in progress migration, backing progress.

Migrations/Forget_Traefik_2023/Istio/External_Services/01-Namespace.yaml

@@ -0,0 +1,6 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: external
+  labels:
+    istio-injection: "enabled"

Migrations/Forget_Traefik_2023/Istio/External_Services/Filebrowser/DestinationRule.yaml

@@ -0,0 +1,14 @@
+apiVersion: networking.istio.io/v1alpha3
+kind: DestinationRule
+metadata:
+  name: filebrowser
+#  namespace: default
+  namespace: external
+spec:
+  host: "filebrowser.filterhome.xyz"
+  trafficPolicy:
+    tls:
+      mode: SIMPLE
+    connectionPool:
+      http:
+        h2UpgradePolicy: UPGRADE

Migrations/Forget_Traefik_2023/Istio/External_Services/Filebrowser/ServiceEntry.yaml

@@ -0,0 +1,20 @@
+apiVersion: networking.istio.io/v1alpha3
+kind: ServiceEntry
+metadata:
+  name: filebrowser-se
+#  namespace: default
+  namespace: external
+spec:
+  hosts:
+    - filebrowser.filterhome.xyz
+    - filebrowser.filterhome.duckdns.org
+    - filebrowser.filter.home
+  location: MESH_INTERNAL
+  ports:
+    - number: 443
+      name: https
+      protocol: HTTPS
+  resolution: NONE
+  workloadSelector:
+    labels:
+      host: srv

Migrations/Forget_Traefik_2023/Istio/External_Services/Filebrowser/VirtualService.yaml

@@ -0,0 +1,23 @@
+apiVersion: networking.istio.io/v1alpha3
+kind: VirtualService
+metadata:
+  name: filebrowser-vs
+#  namespace: default
+  namespace: external
+spec:
+  hosts:
+    - "filebrowser.filter.home"
+    - "filebrowser.filterhome.xyz"
+    - "filebrowser.filterhome.duckdns.org"
+  gateways:
+    - default/public-gateway
+  http:
+    - route:
+        - destination:
+            host: filebrowser.filterhome.xyz
+            port:
+              number: 443
+#          headers:
+#            request:
+#              set:
+#                HOST: "filebrowser.filterhome.xyz"

Migrations/Forget_Traefik_2023/Istio/External_Services/Gateway.yaml

@@ -0,0 +1,63 @@
+apiVersion: networking.istio.io/v1alpha3
+kind: Gateway
+metadata:
+  name: public-gateway
+  namespace: default
+spec:
+  selector:
+    istio: ingressgateway
+  servers:
+    - port:
+        number: 80
+        name: http
+        protocol: HTTP
+      hosts:
+        - "*"
+#          - "*.filterhome.xyz"
+#          - "filterhome.xyz"
+#
+#          - "filterhome.duckdns.org"
+#          - "*.filterhome.duckdns.org"
+      tls:
+        httpsRedirect: true
+    - port:
+        number: 443
+        name: https
+        protocol: HTTPS
+      hosts:
+        - "*.filterhome.xyz"
+        - "filterhome.xyz"
+
+        - "filterhome.duckdns.org"
+        - "*.filterhome.duckdns.org"
+      tls:
+        mode: SIMPLE
+        credentialName: filterhome-domain-cert-public
+---
+#apiVersion: networking.istio.io/v1alpha3
+#kind: Gateway
+#metadata:
+#  name: home-gateway
+#spec:
+#  selector:
+#    istio: ingressgateway
+#  servers:
+#    - port:
+#        number: 80
+#        name: http
+#        protocol: HTTP
+#      hosts:
+#        - "*.filter.home"
+#        - "filter.home"
+#    #      tls:
+#    #        httpsRedirect: true
+##    - port:
+##        number: 443
+##        name: secure-http
+##        protocol: HTTPS
+##      hosts:
+##        - "*.filter.home"
+##        - "filter.home"
+##      tls:
+##        mode: SIMPLE
+##        credentialName: filterhome-domain-cert-public

Migrations/Forget_Traefik_2023/Istio/External_Services/Gitea/DestinationRule.yaml

@@ -0,0 +1,14 @@
+apiVersion: networking.istio.io/v1alpha3
+kind: DestinationRule
+metadata:
+  name: gitea
+#  namespace: default
+  namespace: external
+spec:
+  host: "gitea.filterhome.xyz"
+  trafficPolicy:
+    tls:
+      mode: SIMPLE
+    connectionPool:
+      http:
+        h2UpgradePolicy: UPGRADE

Migrations/Forget_Traefik_2023/Istio/External_Services/Gitea/ServiceEntry.yaml

@@ -0,0 +1,20 @@
+apiVersion: networking.istio.io/v1alpha3
+kind: ServiceEntry
+metadata:
+  name: gitea-se
+#  namespace: default
+  namespace: external
+spec:
+  hosts:
+    - gitea.filterhome.xyz
+    - gitea.filterhome.duckdns.org
+    - gitea.filter.home
+  location: MESH_INTERNAL
+  ports:
+    - number: 443
+      name: https
+      protocol: HTTPS
+  resolution: NONE
+  workloadSelector:
+    labels:
+      host: srv

Migrations/Forget_Traefik_2023/Istio/External_Services/Gitea/VirtualService.yaml

@@ -0,0 +1,23 @@
+apiVersion: networking.istio.io/v1alpha3
+kind: VirtualService
+metadata:
+  name: gitea-vs
+#  namespace: default
+  namespace: external
+spec:
+  hosts:
+    - "gitea.filter.home"
+    - "gitea.filterhome.xyz"
+    - "gitea.filterhome.duckdns.org"
+  gateways:
+    - default/public-gateway
+  http:
+    - route:
+        - destination:
+            host: gitea.filterhome.xyz
+            port:
+              number: 443
+#          headers:
+#            request:
+#              set:
+#                HOST: "gitea.filterhome.xyz"

Migrations/Forget_Traefik_2023/Istio/External_Services/Hosts.yaml

@@ -0,0 +1,9 @@
+apiVersion: networking.istio.io/v1alpha3
+kind: WorkloadEntry
+metadata:
+  name: srv-host
+  namespace: external
+spec:
+  address: 192.168.1.3
+  labels:
+    host: srv

Migrations/Forget_Traefik_2023/Istio/External_Services/Jelly/DestinationRule.yaml

@@ -0,0 +1,14 @@
+apiVersion: networking.istio.io/v1alpha3
+kind: DestinationRule
+metadata:
+  name: jelly
+#  namespace: default
+  namespace: external
+spec:
+  host: "jelly.filterhome.xyz"
+  trafficPolicy:
+    tls:
+      mode: SIMPLE
+    connectionPool:
+      http:
+        h2UpgradePolicy: UPGRADE

Migrations/Forget_Traefik_2023/Istio/External_Services/Jelly/ServiceEntry.yaml

@@ -0,0 +1,20 @@
+apiVersion: networking.istio.io/v1alpha3
+kind: ServiceEntry
+metadata:
+  name: jelly-se
+#  namespace: default
+  namespace: external
+spec:
+  hosts:
+    - jelly.filterhome.xyz
+    - jelly.filterhome.duckdns.org
+    - jelly.filter.home
+  location: MESH_INTERNAL
+  ports:
+    - number: 443
+      name: https
+      protocol: HTTPS
+  resolution: NONE
+  workloadSelector:
+    labels:
+      host: srv

Migrations/Forget_Traefik_2023/Istio/External_Services/Jelly/VirtualService.yaml

@@ -0,0 +1,23 @@
+apiVersion: networking.istio.io/v1alpha3
+kind: VirtualService
+metadata:
+  name: jelly-vs
+#  namespace: default
+  namespace: external
+spec:
+  hosts:
+    - "jelly.filter.home"
+    - "jelly.filterhome.xyz"
+    - "jelly.filterhome.duckdns.org"
+  gateways:
+    - default/public-gateway
+  http:
+    - route:
+        - destination:
+            host: jelly.filterhome.xyz
+            port:
+              number: 443
+#          headers:
+#            request:
+#              set:
+#                HOST: "jelly.filterhome.xyz"

Migrations/Forget_Traefik_2023/Istio/External_Services/Tube/DestinationRule.yaml

@@ -0,0 +1,14 @@
+apiVersion: networking.istio.io/v1alpha3
+kind: DestinationRule
+metadata:
+  name: tube
+#  namespace: default
+  namespace: external
+spec:
+  host: "tube.filterhome.xyz"
+  trafficPolicy:
+    tls:
+      mode: SIMPLE
+    connectionPool:
+      http:
+        h2UpgradePolicy: UPGRADE

Migrations/Forget_Traefik_2023/Istio/External_Services/Tube/ServiceEntry.yaml

@@ -0,0 +1,20 @@
+apiVersion: networking.istio.io/v1alpha3
+kind: ServiceEntry
+metadata:
+  name: tube-se
+#  namespace: default
+  namespace: external
+spec:
+  hosts:
+    - tube.filterhome.xyz
+    - tube.filterhome.duckdns.org
+    - tube.filter.home
+  location: MESH_INTERNAL
+  ports:
+    - number: 443
+      name: https
+      protocol: HTTPS
+  resolution: NONE
+  workloadSelector:
+    labels:
+      host: srv

Migrations/Forget_Traefik_2023/Istio/External_Services/Tube/VirtualService.yaml

@@ -0,0 +1,23 @@
+apiVersion: networking.istio.io/v1alpha3
+kind: VirtualService
+metadata:
+  name: tube-vs
+#  namespace: default
+  namespace: external
+spec:
+  hosts:
+    - "tube.filter.home"
+    - "tube.filterhome.xyz"
+    - "tube.filterhome.duckdns.org"
+  gateways:
+    - default/public-gateway
+  http:
+    - route:
+        - destination:
+            host: tube.filterhome.xyz
+            port:
+              number: 443
+#          headers:
+#            request:
+#              set:
+#                HOST: "tube.filterhome.xyz"

Migrations/Forget_Traefik_2023/Istio/Issuer.yaml

@@ -0,0 +1,57 @@
+apiVersion: cert-manager.io/v1
+kind: ClusterIssuer
+metadata:
+  name: letsencrypt-public
+  namespace: istio-system
+spec:
+  acme:
+    # The ACME server URL
+#    server: https://acme-staging-v02.api.letsencrypt.org/directory # Testing
+    server: https://acme-v02.api.letsencrypt.org/directory # Prod
+    # Email address used for ACME registration
+    email: filter.oriol@gmail.com
+    # Name of a secret used to store the ACME account private key
+    privateKeySecretRef:
+      name: letsencrypt-public
+    # Enable the HTTP-01 challenge provider
+    solvers:
+      - http01:
+          ingress:
+            class: istio
+---
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+  name: filterhome-domain-cert-public
+  namespace: istio-system
+spec:
+  secretName: filterhome-domain-cert-public
+  duration: 48h # 90d
+  renewBefore: 2h # 15d
+  isCA: false
+  privateKey:
+    algorithm: RSA
+    encoding: PKCS1
+    size: 4096
+    rotationPolicy: Always
+  usages:
+    - server auth
+    - client auth
+  dnsNames:
+#    - "*.filterhome.xyz"
+
+    # Gitea
+    - "gitea.filterhome.xyz"
+
+    # Jellyfin
+    - "jelly.filterhome.xyz"
+
+    # Filebrowser
+    - "filebrowser.filterhome.xyz"
+
+    # Tube
+    - "tube.filterhome.xyz"
+  issuerRef:
+    name: letsencrypt-public
+    kind: ClusterIssuer
+    group: cert-manager.io

Migrations/Forget_Traefik_2023/README.md

@@ -68,6 +68,30 @@ Slave01: 192.168.1.11
 
 - Another option would be, moving everything to the SRV and use that meanwhile, this would allow for less downtime, and I could get to do whatever I want with the Pi4 and Cluster in the meantime, could deploy the `Traefik` with the Pi4 IP (.2) to allow for *shooting down the Pi4 shenanigans*.
 
+### Regarding the Cert-Manager
+
+> https://cert-manager.io/
+
+`HTTP01 challenge`, doesn't allow for wildcard certificates, therefore, for better comfort, use the `DNS01 challange`.
+
+Current Issue? For X and y, I need to wait for a while for the DNS provider to release the domain and acquire it back again.
+
+### Core services
+
+- Tube
+ 
+- Jellyfin
+
+- Gitea
+
+- Filebrowser
+
+## Limitations
+
+- Limited hardware
+
+- Only 1 external IP / router, therefore I need to do some Cert Manager tests before.
+
 ## Pi4 Storage related-specific
 
 - If I keep using a SSD, 3D print a base for it, the Pi4 doesn't need a shell as it already has one, but just a platform that allows the Pi4 to sit on the top.  
@@ -103,21 +127,27 @@ Slave01: 192.168.1.11
 
 [//]: # (> Started 19/July/2023)
 
-- [ ] Deploy Certificate Manager on the current `Kluster` with let's encrypt certificate provisioning. 
+[//]: # (> Finished /July/2023)
 
-- [ ] Deploy an Istio Ingress to allow access to the Gitea service.
 
-- [ ] Update the router `Virtual Service Port Mapping` to set the Istio Ingress deployed as the new Public Ingress.
+- [x] Deploy Certificate Manager on the current `Kluster` with let's encrypt certificate provisioning. 
 
-- [ ] Ensure the Certificates are being provisioned.
+- [ ] Deploy an Istio Ingress Gateway to allow access to the "core" services.
+
+- [ ] Deploy an Istio Egress Gateway to allow egress towards the "core" services.
+
+- [x] Update the router `Virtual Service Port Mapping` to set the Istio Ingress deployed as the new Public Ingress.
+
+- [x] Ensure the Certificates are being provisioned.
 
 #### Rollback plan
 
-- As much, delete the deployed configurations.
+- Delete the deployed configurations.
+- Update the router `Virtual Service Port Mapping` to set back the Traefik Ingress form the Pi4 host.
 
 ### Part 3
 
-- [ ] Configure Istio to route traffic towards Jellyfin and Filebrowser services.
+- [x] Configure Istio to route traffic towards Jellyfin and Filebrowser services.
 
 - [ ] Backup the Istio/Kubernetes configurations used.
 
@@ -139,6 +169,9 @@ Slave01: 192.168.1.11
 
 - [ ] ~~Wipe~~ (**don't wipe** just use a different drive) and recreate the current `Kluster`, this time using the Pi4 as a _master_, and the 2 Orange Pi5 as _slaves_ (this will require updating the DNS/DHCP local services).
 
+> **Note**:\
+> I can make a new cluster on the Pi4, and remove the taint that prevents from scheduling pods on that node. Deploy everything inside (a well a LB with the same exact IP than the current one, and proceed to stop the Orange PI 5), then "reformat" the OPi5s with a new distro, install stuff etc, and join them to the cluster running on the Pi4. 
+
 - [ ] Update the `Current Setup` documentation with the new container and architecture rearrangement. 
 
 - [ ] Deploy NFS service on the `media SRV` host.
@@ -147,6 +180,10 @@ Slave01: 192.168.1.11
 
 - [ ] Update the `Current Setup` documentation with the new container and architecture rearrangement.
 
+### Part 6
+
+- Set wildcards certificates.
+
 #### Rollback plan
 
 - Revert orange Pi 5 to the previous drive.
@@ -157,9 +194,9 @@ Slave01: 192.168.1.11
 
 - Run the old migrated services back on the `media SRV` host.
 
-## Execution
-
+# Execution
 
+## Part 1
 ### Transfer local network dependencies services from Pi4 to SRV.
 
 #### Install ZIP on `Pi4`
@@ -792,7 +829,9 @@ x-frame-options: DENY
 x-xss-protection: 1; mode=block
 ```
 
-...
+## Part 2 & 3
+
+
 
 **I am HERE right now**
 

README.md

@@ -119,8 +119,7 @@ Traefik generates public certificates automatically
 
 #### Kluster
 
-> Idk I can run whatever I want.
-> 
+> Idk I can run whatever I want.\
 > So far been a playground of Istio for me to create [an Istio documentation](https://gitea.filterhome.xyz/ofilter/Istio_Examples).