Open
Description
After,
And also delete the different objects we've created:
kubectl --context ${MGMT} -n bookinfo-team delete virtualdestination productpage
kubectl --context ${MGMT} -n bookinfo-team delete outlierdetectionpolicy outlier-detection-
We should also delete the failoverpolicy
-
Also, When we switch back to the original RT before the Zero Trust section of module 2, we should add a note on why we are switching back
-
Making this command and others multiline would improve readability-
pod=$(kubectl --context ${CLUSTER1} -n httpbin get pods -l app=not-in-mesh -o jsonpath='{.items[0].metadata.name}')
kubectl --context ${CLUSTER1} -n httpbin debug -i -q ${pod} --image=curlimages/curl -- curl -s -o /dev/null -w "%{http_code}" http://reviews.bookinfo-backends.svc.cluster.local:9080/reviews/0- Rather than doing a kubectl debug, it might be easier to do this via a sleep pod
Current:
pod=$(kubectl --context ${CLUSTER1} -n httpbin get pods -l app=in-mesh -o jsonpath='{.items[0].metadata.name}')
kubectl --context ${CLUSTER1} -n httpbin debug -i -q ${pod} --image=curlimages/curl -- curl -s -o /dev/null -w "%{http_code}" http://reviews.bookinfo-backends.svc.cluster.local:9080/reviews/0Proposed:
kubectl --context $CLUSTER1 -n httpbin \
apply -f https://raw.githubusercontent.com/istio/istio/release-1.17/samples/sleep/sleep.yaml
kubectl --context $CLUSTER1 -n httpbin \
get pod -l app=sleep;
kubectl --context $CLUSTER1 -n httpbin \
exec -it deploy/sleep -- \
curl -s -o /dev/null -w "%{http_code}" http://reviews.bookinfo-backends.svc.cluster.local:9080/reviews/0We should break the following section into 3 separate sections
pod=$(kubectl --context ${CLUSTER1} -n bookinfo-frontends get pods -l app=productpage -o jsonpath='{.items[0].metadata.name}')
echo "From productpage to details, should be allowed"
kubectl --context ${CLUSTER1} -n bookinfo-frontends debug -i -q ${pod} --image=curlimages/curl -- curl -s http://details.bookinfo-backends:9080/details/0 | jq
echo "From productpage to reviews, should be allowed"
kubectl --context ${CLUSTER1} -n bookinfo-frontends debug -i -q ${pod} --image=curlimages/curl -- curl -s http://reviews.bookinfo-backends:9080/reviews/0 | jq
echo "From productpage to ratings, should be denied"
kubectl --context ${CLUSTER1} -n bookinfo-frontends debug -i -q ${pod} --image=curlimages/curl -- curl -s http://ratings.bookinfo-backends:9080/ratings/0 -iModule 3
If you refresh your browser, you should see that you get a response either from the local service or from the external service.
^ this currently fails-
# curl -k https://10.5.0.254/geterror:
upstream connect error or disconnect/reset before headers. retried and the latest reset reason: connection failure, transport failure reason: TLS error: 268435581:SSL routines:OPENSSL_internal:CERTIFICATE_VERIFY_FAILED
istioctl --context $CLUSTER1 \
> pc secrets \
> -n istio-gateways svc/istio-ingressgateway
RESOURCE NAME TYPE STATUS VALID CERT SERIAL NUMBER NOT AFTER NOT BEFORE
kubernetes://tls-secret CA ACTIVE true 417331438521364388010583664345130880179005978002 2024-03-31T13:24:41Z 2023-04-01T13:24:41Z
default Cert Chain ACTIVE true 138903141074340073272611178638063452375 2023-04-02T14:26:31Z 2023-04-01T14:24:31Z
ROOTCA CA ACTIVE true 268534852559328264948732062514656608914 2024-03-31T14:26:12Z 2023-04-01T14:26:12Z
istioctl --context $CLUSTER1 pc secrets -n httpbin deploy/in-mesh
RESOURCE NAME TYPE STATUS VALID CERT SERIAL NUMBER NOT AFTER NOT BEFORE
default Cert Chain ACTIVE true 205165220293220887344568674427115039589 2023-04-02T12:45:12Z 2023-04-01T12:43:12Z
ROOTCA CA ACTIVE true 40700971172074859705572646854716953212 2033-03-29T12:43:20Z 2023-04-01T12:43:20Z
solution
- restart the deployment so that it picks the new cert from istio
kubectl --context $CLUSTER1 -n httpbin rollout restart deployment/in-mesh
Metadata
Assignees
Labels
No labels