automating Mixer samples (istio#13196)

* move samples Signed-off-by: Kuat Yessenov <kuat@google.com> * add metric samples Signed-off-by: Kuat Yessenov <kuat@google.com> * add samples Signed-off-by: Kuat Yessenov <kuat@google.com> * add samples Signed-off-by: Kuat Yessenov <kuat@google.com> * typo Signed-off-by: Kuat Yessenov <kuat@google.com> * typo Signed-off-by: Kuat Yessenov <kuat@google.com> * add samples Signed-off-by: Kuat Yessenov <kuat@google.com> * add samples Signed-off-by: Kuat Yessenov <kuat@google.com> * add samples Signed-off-by: Kuat Yessenov <kuat@google.com> * add samples Signed-off-by: Kuat Yessenov <kuat@google.com>
samos123 · Apr 11, 2019 · c30c91c · c30c91c
1 parent cccb01e
commit c30c91c
Show file tree

Hide file tree

Showing 20 changed files with 786 additions and 60 deletions.
diff --git a/samples/bookinfo/policy/mixer-rule-deny-ip-crd.yaml b/samples/bookinfo/policy/mixer-rule-deny-ip-crd.yaml
@@ -0,0 +1,29 @@
+apiVersion: config.istio.io/v1alpha2
+kind: listchecker
+metadata:
+  name: whitelistip
+spec:
+  # providerUrl: ordinarily black and white lists are maintained
+  # externally and fetched asynchronously using the providerUrl.
+  overrides: ["10.57.0.0/16"]  # overrides provide a static list
+  blacklist: false
+  entryType: IP_ADDRESSES
+---
+apiVersion: config.istio.io/v1alpha2
+kind: listentry
+metadata:
+  name: sourceip
+spec:
+  value: source.ip | ip("0.0.0.0")
+---
+apiVersion: config.istio.io/v1alpha2
+kind: rule
+metadata:
+  name: checkip
+spec:
+  match: source.labels["istio"] == "ingressgateway"
+  actions:
+  - handler: whitelistip.listchecker
+    instances:
+    - sourceip.listentry
+---
diff --git a/samples/bookinfo/policy/mixer-rule-deny-ip.yaml b/samples/bookinfo/policy/mixer-rule-deny-ip.yaml
@@ -0,0 +1,32 @@
+apiVersion: config.istio.io/v1alpha2
+kind: handler
+metadata:
+  name: whitelistip
+spec:
+  compiledAdapter: listchecker
+  params:
+    # providerUrl: ordinarily black and white lists are maintained
+    # externally and fetched asynchronously using the providerUrl.
+    overrides: ["10.57.0.0/16"]  # overrides provide a static list
+    blacklist: false
+    entryType: IP_ADDRESSES
+---
+apiVersion: config.istio.io/v1alpha2
+kind: instance
+metadata:
+  name: sourceip
+spec:
+  compiledTemplate: listentry
+  params:
+    value: source.ip | ip("0.0.0.0")
+---
+apiVersion: config.istio.io/v1alpha2
+kind: rule
+metadata:
+  name: checkip
+spec:
+  match: source.labels["istio"] == "ingressgateway"
+  actions:
+  - handler: whitelistip
+    instances: [ sourceip ]
+---
diff --git a/samples/bookinfo/policy/mixer-rule-deny-label-crd.yaml b/samples/bookinfo/policy/mixer-rule-deny-label-crd.yaml
@@ -0,0 +1,24 @@
+apiVersion: "config.istio.io/v1alpha2"
+kind: denier
+metadata:
+  name: denyreviewsv3handler
+spec:
+  status:
+    code: 7
+    message: Not allowed
+---
+apiVersion: "config.istio.io/v1alpha2"
+kind: checknothing
+metadata:
+  name: denyreviewsv3request
+spec:
+---
+apiVersion: "config.istio.io/v1alpha2"
+kind: rule
+metadata:
+  name: denyreviewsv3
+spec:
+  match: destination.labels["app"] == "ratings" && source.labels["app"]=="reviews" && source.labels["version"] == "v3"
+  actions:
+  - handler: denyreviewsv3handler.denier
+    instances: [ denyreviewsv3request.checknothing ]
diff --git a/samples/bookinfo/policy/mixer-rule-deny-label.yaml b/samples/bookinfo/policy/mixer-rule-deny-label.yaml
@@ -1,17 +1,20 @@
 apiVersion: "config.istio.io/v1alpha2"
-kind: denier
+kind: handler
 metadata:
   name: denyreviewsv3handler
 spec:
-  status:
-    code: 7
-    message: Not allowed
+  compiledAdapter: denier
+  params:
+    status:
+      code: 7
+      message: Not allowed
 ---
 apiVersion: "config.istio.io/v1alpha2"
-kind: checknothing
+kind: instance
 metadata:
   name: denyreviewsv3request
 spec:
+  compiledTemplate: checknothing
 ---
 apiVersion: "config.istio.io/v1alpha2"
 kind: rule
@@ -20,5 +23,5 @@ metadata:
 spec:
   match: destination.labels["app"] == "ratings" && source.labels["app"]=="reviews" && source.labels["version"] == "v3"
   actions:
-  - handler: denyreviewsv3handler.denier
-    instances: [ denyreviewsv3request.checknothing ]
+  - handler: denyreviewsv3handler
+    instances: [ denyreviewsv3request ]
diff --git a/samples/bookinfo/policy/mixer-rule-deny-whitelist-crd.yaml b/samples/bookinfo/policy/mixer-rule-deny-whitelist-crd.yaml
@@ -0,0 +1,28 @@
+apiVersion: config.istio.io/v1alpha2
+kind: listchecker
+metadata:
+  name: whitelist
+spec:
+  # providerUrl: ordinarily black and white lists are maintained
+  # externally and fetched asynchronously using the providerUrl.
+  overrides: ["v1", "v2"]  # overrides provide a static list
+  blacklist: false
+---
+apiVersion: config.istio.io/v1alpha2
+kind: listentry
+metadata:
+  name: appversion
+spec:
+  value: source.labels["version"]
+---
+apiVersion: config.istio.io/v1alpha2
+kind: rule
+metadata:
+  name: checkversion
+spec:
+  match: destination.labels["app"] == "ratings"
+  actions:
+  - handler: whitelist.listchecker
+    instances:
+    - appversion.listentry
+---
diff --git a/samples/bookinfo/policy/mixer-rule-deny-whitelist.yaml b/samples/bookinfo/policy/mixer-rule-deny-whitelist.yaml
@@ -0,0 +1,31 @@
+apiVersion: config.istio.io/v1alpha2
+kind: handler
+metadata:
+  name: whitelist
+spec:
+  compiledAdapter: listchecker
+  params:
+    # providerUrl: ordinarily black and white lists are maintained
+    # externally and fetched asynchronously using the providerUrl.
+    overrides: ["v1", "v2"]  # overrides provide a static list
+    blacklist: false
+---
+apiVersion: config.istio.io/v1alpha2
+kind: instance
+metadata:
+  name: appversion
+spec:
+  compiledTemplate: listentry
+  params:
+    value: source.labels["version"]
+---
+apiVersion: config.istio.io/v1alpha2
+kind: rule
+metadata:
+  name: checkversion
+spec:
+  match: destination.labels["app"] == "ratings"
+  actions:
+  - handler: whitelist
+    instances: [ appversion ]
+---
diff --git a/samples/bookinfo/policy/mixer-rule-productpage-ratelimit.yaml b/samples/bookinfo/policy/mixer-rule-productpage-ratelimit.yaml
@@ -1,46 +1,50 @@
-apiVersion: "config.istio.io/v1alpha2"
-kind: memquota
+apiVersion: config.istio.io/v1alpha2
+kind: handler
 metadata:
-  name: handler
+  name: quotahandler
   namespace: istio-system
 spec:
-  quotas:
-  - name: requestcount.quota.istio-system
-    maxAmount: 500
-    validDuration: 1s
-    # The first matching override is applied.
-    # A requestcount instance is checked against override dimensions.
-    overrides:
-    # The following override applies to 'reviews' regardless
-    # of the source.
-    - dimensions:
-        destination: reviews
-      maxAmount: 1
-      validDuration: 5s
-    # The following override applies to 'productpage' when
-    # the source is a specific ip address.
-    - dimensions:
-        destination: productpage
-        source: "10.28.11.20"
+  compiledAdapter: memquota
+  params:
+    quotas:
+    - name: requestcountquota.instance.istio-system
       maxAmount: 500
       validDuration: 1s
-    # The following override applies to 'productpage' regardless
-    # of the source.
-    - dimensions:
-        destination: productpage
-      maxAmount: 2
-      validDuration: 5s
+      # The first matching override is applied.
+      # A requestcount instance is checked against override dimensions.
+      overrides:
+      # The following override applies to 'reviews' regardless
+      # of the source.
+      - dimensions:
+          destination: reviews
+        maxAmount: 1
+        validDuration: 5s
+      # The following override applies to 'productpage' when
+      # the source is a specific ip address.
+      - dimensions:
+          destination: productpage
+          source: "10.28.11.20"
+        maxAmount: 500
+        validDuration: 1s
+      # The following override applies to 'productpage' regardless
+      # of the source.
+      - dimensions:
+          destination: productpage
+        maxAmount: 2
+        validDuration: 5s
 ---
-apiVersion: "config.istio.io/v1alpha2"
-kind: quota
+apiVersion: config.istio.io/v1alpha2
+kind: instance
 metadata:
-  name: requestcount
+  name: requestcountquota
   namespace: istio-system
 spec:
-  dimensions:
-    source: request.headers["x-forwarded-for"] | "unknown"
-    destination: destination.labels["app"] | destination.service.name | "unknown"
-    destinationVersion: destination.labels["version"] | "unknown"
+  compiledTemplate: quota
+  params:
+    dimensions:
+      source: request.headers["x-forwarded-for"] | "unknown"
+      destination: destination.labels["app"] | destination.service.name | "unknown"
+      destinationVersion: destination.labels["version"] | "unknown"
 ---
 apiVersion: config.istio.io/v1alpha2
 kind: QuotaSpec
@@ -51,7 +55,7 @@ spec:
   rules:
   - quotas:
     - charge: 1
-      quota: requestcount
+      quota: requestcountquota
 ---
 apiVersion: config.istio.io/v1alpha2
 kind: QuotaSpecBinding
@@ -76,6 +80,6 @@ spec:
   # quota only applies if you are not logged in.
   # match: match(request.headers["cookie"], "user=*") == false
   actions:
-  - handler: handler.memquota
+  - handler: quotahandler
     instances:
-    - requestcount.quota
+    - requestcountquota
diff --git a/samples/bookinfo/policy/mixer-rule-productpage-redis-quota-rolling-window.yaml b/samples/bookinfo/policy/mixer-rule-productpage-redis-quota-rolling-window.yaml
@@ -0,0 +1,87 @@
+apiVersion: config.istio.io/v1alpha2
+kind: handler
+metadata:
+  name: redishandler
+  namespace: istio-system
+spec:
+  compiledAdapter: redisquota
+  params:
+    redisServerUrl: redis-release-master:6379
+    connectionPoolSize: 10
+    quotas:
+    - name: requestcountquota.instance.istio-system
+      maxAmount: 500
+      validDuration: 1s
+      bucketDuration: 500ms
+      rateLimitAlgorithm: ROLLING_WINDOW
+      # The first matching override is applied.
+      # A requestcount instance is checked against override dimensions.
+      overrides:
+      # The following override applies to 'reviews' regardless
+      # of the source.
+      - dimensions:
+          destination: reviews
+        maxAmount: 1
+      # The following override applies to 'productpage' when
+      # the source is a specific ip address.
+      - dimensions:
+          destination: productpage
+          source: "10.28.11.20"
+        maxAmount: 500
+      # The following override applies to 'productpage' regardless
+      # of the source.
+      - dimensions:
+          destination: productpage
+        maxAmount: 2
+---
+apiVersion: config.istio.io/v1alpha2
+kind: instance
+metadata:
+  name: requestcountquota
+  namespace: istio-system
+spec:
+  compiledTemplate: quota
+  params:
+    dimensions:
+      source: request.headers["x-forwarded-for"] | "unknown"
+      destination: destination.labels["app"] | destination.workload.name | "unknown"
+      destinationVersion: destination.labels["version"] | "unknown"
+---
+apiVersion: config.istio.io/v1alpha2
+kind: QuotaSpec
+metadata:
+  name: request-count
+  namespace: istio-system
+spec:
+  rules:
+  - quotas:
+    - charge: 1
+      quota: requestcountquota
+---
+apiVersion: config.istio.io/v1alpha2
+kind: QuotaSpecBinding
+metadata:
+  name: request-count
+  namespace: istio-system
+spec:
+  quotaSpecs:
+  - name: request-count
+    namespace: istio-system
+  services:
+  - name: productpage
+    namespace: default
+    #  - service: '*'  # Uncomment this to bind *all* services to request-count
+---
+apiVersion: config.istio.io/v1alpha2
+kind: rule
+metadata:
+  name: quota
+  namespace: istio-system
+spec:
+  # quota only applies if you are not logged in.
+  # match: match(request.headers["cookie"], "session=*") == false
+  actions:
+  - handler: redishandler
+    instances:
+    - requestcountquota
+---