We should break the following section into 3 separate sections
pod=$(kubectl --context ${CLUSTER1} -n bookinfo-frontends get pods -l app=productpage -o jsonpath='{.items[0].metadata.name}')
echo "From productpage to details, should be allowed"
kubectl --context ${CLUSTER1} -n bookinfo-frontends debug -i -q ${pod} --image=curlimages/curl -- curl -s http://details.bookinfo-backends:9080/details/0 | jq
echo "From productpage to reviews, should be allowed"
kubectl --context ${CLUSTER1} -n bookinfo-frontends debug -i -q ${pod} --image=curlimages/curl -- curl -s http://reviews.bookinfo-backends:9080/reviews/0 | jq
echo "From productpage to ratings, should be denied"
kubectl --context ${CLUSTER1} -n bookinfo-frontends debug -i -q ${pod} --image=curlimages/curl -- curl -s http://ratings.bookinfo-backends:9080/ratings/0 -i
Module 3
If you refresh your browser, you should see that you get a response either from the local service or from the external service.
^ this currently fails-
# curl -k https://10.5.0.254/get
error:
upstream connect error or disconnect/reset before headers. retried and the latest reset reason: connection failure, transport failure reason: TLS error: 268435581:SSL routines:OPENSSL_internal:CERTIFICATE_VERIFY_FAILED
RESOURCE NAME TYPE STATUS VALID CERT SERIAL NUMBER NOT AFTER NOT BEFORE
kubernetes://tls-secret CA ACTIVE true 417331438521364388010583664345130880179005978002 2024-03-31T13:24:41Z 2023-04-01T13:24:41Z
default Cert Chain ACTIVE true 138903141074340073272611178638063452375 2023-04-02T14:26:31Z 2023-04-01T14:24:31Z
ROOTCA CA ACTIVE true 268534852559328264948732062514656608914 2024-03-31T14:26:12Z 2023-04-01T14:26:12Z
istioctl --context $CLUSTER1 pc secrets -n httpbin deploy/in-mesh
RESOURCE NAME TYPE STATUS VALID CERT SERIAL NUMBER NOT AFTER NOT BEFORE
default Cert Chain ACTIVE true 205165220293220887344568674427115039589 2023-04-02T12:45:12Z 2023-04-01T12:43:12Z
ROOTCA CA ACTIVE true 40700971172074859705572646854716953212 2033-03-29T12:43:20Z 2023-04-01T12:43:20Z
solution
restart the deployment so that it picks the new cert from istio
kubectl --context $CLUSTER1 -n httpbin rollout restart deployment/in-mesh
After,
Also, When we switch back to the original RT before the Zero Trust section of module 2, we should add a note on why we are switching back
Making this command and others multiline would improve readability-
Rather than doing a kubectl debug, it might be easier to do this via a sleep pod Current:
Proposed:
We should break the following section into 3 separate sections
Module 3
^ this currently fails-
error:
solution
kubectl --context $CLUSTER1 -n httpbin rollout restart deployment/in-mesh