@incfly
Last active December 4, 2019 23:03
knative-mtls
# kpidn is used below but not defined in the gist; it is assumed here to be the
# author's shell alias for "pod name in namespace": kpidn <namespace> <get-pod args...>
function kpidn() {
  local ns=$1; shift
  kubectl -n "${ns}" get pod "$@" -o jsonpath='{.items[0].metadata.name}'
}

# Namespace with STRICT mTLS, a sleep client, and two httpbin deployments behind a
# selector-less Service (its Endpoints are managed by hand in endpoint() below).
function prepare() {
  kubectl create ns bug
  kubectl label ns bug istio-injection=enabled
  cat <<EOF | kubectl apply -f -
apiVersion: "authentication.istio.io/v1alpha1"
kind: "Policy"
metadata:
  name: "default"
  namespace: "bug"
spec:
  peers:
  - mtls:
      mode: STRICT
---
apiVersion: "networking.istio.io/v1alpha3"
kind: "DestinationRule"
metadata:
  name: "mtls-services"
  namespace: "bug"
spec:
  host: "*.local"
  trafficPolicy:
    tls:
      mode: ISTIO_MUTUAL
EOF
  cat <<EOF | kubectl apply -f -
apiVersion: v1
kind: ServiceAccount
metadata:
  name: sleep
  namespace: bug
---
apiVersion: v1
kind: Service
metadata:
  name: sleep
  namespace: bug
  labels:
    app: sleep
spec:
  ports:
  - port: 80
    name: http
  selector:
    app: sleep
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: sleep
  namespace: bug
spec:
  replicas: 1
  selector:
    matchLabels:
      app: sleep
  template:
    metadata:
      labels:
        app: sleep
      annotations:
        sidecar.istio.io/inject: "true"
    spec:
      serviceAccountName: sleep
      containers:
      - name: sleep
        image: governmentpaas/curl-ssl
        command: ["/bin/sleep", "3650d"]
        imagePullPolicy: IfNotPresent
        volumeMounts:
        - mountPath: /etc/sleep/tls
          name: secret-volume
      volumes:
      - name: secret-volume
        secret:
          secretName: sleep-secret
          optional: true
EOF
  # Note: the httpbin Service deliberately has no selector, so Kubernetes does not
  # create Endpoints for it; neither httpbin1 nor httpbin2 is selected.
  cat <<EOF | kubectl apply -f -
apiVersion: v1
kind: Service
metadata:
  name: httpbin
  namespace: bug
  labels:
    app: httpbin
spec:
  ports:
  - name: http
    port: 8000
    targetPort: 80
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: httpbin1
  namespace: bug
spec:
  replicas: 1
  selector:
    matchLabels:
      app: httpbin1
      version: v1
  template:
    metadata:
      labels:
        app: httpbin1
        version: v1
      annotations:
        sidecar.istio.io/inject: "true"
    spec:
      containers:
      - image: docker.io/kennethreitz/httpbin
        imagePullPolicy: IfNotPresent
        name: httpbin
        ports:
        - containerPort: 80
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: httpbin2
  namespace: bug
spec:
  replicas: 1
  selector:
    matchLabels:
      app: httpbin2
      version: v1
  template:
    metadata:
      labels:
        app: httpbin2
        version: v1
      annotations:
        sidecar.istio.io/inject: "true"
    spec:
      containers:
      - image: docker.io/kennethreitz/httpbin
        imagePullPolicy: IfNotPresent
        name: httpbin
        ports:
        - containerPort: 80
EOF
}

# Point the httpbin Service's Endpoints at one pod (httpbin1 by default, or the
# app label passed as $1) to simulate an endpoint swap.
function endpoint() {
  name=${1:-httpbin1}
  podIP=$(kubectl -n bug get pod -l app=${name} -o jsonpath='{.items[*].status.podIP}')
  podName=$(kpidn bug -l app=${name})
  echo "name ${name}, podIP ${podIP}, podName ${podName}"
  kubectl -n bug apply -f - <<EOF
apiVersion: v1
kind: Endpoints
metadata:
  name: httpbin
  namespace: bug
subsets:
- addresses:
  - ip: ${podIP} ### Replace your httpbin1 pod's IP
    targetRef:
      kind: Pod
      name: ${podName} ### Replace your httpbin1 pod's name
      namespace: bug
  ports:
  - name: http
    port: 80
    protocol: TCP
EOF
}

# Declare both pods up front as a STATIC ServiceEntry so Pilot programs the
# listeners before any Endpoints swap happens.
function addse() {
  ip1=$(kubectl -n bug get pod -l app=httpbin1 -o jsonpath='{.items[*].status.podIP}')
  ip2=$(kubectl -n bug get pod -l app=httpbin2 -o jsonpath='{.items[*].status.podIP}')
  kubectl -n bug apply -f - <<EOF
apiVersion: networking.istio.io/v1alpha3
kind: ServiceEntry
metadata:
  name: httpbin2-se-update
spec:
  hosts:
  - httpbin.bug.svc
  location: MESH_INTERNAL
  ports:
  - number: 8000
    name: http1
    protocol: http
  resolution: STATIC
  endpoints:
  - address: ${ip1}
    ports:
      http1: 80
  - address: ${ip2}
    ports:
      http1: 80
EOF
}

# Send a request from the sleep pod through the mesh to httpbin.
function check() {
  podName=$(kpidn bug -l app=sleep)
  kubectl -n bug exec -it ${podName} -- curl httpbin.bug.svc:8000/ip
}

ignore this....

Why does httpbin1 get the destination port 80 listener but httpbin2 does not? Neither pod is matched by the Service's selector definition.

  • Indeed, only httpbin1 has the pod_ip_80 listener.
  • Before: no TLS context.
  • After adding the Endpoints: yes, the TLS context is added.
  • After swapping to httpbin2: no.

Pilot has different logic for the two cases:

  1. No endpoints associated with a service, 0 -> 1: triggers a full push.
  2. Endpoints exist but are updated, 1 -> 2: triggers only an EDS push.

Why do we have virtualInbound for the destination-port filter chain as well as the other listener? Redundant?

  • Seems to be added from the service listeners.

Service Entry as a solution

  • Define the service entry beforehand to get the listener.
  • When swapping the endpoints afterwards, it works fine.

If the SE is modified afterwards instead, swapping the endpoints leaves those Envoys unable to serve traffic, causing 503s. Normally a pod is marked "ready" only after receiving the desired LDS config, and only then does the kube-apiserver populate the Endpoints with ready endpoints.

The alternative, TCP proxy pass-through, works, but is lame...
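The observations above (pod_ip_80 listener present or not, TLS context present or not) were read by hand out of the sidecar's config. The script below is an added example, not code from this gist, that does the same check mechanically so it can run before an Endpoints or ServiceEntry swap: it takes an Envoy `config_dump` (as returned by the admin endpoint in the istio-proxy container, `kubectl -n bug exec <pod> -c istio-proxy -- curl -s localhost:15000/config_dump`) and classifies every listener serving a given inbound port as strict, permissive or plaintext. The sample dump embedded in it is constructed to mirror the notes (a pod-IP listener on port 80 with a `tls_context`, and a virtualInbound chain for port 80 without one); the listener and field names follow the Envoy v2 admin API of the Istio 1.4 era, and the `transport_socket` fallback is for newer dumps.

```python
"""Classify the mTLS posture of a sidecar's inbound listeners from an Envoy config_dump.

Added example, not part of the gist. Feed it a real dump with
  python3 inbound_mtls.py config_dump.json 80
or run it without arguments to use the constructed SAMPLE_DUMP below.
"""
import json
import sys

# Envoy v2 admin API type (Istio 1.4 era); newer proxies use the v3 equivalent.
LISTENERS_DUMP = "type.googleapis.com/envoy.admin.v2alpha.ListenersConfigDump"


def _chain_has_tls(chain):
    """True if a filter chain terminates TLS: v2 `tls_context` or a TLS transport_socket."""
    if chain.get("tls_context"):
        return True
    transport = chain.get("transport_socket") or {}
    return "tls" in transport.get("name", "")


def _listener_port(listener):
    return listener.get("address", {}).get("socket_address", {}).get("port_value")


def classify_inbound(config_dump, port):
    """Return {listener_name: posture} for listeners that serve `port` inbound.

    posture is "strict" (every chain requires TLS), "permissive" (a mix of TLS and
    plaintext chains) or "plaintext" (no chain has TLS). virtualInbound is matched
    on its filter_chain_match.destination_port entries, not on its bind address.
    """
    result = {}
    for cfg in config_dump.get("configs", []):
        if cfg.get("@type") not in (LISTENERS_DUMP, LISTENERS_DUMP.replace("v2alpha", "v3")):
            continue
        for entry in cfg.get("dynamic_active_listeners", []):
            listener = entry["listener"]
            name = listener["name"]
            if name == "virtualInbound":
                chains = [c for c in listener.get("filter_chains", [])
                          if c.get("filter_chain_match", {}).get("destination_port") == port]
            elif _listener_port(listener) == port:
                chains = listener.get("filter_chains", [])
            else:
                continue
            if not chains:
                continue  # listener exists but has nothing for this port
            tls = [_chain_has_tls(c) for c in chains]
            result[name] = "strict" if all(tls) else ("permissive" if any(tls) else "plaintext")
    return result


def listeners_missing_tls(config_dump, port):
    """Listeners on `port` that would accept plaintext: the 'no tls context' case from the notes."""
    return sorted(n for n, p in classify_inbound(config_dump, port).items() if p != "strict")


# Constructed sample: the pod-IP listener carries a TLS context (the state seen after
# the Endpoints object pointed at httpbin1), while virtualInbound has a plaintext chain
# for port 80 and a TLS chain for port 8000.
SAMPLE_DUMP = {
    "configs": [{
        "@type": LISTENERS_DUMP,
        "dynamic_active_listeners": [
            {"listener": {
                "name": "10.0.0.5_80",
                "address": {"socket_address": {"address": "10.0.0.5", "port_value": 80}},
                "filter_chains": [{
                    "tls_context": {"require_client_certificate": True},
                    "filters": [{"name": "envoy.http_connection_manager"}]}]}},
            {"listener": {
                "name": "virtualInbound",
                "address": {"socket_address": {"address": "0.0.0.0", "port_value": 15006}},
                "filter_chains": [
                    {"filter_chain_match": {"destination_port": 80},
                     "filters": [{"name": "envoy.tcp_proxy"}]},
                    {"filter_chain_match": {"destination_port": 8000},
                     "tls_context": {"require_client_certificate": True},
                     "filters": [{"name": "envoy.tcp_proxy"}]}]}},
        ]}]}


if __name__ == "__main__":
    dump = json.load(open(sys.argv[1])) if len(sys.argv) > 1 else SAMPLE_DUMP
    port = int(sys.argv[2]) if len(sys.argv) > 2 else 80
    print(json.dumps(classify_inbound(dump, port), indent=2))
    print("not strict:", listeners_missing_tls(dump, port))
```

The useful gate is `listeners_missing_tls(dump, 80)` on the pod you are about to swap the Endpoints to: if it is non-empty (or the pod-IP listener is absent entirely, as for httpbin2 in the notes), the STRICT policy is not yet reflected in that sidecar's inbound config and the swap will either fail with 503s or, worse, be served through a chain that never asked for a client certificate.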
