From dd3dcdbdf354b8229a1d621274d4f4ed33538122 Mon Sep 17 00:00:00 2001 From: savagebidoof Date: Sun, 23 Apr 2023 02:24:45 +0200 Subject: [PATCH 1/8] set note --- PLACEHOLDER.md | 8 +++++++- 1 file changed, 7 insertions(+), 1 deletion(-) diff --git a/PLACEHOLDER.md b/PLACEHOLDER.md index 1eab1fa..46a9440 100644 --- a/PLACEHOLDER.md +++ b/PLACEHOLDER.md @@ -14,4 +14,10 @@ graph LR B --> NO --> D[Google] B --> YES --> C[GREAT!] D --> A -``` \ No newline at end of file +``` + + +> NOTE:\ +> Gitea has support for mermaid.\ +> Doesn't have support for puml.\ +> (obv talking about default behavior) \ No newline at end of file From ee0c95e56d81efaf35806c414b6b144e71119d6f Mon Sep 17 00:00:00 2001 From: savagebidoof Date: Sun, 23 Apr 2023 07:09:22 +0200 Subject: [PATCH 2/8] Did the TLS gateway example. Somewhat filled the troubleshooting documentation for a bit. --- Istio/00-Troubleshooting/README.md | 280 ++++++++---------- .../07-HTTPS-Gateway-Simple-TLS/README.md | 174 +++++++++++ .../deployment.yaml | 39 +++ .../07-HTTPS-Gateway-Simple-TLS/gateway.yaml | 38 +++ Istio/02-Traffic_management/README.md | 18 -- Istio/README.md | 31 +- .../01-namespace.yaml | 0 .../README.md | 0 .../ingress.yaml | 0 9 files changed, 375 insertions(+), 205 deletions(-) create mode 100644 Istio/02-Traffic_management/07-HTTPS-Gateway-Simple-TLS/README.md create mode 100755 Istio/02-Traffic_management/07-HTTPS-Gateway-Simple-TLS/deployment.yaml create mode 100755 Istio/02-Traffic_management/07-HTTPS-Gateway-Simple-TLS/gateway.yaml rename Istio/__Ingress/{ => 01-Create-Istio-LoadBalancer}/01-namespace.yaml (100%) rename Istio/__Ingress/{ => 01-Create-Istio-LoadBalancer}/README.md (100%) rename Istio/__Ingress/{ => 01-Create-Istio-LoadBalancer}/ingress.yaml (100%) diff --git a/Istio/00-Troubleshooting/README.md b/Istio/00-Troubleshooting/README.md index 124cc39..75ab419 100644 --- a/Istio/00-Troubleshooting/README.md +++ b/Istio/00-Troubleshooting/README.md 
@@ -1,142 +1,127 @@ IDK put some text in there +# Istioctl analyze -### Start the packet capture process on the istio-proxy from a pod. +`istioctl analyze` reviews the current configuration set. + +Can be helpful to spot some improvements on the current configurations set, as well of the possibility of displaying misconfigurations / lack of them that might be causing issues. + +```shell +istioctl analyze +``` +```text +✔ No validation issues found when analyzing namespace: default. +``` + +By using the flag -A, it will review from all namespaces + +```shell +istioctl analyze -A +``` +```text +Info [IST0102] (Namespace istio-operator) The namespace is not enabled for Istio injection. Run 'kubectl label namespace istio-operator istio-injection=enabled' to enable it, or 'kubectl label namespace istio-operator istio-injection=disabled' to explicitly mark it as not needing injection. +Info [IST0118] (Service istio-system/grafana) Port name service (port: 3000, targetPort: 3000) doesn't follow the naming convention of Istio port. +Info [IST0118] (Service istio-system/jaeger-collector) Port name jaeger-collector-grpc (port: 14250, targetPort: 14250) doesn't follow the naming convention of Istio port. +Info [IST0118] (Service istio-system/jaeger-collector) Port name jaeger-collector-http (port: 14268, targetPort: 14268) doesn't follow the naming convention of Istio port. +``` + +One can specify/target a single namespace by using the flag `-n` + +```shell +istioctl analyze -n istio-operator +``` +```text +Info [IST0102] (Namespace istio-operator) The namespace is not enabled for Istio injection. Run 'kubectl label namespace istio-operator istio-injection=enabled' to enable it, or 'kubectl label namespace istio-operator istio-injection=disabled' to explicitly mark it as not needing injection. +``` + +# Start the packet capture process on the istio-proxy container from a pod. + +Target a pod and start a packet capture on the istio-proxy container. 
```shell $ kubectl exec -n default "$(kubectl get pod -n default -l app=helloworld -o jsonpath={.items..metadata.name})" -c istio-proxy -- sudo tcpdump dst port 80 -A tcpdump: verbose output suppressed, use -v[v]... for full protocol decode listening on eth0, link-type EN10MB (Ethernet), snapshot length 262144 bytes +... ``` -### Logs +# Logs -Istio system logs +> **Note:**\ +> Remember that you can use the command `watch` or `watch -n 5` (where 5 refers every 5 seconds) in case of being interested on execute this commands periodically. + +## Istiod ```shell -kubectl logs -f deployments/istiod -n istio-system +kubectl logs -n istio-system -f deployments/istiod ``` +## Ingress - -## Istioctl proxy-config - +The service targeted, `istio-ingressgateway`, is an Ingress Load Balancer service from Istio. ```shell -istioctl proxy-config all helloworld-nginx-5d99f88767-cwcmd +kubectl logs -n istio-system services/istio-ingressgateway ``` -```txt -SERVICE FQDN PORT SUBSET DIRECTION TYPE DESTINATION RULE - 80 - inbound ORIGINAL_DST -BlackHoleCluster - - - STATIC -InboundPassthroughClusterIpv4 - - - ORIGINAL_DST -PassthroughCluster - - - ORIGINAL_DST -agent - - - STATIC -byeworld.foo.svc.cluster.local 9090 - outbound EDS -grafana.istio-system.svc.cluster.local 3000 - outbound EDS -helloworld.default.svc.cluster.local 8080 - outbound EDS -istio-ingressgateway.istio-system.svc.cluster.local 80 - outbound EDS -istio-ingressgateway.istio-system.svc.cluster.local 443 - outbound EDS -istio-ingressgateway.istio-system.svc.cluster.local 15021 - outbound EDS -istiod.istio-system.svc.cluster.local 443 - outbound EDS -istiod.istio-system.svc.cluster.local 15010 - outbound EDS -istiod.istio-system.svc.cluster.local 15012 - outbound EDS -istiod.istio-system.svc.cluster.local 15014 - outbound EDS -jaeger-collector.istio-system.svc.cluster.local 9411 - outbound EDS -jaeger-collector.istio-system.svc.cluster.local 14250 - outbound EDS -jaeger-collector.istio-system.svc.cluster.local 14268 - 
outbound EDS -kiali.istio-system.svc.cluster.local 9090 - outbound EDS -kiali.istio-system.svc.cluster.local 20001 - outbound EDS -kube-dns.kube-system.svc.cluster.local 53 - outbound EDS -kube-dns.kube-system.svc.cluster.local 9153 - outbound EDS -kubernetes.default.svc.cluster.local 443 - outbound EDS -myistio-ingressgateway.istio-ingress.svc.cluster.local 80 - outbound EDS -myistio-ingressgateway.istio-ingress.svc.cluster.local 443 - outbound EDS -myistio-ingressgateway.istio-ingress.svc.cluster.local 15021 - outbound EDS -prometheus.istio-system.svc.cluster.local 9090 - outbound EDS -prometheus_stats - - - STATIC -sds-grpc - - - STATIC -tracing.istio-system.svc.cluster.local 80 - outbound EDS -tracing.istio-system.svc.cluster.local 16685 - outbound EDS -xds-grpc - - - STATIC -zipkin - - - STRICT_DNS -zipkin.istio-system.svc.cluster.local 9411 - outbound EDS +#### Invalid TLS context has neither subject CN nor SAN names -ADDRESS PORT MATCH DESTINATION -10.96.0.10 53 ALL Cluster: outbound|53||kube-dns.kube-system.svc.cluster.local -0.0.0.0 80 Trans: raw_buffer; App: http/1.1,h2c Route: 80 -0.0.0.0 80 ALL PassthroughCluster -10.102.38.206 443 ALL Cluster: outbound|443||myistio-ingressgateway.istio-ingress.svc.cluster.local -10.109.184.232 443 ALL Cluster: outbound|443||istiod.istio-system.svc.cluster.local -10.96.0.1 443 ALL Cluster: outbound|443||kubernetes.default.svc.cluster.local -10.96.248.46 443 ALL Cluster: outbound|443||istio-ingressgateway.istio-system.svc.cluster.local -10.98.124.246 3000 Trans: raw_buffer; App: http/1.1,h2c Route: grafana.istio-system.svc.cluster.local:3000 -10.98.124.246 3000 ALL Cluster: outbound|3000||grafana.istio-system.svc.cluster.local -0.0.0.0 8080 Trans: raw_buffer; App: http/1.1,h2c Route: 8080 -0.0.0.0 8080 ALL PassthroughCluster -0.0.0.0 9090 Trans: raw_buffer; App: http/1.1,h2c Route: 9090 -0.0.0.0 9090 ALL PassthroughCluster -10.96.0.10 9153 Trans: raw_buffer; App: http/1.1,h2c Route: 
kube-dns.kube-system.svc.cluster.local:9153 -10.96.0.10 9153 ALL Cluster: outbound|9153||kube-dns.kube-system.svc.cluster.local -0.0.0.0 9411 Trans: raw_buffer; App: http/1.1,h2c Route: 9411 -0.0.0.0 9411 ALL PassthroughCluster -10.100.204.154 14250 Trans: raw_buffer; App: http/1.1,h2c Route: jaeger-collector.istio-system.svc.cluster.local:14250 -10.100.204.154 14250 ALL Cluster: outbound|14250||jaeger-collector.istio-system.svc.cluster.local -10.100.204.154 14268 Trans: raw_buffer; App: http/1.1,h2c Route: jaeger-collector.istio-system.svc.cluster.local:14268 -10.100.204.154 14268 ALL Cluster: outbound|14268||jaeger-collector.istio-system.svc.cluster.local -0.0.0.0 15001 ALL PassthroughCluster -0.0.0.0 15001 Addr: *:15001 Non-HTTP/Non-TCP -0.0.0.0 15006 Addr: *:15006 Non-HTTP/Non-TCP -0.0.0.0 15006 Trans: tls; App: istio-http/1.0,istio-http/1.1,istio-h2; Addr: 0.0.0.0/0 InboundPassthroughClusterIpv4 -0.0.0.0 15006 Trans: tls; Addr: 0.0.0.0/0 InboundPassthroughClusterIpv4 -0.0.0.0 15006 Trans: tls; Addr: *:80 Cluster: inbound|80|| -0.0.0.0 15010 Trans: raw_buffer; App: http/1.1,h2c Route: 15010 -0.0.0.0 15010 ALL PassthroughCluster -10.109.184.232 15012 ALL Cluster: outbound|15012||istiod.istio-system.svc.cluster.local -0.0.0.0 15014 Trans: raw_buffer; App: http/1.1,h2c Route: 15014 -0.0.0.0 15014 ALL PassthroughCluster -0.0.0.0 15021 ALL Inline Route: /healthz/ready* -10.102.38.206 15021 Trans: raw_buffer; App: http/1.1,h2c Route: myistio-ingressgateway.istio-ingress.svc.cluster.local:15021 -10.102.38.206 15021 ALL Cluster: outbound|15021||myistio-ingressgateway.istio-ingress.svc.cluster.local -10.96.248.46 15021 Trans: raw_buffer; App: http/1.1,h2c Route: istio-ingressgateway.istio-system.svc.cluster.local:15021 -10.96.248.46 15021 ALL Cluster: outbound|15021||istio-ingressgateway.istio-system.svc.cluster.local -0.0.0.0 15090 ALL Inline Route: /stats/prometheus* -0.0.0.0 16685 Trans: raw_buffer; App: http/1.1,h2c Route: 16685 -0.0.0.0 16685 ALL PassthroughCluster 
-0.0.0.0 20001 Trans: raw_buffer; App: http/1.1,h2c Route: 20001 -0.0.0.0 20001 ALL PassthroughCluster +The TLS certificate specified don't have the field CN or the field SAN. -NAME DOMAINS MATCH VIRTUAL SERVICE -myistio-ingressgateway.istio-ingress.svc.cluster.local:15021 * /* -8080 helloworld, helloworld.default + 1 more... /* -kube-dns.kube-system.svc.cluster.local:9153 * /* -80 istio-ingressgateway.istio-system, 10.96.248.46 /* -80 myistio-ingressgateway.istio-ingress, 10.102.38.206 /* -80 tracing.istio-system, 10.103.51.183 /* -jaeger-collector.istio-system.svc.cluster.local:14250 * /* -grafana.istio-system.svc.cluster.local:3000 * /* -istio-ingressgateway.istio-system.svc.cluster.local:15021 * /* - * /stats/prometheus* -InboundPassthroughClusterIpv4 * /* - * /healthz/ready* -inbound|80|| * /* -jaeger-collector.istio-system.svc.cluster.local:14268 * /* -9090 byeworld.foo, 10.103.187.190 /* -9090 kiali.istio-system, 10.104.141.120 /* -9090 prometheus.istio-system, 10.107.129.0 /* -9411 jaeger-collector.istio-system, 10.100.204.154 /* -9411 zipkin.istio-system, 10.104.238.43 /* -15010 istiod.istio-system, 10.109.184.232 /* -15014 istiod.istio-system, 10.109.184.232 /* -16685 tracing.istio-system, 10.103.51.183 /* -20001 kiali.istio-system, 10.104.141.120 /* +To address this issue, issue a new certificate that has at least one of those fields. -RESOURCE NAME TYPE STATUS VALID CERT SERIAL NUMBER NOT AFTER NOT BEFORE -default Cert Chain ACTIVE true 224526398421470636195992462181330755939 2023-04-23T23:57:50Z 2023-04-22T23:55:50Z -ROOTCA CA ACTIVE true 3144612513681150263454419199256531619 2033-04-17T19:15:16Z 2023-04-20T19:15:16Z +#### initial fetch timed out for type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.Secretthread + +This is due not being able to retrieve the TLS configuration assigned to the gateway. + +It's Important that the secret is located in the same namespace as the Istio Load Balancer used. 
In my case is the `istio-system`, but it will vary based on the environment. + +# Istioctl proxy-config + +## Check listeners + +Useful to review which is the configuration assigned to an Istio ingress. / Confirm if the configuration we are intending to deploy is being applied / learned. + +### Get Istio ingress pod name + +> **Note:**\ +> Depending on the ingress gateway set, and your environment, it could be that the Load Balancer is not located in the namespace `istio-system`. + +```shell +kubectl get pods -n istio-system ``` +```text +NAME READY STATUS RESTARTS AGE +grafana-6cb5b7fbb8-2nlp6 1/1 Running 0 2d3h +istio-ingressgateway-864db96c47-nvjc7 1/1 Running 0 20h +istiod-649d466b9-bwx7j 1/1 Running 0 2d8h +jaeger-cc4688b98-h52xt 1/1 Running 0 2d3h +kiali-594965b98c-zc67p 1/1 Running 0 2d3h +prometheus-67f6764db9-szd5b 2/2 Running 0 2d3h + +``` + +### List listeners + +```shell +kubectl get pods -n istio-system istio-ingressgateway-864db96c47-nvjc7 +``` + +```text +istioctl proxy-config listeners -n istio-system istio-ingressgateway-864db96c47-nvjc7 +ADDRESS PORT MATCH DESTINATION +0.0.0.0 8443 SNI: lb.net Route: https.443.secure-http.helloworld-gateway.default +0.0.0.0 15021 ALL Inline Route: /healthz/ready* +0.0.0.0 15090 ALL Inline Route: /stats/prometheus* +``` + +This makes reference to the configuration set in the gateway resources. +Here we can notice a route with SNI match "lb.net", which is listening to the port 443 and HTTPS protocol. + +## Check logs verbosity level settings + +`istioctl proxy-config log` will display the verbosity level set from each log type for the specified pod. ```shell istioctl proxy-config log helloworld-nginx-5d99f88767-cwcmd 
@@ -153,53 +138,22 @@ active loggers: client: warning config: warning connection: warning - conn_handler: warning - decompression: warning - dns: warning - dubbo: warning - envoy_bug: warning - ext_authz: warning - ext_proc: warning - rocketmq: warning - file: warning - filter: warning - forward_proxy: warning - grpc: warning - happy_eyeballs: warning - hc: warning - health_checker: warning - http: warning - http2: warning - hystrix: warning - init: warning - io: warning - jwt: warning - kafka: warning - key_value_store: warning - lua: warning - main: warning - matcher: warning - misc: error - mongo: warning - multi_connection: warning - oauth2: warning - quic: warning - quic_stream: warning - pool: warning - rate_limit_quota: warning - rbac: warning - rds: warning - redis: warning - router: warning - runtime: warning - stats: warning - secret: warning - tap: warning - testing: warning - thrift: warning - tracing: warning - upstream: warning - udp: warning - wasm: warning - websocket: warning +... +``` + +## List all + +It displays ALL from the specified pod. + +```shell +istioctl proxy-config all helloworld-nginx-5d99f88767-cwcmd +``` +```txt +SERVICE FQDN PORT SUBSET DIRECTION TYPE DESTINATION RULE + 80 - inbound ORIGINAL_DST +BlackHoleCluster - - - STATIC +InboundPassthroughClusterIpv4 - - - ORIGINAL_DST +PassthroughCluster - - - ORIGINAL_DST +agent - - - STATIC +... ``` \ No newline at end of file diff --git a/Istio/02-Traffic_management/07-HTTPS-Gateway-Simple-TLS/README.md b/Istio/02-Traffic_management/07-HTTPS-Gateway-Simple-TLS/README.md new file mode 100644 index 0000000..e59d76b --- /dev/null +++ b/Istio/02-Traffic_management/07-HTTPS-Gateway-Simple-TLS/README.md 
@@ -0,0 +1,174 @@ +# Based on + +- 01-hello_world_1_service_1_deployment + +# Description + +On this example, we generate a TLS configuration, and afterwards we attach such to a `Gateway` resource listening to the port `443` for `HTTPS` traffic. + +> **Note:** \ +> This was based on the information from the following Istio documentation: +> - [Secure Gateways](https://istio.io/latest/docs/tasks/traffic-management/ingress/secure-ingress/) + +# Configuration applied + +```yaml +apiVersion: networking.istio.io/v1alpha3 +kind: Gateway +metadata: + name: helloworld-gateway +spec: + selector: + istio: ingressgateway + servers: + - port: + number: 443 + name: secure-http + protocol: HTTPS + hosts: + - "*" + tls: + mode: SIMPLE + credentialName: my-tls-cert-secret +``` + +- Gateway is listening to the port `443` and `HTTPS` protocol. + +- Allows for all hosts. + +- The TLS configuration is set to simple, and the credentials (the object that contains the certificates/TLS configuration) is set to `my-tls-cert-secret`. + +> **Note:**\ +> The credentials resource is created further bellow through the [Walkthrough](#Walkthrough) steps. + +> **Note:**\ +> For more information regarding the TLS mode configuration, refer to the following [Istio documentation regarding the TLS mode field](https://istio.io/latest/docs/reference/config/networking/gateway/#ServerTLSSettings-TLSmode). + +# Walkthrough + +## Generate client and server certificate and key files + +First step will be to generate the certificate and key files to be able to set them to the Gateway resource. + +### Create a folder to store files. + +Create the folder to contain the files that will be generated. + +```shell +mkdir certfolder +``` + +### Create a certificate and a private key. 
+ +```shell +openssl req -x509 -sha256 -nodes -days 365 -subj '/O=Internet of things/CN=lb.net' -newkey rsa:2048 -keyout certfolder/istio.cert.key -out certfolder/istio.cert.crt +``` + +The files generated are the following: + +```yaml +private-key: certfolder/istio.cert.key +root-certificate: certfolder/istio.cert.crt +``` + +The information set to the certificate generated is the following: + +```yaml +Organization-name: Internet of things +CN: lb.net +``` + +### Create a TLS secret + +At this step we create the tls secret `my-tls-cert-secret` on the namespace `istio-system`. + +```shell +kubectl create -n istio-system secret tls my-tls-cert-secret \ + --key=certfolder/istio.cert.key \ + --cert=certfolder/istio.cert.crt +``` +```text +secret/my-tls-cert-secret created +``` +```text +service/helloworld created +deployment.apps/helloworld-nginx created +gateway.networking.istio.io/helloworld-gateway created +virtualservice.networking.istio.io/helloworld-vs created +``` + +> **Note:**\ +> It's Important that the secret is located in the same namespace as the Load Balancer used. In my case is the `istio-system`, but it will vary based on the environment. 
+ + +## Deploy resources + +```shell +kubectl apply -f ./ +``` +```text +service/helloworld created +deployment.apps/helloworld-nginx created +gateway.networking.istio.io/helloworld-gateway created +virtualservice.networking.istio.io/helloworld-vs created +``` + +## Test the service + +[//]: # (```shell) +[//]: # (curl --insecure --resolve lb.net:443:192.168.1.50 https://lb.net/helloworld) +[//]: # (```) + +```shell +curl --insecure https://192.168.1.50/helloworld -I +``` + +```text +HTTP/2 200 +server: istio-envoy +date: Sun, 23 Apr 2023 05:06:47 GMT +content-type: text/html +content-length: 615 +last-modified: Tue, 28 Mar 2023 15:01:54 GMT +etag: "64230162-267" +accept-ranges: bytes +x-envoy-upstream-service-time: 96 +``` + +## Cleanup + +```shell +kubectl delete -n istio-system secret my-tls-cert-secret +``` + +```shell +kubectl delete -f ./ +``` + +```shell +rm -rv certfolder/ +``` + +# Troubleshooting. + +## curl: (7) Failed to connect to 192.168.1.51 port 443 after 2 ms: Couldn't connect to server + +- Ensure that the gateway is listening to the right port, in this case, the port 443. + +- Refer to the troubleshooting documentation, specifically the `Logs>Ingress`. \ +Check if it displays any log activity that could facilitate the troubleshooting / investigation. + +## curl: (35) Recv failure: Connection reset by peer + +- Refer to the troubleshooting documentation, specifically the `Logs>Ingress`. \ + Check if it displays any log activity that could facilitate the troubleshooting / investigation. + +## 404 + +Ensure the URL used to thest the connectivity, matches the host and path rules applied, both in the `Gateway` and `VirtualService` resources. + +# Links of Interest + +- https://istio.io/latest/docs/tasks/traffic-management/ingress/secure-ingress + +- https://istio.io/latest/docs/reference/config/networking/gateway/#ServerTLSSettings-TLSmode \ No newline at end of file 
diff --git a/Istio/02-Traffic_management/07-HTTPS-Gateway-Simple-TLS/deployment.yaml b/Istio/02-Traffic_management/07-HTTPS-Gateway-Simple-TLS/deployment.yaml new file mode 100755 index 0000000..a283aab --- /dev/null +++ b/Istio/02-Traffic_management/07-HTTPS-Gateway-Simple-TLS/deployment.yaml @@ -0,0 +1,39 @@ +apiVersion: v1 +kind: Service +metadata: + name: helloworld + labels: + app: helloworld + service: helloworld +spec: + ports: + - port: 80 + name: http + selector: + app: helloworld +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: helloworld-nginx + labels: + app: helloworld +spec: + replicas: 1 + selector: + matchLabels: + app: helloworld + template: + metadata: + labels: + app: helloworld + spec: + containers: + - name: helloworld + image: nginx + resources: + requests: + cpu: "100m" + imagePullPolicy: IfNotPresent #Always + ports: + - containerPort: 80 diff --git a/Istio/02-Traffic_management/07-HTTPS-Gateway-Simple-TLS/gateway.yaml b/Istio/02-Traffic_management/07-HTTPS-Gateway-Simple-TLS/gateway.yaml new file mode 100755 index 0000000..cc236c0 --- /dev/null +++ b/Istio/02-Traffic_management/07-HTTPS-Gateway-Simple-TLS/gateway.yaml @@ -0,0 +1,38 @@ +apiVersion: networking.istio.io/v1alpha3 +kind: Gateway +metadata: + name: helloworld-gateway +spec: + selector: + istio: ingressgateway + servers: + - port: + number: 443 + name: secure-http + protocol: HTTPS + hosts: + - "*" + tls: + mode: SIMPLE + credentialName: my-tls-cert-secret +--- +apiVersion: networking.istio.io/v1alpha3 +kind: VirtualService +metadata: + name: helloworld-vs +spec: + hosts: + - "*" + gateways: + - helloworld-gateway + http: + - match: + - uri: + exact: /helloworld + route: + - destination: + host: helloworld + port: + number: 80 + rewrite: + uri: "/" \ No newline at end of file diff --git a/Istio/02-Traffic_management/README.md b/Istio/02-Traffic_management/README.md index 964367b..002a99d 100644 --- a/Istio/02-Traffic_management/README.md 
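Review bot: The `image: nginx` line in the helloworld-nginx container spec carries no tag or digest, so each pull resolves to whatever `latest` is at that moment and the walkthrough's output (for example the `etag` and `last-modified` values shown in the README) is not reproducible. Pin the image to the version the example was tested with, e.g. `image: nginx:<PINNED-TAG-OR-DIGEST>` (placeholder). The trailing `#Always` on `imagePullPolicy: IfNotPresent` reads as a leftover toggle; either drop it or turn it into a short comment saying why `IfNotPresent` was chosen. The `resources` block only sets a cpu request; adding a matching `limits` entry would keep the pod bounded if the manifest is copied outside a lab.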
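Review bot: The Gateway's HTTPS server declares `hosts: - "*"` while the certificate it serves is generated in the same commit's README with `-subj '/O=Internet of things/CN=lb.net'`, so the listener accepts any SNI but presents a certificate that only validates for lb.net; the README then tests with `curl --insecure`, which hides exactly that mismatch. Narrowing the server to the certificate's name, `hosts: - "lb.net"`, keeps the manifest and the credential consistent, and the test can then verify the chain instead of disabling it, e.g. `curl --cacert certfolder/istio.cert.crt --resolve lb.net:443:192.168.1.50 https://lb.net/helloworld -I` (the commented-out `--resolve` line in the README is almost there already). The `tls` block sets no `minProtocolVersion`, so the accepted floor is whatever the installed Istio release defaults to; the follow-up 08a example sets `minProtocolVersion: TLSV1_3`, and stating the field here too would make the floor visible in this manifest rather than implicit.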
+++ b/Istio/02-Traffic_management/README.md @@ -9,21 +9,3 @@ ALL NEEDS DOCUMENTATION - 05a-FaultInjection-delay - 05b-FaultInjection-abort - 06-mTLS (would need some documentation review, mainly go over the differences respective to the template/prior configuration used) - - -# TODO - - - -minimum TLS version: -https://istio.io/latest/docs/tasks/security/tls-configuration/workload-min-tls-version/ - - -Should try to do a double Virtual Service chain - -https://academy.tetrate.io/courses/take/istio-fundamentals/lessons/19068816-lab-2-observing-failure-injection - - -Circuit breaking - -https://istio.io/latest/docs/tasks/traffic-management/circuit-breaking/ \ No newline at end of file diff --git a/Istio/README.md b/Istio/README.md index 996cd0f..126d5c8 100755 --- a/Istio/README.md +++ b/Istio/README.md @@ -1,4 +1,9 @@ + + + +# Stuff + ## Glossary https://istio.io/latest/docs/reference/glossary/ @@ -19,33 +24,11 @@ https://istio.io/latest/docs/ops/deployment/vm-architecture/ https://kubebyexample.com/learning-paths/istio/intro +# Notes for myself - -My current issues: - -- Understanding authentication - - -https://tetrate.io/blog/istio-how-to-enforce-egress-traffic-using-istios-authorization-policies/ - - - - - - - -Multiple Ingress - -https://youtu.be/QIkryA8HnQ0 - - - -https://github.com/redkubes/otomi-core/blob/main/charts/team-ns/templates/istio-gateway.yaml +Internal and external authentication should be set together. https://istio.io/latest/docs/ops/diagnostic-tools/proxy-cmd/ - -Using service accounts - diff --git a/Istio/__Ingress/01-namespace.yaml b/Istio/__Ingress/01-Create-Istio-LoadBalancer/01-namespace.yaml similarity index 100% rename from Istio/__Ingress/01-namespace.yaml rename to Istio/__Ingress/01-Create-Istio-LoadBalancer/01-namespace.yaml 
diff --git a/Istio/__Ingress/README.md b/Istio/__Ingress/01-Create-Istio-LoadBalancer/README.md similarity index 100% rename from Istio/__Ingress/README.md rename to Istio/__Ingress/01-Create-Istio-LoadBalancer/README.md diff --git a/Istio/__Ingress/ingress.yaml b/Istio/__Ingress/01-Create-Istio-LoadBalancer/ingress.yaml similarity index 100% rename from Istio/__Ingress/ingress.yaml rename to Istio/__Ingress/01-Create-Istio-LoadBalancer/ingress.yaml From a9b08a5925bd4213df21d50cc809a32e08344abd Mon Sep 17 00:00:00 2001 From: savagebidoof Date: Sun, 23 Apr 2023 07:14:12 +0200 Subject: [PATCH 3/8] quality improvements --- Istio/00-Troubleshooting/README.md | 6 +++++- .../07-HTTPS-Gateway-Simple-TLS/README.md | 11 +++++++++-- Istio/02-Traffic_management/README.md | 1 + 3 files changed, 15 insertions(+), 3 deletions(-) diff --git a/Istio/00-Troubleshooting/README.md b/Istio/00-Troubleshooting/README.md index 75ab419..fe5d235 100644 --- a/Istio/00-Troubleshooting/README.md +++ b/Istio/00-Troubleshooting/README.md @@ -1,4 +1,8 @@ -IDK put some text in there +--- +gitea: none +include_toc: true +--- + # Istioctl analyze diff --git a/Istio/02-Traffic_management/07-HTTPS-Gateway-Simple-TLS/README.md b/Istio/02-Traffic_management/07-HTTPS-Gateway-Simple-TLS/README.md index e59d76b..fb945c3 100644 --- a/Istio/02-Traffic_management/07-HTTPS-Gateway-Simple-TLS/README.md +++ b/Istio/02-Traffic_management/07-HTTPS-Gateway-Simple-TLS/README.md @@ -1,6 +1,11 @@ +--- +gitea: none +include_toc: true +--- + # Based on -- 01-hello_world_1_service_1_deployment +- [01-hello_world_1_service_1_deployment](../../01-Simple/01-hello_world_1_service_1_deployment) # Description @@ -12,6 +17,8 @@ On this example, we generate a TLS configuration, and afterwards we attach such # Configuration applied +## Gateway + ```yaml apiVersion: networking.istio.io/v1alpha3 kind: Gateway 
@@ -39,7 +46,7 @@ spec: - The TLS configuration is set to simple, and the credentials (the object that contains the certificates/TLS configuration) is set to `my-tls-cert-secret`. > **Note:**\ -> The credentials resource is created further bellow through the [Walkthrough](#Walkthrough) steps. +> The credentials resource is created further bellow through the [Walkthrough](#walkthrough) steps. > **Note:**\ > For more information regarding the TLS mode configuration, refer to the following [Istio documentation regarding the TLS mode field](https://istio.io/latest/docs/reference/config/networking/gateway/#ServerTLSSettings-TLSmode). diff --git a/Istio/02-Traffic_management/README.md b/Istio/02-Traffic_management/README.md index 002a99d..50b20e1 100644 --- a/Istio/02-Traffic_management/README.md +++ b/Istio/02-Traffic_management/README.md @@ -9,3 +9,4 @@ ALL NEEDS DOCUMENTATION - 05a-FaultInjection-delay - 05b-FaultInjection-abort - 06-mTLS (would need some documentation review, mainly go over the differences respective to the template/prior configuration used) +- 07-HTTPS-Gateway-Simple-TLS <- Doesn't respect the changelog format. \ No newline at end of file From c4afa3a1690ebba9d8891c5cb15e0ca758084b4b Mon Sep 17 00:00:00 2001 From: savagebidoof Date: Sun, 23 Apr 2023 07:28:16 +0200 Subject: [PATCH 4/8] quality improvements --- .../07-HTTPS-Gateway-Simple-TLS/README.md | 15 ++++++++++++++- 1 file changed, 14 insertions(+), 1 deletion(-) diff --git a/Istio/02-Traffic_management/07-HTTPS-Gateway-Simple-TLS/README.md b/Istio/02-Traffic_management/07-HTTPS-Gateway-Simple-TLS/README.md index fb945c3..0b74632 100644 --- a/Istio/02-Traffic_management/07-HTTPS-Gateway-Simple-TLS/README.md +++ b/Istio/02-Traffic_management/07-HTTPS-Gateway-Simple-TLS/README.md 
@@ -147,14 +147,27 @@ x-envoy-upstream-service-time: 96 ```shell kubectl delete -n istio-system secret my-tls-cert-secret ``` +```text +service "helloworld" deleted +deployment.apps "helloworld-nginx" deleted +gateway.networking.istio.io "helloworld-gateway" deleted +virtualservice.networking.istio.io "helloworld-vs" deleted +``` ```shell kubectl delete -f ./ ``` - +```text +secret "my-tls-cert-secret" deleted +``` ```shell rm -rv certfolder/ ``` +```text +removed 'certfolder/istio.cert.key' +removed 'certfolder/istio.cert.crt' +removed directory 'certfolder/' +``` # Troubleshooting. From d86fc9a7419b41a60030d5a1d67e3e72c5694614 Mon Sep 17 00:00:00 2001 From: savagebidoof Date: Sun, 23 Apr 2023 07:49:11 +0200 Subject: [PATCH 5/8] created the minimum maximium TLS gateway examples. --- .../08a-HTTPS-min-TLS-version/README.md | 178 ++++++++++++++++++ .../08a-HTTPS-min-TLS-version/deployment.yaml | 39 ++++ .../08a-HTTPS-min-TLS-version/gateway.yaml | 39 ++++ .../08b-HTTPS-max-TLS-version/README.md | 175 +++++++++++++++++ .../08b-HTTPS-max-TLS-version/deployment.yaml | 39 ++++ .../08b-HTTPS-max-TLS-version/gateway.yaml | 39 ++++ 6 files changed, 509 insertions(+) create mode 100644 Istio/02-Traffic_management/08a-HTTPS-min-TLS-version/README.md create mode 100755 Istio/02-Traffic_management/08a-HTTPS-min-TLS-version/deployment.yaml create mode 100755 Istio/02-Traffic_management/08a-HTTPS-min-TLS-version/gateway.yaml create mode 100644 Istio/02-Traffic_management/08b-HTTPS-max-TLS-version/README.md create mode 100755 Istio/02-Traffic_management/08b-HTTPS-max-TLS-version/deployment.yaml create mode 100755 Istio/02-Traffic_management/08b-HTTPS-max-TLS-version/gateway.yaml diff --git a/Istio/02-Traffic_management/08a-HTTPS-min-TLS-version/README.md b/Istio/02-Traffic_management/08a-HTTPS-min-TLS-version/README.md new file mode 100644 index 0000000..42d9907 --- /dev/null +++ b/Istio/02-Traffic_management/08a-HTTPS-min-TLS-version/README.md 
@@ -0,0 +1,178 @@
+---
+gitea: none
+include_toc: true
+---
+
+# Based on
+
+- [07-HTTPS-Gateway-Simple-TLS](../07-HTTPS-Gateway-Simple-TLS)
+
+# Description
+
+The previous example was modified to limit and specify the minimum TLS version.
+
+# Changelog
+
+## Gateway
+
+```yaml
+apiVersion: networking.istio.io/v1alpha3
+kind: Gateway
+metadata:
+ name: helloworld-gateway
+spec:
+ selector:
+ istio: ingressgateway
+ servers:
+ - port:
+ number: 443
+ name: secure-http
+ protocol: HTTPS
+ hosts:
+ - "*"
+ tls:
+ mode: SIMPLE
+ credentialName: my-tls-cert-secret
+ minProtocolVersion: TLSV1_3
+```
+
+Gateway has been modified to limit the minimum TLS version to v1.3.
+
+# Walkthrough
+
+## Generate client and server certificate and key files
+
+First step will be to generate the certificate and key files to be able to set them to the Gateway resource.
+
+### Create a folder to store files.
+
+Create the folder to contain the files that will be generated.
+
+```shell
+mkdir certfolder
+```
+
+### Create a certificate and a private key.
+
+```shell
+openssl req -x509 -sha256 -nodes -days 365 -subj '/O=Internet of things/CN=lb.net' -newkey rsa:2048 -keyout certfolder/istio.cert.key -out certfolder/istio.cert.crt
+```
+
+The files generated are the following:
+
+```yaml
+private-key: certfolder/istio.cert.key
+root-certificate: certfolder/istio.cert.crt
+```
+
+The information set to the certificate generated is the following:
+
+```yaml
+Organization-name: Internet of things
+CN: lb.net
+```
+
+### Create a TLS secret
+
+At this step we create the tls secret `my-tls-cert-secret` on the namespace `istio-system`.
+
+```shell
+kubectl create -n istio-system secret tls my-tls-cert-secret \
+ --key=certfolder/istio.cert.key \
+ --cert=certfolder/istio.cert.crt
+```
+```text
+secret/my-tls-cert-secret created
+```
+```text
+service/helloworld created
+deployment.apps/helloworld-nginx created
+gateway.networking.istio.io/helloworld-gateway created
+virtualservice.networking.istio.io/helloworld-vs created
+```
+
+> **Note:**\
+> It's Important that the secret is located in the same namespace as the Load Balancer used. In my case is the `istio-system`, but it will vary based on the environment.
+
+
+## Deploy resources
+
+```shell
+kubectl apply -f ./
+```
+```text
+service/helloworld created
+deployment.apps/helloworld-nginx created
+gateway.networking.istio.io/helloworld-gateway created
+virtualservice.networking.istio.io/helloworld-vs created
+```
+
+## Test the service
+
+[//]: # (```shell)
+[//]: # (curl --insecure --resolve lb.net:443:192.168.1.50 https://lb.net/helloworld)
+[//]: # (```)
+### Curl TLS 1.2
+
+It fails as intended.
+
+As the TLS v1.2 is smaller than the TLS v1.3 set as a minimal TLS version accepted, it doesn't allow us to proceed with the request.
+
+```shell
+curl --insecure https://192.168.1.50/helloworld -I --tlsv1.2 --tls-max 1.2
+```
+
+```text
+curl: (35) OpenSSL/3.0.8: error:0A00042E:SSL routines::tlsv1 alert protocol version
+```
+
+### Curl TLS 1.3
+
+It works as intended due respecting the minimal TLS version set.
+
+```shell
+curl --insecure https://192.168.1.50/helloworld -I --tlsv1.3 --tls-max 1.3
+```
+
+```text
+HTTP/2 200
+server: istio-envoy
+date: Sun, 23 Apr 2023 05:43:18 GMT
+content-type: text/html
+content-length: 615
+last-modified: Tue, 28 Mar 2023 15:01:54 GMT
+etag: "64230162-267"
+accept-ranges: bytes
+x-envoy-upstream-service-time: 13
+```
+
+## Cleanup
+
+```shell
+kubectl delete -n istio-system secret my-tls-cert-secret
+```
+```text
+service "helloworld" deleted
+deployment.apps "helloworld-nginx" deleted
+gateway.networking.istio.io "helloworld-gateway" deleted
+virtualservice.networking.istio.io "helloworld-vs" deleted
+```
+
+```shell
+kubectl delete -f ./
+```
+```text
+secret "my-tls-cert-secret" deleted
+```
+```shell
+rm -rv certfolder/
+```
+```text
+removed 'certfolder/istio.cert.key'
+removed 'certfolder/istio.cert.crt'
+removed directory 'certfolder/'
+```
+
+# Links of Interest
+
+- https://istio.io/latest/docs/reference/config/networking/gateway/#ServerTLSSettings-TLSProtocol
\ No newline at end of file
diff --git a/Istio/02-Traffic_management/08a-HTTPS-min-TLS-version/deployment.yaml b/Istio/02-Traffic_management/08a-HTTPS-min-TLS-version/deployment.yaml
new file mode 100755
index 0000000..a283aab
--- /dev/null
+++ b/Istio/02-Traffic_management/08a-HTTPS-min-TLS-version/deployment.yaml
@@ -0,0 +1,39 @@
+apiVersion: v1
+kind: Service
+metadata:
+ name: helloworld
+ labels:
+ app: helloworld
+ service: helloworld
+spec:
+ ports:
+ - port: 80
+ name: http
+ selector:
+ app: helloworld
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: helloworld-nginx
+ labels:
+ app: helloworld
+spec:
+ replicas: 1
+ selector:
+ matchLabels:
+ app: helloworld
+ template:
+ metadata:
+ labels:
+ app: helloworld
+ spec:
+ containers:
+ - name: helloworld
+ image: nginx
+ resources:
+ requests:
+ cpu: "100m"
+ imagePullPolicy: IfNotPresent #Always
+ ports:
+ - containerPort: 80
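Review bot: The test steps use `curl --insecure https://192.168.1.50/...`, which turns off certificate and hostname checking, so the certificate generated for CN `lb.net` a few steps earlier is never actually validated; the commented-out `--resolve lb.net:443:192.168.1.50 https://lb.net/helloworld` form just above it is the one to keep, with `--cacert certfolder/istio.cert.crt` in place of `--insecure` so the request verifies the self-signed certificate end to end. The "Create a TLS secret" step also prints two ```text blocks, the second (`service/helloworld created` …) being the output of the later `kubectl apply -f ./` step, and the Cleanup section shows the secret-deletion and `kubectl delete -f ./` outputs under each other's command. The same pasted-output defects are in the 08b README hunk of this patch, and the cleanup swap is also in the 07 README hunk of PATCH 4/8.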
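Review bot: `image: nginx` has no tag or digest, so each pull resolves to whatever the registry currently serves as `latest`, and together with `imagePullPolicy: IfNotPresent` two nodes can end up running different builds of the same Deployment; pin it as `image: nginx:<pinned-tag>` (or an `@sha256:` digest) so the example is reproducible. The container sets `resources.requests` but no `limits` and no `securityContext`; that is fine for a sample, but a one-line comment saying so would keep the file from being copied unchanged into real manifests. The same blob (a283aab) is added as the 08b deployment.yaml later in this patch, and a near copy under 09-Ingress in PATCH 7/8, so the change applies to all three.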
diff --git a/Istio/02-Traffic_management/08a-HTTPS-min-TLS-version/gateway.yaml b/Istio/02-Traffic_management/08a-HTTPS-min-TLS-version/gateway.yaml
new file mode 100755
index 0000000..9829a3f
--- /dev/null
+++ b/Istio/02-Traffic_management/08a-HTTPS-min-TLS-version/gateway.yaml
@@ -0,0 +1,39 @@
+apiVersion: networking.istio.io/v1alpha3
+kind: Gateway
+metadata:
+ name: helloworld-gateway
+spec:
+ selector:
+ istio: ingressgateway
+ servers:
+ - port:
+ number: 443
+ name: secure-http
+ protocol: HTTPS
+ hosts:
+ - "*"
+ tls:
+ mode: SIMPLE
+ credentialName: my-tls-cert-secret
+ minProtocolVersion: TLSV1_3
+---
+apiVersion: networking.istio.io/v1alpha3
+kind: VirtualService
+metadata:
+ name: helloworld-vs
+spec:
+ hosts:
+ - "*"
+ gateways:
+ - helloworld-gateway
+ http:
+ - match:
+ - uri:
+ exact: /helloworld
+ route:
+ - destination:
+ host: helloworld
+ port:
+ number: 80
+ rewrite:
+ uri: "/"
\ No newline at end of file
diff --git a/Istio/02-Traffic_management/08b-HTTPS-max-TLS-version/README.md b/Istio/02-Traffic_management/08b-HTTPS-max-TLS-version/README.md
new file mode 100644
index 0000000..845f64c
--- /dev/null
+++ b/Istio/02-Traffic_management/08b-HTTPS-max-TLS-version/README.md
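Review bot: The HTTPS server matches `hosts: - "*"` while the certificate in `my-tls-cert-secret` is issued for CN `lb.net` (per the README in this patch), so the listener completes a TLS handshake for any SNI using a certificate that only validates for that one name; narrowing it to `hosts: - "lb.net"` (and the VirtualService `hosts` to match) makes the gateway serve exactly the name it holds a certificate for and lets it decline other SNI values up front. `minProtocolVersion: TLSV1_3` is the right direction for a minimum-version example and needs no change. The 08b gateway.yaml later in this patch carries the same wildcard.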
@@ -0,0 +1,175 @@
+---
+gitea: none
+include_toc: true
+---
+
+# Based on
+
+- [07-HTTPS-Gateway-Simple-TLS](../07-HTTPS-Gateway-Simple-TLS)
+
+# Description
+
+The previous example was modified to limit and specify the maximum TLS version.
+
+# Changelog
+
+## Gateway
+
+```yaml
+apiVersion: networking.istio.io/v1alpha3
+kind: Gateway
+metadata:
+ name: helloworld-gateway
+spec:
+ selector:
+ istio: ingressgateway
+ servers:
+ - port:
+ number: 443
+ name: secure-http
+ protocol: HTTPS
+ hosts:
+ - "*"
+ tls:
+ mode: SIMPLE
+ credentialName: my-tls-cert-secret
+ maxProtocolVersion: TLSV1_2
+```
+
+Gateway has been modified to limit the maximum TLS version to v1.2.
+
+# Walkthrough
+
+## Generate client and server certificate and key files
+
+First step will be to generate the certificate and key files to be able to set them to the Gateway resource.
+
+### Create a folder to store files.
+
+Create the folder to contain the files that will be generated.
+
+```shell
+mkdir certfolder
+```
+
+### Create a certificate and a private key.
+
+```shell
+openssl req -x509 -sha256 -nodes -days 365 -subj '/O=Internet of things/CN=lb.net' -newkey rsa:2048 -keyout certfolder/istio.cert.key -out certfolder/istio.cert.crt
+```
+
+The files generated are the following:
+
+```yaml
+private-key: certfolder/istio.cert.key
+root-certificate: certfolder/istio.cert.crt
+```
+
+The information set to the certificate generated is the following:
+
+```yaml
+Organization-name: Internet of things
+CN: lb.net
+```
+
+### Create a TLS secret
+
+At this step we create the tls secret `my-tls-cert-secret` on the namespace `istio-system`.
+
+```shell
+kubectl create -n istio-system secret tls my-tls-cert-secret \
+ --key=certfolder/istio.cert.key \
+ --cert=certfolder/istio.cert.crt
+```
+```text
+secret/my-tls-cert-secret created
+```
+```text
+service/helloworld created
+deployment.apps/helloworld-nginx created
+gateway.networking.istio.io/helloworld-gateway created
+virtualservice.networking.istio.io/helloworld-vs created
+```
+
+> **Note:**\
+> It's Important that the secret is located in the same namespace as the Load Balancer used. In my case is the `istio-system`, but it will vary based on the environment.
+
+
+## Deploy resources
+
+```shell
+kubectl apply -f ./
+```
+```text
+service/helloworld created
+deployment.apps/helloworld-nginx created
+gateway.networking.istio.io/helloworld-gateway created
+virtualservice.networking.istio.io/helloworld-vs created
+```
+
+## Test the service
+
+### Curl TLS 1.2
+
+It fails as intended.
+
+As the TLS v1.2 is smaller than the TLS v1.3 set as a minimal TLS version accepted, it doesn't allow us to proceed with the request.
+
+```shell
+curl --insecure https://192.168.1.50/helloworld -I --tlsv1.2 --tls-max 1.2
+```
+
+```text
+HTTP/2 200
+server: istio-envoy
+date: Sun, 23 Apr 2023 05:48:04 GMT
+content-type: text/html
+content-length: 615
+last-modified: Tue, 28 Mar 2023 15:01:54 GMT
+etag: "64230162-267"
+accept-ranges: bytes
+x-envoy-upstream-service-time: 7
+```
+
+### Curl TLS 1.3
+
+It works as intended due respecting the minimal TLS version set.
+
+```shell
+curl --insecure https://192.168.1.50/helloworld -I --tlsv1.3 --tls-max 1.3
+```
+
+```text
+curl: (35) OpenSSL/3.0.8: error:0A00042E:SSL routines::tlsv1 alert protocol version
+```
+
+## Cleanup
+
+```shell
+kubectl delete -n istio-system secret my-tls-cert-secret
+```
+```text
+service "helloworld" deleted
+deployment.apps "helloworld-nginx" deleted
+gateway.networking.istio.io "helloworld-gateway" deleted
+virtualservice.networking.istio.io "helloworld-vs" deleted
+```
+
+```shell
+kubectl delete -f ./
+```
+```text
+secret "my-tls-cert-secret" deleted
+```
+```shell
+rm -rv certfolder/
+```
+```text
+removed 'certfolder/istio.cert.key'
+removed 'certfolder/istio.cert.crt'
+removed directory 'certfolder/'
+```
+
+# Links of Interest
+
+- https://istio.io/latest/docs/reference/config/networking/gateway/#ServerTLSSettings-TLSProtocol
\ No newline at end of file
diff --git a/Istio/02-Traffic_management/08b-HTTPS-max-TLS-version/deployment.yaml b/Istio/02-Traffic_management/08b-HTTPS-max-TLS-version/deployment.yaml
new file mode 100755
index 0000000..a283aab
--- /dev/null
+++ b/Istio/02-Traffic_management/08b-HTTPS-max-TLS-version/deployment.yaml
@@ -0,0 +1,39 @@
+apiVersion: v1
+kind: Service
+metadata:
+ name: helloworld
+ labels:
+ app: helloworld
+ service: helloworld
+spec:
+ ports:
+ - port: 80
+ name: http
+ selector:
+ app: helloworld
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: helloworld-nginx
+ labels:
+ app: helloworld
+spec:
+ replicas: 1
+ selector:
+ matchLabels:
+ app: helloworld
+ template:
+ metadata:
+ labels:
+ app: helloworld
+ spec:
+ containers:
+ - name: helloworld
+ image: nginx
+ resources:
+ requests:
+ cpu: "100m"
+ imagePullPolicy: IfNotPresent #Always
+ ports:
+ - containerPort: 80
diff --git a/Istio/02-Traffic_management/08b-HTTPS-max-TLS-version/gateway.yaml b/Istio/02-Traffic_management/08b-HTTPS-max-TLS-version/gateway.yaml
new file mode 100755
index 0000000..e7b67fe
--- /dev/null
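Review bot: The prose under "Curl TLS 1.2" and "Curl TLS 1.3" was carried over from the 08a README unchanged and now contradicts the outputs shown beside it: the TLS 1.2 request returns `HTTP/2 200` under the heading text "It fails as intended", and the TLS 1.3 request fails with `tlsv1 alert protocol version` under "It works as intended due respecting the minimal TLS version set". With `maxProtocolVersion: TLSV1_2` the expected outcome is the reverse, so the two explanations should be swapped and reworded around the maximum version, e.g. `As TLS v1.3 is above the TLS v1.2 set as the maximum accepted version, the handshake is rejected.` under the 1.3 heading. The duplicated ```text block after the secret-creation step and the swapped Cleanup outputs from the 08a README are present here as well.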
+++ b/Istio/02-Traffic_management/08b-HTTPS-max-TLS-version/gateway.yaml
@@ -0,0 +1,39 @@
+apiVersion: networking.istio.io/v1alpha3
+kind: Gateway
+metadata:
+ name: helloworld-gateway
+spec:
+ selector:
+ istio: ingressgateway
+ servers:
+ - port:
+ number: 443
+ name: secure-http
+ protocol: HTTPS
+ hosts:
+ - "*"
+ tls:
+ mode: SIMPLE
+ credentialName: my-tls-cert-secret
+ maxProtocolVersion: TLSV1_2
+---
+apiVersion: networking.istio.io/v1alpha3
+kind: VirtualService
+metadata:
+ name: helloworld-vs
+spec:
+ hosts:
+ - "*"
+ gateways:
+ - helloworld-gateway
+ http:
+ - match:
+ - uri:
+ exact: /helloworld
+ route:
+ - destination:
+ host: helloworld
+ port:
+ number: 80
+ rewrite:
+ uri: "/"
\ No newline at end of file
From bcaa6524914f8b6cc38f7fa9b6ef66197f226fd4 Mon Sep 17 00:00:00 2001
From: savagebidoof
Date: Sun, 23 Apr 2023 07:55:18 +0200
Subject: [PATCH 6/8] fixed link reference to previous example
---
 Istio/02-Traffic_management/08b-HTTPS-max-TLS-version/README.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/Istio/02-Traffic_management/08b-HTTPS-max-TLS-version/README.md b/Istio/02-Traffic_management/08b-HTTPS-max-TLS-version/README.md
index 845f64c..97ac603 100644
--- a/Istio/02-Traffic_management/08b-HTTPS-max-TLS-version/README.md
+++ b/Istio/02-Traffic_management/08b-HTTPS-max-TLS-version/README.md
@@ -5,7 +5,7 @@ include_toc: true
 # Based on
-- [07-HTTPS-Gateway-Simple-TLS](../07-HTTPS-Gateway-Simple-TLS)
+- [08a-HTTPS-min-TLS-version](../08a-HTTPS-min-TLS-version)
 # Description
From 205f4c3716ede27611f6da48ac40195322e777e0 Mon Sep 17 00:00:00 2001
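Review bot: `maxProtocolVersion: TLSV1_2` caps every client of this listener at TLS 1.2 and switches TLS 1.3 off for all of them, which is a deliberate downgrade for demonstration rather than a hardening step, and the manifest should say so, e.g. `# demo only: caps negotiation at TLS 1.2 so the README can show a 1.3-only client being refused`. Because no `minProtocolVersion` is set, the lower bound stays at Istio's default (I believe TLS 1.2 on current releases, but confirm for the deployed version); if the intent is to accept exactly one version, add `minProtocolVersion: TLSV1_2` alongside so the accepted range is explicit in the file rather than inherited.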
From: savagebidoof
Date: Sun, 23 Apr 2023 08:45:52 +0200
Subject: [PATCH 7/8] Did an Ingress deployment example. Small quality improvements.
---
 .../gateway.yaml | 1 -
 Istio/02-Traffic_management/06-mTLS/README.md | 7 +-
 .../01-namespace.yaml | 0
 .../01-Create-Istio-LoadBalancer/README.md | 185 ++++++++++++++++++
 .../deployment.yaml | 48 +++++
 .../01-Create-Istio-LoadBalancer/gateway.yaml | 36 ++++
 .../01-Create-Istio-LoadBalancer/ingress.yaml | 1 -
 Istio/README.md | 4 +-
 .../01-Create-Istio-LoadBalancer/README.md | 37 ----
 9 files changed, 275 insertions(+), 44 deletions(-)
 rename Istio/{__Ingress => 09-Ingress}/01-Create-Istio-LoadBalancer/01-namespace.yaml (100%)
 create mode 100644 Istio/09-Ingress/01-Create-Istio-LoadBalancer/README.md
 create mode 100755 Istio/09-Ingress/01-Create-Istio-LoadBalancer/deployment.yaml
 create mode 100755 Istio/09-Ingress/01-Create-Istio-LoadBalancer/gateway.yaml
 rename Istio/{__Ingress => 09-Ingress}/01-Create-Istio-LoadBalancer/ingress.yaml (99%)
 delete mode 100644 Istio/__Ingress/01-Create-Istio-LoadBalancer/README.md
diff --git a/Istio/01-Simple/01-hello_world_1_service_1_deployment/gateway.yaml b/Istio/01-Simple/01-hello_world_1_service_1_deployment/gateway.yaml
index 8ba8a20..252a01e 100755
--- a/Istio/01-Simple/01-hello_world_1_service_1_deployment/gateway.yaml
+++ b/Istio/01-Simple/01-hello_world_1_service_1_deployment/gateway.yaml
@@ -1,4 +1,3 @@
-# https://github.com/istio/istio/blob/master/samples/helloworld/helloworld-gateway.yaml
 apiVersion: networking.istio.io/v1alpha3
 kind: Gateway
 metadata:
diff --git a/Istio/02-Traffic_management/06-mTLS/README.md b/Istio/02-Traffic_management/06-mTLS/README.md
index d6a79dc..51daca6 100755
--- a/Istio/02-Traffic_management/06-mTLS/README.md
+++ b/Istio/02-Traffic_management/06-mTLS/README.md
@@ -30,7 +30,6 @@ From the Kiali dashboard we will review the mTLS label displayed
 ```shell
 kubectl apply -f ./
 ````
-
 ```txt
 peerauthentication.security.istio.io/default-mtls created
 service/helloworld created
@@ -46,9 +45,9 @@ virtualservice.networking.istio.io/helloworld-vs created
 [Source Folder](https://github.com/istio/istio/tree/master/samples/addons)
 ```shell
-kubectl apply -f https://raw.githubusercontent.com/istio/istio/master/samples/addons/grafana.yaml && \
-kubectl apply -f https://raw.githubusercontent.com/istio/istio/master/samples/addons/kiali.yaml && \
-kubectl apply -f https://raw.githubusercontent.com/istio/istio/master/samples/addons/prometheus.yaml && \
+kubectl apply -f https://raw.githubusercontent.com/istio/istio/master/samples/addons/grafana.yaml
+kubectl apply -f https://raw.githubusercontent.com/istio/istio/master/samples/addons/kiali.yaml
+kubectl apply -f https://raw.githubusercontent.com/istio/istio/master/samples/addons/prometheus.yaml
 kubectl apply -f https://raw.githubusercontent.com/istio/istio/master/samples/addons/prometheus.yaml
 ```
diff --git a/Istio/__Ingress/01-Create-Istio-LoadBalancer/01-namespace.yaml b/Istio/09-Ingress/01-Create-Istio-LoadBalancer/01-namespace.yaml
similarity index 100%
rename from Istio/__Ingress/01-Create-Istio-LoadBalancer/01-namespace.yaml
rename to Istio/09-Ingress/01-Create-Istio-LoadBalancer/01-namespace.yaml
diff --git a/Istio/09-Ingress/01-Create-Istio-LoadBalancer/README.md b/Istio/09-Ingress/01-Create-Istio-LoadBalancer/README.md
new file mode 100644
index 0000000..e7b29b3
--- /dev/null
+++ b/Istio/09-Ingress/01-Create-Istio-LoadBalancer/README.md
@@ -0,0 +1,185 @@
+---
+gitea: none
+include_toc: true
+---
+
+
+# Based on
+
+- [01-hello_world_1_service_1_deployment](../../01-Simple/01-hello_world_1_service_1_deployment)
+
+# Description
+
+On this example, a new Istio Ingress Load Balancer is deployed.
+
+The previous example has been modified to utilize the Ingress resource just deployed.
+
+# Changelog
+
+## Gateway
+
+```yaml
+apiVersion: networking.istio.io/v1alpha3
+kind: Gateway
+metadata:
+ name: helloworld-gateway
+spec:
+ selector:
+ istio: myingressgateway # use istio default controller
+ servers:
+ - port:
+ number: 80
+ name: http
+ protocol: HTTP
+ hosts:
+ - "*"
+```
+
+The selector `Istio` has been updated to `myingressgateway`, to match the selector of the Istio Ingress Load Balancer that will be created.
+
+## Namespace
+
+```yaml
+apiVersion: v1
+kind: Namespace
+metadata:
+ name: istio-ingress
+ labels:
+ istio-injection: "enabled"
+```
+
+The namespace `istio-ingress` will have the label `istio-injection` with the contents set to `enabled` to allow Istio to automatically inject the Istio sidecars to the resources within that namespace, unless specified otherwise.
+
+## IstioOperator
+
+```yaml
+apiVersion: install.istio.io/v1alpha1
+kind: IstioOperator
+metadata:
+ name: ingress
+spec:
+ profile: empty # Do not install CRDs or the control plane
+ components:
+ ingressGateways:
+ - name: myistio-ingressgateway
+ namespace: istio-ingress
+ enabled: true
+ label:
+ # Set a unique label for the gateway. This is required to ensure Gateways
+ # can select this workload
+ istio: myingressgateway
+ values:
+ gateways:
+ istio-ingressgateway:
+ # Enable gateway injection
+ injectionTemplate: gateway
+```
+
+The following configuration will create an Istio Ingress Load Balancer named `myistio-ingressgateway`, located at the namespace `istio-ingress`.
+
+The label `istio`, refers to the selector that the `Gateway` resources will use to specify the targeted Istio resource.
+
+# Walkthrough
+
+## Deploy resources
+
+### Create namespace
+
+```shell
+kubectl apply -f 01-namespace.yaml
+```
+```text
+namespace/istio-ingress created
+```
+
+### Create / Install the Istio Ingress resource
+
+
+```shell
+istioctl install -f ingress.yaml
+```
+```text
+This will install the Istio 1.17.2 empty profile into the cluster. Proceed? (y/N) y
+✔ Ingress gateways installed
+✔ Installation complete
+Thank you for installing Istio 1.17. Please take a few minutes to tell us about your install/upgrade experience! https://forms.gle/hMHGiwZHPU7UQRWe9
+```
+
+### Deploy gateway
+
+```shell
+kubectl apply -f gateway.yaml
+```
+```text
+
+gateway.networking.istio.io/helloworld-gateway created
+virtualservice.networking.istio.io/helloworld-vs created
+```
+
+### Deploy deployment
+
+```shell
+kubectl apply -f deployment.yaml
+```
+```text
+service/helloworld created
+deployment.apps/helloworld-nginx created
+```
+
+## Testing deployment
+
+### Get Load Balancer IP
+
+```shell
+kubectl get svc -n istio-ingress
+```
+```text
+NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE
+myistio-ingressgateway LoadBalancer 10.102.158.128 192.168.1.51 15021:31181/TCP,80:30090/TCP,443:31285/TCP 5m10s
+```
+
+### Curl
+
+The request results in status code `200`, meaning a correct handling of the request.
+
+```shell
+curl 192.168.1.51/helloworld -I
+```
+```text
+HTTP/1.1 200 OK
+server: istio-envoy
+date: Sun, 23 Apr 2023 06:40:57 GMT
+content-type: text/html
+content-length: 615
+last-modified: Tue, 28 Mar 2023 15:01:54 GMT
+etag: "64230162-267"
+accept-ranges: bytes
+x-envoy-upstream-service-time: 15
+```
+# Cleanup
+
+[Yeah no idea, gl with that.](https://stackoverflow.com/a/55731730)
+
+```shell
+istioctl uninstall --purge
+```
+
+Also read that "just removing" the namespace works to purge the config/remove resources.
+
+Meanwhile, I did that (and seems like it performed correctly), I am not entirely sure about it.
I'm not bothered myself as the environment where I am performing the tests is intended to be destroyed anytime and recreated, yet in a production environment I am not sure how this would need to be approached.
+
+Maybe with a `kubectl get all -A` and through `grep` and `less` find resources and configurations, and delete them manually.
+
+```shell
+kubectl delete namespace istio-ingress
+```
+
+# Troubleshooting
+
+## curl: (7) Failed to connect to 192.168.1.51 port 80 after 2 ms: Couldn't connect to server
+
+Ensure that the gateway is using the correct `selector` to target the Istio Ingress Load Balancer created.
+
+# Links of interest
+
+- https://istio.io/latest/docs/setup/additional-setup/gateway/#deploying-a-gateway
\ No newline at end of file
diff --git a/Istio/09-Ingress/01-Create-Istio-LoadBalancer/deployment.yaml b/Istio/09-Ingress/01-Create-Istio-LoadBalancer/deployment.yaml
new file mode 100755
index 0000000..36e6b76
--- /dev/null
+++ b/Istio/09-Ingress/01-Create-Istio-LoadBalancer/deployment.yaml
@@ -0,0 +1,48 @@
+# https://github.com/istio/istio/blob/master/samples/helloworld/helloworld.yaml
+apiVersion: v1
+kind: Service
+metadata:
+ name: helloworld
+ labels:
+ app: helloworld
+ service: helloworld
+spec:
+ ports:
+ - port: 80
+ name: http
+ selector:
+ app: helloworld
+---
+#apiVersion: v1
+#kind: ServiceAccount
+#metadata:
+# name: istio-helloworld
+# labels:
+# account:
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: helloworld-nginx
+ labels:
+ app: helloworld
+spec:
+ replicas: 1
+ selector:
+ matchLabels:
+ app: helloworld
+ template:
+ metadata:
+ labels:
+ app: helloworld
+ spec:
+# serviceAccountName: istio-helloworld
+ containers:
+ - name: helloworld
+ image: nginx
+ resources:
+ requests:
+ cpu: "100m"
+ imagePullPolicy: IfNotPresent #Always
+ ports:
+ - containerPort: 80
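Review bot: The Cleanup section runs `istioctl uninstall --purge`, which removes every Istio control-plane and gateway resource in the cluster rather than only the `myistio-ingressgateway` this example installed; on a cluster that also hosts the default `istio-system` ingressgateway used by the repository's other examples that is a destructive step, and the section's own "Yeah no idea" admits it was not verified. `istioctl uninstall` accepts the same IstioOperator file as `istioctl install` through its `-f` option, so `istioctl uninstall -f ingress.yaml` followed by the `kubectl delete namespace istio-ingress` already listed scopes the removal to this example — worth confirming against the installed 1.17.2 before replacing the `--purge` line. The IstioOperator snippet's `values.gateways.istio-ingressgateway` block configures the injection template while the component itself is named `myistio-ingressgateway`; a one-line note that the `values` key is the chart's fixed name, not the component name, would stop readers renaming it to match.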
diff --git a/Istio/09-Ingress/01-Create-Istio-LoadBalancer/gateway.yaml b/Istio/09-Ingress/01-Create-Istio-LoadBalancer/gateway.yaml
new file mode 100755
index 0000000..38b5390
--- /dev/null
+++ b/Istio/09-Ingress/01-Create-Istio-LoadBalancer/gateway.yaml
@@ -0,0 +1,36 @@
+# https://github.com/istio/istio/blob/master/samples/helloworld/helloworld-gateway.yaml
+apiVersion: networking.istio.io/v1alpha3
+kind: Gateway
+metadata:
+ name: helloworld-gateway
+spec:
+ selector:
+ istio: myingressgateway # use istio default controller
+ servers:
+ - port:
+ number: 80
+ name: http
+ protocol: HTTP
+ hosts:
+ - "*"
+---
+apiVersion: networking.istio.io/v1alpha3
+kind: VirtualService
+metadata:
+ name: helloworld-vs
+spec:
+ hosts:
+ - "*"
+ gateways:
+ - helloworld-gateway
+ http:
+ - match:
+ - uri:
+ exact: /helloworld
+ route:
+ - destination:
+ host: helloworld
+ port:
+ number: 80
+ rewrite:
+ uri: "/"
\ No newline at end of file
diff --git a/Istio/__Ingress/01-Create-Istio-LoadBalancer/ingress.yaml b/Istio/09-Ingress/01-Create-Istio-LoadBalancer/ingress.yaml
similarity index 99%
rename from Istio/__Ingress/01-Create-Istio-LoadBalancer/ingress.yaml
rename to Istio/09-Ingress/01-Create-Istio-LoadBalancer/ingress.yaml
index 082cf45..3f3191d 100644
--- a/Istio/__Ingress/01-Create-Istio-LoadBalancer/ingress.yaml
+++ b/Istio/09-Ingress/01-Create-Istio-LoadBalancer/ingress.yaml
@@ -1,4 +1,3 @@
-
 apiVersion: install.istio.io/v1alpha1
 kind: IstioOperator
 metadata:
diff --git a/Istio/README.md b/Istio/README.md
index 126d5c8..53d112f 100755
--- a/Istio/README.md
+++ b/Istio/README.md
@@ -1,6 +1,8 @@
+# Disclaimer:
+I have absolutely used as a reference and or template other party configurations/files.
-
+I have tried to reference as much as possible as long it's relevant/useful for the reader.
 # Stuff
diff --git a/Istio/__Ingress/01-Create-Istio-LoadBalancer/README.md b/Istio/__Ingress/01-Create-Istio-LoadBalancer/README.md
deleted file mode 100644
index 354dbdd..0000000
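Review bot: The selector line keeps the comment `# use istio default controller` next to `istio: myingressgateway`, but the whole point of this example (per its README in the same patch) is that the Gateway no longer targets the default controller; a stale comment on the selector is exactly what misleads whoever next debugs the `curl: (7)` failure the README's Troubleshooting section describes. Replace it with `istio: myingressgateway # label set on the gateway installed by ingress.yaml`. The README's Gateway snippet earlier in this patch repeats the same stale comment and should change with it.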
--- a/Istio/__Ingress/01-Create-Istio-LoadBalancer/README.md
+++ /dev/null
@@ -1,37 +0,0 @@
-https://istio.io/latest/docs/tasks/traffic-management/ingress/
-
-
-TLS
-https://istio.io/latest/docs/tasks/traffic-management/ingress/secure-ingress/
-
-
-
-
-https://istio.io/latest/docs/setup/additional-setup/gateway/#deploying-a-gateway
-
-
-kubectl apply -f 01-namespace.yaml
-
-istioctl install -f ingress.yaml
-
-
-kubectl get all -A | grep myistio
-istio-ingress pod/myistio-ingressgateway-5cdcd89cfb-s4fsz 1/1 Running 0 43s
-istio-ingress service/myistio-ingressgateway LoadBalancer 10.102.38.206 192.168.1.51 15021:30287/TCP,80:30979/TCP,443:31405/TCP 43s
-istio-ingress deployment.apps/myistio-ingressgateway 1/1 1 1 44s
-istio-ingress replicaset.apps/myistio-ingressgateway-5cdcd89cfb 1 1 1 44s
-istio-ingress horizontalpodautoscaler.autoscaling/myistio-ingressgateway Deployment/myistio-ingressgateway /80% 1 5 1 44s
-
-
----
-
-It gets its own service account.
-
-We can use this to restrict the network activity and enforce traffic rules.
-
-```shell
-kubectl get pod -n istio-ingress myistio-ingressgateway-5cdcd89cfb-s4fsz -o jsonpath='{.spec.serviceAccount}'
-```
-```text
-myistio-ingressgateway-service-account
-```
From 2603371255773c2ffcc208636ab188ee3e50fe6a Mon Sep 17 00:00:00 2001
From: savagebidoof
Date: Sun, 23 Apr 2023 08:47:24 +0200
Subject: [PATCH 8/8] Quality improvements
---
 Istio/02-Traffic_management/06-mTLS/README.md | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)
diff --git a/Istio/02-Traffic_management/06-mTLS/README.md b/Istio/02-Traffic_management/06-mTLS/README.md
index 51daca6..84e2185 100755
--- a/Istio/02-Traffic_management/06-mTLS/README.md
+++ b/Istio/02-Traffic_management/06-mTLS/README.md
@@ -3,7 +3,7 @@ gitea: none
 include_toc: true
 ---
-# Continues from
+# Based on
 - [01-hello_world_1_service_1_deployment](../../01-Simple/01-hello_world_1_service_1_deployment)
@@ -22,7 +22,6 @@ From the Kiali dashboard we will review the mTLS label displayed
 # Changelog
-
 # Walkthrough
 ## Deploy the resources