Script and config repo for istio demo in CNCF 2018 China
Maintainer: Joey Zhang[me@zhangzhoujian.com]
-
Kubernetes environment
-
istio release command: using version[1.0.2]
NOTE: we use aliyun version minikube in China network. kubectl :1.9+. Please use 0.28.1 version. Latest version doesnot support localkube. Minikube-Aliyun-Kubernetes
start command
minikube start --bootstrapper=localkube --memory=8196 --logtostderr --v 0
Go to install directory and run make coammnd. Waiting for pods of istio-system running. In istio-demo dir:
make istio/apply
check installed status. If all pods are running, will be ok.
make istio/check
install base insole demo app. check api get ok when deploy done. get json response.
cd $ISTIO_DEMO/install/insoledemo && make insole/apply
curl minikube ip and http port to check
curl -X GET http://192.168.99.100:31380/company/api/v1/companies
We config the weight split in product virtual service. Different version will use different weight. Can try curl 100 times and see product version split.
cd $ISTIO_DEMO/install/insoledemo && make weight_split/apply
Clean config after done.
cd $ISTIO_DEMO/install/insoledemo && make weight_split/clean
We config the header split in product virtual service. Different version will consume different header. Can try curl coammnd with header then see product version split. As config header android will be route to v1, ios will be routed to v2, others will random.
- headers:
x-request-platform:
exact: android
route:
- destination:
host: product
subset: v1
- match:
- headers:
x-request-platform:
exact: ios
route:
- destination:
host: product
subset: v2
- route:
- destination:
host: product
cd $ISTIO_DEMO/install/insoledemo && make header_split/apply
Clean config after done.
cd $ISTIO_DEMO/install/insoledemo && make header_split/clean
- generate new key pairs, and host the public key in remote host.
- config with policy
- generate new JWT token in jwt.io
cd $ISTIO_DEMO/install/insoledemo && make policy_jwt/apply
Clean config after done.
cd $ISTIO_DEMO/install/insoledemo && make policy_jwt/clean
white list rule need about 5 minutes to take affect. Maybe need patient. Internal call of comany to product will be block by white list, beacause of white list in product is set to user.
cd $ISTIO_DEMO/install/insoledemo && make white_list/apply
Clean config after done.
cd $ISTIO_DEMO/install/insoledemo && make white_list/clean
Open customized mixer adapter authz, will check token payload user_roles, api will be unauth except admin role. NEED restart policy pod to take affect.
cd $ISTIO_DEMO/install/insoledemo && make authz/apply
Clean config after done.
cd $ISTIO_DEMO/install/insoledemo && make authz/clean
test command in another repo echo
- white list take too long for take affect
- authz need install first before istio start, or need restart policy pod to take affect