CRD Examples Demo - GoogleCloudPlatform/anthos-appconfig GitHub Wiki


Prerequisite (Vault)

bash crd-setup-helper.sh init-demos </path/to/repo>
  • Responses
    • When prompted, accept the default appconfigcrd-demo, because it aligns with the example/demo YAMLs

Follow the instructions printed by crd-setup-helper.sh to complete the setup.

Sections

Pubsub

  • Follow the instructions as part of the install

Vault

Follow the instructions in the install (see the prerequisite of having the Vault address and credentials).

Verify Namespaces

kubectl get ns
kubectl get services -n istio-system istio-ingressgateway
kubectl get services -n devtest

Expected output of kubectl get ns (the two service commands should each list a service with an external IP):

appconfigmgrv2-system       Active   17h
config-management-system    Active   17h
default                     Active   17h
devtest                     Active   17h
devtest-istio               Active   17h
gatekeeper-system           Active   17h
istio-system                Active   17h
kube-public                 Active   17h
kube-system                 Active   17h
uc-allowed-jwt-istio        Active   17h
uc-allowed-services-istio   Active   17h
uc-allowed-services-k8s     Active   17h
uc-firebase                 Active   17h
uc-opa                      Active   17h
uc-secrets-istio            Active   17h
uc-secrets-k8s              Active   17h
uc-secrets-vault-k8s        Active   17h
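The listing above is what a healthy demo cluster should show. The following script is an added example, not part of the anthos-appconfig wiki or repository: it checks the output of kubectl get ns against the expected namespace list and reports any namespace that is absent or not Active. The EXPECTED_NS list is taken from the listing above; the two sample outputs are constructed here so the script runs offline, and the function names are this example's own.

```shell
#!/bin/sh
# Added example (not from the anthos-appconfig project): verify that every namespace
# the demo expects is present and Active, given the text output of `kubectl get ns`.
# Live usage:   check_namespaces "$(kubectl get ns)"

# Namespaces the wiki page lists as expected after setup.
EXPECTED_NS="appconfigmgrv2-system config-management-system default devtest devtest-istio
gatekeeper-system istio-system kube-public kube-system uc-allowed-jwt-istio
uc-allowed-services-istio uc-allowed-services-k8s uc-firebase uc-opa
uc-secrets-istio uc-secrets-k8s uc-secrets-vault-k8s"

# Constructed sample: a healthy cluster, mirroring the wiki's expected listing.
SAMPLE_NS_OUTPUT='NAME                        STATUS   AGE
appconfigmgrv2-system       Active   17h
config-management-system    Active   17h
default                     Active   17h
devtest                     Active   17h
devtest-istio               Active   17h
gatekeeper-system           Active   17h
istio-system                Active   17h
kube-public                 Active   17h
kube-system                 Active   17h
uc-allowed-jwt-istio        Active   17h
uc-allowed-services-istio   Active   17h
uc-allowed-services-k8s     Active   17h
uc-firebase                 Active   17h
uc-opa                      Active   17h
uc-secrets-istio            Active   17h
uc-secrets-k8s              Active   17h
uc-secrets-vault-k8s        Active   17h'

# Constructed sample: uc-firebase is missing and uc-opa is stuck in Terminating.
BROKEN_NS_OUTPUT='NAME                        STATUS        AGE
appconfigmgrv2-system       Active        17h
config-management-system    Active        17h
default                     Active        17h
devtest                     Active        17h
devtest-istio               Active        17h
gatekeeper-system           Active        17h
istio-system                Active        17h
kube-public                 Active        17h
kube-system                 Active        17h
uc-allowed-jwt-istio        Active        17h
uc-allowed-services-istio   Active        17h
uc-allowed-services-k8s     Active        17h
uc-opa                      Terminating   2m
uc-secrets-istio            Active        17h
uc-secrets-k8s              Active        17h
uc-secrets-vault-k8s        Active        17h'

# missing_namespaces <kubectl-get-ns-output>
# Prints one line per expected namespace that is absent or not Active.
# Always returns 0 so it is safe inside $(...) under `set -e`.
missing_namespaces() {
  _out=$1
  for ns in $EXPECTED_NS; do
    # Column 1 is NAME, column 2 is STATUS; the header row never matches a namespace.
    _status=$(printf '%s\n' "$_out" | awk -v n="$ns" '$1 == n { print $2 }')
    if [ -z "$_status" ]; then
      echo "MISSING: $ns"
    elif [ "$_status" != "Active" ]; then
      echo "NOT ACTIVE: $ns ($_status)"
    fi
  done
  return 0
}

# check_namespaces <kubectl-get-ns-output>
# Returns 0 when every expected namespace is Active, 1 otherwise (problems go to stderr).
check_namespaces() {
  _report=$(missing_namespaces "$1")
  if [ -n "$_report" ]; then
    printf '%s\n' "$_report" >&2
    return 1
  fi
  echo "all expected namespaces are Active"
  return 0
}
```

Run it against the live cluster with check_namespaces "$(kubectl get ns)"; a non-zero exit means a namespace from the setup is missing or not yet Active, which is the usual reason the later use-case tests fail.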

Verify sample scripts

export INGRESS_NO_ISTIO_HOST=$(kubectl -n devtest get service test-service-external -o jsonpath='{.status.loadBalancer.ingress[0].ip}')
export INGRESS_ISTIO_HOST=$(kubectl -n istio-system get service istio-ingressgateway -o jsonpath='{.status.loadBalancer.ingress[0].ip}')

Running the tests

Testing for Access

In order to test, we have two namespaces that each contain a test driver app that calls the internal services. The App Config CRD defines the allowed services. The driver takes, in the URL, the sequence of GETs to make (call1, call2, call3, and so on).

User setup of the tests. IMPORTANT

To simulate the app team being responsible for deployments with whatever tools and process they choose, the apps are deployed using kubectl. The use-case apps are in the folder examples/use-cases/${use case namespace}/deploy-apps.yaml (you can deploy them before working through each use case).

Use Cases Detail

Use Case - Allowed Services - k8s

Use Case - Allowed Services - istio

Use Case - Allowed Services - istio + JWT

Use Case - Allowed Services - k8s + Secrets (GCP Service Account)

Use Case - Allowed Services - istio + Secrets (GCP Service Account) + Egress (Service Entry)

Use Case - Firebase - JWT

Use Case - Allowed Services & Secrets (GCP Service Account - k8s plugin - Vault)

Use Case - Allowed Services & Secret (GCP Service Account and Workload Identity)