From 4bb07eebce9494d6694eea2619a5961be26ddf86 Mon Sep 17 00:00:00 2001 
From: savagebidoof Date: Tue, 25 Apr 2023 00:16:52 +0200 Subject: [PATCH] small backup cause things work and scared of proceeding without modifying anything, also say hi to my registry at home --- .gitignore | 1 + Istio/00-Troubleshooting/README.md | 2 + .../XX-HTTP2-gateway-made-it-work/Dockerfile | 13 + .../XX-HTTP2-gateway-made-it-work/README.md | 321 +++++++++++++++++ .../authentication.yaml | 8 + .../deployment.yaml | 80 +++++ .../gateway.yaml | 118 +++++++ .../ingress.yaml | 29 ++ .../XX-HTTP2-gateway-made-it-work/server.conf | 37 ++ .../XX-HTTPS-backend/README.md | 311 +++++++++++++++++ .../XX-HTTPS-backend/deployment.yaml | 80 +++++ .../XX-HTTPS-backend/gateway.yaml | 118 +++++++ .../__XX-TLS-PASSTHROUGH/Dockerfile | 13 + .../__XX-TLS-PASSTHROUGH/README.md | 325 ++++++++++++++++++ .../__XX-TLS-PASSTHROUGH/authentication.yaml | 11 + .../bk_old_nonworking_gateway.yaml | 113 ++++++ .../__XX-TLS-PASSTHROUGH/deployment.yaml | 80 +++++ .../__XX-TLS-PASSTHROUGH/gateway-02.yaml | 36 ++ .../__XX-TLS-PASSTHROUGH/gateway.yaml | 87 +++++ .../__XX-TLS-PASSTHROUGH/ingress.yaml | 29 ++ .../__XX-TLS-PASSTHROUGH/server.conf | 37 ++ .../Dockerfile | 13 + .../README.md | 313 +++++++++++++++++ .../authentication.yaml | 11 + .../bk_old_nonworking_gateway.yaml | 117 +++++++ .../deployment.yaml | 74 ++++ .../gateway-02.yaml | 36 ++ .../gateway.yaml | 85 +++++ .../ingress.yaml | 29 ++ .../server.conf | 37 ++ 30 files changed, 2564 insertions(+) create mode 100644 Istio/02-Traffic_management/XX-HTTP2-gateway-made-it-work/Dockerfile create mode 100644 Istio/02-Traffic_management/XX-HTTP2-gateway-made-it-work/README.md create mode 100644 Istio/02-Traffic_management/XX-HTTP2-gateway-made-it-work/authentication.yaml create mode 100755 Istio/02-Traffic_management/XX-HTTP2-gateway-made-it-work/deployment.yaml create mode 100755 Istio/02-Traffic_management/XX-HTTP2-gateway-made-it-work/gateway.yaml create mode 100644 Istio/02-Traffic_management/XX-HTTP2-gateway-made-it-work/ingress.yaml 
create mode 100644 Istio/02-Traffic_management/XX-HTTP2-gateway-made-it-work/server.conf create mode 100644 Istio/02-Traffic_management/XX-HTTPS-backend/README.md create mode 100755 Istio/02-Traffic_management/XX-HTTPS-backend/deployment.yaml create mode 100755 Istio/02-Traffic_management/XX-HTTPS-backend/gateway.yaml create mode 100644 Istio/02-Traffic_management/__XX-TLS-PASSTHROUGH/Dockerfile create mode 100644 Istio/02-Traffic_management/__XX-TLS-PASSTHROUGH/README.md create mode 100644 Istio/02-Traffic_management/__XX-TLS-PASSTHROUGH/authentication.yaml create mode 100755 Istio/02-Traffic_management/__XX-TLS-PASSTHROUGH/bk_old_nonworking_gateway.yaml create mode 100755 Istio/02-Traffic_management/__XX-TLS-PASSTHROUGH/deployment.yaml create mode 100755 Istio/02-Traffic_management/__XX-TLS-PASSTHROUGH/gateway-02.yaml create mode 100755 Istio/02-Traffic_management/__XX-TLS-PASSTHROUGH/gateway.yaml create mode 100644 Istio/02-Traffic_management/__XX-TLS-PASSTHROUGH/ingress.yaml create mode 100644 Istio/02-Traffic_management/__XX-TLS-PASSTHROUGH/server.conf create mode 100644 Istio/02-Traffic_management/__XX-TLS-PASSTHROUGH_BK_pcap_see_encrypted_traffic/Dockerfile create mode 100644 Istio/02-Traffic_management/__XX-TLS-PASSTHROUGH_BK_pcap_see_encrypted_traffic/README.md create mode 100644 Istio/02-Traffic_management/__XX-TLS-PASSTHROUGH_BK_pcap_see_encrypted_traffic/authentication.yaml create mode 100755 Istio/02-Traffic_management/__XX-TLS-PASSTHROUGH_BK_pcap_see_encrypted_traffic/bk_old_nonworking_gateway.yaml create mode 100755 Istio/02-Traffic_management/__XX-TLS-PASSTHROUGH_BK_pcap_see_encrypted_traffic/deployment.yaml create mode 100755 Istio/02-Traffic_management/__XX-TLS-PASSTHROUGH_BK_pcap_see_encrypted_traffic/gateway-02.yaml create mode 100755 Istio/02-Traffic_management/__XX-TLS-PASSTHROUGH_BK_pcap_see_encrypted_traffic/gateway.yaml create mode 100644 Istio/02-Traffic_management/__XX-TLS-PASSTHROUGH_BK_pcap_see_encrypted_traffic/ingress.yaml create mode 
100644 Istio/02-Traffic_management/__XX-TLS-PASSTHROUGH_BK_pcap_see_encrypted_traffic/server.conf diff --git a/.gitignore b/.gitignore index 85e7c1d..9cef47e 100644 --- a/.gitignore +++ b/.gitignore @@ -1 +1,2 @@ /.idea/ +/Istio/02-Traffic_management/XX-HTTPS-backend/ diff --git a/Istio/00-Troubleshooting/README.md b/Istio/00-Troubleshooting/README.md index 8477018..340f1c4 100644 --- a/Istio/00-Troubleshooting/README.md +++ b/Istio/00-Troubleshooting/README.md @@ -55,6 +55,8 @@ Warning [IST0104] (Gateway default/helloworld-gateway) The gateway refers to a p Target a pod and start a packet capture on the istio-proxy container. +This step requires istio to be installed with the flag `values.global.proxy.privileged=true` + ```shell $ kubectl exec -n default "$(kubectl get pod -n default -l app=helloworld -o jsonpath={.items..metadata.name})" -c istio-proxy -- sudo tcpdump dst port 80 -A tcpdump: verbose output suppressed, use -v[v]... for full protocol decode diff --git a/Istio/02-Traffic_management/XX-HTTP2-gateway-made-it-work/Dockerfile b/Istio/02-Traffic_management/XX-HTTP2-gateway-made-it-work/Dockerfile new file mode 100644 index 0000000..e3df53b --- /dev/null +++ b/Istio/02-Traffic_management/XX-HTTP2-gateway-made-it-work/Dockerfile @@ -0,0 +1,13 @@ +FROM nginx + +ADD server.conf /etc/nginx/conf.d/default.conf + +# RUN apt-get update && \ +# apt-get install apache2 openssl -y && \ +# a2ensite default-ssl && \ +# a2enmod ssl && \ + +RUN mkdir -p /var/www/html +RUN echo "

Howdy

" | tee /var/www/html/index.html + +RUN openssl req -x509 -sha256 -nodes -days 358000 -subj '/O=SSL EXAMPLE/CN=lb.net' -newkey rsa:2048 -keyout /cert.key -out /cert.crt \ No newline at end of file diff --git a/Istio/02-Traffic_management/XX-HTTP2-gateway-made-it-work/README.md b/Istio/02-Traffic_management/XX-HTTP2-gateway-made-it-work/README.md new file mode 100644 index 0000000..bdab5da --- /dev/null +++ b/Istio/02-Traffic_management/XX-HTTP2-gateway-made-it-work/README.md 
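Review bot: The `RUN openssl req ... -keyout /cert.key -out /cert.crt` step generates the TLS private key at build time and leaves it in an image layer, so every registry copy and every node that pulls the image holds the key, and `-days 358000` means it effectively never expires. That is fine for a throwaway demo but should be said on the line: `# demo only: key is generated at build time and shipped inside the image; for anything real, mount cert/key from a Secret at runtime`. Minor: `ADD server.conf ...` can be `COPY server.conf ...` since no archive or URL handling is needed, and `FROM nginx` floats on the default tag. The same Dockerfile is added again under `__XX-TLS-PASSTHROUGH`, whose hunk starts at the end of this chunk.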
@@ -0,0 +1,321 @@ +--- +gitea: none +include_toc: true +--- + +# Based on + +- [08a-HTTPS-min-TLS-version](../08a-HTTPS-min-TLS-version) + +# Description + +The previous example was modified set the gateway to enable for HTTP2 traffic. + +https://stackoverflow.com/a/59610581 + + +# Changelog + +## Gateway + +```yaml +apiVersion: networking.istio.io/v1alpha3 +kind: Gateway +metadata: + name: helloworld-gateway +spec: + selector: + istio: ingressgateway + servers: + - port: + number: 443 + name: secure-http2 + protocol: HTTP2 + hosts: + - "*" + tls: + mode: SIMPLE + credentialName: my-tls-cert-secret + minProtocolVersion: TLSV1_2 +``` + +`` + +# Walkthrough + + +## Generate client and server certificate and key files + +First step will be to generate the certificate and key files to be able to set them to the Gateway resource. + +### Create a folder to store files. + +Create the folder to contain the files that will be generated. + +```shell +mkdir certfolder +``` + +### Create a certificate and a private key. + +```shell +openssl req -x509 -sha256 -nodes -days 365 -subj '/O=Internet of things/CN=lb.net' -newkey rsa:2048 -keyout certfolder/istio.cert.key -out certfolder/istio.cert.crt +``` + +The files generated are the following: + +```yaml +private-key: certfolder/istio.cert.key +root-certificate: certfolder/istio.cert.crt +``` + +The information set to the certificate generated is the following: + +```yaml +Organization-name: Internet of things +CN: lb.net +``` + +### Create a TLS secret + +At this step we create the tls secret `my-tls-cert-secret` on the namespace `istio-system`. 
+ +```shell +kubectl create -n istio-system secret tls my-tls-cert-secret \ + --key=certfolder/istio.cert.key \ + --cert=certfolder/istio.cert.crt +``` +```text +secret/my-tls-cert-secret created +``` +```text +service/helloworld created +deployment.apps/helloworld-nginx created +gateway.networking.istio.io/helloworld-gateway created +virtualservice.networking.istio.io/helloworld-vs created +``` + +> **Note:**\ +> It's Important that the secret is located in the same namespace as the Load Balancer used. In my case is the `istio-system`, but it will vary based on the environment. + + +## Deploy resources + +```shell +kubectl apply -f ./ +``` +```text +service/helloworld created +deployment.apps/helloworld-nginx created +gateway.networking.istio.io/helloworld-gateway created +virtualservice.networking.istio.io/helloworld-vs created +``` + +## Test the service +### http2 +#### Curl HTTP1 + +```shell +curl 192.168.1.50/helloworld -s -o=/dev/null -w 'http_version: %{http_version}\nstatus_code: %{response_code}\n' -HHOST:http2.lb --http1.0 +``` +```text +http_version: 1.1 +status_code: 426 +``` + +#### Curl HTTP1.1 + +```shell +curl 192.168.1.50/helloworld -s -o=/dev/null -w 'http_version: %{http_version}\nstatus_code: %{response_code}\n' -HHOST:http2.lb --http1.1 +``` +```text +http_version: 1.1 +status_code: 200 +``` + +#### Curl HTTP2 + +```shell +curl 192.168.1.50/helloworld -s -o=/dev/null -w 'http_version: %{http_version}\nstatus_code: %{response_code}\n' -HHOST:http2.lb --http2 +``` +```text +http_version: 1.1 +status_code: 200 +``` + +### http1-web + +#### Curl HTTP1 + +```shell +curl 192.168.1.50/helloworld -s -o=/dev/null -w 'http_version: %{http_version}\nstatus_code: %{response_code}\n' -HHOST:http1.lb --http1.0 +``` +```text +http_version: 1.1 +status_code: 426 +``` + +#### Curl HTTP1.1 + +```shell +curl 192.168.1.50/helloworld -s -o=/dev/null -w 'http_version: %{http_version}\nstatus_code: %{response_code}\n' -HHOST:http1.lb --http1.1 +``` +```text 
+http_version: 1.1 +status_code: 200 +``` + +#### Curl HTTP2 + +```shell +curl 192.168.1.50/helloworld -s -o=/dev/null -w 'http_version: %{http_version}\nstatus_code: %{response_code}\n' -HHOST:http1.lb --http2 +``` +```text +http_version: 1.1 +status_code: 200 +``` + +## Cleanup + +```shell +kubectl delete -f ./ +``` + +```text +service "helloworld" deleted +deployment.apps "helloworld-nginx" deleted +gateway.networking.istio.io "helloworld-gateway" deleted +virtualservice.networking.istio.io "helloworld-vs" deleted +``` + +# Links of Interest + +- https://istio.io/latest/docs/reference/config/networking/gateway/#ServerTLSSettings-TLSProtocol + +- https://stackoverflow.com/a/51279606 + +- https://istio.io/latest/docs/reference/config/networking/destination-rule/#ConnectionPoolSettings-HTTPSettings-H2UpgradePolicy + + + +docker buildx build --push --platform linux/arm/v7,linux/arm64/v8,linux/amd64 --tag registery.filter.home:5000/https-demo:latest -f Dockerfile + + +docker buildx build --push --platform linux/arm/v7,linux/arm64/v8,linux/amd64 --tag registery.filter.home:5000/https-demo:latest . +[+] Building 0.0s (0/0) +ERROR: multiple platforms feature is currently not supported for docker driver. Please switch to a different driver (eg. "docker buildx create --use") + +--- +## Create the Dockerfile + +```bash +FROM ubuntu/apache2 + +RUN apt-get update && \ +apt-get install apache2 openssl -y && \ +a2ensite default-ssl && \ +a2enmod ssl && \ +echo "

Howdy

" | tee /var/www/html/index.html + +RUN /usr/bin/printf "\n\ + ServerAdmin webmaster@localhost\n\ + DocumentRoot /var/www/html\n\ + ErrorLog \${APACHE_LOG_DIR}/error.log\n\ + CustomLog \${APACHE_LOG_DIR}/access.log combined\n\ +\n\ +\n\ + ServerAdmin webmaster@localhost\n\ + DocumentRoot /var/www/html\n\ + ErrorLog \${APACHE_LOG_DIR}/error.log\n\ + CustomLog \${APACHE_LOG_DIR}/access.log combined\n\ + SSLEngine on\n\ + SSLCertificateFile /etc/ssl/certs/ssl-cert-snakeoil.pem\n\ + SSLCertificateKeyFile /etc/ssl/private/ssl-cert-snakeoil.key\n\ +" > /etc/apache2/sites-available/000-default.conf + +RUN openssl req -x509 -sha256 -nodes -days 358000 -subj '/O=SSL EXAMPLE/CN=lb.net' -newkey rsa:2048 -keyout /etc/ssl/private/ssl-cert-snakeoil.key -out /etc/ssl/certs/ssl-cert-snakeoil.pem +``` + +## Build the image + +Due to my Kubernetes cluster environment, where I am using Orange 5, their architecture is arm7, and for such, I require to compile such images. + +For my own commodity, I have used a raspberry pi 4 to build this images. + +The images where pushed to a local registry server, and afterwards the Kubernetes cluster will pull such image. + +```shell + docker build --tag https-demo:armv7 . +``` +```text +docker build --tag https-demo:armv7 . 
--no-cache +[+] Building 16.5s (8/8) FINISHED + => [internal] load .dockerignore 0.0s + => => transferring context: 2B 0.0s + => [internal] load build definition from Dockerfile 0.0s + => => transferring dockerfile: 1.09kB 0.0s + => [internal] load metadata for docker.io/ubuntu/apache2:latest 0.4s + => CACHED [1/4] FROM docker.io/ubuntu/apache2@sha256:0a5e7179fa8fccf17843a8862e58ac783628b7d448cd68fda8fb1e 0.0s + => [2/4] RUN apt-get update && apt-get install apache2 openssl -y && a2ensite default-ssl && a2enmod ssl & 12.0s + => [3/4] RUN /usr/bin/printf "\n ServerAdmin webmaster@localhost\n DocumentRoot /var/www/ 0.7s + => [4/4] RUN openssl req -x509 -sha256 -nodes -days 358000 -subj '/O=SSL EXAMPLE' -newkey rsa:2048 -keyout 2.4s + => exporting to image 1.0s + => => exporting layers 1.0s + => => writing image sha256:591c6d233100a48bf132eef7a792942cfd0b7057817c4ac5e156c1d33e24cd89 0.0s + => => naming to docker.io/library/https-demo:armv7 0.0s +``` + +## Tag the image + +```shell +docker image tag https-demo:armv7 registery.filter.home/https-demo:armv7 +``` + +## Upload to the registery server + +```text +docker image push registery.filter.home:5000/https-demo:armv7 +The push refers to repository [registery.filter.home:5000/https-demo] +c6d858706b08: Pushed +9e077e0202f0: Pushed +6ffc708d0cf3: Pushed +69e01b4bf4d7: Pushed +17c5b30f3843: Pushed +0b9f60fbcaf1: Pushed +armv7: digest: sha256:d8c81c27f23bf3945ae8a794c82182f9e6c48ec927f388fdf4a88caa0e284bd1 size: 1578 +``` + + + +## ? +curl: (35) OpenSSL/3.0.8: error:0A00010B:SSL routines::wrong version numbe + + + + + +--- + + +Has apache2 installed with a default certificate. + +Port 80 visible for HTTP + +Port 443 visible for HTTPS. 
+ + + + +curl https:/192.168.1.2:8443 -s -o=/dev/null -w 'http_version: %{http_version}\nstatus_code: %{response_code}\n' -HHOST:http1.lb --http2 -k +http_version: 2 +status_code: 200 + + + +```shell +curl --insecure --resolve lb.net:80:192.168.1.50 http://lb.net +``` + +```shell +curl --insecure --resolve lb.net:443:192.168.1.50 https://lb.net +``` diff --git a/Istio/02-Traffic_management/XX-HTTP2-gateway-made-it-work/authentication.yaml b/Istio/02-Traffic_management/XX-HTTP2-gateway-made-it-work/authentication.yaml new file mode 100644 index 0000000..7553d94 --- /dev/null +++ b/Istio/02-Traffic_management/XX-HTTP2-gateway-made-it-work/authentication.yaml @@ -0,0 +1,8 @@ +apiVersion: security.istio.io/v1beta1 +kind: PeerAuthentication +metadata: + name: default-mtls + namespace: default +spec: + mtls: + mode: PERMISSIVE diff --git a/Istio/02-Traffic_management/XX-HTTP2-gateway-made-it-work/deployment.yaml b/Istio/02-Traffic_management/XX-HTTP2-gateway-made-it-work/deployment.yaml new file mode 100755 index 0000000..afeb40d --- /dev/null +++ b/Istio/02-Traffic_management/XX-HTTP2-gateway-made-it-work/deployment.yaml 
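Review bot: The PeerAuthentication `default-mtls` has no `selector`, so `mode: PERMISSIVE` applies to every sidecar in namespace `default`, and PERMISSIVE means those sidecars accept plaintext as well as mTLS on every port. Nothing in the file says that is deliberate for the demo; a comment on the `mtls:` line would make the intent and the follow-up explicit: `# PERMISSIVE: namespace-wide, accepts plaintext and mTLS; move to STRICT once the HTTPS backend path is confirmed`.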
@@ -0,0 +1,80 @@
+apiVersion: v1
+kind: Service
+metadata:
+ name: helloworld
+ labels:
+ app: helloworld
+ service: helloworld
+spec:
+ ports:
+ - port: 8080
+ name: http-s
+ targetPort: 80
+ protocol: TCP
+ appProtocol: HTTP
+
+ - port: 8443
+ name: https
+ targetPort: 443
+ protocol: TCP
+ appProtocol: https
+ selector:
+ app: helloworld
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: helloworld-nginx
+ labels:
+ app: helloworld
+spec:
+ replicas: 1
+ selector:
+ matchLabels:
+ app: helloworld
+ template:
+ metadata:
+ labels:
+ app: helloworld
+ sidecar.istio.io/inject: "true"
+ spec:
+ containers:
+ - name: helloworld
+ image: oriolfilter/https-apache-demo:armv7
+ resources:
+ requests:
+ cpu: "100m"
+ imagePullPolicy: Always #Always
+ ports:
+ - containerPort: 80
+ - containerPort: 443
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: nginx
+ labels:
+ app: nginx
+ version: v1
+spec:
+ replicas: 1
+ selector:
+ matchLabels:
+ app: nginx
+ version: v1
+ template:
+ metadata:
+ labels:
+ app: nginx
+ version: v1
+ spec:
+ # serviceAccountName: istio-helloworld
+ containers:
+ - name: nginx
+ image: nginx
+ resources:
+ requests:
+ cpu: "100m"
+ imagePullPolicy: IfNotPresent
+ ports:
+ - containerPort: 80
\ No newline at end of file
diff --git a/Istio/02-Traffic_management/XX-HTTP2-gateway-made-it-work/gateway.yaml b/Istio/02-Traffic_management/XX-HTTP2-gateway-made-it-work/gateway.yaml
new file mode 100755
index 0000000..1fe0fa3
--- /dev/null
+++ b/Istio/02-Traffic_management/XX-HTTP2-gateway-made-it-work/gateway.yaml
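Review bot: The `helloworld` container pulls the mutable tag `oriolfilter/https-apache-demo:armv7` with `imagePullPolicy: Always`, so each pod start re-resolves the tag and may run content other than what was tested. Pinning by digest avoids that: `image: oriolfilter/https-apache-demo@sha256:<digest>` (placeholder; take the digest from the registry push output). The image name suggests an apache build while the Dockerfile in the same directory builds on `nginx` with `server.conf`, so it is not clear this Deployment actually uses the Dockerfile added here; a one-line comment naming which image the demo expects would help, and the stale `#Always` trailing comment on `imagePullPolicy` can go. The identical file is added as `XX-HTTPS-backend/deployment.yaml` further down.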
@@ -0,0 +1,118 @@
+apiVersion: networking.istio.io/v1alpha3
+kind: Gateway
+metadata:
+ name: helloworld-gateway
+spec:
+ selector:
+# istio: myingressgateway
+ istio: ingressgateway
+ servers:
+# - port:
+# number: 443
+# name: secure-http2
+# protocol: HTTP2
+# hosts:
+# - "*"
+ - port:
+ number: 80
+ name: http2-i
+ protocol: HTTP2
+ hosts:
+ - "*"
+ - port:
+ number: 443
+ name: https-i
+ protocol: HTTPS
+ hosts:
+ - "*"
+ tls:
+ credentialName: my-tls-cert-secret
+ minProtocolVersion: TLSV1_2
+#
+ mode: SIMPLE
+---
+apiVersion: networking.istio.io/v1alpha3
+kind: VirtualService
+metadata:
+ name: helloworld-vs
+spec:
+ hosts:
+ - "*"
+ gateways:
+ - helloworld-gateway
+ http:
+ - name: http-vs
+ match:
+ - port: 80
+ route:
+ - destination:
+ host: helloworld.default.svc.cluster.local
+ port:
+ number: 8080
+ - name: https-vs
+ match:
+ - port: 443
+ route:
+ - destination:
+ host: helloworld.default.svc.cluster.local
+ port:
+ number: 8443
+---
+apiVersion: networking.istio.io/v1alpha3
+kind: DestinationRule
+metadata:
+ name: helloworld
+ namespace: default
+spec:
+ host: helloworld.default.svc.cluster.local
+ trafficPolicy:
+ portLevelSettings:
+ - port:
+ number: 8080
+ tls:
+ mode: DISABLE
+
+ - port:
+ number: 8443
+ tls:
+# credentialName: client-credential
+ mode: SIMPLE
+
+# port:
+# name: https-backend
+# number: 8443
+# protocol: HTTPS
+# tls:
+# credentialName: my-tls-cert-secret
+# mode: SIMPLE
+# tcp:
+## - match:
+## - port: 80
+## route:
+## - destination:
+## host: helloworld
+## port:
+## number: 8080
+## - match:
+## - port: 443
+# - route:
+# - destination:
+# host: helloworld
+# port:
+# number: 8443
+#
+# tls:
+# - match:
+# - port: 443
+# sniHosts:
+# - "hello.si"
+## - uri:
+## exact: /helloworld
+# route:
+# - destination:
+# host: helloworld
+# port:
+# number: 8443
+## protocol: HTTPS
+## rewrite:
+## uri: "/"
\ No newline at end of file
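Review bot: The DestinationRule's port-8443 entry sets `tls: mode: SIMPLE` with no `caCertificates` or `sni`, while the backend (per the Dockerfile's openssl line) presents a self-signed certificate for `lb.net`, so whether the sidecar verifies that certificate is left to Istio's version-dependent default rather than stated here. Suggest a comment beside `mode: SIMPLE`: `# no caCertificates: upstream cert is not checked against a trusted CA - demo only; set caCertificates and sni for real use`. The port-80 server with `protocol: HTTP2` and `hosts: "*"` also accepts cleartext h2c for any host; if that exists only for the README's curl tests, a comment saying so would stop it being copied elsewhere. The large commented-out block at the end reads as leftover experiments and could be dropped now that this file is the "made it work" reference. The same file is added again as `XX-HTTPS-backend/gateway.yaml`.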
diff --git a/Istio/02-Traffic_management/XX-HTTP2-gateway-made-it-work/ingress.yaml b/Istio/02-Traffic_management/XX-HTTP2-gateway-made-it-work/ingress.yaml
new file mode 100644
index 0000000..850c2eb
--- /dev/null
+++ b/Istio/02-Traffic_management/XX-HTTP2-gateway-made-it-work/ingress.yaml
@@ -0,0 +1,29 @@
+apiVersion: install.istio.io/v1alpha1
+kind: IstioOperator
+metadata:
+ name: ingress
+spec:
+ profile: empty # Do not install CRDs or the control plane
+ components:
+ ingressGateways:
+ - name: myistio-ingressgateway
+ namespace: istio-ingress
+ enabled: true
+ label:
+ istio: myingressgateway
+ k8s:
+ service:
+ ports:
+ - name: https-ingress
+ port: 443
+ protocol: TCP
+ targetPort: 1055
+ - name: http-ingress
+ port: 80
+ protocol: TCP
+ targetPort: 1085
+
+ values:
+ gateways:
+ istio-ingressgateway:
+ injectionTemplate: gateway
diff --git a/Istio/02-Traffic_management/XX-HTTP2-gateway-made-it-work/server.conf b/Istio/02-Traffic_management/XX-HTTP2-gateway-made-it-work/server.conf
new file mode 100644
index 0000000..1b7c17a
--- /dev/null
+++ b/Istio/02-Traffic_management/XX-HTTP2-gateway-made-it-work/server.conf
@@ -0,0 +1,37 @@
+server {
+ listen 80;
+# rewrite ^ https://$server_name$request_uri? permanent;
+
+ server_name lb.net;
+
+ access_log /var/log/nginx/access.log;
+ error_log /var/log/nginx/error.log info;
+
+ add_header Strict-Transport-Security "max-age=7200";
+
+ root /var/www/html;
+ index index.html;
+}
+
+server {
+ listen 443 ssl default_server http2;
+
+ ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3;
+
+ ssl_ciphers ALL:!aNULL:!ADH:!eNULL:!LOW:!EXP:RC4+RSA:+HIGH:+MEDIUM;
+
+ server_name lb.net;
+
+ access_log /var/log/nginx/access.log;
+ error_log /var/log/nginx/error.log info;
+
+ ssl on;
+ ssl_certificate /cert.crt;
+ ssl_certificate_key /cert.key;
+ ssl_session_timeout 5m;
+
+ add_header Strict-Transport-Security "max-age=7200";
+
+ root /var/www/html;
+ index index.html;
+}
\ No newline at end of file
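Review bot: The ingress gateway defined here carries the label `istio: myingressgateway` in namespace `istio-ingress`, but `gateway.yaml` in the same directory selects `istio: ingressgateway` (its `myingressgateway` line is commented out), so nothing in this change binds a Gateway to this IstioOperator. If the file is kept as an alternative, a header comment such as `# optional: dedicated ingress gateway; switch gateway.yaml's selector to istio: myingressgateway to use it` would say whether it is meant to be applied at all.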
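Review bot: The port-443 server enables `ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3` and a cipher list that re-adds `RC4+RSA` and `MEDIUM`, so the sidecar-to-nginx hop can negotiate TLS 1.0 or RC4 even though the Gateway sets `minProtocolVersion: TLSV1_2` at the edge. Suggest `ssl_protocols TLSv1.2 TLSv1.3;` and `ssl_ciphers HIGH:!aNULL:!MD5;` (nginx's own defaults), and drop `ssl on;` — `listen 443 ssl default_server http2;` already enables TLS and the `ssl` directive has been deprecated for years, so a floating `FROM nginx` may one day refuse the config. The `add_header Strict-Transport-Security` in the port-80 server is ignored by browsers, which only honour HSTS received over HTTPS, so it can be removed there. Per the diffstat the same server.conf is added again under `__XX-TLS-PASSTHROUGH` and `__XX-TLS-PASSTHROUGH_BK_pcap_see_encrypted_traffic`.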
diff --git a/Istio/02-Traffic_management/XX-HTTPS-backend/README.md b/Istio/02-Traffic_management/XX-HTTPS-backend/README.md new file mode 100644 index 0000000..ad5fd8a --- /dev/null +++ b/Istio/02-Traffic_management/XX-HTTPS-backend/README.md 
@@ -0,0 +1,311 @@ +--- +gitea: none +include_toc: true +--- + +# Based on + +- [08a-HTTPS-min-TLS-version](../08a-HTTPS-min-TLS-version) + +# Description + +The previous example was modified set the gateway to enable for HTTP2 traffic. + +https://stackoverflow.com/a/59610581 + + +# Changelog + +## Gateway + +```yaml +apiVersion: networking.istio.io/v1alpha3 +kind: Gateway +metadata: + name: helloworld-gateway +spec: + selector: + istio: ingressgateway + servers: + - port: + number: 443 + name: secure-http2 + protocol: HTTP2 + hosts: + - "*" + tls: + mode: SIMPLE + credentialName: my-tls-cert-secret + minProtocolVersion: TLSV1_2 +``` + +`` + +# Walkthrough + + +## Generate client and server certificate and key files + +First step will be to generate the certificate and key files to be able to set them to the Gateway resource. + +### Create a folder to store files. + +Create the folder to contain the files that will be generated. + +```shell +mkdir certfolder +``` + +### Create a certificate and a private key. + +```shell +openssl req -x509 -sha256 -nodes -days 365 -subj '/O=Internet of things/CN=lb.net' -newkey rsa:2048 -keyout certfolder/istio.cert.key -out certfolder/istio.cert.crt +``` + +The files generated are the following: + +```yaml +private-key: certfolder/istio.cert.key +root-certificate: certfolder/istio.cert.crt +``` + +The information set to the certificate generated is the following: + +```yaml +Organization-name: Internet of things +CN: lb.net +``` + +### Create a TLS secret + +At this step we create the tls secret `my-tls-cert-secret` on the namespace `istio-system`. 
+ +```shell +kubectl create -n istio-system secret tls my-tls-cert-secret \ + --key=certfolder/istio.cert.key \ + --cert=certfolder/istio.cert.crt +``` +```text +secret/my-tls-cert-secret created +``` +```text +service/helloworld created +deployment.apps/helloworld-nginx created +gateway.networking.istio.io/helloworld-gateway created +virtualservice.networking.istio.io/helloworld-vs created +``` + +> **Note:**\ +> It's Important that the secret is located in the same namespace as the Load Balancer used. In my case is the `istio-system`, but it will vary based on the environment. + + +## Deploy resources + +```shell +kubectl apply -f ./ +``` +```text +service/helloworld created +deployment.apps/helloworld-nginx created +gateway.networking.istio.io/helloworld-gateway created +virtualservice.networking.istio.io/helloworld-vs created +``` + +## Test the service +### http2 +#### Curl HTTP1 + +```shell +curl 192.168.1.50/helloworld -s -o=/dev/null -w 'http_version: %{http_version}\nstatus_code: %{response_code}\n' -HHOST:http2.lb --http1.0 +``` +```text +http_version: 1.1 +status_code: 426 +``` + +#### Curl HTTP1.1 + +```shell +curl 192.168.1.50/helloworld -s -o=/dev/null -w 'http_version: %{http_version}\nstatus_code: %{response_code}\n' -HHOST:http2.lb --http1.1 +``` +```text +http_version: 1.1 +status_code: 200 +``` + +#### Curl HTTP2 + +```shell +curl 192.168.1.50/helloworld -s -o=/dev/null -w 'http_version: %{http_version}\nstatus_code: %{response_code}\n' -HHOST:http2.lb --http2 +``` +```text +http_version: 1.1 +status_code: 200 +``` + +### http1-web + +#### Curl HTTP1 + +```shell +curl 192.168.1.50/helloworld -s -o=/dev/null -w 'http_version: %{http_version}\nstatus_code: %{response_code}\n' -HHOST:http1.lb --http1.0 +``` +```text +http_version: 1.1 +status_code: 426 +``` + +#### Curl HTTP1.1 + +```shell +curl 192.168.1.50/helloworld -s -o=/dev/null -w 'http_version: %{http_version}\nstatus_code: %{response_code}\n' -HHOST:http1.lb --http1.1 +``` +```text 
+http_version: 1.1 +status_code: 200 +``` + +#### Curl HTTP2 + +```shell +curl 192.168.1.50/helloworld -s -o=/dev/null -w 'http_version: %{http_version}\nstatus_code: %{response_code}\n' -HHOST:http1.lb --http2 +``` +```text +http_version: 1.1 +status_code: 200 +``` + +## Cleanup + +```shell +kubectl delete -f ./ +``` + +```text +service "helloworld" deleted +deployment.apps "helloworld-nginx" deleted +gateway.networking.istio.io "helloworld-gateway" deleted +virtualservice.networking.istio.io "helloworld-vs" deleted +``` + +# Links of Interest + +- https://istio.io/latest/docs/reference/config/networking/gateway/#ServerTLSSettings-TLSProtocol + +- https://stackoverflow.com/a/51279606 + +- https://istio.io/latest/docs/reference/config/networking/destination-rule/#ConnectionPoolSettings-HTTPSettings-H2UpgradePolicy + + + +docker buildx build --push --platform linux/arm/v7,linux/arm64/v8,linux/amd64 --tag registery.filter.home:5000/https-demo:latest -f Dockerfile + + +docker buildx build --push --platform linux/arm/v7,linux/arm64/v8,linux/amd64 --tag registery.filter.home:5000/https-demo:latest . +[+] Building 0.0s (0/0) +ERROR: multiple platforms feature is currently not supported for docker driver. Please switch to a different driver (eg. "docker buildx create --use") + +--- +## Create the Dockerfile + +```bash +FROM ubuntu/apache2 + +RUN apt-get update && \ +apt-get install apache2 openssl -y && \ +a2ensite default-ssl && \ +a2enmod ssl && \ +echo "

Howdy

" | tee /var/www/html/index.html + +RUN /usr/bin/printf "\n\ + ServerAdmin webmaster@localhost\n\ + DocumentRoot /var/www/html\n\ + ErrorLog \${APACHE_LOG_DIR}/error.log\n\ + CustomLog \${APACHE_LOG_DIR}/access.log combined\n\ +\n\ +\n\ + ServerAdmin webmaster@localhost\n\ + DocumentRoot /var/www/html\n\ + ErrorLog \${APACHE_LOG_DIR}/error.log\n\ + CustomLog \${APACHE_LOG_DIR}/access.log combined\n\ + SSLEngine on\n\ + SSLCertificateFile /etc/ssl/certs/ssl-cert-snakeoil.pem\n\ + SSLCertificateKeyFile /etc/ssl/private/ssl-cert-snakeoil.key\n\ +" > /etc/apache2/sites-available/000-default.conf + +RUN openssl req -x509 -sha256 -nodes -days 358000 -subj '/O=SSL EXAMPLE/CN=lb.net' -newkey rsa:2048 -keyout /etc/ssl/private/ssl-cert-snakeoil.key -out /etc/ssl/certs/ssl-cert-snakeoil.pem +``` + +## Build the image + +Due to my Kubernetes cluster environment, where I am using Orange 5, their architecture is arm7, and for such, I require to compile such images. + +For my own commodity, I have used a raspberry pi 4 to build this images. + +The images where pushed to a local registry server, and afterwards the Kubernetes cluster will pull such image. + +```shell + docker build --tag https-demo:armv7 . +``` +```text +docker build --tag https-demo:armv7 . 
--no-cache +[+] Building 16.5s (8/8) FINISHED + => [internal] load .dockerignore 0.0s + => => transferring context: 2B 0.0s + => [internal] load build definition from Dockerfile 0.0s + => => transferring dockerfile: 1.09kB 0.0s + => [internal] load metadata for docker.io/ubuntu/apache2:latest 0.4s + => CACHED [1/4] FROM docker.io/ubuntu/apache2@sha256:0a5e7179fa8fccf17843a8862e58ac783628b7d448cd68fda8fb1e 0.0s + => [2/4] RUN apt-get update && apt-get install apache2 openssl -y && a2ensite default-ssl && a2enmod ssl & 12.0s + => [3/4] RUN /usr/bin/printf "\n ServerAdmin webmaster@localhost\n DocumentRoot /var/www/ 0.7s + => [4/4] RUN openssl req -x509 -sha256 -nodes -days 358000 -subj '/O=SSL EXAMPLE' -newkey rsa:2048 -keyout 2.4s + => exporting to image 1.0s + => => exporting layers 1.0s + => => writing image sha256:591c6d233100a48bf132eef7a792942cfd0b7057817c4ac5e156c1d33e24cd89 0.0s + => => naming to docker.io/library/https-demo:armv7 0.0s +``` + +## Tag the image + +```shell +docker image tag https-demo:armv7 registery.filter.home/https-demo:armv7 +``` + +## Upload to the registery server + +```text +docker image push registery.filter.home:5000/https-demo:armv7 +The push refers to repository [registery.filter.home:5000/https-demo] +c6d858706b08: Pushed +9e077e0202f0: Pushed +6ffc708d0cf3: Pushed +69e01b4bf4d7: Pushed +17c5b30f3843: Pushed +0b9f60fbcaf1: Pushed +armv7: digest: sha256:d8c81c27f23bf3945ae8a794c82182f9e6c48ec927f388fdf4a88caa0e284bd1 size: 1578 +``` + + + +## ? +curl: (35) OpenSSL/3.0.8: error:0A00010B:SSL routines::wrong version numbe + + + + + +--- + + +Has apache2 installed with a default certificate. + +Port 80 visible for HTTP + +Port 443 visible for HTTPS. + + + + +curl https://192.168.1.2:8443 -s -o=/dev/null -w 'http_version: %{http_version}\nstatus_code: %{response_code}\n' -HHOST:http1.lb --http2 -k +http_version: 2 +status_code: 200 \ No newline at end of file 
diff --git a/Istio/02-Traffic_management/XX-HTTPS-backend/deployment.yaml b/Istio/02-Traffic_management/XX-HTTPS-backend/deployment.yaml
new file mode 100755
index 0000000..afeb40d
--- /dev/null
+++ b/Istio/02-Traffic_management/XX-HTTPS-backend/deployment.yaml
@@ -0,0 +1,80 @@
+apiVersion: v1
+kind: Service
+metadata:
+ name: helloworld
+ labels:
+ app: helloworld
+ service: helloworld
+spec:
+ ports:
+ - port: 8080
+ name: http-s
+ targetPort: 80
+ protocol: TCP
+ appProtocol: HTTP
+
+ - port: 8443
+ name: https
+ targetPort: 443
+ protocol: TCP
+ appProtocol: https
+ selector:
+ app: helloworld
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: helloworld-nginx
+ labels:
+ app: helloworld
+spec:
+ replicas: 1
+ selector:
+ matchLabels:
+ app: helloworld
+ template:
+ metadata:
+ labels:
+ app: helloworld
+ sidecar.istio.io/inject: "true"
+ spec:
+ containers:
+ - name: helloworld
+ image: oriolfilter/https-apache-demo:armv7
+ resources:
+ requests:
+ cpu: "100m"
+ imagePullPolicy: Always #Always
+ ports:
+ - containerPort: 80
+ - containerPort: 443
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: nginx
+ labels:
+ app: nginx
+ version: v1
+spec:
+ replicas: 1
+ selector:
+ matchLabels:
+ app: nginx
+ version: v1
+ template:
+ metadata:
+ labels:
+ app: nginx
+ version: v1
+ spec:
+ # serviceAccountName: istio-helloworld
+ containers:
+ - name: nginx
+ image: nginx
+ resources:
+ requests:
+ cpu: "100m"
+ imagePullPolicy: IfNotPresent
+ ports:
+ - containerPort: 80
\ No newline at end of file
diff --git a/Istio/02-Traffic_management/XX-HTTPS-backend/gateway.yaml b/Istio/02-Traffic_management/XX-HTTPS-backend/gateway.yaml
new file mode 100755
index 0000000..1fe0fa3
--- /dev/null
+++ b/Istio/02-Traffic_management/XX-HTTPS-backend/gateway.yaml
@@ -0,0 +1,118 @@
+apiVersion: networking.istio.io/v1alpha3
+kind: Gateway
+metadata:
+ name: helloworld-gateway
+spec:
+ selector:
+# istio: myingressgateway
+ istio: ingressgateway
+ servers:
+# - port:
+# number: 443
+# name: secure-http2
+# protocol: HTTP2
+# hosts:
+# - "*"
+ - port:
+ number: 80
+ name: http2-i
+ protocol: HTTP2
+ hosts:
+ - "*"
+ - port:
+ number: 443
+ name: https-i
+ protocol: HTTPS
+ hosts:
+ - "*"
+ tls:
+ credentialName: my-tls-cert-secret
+ minProtocolVersion: TLSV1_2
+#
+ mode: SIMPLE
+---
+apiVersion: networking.istio.io/v1alpha3
+kind: VirtualService
+metadata:
+ name: helloworld-vs
+spec:
+ hosts:
+ - "*"
+ gateways:
+ - helloworld-gateway
+ http:
+ - name: http-vs
+ match:
+ - port: 80
+ route:
+ - destination:
+ host: helloworld.default.svc.cluster.local
+ port:
+ number: 8080
+ - name: https-vs
+ match:
+ - port: 443
+ route:
+ - destination:
+ host: helloworld.default.svc.cluster.local
+ port:
+ number: 8443
+---
+apiVersion: networking.istio.io/v1alpha3
+kind: DestinationRule
+metadata:
+ name: helloworld
+ namespace: default
+spec:
+ host: helloworld.default.svc.cluster.local
+ trafficPolicy:
+ portLevelSettings:
+ - port:
+ number: 8080
+ tls:
+ mode: DISABLE
+
+ - port:
+ number: 8443
+ tls:
+# credentialName: client-credential
+ mode: SIMPLE
+
+# port:
+# name: https-backend
+# number: 8443
+# protocol: HTTPS
+# tls:
+# credentialName: my-tls-cert-secret
+# mode: SIMPLE
+# tcp:
+## - match:
+## - port: 80
+## route:
+## - destination:
+## host: helloworld
+## port:
+## number: 8080
+## - match:
+## - port: 443
+# - route:
+# - destination:
+# host: helloworld
+# port:
+# number: 8443
+#
+# tls:
+# - match:
+# - port: 443
+# sniHosts:
+# - "hello.si"
+## - uri:
+## exact: /helloworld
+# route:
+# - destination:
+# host: helloworld
+# port:
+# number: 8443
+## protocol: HTTPS
+## rewrite:
+## uri: "/"
\ No newline at end of file
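Review bot: The DestinationRule's port-8443 entry sets `tls: mode: SIMPLE` without `caCertificates`, so the sidecar encrypts the hop to the backend but has no trust root to validate the backend certificate against; on Istio versions that do not verify by default this is encryption without server authentication, and the commented `# credentialName: client-credential` would not change that (it supplies a client certificate, not a CA). If a verified hop is intended, add the CA that signed the backend certificate under the same entry, `caCertificates: <PATH-TO-BACKEND-CA-PEM-IN-SIDECAR>`; if skipping verification is a deliberate demo shortcut, say so with `# demo: backend cert is self-signed and not verified` above `mode: SIMPLE`. The ~40 commented-out VirtualService/DestinationRule variants after that line are dead configuration in a file that the README applies with `kubectl apply -f ./`; git history is the better place for them, leaving only the live objects in the file.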
diff --git a/Istio/02-Traffic_management/__XX-TLS-PASSTHROUGH/Dockerfile b/Istio/02-Traffic_management/__XX-TLS-PASSTHROUGH/Dockerfile
new file mode 100644
index 0000000..e3df53b
--- /dev/null
+++ b/Istio/02-Traffic_management/__XX-TLS-PASSTHROUGH/Dockerfile
@@ -0,0 +1,13 @@
+FROM nginx
+
+ADD server.conf /etc/nginx/conf.d/default.conf
+
+# RUN apt-get update && \
+# apt-get install apache2 openssl -y && \
+# a2ensite default-ssl && \
+# a2enmod ssl && \
+
+RUN mkdir -p /var/www/html
+RUN echo "

Howdy

" | tee /var/www/html/index.html
+
+RUN openssl req -x509 -sha256 -nodes -days 358000 -subj '/O=SSL EXAMPLE/CN=lb.net' -newkey rsa:2048 -keyout /cert.key -out /cert.crt
\ No newline at end of file
diff --git a/Istio/02-Traffic_management/__XX-TLS-PASSTHROUGH/README.md b/Istio/02-Traffic_management/__XX-TLS-PASSTHROUGH/README.md
new file mode 100644
index 0000000..611f8be
--- /dev/null
+++ b/Istio/02-Traffic_management/__XX-TLS-PASSTHROUGH/README.md
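Review bot: `RUN openssl req -x509 ... -days 358000 ... -keyout /cert.key -out /cert.crt` generates the private key during the image build, so `/cert.key` is stored in an image layer, is identical in every container started from the image, and with a roughly 980-year validity is never rotated. That is workable for a lab, but it should be stated on the line itself, e.g. `# demo only: self-signed cert+key baked into the image layer; mount a real cert/key at runtime for anything else`; the same `RUN` line appears in the copy under `__XX-TLS-PASSTHROUGH_BK_pcap_see_encrypted_traffic/Dockerfile`. `FROM nginx` is a floating tag, so rebuilds are not reproducible and will pick up whatever nginx release is current; `FROM nginx:<TAG>@sha256:<DIGEST>` pins it. The `RUN echo "` line is split across several rendered lines in this view, so its full content could not be checked here.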
@@ -0,0 +1,325 @@ +--- +gitea: none +include_toc: true +--- + +# Based on + +- [08a-HTTPS-min-TLS-version](../08a-HTTPS-min-TLS-version) + +# Description + +The previous example was modified set the gateway to enable for HTTP2 traffic. + +https://stackoverflow.com/a/59610581 + + +# Changelog + +## Gateway + +```yaml +apiVersion: networking.istio.io/v1alpha3 +kind: Gateway +metadata: + name: helloworld-gateway +spec: + selector: + istio: ingressgateway + servers: + - port: + number: 443 + name: secure-http2 + protocol: HTTP2 + hosts: + - "*" + tls: + mode: SIMPLE + credentialName: my-tls-cert-secret + minProtocolVersion: TLSV1_2 +``` + +`` + +# Walkthrough + + +## Generate client and server certificate and key files + +First step will be to generate the certificate and key files to be able to set them to the Gateway resource. + +### Create a folder to store files. + +Create the folder to contain the files that will be generated. + +```shell +mkdir certfolder +``` + +### Create a certificate and a private key. + +```shell +openssl req -x509 -sha256 -nodes -days 365 -subj '/O=Internet of things/CN=lb.net' -newkey rsa:2048 -keyout certfolder/istio.cert.key -out certfolder/istio.cert.crt +``` + +The files generated are the following: + +```yaml +private-key: certfolder/istio.cert.key +root-certificate: certfolder/istio.cert.crt +``` + +The information set to the certificate generated is the following: + +```yaml +Organization-name: Internet of things +CN: lb.net +``` + +### Create a TLS secret + +At this step we create the tls secret `my-tls-cert-secret` on the namespace `istio-system`. 
+ +```shell +kubectl create -n istio-system secret tls my-tls-cert-secret \ + --key=certfolder/istio.cert.key \ + --cert=certfolder/istio.cert.crt +``` +```text +secret/my-tls-cert-secret created +``` +```text +service/helloworld created +deployment.apps/helloworld-nginx created +gateway.networking.istio.io/helloworld-gateway created +virtualservice.networking.istio.io/helloworld-vs created +``` + +> **Note:**\ +> It's Important that the secret is located in the same namespace as the Load Balancer used. In my case is the `istio-system`, but it will vary based on the environment. + + +## Deploy resources + +```shell +kubectl apply -f ./ +``` +```text +service/helloworld created +deployment.apps/helloworld-nginx created +gateway.networking.istio.io/helloworld-gateway created +virtualservice.networking.istio.io/helloworld-vs created +``` + +## Test the service +### http2 +#### Curl HTTP1 + +```shell +curl 192.168.1.50/helloworld -s -o=/dev/null -w 'http_version: %{http_version}\nstatus_code: %{response_code}\n' -HHOST:http2.lb --http1.0 +``` +```text +http_version: 1.1 +status_code: 426 +``` + +#### Curl HTTP1.1 + +```shell +curl 192.168.1.50/helloworld -s -o=/dev/null -w 'http_version: %{http_version}\nstatus_code: %{response_code}\n' -HHOST:http2.lb --http1.1 +``` +```text +http_version: 1.1 +status_code: 200 +``` + +#### Curl HTTP2 + +```shell +curl 192.168.1.50/helloworld -s -o=/dev/null -w 'http_version: %{http_version}\nstatus_code: %{response_code}\n' -HHOST:http2.lb --http2 +``` +```text +http_version: 1.1 +status_code: 200 +``` + +### http1-web + +#### Curl HTTP1 + +```shell +curl 192.168.1.50/helloworld -s -o=/dev/null -w 'http_version: %{http_version}\nstatus_code: %{response_code}\n' -HHOST:http1.lb --http1.0 +``` +```text +http_version: 1.1 +status_code: 426 +``` + +#### Curl HTTP1.1 + +```shell +curl 192.168.1.50/helloworld -s -o=/dev/null -w 'http_version: %{http_version}\nstatus_code: %{response_code}\n' -HHOST:http1.lb --http1.1 +``` +```text 
+http_version: 1.1 +status_code: 200 +``` + +#### Curl HTTP2 + +```shell +curl 192.168.1.50/helloworld -s -o=/dev/null -w 'http_version: %{http_version}\nstatus_code: %{response_code}\n' -HHOST:http1.lb --http2 +``` +```text +http_version: 1.1 +status_code: 200 +``` + +## Cleanup + +```shell +kubectl delete -f ./ +``` + +```text +service "helloworld" deleted +deployment.apps "helloworld-nginx" deleted +gateway.networking.istio.io "helloworld-gateway" deleted +virtualservice.networking.istio.io "helloworld-vs" deleted +``` + +# Links of Interest + +- https://istio.io/latest/docs/reference/config/networking/gateway/#ServerTLSSettings-TLSProtocol + +- https://stackoverflow.com/a/51279606 + +- https://istio.io/latest/docs/reference/config/networking/destination-rule/#ConnectionPoolSettings-HTTPSettings-H2UpgradePolicy + + + +docker buildx build --push --platform linux/arm/v7,linux/arm64/v8,linux/amd64 --tag registery.filter.home:5000/https-demo:latest -f Dockerfile + + +docker buildx build --push --platform linux/arm/v7,linux/arm64/v8,linux/amd64 --tag registery.filter.home:5000/https-demo:latest . +[+] Building 0.0s (0/0) +ERROR: multiple platforms feature is currently not supported for docker driver. Please switch to a different driver (eg. "docker buildx create --use") + +--- +## Create the Dockerfile + +```bash +FROM ubuntu/apache2 + +RUN apt-get update && \ +apt-get install apache2 openssl -y && \ +a2ensite default-ssl && \ +a2enmod ssl && \ +echo "

Howdy

" | tee /var/www/html/index.html + +RUN /usr/bin/printf "\n\ + ServerAdmin webmaster@localhost\n\ + DocumentRoot /var/www/html\n\ + ErrorLog \${APACHE_LOG_DIR}/error.log\n\ + CustomLog \${APACHE_LOG_DIR}/access.log combined\n\ +\n\ +\n\ + ServerAdmin webmaster@localhost\n\ + DocumentRoot /var/www/html\n\ + ErrorLog \${APACHE_LOG_DIR}/error.log\n\ + CustomLog \${APACHE_LOG_DIR}/access.log combined\n\ + SSLEngine on\n\ + SSLCertificateFile /etc/ssl/certs/ssl-cert-snakeoil.pem\n\ + SSLCertificateKeyFile /etc/ssl/private/ssl-cert-snakeoil.key\n\ +" > /etc/apache2/sites-available/000-default.conf + +RUN openssl req -x509 -sha256 -nodes -days 358000 -subj '/O=SSL EXAMPLE/CN=lb.net' -newkey rsa:2048 -keyout /etc/ssl/private/ssl-cert-snakeoil.key -out /etc/ssl/certs/ssl-cert-snakeoil.pem +``` + +## Build the image + +Due to my Kubernetes cluster environment, where I am using Orange 5, their architecture is arm7, and for such, I require to compile such images. + +For my own commodity, I have used a raspberry pi 4 to build this images. + +The images where pushed to a local registry server, and afterwards the Kubernetes cluster will pull such image. + +```shell + docker build --tag https-demo:armv7 . +``` +```text +docker build --tag https-demo:armv7 . 
--no-cache +[+] Building 16.5s (8/8) FINISHED + => [internal] load .dockerignore 0.0s + => => transferring context: 2B 0.0s + => [internal] load build definition from Dockerfile 0.0s + => => transferring dockerfile: 1.09kB 0.0s + => [internal] load metadata for docker.io/ubuntu/apache2:latest 0.4s + => CACHED [1/4] FROM docker.io/ubuntu/apache2@sha256:0a5e7179fa8fccf17843a8862e58ac783628b7d448cd68fda8fb1e 0.0s + => [2/4] RUN apt-get update && apt-get install apache2 openssl -y && a2ensite default-ssl && a2enmod ssl & 12.0s + => [3/4] RUN /usr/bin/printf "\n ServerAdmin webmaster@localhost\n DocumentRoot /var/www/ 0.7s + => [4/4] RUN openssl req -x509 -sha256 -nodes -days 358000 -subj '/O=SSL EXAMPLE' -newkey rsa:2048 -keyout 2.4s + => exporting to image 1.0s + => => exporting layers 1.0s + => => writing image sha256:591c6d233100a48bf132eef7a792942cfd0b7057817c4ac5e156c1d33e24cd89 0.0s + => => naming to docker.io/library/https-demo:armv7 0.0s +``` + +## Tag the image + +```shell +docker image tag https-demo:armv7 registery.filter.home/https-demo:armv7 +``` + +## Upload to the registery server + +```text +docker image push registery.filter.home:5000/https-demo:armv7 +The push refers to repository [registery.filter.home:5000/https-demo] +c6d858706b08: Pushed +9e077e0202f0: Pushed +6ffc708d0cf3: Pushed +69e01b4bf4d7: Pushed +17c5b30f3843: Pushed +0b9f60fbcaf1: Pushed +armv7: digest: sha256:d8c81c27f23bf3945ae8a794c82182f9e6c48ec927f388fdf4a88caa0e284bd1 size: 1578 +``` + + + +## ? +curl: (35) OpenSSL/3.0.8: error:0A00010B:SSL routines::wrong version numbe + + + + + +--- + + +Has apache2 installed with a default certificate. + +Port 80 visible for HTTP + +Port 443 visible for HTTPS. 
+
+
+
+
+curl https://192.168.1.2:8443 -s -o=/dev/null -w 'http_version: %{http_version}\nstatus_code: %{response_code}\n' -HHOST:http1.lb --http2 -k
+http_version: 2
+status_code: 200
+
+# Recv failure: Connection reset by peer
+
+```shell
+kubectl apply -f ./
+```
+
+```shell
+curl --insecure --resolve lb.net:80:192.168.1.50 http://lb.net
+```
+
+```shell
+curl --insecure --resolve lb.net:443:192.168.1.50 https://lb.net
+```
diff --git a/Istio/02-Traffic_management/__XX-TLS-PASSTHROUGH/authentication.yaml b/Istio/02-Traffic_management/__XX-TLS-PASSTHROUGH/authentication.yaml
new file mode 100644
index 0000000..da9883d
--- /dev/null
+++ b/Istio/02-Traffic_management/__XX-TLS-PASSTHROUGH/authentication.yaml
@@ -0,0 +1,11 @@
+apiVersion: security.istio.io/v1beta1
+kind: PeerAuthentication
+metadata:
+ name: default-mtls
+ namespace: default
+spec:
+ mtls:
+ mode: DISABLE
+
+
+#curl -v --resolve ":$SECURE_INGRESS_PORT:$INGRESS_HOST" --cacert example_certs/example.com.crt "https://nginx.example.com:$SECURE_INGRESS_PORT"
diff --git a/Istio/02-Traffic_management/__XX-TLS-PASSTHROUGH/bk_old_nonworking_gateway.yaml b/Istio/02-Traffic_management/__XX-TLS-PASSTHROUGH/bk_old_nonworking_gateway.yaml
new file mode 100755
index 0000000..4305bf6
--- /dev/null
+++ b/Istio/02-Traffic_management/__XX-TLS-PASSTHROUGH/bk_old_nonworking_gateway.yaml
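Review bot: The `PeerAuthentication` named `default-mtls` in namespace `default` sets `mtls: mode: DISABLE` with no `selector`, which switches off sidecar mTLS for every workload in the namespace rather than only for the `helloworld` backend whose port 443 must receive the client's TLS untouched. Scoping it keeps the rest of the namespace protected: add `selector: matchLabels: app: helloworld`, and since only the TLS port needs it, prefer `portLevelMtls: 443: mode: DISABLE` over a workload-wide `mtls.mode`. The commented `#curl -v --resolve ...` line at the bottom references `example_certs/example.com.crt` and `nginx.example.com`, neither of which exists in this directory, so it should be removed or rewritten for the `lb.net` certificate. The identical file under `__XX-TLS-PASSTHROUGH_BK_pcap_see_encrypted_traffic/authentication.yaml` has the same issues.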
@@ -0,0 +1,113 @@
+#apiVersion: networking.istio.io/v1alpha3
+#kind: Gateway
+#metadata:
+# name: helloworld-gateway
+#spec:
+# selector:
+## istio: myingressgateway
+# istio: ingressgateway
+# servers:
+# - hosts:
+# ["lb.net","*.lb.net"]
+# port:
+# name: tls-443
+# number: 443
+# protocol: HTTPS
+# tls:
+# mode: SIMPLE
+# credentialName: my-tls-cert-secret
+# minProtocolVersion: TLSV1_2
+#---
+#apiVersion: networking.istio.io/v1alpha3
+#kind: VirtualService
+#metadata:
+# name: helloworld-vs
+#spec:
+# hosts:
+# - "*"
+# gateways:
+# - helloworld-gateway
+# http:
+## - name: http-vs
+## match:
+## - port: 80
+## route:
+## - destination:
+## host: helloworld.default.svc.cluster.local
+## port:
+## number: 8080
+# - name: https-vs
+# match:
+# - port: 443
+# route:
+# - destination:
+# host: helloworld.default.svc.cluster.local
+# port:
+# number: 443
+##
+## tls:
+## - match:
+## - port: 443
+## sniHosts: ["lb.net"]
+## route:
+## - destination:
+## host: helloworld.default.svc.cluster.local
+## port:
+## number: 443
+##---
+##apiVersion: networking.istio.io/v1alpha3
+##kind: DestinationRule
+##metadata:
+## name: helloworld
+## namespace: default
+##spec:
+## host: helloworld.default.svc.cluster.local
+## trafficPolicy:
+## portLevelSettings:
+## - port:
+## number: 8080
+## tls:
+## mode: DISABLE
+## - port:
+## number: 8443
+## tls:
+## credentialName: client-credential
+## mode: SIMPLE
+## port:
+## name: https-backend
+## number: 8443
+## protocol: HTTPS
+## tls:
+## credentialName: my-tls-cert-secret
+## mode: SIMPLE
+## tcp:
+### - match:
+### - port: 80
+### route:
+### - destination:
+### host: helloworld
+### port:
+### number: 8080
+### - match:
+### - port: 443
+## - route:
+## - destination:
+## host: helloworld
+## port:
+## number: 8443
+##
+## tls:
+## - match:
+## - port: 443
+## sniHosts:
+## - "hello.si"
+### - uri:
+### exact: /helloworld
+## route:
+## - destination:
+## host: helloworld
+## port:
+## number: 8443
+### protocol: HTTPS
+### 
rewrite:
+### uri: "/"
\ No newline at end of file
diff --git a/Istio/02-Traffic_management/__XX-TLS-PASSTHROUGH/deployment.yaml b/Istio/02-Traffic_management/__XX-TLS-PASSTHROUGH/deployment.yaml
new file mode 100755
index 0000000..afeb40d
--- /dev/null
+++ b/Istio/02-Traffic_management/__XX-TLS-PASSTHROUGH/deployment.yaml
@@ -0,0 +1,80 @@
+apiVersion: v1
+kind: Service
+metadata:
+ name: helloworld
+ labels:
+ app: helloworld
+ service: helloworld
+spec:
+ ports:
+ - port: 8080
+ name: http-s
+ targetPort: 80
+ protocol: TCP
+ appProtocol: HTTP
+
+ - port: 8443
+ name: https
+ targetPort: 443
+ protocol: TCP
+ appProtocol: https
+ selector:
+ app: helloworld
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: helloworld-nginx
+ labels:
+ app: helloworld
+spec:
+ replicas: 1
+ selector:
+ matchLabels:
+ app: helloworld
+ template:
+ metadata:
+ labels:
+ app: helloworld
+ sidecar.istio.io/inject: "true"
+ spec:
+ containers:
+ - name: helloworld
+ image: oriolfilter/https-apache-demo:armv7
+ resources:
+ requests:
+ cpu: "100m"
+ imagePullPolicy: Always #Always
+ ports:
+ - containerPort: 80
+ - containerPort: 443
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: nginx
+ labels:
+ app: nginx
+ version: v1
+spec:
+ replicas: 1
+ selector:
+ matchLabels:
+ app: nginx
+ version: v1
+ template:
+ metadata:
+ labels:
+ app: nginx
+ version: v1
+ spec:
+ # serviceAccountName: istio-helloworld
+ containers:
+ - name: nginx
+ image: nginx
+ resources:
+ requests:
+ cpu: "100m"
+ imagePullPolicy: IfNotPresent
+ ports:
+ - containerPort: 80
\ No newline at end of file
diff --git a/Istio/02-Traffic_management/__XX-TLS-PASSTHROUGH/gateway-02.yaml b/Istio/02-Traffic_management/__XX-TLS-PASSTHROUGH/gateway-02.yaml
new file mode 100755
index 0000000..5070950
--- /dev/null
+++ b/Istio/02-Traffic_management/__XX-TLS-PASSTHROUGH/gateway-02.yaml
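Review bot: `bk_old_nonworking_gateway.yaml` is 113 lines of fully commented-out YAML, and `gateway-02.yaml` in the next hunk is 36 more of the same, both in a directory the README applies with `kubectl apply -f ./`; as comment-only files they create no objects, but they obscure which configuration is live and invite someone to uncomment the stale `mode: SIMPLE` plus `credentialName` variant beside the active PASSTHROUGH gateway. The commit message itself calls this a backup, so git history is the better home for it; if the files must stay, a first-line header such as `# NOT APPLIED: superseded by gateway.yaml (PASSTHROUGH); kept for reference only` in each would make their status explicit. The `__XX-TLS-PASSTHROUGH_BK_pcap_see_encrypted_traffic/bk_old_nonworking_gateway.yaml` copy at the end of this diff is the same file with a few extra blank comment lines.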
@@ -0,0 +1,36 @@
+#apiVersion: networking.istio.io/v1beta1
+#kind: Gateway
+#metadata:
+# name: helloworld-gateway
+#spec:
+# selector:
+# istio: ingressgateway
+# servers:
+# - hosts:
+# - "*"
+# port:
+# name: https
+# number: 443
+# protocol: HTTPS
+# tls:
+# mode: PASSTHROUGH
+#---
+#apiVersion: networking.istio.io/v1beta1
+#kind: VirtualService
+#metadata:
+# name: helloworld-vs
+#spec:
+# gateways:
+# - helloworld-gateway
+# hosts: ["lb.net","*.lb.net"]
+## http:
+## - route:
+## - destination:
+## host: helloworld.default.svc.cluster.local
+##spec:
+# tls:
+# - match:
+# - sniHosts: ["lb.net","*.lb.net"]
+# route:
+# - destination:
+# host: helloworld.default.svc.cluster.local
\ No newline at end of file
diff --git a/Istio/02-Traffic_management/__XX-TLS-PASSTHROUGH/gateway.yaml b/Istio/02-Traffic_management/__XX-TLS-PASSTHROUGH/gateway.yaml
new file mode 100755
index 0000000..a313d3a
--- /dev/null
+++ b/Istio/02-Traffic_management/__XX-TLS-PASSTHROUGH/gateway.yaml
@@ -0,0 +1,87 @@
+apiVersion: networking.istio.io/v1alpha3
+kind: Gateway
+metadata:
+ name: helloworld-gateway
+spec:
+ selector:
+ # istio: myingressgateway
+ istio: ingressgateway
+ servers:
+ # - port:
+ # number: 443
+ # name: secure-http2
+ # protocol: HTTP2
+ # hosts:
+ # - "*"
+ - port:
+ number: 80
+ name: http2-i
+ protocol: HTTP2
+ hosts:
+ - "*"
+ - port:
+ number: 443
+ name: https-i
+ protocol: HTTPS
+ hosts:
+ - "*"
+ tls:
+# credentialName: my-tls-cert-secret
+# minProtocolVersion: TLSV1_2
+ #
+ mode: PASSTHROUGH
+---
+apiVersion: networking.istio.io/v1alpha3
+kind: VirtualService
+metadata:
+ name: helloworld-vs
+spec:
+ hosts:
+ - "lb.net"
+ gateways:
+ - helloworld-gateway
+ http:
+ - name: http-vs
+ match:
+ - port: 80
+ route:
+ - destination:
+ host: helloworld.default.svc.cluster.local
+ port:
+ number: 8080
+# - name: https-vs
+# match:
+# - port: 443
+# route:
+# - destination:
+# host: helloworld.default.svc.cluster.local
+# port:
+# number: 8443
+ tls:
+ - match:
+ - port: 443
+ sniHosts: ["lb.net"]
+ route:
+ - destination:
+ host: helloworld.default.svc.cluster.local
+ port:
+ number: 8443
+---
+apiVersion: networking.istio.io/v1alpha3
+kind: DestinationRule
+metadata:
+ name: helloworld
+ namespace: default
+spec:
+ host: helloworld.default.svc.cluster.local
+ trafficPolicy:
+ portLevelSettings:
+ - port:
+ number: 8080
+ tls:
+ mode: DISABLE
+
+ - port:
+ number: 8443
+ tls:
+ mode: DISABLE
diff --git a/Istio/02-Traffic_management/__XX-TLS-PASSTHROUGH/ingress.yaml b/Istio/02-Traffic_management/__XX-TLS-PASSTHROUGH/ingress.yaml
new file mode 100644
index 0000000..850c2eb
--- /dev/null
+++ b/Istio/02-Traffic_management/__XX-TLS-PASSTHROUGH/ingress.yaml
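Review bot: With `mode: PASSTHROUGH` on the port-443 server, the commented-out `# minProtocolVersion: TLSV1_2` has no replacement: the ingress gateway forwards the TLS session by SNI without terminating it, so the minimum TLS version and cipher policy are now whatever the backend in `server.conf` accepts, and that file currently lists TLSv1 and TLSv1.1. A comment at that spot would stop the next reader from expecting gateway-side enforcement, e.g. `# PASSTHROUGH: TLS is terminated by the backend; protocol/cipher policy lives in server.conf`. The port-80 `HTTP2` server still accepts cleartext for `hosts: "*"` and `http-vs` forwards it to 8080 with `tls.mode: DISABLE` in the DestinationRule, so that path is unencrypted end to end; fine for a lab, but worth a one-line comment next to `name: http2-i`. The Gateway's `hosts: "*"` is also wider than the VirtualService's `sniHosts: ["lb.net"]`, so connections presenting any other SNI are accepted by the listener but have no matching route; narrowing the Gateway to `hosts: ["lb.net"]` makes the two agree.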
@@ -0,0 +1,29 @@
+apiVersion: install.istio.io/v1alpha1
+kind: IstioOperator
+metadata:
+ name: ingress
+spec:
+ profile: empty # Do not install CRDs or the control plane
+ components:
+ ingressGateways:
+ - name: myistio-ingressgateway
+ namespace: istio-ingress
+ enabled: true
+ label:
+ istio: myingressgateway
+ k8s:
+ service:
+ ports:
+ - name: https-ingress
+ port: 443
+ protocol: TCP
+ targetPort: 1055
+ - name: http-ingress
+ port: 80
+ protocol: TCP
+ targetPort: 1085
+
+ values:
+ gateways:
+ istio-ingressgateway:
+ injectionTemplate: gateway
diff --git a/Istio/02-Traffic_management/__XX-TLS-PASSTHROUGH/server.conf b/Istio/02-Traffic_management/__XX-TLS-PASSTHROUGH/server.conf
new file mode 100644
index 0000000..1b7c17a
--- /dev/null
+++ b/Istio/02-Traffic_management/__XX-TLS-PASSTHROUGH/server.conf
@@ -0,0 +1,37 @@
+server {
+ listen 80;
+# rewrite ^ https://$server_name$request_uri? permanent;
+
+ server_name lb.net;
+
+ access_log /var/log/nginx/access.log;
+ error_log /var/log/nginx/error.log info;
+
+ add_header Strict-Transport-Security "max-age=7200";
+
+ root /var/www/html;
+ index index.html;
+}
+
+server {
+ listen 443 ssl default_server http2;
+
+ ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3;
+
+ ssl_ciphers ALL:!aNULL:!ADH:!eNULL:!LOW:!EXP:RC4+RSA:+HIGH:+MEDIUM;
+
+ server_name lb.net;
+
+ access_log /var/log/nginx/access.log;
+ error_log /var/log/nginx/error.log info;
+
+ ssl on;
+ ssl_certificate /cert.crt;
+ ssl_certificate_key /cert.key;
+ ssl_session_timeout 5m;
+
+ add_header Strict-Transport-Security "max-age=7200";
+
+ root /var/www/html;
+ index index.html;
+}
\ No newline at end of file
diff --git a/Istio/02-Traffic_management/__XX-TLS-PASSTHROUGH_BK_pcap_see_encrypted_traffic/Dockerfile b/Istio/02-Traffic_management/__XX-TLS-PASSTHROUGH_BK_pcap_see_encrypted_traffic/Dockerfile
new file mode 100644
index 0000000..e3df53b
--- /dev/null
+++ b/Istio/02-Traffic_management/__XX-TLS-PASSTHROUGH_BK_pcap_see_encrypted_traffic/Dockerfile
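Review bot: The IstioOperator labels its gateway `istio: myingressgateway` in namespace `istio-ingress`, but `gateway.yaml` in the same directory selects `istio: ingressgateway` (its `# istio: myingressgateway` line is commented out), so nothing in this example binds to the gateway this manifest would install. Either switch the Gateway selector to `istio: myingressgateway` or drop this file; as it stands, `kubectl apply -f ./` also creates an `IstioOperator` object, which presumably only takes effect where the operator controller is running. The `targetPort: 1055` and `targetPort: 1085` values are unexplained; if they are intentional, a comment such as `# non-default container ports; must match the gateway pod's listeners` next to them would save the next reader from guessing.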
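Review bot: `ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3;` re-enables TLS 1.0 and 1.1, and because the gateway in this directory runs in PASSTHROUGH mode this backend is the only place the accepted TLS versions are decided; change it to `ssl_protocols TLSv1.2 TLSv1.3;`. The `ssl_ciphers ALL:!aNULL:!ADH:!eNULL:!LOW:!EXP:RC4+RSA:+HIGH:+MEDIUM;` list starts from `ALL` and explicitly promotes `RC4+RSA`, a legacy cipher set; with TLS 1.2+ only, nginx's own default `ssl_ciphers HIGH:!aNULL:!MD5;` (or omitting the directive) is the safer choice. `ssl on;` is redundant with `listen 443 ssl` and is a deprecated directive that recent nginx releases remove outright, which matters because the Dockerfile pulls the floating `nginx` tag; delete the line. The `Strict-Transport-Security` header is also emitted from the plain `listen 80` server, where browsers ignore it since HSTS is only honoured over HTTPS.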
@@ -0,0 +1,13 @@
+FROM nginx
+
+ADD server.conf /etc/nginx/conf.d/default.conf
+
+# RUN apt-get update && \
+# apt-get install apache2 openssl -y && \
+# a2ensite default-ssl && \
+# a2enmod ssl && \
+
+RUN mkdir -p /var/www/html
+RUN echo "

Howdy

" | tee /var/www/html/index.html
+
+RUN openssl req -x509 -sha256 -nodes -days 358000 -subj '/O=SSL EXAMPLE/CN=lb.net' -newkey rsa:2048 -keyout /cert.key -out /cert.crt
\ No newline at end of file
diff --git a/Istio/02-Traffic_management/__XX-TLS-PASSTHROUGH_BK_pcap_see_encrypted_traffic/README.md b/Istio/02-Traffic_management/__XX-TLS-PASSTHROUGH_BK_pcap_see_encrypted_traffic/README.md
new file mode 100644
index 0000000..f356e8b
--- /dev/null
+++ b/Istio/02-Traffic_management/__XX-TLS-PASSTHROUGH_BK_pcap_see_encrypted_traffic/README.md
@@ -0,0 +1,313 @@ +--- +gitea: none +include_toc: true +--- + +# Based on + +- [08a-HTTPS-min-TLS-version](../08a-HTTPS-min-TLS-version) + +# Description + +The previous example was modified set the gateway to enable for HTTP2 traffic. + +https://stackoverflow.com/a/59610581 + + +# Changelog + +## Gateway + +```yaml +apiVersion: networking.istio.io/v1alpha3 +kind: Gateway +metadata: + name: helloworld-gateway +spec: + selector: + istio: ingressgateway + servers: + - port: + number: 443 + name: secure-http2 + protocol: HTTP2 + hosts: + - "*" + tls: + mode: SIMPLE + credentialName: my-tls-cert-secret + minProtocolVersion: TLSV1_2 +``` + +`` + +# Walkthrough + + +## Generate client and server certificate and key files + +First step will be to generate the certificate and key files to be able to set them to the Gateway resource. + +### Create a folder to store files. + +Create the folder to contain the files that will be generated. + +```shell +mkdir certfolder +``` + +### Create a certificate and a private key. + +```shell +openssl req -x509 -sha256 -nodes -days 365 -subj '/O=Internet of things/CN=lb.net' -newkey rsa:2048 -keyout certfolder/istio.cert.key -out certfolder/istio.cert.crt +``` + +The files generated are the following: + +```yaml +private-key: certfolder/istio.cert.key +root-certificate: certfolder/istio.cert.crt +``` + +The information set to the certificate generated is the following: + +```yaml +Organization-name: Internet of things +CN: lb.net +``` + +### Create a TLS secret + +At this step we create the tls secret `my-tls-cert-secret` on the namespace `istio-system`. 
+ +```shell +kubectl create -n istio-system secret tls my-tls-cert-secret \ + --key=certfolder/istio.cert.key \ + --cert=certfolder/istio.cert.crt +``` +```text +secret/my-tls-cert-secret created +``` +```text +service/helloworld created +deployment.apps/helloworld-nginx created +gateway.networking.istio.io/helloworld-gateway created +virtualservice.networking.istio.io/helloworld-vs created +``` + +> **Note:**\ +> It's Important that the secret is located in the same namespace as the Load Balancer used. In my case is the `istio-system`, but it will vary based on the environment. + + +## Deploy resources + +```shell +kubectl apply -f ./ +``` +```text +service/helloworld created +deployment.apps/helloworld-nginx created +gateway.networking.istio.io/helloworld-gateway created +virtualservice.networking.istio.io/helloworld-vs created +``` + +## Test the service +### http2 +#### Curl HTTP1 + +```shell +curl 192.168.1.50/helloworld -s -o=/dev/null -w 'http_version: %{http_version}\nstatus_code: %{response_code}\n' -HHOST:http2.lb --http1.0 +``` +```text +http_version: 1.1 +status_code: 426 +``` + +#### Curl HTTP1.1 + +```shell +curl 192.168.1.50/helloworld -s -o=/dev/null -w 'http_version: %{http_version}\nstatus_code: %{response_code}\n' -HHOST:http2.lb --http1.1 +``` +```text +http_version: 1.1 +status_code: 200 +``` + +#### Curl HTTP2 + +```shell +curl 192.168.1.50/helloworld -s -o=/dev/null -w 'http_version: %{http_version}\nstatus_code: %{response_code}\n' -HHOST:http2.lb --http2 +``` +```text +http_version: 1.1 +status_code: 200 +``` + +### http1-web + +#### Curl HTTP1 + +```shell +curl 192.168.1.50/helloworld -s -o=/dev/null -w 'http_version: %{http_version}\nstatus_code: %{response_code}\n' -HHOST:http1.lb --http1.0 +``` +```text +http_version: 1.1 +status_code: 426 +``` + +#### Curl HTTP1.1 + +```shell +curl 192.168.1.50/helloworld -s -o=/dev/null -w 'http_version: %{http_version}\nstatus_code: %{response_code}\n' -HHOST:http1.lb --http1.1 +``` +```text 
+http_version: 1.1 +status_code: 200 +``` + +#### Curl HTTP2 + +```shell +curl 192.168.1.50/helloworld -s -o=/dev/null -w 'http_version: %{http_version}\nstatus_code: %{response_code}\n' -HHOST:http1.lb --http2 +``` +```text +http_version: 1.1 +status_code: 200 +``` + +## Cleanup + +```shell +kubectl delete -f ./ +``` + +```text +service "helloworld" deleted +deployment.apps "helloworld-nginx" deleted +gateway.networking.istio.io "helloworld-gateway" deleted +virtualservice.networking.istio.io "helloworld-vs" deleted +``` + +# Links of Interest + +- https://istio.io/latest/docs/reference/config/networking/gateway/#ServerTLSSettings-TLSProtocol + +- https://stackoverflow.com/a/51279606 + +- https://istio.io/latest/docs/reference/config/networking/destination-rule/#ConnectionPoolSettings-HTTPSettings-H2UpgradePolicy + + + +docker buildx build --push --platform linux/arm/v7,linux/arm64/v8,linux/amd64 --tag registery.filter.home:5000/https-demo:latest -f Dockerfile + + +docker buildx build --push --platform linux/arm/v7,linux/arm64/v8,linux/amd64 --tag registery.filter.home:5000/https-demo:latest . +[+] Building 0.0s (0/0) +ERROR: multiple platforms feature is currently not supported for docker driver. Please switch to a different driver (eg. "docker buildx create --use") + +--- +## Create the Dockerfile + +```bash +FROM ubuntu/apache2 + +RUN apt-get update && \ +apt-get install apache2 openssl -y && \ +a2ensite default-ssl && \ +a2enmod ssl && \ +echo "

Howdy

" | tee /var/www/html/index.html + +RUN /usr/bin/printf "\n\ + ServerAdmin webmaster@localhost\n\ + DocumentRoot /var/www/html\n\ + ErrorLog \${APACHE_LOG_DIR}/error.log\n\ + CustomLog \${APACHE_LOG_DIR}/access.log combined\n\ +\n\ +\n\ + ServerAdmin webmaster@localhost\n\ + DocumentRoot /var/www/html\n\ + ErrorLog \${APACHE_LOG_DIR}/error.log\n\ + CustomLog \${APACHE_LOG_DIR}/access.log combined\n\ + SSLEngine on\n\ + SSLCertificateFile /etc/ssl/certs/ssl-cert-snakeoil.pem\n\ + SSLCertificateKeyFile /etc/ssl/private/ssl-cert-snakeoil.key\n\ +" > /etc/apache2/sites-available/000-default.conf + +RUN openssl req -x509 -sha256 -nodes -days 358000 -subj '/O=SSL EXAMPLE/CN=lb.net' -newkey rsa:2048 -keyout /etc/ssl/private/ssl-cert-snakeoil.key -out /etc/ssl/certs/ssl-cert-snakeoil.pem +``` + +## Build the image + +Due to my Kubernetes cluster environment, where I am using Orange 5, their architecture is arm7, and for such, I require to compile such images. + +For my own commodity, I have used a raspberry pi 4 to build this images. + +The images where pushed to a local registry server, and afterwards the Kubernetes cluster will pull such image. + +```shell + docker build --tag https-demo:armv7 . +``` +```text +docker build --tag https-demo:armv7 . 
--no-cache +[+] Building 16.5s (8/8) FINISHED + => [internal] load .dockerignore 0.0s + => => transferring context: 2B 0.0s + => [internal] load build definition from Dockerfile 0.0s + => => transferring dockerfile: 1.09kB 0.0s + => [internal] load metadata for docker.io/ubuntu/apache2:latest 0.4s + => CACHED [1/4] FROM docker.io/ubuntu/apache2@sha256:0a5e7179fa8fccf17843a8862e58ac783628b7d448cd68fda8fb1e 0.0s + => [2/4] RUN apt-get update && apt-get install apache2 openssl -y && a2ensite default-ssl && a2enmod ssl & 12.0s + => [3/4] RUN /usr/bin/printf "\n ServerAdmin webmaster@localhost\n DocumentRoot /var/www/ 0.7s + => [4/4] RUN openssl req -x509 -sha256 -nodes -days 358000 -subj '/O=SSL EXAMPLE' -newkey rsa:2048 -keyout 2.4s + => exporting to image 1.0s + => => exporting layers 1.0s + => => writing image sha256:591c6d233100a48bf132eef7a792942cfd0b7057817c4ac5e156c1d33e24cd89 0.0s + => => naming to docker.io/library/https-demo:armv7 0.0s +``` + +## Tag the image + +```shell +docker image tag https-demo:armv7 registery.filter.home/https-demo:armv7 +``` + +## Upload to the registery server + +```text +docker image push registery.filter.home:5000/https-demo:armv7 +The push refers to repository [registery.filter.home:5000/https-demo] +c6d858706b08: Pushed +9e077e0202f0: Pushed +6ffc708d0cf3: Pushed +69e01b4bf4d7: Pushed +17c5b30f3843: Pushed +0b9f60fbcaf1: Pushed +armv7: digest: sha256:d8c81c27f23bf3945ae8a794c82182f9e6c48ec927f388fdf4a88caa0e284bd1 size: 1578 +``` + + + +## ? +curl: (35) OpenSSL/3.0.8: error:0A00010B:SSL routines::wrong version numbe + + + + + +--- + + +Has apache2 installed with a default certificate. + +Port 80 visible for HTTP + +Port 443 visible for HTTPS. + + + + +curl https://192.168.1.2:8443 -s -o=/dev/null -w 'http_version: %{http_version}\nstatus_code: %{response_code}\n' -HHOST:http1.lb --http2 -k +http_version: 2 +status_code: 200 + +# Recv failure: Connection reset by peer 
diff --git a/Istio/02-Traffic_management/__XX-TLS-PASSTHROUGH_BK_pcap_see_encrypted_traffic/authentication.yaml b/Istio/02-Traffic_management/__XX-TLS-PASSTHROUGH_BK_pcap_see_encrypted_traffic/authentication.yaml
new file mode 100644
index 0000000..da9883d
--- /dev/null
+++ b/Istio/02-Traffic_management/__XX-TLS-PASSTHROUGH_BK_pcap_see_encrypted_traffic/authentication.yaml
@@ -0,0 +1,11 @@
+apiVersion: security.istio.io/v1beta1
+kind: PeerAuthentication
+metadata:
+ name: default-mtls
+ namespace: default
+spec:
+ mtls:
+ mode: DISABLE
+
+
+#curl -v --resolve ":$SECURE_INGRESS_PORT:$INGRESS_HOST" --cacert example_certs/example.com.crt "https://nginx.example.com:$SECURE_INGRESS_PORT"
diff --git a/Istio/02-Traffic_management/__XX-TLS-PASSTHROUGH_BK_pcap_see_encrypted_traffic/bk_old_nonworking_gateway.yaml b/Istio/02-Traffic_management/__XX-TLS-PASSTHROUGH_BK_pcap_see_encrypted_traffic/bk_old_nonworking_gateway.yaml
new file mode 100755
index 0000000..871a985
--- /dev/null
+++ b/Istio/02-Traffic_management/__XX-TLS-PASSTHROUGH_BK_pcap_see_encrypted_traffic/bk_old_nonworking_gateway.yaml
@@ -0,0 +1,117 @@
+#apiVersion: networking.istio.io/v1alpha3
+#kind: Gateway
+#metadata:
+# name: helloworld-gateway
+#spec:
+# selector:
+## istio: myingressgateway
+# istio: ingressgateway
+# servers:
+# - hosts:
+# ["lb.net","*.lb.net"]
+# port:
+# name: tls-443
+# number: 443
+# protocol: HTTPS
+# tls:
+# mode: SIMPLE
+# credentialName: my-tls-cert-secret
+# minProtocolVersion: TLSV1_2
+#---
+#apiVersion: networking.istio.io/v1alpha3
+#kind: VirtualService
+#metadata:
+# name: helloworld-vs
+#spec:
+# hosts:
+# - "*"
+# gateways:
+# - helloworld-gateway
+# http:
+## - name: http-vs
+## match:
+## - port: 80
+## route:
+## - destination:
+## host: helloworld.default.svc.cluster.local
+## port:
+## number: 8080
+# - name: https-vs
+# match:
+# - port: 443
+# route:
+# - destination:
+# host: helloworld.default.svc.cluster.local
+# port:
+# number: 443
+##
+## tls:
+## - match:
+## - port: 443
+## sniHosts: ["lb.net"]
+## route:
+## - destination:
+## host: helloworld.default.svc.cluster.local
+## port:
+## number: 443
+#
+##---
+##apiVersion: networking.istio.io/v1alpha3
+##kind: DestinationRule
+##metadata:
+## name: helloworld
+## namespace: default
+##spec:
+## host: helloworld.default.svc.cluster.local
+## trafficPolicy:
+## portLevelSettings:
+## - port:
+## number: 8080
+## tls:
+## mode: DISABLE
+#
+## - port:
+## number: 8443
+## tls:
+## credentialName: client-credential
+## mode: SIMPLE
+#
+#
+## port:
+## name: https-backend
+## number: 8443
+## protocol: HTTPS
+## tls:
+## credentialName: my-tls-cert-secret
+## mode: SIMPLE
+## tcp:
+### - match:
+### - port: 80
+### route:
+### - destination:
+### host: helloworld
+### port:
+### number: 8080
+### - match:
+### - port: 443
+## - route:
+## - destination:
+## host: helloworld
+## port:
+## number: 8443
+##
+## tls:
+## - match:
+## - port: 443
+## sniHosts:
+## - "hello.si"
+### - uri:
+### exact: /helloworld
+## route:
+## - destination:
+## host: helloworld
+## port:
+## number: 8443
+### protocol: HTTPS
+### rewrite:
+### uri: "/"
\ No newline at end of file
diff --git a/Istio/02-Traffic_management/__XX-TLS-PASSTHROUGH_BK_pcap_see_encrypted_traffic/deployment.yaml b/Istio/02-Traffic_management/__XX-TLS-PASSTHROUGH_BK_pcap_see_encrypted_traffic/deployment.yaml
new file mode 100755
index 0000000..233c5ed
--- /dev/null
+++ b/Istio/02-Traffic_management/__XX-TLS-PASSTHROUGH_BK_pcap_see_encrypted_traffic/deployment.yaml
@@ -0,0 +1,74 @@
+apiVersion: v1
+kind: Service
+metadata:
+ name: helloworld
+ labels:
+ app: helloworld
+ service: helloworld
+spec:
+ ports:
+ - name: p1
+ port: 80
+ protocol: TCP
+ - name: https
+ port: 443
+ protocol: TCP
+ selector:
+ app: helloworld
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: helloworld-nginx
+ labels:
+ app: helloworld
+spec:
+ replicas: 1
+ selector:
+ matchLabels:
+ app: helloworld
+ template:
+ metadata:
+ labels:
+ app: helloworld
+ sidecar.istio.io/inject: "true"
+ spec:
+ containers:
+ - name: helloworld
+ image: oriolfilter/https-apache-demo:armv7
+ resources:
+ requests:
+ cpu: "100m"
+ imagePullPolicy: IfNotPresent #Always
+ ports:
+ - containerPort: 443
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: nginx
+ labels:
+ app: nginx
+ version: v1
+spec:
+ replicas: 1
+ selector:
+ matchLabels:
+ app: nginx
+ version: v1
+ template:
+ metadata:
+ labels:
+ app: nginx
+ version: v1
+ spec:
+ # serviceAccountName: istio-helloworld
+ containers:
+ - name: nginx
+ image: nginx
+ resources:
+ requests:
+ cpu: "100m"
+ imagePullPolicy: IfNotPresent
+ ports:
+ - containerPort: 80
\ No newline at end of file
diff --git a/Istio/02-Traffic_management/__XX-TLS-PASSTHROUGH_BK_pcap_see_encrypted_traffic/gateway-02.yaml b/Istio/02-Traffic_management/__XX-TLS-PASSTHROUGH_BK_pcap_see_encrypted_traffic/gateway-02.yaml
new file mode 100755
index 0000000..5070950
--- /dev/null
+++ b/Istio/02-Traffic_management/__XX-TLS-PASSTHROUGH_BK_pcap_see_encrypted_traffic/gateway-02.yaml
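Review bot: Both workloads in deployment.yaml pull by mutable tag — `image: oriolfilter/https-apache-demo:armv7` with `imagePullPolicy: IfNotPresent`, and `image: nginx` with no tag at all (implicitly `latest`) — so what actually runs depends on whatever is cached on the node, and a retagged upstream image changes the demo silently. Pin at least the demo image by digest, `image: oriolfilter/https-apache-demo@sha256:<digest-from-registry>`, and give nginx an explicit tag. The Service exposes port 80 (`name: p1`) while the helloworld container only declares `containerPort: 443`; `containerPort` is informational so traffic still flows, but either declaring 80 on the container or dropping it from the Service keeps the advertised surface honest. Neither pod sets a `securityContext`; acceptable for a lab, but a one-line `# demo only, no hardening` comment would keep this from being copied into a real deployment.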
@@ -0,0 +1,36 @@
+#apiVersion: networking.istio.io/v1beta1
+#kind: Gateway
+#metadata:
+# name: helloworld-gateway
+#spec:
+# selector:
+# istio: ingressgateway
+# servers:
+# - hosts:
+# - "*"
+# port:
+# name: https
+# number: 443
+# protocol: HTTPS
+# tls:
+# mode: PASSTHROUGH
+#---
+#apiVersion: networking.istio.io/v1beta1
+#kind: VirtualService
+#metadata:
+# name: helloworld-vs
+#spec:
+# gateways:
+# - helloworld-gateway
+# hosts: ["lb.net","*.lb.net"]
+## http:
+## - route:
+## - destination:
+## host: helloworld.default.svc.cluster.local
+##spec:
+# tls:
+# - match:
+# - sniHosts: ["lb.net","*.lb.net"]
+# route:
+# - destination:
+# host: helloworld.default.svc.cluster.local
\ No newline at end of file
diff --git a/Istio/02-Traffic_management/__XX-TLS-PASSTHROUGH_BK_pcap_see_encrypted_traffic/gateway.yaml b/Istio/02-Traffic_management/__XX-TLS-PASSTHROUGH_BK_pcap_see_encrypted_traffic/gateway.yaml
new file mode 100755
index 0000000..210ef29
--- /dev/null
+++ b/Istio/02-Traffic_management/__XX-TLS-PASSTHROUGH_BK_pcap_see_encrypted_traffic/gateway.yaml
@@ -0,0 +1,85 @@
+apiVersion: networking.istio.io/v1alpha3
+kind: Gateway
+metadata:
+ name: helloworld-gateway
+spec:
+ selector:
+ # istio: myingressgateway
+ istio: ingressgateway
+ servers:
+ # - port:
+ # number: 443
+ # name: secure-http2
+ # protocol: HTTP2
+ # hosts:
+ # - "*"
+ - port:
+ number: 80
+ name: http2-i
+ protocol: HTTP2
+ hosts:
+ - "*"
+ - port:
+ number: 443
+ name: https-i
+ protocol: HTTPS
+ hosts:
+ - "*"
+ tls:
+ credentialName: my-tls-cert-secret
+ minProtocolVersion: TLSV1_2
+ #
+ mode: SIMPLE
+---
+apiVersion: networking.istio.io/v1alpha3
+kind: VirtualService
+metadata:
+ name: helloworld-vs
+spec:
+ hosts: ["lb.net"]
+ gateways:
+ - helloworld-gateway
+ http:
+ - name: http-vs
+ match:
+ - port: 80
+ route:
+ - destination:
+ host: helloworld.default.svc.cluster.local
+ port:
+ number: 80
+ - name: https-vs
+ match:
+ - port: 443
+ sniHosts: ["lb.net"]
+ route:
+ - destination:
+ host: helloworld.default.svc.cluster.local
+ port:
+ number: 443
+# tls:
+# - match:
+# - sniHosts: ["lb.net"]
+# route:
+# - destination:
+# host: helloworld.default.svc.cluster.local
+---
+apiVersion: networking.istio.io/v1alpha3
+kind: DestinationRule
+metadata:
+ name: helloworld
+ namespace: default
+spec:
+ host: helloworld.default.svc.cluster.local
+ trafficPolicy:
+ portLevelSettings:
+ - port:
+ number: 8080
+ tls:
+ mode: DISABLE
+#
+ - port:
+ number: 443
+ tls:
+ credentialName: client-credential
+ mode: DISABLE
\ No newline at end of file
diff --git a/Istio/02-Traffic_management/__XX-TLS-PASSTHROUGH_BK_pcap_see_encrypted_traffic/ingress.yaml b/Istio/02-Traffic_management/__XX-TLS-PASSTHROUGH_BK_pcap_see_encrypted_traffic/ingress.yaml
new file mode 100644
index 0000000..850c2eb
--- /dev/null
+++ b/Istio/02-Traffic_management/__XX-TLS-PASSTHROUGH_BK_pcap_see_encrypted_traffic/ingress.yaml
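Review bot: In the `https-vs` route, `sniHosts: ["lb.net"]` is placed under an `http.match` entry, but `sniHosts` is a TLS-route match attribute (`tls.match`), not an `HTTPMatchRequest` field, so the VirtualService will most likely be rejected by the validation webhook as an unknown field; to match the host on an HTTP route use `authority: { exact: lb.net }`, or move the SNI match into a `tls:` section as the commented block below it does. The DestinationRule entry for port 443 pairs `credentialName: client-credential` with `mode: DISABLE`, which is contradictory: `credentialName` only applies when the gateway originates TLS (`SIMPLE`/`MUTUAL`), and with `DISABLE` the gateway, having terminated TLS on its own 443 server (`mode: SIMPLE`), forwards plaintext HTTP to the backend's port 443 — consistent with the `wrong version number` curl error recorded in the README. If the backend on 443 speaks TLS, that entry needs `mode: SIMPLE` (plus `credentialName` only if the backend requires a client certificate). Note also that the Gateway selector is `istio: ingressgateway` while the `ingress.yaml` added in this commit labels the new gateway `istio: myingressgateway`, so this Gateway binds to the default ingress gateway rather than the one being installed.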
@@ -0,0 +1,29 @@
+apiVersion: install.istio.io/v1alpha1
+kind: IstioOperator
+metadata:
+ name: ingress
+spec:
+ profile: empty # Do not install CRDs or the control plane
+ components:
+ ingressGateways:
+ - name: myistio-ingressgateway
+ namespace: istio-ingress
+ enabled: true
+ label:
+ istio: myingressgateway
+ k8s:
+ service:
+ ports:
+ - name: https-ingress
+ port: 443
+ protocol: TCP
+ targetPort: 1055
+ - name: http-ingress
+ port: 80
+ protocol: TCP
+ targetPort: 1085
+
+ values:
+ gateways:
+ istio-ingressgateway:
+ injectionTemplate: gateway
diff --git a/Istio/02-Traffic_management/__XX-TLS-PASSTHROUGH_BK_pcap_see_encrypted_traffic/server.conf b/Istio/02-Traffic_management/__XX-TLS-PASSTHROUGH_BK_pcap_see_encrypted_traffic/server.conf
new file mode 100644
index 0000000..1b7c17a
--- /dev/null
+++ b/Istio/02-Traffic_management/__XX-TLS-PASSTHROUGH_BK_pcap_see_encrypted_traffic/server.conf
@@ -0,0 +1,37 @@
+server {
+ listen 80;
+# rewrite ^ https://$server_name$request_uri? permanent;
+
+ server_name lb.net;
+
+ access_log /var/log/nginx/access.log;
+ error_log /var/log/nginx/error.log info;
+
+ add_header Strict-Transport-Security "max-age=7200";
+
+ root /var/www/html;
+ index index.html;
+}
+
+server {
+ listen 443 ssl default_server http2;
+
+ ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3;
+
+ ssl_ciphers ALL:!aNULL:!ADH:!eNULL:!LOW:!EXP:RC4+RSA:+HIGH:+MEDIUM;
+
+ server_name lb.net;
+
+ access_log /var/log/nginx/access.log;
+ error_log /var/log/nginx/error.log info;
+
+ ssl on;
+ ssl_certificate /cert.crt;
+ ssl_certificate_key /cert.key;
+ ssl_session_timeout 5m;
+
+ add_header Strict-Transport-Security "max-age=7200";
+
+ root /var/www/html;
+ index index.html;
+}
\ No newline at end of file
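Review bot: The TLS server block in server.conf enables `ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3;` together with a cipher string that still admits RC4 (`RC4+RSA`) and `MEDIUM` suites; TLS 1.0/1.1 and RC4 are deprecated and no current client needs them, so they only widen what an outdated or downgraded client can negotiate. Use `ssl_protocols TLSv1.2 TLSv1.3;` and `ssl_ciphers HIGH:!aNULL:!MD5;` (nginx's default), which also matches the `minProtocolVersion: TLSV1_2` set on the Istio Gateway in this commit. `ssl on;` duplicates the `ssl` parameter already given on `listen 443` and is a deprecated directive, so it should simply be removed. The `Strict-Transport-Security` header in the port-80 block is ignored by browsers, since HSTS is only honoured over HTTPS; keep it in the 443 block only, and a short comment on the two-hour `max-age=7200` would make clear it is a lab value.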