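#!/usr/bin/env bash
# Linkerd + cert-manager policy workshop, driven step by step with demo-magic.
# Usage: ./steps.sh (from any directory; the script cds into its own folder).
# Needs on PATH: k3d, kubectl, helm, curl, jq, openssl, base64, bat, linkerd.
# Cluster/booksapp/helm-repo setup runs non-interactively first; every later
# step is typed out with demo-magic's `pe` and paused with its `wait`
# (both come from the sourced demo-magic.sh, not from bash itself).

# Print a diagnostic to stderr and stop: none of the demo steps make sense
# without a working cluster and the helper script.
die() {
  printf 'steps.sh: %s\n' "$*" >&2
  exit 1
}

# demo-magic.sh, bootstrap_ca.yaml and manifests/... are all addressed
# relative to this script, so run from its directory regardless of cwd.
cd "$(dirname "${BASH_SOURCE[0]}")" || die "cannot cd to script directory"
# shellcheck source=demo-magic.sh
source ./demo-magic.sh || die "demo-magic.sh not found next to steps.sh"
clear
## Cluster setup
# A leftover cluster from a previous run is removed; none existing is fine.
k3d cluster delete workshop > /dev/null 2>&1 || true
# Output is hidden to keep the demo screen clean, but a failed create must not
# be ignored: every later kubectl/helm step would silently run against
# whatever context kubectl currently points at.
k3d cluster create workshop > /dev/null 2>&1 || die "k3d cluster create workshop failed"
# Alternative if you need registry config!
# k3d cluster create workshop --registry-config registries.yaml > /dev/null 2>&1
## Load up Booksapp
# curl -sL run.linkerd.io/emojivoto.yml | kubectl apply -f -
# The manifest is fetched over TLS only (--proto '=https' --tlsv1.2 -f) but is
# not otherwise pinned; vendor a copy into the repo if runs must be reproducible.
kubectl create ns booksapp || die "kubectl create ns booksapp failed"
curl --proto '=https' --tlsv1.2 -sSfL https://run.linkerd.io/booksapp.yml \
  | kubectl -n booksapp apply -f - || die "booksapp install failed"
clear
# All installs to be done with helm
## Helm repositories
# `helm repo add` is left unchecked on purpose: some helm versions report an
# error when the repo name already exists, which would break a re-run.
helm repo add linkerd https://helm.linkerd.io/stable
helm repo add jetstack https://charts.jetstack.io
helm repo update || die "helm repo update failed"
clear
## cert-manager install
# Install cert-manager (version pinned so the demo is repeatable)
pe "helm install cert-manager jetstack/cert-manager --namespace cert-manager --create-namespace --set installCRDs=true --version v1.10.0"
wait
clear
# Install trust-manager
pe "helm upgrade --install --namespace cert-manager cert-manager-trust jetstack/cert-manager-trust --wait"
wait
clear
# Create the linkerd namespace ahead of time since we'll create our certs there
pe "kubectl create ns linkerd"
wait
clear
# Create certs for Linkerd
pe "kubectl apply -f bootstrap_ca.yaml"
wait
clear
# Inspect the YAML which defines the certificates
pe "bat -lyaml bootstrap_ca.yaml"
wait
clear
# Inspect root certificate (trust anchor lives in cert-manager's namespace)
pe "kubectl get -n cert-manager secrets linkerd-trust-anchor -ojson | jq '.data.\"tls.crt\"' -r | base64 -d | openssl x509 -noout -text"
wait
clear
# Inspect intermediate certificate (issuer lives in the linkerd namespace)
pe "kubectl get -n linkerd secrets linkerd-identity-issuer -ojson | jq '.data.\"tls.crt\"' -r | base64 -d | openssl x509 -noout -text"
wait
clear
## Linkerd
# Install CRDS
## Note: Namespace is created above
pe "helm install linkerd-crds linkerd/linkerd-crds -n linkerd"
wait
clear
# externalCA=true: the control plane uses the cert-manager issued identity
# certs from above instead of generating its own.
pe "helm install linkerd-control-plane --namespace linkerd --set identity.externalCA=true --set identity.issuer.scheme=kubernetes.io/tls linkerd/linkerd-control-plane"
wait
clear
pe "linkerd check"
wait
clear
pe "helm install linkerd-viz --namespace linkerd-viz --create-namespace linkerd/linkerd-viz"
wait
clear
pe "linkerd check"
wait
clear
## Inject booksapp
pe "kubectl get deploy -n booksapp -o yaml | linkerd inject - | kubectl apply -f -"
wait
clear
## Look around
#Things mostly work
pe "linkerd viz stat deploy -n booksapp"
wait
clear
# No effective policies
# pe "linkerd viz authz -n booksapp deployment"
# wait
# clear
## Harden our ns
### Default deny
### Configure a deny policy for booksapp
pe 'kubectl annotate ns booksapp config.linkerd.io/default-inbound-policy=deny'
wait
clear
pe 'kubectl get pods -n booksapp'
wait
clear
# pe "linkerd viz authz -n booksapp deployment"
# wait
# clear
pe "linkerd viz stat deploy -n booksapp"
wait
clear
# Traffic is still there
## Apps still restart thanks to default exemptions for health checks
# The annotation only applies to pods created after it; restart to pick it up.
pe 'kubectl rollout restart -n booksapp deploy'
wait
clear
# Now traffic is gone
## Alternately watch the traffic
# pe "linkerd viz authz -n booksapp deployment"
# wait
# clear
# pe "linkerd viz stat deploy -n booksapp"
# wait
# clear
### Allow admin traffic
pe "kubectl apply -f manifests/booksapp/admin_server.yaml"
wait
clear
pe "kubectl apply -f manifests/booksapp/allow_viz.yaml"
wait
clear
pe "bat -l yaml manifests/booksapp/admin_server.yaml"
wait
clear
pe "bat -l yaml manifests/booksapp/allow_viz.yaml"
wait
clear
### Allow app traffic
pe "kubectl apply -f manifests/booksapp/authors_server.yaml"
wait
clear
pe "kubectl apply -f manifests/booksapp/books_server.yaml"
wait
clear
pe "kubectl apply -f manifests/booksapp/webapp_server.yaml"
wait
clear
pe "kubectl apply -f manifests/booksapp/allow_namespace.yaml"
wait
clear
pe "bat -l yaml manifests/booksapp/authors_server.yaml"
wait
clear
pe "bat -l yaml manifests/booksapp/allow_namespace.yaml "
wait
clear
### No Traffic app? no ports!
# HTTPRoutes, Locking down who can do what with our books
## switch from watching traffic to watching pods
pe "kubectl apply -f manifests/booksapp/authors_get_route.yaml"
wait
clear
## wait a minute for authors to become unready
## App should become unready
pe 'kubectl apply -f manifests/booksapp/authors_get_policy.yaml'
wait
clear
## Lets fix our busted health checks, no more default routes
pe 'kubectl apply -f manifests/booksapp/authors_probe.yaml'
wait
clear
## wait a minute for authors to become ready
### Check readiness
## Check app
### Looks good
### Can't update books
pe 'kubectl apply -f manifests/booksapp/authors_modify_route.yaml'
wait
clear
pe 'kubectl apply -f manifests/booksapp/authors_modify_policy.yaml'
wait
clear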