Posts

Exclude a service from being auto sidecar injected by istio

As you may know, you can enable automatic sidecar injection for a specific namespace with istio:

kubectl label namespace ABC istio-injection=enabled

It means that every new pod deployed in the ABC namespace will be injected with an Envoy sidecar. If you don't want a specific service such as MyService to be controlled by Istio, you can set the annotation 'sidecar.istio.io/inject' to 'false' on its pod template. For example:



References:

https://istio.io/docs/reference/config/annotations/

How to clean up Kong-Ingress-Controller

You can use the following shell script, which I wrote a couple of days ago, to clean up Kong-Ingress-Controller:

"Searchlight for U" at the Korea&Vietnam OpenInfra User Group meetup

Last night, in a cozy conference room in Seoul, South Korea, I had a very friendly meetup with the OpenStack Korea User Group with around ten or so people. Sa Pham and I, the Vietnam OpenInfra User Group representatives, were there to share our experiences on OpenStack and networking with others. This is not my first time with the Korea User Group, but meeting people who work on open source projects or want to learn about OpenInfra technologies made me super excited.

Like last time, I gave a brief presentation about OpenStack Searchlight, showing folks what was going on and my plan for the Ussuri development cycle. That is why the title of my talk is "Searchlight for U".


Even though I had not put much effort into Searchlight during Train, while presenting the progress to people I was amazed at how far we had come. I had been Searchlight's PTL for two cycles and now one more time. Hopefully, I can move the project forward with some real-world adoption, use cases, and…

A sample Flask app that uses Keycloak for user registration and OIDC authentication

I've spent a couple of days exploring Keycloak, Istio, and EKS. The result is a sample Flask app with the following features:

- User registration and authentication (OIDC) with Keycloak
- The app can run on a local machine, in a Docker container, or inside a service mesh within a Kubernetes cluster with Istio. In that case, Istio and Keycloak were deployed on an EKS cluster following this tutorial [1].

The sample app repository is here [2]. Below are the detailed instructions to run the sample app.

Prerequisites

- Have a Keycloak instance up and running, and know the admin user credentials.
- If you want to deploy the app on a Kubernetes cluster with Istio installed, make sure you have admin privileges on the cluster. You also need to install istioctl.

Run the application normally

1. Clone the repo and install the requirements

git clone https://github.com/dangtrinhnt/keycloak_flask
cd keycloak_flask
virtualenv ~/keycloak_flask
source ~/keycloak_flask/bin/activate
pip install -r requiremen…

How to open a custom port on the istio-ingressgateway

By default, when you deploy Istio on a Kubernetes cluster, it creates a load balancer named istio-ingressgateway [1]. That ingress gateway is a Kubernetes Service of type LoadBalancer that handles incoming traffic into the mesh. You can check it by running this command:

kubectl -n istio-system get service istio-ingressgateway

The istio-ingressgateway load balancer opens a number of ports such as 80, 443, etc. If you want to open a new port on the load balancer, you can do the following:

1. Export the current configuration of the istio-ingressgateway

kubectl -n istio-system get service istio-ingressgateway -o yaml > istio_ingressgateway.yaml

2. Edit istio_ingressgateway.yaml and add the new port you want under the service's ports list, for example

nano istio_ingressgateway.yaml

...
  - name: myport
    nodePort: 31410
    port: 5000
    protocol: TCP
    targetPort: 5000
...

3. Apply the new configuration

kubectl apply -f istio_ingressgateway.yaml

4. Check that the new port is open

kubectl describe svc istio-ingres…

End-user authentication with Istio and KeyCloak on the AWS EKS environment

When evaluating Istio for our AWS EKS cluster environment, I found end-user authentication a little confusing, and it cost me a couple of days to set up a running scenario. Moreover, most blog posts and online documents only cover end-user authentication with Auth0 (a proprietary authentication solution) and say very little about other software such as KeyCloak. This article describes how I configured it to work with KeyCloak and briefly explains Istio's authentication flow.

As you may know, Istio introduces two types of authentication: Transport Authentication and Origin Authentication [0]. Transport Authentication is used for service-to-service authentication, while Origin Authentication is used for end-user authentication. But when it comes to the actual configuration, it looks like I have to apply both types if I want to set up the following scenario:

Figure 1: Expected scenario

What I expected to have:

End-user requests …

Counting all items of a DynamoDB table using aws cli

The following command returns the total number of records in a DynamoDB table:

aws dynamodb scan --table-name <TABLE_NAME> --select "COUNT"