZQxs
14 | VWKmH+L/DFhClcN39JdVXQiTuzwdL/VgnOITPapM0LZAHe2emVAcfNfsm2mz2ccz
15 | 7Vy/MgK0DfcUZOPuWVkWPWTxsIjWu0oOavRZ8dcDRZPNBHfhimg0DtUCgYEAxr8s
16 | KQOd4kmcf3sii2NKk4rCch9CjcKZCkQSbj270dE0jaB/3q7h9d/ld4rU/6nARIDB
17 | XE6Yy9o6ecDiD+JqoY2KxuF8G+E0TBDSE6ZKYEwvVDKrps8SjgXjCCdwYPWdNniT
18 | LWwNghtfs2Xa1wZdSAbNaTUDX4KcMvP9mzlOYeMCgYB4fMDu0IdezeLBA9n/MBuH
19 | xUUlg+TV8HIE1JcC9VUVJ02h9mB7ISPUCaT5IQ2bgZe0VxULVzjOhWnSfPEvK9bv
20 | y9FQi2TVm5HlOml62v9ODGPeU+5x8SwjuI7UD45Yr39BX66vzedKprP5fTrsRZ5m
21 | jSrfrQXRH3xsLJ38+pQ7lQKBgQCDDN/Dk5zx73QAI2Od4bT1INQiiDZMX3qmaEh2
22 | 5MIKEhbDJIfsgAiDJkWa07KrenVLNlNJ2JGsKZPRYLwvmS6SpFBT368EezUOyzCa
23 | wFXetZ2nuVmyPmyPtZYEdG0Hoi0uE8eIde1aU06BbrIkgw/TRJkBvHEi826nsncR
24 | eXIT3QKBgQDT+/HLgNt+8QDn+ziOEgkMPM9mSJuwcZY7qsJ0tLq+5XTqaW9TljWE
25 | +kSxxYzGucqrPbkB3jniF5uMwAKYOVXwxUbAL7DuoO5lq5gMFacWSJ+LC3ecyQYX
26 | YFm8L8FXKKjbKpD8N0WH+v+OTlE4iBf99p2LVbeisaiOUatVJRA8tQ==
27 | -----END RSA PRIVATE KEY-----
28 | 


--------------------------------------------------------------------------------
/src/bookinfo/cert/f5asean.local.ca.crt:
--------------------------------------------------------------------------------
 1 | -----BEGIN CERTIFICATE-----
 2 | MIIFdzCCA1+gAwIBAgIJAJd4zETmBFjyMA0GCSqGSIb3DQEBCwUAMFIxCzAJBgNV
 3 | BAYTAlNHMRIwEAYDVQQHDAlTaW5nYXBvcmUxFDASBgNVBAoMC0Y1IE5ldHdvcmtz
 4 | MRkwFwYDVQQDDBBjYS5mNWFzZWFuLmxvY2FsMB4XDTE5MDgzMTEyMTg1NFoXDTIx
 5 | MDgzMDEyMTg1NFowUjELMAkGA1UEBhMCU0cxEjAQBgNVBAcMCVNpbmdhcG9yZTEU
 6 | MBIGA1UECgwLRjUgTmV0d29ya3MxGTAXBgNVBAMMEGNhLmY1YXNlYW4ubG9jYWww
 7 | ggIiMA0GCSqGSIb3DQEBAQUAA4ICDwAwggIKAoICAQC2nRnSC7vMA50cNeBMcvfd
 8 | nwJRnHPxELYQDaXT8E2BCZF/7gM0ZdB78m3SDMRU8pXdmTWSvM/TRMQXKNKIxzsA
 9 | 30kHlxmgxtwSETl56gNNjJB1FPDggj8SUj0UAzUTfdIyZodBVYj0ye3+/TcmJ/Mh
10 | 5ioYLaJH0u3bAK6lrBGQHNpQYqnhhZDvuhiRfSm6QxmStdQdktn4kKuy+F8wouKC
11 | Cu5fl7xv0Hr6krAfjyA2hj8HC3EDyiz2jK5DZ3xqUb26UwugIfi6DvmW2ZdQAiV5
12 | F9ZXNmd2A7LPfQluYldZomqf0Rsw4tnyh759VqBdgswOXzAh6bbm49KIK2fclWLt
13 | x9/viLO37ng9CaB3MRgNpVlmQWrkf0HAO0GYRf1awheLJIoiDOWVJwQxZfKWCw3/
14 | D9lToOQ7Xm5NCECAQmIOfqSAPL/sHN0C9BmneEgl/GatcPwn1jxQGSWDxwtWdJFk
15 | HFatdE/JppKxtfgDfZI1FymQjXI+8fube77hfJLyCqOpKSx/ucYVbjuMYzjGJUsn
16 | DLHatuHJvGPYsFo9V/eFAbIROxsUDf1vAiyW4yDRlPuWuVAQSjmuqL34tqPCK24O
17 | LDrP54bTLIdeEWpdwXn2fgK9x95ByNwegLGv55w13AGNRsKa4Sw+gsvonnnbXmcu
18 | ZVTh7r+MciS1QJb+Q2AnXwIDAQABo1AwTjAdBgNVHQ4EFgQUvsqrJ/Q+CNhcDkb2
19 | Dwg71v0zWegwHwYDVR0jBBgwFoAUvsqrJ/Q+CNhcDkb2Dwg71v0zWegwDAYDVR0T
20 | BAUwAwEB/zANBgkqhkiG9w0BAQsFAAOCAgEAPLIRFintTjSGzx/MuOfH0m8n56J5
21 | IRQOaW6Rs2wXJJfsFbrnpjhQyS+/roV2xtPz9AtAGDxdVxU7VwSjq9RPzLY9xU0B
22 | iNF6O841x7N2OACX4FVsYth30fq1d5rmsBU56VhAG2Xnw3lMfm5NCTFdeB7hQTb4
23 | uWgMrPmwDEPD9h2Z3l1rd9o+y0nSXhQ4+PaoBm1yAteI0XlFhsGSZbPK1Sx3+UGG
24 | cAavfSnEuuU4Be2rFUakGBSFIVsuJimQRcVMk4js2CV0PfSEQex4XNtUeJu1vplU
25 | rVq9SQfZWpg7KGVIDNZBKJAdHBaBMcsbPm5422Dkj8Ax1NuF83mdcregw5nYVeUG
26 | Vj+9snbUZxY9D1uxMEHZ8QG3q65YTEQbffOQteRIL4y6KbOGrBwh8L21DTjPe3B2
27 | TfdWO5oHVBOra8GqbqCmuQj2VMTPobgdFVLZyq/sQ1KVeVFNVPxU10VJgTrp8UEm
28 | uJK5BpO0wg151IiirdfZDsExOea8yBTuVrf92VDLDWcBtdI+jUT9nMkPCMhrZR0Q
29 | SZGYGBW2D/gTiOJCDvDW+86BQQKS5hcR6CVw04QCEjUfD6TaPj5HFhfbHW3Mml0w
30 | 3ag7e+YtFgXuSutvUcCDoJGp7ma15SHTZmcO2CAX+/59ClzgG2dncOWRjUfQu7zz
31 | 6GYmEscC/lOgmYg=
32 | -----END CERTIFICATE-----
33 | 


--------------------------------------------------------------------------------
/src/bookinfo/cert/httpbin.f5asean.local.crt:
--------------------------------------------------------------------------------
 1 | -----BEGIN CERTIFICATE-----
 2 | MIIEHTCCAgUCAQEwDQYJKoZIhvcNAQELBQAwUjELMAkGA1UEBhMCU0cxEjAQBgNV
 3 | BAcMCVNpbmdhcG9yZTEUMBIGA1UECgwLRjUgTmV0d29ya3MxGTAXBgNVBAMMEGNh
 4 | LmY1YXNlYW4ubG9jYWwwHhcNMTkwOTAxMDUzOTU0WhcNMjAwODMxMDUzOTU0WjBX
 5 | MQswCQYDVQQGEwJTRzESMBAGA1UEBwwJU2luZ2Fwb3JlMRQwEgYDVQQKDAtGNSBO
 6 | ZXR3b3JrczEeMBwGA1UEAwwVaHR0cGJpbi5mNWFzZWFuLmxvY2FsMIIBIjANBgkq
 7 | hkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAqC+GQHz4+8aZzS8lah2AAI38BUEs4XgA
 8 | C1b0PtKA9oNBvQOuUwqV9tl00pc+jH1YJsUk+QldKP1/Hpqocvdnz02CZ5c+NoOU
 9 | DlJm5l96stZgW3ymhhpJ8eijfgYND3lDVSd3Gi99OPUJmQogvJBUnmJK0mrzW6Zl
10 | UGwxLR0vDGLkYN1DyIReNUMlrXyRBrXIGRGBoLP/6TkWKsp77+NqhLhLsDTVQbMS
11 | y3u3FQfu9/l666kW7Qx579+JAaJ7BAPwmQngVhGU1Dvo6AAoWg883YXGCb51G0Up
12 | 64sJCMK0124aanIL60XT2KpzRDKYkEMgMEpu8vhEymZCMCSab5HxzQIDAQABMA0G
13 | CSqGSIb3DQEBCwUAA4ICAQA7z62sNLgSUlFB16bJ3VZpMXcudxQa2/wbWISx0wE8
14 | Qc20FzIPm285EGejkeXIAeq1JdHag79TuBIWAVQwCtsslhXwuU+yPmOWHkZw9unV
15 | NPKLOCfjA4MGiiV9tRVUZaPsWdWu7/GDWuwtrmP+/S1n94jhdvxx2QjO/ebV8oQK
16 | 8fnIp8f60Wxc34aoX4g7CUhtx59o3VixSpO29b+0SB4W2kqByqurg5D1UD6fz+pX
17 | C3CGwoljggd2ATcmRfxcSduQZW3q44WPcZcz78XOEMLODHRvxLsGq/3zIri1x72S
18 | iByFYQ4ryRMRJrlVt+MZAIhp9fjtSEAr7iiJVBiYJ/2CMsi+z84kxLkiLrzaPHPj
19 | rF7IjoorVeRSBdI20Jv+O/2fKHF6vRWK0WxWWdPYmsEhVXI3JjSfsvs6P19e1tfT
20 | KGD/he54u/xwqDzKBUOjHRk+JAehxNW/OnxL8uvT8ja+oI2BcsdNnRy5yT9e+V6W
21 | 4mNFvt4aGykNT5X5m4GPKKq2M8qIyCg6NppsujMlr6sDPTA6w/L/liJnl/rYfaEO
22 | CDgHDBrBvQv2OTQ60+FuAPKIRMGPWvX0fEp/rhRjrBnnJGZwwuDd0IEdzgwQJbvc
23 | nHhZt+M3XvSjpbct1hXmejR4j2ihG+DtqhgtGM3WkszJQheZXgFGye492p219A7r
24 | Gg==
25 | -----END CERTIFICATE-----
26 | 


--------------------------------------------------------------------------------
/src/bookinfo/cert/httpbin.f5asean.local.key:
--------------------------------------------------------------------------------
 1 | -----BEGIN RSA PRIVATE KEY-----
 2 | MIIEpQIBAAKCAQEAqC+GQHz4+8aZzS8lah2AAI38BUEs4XgAC1b0PtKA9oNBvQOu
 3 | UwqV9tl00pc+jH1YJsUk+QldKP1/Hpqocvdnz02CZ5c+NoOUDlJm5l96stZgW3ym
 4 | hhpJ8eijfgYND3lDVSd3Gi99OPUJmQogvJBUnmJK0mrzW6ZlUGwxLR0vDGLkYN1D
 5 | yIReNUMlrXyRBrXIGRGBoLP/6TkWKsp77+NqhLhLsDTVQbMSy3u3FQfu9/l666kW
 6 | 7Qx579+JAaJ7BAPwmQngVhGU1Dvo6AAoWg883YXGCb51G0Up64sJCMK0124aanIL
 7 | 60XT2KpzRDKYkEMgMEpu8vhEymZCMCSab5HxzQIDAQABAoIBAQCQviXaRjO565fe
 8 | AF9AzhalY4yrsQXBHZdcKv+VOXEHtrrSwuI6UXfys/9YZhXMrus4op5JPYfRiSjn
 9 | 285w8v+CZ4B9SqqeG+tF0CECztU4KEtRMRvXebR93uslwGtpD8Gk/YwBGzG33Rrf
10 | fNnjrotEq+8c3DKIg9HZvuMrolwlWWk4Zt03KYroCf3R+9E9pBKg+GFvtQvyD2+A
11 | cdCRDMIQhc56ohEd7bp1/vsw5ufnWMAG5m8rYfl3zJKm6ce9HThkSp4vrrWNCuEB
12 | A2LHZT++AGmGZLqlX81GdqGkhZQUIZTQQb8CL0+7jQykmtlyz3Q+mkdSh07J45xa
13 | S7eIRhLBAoGBANbIOpO/9qfm3UccCUvLADB78fe6HlSD1Ap8Iwtx3I619Mj08RcL
14 | IlEZCIMGh78FJz/bq9pM732QAxktLqATOonXu8jtDqUV7W9hfJh/POhBSMxS3/f/
15 | tr/Qm7bPEN8K62ejqxuLsTnGI5S0RhlJRLM+7xIzynwwPzJ/jONOUiZ5AoGBAMh2
16 | HNa7Qz0KDEOfA5UAWnpsm4B1o0dPOtPISJKsyf8o0vcmohIJXSFJUuP0o1B2su8F
17 | LPLoBYHO+Msiuj/xqbRO26WValy0PMg2HGwRJHODoLt7rByjdyneyVbzGdqMPfUw
18 | iewLKmJXKzYG/4q8IyrSFPS/xBqtXkVNl0xuRCD1AoGBAIvFp+Eo5oJjihLRmvcY
19 | 91mV/2RAWaaUV7QvDrtO8MJqhQ8V36MoWr+9870YzdQwrVcwRIj+0ke7JVkH/zSq
20 | 7shvfUQHiSVDvM1j+qpe+ysF+TMGp7wDTFFNl1gDLq6Hs6QxbZOyd7XqTJNkMc4Y
21 | 0T14sin9TEM/PpFFUlFGUc25AoGACZbU1FTK552WbpmpszP8IAUX/zIhaGTa3Iyl
22 | JBcN5p3OUbJQaGp4QQJf67WlJlE3SAXIW6pLsST0c8sqe6qUwqJPEYGvP9YDXlRw
23 | UZ8UTk5Knw1Qc2JCbgdRPE6OuwygXh0/S8JQ+blPwNre2IUdbYv1IqwVtmz6qHgI
24 | t8hCjA0CgYEArqotPtCxkAJ+ucptx4CHfGFSnjG1o0qruTaEWTx64OSEzQGk7Tzl
25 | 8lMLRXG79GcK64UweBE5bVevL0IHrFYGBGucfF7J2MGxZtcppcQE8WJsuPgfAT7r
26 | dZrlbWfWAY1cf2c93Ev3NOHsCaUME6mtYAlrFYX6wR7v0U5IcsBYru8=
27 | -----END RSA PRIVATE KEY-----
28 | 


--------------------------------------------------------------------------------
/src/bookinfo/config-bookinfo.yaml:
--------------------------------------------------------------------------------
  1 | ##################################################################################################
  2 | # Configmap Product Page
  3 | ##################################################################################################
  4 | apiVersion: v1
  5 | kind: ConfigMap
  6 | metadata:
  7 |   name: bookinfo-productpage-conf
  8 | data:
  9 |   productpage.conf: |-
 10 | 
 11 |     log_format elk_format_productpage 'time=[$time_local] client_ip=$remote_addr virtual=$server_name client_port=$remote_port xff_ip=$http_X_Forwarded_For lb_server=$upstream_addr http_host=$host http_method=$request_method http_request_uri=$request_uri status_code=$status content_type="$sent_http_content_type" content_length="$sent_http_content_length" response_time=$request_time referer="$http_referer" http_user_agent="$http_user_agent" x-request-id=$myid ';
 12 | 
 13 |     upstream productpageApp {
 14 |        server 127.0.0.1:9080;
 15 |     }
 16 | 
 17 |     server {
 18 |        listen 5000;
 19 |        server_name productpage-http;
 20 | 
 21 |        #error_log /var/log/nginx/internalApp.error.log info;
 22 |        access_log syslog:server=10.69.33.1:8516 elk_format_productpage;
 23 | 
 24 |        set  $myid $http_x_request_id;
 25 |        if ($http_x_request_id ~* "(\w+)-(\w+)" ) {
 26 |          set  $myid  $2;
 27 |        }
 28 | 
 29 |        location / {
 30 |         proxy_pass http://productpageApp;
 31 |        }
 32 |     }
 33 | 
 34 | 
 35 |     server {
 36 |        listen 8443 ssl;
 37 |        server_name productpage-https;
 38 | 
 39 |        #error_log /var/log/nginx/internalApp.error.log info;
 40 |        access_log syslog:server=10.69.33.1:8516 elk_format_productpage;
 41 | 
 42 |        set  $myid $http_x_request_id;
 43 |        if ($http_x_request_id ~* "(\w+)-(\w+)" ) {
 44 |          set  $myid  $2;
 45 |        }
 46 | 
 47 |        #modsecurity on;
 48 |        #modsecurity_rules_file /etc/nginx/modsec/main.conf;
 49 | 
 50 |        ssl_certificate      /app/cert/ssl-cert;
 51 |        ssl_certificate_key  /app/cert/ssl-key;
 52 |        #ssl_client_certificate /app/cert/ca-cert;
 53 |        #ssl_verify_client on;
 54 | 
 55 |        ssl_protocols TLSv1.2;
 56 |        ssl_ciphers EECDH+AES128:RSA+AES128:EECDH+AES256:RSA+AES256:!EECDH+3DES:!RSA+3DES:!MD5;
 57 |        ssl_prefer_server_ciphers on;
 58 | 
 59 |        location / {
 60 |         proxy_pass http://productpageApp;
 61 |        }
 62 |     }
 63 | ---
 64 | ##################################################################################################
 65 | # Configmap Detail Services
 66 | ##################################################################################################
 67 | apiVersion: v1
 68 | kind: ConfigMap
 69 | metadata:
 70 |   name: bookinfo-details-conf
 71 | data:
 72 |   details.conf: |-
 73 | 
 74 |     log_format elk_format_details 'time=[$time_local] client_ip=$remote_addr virtual=$server_name client_port=$remote_port xff_ip=$remote_addr lb_server=$upstream_addr http_host=$host http_method=$request_method http_request_uri=$request_uri status_code=$status content_type="$sent_http_content_type" content_length="$sent_http_content_length" response_time=$request_time referer="$http_referer" http_user_agent="$http_user_agent" x-request-id=$myid ';
 75 | 
 76 |     upstream detailsApp {
 77 |        server 127.0.0.1:9080;
 78 |     }
 79 | 
 80 |     server {
 81 |        listen 5000;
 82 |        server_name details;
 83 | 
 84 |        #error_log /var/log/nginx/internalApp.error.log info;
 85 |        access_log syslog:server=10.69.33.1:8516 elk_format_details;
 86 | 
 87 |        set  $myid $http_x_request_id;
 88 |        if ($http_x_request_id ~* "(\w+)-(\w+)" ) {
 89 |          set  $myid  $2;
 90 |        }
 91 | 
 92 |        location / {
 93 |         proxy_pass http://detailsApp;
 94 |        }
 95 |     }
 96 | ---
 97 | ##################################################################################################
 98 | # Configmap Rating Services
 99 | ##################################################################################################
100 | apiVersion: v1
101 | kind: ConfigMap
102 | metadata:
103 |   name: bookinfo-rating-conf
104 | data:
105 |   rating.conf: |-
106 | 
107 |     log_format elk_format_rating 'time=[$time_local] client_ip=$remote_addr virtual=$server_name client_port=$remote_port xff_ip=$remote_addr lb_server=$upstream_addr http_host=$host http_method=$request_method http_request_uri=$request_uri status_code=$status content_type="$sent_http_content_type" content_length="$sent_http_content_length" response_time=$request_time referer="$http_referer" http_user_agent="$http_user_agent" x-request-id=$myid ';
108 | 
109 |     upstream ratingApp {
110 |        server 127.0.0.1:9080;
111 |     }
112 | 
113 |     server {
114 |        listen 5000;
115 |        server_name rating;
116 | 
117 |        #error_log /var/log/nginx/internalApp.error.log info;
118 |        access_log syslog:server=10.69.33.1:8516 elk_format_rating;
119 | 
120 |        set  $myid $http_x_request_id;
121 |        if ($http_x_request_id ~* "(\w+)-(\w+)" ) {
122 |          set  $myid  $2;
123 |        }
124 | 
125 |        location / {
126 |         proxy_pass http://ratingApp;
127 |        }
128 |     }
129 | ---
130 | ##################################################################################################
131 | # Configmap Review Services
132 | ##################################################################################################
133 | apiVersion: v1
134 | kind: ConfigMap
135 | metadata:
136 |   name: bookinfo-review-conf
137 | data:
138 |   review.conf: |-
139 | 
140 |     log_format elk_format_review 'time=[$time_local] client_ip=$remote_addr virtual=$server_name client_port=$remote_port xff_ip=$remote_addr lb_server=$upstream_addr http_host=$host http_method=$request_method http_request_uri=$request_uri status_code=$status content_type="$sent_http_content_type" content_length="$sent_http_content_length" response_time=$request_time referer="$http_referer" http_user_agent="$http_user_agent" x-request-id=$myid ';
141 | 
142 |     upstream reviewApp {
143 |        server reviews-v1:9080;
144 |     }
145 | 
146 |     upstream reviewApp_test {
147 |        server reviews-v1:9080;
148 |        server reviews-v2:9080;
149 |        server reviews-v3:9080;
150 |     }
151 | 
152 |     # map to different upstream backends based on header
153 |     map $http_x_request_id $pool {
154 |        ~*test.* "reviewApp_test";
155 |        default "reviewApp";
156 |     }
157 | 
158 |     server {
159 |        listen 5000;
160 |        server_name review;
161 | 
162 |        #error_log /var/log/nginx/internalApp.error.log info;
163 |        access_log syslog:server=10.69.33.1:8516 elk_format_review;
164 |        #access_log /var/tmp/nginx-access.log elk_format_review;
165 | 
166 |        set  $myid $http_x_request_id;
167 |        if ($http_x_request_id ~* "(\w+)-(\w+)" ) {
168 |          set  $myid  $2;
169 |        }
170 | 
171 |        location / {
172 |         proxy_pass http://$pool;
173 |        }
174 |     }
175 | ---
176 | ##################################################################################################
177 | # Configmap default
178 | ##################################################################################################
179 | apiVersion: v1
180 | kind: ConfigMap
181 | metadata:
182 |   name: bookinfo-default-conf
183 | data:
184 |   default.conf: |-
185 | 
186 |     log_format elk_format 'time=[$time_local] client_ip=$remote_addr virtual=$server_name client_port=$remote_port xff_ip=$remote_addr lb_server=$upstream_addr http_host=$host http_method=$request_method http_request_uri=$request_uri status_code=$status content_type="$sent_http_content_type" content_length="$sent_http_content_length" response_time=$request_time referer="$http_referer" http_user_agent="$http_user_agent" x-request-id=$myid ';
187 | 
188 |     upstream internalApp {
189 |        server 127.0.0.1:9080;
190 |     }
191 | 
192 |     server {
193 |        listen 5000;
194 | 
195 |        #error_log /var/log/nginx/internalApp.error.log info;
196 |        access_log syslog:server=10.69.33.1:8516 elk_format;
197 | 
198 |        location / {
199 |         proxy_pass http://internalApp;
200 |        }
201 |     }
202 | ---
203 | 


--------------------------------------------------------------------------------
/src/bookinfo/config-bookinfo.yaml.bak_working:
--------------------------------------------------------------------------------
  1 | ##################################################################################################
  2 | # Configmap Product Page
  3 | ##################################################################################################
  4 | apiVersion: v1
  5 | kind: ConfigMap
  6 | metadata:
  7 |   name: bookinfo-productpage-conf
  8 | data:
  9 |   productpage.conf: |-
 10 | 
 11 |     log_format elk_format_productpage 'time=[$time_local] client_ip=$remote_addr virtual=$server_name client_port=$remote_port xff_ip=$http_X_Forwarded_For lb_server=$upstream_addr http_host=$host http_method=$request_method http_request_uri=$request_uri status_code=$status content_type="$sent_http_content_type" content_length="$sent_http_content_length" response_time=$request_time referer="$http_referer" http_user_agent="$http_user_agent" x-request-id=$myid ';
 12 | 
 13 |     upstream productpageApp {
 14 |        server 127.0.0.1:9080;
 15 |     }
 16 | 
 17 |     server {
 18 |        listen 5000;
 19 |        server_name productpage-http;
 20 | 
 21 |        #error_log /var/log/nginx/internalApp.error.log info;
 22 |        access_log syslog:server=10.69.33.1:8516 elk_format_productpage;
 23 | 
 24 |        set  $myid $http_x_request_id;
 25 |        if ($http_x_request_id ~* "(\w+)-(\w+)" ) {
 26 |          set  $myid  $2;
 27 |        }
 28 | 
 29 |        location / {
 30 |         proxy_pass http://productpageApp;
 31 |        }
 32 |     }
 33 | 
 34 | 
 35 |     server {
 36 |        listen 8443 ssl;
 37 |        server_name productpage-https;
 38 | 
 39 |        #error_log /var/log/nginx/internalApp.error.log info;
 40 |        access_log syslog:server=10.69.33.1:8516 elk_format_productpage;
 41 | 
 42 |        set  $myid $http_x_request_id;
 43 |        if ($http_x_request_id ~* "(\w+)-(\w+)" ) {
 44 |          set  $myid  $2;
 45 |        }
 46 | 
 47 |        #modsecurity on;
 48 |        #modsecurity_rules_file /etc/nginx/modsec/main.conf;
 49 | 
 50 |        ssl_certificate      /app/cert/ssl-cert;
 51 |        ssl_certificate_key  /app/cert/ssl-key;
 52 |        #ssl_client_certificate /app/cert/ca-cert;
 53 |        #ssl_verify_client on;
 54 | 
 55 |        ssl_protocols TLSv1.2;
 56 |        ssl_ciphers EECDH+AES128:RSA+AES128:EECDH+AES256:RSA+AES256:!EECDH+3DES:!RSA+3DES:!MD5;
 57 |        ssl_prefer_server_ciphers on;
 58 | 
 59 |        location / {
 60 |         proxy_pass http://productpageApp;
 61 |        }
 62 |     }
 63 | ---
 64 | ##################################################################################################
 65 | # Configmap Detail Services
 66 | ##################################################################################################
 67 | apiVersion: v1
 68 | kind: ConfigMap
 69 | metadata:
 70 |   name: bookinfo-details-conf
 71 | data:
 72 |   details.conf: |-
 73 | 
 74 |     log_format elk_format_details 'time=[$time_local] client_ip=$remote_addr virtual=$server_name client_port=$remote_port xff_ip=$remote_addr lb_server=$upstream_addr http_host=$host http_method=$request_method http_request_uri=$request_uri status_code=$status content_type="$sent_http_content_type" content_length="$sent_http_content_length" response_time=$request_time referer="$http_referer" http_user_agent="$http_user_agent" x-request-id=$myid ';
 75 | 
 76 |     upstream detailsApp {
 77 |        server 127.0.0.1:9080;
 78 |     }
 79 | 
 80 |     server {
 81 |        listen 5000;
 82 |        server_name details;
 83 | 
 84 |        #error_log /var/log/nginx/internalApp.error.log info;
 85 |        access_log syslog:server=10.69.33.1:8516 elk_format_details;
 86 | 
 87 |        set  $myid $http_x_request_id;
 88 |        if ($http_x_request_id ~* "(\w+)-(\w+)" ) {
 89 |          set  $myid  $2;
 90 |        }
 91 | 
 92 |        location / {
 93 |         proxy_pass http://detailsApp;
 94 |        }
 95 |     }
 96 | ---
 97 | ##################################################################################################
 98 | # Configmap Rating Services
 99 | ##################################################################################################
100 | apiVersion: v1
101 | kind: ConfigMap
102 | metadata:
103 |   name: bookinfo-rating-conf
104 | data:
105 |   rating.conf: |-
106 | 
107 |     log_format elk_format_rating 'time=[$time_local] client_ip=$remote_addr virtual=$server_name client_port=$remote_port xff_ip=$remote_addr lb_server=$upstream_addr http_host=$host http_method=$request_method http_request_uri=$request_uri status_code=$status content_type="$sent_http_content_type" content_length="$sent_http_content_length" response_time=$request_time referer="$http_referer" http_user_agent="$http_user_agent" x-request-id=$myid ';
108 | 
109 |     upstream ratingApp {
110 |        server 127.0.0.1:9080;
111 |     }
112 | 
113 |     server {
114 |        listen 5000;
115 |        server_name rating;
116 | 
117 |        #error_log /var/log/nginx/internalApp.error.log info;
118 |        access_log syslog:server=10.69.33.1:8516 elk_format_rating;
119 | 
120 |        set  $myid $http_x_request_id;
121 |        if ($http_x_request_id ~* "(\w+)-(\w+)" ) {
122 |          set  $myid  $2;
123 |        }
124 | 
125 |        location / {
126 |         proxy_pass http://ratingApp;
127 |        }
128 |     }
129 | ---
130 | ##################################################################################################
131 | # Configmap Review Services
132 | ##################################################################################################
133 | apiVersion: v1
134 | kind: ConfigMap
135 | metadata:
136 |   name: bookinfo-review-conf
137 | data:
138 |   review.conf: |-
139 | 
140 |     log_format elk_format_review 'time=[$time_local] client_ip=$remote_addr virtual=$server_name client_port=$remote_port xff_ip=$remote_addr lb_server=$upstream_addr http_host=$host http_method=$request_method http_request_uri=$request_uri status_code=$status content_type="$sent_http_content_type" content_length="$sent_http_content_length" response_time=$request_time referer="$http_referer" http_user_agent="$http_user_agent" x-request-id=$myid ';
141 | 
142 |     upstream reviewApp {
143 |        server reviews-v1:9080;
144 |     }
145 | 
146 |     upstream reviewApp_test {
147 |        server reviews-v1:9080;
148 |        server reviews-v2:9080;
149 |        server reviews-v3:9080;
150 |     }
151 | 
152 |     # map to different upstream backends based on header
153 |     map $http_x_request_id $pool {
154 |        ~*test.* "reviewApp_test";
155 |        default "reviewApp";
156 |     }
157 | 
158 |     server {
159 |        listen 5000;
160 |        server_name review;
161 | 
162 |        #error_log /var/log/nginx/internalApp.error.log info;
163 |        access_log syslog:server=10.69.33.1:8516 elk_format_review;
164 |        #access_log /var/tmp/nginx-access.log elk_format_review;
165 | 
166 |        set  $myid $http_x_request_id;
167 |        if ($http_x_request_id ~* "(\w+)-(\w+)" ) {
168 |          set  $myid  $2;
169 |        }
170 | 
171 |        location / {
172 |         proxy_pass http://$pool;
173 |        }
174 |     }
175 | ---
176 | ##################################################################################################
177 | # Configmap default
178 | ##################################################################################################
179 | apiVersion: v1
180 | kind: ConfigMap
181 | metadata:
182 |   name: bookinfo-default-conf
183 | data:
184 |   default.conf: |-
185 | 
186 |     log_format elk_format 'time=[$time_local] client_ip=$remote_addr virtual=$server_name client_port=$remote_port xff_ip=$remote_addr lb_server=$upstream_addr http_host=$host http_method=$request_method http_request_uri=$request_uri status_code=$status content_type="$sent_http_content_type" content_length="$sent_http_content_length" response_time=$request_time referer="$http_referer" http_user_agent="$http_user_agent" x-request-id=$myid ';
187 | 
188 |     upstream internalApp {
189 |        server 127.0.0.1:9080;
190 |     }
191 | 
192 |     server {
193 |        listen 5000;
194 | 
195 |        #error_log /var/log/nginx/internalApp.error.log info;
196 |        access_log syslog:server=10.69.33.1:8516 elk_format;
197 | 
198 |        location / {
199 |         proxy_pass http://internalApp;
200 |        }
201 |     }
202 | ---
203 | 


--------------------------------------------------------------------------------
/src/bookinfo/index.html:
--------------------------------------------------------------------------------
 1 | <!DOCTYPE html>
 2 | <html>
 3 |   <head>
 4 |     <title>Simple Bookstore App</title>
 5 | <meta charset="utf-8">
 6 | <meta http-equiv="X-UA-Compatible" content="IE=edge">
 7 | <meta name="viewport" content="width=device-width, initial-scale=1">
 8 | 
 9 | <!-- Latest compiled and minified CSS -->
10 | <link rel="stylesheet" href="static/bootstrap/css/bootstrap.min.css">
11 | 
12 | <!-- Optional theme -->
13 | <link rel="stylesheet" href="static/bootstrap/css/bootstrap-theme.min.css">
14 | 
15 |   </head>
16 |   <body>
17 |     
18 |     
19 | <p>
20 |     <h3>Hello! This is a simple bookstore application consisting of three services as shown below</h3>
21 | </p>
22 | 
23 | <table class="table table-condensed table-bordered table-hover"><tr><th>name</th><td>http://details:9080</td></tr><tr><th>endpoint</th><td>details</td></tr><tr><th>children</th><td><table class="table table-condensed table-bordered table-hover"><tr><th>name</th><th>endpoint</th><th>children</th></tr><tr><td>http://details:9080</td><td>details</td><td></td></tr><tr><td>http://reviews:9080</td><td>reviews</td><td><table class="table table-condensed table-bordered table-hover"><tr><th>name</th><th>endpoint</th><th>children</th></tr><tr><td>http://ratings:9080</td><td>ratings</td><td></td></tr></table></td></tr></table></td></tr></table>
24 | 
25 | <p>
26 |     <h4>Click on one of the links below to auto generate a request to the backend as a real user or a tester
27 |     </h4>
28 | </p>
29 | <p><a href="/productpage?u=normal">Normal user</a></p>
30 | <p><a href="/productpage?u=test">Test user</a></p>
31 | 
32 | 
33 |     
34 | <!-- Latest compiled and minified JavaScript -->
35 | <script src="static/jquery.min.js"></script>
36 | 
37 | <!-- Latest compiled and minified JavaScript -->
38 | <script src="static/bootstrap/js/bootstrap.min.js"></script>
39 | 
40 |   </body>
41 | </html>
42 | 


--------------------------------------------------------------------------------
/src/bookinfo/secret-bookinfo-cert.sh:
--------------------------------------------------------------------------------
1 | oc create secret generic bookinfo-cert --from-file=ssl-key=./cert/httpbin.f5asean.local.key --from-file=ssl-cert=./cert/httpbin.f5asean.local.crt --from-file=ca-cert=./cert/f5asean.local.ca.crt --from-file=adc-cert=./cert/f5adc.crt --from-file=adc-key=./cert/f5adc.key
2 | 


--------------------------------------------------------------------------------
/src/bookinfo/temp/bookinfo-nginx-ssl-modsec.yaml:
--------------------------------------------------------------------------------
  1 | ##################################################################################################
  2 | # Details service
  3 | ##################################################################################################
  4 | apiVersion: v1
  5 | kind: Service
  6 | metadata:
  7 |   name: details
  8 |   labels:
  9 |     app: details
 10 |     service: details
 11 | spec:
 12 |   ports:
 13 |   - port: 9080
 14 |     name: http
 15 |   selector:
 16 |     app: details
 17 | ---
 18 | apiVersion: extensions/v1beta1
 19 | kind: Deployment
 20 | metadata:
 21 |   name: details-v1
 22 |   labels:
 23 |     app: details
 24 |     version: v1
 25 | spec:
 26 |   replicas: 1
 27 |   template:
 28 |     metadata:
 29 |       labels:
 30 |         app: details
 31 |         version: v1
 32 |     spec:
 33 |       containers:
 34 |       - name: details
 35 |         image: docker.io/maistra/examples-bookinfo-details-v1:0.12.0
 36 |         imagePullPolicy: IfNotPresent
 37 |         ports:
 38 |         - containerPort: 9080
 39 | ---
 40 | ##################################################################################################
 41 | # Ratings service
 42 | ##################################################################################################
 43 | apiVersion: v1
 44 | kind: Service
 45 | metadata:
 46 |   name: ratings
 47 |   labels:
 48 |     app: ratings
 49 |     service: ratings
 50 | spec:
 51 |   ports:
 52 |   - port: 9080
 53 |     name: http
 54 |   selector:
 55 |     app: ratings
 56 | ---
 57 | apiVersion: extensions/v1beta1
 58 | kind: Deployment
 59 | metadata:
 60 |   name: ratings-v1
 61 |   labels:
 62 |     app: ratings
 63 |     version: v1
 64 | spec:
 65 |   replicas: 1
 66 |   template:
 67 |     metadata:
 68 |       labels:
 69 |         app: ratings
 70 |         version: v1
 71 |     spec:
 72 |       containers:
 73 |       - name: ratings
 74 |         image: docker.io/maistra/examples-bookinfo-ratings-v1:0.12.0
 75 |         imagePullPolicy: IfNotPresent
 76 |         ports:
 77 |         - containerPort: 9080
 78 | ---
 79 | ##################################################################################################
 80 | # Reviews service
 81 | ##################################################################################################
 82 | apiVersion: v1
 83 | kind: Service
 84 | metadata:
 85 |   name: reviews
 86 |   labels:
 87 |     app: reviews
 88 |     service: reviews
 89 | spec:
 90 |   ports:
 91 |   - port: 9080
 92 |     name: http
 93 |   selector:
 94 |     app: reviews
 95 | ---
 96 | apiVersion: extensions/v1beta1
 97 | kind: Deployment
 98 | metadata:
 99 |   name: reviews-v1
100 |   labels:
101 |     app: reviews
102 |     version: v1
103 | spec:
104 |   replicas: 1
105 |   template:
106 |     metadata:
107 |       labels:
108 |         app: reviews
109 |         version: v1
110 |     spec:
111 |       containers:
112 |       - name: reviews
113 |         image: docker.io/maistra/examples-bookinfo-reviews-v1:0.12.0
114 |         imagePullPolicy: IfNotPresent
115 |         ports:
116 |         - containerPort: 9080
117 | ---
118 | apiVersion: extensions/v1beta1
119 | kind: Deployment
120 | metadata:
121 |   name: reviews-v2
122 |   labels:
123 |     app: reviews
124 |     version: v2
125 | spec:
126 |   replicas: 1
127 |   template:
128 |     metadata:
129 |       labels:
130 |         app: reviews
131 |         version: v2
132 |     spec:
133 |       containers:
134 |       - name: reviews
135 |         image: docker.io/maistra/examples-bookinfo-reviews-v2:0.12.0
136 |         imagePullPolicy: IfNotPresent
137 |         ports:
138 |         - containerPort: 9080
139 | ---
140 | apiVersion: extensions/v1beta1
141 | kind: Deployment
142 | metadata:
143 |   name: reviews-v3
144 |   labels:
145 |     app: reviews
146 |     version: v3
147 | spec:
148 |   replicas: 1
149 |   template:
150 |     metadata:
151 |       labels:
152 |         app: reviews
153 |         version: v3
154 |     spec:
155 |       containers:
156 |       - name: reviews
157 |         image: docker.io/maistra/examples-bookinfo-reviews-v3:0.12.0
158 |         imagePullPolicy: IfNotPresent
159 |         ports:
160 |         - containerPort: 9080
161 | ---
162 | ##################################################################################################
163 | # Productpage services
164 | ##################################################################################################
165 | apiVersion: v1
166 | kind: Service
167 | metadata:
168 |   name: productpage-nginx
169 |   labels:
170 |     app: productpage-nginx
171 |     service: productpage-nginx
172 | spec:
173 |   ports:
174 |   - port: 9080
175 |     name: http
176 |   selector:
177 |     app: productpage-nginx
178 | ---
179 | apiVersion: extensions/v1beta1
180 | kind: Deployment
181 | metadata:
182 |   name: productpage-v1-nginx
183 |   labels:
184 |     app: productpage-nginx
185 |     version: v1
186 | spec:
187 |   replicas: 1
188 |   template:
189 |     metadata:
190 |       labels:
191 |         app: productpage-nginx
192 |         version: v1
193 |     spec:
194 |       - name: nginx-waf
195 |         securityContext:
196 |           privileged: true
197 |           runAsUser: 0
198 |         image: cjunwchen/cj-centos-nginx-waf:latest
199 |         volumeMounts:
200 |           - name: config-volume
201 |             mountPath: /etc/nginx/nginx.conf
202 |             subPath: nginx.conf
203 |           - name: secret-volume
204 |             mountPath: /app/cert
205 |       containers:
206 |       - name: productpage-nginx
207 |         image: docker.io/maistra/examples-bookinfo-productpage-v1:0.12.0
208 |         imagePullPolicy: IfNotPresent
209 |         ports:
210 |         - containerPort: 9080
211 |       volumes:
212 |       - name: config-volume
213 |         configMap:
214 |           name: nginx-conf
215 |       - name: secret-volume
216 |         secret:
217 |           secretName: appa-cert
218 |           items:
219 |             - key: ssl-cert
220 |               path: ssl-cert
221 |             - key: ssl-key
222 |               path: ssl-key
223 |             - key: ca-cert
224 |               path: ca-cert
225 |             - key: adc-key
226 |               path: adc-key
227 |             - key: adc-cert
228 |               path: adc-cert
229 |       securityContext: {}
230 |       serviceAccount: bookinfo-sa
231 |       serviceAccountName: bookinfo-sa
232 | ---
233 | 


--------------------------------------------------------------------------------
/src/bookinfo/temp/bookinfo-scc.yaml:
--------------------------------------------------------------------------------
 1 | allowHostDirVolumePlugin: true
 2 | allowHostIPC: true
 3 | allowHostNetwork: true
 4 | allowHostPID: true
 5 | allowHostPorts: true
 6 | allowPrivilegeEscalation: true
 7 | allowPrivilegedContainer: true
 8 | allowedCapabilities:
 9 | - '*'
10 | allowedUnsafeSysctls:
11 | - '*'
12 | apiVersion: security.openshift.io/v1
13 | defaultAddCapabilities: null
14 | fsGroup:
15 |   type: RunAsAny
16 | groups:
17 | - system:cluster-admins
18 | - system:nodes
19 | - system:masters
20 | - system:authenticated
21 | kind: SecurityContextConstraints
22 | metadata:
23 |   annotations:
24 |     kubernetes.io/description: 'privileged allows access to all privileged and host
25 |       features and the ability to run as any user, any group, any fsGroup, and with
26 |       any SELinux context.  WARNING: this is the most relaxed SCC and should be used
27 |       only for cluster administration. Grant with caution.'
28 |   creationTimestamp: null
29 |   name: bookinfo-scc
30 |   selfLink: /apis/security.openshift.io/v1/securitycontextconstraints/myscc
31 | priority: null
32 | readOnlyRootFilesystem: false
33 | requiredDropCapabilities: null
34 | runAsUser:
35 |   type: RunAsAny
36 | seLinuxContext:
37 |   type: RunAsAny
38 | seccompProfiles:
39 | - '*'
40 | supplementalGroups:
41 |   type: RunAsAny
42 | users:
43 | - system:admin
44 | - system:serviceaccount:openshift-infra:build-controller
45 | - system:serviceaccount:openshift-node:sync
46 | - system:serviceaccount:openshift-sdn:sdn
47 | - system:serviceaccount:management-infra:management-admin
48 | - system:serviceaccount:management-infra:inspector-admin
49 | - system:serviceaccount:appb:appb-sa
50 | - system:serviceaccount:appa:appa-sa
51 | volumes:
52 | - '*'
53 | 


--------------------------------------------------------------------------------
/src/bookinfo/temp/bookinfo.yaml:
--------------------------------------------------------------------------------
  1 | ##################################################################################################
  2 | # Details service
  3 | ##################################################################################################
  4 | apiVersion: v1
  5 | kind: Service
  6 | metadata:
  7 |   name: details
  8 |   labels:
  9 |     app: details
 10 |     service: details
 11 | spec:
 12 |   ports:
 13 |   - port: 9080
 14 |     name: http
 15 |   selector:
 16 |     app: details
 17 | ---
 18 | apiVersion: extensions/v1beta1
 19 | kind: Deployment
 20 | metadata:
 21 |   name: details-v1
 22 |   labels:
 23 |     app: details
 24 |     version: v1
 25 | spec:
 26 |   replicas: 1
 27 |   template:
 28 |     metadata:
 29 |       labels:
 30 |         app: details
 31 |         version: v1
 32 |     spec:
 33 |       containers:
 34 |       - name: details
 35 |         image: docker.io/maistra/examples-bookinfo-details-v1:0.12.0
 36 |         imagePullPolicy: IfNotPresent
 37 |         ports:
 38 |         - containerPort: 9080
 39 | ---
 40 | ##################################################################################################
 41 | # Ratings service
 42 | ##################################################################################################
 43 | apiVersion: v1
 44 | kind: Service
 45 | metadata:
 46 |   name: ratings
 47 |   labels:
 48 |     app: ratings
 49 |     service: ratings
 50 | spec:
 51 |   ports:
 52 |   - port: 9080
 53 |     name: http
 54 |   selector:
 55 |     app: ratings
 56 | ---
 57 | apiVersion: extensions/v1beta1
 58 | kind: Deployment
 59 | metadata:
 60 |   name: ratings-v1
 61 |   labels:
 62 |     app: ratings
 63 |     version: v1
 64 | spec:
 65 |   replicas: 1
 66 |   template:
 67 |     metadata:
 68 |       labels:
 69 |         app: ratings
 70 |         version: v1
 71 |     spec:
 72 |       containers:
 73 |       - name: ratings
 74 |         image: docker.io/maistra/examples-bookinfo-ratings-v1:0.12.0
 75 |         imagePullPolicy: IfNotPresent
 76 |         ports:
 77 |         - containerPort: 9080
 78 | ---
 79 | ##################################################################################################
 80 | # Reviews service
 81 | ##################################################################################################
 82 | apiVersion: v1
 83 | kind: Service
 84 | metadata:
 85 |   name: reviews
 86 |   labels:
 87 |     app: reviews
 88 |     service: reviews
 89 | spec:
 90 |   ports:
 91 |   - port: 9080
 92 |     name: http
 93 |   selector:
 94 |     app: reviews
 95 | ---
 96 | apiVersion: extensions/v1beta1
 97 | kind: Deployment
 98 | metadata:
 99 |   name: reviews-v1
100 |   labels:
101 |     app: reviews
102 |     version: v1
103 | spec:
104 |   replicas: 1
105 |   template:
106 |     metadata:
107 |       labels:
108 |         app: reviews
109 |         version: v1
110 |     spec:
111 |       containers:
112 |       - name: reviews
113 |         image: docker.io/maistra/examples-bookinfo-reviews-v1:0.12.0
114 |         imagePullPolicy: IfNotPresent
115 |         ports:
116 |         - containerPort: 9080
117 | ---
118 | apiVersion: extensions/v1beta1
119 | kind: Deployment
120 | metadata:
121 |   name: reviews-v2
122 |   labels:
123 |     app: reviews
124 |     version: v2
125 | spec:
126 |   replicas: 1
127 |   template:
128 |     metadata:
129 |       labels:
130 |         app: reviews
131 |         version: v2
132 |     spec:
133 |       containers:
134 |       - name: reviews
135 |         image: docker.io/maistra/examples-bookinfo-reviews-v2:0.12.0
136 |         imagePullPolicy: IfNotPresent
137 |         ports:
138 |         - containerPort: 9080
139 | ---
140 | apiVersion: extensions/v1beta1
141 | kind: Deployment
142 | metadata:
143 |   name: reviews-v3
144 |   labels:
145 |     app: reviews
146 |     version: v3
147 | spec:
148 |   replicas: 1
149 |   template:
150 |     metadata:
151 |       labels:
152 |         app: reviews
153 |         version: v3
154 |     spec:
155 |       containers:
156 |       - name: reviews
157 |         image: docker.io/maistra/examples-bookinfo-reviews-v3:0.12.0
158 |         imagePullPolicy: IfNotPresent
159 |         ports:
160 |         - containerPort: 9080
161 | ---
162 | ##################################################################################################
163 | # Productpage services
164 | ##################################################################################################
165 | apiVersion: v1
166 | kind: Service
167 | metadata:
168 |   name: productpage
169 |   labels:
170 |     app: productpage
171 |     service: productpage
172 | spec:
173 |   ports:
174 |   - port: 9080
175 |     name: http
176 |   selector:
177 |     app: productpage
178 | ---
179 | apiVersion: extensions/v1beta1
180 | kind: Deployment
181 | metadata:
182 |   name: productpage-v1
183 |   labels:
184 |     app: productpage
185 |     version: v1
186 | spec:
187 |   replicas: 1
188 |   template:
189 |     metadata:
190 |       labels:
191 |         app: productpage
192 |         version: v1
193 |     spec:
194 |       containers:
195 |       - name: productpage
196 |         image: docker.io/maistra/examples-bookinfo-productpage-v1:0.12.0
197 |         imagePullPolicy: IfNotPresent
198 |         ports:
199 |         - containerPort: 9080
200 | ---
201 | 


--------------------------------------------------------------------------------
/src/bookinfo/temp/config-bookinfo.yaml:
--------------------------------------------------------------------------------
 1 |     user  nginx;
 2 |     worker_processes  1;
 3 | 
 4 |     error_log  /var/log/nginx/error.log warn;
 5 |     pid        /var/run/nginx.pid;
 6 |     #load_module modules/ngx_http_modsecurity_module.so;
 7 | 
 8 |     events {
 9 |         worker_connections  1024;
10 |     }
11 | 
12 |     http {
13 |         include       /etc/nginx/mime.types;
14 |         default_type  application/octet-stream;
15 | 
16 |         sendfile        on;
17 |         keepalive_timeout  65;
18 | 
19 |         log_format elk_format_productpage 'time=[$time_local] client_ip=$remote_addr virtual=$server_name client_port=$remote_port xff_ip=$remote_addr lb_server=$upstream_addr http_host=$host http_method=$request_method http_request_uri=$request_uri status_code=$status content_type="$sent_http_content_type" content_length="$sent_http_content_length" response_time=$request_time referer="$http_referer" http_user_agent="$http_user_agent" x-request-id=$http_x_request_id ';
20 | 
21 |         upstream productpageApp {
22 |             server 127.0.0.1:9080;
23 |         }
24 | 
25 |         server {
26 |             listen 8443 ssl;
27 |             underscores_in_headers on;
28 |             server_name productpage-https;
29 | 
30 |             access_log syslog:server=10.69.33.1:8516 elk_format_productpage;
31 | 
32 |             #modsecurity on;
33 |             #modsecurity_rules_file /etc/nginx/modsec/main.conf;
34 | 
35 |             ssl_certificate      /app/cert/ssl-cert;
36 |             ssl_certificate_key  /app/cert/ssl-key;
37 |             #ssl_client_certificate /app/cert/ca-cert;
38 |             #ssl_verify_client on;
39 | 
40 |             ssl_protocols TLSv1.2;
41 |             ssl_ciphers EECDH+AES128:RSA+AES128:EECDH+AES256:RSA+AES256:!EECDH+3DES:!RSA+3DES:!MD5;
42 |             ssl_prefer_server_ciphers on;
43 | 
44 |             location / {
45 |                 proxy_pass         http://productpageApp;
46 |                 proxy_redirect     off;
47 |             }
48 |         }
49 | 
50 |         server {
51 |             listen 5000;
52 |             server_name productpage-http;
53 |             underscores_in_headers on;
54 | 
55 |             access_log syslog:server=10.69.33.1:8516 elk_format_productpage;
56 | 
57 |             #modsecurity on;
58 |             #modsecurity_rules_file /etc/nginx/modsec/main.conf;
59 | 
60 |             location / {
61 |                 #proxy_set_header proxy_host productpage;
62 |                 proxy_pass         http://productpageApp;
63 |                 proxy_redirect     off;
64 |             }
65 |         }
66 | 
67 |         server {
68 |             listen 8081 default_server;
69 |             #underscores_in_headers on;
70 | 
71 |             access_log syslog:server=10.69.33.1:8516 elk_format_productpage;
72 | 
73 |             location / {
74 |                 resolver 10.128.0.1 10.129.0.1 10.130.0.1 valid=10s;
75 |                 proxy_buffering    off;
76 |                 proxy_pass         http://$http_host:9080;
77 | 
78 |                 #proxy_ssl_certificate    /app/cert/adc-cert;
79 |                 #proxy_ssl_certificate_key   /app/cert/adc-key;
80 |             }
81 |         }
82 |     }
83 | ---
84 | 


--------------------------------------------------------------------------------
/src/bookinfo/temp/configmap-detail-nginx.yaml:
--------------------------------------------------------------------------------
 1 | #Config MAp to store ngninx.conf 
 2 | # kubectl apply -f nginx-config.yml
 3 | apiVersion: v1
 4 | kind: ConfigMap
 5 | metadata:
 6 |   name: nginx-conf-detail
 7 | data:
 8 |   nginx.conf: |-
 9 |     user  nginx;
10 |     worker_processes  1;
11 | 
12 |     error_log  /var/log/nginx/error.log warn;
13 |     pid        /var/run/nginx.pid;
14 |     #load_module modules/ngx_http_modsecurity_module.so;
15 | 
16 |     events {
17 |         worker_connections  1024;
18 |     }
19 | 
20 |     http {
21 |         include       /etc/nginx/mime.types;
22 |         default_type  application/octet-stream;
23 | 
24 |         sendfile        on;
25 |         keepalive_timeout  65;
26 | 
27 |         log_format elk_format 'time=[$time_local] proxy_host=$proxy_host client_ip=$remote_addr virtual=$server_name client_port=$remote_port xff_ip=$http_X_Forwarded_For lb_server=$upstream_addr http_host=$host http_method=$request_method http_request_uri=$request_uri status_code=$status content_type=$sent_http_content_type content_length=$sent_http_content_length response_time=$request_time referer="$http_referer" http_user_agent="$http_user_agent" x-request-id=$http_x_request_id ';
28 |         
29 |         upstream detail {
30 |             server 127.0.0.1:9080;
31 |         }
32 | 
33 |         server {
34 |             listen 8443 ssl;
35 |             underscores_in_headers on;
36 |             server_name detail-https;
37 | 
38 |             access_log syslog:server=10.69.33.1:8516 elk_format;	
39 |             
40 |             #modsecurity on;
41 |             #modsecurity_rules_file /etc/nginx/modsec/main.conf;
42 | 
43 |             ssl_certificate      /app/cert/ssl-cert;
44 |             ssl_certificate_key  /app/cert/ssl-key;
45 |             #ssl_client_certificate /app/cert/ca-cert;
46 |             #ssl_verify_client on;
47 | 
48 |             ssl_protocols TLSv1.2;
49 |             ssl_ciphers EECDH+AES128:RSA+AES128:EECDH+AES256:RSA+AES256:!EECDH+3DES:!RSA+3DES:!MD5;
50 |             ssl_prefer_server_ciphers on;
51 | 
52 |             location / {
53 |                 proxy_pass         http://detail;
54 |                 proxy_redirect     off;
55 |             }
56 |         }
57 | 
58 |         server {
59 |             listen 8080;
60 |             server_name detail-http;
61 |             underscores_in_headers on;
62 | 
63 |             #access_log syslog:server=10.69.33.1:8516 elk_format;
64 |             access_log /var/tmp/nginx-access.log elk_format;
65 | 
66 |             #modsecurity on;
67 |             #modsecurity_rules_file /etc/nginx/modsec/main.conf;
68 | 
69 |             location / {
70 |                 #proxy_set_header proxy_host detail;
71 |                 proxy_pass         http://detail;
72 |                 proxy_redirect     off;
73 |             }
74 |         }
75 | 
76 |         server {
77 |             listen 8081 default_server;
78 |             #underscores_in_headers on;
79 | 
80 |             location / {
81 |                 resolver 10.128.0.1 10.129.0.1 10.130.0.1 valid=10s;
82 |                 proxy_buffering    off;
83 |                 proxy_pass         https://$http_host:8443;
84 | 
85 |                 proxy_ssl_certificate    /app/cert/adc-cert;
86 |                 proxy_ssl_certificate_key   /app/cert/adc-key;
87 |             }
88 |         }
89 |     }
90 | 


--------------------------------------------------------------------------------
/src/bookinfo/temp/configmap-productpage-nginx.yaml:
--------------------------------------------------------------------------------
 1 | #Config MAp to store ngninx.conf 
 2 | # kubectl apply -f nginx-config.yml
 3 | apiVersion: v1
 4 | kind: ConfigMap
 5 | metadata:
 6 |   name: nginx-conf-productpage
 7 | data:
 8 |   nginx.conf: |-
 9 |     user  nginx;
10 |     worker_processes  1;
11 | 
12 |     error_log  /var/log/nginx/error.log warn;
13 |     pid        /var/run/nginx.pid;
14 |     #load_module modules/ngx_http_modsecurity_module.so;
15 | 
16 |     events {
17 |         worker_connections  1024;
18 |     }
19 | 
20 |     http {
21 |         include       /etc/nginx/mime.types;
22 |         default_type  application/octet-stream;
23 | 
24 |         sendfile        on;
25 |         keepalive_timeout  65;
26 | 
27 |         log_format elk_format_productpage 'time=[$time_local] client_ip=$remote_addr virtual=$server_name client_port=$remote_port xff_ip=$remote_addr lb_server=$upstream_addr http_host=$host http_method=$request_method http_request_uri=$request_uri status_code=$status content_type="$sent_http_content_type" content_length="$sent_http_content_length" response_time=$request_time referer="$http_referer" http_user_agent="$http_user_agent" x-request-id=$http_x_request_id ';
28 |  
29 |         upstream productpage {
30 |             server 127.0.0.1:9080;
31 |         }
32 | 
33 |         server {
34 |             listen 8443 ssl;
35 |             underscores_in_headers on;
36 |             server_name productpage-https;
37 | 
38 |             access_log syslog:server=10.69.33.1:8516 elk_format;	
39 |             
40 |             #modsecurity on;
41 |             #modsecurity_rules_file /etc/nginx/modsec/main.conf;
42 | 
43 |             ssl_certificate      /app/cert/ssl-cert;
44 |             ssl_certificate_key  /app/cert/ssl-key;
45 |             #ssl_client_certificate /app/cert/ca-cert;
46 |             #ssl_verify_client on;
47 | 
48 |             ssl_protocols TLSv1.2;
49 |             ssl_ciphers EECDH+AES128:RSA+AES128:EECDH+AES256:RSA+AES256:!EECDH+3DES:!RSA+3DES:!MD5;
50 |             ssl_prefer_server_ciphers on;
51 | 
52 |             location / {
53 |                 proxy_pass         http://productpage;
54 |                 proxy_redirect     off;
55 |             }
56 |         }
57 | 
58 |         server {
59 |             listen 8080;
60 |             server_name productpage-http;
61 |             underscores_in_headers on;
62 | 
63 |             access_log syslog:server=10.69.33.1:8516 elk_format;
64 |             #access_log /var/tmp/nginx-access.log elk_format;
65 | 
66 |             #modsecurity on;
67 |             #modsecurity_rules_file /etc/nginx/modsec/main.conf;
68 | 
69 |             location / {
70 |                 #proxy_set_header proxy_host productpage;
71 |                 proxy_pass         http://productpage;
72 |                 proxy_redirect     off;
73 |             }
74 |         }
75 | 
76 |         server {
77 |             listen 8081 default_server;
78 |             #underscores_in_headers on;
79 |             
80 |             access_log syslog:server=10.69.33.1:8516 elk_format;
81 | 
82 |             location / {
83 |                 resolver 10.128.0.1 10.129.0.1 10.130.0.1 valid=10s;
84 |                 proxy_buffering    off;
85 |                 proxy_pass         http://$http_host:9080;
86 | 
87 |                 #proxy_ssl_certificate    /app/cert/adc-cert;
88 |                 #proxy_ssl_certificate_key   /app/cert/adc-key;
89 |             }
90 |         }
91 |     }
92 | 


--------------------------------------------------------------------------------
/src/bookinfo/temp/deploy-detail-nginx.yaml:
--------------------------------------------------------------------------------
 1 | ##################################################################################################
 2 | # Productpage services
 3 | ##################################################################################################
 4 | apiVersion: apps.openshift.io/v1
 5 | kind: DeploymentConfig
 6 | metadata:
 7 |   labels:
 8 |     app: detail-sidecar
 9 |   name: detail-sidecar
10 | spec:
11 |   replicas: 1
12 |   selector:
13 |     app: detail-sidecar
14 |   template:
15 |     metadata:
16 |       labels:
17 |         app: detail-sidecar
18 |     spec:
19 |       containers:
20 |       - name: nginx-waf
21 |         securityContext:
22 |           privileged: true
23 |           runAsUser: 0
24 |         image: cjunwchen/cj-centos-nginx-waf:bookinfo
25 |         volumeMounts:
26 |           - name: config-volume
27 |             mountPath: /etc/nginx/nginx.conf
28 |             subPath: nginx.conf
29 |           - name: secret-volume
30 |             mountPath: /app/cert
31 |       - image: docker.io/maistra/examples-bookinfo-details-v1:0.12.0
32 |         name: detail-sidecar
33 |       volumes:
34 |       - name: config-volume
35 |         configMap:
36 |           name: nginx-conf-detail
37 |       - name: secret-volume
38 |         secret:
39 |           secretName: bookinfo-cert
40 |           items:
41 |             - key: ssl-cert
42 |               path: ssl-cert
43 |             - key: ssl-key
44 |               path: ssl-key
45 |             - key: ca-cert
46 |               path: ca-cert
47 |             - key: adc-key
48 |               path: adc-key
49 |             - key: adc-cert
50 |               path: adc-cert
51 |       securityContext: {}
52 |       serviceAccount: bookinfo-sa
53 |       serviceAccountName: bookinfo-sa
54 | ---
55 | apiVersion: v1
56 | kind: Service
57 | metadata:
58 |   name: detail
59 |   labels:
60 |     app: detail
61 | spec:
62 |   type: ClusterIP
63 |   ports:
64 |   - port: 8443
65 |     targetPort: 8443
66 |     name: https
67 |   - port: 9080
68 |     targetPort: 8080
69 |     name: http
70 |   selector:
71 |     app: detail-sidecar
72 | ---
73 | 


--------------------------------------------------------------------------------
/src/bookinfo/temp/deploy-productpage-nginx.yaml:
--------------------------------------------------------------------------------
  1 | apiVersion: v1
  2 | kind: ConfigMap
  3 | metadata:
  4 |   name: nginx-conf-productpage
  5 | data:
  6 |   nginx.conf: |-
  7 |     user  nginx;
  8 |     worker_processes  1;
  9 | 
 10 |     error_log  /var/log/nginx/error.log warn;
 11 |     pid        /var/run/nginx.pid;
 12 |     #load_module modules/ngx_http_modsecurity_module.so;
 13 | 
 14 |     events {
 15 |         worker_connections  1024;
 16 |     }
 17 | 
 18 |     http {
 19 |         include       /etc/nginx/mime.types;
 20 |         default_type  application/octet-stream;
 21 | 
 22 |         sendfile        on;
 23 |         keepalive_timeout  65;
 24 | 
 25 |         #log_format elk_format_productpage 'time=[$time_local] client_ip=$remote_addr virtual=$server_name client_port=$remote_port xff_ip=$remote_addr lb_server=$upstream_addr http_host=$host http_method=$request_method http_request_uri=$request_uri status_code=$status content_type="$sent_http_content_type" content_length="$sent_http_content_length" response_time=$request_time referer="$http_referer" http_user_agent="$http_user_agent" x-request-id=$http_x_request_id ';
 26 | 
 27 |         upstream productpageApp {
 28 |             server 127.0.0.1:9080;
 29 |         }
 30 | 
 31 |         server {
 32 |             listen 8443 ssl;
 33 |             underscores_in_headers on;
 34 |             server_name productpage-https;
 35 | 
 36 |             #access_log syslog:server=10.69.33.1:8516 elk_format_productpage;
 37 | 
 38 |             #modsecurity on;
 39 |             #modsecurity_rules_file /etc/nginx/modsec/main.conf;
 40 | 
 41 |             ssl_certificate      /app/cert/ssl-cert;
 42 |             ssl_certificate_key  /app/cert/ssl-key;
 43 |             #ssl_client_certificate /app/cert/ca-cert;
 44 |             #ssl_verify_client on;
 45 | 
 46 |             ssl_protocols TLSv1.2;
 47 |             ssl_ciphers EECDH+AES128:RSA+AES128:EECDH+AES256:RSA+AES256:!EECDH+3DES:!RSA+3DES:!MD5;
 48 |             ssl_prefer_server_ciphers on;
 49 | 
 50 |             location / {
 51 |                 proxy_pass         http://productpageApp;
 52 |                 proxy_redirect     off;
 53 |             }
 54 |         }
 55 | 
 56 |         server {
 57 |             listen 5000;
 58 |             server_name productpage-http;
 59 |             underscores_in_headers on;
 60 | 
 61 |             access_log syslog:server=10.69.33.1:8516 elk_format_productpage;
 62 |             #access_log /var/tmp/nginx-access.log elk_format;
 63 | 
 64 |             #modsecurity on;
 65 |             #modsecurity_rules_file /etc/nginx/modsec/main.conf;
 66 | 
 67 |             location / {
 68 |                 #proxy_set_header proxy_host productpage;
 69 |                 proxy_pass         http://productpageApp;
 70 |                 proxy_redirect     off;
 71 |             }
 72 |         }
 73 | 
 74 |     }
 75 | ---
 76 | ##################################################################################################
 77 | # Productpage services
 78 | ##################################################################################################
 79 | apiVersion: apps.openshift.io/v1
 80 | kind: DeploymentConfig
 81 | metadata:
 82 |   labels:
 83 |     app: productpage-sidecar
 84 |   name: productpage-sidecar
 85 | spec:
 86 |   replicas: 1
 87 |   selector:
 88 |     app: productpage-sidecar
 89 |   template:
 90 |     metadata:
 91 |       labels:
 92 |         app: productpage-sidecar
 93 |     spec:
 94 |       containers:
 95 |       - name: nginx-waf
 96 |         securityContext:
 97 |           privileged: true
 98 |           runAsUser: 0
 99 |         image: cjunwchen/cj-centos-nginx-waf:bookinfo
100 |         volumeMounts:
101 |           - name: config-volume
102 |             mountPath: /etc/nginx/nginx.conf
103 |             subPath: nginx.conf
104 |           - name: secret-volume
105 |             mountPath: /app/cert
106 |       - image: docker.io/maistra/examples-bookinfo-productpage-v1:0.12.0
107 |         securityContext:
108 |           runAsUser: 1000
109 |         name: productpage-sidecar
110 |       volumes:
111 |       - name: config-volume
112 |         configMap:
113 |           name: nginx-conf-productpage
114 |       - name: secret-volume
115 |         secret:
116 |           secretName: bookinfo-cert
117 |           items:
118 |             - key: ssl-cert
119 |               path: ssl-cert
120 |             - key: ssl-key
121 |               path: ssl-key
122 |             - key: ca-cert
123 |               path: ca-cert
124 |             - key: adc-key
125 |               path: adc-key
126 |             - key: adc-cert
127 |               path: adc-cert
128 |       securityContext: {}
129 |       serviceAccount: bookinfo-sa
130 |       serviceAccountName: bookinfo-sa
131 | ---
132 | apiVersion: v1
133 | kind: Service
134 | metadata:
135 |   name: productpage
136 |   labels:
137 |     app: productpage
138 | spec:
139 |   type: ClusterIP
140 |   ports:
141 |   - port: 8443
142 |     targetPort: 8443
143 |     name: https
144 |   - port: 5000
145 |     targetPort: 5000
146 |     name: http
147 |   selector:
148 |     app: productpage-sidecar
149 | ---
150 | 


--------------------------------------------------------------------------------
/src/bookinfo/temp/deploy-productpage-nginx.yaml.bak:
--------------------------------------------------------------------------------
 1 | ##################################################################################################
 2 | # Productpage services
 3 | ##################################################################################################
 4 | apiVersion: apps.openshift.io/v1
 5 | kind: DeploymentConfig
 6 | metadata:
 7 |   labels:
 8 |     app: productpage-sidecar
 9 |   name: productpage-sidecar
10 | spec:
11 |   replicas: 1
12 |   selector:
13 |     app: productpage-sidecar
14 |   template:
15 |     metadata:
16 |       labels:
17 |         app: productpage-sidecar
18 |     spec:
19 |       containers:
20 |       - name: nginx-waf
21 |         securityContext:
22 |           privileged: true
23 |           runAsUser: 0
24 |         image: cjunwchen/cj-centos-nginx-waf:bookinfo
25 |         volumeMounts:
26 |           - name: config-volume
27 |             mountPath: /etc/nginx/nginx.conf
28 |             subPath: nginx.conf
29 |           - name: secret-volume
30 |             mountPath: /app/cert
31 |       - image: docker.io/maistra/examples-bookinfo-productpage-v1:0.12.0
32 |         securityContext:
33 |           runAsUser: 1000
34 |         name: productpage-sidecar
35 |       volumes:
36 |       - name: config-volume
37 |         configMap:
38 |           name: nginx-conf-productpage
39 |       - name: secret-volume
40 |         secret:
41 |           secretName: bookinfo-cert
42 |           items:
43 |             - key: ssl-cert
44 |               path: ssl-cert
45 |             - key: ssl-key
46 |               path: ssl-key
47 |             - key: ca-cert
48 |               path: ca-cert
49 |             - key: adc-key
50 |               path: adc-key
51 |             - key: adc-cert
52 |               path: adc-cert
53 |       securityContext: {}
54 |       serviceAccount: bookinfo-sa
55 |       serviceAccountName: bookinfo-sa
56 | ---
57 | apiVersion: v1
58 | kind: Service
59 | metadata:
60 |   name: productpage
61 |   labels:
62 |     app: productpage
63 | spec:
64 |   type: ClusterIP
65 |   ports:
66 |   - port: 8443
67 |     targetPort: 8443
68 |     name: https
69 |   - port: 8080
70 |     targetPort: 8080
71 |     name: http
72 |   selector:
73 |     app: productpage-sidecar
74 | ---
75 | 


--------------------------------------------------------------------------------
/src/bookinfo/temp/deploy_bookinfo.yaml:
--------------------------------------------------------------------------------
  1 | ##################################################################################################
  2 | # Details service
  3 | ##################################################################################################
  4 | apiVersion: v1
  5 | kind: Service
  6 | metadata:
  7 |   name: details
  8 |   labels:
  9 |     app: details
 10 |     service: details
 11 | spec:
 12 |   ports:
 13 |   - port: 9080
 14 |     name: http
 15 |   selector:
 16 |     app: details
 17 | ---
 18 | apiVersion: extensions/v1beta1
 19 | kind: Deployment
 20 | metadata:
 21 |   name: details-v1
 22 |   labels:
 23 |     app: details
 24 |     version: v1
 25 | spec:
 26 |   replicas: 1
 27 |   template:
 28 |     metadata:
 29 |       labels:
 30 |         app: details
 31 |         version: v1
 32 |     spec:
 33 |       containers:
 34 |       - name: details
 35 |         image: docker.io/maistra/examples-bookinfo-details-v1:0.12.0
 36 |         imagePullPolicy: IfNotPresent
 37 |         ports:
 38 |         - containerPort: 9080
 39 | ---
 40 | ##################################################################################################
 41 | # Ratings service
 42 | ##################################################################################################
 43 | apiVersion: v1
 44 | kind: Service
 45 | metadata:
 46 |   name: ratings
 47 |   labels:
 48 |     app: ratings
 49 |     service: ratings
 50 | spec:
 51 |   ports:
 52 |   - port: 9080
 53 |     name: http
 54 |   selector:
 55 |     app: ratings
 56 | ---
 57 | apiVersion: extensions/v1beta1
 58 | kind: Deployment
 59 | metadata:
 60 |   name: ratings-v1
 61 |   labels:
 62 |     app: ratings
 63 |     version: v1
 64 | spec:
 65 |   replicas: 1
 66 |   template:
 67 |     metadata:
 68 |       labels:
 69 |         app: ratings
 70 |         version: v1
 71 |     spec:
 72 |       containers:
 73 |       - name: ratings
 74 |         image: docker.io/maistra/examples-bookinfo-ratings-v1:0.12.0
 75 |         imagePullPolicy: IfNotPresent
 76 |         ports:
 77 |         - containerPort: 9080
 78 | ---
 79 | ##################################################################################################
 80 | # Reviews service
 81 | ##################################################################################################
 82 | apiVersion: v1
 83 | kind: Service
 84 | metadata:
 85 |   name: reviews
 86 |   labels:
 87 |     app: reviews
 88 |     service: reviews
 89 | spec:
 90 |   ports:
 91 |   - port: 9080
 92 |     name: http
 93 |   selector:
 94 |     app: reviews
 95 | ---
 96 | apiVersion: extensions/v1beta1
 97 | kind: Deployment
 98 | metadata:
 99 |   name: reviews-v1
100 |   labels:
101 |     app: reviews
102 |     version: v1
103 | spec:
104 |   replicas: 1
105 |   template:
106 |     metadata:
107 |       labels:
108 |         app: reviews
109 |         version: v1
110 |     spec:
111 |       containers:
112 |       - name: reviews
113 |         image: docker.io/maistra/examples-bookinfo-reviews-v1:0.12.0
114 |         imagePullPolicy: IfNotPresent
115 |         ports:
116 |         - containerPort: 9080
117 | ---
118 | apiVersion: extensions/v1beta1
119 | kind: Deployment
120 | metadata:
121 |   name: reviews-v2
122 |   labels:
123 |     app: reviews
124 |     version: v2
125 | spec:
126 |   replicas: 1
127 |   template:
128 |     metadata:
129 |       labels:
130 |         app: reviews
131 |         version: v2
132 |     spec:
133 |       containers:
134 |       - name: reviews
135 |         image: docker.io/maistra/examples-bookinfo-reviews-v2:0.12.0
136 |         imagePullPolicy: IfNotPresent
137 |         ports:
138 |         - containerPort: 9080
139 | ---
140 | apiVersion: extensions/v1beta1
141 | kind: Deployment
142 | metadata:
143 |   name: reviews-v3
144 |   labels:
145 |     app: reviews
146 |     version: v3
147 | spec:
148 |   replicas: 1
149 |   template:
150 |     metadata:
151 |       labels:
152 |         app: reviews
153 |         version: v3
154 |     spec:
155 |       containers:
156 |       - name: reviews
157 |         image: docker.io/maistra/examples-bookinfo-reviews-v3:0.12.0
158 |         imagePullPolicy: IfNotPresent
159 |         ports:
160 |         - containerPort: 9080
161 | ---
162 | 


--------------------------------------------------------------------------------
/src/bookinfo/temp/test.yaml:
--------------------------------------------------------------------------------
 1 | apiVersion: v1
 2 | kind: Service
 3 | metadata:
 4 |   name: details
 5 |   labels:
 6 |     app: details
 7 |     service: details
 8 | spec:
 9 |   ports:
10 |   - port: 9080
11 |     name: http
12 |   selector:
13 |     app: details
14 | ---
15 | apiVersion: extensions/v1beta1
16 | kind: Deployment
17 | metadata:
18 |   name: details-v1
19 |   labels:
20 |     app: details
21 |     version: v1
22 | spec:
23 |   replicas: 1
24 |   template:
25 |     metadata:
26 |       labels:
27 |         app: details
28 |         version: v1
29 |     spec:
30 |       containers:
31 |       - name: nginx-waf
32 |         securityContext:
33 |           privileged: true
34 |           runAsUser: 0
35 |         image: cjunwchen/cj-centos-nginx-waf:bookinfo
36 |         volumeMounts:
37 |           - name: config-volume
38 |             mountPath: /etc/nginx/nginx.conf
39 |             subPath: nginx.conf
40 |           - name: secret-volume
41 |             mountPath: /app/cert
42 |       - name: details
43 |         image: docker.io/maistra/examples-bookinfo-details-v1:0.12.0
44 |         imagePullPolicy: IfNotPresent
45 |         ports:
46 |         - containerPort: 9080
47 |       volumes:
48 |       - name: config-volume
49 |         configMap:
50 |           name: nginx-conf-detail
51 |       - name: secret-volume
52 |         secret:
53 |           secretName: bookinfo-cert
54 |           items:
55 |             - key: ssl-cert
56 |               path: ssl-cert
57 |             - key: ssl-key
58 |               path: ssl-key
59 |             - key: ca-cert
60 |               path: ca-cert
61 |             - key: adc-key
62 |               path: adc-key
63 |             - key: adc-cert
64 |               path: adc-cert
65 |       securityContext: {}
66 |       serviceAccount: bookinfo-sa
67 |       serviceAccountName: bookinfo-sa
68 | 


--------------------------------------------------------------------------------
/sre-usecases/01-targeted-canary/images/apmLogin.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/f5devcentral/f5-bd-sre-demo/6bc0c2d266c3ed9902d8f0c051ba6bff142b3f47/sre-usecases/01-targeted-canary/images/apmLogin.png


--------------------------------------------------------------------------------
/sre-usecases/01-targeted-canary/images/apmPolicy.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/f5devcentral/f5-bd-sre-demo/6bc0c2d266c3ed9902d8f0c051ba6bff142b3f47/sre-usecases/01-targeted-canary/images/apmPolicy.png


--------------------------------------------------------------------------------
/sre-usecases/01-targeted-canary/images/bookinfoPol.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/f5devcentral/f5-bd-sre-demo/6bc0c2d266c3ed9902d8f0c051ba6bff142b3f47/sre-usecases/01-targeted-canary/images/bookinfoPol.png


--------------------------------------------------------------------------------
/sre-usecases/01-targeted-canary/images/bookinfo_normal.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/f5devcentral/f5-bd-sre-demo/6bc0c2d266c3ed9902d8f0c051ba6bff142b3f47/sre-usecases/01-targeted-canary/images/bookinfo_normal.png


--------------------------------------------------------------------------------
/sre-usecases/01-targeted-canary/images/bookinfo_test.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/f5devcentral/f5-bd-sre-demo/6bc0c2d266c3ed9902d8f0c051ba6bff142b3f47/sre-usecases/01-targeted-canary/images/bookinfo_test.png


--------------------------------------------------------------------------------
/sre-usecases/01-targeted-canary/images/bookinfo_testv1.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/f5devcentral/f5-bd-sre-demo/6bc0c2d266c3ed9902d8f0c051ba6bff142b3f47/sre-usecases/01-targeted-canary/images/bookinfo_testv1.png


--------------------------------------------------------------------------------
/sre-usecases/01-targeted-canary/images/bookinfo_testv2.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/f5devcentral/f5-bd-sre-demo/6bc0c2d266c3ed9902d8f0c051ba6bff142b3f47/sre-usecases/01-targeted-canary/images/bookinfo_testv2.png


--------------------------------------------------------------------------------
/sre-usecases/01-targeted-canary/images/e2e.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/f5devcentral/f5-bd-sre-demo/6bc0c2d266c3ed9902d8f0c051ba6bff142b3f47/sre-usecases/01-targeted-canary/images/e2e.png


--------------------------------------------------------------------------------
/sre-usecases/01-targeted-canary/images/vs.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/f5devcentral/f5-bd-sre-demo/6bc0c2d266c3ed9902d8f0c051ba6bff142b3f47/sre-usecases/01-targeted-canary/images/vs.png


--------------------------------------------------------------------------------
/sre-usecases/02-blue-green-deployment/README.md:
--------------------------------------------------------------------------------
 1 | # SRE Blue-Green Deployment with F5 and OpenShift
 2 | ## Summary
 3 | The Site Reliability Engineering or SRE demo will be centered around three distinct customer driven use cases. This lab will take you through setting up one of the 3 use cases: Bule-Green Deployment  .
 4 | 
 5 | ## Design
 6 | 
 7 | Demonstrate F5’s Blue-Green Deployment by using F5 Cloud Services, to minimise downtime as customer migrate application to new clusters, or from on-prem to off-prem.
 8 | 
 9 | ![E2E Architecture](images/bluegreentopology)
10 | 
11 | 
12 | ## Understanding Blue Green Deployment
13 | Blue-green deployment is a technique that reduces downtime and risk by running two identical production environments called Blue (or old OpenShift Cluster) and Green (new OpenShift Cluster).
14 | 
15 | As you prepare a new version of your software, deployment and the final stage of testing takes place in the environment that is not live: in this example, Green (or new OpenShift Cluster). Once you have deployed and fully tested the software in Green, you switch the router so all incoming requests now go to Green instead of Blue. Green is now live, and Blue is idle.
16 | 
17 | This technique can eliminate downtime due to app deployment. In addition, blue-green deployment reduces risk: if something unexpected happens with your new version on Green, you can immediately roll back to the last version by switching back to Blue.
18 | 
19 | ## Prerequisites
20 | - Two running OpenShift Clusters (for thie demo, we are running two clusters in AWS)
21 | - Enterprise DNS in place (for this demo, we are running AWS Route53)
22 | - Access to F5 Cloud Services (GSLB)
23 | - Ansible installed
24 | 
25 | Please note that if, all of the prerequisites from the main readme page have not yet been configured please return to that page until they have been completed.
26 | 
27 | Also note that in this demo we are using a GSLB tool, which allows the automatic creation of GSLB DNS entries in [F5 CloudServices](https://clouddocs.f5.com/cloud-services/latest/)' DNS LB service.  Please refer to [GSLB tool project page](https://github.com/f5devcentral/f5-bd-gslb-tool) for details of the tool.
28 | 
29 | ## Setup and Configuration
30 | Follow the links below in order to begin setup and configuration.
31 | 
32 | 1. [Getting familiar with F5 GSLB tool](https://github.com/f5devcentral/f5-bd-gslb-tool)
33 | 2. [Setting up DNS for F5 Cloud Services](https://github.com/f5devcentral/f5-bd-gslb-tool/wiki/Infrastucture-setup)
34 | 3. [Setting up GSLB tool](./gslb-setup.md)
35 | 4. [Building and Running the Blue-green Deployment](blue-green.md)
36 | 5. [Troubleshooting and FAQ](troubleshooting.md)
37 | 
38 | 
39 | ## Support
40 | 
41 | This project is a community effort to promote F5 container ingress service automation and is maintained by F5 BD. For any feature requests or issues, feel free to open an issue and we will give our best effort to address it
42 | 
43 | 
44 | 
45 | 


--------------------------------------------------------------------------------
/sre-usecases/02-blue-green-deployment/blue-green.md:
--------------------------------------------------------------------------------
  1 | # Building Blue-Green Deployment
  2 | 
  3 | Blue-green deployment uses two versions of the application running simultaneously in two identical production environments called Blue (OpenShift Cluster dRouter **aws1-az1** in this demo) and Green (OpenShift Cluster dRouter **aws2-az1**). 
  4 | 
  5 | First, you use the Route object to point to the current version. Then you start the new version and switch the Route to the new pods. After you test the new version and are satisfied with it, you can scale down the previous one and delete that Deployment.
  6 | 
  7 | For this demo, we’ll start with a simple app: “app1”. This app is an example Nginx HTTP server and a reverse proxy (nginx) application that serves static content, and displays the Openshift cluster version. 
  8 | 
  9 | Note that for each cluster, we assume you already have the application "app1" deployed, service created, and OpenShift route created. If you are looking for application migration, Red Hat provides a set of tooll: Custer Application Migration (CAM), and Control Plan Migration Assistance (CPMA).
 10 | 
 11 | ## Step 1: Map Route to Blue
 12 | To start with, we will configure F5 Cloud Service to send all traffic for app1.thebizdevops.net traffic to Blue, as shown in the graphic below:
 13 | ![blue](./images/blue1)
 14 | 
 15 | **Retrieve route from Blue**
 16 | 
 17 | Retrieve the routes of project “default" from the Blue deployment
 18 | ```
 19 | ./project-retrieve default aws1-az1
 20 |  ```
 21 | This command retrieves all the routes of the given project/namespace ("default") and the specified dRouter, ands store this information in the desired GSLB store.
 22 | 
 23 | **Publish route to F5 Cloud Service**
 24 | Next, we can submit this configuration into F5 Cloud Service with the *gslb-commit* command. 
 25 | 
 26 | ```
 27 | ./gslb-commit
 28 | PLAY [localhost] **************************************************************************************************************************************************************
 29 | Friday 01 May 2020  16:05:50 -0700 (0:00:00.822)       0:00:00.822 ************
 30 | ...
 31 | ...
 32 | f5aas-gslb-prepare-subscription : retrieve result ---------------------------------------------------------------------------------------------------------------------- 0.71s
 33 | f5aas-gslb-prepare-subscription : retrieve result ---------------------------------------------------------------------------------------------------------------------- 0.71s
 34 | f5aas-gslb-prepare-subscription : prepare the proximity rule JSON object, copy the template file ----------------------------------------------------------------------- 0.70s
 35 | 
 36 | ```
 37 | 
 38 | **Verify F5 Cloud Service**
 39 | Log into F5 Cloud Service, and verify that:
 40 | - service *gslb.thebizdevops.net* is created
 41 | - dRouter *aws1-az1* is added to the DNS load balancer pool
 42 | 
 43 | ![gslb-service](images/gslb-service)
 44 | ![gslb-pool](images/gslb-pool)
 45 | 
 46 | **Verify application**
 47 | Verify that the application is directed to Blue app (in our case, it shows OpenShift 4.2)
 48 | ![app1-1](images/app1-1)
 49 | 
 50 | ## Step 2: Test Route to Green (Optional)
 51 | 
 52 | Now that both apps are up and running, we will switch the router so all incoming requests go to the Green app and the Blue app, as shown below:
 53 | 
 54 | ![blue](./images/blue-green)
 55 | 
 56 | **Retrieve route from Green**
 57 | 
 58 | Retrieve the routes of project “default" from the Green deployment
 59 | ```
 60 | ./project-retrieve default aws2-az1
 61 |  ```
 62 | 
 63 | This command retrieves all the routes of the given project/namespace ("default") and the specified dRouter, ands store this information in the desired GSLB store.
 64 | 
 65 | Now, we have both Blue and Green routes in GSLB store.
 66 | 
 67 | **Set the traffic ratio**
 68 | 
 69 | Set the GSLB ratio for each deployment for a given project/namespace ("default"). 
 70 | ```
 71 |  ./project-ratios default '{"aws1-az1": "90", "aws2-az1": "10" }'
 72 |  ```
 73 |  We are setting the ratio to steer 90% of the traffic to Blue or "aws1-az1", and 10% to Green or "aws12-az1".
 74 | 
 75 | **Publish route to F5 Cloud Service**
 76 | Next, we can submit this configuration into F5 Cloud Service with the *gslb-commit* command. 
 77 | 
 78 | **Verify F5 Cloud Service**
 79 | 
 80 | After *gslb-commit* :
 81 | 
 82 | - F5 Cloud Service continues sending traffic for app1.thebizdevops.net to Green.
 83 | - Within a few seconds, F5 Cloud Service begins load balancing traffic between Blue (in our case, the app shows OpenShift 4.2) and Green (it shows OpenShift 4.3).
 84 | 
 85 | ![gslb-pool2](images/gslb-pool2)
 86 | 
 87 | 
 88 | ![app1-1](images/app1-1)
 89 | ![app1-2](images/app1-2)
 90 | 
 91 | We can run a shell script to verify the traffic ratio:
 92 | ```bash
 93 | ./demo.sh
 94 | Password:
 95 | 
 96 |   % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
 97 |                                  Dload  Upload   Total   Spent    Left  Speed
 98 | 100 37455  100 37455    0     0   9209      0  0:00:04  0:00:04 --:--:--  9211
 99 |     <h1>Welcome to your static nginx application on OpenShift 4.2</h1>
100 | -------------Client  1 -----------
101 | ===================================
102 | 
103 |   % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
104 |                                  Dload  Upload   Total   Spent    Left  Speed
105 | 100 37455  100 37455    0     0  94108      0 --:--:-- --:--:-- --:--:-- 93872
106 |     <h1>Welcome to your static nginx application on OpenShift 4.2</h1>
107 | -------------Client  2 -----------
108 | ===================================
109 | 
110 |   % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
111 |                                  Dload  Upload   Total   Spent    Left  Speed
112 | 100 37455  100 37455    0     0  97793      0 --:--:-- --:--:-- --:--:-- 97793
113 |     <h1>Welcome to your static nginx application on OpenShift 4.2</h1>
114 | -------------Client  3 -----------
115 | ===================================
116 | 
117 |   % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
118 |                                  Dload  Upload   Total   Spent    Left  Speed
119 | 100 37455  100 37455    0     0  98307      0 --:--:-- --:--:-- --:--:-- 98307
120 |     <h1>Welcome to your static nginx application on OpenShift 4.2</h1>
121 | -------------Client  4 -----------
122 | ===================================
123 | 
124 |   % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
125 |                                  Dload  Upload   Total   Spent    Left  Speed
126 | 100 37455  100 37455    0     0    98k      0 --:--:-- --:--:-- --:--:--   98k
127 |     <h1>Welcome to your static nginx application on OpenShift 4.2</h1>
128 | -------------Client  5 -----------
129 | ===================================
130 | 
131 |   % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
132 |                                  Dload  Upload   Total   Spent    Left  Speed
133 | 100 37455  100 37455    0     0  96533      0 --:--:-- --:--:-- --:--:-- 96533
134 |     <h1>Welcome to your static nginx application on OpenShift 4.2</h1>
135 | -------------Client  6 -----------
136 | ===================================
137 | 
138 |   % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
139 |                                  Dload  Upload   Total   Spent    Left  Speed
140 | 100 37455  100 37455    0     0  99880      0 --:--:-- --:--:-- --:--:-- 99614
141 |     <h1>Welcome to your static nginx application on OpenShift 4.3</h1>
142 | -------------Client  7 -----------
143 | ===================================
144 | 
145 | ```
146 | 
147 | ## Step 3: Unmap Route to Blue
148 | Once you verify Green is running as expected, stop routing requests to Blue.
149 | 
150 | ![green1](./images/green1)
151 | 
152 | **Set the traffic ratio**
153 | 
154 | ```
155 |  ./project-ratios default '{"aws1-az1": "0", "aws2-az1": "100" }'
156 |  ```
157 | 
158 | **Publish route to F5 Cloud Service**
159 | Next, we can submit this configuration into F5 Cloud Service with the *gslb-commit* command. 
160 | ![gslb-pool3](images/gslb-pool3)
161 | 
162 | F5 Cloud Service stops sending traffic to Blue. Now all traffic for app1.thebizdevops.net is sent to Green.
163 | 
164 | ![app1-22](images/app1-22)
165 | 


--------------------------------------------------------------------------------
/sre-usecases/02-blue-green-deployment/dns.md:
--------------------------------------------------------------------------------
 1 | ### 2. DNS Setup
 2 | 
 3 | An Openshift cluster typically has its own domain, for the applications, for example:
 4 | ```
 5 | *.apps.<cluster name>.mycompany.com
 6 | ```
 7 | On the other hand end users don’t use such long names for the applications and instead they would use instead:
 8 | ```
 9 | www.mycompany.com
10 | ```
11 | where www is typically reachable in the cluster as www.<apps>.<mycluster>.mycompany.com as well.
12 | 
13 | This scenario is typically setup as follows in DNS:
14 | 
15 | |DNS zone/name |	Description |
16 | |---------------------------------------------------------- |:--------------------------|
17 | |mycompany.com	| Usually hosted in corporate DNS, possibly in a Cloud DNS. |
18 | |Application’s main DNS names such as www.mycompany.com	| CNAME records pointing to A records of the cluster. Following the example www.apps.<cluster name>.mycompany.com |
19 | |<cluster>.mycompany.com	| Usually delegated to cluster DNS. |
20 | 
21 | 
22 | A DNS request performs the following steps for its resolution:
23 |  
24 | In the case the customer has several clusters the application’s main DNS names will contain CNAME records for each cluster, possibly weighted round robin. This type of solutions lack:
25 | -	Comprehensive health checking monitoring.
26 | -	Automation and integration with the Openshift cluster.
27 | -	Ability to shift workloads across clusters swiftly.
28 | F5 Cloud Services provides these features in an Anycast infrastructure around the globe with the ease of a Software As A Service solution which doesn’t require infrastructure modifications. This DNS
29 | When using F5 Cloud Services’ DNS LB the DNS resolution will look as follows:
30 |   
31 | 
32 | The overall DNS setup can be seen in the next diagram:
33 | 
34 |  
35 |  
36 | 
37 | ### 3. Delegating a subdomain to F5 Cloud Service
38 | 
39 | You can reference here for more inforation about F5 Cloud Services:
40 | https://clouddocs.f5.com/cloud-services/latest/
41 | https://clouddocs.f5.com/cloud-services/latest/f5-cloud-services-GSLB-FAQ.html
42 | 
43 | You can continue to manage DNS through your current provider and delegate a subdomain for which F5 Cloud Services will issue responses. Then you would create CNAME records on the primary DNS nameserver for any FQDNs you want to load balance, pointing to A records in the delegated subdomain. The process is more or less the same as with F5’s self-hosted product, BIG-IP DNS, and more instructions can be found here: https://support.f5.com/csp/article/K277
44 | 
45 | 
46 | 
47 | https://support.f5.com/csp/article/K277
48 | 
49 | 1. Create a new subdomain for which the BIG-IP DNS or BIG-IP Link Controller system is authoritative.
50 |    ex.  *ocp.thebizdevops.net*
51 | 2. Delegate authority for the entire subdomain to the F5 Cloud Service
52 |    For example, to delegate authority for the ocp.thebizdevops.net subdomain to the F5 Cloud Service DNS systems named
53 |    - ns1.f5cloudservices.com
54 |    - ns2.f5cloudservices.com
55 | 
56 | ```
57 | host -t NS ocp.thebizdevops.net
58 | ocp.thebizdevops.net name server ns1.f5cloudservices.com.
59 | ocp.thebizdevops.net name server ns2.f5cloudservices.com.
60 | ```
61 | 
62 | AWS Route53 Sub-Domain Delegation
63 | https://www.youtube.com/watch?v=nlff6mnmMeM
64 | 


--------------------------------------------------------------------------------
/sre-usecases/02-blue-green-deployment/gslb-setup.md:
--------------------------------------------------------------------------------
  1 | # Setting up GSLB Tool
  2 | 
  3 | ## PREREQUISITES
  4 | 
  5 | - Openshift routers must be exposed with a public IP.
  6 | - Openshift API endpoints must be reachable from where this tool is run. It can be either a public or a private address but it must be reachable.
  7 | - Ansible with Kubernetes modules.
  8 | - The jq utility which is available in most Linux distributions or can be downloaded for any OS from the project’s page: https://stedolan.github.io/jq/download/ . The utility must be in the $PATH.
  9 | - The bash shell.
 10 | 
 11 | ## Sample Topology in AWS
 12 | 
 13 | In this demo, we are running two OpenShift Clusters in AWS. For each cluster, we are referencing to a typical AWS OpenShift deployment with a two-tier LB arrangement shown below:
 14 | 
 15 | ![AWS arrangement](images/aws-lb.png)
 16 | 
 17 | Note that each OpenShift cluster is deployed into 3 different Availability Zones (or AZ's). Each AZ is treated independently as it has its own dRouter name (aws1-az1, aws1-az2, and aws1-az3). 
 18 | 
 19 | ## SETUP
 20 | 
 21 | 1. Download the package, ie: *gslb-tool-\<release date\>.tar.gz*
 22 | 2. Unpack it: 
 23 |    ```
 24 |    tar zxvf gslb-tool-<release date>.tar.gz
 25 |    ```
 26 | 3. Change working directory to the gslb-tool’s created directory: 
 27 |    ```
 28 |    cd gslb-tools-<release date>
 29 |    ```
 30 | 4. For convenience, add gslb-tool's working directory in the $PATH shell variable: 
 31 |    ```
 32 |    export PATH=$PATH:$PWD
 33 |    ```
 34 | 5. Edit the file *vars/credentials.yaml* and fill the following variables.
 35 | 
 36 | ```yaml
 37 | # Openshift user and password. One dictionary entry for each Openshift cluster.
 38 | k8s_user:
 39 |    aws1-az1: 
 40 |    aws1-az2: 
 41 |    aws1-az3:
 42 |    aws2-az1: 
 43 |    aws2-az2: 
 44 |    aws2-az3:
 45 | 
 46 | k8s_pass: 
 47 |    aws1-az1: 
 48 |    aws1-az2: 
 49 |    aws1-az3:
 50 |    aws2-az1: 
 51 |    aws2-az2: 
 52 |    aws2-az3:
 53 | 
 54 | # User and password for the F5 CloudServices account.
 55 | F5AAS_USER: 
 56 | F5AAS_PASS: 
 57 | ```
 58 | 
 59 | 6. Edit the file *vars/setup.yaml*. This file contains the deployment settings
 60 | 
 61 | The next variables apply to all deployments.
 62 | 
 63 | ```yaml
 64 | # DNS name configuration settings.
 65 | #
 66 | # BASE_DOMAIN: is the part of the part of the DNS domain name that is not delegated 
 67 | #              to F5 CloudServices DNS LB.
 68 | # GSLB_ZONE:   is the name prefixed to BASE_DOMAIN that is delegated 
 69 | #              to F5 CloudServices DNS LB.
 70 | #
 71 | GSLB_ZONE: gslb
 72 | BASE_DOMAIN: thebizdevops.net
 73 | #
 74 | # The resulting GSLB domain is "{{GSLB_ZONE}}.{{BASE_DOMAIN}}" and 
 75 | # the GSLB records would be www.ocp.f5bddemos.io, crm.ocp.f5bddemos.io 
 76 | # following the sample values above.
 77 | 
 78 | # At present it is only supported either "https" or "http" routes 
 79 | # but not both types simulateneously. 
 80 | # Set this according to your requirements.
 81 | ROUTES_TYPE: "http"
 82 | ```
 83 | 
 84 | The next variables are dictionaries that define the topology of the deployments. The following topologies are supported.
 85 | 
 86 | - Several Openshift/K8s deployments with a single router per deployment. This is the most typical scenario.
 87 | - Single Openshift/K8s deployment with several routers per deployment with or without route sharding.
 88 | - Any combination of the above. For example: deployment A may have one router, deployment B may have two routers with route sharding and deployment C could have 3 routers without route sharding.
 89 | 
 90 | A given Openshift/K8s deployment might have one or more routers, and we will assign a diferent name for each (dRouter for short).
 91 | 
 92 | Topology variables are indexed by these dRouter names. These topology variables are: 
 93 | 
 94 | - **apiEndpoint:** Contains the URL of the apiEndpoint of each dRouter. Deployments with several routers will have the same URL for different dRouters. 
 95 | 
 96 | - **publicAddress:** Contains the public IP address (host names should not be used) that is exposing each dRouter to the Internet. This will be load balanced by the F5 Cloud Services DNS LB. This IP is unique for each dRouter. An example using a typical scenario is shown next:
 97 | 
 98 | An example using a typical scenario is shown here:
 99 | 
100 | ```yaml
101 | apiEndpoint:
102 |    aws1-az1: "https://api.ocp42.thebizdevops.net:6443" 
103 |    aws1-az2: "https://api.ocp42.thebizdevops.net:6443" 
104 |    aws1-az3: "https://api.ocp42.thebizdevops.net:6443"
105 |    aws2-az1: "https://api.cluster1.thebizdevops.net:6443"
106 |    aws2-az2: "https://api.cluster1.thebizdevops.net:6443"
107 |    aws2-az3: "https://api.cluster1.thebizdevops.net:6443"
108 | 
109 | publicAddress:
110 |    onprem: "12.202.33.146"
111 |    aws1-az1: "13.28.76.70"
112 |    aws1-az2: "13.29.30.17"
113 |    aws1-az3: "13.14.35.34"
114 |    aws2-az1: "35.164.16.180"
115 |    aws2-az2: "54.69.118.228"
116 |    aws2-az3: "54.64.13.152"
117 | ```
118 | 
119 | ### SETUP VERIFICATION
120 | 
121 | To finish the setup, run the *gslb-tool-verify* to verify that all components are in place and the configuration is sound.
122 | ```
123 | gslb-tool-verify 
124 | ```
125 | If all checks succeed you will see a similar message to the next one at the end of the command run. 
126 | 
127 | ```
128 |  myansible  ./gslb-tool-verify
129 | >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
130 | >>> gslb-tool: Checking that all the requisite tools are in place...
131 | 
132 | 
133 | >>> gslb-tool: All the required utilities and modules are ready.
134 | 
135 | >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
136 | >>> gslb-tool: Checking reachability and login credentials to F5 Cloud Services...
137 | ...
138 | ...
139 | ...
140 | 
141 | >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
142 | >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
143 | >>> gslb-tool: All checks have succeeded. The tool is ready to be used.
144 | >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
145 | >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
146 | 
147 | ```
148 | The tool is ready to be used.
149 | 


--------------------------------------------------------------------------------
/sre-usecases/02-blue-green-deployment/gslb.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/f5devcentral/f5-bd-sre-demo/6bc0c2d266c3ed9902d8f0c051ba6bff142b3f47/sre-usecases/02-blue-green-deployment/gslb.png


--------------------------------------------------------------------------------
/sre-usecases/02-blue-green-deployment/images/app1-1:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/f5devcentral/f5-bd-sre-demo/6bc0c2d266c3ed9902d8f0c051ba6bff142b3f47/sre-usecases/02-blue-green-deployment/images/app1-1


--------------------------------------------------------------------------------
/sre-usecases/02-blue-green-deployment/images/app1-2:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/f5devcentral/f5-bd-sre-demo/6bc0c2d266c3ed9902d8f0c051ba6bff142b3f47/sre-usecases/02-blue-green-deployment/images/app1-2


--------------------------------------------------------------------------------
/sre-usecases/02-blue-green-deployment/images/app1-22:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/f5devcentral/f5-bd-sre-demo/6bc0c2d266c3ed9902d8f0c051ba6bff142b3f47/sre-usecases/02-blue-green-deployment/images/app1-22


--------------------------------------------------------------------------------
/sre-usecases/02-blue-green-deployment/images/aws-lb.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/f5devcentral/f5-bd-sre-demo/6bc0c2d266c3ed9902d8f0c051ba6bff142b3f47/sre-usecases/02-blue-green-deployment/images/aws-lb.png


--------------------------------------------------------------------------------
/sre-usecases/02-blue-green-deployment/images/blue-green:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/f5devcentral/f5-bd-sre-demo/6bc0c2d266c3ed9902d8f0c051ba6bff142b3f47/sre-usecases/02-blue-green-deployment/images/blue-green


--------------------------------------------------------------------------------
/sre-usecases/02-blue-green-deployment/images/blue-green.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/f5devcentral/f5-bd-sre-demo/6bc0c2d266c3ed9902d8f0c051ba6bff142b3f47/sre-usecases/02-blue-green-deployment/images/blue-green.png


--------------------------------------------------------------------------------
/sre-usecases/02-blue-green-deployment/images/blue.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/f5devcentral/f5-bd-sre-demo/6bc0c2d266c3ed9902d8f0c051ba6bff142b3f47/sre-usecases/02-blue-green-deployment/images/blue.png


--------------------------------------------------------------------------------
/sre-usecases/02-blue-green-deployment/images/blue1:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/f5devcentral/f5-bd-sre-demo/6bc0c2d266c3ed9902d8f0c051ba6bff142b3f47/sre-usecases/02-blue-green-deployment/images/blue1


--------------------------------------------------------------------------------
/sre-usecases/02-blue-green-deployment/images/bluegreentopology:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/f5devcentral/f5-bd-sre-demo/6bc0c2d266c3ed9902d8f0c051ba6bff142b3f47/sre-usecases/02-blue-green-deployment/images/bluegreentopology


--------------------------------------------------------------------------------
/sre-usecases/02-blue-green-deployment/images/green.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/f5devcentral/f5-bd-sre-demo/6bc0c2d266c3ed9902d8f0c051ba6bff142b3f47/sre-usecases/02-blue-green-deployment/images/green.png


--------------------------------------------------------------------------------
/sre-usecases/02-blue-green-deployment/images/green1:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/f5devcentral/f5-bd-sre-demo/6bc0c2d266c3ed9902d8f0c051ba6bff142b3f47/sre-usecases/02-blue-green-deployment/images/green1


--------------------------------------------------------------------------------
/sre-usecases/02-blue-green-deployment/images/gslb-pool:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/f5devcentral/f5-bd-sre-demo/6bc0c2d266c3ed9902d8f0c051ba6bff142b3f47/sre-usecases/02-blue-green-deployment/images/gslb-pool


--------------------------------------------------------------------------------
/sre-usecases/02-blue-green-deployment/images/gslb-pool2:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/f5devcentral/f5-bd-sre-demo/6bc0c2d266c3ed9902d8f0c051ba6bff142b3f47/sre-usecases/02-blue-green-deployment/images/gslb-pool2


--------------------------------------------------------------------------------
/sre-usecases/02-blue-green-deployment/images/gslb-pool3:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/f5devcentral/f5-bd-sre-demo/6bc0c2d266c3ed9902d8f0c051ba6bff142b3f47/sre-usecases/02-blue-green-deployment/images/gslb-pool3


--------------------------------------------------------------------------------
/sre-usecases/02-blue-green-deployment/images/gslb-service:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/f5devcentral/f5-bd-sre-demo/6bc0c2d266c3ed9902d8f0c051ba6bff142b3f47/sre-usecases/02-blue-green-deployment/images/gslb-service


--------------------------------------------------------------------------------
/sre-usecases/02-blue-green-deployment/images/map.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/f5devcentral/f5-bd-sre-demo/6bc0c2d266c3ed9902d8f0c051ba6bff142b3f47/sre-usecases/02-blue-green-deployment/images/map.png


--------------------------------------------------------------------------------
/sre-usecases/02-blue-green-deployment/images/topology:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/f5devcentral/f5-bd-sre-demo/6bc0c2d266c3ed9902d8f0c051ba6bff142b3f47/sre-usecases/02-blue-green-deployment/images/topology


--------------------------------------------------------------------------------
/sre-usecases/02-blue-green-deployment/images/topology.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/f5devcentral/f5-bd-sre-demo/6bc0c2d266c3ed9902d8f0c051ba6bff142b3f47/sre-usecases/02-blue-green-deployment/images/topology.png


--------------------------------------------------------------------------------
/sre-usecases/02-blue-green-deployment/images/unmap.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/f5devcentral/f5-bd-sre-demo/6bc0c2d266c3ed9902d8f0c051ba6bff142b3f47/sre-usecases/02-blue-green-deployment/images/unmap.png


--------------------------------------------------------------------------------
/sre-usecases/02-blue-green-deployment/troubleshooting.md:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/f5devcentral/f5-bd-sre-demo/6bc0c2d266c3ed9902d8f0c051ba6bff142b3f47/sre-usecases/02-blue-green-deployment/troubleshooting.md


--------------------------------------------------------------------------------
/sre-usecases/03-observability-for-targeted-canary-with-ELK
/Targeted_Canary-Testing_ELK.mp4:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/f5devcentral/f5-bd-sre-demo/6bc0c2d266c3ed9902d8f0c051ba6bff142b3f47/sre-usecases/03-observability-for-targeted-canary-with-ELK
/Targeted_Canary-Testing_ELK.mp4


--------------------------------------------------------------------------------
/sre-usecases/03-observability-for-targeted-canary-with-ELK
/iRules:
--------------------------------------------------------------------------------
  1 | when CLIENT_ACCEPTED {
  2 |     set timestamp [clock format [clock seconds] -format "%d/%h/%y:%T %Z" ]
  3 | }
  4 | 
  5 | when HTTP_REQUEST {
  6 |     # UUID injection
  7 |     if { [HTTP::cookie x-request-id] == "" } {
  8 |         append s [clock seconds] [IP::local_addr] [IP::client_addr] [expr { int(100000000 * rand()) }] [clock clicks] 
  9 | 
 10 |         set s [md5 $s] 
 11 | 
 12 |         binary scan $s c* s 
 13 |         lset s 8 [expr {([lindex $s 8] & 0x7F) | 0x40}] 
 14 |         lset s 6 [expr {([lindex $s 6] & 0x0F) | 0x40}] 
 15 |         set s [binary format c* $s] 
 16 |         binary scan $s H* s 
 17 | 
 18 |         set myuuid $s
 19 |         unset s 
 20 | 
 21 |         
 22 |         set inject_uuid_cookie 1
 23 |     } else {
 24 | 
 25 |         set myuuid [HTTP::cookie x-request-id]
 26 |         set inject_uuid_cookie 0
 27 |     }
 28 |     
 29 |     set xff_ip "[expr int(rand()*100)].[expr int(rand()*100)].[expr int(rand()*100)].[expr int(rand()*100)]"
 30 | 
 31 |     set hsl [HSL::open -proto UDP -pool pool_elk]
 32 |     set http_request "\"[HTTP::method] [HTTP::uri] HTTP/[HTTP::version]\""
 33 |     set http_request_time [clock clicks -milliseconds]
 34 |     set http_user_agent "\"[HTTP::header User-Agent]]\""
 35 |     set http_host [HTTP::host]
 36 |     set http_username [HTTP::username]
 37 |     set client_ip [IP::remote_addr]
 38 |     set client_port [TCP::remote_port]
 39 |     set http_request_uri [HTTP::uri]
 40 |     set http_method [HTTP::method]
 41 |     set referer "\"[HTTP::header value referer]\""
 42 |     
 43 |     if { [HTTP::uri] contains "test" } {
 44 |         HTTP::header insert "x-request-id" "test-$myuuid"
 45 |     
 46 |     } else {
 47 |         HTTP::header insert "x-request-id" $myuuid
 48 |     }
 49 |     HTTP::header insert "X-Forwarded-For" $xff_ip
 50 | }
 51 | 
 52 | 
 53 | when HTTP_RESPONSE {
 54 | 
 55 |     set syslogtime [clock format [clock seconds] -format "%h %e %H:%M:%S"]
 56 | 
 57 |     set response_time [expr {double([clock clicks -milliseconds] - $http_request_time)/1000}]
 58 | 
 59 |     set virtual [virtual]
 60 |     set content_length 0
 61 |     if { [HTTP::header exists "Content-Length"] } {
 62 |         set content_length \"[HTTP::header "Content-Length"]\"
 63 |     } else {
 64 |         set content_length \"-\"
 65 |     }
 66 |     set lb_server "[LB::server addr]:[LB::server port]"
 67 |     if { [string compare "$lb_server" ""] == 0 } {
 68 |         set lb_server ""
 69 |     }
 70 |     set status_code [HTTP::status]
 71 |     set content_type \"[HTTP::header "Content-type"]\"
 72 | 
 73 |     # construct log for elk, local6.info <182>
 74 |     set log_msg "<182>$syslogtime f5adc tmos: "
 75 |     #set log_msg ""
 76 |     append log_msg "time=\[$timestamp\] "
 77 |     append log_msg "client_ip=$client_ip "
 78 |     append log_msg "virtual=$virtual "
 79 |     append log_msg "client_port=$client_port "
 80 |     append log_msg "xff_ip=$xff_ip "
 81 |     append log_msg "lb_server=$lb_server "
 82 |     
 83 |     append log_msg "http_host=$http_host "
 84 |     append log_msg "http_method=$http_method "
 85 |     append log_msg "http_request_uri=$http_request_uri "
 86 |     
 87 |     append log_msg "status_code=$status_code "
 88 |     append log_msg "content_type=$content_type "
 89 |     append log_msg "content_length=$content_length "
 90 |     
 91 |     append log_msg "response_time=$response_time "
 92 |     append log_msg "referer=$referer "
 93 |     append log_msg "http_user_agent=$http_user_agent "
 94 |     append log_msg "x-request-id=$myuuid "
 95 | 
 96 |     if { $inject_uuid_cookie == 1} {
 97 |         HTTP::cookie insert name x-request-id value $myuuid path "/"
 98 |         set inject_uuid_cookie 0
 99 |     }
100 | 
101 |     # log local2. sending log to elk via log publisher
102 |     #log local2. $log_msg
103 |     HSL::send $hsl $log_msg
104 | 
105 | }
106 | 


--------------------------------------------------------------------------------
/sre-usecases/03-observability-for-targeted-canary-with-ELK
/images/Kibana10_add_panel.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/f5devcentral/f5-bd-sre-demo/6bc0c2d266c3ed9902d8f0c051ba6bff142b3f47/sre-usecases/03-observability-for-targeted-canary-with-ELK
/images/Kibana10_add_panel.png


--------------------------------------------------------------------------------
/sre-usecases/03-observability-for-targeted-canary-with-ELK
/images/Kibana10_dashboard.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/f5devcentral/f5-bd-sre-demo/6bc0c2d266c3ed9902d8f0c051ba6bff142b3f47/sre-usecases/03-observability-for-targeted-canary-with-ELK
/images/Kibana10_dashboard.png


--------------------------------------------------------------------------------
/sre-usecases/03-observability-for-targeted-canary-with-ELK
/images/Kibana10_dashboard_create.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/f5devcentral/f5-bd-sre-demo/6bc0c2d266c3ed9902d8f0c051ba6bff142b3f47/sre-usecases/03-observability-for-targeted-canary-with-ELK
/images/Kibana10_dashboard_create.png


--------------------------------------------------------------------------------
/sre-usecases/03-observability-for-targeted-canary-with-ELK
/images/Kibana10_dashboard_final.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/f5devcentral/f5-bd-sre-demo/6bc0c2d266c3ed9902d8f0c051ba6bff142b3f47/sre-usecases/03-observability-for-targeted-canary-with-ELK
/images/Kibana10_dashboard_final.png


--------------------------------------------------------------------------------
/sre-usecases/03-observability-for-targeted-canary-with-ELK
/images/Kibana10_dashboard_name.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/f5devcentral/f5-bd-sre-demo/6bc0c2d266c3ed9902d8f0c051ba6bff142b3f47/sre-usecases/03-observability-for-targeted-canary-with-ELK
/images/Kibana10_dashboard_name.png


--------------------------------------------------------------------------------
/sre-usecases/03-observability-for-targeted-canary-with-ELK
/images/Kibana10_dashboard_save.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/f5devcentral/f5-bd-sre-demo/6bc0c2d266c3ed9902d8f0c051ba6bff142b3f47/sre-usecases/03-observability-for-targeted-canary-with-ELK
/images/Kibana10_dashboard_save.png


--------------------------------------------------------------------------------
/sre-usecases/03-observability-for-targeted-canary-with-ELK
/images/Kibana10_select_panel.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/f5devcentral/f5-bd-sre-demo/6bc0c2d266c3ed9902d8f0c051ba6bff142b3f47/sre-usecases/03-observability-for-targeted-canary-with-ELK
/images/Kibana10_select_panel.png


--------------------------------------------------------------------------------
/sre-usecases/03-observability-for-targeted-canary-with-ELK
/images/Kibana11_dashboard_refresh.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/f5devcentral/f5-bd-sre-demo/6bc0c2d266c3ed9902d8f0c051ba6bff142b3f47/sre-usecases/03-observability-for-targeted-canary-with-ELK
/images/Kibana11_dashboard_refresh.png


--------------------------------------------------------------------------------
/sre-usecases/03-observability-for-targeted-canary-with-ELK
/images/Kibana11_dashboard_update.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/f5devcentral/f5-bd-sre-demo/6bc0c2d266c3ed9902d8f0c051ba6bff142b3f47/sre-usecases/03-observability-for-targeted-canary-with-ELK
/images/Kibana11_dashboard_update.png


--------------------------------------------------------------------------------
/sre-usecases/03-observability-for-targeted-canary-with-ELK
/images/Kibana11_move_dashboard.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/f5devcentral/f5-bd-sre-demo/6bc0c2d266c3ed9902d8f0c051ba6bff142b3f47/sre-usecases/03-observability-for-targeted-canary-with-ELK
/images/Kibana11_move_dashboard.png


--------------------------------------------------------------------------------
/sre-usecases/03-observability-for-targeted-canary-with-ELK
/images/Kibana1_main.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/f5devcentral/f5-bd-sre-demo/6bc0c2d266c3ed9902d8f0c051ba6bff142b3f47/sre-usecases/03-observability-for-targeted-canary-with-ELK
/images/Kibana1_main.png


--------------------------------------------------------------------------------
/sre-usecases/03-observability-for-targeted-canary-with-ELK
/images/Kibana2_management.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/f5devcentral/f5-bd-sre-demo/6bc0c2d266c3ed9902d8f0c051ba6bff142b3f47/sre-usecases/03-observability-for-targeted-canary-with-ELK
/images/Kibana2_management.png


--------------------------------------------------------------------------------
/sre-usecases/03-observability-for-targeted-canary-with-ELK
/images/Kibana3_management_detail.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/f5devcentral/f5-bd-sre-demo/6bc0c2d266c3ed9902d8f0c051ba6bff142b3f47/sre-usecases/03-observability-for-targeted-canary-with-ELK
/images/Kibana3_management_detail.png


--------------------------------------------------------------------------------
/sre-usecases/03-observability-for-targeted-canary-with-ELK
/images/Kibana4_index_management.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/f5devcentral/f5-bd-sre-demo/6bc0c2d266c3ed9902d8f0c051ba6bff142b3f47/sre-usecases/03-observability-for-targeted-canary-with-ELK
/images/Kibana4_index_management.png


--------------------------------------------------------------------------------
/sre-usecases/03-observability-for-targeted-canary-with-ELK
/images/Kibana5_visualize.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/f5devcentral/f5-bd-sre-demo/6bc0c2d266c3ed9902d8f0c051ba6bff142b3f47/sre-usecases/03-observability-for-targeted-canary-with-ELK
/images/Kibana5_visualize.png


--------------------------------------------------------------------------------
/sre-usecases/03-observability-for-targeted-canary-with-ELK
/images/Kibana6_create.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/f5devcentral/f5-bd-sre-demo/6bc0c2d266c3ed9902d8f0c051ba6bff142b3f47/sre-usecases/03-observability-for-targeted-canary-with-ELK
/images/Kibana6_create.png


--------------------------------------------------------------------------------
/sre-usecases/03-observability-for-targeted-canary-with-ELK
/images/Kibana7_source.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/f5devcentral/f5-bd-sre-demo/6bc0c2d266c3ed9902d8f0c051ba6bff142b3f47/sre-usecases/03-observability-for-targeted-canary-with-ELK
/images/Kibana7_source.png


--------------------------------------------------------------------------------
/sre-usecases/03-observability-for-targeted-canary-with-ELK
/images/Kibana8_Buckets.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/f5devcentral/f5-bd-sre-demo/6bc0c2d266c3ed9902d8f0c051ba6bff142b3f47/sre-usecases/03-observability-for-targeted-canary-with-ELK
/images/Kibana8_Buckets.png


--------------------------------------------------------------------------------
/sre-usecases/03-observability-for-targeted-canary-with-ELK
/images/Kibana8_Metrics.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/f5devcentral/f5-bd-sre-demo/6bc0c2d266c3ed9902d8f0c051ba6bff142b3f47/sre-usecases/03-observability-for-targeted-canary-with-ELK
/images/Kibana8_Metrics.png


--------------------------------------------------------------------------------
/sre-usecases/03-observability-for-targeted-canary-with-ELK
/images/Kibana9_apply_save.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/f5devcentral/f5-bd-sre-demo/6bc0c2d266c3ed9902d8f0c051ba6bff142b3f47/sre-usecases/03-observability-for-targeted-canary-with-ELK
/images/Kibana9_apply_save.png


--------------------------------------------------------------------------------
/sre-usecases/03-observability-for-targeted-canary-with-ELK
/images/Kibana9_save_name.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/f5devcentral/f5-bd-sre-demo/6bc0c2d266c3ed9902d8f0c051ba6bff142b3f47/sre-usecases/03-observability-for-targeted-canary-with-ELK
/images/Kibana9_save_name.png


--------------------------------------------------------------------------------
/sre-usecases/03-observability-for-targeted-canary-with-ELK
/images/elk_bigip.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/f5devcentral/f5-bd-sre-demo/6bc0c2d266c3ed9902d8f0c051ba6bff142b3f47/sre-usecases/03-observability-for-targeted-canary-with-ELK
/images/elk_bigip.png


--------------------------------------------------------------------------------
/sre-usecases/03-observability-for-targeted-canary-with-ELK
/images/elk_default_pool.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/f5devcentral/f5-bd-sre-demo/6bc0c2d266c3ed9902d8f0c051ba6bff142b3f47/sre-usecases/03-observability-for-targeted-canary-with-ELK
/images/elk_default_pool.png


--------------------------------------------------------------------------------
/sre-usecases/03-observability-for-targeted-canary-with-ELK
/images/elk_dot.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/f5devcentral/f5-bd-sre-demo/6bc0c2d266c3ed9902d8f0c051ba6bff142b3f47/sre-usecases/03-observability-for-targeted-canary-with-ELK
/images/elk_dot.png


--------------------------------------------------------------------------------
/sre-usecases/03-observability-for-targeted-canary-with-ELK
/images/elk_log.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/f5devcentral/f5-bd-sre-demo/6bc0c2d266c3ed9902d8f0c051ba6bff142b3f47/sre-usecases/03-observability-for-targeted-canary-with-ELK
/images/elk_log.png


--------------------------------------------------------------------------------
/sre-usecases/03-observability-for-targeted-canary-with-ELK
/images/elk_map.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/f5devcentral/f5-bd-sre-demo/6bc0c2d266c3ed9902d8f0c051ba6bff142b3f47/sre-usecases/03-observability-for-targeted-canary-with-ELK
/images/elk_map.png


--------------------------------------------------------------------------------
/sre-usecases/03-observability-for-targeted-canary-with-ELK
/images/elk_pool.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/f5devcentral/f5-bd-sre-demo/6bc0c2d266c3ed9902d8f0c051ba6bff142b3f47/sre-usecases/03-observability-for-targeted-canary-with-ELK
/images/elk_pool.png


--------------------------------------------------------------------------------
/sre-usecases/03-observability-for-targeted-canary-with-ELK
/images/elk_pool_member.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/f5devcentral/f5-bd-sre-demo/6bc0c2d266c3ed9902d8f0c051ba6bff142b3f47/sre-usecases/03-observability-for-targeted-canary-with-ELK
/images/elk_pool_member.png


--------------------------------------------------------------------------------
/sre-usecases/03-observability-for-targeted-canary-with-ELK
/images/elk_response.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/f5devcentral/f5-bd-sre-demo/6bc0c2d266c3ed9902d8f0c051ba6bff142b3f47/sre-usecases/03-observability-for-targeted-canary-with-ELK
/images/elk_response.png


--------------------------------------------------------------------------------
/sre-usecases/03-observability-for-targeted-canary-with-ELK
/images/elk_topology.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/f5devcentral/f5-bd-sre-demo/6bc0c2d266c3ed9902d8f0c051ba6bff142b3f47/sre-usecases/03-observability-for-targeted-canary-with-ELK
/images/elk_topology.png


--------------------------------------------------------------------------------
/sre-usecases/03-observability-for-targeted-canary-with-ELK
/images/elk_vip.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/f5devcentral/f5-bd-sre-demo/6bc0c2d266c3ed9902d8f0c051ba6bff142b3f47/sre-usecases/03-observability-for-targeted-canary-with-ELK
/images/elk_vip.png


--------------------------------------------------------------------------------
/sre-usecases/03-observability-for-targeted-canary-with-ELK
/logstash.conf:
--------------------------------------------------------------------------------
 1 | input {
 2 |     udp {
 3 |         port => "8514"
 4 |         type => "f5-hsl"
 5 |     }
 6 |     syslog {
 7 |                 port => "8516"
 8 |                 type => "f5-nginx-access"
 9 |     }
10 | 
11 | }
12 | 
13 | filter {
14 |     if [type] == "f5-hsl" {
15 |         grok {
16 |             match => { "message" => "request_time=\[%{HTTPDATE:request_time}\] virtual=%{DATA:virtual} client_ip=%{IP:client_ip} client_port=%{NUMBER:client_port} xff_ip=%{IP:xff_ip} lb_server=%{DATA:lb_server} http_host=%{HOSTNAME:http_host} http_method=%{WORD:http_method} http_request_uri=%{DATA:http_request_uri} status_code=%{NUMBER:status_code:int} content_type=%{QS:content_type} content_length=%{QS:content_length} response_time=%{NUMBER:response_time:int} referer=%{QS:referer} http_user_agent=%{QS:http_user_agent} x-request-id=%{WORD:x-request-id}?"}
17 | }
18 |        geoip {
19 |                 source => xff_ip
20 |                 database => "/etc/logstash/GeoLite2-City.mmdb"
21 |         }
22 | 
23 |     }
24 | 
25 |     if [type] == "f5-nginx-access" {
26 |         grok {
27 |             match => { "message" => "time=\[%{HTTPDATE:request_time}\] client_ip=%{IP:client_ip} virtual=%{DATA:virtual} client_port=%{NUMBER:client_port} xff_ip=%{IP:xff_ip} lb_server=%{DATA:lb_server} http_host=%{HOSTNAME:http_host} http_method=%{WORD:http_method} http_request_uri=%{DATA:http_request_uri} status_code=%{NUMBER:status_code} content_type=%{QS:content_type} content_length=%{QS:content_length} response_time=%{NUMBER:response_time} referer=%{QS:referer} http_user_agent=%{QS:http_user_agent} x-request-id=%{WORD:x-request-id}?"}
28 |                 }
29 |                 ruby {
30 |                         code => "event.set('response_time_ms', event.get('response_time').to_f * 1000)"
31 |                 }
32 |         geoip {
33 |                 source => xff_ip
34 |                 database => "/etc/logstash/GeoLite2-City.mmdb"
35 |                 }
36 |         }
37 | }
38 | 
39 | output {
40 |     if [type] == "f5-hsl" {
41 |         elasticsearch {
42 |                 hosts => ["127.0.0.1:9200"]
43 |                 index => "logstash-f5-hsl"
44 |         }
45 |     }
46 |     if [type] == "f5-nginx-access" {
47 |         elasticsearch {
48 |                 hosts => ["127.0.0.1:9200"]
49 |                 index => "logstash-f5-nginx-access"
50 |         }
51 |     }
52 | 


--------------------------------------------------------------------------------
/sre-usecases/03-observability-for-targeted-canary-with-ELK
/traffic_generator.sh:
--------------------------------------------------------------------------------
 1 | #!/bin/bash
 2 | 
 3 | while [ 1 ]
 4 | do
 5 |         UserAgent=('Mozilla/5.0' 'AppleWebKit/537.36' 'Chrome/75.0.3770.142' 'Safari/537.36' 'Mozilla/5.5 Gecko' 'Firefox/40.0' 'Internet Explorer' 'Mozilla/5.0' 'AppleWebKit/605.1.15' 'Safari/604.1' 'Mozilla/5.3' 'AppleWebKit/537.36' 'Chrome/62.0' 'Mobile Safari/537.36' 'Opera 2.0' )
 6 | 
 7 |         seed=`echo "$(od -An -N4 -tu4 /dev/urandom) % 6" | bc`
 8 |         ua=${UserAgent[`echo "$seed % 4" | bc`]}
 9 | 
10 |         curl -k -H "user-agent: $ua" https://bookinfo.example.com
11 |         curl -k -H "user-agent: $ua" https://bookinfo.example.com/productpage
12 |         curl -k -H "user-agent: $ua" https://bookinfo.example.com/productpage?u=normal 
13 |         curl -k -H "user-agent: $ua" https://bookinfo.example.com/productpage?u=test
14 |         sleep 2
15 | done
16 | 


--------------------------------------------------------------------------------
/sre-usecases/05-north_south_protection/images/a:
--------------------------------------------------------------------------------
1 | 
2 | 


--------------------------------------------------------------------------------
/sre-usecases/05-north_south_protection/images/sre_usecase01-1.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/f5devcentral/f5-bd-sre-demo/6bc0c2d266c3ed9902d8f0c051ba6bff142b3f47/sre-usecases/05-north_south_protection/images/sre_usecase01-1.png


--------------------------------------------------------------------------------
/sre-usecases/05-north_south_protection/images/sre_usecase01-2.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/f5devcentral/f5-bd-sre-demo/6bc0c2d266c3ed9902d8f0c051ba6bff142b3f47/sre-usecases/05-north_south_protection/images/sre_usecase01-2.png


--------------------------------------------------------------------------------
/sre-usecases/05-north_south_protection/images/sre_usecase01_attack_01.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/f5devcentral/f5-bd-sre-demo/6bc0c2d266c3ed9902d8f0c051ba6bff142b3f47/sre-usecases/05-north_south_protection/images/sre_usecase01_attack_01.png


--------------------------------------------------------------------------------
/sre-usecases/05-north_south_protection/images/sre_usecase01_attack_02.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/f5devcentral/f5-bd-sre-demo/6bc0c2d266c3ed9902d8f0c051ba6bff142b3f47/sre-usecases/05-north_south_protection/images/sre_usecase01_attack_02.png


--------------------------------------------------------------------------------
/sre-usecases/05-north_south_protection/images/sre_usecase01_attack_03.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/f5devcentral/f5-bd-sre-demo/6bc0c2d266c3ed9902d8f0c051ba6bff142b3f47/sre-usecases/05-north_south_protection/images/sre_usecase01_attack_03.png


--------------------------------------------------------------------------------
/sre-usecases/05-north_south_protection/images/sre_usecase01_attack_04.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/f5devcentral/f5-bd-sre-demo/6bc0c2d266c3ed9902d8f0c051ba6bff142b3f47/sre-usecases/05-north_south_protection/images/sre_usecase01_attack_04.png


--------------------------------------------------------------------------------
/sre-usecases/05-north_south_protection/images/sre_usecase01_attack_05.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/f5devcentral/f5-bd-sre-demo/6bc0c2d266c3ed9902d8f0c051ba6bff142b3f47/sre-usecases/05-north_south_protection/images/sre_usecase01_attack_05.png


--------------------------------------------------------------------------------
/sre-usecases/05-north_south_protection/images/sre_usecase01_attack_06.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/f5devcentral/f5-bd-sre-demo/6bc0c2d266c3ed9902d8f0c051ba6bff142b3f47/sre-usecases/05-north_south_protection/images/sre_usecase01_attack_06.png


--------------------------------------------------------------------------------
/sre-usecases/05-north_south_protection/images/sre_usecase01_awaf_1.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/f5devcentral/f5-bd-sre-demo/6bc0c2d266c3ed9902d8f0c051ba6bff142b3f47/sre-usecases/05-north_south_protection/images/sre_usecase01_awaf_1.png


--------------------------------------------------------------------------------
/sre-usecases/05-north_south_protection/images/sre_usecase01_awaf_2.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/f5devcentral/f5-bd-sre-demo/6bc0c2d266c3ed9902d8f0c051ba6bff142b3f47/sre-usecases/05-north_south_protection/images/sre_usecase01_awaf_2.png


--------------------------------------------------------------------------------
/sre-usecases/05-north_south_protection/images/sre_usecase01_awaf_3.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/f5devcentral/f5-bd-sre-demo/6bc0c2d266c3ed9902d8f0c051ba6bff142b3f47/sre-usecases/05-north_south_protection/images/sre_usecase01_awaf_3.png


--------------------------------------------------------------------------------
/sre-usecases/05-north_south_protection/images/sre_usecase01_awaf_4.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/f5devcentral/f5-bd-sre-demo/6bc0c2d266c3ed9902d8f0c051ba6bff142b3f47/sre-usecases/05-north_south_protection/images/sre_usecase01_awaf_4.png


--------------------------------------------------------------------------------
/sre-usecases/05-north_south_protection/images/sre_usecase01_awaf_5.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/f5devcentral/f5-bd-sre-demo/6bc0c2d266c3ed9902d8f0c051ba6bff142b3f47/sre-usecases/05-north_south_protection/images/sre_usecase01_awaf_5.png


--------------------------------------------------------------------------------
/sre-usecases/05-north_south_protection/images/sre_usecase01_awaf_6.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/f5devcentral/f5-bd-sre-demo/6bc0c2d266c3ed9902d8f0c051ba6bff142b3f47/sre-usecases/05-north_south_protection/images/sre_usecase01_awaf_6.png


--------------------------------------------------------------------------------
/sre-usecases/05-north_south_protection/images/sre_usecase01_awaf_7.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/f5devcentral/f5-bd-sre-demo/6bc0c2d266c3ed9902d8f0c051ba6bff142b3f47/sre-usecases/05-north_south_protection/images/sre_usecase01_awaf_7.png


--------------------------------------------------------------------------------
/sre-usecases/05-north_south_protection/images/sre_usecase01_elk.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/f5devcentral/f5-bd-sre-demo/6bc0c2d266c3ed9902d8f0c051ba6bff142b3f47/sre-usecases/05-north_south_protection/images/sre_usecase01_elk.png


--------------------------------------------------------------------------------
/sre-usecases/05-north_south_protection/images/sre_usecase01_elk_02.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/f5devcentral/f5-bd-sre-demo/6bc0c2d266c3ed9902d8f0c051ba6bff142b3f47/sre-usecases/05-north_south_protection/images/sre_usecase01_elk_02.png


--------------------------------------------------------------------------------
/sre-usecases/05-north_south_protection/images/sre_usecase01_elk_03.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/f5devcentral/f5-bd-sre-demo/6bc0c2d266c3ed9902d8f0c051ba6bff142b3f47/sre-usecases/05-north_south_protection/images/sre_usecase01_elk_03.png


--------------------------------------------------------------------------------
/sre-usecases/05-north_south_protection/scripts/dvwa-nap-config.yaml:
--------------------------------------------------------------------------------
  1 | ##################################################################################################
  2 | # Configmap DVWA01
  3 | ##################################################################################################
  4 | apiVersion: v1
  5 | kind: ConfigMap
  6 | metadata:
  7 |   name: dvwa01-conf
  8 | data:
  9 |   nginx_sre.conf: | 
 10 |    
 11 |    upstream dvwa01 {
 12 |        server 127.0.0.1:80;	       
 13 |    }
 14 |  
 15 |     server {
 16 |        listen 8080;
 17 |        server_name dvwa01-http;
 18 |        proxy_http_version 1.1;
 19 |        
 20 |        real_ip_header X-Forwarded-For;     
 21 |        set_real_ip_from 0.0.0.0/0;
 22 |     
 23 |        app_protect_enable on;
 24 |        app_protect_security_log_enable on;
 25 |        app_protect_policy_file "/etc/nginx/NginxSRELabPolicy.json";
 26 |        app_protect_security_log "/etc/app_protect/conf/log_default.json" syslog:server=52.187.13.8:5003;
 27 | 
 28 |        location / {
 29 |            client_max_body_size 0;
 30 |            default_type text/html;
 31 |            proxy_pass http://dvwa01;
 32 |            proxy_set_header Host $host;
 33 |        }
 34 |    }
 35 |   NginxSRELabPolicy.json: |
 36 |     {
 37 |       "policy": {
 38 |         "name": "SRE_DVWA01_POLICY",
 39 |         "template": { "name": "POLICY_TEMPLATE_NGINX_BASE" },
 40 |         "applicationLanguage": "utf-8",
 41 |         "enforcementMode": "blocking",
 42 |         "response-pages": [
 43 |             {
 44 |                 "responseContent": "<html><head><title>SRE DevSecOps - DVWA01 - Blocking Page</title></head><body><font color=green size=10>NGINX App Protect Blocking Page - DVWA01 Server</font><br><br>Please consult with your administrator.<br><br>Your support ID is: <%TS.request.ID()%><br><br><a href='javascript:history.back();'>[Go Back]</a></body></html>",
 45 |                 "responseHeader": "HTTP/1.1 302 OK\\r\\nCache-Control: no-cache\\r\\nPragma: no-cache\\r\\nConnection: close",
 46 |                 "responseActionType": "custom",
 47 |                 "responsePageType": "default"
 48 |             }
 49 |         ],
 50 |         "blocking-settings": {
 51 |             "violations": [
 52 |                 {
 53 |                     "name": "VIOL_FILETYPE",
 54 |                     "alarm": true,
 55 |                     "block": true
 56 |                 }
 57 |             ]
 58 |         },
 59 |         "filetypes": [
 60 |             {
 61 |                 "name": "*",
 62 |                 "type": "wildcard",
 63 |                 "allowed": true,
 64 |                 "checkPostDataLength": false,
 65 |                 "postDataLength": 4096,
 66 |                 "checkRequestLength": false,
 67 |                 "requestLength": 8192,
 68 |                 "checkUrlLength": true,
 69 |                 "urlLength": 2048,
 70 |                 "checkQueryStringLength": true,
 71 |                 "queryStringLength": 2048,
 72 |                 "responseCheck": false
 73 |             },
 74 |             {
 75 |                 "name": "pdf",
 76 |                 "allowed": false
 77 |             }
 78 |         ]
 79 |     }
 80 |     }
 81 | ---
 82 | ##################################################################################################
 83 | # Configmap DVWA02
 84 | ##################################################################################################
 85 | apiVersion: v1
 86 | kind: ConfigMap
 87 | metadata:
 88 |   name: dvwa02-conf
 89 | data:
 90 |   nginx_sre.conf: | 
 91 |    
 92 |    upstream dvwa02 {
 93 |        server 127.0.0.1:80;	       
 94 |    }
 95 |  
 96 |     server {
 97 |        listen 8080;
 98 |        server_name dvwa02-http;
 99 |        proxy_http_version 1.1;
100 |        
101 |        real_ip_header X-Forwarded-For;     
102 |        set_real_ip_from 0.0.0.0/0;
103 |     
104 |        app_protect_enable on;
105 |        app_protect_security_log_enable on;
106 |        app_protect_policy_file "/etc/nginx/NginxSRELabPolicy.json";
107 |        app_protect_security_log "/etc/app_protect/conf/log_default.json" syslog:server=52.187.13.8:5003;
108 | 
109 |        location / {
110 |            client_max_body_size 0;
111 |            default_type text/html;
112 |            proxy_pass http://dvwa02;
113 |            proxy_set_header Host $host;
114 |        }
115 |    }
116 |   NginxSRELabPolicy.json: |
117 |     {
118 |       "policy": {
119 |         "name": "SRE_DVWA02_POLICY",
120 |         "template": { "name": "POLICY_TEMPLATE_NGINX_BASE" },
121 |         "applicationLanguage": "utf-8",
122 |         "enforcementMode": "blocking",
123 |         "response-pages": [
124 |             {
125 |                 "responseContent": "<html><head><title>SRE DevSecOps - DVWA02 - Blocking Page</title></head><body><font color=green size=10>NGINX App Protect Blocking Page - DVWA02 Server</font><br><br>Please consult with your administrator.<br><br>Your support ID is: <%TS.request.ID()%><br><br><a href='javascript:history.back();'>[Go Back]</a></body></html>",
126 |                 "responseHeader": "HTTP/1.1 302 OK\\r\\nCache-Control: no-cache\\r\\nPragma: no-cache\\r\\nConnection: close",
127 |                 "responseActionType": "custom",
128 |                 "responsePageType": "default"
129 |             }
130 |         ],
131 |         "blocking-settings": {
132 |             "violations": [
133 |                 {
134 |                     "name": "VIOL_FILETYPE",
135 |                     "alarm": true,
136 |                     "block": true
137 |                 }
138 |             ]
139 |         },
140 |         "filetypes": [
141 |             {
142 |                 "name": "*",
143 |                 "type": "wildcard",
144 |                 "allowed": true,
145 |                 "checkPostDataLength": false,
146 |                 "postDataLength": 4096,
147 |                 "checkRequestLength": false,
148 |                 "requestLength": 8192,
149 |                 "checkUrlLength": true,
150 |                 "urlLength": 2048,
151 |                 "checkQueryStringLength": true,
152 |                 "queryStringLength": 2048,
153 |                 "responseCheck": false
154 |             },
155 |             {
156 |                 "name": "jpg",
157 |                 "allowed": false
158 |             }
159 |         ]
160 |     }
161 |     }
162 | ---
163 | 


--------------------------------------------------------------------------------
/sre-usecases/05-north_south_protection/scripts/dvwa-nap-deployment.yaml:
--------------------------------------------------------------------------------
  1 | ##################################################################################################
  2 | # DVWA App01
  3 | ##################################################################################################
  4 | apiVersion: v1
  5 | kind: Service
  6 | metadata:
  7 |   name: dvwa01
  8 |   labels:
  9 |     app: dvwa01
 10 |     service: dvwa01
 11 | spec:
 12 |   ports:
 13 |   - port: 8080
 14 |     targetPort: 8080
 15 |     name: http
 16 |   selector:
 17 |     app: dvwa01
 18 | ---
 19 | apiVersion: apps/v1
 20 | kind: Deployment
 21 | metadata:
 22 |   name: dvwa01-v1
 23 |   labels:
 24 |     app: dvwa01
 25 |     version: v1
 26 | spec:
 27 |   replicas: 1
 28 |   selector:
 29 |     matchLabels:
 30 |       app: dvwa01
 31 |       version: v1
 32 |   template:
 33 |     metadata:
 34 |       labels:
 35 |         app: dvwa01
 36 |         version: v1
 37 |     spec:
 38 |       containers:
 39 |       - env:
 40 |         - name: TZ
 41 |           value: UTC
 42 |         name: nginx01
 43 |         image: network1211/jameslee:latest
 44 |         volumeMounts:
 45 |         - name: config-volume
 46 |           mountPath: /etc/nginx/conf.d/nginx_sre.conf
 47 |           subPath: nginx_sre.conf
 48 |         - name: config-volume
 49 |           mountPath: /etc/nginx/NginxSRELabPolicy.json
 50 |           subPath: NginxSRELabPolicy.json
 51 |       - env:
 52 |         - name: TZ
 53 |           value: UTC
 54 |         name: dvwa01
 55 |         image: network1211/dvwa01:2.0
 56 |         imagePullPolicy: IfNotPresent
 57 |         ports:
 58 |         - containerPort: 80
 59 |       volumes:
 60 |       - name: config-volume
 61 |         configMap:
 62 |           name: dvwa01-conf
 63 | ---
 64 | ##################################################################################################
 65 | # DVWA App02
 66 | ##################################################################################################
 67 | apiVersion: v1
 68 | kind: Service
 69 | metadata:
 70 |   name: dvwa02
 71 |   labels:
 72 |     app: dvwa02
 73 |     service: dvwa02
 74 | spec:
 75 |   ports:
 76 |   - port: 8080
 77 |     targetPort: 8080
 78 |     name: http
 79 |   selector:
 80 |     app: dvwa02
 81 | ---
 82 | apiVersion: apps/v1
 83 | kind: Deployment
 84 | metadata:
 85 |   name: dvwa02-v1
 86 |   labels:
 87 |     app: dvwa02
 88 |     version: v1
 89 | spec:
 90 |   replicas: 1
 91 |   selector:
 92 |     matchLabels:
 93 |       app: dvwa02
 94 |       version: v1
 95 |   template:
 96 |     metadata:
 97 |       labels:
 98 |         app: dvwa02
 99 |         version: v1
100 |     spec:
101 |       containers:
102 |       - env:
103 |         - name: TZ
104 |           value: UTC
105 |         name: nginx02
106 |         image: network1211/jameslee:latest
107 |         volumeMounts:
108 |         - name: config-volume
109 |           mountPath: /etc/nginx/conf.d/nginx_sre.conf
110 |           subPath: nginx_sre.conf
111 |         - name: config-volume
112 |           mountPath: /etc/nginx/NginxSRELabPolicy.json
113 |           subPath: NginxSRELabPolicy.json
114 |       - env:
115 |         - name: TZ
116 |           value: UTC
117 |         name: dvwa02
118 |         image: network1211/dvwa02:2.0
119 |         imagePullPolicy: IfNotPresent
120 |         ports:
121 |         - containerPort: 80
122 |       volumes:
123 |       - name: config-volume
124 |         configMap:
125 |           name: dvwa02-conf
126 | 


--------------------------------------------------------------------------------
/sre-usecases/05-north_south_protection/scripts/dvwa-route-nap.yaml:
--------------------------------------------------------------------------------
 1 | ##################################################################################################
 2 | # DVWA01 Route
 3 | ##################################################################################################
 4 | apiVersion: v1
 5 | kind: Route
 6 | metadata:
 7 |     labels:
 8 |       name: f5-dvwa01-route
 9 |     name: f5-dvwa01-route
10 |     namespace: devsecops
11 |     annotations:
12 |       # health monitor
13 |       virtual-server.f5.com/health: |
14 |         [
15 |           {
16 |             "path": "dvwa01.devsecops.com/",
17 |             "send": "",
18 |             "protocol": "tcp",
19 |             "interval": 10,
20 |             "timeout": 20
21 |           }
22 |         ]
23 | spec:
24 |     host: dvwa01.devsecops.com
25 |     path: "/"
26 |     port:
27 |       targetPort: 8080
28 |     to:
29 |       kind: Service
30 |       name: dvwa01
31 | ---
32 | ##################################################################################################
33 | # DVWA02 Route
34 | ##################################################################################################
35 | apiVersion: v1
36 | kind: Route
37 | metadata:
38 |     labels:
39 |       name: f5-dvwa02-route
40 |     name: f5-dvwa02-route
41 |     namespace: devsecops
42 |     annotations:
43 |       # health monitor
44 |       virtual-server.f5.com/health: |
45 |         [
46 |           {
47 |             "path": "dvwa02.devsecops.com/",
48 |             "send": "",
49 |             "protocol": "tcp",
50 |             "interval": 10,
51 |             "timeout": 20
52 |           }
53 |         ]
54 | spec:
55 |     host: dvwa02.devsecops.com
56 |     path: "/"
57 |     port:
58 |       targetPort: 8080
59 |     to:
60 |       kind: Service
61 |       name: dvwa02
62 | 


--------------------------------------------------------------------------------
/sre-usecases/05-north_south_protection/scripts/logstash.conf:
--------------------------------------------------------------------------------
 1 | input {
 2 |     syslog {
 3 |         port => 5003
 4 |         type => f5elk
 5 |         }
 6 | }
 7 | 
 8 | filter {
 9 | if [type] == "f5elk" {
10 |         
11 |         grok {
12 |             match => {
13 |                 "message" => [
14 |                 ",attack_type=\"%{DATA:attack_type}\"",
15 |                 ",blocking_exception_reason=\"%{DATA:blocking_exception_reason}\"",
16 |                 ",date_time=\"%{DATA:date_time}\"",
17 |                 ",dest_port=\"%{DATA:dest_port}\"",
18 |                 ",ip_client=\"%{DATA:ip_client}\"",
19 |                 ",is_truncated=\"%{DATA:is_truncated}\"",
20 |                 ",method=\"%{DATA:method}\"",
21 |                 ",policy_name=\"%{DATA:policy_name}\"",
22 |                 ",protocol=\"%{DATA:protocol}\"",
23 |                 ",request_status=\"%{DATA:request_status}\"",
24 |                 ",response_code=\"%{DATA:response_code}\"",
25 |                 ",severity=\"%{DATA:severity}\"",
26 |                 ",sig_cves=\"%{DATA:sig_cves}\"",
27 |                 ",sig_ids=\"%{DATA:sig_ids}\"",
28 |                 ",sig_names=\"%{DATA:sig_names}\"",
29 |                 ",sig_set_names=\"%{DATA:sig_set_names}\"",
30 |                 ",src_port=\"%{DATA:src_port}\"",
31 |                 ",sub_violations=\"%{DATA:sub_violations}\"",
32 |                 ",support_id=\"%{DATA:support_id}\"",
33 |                 ",unit_hostname=\"%{DATA:unit_hostname}\"",
34 |                 ",uri=\"%{DATA:uri}\"",
35 |                 ",violation_rating=\"%{DATA:violation_rating}\"",
36 |                 ",vs_name=\"%{DATA:vs_name}\"",
37 |                 ",x_forwarded_for_header_value=\"%{DATA:x_forwarded_for_header_value}\"",
38 |                 ",outcome=\"%{DATA:outcome}\"",
39 |                 ",outcome_reason=\"%{DATA:outcome_reason}\"",
40 |                 ",violations=\"%{DATA:violations}\"",
41 |                 ",violation_details=\"%{DATA:violation_details}\"",
42 |                 ",request=\"%{DATA:request}\""
43 |                 ]
44 |         }
45 |     break_on_match => false
46 |   }
47 |   
48 |         mutate {
49 |         split => { "attack_type" => "," }
50 |         split => { "sig_ids" => "," }
51 |         split => { "sig_names" => "," }
52 |         split => { "sig_cves" => "," }
53 |         split => { "staged_sig_ids" => "," }
54 |         split => { "staged_sig_names" => "," }
55 |         split => { "staged_sig_cves" => "," }
56 |         split => { "sig_set_names" => "," }
57 |         split => { "threat_campaign_names" => "," }
58 |         split => { "staged_threat_campaign_names" => "," }
59 |         split => { "violations" => "," }
60 |         split => { "sub_violations" => "," }
61 |   
62 |         remove_field => [ "date_time", "message" ]
63 |         }
64 | 
65 |         if [x_forwarded_for_header_value] != "N/A" {
66 |                 mutate { add_field => { "source_host" => "%{x_forwarded_for_header_value}"}}
67 |                 } else {
68 |                         mutate { add_field => { "source_host" => "%{ip_client}"}}
69 |                 }
70 |   
71 |    geoip {
72 |     source => "source_host"
73 |     database => "/etc/logstash/GeoLite2-City.mmdb"
74 | }
75 | }
76 | }
77 | 
78 | output {
79 | if [type] == 'f5elk' {
80 |          elasticsearch {
81 |                 hosts => ["127.0.0.1:9200"]
82 |                 index => "f5elk-%{+YYYY.MM.dd}"
83 |         }
84 | }
85 | }
86 | 


--------------------------------------------------------------------------------
/sre-usecases/06-east_west_attack/README.md:
--------------------------------------------------------------------------------
 1 | # Getting Started
 2 | 
 3 | ## Summary
 4 | In a typical data center security design, advanced application security solutions are deployed at the edge of a Kubernetes or OpenShift environment. 
 5 | With F5 CIS integration, edge WAF could get a certain level of visibility for the specific pod inside Kubernetes or OpenShift cluster. 
 6 | But it is still can not stop the attack within the cluster.  To overcome this challenge, 'NAP(NGINX App Protect)' could be deployed as a POD or service proxy in Kubernetes or OpenShift cluster. 
 7 | The NAP(NGINX App Protect) delivers Layer 7 visibility and granular control for the applications while enabling the advanced level of the application security policies. 
 8 | With NAP deployment, DevSecOps can ensure only legitimate traffic allowed while all other unwanted traffics blocked. 
 9 | The NAP can monitor the traffic traversing namespace boundaries between pods and provide the advanced application protection at the layer-7 level for East-West traffic. 
10 | 
11 | ## Prerequisites
12 | - ELK(Elasticsearch, Logstash, Kibana) installed (required Platinum or Trial license)
13 | - Ansible installed on the same server with ELK
14 | - Evaluation license of NAP(NGINX App Protect)
15 | - You can request the evaluation license of the NGINX App Protect in [here](https://www.nginx.com/free-trial-request/).
16 | - Minimum 1 x OCP cluster installed.
17 | - You have to prepare two laptops - one for OCP admin console, one for dev_user console(infected machine)
18 | 
19 | ## Use-Case Scenario
20 | 1. The malware of 'Phishing email' infects the developer's laptop. 
21 | 2. Attacker steals the ID/PW of the developer using the malware. In this demo, the stolen ID is 'dev_user.' 
22 | 3. Attacker login the 'Test App' on the 'dev-test01' namespace, owned by the 'dev_user'. 
23 | 4. Attacker starts the network-scanning on the internal subnet of the OpenShift cluster. And the attacker finds the 'critical-app' application.
24 | 5. Attacker starts the web-based attack against 'critical-app'. 
25 | 6. NGINX App Protect protects the 'critical-app'; thus, the attack traffic is blocked immediately. 
26 | 7. NGINX exports the alert details to the external Elasticsearch.
27 | 8. If this specific alert meets the pre-defined condition, Elasticsearch will trigger the pre-defined Ansible playbook. 
28 | 9. Ansible playbook access to OpenShift and delete the malicious 'POD" automatically. 
29 | 
30 | *Since this demo focuses on the attack inside the OpenShift cluster, the demo does not include the 'Step#1' and 'Step#2'(Phishing email part).*
31 | 
32 | ![Demo flow](images/diagram.png)
33 | 
34 | ## Security Automation Process
35 | ![automation process](images/automation_process1.png)
36 | 
37 | ## Setup and Configuration
38 | Follow the links below to begin setup and configuration.
39 | 
40 | 1. [Prepare the 'NGINX App Protect' container image](nap_create/README.md)
41 | 2. [Install demo applications, and NGINX App Protect on the OpenShift](install_app/README.md)
42 | 3. [Create the Ansible Playbook](create_ansible/README.md)
43 | 4. [Configuring the 'Watcher' and 'Logstash' of Elasticsearch](elk_config/README.md)
44 | 5. [Simulate the demo](simulate_demo/README.md)
45 | 


--------------------------------------------------------------------------------
/sre-usecases/06-east_west_attack/create_ansible/README.md:
--------------------------------------------------------------------------------
 1 | ## Create the Ansible Playbook
 2 | 
 3 | 1. Create the Ansible playbook
 4 | - You have to add your file path in the yaml file. 
 5 | 
 6 | ```
 7 | ansible_ocp.yaml
 8 | 
 9 | ---
10 | - hosts: localhost
11 |   gather_facts: false
12 | 
13 |   tasks:
14 |   - name: Login to OCP cluster
15 |     k8s_auth:
16 |       host: https://yourocpdomain:6443
17 |       username: kubeadmin
18 |       password: your_ocp_password
19 |       validate_certs: no
20 |     register: k8s_auth_result
21 | 
22 |   - name: Extract IP Address
23 |     command: cat /yourpath/ip.txt
24 |     register: badpod_ip
25 | 
26 |   - name: Extract App Label from OpenShift
27 |     shell: |
28 |       sudo oc get pods -A -o json --field-selector status.podIP={{ badpod_ip.stdout }} |
29 |       grep "\"app\":" |
30 |       awk '{print $2}' |
31 |       sed 's/,//'
32 |     register: app_label
33 | 
34 |   - name: Delete Malicious Deployments
35 |     shell: |
36 |       sudo oc delete all --selector app={{ app_label.stdout }} -A
37 |     register: delete_pod
38 |   
39 |   - name: Delete IP and Info File
40 |     command: rm -rf /yourpath/ip.txt
41 | 
42 |   - name: OCP Service Deletion Completed
43 |     debug:
44 |       msg: "{{ delete_pod.stdout }}"
45 | ```
46 | 
47 | 
48 | 


--------------------------------------------------------------------------------
/sre-usecases/06-east_west_attack/elk_config/README.md:
--------------------------------------------------------------------------------
  1 | ## Configuring the 'Watcher' and 'Logstash' of Elasticsearch
  2 | 
  3 | 1. Configuring the 'Watcher' of Kibana
  4 | - You need an Elastic Platinum license or Eval license to use this feature on the Kibana. 
  5 | - Go to Kibana UI. 
  6 | - Management -> Watcher -> Create -> Create advanced watcher
  7 | - Copy and paste below JSON code
  8 | 
  9 | ```
 10 | watcher_ocp.json
 11 | 
 12 | {
 13 |   "trigger": {
 14 |     "schedule": {
 15 |       "interval": "1m"
 16 |     }
 17 |   },
 18 |   "input": {
 19 |     "search": {
 20 |       "request": {
 21 |         "search_type": "query_then_fetch",
 22 |         "indices": [
 23 |           "nginx-*"
 24 |         ],
 25 |         "rest_total_hits_as_int": true,
 26 |         "body": {
 27 |           "query": {
 28 |             "bool": {
 29 |               "must": [
 30 |                 {
 31 |                   "match": {
 32 |                     "outcome_reason": "SECURITY_WAF_VIOLATION"
 33 |                   }
 34 |                 },
 35 |                 {
 36 |                   "match": {
 37 |                     "x_forwarded_for_header_value": "N/A"
 38 |                   }
 39 |                 },
 40 |                 {
 41 |                   "range": {
 42 |                     "@timestamp": {
 43 |                       "gte": "now-1h",
 44 |                       "lte": "now"
 45 |                     }
 46 |                   }
 47 |                 }
 48 |               ]
 49 |             }
 50 |           }
 51 |         }
 52 |       }
 53 |     }
 54 |   },
 55 |   "condition": {
 56 |     "compare": {
 57 |       "ctx.payload.hits.total": {
 58 |         "gt": 0
 59 |       }
 60 |     }
 61 |   },
 62 |   "actions": {
 63 |     "logstash_logging": {
 64 |       "webhook": {
 65 |         "scheme": "http",
 66 |         "host": "localhost",
 67 |         "port": 1234,
 68 |         "method": "post",
 69 |         "path": "/{{watch_id}}",
 70 |         "params": {},
 71 |         "headers": {},
 72 |         "body": "{{ctx.payload.hits.hits.0._source.ip_client}}"
 73 |       }
 74 |     },
 75 |     "logstash_exec": {
 76 |       "webhook": {
 77 |         "scheme": "http",
 78 |         "host": "localhost",
 79 |         "port": 9001,
 80 |         "method": "post",
 81 |         "path": "/{{watch_id}}",
 82 |         "params": {},
 83 |         "headers": {},
 84 |         "body": "{{ctx.payload.hits.hits[0].total}}"
 85 |       }
 86 |     }
 87 |   }
 88 | }
 89 | ```
 90 | 
 91 | 2. Configuring 'logstash.conf' file
 92 | Below is the final version of the 'logstash.conf' file.
 93 | *Please note that you have to start the logstash with 'sudo' privilege.*
 94 | 
 95 | ```
 96 | logstash.conf
 97 | 
 98 | input {
 99 |     syslog {
100 |         port => 5003
101 |         type => nginx
102 |         }
103 | 
104 |     http {
105 |         port => 1234
106 |         type => watcher1
107 |         }
108 | 
109 |     http {
110 |         port => 9001
111 |         type => ansible1
112 |         }
113 | }
114 | 
115 | filter {
116 | if [type] == "nginx" {
117 |         
118 |         grok {
119 |             match => {
120 |                 "message" => [
121 |                 ",attack_type=\"%{DATA:attack_type}\"",
122 |                 ",blocking_exception_reason=\"%{DATA:blocking_exception_reason}\"",
123 |                 ",date_time=\"%{DATA:date_time}\"",
124 |                 ",dest_port=\"%{DATA:dest_port}\"",
125 |                 ",ip_client=\"%{DATA:ip_client}\"",
126 |                 ",is_truncated=\"%{DATA:is_truncated}\"",
127 |                 ",method=\"%{DATA:method}\"",
128 |                 ",policy_name=\"%{DATA:policy_name}\"",
129 |                 ",protocol=\"%{DATA:protocol}\"",
130 |                 ",request_status=\"%{DATA:request_status}\"",
131 |                 ",response_code=\"%{DATA:response_code}\"",
132 |                 ",severity=\"%{DATA:severity}\"",
133 |                 ",sig_cves=\"%{DATA:sig_cves}\"",
134 |                 ",sig_ids=\"%{DATA:sig_ids}\"",
135 |                 ",sig_names=\"%{DATA:sig_names}\"",
136 |                 ",sig_set_names=\"%{DATA:sig_set_names}\"",
137 |                 ",src_port=\"%{DATA:src_port}\"",
138 |                 ",sub_violations=\"%{DATA:sub_violations}\"",
139 |                 ",support_id=\"%{DATA:support_id}\"",
140 |                 ",unit_hostname=\"%{DATA:unit_hostname}\"",
141 |                 ",uri=\"%{DATA:uri}\"",
142 |                 ",violation_rating=\"%{DATA:violation_rating}\"",
143 |                 ",vs_name=\"%{DATA:vs_name}\"",
144 |                 ",x_forwarded_for_header_value=\"%{DATA:x_forwarded_for_header_value}\"",
145 |                 ",outcome=\"%{DATA:outcome}\"",
146 |                 ",outcome_reason=\"%{DATA:outcome_reason}\"",
147 |                 ",violations=\"%{DATA:violations}\"",
148 |                 ",violation_details=\"%{DATA:violation_details}\"",
149 |                 ",request=\"%{DATA:request}\""
150 |                 ]
151 |         }
152 |     break_on_match => false
153 |   }
154 |   
155 |         mutate {
156 |         split => { "attack_type" => "," }
157 |         split => { "sig_ids" => "," }
158 |         split => { "sig_names" => "," }
159 |         split => { "sig_cves" => "," }
160 |         split => { "staged_sig_ids" => "," }
161 |         split => { "staged_sig_names" => "," }
162 |         split => { "staged_sig_cves" => "," }
163 |         split => { "sig_set_names" => "," }
164 |         split => { "threat_campaign_names" => "," }
165 |         split => { "staged_threat_campaign_names" => "," }
166 |         split => { "violations" => "," }
167 |         split => { "sub_violations" => "," }
168 |   
169 |         remove_field => [ "date_time", "message" ]
170 |         }
171 | 
172 |         if [x_forwarded_for_header_value] != "N/A" {
173 |                 mutate { add_field => { "source_host" => "%{x_forwarded_for_header_value}"}}
174 |                 } else {
175 |                         mutate { add_field => { "source_host" => "%{ip_client}"}}
176 |                 }
177 |   
178 |    geoip {
179 |     source => "source_host"
180 |     database => "/etc/logstash/GeoLite2-City.mmdb"
181 | }
182 | }
183 | }
184 | 
185 | output {
186 | 
187 | if [type] == 'nginx' {
188 |          elasticsearch {
189 |                 hosts => ["127.0.0.1:9200"]
190 |                 index => "nginx-%{+YYYY.MM.dd}"
191 |         }
192 | }
193 | 
194 | if [type] == 'watcher1' {
195 |   file {
196 |     path => "/yourpath/ip.txt"
197 |     codec => line { format => "%{message}"}
198 |   }
199 | }
200 | 
201 | if [type] == 'ansible1' {
202 |   exec {
203 |           command => "ansible-playbook /yourpath/ansible_ocp.yaml"
204 |   }
205 | }
206 | }
207 | ```
208 | 
209 | 
210 | 
211 | 


--------------------------------------------------------------------------------
/sre-usecases/06-east_west_attack/images/a:
--------------------------------------------------------------------------------
1 | 
2 | 


--------------------------------------------------------------------------------
/sre-usecases/06-east_west_attack/images/automation_process1.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/f5devcentral/f5-bd-sre-demo/6bc0c2d266c3ed9902d8f0c051ba6bff142b3f47/sre-usecases/06-east_west_attack/images/automation_process1.png


--------------------------------------------------------------------------------
/sre-usecases/06-east_west_attack/images/diagram.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/f5devcentral/f5-bd-sre-demo/6bc0c2d266c3ed9902d8f0c051ba6bff142b3f47/sre-usecases/06-east_west_attack/images/diagram.png


--------------------------------------------------------------------------------
/sre-usecases/06-east_west_attack/images/elk_dashboard.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/f5devcentral/f5-bd-sre-demo/6bc0c2d266c3ed9902d8f0c051ba6bff142b3f47/sre-usecases/06-east_west_attack/images/elk_dashboard.png


--------------------------------------------------------------------------------
/sre-usecases/06-east_west_attack/images/terminating_pod.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/f5devcentral/f5-bd-sre-demo/6bc0c2d266c3ed9902d8f0c051ba6bff142b3f47/sre-usecases/06-east_west_attack/images/terminating_pod.png


--------------------------------------------------------------------------------
/sre-usecases/06-east_west_attack/nap_create/README.md:
--------------------------------------------------------------------------------
  1 | ## Prepare the 'NGINX App Protect' container image
  2 | 
  3 | ### Configuration Step
  4 | #### *Please make sure that you already have the evaluation license from the F5 for your NAP.* 
  5 | #### *The evaluation license includes 1x'.crt' file and 1x'.key' file. These are required in this step.*
  6 | #### *You need to have your own 'Docker Hub' account.*
  7 | 
  8 | ##### Create Dockerfile to build the 'NGINX App Protect' base image
  9 | You can find a more detailed explanation from the document portal of the NGINX [here](https://docs.nginx.com/nginx-app-protect/admin-guide/#docker-deployment).
 10 | Below is the sample 'Dockerfile' config which used in this demo. 
 11 | 
 12 | ```
 13 | Dockerfile
 14 | 
 15 | # For CentOS 7:
 16 | FROM centos:7.4.1708
 17 | 
 18 | # Download certificate and key from the customer portal (https://cs.nginx.com)
 19 | # and copy to the build context:
 20 | COPY nginx-repo.crt nginx-repo.key /etc/ssl/nginx/
 21 | 
 22 | # Install prerequisite packages:
 23 | RUN yum -y install wget ca-certificates epel-release
 24 | 
 25 | # Add NGINX Plus repo to Yum:
 26 | RUN wget -P /etc/yum.repos.d https://cs.nginx.com/static/files/nginx-plus-7.repo
 27 |     
 28 | # Install NGINX App Protect:
 29 | RUN yum -y install app-protect \
 30 |     && yum clean all \
 31 |     && rm -rf /var/cache/yum \
 32 |     && rm -rf /etc/ssl/nginx
 33 |  
 34 | # Forward request logs to Docker log collector:
 35 | RUN ln -sf /dev/stdout /var/log/nginx/access.log \
 36 |     && ln -sf /dev/stderr /var/log/nginx/error.log
 37 |         
 38 | # Copy configuration files:
 39 | COPY nginx.conf custom_log_format.json /etc/nginx/
 40 | COPY entrypoint.sh  ./
 41 |     
 42 | CMD ["sh", "/entrypoint.sh"] 
 43 | ```
 44 | 
 45 | And build your docker image for NAP. (You have to place your NGINX 'crt' and 'key' files on the same directory.)
 46 | ```
 47 | sudo docker build --no-cache -t app-protect .
 48 | ```
 49 | 
 50 | Once you successfully complete your NAP installation, you should be able to find your NAP image like below. 
 51 | ```
 52 | [james@James-Int-Centos nginx_sre]$ sudo docker images
 53 | REPOSITORY                TAG                 IMAGE ID            CREATED             SIZE
 54 | app-protect               latest              69eab65e11f0        32 seconds ago      580MB
 55 | ```
 56 | 
 57 | You have to access the shell of the NAP image and move to /etc/nginx directory. 
 58 | ```
 59 | [james@James-Int-Centos nginx_sre]$ sudo docker run -ti 69eab65e11f0 /bin/bash
 60 | [root@a7de84db35b0 /]# 
 61 | [root@a7de84db35b0 /]# cd /etc/nginx/
 62 | [root@a7de84db35b0 nginx]# ls
 63 | NginxApiSecurityPolicy.json  NginxDefaultPolicy.json  NginxStrictPolicy.json  conf.d  custom_log_format.json  fastcgi_params  koi-utf  koi-win  mime.types  modules  nginx.conf  scgi_params  uwsgi_params  win-utf
 64 | [root@a7de84db35b0 nginx]#
 65 | ```
 66 | 
 67 | Open the 'nginx.conf' file using vi editor and update the context like below. 
 68 | ```
 69 | [root@9b298513fad7 nginx]# cat nginx.conf 
 70 | user nginx;
 71 | 
 72 | worker_processes auto;
 73 | load_module modules/ngx_http_app_protect_module.so;
 74 | 
 75 | error_log /var/log/nginx/error.log debug;
 76 | 
 77 | events {
 78 |     worker_connections 10240;
 79 | }
 80 | 
 81 | http {
 82 |     include /etc/nginx/mime.types;
 83 |     default_type application/octet-stream;
 84 |     sendfile on;
 85 |     keepalive_timeout 65;
 86 |     include /etc/nginx/conf.d/nginx_sre.conf;
 87 | }
 88 | ```
 89 | 
 90 | And logout from the NAP image using 'exit' command. 
 91 | 
 92 | Now, you need to login to your docker account using the command line below. 
 93 | ```
 94 | root@James-Ext-ubuntu:/home/james# docker login --username=yourusername 
 95 | Password: yourpassword
 96 | WARNING! Your password will be stored unencrypted in /root/.docker/config.json.
 97 | Configure a credential helper to remove this warning. See
 98 | https://docs.docker.com/engine/reference/commandline/login/#credentials-store
 99 | 
100 | Login Succeeded
101 | ```
102 | 
103 | After login, you have to save the configuration changes to your NAP image and upload it to your docker hub repo. 
104 | ```
105 | [root@James-Int-Centos nginx_sre]# docker ps -a
106 | CONTAINER ID        IMAGE                         COMMAND                CREATED             STATUS                     PORTS               NAMES
107 | a7de84db35b0        69eab65e11f0                  "/bin/bash"            9 minutes ago       Up 9 minutes                                   confident_bell
108 | 
109 | [root@James-Int-Centos nginx_sre]# docker commit a7de84db35b0
110 | sha256:307d826879dd9766dcbc17bdfe9260eda4f26d84688cf446759d832b16614d22
111 | [root@James-Int-Centos nginx_sre]# 
112 | 
113 | [root@James-Int-Centos nginx_sre]# docker images
114 | REPOSITORY                TAG                 IMAGE ID            CREATED             SIZE
115 | <none>                    <none>              307d826879dd        7 seconds ago       580MB
116 | app-protect               latest              69eab65e11f0        16 minutes ago      580MB
117 | 
118 | [root@James-Int-Centos nginx_sre]# docker tag 307d826879dd your_docker_hub_id/app-protect:latest
119 | [root@James-Int-Centos nginx_sre]# 
120 | [root@James-Int-Centos nginx_sre]# docker images
121 | REPOSITORY                TAG                 IMAGE ID            CREATED              SIZE
122 | your_id/app-protect       latest              307d826879dd        About a minute ago   580MB
123 | app-protect               latest              69eab65e11f0        17 minutes ago       580MB
124 | 
125 | [root@James-Int-Centos nginx_sre]# docker push your_id/app-protect 
126 | The push refers to repository [docker.io/your_id/app-protect]
127 | .
128 | .
129 | latest: digest: sha256:abbe81a2845b1ae0d36b14efbcc2dd11b9f401139ce57ec528d3b74244385871 size: 1989
130 | [root@James-Int-Centos nginx_sre]#
131 | ```
132 | 
133 | 
134 | 
135 | 


--------------------------------------------------------------------------------
/sre-usecases/06-east_west_attack/scripts/ansible_ocp.yaml:
--------------------------------------------------------------------------------
 1 | ---
 2 | - hosts: localhost
 3 |   gather_facts: false
 4 | 
 5 |   tasks:
 6 |   - name: Login to OCP cluster
 7 |     k8s_auth:
 8 |       host: https://yourocpdomain:6443
 9 |       username: kubeadmin
10 |       password: your_ocp_password
11 |       validate_certs: no
12 |     register: k8s_auth_result
13 | 
14 |   - name: Extract IP Address
15 |     command: cat /yourpath/ip.txt
16 |     register: badpod_ip
17 | 
18 |   - name: Extract App Label from OpenShift
19 |     shell: |
20 |       sudo oc get pods -A -o json --field-selector status.podIP={{ badpod_ip.stdout }} |
21 |       grep "\"app\":" |
22 |       awk '{print $2}' |
23 |       sed 's/,//'
24 |     register: app_label
25 | 
26 |   - name: Delete Malicious Deployments
27 |     shell: |
28 |       sudo oc delete all --selector app={{ app_label.stdout }} -A
29 |     register: delete_pod
30 |   
31 |   - name: Delete IP and Info File
32 |     command: rm -rf /yourpath/ip.txt
33 | 
34 |   - name: OCP Service Deletion Completed
35 |     debug:
36 |       msg: "{{ delete_pod.stdout }}"
37 | 


--------------------------------------------------------------------------------
/sre-usecases/06-east_west_attack/scripts/critical-app-with-nap.yaml:
--------------------------------------------------------------------------------
 1 | ##################################################################################################
 2 | # Deploy Critical App with NGINX App Protect
 3 | ##################################################################################################
 4 | apiVersion: v1
 5 | kind: Service
 6 | metadata:
 7 |   name: critical-app
 8 |   labels:
 9 |     app: critical-app
10 |     service: critical-app
11 | spec:
12 |   ports:
13 |   - port: 8888
14 |     targetPort: 8888
15 |     name: http
16 |   selector:
17 |     app: critical-app
18 | ---
19 | apiVersion: apps/v1
20 | kind: Deployment
21 | metadata:
22 |   name: critical-app-v1
23 |   labels:
24 |     app: critical-app
25 |     version: v1
26 | spec:
27 |   replicas: 1
28 |   selector:
29 |     matchLabels:
30 |       app: critical-app
31 |       version: v1
32 |   template:
33 |     metadata:
34 |       labels:
35 |         app: critical-app
36 |         version: v1
37 |     spec:
38 |       containers:
39 |       - env:
40 |         - name: TZ
41 |           value: UTC
42 |         name: nginx01
43 |         image: yourcontainerimagepath (eg. your_docker_hub_id/app-protect:latest)
44 |         volumeMounts:
45 |         - name: config-volume
46 |           mountPath: /etc/nginx/conf.d/nginx_sre.conf
47 |           subPath: nginx_sre.conf
48 |         - name: config-volume
49 |           mountPath: /etc/nginx/NginxSRELabPolicy.json
50 |           subPath: NginxSRELabPolicy.json
51 |       - env:
52 |         - name: TZ
53 |           value: UTC
54 |         name: critical-app
55 |         image: network1211/ubuntu01:12.0
56 |         imagePullPolicy: IfNotPresent
57 |         ports:
58 |         - containerPort: 80
59 |         command: [ "bash" ]
60 |         args: [ "/start.sh" ]
61 |       volumes:
62 |       - name: config-volume
63 |         configMap:
64 |           name: critical-app-conf
65 | ---
66 | 


--------------------------------------------------------------------------------
/sre-usecases/06-east_west_attack/scripts/devapp_deployment.yaml:
--------------------------------------------------------------------------------
 1 | ##################################################################################################
 2 | # Deploy Dev App
 3 | ##################################################################################################
 4 | apiVersion: apps/v1
 5 | kind: Deployment
 6 | metadata:
 7 |   name: dev-test-v1
 8 |   labels:
 9 |     app: dev-test
10 |     version: v1
11 | spec:
12 |   replicas: 1
13 |   selector:
14 |     matchLabels:
15 |       app: dev-test
16 |       version: v1
17 |   template:
18 |     metadata:
19 |       labels:
20 |         app: dev-test
21 |         version: v1
22 |     spec:
23 |       containers:
24 |       - env:
25 |         - name: TZ
26 |           value: UTC
27 |         name: dev-test
28 |         image: network1211/ubuntu02:5.0
29 |         imagePullPolicy: IfNotPresent
30 |         command: [ "bash" ]
31 |         stdin: true
32 | ---
33 | 


--------------------------------------------------------------------------------
/sre-usecases/06-east_west_attack/scripts/logstash.conf:
--------------------------------------------------------------------------------
  1 | input {
  2 |     syslog {
  3 |         port => 5003
  4 |         type => nginx
  5 |         }
  6 | 
  7 |     http {
  8 |         port => 1234
  9 |         type => watcher1
 10 |         }
 11 | 
 12 |     http {
 13 |         port => 9001
 14 |         type => ansible1
 15 |         }
 16 | }
 17 | 
 18 | filter {
 19 | if [type] == "nginx" {
 20 |         
 21 |         grok {
 22 |             match => {
 23 |                 "message" => [
 24 |                 ",attack_type=\"%{DATA:attack_type}\"",
 25 |                 ",blocking_exception_reason=\"%{DATA:blocking_exception_reason}\"",
 26 |                 ",date_time=\"%{DATA:date_time}\"",
 27 |                 ",dest_port=\"%{DATA:dest_port}\"",
 28 |                 ",ip_client=\"%{DATA:ip_client}\"",
 29 |                 ",is_truncated=\"%{DATA:is_truncated}\"",
 30 |                 ",method=\"%{DATA:method}\"",
 31 |                 ",policy_name=\"%{DATA:policy_name}\"",
 32 |                 ",protocol=\"%{DATA:protocol}\"",
 33 |                 ",request_status=\"%{DATA:request_status}\"",
 34 |                 ",response_code=\"%{DATA:response_code}\"",
 35 |                 ",severity=\"%{DATA:severity}\"",
 36 |                 ",sig_cves=\"%{DATA:sig_cves}\"",
 37 |                 ",sig_ids=\"%{DATA:sig_ids}\"",
 38 |                 ",sig_names=\"%{DATA:sig_names}\"",
 39 |                 ",sig_set_names=\"%{DATA:sig_set_names}\"",
 40 |                 ",src_port=\"%{DATA:src_port}\"",
 41 |                 ",sub_violations=\"%{DATA:sub_violations}\"",
 42 |                 ",support_id=\"%{DATA:support_id}\"",
 43 |                 ",unit_hostname=\"%{DATA:unit_hostname}\"",
 44 |                 ",uri=\"%{DATA:uri}\"",
 45 |                 ",violation_rating=\"%{DATA:violation_rating}\"",
 46 |                 ",vs_name=\"%{DATA:vs_name}\"",
 47 |                 ",x_forwarded_for_header_value=\"%{DATA:x_forwarded_for_header_value}\"",
 48 |                 ",outcome=\"%{DATA:outcome}\"",
 49 |                 ",outcome_reason=\"%{DATA:outcome_reason}\"",
 50 |                 ",violations=\"%{DATA:violations}\"",
 51 |                 ",violation_details=\"%{DATA:violation_details}\"",
 52 |                 ",request=\"%{DATA:request}\""
 53 |                 ]
 54 |         }
 55 |     break_on_match => false
 56 |   }
 57 |   
 58 |         mutate {
 59 |         split => { "attack_type" => "," }
 60 |         split => { "sig_ids" => "," }
 61 |         split => { "sig_names" => "," }
 62 |         split => { "sig_cves" => "," }
 63 |         split => { "staged_sig_ids" => "," }
 64 |         split => { "staged_sig_names" => "," }
 65 |         split => { "staged_sig_cves" => "," }
 66 |         split => { "sig_set_names" => "," }
 67 |         split => { "threat_campaign_names" => "," }
 68 |         split => { "staged_threat_campaign_names" => "," }
 69 |         split => { "violations" => "," }
 70 |         split => { "sub_violations" => "," }
 71 |   
 72 |         remove_field => [ "date_time", "message" ]
 73 |         }
 74 | 
 75 |         if [x_forwarded_for_header_value] != "N/A" {
 76 |                 mutate { add_field => { "source_host" => "%{x_forwarded_for_header_value}"}}
 77 |                 } else {
 78 |                         mutate { add_field => { "source_host" => "%{ip_client}"}}
 79 |                 }
 80 |   
 81 |    geoip {
 82 |     source => "source_host"
 83 |     database => "/etc/logstash/GeoLite2-City.mmdb"
 84 | }
 85 | }
 86 | }
 87 | 
 88 | output {
 89 | 
 90 | if [type] == 'nginx' {
 91 |          elasticsearch {
 92 |                 hosts => ["127.0.0.1:9200"]
 93 |                 index => "nginx-%{+YYYY.MM.dd}"
 94 |         }
 95 | }
 96 | 
 97 | if [type] == 'watcher1' {
 98 |   file {
 99 |     path => "/yourpath/ip.txt"
100 |     codec => line { format => "%{message}"}
101 |   }
102 | }
103 | 
104 | if [type] == 'ansible1' {
105 |   exec {
106 |           command => "ansible-playbook /yourpath/ansible_ocp.yaml"
107 |   }
108 | }
109 | }
110 | 


--------------------------------------------------------------------------------
/sre-usecases/06-east_west_attack/scripts/nap-config.yaml:
--------------------------------------------------------------------------------
  1 | ##################################################################################################
  2 | # Configmap Critical-App
  3 | ##################################################################################################
  4 | apiVersion: v1
  5 | kind: ConfigMap
  6 | metadata:
  7 |   name: critical-app-conf
  8 | data:
  9 |   nginx_sre.conf: | 
 10 |    
 11 |    upstream critical-app {
 12 |        server 127.0.0.1:80;	       
 13 |    }
 14 |  
 15 |     server {
 16 |        listen 8888;
 17 |        server_name critical-app-http;
 18 |        proxy_http_version 1.1;
 19 |        
 20 |        real_ip_header X-Forwarded-For;     
 21 |        set_real_ip_from 0.0.0.0/0;
 22 |     
 23 |        app_protect_enable on;
 24 |        app_protect_security_log_enable on;
 25 |        app_protect_policy_file "/etc/nginx/NginxSRELabPolicy.json";
 26 |        app_protect_security_log "/etc/app_protect/conf/log_default.json" syslog:server=your_elk_server_ip_here;
 27 | 
 28 |        location / {
 29 |            client_max_body_size 0;
 30 |            default_type text/html;
 31 |            proxy_pass http://critical-app;
 32 |            proxy_set_header Host $host;
 33 |        }
 34 |    }
 35 |   NginxSRELabPolicy.json: |
 36 |     {
 37 |        "policy" : {
 38 |           "name" : "NGINX_App_Protect_Policy",
 39 |           "description" : "NGINX App Protect Strict Policy",
 40 |           "template": { "name": "POLICY_TEMPLATE_NGINX_BASE" },
 41 |           "applicationLanguage": "utf-8",
 42 |           "enforcementMode": "blocking",
 43 |           "response-pages": [
 44 |               {
 45 |                   "responseContent": "<html><head><title>SRE DevSecOps - East-West Attack Blocking</title></head><body><font color=green size=10>NGINX App Protect Blocking Page</font><br><br>Please consult with your administrator.<br><br>Your support ID is: <%TS.request.ID()%><br><br><a href='javascript:history.back();'>[Go Back]</a></body></html>",
 46 |                   "responseHeader": "HTTP/1.1 302 OK\\r\\nCache-Control: no-cache\\r\\nPragma: no-cache\\r\\nConnection: close",
 47 |                   "responseActionType": "custom",
 48 |                   "responsePageType": "default"
 49 |               }
 50 |           ],
 51 |           "blocking-settings" : {
 52 |               "evasions" : [
 53 |                   {
 54 |                      "description" : "Multiple decoding",
 55 |                      "maxDecodingPasses" : 2
 56 |                   }
 57 |               ],
 58 |               "http-protocols" : [
 59 |                  {
 60 |                     "description" : "Host header contains IP address",
 61 |                     "enabled" : false
 62 |                  }
 63 |               ],
 64 |               "violations" : [
 65 |                   {
 66 |                      "alarm" : true,
 67 |                      "block" : true,
 68 |                      "description" : "Violation Rating Need Examination detected",
 69 |                      "name" : "VIOL_RATING_NEED_EXAMINATION"
 70 |                   }
 71 |               ]
 72 |           },
 73 |           "signature-sets" : [
 74 |                {
 75 |                   "alarm" : true,
 76 |                   "block" : true,
 77 |                   "name" : "CVE Signatures"
 78 |                },
 79 |                {
 80 |                   "alarm" : true,
 81 |                   "block" : true,
 82 |                   "name" : "Buffer Overflow Signatures"
 83 |                },
 84 |                {
 85 |                   "alarm" : true,
 86 |                  "block" : true,
 87 |                   "name" : "Authentication/Authorization Attack Signatures"
 88 |                },
 89 |                {
 90 |                   "alarm" : true,
 91 |                   "block" : true,
 92 |                   "name" : "High Accuracy Signatures"
 93 |                },
 94 |                {
 95 |                   "alarm" : true,
 96 |                   "block" : true,
 97 |                   "name" : "SQL Injection Signatures"
 98 |                },
 99 |                {
100 |                   "alarm" : true,
101 |                   "block" : true,
102 |                   "name" : "Cross Site Scripting Signatures"
103 |                },
104 |                {
105 |                   "alarm" : true,
106 |                   "block" : true,
107 |                   "name" : "OS Command Injection Signatures"
108 |                },
109 |                {
110 |                   "alarm" : true,
111 |                   "block" : true,
112 |                   "name" : "HTTP Response Splitting Signatures"
113 |                },
114 |                {
115 |                   "alarm" : true,
116 |                   "block" : true,
117 |                   "name" : "Path Traversal Signatures"
118 |                },
119 |                {
120 |                   "alarm" : true,
121 |                   "block" : true,
122 |                   "name" : "XPath Injection Signatures"
123 |                },
124 |                {
125 |                   "alarm" : true,
126 |                   "block" : true,
127 |                   "name" : "Command Execution Signatures"
128 |                },
129 |                {
130 |                   "alarm" : true,
131 |                   "block" : true,
132 |                   "name" : "Server Side Code Injection Signatures"
133 |                },
134 |                {
135 |                   "alarm" : true,
136 |                   "block" : true,
137 |                   "name" : "Information Leakage Signatures"
138 |                },
139 |                {
140 |                   "alarm" : true,
141 |                   "block" : true,
142 |                   "name" : "Directory Indexing Signatures"
143 |                },
144 |                {
145 |                   "alarm" : true,
146 |                   "block" : true,
147 |                   "name" : "Remote File Include Signatures"
148 |                },
149 |                {
150 |                   "alarm" : true,
151 |                   "block" : true,
152 |                   "name" : "Predictable Resource Location Signatures"
153 |                },
154 |                {
155 |                   "alarm" : true,
156 |                   "block" : true,
157 |                   "name" : "Other Application Attacks Signatures"
158 |                },
159 |                {
160 |                   "alarm" : true,
161 |                   "block" : true,
162 |                   "name" : "High Accuracy Detection Evasion Signatures"
163 |                },
164 |                {
165 |                   "alarm" : true,
166 |                   "block" : true,
167 |                   "name" : "Generic Detection Signatures (High/Medium Accuracy)"
168 |                }
169 |           ]
170 |        }
171 |     }    
172 | ---
173 | 


--------------------------------------------------------------------------------
/sre-usecases/06-east_west_attack/scripts/watcher_ocp.json:
--------------------------------------------------------------------------------
 1 | {
 2 |   "trigger": {
 3 |     "schedule": {
 4 |       "interval": "1m"
 5 |     }
 6 |   },
 7 |   "input": {
 8 |     "search": {
 9 |       "request": {
10 |         "search_type": "query_then_fetch",
11 |         "indices": [
12 |           "nginx-*"
13 |         ],
14 |         "rest_total_hits_as_int": true,
15 |         "body": {
16 |           "query": {
17 |             "bool": {
18 |               "must": [
19 |                 {
20 |                   "match": {
21 |                     "outcome_reason": "SECURITY_WAF_VIOLATION"
22 |                   }
23 |                 },
24 |                 {
25 |                   "match": {
26 |                     "x_forwarded_for_header_value": "N/A"
27 |                   }
28 |                 },
29 |                 {
30 |                   "range": {
31 |                     "@timestamp": {
32 |                       "gte": "now-1h",
33 |                       "lte": "now"
34 |                     }
35 |                   }
36 |                 }
37 |               ]
38 |             }
39 |           }
40 |         }
41 |       }
42 |     }
43 |   },
44 |   "condition": {
45 |     "compare": {
46 |       "ctx.payload.hits.total": {
47 |         "gt": 0
48 |       }
49 |     }
50 |   },
51 |   "actions": {
52 |     "logstash_logging": {
53 |       "webhook": {
54 |         "scheme": "http",
55 |         "host": "localhost",
56 |         "port": 1234,
57 |         "method": "post",
58 |         "path": "/{{watch_id}}",
59 |         "params": {},
60 |         "headers": {},
61 |         "body": "{{ctx.payload.hits.hits.0._source.ip_client}}"
62 |       }
63 |     },
64 |     "logstash_exec": {
65 |       "webhook": {
66 |         "scheme": "http",
67 |         "host": "localhost",
68 |         "port": 9001,
69 |         "method": "post",
70 |         "path": "/{{watch_id}}",
71 |         "params": {},
72 |         "headers": {},
73 |         "body": "{{ctx.payload.hits.hits[0].total}}"
74 |       }
75 |     }
76 |   }
77 | }
78 | 


--------------------------------------------------------------------------------
/sre-usecases/06-east_west_attack/simulate_demo/README.md:
--------------------------------------------------------------------------------
  1 | ### Simulate the demo
  2 | 
  3 | *You should start the Kibana watcher and logstash first before proceeding this step.*
  4 | 
  5 | #### Kubeadmin Console
  6 | 1. Please make sure you're logged in to the OCP cluster using 'kubeadmin' account. And confirm the 'critical-app' is running correctly.
  7 | ```
  8 | j.lee$ oc whoami
  9 | kube:admin
 10 | j.lee$ 
 11 | j.lee$ oc get projects
 12 | NAME                                               DISPLAY NAME   STATUS
 13 | critical-app                                                      Active
 14 | default                                                           Active
 15 | dev-test02                                                        Active
 16 | kube-node-lease                                                   Active
 17 | kube-public                                                       Active
 18 | kube-system                                                       Active
 19 | openshift                                                         Active
 20 | openshift-apiserver                                               Active
 21 | openshift-apiserver-operator                                      Active
 22 | openshift-authentication                                          Active
 23 | openshift-authentication-operator                                 Active
 24 | openshift-cloud-credential-operator                               Active
 25 | 
 26 | j.lee$ oc get pods -o wide
 27 | NAME                               READY   STATUS    RESTARTS   AGE   IP            NODE                                             NOMINATED NODE   READINESS GATES
 28 | critical-app-v1-5c6546765f-wjhl9   2/2     Running   1          85m   10.129.2.71   ip-10-0-180-68.ap-southeast-1.compute.internal   <none>           <none>
 29 | j.lee$ 
 30 | ```
 31 | 
 32 | #### dev_user Console
 33 | 1. Please make sure you're logged in to the OCP cluster using 'dev_user' account on the 'infected machine'. And confirm the 'dev-test-app' is running correctly.
 34 | ```
 35 | PS C:\Users\ljwca\Documents\ocp> oc whoami
 36 | dev_user
 37 | PS C:\Users\ljwca\Documents\ocp>
 38 | PS C:\Users\ljwca\Documents\ocp> oc get projects
 39 | NAME         DISPLAY NAME   STATUS
 40 | dev-test02                  Active
 41 | PS C:\Users\ljwca\Documents\ocp>
 42 | PS C:\Users\ljwca\Documents\ocp> oc get pods -o wide
 43 | NAME                           READY   STATUS    RESTARTS   AGE   IP            NODE                                              NOMINATED NODE   READINESS GATES
 44 | dev-test-v1-674f467644-t94dc   1/1     Running   0          6s    10.128.2.38   ip-10-0-155-159.ap-southeast-1.compute.internal   <none>           <none>
 45 | ```
 46 | 
 47 | 2. Login to 'dev-test' container using 'remote shell' command of the OCP
 48 | ```
 49 | PS C:\Users\ljwca\Documents\ocp> oc rsh dev-test-v1-674f467644-t94dc
 50 | $
 51 | $ uname -a
 52 | Linux dev-test-v1-674f467644-t94dc 4.18.0-193.14.3.el8_2.x86_64 #1 SMP Mon Jul 20 15:02:29 UTC 2020 x86_64 x86_64 x86_64 GNU/Linux
 53 | $
 54 | ```
 55 | 
 56 | 3. Network scanning
 57 | - This step takes 1~2 hours to complete all scanning. 
 58 | ```
 59 | $ nmap -sP 10.128.0.0/14
 60 | Starting Nmap 7.80 ( https://nmap.org ) at 2020-09-29 17:20 UTC
 61 | Nmap scan report for ip-10-128-0-1.ap-southeast-1.compute.internal (10.128.0.1)
 62 | Host is up (0.0025s latency).
 63 | Nmap scan report for ip-10-128-0-2.ap-southeast-1.compute.internal (10.128.0.2)
 64 | Host is up (0.0024s latency).
 65 | Nmap scan report for 10-128-0-3.metrics.openshift-authentication-operator.svc.cluster.local (10.128.0.3)
 66 | Host is up (0.0023s latency).
 67 | Nmap scan report for 10-128-0-4.metrics.openshift-kube-scheduler-operator.svc.cluster.local (10.128.0.4)
 68 | Host is up (0.0027s latency).
 69 | .
 70 | .
 71 | .
 72 | ```
 73 | After completion of the scanning, you will be able to find the 'critical-app' on the list. 
 74 | 
 75 | 4. Application Scanning for the target
 76 | - You can find the 'open' service ports on the target using nmap. 
 77 | ```
 78 | $ nmap 10.129.2.71
 79 | Starting Nmap 7.80 ( https://nmap.org ) at 2020-09-29 17:23 UTC
 80 | Nmap scan report for 10-129-2-71.critical-app.critical-app.svc.cluster.local (10.129.2.71)
 81 | Host is up (0.0012s latency).
 82 | Not shown: 998 closed ports
 83 | PORT     STATE SERVICE
 84 | 80/tcp   open  http
 85 | 8888/tcp open  sun-answerbook
 86 | 
 87 | Nmap done: 1 IP address (1 host up) scanned in 0.12 seconds
 88 | $
 89 | ```
 90 | 
 91 | But you will see the 403 error when you try to access the server using port 80. This happens because the default Apache access control only allows the traffic from the NGINX App Protect. 
 92 | ```
 93 | $ curl http://10.129.2.71/
 94 | <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
 95 | <html><head>
 96 | <title>403 Forbidden</title>
 97 | </head><body>
 98 | <h1>Forbidden</h1>
 99 | <p>You don't have permission to access this resource.</p>
100 | <hr>
101 | <address>Apache/2.4.46 (Debian) Server at 10.129.2.71 Port 80</address>
102 | </body></html>
103 | $
104 | ```
105 | 
106 | Now, you can see the response through the port 8888. 
107 | ```
108 | $ curl http://10.129.2.71:8888/
109 | <html>
110 | <head>
111 | <title>
112 | Network Operation Utility - NSLOOKUP
113 | </title>
114 | </head>
115 | <body>
116 | 
117 |     <font color=blue size=12>NSLOOKUP TOOL</font><br><br>
118 |     <h2>Please type the domain name into the below box.</h2>
119 |     <h1>
120 | 
121 |     <form action="/index.php" method="POST">
122 | 
123 |         <p>
124 | 
125 |         <label for="target">DNS lookup:</label>
126 |         <input type="text" id="target" name="target" value="www.f5.com">
127 | 
128 |         <button type="submit" name="form" value="submit">Lookup</button>
129 | 
130 |         </p>
131 | 
132 |     </form>
133 |     </h1>
134 |     <font color=red>This site is vulnerable to Web Exploit. Please use this site as a test purpose only.</font>
135 | 
136 | </body>
137 | 
138 | </html>
139 | $
140 | ```
141 | 
142 | 5. Performing the 'Command Injection' attack
143 | ```
144 | $ curl -d "target=www.f5.com|cat /etc/passwd&form=submit" -X POST http://10.129.2.71:8888/index.php
145 | <html><head><title>SRE DevSecOps - East-West Attack Blocking</title></head><body><font color=green size=10>NGINX App Protect Blocking Page</font><br><br>Please consult with your administrator.<br><br>Your support ID is: 878077205548544462<br><br><a href='javascript:history.back();'>[Go Back]</a></body></html>$
146 | $
147 | ```
148 | 
149 | 6. Verify the logs in Kibana dashboard
150 | - You shoudl be able to see the NAP alerts on your ELK.
151 | ![](https://github.com/network1211/f5-security-automation-ansible/blob/master/devsecops/malicious_pod/images/elk_dashboard.png)
152 | 
153 | 7. Verify the Ansible terminates the malicious pod
154 | - Ansible deletes the malicious POD
155 | ![](https://github.com/network1211/f5-security-automation-ansible/blob/master/devsecops/malicious_pod/images/terminating_pod.png)
156 | 
157 | 
158 | 
159 | 
160 | 
161 | 
162 | 
163 | 
164 | 
165 | 


--------------------------------------------------------------------------------
/sre-usecases/07-enhanced_targeted_canary/README.md:
--------------------------------------------------------------------------------
 1 | # Enhanced Targeted Canary deployment with F5 and OpenShift
 2 | ## Summary
 3 | Canary deployment is an S/W releasing technique to reduce the risk of introducing new features or a new version in production for the DevOps team. In our SRE demo series, we already introduced how our customers easily can release their new S/W version with minimum risk using the canary deployment model. You can find more details of 'SRE Canary Deployment' use-case in [here](sre-usecases/01-targeted-canary/README.md).
 4 | In this use-case, we've enhanced our existing canary deployment use-case with F5 APM(Access Policy Manager), NGINX+, Microsoft Azure AD, and Red Hat OpenShift. You can learn how F5 components help to apply canary deployment in your containerized environment in this demo.
 5 | 
 6 | ## Prerequisites
 7 | - BIG-IP APM and NGINX+ already installed
 8 | - Running OpenShift Cluster (3.11 used in this demo) 
 9 | - Must complete to install F5 CIS, bookinfo application and NGINX+ (You can find the installation steps in [here](sre-usecases/01-targeted-canary/README.md).
10 | 
11 | ## Use Case Scenario
12 | This use case is to demonstrate the concept of Targeted Canary Deployment for two user groups - 'F5 employee' and 'Non-F5 employee':
13 | 
14 | 1. Developer can promote and target new versions of the same microservice (v1,v2,v3) to targeted users (Group1-F5 employee / Group2-nonF5 employee) respectively, without involving and waiting for the infrastructure operations team (NoOps).
15 | 2. BIG-IP APM in N-S will authenticate users through the interaction with an external MS Azure AD B2C service using OAuth. 
16 | 3. Once the user is authenticated successfully by MS Azure AD, Azure AD sends the user-specific information through JWT(JSON Web Token). 
17 | 4. After APM receives the token from the Azure AD, then it creates a new JWT and passes it to the backend NGINX+.
18 | 5. Once the NGINX+ receives the token, it extracts the user data and direct users to the correct microservice version based on the policy.
19 | 
20 | ![demo flow](images/enhanced_1-1.png)
21 | 
22 | ## Configuration Steps
23 | 
24 | ## 1. Configuring Microsoft Azure AD B2C
25 | ![step-1](images/Slide6.jpeg)
26 | ![step-2](images/Slide7.jpeg)
27 | ![step-3](images/Slide8.jpeg)
28 | ![step-4](images/Slide9.jpeg)
29 | ![step-5](images/Slide10.jpeg)
30 | ![step-6](images/Slide11.jpeg)
31 | ![step-7](images/Slide12.jpeg)
32 | ![step-8](images/Slide13.jpeg)
33 | ![step-9](images/Slide14.jpeg)
34 | ![step-10](images/Slide15.jpeg)
35 | ![step-11](images/Slide16.jpeg)
36 | ![step-12](images/Slide17.jpeg)
37 | ![step-13](images/Slide18.jpeg)
38 | ![step-14](images/Slide19.jpeg)
39 | ![step-15](images/Slide20.jpeg)
40 | ![step-16](images/Slide21.jpeg)
41 | ![step-17](images/Slide22.jpeg)
42 | ![step-18](images/Slide23.jpeg)
43 | ![step-19](images/Slide24.jpeg)
44 | ![step-20](images/Slide25.jpeg)
45 | ![step-21](images/Slide26.jpeg)
46 | ![step-22](images/Slide27.jpeg)
47 | 
48 | ## 2. Configuring F5 APM(Access Policy Manager)
49 | ![step-1](images/Slide29.jpeg)
50 | ![step-2](images/Slide30.jpeg)
51 | ![step-3](images/Slide31.jpeg)
52 | ![step-4](images/Slide32.jpeg)
53 | ![step-5](images/Slide33.jpeg)
54 | ![step-6](images/Slide34.jpeg)
55 | ![step-7](images/Slide35.jpeg)
56 | ![step-8](images/Slide36.jpeg)
57 | ![step-9](images/Slide37.jpeg)
58 | ![step-10](images/Slide38.jpeg)
59 | ![step-11](images/Slide39.jpeg)
60 | ![step-12](images/Slide40.jpeg)
61 | ![step-13](images/Slide41.jpeg)
62 | ![step-14](images/Slide42.jpeg)
63 | ![step-15](images/Slide43.jpeg)
64 | 
65 | ## 3. Configuring NGINX Plus
66 | ![step-1](images/Slide45.jpeg)
67 | 
68 | ## 4. Verifying Result
69 | ![step-1](images/Slide47.jpeg)
70 | ![step-2](images/Slide48.jpeg)
71 | ![step-3](images/Slide49.jpeg)
72 | ![step-4](images/Slide50.jpg)
73 | ![step-5](images/Slide51.jpeg)
74 | ![step-6](images/Slide52.jpeg)
75 | 
76 | 
77 | 


--------------------------------------------------------------------------------
/sre-usecases/07-enhanced_targeted_canary/images/Slide10.jpeg:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/f5devcentral/f5-bd-sre-demo/6bc0c2d266c3ed9902d8f0c051ba6bff142b3f47/sre-usecases/07-enhanced_targeted_canary/images/Slide10.jpeg


--------------------------------------------------------------------------------
/sre-usecases/07-enhanced_targeted_canary/images/Slide11.jpeg:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/f5devcentral/f5-bd-sre-demo/6bc0c2d266c3ed9902d8f0c051ba6bff142b3f47/sre-usecases/07-enhanced_targeted_canary/images/Slide11.jpeg


--------------------------------------------------------------------------------
/sre-usecases/07-enhanced_targeted_canary/images/Slide12.jpeg:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/f5devcentral/f5-bd-sre-demo/6bc0c2d266c3ed9902d8f0c051ba6bff142b3f47/sre-usecases/07-enhanced_targeted_canary/images/Slide12.jpeg


--------------------------------------------------------------------------------
/sre-usecases/07-enhanced_targeted_canary/images/Slide13.jpeg:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/f5devcentral/f5-bd-sre-demo/6bc0c2d266c3ed9902d8f0c051ba6bff142b3f47/sre-usecases/07-enhanced_targeted_canary/images/Slide13.jpeg


--------------------------------------------------------------------------------
/sre-usecases/07-enhanced_targeted_canary/images/Slide14.jpeg:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/f5devcentral/f5-bd-sre-demo/6bc0c2d266c3ed9902d8f0c051ba6bff142b3f47/sre-usecases/07-enhanced_targeted_canary/images/Slide14.jpeg


--------------------------------------------------------------------------------
/sre-usecases/07-enhanced_targeted_canary/images/Slide15.jpeg:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/f5devcentral/f5-bd-sre-demo/6bc0c2d266c3ed9902d8f0c051ba6bff142b3f47/sre-usecases/07-enhanced_targeted_canary/images/Slide15.jpeg


--------------------------------------------------------------------------------
/sre-usecases/07-enhanced_targeted_canary/images/Slide16.jpeg:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/f5devcentral/f5-bd-sre-demo/6bc0c2d266c3ed9902d8f0c051ba6bff142b3f47/sre-usecases/07-enhanced_targeted_canary/images/Slide16.jpeg


--------------------------------------------------------------------------------
/sre-usecases/07-enhanced_targeted_canary/images/Slide17.jpeg:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/f5devcentral/f5-bd-sre-demo/6bc0c2d266c3ed9902d8f0c051ba6bff142b3f47/sre-usecases/07-enhanced_targeted_canary/images/Slide17.jpeg


--------------------------------------------------------------------------------
/sre-usecases/07-enhanced_targeted_canary/images/Slide18.jpeg:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/f5devcentral/f5-bd-sre-demo/6bc0c2d266c3ed9902d8f0c051ba6bff142b3f47/sre-usecases/07-enhanced_targeted_canary/images/Slide18.jpeg


--------------------------------------------------------------------------------
/sre-usecases/07-enhanced_targeted_canary/images/Slide19.jpeg:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/f5devcentral/f5-bd-sre-demo/6bc0c2d266c3ed9902d8f0c051ba6bff142b3f47/sre-usecases/07-enhanced_targeted_canary/images/Slide19.jpeg


--------------------------------------------------------------------------------
/sre-usecases/07-enhanced_targeted_canary/images/Slide20.jpeg:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/f5devcentral/f5-bd-sre-demo/6bc0c2d266c3ed9902d8f0c051ba6bff142b3f47/sre-usecases/07-enhanced_targeted_canary/images/Slide20.jpeg


--------------------------------------------------------------------------------
/sre-usecases/07-enhanced_targeted_canary/images/Slide21.jpeg:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/f5devcentral/f5-bd-sre-demo/6bc0c2d266c3ed9902d8f0c051ba6bff142b3f47/sre-usecases/07-enhanced_targeted_canary/images/Slide21.jpeg


--------------------------------------------------------------------------------
/sre-usecases/07-enhanced_targeted_canary/images/Slide22.jpeg:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/f5devcentral/f5-bd-sre-demo/6bc0c2d266c3ed9902d8f0c051ba6bff142b3f47/sre-usecases/07-enhanced_targeted_canary/images/Slide22.jpeg


--------------------------------------------------------------------------------
/sre-usecases/07-enhanced_targeted_canary/images/Slide23.jpeg:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/f5devcentral/f5-bd-sre-demo/6bc0c2d266c3ed9902d8f0c051ba6bff142b3f47/sre-usecases/07-enhanced_targeted_canary/images/Slide23.jpeg


--------------------------------------------------------------------------------
/sre-usecases/07-enhanced_targeted_canary/images/Slide24.jpeg:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/f5devcentral/f5-bd-sre-demo/6bc0c2d266c3ed9902d8f0c051ba6bff142b3f47/sre-usecases/07-enhanced_targeted_canary/images/Slide24.jpeg


--------------------------------------------------------------------------------
/sre-usecases/07-enhanced_targeted_canary/images/Slide25.jpeg:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/f5devcentral/f5-bd-sre-demo/6bc0c2d266c3ed9902d8f0c051ba6bff142b3f47/sre-usecases/07-enhanced_targeted_canary/images/Slide25.jpeg


--------------------------------------------------------------------------------
/sre-usecases/07-enhanced_targeted_canary/images/Slide26.jpeg:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/f5devcentral/f5-bd-sre-demo/6bc0c2d266c3ed9902d8f0c051ba6bff142b3f47/sre-usecases/07-enhanced_targeted_canary/images/Slide26.jpeg


--------------------------------------------------------------------------------
/sre-usecases/07-enhanced_targeted_canary/images/Slide27.jpeg:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/f5devcentral/f5-bd-sre-demo/6bc0c2d266c3ed9902d8f0c051ba6bff142b3f47/sre-usecases/07-enhanced_targeted_canary/images/Slide27.jpeg


--------------------------------------------------------------------------------
/sre-usecases/07-enhanced_targeted_canary/images/Slide29.jpeg:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/f5devcentral/f5-bd-sre-demo/6bc0c2d266c3ed9902d8f0c051ba6bff142b3f47/sre-usecases/07-enhanced_targeted_canary/images/Slide29.jpeg


--------------------------------------------------------------------------------
/sre-usecases/07-enhanced_targeted_canary/images/Slide30.jpeg:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/f5devcentral/f5-bd-sre-demo/6bc0c2d266c3ed9902d8f0c051ba6bff142b3f47/sre-usecases/07-enhanced_targeted_canary/images/Slide30.jpeg


--------------------------------------------------------------------------------
/sre-usecases/07-enhanced_targeted_canary/images/Slide31.jpeg:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/f5devcentral/f5-bd-sre-demo/6bc0c2d266c3ed9902d8f0c051ba6bff142b3f47/sre-usecases/07-enhanced_targeted_canary/images/Slide31.jpeg


--------------------------------------------------------------------------------
/sre-usecases/07-enhanced_targeted_canary/images/Slide32.jpeg:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/f5devcentral/f5-bd-sre-demo/6bc0c2d266c3ed9902d8f0c051ba6bff142b3f47/sre-usecases/07-enhanced_targeted_canary/images/Slide32.jpeg


--------------------------------------------------------------------------------
/sre-usecases/07-enhanced_targeted_canary/images/Slide33.jpeg:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/f5devcentral/f5-bd-sre-demo/6bc0c2d266c3ed9902d8f0c051ba6bff142b3f47/sre-usecases/07-enhanced_targeted_canary/images/Slide33.jpeg


--------------------------------------------------------------------------------
/sre-usecases/07-enhanced_targeted_canary/images/Slide34.jpeg:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/f5devcentral/f5-bd-sre-demo/6bc0c2d266c3ed9902d8f0c051ba6bff142b3f47/sre-usecases/07-enhanced_targeted_canary/images/Slide34.jpeg


--------------------------------------------------------------------------------
/sre-usecases/07-enhanced_targeted_canary/images/Slide35.jpeg:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/f5devcentral/f5-bd-sre-demo/6bc0c2d266c3ed9902d8f0c051ba6bff142b3f47/sre-usecases/07-enhanced_targeted_canary/images/Slide35.jpeg


--------------------------------------------------------------------------------
/sre-usecases/07-enhanced_targeted_canary/images/Slide36.jpeg:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/f5devcentral/f5-bd-sre-demo/6bc0c2d266c3ed9902d8f0c051ba6bff142b3f47/sre-usecases/07-enhanced_targeted_canary/images/Slide36.jpeg


--------------------------------------------------------------------------------
/sre-usecases/07-enhanced_targeted_canary/images/Slide37.jpeg:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/f5devcentral/f5-bd-sre-demo/6bc0c2d266c3ed9902d8f0c051ba6bff142b3f47/sre-usecases/07-enhanced_targeted_canary/images/Slide37.jpeg


--------------------------------------------------------------------------------
/sre-usecases/07-enhanced_targeted_canary/images/Slide38.jpeg:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/f5devcentral/f5-bd-sre-demo/6bc0c2d266c3ed9902d8f0c051ba6bff142b3f47/sre-usecases/07-enhanced_targeted_canary/images/Slide38.jpeg


--------------------------------------------------------------------------------
/sre-usecases/07-enhanced_targeted_canary/images/Slide39.jpeg:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/f5devcentral/f5-bd-sre-demo/6bc0c2d266c3ed9902d8f0c051ba6bff142b3f47/sre-usecases/07-enhanced_targeted_canary/images/Slide39.jpeg


--------------------------------------------------------------------------------
/sre-usecases/07-enhanced_targeted_canary/images/Slide40.jpeg:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/f5devcentral/f5-bd-sre-demo/6bc0c2d266c3ed9902d8f0c051ba6bff142b3f47/sre-usecases/07-enhanced_targeted_canary/images/Slide40.jpeg


--------------------------------------------------------------------------------
/sre-usecases/07-enhanced_targeted_canary/images/Slide41.jpeg:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/f5devcentral/f5-bd-sre-demo/6bc0c2d266c3ed9902d8f0c051ba6bff142b3f47/sre-usecases/07-enhanced_targeted_canary/images/Slide41.jpeg


--------------------------------------------------------------------------------
/sre-usecases/07-enhanced_targeted_canary/images/Slide42.jpeg:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/f5devcentral/f5-bd-sre-demo/6bc0c2d266c3ed9902d8f0c051ba6bff142b3f47/sre-usecases/07-enhanced_targeted_canary/images/Slide42.jpeg


--------------------------------------------------------------------------------
/sre-usecases/07-enhanced_targeted_canary/images/Slide43.jpeg:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/f5devcentral/f5-bd-sre-demo/6bc0c2d266c3ed9902d8f0c051ba6bff142b3f47/sre-usecases/07-enhanced_targeted_canary/images/Slide43.jpeg


--------------------------------------------------------------------------------
/sre-usecases/07-enhanced_targeted_canary/images/Slide45.jpeg:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/f5devcentral/f5-bd-sre-demo/6bc0c2d266c3ed9902d8f0c051ba6bff142b3f47/sre-usecases/07-enhanced_targeted_canary/images/Slide45.jpeg


--------------------------------------------------------------------------------
/sre-usecases/07-enhanced_targeted_canary/images/Slide47.jpeg:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/f5devcentral/f5-bd-sre-demo/6bc0c2d266c3ed9902d8f0c051ba6bff142b3f47/sre-usecases/07-enhanced_targeted_canary/images/Slide47.jpeg


--------------------------------------------------------------------------------
/sre-usecases/07-enhanced_targeted_canary/images/Slide48.jpeg:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/f5devcentral/f5-bd-sre-demo/6bc0c2d266c3ed9902d8f0c051ba6bff142b3f47/sre-usecases/07-enhanced_targeted_canary/images/Slide48.jpeg


--------------------------------------------------------------------------------
/sre-usecases/07-enhanced_targeted_canary/images/Slide49.jpeg:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/f5devcentral/f5-bd-sre-demo/6bc0c2d266c3ed9902d8f0c051ba6bff142b3f47/sre-usecases/07-enhanced_targeted_canary/images/Slide49.jpeg


--------------------------------------------------------------------------------
/sre-usecases/07-enhanced_targeted_canary/images/Slide50.jpg:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/f5devcentral/f5-bd-sre-demo/6bc0c2d266c3ed9902d8f0c051ba6bff142b3f47/sre-usecases/07-enhanced_targeted_canary/images/Slide50.jpg


--------------------------------------------------------------------------------
/sre-usecases/07-enhanced_targeted_canary/images/Slide51.jpeg:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/f5devcentral/f5-bd-sre-demo/6bc0c2d266c3ed9902d8f0c051ba6bff142b3f47/sre-usecases/07-enhanced_targeted_canary/images/Slide51.jpeg


--------------------------------------------------------------------------------
/sre-usecases/07-enhanced_targeted_canary/images/Slide52.jpeg:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/f5devcentral/f5-bd-sre-demo/6bc0c2d266c3ed9902d8f0c051ba6bff142b3f47/sre-usecases/07-enhanced_targeted_canary/images/Slide52.jpeg


--------------------------------------------------------------------------------
/sre-usecases/07-enhanced_targeted_canary/images/Slide6.jpeg:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/f5devcentral/f5-bd-sre-demo/6bc0c2d266c3ed9902d8f0c051ba6bff142b3f47/sre-usecases/07-enhanced_targeted_canary/images/Slide6.jpeg


--------------------------------------------------------------------------------
/sre-usecases/07-enhanced_targeted_canary/images/Slide7.jpeg:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/f5devcentral/f5-bd-sre-demo/6bc0c2d266c3ed9902d8f0c051ba6bff142b3f47/sre-usecases/07-enhanced_targeted_canary/images/Slide7.jpeg


--------------------------------------------------------------------------------
/sre-usecases/07-enhanced_targeted_canary/images/Slide8.jpeg:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/f5devcentral/f5-bd-sre-demo/6bc0c2d266c3ed9902d8f0c051ba6bff142b3f47/sre-usecases/07-enhanced_targeted_canary/images/Slide8.jpeg


--------------------------------------------------------------------------------
/sre-usecases/07-enhanced_targeted_canary/images/Slide9.jpeg:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/f5devcentral/f5-bd-sre-demo/6bc0c2d266c3ed9902d8f0c051ba6bff142b3f47/sre-usecases/07-enhanced_targeted_canary/images/Slide9.jpeg


--------------------------------------------------------------------------------
/sre-usecases/07-enhanced_targeted_canary/images/enhanced_1-1.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/f5devcentral/f5-bd-sre-demo/6bc0c2d266c3ed9902d8f0c051ba6bff142b3f47/sre-usecases/07-enhanced_targeted_canary/images/enhanced_1-1.png


--------------------------------------------------------------------------------