From be18d7695b06cf008f179b288d43481c3dcd5819 Mon Sep 17 00:00:00 2001 
From: savagebidoof Date: Tue, 25 Apr 2023 03:54:12 +0200 Subject: [PATCH] Reorganized the files a bit while I am documenting them. --- .gitignore | 1 - .../README.md | 0 .../deployment.yaml | 0 .../gateway.yaml | 0 .../README.md | 2 +- .../deployment.yaml | 0 .../gateway.yaml | 0 .../11-TLS-PASSTHROUGH/README.md | 239 +++++++++++++ .../authentication.yaml | 0 .../bk_old_nonworking_gateway.yaml | 0 .../deployment.yaml | 0 .../gateway-02.yaml | 0 .../gateway.yaml | 0 .../ingress.yaml | 0 .../__XX-TLS-PASSTHROUGH/README.md | 325 ------------------ 15 files changed, 240 insertions(+), 327 deletions(-) rename Istio/02-Traffic_management/{XX-HTTPS-backend => 09-HTTPS-backend (pending document)}/README.md (100%) rename Istio/02-Traffic_management/{XX-HTTPS-backend => 09-HTTPS-backend (pending document)}/deployment.yaml (100%) rename Istio/02-Traffic_management/{XX-HTTPS-backend => 09-HTTPS-backend (pending document)}/gateway.yaml (100%) rename Istio/02-Traffic_management/{09-TCP-FORWARDING => 10-TCP-FORWARDING}/README.md (98%) rename Istio/02-Traffic_management/{09-TCP-FORWARDING => 10-TCP-FORWARDING}/deployment.yaml (100%) rename Istio/02-Traffic_management/{09-TCP-FORWARDING => 10-TCP-FORWARDING}/gateway.yaml (100%) create mode 100644 Istio/02-Traffic_management/11-TLS-PASSTHROUGH/README.md rename Istio/02-Traffic_management/{__XX-TLS-PASSTHROUGH => 11-TLS-PASSTHROUGH}/authentication.yaml (100%) rename Istio/02-Traffic_management/{__XX-TLS-PASSTHROUGH => 11-TLS-PASSTHROUGH}/bk_old_nonworking_gateway.yaml (100%) rename Istio/02-Traffic_management/{__XX-TLS-PASSTHROUGH => 11-TLS-PASSTHROUGH}/deployment.yaml (100%) rename Istio/02-Traffic_management/{__XX-TLS-PASSTHROUGH => 11-TLS-PASSTHROUGH}/gateway-02.yaml (100%) rename Istio/02-Traffic_management/{__XX-TLS-PASSTHROUGH => 11-TLS-PASSTHROUGH}/gateway.yaml (100%) rename Istio/02-Traffic_management/{__XX-TLS-PASSTHROUGH => 11-TLS-PASSTHROUGH}/ingress.yaml (100%) delete mode 100644 
Istio/02-Traffic_management/__XX-TLS-PASSTHROUGH/README.md
diff --git a/.gitignore b/.gitignore
index 9cef47e..85e7c1d 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1,2 +1 @@
 /.idea/
-/Istio/02-Traffic_management/XX-HTTPS-backend/
diff --git a/Istio/02-Traffic_management/XX-HTTPS-backend/README.md b/Istio/02-Traffic_management/09-HTTPS-backend (pending document)/README.md
similarity index 100%
rename from Istio/02-Traffic_management/XX-HTTPS-backend/README.md
rename to Istio/02-Traffic_management/09-HTTPS-backend (pending document)/README.md
diff --git a/Istio/02-Traffic_management/XX-HTTPS-backend/deployment.yaml b/Istio/02-Traffic_management/09-HTTPS-backend (pending document)/deployment.yaml
similarity index 100%
rename from Istio/02-Traffic_management/XX-HTTPS-backend/deployment.yaml
rename to Istio/02-Traffic_management/09-HTTPS-backend (pending document)/deployment.yaml
diff --git a/Istio/02-Traffic_management/XX-HTTPS-backend/gateway.yaml b/Istio/02-Traffic_management/09-HTTPS-backend (pending document)/gateway.yaml
similarity index 100%
rename from Istio/02-Traffic_management/XX-HTTPS-backend/gateway.yaml
rename to Istio/02-Traffic_management/09-HTTPS-backend (pending document)/gateway.yaml
diff --git a/Istio/02-Traffic_management/09-TCP-FORWARDING/README.md b/Istio/02-Traffic_management/10-TCP-FORWARDING/README.md
similarity index 98%
rename from Istio/02-Traffic_management/09-TCP-FORWARDING/README.md
rename to Istio/02-Traffic_management/10-TCP-FORWARDING/README.md
index f16da84..10fc093 100644
--- a/Istio/02-Traffic_management/09-TCP-FORWARDING/README.md
+++ b/Istio/02-Traffic_management/10-TCP-FORWARDING/README.md
@@ -9,7 +9,7 @@ include_toc: true
 # Description
-The previous example was modified set TCP forwarding towards the backend.
+The previous example was modified to set TCP forwarding towards the backend (HTTP and HTTPS backend).
 The backend contains an HTTPS service, which is used to demonstrate how the TCP forwarding is working as intended (aka doesn't disturb HTTP traffic).
diff --git a/Istio/02-Traffic_management/09-TCP-FORWARDING/deployment.yaml b/Istio/02-Traffic_management/10-TCP-FORWARDING/deployment.yaml
similarity index 100%
rename from Istio/02-Traffic_management/09-TCP-FORWARDING/deployment.yaml
rename to Istio/02-Traffic_management/10-TCP-FORWARDING/deployment.yaml
diff --git a/Istio/02-Traffic_management/09-TCP-FORWARDING/gateway.yaml b/Istio/02-Traffic_management/10-TCP-FORWARDING/gateway.yaml
similarity index 100%
rename from Istio/02-Traffic_management/09-TCP-FORWARDING/gateway.yaml
rename to Istio/02-Traffic_management/10-TCP-FORWARDING/gateway.yaml
diff --git a/Istio/02-Traffic_management/11-TLS-PASSTHROUGH/README.md b/Istio/02-Traffic_management/11-TLS-PASSTHROUGH/README.md
new file mode 100644
index 0000000..9a7e81b
--- /dev/null
+++ b/Istio/02-Traffic_management/11-TLS-PASSTHROUGH/README.md
@@ -0,0 +1,239 @@ +--- +gitea: none +include_toc: true +--- + +# Based on + +- [10-TCP-FORWARDING](../10-TCP-FORWARDING) + +# Description + +The previous example was modified set TCP forwarding towards the backend. + +The backend contains an HTTPS service, which is used to demonstrate how the TCP forwarding is working as intended (aka doesn't disturb HTTP traffic). + +The same backend also contains the same service but running as HTTP, and for such has also been set in the gateway to display both working as intended. + +Additionally, the backend used, has HTTP2 enable, which also will be used to confirm that it's working as intended. + +> **Note:**\ +> For more information about the image used refer to [here](https://hub.docker.com/r/oriolfilter/https-apache-demo) + +# Configuration + +## Gateway + +Gateway been configured to listen both ports `80` and `443` through the TCP protocol, without any host specified. + +```yaml +apiVersion: networking.istio.io/v1alpha3 +kind: Gateway +metadata: + name: helloworld-gateway +spec: + selector: + istio: ingressgateway + servers: + - port: + number: 80 + name: tcp-1 + protocol: TCP + hosts: + - "*" + - port: + number: 443 + name: tcp-2 + protocol: TCP + hosts: + - "*" +``` + +## Virtual service + +Virtual service have 2 rules that perform the same behavior, on different ports. + +The rules will receive the traffic and forward it to the destination service and port. + +```yaml +apiVersion: networking.istio.io/v1alpha3 +kind: VirtualService +metadata: + name: helloworld-vs +spec: + hosts: + - "*" + gateways: + - helloworld-gateway + tcp: + - match: + - port: 80 + route: + - destination: + host: helloworld.default.svc.cluster.local + port: + number: 8080 + - match: + - port: 443 + route: + - destination: + host: helloworld.default.svc.cluster.local + port: + number: 8443 +``` + +## Service + +The service will forward the incoming TCP traffic with port 8080, to the deployment port 80. 
+The same behavior is applied for the service port 8443, that will be forwarded towards the port 443 from the deployment. + +```yaml +apiVersion: v1 +kind: Service +metadata: + name: helloworld + labels: + app: helloworld + service: helloworld +spec: + ports: + - port: 8080 + name: http-web + targetPort: 80 + protocol: TCP + - port: 8443 + name: https-web + targetPort: 443 + protocol: TCP + selector: + app: helloworld +``` + +## Deployment + +Deployment listens to port 80 and 443. + +> **Note:**\ +> For more information about the image used refer to [here](https://hub.docker.com/r/oriolfilter/https-apache-demo) + +```yaml +apiVersion: apps/v1 +kind: Deployment +metadata: + name: helloworld-nginx + labels: + app: helloworld +spec: + replicas: 1 + selector: + matchLabels: + app: helloworld + template: + metadata: + labels: + app: helloworld + spec: + containers: + - name: helloworld + image: oriolfilter/https-nginx-demo + resources: + requests: + cpu: "100m" + imagePullPolicy: IfNotPresent + ports: + - containerPort: 80 + - containerPort: 443 +``` + +# Walkthrough + +## Deploy resources + +```shell +kubectl apply -f ./ +``` +```text +service/helloworld created +deployment.apps/helloworld-nginx created +gateway.networking.istio.io/helloworld-gateway created +virtualservice.networking.istio.io/helloworld-vs created +``` + +## Test the service + +### Get LB IP + +```shell +$ kubectl get svc -l istio=ingressgateway -A +NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE +istio-ingressgateway LoadBalancer 10.97.47.216 192.168.1.50 15021:31316/TCP,80:32012/TCP,443:32486/TCP 39h +``` + +### curl HTTP + +```shell +curl http://192.168.1.50 -s -o=/dev/null -w 'http_version: %{http_version}\nstatus_code: %{response_code}\n' +``` +```text +http_version: 1.1 +status_code: 426 +``` + +#### curl HTTPS + +This already confirms that `HTTP2` is working as intended. 
+
+```shell
+curl https://192.168.1.50 -ks -o=/dev/null -w 'http_version: %{http_version}\nstatus_code: %{response_code}\n' --http1.1
+```
+```text
+http_version: 2
+status_code: 200
+```
+
+#### Curl HTTP2
+
+The previous example already displayed that `HTTP2` is working as intended.
+
+This example is maintained due being explicitly to confirm the `HTTP2` feature.
+
+```shell
+curl https://192.168.1.50 -w 'http_version: %{http_version}\nstatus_code: %{response_code}\n' --http2 -sk -o=/dev/null
+```
+```text
+http_version: 2
+status_code: 200
+```
+
+#### Curl HTTP1.1
+
+We can confirm that `HTTP1.1` also works over `TCP forwarding`.
+
+```shell
+curl https://192.168.1.50 -w 'http_version: %{http_version}\nstatus_code: %{response_code}\n' --http1.1 -sk -o=/dev/null
+```
+```text
+http_version: 1.1
+status_code: 200
+```
+
+## Cleanup
+
+```shell
+kubectl delete -f ./
+```
+
+```text
+service "helloworld" deleted
+deployment.apps "helloworld-nginx" deleted
+gateway.networking.istio.io "helloworld-gateway" deleted
+virtualservice.networking.istio.io "helloworld-vs" deleted
+```
+
+# Links of Interest
+
+- https://istio.io/latest/docs/reference/config/networking/gateway/#ServerTLSSettings-TLSProtocol
+
+- https://stackoverflow.com/a/51279606
+
+- https://istio.io/latest/docs/reference/config/networking/destination-rule/#ConnectionPoolSettings-HTTPSettings-H2UpgradePolicy
diff --git a/Istio/02-Traffic_management/__XX-TLS-PASSTHROUGH/authentication.yaml b/Istio/02-Traffic_management/11-TLS-PASSTHROUGH/authentication.yaml
similarity index 100%
rename from Istio/02-Traffic_management/__XX-TLS-PASSTHROUGH/authentication.yaml
rename to Istio/02-Traffic_management/11-TLS-PASSTHROUGH/authentication.yaml
diff --git a/Istio/02-Traffic_management/__XX-TLS-PASSTHROUGH/bk_old_nonworking_gateway.yaml b/Istio/02-Traffic_management/11-TLS-PASSTHROUGH/bk_old_nonworking_gateway.yaml
similarity index 100%
rename from Istio/02-Traffic_management/__XX-TLS-PASSTHROUGH/bk_old_nonworking_gateway.yaml
rename to Istio/02-Traffic_management/11-TLS-PASSTHROUGH/bk_old_nonworking_gateway.yaml
diff --git a/Istio/02-Traffic_management/__XX-TLS-PASSTHROUGH/deployment.yaml b/Istio/02-Traffic_management/11-TLS-PASSTHROUGH/deployment.yaml
similarity index 100%
rename from Istio/02-Traffic_management/__XX-TLS-PASSTHROUGH/deployment.yaml
rename to Istio/02-Traffic_management/11-TLS-PASSTHROUGH/deployment.yaml
diff --git a/Istio/02-Traffic_management/__XX-TLS-PASSTHROUGH/gateway-02.yaml b/Istio/02-Traffic_management/11-TLS-PASSTHROUGH/gateway-02.yaml
similarity index 100%
rename from Istio/02-Traffic_management/__XX-TLS-PASSTHROUGH/gateway-02.yaml
rename to Istio/02-Traffic_management/11-TLS-PASSTHROUGH/gateway-02.yaml
diff --git a/Istio/02-Traffic_management/__XX-TLS-PASSTHROUGH/gateway.yaml b/Istio/02-Traffic_management/11-TLS-PASSTHROUGH/gateway.yaml
similarity index 100%
rename from Istio/02-Traffic_management/__XX-TLS-PASSTHROUGH/gateway.yaml
rename to Istio/02-Traffic_management/11-TLS-PASSTHROUGH/gateway.yaml
diff --git a/Istio/02-Traffic_management/__XX-TLS-PASSTHROUGH/ingress.yaml b/Istio/02-Traffic_management/11-TLS-PASSTHROUGH/ingress.yaml
similarity index 100%
rename from Istio/02-Traffic_management/__XX-TLS-PASSTHROUGH/ingress.yaml
rename to Istio/02-Traffic_management/11-TLS-PASSTHROUGH/ingress.yaml
diff --git a/Istio/02-Traffic_management/__XX-TLS-PASSTHROUGH/README.md b/Istio/02-Traffic_management/__XX-TLS-PASSTHROUGH/README.md
deleted file mode 100644
index 611f8be..0000000
--- a/Istio/02-Traffic_management/__XX-TLS-PASSTHROUGH/README.md
+++ /dev/null
@@ -1,325 +0,0 @@ ---- -gitea: none -include_toc: true ---- - -# Based on - -- [08a-HTTPS-min-TLS-version](../08a-HTTPS-min-TLS-version) - -# Description - -The previous example was modified set the gateway to enable for HTTP2 traffic. - -https://stackoverflow.com/a/59610581 - - -# Changelog - -## Gateway - -```yaml -apiVersion: networking.istio.io/v1alpha3 -kind: Gateway -metadata: - name: helloworld-gateway -spec: - selector: - istio: ingressgateway - servers: - - port: - number: 443 - name: secure-http2 - protocol: HTTP2 - hosts: - - "*" - tls: - mode: SIMPLE - credentialName: my-tls-cert-secret - minProtocolVersion: TLSV1_2 -``` - -`` - -# Walkthrough - - -## Generate client and server certificate and key files - -First step will be to generate the certificate and key files to be able to set them to the Gateway resource. - -### Create a folder to store files. - -Create the folder to contain the files that will be generated. - -```shell -mkdir certfolder -``` - -### Create a certificate and a private key. - -```shell -openssl req -x509 -sha256 -nodes -days 365 -subj '/O=Internet of things/CN=lb.net' -newkey rsa:2048 -keyout certfolder/istio.cert.key -out certfolder/istio.cert.crt -``` - -The files generated are the following: - -```yaml -private-key: certfolder/istio.cert.key -root-certificate: certfolder/istio.cert.crt -``` - -The information set to the certificate generated is the following: - -```yaml -Organization-name: Internet of things -CN: lb.net -``` - -### Create a TLS secret - -At this step we create the tls secret `my-tls-cert-secret` on the namespace `istio-system`. 
- -```shell -kubectl create -n istio-system secret tls my-tls-cert-secret \ - --key=certfolder/istio.cert.key \ - --cert=certfolder/istio.cert.crt -``` -```text -secret/my-tls-cert-secret created -``` -```text -service/helloworld created -deployment.apps/helloworld-nginx created -gateway.networking.istio.io/helloworld-gateway created -virtualservice.networking.istio.io/helloworld-vs created -``` - -> **Note:**\ -> It's Important that the secret is located in the same namespace as the Load Balancer used. In my case is the `istio-system`, but it will vary based on the environment. - - -## Deploy resources - -```shell -kubectl apply -f ./ -``` -```text -service/helloworld created -deployment.apps/helloworld-nginx created -gateway.networking.istio.io/helloworld-gateway created -virtualservice.networking.istio.io/helloworld-vs created -``` - -## Test the service -### http2 -#### Curl HTTP1 - -```shell -curl 192.168.1.50/helloworld -s -o=/dev/null -w 'http_version: %{http_version}\nstatus_code: %{response_code}\n' -HHOST:http2.lb --http1.0 -``` -```text -http_version: 1.1 -status_code: 426 -``` - -#### Curl HTTP1.1 - -```shell -curl 192.168.1.50/helloworld -s -o=/dev/null -w 'http_version: %{http_version}\nstatus_code: %{response_code}\n' -HHOST:http2.lb --http1.1 -``` -```text -http_version: 1.1 -status_code: 200 -``` - -#### Curl HTTP2 - -```shell -curl 192.168.1.50/helloworld -s -o=/dev/null -w 'http_version: %{http_version}\nstatus_code: %{response_code}\n' -HHOST:http2.lb --http2 -``` -```text -http_version: 1.1 -status_code: 200 -``` - -### http1-web - -#### Curl HTTP1 - -```shell -curl 192.168.1.50/helloworld -s -o=/dev/null -w 'http_version: %{http_version}\nstatus_code: %{response_code}\n' -HHOST:http1.lb --http1.0 -``` -```text -http_version: 1.1 -status_code: 426 -``` - -#### Curl HTTP1.1 - -```shell -curl 192.168.1.50/helloworld -s -o=/dev/null -w 'http_version: %{http_version}\nstatus_code: %{response_code}\n' -HHOST:http1.lb --http1.1 -``` -```text 
-http_version: 1.1 -status_code: 200 -``` - -#### Curl HTTP2 - -```shell -curl 192.168.1.50/helloworld -s -o=/dev/null -w 'http_version: %{http_version}\nstatus_code: %{response_code}\n' -HHOST:http1.lb --http2 -``` -```text -http_version: 1.1 -status_code: 200 -``` - -## Cleanup - -```shell -kubectl delete -f ./ -``` - -```text -service "helloworld" deleted -deployment.apps "helloworld-nginx" deleted -gateway.networking.istio.io "helloworld-gateway" deleted -virtualservice.networking.istio.io "helloworld-vs" deleted -``` - -# Links of Interest - -- https://istio.io/latest/docs/reference/config/networking/gateway/#ServerTLSSettings-TLSProtocol - -- https://stackoverflow.com/a/51279606 - -- https://istio.io/latest/docs/reference/config/networking/destination-rule/#ConnectionPoolSettings-HTTPSettings-H2UpgradePolicy - - - -docker buildx build --push --platform linux/arm/v7,linux/arm64/v8,linux/amd64 --tag registery.filter.home:5000/https-demo:latest -f Dockerfile - - -docker buildx build --push --platform linux/arm/v7,linux/arm64/v8,linux/amd64 --tag registery.filter.home:5000/https-demo:latest . -[+] Building 0.0s (0/0) -ERROR: multiple platforms feature is currently not supported for docker driver. Please switch to a different driver (eg. "docker buildx create --use") - ---- -## Create the Dockerfile - -```bash -FROM ubuntu/apache2 - -RUN apt-get update && \ -apt-get install apache2 openssl -y && \ -a2ensite default-ssl && \ -a2enmod ssl && \ -echo "

Howdy

" | tee /var/www/html/index.html - -RUN /usr/bin/printf "\n\ - ServerAdmin webmaster@localhost\n\ - DocumentRoot /var/www/html\n\ - ErrorLog \${APACHE_LOG_DIR}/error.log\n\ - CustomLog \${APACHE_LOG_DIR}/access.log combined\n\ -\n\ -\n\ - ServerAdmin webmaster@localhost\n\ - DocumentRoot /var/www/html\n\ - ErrorLog \${APACHE_LOG_DIR}/error.log\n\ - CustomLog \${APACHE_LOG_DIR}/access.log combined\n\ - SSLEngine on\n\ - SSLCertificateFile /etc/ssl/certs/ssl-cert-snakeoil.pem\n\ - SSLCertificateKeyFile /etc/ssl/private/ssl-cert-snakeoil.key\n\ -" > /etc/apache2/sites-available/000-default.conf - -RUN openssl req -x509 -sha256 -nodes -days 358000 -subj '/O=SSL EXAMPLE/CN=lb.net' -newkey rsa:2048 -keyout /etc/ssl/private/ssl-cert-snakeoil.key -out /etc/ssl/certs/ssl-cert-snakeoil.pem -``` - -## Build the image - -Due to my Kubernetes cluster environment, where I am using Orange 5, their architecture is arm7, and for such, I require to compile such images. - -For my own commodity, I have used a raspberry pi 4 to build this images. - -The images where pushed to a local registry server, and afterwards the Kubernetes cluster will pull such image. - -```shell - docker build --tag https-demo:armv7 . -``` -```text -docker build --tag https-demo:armv7 . 
--no-cache -[+] Building 16.5s (8/8) FINISHED - => [internal] load .dockerignore 0.0s - => => transferring context: 2B 0.0s - => [internal] load build definition from Dockerfile 0.0s - => => transferring dockerfile: 1.09kB 0.0s - => [internal] load metadata for docker.io/ubuntu/apache2:latest 0.4s - => CACHED [1/4] FROM docker.io/ubuntu/apache2@sha256:0a5e7179fa8fccf17843a8862e58ac783628b7d448cd68fda8fb1e 0.0s - => [2/4] RUN apt-get update && apt-get install apache2 openssl -y && a2ensite default-ssl && a2enmod ssl & 12.0s - => [3/4] RUN /usr/bin/printf "\n ServerAdmin webmaster@localhost\n DocumentRoot /var/www/ 0.7s - => [4/4] RUN openssl req -x509 -sha256 -nodes -days 358000 -subj '/O=SSL EXAMPLE' -newkey rsa:2048 -keyout 2.4s - => exporting to image 1.0s - => => exporting layers 1.0s - => => writing image sha256:591c6d233100a48bf132eef7a792942cfd0b7057817c4ac5e156c1d33e24cd89 0.0s - => => naming to docker.io/library/https-demo:armv7 0.0s -``` - -## Tag the image - -```shell -docker image tag https-demo:armv7 registery.filter.home/https-demo:armv7 -``` - -## Upload to the registery server - -```text -docker image push registery.filter.home:5000/https-demo:armv7 -The push refers to repository [registery.filter.home:5000/https-demo] -c6d858706b08: Pushed -9e077e0202f0: Pushed -6ffc708d0cf3: Pushed -69e01b4bf4d7: Pushed -17c5b30f3843: Pushed -0b9f60fbcaf1: Pushed -armv7: digest: sha256:d8c81c27f23bf3945ae8a794c82182f9e6c48ec927f388fdf4a88caa0e284bd1 size: 1578 -``` - - - -## ? -curl: (35) OpenSSL/3.0.8: error:0A00010B:SSL routines::wrong version numbe - - - - - ---- - - -Has apache2 installed with a default certificate. - -Port 80 visible for HTTP - -Port 443 visible for HTTPS. 
- - - - -curl https://192.168.1.2:8443 -s -o=/dev/null -w 'http_version: %{http_version}\nstatus_code: %{response_code}\n' -HHOST:http1.lb --http2 -k -http_version: 2 -status_code: 200 - -# Recv failure: Connection reset by peer - -```shell -kubectl apply -f ./ -``` - -```shell -curl --insecure --resolve lb.net:80:192.168.1.50 http://lb.net -``` - -```shell -curl --insecure --resolve lb.net:443:192.168.1.50 https://lb.net -```