From: Xinhui Li Date: Tue, 5 Jan 2021 19:11:53 +0000 (-0800) Subject: Add files X-Git-Url: https://gerrit.akraino.org/r/gitweb?a=commitdiff_plain;h=refs%2Fchanges%2F29%2F4029%2F1;p=iec%2Fxconnect.git Add files Change-Id: Ia19fa7cb3ab831d154872aa5b932b0c8df167b99 Signed-off-by: xinhui li
---
diff --git a/mash/envoy.yaml b/mash/envoy.yaml
new file mode 100644
index 0000000..46a0057
--- /dev/null
+++ b/mash/envoy.yaml
@@ -0,0 +1,17 @@
+apiVersion: networking.istio.io/v1alpha3
+kind: EnvoyFilter
+metadata:
+ name: proxy-protocol
+ namespace: istio-system
+spec:
+ workloadSelector:
+ labels:
+ istio: ingressgateway
+ configPatches:
+ - applyTo: LISTENER
+ patch:
+ operation: MERGE
+ value:
+ listener_filters:
+ - name: envoy.filters.listener.proxy_protocol
+ - name: envoy.filters.listener.tls_inspector
diff --git a/mash/envoyXF.yaml b/mash/envoyXF.yaml
new file mode 100644
index 0000000..5a4b220
--- /dev/null
+++ b/mash/envoyXF.yaml
@@ -0,0 +1,22 @@
+apiVersion: networking.istio.io/v1alpha3
+kind: EnvoyFilter
+metadata:
+ name: ingressgateway-settings
+ namespace: istio-system
+spec:
+ configPatches:
+ - applyTo: NETWORK_FILTER
+ match:
+ listener:
+ filterChain:
+ filter:
+ name: envoy.http_connection_manager
+ patch:
+ operation: MERGE
+ value:
+ name: envoy.http_connection_manager
+ typed_config:
+ "@type": type.googleapis.com/envoy.config.filter.network.http_connection_manager.v2.HttpConnectionManager
+ skip_xff_append: false
+ use_remote_address: true
+ xff_num_trusted_hops: 1
diff --git a/mash/istioOp.yaml b/mash/istioOp.yaml
new file mode 100644
index 0000000..79cde98
--- /dev/null
+++ b/mash/istioOp.yaml
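Review bot: The `proxy_protocol` listener filter makes Envoy take the client address from whatever PROXY header the peer sends, so the source IP it reports is only trustworthy if the gateway's listener ports are reachable exclusively from the NLB; any pod, node or external host that can open a TCP connection to the gateway pod or its NodePort directly can spoof its address, and (as far as I recall for the Envoy shipped with Istio 1.7/1.8) connections that arrive without a PROXY header are rejected outright. I would restrict access to the gateway's ports to the NLB (a NetworkPolicy and/or the node security group) and record the assumption in the manifest, e.g. `# PROXY header is trusted unconditionally: gateway ports must only be reachable from the NLB`. With no `match`, the MERGE also applies to every listener on the gateway; if any listener must keep accepting plain connections, scope the patch with `match: { listener: { portNumber: ... } }`.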
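Review bot: `xff_num_trusted_hops: 1` with `use_remote_address: true` tells Envoy to take the client address from the rightmost X-Forwarded-For entry rather than from the connection; the NLB configured in `istioOp.yaml` is a layer-4 balancer that hands the real client address over PROXY protocol and writes no XFF, so that rightmost entry is whatever the client chose, and IP-based authorization, rate limiting and access logs would act on a spoofed address. Unless there is an XFF-writing L7 proxy in front of the NLB that the commit does not show, this should be `xff_num_trusted_hops: 0`. The same knob is also set to a different value (`numTrustedProxies: 2`) in `topology.yaml` of this commit; only one of the two should exist. The `typed_config` still uses the deprecated v2 type; Istio 1.7-era Envoy accepts it, but `"@type": type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager` avoids a breakage at the next upgrade.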
@@ -0,0 +1,13 @@
+apiVersion: install.istio.io/v1alpha1
+kind: IstioOperator
+metadata:
+ namespace: istio-system
+ name: example-istiocontrolplane
+spec:
+ profile: demo
+ ingressGateways:
+ name: istio-ingressgateway
+ namespace: istio-system
+ annotations:
+ service.beta.kubernetes.io/aws-load-balancer-proxy-protocol: "*"
+ service.beta.kubernetes.io/aws-load-balancer-type: "nlb"
diff --git a/mash/meshconfig.yaml b/mash/meshconfig.yaml
new file mode 100644
index 0000000..2691ad1
--- /dev/null
+++ b/mash/meshconfig.yaml
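Review bot: `ingressGateways` is written here as a plain mapping directly under `spec` with the NLB annotations under `annotations:`; in the `install.istio.io/v1alpha1` IstioOperator schema it is a list under `spec.components`, and service annotations belong under each gateway's `k8s.serviceAnnotations`, so as far as I can tell from the collapsed diff `istioctl` will either reject this file or never apply the annotations. That has a security consequence, not just a correctness one: without `aws-load-balancer-proxy-protocol: "*"` the NLB sends no PROXY header while `envoy.yaml` configures the gateway to parse one, so the two manifests only work together in the shape below. Separately, `profile: demo` is meant for demos and turns on permissive defaults; a deployment that is exposed on an NLB should start from `default` or `minimal`.
```yaml
spec:
  # … unchanged: profile …
  components:
    ingressGateways:
      - name: istio-ingressgateway
        namespace: istio-system
        enabled: true
        k8s:
          serviceAnnotations:
            # PROXY protocol v2 on the NLB; this is what the proxy_protocol
            # listener filter in envoy.yaml expects on every connection.
            service.beta.kubernetes.io/aws-load-balancer-proxy-protocol: "*"
            service.beta.kubernetes.io/aws-load-balancer-type: "nlb"
```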
@@ -0,0 +1,144 @@
+# Set the following variable to true to disable policy checks by Mixer.
+# Note that metrics will still be reported to Mixer.
+disablePolicyChecks: false
+
+disableMixerHttpReports: false
+# reportBatchMaxEntries is the number of requests that are batched before telemetry data is sent to the mixer server
+reportBatchMaxEntries: 100
+# reportBatchMaxTime is the max waiting time before the telemetry data of a request is sent to the mixer server
+reportBatchMaxTime: 1s
+
+# Set enableTracing to false to disable request tracing.
+enableTracing: true
+
+# Set accessLogFile to empty string to disable access log.
+accessLogFile: "/dev/stdout"
+
+# If accessLogEncoding is TEXT, value will be used directly as the log format
+# example: "[%START_TIME%] %REQ(:METHOD)% %REQ(X-ENVOY-ORIGINAL-PATH?:PATH)% %PROTOCOL%\n"
+# If AccessLogEncoding is JSON, value will be parsed as map[string]string
+# example: '{"start_time": "%START_TIME%", "req_method": "%REQ(:METHOD)%"}'
+# Leave empty to use default log format
+accessLogFormat: ""
+
+# Set accessLogEncoding to JSON or TEXT to configure sidecar access log
+accessLogEncoding: 'TEXT'
+
+enableEnvoyAccessLogService: false
+mixerCheckServer: istio-policy.istio-system.svc.cluster.local:9091
+mixerReportServer: istio-telemetry.istio-system.svc.cluster.local:9091
+# policyCheckFailOpen allows traffic in cases when the mixer policy service cannot be reached.
+# Default is false which means the traffic is denied when the client is unable to connect to Mixer.
+policyCheckFailOpen: false
+# Let Pilot give ingresses the public IP of the Istio ingressgateway
+ingressService: istio-ingressgateway
+
+# Default connect timeout for dynamic clusters generated by Pilot and returned via XDS
+connectTimeout: 10s
+
+# Automatic protocol detection uses a set of heuristics to
+# determine whether the connection is using TLS or not (on the
+# server side), as well as the application protocol being used
+# (e.g., http vs tcp). These heuristics rely on the client sending
+# the first bits of data. For server first protocols like MySQL,
+# MongoDB, etc., Envoy will timeout on the protocol detection after
+# the specified period, defaulting to non mTLS plain TCP
+# traffic. Set this field to tweak the period that Envoy will wait
+# for the client to send the first bits of data. (MUST BE >=1ms)
+protocolDetectionTimeout: 100ms
+
+# DNS refresh rate for Envoy clusters of type STRICT_DNS
+dnsRefreshRate: 300s
+
+# Unix Domain Socket through which envoy communicates with NodeAgent SDS to get
+# key/cert for mTLS. Use secret-mount files instead of SDS if set to empty.
+sdsUdsPath: ""
+
+# The trust domain corresponds to the trust root of a system.
+# Refer to https://github.com/spiffe/spiffe/blob/master/standards/SPIFFE-ID.md#21-trust-domain
+trustDomain: ""
+
+# The trust domain aliases represent the aliases of trust_domain.
+# For example, if we have
+# trustDomain: td1
+# trustDomainAliases: [“td2”, "td3"]
+# Any service with the identity "td1/ns/foo/sa/a-service-account", "td2/ns/foo/sa/a-service-account",
+# or "td3/ns/foo/sa/a-service-account" will be treated the same in the Istio mesh.
+trustDomainAliases:
+
+# If true, automatically configure client side mTLS settings to match the corresponding service's
+# server side mTLS authentication policy, when destination rule for that service does not specify
+# TLS settings.
+enableAutoMtls: false
+
+# Set the default behavior of the sidecar for handling outbound traffic from the application:
+# ALLOW_ANY - outbound traffic to unknown destinations will be allowed, in case there are no
+# services or ServiceEntries for the destination port
+# REGISTRY_ONLY - restrict outbound traffic to services defined in the service registry as well
+# as those defined through ServiceEntries
+outboundTrafficPolicy:
+ mode: ALLOW_ANY
+localityLbSetting:
+ enabled: true
+# The namespace to treat as the administrative root namespace for istio
+# configuration.
+rootNamespace: istio-system
+
+# Configures DNS certificates provisioned through Chiron linked into Pilot.
+certificates:
+ []
+configSources:
+- address: istio-galley.istio-system.svc:9901
+
+defaultConfig:
+ #
+ # TCP connection timeout between Envoy & the application, and between Envoys. Used for static clusters
+ # defined in Envoy's configuration file
+ connectTimeout: 10s
+ #
+ ### ADVANCED SETTINGS #############
+ # Where should envoy's configuration be stored in the istio-proxy container
+ configPath: "/etc/istio/proxy"
+ binaryPath: "/usr/local/bin/envoy"
+ # The pseudo service name used for Envoy.
+ serviceCluster: istio-proxy
+ # These settings that determine how long an old Envoy
+ # process should be kept alive after an occasional reload.
+ drainDuration: 45s
+ parentShutdownDuration: 1m0s
+ #
+ # The mode used to redirect inbound connections to Envoy. This setting
+ # has no effect on outbound traffic: iptables REDIRECT is always used for
+ # outbound connections.
+ # If "REDIRECT", use iptables REDIRECT to NAT and redirect to Envoy.
+ # The "REDIRECT" mode loses source addresses during redirection.
+ # If "TPROXY", use iptables TPROXY to redirect to Envoy.
+ # The "TPROXY" mode preserves both the source and destination IP
+ # addresses and ports, so that they can be used for advanced filtering
+ # and manipulation.
+ # The "TPROXY" mode also configures the sidecar to run with the
+ # CAP_NET_ADMIN capability, which is required to use TPROXY.
+ #interceptionMode: REDIRECT
+ #
+ # Port where Envoy listens (on local host) for admin commands
+ # You can exec into the istio-proxy container in a pod and
+ # curl the admin port (curl http://localhost:15000/) to obtain
+ # diagnostic information from Envoy. See
+ # https://lyft.github.io/envoy/docs/operations/admin.html
+ # for more details
+ proxyAdminPort: 15000
+ #
+ # Set concurrency to a specific number to control the number of Proxy worker threads.
+ # If set to 0 (default), then start worker thread for each CPU thread/core.
+ concurrency: 2
+ #
+ tracing:
+ zipkin:
+ # Address of the Zipkin collector
+ address: zipkin.istio-system:9411
+ #
+ # Mutual TLS authentication between sidecars and istio control plane.
+ controlPlaneAuthPolicy: NONE
+ #
+ # Address where istio Pilot service is running
+ discoveryAddress: istio-pilot.istio-system:15010
\ No newline at end of file
diff --git a/mash/sample-service.yaml b/mash/sample-service.yaml
new file mode 100644
index 0000000..3e2d4f1
--- /dev/null
+++ b/mash/sample-service.yaml
@@ -0,0 +1,49 @@
+apiVersion: v1
+kind: Service
+metadata:
+ name: my-service
+ namespace: my-namespace
+ labels:
+ app: my-app
+ annotations:
+ service.beta.kubernetes.io/aws-load-balancer-type: "nlb"
+spec:
+ selector:
+ app: my-app
+ ports:
+ - protocol: TCP
+ port: 80
+ targetPort: 80
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: my-deployment
+ namespace: my-namespace
+ labels:
+ app: my-app
+spec:
+ replicas: 1
+ selector:
+ matchLabels:
+ app: my-app
+ template:
+ metadata:
+ labels:
+ app: my-app
+ spec:
+ affinity:
+ nodeAffinity:
+ requiredDuringSchedulingIgnoredDuringExecution:
+ nodeSelectorTerms:
+ - matchExpressions:
+ - key: beta.kubernetes.io/arch
+ operator: In
+ values:
+ - amd64
+ - arm64
+ containers:
+ - name: nginx
+ image: nginx:1.19.2
+ ports:
+ - containerPort: 80
diff --git a/mash/test.txt b/mash/test.txt
new file mode 100644
index 0000000..3dff67c
--- /dev/null
+++ b/mash/test.txt
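Review bot: `controlPlaneAuthPolicy: NONE` together with `discoveryAddress: istio-pilot.istio-system:15010` puts the proxy-to-control-plane channel in the clear: 15010 is the plaintext XDS port, so any workload or node that can reach or sit on the path to it can read the configuration pushed to every proxy and, from an on-path position, substitute its own. For the istiod of the 1.7.3 release the notes in this commit target, the TLS port is 15012 and this should read `controlPlaneAuthPolicy: MUTUAL_TLS` with `discoveryAddress: istiod.istio-system.svc:15012`. The rest of the file appears to come from a pre-1.5 template (`mixerCheckServer`, `mixerReportServer`, `disablePolicyChecks`, `configSources` pointing at istio-galley); those components were folded into istiod or deprecated by 1.7, so I would confirm which keys the target version still honours and remove the rest rather than leave settings that look enforced but are not. Also `enableAutoMtls: false` and `outboundTrafficPolicy.mode: ALLOW_ANY` leave service-to-service traffic unauthenticated and egress unrestricted by default; if that is deliberate for a demo, a comment such as `# demo only: mTLS and egress restriction intentionally off` would stop the next reader from assuming the mesh enforces either.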
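Review bot: The nginx container in `my-deployment` has no `securityContext` and no `resources`, so it runs with the image defaults (the official nginx image starts its master process as root) with privilege escalation permitted and no CPU/memory bound, meaning a compromise or a request flood against the sample affects the node rather than just the pod. I would add at least `allowPrivilegeEscalation: false` and requests/limits as below; running as non-root as well needs the unprivileged nginx image variant and a port above 1024, so I have left that out rather than break the sample. The `aws-load-balancer-type: "nlb"` annotation on a Service of the default `ClusterIP` type is inert; if `type: LoadBalancer` was intended, be aware it would publish nginx on a second NLB that bypasses the mesh ingress gateway. `beta.kubernetes.io/arch` is deprecated in favour of `kubernetes.io/arch`.
```yaml
      containers:
      - name: nginx
        image: nginx:1.19.2
        ports:
        - containerPort: 80
        securityContext:
          allowPrivilegeEscalation: false
        resources:
          requests:
            cpu: 50m
            memory: 64Mi
          limits:
            cpu: 200m
            memory: 128Mi
```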
@@ -0,0 +1,42 @@
+stioctl manifest generate --set values.gateways.istio-egressgateway.enabled=false --set values.gateways.istio-ingressgateway.sds.enabled=true > ./istio-ingressgateway.yaml
+
+:$
+cd /Users/xinhui.li/go/src/github.com/istio-managing-apps-kubernetes
+sudo cp -r * /Users/xinhui.li/Downloads/eks/istio-1.7.3/demos/
+
+ssh -i "lxh-kp.pem" ec2-user@44.241.41.215
+curl -H "Host: ad29778f1b27046fc9ebe0413741901f-6724d8ee316606c2.elb.us-west-2.amazonaws.com" "http://$INGRESS_HOST:$INGRESS_PORT/headers?show_env=1"
+http://ad29778f1b27046fc9ebe0413741901f-6724d8ee316606c2.elb.us-west-2.amazonaws.com/headers?show_env=1
+
+kubectl rollout pause deployment istio-ingressgateway -n istio-system
+
+kubectl get pod -n istio-system
+kubectl exec istio-ingressgateway-85866b6679-xdsjs -n istio-system -c istio-proxy -- curl 'localhost:15000/config_dump' > config_dump.json
+kubectl exec istio-ingressgateway-85866b6679-zjsqd -c istio-proxy -- curl 'localhost:15000/stats' > stats
+kubectl exec istio-ingressgateway-85866b6679-zjsqd -n istio-system -c istio-proxy -- curl 'localhost:15000/clusters' > clusters
+kubectl logs istio-ingressgateway-85866b6679-zjsqd -n istio-system -c istio-proxy > proxy.log
+
+name: istio-ingressgateway
+curl --interface utun1 -H "Host: a7099e53576e541278c6b9c69b71bf53-75bc8e7536570e2e.elb.us-west-2.amazonaws.com" -H "Pepe: bububu" http://proxyddostest02.duckdns.org/headers
+
+
+
+ssh -i ec2-user@44.231.113.107
+
+
+curl -v -HHost:httpbin.example.com --resolve "$INGRESS_HOST:$SECURE_INGRESS_PORT:$INGRESS_HOST" \
+--cacert new_certificates/example.com.crt "https://$INGRESS_HOST:$SECURE_INGRESS_PORT/status/418"
+
+
+a25fa0b4835bf460588ee5002b857c36-1ccd5b150ee87ab2.elb.us-west-2.amazonaws.com
+
+openssl req -x509 -sha256 -nodes -days 365 -newkey rsa:2048 -subj '/O=example Inc./CN=example.com' -keyout example.com.key -out example.com.crt
+openssl req -out httpbin.example.com.csr -newkey rsa:2048 -nodes -keyout httpbin.example.com.key -subj "/CN=a25fa0b4835bf460588ee5002b857c36-1ccd5b150ee87ab2.elb.us-west-2.amazonaws.com/O=httpbin organization"
+openssl x509 -req -days 365 -CA example.com.crt -CAkey example.com.key -set_serial 0 -in httpbin.example.com.csr -out httpbin.example.com.crt
+
+curl -vvv -H "Host: acb7ca2ca2f3a498c822f3786553a075-7fb58ba389cbc75b.elb.us-west-2.amazonaws.com" --cacert new_certificates/example.com.crt "https://acb7ca2ca2f3a498c822f3786553a075-7fb58ba389cbc75b.elb.us-west-2.amazonaws.com:443/headers?show_env=1"
+
+
+
+
+
diff --git a/mash/topology.yaml b/mash/topology.yaml
new file mode 100644
index 0000000..86ab2b4
--- /dev/null
+++ b/mash/topology.yaml
@@ -0,0 +1,7 @@
+apiVersion: install.istio.io/v1alpha1
+kind: IstioOperator
+spec:
+ meshConfig:
+ defaultConfig:
+ gatewayTopology:
+ numTrustedProxies: 2
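Review bot: `test.txt` is a personal command scratchpad rather than project content, and it publishes live infrastructure details into a public repository: two EC2 public IPs with the `ec2-user` login and the SSH key file name `lxh-kp.pem`, four NLB hostnames, a DuckDNS host, gateway pod names and `/Users/xinhui.li/...` paths. Anyone browsing the repo now has a ready-made target list, and the file adds nothing the manifests need. I would drop it from the change; if the commands are meant as a runbook, move them into a README with placeholders (`<EC2_IP>`, `$INGRESS_HOST`) and mark the `-set_serial 0` self-signed CA sequence as for local testing only. Two smaller things if it stays: `ssh -i ec2-user@44.231.113.107` has no key path after `-i`, and `stioctl` is missing its leading `i`.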
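Review bot: `numTrustedProxies: 2` tells the ingress gateway to trust the two rightmost X-Forwarded-For entries as written by proxies in front of it, but the only hop configured in this commit is a layer-4 NLB that passes the client address over PROXY protocol and writes no XFF, so both entries would be client-supplied and the gateway would log, rate-limit and authorize on a spoofable address. Unless there really are two XFF-writing L7 proxies in front of the NLB, this should be `numTrustedProxies: 0` or omitted altogether. It also sets the same Envoy field as `xff_num_trusted_hops: 1` in `envoyXF.yaml`, with a different value; `gatewayTopology` is the supported mechanism, so keep this and delete the EnvoyFilter. `gatewayTopology` was introduced after 1.7 (1.8, I believe) while `test.txt` references istio-1.7.3 — worth confirming the target version before relying on it.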