From f9147a9065c57a77940a0b439b91508eb585e2b1 Mon Sep 17 00:00:00 2001 From: savagebidoof Date: Sun, 23 Apr 2023 08:57:44 +0200 Subject: [PATCH 01/21] Quality improvements --- .../09-Ingress/01-Create-Istio-LoadBalancer/README.md | 11 +++++++++++ 1 file changed, 11 insertions(+) diff --git a/Istio/09-Ingress/01-Create-Istio-LoadBalancer/README.md b/Istio/09-Ingress/01-Create-Istio-LoadBalancer/README.md index e7b29b3..f81c507 100644 --- a/Istio/09-Ingress/01-Create-Istio-LoadBalancer/README.md +++ b/Istio/09-Ingress/01-Create-Istio-LoadBalancer/README.md @@ -160,6 +160,17 @@ x-envoy-upstream-service-time: 15 [Yeah no idea, gl with that.](https://stackoverflow.com/a/55731730) +```shell +kubectl delete -f ./deployment.yaml +kubectl delete -f ./gateway.yaml +``` +```text +service "helloworld" deleted +deployment.apps "helloworld-nginx" deleted +gateway.networking.istio.io "helloworld-gateway" deleted +virtualservice.networking.istio.io "helloworld-vs" deleted +``` + ```shell istioctl uninstall --purge ``` -- 2.47.2 From d4fd40e7e3fba8f3658d4cbe805497a2a6f5e4f5 Mon Sep 17 00:00:00 2001 From: savagebidoof Date: Mon, 24 Apr 2023 00:22:19 +0200 Subject: [PATCH 02/21] fixed a typo --- .../07-HTTPS-Gateway-Simple-TLS/README.md | 14 ++++++++------ .../08a-HTTPS-min-TLS-version/README.md | 11 ++++++----- .../08b-HTTPS-max-TLS-version/README.md | 10 +++++----- 3 files changed, 19 insertions(+), 16 deletions(-) diff --git a/Istio/02-Traffic_management/07-HTTPS-Gateway-Simple-TLS/README.md b/Istio/02-Traffic_management/07-HTTPS-Gateway-Simple-TLS/README.md index 0b74632..ac080b5 100644 --- a/Istio/02-Traffic_management/07-HTTPS-Gateway-Simple-TLS/README.md +++ b/Istio/02-Traffic_management/07-HTTPS-Gateway-Simple-TLS/README.md 
@@ -147,6 +147,14 @@ x-envoy-upstream-service-time: 96 ```shell kubectl delete -n istio-system secret my-tls-cert-secret ``` + +```text +secret "my-tls-cert-secret" deleted +``` + +```shell +kubectl delete -f ./ +``` ```text service "helloworld" deleted deployment.apps "helloworld-nginx" deleted @@ -154,12 +162,6 @@ gateway.networking.istio.io "helloworld-gateway" deleted virtualservice.networking.istio.io "helloworld-vs" deleted ``` -```shell -kubectl delete -f ./ -``` -```text -secret "my-tls-cert-secret" deleted -``` ```shell rm -rv certfolder/ ``` diff --git a/Istio/02-Traffic_management/08a-HTTPS-min-TLS-version/README.md b/Istio/02-Traffic_management/08a-HTTPS-min-TLS-version/README.md index 42d9907..bcf1667 100644 --- a/Istio/02-Traffic_management/08a-HTTPS-min-TLS-version/README.md +++ b/Istio/02-Traffic_management/08a-HTTPS-min-TLS-version/README.md @@ -152,18 +152,19 @@ x-envoy-upstream-service-time: 13 kubectl delete -n istio-system secret my-tls-cert-secret ``` ```text -service "helloworld" deleted -deployment.apps "helloworld-nginx" deleted -gateway.networking.istio.io "helloworld-gateway" deleted -virtualservice.networking.istio.io "helloworld-vs" deleted +secret "my-tls-cert-secret" deleted ``` ```shell kubectl delete -f ./ ``` ```text -secret "my-tls-cert-secret" deleted +service "helloworld" deleted +deployment.apps "helloworld-nginx" deleted +gateway.networking.istio.io "helloworld-gateway" deleted +virtualservice.networking.istio.io "helloworld-vs" deleted ``` + ```shell rm -rv certfolder/ ``` diff --git a/Istio/02-Traffic_management/08b-HTTPS-max-TLS-version/README.md b/Istio/02-Traffic_management/08b-HTTPS-max-TLS-version/README.md index 97ac603..e664cd4 100644 --- a/Istio/02-Traffic_management/08b-HTTPS-max-TLS-version/README.md +++ b/Istio/02-Traffic_management/08b-HTTPS-max-TLS-version/README.md 
@@ -149,17 +149,17 @@ curl: (35) OpenSSL/3.0.8: error:0A00042E:SSL routines::tlsv1 alert protocol vers kubectl delete -n istio-system secret my-tls-cert-secret ``` ```text -service "helloworld" deleted -deployment.apps "helloworld-nginx" deleted -gateway.networking.istio.io "helloworld-gateway" deleted -virtualservice.networking.istio.io "helloworld-vs" deleted +secret "my-tls-cert-secret" deleted ``` ```shell kubectl delete -f ./ ``` ```text -secret "my-tls-cert-secret" deleted +service "helloworld" deleted +deployment.apps "helloworld-nginx" deleted +gateway.networking.istio.io "helloworld-gateway" deleted +virtualservice.networking.istio.io "helloworld-vs" deleted ``` ```shell rm -rv certfolder/ -- 2.47.2 From e6c265c74f0dec78801e2c6a7a5f0a1bbd5a8922 Mon Sep 17 00:00:00 2001 From: savagebidoof Date: Mon, 24 Apr 2023 00:22:32 +0200 Subject: [PATCH 03/21] added an example --- Istio/00-Troubleshooting/README.md | 12 ++++++++++++ 1 file changed, 12 insertions(+) diff --git a/Istio/00-Troubleshooting/README.md b/Istio/00-Troubleshooting/README.md index fe5d235..8477018 100644 --- a/Istio/00-Troubleshooting/README.md +++ b/Istio/00-Troubleshooting/README.md 
@@ -39,6 +39,18 @@ istioctl analyze -n istio-operator Info [IST0102] (Namespace istio-operator) The namespace is not enabled for Istio injection. Run 'kubectl label namespace istio-operator istio-injection=enabled' to enable it, or 'kubectl label namespace istio-operator istio-injection=disabled' to explicitly mark it as not needing injection. ``` +## Example of spotting a misconfiguration + +In this example, I have configured the gateway to listen to a port that currently is not open in the Isito Load Balancer selected. + +```shell +istioctl analyze +``` +```text +Warning [IST0104] (Gateway default/helloworld-gateway) The gateway refers to a port that is not exposed on the workload (pod selector istio=ingressgateway; port 81) +``` + + # Start the packet capture process on the istio-proxy container from a pod. Target a pod and start a packet capture on the istio-proxy container. -- 2.47.2 From de80fadf2a503b2727878ec3d5261d2aeea9644b Mon Sep 17 00:00:00 2001 From: savagebidoof Date: Mon, 24 Apr 2023 06:03:45 +0200 Subject: [PATCH 04/21] Trying to get HTTP2 to work, tested a TCP LB, and it worked. --- .../??-TCP-FORWARDING-(WORKS)/README.md | 304 ++++++++++++++++++ .../certfolder/istio.cert.crt | 20 ++ .../certfolder/istio.cert.key | 28 ++ .../??-TCP-FORWARDING-(WORKS)/deployment.yaml | 49 +++ .../??-TCP-FORWARDING-(WORKS)/gateway.yaml | 83 +++++ 5 files changed, 484 insertions(+) create mode 100644 Istio/02-Traffic_management/??-TCP-FORWARDING-(WORKS)/README.md create mode 100644 Istio/02-Traffic_management/??-TCP-FORWARDING-(WORKS)/certfolder/istio.cert.crt create mode 100644 Istio/02-Traffic_management/??-TCP-FORWARDING-(WORKS)/certfolder/istio.cert.key create mode 100755 Istio/02-Traffic_management/??-TCP-FORWARDING-(WORKS)/deployment.yaml create mode 100755 Istio/02-Traffic_management/??-TCP-FORWARDING-(WORKS)/gateway.yaml 
diff --git a/Istio/02-Traffic_management/??-TCP-FORWARDING-(WORKS)/README.md b/Istio/02-Traffic_management/??-TCP-FORWARDING-(WORKS)/README.md
new file mode 100644
index 0000000..be28ee3
--- /dev/null
+++ b/Istio/02-Traffic_management/??-TCP-FORWARDING-(WORKS)/README.md
@@ -0,0 +1,304 @@ +--- +gitea: none +include_toc: true +--- + +# Based on + +- [08a-HTTPS-min-TLS-version](../08a-HTTPS-min-TLS-version) + +# Description + +The previous example was modified set the gateway to enable for HTTP2 traffic. + +https://stackoverflow.com/a/59610581 + + +# Changelog + +## Gateway + +```yaml +apiVersion: networking.istio.io/v1alpha3 +kind: Gateway +metadata: + name: helloworld-gateway +spec: + selector: + istio: ingressgateway + servers: + - port: + number: 443 + name: secure-http2 + protocol: HTTP2 + hosts: + - "*" + tls: + mode: SIMPLE + credentialName: my-tls-cert-secret + minProtocolVersion: TLSV1_2 +``` + +`` + +# Walkthrough + + +## Generate client and server certificate and key files + +First step will be to generate the certificate and key files to be able to set them to the Gateway resource. + +### Create a folder to store files. + +Create the folder to contain the files that will be generated. + +```shell +mkdir certfolder +``` + +### Create a certificate and a private key. + +```shell +openssl req -x509 -sha256 -nodes -days 365 -subj '/O=Internet of things/CN=lb.net' -newkey rsa:2048 -keyout certfolder/istio.cert.key -out certfolder/istio.cert.crt +``` + +The files generated are the following: + +```yaml +private-key: certfolder/istio.cert.key +root-certificate: certfolder/istio.cert.crt +``` + +The information set to the certificate generated is the following: + +```yaml +Organization-name: Internet of things +CN: lb.net +``` + +### Create a TLS secret + +At this step we create the tls secret `my-tls-cert-secret` on the namespace `istio-system`. 
+ +```shell +kubectl create -n istio-system secret tls my-tls-cert-secret \ + --key=certfolder/istio.cert.key \ + --cert=certfolder/istio.cert.crt +``` +```text +secret/my-tls-cert-secret created +``` +```text +service/helloworld created +deployment.apps/helloworld-nginx created +gateway.networking.istio.io/helloworld-gateway created +virtualservice.networking.istio.io/helloworld-vs created +``` + +> **Note:**\ +> It's Important that the secret is located in the same namespace as the Load Balancer used. In my case is the `istio-system`, but it will vary based on the environment. + + +## Deploy resources + +```shell +kubectl apply -f ./ +``` +```text +service/helloworld created +deployment.apps/helloworld-nginx created +gateway.networking.istio.io/helloworld-gateway created +virtualservice.networking.istio.io/helloworld-vs created +``` + +## Test the service +### http2 +#### Curl HTTP1 + +```shell +curl 192.168.1.50/helloworld -s -o=/dev/null -w 'http_version: %{http_version}\nstatus_code: %{response_code}\n' -HHOST:http2.lb --http1.0 +``` +```text +http_version: 1.1 +status_code: 426 +``` + +#### Curl HTTP1.1 + +```shell +curl 192.168.1.50/helloworld -s -o=/dev/null -w 'http_version: %{http_version}\nstatus_code: %{response_code}\n' -HHOST:http2.lb --http1.1 +``` +```text +http_version: 1.1 +status_code: 200 +``` + +#### Curl HTTP2 + +```shell +curl 192.168.1.50/helloworld -s -o=/dev/null -w 'http_version: %{http_version}\nstatus_code: %{response_code}\n' -HHOST:http2.lb --http2 +``` +```text +http_version: 1.1 +status_code: 200 +``` + +### http1-web + +#### Curl HTTP1 + +```shell +curl 192.168.1.50/helloworld -s -o=/dev/null -w 'http_version: %{http_version}\nstatus_code: %{response_code}\n' -HHOST:http1.lb --http1.0 +``` +```text +http_version: 1.1 +status_code: 426 +``` + +#### Curl HTTP1.1 + +```shell +curl 192.168.1.50/helloworld -s -o=/dev/null -w 'http_version: %{http_version}\nstatus_code: %{response_code}\n' -HHOST:http1.lb --http1.1 +``` +```text 
+http_version: 1.1 +status_code: 200 +``` + +#### Curl HTTP2 + +```shell +curl 192.168.1.50/helloworld -s -o=/dev/null -w 'http_version: %{http_version}\nstatus_code: %{response_code}\n' -HHOST:http1.lb --http2 +``` +```text +http_version: 1.1 +status_code: 200 +``` + +## Cleanup + +```shell +kubectl delete -f ./ +``` + +```text +service "helloworld" deleted +deployment.apps "helloworld-nginx" deleted +gateway.networking.istio.io "helloworld-gateway" deleted +virtualservice.networking.istio.io "helloworld-vs" deleted +``` + +# Links of Interest + +- https://istio.io/latest/docs/reference/config/networking/gateway/#ServerTLSSettings-TLSProtocol + +- https://stackoverflow.com/a/51279606 + +- https://istio.io/latest/docs/reference/config/networking/destination-rule/#ConnectionPoolSettings-HTTPSettings-H2UpgradePolicy + + + +docker buildx build --push --platform linux/arm/v7,linux/arm64/v8,linux/amd64 --tag registery.filter.home:5000/https-demo:latest -f Dockerfile + + +docker buildx build --push --platform linux/arm/v7,linux/arm64/v8,linux/amd64 --tag registery.filter.home:5000/https-demo:latest . +[+] Building 0.0s (0/0) +ERROR: multiple platforms feature is currently not supported for docker driver. Please switch to a different driver (eg. "docker buildx create --use") + +--- +## Create the Dockerfile + +```bash +FROM ubuntu/apache2 + +RUN apt-get update && \ +apt-get install apache2 openssl -y && \ +a2ensite default-ssl && \ +a2enmod ssl && \ +echo "

Howdy

" | tee /var/www/html/index.html + +RUN /usr/bin/printf "\n\ + ServerAdmin webmaster@localhost\n\ + DocumentRoot /var/www/html\n\ + ErrorLog \${APACHE_LOG_DIR}/error.log\n\ + CustomLog \${APACHE_LOG_DIR}/access.log combined\n\ +\n\ +\n\ + ServerAdmin webmaster@localhost\n\ + DocumentRoot /var/www/html\n\ + ErrorLog \${APACHE_LOG_DIR}/error.log\n\ + CustomLog \${APACHE_LOG_DIR}/access.log combined\n\ + SSLEngine on\n\ + SSLCertificateFile /etc/ssl/certs/ssl-cert-snakeoil.pem\n\ + SSLCertificateKeyFile /etc/ssl/private/ssl-cert-snakeoil.key\n\ +" > /etc/apache2/sites-available/000-default.conf + +RUN openssl req -x509 -sha256 -nodes -days 358000 -subj '/O=SSL EXAMPLE' -newkey rsa:2048 -keyout /etc/ssl/private/ssl-cert-snakeoil.key -out /etc/ssl/certs/ssl-cert-snakeoil.pem +``` + +## Build the image + +Due to my Kubernetes cluster environment, where I am using Orange 5, their architecture is arm7, and for such, I require to compile such images. + +For my own commodity, I have used a raspberry pi 4 to build this images. + +The images where pushed to a local registry server, and afterwards the Kubernetes cluster will pull such image. + +```shell + docker build --tag https-demo:armv7 . +``` +```text +docker build --tag https-demo:armv7 . 
--no-cache +[+] Building 16.5s (8/8) FINISHED + => [internal] load .dockerignore 0.0s + => => transferring context: 2B 0.0s + => [internal] load build definition from Dockerfile 0.0s + => => transferring dockerfile: 1.09kB 0.0s + => [internal] load metadata for docker.io/ubuntu/apache2:latest 0.4s + => CACHED [1/4] FROM docker.io/ubuntu/apache2@sha256:0a5e7179fa8fccf17843a8862e58ac783628b7d448cd68fda8fb1e 0.0s + => [2/4] RUN apt-get update && apt-get install apache2 openssl -y && a2ensite default-ssl && a2enmod ssl & 12.0s + => [3/4] RUN /usr/bin/printf "\n ServerAdmin webmaster@localhost\n DocumentRoot /var/www/ 0.7s + => [4/4] RUN openssl req -x509 -sha256 -nodes -days 358000 -subj '/O=SSL EXAMPLE' -newkey rsa:2048 -keyout 2.4s + => exporting to image 1.0s + => => exporting layers 1.0s + => => writing image sha256:591c6d233100a48bf132eef7a792942cfd0b7057817c4ac5e156c1d33e24cd89 0.0s + => => naming to docker.io/library/https-demo:armv7 0.0s +``` + +## Tag the image + +```shell +docker image tag https-demo:armv7 registery.filter.home/https-demo:armv7 +``` + +## Upload to the registery server + +```text +docker image push registery.filter.home:5000/https-demo:armv7 +The push refers to repository [registery.filter.home:5000/https-demo] +c6d858706b08: Pushed +9e077e0202f0: Pushed +6ffc708d0cf3: Pushed +69e01b4bf4d7: Pushed +17c5b30f3843: Pushed +0b9f60fbcaf1: Pushed +armv7: digest: sha256:d8c81c27f23bf3945ae8a794c82182f9e6c48ec927f388fdf4a88caa0e284bd1 size: 1578 +``` + + + +## ? +curl: (35) OpenSSL/3.0.8: error:0A00010B:SSL routines::wrong version numbe + + + + + +--- + + +Has apache2 installed with a default certificate. + +Port 80 visible for HTTP + +Port 443 visible for HTTPS. \ No newline at end of file diff --git a/Istio/02-Traffic_management/??-TCP-FORWARDING-(WORKS)/certfolder/istio.cert.crt b/Istio/02-Traffic_management/??-TCP-FORWARDING-(WORKS)/certfolder/istio.cert.crt new file mode 100644 index 0000000..72dd154 --- /dev/null 
+++ b/Istio/02-Traffic_management/??-TCP-FORWARDING-(WORKS)/certfolder/istio.cert.crt @@ -0,0 +1,20 @@ +-----BEGIN CERTIFICATE----- +MIIDPTCCAiWgAwIBAgIUNR/VCRO6PPCYDZKIApOQ4n/d7OUwDQYJKoZIhvcNAQEL +BQAwLjEbMBkGA1UECgwSSW50ZXJuZXQgb2YgdGhpbmdzMQ8wDQYDVQQDDAZsYi5u +ZXQwHhcNMjMwNDIzMjI1NjE5WhcNMjQwNDIyMjI1NjE5WjAuMRswGQYDVQQKDBJJ +bnRlcm5ldCBvZiB0aGluZ3MxDzANBgNVBAMMBmxiLm5ldDCCASIwDQYJKoZIhvcN +AQEBBQADggEPADCCAQoCggEBAKKEn3TzyYjW3W/MLKCd18ygojKWgN12gxNxZcQF +BvghPTNsESt+aBuI1N1Xzj+Bvxs5Bs4FVcMXAkOmLtvwbd6A9owZwd8E9ODKrhau +Uk9eNQf6ZvSF2GeQoI39SFCL2NEKOzMmEYxGlf842yFaSxgrMx2GirSsqEEPhstS +LAEldjU77pQ9OniIHuYLfA6AamAz51hXPytpGiaRqAm/xIvRtPFuA9pXJHhREtUG +S/O6P2v980YAuP8hl3LIpOM9xUod4+x9EHfBXHI5iuPET5kjCnIF/45UmKPtwsga +RUN3fqYAknJSPyI+s+xnxulkxM9A1kmP8MvDeO/4hAMSA1MCAwEAAaNTMFEwHQYD +VR0OBBYEFACskVXLguvAreQgdla3hoZqlcxMMB8GA1UdIwQYMBaAFACskVXLguvA +reQgdla3hoZqlcxMMA8GA1UdEwEB/wQFMAMBAf8wDQYJKoZIhvcNAQELBQADggEB +AI3SNO84LwluCbTMBYthD+5cMnC6rARyrJBwkYoJfCqgu6j/h8Lcou5VSYVOR4J5 +R3DiyTFutBKYnifnuZgHjNioI6l/uFphPRmoeH1I5zKghq5P2x6LE/Z6/0alzN9X +ZBgYPWQ5wenrilQ94yLJXX2kwgK5jbMinmTzw8SFHe+Qn5ZlJnAW+YR8vJ+Nu30Q +rhxSxbNqa2yFPOkV4qjc4zkJ+67bKv7yLJ5WKF6Mfafct69FBwSVVCROsY5mHg8c +xMyP3d6N01R7XXJATEHbyJHvUUXBtLgA41H8g3vwj1ugKdBhWijBeeBZEyz11U20 +0j6OhMfBuYikiRQl1dfZltg= +-----END CERTIFICATE----- diff --git a/Istio/02-Traffic_management/??-TCP-FORWARDING-(WORKS)/certfolder/istio.cert.key b/Istio/02-Traffic_management/??-TCP-FORWARDING-(WORKS)/certfolder/istio.cert.key new file mode 100644 index 0000000..6b3f82d --- /dev/null +++ b/Istio/02-Traffic_management/??-TCP-FORWARDING-(WORKS)/certfolder/istio.cert.key 
@@ -0,0 +1,28 @@ +-----BEGIN PRIVATE KEY----- +MIIEvAIBADANBgkqhkiG9w0BAQEFAASCBKYwggSiAgEAAoIBAQCihJ9088mI1t1v +zCygndfMoKIyloDddoMTcWXEBQb4IT0zbBErfmgbiNTdV84/gb8bOQbOBVXDFwJD +pi7b8G3egPaMGcHfBPTgyq4WrlJPXjUH+mb0hdhnkKCN/UhQi9jRCjszJhGMRpX/ +ONshWksYKzMdhoq0rKhBD4bLUiwBJXY1O+6UPTp4iB7mC3wOgGpgM+dYVz8raRom +kagJv8SL0bTxbgPaVyR4URLVBkvzuj9r/fNGALj/IZdyyKTjPcVKHePsfRB3wVxy +OYrjxE+ZIwpyBf+OVJij7cLIGkVDd36mAJJyUj8iPrPsZ8bpZMTPQNZJj/DLw3jv ++IQDEgNTAgMBAAECggEAB33Pj+eQ+bLV4EpsIDdGdFNPRr+zTwIghqvqgf+tU5DM +rmsj23pnOCW1kkJy6nCDq7CURLjwPB76Zr3pWRAbMG+HbeveCPbEhvwwzDDa8Heq +QCTlzA3DbPq4u/LZ+4SGyRQMqI3vrySt02b+iuoLniCXqZvDFxMCaoVZtFOkXaUW +mYVkW3BtLdIqHUolql9Tt6kPf9Es7AQhce1ZGrvRSxhiG8xRU4Fmb5zRPXAd/Uzj +RHzJtcHTFbhjWn/fngtxVUdBNqSNx5z8Bhtex39hgWwULuAyf6jSQbwLtURdyuR8 +WlaJjIV5uZ6ghkQ0mTWyEivuQzuaEUxOND05HgPi8QKBgQDXf8uZSZoCitjHCZ1i +1O1Xh40qzYYY6KrMc+rzA3BGsgLmQRw5oj0JlhlAPUjh7RmDz6nMEZpUJgKDtyvt +ktJz28l9ybF5qVjjHz1ZBHxaPC/bruO+4mUsYN6bK4tcIm0j6huuSO7igs7I33ZA +9bcLkUTtV4QmcKHhIu2UfLVR+QKBgQDBD8XC9alaJHuSjCizPQyrCmmgFHZqNMG9 +IFKOtxXIAX5fJ8RZGyTfObuw2DJncsRGjX6XWr3xo91P/h0sF87FYQ92qz8ji6cg +rZ+rD9LY6DaVpAB+i0h97PAEgKwkFhXbuTEVDUCY8yFvwz4OGBeKTq19DrMgdeCj +tAIXq+bSqwKBgAPyIxg7cMZ7JF0AoBEfNPlVUhBmkv4BxJ7ZwIOSnIuu1r7AknO7 +tMJoLS4v8RWx8bWoJ8PEzr6bs5AV2ogPGCtm6tmSx90ibK479DOdEWnVkErFeQYV +vySA4ZKVyYd2Wek+cCNQ0o7zNjYXYWLvHNrpXgm6gIDzrwMgUJlXbzqBAoGANZEy +xg1zl9dXkinhgRoHUc3p0MjcsktBFkDJp1+VY5FGhxB5ol+ts2JJeaADHEDzxL+t +yEEdQta8qV1QqtNQQ+PSbpLFSg+Np7uE+enCDv0faBXBLVtoGciMMDOjj7+xAO45 +eCXdLpMHTANYTIDSx0VdTb2uZetPERz5F6hSu1ECgYAvBqCirwy2HHNuRD7KqpaF +vyiwIPRj4PK8z0IF4KAEgI9+WWyXLFi7QV3J1PErLlFzc6YW1Z427lfsgGZ9wBXy +D6Gk7u08FSU+5lyO+X43wlj+XefRFo7AVA52iYSNlz7WS618AYLJyWC4xBt6Ya/Z +49OKVGZRjHierSA2yZl5fQ== +-----END PRIVATE KEY----- diff --git a/Istio/02-Traffic_management/??-TCP-FORWARDING-(WORKS)/deployment.yaml b/Istio/02-Traffic_management/??-TCP-FORWARDING-(WORKS)/deployment.yaml new file mode 100755 index 0000000..7bb85ab --- /dev/null 
+++ b/Istio/02-Traffic_management/??-TCP-FORWARDING-(WORKS)/deployment.yaml
@@ -0,0 +1,49 @@
+apiVersion: v1
+kind: Service
+metadata:
+ name: helloworld
+ labels:
+ app: helloworld
+ service: helloworld
+spec:
+ ports:
+ - port: 8080
+ name: tcp-a
+ targetPort: 80
+ protocol: TCP
+
+ - port: 8443
+ name: tcp-b
+ targetPort: 443
+ protocol: TCP
+ selector:
+ app: helloworld
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: helloworld-nginx
+ labels:
+ app: helloworld
+spec:
+ replicas: 1
+ selector:
+ matchLabels:
+ app: helloworld
+ template:
+ metadata:
+ labels:
+ app: helloworld
+ sidecar.istio.io/inject: "true"
+ spec:
+ containers:
+ - name: helloworld
+# image: nginx
+ image: oriolfilter/https-apache-demo:armv7
+ resources:
+ requests:
+ cpu: "100m"
+ imagePullPolicy: IfNotPresent #Always
+ ports:
+ - containerPort: 80
+ - containerPort: 443
diff --git a/Istio/02-Traffic_management/??-TCP-FORWARDING-(WORKS)/gateway.yaml b/Istio/02-Traffic_management/??-TCP-FORWARDING-(WORKS)/gateway.yaml
new file mode 100755
index 0000000..17c1ada
--- /dev/null
+++ b/Istio/02-Traffic_management/??-TCP-FORWARDING-(WORKS)/gateway.yaml
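Review bot: `image: oriolfilter/https-apache-demo:armv7` is a mutable tag combined with `imagePullPolicy: IfNotPresent #Always`, so a node that already cached the tag keeps running whatever it pulled first and an image rebuilt and re-pushed under the same tag is silently skipped. Either pin by digest, `image: oriolfilter/https-apache-demo@sha256:<DIGEST_PLACEHOLDER>`, or keep `imagePullPolicy: Always` while the tag is still being overwritten. The container sets only `resources.requests` and no `securityContext`; acceptable for a demo, but a memory limit and `allowPrivilegeEscalation: false` cost nothing here and make the example safer to copy. As a style point, the inline comment should have two spaces before `#` and the commented-out `# image: nginx` line can be dropped.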
@@ -0,0 +1,83 @@
+apiVersion: networking.istio.io/v1alpha3
+kind: Gateway
+metadata:
+ name: helloworld-gateway
+spec:
+ selector:
+ istio: ingressgateway
+ servers:
+# - port:
+# number: 443
+# name: secure-http2
+# protocol: HTTP2
+# hosts:
+# - "*"
+ - port:
+ number: 80
+ name: tcp-2
+ protocol: TCP
+ hosts:
+ - "*"
+ - port:
+ number: 443
+ name: tcp-i
+ protocol: TCP
+ hosts:
+ - "*"
+# tls:
+# credentialName: my-tls-cert-secret
+# minProtocolVersion: TLSV1_2
+
+# mode: PASSTHROUGH
+---
+apiVersion: networking.istio.io/v1alpha3
+kind: VirtualService
+metadata:
+ name: helloworld-vs
+spec:
+ hosts:
+ - "*"
+ gateways:
+ - helloworld-gateway
+ http:
+ - match:
+ - port: 80
+# hosts:
+# - "hello.si"
+ name: helloworld
+ route:
+ - destination:
+ host: helloworld
+ port:
+ number: 80
+ tcp:
+ - match:
+ - port: 80
+ route:
+ - destination:
+ host: helloworld
+ port:
+ number: 8080
+ - match:
+ - port: 443
+ route:
+ - destination:
+ host: helloworld
+ port:
+ number: 8443
+#
+# tls:
+# - match:
+# - port: 443
+# sniHosts:
+# - "hello.si"
+## - uri:
+## exact: /helloworld
+# route:
+# - destination:
+# host: helloworld
+# port:
+# number: 8443
+## protocol: HTTPS
+## rewrite:
+## uri: "/"
\ No newline at end of file
-- 
2.47.2

From 4bb07eebce9494d6694eea2619a5961be26ddf86 Mon Sep 17 00:00:00 2001
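Review bot: The VirtualService carries both an `http` rule and a `tcp` rule matching `port: 80`, while the Gateway exposes port 80 as `protocol: TCP`; as far as I can tell only the `tcp` rule can bind to a TCP server, so the `http` block (with its `name: helloworld` route to port 80) is dead configuration and should be removed, or the server switched to `protocol: HTTP` if HTTP routing on 80 is the intent. The port 443 server is likewise plain `protocol: TCP` with `hosts: "*"` and no `tls` block, so the gateway hands the raw TLS stream to `helloworld:8443` without any SNI matching and TLS is terminated only by the backend's self-signed certificate; that deserves a comment above the `number: 443` server, e.g. `# Raw TCP forwarding: no SNI matching at the gateway, TLS terminates in the backend`. The commented-out `mode: PASSTHROUGH` and `tls:` route with `sniHosts` is the shape that restricts passthrough to a named host; if it is kept for a later step, say so in a comment, otherwise drop the dead block. The file also ends without a trailing newline.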
From: savagebidoof Date: Tue, 25 Apr 2023 00:16:52 +0200 Subject: [PATCH 05/21] small backup cause things work and scared of proceeding without modifying anything, also say hi to my registry at home --- .gitignore | 1 + Istio/00-Troubleshooting/README.md | 2 + .../XX-HTTP2-gateway-made-it-work/Dockerfile | 13 + .../XX-HTTP2-gateway-made-it-work/README.md | 321 +++++++++++++++++ .../authentication.yaml | 8 + .../deployment.yaml | 80 +++++ .../gateway.yaml | 118 +++++++ .../ingress.yaml | 29 ++ .../XX-HTTP2-gateway-made-it-work/server.conf | 37 ++ .../XX-HTTPS-backend/README.md | 311 +++++++++++++++++ .../XX-HTTPS-backend/deployment.yaml | 80 +++++ .../XX-HTTPS-backend/gateway.yaml | 118 +++++++ .../__XX-TLS-PASSTHROUGH/Dockerfile | 13 + .../__XX-TLS-PASSTHROUGH/README.md | 325 ++++++++++++++++++ .../__XX-TLS-PASSTHROUGH/authentication.yaml | 11 + .../bk_old_nonworking_gateway.yaml | 113 ++++++ .../__XX-TLS-PASSTHROUGH/deployment.yaml | 80 +++++ .../__XX-TLS-PASSTHROUGH/gateway-02.yaml | 36 ++ .../__XX-TLS-PASSTHROUGH/gateway.yaml | 87 +++++ .../__XX-TLS-PASSTHROUGH/ingress.yaml | 29 ++ .../__XX-TLS-PASSTHROUGH/server.conf | 37 ++ .../Dockerfile | 13 + .../README.md | 313 +++++++++++++++++ .../authentication.yaml | 11 + .../bk_old_nonworking_gateway.yaml | 117 +++++++ .../deployment.yaml | 74 ++++ .../gateway-02.yaml | 36 ++ .../gateway.yaml | 85 +++++ .../ingress.yaml | 29 ++ .../server.conf | 37 ++ 30 files changed, 2564 insertions(+) create mode 100644 Istio/02-Traffic_management/XX-HTTP2-gateway-made-it-work/Dockerfile create mode 100644 Istio/02-Traffic_management/XX-HTTP2-gateway-made-it-work/README.md create mode 100644 Istio/02-Traffic_management/XX-HTTP2-gateway-made-it-work/authentication.yaml create mode 100755 Istio/02-Traffic_management/XX-HTTP2-gateway-made-it-work/deployment.yaml create mode 100755 Istio/02-Traffic_management/XX-HTTP2-gateway-made-it-work/gateway.yaml create mode 100644 
Istio/02-Traffic_management/XX-HTTP2-gateway-made-it-work/ingress.yaml create mode 100644 Istio/02-Traffic_management/XX-HTTP2-gateway-made-it-work/server.conf create mode 100644 Istio/02-Traffic_management/XX-HTTPS-backend/README.md create mode 100755 Istio/02-Traffic_management/XX-HTTPS-backend/deployment.yaml create mode 100755 Istio/02-Traffic_management/XX-HTTPS-backend/gateway.yaml create mode 100644 Istio/02-Traffic_management/__XX-TLS-PASSTHROUGH/Dockerfile create mode 100644 Istio/02-Traffic_management/__XX-TLS-PASSTHROUGH/README.md create mode 100644 Istio/02-Traffic_management/__XX-TLS-PASSTHROUGH/authentication.yaml create mode 100755 Istio/02-Traffic_management/__XX-TLS-PASSTHROUGH/bk_old_nonworking_gateway.yaml create mode 100755 Istio/02-Traffic_management/__XX-TLS-PASSTHROUGH/deployment.yaml create mode 100755 Istio/02-Traffic_management/__XX-TLS-PASSTHROUGH/gateway-02.yaml create mode 100755 Istio/02-Traffic_management/__XX-TLS-PASSTHROUGH/gateway.yaml create mode 100644 Istio/02-Traffic_management/__XX-TLS-PASSTHROUGH/ingress.yaml create mode 100644 Istio/02-Traffic_management/__XX-TLS-PASSTHROUGH/server.conf create mode 100644 Istio/02-Traffic_management/__XX-TLS-PASSTHROUGH_BK_pcap_see_encrypted_traffic/Dockerfile create mode 100644 Istio/02-Traffic_management/__XX-TLS-PASSTHROUGH_BK_pcap_see_encrypted_traffic/README.md create mode 100644 Istio/02-Traffic_management/__XX-TLS-PASSTHROUGH_BK_pcap_see_encrypted_traffic/authentication.yaml create mode 100755 Istio/02-Traffic_management/__XX-TLS-PASSTHROUGH_BK_pcap_see_encrypted_traffic/bk_old_nonworking_gateway.yaml create mode 100755 Istio/02-Traffic_management/__XX-TLS-PASSTHROUGH_BK_pcap_see_encrypted_traffic/deployment.yaml create mode 100755 Istio/02-Traffic_management/__XX-TLS-PASSTHROUGH_BK_pcap_see_encrypted_traffic/gateway-02.yaml create mode 100755 Istio/02-Traffic_management/__XX-TLS-PASSTHROUGH_BK_pcap_see_encrypted_traffic/gateway.yaml create mode 100644 
Istio/02-Traffic_management/__XX-TLS-PASSTHROUGH_BK_pcap_see_encrypted_traffic/ingress.yaml create mode 100644 Istio/02-Traffic_management/__XX-TLS-PASSTHROUGH_BK_pcap_see_encrypted_traffic/server.conf diff --git a/.gitignore b/.gitignore index 85e7c1d..9cef47e 100644 --- a/.gitignore +++ b/.gitignore @@ -1 +1,2 @@ /.idea/ +/Istio/02-Traffic_management/XX-HTTPS-backend/ diff --git a/Istio/00-Troubleshooting/README.md b/Istio/00-Troubleshooting/README.md index 8477018..340f1c4 100644 --- a/Istio/00-Troubleshooting/README.md +++ b/Istio/00-Troubleshooting/README.md @@ -55,6 +55,8 @@ Warning [IST0104] (Gateway default/helloworld-gateway) The gateway refers to a p Target a pod and start a packet capture on the istio-proxy container. +This step requires istio to be installed with the flag `values.global.proxy.privileged=true` + ```shell $ kubectl exec -n default "$(kubectl get pod -n default -l app=helloworld -o jsonpath={.items..metadata.name})" -c istio-proxy -- sudo tcpdump dst port 80 -A tcpdump: verbose output suppressed, use -v[v]... for full protocol decode diff --git a/Istio/02-Traffic_management/XX-HTTP2-gateway-made-it-work/Dockerfile b/Istio/02-Traffic_management/XX-HTTP2-gateway-made-it-work/Dockerfile new file mode 100644 index 0000000..e3df53b --- /dev/null +++ b/Istio/02-Traffic_management/XX-HTTP2-gateway-made-it-work/Dockerfile @@ -0,0 +1,13 @@ +FROM nginx + +ADD server.conf /etc/nginx/conf.d/default.conf + +# RUN apt-get update && \ +# apt-get install apache2 openssl -y && \ +# a2ensite default-ssl && \ +# a2enmod ssl && \ + +RUN mkdir -p /var/www/html +RUN echo "

Howdy

" | tee /var/www/html/index.html + +RUN openssl req -x509 -sha256 -nodes -days 358000 -subj '/O=SSL EXAMPLE/CN=lb.net' -newkey rsa:2048 -keyout /cert.key -out /cert.crt \ No newline at end of file diff --git a/Istio/02-Traffic_management/XX-HTTP2-gateway-made-it-work/README.md b/Istio/02-Traffic_management/XX-HTTP2-gateway-made-it-work/README.md new file mode 100644 index 0000000..bdab5da --- /dev/null +++ b/Istio/02-Traffic_management/XX-HTTP2-gateway-made-it-work/README.md 
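Review bot: The last line, `RUN openssl req -x509 ... -nodes -days 358000 -keyout /cert.key -out /cert.crt`, generates an unencrypted private key at build time, so the key is baked into an image layer and shared by every container started from the pushed image, with a validity of roughly 980 years. For a demo that may be deliberate, but the repository already uses the better pattern (`kubectl create -n istio-system secret tls my-tls-cert-secret ...`), so mounting a Secret at runtime and keeping the image key-free is the cleaner option; at minimum a comment above the `RUN` should state that the key is a throwaway baked into the image. `FROM nginx` is unpinned; give it a tag or digest so rebuilds are reproducible. `ADD server.conf /etc/nginx/conf.d/default.conf` should be `COPY server.conf /etc/nginx/conf.d/default.conf`, since no URL fetch or archive extraction is wanted, and the commented-out apt-get block can go.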
@@ -0,0 +1,321 @@ +--- +gitea: none +include_toc: true +--- + +# Based on + +- [08a-HTTPS-min-TLS-version](../08a-HTTPS-min-TLS-version) + +# Description + +The previous example was modified set the gateway to enable for HTTP2 traffic. + +https://stackoverflow.com/a/59610581 + + +# Changelog + +## Gateway + +```yaml +apiVersion: networking.istio.io/v1alpha3 +kind: Gateway +metadata: + name: helloworld-gateway +spec: + selector: + istio: ingressgateway + servers: + - port: + number: 443 + name: secure-http2 + protocol: HTTP2 + hosts: + - "*" + tls: + mode: SIMPLE + credentialName: my-tls-cert-secret + minProtocolVersion: TLSV1_2 +``` + +`` + +# Walkthrough + + +## Generate client and server certificate and key files + +First step will be to generate the certificate and key files to be able to set them to the Gateway resource. + +### Create a folder to store files. + +Create the folder to contain the files that will be generated. + +```shell +mkdir certfolder +``` + +### Create a certificate and a private key. + +```shell +openssl req -x509 -sha256 -nodes -days 365 -subj '/O=Internet of things/CN=lb.net' -newkey rsa:2048 -keyout certfolder/istio.cert.key -out certfolder/istio.cert.crt +``` + +The files generated are the following: + +```yaml +private-key: certfolder/istio.cert.key +root-certificate: certfolder/istio.cert.crt +``` + +The information set to the certificate generated is the following: + +```yaml +Organization-name: Internet of things +CN: lb.net +``` + +### Create a TLS secret + +At this step we create the tls secret `my-tls-cert-secret` on the namespace `istio-system`. 
+ +```shell +kubectl create -n istio-system secret tls my-tls-cert-secret \ + --key=certfolder/istio.cert.key \ + --cert=certfolder/istio.cert.crt +``` +```text +secret/my-tls-cert-secret created +``` +```text +service/helloworld created +deployment.apps/helloworld-nginx created +gateway.networking.istio.io/helloworld-gateway created +virtualservice.networking.istio.io/helloworld-vs created +``` + +> **Note:**\ +> It's Important that the secret is located in the same namespace as the Load Balancer used. In my case is the `istio-system`, but it will vary based on the environment. + + +## Deploy resources + +```shell +kubectl apply -f ./ +``` +```text +service/helloworld created +deployment.apps/helloworld-nginx created +gateway.networking.istio.io/helloworld-gateway created +virtualservice.networking.istio.io/helloworld-vs created +``` + +## Test the service +### http2 +#### Curl HTTP1 + +```shell +curl 192.168.1.50/helloworld -s -o=/dev/null -w 'http_version: %{http_version}\nstatus_code: %{response_code}\n' -HHOST:http2.lb --http1.0 +``` +```text +http_version: 1.1 +status_code: 426 +``` + +#### Curl HTTP1.1 + +```shell +curl 192.168.1.50/helloworld -s -o=/dev/null -w 'http_version: %{http_version}\nstatus_code: %{response_code}\n' -HHOST:http2.lb --http1.1 +``` +```text +http_version: 1.1 +status_code: 200 +``` + +#### Curl HTTP2 + +```shell +curl 192.168.1.50/helloworld -s -o=/dev/null -w 'http_version: %{http_version}\nstatus_code: %{response_code}\n' -HHOST:http2.lb --http2 +``` +```text +http_version: 1.1 +status_code: 200 +``` + +### http1-web + +#### Curl HTTP1 + +```shell +curl 192.168.1.50/helloworld -s -o=/dev/null -w 'http_version: %{http_version}\nstatus_code: %{response_code}\n' -HHOST:http1.lb --http1.0 +``` +```text +http_version: 1.1 +status_code: 426 +``` + +#### Curl HTTP1.1 + +```shell +curl 192.168.1.50/helloworld -s -o=/dev/null -w 'http_version: %{http_version}\nstatus_code: %{response_code}\n' -HHOST:http1.lb --http1.1 +``` +```text 
+http_version: 1.1 +status_code: 200 +``` + +#### Curl HTTP2 + +```shell +curl 192.168.1.50/helloworld -s -o=/dev/null -w 'http_version: %{http_version}\nstatus_code: %{response_code}\n' -HHOST:http1.lb --http2 +``` +```text +http_version: 1.1 +status_code: 200 +``` + +## Cleanup + +```shell +kubectl delete -f ./ +``` + +```text +service "helloworld" deleted +deployment.apps "helloworld-nginx" deleted +gateway.networking.istio.io "helloworld-gateway" deleted +virtualservice.networking.istio.io "helloworld-vs" deleted +``` + +# Links of Interest + +- https://istio.io/latest/docs/reference/config/networking/gateway/#ServerTLSSettings-TLSProtocol + +- https://stackoverflow.com/a/51279606 + +- https://istio.io/latest/docs/reference/config/networking/destination-rule/#ConnectionPoolSettings-HTTPSettings-H2UpgradePolicy + + + +docker buildx build --push --platform linux/arm/v7,linux/arm64/v8,linux/amd64 --tag registery.filter.home:5000/https-demo:latest -f Dockerfile + + +docker buildx build --push --platform linux/arm/v7,linux/arm64/v8,linux/amd64 --tag registery.filter.home:5000/https-demo:latest . +[+] Building 0.0s (0/0) +ERROR: multiple platforms feature is currently not supported for docker driver. Please switch to a different driver (eg. "docker buildx create --use") + +--- +## Create the Dockerfile + +```bash +FROM ubuntu/apache2 + +RUN apt-get update && \ +apt-get install apache2 openssl -y && \ +a2ensite default-ssl && \ +a2enmod ssl && \ +echo "

Howdy

" | tee /var/www/html/index.html + +RUN /usr/bin/printf "\n\ + ServerAdmin webmaster@localhost\n\ + DocumentRoot /var/www/html\n\ + ErrorLog \${APACHE_LOG_DIR}/error.log\n\ + CustomLog \${APACHE_LOG_DIR}/access.log combined\n\ +\n\ +\n\ + ServerAdmin webmaster@localhost\n\ + DocumentRoot /var/www/html\n\ + ErrorLog \${APACHE_LOG_DIR}/error.log\n\ + CustomLog \${APACHE_LOG_DIR}/access.log combined\n\ + SSLEngine on\n\ + SSLCertificateFile /etc/ssl/certs/ssl-cert-snakeoil.pem\n\ + SSLCertificateKeyFile /etc/ssl/private/ssl-cert-snakeoil.key\n\ +" > /etc/apache2/sites-available/000-default.conf + +RUN openssl req -x509 -sha256 -nodes -days 358000 -subj '/O=SSL EXAMPLE/CN=lb.net' -newkey rsa:2048 -keyout /etc/ssl/private/ssl-cert-snakeoil.key -out /etc/ssl/certs/ssl-cert-snakeoil.pem +``` + +## Build the image + +Due to my Kubernetes cluster environment, where I am using Orange 5, their architecture is arm7, and for such, I require to compile such images. + +For my own commodity, I have used a raspberry pi 4 to build this images. + +The images where pushed to a local registry server, and afterwards the Kubernetes cluster will pull such image. + +```shell + docker build --tag https-demo:armv7 . +``` +```text +docker build --tag https-demo:armv7 . 
--no-cache +[+] Building 16.5s (8/8) FINISHED + => [internal] load .dockerignore 0.0s + => => transferring context: 2B 0.0s + => [internal] load build definition from Dockerfile 0.0s + => => transferring dockerfile: 1.09kB 0.0s + => [internal] load metadata for docker.io/ubuntu/apache2:latest 0.4s + => CACHED [1/4] FROM docker.io/ubuntu/apache2@sha256:0a5e7179fa8fccf17843a8862e58ac783628b7d448cd68fda8fb1e 0.0s + => [2/4] RUN apt-get update && apt-get install apache2 openssl -y && a2ensite default-ssl && a2enmod ssl & 12.0s + => [3/4] RUN /usr/bin/printf "\n ServerAdmin webmaster@localhost\n DocumentRoot /var/www/ 0.7s + => [4/4] RUN openssl req -x509 -sha256 -nodes -days 358000 -subj '/O=SSL EXAMPLE' -newkey rsa:2048 -keyout 2.4s + => exporting to image 1.0s + => => exporting layers 1.0s + => => writing image sha256:591c6d233100a48bf132eef7a792942cfd0b7057817c4ac5e156c1d33e24cd89 0.0s + => => naming to docker.io/library/https-demo:armv7 0.0s +``` + +## Tag the image + +```shell +docker image tag https-demo:armv7 registery.filter.home/https-demo:armv7 +``` + +## Upload to the registery server + +```text +docker image push registery.filter.home:5000/https-demo:armv7 +The push refers to repository [registery.filter.home:5000/https-demo] +c6d858706b08: Pushed +9e077e0202f0: Pushed +6ffc708d0cf3: Pushed +69e01b4bf4d7: Pushed +17c5b30f3843: Pushed +0b9f60fbcaf1: Pushed +armv7: digest: sha256:d8c81c27f23bf3945ae8a794c82182f9e6c48ec927f388fdf4a88caa0e284bd1 size: 1578 +``` + + + +## ? +curl: (35) OpenSSL/3.0.8: error:0A00010B:SSL routines::wrong version numbe + + + + + +--- + + +Has apache2 installed with a default certificate. + +Port 80 visible for HTTP + +Port 443 visible for HTTPS. 
+ + + + +curl https:/192.168.1.2:8443 -s -o=/dev/null -w 'http_version: %{http_version}\nstatus_code: %{response_code}\n' -HHOST:http1.lb --http2 -k +http_version: 2 +status_code: 200 + + + +```shell +curl --insecure --resolve lb.net:80:192.168.1.50 http://lb.net +``` + +```shell +curl --insecure --resolve lb.net:443:192.168.1.50 https://lb.net +``` diff --git a/Istio/02-Traffic_management/XX-HTTP2-gateway-made-it-work/authentication.yaml b/Istio/02-Traffic_management/XX-HTTP2-gateway-made-it-work/authentication.yaml new file mode 100644 index 0000000..7553d94 --- /dev/null +++ b/Istio/02-Traffic_management/XX-HTTP2-gateway-made-it-work/authentication.yaml @@ -0,0 +1,8 @@ +apiVersion: security.istio.io/v1beta1 +kind: PeerAuthentication +metadata: + name: default-mtls + namespace: default +spec: + mtls: + mode: PERMISSIVE diff --git a/Istio/02-Traffic_management/XX-HTTP2-gateway-made-it-work/deployment.yaml b/Istio/02-Traffic_management/XX-HTTP2-gateway-made-it-work/deployment.yaml new file mode 100755 index 0000000..afeb40d --- /dev/null +++ b/Istio/02-Traffic_management/XX-HTTP2-gateway-made-it-work/deployment.yaml 
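Review bot: `mode: PERMISSIVE` on this PeerAuthentication lets sidecars accept plaintext as well as mTLS, and the file gives no reason for relaxing it. It looks like it is paired with the DestinationRule in gateway.yaml, whose `tls: mode: DISABLE` on port 8080 sends the gateway-to-pod hop in cleartext and would be refused under STRICT; if that is the dependency, a comment such as `# PERMISSIVE is required: the helloworld DestinationRule disables mTLS on 8080` stops someone tightening this to STRICT without also changing the rule. Because there is no `selector`, the policy applies to every workload in `default`, not only helloworld, which is worth stating too.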
@@ -0,0 +1,80 @@ +apiVersion: v1 +kind: Service +metadata: + name: helloworld + labels: + app: helloworld + service: helloworld +spec: + ports: + - port: 8080 + name: http-s + targetPort: 80 + protocol: TCP + appProtocol: HTTP + + - port: 8443 + name: https + targetPort: 443 + protocol: TCP + appProtocol: https + selector: + app: helloworld +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: helloworld-nginx + labels: + app: helloworld +spec: + replicas: 1 + selector: + matchLabels: + app: helloworld + template: + metadata: + labels: + app: helloworld + sidecar.istio.io/inject: "true" + spec: + containers: + - name: helloworld + image: oriolfilter/https-apache-demo:armv7 + resources: + requests: + cpu: "100m" + imagePullPolicy: Always #Always + ports: + - containerPort: 80 + - containerPort: 443 +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: nginx + labels: + app: nginx + version: v1 +spec: + replicas: 1 + selector: + matchLabels: + app: nginx + version: v1 + template: + metadata: + labels: + app: nginx + version: v1 + spec: + # serviceAccountName: istio-helloworld + containers: + - name: nginx + image: nginx + resources: + requests: + cpu: "100m" + imagePullPolicy: IfNotPresent + ports: + - containerPort: 80 \ No newline at end of file diff --git a/Istio/02-Traffic_management/XX-HTTP2-gateway-made-it-work/gateway.yaml b/Istio/02-Traffic_management/XX-HTTP2-gateway-made-it-work/gateway.yaml new file mode 100755 index 0000000..1fe0fa3 --- /dev/null +++ b/Istio/02-Traffic_management/XX-HTTP2-gateway-made-it-work/gateway.yaml 
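Review bot: Both containers pull by mutable tag — `oriolfilter/https-apache-demo:armv7` with `imagePullPolicy: Always`, and `nginx` with no tag at all — so what runs is whatever the registry serves at pull time; pinning by digest (`image: nginx@sha256:<digest-placeholder>`) or at least a fixed version tag makes the demo reproducible. The second Deployment (`nginx`, labels `app: nginx`) is not matched by the `helloworld` Service (`selector: app: helloworld`) and is never referenced by the VirtualService, so it appears unused and should either be dropped or carry a comment saying what it is for. The README in this directory builds and pushes `registery.filter.home:5000/https-demo:armv7`, not the `oriolfilter/https-apache-demo` image the manifest pulls; one of the two should be corrected or the difference explained. The copy under `XX-HTTPS-backend/` is byte-identical (blob `afeb40d`).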
@@ -0,0 +1,118 @@ +apiVersion: networking.istio.io/v1alpha3 +kind: Gateway +metadata: + name: helloworld-gateway +spec: + selector: +# istio: myingressgateway + istio: ingressgateway + servers: +# - port: +# number: 443 +# name: secure-http2 +# protocol: HTTP2 +# hosts: +# - "*" + - port: + number: 80 + name: http2-i + protocol: HTTP2 + hosts: + - "*" + - port: + number: 443 + name: https-i + protocol: HTTPS + hosts: + - "*" + tls: + credentialName: my-tls-cert-secret + minProtocolVersion: TLSV1_2 +# + mode: SIMPLE +--- +apiVersion: networking.istio.io/v1alpha3 +kind: VirtualService +metadata: + name: helloworld-vs +spec: + hosts: + - "*" + gateways: + - helloworld-gateway + http: + - name: http-vs + match: + - port: 80 + route: + - destination: + host: helloworld.default.svc.cluster.local + port: + number: 8080 + - name: https-vs + match: + - port: 443 + route: + - destination: + host: helloworld.default.svc.cluster.local + port: + number: 8443 +--- +apiVersion: networking.istio.io/v1alpha3 +kind: DestinationRule +metadata: + name: helloworld + namespace: default +spec: + host: helloworld.default.svc.cluster.local + trafficPolicy: + portLevelSettings: + - port: + number: 8080 + tls: + mode: DISABLE + + - port: + number: 8443 + tls: +# credentialName: client-credential + mode: SIMPLE + +# port: +# name: https-backend +# number: 8443 +# protocol: HTTPS +# tls: +# credentialName: my-tls-cert-secret +# mode: SIMPLE +# tcp: +## - match: +## - port: 80 +## route: +## - destination: +## host: helloworld +## port: +## number: 8080 +## - match: +## - port: 443 +# - route: +# - destination: +# host: helloworld +# port: +# number: 8443 +# +# tls: +# - match: +# - port: 443 +# sniHosts: +# - "hello.si" +## - uri: +## exact: /helloworld +# route: +# - destination: +# host: helloworld +# port: +# number: 8443 +## protocol: HTTPS +## rewrite: +## uri: "/" \ No newline at end of file 
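Review bot: The DestinationRule's port-8443 entry sets `tls: mode: SIMPLE` with no `caCertificates` (only a commented-out `credentialName`), so the sidecar has nothing to validate the backend's self-signed certificate against; depending on the Istio version the origination either runs unverified or fails, and whichever is relied on here should be stated in a comment. The port-80 server uses `protocol: HTTP2`, i.e. cleartext h2c on the public listener, while only the 443 server carries `minProtocolVersion: TLSV1_2`; if the plaintext listener exists only for the HTTP/1.0 → 426 tests in the README, a comment next to it should say so. Roughly half the file is commented-out alternatives (the `myingressgateway` selector, a second 443 server, a `tcp:`/`tls:` routing block), which makes the live configuration hard to read; they are better removed or moved into the README's changelog. `XX-HTTPS-backend/gateway.yaml` in this commit is a byte-identical copy (blob `1fe0fa3`).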
diff --git a/Istio/02-Traffic_management/XX-HTTP2-gateway-made-it-work/ingress.yaml b/Istio/02-Traffic_management/XX-HTTP2-gateway-made-it-work/ingress.yaml new file mode 100644 index 0000000..850c2eb --- /dev/null +++ b/Istio/02-Traffic_management/XX-HTTP2-gateway-made-it-work/ingress.yaml @@ -0,0 +1,29 @@ +apiVersion: install.istio.io/v1alpha1 +kind: IstioOperator +metadata: + name: ingress +spec: + profile: empty # Do not install CRDs or the control plane + components: + ingressGateways: + - name: myistio-ingressgateway + namespace: istio-ingress + enabled: true + label: + istio: myingressgateway + k8s: + service: + ports: + - name: https-ingress + port: 443 + protocol: TCP + targetPort: 1055 + - name: http-ingress + port: 80 + protocol: TCP + targetPort: 1085 + + values: + gateways: + istio-ingressgateway: + injectionTemplate: gateway diff --git a/Istio/02-Traffic_management/XX-HTTP2-gateway-made-it-work/server.conf b/Istio/02-Traffic_management/XX-HTTP2-gateway-made-it-work/server.conf new file mode 100644 index 0000000..1b7c17a --- /dev/null +++ b/Istio/02-Traffic_management/XX-HTTP2-gateway-made-it-work/server.conf @@ -0,0 +1,37 @@ +server { + listen 80; +# rewrite ^ https://$server_name$request_uri? permanent; + + server_name lb.net; + + access_log /var/log/nginx/access.log; + error_log /var/log/nginx/error.log info; + + add_header Strict-Transport-Security "max-age=7200"; + + root /var/www/html; + index index.html; +} + +server { + listen 443 ssl default_server http2; + + ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3; + + ssl_ciphers ALL:!aNULL:!ADH:!eNULL:!LOW:!EXP:RC4+RSA:+HIGH:+MEDIUM; + + server_name lb.net; + + access_log /var/log/nginx/access.log; + error_log /var/log/nginx/error.log info; + + ssl on; + ssl_certificate /cert.crt; + ssl_certificate_key /cert.key; + ssl_session_timeout 5m; + + add_header Strict-Transport-Security "max-age=7200"; + + root /var/www/html; + index index.html; +} \ No newline at end of file 
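Review bot: The gateway this IstioOperator creates is labelled `istio: myingressgateway` in namespace `istio-ingress`, but the Gateway in gateway.yaml selects `istio: ingressgateway` (its `myingressgateway` selector is commented out), so as committed this ingress is never bound to the demo and nothing in the README applies it; either wire it up or add a comment at the top marking the file as optional. The `targetPort` values `1055` and `1085` are unusual for an Istio ingress (the stock gateway listens on 8080/8443) and deserve a comment on how the gateway pod is configured to listen there.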
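Review bot: `ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3;` re-enables the deprecated TLS 1.0/1.1 on the backend while the Gateway in the same commit enforces `minProtocolVersion: TLSV1_2` at the edge; the backend should match with `ssl_protocols TLSv1.2 TLSv1.3;`. The cipher string `ALL:!aNULL:!ADH:!eNULL:!LOW:!EXP:RC4+RSA:+HIGH:+MEDIUM` explicitly admits RC4 and MEDIUM-strength suites; `ssl_ciphers HIGH:!aNULL:!MD5;` is the usual modern baseline. `ssl on;` is redundant with `listen 443 ssl` and has been removed from recent nginx releases, so with the untagged `FROM nginx` base the container can fail to start on a newer image; delete that line. The `Strict-Transport-Security` header is also emitted from the port-80 server block, where browsers ignore it over plain HTTP.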
diff --git a/Istio/02-Traffic_management/XX-HTTPS-backend/README.md b/Istio/02-Traffic_management/XX-HTTPS-backend/README.md new file mode 100644 index 0000000..ad5fd8a --- /dev/null +++ b/Istio/02-Traffic_management/XX-HTTPS-backend/README.md 
@@ -0,0 +1,311 @@ +--- +gitea: none +include_toc: true +--- + +# Based on + +- [08a-HTTPS-min-TLS-version](../08a-HTTPS-min-TLS-version) + +# Description + +The previous example was modified set the gateway to enable for HTTP2 traffic. + +https://stackoverflow.com/a/59610581 + + +# Changelog + +## Gateway + +```yaml +apiVersion: networking.istio.io/v1alpha3 +kind: Gateway +metadata: + name: helloworld-gateway +spec: + selector: + istio: ingressgateway + servers: + - port: + number: 443 + name: secure-http2 + protocol: HTTP2 + hosts: + - "*" + tls: + mode: SIMPLE + credentialName: my-tls-cert-secret + minProtocolVersion: TLSV1_2 +``` + +`` + +# Walkthrough + + +## Generate client and server certificate and key files + +First step will be to generate the certificate and key files to be able to set them to the Gateway resource. + +### Create a folder to store files. + +Create the folder to contain the files that will be generated. + +```shell +mkdir certfolder +``` + +### Create a certificate and a private key. + +```shell +openssl req -x509 -sha256 -nodes -days 365 -subj '/O=Internet of things/CN=lb.net' -newkey rsa:2048 -keyout certfolder/istio.cert.key -out certfolder/istio.cert.crt +``` + +The files generated are the following: + +```yaml +private-key: certfolder/istio.cert.key +root-certificate: certfolder/istio.cert.crt +``` + +The information set to the certificate generated is the following: + +```yaml +Organization-name: Internet of things +CN: lb.net +``` + +### Create a TLS secret + +At this step we create the tls secret `my-tls-cert-secret` on the namespace `istio-system`. 
+ +```shell +kubectl create -n istio-system secret tls my-tls-cert-secret \ + --key=certfolder/istio.cert.key \ + --cert=certfolder/istio.cert.crt +``` +```text +secret/my-tls-cert-secret created +``` +```text +service/helloworld created +deployment.apps/helloworld-nginx created +gateway.networking.istio.io/helloworld-gateway created +virtualservice.networking.istio.io/helloworld-vs created +``` + +> **Note:**\ +> It's Important that the secret is located in the same namespace as the Load Balancer used. In my case is the `istio-system`, but it will vary based on the environment. + + +## Deploy resources + +```shell +kubectl apply -f ./ +``` +```text +service/helloworld created +deployment.apps/helloworld-nginx created +gateway.networking.istio.io/helloworld-gateway created +virtualservice.networking.istio.io/helloworld-vs created +``` + +## Test the service +### http2 +#### Curl HTTP1 + +```shell +curl 192.168.1.50/helloworld -s -o=/dev/null -w 'http_version: %{http_version}\nstatus_code: %{response_code}\n' -HHOST:http2.lb --http1.0 +``` +```text +http_version: 1.1 +status_code: 426 +``` + +#### Curl HTTP1.1 + +```shell +curl 192.168.1.50/helloworld -s -o=/dev/null -w 'http_version: %{http_version}\nstatus_code: %{response_code}\n' -HHOST:http2.lb --http1.1 +``` +```text +http_version: 1.1 +status_code: 200 +``` + +#### Curl HTTP2 + +```shell +curl 192.168.1.50/helloworld -s -o=/dev/null -w 'http_version: %{http_version}\nstatus_code: %{response_code}\n' -HHOST:http2.lb --http2 +``` +```text +http_version: 1.1 +status_code: 200 +``` + +### http1-web + +#### Curl HTTP1 + +```shell +curl 192.168.1.50/helloworld -s -o=/dev/null -w 'http_version: %{http_version}\nstatus_code: %{response_code}\n' -HHOST:http1.lb --http1.0 +``` +```text +http_version: 1.1 +status_code: 426 +``` + +#### Curl HTTP1.1 + +```shell +curl 192.168.1.50/helloworld -s -o=/dev/null -w 'http_version: %{http_version}\nstatus_code: %{response_code}\n' -HHOST:http1.lb --http1.1 +``` +```text 
+http_version: 1.1 +status_code: 200 +``` + +#### Curl HTTP2 + +```shell +curl 192.168.1.50/helloworld -s -o=/dev/null -w 'http_version: %{http_version}\nstatus_code: %{response_code}\n' -HHOST:http1.lb --http2 +``` +```text +http_version: 1.1 +status_code: 200 +``` + +## Cleanup + +```shell +kubectl delete -f ./ +``` + +```text +service "helloworld" deleted +deployment.apps "helloworld-nginx" deleted +gateway.networking.istio.io "helloworld-gateway" deleted +virtualservice.networking.istio.io "helloworld-vs" deleted +``` + +# Links of Interest + +- https://istio.io/latest/docs/reference/config/networking/gateway/#ServerTLSSettings-TLSProtocol + +- https://stackoverflow.com/a/51279606 + +- https://istio.io/latest/docs/reference/config/networking/destination-rule/#ConnectionPoolSettings-HTTPSettings-H2UpgradePolicy + + + +docker buildx build --push --platform linux/arm/v7,linux/arm64/v8,linux/amd64 --tag registery.filter.home:5000/https-demo:latest -f Dockerfile + + +docker buildx build --push --platform linux/arm/v7,linux/arm64/v8,linux/amd64 --tag registery.filter.home:5000/https-demo:latest . +[+] Building 0.0s (0/0) +ERROR: multiple platforms feature is currently not supported for docker driver. Please switch to a different driver (eg. "docker buildx create --use") + +--- +## Create the Dockerfile + +```bash +FROM ubuntu/apache2 + +RUN apt-get update && \ +apt-get install apache2 openssl -y && \ +a2ensite default-ssl && \ +a2enmod ssl && \ +echo "

Howdy

" | tee /var/www/html/index.html + +RUN /usr/bin/printf "\n\ + ServerAdmin webmaster@localhost\n\ + DocumentRoot /var/www/html\n\ + ErrorLog \${APACHE_LOG_DIR}/error.log\n\ + CustomLog \${APACHE_LOG_DIR}/access.log combined\n\ +\n\ +\n\ + ServerAdmin webmaster@localhost\n\ + DocumentRoot /var/www/html\n\ + ErrorLog \${APACHE_LOG_DIR}/error.log\n\ + CustomLog \${APACHE_LOG_DIR}/access.log combined\n\ + SSLEngine on\n\ + SSLCertificateFile /etc/ssl/certs/ssl-cert-snakeoil.pem\n\ + SSLCertificateKeyFile /etc/ssl/private/ssl-cert-snakeoil.key\n\ +" > /etc/apache2/sites-available/000-default.conf + +RUN openssl req -x509 -sha256 -nodes -days 358000 -subj '/O=SSL EXAMPLE/CN=lb.net' -newkey rsa:2048 -keyout /etc/ssl/private/ssl-cert-snakeoil.key -out /etc/ssl/certs/ssl-cert-snakeoil.pem +``` + +## Build the image + +Due to my Kubernetes cluster environment, where I am using Orange 5, their architecture is arm7, and for such, I require to compile such images. + +For my own commodity, I have used a raspberry pi 4 to build this images. + +The images where pushed to a local registry server, and afterwards the Kubernetes cluster will pull such image. + +```shell + docker build --tag https-demo:armv7 . +``` +```text +docker build --tag https-demo:armv7 . 
--no-cache +[+] Building 16.5s (8/8) FINISHED + => [internal] load .dockerignore 0.0s + => => transferring context: 2B 0.0s + => [internal] load build definition from Dockerfile 0.0s + => => transferring dockerfile: 1.09kB 0.0s + => [internal] load metadata for docker.io/ubuntu/apache2:latest 0.4s + => CACHED [1/4] FROM docker.io/ubuntu/apache2@sha256:0a5e7179fa8fccf17843a8862e58ac783628b7d448cd68fda8fb1e 0.0s + => [2/4] RUN apt-get update && apt-get install apache2 openssl -y && a2ensite default-ssl && a2enmod ssl & 12.0s + => [3/4] RUN /usr/bin/printf "\n ServerAdmin webmaster@localhost\n DocumentRoot /var/www/ 0.7s + => [4/4] RUN openssl req -x509 -sha256 -nodes -days 358000 -subj '/O=SSL EXAMPLE' -newkey rsa:2048 -keyout 2.4s + => exporting to image 1.0s + => => exporting layers 1.0s + => => writing image sha256:591c6d233100a48bf132eef7a792942cfd0b7057817c4ac5e156c1d33e24cd89 0.0s + => => naming to docker.io/library/https-demo:armv7 0.0s +``` + +## Tag the image + +```shell +docker image tag https-demo:armv7 registery.filter.home/https-demo:armv7 +``` + +## Upload to the registery server + +```text +docker image push registery.filter.home:5000/https-demo:armv7 +The push refers to repository [registery.filter.home:5000/https-demo] +c6d858706b08: Pushed +9e077e0202f0: Pushed +6ffc708d0cf3: Pushed +69e01b4bf4d7: Pushed +17c5b30f3843: Pushed +0b9f60fbcaf1: Pushed +armv7: digest: sha256:d8c81c27f23bf3945ae8a794c82182f9e6c48ec927f388fdf4a88caa0e284bd1 size: 1578 +``` + + + +## ? +curl: (35) OpenSSL/3.0.8: error:0A00010B:SSL routines::wrong version numbe + + + + + +--- + + +Has apache2 installed with a default certificate. + +Port 80 visible for HTTP + +Port 443 visible for HTTPS. + + + + +curl https://192.168.1.2:8443 -s -o=/dev/null -w 'http_version: %{http_version}\nstatus_code: %{response_code}\n' -HHOST:http1.lb --http2 -k +http_version: 2 +status_code: 200 \ No newline at end of file 
diff --git a/Istio/02-Traffic_management/XX-HTTPS-backend/deployment.yaml b/Istio/02-Traffic_management/XX-HTTPS-backend/deployment.yaml new file mode 100755 index 0000000..afeb40d --- /dev/null +++ b/Istio/02-Traffic_management/XX-HTTPS-backend/deployment.yaml @@ -0,0 +1,80 @@ +apiVersion: v1 +kind: Service +metadata: + name: helloworld + labels: + app: helloworld + service: helloworld +spec: + ports: + - port: 8080 + name: http-s + targetPort: 80 + protocol: TCP + appProtocol: HTTP + + - port: 8443 + name: https + targetPort: 443 + protocol: TCP + appProtocol: https + selector: + app: helloworld +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: helloworld-nginx + labels: + app: helloworld +spec: + replicas: 1 + selector: + matchLabels: + app: helloworld + template: + metadata: + labels: + app: helloworld + sidecar.istio.io/inject: "true" + spec: + containers: + - name: helloworld + image: oriolfilter/https-apache-demo:armv7 + resources: + requests: + cpu: "100m" + imagePullPolicy: Always #Always + ports: + - containerPort: 80 + - containerPort: 443 +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: nginx + labels: + app: nginx + version: v1 +spec: + replicas: 1 + selector: + matchLabels: + app: nginx + version: v1 + template: + metadata: + labels: + app: nginx + version: v1 + spec: + # serviceAccountName: istio-helloworld + containers: + - name: nginx + image: nginx + resources: + requests: + cpu: "100m" + imagePullPolicy: IfNotPresent + ports: + - containerPort: 80 \ No newline at end of file diff --git a/Istio/02-Traffic_management/XX-HTTPS-backend/gateway.yaml b/Istio/02-Traffic_management/XX-HTTPS-backend/gateway.yaml new file mode 100755 index 0000000..1fe0fa3 --- /dev/null +++ b/Istio/02-Traffic_management/XX-HTTPS-backend/gateway.yaml 
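Review bot: Later edits to this file will be silently ignored by git, because the same commit adds `/Istio/02-Traffic_management/XX-HTTPS-backend/` to `.gitignore` while committing files under it; the directory is tracked once and then excluded from `git status`, so either drop the ignore rule or do not commit the directory. The manifest itself is byte-identical to `XX-HTTP2-gateway-made-it-work/deployment.yaml` (blob `afeb40d`), as is the sibling gateway.yaml (`1fe0fa3`), so the points raised on those files apply here unchanged.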
@@ -0,0 +1,118 @@ +apiVersion: networking.istio.io/v1alpha3 +kind: Gateway +metadata: + name: helloworld-gateway +spec: + selector: +# istio: myingressgateway + istio: ingressgateway + servers: +# - port: +# number: 443 +# name: secure-http2 +# protocol: HTTP2 +# hosts: +# - "*" + - port: + number: 80 + name: http2-i + protocol: HTTP2 + hosts: + - "*" + - port: + number: 443 + name: https-i + protocol: HTTPS + hosts: + - "*" + tls: + credentialName: my-tls-cert-secret + minProtocolVersion: TLSV1_2 +# + mode: SIMPLE +--- +apiVersion: networking.istio.io/v1alpha3 +kind: VirtualService +metadata: + name: helloworld-vs +spec: + hosts: + - "*" + gateways: + - helloworld-gateway + http: + - name: http-vs + match: + - port: 80 + route: + - destination: + host: helloworld.default.svc.cluster.local + port: + number: 8080 + - name: https-vs + match: + - port: 443 + route: + - destination: + host: helloworld.default.svc.cluster.local + port: + number: 8443 +--- +apiVersion: networking.istio.io/v1alpha3 +kind: DestinationRule +metadata: + name: helloworld + namespace: default +spec: + host: helloworld.default.svc.cluster.local + trafficPolicy: + portLevelSettings: + - port: + number: 8080 + tls: + mode: DISABLE + + - port: + number: 8443 + tls: +# credentialName: client-credential + mode: SIMPLE + +# port: +# name: https-backend +# number: 8443 +# protocol: HTTPS +# tls: +# credentialName: my-tls-cert-secret +# mode: SIMPLE +# tcp: +## - match: +## - port: 80 +## route: +## - destination: +## host: helloworld +## port: +## number: 8080 +## - match: +## - port: 443 +# - route: +# - destination: +# host: helloworld +# port: +# number: 8443 +# +# tls: +# - match: +# - port: 443 +# sniHosts: +# - "hello.si" +## - uri: +## exact: /helloworld +# route: +# - destination: +# host: helloworld +# port: +# number: 8443 +## protocol: HTTPS +## rewrite: +## uri: "/" \ No newline at end of file 
diff --git a/Istio/02-Traffic_management/__XX-TLS-PASSTHROUGH/Dockerfile b/Istio/02-Traffic_management/__XX-TLS-PASSTHROUGH/Dockerfile new file mode 100644 index 0000000..e3df53b --- /dev/null +++ b/Istio/02-Traffic_management/__XX-TLS-PASSTHROUGH/Dockerfile @@ -0,0 +1,13 @@ +FROM nginx + +ADD server.conf /etc/nginx/conf.d/default.conf + +# RUN apt-get update && \ +# apt-get install apache2 openssl -y && \ +# a2ensite default-ssl && \ +# a2enmod ssl && \ + +RUN mkdir -p /var/www/html +RUN echo "

Howdy

" | tee /var/www/html/index.html + +RUN openssl req -x509 -sha256 -nodes -days 358000 -subj '/O=SSL EXAMPLE/CN=lb.net' -newkey rsa:2048 -keyout /cert.key -out /cert.crt \ No newline at end of file diff --git a/Istio/02-Traffic_management/__XX-TLS-PASSTHROUGH/README.md b/Istio/02-Traffic_management/__XX-TLS-PASSTHROUGH/README.md new file mode 100644 index 0000000..611f8be --- /dev/null +++ b/Istio/02-Traffic_management/__XX-TLS-PASSTHROUGH/README.md 
@@ -0,0 +1,325 @@ +--- +gitea: none +include_toc: true +--- + +# Based on + +- [08a-HTTPS-min-TLS-version](../08a-HTTPS-min-TLS-version) + +# Description + +The previous example was modified set the gateway to enable for HTTP2 traffic. + +https://stackoverflow.com/a/59610581 + + +# Changelog + +## Gateway + +```yaml +apiVersion: networking.istio.io/v1alpha3 +kind: Gateway +metadata: + name: helloworld-gateway +spec: + selector: + istio: ingressgateway + servers: + - port: + number: 443 + name: secure-http2 + protocol: HTTP2 + hosts: + - "*" + tls: + mode: SIMPLE + credentialName: my-tls-cert-secret + minProtocolVersion: TLSV1_2 +``` + +`` + +# Walkthrough + + +## Generate client and server certificate and key files + +First step will be to generate the certificate and key files to be able to set them to the Gateway resource. + +### Create a folder to store files. + +Create the folder to contain the files that will be generated. + +```shell +mkdir certfolder +``` + +### Create a certificate and a private key. + +```shell +openssl req -x509 -sha256 -nodes -days 365 -subj '/O=Internet of things/CN=lb.net' -newkey rsa:2048 -keyout certfolder/istio.cert.key -out certfolder/istio.cert.crt +``` + +The files generated are the following: + +```yaml +private-key: certfolder/istio.cert.key +root-certificate: certfolder/istio.cert.crt +``` + +The information set to the certificate generated is the following: + +```yaml +Organization-name: Internet of things +CN: lb.net +``` + +### Create a TLS secret + +At this step we create the tls secret `my-tls-cert-secret` on the namespace `istio-system`. 
+ +```shell +kubectl create -n istio-system secret tls my-tls-cert-secret \ + --key=certfolder/istio.cert.key \ + --cert=certfolder/istio.cert.crt +``` +```text +secret/my-tls-cert-secret created +``` +```text +service/helloworld created +deployment.apps/helloworld-nginx created +gateway.networking.istio.io/helloworld-gateway created +virtualservice.networking.istio.io/helloworld-vs created +``` + +> **Note:**\ +> It's Important that the secret is located in the same namespace as the Load Balancer used. In my case is the `istio-system`, but it will vary based on the environment. + + +## Deploy resources + +```shell +kubectl apply -f ./ +``` +```text +service/helloworld created +deployment.apps/helloworld-nginx created +gateway.networking.istio.io/helloworld-gateway created +virtualservice.networking.istio.io/helloworld-vs created +``` + +## Test the service +### http2 +#### Curl HTTP1 + +```shell +curl 192.168.1.50/helloworld -s -o=/dev/null -w 'http_version: %{http_version}\nstatus_code: %{response_code}\n' -HHOST:http2.lb --http1.0 +``` +```text +http_version: 1.1 +status_code: 426 +``` + +#### Curl HTTP1.1 + +```shell +curl 192.168.1.50/helloworld -s -o=/dev/null -w 'http_version: %{http_version}\nstatus_code: %{response_code}\n' -HHOST:http2.lb --http1.1 +``` +```text +http_version: 1.1 +status_code: 200 +``` + +#### Curl HTTP2 + +```shell +curl 192.168.1.50/helloworld -s -o=/dev/null -w 'http_version: %{http_version}\nstatus_code: %{response_code}\n' -HHOST:http2.lb --http2 +``` +```text +http_version: 1.1 +status_code: 200 +``` + +### http1-web + +#### Curl HTTP1 + +```shell +curl 192.168.1.50/helloworld -s -o=/dev/null -w 'http_version: %{http_version}\nstatus_code: %{response_code}\n' -HHOST:http1.lb --http1.0 +``` +```text +http_version: 1.1 +status_code: 426 +``` + +#### Curl HTTP1.1 + +```shell +curl 192.168.1.50/helloworld -s -o=/dev/null -w 'http_version: %{http_version}\nstatus_code: %{response_code}\n' -HHOST:http1.lb --http1.1 +``` +```text 
+http_version: 1.1 +status_code: 200 +``` + +#### Curl HTTP2 + +```shell +curl 192.168.1.50/helloworld -s -o=/dev/null -w 'http_version: %{http_version}\nstatus_code: %{response_code}\n' -HHOST:http1.lb --http2 +``` +```text +http_version: 1.1 +status_code: 200 +``` + +## Cleanup + +```shell +kubectl delete -f ./ +``` + +```text +service "helloworld" deleted +deployment.apps "helloworld-nginx" deleted +gateway.networking.istio.io "helloworld-gateway" deleted +virtualservice.networking.istio.io "helloworld-vs" deleted +``` + +# Links of Interest + +- https://istio.io/latest/docs/reference/config/networking/gateway/#ServerTLSSettings-TLSProtocol + +- https://stackoverflow.com/a/51279606 + +- https://istio.io/latest/docs/reference/config/networking/destination-rule/#ConnectionPoolSettings-HTTPSettings-H2UpgradePolicy + + + +docker buildx build --push --platform linux/arm/v7,linux/arm64/v8,linux/amd64 --tag registery.filter.home:5000/https-demo:latest -f Dockerfile + + +docker buildx build --push --platform linux/arm/v7,linux/arm64/v8,linux/amd64 --tag registery.filter.home:5000/https-demo:latest . +[+] Building 0.0s (0/0) +ERROR: multiple platforms feature is currently not supported for docker driver. Please switch to a different driver (eg. "docker buildx create --use") + +--- +## Create the Dockerfile + +```bash +FROM ubuntu/apache2 + +RUN apt-get update && \ +apt-get install apache2 openssl -y && \ +a2ensite default-ssl && \ +a2enmod ssl && \ +echo "

Howdy

" | tee /var/www/html/index.html + +RUN /usr/bin/printf "\n\ + ServerAdmin webmaster@localhost\n\ + DocumentRoot /var/www/html\n\ + ErrorLog \${APACHE_LOG_DIR}/error.log\n\ + CustomLog \${APACHE_LOG_DIR}/access.log combined\n\ +\n\ +\n\ + ServerAdmin webmaster@localhost\n\ + DocumentRoot /var/www/html\n\ + ErrorLog \${APACHE_LOG_DIR}/error.log\n\ + CustomLog \${APACHE_LOG_DIR}/access.log combined\n\ + SSLEngine on\n\ + SSLCertificateFile /etc/ssl/certs/ssl-cert-snakeoil.pem\n\ + SSLCertificateKeyFile /etc/ssl/private/ssl-cert-snakeoil.key\n\ +" > /etc/apache2/sites-available/000-default.conf + +RUN openssl req -x509 -sha256 -nodes -days 358000 -subj '/O=SSL EXAMPLE/CN=lb.net' -newkey rsa:2048 -keyout /etc/ssl/private/ssl-cert-snakeoil.key -out /etc/ssl/certs/ssl-cert-snakeoil.pem +``` + +## Build the image + +Due to my Kubernetes cluster environment, where I am using Orange 5, their architecture is arm7, and for such, I require to compile such images. + +For my own commodity, I have used a raspberry pi 4 to build this images. + +The images where pushed to a local registry server, and afterwards the Kubernetes cluster will pull such image. + +```shell + docker build --tag https-demo:armv7 . +``` +```text +docker build --tag https-demo:armv7 . 
--no-cache +[+] Building 16.5s (8/8) FINISHED + => [internal] load .dockerignore 0.0s + => => transferring context: 2B 0.0s + => [internal] load build definition from Dockerfile 0.0s + => => transferring dockerfile: 1.09kB 0.0s + => [internal] load metadata for docker.io/ubuntu/apache2:latest 0.4s + => CACHED [1/4] FROM docker.io/ubuntu/apache2@sha256:0a5e7179fa8fccf17843a8862e58ac783628b7d448cd68fda8fb1e 0.0s + => [2/4] RUN apt-get update && apt-get install apache2 openssl -y && a2ensite default-ssl && a2enmod ssl & 12.0s + => [3/4] RUN /usr/bin/printf "\n ServerAdmin webmaster@localhost\n DocumentRoot /var/www/ 0.7s + => [4/4] RUN openssl req -x509 -sha256 -nodes -days 358000 -subj '/O=SSL EXAMPLE' -newkey rsa:2048 -keyout 2.4s + => exporting to image 1.0s + => => exporting layers 1.0s + => => writing image sha256:591c6d233100a48bf132eef7a792942cfd0b7057817c4ac5e156c1d33e24cd89 0.0s + => => naming to docker.io/library/https-demo:armv7 0.0s +``` + +## Tag the image + +```shell +docker image tag https-demo:armv7 registery.filter.home/https-demo:armv7 +``` + +## Upload to the registery server + +```text +docker image push registery.filter.home:5000/https-demo:armv7 +The push refers to repository [registery.filter.home:5000/https-demo] +c6d858706b08: Pushed +9e077e0202f0: Pushed +6ffc708d0cf3: Pushed +69e01b4bf4d7: Pushed +17c5b30f3843: Pushed +0b9f60fbcaf1: Pushed +armv7: digest: sha256:d8c81c27f23bf3945ae8a794c82182f9e6c48ec927f388fdf4a88caa0e284bd1 size: 1578 +``` + + + +## ? +curl: (35) OpenSSL/3.0.8: error:0A00010B:SSL routines::wrong version numbe + + + + + +--- + + +Has apache2 installed with a default certificate. + +Port 80 visible for HTTP + +Port 443 visible for HTTPS. 
+ + + + +curl https://192.168.1.2:8443 -s -o=/dev/null -w 'http_version: %{http_version}\nstatus_code: %{response_code}\n' -HHOST:http1.lb --http2 -k +http_version: 2 +status_code: 200 + +# Recv failure: Connection reset by peer + +```shell +kubectl apply -f ./ +``` + +```shell +curl --insecure --resolve lb.net:80:192.168.1.50 http://lb.net +``` + +```shell +curl --insecure --resolve lb.net:443:192.168.1.50 https://lb.net +``` diff --git a/Istio/02-Traffic_management/__XX-TLS-PASSTHROUGH/authentication.yaml b/Istio/02-Traffic_management/__XX-TLS-PASSTHROUGH/authentication.yaml new file mode 100644 index 0000000..da9883d --- /dev/null +++ b/Istio/02-Traffic_management/__XX-TLS-PASSTHROUGH/authentication.yaml @@ -0,0 +1,11 @@ +apiVersion: security.istio.io/v1beta1 +kind: PeerAuthentication +metadata: + name: default-mtls + namespace: default +spec: + mtls: + mode: DISABLE + + +#curl -v --resolve ":$SECURE_INGRESS_PORT:$INGRESS_HOST" --cacert example_certs/example.com.crt "https://nginx.example.com:$SECURE_INGRESS_PORT" diff --git a/Istio/02-Traffic_management/__XX-TLS-PASSTHROUGH/bk_old_nonworking_gateway.yaml b/Istio/02-Traffic_management/__XX-TLS-PASSTHROUGH/bk_old_nonworking_gateway.yaml new file mode 100755 index 0000000..4305bf6 --- /dev/null +++ b/Istio/02-Traffic_management/__XX-TLS-PASSTHROUGH/bk_old_nonworking_gateway.yaml 
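Review bot: `PeerAuthentication/default-mtls` sets `mtls.mode: DISABLE` with no `selector`, so it switches off sidecar mTLS for every workload in the `default` namespace, not only for the passthrough backend; the plaintext port-80/8080 hop in this change loses mesh encryption as a side effect. Only the backend's TLS container port needs to bypass the sidecar, so scope the policy to the `helloworld` pods and use `portLevelMtls` (port-level settings require a selector; the port is the container port, 443 in this commit's deployment.yaml, so confirm against the manifest you deploy). The trailing `#curl -v --resolve ":$SECURE_INGRESS_PORT:$INGRESS_HOST" ...` comment has an empty hostname before the first colon and neither variable is defined anywhere in this change, so it should be completed or dropped.
```yaml
spec:
  selector:
    matchLabels:
      app: helloworld
  # Only the backend's own TLS port bypasses sidecar mTLS; everything else in the namespace keeps the mesh default
  portLevelMtls:
    443:
      mode: DISABLE
```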
@@ -0,0 +1,113 @@ +#apiVersion: networking.istio.io/v1alpha3 +#kind: Gateway +#metadata: +# name: helloworld-gateway +#spec: +# selector: +## istio: myingressgateway +# istio: ingressgateway +# servers: +# - hosts: +# ["lb.net","*.lb.net"] +# port: +# name: tls-443 +# number: 443 +# protocol: HTTPS +# tls: +# mode: SIMPLE +# credentialName: my-tls-cert-secret +# minProtocolVersion: TLSV1_2 +#--- +#apiVersion: networking.istio.io/v1alpha3 +#kind: VirtualService +#metadata: +# name: helloworld-vs +#spec: +# hosts: +# - "*" +# gateways: +# - helloworld-gateway +# http: +## - name: http-vs +## match: +## - port: 80 +## route: +## - destination: +## host: helloworld.default.svc.cluster.local +## port: +## number: 8080 +# - name: https-vs +# match: +# - port: 443 +# route: +# - destination: +# host: helloworld.default.svc.cluster.local +# port: +# number: 443 +## +## tls: +## - match: +## - port: 443 +## sniHosts: ["lb.net"] +## route: +## - destination: +## host: helloworld.default.svc.cluster.local +## port: +## number: 443 +##--- +##apiVersion: networking.istio.io/v1alpha3 +##kind: DestinationRule +##metadata: +## name: helloworld +## namespace: default +##spec: +## host: helloworld.default.svc.cluster.local +## trafficPolicy: +## portLevelSettings: +## - port: +## number: 8080 +## tls: +## mode: DISABLE +## - port: +## number: 8443 +## tls: +## credentialName: client-credential +## mode: SIMPLE +## port: +## name: https-backend +## number: 8443 +## protocol: HTTPS +## tls: +## credentialName: my-tls-cert-secret +## mode: SIMPLE +## tcp: +### - match: +### - port: 80 +### route: +### - destination: +### host: helloworld +### port: +### number: 8080 +### - match: +### - port: 443 +## - route: +## - destination: +## host: helloworld +## port: +## number: 8443 +## +## tls: +## - match: +## - port: 443 +## sniHosts: +## - "hello.si" +### - uri: +### exact: /helloworld +## route: +## - destination: +## host: helloworld +## port: +## number: 8443 +### protocol: HTTPS +### 
rewrite: +### uri: "/" \ No newline at end of file diff --git a/Istio/02-Traffic_management/__XX-TLS-PASSTHROUGH/deployment.yaml b/Istio/02-Traffic_management/__XX-TLS-PASSTHROUGH/deployment.yaml new file mode 100755 index 0000000..afeb40d --- /dev/null +++ b/Istio/02-Traffic_management/__XX-TLS-PASSTHROUGH/deployment.yaml @@ -0,0 +1,80 @@ +apiVersion: v1 +kind: Service +metadata: + name: helloworld + labels: + app: helloworld + service: helloworld +spec: + ports: + - port: 8080 + name: http-s + targetPort: 80 + protocol: TCP + appProtocol: HTTP + + - port: 8443 + name: https + targetPort: 443 + protocol: TCP + appProtocol: https + selector: + app: helloworld +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: helloworld-nginx + labels: + app: helloworld +spec: + replicas: 1 + selector: + matchLabels: + app: helloworld + template: + metadata: + labels: + app: helloworld + sidecar.istio.io/inject: "true" + spec: + containers: + - name: helloworld + image: oriolfilter/https-apache-demo:armv7 + resources: + requests: + cpu: "100m" + imagePullPolicy: Always #Always + ports: + - containerPort: 80 + - containerPort: 443 +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: nginx + labels: + app: nginx + version: v1 +spec: + replicas: 1 + selector: + matchLabels: + app: nginx + version: v1 + template: + metadata: + labels: + app: nginx + version: v1 + spec: + # serviceAccountName: istio-helloworld + containers: + - name: nginx + image: nginx + resources: + requests: + cpu: "100m" + imagePullPolicy: IfNotPresent + ports: + - containerPort: 80 \ No newline at end of file diff --git a/Istio/02-Traffic_management/__XX-TLS-PASSTHROUGH/gateway-02.yaml b/Istio/02-Traffic_management/__XX-TLS-PASSTHROUGH/gateway-02.yaml new file mode 100755 index 0000000..5070950 --- /dev/null +++ b/Istio/02-Traffic_management/__XX-TLS-PASSTHROUGH/gateway-02.yaml 
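Review bot: Both containers in `deployment.yaml` run from mutable tags, `oriolfilter/https-apache-demo:armv7` with `imagePullPolicy: Always` and a bare `nginx` (implicitly `latest`), so what the cluster runs can change without any change to this manifest; pin by digest, `image: oriolfilter/https-apache-demo@sha256:<digest>`, and drop the stale `#Always` trailer after the pull policy. `Service/helloworld` selects only `app: helloworld`, so the second `Deployment/nginx` is reachable by nothing in this change; if it is a leftover from the nginx-based variant it should be removed, otherwise a comment should say what it is for. Neither pod sets a `securityContext` or resource limits, which is acceptable for a lab but worth a one-line comment so it is not copied into a real deployment.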
@@ -0,0 +1,36 @@ +#apiVersion: networking.istio.io/v1beta1 +#kind: Gateway +#metadata: +# name: helloworld-gateway +#spec: +# selector: +# istio: ingressgateway +# servers: +# - hosts: +# - "*" +# port: +# name: https +# number: 443 +# protocol: HTTPS +# tls: +# mode: PASSTHROUGH +#--- +#apiVersion: networking.istio.io/v1beta1 +#kind: VirtualService +#metadata: +# name: helloworld-vs +#spec: +# gateways: +# - helloworld-gateway +# hosts: ["lb.net","*.lb.net"] +## http: +## - route: +## - destination: +## host: helloworld.default.svc.cluster.local +##spec: +# tls: +# - match: +# - sniHosts: ["lb.net","*.lb.net"] +# route: +# - destination: +# host: helloworld.default.svc.cluster.local \ No newline at end of file diff --git a/Istio/02-Traffic_management/__XX-TLS-PASSTHROUGH/gateway.yaml b/Istio/02-Traffic_management/__XX-TLS-PASSTHROUGH/gateway.yaml new file mode 100755 index 0000000..a313d3a --- /dev/null +++ b/Istio/02-Traffic_management/__XX-TLS-PASSTHROUGH/gateway.yaml 
@@ -0,0 +1,87 @@ +apiVersion: networking.istio.io/v1alpha3 +kind: Gateway +metadata: + name: helloworld-gateway +spec: + selector: + # istio: myingressgateway + istio: ingressgateway + servers: + # - port: + # number: 443 + # name: secure-http2 + # protocol: HTTP2 + # hosts: + # - "*" + - port: + number: 80 + name: http2-i + protocol: HTTP2 + hosts: + - "*" + - port: + number: 443 + name: https-i + protocol: HTTPS + hosts: + - "*" + tls: +# credentialName: my-tls-cert-secret +# minProtocolVersion: TLSV1_2 + # + mode: PASSTHROUGH +--- +apiVersion: networking.istio.io/v1alpha3 +kind: VirtualService +metadata: + name: helloworld-vs +spec: + hosts: + - "lb.net" + gateways: + - helloworld-gateway + http: + - name: http-vs + match: + - port: 80 + route: + - destination: + host: helloworld.default.svc.cluster.local + port: + number: 8080 +# - name: https-vs +# match: +# - port: 443 +# route: +# - destination: +# host: helloworld.default.svc.cluster.local +# port: +# number: 8443 + tls: + - match: + - port: 443 + sniHosts: ["lb.net"] + route: + - destination: + host: helloworld.default.svc.cluster.local + port: + number: 8443 +--- +apiVersion: networking.istio.io/v1alpha3 +kind: DestinationRule +metadata: + name: helloworld + namespace: default +spec: + host: helloworld.default.svc.cluster.local + trafficPolicy: + portLevelSettings: + - port: + number: 8080 + tls: + mode: DISABLE + + - port: + number: 8443 + tls: + mode: DISABLE diff --git a/Istio/02-Traffic_management/__XX-TLS-PASSTHROUGH/ingress.yaml b/Istio/02-Traffic_management/__XX-TLS-PASSTHROUGH/ingress.yaml new file mode 100644 index 0000000..850c2eb --- /dev/null +++ b/Istio/02-Traffic_management/__XX-TLS-PASSTHROUGH/ingress.yaml 
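Review bot: With `tls.mode: PASSTHROUGH` on the 443 server the gateway no longer terminates TLS, so the commented-out `minProtocolVersion: TLSV1_2` is not just unused but unenforceable at the edge: the protocol floor, cipher suite and certificate are now whatever the backend listener accepts (the `server.conf` in this commit allows TLSv1 and TLSv1.1). Say so where the next reader will look: `# PASSTHROUGH: TLS policy (min version, ciphers, cert) is enforced by the backend, not by this gateway`. The 443 server accepts `hosts: "*"` while the only `tls` route matches `sniHosts: ["lb.net"]`, so a ClientHello with any other SNI has no route and the connection is dropped, which matches the "Connection reset by peer" note in the README; narrowing the Gateway's 443 `hosts` to `"lb.net"` makes that rejection explicit in config. The DestinationRule's `mode: DISABLE` on 8443 is correct here, since the sidecar must not originate a second TLS session over the client's own handshake; a comment saying so would stop someone "fixing" it back to SIMPLE.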
@@ -0,0 +1,29 @@ +apiVersion: install.istio.io/v1alpha1 +kind: IstioOperator +metadata: + name: ingress +spec: + profile: empty # Do not install CRDs or the control plane + components: + ingressGateways: + - name: myistio-ingressgateway + namespace: istio-ingress + enabled: true + label: + istio: myingressgateway + k8s: + service: + ports: + - name: https-ingress + port: 443 + protocol: TCP + targetPort: 1055 + - name: http-ingress + port: 80 + protocol: TCP + targetPort: 1085 + + values: + gateways: + istio-ingressgateway: + injectionTemplate: gateway diff --git a/Istio/02-Traffic_management/__XX-TLS-PASSTHROUGH/server.conf b/Istio/02-Traffic_management/__XX-TLS-PASSTHROUGH/server.conf new file mode 100644 index 0000000..1b7c17a --- /dev/null +++ b/Istio/02-Traffic_management/__XX-TLS-PASSTHROUGH/server.conf @@ -0,0 +1,37 @@ +server { + listen 80; +# rewrite ^ https://$server_name$request_uri? permanent; + + server_name lb.net; + + access_log /var/log/nginx/access.log; + error_log /var/log/nginx/error.log info; + + add_header Strict-Transport-Security "max-age=7200"; + + root /var/www/html; + index index.html; +} + +server { + listen 443 ssl default_server http2; + + ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3; + + ssl_ciphers ALL:!aNULL:!ADH:!eNULL:!LOW:!EXP:RC4+RSA:+HIGH:+MEDIUM; + + server_name lb.net; + + access_log /var/log/nginx/access.log; + error_log /var/log/nginx/error.log info; + + ssl on; + ssl_certificate /cert.crt; + ssl_certificate_key /cert.key; + ssl_session_timeout 5m; + + add_header Strict-Transport-Security "max-age=7200"; + + root /var/www/html; + index index.html; +} \ No newline at end of file diff --git a/Istio/02-Traffic_management/__XX-TLS-PASSTHROUGH_BK_pcap_see_encrypted_traffic/Dockerfile b/Istio/02-Traffic_management/__XX-TLS-PASSTHROUGH_BK_pcap_see_encrypted_traffic/Dockerfile new file mode 100644 index 0000000..e3df53b --- /dev/null +++ b/Istio/02-Traffic_management/__XX-TLS-PASSTHROUGH_BK_pcap_see_encrypted_traffic/Dockerfile 
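Review bot: The IstioOperator's ingress gateway carries `label: istio: myingressgateway`, but every `Gateway` resource in this commit selects `istio: ingressgateway` (the `myingressgateway` selector is present only as a comment), so applying `ingress.yaml` produces a gateway deployment that nothing binds to. Either uncomment the selector in the Gateway resources or label this component `istio: ingressgateway`, and add `# label must match Gateway.spec.selector in gateway.yaml` next to the label. The `targetPort: 1055` / `1085` values are non-standard and carry no comment; a line stating why the gateway listens there would help, and I would verify that `values.gateways.istio-ingressgateway.injectionTemplate` actually applies to a component named `myistio-ingressgateway` rather than to the default gateway.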
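Review bot: `ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3;` in the 443 server re-enables TLS 1.0 and 1.1, which the SIMPLE-mode gateways in this series forbid via `minProtocolVersion: TLSV1_2`, and under gateway PASSTHROUGH this listener is the only place that floor can be enforced; the cipher string also admits `RC4+RSA` and `MEDIUM`, and the legacy `ssl on;` is redundant with `listen 443 ssl` (nginx 1.25 removed it). The port-80 server sends `Strict-Transport-Security` over plain HTTP, which browsers ignore, while its redirect to HTTPS is commented out, so that header is dead weight; `max-age=7200` is also too short to pin anything. The rewritten TLS stanza below keeps the certificate paths and logging as they are.
```nginx
server {
    listen 443 ssl default_server http2;
    server_name lb.net;

    # Under gateway PASSTHROUGH the TLS policy lives here: match the gateway's TLSV1_2 floor
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_ciphers HIGH:!aNULL:!eNULL:!EXP:!LOW:!MEDIUM:!RC4:!MD5;
    ssl_prefer_server_ciphers on;

    # … unchanged: access_log/error_log, ssl_certificate/ssl_certificate_key, ssl_session_timeout, HSTS header, root/index …
}
```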
@@ -0,0 +1,13 @@ +FROM nginx + +ADD server.conf /etc/nginx/conf.d/default.conf + +# RUN apt-get update && \ +# apt-get install apache2 openssl -y && \ +# a2ensite default-ssl && \ +# a2enmod ssl && \ + +RUN mkdir -p /var/www/html +RUN echo "

Howdy

" | tee /var/www/html/index.html + +RUN openssl req -x509 -sha256 -nodes -days 358000 -subj '/O=SSL EXAMPLE/CN=lb.net' -newkey rsa:2048 -keyout /cert.key -out /cert.crt \ No newline at end of file diff --git a/Istio/02-Traffic_management/__XX-TLS-PASSTHROUGH_BK_pcap_see_encrypted_traffic/README.md b/Istio/02-Traffic_management/__XX-TLS-PASSTHROUGH_BK_pcap_see_encrypted_traffic/README.md new file mode 100644 index 0000000..f356e8b --- /dev/null +++ b/Istio/02-Traffic_management/__XX-TLS-PASSTHROUGH_BK_pcap_see_encrypted_traffic/README.md 
@@ -0,0 +1,313 @@ +--- +gitea: none +include_toc: true +--- + +# Based on + +- [08a-HTTPS-min-TLS-version](../08a-HTTPS-min-TLS-version) + +# Description + +The previous example was modified set the gateway to enable for HTTP2 traffic. + +https://stackoverflow.com/a/59610581 + + +# Changelog + +## Gateway + +```yaml +apiVersion: networking.istio.io/v1alpha3 +kind: Gateway +metadata: + name: helloworld-gateway +spec: + selector: + istio: ingressgateway + servers: + - port: + number: 443 + name: secure-http2 + protocol: HTTP2 + hosts: + - "*" + tls: + mode: SIMPLE + credentialName: my-tls-cert-secret + minProtocolVersion: TLSV1_2 +``` + +`` + +# Walkthrough + + +## Generate client and server certificate and key files + +First step will be to generate the certificate and key files to be able to set them to the Gateway resource. + +### Create a folder to store files. + +Create the folder to contain the files that will be generated. + +```shell +mkdir certfolder +``` + +### Create a certificate and a private key. + +```shell +openssl req -x509 -sha256 -nodes -days 365 -subj '/O=Internet of things/CN=lb.net' -newkey rsa:2048 -keyout certfolder/istio.cert.key -out certfolder/istio.cert.crt +``` + +The files generated are the following: + +```yaml +private-key: certfolder/istio.cert.key +root-certificate: certfolder/istio.cert.crt +``` + +The information set to the certificate generated is the following: + +```yaml +Organization-name: Internet of things +CN: lb.net +``` + +### Create a TLS secret + +At this step we create the tls secret `my-tls-cert-secret` on the namespace `istio-system`. 
+ +```shell +kubectl create -n istio-system secret tls my-tls-cert-secret \ + --key=certfolder/istio.cert.key \ + --cert=certfolder/istio.cert.crt +``` +```text +secret/my-tls-cert-secret created +``` +```text +service/helloworld created +deployment.apps/helloworld-nginx created +gateway.networking.istio.io/helloworld-gateway created +virtualservice.networking.istio.io/helloworld-vs created +``` + +> **Note:**\ +> It's Important that the secret is located in the same namespace as the Load Balancer used. In my case is the `istio-system`, but it will vary based on the environment. + + +## Deploy resources + +```shell +kubectl apply -f ./ +``` +```text +service/helloworld created +deployment.apps/helloworld-nginx created +gateway.networking.istio.io/helloworld-gateway created +virtualservice.networking.istio.io/helloworld-vs created +``` + +## Test the service +### http2 +#### Curl HTTP1 + +```shell +curl 192.168.1.50/helloworld -s -o=/dev/null -w 'http_version: %{http_version}\nstatus_code: %{response_code}\n' -HHOST:http2.lb --http1.0 +``` +```text +http_version: 1.1 +status_code: 426 +``` + +#### Curl HTTP1.1 + +```shell +curl 192.168.1.50/helloworld -s -o=/dev/null -w 'http_version: %{http_version}\nstatus_code: %{response_code}\n' -HHOST:http2.lb --http1.1 +``` +```text +http_version: 1.1 +status_code: 200 +``` + +#### Curl HTTP2 + +```shell +curl 192.168.1.50/helloworld -s -o=/dev/null -w 'http_version: %{http_version}\nstatus_code: %{response_code}\n' -HHOST:http2.lb --http2 +``` +```text +http_version: 1.1 +status_code: 200 +``` + +### http1-web + +#### Curl HTTP1 + +```shell +curl 192.168.1.50/helloworld -s -o=/dev/null -w 'http_version: %{http_version}\nstatus_code: %{response_code}\n' -HHOST:http1.lb --http1.0 +``` +```text +http_version: 1.1 +status_code: 426 +``` + +#### Curl HTTP1.1 + +```shell +curl 192.168.1.50/helloworld -s -o=/dev/null -w 'http_version: %{http_version}\nstatus_code: %{response_code}\n' -HHOST:http1.lb --http1.1 +``` +```text 
+http_version: 1.1 +status_code: 200 +``` + +#### Curl HTTP2 + +```shell +curl 192.168.1.50/helloworld -s -o=/dev/null -w 'http_version: %{http_version}\nstatus_code: %{response_code}\n' -HHOST:http1.lb --http2 +``` +```text +http_version: 1.1 +status_code: 200 +``` + +## Cleanup + +```shell +kubectl delete -f ./ +``` + +```text +service "helloworld" deleted +deployment.apps "helloworld-nginx" deleted +gateway.networking.istio.io "helloworld-gateway" deleted +virtualservice.networking.istio.io "helloworld-vs" deleted +``` + +# Links of Interest + +- https://istio.io/latest/docs/reference/config/networking/gateway/#ServerTLSSettings-TLSProtocol + +- https://stackoverflow.com/a/51279606 + +- https://istio.io/latest/docs/reference/config/networking/destination-rule/#ConnectionPoolSettings-HTTPSettings-H2UpgradePolicy + + + +docker buildx build --push --platform linux/arm/v7,linux/arm64/v8,linux/amd64 --tag registery.filter.home:5000/https-demo:latest -f Dockerfile + + +docker buildx build --push --platform linux/arm/v7,linux/arm64/v8,linux/amd64 --tag registery.filter.home:5000/https-demo:latest . +[+] Building 0.0s (0/0) +ERROR: multiple platforms feature is currently not supported for docker driver. Please switch to a different driver (eg. "docker buildx create --use") + +--- +## Create the Dockerfile + +```bash +FROM ubuntu/apache2 + +RUN apt-get update && \ +apt-get install apache2 openssl -y && \ +a2ensite default-ssl && \ +a2enmod ssl && \ +echo "

Howdy

" | tee /var/www/html/index.html + +RUN /usr/bin/printf "\n\ + ServerAdmin webmaster@localhost\n\ + DocumentRoot /var/www/html\n\ + ErrorLog \${APACHE_LOG_DIR}/error.log\n\ + CustomLog \${APACHE_LOG_DIR}/access.log combined\n\ +\n\ +\n\ + ServerAdmin webmaster@localhost\n\ + DocumentRoot /var/www/html\n\ + ErrorLog \${APACHE_LOG_DIR}/error.log\n\ + CustomLog \${APACHE_LOG_DIR}/access.log combined\n\ + SSLEngine on\n\ + SSLCertificateFile /etc/ssl/certs/ssl-cert-snakeoil.pem\n\ + SSLCertificateKeyFile /etc/ssl/private/ssl-cert-snakeoil.key\n\ +" > /etc/apache2/sites-available/000-default.conf + +RUN openssl req -x509 -sha256 -nodes -days 358000 -subj '/O=SSL EXAMPLE/CN=lb.net' -newkey rsa:2048 -keyout /etc/ssl/private/ssl-cert-snakeoil.key -out /etc/ssl/certs/ssl-cert-snakeoil.pem +``` + +## Build the image + +Due to my Kubernetes cluster environment, where I am using Orange 5, their architecture is arm7, and for such, I require to compile such images. + +For my own commodity, I have used a raspberry pi 4 to build this images. + +The images where pushed to a local registry server, and afterwards the Kubernetes cluster will pull such image. + +```shell + docker build --tag https-demo:armv7 . +``` +```text +docker build --tag https-demo:armv7 . 
--no-cache +[+] Building 16.5s (8/8) FINISHED + => [internal] load .dockerignore 0.0s + => => transferring context: 2B 0.0s + => [internal] load build definition from Dockerfile 0.0s + => => transferring dockerfile: 1.09kB 0.0s + => [internal] load metadata for docker.io/ubuntu/apache2:latest 0.4s + => CACHED [1/4] FROM docker.io/ubuntu/apache2@sha256:0a5e7179fa8fccf17843a8862e58ac783628b7d448cd68fda8fb1e 0.0s + => [2/4] RUN apt-get update && apt-get install apache2 openssl -y && a2ensite default-ssl && a2enmod ssl & 12.0s + => [3/4] RUN /usr/bin/printf "\n ServerAdmin webmaster@localhost\n DocumentRoot /var/www/ 0.7s + => [4/4] RUN openssl req -x509 -sha256 -nodes -days 358000 -subj '/O=SSL EXAMPLE' -newkey rsa:2048 -keyout 2.4s + => exporting to image 1.0s + => => exporting layers 1.0s + => => writing image sha256:591c6d233100a48bf132eef7a792942cfd0b7057817c4ac5e156c1d33e24cd89 0.0s + => => naming to docker.io/library/https-demo:armv7 0.0s +``` + +## Tag the image + +```shell +docker image tag https-demo:armv7 registery.filter.home/https-demo:armv7 +``` + +## Upload to the registery server + +```text +docker image push registery.filter.home:5000/https-demo:armv7 +The push refers to repository [registery.filter.home:5000/https-demo] +c6d858706b08: Pushed +9e077e0202f0: Pushed +6ffc708d0cf3: Pushed +69e01b4bf4d7: Pushed +17c5b30f3843: Pushed +0b9f60fbcaf1: Pushed +armv7: digest: sha256:d8c81c27f23bf3945ae8a794c82182f9e6c48ec927f388fdf4a88caa0e284bd1 size: 1578 +``` + + + +## ? +curl: (35) OpenSSL/3.0.8: error:0A00010B:SSL routines::wrong version numbe + + + + + +--- + + +Has apache2 installed with a default certificate. + +Port 80 visible for HTTP + +Port 443 visible for HTTPS. + + + + +curl https://192.168.1.2:8443 -s -o=/dev/null -w 'http_version: %{http_version}\nstatus_code: %{response_code}\n' -HHOST:http1.lb --http2 -k +http_version: 2 +status_code: 200 + +# Recv failure: Connection reset by peer 
diff --git a/Istio/02-Traffic_management/__XX-TLS-PASSTHROUGH_BK_pcap_see_encrypted_traffic/authentication.yaml b/Istio/02-Traffic_management/__XX-TLS-PASSTHROUGH_BK_pcap_see_encrypted_traffic/authentication.yaml new file mode 100644 index 0000000..da9883d --- /dev/null +++ b/Istio/02-Traffic_management/__XX-TLS-PASSTHROUGH_BK_pcap_see_encrypted_traffic/authentication.yaml @@ -0,0 +1,11 @@ +apiVersion: security.istio.io/v1beta1 +kind: PeerAuthentication +metadata: + name: default-mtls + namespace: default +spec: + mtls: + mode: DISABLE + + +#curl -v --resolve ":$SECURE_INGRESS_PORT:$INGRESS_HOST" --cacert example_certs/example.com.crt "https://nginx.example.com:$SECURE_INGRESS_PORT" diff --git a/Istio/02-Traffic_management/__XX-TLS-PASSTHROUGH_BK_pcap_see_encrypted_traffic/bk_old_nonworking_gateway.yaml b/Istio/02-Traffic_management/__XX-TLS-PASSTHROUGH_BK_pcap_see_encrypted_traffic/bk_old_nonworking_gateway.yaml new file mode 100755 index 0000000..871a985 --- /dev/null +++ b/Istio/02-Traffic_management/__XX-TLS-PASSTHROUGH_BK_pcap_see_encrypted_traffic/bk_old_nonworking_gateway.yaml 
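Review bot: This `PeerAuthentication` is identical to the one in `__XX-TLS-PASSTHROUGH/authentication.yaml` (index `da9883d`), and like it disables mTLS for the whole `default` namespace because `mtls.mode: DISABLE` is set with no `selector`. Restrict it to the `helloworld` pods with `selector: matchLabels: app: helloworld` and use `portLevelMtls` on the backend's TLS container port so the other workloads in the namespace keep mesh encryption. The trailing `#curl -v --resolve ":$SECURE_INGRESS_PORT:$INGRESS_HOST" ...` comment has an empty hostname and undefined variables and should be completed or removed.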
@@ -0,0 +1,117 @@ +#apiVersion: networking.istio.io/v1alpha3 +#kind: Gateway +#metadata: +# name: helloworld-gateway +#spec: +# selector: +## istio: myingressgateway +# istio: ingressgateway +# servers: +# - hosts: +# ["lb.net","*.lb.net"] +# port: +# name: tls-443 +# number: 443 +# protocol: HTTPS +# tls: +# mode: SIMPLE +# credentialName: my-tls-cert-secret +# minProtocolVersion: TLSV1_2 +#--- +#apiVersion: networking.istio.io/v1alpha3 +#kind: VirtualService +#metadata: +# name: helloworld-vs +#spec: +# hosts: +# - "*" +# gateways: +# - helloworld-gateway +# http: +## - name: http-vs +## match: +## - port: 80 +## route: +## - destination: +## host: helloworld.default.svc.cluster.local +## port: +## number: 8080 +# - name: https-vs +# match: +# - port: 443 +# route: +# - destination: +# host: helloworld.default.svc.cluster.local +# port: +# number: 443 +## +## tls: +## - match: +## - port: 443 +## sniHosts: ["lb.net"] +## route: +## - destination: +## host: helloworld.default.svc.cluster.local +## port: +## number: 443 +# +##--- +##apiVersion: networking.istio.io/v1alpha3 +##kind: DestinationRule +##metadata: +## name: helloworld +## namespace: default +##spec: +## host: helloworld.default.svc.cluster.local +## trafficPolicy: +## portLevelSettings: +## - port: +## number: 8080 +## tls: +## mode: DISABLE +# +## - port: +## number: 8443 +## tls: +## credentialName: client-credential +## mode: SIMPLE +# +# +## port: +## name: https-backend +## number: 8443 +## protocol: HTTPS +## tls: +## credentialName: my-tls-cert-secret +## mode: SIMPLE +## tcp: +### - match: +### - port: 80 +### route: +### - destination: +### host: helloworld +### port: +### number: 8080 +### - match: +### - port: 443 +## - route: +## - destination: +## host: helloworld +## port: +## number: 8443 +## +## tls: +## - match: +## - port: 443 +## sniHosts: +## - "hello.si" +### - uri: +### exact: /helloworld +## route: +## - destination: +## host: helloworld +## port: +## number: 8443 +### protocol: 
HTTPS +### rewrite: +### uri: "/" \ No newline at end of file diff --git a/Istio/02-Traffic_management/__XX-TLS-PASSTHROUGH_BK_pcap_see_encrypted_traffic/deployment.yaml b/Istio/02-Traffic_management/__XX-TLS-PASSTHROUGH_BK_pcap_see_encrypted_traffic/deployment.yaml new file mode 100755 index 0000000..233c5ed --- /dev/null +++ b/Istio/02-Traffic_management/__XX-TLS-PASSTHROUGH_BK_pcap_see_encrypted_traffic/deployment.yaml @@ -0,0 +1,74 @@ +apiVersion: v1 +kind: Service +metadata: + name: helloworld + labels: + app: helloworld + service: helloworld +spec: + ports: + - name: p1 + port: 80 + protocol: TCP + - name: https + port: 443 + protocol: TCP + selector: + app: helloworld +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: helloworld-nginx + labels: + app: helloworld +spec: + replicas: 1 + selector: + matchLabels: + app: helloworld + template: + metadata: + labels: + app: helloworld + sidecar.istio.io/inject: "true" + spec: + containers: + - name: helloworld + image: oriolfilter/https-apache-demo:armv7 + resources: + requests: + cpu: "100m" + imagePullPolicy: IfNotPresent #Always + ports: + - containerPort: 443 +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: nginx + labels: + app: nginx + version: v1 +spec: + replicas: 1 + selector: + matchLabels: + app: nginx + version: v1 + template: + metadata: + labels: + app: nginx + version: v1 + spec: + # serviceAccountName: istio-helloworld + containers: + - name: nginx + image: nginx + resources: + requests: + cpu: "100m" + imagePullPolicy: IfNotPresent + ports: + - containerPort: 80 \ No newline at end of file diff --git a/Istio/02-Traffic_management/__XX-TLS-PASSTHROUGH_BK_pcap_see_encrypted_traffic/gateway-02.yaml b/Istio/02-Traffic_management/__XX-TLS-PASSTHROUGH_BK_pcap_see_encrypted_traffic/gateway-02.yaml new file mode 100755 index 0000000..5070950 --- /dev/null +++ b/Istio/02-Traffic_management/__XX-TLS-PASSTHROUGH_BK_pcap_see_encrypted_traffic/gateway-02.yaml 
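Review bot: `Service/helloworld` names port 80 `p1` with no `appProtocol`, so Istio cannot tell from the port that it carries HTTP (the other `deployment.yaml` in this commit names the same port `http-s` with `appProtocol: HTTP`); as far as I recall the sidecar then falls back to protocol sniffing, and HTTP-level routing in the companion VirtualService becomes best-effort rather than declared. Rename it `name: http` or add `appProtocol: http`. The `helloworld` container declares only `containerPort: 443` while the Service also exposes port 80, and `imagePullPolicy: IfNotPresent` on the mutable `armv7` tag means a node keeps running whatever it cached after the tag is re-pushed; pin by digest and drop the stale `#Always` trailer.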
@@ -0,0 +1,36 @@ +#apiVersion: networking.istio.io/v1beta1 +#kind: Gateway +#metadata: +# name: helloworld-gateway +#spec: +# selector: +# istio: ingressgateway +# servers: +# - hosts: +# - "*" +# port: +# name: https +# number: 443 +# protocol: HTTPS +# tls: +# mode: PASSTHROUGH +#--- +#apiVersion: networking.istio.io/v1beta1 +#kind: VirtualService +#metadata: +# name: helloworld-vs +#spec: +# gateways: +# - helloworld-gateway +# hosts: ["lb.net","*.lb.net"] +## http: +## - route: +## - destination: +## host: helloworld.default.svc.cluster.local +##spec: +# tls: +# - match: +# - sniHosts: ["lb.net","*.lb.net"] +# route: +# - destination: +# host: helloworld.default.svc.cluster.local \ No newline at end of file diff --git a/Istio/02-Traffic_management/__XX-TLS-PASSTHROUGH_BK_pcap_see_encrypted_traffic/gateway.yaml b/Istio/02-Traffic_management/__XX-TLS-PASSTHROUGH_BK_pcap_see_encrypted_traffic/gateway.yaml new file mode 100755 index 0000000..210ef29 --- /dev/null +++ b/Istio/02-Traffic_management/__XX-TLS-PASSTHROUGH_BK_pcap_see_encrypted_traffic/gateway.yaml 
@@ -0,0 +1,85 @@ +apiVersion: networking.istio.io/v1alpha3 +kind: Gateway +metadata: + name: helloworld-gateway +spec: + selector: + # istio: myingressgateway + istio: ingressgateway + servers: + # - port: + # number: 443 + # name: secure-http2 + # protocol: HTTP2 + # hosts: + # - "*" + - port: + number: 80 + name: http2-i + protocol: HTTP2 + hosts: + - "*" + - port: + number: 443 + name: https-i + protocol: HTTPS + hosts: + - "*" + tls: + credentialName: my-tls-cert-secret + minProtocolVersion: TLSV1_2 + # + mode: SIMPLE +--- +apiVersion: networking.istio.io/v1alpha3 +kind: VirtualService +metadata: + name: helloworld-vs +spec: + hosts: ["lb.net"] + gateways: + - helloworld-gateway + http: + - name: http-vs + match: + - port: 80 + route: + - destination: + host: helloworld.default.svc.cluster.local + port: + number: 80 + - name: https-vs + match: + - port: 443 + sniHosts: ["lb.net"] + route: + - destination: + host: helloworld.default.svc.cluster.local + port: + number: 443 +# tls: +# - match: +# - sniHosts: ["lb.net"] +# route: +# - destination: +# host: helloworld.default.svc.cluster.local +--- +apiVersion: networking.istio.io/v1alpha3 +kind: DestinationRule +metadata: + name: helloworld + namespace: default +spec: + host: helloworld.default.svc.cluster.local + trafficPolicy: + portLevelSettings: + - port: + number: 8080 + tls: + mode: DISABLE +# + - port: + number: 443 + tls: + credentialName: client-credential + mode: DISABLE \ No newline at end of file diff --git a/Istio/02-Traffic_management/__XX-TLS-PASSTHROUGH_BK_pcap_see_encrypted_traffic/ingress.yaml b/Istio/02-Traffic_management/__XX-TLS-PASSTHROUGH_BK_pcap_see_encrypted_traffic/ingress.yaml new file mode 100644 index 0000000..850c2eb --- /dev/null +++ b/Istio/02-Traffic_management/__XX-TLS-PASSTHROUGH_BK_pcap_see_encrypted_traffic/ingress.yaml 
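Review bot: In the DestinationRule at the end of this hunk, the port-443 entry pairs `credentialName: client-credential` with `mode: DISABLE`; a credential is only consulted for SIMPLE or MUTUAL origination, so as written the line is dead configuration that reads as if client TLS were in place while the sidecar actually forwards plaintext to port 443. Either remove `credentialName: client-credential` or set the mode that is meant, and if plaintext-to-443 is deliberate for the capture experiment the directory name implies, say so in a comment next to it. The port-8080 entry matches neither port (80, 443) of the `helloworld` Service added in deployment.yaml earlier in this patch, assuming that Service is the one this rule targets. The Gateway's 443 server does set `minProtocolVersion: TLSV1_2`, which is the right floor; the commented-out `tls:` route block in the VirtualService could be deleted rather than kept alongside the live `http` routes.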
@@ -0,0 +1,29 @@ +apiVersion: install.istio.io/v1alpha1 +kind: IstioOperator +metadata: + name: ingress +spec: + profile: empty # Do not install CRDs or the control plane + components: + ingressGateways: + - name: myistio-ingressgateway + namespace: istio-ingress + enabled: true + label: + istio: myingressgateway + k8s: + service: + ports: + - name: https-ingress + port: 443 + protocol: TCP + targetPort: 1055 + - name: http-ingress + port: 80 + protocol: TCP + targetPort: 1085 + + values: + gateways: + istio-ingressgateway: + injectionTemplate: gateway diff --git a/Istio/02-Traffic_management/__XX-TLS-PASSTHROUGH_BK_pcap_see_encrypted_traffic/server.conf b/Istio/02-Traffic_management/__XX-TLS-PASSTHROUGH_BK_pcap_see_encrypted_traffic/server.conf new file mode 100644 index 0000000..1b7c17a --- /dev/null +++ b/Istio/02-Traffic_management/__XX-TLS-PASSTHROUGH_BK_pcap_see_encrypted_traffic/server.conf @@ -0,0 +1,37 @@ +server { + listen 80; +# rewrite ^ https://$server_name$request_uri? permanent; + + server_name lb.net; + + access_log /var/log/nginx/access.log; + error_log /var/log/nginx/error.log info; + + add_header Strict-Transport-Security "max-age=7200"; + + root /var/www/html; + index index.html; +} + +server { + listen 443 ssl default_server http2; + + ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3; + + ssl_ciphers ALL:!aNULL:!ADH:!eNULL:!LOW:!EXP:RC4+RSA:+HIGH:+MEDIUM; + + server_name lb.net; + + access_log /var/log/nginx/access.log; + error_log /var/log/nginx/error.log info; + + ssl on; + ssl_certificate /cert.crt; + ssl_certificate_key /cert.key; + ssl_session_timeout 5m; + + add_header Strict-Transport-Security "max-age=7200"; + + root /var/www/html; + index index.html; +} \ No newline at end of file -- 2.47.2 From e76729c5dedd11104dada97fa039c8f616427227 Mon Sep 17 00:00:00 2001 
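Review bot: The gateway this IstioOperator installs is labelled `istio: myingressgateway`, but every Gateway resource in this patch selects `istio: ingressgateway` (the `myingressgateway` selector appears only commented out in gateway.yaml), so as committed no Gateway binds to this ingress. If that is intentional for the experiment, a comment above `label:` naming the Gateway selector it is meant to pair with would save the next reader a debugging session; otherwise the selector in gateway.yaml should be switched. The blank line between the `k8s:` block and `values:` is also indented inconsistently with the rest of the file.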
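Review bot: `ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3;` in the 443 server block enables TLS 1.0 and 1.1, which are deprecated and sit below the `minProtocolVersion: TLSV1_2` floor that gateway.yaml in this same patch enforces at the edge; `ssl_protocols TLSv1.2 TLSv1.3;` keeps the demo useful while matching the gateway. `ssl on;` duplicates the `ssl` parameter already present on `listen 443 ssl default_server http2;` and has been deprecated since nginx 1.15.0 (newer releases reject it), so it should be dropped, and the `RC4+RSA` term in `ssl_ciphers` should go unless the experiment specifically needs RC4. The `Strict-Transport-Security` header in the port-80 block is sent over plain HTTP, where clients ignore it, so it is harmless but misleading. The identical server.conf content is repeated verbatim in the README added by patch 06 and is kept under the rename in patch 10, so the same change applies there.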
From: savagebidoof Date: Tue, 25 Apr 2023 02:58:47 +0200 Subject: [PATCH 06/21] Documented the container. Uploaded multiarch to dockerhub. Might want to create a different repo to allow people to just clone it. Not my concern rn, nor for a while. --- .../HTTPS-NGINX-DOCKERFILE/README.md | 209 ++++++++++++++++++ 1 file changed, 209 insertions(+) create mode 100644 Istio/99-resources/HTTPS-NGINX-DOCKERFILE/README.md diff --git a/Istio/99-resources/HTTPS-NGINX-DOCKERFILE/README.md b/Istio/99-resources/HTTPS-NGINX-DOCKERFILE/README.md new file mode 100644 index 0000000..10792fd --- /dev/null +++ b/Istio/99-resources/HTTPS-NGINX-DOCKERFILE/README.md @@ -0,0 +1,209 @@ +# Description + +This image was intended to be used on configuration tests or troubleshooting. + +URL: [`docker.io/oriolfilter/https-nginx-demo:latest`](https://hub.docker.com/r/oriolfilter/https-nginx-demo) + +--- + +## Breakdown + +### Capabilities + +- Multi arch +- HTTP +- HTTPS (with built-in certificate) +- HTTP2 +- Nginx + +### Platforms it was build on: + +- linux/amd64 +- linux/arm64 +- linux/arm/v7 + +### Dockerfile + +The orders given are very simple: + +1. Grab the nginx image as a base/template (this allows me to forget about the entrypoint configuration). + +2. Take the file `server.conf` and place it in the path `/etc/nginx/conf.d/default.conf` from the container/image. + +3. Create the directory `/var/www/html`, and afterwards create a simple index. + +4. Create a certificate and a key that will be used on the Nginx to allow HTTPS traffic requests. + +```Dockerfile +FROM nginx + +ADD server.conf /etc/nginx/conf.d/default.conf + +RUN mkdir -p /var/www/html +RUN echo "

Howdy

" | tee /var/www/html/index.html + +RUN openssl req -x509 -sha256 -nodes -days 358000 -subj '/O=SSL EXAMPLE/CN=lb.net' -newkey rsa:2048 -keyout /cert.key -out /cert.crt +``` +### server.conf + +Read it if you please. + +The port listens to both port 80 and port 443, for HTTP and HTTPS traffic. + +Port 443 has enabled http2. + +Could have configured HTTP to HTTPS forwarding, yet this way I can verify the status of the service or configurations through HTTP requests. (also the HTTP to HTTPS forwarding should be handled by the Load Balancer / Ingress) + +It uses the certificates generated previously. + +```nginx +server { + listen 80; + + server_name lb.net; + + access_log /var/log/nginx/access.log; + error_log /var/log/nginx/error.log info; + + add_header Strict-Transport-Security "max-age=7200"; + + root /var/www/html; + index index.html; +} + +server { + listen 443 ssl default_server http2; + + ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3; + + ssl_ciphers ALL:!aNULL:!ADH:!eNULL:!LOW:!EXP:RC4+RSA:+HIGH:+MEDIUM; + + server_name lb.net; + + access_log /var/log/nginx/access.log; + error_log /var/log/nginx/error.log info; + + ssl on; + ssl_certificate /cert.crt; + ssl_certificate_key /cert.key; + ssl_session_timeout 5m; + + add_header Strict-Transport-Security "max-age=7200"; + + root /var/www/html; + index index.html; +} +``` + +# Build it yourself + +[Used this guide through this process](https://docs.docker.com/build/building/multi-platform/) + +# Yes + +As far I understood, runs this as privileged to install certain packages / architectures / platforms to your device. 
+ +```shell +docker run --privileged --rm tonistiigi/binfmt --install all +``` +```text +Unable to find image 'tonistiigi/binfmt:latest' locally +latest: Pulling from tonistiigi/binfmt +8d4d64c318a5: Pull complete +e9c608ddc3cb: Pull complete +Digest: sha256:66e11bea77a5ea9d6f0fe79b57cd2b189b5d15b93a2bdb925be22949232e4e55 +Status: Downloaded newer image for tonistiigi/binfmt:latest +installing: arm OK +installing: mips64le OK +installing: mips64 OK +installing: arm64 OK +installing: riscv64 OK +installing: s390x OK +installing: ppc64le OK +{ + "supported": [ + "linux/amd64", + "linux/arm64", + "linux/riscv64", + "linux/ppc64le", + "linux/s390x", + "linux/386", + "linux/mips64le", + "linux/mips64", + "linux/arm/v7", + "linux/arm/v6" + ], + "emulators": [ + "qemu-aarch64", + "qemu-arm", + "qemu-mips64", + "qemu-mips64el", + "qemu-ppc64le", + "qemu-riscv64", + "qemu-s390x" + ] +} +``` + +## Create builder profile + +```shell +docker buildx create --name mybuilder --driver docker-container --bootstrap +``` +```text +[+] Building 2.0s (1/1) FINISHED + => [internal] booting buildkit 2.0s + => => pulling image moby/buildkit:buildx-stable-1 1.2s + => => creating container buildx_buildkit_mybuilder0 0.8s +mybuilder +``` + +## Use created buildx profile + +```shell +docker buildx use mybuilder +``` + +## Inspect selected buildx profile + +```shell +docker buildx inspect +``` +```text +Name: mybuilder +Driver: docker-container +Last Activity: 2023-04-25 00:33:29 +0000 UTC + +Nodes: +Name: mybuilder0 +Endpoint: unix:///var/run/docker.sock +Status: running +Buildkit: v0.11.5 +Platforms: linux/amd64, linux/amd64/v2, linux/arm64, linux/riscv64, linux/ppc64le, linux/s390x, linux/386, linux/mips64le, linux/mips64, linux/arm/v7, linux/arm/v6 +``` + + +## Build, tag and push + +I am targeting the repo directly, but any registry can be targeted. + +```shell +docker buildx build --platform linux/amd64,linux/arm64,linux/arm/v7 -t oriolfilter/https-nginx-demo:latest . 
--push +``` + +```text +[+] Building 11.0s (24/24) FINISHED + => [internal] load .dockerignore 0.0s + => => transferring context: 2B 0.0s + => [internal] load build definition from Dockerfile 0.0s + => => transferring dockerfile: 383B 0.0s + => [linux/arm/v7 internal] load metadata for docker.io/library/nginx:latest 0.8s + => [linux/arm64 internal] load metadata for docker.io/library/nginx:latest 0.8s + => [linux/amd64 internal] load metadata for docker.io/library/nginx:latest 0.8s +... + +<> Building sounds intensifies <> + +... + => [auth] oriolfilter/https-nginx-demo:pull,push token for registry-1.docker.io +``` \ No newline at end of file -- 2.47.2 From 31418fed6cefef255a16ca2dc2b34092d1b2ca5e Mon Sep 17 00:00:00 2001 From: savagebidoof Date: Tue, 25 Apr 2023 02:59:20 +0200 Subject: [PATCH 07/21] Added some text --- Istio/00-Troubleshooting/README.md | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) diff --git a/Istio/00-Troubleshooting/README.md b/Istio/00-Troubleshooting/README.md index 340f1c4..76e484c 100644 --- a/Istio/00-Troubleshooting/README.md +++ b/Istio/00-Troubleshooting/README.md @@ -3,8 +3,6 @@ gitea: none include_toc: true --- - - # Istioctl analyze `istioctl analyze` reviews the current configuration set. 
@@ -50,13 +48,16 @@ istioctl analyze Warning [IST0104] (Gateway default/helloworld-gateway) The gateway refers to a port that is not exposed on the workload (pod selector istio=ingressgateway; port 81) ``` - # Start the packet capture process on the istio-proxy container from a pod. Target a pod and start a packet capture on the istio-proxy container. This step requires istio to be installed with the flag `values.global.proxy.privileged=true` +This is very useful to confirm if the service is receiving any traffic, or which is the traffic received. + +If mTLS is enabled and configured, the traffic received should be encrypted. + ```shell $ kubectl exec -n default "$(kubectl get pod -n default -l app=helloworld -o jsonpath={.items..metadata.name})" -c istio-proxy -- sudo tcpdump dst port 80 -A tcpdump: verbose output suppressed, use -v[v]... for full protocol decode -- 2.47.2 From 68af7eccd1db6264ba53f90adf70f36dcf3ba5c5 Mon Sep 17 00:00:00 2001 From: savagebidoof Date: Tue, 25 Apr 2023 02:59:41 +0200 Subject: [PATCH 08/21] Added a link of interest that I found relevant back in the day --- .../02-Traffic_management/08a-HTTPS-min-TLS-version/README.md | 4 +++- .../02-Traffic_management/08b-HTTPS-max-TLS-version/README.md | 4 +++- 2 files changed, 6 insertions(+), 2 deletions(-) diff --git a/Istio/02-Traffic_management/08a-HTTPS-min-TLS-version/README.md b/Istio/02-Traffic_management/08a-HTTPS-min-TLS-version/README.md index bcf1667..76708e4 100644 --- a/Istio/02-Traffic_management/08a-HTTPS-min-TLS-version/README.md +++ b/Istio/02-Traffic_management/08a-HTTPS-min-TLS-version/README.md @@ -176,4 +176,6 @@ removed directory 'certfolder/' # Links of Interest -- https://istio.io/latest/docs/reference/config/networking/gateway/#ServerTLSSettings-TLSProtocol \ No newline at end of file +- https://istio.io/latest/docs/reference/config/networking/gateway/#ServerTLSSettings-TLSProtocol + +- https://discuss.istio.io/t/minimum-tls-version/5541/3 \ No newline at end of file 
diff --git a/Istio/02-Traffic_management/08b-HTTPS-max-TLS-version/README.md b/Istio/02-Traffic_management/08b-HTTPS-max-TLS-version/README.md index e664cd4..3629bec 100644 --- a/Istio/02-Traffic_management/08b-HTTPS-max-TLS-version/README.md +++ b/Istio/02-Traffic_management/08b-HTTPS-max-TLS-version/README.md @@ -172,4 +172,6 @@ removed directory 'certfolder/' # Links of Interest -- https://istio.io/latest/docs/reference/config/networking/gateway/#ServerTLSSettings-TLSProtocol \ No newline at end of file +- https://istio.io/latest/docs/reference/config/networking/gateway/#ServerTLSSettings-TLSProtocol + +- https://discuss.istio.io/t/minimum-tls-version/5541/3 \ No newline at end of file -- 2.47.2 From 0ec26ba915787f03b9877c76efbd000c3986ae8a Mon Sep 17 00:00:00 2001 From: savagebidoof Date: Tue, 25 Apr 2023 03:04:51 +0200 Subject: [PATCH 09/21] residual cleanup --- .../XX-HTTP2-gateway-made-it-work/Dockerfile | 13 ------- .../XX-HTTP2-gateway-made-it-work/server.conf | 37 ------------------- .../Dockerfile | 13 ------- .../server.conf | 37 ------------------- 4 files changed, 100 deletions(-) delete mode 100644 Istio/02-Traffic_management/XX-HTTP2-gateway-made-it-work/Dockerfile delete mode 100644 Istio/02-Traffic_management/XX-HTTP2-gateway-made-it-work/server.conf delete mode 100644 Istio/02-Traffic_management/__XX-TLS-PASSTHROUGH_BK_pcap_see_encrypted_traffic/Dockerfile delete mode 100644 Istio/02-Traffic_management/__XX-TLS-PASSTHROUGH_BK_pcap_see_encrypted_traffic/server.conf diff --git a/Istio/02-Traffic_management/XX-HTTP2-gateway-made-it-work/Dockerfile b/Istio/02-Traffic_management/XX-HTTP2-gateway-made-it-work/Dockerfile deleted file mode 100644 index e3df53b..0000000 --- a/Istio/02-Traffic_management/XX-HTTP2-gateway-made-it-work/Dockerfile +++ /dev/null 
@@ -1,13 +0,0 @@ -FROM nginx - -ADD server.conf /etc/nginx/conf.d/default.conf - -# RUN apt-get update && \ -# apt-get install apache2 openssl -y && \ -# a2ensite default-ssl && \ -# a2enmod ssl && \ - -RUN mkdir -p /var/www/html -RUN echo "

Howdy

" | tee /var/www/html/index.html - -RUN openssl req -x509 -sha256 -nodes -days 358000 -subj '/O=SSL EXAMPLE/CN=lb.net' -newkey rsa:2048 -keyout /cert.key -out /cert.crt \ No newline at end of file diff --git a/Istio/02-Traffic_management/XX-HTTP2-gateway-made-it-work/server.conf b/Istio/02-Traffic_management/XX-HTTP2-gateway-made-it-work/server.conf deleted file mode 100644 index 1b7c17a..0000000 --- a/Istio/02-Traffic_management/XX-HTTP2-gateway-made-it-work/server.conf +++ /dev/null @@ -1,37 +0,0 @@ -server { - listen 80; -# rewrite ^ https://$server_name$request_uri? permanent; - - server_name lb.net; - - access_log /var/log/nginx/access.log; - error_log /var/log/nginx/error.log info; - - add_header Strict-Transport-Security "max-age=7200"; - - root /var/www/html; - index index.html; -} - -server { - listen 443 ssl default_server http2; - - ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3; - - ssl_ciphers ALL:!aNULL:!ADH:!eNULL:!LOW:!EXP:RC4+RSA:+HIGH:+MEDIUM; - - server_name lb.net; - - access_log /var/log/nginx/access.log; - error_log /var/log/nginx/error.log info; - - ssl on; - ssl_certificate /cert.crt; - ssl_certificate_key /cert.key; - ssl_session_timeout 5m; - - add_header Strict-Transport-Security "max-age=7200"; - - root /var/www/html; - index index.html; -} \ No newline at end of file diff --git a/Istio/02-Traffic_management/__XX-TLS-PASSTHROUGH_BK_pcap_see_encrypted_traffic/Dockerfile b/Istio/02-Traffic_management/__XX-TLS-PASSTHROUGH_BK_pcap_see_encrypted_traffic/Dockerfile deleted file mode 100644 index e3df53b..0000000 --- a/Istio/02-Traffic_management/__XX-TLS-PASSTHROUGH_BK_pcap_see_encrypted_traffic/Dockerfile +++ /dev/null @@ -1,13 +0,0 @@ -FROM nginx - -ADD server.conf /etc/nginx/conf.d/default.conf - -# RUN apt-get update && \ -# apt-get install apache2 openssl -y && \ -# a2ensite default-ssl && \ -# a2enmod ssl && \ - -RUN mkdir -p /var/www/html -RUN echo "

Howdy

" | tee /var/www/html/index.html - -RUN openssl req -x509 -sha256 -nodes -days 358000 -subj '/O=SSL EXAMPLE/CN=lb.net' -newkey rsa:2048 -keyout /cert.key -out /cert.crt \ No newline at end of file diff --git a/Istio/02-Traffic_management/__XX-TLS-PASSTHROUGH_BK_pcap_see_encrypted_traffic/server.conf b/Istio/02-Traffic_management/__XX-TLS-PASSTHROUGH_BK_pcap_see_encrypted_traffic/server.conf deleted file mode 100644 index 1b7c17a..0000000 --- a/Istio/02-Traffic_management/__XX-TLS-PASSTHROUGH_BK_pcap_see_encrypted_traffic/server.conf +++ /dev/null @@ -1,37 +0,0 @@ -server { - listen 80; -# rewrite ^ https://$server_name$request_uri? permanent; - - server_name lb.net; - - access_log /var/log/nginx/access.log; - error_log /var/log/nginx/error.log info; - - add_header Strict-Transport-Security "max-age=7200"; - - root /var/www/html; - index index.html; -} - -server { - listen 443 ssl default_server http2; - - ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3; - - ssl_ciphers ALL:!aNULL:!ADH:!eNULL:!LOW:!EXP:RC4+RSA:+HIGH:+MEDIUM; - - server_name lb.net; - - access_log /var/log/nginx/access.log; - error_log /var/log/nginx/error.log info; - - ssl on; - ssl_certificate /cert.crt; - ssl_certificate_key /cert.key; - ssl_session_timeout 5m; - - add_header Strict-Transport-Security "max-age=7200"; - - root /var/www/html; - index index.html; -} \ No newline at end of file -- 2.47.2 From 96ef03948d7816c4c9a0a2859e4e5dddaa95e119 Mon Sep 17 00:00:00 2001 From: savagebidoof Date: Tue, 25 Apr 2023 03:05:00 +0200 Subject: [PATCH 10/21] Upload --- .../HTTPS-NGINX-DOCKERFILE}/Dockerfile | 5 ----- .../HTTPS-NGINX-DOCKERFILE}/server.conf | 1 - 2 files changed, 6 deletions(-) rename Istio/{02-Traffic_management/__XX-TLS-PASSTHROUGH => 99-resources/HTTPS-NGINX-DOCKERFILE}/Dockerfile (70%) rename Istio/{02-Traffic_management/__XX-TLS-PASSTHROUGH => 99-resources/HTTPS-NGINX-DOCKERFILE}/server.conf (92%) 
diff --git a/Istio/02-Traffic_management/__XX-TLS-PASSTHROUGH/Dockerfile b/Istio/99-resources/HTTPS-NGINX-DOCKERFILE/Dockerfile similarity index 70% rename from Istio/02-Traffic_management/__XX-TLS-PASSTHROUGH/Dockerfile rename to Istio/99-resources/HTTPS-NGINX-DOCKERFILE/Dockerfile index e3df53b..f8ecbf1 100644 --- a/Istio/02-Traffic_management/__XX-TLS-PASSTHROUGH/Dockerfile +++ b/Istio/99-resources/HTTPS-NGINX-DOCKERFILE/Dockerfile @@ -2,11 +2,6 @@ FROM nginx ADD server.conf /etc/nginx/conf.d/default.conf -# RUN apt-get update && \ -# apt-get install apache2 openssl -y && \ -# a2ensite default-ssl && \ -# a2enmod ssl && \ - RUN mkdir -p /var/www/html RUN echo "

Howdy

" | tee /var/www/html/index.html diff --git a/Istio/02-Traffic_management/__XX-TLS-PASSTHROUGH/server.conf b/Istio/99-resources/HTTPS-NGINX-DOCKERFILE/server.conf similarity index 92% rename from Istio/02-Traffic_management/__XX-TLS-PASSTHROUGH/server.conf rename to Istio/99-resources/HTTPS-NGINX-DOCKERFILE/server.conf index 1b7c17a..6904874 100644 --- a/Istio/02-Traffic_management/__XX-TLS-PASSTHROUGH/server.conf +++ b/Istio/99-resources/HTTPS-NGINX-DOCKERFILE/server.conf @@ -1,6 +1,5 @@ server { listen 80; -# rewrite ^ https://$server_name$request_uri? permanent; server_name lb.net; -- 2.47.2 From 73041ccc499d443d71c91ce53e2acfc57780b22d Mon Sep 17 00:00:00 2001 From: savagebidoof Date: Tue, 25 Apr 2023 03:05:24 +0200 Subject: [PATCH 11/21] Residual cleanup, those where uploaded right after finishing the tests. --- .../certfolder/istio.cert.crt | 20 ------------- .../certfolder/istio.cert.key | 28 ------------------- 2 files changed, 48 deletions(-) delete mode 100644 Istio/02-Traffic_management/??-TCP-FORWARDING-(WORKS)/certfolder/istio.cert.crt delete mode 100644 Istio/02-Traffic_management/??-TCP-FORWARDING-(WORKS)/certfolder/istio.cert.key diff --git a/Istio/02-Traffic_management/??-TCP-FORWARDING-(WORKS)/certfolder/istio.cert.crt b/Istio/02-Traffic_management/??-TCP-FORWARDING-(WORKS)/certfolder/istio.cert.crt deleted file mode 100644 index 72dd154..0000000 --- a/Istio/02-Traffic_management/??-TCP-FORWARDING-(WORKS)/certfolder/istio.cert.crt +++ /dev/null 
@@ -1,20 +0,0 @@ ------BEGIN CERTIFICATE----- -MIIDPTCCAiWgAwIBAgIUNR/VCRO6PPCYDZKIApOQ4n/d7OUwDQYJKoZIhvcNAQEL -BQAwLjEbMBkGA1UECgwSSW50ZXJuZXQgb2YgdGhpbmdzMQ8wDQYDVQQDDAZsYi5u -ZXQwHhcNMjMwNDIzMjI1NjE5WhcNMjQwNDIyMjI1NjE5WjAuMRswGQYDVQQKDBJJ -bnRlcm5ldCBvZiB0aGluZ3MxDzANBgNVBAMMBmxiLm5ldDCCASIwDQYJKoZIhvcN -AQEBBQADggEPADCCAQoCggEBAKKEn3TzyYjW3W/MLKCd18ygojKWgN12gxNxZcQF -BvghPTNsESt+aBuI1N1Xzj+Bvxs5Bs4FVcMXAkOmLtvwbd6A9owZwd8E9ODKrhau -Uk9eNQf6ZvSF2GeQoI39SFCL2NEKOzMmEYxGlf842yFaSxgrMx2GirSsqEEPhstS -LAEldjU77pQ9OniIHuYLfA6AamAz51hXPytpGiaRqAm/xIvRtPFuA9pXJHhREtUG -S/O6P2v980YAuP8hl3LIpOM9xUod4+x9EHfBXHI5iuPET5kjCnIF/45UmKPtwsga -RUN3fqYAknJSPyI+s+xnxulkxM9A1kmP8MvDeO/4hAMSA1MCAwEAAaNTMFEwHQYD -VR0OBBYEFACskVXLguvAreQgdla3hoZqlcxMMB8GA1UdIwQYMBaAFACskVXLguvA -reQgdla3hoZqlcxMMA8GA1UdEwEB/wQFMAMBAf8wDQYJKoZIhvcNAQELBQADggEB -AI3SNO84LwluCbTMBYthD+5cMnC6rARyrJBwkYoJfCqgu6j/h8Lcou5VSYVOR4J5 -R3DiyTFutBKYnifnuZgHjNioI6l/uFphPRmoeH1I5zKghq5P2x6LE/Z6/0alzN9X -ZBgYPWQ5wenrilQ94yLJXX2kwgK5jbMinmTzw8SFHe+Qn5ZlJnAW+YR8vJ+Nu30Q -rhxSxbNqa2yFPOkV4qjc4zkJ+67bKv7yLJ5WKF6Mfafct69FBwSVVCROsY5mHg8c -xMyP3d6N01R7XXJATEHbyJHvUUXBtLgA41H8g3vwj1ugKdBhWijBeeBZEyz11U20 -0j6OhMfBuYikiRQl1dfZltg= ------END CERTIFICATE----- diff --git a/Istio/02-Traffic_management/??-TCP-FORWARDING-(WORKS)/certfolder/istio.cert.key b/Istio/02-Traffic_management/??-TCP-FORWARDING-(WORKS)/certfolder/istio.cert.key deleted file mode 100644 index 6b3f82d..0000000 --- a/Istio/02-Traffic_management/??-TCP-FORWARDING-(WORKS)/certfolder/istio.cert.key +++ /dev/null 
@@ -1,28 +0,0 @@ ------BEGIN PRIVATE KEY----- -MIIEvAIBADANBgkqhkiG9w0BAQEFAASCBKYwggSiAgEAAoIBAQCihJ9088mI1t1v -zCygndfMoKIyloDddoMTcWXEBQb4IT0zbBErfmgbiNTdV84/gb8bOQbOBVXDFwJD -pi7b8G3egPaMGcHfBPTgyq4WrlJPXjUH+mb0hdhnkKCN/UhQi9jRCjszJhGMRpX/ -ONshWksYKzMdhoq0rKhBD4bLUiwBJXY1O+6UPTp4iB7mC3wOgGpgM+dYVz8raRom -kagJv8SL0bTxbgPaVyR4URLVBkvzuj9r/fNGALj/IZdyyKTjPcVKHePsfRB3wVxy -OYrjxE+ZIwpyBf+OVJij7cLIGkVDd36mAJJyUj8iPrPsZ8bpZMTPQNZJj/DLw3jv -+IQDEgNTAgMBAAECggEAB33Pj+eQ+bLV4EpsIDdGdFNPRr+zTwIghqvqgf+tU5DM -rmsj23pnOCW1kkJy6nCDq7CURLjwPB76Zr3pWRAbMG+HbeveCPbEhvwwzDDa8Heq -QCTlzA3DbPq4u/LZ+4SGyRQMqI3vrySt02b+iuoLniCXqZvDFxMCaoVZtFOkXaUW -mYVkW3BtLdIqHUolql9Tt6kPf9Es7AQhce1ZGrvRSxhiG8xRU4Fmb5zRPXAd/Uzj -RHzJtcHTFbhjWn/fngtxVUdBNqSNx5z8Bhtex39hgWwULuAyf6jSQbwLtURdyuR8 -WlaJjIV5uZ6ghkQ0mTWyEivuQzuaEUxOND05HgPi8QKBgQDXf8uZSZoCitjHCZ1i -1O1Xh40qzYYY6KrMc+rzA3BGsgLmQRw5oj0JlhlAPUjh7RmDz6nMEZpUJgKDtyvt -ktJz28l9ybF5qVjjHz1ZBHxaPC/bruO+4mUsYN6bK4tcIm0j6huuSO7igs7I33ZA -9bcLkUTtV4QmcKHhIu2UfLVR+QKBgQDBD8XC9alaJHuSjCizPQyrCmmgFHZqNMG9 -IFKOtxXIAX5fJ8RZGyTfObuw2DJncsRGjX6XWr3xo91P/h0sF87FYQ92qz8ji6cg -rZ+rD9LY6DaVpAB+i0h97PAEgKwkFhXbuTEVDUCY8yFvwz4OGBeKTq19DrMgdeCj -tAIXq+bSqwKBgAPyIxg7cMZ7JF0AoBEfNPlVUhBmkv4BxJ7ZwIOSnIuu1r7AknO7 -tMJoLS4v8RWx8bWoJ8PEzr6bs5AV2ogPGCtm6tmSx90ibK479DOdEWnVkErFeQYV -vySA4ZKVyYd2Wek+cCNQ0o7zNjYXYWLvHNrpXgm6gIDzrwMgUJlXbzqBAoGANZEy -xg1zl9dXkinhgRoHUc3p0MjcsktBFkDJp1+VY5FGhxB5ol+ts2JJeaADHEDzxL+t -yEEdQta8qV1QqtNQQ+PSbpLFSg+Np7uE+enCDv0faBXBLVtoGciMMDOjj7+xAO45 -eCXdLpMHTANYTIDSx0VdTb2uZetPERz5F6hSu1ECgYAvBqCirwy2HHNuRD7KqpaF -vyiwIPRj4PK8z0IF4KAEgI9+WWyXLFi7QV3J1PErLlFzc6YW1Z427lfsgGZ9wBXy -D6Gk7u08FSU+5lyO+X43wlj+XefRFo7AVA52iYSNlz7WS618AYLJyWC4xBt6Ya/Z -49OKVGZRjHierSA2yZl5fQ== ------END PRIVATE KEY----- -- 2.47.2 From 2dab5274ca4bf91e2626d650080bfddd6de47805 Mon Sep 17 00:00:00 2001 
From: savagebidoof Date: Tue, 25 Apr 2023 03:06:09 +0200 Subject: [PATCH 12/21] Removed old `https-apache-demo` for recent `https-nginx-demo` image. --- .../??-TCP-FORWARDING-(WORKS)/deployment.yaml | 2 +- .../XX-HTTP2-gateway-made-it-work/deployment.yaml | 2 +- Istio/02-Traffic_management/XX-HTTPS-backend/deployment.yaml | 2 +- .../02-Traffic_management/__XX-TLS-PASSTHROUGH/deployment.yaml | 2 +- 4 files changed, 4 insertions(+), 4 deletions(-) diff --git a/Istio/02-Traffic_management/??-TCP-FORWARDING-(WORKS)/deployment.yaml b/Istio/02-Traffic_management/??-TCP-FORWARDING-(WORKS)/deployment.yaml index 7bb85ab..ae41138 100755 --- a/Istio/02-Traffic_management/??-TCP-FORWARDING-(WORKS)/deployment.yaml +++ b/Istio/02-Traffic_management/??-TCP-FORWARDING-(WORKS)/deployment.yaml @@ -39,7 +39,7 @@ spec: containers: - name: helloworld # image: nginx - image: oriolfilter/https-apache-demo:armv7 + image: oriolfilter/https-nginx-demo resources: requests: cpu: "100m" diff --git a/Istio/02-Traffic_management/XX-HTTP2-gateway-made-it-work/deployment.yaml b/Istio/02-Traffic_management/XX-HTTP2-gateway-made-it-work/deployment.yaml index afeb40d..3f9ad6c 100755 --- a/Istio/02-Traffic_management/XX-HTTP2-gateway-made-it-work/deployment.yaml +++ b/Istio/02-Traffic_management/XX-HTTP2-gateway-made-it-work/deployment.yaml @@ -40,7 +40,7 @@ spec: spec: containers: - name: helloworld - image: oriolfilter/https-apache-demo:armv7 + image: oriolfilter/https-nginx-demo resources: requests: cpu: "100m" diff --git a/Istio/02-Traffic_management/XX-HTTPS-backend/deployment.yaml b/Istio/02-Traffic_management/XX-HTTPS-backend/deployment.yaml index afeb40d..3f9ad6c 100755 --- a/Istio/02-Traffic_management/XX-HTTPS-backend/deployment.yaml +++ b/Istio/02-Traffic_management/XX-HTTPS-backend/deployment.yaml @@ -40,7 +40,7 @@ spec: spec: containers: - name: helloworld - image: oriolfilter/https-apache-demo:armv7 + image: oriolfilter/https-nginx-demo resources: requests: cpu: "100m" 
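Review bot: The new `image: oriolfilter/https-nginx-demo` carries no tag, so it resolves to the mutable `latest`, and combined with `imagePullPolicy: IfNotPresent` each node will keep whatever build it cached first; the four deployments in this commit can therefore silently run different images. Pin at least an explicit tag, and preferably a digest, e.g. `image: oriolfilter/https-nginx-demo@sha256:<digest-placeholder>`, with the digest taken from the push output documented in patch 06. The same change applies to the XX-HTTP2-gateway-made-it-work and XX-HTTPS-backend hunks on this line and to the __XX-TLS-PASSTHROUGH hunk on the next, and the stale `# image: nginx` comment left above the first one could be removed while at it.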
diff --git a/Istio/02-Traffic_management/__XX-TLS-PASSTHROUGH/deployment.yaml b/Istio/02-Traffic_management/__XX-TLS-PASSTHROUGH/deployment.yaml index afeb40d..3f9ad6c 100755 --- a/Istio/02-Traffic_management/__XX-TLS-PASSTHROUGH/deployment.yaml +++ b/Istio/02-Traffic_management/__XX-TLS-PASSTHROUGH/deployment.yaml @@ -40,7 +40,7 @@ spec: spec: containers: - name: helloworld - image: oriolfilter/https-apache-demo:armv7 + image: oriolfilter/https-nginx-demo resources: requests: cpu: "100m" -- 2.47.2 From 28994224620ee281fde9da7badc0f81e24d2992a Mon Sep 17 00:00:00 2001 From: savagebidoof Date: Tue, 25 Apr 2023 03:41:59 +0200 Subject: [PATCH 13/21] Documented `02-Traffic_management/09-TCP-FORWARDING` --- .../09-TCP-FORWARDING/README.md | 239 ++++++++++++++ .../??-TCP-FORWARDING-(WORKS)/README.md | 304 ------------------ 2 files changed, 239 insertions(+), 304 deletions(-) create mode 100644 Istio/02-Traffic_management/09-TCP-FORWARDING/README.md delete mode 100644 Istio/02-Traffic_management/??-TCP-FORWARDING-(WORKS)/README.md diff --git a/Istio/02-Traffic_management/09-TCP-FORWARDING/README.md b/Istio/02-Traffic_management/09-TCP-FORWARDING/README.md new file mode 100644 index 0000000..f16da84 --- /dev/null +++ b/Istio/02-Traffic_management/09-TCP-FORWARDING/README.md 
@@ -0,0 +1,239 @@ +--- +gitea: none +include_toc: true +--- + +# Based on + +- [08a-HTTPS-min-TLS-version](../08a-HTTPS-min-TLS-version) + +# Description + +The previous example was modified set TCP forwarding towards the backend. + +The backend contains an HTTPS service, which is used to demonstrate how the TCP forwarding is working as intended (aka doesn't disturb HTTP traffic). + +The same backend also contains the same service but running as HTTP, and for such has also been set in the gateway to display both working as intended. + +Additionally, the backend used, has HTTP2 enable, which also will be used to confirm that it's working as intended. + +> **Note:**\ +> For more information about the image used refer to [here](https://hub.docker.com/r/oriolfilter/https-apache-demo) + +# Configuration + +## Gateway + +Gateway been configured to listen both ports `80` and `443` through the TCP protocol, without any host specified. + +```yaml +apiVersion: networking.istio.io/v1alpha3 +kind: Gateway +metadata: + name: helloworld-gateway +spec: + selector: + istio: ingressgateway + servers: + - port: + number: 80 + name: tcp-1 + protocol: TCP + hosts: + - "*" + - port: + number: 443 + name: tcp-2 + protocol: TCP + hosts: + - "*" +``` + +## Virtual service + +Virtual service have 2 rules that perform the same behavior, on different ports. + +The rules will receive the traffic and forward it to the destination service and port. + +```yaml +apiVersion: networking.istio.io/v1alpha3 +kind: VirtualService +metadata: + name: helloworld-vs +spec: + hosts: + - "*" + gateways: + - helloworld-gateway + tcp: + - match: + - port: 80 + route: + - destination: + host: helloworld.default.svc.cluster.local + port: + number: 8080 + - match: + - port: 443 + route: + - destination: + host: helloworld.default.svc.cluster.local + port: + number: 8443 +``` + +## Service + +The service will forward the incoming TCP traffic with port 8080, to the deployment port 80. 
+The same behavior is applied for the service port 8443, that will be forwarded towards the port 443 from the deployment. + +```yaml +apiVersion: v1 +kind: Service +metadata: + name: helloworld + labels: + app: helloworld + service: helloworld +spec: + ports: + - port: 8080 + name: http-web + targetPort: 80 + protocol: TCP + - port: 8443 + name: https-web + targetPort: 443 + protocol: TCP + selector: + app: helloworld +``` + +## Deployment + +Deployment listens to port 80 and 443. + +> **Note:**\ +> For more information about the image used refer to [here](https://hub.docker.com/r/oriolfilter/https-apache-demo) + +```yaml +apiVersion: apps/v1 +kind: Deployment +metadata: + name: helloworld-nginx + labels: + app: helloworld +spec: + replicas: 1 + selector: + matchLabels: + app: helloworld + template: + metadata: + labels: + app: helloworld + spec: + containers: + - name: helloworld + image: oriolfilter/https-nginx-demo + resources: + requests: + cpu: "100m" + imagePullPolicy: IfNotPresent + ports: + - containerPort: 80 + - containerPort: 443 +``` + +# Walkthrough + +## Deploy resources + +```shell +kubectl apply -f ./ +``` +```text +service/helloworld created +deployment.apps/helloworld-nginx created +gateway.networking.istio.io/helloworld-gateway created +virtualservice.networking.istio.io/helloworld-vs created +``` + +## Test the service + +### Get LB IP + +```shell +$ kubectl get svc -l istio=ingressgateway -A +NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE +istio-ingressgateway LoadBalancer 10.97.47.216 192.168.1.50 15021:31316/TCP,80:32012/TCP,443:32486/TCP 39h +``` + +### curl HTTP + +```shell +curl http://192.168.1.50 -s -o=/dev/null -w 'http_version: %{http_version}\nstatus_code: %{response_code}\n' +``` +```text +http_version: 1.1 +status_code: 426 +``` + +#### curl HTTPS + +This already confirms that `HTTP2` is working as intended. 
+ +```shell +curl https://192.168.1.50 -ks -o=/dev/null -w 'http_version: %{http_version}\nstatus_code: %{response_code}\n' --http1.1 +``` +```text +http_version: 2 +status_code: 200 +``` + +#### Curl HTTP2 + +The previous example already displayed that `HTTP2` is working as intended. + +This example is maintained due being explicitly to confirm the `HTTP2` feature. + +```shell +curl https://192.168.1.50 -w 'http_version: %{http_version}\nstatus_code: %{response_code}\n' --http2 -sk -o=/dev/null +``` +```text +http_version: 2 +status_code: 200 +``` + +#### Curl HTTP1.1 + +We can confirm that `HTTP1.1` also works over `TCP forwarding`. + +```shell +curl https://192.168.1.50 -w 'http_version: %{http_version}\nstatus_code: %{response_code}\n' --http1.1 -sk -o=/dev/null +``` +```text +http_version: 1.1 +status_code: 200 +``` + +## Cleanup + +```shell +kubectl delete -f ./ +``` + +```text +service "helloworld" deleted +deployment.apps "helloworld-nginx" deleted +gateway.networking.istio.io "helloworld-gateway" deleted +virtualservice.networking.istio.io "helloworld-vs" deleted +``` + +# Links of Interest + +- https://istio.io/latest/docs/reference/config/networking/gateway/#ServerTLSSettings-TLSProtocol + +- https://stackoverflow.com/a/51279606 + +- https://istio.io/latest/docs/reference/config/networking/destination-rule/#ConnectionPoolSettings-HTTPSettings-H2UpgradePolicy diff --git a/Istio/02-Traffic_management/??-TCP-FORWARDING-(WORKS)/README.md b/Istio/02-Traffic_management/??-TCP-FORWARDING-(WORKS)/README.md deleted file mode 100644 index be28ee3..0000000 --- a/Istio/02-Traffic_management/??-TCP-FORWARDING-(WORKS)/README.md +++ /dev/null 
@@ -1,304 +0,0 @@ ---- -gitea: none -include_toc: true ---- - -# Based on - -- [08a-HTTPS-min-TLS-version](../08a-HTTPS-min-TLS-version) - -# Description - -The previous example was modified set the gateway to enable for HTTP2 traffic. - -https://stackoverflow.com/a/59610581 - - -# Changelog - -## Gateway - -```yaml -apiVersion: networking.istio.io/v1alpha3 -kind: Gateway -metadata: - name: helloworld-gateway -spec: - selector: - istio: ingressgateway - servers: - - port: - number: 443 - name: secure-http2 - protocol: HTTP2 - hosts: - - "*" - tls: - mode: SIMPLE - credentialName: my-tls-cert-secret - minProtocolVersion: TLSV1_2 -``` - -`` - -# Walkthrough - - -## Generate client and server certificate and key files - -First step will be to generate the certificate and key files to be able to set them to the Gateway resource. - -### Create a folder to store files. - -Create the folder to contain the files that will be generated. - -```shell -mkdir certfolder -``` - -### Create a certificate and a private key. - -```shell -openssl req -x509 -sha256 -nodes -days 365 -subj '/O=Internet of things/CN=lb.net' -newkey rsa:2048 -keyout certfolder/istio.cert.key -out certfolder/istio.cert.crt -``` - -The files generated are the following: - -```yaml -private-key: certfolder/istio.cert.key -root-certificate: certfolder/istio.cert.crt -``` - -The information set to the certificate generated is the following: - -```yaml -Organization-name: Internet of things -CN: lb.net -``` - -### Create a TLS secret - -At this step we create the tls secret `my-tls-cert-secret` on the namespace `istio-system`. 
- -```shell -kubectl create -n istio-system secret tls my-tls-cert-secret \ - --key=certfolder/istio.cert.key \ - --cert=certfolder/istio.cert.crt -``` -```text -secret/my-tls-cert-secret created -``` -```text -service/helloworld created -deployment.apps/helloworld-nginx created -gateway.networking.istio.io/helloworld-gateway created -virtualservice.networking.istio.io/helloworld-vs created -``` - -> **Note:**\ -> It's Important that the secret is located in the same namespace as the Load Balancer used. In my case is the `istio-system`, but it will vary based on the environment. - - -## Deploy resources - -```shell -kubectl apply -f ./ -``` -```text -service/helloworld created -deployment.apps/helloworld-nginx created -gateway.networking.istio.io/helloworld-gateway created -virtualservice.networking.istio.io/helloworld-vs created -``` - -## Test the service -### http2 -#### Curl HTTP1 - -```shell -curl 192.168.1.50/helloworld -s -o=/dev/null -w 'http_version: %{http_version}\nstatus_code: %{response_code}\n' -HHOST:http2.lb --http1.0 -``` -```text -http_version: 1.1 -status_code: 426 -``` - -#### Curl HTTP1.1 - -```shell -curl 192.168.1.50/helloworld -s -o=/dev/null -w 'http_version: %{http_version}\nstatus_code: %{response_code}\n' -HHOST:http2.lb --http1.1 -``` -```text -http_version: 1.1 -status_code: 200 -``` - -#### Curl HTTP2 - -```shell -curl 192.168.1.50/helloworld -s -o=/dev/null -w 'http_version: %{http_version}\nstatus_code: %{response_code}\n' -HHOST:http2.lb --http2 -``` -```text -http_version: 1.1 -status_code: 200 -``` - -### http1-web - -#### Curl HTTP1 - -```shell -curl 192.168.1.50/helloworld -s -o=/dev/null -w 'http_version: %{http_version}\nstatus_code: %{response_code}\n' -HHOST:http1.lb --http1.0 -``` -```text -http_version: 1.1 -status_code: 426 -``` - -#### Curl HTTP1.1 - -```shell -curl 192.168.1.50/helloworld -s -o=/dev/null -w 'http_version: %{http_version}\nstatus_code: %{response_code}\n' -HHOST:http1.lb --http1.1 -``` -```text 
-http_version: 1.1 -status_code: 200 -``` - -#### Curl HTTP2 - -```shell -curl 192.168.1.50/helloworld -s -o=/dev/null -w 'http_version: %{http_version}\nstatus_code: %{response_code}\n' -HHOST:http1.lb --http2 -``` -```text -http_version: 1.1 -status_code: 200 -``` - -## Cleanup - -```shell -kubectl delete -f ./ -``` - -```text -service "helloworld" deleted -deployment.apps "helloworld-nginx" deleted -gateway.networking.istio.io "helloworld-gateway" deleted -virtualservice.networking.istio.io "helloworld-vs" deleted -``` - -# Links of Interest - -- https://istio.io/latest/docs/reference/config/networking/gateway/#ServerTLSSettings-TLSProtocol - -- https://stackoverflow.com/a/51279606 - -- https://istio.io/latest/docs/reference/config/networking/destination-rule/#ConnectionPoolSettings-HTTPSettings-H2UpgradePolicy - - - -docker buildx build --push --platform linux/arm/v7,linux/arm64/v8,linux/amd64 --tag registery.filter.home:5000/https-demo:latest -f Dockerfile - - -docker buildx build --push --platform linux/arm/v7,linux/arm64/v8,linux/amd64 --tag registery.filter.home:5000/https-demo:latest . -[+] Building 0.0s (0/0) -ERROR: multiple platforms feature is currently not supported for docker driver. Please switch to a different driver (eg. "docker buildx create --use") - ---- -## Create the Dockerfile - -```bash -FROM ubuntu/apache2 - -RUN apt-get update && \ -apt-get install apache2 openssl -y && \ -a2ensite default-ssl && \ -a2enmod ssl && \ -echo "

Howdy

" | tee /var/www/html/index.html - -RUN /usr/bin/printf "\n\ - ServerAdmin webmaster@localhost\n\ - DocumentRoot /var/www/html\n\ - ErrorLog \${APACHE_LOG_DIR}/error.log\n\ - CustomLog \${APACHE_LOG_DIR}/access.log combined\n\ -\n\ -\n\ - ServerAdmin webmaster@localhost\n\ - DocumentRoot /var/www/html\n\ - ErrorLog \${APACHE_LOG_DIR}/error.log\n\ - CustomLog \${APACHE_LOG_DIR}/access.log combined\n\ - SSLEngine on\n\ - SSLCertificateFile /etc/ssl/certs/ssl-cert-snakeoil.pem\n\ - SSLCertificateKeyFile /etc/ssl/private/ssl-cert-snakeoil.key\n\ -" > /etc/apache2/sites-available/000-default.conf - -RUN openssl req -x509 -sha256 -nodes -days 358000 -subj '/O=SSL EXAMPLE' -newkey rsa:2048 -keyout /etc/ssl/private/ssl-cert-snakeoil.key -out /etc/ssl/certs/ssl-cert-snakeoil.pem -``` - -## Build the image - -Due to my Kubernetes cluster environment, where I am using Orange 5, their architecture is arm7, and for such, I require to compile such images. - -For my own commodity, I have used a raspberry pi 4 to build this images. - -The images where pushed to a local registry server, and afterwards the Kubernetes cluster will pull such image. - -```shell - docker build --tag https-demo:armv7 . -``` -```text -docker build --tag https-demo:armv7 . 
--no-cache -[+] Building 16.5s (8/8) FINISHED - => [internal] load .dockerignore 0.0s - => => transferring context: 2B 0.0s - => [internal] load build definition from Dockerfile 0.0s - => => transferring dockerfile: 1.09kB 0.0s - => [internal] load metadata for docker.io/ubuntu/apache2:latest 0.4s - => CACHED [1/4] FROM docker.io/ubuntu/apache2@sha256:0a5e7179fa8fccf17843a8862e58ac783628b7d448cd68fda8fb1e 0.0s - => [2/4] RUN apt-get update && apt-get install apache2 openssl -y && a2ensite default-ssl && a2enmod ssl & 12.0s - => [3/4] RUN /usr/bin/printf "\n ServerAdmin webmaster@localhost\n DocumentRoot /var/www/ 0.7s - => [4/4] RUN openssl req -x509 -sha256 -nodes -days 358000 -subj '/O=SSL EXAMPLE' -newkey rsa:2048 -keyout 2.4s - => exporting to image 1.0s - => => exporting layers 1.0s - => => writing image sha256:591c6d233100a48bf132eef7a792942cfd0b7057817c4ac5e156c1d33e24cd89 0.0s - => => naming to docker.io/library/https-demo:armv7 0.0s -``` - -## Tag the image - -```shell -docker image tag https-demo:armv7 registery.filter.home/https-demo:armv7 -``` - -## Upload to the registery server - -```text -docker image push registery.filter.home:5000/https-demo:armv7 -The push refers to repository [registery.filter.home:5000/https-demo] -c6d858706b08: Pushed -9e077e0202f0: Pushed -6ffc708d0cf3: Pushed -69e01b4bf4d7: Pushed -17c5b30f3843: Pushed -0b9f60fbcaf1: Pushed -armv7: digest: sha256:d8c81c27f23bf3945ae8a794c82182f9e6c48ec927f388fdf4a88caa0e284bd1 size: 1578 -``` - - - -## ? -curl: (35) OpenSSL/3.0.8: error:0A00010B:SSL routines::wrong version numbe - - - - - ---- - - -Has apache2 installed with a default certificate. - -Port 80 visible for HTTP - -Port 443 visible for HTTPS. \ No newline at end of file -- 2.47.2 From cdff7c620cc31ca90d9e63a0d7c81b56d322eceb Mon Sep 17 00:00:00 2001 
From: savagebidoof Date: Tue, 25 Apr 2023 03:42:10 +0200 Subject: [PATCH 14/21] Documented `02-Traffic_management/09-TCP-FORWARDING` --- .../deployment.yaml | 9 +- .../09-TCP-FORWARDING/gateway.yaml | 45 ++++++++++ .../??-TCP-FORWARDING-(WORKS)/gateway.yaml | 83 ------------------- 3 files changed, 48 insertions(+), 89 deletions(-) rename Istio/02-Traffic_management/{??-TCP-FORWARDING-(WORKS) => 09-TCP-FORWARDING}/deployment.yaml (83%) create mode 100755 Istio/02-Traffic_management/09-TCP-FORWARDING/gateway.yaml delete mode 100755 Istio/02-Traffic_management/??-TCP-FORWARDING-(WORKS)/gateway.yaml diff --git a/Istio/02-Traffic_management/??-TCP-FORWARDING-(WORKS)/deployment.yaml b/Istio/02-Traffic_management/09-TCP-FORWARDING/deployment.yaml similarity index 83% rename from Istio/02-Traffic_management/??-TCP-FORWARDING-(WORKS)/deployment.yaml rename to Istio/02-Traffic_management/09-TCP-FORWARDING/deployment.yaml index ae41138..92c59bd 100755 --- a/Istio/02-Traffic_management/??-TCP-FORWARDING-(WORKS)/deployment.yaml +++ b/Istio/02-Traffic_management/09-TCP-FORWARDING/deployment.yaml @@ -8,12 +8,11 @@ metadata: spec: ports: - port: 8080 - name: tcp-a + name: http-web targetPort: 80 protocol: TCP - - port: 8443 - name: tcp-b + name: https-web targetPort: 443 protocol: TCP selector: @@ -34,16 +33,14 @@ spec: metadata: labels: app: helloworld - sidecar.istio.io/inject: "true" spec: containers: - name: helloworld -# image: nginx image: oriolfilter/https-nginx-demo resources: requests: cpu: "100m" - imagePullPolicy: IfNotPresent #Always + imagePullPolicy: IfNotPresent ports: - containerPort: 80 - containerPort: 443 diff --git a/Istio/02-Traffic_management/09-TCP-FORWARDING/gateway.yaml b/Istio/02-Traffic_management/09-TCP-FORWARDING/gateway.yaml new file mode 100755 index 0000000..036596c --- /dev/null +++ b/Istio/02-Traffic_management/09-TCP-FORWARDING/gateway.yaml 
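Review bot: The renamed Service ports `http-web` and `https-web` are now load-bearing for Istio, which picks a port's protocol from the name prefix: `http-` tells the mesh to parse 8080 as HTTP, while `https-` makes 8443 opaque TLS that the sidecar passes through instead of terminating. Because the Gateway in this patch forwards both ports as raw TCP, the difference only shows up at the sidecar, and nothing in the file records that the names were chosen for that reason rather than cosmetically. A comment above the first port, `# port-name prefixes (http-/https-) drive Istio protocol selection at the sidecar`, would keep the next rename from silently changing behavior. The Service definition starts before this hunk.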
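Review bot: `image: oriolfilter/https-nginx-demo` in the second hunk carries no tag or digest, so it resolves to `latest`, and together with `imagePullPolicy: IfNotPresent` each node keeps whichever `latest` it pulled first; the example can then behave differently per node and cannot be reproduced later. Pinning the reference, e.g. `image: oriolfilter/https-nginx-demo:<pinned-tag-or-digest>` (placeholder), fixes both. Dropping the `sidecar.istio.io/inject: "true"` pod label also means injection now depends solely on the namespace label; the `tcp` routes target `helloworld.default.svc.cluster.local`, so the Gateway presumably still reaches the pod without a sidecar, but mesh policy such as the `authentication.yaml` renamed in a later patch would then not be enforced at the pod. The Deployment definition starts before this hunk.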
@@ -0,0 +1,45 @@
+apiVersion: networking.istio.io/v1alpha3
+kind: Gateway
+metadata:
+ name: helloworld-gateway
+spec:
+ selector:
+ istio: ingressgateway
+ servers:
+ - port:
+ number: 80
+ name: tcp-1
+ protocol: TCP
+ hosts:
+ - "*"
+ - port:
+ number: 443
+ name: tcp-2
+ protocol: TCP
+ hosts:
+ - "*"
+---
+apiVersion: networking.istio.io/v1alpha3
+kind: VirtualService
+metadata:
+ name: helloworld-vs
+spec:
+ hosts:
+ - "*"
+ gateways:
+ - helloworld-gateway
+ tcp:
+ - match:
+ - port: 80
+ route:
+ - destination:
+ host: helloworld.default.svc.cluster.local
+ port:
+ number: 8080
+ - match:
+ - port: 443
+ route:
+ - destination:
+ host: helloworld.default.svc.cluster.local
+ port:
+ number: 8443
\ No newline at end of file
diff --git a/Istio/02-Traffic_management/??-TCP-FORWARDING-(WORKS)/gateway.yaml b/Istio/02-Traffic_management/??-TCP-FORWARDING-(WORKS)/gateway.yaml
deleted file mode 100755
index 17c1ada..0000000
--- a/Istio/02-Traffic_management/??-TCP-FORWARDING-(WORKS)/gateway.yaml
+++ /dev/null
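Review bot: The 443 server is declared `protocol: TCP`, so the gateway forwards whatever bytes arrive on that port to `helloworld:8443` with no way to restrict by server name, and the ingress cannot distinguish a TLS handshake from any other stream. Since the backend terminates TLS itself, the same end-to-end encryption is kept with `protocol: TLS`, `tls.mode: PASSTHROUGH` and a `tls` route matched on `sniHosts` in place of the port-443 `tcp` match, which lets the gateway refuse connections for unexpected names; the commented-out `tls:` route in the deleted `??-TCP-FORWARDING-(WORKS)/gateway.yaml` was heading that way. In the rewrite below the SNI value is a placeholder, and clients then have to send that name (curl `--resolve`, as the deleted README did) rather than `-k` against the bare IP. The `hosts: ["*"]` on both servers and the hardcoded `helloworld.default.svc.cluster.local` are fine for a demo but worth narrowing before reuse, and the file lacks a trailing newline (`\ No newline at end of file`).
```yaml
  - port:
      number: 443
      name: tls-passthrough
      protocol: TLS
    hosts:
      - "*"
    tls:
      mode: PASSTHROUGH
# … unchanged: VirtualService metadata, hosts, gateways and the port-80 tcp route …
  tls:
    - match:
        - port: 443
          sniHosts:
            - "<backend-sni-hostname>"  # placeholder: the CN/SAN the backend certificate presents
      route:
        - destination:
            host: helloworld.default.svc.cluster.local
            port:
              number: 8443
```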
@@ -1,83 +0,0 @@ -apiVersion: networking.istio.io/v1alpha3 -kind: Gateway -metadata: - name: helloworld-gateway -spec: - selector: - istio: ingressgateway - servers: -# - port: -# number: 443 -# name: secure-http2 -# protocol: HTTP2 -# hosts: -# - "*" - - port: - number: 80 - name: tcp-2 - protocol: TCP - hosts: - - "*" - - port: - number: 443 - name: tcp-i - protocol: TCP - hosts: - - "*" -# tls: -# credentialName: my-tls-cert-secret -# minProtocolVersion: TLSV1_2 - -# mode: PASSTHROUGH ---- -apiVersion: networking.istio.io/v1alpha3 -kind: VirtualService -metadata: - name: helloworld-vs -spec: - hosts: - - "*" - gateways: - - helloworld-gateway - http: - - match: - - port: 80 -# hosts: -# - "hello.si" - name: helloworld - route: - - destination: - host: helloworld - port: - number: 80 - tcp: - - match: - - port: 80 - route: - - destination: - host: helloworld - port: - number: 8080 - - match: - - port: 443 - route: - - destination: - host: helloworld - port: - number: 8443 -# -# tls: -# - match: -# - port: 443 -# sniHosts: -# - "hello.si" -## - uri: -## exact: /helloworld -# route: -# - destination: -# host: helloworld -# port: -# number: 8443 -## protocol: HTTPS -## rewrite: -## uri: "/" \ No newline at end of file -- 2.47.2 From 000992a3d11a99cae412ed3431057cbfca7359f0 Mon Sep 17 00:00:00 2001 From: savagebidoof Date: Tue, 25 Apr 2023 03:43:18 +0200 Subject: [PATCH 15/21] Replaced the classic get LB through listing svc and specifying the name, by using the istio label set in the gateway configuration. --- Istio/01-Simple/01-hello_world_1_service_1_deployment/README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Istio/01-Simple/01-hello_world_1_service_1_deployment/README.md b/Istio/01-Simple/01-hello_world_1_service_1_deployment/README.md index 794d4d1..f48a3ab 100755 --- a/Istio/01-Simple/01-hello_world_1_service_1_deployment/README.md +++ b/Istio/01-Simple/01-hello_world_1_service_1_deployment/README.md 
@@ -107,7 +107,7 @@ helloworld-nginx 1/1 1 1 44s ### Get LB IP ```shell -$ kubectl get svc istio-ingressgateway -n istio-system +$ kubectl get svc -l istio=ingressgateway -A NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE istio-ingressgateway LoadBalancer 10.97.47.216 192.168.1.50 15021:31316/TCP,80:32012/TCP,443:32486/TCP 39h ``` -- 2.47.2 From be18d7695b06cf008f179b288d43481c3dcd5819 Mon Sep 17 00:00:00 2001 
From: savagebidoof Date: Tue, 25 Apr 2023 03:54:12 +0200 Subject: [PATCH 16/21] Reorganized the files a bit while I am documenting them. --- .gitignore | 1 - .../README.md | 0 .../deployment.yaml | 0 .../gateway.yaml | 0 .../README.md | 2 +- .../deployment.yaml | 0 .../gateway.yaml | 0 .../11-TLS-PASSTHROUGH/README.md | 239 +++++++++++++ .../authentication.yaml | 0 .../bk_old_nonworking_gateway.yaml | 0 .../deployment.yaml | 0 .../gateway-02.yaml | 0 .../gateway.yaml | 0 .../ingress.yaml | 0 .../__XX-TLS-PASSTHROUGH/README.md | 325 ------------------ 15 files changed, 240 insertions(+), 327 deletions(-) rename Istio/02-Traffic_management/{XX-HTTPS-backend => 09-HTTPS-backend (pending document)}/README.md (100%) rename Istio/02-Traffic_management/{XX-HTTPS-backend => 09-HTTPS-backend (pending document)}/deployment.yaml (100%) rename Istio/02-Traffic_management/{XX-HTTPS-backend => 09-HTTPS-backend (pending document)}/gateway.yaml (100%) rename Istio/02-Traffic_management/{09-TCP-FORWARDING => 10-TCP-FORWARDING}/README.md (98%) rename Istio/02-Traffic_management/{09-TCP-FORWARDING => 10-TCP-FORWARDING}/deployment.yaml (100%) rename Istio/02-Traffic_management/{09-TCP-FORWARDING => 10-TCP-FORWARDING}/gateway.yaml (100%) create mode 100644 Istio/02-Traffic_management/11-TLS-PASSTHROUGH/README.md rename Istio/02-Traffic_management/{__XX-TLS-PASSTHROUGH => 11-TLS-PASSTHROUGH}/authentication.yaml (100%) rename Istio/02-Traffic_management/{__XX-TLS-PASSTHROUGH => 11-TLS-PASSTHROUGH}/bk_old_nonworking_gateway.yaml (100%) rename Istio/02-Traffic_management/{__XX-TLS-PASSTHROUGH => 11-TLS-PASSTHROUGH}/deployment.yaml (100%) rename Istio/02-Traffic_management/{__XX-TLS-PASSTHROUGH => 11-TLS-PASSTHROUGH}/gateway-02.yaml (100%) rename Istio/02-Traffic_management/{__XX-TLS-PASSTHROUGH => 11-TLS-PASSTHROUGH}/gateway.yaml (100%) rename Istio/02-Traffic_management/{__XX-TLS-PASSTHROUGH => 11-TLS-PASSTHROUGH}/ingress.yaml (100%) delete mode 100644 
Istio/02-Traffic_management/__XX-TLS-PASSTHROUGH/README.md diff --git a/.gitignore b/.gitignore index 9cef47e..85e7c1d 100644 --- a/.gitignore +++ b/.gitignore @@ -1,2 +1 @@ /.idea/ -/Istio/02-Traffic_management/XX-HTTPS-backend/ diff --git a/Istio/02-Traffic_management/XX-HTTPS-backend/README.md b/Istio/02-Traffic_management/09-HTTPS-backend (pending document)/README.md similarity index 100% rename from Istio/02-Traffic_management/XX-HTTPS-backend/README.md rename to Istio/02-Traffic_management/09-HTTPS-backend (pending document)/README.md diff --git a/Istio/02-Traffic_management/XX-HTTPS-backend/deployment.yaml b/Istio/02-Traffic_management/09-HTTPS-backend (pending document)/deployment.yaml similarity index 100% rename from Istio/02-Traffic_management/XX-HTTPS-backend/deployment.yaml rename to Istio/02-Traffic_management/09-HTTPS-backend (pending document)/deployment.yaml diff --git a/Istio/02-Traffic_management/XX-HTTPS-backend/gateway.yaml b/Istio/02-Traffic_management/09-HTTPS-backend (pending document)/gateway.yaml similarity index 100% rename from Istio/02-Traffic_management/XX-HTTPS-backend/gateway.yaml rename to Istio/02-Traffic_management/09-HTTPS-backend (pending document)/gateway.yaml diff --git a/Istio/02-Traffic_management/09-TCP-FORWARDING/README.md b/Istio/02-Traffic_management/10-TCP-FORWARDING/README.md similarity index 98% rename from Istio/02-Traffic_management/09-TCP-FORWARDING/README.md rename to Istio/02-Traffic_management/10-TCP-FORWARDING/README.md index f16da84..10fc093 100644 --- a/Istio/02-Traffic_management/09-TCP-FORWARDING/README.md +++ b/Istio/02-Traffic_management/10-TCP-FORWARDING/README.md 
@@ -9,7 +9,7 @@ include_toc: true # Description -The previous example was modified set TCP forwarding towards the backend. +The previous example was modified to set TCP forwarding towards the backend (HTTP and HTTPS backend). The backend contains an HTTPS service, which is used to demonstrate how the TCP forwarding is working as intended (aka doesn't disturb HTTP traffic). diff --git a/Istio/02-Traffic_management/09-TCP-FORWARDING/deployment.yaml b/Istio/02-Traffic_management/10-TCP-FORWARDING/deployment.yaml similarity index 100% rename from Istio/02-Traffic_management/09-TCP-FORWARDING/deployment.yaml rename to Istio/02-Traffic_management/10-TCP-FORWARDING/deployment.yaml diff --git a/Istio/02-Traffic_management/09-TCP-FORWARDING/gateway.yaml b/Istio/02-Traffic_management/10-TCP-FORWARDING/gateway.yaml similarity index 100% rename from Istio/02-Traffic_management/09-TCP-FORWARDING/gateway.yaml rename to Istio/02-Traffic_management/10-TCP-FORWARDING/gateway.yaml diff --git a/Istio/02-Traffic_management/11-TLS-PASSTHROUGH/README.md b/Istio/02-Traffic_management/11-TLS-PASSTHROUGH/README.md new file mode 100644 index 0000000..9a7e81b --- /dev/null +++ b/Istio/02-Traffic_management/11-TLS-PASSTHROUGH/README.md 
@@ -0,0 +1,239 @@ +--- +gitea: none +include_toc: true +--- + +# Based on + +- [10-TCP-FORWARDING](../10-TCP-FORWARDING) + +# Description + +The previous example was modified set TCP forwarding towards the backend. + +The backend contains an HTTPS service, which is used to demonstrate how the TCP forwarding is working as intended (aka doesn't disturb HTTP traffic). + +The same backend also contains the same service but running as HTTP, and for such has also been set in the gateway to display both working as intended. + +Additionally, the backend used, has HTTP2 enable, which also will be used to confirm that it's working as intended. + +> **Note:**\ +> For more information about the image used refer to [here](https://hub.docker.com/r/oriolfilter/https-apache-demo) + +# Configuration + +## Gateway + +Gateway been configured to listen both ports `80` and `443` through the TCP protocol, without any host specified. + +```yaml +apiVersion: networking.istio.io/v1alpha3 +kind: Gateway +metadata: + name: helloworld-gateway +spec: + selector: + istio: ingressgateway + servers: + - port: + number: 80 + name: tcp-1 + protocol: TCP + hosts: + - "*" + - port: + number: 443 + name: tcp-2 + protocol: TCP + hosts: + - "*" +``` + +## Virtual service + +Virtual service have 2 rules that perform the same behavior, on different ports. + +The rules will receive the traffic and forward it to the destination service and port. + +```yaml +apiVersion: networking.istio.io/v1alpha3 +kind: VirtualService +metadata: + name: helloworld-vs +spec: + hosts: + - "*" + gateways: + - helloworld-gateway + tcp: + - match: + - port: 80 + route: + - destination: + host: helloworld.default.svc.cluster.local + port: + number: 8080 + - match: + - port: 443 + route: + - destination: + host: helloworld.default.svc.cluster.local + port: + number: 8443 +``` + +## Service + +The service will forward the incoming TCP traffic with port 8080, to the deployment port 80. 
+The same behavior is applied for the service port 8443, that will be forwarded towards the port 443 from the deployment. + +```yaml +apiVersion: v1 +kind: Service +metadata: + name: helloworld + labels: + app: helloworld + service: helloworld +spec: + ports: + - port: 8080 + name: http-web + targetPort: 80 + protocol: TCP + - port: 8443 + name: https-web + targetPort: 443 + protocol: TCP + selector: + app: helloworld +``` + +## Deployment + +Deployment listens to port 80 and 443. + +> **Note:**\ +> For more information about the image used refer to [here](https://hub.docker.com/r/oriolfilter/https-apache-demo) + +```yaml +apiVersion: apps/v1 +kind: Deployment +metadata: + name: helloworld-nginx + labels: + app: helloworld +spec: + replicas: 1 + selector: + matchLabels: + app: helloworld + template: + metadata: + labels: + app: helloworld + spec: + containers: + - name: helloworld + image: oriolfilter/https-nginx-demo + resources: + requests: + cpu: "100m" + imagePullPolicy: IfNotPresent + ports: + - containerPort: 80 + - containerPort: 443 +``` + +# Walkthrough + +## Deploy resources + +```shell +kubectl apply -f ./ +``` +```text +service/helloworld created +deployment.apps/helloworld-nginx created +gateway.networking.istio.io/helloworld-gateway created +virtualservice.networking.istio.io/helloworld-vs created +``` + +## Test the service + +### Get LB IP + +```shell +$ kubectl get svc -l istio=ingressgateway -A +NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE +istio-ingressgateway LoadBalancer 10.97.47.216 192.168.1.50 15021:31316/TCP,80:32012/TCP,443:32486/TCP 39h +``` + +### curl HTTP + +```shell +curl http://192.168.1.50 -s -o=/dev/null -w 'http_version: %{http_version}\nstatus_code: %{response_code}\n' +``` +```text +http_version: 1.1 +status_code: 426 +``` + +#### curl HTTPS + +This already confirms that `HTTP2` is working as intended. 
+ +```shell +curl https://192.168.1.50 -ks -o=/dev/null -w 'http_version: %{http_version}\nstatus_code: %{response_code}\n' --http1.1 +``` +```text +http_version: 2 +status_code: 200 +``` + +#### Curl HTTP2 + +The previous example already displayed that `HTTP2` is working as intended. + +This example is maintained due being explicitly to confirm the `HTTP2` feature. + +```shell +curl https://192.168.1.50 -w 'http_version: %{http_version}\nstatus_code: %{response_code}\n' --http2 -sk -o=/dev/null +``` +```text +http_version: 2 +status_code: 200 +``` + +#### Curl HTTP1.1 + +We can confirm that `HTTP1.1` also works over `TCP forwarding`. + +```shell +curl https://192.168.1.50 -w 'http_version: %{http_version}\nstatus_code: %{response_code}\n' --http1.1 -sk -o=/dev/null +``` +```text +http_version: 1.1 +status_code: 200 +``` + +## Cleanup + +```shell +kubectl delete -f ./ +``` + +```text +service "helloworld" deleted +deployment.apps "helloworld-nginx" deleted +gateway.networking.istio.io "helloworld-gateway" deleted +virtualservice.networking.istio.io "helloworld-vs" deleted +``` + +# Links of Interest + +- https://istio.io/latest/docs/reference/config/networking/gateway/#ServerTLSSettings-TLSProtocol + +- https://stackoverflow.com/a/51279606 + +- https://istio.io/latest/docs/reference/config/networking/destination-rule/#ConnectionPoolSettings-HTTPSettings-H2UpgradePolicy diff --git a/Istio/02-Traffic_management/__XX-TLS-PASSTHROUGH/authentication.yaml b/Istio/02-Traffic_management/11-TLS-PASSTHROUGH/authentication.yaml similarity index 100% rename from Istio/02-Traffic_management/__XX-TLS-PASSTHROUGH/authentication.yaml rename to Istio/02-Traffic_management/11-TLS-PASSTHROUGH/authentication.yaml 
diff --git a/Istio/02-Traffic_management/__XX-TLS-PASSTHROUGH/bk_old_nonworking_gateway.yaml b/Istio/02-Traffic_management/11-TLS-PASSTHROUGH/bk_old_nonworking_gateway.yaml similarity index 100% rename from Istio/02-Traffic_management/__XX-TLS-PASSTHROUGH/bk_old_nonworking_gateway.yaml rename to Istio/02-Traffic_management/11-TLS-PASSTHROUGH/bk_old_nonworking_gateway.yaml diff --git a/Istio/02-Traffic_management/__XX-TLS-PASSTHROUGH/deployment.yaml b/Istio/02-Traffic_management/11-TLS-PASSTHROUGH/deployment.yaml similarity index 100% rename from Istio/02-Traffic_management/__XX-TLS-PASSTHROUGH/deployment.yaml rename to Istio/02-Traffic_management/11-TLS-PASSTHROUGH/deployment.yaml diff --git a/Istio/02-Traffic_management/__XX-TLS-PASSTHROUGH/gateway-02.yaml b/Istio/02-Traffic_management/11-TLS-PASSTHROUGH/gateway-02.yaml similarity index 100% rename from Istio/02-Traffic_management/__XX-TLS-PASSTHROUGH/gateway-02.yaml rename to Istio/02-Traffic_management/11-TLS-PASSTHROUGH/gateway-02.yaml diff --git a/Istio/02-Traffic_management/__XX-TLS-PASSTHROUGH/gateway.yaml b/Istio/02-Traffic_management/11-TLS-PASSTHROUGH/gateway.yaml similarity index 100% rename from Istio/02-Traffic_management/__XX-TLS-PASSTHROUGH/gateway.yaml rename to Istio/02-Traffic_management/11-TLS-PASSTHROUGH/gateway.yaml diff --git a/Istio/02-Traffic_management/__XX-TLS-PASSTHROUGH/ingress.yaml b/Istio/02-Traffic_management/11-TLS-PASSTHROUGH/ingress.yaml similarity index 100% rename from Istio/02-Traffic_management/__XX-TLS-PASSTHROUGH/ingress.yaml rename to Istio/02-Traffic_management/11-TLS-PASSTHROUGH/ingress.yaml diff --git a/Istio/02-Traffic_management/__XX-TLS-PASSTHROUGH/README.md b/Istio/02-Traffic_management/__XX-TLS-PASSTHROUGH/README.md deleted file mode 100644 index 611f8be..0000000 --- a/Istio/02-Traffic_management/__XX-TLS-PASSTHROUGH/README.md +++ /dev/null 
@@ -1,325 +0,0 @@ ---- -gitea: none -include_toc: true ---- - -# Based on - -- [08a-HTTPS-min-TLS-version](../08a-HTTPS-min-TLS-version) - -# Description - -The previous example was modified set the gateway to enable for HTTP2 traffic. - -https://stackoverflow.com/a/59610581 - - -# Changelog - -## Gateway - -```yaml -apiVersion: networking.istio.io/v1alpha3 -kind: Gateway -metadata: - name: helloworld-gateway -spec: - selector: - istio: ingressgateway - servers: - - port: - number: 443 - name: secure-http2 - protocol: HTTP2 - hosts: - - "*" - tls: - mode: SIMPLE - credentialName: my-tls-cert-secret - minProtocolVersion: TLSV1_2 -``` - -`` - -# Walkthrough - - -## Generate client and server certificate and key files - -First step will be to generate the certificate and key files to be able to set them to the Gateway resource. - -### Create a folder to store files. - -Create the folder to contain the files that will be generated. - -```shell -mkdir certfolder -``` - -### Create a certificate and a private key. - -```shell -openssl req -x509 -sha256 -nodes -days 365 -subj '/O=Internet of things/CN=lb.net' -newkey rsa:2048 -keyout certfolder/istio.cert.key -out certfolder/istio.cert.crt -``` - -The files generated are the following: - -```yaml -private-key: certfolder/istio.cert.key -root-certificate: certfolder/istio.cert.crt -``` - -The information set to the certificate generated is the following: - -```yaml -Organization-name: Internet of things -CN: lb.net -``` - -### Create a TLS secret - -At this step we create the tls secret `my-tls-cert-secret` on the namespace `istio-system`. 
- -```shell -kubectl create -n istio-system secret tls my-tls-cert-secret \ - --key=certfolder/istio.cert.key \ - --cert=certfolder/istio.cert.crt -``` -```text -secret/my-tls-cert-secret created -``` -```text -service/helloworld created -deployment.apps/helloworld-nginx created -gateway.networking.istio.io/helloworld-gateway created -virtualservice.networking.istio.io/helloworld-vs created -``` - -> **Note:**\ -> It's Important that the secret is located in the same namespace as the Load Balancer used. In my case is the `istio-system`, but it will vary based on the environment. - - -## Deploy resources - -```shell -kubectl apply -f ./ -``` -```text -service/helloworld created -deployment.apps/helloworld-nginx created -gateway.networking.istio.io/helloworld-gateway created -virtualservice.networking.istio.io/helloworld-vs created -``` - -## Test the service -### http2 -#### Curl HTTP1 - -```shell -curl 192.168.1.50/helloworld -s -o=/dev/null -w 'http_version: %{http_version}\nstatus_code: %{response_code}\n' -HHOST:http2.lb --http1.0 -``` -```text -http_version: 1.1 -status_code: 426 -``` - -#### Curl HTTP1.1 - -```shell -curl 192.168.1.50/helloworld -s -o=/dev/null -w 'http_version: %{http_version}\nstatus_code: %{response_code}\n' -HHOST:http2.lb --http1.1 -``` -```text -http_version: 1.1 -status_code: 200 -``` - -#### Curl HTTP2 - -```shell -curl 192.168.1.50/helloworld -s -o=/dev/null -w 'http_version: %{http_version}\nstatus_code: %{response_code}\n' -HHOST:http2.lb --http2 -``` -```text -http_version: 1.1 -status_code: 200 -``` - -### http1-web - -#### Curl HTTP1 - -```shell -curl 192.168.1.50/helloworld -s -o=/dev/null -w 'http_version: %{http_version}\nstatus_code: %{response_code}\n' -HHOST:http1.lb --http1.0 -``` -```text -http_version: 1.1 -status_code: 426 -``` - -#### Curl HTTP1.1 - -```shell -curl 192.168.1.50/helloworld -s -o=/dev/null -w 'http_version: %{http_version}\nstatus_code: %{response_code}\n' -HHOST:http1.lb --http1.1 -``` -```text 
-http_version: 1.1 -status_code: 200 -``` - -#### Curl HTTP2 - -```shell -curl 192.168.1.50/helloworld -s -o=/dev/null -w 'http_version: %{http_version}\nstatus_code: %{response_code}\n' -HHOST:http1.lb --http2 -``` -```text -http_version: 1.1 -status_code: 200 -``` - -## Cleanup - -```shell -kubectl delete -f ./ -``` - -```text -service "helloworld" deleted -deployment.apps "helloworld-nginx" deleted -gateway.networking.istio.io "helloworld-gateway" deleted -virtualservice.networking.istio.io "helloworld-vs" deleted -``` - -# Links of Interest - -- https://istio.io/latest/docs/reference/config/networking/gateway/#ServerTLSSettings-TLSProtocol - -- https://stackoverflow.com/a/51279606 - -- https://istio.io/latest/docs/reference/config/networking/destination-rule/#ConnectionPoolSettings-HTTPSettings-H2UpgradePolicy - - - -docker buildx build --push --platform linux/arm/v7,linux/arm64/v8,linux/amd64 --tag registery.filter.home:5000/https-demo:latest -f Dockerfile - - -docker buildx build --push --platform linux/arm/v7,linux/arm64/v8,linux/amd64 --tag registery.filter.home:5000/https-demo:latest . -[+] Building 0.0s (0/0) -ERROR: multiple platforms feature is currently not supported for docker driver. Please switch to a different driver (eg. "docker buildx create --use") - ---- -## Create the Dockerfile - -```bash -FROM ubuntu/apache2 - -RUN apt-get update && \ -apt-get install apache2 openssl -y && \ -a2ensite default-ssl && \ -a2enmod ssl && \ -echo "

Howdy

" | tee /var/www/html/index.html - -RUN /usr/bin/printf "\n\ - ServerAdmin webmaster@localhost\n\ - DocumentRoot /var/www/html\n\ - ErrorLog \${APACHE_LOG_DIR}/error.log\n\ - CustomLog \${APACHE_LOG_DIR}/access.log combined\n\ -\n\ -\n\ - ServerAdmin webmaster@localhost\n\ - DocumentRoot /var/www/html\n\ - ErrorLog \${APACHE_LOG_DIR}/error.log\n\ - CustomLog \${APACHE_LOG_DIR}/access.log combined\n\ - SSLEngine on\n\ - SSLCertificateFile /etc/ssl/certs/ssl-cert-snakeoil.pem\n\ - SSLCertificateKeyFile /etc/ssl/private/ssl-cert-snakeoil.key\n\ -" > /etc/apache2/sites-available/000-default.conf - -RUN openssl req -x509 -sha256 -nodes -days 358000 -subj '/O=SSL EXAMPLE/CN=lb.net' -newkey rsa:2048 -keyout /etc/ssl/private/ssl-cert-snakeoil.key -out /etc/ssl/certs/ssl-cert-snakeoil.pem -``` - -## Build the image - -Due to my Kubernetes cluster environment, where I am using Orange 5, their architecture is arm7, and for such, I require to compile such images. - -For my own commodity, I have used a raspberry pi 4 to build this images. - -The images where pushed to a local registry server, and afterwards the Kubernetes cluster will pull such image. - -```shell - docker build --tag https-demo:armv7 . -``` -```text -docker build --tag https-demo:armv7 . 
--no-cache -[+] Building 16.5s (8/8) FINISHED - => [internal] load .dockerignore 0.0s - => => transferring context: 2B 0.0s - => [internal] load build definition from Dockerfile 0.0s - => => transferring dockerfile: 1.09kB 0.0s - => [internal] load metadata for docker.io/ubuntu/apache2:latest 0.4s - => CACHED [1/4] FROM docker.io/ubuntu/apache2@sha256:0a5e7179fa8fccf17843a8862e58ac783628b7d448cd68fda8fb1e 0.0s - => [2/4] RUN apt-get update && apt-get install apache2 openssl -y && a2ensite default-ssl && a2enmod ssl & 12.0s - => [3/4] RUN /usr/bin/printf "\n ServerAdmin webmaster@localhost\n DocumentRoot /var/www/ 0.7s - => [4/4] RUN openssl req -x509 -sha256 -nodes -days 358000 -subj '/O=SSL EXAMPLE' -newkey rsa:2048 -keyout 2.4s - => exporting to image 1.0s - => => exporting layers 1.0s - => => writing image sha256:591c6d233100a48bf132eef7a792942cfd0b7057817c4ac5e156c1d33e24cd89 0.0s - => => naming to docker.io/library/https-demo:armv7 0.0s -``` - -## Tag the image - -```shell -docker image tag https-demo:armv7 registery.filter.home/https-demo:armv7 -``` - -## Upload to the registery server - -```text -docker image push registery.filter.home:5000/https-demo:armv7 -The push refers to repository [registery.filter.home:5000/https-demo] -c6d858706b08: Pushed -9e077e0202f0: Pushed -6ffc708d0cf3: Pushed -69e01b4bf4d7: Pushed -17c5b30f3843: Pushed -0b9f60fbcaf1: Pushed -armv7: digest: sha256:d8c81c27f23bf3945ae8a794c82182f9e6c48ec927f388fdf4a88caa0e284bd1 size: 1578 -``` - - - -## ? -curl: (35) OpenSSL/3.0.8: error:0A00010B:SSL routines::wrong version numbe - - - - - ---- - - -Has apache2 installed with a default certificate. - -Port 80 visible for HTTP - -Port 443 visible for HTTPS. 
- - - - -curl https://192.168.1.2:8443 -s -o=/dev/null -w 'http_version: %{http_version}\nstatus_code: %{response_code}\n' -HHOST:http1.lb --http2 -k -http_version: 2 -status_code: 200 - -# Recv failure: Connection reset by peer - -```shell -kubectl apply -f ./ -``` - -```shell -curl --insecure --resolve lb.net:80:192.168.1.50 http://lb.net -``` - -```shell -curl --insecure --resolve lb.net:443:192.168.1.50 https://lb.net -``` -- 2.47.2 From 2b7f83c2089bdda80af01a233a4490f1f63d5754 Mon Sep 17 00:00:00 2001 
From: savagebidoof Date: Tue, 25 Apr 2023 05:46:03 +0200 Subject: [PATCH 17/21] TLS Passthrough documented. This commit has other files, I guess I made some minor modifications and nothing relevant so far, so everything was committed. --- .../README.md | 120 ------- .../10-TCP-FORWARDING/README.md | 10 +- .../11-TLS-PASSTHROUGH/README.md | 131 ++++---- .../bk_old_nonworking_gateway.yaml | 113 ------- .../11-TLS-PASSTHROUGH/deployment.yaml | 73 ++-- .../11-TLS-PASSTHROUGH/gateway-02.yaml | 36 -- .../11-TLS-PASSTHROUGH/gateway.yaml | 58 +--- .../README.md | 0 .../authentication.yaml | 0 .../deployment.yaml | 0 .../gateway.yaml | 0 .../ingress.yaml | 0 .../ingress.yaml | 29 -- .../README.md | 313 ------------------ .../authentication.yaml | 11 - .../bk_old_nonworking_gateway.yaml | 117 ------- .../deployment.yaml | 74 ----- .../gateway-02.yaml | 36 -- .../gateway.yaml | 85 ----- .../ingress.yaml | 29 -- .../03-disable-mTLS}/authentication.yaml | 3 - 21 files changed, 97 insertions(+), 1141 deletions(-) delete mode 100755 Istio/02-Traffic_management/11-TLS-PASSTHROUGH/bk_old_nonworking_gateway.yaml delete mode 100755 Istio/02-Traffic_management/11-TLS-PASSTHROUGH/gateway-02.yaml rename Istio/02-Traffic_management/{XX-HTTP2-gateway-made-it-work => XX-HTTP2-gateway-made-it-work-maybe}/README.md (100%) rename Istio/02-Traffic_management/{XX-HTTP2-gateway-made-it-work => XX-HTTP2-gateway-made-it-work-maybe}/authentication.yaml (100%) rename Istio/02-Traffic_management/{XX-HTTP2-gateway-made-it-work => XX-HTTP2-gateway-made-it-work-maybe}/deployment.yaml (100%) rename Istio/02-Traffic_management/{XX-HTTP2-gateway-made-it-work => XX-HTTP2-gateway-made-it-work-maybe}/gateway.yaml (100%) rename Istio/02-Traffic_management/{11-TLS-PASSTHROUGH => XX-HTTP2-gateway-made-it-work-maybe}/ingress.yaml (100%) delete mode 100644 Istio/02-Traffic_management/XX-HTTP2-gateway-made-it-work/ingress.yaml delete mode 100644 
Istio/02-Traffic_management/__XX-TLS-PASSTHROUGH_BK_pcap_see_encrypted_traffic/README.md delete mode 100644 Istio/02-Traffic_management/__XX-TLS-PASSTHROUGH_BK_pcap_see_encrypted_traffic/authentication.yaml delete mode 100755 Istio/02-Traffic_management/__XX-TLS-PASSTHROUGH_BK_pcap_see_encrypted_traffic/bk_old_nonworking_gateway.yaml delete mode 100755 Istio/02-Traffic_management/__XX-TLS-PASSTHROUGH_BK_pcap_see_encrypted_traffic/deployment.yaml delete mode 100755 Istio/02-Traffic_management/__XX-TLS-PASSTHROUGH_BK_pcap_see_encrypted_traffic/gateway-02.yaml delete mode 100755 Istio/02-Traffic_management/__XX-TLS-PASSTHROUGH_BK_pcap_see_encrypted_traffic/gateway.yaml delete mode 100644 Istio/02-Traffic_management/__XX-TLS-PASSTHROUGH_BK_pcap_see_encrypted_traffic/ingress.yaml rename Istio/{02-Traffic_management/11-TLS-PASSTHROUGH => 06-Internal-Authentication/03-disable-mTLS}/authentication.yaml (50%) diff --git a/Istio/02-Traffic_management/09-HTTPS-backend (pending document)/README.md b/Istio/02-Traffic_management/09-HTTPS-backend (pending document)/README.md index ad5fd8a..3b9d38e 100644 --- a/Istio/02-Traffic_management/09-HTTPS-backend (pending document)/README.md +++ b/Istio/02-Traffic_management/09-HTTPS-backend (pending document)/README.md 
@@ -189,123 +189,3 @@ virtualservice.networking.istio.io "helloworld-vs" deleted ``` # Links of Interest - -- https://istio.io/latest/docs/reference/config/networking/gateway/#ServerTLSSettings-TLSProtocol - -- https://stackoverflow.com/a/51279606 - -- https://istio.io/latest/docs/reference/config/networking/destination-rule/#ConnectionPoolSettings-HTTPSettings-H2UpgradePolicy - - - -docker buildx build --push --platform linux/arm/v7,linux/arm64/v8,linux/amd64 --tag registery.filter.home:5000/https-demo:latest -f Dockerfile - - -docker buildx build --push --platform linux/arm/v7,linux/arm64/v8,linux/amd64 --tag registery.filter.home:5000/https-demo:latest . -[+] Building 0.0s (0/0) -ERROR: multiple platforms feature is currently not supported for docker driver. Please switch to a different driver (eg. "docker buildx create --use") - ---- -## Create the Dockerfile - -```bash -FROM ubuntu/apache2 - -RUN apt-get update && \ -apt-get install apache2 openssl -y && \ -a2ensite default-ssl && \ -a2enmod ssl && \ -echo "

Howdy

" | tee /var/www/html/index.html - -RUN /usr/bin/printf "\n\ - ServerAdmin webmaster@localhost\n\ - DocumentRoot /var/www/html\n\ - ErrorLog \${APACHE_LOG_DIR}/error.log\n\ - CustomLog \${APACHE_LOG_DIR}/access.log combined\n\ -\n\ -\n\ - ServerAdmin webmaster@localhost\n\ - DocumentRoot /var/www/html\n\ - ErrorLog \${APACHE_LOG_DIR}/error.log\n\ - CustomLog \${APACHE_LOG_DIR}/access.log combined\n\ - SSLEngine on\n\ - SSLCertificateFile /etc/ssl/certs/ssl-cert-snakeoil.pem\n\ - SSLCertificateKeyFile /etc/ssl/private/ssl-cert-snakeoil.key\n\ -" > /etc/apache2/sites-available/000-default.conf - -RUN openssl req -x509 -sha256 -nodes -days 358000 -subj '/O=SSL EXAMPLE/CN=lb.net' -newkey rsa:2048 -keyout /etc/ssl/private/ssl-cert-snakeoil.key -out /etc/ssl/certs/ssl-cert-snakeoil.pem -``` - -## Build the image - -Due to my Kubernetes cluster environment, where I am using Orange 5, their architecture is arm7, and for such, I require to compile such images. - -For my own commodity, I have used a raspberry pi 4 to build this images. - -The images where pushed to a local registry server, and afterwards the Kubernetes cluster will pull such image. - -```shell - docker build --tag https-demo:armv7 . -``` -```text -docker build --tag https-demo:armv7 . 
--no-cache -[+] Building 16.5s (8/8) FINISHED - => [internal] load .dockerignore 0.0s - => => transferring context: 2B 0.0s - => [internal] load build definition from Dockerfile 0.0s - => => transferring dockerfile: 1.09kB 0.0s - => [internal] load metadata for docker.io/ubuntu/apache2:latest 0.4s - => CACHED [1/4] FROM docker.io/ubuntu/apache2@sha256:0a5e7179fa8fccf17843a8862e58ac783628b7d448cd68fda8fb1e 0.0s - => [2/4] RUN apt-get update && apt-get install apache2 openssl -y && a2ensite default-ssl && a2enmod ssl & 12.0s - => [3/4] RUN /usr/bin/printf "\n ServerAdmin webmaster@localhost\n DocumentRoot /var/www/ 0.7s - => [4/4] RUN openssl req -x509 -sha256 -nodes -days 358000 -subj '/O=SSL EXAMPLE' -newkey rsa:2048 -keyout 2.4s - => exporting to image 1.0s - => => exporting layers 1.0s - => => writing image sha256:591c6d233100a48bf132eef7a792942cfd0b7057817c4ac5e156c1d33e24cd89 0.0s - => => naming to docker.io/library/https-demo:armv7 0.0s -``` - -## Tag the image - -```shell -docker image tag https-demo:armv7 registery.filter.home/https-demo:armv7 -``` - -## Upload to the registery server - -```text -docker image push registery.filter.home:5000/https-demo:armv7 -The push refers to repository [registery.filter.home:5000/https-demo] -c6d858706b08: Pushed -9e077e0202f0: Pushed -6ffc708d0cf3: Pushed -69e01b4bf4d7: Pushed -17c5b30f3843: Pushed -0b9f60fbcaf1: Pushed -armv7: digest: sha256:d8c81c27f23bf3945ae8a794c82182f9e6c48ec927f388fdf4a88caa0e284bd1 size: 1578 -``` - - - -## ? -curl: (35) OpenSSL/3.0.8: error:0A00010B:SSL routines::wrong version numbe - - - - - ---- - - -Has apache2 installed with a default certificate. - -Port 80 visible for HTTP - -Port 443 visible for HTTPS. - - - - -curl https://192.168.1.2:8443 -s -o=/dev/null -w 'http_version: %{http_version}\nstatus_code: %{response_code}\n' -HHOST:http1.lb --http2 -k -http_version: 2 -status_code: 200 \ No newline at end of file 
diff --git a/Istio/02-Traffic_management/10-TCP-FORWARDING/README.md b/Istio/02-Traffic_management/10-TCP-FORWARDING/README.md index 10fc093..f9a4a51 100644 --- a/Istio/02-Traffic_management/10-TCP-FORWARDING/README.md +++ b/Istio/02-Traffic_management/10-TCP-FORWARDING/README.md @@ -164,7 +164,9 @@ virtualservice.networking.istio.io/helloworld-vs created ### Get LB IP ```shell -$ kubectl get svc -l istio=ingressgateway -A +kubectl get svc -l istio=ingressgateway -A +``` +```text NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE istio-ingressgateway LoadBalancer 10.97.47.216 192.168.1.50 15021:31316/TCP,80:32012/TCP,443:32486/TCP 39h ``` @@ -232,8 +234,4 @@ virtualservice.networking.istio.io "helloworld-vs" deleted # Links of Interest -- https://istio.io/latest/docs/reference/config/networking/gateway/#ServerTLSSettings-TLSProtocol - -- https://stackoverflow.com/a/51279606 - -- https://istio.io/latest/docs/reference/config/networking/destination-rule/#ConnectionPoolSettings-HTTPSettings-H2UpgradePolicy +- https://istio.io/latest/docs/reference/config/networking/gateway/#Gateway diff --git a/Istio/02-Traffic_management/11-TLS-PASSTHROUGH/README.md b/Istio/02-Traffic_management/11-TLS-PASSTHROUGH/README.md index 9a7e81b..716777a 100644 --- a/Istio/02-Traffic_management/11-TLS-PASSTHROUGH/README.md +++ b/Istio/02-Traffic_management/11-TLS-PASSTHROUGH/README.md 
@@ -9,13 +9,9 @@ include_toc: true # Description -The previous example was modified set TCP forwarding towards the backend. +The previous example was modified set TLS Forwarding for the HTTPS, meaning that the TLS will be terminated by the backend containing a service capable of such. -The backend contains an HTTPS service, which is used to demonstrate how the TCP forwarding is working as intended (aka doesn't disturb HTTP traffic). - -The same backend also contains the same service but running as HTTP, and for such has also been set in the gateway to display both working as intended. - -Additionally, the backend used, has HTTP2 enable, which also will be used to confirm that it's working as intended. +This requires a deployment with a service HTTPS (as it will need to handle the TLS termination ...). > **Note:**\ > For more information about the image used refer to [here](https://hub.docker.com/r/oriolfilter/https-apache-demo) 
@@ -24,68 +20,65 @@ Additionally, the backend used, has HTTP2 enable, which also will be used to con ## Gateway -Gateway been configured to listen both ports `80` and `443` through the TCP protocol, without any host specified. +Gateway configured to listen the port `443` for `HTTPS` traffic protocol. + +The tls was configured as `PASSTHROUGH` ```yaml apiVersion: networking.istio.io/v1alpha3 kind: Gateway metadata: name: helloworld-gateway + namespace: default spec: selector: istio: ingressgateway servers: - - port: - number: 80 - name: tcp-1 - protocol: TCP - hosts: - - "*" - port: number: 443 - name: tcp-2 - protocol: TCP + name: https-web + protocol: HTTPS hosts: - "*" + tls: + mode: PASSTHROUGH ``` ## Virtual service -Virtual service have 2 rules that perform the same behavior, on different ports. +Virtual service expected to receive traffic with designation, the host `lb.net`. -The rules will receive the traffic and forward it to the destination service and port. +The rule that contains, will receive traffic from the port `443`, with host destination `lb.net`. + +The destination of such is the service `helloworld.default.svc.cluster.local`, with port destination 8443. ```yaml apiVersion: networking.istio.io/v1alpha3 kind: VirtualService metadata: name: helloworld-vs + namespace: default spec: hosts: - - "*" + - "lb.net" gateways: - helloworld-gateway - tcp: + tls: - match: - - port: 80 + - port: 443 + sniHosts: ["lb.net"] route: - destination: host: helloworld.default.svc.cluster.local - port: - number: 8080 - - match: - - port: 443 - route: - - destination: - host: helloworld.default.svc.cluster.local port: number: 8443 ``` ## Service -The service will forward the incoming TCP traffic with port 8080, to the deployment port 80. -The same behavior is applied for the service port 8443, that will be forwarded towards the port 443 from the deployment. +The service will forward incoming TCP traffic from the port `8443`, towards the deployment port `443`. 
+ +It's been specified the protocol expected to service, it being `HTTPS`. ```yaml apiVersion: v1 @@ -97,14 +90,11 @@ metadata: service: helloworld spec: ports: - - port: 8080 - name: http-web - targetPort: 80 - protocol: TCP - - port: 8443 - name: https-web + - name: https + port: 8443 targetPort: 443 protocol: TCP + appProtocol: HTTPS selector: app: helloworld ``` @@ -164,57 +154,50 @@ virtualservice.networking.istio.io/helloworld-vs created ### Get LB IP ```shell -$ kubectl get svc -l istio=ingressgateway -A +kubectl get svc -l istio=ingressgateway -A +``` +```text NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE istio-ingressgateway LoadBalancer 10.97.47.216 192.168.1.50 15021:31316/TCP,80:32012/TCP,443:32486/TCP 39h ``` +### curl HTTPS -### curl HTTP +Well, it just works. + +The `--resolve` flag it's used to "fake" the traffic to match the filters we specified in the `Virtual Service`, specifically the `host` and `hostSNI` fields. ```shell -curl http://192.168.1.50 -s -o=/dev/null -w 'http_version: %{http_version}\nstatus_code: %{response_code}\n' +curl --insecure --resolve lb.net:443:192.168.1.50 https://lb.net ``` ```text -http_version: 1.1 -status_code: 426 +

Howdy

``` -#### curl HTTPS +### curl HTTPS (HEAD) -This already confirms that `HTTP2` is working as intended. +Here we can spot the following sentence: + +- `server: nginx/1.23.4` + +This means that the TLS was handled by Nginx (verifying that the `TLS Passthrough` was performed correctly). + +If it had been managed by Istio, it would say: + +- `server: istio-envoy` ```shell -curl https://192.168.1.50 -ks -o=/dev/null -w 'http_version: %{http_version}\nstatus_code: %{response_code}\n' --http1.1 +curl --insecure --resolve lb.net:443:192.168.1.50 https://lb.net --HEAD ``` ```text -http_version: 2 -status_code: 200 -``` - -#### Curl HTTP2 - -The previous example already displayed that `HTTP2` is working as intended. - -This example is maintained due being explicitly to confirm the `HTTP2` feature. - -```shell -curl https://192.168.1.50 -w 'http_version: %{http_version}\nstatus_code: %{response_code}\n' --http2 -sk -o=/dev/null -``` -```text -http_version: 2 -status_code: 200 -``` - -#### Curl HTTP1.1 - -We can confirm that `HTTP1.1` also works over `TCP forwarding`. - -```shell -curl https://192.168.1.50 -w 'http_version: %{http_version}\nstatus_code: %{response_code}\n' --http1.1 -sk -o=/dev/null -``` -```text -http_version: 1.1 -status_code: 200 +HTTP/2 200 +server: nginx/1.23.4 +date: Tue, 25 Apr 2023 02:49:33 GMT +content-type: text/html +content-length: 15 +last-modified: Tue, 25 Apr 2023 00:47:17 GMT +etag: "64472315-f" +strict-transport-security: max-age=7200 +accept-ranges: bytes ``` ## Cleanup 
@@ -232,8 +215,6 @@ virtualservice.networking.istio.io "helloworld-vs" deleted # Links of Interest -- https://istio.io/latest/docs/reference/config/networking/gateway/#ServerTLSSettings-TLSProtocol +- https://istio.io/latest/docs/reference/config/networking/gateway/#Gateway -- https://stackoverflow.com/a/51279606 - -- https://istio.io/latest/docs/reference/config/networking/destination-rule/#ConnectionPoolSettings-HTTPSettings-H2UpgradePolicy +- https://istio.io/latest/docs/reference/config/networking/gateway/#ServerTLSSettings-TLSmode \ No newline at end of file diff --git a/Istio/02-Traffic_management/11-TLS-PASSTHROUGH/bk_old_nonworking_gateway.yaml b/Istio/02-Traffic_management/11-TLS-PASSTHROUGH/bk_old_nonworking_gateway.yaml deleted file mode 100755 index 4305bf6..0000000 --- a/Istio/02-Traffic_management/11-TLS-PASSTHROUGH/bk_old_nonworking_gateway.yaml +++ /dev/null 
@@ -1,113 +0,0 @@ -#apiVersion: networking.istio.io/v1alpha3 -#kind: Gateway -#metadata: -# name: helloworld-gateway -#spec: -# selector: -## istio: myingressgateway -# istio: ingressgateway -# servers: -# - hosts: -# ["lb.net","*.lb.net"] -# port: -# name: tls-443 -# number: 443 -# protocol: HTTPS -# tls: -# mode: SIMPLE -# credentialName: my-tls-cert-secret -# minProtocolVersion: TLSV1_2 -#--- -#apiVersion: networking.istio.io/v1alpha3 -#kind: VirtualService -#metadata: -# name: helloworld-vs -#spec: -# hosts: -# - "*" -# gateways: -# - helloworld-gateway -# http: -## - name: http-vs -## match: -## - port: 80 -## route: -## - destination: -## host: helloworld.default.svc.cluster.local -## port: -## number: 8080 -# - name: https-vs -# match: -# - port: 443 -# route: -# - destination: -# host: helloworld.default.svc.cluster.local -# port: -# number: 443 -## -## tls: -## - match: -## - port: 443 -## sniHosts: ["lb.net"] -## route: -## - destination: -## host: helloworld.default.svc.cluster.local -## port: -## number: 443 -##--- -##apiVersion: networking.istio.io/v1alpha3 -##kind: DestinationRule -##metadata: -## name: helloworld -## namespace: default -##spec: -## host: helloworld.default.svc.cluster.local -## trafficPolicy: -## portLevelSettings: -## - port: -## number: 8080 -## tls: -## mode: DISABLE -## - port: -## number: 8443 -## tls: -## credentialName: client-credential -## mode: SIMPLE -## port: -## name: https-backend -## number: 8443 -## protocol: HTTPS -## tls: -## credentialName: my-tls-cert-secret -## mode: SIMPLE -## tcp: -### - match: -### - port: 80 -### route: -### - destination: -### host: helloworld -### port: -### number: 8080 -### - match: -### - port: 443 -## - route: -## - destination: -## host: helloworld -## port: -## number: 8443 -## -## tls: -## - match: -## - port: 443 -## sniHosts: -## - "hello.si" -### - uri: -### exact: /helloworld -## route: -## - destination: -## host: helloworld -## port: -## number: 8443 -### protocol: HTTPS -### 
rewrite: -### uri: "/" \ No newline at end of file diff --git a/Istio/02-Traffic_management/11-TLS-PASSTHROUGH/deployment.yaml b/Istio/02-Traffic_management/11-TLS-PASSTHROUGH/deployment.yaml index 3f9ad6c..f94f650 100755 --- a/Istio/02-Traffic_management/11-TLS-PASSTHROUGH/deployment.yaml +++ b/Istio/02-Traffic_management/11-TLS-PASSTHROUGH/deployment.yaml @@ -7,17 +7,11 @@ metadata: service: helloworld spec: ports: - - port: 8080 - name: http-s - targetPort: 80 - protocol: TCP - appProtocol: HTTP - - - port: 8443 - name: https + - name: https + port: 8443 targetPort: 443 protocol: TCP - appProtocol: https + appProtocol: HTTPS selector: app: helloworld --- @@ -36,7 +30,6 @@ spec: metadata: labels: app: helloworld - sidecar.istio.io/inject: "true" spec: containers: - name: helloworld @@ -48,33 +41,33 @@ spec: ports: - containerPort: 80 - containerPort: 443 ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - name: nginx - labels: - app: nginx - version: v1 -spec: - replicas: 1 - selector: - matchLabels: - app: nginx - version: v1 - template: - metadata: - labels: - app: nginx - version: v1 - spec: - # serviceAccountName: istio-helloworld - containers: - - name: nginx - image: nginx - resources: - requests: - cpu: "100m" - imagePullPolicy: IfNotPresent - ports: - - containerPort: 80 \ No newline at end of file +#--- +#apiVersion: apps/v1 +#kind: Deployment +#metadata: +# name: nginx +# labels: +# app: nginx +# version: v1 +#spec: +# replicas: 1 +# selector: +# matchLabels: +# app: nginx +# version: v1 +# template: +# metadata: +# labels: +# app: nginx +# version: v1 +# spec: +# # serviceAccountName: istio-helloworld +# containers: +# - name: nginx +# image: nginx +# resources: +# requests: +# cpu: "100m" +# imagePullPolicy: IfNotPresent +# ports: +# - containerPort: 80 \ No newline at end of file 
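Review bot: The second deployment.yaml hunk drops the `sidecar.istio.io/inject: "true"` pod label without saying why; unless the `default` namespace has injection enabled, the helloworld pod now runs with no sidecar, so mesh-level policy and telemetry no longer cover it even though the passed-through TLS stream itself is unaffected. If that is intended, state it beside the `labels:` block, e.g. `# no sidecar: TLS is passed through end-to-end and terminated by the container`; if injection is namespace-wide, the label was redundant and a one-line note saying so avoids the question. In the third hunk the nginx Deployment is commented out line by line instead of removed, while the same commit deletes `bk_old_nonworking_gateway.yaml` and `gateway-02.yaml` outright; deleting this block too keeps the manifest to the resources that are actually applied. In the first hunk `appProtocol: https` became `appProtocol: HTTPS`; Istio's documented spelling is lowercase and that is what the line had before, so unless the uppercase form is deliberate, `appProtocol: https` avoids depending on case-insensitive parsing.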
diff --git a/Istio/02-Traffic_management/11-TLS-PASSTHROUGH/gateway-02.yaml b/Istio/02-Traffic_management/11-TLS-PASSTHROUGH/gateway-02.yaml deleted file mode 100755 index 5070950..0000000 --- a/Istio/02-Traffic_management/11-TLS-PASSTHROUGH/gateway-02.yaml +++ /dev/null @@ -1,36 +0,0 @@ -#apiVersion: networking.istio.io/v1beta1 -#kind: Gateway -#metadata: -# name: helloworld-gateway -#spec: -# selector: -# istio: ingressgateway -# servers: -# - hosts: -# - "*" -# port: -# name: https -# number: 443 -# protocol: HTTPS -# tls: -# mode: PASSTHROUGH -#--- -#apiVersion: networking.istio.io/v1beta1 -#kind: VirtualService -#metadata: -# name: helloworld-vs -#spec: -# gateways: -# - helloworld-gateway -# hosts: ["lb.net","*.lb.net"] -## http: -## - route: -## - destination: -## host: helloworld.default.svc.cluster.local -##spec: -# tls: -# - match: -# - sniHosts: ["lb.net","*.lb.net"] -# route: -# - destination: -# host: helloworld.default.svc.cluster.local \ No newline at end of file diff --git a/Istio/02-Traffic_management/11-TLS-PASSTHROUGH/gateway.yaml b/Istio/02-Traffic_management/11-TLS-PASSTHROUGH/gateway.yaml index a313d3a..2f092f6 100755 --- a/Istio/02-Traffic_management/11-TLS-PASSTHROUGH/gateway.yaml +++ b/Istio/02-Traffic_management/11-TLS-PASSTHROUGH/gateway.yaml 
@@ -2,61 +2,30 @@ apiVersion: networking.istio.io/v1alpha3 kind: Gateway metadata: name: helloworld-gateway + namespace: default spec: selector: - # istio: myingressgateway istio: ingressgateway servers: - # - port: - # number: 443 - # name: secure-http2 - # protocol: HTTP2 - # hosts: - # - "*" - - port: - number: 80 - name: http2-i - protocol: HTTP2 - hosts: - - "*" - port: number: 443 - name: https-i + name: https-web protocol: HTTPS hosts: - "*" tls: -# credentialName: my-tls-cert-secret -# minProtocolVersion: TLSV1_2 - # mode: PASSTHROUGH --- apiVersion: networking.istio.io/v1alpha3 kind: VirtualService metadata: name: helloworld-vs + namespace: default spec: hosts: - "lb.net" gateways: - helloworld-gateway - http: - - name: http-vs - match: - - port: 80 - route: - - destination: - host: helloworld.default.svc.cluster.local - port: - number: 8080 -# - name: https-vs -# match: -# - port: 443 -# route: -# - destination: -# host: helloworld.default.svc.cluster.local -# port: -# number: 8443 tls: - match: - port: 443 @@ -65,23 +34,4 @@ spec: - destination: host: helloworld.default.svc.cluster.local port: - number: 8443 ---- -apiVersion: networking.istio.io/v1alpha3 -kind: DestinationRule -metadata: - name: helloworld - namespace: default -spec: - host: helloworld.default.svc.cluster.local - trafficPolicy: - portLevelSettings: - - port: - number: 8080 - tls: - mode: DISABLE - - - port: - number: 8443 - tls: - mode: DISABLE + number: 8443 \ No newline at end of file diff --git a/Istio/02-Traffic_management/XX-HTTP2-gateway-made-it-work/README.md b/Istio/02-Traffic_management/XX-HTTP2-gateway-made-it-work-maybe/README.md similarity index 100% rename from Istio/02-Traffic_management/XX-HTTP2-gateway-made-it-work/README.md rename to Istio/02-Traffic_management/XX-HTTP2-gateway-made-it-work-maybe/README.md 
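Review bot: The 443 server still declares `hosts: - "*"` while the VirtualService is scoped to `lb.net` (and, per the README hunk, an SNI match on the same name), so the gateway accepts a ClientHello for any server name and relies on the route match to refuse the rest; narrowing the server to `hosts: - "lb.net"` rejects unrelated SNI before routing runs. With PASSTHROUGH the gateway does not terminate the handshake, so the removed `minProtocolVersion: TLSV1_2` and `credentialName` lines cannot be re-applied at this layer and the minimum TLS version and certificate are now whatever the backend serves, which deserves a comment on the `tls:` block, e.g. `# PASSTHROUGH: TLS is not terminated here; protocol-version policy is enforced by the backend`. The collapsed hunk shows `mode: PASSTHROUGH` as context only if the preceding `- #` is a removed empty comment line; if `mode` itself was the commented line, the HTTPS server is left with an empty `tls:` and no mode, so please confirm the applied file. Dropping the DestinationRule with `tls.mode: DISABLE` is consistent with forwarding the already-encrypted stream untouched.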
diff --git a/Istio/02-Traffic_management/XX-HTTP2-gateway-made-it-work/authentication.yaml b/Istio/02-Traffic_management/XX-HTTP2-gateway-made-it-work-maybe/authentication.yaml similarity index 100% rename from Istio/02-Traffic_management/XX-HTTP2-gateway-made-it-work/authentication.yaml rename to Istio/02-Traffic_management/XX-HTTP2-gateway-made-it-work-maybe/authentication.yaml diff --git a/Istio/02-Traffic_management/XX-HTTP2-gateway-made-it-work/deployment.yaml b/Istio/02-Traffic_management/XX-HTTP2-gateway-made-it-work-maybe/deployment.yaml similarity index 100% rename from Istio/02-Traffic_management/XX-HTTP2-gateway-made-it-work/deployment.yaml rename to Istio/02-Traffic_management/XX-HTTP2-gateway-made-it-work-maybe/deployment.yaml diff --git a/Istio/02-Traffic_management/XX-HTTP2-gateway-made-it-work/gateway.yaml b/Istio/02-Traffic_management/XX-HTTP2-gateway-made-it-work-maybe/gateway.yaml similarity index 100% rename from Istio/02-Traffic_management/XX-HTTP2-gateway-made-it-work/gateway.yaml rename to Istio/02-Traffic_management/XX-HTTP2-gateway-made-it-work-maybe/gateway.yaml diff --git a/Istio/02-Traffic_management/11-TLS-PASSTHROUGH/ingress.yaml b/Istio/02-Traffic_management/XX-HTTP2-gateway-made-it-work-maybe/ingress.yaml similarity index 100% rename from Istio/02-Traffic_management/11-TLS-PASSTHROUGH/ingress.yaml rename to Istio/02-Traffic_management/XX-HTTP2-gateway-made-it-work-maybe/ingress.yaml diff --git a/Istio/02-Traffic_management/XX-HTTP2-gateway-made-it-work/ingress.yaml b/Istio/02-Traffic_management/XX-HTTP2-gateway-made-it-work/ingress.yaml deleted file mode 100644 index 850c2eb..0000000 --- a/Istio/02-Traffic_management/XX-HTTP2-gateway-made-it-work/ingress.yaml +++ /dev/null 
@@ -1,29 +0,0 @@ -apiVersion: install.istio.io/v1alpha1 -kind: IstioOperator -metadata: - name: ingress -spec: - profile: empty # Do not install CRDs or the control plane - components: - ingressGateways: - - name: myistio-ingressgateway - namespace: istio-ingress - enabled: true - label: - istio: myingressgateway - k8s: - service: - ports: - - name: https-ingress - port: 443 - protocol: TCP - targetPort: 1055 - - name: http-ingress - port: 80 - protocol: TCP - targetPort: 1085 - - values: - gateways: - istio-ingressgateway: - injectionTemplate: gateway diff --git a/Istio/02-Traffic_management/__XX-TLS-PASSTHROUGH_BK_pcap_see_encrypted_traffic/README.md b/Istio/02-Traffic_management/__XX-TLS-PASSTHROUGH_BK_pcap_see_encrypted_traffic/README.md deleted file mode 100644 index f356e8b..0000000 --- a/Istio/02-Traffic_management/__XX-TLS-PASSTHROUGH_BK_pcap_see_encrypted_traffic/README.md +++ /dev/null 
@@ -1,313 +0,0 @@ ---- -gitea: none -include_toc: true ---- - -# Based on - -- [08a-HTTPS-min-TLS-version](../08a-HTTPS-min-TLS-version) - -# Description - -The previous example was modified set the gateway to enable for HTTP2 traffic. - -https://stackoverflow.com/a/59610581 - - -# Changelog - -## Gateway - -```yaml -apiVersion: networking.istio.io/v1alpha3 -kind: Gateway -metadata: - name: helloworld-gateway -spec: - selector: - istio: ingressgateway - servers: - - port: - number: 443 - name: secure-http2 - protocol: HTTP2 - hosts: - - "*" - tls: - mode: SIMPLE - credentialName: my-tls-cert-secret - minProtocolVersion: TLSV1_2 -``` - -`` - -# Walkthrough - - -## Generate client and server certificate and key files - -First step will be to generate the certificate and key files to be able to set them to the Gateway resource. - -### Create a folder to store files. - -Create the folder to contain the files that will be generated. - -```shell -mkdir certfolder -``` - -### Create a certificate and a private key. - -```shell -openssl req -x509 -sha256 -nodes -days 365 -subj '/O=Internet of things/CN=lb.net' -newkey rsa:2048 -keyout certfolder/istio.cert.key -out certfolder/istio.cert.crt -``` - -The files generated are the following: - -```yaml -private-key: certfolder/istio.cert.key -root-certificate: certfolder/istio.cert.crt -``` - -The information set to the certificate generated is the following: - -```yaml -Organization-name: Internet of things -CN: lb.net -``` - -### Create a TLS secret - -At this step we create the tls secret `my-tls-cert-secret` on the namespace `istio-system`. 
- -```shell -kubectl create -n istio-system secret tls my-tls-cert-secret \ - --key=certfolder/istio.cert.key \ - --cert=certfolder/istio.cert.crt -``` -```text -secret/my-tls-cert-secret created -``` -```text -service/helloworld created -deployment.apps/helloworld-nginx created -gateway.networking.istio.io/helloworld-gateway created -virtualservice.networking.istio.io/helloworld-vs created -``` - -> **Note:**\ -> It's Important that the secret is located in the same namespace as the Load Balancer used. In my case is the `istio-system`, but it will vary based on the environment. - - -## Deploy resources - -```shell -kubectl apply -f ./ -``` -```text -service/helloworld created -deployment.apps/helloworld-nginx created -gateway.networking.istio.io/helloworld-gateway created -virtualservice.networking.istio.io/helloworld-vs created -``` - -## Test the service -### http2 -#### Curl HTTP1 - -```shell -curl 192.168.1.50/helloworld -s -o=/dev/null -w 'http_version: %{http_version}\nstatus_code: %{response_code}\n' -HHOST:http2.lb --http1.0 -``` -```text -http_version: 1.1 -status_code: 426 -``` - -#### Curl HTTP1.1 - -```shell -curl 192.168.1.50/helloworld -s -o=/dev/null -w 'http_version: %{http_version}\nstatus_code: %{response_code}\n' -HHOST:http2.lb --http1.1 -``` -```text -http_version: 1.1 -status_code: 200 -``` - -#### Curl HTTP2 - -```shell -curl 192.168.1.50/helloworld -s -o=/dev/null -w 'http_version: %{http_version}\nstatus_code: %{response_code}\n' -HHOST:http2.lb --http2 -``` -```text -http_version: 1.1 -status_code: 200 -``` - -### http1-web - -#### Curl HTTP1 - -```shell -curl 192.168.1.50/helloworld -s -o=/dev/null -w 'http_version: %{http_version}\nstatus_code: %{response_code}\n' -HHOST:http1.lb --http1.0 -``` -```text -http_version: 1.1 -status_code: 426 -``` - -#### Curl HTTP1.1 - -```shell -curl 192.168.1.50/helloworld -s -o=/dev/null -w 'http_version: %{http_version}\nstatus_code: %{response_code}\n' -HHOST:http1.lb --http1.1 -``` -```text 
-http_version: 1.1 -status_code: 200 -``` - -#### Curl HTTP2 - -```shell -curl 192.168.1.50/helloworld -s -o=/dev/null -w 'http_version: %{http_version}\nstatus_code: %{response_code}\n' -HHOST:http1.lb --http2 -``` -```text -http_version: 1.1 -status_code: 200 -``` - -## Cleanup - -```shell -kubectl delete -f ./ -``` - -```text -service "helloworld" deleted -deployment.apps "helloworld-nginx" deleted -gateway.networking.istio.io "helloworld-gateway" deleted -virtualservice.networking.istio.io "helloworld-vs" deleted -``` - -# Links of Interest - -- https://istio.io/latest/docs/reference/config/networking/gateway/#ServerTLSSettings-TLSProtocol - -- https://stackoverflow.com/a/51279606 - -- https://istio.io/latest/docs/reference/config/networking/destination-rule/#ConnectionPoolSettings-HTTPSettings-H2UpgradePolicy - - - -docker buildx build --push --platform linux/arm/v7,linux/arm64/v8,linux/amd64 --tag registery.filter.home:5000/https-demo:latest -f Dockerfile - - -docker buildx build --push --platform linux/arm/v7,linux/arm64/v8,linux/amd64 --tag registery.filter.home:5000/https-demo:latest . -[+] Building 0.0s (0/0) -ERROR: multiple platforms feature is currently not supported for docker driver. Please switch to a different driver (eg. "docker buildx create --use") - ---- -## Create the Dockerfile - -```bash -FROM ubuntu/apache2 - -RUN apt-get update && \ -apt-get install apache2 openssl -y && \ -a2ensite default-ssl && \ -a2enmod ssl && \ -echo "

Howdy

" | tee /var/www/html/index.html - -RUN /usr/bin/printf "\n\ - ServerAdmin webmaster@localhost\n\ - DocumentRoot /var/www/html\n\ - ErrorLog \${APACHE_LOG_DIR}/error.log\n\ - CustomLog \${APACHE_LOG_DIR}/access.log combined\n\ -\n\ -\n\ - ServerAdmin webmaster@localhost\n\ - DocumentRoot /var/www/html\n\ - ErrorLog \${APACHE_LOG_DIR}/error.log\n\ - CustomLog \${APACHE_LOG_DIR}/access.log combined\n\ - SSLEngine on\n\ - SSLCertificateFile /etc/ssl/certs/ssl-cert-snakeoil.pem\n\ - SSLCertificateKeyFile /etc/ssl/private/ssl-cert-snakeoil.key\n\ -" > /etc/apache2/sites-available/000-default.conf - -RUN openssl req -x509 -sha256 -nodes -days 358000 -subj '/O=SSL EXAMPLE/CN=lb.net' -newkey rsa:2048 -keyout /etc/ssl/private/ssl-cert-snakeoil.key -out /etc/ssl/certs/ssl-cert-snakeoil.pem -``` - -## Build the image - -Due to my Kubernetes cluster environment, where I am using Orange 5, their architecture is arm7, and for such, I require to compile such images. - -For my own commodity, I have used a raspberry pi 4 to build this images. - -The images where pushed to a local registry server, and afterwards the Kubernetes cluster will pull such image. - -```shell - docker build --tag https-demo:armv7 . -``` -```text -docker build --tag https-demo:armv7 . 
--no-cache -[+] Building 16.5s (8/8) FINISHED - => [internal] load .dockerignore 0.0s - => => transferring context: 2B 0.0s - => [internal] load build definition from Dockerfile 0.0s - => => transferring dockerfile: 1.09kB 0.0s - => [internal] load metadata for docker.io/ubuntu/apache2:latest 0.4s - => CACHED [1/4] FROM docker.io/ubuntu/apache2@sha256:0a5e7179fa8fccf17843a8862e58ac783628b7d448cd68fda8fb1e 0.0s - => [2/4] RUN apt-get update && apt-get install apache2 openssl -y && a2ensite default-ssl && a2enmod ssl & 12.0s - => [3/4] RUN /usr/bin/printf "\n ServerAdmin webmaster@localhost\n DocumentRoot /var/www/ 0.7s - => [4/4] RUN openssl req -x509 -sha256 -nodes -days 358000 -subj '/O=SSL EXAMPLE' -newkey rsa:2048 -keyout 2.4s - => exporting to image 1.0s - => => exporting layers 1.0s - => => writing image sha256:591c6d233100a48bf132eef7a792942cfd0b7057817c4ac5e156c1d33e24cd89 0.0s - => => naming to docker.io/library/https-demo:armv7 0.0s -``` - -## Tag the image - -```shell -docker image tag https-demo:armv7 registery.filter.home/https-demo:armv7 -``` - -## Upload to the registery server - -```text -docker image push registery.filter.home:5000/https-demo:armv7 -The push refers to repository [registery.filter.home:5000/https-demo] -c6d858706b08: Pushed -9e077e0202f0: Pushed -6ffc708d0cf3: Pushed -69e01b4bf4d7: Pushed -17c5b30f3843: Pushed -0b9f60fbcaf1: Pushed -armv7: digest: sha256:d8c81c27f23bf3945ae8a794c82182f9e6c48ec927f388fdf4a88caa0e284bd1 size: 1578 -``` - - - -## ? -curl: (35) OpenSSL/3.0.8: error:0A00010B:SSL routines::wrong version numbe - - - - - ---- - - -Has apache2 installed with a default certificate. - -Port 80 visible for HTTP - -Port 443 visible for HTTPS. - - - - -curl https://192.168.1.2:8443 -s -o=/dev/null -w 'http_version: %{http_version}\nstatus_code: %{response_code}\n' -HHOST:http1.lb --http2 -k -http_version: 2 -status_code: 200 - -# Recv failure: Connection reset by peer 
diff --git a/Istio/02-Traffic_management/__XX-TLS-PASSTHROUGH_BK_pcap_see_encrypted_traffic/authentication.yaml b/Istio/02-Traffic_management/__XX-TLS-PASSTHROUGH_BK_pcap_see_encrypted_traffic/authentication.yaml deleted file mode 100644 index da9883d..0000000 --- a/Istio/02-Traffic_management/__XX-TLS-PASSTHROUGH_BK_pcap_see_encrypted_traffic/authentication.yaml +++ /dev/null @@ -1,11 +0,0 @@ -apiVersion: security.istio.io/v1beta1 -kind: PeerAuthentication -metadata: - name: default-mtls - namespace: default -spec: - mtls: - mode: DISABLE - - -#curl -v --resolve ":$SECURE_INGRESS_PORT:$INGRESS_HOST" --cacert example_certs/example.com.crt "https://nginx.example.com:$SECURE_INGRESS_PORT" diff --git a/Istio/02-Traffic_management/__XX-TLS-PASSTHROUGH_BK_pcap_see_encrypted_traffic/bk_old_nonworking_gateway.yaml b/Istio/02-Traffic_management/__XX-TLS-PASSTHROUGH_BK_pcap_see_encrypted_traffic/bk_old_nonworking_gateway.yaml deleted file mode 100755 index 871a985..0000000 --- a/Istio/02-Traffic_management/__XX-TLS-PASSTHROUGH_BK_pcap_see_encrypted_traffic/bk_old_nonworking_gateway.yaml +++ /dev/null 
@@ -1,117 +0,0 @@ -#apiVersion: networking.istio.io/v1alpha3 -#kind: Gateway -#metadata: -# name: helloworld-gateway -#spec: -# selector: -## istio: myingressgateway -# istio: ingressgateway -# servers: -# - hosts: -# ["lb.net","*.lb.net"] -# port: -# name: tls-443 -# number: 443 -# protocol: HTTPS -# tls: -# mode: SIMPLE -# credentialName: my-tls-cert-secret -# minProtocolVersion: TLSV1_2 -#--- -#apiVersion: networking.istio.io/v1alpha3 -#kind: VirtualService -#metadata: -# name: helloworld-vs -#spec: -# hosts: -# - "*" -# gateways: -# - helloworld-gateway -# http: -## - name: http-vs -## match: -## - port: 80 -## route: -## - destination: -## host: helloworld.default.svc.cluster.local -## port: -## number: 8080 -# - name: https-vs -# match: -# - port: 443 -# route: -# - destination: -# host: helloworld.default.svc.cluster.local -# port: -# number: 443 -## -## tls: -## - match: -## - port: 443 -## sniHosts: ["lb.net"] -## route: -## - destination: -## host: helloworld.default.svc.cluster.local -## port: -## number: 443 -# -##--- -##apiVersion: networking.istio.io/v1alpha3 -##kind: DestinationRule -##metadata: -## name: helloworld -## namespace: default -##spec: -## host: helloworld.default.svc.cluster.local -## trafficPolicy: -## portLevelSettings: -## - port: -## number: 8080 -## tls: -## mode: DISABLE -# -## - port: -## number: 8443 -## tls: -## credentialName: client-credential -## mode: SIMPLE -# -# -## port: -## name: https-backend -## number: 8443 -## protocol: HTTPS -## tls: -## credentialName: my-tls-cert-secret -## mode: SIMPLE -## tcp: -### - match: -### - port: 80 -### route: -### - destination: -### host: helloworld -### port: -### number: 8080 -### - match: -### - port: 443 -## - route: -## - destination: -## host: helloworld -## port: -## number: 8443 -## -## tls: -## - match: -## - port: 443 -## sniHosts: -## - "hello.si" -### - uri: -### exact: /helloworld -## route: -## - destination: -## host: helloworld -## port: -## number: 8443 -### protocol: 
HTTPS -### rewrite: -### uri: "/" \ No newline at end of file diff --git a/Istio/02-Traffic_management/__XX-TLS-PASSTHROUGH_BK_pcap_see_encrypted_traffic/deployment.yaml b/Istio/02-Traffic_management/__XX-TLS-PASSTHROUGH_BK_pcap_see_encrypted_traffic/deployment.yaml deleted file mode 100755 index 233c5ed..0000000 --- a/Istio/02-Traffic_management/__XX-TLS-PASSTHROUGH_BK_pcap_see_encrypted_traffic/deployment.yaml +++ /dev/null @@ -1,74 +0,0 @@ -apiVersion: v1 -kind: Service -metadata: - name: helloworld - labels: - app: helloworld - service: helloworld -spec: - ports: - - name: p1 - port: 80 - protocol: TCP - - name: https - port: 443 - protocol: TCP - selector: - app: helloworld ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - name: helloworld-nginx - labels: - app: helloworld -spec: - replicas: 1 - selector: - matchLabels: - app: helloworld - template: - metadata: - labels: - app: helloworld - sidecar.istio.io/inject: "true" - spec: - containers: - - name: helloworld - image: oriolfilter/https-apache-demo:armv7 - resources: - requests: - cpu: "100m" - imagePullPolicy: IfNotPresent #Always - ports: - - containerPort: 443 ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - name: nginx - labels: - app: nginx - version: v1 -spec: - replicas: 1 - selector: - matchLabels: - app: nginx - version: v1 - template: - metadata: - labels: - app: nginx - version: v1 - spec: - # serviceAccountName: istio-helloworld - containers: - - name: nginx - image: nginx - resources: - requests: - cpu: "100m" - imagePullPolicy: IfNotPresent - ports: - - containerPort: 80 \ No newline at end of file diff --git a/Istio/02-Traffic_management/__XX-TLS-PASSTHROUGH_BK_pcap_see_encrypted_traffic/gateway-02.yaml b/Istio/02-Traffic_management/__XX-TLS-PASSTHROUGH_BK_pcap_see_encrypted_traffic/gateway-02.yaml deleted file mode 100755 index 5070950..0000000 --- a/Istio/02-Traffic_management/__XX-TLS-PASSTHROUGH_BK_pcap_see_encrypted_traffic/gateway-02.yaml +++ /dev/null 
@@ -1,36 +0,0 @@ -#apiVersion: networking.istio.io/v1beta1 -#kind: Gateway -#metadata: -# name: helloworld-gateway -#spec: -# selector: -# istio: ingressgateway -# servers: -# - hosts: -# - "*" -# port: -# name: https -# number: 443 -# protocol: HTTPS -# tls: -# mode: PASSTHROUGH -#--- -#apiVersion: networking.istio.io/v1beta1 -#kind: VirtualService -#metadata: -# name: helloworld-vs -#spec: -# gateways: -# - helloworld-gateway -# hosts: ["lb.net","*.lb.net"] -## http: -## - route: -## - destination: -## host: helloworld.default.svc.cluster.local -##spec: -# tls: -# - match: -# - sniHosts: ["lb.net","*.lb.net"] -# route: -# - destination: -# host: helloworld.default.svc.cluster.local \ No newline at end of file diff --git a/Istio/02-Traffic_management/__XX-TLS-PASSTHROUGH_BK_pcap_see_encrypted_traffic/gateway.yaml b/Istio/02-Traffic_management/__XX-TLS-PASSTHROUGH_BK_pcap_see_encrypted_traffic/gateway.yaml deleted file mode 100755 index 210ef29..0000000 --- a/Istio/02-Traffic_management/__XX-TLS-PASSTHROUGH_BK_pcap_see_encrypted_traffic/gateway.yaml +++ /dev/null 
@@ -1,85 +0,0 @@ -apiVersion: networking.istio.io/v1alpha3 -kind: Gateway -metadata: - name: helloworld-gateway -spec: - selector: - # istio: myingressgateway - istio: ingressgateway - servers: - # - port: - # number: 443 - # name: secure-http2 - # protocol: HTTP2 - # hosts: - # - "*" - - port: - number: 80 - name: http2-i - protocol: HTTP2 - hosts: - - "*" - - port: - number: 443 - name: https-i - protocol: HTTPS - hosts: - - "*" - tls: - credentialName: my-tls-cert-secret - minProtocolVersion: TLSV1_2 - # - mode: SIMPLE ---- -apiVersion: networking.istio.io/v1alpha3 -kind: VirtualService -metadata: - name: helloworld-vs -spec: - hosts: ["lb.net"] - gateways: - - helloworld-gateway - http: - - name: http-vs - match: - - port: 80 - route: - - destination: - host: helloworld.default.svc.cluster.local - port: - number: 80 - - name: https-vs - match: - - port: 443 - sniHosts: ["lb.net"] - route: - - destination: - host: helloworld.default.svc.cluster.local - port: - number: 443 -# tls: -# - match: -# - sniHosts: ["lb.net"] -# route: -# - destination: -# host: helloworld.default.svc.cluster.local ---- -apiVersion: networking.istio.io/v1alpha3 -kind: DestinationRule -metadata: - name: helloworld - namespace: default -spec: - host: helloworld.default.svc.cluster.local - trafficPolicy: - portLevelSettings: - - port: - number: 8080 - tls: - mode: DISABLE -# - - port: - number: 443 - tls: - credentialName: client-credential - mode: DISABLE \ No newline at end of file diff --git a/Istio/02-Traffic_management/__XX-TLS-PASSTHROUGH_BK_pcap_see_encrypted_traffic/ingress.yaml b/Istio/02-Traffic_management/__XX-TLS-PASSTHROUGH_BK_pcap_see_encrypted_traffic/ingress.yaml deleted file mode 100644 index 850c2eb..0000000 --- a/Istio/02-Traffic_management/__XX-TLS-PASSTHROUGH_BK_pcap_see_encrypted_traffic/ingress.yaml +++ /dev/null 
@@ -1,29 +0,0 @@ -apiVersion: install.istio.io/v1alpha1 -kind: IstioOperator -metadata: - name: ingress -spec: - profile: empty # Do not install CRDs or the control plane - components: - ingressGateways: - - name: myistio-ingressgateway - namespace: istio-ingress - enabled: true - label: - istio: myingressgateway - k8s: - service: - ports: - - name: https-ingress - port: 443 - protocol: TCP - targetPort: 1055 - - name: http-ingress - port: 80 - protocol: TCP - targetPort: 1085 - - values: - gateways: - istio-ingressgateway: - injectionTemplate: gateway diff --git a/Istio/02-Traffic_management/11-TLS-PASSTHROUGH/authentication.yaml b/Istio/06-Internal-Authentication/03-disable-mTLS/authentication.yaml similarity index 50% rename from Istio/02-Traffic_management/11-TLS-PASSTHROUGH/authentication.yaml rename to Istio/06-Internal-Authentication/03-disable-mTLS/authentication.yaml index da9883d..221a86d 100644 --- a/Istio/02-Traffic_management/11-TLS-PASSTHROUGH/authentication.yaml +++ b/Istio/06-Internal-Authentication/03-disable-mTLS/authentication.yaml @@ -6,6 +6,3 @@ metadata: spec: mtls: mode: DISABLE - - -#curl -v --resolve ":$SECURE_INGRESS_PORT:$INGRESS_HOST" --cacert example_certs/example.com.crt "https://nginx.example.com:$SECURE_INGRESS_PORT" -- 2.47.2 From 5e0abdebd4da97f6b10eea8d34279f9e9867928c Mon Sep 17 00:00:00 2001 
From: savagebidoof Date: Tue, 25 Apr 2023 06:45:34 +0200 Subject: [PATCH 18/21] HTTPS backend documented, need to fix 2 refference links (unless I set them right already ) --- .../08b-HTTPS-max-TLS-version/README.md | 3 +- .../README.md | 264 ++++++++++++++---- .../authentication.yaml | 8 + .../deployment.yaml | 41 +-- .../gateway.yaml | 69 +---- .../10-TCP-FORWARDING/README.md | 19 +- .../11-TLS-PASSTHROUGH/README.md | 2 +- .../03-disable-mTLS/README.md | 6 + .../03-disable-mTLS/deployment.yaml | 79 ++++++ .../03-disable-mTLS/gateway.yaml | 70 +++++ 10 files changed, 391 insertions(+), 170 deletions(-) create mode 100644 Istio/02-Traffic_management/09-HTTPS-backend (pending document)/authentication.yaml create mode 100644 Istio/06-Internal-Authentication/03-disable-mTLS/README.md create mode 100755 Istio/06-Internal-Authentication/03-disable-mTLS/deployment.yaml create mode 100755 Istio/06-Internal-Authentication/03-disable-mTLS/gateway.yaml diff --git a/Istio/02-Traffic_management/08b-HTTPS-max-TLS-version/README.md b/Istio/02-Traffic_management/08b-HTTPS-max-TLS-version/README.md index 3629bec..e3833f4 100644 --- a/Istio/02-Traffic_management/08b-HTTPS-max-TLS-version/README.md +++ b/Istio/02-Traffic_management/08b-HTTPS-max-TLS-version/README.md @@ -15,6 +15,8 @@ The previous example was modified to limit and specify the maximum TLS version. ## Gateway +Gateway has been modified to limit the maximum TLS version to v1.2. + ```yaml apiVersion: networking.istio.io/v1alpha3 kind: Gateway @@ -36,7 +38,6 @@ spec: maxProtocolVersion: TLSV1_2 ``` -Gateway has been modified to limit the maximum TLS version to v1.2. # Walkthrough diff --git a/Istio/02-Traffic_management/09-HTTPS-backend (pending document)/README.md b/Istio/02-Traffic_management/09-HTTPS-backend (pending document)/README.md index 3b9d38e..966300f 100644 --- a/Istio/02-Traffic_management/09-HTTPS-backend (pending document)/README.md 
+++ b/Istio/02-Traffic_management/09-HTTPS-backend (pending document)/README.md @@ -9,16 +9,23 @@ include_toc: true # Description -The previous example was modified set the gateway to enable for HTTP2 traffic. - -https://stackoverflow.com/a/59610581 +This example contains a backend that serves HTTPS traffic and can be accessed from both `HTTP` and `HTTPS` requests through the gateway resource. -# Changelog +> **Note:**\ +> For more information about the image used refer to [here](https://hub.docker.com/r/oriolfilter/https-apache-demo) + +# Configuration ## Gateway -```yaml +The gateway is configured to listen to the port `80` for `HTTP` traffic, and to the port `443` for `HTTPS` traffic. + +The TLS configuration is set to `simple`, and the credentials (the object that contains the certificates/TLS configuration) is set to `my-tls-cert-secret`. + +Any of the configured ports has limited the hosts. + +```shell apiVersion: networking.istio.io/v1alpha3 kind: Gateway metadata: 
@@ -27,23 +34,173 @@ spec: selector: istio: ingressgateway servers: + - port: + number: 80 + name: http + protocol: HTTP + hosts: + - "*" - port: number: 443 - name: secure-http2 - protocol: HTTP2 + name: https + protocol: HTTPS hosts: - "*" tls: - mode: SIMPLE credentialName: my-tls-cert-secret - minProtocolVersion: TLSV1_2 + mode: SIMPLE ``` -`` +> **Note:**\ +> The credentials resource is created further bellow through the [Walkthrough](#walkthrough) steps. + +> **Note:**\ +> For more information regarding the TLS mode configuration, refer to the following [Istio documentation regarding the TLS mode field](https://istio.io/latest/docs/reference/config/networking/gateway/#ServerTLSSettings-TLSmode). + +## Virtual service + +The rule that contains, will receive traffic from the port `443` and `80`. + +This traffic will be directed towards destination of such is the service `helloworld.default.svc.cluster.local`, with port destination 8443. + +This destination is the service that contains the `HTTPS` deployment, running over the port `8443` + +```yaml +apiVersion: networking.istio.io/v1alpha3 +kind: VirtualService +metadata: + name: helloworld-vs +spec: + hosts: + - "*" + gateways: + - helloworld-gateway + http: + - name: https-vs + match: + - port: 80 + - port: 443 + route: + - destination: + host: helloworld.default.svc.cluster.local + port: + number: 8443 +``` + +## DestinationRule + +This DestinationRule, will interject the traffic destined to the service `helloworld.default.svc.cluster.local` with port `8443`. + +As mentioned in the [Virtual Service](#virtual%20service) section, the destination is the `HTTPS` service. + +By default, the call would be made with `HTTP` protocol, yet, as the destination is an `HTTPS` service, the request would result in the status code `400 Bad Request`, due sending HTTP traffic to an HTTPS service. + +To avoid this, we need to specify that the destination handles HTTPS traffic. 
+ +By setting the `tls.mode` field with `simple`, it means that there will be an attempt to initialize a TLS handshake. + +> **Note:** +> For more information about the TLS mode, refer to the [Istio official documentation from the DestinationRule object regarding the TLS mode field](https://istio.io/latest/docs/reference/config/networking/destination-rule/#ClientTLSSettings-TLSmode). + +```yaml +apiVersion: networking.istio.io/v1alpha3 +kind: DestinationRule +metadata: + name: helloworld + namespace: default +spec: + host: helloworld.default.svc.cluster.local + trafficPolicy: + portLevelSettings: + - port: + number: 8443 + tls: + mode: SIMPLE +``` + +## Service + +The service will forward incoming TCP traffic from the port `8443`, towards the deployment port `443`. + +It's been specified the protocol expected to service, it being `HTTPS`. + +```yaml +apiVersion: v1 +kind: Service +metadata: + name: helloworld + labels: + app: helloworld + service: helloworld +spec: + ports: + - name: https + port: 8443 + targetPort: 443 + protocol: TCP + appProtocol: HTTPS + selector: + app: helloworld +``` + +## Deployment + +Deployment listens to port 80 and 443. + +> **Note:**\ +> For more information about the image used refer to [here](https://hub.docker.com/r/oriolfilter/https-apache-demo) + +```yaml +apiVersion: apps/v1 +kind: Deployment +metadata: + name: helloworld-nginx + labels: + app: helloworld +spec: + replicas: 1 + selector: + matchLabels: + app: helloworld + template: + metadata: + labels: + app: helloworld + spec: + containers: + - name: helloworld + image: oriolfilter/https-nginx-demo + resources: + requests: + cpu: "100m" + imagePullPolicy: IfNotPresent + ports: + - containerPort: 80 + - containerPort: 443 +``` + +## PeerAuthentication + +Due to the deployment having an `HTTPS`, and already initializing a TLS termination towards that service, we need to disable the **mTLS** tool for that specific service/deployment. 
+ +On the [Destination Rule](#destination%20rule) section we set the `tls` to `simple`, meaning that the service is expecting to receive `HTTPS` traffic, if `mTLS` is enabled, it will perform the handshake with the `mTLS` service, instead of with the destination `HTTPS` service. + +```yaml +apiVersion: security.istio.io/v1beta1 +kind: PeerAuthentication +metadata: + name: default-mtls + namespace: default +spec: + mtls: + mode: DISABLE +``` + +> **Note**:\ +> As this configuration is very board, and targets the whole namespace, I would strongly recommend referring to the following example [06-Internal-Authentication/02-target-service-accounts](../../06-Internal-Authentication/02-target-service-accounts), which shows how to target service accounts set to resources, limiting the scope of this rule set. # Walkthrough - ## Generate client and server certificate and key files First step will be to generate the certificate and key files to be able to set them to the Gateway resource. 
@@ -98,82 +255,71 @@ virtualservice.networking.istio.io/helloworld-vs created > **Note:**\ > It's Important that the secret is located in the same namespace as the Load Balancer used. In my case is the `istio-system`, but it will vary based on the environment. - ## Deploy resources ```shell kubectl apply -f ./ ``` ```text +peerauthentication.security.istio.io/default-mtls created service/helloworld created deployment.apps/helloworld-nginx created gateway.networking.istio.io/helloworld-gateway created virtualservice.networking.istio.io/helloworld-vs created +destinationrule.networking.istio.io/helloworld created ``` ## Test the service -### http2 -#### Curl HTTP1 + +### Get LB IP ```shell -curl 192.168.1.50/helloworld -s -o=/dev/null -w 'http_version: %{http_version}\nstatus_code: %{response_code}\n' -HHOST:http2.lb --http1.0 +kubectl get svc -l istio=ingressgateway -A ``` ```text -http_version: 1.1 -status_code: 426 +NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE +istio-ingressgateway LoadBalancer 10.97.47.216 192.168.1.50 15021:31316/TCP,80:32012/TCP,443:32486/TCP 39h ``` +### curl HTTP gateway -#### Curl HTTP1.1 +Well, it works as expected. ```shell -curl 192.168.1.50/helloworld -s -o=/dev/null -w 'http_version: %{http_version}\nstatus_code: %{response_code}\n' -HHOST:http2.lb --http1.1 +curl --insecure 192.168.1.50 -I ``` ```text -http_version: 1.1 -status_code: 200 +HTTP/1.1 200 OK +server: istio-envoy +date: Tue, 25 Apr 2023 04:41:19 GMT +content-type: text/html +content-length: 15 +last-modified: Tue, 25 Apr 2023 00:47:17 GMT +etag: "64472315-f" +strict-transport-security: max-age=7200 +accept-ranges: bytes +x-envoy-upstream-service-time: 28 ``` -#### Curl HTTP2 +### curl HTTPS gateway + +Well, it works as expected. 
```shell -curl 192.168.1.50/helloworld -s -o=/dev/null -w 'http_version: %{http_version}\nstatus_code: %{response_code}\n' -HHOST:http2.lb --http2 +curl --insecure https://192.168.1.50 -I ``` ```text -http_version: 1.1 -status_code: 200 +HTTP/2 200 +server: istio-envoy +date: Tue, 25 Apr 2023 04:42:07 GMT +content-type: text/html +content-length: 15 +last-modified: Tue, 25 Apr 2023 00:47:17 GMT +etag: "64472315-f" +strict-transport-security: max-age=7200 +accept-ranges: bytes +x-envoy-upstream-service-time: 13 ``` -### http1-web - -#### Curl HTTP1 - -```shell -curl 192.168.1.50/helloworld -s -o=/dev/null -w 'http_version: %{http_version}\nstatus_code: %{response_code}\n' -HHOST:http1.lb --http1.0 -``` -```text -http_version: 1.1 -status_code: 426 -``` - -#### Curl HTTP1.1 - -```shell -curl 192.168.1.50/helloworld -s -o=/dev/null -w 'http_version: %{http_version}\nstatus_code: %{response_code}\n' -HHOST:http1.lb --http1.1 -``` -```text -http_version: 1.1 -status_code: 200 -``` - -#### Curl HTTP2 - -```shell -curl 192.168.1.50/helloworld -s -o=/dev/null -w 'http_version: %{http_version}\nstatus_code: %{response_code}\n' -HHOST:http1.lb --http2 -``` -```text -http_version: 1.1 -status_code: 200 -``` ## Cleanup @@ -189,3 +335,9 @@ virtualservice.networking.istio.io "helloworld-vs" deleted ``` # Links of Interest + +- https://istio.io/latest/docs/reference/config/networking/gateway/#Gateway + +- https://istio.io/latest/docs/reference/config/networking/gateway/#ServerTLSSettings-TLSmode + +- https://istio.io/latest/docs/reference/config/networking/destination-rule/#ClientTLSSettings-TLSmode \ No newline at end of file diff --git a/Istio/02-Traffic_management/09-HTTPS-backend (pending document)/authentication.yaml b/Istio/02-Traffic_management/09-HTTPS-backend (pending document)/authentication.yaml new file mode 100644 index 0000000..221a86d --- /dev/null +++ b/Istio/02-Traffic_management/09-HTTPS-backend (pending document)/authentication.yaml 
@@ -0,0 +1,8 @@ +apiVersion: security.istio.io/v1beta1 +kind: PeerAuthentication +metadata: + name: default-mtls + namespace: default +spec: + mtls: + mode: DISABLE diff --git a/Istio/02-Traffic_management/09-HTTPS-backend (pending document)/deployment.yaml b/Istio/02-Traffic_management/09-HTTPS-backend (pending document)/deployment.yaml index 3f9ad6c..82e781b 100755 --- a/Istio/02-Traffic_management/09-HTTPS-backend (pending document)/deployment.yaml +++ b/Istio/02-Traffic_management/09-HTTPS-backend (pending document)/deployment.yaml @@ -7,12 +7,6 @@ metadata: service: helloworld spec: ports: - - port: 8080 - name: http-s - targetPort: 80 - protocol: TCP - appProtocol: HTTP - - port: 8443 name: https targetPort: 443 @@ -36,45 +30,14 @@ spec: metadata: labels: app: helloworld - sidecar.istio.io/inject: "true" spec: containers: - name: helloworld image: oriolfilter/https-nginx-demo - resources: - requests: - cpu: "100m" - imagePullPolicy: Always #Always - ports: - - containerPort: 80 - - containerPort: 443 ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - name: nginx - labels: - app: nginx - version: v1 -spec: - replicas: 1 - selector: - matchLabels: - app: nginx - version: v1 - template: - metadata: - labels: - app: nginx - version: v1 - spec: - # serviceAccountName: istio-helloworld - containers: - - name: nginx - image: nginx resources: requests: cpu: "100m" imagePullPolicy: IfNotPresent ports: - - containerPort: 80 \ No newline at end of file + - containerPort: 80 + - containerPort: 443 \ No newline at end of file diff --git a/Istio/02-Traffic_management/09-HTTPS-backend (pending document)/gateway.yaml b/Istio/02-Traffic_management/09-HTTPS-backend (pending document)/gateway.yaml index 1fe0fa3..861d59e 100755 --- a/Istio/02-Traffic_management/09-HTTPS-backend (pending document)/gateway.yaml +++ b/Istio/02-Traffic_management/09-HTTPS-backend (pending document)/gateway.yaml 
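Review bot: The PeerAuthentication added in the first hunk of this line has no `selector`, so `mode: DISABLE` switches off mTLS for every workload in the `default` namespace, not only for the HTTPS `helloworld` backend the README describes; the manifest renamed into `06-Internal-Authentication/03-disable-mTLS/authentication.yaml` earlier on this page is the same namespace-wide rule. Scoping the policy to the workload, and to the one port that terminates TLS itself, leaves the rest of the namespace on the mesh default. The README hunk for this example already calls the rule too broad, so the manifest can carry the narrower form directly. The snippet below is constructed: `portLevelMtls` needs the selector, and its key is the container port (443 here), so confirm it against the Deployment before applying.
```yaml
# … unchanged: apiVersion, kind, metadata …
spec:
  selector:
    matchLabels:
      app: helloworld
  portLevelMtls:
    443:
      mode: DISABLE
```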
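Review bot: In the second deployment.yaml hunk the remaining container keeps `image: oriolfilter/https-nginx-demo` with no tag, which resolves to the mutable `latest` tag, while the context line `imagePullPolicy: IfNotPresent` means each node keeps whatever copy it already cached; two nodes can run different builds and nothing ties the manifest to the image the README documents. Pin the reference, e.g. `image: oriolfilter/https-nginx-demo:<TAG-OR-DIGEST>` (placeholder), and keep `IfNotPresent`. The new `06-Internal-Authentication/03-disable-mTLS/deployment.yaml` at the end of this page has the same untagged reference, there with `imagePullPolicy: Always #Always` where the trailing comment only repeats the value, plus an untagged `image: nginx`. Dropping the `sidecar.istio.io/inject: "true"` label is fine only if the `default` namespace is labelled for automatic injection, which is not visible on this page.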
@@ -4,31 +4,22 @@ metadata: name: helloworld-gateway spec: selector: -# istio: myingressgateway istio: ingressgateway servers: -# - port: -# number: 443 -# name: secure-http2 -# protocol: HTTP2 -# hosts: -# - "*" - port: number: 80 - name: http2-i - protocol: HTTP2 + name: http + protocol: HTTP hosts: - "*" - port: number: 443 - name: https-i + name: https protocol: HTTPS hosts: - "*" tls: credentialName: my-tls-cert-secret - minProtocolVersion: TLSV1_2 -# mode: SIMPLE --- apiVersion: networking.istio.io/v1alpha3 @@ -41,16 +32,9 @@ spec: gateways: - helloworld-gateway http: - - name: http-vs - match: - - port: 80 - route: - - destination: - host: helloworld.default.svc.cluster.local - port: - number: 8080 - name: https-vs match: + - port: 80 - port: 443 route: - destination: @@ -67,52 +51,7 @@ spec: host: helloworld.default.svc.cluster.local trafficPolicy: portLevelSettings: - - port: - number: 8080 - tls: - mode: DISABLE - - port: number: 8443 tls: -# credentialName: client-credential mode: SIMPLE - -# port: -# name: https-backend -# number: 8443 -# protocol: HTTPS -# tls: -# credentialName: my-tls-cert-secret -# mode: SIMPLE -# tcp: -## - match: -## - port: 80 -## route: -## - destination: -## host: helloworld -## port: -## number: 8080 -## - match: -## - port: 443 -# - route: -# - destination: -# host: helloworld -# port: -# number: 8443 -# -# tls: -# - match: -# - port: 443 -# sniHosts: -# - "hello.si" -## - uri: -## exact: /helloworld -# route: -# - destination: -# host: helloworld -# port: -# number: 8443 -## protocol: HTTPS -## rewrite: -## uri: "/" \ No newline at end of file diff --git a/Istio/02-Traffic_management/10-TCP-FORWARDING/README.md b/Istio/02-Traffic_management/10-TCP-FORWARDING/README.md index f9a4a51..39a768e 100644 --- a/Istio/02-Traffic_management/10-TCP-FORWARDING/README.md +++ b/Istio/02-Traffic_management/10-TCP-FORWARDING/README.md 
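Review bot: In the first gateway.yaml hunk the HTTPS server's `tls` block ends up holding only `credentialName: my-tls-cert-secret`: the hunk removes `minProtocolVersion: TLSV1_2` and the commented-out `mode` line and adds no `mode: SIMPLE`, whereas the README hunk for this same example earlier on the page shows the Gateway with `mode: SIMPLE`. Manifest and document should agree; add `mode: SIMPLE` under `tls:` so the termination mode is explicit instead of relying on the field's default. Removing `minProtocolVersion` also hands the accepted TLS floor back to the mesh default, which the commit does not mention; if TLS 1.2 was a deliberate floor in the earlier examples, keep `minProtocolVersion: TLSV1_2` here as well. The VirtualService hunk below now routes port 80 to the same backend, so plaintext client requests are accepted next to HTTPS, which matches what the README states as intent.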
@@ -24,7 +24,7 @@ Additionally, the backend used, has HTTP2 enable, which also will be used to con ## Gateway -Gateway been configured to listen both ports `80` and `443` through the TCP protocol, without any host specified. +The gateway has been configured to listen both ports `80` and `443` through the TCP protocol, without any host specified. ```yaml apiVersion: networking.istio.io/v1alpha3 @@ -84,8 +84,8 @@ spec: ## Service -The service will forward the incoming TCP traffic with port 8080, to the deployment port 80. -The same behavior is applied for the service port 8443, that will be forwarded towards the port 443 from the deployment. +The service will forward incoming traffic from the service port 8443, that will be forwarded towards the port 443 from the deployment. + ```yaml apiVersion: v1 @@ -97,14 +97,11 @@ metadata: service: helloworld spec: ports: - - port: 8080 - name: http-web - targetPort: 80 - protocol: TCP - port: 8443 - name: https-web + name: https targetPort: 443 protocol: TCP + appProtocol: https selector: app: helloworld ``` @@ -145,6 +142,12 @@ spec: - containerPort: 443 ``` +## PeerAuthentication + +```yaml + +``` + # Walkthrough ## Deploy resources diff --git a/Istio/02-Traffic_management/11-TLS-PASSTHROUGH/README.md b/Istio/02-Traffic_management/11-TLS-PASSTHROUGH/README.md index 716777a..2d118b0 100644 --- a/Istio/02-Traffic_management/11-TLS-PASSTHROUGH/README.md +++ b/Istio/02-Traffic_management/11-TLS-PASSTHROUGH/README.md @@ -20,7 +20,7 @@ This requires a deployment with a service HTTPS (as it will need to handle the T ## Gateway -Gateway configured to listen the port `443` for `HTTPS` traffic protocol. +The gateway was configured to listen the port `443` for `HTTPS` traffic protocol. The tls was configured as `PASSTHROUGH` diff --git a/Istio/06-Internal-Authentication/03-disable-mTLS/README.md b/Istio/06-Internal-Authentication/03-disable-mTLS/README.md new file mode 100644 index 0000000..1aa4192 --- /dev/null 
+++ b/Istio/06-Internal-Authentication/03-disable-mTLS/README.md @@ -0,0 +1,6 @@ +# Based on + +- [02-Traffic_management/09-HTTPS-backend (pending document)](../../02-Traffic_management/09-HTTPS-backend%20(pending%20document)) + +On the previous example only uses a HTTPS backend, here boards both HTTP and HTTPS backends. + diff --git a/Istio/06-Internal-Authentication/03-disable-mTLS/deployment.yaml b/Istio/06-Internal-Authentication/03-disable-mTLS/deployment.yaml new file mode 100755 index 0000000..5b2d589 --- /dev/null +++ b/Istio/06-Internal-Authentication/03-disable-mTLS/deployment.yaml @@ -0,0 +1,79 @@ +apiVersion: v1 +kind: Service +metadata: + name: helloworld + labels: + app: helloworld + service: helloworld +spec: + ports: + - port: 8080 + name: http + targetPort: 80 + protocol: TCP + appProtocol: http + + - port: 8443 + name: https + targetPort: 443 + protocol: TCP + appProtocol: https + selector: + app: helloworld +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: helloworld-nginx + labels: + app: helloworld +spec: + replicas: 1 + selector: + matchLabels: + app: helloworld + template: + metadata: + labels: + app: helloworld + sidecar.istio.io/inject: "true" + spec: + containers: + - name: helloworld + image: oriolfilter/https-nginx-demo + resources: + requests: + cpu: "100m" + imagePullPolicy: Always #Always + ports: + - containerPort: 80 + - containerPort: 443 +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: nginx + labels: + app: nginx + version: v1 +spec: + replicas: 1 + selector: + matchLabels: + app: nginx + version: v1 + template: + metadata: + labels: + app: nginx + version: v1 + spec: + containers: + - name: nginx + image: nginx + resources: + requests: + cpu: "100m" + imagePullPolicy: IfNotPresent + ports: + - containerPort: 80 \ No newline at end of file 
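Review bot: The `nginx` Deployment's pod template has no `sidecar.istio.io/inject` label while `helloworld-nginx` sets it to `"true"`; unless the `default` namespace is labelled for auto-injection, nginx runs without a sidecar and the example ends up comparing a meshed workload with an unmeshed one. Add `sidecar.istio.io/inject: "true"` under the nginx template labels, or document that namespace-level injection is assumed. Both images are unpinned (`image: oriolfilter/https-nginx-demo`, `image: nginx`) and the nginx one uses `IfNotPresent`, so a node keeps whatever `latest` it has cached; a tag or digest makes the example reproducible. Minor style point: `imagePullPolicy: Always #Always` should be `imagePullPolicy: Always  # Always` (two spaces before `#`, one after), or the redundant comment dropped.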
diff --git a/Istio/06-Internal-Authentication/03-disable-mTLS/gateway.yaml b/Istio/06-Internal-Authentication/03-disable-mTLS/gateway.yaml new file mode 100755 index 0000000..f88d191 --- /dev/null +++ b/Istio/06-Internal-Authentication/03-disable-mTLS/gateway.yaml @@ -0,0 +1,70 @@ +apiVersion: networking.istio.io/v1alpha3 +kind: Gateway +metadata: + name: helloworld-gateway +spec: + selector: + istio: ingressgateway + servers: + - port: + number: 80 + name: http + protocol: HTTP + hosts: + - "*" + - port: + number: 443 + name: https + protocol: HTTPS + hosts: + - "*" + tls: + credentialName: my-tls-cert-secret + minProtocolVersion: TLSV1_2 + mode: SIMPLE +--- +apiVersion: networking.istio.io/v1alpha3 +kind: VirtualService +metadata: + name: helloworld-vs +spec: + hosts: + - "*" + gateways: + - helloworld-gateway + http: + - name: http-vs + match: + - port: 80 + route: + - destination: + host: helloworld.default.svc.cluster.local + port: + number: 8080 + - name: https-vs + match: + - port: 443 + route: + - destination: + host: helloworld.default.svc.cluster.local + port: + number: 8443 +--- +apiVersion: networking.istio.io/v1alpha3 +kind: DestinationRule +metadata: + name: helloworld + namespace: default +spec: + host: helloworld.default.svc.cluster.local + trafficPolicy: + portLevelSettings: + - port: + number: 8080 + tls: + mode: SIMPLE + + - port: + number: 8443 + tls: + mode: SIMPLE -- 2.47.2 From 3c9ea0d1f8b456a6700f1826a75cbc26c428eb08 Mon Sep 17 00:00:00 2001 
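Review bot: In the DestinationRule, `portLevelSettings` sets `tls.mode: SIMPLE` for port `8080`, but the Service in the sibling `deployment.yaml` maps 8080 to `targetPort: 80` with `appProtocol: http`, a plaintext listener; with SIMPLE the sidecar originates TLS to it and the handshake should fail unless the container also speaks TLS on port 80. The 8080 entry that the `09-HTTPS-backend` gateway hunk earlier on this page removed used `mode: DISABLE` for 8080 and `SIMPLE` only for 8443, which matches this service definition, so change the 8080 entry to `mode: DISABLE`. Neither SIMPLE entry sets `caCertificates`, so how strictly the sidecar verifies the backend's certificate depends on the Istio version's default; a one-line comment stating the expectation would save the next reader a search.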
From: savagebidoof Date: Tue, 25 Apr 2023 06:53:07 +0200 Subject: [PATCH 19/21] Fixed broken links (reference && dockerhub image). --- .../README.md | 8 ++++---- .../authentication.yaml | 0 .../deployment.yaml | 0 .../gateway.yaml | 0 Istio/02-Traffic_management/10-TCP-FORWARDING/README.md | 4 ++-- Istio/02-Traffic_management/11-TLS-PASSTHROUGH/README.md | 4 ++-- 6 files changed, 8 insertions(+), 8 deletions(-) rename Istio/02-Traffic_management/{09-HTTPS-backend (pending document) => 09-HTTPS-backend}/README.md (94%) rename Istio/02-Traffic_management/{09-HTTPS-backend (pending document) => 09-HTTPS-backend}/authentication.yaml (100%) rename Istio/02-Traffic_management/{09-HTTPS-backend (pending document) => 09-HTTPS-backend}/deployment.yaml (100%) rename Istio/02-Traffic_management/{09-HTTPS-backend (pending document) => 09-HTTPS-backend}/gateway.yaml (100%) diff --git a/Istio/02-Traffic_management/09-HTTPS-backend (pending document)/README.md b/Istio/02-Traffic_management/09-HTTPS-backend/README.md similarity index 94% rename from Istio/02-Traffic_management/09-HTTPS-backend (pending document)/README.md rename to Istio/02-Traffic_management/09-HTTPS-backend/README.md index 966300f..dd8b72d 100644 --- a/Istio/02-Traffic_management/09-HTTPS-backend (pending document)/README.md +++ b/Istio/02-Traffic_management/09-HTTPS-backend/README.md @@ -13,7 +13,7 @@ This example contains a backend that serves HTTPS traffic and can be accessed fr > **Note:**\ -> For more information about the image used refer to [here](https://hub.docker.com/r/oriolfilter/https-apache-demo) +> For more information about the image used refer to [here](https://hub.docker.com/r/oriolfilter/https-nginx-demo) # Configuration 
@@ -91,7 +91,7 @@ spec: This DestinationRule, will interject the traffic destined to the service `helloworld.default.svc.cluster.local` with port `8443`. -As mentioned in the [Virtual Service](#virtual%20service) section, the destination is the `HTTPS` service. +As mentioned in the [Virtual Service](#virtual-service) section, the destination is the `HTTPS` service. By default, the call would be made with `HTTP` protocol, yet, as the destination is an `HTTPS` service, the request would result in the status code `400 Bad Request`, due sending HTTP traffic to an HTTPS service. @@ -148,7 +148,7 @@ spec: Deployment listens to port 80 and 443. > **Note:**\ -> For more information about the image used refer to [here](https://hub.docker.com/r/oriolfilter/https-apache-demo) +> For more information about the image used refer to [here](https://hub.docker.com/r/oriolfilter/https-nginx-demo) ```yaml apiVersion: apps/v1 @@ -183,7 +183,7 @@ spec: Due to the deployment having an `HTTPS`, and already initializing a TLS termination towards that service, we need to disable the **mTLS** tool for that specific service/deployment. -On the [Destination Rule](#destination%20rule) section we set the `tls` to `simple`, meaning that the service is expecting to receive `HTTPS` traffic, if `mTLS` is enabled, it will perform the handshake with the `mTLS` service, instead of with the destination `HTTPS` service. +On the [Destination Rule](#destination-rule) section we set the `tls` to `simple`, meaning that the service is expecting to receive `HTTPS` traffic, if `mTLS` is enabled, it will perform the handshake with the `mTLS` service, instead of with the destination `HTTPS` service. ```yaml apiVersion: security.istio.io/v1beta1 
diff --git a/Istio/02-Traffic_management/09-HTTPS-backend (pending document)/authentication.yaml b/Istio/02-Traffic_management/09-HTTPS-backend/authentication.yaml similarity index 100% rename from Istio/02-Traffic_management/09-HTTPS-backend (pending document)/authentication.yaml rename to Istio/02-Traffic_management/09-HTTPS-backend/authentication.yaml diff --git a/Istio/02-Traffic_management/09-HTTPS-backend (pending document)/deployment.yaml b/Istio/02-Traffic_management/09-HTTPS-backend/deployment.yaml similarity index 100% rename from Istio/02-Traffic_management/09-HTTPS-backend (pending document)/deployment.yaml rename to Istio/02-Traffic_management/09-HTTPS-backend/deployment.yaml diff --git a/Istio/02-Traffic_management/09-HTTPS-backend (pending document)/gateway.yaml b/Istio/02-Traffic_management/09-HTTPS-backend/gateway.yaml similarity index 100% rename from Istio/02-Traffic_management/09-HTTPS-backend (pending document)/gateway.yaml rename to Istio/02-Traffic_management/09-HTTPS-backend/gateway.yaml diff --git a/Istio/02-Traffic_management/10-TCP-FORWARDING/README.md b/Istio/02-Traffic_management/10-TCP-FORWARDING/README.md index 39a768e..7ca8464 100644 --- a/Istio/02-Traffic_management/10-TCP-FORWARDING/README.md +++ b/Istio/02-Traffic_management/10-TCP-FORWARDING/README.md @@ -18,7 +18,7 @@ The same backend also contains the same service but running as HTTP, and for suc Additionally, the backend used, has HTTP2 enable, which also will be used to confirm that it's working as intended. > **Note:**\ -> For more information about the image used refer to [here](https://hub.docker.com/r/oriolfilter/https-apache-demo) +> For more information about the image used refer to [here](https://hub.docker.com/r/oriolfilter/https-nginx-demo) # Configuration 
@@ -111,7 +111,7 @@ spec: Deployment listens to port 80 and 443. > **Note:**\ -> For more information about the image used refer to [here](https://hub.docker.com/r/oriolfilter/https-apache-demo) +> For more information about the image used refer to [here](https://hub.docker.com/r/oriolfilter/https-nginx-demo) ```yaml apiVersion: apps/v1 diff --git a/Istio/02-Traffic_management/11-TLS-PASSTHROUGH/README.md b/Istio/02-Traffic_management/11-TLS-PASSTHROUGH/README.md index 2d118b0..2437b2f 100644 --- a/Istio/02-Traffic_management/11-TLS-PASSTHROUGH/README.md +++ b/Istio/02-Traffic_management/11-TLS-PASSTHROUGH/README.md @@ -14,7 +14,7 @@ The previous example was modified set TLS Forwarding for the HTTPS, meaning that This requires a deployment with a service HTTPS (as it will need to handle the TLS termination ...). > **Note:**\ -> For more information about the image used refer to [here](https://hub.docker.com/r/oriolfilter/https-apache-demo) +> For more information about the image used refer to [here](https://hub.docker.com/r/oriolfilter/https-nginx-demo) # Configuration @@ -104,7 +104,7 @@ spec: Deployment listens to port 80 and 443. > **Note:**\ -> For more information about the image used refer to [here](https://hub.docker.com/r/oriolfilter/https-apache-demo) +> For more information about the image used refer to [here](https://hub.docker.com/r/oriolfilter/https-nginx-demo) ```yaml apiVersion: apps/v1 -- 2.47.2 From 9d0f6637b8c69f5f331fc09c0866f052b4f70089 Mon Sep 17 00:00:00 2001 From: savagebidoof Date: Tue, 25 Apr 2023 06:58:48 +0200 Subject: [PATCH 20/21] fixed link refference --- Istio/02-Traffic_management/09-HTTPS-backend/README.md | 8 +++++--- 1 file changed, 5 insertions(+), 3 deletions(-) diff --git a/Istio/02-Traffic_management/09-HTTPS-backend/README.md b/Istio/02-Traffic_management/09-HTTPS-backend/README.md index dd8b72d..76d945b 100644 --- a/Istio/02-Traffic_management/09-HTTPS-backend/README.md 
+++ b/Istio/02-Traffic_management/09-HTTPS-backend/README.md @@ -57,7 +57,7 @@ spec: > **Note:**\ > For more information regarding the TLS mode configuration, refer to the following [Istio documentation regarding the TLS mode field](https://istio.io/latest/docs/reference/config/networking/gateway/#ServerTLSSettings-TLSmode). -## Virtual service +## VirtualService The rule that contains, will receive traffic from the port `443` and `80`. @@ -91,7 +91,7 @@ spec: This DestinationRule, will interject the traffic destined to the service `helloworld.default.svc.cluster.local` with port `8443`. -As mentioned in the [Virtual Service](#virtual-service) section, the destination is the `HTTPS` service. +As mentioned in the [Virtual Service](#virtualservice) section, the destination is the `HTTPS` service. By default, the call would be made with `HTTP` protocol, yet, as the destination is an `HTTPS` service, the request would result in the status code `400 Bad Request`, due sending HTTP traffic to an HTTPS service. @@ -183,7 +183,7 @@ spec: Due to the deployment having an `HTTPS`, and already initializing a TLS termination towards that service, we need to disable the **mTLS** tool for that specific service/deployment. -On the [Destination Rule](#destination-rule) section we set the `tls` to `simple`, meaning that the service is expecting to receive `HTTPS` traffic, if `mTLS` is enabled, it will perform the handshake with the `mTLS` service, instead of with the destination `HTTPS` service. +On the [Destination Rule](#destinationrule) section we set the `tls` to `simple`, meaning that the service is expecting to receive `HTTPS` traffic, if `mTLS` is enabled, it will perform the handshake with the `mTLS` service, instead of with the destination `HTTPS` service. ```yaml apiVersion: security.istio.io/v1beta1 
@@ -328,10 +328,12 @@ kubectl delete -f ./ ``` ```text +peerauthentication.security.istio.io "default-mtls" deleted service "helloworld" deleted deployment.apps "helloworld-nginx" deleted gateway.networking.istio.io "helloworld-gateway" deleted virtualservice.networking.istio.io "helloworld-vs" deleted +destinationrule.networking.istio.io "helloworld" deleted ``` # Links of Interest -- 2.47.2 From 27030b4c58f62f72bd30e517a9953bd981d79c13 Mon Sep 17 00:00:00 2001 From: savagebidoof Date: Tue, 25 Apr 2023 08:03:17 +0200 Subject: [PATCH 21/21] Deleted HTTP2 attempt. Moving on. --- .../README.md | 321 ------------------ .../authentication.yaml | 8 - .../deployment.yaml | 80 ----- .../gateway.yaml | 118 ------- .../ingress.yaml | 29 -- Istio/ingress.yaml | 119 ------- Istio/tmp/README.md | 1 - Istio/tmp/ingress.yaml | 63 ---- Istio/tmp/tmp.txt | 29 -- 9 files changed, 768 deletions(-) delete mode 100644 Istio/02-Traffic_management/XX-HTTP2-gateway-made-it-work-maybe/README.md delete mode 100644 Istio/02-Traffic_management/XX-HTTP2-gateway-made-it-work-maybe/authentication.yaml delete mode 100755 Istio/02-Traffic_management/XX-HTTP2-gateway-made-it-work-maybe/deployment.yaml delete mode 100755 Istio/02-Traffic_management/XX-HTTP2-gateway-made-it-work-maybe/gateway.yaml delete mode 100644 Istio/02-Traffic_management/XX-HTTP2-gateway-made-it-work-maybe/ingress.yaml delete mode 100755 Istio/ingress.yaml delete mode 100644 Istio/tmp/README.md delete mode 100755 Istio/tmp/ingress.yaml delete mode 100755 Istio/tmp/tmp.txt diff --git a/Istio/02-Traffic_management/XX-HTTP2-gateway-made-it-work-maybe/README.md b/Istio/02-Traffic_management/XX-HTTP2-gateway-made-it-work-maybe/README.md deleted file mode 100644 index bdab5da..0000000 --- a/Istio/02-Traffic_management/XX-HTTP2-gateway-made-it-work-maybe/README.md +++ /dev/null 
@@ -1,321 +0,0 @@ ---- -gitea: none -include_toc: true ---- - -# Based on - -- [08a-HTTPS-min-TLS-version](../08a-HTTPS-min-TLS-version) - -# Description - -The previous example was modified set the gateway to enable for HTTP2 traffic. - -https://stackoverflow.com/a/59610581 - - -# Changelog - -## Gateway - -```yaml -apiVersion: networking.istio.io/v1alpha3 -kind: Gateway -metadata: - name: helloworld-gateway -spec: - selector: - istio: ingressgateway - servers: - - port: - number: 443 - name: secure-http2 - protocol: HTTP2 - hosts: - - "*" - tls: - mode: SIMPLE - credentialName: my-tls-cert-secret - minProtocolVersion: TLSV1_2 -``` - -`` - -# Walkthrough - - -## Generate client and server certificate and key files - -First step will be to generate the certificate and key files to be able to set them to the Gateway resource. - -### Create a folder to store files. - -Create the folder to contain the files that will be generated. - -```shell -mkdir certfolder -``` - -### Create a certificate and a private key. - -```shell -openssl req -x509 -sha256 -nodes -days 365 -subj '/O=Internet of things/CN=lb.net' -newkey rsa:2048 -keyout certfolder/istio.cert.key -out certfolder/istio.cert.crt -``` - -The files generated are the following: - -```yaml -private-key: certfolder/istio.cert.key -root-certificate: certfolder/istio.cert.crt -``` - -The information set to the certificate generated is the following: - -```yaml -Organization-name: Internet of things -CN: lb.net -``` - -### Create a TLS secret - -At this step we create the tls secret `my-tls-cert-secret` on the namespace `istio-system`. 
- -```shell -kubectl create -n istio-system secret tls my-tls-cert-secret \ - --key=certfolder/istio.cert.key \ - --cert=certfolder/istio.cert.crt -``` -```text -secret/my-tls-cert-secret created -``` -```text -service/helloworld created -deployment.apps/helloworld-nginx created -gateway.networking.istio.io/helloworld-gateway created -virtualservice.networking.istio.io/helloworld-vs created -``` - -> **Note:**\ -> It's Important that the secret is located in the same namespace as the Load Balancer used. In my case is the `istio-system`, but it will vary based on the environment. - - -## Deploy resources - -```shell -kubectl apply -f ./ -``` -```text -service/helloworld created -deployment.apps/helloworld-nginx created -gateway.networking.istio.io/helloworld-gateway created -virtualservice.networking.istio.io/helloworld-vs created -``` - -## Test the service -### http2 -#### Curl HTTP1 - -```shell -curl 192.168.1.50/helloworld -s -o=/dev/null -w 'http_version: %{http_version}\nstatus_code: %{response_code}\n' -HHOST:http2.lb --http1.0 -``` -```text -http_version: 1.1 -status_code: 426 -``` - -#### Curl HTTP1.1 - -```shell -curl 192.168.1.50/helloworld -s -o=/dev/null -w 'http_version: %{http_version}\nstatus_code: %{response_code}\n' -HHOST:http2.lb --http1.1 -``` -```text -http_version: 1.1 -status_code: 200 -``` - -#### Curl HTTP2 - -```shell -curl 192.168.1.50/helloworld -s -o=/dev/null -w 'http_version: %{http_version}\nstatus_code: %{response_code}\n' -HHOST:http2.lb --http2 -``` -```text -http_version: 1.1 -status_code: 200 -``` - -### http1-web - -#### Curl HTTP1 - -```shell -curl 192.168.1.50/helloworld -s -o=/dev/null -w 'http_version: %{http_version}\nstatus_code: %{response_code}\n' -HHOST:http1.lb --http1.0 -``` -```text -http_version: 1.1 -status_code: 426 -``` - -#### Curl HTTP1.1 - -```shell -curl 192.168.1.50/helloworld -s -o=/dev/null -w 'http_version: %{http_version}\nstatus_code: %{response_code}\n' -HHOST:http1.lb --http1.1 -``` -```text 
-http_version: 1.1 -status_code: 200 -``` - -#### Curl HTTP2 - -```shell -curl 192.168.1.50/helloworld -s -o=/dev/null -w 'http_version: %{http_version}\nstatus_code: %{response_code}\n' -HHOST:http1.lb --http2 -``` -```text -http_version: 1.1 -status_code: 200 -``` - -## Cleanup - -```shell -kubectl delete -f ./ -``` - -```text -service "helloworld" deleted -deployment.apps "helloworld-nginx" deleted -gateway.networking.istio.io "helloworld-gateway" deleted -virtualservice.networking.istio.io "helloworld-vs" deleted -``` - -# Links of Interest - -- https://istio.io/latest/docs/reference/config/networking/gateway/#ServerTLSSettings-TLSProtocol - -- https://stackoverflow.com/a/51279606 - -- https://istio.io/latest/docs/reference/config/networking/destination-rule/#ConnectionPoolSettings-HTTPSettings-H2UpgradePolicy - - - -docker buildx build --push --platform linux/arm/v7,linux/arm64/v8,linux/amd64 --tag registery.filter.home:5000/https-demo:latest -f Dockerfile - - -docker buildx build --push --platform linux/arm/v7,linux/arm64/v8,linux/amd64 --tag registery.filter.home:5000/https-demo:latest . -[+] Building 0.0s (0/0) -ERROR: multiple platforms feature is currently not supported for docker driver. Please switch to a different driver (eg. "docker buildx create --use") - ---- -## Create the Dockerfile - -```bash -FROM ubuntu/apache2 - -RUN apt-get update && \ -apt-get install apache2 openssl -y && \ -a2ensite default-ssl && \ -a2enmod ssl && \ -echo "

Howdy

" | tee /var/www/html/index.html - -RUN /usr/bin/printf "\n\ - ServerAdmin webmaster@localhost\n\ - DocumentRoot /var/www/html\n\ - ErrorLog \${APACHE_LOG_DIR}/error.log\n\ - CustomLog \${APACHE_LOG_DIR}/access.log combined\n\ -\n\ -\n\ - ServerAdmin webmaster@localhost\n\ - DocumentRoot /var/www/html\n\ - ErrorLog \${APACHE_LOG_DIR}/error.log\n\ - CustomLog \${APACHE_LOG_DIR}/access.log combined\n\ - SSLEngine on\n\ - SSLCertificateFile /etc/ssl/certs/ssl-cert-snakeoil.pem\n\ - SSLCertificateKeyFile /etc/ssl/private/ssl-cert-snakeoil.key\n\ -" > /etc/apache2/sites-available/000-default.conf - -RUN openssl req -x509 -sha256 -nodes -days 358000 -subj '/O=SSL EXAMPLE/CN=lb.net' -newkey rsa:2048 -keyout /etc/ssl/private/ssl-cert-snakeoil.key -out /etc/ssl/certs/ssl-cert-snakeoil.pem -``` - -## Build the image - -Due to my Kubernetes cluster environment, where I am using Orange 5, their architecture is arm7, and for such, I require to compile such images. - -For my own commodity, I have used a raspberry pi 4 to build this images. - -The images where pushed to a local registry server, and afterwards the Kubernetes cluster will pull such image. - -```shell - docker build --tag https-demo:armv7 . -``` -```text -docker build --tag https-demo:armv7 . 
--no-cache -[+] Building 16.5s (8/8) FINISHED - => [internal] load .dockerignore 0.0s - => => transferring context: 2B 0.0s - => [internal] load build definition from Dockerfile 0.0s - => => transferring dockerfile: 1.09kB 0.0s - => [internal] load metadata for docker.io/ubuntu/apache2:latest 0.4s - => CACHED [1/4] FROM docker.io/ubuntu/apache2@sha256:0a5e7179fa8fccf17843a8862e58ac783628b7d448cd68fda8fb1e 0.0s - => [2/4] RUN apt-get update && apt-get install apache2 openssl -y && a2ensite default-ssl && a2enmod ssl & 12.0s - => [3/4] RUN /usr/bin/printf "\n ServerAdmin webmaster@localhost\n DocumentRoot /var/www/ 0.7s - => [4/4] RUN openssl req -x509 -sha256 -nodes -days 358000 -subj '/O=SSL EXAMPLE' -newkey rsa:2048 -keyout 2.4s - => exporting to image 1.0s - => => exporting layers 1.0s - => => writing image sha256:591c6d233100a48bf132eef7a792942cfd0b7057817c4ac5e156c1d33e24cd89 0.0s - => => naming to docker.io/library/https-demo:armv7 0.0s -``` - -## Tag the image - -```shell -docker image tag https-demo:armv7 registery.filter.home/https-demo:armv7 -``` - -## Upload to the registery server - -```text -docker image push registery.filter.home:5000/https-demo:armv7 -The push refers to repository [registery.filter.home:5000/https-demo] -c6d858706b08: Pushed -9e077e0202f0: Pushed -6ffc708d0cf3: Pushed -69e01b4bf4d7: Pushed -17c5b30f3843: Pushed -0b9f60fbcaf1: Pushed -armv7: digest: sha256:d8c81c27f23bf3945ae8a794c82182f9e6c48ec927f388fdf4a88caa0e284bd1 size: 1578 -``` - - - -## ? -curl: (35) OpenSSL/3.0.8: error:0A00010B:SSL routines::wrong version numbe - - - - - ---- - - -Has apache2 installed with a default certificate. - -Port 80 visible for HTTP - -Port 443 visible for HTTPS. 
- - - - -curl https:/192.168.1.2:8443 -s -o=/dev/null -w 'http_version: %{http_version}\nstatus_code: %{response_code}\n' -HHOST:http1.lb --http2 -k -http_version: 2 -status_code: 200 - - - -```shell -curl --insecure --resolve lb.net:80:192.168.1.50 http://lb.net -``` - -```shell -curl --insecure --resolve lb.net:443:192.168.1.50 https://lb.net -``` diff --git a/Istio/02-Traffic_management/XX-HTTP2-gateway-made-it-work-maybe/authentication.yaml b/Istio/02-Traffic_management/XX-HTTP2-gateway-made-it-work-maybe/authentication.yaml deleted file mode 100644 index 7553d94..0000000 --- a/Istio/02-Traffic_management/XX-HTTP2-gateway-made-it-work-maybe/authentication.yaml +++ /dev/null @@ -1,8 +0,0 @@ -apiVersion: security.istio.io/v1beta1 -kind: PeerAuthentication -metadata: - name: default-mtls - namespace: default -spec: - mtls: - mode: PERMISSIVE diff --git a/Istio/02-Traffic_management/XX-HTTP2-gateway-made-it-work-maybe/deployment.yaml b/Istio/02-Traffic_management/XX-HTTP2-gateway-made-it-work-maybe/deployment.yaml deleted file mode 100755 index 3f9ad6c..0000000 --- a/Istio/02-Traffic_management/XX-HTTP2-gateway-made-it-work-maybe/deployment.yaml +++ /dev/null 
@@ -1,80 +0,0 @@ -apiVersion: v1 -kind: Service -metadata: - name: helloworld - labels: - app: helloworld - service: helloworld -spec: - ports: - - port: 8080 - name: http-s - targetPort: 80 - protocol: TCP - appProtocol: HTTP - - - port: 8443 - name: https - targetPort: 443 - protocol: TCP - appProtocol: https - selector: - app: helloworld ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - name: helloworld-nginx - labels: - app: helloworld -spec: - replicas: 1 - selector: - matchLabels: - app: helloworld - template: - metadata: - labels: - app: helloworld - sidecar.istio.io/inject: "true" - spec: - containers: - - name: helloworld - image: oriolfilter/https-nginx-demo - resources: - requests: - cpu: "100m" - imagePullPolicy: Always #Always - ports: - - containerPort: 80 - - containerPort: 443 ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - name: nginx - labels: - app: nginx - version: v1 -spec: - replicas: 1 - selector: - matchLabels: - app: nginx - version: v1 - template: - metadata: - labels: - app: nginx - version: v1 - spec: - # serviceAccountName: istio-helloworld - containers: - - name: nginx - image: nginx - resources: - requests: - cpu: "100m" - imagePullPolicy: IfNotPresent - ports: - - containerPort: 80 \ No newline at end of file diff --git a/Istio/02-Traffic_management/XX-HTTP2-gateway-made-it-work-maybe/gateway.yaml b/Istio/02-Traffic_management/XX-HTTP2-gateway-made-it-work-maybe/gateway.yaml deleted file mode 100755 index 1fe0fa3..0000000 --- a/Istio/02-Traffic_management/XX-HTTP2-gateway-made-it-work-maybe/gateway.yaml +++ /dev/null 
@@ -1,118 +0,0 @@ -apiVersion: networking.istio.io/v1alpha3 -kind: Gateway -metadata: - name: helloworld-gateway -spec: - selector: -# istio: myingressgateway - istio: ingressgateway - servers: -# - port: -# number: 443 -# name: secure-http2 -# protocol: HTTP2 -# hosts: -# - "*" - - port: - number: 80 - name: http2-i - protocol: HTTP2 - hosts: - - "*" - - port: - number: 443 - name: https-i - protocol: HTTPS - hosts: - - "*" - tls: - credentialName: my-tls-cert-secret - minProtocolVersion: TLSV1_2 -# - mode: SIMPLE ---- -apiVersion: networking.istio.io/v1alpha3 -kind: VirtualService -metadata: - name: helloworld-vs -spec: - hosts: - - "*" - gateways: - - helloworld-gateway - http: - - name: http-vs - match: - - port: 80 - route: - - destination: - host: helloworld.default.svc.cluster.local - port: - number: 8080 - - name: https-vs - match: - - port: 443 - route: - - destination: - host: helloworld.default.svc.cluster.local - port: - number: 8443 ---- -apiVersion: networking.istio.io/v1alpha3 -kind: DestinationRule -metadata: - name: helloworld - namespace: default -spec: - host: helloworld.default.svc.cluster.local - trafficPolicy: - portLevelSettings: - - port: - number: 8080 - tls: - mode: DISABLE - - - port: - number: 8443 - tls: -# credentialName: client-credential - mode: SIMPLE - -# port: -# name: https-backend -# number: 8443 -# protocol: HTTPS -# tls: -# credentialName: my-tls-cert-secret -# mode: SIMPLE -# tcp: -## - match: -## - port: 80 -## route: -## - destination: -## host: helloworld -## port: -## number: 8080 -## - match: -## - port: 443 -# - route: -# - destination: -# host: helloworld -# port: -# number: 8443 -# -# tls: -# - match: -# - port: 443 -# sniHosts: -# - "hello.si" -## - uri: -## exact: /helloworld -# route: -# - destination: -# host: helloworld -# port: -# number: 8443 -## protocol: HTTPS -## rewrite: -## uri: "/" \ No newline at end of file 
diff --git a/Istio/02-Traffic_management/XX-HTTP2-gateway-made-it-work-maybe/ingress.yaml b/Istio/02-Traffic_management/XX-HTTP2-gateway-made-it-work-maybe/ingress.yaml deleted file mode 100644 index 850c2eb..0000000 --- a/Istio/02-Traffic_management/XX-HTTP2-gateway-made-it-work-maybe/ingress.yaml +++ /dev/null @@ -1,29 +0,0 @@ -apiVersion: install.istio.io/v1alpha1 -kind: IstioOperator -metadata: - name: ingress -spec: - profile: empty # Do not install CRDs or the control plane - components: - ingressGateways: - - name: myistio-ingressgateway - namespace: istio-ingress - enabled: true - label: - istio: myingressgateway - k8s: - service: - ports: - - name: https-ingress - port: 443 - protocol: TCP - targetPort: 1055 - - name: http-ingress - port: 80 - protocol: TCP - targetPort: 1085 - - values: - gateways: - istio-ingressgateway: - injectionTemplate: gateway diff --git a/Istio/ingress.yaml b/Istio/ingress.yaml deleted file mode 100755 index 12b0027..0000000 --- a/Istio/ingress.yaml +++ /dev/null 
@@ -1,119 +0,0 @@ -#apiVersion: v1 -#kind: Service -#metadata: -# name: istio-lb -# namespace: istio-system -# labels: -# istio: istio-ingress -#spec: -# type: LoadBalancer -# ports: -# - port: 80 -# name: http -# - port: 443 -# name: https -# selector: -# istio: istio-ingress -#--- -#apiVersion: install.istio.io/v1alpha1 -#kind: IstioOperator -#metadata: -# namespace: istio-system -# name: my-istio-operator -#spec: -## profile: default -# profile: empty -# components: -# ingressGateways: -# - name: istio-ingress -# enabled: true -# label: -# istio: my-istio-ingress ---- -#apiVersion: install.istio.io/v1alpha1 -#kind: IstioOperator -#spec: -# components: -# ingressGateways: -# - name: istio-ingress -# enabled: true -## - name: istio-ingressgateway-staging -# namespace: staging -# enabled: true ---- -#apiVersion: install.istio.io/v1alpha1 -#kind: IstioOperator -#metadata: -# namespace: istio-system -# name: istio-operator -#spec: -# profile: default -# components: -# ingressGateways: -# - name: istio-ingress -# enabled: true -# - namespace: default -# name: istio-ingressgateway-private -# enabled: true -# k8s: -# serviceAnnotations: -# service.kubernetes.io/ibm-load-balancer-cloud-provider-ip-type: "private" -# values: -# gateways: -# istio-ingressgateway: -# sds: -# enabled: true ---- -apiVersion: v1 -kind: Service -metadata: - annotations: - labels: - app: istio-ingressgateway -# install.operator.istio.io/owning-resource: unknown -# install.operator.istio.io/owning-resource-namespace: istio-system - istio: my-ingress-gateway -# istio.io/rev: default - operator.istio.io/component: IngressGateways -# operator.istio.io/managed: Reconcile -# operator.istio.io/version: 1.16.1 -# release: istio - name: my-ingress-gateway - namespace: istio-system - resourceVersion: "880342" - uid: 289a34e8-fe45-43ad-8dad-bc3dc9534f5c -spec: -# allocateLoadBalancerNodePorts: true -# clusterIP: 10.110.130.2 -# clusterIPs: -# - 10.110.130.2 - externalTrafficPolicy: Cluster - 
internalTrafficPolicy: Cluster - ipFamilies: - - IPv4 - ipFamilyPolicy: SingleStack - ports: - - name: status-port - nodePort: 30276 - port: 15021 - protocol: TCP - targetPort: 15021 - - name: http2 - nodePort: 32188 - port: 80 - protocol: TCP - targetPort: 8080 - - name: https -# nodePort: 32437 - port: 443 - protocol: TCP -# targetPort: 8443 - selector: - app: istio-ingressgateway - istio: ingressgateway -# sessionAffinity: None - type: LoadBalancer -status: - loadBalancer: - ingress: - - ip: 192.168.1.50 \ No newline at end of file diff --git a/Istio/tmp/README.md b/Istio/tmp/README.md deleted file mode 100644 index 0bcf9ac..0000000 --- a/Istio/tmp/README.md +++ /dev/null @@ -1 +0,0 @@ -https://istio.io/latest/docs/tasks/traffic-management/locality-load-balancing/ \ No newline at end of file diff --git a/Istio/tmp/ingress.yaml b/Istio/tmp/ingress.yaml deleted file mode 100755 index 8743294..0000000 --- a/Istio/tmp/ingress.yaml +++ /dev/null 
@@ -1,63 +0,0 @@
-## https://istio.io/latest/docs/setup/additional-setup/gateway/#deploying-a-gateway
-#apiVersion: v1
-#kind: Service
-#metadata:
-# name: istio-ingressgateway2
-# namespace: istio-ingress
-#spec:
-# type: LoadBalancer
-# selector:
-# istio: ingressgateway
-# ports:
-# - port: 80
-# name: http
-# - port: 443
-# name: https
-#---
-#apiVersion: apps/v1
-#kind: Deployment
-#metadata:
-# name: istio-ingressgateway2
-# namespace: istio-ingress
-#spec:
-# selector:
-# matchLabels:
-# istio: ingressgateway
-# template:
-# metadata:
-# annotations:
-# # Select the gateway injection template (rather than the default sidecar template)
-# inject.istio.io/templates: gateway
-# labels:
-# # Set a unique label for the gateway. This is required to ensure Gateways can select this workload
-# istio: ingressgateway
-# # Enable gateway injection. If connecting to a revisioned control plane, replace with "istio.io/rev: revision-name"
-# sidecar.istio.io/inject: "true"
-# spec:
-# containers:
-# - name: istio-proxy
-# image: auto # The image will automatically update each time the pod starts.
-#---
-## Set up roles to allow reading credentials for TLS
-#apiVersion: rbac.authorization.k8s.io/v1
-#kind: Role
-#metadata:
-# name: istio-ingressgateway2-sds
-# namespace: istio-ingress
-#rules:
-# - apiGroups: [""]
-# resources: ["secrets"]
-# verbs: ["get", "watch", "list"]
-#---
-#apiVersion: rbac.authorization.k8s.io/v1
-#kind: RoleBinding
-#metadata:
-# name: istio-ingressgateway2-sds
-# namespace: istio-ingress
-#roleRef:
-# apiGroup: rbac.authorization.k8s.io
-# kind: Role
-# name: istio-ingressgateway2-sds
-#subjects:
-# - kind: ServiceAccount
-# name: default
\ No newline at end of file
diff --git a/Istio/tmp/tmp.txt b/Istio/tmp/tmp.txt
deleted file mode 100755
index bc35189..0000000
--- a/Istio/tmp/tmp.txt
+++ /dev/null
@@ -1,29 +0,0 @@
-https://medium.com/@dinup24/expose-apps-on-private-network-through-istio-ingress-gateway-7dcb8a16d5bc
-
-
-cat << EOF > istio-operator.yaml
-apiVersion: install.istio.io/v1alpha1
-kind: IstioOperator
-metadata:
- namespace: istio-system
- name: istio-operator
-spec:
- profile: default
- components:
- ingressGateways:
- - name: istio-ingressgateway
- enabled: true
- - namespace: istio-system
- name: istio-ingressgateway-private
- enabled: true
- k8s:
- serviceAnnotations:
- service.kubernetes.io/ibm-load-balancer-cloud-provider-ip-type: "private"
- values:
- gateways:
- istio-ingressgateway:
- sds:
- enabled: true
-EOF
-
-istioctl manifest apply -f istio-operator.yaml
\ No newline at end of file
-- 2.47.2
