From d86fc9a7419b41a60030d5a1d67e3e72c5694614 Mon Sep 17 00:00:00 2001
From: savagebidoof
Date: Sun, 23 Apr 2023 07:49:11 +0200
Subject: [PATCH] created the minimum maximium TLS gateway examples.
---
 .../08a-HTTPS-min-TLS-version/README.md | 178 ++++++++++++++++++
 .../08a-HTTPS-min-TLS-version/deployment.yaml | 39 ++++
 .../08a-HTTPS-min-TLS-version/gateway.yaml | 39 ++++
 .../08b-HTTPS-max-TLS-version/README.md | 175 +++++++++++++++++
 .../08b-HTTPS-max-TLS-version/deployment.yaml | 39 ++++
 .../08b-HTTPS-max-TLS-version/gateway.yaml | 39 ++++
 6 files changed, 509 insertions(+)
 create mode 100644 Istio/02-Traffic_management/08a-HTTPS-min-TLS-version/README.md
 create mode 100755 Istio/02-Traffic_management/08a-HTTPS-min-TLS-version/deployment.yaml
 create mode 100755 Istio/02-Traffic_management/08a-HTTPS-min-TLS-version/gateway.yaml
 create mode 100644 Istio/02-Traffic_management/08b-HTTPS-max-TLS-version/README.md
 create mode 100755 Istio/02-Traffic_management/08b-HTTPS-max-TLS-version/deployment.yaml
 create mode 100755 Istio/02-Traffic_management/08b-HTTPS-max-TLS-version/gateway.yaml
diff --git a/Istio/02-Traffic_management/08a-HTTPS-min-TLS-version/README.md b/Istio/02-Traffic_management/08a-HTTPS-min-TLS-version/README.md
new file mode 100644
index 0000000..42d9907
--- /dev/null
+++ b/Istio/02-Traffic_management/08a-HTTPS-min-TLS-version/README.md
@@ -0,0 +1,178 @@
+---
+gitea: none
+include_toc: true
+---
+
+# Based on
+
+- [07-HTTPS-Gateway-Simple-TLS](../07-HTTPS-Gateway-Simple-TLS)
+
+# Description
+
+The previous example was modified to limit and specify the minimum TLS version.
+
+# Changelog
+
+## Gateway
+
+```yaml
+apiVersion: networking.istio.io/v1alpha3
+kind: Gateway
+metadata:
+ name: helloworld-gateway
+spec:
+ selector:
+ istio: ingressgateway
+ servers:
+ - port:
+ number: 443
+ name: secure-http
+ protocol: HTTPS
+ hosts:
+ - "*"
+ tls:
+ mode: SIMPLE
+ credentialName: my-tls-cert-secret
+ minProtocolVersion: TLSV1_3
+```
+
+Gateway has been modified to limit the minimum TLS version to v1.3.
+
+# Walkthrough
+
+## Generate client and server certificate and key files
+
+First step will be to generate the certificate and key files to be able to set them to the Gateway resource.
+
+### Create a folder to store files.
+
+Create the folder to contain the files that will be generated.
+
+```shell
+mkdir certfolder
+```
+
+### Create a certificate and a private key.
+
+```shell
+openssl req -x509 -sha256 -nodes -days 365 -subj '/O=Internet of things/CN=lb.net' -newkey rsa:2048 -keyout certfolder/istio.cert.key -out certfolder/istio.cert.crt
+```
+
+The files generated are the following:
+
+```yaml
+private-key: certfolder/istio.cert.key
+root-certificate: certfolder/istio.cert.crt
+```
+
+The information set to the certificate generated is the following:
+
+```yaml
+Organization-name: Internet of things
+CN: lb.net
+```
+
+### Create a TLS secret
+
+At this step we create the tls secret `my-tls-cert-secret` on the namespace `istio-system`.
+
+```shell
+kubectl create -n istio-system secret tls my-tls-cert-secret \
+ --key=certfolder/istio.cert.key \
+ --cert=certfolder/istio.cert.crt
+```
+```text
+secret/my-tls-cert-secret created
+```
+```text
+service/helloworld created
+deployment.apps/helloworld-nginx created
+gateway.networking.istio.io/helloworld-gateway created
+virtualservice.networking.istio.io/helloworld-vs created
+```
+
+> **Note:**\
+> It's Important that the secret is located in the same namespace as the Load Balancer used. In my case is the `istio-system`, but it will vary based on the environment.
+
+
+## Deploy resources
+
+```shell
+kubectl apply -f ./
+```
+```text
+service/helloworld created
+deployment.apps/helloworld-nginx created
+gateway.networking.istio.io/helloworld-gateway created
+virtualservice.networking.istio.io/helloworld-vs created
+```
+
+## Test the service
+
+[//]: # (```shell)
+[//]: # (curl --insecure --resolve lb.net:443:192.168.1.50 https://lb.net/helloworld)
+[//]: # (```)
+### Curl TLS 1.2
+
+It fails as intended.
+
+As the TLS v1.2 is smaller than the TLS v1.3 set as a minimal TLS version accepted, it doesn't allow us to proceed with the request.
+
+```shell
+curl --insecure https://192.168.1.50/helloworld -I --tlsv1.2 --tls-max 1.2
+```
+
+```text
+curl: (35) OpenSSL/3.0.8: error:0A00042E:SSL routines::tlsv1 alert protocol version
+```
+
+### Curl TLS 1.3
+
+It works as intended due respecting the minimal TLS version set.
+
+```shell
+curl --insecure https://192.168.1.50/helloworld -I --tlsv1.3 --tls-max 1.3
+```
+
+```text
+HTTP/2 200
+server: istio-envoy
+date: Sun, 23 Apr 2023 05:43:18 GMT
+content-type: text/html
+content-length: 615
+last-modified: Tue, 28 Mar 2023 15:01:54 GMT
+etag: "64230162-267"
+accept-ranges: bytes
+x-envoy-upstream-service-time: 13
+```
+
+## Cleanup
+
+```shell
+kubectl delete -n istio-system secret my-tls-cert-secret
+```
+```text
+service "helloworld" deleted
+deployment.apps "helloworld-nginx" deleted
+gateway.networking.istio.io "helloworld-gateway" deleted
+virtualservice.networking.istio.io "helloworld-vs" deleted
+```
+
+```shell
+kubectl delete -f ./
+```
+```text
+secret "my-tls-cert-secret" deleted
+```
+```shell
+rm -rv certfolder/
+```
+```text
+removed 'certfolder/istio.cert.key'
+removed 'certfolder/istio.cert.crt'
+removed directory 'certfolder/'
+```
+
+# Links of Interest
+
+- https://istio.io/latest/docs/reference/config/networking/gateway/#ServerTLSSettings-TLSProtocol
\ No newline at end of file
diff --git a/Istio/02-Traffic_management/08a-HTTPS-min-TLS-version/deployment.yaml b/Istio/02-Traffic_management/08a-HTTPS-min-TLS-version/deployment.yaml
new file mode 100755
index 0000000..a283aab
--- /dev/null
+++ b/Istio/02-Traffic_management/08a-HTTPS-min-TLS-version/deployment.yaml
@@ -0,0 +1,39 @@
+apiVersion: v1
+kind: Service
+metadata:
+ name: helloworld
+ labels:
+ app: helloworld
+ service: helloworld
+spec:
+ ports:
+ - port: 80
+ name: http
+ selector:
+ app: helloworld
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: helloworld-nginx
+ labels:
+ app: helloworld
+spec:
+ replicas: 1
+ selector:
+ matchLabels:
+ app: helloworld
+ template:
+ metadata:
+ labels:
+ app: helloworld
+ spec:
+ containers:
+ - name: helloworld
+ image: nginx
+ resources:
+ requests:
+ cpu: "100m"
+ imagePullPolicy: IfNotPresent #Always
+ ports:
+ - containerPort: 80
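Review bot: `image: nginx` in the helloworld container carries no tag or digest, so the Deployment resolves to whatever `nginx:latest` is at pull time, and `imagePullPolicy: IfNotPresent` then keeps whichever copy a node already holds, so a later `kubectl apply -f ./` on another node may run a different image than the one the README output was captured against. Pin it, e.g. `image: nginx:<tag-or-digest>` (placeholder; use the version the walkthrough was recorded with), and either drop the leftover `#Always` comment or say why IfNotPresent was chosen. The container also sets `requests.cpu` with no matching `limits`, which is acceptable for a demo but worth a one-line comment. The identical file (same blob a283aab) is added under `08b-HTTPS-max-TLS-version/deployment.yaml`, so the same applies there.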
diff --git a/Istio/02-Traffic_management/08a-HTTPS-min-TLS-version/gateway.yaml b/Istio/02-Traffic_management/08a-HTTPS-min-TLS-version/gateway.yaml
new file mode 100755
index 0000000..9829a3f
--- /dev/null
+++ b/Istio/02-Traffic_management/08a-HTTPS-min-TLS-version/gateway.yaml
@@ -0,0 +1,39 @@
+apiVersion: networking.istio.io/v1alpha3
+kind: Gateway
+metadata:
+ name: helloworld-gateway
+spec:
+ selector:
+ istio: ingressgateway
+ servers:
+ - port:
+ number: 443
+ name: secure-http
+ protocol: HTTPS
+ hosts:
+ - "*"
+ tls:
+ mode: SIMPLE
+ credentialName: my-tls-cert-secret
+ minProtocolVersion: TLSV1_3
+---
+apiVersion: networking.istio.io/v1alpha3
+kind: VirtualService
+metadata:
+ name: helloworld-vs
+spec:
+ hosts:
+ - "*"
+ gateways:
+ - helloworld-gateway
+ http:
+ - match:
+ - uri:
+ exact: /helloworld
+ route:
+ - destination:
+ host: helloworld
+ port:
+ number: 80
+ rewrite:
+ uri: "/"
\ No newline at end of file
diff --git a/Istio/02-Traffic_management/08b-HTTPS-max-TLS-version/README.md b/Istio/02-Traffic_management/08b-HTTPS-max-TLS-version/README.md
new file mode 100644
index 0000000..845f64c
--- /dev/null
+++ b/Istio/02-Traffic_management/08b-HTTPS-max-TLS-version/README.md
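Review bot: `minProtocolVersion: TLSV1_3` is the single line that distinguishes this Gateway from example 07, and nothing in the manifest says so; someone who runs `kubectl apply -f ./` without the README sees an unexplained setting. Add a comment on that line, e.g. `minProtocolVersion: TLSV1_3 # reject TLS 1.2 and older handshakes; a --tlsv1.2 client gets a protocol_version alert (see README)`. Because the server keeps `hosts: - "*"`, the floor applies to every hostname this server accepts on 443, not only to the helloworld route, which is worth stating next to the hosts entry.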
@@ -0,0 +1,175 @@
+---
+gitea: none
+include_toc: true
+---
+
+# Based on
+
+- [07-HTTPS-Gateway-Simple-TLS](../07-HTTPS-Gateway-Simple-TLS)
+
+# Description
+
+The previous example was modified to limit and specify the maximum TLS version.
+
+# Changelog
+
+## Gateway
+
+```yaml
+apiVersion: networking.istio.io/v1alpha3
+kind: Gateway
+metadata:
+ name: helloworld-gateway
+spec:
+ selector:
+ istio: ingressgateway
+ servers:
+ - port:
+ number: 443
+ name: secure-http
+ protocol: HTTPS
+ hosts:
+ - "*"
+ tls:
+ mode: SIMPLE
+ credentialName: my-tls-cert-secret
+ maxProtocolVersion: TLSV1_2
+```
+
+Gateway has been modified to limit the maximum TLS version to v1.2.
+
+# Walkthrough
+
+## Generate client and server certificate and key files
+
+First step will be to generate the certificate and key files to be able to set them to the Gateway resource.
+
+### Create a folder to store files.
+
+Create the folder to contain the files that will be generated.
+
+```shell
+mkdir certfolder
+```
+
+### Create a certificate and a private key.
+
+```shell
+openssl req -x509 -sha256 -nodes -days 365 -subj '/O=Internet of things/CN=lb.net' -newkey rsa:2048 -keyout certfolder/istio.cert.key -out certfolder/istio.cert.crt
+```
+
+The files generated are the following:
+
+```yaml
+private-key: certfolder/istio.cert.key
+root-certificate: certfolder/istio.cert.crt
+```
+
+The information set to the certificate generated is the following:
+
+```yaml
+Organization-name: Internet of things
+CN: lb.net
+```
+
+### Create a TLS secret
+
+At this step we create the tls secret `my-tls-cert-secret` on the namespace `istio-system`.
+
+```shell
+kubectl create -n istio-system secret tls my-tls-cert-secret \
+ --key=certfolder/istio.cert.key \
+ --cert=certfolder/istio.cert.crt
+```
+```text
+secret/my-tls-cert-secret created
+```
+```text
+service/helloworld created
+deployment.apps/helloworld-nginx created
+gateway.networking.istio.io/helloworld-gateway created
+virtualservice.networking.istio.io/helloworld-vs created
+```
+
+> **Note:**\
+> It's Important that the secret is located in the same namespace as the Load Balancer used. In my case is the `istio-system`, but it will vary based on the environment.
+
+
+## Deploy resources
+
+```shell
+kubectl apply -f ./
+```
+```text
+service/helloworld created
+deployment.apps/helloworld-nginx created
+gateway.networking.istio.io/helloworld-gateway created
+virtualservice.networking.istio.io/helloworld-vs created
+```
+
+## Test the service
+
+### Curl TLS 1.2
+
+It fails as intended.
+
+As the TLS v1.2 is smaller than the TLS v1.3 set as a minimal TLS version accepted, it doesn't allow us to proceed with the request.
+
+```shell
+curl --insecure https://192.168.1.50/helloworld -I --tlsv1.2 --tls-max 1.2
+```
+
+```text
+HTTP/2 200
+server: istio-envoy
+date: Sun, 23 Apr 2023 05:48:04 GMT
+content-type: text/html
+content-length: 615
+last-modified: Tue, 28 Mar 2023 15:01:54 GMT
+etag: "64230162-267"
+accept-ranges: bytes
+x-envoy-upstream-service-time: 7
+```
+
+### Curl TLS 1.3
+
+It works as intended due respecting the minimal TLS version set.
+
+```shell
+curl --insecure https://192.168.1.50/helloworld -I --tlsv1.3 --tls-max 1.3
+```
+
+```text
+curl: (35) OpenSSL/3.0.8: error:0A00042E:SSL routines::tlsv1 alert protocol version
+```
+
+## Cleanup
+
+```shell
+kubectl delete -n istio-system secret my-tls-cert-secret
+```
+```text
+service "helloworld" deleted
+deployment.apps "helloworld-nginx" deleted
+gateway.networking.istio.io "helloworld-gateway" deleted
+virtualservice.networking.istio.io "helloworld-vs" deleted
+```
+
+```shell
+kubectl delete -f ./
+```
+```text
+secret "my-tls-cert-secret" deleted
+```
+```shell
+rm -rv certfolder/
+```
+```text
+removed 'certfolder/istio.cert.key'
+removed 'certfolder/istio.cert.crt'
+removed directory 'certfolder/'
+```
+
+# Links of Interest
+
+- https://istio.io/latest/docs/reference/config/networking/gateway/#ServerTLSSettings-TLSProtocol
\ No newline at end of file
diff --git a/Istio/02-Traffic_management/08b-HTTPS-max-TLS-version/deployment.yaml b/Istio/02-Traffic_management/08b-HTTPS-max-TLS-version/deployment.yaml
new file mode 100755
index 0000000..a283aab
--- /dev/null
+++ b/Istio/02-Traffic_management/08b-HTTPS-max-TLS-version/deployment.yaml
@@ -0,0 +1,39 @@
+apiVersion: v1
+kind: Service
+metadata:
+ name: helloworld
+ labels:
+ app: helloworld
+ service: helloworld
+spec:
+ ports:
+ - port: 80
+ name: http
+ selector:
+ app: helloworld
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: helloworld-nginx
+ labels:
+ app: helloworld
+spec:
+ replicas: 1
+ selector:
+ matchLabels:
+ app: helloworld
+ template:
+ metadata:
+ labels:
+ app: helloworld
+ spec:
+ containers:
+ - name: helloworld
+ image: nginx
+ resources:
+ requests:
+ cpu: "100m"
+ imagePullPolicy: IfNotPresent #Always
+ ports:
+ - containerPort: 80
diff --git a/Istio/02-Traffic_management/08b-HTTPS-max-TLS-version/gateway.yaml b/Istio/02-Traffic_management/08b-HTTPS-max-TLS-version/gateway.yaml
new file mode 100755
index 0000000..e7b67fe
--- /dev/null
+++ b/Istio/02-Traffic_management/08b-HTTPS-max-TLS-version/gateway.yaml
@@ -0,0 +1,39 @@
+apiVersion: networking.istio.io/v1alpha3
+kind: Gateway
+metadata:
+ name: helloworld-gateway
+spec:
+ selector:
+ istio: ingressgateway
+ servers:
+ - port:
+ number: 443
+ name: secure-http
+ protocol: HTTPS
+ hosts:
+ - "*"
+ tls:
+ mode: SIMPLE
+ credentialName: my-tls-cert-secret
+ maxProtocolVersion: TLSV1_2
+---
+apiVersion: networking.istio.io/v1alpha3
+kind: VirtualService
+metadata:
+ name: helloworld-vs
+spec:
+ hosts:
+ - "*"
+ gateways:
+ - helloworld-gateway
+ http:
+ - match:
+ - uri:
+ exact: /helloworld
+ route:
+ - destination:
+ host: helloworld
+ port:
+ number: 80
+ rewrite:
+ uri: "/"
\ No newline at end of file
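Review bot: `maxProtocolVersion: TLSV1_2` caps this server at TLS 1.2 but leaves `minProtocolVersion` unset, so the lower bound of what the gateway accepts is whatever the Istio/Envoy default happens to be rather than something the manifest states; presumably that default is 1.2 today, but the example should not depend on it silently. Add `minProtocolVersion: TLSV1_2` directly above the `maxProtocolVersion` line so the manifest pins exactly one version, with a comment that capping below 1.3 is for compatibility testing only and gives up the 1.3 handshake protections. The 08b README added in this commit also still carries 08a's prose under "Curl TLS 1.2" ("It fails as intended … minimal TLS version") and "Curl TLS 1.3" ("works as intended"), while its captured output shows the reverse (`HTTP/2 200` for 1.2, `tlsv1 alert protocol version` for 1.3), so that text should be flipped to describe this Gateway.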