From f1e2d0c6c86bffff1ca21f579e493fe1b669ad58 Mon Sep 17 00:00:00 2001
From: Beppe Vanrolleghem
Date: Tue, 3 Mar 2020 11:16:46 +0100
Subject: [PATCH] cleanup and use of namespace for safety/ease of use
---
deploy.istio.yaml | 726 ----------------------------------------------
deploy.yaml | 44 ++-
2 files changed, 33 insertions(+), 737 deletions(-)
delete mode 100644 deploy.istio.yaml
diff --git a/deploy.istio.yaml b/deploy.istio.yaml
deleted file mode 100644
index f6c58b9..0000000
--- a/deploy.istio.yaml
+++ /dev/null
@@ -1,726 +0,0 @@ -apiVersion: apps/v1 -kind: Deployment -metadata: - creationTimestamp: null - name: server-a -spec: - replicas: 1 - selector: - matchLabels: - expose: "true" - server: http - strategy: {} - template: - metadata: - annotations: - sidecar.istio.io/status: '{"version":"b5faac9e6b02231b7db3b29487392a395f1c85c746bf62dc8cb660444af6e0d9","initContainers":["istio-init"],"containers":["istio-proxy"],"volumes":["istio-envoy","istio-certs"],"imagePullSecrets":null}' - creationTimestamp: null - labels: - expose: "true" - security.istio.io/tlsMode: istio - server: http - spec: - containers: - - image: beppev/server-a:latest - name: front-end - ports: - - containerPort: 5000 - resources: {} - - args: - - proxy - - sidecar - - --domain - - $(POD_NAMESPACE).svc.cluster.local - - --configPath - - /etc/istio/proxy - - --binaryPath - - /usr/local/bin/envoy - - --serviceCluster - - server-a.default - - --drainDuration - - 45s - - --parentShutdownDuration - - 1m0s - - --discoveryAddress - - istio-pilot.istio-system:15010 - - --zipkinAddress - - zipkin.istio-system:9411 - - --proxyLogLevel=warning - - --proxyComponentLogLevel=misc:error - - --connectTimeout - - 10s - - --proxyAdminPort - - "15000" - - --concurrency - - "2" - - --controlPlaneAuthPolicy - - NONE - - --dnsRefreshRate - - 300s - - --statusPort - - "15020" - - --applicationPorts - - "5000" - - --trust-domain=cluster.local - env: - - name: POD_NAME - valueFrom: - fieldRef: - fieldPath: metadata.name - - name: POD_NAMESPACE - valueFrom: - fieldRef: - fieldPath: metadata.namespace - - name: INSTANCE_IP - valueFrom: - fieldRef: - fieldPath: status.podIP - - name: SERVICE_ACCOUNT - valueFrom: - fieldRef: - fieldPath: spec.serviceAccountName - - name: HOST_IP - valueFrom: - fieldRef: - fieldPath: status.hostIP - - name: ISTIO_META_POD_PORTS - value: |- - [ - {"containerPort":5000} - ] - - name: ISTIO_META_CLUSTER_ID - value: Kubernetes - - name: ISTIO_META_POD_NAME - valueFrom: - fieldRef: - fieldPath: 
metadata.name - - name: ISTIO_META_CONFIG_NAMESPACE - valueFrom: - fieldRef: - fieldPath: metadata.namespace - - name: SDS_ENABLED - value: "false" - - name: ISTIO_META_INTERCEPTION_MODE - value: REDIRECT - - name: ISTIO_META_INCLUDE_INBOUND_PORTS - value: "5000" - - name: ISTIO_METAJSON_LABELS - value: | - {"expose":"true","server":"http"} - - name: ISTIO_META_WORKLOAD_NAME - value: server-a - - name: ISTIO_META_OWNER - value: kubernetes://apis/apps/v1/namespaces/default/deployments/server-a - - name: ISTIO_META_MESH_ID - value: cluster.local - image: docker.io/istio/proxyv2:1.4.5 - imagePullPolicy: IfNotPresent - name: istio-proxy - ports: - - containerPort: 15090 - name: http-envoy-prom - protocol: TCP - readinessProbe: - failureThreshold: 30 - httpGet: - path: /healthz/ready - port: 15020 - initialDelaySeconds: 1 - periodSeconds: 2 - resources: - limits: - cpu: "2" - memory: 1Gi - requests: - cpu: 10m - memory: 40Mi - securityContext: - allowPrivilegeEscalation: false - capabilities: - drop: - - ALL - privileged: false - readOnlyRootFilesystem: true - runAsGroup: 1337 - runAsNonRoot: true - runAsUser: 1337 - volumeMounts: - - mountPath: /etc/istio/proxy - name: istio-envoy - - mountPath: /etc/certs/ - name: istio-certs - readOnly: true - initContainers: - - command: - - istio-iptables - - -p - - "15001" - - -z - - "15006" - - -u - - "1337" - - -m - - REDIRECT - - -i - - '*' - - -x - - "" - - -b - - '*' - - -d - - "15020" - image: docker.io/istio/proxyv2:1.4.5 - imagePullPolicy: IfNotPresent - name: istio-init - resources: - limits: - cpu: 100m - memory: 50Mi - requests: - cpu: 10m - memory: 10Mi - securityContext: - allowPrivilegeEscalation: false - capabilities: - add: - - NET_ADMIN - - NET_RAW - drop: - - ALL - privileged: false - readOnlyRootFilesystem: false - runAsGroup: 0 - runAsNonRoot: false - runAsUser: 0 - volumes: - - emptyDir: - medium: Memory - name: istio-envoy - - name: istio-certs - secret: - optional: true - secretName: istio.default -status: 
{} ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - creationTimestamp: null - name: server-b -spec: - replicas: 1 - selector: - matchLabels: - app: ja - server: http - version: v1 - strategy: {} - template: - metadata: - annotations: - sidecar.istio.io/status: '{"version":"b5faac9e6b02231b7db3b29487392a395f1c85c746bf62dc8cb660444af6e0d9","initContainers":["istio-init"],"containers":["istio-proxy"],"volumes":["istio-envoy","istio-certs"],"imagePullSecrets":null}' - creationTimestamp: null - labels: - app: ja - security.istio.io/tlsMode: istio - server: http - version: v1 - spec: - containers: - - image: beppev/server-b:latest - name: front-end - ports: - - containerPort: 6000 - resources: {} - - args: - - proxy - - sidecar - - --domain - - $(POD_NAMESPACE).svc.cluster.local - - --configPath - - /etc/istio/proxy - - --binaryPath - - /usr/local/bin/envoy - - --serviceCluster - - ja.$(POD_NAMESPACE) - - --drainDuration - - 45s - - --parentShutdownDuration - - 1m0s - - --discoveryAddress - - istio-pilot.istio-system:15010 - - --zipkinAddress - - zipkin.istio-system:9411 - - --proxyLogLevel=warning - - --proxyComponentLogLevel=misc:error - - --connectTimeout - - 10s - - --proxyAdminPort - - "15000" - - --concurrency - - "2" - - --controlPlaneAuthPolicy - - NONE - - --dnsRefreshRate - - 300s - - --statusPort - - "15020" - - --applicationPorts - - "6000" - - --trust-domain=cluster.local - env: - - name: POD_NAME - valueFrom: - fieldRef: - fieldPath: metadata.name - - name: POD_NAMESPACE - valueFrom: - fieldRef: - fieldPath: metadata.namespace - - name: INSTANCE_IP - valueFrom: - fieldRef: - fieldPath: status.podIP - - name: SERVICE_ACCOUNT - valueFrom: - fieldRef: - fieldPath: spec.serviceAccountName - - name: HOST_IP - valueFrom: - fieldRef: - fieldPath: status.hostIP - - name: ISTIO_META_POD_PORTS - value: |- - [ - {"containerPort":6000} - ] - - name: ISTIO_META_CLUSTER_ID - value: Kubernetes - - name: ISTIO_META_POD_NAME - valueFrom: - fieldRef: - fieldPath: 
metadata.name - - name: ISTIO_META_CONFIG_NAMESPACE - valueFrom: - fieldRef: - fieldPath: metadata.namespace - - name: SDS_ENABLED - value: "false" - - name: ISTIO_META_INTERCEPTION_MODE - value: REDIRECT - - name: ISTIO_META_INCLUDE_INBOUND_PORTS - value: "6000" - - name: ISTIO_METAJSON_LABELS - value: | - {"app":"ja","server":"http","version":"v1"} - - name: ISTIO_META_WORKLOAD_NAME - value: server-b - - name: ISTIO_META_OWNER - value: kubernetes://apis/apps/v1/namespaces/default/deployments/server-b - - name: ISTIO_META_MESH_ID - value: cluster.local - image: docker.io/istio/proxyv2:1.4.5 - imagePullPolicy: IfNotPresent - name: istio-proxy - ports: - - containerPort: 15090 - name: http-envoy-prom - protocol: TCP - readinessProbe: - failureThreshold: 30 - httpGet: - path: /healthz/ready - port: 15020 - initialDelaySeconds: 1 - periodSeconds: 2 - resources: - limits: - cpu: "2" - memory: 1Gi - requests: - cpu: 10m - memory: 40Mi - securityContext: - allowPrivilegeEscalation: false - capabilities: - drop: - - ALL - privileged: false - readOnlyRootFilesystem: true - runAsGroup: 1337 - runAsNonRoot: true - runAsUser: 1337 - volumeMounts: - - mountPath: /etc/istio/proxy - name: istio-envoy - - mountPath: /etc/certs/ - name: istio-certs - readOnly: true - initContainers: - - command: - - istio-iptables - - -p - - "15001" - - -z - - "15006" - - -u - - "1337" - - -m - - REDIRECT - - -i - - '*' - - -x - - "" - - -b - - '*' - - -d - - "15020" - image: docker.io/istio/proxyv2:1.4.5 - imagePullPolicy: IfNotPresent - name: istio-init - resources: - limits: - cpu: 100m - memory: 50Mi - requests: - cpu: 10m - memory: 10Mi - securityContext: - allowPrivilegeEscalation: false - capabilities: - add: - - NET_ADMIN - - NET_RAW - drop: - - ALL - privileged: false - readOnlyRootFilesystem: false - runAsGroup: 0 - runAsNonRoot: false - runAsUser: 0 - volumes: - - emptyDir: - medium: Memory - name: istio-envoy - - name: istio-certs - secret: - optional: true - secretName: istio.default 
-status: {} ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - creationTimestamp: null - name: server-c -spec: - replicas: 1 - selector: - matchLabels: - app: ja - server: http - version: v2 - strategy: {} - template: - metadata: - annotations: - sidecar.istio.io/status: '{"version":"b5faac9e6b02231b7db3b29487392a395f1c85c746bf62dc8cb660444af6e0d9","initContainers":["istio-init"],"containers":["istio-proxy"],"volumes":["istio-envoy","istio-certs"],"imagePullSecrets":null}' - creationTimestamp: null - labels: - app: ja - security.istio.io/tlsMode: istio - server: http - version: v2 - spec: - containers: - - image: beppev/server-c:latest - name: front-end - ports: - - containerPort: 6000 - resources: {} - - args: - - proxy - - sidecar - - --domain - - $(POD_NAMESPACE).svc.cluster.local - - --configPath - - /etc/istio/proxy - - --binaryPath - - /usr/local/bin/envoy - - --serviceCluster - - ja.$(POD_NAMESPACE) - - --drainDuration - - 45s - - --parentShutdownDuration - - 1m0s - - --discoveryAddress - - istio-pilot.istio-system:15010 - - --zipkinAddress - - zipkin.istio-system:9411 - - --proxyLogLevel=warning - - --proxyComponentLogLevel=misc:error - - --connectTimeout - - 10s - - --proxyAdminPort - - "15000" - - --concurrency - - "2" - - --controlPlaneAuthPolicy - - NONE - - --dnsRefreshRate - - 300s - - --statusPort - - "15020" - - --applicationPorts - - "6000" - - --trust-domain=cluster.local - env: - - name: POD_NAME - valueFrom: - fieldRef: - fieldPath: metadata.name - - name: POD_NAMESPACE - valueFrom: - fieldRef: - fieldPath: metadata.namespace - - name: INSTANCE_IP - valueFrom: - fieldRef: - fieldPath: status.podIP - - name: SERVICE_ACCOUNT - valueFrom: - fieldRef: - fieldPath: spec.serviceAccountName - - name: HOST_IP - valueFrom: - fieldRef: - fieldPath: status.hostIP - - name: ISTIO_META_POD_PORTS - value: |- - [ - {"containerPort":6000} - ] - - name: ISTIO_META_CLUSTER_ID - value: Kubernetes - - name: ISTIO_META_POD_NAME - valueFrom: - fieldRef: - 
fieldPath: metadata.name - - name: ISTIO_META_CONFIG_NAMESPACE - valueFrom: - fieldRef: - fieldPath: metadata.namespace - - name: SDS_ENABLED - value: "false" - - name: ISTIO_META_INTERCEPTION_MODE - value: REDIRECT - - name: ISTIO_META_INCLUDE_INBOUND_PORTS - value: "6000" - - name: ISTIO_METAJSON_LABELS - value: | - {"app":"ja","server":"http","version":"v2"} - - name: ISTIO_META_WORKLOAD_NAME - value: server-c - - name: ISTIO_META_OWNER - value: kubernetes://apis/apps/v1/namespaces/default/deployments/server-c - - name: ISTIO_META_MESH_ID - value: cluster.local - image: docker.io/istio/proxyv2:1.4.5 - imagePullPolicy: IfNotPresent - name: istio-proxy - ports: - - containerPort: 15090 - name: http-envoy-prom - protocol: TCP - readinessProbe: - failureThreshold: 30 - httpGet: - path: /healthz/ready - port: 15020 - initialDelaySeconds: 1 - periodSeconds: 2 - resources: - limits: - cpu: "2" - memory: 1Gi - requests: - cpu: 10m - memory: 40Mi - securityContext: - allowPrivilegeEscalation: false - capabilities: - drop: - - ALL - privileged: false - readOnlyRootFilesystem: true - runAsGroup: 1337 - runAsNonRoot: true - runAsUser: 1337 - volumeMounts: - - mountPath: /etc/istio/proxy - name: istio-envoy - - mountPath: /etc/certs/ - name: istio-certs - readOnly: true - initContainers: - - command: - - istio-iptables - - -p - - "15001" - - -z - - "15006" - - -u - - "1337" - - -m - - REDIRECT - - -i - - '*' - - -x - - "" - - -b - - '*' - - -d - - "15020" - image: docker.io/istio/proxyv2:1.4.5 - imagePullPolicy: IfNotPresent - name: istio-init - resources: - limits: - cpu: 100m - memory: 50Mi - requests: - cpu: 10m - memory: 10Mi - securityContext: - allowPrivilegeEscalation: false - capabilities: - add: - - NET_ADMIN - - NET_RAW - drop: - - ALL - privileged: false - readOnlyRootFilesystem: false - runAsGroup: 0 - runAsNonRoot: false - runAsUser: 0 - volumes: - - emptyDir: - medium: Memory - name: istio-envoy - - name: istio-certs - secret: - optional: true - secretName: 
istio.default -status: {} ---- -apiVersion: v1 -kind: Service -metadata: - name: server-b-c-service -spec: - selector: - app: "ja" - ports: - - name: http - protocol: TCP - port: 6000 ---- -kind: Service -apiVersion: v1 -metadata: - name: expose-server -spec: - type: NodePort - selector: - expose: "true" - ports: - - name: http - protocol: TCP - targetPort: 5000 - port: 5000 - nodePort: 30036 ---- -kind: Service -apiVersion: v1 -metadata: - name: example-loadbalancer -spec: - selector: - expose: "true" - ports: - - name: http - protocol: TCP - targetPort: 5000 - port: 80 - type: LoadBalancer ---- -apiVersion: networking.istio.io/v1alpha3 -kind: DestinationRule -metadata: - name: server-check-destination -spec: - host: server-check - subsets: - - name: v1 - labels: - version: v1 - - name: v2 - labels: - version: v2 ---- -apiVersion: networking.istio.io/v1alpha3 -kind: Gateway -metadata: - name: server-check-gateway -spec: - selector: - expose: "true" - istio: ingressgateway - servers: - - port: - number: 6000 - name: http - protocol: HTTP - hosts: - - "*" ---- -apiVersion: v1 -kind: Service -metadata: - name: server-check -spec: - selector: - expose: "true" - ports: - - name: http - protocol: TCP - targetPort: 6000 - port: 6000 ---- -apiVersion: networking.istio.io/v1alpha3 -kind: VirtualService -metadata: - name: server-check-service -spec: - hosts: - - "*" - gateways: - - server-check-gateway - tcp: - - match: - - port: 6000 - route: - - destination: - host: server-b-c-service - port: - number: 6000 - subset: v1 - weight: 50 - - destination: - host: server-b-c-service - port: - number: 6000 - subset: v2 - weight: 50 ---- diff --git a/deploy.yaml b/deploy.yaml index c168bff..6c6dbc9 100644 --- a/deploy.yaml +++ b/deploy.yaml 
@@ -1,19 +1,30 @@ --- +apiVersion: v1 +kind: Namespace +metadata: + name: istio-project-1 + labels: + istio-injection: enabled +--- apiVersion: apps/v1 kind: Deployment metadata: name: server-a + namespace: istio-project-1 spec: replicas: 1 selector: matchLabels: server: "http" + app: "ja" expose: "true" template: metadata: labels: server: "http" + app: "ja" expose: "true" + backend: "true" spec: containers: - name: front-end @@ -25,6 +36,7 @@ apiVersion: apps/v1 kind: Deployment metadata: name: server-b + namespace: istio-project-1 spec: replicas: 1 selector: @@ -49,6 +61,7 @@ apiVersion: apps/v1 kind: Deployment metadata: name: server-c + namespace: istio-project-1 spec: replicas: 1 selector: @@ -73,18 +86,21 @@ apiVersion: v1 kind: Service metadata: name: server-b-c-service + namespace: istio-project-1 spec: selector: - app: "ja" + backend: "true" ports: - name: http protocol: TCP port: 6000 + --- kind: Service apiVersion: v1 metadata: name: expose-server + namespace: istio-project-1 spec: type: NodePort selector: @@ -99,7 +115,8 @@ spec: kind: Service apiVersion: v1 metadata: - name: example-loadbalancer + name: example-loadbalancer + namespace: istio-project-1 spec: selector: expose: "true" @@ -114,8 +131,9 @@ apiVersion: networking.istio.io/v1alpha3 kind: DestinationRule metadata: name: server-check-destination + namespace: istio-project-1 spec: - host: server-check + host: server-b-c-service subsets: - name: v1 labels: @@ -128,25 +146,28 @@ apiVersion: networking.istio.io/v1alpha3 kind: Gateway metadata: name: server-check-gateway + namespace: istio-project-1 spec: selector: expose: "true" - istio: ingressgateway servers: - - port: - number: 6000 - name: http - protocol: HTTP - hosts: - - "*" + - port: + number: 6000 + name: http + protocol: HTTP + hosts: + - "*" --- apiVersion: v1 kind: Service metadata: name: server-check + namespace: istio-project-1 spec: selector: expose: "true" + version: v1 + version: v2 ports: - name: http protocol: TCP 
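Review bot: The `backend: "true"` label is added only to server-a's pod template in this hunk, while the `server-b-c-service` hunk (@@ -73,18 +86,21 @@) switches that Service's selector from `app: "ja"` to `backend: "true"`. Unless server-b and server-c already carry the label in lines outside these hunks, the Service meant for b and c will select server-a pods only. The DestinationRule hunk (@@ -114,8 +131,9 @@), which now targets `server-b-c-service`, would then have empty `v1`/`v2` subsets, since server-a has no `version` label in the lines shown. I would put `backend: "true"` on the server-b and server-c templates instead and drop the `app: "ja"` addition on server-a, so that no selector written for b/c can also match the externally exposed server-a.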
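Review bot: The `server-check` Service selector in the @@ -128,25 +146,28 @@ hunk now holds the key `version` twice (`version: v1` and `version: v2`); a YAML mapping cannot carry a key twice, so a parser either rejects the document or silently keeps the last value. A Service selector also requires every listed label to match, so it cannot express "v1 or v2". Together with `expose: "true"`, the labels visible in this patch suggest it matches no pod, so I would remove both `version:` lines and select on a single label the intended backends share. In the same hunk the Gateway drops `istio: ingressgateway` and keeps only `expose: "true"`, which is an application label on server-a here, so the Gateway probably no longer binds to the ingress gateway pods; keep `istio: ingressgateway` unless those pods are labelled `expose: "true"` somewhere outside this patch.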
@@ -157,6 +178,7 @@ apiVersion: networking.istio.io/v1alpha3 kind: VirtualService metadata: name: server-check-service + namespace: istio-project-1 spec: hosts: - "*" @@ -177,4 +199,4 @@ spec: port: number: 6000 subset: v2 - weight: 50 \ No newline at end of file + weight: 50