Added Local LB thingies to Part 3 to consolidate the steps.

Migrations/Forget_Traefik_2023/P3_External_Services/01-Namespace.yaml

@@ -1,6 +0,0 @@
-apiVersion: v1
-kind: Namespace
-metadata:
-  name: external
-  labels:
-    istio-injection: "enabled"

Migrations/Forget_Traefik_2023/P3_External_Services/Filebrowser/VirtualService.yaml

@@ -10,6 +10,7 @@ spec:
     - "filebrowser.filterhome.duckdns.org"
   gateways:
     - default/public-gateway
+    - default/local-gateway
   http:
     - route:
         - destination:

Migrations/Forget_Traefik_2023/P3_External_Services/Gateway.yaml

@@ -1,7 +1,7 @@
 apiVersion: networking.istio.io/v1alpha3
 kind: Gateway
 metadata:
-  name: http-to-https
+  name: http-to-https-public
   namespace: default
 spec:
   selector:
@@ -32,8 +32,9 @@ spec:
       hosts:
         - "*.filterhome.xyz"
         - "filterhome.xyz"
-        - "filterhome.duckdns.org"
-        - "*.filterhome.duckdns.org"
+
+#        - "filterhome.duckdns.org"
+#        - "*.filterhome.duckdns.org"
       tls:
         mode: SIMPLE
         credentialName: filterhome-domain-cert-public

Migrations/Forget_Traefik_2023/P3_External_Services/Gitea/VirtualService.yaml

@@ -10,6 +10,7 @@ spec:
     - "gitea.filterhome.duckdns.org"
   gateways:
     - default/public-gateway
+    - default/local-gateway
   http:
     - route:
         - destination:

Migrations/Forget_Traefik_2023/P3_External_Services/Jelly/VirtualService.yaml

@@ -10,6 +10,7 @@ spec:
     - "jelly.filterhome.duckdns.org"
   gateways:
     - default/public-gateway
+    - default/local-gateway
   http:
     - route:
         - destination:

Migrations/Forget_Traefik_2023/P3_External_Services/Tube/VirtualService.yaml

@@ -10,6 +10,7 @@ spec:
     - "tube.filterhome.duckdns.org"
   gateways:
     - default/public-gateway
+    - default/local-gateway
   http:
     - route:
         - destination:

Migrations/Forget_Traefik_2023/P3_Local_Gateway/Gateway.yaml

@@ -0,0 +1,44 @@
+#apiVersion: networking.istio.io/v1alpha3
+#kind: Gateway
+#metadata:
+#  name: http-to-https-local
+#  namespace: default
+#spec:
+#  selector:
+#    istio: public-ingress
+#  servers:
+#    - port:
+#        number: 80
+#        name: http2
+#        protocol: HTTP2
+#      hosts:
+#        - "*"
+#      tls:
+#        httpsRedirect: true
+---
+apiVersion: networking.istio.io/v1alpha3
+kind: Gateway
+metadata:
+  name: local-gateway
+  namespace: default
+spec:
+  selector:
+    istio: local-ingress
+  servers:
+    - port:
+        number: 80
+        name: http
+        protocol: HTTP
+      hosts:
+        - "filter.home"
+        - "*.filter.home"
+    - port:
+        number: 443
+        name: https
+        protocol: HTTPS
+      hosts:
+        - "filter.home"
+        - "*.filter.home"
+      tls:
+        mode: SIMPLE
+        credentialName: domain-cert-local

Migrations/Forget_Traefik_2023/README.md

@@ -164,12 +164,17 @@ Current Issue? For X and y, I need to wait for a while for the DNS provider to r
 
 - [x] Backup the Istio/Kubernetes configuration files used so far.
 
+- [x] Deploy configurations to route some services through the Istio `istio-local-ingress` Load Balancer deployed.
+
 > **Note**:\
 > Regarding Let's Encrypt certificate provisioning, for testing purposes the `staging` environment should be used, nevertheless on my scenario I am running directly on the production environment, why?\
 > - `Staging` and `Production` behave different, therefore one can get the certificates verified on `Staging` and not on `Production`.
 > - I ran into some issues regarding the sentence from above, so there was some back and forth, this topic is mentioned [here at the end.](#2x1-able-to-get-staging-le-certs-but-not-the-production-one-when-using-custom-istio-selector-and-only-able-to-get-production-le-certs-when-using-the-default-istio-ingressgateway-selector)
 > - Since there was "back and forth" I sort of cheated and set this as it is.
 
+> **Additional Note**:\
+> The "local" gateway will have a TLS secret that won't be created until the next part.
+
 #### Rollback plan
 
 - Update the router `Virtual Service Port Mapping` to set back the Traefik Ingress form the Pi4 host.
@@ -177,22 +182,21 @@ Current Issue? For X and y, I need to wait for a while for the DNS provider to r
 
 ### Part 4
 
-So far we deployed an Internal LB, but it is being unused, therefore:
+- [ ] Update local DNS records accordingly.
 
-- [ ]
-
-- [x] Update local DNS records accordingly.
-
-### Part 7
-
-- Deploy locally a Certificate Authorization Service (on the SRV host.)
+- [ ] Deploy locally a Certificate Authorization Service (on the SRV host.)
 
 > **Notes**:\
+> Since the `VirtualService` files from Part 
+
+> **Additional Notes**:\
 > - https://www.reddit.com/r/selfhosted/comments/owplv5/any_self_hosted_certificate_authority/ \
 > - https://github.com/minio/certgen \
 > - https://github.com/rabbitmq/tls-gen \
 > - https://smallstep.com/blog/private-acme-server/ \
 > - https://hub.docker.com/r/smallstep/step-ca
+ 
+
 
 #### Rollback plan
 
@@ -968,7 +972,7 @@ namespace/external created
 destinationrule.networking.istio.io/filebrowser created
 serviceentry.networking.istio.io/filebrowser-se created
 virtualservice.networking.istio.io/filebrowser-vs created
-gateway.networking.istio.io/http-to-https created
+gateway.networking.istio.io/http-to-https-public created
 gateway.networking.istio.io/public-gateway created
 destinationrule.networking.istio.io/gitea created
 serviceentry.networking.istio.io/gitea-se created
@@ -1101,6 +1105,26 @@ x-envoy-upstream-service-time: 6
 server: istio-envoy
 ```
 
+### Test the local Ingress Load Balancer
+
+Good ol' fake headers bypassing.
+
+```shell
+curl 192.168.1.81/web/index.html -HHOST:"jelly.filter.home" -I
+```
+
+```text
+HTTP/1.1 200 OK
+accept-ranges: bytes
+content-type: text/html
+date: Wed, 26 Jul 2023 22:56:13 GMT
+etag: "1d975f47df7d992"
+last-modified: Sun, 23 Apr 2023 15:01:33 GMT
+server: istio-envoy
+x-response-time-ms: 1
+content-length: 7442
+x-envoy-upstream-service-time: 3
+```
 
 ## Part 4