From 2b7f83c2089bdda80af01a233a4490f1f63d5754 Mon Sep 17 00:00:00 2001 
From: savagebidoof Date: Tue, 25 Apr 2023 05:46:03 +0200 Subject: [PATCH] TLS Passthrough documented. This commit also touches other files; I believe I only made some minor modifications, nothing relevant so far, so everything was committed together. --- .../README.md | 120 ------- .../10-TCP-FORWARDING/README.md | 10 +- .../11-TLS-PASSTHROUGH/README.md | 131 ++++---- .../bk_old_nonworking_gateway.yaml | 113 ------- .../11-TLS-PASSTHROUGH/deployment.yaml | 73 ++-- .../11-TLS-PASSTHROUGH/gateway-02.yaml | 36 -- .../11-TLS-PASSTHROUGH/gateway.yaml | 58 +--- .../README.md | 0 .../authentication.yaml | 0 .../deployment.yaml | 0 .../gateway.yaml | 0 .../ingress.yaml | 0 .../ingress.yaml | 29 -- .../README.md | 313 ------------------ .../authentication.yaml | 11 - .../bk_old_nonworking_gateway.yaml | 117 ------- .../deployment.yaml | 74 ----- .../gateway-02.yaml | 36 -- .../gateway.yaml | 85 ----- .../ingress.yaml | 29 -- .../03-disable-mTLS}/authentication.yaml | 3 - 21 files changed, 97 insertions(+), 1141 deletions(-) delete mode 100755 Istio/02-Traffic_management/11-TLS-PASSTHROUGH/bk_old_nonworking_gateway.yaml delete mode 100755 Istio/02-Traffic_management/11-TLS-PASSTHROUGH/gateway-02.yaml rename Istio/02-Traffic_management/{XX-HTTP2-gateway-made-it-work => XX-HTTP2-gateway-made-it-work-maybe}/README.md (100%) rename Istio/02-Traffic_management/{XX-HTTP2-gateway-made-it-work => XX-HTTP2-gateway-made-it-work-maybe}/authentication.yaml (100%) rename Istio/02-Traffic_management/{XX-HTTP2-gateway-made-it-work => XX-HTTP2-gateway-made-it-work-maybe}/deployment.yaml (100%) rename Istio/02-Traffic_management/{XX-HTTP2-gateway-made-it-work => XX-HTTP2-gateway-made-it-work-maybe}/gateway.yaml (100%) rename Istio/02-Traffic_management/{11-TLS-PASSTHROUGH => XX-HTTP2-gateway-made-it-work-maybe}/ingress.yaml (100%) delete mode 100644 Istio/02-Traffic_management/XX-HTTP2-gateway-made-it-work/ingress.yaml delete mode 100644 
Istio/02-Traffic_management/__XX-TLS-PASSTHROUGH_BK_pcap_see_encrypted_traffic/README.md delete mode 100644 Istio/02-Traffic_management/__XX-TLS-PASSTHROUGH_BK_pcap_see_encrypted_traffic/authentication.yaml delete mode 100755 Istio/02-Traffic_management/__XX-TLS-PASSTHROUGH_BK_pcap_see_encrypted_traffic/bk_old_nonworking_gateway.yaml delete mode 100755 Istio/02-Traffic_management/__XX-TLS-PASSTHROUGH_BK_pcap_see_encrypted_traffic/deployment.yaml delete mode 100755 Istio/02-Traffic_management/__XX-TLS-PASSTHROUGH_BK_pcap_see_encrypted_traffic/gateway-02.yaml delete mode 100755 Istio/02-Traffic_management/__XX-TLS-PASSTHROUGH_BK_pcap_see_encrypted_traffic/gateway.yaml delete mode 100644 Istio/02-Traffic_management/__XX-TLS-PASSTHROUGH_BK_pcap_see_encrypted_traffic/ingress.yaml rename Istio/{02-Traffic_management/11-TLS-PASSTHROUGH => 06-Internal-Authentication/03-disable-mTLS}/authentication.yaml (50%) diff --git a/Istio/02-Traffic_management/09-HTTPS-backend (pending document)/README.md b/Istio/02-Traffic_management/09-HTTPS-backend (pending document)/README.md index ad5fd8a..3b9d38e 100644 --- a/Istio/02-Traffic_management/09-HTTPS-backend (pending document)/README.md +++ b/Istio/02-Traffic_management/09-HTTPS-backend (pending document)/README.md 
@@ -189,123 +189,3 @@ virtualservice.networking.istio.io "helloworld-vs" deleted ``` # Links of Interest - -- https://istio.io/latest/docs/reference/config/networking/gateway/#ServerTLSSettings-TLSProtocol - -- https://stackoverflow.com/a/51279606 - -- https://istio.io/latest/docs/reference/config/networking/destination-rule/#ConnectionPoolSettings-HTTPSettings-H2UpgradePolicy - - - -docker buildx build --push --platform linux/arm/v7,linux/arm64/v8,linux/amd64 --tag registery.filter.home:5000/https-demo:latest -f Dockerfile - - -docker buildx build --push --platform linux/arm/v7,linux/arm64/v8,linux/amd64 --tag registery.filter.home:5000/https-demo:latest . -[+] Building 0.0s (0/0) -ERROR: multiple platforms feature is currently not supported for docker driver. Please switch to a different driver (eg. "docker buildx create --use") - ---- -## Create the Dockerfile - -```bash -FROM ubuntu/apache2 - -RUN apt-get update && \ -apt-get install apache2 openssl -y && \ -a2ensite default-ssl && \ -a2enmod ssl && \ -echo "

Howdy

" | tee /var/www/html/index.html - -RUN /usr/bin/printf "\n\ - ServerAdmin webmaster@localhost\n\ - DocumentRoot /var/www/html\n\ - ErrorLog \${APACHE_LOG_DIR}/error.log\n\ - CustomLog \${APACHE_LOG_DIR}/access.log combined\n\ -\n\ -\n\ - ServerAdmin webmaster@localhost\n\ - DocumentRoot /var/www/html\n\ - ErrorLog \${APACHE_LOG_DIR}/error.log\n\ - CustomLog \${APACHE_LOG_DIR}/access.log combined\n\ - SSLEngine on\n\ - SSLCertificateFile /etc/ssl/certs/ssl-cert-snakeoil.pem\n\ - SSLCertificateKeyFile /etc/ssl/private/ssl-cert-snakeoil.key\n\ -" > /etc/apache2/sites-available/000-default.conf - -RUN openssl req -x509 -sha256 -nodes -days 358000 -subj '/O=SSL EXAMPLE/CN=lb.net' -newkey rsa:2048 -keyout /etc/ssl/private/ssl-cert-snakeoil.key -out /etc/ssl/certs/ssl-cert-snakeoil.pem -``` - -## Build the image - -Due to my Kubernetes cluster environment, where I am using Orange 5, their architecture is arm7, and for such, I require to compile such images. - -For my own commodity, I have used a raspberry pi 4 to build this images. - -The images where pushed to a local registry server, and afterwards the Kubernetes cluster will pull such image. - -```shell - docker build --tag https-demo:armv7 . -``` -```text -docker build --tag https-demo:armv7 . 
--no-cache -[+] Building 16.5s (8/8) FINISHED - => [internal] load .dockerignore 0.0s - => => transferring context: 2B 0.0s - => [internal] load build definition from Dockerfile 0.0s - => => transferring dockerfile: 1.09kB 0.0s - => [internal] load metadata for docker.io/ubuntu/apache2:latest 0.4s - => CACHED [1/4] FROM docker.io/ubuntu/apache2@sha256:0a5e7179fa8fccf17843a8862e58ac783628b7d448cd68fda8fb1e 0.0s - => [2/4] RUN apt-get update && apt-get install apache2 openssl -y && a2ensite default-ssl && a2enmod ssl & 12.0s - => [3/4] RUN /usr/bin/printf "\n ServerAdmin webmaster@localhost\n DocumentRoot /var/www/ 0.7s - => [4/4] RUN openssl req -x509 -sha256 -nodes -days 358000 -subj '/O=SSL EXAMPLE' -newkey rsa:2048 -keyout 2.4s - => exporting to image 1.0s - => => exporting layers 1.0s - => => writing image sha256:591c6d233100a48bf132eef7a792942cfd0b7057817c4ac5e156c1d33e24cd89 0.0s - => => naming to docker.io/library/https-demo:armv7 0.0s -``` - -## Tag the image - -```shell -docker image tag https-demo:armv7 registery.filter.home/https-demo:armv7 -``` - -## Upload to the registery server - -```text -docker image push registery.filter.home:5000/https-demo:armv7 -The push refers to repository [registery.filter.home:5000/https-demo] -c6d858706b08: Pushed -9e077e0202f0: Pushed -6ffc708d0cf3: Pushed -69e01b4bf4d7: Pushed -17c5b30f3843: Pushed -0b9f60fbcaf1: Pushed -armv7: digest: sha256:d8c81c27f23bf3945ae8a794c82182f9e6c48ec927f388fdf4a88caa0e284bd1 size: 1578 -``` - - - -## ? -curl: (35) OpenSSL/3.0.8: error:0A00010B:SSL routines::wrong version numbe - - - - - ---- - - -Has apache2 installed with a default certificate. - -Port 80 visible for HTTP - -Port 443 visible for HTTPS. - - - - -curl https://192.168.1.2:8443 -s -o=/dev/null -w 'http_version: %{http_version}\nstatus_code: %{response_code}\n' -HHOST:http1.lb --http2 -k -http_version: 2 -status_code: 200 \ No newline at end of file 
diff --git a/Istio/02-Traffic_management/10-TCP-FORWARDING/README.md b/Istio/02-Traffic_management/10-TCP-FORWARDING/README.md index 10fc093..f9a4a51 100644 --- a/Istio/02-Traffic_management/10-TCP-FORWARDING/README.md +++ b/Istio/02-Traffic_management/10-TCP-FORWARDING/README.md @@ -164,7 +164,9 @@ virtualservice.networking.istio.io/helloworld-vs created ### Get LB IP ```shell -$ kubectl get svc -l istio=ingressgateway -A +kubectl get svc -l istio=ingressgateway -A +``` +```text NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE istio-ingressgateway LoadBalancer 10.97.47.216 192.168.1.50 15021:31316/TCP,80:32012/TCP,443:32486/TCP 39h ``` @@ -232,8 +234,4 @@ virtualservice.networking.istio.io "helloworld-vs" deleted # Links of Interest -- https://istio.io/latest/docs/reference/config/networking/gateway/#ServerTLSSettings-TLSProtocol - -- https://stackoverflow.com/a/51279606 - -- https://istio.io/latest/docs/reference/config/networking/destination-rule/#ConnectionPoolSettings-HTTPSettings-H2UpgradePolicy +- https://istio.io/latest/docs/reference/config/networking/gateway/#Gateway diff --git a/Istio/02-Traffic_management/11-TLS-PASSTHROUGH/README.md b/Istio/02-Traffic_management/11-TLS-PASSTHROUGH/README.md index 9a7e81b..716777a 100644 --- a/Istio/02-Traffic_management/11-TLS-PASSTHROUGH/README.md +++ b/Istio/02-Traffic_management/11-TLS-PASSTHROUGH/README.md 
@@ -9,13 +9,9 @@ include_toc: true # Description -The previous example was modified set TCP forwarding towards the backend. +The previous example was modified set TLS Forwarding for the HTTPS, meaning that the TLS will be terminated by the backend containing a service capable of such. -The backend contains an HTTPS service, which is used to demonstrate how the TCP forwarding is working as intended (aka doesn't disturb HTTP traffic). - -The same backend also contains the same service but running as HTTP, and for such has also been set in the gateway to display both working as intended. - -Additionally, the backend used, has HTTP2 enable, which also will be used to confirm that it's working as intended. +This requires a deployment with a service HTTPS (as it will need to handle the TLS termination ...). > **Note:**\ > For more information about the image used refer to [here](https://hub.docker.com/r/oriolfilter/https-apache-demo) 
@@ -24,68 +20,65 @@ Additionally, the backend used, has HTTP2 enable, which also will be used to con ## Gateway -Gateway been configured to listen both ports `80` and `443` through the TCP protocol, without any host specified. +Gateway configured to listen the port `443` for `HTTPS` traffic protocol. + +The tls was configured as `PASSTHROUGH` ```yaml apiVersion: networking.istio.io/v1alpha3 kind: Gateway metadata: name: helloworld-gateway + namespace: default spec: selector: istio: ingressgateway servers: - - port: - number: 80 - name: tcp-1 - protocol: TCP - hosts: - - "*" - port: number: 443 - name: tcp-2 - protocol: TCP + name: https-web + protocol: HTTPS hosts: - "*" + tls: + mode: PASSTHROUGH ``` ## Virtual service -Virtual service have 2 rules that perform the same behavior, on different ports. +Virtual service expected to receive traffic with designation, the host `lb.net`. -The rules will receive the traffic and forward it to the destination service and port. +The rule that contains, will receive traffic from the port `443`, with host destination `lb.net`. + +The destination of such is the service `helloworld.default.svc.cluster.local`, with port destination 8443. ```yaml apiVersion: networking.istio.io/v1alpha3 kind: VirtualService metadata: name: helloworld-vs + namespace: default spec: hosts: - - "*" + - "lb.net" gateways: - helloworld-gateway - tcp: + tls: - match: - - port: 80 + - port: 443 + sniHosts: ["lb.net"] route: - destination: host: helloworld.default.svc.cluster.local - port: - number: 8080 - - match: - - port: 443 - route: - - destination: - host: helloworld.default.svc.cluster.local port: number: 8443 ``` ## Service -The service will forward the incoming TCP traffic with port 8080, to the deployment port 80. -The same behavior is applied for the service port 8443, that will be forwarded towards the port 443 from the deployment. +The service will forward incoming TCP traffic from the port `8443`, towards the deployment port `443`. 
+ +It's been specified the protocol expected to service, it being `HTTPS`. ```yaml apiVersion: v1 @@ -97,14 +90,11 @@ metadata: service: helloworld spec: ports: - - port: 8080 - name: http-web - targetPort: 80 - protocol: TCP - - port: 8443 - name: https-web + - name: https + port: 8443 targetPort: 443 protocol: TCP + appProtocol: HTTPS selector: app: helloworld ``` @@ -164,57 +154,50 @@ virtualservice.networking.istio.io/helloworld-vs created ### Get LB IP ```shell -$ kubectl get svc -l istio=ingressgateway -A +kubectl get svc -l istio=ingressgateway -A +``` +```text NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE istio-ingressgateway LoadBalancer 10.97.47.216 192.168.1.50 15021:31316/TCP,80:32012/TCP,443:32486/TCP 39h ``` +### curl HTTPS -### curl HTTP +Well, it just works. + +The `--resolve` flag it's used to "fake" the traffic to match the filters we specified in the `Virtual Service`, specifically the `host` and `hostSNI` fields. ```shell -curl http://192.168.1.50 -s -o=/dev/null -w 'http_version: %{http_version}\nstatus_code: %{response_code}\n' +curl --insecure --resolve lb.net:443:192.168.1.50 https://lb.net ``` ```text -http_version: 1.1 -status_code: 426 +

Howdy

``` -#### curl HTTPS +### curl HTTPS (HEAD) -This already confirms that `HTTP2` is working as intended. +Here we can spot the following sentence: + +- `server: nginx/1.23.4` + +This means that the TLS was handled by Nginx (verifying that the `TLS Passthrough` was performed correctly). + +If it had been managed by Istio, it would say: + +- `server: istio-envoy` ```shell -curl https://192.168.1.50 -ks -o=/dev/null -w 'http_version: %{http_version}\nstatus_code: %{response_code}\n' --http1.1 +curl --insecure --resolve lb.net:443:192.168.1.50 https://lb.net --HEAD ``` ```text -http_version: 2 -status_code: 200 -``` - -#### Curl HTTP2 - -The previous example already displayed that `HTTP2` is working as intended. - -This example is maintained due being explicitly to confirm the `HTTP2` feature. - -```shell -curl https://192.168.1.50 -w 'http_version: %{http_version}\nstatus_code: %{response_code}\n' --http2 -sk -o=/dev/null -``` -```text -http_version: 2 -status_code: 200 -``` - -#### Curl HTTP1.1 - -We can confirm that `HTTP1.1` also works over `TCP forwarding`. - -```shell -curl https://192.168.1.50 -w 'http_version: %{http_version}\nstatus_code: %{response_code}\n' --http1.1 -sk -o=/dev/null -``` -```text -http_version: 1.1 -status_code: 200 +HTTP/2 200 +server: nginx/1.23.4 +date: Tue, 25 Apr 2023 02:49:33 GMT +content-type: text/html +content-length: 15 +last-modified: Tue, 25 Apr 2023 00:47:17 GMT +etag: "64472315-f" +strict-transport-security: max-age=7200 +accept-ranges: bytes ``` ## Cleanup 
@@ -232,8 +215,6 @@ virtualservice.networking.istio.io "helloworld-vs" deleted # Links of Interest -- https://istio.io/latest/docs/reference/config/networking/gateway/#ServerTLSSettings-TLSProtocol +- https://istio.io/latest/docs/reference/config/networking/gateway/#Gateway -- https://stackoverflow.com/a/51279606 - -- https://istio.io/latest/docs/reference/config/networking/destination-rule/#ConnectionPoolSettings-HTTPSettings-H2UpgradePolicy +- https://istio.io/latest/docs/reference/config/networking/gateway/#ServerTLSSettings-TLSmode \ No newline at end of file diff --git a/Istio/02-Traffic_management/11-TLS-PASSTHROUGH/bk_old_nonworking_gateway.yaml b/Istio/02-Traffic_management/11-TLS-PASSTHROUGH/bk_old_nonworking_gateway.yaml deleted file mode 100755 index 4305bf6..0000000 --- a/Istio/02-Traffic_management/11-TLS-PASSTHROUGH/bk_old_nonworking_gateway.yaml +++ /dev/null 
@@ -1,113 +0,0 @@ -#apiVersion: networking.istio.io/v1alpha3 -#kind: Gateway -#metadata: -# name: helloworld-gateway -#spec: -# selector: -## istio: myingressgateway -# istio: ingressgateway -# servers: -# - hosts: -# ["lb.net","*.lb.net"] -# port: -# name: tls-443 -# number: 443 -# protocol: HTTPS -# tls: -# mode: SIMPLE -# credentialName: my-tls-cert-secret -# minProtocolVersion: TLSV1_2 -#--- -#apiVersion: networking.istio.io/v1alpha3 -#kind: VirtualService -#metadata: -# name: helloworld-vs -#spec: -# hosts: -# - "*" -# gateways: -# - helloworld-gateway -# http: -## - name: http-vs -## match: -## - port: 80 -## route: -## - destination: -## host: helloworld.default.svc.cluster.local -## port: -## number: 8080 -# - name: https-vs -# match: -# - port: 443 -# route: -# - destination: -# host: helloworld.default.svc.cluster.local -# port: -# number: 443 -## -## tls: -## - match: -## - port: 443 -## sniHosts: ["lb.net"] -## route: -## - destination: -## host: helloworld.default.svc.cluster.local -## port: -## number: 443 -##--- -##apiVersion: networking.istio.io/v1alpha3 -##kind: DestinationRule -##metadata: -## name: helloworld -## namespace: default -##spec: -## host: helloworld.default.svc.cluster.local -## trafficPolicy: -## portLevelSettings: -## - port: -## number: 8080 -## tls: -## mode: DISABLE -## - port: -## number: 8443 -## tls: -## credentialName: client-credential -## mode: SIMPLE -## port: -## name: https-backend -## number: 8443 -## protocol: HTTPS -## tls: -## credentialName: my-tls-cert-secret -## mode: SIMPLE -## tcp: -### - match: -### - port: 80 -### route: -### - destination: -### host: helloworld -### port: -### number: 8080 -### - match: -### - port: 443 -## - route: -## - destination: -## host: helloworld -## port: -## number: 8443 -## -## tls: -## - match: -## - port: 443 -## sniHosts: -## - "hello.si" -### - uri: -### exact: /helloworld -## route: -## - destination: -## host: helloworld -## port: -## number: 8443 -### protocol: HTTPS -### 
rewrite: -### uri: "/" \ No newline at end of file diff --git a/Istio/02-Traffic_management/11-TLS-PASSTHROUGH/deployment.yaml b/Istio/02-Traffic_management/11-TLS-PASSTHROUGH/deployment.yaml index 3f9ad6c..f94f650 100755 --- a/Istio/02-Traffic_management/11-TLS-PASSTHROUGH/deployment.yaml +++ b/Istio/02-Traffic_management/11-TLS-PASSTHROUGH/deployment.yaml @@ -7,17 +7,11 @@ metadata: service: helloworld spec: ports: - - port: 8080 - name: http-s - targetPort: 80 - protocol: TCP - appProtocol: HTTP - - - port: 8443 - name: https + - name: https + port: 8443 targetPort: 443 protocol: TCP - appProtocol: https + appProtocol: HTTPS selector: app: helloworld --- @@ -36,7 +30,6 @@ spec: metadata: labels: app: helloworld - sidecar.istio.io/inject: "true" spec: containers: - name: helloworld @@ -48,33 +41,33 @@ spec: ports: - containerPort: 80 - containerPort: 443 ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - name: nginx - labels: - app: nginx - version: v1 -spec: - replicas: 1 - selector: - matchLabels: - app: nginx - version: v1 - template: - metadata: - labels: - app: nginx - version: v1 - spec: - # serviceAccountName: istio-helloworld - containers: - - name: nginx - image: nginx - resources: - requests: - cpu: "100m" - imagePullPolicy: IfNotPresent - ports: - - containerPort: 80 \ No newline at end of file +#--- +#apiVersion: apps/v1 +#kind: Deployment +#metadata: +# name: nginx +# labels: +# app: nginx +# version: v1 +#spec: +# replicas: 1 +# selector: +# matchLabels: +# app: nginx +# version: v1 +# template: +# metadata: +# labels: +# app: nginx +# version: v1 +# spec: +# # serviceAccountName: istio-helloworld +# containers: +# - name: nginx +# image: nginx +# resources: +# requests: +# cpu: "100m" +# imagePullPolicy: IfNotPresent +# ports: +# - containerPort: 80 \ No newline at end of file 
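Review bot: The Service port is renamed to `https` with `appProtocol: HTTPS`, but nothing in the hunk records that this naming is what makes Istio treat port 8443 as opaque TLS rather than HTTP, which is a precondition for the gateway's PASSTHROUGH stream to reach the backend intact. Istio's documented `appProtocol` values are lowercase (`https`); I believe Istio parses the value case-insensitively, but using the documented spelling avoids depending on that. The `http-s` port 8080 is dropped from the Service while the Deployment context further down still exposes `containerPort: 80`, so the plaintext listener stays reachable by pod IP inside the cluster — either remove that container port or state that it is intentional. I would add above `- name: https`: `# Port name/appProtocol must be an Istio TLS protocol (https/tls): the gateway passes the client's TLS through untouched, so certificate, minimum TLS version and cipher policy are enforced by the backend, not by Istio.`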
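Review bot: Dropping the `sidecar.istio.io/inject: "true"` pod label leaves sidecar injection to the namespace default, and the same commit deletes the DestinationRule that pinned `tls.mode: DISABLE` for port 8443 and moves the PeerAuthentication DISABLE out of this example, so the gateway-to-pod hop now depends on mesh settings that are not visible here. With PASSTHROUGH the gateway forwards the client's TLS as raw TCP; if a sidecar is injected and mesh mTLS is in effect that hop is additionally mTLS-wrapped, while with no sidecar it is the client's TLS alone — both presumably work, but the example should not silently depend on one. I would add a comment where the label was: `# No per-pod injection override: sidecar presence follows the namespace injection setting; passthrough works either way, but with a sidecar the gateway->pod hop is also subject to the mesh PeerAuthentication.`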
diff --git a/Istio/02-Traffic_management/11-TLS-PASSTHROUGH/gateway-02.yaml b/Istio/02-Traffic_management/11-TLS-PASSTHROUGH/gateway-02.yaml deleted file mode 100755 index 5070950..0000000 --- a/Istio/02-Traffic_management/11-TLS-PASSTHROUGH/gateway-02.yaml +++ /dev/null @@ -1,36 +0,0 @@ -#apiVersion: networking.istio.io/v1beta1 -#kind: Gateway -#metadata: -# name: helloworld-gateway -#spec: -# selector: -# istio: ingressgateway -# servers: -# - hosts: -# - "*" -# port: -# name: https -# number: 443 -# protocol: HTTPS -# tls: -# mode: PASSTHROUGH -#--- -#apiVersion: networking.istio.io/v1beta1 -#kind: VirtualService -#metadata: -# name: helloworld-vs -#spec: -# gateways: -# - helloworld-gateway -# hosts: ["lb.net","*.lb.net"] -## http: -## - route: -## - destination: -## host: helloworld.default.svc.cluster.local -##spec: -# tls: -# - match: -# - sniHosts: ["lb.net","*.lb.net"] -# route: -# - destination: -# host: helloworld.default.svc.cluster.local \ No newline at end of file diff --git a/Istio/02-Traffic_management/11-TLS-PASSTHROUGH/gateway.yaml b/Istio/02-Traffic_management/11-TLS-PASSTHROUGH/gateway.yaml index a313d3a..2f092f6 100755 --- a/Istio/02-Traffic_management/11-TLS-PASSTHROUGH/gateway.yaml +++ b/Istio/02-Traffic_management/11-TLS-PASSTHROUGH/gateway.yaml 
@@ -2,61 +2,30 @@ apiVersion: networking.istio.io/v1alpha3 kind: Gateway metadata: name: helloworld-gateway + namespace: default spec: selector: - # istio: myingressgateway istio: ingressgateway servers: - # - port: - # number: 443 - # name: secure-http2 - # protocol: HTTP2 - # hosts: - # - "*" - - port: - number: 80 - name: http2-i - protocol: HTTP2 - hosts: - - "*" - port: number: 443 - name: https-i + name: https-web protocol: HTTPS hosts: - "*" tls: -# credentialName: my-tls-cert-secret -# minProtocolVersion: TLSV1_2 - # mode: PASSTHROUGH --- apiVersion: networking.istio.io/v1alpha3 kind: VirtualService metadata: name: helloworld-vs + namespace: default spec: hosts: - "lb.net" gateways: - helloworld-gateway - http: - - name: http-vs - match: - - port: 80 - route: - - destination: - host: helloworld.default.svc.cluster.local - port: - number: 8080 -# - name: https-vs -# match: -# - port: 443 -# route: -# - destination: -# host: helloworld.default.svc.cluster.local -# port: -# number: 8443 tls: - match: - port: 443 @@ -65,23 +34,4 @@ spec: - destination: host: helloworld.default.svc.cluster.local port: - number: 8443 ---- -apiVersion: networking.istio.io/v1alpha3 -kind: DestinationRule -metadata: - name: helloworld - namespace: default -spec: - host: helloworld.default.svc.cluster.local - trafficPolicy: - portLevelSettings: - - port: - number: 8080 - tls: - mode: DISABLE - - - port: - number: 8443 - tls: - mode: DISABLE + number: 8443 \ No newline at end of file diff --git a/Istio/02-Traffic_management/XX-HTTP2-gateway-made-it-work/README.md b/Istio/02-Traffic_management/XX-HTTP2-gateway-made-it-work-maybe/README.md similarity index 100% rename from Istio/02-Traffic_management/XX-HTTP2-gateway-made-it-work/README.md rename to Istio/02-Traffic_management/XX-HTTP2-gateway-made-it-work-maybe/README.md 
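Review bot: The Gateway server now uses `protocol: HTTPS` with `tls.mode: PASSTHROUGH` and `hosts: "*"`, which means the ingress gateway routes purely on the client-supplied SNI and never inspects the TLS session, so the commented-out `credentialName` / `minProtocolVersion` lines cannot apply in this mode and minimum TLS version, cipher suites and the served certificate are entirely the backend's responsibility. Because `hosts` is `*`, every SNI reaches this listener and is only rejected by the VirtualService `tls` match (`port: 443`, and presumably the `sniHosts` entry on the lines between the two hunks, which I cannot see); narrowing it to `- "lb.net"` adds defence in depth and makes the intended name explicit. I would also drop the dead `#` lines under `tls:` and replace them with `# PASSTHROUGH: the gateway forwards the raw TLS stream by SNI; credentialName/minProtocolVersion have no effect here — enforce TLS policy on the backend.`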
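Review bot: Removing the DestinationRule drops the explicit `tls.mode: DISABLE` for port 8443, so gateway-to-backend behaviour falls back to Istio's default (by default auto mTLS when the destination has a sidecar, plain TCP otherwise) instead of a pinned policy; that is acceptable for passthrough but it is now implicit, and worth one line on the VirtualService route: `# No DestinationRule: upstream TLS policy is the mesh default (auto mTLS only if the backend has a sidecar).` The file also ends without a trailing newline (`\ No newline at end of file`); add one so yamllint's `new-line-at-end-of-file` check passes.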
diff --git a/Istio/02-Traffic_management/XX-HTTP2-gateway-made-it-work/authentication.yaml b/Istio/02-Traffic_management/XX-HTTP2-gateway-made-it-work-maybe/authentication.yaml similarity index 100% rename from Istio/02-Traffic_management/XX-HTTP2-gateway-made-it-work/authentication.yaml rename to Istio/02-Traffic_management/XX-HTTP2-gateway-made-it-work-maybe/authentication.yaml diff --git a/Istio/02-Traffic_management/XX-HTTP2-gateway-made-it-work/deployment.yaml b/Istio/02-Traffic_management/XX-HTTP2-gateway-made-it-work-maybe/deployment.yaml similarity index 100% rename from Istio/02-Traffic_management/XX-HTTP2-gateway-made-it-work/deployment.yaml rename to Istio/02-Traffic_management/XX-HTTP2-gateway-made-it-work-maybe/deployment.yaml diff --git a/Istio/02-Traffic_management/XX-HTTP2-gateway-made-it-work/gateway.yaml b/Istio/02-Traffic_management/XX-HTTP2-gateway-made-it-work-maybe/gateway.yaml similarity index 100% rename from Istio/02-Traffic_management/XX-HTTP2-gateway-made-it-work/gateway.yaml rename to Istio/02-Traffic_management/XX-HTTP2-gateway-made-it-work-maybe/gateway.yaml diff --git a/Istio/02-Traffic_management/11-TLS-PASSTHROUGH/ingress.yaml b/Istio/02-Traffic_management/XX-HTTP2-gateway-made-it-work-maybe/ingress.yaml similarity index 100% rename from Istio/02-Traffic_management/11-TLS-PASSTHROUGH/ingress.yaml rename to Istio/02-Traffic_management/XX-HTTP2-gateway-made-it-work-maybe/ingress.yaml diff --git a/Istio/02-Traffic_management/XX-HTTP2-gateway-made-it-work/ingress.yaml b/Istio/02-Traffic_management/XX-HTTP2-gateway-made-it-work/ingress.yaml deleted file mode 100644 index 850c2eb..0000000 --- a/Istio/02-Traffic_management/XX-HTTP2-gateway-made-it-work/ingress.yaml +++ /dev/null 
@@ -1,29 +0,0 @@ -apiVersion: install.istio.io/v1alpha1 -kind: IstioOperator -metadata: - name: ingress -spec: - profile: empty # Do not install CRDs or the control plane - components: - ingressGateways: - - name: myistio-ingressgateway - namespace: istio-ingress - enabled: true - label: - istio: myingressgateway - k8s: - service: - ports: - - name: https-ingress - port: 443 - protocol: TCP - targetPort: 1055 - - name: http-ingress - port: 80 - protocol: TCP - targetPort: 1085 - - values: - gateways: - istio-ingressgateway: - injectionTemplate: gateway diff --git a/Istio/02-Traffic_management/__XX-TLS-PASSTHROUGH_BK_pcap_see_encrypted_traffic/README.md b/Istio/02-Traffic_management/__XX-TLS-PASSTHROUGH_BK_pcap_see_encrypted_traffic/README.md deleted file mode 100644 index f356e8b..0000000 --- a/Istio/02-Traffic_management/__XX-TLS-PASSTHROUGH_BK_pcap_see_encrypted_traffic/README.md +++ /dev/null 
@@ -1,313 +0,0 @@ ---- -gitea: none -include_toc: true ---- - -# Based on - -- [08a-HTTPS-min-TLS-version](../08a-HTTPS-min-TLS-version) - -# Description - -The previous example was modified set the gateway to enable for HTTP2 traffic. - -https://stackoverflow.com/a/59610581 - - -# Changelog - -## Gateway - -```yaml -apiVersion: networking.istio.io/v1alpha3 -kind: Gateway -metadata: - name: helloworld-gateway -spec: - selector: - istio: ingressgateway - servers: - - port: - number: 443 - name: secure-http2 - protocol: HTTP2 - hosts: - - "*" - tls: - mode: SIMPLE - credentialName: my-tls-cert-secret - minProtocolVersion: TLSV1_2 -``` - -`` - -# Walkthrough - - -## Generate client and server certificate and key files - -First step will be to generate the certificate and key files to be able to set them to the Gateway resource. - -### Create a folder to store files. - -Create the folder to contain the files that will be generated. - -```shell -mkdir certfolder -``` - -### Create a certificate and a private key. - -```shell -openssl req -x509 -sha256 -nodes -days 365 -subj '/O=Internet of things/CN=lb.net' -newkey rsa:2048 -keyout certfolder/istio.cert.key -out certfolder/istio.cert.crt -``` - -The files generated are the following: - -```yaml -private-key: certfolder/istio.cert.key -root-certificate: certfolder/istio.cert.crt -``` - -The information set to the certificate generated is the following: - -```yaml -Organization-name: Internet of things -CN: lb.net -``` - -### Create a TLS secret - -At this step we create the tls secret `my-tls-cert-secret` on the namespace `istio-system`. 
- -```shell -kubectl create -n istio-system secret tls my-tls-cert-secret \ - --key=certfolder/istio.cert.key \ - --cert=certfolder/istio.cert.crt -``` -```text -secret/my-tls-cert-secret created -``` -```text -service/helloworld created -deployment.apps/helloworld-nginx created -gateway.networking.istio.io/helloworld-gateway created -virtualservice.networking.istio.io/helloworld-vs created -``` - -> **Note:**\ -> It's Important that the secret is located in the same namespace as the Load Balancer used. In my case is the `istio-system`, but it will vary based on the environment. - - -## Deploy resources - -```shell -kubectl apply -f ./ -``` -```text -service/helloworld created -deployment.apps/helloworld-nginx created -gateway.networking.istio.io/helloworld-gateway created -virtualservice.networking.istio.io/helloworld-vs created -``` - -## Test the service -### http2 -#### Curl HTTP1 - -```shell -curl 192.168.1.50/helloworld -s -o=/dev/null -w 'http_version: %{http_version}\nstatus_code: %{response_code}\n' -HHOST:http2.lb --http1.0 -``` -```text -http_version: 1.1 -status_code: 426 -``` - -#### Curl HTTP1.1 - -```shell -curl 192.168.1.50/helloworld -s -o=/dev/null -w 'http_version: %{http_version}\nstatus_code: %{response_code}\n' -HHOST:http2.lb --http1.1 -``` -```text -http_version: 1.1 -status_code: 200 -``` - -#### Curl HTTP2 - -```shell -curl 192.168.1.50/helloworld -s -o=/dev/null -w 'http_version: %{http_version}\nstatus_code: %{response_code}\n' -HHOST:http2.lb --http2 -``` -```text -http_version: 1.1 -status_code: 200 -``` - -### http1-web - -#### Curl HTTP1 - -```shell -curl 192.168.1.50/helloworld -s -o=/dev/null -w 'http_version: %{http_version}\nstatus_code: %{response_code}\n' -HHOST:http1.lb --http1.0 -``` -```text -http_version: 1.1 -status_code: 426 -``` - -#### Curl HTTP1.1 - -```shell -curl 192.168.1.50/helloworld -s -o=/dev/null -w 'http_version: %{http_version}\nstatus_code: %{response_code}\n' -HHOST:http1.lb --http1.1 -``` -```text 
-http_version: 1.1 -status_code: 200 -``` - -#### Curl HTTP2 - -```shell -curl 192.168.1.50/helloworld -s -o=/dev/null -w 'http_version: %{http_version}\nstatus_code: %{response_code}\n' -HHOST:http1.lb --http2 -``` -```text -http_version: 1.1 -status_code: 200 -``` - -## Cleanup - -```shell -kubectl delete -f ./ -``` - -```text -service "helloworld" deleted -deployment.apps "helloworld-nginx" deleted -gateway.networking.istio.io "helloworld-gateway" deleted -virtualservice.networking.istio.io "helloworld-vs" deleted -``` - -# Links of Interest - -- https://istio.io/latest/docs/reference/config/networking/gateway/#ServerTLSSettings-TLSProtocol - -- https://stackoverflow.com/a/51279606 - -- https://istio.io/latest/docs/reference/config/networking/destination-rule/#ConnectionPoolSettings-HTTPSettings-H2UpgradePolicy - - - -docker buildx build --push --platform linux/arm/v7,linux/arm64/v8,linux/amd64 --tag registery.filter.home:5000/https-demo:latest -f Dockerfile - - -docker buildx build --push --platform linux/arm/v7,linux/arm64/v8,linux/amd64 --tag registery.filter.home:5000/https-demo:latest . -[+] Building 0.0s (0/0) -ERROR: multiple platforms feature is currently not supported for docker driver. Please switch to a different driver (eg. "docker buildx create --use") - ---- -## Create the Dockerfile - -```bash -FROM ubuntu/apache2 - -RUN apt-get update && \ -apt-get install apache2 openssl -y && \ -a2ensite default-ssl && \ -a2enmod ssl && \ -echo "

Howdy

" | tee /var/www/html/index.html - -RUN /usr/bin/printf "\n\ - ServerAdmin webmaster@localhost\n\ - DocumentRoot /var/www/html\n\ - ErrorLog \${APACHE_LOG_DIR}/error.log\n\ - CustomLog \${APACHE_LOG_DIR}/access.log combined\n\ -\n\ -\n\ - ServerAdmin webmaster@localhost\n\ - DocumentRoot /var/www/html\n\ - ErrorLog \${APACHE_LOG_DIR}/error.log\n\ - CustomLog \${APACHE_LOG_DIR}/access.log combined\n\ - SSLEngine on\n\ - SSLCertificateFile /etc/ssl/certs/ssl-cert-snakeoil.pem\n\ - SSLCertificateKeyFile /etc/ssl/private/ssl-cert-snakeoil.key\n\ -" > /etc/apache2/sites-available/000-default.conf - -RUN openssl req -x509 -sha256 -nodes -days 358000 -subj '/O=SSL EXAMPLE/CN=lb.net' -newkey rsa:2048 -keyout /etc/ssl/private/ssl-cert-snakeoil.key -out /etc/ssl/certs/ssl-cert-snakeoil.pem -``` - -## Build the image - -Due to my Kubernetes cluster environment, where I am using Orange 5, their architecture is arm7, and for such, I require to compile such images. - -For my own commodity, I have used a raspberry pi 4 to build this images. - -The images where pushed to a local registry server, and afterwards the Kubernetes cluster will pull such image. - -```shell - docker build --tag https-demo:armv7 . -``` -```text -docker build --tag https-demo:armv7 . 
--no-cache -[+] Building 16.5s (8/8) FINISHED - => [internal] load .dockerignore 0.0s - => => transferring context: 2B 0.0s - => [internal] load build definition from Dockerfile 0.0s - => => transferring dockerfile: 1.09kB 0.0s - => [internal] load metadata for docker.io/ubuntu/apache2:latest 0.4s - => CACHED [1/4] FROM docker.io/ubuntu/apache2@sha256:0a5e7179fa8fccf17843a8862e58ac783628b7d448cd68fda8fb1e 0.0s - => [2/4] RUN apt-get update && apt-get install apache2 openssl -y && a2ensite default-ssl && a2enmod ssl & 12.0s - => [3/4] RUN /usr/bin/printf "\n ServerAdmin webmaster@localhost\n DocumentRoot /var/www/ 0.7s - => [4/4] RUN openssl req -x509 -sha256 -nodes -days 358000 -subj '/O=SSL EXAMPLE' -newkey rsa:2048 -keyout 2.4s - => exporting to image 1.0s - => => exporting layers 1.0s - => => writing image sha256:591c6d233100a48bf132eef7a792942cfd0b7057817c4ac5e156c1d33e24cd89 0.0s - => => naming to docker.io/library/https-demo:armv7 0.0s -``` - -## Tag the image - -```shell -docker image tag https-demo:armv7 registery.filter.home/https-demo:armv7 -``` - -## Upload to the registery server - -```text -docker image push registery.filter.home:5000/https-demo:armv7 -The push refers to repository [registery.filter.home:5000/https-demo] -c6d858706b08: Pushed -9e077e0202f0: Pushed -6ffc708d0cf3: Pushed -69e01b4bf4d7: Pushed -17c5b30f3843: Pushed -0b9f60fbcaf1: Pushed -armv7: digest: sha256:d8c81c27f23bf3945ae8a794c82182f9e6c48ec927f388fdf4a88caa0e284bd1 size: 1578 -``` - - - -## ? -curl: (35) OpenSSL/3.0.8: error:0A00010B:SSL routines::wrong version numbe - - - - - ---- - - -Has apache2 installed with a default certificate. - -Port 80 visible for HTTP - -Port 443 visible for HTTPS. - - - - -curl https://192.168.1.2:8443 -s -o=/dev/null -w 'http_version: %{http_version}\nstatus_code: %{response_code}\n' -HHOST:http1.lb --http2 -k -http_version: 2 -status_code: 200 - -# Recv failure: Connection reset by peer 
diff --git a/Istio/02-Traffic_management/__XX-TLS-PASSTHROUGH_BK_pcap_see_encrypted_traffic/authentication.yaml b/Istio/02-Traffic_management/__XX-TLS-PASSTHROUGH_BK_pcap_see_encrypted_traffic/authentication.yaml deleted file mode 100644 index da9883d..0000000 --- a/Istio/02-Traffic_management/__XX-TLS-PASSTHROUGH_BK_pcap_see_encrypted_traffic/authentication.yaml +++ /dev/null @@ -1,11 +0,0 @@ -apiVersion: security.istio.io/v1beta1 -kind: PeerAuthentication -metadata: - name: default-mtls - namespace: default -spec: - mtls: - mode: DISABLE - - -#curl -v --resolve ":$SECURE_INGRESS_PORT:$INGRESS_HOST" --cacert example_certs/example.com.crt "https://nginx.example.com:$SECURE_INGRESS_PORT" diff --git a/Istio/02-Traffic_management/__XX-TLS-PASSTHROUGH_BK_pcap_see_encrypted_traffic/bk_old_nonworking_gateway.yaml b/Istio/02-Traffic_management/__XX-TLS-PASSTHROUGH_BK_pcap_see_encrypted_traffic/bk_old_nonworking_gateway.yaml deleted file mode 100755 index 871a985..0000000 --- a/Istio/02-Traffic_management/__XX-TLS-PASSTHROUGH_BK_pcap_see_encrypted_traffic/bk_old_nonworking_gateway.yaml +++ /dev/null 
@@ -1,117 +0,0 @@ -#apiVersion: networking.istio.io/v1alpha3 -#kind: Gateway -#metadata: -# name: helloworld-gateway -#spec: -# selector: -## istio: myingressgateway -# istio: ingressgateway -# servers: -# - hosts: -# ["lb.net","*.lb.net"] -# port: -# name: tls-443 -# number: 443 -# protocol: HTTPS -# tls: -# mode: SIMPLE -# credentialName: my-tls-cert-secret -# minProtocolVersion: TLSV1_2 -#--- -#apiVersion: networking.istio.io/v1alpha3 -#kind: VirtualService -#metadata: -# name: helloworld-vs -#spec: -# hosts: -# - "*" -# gateways: -# - helloworld-gateway -# http: -## - name: http-vs -## match: -## - port: 80 -## route: -## - destination: -## host: helloworld.default.svc.cluster.local -## port: -## number: 8080 -# - name: https-vs -# match: -# - port: 443 -# route: -# - destination: -# host: helloworld.default.svc.cluster.local -# port: -# number: 443 -## -## tls: -## - match: -## - port: 443 -## sniHosts: ["lb.net"] -## route: -## - destination: -## host: helloworld.default.svc.cluster.local -## port: -## number: 443 -# -##--- -##apiVersion: networking.istio.io/v1alpha3 -##kind: DestinationRule -##metadata: -## name: helloworld -## namespace: default -##spec: -## host: helloworld.default.svc.cluster.local -## trafficPolicy: -## portLevelSettings: -## - port: -## number: 8080 -## tls: -## mode: DISABLE -# -## - port: -## number: 8443 -## tls: -## credentialName: client-credential -## mode: SIMPLE -# -# -## port: -## name: https-backend -## number: 8443 -## protocol: HTTPS -## tls: -## credentialName: my-tls-cert-secret -## mode: SIMPLE -## tcp: -### - match: -### - port: 80 -### route: -### - destination: -### host: helloworld -### port: -### number: 8080 -### - match: -### - port: 443 -## - route: -## - destination: -## host: helloworld -## port: -## number: 8443 -## -## tls: -## - match: -## - port: 443 -## sniHosts: -## - "hello.si" -### - uri: -### exact: /helloworld -## route: -## - destination: -## host: helloworld -## port: -## number: 8443 -### protocol: 
HTTPS
-### rewrite:
-### uri: "/"
\ No newline at end of file
diff --git a/Istio/02-Traffic_management/__XX-TLS-PASSTHROUGH_BK_pcap_see_encrypted_traffic/deployment.yaml b/Istio/02-Traffic_management/__XX-TLS-PASSTHROUGH_BK_pcap_see_encrypted_traffic/deployment.yaml
deleted file mode 100755
index 233c5ed..0000000
--- a/Istio/02-Traffic_management/__XX-TLS-PASSTHROUGH_BK_pcap_see_encrypted_traffic/deployment.yaml
+++ /dev/null
@@ -1,74 +0,0 @@
-apiVersion: v1
-kind: Service
-metadata:
- name: helloworld
- labels:
- app: helloworld
- service: helloworld
-spec:
- ports:
- - name: p1
- port: 80
- protocol: TCP
- - name: https
- port: 443
- protocol: TCP
- selector:
- app: helloworld
----
-apiVersion: apps/v1
-kind: Deployment
-metadata:
- name: helloworld-nginx
- labels:
- app: helloworld
-spec:
- replicas: 1
- selector:
- matchLabels:
- app: helloworld
- template:
- metadata:
- labels:
- app: helloworld
- sidecar.istio.io/inject: "true"
- spec:
- containers:
- - name: helloworld
- image: oriolfilter/https-apache-demo:armv7
- resources:
- requests:
- cpu: "100m"
- imagePullPolicy: IfNotPresent #Always
- ports:
- - containerPort: 443
----
-apiVersion: apps/v1
-kind: Deployment
-metadata:
- name: nginx
- labels:
- app: nginx
- version: v1
-spec:
- replicas: 1
- selector:
- matchLabels:
- app: nginx
- version: v1
- template:
- metadata:
- labels:
- app: nginx
- version: v1
- spec:
- # serviceAccountName: istio-helloworld
- containers:
- - name: nginx
- image: nginx
- resources:
- requests:
- cpu: "100m"
- imagePullPolicy: IfNotPresent
- ports:
- - containerPort: 80
\ No newline at end of file
diff --git a/Istio/02-Traffic_management/__XX-TLS-PASSTHROUGH_BK_pcap_see_encrypted_traffic/gateway-02.yaml b/Istio/02-Traffic_management/__XX-TLS-PASSTHROUGH_BK_pcap_see_encrypted_traffic/gateway-02.yaml
deleted file mode 100755
index 5070950..0000000
--- a/Istio/02-Traffic_management/__XX-TLS-PASSTHROUGH_BK_pcap_see_encrypted_traffic/gateway-02.yaml
+++ /dev/null
@@ -1,36 +0,0 @@
-#apiVersion: networking.istio.io/v1beta1
-#kind: Gateway
-#metadata:
-# name: helloworld-gateway
-#spec:
-# selector:
-# istio: ingressgateway
-# servers:
-# - hosts:
-# - "*"
-# port:
-# name: https
-# number: 443
-# protocol: HTTPS
-# tls:
-# mode: PASSTHROUGH
-#---
-#apiVersion: networking.istio.io/v1beta1
-#kind: VirtualService
-#metadata:
-# name: helloworld-vs
-#spec:
-# gateways:
-# - helloworld-gateway
-# hosts: ["lb.net","*.lb.net"]
-## http:
-## - route:
-## - destination:
-## host: helloworld.default.svc.cluster.local
-##spec:
-# tls:
-# - match:
-# - sniHosts: ["lb.net","*.lb.net"]
-# route:
-# - destination:
-# host: helloworld.default.svc.cluster.local
\ No newline at end of file
diff --git a/Istio/02-Traffic_management/__XX-TLS-PASSTHROUGH_BK_pcap_see_encrypted_traffic/gateway.yaml b/Istio/02-Traffic_management/__XX-TLS-PASSTHROUGH_BK_pcap_see_encrypted_traffic/gateway.yaml
deleted file mode 100755
index 210ef29..0000000
--- a/Istio/02-Traffic_management/__XX-TLS-PASSTHROUGH_BK_pcap_see_encrypted_traffic/gateway.yaml
+++ /dev/null
@@ -1,85 +0,0 @@ -apiVersion: networking.istio.io/v1alpha3 -kind: Gateway -metadata: - name: helloworld-gateway -spec: - selector: - # istio: myingressgateway - istio: ingressgateway - servers: - # - port: - # number: 443 - # name: secure-http2 - # protocol: HTTP2 - # hosts: - # - "*" - - port: - number: 80 - name: http2-i - protocol: HTTP2 - hosts: - - "*" - - port: - number: 443 - name: https-i - protocol: HTTPS - hosts: - - "*" - tls: - credentialName: my-tls-cert-secret - minProtocolVersion: TLSV1_2 - # - mode: SIMPLE ---- -apiVersion: networking.istio.io/v1alpha3 -kind: VirtualService -metadata: - name: helloworld-vs -spec: - hosts: ["lb.net"] - gateways: - - helloworld-gateway - http: - - name: http-vs - match: - - port: 80 - route: - - destination: - host: helloworld.default.svc.cluster.local - port: - number: 80 - - name: https-vs - match: - - port: 443 - sniHosts: ["lb.net"] - route: - - destination: - host: helloworld.default.svc.cluster.local - port: - number: 443 -# tls: -# - match: -# - sniHosts: ["lb.net"] -# route: -# - destination: -# host: helloworld.default.svc.cluster.local ---- -apiVersion: networking.istio.io/v1alpha3 -kind: DestinationRule -metadata: - name: helloworld - namespace: default -spec: - host: helloworld.default.svc.cluster.local - trafficPolicy: - portLevelSettings: - - port: - number: 8080 - tls: - mode: DISABLE -# - - port: - number: 443 - tls: - credentialName: client-credential - mode: DISABLE \ No newline at end of file diff --git a/Istio/02-Traffic_management/__XX-TLS-PASSTHROUGH_BK_pcap_see_encrypted_traffic/ingress.yaml b/Istio/02-Traffic_management/__XX-TLS-PASSTHROUGH_BK_pcap_see_encrypted_traffic/ingress.yaml deleted file mode 100644 index 850c2eb..0000000 --- a/Istio/02-Traffic_management/__XX-TLS-PASSTHROUGH_BK_pcap_see_encrypted_traffic/ingress.yaml +++ /dev/null 
@@ -1,29 +0,0 @@ -apiVersion: install.istio.io/v1alpha1 -kind: IstioOperator -metadata: - name: ingress -spec: - profile: empty # Do not install CRDs or the control plane - components: - ingressGateways: - - name: myistio-ingressgateway - namespace: istio-ingress - enabled: true - label: - istio: myingressgateway - k8s: - service: - ports: - - name: https-ingress - port: 443 - protocol: TCP - targetPort: 1055 - - name: http-ingress - port: 80 - protocol: TCP - targetPort: 1085 - - values: - gateways: - istio-ingressgateway: - injectionTemplate: gateway diff --git a/Istio/02-Traffic_management/11-TLS-PASSTHROUGH/authentication.yaml b/Istio/06-Internal-Authentication/03-disable-mTLS/authentication.yaml similarity index 50% rename from Istio/02-Traffic_management/11-TLS-PASSTHROUGH/authentication.yaml rename to Istio/06-Internal-Authentication/03-disable-mTLS/authentication.yaml index da9883d..221a86d 100644 --- a/Istio/02-Traffic_management/11-TLS-PASSTHROUGH/authentication.yaml +++ b/Istio/06-Internal-Authentication/03-disable-mTLS/authentication.yaml @@ -6,6 +6,3 @@ metadata: spec: mtls: mode: DISABLE - - -#curl -v --resolve ":$SECURE_INGRESS_PORT:$INGRESS_HOST" --cacert example_certs/example.com.crt "https://nginx.example.com:$SECURE_INGRESS_PORT"