Posts

Showing posts from October, 2025

istio using kubernetes gateway api (httproute/gateway) to host multiple hosts applications

In this example, we are going to set up Istio to use the Kubernetes Gateway API to host multiple hosts. In this setup we have a single localhost entry point and can serve servera.example.com, serverb.example.com and many more. First we have to get Istio installed and install the Kubernetes Gateway API CRDs.

Setup istio:

    istioctl install -f samples/bookinfo/demo-profile-no-gateways.yaml -y

Install the Kubernetes Gateway API CRDs:

    kubectl kustomize "github.com/kubernetes-sigs/gateway-api/config/crd?ref=v1.3.0" | kubectl apply -f -

Let's deploy our application A and application B. Application A uses port 8080 and uses httpbin as the app image.

    apiVersion: v1
    kind: Namespace
    metadata:
      name: tenant-a
      labels:
        tenant: tenant-a
    ---
    apiVersion: v1
    kind: Service
    metadata:
      name: servera-service
      namespace: tenant-a
    spec:
      selector:
        app: servera
      ports:
      - port: 8080
        targetPort: 8080
    ---
    apiVersion...

istio gateway api traffic shifting example - how we can shift traffic based on weight

Let's set up the Bookinfo application by running:

    kubectl apply -f samples/bookinfo/platform/kube/bookinfo.yaml

And then set up the gateway and the default HTTP route below:-

    apiVersion: gateway.networking.k8s.io/v1
    kind: Gateway
    metadata:
      name: bookinfo-gateway
    spec:
      gatewayClassName: istio
      listeners:
      - name: http
        port: 80
        protocol: HTTP
        allowedRoutes:
          namespaces:
            from: Same
    ---
    apiVersion: gateway.networking.k8s.io/v1
    kind: HTTPRoute
    metadata:
      name: bookinfo
    spec:
      parentRefs:
      - name: bookinfo-gateway
      rules:
      - matches:
        - path:
            type: Exact
            value: /productpage
        - path:
            type: PathPrefix
            value: /static
        - path:
            type: Exact ...

istio route traffic by weight/percentage - how do you configure that?

We can easily configure traffic weight in a VirtualService. Here is an example of how we can do that:

    apiVersion: networking.istio.io/v1beta1
    kind: VirtualService
    metadata:
      name: reviews
    spec:
      hosts:
      - reviews
      http:
      - route:
        - destination:
            host: reviews
            subset: v1
            port:
              number: 9080
          weight: 50
        - destination:
            host: reviews
            subset: v2
            port:
              number: 9080
          weight: 50
    ---
    apiVersion: networking.istio.io/v1beta1
    kind: DestinationRule
    metadata:
      name: reviews-destination
    spec:
      host: reviews
      trafficPolicy:
        loadBalancer:
          simple: ROUND_ROBIN # <-- This enables round-robin, ot...

istio virtual host and destination rule basics

In Istio we need a VirtualService and a DestinationRule to route our traffic to the right service. What is the bare minimum correct configuration needed to do this?

1. VirtualService.spec.hosts must match DestinationRule.spec.host exactly: for example, if the virtual service lists the host "server-a.example.com", then the destination rule host must also be "server-a.example.com".
2. Subsets, if used, must be defined in the destination rule and referenced by the same name in the virtual service.

A minimal configuration would look like this:-

    apiVersion: networking.istio.io/v1beta1
    kind: DestinationRule
    metadata:
      name: reviews-destination
    spec:
      host: reviews   # MUST match VirtualService hosts
      subsets:
        - name: v1
          labels:
            version: v1
    ---
    apiVersion: networking.istio.io/v1beta1
    kind: VirtualService
    metadata:
      name: reviews
    spec:
      gateways:
        - shar...

istio with k8s gateway api configure to use cluster ip instead of a load balancer ip

We can easily annotate a Gateway to use a cluster IP instead of getting a load balancer IP. Run the following command:

    kubectl annotate gateway bookinfo-gateway networking.istio.io/service-type=ClusterIP --namespace=default

To get your load balancer IP back, remove this annotation (the trailing "-" removes it):

    kubectl annotate gateway bookinfo-gateway networking.istio.io/service-type- --namespace=default

docker - setting up in wsl

The purpose of this is to make docker available in a WSL prompt such as Ubuntu 24.04. Sometimes it can be time consuming to install another copy of docker. Here we can simply make docker available to WSL by enabling certain configuration.

To get started, go to General and check the "Use the WSL" option. If it is already checked, proceed to the next step.

Then go to Resources and, depending on which WSL distributions you have, switch docker on for that distribution. For example, I have Ubuntu and Ubuntu 24.04. Here I enable docker for Ubuntu 24.04.

You should be able to click "Apply and restart". If you can't, try restarting docker and go through the steps above again.

Once you have successfully configured it, go to your WSL command prompt and run "docker".

cabundle - how to work with it

caBundle is the base64-encoded CA certificate that Kubernetes uses to trust the TLS certificate presented by your webhook server. To see how it is generated, start with a self-signed certificate:

    openssl req -x509 -newkey rsa:4096 -keyout server.key -out server.crt -days 365 -nodes -subj "/CN=mutating-webhook.default.svc"

Because this certificate is self-signed, server.crt is both the serving certificate and the CA that Kubernetes needs to trust. To get the base64-encoded value, run the following command:-

    cat server.crt | base64 -w 0

building istio

You can build Istio on WSL, and it requires golang and docker. Refer to the docker WSL post above to set up docker for WSL.

To build Istio, you have to configure the following:

    # This defines the docker hub to use when running integration tests and building docker images
    # eg: HUB="docker.io/istio", HUB="gcr.io/istio-testing"
    export HUB="docker.io/$USER"
    # This defines the docker tag to use when running integration tests and
    # building docker images to be your user id. You may also set this variable
    # this to any other legitimate docker tag.
    export TAG=$USER
    # This defines a shortcut to change directories to $HOME/istio.io
    export ISTIO=$GOPATH/src/istio.io/istio

Setting GOPATH doesn't really matter, but in the spirit of the docs, GOPATH normally would be the $HOME/go folder. For example, mine would be /home/nzai/go. This also configures the variable ISTIO; for me, that would have the following value: /home/nzai/go/src/istio.io/istio

Next, you need to make the necessary directori...

python list comprehension

Python list comprehension is pretty useful at times to make code easier to read. There are typically two patterns for using list comprehension.

Pattern 1 (filtering)

    [expression for item in iterable if condition]

Example:

    nums = [1, 2, 3, 4, 5]
    evens = [n for n in nums if n % 2 == 0]
    print(evens)   # [2, 4]

A filtering construct:

    # filtering
    [x for x in items if x > 0]

filter → include only x > 0

In filtering we can chain multiple conditions:

    nums = range(10)
    filtered = [n for n in nums if n % 2 == 0 if n > 3]
    print(filtered)   # [4, 6, 8]

Pattern 2 (transform)

    [expression_if_true if condition else expression_if_false for item in iterable]

    nums = [1, 2, 3, 4]
    labels = ["even" if n % 2 == 0 else "odd" for n in nums]
    print(labels)   # ['odd', 'even', 'odd', 'even']

A transformation construct:

    [x if x > 0 else 0 for x in items]

transform → replace ne...

ansible first playbook

We can use an Ansible playbook to help us automate many common tasks. In this example, we are going to make use of the inventory.ini file we configured earlier. In our first playbook, we're just going to install the Apache web server on the target machine, so we're using the following playbook:-

    ---
    - hosts: all
      become: true
      tasks:
        # https://docs.ansible.com/ansible/latest/collections/ansible/builtin/apt_module.html
        - name: Install apache httpd
          ansible.builtin.apt:
            name: apache2
            state: present
            update_cache: yes
        # https://docs.ansible.com/ansible/latest/collections/ansible/builtin/copy_module.html#examples
        # - name: Copy file with owner and permissions
        #   ansible.builtin.copy:
        #     src: index.html
        #     dest: /var/ww...

ansible - setting up inventory.ini

To set up Ansible to manage your server, we can use inventory.ini. This is an example of what my inventory looks like. In the configuration file, I have placed my server into a group called "app". At the bottom you can see that we set the user and where Ansible can find our SSH key pair.

    # inventory file: hosts
    [app]
    34.129.197.131
    [all:vars]
    ansible_user=jeremy
    ansible_ssh_private_key_file=~/.ssh/my-gcp-key

Once we have our inventory set up, we can simply run it:

    ansible -i inventory.ini -m ping app

We have successfully executed an ad hoc Ansible command. You can also try running a shell ad hoc command:

    ansible -i inventory.ini -m shell -a "echo hello" app

If you run into an issue where you are not able to connect (maybe after a server reboot), this could be due to SSH host key fingerprinting. Try to debug by SSHing into your VM and see if it prompts you for a password:

    ssh -i ~/.ssh/my-gcp-key jeremy@34.129.28.4

google compute how to use a custom ssh key to connect to your vm

First you must create your SSH key pair if you haven't got one. In Google Compute, key pairs are not automatically generated. So create your SSH key pair using the following command:

    ssh-keygen -t rsa -f ~/.ssh/my-gcp-key -C "jeremy"

When setting up your VM, go to "Security and Access" and look for "SSH key". Your key should be in this format (the extra spaces are only there to illustrate the three parts):

    PROTOCOL                SSH-KEY-PAIR                  USER

The actual value that gets placed in the textbox is this:

    ssh-rsa  AAAAB3NzaC1yc2EAAAADAQABAAABgQDVjrBwWKsrGOYluzjMccPgYs5w39GMCY3PtJ/DwW84tudELlUcOWpVLS8Fy+HE= jeremy

Once your instance has been created, to log in, fire up your bash shell and run the following command:

    ssh -i ~/.ssh/my-gcp-key jeremy@your-public-ip-vm

And you should see something like this:-

ansible list of adhoc commands

This is an easy-to-reach link to the Ansible ad hoc commands (builtin modules) docs: https://docs.ansible.com/ansible/latest/collections/ansible/builtin/index.html

gke multi cluster load balancing using kubernetes gateway API

Initial setup stage

GKE supports Kubernetes Gateway API load balancing and routing of network traffic to two or more clusters. Kubernetes Gateway API here refers to the HTTPRoute and Gateway native objects. This means traffic from a client is directed to a single public IP, and from there it gets routed to one or more GKE clusters.

    export PROJECT_ID=your-project-id
    export VERSION=1.32
    export PROJECT_NUMBER=your-project-number

Create two GKE clusters by running the following commands. First the west cluster:

    gcloud container clusters create gke-west-1 \
        --gateway-api=standard \
        --location=us-west1-a \
        --workload-pool=$PROJECT_ID.svc.id.goog \
        --cluster-version=$VERSION \
        --enable-fleet \
        --project=$PROJECT_ID

Create the east cluster:

    gcloud container clusters create gke-east-1 \
        --gateway-api=standard \
        --location=us-east1-b \
        --workload-pool=$PROJECT_ID.svc.id.goog \
        --clust...