diff --git a/k8s/istio/JourneyToIstio.md b/k8s/istio/JourneyToIstio.md index 6e44cf526..a12f6740a 100644 --- a/k8s/istio/JourneyToIstio.md +++ b/k8s/istio/JourneyToIstio.md 
@@ -4,32 +4,32 @@ You need the eshopsOnContainers configured on your local, with this in a powershell console, we need to enter in /k8s/istio and execute ``` >kubectl get pods -NAME READY STATUS RESTARTS AGE -eshop-apigwmm-54ccc6c589-557fn 0/1 Running 26 3h -eshop-apigwms-7d5f86cf7c-2j2zp 0/1 CrashLoopBackOff 30 3h -eshop-apigwwm-7794b6d879-7j4mt 0/1 CrashLoopBackOff 39 3h -eshop-apigwws-8585f6899f-7kkg2 0/1 Running 11 3h -eshop-basket-api-8bfc5c5f6-8xxcv 0/1 Running 41 3h -eshop-basket-data-66fbc788cc-dmkgb 1/1 Running 0 3h -eshop-catalog-api-c77747b76-4gp6c 0/1 CrashLoopBackOff 40 3h -eshop-identity-api-7574f6b458-4rbp6 0/1 CrashLoopBackOff 44 3h -eshop-keystore-data-5c9c85cb99-s5qz7 1/1 Running 0 3h -eshop-locations-api-64847646d-5wv52 0/1 CrashLoopBackOff 36 3h -eshop-marketing-api-745f9546b8-krjqq 0/1 Running 33 3h -eshop-mobileshoppingagg-7d467f86bd-bw9c7 0/1 Running 22 3h -eshop-nosql-data-579c9d89f8-x4z2k 1/1 Running 0 3h -eshop-ordering-api-5c55bd5464-7hnjx 0/1 CrashLoopBackOff 38 3h -eshop-ordering-backgroundtasks-f6dcb7db4-xq7gr 1/1 Running 22 3h -eshop-ordering-signalrhub-6664868779-dphxm 1/1 Running 0 3h -eshop-payment-api-7988db5f76-z76tc 1/1 Running 17 3h -eshop-rabbitmq-6b68647bc4-qjjrb 1/1 Running 0 3h -eshop-sql-data-5c4fdcccf4-2z5dm 1/1 Running 0 3h -eshop-webhooks-api-588b58bb66-lmx5c 1/1 Running 0 3h -eshop-webhooks-web-565c68b59c-dk8hp 1/1 Running 0 3h -eshop-webmvc-55c596544b-9fqsj 1/1 Running 0 3h -eshop-webshoppingagg-f8547f45b-4mjvp 0/1 CrashLoopBackOff 16 3h -eshop-webspa-84fd54466d-hzrlb 1/1 Running 0 3h -eshop-webstatus-775b487d4d-tbfbn 1/1 Running 0 3h +NAME READY STATUS RESTARTS AGE +eshop-apigwmm-54ccc6c589-557fn 0/1 Running 31 4h +eshop-apigwms-7d5f86cf7c-2j2zp 0/1 Running 32 4h +eshop-apigwwm-7794b6d879-7j4mt 0/1 Running 44 4h +eshop-apigwws-8585f6899f-7kkg2 0/1 Running 13 4h +eshop-basket-api-8bfc5c5f6-8xxcv 1/1 Running 47 4h +eshop-basket-data-66fbc788cc-dmkgb 1/1 Running 1 4h +eshop-catalog-api-c77747b76-4gp6c 0/1 Running 48 4h 
+eshop-identity-api-7574f6b458-4rbp6 0/1 Running 55 4h +eshop-keystore-data-5c9c85cb99-s5qz7 1/1 Running 1 4h +eshop-locations-api-64847646d-5wv52 1/1 Running 42 4h +eshop-marketing-api-745f9546b8-krjqq 1/1 Running 40 4h +eshop-mobileshoppingagg-7d467f86bd-bw9c7 0/1 Running 24 4h +eshop-nosql-data-579c9d89f8-x4z2k 1/1 Running 1 4h +eshop-ordering-api-5c55bd5464-7hnjx 0/1 Running 46 4h +eshop-ordering-backgroundtasks-f6dcb7db4-xq7gr 0/1 Running 24 4h +eshop-ordering-signalrhub-6664868779-dphxm 1/1 Running 1 4h +eshop-payment-api-7988db5f76-z76tc 0/1 Running 19 4h +eshop-rabbitmq-6b68647bc4-qjjrb 1/1 Running 1 4h +eshop-sql-data-5c4fdcccf4-2z5dm 1/1 Running 1 4h +eshop-webhooks-api-588b58bb66-lmx5c 1/1 Running 2 4h +eshop-webhooks-web-565c68b59c-dk8hp 1/1 Running 1 4h +eshop-webmvc-55c596544b-9fqsj 1/1 Running 2 4h +eshop-webshoppingagg-f8547f45b-4mjvp 0/1 Running 21 4h +eshop-webspa-84fd54466d-hzrlb 1/1 Running 2 4h +eshop-webstatus-775b487d4d-tbfbn 1/1 Running 1 4h ``` ```ps1 @@ -71,3 +71,15 @@ enter in k8s/istio/kiali and execute: ``` this script will prompt for a valid account/password and setups the secret in kubernetes (at the moment account/password will be admin/admin we need to modify the yml) + +After enter in /k8s/istio/nginx-ingress that execute, we need to apply the istio integration with nginx-ingress for service-upstream. + +``` +> ./update-nginx-ingress.ps1 +``` + +And After that, we only need to activate the sidecar injection in the default namespace for the eshops deployments, for doing that you must go the folder /k8s/istio +and run: +``` +> ./apply-injection.ps1 +```` \ No newline at end of file diff --git a/k8s/istio/apply-injection.ps1 b/k8s/istio/apply-injection.ps1 new file mode 100644 index 000000000..294eb880f --- /dev/null +++ b/k8s/istio/apply-injection.ps1 @@ -0,0 +1,2 @@ +kubectl label namespace default istio-injection=enabled +kubectl get namespace -L istio-injection 
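Review bot: `kubectl label namespace default istio-injection=enabled` on the first line of apply-injection.ps1 is not re-runnable — kubectl label refuses to set a label that already exists unless `--overwrite` is given, so a second run of the script fails instead of being a no-op. Use `kubectl label namespace default istio-injection=enabled --overwrite`. It is also worth a comment above it such as `# Enables sidecar injection for EVERY pod in 'default' (data stores included); already-running pods are only injected when recreated`, since the script neither scopes injection to the eShop deployments nor restarts anything, and readers of the README will assume it does.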
diff --git a/k8s/istio/delete-istio.ps1 b/k8s/istio/delete-istio.ps1
new file mode 100644
index 000000000..b1fa99e86
--- /dev/null
+++ b/k8s/istio/delete-istio.ps1
@@ -0,0 +1,2 @@
+helm delete --purge istio
+kubectl delete -f install/kubernetes/helm/istio/templates/crds.yaml -n istio-system
\ No newline at end of file
diff --git a/k8s/istio/deploy-istio-helm.ps1 b/k8s/istio/deploy-istio-helm.ps1
index 704813121..5bfcbc1e7 100644
--- a/k8s/istio/deploy-istio-helm.ps1
+++ b/k8s/istio/deploy-istio-helm.ps1
@@ -1,3 +1,4 @@
 $ISTIO_VERSION="1.0.6"
 cd istio-$ISTIO_VERSION
-helm install install/kubernetes/helm/istio --name istio --namespace istio-system --set global.controlPlaneSecurityEnabled=true --set grafana.enabled=true --set tracing.enabled=true --set kiali.enabled=true
\ No newline at end of file
+helm install install/kubernetes/helm/istio --wait --name istio --namespace istio-system --set global.controlPlaneSecurityEnabled=true --set grafana.enabled=true --set tracing.enabled=true --set kiali.enabled=true --set ingress.enabled=false --set gateways.istio-ingressgateway.enabled=false
+cd ..
\ No newline at end of file
diff --git a/k8s/istio/kiali/secrets.yml b/k8s/istio/kiali/secrets.yml
index 7185f1383..fb6155d54 100644
--- a/k8s/istio/kiali/secrets.yml
+++ b/k8s/istio/kiali/secrets.yml
@@ -7,5 +7,5 @@ metadata:
 app: kiali
 type: Opaque
 data:
- username: YQBkAG0AaQBuAA==
- passphrase: YQBkAG0AaQBuAA==
\ No newline at end of file
+ username: YWRtaW4=
+ passphrase: MWYyZDFlMmU2N2Rm
\ No newline at end of file
diff --git a/k8s/istio/kiali/set-kiali-credentials.ps1 b/k8s/istio/kiali/set-kiali-credentials.ps1
index bd778b647..dad0f5754 100644
--- a/k8s/istio/kiali/set-kiali-credentials.ps1
+++ b/k8s/istio/kiali/set-kiali-credentials.ps1
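Review bot: `passphrase: MWYyZDFlMmU2N2Rm` commits a working Kiali admin credential to the repository; base64 is not encryption, so anyone with read access has it, and it stays recoverable from git history after any later edit. If this manifest is only a template, leave `data` out of it (or use clearly fake placeholders) and point readers at `set-kiali-credentials.ps1`; given that the next hunk removes that script's `kubectl apply -f secrets.yml`, nothing in this diff applies the file any more, so it may be deletable outright. At minimum add a header comment such as `# Local-dev placeholder credentials only; never reuse in a shared cluster`.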
@@ -32,5 +32,5 @@ $KIALIUSERNAME = [Convert]::ToBase64String([Text.Encoding]::Unicode.GetBytes($us $plainpassword = Get-PlainText $password; $KIALIPASSWORD = [Convert]::ToBase64String([Text.Encoding]::Unicode.GetBytes($plainpassword)) -Write-Host "setting username [$KIALIUSERNAME] and password [$KIALIPASSWORD]" -ForegroundColor Blue -kubectl apply -f secrets.yml \ No newline at end of file +Write-Host "Creating Kiali Secret in namespace [$NAMESPACE]" -ForegroundColor Blue +kubectl -n $NAMESPACE create secret generic kiali --from-literal=username=$KIALIUSERNAME --from-literal=passphrase=$KIALIPASSWORD \ No newline at end of file diff --git a/k8s/istio/nginx-ingress/cloud-generic.yaml b/k8s/istio/nginx-ingress/cloud-generic.yaml new file mode 100644 index 000000000..945441ab8 --- /dev/null +++ b/k8s/istio/nginx-ingress/cloud-generic.yaml @@ -0,0 +1,21 @@ +kind: Service +apiVersion: v1 +metadata: + name: ingress-nginx + namespace: ingress-nginx + labels: + app.kubernetes.io/name: ingress-nginx + app.kubernetes.io/part-of: ingress-nginx +spec: + externalTrafficPolicy: Local + type: LoadBalancer + selector: + app.kubernetes.io/name: ingress-nginx + app.kubernetes.io/part-of: ingress-nginx + ports: + - name: http + port: 80 + targetPort: http + - name: https + port: 443 + targetPort: https \ No newline at end of file diff --git a/k8s/istio/nginx-ingress/cm.yaml b/k8s/istio/nginx-ingress/cm.yaml new file mode 100644 index 000000000..7818fd15b Binary files /dev/null and b/k8s/istio/nginx-ingress/cm.yaml differ diff --git a/k8s/istio/nginx-ingress/local-dockerk8s/identityapi-cm-fix.yaml b/k8s/istio/nginx-ingress/local-dockerk8s/identityapi-cm-fix.yaml new file mode 100644 index 000000000..3a3fcf5a5 --- /dev/null +++ b/k8s/istio/nginx-ingress/local-dockerk8s/identityapi-cm-fix.yaml @@ -0,0 +1,3 @@ +data: + mvc_e: http://10.0.75.1/webmvc + \ No newline at end of file 
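Review bot: The new `kubectl -n $NAMESPACE create secret generic kiali --from-literal=username=$KIALIUSERNAME --from-literal=passphrase=$KIALIPASSWORD` double-encodes the credentials: `--from-literal` takes a plain value and base64-encodes it itself, while `$KIALIUSERNAME`/`$KIALIPASSWORD` are already Base64 of UTF-16LE bytes (hunk-header context and the `$KIALIPASSWORD = [Convert]::ToBase64String([Text.Encoding]::Unicode.GetBytes(...))` line), so the Secret ends up holding the literal base64 text and, as far as I can tell, Kiali will reject what the user typed. Pass the plaintext values instead, `--from-literal=username=$username --from-literal=passphrase=$plainpassword` (the plaintext username variable is cut off in the header; use whichever one `$KIALIUSERNAME` is derived from), and drop the two Base64/Unicode conversions, which is also what the switch away from the UTF-16 values in secrets.yml requires. Note that `create` errors out when the secret already exists, whereas the removed `kubectl apply` was idempotent; piping `create ... --dry-run -o yaml` into `kubectl apply -f -` keeps the re-run behaviour. The passphrase now also travels on the kubectl command line, where it is visible in process listings and shell history — acceptable for a local dev script, but worth a comment saying so.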
diff --git a/k8s/istio/nginx-ingress/local-dockerk8s/mvc-cm-fix.yaml b/k8s/istio/nginx-ingress/local-dockerk8s/mvc-cm-fix.yaml
new file mode 100644
index 000000000..1475deec1
--- /dev/null
+++ b/k8s/istio/nginx-ingress/local-dockerk8s/mvc-cm-fix.yaml
@@ -0,0 +1,3 @@
+data:
+ urls__IdentityUrl: http://10.0.75.1/identity
+ urls__mvc: http://10.0.75.1/webmvc
diff --git a/k8s/istio/nginx-ingress/local-dockerk8s/mvc-fix.yaml b/k8s/istio/nginx-ingress/local-dockerk8s/mvc-fix.yaml
new file mode 100644
index 000000000..b9ecd4cba
--- /dev/null
+++ b/k8s/istio/nginx-ingress/local-dockerk8s/mvc-fix.yaml
@@ -0,0 +1,39 @@
+apiVersion: extensions/v1beta1
+kind: Ingress
+metadata:
+ annotations:
+ ingress.kubernetes.io/ssl-redirect: "false"
+ kubernetes.io/ingress.class: nginx
+ nginx.ingress.kubernetes.io/ssl-redirect: "false"
+ labels:
+ app: webmvc
+ name: eshop-webmvc-loopback
+ namespace: default
+spec:
+ rules:
+ - http:
+ paths:
+ - backend:
+ serviceName: webmvc
+ servicePort: http
+ path: /webmvc
+---
+apiVersion: extensions/v1beta1
+kind: Ingress
+metadata:
+ annotations:
+ ingress.kubernetes.io/ssl-redirect: "false"
+ kubernetes.io/ingress.class: nginx
+ nginx.ingress.kubernetes.io/ssl-redirect: "false"
+ labels:
+ app: identity-api
+ name: eshop-identity-api-loopback
+ namespace: default
+spec:
+ rules:
+ - http:
+ paths:
+ - backend:
+ serviceName: identity
+ servicePort: http
+ path: /identity
\ No newline at end of file
diff --git a/k8s/istio/nginx-ingress/mandatory.yaml b/k8s/istio/nginx-ingress/mandatory.yaml
new file mode 100644
index 000000000..0b9ea035e
--- /dev/null
+++ b/k8s/istio/nginx-ingress/mandatory.yaml
@@ -0,0 +1,239 @@ +apiVersion: v1 +kind: Namespace +metadata: + name: ingress-nginx + +--- + +kind: ConfigMap +apiVersion: v1 +metadata: + name: nginx-configuration + namespace: ingress-nginx + labels: + app.kubernetes.io/name: ingress-nginx + app.kubernetes.io/part-of: ingress-nginx + +--- + +apiVersion: v1 +kind: ServiceAccount +metadata: + name: nginx-ingress-serviceaccount + namespace: ingress-nginx + labels: + app.kubernetes.io/name: ingress-nginx + app.kubernetes.io/part-of: ingress-nginx + +--- +apiVersion: rbac.authorization.k8s.io/v1beta1 +kind: ClusterRole +metadata: + name: nginx-ingress-clusterrole + labels: + app.kubernetes.io/name: ingress-nginx + app.kubernetes.io/part-of: ingress-nginx +rules: + - apiGroups: + - "" + resources: + - configmaps + - endpoints + - nodes + - pods + - secrets + verbs: + - list + - watch + - apiGroups: + - "" + resources: + - nodes + verbs: + - get + - apiGroups: + - "" + resources: + - services + verbs: + - get + - list + - watch + - apiGroups: + - "extensions" + resources: + - ingresses + verbs: + - get + - list + - watch + - apiGroups: + - "" + resources: + - events + verbs: + - create + - patch + - apiGroups: + - "extensions" + resources: + - ingresses/status + verbs: + - update + +--- +apiVersion: rbac.authorization.k8s.io/v1beta1 +kind: Role +metadata: + name: nginx-ingress-role + namespace: ingress-nginx + labels: + app.kubernetes.io/name: ingress-nginx + app.kubernetes.io/part-of: ingress-nginx +rules: + - apiGroups: + - "" + resources: + - configmaps + - pods + - secrets + - namespaces + verbs: + - get + - apiGroups: + - "" + resources: + - configmaps + resourceNames: + # Defaults to "-" + # Here: "-" + # This has to be adapted if you change either parameter + # when launching the nginx-ingress-controller. 
+ - "ingress-controller-leader-nginx" + verbs: + - get + - update + - apiGroups: + - "" + resources: + - configmaps + verbs: + - create + - apiGroups: + - "" + resources: + - endpoints + verbs: + - get + +--- +apiVersion: rbac.authorization.k8s.io/v1beta1 +kind: RoleBinding +metadata: + name: nginx-ingress-role-nisa-binding + namespace: ingress-nginx + labels: + app.kubernetes.io/name: ingress-nginx + app.kubernetes.io/part-of: ingress-nginx +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: nginx-ingress-role +subjects: + - kind: ServiceAccount + name: nginx-ingress-serviceaccount + namespace: ingress-nginx + +--- +apiVersion: rbac.authorization.k8s.io/v1beta1 +kind: ClusterRoleBinding +metadata: + name: nginx-ingress-clusterrole-nisa-binding + labels: + app.kubernetes.io/name: ingress-nginx + app.kubernetes.io/part-of: ingress-nginx +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: nginx-ingress-clusterrole +subjects: + - kind: ServiceAccount + name: nginx-ingress-serviceaccount + namespace: ingress-nginx + +--- + +apiVersion: extensions/v1beta1 +kind: Deployment +metadata: + name: nginx-ingress-controller + namespace: ingress-nginx + labels: + app.kubernetes.io/name: ingress-nginx + app.kubernetes.io/part-of: ingress-nginx +spec: + replicas: 1 + selector: + matchLabels: + app.kubernetes.io/name: ingress-nginx + app.kubernetes.io/part-of: ingress-nginx + template: + metadata: + labels: + app.kubernetes.io/name: ingress-nginx + app.kubernetes.io/part-of: ingress-nginx + annotations: + prometheus.io/port: "10254" + prometheus.io/scrape: "true" + service-upstream: "true" + spec: + serviceAccountName: nginx-ingress-serviceaccount + containers: + - name: nginx-ingress-controller + image: quay.io/kubernetes-ingress-controller/nginx-ingress-controller:0.20.0 + args: + - /nginx-ingress-controller + - --configmap=$(POD_NAMESPACE)/nginx-configuration + - --publish-service=$(POD_NAMESPACE)/ingress-nginx + - 
--annotations-prefix=nginx.ingress.kubernetes.io + securityContext: + capabilities: + drop: + - ALL + add: + - NET_BIND_SERVICE + # www-data -> 33 + runAsUser: 33 + env: + - name: POD_NAME + valueFrom: + fieldRef: + fieldPath: metadata.name + - name: POD_NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + ports: + - name: http + containerPort: 80 + - name: https + containerPort: 443 + livenessProbe: + failureThreshold: 3 + httpGet: + path: /healthz + port: 10254 + scheme: HTTP + initialDelaySeconds: 10 + periodSeconds: 10 + successThreshold: 1 + timeoutSeconds: 1 + readinessProbe: + failureThreshold: 3 + httpGet: + path: /healthz + port: 10254 + scheme: HTTP + periodSeconds: 10 + successThreshold: 1 + timeoutSeconds: 1 diff --git a/k8s/istio/nginx-ingress/service-nodeport.yaml b/k8s/istio/nginx-ingress/service-nodeport.yaml new file mode 100644 index 000000000..dd82ed3ed --- /dev/null +++ b/k8s/istio/nginx-ingress/service-nodeport.yaml @@ -0,0 +1,22 @@ +apiVersion: v1 +kind: Service +metadata: + name: ingress-nginx + namespace: ingress-nginx + labels: + app.kubernetes.io/name: ingress-nginx + app.kubernetes.io/part-of: ingress-nginx +spec: + type: NodePort + ports: + - name: http + port: 80 + targetPort: 80 + protocol: TCP + - name: https + port: 443 + targetPort: 443 + protocol: TCP + selector: + app.kubernetes.io/name: ingress-nginx + app.kubernetes.io/part-of: ingress-nginx diff --git a/k8s/istio/nginx-ingress/update-nginx-ingress.ps1 b/k8s/istio/nginx-ingress/update-nginx-ingress.ps1 new file mode 100644 index 000000000..656bd9fe8 --- /dev/null +++ b/k8s/istio/nginx-ingress/update-nginx-ingress.ps1 @@ -0,0 +1 @@ +kubectl apply -f mandatory.yml \ No newline at end of file diff --git a/k8s/nginx-ingress/mandatory-istio.yaml b/k8s/nginx-ingress/mandatory-istio.yaml new file mode 100644 index 000000000..56b1cc3b5 --- /dev/null +++ b/k8s/nginx-ingress/mandatory-istio.yaml 
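Review bot: The `service-upstream: "true"` annotation added to the controller's pod template (next to `prometheus.io/scrape`) is, as far as I can tell, not read by anything: in nginx-ingress 0.20.0 service-upstream is a per-Ingress annotation under the configured prefix, `nginx.ingress.kubernetes.io/service-upstream: "true"` on each Ingress object, not a setting on the controller pod. Left here, the controller still proxies straight to pod IPs, which is the path that breaks once the sidecars are injected, so the README's claim that this file applies the Istio integration is not backed by it; move the annotation onto the eShop Ingress resources (if a newer controller with a global ConfigMap switch is actually in use, say so in a comment). Separately, the ClusterRole keeps upstream's cluster-wide `list`/`watch` on `secrets`; that is the stock manifest, but a comment noting that the ingress ServiceAccount can read every Secret in the cluster, including what Istio keeps in istio-system, would help whoever hardens this later.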
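Review bot: `kubectl apply -f mandatory.yml` in update-nginx-ingress.ps1 points at a file this commit does not add — the manifest next to the script is `mandatory.yaml`, so the script fails with a missing-path error unless a `.yml` copy exists outside this diff. Change it to `kubectl apply -f mandatory.yaml`. The script also never applies a Service for the controller (`cloud-generic.yaml` and `service-nodeport.yaml` are added but unused here), so the README's statement that running it completes the nginx-ingress integration only holds if the user applies one of them by hand; either apply it here or say so in the README.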
@@ -0,0 +1,238 @@ +apiVersion: v1 +kind: Namespace +metadata: + name: ingress-nginx + +--- + +kind: ConfigMap +apiVersion: v1 +metadata: + name: nginx-configuration + namespace: ingress-nginx + labels: + app.kubernetes.io/name: ingress-nginx + app.kubernetes.io/part-of: ingress-nginx + +--- + +apiVersion: v1 +kind: ServiceAccount +metadata: + name: nginx-ingress-serviceaccount + namespace: ingress-nginx + labels: + app.kubernetes.io/name: ingress-nginx + app.kubernetes.io/part-of: ingress-nginx + +--- +apiVersion: rbac.authorization.k8s.io/v1beta1 +kind: ClusterRole +metadata: + name: nginx-ingress-clusterrole + labels: + app.kubernetes.io/name: ingress-nginx + app.kubernetes.io/part-of: ingress-nginx +rules: + - apiGroups: + - "" + resources: + - configmaps + - endpoints + - nodes + - pods + - secrets + verbs: + - list + - watch + - apiGroups: + - "" + resources: + - nodes + verbs: + - get + - apiGroups: + - "" + resources: + - services + verbs: + - get + - list + - watch + - apiGroups: + - "extensions" + resources: + - ingresses + verbs: + - get + - list + - watch + - apiGroups: + - "" + resources: + - events + verbs: + - create + - patch + - apiGroups: + - "extensions" + resources: + - ingresses/status + verbs: + - update + +--- +apiVersion: rbac.authorization.k8s.io/v1beta1 +kind: Role +metadata: + name: nginx-ingress-role + namespace: ingress-nginx + labels: + app.kubernetes.io/name: ingress-nginx + app.kubernetes.io/part-of: ingress-nginx +rules: + - apiGroups: + - "" + resources: + - configmaps + - pods + - secrets + - namespaces + verbs: + - get + - apiGroups: + - "" + resources: + - configmaps + resourceNames: + # Defaults to "-" + # Here: "-" + # This has to be adapted if you change either parameter + # when launching the nginx-ingress-controller. 
+ - "ingress-controller-leader-nginx" + verbs: + - get + - update + - apiGroups: + - "" + resources: + - configmaps + verbs: + - create + - apiGroups: + - "" + resources: + - endpoints + verbs: + - get + +--- +apiVersion: rbac.authorization.k8s.io/v1beta1 +kind: RoleBinding +metadata: + name: nginx-ingress-role-nisa-binding + namespace: ingress-nginx + labels: + app.kubernetes.io/name: ingress-nginx + app.kubernetes.io/part-of: ingress-nginx +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: nginx-ingress-role +subjects: + - kind: ServiceAccount + name: nginx-ingress-serviceaccount + namespace: ingress-nginx + +--- +apiVersion: rbac.authorization.k8s.io/v1beta1 +kind: ClusterRoleBinding +metadata: + name: nginx-ingress-clusterrole-nisa-binding + labels: + app.kubernetes.io/name: ingress-nginx + app.kubernetes.io/part-of: ingress-nginx +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: nginx-ingress-clusterrole +subjects: + - kind: ServiceAccount + name: nginx-ingress-serviceaccount + namespace: ingress-nginx + +--- + +apiVersion: extensions/v1beta1 +kind: Deployment +metadata: + name: nginx-ingress-controller + namespace: ingress-nginx + labels: + app.kubernetes.io/name: ingress-nginx + app.kubernetes.io/part-of: ingress-nginx +spec: + replicas: 1 + selector: + matchLabels: + app.kubernetes.io/name: ingress-nginx + app.kubernetes.io/part-of: ingress-nginx + template: + metadata: + labels: + app.kubernetes.io/name: ingress-nginx + app.kubernetes.io/part-of: ingress-nginx + annotations: + prometheus.io/port: "10254" + prometheus.io/scrape: "true" + spec: + serviceAccountName: nginx-ingress-serviceaccount + containers: + - name: nginx-ingress-controller + image: quay.io/kubernetes-ingress-controller/nginx-ingress-controller:0.20.0 + args: + - /nginx-ingress-controller + - --configmap=$(POD_NAMESPACE)/nginx-configuration + - --publish-service=$(POD_NAMESPACE)/ingress-nginx + - --annotations-prefix=nginx.ingress.kubernetes.io + 
securityContext: + capabilities: + drop: + - ALL + add: + - NET_BIND_SERVICE + # www-data -> 33 + runAsUser: 33 + env: + - name: POD_NAME + valueFrom: + fieldRef: + fieldPath: metadata.name + - name: POD_NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + ports: + - name: http + containerPort: 80 + - name: https + containerPort: 443 + livenessProbe: + failureThreshold: 3 + httpGet: + path: /healthz + port: 10254 + scheme: HTTP + initialDelaySeconds: 10 + periodSeconds: 10 + successThreshold: 1 + timeoutSeconds: 1 + readinessProbe: + failureThreshold: 3 + httpGet: + path: /healthz + port: 10254 + scheme: HTTP + periodSeconds: 10 + successThreshold: 1 + timeoutSeconds: 1
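Review bot: Despite its name, `mandatory-istio.yaml` carries no Istio-specific change: it is the stock nginx-ingress 0.20.0 manifest and is identical to `k8s/istio/nginx-ingress/mandatory.yaml` in this same commit except for that file's extra pod annotation, leaving two 238-line copies of upstream to keep in sync. Either delete one and reference the other, or put a header comment at the top stating what differs and why, e.g. `# Copy of upstream ingress-nginx 0.20.0 mandatory.yaml; see k8s/istio/nginx-ingress/ for the Istio variant`. If the Istio variant is meant to differ (service-upstream, sidecar exclusions), the difference should be visible in the file rather than implied by the filename.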