--- /dev/null
+# Set the following variable to true to disable policy checks by Mixer.
+# Note that metrics will still be reported to Mixer.
+disablePolicyChecks: false
+
+disableMixerHttpReports: false
+# reportBatchMaxEntries is the number of requests that are batched before telemetry data is sent to the mixer server
+reportBatchMaxEntries: 100
+# reportBatchMaxTime is the max waiting time before the telemetry data of a request is sent to the mixer server
+reportBatchMaxTime: 1s
+
+# Set enableTracing to false to disable request tracing.
+enableTracing: true
+
+# Set accessLogFile to empty string to disable access log.
+accessLogFile: "/dev/stdout"
+
+# If accessLogEncoding is TEXT, value will be used directly as the log format
+# example: "[%START_TIME%] %REQ(:METHOD)% %REQ(X-ENVOY-ORIGINAL-PATH?:PATH)% %PROTOCOL%\n"
+# If AccessLogEncoding is JSON, value will be parsed as map[string]string
+# example: '{"start_time": "%START_TIME%", "req_method": "%REQ(:METHOD)%"}'
+# Leave empty to use default log format
+accessLogFormat: ""
+
+# Set accessLogEncoding to JSON or TEXT to configure sidecar access log
+accessLogEncoding: 'TEXT'
+
+enableEnvoyAccessLogService: false
+mixerCheckServer: istio-policy.istio-system.svc.cluster.local:9091
+mixerReportServer: istio-telemetry.istio-system.svc.cluster.local:9091
+# policyCheckFailOpen allows traffic in cases when the mixer policy service cannot be reached.
+# Default is false which means the traffic is denied when the client is unable to connect to Mixer.
+policyCheckFailOpen: false
+# Let Pilot give ingresses the public IP of the Istio ingressgateway
+ingressService: istio-ingressgateway
+
+# Default connect timeout for dynamic clusters generated by Pilot and returned via XDS
+connectTimeout: 10s
+
+# Automatic protocol detection uses a set of heuristics to
+# determine whether the connection is using TLS or not (on the
+# server side), as well as the application protocol being used
+# (e.g., http vs tcp). These heuristics rely on the client sending
+# the first bits of data. For server first protocols like MySQL,
+# MongoDB, etc., Envoy will timeout on the protocol detection after
+# the specified period, defaulting to non mTLS plain TCP
+# traffic. Set this field to tweak the period that Envoy will wait
+# for the client to send the first bits of data. (MUST BE >=1ms)
+protocolDetectionTimeout: 100ms
+
+# DNS refresh rate for Envoy clusters of type STRICT_DNS
+dnsRefreshRate: 300s
+
+# Unix Domain Socket through which envoy communicates with NodeAgent SDS to get
+# key/cert for mTLS. Use secret-mount files instead of SDS if set to empty.
+sdsUdsPath: ""
+
+# The trust domain corresponds to the trust root of a system.
+# Refer to https://github.com/spiffe/spiffe/blob/master/standards/SPIFFE-ID.md#21-trust-domain
+trustDomain: ""
+
+# The trust domain aliases represent the aliases of trust_domain.
+# For example, if we have
+# trustDomain: td1
+# trustDomainAliases: [“td2”, "td3"]
+# Any service with the identity "td1/ns/foo/sa/a-service-account", "td2/ns/foo/sa/a-service-account",
+# or "td3/ns/foo/sa/a-service-account" will be treated the same in the Istio mesh.
+trustDomainAliases:
+
+# If true, automatically configure client side mTLS settings to match the corresponding service's
+# server side mTLS authentication policy, when destination rule for that service does not specify
+# TLS settings.
+enableAutoMtls: false
+
+# Set the default behavior of the sidecar for handling outbound traffic from the application:
+# ALLOW_ANY - outbound traffic to unknown destinations will be allowed, in case there are no
+# services or ServiceEntries for the destination port
+# REGISTRY_ONLY - restrict outbound traffic to services defined in the service registry as well
+# as those defined through ServiceEntries
+outboundTrafficPolicy:
+ mode: ALLOW_ANY
+localityLbSetting:
+ enabled: true
+# The namespace to treat as the administrative root namespace for istio
+# configuration.
+rootNamespace: istio-system
+
+# Configures DNS certificates provisioned through Chiron linked into Pilot.
+certificates:
+ []
+configSources:
+- address: istio-galley.istio-system.svc:9901
+
+defaultConfig:
+ #
+ # TCP connection timeout between Envoy & the application, and between Envoys. Used for static clusters
+ # defined in Envoy's configuration file
+ connectTimeout: 10s
+ #
+ ### ADVANCED SETTINGS #############
+ # Where should envoy's configuration be stored in the istio-proxy container
+ configPath: "/etc/istio/proxy"
+ binaryPath: "/usr/local/bin/envoy"
+ # The pseudo service name used for Envoy.
+ serviceCluster: istio-proxy
+ # These settings that determine how long an old Envoy
+ # process should be kept alive after an occasional reload.
+ drainDuration: 45s
+ parentShutdownDuration: 1m0s
+ #
+ # The mode used to redirect inbound connections to Envoy. This setting
+ # has no effect on outbound traffic: iptables REDIRECT is always used for
+ # outbound connections.
+ # If "REDIRECT", use iptables REDIRECT to NAT and redirect to Envoy.
+ # The "REDIRECT" mode loses source addresses during redirection.
+ # If "TPROXY", use iptables TPROXY to redirect to Envoy.
+ # The "TPROXY" mode preserves both the source and destination IP
+ # addresses and ports, so that they can be used for advanced filtering
+ # and manipulation.
+ # The "TPROXY" mode also configures the sidecar to run with the
+ # CAP_NET_ADMIN capability, which is required to use TPROXY.
+ #interceptionMode: REDIRECT
+ #
+ # Port where Envoy listens (on local host) for admin commands
+ # You can exec into the istio-proxy container in a pod and
+ # curl the admin port (curl http://localhost:15000/) to obtain
+ # diagnostic information from Envoy. See
+ # https://lyft.github.io/envoy/docs/operations/admin.html
+ # for more details
+ proxyAdminPort: 15000
+ #
+ # Set concurrency to a specific number to control the number of Proxy worker threads.
+ # If set to 0 (default), then start worker thread for each CPU thread/core.
+ concurrency: 2
+ #
+ tracing:
+ zipkin:
+ # Address of the Zipkin collector
+ address: zipkin.istio-system:9411
+ #
+ # Mutual TLS authentication between sidecars and istio control plane.
+ controlPlaneAuthPolicy: NONE
+ #
+ # Address where istio Pilot service is running
+ discoveryAddress: istio-pilot.istio-system:15010
\ No newline at end of file
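Review bot: As printed, `tracing:`, `zipkin:` and `address:` (the three lines under `concurrency: 2`) all sit at the same one-space indent, so if that is what was committed `tracing` and `zipkin` parse as null and `address` becomes a sibling key of `defaultConfig` rather than `defaultConfig.tracing.zipkin.address`; if the diff rendering just collapsed the indentation, ignore this, but the 1-space nesting throughout `defaultConfig` is worth normalising to 2 spaces either way. `trustDomainAliases:` is left bare and therefore loads as null rather than an empty list; `trustDomainAliases: []` states the intent and matches the `certificates: []` form used a few lines later. The `trustDomainAliases` example comment also uses curly quotes (`“td2”`), which will bite anyone who copies it. Separately, `controlPlaneAuthPolicy: NONE` combined with `discoveryAddress: istio-pilot.istio-system:15010` means sidecars fetch xDS without mTLS; a comment such as `# NONE = plaintext xDS to Pilot; use MUTUAL_TLS outside local demos` would make that trade-off explicit to whoever reuses this file. The file also lacks a trailing newline.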
--- /dev/null
+stioctl manifest generate --set values.gateways.istio-egressgateway.enabled=false --set values.gateways.istio-ingressgateway.sds.enabled=true > ./istio-ingressgateway.yaml
+
+:$
+cd /Users/xinhui.li/go/src/github.com/istio-managing-apps-kubernetes
+sudo cp -r * /Users/xinhui.li/Downloads/eks/istio-1.7.3/demos/
+
+ssh -i "lxh-kp.pem" ec2-user@44.241.41.215
+curl -H "Host: ad29778f1b27046fc9ebe0413741901f-6724d8ee316606c2.elb.us-west-2.amazonaws.com" "http://$INGRESS_HOST:$INGRESS_PORT/headers?show_env=1"
+http://ad29778f1b27046fc9ebe0413741901f-6724d8ee316606c2.elb.us-west-2.amazonaws.com/headers?show_env=1
+
+kubectl rollout pause deployment istio-ingressgateway -n istio-system
+
+kubectl get pod -n istio-system
+kubectl exec istio-ingressgateway-85866b6679-xdsjs -n istio-system -c istio-proxy -- curl 'localhost:15000/config_dump' > config_dump.json
+kubectl exec istio-ingressgateway-85866b6679-zjsqd -c istio-proxy -- curl 'localhost:15000/stats' > stats
+kubectl exec istio-ingressgateway-85866b6679-zjsqd -n istio-system -c istio-proxy -- curl 'localhost:15000/clusters' > clusters
+kubectl logs istio-ingressgateway-85866b6679-zjsqd -n istio-system -c istio-proxy > proxy.log
+
+name: istio-ingressgateway
+curl --interface utun1 -H "Host: a7099e53576e541278c6b9c69b71bf53-75bc8e7536570e2e.elb.us-west-2.amazonaws.com" -H "Pepe: bububu" http://proxyddostest02.duckdns.org/headers
+
+
+
+ssh -i ec2-user@44.231.113.107
+
+
+curl -v -HHost:httpbin.example.com --resolve "$INGRESS_HOST:$SECURE_INGRESS_PORT:$INGRESS_HOST" \
+--cacert new_certificates/example.com.crt "https://$INGRESS_HOST:$SECURE_INGRESS_PORT/status/418"
+
+
+a25fa0b4835bf460588ee5002b857c36-1ccd5b150ee87ab2.elb.us-west-2.amazonaws.com
+
+openssl req -x509 -sha256 -nodes -days 365 -newkey rsa:2048 -subj '/O=example Inc./CN=example.com' -keyout example.com.key -out example.com.crt
+openssl req -out httpbin.example.com.csr -newkey rsa:2048 -nodes -keyout httpbin.example.com.key -subj "/CN=a25fa0b4835bf460588ee5002b857c36-1ccd5b150ee87ab2.elb.us-west-2.amazonaws.com/O=httpbin organization"
+openssl x509 -req -days 365 -CA example.com.crt -CAkey example.com.key -set_serial 0 -in httpbin.example.com.csr -out httpbin.example.com.crt
+
+curl -vvv -H "Host: acb7ca2ca2f3a498c822f3786553a075-7fb58ba389cbc75b.elb.us-west-2.amazonaws.com" --cacert new_certificates/example.com.crt "https://acb7ca2ca2f3a498c822f3786553a075-7fb58ba389cbc75b.elb.us-west-2.amazonaws.com:443/headers?show_env=1"
+
+
+
+
+
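Review bot: This scratchpad commits environment-specific identifiers — public EC2 addresses, ELB hostnames, a specific ingressgateway pod name, the `lxh-kp.pem` key filename and a personal home-directory path — that both expose deployment details and go stale immediately; replacing them with placeholders such as `$INGRESS_HOST` (already used in the curl lines) or keeping the file out of the repo would be better. The first command reads `stioctl manifest generate ...` and is missing the leading `i`. The later `ssh -i ec2-user@44.231.113.107` has no key path after `-i`, so `-i` consumes the host argument and the command fails. This appears to be the end of the file, but the hunk may continue beyond what is shown here.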