Cleanup, common Istio install, Hipstershop 0.1.3 (#48)

* Remove github action

* common istio installation

* Security intro

* ILB

* multicluster ingress

* mesh expansion

* single control plane

* dual ctrl

* [bot] generate YAML region tags 28/12/2019 21:21:54

* [bot] generate YAML region tags 28/12/2019 21:22:22

* fix formatting

.gitignore

@@ -1,15 +1,15 @@
 .DS_Store
-*.pem
 *.env
+*.pem
+*.tar.gz
+cluster-2
+istio_master.yaml
 istio-1*
 istio-2*
-*.tar.gz
-istio.yaml
 istio-master.yaml
-istio_master.yaml
 istio-remote.yaml
-cluster-2
-kubectx
-kubemci
+istio.yaml
 kubeconfig
+kubectx
+kubemci*
 region-tag-adder

common/install_istio.sh

@@ -0,0 +1,72 @@
+# Copyright 2020 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#      http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#!/bin/bash
+
+# installs standard single-cluster Istio on GKE + the Istio Stackdriver adapter
+
+# Download Istio
+WORKDIR="`pwd`"
+ISTIO_VERSION="${ISTIO_VERSION:-1.4.2}"
+log "Downloading Istio ${ISTIO_VERSION}..."
+curl -L https://git.io/getLatestIstio | ISTIO_VERSION=$ISTIO_VERSION sh -
+
+
+# Prepare for install
+kubectl label namespace default istio-injection=enabled
+kubectl create namespace istio-system
+
+kubectl create clusterrolebinding cluster-admin-binding \
+    --clusterrole=cluster-admin \
+    --user=$(gcloud config get-value core/account)
+
+helm template ${WORKDIR}/istio-${ISTIO_VERSION}/install/kubernetes/helm/istio-init --name istio-init --namespace istio-system | kubectl apply -f -
+sleep 20
+
+
+# customize
+if [ "$ILB_ENABLED" == "true" ]; then
+    ILB="--set gateways.istio-ilbgateway.enabled=true"
+else
+    ILB="--set gateways.istio-ilbgateway.enabled=false"
+fi
+
+if [ "$MESH_EXPANSION" == "true" ]; then
+    ENABLE_VM="--set global.meshExpansion.enabled=true"
+else
+    ENABLE_VM="--set global.meshExpansion.enabled=false"
+fi
+
+
+# installs Istio with Envoy access logging enabled
+helm template ${WORKDIR}/istio-${ISTIO_VERSION}/install/kubernetes/helm/istio --name istio --namespace istio-system \
+--set prometheus.enabled=true \
+--set tracing.enabled=true \
+--set kiali.enabled=true --set kiali.createDemoSecret=true \
+--set "kiali.dashboard.jaegerURL=http://jaeger-query:16686" \
+--set "kiali.dashboard.grafanaURL=http://grafana:3000" \
+--set grafana.enabled=true \
+--set mixer.policy.enabled=false \
+${ILB} \
+${ENABLE_VM} \
+--set global.proxy.accessLogFile="/dev/stdout" >> istio.yaml
+
+# install istio
+kubectl apply -f istio.yaml
+
+# install the Stackdriver adapter
+git clone https://github.com/istio/installer && cd installer
+helm template istio-telemetry/mixer-telemetry --execute=templates/stackdriver.yaml -f global.yaml --set mixer.adapters.stackdriver.enabled=true --namespace istio-system | kubectl apply -f -
+cd ..
+
+rm -rf installer/

internal-load-balancer/README.md

@@ -23,7 +23,7 @@ In this demo, we will build the following architecture:
 - A GCP project with billing enabled
 - [Helm](https://helm.sh/docs/using_helm/#installing-helm) (CLI) installed on your local machine
 
-## 1 - Create a GKE Cluster
+## Create a GKE Cluster
 
 1. **Export project ID:**
 
@@ -39,83 +39,33 @@ gcloud container clusters create istio-ilb --project $PROJECT_ID --zone us-east4
 --num-nodes "4" --network "default" --async
 ```
 
-Wait for the cluster to be `RUNNING`, by executing:
+3. Wait for the cluster to be `RUNNING`, by executing:
 
 ```
 gcloud container clusters list --project $PROJECT_ID
-
 ```
 
-3. **Get credentials,** then grant RBAC permissions for Istio.
+4. Get credentials:
 
 ```
 gcloud container clusters get-credentials istio-ilb --zone us-east4-a --project $PROJECT_ID
-
-kubectl create clusterrolebinding cluster-admin-binding \
---clusterrole=cluster-admin \
---user=$(gcloud config get-value core/account)
-```
-
-## 2 - Install Istio with ILB Gateway Enabled
-
-
-
-1. **Download Istio:**
-
-Set [Istio version](https://github.com/istio/istio/releases):
-
-```
-ISTIO_VERSION=<version>
 ```
 
-Download Istio:
-
-```
-curl -L https://git.io/getLatestIstio | ISTIO_VERSION=${ISTIO_VERSION} sh -
-```
+## Install Istio with ILB Gateway Enabled
 
-2. **Prepare the cluster for install:**
+1. Install Istio on the cluster:
 
 ```
-kubectl create namespace istio-system
-kubectl label namespace default istio-injection=enabled
-helm template istio-${ISTIO_VERSION}/install/kubernetes/helm/istio-init --name istio-init --namespace istio-system | kubectl apply -f -
-```
-
-3. **Wait for CRDs to be ready:**
-
-```
-kubectl get crds | grep 'istio.io\|certmanager.k8s.io' | wc -l
-```
-
-The output of this command should be either `53` (Istio 1.1) or `23` (Istio 1.2).
-
-4. **Generate the Istio installation YAML.**
-
-(Note that we're enabling the option to deploy the ILB Gateway.)
-```
-helm template ./istio-${ISTIO_VERSION}/install/kubernetes/helm/istio --name istio --namespace istio-system \
-   --set prometheus.enabled=true \
-   --set kiali.enabled=true --set kiali.createDemoSecret=true \
-   --set "kiali.dashboard.jaegerURL=http://jaeger-query:16686" \
-   --set "kiali.dashboard.grafanaURL=http://grafana:3000" \
-   --set grafana.enabled=true \
-   --set sidecarInjectorWebhook.enabled=true \
-   --set gateways.istio-ilbgateway.enabled=true > istio.yaml
+chmod +x ../common/install_istio.sh; ILB_ENABLED="true" ../common/install_istio.sh
 ```
 
 *Optional* - Open `istio.yaml` and search the file for `istio-ilbgateway`. You will find a Kubernetes Service, `istio-ilbgateway`, that is Service `type=LoadBalancer`, but has the annotation: `cloud.google.com/load-balancer-type: "internal"`. This means that rather than provisioning an external [Network Load Balancer](https://cloud.google.com/load-balancing/docs/network/) for Istio's ILB gateway, GKE will create an [Internal Load Balancer](https://cloud.google.com/load-balancing/docs/internal/) instead. [See the GCP docs](https://cloud.google.com/kubernetes-engine/docs/how-to/internal-load-balancing#create) for more information.
 
 Also note that the Istio ILB Gateway has [more customization options](https://istio.io/docs/reference/config/installation-options/#gateways-options) on install that we aren't using here, that would be useful for production use cases-- for example, autoscaling options, and memory/CPU allocations.
 
-5. **Install Istio on the cluster:**
-```
-kubectl apply -f istio.yaml
-```
+2. Run `kubectl get pods -n istio-system`. Notice a pod with the name prefix `istio-ilbgateway`. This is the Envoy proxy that will handle our requests from GCE.
 
-Run `kubectl get pods -n istio-system`. Notice a pod with the name prefix `istio-ilbgateway`. This is the Envoy proxy that will handle our requests from GCE.
-
-## 3 - Deploy the HelloServer application
+## Deploy the HelloServer application
 
 HelloServer is a Python HTTP server that serves the `GET / ` endpoint, and prints `HelloWorld`. We'll also deploy a load generator (also Python) that will repeatedly send 10 Requests per Second (RPS) to `helloserver`.
 
@@ -125,7 +75,7 @@ kubectl apply -f ../sample-apps/helloserver/server/server.yaml
 kubectl apply -f ../sample-apps/helloserver/loadgen/loadgen.yaml
 ```
 
-## 4 - Open the Kiali Dashboard
+## Explore the Kiali Dashboard
 
 [Kiali](https://www.kiali.io/) is a web-based Istio dashboard for observing your Istio mesh topology. We installed Kiali already, with the rest of the Istio control plane.
 
@@ -143,7 +93,7 @@ Then, navigate in the left sidebar to `Graph`, and view the Service Graph for th
 
 ![service-graph](screenshots/default-svc-graph.png)
 
-## 5- Modify ILB Gateway's Ports
+## Expose HelloServer using the ILB
 
 Now imagine that we want to reach HelloService from a workload not in the Istio mesh, and from outside of GKE.
 
@@ -162,32 +112,26 @@ Notice that under the `ports` field, there are four ports defined, all for inter
 2. **Add port 80 to the ILB gateway service**
 
 ```
-kubectl apply -f istio/ilb-gateway-modified.yaml
+kubectl apply -f manifests/ilb-gateway-modified.yaml
 ```
 
 **Note** - There is [a limitation of 5 ports](https://cloud.google.com/load-balancing/docs/internal/#forwarding_rule) for a GCP Internal Load Balancer. Outside of Kubernetes, there is an option to enable `all` ports, but you must provide a specific list of ports to expose for a Kubernetes service.
 
 
-## 6 - Create a GCE Instance
+## Access HelloServer via ILB
 
 Now, we'll create a GCE Instance in the same project. **Note**: we will create this VM in the same region as the GKE cluster. This is a prerequisite for GCP resource communication via ILB. Also notice that `--network=default` means we're creating the GCE VM in the same VPC network as the GKE cluster, which is also using the `default` network.
 
 ```
 gcloud compute --project=$PROJECT_ID instances create gce-ilb --zone=us-east4-a --machine-type=n1-standard-2 --network=default
 ```
 
-
-## 7 - Expose HelloServer via the ILB Gateway
-
 If we want to send traffic from GCE to GKE, via the Istio ILB Gateway, we will have to expose HelloServer within GCP. This will be the same process as if we were exposing HelloServer to the public internet ([with the IngressGateway](https://istio.io/docs/tasks/traffic-management/ingress/#configuring-ingress-using-an-istio-gateway)). For this, we'll use an Istio `Gateway` resource, along with a `VirtualService`.
 
 ```
-kubectl apply -f istio/server-ilb.yaml
+kubectl apply -f manifests/server-ilb.yaml
 ```
 
-
-## 8 - Send Traffic from GCE to GKE via ILB Gateway
-
 Because the Istio ILBGateway service is `type=LoadBalancer`, it gets an `EXTERNAL_IP`, but only "external" within our regional VPC network:
 
 1. **Get the EXTERNAL_IP for istio-ilbgateway:**
@@ -213,7 +157,9 @@ gcloud compute ssh --project $PROJECT_ID  --zone "us-east4-a" gce-ilb
 3. **Reach helloserver via the ILB gateway IP, at port 80:**
 
 ```
-curl http://<EXTERNAL_IP>:80
+export EXTERNAL_IP="<your-external-ip"
+
+curl http://${EXTERNAL_IP}:80
 ```
 
 You should see:
@@ -222,13 +168,11 @@ You should see:
 Hello World! /
 ```
 
-This request just went from your GCE instance, to the Istio ILB Gateway, then to the `helloserver` Service inside the Istio mesh.
+This request just went from your GCE instance, to the Istio ILB Gateway, then to the `hellosvc` Service inside the Istio mesh.
 
 Notice that if you try to execute the same `curl` request on your local machine, you will time out -- this because the ILB Gateway is only exposed from within your GCP project's private VPC network.
 
-## 9 - Observe changes to the service graph
-
-Re-open the Kiali service graph in the browser -- now notice how the ilb-gateway is also now serving traffic for `helloserver`.
+Finally, re-open the Kiali service graph in the browser -- now notice how the ilb-gateway is also now serving traffic for `hellosvc`.
 
 ![service-graph](screenshots/ilb-graph.png)
 
@@ -241,11 +185,11 @@ Re-open the Kiali service graph in the browser -- now notice how the ilb-gateway
 1. **Delete the GCE VM**:
 
 ```
-gcloud compute --project=$PROJECT_ID instances delete gce-ilb --zone=us-east4-a
+gcloud compute --project=$PROJECT_ID instances delete gce-ilb --zone=us-east4-a --async
 ```
 
 2. **Delete the GKE Cluster**:
 
 ```
-gcloud container clusters delete istio-ilb --project $PROJECT_ID --zone us-east4-a
+gcloud container clusters delete istio-ilb --project $PROJECT_ID --zone us-east4-a --async
 ```

internal-load-balancer/istio/ilb-gateway-modified.yaml → internal-load-balancer/manifests/ilb-gateway-modified.yaml

@@ -1,5 +1,5 @@
 
-# Copyright 2019 Google LLC
+# Copyright 2020 Google LLC
 #
 # Licensed under the Apache License, Version 2.0 (the "License");
 # you may not use this file except in compliance with the License.
@@ -13,7 +13,7 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.
 
-# [START istio_internal_load_balancer_istio_service_istio_ilbgateway]
+# [START istio_internal_load_balancer_manifests_service_istio_ilbgateway]
 apiVersion: v1
 kind: Service
 metadata:
@@ -44,5 +44,5 @@ spec:
     app: istio-ilbgateway
     istio: ilbgateway
   type: LoadBalancer
-# [END istio_internal_load_balancer_istio_service_istio_ilbgateway]
+# [END istio_internal_load_balancer_manifests_service_istio_ilbgateway]
 ---

internal-load-balancer/istio/server-ilb.yaml → internal-load-balancer/manifests/server-ilb.yaml

@@ -1,5 +1,5 @@
 
-# Copyright 2019 Google LLC
+# Copyright 2020 Google LLC
 #
 # Licensed under the Apache License, Version 2.0 (the "License");
 # you may not use this file except in compliance with the License.
@@ -13,7 +13,7 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.
 
-# [START istio_internal_load_balancer_istio_gateway_hello_ilb_gateway]
+# [START istio_internal_load_balancer_manifests_gateway_hello_ilb_gateway]
 apiVersion: networking.istio.io/v1alpha3
 kind: Gateway
 metadata:
@@ -28,9 +28,9 @@ spec:
       name: http
       number: 80
       protocol: HTTP
-# [END istio_internal_load_balancer_istio_gateway_hello_ilb_gateway]
+# [END istio_internal_load_balancer_manifests_gateway_hello_ilb_gateway]
 ---
-# [START istio_internal_load_balancer_istio_virtualservice_hellosvc_vs]
+# [START istio_internal_load_balancer_manifests_virtualservice_hellosvc_vs]
 apiVersion: networking.istio.io/v1alpha3
 kind: VirtualService
 metadata:
@@ -46,5 +46,5 @@ spec:
         host: hellosvc
         port:
           number: 80
-# [END istio_internal_load_balancer_istio_virtualservice_hellosvc_vs]
+# [END istio_internal_load_balancer_manifests_virtualservice_hellosvc_vs]
 ---