solo-io / hoot Goto Github PK

code from hoot episodes

Go 68.07% Shell 14.01% Open Policy Agent 11.54% C 1.47% Dockerfile 0.25% Makefile 1.74% Rust 2.92%

hoot's Introduction

Hoot - Learn Kubernetes, Envoy, Istio, eBPF and GraphQL

We understand it is important for you to learn Envoy, Istio, Kubernetes, eBPF and GraphQL as part of your journey to cloud native so you can make sense of any technology or architecture decision. Hoot is designed to help you learn these technologies so you can be well prepared at your job!

Upcoming episodes

View Episode Calendar | Add Google Calendar

Suggest a topic

Please open an issue if you have an idea for a topic we should cover or a guest we should invite.

Previous episodes

This repo contains the code, slides and show notes for our Hoot series:

The full playlist:

Youtube Playlist.

Videos:

Episode 1: Intro to envoy - https://www.youtube.com/watch?v=KsO4pw4tEGA
Episode 2: Observe envoy - https://www.youtube.com/watch?v=ZthWg-_Bg_c
Episode 3: Securing enovy - https://www.youtube.com/watch?v=TwsT7oJpEas
Episode 4: Envoy, XDS - https://www.youtube.com/watch?v=S5Fm1Yhomc4
Episode 5: Envoy filters - https://www.youtube.com/watch?v=Po0Z9jTECfQ
Episode 6: Envoy WASM filters - https://www.youtube.com/watch?v=8fty-sqFyoY
Episode 7: Into to OPA - https://www.youtube.com/watch?v=iaDuJIZj6Yw
Episode 8: OPA + Envoy - https://www.youtube.com/watch?v=X1sdpMkHW9U
Episode 9: GitOps + Flux - https://www.youtube.com/watch?v=KKOARkFcllU
Episode 10: Waypoint - https://www.youtube.com/watch?v=VSr1hXPP2vQ
Episode 11: Advanced Istio Configuration with Envoy CRDs https://www.youtube.com/watch?v=sUkeFAERvE8
Episode 12: Hitless Deploys - https://www.youtube.com/watch?v=xYFx0a0W9_E
Episode 13: Approaches to Multi-Cluster Networking in Service Mesh (and Istio) - https://www.youtube.com/watch?v=9kl7CR8MH-w
Episode 14: Istio Debugging - https://www.youtube.com/watch?v=QLuQB_JdzvU
Episode 15: Envoy + External Services - https://www.youtube.com/watch?v=Veib7duO0vw
Episode 16: Adding real-time updates to OPA with OPAL - https://www.youtube.com/watch?v=n2TdVmY8CLI
Episode 17: Envoy + Rate Limiting - https://www.youtube.com/watch?v=1Y4kOu2TJ1k
Episode 18: Envoy Filters - https://www.youtube.com/watch?v=yOtEG1luTwU
Episode 19: eBPF: A Top-Down view - https://www.youtube.com/watch?v=PqghsyBF7ug
Episode 20: 1-Click Upgrade to Istio 1.13 using Helm - https://www.youtube.com/watch?v=Q3G5TEmXq7o
Episode 21: Istio In Action Book Highlight - https://www.youtube.com/watch?v=gpWuVnOyWnE
Episode 22: Accelerate your mesh with eBPF and Merbridge - https://www.youtube.com/watch?v=r2wgInmsqsU
Episode 23: HOW to increase application resiliency for Kubernetes services running on Spot VMs - https://www.youtube.com/watch?v=WIcWekCQTJU
Episode 24: Debug Envoy Configs and Analyze Access Logs - https://www.youtube.com/watch?v=OQFFIXFeZns
Episode 25: Istio + Spire + VM - https://www.youtube.com/watch?v=WOPoNqfrhb4
Episode 26: Declarative Kubernetes Lifecycle Management Across Multi-Clusters/Clouds with Cluster API - https://www.youtube.com/watch?v=fKeqbkGiHog
Episode 27: Gloo Cilium and Istio Seamlessly Together - https://www.youtube.com/watch?v=bAjAJtQioPU
Episode 28: What is new in Istio 1.14? - https://www.youtube.com/watch?v=XxMAjo8yrLI
Episode 29: Porting eBPF applications to BumbleBee - https://www.youtube.com/watch?v=NQcOQ1-sJII
Episode 30: HTTP/3 With Envoy Explained - https://www.youtube.com/watch?v=TjaJ5oMxNpc
Episode 31: Cilium L7 Policies vs Istio’s - https://youtu.be/d4mEnVZKum8
Episode 32: GraphQL for Developers or Platform Team? - https://youtu.be/cFcIb1mh998
Episode 33: Speed your Istio development environment with vcluster - https://youtu.be/b7OkYjvLf4Y
Episode 34: Optional Sidecar? A Tour of Cilium Service Mesh - https://t.co/2ZtJ40wFdw
Episode 35: Successes? Lessons? Istio @ Quizlet - https://www.youtube.com/watch?v=ESIG-ZQ4j-I
Episode 36: Istio ambient, what does it mean to you? - https://www.youtube.com/watch?v=fCX6hkj_xeQ
EPisode 37: Common Questions for Istio Ambient - https://www.youtube.com/watch?v=aXGwaSV1K1s
Episode 38: What Istio ambient means for your wallet - https://www.youtube.com/watch?v=nQtN0BJZ8lw
Episode 39: Ambient and Gloo Mesh - https://www.youtube.com/watch?v=vxy-yqarirY
Episode 40: Ask Us Anything about Istio Ambient Explained Book - https://www.youtube.com/watch?v=fyX1PrRaTf4
Episode 41: What is NEW in Istio 1.16? - https://www.youtube.com/watch?v=hO8PlznWbmI
Episode 42: Rust-based ztunnel for Istio ambient mesh? - https://www.youtube.com/watch?v=nyd_hxCWnds
Episode 43: Successes? Lessons? Istio @ Virtru - https://www.youtube.com/watch?v=NP7JTXlQkI8
Episode 44: Overview of SPIRE - https://www.youtube.com/watch?v=MuYmhc4mJHI
Episode 45: Solve Large Volumes of Metrics Challenges with Istio Service Mesh and Open Telemetry - https://www.youtube.com/watch?v=TGZrwk3L-mo
Episode 46: Istio Ambient Service Mesh & Rust-Based Ztunnel Update - https://www.youtube.com/watch?v=fCYAvsk_vlw
Episode 47: Rotating certificates in Istio - https://www.youtube.com/watch?v=hD7L-haWJew
Episode 48: GitOps and Service Mesh for Resilient and Secure Operations - https://www.youtube.com/watch?v=hYHgUPO13pw
Episode 49: Configuring external services with Istio's ServiceEntry - https://www.youtube.com/watch?v=FOFzetag9d4
Episode 50: Kubernetes Networking and Cilium - Part 1 - https://www.youtube.com/watch?v=TxPEpArfjwY
Episode 51: Kubernetes Networking and Cilium - Part 2 - https://www.youtube.com/watch?v=he2sLeJsMqU
Episode 52: Istio and Open Policy Agent (OPA) - https://www.youtube.com/watch?v=EnckV6lyre8
Episode 53: Cut Service Mesh Overhead by 90% or More with Istio Ambient Mesh - https://www.youtube.com/watch?v=AHujRw0H8F4

hoot's People

Contributors

Stargazers

Watchers

hoot's Issues

episode suggestion:

Envoy Filters

episode suggestion: Approaches to MultiCluster

episode suggestion: `type.googleapis.com/envoy.extensions.filters.http.oauth2.v3.OAuth2` using `secret discovery service (SDS)` using `go-control-plane`

Thank you for recording the Envoy sessions. They have been very useful in learning more about Envoy.

That said, I would like to see an episode of configuring the OAuth2 filter which requires a token_secret and a hmac_secret. These can be configured as static_resources or as separate files but I would like to stream these secrets back using https://github.com/envoyproxy/envoy/blob/v1.23.0/api/envoy/service/secret/v3/sds.proto#L29 using the https://github.com/envoyproxy/go-control-plane/blob/main/envoy/service/secret/v3/sds.pb.go#L219 callback.

Here, https://github.com/veehaitch/envoy-oauth2-filter-google, is an example of defining the secrets using files, which is not what I want to do.

I cannot find a good/working example online of using the secret discovery service (SDS) to stream back the secrets using the go-control-plane.

I would appreciate it if you made an episode on how to do this.

References

OAuth2 docs: https://www.envoyproxy.io/docs/envoy/v1.23.0/configuration/http/http_filters/oauth2_filter
Secret discovery service (SDS) docs: https://www.envoyproxy.io/docs/envoy/v1.23.0/configuration/security/secret

Error encountered during local setup of 44-overview-of-spire

I'm following this guide to setup Spire with Istio on local. Can you please help?

Encountering the following issue in the when I'm setting up the Istio.
istioctl install -f demo/istio-spire-config.yaml

Error Message
2023-09-05T13:20:05.327609Z warning envoy config external/envoy/source/common/config/grpc_stream.h:153 StreamSecrets gRPC config stream to sds-grpc closed: 3, workload is not authorized for the requested identities ["default"] thread=17

As per the video at 42:15, you've advised to create a resource of type "ClusterSPIFFEID", which I did. However, this issue is not getting resolved.

% k -n spire describe ClusterSPIFFEID service-account-spiffeid Name: service-account-spiffeid Namespace: Labels: <none> Annotations: <none> API Version: spire.spiffe.io/v1alpha1 Kind: ClusterSPIFFEID Metadata: Creation Timestamp: 2023-09-05T12:40:41Z Generation: 1 Managed Fields: API Version: spire.spiffe.io/v1alpha1 Fields Type: FieldsV1 fieldsV1: f:metadata: f:annotations: .: f:kubectl.kubernetes.io/last-applied-configuration: f:spec: .: f:dnsNameTemplates: f:spiffeIDTemplate: Manager: kubectl-client-side-apply Operation: Update Time: 2023-09-05T12:40:41Z Resource Version: 546 UID: a448b7de-5ed3-471d-b3c3-29f1147ff113 Spec: Dns Name Templates: {{ .PodMeta.Name }} Spiffe ID Template: spiffe://{{ .TrustDomain }}/ns/{{ .PodMeta.Namespace }}/sa/{{ .PodSpec.ServiceAccountName }} Events: <none>

My spire server pod sporadically crashes, but could be unrelated, but still posting it here.
spire-server-0 1/2 CrashLoopBackOff 7 (24s ago) 29m

"spiffe:///spire-controller-manager-webhook" subject= subsystem_name=api
time="2023-09-05T13:37:17Z" level=debug msg="Rotating server SVID" subsystem_name=svid_rotator
time="2023-09-05T13:37:17Z" level=debug msg="Signed X509 SVID" expiration="2023-09-05T14:37:17Z" spiffe_id="spiffe:///spire/server" subsystem_name=svid_rotator

In the spire-controller-manager controller, I see the following error messages

rustDomain"} 2023-09-05T13:34:13Z INFO Starting EventSource {"controller": "pod", "controllerGroup": "", "controllerKind": "Pod", "source": "kind source: *v1.Pod"} 2023-09-05T13:34:13Z INFO Starting Controller {"controller": "pod", "controllerGroup": "", "controllerKind": "Pod"} 2023-09-05T13:34:13Z ERROR controller-runtime.source.EventHandler if kind is a CRD, it should be installed before calling Start {"kind": "ClusterStaticEntry.spire.spiffe.io", "error": "no matches for kind \"ClusterStaticEntry\" in version \"spire.spiffe.io/v1alpha1\""} sigs.k8s.io/controller-runtime/pkg/internal/source.(*Kind).Start.func1.1 /go/pkg/mod/sigs.k8s.io/[email protected]/pkg/internal/source/kind.go:63 k8s.io/apimachinery/pkg/util/wait.loopConditionUntilContext.func1 /go/pkg/mod/k8s.io/[email protected]/pkg/util/wait/loop.go:49 k8s.io/apimachinery/pkg/util/wait.loopConditionUntilContext /go/pkg/mod/k8s.io/[email protected]/pkg/util/wait/loop.go:50 k8s.io/apimachinery/pkg/util/wait.PollUntilContextCancel /go/pkg/mod/k8s.io/[email protected]/pkg/util/wait/poll.go:33 sigs.k8s.io/controller-runtime/pkg/internal/source.(*Kind).Start.func1 /go/pkg/mod/sigs.k8s.io/[email protected]/pkg/internal/source/kind.go:56 2023-09-05T13:34:13Z ERROR controller-runtime.source.EventHandler if kind is a CRD, it should be installed before calling Start {"kind": "ClusterStaticEntry.spire.spiffe.io", "error": "no matches for kind \"ClusterStaticEntry\" in version \"spire.spiffe.io/v1alpha1\""} sigs.k8s.io/controller-runtime/pkg/internal/source.(*Kind).Start.func1.1 /go/pkg/mod/sigs.k8s.io/[email protected]/pkg/internal/source/kind.go:63 k8s.io/apimachinery/pkg/util/wait.loopConditionUntilContext.func2 /go/pkg/mod/k8s.io/[email protected]/pkg/util/wait/loop.go:73 k8s.io/apimachinery/pkg/util/wait.loopConditionUntilContext /go/pkg/mod/k8s.io/[email protected]/pkg/util/wait/loop.go:74 k8s.io/apimachinery/pkg/util/wait.PollUntilContextCancel /go/pkg/mod/k8s.io/[email protected]/pkg/util/wait/poll.go:33 sigs.k8s.io/controller-runtime/pkg/internal/source.(*Kind).Start.func1 /go/pkg/mod/sigs.k8s.io/[email protected]/pkg/internal/source/kind.go:56 2023-09-05T13:34:13Z INFO entry-reconciler New unsupported fields in SPIRE server found {"fields": "hint"} 2023-09-05T13:34:13Z ERROR entry-reconciler Failed to list ClusterStaticEntries {"error": "no matches for kind \"ClusterStaticEntry\" in version \"spire.spiffe.io/v1alpha1\""} github.com/spiffe/spire-controller-manager/pkg/spireentry.(*entryReconciler).reconcile /workspace/pkg/spireentry/reconciler.go:101 github.com/spiffe/spire-controller-manager/pkg/reconciler.(*reconciler).Run /workspace/pkg/reconciler/reconciler.go:84 sigs.k8s.io/controller-runtime/pkg/manager.RunnableFunc.Start /go/pkg/mod/sigs.k8s.io/[email protected]/pkg/manager/manager.go:383 sigs.k8s.io/controller-runtime/pkg/manager.(*runnableGroup).reconcile.func1 /go/pkg/mod/sigs.k8s.io/[email protected]/pkg/manager/runnable_group.go:219 2023-09-05T13:34:13Z INFO Starting workers {"controller": "clusterspiffeid", "controllerGroup": "spire.spiffe.io", "controllerKind": "ClusterSPIFFEID", "worker count": 1} 2023-09-05T13:34:13Z DEBUG Triggering reconciliation {"controller": "clusterspiffeid", "controllerGroup": "spire.spiffe.io", "controllerKind": "ClusterSPIFFEID", "ClusterSPIFFEID": {"name":"service-account-spiffeid"}, "namespace": "", "name": "service-account-spiffeid", "reconcileID": "95b5733f-8571-463e-813b-c717a9359da0"} 2023-09-05T13:34:13Z INFO Starting workers {"controller": "clusterfederatedtrustdomain", "controllerGroup": "spire.spiffe.io", "controllerKind": "ClusterFederatedTrustDomain", "worker count": 1} 2023-09-05T13:34:13Z ERROR entry-reconciler Failed to list ClusterStaticEntries {"error": "no matches for kind \"ClusterStaticEntry\" in version \"spire.spiffe.io/v1alpha1\""} github.com/spiffe/spire-controller-manager/pkg/spireentry.(*entryReconciler).reconcile /workspace/pkg/spireentry/reconciler.go:101 github.com/spiffe/spire-controller-manager/pkg/reconciler.(*reconciler).Run /workspace/pkg/reconciler/reconciler.go:84 sigs.k8s.io/controller-runtime/pkg/manager.RunnableFunc.Start /go/pkg/mod/sigs.k8s.io/[email protected]/pkg/manager/manager.go:383 sigs.k8s.io/controller-runtime/pkg/manager.(*runnableGroup).reconcile.func1 /go/pkg/mod/sigs.k8s.io/[email protected]/pkg/manager/runnable_group.go:219 2023-09-05T13:34:13Z INFO Starting workers {"controller": "pod", "controllerGroup": "", "controllerKind": "Pod", "worker count": 1} 2023-09-05T13:34:23Z ERROR controller-runtime.source.EventHandler if kind is a CRD, it should be installed before calling Start {"kind": "ClusterStaticEntry.spire.spiffe.io", "error": "no matches for kind \"ClusterStaticEntry\" in version \"spire.spiffe.io/v1alpha1\""} sigs.k8s.io/controller-runtime/pkg/internal/source.(*Kind).Start.func1.1 /go/pkg/mod/sigs.k8s.io/[email protected]/pkg/internal/source/kind.go:63 k8s.io/apimachinery/pkg/util/wait.loopConditionUntilContext.func2 /go/pkg/mod/k8s.io/[email protected]/pkg/util/wait/loop.go:73 k8s.io/apimachinery/pkg/util/wait.loopConditionUntilContext /go/pkg/mod/k8s.io/[email protected]/pkg/util/wait/loop.go:74 k8s.io/apimachinery/pkg/util/wait.PollUntilContextCancel /go/pkg/mod/k8s.io/[email protected]/pkg/util/wait/poll.go:33 sigs.k8s.io/controller-runtime/pkg/internal/source.(*Kind).Start.func1 /go/pkg/mod/sigs.k8s.io/[email protected]/pkg/internal/source/kind.go:56 2023-09-05T13:34:23Z ERROR entry-reconciler Failed to list ClusterStaticEntries {"error": "no matches for kind \"ClusterStaticEntry\" in version \"spire.spiffe.io/v1alpha1\""} github.com/spiffe/spire-controller-manager/pkg/spireentry.(*entryReconciler).reconcile /workspace/pkg/spireentry/reconciler.go:101 github.com/spiffe/spire-controller-manager/pkg/reconciler.(*reconciler).Run /workspace/pkg/reconciler/reconciler.go:84 sigs.k8s.io/controller-runtime/pkg/manager.RunnableFunc.Start /go/pkg/mod/sigs.k8s.io/[email protected]/pkg/manager/manager.go:383 sigs.k8s.io/controller-runtime/pkg/manager.(*runnableGroup).reconcile.func1 /go/pkg/mod/sigs.k8s.io/[email protected]/pkg/manager/runnable_group.go:219 2023-09-05T13:34:33Z ERROR controller-runtime.source.EventHandler if kind is a CRD, it should be installed before calling Start {"kind": "ClusterStaticEntry.spire.spiffe.io", "error": "no matches for kind \"ClusterStaticEntry\" in version \"spire.spiffe.io/v1alpha1\""} sigs.k8s.io/controller-runtime/pkg/internal/source.(*Kind).Start.func1.1 /go/pkg/mod/sigs.k8s.io/[email protected]/pkg/internal/source/kind.go:63 k8s.io/apimachinery/pkg/util/wait.loopConditionUntilContext.func2 /go/pkg/mod/k8s.io/[email protected]/pkg/util/wait/loop.go:73 k8s.io/apimachinery/pkg/util/wait.loopConditionUntilContext /go/pkg/mod/k8s.io/[email protected]/pkg/util/wait/loop.go:74 k8s.io/apimachinery/pkg/util/wait.PollUntilContextCancel /go/pkg/mod/k8s.io/[email protected]/pkg/util/wait/poll.go:33 sigs.k8s.io/controller-runtime/pkg/internal/source.(*Kind).Start.func1 /go/pkg/mod/sigs.k8s.io/[email protected]/pkg/internal/source/kind.go:56 2023-09-05T13:34:33Z ERROR entry-reconciler Failed to list ClusterStaticEntries {"error": "no matches for kind \"ClusterStaticEntry\" in version \"spire.spiffe.io/v1alpha1\""} github.com/spiffe/spire-controller-manager/pkg/spireentry.(*entryReconciler).reconcile /workspace/pkg/spireentry/reconciler.go:101 github.com/spiffe/spire-controller-manager/pkg/reconciler.(*reconciler).Run /workspace/pkg/reconciler/reconciler.go:84 sigs.k8s.io/controller-runtime/pkg/manager.RunnableFunc.Start /go/pkg/mod/sigs.k8s.io/[email protected]/pkg/manager/manager.go:383 sigs.k8s.io/controller-runtime/pkg/manager.(*runnableGroup).reconcile.func1 /go/pkg/mod/sigs.k8s.io/[email protected]/pkg/manager/runnable_group.go:219 2023-09-05T13:34:43Z ERROR controller-runtime.source.EventHandler if kind is a CRD, it should be installed before calling Start {"kind": "ClusterStaticEntry.spire.spiffe.io", "error": "no matches for kind \"ClusterStaticEntry\" in version \"spire.spiffe.io/v1alpha1\""} sigs.k8s.io/controller-runtime/pkg/internal/source.(*Kind).Start.func1.1 /go/pkg/mod/sigs.k8s.io/[email protected]/pkg/internal/source/kind.go:63 k8s.io/apimachinery/pkg/util/wait.loopConditionUntilContext.func2 /go/pkg/mod/k8s.io/[email protected]/pkg/util/wait/loop.go:73 k8s.io/apimachinery/pkg/util/wait.loopConditionUntilContext /go/pkg/mod/k8s.io/[email protected]/pkg/util/wait/loop.go:74 k8s.io/apimachinery/pkg/util/wait.PollUntilContextCancel /go/pkg/mod/k8s.io/[email protected]/pkg/util/wait/poll.go:33 sigs.k8s.io/controller-runtime/pkg/internal/source.(*Kind).Start.func1 /go/pkg/mod/sigs.k8s.io/[email protected]/pkg/internal/source/kind.go:56 2023-09-05T13:34:43Z ERROR entry-reconciler Failed to list ClusterStaticEntries {"error": "no matches for kind \"ClusterStaticEntry\" in version \"spire.spiffe.io/v1alpha1\""} github.com/spiffe/spire-controller-manager/pkg/spireentry.(*entryReconciler).reconcile /workspace/pkg/spireentry/reconciler.go:101 github.com/spiffe/spire-controller-manager/pkg/reconciler.(*reconciler).Run /workspace/pkg/reconciler/reconciler.go:84 sigs.k8s.io/controller-runtime/pkg/manager.RunnableFunc.Start /go/pkg/mod/sigs.k8s.io/[email protected]/pkg/manager/manager.go:383 sigs.k8s.io/controller-runtime/pkg/manager.(*runnableGroup).reconcile.func1 /go/pkg/mod/sigs.k8s.io/[email protected]/pkg/manager/runnable_group.go:219 2023-09-05T13:34:53Z ERROR controller-runtime.source.EventHandler if kind is a CRD, it should be installed before calling Start {"kind": "ClusterStaticEntry.spire.spiffe.io", "error": "no matches for kind \"ClusterStaticEntry\" in version \"spire.spiffe.io/v1alpha1\""} sigs.k8s.io/controller-runtime/pkg/internal/source.(*Kind).Start.func1.1 /go/pkg/mod/sigs.k8s.io/[email protected]/pkg/internal/source/kind.go:63 k8s.io/apimachinery/pkg/util/wait.loopConditionUntilContext.func2 /go/pkg/mod/k8s.io/[email protected]/pkg/util/wait/loop.go:73 k8s.io/apimachinery/pkg/util/wait.loopConditionUntilContext /go/pkg/mod/k8s.io/[email protected]/pkg/util/wait/loop.go:74 k8s.io/apimachinery/pkg/util/wait.PollUntilContextCancel /go/pkg/mod/k8s.io/[email protected]/pkg/util/wait/poll.go:33 sigs.k8s.io/controller-runtime/pkg/internal/source.(*Kind).Start.func1 /go/pkg/mod/sigs.k8s.io/[email protected]/pkg/internal/source/kind.go:56 2023-09-05T13:34:53Z ERROR entry-reconciler Failed to list ClusterStaticEntries {"error": "no matches for kind \"ClusterStaticEntry\" in version \"spire.spiffe.io/v1alpha1\""} github.com/spiffe/spire-controller-manager/pkg/spireentry.(*entryReconciler).reconcile /workspace/pkg/spireentry/reconciler.go:101 github.com/spiffe/spire-controller-manager/pkg/reconciler.(*reconciler).Run /workspace/pkg/reconciler/reconciler.go:84 sigs.k8s.io/controller-runtime/pkg/manager.RunnableFunc.Start /go/pkg/mod/sigs.k8s.io/[email protected]/pkg/manager/manager.go:383 sigs.k8s.io/controller-runtime/pkg/manager.(*runnableGroup).reconcile.func1 /go/pkg/mod/sigs.k8s.io/[email protected]/pkg/manager/runnable_group.go:219 2023-09-05T13:35:03Z ERROR controller-runtime.source.EventHandler if kind is a CRD, it should be installed before calling Start {"kind": "ClusterStaticEntry.spire.spiffe.io", "error": "no matches for kind \"ClusterStaticEntry\" in version \"spire.spiffe.io/v1alpha1\""} sigs.k8s.io/controller-runtime/pkg/internal/source.(*Kind).Start.func1.1 /go/pkg/mod/sigs.k8s.io/[email protected]/pkg/internal/source/kind.go:63 k8s.io/apimachinery/pkg/util/wait.loopConditionUntilContext.func2 /go/pkg/mod/k8s.io/[email protected]/pkg/util/wait/loop.go:73 k8s.io/apimachinery/pkg/util/wait.loopConditionUntilContext /go/pkg/mod/k8s.io/[email protected]/pkg/util/wait/loop.go:74 k8s.io/apimachinery/pkg/util/wait.PollUntilContextCancel /go/pkg/mod/k8s.io/[email protected]/pkg/util/wait/poll.go:33 sigs.k8s.io/controller-runtime/pkg/internal/source.(*Kind).Start.func1 /go/pkg/mod/sigs.k8s.io/[email protected]/pkg/internal/source/kind.go:56 2023-09-05T13:35:03Z ERROR entry-reconciler Failed to list ClusterStaticEntries {"error": "no matches for kind \"ClusterStaticEntry\" in version \"spire.spiffe.io/v1alpha1\""} github.com/spiffe/spire-controller-manager/pkg/spireentry.(*entryReconciler).reconcile /workspace/pkg/spireentry/reconciler.go:101 github.com/spiffe/spire-controller-manager/pkg/reconciler.(*reconciler).Run /workspace/pkg/reconciler/reconciler.go:84 sigs.k8s.io/controller-runtime/pkg/manager.RunnableFunc.Start /go/pkg/mod/sigs.k8s.io/[email protected]/pkg/manager/manager.go:383 sigs.k8s.io/controller-runtime/pkg/manager.(*runnableGroup).reconcile.func1 /go/pkg/mod/sigs.k8s.io/[email protected]/pkg/manager/runnable_group.go:219 2023-09-05T13:35:13Z ERROR controller-runtime.source.EventHandler if kind is a CRD, it should be installed before calling Start {"kind": "ClusterStaticEntry.spire.spiffe.io", "error": "no matches for kind \"ClusterStaticEntry\" in version \"spire.spiffe.io/v1alpha1\""} sigs.k8s.io/controller-runtime/pkg/internal/source.(*Kind).Start.func1.1 /go/pkg/mod/sigs.k8s.io/[email protected]/pkg/internal/source/kind.go:63 k8s.io/apimachinery/pkg/util/wait.loopConditionUntilContext.func2 /go/pkg/mod/k8s.io/[email protected]/pkg/util/wait/loop.go:73 k8s.io/apimachinery/pkg/util/wait.loopConditionUntilContext /go/pkg/mod/k8s.io/[email protected]/pkg/util/wait/loop.go:74 k8s.io/apimachinery/pkg/util/wait.PollUntilContextCancel /go/pkg/mod/k8s.io/[email protected]/pkg/util/wait/poll.go:33 sigs.k8s.io/controller-runtime/pkg/internal/source.(*Kind).Start.func1 /go/pkg/mod/sigs.k8s.io/[email protected]/pkg/internal/source/kind.go:56 2023-09-05T13:35:13Z ERROR entry-reconciler Failed to list ClusterStaticEntries {"error": "no matches for kind \"ClusterStaticEntry\" in version \"spire.spiffe.io/v1alpha1\""} github.com/spiffe/spire-controller-manager/pkg/spireentry.(*entryReconciler).reconcile /workspace/pkg/spireentry/reconciler.go:101 github.com/spiffe/spire-controller-manager/pkg/reconciler.(*reconciler).Run /workspace/pkg/reconciler/reconciler.go:84 sigs.k8s.io/controller-runtime/pkg/manager.RunnableFunc.Start /go/pkg/mod/sigs.k8s.io/[email protected]/pkg/manager/manager.go:383 sigs.k8s.io/controller-runtime/pkg/manager.(*runnableGroup).reconcile.func1 /go/pkg/mod/sigs.k8s.io/[email protected]/pkg/manager/runnable_group.go:219 2023-09-05T13:35:23Z ERROR controller-runtime.source.EventHandler if kind is a CRD, it should be installed before calling Start {"kind": "ClusterStaticEntry.spire.spiffe.io", "error": "no matches for kind \"ClusterStaticEntry\" in version \"spire.spiffe.io/v1alpha1\""} sigs.k8s.io/controller-runtime/pkg/internal/source.(*Kind).Start.func1.1 /go/pkg/mod/sigs.k8s.io/[email protected]/pkg/internal/source/kind.go:63 k8s.io/apimachinery/pkg/util/wait.loopConditionUntilContext.func2 /go/pkg/mod/k8s.io/[email protected]/pkg/util/wait/loop.go:73 k8s.io/apimachinery/pkg/util/wait.loopConditionUntilContext /go/pkg/mod/k8s.io/[email protected]/pkg/util/wait/loop.go:74 k8s.io/apimachinery/pkg/util/wait.PollUntilContextCancel /go/pkg/mod/k8s.io/[email protected]/pkg/util/wait/poll.go:33 sigs.k8s.io/controller-runtime/pkg/internal/source.(*Kind).Start.func1 /go/pkg/mod/sigs.k8s.io/[email protected]/pkg/internal/source/kind.go:56 2023-09-05T13:35:23Z ERROR entry-reconciler Failed to list ClusterStaticEntries {"error": "no matches for kind \"ClusterStaticEntry\" in version \"spire.spiffe.io/v1alpha1\""} github.com/spiffe/spire-controller-manager/pkg/spireentry.(*entryReconciler).reconcile /workspace/pkg/spireentry/reconciler.go:101 github.com/spiffe/spire-controller-manager/pkg/reconciler.(*reconciler).Run /workspace/pkg/reconciler/reconciler.go:84 sigs.k8s.io/controller-runtime/pkg/manager.RunnableFunc.Start /go/pkg/mod/sigs.k8s.io/[email protected]/pkg/manager/manager.go:383 sigs.k8s.io/controller-runtime/pkg/manager.(*runnableGroup).reconcile.func1 /go/pkg/mod/sigs.k8s.io/[email protected]/pkg/manager/runnable_group.go:219 2023-09-05T13:35:33Z ERROR controller-runtime.source.EventHandler if kind is a CRD, it should be installed before calling Start {"kind": "ClusterStaticEntry.spire.spiffe.io", "error": "no matches for kind \"ClusterStaticEntry\" in version \"spire.spiffe.io/v1alpha1\""} sigs.k8s.io/controller-runtime/pkg/internal/source.(*Kind).Start.func1.1 /go/pkg/mod/sigs.k8s.io/[email protected]/pkg/internal/source/kind.go:63 k8s.io/apimachinery/pkg/util/wait.loopConditionUntilContext.func2 /go/pkg/mod/k8s.io/[email protected]/pkg/util/wait/loop.go:73 k8s.io/apimachinery/pkg/util/wait.loopConditionUntilContext /go/pkg/mod/k8s.io/[email protected]/pkg/util/wait/loop.go:74 k8s.io/apimachinery/pkg/util/wait.PollUntilContextCancel /go/pkg/mod/k8s.io/[email protected]/pkg/util/wait/poll.go:33 sigs.k8s.io/controller-runtime/pkg/internal/source.(*Kind).Start.func1 /go/pkg/mod/sigs.k8s.io/[email protected]/pkg/internal/source/kind.go:56 2023-09-05T13:35:33Z ERROR entry-reconciler Failed to list ClusterStaticEntries {"error": "no matches for kind \"ClusterStaticEntry\" in version \"spire.spiffe.io/v1alpha1\""} github.com/spiffe/spire-controller-manager/pkg/spireentry.(*entryReconciler).reconcile /workspace/pkg/spireentry/reconciler.go:101 github.com/spiffe/spire-controller-manager/pkg/reconciler.(*reconciler).Run /workspace/pkg/reconciler/reconciler.go:84 sigs.k8s.io/controller-runtime/pkg/manager.RunnableFunc.Start /go/pkg/mod/sigs.k8s.io/[email protected]/pkg/manager/manager.go:383 sigs.k8s.io/controller-runtime/pkg/manager.(*runnableGroup).reconcile.func1 /go/pkg/mod/sigs.k8s.io/[email protected]/pkg/manager/runnable_group.go:219 2023-09-05T13:35:43Z ERROR controller-runtime.source.EventHandler if kind is a CRD, it should be installed before calling Start {"kind": "ClusterStaticEntry.spire.spiffe.io", "error": "no matches for kind \"ClusterStaticEntry\" in version \"spire.spiffe.io/v1alpha1\""} sigs.k8s.io/controller-runtime/pkg/internal/source.(*Kind).Start.func1.1 /go/pkg/mod/sigs.k8s.io/[email protected]/pkg/internal/source/kind.go:63 k8s.io/apimachinery/pkg/util/wait.loopConditionUntilContext.func2 /go/pkg/mod/k8s.io/[email protected]/pkg/util/wait/loop.go:73 k8s.io/apimachinery/pkg/util/wait.loopConditionUntilContext /go/pkg/mod/k8s.io/[email protected]/pkg/util/wait/loop.go:74 k8s.io/apimachinery/pkg/util/wait.PollUntilContextCancel /go/pkg/mod/k8s.io/[email protected]/pkg/util/wait/poll.go:33 sigs.k8s.io/controller-runtime/pkg/internal/source.(*Kind).Start.func1 /go/pkg/mod/sigs.k8s.io/[email protected]/pkg/internal/source/kind.go:56 2023-09-05T13:35:43Z ERROR entry-reconciler Failed to list ClusterStaticEntries {"error": "no matches for kind \"ClusterStaticEntry\" in version \"spire.spiffe.io/v1alpha1\""} github.com/spiffe/spire-controller-manager/pkg/spireentry.(*entryReconciler).reconcile /workspace/pkg/spireentry/reconciler.go:101 github.com/spiffe/spire-controller-manager/pkg/reconciler.(*reconciler).Run /workspace/pkg/reconciler/reconciler.go:84 sigs.k8s.io/controller-runtime/pkg/manager.RunnableFunc.Start /go/pkg/mod/sigs.k8s.io/[email protected]/pkg/manager/manager.go:383 sigs.k8s.io/controller-runtime/pkg/manager.(*runnableGroup).reconcile.func1 /go/pkg/mod/sigs.k8s.io/[email protected]/pkg/manager/runnable_group.go:219 2023-09-05T13:35:53Z ERROR controller-runtime.source.EventHandler if kind is a CRD, it should be installed before calling Start {"kind": "ClusterStaticEntry.spire.spiffe.io", "error": "no matches for kind \"ClusterStaticEntry\" in version \"spire.spiffe.io/v1alpha1\""} sigs.k8s.io/controller-runtime/pkg/internal/source.(*Kind).Start.func1.1 /go/pkg/mod/sigs.k8s.io/[email protected]/pkg/internal/source/kind.go:63 k8s.io/apimachinery/pkg/util/wait.loopConditionUntilContext.func2 /go/pkg/mod/k8s.io/[email protected]/pkg/util/wait/loop.go:73 k8s.io/apimachinery/pkg/util/wait.loopConditionUntilContext /go/pkg/mod/k8s.io/[email protected]/pkg/util/wait/loop.go:74 k8s.io/apimachinery/pkg/util/wait.PollUntilContextCancel /go/pkg/mod/k8s.io/[email protected]/pkg/util/wait/poll.go:33 sigs.k8s.io/controller-runtime/pkg/internal/source.(*Kind).Start.func1 /go/pkg/mod/sigs.k8s.io/[email protected]/pkg/internal/source/kind.go:56 2023-09-05T13:35:53Z ERROR entry-reconciler Failed to list ClusterStaticEntries {"error": "no matches for kind \"ClusterStaticEntry\" in version \"spire.spiffe.io/v1alpha1\""} github.com/spiffe/spire-controller-manager/pkg/spireentry.(*entryReconciler).reconcile /workspace/pkg/spireentry/reconciler.go:101 github.com/spiffe/spire-controller-manager/pkg/reconciler.(*reconciler).Run /workspace/pkg/reconciler/reconciler.go:84 sigs.k8s.io/controller-runtime/pkg/manager.RunnableFunc.Start /go/pkg/mod/sigs.k8s.io/[email protected]/pkg/manager/manager.go:383 sigs.k8s.io/controller-runtime/pkg/manager.(*runnableGroup).reconcile.func1 /go/pkg/mod/sigs.k8s.io/[email protected]/pkg/manager/runnable_group.go:219 2023-09-05T13:36:03Z ERROR controller-runtime.source.EventHandler if kind is a CRD, it should be installed before calling Start {"kind": "ClusterStaticEntry.spire.spiffe.io", "error": "no matches for kind \"ClusterStaticEntry\" in version \"spire.spiffe.io/v1alpha1\""} sigs.k8s.io/controller-runtime/pkg/internal/source.(*Kind).Start.func1.1 /go/pkg/mod/sigs.k8s.io/[email protected]/pkg/internal/source/kind.go:63 k8s.io/apimachinery/pkg/util/wait.loopConditionUntilContext.func2 /go/pkg/mod/k8s.io/[email protected]/pkg/util/wait/loop.go:73 k8s.io/apimachinery/pkg/util/wait.loopConditionUntilContext /go/pkg/mod/k8s.io/[email protected]/pkg/util/wait/loop.go:74 k8s.io/apimachinery/pkg/util/wait.PollUntilContextCancel /go/pkg/mod/k8s.io/[email protected]/pkg/util/wait/poll.go:33 sigs.k8s.io/controller-runtime/pkg/internal/source.(*Kind).Start.func1 /go/pkg/mod/sigs.k8s.io/[email protected]/pkg/internal/source/kind.go:56 2023-09-05T13:36:03Z ERROR entry-reconciler Failed to list ClusterStaticEntries {"error": "no matches for kind \"ClusterStaticEntry\" in version \"spire.spiffe.io/v1alpha1\""} github.com/spiffe/spire-controller-manager/pkg/spireentry.(*entryReconciler).reconcile /workspace/pkg/spireentry/reconciler.go:101 github.com/spiffe/spire-controller-manager/pkg/reconciler.(*reconciler).Run /workspace/pkg/reconciler/reconciler.go:84 sigs.k8s.io/controller-runtime/pkg/manager.RunnableFunc.Start /go/pkg/mod/sigs.k8s.io/[email protected]/pkg/manager/manager.go:383 sigs.k8s.io/controller-runtime/pkg/manager.(*runnableGroup).reconcile.func1 /go/pkg/mod/sigs.k8s.io/[email protected]/pkg/manager/runnable_group.go:219 2023-09-05T13:36:13Z ERROR Could not wait for Cache to sync {"controller": "clusterstaticentry", "controllerGroup": "spire.spiffe.io", "controllerKind": "ClusterStaticEntry", "error": "failed to wait for clusterstaticentry caches to sync: timed out waiting for cache to be synced for Kind *v1alpha1.ClusterStaticEntry"} sigs.k8s.io/controller-runtime/pkg/internal/controller.(*Controller).Start.func2.1 /go/pkg/mod/sigs.k8s.io/[email protected]/pkg/internal/controller/controller.go:202 sigs.k8s.io/controller-runtime/pkg/internal/controller.(*Controller).Start.func2 /go/pkg/mod/sigs.k8s.io/[email protected]/pkg/internal/controller/controller.go:207 sigs.k8s.io/controller-runtime/pkg/internal/controller.(*Controller).Start /go/pkg/mod/sigs.k8s.io/[email protected]/pkg/internal/controller/controller.go:233 sigs.k8s.io/controller-runtime/pkg/manager.(*runnableGroup).reconcile.func1 /go/pkg/mod/sigs.k8s.io/[email protected]/pkg/manager/runnable_group.go:219 2023-09-05T13:36:13Z INFO Stopping and waiting for non leader election runnables 2023-09-05T13:36:13Z INFO shutting down server {"path": "/metrics", "kind": "metrics", "addr": "127.0.0.1:8082"} 2023-09-05T13:36:13Z INFO Stopping and waiting for leader election runnables 2023-09-05T13:36:13Z INFO entry-reconciler Reconciliation canceled 2023-09-05T13:36:13Z INFO federation relationship-reconciler Reconciliation canceled 2023-09-05T13:36:13Z INFO Shutdown signal received, waiting for all workers to finish {"controller": "pod", "controllerGroup": "", "controllerKind": "Pod"} 2023-09-05T13:36:13Z ERROR error received after stop sequence was engaged {"error": "context canceled"} sigs.k8s.io/controller-runtime/pkg/manager.(*controllerManager).engageStopProcedure.func1 /go/pkg/mod/sigs.k8s.io/[email protected]/pkg/manager/internal.go:555 2023-09-05T13:36:13Z ERROR error received after stop sequence was engaged {"error": "context canceled"} sigs.k8s.io/controller-runtime/pkg/manager.(*controllerManager).engageStopProcedure.func1 /go/pkg/mod/sigs.k8s.io/[email protected]/pkg/manager/internal.go:555 2023-09-05T13:36:13Z INFO Shutdown signal received, waiting for all workers to finish {"controller": "clusterspiffeid", "controllerGroup": "spire.spiffe.io", "controllerKind": "ClusterSPIFFEID"} 2023-09-05T13:36:13Z INFO All workers finished {"controller": "clusterspiffeid", "controllerGroup": "spire.spiffe.io", "controllerKind": "ClusterSPIFFEID"} 2023-09-05T13:36:13Z INFO All workers finished {"controller": "pod", "controllerGroup": "", "controllerKind": "Pod"} 2023-09-05T13:36:13Z INFO Shutdown signal received, waiting for all workers to finish {"controller": "clusterfederatedtrustdomain", "controllerGroup": "spire.spiffe.io", "controllerKind": "ClusterFederatedTrustDomain"} 2023-09-05T13:36:13Z INFO All workers finished {"controller": "clusterfederatedtrustdomain", "controllerGroup": "spire.spiffe.io", "controllerKind": "ClusterFederatedTrustDomain"} 2023-09-05T13:36:13Z INFO Stopping and waiting for caches 2023-09-05T13:36:13Z ERROR error received after stop sequence was engaged {"error": "context canceled"} sigs.k8s.io/controller-runtime/pkg/manager.(*controllerManager).engageStopProcedure.func1 /go/pkg/mod/sigs.k8s.io/[email protected]/pkg/manager/internal.go:555 2023-09-05T13:36:13Z INFO Stopping and waiting for webhooks 2023-09-05T13:36:13Z INFO controller-runtime.webhook Shutting down webhook server with timeout of 1 minute 2023-09-05T13:36:13Z INFO Wait completed, proceeding to shutdown the manager 2023-09-05T13:36:13Z ERROR setup problem running manager {"error": "failed to wait for clusterstaticentry caches to sync: timed out waiting for cache to be synced for Kind *v1alpha1.ClusterStaticEntry"} main.run /workspace/main.go:347 main.main /workspace/main.go:82 runtime.main /usr/local/go/src/runtime/proc.go:250 2023-09-05T13:36:13Z ERROR error received after stop sequence was engaged {"error": "leader election lost"} sigs.k8s.io/controller-runtime/pkg/manager.(*controllerManager).engageStopProcedure.func1
My Setup:

Kubernetes running on docker desktop.
Cluster Name: docker-desktop

% istioctl version
client version: 1.18.2
control plane version: 1.18.2
data plane version: 1.18.2 (1 proxies)

% kubectl version WARNING: This version information is deprecated and will be replaced with the output from kubectl version --short. Use --output=yaml|json to get the full version. Client Version: version.Info{Major:"1", Minor:"25", GitVersion:"v1.25.2", GitCommit:"5835544ca568b757a8ecae5c153f317e5736700e", GitTreeState:"clean", BuildDate:"2022-09-21T14:33:49Z", GoVersion:"go1.19.1", Compiler:"gc", Platform:"darwin/arm64"} Kustomize Version: v4.5.7 Server Version: version.Info{Major:"1", Minor:"25", GitVersion:"v1.25.2", GitCommit:"5835544ca568b757a8ecae5c153f317e5736700e", GitTreeState:"clean", BuildDate:"2022-09-21T14:27:13Z", GoVersion:"go1.19.1", Compiler:"gc", Platform:"linux/arm64"}

episode suggestion: Istio Rate Limit is working even if ratelimit & redis pods are down - Azure AKS 1.21.9

Kindly refer attachment.
I've deployed rate limit along with Redis in Azure AKS 1.21.9 and did some basic tests related to rate limiting, it worked as expected.

Issue Description:

I scaled down rate limit & Redis pods and tested rate limit functionality. As the rate limit and Redis pods are down, rate limit functionality should not work. But in my case, the rate limit worked even if ratelimit/Redis pods are down.

The expectation is it should not work right? If it is working, how come?

Azure AKS 1.21.9

Istio Version - 1.14

Documents used for ratelimit deployment:

https://istio.io/latest/docs/tasks/policy-enforcement/rate-limit/#verify-local-rate-limit
https://github.com/istio/istio/blob/release-1.14/samples/ratelimit/rate-limit-service.yaml
poc-ratelimitdown.docx

Bug: Episode 25 code not reproducible on my system

I've been trying to reproduce https://github.com/solo-io/hoot/tree/master/25-istio-spire-integration on Minikube 1.23 on macOS, but after deploying SPIRE and Istio the pods of the example application do not fully come up.

NAME                              READY   STATUS    RESTARTS   AGE
details-v1-5878f98b8f-srvpb       1/2     Running   0          135m
productpage-v1-58bb99c456-hjcrp   1/2     Running   0          135m
ratings-v1-6bcc595f97-blff8       1/2     Running   0          135m

The main clue I have found is that when describing the pod it says

Warning  Unhealthy  2m19s (x1078 over 37m)  kubelet            Readiness probe failed: Get "http://172.17.0.13:15021/healthz/ready": dial tcp 172.17.0.13:15021: connect: connection refused

Thus, my work hypothesis is that the authentication blocks the communication, e.g., since the registration entries have selectors which fail, but I have not figured out why that is, yet. I suspected that the UID of 1000 might be the problem and changed it to 1337 in the yaml files, but the issue still persists.

Could you advise on how to get it to work? This example would be quite useful if it worked, since it nicely combines the Mithril and Istio docs perspective. Thank you in advance.

eBPF: A Top-Down View

In this Hoot we will explore extended Berkeley Packet Filter (eBPF), the Linux technology that is quickly gaining popularity throughout the industry. We will first discuss at a high-level what eBPF is and how it works, then with that foundation we will take a hands-on look at building and running eBPF programs.

episode suggestion: gitops

episode suggestion: Controller Runtime

request on Flagger for Istio canary deployment

after watching episode 20 from one of our customers

episode suggestion: knative

episode suggestion:

episode request: understanding the control plane

Design consideration for a control plane implementation. Why there are so many control plane implementations? Scalability and observability of control plane components itself may be using Istio as an example. Performance, security and best practices. Extending the existing control plane solutions. Integration with different types other dataplane solutions apart from Envoy. These are some of the topics I can think of as I don't have much idea of control plane.

source: https://www.youtube.com/watch?v=S5Fm1Yhomc4&lc=UgxoLk4PbsYzrXwYHxl4AaABAg.9MC-40xA2ZY9Na1iGRA4W6

Recommend Projects

React

A declarative, efficient, and flexible JavaScript library for building user interfaces.
Vue.js

🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
Typescript

TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
TensorFlow

An Open Source Machine Learning Framework for Everyone
Django

The Web framework for perfectionists with deadlines.
Laravel

A PHP framework for web artisans
D3

Bring data to life with SVG, Canvas and HTML. 📊📈🎉

Recommend Topics

javascript

JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
web

Some thing interesting about web. New door for the world.
server

A server is a program made to process requests and deliver data to clients.
Machine learning

Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
Visualization

Some thing interesting about visualization, use data art
Game

Some thing interesting about game, make everyone happy.

Recommend Org

Facebook

We are working to build community through open source technology. NB: members must have two-factor auth.
Microsoft

Open source projects and samples from Microsoft.
Google

Google ❤️ Open Source for everyone.
Alibaba

Alibaba Open Source for everyone
D3

Data-Driven Documents codes.
Tencent

China tencent open source team.