From 5e0abdebd4da97f6b10eea8d34279f9e9867928c Mon Sep 17 00:00:00 2001 From: savagebidoof Date: Tue, 25 Apr 2023 06:45:34 +0200 Subject: [PATCH] HTTPS backend documented, need to fix 2 refference links (unless I set them right already ) --- .../08b-HTTPS-max-TLS-version/README.md | 3 +- .../README.md | 264 ++++++++++++++---- .../authentication.yaml | 8 + .../deployment.yaml | 41 +-- .../gateway.yaml | 69 +---- .../10-TCP-FORWARDING/README.md | 19 +- .../11-TLS-PASSTHROUGH/README.md | 2 +- .../03-disable-mTLS/README.md | 6 + .../03-disable-mTLS/deployment.yaml | 79 ++++++ .../03-disable-mTLS/gateway.yaml | 70 +++++ 10 files changed, 391 insertions(+), 170 deletions(-) create mode 100644 Istio/02-Traffic_management/09-HTTPS-backend (pending document)/authentication.yaml create mode 100644 Istio/06-Internal-Authentication/03-disable-mTLS/README.md create mode 100755 Istio/06-Internal-Authentication/03-disable-mTLS/deployment.yaml create mode 100755 Istio/06-Internal-Authentication/03-disable-mTLS/gateway.yaml diff --git a/Istio/02-Traffic_management/08b-HTTPS-max-TLS-version/README.md b/Istio/02-Traffic_management/08b-HTTPS-max-TLS-version/README.md index 3629bec..e3833f4 100644 --- a/Istio/02-Traffic_management/08b-HTTPS-max-TLS-version/README.md +++ b/Istio/02-Traffic_management/08b-HTTPS-max-TLS-version/README.md @@ -15,6 +15,8 @@ The previous example was modified to limit and specify the maximum TLS version. ## Gateway +Gateway has been modified to limit the maximum TLS version to v1.2. + ```yaml apiVersion: networking.istio.io/v1alpha3 kind: Gateway @@ -36,7 +38,6 @@ spec: maxProtocolVersion: TLSV1_2 ``` -Gateway has been modified to limit the maximum TLS version to v1.2. # Walkthrough diff --git a/Istio/02-Traffic_management/09-HTTPS-backend (pending document)/README.md b/Istio/02-Traffic_management/09-HTTPS-backend (pending document)/README.md index 3b9d38e..966300f 100644 --- a/Istio/02-Traffic_management/09-HTTPS-backend (pending document)/README.md 
+++ b/Istio/02-Traffic_management/09-HTTPS-backend (pending document)/README.md @@ -9,16 +9,23 @@ include_toc: true # Description -The previous example was modified set the gateway to enable for HTTP2 traffic. - -https://stackoverflow.com/a/59610581 +This example contains a backend that serves HTTPS traffic and can be accessed from both `HTTP` and `HTTPS` requests through the gateway resource. -# Changelog +> **Note:**\ +> For more information about the image used refer to [here](https://hub.docker.com/r/oriolfilter/https-apache-demo) + +# Configuration ## Gateway -```yaml +The gateway is configured to listen to the port `80` for `HTTP` traffic, and to the port `443` for `HTTPS` traffic. + +The TLS configuration is set to `simple`, and the credentials (the object that contains the certificates/TLS configuration) is set to `my-tls-cert-secret`. + +Any of the configured ports has limited the hosts. + +```shell apiVersion: networking.istio.io/v1alpha3 kind: Gateway metadata: 
@@ -27,23 +34,173 @@ spec: selector: istio: ingressgateway servers: + - port: + number: 80 + name: http + protocol: HTTP + hosts: + - "*" - port: number: 443 - name: secure-http2 - protocol: HTTP2 + name: https + protocol: HTTPS hosts: - "*" tls: - mode: SIMPLE credentialName: my-tls-cert-secret - minProtocolVersion: TLSV1_2 + mode: SIMPLE ``` -`` +> **Note:**\ +> The credentials resource is created further bellow through the [Walkthrough](#walkthrough) steps. + +> **Note:**\ +> For more information regarding the TLS mode configuration, refer to the following [Istio documentation regarding the TLS mode field](https://istio.io/latest/docs/reference/config/networking/gateway/#ServerTLSSettings-TLSmode). + +## Virtual service + +The rule that contains, will receive traffic from the port `443` and `80`. + +This traffic will be directed towards destination of such is the service `helloworld.default.svc.cluster.local`, with port destination 8443. + +This destination is the service that contains the `HTTPS` deployment, running over the port `8443` + +```yaml +apiVersion: networking.istio.io/v1alpha3 +kind: VirtualService +metadata: + name: helloworld-vs +spec: + hosts: + - "*" + gateways: + - helloworld-gateway + http: + - name: https-vs + match: + - port: 80 + - port: 443 + route: + - destination: + host: helloworld.default.svc.cluster.local + port: + number: 8443 +``` + +## DestinationRule + +This DestinationRule, will interject the traffic destined to the service `helloworld.default.svc.cluster.local` with port `8443`. + +As mentioned in the [Virtual Service](#virtual%20service) section, the destination is the `HTTPS` service. + +By default, the call would be made with `HTTP` protocol, yet, as the destination is an `HTTPS` service, the request would result in the status code `400 Bad Request`, due sending HTTP traffic to an HTTPS service. + +To avoid this, we need to specify that the destination handles HTTPS traffic. 
+ +By setting the `tls.mode` field with `simple`, it means that there will be an attempt to initialize a TLS handshake. + +> **Note:** +> For more information about the TLS mode, refer to the [Istio official documentation from the DestinationRule object regarding the TLS mode field](https://istio.io/latest/docs/reference/config/networking/destination-rule/#ClientTLSSettings-TLSmode). + +```yaml +apiVersion: networking.istio.io/v1alpha3 +kind: DestinationRule +metadata: + name: helloworld + namespace: default +spec: + host: helloworld.default.svc.cluster.local + trafficPolicy: + portLevelSettings: + - port: + number: 8443 + tls: + mode: SIMPLE +``` + +## Service + +The service will forward incoming TCP traffic from the port `8443`, towards the deployment port `443`. + +It's been specified the protocol expected to service, it being `HTTPS`. + +```yaml +apiVersion: v1 +kind: Service +metadata: + name: helloworld + labels: + app: helloworld + service: helloworld +spec: + ports: + - name: https + port: 8443 + targetPort: 443 + protocol: TCP + appProtocol: HTTPS + selector: + app: helloworld +``` + +## Deployment + +Deployment listens to port 80 and 443. + +> **Note:**\ +> For more information about the image used refer to [here](https://hub.docker.com/r/oriolfilter/https-apache-demo) + +```yaml +apiVersion: apps/v1 +kind: Deployment +metadata: + name: helloworld-nginx + labels: + app: helloworld +spec: + replicas: 1 + selector: + matchLabels: + app: helloworld + template: + metadata: + labels: + app: helloworld + spec: + containers: + - name: helloworld + image: oriolfilter/https-nginx-demo + resources: + requests: + cpu: "100m" + imagePullPolicy: IfNotPresent + ports: + - containerPort: 80 + - containerPort: 443 +``` + +## PeerAuthentication + +Due to the deployment having an `HTTPS`, and already initializing a TLS termination towards that service, we need to disable the **mTLS** tool for that specific service/deployment. 
+ +On the [Destination Rule](#destination%20rule) section we set the `tls` to `simple`, meaning that the service is expecting to receive `HTTPS` traffic, if `mTLS` is enabled, it will perform the handshake with the `mTLS` service, instead of with the destination `HTTPS` service. + +```yaml +apiVersion: security.istio.io/v1beta1 +kind: PeerAuthentication +metadata: + name: default-mtls + namespace: default +spec: + mtls: + mode: DISABLE +``` + +> **Note**:\ +> As this configuration is very board, and targets the whole namespace, I would strongly recommend referring to the following example [06-Internal-Authentication/02-target-service-accounts](../../06-Internal-Authentication/02-target-service-accounts), which shows how to target service accounts set to resources, limiting the scope of this rule set. # Walkthrough - ## Generate client and server certificate and key files First step will be to generate the certificate and key files to be able to set them to the Gateway resource. 
@@ -98,82 +255,71 @@ virtualservice.networking.istio.io/helloworld-vs created > **Note:**\ > It's Important that the secret is located in the same namespace as the Load Balancer used. In my case is the `istio-system`, but it will vary based on the environment. - ## Deploy resources ```shell kubectl apply -f ./ ``` ```text +peerauthentication.security.istio.io/default-mtls created service/helloworld created deployment.apps/helloworld-nginx created gateway.networking.istio.io/helloworld-gateway created virtualservice.networking.istio.io/helloworld-vs created +destinationrule.networking.istio.io/helloworld created ``` ## Test the service -### http2 -#### Curl HTTP1 + +### Get LB IP ```shell -curl 192.168.1.50/helloworld -s -o=/dev/null -w 'http_version: %{http_version}\nstatus_code: %{response_code}\n' -HHOST:http2.lb --http1.0 +kubectl get svc -l istio=ingressgateway -A ``` ```text -http_version: 1.1 -status_code: 426 +NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE +istio-ingressgateway LoadBalancer 10.97.47.216 192.168.1.50 15021:31316/TCP,80:32012/TCP,443:32486/TCP 39h ``` +### curl HTTP gateway -#### Curl HTTP1.1 +Well, it works as expected. ```shell -curl 192.168.1.50/helloworld -s -o=/dev/null -w 'http_version: %{http_version}\nstatus_code: %{response_code}\n' -HHOST:http2.lb --http1.1 +curl --insecure 192.168.1.50 -I ``` ```text -http_version: 1.1 -status_code: 200 +HTTP/1.1 200 OK +server: istio-envoy +date: Tue, 25 Apr 2023 04:41:19 GMT +content-type: text/html +content-length: 15 +last-modified: Tue, 25 Apr 2023 00:47:17 GMT +etag: "64472315-f" +strict-transport-security: max-age=7200 +accept-ranges: bytes +x-envoy-upstream-service-time: 28 ``` -#### Curl HTTP2 +### curl HTTPS gateway + +Well, it works as expected. 
```shell -curl 192.168.1.50/helloworld -s -o=/dev/null -w 'http_version: %{http_version}\nstatus_code: %{response_code}\n' -HHOST:http2.lb --http2 +curl --insecure https://192.168.1.50 -I ``` ```text -http_version: 1.1 -status_code: 200 +HTTP/2 200 +server: istio-envoy +date: Tue, 25 Apr 2023 04:42:07 GMT +content-type: text/html +content-length: 15 +last-modified: Tue, 25 Apr 2023 00:47:17 GMT +etag: "64472315-f" +strict-transport-security: max-age=7200 +accept-ranges: bytes +x-envoy-upstream-service-time: 13 ``` -### http1-web - -#### Curl HTTP1 - -```shell -curl 192.168.1.50/helloworld -s -o=/dev/null -w 'http_version: %{http_version}\nstatus_code: %{response_code}\n' -HHOST:http1.lb --http1.0 -``` -```text -http_version: 1.1 -status_code: 426 -``` - -#### Curl HTTP1.1 - -```shell -curl 192.168.1.50/helloworld -s -o=/dev/null -w 'http_version: %{http_version}\nstatus_code: %{response_code}\n' -HHOST:http1.lb --http1.1 -``` -```text -http_version: 1.1 -status_code: 200 -``` - -#### Curl HTTP2 - -```shell -curl 192.168.1.50/helloworld -s -o=/dev/null -w 'http_version: %{http_version}\nstatus_code: %{response_code}\n' -HHOST:http1.lb --http2 -``` -```text -http_version: 1.1 -status_code: 200 -``` ## Cleanup @@ -189,3 +335,9 @@ virtualservice.networking.istio.io "helloworld-vs" deleted ``` # Links of Interest + +- https://istio.io/latest/docs/reference/config/networking/gateway/#Gateway + +- https://istio.io/latest/docs/reference/config/networking/gateway/#ServerTLSSettings-TLSmode + +- https://istio.io/latest/docs/reference/config/networking/destination-rule/#ClientTLSSettings-TLSmode \ No newline at end of file diff --git a/Istio/02-Traffic_management/09-HTTPS-backend (pending document)/authentication.yaml b/Istio/02-Traffic_management/09-HTTPS-backend (pending document)/authentication.yaml new file mode 100644 index 0000000..221a86d --- /dev/null +++ b/Istio/02-Traffic_management/09-HTTPS-backend (pending document)/authentication.yaml 
@@ -0,0 +1,8 @@ +apiVersion: security.istio.io/v1beta1 +kind: PeerAuthentication +metadata: + name: default-mtls + namespace: default +spec: + mtls: + mode: DISABLE diff --git a/Istio/02-Traffic_management/09-HTTPS-backend (pending document)/deployment.yaml b/Istio/02-Traffic_management/09-HTTPS-backend (pending document)/deployment.yaml index 3f9ad6c..82e781b 100755 --- a/Istio/02-Traffic_management/09-HTTPS-backend (pending document)/deployment.yaml +++ b/Istio/02-Traffic_management/09-HTTPS-backend (pending document)/deployment.yaml @@ -7,12 +7,6 @@ metadata: service: helloworld spec: ports: - - port: 8080 - name: http-s - targetPort: 80 - protocol: TCP - appProtocol: HTTP - - port: 8443 name: https targetPort: 443 @@ -36,45 +30,14 @@ spec: metadata: labels: app: helloworld - sidecar.istio.io/inject: "true" spec: containers: - name: helloworld image: oriolfilter/https-nginx-demo - resources: - requests: - cpu: "100m" - imagePullPolicy: Always #Always - ports: - - containerPort: 80 - - containerPort: 443 ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - name: nginx - labels: - app: nginx - version: v1 -spec: - replicas: 1 - selector: - matchLabels: - app: nginx - version: v1 - template: - metadata: - labels: - app: nginx - version: v1 - spec: - # serviceAccountName: istio-helloworld - containers: - - name: nginx - image: nginx resources: requests: cpu: "100m" imagePullPolicy: IfNotPresent ports: - - containerPort: 80 \ No newline at end of file + - containerPort: 80 + - containerPort: 443 \ No newline at end of file diff --git a/Istio/02-Traffic_management/09-HTTPS-backend (pending document)/gateway.yaml b/Istio/02-Traffic_management/09-HTTPS-backend (pending document)/gateway.yaml index 1fe0fa3..861d59e 100755 --- a/Istio/02-Traffic_management/09-HTTPS-backend (pending document)/gateway.yaml +++ b/Istio/02-Traffic_management/09-HTTPS-backend (pending document)/gateway.yaml 
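Review bot: `mtls.mode: DISABLE` with no `selector` switches mTLS off for every workload in the `default` namespace, while only the helloworld backend's TLS port needs it; the README added in the same commit already calls the rule too broad. A workload-scoped policy keeps the rest of the namespace on its current setting: select the pod by label and exempt only the container port the sidecar should pass through, using `portLevelMtls` keyed by the workload port. The DestinationRule in gateway.yaml originates TLS only to 8443/443, so that is the single port that needs the exemption. Whether a sidecar is still injected after deployment.yaml drops the `sidecar.istio.io/inject` label depends on the namespace's injection setting, which is not visible here.
```yaml
# … unchanged: apiVersion/kind/metadata …
spec:
  selector:
    matchLabels:
      app: helloworld
  # ports not listed keep the namespace/mesh default
  portLevelMtls:
    443:
      mode: DISABLE
```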
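Review bot: `image: oriolfilter/https-nginx-demo` carries no tag or digest, and the same hunk changes `imagePullPolicy` to `IfNotPresent`, so each node keeps whatever `latest` it has cached and the TLS backend can differ between nodes and from what the README's curl output was taken against. Pin the image, `image: oriolfilter/https-nginx-demo:<tag>` (placeholder, use the tag that was tested) or a digest. The README in this commit links to `oriolfilter/https-apache-demo` as "the image used", which does not match this manifest; one of the two should be corrected. The Deployment's metadata lies above this hunk.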
@@ -4,31 +4,22 @@ metadata: name: helloworld-gateway spec: selector: -# istio: myingressgateway istio: ingressgateway servers: -# - port: -# number: 443 -# name: secure-http2 -# protocol: HTTP2 -# hosts: -# - "*" - port: number: 80 - name: http2-i - protocol: HTTP2 + name: http + protocol: HTTP hosts: - "*" - port: number: 443 - name: https-i + name: https protocol: HTTPS hosts: - "*" tls: credentialName: my-tls-cert-secret - minProtocolVersion: TLSV1_2 -# mode: SIMPLE --- apiVersion: networking.istio.io/v1alpha3 @@ -41,16 +32,9 @@ spec: gateways: - helloworld-gateway http: - - name: http-vs - match: - - port: 80 - route: - - destination: - host: helloworld.default.svc.cluster.local - port: - number: 8080 - name: https-vs match: + - port: 80 - port: 443 route: - destination: @@ -67,52 +51,7 @@ spec: host: helloworld.default.svc.cluster.local trafficPolicy: portLevelSettings: - - port: - number: 8080 - tls: - mode: DISABLE - - port: number: 8443 tls: -# credentialName: client-credential mode: SIMPLE - -# port: -# name: https-backend -# number: 8443 -# protocol: HTTPS -# tls: -# credentialName: my-tls-cert-secret -# mode: SIMPLE -# tcp: -## - match: -## - port: 80 -## route: -## - destination: -## host: helloworld -## port: -## number: 8080 -## - match: -## - port: 443 -# - route: -# - destination: -# host: helloworld -# port: -# number: 8443 -# -# tls: -# - match: -# - port: 443 -# sniHosts: -# - "hello.si" -## - uri: -## exact: /helloworld -# route: -# - destination: -# host: helloworld -# port: -# number: 8443 -## protocol: HTTPS -## rewrite: -## uri: "/" \ No newline at end of file diff --git a/Istio/02-Traffic_management/10-TCP-FORWARDING/README.md b/Istio/02-Traffic_management/10-TCP-FORWARDING/README.md index f9a4a51..39a768e 100644 --- a/Istio/02-Traffic_management/10-TCP-FORWARDING/README.md +++ b/Istio/02-Traffic_management/10-TCP-FORWARDING/README.md 
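Review bot: After this hunk the HTTPS server's `tls` block contains only `credentialName`: the commented `mode: SIMPLE` is deleted rather than enabled and `minProtocolVersion: TLSV1_2` is dropped, so the manifest no longer matches the `mode: SIMPLE` the README documents for this same Gateway, nor the sibling copy in 06-Internal-Authentication/03-disable-mTLS/gateway.yaml, which keeps both fields. `mode` is an enum whose zero value is PASSTHROUGH, not SIMPLE, so omitting it does not select the termination the README's HTTPS curl output shows; worth confirming what the cluster does with an HTTPS server that has no mode. Suggested block: `credentialName: my-tls-cert-secret`, `minProtocolVersion: TLSV1_2`, `mode: SIMPLE`, restoring the floor the 08b example spends a whole page explaining.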
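Review bot: The DestinationRule's `tls.mode: SIMPLE` for port 8443 has no `caCertificates` (or `credentialName`) and no `sni`, so the gateway encrypts the hop to the backend but, per Istio's ClientTLSSettings documentation, does not verify the server certificate; whatever endpoint the service resolves to is accepted. For a demo with a self-signed backend that is fine, but a comment saying so stops the block being copied as-is, e.g. `# no caCertificates/sni: the backend certificate is NOT verified (demo only)`. Where the backend certificate can be trusted, point `caCertificates` at a CA bundle available to the gateway (or use `credentialName` with a secret holding the CA) and set `sni` to the backend hostname. The head of the DestinationRule is above this hunk.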
@@ -24,7 +24,7 @@ Additionally, the backend used, has HTTP2 enable, which also will be used to con ## Gateway -Gateway been configured to listen both ports `80` and `443` through the TCP protocol, without any host specified. +The gateway has been configured to listen both ports `80` and `443` through the TCP protocol, without any host specified. ```yaml apiVersion: networking.istio.io/v1alpha3 @@ -84,8 +84,8 @@ spec: ## Service -The service will forward the incoming TCP traffic with port 8080, to the deployment port 80. -The same behavior is applied for the service port 8443, that will be forwarded towards the port 443 from the deployment. +The service will forward incoming traffic from the service port 8443, that will be forwarded towards the port 443 from the deployment. + ```yaml apiVersion: v1 @@ -97,14 +97,11 @@ metadata: service: helloworld spec: ports: - - port: 8080 - name: http-web - targetPort: 80 - protocol: TCP - port: 8443 - name: https-web + name: https targetPort: 443 protocol: TCP + appProtocol: https selector: app: helloworld ``` @@ -145,6 +142,12 @@ spec: - containerPort: 443 ``` +## PeerAuthentication + +```yaml + +``` + # Walkthrough ## Deploy resources diff --git a/Istio/02-Traffic_management/11-TLS-PASSTHROUGH/README.md b/Istio/02-Traffic_management/11-TLS-PASSTHROUGH/README.md index 716777a..2d118b0 100644 --- a/Istio/02-Traffic_management/11-TLS-PASSTHROUGH/README.md +++ b/Istio/02-Traffic_management/11-TLS-PASSTHROUGH/README.md @@ -20,7 +20,7 @@ This requires a deployment with a service HTTPS (as it will need to handle the T ## Gateway -Gateway configured to listen the port `443` for `HTTPS` traffic protocol. +The gateway was configured to listen the port `443` for `HTTPS` traffic protocol. The tls was configured as `PASSTHROUGH` diff --git a/Istio/06-Internal-Authentication/03-disable-mTLS/README.md b/Istio/06-Internal-Authentication/03-disable-mTLS/README.md new file mode 100644 index 0000000..1aa4192 --- /dev/null 
+++ b/Istio/06-Internal-Authentication/03-disable-mTLS/README.md @@ -0,0 +1,6 @@ +# Based on + +- [02-Traffic_management/09-HTTPS-backend (pending document)](../../02-Traffic_management/09-HTTPS-backend%20(pending%20document)) + +On the previous example only uses a HTTPS backend, here boards both HTTP and HTTPS backends. + diff --git a/Istio/06-Internal-Authentication/03-disable-mTLS/deployment.yaml b/Istio/06-Internal-Authentication/03-disable-mTLS/deployment.yaml new file mode 100755 index 0000000..5b2d589 --- /dev/null +++ b/Istio/06-Internal-Authentication/03-disable-mTLS/deployment.yaml @@ -0,0 +1,79 @@ +apiVersion: v1 +kind: Service +metadata: + name: helloworld + labels: + app: helloworld + service: helloworld +spec: + ports: + - port: 8080 + name: http + targetPort: 80 + protocol: TCP + appProtocol: http + + - port: 8443 + name: https + targetPort: 443 + protocol: TCP + appProtocol: https + selector: + app: helloworld +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: helloworld-nginx + labels: + app: helloworld +spec: + replicas: 1 + selector: + matchLabels: + app: helloworld + template: + metadata: + labels: + app: helloworld + sidecar.istio.io/inject: "true" + spec: + containers: + - name: helloworld + image: oriolfilter/https-nginx-demo + resources: + requests: + cpu: "100m" + imagePullPolicy: Always #Always + ports: + - containerPort: 80 + - containerPort: 443 +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: nginx + labels: + app: nginx + version: v1 +spec: + replicas: 1 + selector: + matchLabels: + app: nginx + version: v1 + template: + metadata: + labels: + app: nginx + version: v1 + spec: + containers: + - name: nginx + image: nginx + resources: + requests: + cpu: "100m" + imagePullPolicy: IfNotPresent + ports: + - containerPort: 80 \ No newline at end of file 
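Review bot: Both new Deployments run untagged images (`oriolfilter/https-nginx-demo` with `imagePullPolicy: Always #Always`, `nginx` with `IfNotPresent`), so the backend is whatever `latest` resolves to when each pod starts and can differ between nodes; pin a tag or digest, e.g. `image: nginx:<tag>` (placeholder). The trailing `#Always` comment only repeats the value and can go. The second Deployment (`nginx`, labelled `app: nginx`) is not selected by the `helloworld` Service in this file; if it is the in-mesh client or the plain-HTTP backend the README says this example covers, a one-line comment above it naming its role would help, e.g. `# plain-HTTP workload, not behind the helloworld Service`.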
diff --git a/Istio/06-Internal-Authentication/03-disable-mTLS/gateway.yaml b/Istio/06-Internal-Authentication/03-disable-mTLS/gateway.yaml new file mode 100755 index 0000000..f88d191 --- /dev/null +++ b/Istio/06-Internal-Authentication/03-disable-mTLS/gateway.yaml @@ -0,0 +1,70 @@ +apiVersion: networking.istio.io/v1alpha3 +kind: Gateway +metadata: + name: helloworld-gateway +spec: + selector: + istio: ingressgateway + servers: + - port: + number: 80 + name: http + protocol: HTTP + hosts: + - "*" + - port: + number: 443 + name: https + protocol: HTTPS + hosts: + - "*" + tls: + credentialName: my-tls-cert-secret + minProtocolVersion: TLSV1_2 + mode: SIMPLE +--- +apiVersion: networking.istio.io/v1alpha3 +kind: VirtualService +metadata: + name: helloworld-vs +spec: + hosts: + - "*" + gateways: + - helloworld-gateway + http: + - name: http-vs + match: + - port: 80 + route: + - destination: + host: helloworld.default.svc.cluster.local + port: + number: 8080 + - name: https-vs + match: + - port: 443 + route: + - destination: + host: helloworld.default.svc.cluster.local + port: + number: 8443 +--- +apiVersion: networking.istio.io/v1alpha3 +kind: DestinationRule +metadata: + name: helloworld + namespace: default +spec: + host: helloworld.default.svc.cluster.local + trafficPolicy: + portLevelSettings: + - port: + number: 8080 + tls: + mode: SIMPLE + + - port: + number: 8443 + tls: + mode: SIMPLE
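Review bot: The DestinationRule sets `tls.mode: SIMPLE` for port 8080 as well as 8443, but deployment.yaml labels 8080 `http` with `appProtocol: http` and targetPort 80, so the gateway would start a TLS handshake towards a plaintext listener; the 09 gateway.yaml removed in this same commit had `mode: DISABLE` for that port. Unless the image also serves TLS on port 80, change the 8080 entry to `mode: DISABLE`. The directory is named 03-disable-mTLS yet this commit adds no PeerAuthentication alongside the Gateway, VirtualService and DestinationRule, presumably still pending; a line in the README saying so would make that explicit. This file keeps `minProtocolVersion: TLSV1_2` and `mode: SIMPLE` on the HTTPS server, which is the configuration the 09 gateway.yaml in this commit drops.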