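# To test in real cluster:
# kubectl create ns none
# kubectl label namespace none istio-injection=enabled

# All configs for 'none' namespace, used to test interception without iptables.
# In this mode the namespace isolation is required - the tests will also verify isolation
# It is important to update the tests in ../envoy/v2 which verify the number of generated listeners.

# This is the first test using the new isolated model, you can use it as a template to create more
# isolated tests. It should be possible to also apply it to real k8s.

# TODO: the IP addresses are not namespaced yet, so must be unique on the mesh (flat namespace) including in
# ServiceEntry tests. Removing deps on ip in progress.

# Formatting note: every host:port value and every argument starting with '-' or ':' is quoted so that
# no YAML loader (1.1 or 1.2) can re-type or mis-tokenize it; the parsed values are unchanged.
---
# Default sidecar
apiVersion: networking.istio.io/v1alpha3
kind: Sidecar
metadata:
  name: default
  namespace: none
spec:
  egress:
    - hosts:
        - "none/*"
        - default/test.default  # TODO: without namespace it fails validation !
        # TODO: if we include the namespace, why do we need full name ? Importing regular services should work.

        # Label selection seems to confuse the new code.
  # Each inbound port is forwarded by the sidecar to a loopback endpoint (defaultEndpoint).
  ingress:
    - port:
        number: 7071
        protocol: HTTP
        name: httplocal
      defaultEndpoint: "127.0.0.1:17071"
    - port:
        number: 7070
        protocol: TCP
        name: tcplocal
      defaultEndpoint: "127.0.0.1:17070"
    # Fortio ports
    - port:
        number: 18080
        protocol: HTTP
        name: http-echo
      defaultEndpoint: "127.0.0.1:28080"
    - port:
        number: 18079
        protocol: TCP
        name: grpc-ping
      defaultEndpoint: "127.0.0.1:28079"
---

apiVersion: v1
kind: Service
metadata:
  name: fortio
  namespace: none
spec:
  ports:
    - port: 8080  # This is the service port - connect to fortio:8080 as client (using http proxy or in mesh)
      name: http-echo
      targetPort: 18080  # This port should listen on the target machine
    - port: 8079
      name: grpc-ping
      targetPort: 18079
  selector:
    app: fortio

---
# TODO: VirtualService using new Gateway style

# TODO: use UDS

apiVersion: apps/v1
kind: Deployment
metadata:
  name: fortio
  namespace: none
spec:
  replicas: 1
  selector:
    matchLabels:
      app: fortio
      version: v1
  template:
    metadata:
      labels:
        app: fortio
        version: v1
        # INTERCEPTION_MODE: NONE
      annotations:
        # No iptables redirect: the app must talk to the sidecar explicitly (see HTTP_PROXY below).
        sidecar.istio.io/interceptionMode: NONE
        status.sidecar.istio.io/port: "0"
    spec:
      containers:
        - name: echosrv
          # NOTE(review): mutable ':latest' tag from a personal registry namespace, pulled with
          # imagePullPolicy Always - the binary under test can change between runs. Pin by digest
          # (costinm/fortio@sha256:<DIGEST-PLACEHOLDER>) when reproducible runs matter.
          image: costinm/fortio:latest
          imagePullPolicy: Always
          ports:
            - containerPort: 18080
            - containerPort: 18079
          args:
            - "server"
            - "-static-dir"
            - "/usr/share/fortio/"
            - "--stdclient"
            - "-http-port"
            # - 127.0.0.1:28080 # This is the port from Sidecar. Normally should be localhost
            # Binding to all interfaces (instead of the sidecar's 127.0.0.1:28080 defaultEndpoint) makes the
            # port reachable on the pod IP without passing through the sidecar; deliberate here for perf testing.
            - ":28080"  # bound to 0.0.0.0 to allow additional perf testing.
            - "-grpc-port"
            - ":28079"
          env:
            # Outbound requests are sent through the local proxy explicitly, since nothing intercepts them
            # in interception mode NONE. 15002 is presumably the sidecar's HTTP proxy port - verify against the proxy config.
            - name: HTTP_PROXY
              value: "127.0.0.1:15002"
          resources:
            requests:
              cpu: 1000m
              memory: "1G"
            limits:
              cpu: 1000m
              memory: "1G"
---

apiVersion: apps/v1
kind: Deployment
metadata:
  name: fortio-cli
  namespace: none
spec:
  replicas: 1
  selector:
    matchLabels:
      app: fortio-cli
      version: v1
  template:
    metadata:
      labels:
        app: fortio-cli
        version: v1
      annotations:
        status.sidecar.istio.io/port: "0"
        sidecar.istio.io/interceptionMode: NONE
    spec:
      containers:
        - name: echosrv
          # NOTE(review): same unpinned ':latest' image as the fortio Deployment above; pin by digest
          # (costinm/fortio@sha256:<DIGEST-PLACEHOLDER>) for reproducible runs.
          image: costinm/fortio:latest
          imagePullPolicy: Always
          # Load generator: unlimited duration (-t 0), 32 connections, 500 qps against the fortio Service.
          args:
            - "load"
            - "--stdclient"
            - "-t"
            - "0"
            - "-c"
            - "32"
            - "-qps"
            - "500"
            - "http://fortio:8080/echo?size=5000"
          env:
            # Same explicit-proxy arrangement as the fortio Deployment (interception mode NONE).
            - name: HTTP_PROXY
              value: "127.0.0.1:15002"
          resources:
            requests:
              cpu: 500m
              memory: "1G"
            limits:
              cpu: 1000m
              memory: "1G"

---

# "None" mode depends on unique ports for each defined service or service entry.
# Not supported/require iptables:
# - TCP with 'addresses' field - needs iptables
# - resolution:NONE - 'original DST' - external services (for example https, ServiceEntry+address), stateful sets
# - TCP with resolution:DNS - same issue
# -

# Local ServiceEntry (meshex, test) - the tests will use the IPs defined in the service when connecting.
# This works on local mode where K8S Service controller doesn't exist, and can be used for testing in k8s by a test
# pretending to have this address.
apiVersion: networking.istio.io/v1alpha3
kind: ServiceEntry
metadata:
  name: s1tcp
  namespace: none
spec:
  hosts:
    - s1tcp.none

  ports:
    - number: 2000
      name: tcplocal
      protocol: TCP

  location: MESH_INTERNAL
  resolution: STATIC

  endpoints:
    - address: 10.11.0.1
      ports:
        tcplocal: 7070
      labels:
        app: s1tcp
---
# Another inbound service, http type. Should generate a http listener on :7071
apiVersion: networking.istio.io/v1alpha3
kind: ServiceEntry
metadata:
  name: s1http
  namespace: none
spec:
  hosts:
    - s1http.none

  ports:
    - number: 2001
      name: httplocal
      protocol: HTTP

  location: MESH_INTERNAL
  resolution: STATIC

  endpoints:
    - address: 10.11.0.1
      ports:
        httplocal: 7071

---

# Regular TCP outbound cluster (Default MeshExternal = true, Resolution ClientSideLB)
apiVersion: networking.istio.io/v1alpha3
kind: ServiceEntry
metadata:
  name: s2
  namespace: none
spec:
  hosts:
    - s2.external.test.istio.io

  ports:
    - number: 2005
      name: http-remote  # To verify port name doesn't confuse pilot - protocol is TCP
      protocol: TCP
  resolution: STATIC
  endpoints:
    - address: 10.11.0.2
      ports:
        http-remote: 7071
    - address: 10.11.0.3
      ports:
        http-remote: 7072

---
# Another TCP outbound cluster, resolution DNS (Default MeshExternal = true)
# Not supported, bind=false
apiVersion: networking.istio.io/v1alpha3
kind: ServiceEntry
metadata:
  name: s2dns
  namespace: none
spec:
  hosts:
    - s2dns.external.test.istio.io

  ports:
    - number: 2006
      protocol: TCP
      name: tcp1  # TODO: is it optional ? Why not ?
  resolution: DNS

---
# Outbound TCP cluster, resolution DNS - for a '.svc' (in cluster) service.
# As an optimization, this can be converted to EDS
# The new Sidecar is the recommended way to declare deps to mesh services - however
# DNS resolution is supposed to continue to work.
apiVersion: networking.istio.io/v1alpha3
kind: ServiceEntry
metadata:
  name: tcpmeshdns
  namespace: none
spec:
  hosts:
    - tcpmeshdns.seexamples.svc
  ports:
    - number: 2007
      protocol: TCP
      name: tcp1
  resolution: DNS


---

# Outbound TCP cluster, resolution STATIC - for a '.svc' (in cluster) service.
# This binds on each endpoint address !
apiVersion: networking.istio.io/v1alpha3
kind: ServiceEntry
metadata:
  name: tcpmeshstatic
  namespace: none
spec:
  hosts:
    - tcpmeshstatic.seexamples.svc
  ports:
    - number: 2008
      protocol: TCP
      name: tcp1
  resolution: STATIC
  endpoints:
    - address: 10.11.0.8
      ports:
        tcp1: 7070
---
# Outbound TCP cluster, resolution STATIC - for a '.svc' (in cluster) service.
# This generates EDS
apiVersion: networking.istio.io/v1alpha3
kind: ServiceEntry
metadata:
  name: tcpmeshstaticint
  namespace: none
spec:
  hosts:
    - tcpmeshstaticint.seexamples.svc
  ports:
    - number: 2009
      protocol: TCP
      name: tcp1
  location: MESH_INTERNAL
  resolution: STATIC
  endpoints:
    # NEEDED FOR VALIDATION - LIKELY BUG
    - address: 10.11.0.9
      ports:
        tcp1: 7070
---

# TODO: in progress, should bind to 127.0.0.1
# will resolve using SNI
# DNS or /etc/hosts or code must override the address, but pass proper SNI
apiVersion: networking.istio.io/v1alpha3
kind: ServiceEntry
metadata:
  name: https
  namespace: none
spec:
  hosts:
    # TODO: Bug: without isolation (in the main test) it causes 'duplicated cluster', envoy rejects config
    # This will happen if this is defined in multiple namespaces in 1.0
    - www1.googleapis.com
    - api1.facebook.com
  location: MESH_EXTERNAL
  ports:
    - number: 2443
      name: https
      protocol: TLS
  resolution: DNS
---
# TODO: this should be auto-generated from ServiceEntry/protocol=TLS, it's just boilerplate
# Routes each TLS connection on 2443 by SNI to the matching external host (TLS passthrough, no termination here).
apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
  name: tls-routing
  namespace: none
spec:
  hosts:
    - www1.googleapis.com
    - api1.facebook.com
  tls:
    - match:
        - port: 2443
          sniHosts:
            - www1.googleapis.com
      route:
        - destination:
            host: www1.googleapis.com
    - match:
        - port: 2443
          sniHosts:
            - api1.facebook.com
      route:
        - destination:
            host: api1.facebook.com
---
# DestinationRules attach to services, have no impact on 'none' interception

# VirtualService for HTTP affect routes, no impact on none interception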