Enhance mTLS origination example (#13297)

* Enhance mTLS origination example

Signed-off-by: Faseela K <faseela.k@est.tech>

* rebase

Signed-off-by: Faseela K <faseela.k@est.tech>

---------

Signed-off-by: Faseela K <faseela.k@est.tech>

content/en/docs/tasks/traffic-management/egress/egress-tls-origination/index.md

@@ -246,11 +246,28 @@ Follow [these steps](/docs/tasks/traffic-management/egress/egress-gateway-tls-or
 
 ### Configure mutual TLS origination for egress traffic at sidecar
 
-1.  Add a `DestinationRule` to perform mutual TLS origination
+1.  Add a `ServiceEntry` to redirect HTTP requests to port 443 and add a `DestinationRule` to perform mutual TLS origination:
 
     {{< text bash >}}
     $ kubectl apply -f - <<EOF
     apiVersion: networking.istio.io/v1alpha3
+    kind: ServiceEntry
+    metadata:
+      name: originate-mtls-for-nginx
+    spec:
+      hosts:
+      - my-nginx.mesh-external.svc.cluster.local
+      ports:
+      - number: 80
+        name: http-port
+        protocol: HTTP
+        targetPort: 443
+      - number: 443
+        name: https-port
+        protocol: HTTPS
+      resolution: DNS
+    ---
+    apiVersion: networking.istio.io/v1alpha3
     kind: DestinationRule
     metadata:
       name: originate-mtls-for-nginx
@@ -264,7 +281,7 @@ Follow [these steps](/docs/tasks/traffic-management/egress/egress-gateway-tls-or
           simple: ROUND_ROBIN
         portLevelSettings:
         - port:
-            number: 443
+            number: 80
           tls:
             mode: MUTUAL
             credentialName: client-credential # this must match the secret created earlier to hold client certs, and works only when DR has a workloadSelector
@@ -272,6 +289,9 @@ Follow [these steps](/docs/tasks/traffic-management/egress/egress-gateway-tls-or
     EOF
     {{< /text >}}
 
+    The above `DestinationRule` will perform mTLS origination for HTTP requests on port 80 and the `ServiceEntry`
+    will then redirect the requests on port 80 to target port 443.
+
 1.  Verify that the credential is supplied to the sidecar and active.
 
     {{< text bash >}}
@@ -283,7 +303,7 @@ Follow [these steps](/docs/tasks/traffic-management/egress/egress-gateway-tls-or
 1.  Send an HTTP request to `http://my-nginx.mesh-external.svc.cluster.local`:
 
     {{< text bash >}}
-    $ kubectl exec "$(kubectl get pod -l app=sleep -o jsonpath={.items..metadata.name})" -c sleep -- curl -sS http://my-nginx.mesh-external.svc.cluster.local:443
+    $ kubectl exec "$(kubectl get pod -l app=sleep -o jsonpath={.items..metadata.name})" -c sleep -- curl -sS http://my-nginx.mesh-external.svc.cluster.local
     <!DOCTYPE html>
     <html>
     <head>
@@ -310,10 +330,13 @@ Follow [these steps](/docs/tasks/traffic-management/egress/egress-gateway-tls-or
     {{< text bash >}}
     $ kubectl delete secret nginx-server-certs nginx-ca-certs -n mesh-external
     $ kubectl delete secret client-credential
+    $ kubectl delete rolebinding client-credential-role-binding
+    $ kubectl delete role client-credential-role
     $ kubectl delete configmap nginx-configmap -n mesh-external
     $ kubectl delete service my-nginx -n mesh-external
     $ kubectl delete deployment my-nginx -n mesh-external
     $ kubectl delete namespace mesh-external
+    $ kubectl delete serviceentry originate-mtls-for-nginx
     $ kubectl delete destinationrule originate-mtls-for-nginx
     {{< /text >}}
 

content/en/docs/tasks/traffic-management/egress/egress-tls-origination/snips.sh

@@ -136,6 +136,23 @@ kubectl create rolebinding client-credential-role-binding --role=client-credenti
 snip_configure_mutual_tls_origination_for_egress_traffic_at_sidecar_1() {
 kubectl apply -f - <<EOF
 apiVersion: networking.istio.io/v1alpha3
+kind: ServiceEntry
+metadata:
+  name: originate-mtls-for-nginx
+spec:
+  hosts:
+  - my-nginx.mesh-external.svc.cluster.local
+  ports:
+  - number: 80
+    name: http-port
+    protocol: HTTP
+    targetPort: 443
+  - number: 443
+    name: https-port
+    protocol: HTTPS
+  resolution: DNS
+---
+apiVersion: networking.istio.io/v1alpha3
 kind: DestinationRule
 metadata:
   name: originate-mtls-for-nginx
@@ -149,7 +166,7 @@ spec:
       simple: ROUND_ROBIN
     portLevelSettings:
     - port:
-        number: 443
+        number: 80
       tls:
         mode: MUTUAL
         credentialName: client-credential # this must match the secret created earlier to hold client certs, and works only when DR has a workloadSelector
@@ -167,7 +184,7 @@ kubernetes://client-credential-cacert     Cert Chain     ACTIVE     true
 ENDSNIP
 
 snip_configure_mutual_tls_origination_for_egress_traffic_at_sidecar_3() {
-kubectl exec "$(kubectl get pod -l app=sleep -o jsonpath={.items..metadata.name})" -c sleep -- curl -sS http://my-nginx.mesh-external.svc.cluster.local:443
+kubectl exec "$(kubectl get pod -l app=sleep -o jsonpath={.items..metadata.name})" -c sleep -- curl -sS http://my-nginx.mesh-external.svc.cluster.local
 }
 
 ! read -r -d '' snip_configure_mutual_tls_origination_for_egress_traffic_at_sidecar_3_out <<\ENDSNIP
@@ -185,10 +202,13 @@ kubectl logs -l app=sleep -c istio-proxy | grep 'my-nginx.mesh-external.svc.clus
 snip_cleanup_the_mutual_tls_origination_configuration_1() {
 kubectl delete secret nginx-server-certs nginx-ca-certs -n mesh-external
 kubectl delete secret client-credential
+kubectl delete rolebinding client-credential-role-binding
+kubectl delete role client-credential-role
 kubectl delete configmap nginx-configmap -n mesh-external
 kubectl delete service my-nginx -n mesh-external
 kubectl delete deployment my-nginx -n mesh-external
 kubectl delete namespace mesh-external
+kubectl delete serviceentry originate-mtls-for-nginx
 kubectl delete destinationrule originate-mtls-for-nginx
 }