istio-livestream
---
# OpenUnison OIDC client ("Trust") used by the browser app. The clientId here
# (my-app) is the value the Istio RequestAuthentication later expects as the
# JWT audience.
apiVersion: openunison.tremolo.io/v1
kind: Trust
metadata:
  name: istio
  namespace: openunison
spec:
  # Token lifetimes/skews are in milliseconds.
  accessTokenSkewMillis: 120000
  accessTokenTimeToLive: 120000
  authChainName: login-service
  clientId: my-app
  codeLastMileKeyName: lastmile-oidc
  codeTokenSkewMilis: 60000
  # NOTE(review): publicEndpoint appears to mark this as a public client (no
  # client secret) — confirm against the OpenUnison Trust docs. If so, the
  # redirect-URI verification below is the main protection for the
  # authorization code, so keep the list tight.
  publicEndpoint: true
  redirectURI:
    # Plain-HTTP localhost entry is for local development only; drop it from
    # a production Trust.
    - http://localhost:3001
    - https://app.74.220.18.48.nip.io
  signedUserInfo: false
  verifyRedirect: true
---
# TLS certificate for the app hostname. It is created in istio-system so the
# ingress gateway can read the resulting Secret, which app-gateway references
# as credentialName.
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: app-tls-certificate
  namespace: istio-system
spec:
  secretName: app-tls-certificate
  dnsNames:
    - app.74.220.18.48.nip.io
  issuerRef:
    name: enterprise-ca
    # We can reference ClusterIssuers by changing the kind here.
    # The default value is Issuer (i.e. a locally namespaced Issuer)
    kind: ClusterIssuer
    group: cert-manager.io
---
# Namespace for the browser app; the label enables automatic sidecar injection.
apiVersion: v1
kind: Namespace
metadata:
  name: istio-app
  labels:
    istio-injection: enabled
---
# The browser-facing app (nginx serving static content, judging by the
# /nginx-health probe). Listens on 8080 per the probes and the Service below.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: app
  namespace: istio-app
  labels:
    app: app
spec:
  replicas: 1
  selector:
    matchLabels:
      app: "app"
  strategy: {}
  template:
    metadata:
      creationTimestamp: null
      labels:
        app: app
    spec:
      containers:
        - name: ouhtml
          # NOTE(review): "prod" is a mutable tag and imagePullPolicy: Always
          # re-resolves it on every start, so rollouts are not reproducible;
          # pinning by digest would fix that.
          image: docker.io/mlbiam/istio-oidc-app:prod
          imagePullPolicy: Always
          livenessProbe:
            failureThreshold: 3
            httpGet:
              path: /nginx-health
              port: 8080
              scheme: HTTP
            initialDelaySeconds: 3
            periodSeconds: 10
            successThreshold: 1
            timeoutSeconds: 1
          readinessProbe:
            failureThreshold: 3
            httpGet:
              path: /nginx-health
              port: 8080
              scheme: HTTP
            initialDelaySeconds: 3
            periodSeconds: 10
            successThreshold: 1
            timeoutSeconds: 1
          # No requests/limits: the pod runs with BestEffort QoS.
          resources: {}
          securityContext:
            allowPrivilegeEscalation: false
            capabilities:
              # NOTE(review): the container is probed on 8080, so
              # NET_BIND_SERVICE is only needed if nginx also binds a port
              # below 1024 — confirm and drop it otherwise.
              add:
                - NET_BIND_SERVICE
              drop:
                - ALL
            runAsNonRoot: true
            runAsUser: 431
            runAsGroup: 433
---
# ClusterIP Service in front of the app pods; the VirtualService routes
# gateway traffic here on port 80, which maps to the container's 8080.
apiVersion: v1
kind: Service
metadata:
  name: app-service
  namespace: istio-app
  creationTimestamp: null
  labels:
    app: app
spec:
  selector:
    app: app
  ports:
    - name: http-service
      protocol: TCP
      port: 80
      targetPort: 8080
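---
# Ingress for the app hostname on the shared istio-ingressgateway. Port 80
# only redirects to HTTPS; TLS terminates on 443 using the cert-manager
# Secret app-tls-certificate (which must live in the gateway's namespace,
# istio-system). apiVersion raised to v1beta1 to match the VirtualServices
# in this file.
apiVersion: networking.istio.io/v1beta1
kind: Gateway
metadata:
  name: app-gateway
  namespace: istio-app
  labels:
    app: app
spec:
  servers:
    - hosts:
        - app.74.220.18.48.nip.io
      port:
        name: http
        number: 80
        protocol: HTTP
      tls:
        httpsRedirect: true
    - hosts:
        - app.74.220.18.48.nip.io
      port:
        name: https-443
        number: 443
        protocol: HTTPS
      tls:
        credentialName: app-tls-certificate
        mode: SIMPLE
        # Reject TLS 1.0/1.1 handshakes instead of relying on the TLS_AUTO
        # default.
        minProtocolVersion: TLSV1_2
  selector:
    istio: ingressgateway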
---
# Routes the app hostname from app-gateway to app-service on port 80.
apiVersion: networking.istio.io/v1beta1
kind: VirtualService
metadata:
  name: app-vs
  namespace: istio-app
  labels:
    # NOTE(review): the rest of the app objects use app: app. Nothing in this
    # file selects on a VirtualService label, so this only affects grep/diff
    # consistency.
    app: run-app
spec:
  hosts:
    - app.74.220.18.48.nip.io
  gateways:
    - app-gateway
  http:
    - route:
        - destination:
            host: app-service
            port:
              number: 80
---
# Validates JWTs from the OpenUnison IdP on the run-service workload.
# RequestAuthentication rejects requests whose token is invalid but lets
# requests with *no* token through; requiring a token is the job of the
# AuthorizationPolicy (requestPrincipals) that follows.
apiVersion: security.istio.io/v1
kind: RequestAuthentication
metadata:
  name: hello-world-auth
  namespace: istio-hello-world
spec:
  selector:
    matchLabels:
      app: run-service
  jwtRules:
    - issuer: https://k8sou.74.220.18.48.nip.io/auth/idp/k8sIdp
      # Signing key is pinned inline, so an IdP key rotation requires
      # re-applying this resource. The commented jwksUri is the dynamic
      # alternative; presumably it is disabled here because the sidecar
      # cannot reach/trust that endpoint — verify before switching.
      jwks: '{"keys":[{"kty":"RSA","kid":"C=MyCountry, ST=, L=My Cluster, O=MyOrg, OU=Kubernetes, CN=unison-saml2-rp-sig-C=MyCountry, ST=, L=My Cluster, O=MyOrg, OU=Kubernetes, CN=unison-saml2-rp-sig-1705421642166","use":"sig","alg":"RS256","n":"wSM8RzlixXy-t0Byf-ECHJtWTqfVTGBGwhdWshqDY8PLm_HRVonawtmg9AgaJ8mQTtjb3ri3Y3mi5TJMpFGvVCwJtzuUvBYYm4O63jTuGkg3MbMFMMeIngivq2uIIYwLoxnCtSFtqKSpr4H1bbD1RNVg4gnK5dZVrLwNHHvRV_axB27rL4xaDsAYbLon5JawX8N_IQ5MEzpP467hJiD-jqRMQdb9e6t-mTJ6VL_qJL1CSaByUXVNyce5C8NGQcCCx_bnKvXhX73qWZF6DxDH-aQJuaTkEdiwP07O7NgJORB3KfiVFrRQMSy5CBlX2DgFWypnPesF2dEsUsk_VLVhuw","e":"AQAB"}]}'
      #jwksUri: https://k8sou.74.220.18.48.nip.io/auth/idp/k8sIdp/certs
      # Must equal the clientId of the OpenUnison Trust (my-app).
      audiences:
        - my-app
      # The verified JWT payload (base64 JSON) is handed to the workload in
      # this header; service.py reads it in /who-am-i.
      outputPayloadToHeader: User-Info
---
# Allows any request carrying a JWT that the RequestAuthentication validated
# (requestPrincipals "*" matches every authenticated principal).
# NOTE(review): Istio ORs ALLOW policies on the same workload. While this
# policy exists, the sys-admins group check in service-level-az is not
# enforced — any authenticated user gets through. Remove this policy, or
# fold the group condition into it, to actually require the group.
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: simple-hellow-world
  namespace: istio-hello-world
spec:
  action: ALLOW
  selector:
    matchLabels:
      app: run-service
  rules:
    - from:
        - source:
            requestPrincipals: ["*"]
---
# Allows requests whose validated JWT carries "sys-admins" in its groups
# claim. Claims are only populated from a token the RequestAuthentication
# verified, so this implicitly requires authentication as well.
# NOTE(review): because ALLOW policies are ORed per workload, this restriction
# is only effective once simple-hellow-world (which allows every
# authenticated principal) is removed.
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: service-level-az
  namespace: istio-hello-world
spec:
  action: ALLOW
  selector:
    matchLabels:
      app: run-service
  rules:
    - when:
        - key: request.auth.claims[groups]
          values: ["sys-admins"]
---
# Namespace for the demo service; the label enables automatic sidecar
# injection, which the RequestAuthentication/AuthorizationPolicy rely on.
apiVersion: v1
kind: Namespace
metadata:
  name: istio-hello-world
  labels:
    istio-injection: enabled
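---
# Source for the demo Flask service, mounted at /src by the run-service
# Deployment. startup.sh installs an unpinned Flask from PyPI on every pod
# start, so the pod needs egress to PyPI and builds are not reproducible.
# Fixes over the original: the Flask debugger (debug=True, which exposes the
# interactive Werkzeug console on errors) is off, and /who-am-i returns 401
# instead of a 500 when the User-Info header is missing.
apiVersion: v1
kind: ConfigMap
metadata:
  name: service-source
  namespace: istio-hello-world
  labels:
    app: service
data:
  requirements.txt: |-
    flask
  startup.sh: |-
    #!/bin/bash
    pip3 install -r /src/requirements.txt
    echo "Starting python service..."
    python3 /src/service.py
  service.py: |-
    from flask import Flask
    from flask import request
    import os
    import socket
    import json
    import base64

    app = Flask(__name__)


    @app.route('/headers')
    def return_headers():
        # Debug endpoint: echoes every request header back to the caller.
        return json.dumps({"headers":str(request.headers)})


    @app.route('/who-am-i')
    def who_am_i():
        # User-Info is set by the Istio RequestAuthentication
        # (outputPayloadToHeader) from the validated JWT payload. It is only
        # trustworthy because the sidecar sets it after verifying the token
        # and the AuthorizationPolicy requires a token -- confirm that the
        # sidecar replaces any client-supplied copy of the header.
        user_info = request.headers.get("User-Info")
        if not user_info:
            return json.dumps({"error": "no User-Info header"}), 401
        user_info_json = base64.b64decode(user_info).decode("utf8")
        user_info_obj = json.loads(user_info_json)
        ret_val = {
            "name": user_info_obj["sub"],
            "groups": user_info_obj.get("groups", [])
        }
        return json.dumps(ret_val)


    @app.route('/')
    def hello():
        retVal = {
            "msg":"hello world!",
            "host":"%s" % socket.gethostname()
        }
        return json.dumps(retVal)


    @app.route("/health-check")
    def health_check():
        ret_val = {
            "status":"I'm not dead yet!"
        }
        return json.dumps(ret_val)


    if __name__ == "__main__":
        # debug must stay False: Flask's debug mode enables the Werkzeug
        # debugger, which offers code execution to anyone who triggers an
        # exception, and the auto-reloader double-starts the process.
        app.run(host="0.0.0.0", port=8080, debug=False)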
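---
# Runs the Flask demo service from the service-source ConfigMap. Changed from
# the original: the ConfigMap volume mode is 0555 instead of 0777 — the
# scripts need read+execute, and a ConfigMap volume is read-only anyway, so
# world-writable bits only widen the mode for no benefit.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: run-service
  namespace: istio-hello-world
  labels:
    app: run-service
spec:
  replicas: 1
  selector:
    matchLabels:
      app: run-service
  strategy: {}
  template:
    metadata:
      creationTimestamp: null
      labels:
        app: run-service
    spec:
      containers:
        - name: python
          # NOTE(review): "buster" is a mutable tag on a Debian release that
          # is at/near end of life; no securityContext is set, so the
          # container presumably runs as root (the image default) — pin the
          # image and add runAsNonRoot/resources for anything beyond a demo.
          image: python:buster
          command:
            - bash
            - -c
            - /src/startup.sh
          volumeMounts:
            - name: sources
              mountPath: /src
          livenessProbe:
            httpGet:
              path: /health-check
              port: 8080
          readinessProbe:
            httpGet:
              path: /health-check
              port: 8080
      volumes:
        - name: sources
          configMap:
            name: service-source
            # Left unquoted on purpose: the Kubernetes YAML parser reads a
            # leading-zero literal as octal (0555 = r-x for all), and the
            # field is an integer, so "0555" as a string would be rejected.
            defaultMode: 0555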
---
# ClusterIP Service for the demo pods; the VirtualService targets port 80,
# which maps to Flask on 8080.
apiVersion: v1
kind: Service
metadata:
  name: run-service
  namespace: istio-hello-world
  creationTimestamp: null
  labels:
    app: run-service
spec:
  selector:
    app: run-service
  ports:
    - name: http-service
      protocol: TCP
      port: 80
      targetPort: 8080
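---
# Ingress for the service hostname on the shared istio-ingressgateway. Port
# 80 only redirects to HTTPS; TLS terminates on 443 using the cert-manager
# Secret service-tls-certificate (in the gateway's namespace, istio-system).
# apiVersion raised to v1beta1 to match the VirtualServices in this file.
apiVersion: networking.istio.io/v1beta1
kind: Gateway
metadata:
  name: service-gateway
  namespace: istio-hello-world
  labels:
    app: run-service
spec:
  servers:
    - hosts:
        - service.74.220.18.48.nip.io
      port:
        name: http
        number: 80
        protocol: HTTP
      tls:
        httpsRedirect: true
    - hosts:
        - service.74.220.18.48.nip.io
      port:
        name: https-443
        number: 443
        protocol: HTTPS
      tls:
        credentialName: service-tls-certificate
        mode: SIMPLE
        # Reject TLS 1.0/1.1 handshakes instead of relying on the TLS_AUTO
        # default.
        minProtocolVersion: TLSV1_2
  selector:
    istio: ingressgateway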
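---
# Routes the service hostname from service-gateway to run-service and lets
# the browser app (served from the app hostname) call it cross-origin with a
# bearer token. Changed from the original: the CORS origin is matched with
# `exact` rather than `prefix`, because a prefix match on the Origin header
# also accepts any origin that merely starts with that string.
apiVersion: networking.istio.io/v1beta1
kind: VirtualService
metadata:
  name: service-vs
  namespace: istio-hello-world
  labels:
    app: run-service
spec:
  hosts:
    - service.74.220.18.48.nip.io
  gateways:
    - service-gateway
  http:
    - route:
        - destination:
            host: run-service
            port:
              number: 80
      corsPolicy:
        allowOrigins:
          - exact: https://app.74.220.18.48.nip.io
        allowMethods:
          - GET
          - OPTIONS
        # Required so the preflight permits the Authorization header the app
        # sends with its JWT.
        allowHeaders:
          - Authorization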
---
# TLS certificate for the service hostname, created in istio-system so the
# ingress gateway can read the Secret that service-gateway names as
# credentialName.
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: service-cert
  namespace: istio-system
spec:
  secretName: service-tls-certificate
  dnsNames:
    - service.74.220.18.48.nip.io
  issuerRef:
    name: enterprise-ca
    # We can reference ClusterIssuers by changing the kind here.
    # The default value is Issuer (i.e. a locally namespaced Issuer)
    kind: ClusterIssuer
    group: cert-manager.io