From 27030b4c58f62f72bd30e517a9953bd981d79c13 Mon Sep 17 00:00:00 2001
From: savagebidoof
Date: Tue, 25 Apr 2023 08:03:17 +0200
Subject: [PATCH] Deleted HTTP2 attempt. Moving on.
---
 .../README.md | 321 ------------------
 .../authentication.yaml | 8 -
 .../deployment.yaml | 80 -----
 .../gateway.yaml | 118 -------
 .../ingress.yaml | 29 --
 Istio/ingress.yaml | 119 -------
 Istio/tmp/README.md | 1 -
 Istio/tmp/ingress.yaml | 63 ----
 Istio/tmp/tmp.txt | 29 --
 9 files changed, 768 deletions(-)
 delete mode 100644 Istio/02-Traffic_management/XX-HTTP2-gateway-made-it-work-maybe/README.md
 delete mode 100644 Istio/02-Traffic_management/XX-HTTP2-gateway-made-it-work-maybe/authentication.yaml
 delete mode 100755 Istio/02-Traffic_management/XX-HTTP2-gateway-made-it-work-maybe/deployment.yaml
 delete mode 100755 Istio/02-Traffic_management/XX-HTTP2-gateway-made-it-work-maybe/gateway.yaml
 delete mode 100644 Istio/02-Traffic_management/XX-HTTP2-gateway-made-it-work-maybe/ingress.yaml
 delete mode 100755 Istio/ingress.yaml
 delete mode 100644 Istio/tmp/README.md
 delete mode 100755 Istio/tmp/ingress.yaml
 delete mode 100755 Istio/tmp/tmp.txt
diff --git a/Istio/02-Traffic_management/XX-HTTP2-gateway-made-it-work-maybe/README.md b/Istio/02-Traffic_management/XX-HTTP2-gateway-made-it-work-maybe/README.md
deleted file mode 100644
index bdab5da..0000000
--- a/Istio/02-Traffic_management/XX-HTTP2-gateway-made-it-work-maybe/README.md
+++ /dev/null
@@ -1,321 +0,0 @@ ---- -gitea: none -include_toc: true ---- - -# Based on - -- [08a-HTTPS-min-TLS-version](../08a-HTTPS-min-TLS-version) - -# Description - -The previous example was modified set the gateway to enable for HTTP2 traffic. - -https://stackoverflow.com/a/59610581 - - -# Changelog - -## Gateway - -```yaml -apiVersion: networking.istio.io/v1alpha3 -kind: Gateway -metadata: - name: helloworld-gateway -spec: - selector: - istio: ingressgateway - servers: - - port: - number: 443 - name: secure-http2 - protocol: HTTP2 - hosts: - - "*" - tls: - mode: SIMPLE - credentialName: my-tls-cert-secret - minProtocolVersion: TLSV1_2 -``` - -`` - -# Walkthrough - - -## Generate client and server certificate and key files - -First step will be to generate the certificate and key files to be able to set them to the Gateway resource. - -### Create a folder to store files. - -Create the folder to contain the files that will be generated. - -```shell -mkdir certfolder -``` - -### Create a certificate and a private key. - -```shell -openssl req -x509 -sha256 -nodes -days 365 -subj '/O=Internet of things/CN=lb.net' -newkey rsa:2048 -keyout certfolder/istio.cert.key -out certfolder/istio.cert.crt -``` - -The files generated are the following: - -```yaml -private-key: certfolder/istio.cert.key -root-certificate: certfolder/istio.cert.crt -``` - -The information set to the certificate generated is the following: - -```yaml -Organization-name: Internet of things -CN: lb.net -``` - -### Create a TLS secret - -At this step we create the tls secret `my-tls-cert-secret` on the namespace `istio-system`. 
- -```shell -kubectl create -n istio-system secret tls my-tls-cert-secret \ - --key=certfolder/istio.cert.key \ - --cert=certfolder/istio.cert.crt -``` -```text -secret/my-tls-cert-secret created -``` -```text -service/helloworld created -deployment.apps/helloworld-nginx created -gateway.networking.istio.io/helloworld-gateway created -virtualservice.networking.istio.io/helloworld-vs created -``` - -> **Note:**\ -> It's Important that the secret is located in the same namespace as the Load Balancer used. In my case is the `istio-system`, but it will vary based on the environment. - - -## Deploy resources - -```shell -kubectl apply -f ./ -``` -```text -service/helloworld created -deployment.apps/helloworld-nginx created -gateway.networking.istio.io/helloworld-gateway created -virtualservice.networking.istio.io/helloworld-vs created -``` - -## Test the service -### http2 -#### Curl HTTP1 - -```shell -curl 192.168.1.50/helloworld -s -o=/dev/null -w 'http_version: %{http_version}\nstatus_code: %{response_code}\n' -HHOST:http2.lb --http1.0 -``` -```text -http_version: 1.1 -status_code: 426 -``` - -#### Curl HTTP1.1 - -```shell -curl 192.168.1.50/helloworld -s -o=/dev/null -w 'http_version: %{http_version}\nstatus_code: %{response_code}\n' -HHOST:http2.lb --http1.1 -``` -```text -http_version: 1.1 -status_code: 200 -``` - -#### Curl HTTP2 - -```shell -curl 192.168.1.50/helloworld -s -o=/dev/null -w 'http_version: %{http_version}\nstatus_code: %{response_code}\n' -HHOST:http2.lb --http2 -``` -```text -http_version: 1.1 -status_code: 200 -``` - -### http1-web - -#### Curl HTTP1 - -```shell -curl 192.168.1.50/helloworld -s -o=/dev/null -w 'http_version: %{http_version}\nstatus_code: %{response_code}\n' -HHOST:http1.lb --http1.0 -``` -```text -http_version: 1.1 -status_code: 426 -``` - -#### Curl HTTP1.1 - -```shell -curl 192.168.1.50/helloworld -s -o=/dev/null -w 'http_version: %{http_version}\nstatus_code: %{response_code}\n' -HHOST:http1.lb --http1.1 -``` -```text 
-http_version: 1.1 -status_code: 200 -``` - -#### Curl HTTP2 - -```shell -curl 192.168.1.50/helloworld -s -o=/dev/null -w 'http_version: %{http_version}\nstatus_code: %{response_code}\n' -HHOST:http1.lb --http2 -``` -```text -http_version: 1.1 -status_code: 200 -``` - -## Cleanup - -```shell -kubectl delete -f ./ -``` - -```text -service "helloworld" deleted -deployment.apps "helloworld-nginx" deleted -gateway.networking.istio.io "helloworld-gateway" deleted -virtualservice.networking.istio.io "helloworld-vs" deleted -``` - -# Links of Interest - -- https://istio.io/latest/docs/reference/config/networking/gateway/#ServerTLSSettings-TLSProtocol - -- https://stackoverflow.com/a/51279606 - -- https://istio.io/latest/docs/reference/config/networking/destination-rule/#ConnectionPoolSettings-HTTPSettings-H2UpgradePolicy - - - -docker buildx build --push --platform linux/arm/v7,linux/arm64/v8,linux/amd64 --tag registery.filter.home:5000/https-demo:latest -f Dockerfile - - -docker buildx build --push --platform linux/arm/v7,linux/arm64/v8,linux/amd64 --tag registery.filter.home:5000/https-demo:latest . -[+] Building 0.0s (0/0) -ERROR: multiple platforms feature is currently not supported for docker driver. Please switch to a different driver (eg. "docker buildx create --use") - ---- -## Create the Dockerfile - -```bash -FROM ubuntu/apache2 - -RUN apt-get update && \ -apt-get install apache2 openssl -y && \ -a2ensite default-ssl && \ -a2enmod ssl && \ -echo "

Howdy

" | tee /var/www/html/index.html - -RUN /usr/bin/printf "\n\ - ServerAdmin webmaster@localhost\n\ - DocumentRoot /var/www/html\n\ - ErrorLog \${APACHE_LOG_DIR}/error.log\n\ - CustomLog \${APACHE_LOG_DIR}/access.log combined\n\ -\n\ -\n\ - ServerAdmin webmaster@localhost\n\ - DocumentRoot /var/www/html\n\ - ErrorLog \${APACHE_LOG_DIR}/error.log\n\ - CustomLog \${APACHE_LOG_DIR}/access.log combined\n\ - SSLEngine on\n\ - SSLCertificateFile /etc/ssl/certs/ssl-cert-snakeoil.pem\n\ - SSLCertificateKeyFile /etc/ssl/private/ssl-cert-snakeoil.key\n\ -" > /etc/apache2/sites-available/000-default.conf - -RUN openssl req -x509 -sha256 -nodes -days 358000 -subj '/O=SSL EXAMPLE/CN=lb.net' -newkey rsa:2048 -keyout /etc/ssl/private/ssl-cert-snakeoil.key -out /etc/ssl/certs/ssl-cert-snakeoil.pem -``` - -## Build the image - -Due to my Kubernetes cluster environment, where I am using Orange 5, their architecture is arm7, and for such, I require to compile such images. - -For my own commodity, I have used a raspberry pi 4 to build this images. - -The images where pushed to a local registry server, and afterwards the Kubernetes cluster will pull such image. - -```shell - docker build --tag https-demo:armv7 . -``` -```text -docker build --tag https-demo:armv7 . 
--no-cache -[+] Building 16.5s (8/8) FINISHED - => [internal] load .dockerignore 0.0s - => => transferring context: 2B 0.0s - => [internal] load build definition from Dockerfile 0.0s - => => transferring dockerfile: 1.09kB 0.0s - => [internal] load metadata for docker.io/ubuntu/apache2:latest 0.4s - => CACHED [1/4] FROM docker.io/ubuntu/apache2@sha256:0a5e7179fa8fccf17843a8862e58ac783628b7d448cd68fda8fb1e 0.0s - => [2/4] RUN apt-get update && apt-get install apache2 openssl -y && a2ensite default-ssl && a2enmod ssl & 12.0s - => [3/4] RUN /usr/bin/printf "\n ServerAdmin webmaster@localhost\n DocumentRoot /var/www/ 0.7s - => [4/4] RUN openssl req -x509 -sha256 -nodes -days 358000 -subj '/O=SSL EXAMPLE' -newkey rsa:2048 -keyout 2.4s - => exporting to image 1.0s - => => exporting layers 1.0s - => => writing image sha256:591c6d233100a48bf132eef7a792942cfd0b7057817c4ac5e156c1d33e24cd89 0.0s - => => naming to docker.io/library/https-demo:armv7 0.0s -``` - -## Tag the image - -```shell -docker image tag https-demo:armv7 registery.filter.home/https-demo:armv7 -``` - -## Upload to the registery server - -```text -docker image push registery.filter.home:5000/https-demo:armv7 -The push refers to repository [registery.filter.home:5000/https-demo] -c6d858706b08: Pushed -9e077e0202f0: Pushed -6ffc708d0cf3: Pushed -69e01b4bf4d7: Pushed -17c5b30f3843: Pushed -0b9f60fbcaf1: Pushed -armv7: digest: sha256:d8c81c27f23bf3945ae8a794c82182f9e6c48ec927f388fdf4a88caa0e284bd1 size: 1578 -``` - - - -## ? -curl: (35) OpenSSL/3.0.8: error:0A00010B:SSL routines::wrong version numbe - - - - - ---- - - -Has apache2 installed with a default certificate. - -Port 80 visible for HTTP - -Port 443 visible for HTTPS. 
- - - - -curl https:/192.168.1.2:8443 -s -o=/dev/null -w 'http_version: %{http_version}\nstatus_code: %{response_code}\n' -HHOST:http1.lb --http2 -k -http_version: 2 -status_code: 200 - - - -```shell -curl --insecure --resolve lb.net:80:192.168.1.50 http://lb.net -``` - -```shell -curl --insecure --resolve lb.net:443:192.168.1.50 https://lb.net -```
diff --git a/Istio/02-Traffic_management/XX-HTTP2-gateway-made-it-work-maybe/authentication.yaml b/Istio/02-Traffic_management/XX-HTTP2-gateway-made-it-work-maybe/authentication.yaml
deleted file mode 100644
index 7553d94..0000000
--- a/Istio/02-Traffic_management/XX-HTTP2-gateway-made-it-work-maybe/authentication.yaml
+++ /dev/null
@@ -1,8 +0,0 @@
-apiVersion: security.istio.io/v1beta1
-kind: PeerAuthentication
-metadata:
- name: default-mtls
- namespace: default
-spec:
- mtls:
- mode: PERMISSIVE
diff --git a/Istio/02-Traffic_management/XX-HTTP2-gateway-made-it-work-maybe/deployment.yaml b/Istio/02-Traffic_management/XX-HTTP2-gateway-made-it-work-maybe/deployment.yaml
deleted file mode 100755
index 3f9ad6c..0000000
--- a/Istio/02-Traffic_management/XX-HTTP2-gateway-made-it-work-maybe/deployment.yaml
+++ /dev/null
@@ -1,80 +0,0 @@
-apiVersion: v1
-kind: Service
-metadata:
- name: helloworld
- labels:
- app: helloworld
- service: helloworld
-spec:
- ports:
- - port: 8080
- name: http-s
- targetPort: 80
- protocol: TCP
- appProtocol: HTTP
-
- - port: 8443
- name: https
- targetPort: 443
- protocol: TCP
- appProtocol: https
- selector:
- app: helloworld
----
-apiVersion: apps/v1
-kind: Deployment
-metadata:
- name: helloworld-nginx
- labels:
- app: helloworld
-spec:
- replicas: 1
- selector:
- matchLabels:
- app: helloworld
- template:
- metadata:
- labels:
- app: helloworld
- sidecar.istio.io/inject: "true"
- spec:
- containers:
- - name: helloworld
- image: oriolfilter/https-nginx-demo
- resources:
- requests:
- cpu: "100m"
- imagePullPolicy: Always #Always
- ports:
- - containerPort: 80
- - containerPort: 443
----
-apiVersion: apps/v1
-kind: Deployment
-metadata:
- name: nginx
- labels:
- app: nginx
- version: v1
-spec:
- replicas: 1
- selector:
- matchLabels:
- app: nginx
- version: v1
- template:
- metadata:
- labels:
- app: nginx
- version: v1
- spec:
- # serviceAccountName: istio-helloworld
- containers:
- - name: nginx
- image: nginx
- resources:
- requests:
- cpu: "100m"
- imagePullPolicy: IfNotPresent
- ports:
- - containerPort: 80
\ No newline at end of file
diff --git a/Istio/02-Traffic_management/XX-HTTP2-gateway-made-it-work-maybe/gateway.yaml b/Istio/02-Traffic_management/XX-HTTP2-gateway-made-it-work-maybe/gateway.yaml
deleted file mode 100755
index 1fe0fa3..0000000
--- a/Istio/02-Traffic_management/XX-HTTP2-gateway-made-it-work-maybe/gateway.yaml
+++ /dev/null
@@ -1,118 +0,0 @@ -apiVersion: networking.istio.io/v1alpha3 -kind: Gateway -metadata: - name: helloworld-gateway -spec: - selector: -# istio: myingressgateway - istio: ingressgateway - servers: -# - port: -# number: 443 -# name: secure-http2 -# protocol: HTTP2 -# hosts: -# - "*" - - port: - number: 80 - name: http2-i - protocol: HTTP2 - hosts: - - "*" - - port: - number: 443 - name: https-i - protocol: HTTPS - hosts: - - "*" - tls: - credentialName: my-tls-cert-secret - minProtocolVersion: TLSV1_2 -# - mode: SIMPLE ---- -apiVersion: networking.istio.io/v1alpha3 -kind: VirtualService -metadata: - name: helloworld-vs -spec: - hosts: - - "*" - gateways: - - helloworld-gateway - http: - - name: http-vs - match: - - port: 80 - route: - - destination: - host: helloworld.default.svc.cluster.local - port: - number: 8080 - - name: https-vs - match: - - port: 443 - route: - - destination: - host: helloworld.default.svc.cluster.local - port: - number: 8443 ---- -apiVersion: networking.istio.io/v1alpha3 -kind: DestinationRule -metadata: - name: helloworld - namespace: default -spec: - host: helloworld.default.svc.cluster.local - trafficPolicy: - portLevelSettings: - - port: - number: 8080 - tls: - mode: DISABLE - - - port: - number: 8443 - tls: -# credentialName: client-credential - mode: SIMPLE - -# port: -# name: https-backend -# number: 8443 -# protocol: HTTPS -# tls: -# credentialName: my-tls-cert-secret -# mode: SIMPLE -# tcp: -## - match: -## - port: 80 -## route: -## - destination: -## host: helloworld -## port: -## number: 8080 -## - match: -## - port: 443 -# - route: -# - destination: -# host: helloworld -# port: -# number: 8443 -# -# tls: -# - match: -# - port: 443 -# sniHosts: -# - "hello.si" -## - uri: -## exact: /helloworld -# route: -# - destination: -# host: helloworld -# port: -# number: 8443 -## protocol: HTTPS -## rewrite: -## uri: "/" \ No newline at end of file 
diff --git a/Istio/02-Traffic_management/XX-HTTP2-gateway-made-it-work-maybe/ingress.yaml b/Istio/02-Traffic_management/XX-HTTP2-gateway-made-it-work-maybe/ingress.yaml
deleted file mode 100644
index 850c2eb..0000000
--- a/Istio/02-Traffic_management/XX-HTTP2-gateway-made-it-work-maybe/ingress.yaml
+++ /dev/null
@@ -1,29 +0,0 @@
-apiVersion: install.istio.io/v1alpha1
-kind: IstioOperator
-metadata:
- name: ingress
-spec:
- profile: empty # Do not install CRDs or the control plane
- components:
- ingressGateways:
- - name: myistio-ingressgateway
- namespace: istio-ingress
- enabled: true
- label:
- istio: myingressgateway
- k8s:
- service:
- ports:
- - name: https-ingress
- port: 443
- protocol: TCP
- targetPort: 1055
- - name: http-ingress
- port: 80
- protocol: TCP
- targetPort: 1085
-
- values:
- gateways:
- istio-ingressgateway:
- injectionTemplate: gateway
diff --git a/Istio/ingress.yaml b/Istio/ingress.yaml
deleted file mode 100755
index 12b0027..0000000
--- a/Istio/ingress.yaml
+++ /dev/null
@@ -1,119 +0,0 @@
-#apiVersion: v1
-#kind: Service
-#metadata:
-# name: istio-lb
-# namespace: istio-system
-# labels:
-# istio: istio-ingress
-#spec:
-# type: LoadBalancer
-# ports:
-# - port: 80
-# name: http
-# - port: 443
-# name: https
-# selector:
-# istio: istio-ingress
-#---
-#apiVersion: install.istio.io/v1alpha1
-#kind: IstioOperator
-#metadata:
-# namespace: istio-system
-# name: my-istio-operator
-#spec:
-## profile: default
-# profile: empty
-# components:
-# ingressGateways:
-# - name: istio-ingress
-# enabled: true
-# label:
-# istio: my-istio-ingress
----
-#apiVersion: install.istio.io/v1alpha1
-#kind: IstioOperator
-#spec:
-# components:
-# ingressGateways:
-# - name: istio-ingress
-# enabled: true
-## - name: istio-ingressgateway-staging
-# namespace: staging
-# enabled: true
----
-#apiVersion: install.istio.io/v1alpha1
-#kind: IstioOperator
-#metadata:
-# namespace: istio-system
-# name: istio-operator
-#spec:
-# profile: default
-# components:
-# ingressGateways:
-# - name: istio-ingress
-# enabled: true
-# - namespace: default
-# name: istio-ingressgateway-private
-# enabled: true
-# k8s:
-# serviceAnnotations:
-# service.kubernetes.io/ibm-load-balancer-cloud-provider-ip-type: "private"
-# values:
-# gateways:
-# istio-ingressgateway:
-# sds:
-# enabled: true
----
-apiVersion: v1
-kind: Service
-metadata:
- annotations:
- labels:
- app: istio-ingressgateway
-# install.operator.istio.io/owning-resource: unknown
-# install.operator.istio.io/owning-resource-namespace: istio-system
- istio: my-ingress-gateway
-# istio.io/rev: default
- operator.istio.io/component: IngressGateways
-# operator.istio.io/managed: Reconcile
-# operator.istio.io/version: 1.16.1
-# release: istio
- name: my-ingress-gateway
- namespace: istio-system
- resourceVersion: "880342"
- uid: 289a34e8-fe45-43ad-8dad-bc3dc9534f5c
-spec:
-# allocateLoadBalancerNodePorts: true
-# clusterIP: 10.110.130.2
-# clusterIPs:
-# - 10.110.130.2
- externalTrafficPolicy: Cluster
- internalTrafficPolicy: Cluster
- ipFamilies:
- - IPv4
- ipFamilyPolicy: SingleStack
- ports:
- - name: status-port
- nodePort: 30276
- port: 15021
- protocol: TCP
- targetPort: 15021
- - name: http2
- nodePort: 32188
- port: 80
- protocol: TCP
- targetPort: 8080
- - name: https
-# nodePort: 32437
- port: 443
- protocol: TCP
-# targetPort: 8443
- selector:
- app: istio-ingressgateway
- istio: ingressgateway
-# sessionAffinity: None
- type: LoadBalancer
-status:
- loadBalancer:
- ingress:
- - ip: 192.168.1.50
\ No newline at end of file
diff --git a/Istio/tmp/README.md b/Istio/tmp/README.md
deleted file mode 100644
index 0bcf9ac..0000000
--- a/Istio/tmp/README.md
+++ /dev/null
@@ -1 +0,0 @@
-https://istio.io/latest/docs/tasks/traffic-management/locality-load-balancing/
\ No newline at end of file
diff --git a/Istio/tmp/ingress.yaml b/Istio/tmp/ingress.yaml
deleted file mode 100755
index 8743294..0000000
--- a/Istio/tmp/ingress.yaml
+++ /dev/null
@@ -1,63 +0,0 @@
-## https://istio.io/latest/docs/setup/additional-setup/gateway/#deploying-a-gateway
-#apiVersion: v1
-#kind: Service
-#metadata:
-# name: istio-ingressgateway2
-# namespace: istio-ingress
-#spec:
-# type: LoadBalancer
-# selector:
-# istio: ingressgateway
-# ports:
-# - port: 80
-# name: http
-# - port: 443
-# name: https
-#---
-#apiVersion: apps/v1
-#kind: Deployment
-#metadata:
-# name: istio-ingressgateway2
-# namespace: istio-ingress
-#spec:
-# selector:
-# matchLabels:
-# istio: ingressgateway
-# template:
-# metadata:
-# annotations:
-# # Select the gateway injection template (rather than the default sidecar template)
-# inject.istio.io/templates: gateway
-# labels:
-# # Set a unique label for the gateway. This is required to ensure Gateways can select this workload
-# istio: ingressgateway
-# # Enable gateway injection. If connecting to a revisioned control plane, replace with "istio.io/rev: revision-name"
-# sidecar.istio.io/inject: "true"
-# spec:
-# containers:
-# - name: istio-proxy
-# image: auto # The image will automatically update each time the pod starts.
-#---
-## Set up roles to allow reading credentials for TLS
-#apiVersion: rbac.authorization.k8s.io/v1
-#kind: Role
-#metadata:
-# name: istio-ingressgateway2-sds
-# namespace: istio-ingress
-#rules:
-# - apiGroups: [""]
-# resources: ["secrets"]
-# verbs: ["get", "watch", "list"]
-#---
-#apiVersion: rbac.authorization.k8s.io/v1
-#kind: RoleBinding
-#metadata:
-# name: istio-ingressgateway2-sds
-# namespace: istio-ingress
-#roleRef:
-# apiGroup: rbac.authorization.k8s.io
-# kind: Role
-# name: istio-ingressgateway2-sds
-#subjects:
-# - kind: ServiceAccount
-# name: default
\ No newline at end of file
diff --git a/Istio/tmp/tmp.txt b/Istio/tmp/tmp.txt
deleted file mode 100755
index bc35189..0000000
--- a/Istio/tmp/tmp.txt
+++ /dev/null
@@ -1,29 +0,0 @@
-https://medium.com/@dinup24/expose-apps-on-private-network-through-istio-ingress-gateway-7dcb8a16d5bc
-
-
-cat << EOF > istio-operator.yaml
-apiVersion: install.istio.io/v1alpha1
-kind: IstioOperator
-metadata:
- namespace: istio-system
- name: istio-operator
-spec:
- profile: default
- components:
- ingressGateways:
- - name: istio-ingressgateway
- enabled: true
- - namespace: istio-system
- name: istio-ingressgateway-private
- enabled: true
- k8s:
- serviceAnnotations:
- service.kubernetes.io/ibm-load-balancer-cloud-provider-ip-type: "private"
- values:
- gateways:
- istio-ingressgateway:
- sds:
- enabled: true
-EOF
-
-istioctl manifest apply -f istio-operator.yaml
\ No newline at end of file