John Howard howardjohn

  • Solo.io
  • Sunnyvale, CA
@howardjohn
howardjohn / aggregate-cluster.yaml
Last active October 13, 2022 02:53
An example of configuring aggregate cluster using EnvoyFilter. Currently needs patched Pilot with go-control-plane updated: gcr.io/howardjohn-istio/pilot:1575492376, and proxy from `master`
# First define a basic deployment+service that will act as our local service
apiVersion: apps/v1
kind: Deployment
metadata:
  name: httpbin
  namespace: default
spec:
  selector:
    matchLabels:
      app: httpbin
howardjohn / README.md
Last active May 6, 2020 23:15
Control plane routing of XDS

XDS routing by gateway

The goal of this is to make the revision transparent to the user. Rather than specifying a revision as part of the pod/namespace, we will do routing at a gateway based on some metadata. For this example we will use an arbitrary setting we configure on the pod; in practice we would likely use something like ISTIO_VERSION, which is configured automatically for the user.

To deploy this, add the following annotation to a pod:

        annotations:
          proxy.istio.io/config: |
            discoveryAddress: istio-ingressgateway.istio-system.svc:443
howardjohn / README.md
Created May 11, 2020 19:57
Fully remote control plane with Istio

Remote control plane

Example remote control plane setup. Workloads connect to a gateway exposed under istiod.howardjohn-mc.qualistio.org, which has a real LetsEncrypt certificate.

Setup - Control Plane

istioctl install -d manifests
kubectl apply --validate=false -f https://github.com/jetstack/cert-manager/releases/download/v0.15.0/cert-manager.yaml
kubectl apply -f controlplane.yaml
howardjohn / gist:33e896b31265c8a8635cc5e03d016b83
Last active June 25, 2020 13:26
Running istio-agent locally bootstrapped with SA token
mkdir -p ./var/run/secrets/tokens ./var/run/secrets/istio
echo '{"kind":"TokenRequest","apiVersion":"authentication.k8s.io/v1","spec":{"audiences":["istio-ca"]}}' | kubectl create --raw /api/v1/namespaces/default/serviceaccounts/default/token -f - | jq -j '.status.token' > ./var/run/secrets/tokens/istio-token
kubectl -n istio-system get secret istio-ca-secret -ojsonpath='{.data.ca-cert\.pem}' | base64 -d > ./var/run/secrets/istio/root-cert.pem
CA_ADDR=localhost:15012 PROXY_CONFIG="$(cat proxyconfig.yaml | envsubst)" go run ./pilot/cmd/pilot-agent proxy sidecar --templateFile ./tools/packaging/common/envoy_bootstrap_v2.json
where proxyconfig.yaml:
binaryPath: $GOPATH/src/istio.io/istio/out/linux_amd64/release/envoy
configPath: $HOME/kube/local/proxy
discoveryAddress: localhost:15012
statusPort: 15020
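An added check for the token step above (example code, not part of the gist): before handing the projected service account token to pilot-agent, decode its claims and confirm that `aud` contains "istio-ca" (the audience the gist requests and istiod validates) and see how long it lives. The token, its claims and the helper names are constructed for the example; the matchers are plain string matches on the claims JSON rather than a JSON parser, which is adequate for Kubernetes-issued tokens but not a general JWT library.

```shell
#!/usr/bin/env bash
# Added example, not from the gist above. Inspect a projected service account
# token before pilot-agent uses it: check the aud claim and remaining lifetime.
# Everything below (function names, sample token) is constructed for the example.

# b64url_decode <base64url-string>: restore padding, decode to bytes.
b64url_decode() {
  local s="$1"
  s="$(printf '%s' "$s" | tr -- '-_' '+/')"
  case $(( ${#s} % 4 )) in
    2) s="${s}==" ;;
    3) s="${s}=" ;;
  esac
  printf '%s' "$s" | base64 -d
}

# jwt_payload <token>: print the decoded claims JSON (second dot-separated part).
jwt_payload() {
  b64url_decode "$(printf '%s' "$1" | cut -d. -f2)"
}

# jwt_has_aud <token> <audience>: succeed if the aud array contains <audience>.
# Minimal matcher: extracts the "aud":[...] array and looks for the quoted name.
jwt_has_aud() {
  local aud
  aud="$(jwt_payload "$1" | sed -n 's/.*"aud":\(\[[^]]*\]\).*/\1/p')"
  case "$aud" in
    *"\"$2\""*) return 0 ;;
    *)          return 1 ;;
  esac
}

# jwt_seconds_left <token> [now-epoch]: seconds until exp (negative if expired).
jwt_seconds_left() {
  local exp now
  exp="$(jwt_payload "$1" | sed -n 's/.*"exp":\([0-9][0-9]*\).*/\1/p')"
  now="${2:-$(date +%s)}"
  echo $(( exp - now ))
}

# Constructed sample token with a fake signature: the shape of a TokenRequest
# result minted with audiences ["istio-ca"] and expirationSeconds 2592000.
b64url_encode() { printf '%s' "$1" | base64 | tr -d '\n=' | tr -- '+/' '-_'; }
SAMPLE_CLAIMS='{"aud":["istio-ca"],"exp":1600000000,"iat":1597408000,"iss":"https://kubernetes.default.svc","sub":"system:serviceaccount:default:default"}'
SAMPLE_TOKEN="$(b64url_encode '{"alg":"RS256","kid":"constructed"}').$(b64url_encode "$SAMPLE_CLAIMS").c2lnbmF0dXJl"

# Usage: gate the token the way the gist's pipeline would before writing it
# to ./var/run/secrets/tokens/istio-token.
if jwt_has_aud "$SAMPLE_TOKEN" istio-ca; then
  echo "token audience ok; $(jwt_seconds_left "$SAMPLE_TOKEN" 1597408000)s until expiry"
else
  echo "token is not for istio-ca; refusing to use it" >&2
fi
```

The audience check matters because a token minted for the API server's default audience will be rejected by istiod, which only looks a lot like a TLS or connectivity problem from the agent side; the lifetime check is there because a 30-day token (the grpcurl gist below asks for 2592000 seconds) sits on disk far longer than the kubelet's projected tokens do.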
howardjohn / local.sh
Last active November 5, 2020 21:20
Local Istio Development
# Build just the minimal dependencies we need
# Note: repeated builds are fast, so it's fine to call this every time we run. Do not use `go run` - no caching.
alias build-local='go build -o ./out/linux_amd64/release ./pilot/cmd/pilot-agent ./pilot/cmd/pilot-discovery'
# Run pilot. Will use your local kubeconfig, or override with --kubeconfig flag
alias pilot-local='build-local && ./out/linux_amd64/release/pilot-discovery discovery'
# Fetch bootstrap token and root cert
function proxy-local-bootstrap() {
mkdir -p ./var/run/secrets/tokens ./var/run/secrets/istio
howardjohn / request.sh
Created September 3, 2020 21:48
grpcurl for direct XDS calls
# Fetch a token. Only needed for JWT auth. Replace SA or namespace if needed
token=$(echo '{"kind":"TokenRequest","apiVersion":"authentication.k8s.io/v1","spec":{"audiences":["istio-ca"], "expirationSeconds":2592000}}' | kubectl create --raw /api/v1/namespaces/default/serviceaccounts/default/token -f - | jq -j '.status.token')
# Fetch request
request=$(cat request.json )
# JWT authentication. -insecure skips verification of istiod's serving certificate,
# which is fine for a local port-forward but not for a real cluster endpoint.
echo "${request}" | grpcurl -d @ -insecure -rpc-header "authorization: Bearer $token" localhost:15012 envoy.service.discovery.v3.AggregatedDiscoveryService/StreamAggregatedResources
# Plaintext Authentication
# echo "${request}" | grpcurl -v -d @ -plaintext localhost:15010 envoy.service.discovery.v3.AggregatedDiscoveryService/StreamAggregatedResources
howardjohn / check-binds.sh
Last active July 25, 2022 18:28
This script checks for the binds configured for applications in an Istio mesh, and determines which ports need custom configuration (both in the current Istio version, and potential future changes)
#!/usr/bin/env bash
# This script determines how applications in the mesh and exposed by a Service bind.
# Dependencies on host: kubectl, istioctl, jq.
# Dependencies on mesh: distroless is not supported, ipv6 untested. This script supports only Istio 1.8.1+.
# This will `exec` into the proxy, but only run ss, so it should be suitable to run in a live cluster.
#
# In Istio 1.9, localhost and wildcard binds are supported out of the box. A bind to POD_IP can be enabled
# with a custom Sidecar.
# In future versions of Istio, we may change this to support wildcard and POD_IP binds out of the box, and
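An added example of the classification step that script needs (this is not howardjohn's check-binds.sh, which is only previewed above): given the "Local Address:Port" column of `ss -lnt` and the pod IP, decide whether each listener binds to localhost, a wildcard, the pod IP or some other address, and list the ports that are not handled out of the box in Istio 1.9 (localhost and wildcard are; a POD_IP bind needs a custom Sidecar). The ss lines, the pod IP and the function names are constructed for the example.

```shell
#!/usr/bin/env bash
# Added example, not howardjohn's check-binds.sh. Classifies listening sockets
# from the "Local Address:Port" column of `ss -lnt` and reports the ports that
# Istio 1.9 does not handle out of the box (anything but localhost/wildcard).

# classify_bind <local-address:port> <pod-ip>
# Prints one of: localhost, wildcard, podip, other.
classify_bind() {
  local addr="$1" pod_ip="$2" host
  # Drop the trailing :port, then the brackets ss puts around IPv6 hosts
  # ([::]:8080, [::1]:6060).
  host="${addr%:*}"
  host="${host#\[}"
  host="${host%\]}"
  case "$host" in
    127.0.0.1|::1|localhost) echo localhost ;;
    0.0.0.0|'*'|::)          echo wildcard ;;
    "$pod_ip")               echo podip ;;
    *)                       echo other ;;
  esac
}

# needs_sidecar_config <pod-ip>
# Reads `ss -lntH`-style lines on stdin (State Recv-Q Send-Q Local:Port
# Peer:Port ...) and prints "<port> <kind>" for every listener that is not a
# localhost or wildcard bind, i.e. the ports that need custom configuration.
needs_sidecar_config() {
  local pod_ip="$1" state recvq sendq addr rest port kind
  while read -r state recvq sendq addr rest; do
    [ -n "$addr" ] || continue
    port="${addr##*:}"
    kind="$(classify_bind "$addr" "$pod_ip")"
    case "$kind" in
      localhost|wildcard) ;;
      *) echo "$port $kind" ;;
    esac
  done
}

# Constructed sample output of `ss -lntH` inside a pod whose IP is 10.244.1.7.
SAMPLE_SS_OUTPUT='LISTEN 0 128 0.0.0.0:8080 0.0.0.0:* users:(("app",pid=1,fd=3))
LISTEN 0 128 127.0.0.1:9090 0.0.0.0:*
LISTEN 0 128 10.244.1.7:5432 0.0.0.0:*
LISTEN 0 128 [::]:8443 [::]:*
LISTEN 0 128 [::1]:6060 [::]:*
LISTEN 0 128 192.168.1.1:7000 0.0.0.0:*'

# report_example: runs the check over the sample. 8080, 9090, 8443 and 6060
# need nothing extra; 5432 (pod IP) and 7000 (another address) are reported.
report_example() {
  printf '%s\n' "$SAMPLE_SS_OUTPUT" | needs_sidecar_config 10.244.1.7
}

report_example
```

In the real script the `ss` output comes from `kubectl exec` into the sidecar container and the pod IP from the Pod's `status.podIP`; the point of classifying on the host part rather than the port is that the same port can be bound differently in different pods of one Service, so each pod has to be checked.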
howardjohn / gateway-injection.yaml
Created January 27, 2021 18:26
Example to set up injection of PROXY_CONFIG into a gateway to allow non-istio-system gateways
apiVersion: operator.istio.io/v1alpha1
kind: IstioOperator
metadata:
  name: istio
spec:
  revision: alt
  components:
    ingressGateways:
    - name: istio-ingressgateway
      enabled: true
howardjohn / README.md
Created February 24, 2021 18:23
Multinetwork statefulsets

Multicluster statefulset

alpha.yaml: install in cluster "alpha"
beta.yaml: install in cluster "beta"

Results:

Same network

  • echo-alpha.default: sort of works, but load balancing is broken (istio/istio#31064)
howardjohn / go-compile-without-link
Created June 2, 2021 22:04
Compile all go tests, quickly, without running them