diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml index e83764a..0a2fcda 100644 --- a/.github/workflows/test.yml +++ b/.github/workflows/test.yml @@ -13,6 +13,7 @@ jobs: run: | curl -L https://github.com/yannh/kubeconform/releases/latest/download/kubeconform-linux-amd64.tar.gz | tar -zxf - sudo mv kubeconform /usr/local/bin + kubeconform -v - name: check all yaml run: | ./bin/test.sh | tee -a apply.txt diff --git a/.yamllint b/.yamllint index 64c84d6..f6d8c32 100644 --- a/.yamllint +++ b/.yamllint @@ -5,6 +5,9 @@ yaml-files: - '*.yml' - '.yamllint' +ignore: | + .github/ + rules: braces: enable brackets: enable diff --git a/Istio/DestinationRule/circuit-breaker.yaml b/Istio/DestinationRule/circuit-breaker.yaml index 8f9cd4e..b73bdb7 100644 --- a/Istio/DestinationRule/circuit-breaker.yaml +++ b/Istio/DestinationRule/circuit-breaker.yaml 
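Review bot: The install step still fetches whatever `releases/latest` resolves to and untars it straight into `/usr/local/bin` with no integrity check, so the added `kubeconform -v` only reports which unpinned build the job happened to receive; pin a release tag and compare the archive's sha256 against the checksum published alongside that release before the `sudo mv`. The `curl` call also lacks `-f`, so an HTTP error page would be piped into `tar` and fail with a confusing message instead of a clear download failure, e.g. `curl -fsSL "https://github.com/yannh/kubeconform/releases/download/${KUBECONFORM_VERSION}/kubeconform-linux-amd64.tar.gz" | tar -zxf -` with `KUBECONFORM_VERSION` (constructed name) set once at the top of the job. The step's `name:` and the enclosing `steps:` list begin outside the hunk.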
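Review bot: `ignore: .github/` in `.yamllint` excludes the workflow that installs the CI tooling from the very lint this repository runs, which is broader than it needs to be. If the motivation is yamllint's `truthy` rule firing on the workflow's `on:` key (inferred — the hunk does not say why), the narrower fix is to keep linting `.github/` and relax only that rule, e.g. `truthy:` / `  check-keys: false` under `rules:`, or an inline `# yamllint disable-line rule:truthy` on the `on:` line. The `rules:` mapping continues outside the hunk.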
@@ -8,8 +8,8 @@ spec: host: service-a trafficPolicy: outlierDetection: - consecutive5xxErrors: 7 # Default 5 - interval: 5m # Interval over which errors are counted and compared to the threshold. This is a periodic check, not a rolling one. - baseEjectionTime: 10s # Initial period for which the endpoint is ejected from the endpoint pool. Repeated ejections are longer each time. Default 30s - maxEjectionPercent: 50 # Max % of endpoints that can ejected from the endpoint pool. Default 10 - minHealthPercent: 50 # Min % of endpoints in the endpoint pool that must be healthy for circuit-breaking to activate. Default 0 + consecutive5xxErrors: 7 # Default 5 + interval: 5m # Interval over which errors are counted and compared to the threshold. This is a periodic check, not a rolling one. + baseEjectionTime: 10s # Initial period for which the endpoint is ejected from the endpoint pool. Repeated ejections are longer each time. Default 30s + maxEjectionPercent: 50 # Max % of endpoints that can ejected from the endpoint pool. Default 10 + minHealthPercent: 50 # Min % of endpoints in the endpoint pool that must be healthy for circuit-breaking to activate. Default 0 diff --git a/Istio/DestinationRule/connection-pool-settings.yaml b/Istio/DestinationRule/connection-pool-settings.yaml index 199e3ef..ba2f1ea 100644 --- a/Istio/DestinationRule/connection-pool-settings.yaml +++ b/Istio/DestinationRule/connection-pool-settings.yaml 
@@ -10,12 +10,12 @@ spec: trafficPolicy: connectionPool: tcp: - maxConnections: 100 # Default 4bn - connectTimeout: 50ms # Default 10s - tcpKeepalive: # TCP-level keepalives ie SO_KEEPALIVE - time: 3600s # Default 2h - interval: 50s # Default 75s + maxConnections: 100 # Default 4bn + connectTimeout: 50ms # Default 10s + tcpKeepalive: # TCP-level keepalives ie SO_KEEPALIVE + time: 3600s # Default 2h + interval: 50s # Default 75s http: - maxRequestsPerConnection: 1 # Disables HTTP connection keep-alive/reuse. Default unlimited - idleTimeout: 1m # How long a keep-alive tcp connection will stay open if unused for any http requests. Default 1h - h2UpgradePolicy: UPGRADE # Upgrade http1.1 connections arriving at the sidecar to h2 from sidecar -> workload. Default: use mesh-wide setting + maxRequestsPerConnection: 1 # Disables HTTP connection keep-alive/reuse. Default unlimited + idleTimeout: 1m # How long a keep-alive tcp connection will stay open if unused for any http requests. Default 1h + h2UpgradePolicy: UPGRADE # Upgrade http1.1 connections arriving at the sidecar to h2 from sidecar -> workload. Default: use mesh-wide setting diff --git a/Istio/DestinationRule/load-balance.yaml b/Istio/DestinationRule/load-balance.yaml index e87ad2c..b581bc0 100644 --- a/Istio/DestinationRule/load-balance.yaml +++ b/Istio/DestinationRule/load-balance.yaml @@ -1,3 +1,4 @@ +--- apiVersion: networking.istio.io/v1beta1 kind: DestinationRule metadata: @@ -6,4 +7,4 @@ spec: host: service-a trafficPolicy: loadBalancer: - simple: LEAST_CONN # Default: ROUND_ROBIN, others: RANDOM + simple: LEAST_CONN # Default: ROUND_ROBIN, others: RANDOM diff --git a/Istio/DestinationRule/sticky-sessions.yaml b/Istio/DestinationRule/sticky-sessions.yaml index ea4aea6..185dfcd 100644 --- a/Istio/DestinationRule/sticky-sessions.yaml +++ b/Istio/DestinationRule/sticky-sessions.yaml @@ -1,3 +1,4 @@ +--- apiVersion: networking.istio.io/v1beta1 kind: DestinationRule metadata: 
diff --git a/Istio/DestinationRule/subsets.yaml b/Istio/DestinationRule/subsets.yaml index 0a19c5d..6feb787 100644 --- a/Istio/DestinationRule/subsets.yaml +++ b/Istio/DestinationRule/subsets.yaml @@ -6,9 +6,9 @@ metadata: spec: host: service-a subsets: - - name: v1 # Arbitrary name for subset - labels: # Kubernetes Pod labels to match - version: v1 - - name: v2 - labels: - version: v2 + - name: v1 # Arbitrary name for subset + labels: # Kubernetes Pod labels to match + version: v1 + - name: v2 + labels: + version: v2 diff --git a/Istio/DestinationRule/tls.yaml b/Istio/DestinationRule/tls.yaml index 73a7199..86c0ccf 100644 --- a/Istio/DestinationRule/tls.yaml +++ b/Istio/DestinationRule/tls.yaml @@ -1,3 +1,4 @@ +--- apiVersion: networking.istio.io/v1beta1 kind: DestinationRule metadata: @@ -8,7 +9,7 @@ spec: tls: mode: SIMPLE --- -# NB: This establishes an mTLS connection with an upstream endpoint. +# NB: This establishes an mTLS connection with an upstream endpoint. # It's for _mesh-external_ endpoints; within the mesh Istio automatically establishes mTLS connections between pairs of sidecars. apiVersion: networking.istio.io/v1beta1 kind: DestinationRule diff --git a/Istio/VirtualService/README.md b/Istio/VirtualService/README.md new file mode 100644 index 0000000..4920238 --- /dev/null +++ b/Istio/VirtualService/README.md 
@@ -0,0 +1,10 @@ +# VirtualService +`VirtualServices` configure routing rules for traffic. + +Traffic is identified by the _Host_ it's addressed to in its layer 7 request header (there must be at most one VirtualService per Host). +For a given protocol, Routing Rules are then tried in order until one matches the attributes of the request. +The matching routing rule specifies a Service to which to send the request (a _Service_ is effectively a Kubernetes `Service`, qv). +Optionally, a subset of the Service's Pods can be targeted using Subsets (see `DestinationRule`) + +VirtualServices can be thought of as an "active" bump-on-the-wire through which requests are sent. +They can apply various transforms to the traffic passing through them, such as header manipulation, delay injection, etc. diff --git a/Istio/VirtualService/delay-injection.yaml b/Istio/VirtualService/delay-injection.yaml new file mode 100644 index 0000000..3fadf93 --- /dev/null +++ b/Istio/VirtualService/delay-injection.yaml @@ -0,0 +1,17 @@ +--- +apiVersion: networking.istio.io/v1beta1 +kind: VirtualService +metadata: + name: delay-injection +spec: + hosts: + - service-a + http: + - fault: + delay: + fixedDelay: 10s + percentage: + value: 100.0 + route: + - destination: + host: service-a diff --git a/Istio/VirtualService/error-injection.yaml b/Istio/VirtualService/error-injection.yaml new file mode 100644 index 0000000..3ffdd5f --- /dev/null +++ b/Istio/VirtualService/error-injection.yaml @@ -0,0 +1,17 @@ +--- +apiVersion: networking.istio.io/v1beta1 +kind: VirtualService +metadata: + name: error-injection +spec: + hosts: + - service-a + http: + - fault: + abort: + httpStatus: 500 + # percentage: + # value: 100.0 + route: + - destination: + host: service-a diff --git a/Istio/VirtualService/header-manipulation.yaml b/Istio/VirtualService/header-manipulation.yaml new file mode 100644 index 0000000..bd08564 --- /dev/null +++ b/Istio/VirtualService/header-manipulation.yaml 
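Review bot: error-injection.yaml is committed with its `percentage` block commented out, so the share of `service-a` requests that receive the 500 is left to the Istio default, and what an omitted percentage means has not been stable across Istio releases (inferred — confirm against the version this repository targets). State it explicitly as delay-injection.yaml already does, `percentage:` / `  value: 100.0`, and drop the two dead comment lines; a one-line comment noting that 100% is a deliberate demo value would also stop a reader assuming a partial, canary-style fault was intended.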
@@ -0,0 +1,36 @@ +--- +apiVersion: networking.istio.io/v1beta1 +kind: VirtualService +metadata: + name: header-manipulation +spec: + hosts: + - service-a + http: + - headers: + # These rules are always applied + request: + set: + manipulated: "true" + route: + - weight: 90 + destination: + host: service-a-current + headers: + # These rules are applied only when this route is taken + request: + set: + test-subset: "false" + response: + add: + new-header: "foo" + remove: + - old-header + - weight: 90 + destination: + host: service-a-next + headers: + # These rules are applied only when this route is taken + request: + set: + test-subset: "true" diff --git a/Istio/VirtualService/identity.yaml b/Istio/VirtualService/identity.yaml new file mode 100644 index 0000000..3f3ec99 --- /dev/null +++ b/Istio/VirtualService/identity.yaml @@ -0,0 +1,12 @@ +--- +apiVersion: networking.istio.io/v1beta1 +kind: VirtualService +metadata: + name: identity +spec: + hosts: + - service-a + http: + - route: + - destination: + host: service-a diff --git a/Istio/VirtualService/layer-7-routing.yaml b/Istio/VirtualService/layer-7-routing.yaml new file mode 100644 index 0000000..4937362 --- /dev/null +++ b/Istio/VirtualService/layer-7-routing.yaml 
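Review bot: Both routes in header-manipulation.yaml carry `weight: 90`, which is almost certainly a copy-paste slip given the 90/10 split used in traffic-split.yaml; depending on the Istio version, weights that do not sum to 100 are either rejected at validation time or normalised, which here would give an even split between `service-a-current` and `service-a-next` rather than the intended canary. Change the second route to `weight: 10`. The comment "These rules are applied only when this route is taken" is accurate and worth keeping next to each route-level `headers` block.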
@@ -0,0 +1,68 @@ +--- +apiVersion: networking.istio.io/v1beta1 +kind: VirtualService +metadata: + name: path-routing +spec: + hosts: + - service-a + http: + - match: + - uri: + prefix: "/beta" + ignoreUriCase: true + route: + - destination: + host: service-a-vnext + - route: + - destination: + host: service-a-current +--- +apiVersion: networking.istio.io/v1beta1 +kind: VirtualService +metadata: + name: header-routing +spec: + hosts: + - service-a + http: + - match: + - headers: + x-beta: + exact: "yes please" + route: + - destination: + host: service-a-vnext + - route: + - destination: + host: service-a-current +--- +apiVersion: networking.istio.io/v1beta1 +kind: VirtualService +metadata: + name: combined-routing +spec: + hosts: + - service-a + http: + - match: + - uri: + prefix: "/beta" + ignoreUriCase: true + method: + exact: "POST" + headers: # Has header 'x-beta: im_sure' + x-beta: + exact: "im_sure" + queryParams: # '?beta=really_sure' + beta: + exact: "really_sure" + withoutHeaders: # Doesn't have header 'x-feeling: scared' + x-feeling: + exact: "scared" + route: + - destination: + host: service-a-vnext + - route: + - destination: + host: service-a-current diff --git a/Istio/VirtualService/redirect-rewrite.yaml b/Istio/VirtualService/redirect-rewrite.yaml new file mode 100644 index 0000000..965d9df --- /dev/null +++ b/Istio/VirtualService/redirect-rewrite.yaml @@ -0,0 +1,29 @@ +--- +apiVersion: networking.istio.io/v1beta1 +kind: VirtualService +metadata: + name: redirect +spec: + hosts: + - service-a + http: + # Sends an HTTP 301. + - redirect: + authority: service-a-vnext + uri: /app +--- +apiVersion: networking.istio.io/v1beta1 +kind: VirtualService +metadata: + name: rewrite +spec: + hosts: + - service-a + http: + # Transparently re-writes the destination. + - rewrite: + authority: service-a-vnext + uri: /app + route: + - destination: + host: service-a-vnext 
diff --git a/Istio/VirtualService/retry.yaml b/Istio/VirtualService/retry.yaml new file mode 100644 index 0000000..6bcf6b3 --- /dev/null +++ b/Istio/VirtualService/retry.yaml @@ -0,0 +1,16 @@ +--- +apiVersion: networking.istio.io/v1beta1 +kind: VirtualService +metadata: + name: retry +spec: + hosts: + - service-a + http: + - route: + - destination: + host: service-a + retries: + attempts: 3 + perTryTimeout: 1s + retryOn: 5xx # Any HTTP 5xx status, timed-out/rejected/closed TCP connection diff --git a/Istio/VirtualService/timeout.yaml b/Istio/VirtualService/timeout.yaml new file mode 100644 index 0000000..2682787 --- /dev/null +++ b/Istio/VirtualService/timeout.yaml @@ -0,0 +1,14 @@ +--- +apiVersion: networking.istio.io/v1beta1 +kind: VirtualService +metadata: + name: timeout +spec: + hosts: + - service-a + http: + # Istio will return an HTTP 504 to the caller if the destination doesn't reply in time + - route: + - destination: + host: service-a + timeout: 10s diff --git a/Istio/VirtualService/traffic-split.yaml b/Istio/VirtualService/traffic-split.yaml new file mode 100644 index 0000000..f87bfb9 --- /dev/null +++ b/Istio/VirtualService/traffic-split.yaml @@ -0,0 +1,34 @@ +--- +apiVersion: networking.istio.io/v1beta1 +kind: VirtualService +metadata: + name: split-between-services +spec: + hosts: + - service-a + http: + - route: + - weight: 90 + destination: + host: service-a-current + - weight: 10 + destination: + host: service-a-next +--- +apiVersion: networking.istio.io/v1beta1 +kind: VirtualService +metadata: + name: split-between-subsets +spec: + hosts: + - service-a + http: + - route: + - weight: 90 + destination: + host: service-a + subset: v1 + - weight: 10 + destination: + host: service-a + subset: v2
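Review bot: `retryOn: 5xx` in retry.yaml makes the sidecar re-send every request that comes back with a 5xx, including non-idempotent ones such as POST, so a handler that failed after committing a side effect is replayed up to `attempts: 3` times. If that is intentional for the demo, say so in the comment; otherwise narrow the policy to connection-level failures and a status that is safe to retry, e.g. `retryOn: connect-failure,refused-stream,503`, since Istio adds a bare HTTP status in `retryOn` to the retriable status codes. The trailing comment is otherwise accurate: Envoy's `5xx` policy also covers an upstream that never responds.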
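Review bot: The `split-between-subsets` document in traffic-split.yaml routes to `subset: v1` and `subset: v2`, which only exist once the DestinationRule in Istio/DestinationRule/subsets.yaml has been applied; without it the route has no cluster to send to and callers see errors rather than a fallback (inferred from Istio's subset model — confirm). A comment above the `route:` naming that dependency, `# Requires the v1/v2 subsets defined in ../DestinationRule/subsets.yaml`, would make the ordering requirement explicit for anyone applying these files individually.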