@JulienBreux
Last active June 28, 2023 15:58
Istio Minimal Config To External HTTPS

Blog post to follow.

# nginx site config on the external VM: HTTPS only, presenting the self-signed
# server certificate and optionally verifying a client certificate
server {
    # listen 80 default_server;
    # listen [::]:80 default_server;
    listen 443 ssl default_server;
    listen [::]:443 ssl default_server;
    include snippets/self-signed.conf;
    root /var/www/html;
    index index.html index.htm index.nginx-debian.html;
    server_name _;
    location / {
        try_files $uri $uri/ =404;
    }
}

# snippets/self-signed.conf (pulled in by the include directive above)
ssl_certificate /etc/ssl/certs/nginx-selfsigned.crt;
ssl_certificate_key /etc/ssl/private/nginx-selfsigned.key;
# ssl_client_certificate is the trusted CA for client certificates. The client
# cert is signed with nginx-selfsigned.key, so the self-signed server cert is the
# CA; pointing this at the client leaf cert itself would fail verification.
ssl_client_certificate /etc/ssl/certs/nginx-selfsigned.crt;
ssl_verify_client optional;
# Istio's sample "sleep" workload, used as the in-mesh client
---
apiVersion: v1
kind: ServiceAccount
metadata:
  name: sleep
---
apiVersion: v1
kind: Service
metadata:
  name: sleep
  labels:
    app: sleep
    service: sleep
spec:
  ports:
  - port: 80
    name: http
  selector:
    app: sleep
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: sleep
spec:
  replicas: 1
  selector:
    matchLabels:
      app: sleep
  template:
    metadata:
      labels:
        app: sleep
    spec:
      terminationGracePeriodSeconds: 0
      serviceAccountName: sleep
      containers:
      - name: sleep
        image: curlimages/curl
        command: ["/bin/sleep", "infinity"]
        imagePullPolicy: IfNotPresent
        volumeMounts:
        - mountPath: /etc/sleep/tls
          name: secret-volume
      volumes:
      - name: secret-volume
        secret:
          secretName: sleep-secret
          optional: true
---
# The sleep sidecar originates TLS to the external host on port 443, using the
# certificates stored in the foobarbaz-credential secret
apiVersion: networking.istio.io/v1beta1
kind: DestinationRule
metadata:
  name: foobarbaz
spec:
  host: foobarbaz.europe-west1-b.c.mesh-one.internal
  workloadSelector:
    matchLabels:
      app: sleep
  trafficPolicy:
    loadBalancer:
      simple: ROUND_ROBIN
    portLevelSettings:
    - port:
        number: 443
      tls:
        mode: SIMPLE # vs MUTUAL
        credentialName: foobarbaz-credential
# Server side (on the VM): self-signed server certificate, which also acts as the CA below
sudo openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout /etc/ssl/private/nginx-selfsigned.key -out /etc/ssl/certs/nginx-selfsigned.crt
sudo openssl dhparam -out /etc/ssl/certs/dhparam.pem 2048
# Client side: a separate key and a certificate signed by the server's self-signed cert.
# The key is left unencrypted (no -des3): the sidecar loads it from the secret and
# cannot prompt for a passphrase.
openssl genrsa -out client.key 4096
openssl req -new -key client.key -out client.csr
openssl x509 -req -days 365 -in client.csr -CA nginx-selfsigned.crt -CAkey nginx-selfsigned.key -set_serial 01 -out nginx-selfsigned-client.crt
# Secret referenced by credentialName in the DestinationRule:
#   key    must be the private key of cert (client.key, not the server's key)
#   cert   the client certificate, used only in MUTUAL mode
#   cacert what the sidecar trusts when it verifies the server
kubectl create secret generic foobarbaz-credential \
  --from-file=key=client.key \
  --from-file=cert=nginx-selfsigned-client.crt \
  --from-file=cacert=nginx-selfsigned.crt
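Two properties of the three PEM files decide whether the secret above works: the certificate must chain to the file given as `cacert` (the same file nginx needs in `ssl_client_certificate`), and `key` must be the private key of `cert`; `kubectl create secret` accepts any files, so a mismatch only surfaces later when the sidecar tries to use them. The script below is an added example and not part of the gist. It builds a throwaway CA and client pair in a temporary directory under placeholder names (`ca.crt`, `ca.key`, `client.key`, `client.crt`) that mirror the gist's procedure (self-signed cert as CA, separate client key), then runs both checks with `openssl` only, so it needs no cluster.

```shell
#!/bin/sh
# Added example: sanity-check key/cert/cacert before they go into a secret.
# File names are placeholders created in a temp dir, not the gist's files.
set -eu

# Exit 0 if CERT chains to the CA in CA_FILE, non-zero otherwise.
cert_chains_to_ca() {
    ca_file=$1; cert=$2
    openssl verify -CAfile "$ca_file" "$cert" >/dev/null 2>&1
}

# Exit 0 if the public key in CERT is the one derived from KEY.
cert_matches_key() {
    cert=$1; key=$2
    cert_pub=$(openssl x509 -in "$cert" -noout -pubkey | openssl sha256)
    key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null | openssl sha256)
    [ "$cert_pub" = "$key_pub" ]
}

# Build a throwaway PKI the way the gist does: a self-signed "server" cert that
# acts as CA, and a separate client key whose CSR that CA signs. Prints the dir.
make_test_pki() {
    dir=$(mktemp -d)
    # explicit config so the self-signed cert carries CA:TRUE whatever the
    # system openssl.cnf says
    cat > "$dir/ca.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions = v3_ca
prompt = no
[dn]
CN = test-ca
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
EOF
    openssl req -x509 -nodes -newkey rsa:2048 -days 1 -config "$dir/ca.cnf" \
        -keyout "$dir/ca.key" -out "$dir/ca.crt" >/dev/null 2>&1
    openssl genrsa -out "$dir/client.key" 2048 >/dev/null 2>&1
    openssl req -new -key "$dir/client.key" -config "$dir/ca.cnf" \
        -subj "/CN=sleep-client" -out "$dir/client.csr" >/dev/null 2>&1
    openssl x509 -req -days 1 -in "$dir/client.csr" -CA "$dir/ca.crt" \
        -CAkey "$dir/ca.key" -set_serial 01 -out "$dir/client.crt" >/dev/null 2>&1
    echo "$dir"
}

# Check a key/cert/cacert triple as it would be written into the secret.
# Prints "ok" or the reason, and returns non-zero on a problem.
check_secret_inputs() {
    key=$1; cert=$2; cacert=$3
    if ! cert_chains_to_ca "$cacert" "$cert"; then
        echo "cert does not chain to cacert"; return 1
    fi
    if ! cert_matches_key "$cert" "$key"; then
        echo "key does not belong to cert"; return 1
    fi
    echo ok
}

PKI=$(make_test_pki)
# the correct triple
check_secret_inputs "$PKI/client.key" "$PKI/client.crt" "$PKI/ca.crt"
# the CA's own key paired with the client cert: accepted by kubectl, rejected here
check_secret_inputs "$PKI/ca.key" "$PKI/client.crt" "$PKI/ca.crt" || true
# the client leaf cert used as its own trust anchor: no chain to a CA
check_secret_inputs "$PKI/client.key" "$PKI/client.crt" "$PKI/client.crt" || true
```

To use the checks on the real files, call `check_secret_inputs client.key nginx-selfsigned-client.crt nginx-selfsigned.crt` before the `kubectl create secret` step; the same `cert_chains_to_ca` call also confirms which file belongs in nginx's `ssl_client_certificate`.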
---
apiVersion: networking.istio.io/v1beta1
kind: ServiceEntry
metadata:
  name: foobarbaz
spec:
  hosts:
  - foobarbaz.europe-west1-b.c.mesh-one.internal
  ports:
  # port 80 is declared so the sidecar captures the plaintext call that the
  # VirtualService matches and redirects to 443; without it the request bypasses
  # the VirtualService
  - number: 80
    name: http
    protocol: HTTP
  - number: 443
    name: https
    protocol: HTTPS
  resolution: DNS
  location: MESH_EXTERNAL
---
apiVersion: networking.istio.io/v1beta1
kind: VirtualService
metadata:
  name: foobarbaz
spec:
  hosts:
  - foobarbaz.europe-west1-b.c.mesh-one.internal
  http:
  - match:
    - port: 80
    route:
    - destination:
        host: foobarbaz.europe-west1-b.c.mesh-one.internal
        port:
          number: 443
# Create the VM that hosts nginx, outside the mesh
gcloud compute instances create foobarbaz \
  --image-family=debian-10 \
  --image-project=debian-cloud \
  --machine-type=e2-medium