CRD Examples Demo
- Vault must be set up and accessible. For one way to get that done, see Codelab - Vault on GKE
bash crd-setup-helper.sh init-demos </path/to/repo>
- Responses
- Take the defaults (appconfigcrd-demo), because they align with the example/demo YAMLs
Follow the instructions to complete setup as per crd-setup-helper.sh
- Follow the instructions in the install (see the prerequisite of having the Vault address and credentials)
kubectl get ns
kubectl get services -n istio-system istio-ingressgateway
kubectl get services -n devtest
appconfigmgrv2-system Active 17h
config-management-system Active 17h
default Active 17h
devtest Active 17h
devtest-istio Active 17h
gatekeeper-system Active 17h
istio-system Active 17h
kube-public Active 17h
kube-system Active 17h
uc-allowed-jwt-istio Active 17h
uc-allowed-services-istio Active 17h
uc-allowed-services-k8s Active 17h
uc-firebase Active 17h
uc-opa Active 17h
uc-secrets-istio Active 17h
uc-secrets-k8s Active 17h
uc-secrets-vault-k8s Active 17h
export INGRESS_NO_ISTIO_HOST=$(kubectl -n devtest get service test-service-external -o jsonpath='{.status.loadBalancer.ingress[0].ip}')
export INGRESS_ISTIO_HOST=$(kubectl -n istio-system get service istio-ingressgateway -o jsonpath='{.status.loadBalancer.ingress[0].ip}')
Testing for Access
To test access, we have two namespaces, each with a test driver app that calls the internal services. The App Config CRD defines the allowed services. The sequence of GETs is passed in the URL: call1, call2, call3, etc.
User setup of the tests. IMPORTANT
To simulate the app team being responsible for deployments, using whatever tools and process they choose, the apps are deployed with kubectl. The use case apps are in the folder examples/use-cases/${use case namespace}/deploy-apps.yaml (you can do this before looking at each use case).
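One way to do that deployment for every use case up front, as an added example that is not part of the repository. It assumes each `uc-*` namespace may or may not have a `deploy-apps.yaml` under the path given above; the function names and the `DRY_RUN` switch are introduced here.

```shell
# Added example (not from the repo): deploy the use-case apps in one pass.
# Function names and DRY_RUN are hypothetical helpers introduced here.

# Read `kubectl get ns --no-headers` lines ("NAME STATUS AGE") on stdin and
# print only the use-case namespaces (uc-*) that are Active.
uc_namespaces() {
  awk '$1 ~ /^uc-/ && $2 == "Active" { print $1 }'
}

# Build the manifest path for one namespace, using the layout the page gives:
# examples/use-cases/${use case namespace}/deploy-apps.yaml
uc_manifest() {
  printf '%s/examples/use-cases/%s/deploy-apps.yaml\n' "$1" "$2"
}

# Apply deploy-apps.yaml for each namespace read from stdin.
# A namespace without a manifest is reported on stderr and skipped, so a
# missing file never turns into a kubectl error halfway through the run.
# With DRY_RUN=1 the kubectl commands are printed instead of executed.
deploy_use_cases() {
  repo_root=$1
  rc=0
  while IFS= read -r ns; do
    manifest=$(uc_manifest "$repo_root" "$ns")
    if [ ! -f "$manifest" ]; then
      echo "skip $ns: no $manifest" >&2
      continue
    fi
    if [ "${DRY_RUN:-0}" = 1 ]; then
      echo "kubectl apply -f $manifest"
    else
      kubectl apply -f "$manifest" || rc=1
    fi
  done
  return $rc
}

# Typical use, from a shell where kubectl points at the demo cluster:
#   kubectl get ns --no-headers | uc_namespaces | deploy_use_cases /path/to/repo
```

Run it once with `DRY_RUN=1` to see which manifests would be applied before changing the cluster.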
Use Case - Allowed Services - k8s
Use Case - Allowed Services - istio
Use Case - Allowed Services - istio + JWT
Use Case - Allowed Services - k8s + Secrets (GCP Service Account)
Use Case - Allowed Services - istio + Secrets (GCP Service Account) + Egress (Service Entry)
Use Case - Allowed Services & Secrets (GCP Service Account - k8s plugin - Vault)
Use Case - Allowed Services & Secret (GCP Service Account and Workload Identity)