Merge pull request #165 from layer5io/kumarabd/feature/fix

added policies, gateway resources and envoy filter

Author: leecalcote

Dockerfile

@@ -19,8 +19,10 @@ RUN CGO_ENABLED=1 GOOS=linux GOARCH=amd64 GO111MODULE=on go build -ldflags="-w -
 # Use distroless as minimal base image to package the manager binary
 # Refer to https://github.com/GoogleContainerTools/distroless for more details
 FROM gcr.io/distroless/base
-WORKDIR /
 ENV DISTRO="debian"
 ENV GOARCH="amd64"
+WORKDIR /templates
+COPY templates/* .
+WORKDIR /
 COPY --from=builder /build/meshery-istio .
 ENTRYPOINT ["/meshery-istio"]

go.mod

@@ -9,8 +9,8 @@ replace (
 
 require (
 	github.com/aspenmesh/istio-vet v0.0.0-20200806222806-9c8e9a962b9f
-	github.com/layer5io/meshery-adapter-library v0.1.7
-	github.com/layer5io/meshkit v0.1.28
+	github.com/layer5io/meshery-adapter-library v0.1.8
+	github.com/layer5io/meshkit v0.1.29
 	github.com/onsi/ginkgo v1.13.0 // indirect
 	golang.org/x/net v0.0.0-20200927032502-5d4f70055728 // indirect
 	google.golang.org/grpc v1.32.0 // indirect

go.sum

@@ -573,11 +573,10 @@ github.com/lann/ps v0.0.0-20150810152359-62de8c46ede0/go.mod h1:vmVJ0l/dxyfGW6Fm
 github.com/layer5io/kuttl v0.4.1-0.20200723152044-916f10574334/go.mod h1:UmrVd7x+bNVKrpmKgTtfRiTKHZeNPcMjQproJ0vGwhE=
 github.com/layer5io/learn-layer5/smi-conformance v0.0.0-20201022191033-40468652a54f h1:ZwVdDIb9RRXCRfRNUGOgwcyn5WrjfJi7NV64SwQ0Gvo=
 github.com/layer5io/learn-layer5/smi-conformance v0.0.0-20201022191033-40468652a54f/go.mod h1:LpewBZnN0QDRcC2fDiBVK+iByfFyf2HJM1B2h0rTMZo=
-github.com/layer5io/meshery-adapter-library v0.1.7 h1:RSDBbVvjM3HgXEaGp3qd0QW8JuORkXOxe9KE3ll0rMg=
-github.com/layer5io/meshery-adapter-library v0.1.7/go.mod h1:IZefiA/D02QB1wUbG8mStUnYA9Pukf+NEQdMYeWQo/o=
-github.com/layer5io/meshkit v0.1.27/go.mod h1:AznOL6xqpUZGyExSZJ3Bdx6EZ22UnAT9V620pm7R484=
-github.com/layer5io/meshkit v0.1.28 h1:F7DWcm3Txqb0QIqoEcBlp/qIO4s6+5Hp/CExMQM7Gjw=
-github.com/layer5io/meshkit v0.1.28/go.mod h1:AznOL6xqpUZGyExSZJ3Bdx6EZ22UnAT9V620pm7R484=
+github.com/layer5io/meshery-adapter-library v0.1.8 h1:w0Q0sotVRtz3BQYJb2IhSmyfpLn9JeVWdj6JMreXlmc=
+github.com/layer5io/meshery-adapter-library v0.1.8/go.mod h1:V3JWQ6xmtdLF5VYVL+7U9N3MA9CO8uiccE4t0OfjPfk=
+github.com/layer5io/meshkit v0.1.29 h1:wfemsp3R7JukX63Q+jejttAAYgF0/O5dA4hcEdwvuMw=
+github.com/layer5io/meshkit v0.1.29/go.mod h1:AznOL6xqpUZGyExSZJ3Bdx6EZ22UnAT9V620pm7R484=
 github.com/lib/pq v1.0.0/go.mod h1:5WUZQaWbwv1U+lTReE5YruASi9Al49XbQIvNi/34Woo=
 github.com/lib/pq v1.2.0/go.mod h1:5WUZQaWbwv1U+lTReE5YruASi9Al49XbQIvNi/34Woo=
 github.com/lib/pq v1.7.0 h1:h93mCPfUSkaul3Ka/VG8uZdmW1uMHDGxzu0NWHuJmHY=

internal/config/config.go

@@ -16,14 +16,24 @@ const (
 	LabelNamespace = "label-namespace"
 
 	// Istio vet operation
-	IstioVetOpertation = "istio-vet"
+	IstioVetOperation = "istio-vet"
+
+	// Configure Envoy filter operation
+	EnvoyFilterOperation = "envoy-filter-operation"
+	EnvoyPatchFile       = "envoy-patch-file"
 
 	// Addons that the adapter supports
 	PrometheusAddon = "prometheus-addon"
 	GrafanaAddon    = "grafana-addon"
 	KialiAddon      = "kiali-addon"
 	JaegerAddon     = "jaeger-addon"
 	ZipkinAddon     = "zipkin-addon"
+
+	// Policies
+	DenyAllPolicyOperation     = "deny-all-policy-operation"
+	StrictMTLSPolicyOperation  = "strict-mtls-policy-operation"
+	MutualMTLSPolicyOperation  = "mutual-mtls-policy-operation"
+	DisableMTLSPolicyOperation = "disable-mtls-policy-operation"
 )
 
 var (

internal/config/operations.go

@@ -2,6 +2,7 @@ package config
 
 import (
 	"github.com/layer5io/meshery-adapter-library/adapter"
+	"github.com/layer5io/meshery-adapter-library/common"
 	"github.com/layer5io/meshery-adapter-library/meshes"
 )
 
@@ -13,15 +14,18 @@ func getOperations(dev adapter.Operations) adapter.Operations {
 	versions, _ := getLatestReleaseNames(3)
 
 	dev[IstioOperation] = &adapter.Operation{
-		Type:        int32(meshes.OpCategory_INSTALL),
-		Description: "Istio Service Mesh",
-		Versions:    versions,
-		Templates: []adapter.Template{
-			"templates/istio.yaml",
-		},
+		Type:                 int32(meshes.OpCategory_INSTALL),
+		Description:          "Istio Service Mesh",
+		Versions:             versions,
 		AdditionalProperties: map[string]string{},
 	}
 
+	// Add Istio networking resources to sample applications
+	dev[common.BookInfoOperation].Templates = append(dev[common.BookInfoOperation].Templates, "file://templates/bookinfo-gateway.yaml")
+	dev[common.HTTPBinOperation].Templates = append(dev[common.HTTPBinOperation].Templates, "file://templates/httpbin-gateway.yaml")
+	dev[common.ImageHubOperation].Templates = append(dev[common.ImageHubOperation].Templates, "file://templates/imagehub-gateway.yaml")
+	dev[common.EmojiVotoOperation].Templates = append(dev[common.EmojiVotoOperation].Templates, "file://templates/emojivoto-gateway.yaml")
+
 	dev[LabelNamespace] = &adapter.Operation{
 		Type:        int32(meshes.OpCategory_CONFIGURE),
 		Description: "Label Namespace for Automatic Sidecar Injection",
@@ -52,10 +56,55 @@ func getOperations(dev adapter.Operations) adapter.Operations {
 		Description: "Zipkin Dashboard",
 	}
 
-	dev[IstioVetOpertation] = &adapter.Operation{
+	dev[IstioVetOperation] = &adapter.Operation{
 		Type:        int32(meshes.OpCategory_VALIDATE),
 		Description: "Analyze Running Configuration",
 	}
 
+	dev[EnvoyFilterOperation] = &adapter.Operation{
+		Type:        int32(meshes.OpCategory_CONFIGURE),
+		Description: "Envoy Filter for Imagehub",
+		Versions:    adapter.NoneVersion,
+		Templates: []adapter.Template{
+			"file://templates/imagehub-filter.yaml",
+		},
+		AdditionalProperties: map[string]string{
+			ServiceName:    "api-v1",
+			EnvoyPatchFile: "file://templates/imagehub-patch.json",
+		},
+	}
+
+	dev[DenyAllPolicyOperation] = &adapter.Operation{
+		Type:        int32(meshes.OpCategory_CONFIGURE),
+		Description: "Deny-All Policy",
+		Templates: []adapter.Template{
+			"file://templates/policy-denyall.yaml",
+		},
+	}
+
+	dev[StrictMTLSPolicyOperation] = &adapter.Operation{
+		Type:        int32(meshes.OpCategory_CONFIGURE),
+		Description: "Strict MTLS Policy",
+		Templates: []adapter.Template{
+			"file://templates/policy-strict.yaml",
+		},
+	}
+
+	dev[MutualMTLSPolicyOperation] = &adapter.Operation{
+		Type:        int32(meshes.OpCategory_CONFIGURE),
+		Description: "Mutual MTLS Policy",
+		Templates: []adapter.Template{
+			"file://templates/policy-mutual.yaml",
+		},
+	}
+
+	dev[DisableMTLSPolicyOperation] = &adapter.Operation{
+		Type:        int32(meshes.OpCategory_CONFIGURE),
+		Description: "Disable MTLS Policy",
+		Templates: []adapter.Template{
+			"file://templates/policy-disable.yaml",
+		},
+	}
+
 	return dev
 }

istio/error.go

@@ -42,6 +42,14 @@ var (
 	// duing sample app installation
 	ErrSampleAppCode = "istio_test_code"
 
+	// ErrEnvoyFilterCode represents the errors which are generated
+	// duing envoy filter patching
+	ErrEnvoyFilterCode = "istio_test_code"
+
+	// ErrApplyPolicyCode represents the errors which are generated
+	// duing policy apply operation
+	ErrApplyPolicyCode = "istio_test_code"
+
 	// ErrCustomOperationCode represents the errors which are generated
 	// when an invalid addon operation is requested
 	ErrCustomOperationCode = "istio_test_code"
@@ -111,6 +119,16 @@ func ErrSampleApp(err error) error {
 	return errors.NewDefault(ErrSampleAppCode, fmt.Sprintf("Error with sample app operation: %s", err.Error()))
 }
 
+// ErrEnvoyFilter is the error for streaming event
+func ErrEnvoyFilter(err error) error {
+	return errors.NewDefault(ErrEnvoyFilterCode, fmt.Sprintf("Error with envoy filter operation: %s", err.Error()))
+}
+
+// ErrApplyPolicy is the error for streaming event
+func ErrApplyPolicy(err error) error {
+	return errors.NewDefault(ErrApplyPolicyCode, fmt.Sprintf("Error with apply policy operation: %s", err.Error()))
+}
+
 // ErrAddonFromTemplate is the error for streaming event
 func ErrAddonFromTemplate(err error) error {
 	return errors.NewDefault(ErrAddonFromTemplateCode, fmt.Sprintf("Error with addon install operation: %s", err.Error()))

istio/install.go

@@ -22,9 +22,9 @@ import (
 )
 
 func (istio *Istio) installIstio(del bool, version, namespace string) (string, error) {
-	istio.Log.Info(fmt.Sprintf("Requested install of version: %s", version))
-	istio.Log.Info(fmt.Sprintf("Requested action is delete: %v", del))
-	istio.Log.Info(fmt.Sprintf("Requested action is in namespace: %s", namespace))
+	istio.Log.Debug(fmt.Sprintf("Requested install of version: %s", version))
+	istio.Log.Debug(fmt.Sprintf("Requested action is delete: %v", del))
+	istio.Log.Debug(fmt.Sprintf("Requested action is in namespace: %s", namespace))
 
 	// Overiding the namespace to be empty
 	// This is intentional as deploying istio on custom namespace
@@ -95,7 +95,11 @@ func (istio *Istio) applyManifest(contents []byte, isDel bool, namespace string)
 		return err
 	}
 
-	err = kclient.ApplyManifest(contents, mesherykube.ApplyOptions{Namespace: namespace, Delete: isDel})
+	err = kclient.ApplyManifest(contents, mesherykube.ApplyOptions{
+		Namespace: namespace,
+		Update:    true,
+		Delete:    isDel,
+	})
 	if err != nil {
 		return err
 	}

istio/istio.go

@@ -89,6 +89,19 @@ func (istio *Istio) ApplyOperation(ctx context.Context, opReq adapter.OperationR
 			ee.Details = ""
 			hh.StreamInfo(e)
 		}(istio, e)
+	case internalconfig.DenyAllPolicyOperation, internalconfig.StrictMTLSPolicyOperation, internalconfig.MutualMTLSPolicyOperation, internalconfig.DisableMTLSPolicyOperation:
+		go func(hh *Istio, ee *adapter.Event) {
+			stat, err := hh.applyPolicy(opReq.Namespace, opReq.IsDeleteOperation, operations[opReq.OperationName].Templates)
+			if err != nil {
+				e.Summary = fmt.Sprintf("Error while %s policy", stat)
+				e.Details = err.Error()
+				hh.StreamErr(e, err)
+				return
+			}
+			ee.Summary = fmt.Sprintf("Policy %s successfully", status.Deployed)
+			ee.Details = ""
+			hh.StreamInfo(e)
+		}(istio, e)
 	case common.CustomOperation:
 		go func(hh *Istio, ee *adapter.Event) {
 			stat, err := hh.applyCustomOperation(opReq.Namespace, opReq.CustomBody, opReq.IsDeleteOperation)
@@ -133,7 +146,7 @@ func (istio *Istio) ApplyOperation(ctx context.Context, opReq adapter.OperationR
 			ee.Details = fmt.Sprintf("Succesfully %sed %s from the %s namespace", operation, opReq.OperationName, opReq.Namespace)
 			hh.StreamInfo(e)
 		}(istio, e)
-	case internalconfig.IstioVetOpertation:
+	case internalconfig.IstioVetOperation:
 		go func(hh *Istio, ee *adapter.Event) {
 			responseChan := make(chan *adapter.Event, 1)
 
@@ -152,6 +165,21 @@ func (istio *Istio) ApplyOperation(ctx context.Context, opReq adapter.OperationR
 
 			istio.Log.Info("Done")
 		}(istio, e)
+	case internalconfig.EnvoyFilterOperation:
+		go func(hh *Istio, ee *adapter.Event) {
+			appName := operations[opReq.OperationName].AdditionalProperties[common.ServiceName]
+			patchFile := operations[opReq.OperationName].AdditionalProperties[internalconfig.EnvoyPatchFile]
+			stat, err := hh.patchWithEnvoyFilter(opReq.Namespace, opReq.IsDeleteOperation, appName, operations[opReq.OperationName].Templates, patchFile)
+			if err != nil {
+				e.Summary = fmt.Sprintf("Error while %s %s application", stat, appName)
+				e.Details = err.Error()
+				hh.StreamErr(e, err)
+				return
+			}
+			ee.Summary = fmt.Sprintf("%s application %s successfully", appName, stat)
+			ee.Details = fmt.Sprintf("The %s application is now %s.", appName, stat)
+			hh.StreamInfo(e)
+		}(istio, e)
 	default:
 		istio.StreamErr(e, ErrOpInvalid)
 	}

istio/sample_apps.go

@@ -11,10 +11,10 @@ import (
 	"github.com/layer5io/meshkit/utils"
 
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	types "k8s.io/apimachinery/pkg/types"
 )
 
 func (istio *Istio) installSampleApp(namespace string, del bool, templates []adapter.Template) (string, error) {
-	istio.Log.Info(fmt.Sprintf("Requested action is delete: %v", del))
 	st := status.Installing
 
 	if del {
@@ -36,6 +36,58 @@ func (istio *Istio) installSampleApp(namespace string, del bool, templates []ada
 	return status.Installed, nil
 }
 
+func (istio *Istio) patchWithEnvoyFilter(namespace string, del bool, app string, templates []adapter.Template, patchObject string) (string, error) {
+	st := status.Deploying
+
+	if del {
+		st = status.Removing
+	}
+
+	jsonContents, err := readFileSource(patchObject)
+	if err != nil {
+		return st, ErrEnvoyFilter(err)
+	}
+
+	_, err = istio.KubeClient.AppsV1().Deployments(namespace).Patch(context.TODO(), app, types.MergePatchType, []byte(jsonContents), metav1.PatchOptions{})
+	if err != nil {
+		return st, ErrEnvoyFilter(err)
+	}
+
+	for _, template := range templates {
+		contents, err := readFileSource(string(template))
+		if err != nil {
+			return st, ErrEnvoyFilter(err)
+		}
+
+		err = istio.applyManifest([]byte(contents), del, namespace)
+		if err != nil {
+			return st, ErrEnvoyFilter(err)
+		}
+	}
+
+	return status.Deployed, nil
+}
+func (istio *Istio) applyPolicy(namespace string, del bool, templates []adapter.Template) (string, error) {
+	st := status.Deploying
+
+	if del {
+		st = status.Removing
+	}
+
+	for _, template := range templates {
+		contents, err := readFileSource(string(template))
+		if err != nil {
+			return st, ErrApplyPolicy(err)
+		}
+
+		err = istio.applyManifest([]byte(contents), del, namespace)
+		if err != nil {
+			return st, ErrApplyPolicy(err)
+		}
+	}
+	return status.Deployed, nil
+}
+
 // LoadToMesh is used to mark deployment for automatic sidecar injection (or not)
 func (istio *Istio) LoadToMesh(namespace string, service string, remove bool) error {
 	deploy, err := istio.KubeClient.AppsV1().Deployments(namespace).Get(context.TODO(), service, metav1.GetOptions{})

templates/bookinfo-gateway.yaml

@@ -0,0 +1,41 @@
+apiVersion: networking.istio.io/v1alpha3
+kind: Gateway
+metadata:
+  name: sample-app-gateway
+spec:
+  selector:
+    istio: ingressgateway # use istio default controller
+  servers:
+  - port:
+      number: 80
+      name: http
+      protocol: HTTP
+    hosts:
+    - "*"
+---
+apiVersion: networking.istio.io/v1alpha3
+kind: VirtualService
+metadata:
+  name: bookinfo
+spec:
+  hosts:
+  - "bookinfo.meshery.io"
+  gateways:
+  - sample-app-gateway
+  http:
+  - match:
+    - uri:
+        exact: /productpage
+    - uri:
+        prefix: /static
+    - uri:
+        exact: /login
+    - uri:
+        exact: /logout
+    - uri:
+        prefix: /api/v1/products
+    route:
+    - destination:
+        host: productpage
+        port:
+          number: 9080