Merge pull request 'dev - mid update' (#63) from dev into main

Reviewed-on: https://gitea.filterhome.xyz/ofilter/Istio_Examples/pulls/63

00-Troubleshooting/README.md

@@ -3,6 +3,63 @@ gitea: none
 include_toc: true
 ---
 
+
+# Logs
+
+> **Note:**\
+> Remember that you can use the command `watch` or `watch -n 5` (where 5 refers every 5 seconds) in case of being interested on execute this commands periodically.
+
+## Istiod
+
+```shell
+kubectl logs -n istio-system -f deployments/istiod
+```
+
+## Istio-Proxy Pod
+
+This will display the logs from a deployment while targeting the `istio-proxy` container from the targeted pod/deployment.
+
+As well will attach the session to stream new logs. (`-f` `--follow`)
+
+```shell
+kubectl logs deployments/helloworld-default -f -c istio-proxy
+```
+
+```text
+[2023-05-15T00:42:03.699Z] "- - -" 0 UH - - "-" 0 0 0 - "-" "-" "-" "-" "-" BlackHoleCluster - 10.111.90.232:8080 172.17.121.65:52006 - -
+[2023-05-15T00:42:24.785Z] "HEAD / HTTP/1.1" 200 - via_upstream - "-" 0 0 2 1 "-" "curl/7.74.0" "c133cbf0-b57d-4fba-8f84-d683ab903399" "helloworld.default.svc.cluster.local" "172.17.121.65:80" inbound|80|| 127.0.0.6:51695 172.17.121.65:80 172.17.121.65:43786 outbound_.80_._.helloworld.default.svc.cluster.local default
+[2023-05-15T00:42:24.784Z] "HEAD / HTTP/1.1" 200 - via_upstream - "-" 0 0 5 4 "-" "curl/7.74.0" "c133cbf0-b57d-4fba-8f84-d683ab903399" "helloworld.default.svc.cluster.local" "172.17.121.65:80" outbound|80||helloworld.default.svc.cluster.local 172.17.121.65:43786 10.111.90.232:80 172.17.121.65:57030 - default
+[2023-05-15T00:43:23.209Z] "HEAD / HTTP/1.1" 200 - via_upstream - "-" 0 0 6 5 "-" "curl/7.74.0" "e1f0a2f3-93ff-4c41-8cb3-6d3a53fce065" "helloworld.foo.svc.cluster.local" "172.17.247.42:80" outbound|80||helloworld.foo.svc.cluster.local 172.17.121.65:55040 10.109.248.148:80 172.17.121.65:60520 - default
+[2023-05-15T00:43:29.751Z] "- - -" 0 UH - - "-" 0 0 0 - "-" "-" "-" "-" "-" BlackHoleCluster - 10.109.248.148:8080 172.17.121.65:40370 - -
+[2023-05-15T00:43:31.979Z] "- - -" 0 UH - - "-" 0 0 0 - "-" "-" "-" "-" "-" BlackHoleCluster - 10.109.248.148:8080 172.17.121.65:40402 - -
+```
+
+## Ingress
+
+The service targeted, `istio-ingressgateway`, is an Ingress Load Balancer service from Istio.
+
+```shell
+kubectl logs -n istio-system services/istio-ingressgateway
+```
+#### Invalid TLS context has neither subject CN nor SAN names
+
+The TLS certificate specified don't have the field CN or the field SAN.
+
+To address this issue, issue a new certificate that has at least one of those fields.
+
+#### initial fetch timed out for type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.Secretthread
+
+This is due not being able to retrieve the TLS configuration assigned to the gateway.
+
+It's Important that the secret is located in the same namespace as the Istio Load Balancer used. In my case is the `istio-system`, but it will vary based on the environment.
+
+
+
+
+
+
+
+
 # Istioctl analyze
 
 `istioctl analyze` reviews the current configuration set.
@@ -67,57 +124,24 @@ listening on eth0, link-type EN10MB (Ethernet), snapshot length 262144 bytes
 ...
 ```
 
-# Logs
-
-> **Note:**\
-> Remember that you can use the command `watch` or `watch -n 5` (where 5 refers every 5 seconds) in case of being interested on execute this commands periodically.
-
-## Istiod
+# Istioctl proxy-status
+> **Note:** Shorthand is `ps`
 
 ```shell
-kubectl logs -n istio-system -f deployments/istiod
+istioctl ps
 ```
-
-## Istio-Proxy Pod
-
-This will display the logs from a deployment while targeting the `istio-proxy` container from the targeted pod/deployment.
-
-As well will attach the session to stream new logs. (`-f` `--follow`)
-
-```shell
-kubectl logs deployments/helloworld-default -f -c istio-proxy
-```
-
 ```text
-[2023-05-15T00:42:03.699Z] "- - -" 0 UH - - "-" 0 0 0 - "-" "-" "-" "-" "-" BlackHoleCluster - 10.111.90.232:8080 172.17.121.65:52006 - -
-[2023-05-15T00:42:24.785Z] "HEAD / HTTP/1.1" 200 - via_upstream - "-" 0 0 2 1 "-" "curl/7.74.0" "c133cbf0-b57d-4fba-8f84-d683ab903399" "helloworld.default.svc.cluster.local" "172.17.121.65:80" inbound|80|| 127.0.0.6:51695 172.17.121.65:80 172.17.121.65:43786 outbound_.80_._.helloworld.default.svc.cluster.local default
-[2023-05-15T00:42:24.784Z] "HEAD / HTTP/1.1" 200 - via_upstream - "-" 0 0 5 4 "-" "curl/7.74.0" "c133cbf0-b57d-4fba-8f84-d683ab903399" "helloworld.default.svc.cluster.local" "172.17.121.65:80" outbound|80||helloworld.default.svc.cluster.local 172.17.121.65:43786 10.111.90.232:80 172.17.121.65:57030 - default
-[2023-05-15T00:43:23.209Z] "HEAD / HTTP/1.1" 200 - via_upstream - "-" 0 0 6 5 "-" "curl/7.74.0" "e1f0a2f3-93ff-4c41-8cb3-6d3a53fce065" "helloworld.foo.svc.cluster.local" "172.17.247.42:80" outbound|80||helloworld.foo.svc.cluster.local 172.17.121.65:55040 10.109.248.148:80 172.17.121.65:60520 - default
-[2023-05-15T00:43:29.751Z] "- - -" 0 UH - - "-" 0 0 0 - "-" "-" "-" "-" "-" BlackHoleCluster - 10.109.248.148:8080 172.17.121.65:40370 - -
-[2023-05-15T00:43:31.979Z] "- - -" 0 UH - - "-" 0 0 0 - "-" "-" "-" "-" "-" BlackHoleCluster - 10.109.248.148:8080 172.17.121.65:40402 - -
+NAME                                                  CLUSTER        CDS        LDS        EDS        RDS          ECDS         ISTIOD                    VERSION
+helloworld-6798765f88-ql26n.default                   Kubernetes     SYNCED     SYNCED     SYNCED     SYNCED       NOT SENT     istiod-dbf5ff64-9kxxs     1.17.2
+helloworld2-dc9cb5db6-m47x7.default                   Kubernetes     SYNCED     SYNCED     SYNCED     SYNCED       NOT SENT     istiod-dbf5ff64-9kxxs     1.17.2
+istio-egressgateway-676bf68b54-d28fn.istio-system     Kubernetes     SYNCED     SYNCED     SYNCED     NOT SENT     NOT SENT     istiod-dbf5ff64-9kxxs     1.17.2
+istio-ingressgateway-8d56c999d-nv7ph.istio-system     Kubernetes     SYNCED     SYNCED     SYNCED     SYNCED       NOT SENT     istiod-dbf5ff64-9kxxs     1.17.2
 ```
 
 
-## Ingress
-
-The service targeted, `istio-ingressgateway`, is an Ingress Load Balancer service from Istio.
-
-```shell
-kubectl logs -n istio-system services/istio-ingressgateway
-```
-#### Invalid TLS context has neither subject CN nor SAN names
-
-The TLS certificate specified don't have the field CN or the field SAN.
-
-To address this issue, issue a new certificate that has at least one of those fields.
-
-#### initial fetch timed out for type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.Secretthread 
-
-This is due not being able to retrieve the TLS configuration assigned to the gateway.
-
-It's Important that the secret is located in the same namespace as the Istio Load Balancer used. In my case is the `istio-system`, but it will vary based on the environment.
-
 # Istioctl proxy-config
+> **Note:** Shorthand is `pc`
+
 
 ## Check listeners
 

01-Getting_Started/01-hello_world_1_service_1_deployment/README.md

@@ -219,7 +219,7 @@ I would like to put emphasis on the following line returned:
 server: istio-envoy
 ```
 
-This means that the contents returned was performed by the Istio service, instead of the Nginx or any other possible backend service.
+This means that the contents returned was performed by the Istio service, therefore, the request was able to reach Istio and received a response from it.
 
 ## Cleanup
 

01-Getting_Started/03-hello_world_1_service_2_deployments_managed_version/VirtualService.yaml

@@ -19,13 +19,13 @@ spec:
             port:
               number: 80
             subset: v1
-          weight: 20
+          weight: 80
         - destination:
             #            host: helloworld (OLD)
             host: helloworld.default.svc.cluster.local
             port:
               number: 80
             subset: v2
-          weight: 80
+          weight: 20
       rewrite:
         uri: "/"

02-Traffic_management/README.md

@@ -1 +1,2 @@
-This gloves the resources `Virtual Service` and `Destination Rule`
+This gloves the resources `Virtual Service` and `Destination Rule`.
+

03-Gateway_Ingress/03-HTTPS-Gateway-Simple-TLS/README.md

@@ -5,7 +5,7 @@ include_toc: true
 
 # Based on
 
-- [01-hello_world_1_service_1_deployment](../../01-Getting%20Started/01-hello_world_1_service_1_deployment)
+- [01-hello_world_1_service_1_deployment](../../01-Getting_Started/01-hello_world_1_service_1_deployment)
 
 # Description
 

03-Gateway_Ingress/04a-HTTPS-min-TLS-version/README.md

@@ -5,7 +5,7 @@ include_toc: true
 
 # Based on
 
-- [07-HTTPS-Gateway-Simple-TLS](../07-HTTPS-Gateway-Simple-TLS)
+- [07-HTTPS-Gateway-Simple-TLS](../03-HTTPS-Gateway-Simple-TLS)
 
 # Description
 

03-Gateway_Ingress/04b-HTTPS-max-TLS-version/README.md

@@ -5,7 +5,7 @@ include_toc: true
 
 # Based on
 
-- [08a-HTTPS-min-TLS-version](../08a-HTTPS-min-TLS-version)
+- [08a-HTTPS-min-TLS-version](../04a-HTTPS-min-TLS-version)
 
 # Description
 

03-Gateway_Ingress/05-TCP-FORWARDING/README.md

@@ -5,7 +5,7 @@ include_toc: true
 
 # Based on
 
-- [08a-HTTPS-min-TLS-version](../08a-HTTPS-min-TLS-version)
+- [08a-HTTPS-min-TLS-version](../04a-HTTPS-min-TLS-version)
 
 # Description
 

03-Gateway_Ingress/06-TLS-PASSTHROUGH/README.md

@@ -5,7 +5,7 @@ include_toc: true
 
 # Based on
 
-- [10-TCP-FORWARDING](../10-TCP-FORWARDING)
+- [10-TCP-FORWARDING](../05-TCP-FORWARDING)
 
 # Description
 

03-Gateway_Ingress/07-HTTP-to-HTTPS-traffic-redirect/README.md

@@ -5,7 +5,7 @@ include_toc: true
 
 # Based on
 
-- [07-HTTPS-Gateway-Simple-TLS](../07-HTTPS-Gateway-Simple-TLS)
+- [07-HTTPS-Gateway-Simple-TLS](../03-HTTPS-Gateway-Simple-TLS)
 
 # Description
 

04-Backends/01-Service_Entry/README.md

@@ -143,7 +143,7 @@ virtualservice.networking.istio.io/helloworld-vs created
 ### Get LB IP
 
 ```shell
-$ kubectl get svc -l istio=ingressgateway -A
+kubectl get svc -l istio=ingressgateway -A
 ```
 ```text
 NAME                   TYPE           CLUSTER-IP     EXTERNAL-IP    PORT(S)                                      AGE
@@ -177,14 +177,15 @@ curl 192.168.1.50/external
 
 We don't receive any output.
 
-This could be due, even if we resolve the destination IP for the URL `info.cern.ch`, the destination might have a Reverse Proxy or any other ingress resource that could condition handling this request.
+Even if we resolve the destination IP for the URL `info.cern.ch`, the destination might have a **Reverse Proxy** or any other ingress resource that could condition handling this request.
 
-Due to the `HOST` field not being modified after we set the request, it might not be able to pass the filtering set, weather it is security wise, for example, requiring such field to allow the request; or it being a routing condition, which due not having this field specified, it's not able to route the request towards the destination desired.
+Due to the `HOST` field not being modified after we set the request, it might not be able to pass the filtering rules set on the destination server, on this scenario being the service responsible for receiving requests with the URL `info.cern.ch`.
 
 ```shell
 curl 192.168.1.50/external-noh
 ```
 ```text
+</pre></body></html>
 ```
 
 ## Cleanup

04-Backends/02-HTTPS-backend/README.md

@@ -5,7 +5,7 @@ include_toc: true
 
 # Based on
 
-- [08a-HTTPS-min-TLS-version](../../03-Gateway_Ingress/08a-HTTPS-min-TLS-version)
+- [08a-HTTPS-min-TLS-version](../../03-Gateway_Ingress/04a-HTTPS-min-TLS-version)
 
 # Description
 

05-Sidecar/02-egress-proxy/README.md

@@ -288,21 +288,21 @@ foo              helloworld-foo            1/1     1            1           10s
 
 Reminder of the **egress** criteria that has been configured to be met:
 
-[ ] Port `80`.
+- [ ] Port `80`.
 
-[ ] `HTTP` protocol.
+- [ ] `HTTP` protocol.
 
-[ ] Namespace destination `foo`.
+- [ ] Namespace destination `foo`.
 
 #### Curl helloworld.foo.svc.cluster.local:80
 
 On this scenario we meet the following criteria:
 
-[x] Port `80`.
+- [x] Port `80`.
 
-[x] `HTTP` protocol.
+- [x] `HTTP` protocol.
 
-[x] Namespace destination `foo`.
+- [x] Namespace destination `foo`.
 
 ```shell
 NAMESPACE="default" && kubectl exec -n ${NAMESPACE} "$(kubectl get pod -n ${NAMESPACE} -l app=helloworld -o jsonpath={.items..metadata.name})" -- curl helloworld.foo.svc.cluster.local:80 -sI
@@ -326,11 +326,11 @@ x-envoy-upstream-service-time: 10
 
 #### Curl helloworld.foo.svc.cluster.local:8080
 
-[ ] Port `80`.
+- [ ] Port `80`.
 
-[x] `HTTP` protocol.
+- [x] `HTTP` protocol.
 
-[x] Namespace destination `foo`.
+- [x] Namespace destination `foo`.
 
 
 ```shell
@@ -375,11 +375,11 @@ For such, instead the is sent towards `BlackHoleCluster`.
 
 #### Curl helloworld.default.svc.cluster.local:80
 
-[x] Port `80`.
+- [x] Port `80`.
 
-[x] `HTTP` protocol.
+- [x] `HTTP` protocol.
 
-[ ] Namespace destination `foo`.
+- [ ] Namespace destination `foo`.
 
 
 ```shell
@@ -432,11 +432,11 @@ For such it raises a `direct response` with status code `502`, as the `istio-pro
 
 #### Curl helloworld.default.svc.cluster.local:8080
 
-[x] Port `8080`.
+- [x] Port `8080`.
 
-[x] `HTTP` protocol.
+- [x] `HTTP` protocol.
 
-[ ] Namespace destination `foo`.
+- [ ] Namespace destination `foo`.
 
 
 ```shell
@@ -479,11 +479,11 @@ We can see, how the `istio-proxy` container, from the `helloworld` POD, in the n
 
 Reminder of the **egress** criteria that has been configured to be met:
 
-[ ] Port `8080`.
+- [ ] Port `8080`.
 
-[ ] `HTTP` protocol.
+- [ ] `HTTP` protocol.
 
-[ ] Namespace destination `foo` or `default`.
+- [ ] Namespace destination `foo` or `default`.
 
 
 
@@ -492,11 +492,11 @@ Reminder of the **egress** criteria that has been configured to be met:
 
 On this scenario we meet the following criteria:
 
-[ ] Port `8080`.
+- [ ] Port `8080`.
 
-[x] `HTTP` protocol.
+- [x] `HTTP` protocol.
 
-[x] Namespace destination `foo` or `default`.
+- [x] Namespace destination `foo` or `default`.
 
 ```shell
 NAMESPACE="foo" && kubectl exec -n ${NAMESPACE} "$(kubectl get pod -n ${NAMESPACE} -l app=helloworld -o jsonpath={.items..metadata.name})" -- curl helloworld.foo.svc.cluster.local:80 -sI
@@ -538,11 +538,11 @@ We can see, how the `istio-proxy` container, from the `helloworld` POD, in the n
 
 On this scenario we meet the following criteria:
 
-[x] Port `8080`.
+- [x] Port `8080`.
 
-[x] `HTTP` protocol.
+- [x] `HTTP` protocol.
 
-[x] Namespace destination `foo` or `default`.
+- [x] Namespace destination `foo` or `default`.
 
 ```shell
 NAMESPACE="foo" && kubectl exec -n ${NAMESPACE} "$(kubectl get pod -n ${NAMESPACE} -l app=helloworld -o jsonpath={.items..metadata.name})" -- curl helloworld.foo.svc.cluster.local:8080 -sI
@@ -568,11 +568,11 @@ x-envoy-upstream-service-time: 77
 
 On this scenario we meet the following criteria:
 
-[ ] Port `8080`.
+- [ ] Port `8080`.
 
-[x] `HTTP` protocol.
+- [x] `HTTP` protocol.
 
-[x] Namespace destination `foo` or `default`.
+- [x] Namespace destination `foo` or `default`.
 
 ```shell
 NAMESPACE="foo" && kubectl exec -n ${NAMESPACE} "$(kubectl get pod -n ${NAMESPACE} -l app=helloworld -o jsonpath={.items..metadata.name})" -- curl helloworld.default.svc.cluster.local:80 -sI
@@ -612,11 +612,11 @@ We can see, how the `istio-proxy` container, from the `helloworld` POD, in the n
 
 On this scenario we meet the following criteria:
 
-[x] Port `8080`.
+- [x] Port `8080`.
 
-[x] `HTTP` protocol.
+- [x] `HTTP` protocol.
 
-[x] Namespace destination `foo` or `default`.
+- [x] Namespace destination `foo` or `default`.
 
 ```shell
 NAMESPACE="foo" && kubectl exec -n ${NAMESPACE} "$(kubectl get pod -n ${NAMESPACE} -l app=helloworld -o jsonpath={.items..metadata.name})" -- curl helloworld.default.svc.cluster.local:8080 -sI

09-Ingress/01-Create-Istio-LoadBalancer/01-Namespace.yaml

@@ -3,5 +3,4 @@ kind: Namespace
 metadata:
   name: istio-ingress
   labels:
-    istio-injection: "enabled"
----
+    istio-injection: "enabled"

09-Ingress/01-Create-Istio-LoadBalancer/Deployment.yaml

@@ -1,25 +1,3 @@
-# https://github.com/istio/istio/blob/master/samples/helloworld/helloworld.yaml
-apiVersion: v1
-kind: Service
-metadata:
-  name: helloworld
-  labels:
-    app: helloworld
-    service: helloworld
-spec:
-  ports:
-    - port: 80
-      name: http
-  selector:
-    app: helloworld
----
-#apiVersion: v1
-#kind: ServiceAccount
-#metadata:
-#  name: istio-helloworld
-#  labels:
-#    account:
----
 apiVersion: apps/v1
 kind: Deployment
 metadata:
@@ -36,7 +14,6 @@ spec:
       labels:
         app: helloworld
     spec:
-#      serviceAccountName: istio-helloworld
       containers:
         - name: helloworld
           image: nginx

09-Ingress/01-Create-Istio-LoadBalancer/Gateway.yaml

@@ -1,36 +1,14 @@
-# https://github.com/istio/istio/blob/master/samples/helloworld/helloworld-gateway.yaml
 apiVersion: networking.istio.io/v1alpha3
 kind: Gateway
 metadata:
   name: helloworld-gateway
 spec:
   selector:
-    istio: myingressgateway # use istio default controller
+    istio: myingressgateway # Uses the selector we just deployed
   servers:
     - port:
         number: 80
         name: http
         protocol: HTTP
       hosts:
-        - "*"
----
-apiVersion: networking.istio.io/v1alpha3
-kind: VirtualService
-metadata:
-  name: helloworld-vs
-spec:
-  hosts:
-    - "*"
-  gateways:
-    - helloworld-gateway
-  http:
-    - match:
-        - uri:
-            exact: /helloworld
-      route:
-        - destination:
-            host: helloworld
-            port:
-              number: 80
-      rewrite:
-        uri: "/"
+        - "*"

09-Ingress/01-Create-Istio-LoadBalancer/README.md

@@ -4,41 +4,31 @@ include_toc: true
 ---
 
 
-# Based on
-
-- [01-hello_world_1_service_1_deployment](../../01-Getting_Started/01-hello_world_1_service_1_deployment)
-
 # Description
 
-On this example, a new Istio Ingress Load Balancer is deployed.
+On this example, a new Istio Ingress Load Balancer is deployed through the usage of an `IstioOperator` object, as well deploys a simple service for testing purposes.
 
-The previous example has been modified to utilize the Ingress resource just deployed.
 
-# Changelog
+This example configures:
 
-## Gateway
+    Generic Kubernetes resources:
+    - 1 Service
+    - 1 Deployment
+    
+    Istio resources:
+    - 1 Ingress Gateway Load Balancer
+    - 1 Gateway
+    - 1 Virtual Service
 
-```yaml
-apiVersion: networking.istio.io/v1alpha3
-kind: Gateway
-metadata:
-  name: helloworld-gateway
-spec:
-  selector:
-    istio: myingressgateway # use istio default controller
-  servers:
-    - port:
-        number: 80
-        name: http
-        protocol: HTTP
-      hosts:
-        - "*"
-```
+> **Note:**\
+> I don't intend to explain thing related to Kubernetes unless necessary.
 
-The selector `Istio` has been updated to `myingressgateway`, to match the selector of the Istio Ingress Load Balancer that will be created.
+# Configuration
 
 ## Namespace
 
+Creates the namespace `istio-ingress` with the `istio-injection` enabled.
+
 ```yaml
 apiVersion: v1
 kind: Namespace
@@ -48,10 +38,67 @@ metadata:
     istio-injection: "enabled"
 ```
 
-The namespace `istio-ingress` will have the label `istio-injection` with the contents set to `enabled` to allow Istio to automatically inject the Istio sidecars to the resources within that namespace, unless specified otherwise.
+## Service
+
+Creates a service named `helloworld`.
+
+This service listens for the port `80` expecting `HTTP` traffic and will forward the incoming traffic towards the port `80` from the destination pod.
+
+```yaml
+apiVersion: v1
+kind: Service
+metadata:
+  name: helloworld
+  labels:
+    app: helloworld
+    service: helloworld
+spec:
+  ports:
+    - port: 80
+      name: http
+  selector:
+    app: helloworld
+```
+
+## Deployment
+
+Deploys a Nginx server that listens for the port `80`.
+
+```yaml
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: helloworld-nginx
+  labels:
+    app: helloworld
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app: helloworld
+  template:
+    metadata:
+      labels:
+        app: helloworld
+    spec:
+      containers:
+        - name: helloworld
+          image: nginx
+          resources:
+            requests:
+              cpu: "100m"
+          imagePullPolicy: IfNotPresent #Always
+          ports:
+            - containerPort: 80
+```
 
 ## IstioOperator
 
+
+Deploys an Istio Ingress Load Balancer named `myistio-ingressgateway`.
+
+It will contain the selector `istio: myingressgateway`.
+
 ```yaml
 apiVersion: install.istio.io/v1alpha1
 kind: IstioOperator
@@ -75,28 +122,104 @@ spec:
         injectionTemplate: gateway
 ```
 
-The following configuration will create an Istio Ingress Load Balancer named `myistio-ingressgateway`, located at the namespace `istio-ingress`.
+## Gateway
 
-The label `istio`, refers to the selector that the `Gateway` resources will use to specify the targeted Istio resource.
+Deploys an Istio gateway that's listening to the port `80` for `HTTP` traffic.
+
+It doesn't filter for any specific host.
+
+The `selector` field is used to "choose" which Istio Load Balancers will have this gateway assigned to.
+
+On this scenario, we want to target the Istio Ingress Load Balancer we just created, therefore the value of the selector will be `istio: myingressgateway`.
+
+```yaml
+apiVersion: networking.istio.io/v1alpha3
+kind: Gateway
+metadata:
+  name: helloworld-gateway
+spec:
+  selector:
+    istio: myingressgateway # Uses the selector we just deployed
+  servers:
+    - port:
+        number: 80
+        name: http
+        protocol: HTTP
+      hosts:
+        - "*"
+```
+
+## VirtualService
+
+The Virtual Service resources are used to route and filter the received traffic from the gateway resources, and route it towards the desired destination.
+
+On this example we select the gateway `helloworld-gateway`, which is the [gateway that 's described in the `Gateway` section](#gateway).
+
+On this resource, we are also not limiting the incoming traffic to any specific host, allowing for all the incoming traffic to go through the rules set.
+
+Here we created a rule that will be applied on `HTTP` related traffic (including `HTTPS` and `HTTP2`) when the destination path is exactly `/helloworld`.
+
+This traffic will be forwarded to the port `80` of the destination service `helloworld` (the full path URL equivalent would be `helloworld.$NAMESPACE.svc.cluster.local`).
+
+Additionally, there will be an internal URL rewrite set, as if the URL is not modified, it would attempt to reach to the `/helloworld` path from the Nginx deployment, which currently has no content and would result in an error code `404` (Not found).
+
+```yaml
+apiVersion: networking.istio.io/v1alpha3
+kind: VirtualService
+metadata:
+  name: helloworld-vs
+spec:
+  hosts:
+    - "*"
+  gateways:
+    - helloworld-gateway
+  http:
+    - match:
+        - uri:
+            exact: /helloworld
+      route:
+        - destination:
+            host: helloworld
+            port:
+              number: 80
+      rewrite:
+        uri: "/"
+```
 
 # Walkthrough
 
 ## Deploy resources
 
-### Create namespace
+Deploy the resources.
 
 ```shell
-kubectl apply -f 01-namespace.yaml
+kubectl apply -f ./ 
 ```
 ```text
 namespace/istio-ingress created
+deployment.apps/helloworld-nginx created
+gateway.networking.istio.io/helloworld-gateway created
+service/helloworld created
 ```
 
-### Create / Install the Istio Ingress resource
+## Wait for the deployment to be ready
 
+Wait for the Nginx deployment to be up and ready.
 
 ```shell
-istioctl install -f ingress.yaml
+kubectl get deployment helloworld-nginx -w 
+```
+```text
+NAME               READY   UP-TO-DATE   AVAILABLE   AGE
+helloworld-nginx   1/1     1            1           16s
+```
+
+## Install the Istio Ingress Gateway Load Balancer
+
+Press `y` to install.
+
+```shell
+istioctl install -f IstioOperator/IstioOperator.yaml
 ```
 ```text
 This will install the Istio 1.17.2 empty profile into the cluster. Proceed? (y/N) y
@@ -105,92 +228,73 @@ This will install the Istio 1.17.2 empty profile into the cluster. Proceed? (y/N
 Thank you for installing Istio 1.17.  Please take a few minutes to tell us about your install/upgrade experience!  https://forms.gle/hMHGiwZHPU7UQRWe9
 ```
 
-### Deploy gateway
+## Test the service
+
+### Get LB IP
+
+To perform the desired tests, we will need to obtain the IP Istio Load Balancer that we selected in the [Gateway section](#gateway).
+
+On my environment, the IP is the `192.168.1.50`.
 
 ```shell
-kubectl apply -f Gateway.yaml
+kubectl get svc -l istio=myingressgateway -A
 ```
 ```text
- 
-gateway.networking.istio.io/helloworld-gateway created
-virtualservice.networking.istio.io/helloworld-vs created
+NAMESPACE       NAME                     TYPE           CLUSTER-IP     EXTERNAL-IP    PORT(S)                                      AGE
+istio-ingress   myistio-ingressgateway   LoadBalancer   10.96.116.25   192.168.1.51   15021:31681/TCP,80:31993/TCP,443:32596/TCP   116s
 ```
 
-### Deploy deployment
+### Curl /helloworld
+
+Due to accessing the path `/helloworld`, we are triggering the rule set on the [VirtualService configuration](#virtualservice), sending a request to the Nginx backend and returning us its contents.
 
 ```shell
-kubectl apply -f deployment-nomtls.yaml
+curl 192.168.1.51/helloworld -s | grep "<title>.*</title>" 
 ```
 ```text
-service/helloworld created
-deployment.apps/helloworld-nginx created
+<title>Welcome to nginx!</title>
 ```
 
-## Testing deployment
+### Curl /other
+
+What happens if we access a path or URL that doesn't trigger any rule?
 
-### Get Load Balancer IP
 
 ```shell
-kubectl get svc -n istio-ingress
+curl 192.168.1.51/other -s -I 
 ```
 ```text
-NAME                     TYPE           CLUSTER-IP       EXTERNAL-IP    PORT(S)                                      AGE
-myistio-ingressgateway   LoadBalancer   10.102.158.128   192.168.1.51   15021:31181/TCP,80:30090/TCP,443:31285/TCP   5m10s
-```
-
-### Curl
-
-The request results in status code `200`, meaning a correct handling of the request.
-
-```shell
-curl 192.168.1.51/helloworld -I
-```
-```text
-HTTP/1.1 200 OK
+HTTP/1.1 404 Not Found
+date: Sat, 01 Jul 2023 13:27:14 GMT
 server: istio-envoy
-date: Sun, 23 Apr 2023 06:40:57 GMT
-content-type: text/html
-content-length: 615
-last-modified: Tue, 28 Mar 2023 15:01:54 GMT
-etag: "64230162-267"
-accept-ranges: bytes
-x-envoy-upstream-service-time: 15
+transfer-encoding: chunked
 ```
-# Cleanup
 
-[Yeah no idea, gl with that.](https://stackoverflow.com/a/55731730)
+We receive a status code `404`.
+
+I would like to put emphasis on the following line returned:
+
+```text
+server: istio-envoy
+```
+
+This means that the contents returned was performed by the Istio service, therefore, the request was able to reach Istio and received a response from it.
+
+## Cleanup
+
+Finally, a cleanup from the resources deployed.
+
+It might take a minute or two, don't **panik** if that's the case.
+
+Take into account that deleting the namespace will also delete the resources in it, **so be careful!**
 
 ```shell
-kubectl delete -f ./deployment-nomtls.yaml
-kubectl delete -f ./Gateway.yaml
+kubectl delete -f ./
 ```
 ```text
-service "helloworld" deleted
+namespace "istio-ingress" deleted
 deployment.apps "helloworld-nginx" deleted
 gateway.networking.istio.io "helloworld-gateway" deleted
+service "helloworld" deleted
 virtualservice.networking.istio.io "helloworld-vs" deleted
-```
-
-```shell
-istioctl uninstall --purge
-```
-
-Also read that "just removing" the namespace works to purge the config/remove resources.
-
-Meanwhile, I did that (and seems like it performed correctly), I am not entirely sure about it. I'm not bothered myself as the environment where I am performing the tests is intended to be destroyed anytime and recreated, yet in a production environment I am not sure how this would need to be approached.
-
-Maybe with a `kubectl get all -A` and through `grep` and `less` find resources and configurations, and delete them manually.
-
-```shell
-kubectl delete namespace istio-ingress
-```
-
-# Troubleshooting
-
-## curl: (7) Failed to connect to 192.168.1.51 port 80 after 2 ms: Couldn't connect to server
-
-Ensure that the gateway is using the correct `selector` to target the Istio Ingress Load Balancer created.  
-
-# Links of interest
-
-- https://istio.io/latest/docs/setup/additional-setup/gateway/#deploying-a-gateway
+```

09-Ingress/01-Create-Istio-LoadBalancer/Service.yaml

@@ -0,0 +1,13 @@
+apiVersion: v1
+kind: Service
+metadata:
+  name: helloworld
+  labels:
+    app: helloworld
+    service: helloworld
+spec:
+  ports:
+    - port: 80
+      name: http
+  selector:
+    app: helloworld

09-Ingress/01-Create-Istio-LoadBalancer/VirtualService.yaml

@@ -0,0 +1,20 @@
+apiVersion: networking.istio.io/v1alpha3
+kind: VirtualService
+metadata:
+  name: helloworld-vs
+spec:
+  hosts:
+    - "*"
+  gateways:
+    - helloworld-gateway
+  http:
+    - match:
+        - uri:
+            exact: /helloworld
+      route:
+        - destination:
+            host: helloworld
+            port:
+              number: 80
+      rewrite:
+        uri: "/"

10-mTLS_PeerAuthentication/01-disable-mTLS/README.md

@@ -558,7 +558,7 @@ On this scenario, we met a fatal error, not allowing us to access the service, u
 
 From my understanding, not only from this interaction, but from investigating through Istio forums (yet I don't have the link handy, so take this words with some grains of salt), **the traffic cannot be double terminated**, for such if we have an `HTTPS` backend, we might require to disable `mTLS` in order to communicate with it. We also would need to set a [Destination Rule like we did further above](#destination-rule), to specify that the traffic must be terminated with the backend (`tls.mode: STRICT`).
 
-Yet this depends on which would be our architecture, due also being able to set up [TLS Passthrough](../../03-Gateway_Ingress/11-TLS-PASSTHROUGH), or use a [TCP Forwarding](../../03-Gateway_Ingress/10-TCP-FORWARDING).
+Yet this depends on which would be our architecture, due also being able to set up [TLS Passthrough](../../03-Gateway_Ingress/06-TLS-PASSTHROUGH), or use a [TCP Forwarding](../../03-Gateway_Ingress/05-TCP-FORWARDING).
 
 ```shell
 curl 192.168.1.50/https-mTLS

90-MixConfigs/01-HTTPS-Gateway_Service_Entry/README.md

@@ -8,7 +8,7 @@ The page used as a destination is my own [GitHub page](https://github.com/).
 
 # Based on
 
-- [05-hello_world_1_Service_Entry](../../04-Backends/05-Service_Entry)
+- [05-hello_world_1_Service_Entry](../../04-Backends/01-Service_Entry)
 
 # Configuration
 
@@ -24,10 +24,10 @@ Bear in mind that when Istio is communicating with resources externals to the me
 
 Also, policy enforcement is performed in the client side instead of the server side.
 
-> **Note:**/
+> **Note:**\
 > For more information regarding the `resolution` field or the `location` field, refer to the following official Istio documentations:
-> [ServiceEntry.Location](https://istio.io/latest/docs/reference/config/networking/service-entry/#ServiceEntry-Location)
-> [ServiceEntry.Resolution](https://istio.io/latest/docs/reference/config/networking/service-entry/#ServiceEntry-Resolution)
+> - [ServiceEntry.Location](https://istio.io/latest/docs/reference/config/networking/service-entry/#ServiceEntry-Location)
+> - [ServiceEntry.Resolution](https://istio.io/latest/docs/reference/config/networking/service-entry/#ServiceEntry-Resolution)
 
 ```yaml
 apiVersion: networking.istio.io/v1alpha3
@@ -75,7 +75,7 @@ The path `/external` will forward the request towards the destination URL `githu
 
 Highlight that the destination is `github.com`, which is the same as the contents set on the field `host` from the [ServiceEntry resource configured above](#serviceentry).
 
-As seen [in the previous example, where the host that didn't have the `HOST` header wasn't able to receive a response by the destination](../../04-Backends/05-Service_Entry/#external-noh), we configured the `HOST` header to match the URL from the external service.
+As seen [in the previous example, where the host that didn't have the `HOST` header wasn't able to receive a response by the destination](../../04-Backends/01-Service_Entry/#external-noh), we configured the `HOST` header to match the URL from the external service.
 
 ```yaml
 apiVersion: networking.istio.io/v1alpha3
@@ -108,7 +108,7 @@ spec:
 
 ## DestinationRule
 
-As seen in the example [02-Traffic_management/09-HTTPS-backend](../../04-Backends/09-HTTPS-backend), where we configure Istio to use an `HTTPS` backend, the same configuration is applied on this case (yes, I am aware that a `ServiceEntry` is also a backend).
+As seen in the example [02-Traffic_management/09-HTTPS-backend](../../04-Backends/02-HTTPS-backend), where we configure Istio to use an `HTTPS` backend, the same configuration is applied on this case (yes, I am aware that a `ServiceEntry` is also a backend).
 
 For such, we deploy a `DestinationRule` setting to expect to terminate the TLS traffic, for the traffic with resource destination `github.com`, and port `8443`, which matches the settings set in our [ServiceEntry](#serviceentry) deployed.
 

90-MixConfigs/Minecraft/ConfigMap.yaml

@@ -0,0 +1,24 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: minecraft-config
+  namespace: default
+  labels:
+    app: minecraft
+data:
+  EULA: "TRUE"
+  MEMORY: 1G
+  TYPE: "FOLIA"
+  FORCE_REDOWNLOAD: "FALSE"
+  VERSION: "1.19.4"
+  MOTD: "My minecraft world!"
+  ONLINE_MODE: "FALSE"
+  ENABLE_QUERY: "TRUE"
+  ENABLE_RCON: "FALSE"
+  ALLOW_NETHER: "FALSE"
+  GENERATE_STRUCTURES: "FALSE"
+  SNOOPER_ENABLED: "FALSE"
+  SPAWN_ANIMALS: "FALSE"
+  SPAWN_MONSTERS: "FALSE"
+  SPAWN_NPCS: "FALSE"
+  ENABLE_AUTOPAUSE: "TRUE"

90-MixConfigs/Minecraft/Deployment.yaml

@@ -0,0 +1,32 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: minecraft-1
+  namespace: default
+  labels:
+    app: minecraft
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app: minecraft
+  template:
+    metadata:
+      labels:
+        app: minecraft
+    spec:
+      containers:
+        - name: minecraft
+          image: itzg/minecraft-server
+          resources:
+            requests:
+              cpu: "100m"
+          imagePullPolicy: IfNotPresent #Always
+          ports:
+            - containerPort: 25565
+          envFrom:
+            - configMapRef:
+                name: minecraft-config
+          env:
+            - name: MOTD
+              value: "World 1 Server"

90-MixConfigs/Minecraft/Gateway.yaml

@@ -0,0 +1,15 @@
+apiVersion: networking.istio.io/v1alpha3
+kind: Gateway
+metadata:
+  name: minecraft-gateway
+  namespace: default
+spec:
+  selector:
+    istio: games
+  servers:
+    - port:
+        number: 25565
+        name: tcp-1
+        protocol: TCP
+      hosts:
+        - "*"

90-MixConfigs/Minecraft/Istio-Ingress/Ingress.yaml

@@ -0,0 +1,27 @@
+apiVersion: install.istio.io/v1alpha1
+kind: IstioOperator
+metadata:
+  name: ingress
+spec:
+  profile: empty # Do not install CRDs or the control plane
+  components:
+    ingressGateways:
+      - name: ingress-games-gateway
+        namespace: istio-system
+        enabled: true
+        label:
+          # Set a unique label for the gateway. This is required to ensure Gateways
+          # can select this workload
+          istio: games
+        k8s:
+          service:
+            ports:
+              - port: 25565
+                targetPort: 25565
+                name: minecraft-port
+                protocol: TCP
+  values:
+    gateways:
+      istio-ingressgateway:
+        # Enable gateway injection
+        injectionTemplate: gateway

90-MixConfigs/Minecraft/README.md

@@ -0,0 +1 @@
+https://github.com/itzg/docker-minecraft-server/#server-configuration

90-MixConfigs/Minecraft/Service.yaml

@@ -0,0 +1,18 @@
+apiVersion: v1
+kind: Service
+metadata:
+  name: minecraft
+  namespace: default
+  labels:
+    app: minecraft
+    world: "1"
+spec:
+  ports:
+    - port: 25565
+      name: tcp-minecraft
+      protocol: TCP
+#      nodePort: 30000
+  selector:
+    app: minecraft
+    world: "1"
+#  type: NodePort

90-MixConfigs/Minecraft/VirtualService.yaml

@@ -0,0 +1,18 @@
+apiVersion: networking.istio.io/v1alpha3
+kind: VirtualService
+metadata:
+  name: minecraft-1
+  namespace: default
+spec:
+  hosts:
+    - "*"
+  gateways:
+    - minecraft-gateway
+  tcp:
+    - match:
+        - port: 25565
+      route:
+        - destination:
+            host: minecraft.default.svc.cluster.local
+            port:
+              number: 25565

README.md

@@ -1,92 +1,20 @@
 # Disclaimer:
 
-I have absolutely used as a reference and or template other party configurations/files.
+I have absolutely used as a reference and/or template other parties configurations/files as well of documentations and examples.
 
 I have tried to reference as much as possible as long it's relevant/useful for the reader.
 
-Refer to the specific `README.md` in each example for more information, as the documentation is still in progress.
-
-As per the moment, most of the examples are located in 02-Traffic_management.
+Refer to the specific `README.md` in each example for more information, as (**my**) documentation is still in progress.
 
 Currently, the resources are under a relocation and the folders might contain things that don't _really match the topic_.  
 
-# Stuff
 
-## Directories
-
-```text
-├── 00-Troubleshooting
-├── 01-Getting_Started
-│   ├── 01-hello_world_1_service_1_deployment
-│   ├── 02-hello_world_1_service_2_deployments_unmanaged
-│   ├── 03-hello_world_1_service_2_deployments_managed_version
-│   └── 04-hello_world_1_service_2_deployments_managed_version_foo_namespace
-├── 02-Traffic_management
-│   ├── 01-2_deployments_method
-│   ├── 02-DirectResponse-HTTP-Body
-│   ├── 03-HTTPRewrite
-│   ├── 04-HTTPRedirect
-│   ├── 05a-FaultInjection-delay
-│   ├── 05b-FaultInjection-abort
-│   ├── 05-hello_world_1_Service_Entry
-│   ├── 06-hello_world_1_HTTPS-Service_Entry
-│   │   └── src
-│   ├── 06-mTLS
-│   ├── 07-HTTPS-Gateway-Simple-TLS
-│   ├── 08a-HTTPS-min-TLS-version
-│   ├── 08b-HTTPS-max-TLS-version
-│   ├── 09-HTTPS-backend
-│   ├── 10-TCP-FORWARDING
-│   ├── 11-TLS-PASSTHROUGH
-│   ├── 12-HTTP-to-HTTPS-traffic-redirect
-│   └── src
-├── 03-Sidecar
-│   └── 01-ingress-proxy-forwarding
-├── 04-Envoy
-│   └── 01-envoy_add_headers
-├── 05-MeshConfig
-│   └── 01-Outboud-Traffic-Policy
-├── 06-AuthorizationPolicy
-│   ├── 01-target-namespaces
-│   ├── 02-target-service-accounts
-│   └── 03-target-deployments
-├── 09-Ingress
-│   └── 01-Create-Istio-LoadBalancer
-├── 10-PeerAuthentication
-│   ├── 01-disable-mTLS
-│   └── 02-portLevelMtls
-├── 99-resources
-│   └── HTTPS-NGINX-DOCKERFILE
-└── XX-CirtcuitBreaking
-```
-
-## Glossary
+# Glossary
 
 https://istio.io/latest/docs/reference/glossary/
 
-## Workload
-
-https://istio.io/latest/docs/reference/glossary/#workload
-
-https://kiali.io/docs/architecture/terminology/concepts/#workload
 
 
-https://istio.io/latest/docs/ops/deployment/vm-architecture/
-
-
-## Sidecar
-
-https://kubebyexample.com/learning-paths/istio/intro
-
-
-# Notes for myself
-
-Internal and external authentication should be set together.
-
-
-https://istio.io/latest/docs/ops/diagnostic-tools/proxy-cmd/
-
-https://istio.io/latest/docs/ops/deployment/deployment-models/
 
 ## Services port names
 
@@ -106,12 +34,66 @@ https://istio.io/latest/docs/ops/configuration/traffic-management/protocol-selec
 
 
 
-# Workload selector is cool
-
-- https://istio.io/latest/docs/reference/config/type/workload-selector/#WorkloadSelector
-
 # Links of interest
 
+- https://istio.io/latest/docs/
+
 - https://istiobyexample.dev/
 
-- https://www.istioworkshop.io/
+- https://www.istioworkshop.io/
+
+- https://istio.io/latest/news/
+
+- https://istio.io/latest/blog/
+
+- https://istio.io/latest/about/ecosystem/
+
+# Tree of folders
+
+```text
+├── 00-Troubleshooting
+├── 01-Getting_Started
+│   ├── 01-hello_world_1_service_1_deployment
+│   ├── 02-hello_world_1_service_2_deployments_unmanaged
+│   ├── 03-hello_world_1_service_2_deployments_managed_version
+│   └── 04-hello_world_1_service_2_deployments_managed_version_foo_namespace
+├── 02-Traffic_management
+│   ├── 01-header_routing
+│   ├── 02-DirectResponse-HTTP-Body
+│   ├── 03-HTTPRewrite
+│   └── 04-HTTPRedirect
+├── 03-Gateway_Ingress
+│   ├── 01-Host_Based_Routing
+│   ├── 02-Restrict_Namespaces
+│   ├── 03-HTTPS-Gateway-Simple-TLS
+│   ├── 04a-HTTPS-min-TLS-version
+│   ├── 04b-HTTPS-max-TLS-version
+│   ├── 05-TCP-FORWARDING
+│   ├── 06-TLS-PASSTHROUGH
+│   └── 07-HTTP-to-HTTPS-traffic-redirect
+├── 04-Backends
+│   ├── 01-Service_Entry
+│   └── 02-HTTPS-backend
+├── 05-Sidecar
+│   ├── 01-ingress-proxy-forwarding
+│   └── 02-egress-proxy
+├── 08-AuthorizationPolicy
+│   ├── 01-target-namespaces
+│   ├── 02-target-service-accounts
+│   └── 03-target-deployments
+├── 09-Ingress
+│   └── 01-Create-Istio-LoadBalancer
+├── 10-mTLS_PeerAuthentication
+│   ├── 01-disable-mTLS
+│   ├── 02-portLevelMtls
+│   └── 06-mTLS
+├── 11-Fault_Injection
+│   ├── 05a-FaultInjection-delay
+│   └── 05b-FaultInjection-abort
+├── 12-CircuitBreaking
+├── 90-MixConfigs
+│   ├── 01-HTTPS-Gateway_Service_Entry
+│   └── Minecraft
+└── 99-resources
+    └── HTTPS-NGINX-DOCKERFILE
+```