From 9a9eaed74d06d87d6c314003ead9703ec0074e07 Mon Sep 17 00:00:00 2001
From: savagebidoof
Date: Thu, 27 Jul 2023 00:58:15 +0200
Subject: [PATCH] Added Local LB thingies to Part 3 to consolidate the steps.
---
.../P3_External_Services/01-Namespace.yaml | 6 ---
.../Filebrowser/VirtualService.yaml | 1 +
.../P3_External_Services/Gateway.yaml | 7 +--
.../Gitea/VirtualService.yaml | 1 +
.../Jelly/VirtualService.yaml | 1 +
.../Tube/VirtualService.yaml | 1 +
.../P3_Local_Gateway/Gateway.yaml | 44 +++++++++++++++++++
Migrations/Forget_Traefik_2023/README.md | 42 ++++++++++++++----
8 files changed, 85 insertions(+), 18 deletions(-)
delete mode 100644 Migrations/Forget_Traefik_2023/P3_External_Services/01-Namespace.yaml
create mode 100755 Migrations/Forget_Traefik_2023/P3_Local_Gateway/Gateway.yaml
diff --git a/Migrations/Forget_Traefik_2023/P3_External_Services/01-Namespace.yaml b/Migrations/Forget_Traefik_2023/P3_External_Services/01-Namespace.yaml
deleted file mode 100644
index 182d2da..0000000
--- a/Migrations/Forget_Traefik_2023/P3_External_Services/01-Namespace.yaml
+++ /dev/null
@@ -1,6 +0,0 @@
-apiVersion: v1
-kind: Namespace
-metadata:
- name: external
- labels:
- istio-injection: "enabled"
\ No newline at end of file
diff --git a/Migrations/Forget_Traefik_2023/P3_External_Services/Filebrowser/VirtualService.yaml b/Migrations/Forget_Traefik_2023/P3_External_Services/Filebrowser/VirtualService.yaml
index 739bfd3..025471c 100644
--- a/Migrations/Forget_Traefik_2023/P3_External_Services/Filebrowser/VirtualService.yaml
+++ b/Migrations/Forget_Traefik_2023/P3_External_Services/Filebrowser/VirtualService.yaml
@@ -10,6 +10,7 @@ spec: - "filebrowser.filterhome.duckdns.org" gateways: - default/public-gateway + - default/local-gateway http: - route: - destination:
diff --git a/Migrations/Forget_Traefik_2023/P3_External_Services/Gateway.yaml b/Migrations/Forget_Traefik_2023/P3_External_Services/Gateway.yaml
index 04340a5..aca19a4 100755
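Review bot: Binding this VirtualService to `default/local-gateway` only routes hosts that the new local gateway's servers also declare (`filter.home` and `*.filter.home`), and the only host visible in this hunk, `filebrowser.filterhome.duckdns.org`, is not one of them, so unless the `hosts` entries above the hunk already include a `filebrowser.filter.home`-style name, Istio will as far as I can tell not attach this route to the local gateway and the added line is a no-op. The Gitea, Jelly and Tube VirtualService hunks have the same shape and raise the same question. Since the `hosts` list is also what limits which names each gateway will answer for, a comment beside the new line, `# local-gateway only serves filter.home / *.filter.home`, would make the required host/gateway pairing visible in the file. The VirtualService's `hosts` list starts outside this hunk.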
--- a/Migrations/Forget_Traefik_2023/P3_External_Services/Gateway.yaml
+++ b/Migrations/Forget_Traefik_2023/P3_External_Services/Gateway.yaml
@@ -1,7 +1,7 @@ apiVersion: networking.istio.io/v1alpha3 kind: Gateway metadata: - name: http-to-https + name: http-to-https-public namespace: default spec: selector:
@@ -32,8 +32,9 @@ spec: hosts: - "*.filterhome.xyz" - "filterhome.xyz" - - "filterhome.duckdns.org" - - "*.filterhome.duckdns.org" + +# - "filterhome.duckdns.org" +# - "*.filterhome.duckdns.org" tls: mode: SIMPLE credentialName: filterhome-domain-cert-public
diff --git a/Migrations/Forget_Traefik_2023/P3_External_Services/Gitea/VirtualService.yaml b/Migrations/Forget_Traefik_2023/P3_External_Services/Gitea/VirtualService.yaml
index 3d1458f..61d151d 100644
--- a/Migrations/Forget_Traefik_2023/P3_External_Services/Gitea/VirtualService.yaml
+++ b/Migrations/Forget_Traefik_2023/P3_External_Services/Gitea/VirtualService.yaml
@@ -10,6 +10,7 @@ spec: - "gitea.filterhome.duckdns.org" gateways: - default/public-gateway + - default/local-gateway http: - route: - destination:
diff --git a/Migrations/Forget_Traefik_2023/P3_External_Services/Jelly/VirtualService.yaml b/Migrations/Forget_Traefik_2023/P3_External_Services/Jelly/VirtualService.yaml
index 303810a..8b17908 100644
--- a/Migrations/Forget_Traefik_2023/P3_External_Services/Jelly/VirtualService.yaml
+++ b/Migrations/Forget_Traefik_2023/P3_External_Services/Jelly/VirtualService.yaml
@@ -10,6 +10,7 @@ spec: - "jelly.filterhome.duckdns.org" gateways: - default/public-gateway + - default/local-gateway http: - route: - destination:
diff --git a/Migrations/Forget_Traefik_2023/P3_External_Services/Tube/VirtualService.yaml b/Migrations/Forget_Traefik_2023/P3_External_Services/Tube/VirtualService.yaml
index 69c8021..3aa2a1b 100644
--- a/Migrations/Forget_Traefik_2023/P3_External_Services/Tube/VirtualService.yaml
+++ b/Migrations/Forget_Traefik_2023/P3_External_Services/Tube/VirtualService.yaml
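Review bot: Renaming this Gateway to `http-to-https-public` makes `kubectl apply` create a new object while leaving the old `http-to-https` object in the cluster, since apply does not prune; the README hunk in this same commit shows exactly that (`http-to-https-public created`) with no matching delete. If both objects stay and, as seems likely, share the `istio: public-ingress` selector and the port-80 `*` server, Istio will report two Gateways claiming the same port and host on the public ingress, and which one wins is not well defined. Pair the rename with `kubectl delete gateway.networking.istio.io http-to-https -n default`, or record that step in the README. The `selector` value and the `servers` section are outside this hunk.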
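Review bot: Commenting out `filterhome.duckdns.org` and `*.filterhome.duckdns.org` on this HTTPS server (it carries `mode: SIMPLE` and `credentialName: filterhome-domain-cert-public`) leaves the four VirtualServices touched in this same commit still advertising `*.filterhome.duckdns.org` hosts on `default/public-gateway`; those hosts no longer match any server host here, so the YAML stays valid but duckdns requests to the public ingress presumably fail at the TLS handshake or with a 404, with no hint in the config. If retiring the duckdns names is intended, drop them from the VirtualServices as well; if not, restore these two entries. Config kept as comments tends to be read as live config later, so delete the two `# - ...` lines rather than keep them, or put a one-line `# duckdns names intentionally removed from the public gateway in Part 3` above them. The server's `port` definition is outside this hunk.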
@@ -10,6 +10,7 @@ spec: - "tube.filterhome.duckdns.org" gateways: - default/public-gateway + - default/local-gateway http: - route: - destination:
diff --git a/Migrations/Forget_Traefik_2023/P3_Local_Gateway/Gateway.yaml b/Migrations/Forget_Traefik_2023/P3_Local_Gateway/Gateway.yaml
new file mode 100755
index 0000000..41f8bf4
--- /dev/null
+++ b/Migrations/Forget_Traefik_2023/P3_Local_Gateway/Gateway.yaml
@@ -0,0 +1,44 @@
+#apiVersion: networking.istio.io/v1alpha3
+#kind: Gateway
+#metadata:
+# name: http-to-https-local
+# namespace: default
+#spec:
+# selector:
+# istio: public-ingress
+# servers:
+# - port:
+# number: 80
+# name: http2
+# protocol: HTTP2
+# hosts:
+# - "*"
+# tls:
+# httpsRedirect: true
+---
+apiVersion: networking.istio.io/v1alpha3
+kind: Gateway
+metadata:
+ name: local-gateway
+ namespace: default
+spec:
+ selector:
+ istio: local-ingress
+ servers:
+ - port:
+ number: 80
+ name: http
+ protocol: HTTP
+ hosts:
+ - "filter.home"
+ - "*.filter.home"
+ - port:
+ number: 443
+ name: https
+ protocol: HTTPS
+ hosts:
+ - "filter.home"
+ - "*.filter.home"
+ tls:
+ mode: SIMPLE
+ credentialName: domain-cert-local
diff --git a/Migrations/Forget_Traefik_2023/README.md b/Migrations/Forget_Traefik_2023/README.md
index 89132fc..d232a32 100644
--- a/Migrations/Forget_Traefik_2023/README.md
+++ b/Migrations/Forget_Traefik_2023/README.md
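Review bot: The commented-out `http-to-https-local` block at the top of the new file selects `istio: public-ingress`, not the `istio: local-ingress` that the live `local-gateway` below uses, so if it is uncommented later it would add a second port-80 `*` server on the public ingress next to `http-to-https-public` instead of redirecting local traffic; either change that line to `istio: local-ingress` or remove the block until it is actually needed. As shipped, the port-80 server answers `filter.home` and `*.filter.home` over plain HTTP with no redirect, which may be acceptable on a LAN-only ingress, but a comment on that server saying so would make it a decision rather than an omission. The 443 server's `credentialName: domain-cert-local` names a secret that the README in this commit says is created only in the next part, so until then that server has no certificate to present and TLS connections to it will fail; I would add `# secret is created in Part 4; this HTTPS server cannot serve until then` beside it so the file explains itself. The whole Gateway is in this hunk.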
@@ -164,12 +164,17 @@ Current Issue? For X and y, I need to wait for a while for the DNS provider to r - [x] Backup the Istio/Kubernetes configuration files used so far. +- [x] Deploy configurations to route some services through the Istio `istio-local-ingress` Load Balancer deployed. + > **Note**:\ > Regarding Let's Encrypt certificate provisioning, for testing purposes the `staging` environment should be used, nevertheless on my scenario I am running directly on the production environment, why?\ > - `Staging` and `Production` behave different, therefore one can get the certificates verified on `Staging` and not on `Production`. > - I ran into some issues regarding the sentence from above, so there was some back and forth, this topic is mentioned [here at the end.](#2x1-able-to-get-staging-le-certs-but-not-the-production-one-when-using-custom-istio-selector-and-only-able-to-get-production-le-certs-when-using-the-default-istio-ingressgateway-selector) > - Since there was "back and forth" I sort of cheated and set this as it is. +> **Additional Note**:\ +> The "local" gateway will have a TLS secret that won't be created until the next part. + #### Rollback plan - Update the router `Virtual Service Port Mapping` to set back the Traefik Ingress form the Pi4 host. 
@@ -177,22 +182,21 @@ Current Issue? For X and y, I need to wait for a while for the DNS provider to r ### Part 4 -So far we deployed an Internal LB, but it is being unused, therefore: +- [ ] Update local DNS records accordingly. -- [ ] - -- [x] Update local DNS records accordingly. - -### Part 7 - -- Deploy locally a Certificate Authorization Service (on the SRV host.) +- [ ] Deploy locally a Certificate Authorization Service (on the SRV host.) > **Notes**:\ +> Since the `VirtualService` files from Part + +> **Additional Notes**:\ > - https://www.reddit.com/r/selfhosted/comments/owplv5/any_self_hosted_certificate_authority/ \ > - https://github.com/minio/certgen \ > - https://github.com/rabbitmq/tls-gen \ > - https://smallstep.com/blog/private-acme-server/ \ > - https://hub.docker.com/r/smallstep/step-ca + + #### Rollback plan
@@ -968,7 +972,7 @@ namespace/external created destinationrule.networking.istio.io/filebrowser created serviceentry.networking.istio.io/filebrowser-se created virtualservice.networking.istio.io/filebrowser-vs created -gateway.networking.istio.io/http-to-https created +gateway.networking.istio.io/http-to-https-public created gateway.networking.istio.io/public-gateway created destinationrule.networking.istio.io/gitea created serviceentry.networking.istio.io/gitea-se created
@@ -1101,6 +1105,26 @@ x-envoy-upstream-service-time: 6 server: istio-envoy ``` +### Test the local Ingress Load Balancer + +Good ol' fake headers bypassing. + +```shell +curl 192.168.1.81/web/index.html -HHOST:"jelly.filter.home" -I +``` + +```text +HTTP/1.1 200 OK +accept-ranges: bytes +content-type: text/html +date: Wed, 26 Jul 2023 22:56:13 GMT +etag: "1d975f47df7d992" +last-modified: Sun, 23 Apr 2023 15:01:33 GMT +server: istio-envoy +x-response-time-ms: 1 +content-length: 7442 +x-envoy-upstream-service-time: 3 +``` ## Part 4