dev #27

Merged
ofilter merged 22 commits from dev into main 2023-04-25 08:18:00 +02:00
21 changed files with 97 additions and 1141 deletions
Showing only changes of commit 2b7f83c208

View File

@ -189,123 +189,3 @@ virtualservice.networking.istio.io "helloworld-vs" deleted
```
# Links of Interest
- https://istio.io/latest/docs/reference/config/networking/gateway/#ServerTLSSettings-TLSProtocol
- https://stackoverflow.com/a/51279606
- https://istio.io/latest/docs/reference/config/networking/destination-rule/#ConnectionPoolSettings-HTTPSettings-H2UpgradePolicy
docker buildx build --push --platform linux/arm/v7,linux/arm64/v8,linux/amd64 --tag registery.filter.home:5000/https-demo:latest -f Dockerfile
docker buildx build --push --platform linux/arm/v7,linux/arm64/v8,linux/amd64 --tag registery.filter.home:5000/https-demo:latest .
[+] Building 0.0s (0/0)
ERROR: multiple platforms feature is currently not supported for docker driver. Please switch to a different driver (eg. "docker buildx create --use")
---
## Create the Dockerfile
```bash
FROM ubuntu/apache2
RUN apt-get update && \
apt-get install apache2 openssl -y && \
a2ensite default-ssl && \
a2enmod ssl && \
echo "<h2>Howdy</h2>" | tee /var/www/html/index.html
RUN /usr/bin/printf "<VirtualHost *:80>\n\
ServerAdmin webmaster@localhost\n\
DocumentRoot /var/www/html\n\
ErrorLog \${APACHE_LOG_DIR}/error.log\n\
CustomLog \${APACHE_LOG_DIR}/access.log combined\n\
</VirtualHost>\n\
<VirtualHost *:443>\n\
ServerAdmin webmaster@localhost\n\
DocumentRoot /var/www/html\n\
ErrorLog \${APACHE_LOG_DIR}/error.log\n\
CustomLog \${APACHE_LOG_DIR}/access.log combined\n\
SSLEngine on\n\
SSLCertificateFile /etc/ssl/certs/ssl-cert-snakeoil.pem\n\
SSLCertificateKeyFile /etc/ssl/private/ssl-cert-snakeoil.key\n\
</VirtualHost>" > /etc/apache2/sites-available/000-default.conf
RUN openssl req -x509 -sha256 -nodes -days 358000 -subj '/O=SSL EXAMPLE/CN=lb.net' -newkey rsa:2048 -keyout /etc/ssl/private/ssl-cert-snakeoil.key -out /etc/ssl/certs/ssl-cert-snakeoil.pem
```
## Build the image
Due to my Kubernetes cluster environment, where I am using Orange 5, their architecture is arm7, and for such, I require to compile such images.
For my own commodity, I have used a raspberry pi 4 to build this images.
The images where pushed to a local registry server, and afterwards the Kubernetes cluster will pull such image.
```shell
docker build --tag https-demo:armv7 .
```
```text
docker build --tag https-demo:armv7 . --no-cache
[+] Building 16.5s (8/8) FINISHED
=> [internal] load .dockerignore 0.0s
=> => transferring context: 2B 0.0s
=> [internal] load build definition from Dockerfile 0.0s
=> => transferring dockerfile: 1.09kB 0.0s
=> [internal] load metadata for docker.io/ubuntu/apache2:latest 0.4s
=> CACHED [1/4] FROM docker.io/ubuntu/apache2@sha256:0a5e7179fa8fccf17843a8862e58ac783628b7d448cd68fda8fb1e 0.0s
=> [2/4] RUN apt-get update && apt-get install apache2 openssl -y && a2ensite default-ssl && a2enmod ssl & 12.0s
=> [3/4] RUN /usr/bin/printf "<VirtualHost *:80>\n ServerAdmin webmaster@localhost\n DocumentRoot /var/www/ 0.7s
=> [4/4] RUN openssl req -x509 -sha256 -nodes -days 358000 -subj '/O=SSL EXAMPLE' -newkey rsa:2048 -keyout 2.4s
=> exporting to image 1.0s
=> => exporting layers 1.0s
=> => writing image sha256:591c6d233100a48bf132eef7a792942cfd0b7057817c4ac5e156c1d33e24cd89 0.0s
=> => naming to docker.io/library/https-demo:armv7 0.0s
```
## Tag the image
```shell
docker image tag https-demo:armv7 registery.filter.home/https-demo:armv7
```
## Upload to the registery server
```text
docker image push registery.filter.home:5000/https-demo:armv7
The push refers to repository [registery.filter.home:5000/https-demo]
c6d858706b08: Pushed
9e077e0202f0: Pushed
6ffc708d0cf3: Pushed
69e01b4bf4d7: Pushed
17c5b30f3843: Pushed
0b9f60fbcaf1: Pushed
armv7: digest: sha256:d8c81c27f23bf3945ae8a794c82182f9e6c48ec927f388fdf4a88caa0e284bd1 size: 1578
```
## ?
curl: (35) OpenSSL/3.0.8: error:0A00010B:SSL routines::wrong version numbe
---
Has apache2 installed with a default certificate.
Port 80 visible for HTTP
Port 443 visible for HTTPS.
curl https://192.168.1.2:8443 -s -o=/dev/null -w 'http_version: %{http_version}\nstatus_code: %{response_code}\n' -HHOST:http1.lb --http2 -k
http_version: 2
status_code: 200
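Review bot: the tag and push commands in the removed block do not name the same repository: `docker image tag https-demo:armv7 registery.filter.home/https-demo:armv7` omits the `:5000` port that `docker image push registery.filter.home:5000/https-demo:armv7` uses, so the push as written would not have found that tag. Since this whole appendix (Dockerfile, build log, the unresolved `## ?` section with the `wrong version number` error) is being cut from the README, make sure the image notes live with the image (the other README in this PR points at hub.docker.com/r/oriolfilter/https-apache-demo), and wherever the Dockerfile lands, keep it labelled as demo-only: it bakes an unencrypted (`-nodes`) self-signed key into an image layer with a `-days 358000` lifetime, and the backend presents exactly that key to every client.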

View File

@ -164,7 +164,9 @@ virtualservice.networking.istio.io/helloworld-vs created
### Get LB IP
```shell
$ kubectl get svc -l istio=ingressgateway -A
kubectl get svc -l istio=ingressgateway -A
```
```text
NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE
istio-ingressgateway LoadBalancer 10.97.47.216 192.168.1.50 15021:31316/TCP,80:32012/TCP,443:32486/TCP 39h
```
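Review bot: dropping the `$` prompt from the `kubectl get svc -l istio=ingressgateway -A` line is fine (the command is now copy-pasteable), but the pasted output also shows the LoadBalancer publishing `15021:31316/TCP` on 192.168.1.50 next to 80 and 443; 15021 is the gateway's status/readiness port and does not need to be reachable from outside the cluster, so consider removing it from the ingress gateway service or filtering it at the LB.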
@ -232,8 +234,4 @@ virtualservice.networking.istio.io "helloworld-vs" deleted
# Links of Interest
- https://istio.io/latest/docs/reference/config/networking/gateway/#ServerTLSSettings-TLSProtocol
- https://stackoverflow.com/a/51279606
- https://istio.io/latest/docs/reference/config/networking/destination-rule/#ConnectionPoolSettings-HTTPSettings-H2UpgradePolicy
- https://istio.io/latest/docs/reference/config/networking/gateway/#Gateway

View File

@ -9,13 +9,9 @@ include_toc: true
# Description
The previous example was modified set TCP forwarding towards the backend.
The previous example was modified set TLS Forwarding for the HTTPS, meaning that the TLS will be terminated by the backend containing a service capable of such.
The backend contains an HTTPS service, which is used to demonstrate how the TCP forwarding is working as intended (aka doesn't disturb HTTP traffic).
The same backend also contains the same service but running as HTTP, and for such has also been set in the gateway to display both working as intended.
Additionally, the backend used, has HTTP2 enable, which also will be used to confirm that it's working as intended.
This requires a deployment with a service HTTPS (as it will need to handle the TLS termination ...).
> **Note:**\
> For more information about the image used refer to [here](https://hub.docker.com/r/oriolfilter/https-apache-demo)
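Review bot: the new Description sentence reads "The previous example was modified set TLS Forwarding" (missing "to"), and "TLS Forwarding" should use the Istio term the manifest actually sets, `PASSTHROUGH`. One more sentence stating the consequence the rest of the README relies on would help: in PASSTHROUGH the gateway only reads the SNI and forwards the encrypted stream, so it cannot apply HTTP-level routing, header manipulation or request authentication to this traffic, and the backend's certificate and TLS settings are what the client sees.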
@ -24,68 +20,65 @@ Additionally, the backend used, has HTTP2 enable, which also will be used to con
## Gateway
Gateway been configured to listen both ports `80` and `443` through the TCP protocol, without any host specified.
Gateway configured to listen the port `443` for `HTTPS` traffic protocol.
The tls was configured as `PASSTHROUGH`
```yaml
apiVersion: networking.istio.io/v1alpha3
kind: Gateway
metadata:
name: helloworld-gateway
namespace: default
spec:
selector:
istio: ingressgateway
servers:
- port:
number: 80
name: tcp-1
protocol: TCP
hosts:
- "*"
- port:
number: 443
name: tcp-2
protocol: TCP
name: https-web
protocol: HTTPS
hosts:
- "*"
tls:
mode: PASSTHROUGH
```
## Virtual service
Virtual service have 2 rules that perform the same behavior, on different ports.
Virtual service expected to receive traffic with designation, the host `lb.net`.
The rules will receive the traffic and forward it to the destination service and port.
The rule that contains, will receive traffic from the port `443`, with host destination `lb.net`.
The destination of such is the service `helloworld.default.svc.cluster.local`, with port destination 8443.
```yaml
apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
name: helloworld-vs
namespace: default
spec:
hosts:
- "*"
- "lb.net"
gateways:
- helloworld-gateway
tcp:
tls:
- match:
- port: 80
- port: 443
sniHosts: ["lb.net"]
route:
- destination:
host: helloworld.default.svc.cluster.local
port:
number: 8080
- match:
- port: 443
route:
- destination:
host: helloworld.default.svc.cluster.local
port:
number: 8443
```
## Service
The service will forward the incoming TCP traffic with port 8080, to the deployment port 80.
The same behavior is applied for the service port 8443, that will be forwarded towards the port 443 from the deployment.
The service will forward incoming TCP traffic from the port `8443`, towards the deployment port `443`.
It's been specified the protocol expected to service, it being `HTTPS`.
```yaml
apiVersion: v1
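Review bot: the prose above the VirtualService is stale against the manifest below it: it still says "Virtual service have 2 rules that perform the same behavior, on different ports" and "The rule that contains, will receive traffic" (sentence cut off), while the new spec has a single `tls` match on port 443 with `sniHosts: ["lb.net"]` routing to port 8443. Also keep `hosts` as just `"lb.net"`: Istio requires each `sniHosts` entry of a `tls` route to be covered by the VirtualService `hosts`, and a leftover `"*"` widens the match beyond the SNI you intend to route.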
@ -97,14 +90,11 @@ metadata:
service: helloworld
spec:
ports:
- port: 8080
name: http-web
targetPort: 80
protocol: TCP
- port: 8443
name: https-web
- name: https
port: 8443
targetPort: 443
protocol: TCP
appProtocol: HTTPS
selector:
app: helloworld
```
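Review bot: the Service prose above this hunk ("forward the incoming TCP traffic with port 8080, to the deployment port 80") describes the port the manifest removes; only 8443 to 443 remains. Setting `appProtocol: HTTPS` is the right hint here: Istio's protocol selection treats the port as TLS and does not try to parse it as HTTP, which is what PASSTHROUGH needs; it also means this port gets TCP-level handling only inside the mesh (no L7 metrics or HTTP routing), which is worth a line in the README.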
@ -164,57 +154,50 @@ virtualservice.networking.istio.io/helloworld-vs created
### Get LB IP
```shell
$ kubectl get svc -l istio=ingressgateway -A
kubectl get svc -l istio=ingressgateway -A
```
```text
NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE
istio-ingressgateway LoadBalancer 10.97.47.216 192.168.1.50 15021:31316/TCP,80:32012/TCP,443:32486/TCP 39h
```
### curl HTTPS
### curl HTTP
Well, it just works.
The `--resolve` flag it's used to "fake" the traffic to match the filters we specified in the `Virtual Service`, specifically the `host` and `hostSNI` fields.
```shell
curl http://192.168.1.50 -s -o=/dev/null -w 'http_version: %{http_version}\nstatus_code: %{response_code}\n'
curl --insecure --resolve lb.net:443:192.168.1.50 https://lb.net
```
```text
http_version: 1.1
status_code: 426
<h2>Howdy</h2>
```
#### curl HTTPS
### curl HTTPS (HEAD)
This already confirms that `HTTP2` is working as intended.
Here we can spot the following sentence:
- `server: nginx/1.23.4`
This means that the TLS was handled by Nginx (verifying that the `TLS Passthrough` was performed correctly).
If it had been managed by Istio, it would say:
- `server: istio-envoy`
```shell
curl https://192.168.1.50 -ks -o=/dev/null -w 'http_version: %{http_version}\nstatus_code: %{response_code}\n' --http1.1
curl --insecure --resolve lb.net:443:192.168.1.50 https://lb.net --HEAD
```
```text
http_version: 2
status_code: 200
```
#### Curl HTTP2
The previous example already displayed that `HTTP2` is working as intended.
This example is maintained due being explicitly to confirm the `HTTP2` feature.
```shell
curl https://192.168.1.50 -w 'http_version: %{http_version}\nstatus_code: %{response_code}\n' --http2 -sk -o=/dev/null
```
```text
http_version: 2
status_code: 200
```
#### Curl HTTP1.1
We can confirm that `HTTP1.1` also works over `TCP forwarding`.
```shell
curl https://192.168.1.50 -w 'http_version: %{http_version}\nstatus_code: %{response_code}\n' --http1.1 -sk -o=/dev/null
```
```text
http_version: 1.1
status_code: 200
HTTP/2 200
server: nginx/1.23.4
date: Tue, 25 Apr 2023 02:49:33 GMT
content-type: text/html
content-length: 15
last-modified: Tue, 25 Apr 2023 00:47:17 GMT
etag: "64472315-f"
strict-transport-security: max-age=7200
accept-ranges: bytes
```
## Cleanup
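Review bot: the header dump the new test relies on says `server: nginx/1.23.4` and the text concludes that TLS was terminated by Nginx, but this README's own Note points at the `https-apache-demo` image as the backend; confirm which workload actually answered before shipping that conclusion, because an unexpected `Server` header is exactly what a passthrough misroute to the wrong pod would look like. Two more points: the tests use `--insecure`, which discards the one property passthrough gives you (the client validating the backend's own certificate), so passing the backend's certificate with `--cacert` would make the check prove end-to-end identity; and the headings are left in a mixed state (`### curl HTTPS` immediately followed by `### curl HTTP`, then `#### curl HTTPS` beside `### curl HTTPS (HEAD)`), with "also works over `TCP forwarding`" still describing the previous example's setup.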
@ -232,8 +215,6 @@ virtualservice.networking.istio.io "helloworld-vs" deleted
# Links of Interest
- https://istio.io/latest/docs/reference/config/networking/gateway/#ServerTLSSettings-TLSProtocol
- https://istio.io/latest/docs/reference/config/networking/gateway/#Gateway
- https://stackoverflow.com/a/51279606
- https://istio.io/latest/docs/reference/config/networking/destination-rule/#ConnectionPoolSettings-HTTPSettings-H2UpgradePolicy
- https://istio.io/latest/docs/reference/config/networking/gateway/#ServerTLSSettings-TLSmode

View File

@ -1,113 +0,0 @@
#apiVersion: networking.istio.io/v1alpha3
#kind: Gateway
#metadata:
# name: helloworld-gateway
#spec:
# selector:
## istio: myingressgateway
# istio: ingressgateway
# servers:
# - hosts:
# ["lb.net","*.lb.net"]
# port:
# name: tls-443
# number: 443
# protocol: HTTPS
# tls:
# mode: SIMPLE
# credentialName: my-tls-cert-secret
# minProtocolVersion: TLSV1_2
#---
#apiVersion: networking.istio.io/v1alpha3
#kind: VirtualService
#metadata:
# name: helloworld-vs
#spec:
# hosts:
# - "*"
# gateways:
# - helloworld-gateway
# http:
## - name: http-vs
## match:
## - port: 80
## route:
## - destination:
## host: helloworld.default.svc.cluster.local
## port:
## number: 8080
# - name: https-vs
# match:
# - port: 443
# route:
# - destination:
# host: helloworld.default.svc.cluster.local
# port:
# number: 443
##
## tls:
## - match:
## - port: 443
## sniHosts: ["lb.net"]
## route:
## - destination:
## host: helloworld.default.svc.cluster.local
## port:
## number: 443
##---
##apiVersion: networking.istio.io/v1alpha3
##kind: DestinationRule
##metadata:
## name: helloworld
## namespace: default
##spec:
## host: helloworld.default.svc.cluster.local
## trafficPolicy:
## portLevelSettings:
## - port:
## number: 8080
## tls:
## mode: DISABLE
## - port:
## number: 8443
## tls:
## credentialName: client-credential
## mode: SIMPLE
## port:
## name: https-backend
## number: 8443
## protocol: HTTPS
## tls:
## credentialName: my-tls-cert-secret
## mode: SIMPLE
## tcp:
### - match:
### - port: 80
### route:
### - destination:
### host: helloworld
### port:
### number: 8080
### - match:
### - port: 443
## - route:
## - destination:
## host: helloworld
## port:
## number: 8443
##
## tls:
## - match:
## - port: 443
## sniHosts:
## - "hello.si"
### - uri:
### exact: /helloworld
## route:
## - destination:
## host: helloworld
## port:
## number: 8443
### protocol: HTTPS
### rewrite:
### uri: "/"

View File

@ -7,17 +7,11 @@ metadata:
service: helloworld
spec:
ports:
- port: 8080
name: http-s
targetPort: 80
protocol: TCP
appProtocol: HTTP
- port: 8443
name: https
- name: https
port: 8443
targetPort: 443
protocol: TCP
appProtocol: https
appProtocol: HTTPS
selector:
app: helloworld
---
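Review bot: the removed port entry was named `http-s`, which Istio's name-based protocol selection reads as protocol `http` with suffix `s`, i.e. plaintext HTTP rather than HTTPS; it is good that the surviving entry relies on `appProtocol`, which Istio prefers over the port name when both are present. `appProtocol: https` and `appProtocol: HTTPS` are equivalent to Istio, which lowercases the value before matching, so the case change is cosmetic.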
@ -36,7 +30,6 @@ spec:
metadata:
labels:
app: helloworld
sidecar.istio.io/inject: "true"
spec:
containers:
- name: helloworld
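Review bot: this removes `sidecar.istio.io/inject: "true"` from the helloworld pod template, so the backend now runs without an Envoy sidecar. That is consistent with PASSTHROUGH (the gateway hands the encrypted stream straight to the pod and a sidecar would have nothing to decrypt), but the trade-off should be stated in the README: the pod is outside the mesh, so no mesh mTLS, AuthorizationPolicy or telemetry applies to it, and its exposure is whatever the container's own TLS configuration provides.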
@ -48,33 +41,33 @@ spec:
ports:
- containerPort: 80
- containerPort: 443
---
apiVersion: apps/v1
kind: Deployment
metadata:
name: nginx
labels:
app: nginx
version: v1
spec:
replicas: 1
selector:
matchLabels:
app: nginx
version: v1
template:
metadata:
labels:
app: nginx
version: v1
spec:
# serviceAccountName: istio-helloworld
containers:
- name: nginx
image: nginx
resources:
requests:
cpu: "100m"
imagePullPolicy: IfNotPresent
ports:
- containerPort: 80
#---
#apiVersion: apps/v1
#kind: Deployment
#metadata:
# name: nginx
# labels:
# app: nginx
# version: v1
#spec:
# replicas: 1
# selector:
# matchLabels:
# app: nginx
# version: v1
# template:
# metadata:
# labels:
# app: nginx
# version: v1
# spec:
# # serviceAccountName: istio-helloworld
# containers:
# - name: nginx
# image: nginx
# resources:
# requests:
# cpu: "100m"
# imagePullPolicy: IfNotPresent
# ports:
# - containerPort: 80
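Review bot: the nginx Deployment is being commented out line by line rather than deleted; the history is in git, so deleting it keeps the manifest readable (and `kubectl apply -f ./` skips comments either way). Also, the helloworld container still declares `containerPort: 80` although the gateway no longer has a port-80 listener and the Service no longer maps it; a plaintext port left open on the pod is only reachable inside the cluster, but worth dropping if the demo's point is HTTPS only.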

View File

@ -1,36 +0,0 @@
#apiVersion: networking.istio.io/v1beta1
#kind: Gateway
#metadata:
# name: helloworld-gateway
#spec:
# selector:
# istio: ingressgateway
# servers:
# - hosts:
# - "*"
# port:
# name: https
# number: 443
# protocol: HTTPS
# tls:
# mode: PASSTHROUGH
#---
#apiVersion: networking.istio.io/v1beta1
#kind: VirtualService
#metadata:
# name: helloworld-vs
#spec:
# gateways:
# - helloworld-gateway
# hosts: ["lb.net","*.lb.net"]
## http:
## - route:
## - destination:
## host: helloworld.default.svc.cluster.local
##spec:
# tls:
# - match:
# - sniHosts: ["lb.net","*.lb.net"]
# route:
# - destination:
# host: helloworld.default.svc.cluster.local

View File

@ -2,61 +2,30 @@ apiVersion: networking.istio.io/v1alpha3
kind: Gateway
metadata:
name: helloworld-gateway
namespace: default
spec:
selector:
# istio: myingressgateway
istio: ingressgateway
servers:
# - port:
# number: 443
# name: secure-http2
# protocol: HTTP2
# hosts:
# - "*"
- port:
number: 80
name: http2-i
protocol: HTTP2
hosts:
- "*"
- port:
number: 443
name: https-i
name: https-web
protocol: HTTPS
hosts:
- "*"
tls:
# credentialName: my-tls-cert-secret
# minProtocolVersion: TLSV1_2
#
mode: PASSTHROUGH
---
apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
name: helloworld-vs
namespace: default
spec:
hosts:
- "lb.net"
gateways:
- helloworld-gateway
http:
- name: http-vs
match:
- port: 80
route:
- destination:
host: helloworld.default.svc.cluster.local
port:
number: 8080
# - name: https-vs
# match:
# - port: 443
# route:
# - destination:
# host: helloworld.default.svc.cluster.local
# port:
# number: 8443
tls:
- match:
- port: 443
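Review bot: switching the 443 server to `mode: PASSTHROUGH` drops the `credentialName` and `minProtocolVersion: TLSV1_2` settings that the earlier example introduced; they do not apply in passthrough because the gateway no longer terminates TLS, so the minimum-TLS-version guarantee now has to be enforced in the backend's own server configuration, and the README should say so. The port-80 `http2-i` server and the `http-vs` route are removed together, so nothing listens on 80 any more; that is consistent, just make sure the test section no longer calls `http://192.168.1.50`.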
@ -65,23 +34,4 @@ spec:
- destination:
host: helloworld.default.svc.cluster.local
port:
number: 8443
---
apiVersion: networking.istio.io/v1alpha3
kind: DestinationRule
metadata:
name: helloworld
namespace: default
spec:
host: helloworld.default.svc.cluster.local
trafficPolicy:
portLevelSettings:
- port:
number: 8080
tls:
mode: DISABLE
- port:
number: 8443
tls:
mode: DISABLE
number: 8443
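Review bot: removing the DestinationRule (tls `mode: DISABLE` on 8080 and 8443) is correct once the sidecar is gone and the gateway passes TLS through untouched: there is no client-side Envoy left to originate or disable TLS towards the service. The trailing `number: 8443` is the remaining context line of the VirtualService destination, so the file still ends on a complete route.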

View File

@ -1,29 +0,0 @@
apiVersion: install.istio.io/v1alpha1
kind: IstioOperator
metadata:
name: ingress
spec:
profile: empty # Do not install CRDs or the control plane
components:
ingressGateways:
- name: myistio-ingressgateway
namespace: istio-ingress
enabled: true
label:
istio: myingressgateway
k8s:
service:
ports:
- name: https-ingress
port: 443
protocol: TCP
targetPort: 1055
- name: http-ingress
port: 80
protocol: TCP
targetPort: 1085
values:
gateways:
istio-ingressgateway:
injectionTemplate: gateway
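Review bot: deleting the custom `myistio-ingressgateway` IstioOperator is fine, since the Gateway selector now uses the default `istio: ingressgateway` and the commented `myingressgateway` selector is removed in the same PR; note that an identical copy of this operator spec is deleted further down, so both example directories were carrying the same file.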

View File

@ -1,313 +0,0 @@
---
gitea: none
include_toc: true
---
# Based on
- [08a-HTTPS-min-TLS-version](../08a-HTTPS-min-TLS-version)
# Description
The previous example was modified set the gateway to enable for HTTP2 traffic.
https://stackoverflow.com/a/59610581
# Changelog
## Gateway
```yaml
apiVersion: networking.istio.io/v1alpha3
kind: Gateway
metadata:
name: helloworld-gateway
spec:
selector:
istio: ingressgateway
servers:
- port:
number: 443
name: secure-http2
protocol: HTTP2
hosts:
- "*"
tls:
mode: SIMPLE
credentialName: my-tls-cert-secret
minProtocolVersion: TLSV1_2
```
`<text>`
# Walkthrough
## Generate client and server certificate and key files
First step will be to generate the certificate and key files to be able to set them to the Gateway resource.
### Create a folder to store files.
Create the folder to contain the files that will be generated.
```shell
mkdir certfolder
```
### Create a certificate and a private key.
```shell
openssl req -x509 -sha256 -nodes -days 365 -subj '/O=Internet of things/CN=lb.net' -newkey rsa:2048 -keyout certfolder/istio.cert.key -out certfolder/istio.cert.crt
```
The files generated are the following:
```yaml
private-key: certfolder/istio.cert.key
root-certificate: certfolder/istio.cert.crt
```
The information set to the certificate generated is the following:
```yaml
Organization-name: Internet of things
CN: lb.net
```
### Create a TLS secret
At this step we create the tls secret `my-tls-cert-secret` on the namespace `istio-system`.
```shell
kubectl create -n istio-system secret tls my-tls-cert-secret \
--key=certfolder/istio.cert.key \
--cert=certfolder/istio.cert.crt
```
```text
secret/my-tls-cert-secret created
```
```text
service/helloworld created
deployment.apps/helloworld-nginx created
gateway.networking.istio.io/helloworld-gateway created
virtualservice.networking.istio.io/helloworld-vs created
```
> **Note:**\
> It's Important that the secret is located in the same namespace as the Load Balancer used. In my case is the `istio-system`, but it will vary based on the environment.
## Deploy resources
```shell
kubectl apply -f ./
```
```text
service/helloworld created
deployment.apps/helloworld-nginx created
gateway.networking.istio.io/helloworld-gateway created
virtualservice.networking.istio.io/helloworld-vs created
```
## Test the service
### http2
#### Curl HTTP1
```shell
curl 192.168.1.50/helloworld -s -o=/dev/null -w 'http_version: %{http_version}\nstatus_code: %{response_code}\n' -HHOST:http2.lb --http1.0
```
```text
http_version: 1.1
status_code: 426
```
#### Curl HTTP1.1
```shell
curl 192.168.1.50/helloworld -s -o=/dev/null -w 'http_version: %{http_version}\nstatus_code: %{response_code}\n' -HHOST:http2.lb --http1.1
```
```text
http_version: 1.1
status_code: 200
```
#### Curl HTTP2
```shell
curl 192.168.1.50/helloworld -s -o=/dev/null -w 'http_version: %{http_version}\nstatus_code: %{response_code}\n' -HHOST:http2.lb --http2
```
```text
http_version: 1.1
status_code: 200
```
### http1-web
#### Curl HTTP1
```shell
curl 192.168.1.50/helloworld -s -o=/dev/null -w 'http_version: %{http_version}\nstatus_code: %{response_code}\n' -HHOST:http1.lb --http1.0
```
```text
http_version: 1.1
status_code: 426
```
#### Curl HTTP1.1
```shell
curl 192.168.1.50/helloworld -s -o=/dev/null -w 'http_version: %{http_version}\nstatus_code: %{response_code}\n' -HHOST:http1.lb --http1.1
```
```text
http_version: 1.1
status_code: 200
```
#### Curl HTTP2
```shell
curl 192.168.1.50/helloworld -s -o=/dev/null -w 'http_version: %{http_version}\nstatus_code: %{response_code}\n' -HHOST:http1.lb --http2
```
```text
http_version: 1.1
status_code: 200
```
## Cleanup
```shell
kubectl delete -f ./
```
```text
service "helloworld" deleted
deployment.apps "helloworld-nginx" deleted
gateway.networking.istio.io "helloworld-gateway" deleted
virtualservice.networking.istio.io "helloworld-vs" deleted
```
# Links of Interest
- https://istio.io/latest/docs/reference/config/networking/gateway/#ServerTLSSettings-TLSProtocol
- https://stackoverflow.com/a/51279606
- https://istio.io/latest/docs/reference/config/networking/destination-rule/#ConnectionPoolSettings-HTTPSettings-H2UpgradePolicy
docker buildx build --push --platform linux/arm/v7,linux/arm64/v8,linux/amd64 --tag registery.filter.home:5000/https-demo:latest -f Dockerfile
docker buildx build --push --platform linux/arm/v7,linux/arm64/v8,linux/amd64 --tag registery.filter.home:5000/https-demo:latest .
[+] Building 0.0s (0/0)
ERROR: multiple platforms feature is currently not supported for docker driver. Please switch to a different driver (eg. "docker buildx create --use")
---
## Create the Dockerfile
```bash
FROM ubuntu/apache2
RUN apt-get update && \
apt-get install apache2 openssl -y && \
a2ensite default-ssl && \
a2enmod ssl && \
echo "<h2>Howdy</h2>" | tee /var/www/html/index.html
RUN /usr/bin/printf "<VirtualHost *:80>\n\
ServerAdmin webmaster@localhost\n\
DocumentRoot /var/www/html\n\
ErrorLog \${APACHE_LOG_DIR}/error.log\n\
CustomLog \${APACHE_LOG_DIR}/access.log combined\n\
</VirtualHost>\n\
<VirtualHost *:443>\n\
ServerAdmin webmaster@localhost\n\
DocumentRoot /var/www/html\n\
ErrorLog \${APACHE_LOG_DIR}/error.log\n\
CustomLog \${APACHE_LOG_DIR}/access.log combined\n\
SSLEngine on\n\
SSLCertificateFile /etc/ssl/certs/ssl-cert-snakeoil.pem\n\
SSLCertificateKeyFile /etc/ssl/private/ssl-cert-snakeoil.key\n\
</VirtualHost>" > /etc/apache2/sites-available/000-default.conf
RUN openssl req -x509 -sha256 -nodes -days 358000 -subj '/O=SSL EXAMPLE/CN=lb.net' -newkey rsa:2048 -keyout /etc/ssl/private/ssl-cert-snakeoil.key -out /etc/ssl/certs/ssl-cert-snakeoil.pem
```
## Build the image
Due to my Kubernetes cluster environment, where I am using Orange 5, their architecture is arm7, and for such, I require to compile such images.
For my own commodity, I have used a raspberry pi 4 to build this images.
The images where pushed to a local registry server, and afterwards the Kubernetes cluster will pull such image.
```shell
docker build --tag https-demo:armv7 .
```
```text
docker build --tag https-demo:armv7 . --no-cache
[+] Building 16.5s (8/8) FINISHED
=> [internal] load .dockerignore 0.0s
=> => transferring context: 2B 0.0s
=> [internal] load build definition from Dockerfile 0.0s
=> => transferring dockerfile: 1.09kB 0.0s
=> [internal] load metadata for docker.io/ubuntu/apache2:latest 0.4s
=> CACHED [1/4] FROM docker.io/ubuntu/apache2@sha256:0a5e7179fa8fccf17843a8862e58ac783628b7d448cd68fda8fb1e 0.0s
=> [2/4] RUN apt-get update && apt-get install apache2 openssl -y && a2ensite default-ssl && a2enmod ssl & 12.0s
=> [3/4] RUN /usr/bin/printf "<VirtualHost *:80>\n ServerAdmin webmaster@localhost\n DocumentRoot /var/www/ 0.7s
=> [4/4] RUN openssl req -x509 -sha256 -nodes -days 358000 -subj '/O=SSL EXAMPLE' -newkey rsa:2048 -keyout 2.4s
=> exporting to image 1.0s
=> => exporting layers 1.0s
=> => writing image sha256:591c6d233100a48bf132eef7a792942cfd0b7057817c4ac5e156c1d33e24cd89 0.0s
=> => naming to docker.io/library/https-demo:armv7 0.0s
```
## Tag the image
```shell
docker image tag https-demo:armv7 registery.filter.home/https-demo:armv7
```
## Upload to the registery server
```text
docker image push registery.filter.home:5000/https-demo:armv7
The push refers to repository [registery.filter.home:5000/https-demo]
c6d858706b08: Pushed
9e077e0202f0: Pushed
6ffc708d0cf3: Pushed
69e01b4bf4d7: Pushed
17c5b30f3843: Pushed
0b9f60fbcaf1: Pushed
armv7: digest: sha256:d8c81c27f23bf3945ae8a794c82182f9e6c48ec927f388fdf4a88caa0e284bd1 size: 1578
```
## ?
curl: (35) OpenSSL/3.0.8: error:0A00010B:SSL routines::wrong version numbe
---
Has apache2 installed with a default certificate.
Port 80 visible for HTTP
Port 443 visible for HTTPS.
curl https://192.168.1.2:8443 -s -o=/dev/null -w 'http_version: %{http_version}\nstatus_code: %{response_code}\n' -HHOST:http1.lb --http2 -k
http_version: 2
status_code: 200
# Recv failure: Connection reset by peer
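Review bot: this deletes the whole HTTP2 README, whose own recorded results never showed HTTP/2 working at the gateway: every `Curl HTTP2` run against `192.168.1.50/helloworld` reports `http_version: 1.1`, and the file still contains a `<text>` placeholder, an unresolved `## ?` section with `error:0A00010B:SSL routines::wrong version number`, a duplicated `service/helloworld created` block and a trailing `# Recv failure: Connection reset by peer`. If the example is being folded into the passthrough one, the only verified HTTP/2 result here is the `https://192.168.1.2:8443 ... --http2 -k` call made directly to the backend; the gateway-side HTTP/2 claim still needs a test that reaches the LB over TLS.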

View File

@ -1,11 +0,0 @@
apiVersion: security.istio.io/v1beta1
kind: PeerAuthentication
metadata:
name: default-mtls
namespace: default
spec:
mtls:
mode: DISABLE
#curl -v --resolve ":$SECURE_INGRESS_PORT:$INGRESS_HOST" --cacert example_certs/example.com.crt "https://nginx.example.com:$SECURE_INGRESS_PORT"

View File

@ -1,117 +0,0 @@
#apiVersion: networking.istio.io/v1alpha3
#kind: Gateway
#metadata:
# name: helloworld-gateway
#spec:
# selector:
## istio: myingressgateway
# istio: ingressgateway
# servers:
# - hosts:
# ["lb.net","*.lb.net"]
# port:
# name: tls-443
# number: 443
# protocol: HTTPS
# tls:
# mode: SIMPLE
# credentialName: my-tls-cert-secret
# minProtocolVersion: TLSV1_2
#---
#apiVersion: networking.istio.io/v1alpha3
#kind: VirtualService
#metadata:
# name: helloworld-vs
#spec:
# hosts:
# - "*"
# gateways:
# - helloworld-gateway
# http:
## - name: http-vs
## match:
## - port: 80
## route:
## - destination:
## host: helloworld.default.svc.cluster.local
## port:
## number: 8080
# - name: https-vs
# match:
# - port: 443
# route:
# - destination:
# host: helloworld.default.svc.cluster.local
# port:
# number: 443
##
## tls:
## - match:
## - port: 443
## sniHosts: ["lb.net"]
## route:
## - destination:
## host: helloworld.default.svc.cluster.local
## port:
## number: 443
#
##---
##apiVersion: networking.istio.io/v1alpha3
##kind: DestinationRule
##metadata:
## name: helloworld
## namespace: default
##spec:
## host: helloworld.default.svc.cluster.local
## trafficPolicy:
## portLevelSettings:
## - port:
## number: 8080
## tls:
## mode: DISABLE
#
## - port:
## number: 8443
## tls:
## credentialName: client-credential
## mode: SIMPLE
#
#
## port:
## name: https-backend
## number: 8443
## protocol: HTTPS
## tls:
## credentialName: my-tls-cert-secret
## mode: SIMPLE
## tcp:
### - match:
### - port: 80
### route:
### - destination:
### host: helloworld
### port:
### number: 8080
### - match:
### - port: 443
## - route:
## - destination:
## host: helloworld
## port:
## number: 8443
##
## tls:
## - match:
## - port: 443
## sniHosts:
## - "hello.si"
### - uri:
### exact: /helloworld
## route:
## - destination:
## host: helloworld
## port:
## number: 8443
### protocol: HTTPS
### rewrite:
### uri: "/"

View File

@ -1,74 +0,0 @@
apiVersion: v1
kind: Service
metadata:
name: helloworld
labels:
app: helloworld
service: helloworld
spec:
ports:
- name: p1
port: 80
protocol: TCP
- name: https
port: 443
protocol: TCP
selector:
app: helloworld
---
apiVersion: apps/v1
kind: Deployment
metadata:
name: helloworld-nginx
labels:
app: helloworld
spec:
replicas: 1
selector:
matchLabels:
app: helloworld
template:
metadata:
labels:
app: helloworld
sidecar.istio.io/inject: "true"
spec:
containers:
- name: helloworld
image: oriolfilter/https-apache-demo:armv7
resources:
requests:
cpu: "100m"
imagePullPolicy: IfNotPresent #Always
ports:
- containerPort: 443
---
apiVersion: apps/v1
kind: Deployment
metadata:
name: nginx
labels:
app: nginx
version: v1
spec:
replicas: 1
selector:
matchLabels:
app: nginx
version: v1
template:
metadata:
labels:
app: nginx
version: v1
spec:
# serviceAccountName: istio-helloworld
containers:
- name: nginx
image: nginx
resources:
requests:
cpu: "100m"
imagePullPolicy: IfNotPresent
ports:
- containerPort: 80
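Review bot: the deleted deployment.yaml named the plaintext service port `p1`, which gives Istio no protocol hint, and pinned the backend to `oriolfilter/https-apache-demo:armv7` with `imagePullPolicy: IfNotPresent #Always`; the replacement manifests in this PR name the port `https` and set `appProtocol`, which is the right direction. Since this is the only place the image tag appears in the diff, double-check that the surviving deployment still pins a specific tag rather than `latest`.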

View File

@ -1,36 +0,0 @@
#apiVersion: networking.istio.io/v1beta1
#kind: Gateway
#metadata:
# name: helloworld-gateway
#spec:
# selector:
# istio: ingressgateway
# servers:
# - hosts:
# - "*"
# port:
# name: https
# number: 443
# protocol: HTTPS
# tls:
# mode: PASSTHROUGH
#---
#apiVersion: networking.istio.io/v1beta1
#kind: VirtualService
#metadata:
# name: helloworld-vs
#spec:
# gateways:
# - helloworld-gateway
# hosts: ["lb.net","*.lb.net"]
## http:
## - route:
## - destination:
## host: helloworld.default.svc.cluster.local
##spec:
# tls:
# - match:
# - sniHosts: ["lb.net","*.lb.net"]
# route:
# - destination:
# host: helloworld.default.svc.cluster.local

View File

@ -1,85 +0,0 @@
apiVersion: networking.istio.io/v1alpha3
kind: Gateway
metadata:
name: helloworld-gateway
spec:
selector:
# istio: myingressgateway
istio: ingressgateway
servers:
# - port:
# number: 443
# name: secure-http2
# protocol: HTTP2
# hosts:
# - "*"
- port:
number: 80
name: http2-i
protocol: HTTP2
hosts:
- "*"
- port:
number: 443
name: https-i
protocol: HTTPS
hosts:
- "*"
tls:
credentialName: my-tls-cert-secret
minProtocolVersion: TLSV1_2
#
mode: SIMPLE
---
apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
name: helloworld-vs
spec:
hosts: ["lb.net"]
gateways:
- helloworld-gateway
http:
- name: http-vs
match:
- port: 80
route:
- destination:
host: helloworld.default.svc.cluster.local
port:
number: 80
- name: https-vs
match:
- port: 443
sniHosts: ["lb.net"]
route:
- destination:
host: helloworld.default.svc.cluster.local
port:
number: 443
# tls:
# - match:
# - sniHosts: ["lb.net"]
# route:
# - destination:
# host: helloworld.default.svc.cluster.local
---
apiVersion: networking.istio.io/v1alpha3
kind: DestinationRule
metadata:
name: helloworld
namespace: default
spec:
host: helloworld.default.svc.cluster.local
trafficPolicy:
portLevelSettings:
- port:
number: 8080
tls:
mode: DISABLE
#
- port:
number: 443
tls:
credentialName: client-credential
mode: DISABLE
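Review bot: in the deleted DestinationRule the 443 entry combines `credentialName: client-credential` with `mode: DISABLE`; `credentialName` only has an effect for `SIMPLE`/`MUTUAL` TLS origination and is ignored under `DISABLE`, so the old file was never presenting a client certificate to the backend despite what the field name suggests. Removing this file and moving to a single `tls` match in the new gateway.yaml is the cleaner model.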

View File

@ -1,29 +0,0 @@
apiVersion: install.istio.io/v1alpha1
kind: IstioOperator
metadata:
name: ingress
spec:
profile: empty # Do not install CRDs or the control plane
components:
ingressGateways:
- name: myistio-ingressgateway
namespace: istio-ingress
enabled: true
label:
istio: myingressgateway
k8s:
service:
ports:
- name: https-ingress
port: 443
protocol: TCP
targetPort: 1055
- name: http-ingress
port: 80
protocol: TCP
targetPort: 1085
values:
gateways:
istio-ingressgateway:
injectionTemplate: gateway

View File

@ -6,6 +6,3 @@ metadata:
spec:
mtls:
mode: DISABLE
#curl -v --resolve ":$SECURE_INGRESS_PORT:$INGRESS_HOST" --cacert example_certs/example.com.crt "https://nginx.example.com:$SECURE_INGRESS_PORT"