ayan.poddar/eShopOnContainers
1
0
Fork 0
Code Issues Pull Requests Projects Releases Wiki Activity

Added support to istio with nginx-ingress

Browse Source
This commit is contained in:
jmanuelcorral 2019-03-07 16:26:03 +01:00
parent 6926bbe54b
commit 3e7f930208
15 changed files with 614 additions and 31 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

64
k8s/istio/JourneyToIstio.md
View File

@ -4,32 +4,32 @@ You need the eshopsOnContainers configured on your local, with this
in a powershell console, we need to enter in /k8s/istio and execute
```
>kubectl get pods
NAME READY STATUS RESTARTS AGE
eshop-apigwmm-54ccc6c589-557fn 0/1 Running 26 3h
eshop-apigwms-7d5f86cf7c-2j2zp 0/1 CrashLoopBackOff 30 3h
eshop-apigwwm-7794b6d879-7j4mt 0/1 CrashLoopBackOff 39 3h
eshop-apigwws-8585f6899f-7kkg2 0/1 Running 11 3h
eshop-basket-api-8bfc5c5f6-8xxcv 0/1 Running 41 3h
eshop-basket-data-66fbc788cc-dmkgb 1/1 Running 0 3h
eshop-catalog-api-c77747b76-4gp6c 0/1 CrashLoopBackOff 40 3h
eshop-identity-api-7574f6b458-4rbp6 0/1 CrashLoopBackOff 44 3h
eshop-keystore-data-5c9c85cb99-s5qz7 1/1 Running 0 3h
eshop-locations-api-64847646d-5wv52 0/1 CrashLoopBackOff 36 3h
eshop-marketing-api-745f9546b8-krjqq 0/1 Running 33 3h
eshop-mobileshoppingagg-7d467f86bd-bw9c7 0/1 Running 22 3h
eshop-nosql-data-579c9d89f8-x4z2k 1/1 Running 0 3h
eshop-ordering-api-5c55bd5464-7hnjx 0/1 CrashLoopBackOff 38 3h
eshop-ordering-backgroundtasks-f6dcb7db4-xq7gr 1/1 Running 22 3h
eshop-ordering-signalrhub-6664868779-dphxm 1/1 Running 0 3h
eshop-payment-api-7988db5f76-z76tc 1/1 Running 17 3h
eshop-rabbitmq-6b68647bc4-qjjrb 1/1 Running 0 3h
eshop-sql-data-5c4fdcccf4-2z5dm 1/1 Running 0 3h
eshop-webhooks-api-588b58bb66-lmx5c 1/1 Running 0 3h
eshop-webhooks-web-565c68b59c-dk8hp 1/1 Running 0 3h
eshop-webmvc-55c596544b-9fqsj 1/1 Running 0 3h
eshop-webshoppingagg-f8547f45b-4mjvp 0/1 CrashLoopBackOff 16 3h
eshop-webspa-84fd54466d-hzrlb 1/1 Running 0 3h
eshop-webstatus-775b487d4d-tbfbn 1/1 Running 0 3h
NAME READY STATUS RESTARTS AGE
eshop-apigwmm-54ccc6c589-557fn 0/1 Running 31 4h
eshop-apigwms-7d5f86cf7c-2j2zp 0/1 Running 32 4h
eshop-apigwwm-7794b6d879-7j4mt 0/1 Running 44 4h
eshop-apigwws-8585f6899f-7kkg2 0/1 Running 13 4h
eshop-basket-api-8bfc5c5f6-8xxcv 1/1 Running 47 4h
eshop-basket-data-66fbc788cc-dmkgb 1/1 Running 1 4h
eshop-catalog-api-c77747b76-4gp6c 0/1 Running 48 4h
eshop-identity-api-7574f6b458-4rbp6 0/1 Running 55 4h
eshop-keystore-data-5c9c85cb99-s5qz7 1/1 Running 1 4h
eshop-locations-api-64847646d-5wv52 1/1 Running 42 4h
eshop-marketing-api-745f9546b8-krjqq 1/1 Running 40 4h
eshop-mobileshoppingagg-7d467f86bd-bw9c7 0/1 Running 24 4h
eshop-nosql-data-579c9d89f8-x4z2k 1/1 Running 1 4h
eshop-ordering-api-5c55bd5464-7hnjx 0/1 Running 46 4h
eshop-ordering-backgroundtasks-f6dcb7db4-xq7gr 0/1 Running 24 4h
eshop-ordering-signalrhub-6664868779-dphxm 1/1 Running 1 4h
eshop-payment-api-7988db5f76-z76tc 0/1 Running 19 4h
eshop-rabbitmq-6b68647bc4-qjjrb 1/1 Running 1 4h
eshop-sql-data-5c4fdcccf4-2z5dm 1/1 Running 1 4h
eshop-webhooks-api-588b58bb66-lmx5c 1/1 Running 2 4h
eshop-webhooks-web-565c68b59c-dk8hp 1/1 Running 1 4h
eshop-webmvc-55c596544b-9fqsj 1/1 Running 2 4h
eshop-webshoppingagg-f8547f45b-4mjvp 0/1 Running 21 4h
eshop-webspa-84fd54466d-hzrlb 1/1 Running 2 4h
eshop-webstatus-775b487d4d-tbfbn 1/1 Running 1 4h
```
```ps1
@ -71,3 +71,15 @@ enter in k8s/istio/kiali and execute:
```
this script will prompt for a valid account/password and setups the secret in kubernetes
(at the moment account/password will be admin/admin we need to modify the yml)
After enter in /k8s/istio/nginx-ingress that execute, we need to apply the istio integration with nginx-ingress for service-upstream.
```
> ./update-nginx-ingress.ps1
```
And After that, we only need to activate the sidecar injection in the default namespace for the eshops deployments, for doing that you must go the folder /k8s/istio
and run:
```
> ./apply-injection.ps1
````

2
k8s/istio/apply-injection.ps1 Normal file
View File

@ -0,0 +1,2 @@
kubectl label namespace default istio-injection=enabled
kubectl get namespace -L istio-injection

2
k8s/istio/delete-istio.ps1 Normal file
View File

@ -0,0 +1,2 @@
helm delete --purge istio
kubectl delete -f install/kubernetes/helm/istio/templates/crds.yaml -n istio-system

3
k8s/istio/deploy-istio-helm.ps1
View File

@ -1,3 +1,4 @@
$ISTIO_VERSION="1.0.6"
cd istio-$ISTIO_VERSION
helm install install/kubernetes/helm/istio --name istio --namespace istio-system --set global.controlPlaneSecurityEnabled=true --set grafana.enabled=true --set tracing.enabled=true --set kiali.enabled=true
helm install install/kubernetes/helm/istio --wait --name istio --namespace istio-system --set global.controlPlaneSecurityEnabled=true --set grafana.enabled=true --set tracing.enabled=true --set kiali.enabled=true --set ingress.enabled=false --set gateways.istio-ingressgateway.enabled=false
cd ..

4
k8s/istio/kiali/secrets.yml
View File

@ -7,5 +7,5 @@ metadata:
app: kiali
type: Opaque
data:
username: YQBkAG0AaQBuAA==
passphrase: YQBkAG0AaQBuAA==
username: YWRtaW4=
passphrase: MWYyZDFlMmU2N2Rm

4
k8s/istio/kiali/set-kiali-credentials.ps1
View File

@ -32,5 +32,5 @@ $KIALIUSERNAME = [Convert]::ToBase64String([Text.Encoding]::Unicode.GetBytes($us
$plainpassword = Get-PlainText $password;
$KIALIPASSWORD = [Convert]::ToBase64String([Text.Encoding]::Unicode.GetBytes($plainpassword))
Write-Host "setting username [$KIALIUSERNAME] and password [$KIALIPASSWORD]" -ForegroundColor Blue
kubectl apply -f secrets.yml
Write-Host "Creating Kiali Secret in namespace [$NAMESPACE]" -ForegroundColor Blue
kubectl -n $NAMESPACE create secret generic kiali --from-literal=username=$KIALIUSERNAME --from-literal=passphrase=$KIALIPASSWORD

21
k8s/istio/nginx-ingress/cloud-generic.yaml Normal file
View File

@ -0,0 +1,21 @@
kind: Service
apiVersion: v1
metadata:
name: ingress-nginx
namespace: ingress-nginx
labels:
app.kubernetes.io/name: ingress-nginx
app.kubernetes.io/part-of: ingress-nginx
spec:
externalTrafficPolicy: Local
type: LoadBalancer
selector:
app.kubernetes.io/name: ingress-nginx
app.kubernetes.io/part-of: ingress-nginx
ports:
- name: http
port: 80
targetPort: http
- name: https
port: 443
targetPort: https

BIN
k8s/istio/nginx-ingress/cm.yaml Normal file
View File

Binary file not shown.

3
k8s/istio/nginx-ingress/local-dockerk8s/identityapi-cm-fix.yaml Normal file
View File

@ -0,0 +1,3 @@
data:
mvc_e: http://10.0.75.1/webmvc

3
k8s/istio/nginx-ingress/local-dockerk8s/mvc-cm-fix.yaml Normal file
View File

@ -0,0 +1,3 @@
data:
urls__IdentityUrl: http://10.0.75.1/identity
urls__mvc: http://10.0.75.1/webmvc

39
k8s/istio/nginx-ingress/local-dockerk8s/mvc-fix.yaml Normal file
View File

@ -0,0 +1,39 @@
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
annotations:
ingress.kubernetes.io/ssl-redirect: "false"
kubernetes.io/ingress.class: nginx
nginx.ingress.kubernetes.io/ssl-redirect: "false"
labels:
app: webmvc
name: eshop-webmvc-loopback
namespace: default
spec:
rules:
- http:
paths:
- backend:
serviceName: webmvc
servicePort: http
path: /webmvc
---
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
annotations:
ingress.kubernetes.io/ssl-redirect: "false"
kubernetes.io/ingress.class: nginx
nginx.ingress.kubernetes.io/ssl-redirect: "false"
labels:
app: identity-api
name: eshop-identity-api-loopback
namespace: default
spec:
rules:
- http:
paths:
- backend:
serviceName: identity
servicePort: http
path: /identity

239
k8s/istio/nginx-ingress/mandatory.yaml Normal file
View File

@ -0,0 +1,239 @@
apiVersion: v1
kind: Namespace
metadata:
name: ingress-nginx
---
kind: ConfigMap
apiVersion: v1
metadata:
name: nginx-configuration
namespace: ingress-nginx
labels:
app.kubernetes.io/name: ingress-nginx
app.kubernetes.io/part-of: ingress-nginx
---
apiVersion: v1
kind: ServiceAccount
metadata:
name: nginx-ingress-serviceaccount
namespace: ingress-nginx
labels:
app.kubernetes.io/name: ingress-nginx
app.kubernetes.io/part-of: ingress-nginx
---
apiVersion: rbac.authorization.k8s.io/v1beta1
kind: ClusterRole
metadata:
name: nginx-ingress-clusterrole
labels:
app.kubernetes.io/name: ingress-nginx
app.kubernetes.io/part-of: ingress-nginx
rules:
- apiGroups:
- ""
resources:
- configmaps
- endpoints
- nodes
- pods
- secrets
verbs:
- list
- watch
- apiGroups:
- ""
resources:
- nodes
verbs:
- get
- apiGroups:
- ""
resources:
- services
verbs:
- get
- list
- watch
- apiGroups:
- "extensions"
resources:
- ingresses
verbs:
- get
- list
- watch
- apiGroups:
- ""
resources:
- events
verbs:
- create
- patch
- apiGroups:
- "extensions"
resources:
- ingresses/status
verbs:
- update
---
apiVersion: rbac.authorization.k8s.io/v1beta1
kind: Role
metadata:
name: nginx-ingress-role
namespace: ingress-nginx
labels:
app.kubernetes.io/name: ingress-nginx
app.kubernetes.io/part-of: ingress-nginx
rules:
- apiGroups:
- ""
resources:
- configmaps
- pods
- secrets
- namespaces
verbs:
- get
- apiGroups:
- ""
resources:
- configmaps
resourceNames:
# Defaults to "<election-id>-<ingress-class>"
# Here: "<ingress-controller-leader>-<nginx>"
# This has to be adapted if you change either parameter
# when launching the nginx-ingress-controller.
- "ingress-controller-leader-nginx"
verbs:
- get
- update
- apiGroups:
- ""
resources:
- configmaps
verbs:
- create
- apiGroups:
- ""
resources:
- endpoints
verbs:
- get
---
apiVersion: rbac.authorization.k8s.io/v1beta1
kind: RoleBinding
metadata:
name: nginx-ingress-role-nisa-binding
namespace: ingress-nginx
labels:
app.kubernetes.io/name: ingress-nginx
app.kubernetes.io/part-of: ingress-nginx
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: Role
name: nginx-ingress-role
subjects:
- kind: ServiceAccount
name: nginx-ingress-serviceaccount
namespace: ingress-nginx
---
apiVersion: rbac.authorization.k8s.io/v1beta1
kind: ClusterRoleBinding
metadata:
name: nginx-ingress-clusterrole-nisa-binding
labels:
app.kubernetes.io/name: ingress-nginx
app.kubernetes.io/part-of: ingress-nginx
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: nginx-ingress-clusterrole
subjects:
- kind: ServiceAccount
name: nginx-ingress-serviceaccount
namespace: ingress-nginx
---
apiVersion: extensions/v1beta1
kind: Deployment
metadata:
name: nginx-ingress-controller
namespace: ingress-nginx
labels:
app.kubernetes.io/name: ingress-nginx
app.kubernetes.io/part-of: ingress-nginx
spec:
replicas: 1
selector:
matchLabels:
app.kubernetes.io/name: ingress-nginx
app.kubernetes.io/part-of: ingress-nginx
template:
metadata:
labels:
app.kubernetes.io/name: ingress-nginx
app.kubernetes.io/part-of: ingress-nginx
annotations:
prometheus.io/port: "10254"
prometheus.io/scrape: "true"
service-upstream: "true"
spec:
serviceAccountName: nginx-ingress-serviceaccount
containers:
- name: nginx-ingress-controller
image: quay.io/kubernetes-ingress-controller/nginx-ingress-controller:0.20.0
args:
- /nginx-ingress-controller
- --configmap=$(POD_NAMESPACE)/nginx-configuration
- --publish-service=$(POD_NAMESPACE)/ingress-nginx
- --annotations-prefix=nginx.ingress.kubernetes.io
securityContext:
capabilities:
drop:
- ALL
add:
- NET_BIND_SERVICE
# www-data -> 33
runAsUser: 33
env:
- name: POD_NAME
valueFrom:
fieldRef:
fieldPath: metadata.name
- name: POD_NAMESPACE
valueFrom:
fieldRef:
fieldPath: metadata.namespace
ports:
- name: http
containerPort: 80
- name: https
containerPort: 443
livenessProbe:
failureThreshold: 3
httpGet:
path: /healthz
port: 10254
scheme: HTTP
initialDelaySeconds: 10
periodSeconds: 10
successThreshold: 1
timeoutSeconds: 1
readinessProbe:
failureThreshold: 3
httpGet:
path: /healthz
port: 10254
scheme: HTTP
periodSeconds: 10
successThreshold: 1
timeoutSeconds: 1

22
k8s/istio/nginx-ingress/service-nodeport.yaml Normal file
View File

@ -0,0 +1,22 @@
apiVersion: v1
kind: Service
metadata:
name: ingress-nginx
namespace: ingress-nginx
labels:
app.kubernetes.io/name: ingress-nginx
app.kubernetes.io/part-of: ingress-nginx
spec:
type: NodePort
ports:
- name: http
port: 80
targetPort: 80
protocol: TCP
- name: https
port: 443
targetPort: 443
protocol: TCP
selector:
app.kubernetes.io/name: ingress-nginx
app.kubernetes.io/part-of: ingress-nginx

1
k8s/istio/nginx-ingress/update-nginx-ingress.ps1 Normal file
View File

@ -0,0 +1 @@
kubectl apply -f mandatory.yml

238
k8s/nginx-ingress/mandatory-istio.yaml Normal file
View File

@ -0,0 +1,238 @@
apiVersion: v1
kind: Namespace
metadata:
name: ingress-nginx
---
kind: ConfigMap
apiVersion: v1
metadata:
name: nginx-configuration
namespace: ingress-nginx
labels:
app.kubernetes.io/name: ingress-nginx
app.kubernetes.io/part-of: ingress-nginx
---
apiVersion: v1
kind: ServiceAccount
metadata:
name: nginx-ingress-serviceaccount
namespace: ingress-nginx
labels:
app.kubernetes.io/name: ingress-nginx
app.kubernetes.io/part-of: ingress-nginx
---
apiVersion: rbac.authorization.k8s.io/v1beta1
kind: ClusterRole
metadata:
name: nginx-ingress-clusterrole
labels:
app.kubernetes.io/name: ingress-nginx
app.kubernetes.io/part-of: ingress-nginx
rules:
- apiGroups:
- ""
resources:
- configmaps
- endpoints
- nodes
- pods
- secrets
verbs:
- list
- watch
- apiGroups:
- ""
resources:
- nodes
verbs:
- get
- apiGroups:
- ""
resources:
- services
verbs:
- get
- list
- watch
- apiGroups:
- "extensions"
resources:
- ingresses
verbs:
- get
- list
- watch
- apiGroups:
- ""
resources:
- events
verbs:
- create
- patch
- apiGroups:
- "extensions"
resources:
- ingresses/status
verbs:
- update
---
apiVersion: rbac.authorization.k8s.io/v1beta1
kind: Role
metadata:
name: nginx-ingress-role
namespace: ingress-nginx
labels:
app.kubernetes.io/name: ingress-nginx
app.kubernetes.io/part-of: ingress-nginx
rules:
- apiGroups:
- ""
resources:
- configmaps
- pods
- secrets
- namespaces
verbs:
- get
- apiGroups:
- ""
resources:
- configmaps
resourceNames:
# Defaults to "<election-id>-<ingress-class>"
# Here: "<ingress-controller-leader>-<nginx>"
# This has to be adapted if you change either parameter
# when launching the nginx-ingress-controller.
- "ingress-controller-leader-nginx"
verbs:
- get
- update
- apiGroups:
- ""
resources:
- configmaps
verbs:
- create
- apiGroups:
- ""
resources:
- endpoints
verbs:
- get
---
apiVersion: rbac.authorization.k8s.io/v1beta1
kind: RoleBinding
metadata:
name: nginx-ingress-role-nisa-binding
namespace: ingress-nginx
labels:
app.kubernetes.io/name: ingress-nginx
app.kubernetes.io/part-of: ingress-nginx
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: Role
name: nginx-ingress-role
subjects:
- kind: ServiceAccount
name: nginx-ingress-serviceaccount
namespace: ingress-nginx
---
apiVersion: rbac.authorization.k8s.io/v1beta1
kind: ClusterRoleBinding
metadata:
name: nginx-ingress-clusterrole-nisa-binding
labels:
app.kubernetes.io/name: ingress-nginx
app.kubernetes.io/part-of: ingress-nginx
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: nginx-ingress-clusterrole
subjects:
- kind: ServiceAccount
name: nginx-ingress-serviceaccount
namespace: ingress-nginx
---
apiVersion: extensions/v1beta1
kind: Deployment
metadata:
name: nginx-ingress-controller
namespace: ingress-nginx
labels:
app.kubernetes.io/name: ingress-nginx
app.kubernetes.io/part-of: ingress-nginx
spec:
replicas: 1
selector:
matchLabels:
app.kubernetes.io/name: ingress-nginx
app.kubernetes.io/part-of: ingress-nginx
template:
metadata:
labels:
app.kubernetes.io/name: ingress-nginx
app.kubernetes.io/part-of: ingress-nginx
annotations:
prometheus.io/port: "10254"
prometheus.io/scrape: "true"
spec:
serviceAccountName: nginx-ingress-serviceaccount
containers:
- name: nginx-ingress-controller
image: quay.io/kubernetes-ingress-controller/nginx-ingress-controller:0.20.0
args:
- /nginx-ingress-controller
- --configmap=$(POD_NAMESPACE)/nginx-configuration
- --publish-service=$(POD_NAMESPACE)/ingress-nginx
- --annotations-prefix=nginx.ingress.kubernetes.io
securityContext:
capabilities:
drop:
- ALL
add:
- NET_BIND_SERVICE
# www-data -> 33
runAsUser: 33
env:
- name: POD_NAME
valueFrom:
fieldRef:
fieldPath: metadata.name
- name: POD_NAMESPACE
valueFrom:
fieldRef:
fieldPath: metadata.namespace
ports:
- name: http
containerPort: 80
- name: https
containerPort: 443
livenessProbe:
failureThreshold: 3
httpGet:
path: /healthz
port: 10254
scheme: HTTP
initialDelaySeconds: 10
periodSeconds: 10
successThreshold: 1
timeoutSeconds: 1
readinessProbe:
failureThreshold: 3
httpGet:
path: /healthz
port: 10254
scheme: HTTP
periodSeconds: 10
successThreshold: 1
timeoutSeconds: 1