ofilter/Istio_Examples
1
0
Fork 0
Code Issues 26 Pull Requests Packages Projects 1 Releases Wiki Activity

small backup cause things work and scared of proceeding without modifying anything, also say hi to my registry at home

Browse Source
This commit is contained in:
savagebidoof 2023-04-25 00:16:52 +02:00
parent de80fadf2a
commit 4bb07eebce
30 changed files with 2564 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

1
.gitignore vendored
View File

@ -1 +1,2 @@
/.idea/
/Istio/02-Traffic_management/XX-HTTPS-backend/

2
Istio/00-Troubleshooting/README.md
View File

@ -55,6 +55,8 @@ Warning [IST0104] (Gateway default/helloworld-gateway) The gateway refers to a p
Target a pod and start a packet capture on the istio-proxy container.
This step requires istio to be installed with the flag `values.global.proxy.privileged=true`
```shell
$ kubectl exec -n default "$(kubectl get pod -n default -l app=helloworld -o jsonpath={.items..metadata.name})" -c istio-proxy -- sudo tcpdump dst port 80 -A
tcpdump: verbose output suppressed, use -v[v]... for full protocol decode

13
Istio/02-Traffic_management/XX-HTTP2-gateway-made-it-work/Dockerfile Normal file
View File

@ -0,0 +1,13 @@
FROM nginx
ADD server.conf /etc/nginx/conf.d/default.conf
# RUN apt-get update && \
# apt-get install apache2 openssl -y && \
# a2ensite default-ssl && \
# a2enmod ssl && \
RUN mkdir -p /var/www/html
RUN echo "<h2>Howdy</h2>" | tee /var/www/html/index.html
RUN openssl req -x509 -sha256 -nodes -days 358000 -subj '/O=SSL EXAMPLE/CN=lb.net' -newkey rsa:2048 -keyout /cert.key -out /cert.crt

321
Istio/02-Traffic_management/XX-HTTP2-gateway-made-it-work/README.md Normal file
View File

@ -0,0 +1,321 @@
---
gitea: none
include_toc: true
---
# Based on
- [08a-HTTPS-min-TLS-version](../08a-HTTPS-min-TLS-version)
# Description
The previous example was modified set the gateway to enable for HTTP2 traffic.
https://stackoverflow.com/a/59610581
# Changelog
## Gateway
```yaml
apiVersion: networking.istio.io/v1alpha3
kind: Gateway
metadata:
name: helloworld-gateway
spec:
selector:
istio: ingressgateway
servers:
- port:
number: 443
name: secure-http2
protocol: HTTP2
hosts:
- "*"
tls:
mode: SIMPLE
credentialName: my-tls-cert-secret
minProtocolVersion: TLSV1_2
```
`<text>`
# Walkthrough
## Generate client and server certificate and key files
First step will be to generate the certificate and key files to be able to set them to the Gateway resource.
### Create a folder to store files.
Create the folder to contain the files that will be generated.
```shell
mkdir certfolder
```
### Create a certificate and a private key.
```shell
openssl req -x509 -sha256 -nodes -days 365 -subj '/O=Internet of things/CN=lb.net' -newkey rsa:2048 -keyout certfolder/istio.cert.key -out certfolder/istio.cert.crt
```
The files generated are the following:
```yaml
private-key: certfolder/istio.cert.key
root-certificate: certfolder/istio.cert.crt
```
The information set to the certificate generated is the following:
```yaml
Organization-name: Internet of things
CN: lb.net
```
### Create a TLS secret
At this step we create the tls secret `my-tls-cert-secret` on the namespace `istio-system`.
```shell
kubectl create -n istio-system secret tls my-tls-cert-secret \
--key=certfolder/istio.cert.key \
--cert=certfolder/istio.cert.crt
```
```text
secret/my-tls-cert-secret created
```
```text
service/helloworld created
deployment.apps/helloworld-nginx created
gateway.networking.istio.io/helloworld-gateway created
virtualservice.networking.istio.io/helloworld-vs created
```
> **Note:**\
> It's Important that the secret is located in the same namespace as the Load Balancer used. In my case is the `istio-system`, but it will vary based on the environment.
## Deploy resources
```shell
kubectl apply -f ./
```
```text
service/helloworld created
deployment.apps/helloworld-nginx created
gateway.networking.istio.io/helloworld-gateway created
virtualservice.networking.istio.io/helloworld-vs created
```
## Test the service
### http2
#### Curl HTTP1
```shell
curl 192.168.1.50/helloworld -s -o=/dev/null -w 'http_version: %{http_version}\nstatus_code: %{response_code}\n' -HHOST:http2.lb --http1.0
```
```text
http_version: 1.1
status_code: 426
```
#### Curl HTTP1.1
```shell
curl 192.168.1.50/helloworld -s -o=/dev/null -w 'http_version: %{http_version}\nstatus_code: %{response_code}\n' -HHOST:http2.lb --http1.1
```
```text
http_version: 1.1
status_code: 200
```
#### Curl HTTP2
```shell
curl 192.168.1.50/helloworld -s -o=/dev/null -w 'http_version: %{http_version}\nstatus_code: %{response_code}\n' -HHOST:http2.lb --http2
```
```text
http_version: 1.1
status_code: 200
```
### http1-web
#### Curl HTTP1
```shell
curl 192.168.1.50/helloworld -s -o=/dev/null -w 'http_version: %{http_version}\nstatus_code: %{response_code}\n' -HHOST:http1.lb --http1.0
```
```text
http_version: 1.1
status_code: 426
```
#### Curl HTTP1.1
```shell
curl 192.168.1.50/helloworld -s -o=/dev/null -w 'http_version: %{http_version}\nstatus_code: %{response_code}\n' -HHOST:http1.lb --http1.1
```
```text
http_version: 1.1
status_code: 200
```
#### Curl HTTP2
```shell
curl 192.168.1.50/helloworld -s -o=/dev/null -w 'http_version: %{http_version}\nstatus_code: %{response_code}\n' -HHOST:http1.lb --http2
```
```text
http_version: 1.1
status_code: 200
```
## Cleanup
```shell
kubectl delete -f ./
```
```text
service "helloworld" deleted
deployment.apps "helloworld-nginx" deleted
gateway.networking.istio.io "helloworld-gateway" deleted
virtualservice.networking.istio.io "helloworld-vs" deleted
```
# Links of Interest
- https://istio.io/latest/docs/reference/config/networking/gateway/#ServerTLSSettings-TLSProtocol
- https://stackoverflow.com/a/51279606
- https://istio.io/latest/docs/reference/config/networking/destination-rule/#ConnectionPoolSettings-HTTPSettings-H2UpgradePolicy
docker buildx build --push --platform linux/arm/v7,linux/arm64/v8,linux/amd64 --tag registery.filter.home:5000/https-demo:latest -f Dockerfile
docker buildx build --push --platform linux/arm/v7,linux/arm64/v8,linux/amd64 --tag registery.filter.home:5000/https-demo:latest .
[+] Building 0.0s (0/0)
ERROR: multiple platforms feature is currently not supported for docker driver. Please switch to a different driver (eg. "docker buildx create --use")
---
## Create the Dockerfile
```bash
FROM ubuntu/apache2
RUN apt-get update && \
apt-get install apache2 openssl -y && \
a2ensite default-ssl && \
a2enmod ssl && \
echo "<h2>Howdy</h2>" | tee /var/www/html/index.html
RUN /usr/bin/printf "<VirtualHost *:80>\n\
ServerAdmin webmaster@localhost\n\
DocumentRoot /var/www/html\n\
ErrorLog \${APACHE_LOG_DIR}/error.log\n\
CustomLog \${APACHE_LOG_DIR}/access.log combined\n\
</VirtualHost>\n\
<VirtualHost *:443>\n\
ServerAdmin webmaster@localhost\n\
DocumentRoot /var/www/html\n\
ErrorLog \${APACHE_LOG_DIR}/error.log\n\
CustomLog \${APACHE_LOG_DIR}/access.log combined\n\
SSLEngine on\n\
SSLCertificateFile /etc/ssl/certs/ssl-cert-snakeoil.pem\n\
SSLCertificateKeyFile /etc/ssl/private/ssl-cert-snakeoil.key\n\
</VirtualHost>" > /etc/apache2/sites-available/000-default.conf
RUN openssl req -x509 -sha256 -nodes -days 358000 -subj '/O=SSL EXAMPLE/CN=lb.net' -newkey rsa:2048 -keyout /etc/ssl/private/ssl-cert-snakeoil.key -out /etc/ssl/certs/ssl-cert-snakeoil.pem
```
## Build the image
Due to my Kubernetes cluster environment, where I am using Orange 5, their architecture is arm7, and for such, I require to compile such images.
For my own commodity, I have used a raspberry pi 4 to build this images.
The images where pushed to a local registry server, and afterwards the Kubernetes cluster will pull such image.
```shell
docker build --tag https-demo:armv7 .
```
```text
docker build --tag https-demo:armv7 . --no-cache
[+] Building 16.5s (8/8) FINISHED
=> [internal] load .dockerignore 0.0s
=> => transferring context: 2B 0.0s
=> [internal] load build definition from Dockerfile 0.0s
=> => transferring dockerfile: 1.09kB 0.0s
=> [internal] load metadata for docker.io/ubuntu/apache2:latest 0.4s
=> CACHED [1/4] FROM docker.io/ubuntu/apache2@sha256:0a5e7179fa8fccf17843a8862e58ac783628b7d448cd68fda8fb1e 0.0s
=> [2/4] RUN apt-get update && apt-get install apache2 openssl -y && a2ensite default-ssl && a2enmod ssl & 12.0s
=> [3/4] RUN /usr/bin/printf "<VirtualHost *:80>\n ServerAdmin webmaster@localhost\n DocumentRoot /var/www/ 0.7s
=> [4/4] RUN openssl req -x509 -sha256 -nodes -days 358000 -subj '/O=SSL EXAMPLE' -newkey rsa:2048 -keyout 2.4s
=> exporting to image 1.0s
=> => exporting layers 1.0s
=> => writing image sha256:591c6d233100a48bf132eef7a792942cfd0b7057817c4ac5e156c1d33e24cd89 0.0s
=> => naming to docker.io/library/https-demo:armv7 0.0s
```
## Tag the image
```shell
docker image tag https-demo:armv7 registery.filter.home/https-demo:armv7
```
## Upload to the registery server
```text
docker image push registery.filter.home:5000/https-demo:armv7
The push refers to repository [registery.filter.home:5000/https-demo]
c6d858706b08: Pushed
9e077e0202f0: Pushed
6ffc708d0cf3: Pushed
69e01b4bf4d7: Pushed
17c5b30f3843: Pushed
0b9f60fbcaf1: Pushed
armv7: digest: sha256:d8c81c27f23bf3945ae8a794c82182f9e6c48ec927f388fdf4a88caa0e284bd1 size: 1578
```
## ?
curl: (35) OpenSSL/3.0.8: error:0A00010B:SSL routines::wrong version numbe
---
Has apache2 installed with a default certificate.
Port 80 visible for HTTP
Port 443 visible for HTTPS.
curl https:/192.168.1.2:8443 -s -o=/dev/null -w 'http_version: %{http_version}\nstatus_code: %{response_code}\n' -HHOST:http1.lb --http2 -k
http_version: 2
status_code: 200
```shell
curl --insecure --resolve lb.net:80:192.168.1.50 http://lb.net
```
```shell
curl --insecure --resolve lb.net:443:192.168.1.50 https://lb.net
```

8
Istio/02-Traffic_management/XX-HTTP2-gateway-made-it-work/authentication.yaml Normal file
View File

@ -0,0 +1,8 @@
apiVersion: security.istio.io/v1beta1
kind: PeerAuthentication
metadata:
name: default-mtls
namespace: default
spec:
mtls:
mode: PERMISSIVE

80
Istio/02-Traffic_management/XX-HTTP2-gateway-made-it-work/deployment.yaml Executable file
View File

@ -0,0 +1,80 @@
apiVersion: v1
kind: Service
metadata:
name: helloworld
labels:
app: helloworld
service: helloworld
spec:
ports:
- port: 8080
name: http-s
targetPort: 80
protocol: TCP
appProtocol: HTTP
- port: 8443
name: https
targetPort: 443
protocol: TCP
appProtocol: https
selector:
app: helloworld
---
apiVersion: apps/v1
kind: Deployment
metadata:
name: helloworld-nginx
labels:
app: helloworld
spec:
replicas: 1
selector:
matchLabels:
app: helloworld
template:
metadata:
labels:
app: helloworld
sidecar.istio.io/inject: "true"
spec:
containers:
- name: helloworld
image: oriolfilter/https-apache-demo:armv7
resources:
requests:
cpu: "100m"
imagePullPolicy: Always #Always
ports:
- containerPort: 80
- containerPort: 443
---
apiVersion: apps/v1
kind: Deployment
metadata:
name: nginx
labels:
app: nginx
version: v1
spec:
replicas: 1
selector:
matchLabels:
app: nginx
version: v1
template:
metadata:
labels:
app: nginx
version: v1
spec:
# serviceAccountName: istio-helloworld
containers:
- name: nginx
image: nginx
resources:
requests:
cpu: "100m"
imagePullPolicy: IfNotPresent
ports:
- containerPort: 80

118
Istio/02-Traffic_management/XX-HTTP2-gateway-made-it-work/gateway.yaml Executable file
View File

@ -0,0 +1,118 @@
apiVersion: networking.istio.io/v1alpha3
kind: Gateway
metadata:
name: helloworld-gateway
spec:
selector:
# istio: myingressgateway
istio: ingressgateway
servers:
# - port:
# number: 443
# name: secure-http2
# protocol: HTTP2
# hosts:
# - "*"
- port:
number: 80
name: http2-i
protocol: HTTP2
hosts:
- "*"
- port:
number: 443
name: https-i
protocol: HTTPS
hosts:
- "*"
tls:
credentialName: my-tls-cert-secret
minProtocolVersion: TLSV1_2
#
mode: SIMPLE
---
apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
name: helloworld-vs
spec:
hosts:
- "*"
gateways:
- helloworld-gateway
http:
- name: http-vs
match:
- port: 80
route:
- destination:
host: helloworld.default.svc.cluster.local
port:
number: 8080
- name: https-vs
match:
- port: 443
route:
- destination:
host: helloworld.default.svc.cluster.local
port:
number: 8443
---
apiVersion: networking.istio.io/v1alpha3
kind: DestinationRule
metadata:
name: helloworld
namespace: default
spec:
host: helloworld.default.svc.cluster.local
trafficPolicy:
portLevelSettings:
- port:
number: 8080
tls:
mode: DISABLE
- port:
number: 8443
tls:
# credentialName: client-credential
mode: SIMPLE
# port:
# name: https-backend
# number: 8443
# protocol: HTTPS
# tls:
# credentialName: my-tls-cert-secret
# mode: SIMPLE
# tcp:
## - match:
## - port: 80
## route:
## - destination:
## host: helloworld
## port:
## number: 8080
## - match:
## - port: 443
# - route:
# - destination:
# host: helloworld
# port:
# number: 8443
#
# tls:
# - match:
# - port: 443
# sniHosts:
# - "hello.si"
## - uri:
## exact: /helloworld
# route:
# - destination:
# host: helloworld
# port:
# number: 8443
## protocol: HTTPS
## rewrite:
## uri: "/"

29
Istio/02-Traffic_management/XX-HTTP2-gateway-made-it-work/ingress.yaml Normal file
View File

@ -0,0 +1,29 @@
apiVersion: install.istio.io/v1alpha1
kind: IstioOperator
metadata:
name: ingress
spec:
profile: empty # Do not install CRDs or the control plane
components:
ingressGateways:
- name: myistio-ingressgateway
namespace: istio-ingress
enabled: true
label:
istio: myingressgateway
k8s:
service:
ports:
- name: https-ingress
port: 443
protocol: TCP
targetPort: 1055
- name: http-ingress
port: 80
protocol: TCP
targetPort: 1085
values:
gateways:
istio-ingressgateway:
injectionTemplate: gateway

37
Istio/02-Traffic_management/XX-HTTP2-gateway-made-it-work/server.conf Normal file
View File

@ -0,0 +1,37 @@
server {
listen 80;
# rewrite ^ https://$server_name$request_uri? permanent;
server_name lb.net;
access_log /var/log/nginx/access.log;
error_log /var/log/nginx/error.log info;
add_header Strict-Transport-Security "max-age=7200";
root /var/www/html;
index index.html;
}
server {
listen 443 ssl default_server http2;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3;
ssl_ciphers ALL:!aNULL:!ADH:!eNULL:!LOW:!EXP:RC4+RSA:+HIGH:+MEDIUM;
server_name lb.net;
access_log /var/log/nginx/access.log;
error_log /var/log/nginx/error.log info;
ssl on;
ssl_certificate /cert.crt;
ssl_certificate_key /cert.key;
ssl_session_timeout 5m;
add_header Strict-Transport-Security "max-age=7200";
root /var/www/html;
index index.html;
}

311
Istio/02-Traffic_management/XX-HTTPS-backend/README.md Normal file
View File

@ -0,0 +1,311 @@
---
gitea: none
include_toc: true
---
# Based on
- [08a-HTTPS-min-TLS-version](../08a-HTTPS-min-TLS-version)
# Description
The previous example was modified set the gateway to enable for HTTP2 traffic.
https://stackoverflow.com/a/59610581
# Changelog
## Gateway
```yaml
apiVersion: networking.istio.io/v1alpha3
kind: Gateway
metadata:
name: helloworld-gateway
spec:
selector:
istio: ingressgateway
servers:
- port:
number: 443
name: secure-http2
protocol: HTTP2
hosts:
- "*"
tls:
mode: SIMPLE
credentialName: my-tls-cert-secret
minProtocolVersion: TLSV1_2
```
`<text>`
# Walkthrough
## Generate client and server certificate and key files
First step will be to generate the certificate and key files to be able to set them to the Gateway resource.
### Create a folder to store files.
Create the folder to contain the files that will be generated.
```shell
mkdir certfolder
```
### Create a certificate and a private key.
```shell
openssl req -x509 -sha256 -nodes -days 365 -subj '/O=Internet of things/CN=lb.net' -newkey rsa:2048 -keyout certfolder/istio.cert.key -out certfolder/istio.cert.crt
```
The files generated are the following:
```yaml
private-key: certfolder/istio.cert.key
root-certificate: certfolder/istio.cert.crt
```
The information set to the certificate generated is the following:
```yaml
Organization-name: Internet of things
CN: lb.net
```
### Create a TLS secret
At this step we create the tls secret `my-tls-cert-secret` on the namespace `istio-system`.
```shell
kubectl create -n istio-system secret tls my-tls-cert-secret \
--key=certfolder/istio.cert.key \
--cert=certfolder/istio.cert.crt
```
```text
secret/my-tls-cert-secret created
```
```text
service/helloworld created
deployment.apps/helloworld-nginx created
gateway.networking.istio.io/helloworld-gateway created
virtualservice.networking.istio.io/helloworld-vs created
```
> **Note:**\
> It's Important that the secret is located in the same namespace as the Load Balancer used. In my case is the `istio-system`, but it will vary based on the environment.
## Deploy resources
```shell
kubectl apply -f ./
```
```text
service/helloworld created
deployment.apps/helloworld-nginx created
gateway.networking.istio.io/helloworld-gateway created
virtualservice.networking.istio.io/helloworld-vs created
```
## Test the service
### http2
#### Curl HTTP1
```shell
curl 192.168.1.50/helloworld -s -o=/dev/null -w 'http_version: %{http_version}\nstatus_code: %{response_code}\n' -HHOST:http2.lb --http1.0
```
```text
http_version: 1.1
status_code: 426
```
#### Curl HTTP1.1
```shell
curl 192.168.1.50/helloworld -s -o=/dev/null -w 'http_version: %{http_version}\nstatus_code: %{response_code}\n' -HHOST:http2.lb --http1.1
```
```text
http_version: 1.1
status_code: 200
```
#### Curl HTTP2
```shell
curl 192.168.1.50/helloworld -s -o=/dev/null -w 'http_version: %{http_version}\nstatus_code: %{response_code}\n' -HHOST:http2.lb --http2
```
```text
http_version: 1.1
status_code: 200
```
### http1-web
#### Curl HTTP1
```shell
curl 192.168.1.50/helloworld -s -o=/dev/null -w 'http_version: %{http_version}\nstatus_code: %{response_code}\n' -HHOST:http1.lb --http1.0
```
```text
http_version: 1.1
status_code: 426
```
#### Curl HTTP1.1
```shell
curl 192.168.1.50/helloworld -s -o=/dev/null -w 'http_version: %{http_version}\nstatus_code: %{response_code}\n' -HHOST:http1.lb --http1.1
```
```text
http_version: 1.1
status_code: 200
```
#### Curl HTTP2
```shell
curl 192.168.1.50/helloworld -s -o=/dev/null -w 'http_version: %{http_version}\nstatus_code: %{response_code}\n' -HHOST:http1.lb --http2
```
```text
http_version: 1.1
status_code: 200
```
## Cleanup
```shell
kubectl delete -f ./
```
```text
service "helloworld" deleted
deployment.apps "helloworld-nginx" deleted
gateway.networking.istio.io "helloworld-gateway" deleted
virtualservice.networking.istio.io "helloworld-vs" deleted
```
# Links of Interest
- https://istio.io/latest/docs/reference/config/networking/gateway/#ServerTLSSettings-TLSProtocol
- https://stackoverflow.com/a/51279606
- https://istio.io/latest/docs/reference/config/networking/destination-rule/#ConnectionPoolSettings-HTTPSettings-H2UpgradePolicy
docker buildx build --push --platform linux/arm/v7,linux/arm64/v8,linux/amd64 --tag registery.filter.home:5000/https-demo:latest -f Dockerfile
docker buildx build --push --platform linux/arm/v7,linux/arm64/v8,linux/amd64 --tag registery.filter.home:5000/https-demo:latest .
[+] Building 0.0s (0/0)
ERROR: multiple platforms feature is currently not supported for docker driver. Please switch to a different driver (eg. "docker buildx create --use")
---
## Create the Dockerfile
```bash
FROM ubuntu/apache2
RUN apt-get update && \
apt-get install apache2 openssl -y && \
a2ensite default-ssl && \
a2enmod ssl && \
echo "<h2>Howdy</h2>" | tee /var/www/html/index.html
RUN /usr/bin/printf "<VirtualHost *:80>\n\
ServerAdmin webmaster@localhost\n\
DocumentRoot /var/www/html\n\
ErrorLog \${APACHE_LOG_DIR}/error.log\n\
CustomLog \${APACHE_LOG_DIR}/access.log combined\n\
</VirtualHost>\n\
<VirtualHost *:443>\n\
ServerAdmin webmaster@localhost\n\
DocumentRoot /var/www/html\n\
ErrorLog \${APACHE_LOG_DIR}/error.log\n\
CustomLog \${APACHE_LOG_DIR}/access.log combined\n\
SSLEngine on\n\
SSLCertificateFile /etc/ssl/certs/ssl-cert-snakeoil.pem\n\
SSLCertificateKeyFile /etc/ssl/private/ssl-cert-snakeoil.key\n\
</VirtualHost>" > /etc/apache2/sites-available/000-default.conf
RUN openssl req -x509 -sha256 -nodes -days 358000 -subj '/O=SSL EXAMPLE/CN=lb.net' -newkey rsa:2048 -keyout /etc/ssl/private/ssl-cert-snakeoil.key -out /etc/ssl/certs/ssl-cert-snakeoil.pem
```
## Build the image
Due to my Kubernetes cluster environment, where I am using Orange 5, their architecture is arm7, and for such, I require to compile such images.
For my own commodity, I have used a raspberry pi 4 to build this images.
The images where pushed to a local registry server, and afterwards the Kubernetes cluster will pull such image.
```shell
docker build --tag https-demo:armv7 .
```
```text
docker build --tag https-demo:armv7 . --no-cache
[+] Building 16.5s (8/8) FINISHED
=> [internal] load .dockerignore 0.0s
=> => transferring context: 2B 0.0s
=> [internal] load build definition from Dockerfile 0.0s
=> => transferring dockerfile: 1.09kB 0.0s
=> [internal] load metadata for docker.io/ubuntu/apache2:latest 0.4s
=> CACHED [1/4] FROM docker.io/ubuntu/apache2@sha256:0a5e7179fa8fccf17843a8862e58ac783628b7d448cd68fda8fb1e 0.0s
=> [2/4] RUN apt-get update && apt-get install apache2 openssl -y && a2ensite default-ssl && a2enmod ssl & 12.0s
=> [3/4] RUN /usr/bin/printf "<VirtualHost *:80>\n ServerAdmin webmaster@localhost\n DocumentRoot /var/www/ 0.7s
=> [4/4] RUN openssl req -x509 -sha256 -nodes -days 358000 -subj '/O=SSL EXAMPLE' -newkey rsa:2048 -keyout 2.4s
=> exporting to image 1.0s
=> => exporting layers 1.0s
=> => writing image sha256:591c6d233100a48bf132eef7a792942cfd0b7057817c4ac5e156c1d33e24cd89 0.0s
=> => naming to docker.io/library/https-demo:armv7 0.0s
```
## Tag the image
```shell
docker image tag https-demo:armv7 registery.filter.home/https-demo:armv7
```
## Upload to the registery server
```text
docker image push registery.filter.home:5000/https-demo:armv7
The push refers to repository [registery.filter.home:5000/https-demo]
c6d858706b08: Pushed
9e077e0202f0: Pushed
6ffc708d0cf3: Pushed
69e01b4bf4d7: Pushed
17c5b30f3843: Pushed
0b9f60fbcaf1: Pushed
armv7: digest: sha256:d8c81c27f23bf3945ae8a794c82182f9e6c48ec927f388fdf4a88caa0e284bd1 size: 1578
```
## ?
curl: (35) OpenSSL/3.0.8: error:0A00010B:SSL routines::wrong version numbe
---
Has apache2 installed with a default certificate.
Port 80 visible for HTTP
Port 443 visible for HTTPS.
curl https://192.168.1.2:8443 -s -o=/dev/null -w 'http_version: %{http_version}\nstatus_code: %{response_code}\n' -HHOST:http1.lb --http2 -k
http_version: 2
status_code: 200

80
Istio/02-Traffic_management/XX-HTTPS-backend/deployment.yaml Executable file
View File

@ -0,0 +1,80 @@
apiVersion: v1
kind: Service
metadata:
name: helloworld
labels:
app: helloworld
service: helloworld
spec:
ports:
- port: 8080
name: http-s
targetPort: 80
protocol: TCP
appProtocol: HTTP
- port: 8443
name: https
targetPort: 443
protocol: TCP
appProtocol: https
selector:
app: helloworld
---
apiVersion: apps/v1
kind: Deployment
metadata:
name: helloworld-nginx
labels:
app: helloworld
spec:
replicas: 1
selector:
matchLabels:
app: helloworld
template:
metadata:
labels:
app: helloworld
sidecar.istio.io/inject: "true"
spec:
containers:
- name: helloworld
image: oriolfilter/https-apache-demo:armv7
resources:
requests:
cpu: "100m"
imagePullPolicy: Always #Always
ports:
- containerPort: 80
- containerPort: 443
---
apiVersion: apps/v1
kind: Deployment
metadata:
name: nginx
labels:
app: nginx
version: v1
spec:
replicas: 1
selector:
matchLabels:
app: nginx
version: v1
template:
metadata:
labels:
app: nginx
version: v1
spec:
# serviceAccountName: istio-helloworld
containers:
- name: nginx
image: nginx
resources:
requests:
cpu: "100m"
imagePullPolicy: IfNotPresent
ports:
- containerPort: 80

118
Istio/02-Traffic_management/XX-HTTPS-backend/gateway.yaml Executable file
View File

@ -0,0 +1,118 @@
apiVersion: networking.istio.io/v1alpha3
kind: Gateway
metadata:
name: helloworld-gateway
spec:
selector:
# istio: myingressgateway
istio: ingressgateway
servers:
# - port:
# number: 443
# name: secure-http2
# protocol: HTTP2
# hosts:
# - "*"
- port:
number: 80
name: http2-i
protocol: HTTP2
hosts:
- "*"
- port:
number: 443
name: https-i
protocol: HTTPS
hosts:
- "*"
tls:
credentialName: my-tls-cert-secret
minProtocolVersion: TLSV1_2
#
mode: SIMPLE
---
apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
name: helloworld-vs
spec:
hosts:
- "*"
gateways:
- helloworld-gateway
http:
- name: http-vs
match:
- port: 80
route:
- destination:
host: helloworld.default.svc.cluster.local
port:
number: 8080
- name: https-vs
match:
- port: 443
route:
- destination:
host: helloworld.default.svc.cluster.local
port:
number: 8443
---
apiVersion: networking.istio.io/v1alpha3
kind: DestinationRule
metadata:
name: helloworld
namespace: default
spec:
host: helloworld.default.svc.cluster.local
trafficPolicy:
portLevelSettings:
- port:
number: 8080
tls:
mode: DISABLE
- port:
number: 8443
tls:
# credentialName: client-credential
mode: SIMPLE
# port:
# name: https-backend
# number: 8443
# protocol: HTTPS
# tls:
# credentialName: my-tls-cert-secret
# mode: SIMPLE
# tcp:
## - match:
## - port: 80
## route:
## - destination:
## host: helloworld
## port:
## number: 8080
## - match:
## - port: 443
# - route:
# - destination:
# host: helloworld
# port:
# number: 8443
#
# tls:
# - match:
# - port: 443
# sniHosts:
# - "hello.si"
## - uri:
## exact: /helloworld
# route:
# - destination:
# host: helloworld
# port:
# number: 8443
## protocol: HTTPS
## rewrite:
## uri: "/"

13
Istio/02-Traffic_management/__XX-TLS-PASSTHROUGH/Dockerfile Normal file
View File

@ -0,0 +1,13 @@
FROM nginx
ADD server.conf /etc/nginx/conf.d/default.conf
# RUN apt-get update && \
# apt-get install apache2 openssl -y && \
# a2ensite default-ssl && \
# a2enmod ssl && \
RUN mkdir -p /var/www/html
RUN echo "<h2>Howdy</h2>" | tee /var/www/html/index.html
RUN openssl req -x509 -sha256 -nodes -days 358000 -subj '/O=SSL EXAMPLE/CN=lb.net' -newkey rsa:2048 -keyout /cert.key -out /cert.crt

325
Istio/02-Traffic_management/__XX-TLS-PASSTHROUGH/README.md Normal file
View File

@ -0,0 +1,325 @@
---
gitea: none
include_toc: true
---
# Based on
- [08a-HTTPS-min-TLS-version](../08a-HTTPS-min-TLS-version)
# Description
The previous example was modified set the gateway to enable for HTTP2 traffic.
https://stackoverflow.com/a/59610581
# Changelog
## Gateway
```yaml
apiVersion: networking.istio.io/v1alpha3
kind: Gateway
metadata:
name: helloworld-gateway
spec:
selector:
istio: ingressgateway
servers:
- port:
number: 443
name: secure-http2
protocol: HTTP2
hosts:
- "*"
tls:
mode: SIMPLE
credentialName: my-tls-cert-secret
minProtocolVersion: TLSV1_2
```
`<text>`
# Walkthrough
## Generate client and server certificate and key files
First step will be to generate the certificate and key files to be able to set them to the Gateway resource.
### Create a folder to store files.
Create the folder to contain the files that will be generated.
```shell
mkdir certfolder
```
### Create a certificate and a private key.
```shell
openssl req -x509 -sha256 -nodes -days 365 -subj '/O=Internet of things/CN=lb.net' -newkey rsa:2048 -keyout certfolder/istio.cert.key -out certfolder/istio.cert.crt
```
The files generated are the following:
```yaml
private-key: certfolder/istio.cert.key
root-certificate: certfolder/istio.cert.crt
```
The information set to the certificate generated is the following:
```yaml
Organization-name: Internet of things
CN: lb.net
```
### Create a TLS secret
At this step we create the tls secret `my-tls-cert-secret` on the namespace `istio-system`.
```shell
kubectl create -n istio-system secret tls my-tls-cert-secret \
--key=certfolder/istio.cert.key \
--cert=certfolder/istio.cert.crt
```
```text
secret/my-tls-cert-secret created
```
```text
service/helloworld created
deployment.apps/helloworld-nginx created
gateway.networking.istio.io/helloworld-gateway created
virtualservice.networking.istio.io/helloworld-vs created
```
> **Note:**\
> It's Important that the secret is located in the same namespace as the Load Balancer used. In my case is the `istio-system`, but it will vary based on the environment.
## Deploy resources
```shell
kubectl apply -f ./
```
```text
service/helloworld created
deployment.apps/helloworld-nginx created
gateway.networking.istio.io/helloworld-gateway created
virtualservice.networking.istio.io/helloworld-vs created
```
## Test the service
### http2
#### Curl HTTP1
```shell
curl 192.168.1.50/helloworld -s -o=/dev/null -w 'http_version: %{http_version}\nstatus_code: %{response_code}\n' -HHOST:http2.lb --http1.0
```
```text
http_version: 1.1
status_code: 426
```
#### Curl HTTP1.1
```shell
curl 192.168.1.50/helloworld -s -o=/dev/null -w 'http_version: %{http_version}\nstatus_code: %{response_code}\n' -HHOST:http2.lb --http1.1
```
```text
http_version: 1.1
status_code: 200
```
#### Curl HTTP2
```shell
curl 192.168.1.50/helloworld -s -o=/dev/null -w 'http_version: %{http_version}\nstatus_code: %{response_code}\n' -HHOST:http2.lb --http2
```
```text
http_version: 1.1
status_code: 200
```
### http1-web
#### Curl HTTP1
```shell
curl 192.168.1.50/helloworld -s -o=/dev/null -w 'http_version: %{http_version}\nstatus_code: %{response_code}\n' -HHOST:http1.lb --http1.0
```
```text
http_version: 1.1
status_code: 426
```
#### Curl HTTP1.1
```shell
curl 192.168.1.50/helloworld -s -o=/dev/null -w 'http_version: %{http_version}\nstatus_code: %{response_code}\n' -HHOST:http1.lb --http1.1
```
```text
http_version: 1.1
status_code: 200
```
#### Curl HTTP2
```shell
curl 192.168.1.50/helloworld -s -o=/dev/null -w 'http_version: %{http_version}\nstatus_code: %{response_code}\n' -HHOST:http1.lb --http2
```
```text
http_version: 1.1
status_code: 200
```
## Cleanup
```shell
kubectl delete -f ./
```
```text
service "helloworld" deleted
deployment.apps "helloworld-nginx" deleted
gateway.networking.istio.io "helloworld-gateway" deleted
virtualservice.networking.istio.io "helloworld-vs" deleted
```
# Links of Interest
- https://istio.io/latest/docs/reference/config/networking/gateway/#ServerTLSSettings-TLSProtocol
- https://stackoverflow.com/a/51279606
- https://istio.io/latest/docs/reference/config/networking/destination-rule/#ConnectionPoolSettings-HTTPSettings-H2UpgradePolicy
docker buildx build --push --platform linux/arm/v7,linux/arm64/v8,linux/amd64 --tag registery.filter.home:5000/https-demo:latest -f Dockerfile
docker buildx build --push --platform linux/arm/v7,linux/arm64/v8,linux/amd64 --tag registery.filter.home:5000/https-demo:latest .
[+] Building 0.0s (0/0)
ERROR: multiple platforms feature is currently not supported for docker driver. Please switch to a different driver (eg. "docker buildx create --use")
---
## Create the Dockerfile
```bash
FROM ubuntu/apache2
RUN apt-get update && \
apt-get install apache2 openssl -y && \
a2ensite default-ssl && \
a2enmod ssl && \
echo "<h2>Howdy</h2>" | tee /var/www/html/index.html
RUN /usr/bin/printf "<VirtualHost *:80>\n\
ServerAdmin webmaster@localhost\n\
DocumentRoot /var/www/html\n\
ErrorLog \${APACHE_LOG_DIR}/error.log\n\
CustomLog \${APACHE_LOG_DIR}/access.log combined\n\
</VirtualHost>\n\
<VirtualHost *:443>\n\
ServerAdmin webmaster@localhost\n\
DocumentRoot /var/www/html\n\
ErrorLog \${APACHE_LOG_DIR}/error.log\n\
CustomLog \${APACHE_LOG_DIR}/access.log combined\n\
SSLEngine on\n\
SSLCertificateFile /etc/ssl/certs/ssl-cert-snakeoil.pem\n\
SSLCertificateKeyFile /etc/ssl/private/ssl-cert-snakeoil.key\n\
</VirtualHost>" > /etc/apache2/sites-available/000-default.conf
RUN openssl req -x509 -sha256 -nodes -days 358000 -subj '/O=SSL EXAMPLE/CN=lb.net' -newkey rsa:2048 -keyout /etc/ssl/private/ssl-cert-snakeoil.key -out /etc/ssl/certs/ssl-cert-snakeoil.pem
```
## Build the image
Due to my Kubernetes cluster environment, where I am using Orange 5, their architecture is arm7, and for such, I require to compile such images.
For my own commodity, I have used a raspberry pi 4 to build this images.
The images where pushed to a local registry server, and afterwards the Kubernetes cluster will pull such image.
```shell
docker build --tag https-demo:armv7 .
```
```text
docker build --tag https-demo:armv7 . --no-cache
[+] Building 16.5s (8/8) FINISHED
=> [internal] load .dockerignore 0.0s
=> => transferring context: 2B 0.0s
=> [internal] load build definition from Dockerfile 0.0s
=> => transferring dockerfile: 1.09kB 0.0s
=> [internal] load metadata for docker.io/ubuntu/apache2:latest 0.4s
=> CACHED [1/4] FROM docker.io/ubuntu/apache2@sha256:0a5e7179fa8fccf17843a8862e58ac783628b7d448cd68fda8fb1e 0.0s
=> [2/4] RUN apt-get update && apt-get install apache2 openssl -y && a2ensite default-ssl && a2enmod ssl & 12.0s
=> [3/4] RUN /usr/bin/printf "<VirtualHost *:80>\n ServerAdmin webmaster@localhost\n DocumentRoot /var/www/ 0.7s
=> [4/4] RUN openssl req -x509 -sha256 -nodes -days 358000 -subj '/O=SSL EXAMPLE' -newkey rsa:2048 -keyout 2.4s
=> exporting to image 1.0s
=> => exporting layers 1.0s
=> => writing image sha256:591c6d233100a48bf132eef7a792942cfd0b7057817c4ac5e156c1d33e24cd89 0.0s
=> => naming to docker.io/library/https-demo:armv7 0.0s
```
## Tag the image
```shell
docker image tag https-demo:armv7 registery.filter.home/https-demo:armv7
```
## Upload to the registery server
```text
docker image push registery.filter.home:5000/https-demo:armv7
The push refers to repository [registery.filter.home:5000/https-demo]
c6d858706b08: Pushed
9e077e0202f0: Pushed
6ffc708d0cf3: Pushed
69e01b4bf4d7: Pushed
17c5b30f3843: Pushed
0b9f60fbcaf1: Pushed
armv7: digest: sha256:d8c81c27f23bf3945ae8a794c82182f9e6c48ec927f388fdf4a88caa0e284bd1 size: 1578
```
## ?
curl: (35) OpenSSL/3.0.8: error:0A00010B:SSL routines::wrong version numbe
---
Has apache2 installed with a default certificate.
Port 80 visible for HTTP
Port 443 visible for HTTPS.
curl https://192.168.1.2:8443 -s -o=/dev/null -w 'http_version: %{http_version}\nstatus_code: %{response_code}\n' -HHOST:http1.lb --http2 -k
http_version: 2
status_code: 200
# Recv failure: Connection reset by peer
```shell
kubectl apply -f ./
```
```shell
curl --insecure --resolve lb.net:80:192.168.1.50 http://lb.net
```
```shell
curl --insecure --resolve lb.net:443:192.168.1.50 https://lb.net
```

11
Istio/02-Traffic_management/__XX-TLS-PASSTHROUGH/authentication.yaml Normal file
View File

@ -0,0 +1,11 @@
apiVersion: security.istio.io/v1beta1
kind: PeerAuthentication
metadata:
name: default-mtls
namespace: default
spec:
mtls:
mode: DISABLE
#curl -v --resolve ":$SECURE_INGRESS_PORT:$INGRESS_HOST" --cacert example_certs/example.com.crt "https://nginx.example.com:$SECURE_INGRESS_PORT"

113
Istio/02-Traffic_management/__XX-TLS-PASSTHROUGH/bk_old_nonworking_gateway.yaml Executable file
View File

@ -0,0 +1,113 @@
#apiVersion: networking.istio.io/v1alpha3
#kind: Gateway
#metadata:
# name: helloworld-gateway
#spec:
# selector:
## istio: myingressgateway
# istio: ingressgateway
# servers:
# - hosts:
# ["lb.net","*.lb.net"]
# port:
# name: tls-443
# number: 443
# protocol: HTTPS
# tls:
# mode: SIMPLE
# credentialName: my-tls-cert-secret
# minProtocolVersion: TLSV1_2
#---
#apiVersion: networking.istio.io/v1alpha3
#kind: VirtualService
#metadata:
# name: helloworld-vs
#spec:
# hosts:
# - "*"
# gateways:
# - helloworld-gateway
# http:
## - name: http-vs
## match:
## - port: 80
## route:
## - destination:
## host: helloworld.default.svc.cluster.local
## port:
## number: 8080
# - name: https-vs
# match:
# - port: 443
# route:
# - destination:
# host: helloworld.default.svc.cluster.local
# port:
# number: 443
##
## tls:
## - match:
## - port: 443
## sniHosts: ["lb.net"]
## route:
## - destination:
## host: helloworld.default.svc.cluster.local
## port:
## number: 443
##---
##apiVersion: networking.istio.io/v1alpha3
##kind: DestinationRule
##metadata:
## name: helloworld
## namespace: default
##spec:
## host: helloworld.default.svc.cluster.local
## trafficPolicy:
## portLevelSettings:
## - port:
## number: 8080
## tls:
## mode: DISABLE
## - port:
## number: 8443
## tls:
## credentialName: client-credential
## mode: SIMPLE
## port:
## name: https-backend
## number: 8443
## protocol: HTTPS
## tls:
## credentialName: my-tls-cert-secret
## mode: SIMPLE
## tcp:
### - match:
### - port: 80
### route:
### - destination:
### host: helloworld
### port:
### number: 8080
### - match:
### - port: 443
## - route:
## - destination:
## host: helloworld
## port:
## number: 8443
##
## tls:
## - match:
## - port: 443
## sniHosts:
## - "hello.si"
### - uri:
### exact: /helloworld
## route:
## - destination:
## host: helloworld
## port:
## number: 8443
### protocol: HTTPS
### rewrite:
### uri: "/"

80
Istio/02-Traffic_management/__XX-TLS-PASSTHROUGH/deployment.yaml Executable file
View File

@ -0,0 +1,80 @@
apiVersion: v1
kind: Service
metadata:
name: helloworld
labels:
app: helloworld
service: helloworld
spec:
ports:
- port: 8080
name: http-s
targetPort: 80
protocol: TCP
appProtocol: HTTP
- port: 8443
name: https
targetPort: 443
protocol: TCP
appProtocol: https
selector:
app: helloworld
---
apiVersion: apps/v1
kind: Deployment
metadata:
name: helloworld-nginx
labels:
app: helloworld
spec:
replicas: 1
selector:
matchLabels:
app: helloworld
template:
metadata:
labels:
app: helloworld
sidecar.istio.io/inject: "true"
spec:
containers:
- name: helloworld
image: oriolfilter/https-apache-demo:armv7
resources:
requests:
cpu: "100m"
imagePullPolicy: Always #Always
ports:
- containerPort: 80
- containerPort: 443
---
apiVersion: apps/v1
kind: Deployment
metadata:
name: nginx
labels:
app: nginx
version: v1
spec:
replicas: 1
selector:
matchLabels:
app: nginx
version: v1
template:
metadata:
labels:
app: nginx
version: v1
spec:
# serviceAccountName: istio-helloworld
containers:
- name: nginx
image: nginx
resources:
requests:
cpu: "100m"
imagePullPolicy: IfNotPresent
ports:
- containerPort: 80

36
Istio/02-Traffic_management/__XX-TLS-PASSTHROUGH/gateway-02.yaml Executable file
View File

@ -0,0 +1,36 @@
#apiVersion: networking.istio.io/v1beta1
#kind: Gateway
#metadata:
# name: helloworld-gateway
#spec:
# selector:
# istio: ingressgateway
# servers:
# - hosts:
# - "*"
# port:
# name: https
# number: 443
# protocol: HTTPS
# tls:
# mode: PASSTHROUGH
#---
#apiVersion: networking.istio.io/v1beta1
#kind: VirtualService
#metadata:
# name: helloworld-vs
#spec:
# gateways:
# - helloworld-gateway
# hosts: ["lb.net","*.lb.net"]
## http:
## - route:
## - destination:
## host: helloworld.default.svc.cluster.local
##spec:
# tls:
# - match:
# - sniHosts: ["lb.net","*.lb.net"]
# route:
# - destination:
# host: helloworld.default.svc.cluster.local

87
Istio/02-Traffic_management/__XX-TLS-PASSTHROUGH/gateway.yaml Executable file
View File

@ -0,0 +1,87 @@
apiVersion: networking.istio.io/v1alpha3
kind: Gateway
metadata:
name: helloworld-gateway
spec:
selector:
# istio: myingressgateway
istio: ingressgateway
servers:
# - port:
# number: 443
# name: secure-http2
# protocol: HTTP2
# hosts:
# - "*"
- port:
number: 80
name: http2-i
protocol: HTTP2
hosts:
- "*"
- port:
number: 443
name: https-i
protocol: HTTPS
hosts:
- "*"
tls:
# credentialName: my-tls-cert-secret
# minProtocolVersion: TLSV1_2
#
mode: PASSTHROUGH
---
apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
name: helloworld-vs
spec:
hosts:
- "lb.net"
gateways:
- helloworld-gateway
http:
- name: http-vs
match:
- port: 80
route:
- destination:
host: helloworld.default.svc.cluster.local
port:
number: 8080
# - name: https-vs
# match:
# - port: 443
# route:
# - destination:
# host: helloworld.default.svc.cluster.local
# port:
# number: 8443
tls:
- match:
- port: 443
sniHosts: ["lb.net"]
route:
- destination:
host: helloworld.default.svc.cluster.local
port:
number: 8443
---
apiVersion: networking.istio.io/v1alpha3
kind: DestinationRule
metadata:
name: helloworld
namespace: default
spec:
host: helloworld.default.svc.cluster.local
trafficPolicy:
portLevelSettings:
- port:
number: 8080
tls:
mode: DISABLE
- port:
number: 8443
tls:
mode: DISABLE

29
Istio/02-Traffic_management/__XX-TLS-PASSTHROUGH/ingress.yaml Normal file
View File

@ -0,0 +1,29 @@
apiVersion: install.istio.io/v1alpha1
kind: IstioOperator
metadata:
name: ingress
spec:
profile: empty # Do not install CRDs or the control plane
components:
ingressGateways:
- name: myistio-ingressgateway
namespace: istio-ingress
enabled: true
label:
istio: myingressgateway
k8s:
service:
ports:
- name: https-ingress
port: 443
protocol: TCP
targetPort: 1055
- name: http-ingress
port: 80
protocol: TCP
targetPort: 1085
values:
gateways:
istio-ingressgateway:
injectionTemplate: gateway

37
Istio/02-Traffic_management/__XX-TLS-PASSTHROUGH/server.conf Normal file
View File

@ -0,0 +1,37 @@
server {
listen 80;
# rewrite ^ https://$server_name$request_uri? permanent;
server_name lb.net;
access_log /var/log/nginx/access.log;
error_log /var/log/nginx/error.log info;
add_header Strict-Transport-Security "max-age=7200";
root /var/www/html;
index index.html;
}
server {
listen 443 ssl default_server http2;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3;
ssl_ciphers ALL:!aNULL:!ADH:!eNULL:!LOW:!EXP:RC4+RSA:+HIGH:+MEDIUM;
server_name lb.net;
access_log /var/log/nginx/access.log;
error_log /var/log/nginx/error.log info;
ssl on;
ssl_certificate /cert.crt;
ssl_certificate_key /cert.key;
ssl_session_timeout 5m;
add_header Strict-Transport-Security "max-age=7200";
root /var/www/html;
index index.html;
}

13
Istio/02-Traffic_management/__XX-TLS-PASSTHROUGH_BK_pcap_see_encrypted_traffic/Dockerfile Normal file
View File

@ -0,0 +1,13 @@
FROM nginx
ADD server.conf /etc/nginx/conf.d/default.conf
# RUN apt-get update && \
# apt-get install apache2 openssl -y && \
# a2ensite default-ssl && \
# a2enmod ssl && \
RUN mkdir -p /var/www/html
RUN echo "<h2>Howdy</h2>" | tee /var/www/html/index.html
RUN openssl req -x509 -sha256 -nodes -days 358000 -subj '/O=SSL EXAMPLE/CN=lb.net' -newkey rsa:2048 -keyout /cert.key -out /cert.crt

313
Istio/02-Traffic_management/__XX-TLS-PASSTHROUGH_BK_pcap_see_encrypted_traffic/README.md Normal file
View File

@ -0,0 +1,313 @@
---
gitea: none
include_toc: true
---
# Based on
- [08a-HTTPS-min-TLS-version](../08a-HTTPS-min-TLS-version)
# Description
The previous example was modified set the gateway to enable for HTTP2 traffic.
https://stackoverflow.com/a/59610581
# Changelog
## Gateway
```yaml
apiVersion: networking.istio.io/v1alpha3
kind: Gateway
metadata:
name: helloworld-gateway
spec:
selector:
istio: ingressgateway
servers:
- port:
number: 443
name: secure-http2
protocol: HTTP2
hosts:
- "*"
tls:
mode: SIMPLE
credentialName: my-tls-cert-secret
minProtocolVersion: TLSV1_2
```
`<text>`
# Walkthrough
## Generate client and server certificate and key files
First step will be to generate the certificate and key files to be able to set them to the Gateway resource.
### Create a folder to store files.
Create the folder to contain the files that will be generated.
```shell
mkdir certfolder
```
### Create a certificate and a private key.
```shell
openssl req -x509 -sha256 -nodes -days 365 -subj '/O=Internet of things/CN=lb.net' -newkey rsa:2048 -keyout certfolder/istio.cert.key -out certfolder/istio.cert.crt
```
The files generated are the following:
```yaml
private-key: certfolder/istio.cert.key
root-certificate: certfolder/istio.cert.crt
```
The information set to the certificate generated is the following:
```yaml
Organization-name: Internet of things
CN: lb.net
```
### Create a TLS secret
At this step we create the tls secret `my-tls-cert-secret` on the namespace `istio-system`.
```shell
kubectl create -n istio-system secret tls my-tls-cert-secret \
--key=certfolder/istio.cert.key \
--cert=certfolder/istio.cert.crt
```
```text
secret/my-tls-cert-secret created
```
```text
service/helloworld created
deployment.apps/helloworld-nginx created
gateway.networking.istio.io/helloworld-gateway created
virtualservice.networking.istio.io/helloworld-vs created
```
> **Note:**\
> It's Important that the secret is located in the same namespace as the Load Balancer used. In my case is the `istio-system`, but it will vary based on the environment.
## Deploy resources
```shell
kubectl apply -f ./
```
```text
service/helloworld created
deployment.apps/helloworld-nginx created
gateway.networking.istio.io/helloworld-gateway created
virtualservice.networking.istio.io/helloworld-vs created
```
## Test the service
### http2
#### Curl HTTP1
```shell
curl 192.168.1.50/helloworld -s -o=/dev/null -w 'http_version: %{http_version}\nstatus_code: %{response_code}\n' -HHOST:http2.lb --http1.0
```
```text
http_version: 1.1
status_code: 426
```
#### Curl HTTP1.1
```shell
curl 192.168.1.50/helloworld -s -o=/dev/null -w 'http_version: %{http_version}\nstatus_code: %{response_code}\n' -HHOST:http2.lb --http1.1
```
```text
http_version: 1.1
status_code: 200
```
#### Curl HTTP2
```shell
curl 192.168.1.50/helloworld -s -o=/dev/null -w 'http_version: %{http_version}\nstatus_code: %{response_code}\n' -HHOST:http2.lb --http2
```
```text
http_version: 1.1
status_code: 200
```
### http1-web
#### Curl HTTP1
```shell
curl 192.168.1.50/helloworld -s -o=/dev/null -w 'http_version: %{http_version}\nstatus_code: %{response_code}\n' -HHOST:http1.lb --http1.0
```
```text
http_version: 1.1
status_code: 426
```
#### Curl HTTP1.1
```shell
curl 192.168.1.50/helloworld -s -o=/dev/null -w 'http_version: %{http_version}\nstatus_code: %{response_code}\n' -HHOST:http1.lb --http1.1
```
```text
http_version: 1.1
status_code: 200
```
#### Curl HTTP2
```shell
curl 192.168.1.50/helloworld -s -o=/dev/null -w 'http_version: %{http_version}\nstatus_code: %{response_code}\n' -HHOST:http1.lb --http2
```
```text
http_version: 1.1
status_code: 200
```
## Cleanup
```shell
kubectl delete -f ./
```
```text
service "helloworld" deleted
deployment.apps "helloworld-nginx" deleted
gateway.networking.istio.io "helloworld-gateway" deleted
virtualservice.networking.istio.io "helloworld-vs" deleted
```
# Links of Interest
- https://istio.io/latest/docs/reference/config/networking/gateway/#ServerTLSSettings-TLSProtocol
- https://stackoverflow.com/a/51279606
- https://istio.io/latest/docs/reference/config/networking/destination-rule/#ConnectionPoolSettings-HTTPSettings-H2UpgradePolicy
docker buildx build --push --platform linux/arm/v7,linux/arm64/v8,linux/amd64 --tag registery.filter.home:5000/https-demo:latest -f Dockerfile
docker buildx build --push --platform linux/arm/v7,linux/arm64/v8,linux/amd64 --tag registery.filter.home:5000/https-demo:latest .
[+] Building 0.0s (0/0)
ERROR: multiple platforms feature is currently not supported for docker driver. Please switch to a different driver (eg. "docker buildx create --use")
---
## Create the Dockerfile
```bash
FROM ubuntu/apache2
RUN apt-get update && \
apt-get install apache2 openssl -y && \
a2ensite default-ssl && \
a2enmod ssl && \
echo "<h2>Howdy</h2>" | tee /var/www/html/index.html
RUN /usr/bin/printf "<VirtualHost *:80>\n\
ServerAdmin webmaster@localhost\n\
DocumentRoot /var/www/html\n\
ErrorLog \${APACHE_LOG_DIR}/error.log\n\
CustomLog \${APACHE_LOG_DIR}/access.log combined\n\
</VirtualHost>\n\
<VirtualHost *:443>\n\
ServerAdmin webmaster@localhost\n\
DocumentRoot /var/www/html\n\
ErrorLog \${APACHE_LOG_DIR}/error.log\n\
CustomLog \${APACHE_LOG_DIR}/access.log combined\n\
SSLEngine on\n\
SSLCertificateFile /etc/ssl/certs/ssl-cert-snakeoil.pem\n\
SSLCertificateKeyFile /etc/ssl/private/ssl-cert-snakeoil.key\n\
</VirtualHost>" > /etc/apache2/sites-available/000-default.conf
RUN openssl req -x509 -sha256 -nodes -days 358000 -subj '/O=SSL EXAMPLE/CN=lb.net' -newkey rsa:2048 -keyout /etc/ssl/private/ssl-cert-snakeoil.key -out /etc/ssl/certs/ssl-cert-snakeoil.pem
```
## Build the image
Due to my Kubernetes cluster environment, where I am using Orange 5, their architecture is arm7, and for such, I require to compile such images.
For my own commodity, I have used a raspberry pi 4 to build this images.
The images where pushed to a local registry server, and afterwards the Kubernetes cluster will pull such image.
```shell
docker build --tag https-demo:armv7 .
```
```text
docker build --tag https-demo:armv7 . --no-cache
[+] Building 16.5s (8/8) FINISHED
=> [internal] load .dockerignore 0.0s
=> => transferring context: 2B 0.0s
=> [internal] load build definition from Dockerfile 0.0s
=> => transferring dockerfile: 1.09kB 0.0s
=> [internal] load metadata for docker.io/ubuntu/apache2:latest 0.4s
=> CACHED [1/4] FROM docker.io/ubuntu/apache2@sha256:0a5e7179fa8fccf17843a8862e58ac783628b7d448cd68fda8fb1e 0.0s
=> [2/4] RUN apt-get update && apt-get install apache2 openssl -y && a2ensite default-ssl && a2enmod ssl & 12.0s
=> [3/4] RUN /usr/bin/printf "<VirtualHost *:80>\n ServerAdmin webmaster@localhost\n DocumentRoot /var/www/ 0.7s
=> [4/4] RUN openssl req -x509 -sha256 -nodes -days 358000 -subj '/O=SSL EXAMPLE' -newkey rsa:2048 -keyout 2.4s
=> exporting to image 1.0s
=> => exporting layers 1.0s
=> => writing image sha256:591c6d233100a48bf132eef7a792942cfd0b7057817c4ac5e156c1d33e24cd89 0.0s
=> => naming to docker.io/library/https-demo:armv7 0.0s
```
## Tag the image
```shell
docker image tag https-demo:armv7 registery.filter.home/https-demo:armv7
```
## Upload to the registery server
```text
docker image push registery.filter.home:5000/https-demo:armv7
The push refers to repository [registery.filter.home:5000/https-demo]
c6d858706b08: Pushed
9e077e0202f0: Pushed
6ffc708d0cf3: Pushed
69e01b4bf4d7: Pushed
17c5b30f3843: Pushed
0b9f60fbcaf1: Pushed
armv7: digest: sha256:d8c81c27f23bf3945ae8a794c82182f9e6c48ec927f388fdf4a88caa0e284bd1 size: 1578
```
## ?
curl: (35) OpenSSL/3.0.8: error:0A00010B:SSL routines::wrong version numbe
---
Has apache2 installed with a default certificate.
Port 80 visible for HTTP
Port 443 visible for HTTPS.
curl https://192.168.1.2:8443 -s -o=/dev/null -w 'http_version: %{http_version}\nstatus_code: %{response_code}\n' -HHOST:http1.lb --http2 -k
http_version: 2
status_code: 200
# Recv failure: Connection reset by peer

11
Istio/02-Traffic_management/__XX-TLS-PASSTHROUGH_BK_pcap_see_encrypted_traffic/authentication.yaml Normal file
View File

@ -0,0 +1,11 @@
apiVersion: security.istio.io/v1beta1
kind: PeerAuthentication
metadata:
name: default-mtls
namespace: default
spec:
mtls:
mode: DISABLE
#curl -v --resolve ":$SECURE_INGRESS_PORT:$INGRESS_HOST" --cacert example_certs/example.com.crt "https://nginx.example.com:$SECURE_INGRESS_PORT"

117
Istio/02-Traffic_management/__XX-TLS-PASSTHROUGH_BK_pcap_see_encrypted_traffic/bk_old_nonworking_gateway.yaml Executable file
View File

@ -0,0 +1,117 @@
#apiVersion: networking.istio.io/v1alpha3
#kind: Gateway
#metadata:
# name: helloworld-gateway
#spec:
# selector:
## istio: myingressgateway
# istio: ingressgateway
# servers:
# - hosts:
# ["lb.net","*.lb.net"]
# port:
# name: tls-443
# number: 443
# protocol: HTTPS
# tls:
# mode: SIMPLE
# credentialName: my-tls-cert-secret
# minProtocolVersion: TLSV1_2
#---
#apiVersion: networking.istio.io/v1alpha3
#kind: VirtualService
#metadata:
# name: helloworld-vs
#spec:
# hosts:
# - "*"
# gateways:
# - helloworld-gateway
# http:
## - name: http-vs
## match:
## - port: 80
## route:
## - destination:
## host: helloworld.default.svc.cluster.local
## port:
## number: 8080
# - name: https-vs
# match:
# - port: 443
# route:
# - destination:
# host: helloworld.default.svc.cluster.local
# port:
# number: 443
##
## tls:
## - match:
## - port: 443
## sniHosts: ["lb.net"]
## route:
## - destination:
## host: helloworld.default.svc.cluster.local
## port:
## number: 443
#
##---
##apiVersion: networking.istio.io/v1alpha3
##kind: DestinationRule
##metadata:
## name: helloworld
## namespace: default
##spec:
## host: helloworld.default.svc.cluster.local
## trafficPolicy:
## portLevelSettings:
## - port:
## number: 8080
## tls:
## mode: DISABLE
#
## - port:
## number: 8443
## tls:
## credentialName: client-credential
## mode: SIMPLE
#
#
## port:
## name: https-backend
## number: 8443
## protocol: HTTPS
## tls:
## credentialName: my-tls-cert-secret
## mode: SIMPLE
## tcp:
### - match:
### - port: 80
### route:
### - destination:
### host: helloworld
### port:
### number: 8080
### - match:
### - port: 443
## - route:
## - destination:
## host: helloworld
## port:
## number: 8443
##
## tls:
## - match:
## - port: 443
## sniHosts:
## - "hello.si"
### - uri:
### exact: /helloworld
## route:
## - destination:
## host: helloworld
## port:
## number: 8443
### protocol: HTTPS
### rewrite:
### uri: "/"

74
Istio/02-Traffic_management/__XX-TLS-PASSTHROUGH_BK_pcap_see_encrypted_traffic/deployment.yaml Executable file
View File

@ -0,0 +1,74 @@
apiVersion: v1
kind: Service
metadata:
name: helloworld
labels:
app: helloworld
service: helloworld
spec:
ports:
- name: p1
port: 80
protocol: TCP
- name: https
port: 443
protocol: TCP
selector:
app: helloworld
---
apiVersion: apps/v1
kind: Deployment
metadata:
name: helloworld-nginx
labels:
app: helloworld
spec:
replicas: 1
selector:
matchLabels:
app: helloworld
template:
metadata:
labels:
app: helloworld
sidecar.istio.io/inject: "true"
spec:
containers:
- name: helloworld
image: oriolfilter/https-apache-demo:armv7
resources:
requests:
cpu: "100m"
imagePullPolicy: IfNotPresent #Always
ports:
- containerPort: 443
---
apiVersion: apps/v1
kind: Deployment
metadata:
name: nginx
labels:
app: nginx
version: v1
spec:
replicas: 1
selector:
matchLabels:
app: nginx
version: v1
template:
metadata:
labels:
app: nginx
version: v1
spec:
# serviceAccountName: istio-helloworld
containers:
- name: nginx
image: nginx
resources:
requests:
cpu: "100m"
imagePullPolicy: IfNotPresent
ports:
- containerPort: 80

36
Istio/02-Traffic_management/__XX-TLS-PASSTHROUGH_BK_pcap_see_encrypted_traffic/gateway-02.yaml Executable file
View File

@ -0,0 +1,36 @@
#apiVersion: networking.istio.io/v1beta1
#kind: Gateway
#metadata:
# name: helloworld-gateway
#spec:
# selector:
# istio: ingressgateway
# servers:
# - hosts:
# - "*"
# port:
# name: https
# number: 443
# protocol: HTTPS
# tls:
# mode: PASSTHROUGH
#---
#apiVersion: networking.istio.io/v1beta1
#kind: VirtualService
#metadata:
# name: helloworld-vs
#spec:
# gateways:
# - helloworld-gateway
# hosts: ["lb.net","*.lb.net"]
## http:
## - route:
## - destination:
## host: helloworld.default.svc.cluster.local
##spec:
# tls:
# - match:
# - sniHosts: ["lb.net","*.lb.net"]
# route:
# - destination:
# host: helloworld.default.svc.cluster.local

85
Istio/02-Traffic_management/__XX-TLS-PASSTHROUGH_BK_pcap_see_encrypted_traffic/gateway.yaml Executable file
View File

@ -0,0 +1,85 @@
apiVersion: networking.istio.io/v1alpha3
kind: Gateway
metadata:
name: helloworld-gateway
spec:
selector:
# istio: myingressgateway
istio: ingressgateway
servers:
# - port:
# number: 443
# name: secure-http2
# protocol: HTTP2
# hosts:
# - "*"
- port:
number: 80
name: http2-i
protocol: HTTP2
hosts:
- "*"
- port:
number: 443
name: https-i
protocol: HTTPS
hosts:
- "*"
tls:
credentialName: my-tls-cert-secret
minProtocolVersion: TLSV1_2
#
mode: SIMPLE
---
apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
name: helloworld-vs
spec:
hosts: ["lb.net"]
gateways:
- helloworld-gateway
http:
- name: http-vs
match:
- port: 80
route:
- destination:
host: helloworld.default.svc.cluster.local
port:
number: 80
- name: https-vs
match:
- port: 443
sniHosts: ["lb.net"]
route:
- destination:
host: helloworld.default.svc.cluster.local
port:
number: 443
# tls:
# - match:
# - sniHosts: ["lb.net"]
# route:
# - destination:
# host: helloworld.default.svc.cluster.local
---
apiVersion: networking.istio.io/v1alpha3
kind: DestinationRule
metadata:
name: helloworld
namespace: default
spec:
host: helloworld.default.svc.cluster.local
trafficPolicy:
portLevelSettings:
- port:
number: 8080
tls:
mode: DISABLE
#
- port:
number: 443
tls:
credentialName: client-credential
mode: DISABLE

29
Istio/02-Traffic_management/__XX-TLS-PASSTHROUGH_BK_pcap_see_encrypted_traffic/ingress.yaml Normal file
View File

@ -0,0 +1,29 @@
apiVersion: install.istio.io/v1alpha1
kind: IstioOperator
metadata:
name: ingress
spec:
profile: empty # Do not install CRDs or the control plane
components:
ingressGateways:
- name: myistio-ingressgateway
namespace: istio-ingress
enabled: true
label:
istio: myingressgateway
k8s:
service:
ports:
- name: https-ingress
port: 443
protocol: TCP
targetPort: 1055
- name: http-ingress
port: 80
protocol: TCP
targetPort: 1085
values:
gateways:
istio-ingressgateway:
injectionTemplate: gateway

37
Istio/02-Traffic_management/__XX-TLS-PASSTHROUGH_BK_pcap_see_encrypted_traffic/server.conf Normal file
View File

@ -0,0 +1,37 @@
server {
listen 80;
# rewrite ^ https://$server_name$request_uri? permanent;
server_name lb.net;
access_log /var/log/nginx/access.log;
error_log /var/log/nginx/error.log info;
add_header Strict-Transport-Security "max-age=7200";
root /var/www/html;
index index.html;
}
server {
listen 443 ssl default_server http2;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3;
ssl_ciphers ALL:!aNULL:!ADH:!eNULL:!LOW:!EXP:RC4+RSA:+HIGH:+MEDIUM;
server_name lb.net;
access_log /var/log/nginx/access.log;
error_log /var/log/nginx/error.log info;
ssl on;
ssl_certificate /cert.crt;
ssl_certificate_key /cert.key;
ssl_session_timeout 5m;
add_header Strict-Transport-Security "max-age=7200";
root /var/www/html;
index index.html;
}