Doc updates using loadbalancer with sail
adam-cattermole committed Nov 30, 2023
1 parent e2456db commit ad4678b
Showing 8 changed files with 66 additions and 40 deletions.
2 changes: 1 addition & 1 deletion Makefile
Expand Up @@ -284,7 +284,7 @@ local-deploy: ## Deploy Kuadrant Operator in the cluster pointed by KUBECONFIG
kubectl -n $(KUADRANT_NAMESPACE) wait --timeout=300s --for=condition=Available deployments --all
@echo
@echo "Now you can export the kuadrant gateway by doing:"
@echo "kubectl port-forward -n istio-system service/istio-ingressgateway 9080:80 &"
@echo "kubectl port-forward -n istio-system service/istio-ingressgateway-istio 9080:80 &"
@echo "after that, you can curl -H \"Host: myhost.com\" localhost:9080"
@echo "-- Linux only -- Ingress gateway is exported using nodePort service in port 9080"
@echo "curl -H \"Host: myhost.com\" localhost:9080"
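Review bot: the two `-- Linux only --` echo lines left unchanged below the renamed port-forward hint still tell the user the ingress gateway is exported through a nodePort service on port 9080. The commit title says the docs now use a load balancer, so please confirm the nodePort mapping still exists after this change; if it does not, these two lines should be dropped or replaced with the `GATEWAY_URL` lookup the user guides now use.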
24 changes: 16 additions & 8 deletions doc/user-guides/auth-for-app-devs-and-platform-engineers.md
Expand Up @@ -110,20 +110,28 @@ spec:
EOF
```

Export the gateway hostname and port:

```sh
export INGRESS_HOST=$(kubectl get gtw istio-ingressgateway -n istio-system -o jsonpath='{.status.addresses[0].value}')
export INGRESS_PORT=$(kubectl get gtw istio-ingressgateway -n istio-system -o jsonpath='{.spec.listeners[?(@.name=="http")].port}')
export GATEWAY_URL=$INGRESS_HOST:$INGRESS_PORT
```

Send requests to the application unprotected:

```sh
curl -H 'Host: api.toystore.com' http://localhost:9080/cars -i
curl -H 'Host: api.toystore.com' http://$GATEWAY_URL/cars -i
# HTTP/1.1 200 OK
```

```sh
curl -H 'Host: api.toystore.com' http://localhost:9080/dolls -i
curl -H 'Host: api.toystore.com' http://$GATEWAY_URL/dolls -i
# HTTP/1.1 200 OK
```

```sh
curl -H 'Host: api.toystore.com' http://localhost:9080/admin -i
curl -H 'Host: api.toystore.com' http://$GATEWAY_URL/admin -i
# HTTP/1.1 200 OK
```

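Review bot: the new export block reads `INGRESS_HOST` from `.status.addresses[0].value` without checking that the Gateway has been assigned an address. Run immediately after the Gateway is created, the jsonpath returns an empty string, `GATEWAY_URL` ends up with no host, and the three curls that follow fail with an error that does not point at the cause. Suggest waiting on the Gateway first (for example `kubectl wait --for=condition=Programmed` on the same `gtw istio-ingressgateway`), or at least adding an `echo $GATEWAY_URL` step so the reader can see the value is non-empty. The same three export lines are also pasted into three other guides in this commit, so any fix needs to be applied in each copy.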
Expand Down Expand Up @@ -199,22 +207,22 @@ EOF
Send requests to the application protected by Kuadrant:

```sh
curl -H 'Host: api.toystore.com' http://localhost:9080/cars -i
curl -H 'Host: api.toystore.com' http://$GATEWAY_URL/cars -i
# HTTP/1.1 401 Unauthorized
```

```sh
curl -H 'Host: api.toystore.com' -H 'Authorization: APIKEY iamaregularuser' http://localhost:9080/cars -i
curl -H 'Host: api.toystore.com' -H 'Authorization: APIKEY iamaregularuser' http://$GATEWAY_URL/cars -i
# HTTP/1.1 200 OK
```

```sh
curl -H 'Host: api.toystore.com' -H 'Authorization: APIKEY iamaregularuser' http://localhost:9080/admin -i
curl -H 'Host: api.toystore.com' -H 'Authorization: APIKEY iamaregularuser' http://$GATEWAY_URL/admin -i
# HTTP/1.1 403 Forbidden
```

```sh
curl -H 'Host: api.toystore.com' -H 'Authorization: APIKEY iamanadmin' http://localhost:9080/admin -i
curl -H 'Host: api.toystore.com' -H 'Authorization: APIKEY iamanadmin' http://$GATEWAY_URL/admin -i
# HTTP/1.1 200 OK
```

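Review bot: replacing `http://localhost:9080` with `http://$GATEWAY_URL` in the three `Authorization: APIKEY ...` requests means the API keys are now sent in cleartext to whatever address the Gateway status reports, rather than over a loopback port-forward. With the sample keys `iamaregularuser` and `iamanadmin` on a local cluster that is harmless, but the guide should state that these requests assume a local or otherwise trusted network, or point to an HTTPS listener, so readers do not carry the pattern over to real keys.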
Expand Down Expand Up @@ -274,7 +282,7 @@ EOF
Send requests to the route protected by the default policy set at the level of the gateway:

```sh
curl -H 'Host: foo.other-apps.com' http://localhost:9080/ -i
curl -H 'Host: foo.other-apps.com' http://$GATEWAY_URL/ -i
# HTTP/1.1 403 Forbidden
```

20 changes: 15 additions & 5 deletions doc/user-guides/authenticated-rl-for-app-developers.md
Expand Up @@ -86,17 +86,27 @@ spec:
EOF
```

Export the gateway hostname and port:

```sh
export INGRESS_HOST=$(kubectl get gtw istio-ingressgateway -n istio-system -o jsonpath='{.status.addresses[0].value}')
export INGRESS_PORT=$(kubectl get gtw istio-ingressgateway -n istio-system -o jsonpath='{.spec.listeners[?(@.name=="http")].port}')
export GATEWAY_URL=$INGRESS_HOST:$INGRESS_PORT
```

Verify the route works:

```sh
curl -H 'Host: api.toystore.com' http://localhost:9080/toy -i
curl -H 'Host: api.toystore.com' http://$GATEWAY_URL/toy -i
# HTTP/1.1 200 OK
```

> **Note**: If the command above fails to hit the Toy Store API on your environment, try forwarding requests to the service:
> **Note**: If the command above fails to hit the Toy Store API on your environment, try forwarding requests to the service and accessing over localhost:
>
> ```sh
> kubectl port-forward -n istio-system service/istio-ingressgateway 9080:80 2>&1 >/dev/null &
> curl -H 'Host: api.toystore.com' http://localhost:9080/toy -i
> # HTTP/1.1 200 OK
> ```
### ③ Enforce authentication on requests to the Toy Store API
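Review bot: the port-forward line in the fallback Note still targets `service/istio-ingressgateway`, while the Makefile hint in this same commit was changed to `service/istio-ingressgateway-istio`. If the service was renamed, this fallback will fail with a not-found error exactly when the reader needs it. Please confirm which name is current and use it here and in the identical Note in authenticated-rl-with-jwt-and-k8s-authnz.md.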
Expand Down Expand Up @@ -139,7 +149,7 @@ EOF
Verify the authentication works by sending a request to the Toy Store API without API key:

```sh
curl -H 'Host: api.toystore.com' http://localhost:9080/toy -i
curl -H 'Host: api.toystore.com' http://$GATEWAY_URL/toy -i
# HTTP/1.1 401 Unauthorized
# www-authenticate: APIKEY realm="api-key-users"
# x-ext-auth-reason: "credential not found"
Expand Down Expand Up @@ -225,13 +235,13 @@ Verify the rate limiting works by sending requests as Alice and Bob.
Up to 5 successful (`200 OK`) requests every 10 seconds allowed for Alice, then `429 Too Many Requests`:

```sh
while :; do curl --write-out '%{http_code}\n' --silent --output /dev/null -H 'Authorization: APIKEY IAMALICE' -H 'Host: api.toystore.com' http://localhost:9080/toy | egrep --color "\b(429)\b|$"; sleep 1; done
while :; do curl --write-out '%{http_code}\n' --silent --output /dev/null -H 'Authorization: APIKEY IAMALICE' -H 'Host: api.toystore.com' http://$GATEWAY_URL/toy | grep -E --color "\b(429)\b|$"; sleep 1; done
```

Up to 2 successful (`200 OK`) requests every 10 seconds allowed for Bob, then `429 Too Many Requests`:

```sh
while :; do curl --write-out '%{http_code}\n' --silent --output /dev/null -H 'Authorization: APIKEY IAMBOB' -H 'Host: api.toystore.com' http://localhost:9080/toy | egrep --color "\b(429)\b|$"; sleep 1; done
while :; do curl --write-out '%{http_code}\n' --silent --output /dev/null -H 'Authorization: APIKEY IAMBOB' -H 'Host: api.toystore.com' http://$GATEWAY_URL/toy | grep -E --color "\b(429)\b|$"; sleep 1; done
```

## Cleanup
32 changes: 21 additions & 11 deletions doc/user-guides/authenticated-rl-with-jwt-and-k8s-authnz.md
Expand Up @@ -82,17 +82,27 @@ kubectl apply -f examples/toystore/httproute.yaml

#### Try the API unprotected

Export the gateway hostname and port:

```sh
export INGRESS_HOST=$(kubectl get gtw istio-ingressgateway -n istio-system -o jsonpath='{.status.addresses[0].value}')
export INGRESS_PORT=$(kubectl get gtw istio-ingressgateway -n istio-system -o jsonpath='{.spec.listeners[?(@.name=="http")].port}')
export GATEWAY_URL=$INGRESS_HOST:$INGRESS_PORT
```

```sh
curl -H 'Host: api.toystore.com' http://localhost:9080/toy -i
curl -H 'Host: api.toystore.com' http://$GATEWAY_URL/toy -i
# HTTP/1.1 200 OK
```

It should return `200 OK`.

> **Note**: If the command above fails to hit the Toy Store API on your environment, try forwarding requests to the service:
> **Note**: If the command above fails to hit the Toy Store API on your environment, try forwarding requests to the service and accessing over localhost:
>
> ```sh
> kubectl port-forward -n istio-system service/istio-ingressgateway 9080:80 2>&1 >/dev/null &
> curl -H 'Host: api.toystore.com' http://localhost:9080/toy -i
> # HTTP/1.1 200 OK
> ```
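Review bot: in the fallback Note, the redirection `2>&1 >/dev/null` on the port-forward line leaves stderr attached to the terminal and sends only stdout to /dev/null, because redirections are applied left to right. If the intent is to silence the background process, it should read `>/dev/null 2>&1`. The Note is already being edited in this hunk, so this is a convenient place to fix it (the same line appears in authenticated-rl-for-app-developers.md).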
### ③ Deploy Keycloak
Expand Down Expand Up @@ -157,7 +167,7 @@ EOF
#### Try the API missing authentication

```sh
curl -H 'Host: api.toystore.com' http://localhost:9080/toy -i
curl -H 'Host: api.toystore.com' http://$GATEWAY_URL/toy -i
# HTTP/1.1 401 Unauthorized
# www-authenticate: Bearer realm="keycloak-users"
# www-authenticate: Bearer realm="k8s-service-accounts"
Expand All @@ -175,7 +185,7 @@ ACCESS_TOKEN=$(kubectl run token --attach --rm --restart=Never -q --image=curlim
Send a request to the API as the Keycloak-authenticated user while still missing permissions:

```sh
curl -H "Authorization: Bearer $ACCESS_TOKEN" -H 'Host: api.toystore.com' http://localhost:9080/toy -i
curl -H "Authorization: Bearer $ACCESS_TOKEN" -H 'Host: api.toystore.com' http://$GATEWAY_URL/toy -i
# HTTP/1.1 403 Forbidden
```

Expand All @@ -199,7 +209,7 @@ SA_TOKEN=$(kubectl create token client-app-1)
Send a request to the API as the service account while still missing permissions:

```sh
curl -H "Authorization: Bearer $SA_TOKEN" -H 'Host: api.toystore.com' http://localhost:9080/toy -i
curl -H "Authorization: Bearer $SA_TOKEN" -H 'Host: api.toystore.com' http://$GATEWAY_URL/toy -i
# HTTP/1.1 403 Forbidden
```

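Review bot: `$SA_TOKEN` is produced by `kubectl create token client-app-1` (visible in the hunk header), so it is a live Kubernetes service account credential, and the changed curl now sends it over plain `http://` to `$GATEWAY_URL` instead of to localhost. The guide should say that this assumes a local or trusted network. It would also help to issue the token with a short `--duration` so a copy captured in transit expires quickly. The same applies to the other `Bearer $SA_TOKEN` and `Bearer $ACCESS_TOKEN` requests changed in this file.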
Expand Down Expand Up @@ -281,24 +291,24 @@ EOF
Send requests to the API as the Keycloak-authenticated user:

```sh
curl -H "Authorization: Bearer $ACCESS_TOKEN" -H 'Host: api.toystore.com' http://localhost:9080/toy -i
curl -H "Authorization: Bearer $ACCESS_TOKEN" -H 'Host: api.toystore.com' http://$GATEWAY_URL/toy -i
# HTTP/1.1 200 OK
```

```sh
curl -H "Authorization: Bearer $ACCESS_TOKEN" -H 'Host: api.toystore.com' -X POST http://localhost:9080/admin/toy -i
curl -H "Authorization: Bearer $ACCESS_TOKEN" -H 'Host: api.toystore.com' -X POST http://$GATEWAY_URL/admin/toy -i
# HTTP/1.1 200 OK
```

Send requests to the API as the Kubernetes service account:

```sh
curl -H "Authorization: Bearer $SA_TOKEN" -H 'Host: api.toystore.com' http://localhost:9080/toy -i
curl -H "Authorization: Bearer $SA_TOKEN" -H 'Host: api.toystore.com' http://$GATEWAY_URL/toy -i
# HTTP/1.1 200 OK
```

```sh
curl -H "Authorization: Bearer $SA_TOKEN" -H 'Host: api.toystore.com' -X POST http://localhost:9080/admin/toy -i
curl -H "Authorization: Bearer $SA_TOKEN" -H 'Host: api.toystore.com' -X POST http://$GATEWAY_URL/admin/toy -i
# HTTP/1.1 403 Forbidden
```

Expand Down Expand Up @@ -339,13 +349,13 @@ Each user should be entitled to a maximum of 5 requests every 10 seconds.
Send requests as the Keycloak-authenticated user:

```sh
while :; do curl --write-out '%{http_code}\n' --silent --output /dev/null -H "Authorization: Bearer $ACCESS_TOKEN" -H 'Host: api.toystore.com' http://localhost:9080/toy | egrep --color "\b(429)\b|$"; sleep 1; done
while :; do curl --write-out '%{http_code}\n' --silent --output /dev/null -H "Authorization: Bearer $ACCESS_TOKEN" -H 'Host: api.toystore.com' http://$GATEWAY_URL/toy | grep -E --color "\b(429)\b|$"; sleep 1; done
```

Send requests as the Kubernetes service account:

```sh
while :; do curl --write-out '%{http_code}\n' --silent --output /dev/null -H "Authorization: Bearer $SA_TOKEN" -H 'Host: api.toystore.com' http://localhost:9080/toy | egrep --color "\b(429)\b|$"; sleep 1; done
while :; do curl --write-out '%{http_code}\n' --silent --output /dev/null -H "Authorization: Bearer $SA_TOKEN" -H 'Host: api.toystore.com' http://$GATEWAY_URL/toy | grep -E --color "\b(429)\b|$"; sleep 1; done
```

## Cleanup
5 changes: 0 additions & 5 deletions doc/user-guides/gateway-dns.md
Expand Up @@ -31,11 +31,6 @@ Deploy policy controller and install DNSPolicy CRD:
make deploy-policy-controller
```

Install metallb:
```shell
make install-metallb
```

Create a namespace:
```shell
kubectl create namespace my-gateways
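Review bot: the "Install metallb" step is removed here with nothing visible in the hunk to replace it, yet the rest of the commit depends on the Gateway receiving a load balancer address. If an earlier setup target now installs the load balancer, the prerequisites should say so explicitly; otherwise a reader following this guide on a fresh cluster ends up with a Gateway that never gets an address. gateway-tls.md has the same removal and needs the same clarification.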
4 changes: 2 additions & 2 deletions doc/user-guides/gateway-rl-for-cluster-operators.md
Expand Up @@ -188,13 +188,13 @@ kubectl port-forward -n istio-system service/internal-istio 9082:80 2>&1 >/dev/n
Up to 5 successful (`200 OK`) requests every 10 seconds through the `external` ingress gateway (`*.io`), then `429 Too Many Requests`:

```sh
while :; do curl --write-out '%{http_code}\n' --silent --output /dev/null -H 'Host: api.toystore.io' http://localhost:9081 | egrep --color "\b(429)\b|$"; sleep 1; done
while :; do curl --write-out '%{http_code}\n' --silent --output /dev/null -H 'Host: api.toystore.io' http://localhost:9081 | grep -E --color "\b(429)\b|$"; sleep 1; done
```

Unlimited successful (`200 OK`) through the `internal` ingress gateway (`*.local`):

```sh
while :; do curl --write-out '%{http_code}\n' --silent --output /dev/null -H 'Host: api.toystore.local' http://localhost:9082 | egrep --color "\b(429)\b|$"; sleep 1; done
while :; do curl --write-out '%{http_code}\n' --silent --output /dev/null -H 'Host: api.toystore.local' http://localhost:9082 | grep -E --color "\b(429)\b|$"; sleep 1; done
```

## Cleanup
5 changes: 0 additions & 5 deletions doc/user-guides/gateway-tls.md
Expand Up @@ -30,11 +30,6 @@ Deploy policy controller and install TLSPolicy CRD:
make deploy-policy-controller
```

Install metallb:
```shell
make install-metallb
```

Create a namespace:
```shell
kubectl create namespace my-gateways
14 changes: 11 additions & 3 deletions doc/user-guides/simple-rl-for-app-developers.md
Expand Up @@ -87,10 +87,18 @@ spec:
EOF
```

Export the gateway hostname and port:

```sh
export INGRESS_HOST=$(kubectl get gtw istio-ingressgateway -n istio-system -o jsonpath='{.status.addresses[0].value}')
export INGRESS_PORT=$(kubectl get gtw istio-ingressgateway -n istio-system -o jsonpath='{.spec.listeners[?(@.name=="http")].port}')
export GATEWAY_URL=$INGRESS_HOST:$INGRESS_PORT
```

Verify the route works:

```sh
curl -H 'Host: api.toystore.com' http://localhost:9080/toys -i
curl -H 'Host: api.toystore.com' http://$GATEWAY_URL/toys -i
# HTTP/1.1 200 OK
```

Expand Down Expand Up @@ -141,13 +149,13 @@ Verify the rate limiting works by sending requests in a loop.
Up to 5 successful (`200 OK`) requests every 10 seconds to `POST /toys`, then `429 Too Many Requests`:

```sh
while :; do curl --write-out '%{http_code}\n' --silent --output /dev/null -H 'Host: api.toystore.com' http://localhost:9080/toys -X POST | egrep --color "\b(429)\b|$"; sleep 1; done
while :; do curl --write-out '%{http_code}\n' --silent --output /dev/null -H 'Host: api.toystore.com' http://$GATEWAY_URL/toys -X POST | grep -E --color "\b(429)\b|$"; sleep 1; done
```

Unlimited successful (`200 OK`) to `GET /toys`:

```sh
while :; do curl --write-out '%{http_code}\n' --silent --output /dev/null -H 'Host: api.toystore.com' http://localhost:9080/toys | egrep --color "\b(429)\b|$"; sleep 1; done
while :; do curl --write-out '%{http_code}\n' --silent --output /dev/null -H 'Host: api.toystore.com' http://$GATEWAY_URL/toys | grep -E --color "\b(429)\b|$"; sleep 1; done
```

## Cleanup