dir structure reorg

labs/ISTIO/lab.md

@@ -6,14 +6,21 @@ kubectl create clusterrolebinding cluster-admin-binding \
   --user="$(gcloud config get-value core/account)"
 ```
 
-### Task 2: Install Istio Components and Enable Automatic Sidecar Injection
-Istio is huge. Take a look at the install istio-demo-auth.yaml file. These are the Kubernetes objects that are needed to run Istio (including some extra features) in our cluster. Wow. Such yaml. 
+To interact with Istio, we will use `istioctl` which is bundled as a binary with the Istio install package.
+```
+# In the istio-1.0.0 directory
+export PATH=$PWD/bin:$PATH
+# Ensure the binary is available
+istio version
+```
 
+### Task 2: Install Istio Components and Enable Automatic Sidecar Injection
+Istio is a massive project. Check out the yaml file located at `istio-1.0.0/install/kubernetes/istio-demo-auth.yaml`. Wow. Such yaml. Let's install the components necessary in our cluster:
 ```
 # In the istio-1.0.0 directory 
 kubectl create -f install/kubernetes
 ```
-Each pod in the mesh must be running an Istio compatible sidecar. The sidecar is how all traffic to and from pods in the mesh communicate.
+Each pod in the mesh must be running an Istio compatible sideecar. The sidecar is how all traffic to and from pods in the mesh
 
 Manual injection modifies the controller configuration, e.g. deployment. It does this by modifying the pod template spec such that all pods for that deployment are created with the injected sidecar. Adding/Updating/Removing the sidecar requires modifying the entire deployment.
 
@@ -30,17 +37,32 @@ Since we have automatic injection enabled for the `default` namespace, any deplo
 # In the manifests/api directory
 kubectl create -f .
 ```
-The unshorten service will spin up a load balancer. Ensure the API is accessible by running the following:
+The unshorten service will spin up a load balancer. Ensure the API is accessible. Now that our pod is managed by Istio, we are not going to use the link-unshorten-service IP address as in previous labs. We will use the service provisioned by Istio called `istio-ingressgateway` to grab the routable IP address of the API.
 ```
-kubectl get svc
-# Grab the EXTERNAL-IP from the link-unshorten-service
+kubectl -n istio-system get service istio-ingressgateway
+```
+
+Now, paste the IP address with a shortened link as follows in your browser and you will see that there are some issues. Egress is blocked by default. The API is not able to make outbound connections by default.
 ```
-Now, paste the IP address in your browser and 
-you will see that there are some issues. Egress is blocked by default
 http://35.197.37.188/api/check?url=https://bit.ly/hi
-NOT ALLOWED!
+# NOT ALLOWED or fail to resolve 
+```
+
+### Task 4: Build Egress Rules
+Lets build some rules to explictlly allow outbound egress traffic to only bit.ly. This can be accomplished by using a `ServiceEntry`. Check out the file `link-unshorten-egress.yaml` located in the `istio-rules` directory and create it as follows:
+
+```
+# In the manifests/istio-rules directory
+kubectl create -f .
+```
+
+Once the rules are created, try to visit the API again and you should be able to successfully unshorten links to `bit.ly` domains only. 
+
+### Task 5: Logging and Monitoring with Istio
+
+
+
 
-Lets build some rules to explictlly allow outboud traffic to only bit.ly
 Grafana
 kubectl -n istio-system port-forward $(kubectl -n istio-system get pod -l app=grafana -o jsonpath='{.items[0].metadata.name}') 8080:3000
 

labs/ISTIO/manifests/api/link-unshorten-service.yaml

@@ -3,7 +3,6 @@ kind: Service
 metadata:
  name: link-unshorten-service
 spec:
- type: LoadBalancer
  ports:
    - port: 8080
      targetPort: 8080