mathieu-benoit
diff --git a/‎content/onlineboutique/deploy-apps.md‎
Lines changed: 60 additions & 49 deletions b/‎content/onlineboutique/deploy-apps.md‎
Lines changed: 60 additions & 49 deletions
diff --git a/‎content/onlineboutique/deploy-authorization-policies.md‎
Lines changed: 22 additions & 5 deletions b/‎content/onlineboutique/deploy-authorization-policies.md‎
Lines changed: 22 additions & 5 deletions
diff --git a/‎content/onlineboutique/deploy-network-policies.md‎
Lines changed: 40 additions & 20 deletions b/‎content/onlineboutique/deploy-network-policies.md‎
Lines changed: 40 additions & 20 deletions
@@ -1,71 +1,83 @@
 ---
 title: "Deploy apps"
-weight: 4
+weight: 5
 description: "Duration: 5 min | Persona: Apps Operator"
 tags: ["apps-operator", "asm"]
 ---
 ![Apps Operator](/images/apps-operator.png)
 _{{< param description >}}_
 
-In this section, you will deploy via Kustomize the Online Boutique apps in the dedicated namespace.
+In this section, you will deploy the Online Boutique apps.
 
 Initialize variables:
 ```Bash
 WORK_DIR=~/
 source ${WORK_DIR}acm-workshop-variables.sh
 ```
 
-## Get upstream Kubernetes manifests
+## Update base overlay
 
-Get the upstream Kubernetes manifests:
+Update the Kustomize base overlay:
 ```Bash
-cd ${WORK_DIR}$ONLINE_BOUTIQUE_DIR_NAME
-mkdir upstream
-cd upstream
-kpt pkg get https://github.com/GoogleCloudPlatform/anthos-service-mesh-samples.git/docs/online-boutique-asm-manifests/base@main
-```
-
-## Create base overlay
-
-Create Kustomize base overlay files:
-```Bash
-cd ${WORK_DIR}$ONLINE_BOUTIQUE_DIR_NAME
-mkdir base
-cd base
-kustomize create --resources ../upstream/base/all
-cat <<EOF >> kustomization.yaml
+cd ${WORK_DIR}$ONLINE_BOUTIQUE_DIR_NAME/base
+kustomize edit add resource ../upstream/base
+cat <<EOF >> ${WORK_DIR}$ONLINE_BOUTIQUE_DIR_NAME/base/kustomization.yaml
 patchesStrategicMerge:
 - |-
   apiVersion: v1
-  kind: Namespace
+  kind: Service
   metadata:
-    name: onlineboutique
+    name: frontend-external
   \$patch: delete
 EOF
 ```
 {{% notice info %}}
-We are removing the upstream `Namespace` resource as we already defined it in a previous section while configuring the associated Config Sync's `RepoSync` setup.
+Here we are deleting the `Service` `frontend-external` because the `frontend` app will be exposed by the Ingress Gateway.
 {{% /notice %}}
 
-You could browse the files in the `${WORK_DIR}$ONLINE_BOUTIQUE_DIR_NAME/upstream/base` folder, along with the `Namespace`, `Deployment` and `Service` for the OnlineBoutique apps, you could see the `VirtualService` resource which will allow to establish the Ingress Gateway routing to the OnlineBoutique app. The `spec.hosts` value is `"*"` but in the following part you will replace this value by the actual DNS of the OnlineBoutique solution (i.e. `ONLINE_BOUTIQUE_INGRESS_GATEWAY_HOST_NAME`) defined in a previous section.
+## Define VirtualService
 
-## Define Staging namespace overlay
+Define the `VirtualService` resource in order to establish the Ingress Gateway routing to the Online Boutique apps:
+```Bash
+cat <<EOF > ${WORK_DIR}$ONLINE_BOUTIQUE_DIR_NAME/base/virtualservice.yaml
+apiVersion: networking.istio.io/v1alpha3
+kind: VirtualService
+metadata:
+  name: frontend
+spec:
+  hosts:
+  - "*"
+  gateways:
+  - ${INGRESS_GATEWAY_NAMESPACE}/${INGRESS_GATEWAY_NAME}
+  http:
+  - route:
+    - destination:
+        host: frontend
+        port:
+          number: 80
+EOF
+```
 
-Update the overlay files needed to define the Staging namespace:
+Update the Kustomize base overlay:
 ```Bash
-cd ${WORK_DIR}$ONLINE_BOUTIQUE_DIR_NAME/staging
-kustomize edit add resource ../base
-kustomize edit set namespace $ONLINEBOUTIQUE_NAMESPACE
-cp -r ../upstream/base/for-virtualservice-host/ .
-sed -i "s/HOST_NAME/${ONLINE_BOUTIQUE_INGRESS_GATEWAY_HOST_NAME}/g" for-virtualservice-host/kustomization.yaml
-kustomize edit add component for-virtualservice-host
+cd ${WORK_DIR}$ONLINE_BOUTIQUE_DIR_NAME/base
+kustomize edit add resource virtualservice.yaml
 ```
 
-Update the `Deployments`'s container images to point to the private Artifact Registry:
+## Update the Staging namespace overlay
+
+Update the Staging Kustomize overlay with the proper `hosts` value in the `VirtualService` and with the `Deployments`'s container images to point to the private Artifact Registry:
 ```Bash
-cd ${WORK_DIR}$ONLINE_BOUTIQUE_DIR_NAME/staging
 cat <<EOF >> ${WORK_DIR}$ONLINE_BOUTIQUE_DIR_NAME/staging/kustomization.yaml
 patchesJson6902:
+- target:
+    kind: VirtualService
+    name: frontend
+  patch: |-
+    - op: replace
+      path: /spec/hosts
+      value:
+        - ${ONLINE_BOUTIQUE_INGRESS_GATEWAY_HOST_NAME}
 - target:
     kind: Deployment
     name: adservice
@@ -166,37 +178,36 @@ git add . && git commit -m "Online Boutique apps" && git push origin main
 ## Check deployments
 
 List the Kubernetes resources managed by Config Sync in **GKE cluster** for the **Online Boutique apps** repository:
+{{< tabs groupId="cs-status-ui">}}
+{{% tab name="gcloud" %}}
 ```Bash
 gcloud alpha anthos config sync repo describe \
     --project $TENANT_PROJECT_ID \
     --managed-resources all \
     --sync-name repo-sync \
     --sync-namespace $ONLINEBOUTIQUE_NAMESPACE
 ```
-Wait and re-run this command above until you see `"status": "SYNCED"`. All the `managed_resources` listed should have `STATUS: Current` as well.
-
-List the GitHub runs for the **Online Boutique apps** repository:
+Wait and re-run this command above until you see `"status": "SYNCED"`.
+{{% /tab %}}
+{{% tab name="UI" %}}
+Alternatively, you could also see this from within the Cloud Console, by clicking on this link:
 ```Bash
-cd ${WORK_DIR}$ONLINE_BOUTIQUE_DIR_NAME && gh run list
+echo -e "https://console.cloud.google.com/kubernetes/config_management/status?clusterName=${GKE_NAME}&id=${GKE_NAME}&project=${TENANT_PROJECT_ID}"
 ```
+Wait until you see the `Sync status` column as `SYNCED`. And then you can also click on `View resources` to see the details.
+{{% /tab %}}
+{{< /tabs >}}
 
 ## Check the Online Boutique apps
 
-Navigate to the Online Boutique apps, click on the link displayed by the command below:
-```Bash
-echo -e "https://${ONLINE_BOUTIQUE_INGRESS_GATEWAY_HOST_NAME}"
-```
-
-You will see that the Online Boutique website is not working.
-
-Open the list of the **Workloads** deployed in the GKE cluster, click on the link displayed by the command below:
+Open the list of the **Workloads** deployed in the GKE cluster, you will see that the Online Boutique apps is successfully deployed. Click on the link displayed by the command below:
 ```Bash
 echo -e "https://console.cloud.google.com/kubernetes/workload/overview?project=${TENANT_PROJECT_ID}"
 ```
 
-Here you could see that all the Online Boutique `Deployments` are in `Error`. If you look at more details on the `Pods` you will see this error:
-```Plaintext
-Readiness probe failed: Get "http://10.4.2.13:15020/app-health/server/readyz": dial tcp 10.4.2.13:15020: connect: connection refused
+Navigate to the Online Boutique apps, click on the link displayed by the command below:
+```Bash
+echo -e "https://${ONLINE_BOUTIQUE_INGRESS_GATEWAY_HOST_NAME}"
 ```
 
-At this stage, that's expected because we have deployed the `deny-all` `NetworkPolicy` in the `onlineboutique` `Namespace` blocking any ingress and egress requests to and from any app in this `Namespace`. We will fix this in the next sections.
+You should receive the error: `RBAC: access denied`. This is because the default deny-all `AuthorizationPolicy` has been applied to the entire mesh. In the next section you will apply a fine granular `AuthorizationPolicy` for the Online Boutique apps in order to get fix this.
@@ -1,13 +1,13 @@
 ---
 title: "Deploy AuthorizationPolicies"
-weight: 7
+weight: 6
 description: "Duration: 5 min | Persona: Apps Operator"
 tags: ["apps-operator", "asm", "security-tips"]
 ---
 ![Apps Operator](/images/apps-operator.png)
 _{{< param description >}}_
 
-In this section, you will deploy granular and specific `AuthorizationPolicies` for the Online Boutique namespace. At the end that's where you will finally have a working Whereami app :)
+In this section, you will deploy granular and specific `AuthorizationPolicies` for the Online Boutique namespace. At the end that's where you will finally have working Online Boutique apps :)
 
 Initialize variables:
 ```Bash
@@ -20,15 +20,14 @@ source ${WORK_DIR}acm-workshop-variables.sh
 Get the upstream Kubernetes manifests:
 ```Bash
 cd ${WORK_DIR}$ONLINE_BOUTIQUE_DIR_NAME/upstream
-kpt pkg get https://github.com/GoogleCloudPlatform/anthos-service-mesh-samples.git/docs/online-boutique-asm-manifests/service-accounts@main
 kpt pkg get https://github.com/GoogleCloudPlatform/anthos-service-mesh-samples.git/docs/online-boutique-asm-manifests/authorization-policies@main
 ```
 
 ## Update the Kustomize base overlay
 
 ```Bash
 cd ${WORK_DIR}$ONLINE_BOUTIQUE_DIR_NAME/base
-kustomize edit add component ../upstream/service-accounts/all
+kustomize edit add component ../upstream/components/service-accounts
 kustomize edit add component ../upstream/authorization-policies/all
 ```
 
@@ -55,18 +54,36 @@ git add . && git commit -m "Online Boutique AuthorizationPolicies" && git push o
 ## Check deployments
 
 List the Kubernetes resources managed by Config Sync in **GKE cluster** for the **Online Boutique apps** repository:
+{{< tabs groupId="cs-status-ui">}}
+{{% tab name="gcloud" %}}
 ```Bash
 gcloud alpha anthos config sync repo describe \
     --project $TENANT_PROJECT_ID \
     --managed-resources all \
     --sync-name repo-sync \
     --sync-namespace $ONLINEBOUTIQUE_NAMESPACE
 ```
-Wait and re-run this command above until you see `"status": "SYNCED"`. All the `managed_resources` listed should have `STATUS: Current` as well.
+Wait and re-run this command above until you see `"status": "SYNCED"`.
+{{% /tab %}}
+{{% tab name="UI" %}}
+Alternatively, you could also see this from within the Cloud Console, by clicking on this link:
+```Bash
+echo -e "https://console.cloud.google.com/kubernetes/config_management/status?clusterName=${GKE_NAME}&id=${GKE_NAME}&project=${TENANT_PROJECT_ID}"
+```
+Wait until you see the `Sync status` column as `SYNCED`. And then you can also click on `View resources` to see the details.
+{{% /tab %}}
+{{< /tabs >}}
 
 List the GitHub runs for the **Online Boutique apps** repository:
 ```Bash
 cd ${WORK_DIR}$ONLINE_BOUTIQUE_DIR_NAME && gh run list
 ```
 
+## Check the Online Boutique apps
+
+Navigate to the Online Boutique apps, click on the link displayed by the command below:
+```Bash
+echo -e "https://${ONLINE_BOUTIQUE_INGRESS_GATEWAY_HOST_NAME}"
+```
+
 You should now have the Online Boutique apps working successfully. Congrats!
@@ -1,13 +1,13 @@
 ---
 title: "Deploy NetworkPolicies"
-weight: 6
+weight: 3
 description: "Duration: 5 min | Persona: Apps Operator"
 tags: ["apps-operator", "security-tips"]
 ---
 ![Apps Operator](/images/apps-operator.png)
 _{{< param description >}}_
 
-In this section, you will deploy granular and specific `NetworkPolicies` for the Online Boutique namespace. This will fix the policies violation you faced earlier. At the end you will catch another issue that you will resolve in the next section.
+In this section, you will deploy granular and specific `NetworkPolicies` for the Online Boutique namespace. This will fix the policies violation you faced earlier.
 
 Initialize variables:
 ```Bash
@@ -19,16 +19,16 @@ source ${WORK_DIR}acm-workshop-variables.sh
 
 Get the upstream Kubernetes manifests:
 ```Bash
-cd ${WORK_DIR}$ONLINE_BOUTIQUE_DIR_NAME/upstream
-kpt pkg get https://github.com/GoogleCloudPlatform/microservices-demo.git/docs/network-policies@main
-cd network-policies
-kustomize create --autodetect
-kustomize edit remove resource Kptfile
+kpt pkg get https://github.com/GoogleCloudPlatform/microservices-demo.git/kustomize@main ${WORK_DIR}$ONLINE_BOUTIQUE_DIR_NAME/upstream
+rm ${WORK_DIR}$ONLINE_BOUTIQUE_DIR_NAME/upstream/tests -rf
+rm ${WORK_DIR}$ONLINE_BOUTIQUE_DIR_NAME/upstream/Kptfile
+rm ${WORK_DIR}$ONLINE_BOUTIQUE_DIR_NAME/upstream/kustomization.yaml
 ```
 
 ## Update the Kustomize base overlay
 
 ```Bash
+mkdir ${WORK_DIR}$ONLINE_BOUTIQUE_DIR_NAME/base
 cd ${WORK_DIR}$ONLINE_BOUTIQUE_DIR_NAME/base
 mkdir network-policies
 cat <<EOF >> network-policies/kustomization.yaml
@@ -56,10 +56,22 @@ patchesJson6902:
           - port: 8080
             protocol: TCP
 EOF
-kustomize edit add resource ../upstream/network-policies
+kustomize create
+kustomize edit add component ../upstream/components/network-policies
 kustomize edit add component network-policies
 ```
 
+## Define Staging namespace overlay
+
+```Bash
+cd ${WORK_DIR}$ONLINE_BOUTIQUE_DIR_NAME/staging
+kustomize edit add resource ../base
+kustomize edit set namespace $ONLINEBOUTIQUE_NAMESPACE
+```
+{{% notice info %}}
+The `kustomization.yaml` file was already existing from the [GitHub repository template](https://github.com/mathieu-benoit/config-sync-app-template-repo/blob/main/staging/kustomization.yaml) used when we created the **Online Boutique apps** repository.
+{{% /notice %}}
+
 ## Deploy Kubernetes manifests
 
 ```Bash
@@ -70,30 +82,38 @@ git add . && git commit -m "Online Boutique NetworkPolicies" && git push origin
 ## Check deployments
 
 List the Kubernetes resources managed by Config Sync in **GKE cluster** for the **Online Boutique apps** repository:
+{{< tabs groupId="cs-status-ui">}}
+{{% tab name="gcloud" %}}
 ```Bash
 gcloud alpha anthos config sync repo describe \
     --project $TENANT_PROJECT_ID \
     --managed-resources all \
     --sync-name repo-sync \
     --sync-namespace $ONLINEBOUTIQUE_NAMESPACE
 ```
-Wait and re-run this command above until you see `"status": "SYNCED"`. All the `managed_resources` listed should have `STATUS: Current` as well.
-
-List the GitHub runs for the **Online Boutique apps** repository:
+Wait and re-run this command above until you see `"status": "SYNCED"`.
+{{% /tab %}}
+{{% tab name="UI" %}}
+Alternatively, you could also see this from within the Cloud Console, by clicking on this link:
 ```Bash
-cd ${WORK_DIR}$ONLINE_BOUTIQUE_DIR_NAME && gh run list
+echo -e "https://console.cloud.google.com/kubernetes/config_management/status?clusterName=${GKE_NAME}&id=${GKE_NAME}&project=${TENANT_PROJECT_ID}"
 ```
+Wait until you see the `Sync status` column as `SYNCED`. And then you can also click on `View resources` to see the details.
+{{% /tab %}}
+{{< /tabs >}}
 
-## Check the Online Boutique apps
-
-Open the list of the **Workloads** deployed in the GKE cluster, you will now see that all the Online Boutique apps are working. Click on the link displayed by the command below:
+The `namespaces-required-networkpolicies` `Constraint` shouldn't complain anymore. Click on the link displayed by the command below:
 ```Bash
-echo -e "https://console.cloud.google.com/kubernetes/workload/overview?project=${TENANT_PROJECT_ID}"
+echo -e "https://console.cloud.google.com/kubernetes/object/constraints.gatekeeper.sh/k8srequirenamespacenetworkpolicies/${GKE_LOCATION}/${GKE_NAME}/namespaces-required-networkpolicies?apiVersion=v1beta1&project=${TENANT_PROJECT_ID}"
 ```
 
-Navigate to the Online Boutique apps, click on the link displayed by the command below:
-```Bash
-echo -e "https://${ONLINE_BOUTIQUE_INGRESS_GATEWAY_HOST_NAME}"
+At the very bottom of the object's description you should now see:
+```Plaintext
+...
+totalViolations: 0
 ```
 
-You should receive the error: `RBAC: access denied`. This is because the default deny-all `AuthorizationPolicy` has been applied to the entire mesh. In the next section you will apply fine granular `AuthorizationPolicies` for the Online Boutique apps in order to get them working.
+List the GitHub runs for the **Online Boutique apps** repository:
+```Bash
+cd ${WORK_DIR}$ONLINE_BOUTIQUE_DIR_NAME && gh run list
+```