diff --git a/Istio/01-Simple/06-hello_world_1_HTTPS-Service_Entry/README.md b/Istio/01-Simple/06-hello_world_1_HTTPS-Service_Entry/README.md new file mode 100755 index 0000000..69813e6 --- /dev/null +++ b/Istio/01-Simple/06-hello_world_1_HTTPS-Service_Entry/README.md @@ -0,0 +1,188 @@ +# Description + +This example configures an `ServiceEntry` service pointing to a URL external to our `Istio Service Mesh`. + +The main difference with the previous example, is that on this example the resource selected requires `HTTPS` communication. + +The page used as a destination is my own [GitHub page](https://github.com/). + +# Based on + +- [05-hello_world_1_Service_Entry](../05-hello_world_1_Service_Entry) + +# Configuration + +## ServiceEntry + +This `ServiceEntry` resource, defines as a destination the URL `github.com`. + +Note that location is set to `MESH_EXTERNAL` and that the resolution is set to `DNS`, this means that the resource is external to ou `Istio Service Mesh`, and the URL will be resolved through `DNS` + +This resource listens for the port `8443`, and will connect to its destination with the port `443`, intending to handle `HTTPS` protocol traffic. + +Bear in mind that when Istio is communicating with resources externals to the mesh, `mTLS` is disabled. + +Also, policy enforcement is performed in the client side instead of the server side. + +> **Note:**/ +> For more information regarding the `resolution` field or the `location` field, refer to the following official Istio documentations: +> [ServiceEntry.Location](https://istio.io/latest/docs/reference/config/networking/service-entry/#ServiceEntry-Location) +> [ServiceEntry.Resolution](https://istio.io/latest/docs/reference/config/networking/service-entry/#ServiceEntry-Resolution) + +```yaml +apiVersion: networking.istio.io/v1alpha3 +kind: ServiceEntry +metadata: + name: external-github-service +spec: + hosts: + - github.com + ports: + - number: 8443 + name: https + protocol: HTTPS + targetPort: 443 + resolution: DNS + location: MESH_EXTERNAL +``` + +## Gateway + +Listens for `HTTP` traffic at the port `80` without limiting to any host. + +```yaml +apiVersion: networking.istio.io/v1alpha3 +kind: Gateway +metadata: + name: helloworld-gateway +spec: + selector: + istio: ingressgateway # use istio default controller + servers: + - port: + number: 80 + name: http + protocol: HTTP + hosts: + - "*" +``` + + +## VirtualService + +The path `/external` will forward the request towards the destination URL `github.com`, and path `/OriolFilter`. + + +Highlight that the destination is `github.com`, which is the same as the contents set on the field `host` from the [ServiceEntry resource configured above](#serviceentry). + +As seen [in the previous example, where the host that didn't have the `HOST` header wasn't able to receive a response by the destination](../05-hello_world_1_Service_Entry/#external-noh), we configured the `HOST` header to match the URL from the external service. + +```yaml +apiVersion: networking.istio.io/v1alpha3 +kind: VirtualService +metadata: + name: helloworld-vs +spec: + hosts: + - "*" + gateways: + - helloworld-gateway + http: + - name: https-external-service + timeout: 3s + match: + - uri: + exact: "/external" + route: + - destination: + host: "github.com" + port: + number: 8443 + rewrite: + uri: "/OriolFilter/" + headers: + request: + set: + HOST: "github.com" +``` + +## DestinationRule + +As seen in the example [02-Traffic_management/09-HTTPS-backend](../../02-Traffic_management/09-HTTPS-backend), where we configure Istio to use an `HTTPS` backend, the same configuration is applied on this case (yes, I am aware that a `ServiceEntry` is also a backend). + +For such, we deploy a `DestinationRule` setting to expect to terminate the TLS traffic, for the traffic with resource destination `github.com`, and port `8443`, which matches the settings set in our [ServiceEntry](#serviceentry) deployed. + +```yaml +apiVersion: networking.istio.io/v1alpha3 +kind: DestinationRule +metadata: + name: github.com + namespace: default +spec: + host: github.com + trafficPolicy: + portLevelSettings: + - port: + number: 8443 + tls: + mode: SIMPLE +``` + +# Walkthrough + +## Deploy the resources + +```shell +kubectl apply -f ./ +``` +```text +serviceentry.networking.istio.io/external-github-service created +gateway.networking.istio.io/helloworld-gateway created +virtualservice.networking.istio.io/helloworld-vs created +destinationrule.networking.istio.io/github.com created +``` + +## Test the service + +### Get LB IP + +```shell +$ kubectl get svc -l istio=ingressgateway -A +``` +```text +NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE +istio-ingressgateway LoadBalancer 10.97.47.216 192.168.1.50 15021:31316/TCP,80:32012/TCP,443:32486/TCP 39h +``` + +### /external + +We can visualize the page contents without issues, nothing to highlight. + +```shell +curl 192.168.1.50/external +``` +```text +... +I mean, we can use curl but it's certainly quite an ugly output, it works tho. +... +``` + +As performing the test through `curl` is ugly, here is a screenshot of the setting working correctly. + +![github-screenshot.png](./src/github-screenshot.png) + +## Cleanup + +```shell +kubectl delete -f ./ +``` +```text +serviceentry.networking.istio.io "external-github-service" deleted +gateway.networking.istio.io "helloworld-gateway" deleted +virtualservice.networking.istio.io "helloworld-vs" deleted +destinationrule.networking.istio.io "github.com" deleted +``` + +# Links of interest: + +- https://istio.io/latest/docs/reference/config/networking/service-entry/#ServiceEntry-Location \ No newline at end of file diff --git a/Istio/01-Simple/06-hello_world_1_HTTPS-Service_Entry/ServiceEntry.yaml b/Istio/01-Simple/06-hello_world_1_HTTPS-Service_Entry/ServiceEntry.yaml new file mode 100644 index 0000000..5e19a86 --- /dev/null +++ b/Istio/01-Simple/06-hello_world_1_HTTPS-Service_Entry/ServiceEntry.yaml @@ -0,0 +1,14 @@ +apiVersion: networking.istio.io/v1alpha3 +kind: ServiceEntry +metadata: + name: external-github-service +spec: + hosts: + - github.com + ports: + - number: 8443 + name: https + protocol: HTTPS + targetPort: 443 + resolution: DNS + location: MESH_EXTERNAL \ No newline at end of file diff --git a/Istio/01-Simple/06-hello_world_1_HTTPS-Service_Entry/gateway.yaml b/Istio/01-Simple/06-hello_world_1_HTTPS-Service_Entry/gateway.yaml new file mode 100755 index 0000000..387584a --- /dev/null +++ b/Istio/01-Simple/06-hello_world_1_HTTPS-Service_Entry/gateway.yaml @@ -0,0 +1,55 @@ +apiVersion: networking.istio.io/v1alpha3 +kind: Gateway +metadata: + name: helloworld-gateway +spec: + selector: + istio: ingressgateway # use istio default controller + servers: + - port: + number: 80 + name: http + protocol: HTTP + hosts: + - "*" +--- +apiVersion: networking.istio.io/v1alpha3 +kind: VirtualService +metadata: + name: helloworld-vs +spec: + hosts: + - "*" + gateways: + - helloworld-gateway + http: + - name: https-external-service + timeout: 3s + match: + - uri: + exact: "/external" + route: + - destination: + host: "github.com" + port: + number: 8443 + rewrite: + uri: "/OriolFilter/" + headers: + request: + set: + HOST: "github.com" +--- +apiVersion: networking.istio.io/v1alpha3 +kind: DestinationRule +metadata: + name: github.com + namespace: default +spec: + host: github.com + trafficPolicy: + portLevelSettings: + - port: + number: 8443 + tls: + mode: SIMPLE \ No newline at end of file diff --git a/Istio/01-Simple/06-hello_world_1_HTTPS-Service_Entry/src/github-screenshot.png b/Istio/01-Simple/06-hello_world_1_HTTPS-Service_Entry/src/github-screenshot.png new file mode 100644 index 0000000..ebf30e6 Binary files /dev/null and b/Istio/01-Simple/06-hello_world_1_HTTPS-Service_Entry/src/github-screenshot.png differ