fixes with walkthrough until authz

Author: Mathieu Benoit

content/configure-authorization-policies/asm-ingress.md

@@ -25,6 +25,6 @@ spec:
   rules:
   - to:
       - operation:
-          ports: ["8080"]
+          ports: ["80"]
 EOF
 ```

content/configure-authorization-policies/onlineboutique.md

@@ -4,6 +4,83 @@ weight: 2
 ---
 In this section we will configure `AuthorizationPolicy` for the OnlineBoutique namespace.
 
+Create Kubernetes `ServiceAccount` per app:
+```Bash
+cat <<EOF | kubectl apply -n $ONLINEBOUTIQUE_NAMESPACE -f -
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: adservice
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: cartservice
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: checkoutservice
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: currencyservice
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: emailservice
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: frontend
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: loadgenerator
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: paymentservice
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: productcatalogservice
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: recommendationservice
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: shippingservice
+EOF
+```
+
+Replace the `default` `ServiceAccount` per app:
+```Bash
+services="adservice cartservice checkoutservice currencyservice emailservice frontend loadgenerator paymentservice productcatalogservice recommendationservice shippingservice"
+for s in $services; do sed -i "s/serviceAccountName: default/serviceAccountName: $s/g" ~/$WORKING_DIRECTORY/$ONLINEBOUTIQUE_NAMESPACE/deployment_$s.yaml; done
+```
+
+Re-deploy the updated Kubernetes manifests updated:
+```Bash
+kubectl apply -f ~/$WORKING_DIRECTORY/$ONLINEBOUTIQUE_NAMESPACE/ -n $ONLINEBOUTIQUE_NAMESPACE
+```
+
+Ensure that all deployments are still up and running:
+```Bash
+kubectl wait --for=condition=available --timeout=600s deployment --all -n $ONLINEBOUTIQUE_NAMESPACE
+curl -s http://${INGRESS_GATEWAY_PUBLIC_IP}
+```
+
 Deploy fine granular `AuthorizationPolicy` per app:
 ```Bash
 cat <<EOF | kubectl apply -n $ONLINEBOUTIQUE_NAMESPACE -f -
@@ -192,4 +269,9 @@ spec:
           methods: ["POST"]
           ports: ["50051"]
 EOF
+```
+
+Test that the solution is still working properly:
+```Bash
+curl -s http://${INGRESS_GATEWAY_PUBLIC_IP}
 ```

content/deploy-workloads/ingress-gateway.md

@@ -35,8 +35,6 @@ spec:
   ports:
   - port: 80
     name: http
-  - port: 443
-    name: https
 ---
 apiVersion: apps/v1
 kind: Deployment
@@ -53,6 +51,7 @@ spec:
         inject.istio.io/templates: gateway
       labels:
         ${INGRESS_GATEWAY_LABEL}
+        app: ${INGRESS_GATEWAY_NAME}
     spec:
       containers:
       - name: istio-proxy

content/deploy-workloads/onlineboutique.md

@@ -4,6 +4,7 @@ weight: 2
 ---
 In this section, you will deploy the [OnlineBoutique](https://github.com/GoogleCloudPlatform/microservices-demo) apps as-is, without any notion of Istio nor ASM, not yet.
 
+Create the OnlineBoutique namespace:
 ```Bash
 export ONLINEBOUTIQUE_NAMESPACE=onlineboutique
 cat <<EOF | kubectl apply -n $ONLINEBOUTIQUE_NAMESPACE -f -
@@ -14,8 +15,15 @@ metadata:
   labels:
     name: ${ONLINEBOUTIQUE_NAMESPACE}
 EOF
-curl -LO https://raw.githubusercontent.com/GoogleCloudPlatform/microservices-demo/master/release/kubernetes-manifests.yaml > ~/$WORKING_DIRECTORY/onlineboutique.yaml
-kubectl apply -f ~/$WORKING_DIRECTORY/onlineboutique.yaml -n $ONLINEBOUTIQUE_NAMESPACE
+```
+
+Retrieve and deploy the Kubernetes manifests of the OnlineBoutique apps:
+```Bash
+mkdir ~/$WORKING_DIRECTORY/$ONLINEBOUTIQUE_NAMESPACE
+curl https://raw.githubusercontent.com/GoogleCloudPlatform/microservices-demo/main/release/kubernetes-manifests.yaml > ~/$WORKING_DIRECTORY/$ONLINEBOUTIQUE_NAMESPACE/tmp.yaml
+nomos hydrate --path ~/$WORKING_DIRECTORY/$ONLINEBOUTIQUE_NAMESPACE/ --output ~/$WORKING_DIRECTORY/$ONLINEBOUTIQUE_NAMESPACE --no-api-server-check --source-format unstructured
+rm ~/$WORKING_DIRECTORY/$ONLINEBOUTIQUE_NAMESPACE/tmp.yaml
+kubectl apply -f ~/$WORKING_DIRECTORY/$ONLINEBOUTIQUE_NAMESPACE/ -n $ONLINEBOUTIQUE_NAMESPACE
 ```
 
 Ensure that all deployments are up and running:
@@ -25,13 +33,13 @@ ONLINEBOUTIQUE_PUBLIC_IP=$(kubectl get svc frontend-external -n $ONLINEBOUTIQUE_
 curl -s http://${ONLINEBOUTIQUE_PUBLIC_IP}
 ```
 
-In order to be more secure and have more resilience with the data stored in `redis`, we will instead leverage Memorystore (redis) instead:
+In order to be more secure and have more resilience with the data stored in `redis`, we will leverage Memorystore (redis) instead:
 ```Bash
 gcloud services enable redis.googleapis.com
-gcloud redis instances create cart --size=1 --region=$REGION --zone=$ZONE --redis-version=redis_6_X
+gcloud redis instances create cart --size=1 --region=$REGION --zone=$ZONE --redis-version=redis_6_x
 REDIS_IP=$(gcloud redis instances describe cart --region=$REGION --format='get(host)')
-sed -i "s/value: \"redis-cart:6379\"/value: \"$REDIS_IP\"/g" ~/$WORKING_DIRECTORY/onlineboutique.yaml
-kubectl apply -f ~/$WORKING_DIRECTORY/onlineboutique.yaml -n $ONLINEBOUTIQUE_NAMESPACE
+sed -i "s/redis-cart:6379/$REDIS_IP/g" ~/$WORKING_DIRECTORY/$ONLINEBOUTIQUE_NAMESPACE/deployment_cartservice.yaml
+kubectl apply -f ~/$WORKING_DIRECTORY/$ONLINEBOUTIQUE_NAMESPACE/deployment_cartservice.yaml -n $ONLINEBOUTIQUE_NAMESPACE
 ```
 
 Ensure that the solution is still working correctly with Memorystore (redis):
@@ -43,6 +51,8 @@ From there, the `redis` container originally deployed could now be deleted:
 ```Bash
 kubectl delete deployment redis -n $ONLINEBOUTIQUE_NAMESPACE
 kubectl delete service redis -n $ONLINEBOUTIQUE_NAMESPACE
+rm ~/$WORKING_DIRECTORY/$ONLINEBOUTIQUE_NAMESPACE/deployment_redis-cart.yaml
+rm ~/$WORKING_DIRECTORY/$ONLINEBOUTIQUE_NAMESPACE/service_redis-cart.yaml
 ```
 {{% notice note %}}
 You can connect to a Memorystore (redis) instance only from GKE clusters that are in the same region and use the same network as your instance. You cannot connect to a Memorystore (redis) instance from a GKE cluster without VPC-native/IP aliasing enabled. For this you should create a GKE cluster with this option `--enable-ip-alias`.

content/enable-asm/onlineboutique.md

@@ -58,7 +58,8 @@ curl -s http://${INGRESS_GATEWAY_PUBLIC_IP}
 
 You could remove the `LoadBalancer` service `frontend-external` (not used moving forward) deployed earlier in this workshop:
 ```Bash
-kubectl delete service frontend-external -n -n $ONLINEBOUTIQUE_NAMESPACE
+kubectl delete service frontend-external -n $ONLINEBOUTIQUE_NAMESPACE
+rm ~/$WORKING_DIRECTORY/$ONLINEBOUTIQUE_NAMESPACE/service_frontend-external.yaml
 ```
 
 Resources:

content/install-asm/install-asm.md

@@ -40,6 +40,7 @@ metadata:
 apiVersion: v1
 data:
   mesh: |-
+    enableTracing: true
     defaultConfig:
       image:
         imageType: distroless
@@ -57,6 +58,7 @@ kubectl get controlplanerevision -n istio-system
 kubectl get dataplanecontrols
 kubectl get daemonset istio-cni-node -n kube-system
 kubectl wait --for=condition=available --timeout=600s deployment --all -n asm-system
+kubectl describe configmap env-$ASM_VERSION -n istio-system
 ```
 
 Resources:

content/monitor-asm/_index.md

@@ -0,0 +1,14 @@
+---
+title: "Monitor ASM"
+chapter: true
+weight: 3
+---
+In this section you will monitor Anthos Service Mesh (ASM).
+
+{{% notice warning %}}
+This section is still under construction... stay tuned!
+{{% /notice %}}
+
+{{% children showhidden="false" %}}
+
+_Note: For each Google / Kubernetes SA, mounted via Workload Identity, grant them this `roles/cloudtrace.agent` role in order to leverage ASM's option: Cloud Tracing._

content/overview/before-you-begin.md

@@ -17,6 +17,7 @@ Install the required tools:
 - [`gcloud`](https://cloud.google.com/sdk/docs/install)
 - [`kubectl`](https://kubernetes.io/docs/tasks/tools/#kubectl)
 - `istioctl`
+- [`nomos`](https://cloud.google.com/anthos-config-management/docs/how-to/nomos-command#installing)
 - `curl`
 
 Get the _Folder Id_ and _Billing Account Id_ you will use to create your GCP project:

content/troubleshoot-asm/troubleshoot-istio.md renamed to content/troubleshoot-asm/troubleshoot-asm.md

@@ -3,6 +3,8 @@ title: "Troubleshoot Istio/ASM"
 weight: 2
 ---
 
+_Note: Managed ASM doesn't support `istioctl proxy-status`._
+
 ```Bash
 kubectl get events
 ```
@@ -11,10 +13,6 @@ kubectl get events
 istioctl analyze -A
 ```
 
-```Bash
-istioctl proxy-status
-```
-
 ```Bash
 NAMESPACE=your-namespace
 DEPLOYMENT_NAME=your-deployment-name
@@ -25,7 +23,9 @@ kubectl logs deployment/$DEPLOYMENT_NAME -c istio-proxy -n $NAMESPACE
 NAMESPACE=your-namespace
 DEPLOYMENT_NAME=your-deployment-name
 APP_LABEL=your-pod-app-label
-istioctl proxy-config log -l app=$APP_LABEL --level none -n $NAMESPACE
+istioctl proxy-config log $(kubectl -n $NAMESPACE get pod -l app=$APP_LABEL -o jsonpath={.items..metadata.name}) \
+    --level debug \
+    -n $NAMESPACE
 kubectl logs deployment/$DEPLOYMENT_NAME -c istio-proxy -n $NAMESPACE
 ```
 
@@ -44,9 +44,10 @@ istioctl proxy-config listeners $(kubectl -n $NAMESPACE get pod -l app=$APP_LABE
 ```
 
 ```Bash
-ASM_VERSION=$(kubectl get deploy -n istio-system -l app=istiod -o jsonpath={.items[*].metadata.labels.'istio\.io\/rev'}'{"\n"}')
-kubectl describe configmap istio-$ASM_VERSION -n istio-system
+kubectl describe configmap -n istio-system
 ```
 
 Resources:
-- [Troubleshooting ASM](https://cloud.google.com/service-mesh/docs/troubleshooting/troubleshoot-intro)
+- [Resolving managed Anthos Service Mesh issues](https://cloud.google.com/service-mesh/docs/managed/troubleshoot)
+- [Troubleshooting ASM](https://cloud.google.com/service-mesh/docs/troubleshooting/troubleshoot-intro)
+- [Managed Anthos Service Mesh supported features](https://cloud.google.com/service-mesh/docs/managed/supported-features-mcp)