Istio in minikube.
Examples from the course “11 Steps to Awesome with Kubernetes, Istio, and Knative LiveLessons”
Doing this on:
22.04.2020
https://github.com/redhat-developer-demos/istio-tutorial
http://github.com/burrsutter/scripts-istio
$ istioctl manifest apply --set profile=demo
$ kubectl label namespace default istio-injection=enabled
Deploy with Istio Envoy Sidecars
$ kubectl create namespace tutorial
$ kubectl config set-context $(kubectl config current-context) --namespace=tutorial
$ mkdir -p ~/tmp/istio && cd ~/tmp/istio
$ git clone https://github.com/redhat-developer-demos/istio-tutorial
$ cd istio-tutorial/
$ istioctl kube-inject -f customer/kubernetes/Deployment.yml
$ kubectl label namespace tutorial istio-injection=enabled
$ kubectl get namespaces --show-labels
***
tutorial Active 8m33s istio-injection=enabled
$ kubectl apply -f customer/kubernetes/Deployment.yml
$ kubectl get pods
NAME READY STATUS RESTARTS AGE
customer-6948b8b959-v4cg8 2/2 Running 0 26s
$ kubectl apply -f customer/kubernetes/Service.yml
$ kubectl apply -f customer/kubernetes/Gateway.yml
$ kubectl apply -f preference/kubernetes/Deployment.yml
$ kubectl apply -f preference/kubernetes/Service.yml
$ kubectl apply -f recommendation/kubernetes/Deployment.yml
$ kubectl apply -f recommendation/kubernetes/Service.yml
$ kubectl get services
NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE
customer ClusterIP 10.110.254.99 <none> 8080/TCP 39s
preference ClusterIP 10.108.86.218 <none> 8080/TCP 24s
recommendation ClusterIP 10.111.135.119 <none> 8080/TCP 18s
$ kubectl get vs
NAME GATEWAYS HOSTS AGE
customer-gateway [customer-gateway] [*] 50s
$ kubectl get service -n istio-system istio-ingressgateway
I see -> 30850/TCP
$ minikube --profile my-profile ip
192.168.99.120
$ while true; do curl 192.168.99.120:30850/customer; sleep .3; done
customer => preference => recommendation v1 from 'f11b097f1dd0': 12
customer => preference => recommendation v1 from 'f11b097f1dd0': 13
customer => preference => recommendation v1 from 'f11b097f1dd0': 14
customer => preference => recommendation v1 from 'f11b097f1dd0': 15
customer => preference => recommendation v1 from 'f11b097f1dd0': 16
customer => preference => recommendation v1 from 'f11b097f1dd0': 17
customer => preference => recommendation v1 from 'f11b097f1dd0': 18
customer => preference => recommendation v1 from 'f11b097f1dd0': 19
customer => preference => recommendation v1 from 'f11b097f1dd0': 20
customer => preference => recommendation v1 from 'f11b097f1dd0': 21
customer => preference => recommendation v1 from 'f11b097f1dd0': 22
customer => preference => recommendation v1 from 'f11b097f1dd0': 23
customer => preference => recommendation v1 from 'f11b097f1dd0': 24
customer => preference => recommendation v1 from 'f11b097f1dd0': 25
Shift traffic with VirtualService and DestinationRule
https://redhat-developer-demos.github.io/istio-tutorial/istio-tutorial/1.3.x/4simple-routerules.html
$ kubectl apply -f recommendation/kubernetes/Deployment-v2.yml
$ while true; do curl 192.168.99.120:30850/customer; sleep .3; done
customer => preference => recommendation v2 from '3cbba7a9cde5': 1
customer => preference => recommendation v1 from 'f11b097f1dd0': 26
customer => preference => recommendation v2 from '3cbba7a9cde5': 2
customer => preference => recommendation v1 from 'f11b097f1dd0': 27
customer => preference => recommendation v2 from '3cbba7a9cde5': 3
customer => preference => recommendation v1 from 'f11b097f1dd0': 28
customer => preference => recommendation v2 from '3cbba7a9cde5': 4
customer => preference => recommendation v1 from 'f11b097f1dd0': 29
customer => preference => recommendation v2 from '3cbba7a9cde5': 5
customer => preference => recommendation v1 from 'f11b097f1dd0': 30
customer => preference => recommendation v2 from '3cbba7a9cde5': 6
customer => preference => recommendation v1 from 'f11b097f1dd0': 31
customer => preference => recommendation v2 from '3cbba7a9cde5': 7
customer => preference => recommendation v1 from 'f11b097f1dd0': 32
customer => preference => recommendation v2 from '3cbba7a9cde5': 8
$ kubectl get pods --show-labels
***
recommendation-v1-69db8d6c48-2x244 2/2 Running 0 15m app=recommendation,pod-template-hash=69db8d6c48,security.istio.io/tlsMode=istio,service.istio.io/canonical-name=recommendation,service.istio.io/canonical-revision=v1,version=v1
recommendation-v2-6c5b86bbd8-q9gtv 2/2 Running 0 2m42s app=recommendation,pod-template-hash=6c5b86bbd8,security.istio.io/tlsMode=istio,service.istio.io/canonical-name=recommendation,service.istio.io/canonical-revision=v2,version=v2
$ kubectl scale --replicas=2 deployment/recommendation-v2 -n tutorial
$ kubectl scale --replicas=1 deployment/recommendation-v2 -n tutorial
$ {
kubectl create -f istiofiles/destination-rule-recommendation-v1-v2.yml -n tutorial
kubectl create -f istiofiles/virtual-service-recommendation-v2.yml -n tutorial
}
$ while true; do curl 192.168.99.120:30850/customer; sleep .3; done
customer => preference => recommendation v2 from '3cbba7a9cde5': 9
customer => preference => recommendation v2 from '3cbba7a9cde5': 10
customer => preference => recommendation v2 from '3cbba7a9cde5': 11
customer => preference => recommendation v2 from '3cbba7a9cde5': 12
customer => preference => recommendation v2 from '3cbba7a9cde5': 13
customer => preference => recommendation v2 from '3cbba7a9cde5': 14
customer => preference => recommendation v2 from '3cbba7a9cde5': 15
customer => preference => recommendation v2 from '3cbba7a9cde5': 16
customer => preference => recommendation v2 from '3cbba7a9cde5': 17
customer => preference => recommendation v2 from '3cbba7a9cde5': 18
customer => preference => recommendation v2 from '3cbba7a9cde5': 19
customer => preference => recommendation v2 from '3cbba7a9cde5': 20
customer => preference => recommendation v2 from '3cbba7a9cde5': 21
customer => preference => recommendation v2 from '3cbba7a9cde5': 22
customer => preference => recommendation v2 from '3cbba7a9cde5': 23
customer => preference => recommendation v2 from '3cbba7a9cde5': 24
$ kubectl get virtualservices
NAME GATEWAYS HOSTS AGE
customer-gateway [customer-gateway] [*] 20m
recommendation [recommendation] 83s
$ kubectl get destinationrules
NAME HOST AGE
recommendation recommendation 114s
$ kubectl describe vs recommendation
Weight: 100
$ kubectl edit vs/recommendation
subset: version-v1
$ while true; do curl 192.168.99.120:30850/customer; sleep .3; done
customer => preference => recommendation v1 from 'f11b097f1dd0': 33
customer => preference => recommendation v1 from 'f11b097f1dd0': 34
customer => preference => recommendation v1 from 'f11b097f1dd0': 35
customer => preference => recommendation v1 from 'f11b097f1dd0': 36
customer => preference => recommendation v1 from 'f11b097f1dd0': 37
customer => preference => recommendation v1 from 'f11b097f1dd0': 38
customer => preference => recommendation v1 from 'f11b097f1dd0': 39
customer => preference => recommendation v1 from 'f11b097f1dd0': 40
$ kubectl delete dr recommendation
$ kubectl delete vs recommendation
$ kubectl delete -f istiofiles/virtual-service-recommendation-v1_and_v2_75_25.yml -n tutorial
$ kubectl delete -f istiofiles/destination-rule-recommendation-v1-v2.yml -n tutorial
Perform smarter canary deployments
$ kubectl apply -f istiofiles/destination-rule-recommendation-v1-v2.yml -n tutorial
$ kubectl apply -f istiofiles/virtual-service-recommendation-v1_and_v2.yml -n tutorial
$ while true; do curl 192.168.99.120:30850/customer; sleep .3; done
customer => preference => recommendation v2 from '3cbba7a9cde5': 45
customer => preference => recommendation v1 from 'f11b097f1dd0': 41
customer => preference => recommendation v1 from 'f11b097f1dd0': 42
customer => preference => recommendation v1 from 'f11b097f1dd0': 43
customer => preference => recommendation v2 from '3cbba7a9cde5': 46
customer => preference => recommendation v1 from 'f11b097f1dd0': 44
customer => preference => recommendation v1 from 'f11b097f1dd0': 45
customer => preference => recommendation v1 from 'f11b097f1dd0': 46
customer => preference => recommendation v1 from 'f11b097f1dd0': 47
customer => preference => recommendation v1 from 'f11b097f1dd0': 48
customer => preference => recommendation v1 from 'f11b097f1dd0': 49
customer => preference => recommendation v2 from '3cbba7a9cde5': 47
customer => preference => recommendation v1 from 'f11b097f1dd0': 50
customer => preference => recommendation v1 from 'f11b097f1dd0': 51
customer => preference => recommendation v1 from 'f11b097f1dd0': 52
customer => preference => recommendation v1 from 'f11b097f1dd0': 53
customer => preference => recommendation v1 from 'f11b097f1dd0': 54
customer => preference => recommendation v1 from 'f11b097f1dd0': 55
customer => preference => recommendation v1 from 'f11b097f1dd0': 56
customer => preference => recommendation v1 from 'f11b097f1dd0': 57
$ kubectl edit vs recommendation
60 / 40
$ kubectl delete vs recommendation
$ kubectl delete dr recommendation
$ ./scripts/clean.sh
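A way to check a weighted canary by counting instead of eyeballing the curl loop. This is an added example, not part of the istio-tutorial repo; the function names and the sample lines are constructed for illustration.

```shell
#!/bin/sh
# Added example, not part of the istio-tutorial repo.

# Constructed sample in the format printed by the curl loop; the error line
# is constructed too and stands for any response that is not a normal reply.
sample_output() {
  cat <<'EOF'
customer => preference => recommendation v1 from 'f11b097f1dd0': 41
customer => preference => recommendation v2 from '3cbba7a9cde5': 45
customer => preference => recommendation v1 from 'f11b097f1dd0': 42
customer => Error: 503 - constructed failure line
customer => preference => recommendation v1 from 'f11b097f1dd0': 43
customer => preference => recommendation v1 from 'f11b097f1dd0': 44
EOF
}

# Count responses per recommendation version from stdin. Anything that is
# not a normal v1/v2 reply is reported as "other" rather than ignored.
version_split() {
  awk '
    /recommendation v1 from/ { v1++; next }
    /recommendation v2 from/ { v2++; next }
    NF                       { other++ }
    END {
      total = v1 + v2
      pct = (total > 0) ? int(v2 * 100 / total + 0.5) : 0
      printf "v1=%d v2=%d other=%d v2_pct=%d\n", v1, v2, other, pct
    }'
}

# usage: ... | split_within <expected_v2_pct> <tolerance_pct>
# Prints the counts and returns 0 only if the observed v2 share is in range.
split_within() {
  result=$(version_split)
  echo "$result"
  pct=${result##*v2_pct=}
  diff=$((pct - $1))
  [ "$diff" -lt 0 ] && diff=$((0 - diff))
  [ "$diff" -le "$2" ]
}

# Offline run on the constructed sample. Against the cluster, feed it e.g.:
#   for i in $(seq 100); do curl -s 192.168.99.120:30850/customer; done
sample_output | split_within 20 5
```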
Next come examples where, depending on the browser, the region, or whether the user is logged in, content is served from a particular service.
https://redhat-developer-demos.github.io/istio-tutorial/istio-tutorial/1.3.x/4advanced-routerules.html
Practice mirroring and the dark launch
https://redhat-developer-demos.github.io/istio-tutorial/istio-tutorial/1.3.x/4advanced-routerules.html#mirroringtraffic
$ kubectl create -f istiofiles/destination-rule-recommendation-v1-v2.yml -n tutorial
$ kubectl create -f istiofiles/virtual-service-recommendation-v1-mirror-v2.yml -n tutorial
$ while true; do curl 192.168.99.120:30850/customer; sleep .3; done
customer => preference => recommendation v1 from 'f11b097f1dd0': 105
customer => preference => recommendation v1 from 'f11b097f1dd0': 106
customer => preference => recommendation v1 from 'f11b097f1dd0': 107
customer => preference => recommendation v1 from 'f11b097f1dd0': 108
customer => preference => recommendation v1 from 'f11b097f1dd0': 109
customer => preference => recommendation v1 from 'f11b097f1dd0': 110
customer => preference => recommendation v1 from 'f11b097f1dd0': 111
We see only v1
In short, if I understood correctly, v2 will only run in case of an error.
Explore observability - Grafana, Jaeger, Kiali
$ {
kubectl patch service/grafana -p '{"spec":{"type":"NodePort"}}' -n istio-system
echo http://$(minikube --profile my-profile ip):$(kubectl get svc grafana -n istio-system -o 'jsonpath={.spec.ports[0].nodePort}')
kubectl patch service/jaeger-query -p '{"spec":{"type":"NodePort"}}' -n istio-system
echo http://$(minikube --profile my-profile ip):$(kubectl get svc jaeger-query -n istio-system -o 'jsonpath={.spec.ports[0].nodePort}')
kubectl patch service/prometheus -p '{"spec":{"type":"NodePort"}}' -n istio-system
echo http://$(minikube --profile my-profile ip):$(kubectl get svc prometheus -n istio-system -o 'jsonpath={.spec.ports[0].nodePort}')
kubectl patch service/kiali -p '{"spec":{"type":"NodePort"}}' -n istio-system
echo http://$(minikube --profile my-profile ip):$(kubectl get svc kiali -n istio-system -o 'jsonpath={.spec.ports[0].nodePort}')/kiali
}
Inject Chaos
https://redhat-developer-demos.github.io/istio-tutorial/istio-tutorial/1.3.x/6fault-injection.html
// HTTP Error 503
$ {
kubectl create -f istiofiles/destination-rule-recommendation.yml -n tutorial
kubectl create -f istiofiles/virtual-service-recommendation-503.yml -n tutorial
}
$ kubectl delete -f istiofiles/virtual-service-recommendation-503.yml -n tutorial
// Delay
$ {
kubectl create -f istiofiles/virtual-service-recommendation-delay.yml -n tutorial
kubectl replace -f istiofiles/destination-rule-recommendation.yml -n tutorial
}
$ {
kubectl delete -f istiofiles/destination-rule-recommendation.yml -n tutorial
kubectl delete -f istiofiles/virtual-service-recommendation-delay.yml -n tutorial
}
Add resiliency
https://redhat-developer-demos.github.io/istio-tutorial/istio-tutorial/1.3.x/5circuit-breaker.html#timeout
$ kubectl edit deployment recommendation-v2
Image
istio-tutorial-recommendation:v2.1-timeout
$ kubectl create -f istiofiles/virtual-service-recommendation-timeout.yml -n tutorial
$ kubectl edit deployment recommendation-v2
Image
istio-tutorial-recommendation:v2.1-timeout
Add security
https://github.com/burrsutter/scripts-istio/tree/master/egress_demo
// Create a namespace and make it “sticky”
$ kubectl create namespace egresstest
$ kubectl config set-context --current --namespace=egresstest
$ kubectl label namespace egresstest istio-injection=enabled
// Check the Configmap
$ kubectl get configmap istio -n istio-system -o yaml | grep -o "mode: ALLOW_ANY"
mode: ALLOW_ANY
// Create a Deployment and find its Pod
$ kubectl create deployment nginx --image=nginx
$ NGINXPOD=$(kubectl get pods -l app=nginx -o 'jsonpath={.items[0].metadata.name}')
$ kubectl exec -it "$NGINXPOD" -- /bin/bash
# apt-get update # note: this will fail if egress is blocked
# apt-get -y install curl
# curl httpbin.org/user-agent
# curl http://worldclockapi.com/api/json/cet/now
exit
// Now, block egress
$ kubectl get configmap istio -n istio-system -o yaml \
| sed 's/mode: ALLOW_ANY/mode: REGISTRY_ONLY/g' | \
kubectl replace -n istio-system -f -
$ kubectl get configmap istio -n istio-system -o yaml | grep -o "mode: REGISTRY_ONLY"
// Selectively open up egress
$ kubectl apply -f istiofiles/service-entry-egress-worldclockapi.yml
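A stricter check of the egress lock-down steps above, plus a ServiceEntry of the kind that opens a single host. This is an added example, not code from the scripts-istio repo and not the contents of its service-entry file; the helper names, the resource name and the configmap fragments are constructed.

```shell
#!/bin/sh
# Added example, not from the scripts-istio repo.

# Print the mesh-wide outboundTrafficPolicy mode found in the configmap YAML
# on stdin, or UNSET when the key is absent. Only the "mode:" directly under
# "outboundTrafficPolicy:" is read, so other "mode:" keys cannot match.
egress_mode() {
  awk '
    /outboundTrafficPolicy:/ { inblock = 1; next }
    inblock && /mode:/       { print $2; found = 1; exit }
    inblock && NF            { inblock = 0 }
    END { if (!found) print "UNSET" }'
}

# Succeed only when egress is restricted to registered hosts. UNSET fails
# too, because Istio falls back to ALLOW_ANY when no mode is configured.
egress_locked_down() {
  [ "$(egress_mode)" = "REGISTRY_ONLY" ]
}

# Emit a ServiceEntry that registers one external HTTP host.
# Hypothetical helper; arguments: <name> <host> <port>
service_entry_yaml() {
  cat <<EOF
apiVersion: networking.istio.io/v1alpha3
kind: ServiceEntry
metadata:
  name: $1
spec:
  hosts:
  - $2
  ports:
  - number: $3
    name: http
    protocol: HTTP
  resolution: DNS
  location: MESH_EXTERNAL
EOF
}

# Constructed configmap fragments for an offline run.
cm_open()   { printf 'data:\n  mesh: |-\n    outboundTrafficPolicy:\n      mode: ALLOW_ANY\n'; }
cm_locked() { printf 'data:\n  mesh: |-\n    outboundTrafficPolicy:\n      mode: REGISTRY_ONLY\n'; }
cm_unset()  { printf 'data:\n  mesh: |-\n    accessLogFile: ""\n'; }

cm_locked | egress_locked_down && echo "egress: REGISTRY_ONLY"
service_entry_yaml worldclockapi worldclockapi.com 80
```

Against the cluster, pipe `kubectl get configmap istio -n istio-system -o yaml` into `egress_locked_down`, then repeat the two curl commands from the nginx pod: only the host registered by a ServiceEntry should still answer.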