IBAC for Istio full visual tutorial

docs/_common/install-otterize-from-cloud-with-istiowatcher.md

@@ -0,0 +1,17 @@
+If no Kubernetes clusters are connected to your account, click the "connect your cluster" button to:
+1. Create a Cloud cluster object, specifying its name and the name of an environment to which all namespaces in that cluster will belong, by default.
+2. Connect it with your actual Kubernetes cluster, by clicking on the "Connection guide →" link and running the Helm commands shown there.
+    1. Follow the instructions to install OtterizeAnd <b>add</b> the following flag to the Helm command:  `--set networkMapper.istiowatcher.enable=true`
+
+<details>
+<summary>More details, if you're curious</summary>
+
+Connecting your cluster simply entails installing Otterize OSS via Helm, using credentials from your account so Otterize OSS can report information needed to visualize the cluster.
+
+The credentials will already be inlined into the Helm command shown in the Cloud UI, so you just need to copy that line and run it from your shell.
+If you don't give it the Cloud credentials, Otterize OSS will run fully standalone in your cluster &mdash; you just won't have the visualization in Otterize Cloud.
+
+The Helm command shown in the Cloud UI also includes flags to turn off enforcement: Otterize OSS will be running in "shadow mode," 
+meaning that it will show you what **would** happen if it were to create/update your access controls (Kubernetes network policies,  Kafka ACLs, Istio authorization policies, etc.).
+Later in this tutorial, we'll turn on enforcement, but for now we'll leave it in shadow mode.
+</details>

docs/_common/install-otterize-from-cloud.md

@@ -1,6 +1,6 @@
 If no Kubernetes clusters are connected to your account, click the "connect your cluster" button to:
 1. Create a Cloud cluster object, specifying its name and the name of an environment to which all namespaces in that cluster will belong, by default.
-2. Connect it with your actual Kubernetes cluster, by clicking on the "Connection guide →" link and running the Helm commands shown there.
+2. Connect it with your actual Kubernetes cluster, by clicking on the "Connection guide →" link and running the Helm commands shown there. You'll want to keep enforcement off, and be in shadow mode.
 
 <details>
 <summary>More details, if you're curious</summary>

static/code-examples/ibac-for-istio/all.yaml

@@ -1,113 +1,117 @@
-apiVersion: v1
-kind: Namespace
+apiVersion: k8s.otterize.com/v1alpha2
+kind: ClientIntents
 metadata:
-  name: otterize-tutorial-istio
-  labels:
-    istio-injection: enabled
----
-apiVersion: apps/v1
-kind: Deployment
-metadata:
-  name: client
-  namespace: otterize-tutorial-istio
+  name: cartservice
+  namespace: otterize-visual-tutorial-istio
 spec:
-  selector:
-    matchLabels:
-      app: client
-  template:
-    metadata:
-      labels:
-        app: client
-    spec:
-      serviceAccountName: client-service-account
-      containers:
-        - name: client
-          image: alpine/curl
-          command: [ "/bin/sh", "-c", "--" ]
-          args: [ "while true; do echo \"Calling server...\"; if ! timeout 2 curl -si nginx-service:8080/client-path; then echo \"curl timed out\"; fi; sleep 2; done" ]
----
-apiVersion: v1
-kind: ServiceAccount
-metadata:
-  name: client-service-account
-  namespace: otterize-tutorial-istio
-  labels:
-    app: client
+  service:
+    name: cartservice
+  calls:
+    - name: redis-cart
+      type: http
+      resources:
+        - path: /items
+          methods:
+            - GET
+            - POST
 ---
-apiVersion: apps/v1
-kind: Deployment
+apiVersion: k8s.otterize.com/v1alpha2
+kind: ClientIntents
 metadata:
-  name: other-client
-  namespace: otterize-tutorial-istio
+  name: checkoutservice
+  namespace: otterize-visual-tutorial-istio
 spec:
-  selector:
-    matchLabels:
-      app: other-client
-  template:
-    metadata:
-      labels:
-        app: other-client
-    spec:
-      serviceAccountName: other-client-service-account
-      containers:
-        - name: other-client
-          image: alpine/curl
-          command: [ "/bin/sh", "-c", "--" ]
-          args: [ "while true; do echo \"Calling server...\"; if ! timeout 2 curl -si nginx-service:8080/other-client-path; then echo \"curl timed out\"; fi; sleep 2; done" ]
+  service:
+    name: checkoutservice
+  calls:
+    - name: productcatalogservice
+      type: http
+      resources:
+        - path: /products
+          methods:
+            - POST
 ---
-apiVersion: v1
-kind: ServiceAccount
+apiVersion: k8s.otterize.com/v1alpha2
+kind: ClientIntents
 metadata:
-  name: other-client-service-account
-  namespace: otterize-tutorial-istio
-  labels:
-    app: other-client
+  name: frontend
+  namespace: otterize-visual-tutorial-istio
+spec:
+  service:
+    name: frontend
+  calls:
+    - name: adservice
+      type: http
+      resources:
+        - path: /ads
+          methods:
+            - GET
+    - name: cartservice
+      type: http
+      resources:
+        - path: /items
+          methods:
+            - GET
+            - POST
+    - name: checkoutservice
+      type: http
+      resources:
+        - path: /checkout
+          methods:
+            - POST
+    - name: currencyservice
+      type: http
+      resources:
+        - path: /currency
+          methods:
+            - GET
+    - name: productcatalogservice
+      type: http
+      resources:
+        - path: /products
+          methods:
+            - GET
+    - name: recommendationservice
+      type: http
+      resources:
+        - path: /recommendations
+          methods:
+            - GET
+    - name: shippingservice
+      type: http
+      resources:
+        - path: /shipping
+          methods:
+            - POST
 ---
-apiVersion: apps/v1
-kind: Deployment
+apiVersion: k8s.otterize.com/v1alpha2
+kind: ClientIntents
 metadata:
-  name: nginx
-  namespace: otterize-tutorial-istio
+  name: loadgenerator
+  namespace: otterize-visual-tutorial-istio
 spec:
-  selector:
-    matchLabels:
-      app: nginx
-  replicas: 1
-  template:
-    metadata:
-      labels:
-        app: nginx
-    spec:
-      containers:
-        - name: nginx
-          image: nginx:1.14.2
-          command: ["/bin/sh", "-c"]
-          args:
-            - |
-              echo 'events {}' > /etc/nginx/nginx.conf;
-              echo 'http {' >> /etc/nginx/nginx.conf;
-              echo '    include /etc/nginx/mime.types;' >> /etc/nginx/nginx.conf;
-              echo '    server {' >> /etc/nginx/nginx.conf;
-              echo '        listen 80;' >> /etc/nginx/nginx.conf;
-              echo '        server_name localhost;' >> /etc/nginx/nginx.conf;
-              echo '        location /client-path { return 200 "hello from /client-path\n"; }' >> /etc/nginx/nginx.conf;
-              echo '        location /other-client-path { return 200 "hello from /other-client-path\n"; }' >> /etc/nginx/nginx.conf;
-              echo '    }' >> /etc/nginx/nginx.conf;
-              echo '}' >> /etc/nginx/nginx.conf;
-              nginx -g "daemon off;"
-          ports:
-            - containerPort: 80
+  service:
+    name: loadgenerator
+  calls:
+    - name: frontend
+      type: http
+      resources:
+        - path: /
+          methods:
+            - GET
 ---
-apiVersion: v1
-kind: Service
+apiVersion: k8s.otterize.com/v1alpha2
+kind: ClientIntents
 metadata:
-  name: nginx-service
-  namespace: otterize-tutorial-istio
+  name: recommendationservice
+  namespace: otterize-visual-tutorial-istio
 spec:
-  selector:
-    app: nginx
-  ports:
-    - protocol: TCP
-      port: 8080
-      targetPort: 80
----
+  service:
+    name: recommendationservice
+  calls:
+    - name: productcatalogservice
+      type: http
+      resources:
+        - path: /similar-products
+          methods:
+            - GET

static/code-examples/ibac-for-istio/allow-nothing.yaml

@@ -2,6 +2,6 @@ apiVersion: security.istio.io/v1
 kind: AuthorizationPolicy
 metadata:
   name: allow-nothing
-  namespace: otterize-tutorial-istio
+  namespace: otterize-visual-tutorial-istio
 spec:
   {}