#!/bin/bash
# shellcheck disable=SC2034,SC2153,SC2155,SC2164

# Copyright Istio Authors. All Rights Reserved.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.

####################################################################################################
# WARNING: THIS IS AN AUTO-GENERATED FILE, DO NOT EDIT. PLEASE MODIFY THE ORIGINAL MARKDOWN FILE:
# docs/tasks/traffic-management/ingress/secure-ingress/index.md
####################################################################################################
#
# Each snip_* function below wraps one command block from that page; each matching
# *_out variable holds the output the page shows for it. INGRESS_HOST and
# SECURE_INGRESS_PORT are expected from the environment (hence SC2153).
# All key material generated here is demo-only: unencrypted RSA keys on disk,
# a throw-away CA, and leaf certificates without subjectAltName or EKU.

# Shows whether the local curl is linked against LibreSSL.
# The page needs this because the "wrong CA" failure later in the task is
# reported differently by LibreSSL than by OpenSSL; grep exits non-zero when
# curl is not built on LibreSSL, which is exactly the signal wanted here.
snip_before_you_begin_1() {
grep LibreSSL < <(curl --version)
}
# Expected output of snip_before_you_begin_1 on a macOS curl built against
# LibreSSL. `read -d ''` slurps the whole here-doc (leading/trailing
# newlines trimmed by IFS) and returns non-zero at end of input, so the
# status is discarded instead of negated.
read -r -d '' snip_before_you_begin_1_out <<'ENDSNIP' || true
curl 7.54.0 (x86_64-apple-darwin17.0) libcurl/7.54.0 LibreSSL/2.0.20 zlib/1.2.11 nghttp2/1.24.0
ENDSNIP
# Creates the demo root CA: a self-signed (-x509) SHA-256 certificate for
# O=example Inc./CN=example.com with a fresh 2048-bit RSA key, valid 365 days.
# -nodes writes example.com.key unencrypted, so anyone who can read the
# working directory can sign certificates this cluster will trust; fine for a
# walkthrough, never for a real CA.
snip_generate_client_and_server_certificates_and_keys_1() {
openssl req -x509 -sha256 -nodes -days 365 -newkey rsa:2048 \
  -subj '/O=example Inc./CN=example.com' \
  -keyout example.com.key -out example.com.crt
}
# Issues the server certificate for httpbin.example.com: a CSR with a new
# 2048-bit key (again unencrypted via -nodes), then signed by the demo CA.
#
# Caveats a reader should know before copying this:
#  - Only a CN is set, no subjectAltName. curl still matches the CN, but
#    clients that require SAN will reject this certificate.
#  - No extensions are added (no -extfile/-extensions), so the leaf has no
#    EKU or basicConstraints; nothing marks it as server-only.
#  - -set_serial 0: RFC 5280 requires a positive serial number; 0 is
#    accepted by OpenSSL but is non-conforming.
snip_generate_client_and_server_certificates_and_keys_2() {
openssl req -out httpbin.example.com.csr -newkey rsa:2048 -nodes \
  -keyout httpbin.example.com.key \
  -subj "/CN=httpbin.example.com/O=httpbin organization"
openssl x509 -req -sha256 -days 365 \
  -CA example.com.crt -CAkey example.com.key -set_serial 0 \
  -in httpbin.example.com.csr -out httpbin.example.com.crt
}
# Stores the httpbin server key and certificate as a kubernetes.io/tls secret.
# It is created in istio-system because the Gateway below references it by
# name (credentialName) and the ingress gateway reads credentials from its
# own namespace. Anyone with read access to secrets in istio-system can
# recover this private key.
snip_configure_a_tls_ingress_gateway_for_a_single_host_1() {
kubectl create secret tls httpbin-credential -n istio-system \
  --key=httpbin.example.com.key \
  --cert=httpbin.example.com.crt
}
# Applies a Gateway on the default ingress gateway (selector istio: ingressgateway)
# terminating HTTPS on 443 for httpbin.example.com only.
#  - tls.mode SIMPLE: server authentication only, clients are not asked for a
#    certificate.
#  - credentialName must equal the secret name created in the previous step.
# The manifest below is unchanged from the page; only its YAML indentation is
# restored here so it parses.
snip_configure_a_tls_ingress_gateway_for_a_single_host_2() {
kubectl apply -f - <<EOF
apiVersion: networking.istio.io/v1alpha3
kind: Gateway
metadata:
  name: mygateway
spec:
  selector:
    istio: ingressgateway # use istio default ingress gateway
  servers:
  - port:
      number: 443
      name: https
      protocol: HTTPS
    tls:
      mode: SIMPLE
      credentialName: httpbin-credential # must be the same as secret
    hosts:
    - httpbin.example.com
EOF
}
# Routes traffic that arrived through mygateway for httpbin.example.com to the
# httpbin service on port 8000. Only the /status and /delay URI prefixes are
# matched, so every other path gets no route (a 404 from the gateway) rather
# than exposing the whole httpbin API.
snip_configure_a_tls_ingress_gateway_for_a_single_host_3() {
kubectl apply -f - <<EOF
apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
  name: httpbin
spec:
  hosts:
  - "httpbin.example.com"
  gateways:
  - mygateway
  http:
  - match:
    - uri:
        prefix: /status
    - uri:
        prefix: /delay
    route:
    - destination:
        port:
          number: 8000
        host: httpbin
EOF
}
# Sends an HTTPS request for httpbin.example.com to the ingress.
#  - --resolve pins the demo hostname to $INGRESS_HOST:$SECURE_INGRESS_PORT
#    without touching DNS, so SNI and hostname verification still use the
#    real name.
#  - --cacert trusts only the demo CA; verification is real, not skipped with -k.
# The explicit Host header duplicates what curl derives from the URL; it is
# kept as on the page.
snip_configure_a_tls_ingress_gateway_for_a_single_host_4() {
local target="https://httpbin.example.com:$SECURE_INGRESS_PORT/status/418"
curl -v -HHost:httpbin.example.com \
  --resolve "httpbin.example.com:$SECURE_INGRESS_PORT:$INGRESS_HOST" \
  --cacert example.com.crt "$target"
}
# Removes the gateway credential so it can be re-created with fresh material
# in the next step (the rotation demonstration). Fails if the secret is
# absent; the cleanup section uses --ignore-not-found for the unconditional case.
snip_configure_a_tls_ingress_gateway_for_a_single_host_5() {
kubectl delete secret httpbin-credential -n istio-system
}
# Rotates the credential: builds a brand-new CA and httpbin certificate under
# new_certificates/ and re-creates the httpbin-credential secret from them.
# The new CA has the same subject as the old one but a different key, which
# is what makes the old example.com.crt fail as a trust anchor in step 8.
# Same demo caveats as before: unencrypted keys (-nodes), CN only (no SAN),
# no extensions, serial 0. mkdir has no -p, so the step is not re-runnable
# without removing the directory first.
snip_configure_a_tls_ingress_gateway_for_a_single_host_6() {
local dir=new_certificates
mkdir "$dir"
openssl req -x509 -sha256 -nodes -days 365 -newkey rsa:2048 \
  -subj '/O=example Inc./CN=example.com' \
  -keyout "$dir/example.com.key" -out "$dir/example.com.crt"
openssl req -out "$dir/httpbin.example.com.csr" -newkey rsa:2048 -nodes \
  -keyout "$dir/httpbin.example.com.key" \
  -subj "/CN=httpbin.example.com/O=httpbin organization"
openssl x509 -req -sha256 -days 365 \
  -CA "$dir/example.com.crt" -CAkey "$dir/example.com.key" -set_serial 0 \
  -in "$dir/httpbin.example.com.csr" -out "$dir/httpbin.example.com.crt"
kubectl create secret tls httpbin-credential -n istio-system \
  --key="$dir/httpbin.example.com.key" \
  --cert="$dir/httpbin.example.com.crt"
}
# Same request as step 4, but trusting the NEW CA certificate. This should
# succeed once the gateway has picked up the rotated secret.
snip_configure_a_tls_ingress_gateway_for_a_single_host_7() {
local target="https://httpbin.example.com:$SECURE_INGRESS_PORT/status/418"
curl -v -HHost:httpbin.example.com \
  --resolve "httpbin.example.com:$SECURE_INGRESS_PORT:$INGRESS_HOST" \
  --cacert new_certificates/example.com.crt "$target"
}
# Expected (elided) output of step 7: an HTTP/2 418 with httpbin's teapot.
# NOTE(review): the leading indentation of the ASCII art appears to have been
# stripped in this copy of the file; compare against the page before relying
# on an exact match.
read -r -d '' snip_configure_a_tls_ingress_gateway_for_a_single_host_7_out <<'ENDSNIP' || true
...
HTTP/2 418
...
-=[ teapot ]=-

_...._
.' _ _ `.
| ."` ^ `". _,
\_;`"---"`|//
| ;/
\_ _/
`"""`
ENDSNIP
# Negative check for the rotation: trust the OLD CA (example.com.crt) while
# the gateway now presents a certificate from the new one. curl must refuse
# the connection; a success here would mean the old trust anchor still works.
snip_configure_a_tls_ingress_gateway_for_a_single_host_8() {
local target="https://httpbin.example.com:$SECURE_INGRESS_PORT/status/418"
curl -v -HHost:httpbin.example.com \
  --resolve "httpbin.example.com:$SECURE_INGRESS_PORT:$INGRESS_HOST" \
  --cacert example.com.crt "$target"
}
# Expected output of step 8: the handshake aborts after the server's
# Certificate message because the old CA did not sign the new certificate.
# The "block type is not 01" wording is LibreSSL's way of reporting the
# failed RSA signature check (the reason the page asks for LibreSSL up front);
# an OpenSSL-based curl presumably reports a certificate verify failure instead.
read -r -d '' snip_configure_a_tls_ingress_gateway_for_a_single_host_8_out <<'ENDSNIP' || true
...
* TLSv1.2 (OUT), TLS handshake, Client hello (1):
* TLSv1.2 (IN), TLS handshake, Server hello (2):
* TLSv1.2 (IN), TLS handshake, Certificate (11):
* TLSv1.2 (OUT), TLS alert, Server hello (2):
* curl: (35) error:04FFF06A:rsa routines:CRYPTO_internal:block type is not 01
ENDSNIP
# Resets httpbin-credential back to the ORIGINAL httpbin key/cert (the ones
# signed by example.com.crt in the top-level directory), undoing the rotation
# from the previous section so one CA covers both hosts that follow.
snip_configure_a_tls_ingress_gateway_for_multiple_hosts_1() {
kubectl delete secret httpbin-credential -n istio-system
kubectl create secret tls httpbin-credential -n istio-system \
  --key=httpbin.example.com.key \
  --cert=httpbin.example.com.crt
}
# Deploys the second backend, helloworld-v1 (Service on 5000 + one replica).
# Supply-chain note: the image is referenced as istio/examples-helloworld-v1
# with no tag or digest, i.e. a mutable "latest"; pin a digest outside demos.
# The pod spec carries no securityContext or resource limits, only a CPU request.
snip_configure_a_tls_ingress_gateway_for_multiple_hosts_2() {
kubectl apply -f - <<EOF
apiVersion: v1
kind: Service
metadata:
  name: helloworld-v1
  labels:
    app: helloworld-v1
spec:
  ports:
  - name: http
    port: 5000
  selector:
    app: helloworld-v1
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: helloworld-v1
spec:
  replicas: 1
  selector:
    matchLabels:
      app: helloworld-v1
      version: v1
  template:
    metadata:
      labels:
        app: helloworld-v1
        version: v1
    spec:
      containers:
      - name: helloworld
        image: istio/examples-helloworld-v1
        resources:
          requests:
            cpu: "100m"
        imagePullPolicy: IfNotPresent #Always
        ports:
        - containerPort: 5000
EOF
}
# Issues a second server certificate, for helloworld-v1.example.com, from the
# same demo CA. Serial 1 distinguishes it from httpbin's serial 0 under this
# issuer (serials must be unique per CA). Same caveats as the httpbin leaf:
# CN only, no SAN, no extensions, key unencrypted on disk.
snip_configure_a_tls_ingress_gateway_for_multiple_hosts_3() {
openssl req -out helloworld-v1.example.com.csr -newkey rsa:2048 -nodes \
  -keyout helloworld-v1.example.com.key \
  -subj "/CN=helloworld-v1.example.com/O=helloworld organization"
openssl x509 -req -sha256 -days 365 \
  -CA example.com.crt -CAkey example.com.key -set_serial 1 \
  -in helloworld-v1.example.com.csr -out helloworld-v1.example.com.crt
}
# Stores the helloworld-v1 key/cert as a second TLS secret in istio-system;
# the multi-host Gateway references it as helloworld-credential.
snip_configure_a_tls_ingress_gateway_for_multiple_hosts_4() {
kubectl create secret tls helloworld-credential -n istio-system \
  --key=helloworld-v1.example.com.key \
  --cert=helloworld-v1.example.com.crt
}
# Replaces mygateway with two HTTPS servers that share port 443 but serve
# different hosts with different credentials. Because both listen on the
# same port, the gateway has to choose the certificate from the TLS SNI the
# client sends; a client that omits SNI, or sends a name in neither hosts
# list, will not match either server. Server names on a shared port must be
# distinct (https-httpbin / https-helloworld).
snip_configure_a_tls_ingress_gateway_for_multiple_hosts_5() {
kubectl apply -f - <<EOF
apiVersion: networking.istio.io/v1alpha3
kind: Gateway
metadata:
  name: mygateway
spec:
  selector:
    istio: ingressgateway # use istio default ingress gateway
  servers:
  - port:
      number: 443
      name: https-httpbin
      protocol: HTTPS
    tls:
      mode: SIMPLE
      credentialName: httpbin-credential
    hosts:
    - httpbin.example.com
  - port:
      number: 443
      name: https-helloworld
      protocol: HTTPS
    tls:
      mode: SIMPLE
      credentialName: helloworld-credential
    hosts:
    - helloworld-v1.example.com
EOF
}
# Routes helloworld-v1.example.com traffic from mygateway to the helloworld-v1
# service on port 5000, and only for the exact path /hello; nothing else on
# that host is routed.
snip_configure_a_tls_ingress_gateway_for_multiple_hosts_6() {
kubectl apply -f - <<EOF
apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
  name: helloworld-v1
spec:
  hosts:
  - helloworld-v1.example.com
  gateways:
  - mygateway
  http:
  - match:
    - uri:
        exact: /hello
    route:
    - destination:
        host: helloworld-v1
        port:
          number: 5000
EOF
}
# Requests /hello on helloworld-v1.example.com through the ingress, trusting
# the demo CA. --resolve keeps the real hostname for SNI so the gateway can
# select the helloworld certificate.
snip_configure_a_tls_ingress_gateway_for_multiple_hosts_7() {
local target="https://helloworld-v1.example.com:$SECURE_INGRESS_PORT/hello"
curl -v -HHost:helloworld-v1.example.com \
  --resolve "helloworld-v1.example.com:$SECURE_INGRESS_PORT:$INGRESS_HOST" \
  --cacert example.com.crt "$target"
}
# Expected (elided) output of the helloworld request: a successful HTTP/2 200.
read -r -d '' snip_configure_a_tls_ingress_gateway_for_multiple_hosts_7_out <<'ENDSNIP' || true
HTTP/2 200
ENDSNIP
# Confirms the first host still works next to the second: the same httpbin
# request as the single-host section, now served by the https-httpbin server
# of the two-server Gateway.
snip_configure_a_tls_ingress_gateway_for_multiple_hosts_8() {
local target="https://httpbin.example.com:$SECURE_INGRESS_PORT/status/418"
curl -v -HHost:httpbin.example.com \
  --resolve "httpbin.example.com:$SECURE_INGRESS_PORT:$INGRESS_HOST" \
  --cacert example.com.crt "$target"
}
# Expected (elided) output of the httpbin request: the 418 teapot art.
# NOTE(review): the ASCII art's leading indentation appears to have been
# stripped in this copy of the file; verify against the page before relying
# on an exact match.
read -r -d '' snip_configure_a_tls_ingress_gateway_for_multiple_hosts_8_out <<'ENDSNIP' || true
...
-=[ teapot ]=-

_...._
.' _ _ `.
| ."` ^ `". _,
\_;`"---"`|//
| ;/
\_ _/
`"""`
ENDSNIP
# Rebuilds httpbin-credential as a generic secret with the three keys the
# MUTUAL gateway needs: tls.key / tls.crt (server identity) and ca.crt (the
# CA that client certificates must chain to).
#
# Trust-boundary note: ca.crt is the SAME CA that issued the server
# certificates. With no EKU on those leaves (they were signed without
# extensions) and no subjectAltNames restriction on the Gateway, any
# certificate from this CA - including httpbin.example.com.crt and
# helloworld-v1.example.com.crt - would presumably be accepted as a client.
# A real deployment uses a dedicated client CA and/or restricts accepted SANs.
snip_configure_a_mutual_tls_ingress_gateway_1() {
kubectl delete secret httpbin-credential -n istio-system
kubectl create secret generic httpbin-credential -n istio-system \
  --from-file=tls.key=httpbin.example.com.key \
  --from-file=tls.crt=httpbin.example.com.crt \
  --from-file=ca.crt=example.com.crt
}
# Switches mygateway to tls.mode MUTUAL: the gateway now demands a client
# certificate chaining to the ca.crt stored in httpbin-credential.
# NOTE(review): no subjectAltNames list is set, so acceptance is "any cert
# this CA signed" rather than a named set of client identities; tighten this
# before reusing the pattern outside a demo.
snip_configure_a_mutual_tls_ingress_gateway_2() {
kubectl apply -f - <<EOF
apiVersion: networking.istio.io/v1alpha3
kind: Gateway
metadata:
  name: mygateway
spec:
  selector:
    istio: ingressgateway # use istio default ingress gateway
  servers:
  - port:
      number: 443
      name: https
      protocol: HTTPS
    tls:
      mode: MUTUAL
      credentialName: httpbin-credential # must be the same as secret
    hosts:
    - httpbin.example.com
EOF
}
# Negative check for MUTUAL mode: the same request as before, still trusting
# the demo CA but presenting no client certificate. The gateway must reject
# the handshake; success here would mean client authentication is not enforced.
snip_configure_a_mutual_tls_ingress_gateway_3() {
local target="https://httpbin.example.com:$SECURE_INGRESS_PORT/status/418"
curl -v -HHost:httpbin.example.com \
  --resolve "httpbin.example.com:$SECURE_INGRESS_PORT:$INGRESS_HOST" \
  --cacert example.com.crt "$target"
}
# Expected output without a client certificate: a TLS 1.3 handshake in which
# the server sends CertificateRequest (13), curl answers with an empty
# Certificate (11), and the server closes with the "certificate required"
# alert. This trace is from an OpenSSL-based curl, not the LibreSSL one
# checked at the start of the page.
read -r -d '' snip_configure_a_mutual_tls_ingress_gateway_3_out <<'ENDSNIP' || true
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.3 (IN), TLS handshake, Encrypted Extensions (8):
* TLSv1.3 (IN), TLS handshake, Request CERT (13):
* TLSv1.3 (IN), TLS handshake, Certificate (11):
* TLSv1.3 (IN), TLS handshake, CERT verify (15):
* TLSv1.3 (IN), TLS handshake, Finished (20):
* TLSv1.3 (OUT), TLS change cipher, Change cipher spec (1):
* TLSv1.3 (OUT), TLS handshake, Certificate (11):
* TLSv1.3 (OUT), TLS handshake, Finished (20):
* TLSv1.3 (IN), TLS alert, unknown (628):
* OpenSSL SSL_read: error:1409445C:SSL routines:ssl3_read_bytes:tlsv13 alert certificate required, errno 0
ENDSNIP
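# Issues the client certificate that satisfies the MUTUAL gateway: a CSR for
# client.example.com with a new 2048-bit key (unencrypted via -nodes), signed
# by the same example.com CA the gateway trusts through ca.crt.
#
# Serial number: the page used `-set_serial 1`, which this CA already
# assigned to helloworld-v1.example.com.crt in the multiple-hosts section.
# RFC 5280 requires serials to be unique per issuer (clients and caches key
# certificates by issuer + serial), so the client certificate takes the next
# unused value, 2. Nothing else changes.
# As with the other leaves here there is no subjectAltName and no EKU, so the
# certificate itself does not say it is for client use.
snip_configure_a_mutual_tls_ingress_gateway_4() {
openssl req -out client.example.com.csr -newkey rsa:2048 -nodes \
  -keyout client.example.com.key \
  -subj "/CN=client.example.com/O=client organization"
openssl x509 -req -sha256 -days 365 \
  -CA example.com.crt -CAkey example.com.key -set_serial 2 \
  -in client.example.com.csr -out client.example.com.crt
}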
# Positive check for MUTUAL mode: the same request, now presenting the client
# certificate and its (unencrypted) private key via --cert/--key. The key is
# passed as a file path, not on the command line, so it does not show up in
# the process list.
snip_configure_a_mutual_tls_ingress_gateway_5() {
local target="https://httpbin.example.com:$SECURE_INGRESS_PORT/status/418"
curl -v -HHost:httpbin.example.com \
  --resolve "httpbin.example.com:$SECURE_INGRESS_PORT:$INGRESS_HOST" \
  --cacert example.com.crt \
  --cert client.example.com.crt --key client.example.com.key \
  "$target"
}
# Expected (elided) output once the client certificate is presented: the
# 418 teapot from httpbin.
# NOTE(review): the ASCII art's leading indentation appears to have been
# stripped in this copy of the file; verify against the page before relying
# on an exact match.
read -r -d '' snip_configure_a_mutual_tls_ingress_gateway_5_out <<'ENDSNIP' || true
...
-=[ teapot ]=-

_...._
.' _ _ `.
| ."` ^ `". _,
\_;`"---"`|//
| ;/
\_ _/
`"""`
ENDSNIP
# Troubleshooting: lists the istio-system services (to find the ingress
# gateway's external address/ports) and prints the two environment values the
# curl steps depend on, so a blank or stale INGRESS_HOST/SECURE_INGRESS_PORT
# is visible at a glance.
snip_troubleshooting_1() {
kubectl get svc -n istio-system
printf '%s\n' "INGRESS_HOST=$INGRESS_HOST, SECURE_INGRESS_PORT=$SECURE_INGRESS_PORT"
}
# Troubleshooting: dumps the logs of the first ingress gateway pod found by
# label (only the first pod is looked at, .items[0]). Gateway logs may
# include request lines and client addresses; treat them as sensitive when
# sharing.
snip_troubleshooting_2() {
local ns=istio-system
local selector=istio=ingressgateway
kubectl logs -n "$ns" "$(kubectl get pod -n "$ns" -l "$selector" \
  -o jsonpath='{.items[0].metadata.name}')"
}
# Troubleshooting: confirms the credential secrets exist in istio-system.
# The default table output shows names and types only; avoid `-o yaml` here,
# which would print the (base64) private keys to the terminal.
snip_troubleshooting_3() {
kubectl get secrets -n istio-system
}
# Troubleshooting: same as snip_troubleshooting_2 (the page repeats the
# command in a second troubleshooting step) - logs of the first pod matching
# istio=ingressgateway in istio-system.
snip_troubleshooting_4() {
local ns=istio-system
local selector=istio=ingressgateway
kubectl logs -n "$ns" "$(kubectl get pod -n "$ns" -l "$selector" \
  -o jsonpath='{.items[0].metadata.name}')"
}
# Cleanup, cluster side: removes the Gateway, the two VirtualServices and both
# credential secrets. The first two deletes are strict (they fail if the
# object is missing); the secrets and the helloworld VirtualService are
# deleted with --ignore-not-found because not every section creates them.
snip_cleanup_1() {
kubectl delete gateway mygateway
kubectl delete virtualservice httpbin
kubectl delete secret -n istio-system --ignore-not-found=true \
  httpbin-credential helloworld-credential
kubectl delete virtualservice --ignore-not-found=true helloworld-v1
}
# Cleanup, local side: deletes every certificate, CSR and private key the
# task wrote to the working directory, plus the new_certificates/ tree from
# the rotation step. rm does not wipe file contents; the unencrypted keys
# were demo material only.
snip_cleanup_2() {
local artifacts=(
  example.com.crt example.com.key
  httpbin.example.com.crt httpbin.example.com.key httpbin.example.com.csr
  helloworld-v1.example.com.crt helloworld-v1.example.com.key helloworld-v1.example.com.csr
  client.example.com.crt client.example.com.csr client.example.com.key
  ./new_certificates
)
rm -rf "${artifacts[@]}"
}
# Cleanup, workloads: removes the httpbin and helloworld-v1 Deployments and
# Services (httpbin was deployed as a prerequisite of the page). Both deletes
# tolerate missing objects.
snip_cleanup_3() {
kubectl delete deployment httpbin helloworld-v1 --ignore-not-found=true
kubectl delete service httpbin helloworld-v1 --ignore-not-found=true
}