diff --git a/Istio/00-Troubleshooting/README.md b/Istio/00-Troubleshooting/README.md index fe5d235..76e484c 100644 --- a/Istio/00-Troubleshooting/README.md +++ b/Istio/00-Troubleshooting/README.md @@ -3,8 +3,6 @@ gitea: none include_toc: true --- - - # Istioctl analyze `istioctl analyze` reviews the current configuration set. @@ -39,10 +37,27 @@ istioctl analyze -n istio-operator Info [IST0102] (Namespace istio-operator) The namespace is not enabled for Istio injection. Run 'kubectl label namespace istio-operator istio-injection=enabled' to enable it, or 'kubectl label namespace istio-operator istio-injection=disabled' to explicitly mark it as not needing injection. ``` +## Example of spotting a misconfiguration + +In this example, I have configured the gateway to listen to a port that currently is not open in the Isito Load Balancer selected. + +```shell +istioctl analyze +``` +```text +Warning [IST0104] (Gateway default/helloworld-gateway) The gateway refers to a port that is not exposed on the workload (pod selector istio=ingressgateway; port 81) +``` + # Start the packet capture process on the istio-proxy container from a pod. Target a pod and start a packet capture on the istio-proxy container. +This step requires istio to be installed with the flag `values.global.proxy.privileged=true` + +This is very useful to confirm if the service is receiving any traffic, or which is the traffic received. + +If mTLS is enabled and configured, the traffic received should be encrypted. + ```shell $ kubectl exec -n default "$(kubectl get pod -n default -l app=helloworld -o jsonpath={.items..metadata.name})" -c istio-proxy -- sudo tcpdump dst port 80 -A tcpdump: verbose output suppressed, use -v[v]... for full protocol decode diff --git a/Istio/01-Simple/01-hello_world_1_service_1_deployment/README.md b/Istio/01-Simple/01-hello_world_1_service_1_deployment/README.md index 794d4d1..f48a3ab 100755 --- a/Istio/01-Simple/01-hello_world_1_service_1_deployment/README.md 
+++ b/Istio/01-Simple/01-hello_world_1_service_1_deployment/README.md @@ -107,7 +107,7 @@ helloworld-nginx 1/1 1 1 44s ### Get LB IP ```shell -$ kubectl get svc istio-ingressgateway -n istio-system +$ kubectl get svc -l istio=ingressgateway -A NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE istio-ingressgateway LoadBalancer 10.97.47.216 192.168.1.50 15021:31316/TCP,80:32012/TCP,443:32486/TCP 39h ``` diff --git a/Istio/02-Traffic_management/07-HTTPS-Gateway-Simple-TLS/README.md b/Istio/02-Traffic_management/07-HTTPS-Gateway-Simple-TLS/README.md index 0b74632..ac080b5 100644 --- a/Istio/02-Traffic_management/07-HTTPS-Gateway-Simple-TLS/README.md +++ b/Istio/02-Traffic_management/07-HTTPS-Gateway-Simple-TLS/README.md @@ -147,6 +147,14 @@ x-envoy-upstream-service-time: 96 ```shell kubectl delete -n istio-system secret my-tls-cert-secret ``` + +```text +secret "my-tls-cert-secret" deleted +``` + +```shell +kubectl delete -f ./ +``` ```text service "helloworld" deleted deployment.apps "helloworld-nginx" deleted @@ -154,12 +162,6 @@ gateway.networking.istio.io "helloworld-gateway" deleted virtualservice.networking.istio.io "helloworld-vs" deleted ``` -```shell -kubectl delete -f ./ -``` -```text -secret "my-tls-cert-secret" deleted -``` ```shell rm -rv certfolder/ ``` diff --git a/Istio/02-Traffic_management/08a-HTTPS-min-TLS-version/README.md b/Istio/02-Traffic_management/08a-HTTPS-min-TLS-version/README.md index 42d9907..76708e4 100644 --- a/Istio/02-Traffic_management/08a-HTTPS-min-TLS-version/README.md +++ b/Istio/02-Traffic_management/08a-HTTPS-min-TLS-version/README.md 
@@ -152,18 +152,19 @@ x-envoy-upstream-service-time: 13 kubectl delete -n istio-system secret my-tls-cert-secret ``` ```text -service "helloworld" deleted -deployment.apps "helloworld-nginx" deleted -gateway.networking.istio.io "helloworld-gateway" deleted -virtualservice.networking.istio.io "helloworld-vs" deleted +secret "my-tls-cert-secret" deleted ``` ```shell kubectl delete -f ./ ``` ```text -secret "my-tls-cert-secret" deleted +service "helloworld" deleted +deployment.apps "helloworld-nginx" deleted +gateway.networking.istio.io "helloworld-gateway" deleted +virtualservice.networking.istio.io "helloworld-vs" deleted ``` + ```shell rm -rv certfolder/ ``` @@ -175,4 +176,6 @@ removed directory 'certfolder/' # Links of Interest -- https://istio.io/latest/docs/reference/config/networking/gateway/#ServerTLSSettings-TLSProtocol \ No newline at end of file +- https://istio.io/latest/docs/reference/config/networking/gateway/#ServerTLSSettings-TLSProtocol + +- https://discuss.istio.io/t/minimum-tls-version/5541/3 \ No newline at end of file diff --git a/Istio/02-Traffic_management/08b-HTTPS-max-TLS-version/README.md b/Istio/02-Traffic_management/08b-HTTPS-max-TLS-version/README.md index 97ac603..e3833f4 100644 --- a/Istio/02-Traffic_management/08b-HTTPS-max-TLS-version/README.md +++ b/Istio/02-Traffic_management/08b-HTTPS-max-TLS-version/README.md @@ -15,6 +15,8 @@ The previous example was modified to limit and specify the maximum TLS version. ## Gateway +Gateway has been modified to limit the maximum TLS version to v1.2. + ```yaml apiVersion: networking.istio.io/v1alpha3 kind: Gateway @@ -36,7 +38,6 @@ spec: maxProtocolVersion: TLSV1_2 ``` -Gateway has been modified to limit the maximum TLS version to v1.2. # Walkthrough 
@@ -149,17 +150,17 @@ curl: (35) OpenSSL/3.0.8: error:0A00042E:SSL routines::tlsv1 alert protocol vers kubectl delete -n istio-system secret my-tls-cert-secret ``` ```text -service "helloworld" deleted -deployment.apps "helloworld-nginx" deleted -gateway.networking.istio.io "helloworld-gateway" deleted -virtualservice.networking.istio.io "helloworld-vs" deleted +secret "my-tls-cert-secret" deleted ``` ```shell kubectl delete -f ./ ``` ```text -secret "my-tls-cert-secret" deleted +service "helloworld" deleted +deployment.apps "helloworld-nginx" deleted +gateway.networking.istio.io "helloworld-gateway" deleted +virtualservice.networking.istio.io "helloworld-vs" deleted ``` ```shell rm -rv certfolder/ @@ -172,4 +173,6 @@ removed directory 'certfolder/' # Links of Interest -- https://istio.io/latest/docs/reference/config/networking/gateway/#ServerTLSSettings-TLSProtocol \ No newline at end of file +- https://istio.io/latest/docs/reference/config/networking/gateway/#ServerTLSSettings-TLSProtocol + +- https://discuss.istio.io/t/minimum-tls-version/5541/3 \ No newline at end of file diff --git a/Istio/02-Traffic_management/09-HTTPS-backend/README.md b/Istio/02-Traffic_management/09-HTTPS-backend/README.md new file mode 100644 index 0000000..76d945b --- /dev/null +++ b/Istio/02-Traffic_management/09-HTTPS-backend/README.md 
@@ -0,0 +1,345 @@ +--- +gitea: none +include_toc: true +--- + +# Based on + +- [08a-HTTPS-min-TLS-version](../08a-HTTPS-min-TLS-version) + +# Description + +This example contains a backend that serves HTTPS traffic and can be accessed from both `HTTP` and `HTTPS` requests through the gateway resource. + + +> **Note:**\ +> For more information about the image used refer to [here](https://hub.docker.com/r/oriolfilter/https-nginx-demo) + +# Configuration + +## Gateway + +The gateway is configured to listen to the port `80` for `HTTP` traffic, and to the port `443` for `HTTPS` traffic. + +The TLS configuration is set to `simple`, and the credentials (the object that contains the certificates/TLS configuration) is set to `my-tls-cert-secret`. + +Any of the configured ports has limited the hosts. + +```shell +apiVersion: networking.istio.io/v1alpha3 +kind: Gateway +metadata: + name: helloworld-gateway +spec: + selector: + istio: ingressgateway + servers: + - port: + number: 80 + name: http + protocol: HTTP + hosts: + - "*" + - port: + number: 443 + name: https + protocol: HTTPS + hosts: + - "*" + tls: + credentialName: my-tls-cert-secret + mode: SIMPLE +``` + +> **Note:**\ +> The credentials resource is created further bellow through the [Walkthrough](#walkthrough) steps. + +> **Note:**\ +> For more information regarding the TLS mode configuration, refer to the following [Istio documentation regarding the TLS mode field](https://istio.io/latest/docs/reference/config/networking/gateway/#ServerTLSSettings-TLSmode). + +## VirtualService + +The rule that contains, will receive traffic from the port `443` and `80`. + +This traffic will be directed towards destination of such is the service `helloworld.default.svc.cluster.local`, with port destination 8443. 
+ +This destination is the service that contains the `HTTPS` deployment, running over the port `8443` + +```yaml +apiVersion: networking.istio.io/v1alpha3 +kind: VirtualService +metadata: + name: helloworld-vs +spec: + hosts: + - "*" + gateways: + - helloworld-gateway + http: + - name: https-vs + match: + - port: 80 + - port: 443 + route: + - destination: + host: helloworld.default.svc.cluster.local + port: + number: 8443 +``` + +## DestinationRule + +This DestinationRule, will interject the traffic destined to the service `helloworld.default.svc.cluster.local` with port `8443`. + +As mentioned in the [Virtual Service](#virtualservice) section, the destination is the `HTTPS` service. + +By default, the call would be made with `HTTP` protocol, yet, as the destination is an `HTTPS` service, the request would result in the status code `400 Bad Request`, due sending HTTP traffic to an HTTPS service. + +To avoid this, we need to specify that the destination handles HTTPS traffic. + +By setting the `tls.mode` field with `simple`, it means that there will be an attempt to initialize a TLS handshake. + +> **Note:** +> For more information about the TLS mode, refer to the [Istio official documentation from the DestinationRule object regarding the TLS mode field](https://istio.io/latest/docs/reference/config/networking/destination-rule/#ClientTLSSettings-TLSmode). + +```yaml +apiVersion: networking.istio.io/v1alpha3 +kind: DestinationRule +metadata: + name: helloworld + namespace: default +spec: + host: helloworld.default.svc.cluster.local + trafficPolicy: + portLevelSettings: + - port: + number: 8443 + tls: + mode: SIMPLE +``` + +## Service + +The service will forward incoming TCP traffic from the port `8443`, towards the deployment port `443`. + +It's been specified the protocol expected to service, it being `HTTPS`. 
+ +```yaml +apiVersion: v1 +kind: Service +metadata: + name: helloworld + labels: + app: helloworld + service: helloworld +spec: + ports: + - name: https + port: 8443 + targetPort: 443 + protocol: TCP + appProtocol: HTTPS + selector: + app: helloworld +``` + +## Deployment + +Deployment listens to port 80 and 443. + +> **Note:**\ +> For more information about the image used refer to [here](https://hub.docker.com/r/oriolfilter/https-nginx-demo) + +```yaml +apiVersion: apps/v1 +kind: Deployment +metadata: + name: helloworld-nginx + labels: + app: helloworld +spec: + replicas: 1 + selector: + matchLabels: + app: helloworld + template: + metadata: + labels: + app: helloworld + spec: + containers: + - name: helloworld + image: oriolfilter/https-nginx-demo + resources: + requests: + cpu: "100m" + imagePullPolicy: IfNotPresent + ports: + - containerPort: 80 + - containerPort: 443 +``` + +## PeerAuthentication + +Due to the deployment having an `HTTPS`, and already initializing a TLS termination towards that service, we need to disable the **mTLS** tool for that specific service/deployment. + +On the [Destination Rule](#destinationrule) section we set the `tls` to `simple`, meaning that the service is expecting to receive `HTTPS` traffic, if `mTLS` is enabled, it will perform the handshake with the `mTLS` service, instead of with the destination `HTTPS` service. + +```yaml +apiVersion: security.istio.io/v1beta1 +kind: PeerAuthentication +metadata: + name: default-mtls + namespace: default +spec: + mtls: + mode: DISABLE +``` + +> **Note**:\ +> As this configuration is very board, and targets the whole namespace, I would strongly recommend referring to the following example [06-Internal-Authentication/02-target-service-accounts](../../06-Internal-Authentication/02-target-service-accounts), which shows how to target service accounts set to resources, limiting the scope of this rule set. 
+ +# Walkthrough + +## Generate client and server certificate and key files + +First step will be to generate the certificate and key files to be able to set them to the Gateway resource. + +### Create a folder to store files. + +Create the folder to contain the files that will be generated. + +```shell +mkdir certfolder +``` + +### Create a certificate and a private key. + +```shell +openssl req -x509 -sha256 -nodes -days 365 -subj '/O=Internet of things/CN=lb.net' -newkey rsa:2048 -keyout certfolder/istio.cert.key -out certfolder/istio.cert.crt +``` + +The files generated are the following: + +```yaml +private-key: certfolder/istio.cert.key +root-certificate: certfolder/istio.cert.crt +``` + +The information set to the certificate generated is the following: + +```yaml +Organization-name: Internet of things +CN: lb.net +``` + +### Create a TLS secret + +At this step we create the tls secret `my-tls-cert-secret` on the namespace `istio-system`. + +```shell +kubectl create -n istio-system secret tls my-tls-cert-secret \ + --key=certfolder/istio.cert.key \ + --cert=certfolder/istio.cert.crt +``` +```text +secret/my-tls-cert-secret created +``` +```text +service/helloworld created +deployment.apps/helloworld-nginx created +gateway.networking.istio.io/helloworld-gateway created +virtualservice.networking.istio.io/helloworld-vs created +``` + +> **Note:**\ +> It's Important that the secret is located in the same namespace as the Load Balancer used. In my case is the `istio-system`, but it will vary based on the environment. 
+ +## Deploy resources + +```shell +kubectl apply -f ./ +``` +```text +peerauthentication.security.istio.io/default-mtls created +service/helloworld created +deployment.apps/helloworld-nginx created +gateway.networking.istio.io/helloworld-gateway created +virtualservice.networking.istio.io/helloworld-vs created +destinationrule.networking.istio.io/helloworld created +``` + +## Test the service + +### Get LB IP + +```shell +kubectl get svc -l istio=ingressgateway -A +``` +```text +NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE +istio-ingressgateway LoadBalancer 10.97.47.216 192.168.1.50 15021:31316/TCP,80:32012/TCP,443:32486/TCP 39h +``` +### curl HTTP gateway + +Well, it works as expected. + +```shell +curl --insecure 192.168.1.50 -I +``` +```text +HTTP/1.1 200 OK +server: istio-envoy +date: Tue, 25 Apr 2023 04:41:19 GMT +content-type: text/html +content-length: 15 +last-modified: Tue, 25 Apr 2023 00:47:17 GMT +etag: "64472315-f" +strict-transport-security: max-age=7200 +accept-ranges: bytes +x-envoy-upstream-service-time: 28 +``` + +### curl HTTPS gateway + +Well, it works as expected. 
+ +```shell +curl --insecure https://192.168.1.50 -I +``` +```text +HTTP/2 200 +server: istio-envoy +date: Tue, 25 Apr 2023 04:42:07 GMT +content-type: text/html +content-length: 15 +last-modified: Tue, 25 Apr 2023 00:47:17 GMT +etag: "64472315-f" +strict-transport-security: max-age=7200 +accept-ranges: bytes +x-envoy-upstream-service-time: 13 +``` + + +## Cleanup + +```shell +kubectl delete -f ./ +``` + +```text +peerauthentication.security.istio.io "default-mtls" deleted +service "helloworld" deleted +deployment.apps "helloworld-nginx" deleted +gateway.networking.istio.io "helloworld-gateway" deleted +virtualservice.networking.istio.io "helloworld-vs" deleted +destinationrule.networking.istio.io "helloworld" deleted +``` + +# Links of Interest + +- https://istio.io/latest/docs/reference/config/networking/gateway/#Gateway + +- https://istio.io/latest/docs/reference/config/networking/gateway/#ServerTLSSettings-TLSmode + +- https://istio.io/latest/docs/reference/config/networking/destination-rule/#ClientTLSSettings-TLSmode \ No newline at end of file diff --git a/Istio/02-Traffic_management/09-HTTPS-backend/authentication.yaml b/Istio/02-Traffic_management/09-HTTPS-backend/authentication.yaml new file mode 100644 index 0000000..221a86d --- /dev/null +++ b/Istio/02-Traffic_management/09-HTTPS-backend/authentication.yaml @@ -0,0 +1,8 @@ +apiVersion: security.istio.io/v1beta1 +kind: PeerAuthentication +metadata: + name: default-mtls + namespace: default +spec: + mtls: + mode: DISABLE diff --git a/Istio/02-Traffic_management/09-HTTPS-backend/deployment.yaml b/Istio/02-Traffic_management/09-HTTPS-backend/deployment.yaml new file mode 100755 index 0000000..82e781b --- /dev/null +++ b/Istio/02-Traffic_management/09-HTTPS-backend/deployment.yaml 
@@ -0,0 +1,43 @@ +apiVersion: v1 +kind: Service +metadata: + name: helloworld + labels: + app: helloworld + service: helloworld +spec: + ports: + - port: 8443 + name: https + targetPort: 443 + protocol: TCP + appProtocol: https + selector: + app: helloworld +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: helloworld-nginx + labels: + app: helloworld +spec: + replicas: 1 + selector: + matchLabels: + app: helloworld + template: + metadata: + labels: + app: helloworld + spec: + containers: + - name: helloworld + image: oriolfilter/https-nginx-demo + resources: + requests: + cpu: "100m" + imagePullPolicy: IfNotPresent + ports: + - containerPort: 80 + - containerPort: 443 \ No newline at end of file diff --git a/Istio/02-Traffic_management/09-HTTPS-backend/gateway.yaml b/Istio/02-Traffic_management/09-HTTPS-backend/gateway.yaml new file mode 100755 index 0000000..861d59e --- /dev/null +++ b/Istio/02-Traffic_management/09-HTTPS-backend/gateway.yaml @@ -0,0 +1,57 @@ +apiVersion: networking.istio.io/v1alpha3 +kind: Gateway +metadata: + name: helloworld-gateway +spec: + selector: + istio: ingressgateway + servers: + - port: + number: 80 + name: http + protocol: HTTP + hosts: + - "*" + - port: + number: 443 + name: https + protocol: HTTPS + hosts: + - "*" + tls: + credentialName: my-tls-cert-secret + mode: SIMPLE +--- +apiVersion: networking.istio.io/v1alpha3 +kind: VirtualService +metadata: + name: helloworld-vs +spec: + hosts: + - "*" + gateways: + - helloworld-gateway + http: + - name: https-vs + match: + - port: 80 + - port: 443 + route: + - destination: + host: helloworld.default.svc.cluster.local + port: + number: 8443 +--- +apiVersion: networking.istio.io/v1alpha3 +kind: DestinationRule +metadata: + name: helloworld + namespace: default +spec: + host: helloworld.default.svc.cluster.local + trafficPolicy: + portLevelSettings: + - port: + number: 8443 + tls: + mode: SIMPLE 
diff --git a/Istio/02-Traffic_management/10-TCP-FORWARDING/README.md b/Istio/02-Traffic_management/10-TCP-FORWARDING/README.md new file mode 100644 index 0000000..7ca8464 --- /dev/null +++ b/Istio/02-Traffic_management/10-TCP-FORWARDING/README.md 
@@ -0,0 +1,240 @@ +--- +gitea: none +include_toc: true +--- + +# Based on + +- [08a-HTTPS-min-TLS-version](../08a-HTTPS-min-TLS-version) + +# Description + +The previous example was modified to set TCP forwarding towards the backend (HTTP and HTTPS backend). + +The backend contains an HTTPS service, which is used to demonstrate how the TCP forwarding is working as intended (aka doesn't disturb HTTP traffic). + +The same backend also contains the same service but running as HTTP, and for such has also been set in the gateway to display both working as intended. + +Additionally, the backend used, has HTTP2 enable, which also will be used to confirm that it's working as intended. + +> **Note:**\ +> For more information about the image used refer to [here](https://hub.docker.com/r/oriolfilter/https-nginx-demo) + +# Configuration + +## Gateway + +The gateway has been configured to listen both ports `80` and `443` through the TCP protocol, without any host specified. + +```yaml +apiVersion: networking.istio.io/v1alpha3 +kind: Gateway +metadata: + name: helloworld-gateway +spec: + selector: + istio: ingressgateway + servers: + - port: + number: 80 + name: tcp-1 + protocol: TCP + hosts: + - "*" + - port: + number: 443 + name: tcp-2 + protocol: TCP + hosts: + - "*" +``` + +## Virtual service + +Virtual service have 2 rules that perform the same behavior, on different ports. + +The rules will receive the traffic and forward it to the destination service and port. 
+ +```yaml +apiVersion: networking.istio.io/v1alpha3 +kind: VirtualService +metadata: + name: helloworld-vs +spec: + hosts: + - "*" + gateways: + - helloworld-gateway + tcp: + - match: + - port: 80 + route: + - destination: + host: helloworld.default.svc.cluster.local + port: + number: 8080 + - match: + - port: 443 + route: + - destination: + host: helloworld.default.svc.cluster.local + port: + number: 8443 +``` + +## Service + +The service will forward incoming traffic from the service port 8443, that will be forwarded towards the port 443 from the deployment. + + +```yaml +apiVersion: v1 +kind: Service +metadata: + name: helloworld + labels: + app: helloworld + service: helloworld +spec: + ports: + - port: 8443 + name: https + targetPort: 443 + protocol: TCP + appProtocol: https + selector: + app: helloworld +``` + +## Deployment + +Deployment listens to port 80 and 443. + +> **Note:**\ +> For more information about the image used refer to [here](https://hub.docker.com/r/oriolfilter/https-nginx-demo) + +```yaml +apiVersion: apps/v1 +kind: Deployment +metadata: + name: helloworld-nginx + labels: + app: helloworld +spec: + replicas: 1 + selector: + matchLabels: + app: helloworld + template: + metadata: + labels: + app: helloworld + spec: + containers: + - name: helloworld + image: oriolfilter/https-nginx-demo + resources: + requests: + cpu: "100m" + imagePullPolicy: IfNotPresent + ports: + - containerPort: 80 + - containerPort: 443 +``` + +## PeerAuthentication + +```yaml + +``` + +# Walkthrough + +## Deploy resources + +```shell +kubectl apply -f ./ +``` +```text +service/helloworld created +deployment.apps/helloworld-nginx created +gateway.networking.istio.io/helloworld-gateway created +virtualservice.networking.istio.io/helloworld-vs created +``` + +## Test the service + +### Get LB IP + +```shell +kubectl get svc -l istio=ingressgateway -A +``` +```text +NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE +istio-ingressgateway LoadBalancer 10.97.47.216 192.168.1.50 
15021:31316/TCP,80:32012/TCP,443:32486/TCP 39h +``` + +### curl HTTP + +```shell +curl http://192.168.1.50 -s -o=/dev/null -w 'http_version: %{http_version}\nstatus_code: %{response_code}\n' +``` +```text +http_version: 1.1 +status_code: 426 +``` + +#### curl HTTPS + +This already confirms that `HTTP2` is working as intended. + +```shell +curl https://192.168.1.50 -ks -o=/dev/null -w 'http_version: %{http_version}\nstatus_code: %{response_code}\n' --http1.1 +``` +```text +http_version: 2 +status_code: 200 +``` + +#### Curl HTTP2 + +The previous example already displayed that `HTTP2` is working as intended. + +This example is maintained due being explicitly to confirm the `HTTP2` feature. + +```shell +curl https://192.168.1.50 -w 'http_version: %{http_version}\nstatus_code: %{response_code}\n' --http2 -sk -o=/dev/null +``` +```text +http_version: 2 +status_code: 200 +``` + +#### Curl HTTP1.1 + +We can confirm that `HTTP1.1` also works over `TCP forwarding`. + +```shell +curl https://192.168.1.50 -w 'http_version: %{http_version}\nstatus_code: %{response_code}\n' --http1.1 -sk -o=/dev/null +``` +```text +http_version: 1.1 +status_code: 200 +``` + +## Cleanup + +```shell +kubectl delete -f ./ +``` + +```text +service "helloworld" deleted +deployment.apps "helloworld-nginx" deleted +gateway.networking.istio.io "helloworld-gateway" deleted +virtualservice.networking.istio.io "helloworld-vs" deleted +``` + +# Links of Interest + +- https://istio.io/latest/docs/reference/config/networking/gateway/#Gateway diff --git a/Istio/02-Traffic_management/10-TCP-FORWARDING/deployment.yaml b/Istio/02-Traffic_management/10-TCP-FORWARDING/deployment.yaml new file mode 100755 index 0000000..92c59bd --- /dev/null +++ b/Istio/02-Traffic_management/10-TCP-FORWARDING/deployment.yaml 
@@ -0,0 +1,46 @@ +apiVersion: v1 +kind: Service +metadata: + name: helloworld + labels: + app: helloworld + service: helloworld +spec: + ports: + - port: 8080 + name: http-web + targetPort: 80 + protocol: TCP + - port: 8443 + name: https-web + targetPort: 443 + protocol: TCP + selector: + app: helloworld +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: helloworld-nginx + labels: + app: helloworld +spec: + replicas: 1 + selector: + matchLabels: + app: helloworld + template: + metadata: + labels: + app: helloworld + spec: + containers: + - name: helloworld + image: oriolfilter/https-nginx-demo + resources: + requests: + cpu: "100m" + imagePullPolicy: IfNotPresent + ports: + - containerPort: 80 + - containerPort: 443 diff --git a/Istio/02-Traffic_management/10-TCP-FORWARDING/gateway.yaml b/Istio/02-Traffic_management/10-TCP-FORWARDING/gateway.yaml new file mode 100755 index 0000000..036596c --- /dev/null +++ b/Istio/02-Traffic_management/10-TCP-FORWARDING/gateway.yaml @@ -0,0 +1,45 @@ +apiVersion: networking.istio.io/v1alpha3 +kind: Gateway +metadata: + name: helloworld-gateway +spec: + selector: + istio: ingressgateway + servers: + - port: + number: 80 + name: tcp-1 + protocol: TCP + hosts: + - "*" + - port: + number: 443 + name: tcp-2 + protocol: TCP + hosts: + - "*" +--- +apiVersion: networking.istio.io/v1alpha3 +kind: VirtualService +metadata: + name: helloworld-vs +spec: + hosts: + - "*" + gateways: + - helloworld-gateway + tcp: + - match: + - port: 80 + route: + - destination: + host: helloworld.default.svc.cluster.local + port: + number: 8080 + - match: + - port: 443 + route: + - destination: + host: helloworld.default.svc.cluster.local + port: + number: 8443 \ No newline at end of file diff --git a/Istio/02-Traffic_management/11-TLS-PASSTHROUGH/README.md b/Istio/02-Traffic_management/11-TLS-PASSTHROUGH/README.md new file mode 100644 index 0000000..2437b2f --- /dev/null +++ b/Istio/02-Traffic_management/11-TLS-PASSTHROUGH/README.md 
@@ -0,0 +1,220 @@ +--- +gitea: none +include_toc: true +--- + +# Based on + +- [10-TCP-FORWARDING](../10-TCP-FORWARDING) + +# Description + +The previous example was modified set TLS Forwarding for the HTTPS, meaning that the TLS will be terminated by the backend containing a service capable of such. + +This requires a deployment with a service HTTPS (as it will need to handle the TLS termination ...). + +> **Note:**\ +> For more information about the image used refer to [here](https://hub.docker.com/r/oriolfilter/https-nginx-demo) + +# Configuration + +## Gateway + +The gateway was configured to listen the port `443` for `HTTPS` traffic protocol. + +The tls was configured as `PASSTHROUGH` + +```yaml +apiVersion: networking.istio.io/v1alpha3 +kind: Gateway +metadata: + name: helloworld-gateway + namespace: default +spec: + selector: + istio: ingressgateway + servers: + - port: + number: 443 + name: https-web + protocol: HTTPS + hosts: + - "*" + tls: + mode: PASSTHROUGH +``` + +## Virtual service + +Virtual service expected to receive traffic with designation, the host `lb.net`. + +The rule that contains, will receive traffic from the port `443`, with host destination `lb.net`. + +The destination of such is the service `helloworld.default.svc.cluster.local`, with port destination 8443. + +```yaml +apiVersion: networking.istio.io/v1alpha3 +kind: VirtualService +metadata: + name: helloworld-vs + namespace: default +spec: + hosts: + - "lb.net" + gateways: + - helloworld-gateway + tls: + - match: + - port: 443 + sniHosts: ["lb.net"] + route: + - destination: + host: helloworld.default.svc.cluster.local + port: + number: 8443 +``` + +## Service + +The service will forward incoming TCP traffic from the port `8443`, towards the deployment port `443`. + +It's been specified the protocol expected to service, it being `HTTPS`. 
+ +```yaml +apiVersion: v1 +kind: Service +metadata: + name: helloworld + labels: + app: helloworld + service: helloworld +spec: + ports: + - name: https + port: 8443 + targetPort: 443 + protocol: TCP + appProtocol: HTTPS + selector: + app: helloworld +``` + +## Deployment + +Deployment listens to port 80 and 443. + +> **Note:**\ +> For more information about the image used refer to [here](https://hub.docker.com/r/oriolfilter/https-nginx-demo) + +```yaml +apiVersion: apps/v1 +kind: Deployment +metadata: + name: helloworld-nginx + labels: + app: helloworld +spec: + replicas: 1 + selector: + matchLabels: + app: helloworld + template: + metadata: + labels: + app: helloworld + spec: + containers: + - name: helloworld + image: oriolfilter/https-nginx-demo + resources: + requests: + cpu: "100m" + imagePullPolicy: IfNotPresent + ports: + - containerPort: 80 + - containerPort: 443 +``` + +# Walkthrough + +## Deploy resources + +```shell +kubectl apply -f ./ +``` +```text +service/helloworld created +deployment.apps/helloworld-nginx created +gateway.networking.istio.io/helloworld-gateway created +virtualservice.networking.istio.io/helloworld-vs created +``` + +## Test the service + +### Get LB IP + +```shell +kubectl get svc -l istio=ingressgateway -A +``` +```text +NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE +istio-ingressgateway LoadBalancer 10.97.47.216 192.168.1.50 15021:31316/TCP,80:32012/TCP,443:32486/TCP 39h +``` +### curl HTTPS + +Well, it just works. + +The `--resolve` flag it's used to "fake" the traffic to match the filters we specified in the `Virtual Service`, specifically the `host` and `hostSNI` fields. + +```shell +curl --insecure --resolve lb.net:443:192.168.1.50 https://lb.net +``` +```text +
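Review bot: typo in the added sentence under "Example of spotting a misconfiguration" in Istio/00-Troubleshooting/README.md: "Isito Load Balancer" should read "Istio Load Balancer", and "listen to a port that currently is not open" reads better as "listen on a port that is not currently exposed", which matches the analyzer's own wording in the captured warning ("a port that is not exposed on the workload").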
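Review bot: the new prerequisite `values.global.proxy.privileged=true` in the packet-capture section of Istio/00-Troubleshooting/README.md needs a sentence on its scope. It is a global install value, so it makes every injected istio-proxy container run with a privileged security context, not only the one being captured; the README should state that this is a troubleshooting-only setting to be reverted once the capture is done. Also "istio" should be capitalised ("requires Istio to be installed"), and "confirm if the service is receiving any traffic, or which is the traffic received" reads better as "confirm whether the service is receiving any traffic, and what that traffic looks like".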
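Review bot: the sample output under "Get LB IP" in Istio/01-Simple/01-hello_world_1_service_1_deployment/README.md was not updated for the new command. `kubectl get svc -l istio=ingressgateway -A` prints a leading NAMESPACE column, but the block kept is the output of the old namespaced command (NAME first), so the columns no longer line up with the command shown. Re-capture the output; the same copied block appears in the new 09, 10 and 11 READMEs.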
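Review bot: the "Links of Interest" hunks in 08a-HTTPS-min-TLS-version and 08b-HTTPS-max-TLS-version still end with `\ No newline at end of file` after the edit; since the last line is being rewritten anyway, terminate it with a newline. The same applies to the new 09-HTTPS-backend README and to gateway.yaml/deployment.yaml in 09 and 10.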
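Review bot: wrong fence language in the new Istio/02-Traffic_management/09-HTTPS-backend/README.md: the Gateway manifest under "## Gateway" is fenced as ```shell although it is YAML like every other manifest on the page; tag it ```yaml. In the same section, "Any of the configured ports has limited the hosts." is unclear; both servers carry `hosts: ["*"]`, so say "Neither server restricts hosts (`*`)". Also "further bellow" should be "further below".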
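Review bot: the DestinationRule in 09-HTTPS-backend sets `tls.mode: SIMPLE` for port 8443 without `caCertificates` or `sni`, so the sidecar originates TLS to the backend without pinning a CA for the certificate it is presented with. The README should say this explicitly: it is acceptable for the self-signed demo image, but a reader copying the rule for a real backend needs to add `caCertificates` (and `sni`) to get server authentication. The PeerAuthentication section's own note already flags that `mode: DISABLE` on the whole `default` namespace is too broad; the explanation above it ("it will perform the handshake with the mTLS service, instead of with the destination HTTPS service") is hard to follow and should state plainly which two TLS layers would otherwise collide.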
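Review bot: stray output in the "Create a TLS secret" step of 09-HTTPS-backend/README.md: the second ```text block (`service/helloworld created` ... `virtualservice.networking.istio.io/helloworld-vs created`) is not output of `kubectl create secret`; it looks pasted from the deploy step and is also missing the peerauthentication and destinationrule lines that the "Deploy resources" block correctly shows. Drop it. The heading "Generate client and server certificate and key files" describes a step that only generates a server certificate; rename it. The README's Service block reads `appProtocol: HTTPS` while deployment.yaml in the same commit reads `appProtocol: https`; keep the two identical so the page matches what is applied.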
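Review bot: the "## PeerAuthentication" section in 10-TCP-FORWARDING/README.md contains an empty ```yaml block, and this commit adds no authentication.yaml to that directory; either remove the section or fill it in. The README's "## Service" block lists only port 8443, but deployment.yaml defines both 8080→80 and 8443→443, and the VirtualService routes port 80 to 8080; paste the full Service so the README matches the manifest (the README copy also carries `appProtocol: https`, which the manifest does not). In the description, "has HTTP2 enable" should be "has HTTP2 enabled".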
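Review bot: command/output mismatch in the "#### curl HTTPS" block of 10-TCP-FORWARDING/README.md: the command passes `--http1.1` but the captured output says `http_version: 2`, and the text says this "confirms that HTTP2 is working". curl will not negotiate h2 when `--http1.1` is given, so one of the two is wrong; most likely the flag should be dropped, since the dedicated "Curl HTTP2" and "Curl HTTP1.1" blocks below already cover both cases. The plain-HTTP test ending in `status_code: 426` also needs a sentence explaining why that is the expected result, otherwise it reads as a failure. Minor: `-o=/dev/null` is taken by curl as the file name `=/dev/null`; write `-o /dev/null`. Heading levels jump from `### curl HTTP` to `#### curl HTTPS`.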
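Review bot: terminology in the new 11-TLS-PASSTHROUGH/README.md: the description says "TLS Forwarding" while the Gateway sets `mode: PASSTHROUGH` and the directory is named TLS-PASSTHROUGH; use "TLS passthrough" throughout, and fix "was modified set" to "was modified to set". The curl note refers to `host` and `hostSNI` fields, but the VirtualService fields are `hosts` and `sniHosts`. The Service text ("It's been specified the protocol expected to service") is copied from 09; reword to "The service declares `appProtocol: HTTPS`". Since the example is based on 08a but the Gateway here carries no `credentialName`, say explicitly that in passthrough mode the gateway holds no certificate and `my-tls-cert-secret` is not needed: TLS is terminated by the backend, so the certificate the client sees is the backend's own.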