├── .gitignore
├── CONTRIBUTING.md
├── README.md
├── docs
    └── istio.md
└── static
    ├── images
        ├── app_architecture.png
        ├── bluecompute_ce.png
        ├── bluecompute_web_home.png
        ├── diagram_bluecompute_istio.png
        ├── diagram_bluecompute_openshift.png
        ├── grafana_1_home.png
        ├── grafana_2_dashboard_select.png
        ├── grafana_3_web_dashboard.png
        ├── grafana_4_catalog_dashboard.png
        ├── jaeger_1_home.png
        ├── jaeger_2_web.png
        ├── jaeger_3_web_catalog.png
        ├── kiali_1_login.png
        ├── kiali_2_home.png
        ├── kiali_3_default_graph.png
        ├── kiali_4_gateway_web.png
        ├── kiali_5_web_status.png
        ├── kiali_6_workloads_web_info.png
        ├── kiali_7_services_catalog_destination.png
        ├── kiali_8_istio_config.png
        ├── microprofile_small.png
        ├── service_graph_1.png
        ├── service_graph_2_web.png
        └── spring_small.png
    └── templates
        ├── istio_auth_policies.yaml
        ├── istio_destination_rules.yaml
        ├── istio_gateway.yaml
        ├── istio_virtual_services.yaml
        ├── values-istio-basic.yaml
        ├── values-istio-gateway-tls.yaml
        └── values-istio-gateway.yaml

/.gitignore:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/ibm-cloud-architecture/refarch-cloudnative-kubernetes/882d3f3dd1b8f73d229201cd6a332070281371cd/.gitignore

--------------------------------------------------------------------------------
/CONTRIBUTING.md:
--------------------------------------------------------------------------------
## Contributing to IBM Cloud Architecture reference applications
Anyone can contribute to IBM Cloud Architecture reference applications and their associated projects, whether you are an IBMer or not.
We welcome your collaboration & contributions happily, as our reference applications are meant to reflect your real world scenarios.
There are multiple ways to contribute: report bugs and improvement suggestions, improve documentation, and contribute code.


## Bug reports, documentation changes, and feature requests

If you would like to contribute your experience with an IBM Cloud Architecture project back to the project in the form of encountered bug reports, necessary documentation changes, or new feature requests, this can be done through the use of the repository's [**Issues**](#) list.

Before opening a new issue, please reference the existing list to make sure a similar or duplicate item does not already exist. Otherwise, please be as explicit as possible when creating the new item and be sure to include the following:

- **Bug reports**
  - Specific Project Version
  - Deployment environment
  - A minimal, but complete, setup of steps to recreate the problem
- **Documentation changes**
  - URL to existing incorrect or incomplete documentation (either in the project's GitHub repo or external product documentation)
  - Updates required to correct current inconsistency
  - If possible, a link to a project fork, sample, or workflow to expose the gap in documentation.
- **Feature requests**
  - Complete description of project feature request, including but not limited to, components of the existing project that are impacted, as well as additional components that may need to be created.
  - A minimal, but complete, setup of steps to recreate environment necessary to identify the new feature's current gap.

The more explicit and thorough you are in opening GitHub Issues, the more efficient your interaction with the maintainers will be. When creating the GitHub Issue for your bug report, documentation change, or feature request, be sure to add as many relevant labels as necessary (that are defined for that specific project). These will vary by project, but will be helpful to the maintainers in quickly triaging your new GitHub issues.

## Code contributions

We really value contributions, and to maximize the impact of code contributions, we request that any contributions follow the guidelines below. If you are new to open source contribution and would like some more pointers or guidance, you may want to check out [**Your First PR**](http://yourfirstpr.github.io/) and [**First Timers Only**](https://www.firsttimersonly.com/). These are a few projects that help on-board new contributors to the overall process.

### Coding and Pull Requests best practices
- Please ensure you follow the coding standard and code formatting used throughout the existing code base.
  - This may vary project by project, but any specific diversion from normal language standards will be explicitly noted.
- One feature / bug fix / documentation update per pull request
- Always pull the latest changes from upstream and rebase before creating any pull request.
- New pull requests should be created against the `integration` branch of the repository, if available.
  - This ensures new code is included in full-stack integration tests before being merged into the `master` branch
- All new features must be accompanied by associated tests.
  - Make sure all tests pass locally before submitting a pull request.
  - Include tests with every feature enhancement, improve tests with every bug fix

### Github and git flow

The internet is littered with guides and information on how to use and understand git.
However, here's a compact guide that follows the suggested workflow

![Github flow](https://ibm-cloud-architecture.github.io/assets/img/github_flow.png)

1. Fork the desired repo in github.

2. Clone your repo to your local computer.

3. Add the upstream repository

    Note: Guide for step 1-3 here: [forking a repo](https://help.github.com/articles/fork-a-repo/)

4. Create new development branch off the targeted upstream branch. This will often be `master`.

    ```
    # <your-branch> is a placeholder for the name of your new development branch
    git checkout -b <your-branch> master
    ```

5. Do your work:
   - Write your code
   - Write your tests
   - Pass your tests locally
   - Commit your intermediate changes as you go and as appropriate
   - Repeat until satisfied

6. Fetch latest upstream changes (in case other changes had been delivered upstream while you were developing your new feature).

    ```
    git fetch upstream
    ```
7. Rebase to the latest upstream changes, resolving any conflicts. This will 'replay' your local commits, one by one, after the changes delivered upstream while you were locally developing, letting you manually resolve any conflict.

    ```
    git branch --set-upstream-to=upstream/master
    git rebase
    ```
    Instructions on how to manually resolve a conflict and commit the new change or skip your local replayed commit will be presented on screen by the git CLI.

8. Push the changes to your repository

    ```
    git push origin
    ```

9. Create a pull request against the same targeted upstream branch.

    [Creating a pull request](https://help.github.com/articles/creating-a-pull-request/)

Once the pull request has been reviewed, accepted and merged into the main github repository, you should synchronise your remote and local forked github repository `master` branch with the upstream master branch. To do so:

10. Pull to your local forked repository the latest changes upstream (that is, the pull request).

    ```
    git pull upstream master
    ```

11. Push those latest upstream changes pulled locally to your remote forked repository.

    ```
    git push origin master
    ```

### What happens next?
- All pull requests will be automatically built and unit tested by travis-ci, when implemented by that specific project.
  - You can determine if a given project is enabled for travis-ci unit tests by the existence of a `.travis.yml` file in the root of the repository or branch.
  - When in use, all travis-ci unit tests must pass completely before any further review or discussion takes place.
- The repository maintainer will then inspect the commit and, if accepted, will pull the code into the upstream branch.
- Should a maintainer or reviewer ask for changes to be made to the pull request, these can be made locally and pushed to your forked repository and branch.
- Commits passing this stage will make it into the next release cycle for the given project.

--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
# Cloud Native Java Microservices - Reference implementation based on Kubernetes

## Table of Contents

* [Introduction](#introduction)
* [Architecture](#architecture)
* [Application Overview](#application-overview)
* [Implementation](#implementation)
* [References](#references)

## Introduction

This project provides a reference implementation for running a Cloud Native Application which leverages the [**Java MicroProfile**](https://microprofile.io/) and [**Spring Boot**](https://projects.spring.io/spring-boot/) technologies for its microservices. The target cloud environment for the application is a [**Kubernetes-based**](https://kubernetes.io/) platform which might be [**Minikube**](https://kubernetes.io/docs/getting-started-guides/minikube/) / [**Docker Edge**](https://docs.docker.com/edge/) for development stages and [**IBM Cloud**](https://www.ibm.com/cloud/) or [**IBM Cloud Private**](https://www.ibm.com/cloud-computing/products/ibm-cloud-private/) for production stages. Our project also supports [Istio](https://istio.io) as our service mesh, with our guide [here](./docs/istio.md) for further Istio details.

## Architecture

## Application Overview

The application is a simple store front shopping application that displays a catalog of antique computing devices, where users can search and buy products. It has a Web interface, and it relies on BFF (Backend for Frontend) services to interact with the backend data.

There are several components of this architecture.

* This OmniChannel application contains an [AngularJS](https://angularjs.org/) based web application. The diagram depicts it as a Browser.
* The Web app invokes its own backend Microservices to fetch data. We call these components BFFs, following the [Backend for Frontends](http://samnewman.io/patterns/architectural/bff/) pattern. The Web BFF is implemented using the Node.js Express Framework. These Microservices are packaged as Docker containers and managed by the Kubernetes cluster.
* These BFFs invoke another layer of reusable Java Microservices. They run inside a Kubernetes cluster, for example the [IBM Cloud Container Service](https://www.ibm.com/cloud-computing/bluemix/containers) or [IBM Cloud Private](https://www.ibm.com/cloud-computing/products/ibm-cloud-private/), using [Docker](https://www.docker.com/).
* The Java Microservices retrieve their data from the following databases:
  * The Catalog service retrieves items from a searchable JSON datasource using [ElasticSearch](https://www.elastic.co/).
  * The Customer service stores and retrieves Customer data from a searchable JSON datasource using [IBM Cloudant](https://www.ibm.com/cloud/cloudant)
  * The Inventory and Orders Services use separate instances of [MySQL](https://www.mysql.com/).

## Implementation

This application has been implemented using two of the most popular technologies used for Java microservices development.

* [**Java MicroProfile Implementation**](https://github.com/ibm-cloud-architecture/refarch-cloudnative-kubernetes/tree/microprofile#cloud-native-development-with-microprofile-websphere-liberty-and-ibm-cloud-private)
* [**Spring Boot Implementation**](https://github.com/ibm-cloud-architecture/refarch-cloudnative-kubernetes/tree/spring#run-a-cloud-native-microservices-application-on-a-kubernetes-cluster)

## References

* [Java MicroProfile](https://microprofile.io/)
* [Spring Boot](https://projects.spring.io/spring-boot/)
* [Kubernetes](https://kubernetes.io/)
* [Minikube](https://kubernetes.io/docs/getting-started-guides/minikube/)
* [Docker Edge](https://docs.docker.com/edge/)
* [IBM Cloud](https://www.ibm.com/cloud/)
* [IBM Cloud Private](https://www.ibm.com/cloud-computing/products/ibm-cloud-private/)

--------------------------------------------------------------------------------
/docs/istio.md:
--------------------------------------------------------------------------------
# Exploring Istio Service Mesh Features with the Microservices Reference Architecture Application


## Table of Contents

* [Introduction](#introduction)
* [Requirements](#requirements)
* [Blue-Compute Istiofied](#blue-compute-istiofied)
  * [Architecture](#architecture)
  * [Requirements for Pods and Services](#requirements-for-pods-and-services)
  * [Liveness and Readiness Probes](#liveness-and-readiness-probes)
  * [StatefulSet-Based Services](#statefulset-based-services)
  * [Custom Istio YAML Files](#custom-istio-yaml-files)
    * [Authentication Policy](#authentication-policy)
    * [Destination Rule](#destination-rule)
    * [Virtual Service](#virtual-service)
    * [Gateway](#gateway)
    * [Istio YAML files in the main bluecompute-ce chart](#istio-yaml-files-in-the-main-bluecompute-ce-chart)
  * [Recap](#recap)
* [Deploying Istio and the Istiofied Bluecompute Helm Chart](#deploying-istio-and-the-istiofied-bluecompute-helm-chart)
* [Validate the Application](#validate-the-application)
* [Telemetry & Tracing](#telemetry--tracing)
  * [Generating Load](#generating-load)
  * [Access Grafana Dashboard](#access-grafana-dashboard)
  * [Access Service Graph Dashboard](#access-service-graph-dashboard)
  * [Access Jaeger Tracing Dashboard](#access-jaeger-tracing-dashboard)
  * [Access Kiali Dashboard](#access-kiali-dashboard)
* [Cleanup](#cleanup)
* [Conclusion](#conclusion)

## Introduction

The journey to cloud-native microservices comes with great technical benefits. As we saw in the microservices reference
architecture (Bluecompute) we were able to deploy, update, test, and manage individual microservices that comprise the
overall application. By leveraging [Helm](https://helm.sh/), we are able to package these services into charts and
package those into an umbrella chart that deploys the entire application stack conveniently and quickly.

Having such flexibility comes at a price though. For example, the more microservices you have, the more complicated it
becomes to manage, deploy, update, monitor, and debug. Thankfully, the Kubernetes community acknowledged these
limitations and has provided us with the concept of a service mesh. As explained
[here](https://istio.io/docs/concepts/what-is-istio/#what-is-a-service-mesh), the term "service mesh" describes the
network of microservices that make up applications and the interactions between them. Examples of service mesh projects
include [OpenShift](https://www.openshift.com/), developed by RedHat, and [Istio](https://istio.io/), co-developed by
IBM and Google. Featured in Bluecompute, Istio aims to help you connect, secure, control, and observe your services in
a standardized and language-agnostic way that doesn't require any code changes to the services.

## Requirements

* Kubernetes Cluster
  * [IBM Cloud Kubernetes Service](https://www.ibm.com/cloud/container-service) - Create a Kubernetes cluster in IBM
    Cloud. The application runs in the Lite cluster, which is free of charge. Follow the instructions
    [here](https://console.bluemix.net/docs/containers/container_index.html).
  * [IBM Cloud Private](https://www.ibm.com/cloud/private) - Create a Kubernetes cluster in an on-premise datacenter.
    The community edition (IBM Cloud Private CE) is free of charge. Follow the instructions
    [here](https://www.ibm.com/support/knowledgecenter/en/SSBS6K_3.1.0/installing/installing.html) to install IBM Cloud Private CE.
* [kubectl](https://kubernetes.io/docs/user-guide/kubectl-overview/) (Kubernetes CLI) - Follow the instructions
  [here](https://kubernetes.io/docs/tasks/tools/install-kubectl/) to install it on your platform.
* [helm](https://github.com/kubernetes/helm) (Kubernetes package manager) - Follow the instructions
  [here](https://github.com/kubernetes/helm/blob/master/docs/install.md) to install it on your platform.
  * If using `IBM Cloud Private`, we recommend you follow these
    [instructions](https://www.ibm.com/support/knowledgecenter/SSBS6K_3.1.0/app_center/create_helm_cli.html) to install `helm`.
  * If using IBM Cloud Kubernetes Service (IKS), please use the most up-to-date version of helm

## Blue-Compute Istiofied

As with any complex application architecture, we had to make some changes to fully support the `bluecompute-ce`
application in the Istio service mesh. Luckily, those changes were minimal but were necessary to leverage most of
Istio's features and follow best practices.

### Architecture

![Architecture](../static/images/diagram_bluecompute_istio.png)

You will notice that, compared to the original [architecture diagram](../static/images/app_architecture.png), the
overall application remains the same with a few additions:

* Instead of an Ingress Controller or NodePort, the application is now made publicly available via the Istio Ingress Gateway.
* All service pods now have an [Envoy Proxy](https://istio.io/docs/concepts/what-is-istio/#envoy) sidecar container,
  which intercepts and routes traffic from the application container to and from the other services.
  * The exceptions are the [StatefulSet-Based Services](#statefulset-based-services) (Elasticsearch, CouchDB, and MariaDB),
    which don't work well with Istio at the moment.
  * All details are explained in the [StatefulSet-Based Services](#statefulset-based-services) section.
* The Envoy proxy can also be used to establish Mutual TLS connections between the services if desired, which we will
  explain in later sections.
* The Envoy proxy is also used to collect rich metrics, which we will explore in later sections.

A majority of the application was successfully modified to work with and leverage Istio's features. For the services
that couldn't be made to work with Istio, we were still able to expose them to the service mesh and establish
connections with those services in the service mesh. More details on that in a later section.

Now let's go over what it took to get services to work with Istio in more detail.

### Requirements for Pods and Services

Istio needs basic information from each service in order to do things such as routing traffic between multiple service
versions and adding contextual information for its distributed tracing and telemetry features.

The first requirement, which we fortunately had already implemented, was to name the service ports using the protocol
name. For the bluecompute service, the service ports were named `http`.

The second requirement was to have explicit `app` and `version` labels for each service deployment. Having these labels
provides Istio with enough context for its routing, tracing, and telemetry features, which we will explore in the
later sections.

Here is the YAML for the Inventory service, which includes the named `http` port and both the `app` and `version`
labels:

To learn more about all the requirements for pods and services, please look at Istio's
[official documentation](https://istio.io/docs/setup/kubernetes/spec-requirements/).

### Liveness and Readiness Probes

Liveness and Readiness probes are used in Kubernetes to run continuous health checks to determine if a deployment is
healthy or not. When you bring Istio into the picture, the probes may stop working if you enable Mutual TLS encryption
between services, which makes Kubernetes erroneously think that the services are unhealthy. They stop working because
the liveness and readiness probes are run by the kubelets, which are not part of the service mesh
and, therefore, do not benefit from Istio's Mutual TLS.

Since we knew in advance that we wanted to use Mutual TLS between our services, we knew we had to find a way to
implement liveness and readiness probes that would work in environments with Mutual TLS enabled or disabled.

For further details, here are the implementation-specific details for
[Spring](https://github.com/ibm-cloud-architecture/refarch-cloudnative-kubernetes/tree/spring/docs/istio#liveness-and-readiness-probes).

### StatefulSet-Based Services

In the `bluecompute-ce` chart we use a combination of Deployment and StatefulSet services to run the entire application.
The StatefulSet services in the `bluecompute-ce` application include `Elasticsearch`, `MariaDB`, and `CouchDB`.
These services benefit from StatefulSets because they provide a sticky identity for each of their pods, which is
essential to keep the stateful nature of these services.

Unfortunately, Istio does not fully support StatefulSets yet, which prevents the Elasticsearch, MariaDB, and CouchDB
services from starting. If you look at the following document, it says that if you disable Mutual TLS, the StatefulSet
services should just work, but that's not the case for these
[workloads](https://istio.io/docs/setup/kubernetes/quick-start/#option-1-install-istio-without-mutual-tls-authentication-between-sidecars).

**NOTE:** If you want to find out more about Istio and StatefulSets and whether it will be supported, here is an
[issue](https://github.com/istio/istio/issues/10659) that is currently tracking support for StatefulSets in Istio.

In the meantime, we had to figure out another way to make the StatefulSet services work in Istio, even when Mutual TLS is enabled for the non-StatefulSet workloads. After doing some reading, we ended up doing the following:

* Disabling automatic sidecar injection in Elasticsearch, MariaDB, and CouchDB.
  * We accomplished this by passing the `sidecar.istio.io/inject: "false"` annotation to their respective StatefulSets.
    Here is how it was done for each of those services:
    * [values-istio-basic.yaml#L166](../static/templates/values-istio-basic.yaml#L166)
    * [values-istio-basic.yaml#L175](../static/templates/values-istio-basic.yaml#L175)
    * [values-istio-basic.yaml#L184](../static/templates/values-istio-basic.yaml#L184)
    * [values-istio-basic.yaml#L265](../static/templates/values-istio-basic.yaml#L265)
    * [values-istio-basic.yaml#L424](../static/templates/values-istio-basic.yaml#L424)
    * [values-istio-basic.yaml#L413](../static/templates/values-istio-basic.yaml#L413)
  * This effectively takes the services out of the service mesh, which allowed them to start normally.
  * However, by leaving the services out of the service mesh, we are preventing the services in the service mesh from
    communicating with these services when Mutual TLS is enabled, which we overcame with the following.
  * **NOTE:** Luckily, the Elasticsearch and MariaDB helm charts had the ability to let you provide custom annotations.
    However, for CouchDB, we had to fork and edit the chart to enable the ability to provide custom annotations, as
    shown in this [commit](https://github.com/fabiogomezdiaz/charts/commit/eb51b4f7f66837830385292b7d6220f8048a9537)
* Created `DestinationRules` that explicitly indicate that Mutual TLS is not needed to communicate with Elasticsearch,
  MariaDB, and CouchDB.

Here is a snippet of the Elasticsearch `DestinationRule`, where we disable the need for Mutual TLS:

```yaml
apiVersion: networking.istio.io/v1alpha3
kind: DestinationRule
metadata:
  name: {{ template "bluecompute.elasticsearch.client.fullname" . }}
spec:
  host: {{ template "bluecompute.elasticsearch.client.fullname" . }}.{{ .Release.Namespace }}.svc.cluster.local
  trafficPolicy:
    portLevelSettings:
    - port:
        number: 9200
      tls:
        mode: DISABLE
    - port:
        number: 9300
      tls:
        mode: DISABLE
```

By doing the above for Elasticsearch, MariaDB, and CouchDB, the services were able to start and we were able to have the
Istio-enabled services communicate with them. If you are curious what all the Destination Rules look like for these
services, take a look at them [here](../static/templates/istio_destination_rules.yaml)

**NOTE:** The following article was useful for determining when to
[disable sidecar injection](https://istio.io/help/ops/setup/injection/).
187 | 188 | ### Custom Istio YAML Files 189 | 190 | By doing the stuff we talked about above, the entire `bluecompute-ce` application is now able to leverage most of 191 | Istio's features automatically, such as automatic sidecar injection, Mutual TLS, Telemetry and Tracing. 192 | 193 | It is great to have Istio automatically inject sidecars, configure Authentication Policies (Mutual TLS), Destination 194 | Rules, and Virtual Services for you. However, sometimes your individual services might require more granular control. 195 | Perhaps not all application services can benefit from or require Mutual TLS. Perhaps, like in the case with 196 | Elasticsearch, MariaDB, and CouchDB, not all of your existing application services meet the requirements for service 197 | mesh support and must be handled on a 1x1 basis. In such cases, having Istio automatically handle everything for you is 198 | not ideal and you have to manually configure Istio settings for your services. 199 | 200 | In this section, we are going to cover 3 basic Istio YAML files that are present on each microservice's Helm chart: 201 | 202 | * Authentication Policy. 203 | * Destination Rule. 204 | * Virtual Service. 205 | * Gateway. 206 | 207 | #### Authentication Policy 208 | 209 | Istio allows you to configure Transport Authentication (Mutual TLS), also known as service-to-service authentication, 210 | on multiple levels: cluster, namespace, and service. To create a Service-specific Policy, let's look at the Inventory 211 | service policy: 212 | 213 | ```yaml 214 | apiVersion: "authentication.istio.io/v1alpha1" 215 | kind: "Policy" 216 | metadata: 217 | name: {{ template "inventory.fullname" . }} 218 | spec: 219 | targets: 220 | - name: {{ template "inventory.fullname" . 
}} 221 | ports: 222 | - number: {{ .Values.service.externalPort }} 223 | peers: 224 | {{- if eq .Values.istio.mTLS "ISTIO_MUTUAL" }} 225 | - mtls: {} 226 | {{- end }} 227 | ``` 228 | 229 | Where: 230 | 231 | * `spec.targets[0].ports[0].number` is the service port where this policy will be applied. 232 | * **NOTE:** This port is the service's application port, and NOT the management/health port used in liveness and 233 | readiness probes. 234 | * `spec.peers[0].mtls` is section that, if provided, enables Mutual TLS for the port above. 235 | * At the time of writing, there are no additional settings to configure for Mutual TLS, hence the value of `{}` in the 236 | `mtls` field. 237 | 238 | By using the above service-specific policy, Istio will isolate this service from any namespace or cluster specific policies. 239 | 240 | To learn more about Authentication Policies, read the this 241 | [document](https://istio.io/docs/concepts/security/#authentication-policies). 242 | 243 | #### Destination Rule 244 | 245 | A `DestinationRule` configures the set of policies to be applied to a request after VirtualService (explained in the 246 | following section) routing has occurred. They describe the circuit breakers, load balancer settings, TLS settings, and 247 | other settings for a specific service. A single `DestinationRule` can also include settings for multiple 248 | subsets/versions of the same service. Let's take a look at the Inventory service Destination Rule: 249 | 250 | ```yaml 251 | apiVersion: networking.istio.io/v1alpha3 252 | kind: DestinationRule 253 | metadata: 254 | name: {{ template "inventory.fullname" . }} 255 | spec: 256 | host: {{ template "inventory.fullname" . 
}}.{{ .Release.Namespace }}.svc.cluster.local 257 | trafficPolicy: 258 | loadBalancer: 259 | simple: {{ .Values.istio.loadBalancer }} 260 | portLevelSettings: 261 | - port: 262 | number: {{ .Values.service.externalPort }} 263 | tls: 264 | mode: {{ .Values.istio.mTLS }} 265 | subsets: 266 | - name: v1 267 | labels: 268 | version: v1 269 | ``` 270 | 271 | Where: 272 | 273 | * `spec.host` is the Fully Qualified Domain Name of the service in question. 274 | * `spec.trafficPolicy.loadBalancer.simple` is where you define the type of load balancing to apply on the service. 275 | * `spec.trafficPolicy.portLevelSettings` is where you specify the TLS mode for this service and the port number to 276 | apply it to. 277 | * **NOTE:** This port is the service's application port, and NOT the management/health port used in liveness and 278 | readiness probes. 279 | * `spec.subsets` is where list the available subsets/versions of the service and their individual settings, if any. 280 | * If not version-specific settings are passed here, each version will inherit the settings listed above. 281 | 282 | 283 | To learn more about Destination Rules, read this 284 | [document](https://istio.io/docs/concepts/traffic-management/#destination-rules). 285 | 286 | #### Virtual Service 287 | 288 | The last thing. A `VirtualService` defines the rules that control how requests for a service are routed within an Istio 289 | service mesh. For example, a virtual service could route requests to different versions of a service or to a completely 290 | different service than was requested. Requests can be routed based on the request source and destination, HTTP paths and 291 | header fields, and weights associated with individual service versions. Let's take a look at the Inventory service 292 | Virtual Service: 293 | 294 | ```yaml 295 | apiVersion: networking.istio.io/v1alpha3 296 | kind: VirtualService 297 | metadata: 298 | name: {{ template "inventory.fullname" . 
}} 299 | spec: 300 | hosts: 301 | {{- if or .Values.istio.gateway.enabled .Values.istio.gateway.name .Values.global.istio.gateway.name }} 302 | {{ toYaml .Values.istio.gateway.hosts }} 303 | {{- else }} 304 | - {{ template "inventory.fullname" . }}.{{ .Release.Namespace }}.svc.cluster.local 305 | {{- end }} 306 | {{- template "inventory.istio.gateway" . }} 307 | http: 308 | - match: 309 | - uri: 310 | prefix: {{ .Values.ingress.path }} 311 | route: 312 | - destination: 313 | host: {{ template "inventory.fullname" . }}.{{ .Release.Namespace }}.svc.cluster.local 314 | port: 315 | number: {{ .Values.service.externalPort }} 316 | subset: v1 317 | ``` 318 | 319 | Where: 320 | 321 | * `spec.hosts` is where you specify the Fully Qualified Domain Names (FQDN) of the service in question. 322 | * As you can see, in this field there is some logic that determines which FQDN to use, which can be a single hostname 323 | of multiple. 324 | * When an Istio Gateway (explained in the following section) is used to expose the service outside of the cluster, 325 | you need to provide the FQDN(s) that is used to access that service in this list so that the Virtual Service can route 326 | the external request to the correct service. 327 | * If not using a Gateway, then you need provide the internal FQDN for the service, which is in the form of 328 | `service.namespace.svc.cluster.local`. 329 | * `spec.gateways` is where you provide the gateway names, if any, to bind the Virtual Service to in order to route 330 | external cluster traffic to the service. 331 | * **NOTE:** You can't see `spec.gateways` field in the YAML above directly because we are using a Helm template to 332 | handle the gateway logic. Having an empty list of gateway names will cause an error. 333 | * `spec.http[0].match[0].uri.prefix` is where you specify the request path(s) that will be routed to the service. 334 | * `spec.http[0].route[0].destination.host` is the FQDN of the service to route the request path to. 
335 | * This is useful if you want to route different paths to different subsets/versions of your service. 336 | * `spec.http[0].route[0].destination.port.number` is the application port number for the service subset/version. 337 | * `spec.http[0].route[0].destination.subset` is the subset/version to route the request to. 338 | 339 | Even though we are only using one subset/version for our service, from the YAML above you can already see how easy it is 340 | to apply routing rules for multiple service versions from one place. 341 | 342 | To learn more about Virtual Services, read this 343 | [document](https://istio.io/docs/concepts/traffic-management/#virtual-services). 344 | 345 | #### Gateway 346 | 347 | The last custom Istio YAML file we are going to look at is an Istio Gateway. A `Gateway` configures a load balancer for 348 | HTTP/TCP traffic, most commonly operating at the edge of the mesh to enable ingress traffic for an application. 349 | 350 | Unlike Kubernetes Ingress, Istio Gateway only configures the L4-L6 functions (for example, ports to expose, 351 | TLS configuration). Users can then use standard Istio rules to control HTTP requests as well as TCP traffic entering a 352 | Gateway by binding a VirtualService to it. Let's take a look at the Inventory service Gateway: 353 | 354 | ```yaml 355 | apiVersion: networking.istio.io/v1alpha3 356 | kind: Gateway 357 | metadata: 358 | name: {{ template "inventory.fullname" . 
}}-gateway 359 | spec: 360 | selector: 361 | istio: ingressgateway 362 | servers: 363 | - port: 364 | number: 80 365 | name: http 366 | protocol: HTTP 367 | tls: 368 | httpsRedirect: {{ .Values.istio.gateway.TLS.httpsRedirect }} 369 | hosts: 370 | {{ toYaml .Values.istio.gateway.hosts }} 371 | {{- if .Values.istio.gateway.TLS.enabled }} 372 | - port: 373 | number: 443 374 | name: https 375 | protocol: HTTPS 376 | tls: 377 | mode: {{ .Values.istio.gateway.TLS.mode }} 378 | serverCertificate: {{ .Values.istio.gateway.TLS.serverCertificate }} 379 | privateKey: {{ .Values.istio.gateway.TLS.privateKey }} 380 | {{- if and (eq .Values.istio.gateway.TLS.mode "MUTUAL") .Values.istio.gateway.TLS.caCertificates }} 381 | caCertificates: {{ .Values.istio.gateway.TLS.caCertificates }} 382 | {{- end }} 383 | hosts: 384 | {{ toYaml .Values.istio.gateway.hosts }} 385 | ``` 386 | 387 | Where: 388 | 389 | * `spec.servers[0].port` is where you can specify the port number (80 or 443), name, and protocol (HTTP or HTTPS) 390 | supported by the Gateway. 391 | * `spec.servers[0].tls` is where you can provide TLS settings for the port, such as `httpsRedirect` (to redirect HTTP 392 | traffic to HTTPS), TLS mode (Simple TLS, Mutual TLS, or none), and TLS certificate files (via `serverCertificate`, 393 | `privateKey`, and `caCertificates`). 394 | * `spec.servers[0].hosts` is where you provide the external FQDN(s) used to route traffic into the cluster. 395 | 396 | Remember that in order to leverage the gateway, the gateway must be bound to a `Virtual Service` by putting the gateway 397 | name in the `spec.gateways` field of the Virtual Service, as shown in the previous section. 398 | 399 | Assuming you enabled the gateway and bound it to the Virtual Service correctly, Istio will route external traffic to 400 | your service and collect Telemetry and Tracing information for it as well. 
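An added example (not part of this repository's code): a small Python audit of the TLS settings described in the Destination Rule and Gateway sections above, run over JSON shaped like the output of `kubectl get gateway,destinationrule -o json`. The object names, hosts, certificate paths and finding labels are constructed for illustration, and the example assumes an Istio release without automatic mTLS, so an unset client-side TLS mode is reported alongside `DISABLE`.

```python
import json
from collections import namedtuple

Finding = namedtuple("Finding", "kind name port issue")

# Constructed sample, shaped like `kubectl get gateway,destinationrule -o json`.
# Names, hosts and certificate paths are made up for this example.
SAMPLE_JSON = """
{"kind": "List", "items": [
  {"kind": "Gateway", "metadata": {"name": "inventory-gateway"},
   "spec": {"selector": {"istio": "ingressgateway"}, "servers": [
     {"port": {"number": 80, "name": "http", "protocol": "HTTP"},
      "tls": {"httpsRedirect": false},
      "hosts": ["inventory.example.test"]},
     {"port": {"number": 443, "name": "https", "protocol": "HTTPS"},
      "tls": {"mode": "MUTUAL",
              "serverCertificate": "/etc/certs/example/tls.crt",
              "privateKey": "/etc/certs/example/tls.key"},
      "hosts": ["inventory.example.test"]}]}},
  {"kind": "DestinationRule", "metadata": {"name": "inventory"},
   "spec": {"host": "inventory.default.svc.cluster.local",
            "trafficPolicy": {"portLevelSettings": [
              {"port": {"number": 8080}, "tls": {"mode": "ISTIO_MUTUAL"}}]}}},
  {"kind": "DestinationRule", "metadata": {"name": "elasticsearch-client"},
   "spec": {"host": "elasticsearch-client.default.svc.cluster.local",
            "trafficPolicy": {"portLevelSettings": [
              {"port": {"number": 9200}, "tls": {"mode": "DISABLE"}},
              {"port": {"number": 9300}, "tls": {"mode": "DISABLE"}}]}}}
]}
"""
SAMPLE = json.loads(SAMPLE_JSON)


def audit_gateway(obj):
    """Check the ingress-side settings under `spec.servers[*]`."""
    name = obj["metadata"]["name"]
    findings, has_tls_server = [], False
    for server in obj.get("spec", {}).get("servers", []):
        port = server.get("port", {})
        number = port.get("number")
        protocol = str(port.get("protocol", "")).upper()
        tls = server.get("tls") or {}
        if protocol == "HTTP":
            # A plain HTTP listener should only exist to redirect to HTTPS.
            if tls.get("httpsRedirect") is not True:
                findings.append(Finding("Gateway", name, number,
                                        "http-without-https-redirect"))
        elif protocol in ("HTTPS", "TLS"):
            has_tls_server = True
            mode = tls.get("mode")
            # credentialName (secret-based certs) replaces the file paths.
            from_secret = bool(tls.get("credentialName"))
            has_files = tls.get("serverCertificate") and tls.get("privateKey")
            if mode in ("SIMPLE", "MUTUAL") and not (from_secret or has_files):
                findings.append(Finding("Gateway", name, number,
                                        "missing-server-certificate"))
            # The template above omits caCertificates when the value is empty,
            # which leaves a MUTUAL server with no CA to verify clients against.
            if mode == "MUTUAL" and not (from_secret or tls.get("caCertificates")):
                findings.append(Finding("Gateway", name, number,
                                        "mutual-tls-without-ca"))
    if not has_tls_server:
        findings.append(Finding("Gateway", name, None, "no-tls-server"))
    return findings


def audit_destination_rule(obj):
    """Report ports whose client-side TLS mode is DISABLE or not set."""
    name = obj["metadata"]["name"]
    policy = obj.get("spec", {}).get("trafficPolicy") or {}
    findings = []
    for setting in policy.get("portLevelSettings", []):
        number = setting.get("port", {}).get("number")
        # Assumption in this example: no auto mTLS, so an empty mode
        # (e.g. an empty Helm value) means the sidecar sends plaintext.
        mode = (setting.get("tls") or {}).get("mode")
        if mode is None or mode == "DISABLE":
            findings.append(Finding("DestinationRule", name, number,
                                    "tls-" + (mode or "unset").lower()))
    return findings


AUDITORS = {"Gateway": audit_gateway, "DestinationRule": audit_destination_rule}


def audit(document):
    """Accept a single object or a kubectl `List` and collect all findings."""
    kind = document.get("kind")
    items = document.get("items", []) if kind == "List" else [document]
    findings = []
    for obj in items:
        check = AUDITORS.get(obj.get("kind"))
        if check:
            findings.extend(check(obj))
    return findings


if __name__ == "__main__":
    for f in audit(SAMPLE):
        print(f"{f.kind}/{f.name} port={f.port}: {f.issue}")
```

The `DISABLE` findings on ports 9200 and 9300 mirror the Elasticsearch rule in `istio_destination_rules.yaml`; treat them as a list of connections to review, since the data store charts there sit outside the mesh by design.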
401 | 402 | To learn more about Gateways, read this [document](https://istio.io/docs/concepts/traffic-management/#gateways). 403 | 404 | #### Istio YAML files in the main bluecompute-ce chart 405 | 406 | All the Istio YAML files we talked about in the sections above are mostly specific to the individual microservice charts. 407 | The main `bluecompute-ce` chart leverages those YAML files along with additional Istio YAML files meant for the services' 408 | Community Charts (MySQL, Elasticsearch, MariaDB, and CouchDB) that we cannot edit directly. If you are curious to 409 | learn about those files, check them out here: 410 | 411 | * [istio_auth_policies.yaml](../static/templates/istio_auth_policies.yaml) 412 | * [istio_destination_rules.yaml](../static/templates/istio_destination_rules.yaml) 413 | * [istio_virtual_services.yaml](../static/templates/istio_virtual_services.yaml) 414 | 415 | The `bluecompute-ce` chart disables all of the individual gateways in favor of a global gateway, which you can check out here: 416 | 417 | * [istio_gateway.yaml](../static/templates/istio_gateway.yaml) 418 | 419 | Lastly, in order to avoid tweaking multiple values files or typing long commands to install `bluecompute-ce` with Istio 420 | enabled, we decided to provide separate values files, which you can see here: 421 | 422 | * [values-istio-basic.yaml](../static/templates/values-istio-basic.yaml) 423 | * This file just enables Istio for all of the microservices using the settings and files we talked about before. 424 | * The only thing is that to access the web application we have to port-forward the web application to our local machine. 425 | * [values-istio-gateway.yaml](../static/templates/values-istio-gateway.yaml) 426 | * This file is similar to the file above but has the settings to enable the Global Istio Gateway. 
427 | * This chart assumes that you have created a wildcard SSL certificate for the `bluecompute.com` domain name and uploaded 428 | the certificate and keys as secrets into the Kubernetes cluster. 429 | * More details on how to deploy the Gateway in the later section. 430 | * You can check out the Gateway settings here: 431 | * [values-istio-gateway.yaml#L11](../static/templates/values-istio-gateway.yaml#L11) 432 | 433 | #### Recap 434 | 435 | You have seen the basic Istio YAML files that we included on each microservice's Helm chart. Having these files will 436 | allow each microservice to have more control of its Istio settings rather than leave it all up to Istio and potentially 437 | run into issues if certain services are not ready for Istio prime-time yet. 438 | 439 | On top of the above Istio YAML files, each individual microservice has Istio YAML files to configure settings for their 440 | individual data stores, which are optional if you are using the main `bluecompute-ce` Helm chart but are useful if you 441 | are deploying each microservice and its datastore individually. 442 | 443 | ## Deploying Istio and the Istiofied Bluecompute Helm Chart 444 | 445 | Check the appropriate 446 | [Spring](https://github.com/ibm-cloud-architecture/refarch-cloudnative-kubernetes/blob/spring/docs/istio/README.md) or 447 | [Microprofile](https://github.com/ibm-cloud-architecture/refarch-cloudnative-kubernetes/tree/microprofile/docs/istio.md) 448 | branch for instructions on how to deploy Istio. 449 | 450 | ### Validate the Application 451 | 452 | In order to validate the application, you will need to access the IP address and port number of the Ingress Gateway, 453 | which will depend on the environment you are using. 
To access the IP address and port number, run the commands below 454 | based on your environment: 455 | 456 | ```bash 457 | # IKS Standard Clusters 458 | export INGRESS_HOST=$(kubectl -n istio-system get service istio-ingressgateway -o jsonpath='{.status.loadBalancer.ingress[0].ip}') 459 | export INGRESS_PORT=$(kubectl -n istio-system get service istio-ingressgateway -o jsonpath='{.spec.ports[?(@.name=="http2")].port}') 460 | 461 | # IKS Free Clusters 462 | export INGRESS_HOST=$(kubectl get nodes -o jsonpath='{.items[0].status.addresses[?(@.type=="ExternalIP")].address}') 463 | export INGRESS_PORT=$(kubectl get svc istio-ingressgateway -n istio-system -o jsonpath='{.spec.ports[0].nodePort}') 464 | 465 | # IBM Cloud Private Cluster 466 | export INGRESS_HOST=$(kubectl get po -l istio=ingressgateway -n istio-system -o 'jsonpath={.items[0].status.hostIP}') 467 | export INGRESS_PORT=$(kubectl get svc istio-ingressgateway -n istio-system -o 'jsonpath={.spec.ports[0].nodePort}') 468 | 469 | # Print the Gateway URL 470 | export GATEWAY_URL=$INGRESS_HOST:$INGRESS_PORT 471 | echo $GATEWAY_URL 472 | ``` 473 | 474 | To validate the application, open a browser window and enter the gateway URL from above and press enter. 475 | You should be able to see the web application's home page, as shown below. 476 | 477 | ![BlueCompute Detail](../static/images/bluecompute_web_home.png?raw=true) 478 | 479 | You can reference 480 | [this link](https://github.com/ibm-cloud-architecture/refarch-cloudnative-bluecompute-web/tree/spring#validate-the-web-application) for validating the web application functionality. You should be able to see a catalog, be able to login, make orders, and see your orders listed in your profile (once you are logged in). 
481 | 482 | ## Telemetry & Tracing 483 | 484 | Now that we have deployed the `bluecompute-ce` chart into an Istio-enabled cluster and validated its functionality, 485 | let's explore Istio's telemetry and tracing features by generating some load and opening the different telemetry and 486 | tracing dashboards. 487 | 488 | ### Generating Load 489 | 490 | Let's generate some load by performing multiple curl requests against the web service's `/catalog` endpoint through the 491 | Istio Gateway. By doing this, we generate telemetry and tracing metrics across the gateway and the web, catalog, and 492 | elasticsearch services. To generate the workload, open a new command prompt tab and enter the following command: 493 | 494 | ```bash 495 | # Load Generation 496 | echo "Generating load..." 497 | 498 | while true; do 499 | curl -s ${GATEWAY_URL}/catalog > /dev/null; 500 | echo -n .; 501 | sleep 0.2; 502 | done 503 | ``` 504 | 505 | Where `${GATEWAY_URL}` is the Ingress URL we obtained earlier. This script is going to run every 0.2 seconds 506 | indefinitely, unless we press `CTRL+C` to cancel it. 507 | 508 | ### Access Grafana Dashboard 509 | 510 | To access the Grafana dashboard, you will need to run the following port-forwarding command: 511 | 512 | ```bash 513 | kubectl -n istio-system port-forward $(kubectl -n istio-system get pod -l app=grafana -o jsonpath='{.items[0].metadata.name}') 3000:3000 & 514 | ``` 515 | 516 | Now, open a new browser tab and go to http://localhost:3000 to open Grafana's home page, as shown below: 517 | 518 | ![Architecture](../static/images/grafana_1_home.png) 519 | 520 | Click on the drop-down next to `Home` and click on the `Istio Service Dashboard` (as shown below) to examine networking 521 | requests for the individual services. 522 | 523 | ![Architecture](../static/images/grafana_2_dashboard_select.png) 524 | 525 | On the service drop-down at the top left, select the `web.default.svc.cluster.local` service. 
You should be presented with a 526 | dashboard similar to the following: 527 | 528 | ![Architecture](../static/images/grafana_3_web_dashboard.png) 529 | 530 | I'll leave it up to you to examine all the dashboards. The main thing I want to point out is the 531 | `Incoming Requests by Source And Response Code` dashboard at the bottom left. The load you see is generated from our 532 | script. If you were to interrupt the script, you will see, upon refreshing, that the load will go down to 0. Also notice 533 | that the source for all of these requests comes directly from the `istio-ingressgateway.istio-system` since we are 534 | running our load generation script against the gateway itself instead of through a port-forwarding connection. 535 | 536 | Now let's examine the `catalog` service by clicking on the Service drop-down and selecting 537 | `catalog.default.svc.cluster.local`, which will show you a dashboard similar to the one below: 538 | 539 | ![Architecture](../static/images/grafana_4_catalog_dashboard.png) 540 | 541 | This is essentially the same dashboard. The traffic load should look about the same as with the `web` service. Notice in 542 | the `Incoming Requests by Source And Response Code` dashboard that all of the requests to the `catalog` service are 543 | coming from the `web.default` service, as expected. 544 | 545 | You should now have a general idea of how to use Grafana with Istio to see the networking load in your cluster. I 546 | encourage you to explore the other Grafana dashboards that come with Istio. 547 | 548 | ### Access Service Graph Dashboard 549 | 550 | Now let's explore `Service Graph` dashboard. Even though Grafana is helpful to debug networking for individual services, 551 | sometimes it's more useful to see the bigger picture and take a look at a graph of all of your services and see how they 552 | are connected together. 
This is particularly useful for new team members to understand your application's architecture, 553 | especially if it has grown incredibly complex. 554 | 555 | To access the Service Graph dashboard, you will need to run the following port-forwarding command: 556 | 557 | ```bash 558 | kubectl -n istio-system port-forward $(kubectl -n istio-system get pod -l app=servicegraph -o jsonpath='{.items[0].metadata.name}') 8088:8088 & 559 | ``` 560 | 561 | Now, open a new browser tab and go to http://localhost:8088/force/forcegraph.html to open Service Graph dashboard, as 562 | shown below: 563 | 564 | ![Architecture](../static/images/service_graph_1.png) 565 | 566 | You might notice that the graph is constantly moving. That's because it's constantly checking for new networking requests 567 | and also detecting new services, which gives you almost real-time application architecture updates. 568 | 569 | To examine an individual service's incoming and outgoing connections, you just have to click on the node, which should 570 | open up a window that looks like the following: 571 | 572 | ![Architecture](../static/images/service_graph_2_web.png) 573 | 574 | The above dashboard should give you a better idea of all of the incoming and outgoing connections for an individual 575 | service, therefore, giving you a clearer picture of your entire stack networking-wise. 576 | 577 | ### Access Jaeger Tracing Dashboard 578 | 579 | Using Grafana and Service Graph is useful to understand your application's architecture and overall networking usage and 580 | identify bottlenecks. However, you are out of luck when it comes to debugging the individual services' actual networking 581 | calls. Luckily, Jaeger can help you with that by providing useful tracing information for each networking call in your 582 | service mesh. 
583 | 584 | To access the Jaeger dashboard, you will need to run the following port-forwarding command: 585 | 586 | ```bash 587 | kubectl -n istio-system port-forward $(kubectl -n istio-system get pod -l app=jaeger -o jsonpath='{.items[0].metadata.name}') 16686:16686 & 588 | ``` 589 | 590 | Now, open a new browser tab and go to http://localhost:16686 to open Jaeger dashboard, as shown below: 591 | ![Architecture](../static/images/jaeger_1_home.png) 592 | 593 | The above page lets you enter some criteria to start searching for traces. Let's search for traces for the `web` service 594 | by selecting `web` in the `Service` drop-down menu, followed by clicking `Find Traces`. If any traces were found, you 595 | will see a view similar to the following: 596 | ![Architecture](../static/images/jaeger_2_web.png) 597 | 598 | The view above shows you a list of matching traces along with a time graph that shows you trace duration over time. To 599 | view trace details, let's click on a trace that starts with `web: catalog.default.svc.cluster.local:8081/*`, which 600 | should reveal the following view: 601 | ![Architecture](../static/images/jaeger_3_web_catalog.png) 602 | 603 | In the view above you should see the number of spans. A span represents a logical unit of work in Jaeger that has an 604 | operation name, the start time of the operation, and the duration. Basically, a span is a networking step in the trace. 605 | From the above picture you see that there are 2 spans, the first is that of the request done by the `web` service to the 606 | `catalog` service. The second one is from the `catalog` service to the `elasticsearch` service. 607 | 608 | If you click on any of the spans and expand both the `Tags` and `Process` fields, you will see useful networking 609 | information for that span, including things such as request url, HTTP method, HTTP status code, amongst other things 610 | that should help you debug your services. 
611 | 612 | ### Access Kiali Dashboard 613 | 614 | Using Grafana, Service Graph, and Jaeger tracing should give you more than enough information to learn your application's 615 | networking architecture, identify bottlenecks, and debug networking calls. This information alone is plenty to carry out 616 | day-to-day operations. However, there are instances when the tracing shows that a service is working as expected, but 617 | somehow, networking calls to other services still fail. Sometimes the issue comes from a bug in the individual service's 618 | Istio configuration, which you cannot access with the above-mentioned dashboards. 619 | 620 | Luckily, Kiali can help you with that. Kiali is an open source project that works with Istio to visualize the service 621 | mesh topology, including features like circuit breakers or request rates. Kiali even includes Jaeger Tracing out of the 622 | box. 623 | 624 | To access the Kiali dashboard, you will need to run the following port-forwarding command: 625 | 626 | ```bash 627 | kubectl -n istio-system port-forward $(kubectl -n istio-system get pod -l app=kiali -o jsonpath='{.items[0].metadata.name}') 20001:20001 & 628 | ``` 629 | 630 | Now, open a new browser tab and go to http://localhost:20001/kiali to open Kiali dashboard, as shown below: 631 | ![Architecture](../static/images/kiali_1_login.png) 632 | 633 | Log in using `admin` and `secret` as the username and password, respectively, which come from the secret that you set up 634 | earlier when deploying Istio. If successful, you will be presented with the home page, which shows a graph of the 635 | services from all of the namespaces in your cluster. 636 | ![Architecture](../static/images/kiali_2_home.png) 637 | 638 | The above can be overwhelming to look at. Instead of looking at the entire cluster, let's just focus on the services in 639 | the `default` namespace, which is where `bluecompute-ce` is deployed. 
To view the services in the `default` namespace, 640 | click on the `Namespace` drop-down and select `default`, which should present you with the following view: 641 | ![Architecture](../static/images/kiali_3_default_graph.png) 642 | 643 | You should now see a much cleaner chart showing the services pertaining to `bluecompute-ce`. I personally like this 644 | graph better compared to `Service Graph`. From this graph you can click on the individual links between microservices 645 | and explore the request volume per second. Let's see what that looks like by clicking on the link between the 646 | `istio-ingressgateway` and `web` service, which should present you with the following view: 647 | ![Architecture](../static/images/kiali_4_gateway_web.png) 648 | 649 | Notice above that you can see the requests per second and graphs for different status codes. Also notice in the 650 | `Source app` and `Destination app` that you can see namespace and version of the microservices in question. Feel free to 651 | explore the other application links. 652 | 653 | If you click on the `Applications` menu on the left, followed by clicking on the `web` application, you will be able to 654 | see high level metrics for the application. 
Mostly the health status of the deployment and the Envoy 655 | sidecar and Inbound and Outbound metrics, as shown below: 656 | ![Architecture](../static/images/kiali_5_web_status.png) 657 | 658 | If you click on the `Workloads` menu on the left, followed by clicking on the `web` workload, you will be able to see 659 | pod specific information and metrics, including labels, container name and init container names, as shown below: 660 | ![Architecture](../static/images/kiali_6_workloads_web_info.png) 661 | 662 | If you click on the `Services` menu on the left, followed by clicking on the `catalog` service, you will be able to see 663 | service specific information and metrics, but also workloads that the service is associated with and source workloads 664 | from which it gets networking calls, as shown below. More importantly, you can also see the `Virtual Services` and 665 | `Destination Rules` associated with the service and their configuration. You can even click on `View YAML` to explore 666 | the actual YAML file that was used to deploy the Istio resources, which is great for debugging Istio configuration. 667 | ![Architecture](../static/images/kiali_7_services_catalog_destination.png) 668 | 669 | Lastly, if you want to only see a list of Istio resources, you can click on the `Istio Config` menu on the left. You 670 | will see things like `Virtual Services`, `Destination Rules`, and even `Gateways`. 671 | ![Architecture](../static/images/kiali_8_istio_config.png) 672 | 673 | The above should have provided you a high level view of Kiali's features and visibility into the Istio Service Mesh. 674 | Combined with Jaeger Tracing and even Grafana dashboard, if enabled, you should be able to use Kiali as the main 675 | entrypoint for all things service mesh. 
676 | 677 | ## Cleanup 678 | 679 | To kill all port-forwarding connections, run the following command: 680 | 681 | ```bash 682 | killall kubectl 683 | ``` 684 | 685 | To delete Kiali secret, run the following command: 686 | 687 | ```bash 688 | kubectl delete secret kiali -n istio-system 689 | ``` 690 | 691 | To disable automatic sidecar injection, run the following command: 692 | 693 | ```bash 694 | kubectl label namespace default istio-injection- 695 | ``` 696 | 697 | To uninstall `bluecompute-ce` chart, run the following command: 698 | 699 | ```bash 700 | helm delete bluecompute --purge # --tls if using IBM Cloud Private 701 | ``` 702 | 703 | Lastly, to uninstall `istio` chart, run the following command: 704 | 705 | ```bash 706 | helm delete istio --purge # --tls if using IBM Cloud Private 707 | ``` 708 | 709 | ## Conclusion 710 | 711 | Congratulations on finishing reading this document. That was a lot of information. Let's recap the stuff we learned today: 712 | 713 | * Minimum requirements to allow pods to benefit from the service mesh features. 714 | * How to properly create liveness and readiness probes that will work in a service mesh, even when Mutual TLS is enabled. 715 | * Istio's current limitations with StatefulSet-based services and how to get Deployment-based Istiofied services to communicate with StatefulSet services outside of the service mesh. 716 | * How to create custom Istio YAML files for more granular control of Istio configuration for each microservice. 717 | * Deployed Istio and enabled Grafana, Service Graph, Jaeger Tracing, and Kiali dashboards. 718 | * Deployed Bluecompute into an Istio-enabled cluster and enabled Istio Gateway. 719 | * Generated networking load against Istio Gateway to generate telemetry and tracing metrics for the web and catalog services. 720 | * Used Grafana to visualize the networking request volume on both services. 
721 | * Used Service Graph to visualize Bluecompute's entire network architecture and view inbound and outbound request volume on each service. 722 | * Used Jaeger to search and analyze network traces for calls between the web and catalog services. 723 | * Used Kiali to do all the above plus exploring Istio configuration for each service. 724 | 725 | By doing all the above, you now have the ability to modify existing services/applications to leverage most of the Istio 726 | service mesh features and debug running applications using Istio's telemetry and tracing information. 727 | -------------------------------------------------------------------------------- /static/images/app_architecture.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ibm-cloud-architecture/refarch-cloudnative-kubernetes/882d3f3dd1b8f73d229201cd6a332070281371cd/static/images/app_architecture.png -------------------------------------------------------------------------------- /static/images/bluecompute_ce.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ibm-cloud-architecture/refarch-cloudnative-kubernetes/882d3f3dd1b8f73d229201cd6a332070281371cd/static/images/bluecompute_ce.png -------------------------------------------------------------------------------- /static/images/bluecompute_web_home.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ibm-cloud-architecture/refarch-cloudnative-kubernetes/882d3f3dd1b8f73d229201cd6a332070281371cd/static/images/bluecompute_web_home.png -------------------------------------------------------------------------------- /static/images/diagram_bluecompute_istio.png: -------------------------------------------------------------------------------- 
https://raw.githubusercontent.com/ibm-cloud-architecture/refarch-cloudnative-kubernetes/882d3f3dd1b8f73d229201cd6a332070281371cd/static/images/diagram_bluecompute_istio.png -------------------------------------------------------------------------------- /static/images/diagram_bluecompute_openshift.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ibm-cloud-architecture/refarch-cloudnative-kubernetes/882d3f3dd1b8f73d229201cd6a332070281371cd/static/images/diagram_bluecompute_openshift.png -------------------------------------------------------------------------------- /static/images/grafana_1_home.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ibm-cloud-architecture/refarch-cloudnative-kubernetes/882d3f3dd1b8f73d229201cd6a332070281371cd/static/images/grafana_1_home.png -------------------------------------------------------------------------------- /static/images/grafana_2_dashboard_select.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ibm-cloud-architecture/refarch-cloudnative-kubernetes/882d3f3dd1b8f73d229201cd6a332070281371cd/static/images/grafana_2_dashboard_select.png -------------------------------------------------------------------------------- /static/images/grafana_3_web_dashboard.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ibm-cloud-architecture/refarch-cloudnative-kubernetes/882d3f3dd1b8f73d229201cd6a332070281371cd/static/images/grafana_3_web_dashboard.png -------------------------------------------------------------------------------- /static/images/grafana_4_catalog_dashboard.png: -------------------------------------------------------------------------------- 
https://raw.githubusercontent.com/ibm-cloud-architecture/refarch-cloudnative-kubernetes/882d3f3dd1b8f73d229201cd6a332070281371cd/static/images/grafana_4_catalog_dashboard.png -------------------------------------------------------------------------------- /static/images/jaeger_1_home.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ibm-cloud-architecture/refarch-cloudnative-kubernetes/882d3f3dd1b8f73d229201cd6a332070281371cd/static/images/jaeger_1_home.png -------------------------------------------------------------------------------- /static/images/jaeger_2_web.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ibm-cloud-architecture/refarch-cloudnative-kubernetes/882d3f3dd1b8f73d229201cd6a332070281371cd/static/images/jaeger_2_web.png -------------------------------------------------------------------------------- /static/images/jaeger_3_web_catalog.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ibm-cloud-architecture/refarch-cloudnative-kubernetes/882d3f3dd1b8f73d229201cd6a332070281371cd/static/images/jaeger_3_web_catalog.png -------------------------------------------------------------------------------- /static/images/kiali_1_login.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ibm-cloud-architecture/refarch-cloudnative-kubernetes/882d3f3dd1b8f73d229201cd6a332070281371cd/static/images/kiali_1_login.png -------------------------------------------------------------------------------- /static/images/kiali_2_home.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ibm-cloud-architecture/refarch-cloudnative-kubernetes/882d3f3dd1b8f73d229201cd6a332070281371cd/static/images/kiali_2_home.png 
-------------------------------------------------------------------------------- /static/images/kiali_3_default_graph.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ibm-cloud-architecture/refarch-cloudnative-kubernetes/882d3f3dd1b8f73d229201cd6a332070281371cd/static/images/kiali_3_default_graph.png -------------------------------------------------------------------------------- /static/images/kiali_4_gateway_web.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ibm-cloud-architecture/refarch-cloudnative-kubernetes/882d3f3dd1b8f73d229201cd6a332070281371cd/static/images/kiali_4_gateway_web.png -------------------------------------------------------------------------------- /static/images/kiali_5_web_status.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ibm-cloud-architecture/refarch-cloudnative-kubernetes/882d3f3dd1b8f73d229201cd6a332070281371cd/static/images/kiali_5_web_status.png -------------------------------------------------------------------------------- /static/images/kiali_6_workloads_web_info.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ibm-cloud-architecture/refarch-cloudnative-kubernetes/882d3f3dd1b8f73d229201cd6a332070281371cd/static/images/kiali_6_workloads_web_info.png -------------------------------------------------------------------------------- /static/images/kiali_7_services_catalog_destination.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ibm-cloud-architecture/refarch-cloudnative-kubernetes/882d3f3dd1b8f73d229201cd6a332070281371cd/static/images/kiali_7_services_catalog_destination.png -------------------------------------------------------------------------------- 
/static/images/kiali_8_istio_config.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/ibm-cloud-architecture/refarch-cloudnative-kubernetes/882d3f3dd1b8f73d229201cd6a332070281371cd/static/images/kiali_8_istio_config.png
--------------------------------------------------------------------------------
/static/images/microprofile_small.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/ibm-cloud-architecture/refarch-cloudnative-kubernetes/882d3f3dd1b8f73d229201cd6a332070281371cd/static/images/microprofile_small.png
--------------------------------------------------------------------------------
/static/images/service_graph_1.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/ibm-cloud-architecture/refarch-cloudnative-kubernetes/882d3f3dd1b8f73d229201cd6a332070281371cd/static/images/service_graph_1.png
--------------------------------------------------------------------------------
/static/images/service_graph_2_web.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/ibm-cloud-architecture/refarch-cloudnative-kubernetes/882d3f3dd1b8f73d229201cd6a332070281371cd/static/images/service_graph_2_web.png
--------------------------------------------------------------------------------
/static/images/spring_small.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/ibm-cloud-architecture/refarch-cloudnative-kubernetes/882d3f3dd1b8f73d229201cd6a332070281371cd/static/images/spring_small.png
--------------------------------------------------------------------------------
/static/templates/istio_auth_policies.yaml:
--------------------------------------------------------------------------------
{{ if and .Values.global.istio.enabled .Values.mysql.enabled }}
apiVersion: "authentication.istio.io/v1alpha1"
kind: "Policy"
metadata:
  name: {{ template "bluecompute.mysql.fullname" . }}
spec:
  targets:
  - name: {{ template "bluecompute.mysql.fullname" . }}
    ports:
    - number: {{ .Values.mysql.service.port }}
  peers:
  - mtls: {}
{{ end }}
--------------------------------------------------------------------------------
/static/templates/istio_destination_rules.yaml:
--------------------------------------------------------------------------------
{{ if .Values.global.istio.enabled }}
{{ if .Values.mysql.enabled }}
# MySQL
apiVersion: networking.istio.io/v1alpha3
kind: DestinationRule
metadata:
  name: {{ template "bluecompute.mysql.fullname" . }}
spec:
  host: {{ template "bluecompute.mysql.fullname" . }}.{{ .Release.Namespace }}.svc.cluster.local
  trafficPolicy:
    loadBalancer:
      simple: {{ .Values.mysql.istio.loadBalancer }}
    portLevelSettings:
    - port:
        number: {{ .Values.mysql.service.port }}
      tls:
        mode: {{ .Values.mysql.istio.mTLS }}
{{ end }}
---
{{ if .Values.elasticsearch.enabled }}
# Elasticsearch
apiVersion: networking.istio.io/v1alpha3
kind: DestinationRule
metadata:
  name: {{ template "bluecompute.elasticsearch.client.fullname" . }}
spec:
  host: {{ template "bluecompute.elasticsearch.client.fullname" . }}.{{ .Release.Namespace }}.svc.cluster.local
  trafficPolicy:
    portLevelSettings:
    - port:
        number: 9200
      tls:
        mode: DISABLE
    - port:
        number: 9300
      tls:
        mode: DISABLE
{{ end }}
---
{{ if .Values.couchdb.enabled }}
# CouchDB Service
apiVersion: networking.istio.io/v1alpha3
kind: DestinationRule
metadata:
  name: {{ template "bluecompute.couchdb.svcname" . }}
spec:
  host: {{ template "bluecompute.couchdb.svcname" . }}.{{ .Release.Namespace }}.svc.cluster.local
  trafficPolicy:
    portLevelSettings:
    - port:
        number: {{ .Values.couchdb.service.externalPort }}
      tls:
        mode: DISABLE
---
# CouchDB Headless
apiVersion: networking.istio.io/v1alpha3
kind: DestinationRule
metadata:
  name: {{ template "bluecompute.couchdb.fullname" . }}
spec:
  host: {{ template "bluecompute.couchdb.fullname" . }}.{{ .Release.Namespace }}.svc.cluster.local
  trafficPolicy:
    portLevelSettings:
    - port:
        number: 5984
      tls:
        mode: DISABLE
{{ end }}
---
{{ if .Values.mariadb.enabled }}
# MariaDB
apiVersion: networking.istio.io/v1alpha3
kind: DestinationRule
metadata:
  name: {{ template "bluecompute.mariadb.fullname" . }}
spec:
  host: {{ template "bluecompute.mariadb.fullname" . }}.{{ .Release.Namespace }}.svc.cluster.local
  trafficPolicy:
    portLevelSettings:
    - port:
        number: {{ .Values.mariadb.service.port }}
      tls:
        mode: DISABLE
---
# MariaDB Slave
{{ if .Values.mariadb.replication.enabled }}
apiVersion: networking.istio.io/v1alpha3
kind: DestinationRule
metadata:
  name: {{ template "bluecompute.mariadb.slave.fullname" . }}
spec:
  host: {{ template "bluecompute.mariadb.slave.fullname" . }}.{{ .Release.Namespace }}.svc.cluster.local
  trafficPolicy:
    portLevelSettings:
    - port:
        number: {{ .Values.mariadb.service.port }}
      tls:
        mode: DISABLE
{{ end }}
{{ end }}
{{ end }}
--------------------------------------------------------------------------------
/static/templates/istio_gateway.yaml:
--------------------------------------------------------------------------------
{{ if and .Values.global.istio.enabled .Values.global.istio.gateway.enabled .Values.global.istio.gateway.name }}
apiVersion: networking.istio.io/v1alpha3
kind: Gateway
metadata:
  name: {{ .Values.global.istio.gateway.name }}
spec:
  selector:
    istio: ingressgateway
  servers:
  - port:
      number: 80
      name: http
      protocol: HTTP
    tls:
      httpsRedirect: {{ .Values.global.istio.gateway.TLS.httpsRedirect }}
    hosts:
    {{ toYaml .Values.global.istio.gateway.hosts }}
  {{- if .Values.global.istio.gateway.TLS.enabled }}
  - port:
      number: 443
      name: https
      protocol: HTTPS
    tls:
      mode: {{ .Values.global.istio.gateway.TLS.mode }}
      serverCertificate: {{ .Values.global.istio.gateway.TLS.serverCertificate }}
      privateKey: {{ .Values.global.istio.gateway.TLS.privateKey }}
      {{- if and (eq .Values.global.istio.gateway.TLS.mode "MUTUAL") .Values.global.istio.gateway.TLS.caCertificates }}
      caCertificates: {{ .Values.global.istio.gateway.TLS.caCertificates }}
      {{- end }}
    hosts:
    {{ toYaml .Values.global.istio.gateway.hosts }}
  {{- end }}
{{ end }}
--------------------------------------------------------------------------------
/static/templates/istio_virtual_services.yaml:
--------------------------------------------------------------------------------
{{ if and .Values.global.istio.enabled .Values.mysql.enabled }}
apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
  name: {{ template "bluecompute.mysql.fullname" . }}
spec:
  hosts:
  - {{ template "bluecompute.mysql.fullname" . }}.{{ .Release.Namespace }}.svc.cluster.local
  http:
  - route:
    - destination:
        host: {{ template "bluecompute.mysql.fullname" . }}.{{ .Release.Namespace }}.svc.cluster.local
        #subset: v1
{{ end }}
--------------------------------------------------------------------------------
/static/templates/values-istio-basic.yaml:
--------------------------------------------------------------------------------
# Declare variables to be passed into your templates.
global:
  hs256key:
    secretName: bluecompute-hs256key
    secret: E6526VJkKYhyTFRFMC0pTECpHcZ7TGcq8pKsVVgz9KtESVpheEO284qKzfzg8HpWNBPeHOxNGlyudUHi6i8tFQJXC8PiI48RUpMh23vPDLGD35pCM0417gf58z5xlmRNii56fwRCmIhhV7hDsm3KO2jRv4EBVz7HrYbzFeqI45CaStkMYNipzSm2duuer7zRdMjEKIdqsby0JfpQpykHmC5L6hxkX0BT7XWqztTr6xHCwqst26O0g8r7bXSYjp4a
  cluster:
    name: "my-cluster"
    region: us-south
  istio:
    enabled: true
    gateway:
      enabled: false
      name:
      hosts:
      - "*.bluecompute.com"
      TLS:
        enabled: false
        # SIMPLE, MUTUAL
        mode: SIMPLE
        httpsRedirect: false
        serverCertificate: /etc/istio/ingressgateway-certs/tls.crt
        privateKey: /etc/istio/ingressgateway-certs/tls.key
        caCertificates: /etc/istio/ingressgateway-ca-certs/ca-chain.cert.pem

ingress:
  enabled: false
  hostnames:
    app: #app.bluecompute.com
    api: #api.bluecompute.com
  annotations:
    ingress.bluemix.net/redirect-to-https: "True"
  enableTLS: false
  TLS:
  - secretName: bluecompute.com
    hosts:
    - bluecompute.com

auth:
  enabled: true
  fullnameOverride: auth
  replicaCount: 1
  image:
    repository: ibmcase/bluecompute-auth
    tag: 0.6.0
    pullPolicy: Always
  service:
    type: ClusterIP
    externalPort: 8083
    nodePort: 32383
  resources:
    limits:
      memory: 384Mi
    requests:
      memory: 64Mi
  bash:
    image:
      repository: ibmcase/bluecompute-bash-curl-ssl
      tag: latest
      pullPolicy: IfNotPresent
  hs256key:
    secretName:
    secret:
  customer:
    url: http://customer:8082
  istio:
    enabled: false
    # ISTIO_MUTUAL, SIMPLE, DISABLE
    mTLS: ISTIO_MUTUAL
    # LEAST_CONN, ROUND_ROBIN
    loadBalancer: LEAST_CONN
    gateway:
      enabled: false
      name:
      hosts:
      - "auth.bluecompute.com"
      TLS:
        enabled: false
        # SIMPLE, MUTUAL
        mode: SIMPLE
        httpsRedirect: false

catalog:
  enabled: true
  fullnameOverride: catalog
  replicaCount: 1
  image:
    repository: ibmcase/bluecompute-catalog
    tag: 0.6.0
    pullPolicy: Always
  service:
    type: ClusterIP
    externalPort: 8081
    nodePort: 32381
  resources:
    limits:
      memory: 384Mi
    requests:
      memory: 64Mi
  inventory:
    url: http://inventory:8080
  curl:
    image: alexeiled/curl
    imageTag: latest
    imagePullPolicy: IfNotPresent
  elasticsearch:
    protocol: http
    host: catalog-elasticsearch-client
    port: 9200
    username:
    password:
    healthcheck: "_cat/health"
    cacertificatebase64:
  istio:
    enabled: false
    # ISTIO_MUTUAL, SIMPLE, DISABLE
    mTLS: ISTIO_MUTUAL
    # LEAST_CONN, ROUND_ROBIN
    loadBalancer: LEAST_CONN
    gateway:
      enabled: false
      name:
      hosts:
      - "catalog.bluecompute.com"
      TLS:
        enabled: false
        # SIMPLE, MUTUAL
        mode: SIMPLE
        httpsRedirect: false

elasticsearch:
  enabled: true
  fullnameOverride: catalog-elasticsearch
  protocol: http
  port: 9200
  username:
  password:
  healthcheck: "_cat/health"
  cacertificatebase64:
  appVersion: 6.6.1
  image:
    repository: docker.elastic.co/elasticsearch/elasticsearch-oss
    tag: 6.6.1
    pullPolicy: IfNotPresent
    #pullSecrets:
    #- sa-default
  serviceAccounts:
    client:
      create: false
      name:
    master:
      create: false
      name:
    data:
      create: false
      name:
  initImage:
    repository: "busybox"
    tag: "latest"
    pullPolicy: "Always"
  cluster:
    env:
      MINIMUM_MASTER_NODES: "2"
  client:
    replicas: 1
    serviceType: ClusterIP
    podAnnotations:
      sidecar.istio.io/inject: "false"
  master:
    replicas: 2
    persistence:
      enabled: false
      size: 4Gi
      storageClass:
      accessMode: ReadWriteOnce
    podAnnotations:
      sidecar.istio.io/inject: "false"
  data:
    replicas: 1
    persistence:
      enabled: false
      size: 30Gi
      storageClass:
      accessMode: ReadWriteOnce
    podAnnotations:
      sidecar.istio.io/inject: "false"
  sysctlInitContainer:
    enabled: true

customer:
  enabled: true
  fullnameOverride: customer
  replicaCount: 1
  image:
    repository: ibmcase/bluecompute-customer
    tag: 0.6.0
    pullPolicy: Always
  service:
    type: ClusterIP
    externalPort: 8082
    nodePort: 32382
  resources:
    limits:
      memory: 384Mi
    requests:
      memory: 64Mi
  testUser:
    createUser: true
    username: user
    password: passw0rd
  bash:
    image:
      repository: ibmcase/bluecompute-bash-curl-ssl
      tag: latest
      pullPolicy: IfNotPresent
  hs256key:
    secretName:
    secret:
  couchdb:
    host: customer-couchdb-svc-couchdb
    protocol: http
    port: 5985
    existingSecret:
    adminUsername: user
    adminPassword: passw0rd
    database: customers
  istio:
    enabled: false
    # ISTIO_MUTUAL, SIMPLE, DISABLE
    mTLS: ISTIO_MUTUAL
    # LEAST_CONN, ROUND_ROBIN
    loadBalancer: LEAST_CONN
    gateway:
      enabled: false
      name:
      hosts:
      - "customer.bluecompute.com"
      TLS:
        enabled: false
        # SIMPLE, MUTUAL
        mode: SIMPLE
        httpsRedirect: false

couchdb:
  enabled: true
  image:
    repository: "couchdb"
    tag: "2.3.0"
    pullPolicy: IfNotPresent
  fullnameOverride: customer-couchdb
  protocol: http
  createAdminSecret: true
  adminUsername: user
  adminPassword: passw0rd
  service:
    externalPort: 5985
  clusterSize: 1
  persistentVolume:
    enabled: false
    size: 10Gi
    accessModes:
    - ReadWriteOnce
    storageClass:
  helperImage:
    repository: kocolosk/couchdb-statefulset-assembler
    tag: 1.2.0
    pullPolicy: IfNotPresent
  initImage:
    repository: "busybox"
    tag: "latest"
    pullPolicy: "Always"
  podAnnotations:
    sidecar.istio.io/inject: "false"

inventory:
  enabled: true
  fullnameOverride: inventory
  replicaCount: 1
  image:
    repository: ibmcase/bluecompute-inventory
    tag: 0.6.0
    pullPolicy: Always
  service:
    type: ClusterIP
    externalPort: 8080
    nodePort: 32380
  resources:
    limits:
      memory: 384Mi
    requests:
      memory: 64Mi
  mysql:
    host: inventory-mysql
    port: 3306
    existingSecret:
    user: dbuser
    password: password
    database: inventorydb
    # For mysql init container
    image: "mysql"
    imageTag: "5.7.14"
    imagePullPolicy: IfNotPresent
  istio:
    enabled: false
    # ISTIO_MUTUAL, SIMPLE, DISABLE
    mTLS: ISTIO_MUTUAL
    # LEAST_CONN, ROUND_ROBIN
    loadBalancer: LEAST_CONN
    gateway:
      enabled: false
      name:
      hosts:
      - "inventory.bluecompute.com"
      TLS:
        enabled: false
        # SIMPLE, MUTUAL
        mode: SIMPLE
        httpsRedirect: false

mysql:
  enabled: true
  image: "mysql"
  imageTag: "5.7.14"
  imagePullPolicy: IfNotPresent
  fullnameOverride: inventory-mysql
  mysqlRootPassword: admin123
  mysqlUser: dbuser
  mysqlPassword: password
  mysqlDatabase: inventorydb
  service:
    port: 3306
  persistence:
    enabled: false
    size: 8Gi
    storageClass:
    accessMode: ReadWriteOnce
    existingClaim:
    subPath:
    annotations: {}
  istio:
    mTLS: ISTIO_MUTUAL
    loadBalancer: LEAST_CONN
  busybox:
    image: "busybox"
    tag: "latest"

orders:
  enabled: true
  fullnameOverride: orders
  replicaCount: 1
  image:
    repository: ibmcase/bluecompute-orders
    tag: 0.6.0
    pullPolicy: Always
  service:
    type: ClusterIP
    externalPort: 8084
    nodePort: 32384
  resources:
    limits:
      memory: 384Mi
    requests:
      memory: 64Mi
  mysql:
    image: "mysql"
    imageTag: "5.7.14"
    imagePullPolicy: IfNotPresent
  hs256key:
    secretName:
    secret:
  mariadb:
    # Leaving empty so it gets name from release name and nameOverride
    host:
    port: 3307
    existingSecret:
    user: dbuser
    password: password
    database: ordersdb
  istio:
    enabled: false
    # ISTIO_MUTUAL, SIMPLE, DISABLE
    mTLS: ISTIO_MUTUAL
    # LEAST_CONN, ROUND_ROBIN
    loadBalancer: LEAST_CONN
    gateway:
      enabled: false
      name:
      hosts:
      - "orders.bluecompute.com"
      TLS:
        enabled: false
        # SIMPLE, MUTUAL
        mode: SIMPLE
        httpsRedirect: false

mariadb:
  enabled: true
  image:
    registry: docker.io
    repository: bitnami/mariadb
    tag: 10.1.38
    pullPolicy: IfNotPresent
  service:
    port: 3307
  rootUser:
    password: admin123
  nameOverride: orders-mariadb
  db:
    user: dbuser
    password: password
    name: ordersdb
  replication:
    enabled: false
  master:
    persistence:
      enabled: false
      existingClaim:
      #mountPath: ""
      annotations: {}
      storageClass:
      accessMode: ReadWriteOnce
      size: 8Gi
    annotations:
    - key: sidecar.istio.io/inject
      value: "false"
  slave:
    replicas: 1
    persistence:
      enabled: false
      annotations: {}
      storageClass:
      accessMode: ReadWriteOnce
      size: 8Gi
    annotations:
    - key: sidecar.istio.io/inject
      value: "false"

web:
  enabled: true
  fullnameOverride: web
  replicaCount: 1
  image:
    repository: ibmcase/bluecompute-web
    tag: 0.6.0
    pullPolicy: Always
  service:
    type: NodePort
    externalPort: 80
    nodePort: 31337
  resources:
    limits:
      cpu: 100m
      memory: 128Mi
    requests:
      cpu: 100m
      memory: 128Mi
  services:
    auth:
      protocol: http
      host: auth
      port: 8083
    catalog:
      protocol: http
      host: catalog
      port: 8081
    customer:
      protocol: http
      host: customer
      port: 8082
    orders:
      protocol: http
      host: orders
      port: 8084
    reviews:
      protocol: http
      host:
      port:
  istio:
    enabled: false
    # ISTIO_MUTUAL, SIMPLE, DISABLE
    mTLS: ISTIO_MUTUAL
    # LEAST_CONN, ROUND_ROBIN
    loadBalancer: LEAST_CONN
    gateway:
      enabled: true
      name:
      hosts:
      - "*"
      TLS:
        enabled: false
        # SIMPLE, MUTUAL
        mode: SIMPLE
        httpsRedirect: false
--------------------------------------------------------------------------------
/static/templates/values-istio-gateway-tls.yaml:
--------------------------------------------------------------------------------
# Declare variables to be passed into your templates.
global:
  hs256key:
    secretName: bluecompute-hs256key
    secret: E6526VJkKYhyTFRFMC0pTECpHcZ7TGcq8pKsVVgz9KtESVpheEO284qKzfzg8HpWNBPeHOxNGlyudUHi6i8tFQJXC8PiI48RUpMh23vPDLGD35pCM0417gf58z5xlmRNii56fwRCmIhhV7hDsm3KO2jRv4EBVz7HrYbzFeqI45CaStkMYNipzSm2duuer7zRdMjEKIdqsby0JfpQpykHmC5L6hxkX0BT7XWqztTr6xHCwqst26O0g8r7bXSYjp4a
  cluster:
    name: "my-cluster"
    region: us-south
  istio:
    enabled: true
    gateway:
      enabled: true
      name: bluecompute-gateway
      hosts:
      - "*.bluecompute.com"
      TLS:
        enabled: true
        # SIMPLE, MUTUAL
        mode: SIMPLE
        httpsRedirect: true
        serverCertificate: /etc/istio/ingressgateway-certs/tls.crt
        privateKey: /etc/istio/ingressgateway-certs/tls.key
        caCertificates: /etc/istio/ingressgateway-ca-certs/ca-chain.cert.pem

ingress:
  enabled: false
  hostnames:
    app: #app.bluecompute.com
    api: #api.bluecompute.com
  annotations:
    ingress.bluemix.net/redirect-to-https: "True"
  enableTLS: false
  TLS:
  - secretName: bluecompute.com
    hosts:
    - bluecompute.com

auth:
  enabled: true
  fullnameOverride: auth
  replicaCount: 1
  image:
    repository: ibmcase/bluecompute-auth
    tag: 0.6.0
    pullPolicy: Always
  service:
    type: ClusterIP
    externalPort: 8083
    nodePort: 32383
  resources:
    limits:
      memory: 384Mi
    requests:
      memory: 64Mi
  bash:
    image:
      repository: ibmcase/bluecompute-bash-curl-ssl
      tag: latest
      pullPolicy: IfNotPresent
  hs256key:
    secretName:
    secret:
  customer:
    url: http://customer:8082
  istio:
    enabled: false
    # ISTIO_MUTUAL, SIMPLE, DISABLE
    mTLS: ISTIO_MUTUAL
    # LEAST_CONN, ROUND_ROBIN
    loadBalancer: LEAST_CONN
    gateway:
      enabled: false
      name:
      hosts:
      - "auth.bluecompute.com"
      TLS:
        enabled: false
        # SIMPLE, MUTUAL
        mode: SIMPLE
        httpsRedirect: false

catalog:
  enabled: true
  fullnameOverride: catalog
  replicaCount: 1
  image:
    repository: ibmcase/bluecompute-catalog
    tag: 0.6.0
    pullPolicy: Always
  service:
    type: ClusterIP
    externalPort: 8081
    nodePort: 32381
  resources:
    limits:
      memory: 384Mi
    requests:
      memory: 64Mi
  inventory:
    url: http://inventory:8080
  curl:
    image: alexeiled/curl
    imageTag: latest
    imagePullPolicy: IfNotPresent
  elasticsearch:
    protocol: http
    host: catalog-elasticsearch-client
    port: 9200
    username:
    password:
    healthcheck: "_cat/health"
    cacertificatebase64:
  istio:
    enabled: false
    # ISTIO_MUTUAL, SIMPLE, DISABLE
    mTLS: ISTIO_MUTUAL
    # LEAST_CONN, ROUND_ROBIN
    loadBalancer: LEAST_CONN
    gateway:
      enabled: false
      name:
      hosts:
      - "catalog.bluecompute.com"
      TLS:
        enabled: false
        # SIMPLE, MUTUAL
        mode: SIMPLE
        httpsRedirect: false

elasticsearch:
  enabled: true
  fullnameOverride: catalog-elasticsearch
  protocol: http
  port: 9200
  username:
  password:
  healthcheck: "_cat/health"
  cacertificatebase64:
  appVersion: 6.6.1
  image:
    repository: docker.elastic.co/elasticsearch/elasticsearch-oss
    tag: 6.6.1
    pullPolicy: IfNotPresent
    #pullSecrets:
    #- sa-default
  serviceAccounts:
    client:
      create: false
      name:
    master:
      create: false
      name:
    data:
      create: false
      name:
  initImage:
    repository: "busybox"
    tag: "latest"
    pullPolicy: "Always"
  cluster:
    env:
      MINIMUM_MASTER_NODES: "2"
  client:
    replicas: 1
    serviceType: ClusterIP
    podAnnotations:
      sidecar.istio.io/inject: "false"
  master:
    replicas: 2
    persistence:
      enabled: false
      size: 4Gi
      storageClass:
      accessMode: ReadWriteOnce
    podAnnotations:
      sidecar.istio.io/inject: "false"
  data:
    replicas: 1
    persistence:
      enabled: false
      size: 30Gi
      storageClass:
      accessMode: ReadWriteOnce
    podAnnotations:
      sidecar.istio.io/inject: "false"
  sysctlInitContainer:
    enabled: true

customer:
  enabled: true
  fullnameOverride: customer
  replicaCount: 1
  image:
    repository: ibmcase/bluecompute-customer
    tag: 0.6.0
    pullPolicy: Always
  service:
    type: ClusterIP
    externalPort: 8082
    nodePort: 32382
  resources:
    limits:
      memory: 384Mi
    requests:
      memory: 64Mi
  testUser:
    createUser: true
    username: user
    password: passw0rd
  bash:
    image:
      repository: ibmcase/bluecompute-bash-curl-ssl
      tag: latest
      pullPolicy: IfNotPresent
  hs256key:
    secretName:
    secret:
  couchdb:
    host: customer-couchdb-svc-couchdb
    protocol: http
    port: 5985
    existingSecret:
    adminUsername: user
    adminPassword: passw0rd
    database: customers
  istio:
    enabled: false
    # ISTIO_MUTUAL, SIMPLE, DISABLE
    mTLS: ISTIO_MUTUAL
    # LEAST_CONN, ROUND_ROBIN
    loadBalancer: LEAST_CONN
    gateway:
      enabled: false
      name:
      hosts:
      - "customer.bluecompute.com"
      TLS:
        enabled: false
        # SIMPLE, MUTUAL
        mode: SIMPLE
        httpsRedirect: false

couchdb:
  enabled: true
  image:
    repository: "couchdb"
    tag: "2.3.0"
    pullPolicy: IfNotPresent
  fullnameOverride: customer-couchdb
  protocol: http
  createAdminSecret: true
  adminUsername: user
  adminPassword: passw0rd
  service:
    externalPort: 5985
  clusterSize: 1
  persistentVolume:
    enabled: false
    size: 10Gi
    accessModes:
    - ReadWriteOnce
    storageClass:
  helperImage:
    repository: kocolosk/couchdb-statefulset-assembler
    tag: 1.2.0
    pullPolicy: IfNotPresent
  initImage:
    repository: "busybox"
    tag: "latest"
    pullPolicy: "Always"
  podAnnotations:
    sidecar.istio.io/inject: "false"

inventory:
  enabled: true
  fullnameOverride: inventory
  replicaCount: 1
  image:
    repository: ibmcase/bluecompute-inventory
    tag: 0.6.0
    pullPolicy: Always
  service:
    type: ClusterIP
    externalPort: 8080
    nodePort: 32380
  resources:
    limits:
      memory: 384Mi
    requests:
      memory: 64Mi
  mysql:
    host: inventory-mysql
    port: 3306
    existingSecret:
    user: dbuser
    password: password
    database: inventorydb
    # For mysql init container
    image: "mysql"
    imageTag: "5.7.14"
    imagePullPolicy: IfNotPresent
  istio:
    enabled: false
    # ISTIO_MUTUAL, SIMPLE, DISABLE
    mTLS: ISTIO_MUTUAL
    # LEAST_CONN, ROUND_ROBIN
    loadBalancer: LEAST_CONN
    gateway:
      enabled: false
      name:
      hosts:
      - "inventory.bluecompute.com"
      TLS:
        enabled: false
        # SIMPLE, MUTUAL
        mode: SIMPLE
        httpsRedirect: false

mysql:
  enabled: true
  image: "mysql"
  imageTag: "5.7.14"
  imagePullPolicy: IfNotPresent
  fullnameOverride: inventory-mysql
  mysqlRootPassword: admin123
  mysqlUser: dbuser
  mysqlPassword: password
  mysqlDatabase: inventorydb
  service:
    port: 3306
  persistence:
    enabled: false
    size: 8Gi
    storageClass:
    accessMode: ReadWriteOnce
    existingClaim:
    subPath:
    annotations: {}
  istio:
    mTLS: ISTIO_MUTUAL
    loadBalancer: LEAST_CONN
  busybox:
    image: "busybox"
    tag: "latest"

orders:
  enabled: true
  fullnameOverride: orders
  replicaCount: 1
  image:
    repository: ibmcase/bluecompute-orders
    tag: 0.6.0
    pullPolicy: Always
  service:
    type: ClusterIP
    externalPort: 8084
    nodePort: 32384
  resources:
    limits:
      memory: 384Mi
    requests:
      memory: 64Mi
  mysql:
    image: "mysql"
    imageTag: "5.7.14"
    imagePullPolicy: IfNotPresent
  hs256key:
    secretName:
    secret:
  mariadb:
    # Leaving empty so it gets name from release name and nameOverride
    host:
    port: 3307
    existingSecret:
    user: dbuser
    password: password
    database: ordersdb
  istio:
    enabled: false
    # ISTIO_MUTUAL, SIMPLE, DISABLE
    mTLS: ISTIO_MUTUAL
    # LEAST_CONN, ROUND_ROBIN
    loadBalancer: LEAST_CONN
    gateway:
      enabled: false
      name:
      hosts:
      - "orders.bluecompute.com"
      TLS:
        enabled: false
        # SIMPLE, MUTUAL
        mode: SIMPLE
        httpsRedirect: false

mariadb:
  enabled: true
  image:
    registry: docker.io
    repository: bitnami/mariadb
    tag: 10.1.38
    pullPolicy: IfNotPresent
  service:
    port: 3307
  rootUser:
    password: admin123
  nameOverride: orders-mariadb
  db:
    user: dbuser
    password: password
    name: ordersdb
  replication:
    enabled: false
  master:
    persistence:
      enabled: false
      existingClaim:
      #mountPath: ""
      annotations: {}
      storageClass:
      accessMode: ReadWriteOnce
      size: 8Gi
    annotations:
    - key: sidecar.istio.io/inject
      value: "false"
  slave:
    replicas: 1
    persistence:
      enabled: false
      annotations: {}
      storageClass:
      accessMode: ReadWriteOnce
      size: 8Gi
    annotations:
    - key: sidecar.istio.io/inject
      value: "false"

web:
  enabled: true
  fullnameOverride: web
  replicaCount: 1
  image:
    repository: ibmcase/bluecompute-web
    tag: 0.6.0
    pullPolicy: Always
  service:
    type: NodePort
    externalPort: 80
    nodePort: 31337
  resources:
    limits:
      cpu: 100m
      memory: 128Mi
    requests:
      cpu: 100m
      memory: 128Mi
  services:
    auth:
      protocol: http
      host: auth
      port: 8083
    catalog:
      protocol: http
      host: catalog
      port: 8081
    customer:
      protocol: http
      host: customer
      port: 8082
    orders:
      protocol: http
      host: orders
      port: 8084
    reviews:
      protocol: http
      host:
      port:
  istio:
    enabled: false
    # ISTIO_MUTUAL, SIMPLE, DISABLE
    mTLS: ISTIO_MUTUAL
    # LEAST_CONN, ROUND_ROBIN
    loadBalancer: LEAST_CONN
    gateway:
      enabled: false
      name:
      hosts:
      - "web.bluecompute.com"
      TLS:
        enabled: false
        # SIMPLE, MUTUAL
        mode: SIMPLE
        httpsRedirect: false
--------------------------------------------------------------------------------
/static/templates/values-istio-gateway.yaml:
--------------------------------------------------------------------------------
# Declare variables to be passed into your templates.
global:
  hs256key:
    secretName: bluecompute-hs256key
    secret: E6526VJkKYhyTFRFMC0pTECpHcZ7TGcq8pKsVVgz9KtESVpheEO284qKzfzg8HpWNBPeHOxNGlyudUHi6i8tFQJXC8PiI48RUpMh23vPDLGD35pCM0417gf58z5xlmRNii56fwRCmIhhV7hDsm3KO2jRv4EBVz7HrYbzFeqI45CaStkMYNipzSm2duuer7zRdMjEKIdqsby0JfpQpykHmC5L6hxkX0BT7XWqztTr6xHCwqst26O0g8r7bXSYjp4a
  cluster:
    name: "my-cluster"
    region: us-south
  istio:
    enabled: true
    gateway:
      enabled: true
      name: bluecompute-gateway
      hosts:
      - "*"
      TLS:
        enabled: false
        # SIMPLE, MUTUAL
        mode: SIMPLE
        httpsRedirect: false
        serverCertificate: /etc/istio/ingressgateway-certs/tls.crt
        privateKey: /etc/istio/ingressgateway-certs/tls.key
        caCertificates: /etc/istio/ingressgateway-ca-certs/ca-chain.cert.pem

ingress:
  enabled: false
  hostnames:
    app: #app.bluecompute.com
    api: #api.bluecompute.com
  annotations:
    ingress.bluemix.net/redirect-to-https: "True"
  enableTLS: false
  TLS:
  - secretName: bluecompute.com
    hosts:
    - bluecompute.com

auth:
  enabled: true
  fullnameOverride: auth
  replicaCount: 1
  image:
    repository: ibmcase/bluecompute-auth
    tag: 0.6.0
    pullPolicy: Always
  service:
    type: ClusterIP
    externalPort: 8083
    nodePort: 32383
  resources:
    limits:
      memory: 384Mi
    requests:
      memory: 64Mi
  bash:
    image:
      repository: ibmcase/bluecompute-bash-curl-ssl
      tag: latest
      pullPolicy: IfNotPresent
  hs256key:
    secretName:
    secret:
  customer:
    url: http://customer:8082
  istio:
    enabled: false
    # ISTIO_MUTUAL, SIMPLE, DISABLE
    mTLS: ISTIO_MUTUAL
    # LEAST_CONN, ROUND_ROBIN
    loadBalancer: LEAST_CONN
    gateway:
      enabled: false
      name:
      hosts:
      - "*"
      TLS:
        enabled: false
        # SIMPLE, MUTUAL
        mode: SIMPLE
        httpsRedirect: false

catalog:
  enabled: true
  fullnameOverride: catalog
  replicaCount: 1
  image:
    repository: ibmcase/bluecompute-catalog
    tag: 0.6.0
    pullPolicy: Always
  service:
    type: ClusterIP
    externalPort: 8081
    nodePort: 32381
  resources:
    limits:
      memory: 384Mi
    requests:
      memory: 64Mi
  inventory:
    url: http://inventory:8080
  curl:
    image: alexeiled/curl
    imageTag: latest
    imagePullPolicy: IfNotPresent
  elasticsearch:
    protocol: http
    host: catalog-elasticsearch-client
    port: 9200
    username:
    password:
    healthcheck: "_cat/health"
    cacertificatebase64:
  istio:
    enabled: false
    # ISTIO_MUTUAL, SIMPLE, DISABLE
    mTLS: ISTIO_MUTUAL
    # LEAST_CONN, ROUND_ROBIN
    loadBalancer: LEAST_CONN
    gateway:
      enabled: false
      name:
      hosts:
      - "*"
      TLS:
        enabled: false
        # SIMPLE, MUTUAL
        mode: SIMPLE
        httpsRedirect: false

elasticsearch:
  enabled: true
  fullnameOverride: catalog-elasticsearch
  protocol: http
  port: 9200
  username:
  password:
  healthcheck: "_cat/health"
  cacertificatebase64:
  appVersion: 6.6.1
  image:
    repository: docker.elastic.co/elasticsearch/elasticsearch-oss
    tag: 6.6.1
    pullPolicy: IfNotPresent
    #pullSecrets:
    #- sa-default
  serviceAccounts:
    client:
      create: false
      name:
    master:
      create: false
      name:
    data:
      create: false
      name:
  initImage:
    repository: "busybox"
    tag: "latest"
    pullPolicy: "Always"
  cluster:
    env:
      MINIMUM_MASTER_NODES: "2"
  client:
    replicas: 1
    serviceType: ClusterIP
    podAnnotations:
      sidecar.istio.io/inject: "false"
  master:
    replicas: 2
    persistence:
      enabled: false
      size: 4Gi
      storageClass:
      accessMode: ReadWriteOnce
    podAnnotations:
sidecar.istio.io/inject: "false" 177 | data: 178 | replicas: 1 179 | persistence: 180 | enabled: false 181 | size: 30Gi 182 | storageClass: 183 | accessMode: ReadWriteOnce 184 | podAnnotations: 185 | sidecar.istio.io/inject: "false" 186 | sysctlInitContainer: 187 | enabled: true 188 | 189 | customer: 190 | enabled: true 191 | fullnameOverride: customer 192 | replicaCount: 1 193 | image: 194 | repository: ibmcase/bluecompute-customer 195 | tag: 0.6.0 196 | pullPolicy: Always 197 | service: 198 | type: ClusterIP 199 | externalPort: 8082 200 | nodePort: 32382 201 | resources: 202 | limits: 203 | memory: 384Mi 204 | requests: 205 | memory: 64Mi 206 | testUser: 207 | createUser: true 208 | username: user 209 | password: passw0rd 210 | bash: 211 | image: 212 | repository: ibmcase/bluecompute-bash-curl-ssl 213 | tag: latest 214 | pullPolicy: IfNotPresent 215 | hs256key: 216 | secretName: 217 | secret: 218 | couchdb: 219 | host: customer-couchdb-svc-couchdb 220 | protocol: http 221 | port: 5985 222 | existingSecret: 223 | adminUsername: user 224 | adminPassword: passw0rd 225 | database: customers 226 | istio: 227 | enabled: false 228 | # ISTIO_MUTUAL, SIMPLE, DISABLE 229 | mTLS: ISTIO_MUTUAL 230 | # LEAST_CONN, ROUND_ROBIN 231 | loadBalancer: LEAST_CONN 232 | gateway: 233 | enabled: false 234 | name: 235 | hosts: 236 | - "*" 237 | TLS: 238 | enabled: false 239 | # SIMPLE, MUTUAL 240 | mode: SIMPLE 241 | httpsRedirect: false 242 | 243 | couchdb: 244 | enabled: true 245 | image: 246 | repository: "couchdb" 247 | tag: "2.3.0" 248 | pullPolicy: IfNotPresent 249 | fullnameOverride: customer-couchdb 250 | protocol: http 251 | createAdminSecret: true 252 | adminUsername: user 253 | adminPassword: passw0rd 254 | service: 255 | externalPort: 5985 256 | clusterSize: 1 257 | persistentVolume: 258 | enabled: false 259 | size: 10Gi 260 | accessModes: 261 | - ReadWriteOnce 262 | storageClass: 263 | helperImage: 264 | repository: kocolosk/couchdb-statefulset-assembler 265 | tag: 1.2.0 
266 | pullPolicy: IfNotPresent 267 | initImage: 268 | repository: "busybox" 269 | tag: "latest" 270 | pullPolicy: "Always" 271 | podAnnotations: 272 | sidecar.istio.io/inject: "false" 273 | 274 | inventory: 275 | enabled: true 276 | fullnameOverride: inventory 277 | replicaCount: 1 278 | image: 279 | repository: ibmcase/bluecompute-inventory 280 | tag: 0.6.0 281 | pullPolicy: Always 282 | service: 283 | type: ClusterIP 284 | externalPort: 8080 285 | nodePort: 32380 286 | resources: 287 | limits: 288 | memory: 384Mi 289 | requests: 290 | memory: 64Mi 291 | mysql: 292 | host: inventory-mysql 293 | port: 3306 294 | existingSecret: 295 | user: dbuser 296 | password: password 297 | database: inventorydb 298 | # For mysql init container 299 | image: "mysql" 300 | imageTag: "5.7.14" 301 | imagePullPolicy: IfNotPresent 302 | istio: 303 | enabled: false 304 | # ISTIO_MUTUAL, SIMPLE, DISABLE 305 | mTLS: ISTIO_MUTUAL 306 | # LEAST_CONN, ROUND_ROBIN 307 | loadBalancer: LEAST_CONN 308 | gateway: 309 | enabled: false 310 | name: 311 | hosts: 312 | - "*" 313 | TLS: 314 | enabled: false 315 | # SIMPLE, MUTUAL 316 | mode: SIMPLE 317 | httpsRedirect: false 318 | 319 | mysql: 320 | enabled: true 321 | image: "mysql" 322 | imageTag: "5.7.14" 323 | imagePullPolicy: IfNotPresent 324 | fullnameOverride: inventory-mysql 325 | mysqlRootPassword: admin123 326 | mysqlUser: dbuser 327 | mysqlPassword: password 328 | mysqlDatabase: inventorydb 329 | service: 330 | port: 3306 331 | persistence: 332 | enabled: false 333 | size: 8Gi 334 | storageClass: 335 | accessMode: ReadWriteOnce 336 | existingClaim: 337 | subPath: 338 | annotations: {} 339 | istio: 340 | mTLS: ISTIO_MUTUAL 341 | loadBalancer: LEAST_CONN 342 | busybox: 343 | image: "busybox" 344 | tag: "latest" 345 | 346 | orders: 347 | enabled: true 348 | fullnameOverride: orders 349 | replicaCount: 1 350 | image: 351 | repository: ibmcase/bluecompute-orders 352 | tag: 0.6.0 353 | pullPolicy: Always 354 | service: 355 | type: ClusterIP 356 | 
externalPort: 8084 357 | nodePort: 32384 358 | resources: 359 | limits: 360 | memory: 384Mi 361 | requests: 362 | memory: 64Mi 363 | mysql: 364 | image: "mysql" 365 | imageTag: "5.7.14" 366 | imagePullPolicy: IfNotPresent 367 | hs256key: 368 | secretName: 369 | secret: 370 | mariadb: 371 | # Leaving empty so it gets name form release name and nameOverride 372 | host: 373 | port: 3307 374 | existingSecret: 375 | user: dbuser 376 | password: password 377 | database: ordersdb 378 | istio: 379 | enabled: false 380 | # ISTIO_MUTUAL, SIMPLE, DISABLE 381 | mTLS: ISTIO_MUTUAL 382 | # LEAST_CONN, ROUND_ROBIN 383 | loadBalancer: LEAST_CONN 384 | gateway: 385 | enabled: false 386 | name: 387 | hosts: 388 | - "*" 389 | TLS: 390 | enabled: false 391 | # SIMPLE, MUTUAL 392 | mode: SIMPLE 393 | httpsRedirect: false 394 | 395 | mariadb: 396 | enabled: true 397 | image: 398 | registry: docker.io 399 | repository: bitnami/mariadb 400 | tag: 10.1.38 401 | pullPolicy: IfNotPresent 402 | service: 403 | port: 3307 404 | rootUser: 405 | password: admin123 406 | nameOverride: orders-mariadb 407 | db: 408 | user: dbuser 409 | password: password 410 | name: ordersdb 411 | replication: 412 | enabled: false 413 | master: 414 | persistence: 415 | enabled: false 416 | existingClaim: 417 | #mountPath: "" 418 | annotations: {} 419 | storageClass: 420 | accessMode: ReadWriteOnce 421 | size: 8Gi 422 | annotations: 423 | - key: sidecar.istio.io/inject 424 | value: "false" 425 | slave: 426 | replicas: 1 427 | persistence: 428 | enabled: false 429 | annotations: {} 430 | storageClass: 431 | accessMode: ReadWriteOnce 432 | size: 8Gi 433 | annotations: 434 | - key: sidecar.istio.io/inject 435 | value: "false" 436 | 437 | web: 438 | enabled: true 439 | fullnameOverride: web 440 | replicaCount: 1 441 | image: 442 | repository: ibmcase/bluecompute-web 443 | tag: 0.6.0 444 | pullPolicy: Always 445 | service: 446 | type: NodePort 447 | externalPort: 80 448 | nodePort: 31337 449 | resources: 450 | limits: 451 
| cpu: 100m 452 | memory: 128Mi 453 | requests: 454 | cpu: 100m 455 | memory: 128Mi 456 | services: 457 | auth: 458 | protocol: http 459 | host: auth 460 | port: 8083 461 | catalog: 462 | protocol: http 463 | host: catalog 464 | port: 8081 465 | customer: 466 | protocol: http 467 | host: customer 468 | port: 8082 469 | orders: 470 | protocol: http 471 | host: orders 472 | port: 8084 473 | reviews: 474 | protocol: http 475 | host: 476 | port: 477 | istio: 478 | enabled: false 479 | # ISTIO_MUTUAL, SIMPLE, DISABLE 480 | mTLS: ISTIO_MUTUAL 481 | # LEAST_CONN, ROUND_ROBIN 482 | loadBalancer: LEAST_CONN 483 | gateway: 484 | enabled: false 485 | name: 486 | hosts: 487 | - "*" 488 | TLS: 489 | enabled: false 490 | # SIMPLE, MUTUAL 491 | mode: SIMPLE 492 | httpsRedirect: false --------------------------------------------------------------------------------