Merge branch 'master' into master

InnTZero · Dec 26, 2021 · 32cede2 · 32cede2
2 parents edffa8d + 4afe0ba
commit 32cede2
Show file tree

Hide file tree

Showing 31 changed files with 1,657 additions and 140 deletions.
diff --git a/module10/harbor/harbor.MD b/module10/harbor/harbor.MD
@@ -37,30 +37,34 @@ http://192.168.34.2:30002
 admin/Harbor12345
 ```
 
-### Add insecure registry to docker client and restart docker
-
-```json
-{
-  "features": {
-    "buildkit": true
-  },
-  "experimental": false,
-  "builder": {
-    "gc": {
-      "enabled": true,
-      "defaultKeepStorage": "20GB"
-    }
-  },
-  "insecure-registries": ["core.harbor.domain:32177"]
-}
+### Download repository certs from
+
+```sh
+https://192.168.34.2:30003/harbor/projects/1/repositories
+```
+
+### Copy the downloaded ca.crt to vm docker certs configuration folder
+
+```sh
+mkdir /etc/docker/certs.d/core.harbor.domain
+copy the ca.crt to this folder
+systemctl restart docker
+```
+
+### Edit /etc/hosts to map core.harbor.domain to harbor svc clusterip
+
+```sh
+10.104.231.99 core.harbor.domain
 ```
 
 ### Docker login
 
 ```sh
-docker login -u harbor_registry_user -p harbor_registry_password core.harbor.domain:32083
+docker login -u admin -p Harbor12345 core.harbor.domain
 ```
 
+### Docker tag a image to core.harbor.domain and push it and you will see it in harbor portal
+
 ### Check repositories and blobs
 
 ```sh

diff --git a/module10/loki-stack/readme.MD b/module10/loki-stack/readme.MD
@@ -20,7 +20,7 @@ Error: unable to build kubernetes objects from release manifest: [unable to reco
 
 ```sh
 helm pull grafana/loki-stack
-tar -xvf loki-stack-2.4.1.tgz
+tar -xvf loki-stack-*.tgz
 cd loki-stack
 ```
 
@@ -37,4 +37,28 @@ helm upgrade --install loki ./loki-stack --set grafana.enabled=true,prometheus.e
 
 ### Change the grafana service to NodePort type and access it
 
+```sh
+kubectl edit svc loki-grafana -oyaml -n default
+```
+
+And change ClusterIP type to NodePort.
+
+Login password is in secret `loki-grafana`
+
+```sh
+kubectl get secret loki-grafana -oyaml -n default
+```
+
+Find admin-password: `xxx`
+
+```sh
+echo 'xxx' | base64 -d
+```
+
+Then you will get grafana login password, the login username is 'admin' on default.
+
+> Note: `xxx` is the value of key `admin-password` in your yaml.
+
+### Change the grafana service to NodePort type and access it
+
 Login password is in secret `loki-grafana`
diff --git a/module14/istio/authentication/gen-jwt.py b/module14/istio/authentication/gen-jwt.py
@@ -0,0 +1,135 @@
+### https://raw.githubusercontent.com/istio/istio/release-1.12/security/tools/jwt/samples/gen-jwt.py
+
+#!/usr/bin/python
+
+# Copyright 2018 Istio Authors
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+"""Python script generates a JWT signed with custom private key.
+
+Example:
+./gen-jwt.py  --iss example-issuer --aud foo,bar --claims=email:[email protected],dead:beef key.pem -listclaim key1 val2 val3 -listclaim key2 val3 val4
+"""
+from __future__ import print_function
+import argparse
+import copy
+import time
+
+from jwcrypto import jwt, jwk
+
+
+def main(args):
+    """Generates a signed JSON Web Token from local private key."""
+    with open(args.key) as f:
+        pem_data = f.read()
+    f.closed
+
+    pem_data_encode = pem_data.encode("utf-8")
+    key = jwk.JWK.from_pem(pem_data_encode)
+
+    if args.jwks:
+        with open(args.jwks, "w+") as fout:
+            fout.write("{ \"keys\":[ ")
+            fout.write(key.export(private_key=False))
+            fout.write("]}")
+        fout.close
+
+    now = int(time.time())
+    payload = {
+        # expire in one hour.
+        "exp": now + args.expire,
+        "iat": now,
+    }
+    if args.iss:
+        payload["iss"] = args.iss
+    if args.sub:
+        payload["sub"] = args.sub
+    else:
+        payload["sub"] = args.iss
+
+    if args.aud:
+        if "," in args.aud:
+            payload["aud"] = args.aud.split(",")
+        else:
+            payload["aud"] = args.aud
+
+    if args.claims:
+        for item in args.claims.split(","):
+            k, v = item.split(':')
+            payload[k] = v
+
+    if args.listclaim:
+        for item in args.listclaim:
+            if (len(item) > 1):
+                k = item[0]
+                v = item[1:]
+                payload[k] = v
+
+    if args.nestedclaim:
+        nested = {}
+        for item in args.nestedclaim:
+            if (len(item) > 1):
+                k = item[0]
+                v = item[1:]
+                if len(v) == 1:
+                    v = v[0]
+                nested[k] = v
+        nested["nested-2"] = copy.copy(nested)
+        payload["nested"] = nested
+
+    token = jwt.JWT(header={"alg": "RS256", "typ": "JWT", "kid": key.key_id},
+                    claims=payload)
+
+    token.make_signed_token(key)
+
+    return token.serialize()
+
+
+if __name__ == '__main__':
+    parser = argparse.ArgumentParser(
+        description=__doc__,
+        formatter_class=argparse.RawDescriptionHelpFormatter)
+    # positional arguments
+    parser.add_argument(
+        'key',
+        help='The path to the key pem file. The key can be generated with openssl command: `openssl genrsa -out key.pem 2048`')
+    # optional arguments
+    parser.add_argument("-iss", "--iss",
+                        default="[email protected]",
+                        help="iss claim. Default is `[email protected]`")
+    parser.add_argument("-aud", "--aud",
+                        help="aud claim. This is comma-separated-list of audiences")
+    parser.add_argument("-sub", "--sub",
+                        help="sub claim. If not provided, it is set to the same as iss claim.")
+    parser.add_argument("-claims", "--claims",
+                        help="Other claims in format name1:value1,name2:value2 etc. Only string values are supported.")
+    parser.add_argument("-jwks", "--jwks",
+                        help="Path to the output file for JWKS.")
+    parser.add_argument("-expire", "--expire", type=int, default=3600,
+                        help="JWT expiration time in second. Default is 1 hour.")
+    parser.add_argument(
+        "-listclaim",
+        "--listclaim",
+        action='append',
+        nargs='+',
+        help="A list claim in format key1 value2 value3... Only string values are supported. Multiple list claims can be specified, e.g., -listclaim key1 val2 val3 -listclaim key2 val3 val4.")
+    parser.add_argument(
+        "-nestedclaim",
+        "--nestedclaim",
+        action='append',
+        nargs='+',
+        help="Nested claim in format key value1 [value2 ...], only string values are supported, will be added under the nested key in the JWT payload. "
+             "Multiple nested claims can be specified, e.g., -nestedclaim key1 val2 val3 -nestedclaim key2 val3 val4."
+    )
+    print(main(parser.parse_args()))
diff --git a/module14/istio/authentication/peerauthentication.MD b/module14/istio/authentication/peerauthentication.MD
@@ -0,0 +1,89 @@
+### setup
+```
+kubectl create ns foo
+kubectl apply -f <(istioctl kube-inject -f samples/httpbin/httpbin.yaml) -n foo
+kubectl apply -f <(istioctl kube-inject -f samples/sleep/sleep.yaml) -n foo
+kubectl create ns bar
+kubectl apply -f <(istioctl kube-inject -f samples/httpbin/httpbin.yaml) -n bar
+kubectl apply -f <(istioctl kube-inject -f samples/sleep/sleep.yaml) -n bar
+kubectl create ns legacy
+kubectl apply -f samples/httpbin/httpbin.yaml -n legacy
+kubectl apply -f samples/sleep/sleep.yaml -n legacy
+```
+### check sleep.bar to httpbin.foo reachability, return 200
+```
+kubectl exec "$(kubectl get pod -l app=sleep -n bar -o jsonpath={.items..metadata.name})" -c sleep -n bar -- curl http://httpbin.foo:8000/ip -s -o /dev/null -w "%{http_code}\n"
+```
+### This one-liner command conveniently iterates through all reachability combinations:
+```
+for from in "foo" "bar" "legacy"; do for to in "foo" "bar" "legacy"; do kubectl exec "$(kubectl get pod -l app=sleep -n ${from} -o jsonpath={.items..metadata.name})" -c sleep -n ${from} -- curl -s "http://httpbin.${to}:8000/ip" -s -o /dev/null -w "sleep.${from} to httpbin.${to}: %{http_code}\n"; done; done
+```
+```
+sleep.foo to httpbin.foo: 200
+sleep.foo to httpbin.bar: 200
+sleep.foo to httpbin.legacy: 200
+sleep.bar to httpbin.foo: 200
+sleep.bar to httpbin.bar: 200
+sleep.bar to httpbin.legacy: 200
+sleep.legacy to httpbin.foo: 200
+sleep.legacy to httpbin.bar: 200
+sleep.legacy to httpbin.legacy: 200
+```
+### check connectivity from host
+```
+k get po -n foo -w -owide
+curl 192.168.166.178
+```
+### check peerauthentication
+```
+kubectl get peerauthentication --all-namespaces
+```
+### there is no dr
+```
+kubectl get destinationrules.networking.istio.io --all-namespaces -o yaml | grep "host:"
+```
+### display headers to check the actual sidecar to sidecar communication is through mtls 
+```
+kubectl exec "$(kubectl get pod -l app=sleep -n foo -o jsonpath={.items..metadata.name})" -c sleep -n foo -- curl -s http://httpbin.foo:8000/headers
+ ```
+### while the communication from host to sidecar is through http
+```
+curl 192.168.166.178/headers
+```
+### Globally enabling Istio mutual TLS in STRICT mode
+```
+kubectl apply -f - <<EOF
+apiVersion: security.istio.io/v1beta1
+kind: PeerAuthentication
+metadata:
+  name: "default"
+  namespace: "istio-system"
+spec:
+  mtls:
+    mode: STRICT
+EOF
+```
+### check connectivity again and the connection from legacy to foo and bar are broken
+```
+for from in "foo" "bar" "legacy"; do for to in "foo" "bar" "legacy"; do kubectl exec "$(kubectl get pod -l app=sleep -n ${from} -o jsonpath={.items..metadata.name})" -c sleep -n ${from} -- curl "http://httpbin.${to}:8000/ip" -s -o /dev/null -w "sleep.${from} to httpbin.${to}: %{http_code}\n"; done; done
+```
+### overwrite the global rule
+```
+cat <<EOF | kubectl apply -n foo -f -
+apiVersion: security.istio.io/v1beta1
+kind: PeerAuthentication
+metadata:
+  name: "overwrite-example"
+  namespace: "foo"
+spec:
+  selector:
+    matchLabels:
+      app: httpbin
+  mtls:
+    mode: DISABLE
+EOF
+```
+### check connectivity again and the connection from legacy to foo is back and bar is broken
+```
+for from in "foo" "bar" "legacy"; do for to in "foo" "bar" "legacy"; do kubectl exec "$(kubectl get pod -l app=sleep -n ${from} -o jsonpath={.items..metadata.name})" -c sleep -n ${from} -- curl "http://httpbin.${to}:8000/ip" -s -o /dev/null -w "sleep.${from} to httpbin.${to}: %{http_code}\n"; done; done
+```