apiVersion: v1 kind: Namespace metadata: labels: istio-injection: enabled name: bookstore-servicemesh --- apiVersion: v1 kind: ServiceAccount metadata: name: book-admin namespace: bookstore-servicemesh --- apiVersion: rbac.authorization.k8s.io/v1beta1 kind: Role metadata: name: book-admin-role namespace: bookstore-servicemesh rules: - apiGroups: - "" resources: - namespaces - endpoints - services - nodes - nodes/proxy - pods - configmaps verbs: - list - get - watch --- apiVersion: rbac.authorization.k8s.io/v1beta1 kind: RoleBinding metadata: name: book-admin-role-binding namespace: bookstore-servicemesh roleRef: apiGroup: rbac.authorization.k8s.io kind: Role name: book-admin-role subjects: - kind: ServiceAccount name: book-admin namespace: bookstore-servicemesh --- apiVersion: v1 data: application.yaml: |- database: hsqldb spring: datasource: schema: "classpath:db/${database}/schema.sql" data: "classpath:db/${database}/data.sql" sql-script-encoding: UTF-8 jpa: show-sql: false hibernate: ddl-auto: none open-in-view: false resources: chain: compressed: true cache: true cache: period: 86400 logging: pattern: console: "%clr(%d{HH:mm:ss.SSS}){faint} %clr(${LOG_LEVEL_PATTERN:%5p}) %clr(-){faint} %clr([%t]){faint} %clr(%-40logger{39}){cyan}[%line]%clr(:){faint} %m%n${LOG_EXCEPTION_CONVERSION_WORD:%wEx}" level: root: INFO server: port: ${PORT:80} kind: ConfigMap metadata: name: account namespace: bookstore-servicemesh --- apiVersion: v1 data: application.yaml: |- database: hsqldb logging: pattern: console: "%clr(%d{HH:mm:ss.SSS}){faint} %clr(${LOG_LEVEL_PATTERN:%5p}) %clr(-){faint} %clr([%t]){faint} %clr(%-40logger{39}){cyan}[%line]%clr(:){faint} %m%n${LOG_EXCEPTION_CONVERSION_WORD:%wEx}" level: root: INFO server: port: ${PORT:80} kind: ConfigMap metadata: name: authentication namespace: bookstore-servicemesh --- apiVersion: v1 data: application.yaml: |- server: port: ${PORT:80} logging: level: root: INFO kind: ConfigMap metadata: name: frontend namespace: bookstore-servicemesh --- apiVersion: v1 data: application.yaml: |- database: hsqldb spring: datasource: schema: "classpath:db/${database}/schema.sql" data: "classpath:db/${database}/data.sql" sql-script-encoding: UTF-8 jpa: show-sql: false hibernate: ddl-auto: none open-in-view: false resources: chain: compressed: true cache: true cache: period: 86400 logging: pattern: console: "%clr(%d{HH:mm:ss.SSS}){faint} %clr(${LOG_LEVEL_PATTERN:%5p}) %clr(-){faint} %clr([%t]){faint} %clr(%-40logger{39}){cyan}[%line]%clr(:){faint} %m%n${LOG_EXCEPTION_CONVERSION_WORD:%wEx}" level: root: INFO server: port: ${PORT:80} kind: ConfigMap metadata: name: payment namespace: bookstore-servicemesh --- apiVersion: v1 data: application.yaml: |- database: hsqldb spring: datasource: schema: "classpath:db/${database}/schema.sql" data: "classpath:db/${database}/data.sql" sql-script-encoding: UTF-8 jpa: show-sql: false hibernate: ddl-auto: none open-in-view: false resources: chain: compressed: true cache: true cache: period: 86400 logging: pattern: console: "%clr(%d{HH:mm:ss.SSS}){faint} %clr(${LOG_LEVEL_PATTERN:%5p}) %clr(-){faint} %clr([%t]){faint} %clr(%-40logger{39}){cyan}[%line]%clr(:){faint} %m%n${LOG_EXCEPTION_CONVERSION_WORD:%wEx}" level: root: INFO server: port: ${PORT:80} kind: ConfigMap metadata: name: warehouse namespace: bookstore-servicemesh --- apiVersion: v1 kind: Service metadata: labels: app: account name: account namespace: bookstore-servicemesh spec: ports: - name: http-server port: 80 targetPort: http-server selector: app: account type: ClusterIP --- apiVersion: v1 kind: Service metadata: labels: app: authentication name: authentication namespace: bookstore-servicemesh spec: ports: - name: http-server port: 80 targetPort: http-server selector: app: authentication type: ClusterIP --- apiVersion: v1 kind: Service metadata: labels: app: frontend name: frontend namespace: bookstore-servicemesh spec: ports: - name: http-server port: 80 targetPort: http-server selector: app: frontend type: ClusterIP --- apiVersion: v1 kind: Service metadata: labels: app: payment name: payment namespace: bookstore-servicemesh spec: ports: - name: http-server port: 80 targetPort: http-server selector: app: payment type: ClusterIP --- apiVersion: v1 kind: Service metadata: labels: app: warehouse name: warehouse namespace: bookstore-servicemesh spec: ports: - name: http-server port: 80 targetPort: http-server selector: app: warehouse type: ClusterIP --- apiVersion: apps/v1 kind: Deployment metadata: labels: app: account name: bookstore-servicemesh-domain-account namespace: bookstore-servicemesh spec: replicas: 1 selector: matchLabels: app: account template: metadata: labels: app: account spec: containers: - env: - name: PORT value: "80" - name: JAVA_TOOL_OPTIONS value: -agentlib:jdwp=transport=dt_socket,server=y,address=5005,suspend=n,quiet=y image: icyfenix/bookstore-istio-domain-account name: account ports: - containerPort: 80 name: http-server volumeMounts: - mountPath: config name: account-config serviceAccountName: book-admin volumes: - configMap: items: - key: application.yaml path: application.yaml name: account name: account-config --- apiVersion: apps/v1 kind: Deployment metadata: labels: app: authentication name: bookstore-servicemesh-domain-authentication namespace: bookstore-servicemesh spec: replicas: 1 selector: matchLabels: app: authentication template: metadata: labels: app: authentication spec: containers: - env: - name: PORT value: "80" - name: JAVA_TOOL_OPTIONS value: -agentlib:jdwp=transport=dt_socket,server=y,address=5005,suspend=n,quiet=y image: icyfenix/bookstore-istio-domain-authentication name: authentication ports: - containerPort: 80 name: http-server volumeMounts: - mountPath: config name: authentication-config serviceAccountName: book-admin volumes: - configMap: items: - key: application.yaml path: application.yaml name: authentication name: authentication-config --- apiVersion: apps/v1 kind: Deployment metadata: labels: app: frontend name: bookstore-servicemesh-domain-frontend namespace: bookstore-servicemesh spec: replicas: 1 selector: matchLabels: app: frontend template: metadata: labels: app: frontend spec: containers: - env: - name: PORT value: "80" - name: JAVA_TOOL_OPTIONS value: -agentlib:jdwp=transport=dt_socket,server=y,address=5005,suspend=n,quiet=y image: icyfenix/bookstore-istio-domain-frontend name: gateway ports: - containerPort: 80 name: http-server volumeMounts: - mountPath: config name: frontend-config serviceAccountName: book-admin volumes: - configMap: items: - key: application.yaml path: application.yaml name: frontend name: frontend-config --- apiVersion: apps/v1 kind: Deployment metadata: labels: app: payment name: bookstore-servicemesh-domain-payment namespace: bookstore-servicemesh spec: replicas: 1 selector: matchLabels: app: payment template: metadata: labels: app: payment spec: containers: - env: - name: PORT value: "80" - name: JAVA_TOOL_OPTIONS value: -agentlib:jdwp=transport=dt_socket,server=y,address=5005,suspend=n,quiet=y image: icyfenix/bookstore-istio-domain-payment name: payment ports: - containerPort: 80 name: http-server volumeMounts: - mountPath: config name: payment-config serviceAccountName: book-admin volumes: - configMap: items: - key: application.yaml path: application.yaml name: payment name: payment-config --- apiVersion: apps/v1 kind: Deployment metadata: labels: app: warehouse name: bookstore-servicemesh-domain-warehouse namespace: bookstore-servicemesh spec: replicas: 1 selector: matchLabels: app: warehouse template: metadata: labels: app: warehouse spec: containers: - env: - name: PORT value: "80" - name: JAVA_TOOL_OPTIONS value: -agentlib:jdwp=transport=dt_socket,server=y,address=5005,suspend=n,quiet=y image: icyfenix/bookstore-istio-domain-warehouse name: warehouse ports: - containerPort: 80 name: http-server volumeMounts: - mountPath: config name: warehouse-config serviceAccountName: book-admin volumes: - configMap: items: - key: application.yaml path: application.yaml name: warehouse name: warehouse-config --- apiVersion: networking.istio.io/v1alpha3 kind: Gateway metadata: name: bookstore-gateway namespace: bookstore-servicemesh spec: selector: istio: ingressgateway servers: - port: number: 8080 name: http protocol: HTTP hosts: - "*" --- apiVersion: networking.istio.io/v1alpha3 kind: VirtualService metadata: name: bookstore namespace: bookstore-servicemesh spec: hosts: - "*" gateways: - bookstore-gateway http: - match: - uri: prefix: /restful/accounts route: - destination: host: account port: number: 80 - match: - uri: prefix: /restful/pay - uri: prefix: /restful/settlements route: - destination: host: payment port: number: 80 - match: - uri: prefix: /restful/advertisements - uri: prefix: /restful/products route: - destination: host: warehouse port: number: 80 - match: - uri: prefix: /oauth route: - destination: host: authentication port: number: 80 - route: - destination: host: frontend port: number: 80 --- apiVersion: networking.istio.io/v1alpha3 kind: DestinationRule metadata: name: frontend namespace: bookstore-servicemesh spec: host: frontend --- apiVersion: networking.istio.io/v1alpha3 kind: DestinationRule metadata: name: account namespace: bookstore-servicemesh spec: host: account --- apiVersion: networking.istio.io/v1alpha3 kind: DestinationRule metadata: name: payment namespace: bookstore-servicemesh spec: host: payment --- apiVersion: networking.istio.io/v1alpha3 kind: DestinationRule metadata: name: warehouse namespace: bookstore-servicemesh spec: host: warehouse --- apiVersion: networking.istio.io/v1alpha3 kind: DestinationRule metadata: name: authentication namespace: bookstore-servicemesh spec: host: authentication --- apiVersion: security.istio.io/v1beta1 kind: AuthorizationPolicy metadata: name: authorization-request namespace: bookstore-servicemesh spec: action: DENY rules: - from: - source: notRequestPrincipals: ["*"] notNamespaces: ["bookstore-servicemesh"] to: - operation: paths: - /restful/accounts/* - /restful/pay/* - /restful/settlements* --- apiVersion: security.istio.io/v1beta1 kind: AuthorizationPolicy metadata: name: authorization-peer namespace: bookstore-servicemesh spec: action: ALLOW rules: - from: - source: namespaces: ["bookstore-servicemesh"] to: - operation: paths: - /restful/accounts/* - /restful/products* - /restful/pay/* - /restful/settlements* methods: ["GET","POST","PUT","PATCH"] - from: - source: namespaces: ["istio-system"] --- apiVersion: security.istio.io/v1beta1 kind: PeerAuthentication metadata: name: authentication-mtls namespace: bookstore-servicemesh spec: mtls: mode: STRICT --- apiVersion: security.istio.io/v1beta1 kind: PeerAuthentication metadata: name: authentication-mtls namespace: bookstore-servicemesh spec: mtls: mode: STRICT --- apiVersion: security.istio.io/v1beta1 kind: RequestAuthentication metadata: name: authentication-jwt-token namespace: bookstore-servicemesh spec: jwtRules: - issuer: "icyfenix@gmail.com" # Envoy默认只认“Bearer”作为JWT前缀,之前其他地方用的都是小写,这里专门兼容一下 fromHeaders: - name: Authorization prefix: "bearer " # 在rsa-key目录下放了用来生成这个JWKS的证书,最初是用java keytool生成的jks格式,一般转jwks都是用pkcs12或者pem格式,为方便使用也一起附带了 jwks: | { "keys": [ { "e": "AQAB", "kid": "bookstore-jwt-kid", "kty": "RSA", "n": "i-htQPOTvNMccJjOkCAzd3YlqBElURzkaeRLDoJYskyU59JdGO-p_q4JEH0DZOM2BbonGI4lIHFkiZLO4IBBZ5j2P7U6QYURt6-AyjS6RGw9v_wFdIRlyBI9D3EO7u8rCA4RktBLPavfEc5BwYX2Vb9wX6N63tV48cP1CoGU0GtIq9HTqbEQs5KVmme5n4XOuzxQ6B2AGaPBJgdq_K0ZWDkXiqPz6921X3oiNYPCQ22bvFxb4yFX8ZfbxeYc-1rN7PaUsK009qOx-qRenHpWgPVfagMbNYkm0TOHNOWXqukxE-soCDI_Nc--1khWCmQ9E2B82ap7IXsVBAnBIaV9WQ" } ] } forwardOriginalToken: true