├── c3-1
    └── code.txt
├── c3-10
    └── code.txt
├── c3-11
    ├── httpbin-v1.yaml
    ├── httpbin-v2.yaml
    ├── mirror.yaml
    ├── svc.yaml
    └── vs.yaml
├── c3-17
    ├── code.txt
    ├── gateway.yaml
    └── httpbin.yaml
├── c3-18
    └── code.yaml
├── c3-19
    ├── code.yaml
    ├── demo.jwt
    └── jwks.json
├── c3-2
    └── code.txt
├── c3-3
    ├── gateway.yaml
    └── virtualservice.yaml
├── c3-4
    ├── code.txt
    └── serviceentry.yaml
├── c3-5
    └── code.txt
├── c3-6
    ├── code.txt
    ├── gateway.yaml
    └── vs.yaml
├── c3-7
    ├── gw.yaml
    ├── se.yaml
    └── vs.yaml
├── c3-8
    ├── retry.yaml
    ├── timeout.yaml
    ├── vs-rating.yaml
    └── vs.yaml
├── c3-9
    ├── circuitbreaking.yaml
    └── code.txt
├── c4-1
    └── code.yaml
├── c4-2
    └── code.yaml
├── c4-3
    ├── auth.yaml
    ├── cb.yaml
    ├── vs-normal.yaml
    ├── vs-retry.yaml
    └── vs-timeout.yaml
├── c4-4
    └── code.yaml
├── c4-5
    ├── configmap-v2.yaml
    ├── configmap.yaml
    ├── deployment.yaml
    └── grafana-deploy.yaml
├── c4-6
    ├── deployment.yaml
    └── filebeat.yaml
├── c4-7
    └── code.txt
├── 第一章 理论篇.pdf
├── 第三章 实验篇-安全.pdf
├── 第三章 实验篇-流量控制.pdf
├── 第三章-可观察性.pdf
├── 第二章 Istio入门篇.pdf
├── 第四章 实战篇-项目准备及构建过程.pdf
└── 第四章 实战篇.pdf


/c3-1/code.txt:
--------------------------------------------------------------------------------
1 | 本课代码可在官方安装包下获取：
2 | samples/bookinfo/platform/kube/bookinfo.yaml
3 | samples/bookinfo/networking/bookinfo-gateway.yaml


--------------------------------------------------------------------------------
/c3-10/code.txt:
--------------------------------------------------------------------------------
1 | 官方代码：
2 | kubectl apply -f samples/bookinfo/networking/virtual-service-all-v1.yaml
3 | kubectl apply -f samples/bookinfo/networking/virtual-service-reviews-test-v2.yaml
4 | kubectl apply -f samples/bookinfo/networking/virtual-service-ratings-test-delay.yaml


--------------------------------------------------------------------------------
/c3-11/httpbin-v1.yaml:
--------------------------------------------------------------------------------
 1 | apiVersion: apps/v1
 2 | kind: Deployment
 3 | metadata:
 4 |   name: httpbin-v1
 5 | spec:
 6 |   replicas: 1
 7 |   selector:
 8 |     matchLabels:
 9 |       app: httpbin
10 |       version: v1
11 |   template:
12 |     metadata:
13 |       labels:
14 |         app: httpbin
15 |         version: v1
16 |     spec:
17 |       containers:
18 |       - image: docker.io/kennethreitz/httpbin
19 |         imagePullPolicy: IfNotPresent
20 |         name: httpbin
21 |         command: ["gunicorn", "--access-logfile", "-", "-b", "0.0.0.0:80", "httpbin:app"]
22 |         ports:
23 |         - containerPort: 80
24 | 


--------------------------------------------------------------------------------
/c3-11/httpbin-v2.yaml:
--------------------------------------------------------------------------------
 1 | apiVersion: apps/v1
 2 | kind: Deployment
 3 | metadata:
 4 |   name: httpbin-v2
 5 | spec:
 6 |   replicas: 1
 7 |   selector:
 8 |     matchLabels:
 9 |       app: httpbin
10 |       version: v2
11 |   template:
12 |     metadata:
13 |       labels:
14 |         app: httpbin
15 |         version: v2
16 |     spec:
17 |       containers:
18 |       - image: docker.io/kennethreitz/httpbin
19 |         imagePullPolicy: IfNotPresent
20 |         name: httpbin
21 |         command: ["gunicorn", "--access-logfile", "-", "-b", "0.0.0.0:80", "httpbin:app"]
22 |         ports:
23 |         - containerPort: 80
24 | 


--------------------------------------------------------------------------------
/c3-11/mirror.yaml:
--------------------------------------------------------------------------------
 1 | apiVersion: networking.istio.io/v1alpha3
 2 | kind: VirtualService
 3 | metadata:
 4 |   name: httpbin
 5 | spec:
 6 |   hosts:
 7 |     - httpbin
 8 |   http:
 9 |   - route:
10 |     - destination:
11 |         host: httpbin
12 |         subset: v1
13 |       weight: 100
14 |     mirror:
15 |       host: httpbin
16 |       subset: v2
17 |     mirror_percentage: 
18 |       value: 100
19 | 


--------------------------------------------------------------------------------
/c3-11/svc.yaml:
--------------------------------------------------------------------------------
 1 | apiVersion: v1
 2 | kind: Service
 3 | metadata:
 4 |   name: httpbin
 5 |   labels:
 6 |     app: httpbin
 7 | spec:
 8 |   ports:
 9 |   - name: http
10 |     port: 8000
11 |     targetPort: 80
12 |   selector:
13 |     app: httpbin
14 | 


--------------------------------------------------------------------------------
/c3-11/vs.yaml:
--------------------------------------------------------------------------------
 1 | apiVersion: networking.istio.io/v1alpha3
 2 | kind: VirtualService
 3 | metadata:
 4 |   name: httpbin
 5 | spec:
 6 |   hosts:
 7 |     - httpbin
 8 |   http:
 9 |   - route:
10 |     - destination:
11 |         host: httpbin
12 |         subset: v1
13 |       weight: 100
14 | ---
15 | apiVersion: networking.istio.io/v1alpha3
16 | kind: DestinationRule
17 | metadata:
18 |   name: httpbin
19 | spec:
20 |   host: httpbin
21 |   subsets:
22 |   - name: v1
23 |     labels:
24 |       version: v1
25 |   - name: v2
26 |     labels:
27 |       version: v2
28 | 


--------------------------------------------------------------------------------
/c3-17/code.txt:
--------------------------------------------------------------------------------
 1 | 1.为服务创建根证书和私钥：
 2 | openssl req -x509 -sha256 -nodes -days 365 -newkey rsa:2048 -subj '/O=example Inc./CN=example.com' -keyout example.com.key -out example.com.crt
 3 | 
 4 | 2.为httpbin.example.com创建证书和私钥：
 5 | openssl req -out httpbin.example.com.csr -newkey rsa:2048 -nodes -keyout httpbin.example.com.key -subj "/CN=httpbin.example.com/O=httpbin organization"
 6 | openssl x509 -req -days 365 -CA example.com.crt -CAkey example.com.key -set_serial 0 -in httpbin.example.com.csr -out httpbin.example.com.crt
 7 | 
 8 | 3. 创建secret
 9 | kubectl create -n istio-system secret tls httpbin-credential --key=httpbin.example.com.key --cert=httpbin.example.com.crt
10 | 
11 | 4.定义网关,vs，见yaml
12 | 
13 | 5. 请求验证
14 | curl -HHost:httpbin.example.com \
15 | --resolve httpbin.example.com:443:127.0.0.1 \
16 | --cacert example.com.crt "https://httpbin.example.com:443/status/418"


--------------------------------------------------------------------------------
/c3-17/gateway.yaml:
--------------------------------------------------------------------------------
 1 | apiVersion: networking.istio.io/v1alpha3
 2 | kind: Gateway
 3 | metadata:
 4 |   name: mygateway
 5 | spec:
 6 |   selector:
 7 |     istio: ingressgateway 
 8 |   servers:
 9 |   - port:
10 |       number: 443
11 |       name: https
12 |       protocol: HTTPS
13 |     tls:
14 |       mode: SIMPLE
15 |       credentialName: httpbin-credential
16 |     hosts:
17 |     - httpbin.example.com
18 | 


--------------------------------------------------------------------------------
/c3-17/httpbin.yaml:
--------------------------------------------------------------------------------
 1 | apiVersion: v1
 2 | kind: Service
 3 | metadata:
 4 |   name: httpbin
 5 |   labels:
 6 |     app: httpbin
 7 | spec:
 8 |   ports:
 9 |   - name: http
10 |     port: 8000
11 |   selector:
12 |     app: httpbin
13 | ---
14 | apiVersion: apps/v1
15 | kind: Deployment
16 | metadata:
17 |   name: httpbin
18 | spec:
19 |   replicas: 1
20 |   selector:
21 |     matchLabels:
22 |       app: httpbin
23 |       version: v1
24 |   template:
25 |     metadata:
26 |       labels:
27 |         app: httpbin
28 |         version: v1
29 |     spec:
30 |       containers:
31 |       - image: docker.io/citizenstig/httpbin
32 |         imagePullPolicy: IfNotPresent
33 |         name: httpbin
34 |         ports:
35 |         - containerPort: 8000
36 | 


--------------------------------------------------------------------------------
/c3-18/code.yaml:
--------------------------------------------------------------------------------
 1 | # 给default添加命名空间策略
 2 | # 兼容模式
 3 | kubectl apply -f - <<EOF
 4 | apiVersion: "security.istio.io/v1beta1"
 5 | kind: "PeerAuthentication"
 6 | metadata:
 7 |   name: "default"
 8 |   namespace: "default"
 9 | spec:
10 |   mtls:
11 |     mode: PERMISSIVE
12 | EOF
13 | 
14 | # 严格模式
15 | kubectl apply -f - <<EOF
16 | apiVersion: "security.istio.io/v1beta1"
17 | kind: "PeerAuthentication"
18 | metadata:
19 |   name: "default"
20 |   namespace: "default"
21 | spec:
22 |   mtls:
23 |     mode: STRICT
24 | EOF
25 | 
26 | # 注入即可访问
27 | kubectl apply -f <(istioctl kube-inject -f samples/sleep/sleep.yaml) -n testauth
28 | 
29 | # 添加全局策略，只添加
30 | kubectl apply -f - <<EOF
31 | apiVersion: "security.istio.io/v1beta1"
32 | kind: "PeerAuthentication"
33 | metadata:
34 |   name: "default"
35 | spec:
36 |   mtls:
37 |     mode: STRICT
38 | EOF


--------------------------------------------------------------------------------
/c3-19/code.yaml:
--------------------------------------------------------------------------------
 1 | #创建请求认证
 2 | kubectl apply -f - <<EOF
 3 | apiVersion: "security.istio.io/v1beta1"
 4 | kind: "RequestAuthentication"
 5 | metadata:
 6 |   name: "jwt-example"
 7 |   namespace: testjwt
 8 | spec:
 9 |   selector:
10 |     matchLabels:
11 |       app: httpbin
12 |   jwtRules:
13 |   - issuer: "testing@secure.istio.io"
14 |     jwksUri: "https://raw.githubusercontent.com/malphi/geektime-servicemesh/master/c3-19/jwks.json"
15 | EOF
16 | 
17 | #测试不合法的jwt访问
18 | kubectl exec $(kubectl get pod -l app=sleep -n foo -o jsonpath={.items..metadata.name}) -c sleep -n testjwt -- curl "http://httpbin.testjwt:8000/headers" -H "Authorization: Bearer invalidToken"
19 | 
20 | #测试没有授权策略时，都可以访问
21 | kubectl exec $(kubectl get pod -l app=sleep -n foo -o jsonpath={.items..metadata.name}) -c sleep -n testjwt -- curl "http://httpbin.testjwt:8000/headers" -s -o /dev/null -w "%{http_code}\n"
22 | 
23 | # 创建授权策略
24 | kubectl apply -f - <<EOF
25 | apiVersion: security.istio.io/v1beta1
26 | kind: AuthorizationPolicy
27 | metadata:
28 |   name: require-jwt
29 |   namespace: testjwt
30 | spec:
31 |   selector:
32 |     matchLabels:
33 |       app: httpbin
34 |   action: ALLOW
35 |   rules:
36 |   - from:
37 |     - source:
38 |        requestPrincipals: ["testing@secure.istio.io/testing@secure.istio.io"]
39 | EOF
40 | 
41 | #解析token
42 | TOKEN=$(curl https://raw.githubusercontent.com/malphi/geektime-servicemesh/master/c3-19/demo.jwt -s) && echo $TOKEN | cut -d '.' -f2 - | base64 --decode -
43 | 
44 | #测试带token的请求
45 | kubectl exec $(kubectl get pod -l app=sleep -n foo -o jsonpath={.items..metadata.name}) -c sleep -n testjwt -- curl "http://httpbin.foo:8000/headers" -s -o /dev/null -H "Authorization: Bearer $TOKEN" -w "%{http_code}\n"
46 | 
47 | 


--------------------------------------------------------------------------------
/c3-19/demo.jwt:
--------------------------------------------------------------------------------
1 | eyJhbGciOiJSUzI1NiIsImtpZCI6IkRIRmJwb0lVcXJZOHQyenBBMnFYZkNtcjVWTzVaRXI0UnpIVV8tZW52dlEiLCJ0eXAiOiJKV1QifQ.eyJleHAiOjQ2ODU5ODk3MDAsImZvbyI6ImJhciIsImlhdCI6MTUzMjM4OTcwMCwiaXNzIjoidGVzdGluZ0BzZWN1cmUuaXN0aW8uaW8iLCJzdWIiOiJ0ZXN0aW5nQHNlY3VyZS5pc3Rpby5pbyJ9.CfNnxWP2tcnR9q0vxyxweaF3ovQYHYZl82hAUsn21bwQd9zP7c-LS9qd_vpdLG4Tn1A15NxfCjp5f7QNBUo-KC9PJqYpgGbaXhaGx7bEdFWjcwv3nZzvc7M__ZpaCERdwU7igUmJqYGBYQ51vr2njU9ZimyKkfDe3axcyiBZde7G6dabliUosJvvKOPcKIWPccCgefSj_GNfwIip3-SsFdlR7BtbVUcqR-yv-XOxJ3Uc1MI0tz3uMiiZcyPV7sNCU4KRnemRIMHVOfuvHsU60_GhGbiSFzgPTAa9WTltbnarTbxudb_YEOx12JiwYToeX0DCPb43W1tzIBxgm8NxUg
2 | 


--------------------------------------------------------------------------------
/c3-19/jwks.json:
--------------------------------------------------------------------------------
1 | { "keys":[ {"e":"AQAB","kid":"DHFbpoIUqrY8t2zpA2qXfCmr5VO5ZEr4RzHU_-envvQ","kty":"RSA","n":"xAE7eB6qugXyCAG3yhh7pkDkT65pHymX-P7KfIupjf59vsdo91bSP9C8H07pSAGQO1MV_xFj9VswgsCg4R6otmg5PV2He95lZdHtOcU5DXIg_pbhLdKXbi66GlVeK6ABZOUW3WYtnNHD-91gVuoeJT_DwtGGcp4ignkgXfkiEm4sw-4sfb4qdt5oLbyVpmW6x9cfa7vs2WTfURiCrBoUqgBo_-4WTiULmmHSGZHOjzwa8WtrtOQGsAFjIbno85jp6MnGGGZPYZbDAa_b3y5u-YpW7ypZrvD8BgtKVjgtQgZhLAGezMt0ua3DRrWnKqTZ0BJ_EyxOGuHJrLsn00fnMQ"}]}


--------------------------------------------------------------------------------
/c3-2/code.txt:
--------------------------------------------------------------------------------
1 | 本课官方代码如下：
2 | kubectl apply -f samples/bookinfo/networking/virtual-service-all-v1.yaml
3 | kubectl apply -f samples/bookinfo/networking/destination-rule-all.yaml
4 | 


--------------------------------------------------------------------------------
/c3-3/gateway.yaml:
--------------------------------------------------------------------------------
 1 | apiVersion: networking.istio.io/v1alpha3
 2 | kind: Gateway
 3 | metadata:
 4 |   name: test-gateway
 5 | spec:
 6 |   selector:
 7 |     istio: ingressgateway
 8 |   servers:
 9 |   - port:
10 |       number: 80
11 |       name: http
12 |       protocol: HTTP
13 |     hosts:
14 |     - "*"
15 | 


--------------------------------------------------------------------------------
/c3-3/virtualservice.yaml:
--------------------------------------------------------------------------------
 1 | apiVersion: networking.istio.io/v1alpha3
 2 | kind: VirtualService
 3 | metadata:
 4 |   name: test-gateway
 5 | spec:
 6 |   hosts:
 7 |   - "*"
 8 |   gateways:
 9 |   - test-gateway
10 |   http:
11 |   - match:
12 |     - uri:
13 |         prefix: /details
14 |     - uri:
15 |         exact: /health
16 |     route:
17 |     - destination:
18 |         host: details
19 |         port:
20 |           number: 9080
21 | 


--------------------------------------------------------------------------------
/c3-4/code.txt:
--------------------------------------------------------------------------------
1 | 官方代码：
2 | samples/sleep/sleep.yaml
3 | 
4 | //关闭访问
5 | kubectl get configmap istio -n istio-system -o yaml | sed 's/mode: ALLOW_ANY/mode: REGISTRY_ONLY/g' | kubectl replace -n istio-system -f -
6 | 


--------------------------------------------------------------------------------
/c3-4/serviceentry.yaml:
--------------------------------------------------------------------------------
 1 | apiVersion: networking.istio.io/v1alpha3
 2 | kind: ServiceEntry
 3 | metadata:
 4 |   name: httpbin-ext
 5 | spec:
 6 |   hosts:
 7 |   - httpbin.org
 8 |   ports:
 9 |   - number: 80
10 |     name: http
11 |     protocol: HTTP
12 |   resolution: DNS
13 |   location: MESH_EXTERNAL
14 | 


--------------------------------------------------------------------------------
/c3-5/code.txt:
--------------------------------------------------------------------------------
1 | 官方代码：
2 | samples/bookinfo/networking/virtual-service-all-v1.yaml
3 | // 转到v3
4 | samples/bookinfo/networking/virtual-service-reviews-50-v3.yaml


--------------------------------------------------------------------------------
/c3-6/code.txt:
--------------------------------------------------------------------------------
1 | samples/httpbin/httpbin.yaml
2 | 


--------------------------------------------------------------------------------
/c3-6/gateway.yaml:
--------------------------------------------------------------------------------
 1 | apiVersion: networking.istio.io/v1alpha3
 2 | kind: Gateway
 3 | metadata:
 4 |   name: httpbin-gateway
 5 | spec:
 6 |   selector:
 7 |     istio: ingressgateway
 8 |   servers:
 9 |   - port:
10 |       number: 80
11 |       name: http
12 |       protocol: HTTP
13 |     hosts:
14 |     - "httpbin.example.com"
15 | 


--------------------------------------------------------------------------------
/c3-6/vs.yaml:
--------------------------------------------------------------------------------
 1 | apiVersion: networking.istio.io/v1alpha3
 2 | kind: VirtualService
 3 | metadata:
 4 |   name: httpbin
 5 | spec:
 6 |   hosts:
 7 |   - "httpbin.example.com"
 8 |   gateways:
 9 |   - httpbin-gateway
10 |   http:
11 |   - match:
12 |     - uri:
13 |         prefix: /status
14 |     - uri:
15 |         prefix: /delay
16 |     route:
17 |     - destination:
18 |         port:
19 |           number: 8000
20 |         host: httpbin
21 | 


--------------------------------------------------------------------------------
/c3-7/gw.yaml:
--------------------------------------------------------------------------------
 1 | apiVersion: networking.istio.io/v1alpha3
 2 | kind: Gateway
 3 | metadata:
 4 |   name: istio-egressgateway
 5 | spec:
 6 |   selector:
 7 |     istio: egressgateway
 8 |   servers:
 9 |   - port:
10 |       number: 80
11 |       name: http
12 |       protocol: HTTP
13 |     hosts:
14 |     - httpbin.org
15 | 


--------------------------------------------------------------------------------
/c3-7/se.yaml:
--------------------------------------------------------------------------------
 1 | apiVersion: networking.istio.io/v1alpha3
 2 | kind: ServiceEntry
 3 | metadata:
 4 |   name: httpbin
 5 | spec:
 6 |   hosts:
 7 |   - httpbin.org
 8 |   ports:
 9 |   - number: 80
10 |     name: http-port
11 |     protocol: HTTP
12 |   resolution: DNS
13 | 


--------------------------------------------------------------------------------
/c3-7/vs.yaml:
--------------------------------------------------------------------------------
 1 | apiVersion: networking.istio.io/v1alpha3
 2 | kind: VirtualService
 3 | metadata:
 4 |   name: vs-for-egressgateway
 5 | spec:
 6 |   hosts:
 7 |   - httpbin.org
 8 |   gateways:
 9 |   - istio-egressgateway
10 |   - mesh
11 |   http:
12 |   - match:
13 |     - gateways:
14 |       - mesh
15 |       port: 80
16 |     route:
17 |     - destination:
18 |         host: istio-egressgateway.istio-system.svc.cluster.local
19 |         subset: httpbin
20 |         port:
21 |           number: 80
22 |       weight: 100
23 |   - match:
24 |     - gateways:
25 |       - istio-egressgateway
26 |       port: 80
27 |     route:
28 |     - destination:
29 |         host: httpbin.org
30 |         port:
31 |           number: 80
32 |       weight: 100
33 | ---
34 | apiVersion: networking.istio.io/v1alpha3
35 | kind: DestinationRule
36 | metadata:
37 |   name: dr-for-egressgateway
38 | spec:
39 |   host: istio-egressgateway.istio-system.svc.cluster.local
40 |   subsets:
41 |   - name: httpbin
42 | 


--------------------------------------------------------------------------------
/c3-8/retry.yaml:
--------------------------------------------------------------------------------
 1 | apiVersion: networking.istio.io/v1alpha3
 2 | kind: VirtualService
 3 | metadata:
 4 |   name: ratings
 5 | spec:
 6 |   hosts:
 7 |   - ratings
 8 |   http:
 9 |   - fault:
10 |       delay:
11 |         percent: 100
12 |         fixedDelay: 5s
13 |     route:
14 |     - destination:
15 |         host: ratings
16 |         subset: v1
17 |     retries:
18 |       attempts: 2
19 |       perTryTimeout: 1s
20 | 


--------------------------------------------------------------------------------
/c3-8/timeout.yaml:
--------------------------------------------------------------------------------
 1 | apiVersion: networking.istio.io/v1alpha3
 2 | kind: VirtualService
 3 | metadata:
 4 |   name: reviews
 5 | spec:
 6 |   hosts:
 7 |   - reviews
 8 |   http:
 9 |   - route:
10 |     - destination:
11 |         host: reviews
12 |         subset: v2
13 |     timeout: 1s
14 | 


--------------------------------------------------------------------------------
/c3-8/vs-rating.yaml:
--------------------------------------------------------------------------------
 1 | apiVersion: networking.istio.io/v1alpha3
 2 | kind: VirtualService
 3 | metadata:
 4 |   name: ratings
 5 | spec:
 6 |   hosts:
 7 |   - ratings
 8 |   http:
 9 |   - fault:
10 |       delay:
11 |         percent: 100
12 |         fixedDelay: 2s
13 |     route:
14 |     - destination:
15 |         host: ratings
16 |         subset: v1
17 | 


--------------------------------------------------------------------------------
/c3-8/vs.yaml:
--------------------------------------------------------------------------------
 1 | apiVersion: networking.istio.io/v1alpha3
 2 | kind: VirtualService
 3 | metadata:
 4 |   name: reviews
 5 | spec:
 6 |   hosts:
 7 |     - reviews
 8 |   http:
 9 |   - route:
10 |     - destination:
11 |         host: reviews
12 |         subset: v2
13 | 


--------------------------------------------------------------------------------
/c3-9/circuitbreaking.yaml:
--------------------------------------------------------------------------------
 1 | apiVersion: networking.istio.io/v1alpha3
 2 | kind: DestinationRule
 3 | metadata:
 4 |   name: httpbin
 5 | spec:
 6 |   host: httpbin
 7 |   trafficPolicy:
 8 |     connectionPool:
 9 |       tcp:
10 |         maxConnections: 1
11 |       http:
12 |         http1MaxPendingRequests: 1
13 |         maxRequestsPerConnection: 1
14 |     outlierDetection:
15 |       consecutiveErrors: 1
16 |       interval: 1s
17 |       baseEjectionTime: 3m
18 |       maxEjectionPercent: 100
19 | 


--------------------------------------------------------------------------------
/c3-9/code.txt:
--------------------------------------------------------------------------------
1 | 安装fortio：
2 | samples/httpbin/sample-client/fortio-deploy.yaml
3 | 


--------------------------------------------------------------------------------
/c4-1/code.yaml:
--------------------------------------------------------------------------------
  1 | # 安装fluxctl
  2 | brew install fluxctl
  3 | 
  4 | # 创建ns
  5 | kubectl create ns flux
  6 | 
  7 | # 部署flux, 先clone repo https://github.com/fluxcd/flux.git
  8 | # 修改git 信息：https://github.com/fluxcd/flux/blob/master/deploy/flux-deployment.yaml
  9 | k apply -k deploy
 10 | 
 11 | # 方法2
 12 | fluxctl install \
 13 | --git-user=xxx \
 14 | --git-email=xxx@xxx \
 15 | --git-url=git@github.com:xxx/smdemo \
 16 | --namespace=flux | kubectl apply -f -
 17 | 
 18 | # 写入deploy key
 19 | export FLUX_FORWARD_NAMESPACE=flux
 20 | #获取ssh key
 21 | fluxctl identity --k8s-fwd-ns flux
 22 | 
 23 | # 建demo ns,添加注入
 24 | k create ns demo
 25 | k label namespace demo istio-injection=enabled
 26 | 
 27 | #### 添加httpbin 文件
 28 | apiVersion: v1
 29 | kind: ServiceAccount
 30 | metadata:
 31 |   name: httpbin
 32 | ---
 33 | apiVersion: v1
 34 | kind: Service
 35 | metadata:
 36 |   name: httpbin
 37 |   labels:
 38 |     app: httpbin
 39 | spec:
 40 |   ports:
 41 |   - name: http
 42 |     port: 8000
 43 |     targetPort: 80
 44 |   selector:
 45 |     app: httpbin
 46 | ---
 47 | apiVersion: apps/v1
 48 | kind: Deployment
 49 | metadata:
 50 |   name: httpbin
 51 | spec:
 52 |   replicas: 1
 53 |   selector:
 54 |     matchLabels:
 55 |       app: httpbin
 56 |       version: v1
 57 |   template:
 58 |     metadata:
 59 |       labels:
 60 |         app: httpbin
 61 |         version: v1
 62 |     spec:
 63 |       serviceAccountName: httpbin
 64 |       containers:
 65 |       - image: docker.io/kennethreitz/httpbin
 66 |         imagePullPolicy: IfNotPresent
 67 |         name: httpbin
 68 |         ports:
 69 |         - containerPort: 80
 70 |         
 71 |         
 72 | # 同步
 73 | fluxctl sync --k8s-fwd-ns flux
 74 | 
 75 | # 添加sleep
 76 | apiVersion: v1
 77 | kind: ServiceAccount
 78 | metadata:
 79 |   name: sleep
 80 |   namespace: demo
 81 | ---
 82 | apiVersion: v1
 83 | kind: Service
 84 | metadata:
 85 |   name: sleep
 86 |   namespace: demo
 87 |   labels:
 88 |     app: sleep
 89 | spec:
 90 |   ports:
 91 |   - port: 80
 92 |     name: http
 93 |   selector:
 94 |     app: sleep
 95 | ---
 96 | apiVersion: apps/v1
 97 | kind: Deployment
 98 | metadata:
 99 |   name: sleep
100 |   namespace: demo
101 | spec:
102 |   replicas: 1
103 |   selector:
104 |     matchLabels:
105 |       app: sleep
106 |   template:
107 |     metadata:
108 |       labels:
109 |         app: sleep
110 |     spec:
111 |       serviceAccountName: sleep
112 |       containers:
113 |       - name: sleep
114 |         image: governmentpaas/curl-ssl
115 |         command: ["/bin/sleep", "3650d"]
116 |         imagePullPolicy: IfNotPresent
117 |         volumeMounts:
118 |         - mountPath: /etc/sleep/tls
119 |           name: secret-volume
120 |       volumes:
121 |       - name: secret-volume
122 |         secret:
123 |           secretName: sleep-secret
124 |           optional: true


--------------------------------------------------------------------------------
/c4-2/code.yaml:
--------------------------------------------------------------------------------
  1 | # add repo
  2 | helm repo add flagger https://flagger.app
  3 | 
  4 | # install crd
  5 | kubectl apply -f https://raw.githubusercontent.com/weaveworks/flagger/master/artifacts/flagger/crd.yaml
  6 | 
  7 | # 部署flagger with istio
  8 | helm upgrade -i flagger flagger/flagger \
  9 | --namespace=istio-system \
 10 | --set crd.create=false \
 11 | --set meshProvider=istio \
 12 | --set metricsServer=http://prometheus.istio-system:9090
 13 | 
 14 | #slack
 15 | # https://api.slack.com/messaging/webhooks
 16 | helm upgrade -i flagger flagger/flagger \
 17 | --namespace=istio-system \
 18 | --set crd.create=false \
 19 | --set slack.url=https://hooks.slack.com/services/xxxxxx \
 20 | --set slack.channel=general \
 21 | --set slack.user=flagger
 22 | 
 23 | # grafana
 24 | helm upgrade -i flagger-grafana flagger/grafana \
 25 | --namespace=istio-system \
 26 | --set url=http://prometheus.istio-system:9090 \
 27 | --set user=admin \
 28 | --set password=admin
 29 | 
 30 | # 部署flagger,或者下载repo直接执行
 31 | kubectl apply -k github.com/weaveworks/flagger//kustomize/istio
 32 | 
 33 | # ingress for expose mesh
 34 | apiVersion: networking.istio.io/v1alpha3
 35 | kind: Gateway
 36 | metadata:
 37 |   name: public-gateway
 38 |   namespace: istio-system
 39 | spec:
 40 |   selector:
 41 |     istio: ingressgateway
 42 |   servers:
 43 |     - port:
 44 |         number: 80
 45 |         name: http
 46 |         protocol: HTTP
 47 |       hosts:
 48 |         - "*"
 49 |         
 50 | #部署应用和tester
 51 | kubectl apply -k github.com/weaveworks/flagger//kustomize/tester
 52 | #或者 先clone repo
 53 | k apply -f deployment.yaml -n demo
 54 | k apply -f service.yaml -n demo
 55 | 
 56 | # 添加hpa
 57 | k apply -n demo -f - <<EOF
 58 | apiVersion: autoscaling/v2beta1
 59 | kind: HorizontalPodAutoscaler
 60 | metadata:
 61 |   name: httpbin
 62 | spec:
 63 |   scaleTargetRef:
 64 |     apiVersion: apps/v1
 65 |     kind: Deployment
 66 |     name: httpbin
 67 |   minReplicas: 2
 68 |   maxReplicas: 4
 69 |   metrics:
 70 |   - type: Resource
 71 |     resource:
 72 |       name: cpu
 73 |       # scale up if usage is above
 74 |       # 99% of the requested CPU (100m)
 75 |       targetAverageUtilization: 99
 76 | EOF
 77 | 
 78 | # 创建 canary 分析
 79 | apiVersion: flagger.app/v1beta1
 80 | kind: Canary
 81 | metadata:
 82 |   name: httpbin
 83 |   namespace: demo
 84 | spec:
 85 |   # deployment reference
 86 |   targetRef:
 87 |     apiVersion: apps/v1
 88 |     kind: Deployment
 89 |     name: httpbin
 90 |   # the maximum time in seconds for the canary deployment
 91 |   # to make progress before it is rollback (default 600s)
 92 |   progressDeadlineSeconds: 60
 93 |   # HPA reference (optional)
 94 |   autoscalerRef:
 95 |     apiVersion: autoscaling/v2beta1
 96 |     kind: HorizontalPodAutoscaler
 97 |     name: httpbin
 98 |   service:
 99 |     # service port number
100 |     port: 8000
101 |     # container port number or name (optional)
102 |     targetPort: 80
103 |     # Istio gateways (optional)
104 |     gateways:
105 |     - public-gateway.istio-system.svc.cluster.local
106 |   analysis:
107 |     # schedule interval (default 60s)
108 |     interval: 30s
109 |     # max number of failed metric checks before rollback
110 |     threshold: 5
111 |     # max traffic percentage routed to canary
112 |     # percentage (0-100)
113 |     maxWeight: 100
114 |     # canary increment step
115 |     # percentage (0-100)
116 |     stepWeight: 20
117 |     metrics:
118 |     - name: request-success-rate
119 |       # minimum req success rate (non 5xx responses)
120 |       # percentage (0-100)
121 |       thresholdRange:
122 |         min: 99
123 |       interval: 1m
124 |     - name: latency
125 |       templateRef:
126 |         name: latency
127 |         namespace: istio-system
128 |       # maximum req duration P99
129 |       # milliseconds
130 |       thresholdRange:
131 |         max: 500
132 |       interval: 30s
133 |     # testing (optional)
134 |     webhooks:
135 |       - name: load-test
136 |         url: http://flagger-loadtester.test/
137 |         timeout: 5s
138 |         metadata:
139 |           cmd: "hey -z 1m -q 10 -c 2 http://httpbin-canary.demo:8000/headers"
140 | 
141 | # 创建metric for 1.5
142 | k apply -f - <<EOF
143 | apiVersion: flagger.app/v1beta1
144 | kind: MetricTemplate
145 | metadata:
146 |   name: latency
147 |   namespace: istio-system
148 | spec:
149 |   provider:
150 |     type: prometheus
151 |     address: http://prometheus.istio-system:9090
152 |   query: |
153 |     histogram_quantile(
154 |         0.99,
155 |         sum(
156 |             rate(
157 |                 istio_request_duration_milliseconds_bucket{
158 |                     reporter="destination",
159 |                     destination_workload_namespace="{{ namespace }}",
160 |                     destination_workload=~"{{ target }}"
161 |                 }[{{ interval }}]
162 |             )
163 |         ) by (le)
164 |     )
165 | EOF
166 | 
167 | # 触发灰度, dep/configmap/secret 都会触发
168 | kubectl -n demo set image deployment/httpbin httpbin=httpbin-v2
169 | 
170 | #循环访问
171 | k exec -it -n demo pod/sleep-6bdb595bcb-bstrp -c sleep sh
172 | while [ 1 ]; do curl http://httpbin.demo:8000/headers;sleep 2s; done
173 | 
174 | # 开始后查看Virtual Service
175 | k describe vs httpbin -ndemo
176 | 


--------------------------------------------------------------------------------
/c4-3/auth.yaml:
--------------------------------------------------------------------------------
 1 | apiVersion: security.istio.io/v1beta1
 2 | kind: AuthorizationPolicy
 3 | metadata:
 4 |  name: httpbin
 5 |  namespace: demo
 6 | spec:
 7 |  action: ALLOW
 8 |  rules:
 9 |  - from:
10 |    - source:
11 |        principals: ["cluster.local/ns/testauth/sa/sleep"]
12 |    - source:
13 |        namespaces: ["demo"]
14 | 


--------------------------------------------------------------------------------
/c4-3/cb.yaml:
--------------------------------------------------------------------------------
 1 | apiVersion: networking.istio.io/v1alpha3
 2 | kind: DestinationRule
 3 | metadata:
 4 |   name: httpbin
 5 |   namespace: demo
 6 | spec:
 7 |   host: httpbin
 8 |   trafficPolicy:
 9 |     connectionPool:
10 |       tcp:
11 |         maxConnections: 1
12 |       http:
13 |         http1MaxPendingRequests: 1
14 |         maxRequestsPerConnection: 1
15 |       outlierDetection:
16 |         consecutiveErrors: 1
17 |         interval: 1s
18 |         baseEjectionTime: 3m
19 |         maxEjectionPercent: 100


--------------------------------------------------------------------------------
/c4-3/vs-normal.yaml:
--------------------------------------------------------------------------------
 1 | apiVersion: networking.istio.io/v1alpha3
 2 | kind: VirtualService
 3 | metadata:
 4 |   name: httpbin
 5 |   namespace: demo
 6 | spec:
 7 |   hosts:
 8 |   - "*"
 9 |   gateways:
10 |   - httpbin-gateway
11 |   http:
12 |   - route:
13 |     - destination:
14 |         host: httpbin
15 |         port:
16 |           number: 8000
17 | 


--------------------------------------------------------------------------------
/c4-3/vs-retry.yaml:
--------------------------------------------------------------------------------
 1 | apiVersion: networking.istio.io/v1alpha3
 2 | kind: VirtualService
 3 | metadata:
 4 |   name: httpbin
 5 |   namespace: demo
 6 | spec:
 7 |   hosts:
 8 |   - "*"
 9 |   gateways:
10 |   - httpbin-gateway
11 |   http:
12 |   - route:
13 |     - destination:
14 |         host: httpbin
15 |         port:
16 |           number: 8000
17 |     retry:
18 |       attempts: 3
19 |       perTryTimeout: 1s
20 |     timeout: 8s
21 | 
22 | 


--------------------------------------------------------------------------------
/c4-3/vs-timeout.yaml:
--------------------------------------------------------------------------------
 1 | apiVersion: networking.istio.io/v1alpha3
 2 | kind: VirtualService
 3 | metadata:
 4 |   name: httpbin
 5 |   namespace: demo
 6 | spec:
 7 |   hosts:
 8 |   - "*"
 9 |   gateways:
10 |   - httpbin-gateway
11 |   http:
12 |   - route:
13 |     - destination:
14 |         host: httpbin
15 |         port:
16 |           number: 8000
17 |     timeout: 1s
18 | 


--------------------------------------------------------------------------------
/c4-4/code.yaml:
--------------------------------------------------------------------------------
 1 | # 创建授权 - 特定服务，注意没有rule，表示deny当前服务
 2 | kubectl apply -f - <<EOF
 3 | apiVersion: security.istio.io/v1beta1
 4 | kind: AuthorizationPolicy
 5 | metadata:
 6 |   name: httpbin
 7 |   namespace: demo
 8 | spec:
 9 |   selector:
10 |     matchLabels:
11 |       app: httpbin
12 | EOF
13 | 
14 | #不通过：kubectl exec -it -n demo sleep-6bdb595bcb-wg6bc -c sleep -- curl "http://httpbin.demo:8000/get"
15 | #通过：kubectl exec -it -n demo sleep-6bdb595bcb-wg6bc -c sleep -- curl "http://httpbin-v2.demo:8000/get"
16 | 
17 | # 来源必须是demo ns
18 | apiVersion: security.istio.io/v1beta1
19 | kind: AuthorizationPolicy
20 | metadata:
21 |  name: httpbin
22 |  namespace: demo
23 | spec:
24 |  action: ALLOW
25 |  rules:
26 |  - from:
27 |    - source:
28 |        principals: ["cluster.local/ns/demo/sa/sleep"]
29 |    - source:
30 |        namespaces: ["demo"]
31 | 
32 | #通过：kubectl exec -it -n demo sleep-6bdb595bcb-wg6bc -c sleep -- curl "http://httpbin.demo:8000/get"
33 | #不通过： kubectl exec -it -n testauth sleep-57ddb67999-bwbkq -c sleep -- curl "http://httpbin.demo:8000/get"
34 | #修改service account 为testauth, 通过
35 | 
36 | 
37 | # 只容许特定接口
38 | kubectl apply -f - <<EOF
39 | apiVersion: security.istio.io/v1beta1
40 | kind: AuthorizationPolicy
41 | metadata:
42 |  name: httpbin
43 |  namespace: demo
44 | spec:
45 |  action: ALLOW
46 |  rules:
47 |  - from:
48 |    - source:
49 |        principals: ["cluster.local/ns/demo/sa/sleep"]
50 |    - source:
51 |        namespaces: ["demo"]
52 |    to:
53 |    - operation:
54 |        methods: ["GET"]
55 |        paths: ["/get"]
56 | EOF
57 | 
58 | #通过：kubectl exec -it -n demo sleep-6bdb595bcb-wg6bc -c sleep -- curl "http://httpbin.demo:8000/get"
59 | #不通： kubectl exec -it -n demo sleep-6bdb595bcb-wg6bc -c sleep -- curl "http://httpbin.demo:8000/ip"
60 | 
61 | 
62 | # 其他特定条件 - 请求头
63 | kubectl apply -f - <<EOF
64 | apiVersion: security.istio.io/v1beta1
65 | kind: AuthorizationPolicy
66 | metadata:
67 |  name: httpbin
68 |  namespace: demo
69 | spec:
70 |  action: ALLOW
71 |  rules:
72 |  - from:
73 |    - source:
74 |        principals: ["cluster.local/ns/demo/sa/sleep"]
75 |    - source:
76 |        namespaces: ["demo"]
77 |    to:
78 |    - operation:
79 |        methods: ["GET"]
80 |        paths: ["/get"]
81 |    when:
82 |    - key: request.headers[x-rfma-token]
83 |      values: ["test*"]
84 | EOF
85 | 
86 | #不通过：kubectl exec -it -n demo sleep-6bdb595bcb-wg6bc -c sleep -- curl "http://httpbin.demo:8000/get"
87 | #加token通过：kubectl exec -it -n demo sleep-6bdb595bcb-wg6bc -c sleep -- curl "http://httpbin.demo:8000/get" -H x-rfma-token:test1
88 | 


--------------------------------------------------------------------------------
/c4-5/configmap-v2.yaml:
--------------------------------------------------------------------------------
 1 | apiVersion: v1
 2 | kind: ConfigMap
 3 | metadata:
 4 |   name: prometheus-config
 5 |   namespace: monitoring
 6 | data:
 7 |   prometheus.yml: |-
 8 |     global:
 9 |       scrape_interval: 15s
10 |       scrape_timeout: 15s
11 |     scrape_configs:
12 |     - job_name: 'prometheus'
13 |       static_configs:
14 |       - targets: ['localhost:9090']
15 | 
16 |     - job_name: envoy-stats
17 |       honor_timestamps: true
18 |       metrics_path: /stats/prometheus
19 |       scheme: http
20 |       kubernetes_sd_configs:
21 |       - role: pod
22 |       relabel_configs:
23 |       - source_labels: [__meta_kubernetes_pod_container_port_name]
24 |         separator: ;
25 |         regex: .*-envoy-prom
26 |         replacement: $1
27 |         action: keep
28 |       - source_labels: [__address__, __meta_kubernetes_pod_annotation_prometheus_io_port]
29 |         separator: ;
30 |         regex: ([^:]+)(?::\d+)?;(\d+)
31 |         target_label: __address__
32 |         replacement: $1:15090
33 |         action: replace
34 |       - separator: ;
35 |         regex: __meta_kubernetes_pod_label_(.+)
36 |         replacement: $1
37 |         action: labeldrop
38 |       - source_labels: [__meta_kubernetes_namespace]
39 |         separator: ;
40 |         regex: (.*)
41 |         target_label: namespace
42 |         replacement: $1
43 |         action: replace
44 |       - source_labels: [__meta_kubernetes_pod_name]
45 |         separator: ;
46 |         regex: (.*)
47 |         target_label: pod_name
48 |         replacement: $1
49 |         action: replace  


--------------------------------------------------------------------------------
/c4-5/configmap.yaml:
--------------------------------------------------------------------------------
 1 | apiVersion: v1
 2 | kind: ConfigMap
 3 | metadata:
 4 |   name: prometheus-config
 5 |   namespace: monitoring
 6 | data:
 7 |   prometheus.yml: |
 8 |     global:
 9 |       scrape_interval: 15s
10 |       scrape_timeout: 15s
11 |     scrape_configs:
12 |     - job_name: 'prometheus'
13 |       static_configs:
14 |       - targets: ['localhost:9090']
15 | 


--------------------------------------------------------------------------------
/c4-5/deployment.yaml:
--------------------------------------------------------------------------------
 1 | apiVersion: extensions/v1beta1
 2 | kind: Deployment
 3 | metadata:
 4 |   name: prometheus
 5 |   namespace: monitoring
 6 |   labels:
 7 |     app: prometheus
 8 | spec:
 9 |   template:
10 |     metadata:
11 |       labels:
12 |         app: prometheus
13 |     spec:
14 |       serviceAccount: appmesh-prometheus
15 |       serviceAccountName: appmesh-prometheus
16 |       containers:
17 |       - image: prom/prometheus:v2.13.1
18 |         name: prometheus
19 |         command:
20 |         - "/bin/prometheus"
21 |         args:
22 |         - "--config.file=/etc/prometheus/prometheus.yml"
23 |         - "--storage.tsdb.path=/prometheus"
24 |         - "--storage.tsdb.retention=24h"
25 |         - "--web.enable-admin-api"  
26 |         - "--web.enable-lifecycle"  
27 |         ports:
28 |         - containerPort: 9090
29 |           protocol: TCP
30 |           name: http
31 |         volumeMounts:
32 |         - mountPath: /etc/prometheus
33 |           name: config-volume
34 |         - mountPath: /prometheus/data
35 |           name: data-volume
36 |         resources:
37 |           requests:
38 |             cpu: 100m
39 |             memory: 512Mi
40 |           limits:
41 |             cpu: 100m
42 |             memory: 512Mi
43 |       securityContext:
44 |         runAsUser: 0
45 |       volumes:
46 |       - configMap:
47 |           name: prometheus-config
48 |         name: config-volume
49 |       - emptyDir: {}
50 |         name: data-volume
51 | ---
52 | apiVersion: v1
53 | kind: Service
54 | metadata:
55 |   name: prometheus
56 |   namespace: monitoring
57 |   labels:
58 |     app: prometheus
59 | spec:
60 |   selector:
61 |     app: prometheus
62 |   type: NodePort
63 |   ports:
64 |     - name: web
65 |       port: 9090
66 |       targetPort: http
67 | 


--------------------------------------------------------------------------------
/c4-5/grafana-deploy.yaml:
--------------------------------------------------------------------------------
 1 | apiVersion: apps/v1
 2 | kind: Deployment
 3 | metadata:
 4 |   labels:
 5 |     app: grafana
 6 |   name: grafana
 7 |   namespace: monitoring
 8 | spec:
 9 |   replicas: 1
10 |   selector:
11 |     matchLabels:
12 |       app: grafana
13 |   template:
14 |     metadata:
15 |       labels:
16 |         app: grafana
17 |     spec:
18 |       containers:
19 |       - name: grafana
20 |         image: grafana/grafana:latest
21 |         imagePullPolicy: IfNotPresent
22 |         ports:
23 |         - containerPort: 3000
24 |           name: grafana
25 |         env:
26 |         - name: GRAFANA_PORT
27 |           value: "3000"
28 |         - name: GF_AUTH_BASIC_ENABLED
29 |           value: "false"
30 |         - name: GF_AUTH_ANONYMOUS_ENABLED
31 |           value: "true"
32 |         - name: GF_AUTH_ANONYMOUS_ORG_ROLE
33 |           value: Admin
34 |         resources:
35 |           limits:
36 |             cpu: 100m
37 |             memory: 256Mi
38 |           requests:
39 |             cpu: 100m
40 |             memory: 256Mi
41 |         volumeMounts:
42 |           - mountPath: /var/lib/grafana
43 |             name: grafana-storage
44 |       volumes:
45 |         - name: grafana-storage
46 |           emptyDir: {}
47 | ---
48 | apiVersion: v1
49 | kind: Service
50 | metadata:
51 |   name: grafana
52 |   namespace: monitoring
53 |   labels:
54 |     app: grafana
55 | spec:
56 |   selector:
57 |     app: grafana
58 |   type: NodePort
59 |   ports:
60 |     - name: http
61 |       port: 3000
62 |       targetPort: 3000
63 |       nodePort: 32000
64 | ---
65 | apiVersion: v1
66 | kind: ServiceAccount
67 | metadata:
68 |   name: grafana
69 |   namespace: monitoring


--------------------------------------------------------------------------------
/c4-6/deployment.yaml:
--------------------------------------------------------------------------------
 1 | kind: List
 2 | apiVersion: v1
 3 | items:
 4 | - apiVersion: apps/v1beta1
 5 |   kind: Deployment
 6 |   metadata:
 7 |     name: kibana
 8 |   spec:
 9 |     replicas: 1
10 |     template:
11 |       metadata:
12 |         name: kibana
13 |         labels:
14 |           app: kibana
15 |       spec:
16 |         containers:
17 |         - image: docker.elastic.co/kibana/kibana:6.4.0
18 |           name: kibana
19 |           env:
20 |           - name: ELASTICSEARCH_URL
21 |             value: "http://elasticsearch:9200"
22 |           ports:
23 |           - name: http
24 |             containerPort: 5601
25 | - apiVersion: v1
26 |   kind: Service
27 |   metadata:
28 |     name: kibana
29 |   spec:
30 |     type: NodePort
31 |     ports:
32 |     - name: http
33 |       port: 5601
34 |       targetPort: 5601 
35 |       nodePort: 32001
36 |     selector:
37 |       app: kibana            
38 | - apiVersion: apps/v1beta1
39 |   kind: Deployment
40 |   metadata:
41 |     name: elasticsearch
42 |   spec:
43 |     replicas: 1
44 |     template:
45 |       metadata:
46 |         name: elasticsearch
47 |         labels:
48 |           app: elasticsearch
49 |       spec:
50 |         containers:
51 |         - image: docker.elastic.co/elasticsearch/elasticsearch:6.4.0
52 |           name: elasticsearch
53 |           env:
54 |           - name: network.host
55 |             value: "_site_"
56 |           - name: node.name
57 |             value: "${HOSTNAME}"
58 |           - name: discovery.zen.ping.unicast.hosts
59 |             value: "${ELASTICSEARCH_NODEPORT_SERVICE_HOST}"
60 |           - name: cluster.name
61 |             value: "test-single"
62 |           - name: ES_JAVA_OPTS
63 |             value: "-Xms128m -Xmx128m"
64 |           volumeMounts:
65 |           - name: es-data
66 |             mountPath: /usr/share/elasticsearch/data
67 |         volumes:
68 |           - name: es-data
69 |             emptyDir: {}
70 | - apiVersion: v1
71 |   kind: Service
72 |   metadata: 
73 |     name: elasticsearch-nodeport
74 |   spec:
75 |     type: NodePort
76 |     ports:
77 |     - name: http
78 |       port: 9200
79 |       targetPort: 9200
80 |       nodePort: 32002
81 |     - name: tcp
82 |       port: 9300
83 |       targetPort: 9300
84 |       nodePort: 32003
85 |     selector:
86 |       app: elasticsearch
87 | - apiVersion: v1
88 |   kind: Service
89 |   metadata:
90 |     name: elasticsearch
91 |   spec:
92 |     clusterIP: None
93 |     ports:
94 |     - name: http
95 |       port: 9200
96 |     - name: tcp
97 |       port: 9300
98 |     selector:
99 |       app: elasticsearch


--------------------------------------------------------------------------------
/c4-6/filebeat.yaml:
--------------------------------------------------------------------------------
  1 | kind: List
  2 | apiVersion: v1
  3 | items:
  4 | - apiVersion: v1
  5 |   kind: ConfigMap
  6 |   metadata:
  7 |     name: filebeat-config
  8 |     labels:
  9 |       k8s-app: filebeat
 10 |       kubernetes.io/cluster-service: "true"
 11 |       app: filebeat-config
 12 |   data:
 13 |     filebeat.yml: |
 14 |       processors:
 15 |         - add_cloud_metadata:
 16 |       filebeat.modules:
 17 |       - module: system
 18 |       filebeat.inputs:
 19 |       - type: log
 20 |         paths:
 21 |           - /var/log/containers/*.log
 22 |         symlinks: true
 23 |       output.elasticsearch:
 24 |         hosts: ['elasticsearch:9200']
 25 |       logging.level: info        
 26 | - apiVersion: extensions/v1beta1
 27 |   kind: Deployment 
 28 |   metadata:
 29 |     name: filebeat
 30 |     labels:
 31 |       k8s-app: filebeat
 32 |       kubernetes.io/cluster-service: "true"
 33 |   spec:
 34 |     replicas: 1
 35 |     template:
 36 |       metadata:
 37 |         name: filebeat
 38 |         labels:
 39 |           app: filebeat
 40 |           k8s-app: filebeat
 41 |           kubernetes.io/cluster-service: "true"
 42 |       spec:
 43 |         containers:
 44 |         - image: docker.elastic.co/beats/filebeat:6.4.0
 45 |           name: filebeat
 46 |           args: [
 47 |             "-c", "/home/filebeat-config/filebeat.yml",
 48 |             "-e",
 49 |           ]
 50 |           securityContext:
 51 |             runAsUser: 0
 52 |           volumeMounts:
 53 |           - name: filebeat-storage
 54 |             mountPath: /var/log/containers
 55 |           - name: varlogpods
 56 |             mountPath: /var/log/pods
 57 |           - name: varlibdockercontainers
 58 |             mountPath: /var/lib/docker/containers
 59 |           - name: "filebeat-volume"
 60 |             mountPath: "/home/filebeat-config"
 61 |         volumes:
 62 |           - name: filebeat-storage
 63 |             hostPath:
 64 |               path: /var/log/containers
 65 |           - name: varlogpods
 66 |             hostPath:
 67 |               path: /var/log/pods
 68 |           - name: varlibdockercontainers
 69 |             hostPath:
 70 |               path: /var/lib/docker/containers
 71 |           - name: filebeat-volume
 72 |             configMap:
 73 |               name: filebeat-config
 74 | - apiVersion: rbac.authorization.k8s.io/v1beta1
 75 |   kind: ClusterRoleBinding
 76 |   metadata:
 77 |     name: filebeat
 78 |   subjects:
 79 |   - kind: ServiceAccount
 80 |     name: filebeat
 81 |     namespace: elk
 82 |   roleRef:
 83 |     kind: ClusterRole
 84 |     name: filebeat
 85 |     apiGroup: rbac.authorization.k8s.io
 86 | - apiVersion: rbac.authorization.k8s.io/v1beta1
 87 |   kind: ClusterRole
 88 |   metadata:
 89 |     name: filebeat
 90 |     labels:
 91 |       k8s-app: filebeat
 92 |   rules:
 93 |   - apiGroups: [""] # "" indicates the core API group
 94 |     resources:
 95 |     - namespaces
 96 |     - pods
 97 |     verbs:
 98 |     - get
 99 |     - watch
100 |     - list
101 | - apiVersion: v1
102 |   kind: ServiceAccount
103 |   metadata:
104 |     name: filebeat
105 |     namespace: elk
106 |     labels:
107 |       k8s-app: filebeat


--------------------------------------------------------------------------------
/c4-7/code.txt:
--------------------------------------------------------------------------------
 1 | 执行清单
 2 | 
 3 | # clone repo
 4 | https://github.com/jaegertracing/jaeger-operator.git
 5 | 
 6 | # 修改watch namespace 为空
 7 | WATCH_NAMESPACE = 
 8 | 
 9 | # install crd
10 | kubectl create -f https://raw.githubusercontent.com/jaegertracing/jaeger-operator/master/deploy/crds/jaegertracing.io_jaegers_crd.yaml
11 | 
12 | # 创建 ns
13 | k create ns observability
14 | 
15 | # 1. install operator
16 | kubectl create -n observability -f https://raw.githubusercontent.com/jaegertracing/jaeger-operator/master/deploy/service_account.yaml
17 | kubectl create -n observability -f https://raw.githubusercontent.com/jaegertracing/jaeger-operator/master/deploy/role.yaml
18 | kubectl create -n observability -f https://raw.githubusercontent.com/jaegertracing/jaeger-operator/master/deploy/role_binding.yaml
19 | kubectl create -n observability -f https://raw.githubusercontent.com/jaegertracing/jaeger-operator/master/deploy/operator.yaml
20 | # install cluster role
21 | kubectl create -f https://raw.githubusercontent.com/jaegertracing/jaeger-operator/master/deploy/cluster_role.yaml
22 | kubectl create -f https://raw.githubusercontent.com/jaegertracing/jaeger-operator/master/deploy/cluster_role_binding.yaml
23 | 
24 | # apply jaeger
25 | k apply -f examples/simplest.yaml -n observability
26 | 
27 | # 2. 集成istio
28 | # --set values.global.tracer.zipkin.address=<jaeger-collector-service>.<jaeger-collector-namespace>:9411
29 | istioctl manifest apply \
30 | --set values.global.tracer.zipkin.address=simplest-collector.observability:9411 \
31 | --set values.tracing.ingress.enabled=true \
32 | --set values.pilot.traceSampling=100
33 | 
34 | 重启pod
35 | 
36 | #添加注入agent
37 | sidecar.jaegertracing.io/inject: "true"
38 | 
39 | kubectl patch deployment productpage-v1 -p "{\"spec\":{\"template\":{\"metadata\":{\"labels\":{\"date\":\"`date +'%s'`\"}}}}}"


--------------------------------------------------------------------------------
/第一章 理论篇.pdf:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/malphi/geektime-servicemesh/221a6ef100c25a05c7ddfbe6209c3f56510c8fce/第一章 理论篇.pdf


--------------------------------------------------------------------------------
/第三章 实验篇-安全.pdf:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/malphi/geektime-servicemesh/221a6ef100c25a05c7ddfbe6209c3f56510c8fce/第三章 实验篇-安全.pdf


--------------------------------------------------------------------------------
/第三章 实验篇-流量控制.pdf:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/malphi/geektime-servicemesh/221a6ef100c25a05c7ddfbe6209c3f56510c8fce/第三章 实验篇-流量控制.pdf


--------------------------------------------------------------------------------
/第三章-可观察性.pdf:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/malphi/geektime-servicemesh/221a6ef100c25a05c7ddfbe6209c3f56510c8fce/第三章-可观察性.pdf


--------------------------------------------------------------------------------
/第二章 Istio入门篇.pdf:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/malphi/geektime-servicemesh/221a6ef100c25a05c7ddfbe6209c3f56510c8fce/第二章 Istio入门篇.pdf


--------------------------------------------------------------------------------
/第四章 实战篇-项目准备及构建过程.pdf:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/malphi/geektime-servicemesh/221a6ef100c25a05c7ddfbe6209c3f56510c8fce/第四章 实战篇-项目准备及构建过程.pdf


--------------------------------------------------------------------------------
/第四章 实战篇.pdf:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/malphi/geektime-servicemesh/221a6ef100c25a05c7ddfbe6209c3f56510c8fce/第四章 实战篇.pdf


--------------------------------------------------------------------------------