ContainerSolutions · ianmiell · May 4, 2022 · Apr 30, 2022 · May 1, 2022 · May 4, 2022
diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml
@@ -13,6 +13,7 @@ jobs:
         run: |
            curl -L https://github.com/yannh/kubeconform/releases/latest/download/kubeconform-linux-amd64.tar.gz | tar -zxf -
            sudo mv kubeconform /usr/local/bin
+           kubeconform -v
       - name: check all yaml
         run: |
           ./bin/test.sh | tee -a apply.txt

diff --git a/.yamllint b/.yamllint
@@ -5,6 +5,9 @@ yaml-files:
   - '*.yml'
   - '.yamllint'
 
+ignore: |
+  .github/
+
 rules:
   braces: enable
   brackets: enable

diff --git a/Istio/DestinationRule/circuit-breaker.yaml b/Istio/DestinationRule/circuit-breaker.yaml
@@ -8,8 +8,8 @@ spec:
   host: service-a
   trafficPolicy:
     outlierDetection:
-      consecutive5xxErrors: 7 # Default 5
-      interval: 5m # Interval over which errors are counted and compared to the threshold. This is a periodic check, not a rolling one.
-      baseEjectionTime: 10s # Initial period for which the endpoint is ejected from the endpoint pool. Repeated ejections are longer each time. Default 30s
-      maxEjectionPercent: 50 # Max % of endpoints that can ejected from the endpoint pool. Default 10
-      minHealthPercent: 50 # Min % of endpoints in the endpoint pool that must be healthy for circuit-breaking to activate. Default 0
+      consecutive5xxErrors: 7  # Default 5
+      interval: 5m  # Interval over which errors are counted and compared to the threshold. This is a periodic check, not a rolling one.
+      baseEjectionTime: 10s  # Initial period for which the endpoint is ejected from the endpoint pool. Repeated ejections are longer each time. Default 30s
+      maxEjectionPercent: 50  # Max % of endpoints that can ejected from the endpoint pool. Default 10
+      minHealthPercent: 50  # Min % of endpoints in the endpoint pool that must be healthy for circuit-breaking to activate. Default 0
diff --git a/Istio/DestinationRule/connection-pool-settings.yaml b/Istio/DestinationRule/connection-pool-settings.yaml
@@ -10,12 +10,12 @@ spec:
   trafficPolicy:
     connectionPool:
       tcp:
-        maxConnections: 100 # Default 4bn
-        connectTimeout: 50ms # Default 10s
-        tcpKeepalive: # TCP-level keepalives ie SO_KEEPALIVE
-          time: 3600s # Default 2h
-          interval: 50s # Default 75s
+        maxConnections: 100  # Default 4bn
+        connectTimeout: 50ms  # Default 10s
+        tcpKeepalive:  # TCP-level keepalives ie SO_KEEPALIVE
+          time: 3600s  # Default 2h
+          interval: 50s  # Default 75s
       http:
-        maxRequestsPerConnection: 1 # Disables HTTP connection keep-alive/reuse. Default unlimited
-        idleTimeout: 1m # How long a keep-alive tcp connection will stay open if unused for any http requests. Default 1h
-        h2UpgradePolicy: UPGRADE # Upgrade http1.1 connections arriving at the sidecar to h2 from sidecar -> workload. Default: use mesh-wide setting
+        maxRequestsPerConnection: 1  # Disables HTTP connection keep-alive/reuse. Default unlimited
+        idleTimeout: 1m  # How long a keep-alive tcp connection will stay open if unused for any http requests. Default 1h
+        h2UpgradePolicy: UPGRADE  # Upgrade http1.1 connections arriving at the sidecar to h2 from sidecar -> workload. Default: use mesh-wide setting
diff --git a/Istio/DestinationRule/load-balance.yaml b/Istio/DestinationRule/load-balance.yaml
@@ -1,3 +1,4 @@
+---
 apiVersion: networking.istio.io/v1beta1
 kind: DestinationRule
 metadata:
@@ -6,4 +7,4 @@ spec:
   host: service-a
   trafficPolicy:
     loadBalancer:
-      simple: LEAST_CONN # Default: ROUND_ROBIN, others: RANDOM
+      simple: LEAST_CONN  # Default: ROUND_ROBIN, others: RANDOM
diff --git a/Istio/DestinationRule/sticky-sessions.yaml b/Istio/DestinationRule/sticky-sessions.yaml
@@ -1,3 +1,4 @@
+---
 apiVersion: networking.istio.io/v1beta1
 kind: DestinationRule
 metadata:

diff --git a/Istio/DestinationRule/subsets.yaml b/Istio/DestinationRule/subsets.yaml
@@ -6,9 +6,9 @@ metadata:
 spec:
   host: service-a
   subsets:
-  - name: v1 # Arbitrary name for subset
-    labels: # Kubernetes Pod labels to match
-      version: v1
-  - name: v2
-    labels:
-      version: v2
+    - name: v1  # Arbitrary name for subset
+      labels:  # Kubernetes Pod labels to match
+        version: v1
+    - name: v2
+      labels:
+        version: v2
diff --git a/Istio/DestinationRule/tls.yaml b/Istio/DestinationRule/tls.yaml
@@ -1,3 +1,4 @@
+---
 apiVersion: networking.istio.io/v1beta1
 kind: DestinationRule
 metadata:
@@ -8,7 +9,7 @@ spec:
     tls:
       mode: SIMPLE
 ---
-# NB: This establishes an mTLS connection with an upstream endpoint. 
+# NB: This establishes an mTLS connection with an upstream endpoint.
 # It's for _mesh-external_ endpoints; within the mesh Istio automatically establishes mTLS connections between pairs of sidecars.
 apiVersion: networking.istio.io/v1beta1
 kind: DestinationRule

diff --git a/Istio/VirtualService/README.md b/Istio/VirtualService/README.md
@@ -0,0 +1,10 @@
+# VirtualService
+`VirtualServices` configure routing rules for traffic.
+
+Traffic is identified by the _Host_ it's addressed to in its layer 7 request header (there must be at most one VirtualService per Host).
+For a given protocol, Routing Rules are then tried in order until one matches the attributes of the request.
+The matching routing rule specifies a Service to which to send the request (a _Service_ is effectively a Kubernetes `Service`, qv).
+Optionally, a subset of the Service's Pods can be targeted using Subsets (see `DestinationRule`)
+
+VirtualServices can be thought of as an "active" bump-on-the-wire through which requests are sent.
+They can apply various transforms to the traffic passing through them, such as header manipulation, delay injection, etc.
diff --git a/Istio/VirtualService/delay-injection.yaml b/Istio/VirtualService/delay-injection.yaml
@@ -0,0 +1,17 @@
+---
+apiVersion: networking.istio.io/v1beta1
+kind: VirtualService
+metadata:
+  name: delay-injection
+spec:
+  hosts:
+    - service-a
+  http:
+    - fault:
+        delay:
+          fixedDelay: 10s
+          percentage:
+            value: 100.0
+      route:
+        - destination:
+            host: service-a
diff --git a/Istio/VirtualService/error-injection.yaml b/Istio/VirtualService/error-injection.yaml
@@ -0,0 +1,17 @@
+---
+apiVersion: networking.istio.io/v1beta1
+kind: VirtualService
+metadata:
+  name: error-injection
+spec:
+  hosts:
+    - service-a
+  http:
+    - fault:
+        abort:
+          httpStatus: 500
+          # percentage:
+          #   value: 100.0
+      route:
+        - destination:
+            host: service-a
diff --git a/Istio/VirtualService/header-manipulation.yaml b/Istio/VirtualService/header-manipulation.yaml
@@ -0,0 +1,36 @@
+---
+apiVersion: networking.istio.io/v1beta1
+kind: VirtualService
+metadata:
+  name: header-manipulation
+spec:
+  hosts:
+    - service-a
+  http:
+    - headers:
+        # These rules are always applied
+        request:
+          set:
+            manipulated: "true"
+      route:
+        - weight: 90
+          destination:
+            host: service-a-current
+          headers:
+            # These rules are applied only when this route is taken
+            request:
+              set:
+                test-subset: "false"
+            response:
+              add:
+                new-header: "foo"
+              remove:
+                - old-header
+        - weight: 90
+          destination:
+            host: service-a-next
+          headers:
+            # These rules are applied only when this route is taken
+            request:
+              set:
+                test-subset: "true"
diff --git a/Istio/VirtualService/identity.yaml b/Istio/VirtualService/identity.yaml
@@ -0,0 +1,12 @@
+---
+apiVersion: networking.istio.io/v1beta1
+kind: VirtualService
+metadata:
+  name: identity
+spec:
+  hosts:
+    - service-a
+  http:
+    - route:
+        - destination:
+            host: service-a
diff --git a/Istio/VirtualService/layer-7-routing.yaml b/Istio/VirtualService/layer-7-routing.yaml
@@ -0,0 +1,68 @@
+---
+apiVersion: networking.istio.io/v1beta1
+kind: VirtualService
+metadata:
+  name: path-routing
+spec:
+  hosts:
+    - service-a
+  http:
+    - match:
+        - uri:
+            prefix: "/beta"
+          ignoreUriCase: true
+      route:
+        - destination:
+            host: service-a-vnext
+    - route:
+        - destination:
+            host: service-a-current
+---
+apiVersion: networking.istio.io/v1beta1
+kind: VirtualService
+metadata:
+  name: header-routing
+spec:
+  hosts:
+    - service-a
+  http:
+    - match:
+        - headers:
+            x-beta:
+              exact: "yes please"
+      route:
+        - destination:
+            host: service-a-vnext
+    - route:
+        - destination:
+            host: service-a-current
+---
+apiVersion: networking.istio.io/v1beta1
+kind: VirtualService
+metadata:
+  name: combined-routing
+spec:
+  hosts:
+    - service-a
+  http:
+    - match:
+        - uri:
+            prefix: "/beta"
+          ignoreUriCase: true
+          method:
+            exact: "POST"
+          headers:  # Has header 'x-beta: im_sure'
+            x-beta:
+              exact: "im_sure"
+          queryParams:  # '?beta=really_sure'
+            beta:
+              exact: "really_sure"
+          withoutHeaders:  # Doesn't have header 'x-feeling: scared'
+            x-feeling:
+              exact: "scared"
+      route:
+        - destination:
+            host: service-a-vnext
+    - route:
+        - destination:
+            host: service-a-current
diff --git a/Istio/VirtualService/redirect-rewrite.yaml b/Istio/VirtualService/redirect-rewrite.yaml
@@ -0,0 +1,29 @@
+---
+apiVersion: networking.istio.io/v1beta1
+kind: VirtualService
+metadata:
+  name: redirect
+spec:
+  hosts:
+    - service-a
+  http:
+    # Sends an HTTP 301.
+    - redirect:
+        authority: service-a-vnext
+        uri: /app
+---
+apiVersion: networking.istio.io/v1beta1
+kind: VirtualService
+metadata:
+  name: rewrite
+spec:
+  hosts:
+    - service-a
+  http:
+    # Transparently re-writes the destination.
+    - rewrite:
+        authority: service-a-vnext
+        uri: /app
+      route:
+        - destination:
+            host: service-a-vnext
diff --git a/Istio/VirtualService/retry.yaml b/Istio/VirtualService/retry.yaml
@@ -0,0 +1,16 @@
+---
+apiVersion: networking.istio.io/v1beta1
+kind: VirtualService
+metadata:
+  name: retry
+spec:
+  hosts:
+    - service-a
+  http:
+    - route:
+        - destination:
+            host: service-a
+      retries:
+        attempts: 3
+        perTryTimeout: 1s
+        retryOn: 5xx  # Any HTTP 5xx status, timed-out/rejected/closed TCP connection
diff --git a/Istio/VirtualService/timeout.yaml b/Istio/VirtualService/timeout.yaml
@@ -0,0 +1,14 @@
+---
+apiVersion: networking.istio.io/v1beta1
+kind: VirtualService
+metadata:
+  name: timeout
+spec:
+  hosts:
+    - service-a
+  http:
+    # Istio will return an HTTP 504 to the caller if the destination doesn't reply in time
+    - route:
+        - destination:
+            host: service-a
+      timeout: 10s
diff --git a/Istio/VirtualService/traffic-split.yaml b/Istio/VirtualService/traffic-split.yaml
@@ -0,0 +1,34 @@
+---
+apiVersion: networking.istio.io/v1beta1
+kind: VirtualService
+metadata:
+  name: split-between-services
+spec:
+  hosts:
+    - service-a
+  http:
+    - route:
+        - weight: 90
+          destination:
+            host: service-a-current
+        - weight: 10
+          destination:
+            host: service-a-next
+---
+apiVersion: networking.istio.io/v1beta1
+kind: VirtualService
+metadata:
+  name: split-between-subsets
+spec:
+  hosts:
+    - service-a
+  http:
+    - route:
+        - weight: 90
+          destination:
+            host: service-a
+            subset: v1
+        - weight: 10
+          destination:
+            host: service-a
+            subset: v2