| # To test in real cluster: |
| # kubectl create ns none |
| # kubectl label namespace none istio-injection=enabled |
| |
| # All configs for 'none' namespace, used to test interception without iptables. |
| # In this mode the namespace isolation is required - the tests will also verify isolation |
| # It is important to update the tests in ../envoy/v2 which verify the number of generated listeners. |
| |
| # This is the first test using the new isolated model, you can use it as a template to create more |
| # isolated tests. It should be possible to also apply it to real k8s. |
| |
| # TODO: the IP addresses are not namespaced yet, so must be unique on the mesh (flat namespace) including in |
| # ServiceEntry tests. Removing deps on ip in progress. |
| --- |
| # Default sidecar |
| apiVersion: networking.istio.io/v1alpha3 |
| kind: Sidecar |
| metadata: |
| name: default |
| namespace: none |
| spec: |
| egress: |
| - hosts: |
| - none/* |
| - default/test.default # TODO: without namespace it fails validation ! |
| # TODO: if we include the namespace, why do we need full name ? Importing regular services should work. |
| |
| # Label selection seems to confuse the new code. |
| ingress: |
| - port: |
| number: 7071 |
| protocol: HTTP |
| name: httplocal |
| defaultEndpoint: 127.0.0.1:17071 |
| - port: |
| number: 7070 |
| protocol: TCP |
| name: tcplocal |
| defaultEndpoint: 127.0.0.1:17070 |
| # Fortio ports |
| - port: |
| number: 18080 |
| protocol: HTTP |
| name: http-echo |
| defaultEndpoint: 127.0.0.1:28080 |
| - port: |
| number: 18079 |
| protocol: TCP |
| name: grpc-ping |
| defaultEndpoint: 127.0.0.1:28079 |
| --- |
| |
| apiVersion: v1 |
| kind: Service |
| metadata: |
| name: fortio |
| namespace: none |
| spec: |
| ports: |
| - port: 8080 # This is the service port - connect to fortio:8080 as client (using http proxy or in mesh) |
| name: http-echo |
| targetPort: 18080 # This port should listen on the target machine |
| - port: 8079 |
| name: grpc-ping |
| targetPort: 18079 |
| selector: |
| app: fortio |
| |
| --- |
| # TODO: VirtualService using new Gateway style |
| |
| # TODO: use UDS |
| |
| apiVersion: apps/v1 |
| kind: Deployment |
| metadata: |
| name: fortio |
| namespace: none |
| spec: |
| replicas: 1 |
| selector: |
| matchLabels: |
| app: fortio |
| version: v1 |
| template: |
| metadata: |
| labels: |
| app: fortio |
| version: v1 |
| #INTERCEPTION_MODE: NONE |
| annotations: |
| sidecar.istio.io/interceptionMode: NONE |
| status.sidecar.istio.io/port: "0" |
| spec: |
| containers: |
| - name: echosrv |
| image: costinm/fortio:latest |
| imagePullPolicy: Always |
| ports: |
| - containerPort: 18080 |
| - containerPort: 18079 |
| args: |
| - server |
| - -static-dir |
| - "/usr/share/fortio/" |
| - --stdclient |
| - -http-port |
| #- 127.0.0.1:28080 # This is the port from Sidecar. Normally should be localhost |
| - :28080 # bound to 0.0.0.0 to allow additional perf testing. |
| - -grpc-port |
| - :28079 |
| env: |
| - name: HTTP_PROXY |
| value: 127.0.0.1:15002 |
| resources: |
| requests: |
| cpu: 1000m |
| memory: "1G" |
| limits: |
| cpu: 1000m |
| memory: "1G" |
| --- |
| |
| apiVersion: apps/v1 |
| kind: Deployment |
| metadata: |
| name: fortio-cli |
| namespace: none |
| spec: |
| replicas: 1 |
| selector: |
| matchLabels: |
| app: fortio-cli |
| version: v1 |
| template: |
| metadata: |
| labels: |
| app: fortio-cli |
| version: v1 |
| annotations: |
| status.sidecar.istio.io/port: "0" |
| sidecar.istio.io/interceptionMode: NONE |
| spec: |
| containers: |
| - name: echosrv |
| image: costinm/fortio:latest |
| imagePullPolicy: Always |
| args: |
| - load |
| - --stdclient |
| - -t |
| - "0" |
| - -c |
| - "32" |
| - -qps |
| - "500" |
| - http://fortio:8080/echo?size=5000 |
| env: |
| - name: HTTP_PROXY |
| value: 127.0.0.1:15002 |
| resources: |
| requests: |
| cpu: 500m |
| memory: "1G" |
| limits: |
| cpu: 1000m |
| memory: "1G" |
| |
| --- |
| |
| # "None" mode depends on unique ports for each defined service or service entry. |
| # Not supported/require iptables: |
| # - TCP with 'addresses' field - needs iptables |
| # - resolution:NONE - 'original DST' - external services (for example https, ServiceEntry+address), stateful sets |
| # - TCP with resolution:DNS - same issue |
| # - |
| |
| # Local ServiceEntry (meshex, test) - the tests will use the IPs defined in the service when connecting. |
| # This works on local mode where K8S Service controller doesn't exist, and can be used for testing in k8s by a test |
| # pretending to have this address. |
| apiVersion: networking.istio.io/v1alpha3 |
| kind: ServiceEntry |
| metadata: |
| name: s1tcp |
| namespace: none |
| spec: |
| hosts: |
| - s1tcp.none |
| |
| ports: |
| - number: 2000 |
| name: tcplocal |
| protocol: TCP |
| |
| location: MESH_INTERNAL |
| resolution: STATIC |
| |
| endpoints: |
| - address: 10.11.0.1 |
| ports: |
| tcplocal: 7070 |
| labels: |
| app: s1tcp |
| --- |
| # Another inbound service, http type. Should generate a http listener on :7071 |
| apiVersion: networking.istio.io/v1alpha3 |
| kind: ServiceEntry |
| metadata: |
| name: s1http |
| namespace: none |
| spec: |
| hosts: |
| - s1http.none |
| |
| ports: |
| - number: 2001 |
| name: httplocal |
| protocol: HTTP |
| |
| location: MESH_INTERNAL |
| resolution: STATIC |
| |
| endpoints: |
| - address: 10.11.0.1 |
| ports: |
| httplocal: 7071 |
| |
| --- |
| |
| # Regular TCP outbound cluster (Default MeshExternal = true, Resolution ClientSideLB) |
| apiVersion: networking.istio.io/v1alpha3 |
| kind: ServiceEntry |
| metadata: |
| name: s2 |
| namespace: none |
| spec: |
| hosts: |
| - s2.external.test.istio.io |
| |
| ports: |
| - number: 2005 |
| name: http-remote # To verify port name doesn't confuse pilot - protocol is TCP |
| protocol: TCP |
| resolution: STATIC |
| endpoints: |
| - address: 10.11.0.2 |
| ports: |
| http-remote: 7071 |
| - address: 10.11.0.3 |
| ports: |
| http-remote: 7072 |
| |
| --- |
| # Another TCP outbound cluster, resolution DNS (Default MeshExternal = true) |
| # Not supported, bind=false |
| apiVersion: networking.istio.io/v1alpha3 |
| kind: ServiceEntry |
| metadata: |
| name: s2dns |
| namespace: none |
| spec: |
| hosts: |
| - s2dns.external.test.istio.io |
| |
| ports: |
| - number: 2006 |
| protocol: TCP |
| name: tcp1 # TODO: is it optional ? Why not ? |
| resolution: DNS |
| |
| --- |
| # Outbound TCP cluster, resolution DNS - for a '.svc' (in cluster) service. |
| # As an optimization, this can be converted to EDS |
| # The new Sidecar is the recommended way to declare deps to mesh services - however |
| # DNS resolution is supposed to continue to work. |
| apiVersion: networking.istio.io/v1alpha3 |
| kind: ServiceEntry |
| metadata: |
| name: tcpmeshdns |
| namespace: none |
| spec: |
| hosts: |
| - tcpmeshdns.seexamples.svc |
| ports: |
| - number: 2007 |
| protocol: TCP |
| name: tcp1 |
| resolution: DNS |
| |
| |
| --- |
| |
| # Outbound TCP cluster, resolution STATIC - for a '.svc' (in cluster) service. |
| # This binds on each endpoint address ! |
| apiVersion: networking.istio.io/v1alpha3 |
| kind: ServiceEntry |
| metadata: |
| name: tcpmeshstatic |
| namespace: none |
| spec: |
| hosts: |
| - tcpmeshstatic.seexamples.svc |
| ports: |
| - number: 2008 |
| protocol: TCP |
| name: tcp1 |
| resolution: STATIC |
| endpoints: |
| - address: 10.11.0.8 |
| ports: |
| tcp1: 7070 |
| --- |
| # Outbound TCP cluster, resolution STATIC - for a '.svc' (in cluster) service. |
| # This generates EDS |
| apiVersion: networking.istio.io/v1alpha3 |
| kind: ServiceEntry |
| metadata: |
| name: tcpmeshstaticint |
| namespace: none |
| spec: |
| hosts: |
| - tcpmeshstaticint.seexamples.svc |
| ports: |
| - number: 2009 |
| protocol: TCP |
| name: tcp1 |
| location: MESH_INTERNAL |
| resolution: STATIC |
| endpoints: |
| # NEEDED FOR VALIDATION - LIKELY BUG |
| - address: 10.11.0.9 |
| ports: |
| tcp1: 7070 |
| --- |
| |
| # TODO: in progres, should bind to 127.0.0.1 |
| # will resolve using SNI |
| # DNS or etc/hosts or code must override the address, but pass proper SNI |
| apiVersion: networking.istio.io/v1alpha3 |
| kind: ServiceEntry |
| metadata: |
| name: https |
| namespace: none |
| spec: |
| hosts: |
| # TODO: Bug: without isolation (in the main test) it causes 'duplicated cluster', envoy rejects config |
| # This will happen if this is defined in multiple namespaces in 1.0 |
| - www1.googleapis.com |
| - api1.facebook.com |
| location: MESH_EXTERNAL |
| ports: |
| - number: 2443 |
| name: https |
| protocol: TLS |
| resolution: DNS |
| --- |
| # TODO: this should be auto-generated from ServiceEntry/protocol=TLS, it's just boilerplate |
| apiVersion: networking.istio.io/v1alpha3 |
| kind: VirtualService |
| metadata: |
| name: tls-routing |
| namespace: none |
| spec: |
| hosts: |
| - www1.googleapis.com |
| - api1.facebook.com |
| tls: |
| - match: |
| - port: 2443 |
| sniHosts: |
| - www1.googleapis.com |
| route: |
| - destination: |
| host: www1.googleapis.com |
| - match: |
| - port: 2443 |
| sniHosts: |
| - api1.facebook.com |
| route: |
| - destination: |
| host: api1.facebook.com |
| --- |
| # DestinationRules attach to services, have no impact on 'none' interception |
| |
| # VirtualService for HTTP affect routes, no impact on none interception |
| |