├── Envoy └── istio-proxy-configs │ └── README.adoc ├── README.adoc ├── Scenario-0-Deploy-In-ServiceMesh ├── README.adoc ├── hello-openshift │ ├── add-hello-openshift-gw-vs-for-http.sh │ └── deploy-hello-openshift.sh ├── httpbin-namespace.yaml └── travel-agency │ └── 0-initial-service-mesh-config.yaml ├── Scenario-2-Split-Istio-Configs-By-Namespace ├── README.adoc ├── graphs │ ├── travel-app-external-graph.png │ ├── travel-app-graph.png │ └── travel-workload-graph.png ├── sidecar-all-mesh.yaml ├── sidecar-override-travel-namespaces.yaml ├── smcp-2.0.yaml └── smmr.yaml ├── Scenario-3-Apply-WASM-Extension ├── README.adoc ├── sm-extension.yaml ├── smcp-2.0.yaml └── smmr.yaml ├── Scenario-4-Cross-Cluster-Traffic-Management ├── README.adoc ├── create-greeting-client.sh ├── create-greeting-remote-service.sh ├── create-healthcheck-503-service.sh ├── create-smcp-smmr-2.0-sc-4b.sh ├── create-smcp-smmr-2.1.sh ├── images │ ├── 4a-envoyfilter-hc-scenario │ │ ├── Lab-2-Failover-Custom-HC-State-1.png │ │ ├── Lab-2-Failover-Custom-HC-State-2.png │ │ ├── Lab-2-Failover-Custom-HC-State-3.png │ │ └── Lab-2-Failover-Custom-HC-State-Sequence.png │ ├── 4b-multiple-gw-scenario │ │ └── Lab-3-Additional-GW-Bypass-Custom-HC.png │ └── basic-scenario │ │ ├── Lab-1-CU-BCU-Failover-State-1.png │ │ ├── Lab-1-CU-BCU-Failover-State-2.png │ │ ├── Lab-1-CU-BCU-Failover-State-3.png │ │ └── Lab-1-CU-BCU-Failover-State-Sequence.png ├── smcp-2.0.yaml ├── smmr-greetings-client.yaml ├── smmr-greetings-service.yaml └── sub-scenarios │ ├── 4a-fault-detection-via-EnvoyFilter │ ├── additional-sm-hc-and-outlier-detection-on-greeting-remote-from-gw.sh │ ├── additional-sm-hc-uri-set-200-success.sh │ ├── additional-sm-hc-uri-set-503-fail.sh │ ├── istio-envoy-filter-status-check-cluster.yaml │ ├── istio-envoy-filter-status-check.yaml │ └── rest-greeting-remote-503-outlier-detection-dr.yaml │ └── 4b-multiple-gateways-different-health-behavior │ └── additional-smcp-gw-vs-to-bypass-hc.sh ├── Scenario-6-EnvoyFilters 
├── README.adoc └── remove-headers.adoc ├── Scenario-Arch-1-ServiceMesh-Separations └── README.adoc ├── Scenario-D1-Offline-Deployments └── README.adoc ├── Scenario-MTLS-1-External-Request-Per-Service-Cert ├── README.adoc ├── create-certs-secured-gw-vs-route-for-cert-manager-user-case.sh └── create-sm-for-cert-manager-use-case.sh ├── Scenario-MTLS-2-Internal-SM-MTLS └── README.adoc ├── Scenario-MTLS-3-SM-Service-To-External-MTLS-Handling ├── README-OSSM-AT-THE-EDGE-CONFIGS.adoc ├── README.adoc ├── create-greeting-client-1a-unencrypted-permissive-with-build.sh ├── create-greeting-client-1a-unencrypted-permissive.sh ├── create-greeting-client-1a.sh ├── create-greeting-client-1b-encrypted-APP-NAMESPACE.sh ├── create-greeting-client-1b-encrypted-with-build.sh ├── create-greeting-client-1b-encrypted.sh ├── create-greeting-client-service-1b-egress-unencrypted.sh ├── create-greeting-service-1a-with-build.sh ├── create-greeting-service-1a.sh ├── create-smcp-2.1.1-registry_only-strict-mtls.sh ├── images │ ├── 1-allow-any-passthroughcluster.png │ ├── 2-prometheus-passthroughcluster-greeting-remote-service-metrics.png │ ├── 3-REGISTRY_ONLY_Blackhole_Blocking.png │ ├── 4-apply-SE-REGISTRY_ONLY.png │ ├── 5-STRICT-mTLS-Fails-External.png │ ├── 6-STRICT-mTLS-DISABLE-FOR-External.png │ ├── 7-A-GW-IN.png │ ├── 7-ISTIO-CONFIG-MTLS-SIDECAR.png │ ├── 7-client-side.png │ ├── 7-service-side.png │ ├── 7B-IN-VS.png │ ├── 7C-OUT-SE.png │ ├── 7D-OUT-DR.png │ ├── 7E-OUT-VS.png │ ├── incoming-non-mesh-non-mtls.png │ ├── option-1a-mtls-3-in-mesh-svc-to-external-via-sidecar-with-mtls.png │ ├── option-1b-mtls-3-in-mesh-svc-to-external-via-egress-gateway-NO-mtls.png │ ├── option-1b-mtls-3-in-mesh-svc-to-external-via-egress-gateway-with-mtls.png │ ├── spec.proxy.networking.trafficControl.policy.allow_any.png │ ├── spec.proxy.networking.trafficControl.policy.registry_only.png │ └── spec.proxy.networking.trafficControl.policy.registry_only.with_serviceentry.png ├── 
smcp-2.1.1-allow_any-auto-mtls.yaml ├── smcp-2.1.1-registry_only-auto-mtls.yaml ├── smcp-2.1.1-registry_only-strict-mtls.yaml ├── test-greeting-client-allow-any.sh └── test-greeting-client-non-mesh.sh ├── Scenario-MTLS-4-Turn-Off-MTLS ├── README.adoc ├── images │ ├── all-but-details-with-mtls.png │ ├── error-without-peerauthentication-disable.png │ └── no-security-applied.png └── test-ssl-handshakes.sh ├── Scenario-Observability-Scenarios ├── README.adoc ├── images │ ├── SM-TRACE-Arch-Options.png │ └── istio-jaeger-production.png ├── jaeger-daemonset.yaml ├── jaeger-production-elastic.yaml ├── jaeger-small-production-elastic.yaml ├── smcp-2.1.1-external-jaeger-daemonset-resource.yaml └── smcp-2.1.1-external-jaeger-production-resource.yaml ├── Scenario-Platform-1-Federation ├── 0-execute-federation-setup-AWS-GCP-LB.sh ├── 0-execute-federation-setup-AWS-LB.sh ├── 0-operator-subscription.yaml ├── 0-setup-ocp-login-vars.sh ├── README.adoc ├── add-operators-subscriptions-sm.sh └── images │ └── east-west-sides.png ├── Scenario-Platform-Sizing └── README.adoc ├── Scenario-RBAC-1-SA-On-Workloads-Resources-Restrictions ├── README.adoc ├── deny_all_greeting_client_ns.yaml ├── sc1b-deny_sa-based_greeting_client_ns.yaml └── smcp-2.1.yaml ├── Scenarios-Arch-2-ServiceMesh-Observability └── README.adoc ├── coded-services ├── quarkus-opentracing │ ├── .dockerignore │ ├── .gitignore │ ├── .mvn │ │ └── wrapper │ │ │ ├── MavenWrapperDownloader.java │ │ │ ├── maven-wrapper.jar │ │ │ └── maven-wrapper.properties │ ├── ISTIO-YAML │ │ ├── create-quarkus-opentracing-jaeger-daemonset.sh │ │ ├── create-quarkus-opentracing-jaeger-sidecar.sh │ │ └── hello-traced-quarkus-deployment-with-sidecar.yaml │ ├── README.md │ ├── create-quarkus-opentracing-docker-image.sh │ ├── mvnw │ ├── mvnw.cmd │ ├── pom.xml │ └── src │ │ ├── main │ │ ├── docker │ │ │ ├── Dockerfile.jvm │ │ │ ├── Dockerfile.legacy-jar │ │ │ ├── Dockerfile.native │ │ │ └── Dockerfile.native-distroless │ │ ├── java │ │ │ └── org │ │ │ 
│ └── acme │ │ │ │ └── opentracing │ │ │ │ ├── FrancophoneService.java │ │ │ │ ├── ResourceClient.java │ │ │ │ └── TracedResource.java │ │ └── resources │ │ │ ├── META-INF │ │ │ └── resources │ │ │ │ └── index.html │ │ │ └── application.properties │ │ └── test │ │ └── java │ │ └── org │ │ └── acme │ │ └── opentracing │ │ ├── NativeTracedResourceIT.java │ │ └── TracedResourceTest.java ├── quarkus-rest-503 │ ├── .dockerignore │ ├── .gitignore │ ├── ISTIO-YAML │ │ ├── istio-envoy-filter-status-check-cluster.yaml │ │ ├── istio-envoy-filter-status-check.yaml │ │ ├── istio-hello.remote-route.yaml │ │ ├── istio-status-check-gateway-vs.yaml │ │ ├── quarkus-rest-503-outlier-detection-dr.yaml │ │ └── rest-greeting-remote-503-outlier-detection-dr.yaml │ ├── README.md │ ├── mvnw │ ├── mvnw.cmd │ ├── pom.xml │ └── src │ │ ├── main │ │ ├── docker │ │ │ ├── Dockerfile.jvm │ │ │ ├── Dockerfile.legacy-jar │ │ │ ├── Dockerfile.native │ │ │ └── Dockerfile.native-distroless │ │ ├── java │ │ │ └── org │ │ │ │ └── acme │ │ │ │ └── getting │ │ │ │ └── started │ │ │ │ └── GreetingResource.java │ │ └── resources │ │ │ ├── META-INF │ │ │ └── resources │ │ │ │ └── index.html │ │ │ └── application.properties │ │ └── test │ │ └── java │ │ └── org │ │ └── acme │ │ └── getting │ │ └── started │ │ ├── GreetingResourceTest.java │ │ └── NativeGreetingResourceIT.java ├── quarkus-rest-client-greeting │ ├── .dockerignore │ ├── .gitignore │ ├── .mvn │ │ └── wrapper │ │ │ ├── MavenWrapperDownloader.java │ │ │ ├── maven-wrapper.jar │ │ │ └── maven-wrapper.properties │ ├── ISTIO-YAML │ │ ├── RETEST-REMOTE-FAILOVER.yaml │ │ ├── RETEST-REMOTE-loadBalancer.yaml │ │ ├── istio-hello-client-gateway.yaml │ │ ├── test-DR-Target-Subset.yaml │ │ ├── test-GW.yaml │ │ ├── test-SE.yaml │ │ └── test-VS.yaml │ ├── README.md │ ├── mvnw │ ├── mvnw.cmd │ ├── pom.xml │ └── src │ │ ├── main │ │ ├── docker │ │ │ ├── Dockerfile.jvm │ │ │ ├── Dockerfile.legacy-jar │ │ │ ├── Dockerfile.native │ │ │ └── 
Dockerfile.native-distroless │ │ ├── java │ │ │ └── org │ │ │ │ └── acme │ │ │ │ └── rest │ │ │ │ └── client │ │ │ │ ├── CountriesResource.java │ │ │ │ ├── CountriesService.java │ │ │ │ ├── Country.java │ │ │ │ ├── GreetingsResource.java │ │ │ │ └── GreetingsService.java │ │ └── resources │ │ │ └── application.properties │ │ └── test │ │ └── java │ │ └── org │ │ └── acme │ │ └── rest │ │ └── client │ │ ├── CountriesResourceIT.java │ │ └── CountriesResourceTest.java └── quarkus-rest-greeting-remote │ ├── .dockerignore │ ├── .gitignore │ ├── .mvn │ └── wrapper │ │ ├── MavenWrapperDownloader.java │ │ ├── maven-wrapper.jar │ │ └── maven-wrapper.properties │ ├── .s2i │ └── environment │ ├── ISTIO-YAML │ ├── istio-hello.remote-route.yaml │ └── istio-helloworld-gateway.yaml │ ├── README.md │ ├── mvnw │ ├── mvnw.cmd │ ├── pom.xml │ └── src │ ├── main │ ├── docker │ │ ├── Dockerfile.jvm │ │ ├── Dockerfile.legacy-jar │ │ ├── Dockerfile.native │ │ └── Dockerfile.native-distroless │ ├── java │ │ └── org │ │ │ └── acme │ │ │ └── getting │ │ │ └── started │ │ │ ├── GreetingResource.java │ │ │ ├── GreetingService.java │ │ │ ├── StatusResource.java │ │ │ └── StatusSetResource.java │ └── resources │ │ ├── META-INF │ │ └── resources │ │ │ └── index.html │ │ └── application.properties │ └── test │ └── java │ └── org │ └── acme │ └── getting │ └── started │ ├── GreetingResourceTest.java │ └── NativeGreetingResourceIT.java └── scripts ├── add-operators-subscriptions-sm-2.1-MANUAL.sh ├── add-operators-subscriptions-sm-2.1.1-MANUAL.sh ├── add-operators-subscriptions-sm-2.1.1.sh ├── add-operators-subscriptions-sm-2.1.sh ├── add-operators-subscriptions-sm.sh ├── certs ├── README.adoc ├── add-configure-certs-manager.sh ├── app-default.conf ├── certs-manager-self-signed-issuer.yaml ├── create-app-csr-certs-keys.sh ├── create-ca-root-certs-keys.sh └── create-client-certs-keys.sh └── create-membership.sh /Envoy/istio-proxy-configs/README.adoc: 
-------------------------------------------------------------------------------- 1 | = How to Configure the `istio-proxy` 2 | :toc: 3 | 4 | == Configure via annotations 5 | 6 | === link:https://istio.io/latest/docs/reference/config/annotations/[proxy.istio.io/config] in a `Deployment` 7 | 8 | * link:https://istio.io/latest/docs/reference/config/annotations/[proxy.istio.io/config] overrides the proxy configuration for this specific proxy. Available options can be found at https://istio.io/docs/reference/config/istio.mesh.v1alpha1/#ProxyConfig 9 | 10 | ---- 11 | template: 12 | metadata: 13 | annotations: 14 | readiness.status.sidecar.istio.io/applicationPorts: "" 15 | proxy.istio.io/config: | 16 | tracing: <1> 17 | zipkin: <2> 18 | address: zipkin.istio-system:9411 <3> 19 | sampling: 10 <4> 20 | custom_tags: <5> 21 | http.header.portal: 22 | header: 23 | name: portal 24 | http.header.device: 25 | header: 26 | name: device 27 | http.header.user: 28 | header: 29 | name: user 30 | http.header.travel: 31 | header: 32 | name: travel 33 | ---- 34 | 35 | <1> Modify the `istio-proxy` tracing configuration (see link:https://istio.io/latest/docs/reference/config/istio.mesh.v1alpha1/#Tracing[Tracing] for the configuration options) 36 | <2> Utilize the `zipkin` client 37 | <3> link:https://istio.io/latest/docs/reference/config/istio.mesh.v1alpha1/#Tracing-Zipkin[Address configuration] 38 | <4> Tracing sample rate (10% of requests) 39 | <5> Copies the value of each listed request header (`portal`, `device`, `user`, `travel`) into every sampled span, so those values are stored in the tracing backend. Only tag headers that carry no credentials or personal data; never list headers such as `authorization` or `cookie` here. 40 | === Annotations for Envoy Resource CPU/Limits 41 | 42 | See link:https://access.redhat.com/documentation/en-us/openshift_container_platform/4.9/html-single/service_mesh#ossm-migrating-differences-annotation_ossm-upgrade[Annotation Changes in 2.x upgrade] 43 | 44 | * `sidecar.istio.io/proxyCPULimit` (replacing `sidecar.maistra.io/proxyCPULimit`) 45 | * `sidecar.istio.io/proxyMemoryLimit` (replacing `sidecar.maistra.io/proxyMemoryLimit`) 46 | 47 | === Annotations on address/ports 48 | 49 | See 
link:https://access.redhat.com/documentation/en-us/openshift_container_platform/4.9/html-single/service_mesh#ossm-migrating-differences-annotation_ossm-upgrade[Annotation Changes in 2.x upgrade] 50 | 51 | * `sidecar.istio.io/discoveryAddress` (*_is no longer supported_*) 52 | * The default 'discovery address' has moved from `pilot.<namespace>.svc:15010` (or port `15011`, if `mtls` is enabled) to `istiod-<smcp-name>.<namespace>.svc:15012`. 53 | * The 'health status port' is no longer configurable and is hard-coded to `15021`. If a workload overrides the status port (for example via `status.sidecar.istio.io/port`), remove the override before moving the workload to a v2.0 control plane. Readiness checks can still be disabled by setting the status port to `0`, but do so deliberately: the pod's readiness then no longer reflects whether its sidecar is ready. 54 | 55 | === Annotations around Health Probes 56 | 57 | * `sidecar.istio.io/rewriteAppHTTPProbers: "true"|"false"`: For `httpGet` probes, either set the annotation `sidecar.istio.io/rewriteAppHTTPProbers: "true"` on your Deployments/DeploymentConfigs, or expose the probe on a dedicated port that Envoy does not capture. If neither is done, `istio-proxy` treats the kubelet's plaintext probe requests as ordinary inbound traffic to the upstream host and, once mTLS is enforced, rejects them, which breaks the probes. When the annotation is present the probes are rewritten and handled by Envoy, so the issue disappears and the probes work (see: link:https://access.redhat.com/solutions/6736921[After encrypting (mTLS ) a ServiceMesh control plane applications Liveness health check does not work ]) 58 | * Note that the upstream Istio page link:https://istio.io/latest/docs/ops/configuration/mesh/app-health-check/[Health Checking of Istio Services] describes the default the other way round; confirm which behaviour your OSSM version applies before relying on it. 59 | 60 | === Annotation to allow non-mesh Route Access to services 61 | 62 | * `maistra.io/expose-route: "true"`: It is possible to use an OCP Route from a non-mesh service on OCP Service Mesh. 
To do that, it is necessary to label the deployment with `maistra.io/expose-route: "true"` (see: link:https://access.redhat.com/solutions/6707431[Is it possible to use the OpenShift Container Platform routes from non-mesh services in a service mesh enlisted namespace? ]). Be aware that requests arriving through such a Route come from the OpenShift router, not from the mesh ingress gateway, so `Gateway`/`VirtualService` routing and any policy applied at the gateway do not cover them; check how this interacts with a STRICT `PeerAuthentication` in the namespace before enabling it. 63 | 64 | 65 | 66 | == Configure via `ServiceMeshControlPlane` 67 | -------------------------------------------------------------------------------- /README.adoc: -------------------------------------------------------------------------------- 1 | = Purpose 2 | 3 | `Service Mesh` scenario configurations 4 | 5 | == Application Driven Capabilities on the `Service Mesh` 6 | * link:./Scenario-1-Service-And-Weight-Splitting/README.adoc[Traffic Management - Cross-Cluster Mesh Services] 7 | * link:./Scenario-2-Split-Istio-Configs-By-Namespace/README.adoc[Configuration/Visibility Split Per Namespace] 8 | * link:./Scenario-3-Apply-WASM-Extension/README.adoc[Apply WASM Extension] 9 | * link:./Scenario-4-Cross-Cluster-Traffic-Management/README.adoc[Traffic Management - Cross-Cluster (non-Federated) Mesh Services] 10 | * link:./Scenario-6-EnvoyFilters/README.adoc[Envoy Filter Implementation Examples] 11 | 12 | == `Service Mesh` Platform Architectures 13 | * External storage of metrics (ES, Jaeger etc.) 
14 | * *TODO:* [Observability Architectures] 15 | * link:[Service Mesh Topology Architectures] 16 | * *TODO:* [Sizing Control Plane & Data Plane] 17 | * Performance Testing/Tuning 18 | * link:Scenario-Platform-1-Federation/[Federation Demo Auto Setup] 19 | 20 | == `Service Mesh` Security 21 | * Authentication/Authorisation 22 | * link:./Scenario-RBAC-1-SA-On-Workloads-Resources-Restrictions/README.adoc[RBAC Scenarios] 23 | * link:./Scenario-MTLS-1-External-Request-Per-Service-Cert/README.adoc[Securing Ingress Traffic to Deployments in the ServiceMesh with TLS] 24 | * link:./Scenario-MTLS-2-Internal-SM-MTLS/README.adoc[Securing inter-deployment in the ServiceMesh with TLS] 25 | * *New* link:./Scenario-MTLS-3-SM-Service-To-External-MTLS-Handling/README.adoc[Securing ServiceMesh egress traffic to external services with TLS] 26 | * link:./Scenario-MTLS-4-Turn-Off-MTLS/README.adoc[How to exclude a single Service from mTLS handshakes] 27 | 28 | == `Envoy` Modifications & Capabilities 29 | 30 | * link:./Envoy/istio-proxy-configs[Configure] `istio-proxy` 31 | 32 | == `Service Mesh` Deployment Scenarios 33 | * *TODO:* link:./Scenario-D1-Offline-Deployments/README.adoc[Disconnected Environment Deployments] 34 | 35 | 36 | == `Service Mesh` DAY-2 Operation Scenarios 37 | * link:https://github.com/skoussou/openshift-service-mesh-application-troubleshooting[Troubleshooting Applications in the Service Mesh] 38 | * *TODO:* link:./Scenario-Observability-Scenarios/README.adoc[Observability Scenarios] 39 | 40 | 41 | -------------------------------------------------------------------------------- /Scenario-0-Deploy-In-ServiceMesh/hello-openshift/add-hello-openshift-gw-vs-for-http.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | 3 | NAMESPACE=$1 4 | 5 | echo '-------------------------------------------------------------------------' 6 | echo 'hello-openshift deployed in namespace : '$NAMESPACE 7 | echo 
'-------------------------------------------------------------------------' 8 | 9 | 10 | echo "################# Gateway - hello-openshift-gateway [$NAMESPACE] #################" 11 | 12 | echo "apiVersion: networking.istio.io/v1alpha3 13 | kind: Gateway 14 | metadata: 15 | name: hello-openshift-gateway 16 | spec: 17 | selector: 18 | istio: ingressgateway 19 | servers: 20 | - port: 21 | number: 80 22 | name: hello-openshift 23 | protocol: HTTP 24 | hosts: 25 | - '*'" | oc apply -n $NAMESPACE -f - 26 | 27 | 28 | 29 | echo "################# VirtualService - hello-openshift [$NAMESPACE] #################" 30 | echo "apiVersion: networking.istio.io/v1beta1 31 | kind: VirtualService 32 | metadata: 33 | name: hello-openshift 34 | spec: 35 | gateways: 36 | - hello-openshift-gateway 37 | hosts: 38 | - '*' 39 | http: 40 | - match: 41 | - uri: 42 | exact: / 43 | route: 44 | - destination: 45 | host: hello-openshift 46 | port: 47 | number: 8080" | oc apply -n $NAMESPACE -f - 48 | -------------------------------------------------------------------------------- /Scenario-0-Deploy-In-ServiceMesh/hello-openshift/deploy-hello-openshift.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | 3 | NAMESPACE=$1 4 | ISTIO_NAMESPACE=$2 5 | 6 | echo '-------------------------------------------------------------------------' 7 | echo 'hello-openshift deployed in namespace : '$NAMESPACE 8 | echo 'istio namespace : '$ISTIO_NAMESPACE 9 | echo '-------------------------------------------------------------------------' 10 | 11 | echo "################# Deployment - hello-openshift [$NAMESPACE] #################" 12 | echo "apiVersion: apps/v1 13 | kind: Deployment 14 | metadata: 15 | name: hello-openshift 16 | labels: 17 | app: hello-openshift 18 | version: 1.0.0 19 | spec: 20 | replicas: 1 21 | selector: 22 | matchLabels: 23 | app: hello-openshift 24 | template: 25 | metadata: 26 | annotations: 27 | sidecar.istio.io/inject: 'true' 28 | labels: 
29 | app: hello-openshift 30 | version: 1.0.0 31 | spec: 32 | containers: 33 | - name: hello-openshift 34 | image: openshift/hello-openshift:latest 35 | ports: 36 | - containerPort: 8080 37 | protocol: TCP 38 | - containerPort: 8888 39 | protocol: TCP" | oc apply -n $NAMESPACE -f - 40 | 41 | echo "################# Service - hello-openshift [$NAMESPACE] #################" 42 | echo "apiVersion: v1 43 | kind: Service 44 | metadata: 45 | name: hello-openshift 46 | labels: 47 | app: hello-openshift 48 | app.kubernetes.io/name: hello-openshift 49 | version: 1.0.0 50 | spec: 51 | ports: 52 | - name: 8080-tcp 53 | protocol: TCP 54 | port: 8080 55 | targetPort: 8080 56 | - name: 8888-tcp 57 | protocol: TCP 58 | port: 8888 59 | targetPort: 8888 60 | selector: 61 | app: hello-openshift" | oc apply -n $NAMESPACE -f - 62 | 63 | echo "################# Route - hello-openshift [$ISTIO_NAMESPACE] #################" 64 | echo "kind: Route 65 | apiVersion: route.openshift.io/v1 66 | metadata: 67 | name: hello-openshift 68 | spec: 69 | host: hello.openshift.com 70 | to: 71 | kind: Service 72 | name: istio-ingressgateway 73 | weight: 100 74 | port: 75 | targetPort: http 76 | wildcardPolicy: None" | oc apply -n $ISTIO_NAMESPACE -f - 77 | -------------------------------------------------------------------------------- /Scenario-0-Deploy-In-ServiceMesh/httpbin-namespace.yaml: -------------------------------------------------------------------------------- 1 | kind: Namespace 2 | apiVersion: v1 3 | metadata: 4 | name: httpbin 5 | labels: 6 | name: httpbin 7 | -------------------------------------------------------------------------------- /Scenario-0-Deploy-In-ServiceMesh/travel-agency/0-initial-service-mesh-config.yaml: -------------------------------------------------------------------------------- 1 | kind: Gateway 2 | apiVersion: networking.istio.io/v1alpha3 3 | metadata: 4 | name: control-gateway 5 | namespace: travel-control 6 | spec: 7 | servers: 8 | - hosts: 9 | - >- 10 | 
istio-ingressgateway-istio-wasm-poc.apps.cluster-6tzwm.6tzwm.sandbox256.opentlc.com 11 | port: 12 | name: http 13 | number: 80 14 | protocol: HTTP 15 | selector: 16 | istio: ingressgateway 17 | --- 18 | kind: VirtualService 19 | apiVersion: networking.istio.io/v1alpha3 20 | metadata: 21 | name: control 22 | namespace: travel-control 23 | spec: 24 | hosts: 25 | - >- 26 | istio-ingressgateway-istio-wasm-poc.apps.cluster-6tzwm.6tzwm.sandbox256.opentlc.com 27 | gateways: 28 | - travel-control/control-gateway 29 | http: 30 | - route: 31 | - destination: 32 | host: control.travel-control.svc.cluster.local 33 | subset: v1 34 | weight: 100 35 | --- 36 | kind: DestinationRule 37 | apiVersion: networking.istio.io/v1alpha3 38 | metadata: 39 | name: control 40 | namespace: travel-control 41 | spec: 42 | host: control.travel-control.svc.cluster.local 43 | subsets: 44 | - labels: 45 | version: v1 46 | name: v1 47 | -------------------------------------------------------------------------------- /Scenario-2-Split-Istio-Configs-By-Namespace/graphs/travel-app-external-graph.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/skoussou/servicemesh-playground/f55dd15cdeb8b770e53e44d3982a9caf934cfd6e/Scenario-2-Split-Istio-Configs-By-Namespace/graphs/travel-app-external-graph.png -------------------------------------------------------------------------------- /Scenario-2-Split-Istio-Configs-By-Namespace/graphs/travel-app-graph.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/skoussou/servicemesh-playground/f55dd15cdeb8b770e53e44d3982a9caf934cfd6e/Scenario-2-Split-Istio-Configs-By-Namespace/graphs/travel-app-graph.png -------------------------------------------------------------------------------- /Scenario-2-Split-Istio-Configs-By-Namespace/graphs/travel-workload-graph.png: 
-------------------------------------------------------------------------------- https://raw.githubusercontent.com/skoussou/servicemesh-playground/f55dd15cdeb8b770e53e44d3982a9caf934cfd6e/Scenario-2-Split-Istio-Configs-By-Namespace/graphs/travel-workload-graph.png -------------------------------------------------------------------------------- /Scenario-2-Split-Istio-Configs-By-Namespace/sidecar-all-mesh.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: networking.istio.io/v1alpha3 2 | kind: Sidecar 3 | metadata: 4 | name: default 5 | namespace: istio-system-tenant-2 6 | spec: 7 | egress: 8 | - hosts: 9 | - "./*" 10 | - "istio-system-tenant-2/*" 11 | -------------------------------------------------------------------------------- /Scenario-2-Split-Istio-Configs-By-Namespace/sidecar-override-travel-namespaces.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: networking.istio.io/v1alpha3 2 | kind: Sidecar 3 | metadata: 4 | name: override 5 | spec: 6 | egress: 7 | - hosts: 8 | - "./*" 9 | - "istio-system-tenant-2/*" 10 | - "travel-control/*" 11 | - "travel-portal/*" 12 | - "travel-agency/*" 13 | -------------------------------------------------------------------------------- /Scenario-2-Split-Istio-Configs-By-Namespace/smcp-2.0.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: maistra.io/v2 2 | kind: ServiceMeshControlPlane 3 | metadata: 4 | name: tenant-2 5 | namespace: istio-system-tenant-2 6 | spec: 7 | tracing: 8 | sampling: 10000 9 | type: Jaeger 10 | general: 11 | logging: 12 | logAsJSON: true 13 | profiles: 14 | - default 15 | proxy: 16 | accessLogging: 17 | file: 18 | name: /dev/stdout 19 | policy: 20 | type: Istiod 21 | addons: 22 | grafana: 23 | enabled: true 24 | jaeger: 25 | install: 26 | storage: 27 | type: Memory 28 | kiali: 29 | enabled: true 30 | prometheus: 31 | enabled: true 32 | version: v2.0 
33 | telemetry: 34 | type: Istiod 35 | -------------------------------------------------------------------------------- /Scenario-2-Split-Istio-Configs-By-Namespace/smmr.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: maistra.io/v1 2 | kind: ServiceMeshMemberRoll 3 | metadata: 4 | name: default 5 | namespace: istio-system-tenant-2 6 | spec: 7 | members: 8 | - httpbin2 9 | - travel-agency 10 | - travel-portal 11 | - travel-control 12 | -------------------------------------------------------------------------------- /Scenario-3-Apply-WASM-Extension/README.adoc: -------------------------------------------------------------------------------- 1 | = Apply WASM Mesh Extension 2 | :toc: 3 | 4 | * ServiceMesh Version: 2.0 5 | * Purpose: Extend the capabilities of the Mesh with a WASM Extension 6 | 7 | == Setup ServiceMesh installation 8 | 9 | * Pre-Requisites 10 | 11 | `ServiceMesh` Operators Installation *TBD* 12 | 13 | * Setup 14 | 15 | 1. Control Plane Namespace Creation 16 | 17 | oc new-project 18 | 19 | 2. SMCP 20 | 21 | oc apply -f smcp-2.0.yaml 22 | 23 | ** or modify/apply the following 24 | 25 | apiVersion: maistra.io/v2 26 | kind: ServiceMeshControlPlane 27 | metadata: 28 | name: 29 | namespace: 30 | spec: 31 | techPreview: 32 | wasmExtensions: 33 | enabled: true 34 | tracing: 35 | sampling: 10000 36 | type: Jaeger 37 | general: 38 | logging: 39 | logAsJSON: true 40 | profiles: 41 | - default 42 | proxy: 43 | accessLogging: 44 | file: 45 | name: /dev/stdout 46 | policy: 47 | type: Istiod 48 | addons: 49 | grafana: 50 | enabled: true 51 | jaeger: 52 | install: 53 | storage: 54 | type: Memory 55 | kiali: 56 | enabled: true 57 | prometheus: 58 | enabled: true 59 | version: v2.0 60 | telemetry: 61 | type: Istiod 62 | 63 | ** Reset 64 | 65 | oc delete -f smcp-2.0.yaml 66 | 67 | 3. SMBR 68 | 69 | oc apply -f smmr.yaml 70 | 71 | ** Reset 72 | 73 | oc delete -f smmr.yaml 74 | 75 | 4. 
ServiceMeshExtension 76 | 77 | oc apply -f sm-extension.yaml 78 | 79 | ** The sample filter image `quay.io/maistra-dev/header-append-filter:2.0` referenced in `sm-extension.yaml` is pulled from a development registry by a mutable tag. A WASM extension runs inside the proxy of every workload matched by its `workloadSelector` and sees all of that workload's traffic, so outside a PoC pin the image by digest and only deploy extensions built from a source you control. 80 | ** Reset 81 | 82 | oc delete -f sm-extension.yaml 83 | 84 | == Setup Mesh Deployments 85 | 86 | * Create 87 | 88 | link:../Scenario-0-Deploy-In-ServiceMesh/README.adoc#httpbin[Deploy httpbin] 89 | 90 | * Remove 91 | oc delete project httpbin 92 | 93 | 94 | == Testing 95 | 96 | * Before applying the WASM `ServiceMeshExtension` (no `custom-header: test` header) 97 | 98 | ---- 99 | curl -i -X GET "http://istio-ingressgateway-istio-wasm-poc.apps.cluster-6tzwm.6tzwm.sandbox256.opentlc.com/response-headers?freeform=" -H "accept: application/json" 100 | HTTP/1.1 200 OK 101 | server: istio-envoy 102 | date: Tue, 12 Oct 2021 09:26:55 GMT 103 | content-type: application/json 104 | content-length: 87 105 | freeform: 106 | access-control-allow-origin: * 107 | access-control-allow-credentials: true 108 | x-envoy-upstream-service-time: 5 109 | set-cookie: 7166af6d5626ff0abdebe2a0badfa327=cc90fe62b70bb43bfc57828493faca96; path=/; HttpOnly 110 | cache-control: private 111 | 112 | { 113 | "Content-Length": "87", 114 | "Content-Type": "application/json", 115 | "freeform": "" 116 | } 117 | ---- 118 | 119 | * After applying the WASM `ServiceMeshExtension` (has `custom-header: test` header) 120 | 121 | ** `oc logs -f httpbin-599849d486-qkrw4 -c istio-proxy` (replace with your httpbin pod name; wait for the log line reporting that the Envoy proxy is ready before retesting) 122 | ** Retest 123 | 124 | ---- 125 | curl -i -X GET "http://istio-ingressgateway-istio-wasm-poc.apps.cluster-6tzwm.6tzwm.sandbox256.opentlc.com/response-headers?freeform=" -H "accept: application/json" 126 | HTTP/1.1 200 OK 127 | server: istio-envoy 128 | date: Tue, 12 Oct 2021 09:24:43 GMT 129 | content-type: application/json 130 | content-length: 87 131 | freeform: 132 | access-control-allow-origin: * 133 | access-control-allow-credentials: true 134 | x-envoy-upstream-service-time: 2 135 | custom-header: test 136 | set-cookie: 7166af6d5626ff0abdebe2a0badfa327=cc90fe62b70bb43bfc57828493faca96; path=/; HttpOnly 137 | cache-control: 
private

{
  "Content-Length": "87",
  "Content-Type": "application/json",
  "freeform": ""
}
----

== Resources

* https://docs.openshift.com/container-platform/4.6/service_mesh/v2x/ossm-extensions.html#webassembly-extensions[WebAssembly extensions]
* https://github.com/proxy-wasm/proxy-wasm-rust-sdk/blob/v0.1.4/examples/http_auth_random.rs[proxy-wasm-rust-sdk]



--------------------------------------------------------------------------------
/Scenario-3-Apply-WASM-Extension/sm-extension.yaml:
--------------------------------------------------------------------------------
apiVersion: maistra.io/v1alpha1
kind: ServiceMeshExtension
metadata:
  name: header-append
spec:
  config: test
  image: quay.io/maistra-dev/header-append-filter:2.0
  phase: PostAuthZ
  priority: 1000
  workloadSelector:
    labels:
      app: httpbin
--------------------------------------------------------------------------------
/Scenario-3-Apply-WASM-Extension/smcp-2.0.yaml:
--------------------------------------------------------------------------------
apiVersion: maistra.io/v2
kind: ServiceMeshControlPlane
metadata:
  name: tenant-3
  namespace: istio-system-wasm-poc-tenant-3
spec:
  techPreview:
    wasmExtensions:
      enabled: true
  tracing:
    sampling: 10000
    type: Jaeger
  general:
    logging:
      logAsJSON: true
  profiles:
  - default
  proxy:
    accessLogging:
      file:
        name: /dev/stdout
  policy:
    type: Istiod
  addons:
    grafana:
      enabled: true
    jaeger:
      install:
        storage:
          type: Memory
    kiali:
      enabled: true
    prometheus:
      enabled: true
  version: v2.0
  telemetry:
    type: Istiod
--------------------------------------------------------------------------------
/Scenario-3-Apply-WASM-Extension/smmr.yaml:
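--------------------------------------------------------------------------------
apiVersion: maistra.io/v1
kind: ServiceMeshMemberRoll
metadata:
  name: default
  namespace: istio-system-wasm-poc-tenant-3
spec:
  members:
  - httpbin
--------------------------------------------------------------------------------
/Scenario-4-Cross-Cluster-Traffic-Management/create-greeting-remote-service.sh:
--------------------------------------------------------------------------------
#!/bin/bash
# Build and deploy quarkus-rest-greeting-remote into a mesh member namespace and
# expose it through the ingress gateway of the control plane in SM_CP_NS.
#
# Positional arguments (all required):
#   $1 SM_CP_NS              control-plane namespace; the OpenShift Route is created here
#   $2 SM_MR_NS              member namespace that receives the DeploymentConfig
#   $3 SM_REMOTE_ROUTE       hostname of the (remote) ingress gateway route
#   $4 REMOTE_SERVICE_ROUTE  hostname of the service's own Route, eg. hello.remote.com
#   $5 CLUSTER_NAME          exported to the pod as GREETING_LOCATION
#
# Side effects: runs a maven build that deploys into the *current* project (so the
# script switches the kubeconfig context with 'oc project'), patches and rolls out the
# DeploymentConfig, and applies a Route, a Gateway and a VirtualService.
# The Gateway listens on plain HTTP (port 80); no TLS is configured by this script.
set -euo pipefail

if [ "$#" -ne 5 ]; then
  echo "usage: $0 <SM_CP_NS> <SM_MR_NS> <SM_REMOTE_ROUTE> <REMOTE_SERVICE_ROUTE> <CLUSTER_NAME>" >&2
  exit 1
fi

SM_CP_NS=$1
SM_MR_NS=$2
SM_REMOTE_ROUTE=$3
#eg. hello.remote.com
REMOTE_SERVICE_ROUTE=$4
CLUSTER_NAME=$5

echo "ServiceMesh Namespace : $SM_CP_NS"
echo "ServiceMesh Member Namespace : $SM_MR_NS"
echo "ServiceMesh (Remote) Ingress Gateway Route : $SM_REMOTE_ROUTE"
echo "Remote Cluster Name : $CLUSTER_NAME"
echo "Remote Service Route : $REMOTE_SERVICE_ROUTE"

# Stop if the source tree is not where expected instead of building and deploying
# from whatever directory we happen to be in.
cd ../coded-services/quarkus-rest-greeting-remote || exit 1
# new-project fails when the project already exists; in both cases select it, since
# the maven deploy below targets the current project.
oc new-project "$SM_MR_NS" || true
oc project "$SM_MR_NS"

mvn clean package -Dquarkus.kubernetes.deploy=true -DskipTests

# Give the DeploymentConfig created by the maven deploy time to appear.
echo 'sleeping 15s'
sleep 15
# Opt the workload into sidecar injection and pass the remote location settings.
oc patch dc/rest-greeting-remote -p '{"spec":{"template":{"metadata":{"annotations":{"sidecar.istio.io/inject": "true"}}}}}' -n "$SM_MR_NS"
oc set env dc/rest-greeting-remote GREETINGS_SVC_LOCATION="$REMOTE_SERVICE_ROUTE" -n "$SM_MR_NS"
oc set env dc/rest-greeting-remote GREETING_LOCATION="$CLUSTER_NAME" -n "$SM_MR_NS"
#echo 'sleeping 15s'
#sleep 15
oc rollout latest dc/rest-greeting-remote -n "$SM_MR_NS"


echo "################# Route - hello-remote [$SM_CP_NS] #################"
# Route in the control-plane namespace that hands REMOTE_SERVICE_ROUTE to the ingress gateway.
oc apply -n "$SM_CP_NS" -f - <<EOF
kind: Route
apiVersion: route.openshift.io/v1
metadata:
  name: hello-remote
spec:
  host: ${REMOTE_SERVICE_ROUTE}
  to:
    kind: Service
    name: istio-ingressgateway
    weight: 100
  port:
    targetPort: http2
  wildcardPolicy: None
EOF

echo "################# Gateway - rest-greeting-remote-gateway [$SM_MR_NS] #################"
oc apply -n "$SM_MR_NS" -f - <<EOF
apiVersion: networking.istio.io/v1alpha3
kind: Gateway
metadata:
  name: rest-greeting-remote-gateway
spec:
  selector:
    istio: ingressgateway # use istio default controller
  servers:
  - port:
      number: 80
      name: http
      protocol: HTTP
    hosts:
    - ${SM_REMOTE_ROUTE}
    - ${REMOTE_SERVICE_ROUTE}
EOF

echo "################# VirtualService - rest-greeting-remote [$SM_MR_NS] #################"
# Bound to both the gateway and 'mesh', so the same /hello routing applies to
# in-mesh callers and to traffic entering through the ingress gateway.
oc apply -n "$SM_MR_NS" -f - <<EOF
apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
  name: rest-greeting-remote
spec:
  hosts:
  - ${SM_REMOTE_ROUTE}
  - ${REMOTE_SERVICE_ROUTE}
  gateways:
  - rest-greeting-remote-gateway
  - mesh
  http:
  - match:
    - uri:
        exact: /hello
    - uri:
        prefix: /hello
    route:
    - destination:
        host: rest-greeting-remote
        port:
          number: 8080
EOF




--------------------------------------------------------------------------------
/Scenario-4-Cross-Cluster-Traffic-Management/create-healthcheck-503-service.sh:
--------------------------------------------------------------------------------
#!/bin/bash
# Build and deploy quarkus-rest-503 (a service whose /status endpoint returns a
# configurable 503 or 200) into a mesh member namespace and expose it through the
# ingress gateway. Used by the fault-detection sub-scenarios.
#
# Positional arguments (all required):
#   $1 SM_MR_NS         member namespace that receives the deployment
#   $2 SM_REMOTE_ROUTE  hostname of the (remote) ingress gateway route
#   $3 STATE            eg. fail (503 default) or success (200); exported as ERROR_FLAG
#
# Side effects: maven build/deploy into the current project (context switched with
# 'oc project'), DeploymentConfig patch and rollout, and a Gateway plus VirtualService
# applied with exportTo '*', i.e. visible to every namespace in the mesh.
set -euo pipefail

if [ "$#" -ne 3 ]; then
  echo "usage: $0 <SM_MR_NS> <SM_REMOTE_ROUTE> <STATE>" >&2
  exit 1
fi

SM_MR_NS=$1
SM_REMOTE_ROUTE=$2
# eg. fail (503 default) or success (200)
STATE=$3

echo "ServiceMesh Member Namespace : $SM_MR_NS"
echo "ServiceMesh (Remote) Ingress Gateway Route : $SM_REMOTE_ROUTE"
echo "State to be returned (503/200) : $STATE"

# Stop if the source tree is not where expected.
cd ../coded-services/quarkus-rest-503 || exit 1
oc project "$SM_MR_NS"

mvn clean package -Dquarkus.kubernetes.deploy=true -DskipTests

# Give the DeploymentConfig created by the maven deploy time to appear.
echo 'sleeping 15s'
sleep 15
oc patch dc/quarkus-rest-503 -p '{"spec":{"template":{"metadata":{"annotations":{"sidecar.istio.io/inject": "true"}}}}}' -n "$SM_MR_NS"
oc set env dc/quarkus-rest-503 ERROR_FLAG="$STATE" -n "$SM_MR_NS"

oc rollout latest dc/quarkus-rest-503 -n "$SM_MR_NS"

echo "################# Gateway - quarkus-rest-503-gateway [$SM_MR_NS] #################"
# Plain HTTP listener; exportTo '*' publishes this Gateway mesh-wide.
oc apply -n "$SM_MR_NS" -f - <<EOF
apiVersion: networking.istio.io/v1alpha3
kind: Gateway
metadata:
  name: quarkus-rest-503-gateway
spec:
  selector:
    istio: ingressgateway # use istio default controller
  servers:
  - port:
      number: 80
      name: http
      protocol: HTTP
    hosts:
    - ${SM_REMOTE_ROUTE}
  exportTo:
  - '*'
EOF

echo "################# VirtualService - quarkus-rest-503 [$SM_MR_NS] #################"
# NOTE(review): the in-mesh hostname of rest-greeting-remote is listed as a host here,
# so /status requests for that name are steered to quarkus-rest-503 -- presumably what
# the gateway health-check sub-scenario relies on; confirm before reusing this elsewhere.
oc apply -n "$SM_MR_NS" -f - <<EOF
apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
  name: quarkus-rest-503
spec:
  hosts:
  - ${SM_REMOTE_ROUTE}
  - rest-greeting-remote.${SM_MR_NS}.svc.cluster.local
  gateways:
  - quarkus-rest-503-gateway
  - mesh
  http:
  - match:
    - uri:
        exact: /status
    - uri:
        prefix: /status
    route:
    - destination:
        host: quarkus-rest-503.${SM_MR_NS}.svc.cluster.local
        port:
          number: 8080
  exportTo:
  - '*'
EOF




--------------------------------------------------------------------------------
/Scenario-4-Cross-Cluster-Traffic-Management/create-smcp-smmr-2.0-sc-4b.sh:
--------------------------------------------------------------------------------
#!/bin/bash
# Create a ServiceMeshControlPlane (v2.0) with an additional 'admin-ingressgateway'
# ingress gateway, and a ServiceMeshMemberRoll with a single member namespace
# (scenario 4b: a second gateway with different health-check behaviour).
#
# Positional arguments (all required):
#   $1 SM_CP_NS      control-plane namespace (must already exist)
#   $2 SM_TENANT_NO  suffix for the SMCP name, tenant-<no>
#   $3 SM_MR_NS      the one member namespace enrolled in the mesh
set -euo pipefail

if [ "$#" -ne 3 ]; then
  echo "usage: $0 <SM_CP_NS> <SM_TENANT_NO> <SM_MR_NS>" >&2
  exit 1
fi

SM_CP_NS=$1
SM_TENANT_NO=$2
SM_MR_NS=$3

echo "ServiceMesh Namespace $SM_CP_NS"
echo "ServiceMesh tenant-$SM_TENANT_NO"
echo "ServiceMesh Member Namespace $SM_MR_NS"

#oc apply -f smcp-2.0.yaml -n $SM_CP_NS

# outbound policy REGISTRY_ONLY: sidecars can only reach destinations present in the
# mesh registry, so egress to unknown hosts is denied unless a ServiceEntry adds them.
oc apply -n "$SM_CP_NS" -f - <<EOF
apiVersion: maistra.io/v2
kind: ServiceMeshControlPlane
metadata:
  name: tenant-$SM_TENANT_NO
spec:
  addons:
    grafana:
      enabled: true
    jaeger:
      install:
        storage:
          type: Memory
    kiali:
      enabled: true
    prometheus:
      enabled: true
  general:
    logging:
      logAsJSON: true
  policy:
    type: Istiod
  profiles:
  - default
  proxy:
    accessLogging:
      file:
        name: /dev/stdout
  networking:
    trafficControl:
      outbound:
        policy: REGISTRY_ONLY
  gateways:
    additionalIngress:
      admin-ingressgateway:
        enabled: true
        runtime:
          deployment:
            autoScaling:
              enabled: false
        service:
          metadata:
            labels:
              app: admin-ingressgateway
          selector:
            app: admin-ingressgateway
  telemetry:
    type: Istiod
  tracing:
    sampling: 10000
    type: Jaeger
  version: v2.0
EOF



oc apply -n "$SM_CP_NS" -f - <<EOF
apiVersion: maistra.io/v1
kind: ServiceMeshMemberRoll
metadata:
  name: default
spec:
  members:
  - ${SM_MR_NS}
EOF


--------------------------------------------------------------------------------
/Scenario-4-Cross-Cluster-Traffic-Management/create-smcp-smmr-2.1.sh:
--------------------------------------------------------------------------------
#!/bin/bash
# Create a ServiceMeshControlPlane (v2.1) and a ServiceMeshMemberRoll with a single
# member namespace. Same shape as create-smcp-smmr-2.0-sc-4b.sh minus the extra
# ingress gateway.
#
# Positional arguments (all required):
#   $1 SM_CP_NS      control-plane namespace (must already exist)
#   $2 SM_TENANT_NO  suffix for the SMCP name, tenant-<no>
#   $3 SM_MR_NS      the one member namespace enrolled in the mesh
set -euo pipefail

if [ "$#" -ne 3 ]; then
  echo "usage: $0 <SM_CP_NS> <SM_TENANT_NO> <SM_MR_NS>" >&2
  exit 1
fi

SM_CP_NS=$1
SM_TENANT_NO=$2
SM_MR_NS=$3

echo "ServiceMesh Namespace $SM_CP_NS"
echo "ServiceMesh tenant-$SM_TENANT_NO"
echo "ServiceMesh Member Namespace $SM_MR_NS"

#oc apply -f smcp-2.0.yaml -n $SM_CP_NS

# outbound policy REGISTRY_ONLY: egress is limited to destinations known to the mesh registry.
oc apply -n "$SM_CP_NS" -f - <<EOF
apiVersion: maistra.io/v2
kind: ServiceMeshControlPlane
metadata:
  name: tenant-$SM_TENANT_NO
spec:
  addons:
    grafana:
      enabled: true
    jaeger:
      install:
        storage:
          type: Memory
    kiali:
      enabled: true
    prometheus:
      enabled: true
  general:
    logging:
      logAsJSON: true
  policy:
    type: Istiod
  profiles:
  - default
  proxy:
    accessLogging:
      file:
        name: /dev/stdout
  networking:
    trafficControl:
      outbound:
        policy: REGISTRY_ONLY
  telemetry:
    type: Istiod
  tracing:
    sampling: 10000
    type: Jaeger
  version: v2.1
EOF



oc apply -n "$SM_CP_NS" -f - <<EOF
apiVersion: maistra.io/v1
kind: ServiceMeshMemberRoll
metadata:
  name: default
spec:
  members:
  - ${SM_MR_NS}
EOF


--------------------------------------------------------------------------------
/Scenario-4-Cross-Cluster-Traffic-Management/images/4a-envoyfilter-hc-scenario/Lab-2-Failover-Custom-HC-State-1.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/skoussou/servicemesh-playground/f55dd15cdeb8b770e53e44d3982a9caf934cfd6e/Scenario-4-Cross-Cluster-Traffic-Management/images/4a-envoyfilter-hc-scenario/Lab-2-Failover-Custom-HC-State-1.png
--------------------------------------------------------------------------------
/Scenario-4-Cross-Cluster-Traffic-Management/images/4a-envoyfilter-hc-scenario/Lab-2-Failover-Custom-HC-State-2.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/skoussou/servicemesh-playground/f55dd15cdeb8b770e53e44d3982a9caf934cfd6e/Scenario-4-Cross-Cluster-Traffic-Management/images/4a-envoyfilter-hc-scenario/Lab-2-Failover-Custom-HC-State-2.png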
-------------------------------------------------------------------------------- /Scenario-4-Cross-Cluster-Traffic-Management/images/4a-envoyfilter-hc-scenario/Lab-2-Failover-Custom-HC-State-3.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/skoussou/servicemesh-playground/f55dd15cdeb8b770e53e44d3982a9caf934cfd6e/Scenario-4-Cross-Cluster-Traffic-Management/images/4a-envoyfilter-hc-scenario/Lab-2-Failover-Custom-HC-State-3.png -------------------------------------------------------------------------------- /Scenario-4-Cross-Cluster-Traffic-Management/images/4a-envoyfilter-hc-scenario/Lab-2-Failover-Custom-HC-State-Sequence.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/skoussou/servicemesh-playground/f55dd15cdeb8b770e53e44d3982a9caf934cfd6e/Scenario-4-Cross-Cluster-Traffic-Management/images/4a-envoyfilter-hc-scenario/Lab-2-Failover-Custom-HC-State-Sequence.png -------------------------------------------------------------------------------- /Scenario-4-Cross-Cluster-Traffic-Management/images/4b-multiple-gw-scenario/Lab-3-Additional-GW-Bypass-Custom-HC.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/skoussou/servicemesh-playground/f55dd15cdeb8b770e53e44d3982a9caf934cfd6e/Scenario-4-Cross-Cluster-Traffic-Management/images/4b-multiple-gw-scenario/Lab-3-Additional-GW-Bypass-Custom-HC.png -------------------------------------------------------------------------------- /Scenario-4-Cross-Cluster-Traffic-Management/images/basic-scenario/Lab-1-CU-BCU-Failover-State-1.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/skoussou/servicemesh-playground/f55dd15cdeb8b770e53e44d3982a9caf934cfd6e/Scenario-4-Cross-Cluster-Traffic-Management/images/basic-scenario/Lab-1-CU-BCU-Failover-State-1.png 
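--------------------------------------------------------------------------------
/Scenario-4-Cross-Cluster-Traffic-Management/images/basic-scenario/Lab-1-CU-BCU-Failover-State-2.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/skoussou/servicemesh-playground/f55dd15cdeb8b770e53e44d3982a9caf934cfd6e/Scenario-4-Cross-Cluster-Traffic-Management/images/basic-scenario/Lab-1-CU-BCU-Failover-State-2.png
--------------------------------------------------------------------------------
/Scenario-4-Cross-Cluster-Traffic-Management/images/basic-scenario/Lab-1-CU-BCU-Failover-State-3.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/skoussou/servicemesh-playground/f55dd15cdeb8b770e53e44d3982a9caf934cfd6e/Scenario-4-Cross-Cluster-Traffic-Management/images/basic-scenario/Lab-1-CU-BCU-Failover-State-3.png
--------------------------------------------------------------------------------
/Scenario-4-Cross-Cluster-Traffic-Management/images/basic-scenario/Lab-1-CU-BCU-Failover-State-Sequence.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/skoussou/servicemesh-playground/f55dd15cdeb8b770e53e44d3982a9caf934cfd6e/Scenario-4-Cross-Cluster-Traffic-Management/images/basic-scenario/Lab-1-CU-BCU-Failover-State-Sequence.png
--------------------------------------------------------------------------------
/Scenario-4-Cross-Cluster-Traffic-Management/smcp-2.0.yaml:
--------------------------------------------------------------------------------
apiVersion: maistra.io/v2
kind: ServiceMeshControlPlane
metadata:
  name:
spec:
  addons:
    grafana:
      enabled: true
    jaeger:
      install:
        storage:
          type: Memory
    kiali:
      enabled: true
    prometheus:
      enabled: true
  general:
    logging:
      logAsJSON: true
  policy:
    type: Istiod
  profiles:
  - default
  proxy:
    accessLogging:
      file:
        name: /dev/stdout
  networking:
    trafficControl:
      outbound:
        # sidecars may only reach destinations in the mesh registry (default-deny egress)
        policy: REGISTRY_ONLY
  telemetry:
    type: Istiod
  tracing:
    sampling: 10000
    type: Jaeger
  version: v2.0
--------------------------------------------------------------------------------
/Scenario-4-Cross-Cluster-Traffic-Management/smmr-greetings-client.yaml:
--------------------------------------------------------------------------------
apiVersion: maistra.io/v1
kind: ServiceMeshMemberRoll
metadata:
  name: default
spec:
  members:
  - greetings-client
--------------------------------------------------------------------------------
/Scenario-4-Cross-Cluster-Traffic-Management/smmr-greetings-service.yaml:
--------------------------------------------------------------------------------
apiVersion: maistra.io/v1
kind: ServiceMeshMemberRoll
metadata:
  name: default
spec:
  members:
  - greetings-service
--------------------------------------------------------------------------------
/Scenario-4-Cross-Cluster-Traffic-Management/sub-scenarios/4a-fault-detection-via-EnvoyFilter/additional-sm-hc-and-outlier-detection-on-greeting-remote-from-gw.sh:
--------------------------------------------------------------------------------
#!/bin/bash
# Add an Envoy active HTTP health check for SERVICE_NAME's upstream cluster on the
# ingress gateway (EnvoyFilter in the gateway namespace) and an outlier-detection
# DestinationRule for the same host (in the service namespace).
#
# Positional arguments (all required):
#   $1 SERVICE_NAME             mesh service to health-check
#   $2 SERVICE_NAMESPACE        namespace of that service
#   $3 SERVICE_HEALTHCHECK_URI  path polled by the health check, eg. /status/check
#   $4 GW_APP_NAME              'app' label of the gateway workload that receives the filter
#   $5 GW_NAMESPACE             namespace of that gateway workload
#
# Each manifest is printed to stdout for review and then applied.
set -euo pipefail

if [ "$#" -ne 5 ]; then
  echo "usage: $0 <SERVICE_NAME> <SERVICE_NAMESPACE> <SERVICE_HEALTHCHECK_URI> <GW_APP_NAME> <GW_NAMESPACE>" >&2
  exit 1
fi

SERVICE_NAME=$1
SERVICE_NAMESPACE=$2
SERVICE_HEALTHCHECK_URI=$3
GW_APP_NAME=$4
GW_NAMESPACE=$5

echo "SERVICE_NAME $SERVICE_NAME"
echo "SERVICE_NAMESPACE $SERVICE_NAMESPACE"
echo "SERVICE_HEALTHCHECK_URI $SERVICE_HEALTHCHECK_URI"
echo "GW_APP_NAME $GW_APP_NAME"
echo "GW_NAMESPACE $GW_NAMESPACE"
echo ''
echo ''
echo "################# EnvoyFilter - ${SERVICE_NAME}-status-check-healthcheck [$GW_NAMESPACE] #################"
# Built once so the printed copy and the applied copy cannot drift apart.
# healthy/unhealthy_threshold of 1 means a single probe result flips the host state.
ENVOY_FILTER=$(cat <<EOF
apiVersion: networking.istio.io/v1alpha3
kind: EnvoyFilter
metadata:
  name: ${SERVICE_NAME}-status-check-healthcheck
spec:
  workloadSelector:
    labels:
      app: ${GW_APP_NAME}
  configPatches:
  - applyTo: CLUSTER
    match:
      cluster:
        service: ${SERVICE_NAME}.${SERVICE_NAMESPACE}.svc.cluster.local
      context: GATEWAY
    patch:
      operation: MERGE
      value:
        health_checks:
        - always_log_health_check_failures: true
          event_log_path: /dev/stdout
          healthy_threshold: 1
          http_health_check:
            host: >-
              ${SERVICE_NAME}.${SERVICE_NAMESPACE}.svc.cluster.local
            path: ${SERVICE_HEALTHCHECK_URI}
          interval: 5s
          timeout: 5s
          unhealthy_threshold: 1
EOF
)
echo "$ENVOY_FILTER"

echo "$ENVOY_FILTER" | oc apply -n "$GW_NAMESPACE" -f -

# The original banner labelled this DestinationRule as the EnvoyFilter above.
echo "################# DestinationRule - ${SERVICE_NAME}-503-outlier-detection-dr [$SERVICE_NAMESPACE] #################"
# A single 5xx ejects the endpoint for 1m; maxEjectionPercent 100 allows every
# endpoint of the host to be ejected at once.
DESTINATION_RULE=$(cat <<EOF
kind: DestinationRule
apiVersion: networking.istio.io/v1alpha3
metadata:
  name: ${SERVICE_NAME}-503-outlier-detection-dr
spec:
  host: ${SERVICE_NAME}.${SERVICE_NAMESPACE}.svc.cluster.local
  trafficPolicy:
    outlierDetection:
      baseEjectionTime: 1m
      consecutive5xxErrors: 1
      interval: 30s
      maxEjectionPercent: 100
EOF
)
echo "$DESTINATION_RULE"

echo "$DESTINATION_RULE" | oc apply -n "$SERVICE_NAMESPACE" -f -

--------------------------------------------------------------------------------
/Scenario-4-Cross-Cluster-Traffic-Management/sub-scenarios/4a-fault-detection-via-EnvoyFilter/additional-sm-hc-uri-set-200-success.sh:
--------------------------------------------------------------------------------
#!/bin/bash
# Switch the lab 503 service to its 'succeed' state (HTTP 200 on the health-check
# path) by calling its /status/set/succeed endpoint with curl from inside a mesh pod.
#
# Positional arguments (all required):
#   $1 SERVICE_POD_NAME   pod to exec curl from (must be able to reach the service in-mesh)
#   $2 SERVICE_NAME       service to call
#   $3 SERVICE_NAMESPACE  namespace of both the pod and the service
set -euo pipefail

if [ "$#" -ne 3 ]; then
  echo "usage: $0 <SERVICE_POD_NAME> <SERVICE_NAME> <SERVICE_NAMESPACE>" >&2
  exit 1
fi

SERVICE_POD_NAME=$1
SERVICE_NAME=$2
SERVICE_NAMESPACE=$3

# The echoed command now matches what is executed (the original printed '--n').
echo "oc exec $SERVICE_POD_NAME -n $SERVICE_NAMESPACE -- curl -iv -X GET http://$SERVICE_NAME.$SERVICE_NAMESPACE.svc.cluster.local:8080/status/set/succeed"

oc exec "$SERVICE_POD_NAME" -n "$SERVICE_NAMESPACE" -- curl -iv -X GET "http://$SERVICE_NAME.$SERVICE_NAMESPACE.svc.cluster.local:8080/status/set/succeed"
--------------------------------------------------------------------------------
/Scenario-4-Cross-Cluster-Traffic-Management/sub-scenarios/4a-fault-detection-via-EnvoyFilter/additional-sm-hc-uri-set-503-fail.sh:
--------------------------------------------------------------------------------
#!/bin/bash
# Switch the lab 503 service to its 'fail' state (HTTP 503 on the health-check
# path) by calling its /status/set/fail endpoint with curl from inside a mesh pod.
#
# Positional arguments (all required):
#   $1 SERVICE_POD_NAME   pod to exec curl from (must be able to reach the service in-mesh)
#   $2 SERVICE_NAME       service to call
#   $3 SERVICE_NAMESPACE  namespace of both the pod and the service
set -euo pipefail

if [ "$#" -ne 3 ]; then
  echo "usage: $0 <SERVICE_POD_NAME> <SERVICE_NAME> <SERVICE_NAMESPACE>" >&2
  exit 1
fi

SERVICE_POD_NAME=$1
SERVICE_NAME=$2
SERVICE_NAMESPACE=$3

# The echoed command now matches what is executed (the original printed '--n').
echo "oc exec $SERVICE_POD_NAME -n $SERVICE_NAMESPACE -- curl -iv -X GET http://$SERVICE_NAME.$SERVICE_NAMESPACE.svc.cluster.local:8080/status/set/fail"

oc exec "$SERVICE_POD_NAME" -n "$SERVICE_NAMESPACE" -- curl -iv -X GET "http://$SERVICE_NAME.$SERVICE_NAMESPACE.svc.cluster.local:8080/status/set/fail"
--------------------------------------------------------------------------------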
/Scenario-4-Cross-Cluster-Traffic-Management/sub-scenarios/4a-fault-detection-via-EnvoyFilter/istio-envoy-filter-status-check-cluster.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: networking.istio.io/v1alpha3 2 | kind: EnvoyFilter 3 | metadata: 4 | name: status-check-healthcheck 5 | spec: 6 | workloadSelector: 7 | labels: 8 | istio: ingressgateway 9 | configPatches: 10 | - applyTo: CLUSTER 11 | match: 12 | cluster: 13 | name: >- 14 | outbound|8080||rest-greeting-remote.greetings-service.svc.cluster.local 15 | context: GATEWAY 16 | patch: 17 | operation: MERGE 18 | value: 19 | health_checks: 20 | - always_log_health_check_failures: true 21 | event_log_path: /dev/stdout 22 | healthy_threshold: 3 23 | http_health_check: 24 | host: quarkus-rest-503.greetings-service.svc.cluster.local 25 | path: /status/check 26 | interval: 5s 27 | no_traffic_interval: 15s 28 | timeout: 5s 29 | unhealthy_threshold: 5 30 | -------------------------------------------------------------------------------- /Scenario-4-Cross-Cluster-Traffic-Management/sub-scenarios/4a-fault-detection-via-EnvoyFilter/istio-envoy-filter-status-check.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: networking.istio.io/v1alpha3 2 | kind: EnvoyFilter 3 | metadata: 4 | name: status-check-healthcheck 5 | spec: 6 | workloadSelector: 7 | labels: 8 | istio: ingressgateway 9 | configPatches: 10 | - applyTo: CLUSTER 11 | match: 12 | cluster: 13 | service: rest-greeting-remote.greetings-service.svc.cluster.local 14 | context: GATEWAY 15 | patch: 16 | operation: MERGE 17 | value: 18 | health_checks: 19 | - always_log_health_check_failures: true 20 | event_log_path: /dev/stdout 21 | healthy_threshold: 1 22 | http_health_check: 23 | host: >- 24 | rest-greeting-remote.greetings-service.svc.cluster.local 25 | path: /status/check 26 | interval: 5s 27 | timeout: 5s 28 | unhealthy_threshold: 1 29 | 
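--------------------------------------------------------------------------------
/Scenario-4-Cross-Cluster-Traffic-Management/sub-scenarios/4a-fault-detection-via-EnvoyFilter/rest-greeting-remote-503-outlier-detection-dr.yaml:
--------------------------------------------------------------------------------
apiVersion: networking.istio.io/v1alpha3
kind: DestinationRule
metadata:
  name: rest-greeting-remote-503-outlier-detection-dr
spec:
  host: rest-greeting-remote.greetings-service-1.svc.cluster.local
  trafficPolicy:
    outlierDetection:
      consecutive5xxErrors: 1
      interval: 30s
      baseEjectionTime: 1m
      maxEjectionPercent: 100
--------------------------------------------------------------------------------
/Scenario-4-Cross-Cluster-Traffic-Management/sub-scenarios/4b-multiple-gateways-different-health-behavior/additional-smcp-gw-vs-to-bypass-hc.sh:
--------------------------------------------------------------------------------
#!/bin/bash
# Scenario 4b: expose rest-greeting-remote through an additional ingress gateway
# (selected by app=GW_APP_NAME) that does not carry the custom health-check
# EnvoyFilter, using the hostname of that gateway's OpenShift Route.
#
# Positional arguments (all required):
#   $1 GW_APP_NAME        'app' label of the additional gateway; also the name of its Route
#   $2 GW_NAMESPACE       namespace holding that Route
#   $3 SERVICE_NAMESPACE  namespace where the Gateway and VirtualService are applied
#
# Each manifest is printed to stdout for review and then applied.
set -euo pipefail

if [ "$#" -ne 3 ]; then
  echo "usage: $0 <GW_APP_NAME> <GW_NAMESPACE> <SERVICE_NAMESPACE>" >&2
  exit 1
fi

GW_APP_NAME=$1
GW_NAMESPACE=$2
SERVICE_NAMESPACE=$3
GW_ROUTE=$(oc get route "$GW_APP_NAME" -o jsonpath='{.spec.host}' -n "$GW_NAMESPACE")
# With an empty host the Gateway/VirtualService below would match nothing (or be
# rejected); stop before applying anything.
if [ -z "$GW_ROUTE" ]; then
  echo "no host found on route $GW_APP_NAME in namespace $GW_NAMESPACE" >&2
  exit 1
fi


echo "GW_APP_NAME: $GW_APP_NAME"
echo "GW_NAMESPACE: $GW_NAMESPACE"
echo "SERVICE_NAMESPACE: $SERVICE_NAMESPACE"
echo "GW_ROUTE: $GW_ROUTE"
echo ''
echo "################# Gateway - rest-greeting-remote-${GW_APP_NAME} [${SERVICE_NAMESPACE}] #################"
# Built once so the printed copy and the applied copy cannot drift apart
# (the previous preview named a non-existent gateway rest-greeting-${GW_APP_NAME}).
# Plain HTTP listener on port 80; no TLS is configured here.
GATEWAY=$(cat <<EOF
apiVersion: networking.istio.io/v1alpha3
kind: Gateway
metadata:
  name: rest-greeting-remote-${GW_APP_NAME}
spec:
  selector:
    app: ${GW_APP_NAME}
  servers:
  - port:
      number: 80
      name: http
      protocol: HTTP
    hosts:
    - ${GW_ROUTE}
EOF
)
echo "$GATEWAY"


echo "$GATEWAY" | oc apply -n "$SERVICE_NAMESPACE" -f -

echo "################# VirtualService - rest-greeting-remote-${GW_APP_NAME} [${SERVICE_NAMESPACE}] #################"
VIRTUAL_SERVICE=$(cat <<EOF
apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
  name: rest-greeting-remote-${GW_APP_NAME}-vs
spec:
  hosts:
  - ${GW_ROUTE}
  gateways:
  - rest-greeting-remote-${GW_APP_NAME}
  - mesh
  http:
  - match:
    - uri:
        exact: /hello
    - uri:
        prefix: /hello
    route:
    - destination:
        host: rest-greeting-remote
        port:
          number: 8080
EOF
)
echo "$VIRTUAL_SERVICE"


echo "$VIRTUAL_SERVICE" | oc apply -n "$SERVICE_NAMESPACE" -f -

--------------------------------------------------------------------------------
/Scenario-6-EnvoyFilters/README.adoc:
--------------------------------------------------------------------------------
= Purpose

`EnvoyFilter` implementations

== Application Driven Capabilities on the `Service Mesh`
* link:remove-headers.adoc[Envoy Filter to Remove a Header]


--------------------------------------------------------------------------------
/Scenario-6-EnvoyFilters/remove-headers.adoc:
--------------------------------------------------------------------------------
= EnvoyFilter to Remove a Header

How can we remove `x-envoy-decorator-operation`?

* With `VirtualService`

----
apiVersion: networking.istio.io/v1beta1
kind: VirtualService
...
spec:
...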
13 | http: 14 | - headers: 15 | response: 16 | remove: 17 | - x-envoy-upstream-service-time 18 | route: 19 | - destination: 20 | host: httpbin 21 | subset: v1 22 | weight: 100 23 | ---- 24 | 25 | * With lua based `EnvoyFilter` 26 | 27 | ---- 28 | apiVersion: networking.istio.io/v1alpha3 29 | kind: EnvoyFilter 30 | metadata: 31 | name: response-headers-filter 32 | namespace: istio-system 33 | spec: 34 | configPatches: 35 | - applyTo: HTTP_FILTER 36 | match: 37 | context: GATEWAY 38 | listener: 39 | filterChain: 40 | filter: 41 | name: "envoy.http_connection_manager" 42 | subFilter: 43 | name: "envoy.router" 44 | patch: 45 | operation: ADD 46 | value: 47 | name: envoy.lua 48 | config: 49 | inlineCode: | 50 | function envoy_on_response(response_handle) 51 | response_handle:headers():remove("x-envoy-upstream-service-time") 52 | response_handle:headers():remove("x-envoy-overloaded") 53 | response_handle:headers():remove("x-powered-by") 54 | end 55 | ---- 56 | 57 | * With non-lua based `EnvoyFilter` 58 | 59 | ---- 60 | apiVersion: networking.istio.io/v1alpha3 61 | kind: EnvoyFilter 62 | metadata: 63 | name: response-headers-filter 64 | spec: 65 | workloadSelector: 66 | labels: 67 | app: myapp 68 | configPatches: 69 | - applyTo: NETWORK_FILTER 70 | match: 71 | context: SIDECAR_INBOUND 72 | listener: 73 | filterChain: 74 | filter: 75 | name: "envoy.filters.network.http_connection_manager" 76 | patch: 77 | operation: MERGE 78 | value: 79 | typed_config: 80 | "@type": "type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager" 81 | server_header_transformation: PASS_THROUGH 82 | - applyTo: HTTP_ROUTE 83 | match: 84 | context: SIDECAR_INBOUND 85 | patch: 86 | operation: MERGE 87 | value: 88 | decorator: 89 | propagate: false # removes the decorator header 90 | response_headers_to_remove: 91 | - x-envoy-upstream-service-time 92 | - x-powered-by 93 | - server 94 | ---- 95 | 96 | 
--------------------------------------------------------------------------------
/Scenario-Arch-1-ServiceMesh-Separations/README.adoc:
--------------------------------------------------------------------------------
= Architecture Choices Service Mesh Topologies
:toc:

Consider architecture choices for the definition of single, multi-tenant, multi-cluster service mesh topologies



TBR - but it’s necessary for the Route objects in the istio-system Namespace
TBR - (one thing I learned for sure in this project is that different environments should have dedicated clusters …)

the level of "separation" can be argued

cluster = env
or
servicemesh = env
or
namespace = env

each has its own merits

ie. one does not exclude the other however what is a good practice is

1 servicemesh = Many environments .... that is definitely an anti-pattern of the use of the mesh

and as I said much earlier in my explanations in my view it is better to think ServiceMesh as part of the APP which would mean 1 cluster => MANY APPS = 1-1 ServiceMesh

what you have now is the "anti-pattern" ie.
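1 servicemesh = many environments
--------------------------------------------------------------------------------
/Scenario-D1-Offline-Deployments/README.adoc:
--------------------------------------------------------------------------------
= Deploying ServiceMesh Operator and Controlplane in an Offline environment
:toc:

== Troubleshooting Problems
* link:https://access.redhat.com/solutions/5514331[Service Mesh Jaeger and Prometheus can't start in disconnected environment]



https://access.redhat.com/solutions/5566581


https://docs.openshift.com/container-platform/4.9/operators/admin/olm-restricted-networks.html





--------------------------------------------------------------------------------
/Scenario-MTLS-1-External-Request-Per-Service-Cert/create-certs-secured-gw-vs-route-for-cert-manager-user-case.sh:
--------------------------------------------------------------------------------
#!/bin/bash
# Request a certificate for HOSTNAME from cert-manager and wire HTTPS ingress for
# hello-openshift through it: Certificate (in the istio namespace, where the ingress
# gateway looks up credentialName secrets), Gateway, VirtualService and a passthrough
# Route.
#
# Positional arguments (all required):
#   $1 NAMESPACE        application namespace (Gateway and VirtualService go here)
#   $2 ISTIO_NAMESPACE  control-plane namespace (Certificate/secret and Route go here)
#   $3 HOSTNAME         external hostname served over HTTPS
#   $4 SECRET_NAME      secret cert-manager fills and the Gateway reads as credentialName
set -euo pipefail

if [ "$#" -ne 4 ]; then
  echo "usage: $0 <NAMESPACE> <ISTIO_NAMESPACE> <HOSTNAME> <SECRET_NAME>" >&2
  exit 1
fi

NAMESPACE=$1
ISTIO_NAMESPACE=$2
HOSTNAME=$3
SECRET_NAME=$4

echo '-------------------------------------------------------------------------'
echo "application namespace : $NAMESPACE"
echo "application hostname : $HOSTNAME"
echo "secret to store certificate : $SECRET_NAME"
echo "istio namespace : $ISTIO_NAMESPACE"
echo '-------------------------------------------------------------------------'

echo "################# Create - Certificate for hostname [$HOSTNAME] with cert-manager and store in secret [$SECRET_NAME] #################"

# The original passed the namespace without -n, so oc saw it as a stray argument.
# The Certificate has to land in ISTIO_NAMESPACE: the ingress gateway resolves the
# Gateway's credentialName from secrets in its own namespace.
# 'selfsigned-issuer' is presumably a self-signed ClusterIssuer (lab use); clients
# will not trust the resulting chain unless they import it.
oc apply -n "$ISTIO_NAMESPACE" -f - <<EOF
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: hello-openshift-cert
spec:
  secretName: $SECRET_NAME
  commonName: $HOSTNAME
  issuerRef:
    name: selfsigned-issuer
    kind: ClusterIssuer
  dnsNames:
  - $HOSTNAME
EOF

sleep 5

echo "################# Create - Gateway to define HTTPS certificate [$SECRET_NAME] for hostname [$HOSTNAME] #################"

# TLS terminates at the ingress gateway (mode SIMPLE) with the cert-manager secret.
oc apply -n "$NAMESPACE" -f - <<EOF
apiVersion: networking.istio.io/v1alpha3
kind: Gateway
metadata:
  name: hello-openshift-gateway
spec:
  selector:
    istio: ingressgateway
  servers:
  - port:
      number: 443
      name: https
      protocol: HTTPS
    tls:
      mode: SIMPLE
      credentialName: $SECRET_NAME
    hosts:
    - $HOSTNAME
EOF

sleep 5

echo "################# Create - VirtualService for host [$HOSTNAME] to service [hello-openshift.$NAMESPACE.svc.cluster.local] #################"

oc apply -n "$NAMESPACE" -f - <<EOF
apiVersion: networking.istio.io/v1beta1
kind: VirtualService
metadata:
  name: hello-openshift
spec:
  gateways:
  - hello-openshift-gateway
  - mesh
  hosts:
  - $HOSTNAME
  http:
  - match:
    - uri:
        exact: /
    route:
    - destination:
        host: hello-openshift.$NAMESPACE.svc.cluster.local
        port:
          number: 8080
EOF

sleep 5

echo "################# Create - Route for host [$HOSTNAME] to expose service hello-openshift over https with cert-manager certificate #################"

# Passthrough termination: the router forwards TLS untouched, selecting by SNI, so the
# Route host must be the hostname clients present (the original hard-coded hello-ocp.com).
oc apply -n "$ISTIO_NAMESPACE" -f - <<EOF
kind: Route
apiVersion: route.openshift.io/v1
metadata:
  name: hello-ocp
spec:
  host: $HOSTNAME
  to:
    kind: Service
    name: istio-ingressgateway
    weight: 100
  port:
    targetPort: https
  tls:
    termination: passthrough
  wildcardPolicy: None
EOF


--------------------------------------------------------------------------------
/Scenario-MTLS-1-External-Request-Per-Service-Cert/create-sm-for-cert-manager-use-case.sh:
--------------------------------------------------------------------------------
#!/bin/bash

NAMESPACE=$1
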
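ISTIO_NAMESPACE=$2

# Both arguments are used as -n targets and as object names; an empty one
# would leave `-n` without its value, so refuse to run without them.
if [ -z "$NAMESPACE" ] || [ -z "$ISTIO_NAMESPACE" ]; then
  echo "usage: $0 <application-namespace> <istio-namespace>"
  exit 1
fi

echo '-------------------------------------------------------------------------'
echo 'application namespace : '$NAMESPACE
echo 'istio namespace : '$ISTIO_NAMESPACE
echo '-------------------------------------------------------------------------'

echo "################# Create - namespace for Istio SMCP [$ISTIO_NAMESPACE] #################"

oc new-project $ISTIO_NAMESPACE

sleep 5

echo "################# Create - ServiceMeshControlPlane in [$ISTIO_NAMESPACE] #################"

# No `security` section: the mesh-wide PeerAuthentication stays PERMISSIVE,
# i.e. workloads still accept plaintext next to mTLS. Outbound REGISTRY_ONLY
# makes sidecars refuse hosts that are not in the mesh registry.
echo "apiVersion: maistra.io/v2
kind: ServiceMeshControlPlane
metadata:
  name: tenant-certs
spec:
  policy:
    type: Istiod
  addons:
    grafana:
      enabled: true
    jaeger:
      install:
        storage:
          type: Memory
    kiali:
      enabled: true
    prometheus:
      enabled: true
  general:
    logging:
      logAsJSON: true
  profiles:
  - default
  proxy:
    accessLogging:
      file:
        name: /dev/stdout
    networking:
      trafficControl:
        inbound: {}
        outbound:
          policy: REGISTRY_ONLY
  telemetry:
    type: Istiod
  tracing:
    sampling: 10000
    type: Jaeger
  version: v2.1" | oc apply -n $ISTIO_NAMESPACE -f -

sleep 5

echo "################# Create - namespace for Application [$NAMESPACE] #################"

oc new-project $NAMESPACE

echo "################# Create - ServiceMeshMemberRoll with [$NAMESPACE] #################"

sleep 5

# Fix: metadata.namespace was hard-coded to istio-system-certs, so for any
# other ISTIO_NAMESPACE `oc apply -n` rejected the object (namespace mismatch)
# and the application namespace never joined the mesh.
echo "apiVersion: maistra.io/v1
kind: ServiceMeshMemberRoll
metadata:
  namespace: $ISTIO_NAMESPACE
  name: default
spec:
  members:
  - $NAMESPACE" | oc apply -n $ISTIO_NAMESPACE -f -

sleep 5

--------------------------------------------------------------------------------
/Scenario-MTLS-2-Internal-SM-MTLS/README.adoc: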
-------------------------------------------------------------------------------- 1 | = Securing traffic between Service Mesh Deployments with mTLS 2 | :toc: 3 | 4 | == Different SMCP Setups for `STRICT` vs `PERMISSIVE` mTLS 5 | 6 | 1. SMCP without `security` section results in `PERMISSIVE` mTLS policy 7 | 8 | oc get PeerAuthentication -n istio-system 9 | NAME MODE AGE 10 | default PERMISSIVE 2d 11 | disable-mtls-jaeger-collector DISABLE 2d 12 | grafana-ports-mtls-disabled PERMISSIVE 2d 13 | 14 | 2. SMCP with `security` section and `dataplane` mTLS enabled 15 | ** config 16 | 17 | spec: 18 | security: 19 | dataPlane: 20 | mtls: true 21 | 22 | ** policies changed to `STRICT` 23 | 24 | NAME MODE AGE 25 | default STRICT 2d 26 | disable-mtls-jaeger-collector DISABLE 2d 27 | grafana-ports-mtls-disabled PERMISSIVE 2d 28 | 29 | 3. Verifying mTLS is used 30 | 31 | * Check link:https://kiali.io/docs/features/security/#masthead-indicator[KIALI for Mesh-wide mTLS enabled indicator] 32 | 33 | * Deploy bookinfo 34 | 35 | oc new-project bookinfo 36 | oc patch smmr default --type='json' -p='[{"op": "add", "path": "/spec/members/-", "value":"bookinfo"}]' -n istio-system-certs 37 | oc apply -f https://raw.githubusercontent.com/maistra/istio/maistra-2.1/samples/bookinfo/platform/kube/bookinfo.yaml 38 | oc apply -f https://raw.githubusercontent.com/maistra/istio/maistra-2.1/samples/bookinfo/networking/bookinfo-gateway.yaml 39 | curl -s "http://$(oc get route istio-ingressgateway -o jsonpath='{.spec.host}' -n istio-system-certs)/productpage" | grep -o ".*" 40 | 41 | 4. 
Set a different `DestinationRule` `trafficPolicy.tls.mode` to specify the mTLS connection behavior towards the upstream cluster (see link:https://istio.io/latest/docs/reference/config/networking/destination-rule/#ClientTLSSettings-TLSmode[DestinationRule reference])
63 | 64 | |=== 65 | ==== 66 | 67 | * Use different rules 68 | 69 | oc apply -f https://raw.githubusercontent.com/maistra/istio/maistra-2.1/samples/bookinfo/networking/destination-rule-all.yaml 70 | oc apply -f https://github.com/maistra/istio/blob/maistra-2.1/samples/bookinfo/networking/destination-rule-all-mtls.yaml 71 | 72 | == 1 - Service Mesh generated self-signed certificates for workload to workload communication 73 | 74 | * As previously shown this Out-of-the-box functionality and use of it is dependent on configuration 75 | 76 | == 2 - Adding an external certificate authority key and certificate 77 | 78 | * link:https://docs.openshift.com/container-platform/4.9/service_mesh/v2x/ossm-security.html#ossm-cert-manage_ossm-security[Adding an external certificate authority key and certificate] 79 | 80 | == 3 - Use an external issuer for internal SM certs usage not supported 81 | 82 | * NOT SUPPORTED https://issues.redhat.com/browse/OSSM-568 83 | 84 | 85 | -------------------------------------------------------------------------------- /Scenario-MTLS-3-SM-Service-To-External-MTLS-Handling/README-OSSM-AT-THE-EDGE-CONFIGS.adoc: -------------------------------------------------------------------------------- 1 | = Testing OSSM Edge Configurations 2 | :toc: 3 | 4 | The following showcase how behavior is affected by Mesh `spec.proxy.networking.trafficControl.policy` settings of `ALLOW_ANY` and `REGISTRY_ONLY` and also how you can enable incoming requests to the mesh from a non-mesh but same OCP cluster namespace 5 | 6 | == Demo `Outgoing` Mesh Access with REGISTRY_ONLY & mTLS 7 | 8 | * Follow instructions in link:https://github.com/skoussou/servicemesh-playground/tree/main/Scenario-MTLS-3-SM-Service-To-External-MTLS-Handling#option-1a-directly-via-sidecar[Option 1a: directly (via Sidecar)] 9 | * After the above works successfully. 
`oc delete ServiceEntry rest-greeting-remote-mesh-ext -n greetings-client` will result in a failure as without `ServiceEntry` the mesh will not allow external traffic when policy: REGISTRY_ONLY 10 | 11 | == Demo `Outgoing` Mesh Access with ALLOW_ANY (non-mTLS) 12 | 13 | [NOTE] 14 | ==== 15 | First execute the above as it is required also for this demo) 16 | ==== 17 | 18 | * With the above demo working as expected execute link:https://github.com/skoussou/servicemesh-playground/blob/main/Scenario-MTLS-3-SM-Service-To-External-MTLS-Handling/test-greeting-client-allow-any.sh[`test-greeting-client-allow-any.sh`] to setup access to external service without `ServiceEntry` due to `ALLOW_ANY` mesh setting of `spec.proxy.networking.trafficControl.policy` 19 | 20 | ---- 21 | Istio setting to configure the sidecar handling of external services, that is, those services that are not defined in Istio’s internal service registry. (see: https://istio.io/latest/docs/tasks/traffic-management/egress/egress-control/#envoy-passthrough-to-external-services- 22 | 23 | ALLOW_ANY, the Istio proxy lets calls to unknown services pass through 24 | 25 | echo "apiVersion: maistra.io/v2 26 | kind: ServiceMeshControlPlane 27 | metadata: 28 | name: tenant-allow-any 29 | spec: 30 | ... 31 | proxy: 32 | .. 
33 | networking: 34 | trafficControl: 35 | inbound: {} 36 | outbound: 37 | policy: ALLOW_ANY 38 | ---- 39 | 40 | image::./images/spec.proxy.networking.trafficControl.policy.allow_any.png[400,1000] 41 | 42 | * Change to `REGISTRY_ONLY` (failures will start to occur on the client side) 43 | 44 | watch curl -i http://$(oc get route istio-ingressgateway -o jsonpath='{.spec.host}' -n istio-system-client-allow-any)/say/goodday-to/Stelios 45 | 46 | image::./images/spec.proxy.networking.trafficControl.policy.registry_only.png[400,1000] 47 | 48 | * Apply the `ServiceEntry` (failures will start to occur on the client side) 49 | 50 | ---- 51 | echo "apiVersion: networking.istio.io/v1beta1 52 | kind: ServiceEntry 53 | metadata: 54 | name: rest-greeting-remote-mesh-ext 55 | namespace: greetings-client-allow-any 56 | spec: 57 | hosts: 58 | - istio-ingressgateway.istio-system-service.svc.cluster.local 59 | location: MESH_EXTERNAL 60 | ports: 61 | - name: http 62 | number: 80 63 | protocol: HTTP2 64 | resolution: DNS" |oc apply -f - 65 | ---- 66 | 67 | image::./images/spec.proxy.networking.trafficControl.policy.registry_only.with_serviceentry.png[400,1000] 68 | 69 | == Demo `Incoming` Mesh Access (non-mTLS) 70 | 71 | [NOTE] 72 | ==== 73 | First execute the above as it is required also for this demo) 74 | ==== 75 | 76 | * With the above demo working as expected execute link:https://github.com/skoussou/servicemesh-playground/blob/main/Scenario-MTLS-3-SM-Service-To-External-MTLS-Handling/test-greeting-client-non-mesh.sh[`test-greeting-client-non-mesh.sh`] to setup access from an external (to the mesh) service but in the same cluster 77 | 78 | image::./images/incoming-non-mesh-non-mtls.png[400,1000]] 79 | 80 | 81 | 82 | 83 | -------------------------------------------------------------------------------- /Scenario-MTLS-3-SM-Service-To-External-MTLS-Handling/create-greeting-service-1a-with-build.sh: -------------------------------------------------------------------------------- 1 | 
#!/bin/bash 2 | 3 | SM_CP_NS=$1 4 | SM_TENANT_NAME=$2 5 | SM_MR_NS=$3 6 | REMOTE_SERVICE_ROUTE=$4 #eg. hello.remote.com 7 | CERTIFICATE_SECRET_NAME=$5 8 | CLUSTER_NAME=$6 9 | 10 | echo '---------------------------------------------------------------------------' 11 | echo 'ServiceMesh Namespace : '$SM_CP_NS 12 | echo 'ServiceMesh Control Plane Tenant Name : '$SM_TENANT_NAME 13 | echo 'ServiceMesh Member Namespace : '$SM_MR_NS 14 | echo 'Remote Cluster Name : '$CLUSTER_NAME 15 | echo 'Remote Service Route : '$REMOTE_SERVICE_ROUTE 16 | echo 'Greting Service Route Cert Secret Name : '$CERTIFICATE_SECRET_NAME 17 | echo '---------------------------------------------------------------------------' 18 | 19 | cd ../coded-services/quarkus-rest-greeting-remote 20 | oc new-project $SM_MR_NS 21 | oc project $SM_MR_NS 22 | 23 | mvn clean package -Dquarkus.kubernetes.deploy=true -DskipTests 24 | 25 | #echo 'sleeping 15s' 26 | sleep 15 27 | oc patch dc/rest-greeting-remote -p '{"spec":{"template":{"metadata":{"annotations":{"sidecar.istio.io/inject": "true"}}}}}' -n $SM_MR_NS 28 | oc set env dc/rest-greeting-remote GREETINGS_SVC_LOCATION=$REMOTE_SERVICE_ROUTE -n $SM_MR_NS 29 | oc set env dc/rest-greeting-remote GREETING_LOCATION=$CLUSTER_NAME -n $SM_MR_NS 30 | 31 | cd ../../Scenario-MTLS-3-SM-Service-To-External-MTLS-Handling 32 | echo 33 | echo "################# SMR [$SM_MR_NS] added in SMCP [ns:$SM_CP_NS name: $SM_TENANT_NAME] #################" 34 | echo "sh ../scripts/create-membership.sh $SM_CP_NS $SM_TENANT_NAME $SM_MR_NS" 35 | sh ../scripts/create-membership.sh $SM_CP_NS $SM_TENANT_NAME $SM_MR_NS 36 | 37 | echo 38 | echo "oc rollout latest dc/rest-greeting-remote -n $SM_MR_NS" 39 | oc rollout latest dc/rest-greeting-remote -n $SM_MR_NS 40 | 41 | 42 | echo "################# Route - hello-remote [$SM_CP_NS] #################" 43 | echo "kind: Route 44 | apiVersion: route.openshift.io/v1 45 | metadata: 46 | name: hello-remote 47 | spec: 48 | host: ${REMOTE_SERVICE_ROUTE} 49 
| to: 50 | kind: Service 51 | name: istio-ingressgateway 52 | weight: 100 53 | port: 54 | targetPort: https 55 | tls: 56 | termination: passthrough 57 | wildcardPolicy: None" | oc apply -n $SM_CP_NS -f - 58 | 59 | echo "################# Gateway - rest-greeting-remote-gateway [$SM_MR_NS] #################" 60 | 61 | echo "apiVersion: networking.istio.io/v1alpha3 62 | kind: Gateway 63 | metadata: 64 | name: rest-greeting-remote-gateway 65 | spec: 66 | selector: 67 | istio: ingressgateway # use istio default gateway service 68 | servers: 69 | - port: 70 | number: 8443 71 | name: https-web 72 | protocol: HTTPS 73 | tls: 74 | credentialName: $CERTIFICATE_SECRET_NAME #eg. greeting-remote-secret 75 | mode: MUTUAL 76 | hosts: 77 | - $REMOTE_SERVICE_ROUTE" | oc apply -n $SM_MR_NS -f - 78 | 79 | echo "################# VirtualService - rest-greeting-remote [$SM_MR_NS] #################" 80 | 81 | 82 | echo "apiVersion: networking.istio.io/v1alpha3 83 | kind: VirtualService 84 | metadata: 85 | name: rest-greeting-remote 86 | spec: 87 | hosts: 88 | - ${REMOTE_SERVICE_ROUTE} 89 | gateways: 90 | - rest-greeting-remote-gateway 91 | - mesh 92 | http: 93 | - match: 94 | - uri: 95 | exact: /hello 96 | - uri: 97 | prefix: /hello 98 | route: 99 | - destination: 100 | host: rest-greeting-remote 101 | port: 102 | number: 8080 " | oc apply -n $SM_MR_NS -f - 103 | -------------------------------------------------------------------------------- /Scenario-MTLS-3-SM-Service-To-External-MTLS-Handling/create-smcp-2.1.1-registry_only-strict-mtls.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | 3 | SM_CP_NS=$1 4 | SM_TENANT_NAME=$2 5 | 6 | echo '---------------------------------------------------------------------------' 7 | echo 'ServiceMesh Namespace : '$SM_CP_NS 8 | echo 'ServiceMesh Control Plane Tenant Name : '$SM_TENANT_NAME 9 | echo '---------------------------------------------------------------------------' 10 | 11 | echo 
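"############# Creating SM Tenant [$SM_TENANT_NAME] in Namespace [$SM_CP_NS ] #############"

# One copy of the manifest so what is printed is exactly what gets applied
# (the original kept two hand-maintained copies that could drift apart).
# security.dataPlane.mtls: true -> mesh-wide PeerAuthentication becomes STRICT;
# automtls: false -> no automatic per-destination mTLS detection (confirm
# against the SMCP reference); outbound REGISTRY_ONLY -> sidecars only reach
# hosts in the registry, external hosts need a ServiceEntry.
SMCP_MANIFEST="apiVersion: maistra.io/v2
kind: ServiceMeshControlPlane
metadata:
  name: $SM_TENANT_NAME
spec:
  security:
    dataPlane:
      automtls: false
      mtls: true
  tracing:
    sampling: 10000
    type: Jaeger
  general:
    logging:
      logAsJSON: true
  profiles:
  - default
  proxy:
    accessLogging:
      file:
        name: /dev/stdout
    networking:
      trafficControl:
        inbound: {}
        outbound:
          policy: REGISTRY_ONLY
  policy:
    type: Istiod
  addons:
    grafana:
      enabled: true
    jaeger:
      install:
        storage:
          type: Memory
    kiali:
      enabled: true
    prometheus:
      enabled: true
  version: v2.1
  telemetry:
    type: Istiod"

# Show the operator what is about to be applied, then apply it.
echo "$SMCP_MANIFEST"

echo "$SMCP_MANIFEST" | oc apply -n $SM_CP_NS -f -

# Fix: the wait command referenced FED_1_SMCP_NAMESPACE / FED_1_SMCP_NAME,
# which this script never sets; its arguments are SM_CP_NS and SM_TENANT_NAME.
# The wait itself stays opt-in (commented out) as in the original.
echo "oc wait --for condition=Ready -n $SM_CP_NS smcp/$SM_TENANT_NAME --timeout 300s"
#oc wait --for condition=Ready -n $SM_CP_NS smcp/$SM_TENANT_NAME --timeout 300s

--------------------------------------------------------------------------------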
/Scenario-MTLS-3-SM-Service-To-External-MTLS-Handling/images/1-allow-any-passthroughcluster.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/skoussou/servicemesh-playground/f55dd15cdeb8b770e53e44d3982a9caf934cfd6e/Scenario-MTLS-3-SM-Service-To-External-MTLS-Handling/images/1-allow-any-passthroughcluster.png -------------------------------------------------------------------------------- /Scenario-MTLS-3-SM-Service-To-External-MTLS-Handling/images/2-prometheus-passthroughcluster-greeting-remote-service-metrics.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/skoussou/servicemesh-playground/f55dd15cdeb8b770e53e44d3982a9caf934cfd6e/Scenario-MTLS-3-SM-Service-To-External-MTLS-Handling/images/2-prometheus-passthroughcluster-greeting-remote-service-metrics.png -------------------------------------------------------------------------------- /Scenario-MTLS-3-SM-Service-To-External-MTLS-Handling/images/3-REGISTRY_ONLY_Blackhole_Blocking.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/skoussou/servicemesh-playground/f55dd15cdeb8b770e53e44d3982a9caf934cfd6e/Scenario-MTLS-3-SM-Service-To-External-MTLS-Handling/images/3-REGISTRY_ONLY_Blackhole_Blocking.png -------------------------------------------------------------------------------- /Scenario-MTLS-3-SM-Service-To-External-MTLS-Handling/images/4-apply-SE-REGISTRY_ONLY.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/skoussou/servicemesh-playground/f55dd15cdeb8b770e53e44d3982a9caf934cfd6e/Scenario-MTLS-3-SM-Service-To-External-MTLS-Handling/images/4-apply-SE-REGISTRY_ONLY.png -------------------------------------------------------------------------------- 
/Scenario-MTLS-3-SM-Service-To-External-MTLS-Handling/images/5-STRICT-mTLS-Fails-External.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/skoussou/servicemesh-playground/f55dd15cdeb8b770e53e44d3982a9caf934cfd6e/Scenario-MTLS-3-SM-Service-To-External-MTLS-Handling/images/5-STRICT-mTLS-Fails-External.png -------------------------------------------------------------------------------- /Scenario-MTLS-3-SM-Service-To-External-MTLS-Handling/images/6-STRICT-mTLS-DISABLE-FOR-External.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/skoussou/servicemesh-playground/f55dd15cdeb8b770e53e44d3982a9caf934cfd6e/Scenario-MTLS-3-SM-Service-To-External-MTLS-Handling/images/6-STRICT-mTLS-DISABLE-FOR-External.png -------------------------------------------------------------------------------- /Scenario-MTLS-3-SM-Service-To-External-MTLS-Handling/images/7-A-GW-IN.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/skoussou/servicemesh-playground/f55dd15cdeb8b770e53e44d3982a9caf934cfd6e/Scenario-MTLS-3-SM-Service-To-External-MTLS-Handling/images/7-A-GW-IN.png -------------------------------------------------------------------------------- /Scenario-MTLS-3-SM-Service-To-External-MTLS-Handling/images/7-ISTIO-CONFIG-MTLS-SIDECAR.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/skoussou/servicemesh-playground/f55dd15cdeb8b770e53e44d3982a9caf934cfd6e/Scenario-MTLS-3-SM-Service-To-External-MTLS-Handling/images/7-ISTIO-CONFIG-MTLS-SIDECAR.png -------------------------------------------------------------------------------- /Scenario-MTLS-3-SM-Service-To-External-MTLS-Handling/images/7-client-side.png: -------------------------------------------------------------------------------- 
https://raw.githubusercontent.com/skoussou/servicemesh-playground/f55dd15cdeb8b770e53e44d3982a9caf934cfd6e/Scenario-MTLS-3-SM-Service-To-External-MTLS-Handling/images/7-client-side.png -------------------------------------------------------------------------------- /Scenario-MTLS-3-SM-Service-To-External-MTLS-Handling/images/7-service-side.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/skoussou/servicemesh-playground/f55dd15cdeb8b770e53e44d3982a9caf934cfd6e/Scenario-MTLS-3-SM-Service-To-External-MTLS-Handling/images/7-service-side.png -------------------------------------------------------------------------------- /Scenario-MTLS-3-SM-Service-To-External-MTLS-Handling/images/7B-IN-VS.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/skoussou/servicemesh-playground/f55dd15cdeb8b770e53e44d3982a9caf934cfd6e/Scenario-MTLS-3-SM-Service-To-External-MTLS-Handling/images/7B-IN-VS.png -------------------------------------------------------------------------------- /Scenario-MTLS-3-SM-Service-To-External-MTLS-Handling/images/7C-OUT-SE.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/skoussou/servicemesh-playground/f55dd15cdeb8b770e53e44d3982a9caf934cfd6e/Scenario-MTLS-3-SM-Service-To-External-MTLS-Handling/images/7C-OUT-SE.png -------------------------------------------------------------------------------- /Scenario-MTLS-3-SM-Service-To-External-MTLS-Handling/images/7D-OUT-DR.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/skoussou/servicemesh-playground/f55dd15cdeb8b770e53e44d3982a9caf934cfd6e/Scenario-MTLS-3-SM-Service-To-External-MTLS-Handling/images/7D-OUT-DR.png -------------------------------------------------------------------------------- 
/Scenario-MTLS-3-SM-Service-To-External-MTLS-Handling/images/7E-OUT-VS.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/skoussou/servicemesh-playground/f55dd15cdeb8b770e53e44d3982a9caf934cfd6e/Scenario-MTLS-3-SM-Service-To-External-MTLS-Handling/images/7E-OUT-VS.png -------------------------------------------------------------------------------- /Scenario-MTLS-3-SM-Service-To-External-MTLS-Handling/images/incoming-non-mesh-non-mtls.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/skoussou/servicemesh-playground/f55dd15cdeb8b770e53e44d3982a9caf934cfd6e/Scenario-MTLS-3-SM-Service-To-External-MTLS-Handling/images/incoming-non-mesh-non-mtls.png -------------------------------------------------------------------------------- /Scenario-MTLS-3-SM-Service-To-External-MTLS-Handling/images/option-1a-mtls-3-in-mesh-svc-to-external-via-sidecar-with-mtls.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/skoussou/servicemesh-playground/f55dd15cdeb8b770e53e44d3982a9caf934cfd6e/Scenario-MTLS-3-SM-Service-To-External-MTLS-Handling/images/option-1a-mtls-3-in-mesh-svc-to-external-via-sidecar-with-mtls.png -------------------------------------------------------------------------------- /Scenario-MTLS-3-SM-Service-To-External-MTLS-Handling/images/option-1b-mtls-3-in-mesh-svc-to-external-via-egress-gateway-NO-mtls.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/skoussou/servicemesh-playground/f55dd15cdeb8b770e53e44d3982a9caf934cfd6e/Scenario-MTLS-3-SM-Service-To-External-MTLS-Handling/images/option-1b-mtls-3-in-mesh-svc-to-external-via-egress-gateway-NO-mtls.png -------------------------------------------------------------------------------- 
/Scenario-MTLS-3-SM-Service-To-External-MTLS-Handling/images/option-1b-mtls-3-in-mesh-svc-to-external-via-egress-gateway-with-mtls.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/skoussou/servicemesh-playground/f55dd15cdeb8b770e53e44d3982a9caf934cfd6e/Scenario-MTLS-3-SM-Service-To-External-MTLS-Handling/images/option-1b-mtls-3-in-mesh-svc-to-external-via-egress-gateway-with-mtls.png -------------------------------------------------------------------------------- /Scenario-MTLS-3-SM-Service-To-External-MTLS-Handling/images/spec.proxy.networking.trafficControl.policy.allow_any.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/skoussou/servicemesh-playground/f55dd15cdeb8b770e53e44d3982a9caf934cfd6e/Scenario-MTLS-3-SM-Service-To-External-MTLS-Handling/images/spec.proxy.networking.trafficControl.policy.allow_any.png -------------------------------------------------------------------------------- /Scenario-MTLS-3-SM-Service-To-External-MTLS-Handling/images/spec.proxy.networking.trafficControl.policy.registry_only.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/skoussou/servicemesh-playground/f55dd15cdeb8b770e53e44d3982a9caf934cfd6e/Scenario-MTLS-3-SM-Service-To-External-MTLS-Handling/images/spec.proxy.networking.trafficControl.policy.registry_only.png -------------------------------------------------------------------------------- /Scenario-MTLS-3-SM-Service-To-External-MTLS-Handling/images/spec.proxy.networking.trafficControl.policy.registry_only.with_serviceentry.png: -------------------------------------------------------------------------------- 
https://raw.githubusercontent.com/skoussou/servicemesh-playground/f55dd15cdeb8b770e53e44d3982a9caf934cfd6e/Scenario-MTLS-3-SM-Service-To-External-MTLS-Handling/images/spec.proxy.networking.trafficControl.policy.registry_only.with_serviceentry.png -------------------------------------------------------------------------------- /Scenario-MTLS-3-SM-Service-To-External-MTLS-Handling/smcp-2.1.1-allow_any-auto-mtls.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: maistra.io/v2 2 | kind: ServiceMeshControlPlane 3 | metadata: 4 | name: tenant-1 5 | spec: 6 | security: 7 | dataPlane: 8 | automtls: true 9 | mtls: false 10 | tracing: 11 | sampling: 10000 12 | type: Jaeger 13 | general: 14 | logging: 15 | logAsJSON: true 16 | profiles: 17 | - default 18 | proxy: 19 | accessLogging: 20 | file: 21 | name: /dev/stdout 22 | networking: 23 | trafficControl: 24 | inbound: {} 25 | outbound: 26 | policy: ALLOW_ANY 27 | policy: 28 | type: Istiod 29 | addons: 30 | grafana: 31 | enabled: true 32 | jaeger: 33 | install: 34 | storage: 35 | type: Memory 36 | kiali: 37 | enabled: true 38 | prometheus: 39 | enabled: true 40 | version: v2.1 41 | telemetry: 42 | type: Istiod 43 | -------------------------------------------------------------------------------- /Scenario-MTLS-3-SM-Service-To-External-MTLS-Handling/smcp-2.1.1-registry_only-auto-mtls.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: maistra.io/v2 2 | kind: ServiceMeshControlPlane 3 | metadata: 4 | name: tenant-1 5 | spec: 6 | security: 7 | dataPlane: 8 | automtls: true 9 | mtls: false 10 | tracing: 11 | sampling: 10000 12 | type: Jaeger 13 | general: 14 | logging: 15 | logAsJSON: true 16 | profiles: 17 | - default 18 | proxy: 19 | accessLogging: 20 | file: 21 | name: /dev/stdout 22 | networking: 23 | trafficControl: 24 | inbound: {} 25 | outbound: 26 | policy: REGISTRY_ONLY 27 | policy: 28 | type: Istiod 29 | addons: 30 | 
grafana: 31 | enabled: true 32 | jaeger: 33 | install: 34 | storage: 35 | type: Memory 36 | kiali: 37 | enabled: true 38 | prometheus: 39 | enabled: true 40 | version: v2.1 41 | telemetry: 42 | type: Istiod 43 | -------------------------------------------------------------------------------- /Scenario-MTLS-3-SM-Service-To-External-MTLS-Handling/smcp-2.1.1-registry_only-strict-mtls.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: maistra.io/v2 2 | kind: ServiceMeshControlPlane 3 | metadata: 4 | name: tenant-1 5 | spec: 6 | security: 7 | dataPlane: 8 | automtls: false 9 | mtls: true 10 | tracing: 11 | sampling: 10000 12 | type: Jaeger 13 | general: 14 | logging: 15 | logAsJSON: true 16 | profiles: 17 | - default 18 | proxy: 19 | accessLogging: 20 | file: 21 | name: /dev/stdout 22 | networking: 23 | trafficControl: 24 | inbound: {} 25 | outbound: 26 | policy: REGISTRY_ONLY 27 | policy: 28 | type: Istiod 29 | addons: 30 | grafana: 31 | enabled: true 32 | jaeger: 33 | install: 34 | storage: 35 | type: Memory 36 | kiali: 37 | enabled: true 38 | prometheus: 39 | enabled: true 40 | version: v2.1 41 | telemetry: 42 | type: Istiod 43 | -------------------------------------------------------------------------------- /Scenario-MTLS-3-SM-Service-To-External-MTLS-Handling/test-greeting-client-non-mesh.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | 3 | 4 | echo 'PREREQUISITE -----------------------------------------------------------------------------------' 5 | echo 'PREREQUISITE ' 6 | echo 'PREREQUISITE The scenario MTLS-3 (Option 1a: directly (via Sidecar)) must have been run first ' 7 | echo 'PREREQUISITE ' 8 | echo 'PREREQUISITE -----------------------------------------------------------------------------------' 9 | echo 10 | echo 11 | echo '------------------------------------------------------------------------------------------------' 12 | echo ' SETUP IN 
CLUSTER NON-TLS ACCESS towards rest-greeting-remote (greetings-service)' 13 | echo '------------------------------------------------------------------------------------------------' 14 | 15 | echo "kind: Gateway 16 | apiVersion: networking.istio.io/v1alpha3 17 | metadata: 18 | name: in-cluster-rest-greeting-remote-gateway 19 | namespace: greetings-service 20 | spec: 21 | servers: 22 | - hosts: 23 | - 'istio-ingressgateway.istio-system-service.svc.cluster.local' 24 | port: 25 | name: http-web 26 | number: 80 27 | protocol: HTTP 28 | selector: 29 | istio: ingressgateway" |oc apply -f - 30 | 31 | echo "kind: VirtualService 32 | apiVersion: networking.istio.io/v1alpha3 33 | metadata: 34 | name: in-cluster-rest-greeting-remote 35 | namespace: greetings-service 36 | spec: 37 | hosts: 38 | - 'istio-ingressgateway.istio-system-service.svc.cluster.local' 39 | gateways: 40 | - in-cluster-rest-greeting-remote-gateway 41 | http: 42 | - match: 43 | - uri: 44 | exact: /hello 45 | - uri: 46 | prefix: /hello 47 | route: 48 | - destination: 49 | host: rest-greeting-remote 50 | port: 51 | number: 8080" |oc apply -f - 52 | 53 | 54 | 55 | echo 56 | echo ' Create NON-Istio Based Client' 57 | echo '------------------------------------------------------------------------------------------------' 58 | echo 59 | echo ' Step 1 - ServiceMeshControlPlane: rest-client-greeting (greetings-client-nonmesh)' 60 | echo 61 | 62 | oc new-project greetings-client-nonmesh 63 | sleep 2 64 | cd ../coded-services/quarkus-rest-client-greeting 65 | oc project greetings-client-nonmesh 66 | mvn clean package -Dquarkus.kubernetes.deploy=true -DskipTests 67 | # Cannot use this unless I either validate ISTIO's certs or ignore oc set env dc/rest-client-greeting GREETINGS_SVC_LOCATION="https://istio-ingressgateway.istio-system-service.svc.cluster.local:443" -n greetings-client-nonmesh 68 | # https://istio-ingressgateway.istio-system-service.svc.cluster.local:443/hello 69 | sleep 7 70 | oc set env 
dc/rest-client-greeting GREETINGS_SVC_LOCATION="http://istio-ingressgateway.istio-system-service.svc.cluster.local:80" -n greetings-client-nonmesh 71 | sleep 7 72 | oc rollout latest dc/rest-client-greeting -n greetings-client-nonmesh 73 | 74 | sleep 2 75 | oc expose svc rest-client-greeting 76 | 77 | sleep 2 78 | 79 | echo 80 | echo ' Step 2 - Test non-mesh rest-client-greeting' 81 | echo 82 | 83 | watch curl -i http://$(oc get route rest-client-greeting -o jsonpath='{.spec.host}' -n greetings-client-nonmesh)/say/goodday-to/Stelios 84 | -------------------------------------------------------------------------------- /Scenario-MTLS-4-Turn-Off-MTLS/images/all-but-details-with-mtls.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/skoussou/servicemesh-playground/f55dd15cdeb8b770e53e44d3982a9caf934cfd6e/Scenario-MTLS-4-Turn-Off-MTLS/images/all-but-details-with-mtls.png -------------------------------------------------------------------------------- /Scenario-MTLS-4-Turn-Off-MTLS/images/error-without-peerauthentication-disable.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/skoussou/servicemesh-playground/f55dd15cdeb8b770e53e44d3982a9caf934cfd6e/Scenario-MTLS-4-Turn-Off-MTLS/images/error-without-peerauthentication-disable.png -------------------------------------------------------------------------------- /Scenario-MTLS-4-Turn-Off-MTLS/images/no-security-applied.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/skoussou/servicemesh-playground/f55dd15cdeb8b770e53e44d3982a9caf934cfd6e/Scenario-MTLS-4-Turn-Off-MTLS/images/no-security-applied.png -------------------------------------------------------------------------------- /Scenario-MTLS-4-Turn-Off-MTLS/test-ssl-handshakes.sh: -------------------------------------------------------------------------------- 1 | 
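#!/bin/bash 2 | # Dumps the Envoy TLS handshake counters of one sidecar, to show whether mTLS is actually negotiated. 3 | POD_NAME="${1:?usage: $0 <pod-name>}" # fail fast on a missing argument instead of running 'oc rsh pod/' 4 | 5 | echo "oc rsh -c istio-proxy pod/$POD_NAME curl localhost:15000/stats |grep handshake" 6 | echo 7 | echo '--------------------------------------------------------------------------------------' 8 | oc rsh -c istio-proxy "pod/$POD_NAME" curl -s localhost:15000/stats |grep handshake # Envoy admin API, reached via localhost from inside the istio-proxy container 9 | echo '--------------------------------------------------------------------------------------' 10 | -------------------------------------------------------------------------------- /Scenario-Observability-Scenarios/images/SM-TRACE-Arch-Options.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/skoussou/servicemesh-playground/f55dd15cdeb8b770e53e44d3982a9caf934cfd6e/Scenario-Observability-Scenarios/images/SM-TRACE-Arch-Options.png -------------------------------------------------------------------------------- /Scenario-Observability-Scenarios/images/istio-jaeger-production.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/skoussou/servicemesh-playground/f55dd15cdeb8b770e53e44d3982a9caf934cfd6e/Scenario-Observability-Scenarios/images/istio-jaeger-production.png -------------------------------------------------------------------------------- /Scenario-Observability-Scenarios/jaeger-daemonset.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: jaegertracing.io/v1 2 | kind: Jaeger 3 | metadata: 4 | name: custom-prod-jaeger 5 | spec: 6 | agent: 7 | strategy: DaemonSet # one agent per node; workloads reach it via the node IP (JAEGER_AGENT_HOST=status.hostIP in the deploy scripts) 8 | serviceAccount: jaeger-agent-daemonset 9 | options: 10 | log-level: debug # lab setting: lower to info for anything beyond a demo 11 | strategy: production 12 | collector: 13 | autoscale: true 14 | minReplicas: 2 15 | maxReplicas: 3 16 | resources: 17 | limits: 18 | cpu: 100m 19 | memory: 128Mi 20 | storage: 21 | type: elasticsearch 22 | elasticsearch: 23 | nodeCount: 1 24 | resources: 25 | requests: 26 | cpu: 200m 27 | memory: 2Gi 28 | limits: 29 | memory: 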
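2Gi 30 | redundancyPolicy: ZeroRedundancy # single ES node, no replica shards: lab sizing, trace data is lost if that node fails 31 | -------------------------------------------------------------------------------- /Scenario-Observability-Scenarios/jaeger-production-elastic.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: jaegertracing.io/v1 2 | kind: Jaeger 3 | metadata: 4 | name: jaeger-production 5 | namespace: istio-system-tracing 6 | spec: 7 | strategy: production 8 | sampling: 9 | options: 10 | default_strategy: 11 | type: probabilistic 12 | param: 0.5 13 | storage: 14 | type: elasticsearch 15 | esIndexCleaner: 16 | enabled: true # turn the cron job deployment on and off ('//' is not a YAML comment; it turned this value into a string and broke the manifest) 17 | numberOfDays: 7 # number of days to wait before deleting a record 18 | schedule: "55 23 * * *" # cron expression for it to run 19 | elasticsearch: 20 | nodeCount: 3 21 | storage: 22 | size: 5Gi 23 | resources: 24 | requests: 25 | cpu: 200m 26 | memory: 1Gi 27 | limits: 28 | memory: 1Gi 29 | redundancyPolicy: SingleRedundancy 30 | -------------------------------------------------------------------------------- /Scenario-Observability-Scenarios/jaeger-small-production-elastic.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: jaegertracing.io/v1 2 | kind: Jaeger 3 | metadata: 4 | name: jaeger-small-production 5 | namespace: istio-system-tracing 6 | spec: 7 | strategy: production 8 | storage: 9 | type: elasticsearch 10 | esIndexCleaner: 11 | enabled: true # turn the cron job deployment on and off ('//' is not a YAML comment; it turned this value into a string and broke the manifest) 12 | numberOfDays: 7 # number of days to wait before deleting a record 13 | schedule: "55 23 * * *" # cron expression for it to run 14 | elasticsearch: 15 | nodeCount: 1 16 | storage: 17 | size: 1Gi 18 | resources: 19 | requests: 20 | cpu: 200m 21 | memory: 1Gi 22 | limits: 23 | memory: 1Gi 24 | redundancyPolicy: ZeroRedundancy # single ES node, no replica shards: lab sizing, trace data is lost if that node fails 25 | -------------------------------------------------------------------------------- 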
/Scenario-Observability-Scenarios/smcp-2.1.1-external-jaeger-daemonset-resource.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: maistra.io/v2 2 | kind: ServiceMeshControlPlane 3 | metadata: 4 | name: basic 5 | spec: 6 | addons: 7 | grafana: 8 | enabled: true 9 | jaeger: 10 | install: 11 | ingress: 12 | enabled: true 13 | storage: 14 | type: Elasticsearch 15 | name: custom-prod-jaeger 16 | kiali: 17 | enabled: true 18 | prometheus: 19 | enabled: true 20 | policy: 21 | type: Istiod 22 | profiles: 23 | - default 24 | telemetry: 25 | type: Istiod 26 | tracing: 27 | sampling: 10000 28 | type: Jaeger 29 | version: v2.1 30 | -------------------------------------------------------------------------------- /Scenario-Observability-Scenarios/smcp-2.1.1-external-jaeger-production-resource.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: maistra.io/v2 2 | kind: ServiceMeshControlPlane 3 | metadata: 4 | name: istio-production 5 | spec: 6 | addons: 7 | grafana: 8 | enabled: true 9 | jaeger: 10 | install: 11 | ingress: 12 | enabled: true 13 | storage: 14 | type: Elasticsearch 15 | name: jaeger-production 16 | kiali: 17 | enabled: true 18 | prometheus: 19 | enabled: true 20 | policy: 21 | type: Istiod 22 | profiles: 23 | - default 24 | proxy: 25 | accessLogging: 26 | file: 27 | name: /dev/stdout 28 | telemetry: 29 | type: Istiod 30 | tracing: 31 | sampling: 10000 32 | type: Jaeger 33 | version: v2.1 34 | -------------------------------------------------------------------------------- /Scenario-Platform-1-Federation/0-operator-subscription.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: operators.coreos.com/v1alpha1 3 | kind: Subscription 4 | metadata: 5 | name: kiali-ossm 6 | namespace: openshift-operators 7 | spec: 8 | channel: stable 9 | installPlanApproval: Automatic 10 | name: kiali-ossm 11 | source: 
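redhat-operators 12 | sourceNamespace: openshift-marketplace 13 | --- 14 | apiVersion: operators.coreos.com/v1alpha1 15 | kind: Subscription 16 | metadata: 17 | name: jaeger-product 18 | namespace: openshift-operators 19 | spec: 20 | channel: stable 21 | installPlanApproval: Automatic # operator upgrades are applied without review; use Manual where change control is required 22 | name: jaeger-product 23 | source: redhat-operators 24 | sourceNamespace: openshift-marketplace 25 | --- 26 | apiVersion: operators.coreos.com/v1alpha1 27 | kind: Subscription 28 | metadata: 29 | name: servicemeshoperator 30 | namespace: openshift-operators 31 | spec: 32 | channel: stable 33 | installPlanApproval: Automatic # operator upgrades are applied without review; use Manual where change control is required 34 | name: servicemeshoperator 35 | source: redhat-operators 36 | sourceNamespace: openshift-marketplace 37 | -------------------------------------------------------------------------------- /Scenario-Platform-1-Federation/0-setup-ocp-login-vars.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | # Source this file (. ./0-setup-ocp-login-vars.sh) if the exports are meant to reach your shell. The tokens are bearer credentials for the two clusters: fill them in locally, never commit the filled-in file, and revoke them after the demo. 3 | export OCP_1_LOGIN_TOKEN= 4 | export OCP_1_LOGIN_SERVER= 5 | 6 | export OCP_2_LOGIN_TOKEN= 7 | export OCP_2_LOGIN_SERVER= 8 | 9 | 10 | echo 11 | echo '---------------------------------------------------------------------------' 12 | echo 'OCP_1_LOGIN_TOKEN (EAST) : '"${OCP_1_LOGIN_TOKEN:+[set, not shown]}" # never print the token itself: it would land in terminal scrollback and CI logs 13 | echo 'OCP_1_LOGIN_SERVER (EAST) : '$OCP_1_LOGIN_SERVER 14 | echo '---------------------------------------------------------------------------' 15 | echo 'OCP_2_LOGIN_TOKEN (WEST) : '"${OCP_2_LOGIN_TOKEN:+[set, not shown]}" 16 | echo 'OCP_2_LOGIN_SERVER (WEST) : '$OCP_2_LOGIN_SERVER 17 | echo '---------------------------------------------------------------------------' 18 | echo 19 | -------------------------------------------------------------------------------- /Scenario-Platform-1-Federation/README.adoc: -------------------------------------------------------------------------------- 1 | = Federation Demo Automation 2 | :toc: 3 | 4 | Service Mesh federation functionality and configurations are described in detail in the 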
link:https://docs.openshift.com/container-platform/4.9/service_mesh/v2x/ossm-federation.html[documentation]. This is an automation for the demo link:https://github.com/kiali/demos/tree/master/federated-travels[Federated Travels with OpenShift Service Mesh] in order to quickly test and compare a setup. 5 | 6 | ifdef::env-github[] 7 | image:https://img.youtube.com/vi/USrTSixYd80/maxresdefault.jpg[link=https://youtu.be/USrTSixYd80] 8 | endif::[] 9 | 10 | .A walkthrough of the automation activities 11 | ifndef::env-github[] 12 | video::USrTSixYd80[youtube,list=PLZjCciga0z5w6PiJKl2P8UJKdG0cEXKcz] 13 | endif::[] 14 | 15 | == Pre-requisites 16 | 17 | 1. 2 instances of either 18 | ** local link:https://access.redhat.com/documentation/en-us/red_hat_codeready_containers/1.34/html/getting_started_guide[CodeReady Containers (CRC)] clusters or 19 | ** OpenShift Clusters (4.6+) 20 | 2. `oc` binary installed in the local path 21 | 3. `bash` capable command prompt 22 | 4. Prepare the Scripts and Operators 23 | 24 | * Edit link:./0-setup-ocp-login-vars.sh[0-setup-ocp-login-vars.sh] to add the API URL and login token for the 2 clusters. The tokens are bearer credentials carrying the full privileges of the user that obtained them: keep the edited file out of version control and revoke the tokens once the demo is finished. 25 | 26 | export OCP_1_LOGIN_TOKEN= 27 | export OCP_1_LOGIN_SERVER= 28 | export OCP_2_LOGIN_TOKEN= 29 | export OCP_2_LOGIN_SERVER= 30 | 31 | * Login to each cluster and apply the necessary operators subscriptions 32 | 33 | ./add-operators-subscriptions-sm.sh 34 | 35 | == Demo Example 36 | 37 | image::./images/east-west-sides.png[title="Travel Demo Federated Components across East and West Mesh",800,400] 38 | 39 | == AWS - AWS Federation Setup 40 | 41 | * Run the setup script which will 42 | ** Create the *control plane* namespaces in *West* and *East* cluster 43 | ** Create the `ServiceMeshControlPlane` resource in each cluster to create the OSSM Service Mesh instance 44 | ** Create the *data plane* namespaces and appropriate `ServiceMeshMemberRoll` to register them in the mesh 45 | ** Configure and set up peering between the *West* and *East* meshes 46 | *** sharing secrets to accept 
requests between meshes 47 | *** set up `ServiceMeshPeer` and export/import the appropriate service 48 | *** verify peering is set up 49 | ** Deploy the applications on both clusters 50 | ** Check federation is working 51 | 52 | 0-execute-federation-setup-AWS-LB.sh 53 | 54 | == AWS - GCP Federation Setup 55 | 56 | The script for this setup is performing exactly the same activities as for the _AWS - AWS Setup_ 57 | 58 | 0-execute-federation-setup-AWS-GCP-LB.sh 59 | -------------------------------------------------------------------------------- /Scenario-Platform-1-Federation/images/east-west-sides.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/skoussou/servicemesh-playground/f55dd15cdeb8b770e53e44d3982a9caf934cfd6e/Scenario-Platform-1-Federation/images/east-west-sides.png -------------------------------------------------------------------------------- /Scenario-Platform-Sizing/README.adoc: -------------------------------------------------------------------------------- 1 | = How to Approach Sizing of the `SMCP` 2 | :toc: 3 | 4 | This page collects open questions on Service Mesh Control Plane sizing. 5 | 6 | == Documentation on Starting with Control Plane Sizing 7 | 8 | . Any document / guide regarding the sizing of the service mesh control plane? 9 | . Is there a recommended sizing for the control plane components (grafana/ kiali /prometheus)? 10 | 11 | Reference 12 | 13 | * https://istio.io/latest/docs/ops/deployment/performance-and-scalability/ 14 | * https://docs.openshift.com/container-platform/4.9/service_mesh/v2x/ossm-performance-scalability.html#additional-latency 15 | 16 | == Perf Testing & Tuning 17 | 18 | . Is there a recommended CPU/RAM ratio to the number of microservices in service mesh? 19 | . Is there a recommended CPU/RAM ratio to the number of requests in service mesh? 
20 | 21 | === Control Plane 22 | *TODO* Explore the causes of CPU/RAM consumption in the control plane components 23 | 24 | - istiod 25 | 26 | [NOTE] 27 | ==== 28 | need to consider what happens to it when there are 1000s of 29 | 30 | * configs to apply 31 | * microservices to apply it to 32 | * topology of data plane 33 | 34 | ==== 35 | 36 | - ingressgateway 37 | 38 | - egressgateway 39 | 40 | - tracing stack 41 | 42 | - metric stack 43 | 44 | 45 | 46 | === Data Plane 47 | 48 | 49 | *TODO* Explore the causes of CPU/RAM consumption in the data plane components 50 | 51 | - istio-proxy 52 | 53 | [NOTE] 54 | ==== 55 | need to consider what happens to it when there are 1000s of 56 | 57 | * requests (what protocol type, tls/non-tls, size of request) 58 | * configs applied (MEM) 59 | 60 | ==== 61 | 62 | 63 | === Performance Testing Guide 64 | -------------------------------------------------------------------------------- /Scenario-RBAC-1-SA-On-Workloads-Resources-Restrictions/README.adoc: -------------------------------------------------------------------------------- 1 | = Applying RBAC cases on In Mesh Workloads 2 | :toc: 3 | 4 | * `ServiceMesh` Version: 2.1 (the `smcp-2.1.yaml` used below sets `version: v2.1`) 5 | * Purpose: apply Istio `AuthorizationPolicy` resources to in-mesh workloads (a namespace deny-all, then a DENY rule scoped to a caller service account and a request path) and observe their effect on the greeting client 6 | 7 | == Setup ServiceMesh installation 8 | 9 | * Pre-Requisites 10 | 11 | 1. Setup of 1 OCP Cluster 12 | 13 | 2. `ServiceMesh` Operators Installation in the cluster 14 | 15 | scripts/add-operators-subscriptions-sm-2.1.sh (*Elastic Search Works only from console due to openshift-operators-redhat namespace creation need*) 16 | 17 | * Setup 18 | 19 | 1. Control Plane Namespace Creation 20 | 21 | oc new-project 22 | 23 | 2. 
SMCP 24 | 25 | oc apply -f smcp-2.1.yaml 26 | 27 | ** or modify/apply the following 28 | 29 | apiVersion: maistra.io/v2 30 | kind: ServiceMeshControlPlane 31 | metadata: 32 | name: 33 | namespace: 34 | spec: 35 | tracing: 36 | sampling: 10000 37 | type: Jaeger 38 | general: 39 | logging: 40 | logAsJSON: true 41 | profiles: 42 | - default 43 | proxy: 44 | accessLogging: 45 | file: 46 | name: /dev/stdout 47 | policy: 48 | type: Istiod 49 | addons: 50 | grafana: 51 | enabled: true 52 | jaeger: 53 | install: 54 | storage: 55 | type: Memory 56 | kiali: 57 | enabled: true 58 | prometheus: 59 | enabled: true 60 | security: 61 | controlPlane: 62 | mtls: true 63 | dataPlane: 64 | mtls: true 65 | version: v2.1 66 | telemetry: 67 | type: Istiod 68 | 69 | 70 | ** Reset 71 | 72 | oc delete -f smcp-2.1.yaml 73 | 74 | 75 | == Setup Service Mesh Deployments 76 | 77 | *Important*: Deploy _Greeting Client_ and _Greeting Service_ on the *same* OCP Clusters/Meshes 78 | 79 | 80 | === Service Mesh greetings-client-service scripted deployments 81 | 82 | Follow instructions at link:../Scenario-0-Deploy-In-ServiceMesh/README.adoc#greetings-client-service[greetings client/service] _*Greeting Client*_ to add link:../coded-services/quarkus-rest-client-greeting[quarkus-rest-client-greeting] and _Greeting Service_ link:../coded-services/quarkus-rest-greeting-remote[quarkus-rest-greeting-remote] in the Service Mesh (Note: in the folders there is subfolder ISTIO_YAML to create GW/VS for the services) 83 | 84 | == Testing `rest-client-greeting` in Service Mesh 85 | 86 | The following tests simulate the states depicted in the images 87 | 88 | 89 | ** Calling directly one of the *Greeting Service* deployments 90 | 91 | watch -n 2 curl -X GET http://$(oc get route istio-ingressgateway -o jsonpath='{.spec.host}' -n )/hello/Stelios 92 | 93 | ** Calling the *Client* deployment 94 | 95 | (a) watch -n 2 curl -X GET http://$(oc get route istio-ingressgateway -o jsonpath='{.spec.host}' -n 
)/say/goodday-to/Stelios 96 | (b) watch -n 2 curl -X GET http://$(oc get route istio-ingressgateway -o jsonpath='{.spec.host}' -n )/say/hello 97 | 98 | == Sub-Scenario RBAC 1a: Restrict Access DENY_ALL 99 | 100 | * Apply restriction to access anything in the `greetings-client` namespace. The policy below has an empty `spec` (no rules and no `selector`), which Istio treats as deny-all for every workload in that namespace 101 | 102 | oc apply -f deny_all_greeting_client_ns.yaml 103 | 104 | == Sub-Scenario RBAC 1b: Restrict to resources for specific SA 105 | 106 | * Apply restriction to access anything under resource `/say/goodday-to` for a specific SA (Note: edit the YAML below so the principal's `ns/<namespace>/sa/...` segment names your istio-system namespace; the namespace placeholder is currently empty). The policy has no `selector`, so it applies to all workloads in `greetings-client`. The test *(a)* will fail RBAC but *(b)* will succeed 107 | 108 | oc apply -f sc1b-deny_sa-based_greeting_client_ns.yaml 109 | 110 | * Modify the file adding _-wrong_ at the end of the SA name. Both *(a)* and *(b)* will succeed, because a `DENY` rule whose principal matches nobody simply never fires: DENY-only policies fail open. A mistyped service account, a caller that is not part of the mesh, or a caller that presents no peer identity over mTLS all slip past such a rule. For real access control combine DENY rules with an `ALLOW` policy (or the deny-all of 1a) so that unmatched callers are rejected by default 111 | 112 | Additional Configurations can be drawn from: https://istio.io/latest/docs/reference/config/security/authorization-policy/#Rule 113 | 114 | 115 | 116 | 117 | 118 | -------------------------------------------------------------------------------- /Scenario-RBAC-1-SA-On-Workloads-Resources-Restrictions/deny_all_greeting_client_ns.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: security.istio.io/v1beta1 2 | kind: AuthorizationPolicy 3 | metadata: 4 | name: deny-all-greetings-client 5 | namespace: greetings-client 6 | spec: 7 | {} 8 | -------------------------------------------------------------------------------- /Scenario-RBAC-1-SA-On-Workloads-Resources-Restrictions/sc1b-deny_sa-based_greeting_client_ns.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: security.istio.io/v1beta1 2 | kind: AuthorizationPolicy 3 | metadata: 4 | name: deny-sa-greetings-client 5 | namespace: greetings-client 6 | spec: 7 | rules: 8 | - from: 9 | - source: 10 | principals: 11 | - >- 12 | cluster.local/ns//sa/istio-ingressgateway-service-account 13 | to: 14 | - 
operation: 15 | methods: 16 | - GET 17 | paths: 18 | - /say/goodday-to* 19 | action: DENY 20 | -------------------------------------------------------------------------------- /Scenario-RBAC-1-SA-On-Workloads-Resources-Restrictions/smcp-2.1.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: maistra.io/v2 2 | kind: ServiceMeshControlPlane 3 | metadata: 4 | name: 5 | namespace: 6 | spec: 7 | tracing: 8 | sampling: 10000 9 | type: Jaeger 10 | general: 11 | logging: 12 | logAsJSON: true 13 | profiles: 14 | - default 15 | proxy: 16 | accessLogging: 17 | file: 18 | name: /dev/stdout 19 | policy: 20 | type: Istiod 21 | addons: 22 | grafana: 23 | enabled: true 24 | jaeger: 25 | install: 26 | storage: 27 | type: Memory 28 | kiali: 29 | enabled: true 30 | prometheus: 31 | enabled: true 32 | security: 33 | controlPlane: 34 | mtls: true 35 | dataPlane: 36 | mtls: true 37 | version: v2.1 38 | telemetry: 39 | type: Istiod 40 | -------------------------------------------------------------------------------- /Scenarios-Arch-2-ServiceMesh-Observability/README.adoc: -------------------------------------------------------------------------------- 1 | = Service Mesh Observability Stack Architectures 2 | :toc: 3 | 4 | Gather various deployment setups for the observability stack handling different needs 5 | 6 | = Basic Setup 7 | 8 | Using Jaeger in Service Mesh(Istio) https://tracing.cloudnative101.dev/docs/ocp-istio-java.html#_understanding_jaeger_service_mesh_kiali 9 | Distributed Tracing Infrastructure with Jaeger on Kubernetes https://medium.com/@masroor.hasan/tracing-infrastructure-with-jaeger-on-kubernetes-6800132a677 10 | 11 | = Tracing 12 | 13 | == Production Setup 14 | 15 | * External Jaeger (agent deployment sidecar/stateful set) 16 | ** Jaeger Client https://github.com/jaegertracing/jaeger-client-java/blob/master/jaeger-core/README.md 17 | 18 | Distributed Tracing with Envoy Service Mesh & Jaeger 
https://hackernoon.com/distributed-tracing-with-envoy-service-mesh-jaeger-c365b6191592 19 | https://discuss.istio.io/t/distributing-tracing-doesnt-work-when-clients-send-traces-to-node-local-jaeger-agent-ip/9934 20 | env: 21 | - name: JAEGER_AGENT_HOST 22 | valueFrom: 23 | fieldRef: 24 | fieldPath: status.hostIP 25 | 26 | == OCP Monitoring Stack integration 27 | 28 | * Jaeger federation? 29 | 30 | 31 | = Metrics 32 | 33 | == Prometheus Federation 34 | 35 | https://prometheus.io/docs/prometheus/latest/federation/ 36 | Multilevel Prometheus setup using Remote Read https://sitaram.substack.com/p/multilevel-prometheus-setup-using?utm_source=url&s=r 37 | 38 | == OCP Monitoring Stack Integration 39 | -------------------------------------------------------------------------------- /coded-services/quarkus-opentracing/.dockerignore: -------------------------------------------------------------------------------- 1 | * 2 | !target/*-runner 3 | !target/*-runner.jar 4 | !target/lib/* 5 | !target/quarkus-app/ 6 | -------------------------------------------------------------------------------- /coded-services/quarkus-opentracing/.gitignore: -------------------------------------------------------------------------------- 1 | # Eclipse 2 | .project 3 | .classpath 4 | .settings/ 5 | bin/ 6 | 7 | # IntelliJ 8 | .idea 9 | *.ipr 10 | *.iml 11 | *.iws 12 | 13 | # NetBeans 14 | nb-configuration.xml 15 | 16 | # Visual Studio Code 17 | .vscode 18 | 19 | # OSX 20 | .DS_Store 21 | 22 | # Vim 23 | *.swp 24 | *.swo 25 | 26 | # patch 27 | *.orig 28 | *.rej 29 | 30 | # Maven 31 | target/ 32 | pom.xml.tag 33 | pom.xml.releaseBackup 34 | pom.xml.versionsBackup 35 | release.properties -------------------------------------------------------------------------------- /coded-services/quarkus-opentracing/.mvn/wrapper/maven-wrapper.jar: -------------------------------------------------------------------------------- 
https://raw.githubusercontent.com/skoussou/servicemesh-playground/f55dd15cdeb8b770e53e44d3982a9caf934cfd6e/coded-services/quarkus-opentracing/.mvn/wrapper/maven-wrapper.jar -------------------------------------------------------------------------------- /coded-services/quarkus-opentracing/.mvn/wrapper/maven-wrapper.properties: -------------------------------------------------------------------------------- 1 | distributionUrl=https://repo.maven.apache.org/maven2/org/apache/maven/apache-maven/3.6.3/apache-maven-3.6.3-bin.zip 2 | wrapperUrl=https://repo.maven.apache.org/maven2/io/takari/maven-wrapper/0.5.6/maven-wrapper-0.5.6.jar 3 | -------------------------------------------------------------------------------- /coded-services/quarkus-opentracing/ISTIO-YAML/create-quarkus-opentracing-jaeger-daemonset.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | 3 | SM_CP_NS=$1 4 | SM_TENANT_NAME=$2 5 | SM_MR_NS=$3 6 | SM_REMOTE_ROUTE=$4 7 | 8 | echo 9 | echo '---------------------------------------------------------------------------' 10 | echo 'ServiceMesh Control Plane Namespace : '$SM_CP_NS 11 | echo 'ServiceMesh Control Plane Tenant Name : '$SM_TENANT_NAME 12 | echo 'ServiceMesh Member Namespace : '$SM_MR_NS 13 | echo 'Remote SMCP Route Name : '$SM_REMOTE_ROUTE 14 | echo '---------------------------------------------------------------------------' 15 | echo 16 | 17 | #cd ../../coded-services/quarkus-opentracing 18 | cd ../ 19 | oc new-project $SM_MR_NS 20 | oc project $SM_MR_NS 21 | 22 | mvn clean package -Dquarkus.kubernetes.deploy=true -DskipTests 23 | 24 | echo 'sleeping 15s' 25 | sleep 15 26 | oc patch dc/hello-traced-quarkus-service -p '{"spec":{"template":{"metadata":{"annotations":{"sidecar.istio.io/inject": "true"}}}}}' -n $SM_MR_NS 27 | oc patch dc/hello-traced-quarkus-service --type=json --patch ' 28 | [ 29 | { 30 | "op": "add", 31 | "path": "/spec/template/spec/containers/0/env", 32 | "value": [ 33 | { 34 | 
"name": "JAEGER_AGENT_HOST", 35 | "valueFrom": { 36 | "fieldRef": { 37 | "apiVersion": "v1", 38 | "fieldPath": "status.hostIP" 39 | } 40 | } 41 | } 42 | ] 43 | } 44 | ]' -n $SM_MR_NS 45 | 46 | echo 47 | echo "################# SMR [default] added in SMCP [ns:$SM_CP_NS name: $SM_TENANT_NAME] #################" 48 | echo "sh ../../scripts/create-membership.sh $SM_CP_NS $SM_TENANT_NAME $SM_MR_NS" 49 | sh ../../scripts/create-membership.sh $SM_CP_NS $SM_TENANT_NAME $SM_MR_NS 50 | 51 | oc rollout latest dc/hello-traced-quarkus-service -n $SM_MR_NS 52 | 53 | 54 | echo "################# Gateway - opentracing-hello-gateway [$SM_CP_NS] #################" 55 | echo "kind: Gateway 56 | apiVersion: networking.istio.io/v1alpha3 57 | metadata: 58 | name: opentracing-hello-gateway 59 | spec: 60 | servers: 61 | - hosts: 62 | - '*' 63 | port: 64 | name: http-hello-traced-quarkus-service 65 | number: 80 66 | protocol: HTTP 67 | selector: 68 | istio: ingressgateway"|oc apply -n $SM_MR_NS -f - 69 | 70 | 71 | echo "################# VirtualService - opentracing-hello [$SM_CP_NS] #################" 72 | echo "kind: VirtualService 73 | apiVersion: networking.istio.io/v1alpha3 74 | metadata: 75 | name: opentracing-hello 76 | spec: 77 | hosts: 78 | - '*' 79 | gateways: 80 | - opentracing-hello-gateway 81 | http: 82 | - match: 83 | - uri: 84 | exact: /chain 85 | - uri: 86 | exact: /hello 87 | route: 88 | - destination: 89 | host: hello-traced-quarkus-service 90 | port: 91 | number: 8080"|oc apply -n $SM_MR_NS -f - 92 | 93 | echo 94 | echo "################# TESTING [http://${SM_REMOTE_ROUTE}/chain] #################" 95 | echo "watch curl -v http://${SM_REMOTE_ROUTE}/chain" 96 | sleep 10 97 | watch curl -v http://${SM_REMOTE_ROUTE}/chain 98 | 99 | -------------------------------------------------------------------------------- /coded-services/quarkus-opentracing/ISTIO-YAML/create-quarkus-opentracing-jaeger-sidecar.sh: 
-------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | 3 | SM_CP_NS=$1 4 | SM_TENANT_NAME=$2 5 | SM_MR_NS=$3 6 | SM_REMOTE_ROUTE=$4 7 | 8 | echo 9 | echo '---------------------------------------------------------------------------' 10 | echo 'ServiceMesh Control Plane Namespace : '$SM_CP_NS 11 | echo 'ServiceMesh Control Plane Tenant Name : '$SM_TENANT_NAME 12 | echo 'ServiceMesh Member Namespace : '$SM_MR_NS 13 | echo 'Remote SMCP Route Name : '$SM_REMOTE_ROUTE 14 | echo '---------------------------------------------------------------------------' 15 | echo 16 | 17 | #cd ../../coded-services/quarkus-opentracing 18 | cd ../ 19 | oc new-project $SM_MR_NS 20 | oc project $SM_MR_NS 21 | 22 | mvn clean package -Dquarkus.kubernetes.deploy=true -DskipTests 23 | 24 | echo 'sleeping 15s' 25 | sleep 15 26 | oc patch dc/hello-traced-quarkus-service -p '{"spec":{"template":{"metadata":{"annotations":{"sidecar.istio.io/inject": "true"}}}}}' -n $SM_MR_NS 27 | oc patch dc/hello-traced-quarkus-service -p '{"spec":{"template":{"metadata":{"annotations":{"sidecar.jaegertracing.io/inject": "true"}}}}}' -n $SM_MR_NS 28 | 29 | echo 30 | echo "################# SMR [default] added in SMCP [ns:$SM_CP_NS name: $SM_TENANT_NAME] #################" 31 | echo "sh ../../scripts/create-membership.sh $SM_CP_NS $SM_TENANT_NAME $SM_MR_NS" 32 | sh ../../scripts/create-membership.sh $SM_CP_NS $SM_TENANT_NAME $SM_MR_NS 33 | 34 | oc rollout latest dc/hello-traced-quarkus-service -n $SM_MR_NS 35 | 36 | 37 | echo "################# Gateway - opentracing-hello-gateway [$SM_CP_NS] #################" 38 | echo "kind: Gateway 39 | apiVersion: networking.istio.io/v1alpha3 40 | metadata: 41 | name: opentracing-hello-gateway 42 | spec: 43 | servers: 44 | - hosts: 45 | - '*' 46 | port: 47 | name: http-hello-traced-quarkus-service 48 | number: 80 49 | protocol: HTTP 50 | selector: 51 | istio: ingressgateway"|oc apply -n $SM_MR_NS -f - 52 | 53 | 54 | echo 
"################# VirtualService - opentracing-hello [$SM_CP_NS] #################" 55 | echo "kind: VirtualService 56 | apiVersion: networking.istio.io/v1alpha3 57 | metadata: 58 | name: opentracing-hello 59 | spec: 60 | hosts: 61 | - '*' 62 | gateways: 63 | - opentracing-hello-gateway 64 | http: 65 | - match: 66 | - uri: 67 | exact: /chain 68 | - uri: 69 | exact: /hello 70 | route: 71 | - destination: 72 | host: hello-traced-quarkus-service 73 | port: 74 | number: 8080"|oc apply -n $SM_MR_NS -f - 75 | 76 | echo 77 | echo "################# TESTING [http://${SM_REMOTE_ROUTE}/chain] #################" 78 | echo "curl -v http://${SM_REMOTE_ROUTE}/chain" 79 | sleep 10 80 | curl -v http://${SM_REMOTE_ROUTE}/chain 81 | 82 | -------------------------------------------------------------------------------- /coded-services/quarkus-opentracing/README.md: -------------------------------------------------------------------------------- 1 | Quarkus guide: https://quarkus.io/guides/opentracing 2 | -------------------------------------------------------------------------------- /coded-services/quarkus-opentracing/create-quarkus-opentracing-docker-image.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | 3 | QUAYIO_USERNAME=$1 4 | IMAGE_VERSION=$2 5 | 6 | echo 7 | echo '---------------------------------------------------------------------------' 8 | echo 'mvn package' 9 | mvn package 10 | echo 11 | echo '---------------------------------------------------------------------------' 12 | echo ' podman login registry.redhat.io if necessary to get access to ubi image ' 13 | echo '---------------------------------------------------------------------------' 14 | echo 15 | echo "podman build -f src/main/docker/Dockerfile.jvm -t $QUAYIO_USERNAME/quarkus-opentracing ." 16 | podman build -f src/main/docker/Dockerfile.jvm -t $QUAYIO_USERNAME/quarkus-opentracing . 
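17 | echo 18 | echo 19 | echo "podman tag localhost/$QUAYIO_USERNAME/quarkus-opentracing $QUAYIO_USERNAME/quarkus-opentracing:v$IMAGE_VERSION" 20 | podman tag "localhost/$QUAYIO_USERNAME/quarkus-opentracing" "$QUAYIO_USERNAME/quarkus-opentracing:v$IMAGE_VERSION" 21 | echo 22 | echo 23 | echo '---------------------------------------------------------------------------' 24 | echo ' skopeo login quay.io if necessary to get push the image ' 25 | echo '----------------------------------------------------------------------------' 26 | #echo "sudo skopeo copy --dest-tls-verify=false localhost/$QUAYIO_USERNAME/quarkus-opentracing:v$IMAGE_VERSION docker://quay.io/$QUAYIO_USERNAME/quarkus-opentracing:v$IMAGE_VERSION" 27 | #sudo skopeo copy --dest-tls-verify=false containers-storage:localhost/$QUAYIO_USERNAME/quarkus-opentracing:v$IMAGE_VERSION docker://quay.io/$QUAYIO_USERNAME/quarkus-opentracing:v$IMAGE_VERSION 28 | echo "skopeo copy containers-storage:localhost/$QUAYIO_USERNAME/quarkus-opentracing:v$IMAGE_VERSION docker://quay.io/$QUAYIO_USERNAME/quarkus-opentracing:v$IMAGE_VERSION" 29 | skopeo copy "containers-storage:localhost/$QUAYIO_USERNAME/quarkus-opentracing:v$IMAGE_VERSION" "docker://quay.io/$QUAYIO_USERNAME/quarkus-opentracing:v$IMAGE_VERSION" # TLS verification stays ON: quay.io serves a valid certificate, and --dest-tls-verify=false would let a man-in-the-middle capture the registry login or substitute the pushed image. The two lines above are kept for reference only; they used '//' which bash does not treat as a comment, so they were executed (and failed) as commands. 30 | 31 | -------------------------------------------------------------------------------- /coded-services/quarkus-opentracing/src/main/docker/Dockerfile.jvm: -------------------------------------------------------------------------------- 1 | #### 2 | # This Dockerfile is used in order to build a container that runs the Quarkus application in JVM mode 3 | # 4 | # Before building the container image run: 5 | # 6 | # ./mvnw package 7 | # 8 | # Then, build the image with: 9 | # 10 | # docker build -f src/main/docker/Dockerfile.jvm -t quarkus/opentracing-jvm . 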
11 | # 12 | # Then run the container using: 13 | # 14 | # docker run -i --rm -p 8080:8080 quarkus/opentracing-jvm 15 | # 16 | # If you want to include the debug port into your docker image 17 | # you will have to expose the debug port (default 5005) like this : EXPOSE 8080 5050 18 | # 19 | # Then run the container using : 20 | # 21 | # docker run -i --rm -p 8080:8080 -p 5005:5005 -e JAVA_ENABLE_DEBUG="true" quarkus/opentracing-jvm 22 | # 23 | ### 24 | FROM registry.access.redhat.com/ubi8/ubi-minimal:8.3 25 | 26 | ARG JAVA_PACKAGE=java-11-openjdk-headless 27 | ARG RUN_JAVA_VERSION=1.3.8 28 | ENV LANG='en_US.UTF-8' LANGUAGE='en_US:en' 29 | # Install java and the run-java script 30 | # Also set up permissions for user `1001` 31 | RUN microdnf install curl ca-certificates ${JAVA_PACKAGE} \ 32 | && microdnf update \ 33 | && microdnf clean all \ 34 | && mkdir /deployments \ 35 | && chown 1001 /deployments \ 36 | && chmod "g+rwX" /deployments \ 37 | && chown 1001:root /deployments \ 38 | && curl https://repo1.maven.org/maven2/io/fabric8/run-java-sh/${RUN_JAVA_VERSION}/run-java-sh-${RUN_JAVA_VERSION}-sh.sh -o /deployments/run-java.sh \ 39 | && chown 1001 /deployments/run-java.sh \ 40 | && chmod 540 /deployments/run-java.sh \ 41 | && echo "securerandom.source=file:/dev/urandom" >> /etc/alternatives/jre/lib/security/java.security 42 | 43 | # Configure the JAVA_OPTIONS, you can add -XshowSettings:vm to also display the heap size. 
44 | ENV JAVA_OPTIONS="-Dquarkus.http.host=0.0.0.0 -Djava.util.logging.manager=org.jboss.logmanager.LogManager" 45 | # We make four distinct layers so if there are application changes the library layers can be re-used 46 | COPY --chown=1001 target/quarkus-app/lib/ /deployments/lib/ 47 | COPY --chown=1001 target/quarkus-app/*.jar /deployments/ 48 | COPY --chown=1001 target/quarkus-app/app/ /deployments/app/ 49 | COPY --chown=1001 target/quarkus-app/quarkus/ /deployments/quarkus/ 50 | 51 | EXPOSE 8080 52 | USER 1001 53 | 54 | ENTRYPOINT [ "/deployments/run-java.sh" ] 55 | -------------------------------------------------------------------------------- /coded-services/quarkus-opentracing/src/main/docker/Dockerfile.legacy-jar: -------------------------------------------------------------------------------- 1 | #### 2 | # This Dockerfile is used in order to build a container that runs the Quarkus application in JVM mode 3 | # 4 | # Before building the container image run: 5 | # 6 | # ./mvnw package -Dquarkus.package.type=legacy-jar 7 | # 8 | # Then, build the image with: 9 | # 10 | # docker build -f src/main/docker/Dockerfile.legacy-jar -t quarkus/opentracing-legacy-jar . 
11 | # 12 | # Then run the container using: 13 | # 14 | # docker run -i --rm -p 8080:8080 quarkus/opentracing-legacy-jar 15 | # 16 | # If you want to include the debug port into your docker image 17 | # you will have to expose the debug port (default 5005) like this : EXPOSE 8080 5050 18 | # 19 | # Then run the container using : 20 | # 21 | # docker run -i --rm -p 8080:8080 -p 5005:5005 -e JAVA_ENABLE_DEBUG="true" quarkus/opentracing-legacy-jar 22 | # 23 | ### 24 | FROM registry.access.redhat.com/ubi8/ubi-minimal:8.3 25 | 26 | ARG JAVA_PACKAGE=java-11-openjdk-headless 27 | ARG RUN_JAVA_VERSION=1.3.8 28 | ENV LANG='en_US.UTF-8' LANGUAGE='en_US:en' 29 | # Install java and the run-java script 30 | # Also set up permissions for user `1001` 31 | RUN microdnf install curl ca-certificates ${JAVA_PACKAGE} \ 32 | && microdnf update \ 33 | && microdnf clean all \ 34 | && mkdir /deployments \ 35 | && chown 1001 /deployments \ 36 | && chmod "g+rwX" /deployments \ 37 | && chown 1001:root /deployments \ 38 | && curl https://repo1.maven.org/maven2/io/fabric8/run-java-sh/${RUN_JAVA_VERSION}/run-java-sh-${RUN_JAVA_VERSION}-sh.sh -o /deployments/run-java.sh \ 39 | && chown 1001 /deployments/run-java.sh \ 40 | && chmod 540 /deployments/run-java.sh \ 41 | && echo "securerandom.source=file:/dev/urandom" >> /etc/alternatives/jre/lib/security/java.security 42 | 43 | # Configure the JAVA_OPTIONS, you can add -XshowSettings:vm to also display the heap size. 
44 | ENV JAVA_OPTIONS="-Dquarkus.http.host=0.0.0.0 -Djava.util.logging.manager=org.jboss.logmanager.LogManager" 45 | COPY target/lib/* /deployments/lib/ 46 | COPY target/*-runner.jar /deployments/app.jar 47 | 48 | EXPOSE 8080 49 | USER 1001 50 | 51 | ENTRYPOINT [ "/deployments/run-java.sh" ] 52 | -------------------------------------------------------------------------------- /coded-services/quarkus-opentracing/src/main/docker/Dockerfile.native: -------------------------------------------------------------------------------- 1 | #### 2 | # This Dockerfile is used in order to build a container that runs the Quarkus application in native (no JVM) mode 3 | # 4 | # Before building the container image run: 5 | # 6 | # ./mvnw package -Pnative 7 | # 8 | # Then, build the image with: 9 | # 10 | # docker build -f src/main/docker/Dockerfile.native -t quarkus/opentracing . 11 | # 12 | # Then run the container using: 13 | # 14 | # docker run -i --rm -p 8080:8080 quarkus/opentracing 15 | # 16 | ### 17 | FROM registry.access.redhat.com/ubi8/ubi-minimal:8.3 18 | WORKDIR /work/ 19 | RUN chown 1001 /work \ 20 | && chmod "g+rwX" /work \ 21 | && chown 1001:root /work 22 | COPY --chown=1001:root target/*-runner /work/application 23 | 24 | EXPOSE 8080 25 | USER 1001 26 | 27 | CMD ["./application", "-Dquarkus.http.host=0.0.0.0"] 28 | -------------------------------------------------------------------------------- /coded-services/quarkus-opentracing/src/main/docker/Dockerfile.native-distroless: -------------------------------------------------------------------------------- 1 | #### 2 | # This Dockerfile is used in order to build a distroless container that runs the Quarkus application in native (no JVM) mode 3 | # 4 | # Before building the container image run: 5 | # 6 | # ./mvnw package -Pnative 7 | # 8 | # Then, build the image with: 9 | # 10 | # docker build -f src/main/docker/Dockerfile.native-distroless -t quarkus/opentracing . 
11 | # 12 | # Then run the container using: 13 | # 14 | # docker run -i --rm -p 8080:8080 quarkus/opentracing 15 | # 16 | ### 17 | FROM quay.io/quarkus/quarkus-distroless-image:1.0 18 | COPY target/*-runner /application 19 | 20 | EXPOSE 8080 21 | USER nonroot 22 | 23 | CMD ["./application", "-Dquarkus.http.host=0.0.0.0"] 24 | -------------------------------------------------------------------------------- /coded-services/quarkus-opentracing/src/main/java/org/acme/opentracing/FrancophoneService.java: -------------------------------------------------------------------------------- 1 | package org.acme.opentracing; 2 | 3 | import javax.enterprise.context.ApplicationScoped; 4 | 5 | import org.eclipse.microprofile.opentracing.Traced; 6 | 7 | @Traced 8 | @ApplicationScoped 9 | public class FrancophoneService { 10 | 11 | public String bonjour() { 12 | return "bonjour"; 13 | } 14 | } 15 | -------------------------------------------------------------------------------- /coded-services/quarkus-opentracing/src/main/java/org/acme/opentracing/ResourceClient.java: -------------------------------------------------------------------------------- 1 | package org.acme.opentracing; 2 | 3 | import javax.ws.rs.GET; 4 | import javax.ws.rs.Path; 5 | import javax.ws.rs.Produces; 6 | import javax.ws.rs.core.MediaType; 7 | 8 | @Path("/") 9 | public interface ResourceClient { 10 | @GET 11 | @Path("/hello") 12 | @Produces(MediaType.TEXT_PLAIN) 13 | String hello(); 14 | } 15 | -------------------------------------------------------------------------------- /coded-services/quarkus-opentracing/src/main/java/org/acme/opentracing/TracedResource.java: -------------------------------------------------------------------------------- 1 | package org.acme.opentracing; 2 | 3 | import javax.inject.Inject; 4 | import javax.ws.rs.GET; 5 | import javax.ws.rs.Path; 6 | import javax.ws.rs.Produces; 7 | import javax.ws.rs.core.Context; 8 | import javax.ws.rs.core.MediaType; 9 | import javax.ws.rs.core.UriInfo; 

import org.eclipse.microprofile.config.inject.ConfigProperty;
import org.eclipse.microprofile.rest.client.RestClientBuilder;
import org.jboss.logging.Logger;

import java.net.MalformedURLException;

/**
 * JAX-RS resource exercised by the opentracing scenario. GET /hello answers
 * locally; GET /chain calls the injected FrancophoneService and then the remote
 * /hello through a MicroProfile REST client, so one request produces a trace
 * that spans several hops.
 */
@Path("/")
public class TracedResource {

    private static final Logger LOG = Logger.getLogger(TracedResource.class);

    // Local CDI bean; FrancophoneService is annotated @Traced, so its call
    // shows up as its own span in the chain.
    @Inject
    FrancophoneService exampleBean;

    // Base URL of the downstream hello service. Operator-supplied configuration
    // (hello-service-url in application.properties), never request input.
    @ConfigProperty(name = "hello-service-url")
    protected String helloURL;

    @Context
    private UriInfo uriInfo;

    /** Logs the call and returns the constant "hello". */
    @GET
    @Path("/hello")
    @Produces(MediaType.TEXT_PLAIN)
    public String hello() {
        LOG.info("hello");
        return "hello";
    }

    /**
     * Calls the local bean, then the remote /hello, and concatenates the replies.
     *
     * @return "chain -> bonjour -> " followed by the remote service's reply
     * @throws MalformedURLException if hello-service-url is not a well-formed URL
     */
    @GET
    @Path("/chain")
    @Produces(MediaType.TEXT_PLAIN)
    public String chain() throws MalformedURLException {
        // NOTE(review): baseUri(...) and baseUrl(...) both set the client's target;
        // the later baseUrl(helloURL) call is presumably the one that takes effect,
        // which would make the baseUri(uriInfo.getBaseUri()) call redundant — confirm.
        // NOTE(review): a new REST client is built on every request; presumably
        // acceptable for a demo, but a cached client would avoid the per-call setup.
        ResourceClient resourceClient = RestClientBuilder.newBuilder()
                .baseUri(uriInfo.getBaseUri()).baseUrl(new java.net.URL(helloURL))
                .build(ResourceClient.class);
        return "chain -> " + exampleBean.bonjour() + " -> " + resourceClient.hello();
    }
}
--------------------------------------------------------------------------------
/coded-services/quarkus-opentracing/src/main/resources/application.properties:
--------------------------------------------------------------------------------
# NOTE(review): trust-certs=true makes the Kubernetes client accept any API-server
# certificate (no chain verification). Appropriate for a lab cluster with a
# self-signed API certificate only; remove it for anything else.
quarkus.kubernetes-client.trust-certs=true

quarkus.jaeger.service-name=hello-traced-quarkus-service
# Constant sampler with param 1: every request is traced (fine for a demo, noisy in production).
quarkus.jaeger.sampler-type=const
quarkus.jaeger.sampler-param=1
quarkus.log.console.format=%d{HH:mm:ss} %-5p traceId=%X{traceId}, spanId=%X{spanId}, sampled=%X{sampled} [%c{2.}] (%t) %s%e%n

quarkus.openshift.labels.app=hello-traced-quarkus-service
quarkus.openshift.labels.version=v1
quarkus.openshift.deployment-kind=Deployment

# Test profile: /chain calls back into the test instance itself.
%test.hello-service-url=http://localhost:8080

######################################
# Quarkus on Openshift configurations

###################################### 17 | 18 | # ENV Variables for Data Directories 19 | quarkus.openshift.env.vars.hello-service-url=http://deployment-hello-traced-quarkus-service:8080 20 | -------------------------------------------------------------------------------- /coded-services/quarkus-opentracing/src/test/java/org/acme/opentracing/NativeTracedResourceIT.java: -------------------------------------------------------------------------------- 1 | package org.acme.opentracing; 2 | 3 | import io.quarkus.test.junit.NativeImageTest; 4 | 5 | @NativeImageTest 6 | public class NativeTracedResourceIT extends TracedResourceTest { 7 | 8 | // Execute the same tests but in native mode. 9 | } 10 | -------------------------------------------------------------------------------- /coded-services/quarkus-opentracing/src/test/java/org/acme/opentracing/TracedResourceTest.java: -------------------------------------------------------------------------------- 1 | package org.acme.opentracing; 2 | 3 | import static io.restassured.RestAssured.given; 4 | import static org.hamcrest.CoreMatchers.is; 5 | 6 | import org.junit.jupiter.api.Test; 7 | 8 | import io.quarkus.test.junit.QuarkusTest; 9 | 10 | @QuarkusTest 11 | public class TracedResourceTest { 12 | 13 | @Test 14 | public void testHelloEndpoint() { 15 | given() 16 | .when().get("/hello") 17 | .then() 18 | .statusCode(200) 19 | .body(is("hello")); 20 | } 21 | 22 | } 23 | -------------------------------------------------------------------------------- /coded-services/quarkus-rest-503/.dockerignore: -------------------------------------------------------------------------------- 1 | * 2 | !target/*-runner 3 | !target/*-runner.jar 4 | !target/lib/* 5 | !target/quarkus-app/ 6 | -------------------------------------------------------------------------------- /coded-services/quarkus-rest-503/.gitignore: -------------------------------------------------------------------------------- 1 | # Eclipse 2 | .project 3 | .classpath 4 | 
.settings/ 5 | bin/ 6 | 7 | # IntelliJ 8 | .idea 9 | *.ipr 10 | *.iml 11 | *.iws 12 | 13 | # NetBeans 14 | nb-configuration.xml 15 | 16 | # Visual Studio Code 17 | .vscode 18 | 19 | # OSX 20 | .DS_Store 21 | 22 | # Vim 23 | *.swp 24 | *.swo 25 | 26 | # patch 27 | *.orig 28 | *.rej 29 | 30 | # Maven 31 | target/ 32 | pom.xml.tag 33 | pom.xml.releaseBackup 34 | pom.xml.versionsBackup 35 | release.properties -------------------------------------------------------------------------------- /coded-services/quarkus-rest-503/ISTIO-YAML/istio-envoy-filter-status-check-cluster.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: networking.istio.io/v1alpha3 2 | kind: EnvoyFilter 3 | metadata: 4 | name: status-check-healthcheck 5 | spec: 6 | workloadSelector: 7 | labels: 8 | istio: ingressgateway 9 | configPatches: 10 | - applyTo: CLUSTER 11 | match: 12 | cluster: 13 | name: >- 14 | outbound|8080||rest-greeting-remote.greetings-service.svc.cluster.local 15 | context: GATEWAY 16 | patch: 17 | operation: MERGE 18 | value: 19 | health_checks: 20 | - always_log_health_check_failures: true 21 | event_log_path: /dev/stdout 22 | healthy_threshold: 3 23 | http_health_check: 24 | host: rest-greeting-remote.greetings-service.svc.cluster.local 25 | path: /status/check 26 | interval: 5s 27 | no_traffic_interval: 15s 28 | timeout: 5s 29 | unhealthy_threshold: 5 30 | -------------------------------------------------------------------------------- /coded-services/quarkus-rest-503/ISTIO-YAML/istio-envoy-filter-status-check.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: networking.istio.io/v1alpha3 2 | kind: EnvoyFilter 3 | metadata: 4 | name: status-check-healthcheck 5 | spec: 6 | workloadSelector: 7 | labels: 8 | istio: ingressgateway 9 | configPatches: 10 | - applyTo: CLUSTER 11 | match: 12 | cluster: 13 | service: rest-greeting-remote.greetings-service.svc.cluster.local 14 | context: 
GATEWAY 15 | patch: 16 | operation: MERGE 17 | value: 18 | health_checks: 19 | - always_log_health_check_failures: true 20 | event_log_path: /dev/stdout 21 | healthy_threshold: 3 22 | http_health_check: 23 | host: >- 24 | rest-greeting-remote.greetings-service.svc.cluster.local 25 | path: /status/check 26 | interval: 5s 27 | timeout: 5s 28 | unhealthy_threshold: 1 29 | -------------------------------------------------------------------------------- /coded-services/quarkus-rest-503/ISTIO-YAML/istio-hello.remote-route.yaml: -------------------------------------------------------------------------------- 1 | kind: Route 2 | apiVersion: route.openshift.io/v1 3 | metadata: 4 | name: hello-remote 5 | spec: 6 | host: hello.remote.com 7 | to: 8 | kind: Service 9 | name: istio-ingressgateway 10 | weight: 100 11 | port: 12 | targetPort: http2 13 | wildcardPolicy: None 14 | -------------------------------------------------------------------------------- /coded-services/quarkus-rest-503/ISTIO-YAML/istio-status-check-gateway-vs.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: networking.istio.io/v1alpha3 2 | kind: Gateway 3 | metadata: 4 | name: status-check-gateway 5 | spec: 6 | selector: 7 | istio: ingressgateway # use istio default controller 8 | servers: 9 | - port: 10 | number: 80 11 | name: http 12 | protocol: HTTP 13 | hosts: 14 | - "istio-ingressgateway-istio-system-tenant-1.apps." 15 | --- 16 | apiVersion: networking.istio.io/v1alpha3 17 | kind: VirtualService 18 | metadata: 19 | name: status-check 20 | spec: 21 | hosts: 22 | - "istio-ingressgateway-istio-system-tenant-1.apps." 
  gateways:
  - status-check-gateway
  - mesh
  http:
  - match:
    # NOTE(review): `prefix: /status` below already matches `/status` itself,
    # so the `exact: /status` entry is redundant.
    - uri:
        exact: /status
    - uri:
        prefix: /status
    route:
    - destination:
        # NOTE(review): the namespace here is `greeting-service`, while the
        # DestinationRules in this directory use `greetings-service-1` and the
        # EnvoyFilters use `greetings-service`. Confirm where the workload runs;
        # if these differ, the route and the outlier detection apply to
        # different hosts and the 503 scenario will not behave as intended.
        host: quarkus-rest-503.greeting-service.svc.cluster.local
        port:
          number: 8080
--------------------------------------------------------------------------------
/coded-services/quarkus-rest-503/ISTIO-YAML/quarkus-rest-503-outlier-detection-dr.yaml:
--------------------------------------------------------------------------------
# Ejects an endpoint of quarkus-rest-503 for 2 minutes after a single 5xx.
apiVersion: networking.istio.io/v1alpha3
kind: DestinationRule
metadata:
  name: quarkus-rest-503-outlier-detection-dr
spec:
  # NOTE(review): must name the same host/namespace the VirtualService routes
  # to (`greeting-service` there) for the policy to take effect — confirm.
  host: quarkus-rest-503.greetings-service-1.svc.cluster.local
  trafficPolicy:
    outlierDetection:
      consecutive5xxErrors: 1
      interval: 30s
      baseEjectionTime: 2m
--------------------------------------------------------------------------------
/coded-services/quarkus-rest-503/ISTIO-YAML/rest-greeting-remote-503-outlier-detection-dr.yaml:
--------------------------------------------------------------------------------
# Ejects an endpoint of rest-greeting-remote for 1 minute after a single 5xx.
apiVersion: networking.istio.io/v1alpha3
kind: DestinationRule
metadata:
  name: rest-greeting-remote-503-outlier-detection-dr
spec:
  # NOTE(review): the EnvoyFilters in this directory address the same service
  # in namespace `greetings-service` — confirm which namespace is correct.
  host: rest-greeting-remote.greetings-service-1.svc.cluster.local
  trafficPolicy:
    outlierDetection:
      consecutive5xxErrors: 1
      interval: 30s
      baseEjectionTime: 1m
      # Allows every endpoint of the host to be ejected at once (Istio's default
      # is 10%); intended for the failover demo, where the whole remote side
      # should drop out when it returns 503.
      maxEjectionPercent: 100
--------------------------------------------------------------------------------
/coded-services/quarkus-rest-503/README.md:
--------------------------------------------------------------------------------
# Getting started with Quarkus

This is a minimal CRUD service exposing a couple of endpoints over REST.
4 | 5 | Under the hood, this demo uses: 6 | 7 | - RESTEasy to expose the REST endpoints 8 | - REST-assured and JUnit 5 for endpoint testing 9 | 10 | ## Requirements 11 | 12 | To compile and run this demo you will need: 13 | 14 | - JDK 1.8+ 15 | - GraalVM 16 | 17 | ### Configuring GraalVM and JDK 1.8+ 18 | 19 | Make sure that both the `GRAALVM_HOME` and `JAVA_HOME` environment variables have 20 | been set, and that a JDK 1.8+ `java` command is on the path. 21 | 22 | See the [Building a Native Executable guide](https://quarkus.io/guides/building-native-image-guide) 23 | for help setting up your environment. 24 | 25 | ## Building the application 26 | 27 | Launch the Maven build on the checked out sources of this demo: 28 | 29 | > ./mvnw install 30 | 31 | ### Live coding with Quarkus 32 | 33 | The Maven Quarkus plugin provides a development mode that supports 34 | live coding. To try this out: 35 | 36 | > ./mvnw quarkus:dev 37 | 38 | This command will leave Quarkus running in the foreground listening on port 8080. 39 | 40 | 1. Visit the default endpoint: [http://127.0.0.1:8080](http://127.0.0.1:8080). 41 | - Make a simple change to [src/main/resources/META-INF/resources/index.html](src/main/resources/META-INF/resources/index.html) file. 42 | - Refresh the browser to see the updated page. 43 | 2. Visit the `/hello` endpoint: [http://127.0.0.1:8080/hello](http://127.0.0.1:8080/hello) 44 | - Update the response in [src/main/java/org/acme/quickstart/GreetingResource.java](src/main/java/org/acme/quickstart/GreetingResource.java). Replace `hello` with `hello there` in the `hello()` method. 45 | - Refresh the browser. You should now see `hello there`. 46 | - Undo the change, so the method returns `hello` again. 47 | - Refresh the browser. You should now see `hello`. 48 | 49 | ### Run Quarkus in JVM mode 50 | 51 | When you're done iterating in developer mode, you can run the application as a 52 | conventional jar file. 
53 | 54 | First compile it: 55 | 56 | > ./mvnw install 57 | 58 | Then run it: 59 | 60 | > java -jar ./target/quarkus-app/quarkus-run.jar 61 | 62 | Have a look at how fast it boots, or measure the total native memory consumption. 63 | 64 | ### Run Quarkus as a native executable 65 | 66 | You can also create a native executable from this application without making any 67 | source code changes. A native executable removes the dependency on the JVM: 68 | everything needed to run the application on the target platform is included in 69 | the executable, allowing the application to run with minimal resource overhead. 70 | 71 | Compiling a native executable takes a bit longer, as GraalVM performs additional 72 | steps to remove unnecessary codepaths. Use the `native` profile to compile a 73 | native executable: 74 | 75 | > ./mvnw install -Dnative 76 | 77 | After getting a cup of coffee, you'll be able to run this executable directly: 78 | 79 | > ./target/getting-started-1.0.0-SNAPSHOT-runner 80 | -------------------------------------------------------------------------------- /coded-services/quarkus-rest-503/src/main/docker/Dockerfile.jvm: -------------------------------------------------------------------------------- 1 | #### 2 | # This Dockerfile is used in order to build a container that runs the Quarkus application in JVM mode 3 | # 4 | # Before building the container image run: 5 | # 6 | # ./mvnw package 7 | # 8 | # Then, build the image with: 9 | # 10 | # docker build -f src/main/docker/Dockerfile.jvm -t quarkus/getting-started-jvm . 
11 | # 12 | # Then run the container using: 13 | # 14 | # docker run -i --rm -p 8080:8080 quarkus/getting-started-jvm 15 | # 16 | # If you want to include the debug port into your docker image 17 | # you will have to expose the debug port (default 5005) like this : EXPOSE 8080 5050 18 | # 19 | # Then run the container using : 20 | # 21 | # docker run -i --rm -p 8080:8080 -p 5005:5005 -e JAVA_ENABLE_DEBUG="true" quarkus/getting-started-jvm 22 | # 23 | ### 24 | FROM registry.access.redhat.com/ubi8/ubi-minimal:8.3 25 | 26 | ARG JAVA_PACKAGE=java-11-openjdk-headless 27 | ARG RUN_JAVA_VERSION=1.3.8 28 | ENV LANG='en_US.UTF-8' LANGUAGE='en_US:en' 29 | # Install java and the run-java script 30 | # Also set up permissions for user `1001` 31 | RUN microdnf install curl ca-certificates ${JAVA_PACKAGE} \ 32 | && microdnf update \ 33 | && microdnf clean all \ 34 | && mkdir /deployments \ 35 | && chown 1001 /deployments \ 36 | && chmod "g+rwX" /deployments \ 37 | && chown 1001:root /deployments \ 38 | && curl https://repo1.maven.org/maven2/io/fabric8/run-java-sh/${RUN_JAVA_VERSION}/run-java-sh-${RUN_JAVA_VERSION}-sh.sh -o /deployments/run-java.sh \ 39 | && chown 1001 /deployments/run-java.sh \ 40 | && chmod 540 /deployments/run-java.sh \ 41 | && echo "securerandom.source=file:/dev/urandom" >> /etc/alternatives/jre/lib/security/java.security 42 | 43 | # Configure the JAVA_OPTIONS, you can add -XshowSettings:vm to also display the heap size. 
44 | ENV JAVA_OPTIONS="-Dquarkus.http.host=0.0.0.0 -Djava.util.logging.manager=org.jboss.logmanager.LogManager" 45 | # We make four distinct layers so if there are application changes the library layers can be re-used 46 | COPY --chown=1001 target/quarkus-app/lib/ /deployments/lib/ 47 | COPY --chown=1001 target/quarkus-app/*.jar /deployments/ 48 | COPY --chown=1001 target/quarkus-app/app/ /deployments/app/ 49 | COPY --chown=1001 target/quarkus-app/quarkus/ /deployments/quarkus/ 50 | 51 | EXPOSE 8080 52 | USER 1001 53 | 54 | ENTRYPOINT [ "/deployments/run-java.sh" ] 55 | -------------------------------------------------------------------------------- /coded-services/quarkus-rest-503/src/main/docker/Dockerfile.legacy-jar: -------------------------------------------------------------------------------- 1 | #### 2 | # This Dockerfile is used in order to build a container that runs the Quarkus application in JVM mode 3 | # 4 | # Before building the container image run: 5 | # 6 | # ./mvnw package -Dquarkus.package.type=legacy-jar 7 | # 8 | # Then, build the image with: 9 | # 10 | # docker build -f src/main/docker/Dockerfile.legacy-jar -t quarkus/getting-started-legacy-jar . 
11 | # 12 | # Then run the container using: 13 | # 14 | # docker run -i --rm -p 8080:8080 quarkus/getting-started-legacy-jar 15 | # 16 | # If you want to include the debug port into your docker image 17 | # you will have to expose the debug port (default 5005) like this : EXPOSE 8080 5050 18 | # 19 | # Then run the container using : 20 | # 21 | # docker run -i --rm -p 8080:8080 -p 5005:5005 -e JAVA_ENABLE_DEBUG="true" quarkus/getting-started-legacy-jar 22 | # 23 | ### 24 | FROM registry.access.redhat.com/ubi8/ubi-minimal:8.3 25 | 26 | ARG JAVA_PACKAGE=java-11-openjdk-headless 27 | ARG RUN_JAVA_VERSION=1.3.8 28 | ENV LANG='en_US.UTF-8' LANGUAGE='en_US:en' 29 | # Install java and the run-java script 30 | # Also set up permissions for user `1001` 31 | RUN microdnf install curl ca-certificates ${JAVA_PACKAGE} \ 32 | && microdnf update \ 33 | && microdnf clean all \ 34 | && mkdir /deployments \ 35 | && chown 1001 /deployments \ 36 | && chmod "g+rwX" /deployments \ 37 | && chown 1001:root /deployments \ 38 | && curl https://repo1.maven.org/maven2/io/fabric8/run-java-sh/${RUN_JAVA_VERSION}/run-java-sh-${RUN_JAVA_VERSION}-sh.sh -o /deployments/run-java.sh \ 39 | && chown 1001 /deployments/run-java.sh \ 40 | && chmod 540 /deployments/run-java.sh \ 41 | && echo "securerandom.source=file:/dev/urandom" >> /etc/alternatives/jre/lib/security/java.security 42 | 43 | # Configure the JAVA_OPTIONS, you can add -XshowSettings:vm to also display the heap size. 
44 | ENV JAVA_OPTIONS="-Dquarkus.http.host=0.0.0.0 -Djava.util.logging.manager=org.jboss.logmanager.LogManager" 45 | COPY target/lib/* /deployments/lib/ 46 | COPY target/*-runner.jar /deployments/app.jar 47 | 48 | EXPOSE 8080 49 | USER 1001 50 | 51 | ENTRYPOINT [ "/deployments/run-java.sh" ] 52 | -------------------------------------------------------------------------------- /coded-services/quarkus-rest-503/src/main/docker/Dockerfile.native: -------------------------------------------------------------------------------- 1 | #### 2 | # This Dockerfile is used in order to build a container that runs the Quarkus application in native (no JVM) mode 3 | # 4 | # Before building the container image run: 5 | # 6 | # ./mvnw package -Pnative 7 | # 8 | # Then, build the image with: 9 | # 10 | # docker build -f src/main/docker/Dockerfile.native -t quarkus/getting-started . 11 | # 12 | # Then run the container using: 13 | # 14 | # docker run -i --rm -p 8080:8080 quarkus/getting-started 15 | # 16 | ### 17 | FROM registry.access.redhat.com/ubi8/ubi-minimal:8.3 18 | WORKDIR /work/ 19 | RUN chown 1001 /work \ 20 | && chmod "g+rwX" /work \ 21 | && chown 1001:root /work 22 | COPY --chown=1001:root target/*-runner /work/application 23 | 24 | EXPOSE 8080 25 | USER 1001 26 | 27 | CMD ["./application", "-Dquarkus.http.host=0.0.0.0"] 28 | -------------------------------------------------------------------------------- /coded-services/quarkus-rest-503/src/main/docker/Dockerfile.native-distroless: -------------------------------------------------------------------------------- 1 | #### 2 | # This Dockerfile is used in order to build a distroless container that runs the Quarkus application in native (no JVM) mode 3 | # 4 | # Before building the container image run: 5 | # 6 | # ./mvnw package -Pnative 7 | # 8 | # Then, build the image with: 9 | # 10 | # docker build -f src/main/docker/Dockerfile.native-distroless -t quarkus/getting-started . 
#
# Then run the container using:
#
# docker run -i --rm -p 8080:8080 quarkus/getting-started
#
###
FROM quay.io/quarkus/quarkus-distroless-image:1.0
COPY target/*-runner /application

EXPOSE 8080
USER nonroot

CMD ["./application", "-Dquarkus.http.host=0.0.0.0"]
--------------------------------------------------------------------------------
/coded-services/quarkus-rest-503/src/main/java/org/acme/getting/started/GreetingResource.java:
--------------------------------------------------------------------------------
package org.acme.getting.started;

import javax.inject.Inject;
import javax.ws.rs.GET;
import javax.ws.rs.Path;
import javax.ws.rs.Produces;
import javax.ws.rs.core.MediaType;
//import javax.ws.rs.BadRequestException;
import javax.ws.rs.ServerErrorException;

import org.jboss.resteasy.annotations.jaxrs.PathParam;

import org.eclipse.microprofile.config.inject.ConfigProperty;


/**
 * Fault-injection endpoint for the health-check / outlier-detection scenarios.
 * GET /status/check answers 503 while error.flag is "fail" (the default) and
 * "success" otherwise, so the mesh can be made to see this workload as
 * unhealthy on demand; the EnvoyFilters under ISTIO-YAML probe this path.
 */
@Path("/status")
public class GreetingResource {

    // Fed from the ERROR_FLAG environment variable via application.properties;
    // defaultValue keeps it non-null when the property is absent.
    @ConfigProperty(name = "error.flag", defaultValue = "fail")
    String flag;

    /**
     * @return "success" when error.flag is anything other than "fail"
     * @throws ServerErrorException with HTTP status 503 when error.flag is "fail"
     */
    @GET
    @Produces(MediaType.TEXT_PLAIN)
    @Path("/check")
    public String greeting() {
        if (flag.equals("fail")){
            // throw new BadRequestException();
            throw new ServerErrorException(503);
        }
        return "success";
    }

}
--------------------------------------------------------------------------------
/coded-services/quarkus-rest-503/src/main/resources/application.properties:
--------------------------------------------------------------------------------
# Quarkus Configuration file
# key = value

# NOTE(review): trust-certs=true makes the Kubernetes client accept any API-server
# certificate (no chain verification). Appropriate for a lab cluster with a
# self-signed API certificate only; remove it for anything else.
quarkus.kubernetes-client.trust-certs=true

# "fail" -> GET /status/check returns 503; set ERROR_FLAG to any other value
# (e.g. via the pod's environment) to make the endpoint healthy again.
error.flag=${ERROR_FLAG:fail}


--------------------------------------------------------------------------------
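/coded-services/quarkus-rest-503/src/test/java/org/acme/getting/started/GreetingResourceTest.java:
--------------------------------------------------------------------------------
package org.acme.getting.started;

import static io.restassured.RestAssured.given;

import org.junit.jupiter.api.Test;

import io.quarkus.test.junit.QuarkusTest;

/**
 * Exercises the only endpoint GreetingResource exposes, GET /status/check.
 * The tests this file was generated with targeted /hello and
 * /hello/greeting/{name}, which this service does not serve, so they could
 * never pass against GreetingResource.
 */
@QuarkusTest
public class GreetingResourceTest {

    /**
     * error.flag defaults to "fail" (application.properties: ${ERROR_FLAG:fail}),
     * so the endpoint must answer 503 — the state the outlier-detection and
     * EnvoyFilter health-check scenarios rely on. Assumes ERROR_FLAG is not set
     * in the environment running the tests.
     */
    @Test
    public void testStatusCheckReturns503ByDefault() {
        given()
          .when().get("/status/check")
          .then()
             .statusCode(503);
    }

}
--------------------------------------------------------------------------------
/coded-services/quarkus-rest-503/src/test/java/org/acme/getting/started/NativeGreetingResourceIT.java:
--------------------------------------------------------------------------------
package org.acme.getting.started;

import io.quarkus.test.junit.NativeImageTest;

@NativeImageTest
public class NativeGreetingResourceIT extends GreetingResourceTest {

    // Execute the same tests but in native mode.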
9 | } -------------------------------------------------------------------------------- /coded-services/quarkus-rest-client-greeting/.dockerignore: -------------------------------------------------------------------------------- 1 | * 2 | !target/*-runner 3 | !target/*-runner.jar 4 | !target/lib/* 5 | !target/quarkus-app/ 6 | -------------------------------------------------------------------------------- /coded-services/quarkus-rest-client-greeting/.gitignore: -------------------------------------------------------------------------------- 1 | # Eclipse 2 | .project 3 | .classpath 4 | .settings/ 5 | bin/ 6 | 7 | # IntelliJ 8 | .idea 9 | *.ipr 10 | *.iml 11 | *.iws 12 | 13 | # NetBeans 14 | nb-configuration.xml 15 | 16 | # Visual Studio Code 17 | .vscode 18 | 19 | # OSX 20 | .DS_Store 21 | 22 | # Vim 23 | *.swp 24 | *.swo 25 | 26 | # patch 27 | *.orig 28 | *.rej 29 | 30 | # Maven 31 | target/ 32 | pom.xml.tag 33 | pom.xml.releaseBackup 34 | pom.xml.versionsBackup 35 | release.properties -------------------------------------------------------------------------------- /coded-services/quarkus-rest-client-greeting/.mvn/wrapper/maven-wrapper.jar: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/skoussou/servicemesh-playground/f55dd15cdeb8b770e53e44d3982a9caf934cfd6e/coded-services/quarkus-rest-client-greeting/.mvn/wrapper/maven-wrapper.jar -------------------------------------------------------------------------------- /coded-services/quarkus-rest-client-greeting/.mvn/wrapper/maven-wrapper.properties: -------------------------------------------------------------------------------- 1 | distributionUrl=https://repo.maven.apache.org/maven2/org/apache/maven/apache-maven/3.6.3/apache-maven-3.6.3-bin.zip 2 | wrapperUrl=https://repo.maven.apache.org/maven2/io/takari/maven-wrapper/0.5.6/maven-wrapper-0.5.6.jar 3 | -------------------------------------------------------------------------------- 
/coded-services/quarkus-rest-client-greeting/ISTIO-YAML/RETEST-REMOTE-FAILOVER.yaml: -------------------------------------------------------------------------------- 1 | kind: ServiceEntry 2 | apiVersion: networking.istio.io/v1alpha3 3 | metadata: 4 | name: remote-getting-started 5 | namespace: istio-system-tenant-4 6 | spec: 7 | hosts: 8 | - hello.remote.com 9 | ports: 10 | - name: http 11 | number: 80 12 | protocol: HTTP 13 | location: MESH_EXTERNAL 14 | resolution: DNS 15 | endpoints: 16 | - address: >- 17 | istio-ingressgateway-istio-system-tenant-4.apps.cluster-ac6a.ac6a.sandbox1173.opentlc.com 18 | labels: 19 | cluster: primary 20 | locality: primary 21 | ports: 22 | http: 80 23 | weight: 80 24 | - address: >- 25 | istio-ingressgateway-istio-system-tenant-4.apps.rosa-e532.qxhy.p1.openshiftapps.com 26 | labels: 27 | cluster: secondary 28 | locality: secondary 29 | ports: 30 | http: 80 31 | weight: 20 32 | --- 33 | kind: DestinationRule 34 | apiVersion: networking.istio.io/v1alpha3 35 | metadata: 36 | name: egress-for-target-subset-failover-destination-rule 37 | namespace: istio-system-tenant-4 38 | spec: 39 | host: hello.remote.com 40 | trafficPolicy: 41 | connectionPool: 42 | http: 43 | http1MaxPendingRequests: 5 44 | http2MaxRequests: 5 45 | maxRetries: 5 46 | subsets: 47 | - name: target-subset 48 | trafficPolicy: 49 | loadBalancer: 50 | localityLbSetting: 51 | enabled: true 52 | failover: 53 | - from: primary 54 | to: secondary 55 | outlierDetection: 56 | baseEjectionTime: 1m 57 | consecutiveErrors: 3 58 | interval: 10s 59 | --- 60 | kind: Gateway 61 | apiVersion: networking.istio.io/v1alpha3 62 | metadata: 63 | name: istio-egressgateway 64 | namespace: istio-system-tenant-4 65 | spec: 66 | servers: 67 | - hosts: 68 | - '*' 69 | port: 70 | name: http 71 | number: 80 72 | protocol: HTTP 73 | selector: 74 | istio: egressgateway 75 | --- 76 | kind: VirtualService 77 | apiVersion: networking.istio.io/v1alpha3 78 | metadata: 79 | name: gateway-routing 80 | 
namespace: istio-system-tenant-4 81 | spec: 82 | hosts: 83 | - hello.remote.com 84 | gateways: 85 | - mesh 86 | - istio-egressgateway 87 | http: 88 | - match: 89 | - gateways: 90 | - mesh 91 | port: 80 92 | route: 93 | - destination: 94 | host: istio-egressgateway.istio-system-tenant-4.svc.cluster.local 95 | - match: 96 | - gateways: 97 | - istio-egressgateway 98 | port: 80 99 | route: 100 | - destination: 101 | host: hello.remote.com 102 | subset: target-subset 103 | weight: 100 104 | exportTo: 105 | - '*' 106 | 107 | 108 | 109 | 110 | 111 | 112 | 113 | 114 | 115 | 116 | 117 | 118 | 119 | 120 | 121 | 122 | 123 | -------------------------------------------------------------------------------- /coded-services/quarkus-rest-client-greeting/ISTIO-YAML/RETEST-REMOTE-loadBalancer.yaml: -------------------------------------------------------------------------------- 1 | kind: ServiceEntry 2 | apiVersion: networking.istio.io/v1alpha3 3 | metadata: 4 | name: remote-getting-started 5 | namespace: istio-system-tenant-4 6 | spec: 7 | hosts: 8 | - hello.remote.com 9 | ports: 10 | - name: http 11 | number: 80 12 | protocol: HTTP 13 | location: MESH_EXTERNAL 14 | resolution: DNS 15 | endpoints: 16 | - address: >- 17 | istio-ingressgateway-istio-system-tenant-4.apps.cluster-ac6a.ac6a.sandbox1173.opentlc.com 18 | labels: 19 | cluster: primary 20 | locality: primary 21 | ports: 22 | http: 80 23 | - address: >- 24 | istio-ingressgateway-istio-system-tenant-4.apps.rosa-e532.qxhy.p1.openshiftapps.com 25 | labels: 26 | cluster: secondary 27 | locality: secondary 28 | ports: 29 | http: 80 30 | --- 31 | kind: DestinationRule 32 | apiVersion: networking.istio.io/v1alpha3 33 | metadata: 34 | name: egress-for-target-sunset-destination-rule 35 | namespace: istio-system-tenant-4 36 | spec: 37 | host: hello.remote.com 38 | trafficPolicy: 39 | connectionPool: 40 | http: 41 | http1MaxPendingRequests: 5 42 | http2MaxRequests: 5 43 | maxRetries: 5 44 | subsets: 45 | - name: target-subset 46 | 
trafficPolicy: 47 | loadBalancer: 48 | simple: ROUND_ROBIN 49 | --- 50 | kind: Gateway 51 | apiVersion: networking.istio.io/v1alpha3 52 | metadata: 53 | name: istio-egressgateway 54 | namespace: istio-system-tenant-4 55 | spec: 56 | servers: 57 | - hosts: 58 | - '*' 59 | port: 60 | name: http 61 | number: 80 62 | protocol: HTTP 63 | selector: 64 | istio: egressgateway 65 | --- 66 | kind: VirtualService 67 | apiVersion: networking.istio.io/v1alpha3 68 | metadata: 69 | name: gateway-routing 70 | namespace: istio-system-tenant-4 71 | spec: 72 | hosts: 73 | - hello.remote.com 74 | gateways: 75 | - mesh 76 | - istio-egressgateway 77 | http: 78 | - match: 79 | - gateways: 80 | - mesh 81 | port: 80 82 | route: 83 | - destination: 84 | host: istio-egressgateway.istio-system-tenant-4.svc.cluster.local 85 | - match: 86 | - gateways: 87 | - istio-egressgateway 88 | port: 80 89 | route: 90 | - destination: 91 | host: hello.remote.com 92 | subset: target-subset 93 | weight: 100 94 | exportTo: 95 | - '*' 96 | 97 | 98 | 99 | 100 | 101 | 102 | 103 | 104 | 105 | 106 | 107 | 108 | 109 | 110 | 111 | 112 | 113 | -------------------------------------------------------------------------------- /coded-services/quarkus-rest-client-greeting/ISTIO-YAML/istio-hello-client-gateway.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: networking.istio.io/v1alpha3 2 | kind: Gateway 3 | metadata: 4 | name: rest-client-gateway 5 | spec: 6 | selector: 7 | istio: ingressgateway # use istio default controller 8 | servers: 9 | - port: 10 | number: 80 11 | name: http 12 | protocol: HTTP 13 | hosts: 14 | - "*" 15 | --- 16 | apiVersion: networking.istio.io/v1alpha3 17 | kind: VirtualService 18 | metadata: 19 | name: rest-client-greeting 20 | spec: 21 | hosts: 22 | - "*" 23 | gateways: 24 | - rest-client-gateway 25 | http: 26 | - match: 27 | - uri: 28 | prefix: /say 29 | route: 30 | - destination: 31 | host: rest-client-greeting 32 | port: 33 | number: 
8080
--------------------------------------------------------------------------------
/coded-services/quarkus-rest-client-greeting/ISTIO-YAML/test-DR-Target-Subset.yaml:
--------------------------------------------------------------------------------
# DestinationRule for the external host hello.remote.com (declared by the
# ServiceEntry in test-SE.yaml). It caps pending requests / retries and ejects
# endpoints that keep failing; the locality failover block is commented out,
# so the subset is balanced round-robin only.
kind: DestinationRule
apiVersion: networking.istio.io/v1alpha3
metadata:
  name: egress-for-target-sunset-destination-rule
  # namespace: istio-system
spec:
  host: hello.remote.com
  trafficPolicy:
    connectionPool:
      http:
        http1MaxPendingRequests: 5
        http2MaxRequests: 5
        maxRetries: 5
  subsets:
  - name: target-subset
    trafficPolicy:
      loadBalancer:
        simple: ROUND_ROBIN
        # localityLbSetting:
        #   enabled: true
        #   failover:
        #   - from: primary
        #     to: secondary
      # Eject an endpoint for 1m after 3 consecutive errors, sampled every 10s.
      outlierDetection:
        baseEjectionTime: 1m
        consecutiveErrors: 3
        interval: 10s
--------------------------------------------------------------------------------
/coded-services/quarkus-rest-client-greeting/ISTIO-YAML/test-GW.yaml:
--------------------------------------------------------------------------------
# Egress Gateway bound to the pods labelled istio=egressgateway.
# NOTE(review): the listener is plain HTTP on port 80 and accepts any host
# ("*"). No TLS origination toward hello.remote.com appears in these files, so
# the hop from the egress gateway to the remote cluster is presumably
# cleartext — confirm. What actually leaves the mesh through this gateway is
# bounded by the VirtualService/ServiceEntry that reference it; if this config
# is reused outside the lab, narrow `hosts` to the intended external names.
apiVersion: networking.istio.io/v1alpha3
kind: Gateway
metadata:
  name: istio-egressgateway
  # namespace: istio-system
spec:
  selector:
    istio: egressgateway
  servers:
  - port:
      number: 80
      name: http
      protocol: HTTP
    hosts:
    - "*"
--------------------------------------------------------------------------------
/coded-services/quarkus-rest-client-greeting/ISTIO-YAML/test-SE.yaml:
--------------------------------------------------------------------------------
# ServiceEntry that makes hello.remote.com (MESH_EXTERNAL, DNS-resolved) a
# routable destination; its endpoints are the ingress gateways of the two
# clusters, each tagged with a cluster/locality label.
kind: ServiceEntry
apiVersion: networking.istio.io/v1alpha3
metadata:
  name: remote-getting-started
  # namespace: istio-system
spec:
  hosts:
  - hello.remote.com
  ports:
  - name: http
    number: 80
    protocol: HTTP
  location: MESH_EXTERNAL
  resolution: DNS
  endpoints:
  - address:
istio-ingressgateway-istio-system.apps.cluster-1139.1139.sandbox724.opentlc.com 17 | locality: primary 18 | labels: 19 | cluster: primary 20 | ports: 21 | http: 80 22 | - address: istio-ingressgateway-istio-system.apps.rosa-1194.6d0b.p1.openshiftapps.com 23 | locality: secondary 24 | labels: 25 | cluster: secondary 26 | ports: 27 | http: 80 28 | # exportTo: 29 | # - istio-system 30 | -------------------------------------------------------------------------------- /coded-services/quarkus-rest-client-greeting/ISTIO-YAML/test-VS.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: networking.istio.io/v1alpha3 2 | kind: VirtualService 3 | metadata: 4 | name: gateway-routing 5 | # namespace: istio-system #(using namespace in gateways below to point to correct gateway rather than placing in istio-system) 6 | spec: 7 | hosts: 8 | - hello.remote.com 9 | exportTo: 10 | - "*" 11 | gateways: 12 | - mesh 13 | # reverted - istio-system/istio-egressgateway 14 | - istio-egressgateway 15 | http: 16 | - match: 17 | - port: 80 18 | gateways: 19 | - mesh 20 | route: 21 | - destination: 22 | host: istio-egressgateway.istio-system.svc.cluster.local 23 | - match: 24 | - port: 80 25 | gateways: 26 | - istio-egressgateway 27 | route: 28 | - destination: 29 | host: hello.remote.com 30 | subset: target-subset 31 | weight: 100 32 | -------------------------------------------------------------------------------- /coded-services/quarkus-rest-client-greeting/README.md: -------------------------------------------------------------------------------- 1 | Quarkus guide: https://quarkus.io/guides/rest-client 2 | -------------------------------------------------------------------------------- /coded-services/quarkus-rest-client-greeting/src/main/docker/Dockerfile.jvm: -------------------------------------------------------------------------------- 1 | #### 2 | # This Dockerfile is used in order to build a container that runs the Quarkus application 
in JVM mode
#
# Before building the container image run:
#
# ./mvnw package
#
# Then, build the image with:
#
# docker build -f src/main/docker/Dockerfile.jvm -t quarkus/rest-client-jvm .
#
# Then run the container using:
#
# docker run -i --rm -p 8080:8080 quarkus/rest-client-jvm
#
# If you want to include the debug port into your docker image
# you will have to expose the debug port (default 5005) like this : EXPOSE 8080 5005
#
# Then run the container using :
#
# docker run -i --rm -p 8080:8080 -p 5005:5005 -e JAVA_ENABLE_DEBUG="true" quarkus/rest-client-jvm
#
###
# NOTE(review): `8.3` is a mutable tag; pinning the base image by digest makes
# rebuilds reproducible and lets you audit exactly what shipped.
FROM registry.access.redhat.com/ubi8/ubi-minimal:8.3

ARG JAVA_PACKAGE=java-11-openjdk-headless
ARG RUN_JAVA_VERSION=1.3.8
ENV LANG='en_US.UTF-8' LANGUAGE='en_US:en'
# Install java and the run-java script
# Also set up permissions for user `1001`
# NOTE(review): run-java.sh is downloaded at build time with no checksum or
# signature check, and `microdnf update` pulls whatever is current, so two
# builds of this file can differ and the build trusts the download path end to
# end. Verifying the script against a known digest (or vendoring it into the
# repo) closes that gap; the `chmod 540` below at least leaves it
# read/execute-only for its owner once installed.
RUN microdnf install curl ca-certificates ${JAVA_PACKAGE} \
    && microdnf update \
    && microdnf clean all \
    && mkdir /deployments \
    && chown 1001 /deployments \
    && chmod "g+rwX" /deployments \
    && chown 1001:root /deployments \
    && curl https://repo1.maven.org/maven2/io/fabric8/run-java-sh/${RUN_JAVA_VERSION}/run-java-sh-${RUN_JAVA_VERSION}-sh.sh -o /deployments/run-java.sh \
    && chown 1001 /deployments/run-java.sh \
    && chmod 540 /deployments/run-java.sh \
    && echo "securerandom.source=file:/dev/urandom" >> /etc/alternatives/jre/lib/security/java.security
# The last step points the JVM's SecureRandom seed source at /dev/urandom,
# commonly done so containers do not block waiting for entropy at startup.

# Configure the JAVA_OPTIONS, you can add -XshowSettings:vm to also display the heap size.
44 | ENV JAVA_OPTIONS="-Dquarkus.http.host=0.0.0.0 -Djava.util.logging.manager=org.jboss.logmanager.LogManager" 45 | # We make four distinct layers so if there are application changes the library layers can be re-used 46 | COPY --chown=1001 target/quarkus-app/lib/ /deployments/lib/ 47 | COPY --chown=1001 target/quarkus-app/*.jar /deployments/ 48 | COPY --chown=1001 target/quarkus-app/app/ /deployments/app/ 49 | COPY --chown=1001 target/quarkus-app/quarkus/ /deployments/quarkus/ 50 | 51 | EXPOSE 8080 52 | USER 1001 53 | 54 | ENTRYPOINT [ "/deployments/run-java.sh" ] 55 | -------------------------------------------------------------------------------- /coded-services/quarkus-rest-client-greeting/src/main/docker/Dockerfile.legacy-jar: -------------------------------------------------------------------------------- 1 | #### 2 | # This Dockerfile is used in order to build a container that runs the Quarkus application in JVM mode 3 | # 4 | # Before building the container image run: 5 | # 6 | # ./mvnw package -Dquarkus.package.type=legacy-jar 7 | # 8 | # Then, build the image with: 9 | # 10 | # docker build -f src/main/docker/Dockerfile.legacy-jar -t quarkus/rest-client-legacy-jar . 
#
# Then run the container using:
#
# docker run -i --rm -p 8080:8080 quarkus/rest-client-legacy-jar
#
# If you want to include the debug port into your docker image
# you will have to expose the debug port (default 5005) like this : EXPOSE 8080 5005
#
# Then run the container using :
#
# docker run -i --rm -p 8080:8080 -p 5005:5005 -e JAVA_ENABLE_DEBUG="true" quarkus/rest-client-legacy-jar
#
###
# NOTE(review): `8.3` is a mutable tag; pinning the base image by digest makes
# rebuilds reproducible and lets you audit exactly what shipped.
FROM registry.access.redhat.com/ubi8/ubi-minimal:8.3

ARG JAVA_PACKAGE=java-11-openjdk-headless
ARG RUN_JAVA_VERSION=1.3.8
ENV LANG='en_US.UTF-8' LANGUAGE='en_US:en'
# Install java and the run-java script
# Also set up permissions for user `1001`
# NOTE(review): run-java.sh is downloaded at build time with no checksum or
# signature check, and `microdnf update` pulls whatever is current, so two
# builds of this file can differ and the build trusts the download path end to
# end. Verifying the script against a known digest (or vendoring it into the
# repo) closes that gap; the `chmod 540` below at least leaves it
# read/execute-only for its owner once installed.
RUN microdnf install curl ca-certificates ${JAVA_PACKAGE} \
    && microdnf update \
    && microdnf clean all \
    && mkdir /deployments \
    && chown 1001 /deployments \
    && chmod "g+rwX" /deployments \
    && chown 1001:root /deployments \
    && curl https://repo1.maven.org/maven2/io/fabric8/run-java-sh/${RUN_JAVA_VERSION}/run-java-sh-${RUN_JAVA_VERSION}-sh.sh -o /deployments/run-java.sh \
    && chown 1001 /deployments/run-java.sh \
    && chmod 540 /deployments/run-java.sh \
    && echo "securerandom.source=file:/dev/urandom" >> /etc/alternatives/jre/lib/security/java.security
# The last step points the JVM's SecureRandom seed source at /dev/urandom,
# commonly done so containers do not block waiting for entropy at startup.

# Configure the JAVA_OPTIONS, you can add -XshowSettings:vm to also display the heap size.
44 | ENV JAVA_OPTIONS="-Dquarkus.http.host=0.0.0.0 -Djava.util.logging.manager=org.jboss.logmanager.LogManager" 45 | COPY target/lib/* /deployments/lib/ 46 | COPY target/*-runner.jar /deployments/app.jar 47 | 48 | EXPOSE 8080 49 | USER 1001 50 | 51 | ENTRYPOINT [ "/deployments/run-java.sh" ] 52 | -------------------------------------------------------------------------------- /coded-services/quarkus-rest-client-greeting/src/main/docker/Dockerfile.native: -------------------------------------------------------------------------------- 1 | #### 2 | # This Dockerfile is used in order to build a container that runs the Quarkus application in native (no JVM) mode 3 | # 4 | # Before building the container image run: 5 | # 6 | # ./mvnw package -Pnative 7 | # 8 | # Then, build the image with: 9 | # 10 | # docker build -f src/main/docker/Dockerfile.native -t quarkus/rest-client . 11 | # 12 | # Then run the container using: 13 | # 14 | # docker run -i --rm -p 8080:8080 quarkus/rest-client 15 | # 16 | ### 17 | FROM registry.access.redhat.com/ubi8/ubi-minimal:8.3 18 | WORKDIR /work/ 19 | RUN chown 1001 /work \ 20 | && chmod "g+rwX" /work \ 21 | && chown 1001:root /work 22 | COPY --chown=1001:root target/*-runner /work/application 23 | 24 | EXPOSE 8080 25 | USER 1001 26 | 27 | CMD ["./application", "-Dquarkus.http.host=0.0.0.0"] 28 | -------------------------------------------------------------------------------- /coded-services/quarkus-rest-client-greeting/src/main/docker/Dockerfile.native-distroless: -------------------------------------------------------------------------------- 1 | #### 2 | # This Dockerfile is used in order to build a distroless container that runs the Quarkus application in native (no JVM) mode 3 | # 4 | # Before building the container image run: 5 | # 6 | # ./mvnw package -Pnative 7 | # 8 | # Then, build the image with: 9 | # 10 | # docker build -f src/main/docker/Dockerfile.native-distroless -t quarkus/rest-client . 
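#
# Then run the container using:
#
# docker run -i --rm -p 8080:8080 quarkus/rest-client
#
###
FROM quay.io/quarkus/quarkus-distroless-image:1.0
COPY target/*-runner /application

EXPOSE 8080
USER nonroot

CMD ["./application", "-Dquarkus.http.host=0.0.0.0"]
--------------------------------------------------------------------------------
/coded-services/quarkus-rest-client-greeting/src/main/java/org/acme/rest/client/CountriesResource.java:
--------------------------------------------------------------------------------
package org.acme.rest.client;

import java.util.Set;
import java.util.concurrent.CompletionStage;

import javax.inject.Inject;
import javax.ws.rs.GET;
import javax.ws.rs.Path;
import javax.ws.rs.Produces;
import javax.ws.rs.core.MediaType;

import org.eclipse.microprofile.rest.client.inject.RestClient;
import org.jboss.resteasy.annotations.jaxrs.PathParam;

import io.smallrye.mutiny.Uni;

/**
 * JAX-RS front end under {@code /country} that proxies country lookups to the
 * {@link CountriesService} MicroProfile REST client. The three endpoints are
 * the same lookup in three return styles: blocking {@link Set},
 * {@link CompletionStage}, and Mutiny {@link Uni}.
 *
 * The listing this was taken from had the generic type arguments stripped
 * (e.g. {@code CompletionStage>}); they are restored here as
 * {@code Set<Country>}, matching the {@link Country} model in this package.
 */
@Path("/country")
public class CountriesResource {

    /** Remote client; its base URL comes from MicroProfile config (mp-rest/url). */
    @Inject
    @RestClient
    CountriesService countriesService;

    /**
     * GET /country/name/{name}: blocking lookup.
     *
     * @param name the {@code {name}} path segment, passed straight through to
     *             the remote client's own {@code {name}} template
     * @return the countries the remote service returned for that name
     */
    @GET
    @Path("/name/{name}")
    @Produces(MediaType.APPLICATION_JSON)
    public Set<Country> name(@PathParam String name) {
        return countriesService.getByName(name);
    }

    /**
     * GET /country/name-async/{name}: same lookup, completed asynchronously.
     *
     * @param name the {@code {name}} path segment, forwarded unchanged
     * @return a stage that completes with the remote service's result
     */
    @GET
    @Path("/name-async/{name}")
    @Produces(MediaType.APPLICATION_JSON)
    public CompletionStage<Set<Country>> nameAsync(@PathParam String name) {
        return countriesService.getByNameAsync(name);
    }

    /**
     * GET /country/name-uni/{name}: same lookup as a Mutiny {@link Uni}.
     *
     * @param name the {@code {name}} path segment, forwarded unchanged
     * @return a Uni that emits the remote service's result
     */
    @GET
    @Path("/name-uni/{name}")
    @Produces(MediaType.APPLICATION_JSON)
    public Uni<Set<Country>> nameMutiny(@PathParam String name) {
        return countriesService.getByNameAsUni(name);
    }
}
--------------------------------------------------------------------------------
/coded-services/quarkus-rest-client-greeting/src/main/java/org/acme/rest/client/CountriesService.java: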
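--------------------------------------------------------------------------------
package org.acme.rest.client;

import java.util.Set;
import java.util.concurrent.CompletionStage;

import javax.ws.rs.GET;
import javax.ws.rs.Path;
import javax.ws.rs.Produces;

import org.eclipse.microprofile.rest.client.inject.RegisterRestClient;
import org.jboss.resteasy.annotations.jaxrs.PathParam;

import io.smallrye.mutiny.Uni;

/**
 * MicroProfile REST client for the countries API, rooted at {@code /v2} of the
 * configured base URL ({@code org.acme.rest.client.CountriesService/mp-rest/url}
 * in application.properties; that key is commented out in this project's
 * properties file, so the URL must come from another config source — confirm).
 *
 * The listing this was taken from had the generic type arguments stripped;
 * they are restored here as {@code Set<Country>}.
 */
@Path("/v2")
@RegisterRestClient
public interface CountriesService {

    /**
     * GET /v2/name/{name}, blocking.
     *
     * @param name value substituted into the {@code {name}} template
     * @return the countries matching {@code name}
     */
    @GET
    @Path("/name/{name}")
    @Produces("application/json")
    Set<Country> getByName(@PathParam String name);

    /**
     * GET /v2/name/{name}, completed asynchronously.
     *
     * @param name value substituted into the {@code {name}} template
     * @return a stage completing with the matching countries
     */
    @GET
    @Path("/name/{name}")
    @Produces("application/json")
    CompletionStage<Set<Country>> getByNameAsync(@PathParam String name);

    /**
     * GET /v2/name/{name}, as a Mutiny {@link Uni}.
     *
     * @param name value substituted into the {@code {name}} template
     * @return a Uni emitting the matching countries
     */
    @GET
    @Path("/name/{name}")
    @Produces("application/json")
    Uni<Set<Country>> getByNameAsUni(@PathParam String name);
}
--------------------------------------------------------------------------------
/coded-services/quarkus-rest-client-greeting/src/main/java/org/acme/rest/client/Country.java:
--------------------------------------------------------------------------------
package org.acme.rest.client;

import java.util.List;

import com.fasterxml.jackson.annotation.JsonIgnoreProperties;

/**
 * Jackson model for one entry of the countries API response. Unknown JSON
 * properties are ignored, so the remote schema may carry more fields than
 * are mapped here.
 */
@JsonIgnoreProperties(ignoreUnknown = true)
public class Country {

    public String name;
    public String alpha2Code;
    public String capital;
    /** Currencies of the country; element type restored from the stripped listing. */
    public List<Currency> currencies;

    /** One currency entry as returned by the remote API. */
    public static class Currency {
        public String code;
        public String name;
        public String symbol;
    }

}
--------------------------------------------------------------------------------
/coded-services/quarkus-rest-client-greeting/src/main/java/org/acme/rest/client/GreetingsResource.java:
--------------------------------------------------------------------------------
package org.acme.rest.client;
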
import java.util.Set;
import java.util.concurrent.CompletionStage;

import javax.inject.Inject;
import javax.ws.rs.GET;
import javax.ws.rs.Path;
import javax.ws.rs.Produces;
import javax.ws.rs.core.MediaType;

import org.eclipse.microprofile.rest.client.inject.RestClient;
import org.jboss.resteasy.annotations.jaxrs.PathParam;

import io.smallrye.mutiny.Uni;

/**
 * JAX-RS resource under {@code /say} that forwards to the remote greeting
 * service through the {@link GreetingsService} REST client (base URL from
 * {@code org.acme.rest.client.GreetingsService/mp-rest/url} in
 * application.properties).
 *
 * Both endpoints declare {@code application/json} but return the remote
 * service's {@code text/plain} body as a bare {@link String}, so the response
 * is not JSON-encoded. NOTE(review): declare TEXT_PLAIN or wrap the value in a
 * JSON structure so the declared and actual content types agree.
 * (The Set/CompletionStage/Uni imports are unused here.)
 */
@Path("/say")
public class GreetingsResource {

    @Inject
    @RestClient
    GreetingsService greetingsServiceService;

    /**
     * GET /say/hello: returns whatever the remote service answers on its
     * {@code /hello} endpoint.
     *
     * @param name unbound — the {@code @Path} template has no {@code {name}}
     *             segment, so nothing populates this parameter and the body
     *             does not use it. NOTE(review): remove it, or add
     *             {@code {name}} to the path; confirm how RESTEasy treats an
     *             unmatched {@code @PathParam} before relying on either.
     * @return the remote greeting
     */
    @GET
    @Path("/hello")
    @Produces(MediaType.APPLICATION_JSON)
    public String hello(@PathParam String name) {
        return greetingsServiceService.getSimpleHello();
    }

    /**
     * GET /say/goodday-to/{name}: fetches the remote greeting for {@code name}
     * and appends a fixed suffix.
     *
     * @param name the path segment, handed to the remote client as its own
     *             {@code {name}} template value (presumably URL-encoded by
     *             the client; nothing here validates its length or content)
     * @return the remote greeting followed by ". And have a good day!"
     */
    @GET
    @Path("/goodday-to/{name}")
    @Produces(MediaType.APPLICATION_JSON)
    public String goodday(@PathParam String name) {
        return greetingsServiceService.getGreeting(name)+ ". And have a good day!";
    }

}
--------------------------------------------------------------------------------
/coded-services/quarkus-rest-client-greeting/src/main/java/org/acme/rest/client/GreetingsService.java:
--------------------------------------------------------------------------------
package org.acme.rest.client;

import java.util.Set;
import java.util.concurrent.CompletionStage;

import javax.ws.rs.GET;
import javax.ws.rs.Path;
import javax.ws.rs.Produces;
import javax.ws.rs.core.MediaType;

import org.eclipse.microprofile.rest.client.inject.RegisterRestClient;
import org.jboss.resteasy.annotations.jaxrs.PathParam;

import io.smallrye.mutiny.Uni;

/**
 * MicroProfile REST client for the remote greeting service, rooted at
 * {@code /hello} of the base URL configured under
 * {@code org.acme.rest.client.GreetingsService/mp-rest/url}. Both calls expect
 * {@code text/plain}.
 * (The Set/CompletionStage/Uni imports are unused here.)
 */
@Path("/hello")
@RegisterRestClient
public interface GreetingsService {


    /**
     * GET /hello/greeting/{name}.
     *
     * @param name value substituted into the {@code {name}} template
     * @return the remote service's plain-text greeting
     */
    @GET
    @Produces(MediaType.TEXT_PLAIN)
    @Path("/greeting/{name}")
    String getGreeting(@PathParam String name);

    /**
     * GET /hello.
     *
     * @return the remote service's plain-text response
     */
    @GET
    @Produces(MediaType.TEXT_PLAIN)
    String getSimpleHello() ;

}
--------------------------------------------------------------------------------
/coded-services/quarkus-rest-client-greeting/src/main/resources/application.properties:
--------------------------------------------------------------------------------
# NOTE(review): the CountriesService URL is commented out, so that REST client
# has no base URL unless another config source supplies one — confirm before
# relying on the /country endpoints.
#org.acme.rest.client.CountriesService/mp-rest/url=https://restcountries.eu/rest
#org.acme.rest.client.GreetingsService/mp-rest/url=http://istio-ingressgateway-istio-system.apps.cluster-1139.1139.sandbox724.opentlc.com
#org.acme.rest.client.GreetingsService/mp-rest/url=http://istio-ingressgateway-istio-system.apps.rosa-1194.6d0b.p1.openshiftapps.com

#Local working b4
#org.acme.rest.client.GreetingsService/mp-rest/url=http://istio-egressgateway.istio-system.svc.cluster.local
# Base URL of the GreetingsService REST client. GREETINGS_SVC_LOCATION overrides
# the in-cluster default at deploy time. The default is http://, so any
# transport protection presumably comes from the mesh sidecar rather than from
# this client — confirm mTLS is enforced for that destination.
org.acme.rest.client.GreetingsService/mp-rest/url=${GREETINGS_SVC_LOCATION:http://rest-greeting-remote.greetings-service.svc.cluster.local:8080}

# Remote External Service Route
#org.acme.rest.client.GreetingsService/mp-rest/url=http://hello.remote.com
# NOTE(review): trust-certs=true makes the Kubernetes client accept any
# API-server certificate without chain validation, so it cannot tell a genuine
# API server from an impersonated one. Acceptable on a throwaway lab cluster;
# for anything shared or long-lived remove it and trust the cluster CA instead.
quarkus.kubernetes-client.trust-certs=true


#Manipulate Deployment
quarkus.openshift.labels.app=rest-client-greeting
quarkus.openshift.labels.version=v1
quarkus.openshift.deployment-kind=Deployment

# Build the svc as image and Deploy the svc to registry
# ./mvnw quarkus:add-extension -Dextensions="container-image-docker"
# quarkus.container-image.build=true
# quarkus.container-image.push=true
# quarkus.container-image.builder=podman
# quarkus.container-image.image=quay.io/skoussou/rest-client-greeting:1.0.0
# quarkus.container-image.tag=1.0.0
--------------------------------------------------------------------------------
/coded-services/quarkus-rest-client-greeting/src/test/java/org/acme/rest/client/CountriesResourceIT.java:
--------------------------------------------------------------------------------
package org.acme.rest.client;

import
io.quarkus.test.junit.NativeImageTest; 4 | 5 | @NativeImageTest 6 | public class CountriesResourceIT extends CountriesResourceTest { 7 | 8 | // Run the same tests 9 | 10 | } -------------------------------------------------------------------------------- /coded-services/quarkus-rest-client-greeting/src/test/java/org/acme/rest/client/CountriesResourceTest.java: -------------------------------------------------------------------------------- 1 | package org.acme.rest.client; 2 | 3 | import static io.restassured.RestAssured.given; 4 | import static org.hamcrest.CoreMatchers.is; 5 | 6 | import org.junit.jupiter.api.Test; 7 | 8 | import io.quarkus.test.junit.QuarkusTest; 9 | 10 | @QuarkusTest 11 | public class CountriesResourceTest { 12 | 13 | @Test 14 | public void testCountryNameEndpoint() { 15 | given() 16 | .when().get("/country/name/greece") 17 | .then() 18 | .statusCode(200) 19 | .body("$.size()", is(1), 20 | "[0].alpha2Code", is("GR"), 21 | "[0].capital", is("Athens"), 22 | "[0].currencies.size()", is(1), 23 | "[0].currencies[0].name", is("Euro")); 24 | } 25 | 26 | @Test 27 | public void testCountryNameAsyncEndpoint() { 28 | given() 29 | .when().get("/country/name-async/greece") 30 | .then() 31 | .statusCode(200) 32 | .body("$.size()", is(1), 33 | "[0].alpha2Code", is("GR"), 34 | "[0].capital", is("Athens"), 35 | "[0].currencies.size()", is(1), 36 | "[0].currencies[0].name", is("Euro")); 37 | } 38 | 39 | @Test 40 | public void testCountryNameMutinyEndpoint() { 41 | given() 42 | .when().get("/country/name-uni/greece") 43 | .then() 44 | .statusCode(200) 45 | .body("$.size()", is(1), 46 | "[0].alpha2Code", is("GR"), 47 | "[0].capital", is("Athens"), 48 | "[0].currencies.size()", is(1), 49 | "[0].currencies[0].name", is("Euro")); 50 | } 51 | } 52 | -------------------------------------------------------------------------------- /coded-services/quarkus-rest-greeting-remote/.dockerignore: -------------------------------------------------------------------------------- 
1 | * 2 | !target/*-runner 3 | !target/*-runner.jar 4 | !target/lib/* 5 | !target/quarkus-app/ 6 | -------------------------------------------------------------------------------- /coded-services/quarkus-rest-greeting-remote/.gitignore: -------------------------------------------------------------------------------- 1 | # Eclipse 2 | .project 3 | .classpath 4 | .settings/ 5 | bin/ 6 | 7 | # IntelliJ 8 | .idea 9 | *.ipr 10 | *.iml 11 | *.iws 12 | 13 | # NetBeans 14 | nb-configuration.xml 15 | 16 | # Visual Studio Code 17 | .vscode 18 | 19 | # OSX 20 | .DS_Store 21 | 22 | # Vim 23 | *.swp 24 | *.swo 25 | 26 | # patch 27 | *.orig 28 | *.rej 29 | 30 | # Maven 31 | target/ 32 | pom.xml.tag 33 | pom.xml.releaseBackup 34 | pom.xml.versionsBackup 35 | release.properties -------------------------------------------------------------------------------- /coded-services/quarkus-rest-greeting-remote/.mvn/wrapper/maven-wrapper.jar: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/skoussou/servicemesh-playground/f55dd15cdeb8b770e53e44d3982a9caf934cfd6e/coded-services/quarkus-rest-greeting-remote/.mvn/wrapper/maven-wrapper.jar -------------------------------------------------------------------------------- /coded-services/quarkus-rest-greeting-remote/.mvn/wrapper/maven-wrapper.properties: -------------------------------------------------------------------------------- 1 | distributionUrl=https://repo.maven.apache.org/maven2/org/apache/maven/apache-maven/3.6.3/apache-maven-3.6.3-bin.zip 2 | wrapperUrl=https://repo.maven.apache.org/maven2/io/takari/maven-wrapper/0.5.6/maven-wrapper-0.5.6.jar 3 | -------------------------------------------------------------------------------- /coded-services/quarkus-rest-greeting-remote/.s2i/environment: -------------------------------------------------------------------------------- 1 | MAVEN_S2I_ARTIFACT_DIRS=target 2 | S2I_SOURCE_DEPLOYMENTS_FILTER=*-runner.jar lib 3 | 
JAVA_OPTIONS=-Dquarkus.http.host=0.0.0.0 4 | AB_JOLOKIA_OFF=true 5 | -------------------------------------------------------------------------------- /coded-services/quarkus-rest-greeting-remote/ISTIO-YAML/istio-hello.remote-route.yaml: -------------------------------------------------------------------------------- 1 | kind: Route 2 | apiVersion: route.openshift.io/v1 3 | metadata: 4 | name: hello-remote 5 | spec: 6 | host: hello.remote.com 7 | to: 8 | kind: Service 9 | name: istio-ingressgateway 10 | weight: 100 11 | port: 12 | targetPort: http2 13 | wildcardPolicy: None 14 | -------------------------------------------------------------------------------- /coded-services/quarkus-rest-greeting-remote/ISTIO-YAML/istio-helloworld-gateway.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: networking.istio.io/v1alpha3 2 | kind: Gateway 3 | metadata: 4 | name: rest-greeting-remote-gateway 5 | spec: 6 | selector: 7 | istio: ingressgateway # use istio default controller 8 | servers: 9 | - port: 10 | number: 80 11 | name: http 12 | protocol: HTTP 13 | hosts: 14 | - "istio-ingressgateway-.apps..com" 15 | - "hello.remote.com" 16 | --- 17 | apiVersion: networking.istio.io/v1alpha3 18 | kind: VirtualService 19 | metadata: 20 | name: rest-greeting-remote 21 | spec: 22 | hosts: 23 | - "istio-ingressgateway-.apps..com" 24 | - "hello.remote.com" 25 | gateways: 26 | - rest-greeting-remote-gateway 27 | - mesh 28 | http: 29 | - match: 30 | - uri: 31 | exact: /hello 32 | - uri: 33 | prefix: /hello 34 | route: 35 | - destination: 36 | host: rest-greeting-remote 37 | port: 38 | number: 8080 39 | -------------------------------------------------------------------------------- /coded-services/quarkus-rest-greeting-remote/README.md: -------------------------------------------------------------------------------- 1 | # Getting started with Quarkus 2 | 3 | This is a minimal CRUD service exposing a couple of endpoints over REST. 
4 | 5 | Under the hood, this demo uses: 6 | 7 | - RESTEasy to expose the REST endpoints 8 | - REST-assured and JUnit 5 for endpoint testing 9 | 10 | ## Requirements 11 | 12 | To compile and run this demo you will need: 13 | 14 | - JDK 1.8+ 15 | - GraalVM 16 | 17 | ### Configuring GraalVM and JDK 1.8+ 18 | 19 | Make sure that both the `GRAALVM_HOME` and `JAVA_HOME` environment variables have 20 | been set, and that a JDK 1.8+ `java` command is on the path. 21 | 22 | See the [Building a Native Executable guide](https://quarkus.io/guides/building-native-image-guide) 23 | for help setting up your environment. 24 | 25 | ## Building the application 26 | 27 | Launch the Maven build on the checked out sources of this demo: 28 | 29 | > ./mvnw install 30 | 31 | ### Live coding with Quarkus 32 | 33 | The Maven Quarkus plugin provides a development mode that supports 34 | live coding. To try this out: 35 | 36 | > ./mvnw quarkus:dev 37 | 38 | This command will leave Quarkus running in the foreground listening on port 8080. 39 | 40 | 1. Visit the default endpoint: [http://127.0.0.1:8080](http://127.0.0.1:8080). 41 | - Make a simple change to [src/main/resources/META-INF/resources/index.html](src/main/resources/META-INF/resources/index.html) file. 42 | - Refresh the browser to see the updated page. 43 | 2. Visit the `/hello` endpoint: [http://127.0.0.1:8080/hello](http://127.0.0.1:8080/hello) 44 | - Update the response in [src/main/java/org/acme/quickstart/GreetingResource.java](src/main/java/org/acme/quickstart/GreetingResource.java). Replace `hello` with `hello there` in the `hello()` method. 45 | - Refresh the browser. You should now see `hello there`. 46 | - Undo the change, so the method returns `hello` again. 47 | - Refresh the browser. You should now see `hello`. 48 | 49 | ### Run Quarkus in JVM mode 50 | 51 | When you're done iterating in developer mode, you can run the application as a 52 | conventional jar file. 
53 | 54 | First compile it: 55 | 56 | > ./mvnw install 57 | 58 | Then run it: 59 | 60 | > java -jar ./target/quarkus-app/quarkus-run.jar 61 | 62 | Have a look at how fast it boots, or measure the total native memory consumption. 63 | 64 | ### Run Quarkus as a native executable 65 | 66 | You can also create a native executable from this application without making any 67 | source code changes. A native executable removes the dependency on the JVM: 68 | everything needed to run the application on the target platform is included in 69 | the executable, allowing the application to run with minimal resource overhead. 70 | 71 | Compiling a native executable takes a bit longer, as GraalVM performs additional 72 | steps to remove unnecessary codepaths. Use the `native` profile to compile a 73 | native executable: 74 | 75 | > ./mvnw install -Dnative 76 | 77 | After getting a cup of coffee, you'll be able to run this executable directly: 78 | 79 | > ./target/getting-started-1.0.0-SNAPSHOT-runner 80 | -------------------------------------------------------------------------------- /coded-services/quarkus-rest-greeting-remote/src/main/docker/Dockerfile.jvm: -------------------------------------------------------------------------------- 1 | #### 2 | # This Dockerfile is used in order to build a container that runs the Quarkus application in JVM mode 3 | # 4 | # Before building the container image run: 5 | # 6 | # ./mvnw package 7 | # 8 | # Then, build the image with: 9 | # 10 | # docker build -f src/main/docker/Dockerfile.jvm -t quarkus/getting-started-jvm . 
11 | # 12 | # Then run the container using: 13 | # 14 | # docker run -i --rm -p 8080:8080 quarkus/getting-started-jvm 15 | # 16 | # If you want to include the debug port into your docker image 17 | # you will have to expose the debug port (default 5005) like this : EXPOSE 8080 5005 18 | # 19 | # Then run the container using : 20 | # 21 | # docker run -i --rm -p 8080:8080 -p 5005:5005 -e JAVA_ENABLE_DEBUG="true" quarkus/getting-started-jvm 22 | # 23 | ### 24 | FROM registry.access.redhat.com/ubi8/ubi-minimal:8.3 25 | 26 | ARG JAVA_PACKAGE=java-11-openjdk-headless 27 | ARG RUN_JAVA_VERSION=1.3.8 28 | ENV LANG='en_US.UTF-8' LANGUAGE='en_US:en' 29 | # Install java and the run-java script 30 | # Also set up permissions for user `1001` 31 | RUN microdnf install curl ca-certificates ${JAVA_PACKAGE} \ 32 | && microdnf update \ 33 | && microdnf clean all \ 34 | && mkdir /deployments \ 35 | && chown 1001 /deployments \ 36 | && chmod "g+rwX" /deployments \ 37 | && chown 1001:root /deployments \ 38 | && curl https://repo1.maven.org/maven2/io/fabric8/run-java-sh/${RUN_JAVA_VERSION}/run-java-sh-${RUN_JAVA_VERSION}-sh.sh -o /deployments/run-java.sh \ 39 | && chown 1001 /deployments/run-java.sh \ 40 | && chmod 540 /deployments/run-java.sh \ 41 | && echo "securerandom.source=file:/dev/urandom" >> /etc/alternatives/jre/lib/security/java.security 42 | 43 | # Configure the JAVA_OPTIONS, you can add -XshowSettings:vm to also display the heap size. 
44 | ENV JAVA_OPTIONS="-Dquarkus.http.host=0.0.0.0 -Djava.util.logging.manager=org.jboss.logmanager.LogManager" 45 | # We make four distinct layers so if there are application changes the library layers can be re-used 46 | COPY --chown=1001 target/quarkus-app/lib/ /deployments/lib/ 47 | COPY --chown=1001 target/quarkus-app/*.jar /deployments/ 48 | COPY --chown=1001 target/quarkus-app/app/ /deployments/app/ 49 | COPY --chown=1001 target/quarkus-app/quarkus/ /deployments/quarkus/ 50 | 51 | EXPOSE 8080 52 | USER 1001 53 | 54 | ENTRYPOINT [ "/deployments/run-java.sh" ] 55 | -------------------------------------------------------------------------------- /coded-services/quarkus-rest-greeting-remote/src/main/docker/Dockerfile.legacy-jar: -------------------------------------------------------------------------------- 1 | #### 2 | # This Dockerfile is used in order to build a container that runs the Quarkus application in JVM mode 3 | # 4 | # Before building the container image run: 5 | # 6 | # ./mvnw package -Dquarkus.package.type=legacy-jar 7 | # 8 | # Then, build the image with: 9 | # 10 | # docker build -f src/main/docker/Dockerfile.legacy-jar -t quarkus/getting-started-legacy-jar . 
11 | # 12 | # Then run the container using: 13 | # 14 | # docker run -i --rm -p 8080:8080 quarkus/getting-started-legacy-jar 15 | # 16 | # If you want to include the debug port into your docker image 17 | # you will have to expose the debug port (default 5005) like this : EXPOSE 8080 5005 18 | # 19 | # Then run the container using : 20 | # 21 | # docker run -i --rm -p 8080:8080 -p 5005:5005 -e JAVA_ENABLE_DEBUG="true" quarkus/getting-started-legacy-jar 22 | # 23 | ### 24 | FROM registry.access.redhat.com/ubi8/ubi-minimal:8.3 25 | 26 | ARG JAVA_PACKAGE=java-11-openjdk-headless 27 | ARG RUN_JAVA_VERSION=1.3.8 28 | ENV LANG='en_US.UTF-8' LANGUAGE='en_US:en' 29 | # Install java and the run-java script 30 | # Also set up permissions for user `1001` 31 | RUN microdnf install curl ca-certificates ${JAVA_PACKAGE} \ 32 | && microdnf update \ 33 | && microdnf clean all \ 34 | && mkdir /deployments \ 35 | && chown 1001 /deployments \ 36 | && chmod "g+rwX" /deployments \ 37 | && chown 1001:root /deployments \ 38 | && curl https://repo1.maven.org/maven2/io/fabric8/run-java-sh/${RUN_JAVA_VERSION}/run-java-sh-${RUN_JAVA_VERSION}-sh.sh -o /deployments/run-java.sh \ 39 | && chown 1001 /deployments/run-java.sh \ 40 | && chmod 540 /deployments/run-java.sh \ 41 | && echo "securerandom.source=file:/dev/urandom" >> /etc/alternatives/jre/lib/security/java.security 42 | 43 | # Configure the JAVA_OPTIONS, you can add -XshowSettings:vm to also display the heap size. 
44 | ENV JAVA_OPTIONS="-Dquarkus.http.host=0.0.0.0 -Djava.util.logging.manager=org.jboss.logmanager.LogManager" 45 | COPY target/lib/* /deployments/lib/ 46 | COPY target/*-runner.jar /deployments/app.jar 47 | 48 | EXPOSE 8080 49 | USER 1001 50 | 51 | ENTRYPOINT [ "/deployments/run-java.sh" ] 52 | -------------------------------------------------------------------------------- /coded-services/quarkus-rest-greeting-remote/src/main/docker/Dockerfile.native: -------------------------------------------------------------------------------- 1 | #### 2 | # This Dockerfile is used in order to build a container that runs the Quarkus application in native (no JVM) mode 3 | # 4 | # Before building the container image run: 5 | # 6 | # ./mvnw package -Pnative 7 | # 8 | # Then, build the image with: 9 | # 10 | # docker build -f src/main/docker/Dockerfile.native -t quarkus/getting-started . 11 | # 12 | # Then run the container using: 13 | # 14 | # docker run -i --rm -p 8080:8080 quarkus/getting-started 15 | # 16 | ### 17 | FROM registry.access.redhat.com/ubi8/ubi-minimal:8.3 18 | WORKDIR /work/ 19 | RUN chown 1001 /work \ 20 | && chmod "g+rwX" /work \ 21 | && chown 1001:root /work 22 | COPY --chown=1001:root target/*-runner /work/application 23 | 24 | EXPOSE 8080 25 | USER 1001 26 | 27 | CMD ["./application", "-Dquarkus.http.host=0.0.0.0"] 28 | -------------------------------------------------------------------------------- /coded-services/quarkus-rest-greeting-remote/src/main/docker/Dockerfile.native-distroless: -------------------------------------------------------------------------------- 1 | #### 2 | # This Dockerfile is used in order to build a distroless container that runs the Quarkus application in native (no JVM) mode 3 | # 4 | # Before building the container image run: 5 | # 6 | # ./mvnw package -Pnative 7 | # 8 | # Then, build the image with: 9 | # 10 | # docker build -f src/main/docker/Dockerfile.native-distroless -t quarkus/getting-started . 
11 | # 12 | # Then run the container using: 13 | # 14 | # docker run -i --rm -p 8080:8080 quarkus/getting-started 15 | # 16 | ### 17 | FROM quay.io/quarkus/quarkus-distroless-image:1.0 18 | COPY target/*-runner /application 19 | 20 | EXPOSE 8080 21 | USER nonroot 22 | 23 | CMD ["./application", "-Dquarkus.http.host=0.0.0.0"] 24 | -------------------------------------------------------------------------------- /coded-services/quarkus-rest-greeting-remote/src/main/java/org/acme/getting/started/GreetingResource.java: -------------------------------------------------------------------------------- 1 | package org.acme.getting.started; 2 | 3 | import javax.inject.Inject; 4 | import javax.ws.rs.GET; 5 | import javax.ws.rs.Path; 6 | import javax.ws.rs.Produces; 7 | import javax.ws.rs.core.MediaType; 8 | 9 | import org.jboss.resteasy.annotations.jaxrs.PathParam; 10 | 11 | import org.eclipse.microprofile.config.inject.ConfigProperty; 12 | 13 | 14 | @Path("/hello") 15 | public class GreetingResource { 16 | 17 | @ConfigProperty(name = "greeting.location", defaultValue = "Local") 18 | String location; 19 | 20 | @Inject 21 | GreetingService service; 22 | 23 | @GET 24 | @Produces(MediaType.TEXT_PLAIN) 25 | @Path("/greeting/{name}") 26 | public String greeting(@PathParam String name) { 27 | return service.greeting(name); 28 | } 29 | 30 | @GET 31 | @Produces(MediaType.TEXT_PLAIN) 32 | public String hello() { 33 | //return "Hello (Remotely) "; 34 | return "Hello ("+location+") "; 35 | } 36 | } 37 | -------------------------------------------------------------------------------- /coded-services/quarkus-rest-greeting-remote/src/main/java/org/acme/getting/started/GreetingService.java: -------------------------------------------------------------------------------- 1 | package org.acme.getting.started; 2 | 3 | import javax.enterprise.context.ApplicationScoped; 4 | import org.eclipse.microprofile.config.inject.ConfigProperty; 5 | 6 | @ApplicationScoped 7 | public class GreetingService { 
8 | 9 | @ConfigProperty(name = "greeting.location", defaultValue = "Local") 10 | String location; 11 | 12 | public String greeting(String name) { 13 | //return "Greetings (Remotely) " + name; 14 | return "Greetings ("+location+") " + name; 15 | } 16 | 17 | } 18 | -------------------------------------------------------------------------------- /coded-services/quarkus-rest-greeting-remote/src/main/java/org/acme/getting/started/StatusResource.java: -------------------------------------------------------------------------------- 1 | package org.acme.getting.started; 2 | 3 | import javax.inject.Inject; 4 | import javax.ws.rs.GET; 5 | import javax.ws.rs.Path; 6 | import javax.ws.rs.Produces; 7 | import javax.ws.rs.core.MediaType; 8 | //import javax.ws.rs.BadRequestException; 9 | import javax.ws.rs.ServerErrorException; 10 | 11 | import org.jboss.resteasy.annotations.jaxrs.PathParam; 12 | 13 | import org.eclipse.microprofile.config.inject.ConfigProperty; 14 | 15 | import org.acme.getting.started.StatusSetResource; 16 | 17 | @Path("/status") 18 | public class StatusResource { 19 | 20 | @Inject 21 | StatusSetResource sr; 22 | 23 | // @ConfigProperty(name = "error.flag", defaultValue = "fail") 24 | // String flag; 25 | 26 | @GET 27 | @Produces(MediaType.TEXT_PLAIN) 28 | @Path("/check") 29 | public String greeting() { 30 | // if (flag.equals("fail")){ 31 | if (sr.getFlag().equals("fail")){ 32 | // throw new BadRequestException(); 33 | throw new ServerErrorException(503); 34 | } 35 | return "success"; 36 | } 37 | 38 | } 39 | -------------------------------------------------------------------------------- /coded-services/quarkus-rest-greeting-remote/src/main/java/org/acme/getting/started/StatusSetResource.java: -------------------------------------------------------------------------------- 1 | package org.acme.getting.started; 2 | 3 | import javax.inject.Inject; 4 | import javax.ws.rs.GET; 5 | import javax.ws.rs.Path; 6 | import javax.ws.rs.Produces; 7 | import 
javax.ws.rs.core.MediaType; 8 | //import javax.ws.rs.BadRequestException; 9 | import javax.ws.rs.ServerErrorException; 10 | 11 | import org.jboss.resteasy.annotations.jaxrs.PathParam; 12 | 13 | import org.eclipse.microprofile.config.inject.ConfigProperty; 14 | 15 | import javax.enterprise.context.ApplicationScoped; 16 | 17 | 18 | @ApplicationScoped 19 | @Path("/status") 20 | public class StatusSetResource { 21 | 22 | @ConfigProperty(name = "error.flag", defaultValue = "fail") 23 | String flag; 24 | 25 | 26 | @GET 27 | @Produces(MediaType.TEXT_PLAIN) 28 | @Path("/set/{flag}") 29 | public void setStatusFlag(@PathParam("flag")String flagValue) { 30 | System.out.println("FlagValue(b4)="+this.flag); 31 | this.flag=flagValue; 32 | System.out.println("FlagValue(af)="+this.flag); 33 | } 34 | 35 | public String getFlag(){ 36 | System.out.println("FlagValue="+this.flag); 37 | return flag; 38 | } 39 | 40 | } 41 | -------------------------------------------------------------------------------- /coded-services/quarkus-rest-greeting-remote/src/main/resources/application.properties: -------------------------------------------------------------------------------- 1 | # Quarkus Configuration file 2 | # key = value 3 | 4 | quarkus.kubernetes-client.trust-certs=true 5 | 6 | greeting.location=${GREETING_LOCATION:Local Cluster} 7 | 8 | # copied from quarkus-rest-503 9 | error.flag=${ERROR_FLAG:fail} 10 | 11 | quarkus.openshift.labels.app=rest-greeting-remote 12 | quarkus.openshift.labels.version=v1 13 | quarkus.openshift.deployment-kind=Deployment 14 | -------------------------------------------------------------------------------- /coded-services/quarkus-rest-greeting-remote/src/test/java/org/acme/getting/started/GreetingResourceTest.java: -------------------------------------------------------------------------------- 1 | package org.acme.getting.started; 2 | 3 | import static io.restassured.RestAssured.given; 4 | import static org.hamcrest.CoreMatchers.is; 5 | 6 | import 
java.util.UUID; 7 | 8 | import org.junit.jupiter.api.Test; 9 | 10 | import io.quarkus.test.junit.QuarkusTest; 11 | 12 | @QuarkusTest 13 | public class GreetingResourceTest { 14 | 15 | @Test 16 | public void testHelloEndpoint() { 17 | given() 18 | .when().get("/hello") 19 | .then() 20 | .statusCode(200) 21 | .body(is("hello")); 22 | } 23 | 24 | @Test 25 | public void testGreetingEndpoint() { 26 | String uuid = UUID.randomUUID().toString(); 27 | given() 28 | .pathParam("name", uuid) 29 | .when().get("/hello/greeting/{name}") 30 | .then() 31 | .statusCode(200) 32 | .body(is("hello " + uuid)); 33 | } 34 | 35 | } 36 | -------------------------------------------------------------------------------- /coded-services/quarkus-rest-greeting-remote/src/test/java/org/acme/getting/started/NativeGreetingResourceIT.java: -------------------------------------------------------------------------------- 1 | package org.acme.getting.started; 2 | 3 | import io.quarkus.test.junit.NativeImageTest; 4 | 5 | @NativeImageTest 6 | public class NativeGreetingResourceIT extends GreetingResourceTest { 7 | 8 | // Execute the same tests but in native mode. 
9 | } -------------------------------------------------------------------------------- /scripts/add-operators-subscriptions-sm-2.1-MANUAL.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | 3 | echo "oc create ns openshift-operators-redhat" 4 | oc create ns openshift-operators-redhat 5 | sleep 4 6 | echo "################# Adding Operator elasticsearch-operator #################" 7 | echo ' 8 | apiVersion: operators.coreos.com/v1alpha1 9 | kind: Subscription 10 | metadata: 11 | name: elasticsearch-operator 12 | namespace: openshift-operators-redhat 13 | spec: 14 | channel: "4.6" 15 | installPlanApproval: Manual 16 | name: elasticsearch-operator 17 | source: redhat-operators 18 | sourceNamespace: openshift-marketplace 19 | startingCSV: elasticsearch-operator.4.6.0-202110262229 20 | ' 21 | 22 | echo 'apiVersion: operators.coreos.com/v1alpha1 23 | kind: Subscription 24 | metadata: 25 | name: elasticsearch-operator 26 | spec: 27 | channel: "4.6" 28 | installPlanApproval: Manual 29 | name: elasticsearch-operator 30 | source: redhat-operators 31 | sourceNamespace: openshift-marketplace 32 | startingCSV: elasticsearch-operator.4.6.0-202110262229' | oc apply -f - 33 | 34 | 35 | echo 'sleeping 20s' 36 | sleep 20 37 | 38 | echo "################# Adding Operator jaeger-product #################" 39 | echo " 40 | apiVersion: operators.coreos.com/v1alpha1 41 | kind: Subscription 42 | metadata: 43 | name: jaeger-product 44 | namespace: openshift-operators 45 | spec: 46 | channel: stable 47 | installPlanApproval: Manual 48 | name: jaeger-product 49 | source: redhat-operators 50 | sourceNamespace: openshift-marketplace 51 | startingCSV: jaeger-operator.v1.24.1 52 | " 53 | 54 | echo "apiVersion: operators.coreos.com/v1alpha1 55 | kind: Subscription 56 | metadata: 57 | name: jaeger-product 58 | namespace: openshift-operators 59 | spec: 60 | channel: stable 61 | installPlanApproval: Manual 62 | name: jaeger-product 63 | source: 
redhat-operators 64 | sourceNamespace: openshift-marketplace 65 | startingCSV: jaeger-operator.v1.24.1" | oc apply -f - 66 | 67 | echo 'sleeping 20s' 68 | sleep 20 69 | 70 | 71 | echo "################# Adding Operator kiali-ossm #################" 72 | echo " 73 | apiVersion: operators.coreos.com/v1alpha1 74 | kind: Subscription 75 | metadata: 76 | name: kiali-ossm 77 | namespace: openshift-operators 78 | spec: 79 | channel: stable 80 | installPlanApproval: Manual 81 | name: kiali-ossm 82 | source: redhat-operators 83 | sourceNamespace: openshift-marketplace 84 | startingCSV: kiali-operator.v1.36.5 85 | " 86 | 87 | echo "apiVersion: operators.coreos.com/v1alpha1 88 | kind: Subscription 89 | metadata: 90 | name: kiali-ossm 91 | namespace: openshift-operators 92 | spec: 93 | channel: stable 94 | installPlanApproval: Manual 95 | name: kiali-ossm 96 | source: redhat-operators 97 | sourceNamespace: openshift-marketplace 98 | startingCSV: kiali-operator.v1.36.5" | oc apply -f - 99 | 100 | echo 'sleeping 20s' 101 | sleep 20 102 | 103 | 104 | echo "################# Adding Operator servicemeshoperator #################" 105 | echo " 106 | apiVersion: operators.coreos.com/v1alpha1 107 | kind: Subscription 108 | metadata: 109 | name: servicemeshoperator 110 | namespace: openshift-operators 111 | spec: 112 | channel: stable 113 | installPlanApproval: Manual 114 | name: servicemeshoperator 115 | source: redhat-operators 116 | sourceNamespace: openshift-marketplace 117 | startingCSV: servicemeshoperator.v2.1.0 118 | " 119 | 120 | echo "apiVersion: operators.coreos.com/v1alpha1 121 | kind: Subscription 122 | metadata: 123 | name: servicemeshoperator 124 | namespace: openshift-operators 125 | spec: 126 | channel: stable 127 | installPlanApproval: Manual 128 | name: servicemeshoperator 129 | source: redhat-operators 130 | sourceNamespace: openshift-marketplace 131 | startingCSV: servicemeshoperator.v2.1.0" | oc apply -f - 132 | 
-------------------------------------------------------------------------------- /scripts/add-operators-subscriptions-sm-2.1.1-MANUAL.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | 3 | echo "oc create ns openshift-operators-redhat" 4 | oc create ns openshift-operators-redhat 5 | sleep 4 6 | echo "################# Adding Operator elasticsearch-operator #################" 7 | echo ' 8 | apiVersion: operators.coreos.com/v1alpha1 9 | kind: Subscription 10 | metadata: 11 | name: elasticsearch-operator 12 | namespace: openshift-operators-redhat 13 | spec: 14 | channel: stable-5.3 15 | installPlanApproval: Manual 16 | name: elasticsearch-operator 17 | source: redhat-operators 18 | sourceNamespace: openshift-marketplace 19 | startingCSV: elasticsearch-operator.5.3.4-13 20 | ' | oc apply -f - 21 | 22 | echo 'apiVersion: operators.coreos.com/v1alpha1 23 | kind: Subscription 24 | metadata: 25 | name: elasticsearch-operator 26 | namespace: openshift-operators-redhat 27 | spec: 28 | channel: stable-5.3 29 | installPlanApproval: Manual 30 | name: elasticsearch-operator 31 | source: redhat-operators 32 | sourceNamespace: openshift-marketplace 33 | startingCSV: elasticsearch-operator.5.3.4-13' | oc apply -f - 34 | 35 | 36 | echo 'sleeping 20s' 37 | sleep 20 38 | 39 | operators.coreos.com/jaeger-product.openshift-operators 40 | 41 | echo "################# Adding Operator jaeger-product #################" 42 | echo " 43 | apiVersion: operators.coreos.com/v1alpha1 44 | kind: Subscription 45 | metadata: 46 | name: jaeger-product 47 | namespace: openshift-operators 48 | spec: 49 | channel: stable 50 | installPlanApproval: Manual 51 | name: jaeger-product 52 | source: redhat-operators 53 | sourceNamespace: openshift-marketplace 54 | startingCSV: jaeger-operator.v1.30.0 55 | " 56 | 57 | echo "apiVersion: operators.coreos.com/v1alpha1 58 | kind: Subscription 59 | metadata: 60 | name: jaeger-product 61 | namespace: 
openshift-operators 62 | spec: 63 | channel: stable 64 | installPlanApproval: Manual 65 | name: jaeger-product 66 | source: redhat-operators 67 | sourceNamespace: openshift-marketplace 68 | startingCSV: jaeger-operator.v1.30.0" | oc apply -f - 69 | 70 | echo 'sleeping 20s' 71 | sleep 20 72 | 73 | 74 | echo "################# Adding Operator kiali-ossm #################" 75 | echo " 76 | apiVersion: operators.coreos.com/v1alpha1 77 | kind: Subscription 78 | metadata: 79 | name: kiali-ossm 80 | namespace: openshift-operators 81 | spec: 82 | channel: stable 83 | installPlanApproval: Manual 84 | name: kiali-ossm 85 | source: redhat-operators 86 | sourceNamespace: openshift-marketplace 87 | startingCSV: kiali-operator.v1.36.7 88 | " 89 | 90 | echo "apiVersion: operators.coreos.com/v1alpha1 91 | kind: Subscription 92 | metadata: 93 | name: kiali-ossm 94 | namespace: openshift-operators 95 | spec: 96 | channel: stable 97 | installPlanApproval: Manual 98 | name: kiali-ossm 99 | source: redhat-operators 100 | sourceNamespace: openshift-marketplace 101 | startingCSV: kiali-operator.v1.36.7" | oc apply -f - 102 | 103 | echo 'sleeping 20s' 104 | sleep 20 105 | 106 | 107 | echo "################# Adding Operator servicemeshoperator #################" 108 | echo " 109 | apiVersion: operators.coreos.com/v1alpha1 110 | kind: Subscription 111 | metadata: 112 | name: servicemeshoperator 113 | namespace: openshift-operators 114 | spec: 115 | channel: stable 116 | installPlanApproval: Manual 117 | name: servicemeshoperator 118 | source: redhat-operators 119 | sourceNamespace: openshift-marketplace 120 | startingCSV: servicemeshoperator.v2.1.1 121 | " 122 | 123 | echo "apiVersion: operators.coreos.com/v1alpha1 124 | kind: Subscription 125 | metadata: 126 | name: servicemeshoperator 127 | namespace: openshift-operators 128 | spec: 129 | channel: stable 130 | installPlanApproval: Manual 131 | name: servicemeshoperator 132 | source: redhat-operators 133 | sourceNamespace: 
openshift-marketplace 134 | startingCSV: servicemeshoperator.v2.1.1" | oc apply -f - 135 | -------------------------------------------------------------------------------- /scripts/add-operators-subscriptions-sm-2.1.1.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | 3 | echo "oc create ns openshift-operators-redhat" 4 | oc create ns openshift-operators-redhat 5 | sleep 4 6 | echo "################# Adding Operator elasticsearch-operator #################" 7 | echo ' 8 | apiVersion: operators.coreos.com/v1alpha1 9 | kind: Subscription 10 | metadata: 11 | name: elasticsearch-operator 12 | namespace: openshift-operators-redhat 13 | spec: 14 | channel: stable-5.3 15 | installPlanApproval: Automatic 16 | name: elasticsearch-operator 17 | source: redhat-operators 18 | sourceNamespace: openshift-marketplace 19 | startingCSV: elasticsearch-operator.5.3.4-13 20 | ' | oc apply -f - 21 | 22 | echo 'apiVersion: operators.coreos.com/v1alpha1 23 | kind: Subscription 24 | metadata: 25 | name: elasticsearch-operator 26 | namespace: openshift-operators-redhat 27 | spec: 28 | channel: stable-5.3 29 | installPlanApproval: Automatic 30 | name: elasticsearch-operator 31 | source: redhat-operators 32 | sourceNamespace: openshift-marketplace 33 | startingCSV: elasticsearch-operator.5.3.4-13' | oc apply -f - 34 | 35 | 36 | echo 'sleeping 20s' 37 | sleep 20 38 | 39 | operators.coreos.com/jaeger-product.openshift-operators 40 | 41 | echo "################# Adding Operator jaeger-product #################" 42 | echo " 43 | apiVersion: operators.coreos.com/v1alpha1 44 | kind: Subscription 45 | metadata: 46 | name: jaeger-product 47 | namespace: openshift-operators 48 | spec: 49 | channel: stable 50 | installPlanApproval: Automatic 51 | name: jaeger-product 52 | source: redhat-operators 53 | sourceNamespace: openshift-marketplace 54 | startingCSV: jaeger-operator.v1.30.0 55 | " 56 | 57 | echo "apiVersion: operators.coreos.com/v1alpha1 58 
| kind: Subscription 59 | metadata: 60 | name: jaeger-product 61 | namespace: openshift-operators 62 | spec: 63 | channel: stable 64 | installPlanApproval: Automatic 65 | name: jaeger-product 66 | source: redhat-operators 67 | sourceNamespace: openshift-marketplace 68 | startingCSV: jaeger-operator.v1.30.0" | oc apply -f - 69 | 70 | echo 'sleeping 20s' 71 | sleep 20 72 | 73 | 74 | echo "################# Adding Operator kiali-ossm #################" 75 | echo " 76 | apiVersion: operators.coreos.com/v1alpha1 77 | kind: Subscription 78 | metadata: 79 | name: kiali-ossm 80 | namespace: openshift-operators 81 | spec: 82 | channel: stable 83 | installPlanApproval: Automatic 84 | name: kiali-ossm 85 | source: redhat-operators 86 | sourceNamespace: openshift-marketplace 87 | startingCSV: kiali-operator.v1.36.7 88 | " 89 | 90 | echo "apiVersion: operators.coreos.com/v1alpha1 91 | kind: Subscription 92 | metadata: 93 | name: kiali-ossm 94 | namespace: openshift-operators 95 | spec: 96 | channel: stable 97 | installPlanApproval: Automatic 98 | name: kiali-ossm 99 | source: redhat-operators 100 | sourceNamespace: openshift-marketplace 101 | startingCSV: kiali-operator.v1.36.7" | oc apply -f - 102 | 103 | echo 'sleeping 20s' 104 | sleep 20 105 | 106 | 107 | echo "################# Adding Operator servicemeshoperator #################" 108 | echo " 109 | apiVersion: operators.coreos.com/v1alpha1 110 | kind: Subscription 111 | metadata: 112 | name: servicemeshoperator 113 | namespace: openshift-operators 114 | spec: 115 | channel: stable 116 | installPlanApproval: Automatic 117 | name: servicemeshoperator 118 | source: redhat-operators 119 | sourceNamespace: openshift-marketplace 120 | startingCSV: servicemeshoperator.v2.1.1 121 | " 122 | 123 | echo "apiVersion: operators.coreos.com/v1alpha1 124 | kind: Subscription 125 | metadata: 126 | name: servicemeshoperator 127 | namespace: openshift-operators 128 | spec: 129 | channel: stable 130 | installPlanApproval: Automatic 131 | 
name: servicemeshoperator 132 | source: redhat-operators 133 | sourceNamespace: openshift-marketplace 134 | startingCSV: servicemeshoperator.v2.1.1" | oc apply -f - 135 | -------------------------------------------------------------------------------- /scripts/add-operators-subscriptions-sm-2.1.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | 3 | echo "oc create ns openshift-operators-redhat" 4 | oc create ns openshift-operators-redhat 5 | sleep 4 6 | echo "################# Adding Operator elasticsearch-operator #################" 7 | echo ' 8 | apiVersion: operators.coreos.com/v1alpha1 9 | kind: Subscription 10 | metadata: 11 | name: elasticsearch-operator 12 | namespace: openshift-operators-redhat 13 | spec: 14 | channel: "4.6" 15 | installPlanApproval: Manual 16 | name: elasticsearch-operator 17 | source: redhat-operators 18 | sourceNamespace: openshift-marketplace 19 | startingCSV: elasticsearch-operator.4.6.0-202110262229 20 | ' | oc apply -f - 21 | 22 | echo 'apiVersion: operators.coreos.com/v1alpha1 23 | kind: Subscription 24 | metadata: 25 | name: elasticsearch-operator 26 | spec: 27 | channel: "4.6" 28 | installPlanApproval: Automatic 29 | name: elasticsearch-operator 30 | source: redhat-operators 31 | sourceNamespace: openshift-marketplace 32 | startingCSV: elasticsearch-operator.4.6.0-202110262229' | oc apply -f - 33 | 34 | 35 | echo 'sleeping 20s' 36 | sleep 20 37 | 38 | operators.coreos.com/jaeger-product.openshift-operators 39 | 40 | echo "################# Adding Operator jaeger-product #################" 41 | echo " 42 | apiVersion: operators.coreos.com/v1alpha1 43 | kind: Subscription 44 | metadata: 45 | name: jaeger-product 46 | namespace: openshift-operators 47 | spec: 48 | channel: stable 49 | installPlanApproval: Automatic 50 | name: jaeger-product 51 | source: redhat-operators 52 | sourceNamespace: openshift-marketplace 53 | startingCSV: jaeger-operator.v1.24.1 54 | " 55 | 56 | echo 
"apiVersion: operators.coreos.com/v1alpha1 57 | kind: Subscription 58 | metadata: 59 | name: jaeger-product 60 | namespace: openshift-operators 61 | spec: 62 | channel: stable 63 | installPlanApproval: Automatic 64 | name: jaeger-product 65 | source: redhat-operators 66 | sourceNamespace: openshift-marketplace 67 | startingCSV: jaeger-operator.v1.24.1" | oc apply -f - 68 | 69 | echo 'sleeping 20s' 70 | sleep 20 71 | 72 | 73 | echo "################# Adding Operator kiali-ossm #################" 74 | echo " 75 | apiVersion: operators.coreos.com/v1alpha1 76 | kind: Subscription 77 | metadata: 78 | name: kiali-ossm 79 | namespace: openshift-operators 80 | spec: 81 | channel: stable 82 | installPlanApproval: Automatic 83 | name: kiali-ossm 84 | source: redhat-operators 85 | sourceNamespace: openshift-marketplace 86 | startingCSV: kiali-operator.v1.36.5 87 | " 88 | 89 | echo "apiVersion: operators.coreos.com/v1alpha1 90 | kind: Subscription 91 | metadata: 92 | name: kiali-ossm 93 | namespace: openshift-operators 94 | spec: 95 | channel: stable 96 | installPlanApproval: Automatic 97 | name: kiali-ossm 98 | source: redhat-operators 99 | sourceNamespace: openshift-marketplace 100 | startingCSV: kiali-operator.v1.36.5" | oc apply -f - 101 | 102 | echo 'sleeping 20s' 103 | sleep 20 104 | 105 | 106 | echo "################# Adding Operator servicemeshoperator #################" 107 | echo " 108 | apiVersion: operators.coreos.com/v1alpha1 109 | kind: Subscription 110 | metadata: 111 | name: servicemeshoperator 112 | namespace: openshift-operators 113 | spec: 114 | channel: stable 115 | installPlanApproval: Automatic 116 | name: servicemeshoperator 117 | source: redhat-operators 118 | sourceNamespace: openshift-marketplace 119 | startingCSV: servicemeshoperator.v2.1.0 120 | " 121 | 122 | echo "apiVersion: operators.coreos.com/v1alpha1 123 | kind: Subscription 124 | metadata: 125 | name: servicemeshoperator 126 | namespace: openshift-operators 127 | spec: 128 | channel: stable 
129 | installPlanApproval: Automatic 130 | name: servicemeshoperator 131 | source: redhat-operators 132 | sourceNamespace: openshift-marketplace 133 | startingCSV: servicemeshoperator.v2.1.0" | oc apply -f - 134 | -------------------------------------------------------------------------------- /scripts/add-operators-subscriptions-sm.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | 3 | echo "oc create ns openshift-operators-redhat" 4 | oc create ns openshift-operators-redhat 5 | sleep 4 6 | echo "################# Adding Operator elasticsearch-operator #################" 7 | echo " 8 | apiVersion: operators.coreos.com/v1alpha1 9 | kind: Subscription 10 | metadata: 11 | name: elasticsearch-operator 12 | namespace: openshift-operators-redhat 13 | spec: 14 | channel: stable-5.4 15 | installPlanApproval: Automatic 16 | name: elasticsearch-operator 17 | source: redhat-operators 18 | sourceNamespace: openshift-marketplace" | oc apply -f - 19 | echo 'apiVersion: operators.coreos.com/v1alpha1 20 | kind: Subscription 21 | metadata: 22 | name: elasticsearch-operator 23 | namespace: openshift-operators-redhat 24 | spec: 25 | channel: stable-5.4 26 | installPlanApproval: Automatic 27 | name: elasticsearch-operator 28 | source: redhat-operators 29 | sourceNamespace: openshift-marketplace | oc apply -f - ' 30 | 31 | echo 'sleeping 20s' 32 | sleep 20 33 | 34 | echo "################# Adding Operator jaeger-product #################" 35 | echo " 36 | apiVersion: operators.coreos.com/v1alpha1 37 | kind: Subscription 38 | metadata: 39 | name: jaeger-product 40 | namespace: openshift-operators 41 | spec: 42 | channel: stable 43 | installPlanApproval: Automatic 44 | name: jaeger-product 45 | source: redhat-operators 46 | sourceNamespace: openshift-marketplace 47 | " 48 | 49 | echo "apiVersion: operators.coreos.com/v1alpha1 50 | kind: Subscription 51 | metadata: 52 | name: jaeger-product 53 | namespace: openshift-operators 54 | 
spec: 55 | channel: stable 56 | installPlanApproval: Automatic 57 | name: jaeger-product 58 | source: redhat-operators 59 | sourceNamespace: openshift-marketplace" | oc apply -f - 60 | 61 | echo 'sleeping 20s' 62 | sleep 20 63 | 64 | echo "################# Adding Operator kiali-ossm #################" 65 | echo " 66 | apiVersion: operators.coreos.com/v1alpha1 67 | kind: Subscription 68 | metadata: 69 | name: kiali-ossm 70 | namespace: openshift-operators 71 | spec: 72 | channel: stable 73 | installPlanApproval: Automatic 74 | name: kiali-ossm 75 | source: redhat-operators 76 | sourceNamespace: openshift-marketplace 77 | " 78 | 79 | echo "apiVersion: operators.coreos.com/v1alpha1 80 | kind: Subscription 81 | metadata: 82 | name: kiali-ossm 83 | namespace: openshift-operators 84 | spec: 85 | channel: stable 86 | installPlanApproval: Automatic 87 | name: kiali-ossm 88 | source: redhat-operators 89 | sourceNamespace: openshift-marketplace" | oc apply -f - 90 | 91 | #echo 'sleeping 20s' 92 | sleep 20 93 | 94 | 95 | echo "################# Adding Operator servicemeshoperator #################" 96 | echo " 97 | apiVersion: operators.coreos.com/v1alpha1 98 | kind: Subscription 99 | metadata: 100 | name: servicemeshoperator 101 | namespace: openshift-operators 102 | spec: 103 | channel: stable 104 | installPlanApproval: Automatic 105 | name: servicemeshoperator 106 | source: redhat-operators 107 | sourceNamespace: openshift-marketplace 108 | " 109 | 110 | echo "apiVersion: operators.coreos.com/v1alpha1 111 | kind: Subscription 112 | metadata: 113 | name: servicemeshoperator 114 | namespace: openshift-operators 115 | spec: 116 | channel: stable 117 | installPlanApproval: Automatic 118 | name: servicemeshoperator 119 | source: redhat-operators 120 | sourceNamespace: openshift-marketplace" | oc apply -f - 121 | -------------------------------------------------------------------------------- /scripts/certs/README.adoc: 
--------------------------------------------------------------------------------
= Creating Self-Signed CA, CSR, Certificates for Client and Service side
:toc:

== Create a CA Root, Certificate Signing Request, TLS Certificate for hosted service

These instructions use self-signed certificates and are intended for lab/demo use only. In real environments, certificates issued by your organisation's PKI/CA can and should be used instead.

=== Create CA Root (Only once for client and service)

* Update/Copy & Modify `scripts/certs/app-default.conf` with the -self-signed- CA org information (`CN`, `commonName`, `DNS.1`, etc.)

    cd scripts/certs
    vim app-default.conf

* Create CA (self-signed). The CA private key `ca-root.key` is written unencrypted; keep it on the signing workstation only - it is never uploaded to the cluster.

    create-ca-root-certs-keys.sh

=== Create Certificate Signing Request, TLS Certificate for hosted service for the app (self-signed)

* Create CSR and Certificate for the app (self-signed). The script takes the openssl request config and a file prefix.

    create-app-csr-certs-keys.sh
    eg. create-app-csr-certs-keys.sh app-default.conf greeting-remote

* Verify the issued certificate chains to the CA and carries the expected `subjectAltName` (TLS clients match the SAN, not the CN):

    openssl verify -CAfile ca-root.crt greeting-remote-app.crt
    openssl x509 -in greeting-remote-app.crt -noout -text | grep -A1 'Subject Alternative Name'

=== Create OCP secret to store the certificate in `istio-system`

Only the CA certificate (`ca.crt`) goes into the secret, never `ca-root.key`.

    oc create -n istio-system secret generic greeting-remote-secret \
      --from-file=tls.key=greeting-remote-app.key \
      --from-file=tls.crt=greeting-remote-app.crt \
      --from-file=ca.crt=ca-root.crt

== Create Client Certificate

The aim is to perform MUTUAL TLS auth with the service: the client presents a certificate signed by the same (self-signed) CA created above, which the service side is expected to validate against `ca.crt`.

* Update/Copy & Modify (based on -self-signed- CA org information) `scripts/certs/app-default.conf` to `scripts/certs/app-client-openshift.conf` changing `CN`, `commonName`, `DNS.1` to eg. `rest-client-greeting.com`

    cd scripts/certs
    cp app-default.conf app-client-openshift.conf

* Create CSR, Certificate for the client app (self-signed)

    create-app-csr-certs-keys.sh
    eg.
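create-app-csr-certs-keys.sh app-client-openshift.conf greeting-client

=== Create OCP secret to store the client `greeting-client-secret` certificate in `istio-system`

    oc create -n istio-system secret generic greeting-client-secret \
      --from-file=tls.key=greeting-client-app.key \
      --from-file=tls.crt=greeting-client-app.crt \
      --from-file=ca.crt=ca-root.crt

--------------------------------------------------------------------------------
/scripts/certs/add-configure-certs-manager.sh:
--------------------------------------------------------------------------------
#!/bin/bash
#
# Install the cert-manager operator via OLM, create a CertManager instance in
# the given namespace and apply the self-signed issuer configuration.
#   $1 namespace the CertManager instance is created in (required)
# Requires a logged-in `oc` session with rights to create Subscriptions in
# openshift-operators. The issuer YAML is resolved relative to this script so
# the script works from any working directory.

set -euo pipefail

if [ $# -lt 1 ] || [ -z "$1" ]; then
  echo "usage: $0 <istio-namespace>" >&2
  exit 1
fi
ISTIO_NAMESPACE="$1"
SCRIPT_DIR="$(cd "$(dirname "$0")" && pwd)"

echo '-------------------------------------------------------------------------'
echo 'Certs Manager applied in Namespace : '"${ISTIO_NAMESPACE}"
echo '-------------------------------------------------------------------------'

# Poll until the Subscription's installed CSV reaches phase Succeeded, instead
# of sleeping a fixed time.  $1 subscription, $2 namespace, $3 timeout seconds.
wait_for_csv() {
  local name="$1" namespace="$2" timeout="${3:-300}" waited=0 csv phase
  while [ "${waited}" -lt "${timeout}" ]; do
    csv="$(oc get subscription "${name}" -n "${namespace}" -o jsonpath='{.status.installedCSV}' 2>/dev/null || true)"
    if [ -n "${csv}" ]; then
      phase="$(oc get csv "${csv}" -n "${namespace}" -o jsonpath='{.status.phase}' 2>/dev/null || true)"
      if [ "${phase}" = "Succeeded" ]; then
        echo "operator ${name} installed (${csv})"
        return 0
      fi
    fi
    sleep 5
    waited=$((waited + 5))
  done
  echo "ERROR: ${name} did not reach phase Succeeded within ${timeout}s" >&2
  return 1
}

echo "################# Subscription - cert-manager-operator #################"
# startingCSV pins the initial version, but with installPlanApproval=Automatic
# OLM still auto-upgrades along the channel afterwards - use Manual outside a lab.
echo "
apiVersion: operators.coreos.com/v1alpha1
kind: Subscription
metadata:
  name: cert-manager-operator
  namespace: openshift-operators
spec:
  channel: stable
  installPlanApproval: Automatic
  name: cert-manager-operator
  source: certified-operators
  sourceNamespace: openshift-marketplace
  startingCSV: cert-manager-operator.v1.1.0" | oc apply -f -

wait_for_csv cert-manager-operator openshift-operators

echo "################# CertManager - instance #################"
echo "
apiVersion: operator.cert-manager.io/v1alpha1
kind: CertManager
metadata:
  name: cert-manager
spec: {}" | oc apply -n "${ISTIO_NAMESPACE}" -f -

# Kept from the original: give the CertManager instance time to come up before
# applying issuers (no readiness condition is checked here).
sleep 30s

echo "################# cert-manager - Issuer Configuration #################"
oc apply -f "${SCRIPT_DIR}/certs-manager-self-signed-issuer.yaml"
--------------------------------------------------------------------------------
/scripts/certs/app-default.conf:
--------------------------------------------------------------------------------
# OpenSSL request config used by create-app-csr-certs-keys.sh.
# Copy per certificate and edit CN / commonName / DNS.1 to the hostname the
# service is reached on; TLS clients match the subjectAltName, not the CN.
[ req ]
default_bits = 2048
distinguished_name = req_distinguished_name
# Without this line the [ req_ext ] section below is never read, so the CSR
# (and therefore the issued certificate) carries no subjectAltName.
req_extensions = req_ext
prompt = no
# [ dn ] is not referenced from [ req ] (distinguished_name points at
# req_distinguished_name); kept for reference only.
[ dn ]
C = UK
O = RH
CN = greeting.remote.com
ST = Baker Street
L = London
OU=RedHat
[ req_distinguished_name ]
# NOTE(review): the ISO 3166 code for the United Kingdom is GB; openssl accepts
# any two-letter value here, so the original value is kept.
countryName = UK
stateOrProvinceName = London
localityName = London
organizationName = RedHat
commonName = greeting.remote.com
[ req_ext ]
subjectAltName = @alt_names
[alt_names]
DNS.1 = greeting.remote.com
#IP.1 = 172.16.70.24
#IP.2 = 172.16.70.184
--------------------------------------------------------------------------------
/scripts/certs/certs-manager-self-signed-issuer.yaml:
--------------------------------------------------------------------------------
# cert-manager bootstrap for the lab: a self-signed ClusterIssuer mints a CA
# certificate into the sandbox namespace, and a namespaced Issuer then signs
# leaf certificates with that CA. The CA key ends up in Secret sandbox/root-secret,
# so restrict access to that namespace accordingly. Lab use only.
apiVersion: v1
kind: Namespace
metadata:
  name: sandbox
---
# Cluster-wide issuer that only self-signs; used once to create the CA below.
apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
  name: selfsigned-issuer
spec:
  selfSigned: {}
---
# The lab CA certificate/key pair (ECDSA, 256-bit), stored in root-secret.
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: my-selfsigned-ca
  namespace: sandbox
spec:
  isCA: true
  commonName: my-selfsigned-ca
  secretName: root-secret
  privateKey:
    algorithm: ECDSA
    size: 256
  issuerRef:
    name: selfsigned-issuer
    kind: ClusterIssuer
    group: cert-manager.io
---
# Namespaced issuer backed by the CA above; reference it from Certificate
# resources in the sandbox namespace.
apiVersion: cert-manager.io/v1
kind: Issuer
metadata:
  name: my-ca-issuer
  namespace: sandbox
spec:
  ca:
    secretName: root-secret
--------------------------------------------------------------------------------
/scripts/certs/create-app-csr-certs-keys.sh:
--------------------------------------------------------------------------------
#!/bin/bash
#
# Create a key + CSR from an OpenSSL request config and sign it with the lab CA
# (ca-root.crt / ca-root.key in the current directory, see
# create-ca-root-certs-keys.sh).
#   $1 path to the openssl request config (e.g. app-default.conf)
#   $2 prefix for the output files: <prefix>-app.key / .csr / .crt
# The subjectAltName from the config's [ req_ext ] section is copied into the
# signed certificate: `openssl x509 -req` drops CSR extensions unless told
# where to read them from (-extfile/-extensions), which the original
# invocation did not do.

set -euo pipefail

if [ $# -lt 2 ] || [ -z "$1" ] || [ -z "$2" ]; then
  echo "usage: $0 <openssl-request-conf> <certs-prefix>" >&2
  exit 1
fi
LOCATION_CONF="$1"
CERTS_PREFIX="$2"

if [ ! -r "${LOCATION_CONF}" ]; then
  echo "ERROR: config file not readable: ${LOCATION_CONF}" >&2
  exit 1
fi
if [ ! -r ca-root.crt ] || [ ! -r ca-root.key ]; then
  echo "ERROR: ca-root.crt / ca-root.key not found in $(pwd); run create-ca-root-certs-keys.sh first" >&2
  exit 1
fi

echo '-------------------------------------------------------------------------'
echo 'Certificate Info File Location : '"${LOCATION_CONF}"
echo 'Certificate Files Prefix : '"${CERTS_PREFIX}"
echo '-------------------------------------------------------------------------'

echo "Step2: Create CSR request for app ${CERTS_PREFIX}"
echo "openssl req -new -config ${LOCATION_CONF} -nodes -keyout ${CERTS_PREFIX}-app.key -out ${CERTS_PREFIX}-app.csr"
# -nodes: the private key is written unencrypted (it is mounted into a pod as-is).
openssl req -new -config "${LOCATION_CONF}" -nodes -keyout "${CERTS_PREFIX}-app.key" -out "${CERTS_PREFIX}-app.csr"
chmod 600 "${CERTS_PREFIX}-app.key"

echo "Step3: Sign Application Certificate"
echo "openssl x509 -req -in ${CERTS_PREFIX}-app.csr -days 365 -CA ca-root.crt -CAkey ca-root.key -CAcreateserial -extfile ${LOCATION_CONF} -extensions req_ext -out ${CERTS_PREFIX}-app.crt"
# -extfile/-extensions: carry subjectAltName into the issued certificate.
# -CAcreateserial: per-CA serial file (ca-root.srl) so each cert gets a unique serial.
openssl x509 -req -in "${CERTS_PREFIX}-app.csr" -days 365 -CA ca-root.crt -CAkey ca-root.key -CAcreateserial \
  -extfile "${LOCATION_CONF}" -extensions req_ext -out "${CERTS_PREFIX}-app.crt"

echo "Step4: Verify the issued certificate (chain and SAN)"
openssl verify -CAfile ca-root.crt "${CERTS_PREFIX}-app.crt"
openssl x509 -in "${CERTS_PREFIX}-app.crt" -noout -text | grep -A1 'Subject Alternative Name'
--------------------------------------------------------------------------------
/scripts/certs/create-ca-root-certs-keys.sh:
--------------------------------------------------------------------------------
#!/bin/bash
#
# Create the lab's self-signed root CA key and certificate (ca-root.key /
# ca-root.crt) in the current directory. Run once: every client and service
# certificate is signed with this key, so regenerating it invalidates all of
# them. The key is written unencrypted (-nodes) - keep it off the cluster.

set -euo pipefail

if [ -e ca-root.key ] || [ -e ca-root.crt ]; then
  echo "ERROR: ca-root.key / ca-root.crt already exist in $(pwd); refusing to overwrite the CA" >&2
  echo "       remove them explicitly if you really want a new CA (existing certs will no longer verify)" >&2
  exit 1
fi

CA_SUBJ="/C=UK/ST=Farnborough/L=Hampshire/OU=skousou/CN=skoussou.com/emailAddress=skousou@gmail.com"

echo "Step1: Create CA Key & Certificate (Done once)"
echo "openssl req -x509 -newkey rsa:4096 -days 365 -nodes -keyout ca-root.key -out ca-root.crt -subj \"${CA_SUBJ}\""
openssl req -x509 -newkey rsa:4096 -days 365 -nodes -keyout ca-root.key -out ca-root.crt -subj "${CA_SUBJ}"
chmod 600 ca-root.key
--------------------------------------------------------------------------------
/scripts/certs/create-client-certs-keys.sh:
--------------------------------------------------------------------------------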
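#!/bin/bash
#
# Create a client key + CSR and sign it with the lab CA (ca-root.crt /
# ca-root.key in the current directory) for mutual TLS towards the service.
#   $1 prefix for the output files: <prefix>-client.key / .csr / .crt
#   $2 optional subject DN; defaults to the value the original script hard-coded

set -euo pipefail

if [ $# -lt 1 ] || [ -z "$1" ]; then
  echo "usage: $0 <certs-prefix> [subject-dn]" >&2
  exit 1
fi
CERTS_PREFIX="$1"
CLIENT_SUBJ="${2:-/CN=client.example.com/O=client organization}"

if [ ! -r ca-root.crt ] || [ ! -r ca-root.key ]; then
  echo "ERROR: ca-root.crt / ca-root.key not found in $(pwd); run create-ca-root-certs-keys.sh first" >&2
  exit 1
fi

echo "Step1: Create CSR request for client"
echo "openssl req -out ${CERTS_PREFIX}-client.csr -newkey rsa:2048 -nodes -keyout ${CERTS_PREFIX}-client.key -subj \"${CLIENT_SUBJ}\""
# -nodes: unencrypted key, it is mounted into the client pod as-is.
openssl req -out "${CERTS_PREFIX}-client.csr" -newkey rsa:2048 -nodes -keyout "${CERTS_PREFIX}-client.key" -subj "${CLIENT_SUBJ}"
chmod 600 "${CERTS_PREFIX}-client.key"

echo "Step2: Sign Client Certificate"
# -CAcreateserial replaces the original -set_serial 1: with a fixed serial every
# client certificate issued by this CA shared serial number 1, which violates
# the per-issuer uniqueness RFC 5280 requires and makes revocation/tracking by
# serial impossible. The serial file (ca-root.srl) is the same one
# create-app-csr-certs-keys.sh uses.
echo "openssl x509 -req -days 365 -CA ca-root.crt -CAkey ca-root.key -CAcreateserial -in ${CERTS_PREFIX}-client.csr -out ${CERTS_PREFIX}-client.crt"
openssl x509 -req -days 365 -CA ca-root.crt -CAkey ca-root.key -CAcreateserial -in "${CERTS_PREFIX}-client.csr" -out "${CERTS_PREFIX}-client.crt"

echo "Step3: Verify the client certificate chains to the CA"
openssl verify -CAfile ca-root.crt "${CERTS_PREFIX}-client.crt"
--------------------------------------------------------------------------------
/scripts/create-membership.sh:
--------------------------------------------------------------------------------
#!/bin/bash
#
# Enrol an application namespace into a Service Mesh control plane by creating
# a ServiceMeshMember resource (named `default`, as in the original script) in
# that namespace.
#   $1 namespace of the ServiceMeshControlPlane (e.g. istio-system)
#   $2 name of the ServiceMeshControlPlane
#   $3 application namespace to enrol
# Requires a logged-in `oc` session with rights to create ServiceMeshMember
# resources in the application namespace.

set -euo pipefail

if [ $# -lt 3 ] || [ -z "$1" ] || [ -z "$2" ] || [ -z "$3" ]; then
  echo "usage: $0 <istio-namespace> <smcp-name> <app-namespace>" >&2
  exit 1
fi
ISTIO_NAMESPACE="$1"
ISTIO_TENANT_NAME="$2"
APP_NAMESPACE="$3"
SERVICE_MESH_MEMBER_RESOURCE_NAME=default

echo '-------------------------------------------------------------------------'
echo 'Istio Namespace : '"${ISTIO_NAMESPACE}"
echo 'Istio SMCP Name : '"${ISTIO_TENANT_NAME}"
echo 'App Namespace : '"${APP_NAMESPACE}"
echo 'SMR Resource Name : '"${SERVICE_MESH_MEMBER_RESOURCE_NAME}"

echo '-------------------------------------------------------------------------'


echo "################# ServiceMeshMember - [${SERVICE_MESH_MEMBER_RESOURCE_NAME}] for [${APP_NAMESPACE}] #################"

# Build the manifest once so what is printed is exactly what is applied.
MANIFEST="apiVersion: maistra.io/v1
kind: ServiceMeshMember
metadata:
  namespace: ${APP_NAMESPACE}
  name: ${SERVICE_MESH_MEMBER_RESOURCE_NAME}
spec:
  controlPlaneRef:
    name: ${ISTIO_TENANT_NAME}
    namespace: ${ISTIO_NAMESPACE}"

echo "${MANIFEST}"


echo "${MANIFEST}" | oc apply -f -
--------------------------------------------------------------------------------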