# To test in real cluster:
# kubectl create ns none
# kubectl label namespace none istio-injection=enabled
# All configs for 'none' namespace, used to test interception without iptables.
# In this mode the namespace isolation is required - the tests will also verify isolation
# It is important to update the tests in ../envoy/v2 which verify the number of generated listeners.
# This is the first test using the new isolated model, you can use it as a template to create more
# isolated tests. It should be possible to also apply it to real k8s.
# TODO: the IP addresses are not namespaced yet, so they must be unique across the mesh (flat namespace), including in
# the ServiceEntry tests. Removing the dependency on IPs is in progress.
---
# Default sidecar for the 'none' namespace.
# egress: the hosts workloads in this namespace are allowed to reach.
# ingress: the inbound listeners the sidecar opens, each forwarded to a loopback endpoint.
apiVersion: networking.istio.io/v1alpha3
kind: Sidecar
metadata:
  name: default
  namespace: none
spec:
  egress:
    - hosts:
        - none/*
        - default/test.default  # TODO: without namespace it fails validation !
        # TODO: if we include the namespace, why do we need full name ? Importing regular services should work.
        # Label selection seems to confuse the new code.
  ingress:
    # With interceptionMode NONE nothing redirects traffic: the sidecar is only in the inbound
    # path for connections that arrive on these listener ports. An app that binds its own port on
    # all interfaces (see the fortio Deployment, ':28080') is also reachable directly, bypassing it.
    - port:
        number: 7071
        protocol: HTTP
        name: httplocal
      defaultEndpoint: 127.0.0.1:17071
    - port:
        number: 7070
        protocol: TCP
        name: tcplocal
      defaultEndpoint: 127.0.0.1:17070
    # Fortio ports
    - port:
        number: 18080
        protocol: HTTP
        name: http-echo
      defaultEndpoint: 127.0.0.1:28080
    - port:
        number: 18079
        protocol: TCP
        name: grpc-ping
      defaultEndpoint: 127.0.0.1:28079
---
# ClusterIP Service in front of the fortio server pod. Clients talk to fortio:8080 / fortio:8079;
# the targetPorts are the Sidecar ingress listeners (18080 / 18079), not the app's own ports.
apiVersion: v1
kind: Service
metadata:
  name: fortio
  namespace: none
spec:
  ports:
    - port: 8080  # This is the service port - connect to fortio:8080 as client (using http proxy or in mesh)
      name: http-echo
      targetPort: 18080  # This port should listen on the target machine
    - port: 8079
      name: grpc-ping
      targetPort: 18079
  selector:
    app: fortio
---
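# TODO: VirtualService using new Gateway style
# TODO: use UDS
# Fortio echo server. The sidecar runs with interceptionMode NONE, so no iptables redirect
# exists: outbound HTTP only reaches the mesh through HTTP_PROXY, and inbound mesh traffic
# only reaches the app through the ports the Sidecar resource forwards to loopback.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: fortio
  namespace: none
spec:
  replicas: 1
  selector:
    matchLabels:
      app: fortio
      version: v1
  template:
    metadata:
      labels:
        app: fortio
        version: v1
      # INTERCEPTION_MODE: NONE
      annotations:
        sidecar.istio.io/interceptionMode: NONE
        status.sidecar.istio.io/port: "0"
    spec:
      containers:
        - name: echosrv
          # NOTE(review): a floating tag pulled with Always is acceptable for a throwaway test, but
          # it is not reproducible; pin by digest (costinm/fortio@sha256:<digest-placeholder>) if
          # this fixture is ever used for regression comparisons.
          image: costinm/fortio:latest
          imagePullPolicy: Always
          ports:
            - containerPort: 18080
            - containerPort: 18079
          args:
            - server
            - -static-dir
            - "/usr/share/fortio/"
            - --stdclient
            - -http-port
            #- 127.0.0.1:28080 # This is the port from Sidecar. Normally should be localhost
            # Quoted: a plain scalar that starts with ':' is legal YAML but trips some linters and parsers.
            - ":28080"  # bound to 0.0.0.0 to allow additional perf testing.
            - -grpc-port
            - ":28079"
          env:
            # Outbound HTTP is sent to the sidecar's proxy listener; nothing else is intercepted.
            - name: HTTP_PROXY
              value: 127.0.0.1:15002
          resources:
            requests:
              cpu: 1000m
              memory: "1G"
            limits:
              cpu: 1000m
              memory: "1G"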
---
# Fortio load client: runs 'fortio load' forever (-t 0) against the fortio Service, through the
# sidecar's HTTP proxy (HTTP_PROXY). Same interceptionMode NONE setup as the server.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: fortio-cli
  namespace: none
spec:
  replicas: 1
  selector:
    matchLabels:
      app: fortio-cli
      version: v1
  template:
    metadata:
      labels:
        app: fortio-cli
        version: v1
      annotations:
        status.sidecar.istio.io/port: "0"
        sidecar.istio.io/interceptionMode: NONE
    spec:
      containers:
        # Container name is copied from the server Deployment; this one is the load generator.
        - name: echosrv
          # NOTE(review): floating tag + Always, same reproducibility caveat as the server image.
          image: costinm/fortio:latest
          imagePullPolicy: Always
          args:
            - load
            - --stdclient
            - -t
            - "0"
            - -c
            - "32"
            - -qps
            - "500"
            - http://fortio:8080/echo?size=5000
          env:
            - name: HTTP_PROXY
              value: 127.0.0.1:15002
          resources:
            requests:
              cpu: 500m
              memory: "1G"
            limits:
              cpu: 1000m
              memory: "1G"
---
# "None" mode depends on unique ports for each defined service or service entry.
# Not supported/require iptables:
# - TCP with 'addresses' field - needs iptables
# - resolution:NONE - 'original DST' - external services (for example https, ServiceEntry+address), stateful sets
# - TCP with resolution:DNS - same issue
# -
# Local ServiceEntry (meshex, test) - the tests will use the IPs defined in the service when connecting.
# This works on local mode where K8S Service controller doesn't exist, and can be used for testing in k8s by a test
# pretending to have this address.
apiVersion: networking.istio.io/v1alpha3
kind: ServiceEntry
metadata:
name: s1tcp
namespace: none
spec:
hosts:
- s1tcp.none
ports:
- number: 2000
name: tcplocal
protocol: TCP
location: MESH_INTERNAL
resolution: STATIC
endpoints:
- address: 10.11.0.1
ports:
tcplocal: 7070
labels:
app: s1tcp
---
# Another inbound service, http type. Should generate a http listener on :7071
# Shares the endpoint address 10.11.0.1 with s1tcp; only the port differs (see the IP-uniqueness TODO at the top).
apiVersion: networking.istio.io/v1alpha3
kind: ServiceEntry
metadata:
  name: s1http
  namespace: none
spec:
  hosts:
    - s1http.none
  ports:
    - number: 2001
      name: httplocal
      protocol: HTTP
  location: MESH_INTERNAL
  resolution: STATIC
  endpoints:
    - address: 10.11.0.1
      ports:
        httplocal: 7071
---
# Regular TCP outbound cluster (Default MeshExternal = true, Resolution ClientSideLB)
# No 'location' is set, so this is treated as mesh-external; two static endpoints on different ports.
apiVersion: networking.istio.io/v1alpha3
kind: ServiceEntry
metadata:
  name: s2
  namespace: none
spec:
  hosts:
    - s2.external.test.istio.io
  ports:
    - number: 2005
      name: http-remote  # To verify port name doesn't confuse pilot - protocol is TCP
      protocol: TCP
  resolution: STATIC
  endpoints:
    - address: 10.11.0.2
      ports:
        http-remote: 7071
    - address: 10.11.0.3
      ports:
        http-remote: 7072
---
# Another TCP outbound cluster, resolution DNS (Default MeshExternal = true)
# Not supported, bind=false
apiVersion: networking.istio.io/v1alpha3
kind: ServiceEntry
metadata:
  name: s2dns
  namespace: none
spec:
  hosts:
    - s2dns.external.test.istio.io
  ports:
    - number: 2006
      protocol: TCP
      name: tcp1  # TODO: is it optional ? Why not ?
  resolution: DNS
---
# Outbound TCP cluster, resolution DNS - for a '.svc' (in cluster) service.
# As an optimization, this can be converted to EDS
# The new Sidecar is the recommended way to declare deps to mesh services - however
# DNS resolution is supposed to continue to work.
apiVersion: networking.istio.io/v1alpha3
kind: ServiceEntry
metadata:
  name: tcpmeshdns
  namespace: none
spec:
  hosts:
    - tcpmeshdns.seexamples.svc
  ports:
    - number: 2007
      protocol: TCP
      name: tcp1
  resolution: DNS
---
# Outbound TCP cluster, resolution STATIC - for a '.svc' (in cluster) service.
# This binds on each endpoint address !
# No 'location', so (unlike tcpmeshstaticint below) it is treated as mesh-external.
apiVersion: networking.istio.io/v1alpha3
kind: ServiceEntry
metadata:
  name: tcpmeshstatic
  namespace: none
spec:
  hosts:
    - tcpmeshstatic.seexamples.svc
  ports:
    - number: 2008
      protocol: TCP
      name: tcp1
  resolution: STATIC
  endpoints:
    - address: 10.11.0.8
      ports:
        tcp1: 7070
---
# Outbound TCP cluster, resolution STATIC - for a '.svc' (in cluster) service.
# This generates EDS
# Same as tcpmeshstatic but declared MESH_INTERNAL.
apiVersion: networking.istio.io/v1alpha3
kind: ServiceEntry
metadata:
  name: tcpmeshstaticint
  namespace: none
spec:
  hosts:
    - tcpmeshstaticint.seexamples.svc
  ports:
    - number: 2009
      protocol: TCP
      name: tcp1
  location: MESH_INTERNAL
  resolution: STATIC
  endpoints:
    # NEEDED FOR VALIDATION - LIKELY BUG
    - address: 10.11.0.9
      ports:
        tcp1: 7070
---
# TODO: in progress, should bind to 127.0.0.1
# will resolve using SNI
# DNS or etc/hosts or code must override the address, but pass proper SNI
# NOTE(review): these are real public hostnames with resolution DNS and location MESH_EXTERNAL.
# Applied to a real cluster without the address override mentioned above, the sidecar would
# presumably resolve and connect to the real services; keep the override (or use test-owned names).
apiVersion: networking.istio.io/v1alpha3
kind: ServiceEntry
metadata:
  name: https
  namespace: none
spec:
  hosts:
    # TODO: Bug: without isolation (in the main test) it causes 'duplicated cluster', envoy rejects config
    # This will happen if this is defined in multiple namespaces in 1.0
    - www1.googleapis.com
    - api1.facebook.com
  location: MESH_EXTERNAL
  ports:
    - number: 2443
      name: https
      protocol: TLS
  resolution: DNS
---
# TODO: this should be auto-generated from ServiceEntry/protocol=TLS, it's just boilerplate
# SNI routing for the 'https' ServiceEntry: on port 2443 the client-presented server name picks
# the destination of the same name. The TLS session is not terminated here, so nothing about the
# peer is verified at this hop - the match is purely on the name the client sends.
apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
  name: tls-routing
  namespace: none
spec:
  hosts:
    - www1.googleapis.com
    - api1.facebook.com
  tls:
    - match:
        - port: 2443
          sniHosts:
            - www1.googleapis.com
      route:
        - destination:
            host: www1.googleapis.com
    - match:
        - port: 2443
          sniHosts:
            - api1.facebook.com
      route:
        - destination:
            host: api1.facebook.com
---
# DestinationRules attach to services and have no impact on 'none' interception.
# VirtualServices for HTTP affect routes; they have no impact on 'none' interception either.