
gloo-mesh-2-all-mgmt-ctrl track edit notes #175

Open
find-arka opened this issue Apr 1, 2023 · 0 comments

Comments

find-arka commented Apr 1, 2023

After,

And also delete the different objects we've created:

kubectl --context ${MGMT} -n bookinfo-team delete virtualdestination productpage
kubectl --context ${MGMT} -n bookinfo-team delete outlierdetectionpolicy outlier-detection

  • We should also delete the failoverpolicy

  • Also, when we switch back to the original RT before the Zero Trust section of module 2, we should add a note on why we are switching back

  • Making this command and others multiline would improve readability:

pod=$(kubectl --context ${CLUSTER1} -n httpbin get pods -l app=not-in-mesh -o jsonpath='{.items[0].metadata.name}')
kubectl --context ${CLUSTER1} -n httpbin debug -i -q ${pod} --image=curlimages/curl -- curl -s -o /dev/null -w "%{http_code}" http://reviews.bookinfo-backends.svc.cluster.local:9080/reviews/0

  • Rather than doing a kubectl debug, it might be easier to do this via a sleep pod

    Current:
pod=$(kubectl --context ${CLUSTER1} -n httpbin get pods -l app=in-mesh -o jsonpath='{.items[0].metadata.name}')
kubectl --context ${CLUSTER1} -n httpbin debug -i -q ${pod} --image=curlimages/curl -- curl -s -o /dev/null -w "%{http_code}" http://reviews.bookinfo-backends.svc.cluster.local:9080/reviews/0

Proposed:

kubectl --context $CLUSTER1 -n httpbin \
apply -f https://raw.githubusercontent.com/istio/istio/release-1.17/samples/sleep/sleep.yaml

kubectl --context $CLUSTER1 -n httpbin \
get pod -l app=sleep;

kubectl --context $CLUSTER1 -n httpbin \
exec -it deploy/sleep -- \
curl -s -o /dev/null -w "%{http_code}" http://reviews.bookinfo-backends.svc.cluster.local:9080/reviews/0

We should break the following section into 3 separate sections

pod=$(kubectl --context ${CLUSTER1} -n bookinfo-frontends get pods -l app=productpage -o jsonpath='{.items[0].metadata.name}')
echo "From productpage to details, should be allowed"
kubectl --context ${CLUSTER1} -n bookinfo-frontends debug -i -q ${pod} --image=curlimages/curl -- curl -s http://details.bookinfo-backends:9080/details/0 | jq

echo "From productpage to reviews, should be allowed"
kubectl --context ${CLUSTER1} -n bookinfo-frontends debug -i -q ${pod} --image=curlimages/curl -- curl -s http://reviews.bookinfo-backends:9080/reviews/0 | jq

echo "From productpage to ratings, should be denied"
kubectl --context ${CLUSTER1} -n bookinfo-frontends debug -i -q ${pod} --image=curlimages/curl -- curl -s http://ratings.bookinfo-backends:9080/ratings/0 -i

Module 3

If you refresh your browser, you should see that you get a response either from the local service or from the external service.

^ this currently fails:

# curl -k https://10.5.0.254/get

error:

upstream connect error or disconnect/reset before headers. retried and the latest reset reason: connection failure, transport failure reason: TLS error: 268435581:SSL routines:OPENSSL_internal:CERTIFICATE_VERIFY_FAILED

istioctl --context $CLUSTER1 \
> pc secrets \
> -n istio-gateways svc/istio-ingressgateway
RESOURCE NAME               TYPE           STATUS     VALID CERT     SERIAL NUMBER                                        NOT AFTER                NOT BEFORE
kubernetes://tls-secret     CA             ACTIVE     true           417331438521364388010583664345130880179005978002     2024-03-31T13:24:41Z     2023-04-01T13:24:41Z
default                     Cert Chain     ACTIVE     true           138903141074340073272611178638063452375              2023-04-02T14:26:31Z     2023-04-01T14:24:31Z
ROOTCA                      CA             ACTIVE     true           268534852559328264948732062514656608914              2024-03-31T14:26:12Z     2023-04-01T14:26:12Z

istioctl --context $CLUSTER1 pc secrets -n httpbin deploy/in-mesh
RESOURCE NAME     TYPE           STATUS     VALID CERT     SERIAL NUMBER                               NOT AFTER                NOT BEFORE
default           Cert Chain     ACTIVE     true           205165220293220887344568674427115039589     2023-04-02T12:45:12Z     2023-04-01T12:43:12Z
ROOTCA            CA             ACTIVE     true           40700971172074859705572646854716953212      2033-03-29T12:43:20Z     2023-04-01T12:43:20Z

Solution

  • Restart the deployment so that it picks up the new cert from Istio:
    kubectl --context $CLUSTER1 -n httpbin rollout restart deployment/in-mesh
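The fix above (restart the deployment so the proxy picks up the new cert) implies the in-mesh workload's Envoy still trusted an older root than the gateway, and the two `istioctl pc secrets` tables do show different ROOTCA serial numbers. The script below is an added example, not part of this issue or the workshop: it parses the two tables (embedded here as constructed copies of the output quoted in the comment) and flags a ROOTCA serial mismatch between a gateway and a workload, which is a cheap check to run across proxies after any CA change.

```shell
#!/bin/sh
# Added example: detect proxies whose ROOTCA differs from the gateway's.
# The two tables are constructed copies of the `istioctl pc secrets`
# output quoted in the issue, stored in variables so the script runs offline.
GATEWAY_SECRETS='RESOURCE NAME               TYPE           STATUS     VALID CERT     SERIAL NUMBER                                        NOT AFTER                NOT BEFORE
kubernetes://tls-secret     CA             ACTIVE     true           417331438521364388010583664345130880179005978002     2024-03-31T13:24:41Z     2023-04-01T13:24:41Z
default                     Cert Chain     ACTIVE     true           138903141074340073272611178638063452375              2023-04-02T14:26:31Z     2023-04-01T14:24:31Z
ROOTCA                      CA             ACTIVE     true           268534852559328264948732062514656608914              2024-03-31T14:26:12Z     2023-04-01T14:26:12Z'

WORKLOAD_SECRETS='RESOURCE NAME     TYPE           STATUS     VALID CERT     SERIAL NUMBER                               NOT AFTER                NOT BEFORE
default           Cert Chain     ACTIVE     true           205165220293220887344568674427115039589     2023-04-02T12:45:12Z     2023-04-01T12:43:12Z
ROOTCA            CA             ACTIVE     true           40700971172074859705572646854716953212      2033-03-29T12:43:20Z     2023-04-01T12:43:20Z'

# rootca_serial TABLE: print the SERIAL NUMBER of the ROOTCA row.
# Fields are whitespace-separated; on the ROOTCA row TYPE is the single
# word "CA", so the columns are: name type status valid-cert serial ...
rootca_serial() {
  printf '%s\n' "$1" | awk '$1 == "ROOTCA" && $2 == "CA" { print $5 }'
}

# roots_match GATEWAY_TABLE WORKLOAD_TABLE: succeed only when both proxies
# hold a ROOTCA row and the serials are identical.
roots_match() {
  a=$(rootca_serial "$1")
  b=$(rootca_serial "$2")
  [ -n "$a" ] && [ "$a" = "$b" ]
}

if roots_match "$GATEWAY_SECRETS" "$WORKLOAD_SECRETS"; then
  echo "ROOTCA matches between gateway and workload"
else
  echo "ROOTCA mismatch: gateway=$(rootca_serial "$GATEWAY_SECRETS") workload=$(rootca_serial "$WORKLOAD_SECRETS")"
  echo "the workload proxy is likely holding a stale root; a rollout restart makes it re-fetch the cert"
fi
```

In a live cluster, replace the two embedded tables with `istioctl pc secrets` output captured per proxy and loop over the workloads you care about.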