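---
# Jinja2 template (rendered before YAML parsing) that emits a single
# Kubernetes List with the Istio routing objects for a scale test.
#
# Template inputs used below:
#   num_apps        - how many app-<n> services to generate objects for
#   namespace       - namespace every object is created in
#   wildcard_domain - DNS suffix of the externally reachable app hosts
#   policy_version  - optional; "old" selects the authentication.istio.io
#                     Policy objects, anything else selects PeerAuthentication
#
# Templated scalars are quoted where a bare expansion could be mis-typed by
# the YAML parser (an empty namespace would otherwise become null).
apiVersion: v1
kind: List
items:
{% for index in range(1, (num_apps | int) + 1) %}
  # This virtual service requires any request to have x-variant set to either
  # 'stable', 'canary' or 'mirror' (otherwise the request returns 404).
  # Routing is selected purely by that request header, so any caller can reach
  # the canary subset or trigger mirroring; nothing in this file restricts who
  # may set the header.
  - apiVersion: networking.istio.io/v1alpha3
    kind: VirtualService
    metadata:
      labels:
        app: scale-test
      name: variant-{{ index }}
      namespace: "{{ namespace }}"
    spec:
      hosts:
        - app-{{ index }}.{{ wildcard_domain }}  # for external routing
        - app-{{ index }}  # for internal routing within NAMESPACE
      gateways:
        - app-gateway  # for external routing
        - mesh  # for internal routing
      http:
        - match:
            - headers:
                x-variant:
                  exact: stable
          route:
            - destination:
                host: app-{{ index }}
                port:
                  number: 8080
                subset: stable
        - match:
            - headers:
                x-variant:
                  exact: canary
          route:
            - destination:
                host: app-{{ index }}
                port:
                  number: 8080
                subset: canary
        # 'mirror': the request is served by the stable subset and a copy of it
        # is also sent to the canary subset.
        - match:
            - headers:
                x-variant:
                  exact: mirror
          route:
            - destination:
                host: app-{{ index }}
                port:
                  number: 8080
                subset: stable
          mirror:
            host: app-{{ index }}
            port:
              number: 8080
            subset: canary
  - apiVersion: networking.istio.io/v1alpha3
    kind: DestinationRule
    metadata:
      name: variant-{{ index }}
      namespace: "{{ namespace }}"
      labels:
        app: scale-test
    spec:
      host: app-{{ index }}.{{ namespace }}.svc.cluster.local
      trafficPolicy:
        loadBalancer:
          simple: RANDOM
        portLevelSettings:
          - port:
              number: 8080
            tls:
              mode: ISTIO_MUTUAL
            connectionPool:
              http:
                http1MaxPendingRequests: 10000
                http2MaxRequests: 10000
              tcp:
                maxConnections: 10000
          # Port 5432 (the DB port) deliberately has client-side TLS disabled.
          # This must stay in step with the port-5432 exception in the peer
          # policy at the end of this file, otherwise DB traffic is rejected.
          - port:
              number: 5432
            tls:
              mode: DISABLE
            connectionPool:
              http:
                http1MaxPendingRequests: 10000
                http2MaxRequests: 10000
              tcp:
                maxConnections: 10000
      subsets:
        - name: stable
          labels:
            app.variant: stable
        - name: canary
          labels:
            app.variant: canary
{% endfor %}
  - apiVersion: networking.istio.io/v1alpha3
    kind: Gateway
    metadata:
      name: app-gateway
      namespace: "{{ namespace }}"
      labels:
        app: scale-test
    spec:
      selector:
        istio: ingressgateway  # use Istio default gateway implementation
      servers:
        - hosts:
            # Catch-all route not allowed in Maistra
            # Wildcard routes not possible in OCP 4.1
{% for index in range(1, (num_apps | int) + 1) %}
            - "app-{{ index }}.{{ wildcard_domain }}"
{% endfor %}
          port:
            name: https
            number: 443
            protocol: HTTPS
          tls:
            mode: SIMPLE
            # These keys are mounted from the secret istio-system/istio-ingressgateway-certs
            privateKey: /etc/istio/ingressgateway-certs/tls.key
            serverCertificate: /etc/istio/ingressgateway-certs/tls.crt
        # Redirect non-encrypted traffic to port 443
        - hosts:
            # Wildcard routes not possible in OCP 4.1
{% for index in range(1, (num_apps | int) + 1) %}
            - "app-{{ index }}.{{ wildcard_domain }}"
{% endfor %}
          port:
            name: http
            number: 80
            protocol: HTTP
          tls:
            httpsRedirect: true
{% if policy_version is defined and policy_version == "old" %}
  # Global policy requiring communication to be TLS-encrypted
  - apiVersion: authentication.istio.io/v1alpha1
    kind: Policy
    metadata:
      name: default
      namespace: "{{ namespace }}"
      labels:
        app: scale-test
    spec:
      peers:
        - mtls: {}
  # Exception for the policy above on the DB port: no peer authentication is
  # required on 5432, matching the TLS DISABLE in the DestinationRule above.
  - apiVersion: authentication.istio.io/v1alpha1
    kind: Policy
    metadata:
      name: app-db
      namespace: "{{ namespace }}"
      labels:
        app: scale-test
    spec:
      peers: []
      targets:
{% for index in range(1, (num_apps | int) + 1) %}
        - name: app-{{ index }}
          ports:
            - number: 5432
{% endfor %}
{% else %}
  # Namespace-wide policy requiring communication to be mTLS-encrypted
  - apiVersion: security.istio.io/v1beta1
    kind: PeerAuthentication
    metadata:
      name: default
      namespace: "{{ namespace }}"
    spec:
      mtls:
        mode: STRICT
  # Port-level mTLS is not allowed on mesh-level policy, so the DB-port
  # exception is expressed on a workload-selected policy instead.
  - apiVersion: security.istio.io/v1beta1
    kind: PeerAuthentication
    metadata:
      name: app-db
      namespace: "{{ namespace }}"
    spec:
      selector:
        matchLabels:
          app: scale-test
      mtls:
        mode: STRICT
      portLevelMtls:
        # Quoted so the port is always a string key after YAML->JSON conversion.
        "5432":
          mode: DISABLE
{% endif %}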