dev #27

Merged
ofilter merged 22 commits from dev into main 2023-04-25 08:18:00 +02:00
9 changed files with 0 additions and 768 deletions
Showing only changes of commit 27030b4c58

View File

@ -1,321 +0,0 @@
---
gitea: none
include_toc: true
---
# Based on
- [08a-HTTPS-min-TLS-version](../08a-HTTPS-min-TLS-version)
# Description
The previous example was modified set the gateway to enable for HTTP2 traffic.
https://stackoverflow.com/a/59610581
# Changelog
## Gateway
```yaml
apiVersion: networking.istio.io/v1alpha3
kind: Gateway
metadata:
name: helloworld-gateway
spec:
selector:
istio: ingressgateway
servers:
- port:
number: 443
name: secure-http2
protocol: HTTP2
hosts:
- "*"
tls:
mode: SIMPLE
credentialName: my-tls-cert-secret
minProtocolVersion: TLSV1_2
```
`<text>`
# Walkthrough
## Generate client and server certificate and key files
First step will be to generate the certificate and key files to be able to set them to the Gateway resource.
### Create a folder to store files.
Create the folder to contain the files that will be generated.
```shell
mkdir certfolder
```
### Create a certificate and a private key.
```shell
openssl req -x509 -sha256 -nodes -days 365 -subj '/O=Internet of things/CN=lb.net' -newkey rsa:2048 -keyout certfolder/istio.cert.key -out certfolder/istio.cert.crt
```
The files generated are the following:
```yaml
private-key: certfolder/istio.cert.key
root-certificate: certfolder/istio.cert.crt
```
The information set to the certificate generated is the following:
```yaml
Organization-name: Internet of things
CN: lb.net
```
### Create a TLS secret
At this step we create the tls secret `my-tls-cert-secret` on the namespace `istio-system`.
```shell
kubectl create -n istio-system secret tls my-tls-cert-secret \
--key=certfolder/istio.cert.key \
--cert=certfolder/istio.cert.crt
```
```text
secret/my-tls-cert-secret created
```
```text
service/helloworld created
deployment.apps/helloworld-nginx created
gateway.networking.istio.io/helloworld-gateway created
virtualservice.networking.istio.io/helloworld-vs created
```
> **Note:**\
> It's Important that the secret is located in the same namespace as the Load Balancer used. In my case is the `istio-system`, but it will vary based on the environment.
## Deploy resources
```shell
kubectl apply -f ./
```
```text
service/helloworld created
deployment.apps/helloworld-nginx created
gateway.networking.istio.io/helloworld-gateway created
virtualservice.networking.istio.io/helloworld-vs created
```
## Test the service
### http2
#### Curl HTTP1
```shell
curl 192.168.1.50/helloworld -s -o=/dev/null -w 'http_version: %{http_version}\nstatus_code: %{response_code}\n' -HHOST:http2.lb --http1.0
```
```text
http_version: 1.1
status_code: 426
```
#### Curl HTTP1.1
```shell
curl 192.168.1.50/helloworld -s -o=/dev/null -w 'http_version: %{http_version}\nstatus_code: %{response_code}\n' -HHOST:http2.lb --http1.1
```
```text
http_version: 1.1
status_code: 200
```
#### Curl HTTP2
```shell
curl 192.168.1.50/helloworld -s -o=/dev/null -w 'http_version: %{http_version}\nstatus_code: %{response_code}\n' -HHOST:http2.lb --http2
```
```text
http_version: 1.1
status_code: 200
```
### http1-web
#### Curl HTTP1
```shell
curl 192.168.1.50/helloworld -s -o=/dev/null -w 'http_version: %{http_version}\nstatus_code: %{response_code}\n' -HHOST:http1.lb --http1.0
```
```text
http_version: 1.1
status_code: 426
```
#### Curl HTTP1.1
```shell
curl 192.168.1.50/helloworld -s -o=/dev/null -w 'http_version: %{http_version}\nstatus_code: %{response_code}\n' -HHOST:http1.lb --http1.1
```
```text
http_version: 1.1
status_code: 200
```
#### Curl HTTP2
```shell
curl 192.168.1.50/helloworld -s -o=/dev/null -w 'http_version: %{http_version}\nstatus_code: %{response_code}\n' -HHOST:http1.lb --http2
```
```text
http_version: 1.1
status_code: 200
```
## Cleanup
```shell
kubectl delete -f ./
```
```text
service "helloworld" deleted
deployment.apps "helloworld-nginx" deleted
gateway.networking.istio.io "helloworld-gateway" deleted
virtualservice.networking.istio.io "helloworld-vs" deleted
```
# Links of Interest
- https://istio.io/latest/docs/reference/config/networking/gateway/#ServerTLSSettings-TLSProtocol
- https://stackoverflow.com/a/51279606
- https://istio.io/latest/docs/reference/config/networking/destination-rule/#ConnectionPoolSettings-HTTPSettings-H2UpgradePolicy
docker buildx build --push --platform linux/arm/v7,linux/arm64/v8,linux/amd64 --tag registery.filter.home:5000/https-demo:latest -f Dockerfile
docker buildx build --push --platform linux/arm/v7,linux/arm64/v8,linux/amd64 --tag registery.filter.home:5000/https-demo:latest .
[+] Building 0.0s (0/0)
ERROR: multiple platforms feature is currently not supported for docker driver. Please switch to a different driver (eg. "docker buildx create --use")
---
## Create the Dockerfile
```bash
FROM ubuntu/apache2
RUN apt-get update && \
apt-get install apache2 openssl -y && \
a2ensite default-ssl && \
a2enmod ssl && \
echo "<h2>Howdy</h2>" | tee /var/www/html/index.html
RUN /usr/bin/printf "<VirtualHost *:80>\n\
ServerAdmin webmaster@localhost\n\
DocumentRoot /var/www/html\n\
ErrorLog \${APACHE_LOG_DIR}/error.log\n\
CustomLog \${APACHE_LOG_DIR}/access.log combined\n\
</VirtualHost>\n\
<VirtualHost *:443>\n\
ServerAdmin webmaster@localhost\n\
DocumentRoot /var/www/html\n\
ErrorLog \${APACHE_LOG_DIR}/error.log\n\
CustomLog \${APACHE_LOG_DIR}/access.log combined\n\
SSLEngine on\n\
SSLCertificateFile /etc/ssl/certs/ssl-cert-snakeoil.pem\n\
SSLCertificateKeyFile /etc/ssl/private/ssl-cert-snakeoil.key\n\
</VirtualHost>" > /etc/apache2/sites-available/000-default.conf
RUN openssl req -x509 -sha256 -nodes -days 358000 -subj '/O=SSL EXAMPLE/CN=lb.net' -newkey rsa:2048 -keyout /etc/ssl/private/ssl-cert-snakeoil.key -out /etc/ssl/certs/ssl-cert-snakeoil.pem
```
## Build the image
Due to my Kubernetes cluster environment, where I am using Orange 5, their architecture is arm7, and for such, I require to compile such images.
For my own commodity, I have used a raspberry pi 4 to build this images.
The images where pushed to a local registry server, and afterwards the Kubernetes cluster will pull such image.
```shell
docker build --tag https-demo:armv7 .
```
```text
docker build --tag https-demo:armv7 . --no-cache
[+] Building 16.5s (8/8) FINISHED
=> [internal] load .dockerignore 0.0s
=> => transferring context: 2B 0.0s
=> [internal] load build definition from Dockerfile 0.0s
=> => transferring dockerfile: 1.09kB 0.0s
=> [internal] load metadata for docker.io/ubuntu/apache2:latest 0.4s
=> CACHED [1/4] FROM docker.io/ubuntu/apache2@sha256:0a5e7179fa8fccf17843a8862e58ac783628b7d448cd68fda8fb1e 0.0s
=> [2/4] RUN apt-get update && apt-get install apache2 openssl -y && a2ensite default-ssl && a2enmod ssl & 12.0s
=> [3/4] RUN /usr/bin/printf "<VirtualHost *:80>\n ServerAdmin webmaster@localhost\n DocumentRoot /var/www/ 0.7s
=> [4/4] RUN openssl req -x509 -sha256 -nodes -days 358000 -subj '/O=SSL EXAMPLE' -newkey rsa:2048 -keyout 2.4s
=> exporting to image 1.0s
=> => exporting layers 1.0s
=> => writing image sha256:591c6d233100a48bf132eef7a792942cfd0b7057817c4ac5e156c1d33e24cd89 0.0s
=> => naming to docker.io/library/https-demo:armv7 0.0s
```
## Tag the image
```shell
docker image tag https-demo:armv7 registery.filter.home/https-demo:armv7
```
## Upload to the registery server
```text
docker image push registery.filter.home:5000/https-demo:armv7
The push refers to repository [registery.filter.home:5000/https-demo]
c6d858706b08: Pushed
9e077e0202f0: Pushed
6ffc708d0cf3: Pushed
69e01b4bf4d7: Pushed
17c5b30f3843: Pushed
0b9f60fbcaf1: Pushed
armv7: digest: sha256:d8c81c27f23bf3945ae8a794c82182f9e6c48ec927f388fdf4a88caa0e284bd1 size: 1578
```
## ?
curl: (35) OpenSSL/3.0.8: error:0A00010B:SSL routines::wrong version numbe
---
Has apache2 installed with a default certificate.
Port 80 visible for HTTP
Port 443 visible for HTTPS.
curl https:/192.168.1.2:8443 -s -o=/dev/null -w 'http_version: %{http_version}\nstatus_code: %{response_code}\n' -HHOST:http1.lb --http2 -k
http_version: 2
status_code: 200
```shell
curl --insecure --resolve lb.net:80:192.168.1.50 http://lb.net
```
```shell
curl --insecure --resolve lb.net:443:192.168.1.50 https://lb.net
```
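Review bot: the README's own test output never demonstrates HTTP/2, so nothing verified is lost by deleting it, but whatever replaces it should fix the test rather than copy it. Every `#### Curl HTTP2` block reports `http_version: 1.1` (plaintext to `192.168.1.50` with `--http2`, which Envoy answers over HTTP/1.1 and the `--http1.0` variants get `426`), while the only `http_version: 2` on the page is the scratch line `curl https:/192.168.1.2:8443 ... --http2 -k` near the bottom, which has a single-slash URL and skips certificate verification. A replacement walkthrough should test `https://` on 443 with `--http2` and `--cacert certfolder/istio.cert.crt` and expect `http_version: 2`. Two other things in this file are worth not carrying forward: the Dockerfile's `RUN openssl req ... -days 358000 ... -keyout /etc/ssl/private/ssl-cert-snakeoil.key` bakes a ~980-year private key into a pushed image layer, so everyone who pulls `registery.filter.home:5000/https-demo` holds the server key; and the tail after `# Links of Interest` (the `docker buildx` driver error, the `## ?` heading with the `wrong version number` curl error) is unfinished scratch that should not return in a rewrite.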

View File

@ -1,8 +0,0 @@
apiVersion: security.istio.io/v1beta1
kind: PeerAuthentication
metadata:
name: default-mtls
namespace: default
spec:
mtls:
mode: PERMISSIVE
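Review bot: removing the only `PeerAuthentication` in `default` means the namespace falls back to the mesh-wide default, so confirm that is the intent. `mode: PERMISSIVE` was already the permissive end of the scale (sidecars accept both mTLS and plaintext), so the deletion does not weaken anything, but if the goal of the branch is to enforce mTLS between `helloworld` and the ingress gateway, the stronger change is to keep this file and set `mode: STRICT` rather than drop it.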

View File

@ -1,80 +0,0 @@
apiVersion: v1
kind: Service
metadata:
name: helloworld
labels:
app: helloworld
service: helloworld
spec:
ports:
- port: 8080
name: http-s
targetPort: 80
protocol: TCP
appProtocol: HTTP
- port: 8443
name: https
targetPort: 443
protocol: TCP
appProtocol: https
selector:
app: helloworld
---
apiVersion: apps/v1
kind: Deployment
metadata:
name: helloworld-nginx
labels:
app: helloworld
spec:
replicas: 1
selector:
matchLabels:
app: helloworld
template:
metadata:
labels:
app: helloworld
sidecar.istio.io/inject: "true"
spec:
containers:
- name: helloworld
image: oriolfilter/https-nginx-demo
resources:
requests:
cpu: "100m"
imagePullPolicy: Always #Always
ports:
- containerPort: 80
- containerPort: 443
---
apiVersion: apps/v1
kind: Deployment
metadata:
name: nginx
labels:
app: nginx
version: v1
spec:
replicas: 1
selector:
matchLabels:
app: nginx
version: v1
template:
metadata:
labels:
app: nginx
version: v1
spec:
# serviceAccountName: istio-helloworld
containers:
- name: nginx
image: nginx
resources:
requests:
cpu: "100m"
imagePullPolicy: IfNotPresent
ports:
- containerPort: 80
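Review bot: both images here are unpinned, which is the thing to fix if these manifests come back. `image: oriolfilter/https-nginx-demo` has no tag (so `:latest`) and `imagePullPolicy: Always #Always`, meaning every pod restart may pull whatever the registry currently serves; `image: nginx` in the second Deployment is the same. Pin a tag, or better a digest, and drop the stale `#Always` comment. The second `nginx` Deployment is also not selected by the `helloworld` Service (`selector: app: helloworld`) and looks like leftover scratch. On the Service, `appProtocol: https` and `appProtocol: HTTP` use different casing for the same field; Istio's examples use lowercase, so make both lowercase.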

View File

@ -1,118 +0,0 @@
apiVersion: networking.istio.io/v1alpha3
kind: Gateway
metadata:
name: helloworld-gateway
spec:
selector:
# istio: myingressgateway
istio: ingressgateway
servers:
# - port:
# number: 443
# name: secure-http2
# protocol: HTTP2
# hosts:
# - "*"
- port:
number: 80
name: http2-i
protocol: HTTP2
hosts:
- "*"
- port:
number: 443
name: https-i
protocol: HTTPS
hosts:
- "*"
tls:
credentialName: my-tls-cert-secret
minProtocolVersion: TLSV1_2
#
mode: SIMPLE
---
apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
name: helloworld-vs
spec:
hosts:
- "*"
gateways:
- helloworld-gateway
http:
- name: http-vs
match:
- port: 80
route:
- destination:
host: helloworld.default.svc.cluster.local
port:
number: 8080
- name: https-vs
match:
- port: 443
route:
- destination:
host: helloworld.default.svc.cluster.local
port:
number: 8443
---
apiVersion: networking.istio.io/v1alpha3
kind: DestinationRule
metadata:
name: helloworld
namespace: default
spec:
host: helloworld.default.svc.cluster.local
trafficPolicy:
portLevelSettings:
- port:
number: 8080
tls:
mode: DISABLE
- port:
number: 8443
tls:
# credentialName: client-credential
mode: SIMPLE
# port:
# name: https-backend
# number: 8443
# protocol: HTTPS
# tls:
# credentialName: my-tls-cert-secret
# mode: SIMPLE
# tcp:
## - match:
## - port: 80
## route:
## - destination:
## host: helloworld
## port:
## number: 8080
## - match:
## - port: 443
# - route:
# - destination:
# host: helloworld
# port:
# number: 8443
#
# tls:
# - match:
# - port: 443
# sniHosts:
# - "hello.si"
## - uri:
## exact: /helloworld
# route:
# - destination:
# host: helloworld
# port:
# number: 8443
## protocol: HTTPS
## rewrite:
## uri: "/"
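Review bot: the `DestinationRule` sets `tls: mode: SIMPLE` on port `8443` with no `caCertificates`, so the sidecar originates TLS to the backend without verifying the server certificate; per the Istio DestinationRule reference, omitting `caCertificates` means the proxy does not verify the presented certificate. With the backend serving a self-signed snakeoil certificate that is unavoidable, but if this file returns, either point `caCertificates` at the CA that signed the backend cert or state in a comment that verification is intentionally off. The Gateway also declares port `80` as `protocol: HTTP2`, which is cleartext h2c alongside the `HTTPS` listener on 443 with `minProtocolVersion: TLSV1_2`; if the HTTP2 test is meant to exercise TLS, the 443 entry is the one to test. Finally, roughly half of this file is commented-out `tls:`/`tcp:` route experiments; delete them rather than keep them as dead config.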

View File

@ -1,29 +0,0 @@
apiVersion: install.istio.io/v1alpha1
kind: IstioOperator
metadata:
name: ingress
spec:
profile: empty # Do not install CRDs or the control plane
components:
ingressGateways:
- name: myistio-ingressgateway
namespace: istio-ingress
enabled: true
label:
istio: myingressgateway
k8s:
service:
ports:
- name: https-ingress
port: 443
protocol: TCP
targetPort: 1055
- name: http-ingress
port: 80
protocol: TCP
targetPort: 1085
values:
gateways:
istio-ingressgateway:
injectionTemplate: gateway
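Review bot: this gateway labels its pods `istio: myingressgateway`, but the `Gateway` resource in this commit selects `istio: ingressgateway` (the `# istio: myingressgateway` line there is commented out), so the `helloworld-gateway` would never bind to this deployment; the two label values need to agree before this file is reintroduced. Note also that `values.gateways.istio-ingressgateway.injectionTemplate: gateway` is keyed under the stock `istio-ingressgateway` name even though the component is `myistio-ingressgateway`; that key is the shared gateway defaults in IstioOperator values, so it applies, but a comment saying so would save the next reader the confusion.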

View File

@ -1,119 +0,0 @@
#apiVersion: v1
#kind: Service
#metadata:
# name: istio-lb
# namespace: istio-system
# labels:
# istio: istio-ingress
#spec:
# type: LoadBalancer
# ports:
# - port: 80
# name: http
# - port: 443
# name: https
# selector:
# istio: istio-ingress
#---
#apiVersion: install.istio.io/v1alpha1
#kind: IstioOperator
#metadata:
# namespace: istio-system
# name: my-istio-operator
#spec:
## profile: default
# profile: empty
# components:
# ingressGateways:
# - name: istio-ingress
# enabled: true
# label:
# istio: my-istio-ingress
---
#apiVersion: install.istio.io/v1alpha1
#kind: IstioOperator
#spec:
# components:
# ingressGateways:
# - name: istio-ingress
# enabled: true
## - name: istio-ingressgateway-staging
# namespace: staging
# enabled: true
---
#apiVersion: install.istio.io/v1alpha1
#kind: IstioOperator
#metadata:
# namespace: istio-system
# name: istio-operator
#spec:
# profile: default
# components:
# ingressGateways:
# - name: istio-ingress
# enabled: true
# - namespace: default
# name: istio-ingressgateway-private
# enabled: true
# k8s:
# serviceAnnotations:
# service.kubernetes.io/ibm-load-balancer-cloud-provider-ip-type: "private"
# values:
# gateways:
# istio-ingressgateway:
# sds:
# enabled: true
---
apiVersion: v1
kind: Service
metadata:
annotations:
labels:
app: istio-ingressgateway
# install.operator.istio.io/owning-resource: unknown
# install.operator.istio.io/owning-resource-namespace: istio-system
istio: my-ingress-gateway
# istio.io/rev: default
operator.istio.io/component: IngressGateways
# operator.istio.io/managed: Reconcile
# operator.istio.io/version: 1.16.1
# release: istio
name: my-ingress-gateway
namespace: istio-system
resourceVersion: "880342"
uid: 289a34e8-fe45-43ad-8dad-bc3dc9534f5c
spec:
# allocateLoadBalancerNodePorts: true
# clusterIP: 10.110.130.2
# clusterIPs:
# - 10.110.130.2
externalTrafficPolicy: Cluster
internalTrafficPolicy: Cluster
ipFamilies:
- IPv4
ipFamilyPolicy: SingleStack
ports:
- name: status-port
nodePort: 30276
port: 15021
protocol: TCP
targetPort: 15021
- name: http2
nodePort: 32188
port: 80
protocol: TCP
targetPort: 8080
- name: https
# nodePort: 32437
port: 443
protocol: TCP
# targetPort: 8443
selector:
app: istio-ingressgateway
istio: ingressgateway
# sessionAffinity: None
type: LoadBalancer
status:
loadBalancer:
ingress:
- ip: 192.168.1.50
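Review bot: the live `Service` at the bottom is a `kubectl get -o yaml` dump and must not be applied as-is: `resourceVersion: "880342"`, `uid: 289a34e8-...`, the hard-coded `nodePort` values and the whole `status:` block are server-populated and will either be rejected on create or conflict on update. Strip them if this manifest comes back. Two further points in the same block: the metadata label is `istio: my-ingress-gateway` but the `selector` is `istio: ingressgateway`, so this LoadBalancer fronts the stock ingress gateway pods rather than a separate gateway; and on the `https` entry `# targetPort: 8443` is commented out while `http2` keeps `targetPort: 8080`, so 443 would default to targetPort 443 on pods that listen on 8443. The three commented-out `IstioOperator` variants above it are dead config and should just go.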

View File

@ -1 +0,0 @@
https://istio.io/latest/docs/tasks/traffic-management/locality-load-balancing/

View File

@ -1,63 +0,0 @@
## https://istio.io/latest/docs/setup/additional-setup/gateway/#deploying-a-gateway
#apiVersion: v1
#kind: Service
#metadata:
# name: istio-ingressgateway2
# namespace: istio-ingress
#spec:
# type: LoadBalancer
# selector:
# istio: ingressgateway
# ports:
# - port: 80
# name: http
# - port: 443
# name: https
#---
#apiVersion: apps/v1
#kind: Deployment
#metadata:
# name: istio-ingressgateway2
# namespace: istio-ingress
#spec:
# selector:
# matchLabels:
# istio: ingressgateway
# template:
# metadata:
# annotations:
# # Select the gateway injection template (rather than the default sidecar template)
# inject.istio.io/templates: gateway
# labels:
# # Set a unique label for the gateway. This is required to ensure Gateways can select this workload
# istio: ingressgateway
# # Enable gateway injection. If connecting to a revisioned control plane, replace with "istio.io/rev: revision-name"
# sidecar.istio.io/inject: "true"
# spec:
# containers:
# - name: istio-proxy
# image: auto # The image will automatically update each time the pod starts.
#---
## Set up roles to allow reading credentials for TLS
#apiVersion: rbac.authorization.k8s.io/v1
#kind: Role
#metadata:
# name: istio-ingressgateway2-sds
# namespace: istio-ingress
#rules:
# - apiGroups: [""]
# resources: ["secrets"]
# verbs: ["get", "watch", "list"]
#---
#apiVersion: rbac.authorization.k8s.io/v1
#kind: RoleBinding
#metadata:
# name: istio-ingressgateway2-sds
# namespace: istio-ingress
#roleRef:
# apiGroup: rbac.authorization.k8s.io
# kind: Role
# name: istio-ingressgateway2-sds
#subjects:
# - kind: ServiceAccount
# name: default
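Review bot: the commented `Role`/`RoleBinding` grant `get`, `watch`, `list` on all `secrets` in `istio-ingress` to the `default` ServiceAccount, which means every pod in that namespace running under the default SA could read the gateway's TLS private keys. If this gateway deployment is ever uncommented, give it a dedicated ServiceAccount, set `serviceAccountName` on the Deployment, and bind the Role to that SA instead of `default`. Deleting the file as it stands is fine since nothing in it is active.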

View File

@ -1,29 +0,0 @@
https://medium.com/@dinup24/expose-apps-on-private-network-through-istio-ingress-gateway-7dcb8a16d5bc
cat << EOF > istio-operator.yaml
apiVersion: install.istio.io/v1alpha1
kind: IstioOperator
metadata:
namespace: istio-system
name: istio-operator
spec:
profile: default
components:
ingressGateways:
- name: istio-ingressgateway
enabled: true
- namespace: istio-system
name: istio-ingressgateway-private
enabled: true
k8s:
serviceAnnotations:
service.kubernetes.io/ibm-load-balancer-cloud-provider-ip-type: "private"
values:
gateways:
istio-ingressgateway:
sds:
enabled: true
EOF
istioctl manifest apply -f istio-operator.yaml
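Review bot: the `serviceAnnotations` entry `service.kubernetes.io/ibm-load-balancer-cloud-provider-ip-type: "private"` is copied from the linked IBM Cloud article and has no effect on the home cluster this PR targets (the LoadBalancer here is `192.168.1.50` with a local registry), so the "private gateway" this file was meant to create would have been just a second public-equivalent gateway. `values.gateways.istio-ingressgateway.sds.enabled: true` and `istioctl manifest apply` are also old-style: SDS has been the default for gateways for several releases and `istioctl install` replaced `manifest apply`. Nothing to keep here; if a second, internal-only gateway is still wanted, express it with a gateway Deployment plus a Service of the type the local load balancer supports rather than a cloud-specific annotation.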