
Initial commit

Sergio Talens-Oliag 2023-07-17 23:34:46 +02:00
commit a267b572a3
Signed by: sto
GPG key ID: 821AEE0FD167FBDF
23 changed files with 2173 additions and 0 deletions

78
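--- a/test/cilium-connectivity.sh
+++ b/test/cilium-connectivity.sh
@@ -0,0 +1,78 @@
+#!/bin/sh
+# ----
+# File: cilium-connectivity.sh
+# Description: Script to test cilium connectivity in our deployments
+# Author: Sergio Talens-Oliag <sto@mixinet.net>
+# Copyright: (c) 2023 Sergio Talens-Oliag <sto@mixinet.net>
+# ----
+set -e
+# ---------
+# VARIABLES
+# ---------
+HUBBLE_PF="${HUBBLE_PF:-false}"
+# ---------
+# FUNCTIONS
+# ---------
+usage() {
+cat <<EOF
+Usage: $0 CTOOL CLUSTER
+Where:
+- CTOOL is 'k3d' or 'kind'
+- CLUSTER is '1', '2' or '12' (multicluster test)
+EOF
+exit "$1"
+}
+start_pf() {
+if [ "$HUBBLE_PF" = "true" ]; then
+cilium hubble port-forward --context "$CTX" &
+PF_PID="$!"
+echo "Started hubble port-forward for $CTX with PID '$PF_PID'"
+else
+PF_PID=""
+fi
+}
+stop_pf() {
+if [ "$PF_PID" ]; then
+echo "Killing hubble port-forward (PID '$PF_PID')"
+kill "$PF_PID"
+fi
+}
+# ====
+# MAIN
+# ====
+CTOOL="$1"
+CNUM="$2"
+case "$CTOOL" in
+k3d|kind) ;;
+*) usage 1;;
+esac
+case "$CNUM" in
+1|2)
+CNAME="cilium$CNUM"
+CTX="$CTOOL-$CNAME"
+start_pf
+cilium connectivity test --context "$CTX"
+;;
+12)
+CTX="$CTOOL-cilium1"
+CTX2="$CTOOL-cilium2"
+start_pf
+cilium connectivity test --context "$CTX" --multi-cluster "$CTX2"
+;;
+*) usage 1 ;;
+esac
+stop_pf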
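Review bot: With `set -e` active, a failing `cilium connectivity test` ends the script before the final `stop_pf` line is reached, so the background `cilium hubble port-forward` started by `start_pf` keeps running after a failed test. Registering the cleanup once, before the `case "$CNUM"` block, covers every exit path: `PF_PID=""` followed by `trap stop_pf EXIT`, with the trailing `stop_pf` call dropped so the PID is not killed twice. A leftover forward keeps a local listener open and will presumably make the next run's port-forward fail to bind.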

115
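--- a/test/http-sw.sh
+++ b/test/http-sw.sh
@@ -0,0 +1,115 @@
+#!/bin/sh
+# REF: https://docs.cilium.io/en/stable/gettingstarted/demo/#starwars-demo
+# Compute WORK_DIR
+SCRIPT="$(readlink -f "$0")"
+SCRIPT_DIR="$(dirname "$SCRIPT")"
+WORK_DIR_RELPATH="."
+WORK_DIR="$(readlink -f "$SCRIPT_DIR/$WORK_DIR_RELPATH")"
+# VARIABLES
+NAMESPACE="http-sw"
+YAML_DIR="$WORK_DIR/http-sw"
+APP_YAML="$YAML_DIR/http-sw-app.yaml"
+SW_L3_L4_POLICY_YAML="$YAML_DIR/sw_l3_l4_policy.yaml"
+SW_L3_L4_L7_POLICY_YAML="$YAML_DIR/sw_l3_l4_l7_policy.yaml"
+access_test() {
+for pod in xwing tiefighter; do
+ret="0"
+echo "Checking deathstar access from '$pod'"
+kubectl -n "$NAMESPACE" exec "$pod" -- curl --connect-timeout 5 \
+-s -XPOST deathstar.$NAMESPACE.svc.cluster.local/v1/request-landing ||
+ret="$?"
+if [ "$ret" -ne "0" ]; then
+echo "Connection failed!"
+fi
+done
+# shellcheck disable=SC2043
+for pod in tiefighter; do
+ret="0"
+echo "Checking deathstar exaust-port access from '$pod'"
+kubectl -n "$NAMESPACE" exec "$pod" -- curl --connect-timeout 5 \
+-s -XPUT deathstar.$NAMESPACE.svc.cluster.local/v1/exhaust-port ||
+ret="$?"
+if [ "$ret" -ne "0" ]; then
+echo "Connection failed!"
+fi
+done
+}
+create_deployment() {
+kubectl create ns "$NAMESPACE" || true
+kubectl -n "$NAMESPACE" apply -f "$APP_YAML"
+}
+delete_deployment() {
+kubectl delete ns "$NAMESPACE"
+}
+list_sw_endpoints() {
+for pod in $(kubectl -n kube-system get pods -l k8s-app=cilium -o name); do
+OUTPUT="$(
+kubectl -n kube-system exec "$pod" -c cilium-agent \
+-- cilium endpoint list
+)"
+echo "$OUTPUT" | head -1
+echo "$OUTPUT" | grep -B6 "org=\(alliance\|empire\)" | grep -v "^--"
+done
+}
+status() {
+kubectl -n "$NAMESPACE" get all,CiliumNetworkPolicy
+}
+usage() {
+echo "Usage: $0 create|delete|desc|endpoints|policy-(l34|l7|none)|status|test"
+exit "$1"
+}
+# ====
+# MAIN
+# ====
+case "$1" in
+create) create_deployment;;
+delete) delete_deployment;;
+desc|describe)
+if kubectl -n "$NAMESPACE" get cnp/rule1 -o name 2>/dev/null 1>&2; then
+echo "Describe current policy"
+kubectl -n "$NAMESPACE" describe CiliumNetworkPolicy/rule1
+else
+echo "Policy not installed"
+fi
+;;
+eps|endpoints) list_sw_endpoints;;
+policy-l34)
+echo "Adding SW L3-L4 policy"
+echo ""
+cat "$SW_L3_L4_POLICY_YAML"
+echo ""
+kubectl -n "$NAMESPACE" apply -f "$SW_L3_L4_POLICY_YAML"
+;;
+policy-l7)
+echo "Adding SW L3-L4-L7 policy:"
+echo ""
+cat "$SW_L3_L4_L7_POLICY_YAML"
+echo ""
+kubectl -n "$NAMESPACE" apply -f "$SW_L3_L4_L7_POLICY_YAML"
+;;
+policy-none)
+echo "Removing Cilium Network Policy 'rule1'"
+kubectl -n "$NAMESPACE" delete CiliumNetworkPolicy/rule1
+;;
+status) status;;
+test)
+echo "Running access test"
+access_test
+;;
+"") usage "0" ;;
+*) usage "1" ;;
+esac
+# ----
+# vim: ts=2:sw=2:et:ai:sts=2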
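Review bot: `access_test` cannot fail: curl's exit status is only turned into a "Connection failed!" message, the function always returns 0, and without `--fail` an HTTP error response (such as the denial an L7 rule sends back) still makes curl exit 0. The `test` action therefore reports the same status whether `rule1` is enforced or missing, so it cannot serve as a check that the network policy works. Consider `curl --connect-timeout 5 -s --fail ...`, as `test/ingress-basic.sh` already does, and compare each pod's result with the expected one for the active policy, returning non-zero on a mismatch. The script also lacks the `set -e` that the other test scripts in this commit start with.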


@ -0,0 +1,63 @@
---
apiVersion: v1
kind: Service
metadata:
name: deathstar
labels:
app.kubernetes.io/name: deathstar
spec:
type: ClusterIP
ports:
- port: 80
selector:
org: empire
class: deathstar
---
apiVersion: apps/v1
kind: Deployment
metadata:
name: deathstar
labels:
app.kubernetes.io/name: deathstar
spec:
replicas: 2
selector:
matchLabels:
org: empire
class: deathstar
template:
metadata:
labels:
org: empire
class: deathstar
app.kubernetes.io/name: deathstar
spec:
containers:
- name: deathstar
image: docker.io/cilium/starwars
---
apiVersion: v1
kind: Pod
metadata:
name: tiefighter
labels:
org: empire
class: tiefighter
app.kubernetes.io/name: tiefighter
spec:
containers:
- name: spaceship
image: docker.io/tgraf/netperf
---
apiVersion: v1
kind: Pod
metadata:
name: xwing
labels:
app.kubernetes.io/name: xwing
org: alliance
class: xwing
spec:
containers:
- name: spaceship
image: docker.io/tgraf/netperf
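Review bot: The container images in this manifest are unpinned: `docker.io/cilium/starwars` and `docker.io/tgraf/netperf` carry no tag, so they resolve to whatever `latest` points at when the pod is scheduled. That makes the policy test non-reproducible and lets a changed upstream image run in the cluster without any change in this repository. Pin each one to a fixed tag, or better a digest, for example `image: docker.io/cilium/starwars@sha256:<DIGEST>` (placeholder to be filled from a verified pull).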


@ -0,0 +1,22 @@
apiVersion: "cilium.io/v2"
kind: CiliumNetworkPolicy
metadata:
name: "rule1"
spec:
description: "L7 policy to restrict access to specific HTTP call"
endpointSelector:
matchLabels:
org: empire
class: deathstar
ingress:
- fromEndpoints:
- matchLabels:
org: empire
toPorts:
- ports:
- port: "80"
protocol: TCP
rules:
http:
- method: "POST"
path: "/v1/request-landing"


@ -0,0 +1,18 @@
apiVersion: "cilium.io/v2"
kind: CiliumNetworkPolicy
metadata:
name: "rule1"
spec:
description: "L3-L4 policy to restrict deathstar access to empire ships only"
endpointSelector:
matchLabels:
org: empire
class: deathstar
ingress:
- fromEndpoints:
- matchLabels:
org: empire
toPorts:
- ports:
- port: "80"
protocol: TCP

114
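--- a/test/ingress-basic.sh
+++ b/test/ingress-basic.sh
@@ -0,0 +1,114 @@
+#!/bin/sh
+# ----
+# File: ingress-basic.sh
+# Description: Script to test the ingress services on our cilium deployments
+# Author: Sergio Talens-Oliag <sto@mixinet.net>
+# Copyright: (c) 2023 Sergio Talens-Oliag <sto@mixinet.net>
+# ----
+# REF: https://docs.cilium.io/en/latest/network/servicemesh/http/
+# ----
+set -e
+# Compute WORK_DIR
+SCRIPT="$(readlink -f "$0")"
+SCRIPT_DIR="$(dirname "$SCRIPT")"
+WORK_DIR_RELPATH="."
+WORK_DIR="$(readlink -f "$SCRIPT_DIR/$WORK_DIR_RELPATH")"
+# VARIABLES
+NAMESPACE="ingress-basic"
+YAML_DIR="$WORK_DIR/ingress-basic"
+BOOKINFO_YAML="$YAML_DIR/bookinfo.yaml"
+create_deployment() {
+kubectl create ns "$NAMESPACE" || true
+kubectl apply -n "$NAMESPACE" -f "$BOOKINFO_YAML"
+kubectl apply -n "$NAMESPACE" -f "$INGRESS_BASIC_YAML"
+}
+delete_deployment() {
+kubectl delete ns "$NAMESPACE"
+}
+wait_for_deployments() {
+for _deployment in productpage-v1 details-v1; do
+echo "Waiting for '$_deployment' deployment to be ready"
+kubectl wait -n "$NAMESPACE" deployment "$_deployment" \
+--for condition=Available=True --timeout=90s
+done
+}
+wait_for_ingress(){
+printf "Waiting for the ingress to be ready "
+while true; do
+INGRESS="$(
+kubectl get -n "$NAMESPACE" ingress \
+-o jsonpath="{.items[0].status.loadBalancer.ingress}"
+)"
+if [ -z "$INGRESS" ]; then
+printf "."
+sleep 1
+else
+echo ". OK"
+break
+fi
+done
+}
+print_objects() {
+kubectl get -n "$NAMESPACE" pods
+kubectl get -n "$NAMESPACE" svc
+kubectl get -n "$NAMESPACE" ingress
+kubectl get -n "$INGRESS_NAMESPACE" "$INGRESS_CONTROLLER"
+}
+test_ingress() {
+HTTP_INGRESS="$(
+kubectl get -n "$INGRESS_NAMESPACE" "$INGRESS_CONTROLLER" \
+-o jsonpath='{.status.loadBalancer.ingress[0].ip}'
+)"
+URL="http://$HTTP_INGRESS/details/1"
+echo "Testing 'details-v1' service connecting to '$URL'"
+curl -s --fail "$URL" | jq
+URL="http://$HTTP_INGRESS/"
+echo "Testing 'productpage-v1' service connecting to '$URL' (10 first lines)"
+curl -s --fail "$URL" | head -n 10
+}
+usage() {
+echo "Usage: $0 cilium|nginx create|delete|status|test|wait"
+exit "$1"
+}
+# ----
+# MAIN
+# ----
+case "$1" in
+cilium)
+# We assume that the cilium ingress is shared
+INGRESS_NAMESPACE="kube-system"
+INGRESS_CONTROLLER="service/cilium-ingress"
+INGRESS_BASIC_YAML="$YAML_DIR/ingress-basic-cilium.yaml"
+;;
+nginx)
+INGRESS_NAMESPACE="ingress-nginx"
+INGRESS_CONTROLLER="service/ingress-nginx-controller"
+INGRESS_BASIC_YAML="$YAML_DIR/ingress-basic-nginx.yaml"
+;;
+"") usage 0;;
+*) usage 1;;
+esac
+case "$2" in
+create) create_deployment;;
+delete) delete_deployment;;
+status) print_objects;;
+test) test_ingress;;
+wait) wait_for_deployments && wait_for_ingress;;
+*) usage 1;;
+esac
+# ----
+# vim: ts=2:sw=2:et:ai:sts=2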
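Review bot: In `test_ingress` the `--fail` on curl never reaches the script's exit status, because `curl -s --fail "$URL" | jq` and `... | head -n 10` return the status of the last command in the pipeline and `#!/bin/sh` with `set -e` has no portable `pipefail`. A broken ingress therefore still ends the `test` action with exit 0. Capture the response first, `OUT="$(curl -s --fail "$URL")"` and then `printf '%s\n' "$OUT" | jq .`, so that `set -e` stops on the curl error. `HTTP_INGRESS` is also used unchecked (an empty address yields `http:///details/1`), and `wait_for_ingress` polls in `while true` with no upper bound, unlike the `--timeout=90s` used in `wait_for_deployments`.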


@ -0,0 +1,343 @@
# Copyright Istio Authors
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
##################################################################################################
# This file defines the services, service accounts, and deployments for the Bookinfo sample.
#
# To apply all 4 Bookinfo services, their corresponding service accounts, and deployments:
#
# kubectl apply -f samples/bookinfo/platform/kube/bookinfo.yaml
#
# Alternatively, you can deploy any resource separately:
#
# kubectl apply -f samples/bookinfo/platform/kube/bookinfo.yaml -l service=reviews # reviews Service
# kubectl apply -f samples/bookinfo/platform/kube/bookinfo.yaml -l account=reviews # reviews ServiceAccount
# kubectl apply -f samples/bookinfo/platform/kube/bookinfo.yaml -l app=reviews,version=v3 # reviews-v3 Deployment
##################################################################################################
##################################################################################################
# Details service
##################################################################################################
apiVersion: v1
kind: Service
metadata:
name: details
labels:
app: details
service: details
spec:
ports:
- port: 9080
name: http
selector:
app: details
---
apiVersion: v1
kind: ServiceAccount
metadata:
name: bookinfo-details
labels:
account: details
---
apiVersion: apps/v1
kind: Deployment
metadata:
name: details-v1
labels:
app: details
version: v1
spec:
replicas: 1
selector:
matchLabels:
app: details
version: v1
template:
metadata:
labels:
app: details
version: v1
spec:
serviceAccountName: bookinfo-details
containers:
- name: details
image: docker.io/istio/examples-bookinfo-details-v1:1.16.2
imagePullPolicy: IfNotPresent
ports:
- containerPort: 9080
securityContext:
runAsUser: 1000
---
##################################################################################################
# Ratings service
##################################################################################################
apiVersion: v1
kind: Service
metadata:
name: ratings
labels:
app: ratings
service: ratings
spec:
ports:
- port: 9080
name: http
selector:
app: ratings
---
apiVersion: v1
kind: ServiceAccount
metadata:
name: bookinfo-ratings
labels:
account: ratings
---
apiVersion: apps/v1
kind: Deployment
metadata:
name: ratings-v1
labels:
app: ratings
version: v1
spec:
replicas: 1
selector:
matchLabels:
app: ratings
version: v1
template:
metadata:
labels:
app: ratings
version: v1
spec:
serviceAccountName: bookinfo-ratings
containers:
- name: ratings
image: docker.io/istio/examples-bookinfo-ratings-v1:1.16.2
imagePullPolicy: IfNotPresent
ports:
- containerPort: 9080
securityContext:
runAsUser: 1000
---
##################################################################################################
# Reviews service
##################################################################################################
apiVersion: v1
kind: Service
metadata:
name: reviews
labels:
app: reviews
service: reviews
spec:
ports:
- port: 9080
name: http
selector:
app: reviews
---
apiVersion: v1
kind: ServiceAccount
metadata:
name: bookinfo-reviews
labels:
account: reviews
---
apiVersion: apps/v1
kind: Deployment
metadata:
name: reviews-v1
labels:
app: reviews
version: v1
spec:
replicas: 1
selector:
matchLabels:
app: reviews
version: v1
template:
metadata:
labels:
app: reviews
version: v1
spec:
serviceAccountName: bookinfo-reviews
containers:
- name: reviews
image: docker.io/istio/examples-bookinfo-reviews-v1:1.16.2
imagePullPolicy: IfNotPresent
env:
- name: LOG_DIR
value: "/tmp/logs"
ports:
- containerPort: 9080
volumeMounts:
- name: tmp
mountPath: /tmp
- name: wlp-output
mountPath: /opt/ibm/wlp/output
securityContext:
runAsUser: 1000
volumes:
- name: wlp-output
emptyDir: {}
- name: tmp
emptyDir: {}
---
apiVersion: apps/v1
kind: Deployment
metadata:
name: reviews-v2
labels:
app: reviews
version: v2
spec:
replicas: 1
selector:
matchLabels:
app: reviews
version: v2
template:
metadata:
labels:
app: reviews
version: v2
spec:
serviceAccountName: bookinfo-reviews
containers:
- name: reviews
image: docker.io/istio/examples-bookinfo-reviews-v2:1.16.2
imagePullPolicy: IfNotPresent
env:
- name: LOG_DIR
value: "/tmp/logs"
ports:
- containerPort: 9080
volumeMounts:
- name: tmp
mountPath: /tmp
- name: wlp-output
mountPath: /opt/ibm/wlp/output
securityContext:
runAsUser: 1000
volumes:
- name: wlp-output
emptyDir: {}
- name: tmp
emptyDir: {}
---
apiVersion: apps/v1
kind: Deployment
metadata:
name: reviews-v3
labels:
app: reviews
version: v3
spec:
replicas: 1
selector:
matchLabels:
app: reviews
version: v3
template:
metadata:
labels:
app: reviews
version: v3
spec:
serviceAccountName: bookinfo-reviews
containers:
- name: reviews
image: docker.io/istio/examples-bookinfo-reviews-v3:1.16.2
imagePullPolicy: IfNotPresent
env:
- name: LOG_DIR
value: "/tmp/logs"
ports:
- containerPort: 9080
volumeMounts:
- name: tmp
mountPath: /tmp
- name: wlp-output
mountPath: /opt/ibm/wlp/output
securityContext:
runAsUser: 1000
volumes:
- name: wlp-output
emptyDir: {}
- name: tmp
emptyDir: {}
---
##################################################################################################
# Productpage services
##################################################################################################
apiVersion: v1
kind: Service
metadata:
name: productpage
labels:
app: productpage
service: productpage
spec:
ports:
- port: 9080
name: http
selector:
app: productpage
---
apiVersion: v1
kind: ServiceAccount
metadata:
name: bookinfo-productpage
labels:
account: productpage
---
apiVersion: apps/v1
kind: Deployment
metadata:
name: productpage-v1
labels:
app: productpage
version: v1
spec:
replicas: 1
selector:
matchLabels:
app: productpage
version: v1
template:
metadata:
labels:
app: productpage
version: v1
spec:
serviceAccountName: bookinfo-productpage
containers:
- name: productpage
image: docker.io/istio/examples-bookinfo-productpage-v1:1.16.2
imagePullPolicy: IfNotPresent
ports:
- containerPort: 9080
volumeMounts:
- name: tmp
mountPath: /tmp
securityContext:
runAsUser: 1000
volumes:
- name: tmp
emptyDir: {}
---


@ -0,0 +1,25 @@
# Basic ingress for istio bookinfo demo application, which can be found in below
# https://raw.githubusercontent.com/istio/istio/release-1.11/samples/bookinfo/platform/kube/bookinfo.yaml
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
name: ingress-basic-cilium
spec:
ingressClassName: cilium
rules:
- http:
paths:
- backend:
service:
name: details
port:
number: 9080
path: /details
pathType: Prefix
- backend:
service:
name: productpage
port:
number: 9080
path: /
pathType: Prefix


@ -0,0 +1,25 @@
# Basic ingress for istio bookinfo demo application, which can be found in below
# https://raw.githubusercontent.com/istio/istio/release-1.11/samples/bookinfo/platform/kube/bookinfo.yaml
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
name: ingress-basic-nginx
spec:
ingressClassName: nginx
rules:
- http:
paths:
- backend:
service:
name: details
port:
number: 9080
path: /details
pathType: Prefix
- backend:
service:
name: productpage
port:
number: 9080
path: /
pathType: Prefix

254
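--- a/test/mesh-test.sh
+++ b/test/mesh-test.sh
@@ -0,0 +1,254 @@
+#!/bin/sh
+# ----
+# File: mesh-basic.sh
+# Description: Script to test the cluster mesh on our cilium deployments
+# Author: Sergio Talens-Oliag <sto@mixinet.net>
+# Copyright: (c) 2023 Sergio Talens-Oliag <sto@mixinet.net>
+# ----
+# REF: https://docs.cilium.io/en/stable/network/clustermesh/services/
+# ----
+set -e
+# Compute WORK_DIR
+SCRIPT="$(readlink -f "$0")"
+SCRIPT_DIR="$(dirname "$SCRIPT")"
+WORK_DIR_RELPATH="."
+WORK_DIR="$(readlink -f "$SCRIPT_DIR/$WORK_DIR_RELPATH")"
+# VARIABLES
+NAMESPACE="mesh-test"
+SERVICE="svc/rebel-base"
+DEPLOYMENT_RB="deployment/rebel-base"
+DEPLOYMENT_XW="deployment/x-wing"
+YAML_DIR="$WORK_DIR/mesh-test"
+GSC1_YAML="$YAML_DIR/cluster1.yaml"
+GSC2_YAML="$YAML_DIR/cluster2.yaml"
+ACCESS_TEST_LOOPS="7"
+access_test() {
+for ctx in "$CTX1" "$CTX2"; do
+echo "Running $ACCESS_TEST_LOOPS tests from '$ctx'"
+counter=0
+while [ "$counter" -lt "$ACCESS_TEST_LOOPS" ]; do
+kubectl --context "$ctx" -n "$NAMESPACE" exec -ti "$DEPLOYMENT_XW" \
+-- curl rebel-base
+counter="$((counter + 1))"
+done
+done
+}
+create() {
+for cn in "1" "2"; do
+echo "Creating Global Service on Cluster $cn"
+create_namespace "$cn"
+deploy_objects "$cn"
+done
+}
+create_namespace() {
+case "$1" in
+1) ctx="$CTX1";;
+2) ctx="$CTX2";;
+*) echo "Unknown cluster number '$1'"; exit 1;;
+esac
+kubectl --context="$ctx" create ns "$NAMESPACE" || true
+}
+deploy_objects() {
+case "$1" in
+1) ctx="$CTX1"; yaml="$GSC1_YAML";;
+2) ctx="$CTX2"; yaml="$GSC2_YAML";;
+*) echo "Unknown cluster number '$1'"; exit 1;;
+esac
+sed -e "s/Cluster-/$CTOOL-cluster-/" "$yaml" |
+kubectl --context="$ctx" -n "$NAMESPACE" apply -f -
+}
+delete() {
+for cn in "1" "2"; do
+echo "Deleting Global Service on Cluster $cn"
+delete_objects "$cn" || true
+delete_namespace "$cn"
+done
+}
+delete_deployment() {
+case "$1" in
+1) ctx="$CTX1";;
+2) ctx="$CTX2";;
+*) echo "Unknown cluster number '$1'"; exit 1;;
+esac
+echo "Deleting '$DEPLOYMENT_RB' on Cluster $1"
+kubectl --context="$ctx" -n "$NAMESPACE" delete "$DEPLOYMENT_RB" || true
+}
+delete_namespace() {
+case "$1" in
+1) ctx="$CTX1";;
+2) ctx="$CTX2";;
+*) echo "Unknown cluster number '$1'"; exit 1;;
+esac
+kubectl --context="$ctx" delete ns "$NAMESPACE" || true
+}
+delete_objects() {
+case "$1" in
+1) ctx="$CTX1"; yaml="$GSC1_YAML";;
+2) ctx="$CTX2"; yaml="$GSC2_YAML";;
+*) echo "Unknown cluster number '$1'"; exit 1;;
+esac
+sed -e "s/Cluster-/$CTOOL-cluster-/" "$yaml" |
+kubectl --context="$ctx" -n "$NAMESPACE" delete -f -
+}
+get_cilium_annotations() {
+for ctx in "$CTX1" "$CTX2"; do
+echo "Service '$SERVICE' cilium annotations on '$ctx'"
+kubectl --context "$ctx" -n "$NAMESPACE" get "$SERVICE" -o yaml |
+sed -ne 's/^ service.cilium.io/- service.cilium.io/p'
+done
+}
+status() {
+for ctx in "$CTX1" "$CTX2"; do
+echo "Mesh test status on '$ctx'"
+echo ""
+kubectl --context "$ctx" -n "$NAMESPACE" get all
+echo ""
+done
+}
+wait_for_deployments() {
+for ctx in "$CTX1" "$CTX2"; do
+for _deployment in "$DEPLOYMENT_RB" "$DEPLOYMENT_XW"; do
+echo "Waiting for '$_deployment' to be ready on '$ctx'"
+kubectl wait --context="$ctx" -n "$NAMESPACE" "$_deployment" \
+--for condition=Available=True --timeout=90s
+done
+done
+}
+service_affinity_default(){
+kubectl --context="$1" -n "$NAMESPACE" annotate "$SERVICE" \
+service.cilium.io/affinity-
+}
+service_affinity_local(){
+kubectl --context="$1" -n "$NAMESPACE" annotate "$SERVICE" \
+service.cilium.io/affinity="local" --overwrite
+}
+service_affinity_none(){
+kubectl --context="$1" -n "$NAMESPACE" annotate "$SERVICE" \
+service.cilium.io/affinity="none" --overwrite
+}
+service_affinity_remote(){
+kubectl --context="$1" -n "$NAMESPACE" annotate "$SERVICE" \
+service.cilium.io/affinity="remote" --overwrite
+}
+service_shared_default(){
+case "$1" in
+1) ctx="$CTX1";;
+2) ctx="$CTX2";;
+*) echo "Unknown cluster number '$1'"; exit 1;;
+esac
+kubectl --context="$ctx" -n "$NAMESPACE" annotate "$SERVICE" \
+service.cilium.io/shared-
+}
+service_shared_false(){
+case "$1" in
+1) ctx="$CTX1";;
+2) ctx="$CTX2";;
+*) echo "Unknown cluster number '$1'"; exit 1;;
+esac
+kubectl --context="$ctx" -n "$NAMESPACE" annotate "$SERVICE" \
+service.cilium.io/shared="false" --overwrite
+}
+service_shared_true(){
+case "$1" in
+1) ctx="$CTX1";;
+2) ctx="$CTX2";;
+*) echo "Unknown cluster number '$1'"; exit 1;;
+esac
+kubectl --context="$ctx" -n "$NAMESPACE" annotate "$SERVICE" \
+service.cilium.io/shared="true" --overwrite
+}
+usage() {
+cat <<EOF
+Usage: $0 CLUST_TYPE ACTION
+Where CLUST_TYPE is 'k3d' or 'kind' and ACTION is one of:
+- create: creates namespaces and deploy services on both clusters
+- delete: deletes services and namespaces on both clusters
+- delete-deployment [CLUST]: delete rebel-base deployment from CLUST (default 1)
+- delete-objects [CLUST]: delete objects from the cluster CLUST (default 1)
+- deploy-objects [CLUST]: deploy objects on the cluster CLUST (default 1)
+- get-annotations: get service annotations of both clusters
+- svc-affinity-local: sets local affinity for the service on both clusters
+- svc-affinity-remote: sets remote affinity for the service on both clusters
+- svc-affinity-none: removes affinity for the service on both clusters
+- svc-shared-default [CLUST]: remove shared annotation from the CLUST cluster
+- svc-shared-false [CLUST]: removes service sharing from the CLUST cluster
+- svc-shared-true [CLUST]: enables service sharing on the CLUST cluster
+- status: prints the deployment status on both clusters
+- test: calls the services $ACCESS_TEST_LOOPS times from each cluster
+- wait: waits until the deployments are ready on both clusters
+EOF
+exit "$1"
+}
+# ====
+# MAIN
+# ====
+CTOOL="$1"
+case "$CTOOL" in
+k3d|kind)
+CTX1="$CTOOL-cilium1"
+CTX2="$CTOOL-cilium2"
+;;
+"") usage "0";;
+*) usage "1";;
+esac
+case "$2" in
+create) create;;
+delete) delete;;
+delete-deployment) delete_deployment "${3:-1}";;
+delete-objects) delete_objects "${3:-1}";;
+deploy-objects) deploy_objects "${3:-1}";;
+get-annotations) get_cilium_annotations;;
+svc-af-local|svc-affinity-local)
+for ctx in "$CTX1" "$CTX2"; do
+service_affinity_local "$ctx"
+done
+;;
+svc-af-remote|svc-affinity-remote)
+for ctx in "$CTX1" "$CTX2"; do
+service_affinity_remote "$ctx"
+done
+;;
+svc-af-none|svc-affinity-none)
+for ctx in "$CTX1" "$CTX2"; do
+service_affinity_local "$ctx"
+done
+;;
+svc-sh-default|svc-shared-default) service_shared_default "${3:-1}";;
+svc-sh-false|svc-shared-false) service_shared_false "${3:-1}";;
+svc-sh-true|svc-shared-true) service_shared_true "${3:-1}";;
+status) status;;
+test) access_test ;;
+wait) wait_for_deployments ;;
+*) usage "1" ;;
+esac
+# ----
+# vim: ts=2:sw=2:et:ai:sts=2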
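Review bot: The `svc-af-none|svc-affinity-none` branch calls `service_affinity_local`, so the action documented as removing affinity actually sets `service.cilium.io/affinity="local"` on both clusters; the loop body should be `service_affinity_none "$ctx"`. `service_affinity_default` is defined but no action reaches it and the usage text has no entry for it. The header comment also names the file `mesh-basic.sh` while the path is `test/mesh-test.sh`.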


@ -0,0 +1,91 @@
---
apiVersion: v1
kind: Service
metadata:
name: rebel-base
annotations:
service.cilium.io/global: "true"
spec:
type: ClusterIP
ports:
- port: 80
selector:
name: rebel-base
---
apiVersion: apps/v1
kind: Deployment
metadata:
name: rebel-base
spec:
selector:
matchLabels:
name: rebel-base
replicas: 2
template:
metadata:
labels:
name: rebel-base
spec:
containers:
- name: rebel-base
image: docker.io/nginx:1.15.8
volumeMounts:
- name: html
mountPath: /usr/share/nginx/html/
livenessProbe:
httpGet:
path: /
port: 80
periodSeconds: 1
readinessProbe:
httpGet:
path: /
port: 80
volumes:
- name: html
configMap:
name: rebel-base-response
items:
- key: message
path: index.html
---
apiVersion: v1
kind: ConfigMap
metadata:
name: rebel-base-response
data:
message: "{\"Galaxy\": \"Alderaan\", \"Cluster\": \"Cluster-1\"}\n"
---
apiVersion: apps/v1
kind: Deployment
metadata:
name: x-wing
spec:
selector:
matchLabels:
name: x-wing
replicas: 2
template:
metadata:
labels:
name: x-wing
spec:
containers:
- name: x-wing-container
image: docker.io/cilium/json-mock:1.2
livenessProbe:
exec:
command:
- curl
- -sS
- -o
- /dev/null
- localhost
readinessProbe:
exec:
command:
- curl
- -sS
- -o
- /dev/null
- localhost
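Review bot: `image: docker.io/nginx:1.15.8` pins `rebel-base` to an nginx mainline release that was already several years old at the time of this commit and no longer receives fixes; the same line appears in the second cluster manifest in the next file section. The container only serves a static `index.html` mounted from the `rebel-base-response` ConfigMap, so a currently maintained nginx tag, ideally pinned by digest, should be a drop-in replacement. `docker.io/cilium/json-mock:1.2` is likewise pinned by tag only.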


@ -0,0 +1,91 @@
---
apiVersion: v1
kind: Service
metadata:
name: rebel-base
annotations:
service.cilium.io/global: "true"
spec:
type: ClusterIP
ports:
- port: 80
selector:
name: rebel-base
---
apiVersion: apps/v1
kind: Deployment
metadata:
name: rebel-base
spec:
selector:
matchLabels:
name: rebel-base
replicas: 2
template:
metadata:
labels:
name: rebel-base
spec:
containers:
- name: rebel-base
image: docker.io/nginx:1.15.8
volumeMounts:
- name: html
mountPath: /usr/share/nginx/html/
livenessProbe:
httpGet:
path: /
port: 80
periodSeconds: 1
readinessProbe:
httpGet:
path: /
port: 80
volumes:
- name: html
configMap:
name: rebel-base-response
items:
- key: message
path: index.html
---
apiVersion: v1
kind: ConfigMap
metadata:
name: rebel-base-response
data:
message: "{\"Galaxy\": \"Alderaan\", \"Cluster\": \"Cluster-2\"}\n"
---
apiVersion: apps/v1
kind: Deployment
metadata:
name: x-wing
spec:
selector:
matchLabels:
name: x-wing
replicas: 2
template:
metadata:
labels:
name: x-wing
spec:
containers:
- name: x-wing-container
image: docker.io/cilium/json-mock:1.2
livenessProbe:
exec:
command:
- curl
- -sS
- -o
- /dev/null
- localhost
readinessProbe:
exec:
command:
- curl
- -sS
- -o
- /dev/null
- localhost