From de80fadf2a503b2727878ec3d5261d2aeea9644b Mon Sep 17 00:00:00 2001
From: savagebidoof
Date: Mon, 24 Apr 2023 06:03:45 +0200
Subject: [PATCH] Trying to get HTTP2 to work, tested a TCP LB, and it worked.
---
 .../??-TCP-FORWARDING-(WORKS)/README.md | 304 ++++++++++++++++++
 .../certfolder/istio.cert.crt | 20 ++
 .../certfolder/istio.cert.key | 28 ++
 .../??-TCP-FORWARDING-(WORKS)/deployment.yaml | 49 +++
 .../??-TCP-FORWARDING-(WORKS)/gateway.yaml | 83 +++++
 5 files changed, 484 insertions(+)
 create mode 100644 Istio/02-Traffic_management/??-TCP-FORWARDING-(WORKS)/README.md
 create mode 100644 Istio/02-Traffic_management/??-TCP-FORWARDING-(WORKS)/certfolder/istio.cert.crt
 create mode 100644 Istio/02-Traffic_management/??-TCP-FORWARDING-(WORKS)/certfolder/istio.cert.key
 create mode 100755 Istio/02-Traffic_management/??-TCP-FORWARDING-(WORKS)/deployment.yaml
 create mode 100755 Istio/02-Traffic_management/??-TCP-FORWARDING-(WORKS)/gateway.yaml
diff --git a/Istio/02-Traffic_management/??-TCP-FORWARDING-(WORKS)/README.md b/Istio/02-Traffic_management/??-TCP-FORWARDING-(WORKS)/README.md
new file mode 100644
index 0000000..be28ee3
--- /dev/null
+++ b/Istio/02-Traffic_management/??-TCP-FORWARDING-(WORKS)/README.md
@@ -0,0 +1,304 @@
+---
+gitea: none
+include_toc: true
+---
+
+# Based on
+
+- [08a-HTTPS-min-TLS-version](../08a-HTTPS-min-TLS-version)
+
+# Description
+
+The previous example was modified set the gateway to enable for HTTP2 traffic.
+
+https://stackoverflow.com/a/59610581
+
+
+# Changelog
+
+## Gateway
+
+```yaml
+apiVersion: networking.istio.io/v1alpha3
+kind: Gateway
+metadata:
+ name: helloworld-gateway
+spec:
+ selector:
+ istio: ingressgateway
+ servers:
+ - port:
+ number: 443
+ name: secure-http2
+ protocol: HTTP2
+ hosts:
+ - "*"
+ tls:
+ mode: SIMPLE
+ credentialName: my-tls-cert-secret
+ minProtocolVersion: TLSV1_2
+```
+
+``
+
+# Walkthrough
+
+
+## Generate client and server certificate and key files
+
+First step will be to generate the certificate and key files to be able to set them to the Gateway resource.
+
+### Create a folder to store files.
+
+Create the folder to contain the files that will be generated.
+
+```shell
+mkdir certfolder
+```
+
+### Create a certificate and a private key.
+
+```shell
+openssl req -x509 -sha256 -nodes -days 365 -subj '/O=Internet of things/CN=lb.net' -newkey rsa:2048 -keyout certfolder/istio.cert.key -out certfolder/istio.cert.crt
+```
+
+The files generated are the following:
+
+```yaml
+private-key: certfolder/istio.cert.key
+root-certificate: certfolder/istio.cert.crt
+```
+
+The information set to the certificate generated is the following:
+
+```yaml
+Organization-name: Internet of things
+CN: lb.net
+```
+
+### Create a TLS secret
+
+At this step we create the tls secret `my-tls-cert-secret` on the namespace `istio-system`.
+
+```shell
+kubectl create -n istio-system secret tls my-tls-cert-secret \
+ --key=certfolder/istio.cert.key \
+ --cert=certfolder/istio.cert.crt
+```
+```text
+secret/my-tls-cert-secret created
+```
+```text
+service/helloworld created
+deployment.apps/helloworld-nginx created
+gateway.networking.istio.io/helloworld-gateway created
+virtualservice.networking.istio.io/helloworld-vs created
+```
+
+> **Note:**\
+> It's Important that the secret is located in the same namespace as the Load Balancer used. In my case is the `istio-system`, but it will vary based on the environment.
+
+
+## Deploy resources
+
+```shell
+kubectl apply -f ./
+```
+```text
+service/helloworld created
+deployment.apps/helloworld-nginx created
+gateway.networking.istio.io/helloworld-gateway created
+virtualservice.networking.istio.io/helloworld-vs created
+```
+
+## Test the service
+### http2
+#### Curl HTTP1
+
+```shell
+curl 192.168.1.50/helloworld -s -o=/dev/null -w 'http_version: %{http_version}\nstatus_code: %{response_code}\n' -HHOST:http2.lb --http1.0
+```
+```text
+http_version: 1.1
+status_code: 426
+```
+
+#### Curl HTTP1.1
+
+```shell
+curl 192.168.1.50/helloworld -s -o=/dev/null -w 'http_version: %{http_version}\nstatus_code: %{response_code}\n' -HHOST:http2.lb --http1.1
+```
+```text
+http_version: 1.1
+status_code: 200
+```
+
+#### Curl HTTP2
+
+```shell
+curl 192.168.1.50/helloworld -s -o=/dev/null -w 'http_version: %{http_version}\nstatus_code: %{response_code}\n' -HHOST:http2.lb --http2
+```
+```text
+http_version: 1.1
+status_code: 200
+```
+
+### http1-web
+
+#### Curl HTTP1
+
+```shell
+curl 192.168.1.50/helloworld -s -o=/dev/null -w 'http_version: %{http_version}\nstatus_code: %{response_code}\n' -HHOST:http1.lb --http1.0
+```
+```text
+http_version: 1.1
+status_code: 426
+```
+
+#### Curl HTTP1.1
+
+```shell
+curl 192.168.1.50/helloworld -s -o=/dev/null -w 'http_version: %{http_version}\nstatus_code: %{response_code}\n' -HHOST:http1.lb --http1.1
+```
+```text
+http_version: 1.1
+status_code: 200
+```
+
+#### Curl HTTP2
+
+```shell
+curl 192.168.1.50/helloworld -s -o=/dev/null -w 'http_version: %{http_version}\nstatus_code: %{response_code}\n' -HHOST:http1.lb --http2
+```
+```text
+http_version: 1.1
+status_code: 200
+```
+
+## Cleanup
+
+```shell
+kubectl delete -f ./
+```
+
+```text
+service "helloworld" deleted
+deployment.apps "helloworld-nginx" deleted
+gateway.networking.istio.io "helloworld-gateway" deleted
+virtualservice.networking.istio.io "helloworld-vs" deleted
+```
+
+# Links of Interest
+
+- https://istio.io/latest/docs/reference/config/networking/gateway/#ServerTLSSettings-TLSProtocol
+
+- https://stackoverflow.com/a/51279606
+
+- https://istio.io/latest/docs/reference/config/networking/destination-rule/#ConnectionPoolSettings-HTTPSettings-H2UpgradePolicy
+
+
+
+docker buildx build --push --platform linux/arm/v7,linux/arm64/v8,linux/amd64 --tag registery.filter.home:5000/https-demo:latest -f Dockerfile
+
+
+docker buildx build --push --platform linux/arm/v7,linux/arm64/v8,linux/amd64 --tag registery.filter.home:5000/https-demo:latest .
+[+] Building 0.0s (0/0)
+ERROR: multiple platforms feature is currently not supported for docker driver. Please switch to a different driver (eg. "docker buildx create --use")
+
+---
+## Create the Dockerfile
+
+```bash
+FROM ubuntu/apache2
+
+RUN apt-get update && \
+apt-get install apache2 openssl -y && \
+a2ensite default-ssl && \
+a2enmod ssl && \
+echo "

Howdy

" | tee /var/www/html/index.html
+RUN /usr/bin/printf "\n\
+ ServerAdmin webmaster@localhost\n\
+ DocumentRoot /var/www/html\n\
+ ErrorLog \${APACHE_LOG_DIR}/error.log\n\
+ CustomLog \${APACHE_LOG_DIR}/access.log combined\n\
+\n\
+\n\
+ ServerAdmin webmaster@localhost\n\
+ DocumentRoot /var/www/html\n\
+ ErrorLog \${APACHE_LOG_DIR}/error.log\n\
+ CustomLog \${APACHE_LOG_DIR}/access.log combined\n\
+ SSLEngine on\n\
+ SSLCertificateFile /etc/ssl/certs/ssl-cert-snakeoil.pem\n\
+ SSLCertificateKeyFile /etc/ssl/private/ssl-cert-snakeoil.key\n\
+" > /etc/apache2/sites-available/000-default.conf
+
+RUN openssl req -x509 -sha256 -nodes -days 358000 -subj '/O=SSL EXAMPLE' -newkey rsa:2048 -keyout /etc/ssl/private/ssl-cert-snakeoil.key -out /etc/ssl/certs/ssl-cert-snakeoil.pem
+```
+
+## Build the image
+
+Due to my Kubernetes cluster environment, where I am using Orange 5, their architecture is arm7, and for such, I require to compile such images.
+
+For my own commodity, I have used a raspberry pi 4 to build this images.
+
+The images where pushed to a local registry server, and afterwards the Kubernetes cluster will pull such image.
+
+```shell
+ docker build --tag https-demo:armv7 .
+```
+```text
+docker build --tag https-demo:armv7 .
--no-cache
+[+] Building 16.5s (8/8) FINISHED
+ => [internal] load .dockerignore 0.0s
+ => => transferring context: 2B 0.0s
+ => [internal] load build definition from Dockerfile 0.0s
+ => => transferring dockerfile: 1.09kB 0.0s
+ => [internal] load metadata for docker.io/ubuntu/apache2:latest 0.4s
+ => CACHED [1/4] FROM docker.io/ubuntu/apache2@sha256:0a5e7179fa8fccf17843a8862e58ac783628b7d448cd68fda8fb1e 0.0s
+ => [2/4] RUN apt-get update && apt-get install apache2 openssl -y && a2ensite default-ssl && a2enmod ssl & 12.0s
+ => [3/4] RUN /usr/bin/printf "\n ServerAdmin webmaster@localhost\n DocumentRoot /var/www/ 0.7s
+ => [4/4] RUN openssl req -x509 -sha256 -nodes -days 358000 -subj '/O=SSL EXAMPLE' -newkey rsa:2048 -keyout 2.4s
+ => exporting to image 1.0s
+ => => exporting layers 1.0s
+ => => writing image sha256:591c6d233100a48bf132eef7a792942cfd0b7057817c4ac5e156c1d33e24cd89 0.0s
+ => => naming to docker.io/library/https-demo:armv7 0.0s
+```
+
+## Tag the image
+
+```shell
+docker image tag https-demo:armv7 registery.filter.home/https-demo:armv7
+```
+
+## Upload to the registery server
+
+```text
+docker image push registery.filter.home:5000/https-demo:armv7
+The push refers to repository [registery.filter.home:5000/https-demo]
+c6d858706b08: Pushed
+9e077e0202f0: Pushed
+6ffc708d0cf3: Pushed
+69e01b4bf4d7: Pushed
+17c5b30f3843: Pushed
+0b9f60fbcaf1: Pushed
+armv7: digest: sha256:d8c81c27f23bf3945ae8a794c82182f9e6c48ec927f388fdf4a88caa0e284bd1 size: 1578
+```
+
+
+
+## ?
+curl: (35) OpenSSL/3.0.8: error:0A00010B:SSL routines::wrong version numbe
+
+
+
+
+
+---
+
+
+Has apache2 installed with a default certificate.
+
+Port 80 visible for HTTP
+
+Port 443 visible for HTTPS.
\ No newline at end of file
diff --git a/Istio/02-Traffic_management/??-TCP-FORWARDING-(WORKS)/certfolder/istio.cert.crt b/Istio/02-Traffic_management/??-TCP-FORWARDING-(WORKS)/certfolder/istio.cert.crt
new file mode 100644
index 0000000..72dd154
--- /dev/null
+++ b/Istio/02-Traffic_management/??-TCP-FORWARDING-(WORKS)/certfolder/istio.cert.crt
@@ -0,0 +1,20 @@
+-----BEGIN CERTIFICATE-----
+MIIDPTCCAiWgAwIBAgIUNR/VCRO6PPCYDZKIApOQ4n/d7OUwDQYJKoZIhvcNAQEL
+BQAwLjEbMBkGA1UECgwSSW50ZXJuZXQgb2YgdGhpbmdzMQ8wDQYDVQQDDAZsYi5u
+ZXQwHhcNMjMwNDIzMjI1NjE5WhcNMjQwNDIyMjI1NjE5WjAuMRswGQYDVQQKDBJJ
+bnRlcm5ldCBvZiB0aGluZ3MxDzANBgNVBAMMBmxiLm5ldDCCASIwDQYJKoZIhvcN
+AQEBBQADggEPADCCAQoCggEBAKKEn3TzyYjW3W/MLKCd18ygojKWgN12gxNxZcQF
+BvghPTNsESt+aBuI1N1Xzj+Bvxs5Bs4FVcMXAkOmLtvwbd6A9owZwd8E9ODKrhau
+Uk9eNQf6ZvSF2GeQoI39SFCL2NEKOzMmEYxGlf842yFaSxgrMx2GirSsqEEPhstS
+LAEldjU77pQ9OniIHuYLfA6AamAz51hXPytpGiaRqAm/xIvRtPFuA9pXJHhREtUG
+S/O6P2v980YAuP8hl3LIpOM9xUod4+x9EHfBXHI5iuPET5kjCnIF/45UmKPtwsga
+RUN3fqYAknJSPyI+s+xnxulkxM9A1kmP8MvDeO/4hAMSA1MCAwEAAaNTMFEwHQYD
+VR0OBBYEFACskVXLguvAreQgdla3hoZqlcxMMB8GA1UdIwQYMBaAFACskVXLguvA
+reQgdla3hoZqlcxMMA8GA1UdEwEB/wQFMAMBAf8wDQYJKoZIhvcNAQELBQADggEB
+AI3SNO84LwluCbTMBYthD+5cMnC6rARyrJBwkYoJfCqgu6j/h8Lcou5VSYVOR4J5
+R3DiyTFutBKYnifnuZgHjNioI6l/uFphPRmoeH1I5zKghq5P2x6LE/Z6/0alzN9X
+ZBgYPWQ5wenrilQ94yLJXX2kwgK5jbMinmTzw8SFHe+Qn5ZlJnAW+YR8vJ+Nu30Q
+rhxSxbNqa2yFPOkV4qjc4zkJ+67bKv7yLJ5WKF6Mfafct69FBwSVVCROsY5mHg8c
+xMyP3d6N01R7XXJATEHbyJHvUUXBtLgA41H8g3vwj1ugKdBhWijBeeBZEyz11U20
+0j6OhMfBuYikiRQl1dfZltg=
+-----END CERTIFICATE-----
diff --git a/Istio/02-Traffic_management/??-TCP-FORWARDING-(WORKS)/certfolder/istio.cert.key b/Istio/02-Traffic_management/??-TCP-FORWARDING-(WORKS)/certfolder/istio.cert.key
new file mode 100644
index 0000000..6b3f82d
--- /dev/null
+++ b/Istio/02-Traffic_management/??-TCP-FORWARDING-(WORKS)/certfolder/istio.cert.key
@@ -0,0 +1,28 @@
+-----BEGIN PRIVATE KEY-----
+MIIEvAIBADANBgkqhkiG9w0BAQEFAASCBKYwggSiAgEAAoIBAQCihJ9088mI1t1v
+zCygndfMoKIyloDddoMTcWXEBQb4IT0zbBErfmgbiNTdV84/gb8bOQbOBVXDFwJD
+pi7b8G3egPaMGcHfBPTgyq4WrlJPXjUH+mb0hdhnkKCN/UhQi9jRCjszJhGMRpX/
+ONshWksYKzMdhoq0rKhBD4bLUiwBJXY1O+6UPTp4iB7mC3wOgGpgM+dYVz8raRom
+kagJv8SL0bTxbgPaVyR4URLVBkvzuj9r/fNGALj/IZdyyKTjPcVKHePsfRB3wVxy
+OYrjxE+ZIwpyBf+OVJij7cLIGkVDd36mAJJyUj8iPrPsZ8bpZMTPQNZJj/DLw3jv
++IQDEgNTAgMBAAECggEAB33Pj+eQ+bLV4EpsIDdGdFNPRr+zTwIghqvqgf+tU5DM
+rmsj23pnOCW1kkJy6nCDq7CURLjwPB76Zr3pWRAbMG+HbeveCPbEhvwwzDDa8Heq
+QCTlzA3DbPq4u/LZ+4SGyRQMqI3vrySt02b+iuoLniCXqZvDFxMCaoVZtFOkXaUW
+mYVkW3BtLdIqHUolql9Tt6kPf9Es7AQhce1ZGrvRSxhiG8xRU4Fmb5zRPXAd/Uzj
+RHzJtcHTFbhjWn/fngtxVUdBNqSNx5z8Bhtex39hgWwULuAyf6jSQbwLtURdyuR8
+WlaJjIV5uZ6ghkQ0mTWyEivuQzuaEUxOND05HgPi8QKBgQDXf8uZSZoCitjHCZ1i
+1O1Xh40qzYYY6KrMc+rzA3BGsgLmQRw5oj0JlhlAPUjh7RmDz6nMEZpUJgKDtyvt
+ktJz28l9ybF5qVjjHz1ZBHxaPC/bruO+4mUsYN6bK4tcIm0j6huuSO7igs7I33ZA
+9bcLkUTtV4QmcKHhIu2UfLVR+QKBgQDBD8XC9alaJHuSjCizPQyrCmmgFHZqNMG9
+IFKOtxXIAX5fJ8RZGyTfObuw2DJncsRGjX6XWr3xo91P/h0sF87FYQ92qz8ji6cg
+rZ+rD9LY6DaVpAB+i0h97PAEgKwkFhXbuTEVDUCY8yFvwz4OGBeKTq19DrMgdeCj
+tAIXq+bSqwKBgAPyIxg7cMZ7JF0AoBEfNPlVUhBmkv4BxJ7ZwIOSnIuu1r7AknO7
+tMJoLS4v8RWx8bWoJ8PEzr6bs5AV2ogPGCtm6tmSx90ibK479DOdEWnVkErFeQYV
+vySA4ZKVyYd2Wek+cCNQ0o7zNjYXYWLvHNrpXgm6gIDzrwMgUJlXbzqBAoGANZEy
+xg1zl9dXkinhgRoHUc3p0MjcsktBFkDJp1+VY5FGhxB5ol+ts2JJeaADHEDzxL+t
+yEEdQta8qV1QqtNQQ+PSbpLFSg+Np7uE+enCDv0faBXBLVtoGciMMDOjj7+xAO45
+eCXdLpMHTANYTIDSx0VdTb2uZetPERz5F6hSu1ECgYAvBqCirwy2HHNuRD7KqpaF
+vyiwIPRj4PK8z0IF4KAEgI9+WWyXLFi7QV3J1PErLlFzc6YW1Z427lfsgGZ9wBXy
+D6Gk7u08FSU+5lyO+X43wlj+XefRFo7AVA52iYSNlz7WS618AYLJyWC4xBt6Ya/Z
+49OKVGZRjHierSA2yZl5fQ==
+-----END PRIVATE KEY-----
diff --git a/Istio/02-Traffic_management/??-TCP-FORWARDING-(WORKS)/deployment.yaml b/Istio/02-Traffic_management/??-TCP-FORWARDING-(WORKS)/deployment.yaml
new file mode 100755
index 0000000..7bb85ab
--- /dev/null
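Review bot: The private key `istio.cert.key` is committed here next to `istio.cert.crt` from the preceding hunk, so the key material behind `my-tls-cert-secret` (which the README creates from exactly these two files) is now permanently in the repository history and has to be treated as public. The README already carries the `openssl req ... -keyout certfolder/istio.cert.key -out certfolder/istio.cert.crt` command that produces the pair, so the generated output does not need to be checked in; add `certfolder/` (or at least `*.key`) to a `.gitignore` and let readers generate their own. On any cluster where this key was loaded, regenerating the pair and recreating the secret keeps the committed key from being the one actually in use. This is a self-signed throwaway pair according to the README, but the same habit with a real key is how credentials leak, and secret scanners will flag the file either way.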
+++ b/Istio/02-Traffic_management/??-TCP-FORWARDING-(WORKS)/deployment.yaml
@@ -0,0 +1,49 @@
+apiVersion: v1
+kind: Service
+metadata:
+ name: helloworld
+ labels:
+ app: helloworld
+ service: helloworld
+spec:
+ ports:
+ - port: 8080
+ name: tcp-a
+ targetPort: 80
+ protocol: TCP
+
+ - port: 8443
+ name: tcp-b
+ targetPort: 443
+ protocol: TCP
+ selector:
+ app: helloworld
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: helloworld-nginx
+ labels:
+ app: helloworld
+spec:
+ replicas: 1
+ selector:
+ matchLabels:
+ app: helloworld
+ template:
+ metadata:
+ labels:
+ app: helloworld
+ sidecar.istio.io/inject: "true"
+ spec:
+ containers:
+ - name: helloworld
+# image: nginx
+ image: oriolfilter/https-apache-demo:armv7
+ resources:
+ requests:
+ cpu: "100m"
+ imagePullPolicy: IfNotPresent #Always
+ ports:
+ - containerPort: 80
+ - containerPort: 443
diff --git a/Istio/02-Traffic_management/??-TCP-FORWARDING-(WORKS)/gateway.yaml b/Istio/02-Traffic_management/??-TCP-FORWARDING-(WORKS)/gateway.yaml
new file mode 100755
index 0000000..17c1ada
--- /dev/null
+++ b/Istio/02-Traffic_management/??-TCP-FORWARDING-(WORKS)/gateway.yaml
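Review bot: `imagePullPolicy: IfNotPresent` combined with the mutable tag `oriolfilter/https-apache-demo:armv7` means a node that already holds a cached `armv7` image keeps running the old build after the image is rebuilt and pushed under the same tag, which is exactly the build/tag/push flow the README describes; pin the image by digest (`image: oriolfilter/https-apache-demo@sha256:<digest-from-your-registry>`) or use `imagePullPolicy: Always` while iterating, and drop the `#Always` trailer once a choice is made. The container sets only `requests.cpu` with no `limits`, so a misbehaving pod can consume unbounded memory on the node; add a `limits:` block alongside `requests:`. It is also worth a one-line comment that this manifest pulls from Docker Hub while the README pushes to `registery.filter.home:5000/https-demo:armv7`, so readers know which image is the one the walkthrough actually exercises.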
@@ -0,0 +1,83 @@
+apiVersion: networking.istio.io/v1alpha3
+kind: Gateway
+metadata:
+ name: helloworld-gateway
+spec:
+ selector:
+ istio: ingressgateway
+ servers:
+# - port:
+# number: 443
+# name: secure-http2
+# protocol: HTTP2
+# hosts:
+# - "*"
+ - port:
+ number: 80
+ name: tcp-2
+ protocol: TCP
+ hosts:
+ - "*"
+ - port:
+ number: 443
+ name: tcp-i
+ protocol: TCP
+ hosts:
+ - "*"
+# tls:
+# credentialName: my-tls-cert-secret
+# minProtocolVersion: TLSV1_2
+
+# mode: PASSTHROUGH
+---
+apiVersion: networking.istio.io/v1alpha3
+kind: VirtualService
+metadata:
+ name: helloworld-vs
+spec:
+ hosts:
+ - "*"
+ gateways:
+ - helloworld-gateway
+ http:
+ - match:
+ - port: 80
+# hosts:
+# - "hello.si"
+ name: helloworld
+ route:
+ - destination:
+ host: helloworld
+ port:
+ number: 80
+ tcp:
+ - match:
+ - port: 80
+ route:
+ - destination:
+ host: helloworld
+ port:
+ number: 8080
+ - match:
+ - port: 443
+ route:
+ - destination:
+ host: helloworld
+ port:
+ number: 8443
+#
+# tls:
+# - match:
+# - port: 443
+# sniHosts:
+# - "hello.si"
+## - uri:
+## exact: /helloworld
+# route:
+# - destination:
+# host: helloworld
+# port:
+# number: 8443
+## protocol: HTTPS
+## rewrite:
+## uri: "/"
\ No newline at end of file
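Review bot: The `http` route in `helloworld-vs` sends traffic to `host: helloworld` on `number: 80`, but the `helloworld` Service in deployment.yaml only exposes 8080 and 8443, and both Gateway servers in this file are `protocol: TCP`, so that block can never match an incoming request and would not resolve to a Service port if it did; either remove it or point it at `number: 8080` for when an HTTP server is re-enabled. Because port 443 is forwarded as raw TCP, TLS is no longer terminated at the ingress gateway: the commented-out `tls:` block (`credentialName`, `minProtocolVersion`) has no effect, the `my-tls-cert-secret` the README creates is unused, and the certificate and TLS versions a client sees are whatever the apache inside the image serves (per the README's Dockerfile, a self-signed snakeoil certificate generated with `-days 358000`). A comment on the 443 server such as `# raw TCP forward: TLS terminates in the workload, gateway tls settings do not apply` would stop the next reader from expecting the gateway's TLS policy to be enforced here.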