Istio workload selector fetched from the gateway service spec #143

Merged 1 commit on Feb 2, 2023

guicassolato

Closes #141

Verification steps

❶ Setup:

make local-setup

kubectl apply -f examples/toystore/toystore.yaml
kubectl apply -f examples/toystore/httproute.yaml

kubectl apply -f - <<EOF
apiVersion: kuadrant.io/v1beta1
kind: Kuadrant
metadata:
  name: kuadrant
spec: {}
EOF

❷ Create the policies:

kubectl apply -f - <<EOF
apiVersion: kuadrant.io/v1beta1
kind: AuthPolicy
metadata:
  name: toystore
spec:
  targetRef:
    group: gateway.networking.k8s.io
    kind: HTTPRoute
    name: toystore
  authScheme: {}
---
apiVersion: kuadrant.io/v1beta1
kind: RateLimitPolicy
metadata:
  name: toystore
spec:
  targetRef:
    group: gateway.networking.k8s.io
    kind: HTTPRoute
    name: toystore
  rateLimits:
    - rules:
        - hosts: ["rate-limited.toystore.com"]
      configurations:
        - actions:
            - generic_key:
                descriptor_key: "limited"
                descriptor_value: "1"
      limits:
        - conditions:
            - "limited == 1"
          maxValue: 5
          seconds: 10
          variables: []
EOF

❸ Check the workload selectors:

Check the Gateway status and Gateway Service's selector:

kubectl get gateway/istio-ingressgateway -n istio-system -o jsonpath='{.metadata.labels}' | jq .
kubectl get gateway/istio-ingressgateway -n istio-system -o jsonpath='{.status.addresses}' | jq .
kubectl get service/istio-ingressgateway -n istio-system -o jsonpath='{.spec.selector}' | jq .

Check the workload selectors added to the Istio resources:

AuthorizationPolicy:

kubectl get authorizationpolicy/on-istio-ingressgateway-using-toystore -n istio-system -o jsonpath='{.spec.selector}' | jq .

EnvoyFilter:

kubectl get envoyfilter/kuadrant-ratelimiting-cluster-istio-ingressgateway -n istio-system -o jsonpath='{.spec.workloadSelector}' | jq .

WasmPlugin:

kubectl get wasmplugin/kuadrant-istio-ingressgateway -n istio-system -o jsonpath='{.spec.selector}' | jq .

❹ Add a 2nd gateway:

kubectl apply -n istio-system -f - <<EOF
apiVersion: gateway.networking.k8s.io/v1beta1
kind: Gateway
metadata:
  name: kuadrant-ingressgateway
  labels:
    app: kuadrant
  annotations:
    kuadrant.io/namespace: default
spec:
  gatewayClassName: istio
  listeners:
    - name: default
      protocol: HTTP
      hostname: "*.kuadrant.io"
      port: 8080
      allowedRoutes:
        namespaces:
          from: All
EOF
kubectl apply -f - <<EOF
apiVersion: gateway.networking.k8s.io/v1alpha2
kind: HTTPRoute
metadata:
  name: toystore
  labels:
    app: toystore
  annotations:
    kuadrant.io/ratelimitpolicy: 'default/toystore'
    kuadrant.io/authpolicy: 'default/toystore'
spec:
  parentRefs:
    - name: istio-ingressgateway
      namespace: istio-system
    - name: kuadrant-ingressgateway
      namespace: istio-system
  hostnames: ["*.toystore.com", "*.toystore.kuadrant.io"]
  rules:
    - matches:
        - path:
            type: PathPrefix
            value: "/toy"
          method: GET
        - path:
            type: Exact
            value: "/admin/toy"
          method: POST
        - path:
            type: Exact
            value: "/admin/toy"
          method: DELETE
      backendRefs:
        - name: toystore
          port: 80
EOF

❺ Check the workload selectors:

Check the 2nd Gateway status and 2nd Gateway Service's selector:

kubectl get gateway/kuadrant-ingressgateway -n istio-system -o jsonpath='{.metadata.labels}' | jq .
kubectl get gateway/kuadrant-ingressgateway -n istio-system -o jsonpath='{.status.addresses}' | jq .
kubectl get service/kuadrant-ingressgateway -n istio-system -o jsonpath='{.spec.selector}' | jq .

Check the workload selectors added to the Istio resources:

AuthorizationPolicy:

kubectl get authorizationpolicy/on-kuadrant-ingressgateway-using-toystore -n istio-system -o jsonpath='{.spec.selector}' | jq .

EnvoyFilter:

kubectl get envoyfilter/kuadrant-ratelimiting-cluster-kuadrant-ingressgateway -n istio-system -o jsonpath='{.spec.workloadSelector}' | jq .

WasmPlugin:

kubectl get wasmplugin/kuadrant-kuadrant-ingressgateway -n istio-system -o jsonpath='{.spec.selector}' | jq .
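The selector comparison in steps ❸ and ❺, automated as an added example (not part of the pull request or the project's code). It assumes the expected result is that each Istio resource's workload selector equals the gateway Service's `spec.selector`; the function names and the label values in the sample are constructed for illustration.

```python
import json

# Where each Istio kind keeps its workload label map.
SELECTOR_FIELD = {
    "AuthorizationPolicy": ("selector", "matchLabels"),
    "WasmPlugin": ("selector", "matchLabels"),
    "EnvoyFilter": ("workloadSelector", "labels"),
}

def resource_labels(resource):
    """Return the resource's workload selector labels, or None if it has none."""
    outer, inner = SELECTOR_FIELD[resource["kind"]]
    selector = resource.get("spec", {}).get(outer) or {}
    return selector.get(inner) or None

def check_selectors(service, resources):
    """Classify each resource against the gateway Service's spec.selector."""
    expected = service["spec"]["selector"]
    report = {}
    for res in resources:
        key = f'{res["kind"]}/{res["metadata"]["name"]}'
        labels = resource_labels(res)
        if labels is None:
            # Without a selector Istio no longer scopes the resource to this
            # gateway's pods, so the policy applies more broadly than intended.
            report[key] = "unscoped"
        elif labels == expected:
            report[key] = "ok"
        else:
            # Selector targets other pods: the gateway may run unprotected.
            report[key] = "mismatch"
    return report

# Constructed sample, shaped like `kubectl get ... -o json` output.
# Resource names come from the steps above; label values are made up.
SERVICE = json.loads("""
{"kind": "Service", "metadata": {"name": "kuadrant-ingressgateway"},
 "spec": {"selector": {"istio.io/gateway-name": "kuadrant-ingressgateway"}}}
""")
RESOURCES = json.loads("""
[{"kind": "AuthorizationPolicy", "metadata": {"name": "on-kuadrant-ingressgateway-using-toystore"},
  "spec": {"selector": {"matchLabels": {"istio.io/gateway-name": "kuadrant-ingressgateway"}}}},
 {"kind": "EnvoyFilter", "metadata": {"name": "kuadrant-ratelimiting-cluster-kuadrant-ingressgateway"},
  "spec": {"workloadSelector": {"labels": {"app": "kuadrant"}}}},
 {"kind": "WasmPlugin", "metadata": {"name": "kuadrant-kuadrant-ingressgateway"}, "spec": {}}]
""")

if __name__ == "__main__":
    for name, verdict in check_selectors(SERVICE, RESOURCES).items():
        print(f"{verdict:10} {name}")
```

Against a live cluster, the same functions can be fed the parsed output of `kubectl get ... -o json` for the Service and the three resources instead of the constructed sample.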

@guicassolato guicassolato self-assigned this Jan 26, 2023
@guicassolato guicassolato force-pushed the workload-selector branch 3 times, most recently from 5bad393 to c9fc05f Compare January 27, 2023 12:26
@guicassolato guicassolato marked this pull request as ready for review January 27, 2023 12:52
@guicassolato guicassolato requested a review from a team as a code owner January 27, 2023 12:52
@guicassolato guicassolato force-pushed the workload-selector branch 3 times, most recently from 3acd503 to 9747d84 Compare February 2, 2023 13:05
@guicassolato guicassolato force-pushed the workload-selector branch 3 times, most recently from c2f4bed to 91119ba Compare February 2, 2023 13:10

@eguzki eguzki left a comment

verification steps working

@guicassolato guicassolato merged commit bfc5a1c into main Feb 2, 2023
@guicassolato guicassolato deleted the workload-selector branch February 2, 2023 16:24
Successfully merging this pull request may close these issues.

Wrong workload selector of resources configuring a gateway