artificialwisdomai · sdake · Aug 22, 2024
@@ -0,0 +1,10 @@
+apiVersion: telemetry.istio.io/v1
+kind: Telemetry
+metadata:
+  name: mesh-default
+  namespace: istio-system
+spec:
+  accessLogging:
+    - providers:
+      - name: envoy
+
@@ -0,0 +1,37 @@
+###
+#
+# I couldn't get this to work. The jist was to forward servicees that arrive on ingress-gateway
+# to the eastwest-gateway. Just storing in git for now as a reference for later.
+
+apiVersion: networking.istio.io/v1
+kind: Gateway
+metadata:
+  name: eastwest-gateway
+spec:
+  selector:
+    istio: eastwest-gateway
+  servers:
+  - port:
+      number: 8080
+      name: http
+      protocol: HTTP
+    hosts:
+    - "*"
+---
+apiVersion: networking.istio.io/v1
+kind: VirtualService
+metadata:
+  name: forward-to-eastwest
+spec:
+  hosts:
+  - "*"
+  gateways:
+  - ingress-gateway
+  http:
+  - match:
+    - port: 8080
+    route:
+    - destination:
+        host: eastwest-gateway
+        port:
+          number: 8080
@@ -0,0 +1,59 @@
+###
+#
+# Provides a gateway to connect to istiod.istio-system from virtual machines.
+# Direct from the samples directory in istio.
+
+apiVersion: networking.istio.io/v1alpha3
+kind: Gateway
+metadata:
+  name: istiod-gateway
+spec:
+  selector:
+    istio: eastwestgateway
+  servers:
+    - port:
+        name: tls-istiod
+        number: 15012
+        protocol: tls
+      tls:
+        mode: PASSTHROUGH        
+      hosts:
+        - "*"
+    - port:
+        name: tls-istiodwebhook
+        number: 15017
+        protocol: tls
+      tls:
+        mode: PASSTHROUGH          
+      hosts:
+        - "*"
+---
+apiVersion: networking.istio.io/v1alpha3
+kind: VirtualService
+metadata:
+  name: istiod-vs
+spec:
+  hosts:
+  - "*"
+  gateways:
+  - istiod-gateway
+  tls:
+  - match:
+    - port: 15012
+      sniHosts:
+      - "*"
+    route:
+    - destination:
+        host: istiod.istio-system.svc.cluster.local
+        port:
+          number: 15012
+  - match:
+    - port: 15017
+      sniHosts:
+      - "*"
+    route:
+    - destination:
+        host: istiod.istio-system.svc.cluster.local
+        port:
+          number: 443
+
@@ -0,0 +1,20 @@
+###
+#
+# Unclear what this does.
+
+apiVersion: networking.istio.io/v1alpha3
+kind: Gateway
+metadata:
+  name: cross-network-gateway
+spec:
+  selector:
+    istio: eastwestgateway
+  servers:
+    - port:
+        number: 15443
+        name: tls
+        protocol: TLS
+      tls:
+        mode: AUTO_PASSTHROUGH
+      hosts:
+        - "*.local"
@@ -0,0 +1,28 @@
+###
+#
+# This was tested with Istio 1.22.3
+# 
+# curl -LO https://github.com/istio/istio/releases/download/1.17.1/istio-1.22.3-linux-amd64.tar.gz
+
+
+###
+#
+# ambient mode does not work with virtual machines
+# ambient mode appears to require ztunnel
+# to enable ambient mode, use `--set profile=ambient` with `istio-cni` and `istiod`. Add ztunnel.
+# helm template ztunnel istio/ztunnel --namespace istio-system > istio-ztunnel.yaml
+
+
+###
+#
+# Helm is currently recommended upstream.
+# use `helm template` to create a record of manifests.
+
+#helm repo add istio https://istio-release.storage.googleapis.com/charts
+#helm repo update
+#helm template istio-cni istio/cni --namespace istio-system > istio-cni.yaml
+
+helm template istio-base istio/base --namespace istio-system --include-crds --values values-base.yaml > istio-base.yaml
+helm template istiod istio/istiod --namespace istio-system --values values-istiod-multi.yaml > istio-istiod-multi.yaml
+helm template istio-ingress istio/gateway --namespace istio-ingress --values values-gateway-multi.yaml > istio-gateway-multi.yaml
+helm template istio-ingress istio/gateway --namespace istio-ingress --values values-gateway-eastwest-multi.yaml > istio-gateway-eastwest-multi.yaml
@@ -0,0 +1,28 @@
+###
+#
+# Make sure the service istio-eastwestgateway has an assigned external ip.
+# Multi-network, automatic workloadentry creation:
+# https://istio.io/latest/docs/setup/install/virtual-machine/
+
+###
+#
+# This creates files to install on the virtual machine.
+
+mkdir -p "$(pwd)/vm-files"
+ingress_ip=$(kubectl get svc istio-eastwestgateway -n istio-ingress -o jsonpath='{.status.loadBalancer.ingress[0].ip}')
+istioctl x workload entry configure -f workloadgroup.yaml -o "$(pwd)/vm-files" --clusterID "cluster1" --ingressIP "${ingress_ip}"
+
+###
+#
+# This needs to be run on the virtual machine.
+
+sudo systemctl stop istio
+sudo rm -rf /etc/certs/*
+sudo mkdir -p /etc/certs
+sudo cp vm-files/mesh.yaml /etc/istio/config/mesh
+sudo cp vm-files/root-cert.pem /etc/certs/root-cert.pem
+sudo cp vm-files/cluster.env /var/lib/istio/envoy/cluster.env
+sudo cp vm-files/istio-token /var/run/secrets/tokens/istio-token
+sudo mkdir -p /etc/istio/proxy
+sudo chown -R istio-proxy /var/lib/istio /etc/certs /etc/istio/proxy /etc/istio/config /var/run/secrets /etc/certs
+sudo systemctl start istio
@@ -0,0 +1,12 @@
+---
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: istio-system
+    #  labels:
+    #topology.istio.io/network=kubenetwork
+---
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: istio-ingress
@@ -0,0 +1,107 @@
+###
+#
+# The goal of this manifest is to
+# 1. provide a workloadgroup for vllm serverless operations
+# 2. provide a vllm.vllm dns resolved name that maps to the virtual machines
+# 3. automatically healthcheck vllm.vllm on port 8000
+# 4. forward all traffic from ingressgateway to vllm.vllm. This last part doesn't appear to work.
+
+---
+apiVersion: networking.istio.io/v1
+kind: WorkloadGroup
+metadata:
+  name: vllm
+  namespace: vllm
+spec:
+  metadata:
+    labels:
+      app: vllm
+  template:
+    ports:
+      http: 8000
+    serviceAccount: default
+    network: vmnetwork
+  probe:
+    periodSeconds: 5
+    initialDelaySeconds: 1
+    httpGet:
+      port: 8000
+      path: /health
+---
+apiVersion: networking.istio.io/v1
+kind: ServiceEntry
+metadata:
+  name: vllm
+  namespace: vllm
+  labels:
+    app: vllm
+spec:
+  hosts:
+  - vllm
+  location: MESH_INTERNAL
+  ports:
+  - name: http
+    number: 8000
+    protocol: http
+  resolution: STATIC
+  workloadSelector:
+    labels:
+      app: vllm
+---
+apiVersion: networking.istio.io/v1
+kind: VirtualService
+metadata:
+  name: vllm
+  namespace: vllm
+  labels:
+    app: vllm
+spec:
+  hosts:
+  - "*"
+  gateways:
+  - gateway
+  http:
+  - match:
+    - uri:
+        prefix: /health
+    route:
+    - destination:
+        port:
+          number: 8000
+        host: vllm
+---
+apiVersion: networking.istio.io/v1
+kind: Gateway
+metadata:
+  name: gateway
+  namespace: vllm
+spec:
+  selector:
+    istio: ingressgateway
+  servers:
+  - port:
+      number: 80
+      name: http
+      protocol: HTTP
+    hosts:
+    - "*"
+#---
+# I am not currently using this
+#
+#apiVersion: networking.istio.io/v1
+#kind: DestinationRule
+#metadata:
+#  name: vllm-dr
+#  namespace: vllm
+#  labels:
+#    app: foo
+#spec:
+#  host: vm1
+#  trafficPolicy:
+#    loadBalancer:
+#      simple: ROUND_ROBIN
+        #  subsets:
+        #  - name: v1
+        #    labels:
+        #      version: v1
+---
@@ -0,0 +1,7 @@
+###
+#
+# Check for third-party jwt token support
+#
+# https://istio.io/latest/docs/ops/best-practices/security/#configure-third-party-service-account-tokens
+
+kubectl get --raw /api/v1 | jq '.resources[] | select(.name | index("serviceaccounts/token"))'
@@ -0,0 +1,10 @@
+ingress_ip=$(kubectl get svc -n istio-ingress istio-ingress -o jsonpath='{.status.loadBalancer.ingress[0].ip}')
+curl -v http://${ingress_ip}:80/
+#curl -v -H "Host: httpbin.example.com" http://${ingress_ip}:80/health
+#curl -v -H "Host: vllm" http://${ingress_ip}:80
+#curl -v http://${ingress_ip}:80
+echo "This is the ingress gateway --------------------->"
+
+kubectl logs -n istio-ingress -l istio=ingressgateway
+echo "This is the eastwest gateway --------------------->"
+kubectl logs -n istio-ingress -l istio=eastwestgateway
@@ -0,0 +1 @@
+#revision: v1-22-3
@@ -0,0 +1,26 @@
+# labels.topology.istio.io/network: vmnetwork
+name: istio-eastwestgateway
+labels:
+  istio: eastwestgateway
+  app: istio-eastwestgateway
+service:
+  annotations:
+    oci.oraclecloud.com/load-balancer-type: "lb"
+    service.beta.kubernetes.io/oci-load-balancer-shape: "flexible"
+    service.beta.kubernetes.io/oci-load-balancer-shape-flex-min: "10"
+    service.beta.kubernetes.io/oci-load-balancer-shape-flex-max: "100"
+    topology.istio.io/network: kubenetwork
+  ports:
+    - name: status-port
+      port: 15021
+      targetPort: 15021
+    - name: tls
+      port: 15443
+      targetPort: 15443
+    - name: tls-istiod
+      port: 15012
+      targetPort: 15012
+    - name: tls-webhook
+      port: 15017
+      targetPort: 15017
+networkGateway: kubenetwork
@@ -0,0 +1,15 @@
+labels:
+  istio: ingressgateway
+  app: istio-ingressgateway
+service:
+  annotations:
+    oci.oraclecloud.com/load-balancer-type: "lb"
+    service.beta.kubernetes.io/oci-load-balancer-shape: "flexible"
+    service.beta.kubernetes.io/oci-load-balancer-shape-flex-min: "10"
+    service.beta.kubernetes.io/oci-load-balancer-shape-flex-max: "100"
+pilot:
+  traceSampling: 100
+logLevel: debug
+tracing:
+  enabled: true
+networkGateway: kubenetwork
@@ -0,0 +1,14 @@
+global:
+  meshID: mesh1
+  multiCluster:
+    enabled: true
+    clusterName: cluster1
+  network: kubenetwork
+  meshConfig:
+    enableTracing: true
+    accessLogFile: /dev/stdout
+    accessLogEncoding: JSON
+    accessLogFormat: "[%START_TIME%] \"%REQ(:METHOD)% %REQ(X-ENVOY-ORIGINAL-PATH?:PATH)% %PROTOCOL%\" %RESPONSE_CODE% %RESPONSE_FLAGS% %RESPONSE_CODE_DETAILS% %CONNECTION_TERMINATION_DETAILS% \"%UPSTREAM_TRANSPORT_FAILURE_REASON%\" %BYTES_RECEIVED% %BYTES_SENT% %DURATION% %RESP(X-ENVOY-UPSTREAM-SERVICE-TIME)% \"%REQ(X-FORWARDED-FOR)%\" \"%REQ(USER-AGENT)%\" \"%REQ(X-REQUEST-ID)%\" \"%REQ(:AUTHORITY)%\" \"%UPSTREAM_HOST%\" %UPSTREAM_CLUSTER% %UPSTREAM_LOCAL_ADDRESS% %DOWNSTREAM_LOCAL_ADDRESS% %DOWNSTREAM_REMOTE_ADDRESS% %REQUESTED_SERVER_NAME% %ROUTE_NAME%\n"
+  traceSampling: 100
+tracing:
+  enabled: true