From 31fbb11a681f671a9cf30601215578a695a3a450 Mon Sep 17 00:00:00 2001
From: Faseela K
Date: Wed, 7 Jun 2023 09:08:03 +0200
Subject: [PATCH] Enhance mTLS origination example (#13297)
* Enhance mTLS origination example
Signed-off-by: Faseela K
* rebase
Signed-off-by: Faseela K
---------
Signed-off-by: Faseela K
---
 .../egress/egress-tls-origination/index.md | 29 +++++++++++++++++--
 .../egress/egress-tls-origination/snips.sh | 24 +++++++++++++--
 2 files changed, 48 insertions(+), 5 deletions(-)
diff --git a/content/en/docs/tasks/traffic-management/egress/egress-tls-origination/index.md b/content/en/docs/tasks/traffic-management/egress/egress-tls-origination/index.md
index a1f718bf87..3a4e986f0f 100644
--- a/content/en/docs/tasks/traffic-management/egress/egress-tls-origination/index.md
+++ b/content/en/docs/tasks/traffic-management/egress/egress-tls-origination/index.md
@@ -246,11 +246,28 @@ Follow [these steps](/docs/tasks/traffic-management/egress/egress-gateway-tls-or
 ### Configure mutual TLS origination for egress traffic at sidecar
-1. Add a `DestinationRule` to perform mutual TLS origination
+1. Add a `ServiceEntry` to redirect HTTP requests to port 443 and add a `DestinationRule` to perform mutual TLS origination:
 {{< text bash >}}
 $ kubectl apply -f - <}} + The above `DestinationRule` will perform mTLS origination for HTTP requests on port 80 and the `ServiceEntry` + will then redirect the requests on port 80 to target port 443. + 1. Verify that the credential is supplied to the sidecar and active. {{< text bash >}} 
@@ -283,7 +303,7 @@ Follow [these steps](/docs/tasks/traffic-management/egress/egress-gateway-tls-or
 1. Send an HTTP request to `http://my-nginx.mesh-external.svc.cluster.local`:
 {{< text bash >}}
- $ kubectl exec "$(kubectl get pod -l app=sleep -o jsonpath={.items..metadata.name})" -c sleep -- curl -sS http://my-nginx.mesh-external.svc.cluster.local:443
+ $ kubectl exec "$(kubectl get pod -l app=sleep -o jsonpath={.items..metadata.name})" -c sleep -- curl -sS http://my-nginx.mesh-external.svc.cluster.local
@@ -310,10 +330,13 @@ Follow [these steps](/docs/tasks/traffic-management/egress/egress-gateway-tls-or
 {{< text bash >}}
 $ kubectl delete secret nginx-server-certs nginx-ca-certs -n mesh-external
 $ kubectl delete secret client-credential
+ $ kubectl delete rolebinding client-credential-role-binding
+ $ kubectl delete role client-credential-role
 $ kubectl delete configmap nginx-configmap -n mesh-external
 $ kubectl delete service my-nginx -n mesh-external
 $ kubectl delete deployment my-nginx -n mesh-external
 $ kubectl delete namespace mesh-external
+ $ kubectl delete serviceentry originate-mtls-for-nginx
 $ kubectl delete destinationrule originate-mtls-for-nginx
 {{< /text >}}
diff --git a/content/en/docs/tasks/traffic-management/egress/egress-tls-origination/snips.sh b/content/en/docs/tasks/traffic-management/egress/egress-tls-origination/snips.sh
index 71d433b548..9d1c452d1f 100644
--- a/content/en/docs/tasks/traffic-management/egress/egress-tls-origination/snips.sh
+++ b/content/en/docs/tasks/traffic-management/egress/egress-tls-origination/snips.sh
@@ -136,6 +136,23 @@ kubectl create rolebinding client-credential-role-binding --role=client-credenti
 snip_configure_mutual_tls_origination_for_egress_traffic_at_sidecar_1() {
 kubectl apply -f - <