dev #27

Merged
ofilter merged 22 commits from dev into main 2023-04-25 08:18:00 +02:00
10 changed files with 391 additions and 170 deletions
Showing only changes of commit 5e0abdebd4 - Show all commits

View File

@ -15,6 +15,8 @@ The previous example was modified to limit and specify the maximum TLS version.
## Gateway
Gateway has been modified to limit the maximum TLS version to v1.2.
```yaml
apiVersion: networking.istio.io/v1alpha3
kind: Gateway
@ -36,7 +38,6 @@ spec:
maxProtocolVersion: TLSV1_2
```
Gateway has been modified to limit the maximum TLS version to v1.2.
# Walkthrough

View File

@ -9,16 +9,23 @@ include_toc: true
# Description
The previous example was modified set the gateway to enable for HTTP2 traffic.
https://stackoverflow.com/a/59610581
This example contains a backend that serves HTTPS traffic and can be accessed from both `HTTP` and `HTTPS` requests through the gateway resource.
# Changelog
> **Note:**\
> For more information about the image used refer to [here](https://hub.docker.com/r/oriolfilter/https-apache-demo)
# Configuration
## Gateway
```yaml
The gateway is configured to listen to the port `80` for `HTTP` traffic, and to the port `443` for `HTTPS` traffic.
The TLS configuration is set to `simple`, and the credentials (the object that contains the certificates/TLS configuration) is set to `my-tls-cert-secret`.
Any of the configured ports has limited the hosts.
```shell
apiVersion: networking.istio.io/v1alpha3
kind: Gateway
metadata:
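Review bot: the fence that opens the Gateway manifest in this hunk is tagged ```shell while the content that follows (`apiVersion: networking.istio.io/v1alpha3`, `kind: Gateway`) is YAML; tag it ```yaml like the VirtualService and DestinationRule blocks later in the file so it renders and copies correctly. The sentence "Any of the configured ports has limited the hosts." also says the opposite of what the manifest shows; something like "None of the configured ports restricts the hosts; both use `\"*\"`" matches the `hosts` entries.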
@ -27,23 +34,173 @@ spec:
selector:
istio: ingressgateway
servers:
- port:
number: 80
name: http
protocol: HTTP
hosts:
- "*"
- port:
number: 443
name: secure-http2
protocol: HTTP2
name: https
protocol: HTTPS
hosts:
- "*"
tls:
mode: SIMPLE
credentialName: my-tls-cert-secret
minProtocolVersion: TLSV1_2
mode: SIMPLE
```
`<text>`
> **Note:**\
> The credentials resource is created further bellow through the [Walkthrough](#walkthrough) steps.
> **Note:**\
> For more information regarding the TLS mode configuration, refer to the following [Istio documentation regarding the TLS mode field](https://istio.io/latest/docs/reference/config/networking/gateway/#ServerTLSSettings-TLSmode).
## Virtual service
The rule that contains, will receive traffic from the port `443` and `80`.
This traffic will be directed towards destination of such is the service `helloworld.default.svc.cluster.local`, with port destination 8443.
This destination is the service that contains the `HTTPS` deployment, running over the port `8443`
```yaml
apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
name: helloworld-vs
spec:
hosts:
- "*"
gateways:
- helloworld-gateway
http:
- name: https-vs
match:
- port: 80
- port: 443
route:
- destination:
host: helloworld.default.svc.cluster.local
port:
number: 8443
```
## DestinationRule
This DestinationRule, will interject the traffic destined to the service `helloworld.default.svc.cluster.local` with port `8443`.
As mentioned in the [Virtual Service](#virtual%20service) section, the destination is the `HTTPS` service.
By default, the call would be made with `HTTP` protocol, yet, as the destination is an `HTTPS` service, the request would result in the status code `400 Bad Request`, due sending HTTP traffic to an HTTPS service.
To avoid this, we need to specify that the destination handles HTTPS traffic.
By setting the `tls.mode` field with `simple`, it means that there will be an attempt to initialize a TLS handshake.
> **Note:**
> For more information about the TLS mode, refer to the [Istio official documentation from the DestinationRule object regarding the TLS mode field](https://istio.io/latest/docs/reference/config/networking/destination-rule/#ClientTLSSettings-TLSmode).
```yaml
apiVersion: networking.istio.io/v1alpha3
kind: DestinationRule
metadata:
name: helloworld
namespace: default
spec:
host: helloworld.default.svc.cluster.local
trafficPolicy:
portLevelSettings:
- port:
number: 8443
tls:
mode: SIMPLE
```
## Service
The service will forward incoming TCP traffic from the port `8443`, towards the deployment port `443`.
It's been specified the protocol expected to service, it being `HTTPS`.
```yaml
apiVersion: v1
kind: Service
metadata:
name: helloworld
labels:
app: helloworld
service: helloworld
spec:
ports:
- name: https
port: 8443
targetPort: 443
protocol: TCP
appProtocol: HTTPS
selector:
app: helloworld
```
## Deployment
Deployment listens to port 80 and 443.
> **Note:**\
> For more information about the image used refer to [here](https://hub.docker.com/r/oriolfilter/https-apache-demo)
```yaml
apiVersion: apps/v1
kind: Deployment
metadata:
name: helloworld-nginx
labels:
app: helloworld
spec:
replicas: 1
selector:
matchLabels:
app: helloworld
template:
metadata:
labels:
app: helloworld
spec:
containers:
- name: helloworld
image: oriolfilter/https-nginx-demo
resources:
requests:
cpu: "100m"
imagePullPolicy: IfNotPresent
ports:
- containerPort: 80
- containerPort: 443
```
## PeerAuthentication
Due to the deployment having an `HTTPS`, and already initializing a TLS termination towards that service, we need to disable the **mTLS** tool for that specific service/deployment.
On the [Destination Rule](#destination%20rule) section we set the `tls` to `simple`, meaning that the service is expecting to receive `HTTPS` traffic, if `mTLS` is enabled, it will perform the handshake with the `mTLS` service, instead of with the destination `HTTPS` service.
```yaml
apiVersion: security.istio.io/v1beta1
kind: PeerAuthentication
metadata:
name: default-mtls
namespace: default
spec:
mtls:
mode: DISABLE
```
> **Note**:\
> As this configuration is very board, and targets the whole namespace, I would strongly recommend referring to the following example [06-Internal-Authentication/02-target-service-accounts](../../06-Internal-Authentication/02-target-service-accounts), which shows how to target service accounts set to resources, limiting the scope of this rule set.
# Walkthrough
## Generate client and server certificate and key files
First step will be to generate the certificate and key files to be able to set them to the Gateway resource.
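Review bot: a stray `` `<text>` `` line is left between the closing fence of the Gateway manifest and the first **Note:**; it looks like an editing placeholder and should be removed. The opening sentence of the Virtual service section is also garbled ("The rule that contains, will receive traffic from the port `443` and `80`."); suggest "The rule below receives traffic from ports `80` and `443` and routes it to port `8443` of the service `helloworld.default.svc.cluster.local`", which is what the `match` and `destination` entries in the manifest do.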
@ -98,82 +255,71 @@ virtualservice.networking.istio.io/helloworld-vs created
> **Note:**\
> It's Important that the secret is located in the same namespace as the Load Balancer used. In my case is the `istio-system`, but it will vary based on the environment.
## Deploy resources
```shell
kubectl apply -f ./
```
```text
peerauthentication.security.istio.io/default-mtls created
service/helloworld created
deployment.apps/helloworld-nginx created
gateway.networking.istio.io/helloworld-gateway created
virtualservice.networking.istio.io/helloworld-vs created
destinationrule.networking.istio.io/helloworld created
```
## Test the service
### http2
#### Curl HTTP1
### Get LB IP
```shell
curl 192.168.1.50/helloworld -s -o=/dev/null -w 'http_version: %{http_version}\nstatus_code: %{response_code}\n' -HHOST:http2.lb --http1.0
kubectl get svc -l istio=ingressgateway -A
```
```text
http_version: 1.1
status_code: 426
NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE
istio-ingressgateway LoadBalancer 10.97.47.216 192.168.1.50 15021:31316/TCP,80:32012/TCP,443:32486/TCP 39h
```
### curl HTTP gateway
#### Curl HTTP1.1
Well, it works as expected.
```shell
curl 192.168.1.50/helloworld -s -o=/dev/null -w 'http_version: %{http_version}\nstatus_code: %{response_code}\n' -HHOST:http2.lb --http1.1
curl --insecure 192.168.1.50 -I
```
```text
http_version: 1.1
status_code: 200
HTTP/1.1 200 OK
server: istio-envoy
date: Tue, 25 Apr 2023 04:41:19 GMT
content-type: text/html
content-length: 15
last-modified: Tue, 25 Apr 2023 00:47:17 GMT
etag: "64472315-f"
strict-transport-security: max-age=7200
accept-ranges: bytes
x-envoy-upstream-service-time: 28
```
#### Curl HTTP2
### curl HTTPS gateway
Well, it works as expected.
```shell
curl 192.168.1.50/helloworld -s -o=/dev/null -w 'http_version: %{http_version}\nstatus_code: %{response_code}\n' -HHOST:http2.lb --http2
curl --insecure https://192.168.1.50 -I
```
```text
http_version: 1.1
status_code: 200
HTTP/2 200
server: istio-envoy
date: Tue, 25 Apr 2023 04:42:07 GMT
content-type: text/html
content-length: 15
last-modified: Tue, 25 Apr 2023 00:47:17 GMT
etag: "64472315-f"
strict-transport-security: max-age=7200
accept-ranges: bytes
x-envoy-upstream-service-time: 13
```
### http1-web
#### Curl HTTP1
```shell
curl 192.168.1.50/helloworld -s -o=/dev/null -w 'http_version: %{http_version}\nstatus_code: %{response_code}\n' -HHOST:http1.lb --http1.0
```
```text
http_version: 1.1
status_code: 426
```
#### Curl HTTP1.1
```shell
curl 192.168.1.50/helloworld -s -o=/dev/null -w 'http_version: %{http_version}\nstatus_code: %{response_code}\n' -HHOST:http1.lb --http1.1
```
```text
http_version: 1.1
status_code: 200
```
#### Curl HTTP2
```shell
curl 192.168.1.50/helloworld -s -o=/dev/null -w 'http_version: %{http_version}\nstatus_code: %{response_code}\n' -HHOST:http1.lb --http2
```
```text
http_version: 1.1
status_code: 200
```
## Cleanup
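Review bot: the HTTPS test uses `curl --insecure https://192.168.1.50 -I`, which disables certificate verification, so the step passes even if the gateway presents an unrelated or expired certificate and the reader never learns whether the secret created in the walkthrough is actually being served. Since the walkthrough generates the CA in "Generate client and server certificate and key files", prefer `curl --cacert <ca-cert-file> https://192.168.1.50 -I` (placeholder path) and mention `--insecure` only as a fallback; `--insecure` on the plain `http://` request is a no-op and can be dropped. Note also that the plain-HTTP response shows `strict-transport-security: max-age=7200`; browsers ignore HSTS headers received over HTTP, which is worth a sentence since the example deliberately exposes the backend on port 80.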
@ -189,3 +335,9 @@ virtualservice.networking.istio.io "helloworld-vs" deleted
```
# Links of Interest
- https://istio.io/latest/docs/reference/config/networking/gateway/#Gateway
- https://istio.io/latest/docs/reference/config/networking/gateway/#ServerTLSSettings-TLSmode
- https://istio.io/latest/docs/reference/config/networking/destination-rule/#ClientTLSSettings-TLSmode

View File

@ -0,0 +1,8 @@
apiVersion: security.istio.io/v1beta1
kind: PeerAuthentication
metadata:
name: default-mtls
namespace: default
spec:
mtls:
mode: DISABLE
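Review bot: this PeerAuthentication has no `selector`, so `mtls.mode: DISABLE` applies to every workload in the `default` namespace, not just the HTTPS backend the description says needs it. Scoping it with `selector: {matchLabels: {app: helloworld}}` (the label the Service and Deployment in this PR already use) keeps mTLS on for everything else in the namespace, and the doc note that calls this configuration "very broad" could then be softened accordingly.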

View File

@ -7,12 +7,6 @@ metadata:
service: helloworld
spec:
ports:
- port: 8080
name: http-s
targetPort: 80
protocol: TCP
appProtocol: HTTP
- port: 8443
name: https
targetPort: 443
@ -36,45 +30,14 @@ spec:
metadata:
labels:
app: helloworld
sidecar.istio.io/inject: "true"
spec:
containers:
- name: helloworld
image: oriolfilter/https-nginx-demo
resources:
requests:
cpu: "100m"
imagePullPolicy: Always #Always
ports:
- containerPort: 80
- containerPort: 443
---
apiVersion: apps/v1
kind: Deployment
metadata:
name: nginx
labels:
app: nginx
version: v1
spec:
replicas: 1
selector:
matchLabels:
app: nginx
version: v1
template:
metadata:
labels:
app: nginx
version: v1
spec:
# serviceAccountName: istio-helloworld
containers:
- name: nginx
image: nginx
resources:
requests:
cpu: "100m"
imagePullPolicy: IfNotPresent
ports:
- containerPort: 80
- containerPort: 80
- containerPort: 443
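Review bot: if the `sidecar.istio.io/inject: "true"` pod label is being dropped from the helloworld Deployment here, sidecar injection now depends on the namespace carrying the `istio-injection=enabled` label; the PeerAuthentication added in this PR only has an effect when a sidecar is actually injected, so the walkthrough should state that assumption or keep the label. The trailing lines also show `- containerPort: 80` twice before `- containerPort: 443`; please check the final file has a single port 80 entry.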

View File

@ -4,31 +4,22 @@ metadata:
name: helloworld-gateway
spec:
selector:
# istio: myingressgateway
istio: ingressgateway
servers:
# - port:
# number: 443
# name: secure-http2
# protocol: HTTP2
# hosts:
# - "*"
- port:
number: 80
name: http2-i
protocol: HTTP2
name: http
protocol: HTTP
hosts:
- "*"
- port:
number: 443
name: https-i
name: https
protocol: HTTPS
hosts:
- "*"
tls:
credentialName: my-tls-cert-secret
minProtocolVersion: TLSV1_2
#
mode: SIMPLE
---
apiVersion: networking.istio.io/v1alpha3
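Review bot: the Gateway still carries dead YAML: a commented-out `# istio: myingressgateway` selector, a whole commented-out `secure-http2` server block, and a bare `#` line inside `tls:` between `minProtocolVersion: TLSV1_2` and `mode: SIMPLE`. Remove these before merge so the manifest shown in the walkthrough matches the file that gets applied.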
@ -41,16 +32,9 @@ spec:
gateways:
- helloworld-gateway
http:
- name: http-vs
match:
- port: 80
route:
- destination:
host: helloworld.default.svc.cluster.local
port:
number: 8080
- name: https-vs
match:
- port: 80
- port: 443
route:
- destination:
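Review bot: with the separate `http-vs` rule gone, `https-vs` now matches `port: 80` as well as `port: 443` and sends both to `8443`, so the hop from client to gateway on port 80 stays plaintext even though the backend hop is TLS. Either state that explicitly in the description, or, if only the backend is meant to be HTTPS, set `tls: {httpsRedirect: true}` on the port 80 server in the Gateway so clients are redirected to 443.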
@ -67,52 +51,7 @@ spec:
host: helloworld.default.svc.cluster.local
trafficPolicy:
portLevelSettings:
- port:
number: 8080
tls:
mode: DISABLE
- port:
number: 8443
tls:
# credentialName: client-credential
mode: SIMPLE
# port:
# name: https-backend
# number: 8443
# protocol: HTTPS
# tls:
# credentialName: my-tls-cert-secret
# mode: SIMPLE
# tcp:
## - match:
## - port: 80
## route:
## - destination:
## host: helloworld
## port:
## number: 8080
## - match:
## - port: 443
# - route:
# - destination:
# host: helloworld
# port:
# number: 8443
#
# tls:
# - match:
# - port: 443
# sniHosts:
# - "hello.si"
## - uri:
## exact: /helloworld
# route:
# - destination:
# host: helloworld
# port:
# number: 8443
## protocol: HTTPS
## rewrite:
## uri: "/"

View File

@ -24,7 +24,7 @@ Additionally, the backend used, has HTTP2 enable, which also will be used to con
## Gateway
Gateway been configured to listen both ports `80` and `443` through the TCP protocol, without any host specified.
The gateway has been configured to listen both ports `80` and `443` through the TCP protocol, without any host specified.
```yaml
apiVersion: networking.istio.io/v1alpha3
@ -84,8 +84,8 @@ spec:
## Service
The service will forward the incoming TCP traffic with port 8080, to the deployment port 80.
The same behavior is applied for the service port 8443, that will be forwarded towards the port 443 from the deployment.
The service will forward incoming traffic from the service port 8443, that will be forwarded towards the port 443 from the deployment.
```yaml
apiVersion: v1
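Review bot: the replacement sentence in the Service section is a run-on ("forward incoming traffic from the service port 8443, that will be forwarded towards the port 443"); suggest "The service forwards traffic arriving on service port `8443` to port `443` of the deployment."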
@ -97,14 +97,11 @@ metadata:
service: helloworld
spec:
ports:
- port: 8080
name: http-web
targetPort: 80
protocol: TCP
- port: 8443
name: https-web
name: https
targetPort: 443
protocol: TCP
appProtocol: https
selector:
app: helloworld
```
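Review bot: `appProtocol: https` here is lowercase while the rendered Service in the other README in this PR uses `appProtocol: HTTPS`; pick one spelling for both files, preferably the lowercase form that Istio's protocol selection documentation uses, so readers do not wonder whether the case matters.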
@ -145,6 +142,12 @@ spec:
- containerPort: 443
```
## PeerAuthentication
```yaml
```
# Walkthrough
## Deploy resources
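Review bot: the new `## PeerAuthentication` section contains an empty ```yaml fence; either paste the `default-mtls` manifest added elsewhere in this PR (with a sentence on why mTLS is disabled for this backend) or drop the heading until the content exists.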

View File

@ -20,7 +20,7 @@ This requires a deployment with a service HTTPS (as it will need to handle the T
## Gateway
Gateway configured to listen the port `443` for `HTTPS` traffic protocol.
The gateway was configured to listen the port `443` for `HTTPS` traffic protocol.
The tls was configured as `PASSTHROUGH`

View File

@ -0,0 +1,6 @@
# Based on
- [02-Traffic_management/09-HTTPS-backend (pending document)](../../02-Traffic_management/09-HTTPS-backend%20(pending%20document))
On the previous example only uses a HTTPS backend, here boards both HTTP and HTTPS backends.
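Review bot: the last line reads awkwardly ("On the previous example only uses a HTTPS backend, here boards both HTTP and HTTPS backends."); suggest "The previous example used only an HTTPS backend; this one covers both HTTP and HTTPS backends." The link path also embeds the text "(pending document)", which will break once the referenced directory is renamed.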

View File

@ -0,0 +1,79 @@
apiVersion: v1
kind: Service
metadata:
name: helloworld
labels:
app: helloworld
service: helloworld
spec:
ports:
- port: 8080
name: http
targetPort: 80
protocol: TCP
appProtocol: http
- port: 8443
name: https
targetPort: 443
protocol: TCP
appProtocol: https
selector:
app: helloworld
---
apiVersion: apps/v1
kind: Deployment
metadata:
name: helloworld-nginx
labels:
app: helloworld
spec:
replicas: 1
selector:
matchLabels:
app: helloworld
template:
metadata:
labels:
app: helloworld
sidecar.istio.io/inject: "true"
spec:
containers:
- name: helloworld
image: oriolfilter/https-nginx-demo
resources:
requests:
cpu: "100m"
imagePullPolicy: Always #Always
ports:
- containerPort: 80
- containerPort: 443
---
apiVersion: apps/v1
kind: Deployment
metadata:
name: nginx
labels:
app: nginx
version: v1
spec:
replicas: 1
selector:
matchLabels:
app: nginx
version: v1
template:
metadata:
labels:
app: nginx
version: v1
spec:
containers:
- name: nginx
image: nginx
resources:
requests:
cpu: "100m"
imagePullPolicy: IfNotPresent
ports:
- containerPort: 80
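Review bot: the second Deployment (`nginx`, labels `app: nginx`) is not selected by the Service, whose selector is `app: helloworld`, so nothing routes traffic to it; if it is meant as an in-mesh client for testing, say so in the README, otherwise remove it. Also `imagePullPolicy: Always #Always` carries a stale comment that should go.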

View File

@ -0,0 +1,70 @@
apiVersion: networking.istio.io/v1alpha3
kind: Gateway
metadata:
name: helloworld-gateway
spec:
selector:
istio: ingressgateway
servers:
- port:
number: 80
name: http
protocol: HTTP
hosts:
- "*"
- port:
number: 443
name: https
protocol: HTTPS
hosts:
- "*"
tls:
credentialName: my-tls-cert-secret
minProtocolVersion: TLSV1_2
mode: SIMPLE
---
apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
name: helloworld-vs
spec:
hosts:
- "*"
gateways:
- helloworld-gateway
http:
- name: http-vs
match:
- port: 80
route:
- destination:
host: helloworld.default.svc.cluster.local
port:
number: 8080
- name: https-vs
match:
- port: 443
route:
- destination:
host: helloworld.default.svc.cluster.local
port:
number: 8443
---
apiVersion: networking.istio.io/v1alpha3
kind: DestinationRule
metadata:
name: helloworld
namespace: default
spec:
host: helloworld.default.svc.cluster.local
trafficPolicy:
portLevelSettings:
- port:
number: 8080
tls:
mode: SIMPLE
- port:
number: 8443
tls:
mode: SIMPLE
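Review bot: the DestinationRule sets `tls: {mode: SIMPLE}` for port `8080`, but the Service in this PR maps `port: 8080` with `appProtocol: http` to container port `80`, the plaintext listener, so the gateway would originate a TLS handshake against a plaintext port and the request would fail. Use `mode: DISABLE` for `8080` (which is what the DestinationRule removed elsewhere in this PR did for that port) and keep `SIMPLE` only for `8443`.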