Skip to content

Instantly share code, notes, and snippets.

@JulienBreux

JulienBreux/_etc_nginx_sites-enabled_default

Last active June 28, 2023 15:58
Show Gist options
  • Save JulienBreux/db64fd80903b04a40f766f6708cfb405 to your computer and use it in GitHub Desktop.
Save JulienBreux/db64fd80903b04a40f766f6708cfb405 to your computer and use it in GitHub Desktop.
Download ZIP
Istio Minimal Config To External HTTPS
Raw
readme.md

Soon blog post

Raw
_etc_nginx_sites-enabled_default
server {
# listen 80 default_server;
# listen [::]:80 default_server;
listen 443 ssl default_server;
listen [::]:443 ssl default_server;
include snippets/self-signed.conf;
root /var/www/html;
index index.html index.htm index.nginx-debian.html;
server_name _;
location / {
try_files $uri $uri/ =404;
}
}
Raw
_etc_nginx_snippets_self-signed.conf
ssl_certificate /etc/ssl/certs/nginx-selfsigned.crt;
ssl_certificate_key /etc/ssl/private/nginx-selfsigned.key;
ssl_client_certificate /etc/ssl/certs/nginx-selfsigned-client.crt;
ssl_verify_client optional;
Raw
deploy.yaml
---
apiVersion: v1
kind: ServiceAccount
metadata:
name: sleep
---
apiVersion: v1
kind: Service
metadata:
name: sleep
labels:
app: sleep
service: sleep
spec:
ports:
- port: 80
name: http
selector:
app: sleep
---
apiVersion: apps/v1
kind: Deployment
metadata:
name: sleep
spec:
replicas: 1
selector:
matchLabels:
app: sleep
template:
metadata:
labels:
app: sleep
spec:
terminationGracePeriodSeconds: 0
serviceAccountName: sleep
containers:
- name: sleep
image: curlimages/curl
command: ["/bin/sleep", "infinity"]
imagePullPolicy: IfNotPresent
volumeMounts:
- mountPath: /etc/sleep/tls
name: secret-volume
volumes:
- name: secret-volume
secret:
secretName: sleep-secret
optional: true
---
Raw
destinationrule.yaml
---
apiVersion: networking.istio.io/v1beta1
kind: DestinationRule
metadata:
name: foobarbaz
spec:
host: foobarbaz.europe-west1-b.c.mesh-one.internal
workloadSelector:
matchLabels:
app: sleep
trafficPolicy:
loadBalancer:
simple: ROUND_ROBIN
portLevelSettings:
- port:
number: 443
tls:
mode: SIMPLE # vs MUTUAL
credentialName: foobarbaz-credential
Raw
ganerate-certificate.sh
# Server side
sudo openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout /etc/ssl/private/nginx-selfsigned.key -out /etc/ssl/certs/nginx-selfsigned.crt
sudo openssl dhparam -out /etc/ssl/certs/dhparam.pem 2048
# Client side
openssl genrsa -des3 -out client.key 4096
openssl req -new -key client.key -out client.csr
openssl x509 -req -days 365 -in client.csr -CA nginx-selfsigned.crt -CAkey nginx-selfsigned.key -set_serial 01 -out nginx-selfsigned-client.crt
Raw
save-secret.txt
kubectl create secret generic foobarbaz-credential \
--from-file=key=nginx-selfsigned.key \
--from-file=cert=nginx-selfsigned-client.crt \
--from-file=cacert=nginx-selfsigned.crt
Raw
serviceentry.yaml
---
apiVersion: networking.istio.io/v1beta1
kind: ServiceEntry
metadata:
name: foobarbaz
spec:
hosts:
- foobarbaz.europe-west1-b.c.mesh-one.internal
ports:
- number: 443
name: https
protocol: HTTPS
resolution: DNS
location: MESH_EXTERNAL
Raw
virtualservice.yaml
---
apiVersion: networking.istio.io/v1beta1
kind: VirtualService
metadata:
name: foobarbaz
spec:
hosts:
- foobarbaz.europe-west1-b.c.mesh-one.internal
http:
- match:
- port: 80
route:
- destination:
host: foobarbaz.europe-west1-b.c.mesh-one.internal
port:
number: 443
Raw
vm.sh
gcloud compute instances create foobarbaz \
--image-family=debian-10 \
--image-project=debian-cloud \
--machine-type=e2-medium
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment