diff --git a/Istio/02-Traffic_management/09-HTTPS-backend (pending document)/README.md b/Istio/02-Traffic_management/09-HTTPS-backend (pending document)/README.md
index ad5fd8a..3b9d38e 100644
--- a/Istio/02-Traffic_management/09-HTTPS-backend (pending document)/README.md
+++ b/Istio/02-Traffic_management/09-HTTPS-backend (pending document)/README.md
@@ -189,123 +189,3 @@ virtualservice.networking.istio.io "helloworld-vs" deleted
```
# Links of Interest
-
-- https://istio.io/latest/docs/reference/config/networking/gateway/#ServerTLSSettings-TLSProtocol
-
-- https://stackoverflow.com/a/51279606
-
-- https://istio.io/latest/docs/reference/config/networking/destination-rule/#ConnectionPoolSettings-HTTPSettings-H2UpgradePolicy
-
-
-
-docker buildx build --push --platform linux/arm/v7,linux/arm64/v8,linux/amd64 --tag registery.filter.home:5000/https-demo:latest -f Dockerfile
-
-
-docker buildx build --push --platform linux/arm/v7,linux/arm64/v8,linux/amd64 --tag registery.filter.home:5000/https-demo:latest .
-[+] Building 0.0s (0/0)
-ERROR: multiple platforms feature is currently not supported for docker driver. Please switch to a different driver (eg. "docker buildx create --use")
-
----
-## Create the Dockerfile
-
-```bash
-FROM ubuntu/apache2
-
-RUN apt-get update && \
-apt-get install apache2 openssl -y && \
-a2ensite default-ssl && \
-a2enmod ssl && \
-echo "
Howdy
" | tee /var/www/html/index.html
-
-RUN /usr/bin/printf "\n\
- ServerAdmin webmaster@localhost\n\
- DocumentRoot /var/www/html\n\
- ErrorLog \${APACHE_LOG_DIR}/error.log\n\
- CustomLog \${APACHE_LOG_DIR}/access.log combined\n\
-\n\
-\n\
- ServerAdmin webmaster@localhost\n\
- DocumentRoot /var/www/html\n\
- ErrorLog \${APACHE_LOG_DIR}/error.log\n\
- CustomLog \${APACHE_LOG_DIR}/access.log combined\n\
- SSLEngine on\n\
- SSLCertificateFile /etc/ssl/certs/ssl-cert-snakeoil.pem\n\
- SSLCertificateKeyFile /etc/ssl/private/ssl-cert-snakeoil.key\n\
-" > /etc/apache2/sites-available/000-default.conf
-
-RUN openssl req -x509 -sha256 -nodes -days 358000 -subj '/O=SSL EXAMPLE/CN=lb.net' -newkey rsa:2048 -keyout /etc/ssl/private/ssl-cert-snakeoil.key -out /etc/ssl/certs/ssl-cert-snakeoil.pem
-```
-
-## Build the image
-
-Due to my Kubernetes cluster environment, where I am using Orange 5, their architecture is arm7, and for such, I require to compile such images.
-
-For my own commodity, I have used a raspberry pi 4 to build this images.
-
-The images where pushed to a local registry server, and afterwards the Kubernetes cluster will pull such image.
-
-```shell
- docker build --tag https-demo:armv7 .
-```
-```text
-docker build --tag https-demo:armv7 . --no-cache
-[+] Building 16.5s (8/8) FINISHED
- => [internal] load .dockerignore 0.0s
- => => transferring context: 2B 0.0s
- => [internal] load build definition from Dockerfile 0.0s
- => => transferring dockerfile: 1.09kB 0.0s
- => [internal] load metadata for docker.io/ubuntu/apache2:latest 0.4s
- => CACHED [1/4] FROM docker.io/ubuntu/apache2@sha256:0a5e7179fa8fccf17843a8862e58ac783628b7d448cd68fda8fb1e 0.0s
- => [2/4] RUN apt-get update && apt-get install apache2 openssl -y && a2ensite default-ssl && a2enmod ssl & 12.0s
- => [3/4] RUN /usr/bin/printf "\n ServerAdmin webmaster@localhost\n DocumentRoot /var/www/ 0.7s
- => [4/4] RUN openssl req -x509 -sha256 -nodes -days 358000 -subj '/O=SSL EXAMPLE' -newkey rsa:2048 -keyout 2.4s
- => exporting to image 1.0s
- => => exporting layers 1.0s
- => => writing image sha256:591c6d233100a48bf132eef7a792942cfd0b7057817c4ac5e156c1d33e24cd89 0.0s
- => => naming to docker.io/library/https-demo:armv7 0.0s
-```
-
-## Tag the image
-
-```shell
-docker image tag https-demo:armv7 registery.filter.home/https-demo:armv7
-```
-
-## Upload to the registery server
-
-```text
-docker image push registery.filter.home:5000/https-demo:armv7
-The push refers to repository [registery.filter.home:5000/https-demo]
-c6d858706b08: Pushed
-9e077e0202f0: Pushed
-6ffc708d0cf3: Pushed
-69e01b4bf4d7: Pushed
-17c5b30f3843: Pushed
-0b9f60fbcaf1: Pushed
-armv7: digest: sha256:d8c81c27f23bf3945ae8a794c82182f9e6c48ec927f388fdf4a88caa0e284bd1 size: 1578
-```
-
-
-
-## ?
-curl: (35) OpenSSL/3.0.8: error:0A00010B:SSL routines::wrong version numbe
-
-
-
-
-
----
-
-
-Has apache2 installed with a default certificate.
-
-Port 80 visible for HTTP
-
-Port 443 visible for HTTPS.
-
-
-
-
-curl https://192.168.1.2:8443 -s -o=/dev/null -w 'http_version: %{http_version}\nstatus_code: %{response_code}\n' -HHOST:http1.lb --http2 -k
-http_version: 2
-status_code: 200
\ No newline at end of file
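Review bot: the `# Links of Interest` heading at the top of this hunk is kept while every entry under it is removed, which leaves an empty section at the end of the README; either drop the heading as well or keep the links that still apply (the other READMEs in this change keep `- https://istio.io/latest/docs/reference/config/networking/gateway/#Gateway`). Removing the failed `docker buildx` attempt, the stray `## ?` with its `wrong version numbe` error and the loose notes after `---` is the right call, but the `## Create the Dockerfile` and `## Build the image` sections were the only record of how the `https-demo` image is produced, so that Dockerfile should live with the image's source if this README is going to reference a published image instead. One caveat to carry with it wherever it lands: the removed Dockerfile generates the server key during the image build (`RUN openssl req ... -keyout /etc/ssl/private/ssl-cert-snakeoil.key`), so every copy of the image shares one private key and one certificate valid for `-days 358000`; that is acceptable for a throwaway demo only and should be said next to the `FROM` line.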
diff --git a/Istio/02-Traffic_management/10-TCP-FORWARDING/README.md b/Istio/02-Traffic_management/10-TCP-FORWARDING/README.md
index 10fc093..f9a4a51 100644
--- a/Istio/02-Traffic_management/10-TCP-FORWARDING/README.md
+++ b/Istio/02-Traffic_management/10-TCP-FORWARDING/README.md
@@ -164,7 +164,9 @@ virtualservice.networking.istio.io/helloworld-vs created
### Get LB IP
```shell
-$ kubectl get svc -l istio=ingressgateway -A
+kubectl get svc -l istio=ingressgateway -A
+```
+```text
NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE
istio-ingressgateway LoadBalancer 10.97.47.216 192.168.1.50 15021:31316/TCP,80:32012/TCP,443:32486/TCP 39h
```
@@ -232,8 +234,4 @@ virtualservice.networking.istio.io "helloworld-vs" deleted
# Links of Interest
-- https://istio.io/latest/docs/reference/config/networking/gateway/#ServerTLSSettings-TLSProtocol
-
-- https://stackoverflow.com/a/51279606
-
-- https://istio.io/latest/docs/reference/config/networking/destination-rule/#ConnectionPoolSettings-HTTPSettings-H2UpgradePolicy
+- https://istio.io/latest/docs/reference/config/networking/gateway/#Gateway
diff --git a/Istio/02-Traffic_management/11-TLS-PASSTHROUGH/README.md b/Istio/02-Traffic_management/11-TLS-PASSTHROUGH/README.md
index 9a7e81b..716777a 100644
--- a/Istio/02-Traffic_management/11-TLS-PASSTHROUGH/README.md
+++ b/Istio/02-Traffic_management/11-TLS-PASSTHROUGH/README.md
@@ -9,13 +9,9 @@ include_toc: true
# Description
-The previous example was modified set TCP forwarding towards the backend.
+The previous example was modified set TLS Forwarding for the HTTPS, meaning that the TLS will be terminated by the backend containing a service capable of such.
-The backend contains an HTTPS service, which is used to demonstrate how the TCP forwarding is working as intended (aka doesn't disturb HTTP traffic).
-
-The same backend also contains the same service but running as HTTP, and for such has also been set in the gateway to display both working as intended.
-
-Additionally, the backend used, has HTTP2 enable, which also will be used to confirm that it's working as intended.
+This requires a deployment with a service HTTPS (as it will need to handle the TLS termination ...).
> **Note:**\
> For more information about the image used refer to [here](https://hub.docker.com/r/oriolfilter/https-apache-demo)
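Review bot: the replacement description drops words and ends on an ellipsis: `The previous example was modified set TLS Forwarding for the HTTPS` and `This requires a deployment with a service HTTPS (as it will need to handle the TLS termination ...)`. Suggest stating it plainly and with the term the configuration actually uses: the previous example was modified to use TLS passthrough, so the gateway forwards the TLS stream untouched and the backend terminates TLS; this requires a deployment whose service speaks HTTPS and holds its own certificate and key. It is also worth adding in the same paragraph that, because the gateway never decrypts the traffic, it can only route on the SNI value of the ClientHello and cannot apply HTTP-level matching, header rewrites or retries on this route.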
@@ -24,68 +20,65 @@ Additionally, the backend used, has HTTP2 enable, which also will be used to con
## Gateway
-Gateway been configured to listen both ports `80` and `443` through the TCP protocol, without any host specified.
+Gateway configured to listen the port `443` for `HTTPS` traffic protocol.
+
+The tls was configured as `PASSTHROUGH`
```yaml
apiVersion: networking.istio.io/v1alpha3
kind: Gateway
metadata:
name: helloworld-gateway
+ namespace: default
spec:
selector:
istio: ingressgateway
servers:
- - port:
- number: 80
- name: tcp-1
- protocol: TCP
- hosts:
- - "*"
- port:
number: 443
- name: tcp-2
- protocol: TCP
+ name: https-web
+ protocol: HTTPS
hosts:
- "*"
+ tls:
+ mode: PASSTHROUGH
```
## Virtual service
-Virtual service have 2 rules that perform the same behavior, on different ports.
+Virtual service expected to receive traffic with designation, the host `lb.net`.
-The rules will receive the traffic and forward it to the destination service and port.
+The rule that contains, will receive traffic from the port `443`, with host destination `lb.net`.
+
+The destination of such is the service `helloworld.default.svc.cluster.local`, with port destination 8443.
```yaml
apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
name: helloworld-vs
+ namespace: default
spec:
hosts:
- - "*"
+ - "lb.net"
gateways:
- helloworld-gateway
- tcp:
+ tls:
- match:
- - port: 80
+ - port: 443
+ sniHosts: ["lb.net"]
route:
- destination:
host: helloworld.default.svc.cluster.local
- port:
- number: 8080
- - match:
- - port: 443
- route:
- - destination:
- host: helloworld.default.svc.cluster.local
port:
number: 8443
```
## Service
-The service will forward the incoming TCP traffic with port 8080, to the deployment port 80.
-The same behavior is applied for the service port 8443, that will be forwarded towards the port 443 from the deployment.
+The service will forward incoming TCP traffic from the port `8443`, towards the deployment port `443`.
+
+It's been specified the protocol expected to service, it being `HTTPS`.
```yaml
apiVersion: v1
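Review bot: the prose in this hunk needs grammar fixes and one consistency fix. `Gateway configured to listen the port 443 for HTTPS traffic protocol.` reads better as `The Gateway listens on port 443 with protocol HTTPS.`; `The tls was configured as PASSTHROUGH` as `TLS mode is PASSTHROUGH, so the gateway does not terminate TLS and needs no credentialName.`; `Virtual service expected to receive traffic with designation, the host lb.net.` and `The rule that contains, will receive traffic from the port 443, with host destination lb.net.` collapse into one sentence: `The VirtualService matches TLS traffic arriving on port 443 whose SNI is lb.net and routes it to helloworld.default.svc.cluster.local on port 8443.`; and `It's been specified the protocol expected to service, it being HTTPS.` as `The service port declares appProtocol: HTTPS so Istio treats the port as TLS instead of sniffing it.` The YAML itself is consistent: the VirtualService `hosts: - "lb.net"` and the `sniHosts: ["lb.net"]` in the `tls` match must agree and they do; readers should be told that a `tls` route without `sniHosts` is rejected by Istio, and that a client connecting by IP or with any SNI other than `lb.net` will not match this route at all.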
@@ -97,14 +90,11 @@ metadata:
service: helloworld
spec:
ports:
- - port: 8080
- name: http-web
- targetPort: 80
- protocol: TCP
- - port: 8443
- name: https-web
+ - name: https
+ port: 8443
targetPort: 443
protocol: TCP
+ appProtocol: HTTPS
selector:
app: helloworld
```
@@ -164,57 +154,50 @@ virtualservice.networking.istio.io/helloworld-vs created
### Get LB IP
```shell
-$ kubectl get svc -l istio=ingressgateway -A
+kubectl get svc -l istio=ingressgateway -A
+```
+```text
NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE
istio-ingressgateway LoadBalancer 10.97.47.216 192.168.1.50 15021:31316/TCP,80:32012/TCP,443:32486/TCP 39h
```
+### curl HTTPS
-### curl HTTP
+Well, it just works.
+
+The `--resolve` flag it's used to "fake" the traffic to match the filters we specified in the `Virtual Service`, specifically the `host` and `hostSNI` fields.
```shell
-curl http://192.168.1.50 -s -o=/dev/null -w 'http_version: %{http_version}\nstatus_code: %{response_code}\n'
+curl --insecure --resolve lb.net:443:192.168.1.50 https://lb.net
```
```text
-http_version: 1.1
-status_code: 426
+Howdy
```
-#### curl HTTPS
+### curl HTTPS (HEAD)
-This already confirms that `HTTP2` is working as intended.
+Here we can spot the following sentence:
+
+- `server: nginx/1.23.4`
+
+This means that the TLS was handled by Nginx (verifying that the `TLS Passthrough` was performed correctly).
+
+If it had been managed by Istio, it would say:
+
+- `server: istio-envoy`
```shell
-curl https://192.168.1.50 -ks -o=/dev/null -w 'http_version: %{http_version}\nstatus_code: %{response_code}\n' --http1.1
+curl --insecure --resolve lb.net:443:192.168.1.50 https://lb.net --HEAD
```
```text
-http_version: 2
-status_code: 200
-```
-
-#### Curl HTTP2
-
-The previous example already displayed that `HTTP2` is working as intended.
-
-This example is maintained due being explicitly to confirm the `HTTP2` feature.
-
-```shell
-curl https://192.168.1.50 -w 'http_version: %{http_version}\nstatus_code: %{response_code}\n' --http2 -sk -o=/dev/null
-```
-```text
-http_version: 2
-status_code: 200
-```
-
-#### Curl HTTP1.1
-
-We can confirm that `HTTP1.1` also works over `TCP forwarding`.
-
-```shell
-curl https://192.168.1.50 -w 'http_version: %{http_version}\nstatus_code: %{response_code}\n' --http1.1 -sk -o=/dev/null
-```
-```text
-http_version: 1.1
-status_code: 200
+HTTP/2 200
+server: nginx/1.23.4
+date: Tue, 25 Apr 2023 02:49:33 GMT
+content-type: text/html
+content-length: 15
+last-modified: Tue, 25 Apr 2023 00:47:17 GMT
+etag: "64472315-f"
+strict-transport-security: max-age=7200
+accept-ranges: bytes
```
## Cleanup
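Review bot: the text refers to `hostSNI`, but the VirtualService field is `sniHosts` (alongside the VirtualService `hosts` entry); please correct the name so readers can grep for it. `--resolve lb.net:443:192.168.1.50` does not "fake" anything: it makes curl connect to the load balancer IP while still sending `lb.net` as SNI and Host, which is exactly what the passthrough match needs, and that is worth saying. `--insecure` is only needed because the backend presents a self-signed certificate; a stronger check is to pass the backend's certificate with `--cacert`, which also proves the client reached that backend rather than just something speaking TLS. The `server: nginx/1.23.4` header is good evidence that Envoy did not terminate TLS, but it contradicts the note above that points to `oriolfilter/https-apache-demo`, an Apache image, so one of the two is stale. Lastly, `--HEAD` is an unusual spelling of the documented `-I` / `--head` option; prefer the documented form.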
@@ -232,8 +215,6 @@ virtualservice.networking.istio.io "helloworld-vs" deleted
# Links of Interest
-- https://istio.io/latest/docs/reference/config/networking/gateway/#ServerTLSSettings-TLSProtocol
+- https://istio.io/latest/docs/reference/config/networking/gateway/#Gateway
-- https://stackoverflow.com/a/51279606
-
-- https://istio.io/latest/docs/reference/config/networking/destination-rule/#ConnectionPoolSettings-HTTPSettings-H2UpgradePolicy
+- https://istio.io/latest/docs/reference/config/networking/gateway/#ServerTLSSettings-TLSmode
\ No newline at end of file
diff --git a/Istio/02-Traffic_management/11-TLS-PASSTHROUGH/bk_old_nonworking_gateway.yaml b/Istio/02-Traffic_management/11-TLS-PASSTHROUGH/bk_old_nonworking_gateway.yaml
deleted file mode 100755
index 4305bf6..0000000
--- a/Istio/02-Traffic_management/11-TLS-PASSTHROUGH/bk_old_nonworking_gateway.yaml
+++ /dev/null
@@ -1,113 +0,0 @@
-#apiVersion: networking.istio.io/v1alpha3
-#kind: Gateway
-#metadata:
-# name: helloworld-gateway
-#spec:
-# selector:
-## istio: myingressgateway
-# istio: ingressgateway
-# servers:
-# - hosts:
-# ["lb.net","*.lb.net"]
-# port:
-# name: tls-443
-# number: 443
-# protocol: HTTPS
-# tls:
-# mode: SIMPLE
-# credentialName: my-tls-cert-secret
-# minProtocolVersion: TLSV1_2
-#---
-#apiVersion: networking.istio.io/v1alpha3
-#kind: VirtualService
-#metadata:
-# name: helloworld-vs
-#spec:
-# hosts:
-# - "*"
-# gateways:
-# - helloworld-gateway
-# http:
-## - name: http-vs
-## match:
-## - port: 80
-## route:
-## - destination:
-## host: helloworld.default.svc.cluster.local
-## port:
-## number: 8080
-# - name: https-vs
-# match:
-# - port: 443
-# route:
-# - destination:
-# host: helloworld.default.svc.cluster.local
-# port:
-# number: 443
-##
-## tls:
-## - match:
-## - port: 443
-## sniHosts: ["lb.net"]
-## route:
-## - destination:
-## host: helloworld.default.svc.cluster.local
-## port:
-## number: 443
-##---
-##apiVersion: networking.istio.io/v1alpha3
-##kind: DestinationRule
-##metadata:
-## name: helloworld
-## namespace: default
-##spec:
-## host: helloworld.default.svc.cluster.local
-## trafficPolicy:
-## portLevelSettings:
-## - port:
-## number: 8080
-## tls:
-## mode: DISABLE
-## - port:
-## number: 8443
-## tls:
-## credentialName: client-credential
-## mode: SIMPLE
-## port:
-## name: https-backend
-## number: 8443
-## protocol: HTTPS
-## tls:
-## credentialName: my-tls-cert-secret
-## mode: SIMPLE
-## tcp:
-### - match:
-### - port: 80
-### route:
-### - destination:
-### host: helloworld
-### port:
-### number: 8080
-### - match:
-### - port: 443
-## - route:
-## - destination:
-## host: helloworld
-## port:
-## number: 8443
-##
-## tls:
-## - match:
-## - port: 443
-## sniHosts:
-## - "hello.si"
-### - uri:
-### exact: /helloworld
-## route:
-## - destination:
-## host: helloworld
-## port:
-## number: 8443
-### protocol: HTTPS
-### rewrite:
-### uri: "/"
\ No newline at end of file
diff --git a/Istio/02-Traffic_management/11-TLS-PASSTHROUGH/deployment.yaml b/Istio/02-Traffic_management/11-TLS-PASSTHROUGH/deployment.yaml
index 3f9ad6c..f94f650 100755
--- a/Istio/02-Traffic_management/11-TLS-PASSTHROUGH/deployment.yaml
+++ b/Istio/02-Traffic_management/11-TLS-PASSTHROUGH/deployment.yaml
@@ -7,17 +7,11 @@ metadata:
service: helloworld
spec:
ports:
- - port: 8080
- name: http-s
- targetPort: 80
- protocol: TCP
- appProtocol: HTTP
-
- - port: 8443
- name: https
+ - name: https
+ port: 8443
targetPort: 443
protocol: TCP
- appProtocol: https
+ appProtocol: HTTPS
selector:
app: helloworld
---
@@ -36,7 +30,6 @@ spec:
metadata:
labels:
app: helloworld
- sidecar.istio.io/inject: "true"
spec:
containers:
- name: helloworld
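Review bot: removing the `sidecar.istio.io/inject: "true"` label changes what the example demonstrates and deserves a sentence in the README. Without a sidecar the pod terminates TLS itself, consistent with the `server: nginx/1.23.4` result, but it also sits outside the mesh: PeerAuthentication and AuthorizationPolicy no longer apply to it and any in-cluster client can reach its ports 80 and 443 directly. If the namespace has automatic injection enabled the label was redundant and this hunk is a no-op; if not, state that the backend is intentionally un-meshed.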
@@ -48,33 +41,33 @@ spec:
ports:
- containerPort: 80
- containerPort: 443
----
-apiVersion: apps/v1
-kind: Deployment
-metadata:
- name: nginx
- labels:
- app: nginx
- version: v1
-spec:
- replicas: 1
- selector:
- matchLabels:
- app: nginx
- version: v1
- template:
- metadata:
- labels:
- app: nginx
- version: v1
- spec:
- # serviceAccountName: istio-helloworld
- containers:
- - name: nginx
- image: nginx
- resources:
- requests:
- cpu: "100m"
- imagePullPolicy: IfNotPresent
- ports:
- - containerPort: 80
\ No newline at end of file
+#---
+#apiVersion: apps/v1
+#kind: Deployment
+#metadata:
+# name: nginx
+# labels:
+# app: nginx
+# version: v1
+#spec:
+# replicas: 1
+# selector:
+# matchLabels:
+# app: nginx
+# version: v1
+# template:
+# metadata:
+# labels:
+# app: nginx
+# version: v1
+# spec:
+# # serviceAccountName: istio-helloworld
+# containers:
+# - name: nginx
+# image: nginx
+# resources:
+# requests:
+# cpu: "100m"
+# imagePullPolicy: IfNotPresent
+# ports:
+# - containerPort: 80
\ No newline at end of file
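Review bot: the `nginx` Deployment is turned into a commented-out block instead of being deleted; the other obsolete files in this change (`bk_old_nonworking_gateway.yaml`, `gateway-02.yaml`) are removed outright, so do the same here and rely on git history. The remaining `helloworld` container still declares `- containerPort: 80` although the Service now only targets 443; remove it or note that plain HTTP on 80 is still served and reachable inside the cluster. The file also still ends without a trailing newline (`\ No newline at end of file`).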
diff --git a/Istio/02-Traffic_management/11-TLS-PASSTHROUGH/gateway-02.yaml b/Istio/02-Traffic_management/11-TLS-PASSTHROUGH/gateway-02.yaml
deleted file mode 100755
index 5070950..0000000
--- a/Istio/02-Traffic_management/11-TLS-PASSTHROUGH/gateway-02.yaml
+++ /dev/null
@@ -1,36 +0,0 @@
-#apiVersion: networking.istio.io/v1beta1
-#kind: Gateway
-#metadata:
-# name: helloworld-gateway
-#spec:
-# selector:
-# istio: ingressgateway
-# servers:
-# - hosts:
-# - "*"
-# port:
-# name: https
-# number: 443
-# protocol: HTTPS
-# tls:
-# mode: PASSTHROUGH
-#---
-#apiVersion: networking.istio.io/v1beta1
-#kind: VirtualService
-#metadata:
-# name: helloworld-vs
-#spec:
-# gateways:
-# - helloworld-gateway
-# hosts: ["lb.net","*.lb.net"]
-## http:
-## - route:
-## - destination:
-## host: helloworld.default.svc.cluster.local
-##spec:
-# tls:
-# - match:
-# - sniHosts: ["lb.net","*.lb.net"]
-# route:
-# - destination:
-# host: helloworld.default.svc.cluster.local
\ No newline at end of file
diff --git a/Istio/02-Traffic_management/11-TLS-PASSTHROUGH/gateway.yaml b/Istio/02-Traffic_management/11-TLS-PASSTHROUGH/gateway.yaml
index a313d3a..2f092f6 100755
--- a/Istio/02-Traffic_management/11-TLS-PASSTHROUGH/gateway.yaml
+++ b/Istio/02-Traffic_management/11-TLS-PASSTHROUGH/gateway.yaml
@@ -2,61 +2,30 @@ apiVersion: networking.istio.io/v1alpha3
kind: Gateway
metadata:
name: helloworld-gateway
+ namespace: default
spec:
selector:
- # istio: myingressgateway
istio: ingressgateway
servers:
- # - port:
- # number: 443
- # name: secure-http2
- # protocol: HTTP2
- # hosts:
- # - "*"
- - port:
- number: 80
- name: http2-i
- protocol: HTTP2
- hosts:
- - "*"
- port:
number: 443
- name: https-i
+ name: https-web
protocol: HTTPS
hosts:
- "*"
tls:
-# credentialName: my-tls-cert-secret
-# minProtocolVersion: TLSV1_2
- #
mode: PASSTHROUGH
---
apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
name: helloworld-vs
+ namespace: default
spec:
hosts:
- "lb.net"
gateways:
- helloworld-gateway
- http:
- - name: http-vs
- match:
- - port: 80
- route:
- - destination:
- host: helloworld.default.svc.cluster.local
- port:
- number: 8080
-# - name: https-vs
-# match:
-# - port: 443
-# route:
-# - destination:
-# host: helloworld.default.svc.cluster.local
-# port:
-# number: 8443
tls:
- match:
- port: 443
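Review bot: with `mode: PASSTHROUGH` the removed `#minProtocolVersion: TLSV1_2` and `#credentialName: my-tls-cert-secret` could not have been honoured anyway: the gateway relays the ClientHello without negotiating, so TLS version, cipher suite and certificate policy are entirely the backend's responsibility and must be enforced in the nginx configuration. A one-line comment next to `mode: PASSTHROUGH` saying so would stop the next reader from re-adding `tls.minProtocolVersion` and assuming the gateway enforces it. The server's `hosts: - "*"` is fine because the VirtualService narrows routing to SNI `lb.net`; connections presenting any other SNI get no route.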
@@ -65,23 +34,4 @@ spec:
- destination:
host: helloworld.default.svc.cluster.local
port:
- number: 8443
----
-apiVersion: networking.istio.io/v1alpha3
-kind: DestinationRule
-metadata:
- name: helloworld
- namespace: default
-spec:
- host: helloworld.default.svc.cluster.local
- trafficPolicy:
- portLevelSettings:
- - port:
- number: 8080
- tls:
- mode: DISABLE
-
- - port:
- number: 8443
- tls:
- mode: DISABLE
+ number: 8443
\ No newline at end of file
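Review bot: removing the DestinationRule with `tls: mode: DISABLE` on 8080 and 8443 is correct for this example and the README should say why: in PASSTHROUGH the gateway never originates its own TLS session to the backend, it relays the client's, so a `DISABLE` rule on 8443 had nothing to disable, and the 8080 port no longer exists. Stating that explicitly prevents the rule from being re-added the next time someone hits a TLS mismatch error. The final `number: 8443` is re-emitted only to drop the trailing `---`; please also add the missing newline at end of file.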
diff --git a/Istio/02-Traffic_management/XX-HTTP2-gateway-made-it-work/README.md b/Istio/02-Traffic_management/XX-HTTP2-gateway-made-it-work-maybe/README.md
similarity index 100%
rename from Istio/02-Traffic_management/XX-HTTP2-gateway-made-it-work/README.md
rename to Istio/02-Traffic_management/XX-HTTP2-gateway-made-it-work-maybe/README.md
diff --git a/Istio/02-Traffic_management/XX-HTTP2-gateway-made-it-work/authentication.yaml b/Istio/02-Traffic_management/XX-HTTP2-gateway-made-it-work-maybe/authentication.yaml
similarity index 100%
rename from Istio/02-Traffic_management/XX-HTTP2-gateway-made-it-work/authentication.yaml
rename to Istio/02-Traffic_management/XX-HTTP2-gateway-made-it-work-maybe/authentication.yaml
diff --git a/Istio/02-Traffic_management/XX-HTTP2-gateway-made-it-work/deployment.yaml b/Istio/02-Traffic_management/XX-HTTP2-gateway-made-it-work-maybe/deployment.yaml
similarity index 100%
rename from Istio/02-Traffic_management/XX-HTTP2-gateway-made-it-work/deployment.yaml
rename to Istio/02-Traffic_management/XX-HTTP2-gateway-made-it-work-maybe/deployment.yaml
diff --git a/Istio/02-Traffic_management/XX-HTTP2-gateway-made-it-work/gateway.yaml b/Istio/02-Traffic_management/XX-HTTP2-gateway-made-it-work-maybe/gateway.yaml
similarity index 100%
rename from Istio/02-Traffic_management/XX-HTTP2-gateway-made-it-work/gateway.yaml
rename to Istio/02-Traffic_management/XX-HTTP2-gateway-made-it-work-maybe/gateway.yaml
diff --git a/Istio/02-Traffic_management/11-TLS-PASSTHROUGH/ingress.yaml b/Istio/02-Traffic_management/XX-HTTP2-gateway-made-it-work-maybe/ingress.yaml
similarity index 100%
rename from Istio/02-Traffic_management/11-TLS-PASSTHROUGH/ingress.yaml
rename to Istio/02-Traffic_management/XX-HTTP2-gateway-made-it-work-maybe/ingress.yaml
diff --git a/Istio/02-Traffic_management/XX-HTTP2-gateway-made-it-work/ingress.yaml b/Istio/02-Traffic_management/XX-HTTP2-gateway-made-it-work/ingress.yaml
deleted file mode 100644
index 850c2eb..0000000
--- a/Istio/02-Traffic_management/XX-HTTP2-gateway-made-it-work/ingress.yaml
+++ /dev/null
@@ -1,29 +0,0 @@
-apiVersion: install.istio.io/v1alpha1
-kind: IstioOperator
-metadata:
- name: ingress
-spec:
- profile: empty # Do not install CRDs or the control plane
- components:
- ingressGateways:
- - name: myistio-ingressgateway
- namespace: istio-ingress
- enabled: true
- label:
- istio: myingressgateway
- k8s:
- service:
- ports:
- - name: https-ingress
- port: 443
- protocol: TCP
- targetPort: 1055
- - name: http-ingress
- port: 80
- protocol: TCP
- targetPort: 1085
-
- values:
- gateways:
- istio-ingressgateway:
- injectionTemplate: gateway
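Review bot: this deletes the `myistio-ingressgateway` IstioOperator (custom `istio: myingressgateway` label, `targetPort` 1055/1085, `profile: empty`) while, per the rename entries just above, `11-TLS-PASSTHROUGH/ingress.yaml` is moved into the new `XX-HTTP2-gateway-made-it-work-maybe/` directory under the same file name. Please confirm the moved file is meant to replace this one. Nothing in the passthrough example depends on the custom gateway any more, since the updated gateway.yaml selects `istio: ingressgateway`, and the `-maybe` suffix suggests that directory is work in progress rather than a finished example, which the commit message should say.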
diff --git a/Istio/02-Traffic_management/__XX-TLS-PASSTHROUGH_BK_pcap_see_encrypted_traffic/README.md b/Istio/02-Traffic_management/__XX-TLS-PASSTHROUGH_BK_pcap_see_encrypted_traffic/README.md
deleted file mode 100644
index f356e8b..0000000
--- a/Istio/02-Traffic_management/__XX-TLS-PASSTHROUGH_BK_pcap_see_encrypted_traffic/README.md
+++ /dev/null
@@ -1,313 +0,0 @@
----
-gitea: none
-include_toc: true
----
-
-# Based on
-
-- [08a-HTTPS-min-TLS-version](../08a-HTTPS-min-TLS-version)
-
-# Description
-
-The previous example was modified set the gateway to enable for HTTP2 traffic.
-
-https://stackoverflow.com/a/59610581
-
-
-# Changelog
-
-## Gateway
-
-```yaml
-apiVersion: networking.istio.io/v1alpha3
-kind: Gateway
-metadata:
- name: helloworld-gateway
-spec:
- selector:
- istio: ingressgateway
- servers:
- - port:
- number: 443
- name: secure-http2
- protocol: HTTP2
- hosts:
- - "*"
- tls:
- mode: SIMPLE
- credentialName: my-tls-cert-secret
- minProtocolVersion: TLSV1_2
-```
-
-``
-
-# Walkthrough
-
-
-## Generate client and server certificate and key files
-
-First step will be to generate the certificate and key files to be able to set them to the Gateway resource.
-
-### Create a folder to store files.
-
-Create the folder to contain the files that will be generated.
-
-```shell
-mkdir certfolder
-```
-
-### Create a certificate and a private key.
-
-```shell
-openssl req -x509 -sha256 -nodes -days 365 -subj '/O=Internet of things/CN=lb.net' -newkey rsa:2048 -keyout certfolder/istio.cert.key -out certfolder/istio.cert.crt
-```
-
-The files generated are the following:
-
-```yaml
-private-key: certfolder/istio.cert.key
-root-certificate: certfolder/istio.cert.crt
-```
-
-The information set to the certificate generated is the following:
-
-```yaml
-Organization-name: Internet of things
-CN: lb.net
-```
-
-### Create a TLS secret
-
-At this step we create the tls secret `my-tls-cert-secret` on the namespace `istio-system`.
-
-```shell
-kubectl create -n istio-system secret tls my-tls-cert-secret \
- --key=certfolder/istio.cert.key \
- --cert=certfolder/istio.cert.crt
-```
-```text
-secret/my-tls-cert-secret created
-```
-```text
-service/helloworld created
-deployment.apps/helloworld-nginx created
-gateway.networking.istio.io/helloworld-gateway created
-virtualservice.networking.istio.io/helloworld-vs created
-```
-
-> **Note:**\
-> It's Important that the secret is located in the same namespace as the Load Balancer used. In my case is the `istio-system`, but it will vary based on the environment.
-
-
-## Deploy resources
-
-```shell
-kubectl apply -f ./
-```
-```text
-service/helloworld created
-deployment.apps/helloworld-nginx created
-gateway.networking.istio.io/helloworld-gateway created
-virtualservice.networking.istio.io/helloworld-vs created
-```
-
-## Test the service
-### http2
-#### Curl HTTP1
-
-```shell
-curl 192.168.1.50/helloworld -s -o=/dev/null -w 'http_version: %{http_version}\nstatus_code: %{response_code}\n' -HHOST:http2.lb --http1.0
-```
-```text
-http_version: 1.1
-status_code: 426
-```
-
-#### Curl HTTP1.1
-
-```shell
-curl 192.168.1.50/helloworld -s -o=/dev/null -w 'http_version: %{http_version}\nstatus_code: %{response_code}\n' -HHOST:http2.lb --http1.1
-```
-```text
-http_version: 1.1
-status_code: 200
-```
-
-#### Curl HTTP2
-
-```shell
-curl 192.168.1.50/helloworld -s -o=/dev/null -w 'http_version: %{http_version}\nstatus_code: %{response_code}\n' -HHOST:http2.lb --http2
-```
-```text
-http_version: 1.1
-status_code: 200
-```
-
-### http1-web
-
-#### Curl HTTP1
-
-```shell
-curl 192.168.1.50/helloworld -s -o=/dev/null -w 'http_version: %{http_version}\nstatus_code: %{response_code}\n' -HHOST:http1.lb --http1.0
-```
-```text
-http_version: 1.1
-status_code: 426
-```
-
-#### Curl HTTP1.1
-
-```shell
-curl 192.168.1.50/helloworld -s -o=/dev/null -w 'http_version: %{http_version}\nstatus_code: %{response_code}\n' -HHOST:http1.lb --http1.1
-```
-```text
-http_version: 1.1
-status_code: 200
-```
-
-#### Curl HTTP2
-
-```shell
-curl 192.168.1.50/helloworld -s -o=/dev/null -w 'http_version: %{http_version}\nstatus_code: %{response_code}\n' -HHOST:http1.lb --http2
-```
-```text
-http_version: 1.1
-status_code: 200
-```
-
-## Cleanup
-
-```shell
-kubectl delete -f ./
-```
-
-```text
-service "helloworld" deleted
-deployment.apps "helloworld-nginx" deleted
-gateway.networking.istio.io "helloworld-gateway" deleted
-virtualservice.networking.istio.io "helloworld-vs" deleted
-```
-
-# Links of Interest
-
-- https://istio.io/latest/docs/reference/config/networking/gateway/#ServerTLSSettings-TLSProtocol
-
-- https://stackoverflow.com/a/51279606
-
-- https://istio.io/latest/docs/reference/config/networking/destination-rule/#ConnectionPoolSettings-HTTPSettings-H2UpgradePolicy
-
-
-
-docker buildx build --push --platform linux/arm/v7,linux/arm64/v8,linux/amd64 --tag registery.filter.home:5000/https-demo:latest -f Dockerfile
-
-
-docker buildx build --push --platform linux/arm/v7,linux/arm64/v8,linux/amd64 --tag registery.filter.home:5000/https-demo:latest .
-[+] Building 0.0s (0/0)
-ERROR: multiple platforms feature is currently not supported for docker driver. Please switch to a different driver (eg. "docker buildx create --use")
-
----
-## Create the Dockerfile
-
-```bash
-FROM ubuntu/apache2
-
-RUN apt-get update && \
-apt-get install apache2 openssl -y && \
-a2ensite default-ssl && \
-a2enmod ssl && \
-echo "Howdy
" | tee /var/www/html/index.html
-
-RUN /usr/bin/printf "\n\
- ServerAdmin webmaster@localhost\n\
- DocumentRoot /var/www/html\n\
- ErrorLog \${APACHE_LOG_DIR}/error.log\n\
- CustomLog \${APACHE_LOG_DIR}/access.log combined\n\
-\n\
-\n\
- ServerAdmin webmaster@localhost\n\
- DocumentRoot /var/www/html\n\
- ErrorLog \${APACHE_LOG_DIR}/error.log\n\
- CustomLog \${APACHE_LOG_DIR}/access.log combined\n\
- SSLEngine on\n\
- SSLCertificateFile /etc/ssl/certs/ssl-cert-snakeoil.pem\n\
- SSLCertificateKeyFile /etc/ssl/private/ssl-cert-snakeoil.key\n\
-" > /etc/apache2/sites-available/000-default.conf
-
-RUN openssl req -x509 -sha256 -nodes -days 358000 -subj '/O=SSL EXAMPLE/CN=lb.net' -newkey rsa:2048 -keyout /etc/ssl/private/ssl-cert-snakeoil.key -out /etc/ssl/certs/ssl-cert-snakeoil.pem
-```
-
-## Build the image
-
-Due to my Kubernetes cluster environment, where I am using Orange 5, their architecture is arm7, and for such, I require to compile such images.
-
-For my own commodity, I have used a raspberry pi 4 to build this images.
-
-The images where pushed to a local registry server, and afterwards the Kubernetes cluster will pull such image.
-
-```shell
- docker build --tag https-demo:armv7 .
-```
-```text
-docker build --tag https-demo:armv7 . --no-cache
-[+] Building 16.5s (8/8) FINISHED
- => [internal] load .dockerignore 0.0s
- => => transferring context: 2B 0.0s
- => [internal] load build definition from Dockerfile 0.0s
- => => transferring dockerfile: 1.09kB 0.0s
- => [internal] load metadata for docker.io/ubuntu/apache2:latest 0.4s
- => CACHED [1/4] FROM docker.io/ubuntu/apache2@sha256:0a5e7179fa8fccf17843a8862e58ac783628b7d448cd68fda8fb1e 0.0s
- => [2/4] RUN apt-get update && apt-get install apache2 openssl -y && a2ensite default-ssl && a2enmod ssl & 12.0s
- => [3/4] RUN /usr/bin/printf "\n ServerAdmin webmaster@localhost\n DocumentRoot /var/www/ 0.7s
- => [4/4] RUN openssl req -x509 -sha256 -nodes -days 358000 -subj '/O=SSL EXAMPLE' -newkey rsa:2048 -keyout 2.4s
- => exporting to image 1.0s
- => => exporting layers 1.0s
- => => writing image sha256:591c6d233100a48bf132eef7a792942cfd0b7057817c4ac5e156c1d33e24cd89 0.0s
- => => naming to docker.io/library/https-demo:armv7 0.0s
-```
-
-## Tag the image
-
-```shell
-docker image tag https-demo:armv7 registery.filter.home/https-demo:armv7
-```
-
-## Upload to the registery server
-
-```text
-docker image push registery.filter.home:5000/https-demo:armv7
-The push refers to repository [registery.filter.home:5000/https-demo]
-c6d858706b08: Pushed
-9e077e0202f0: Pushed
-6ffc708d0cf3: Pushed
-69e01b4bf4d7: Pushed
-17c5b30f3843: Pushed
-0b9f60fbcaf1: Pushed
-armv7: digest: sha256:d8c81c27f23bf3945ae8a794c82182f9e6c48ec927f388fdf4a88caa0e284bd1 size: 1578
-```
-
-
-
-## ?
-curl: (35) OpenSSL/3.0.8: error:0A00010B:SSL routines::wrong version numbe
-
-
-
-
-
----
-
-
-Has apache2 installed with a default certificate.
-
-Port 80 visible for HTTP
-
-Port 443 visible for HTTPS.
-
-
-
-
-curl https://192.168.1.2:8443 -s -o=/dev/null -w 'http_version: %{http_version}\nstatus_code: %{response_code}\n' -HHOST:http1.lb --http2 -k
-http_version: 2
-status_code: 200
-
-# Recv failure: Connection reset by peer
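Review bot: deleting this backup README is fine; it is the same scratch content as the 09-HTTPS-backend one (failed `docker buildx`, the `## ?` with its `wrong version numbe` error, `# Recv failure: Connection reset by peer`) with the Apache Dockerfile duplicated. Two pieces are worth carrying over before it goes: the `mkdir certfolder` / `openssl req` / `kubectl create -n istio-system secret tls my-tls-cert-secret` sequence is the only walkthrough of provisioning a gateway credential in this set, and the note that the secret must live in the same namespace as the ingress gateway is a recurring pitfall worth keeping in the TLS passthrough README as the contrast case (passthrough needs no gateway secret at all; SIMPLE does).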
diff --git a/Istio/02-Traffic_management/__XX-TLS-PASSTHROUGH_BK_pcap_see_encrypted_traffic/authentication.yaml b/Istio/02-Traffic_management/__XX-TLS-PASSTHROUGH_BK_pcap_see_encrypted_traffic/authentication.yaml
deleted file mode 100644
index da9883d..0000000
--- a/Istio/02-Traffic_management/__XX-TLS-PASSTHROUGH_BK_pcap_see_encrypted_traffic/authentication.yaml
+++ /dev/null
@@ -1,11 +0,0 @@
-apiVersion: security.istio.io/v1beta1
-kind: PeerAuthentication
-metadata:
- name: default-mtls
- namespace: default
-spec:
- mtls:
- mode: DISABLE
-
-
-#curl -v --resolve ":$SECURE_INGRESS_PORT:$INGRESS_HOST" --cacert example_certs/example.com.crt "https://nginx.example.com:$SECURE_INGRESS_PORT"
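Review bot: good to see this go: a PeerAuthentication named `default-mtls` in namespace `default` with `mtls: mode: DISABLE` and no `selector` turns off mTLS for every workload in that namespace, not just the demo backend. If a later example needs plaintext on one port (for instance to capture traffic, as the directory name suggests), scope it with a `selector` on `app: helloworld` and `portLevelMtls` for that port only, and keep the namespace-wide policy at `STRICT`. The trailing commented `curl -v --resolve ... --cacert example_certs/example.com.crt` line is the certificate-verifying form of the test that the 11-TLS-PASSTHROUGH README should prefer over `--insecure`.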
diff --git a/Istio/02-Traffic_management/__XX-TLS-PASSTHROUGH_BK_pcap_see_encrypted_traffic/bk_old_nonworking_gateway.yaml b/Istio/02-Traffic_management/__XX-TLS-PASSTHROUGH_BK_pcap_see_encrypted_traffic/bk_old_nonworking_gateway.yaml
deleted file mode 100755
index 871a985..0000000
--- a/Istio/02-Traffic_management/__XX-TLS-PASSTHROUGH_BK_pcap_see_encrypted_traffic/bk_old_nonworking_gateway.yaml
+++ /dev/null
@@ -1,117 +0,0 @@
-#apiVersion: networking.istio.io/v1alpha3
-#kind: Gateway
-#metadata:
-# name: helloworld-gateway
-#spec:
-# selector:
-## istio: myingressgateway
-# istio: ingressgateway
-# servers:
-# - hosts:
-# ["lb.net","*.lb.net"]
-# port:
-# name: tls-443
-# number: 443
-# protocol: HTTPS
-# tls:
-# mode: SIMPLE
-# credentialName: my-tls-cert-secret
-# minProtocolVersion: TLSV1_2
-#---
-#apiVersion: networking.istio.io/v1alpha3
-#kind: VirtualService
-#metadata:
-# name: helloworld-vs
-#spec:
-# hosts:
-# - "*"
-# gateways:
-# - helloworld-gateway
-# http:
-## - name: http-vs
-## match:
-## - port: 80
-## route:
-## - destination:
-## host: helloworld.default.svc.cluster.local
-## port:
-## number: 8080
-# - name: https-vs
-# match:
-# - port: 443
-# route:
-# - destination:
-# host: helloworld.default.svc.cluster.local
-# port:
-# number: 443
-##
-## tls:
-## - match:
-## - port: 443
-## sniHosts: ["lb.net"]
-## route:
-## - destination:
-## host: helloworld.default.svc.cluster.local
-## port:
-## number: 443
-#
-##---
-##apiVersion: networking.istio.io/v1alpha3
-##kind: DestinationRule
-##metadata:
-## name: helloworld
-## namespace: default
-##spec:
-## host: helloworld.default.svc.cluster.local
-## trafficPolicy:
-## portLevelSettings:
-## - port:
-## number: 8080
-## tls:
-## mode: DISABLE
-#
-## - port:
-## number: 8443
-## tls:
-## credentialName: client-credential
-## mode: SIMPLE
-#
-#
-## port:
-## name: https-backend
-## number: 8443
-## protocol: HTTPS
-## tls:
-## credentialName: my-tls-cert-secret
-## mode: SIMPLE
-## tcp:
-### - match:
-### - port: 80
-### route:
-### - destination:
-### host: helloworld
-### port:
-### number: 8080
-### - match:
-### - port: 443
-## - route:
-## - destination:
-## host: helloworld
-## port:
-## number: 8443
-##
-## tls:
-## - match:
-## - port: 443
-## sniHosts:
-## - "hello.si"
-### - uri:
-### exact: /helloworld
-## route:
-## - destination:
-## host: helloworld
-## port:
-## number: 8443
-### protocol: HTTPS
-### rewrite:
-### uri: "/"
\ No newline at end of file
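Review bot: nothing to preserve, every line of this backup was already commented out, but one mistake in it is worth carrying forward as a note in the working lesson. The `https-vs` block routes from a `mode: SIMPLE` (TLS-terminating) server on 443 to `helloworld.default.svc.cluster.local` port `443` over plain HTTP; since the backend's 443 is its HTTPS port, that only works if a DestinationRule originates TLS towards it (`tls.mode: SIMPLE`, the commented `client-credential` block), otherwise Apache receives cleartext on its TLS listener. Also, `sniHosts` is a `tls` match attribute and is not valid under an `http` match, which is one reason this file was "nonworking".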
diff --git a/Istio/02-Traffic_management/__XX-TLS-PASSTHROUGH_BK_pcap_see_encrypted_traffic/deployment.yaml b/Istio/02-Traffic_management/__XX-TLS-PASSTHROUGH_BK_pcap_see_encrypted_traffic/deployment.yaml
deleted file mode 100755
index 233c5ed..0000000
--- a/Istio/02-Traffic_management/__XX-TLS-PASSTHROUGH_BK_pcap_see_encrypted_traffic/deployment.yaml
+++ /dev/null
@@ -1,74 +0,0 @@
-apiVersion: v1
-kind: Service
-metadata:
- name: helloworld
- labels:
- app: helloworld
- service: helloworld
-spec:
- ports:
- - name: p1
- port: 80
- protocol: TCP
- - name: https
- port: 443
- protocol: TCP
- selector:
- app: helloworld
----
-apiVersion: apps/v1
-kind: Deployment
-metadata:
- name: helloworld-nginx
- labels:
- app: helloworld
-spec:
- replicas: 1
- selector:
- matchLabels:
- app: helloworld
- template:
- metadata:
- labels:
- app: helloworld
- sidecar.istio.io/inject: "true"
- spec:
- containers:
- - name: helloworld
- image: oriolfilter/https-apache-demo:armv7
- resources:
- requests:
- cpu: "100m"
- imagePullPolicy: IfNotPresent #Always
- ports:
- - containerPort: 443
----
-apiVersion: apps/v1
-kind: Deployment
-metadata:
- name: nginx
- labels:
- app: nginx
- version: v1
-spec:
- replicas: 1
- selector:
- matchLabels:
- app: nginx
- version: v1
- template:
- metadata:
- labels:
- app: nginx
- version: v1
- spec:
- # serviceAccountName: istio-helloworld
- containers:
- - name: nginx
- image: nginx
- resources:
- requests:
- cpu: "100m"
- imagePullPolicy: IfNotPresent
- ports:
- - containerPort: 80
\ No newline at end of file
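Review bot: two defects here should not be reintroduced when the lesson is rebuilt. The `nginx` Deployment is unreachable: the only Service selects `app: helloworld`, and the nginx pods carry `app: nginx`, so no Service fronts them. The `helloworld` Service exposes port `80` under the name `p1`, which carries no protocol prefix, while the only `containerPort` listed on the apache pod is `443`; name the port `http` (or set `appProtocol`) so Istio does not have to sniff it, and either document port 80 on the container or drop it from the Service. The `oriolfilter/https-apache-demo:armv7` tag also pins the lesson to one architecture; a multi-arch tag avoids a silent `exec format error` on amd64 nodes.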
diff --git a/Istio/02-Traffic_management/__XX-TLS-PASSTHROUGH_BK_pcap_see_encrypted_traffic/gateway-02.yaml b/Istio/02-Traffic_management/__XX-TLS-PASSTHROUGH_BK_pcap_see_encrypted_traffic/gateway-02.yaml
deleted file mode 100755
index 5070950..0000000
--- a/Istio/02-Traffic_management/__XX-TLS-PASSTHROUGH_BK_pcap_see_encrypted_traffic/gateway-02.yaml
+++ /dev/null
@@ -1,36 +0,0 @@
-#apiVersion: networking.istio.io/v1beta1
-#kind: Gateway
-#metadata:
-# name: helloworld-gateway
-#spec:
-# selector:
-# istio: ingressgateway
-# servers:
-# - hosts:
-# - "*"
-# port:
-# name: https
-# number: 443
-# protocol: HTTPS
-# tls:
-# mode: PASSTHROUGH
-#---
-#apiVersion: networking.istio.io/v1beta1
-#kind: VirtualService
-#metadata:
-# name: helloworld-vs
-#spec:
-# gateways:
-# - helloworld-gateway
-# hosts: ["lb.net","*.lb.net"]
-## http:
-## - route:
-## - destination:
-## host: helloworld.default.svc.cluster.local
-##spec:
-# tls:
-# - match:
-# - sniHosts: ["lb.net","*.lb.net"]
-# route:
-# - destination:
-# host: helloworld.default.svc.cluster.local
\ No newline at end of file
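Review bot: the `tls` route destination has no `port`, and the `helloworld` Service in this same directory exposes both `80` and `443`, so Istio rejects the VirtualService ("must specify port for service with multiple ports"); it needs `port: { number: 443 }`. The rest of the passthrough shape is right: `mode: PASSTHROUGH` on the Gateway with `sniHosts` matching `lb.net` / `*.lb.net` forwards the TLS stream unterminated, which is what the pcap experiment in the directory name needs. Minor: this file uses `networking.istio.io/v1beta1` while the sibling files use `v1alpha3`; pick one for the rebuilt lesson.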
diff --git a/Istio/02-Traffic_management/__XX-TLS-PASSTHROUGH_BK_pcap_see_encrypted_traffic/gateway.yaml b/Istio/02-Traffic_management/__XX-TLS-PASSTHROUGH_BK_pcap_see_encrypted_traffic/gateway.yaml
deleted file mode 100755
index 210ef29..0000000
--- a/Istio/02-Traffic_management/__XX-TLS-PASSTHROUGH_BK_pcap_see_encrypted_traffic/gateway.yaml
+++ /dev/null
@@ -1,85 +0,0 @@
-apiVersion: networking.istio.io/v1alpha3
-kind: Gateway
-metadata:
- name: helloworld-gateway
-spec:
- selector:
- # istio: myingressgateway
- istio: ingressgateway
- servers:
- # - port:
- # number: 443
- # name: secure-http2
- # protocol: HTTP2
- # hosts:
- # - "*"
- - port:
- number: 80
- name: http2-i
- protocol: HTTP2
- hosts:
- - "*"
- - port:
- number: 443
- name: https-i
- protocol: HTTPS
- hosts:
- - "*"
- tls:
- credentialName: my-tls-cert-secret
- minProtocolVersion: TLSV1_2
- #
- mode: SIMPLE
----
-apiVersion: networking.istio.io/v1alpha3
-kind: VirtualService
-metadata:
- name: helloworld-vs
-spec:
- hosts: ["lb.net"]
- gateways:
- - helloworld-gateway
- http:
- - name: http-vs
- match:
- - port: 80
- route:
- - destination:
- host: helloworld.default.svc.cluster.local
- port:
- number: 80
- - name: https-vs
- match:
- - port: 443
- sniHosts: ["lb.net"]
- route:
- - destination:
- host: helloworld.default.svc.cluster.local
- port:
- number: 443
-# tls:
-# - match:
-# - sniHosts: ["lb.net"]
-# route:
-# - destination:
-# host: helloworld.default.svc.cluster.local
----
-apiVersion: networking.istio.io/v1alpha3
-kind: DestinationRule
-metadata:
- name: helloworld
- namespace: default
-spec:
- host: helloworld.default.svc.cluster.local
- trafficPolicy:
- portLevelSettings:
- - port:
- number: 8080
- tls:
- mode: DISABLE
-#
- - port:
- number: 443
- tls:
- credentialName: client-credential
- mode: DISABLE
\ No newline at end of file
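Review bot: this configuration sends cleartext to the backend's TLS port. The `https-i` server on 443 is `mode: SIMPLE`, so the gateway terminates TLS; the `https-vs` route then forwards plain HTTP to `helloworld.default.svc.cluster.local:443`, and the DestinationRule for port `443` sets `tls.mode: DISABLE`, so no TLS is originated on the way out. Apache on its HTTPS port will answer that with a 400 (plain HTTP to an SSL-enabled port) or reset the connection, which matches the `Recv failure` note in the README hunk. Fix is `tls.mode: SIMPLE` (origination) on port 443 in the DestinationRule; `credentialName: client-credential` next to `mode: DISABLE` is ignored and should go. Two further problems: `sniHosts` is not a field of an `http` match (it belongs under `tls`), and the DestinationRule's port `8080` entry refers to a port the `helloworld` Service does not expose (it has `80` and `443`).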
diff --git a/Istio/02-Traffic_management/__XX-TLS-PASSTHROUGH_BK_pcap_see_encrypted_traffic/ingress.yaml b/Istio/02-Traffic_management/__XX-TLS-PASSTHROUGH_BK_pcap_see_encrypted_traffic/ingress.yaml
deleted file mode 100644
index 850c2eb..0000000
--- a/Istio/02-Traffic_management/__XX-TLS-PASSTHROUGH_BK_pcap_see_encrypted_traffic/ingress.yaml
+++ /dev/null
@@ -1,29 +0,0 @@
-apiVersion: install.istio.io/v1alpha1
-kind: IstioOperator
-metadata:
- name: ingress
-spec:
- profile: empty # Do not install CRDs or the control plane
- components:
- ingressGateways:
- - name: myistio-ingressgateway
- namespace: istio-ingress
- enabled: true
- label:
- istio: myingressgateway
- k8s:
- service:
- ports:
- - name: https-ingress
- port: 443
- protocol: TCP
- targetPort: 1055
- - name: http-ingress
- port: 80
- protocol: TCP
- targetPort: 1085
-
- values:
- gateways:
- istio-ingressgateway:
- injectionTemplate: gateway
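Review bot: the gateway this installs is never selected. It is labelled `istio: myingressgateway`, but every Gateway resource in this directory selects `istio: ingressgateway` (the `# istio: myingressgateway` lines in them are commented out), so servers from `gateway.yaml` would be programmed on the default gateway, not on `myistio-ingressgateway` in `istio-ingress`. Either flip the selector in the Gateway resources or label this component `istio: ingressgateway` (which then collides with the stock gateway, so the first option is safer). The `targetPort` values `1055`/`1085` are unusual; a one-line comment saying they are the Envoy listener ports for 443/80 on this pod would save the next reader a trip to the pilot source.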
diff --git a/Istio/02-Traffic_management/11-TLS-PASSTHROUGH/authentication.yaml b/Istio/06-Internal-Authentication/03-disable-mTLS/authentication.yaml
similarity index 50%
rename from Istio/02-Traffic_management/11-TLS-PASSTHROUGH/authentication.yaml
rename to Istio/06-Internal-Authentication/03-disable-mTLS/authentication.yaml
index da9883d..221a86d 100644
--- a/Istio/02-Traffic_management/11-TLS-PASSTHROUGH/authentication.yaml
+++ b/Istio/06-Internal-Authentication/03-disable-mTLS/authentication.yaml
@@ -6,6 +6,3 @@ metadata:
spec:
mtls:
mode: DISABLE
-
-
-#curl -v --resolve ":$SECURE_INGRESS_PORT:$INGRESS_HOST" --cacert example_certs/example.com.crt "https://nginx.example.com:$SECURE_INGRESS_PORT"
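Review bot: the rename moves a cluster-affecting policy into a lesson directory without a README; `mtls.mode: DISABLE` on a namespace-wide `PeerAuthentication` (this is the same file as the `default-mtls` object in `namespace: default` deleted earlier in the patch, same blob `da9883d`) turns off mTLS for every workload in that namespace, so `03-disable-mTLS` should state that and give the revert (`kubectl delete peerauthentication default-mtls -n default`, or switch to `mode: STRICT`). Dropping the commented `curl` is correct: its `--resolve ":$SECURE_INGRESS_PORT:$INGRESS_HOST"` had an empty hostname and could never have matched the `https://nginx.example.com:...` URL it was paired with.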