
Jianfei Hu incfly

  • ClickHouse
  • San Francisco Bay Area
@incfly
incfly / lds.json
Last active November 19, 2018 12:35
[
{
"name": "10.20.0.33_443",
"address": {
"socketAddress": {
"address": "10.20.0.33",
"portValue": 443
}
},
"filterChains": [
{
"apiVersion": "v1",
"items": [
{
"apiVersion": "v1",
"kind": "Service",
"metadata": {
"annotations": {
"kubectl.kubernetes.io/last-applied-configuration": "{\"apiVersion\":\"v1\",\"kind\":\"Service\",\"metadata\":{\"annotations\":{},\"labels\":{\"app\":\"istio-ingressgateway\",\"chart\":\"gateways\",\"heritage\":\"Tiller\",\"istio\":\"ingressgateway\",\"release\":\"istio\"},\"name\":\"istio-ingressgateway\",\"namespace\":\"istio-system\"},\"spec\":{\"ports\":[{\"name\":\"http2\",\"nodePort\":31380,\"port\":80,\"targetPort\":80},{\"name\":\"https\",\"nodePort\":31390,\"port\":443},{\"name\":\"tcp\",\"nodePort\":31400,\"port\":31400},{\"name\":\"http-kiali\",\"port\":15029,\"targetPort\":15029},{\"name\":\"http2-prometheus\",\"port\":15030,\"targetPort\":15030},{\"name\":\"http2-grafana\",\"port\":15031,\"targetPort\":15031},{\"name\":\"http2-tracing\",\"port\":15032,\"targetPort\":15032},{\"name\":\"tls\",\"port\":15443,\
apiVersion: extensions/v1beta1
kind: Deployment
metadata:
  annotations:
    deployment.kubernetes.io/revision: "1"
    kubectl.kubernetes.io/last-applied-configuration: |
      {"apiVersion":"extensions/v1beta1","kind":"Deployment","metadata":{"annotations":{},"creationTimestamp":null,"labels":{"app":"nginx-default-http-backend"},"name":"nginx-default-http-backend","namespace":"istio-system"},"spec":{"replicas":1,"selector":{"matchLabels":{"app":"nginx-default-http-backend"}},"strategy":{},"template":{"metadata":{"annotations":{"sidecar.istio.io/status":"{\"version\":\"4d97cbe372b31684ae1db7f97ea9b938f4f7ef0aae7269bcf6d15d3b7c09624e\",\"initContainers\":[\"istio-init\"],\"containers\":[\"istio-proxy\"],\"volumes\":[\"istio-envoy\",\"istio-certs\"],\"imagePullSecrets\":null}"},"creationTimestamp":null,"labels":{"app":"nginx-default-http-backend"}},"spec":{"containers":[{"image":"gcr.io/google_containers/defaultbackend:1.4","livenessProbe":{"httpGet":{"path":"/healthz","port":8080,"scheme":"HTTP"},"initialDela
kind: PersistentVolumeClaim
apiVersion: v1
metadata:
  name: mysql-pvc
spec:
  accessModes:
    - ReadWriteMany
  volumeMode: Filesystem
  resources:
    requests:
@incfly
incfly / istio-redis.yaml
Last active February 27, 2019 23:59
Istio-redis-investigation
apiVersion: v1
kind: Pod
metadata:
  annotations:
    sidecar.istio.io/inject: "false"
  name: redis-cli-nosidecar
  namespace: default
spec:
  containers:
  - args:
---
apiVersion: networking.istio.io/v1alpha3
kind: Gateway
metadata:
  name: istio-default-gateway
spec:
  selector:
    istio: ingressgateway # use istio default controller
  servers:
  - port:
@incfly
incfly / istio-root-checker.sh
Created June 3, 2019 22:41
Check Istio Root Certificate Validity.
#!/bin/bash
rootcert() {
  echo "Fetching root cert from istio-system namespace..."
  kubectl get secret -n istio-system istio-ca-secret -o yaml | awk '/ca-cert/ {print $2}' | base64 --decode > ca.cert
  # The redirect creates ca.cert even when the pipeline fails, so test for a non-empty file.
  if [[ ! -s ./ca.cert ]]; then
    echo "failed to get cacert, check the istio installation namespace."
    return
  fi
@incfly
incfly / README.md
Last active July 31, 2019 21:30
Envoy ALPN Selected Or Not
  • The server Envoy configures a listener with the http1.1 ALPN and TLS enabled, using DirectResponse. It has two filter chains, one matching alpn == http1.1 and one default filter chain, and returns the response "hello world, selected from alpn http1.1."
  • The client Envoy configures a Cluster with the http1.1 ALPN and TLS enabled; the cluster sends requests to the server Envoy.
  • Sending a request from curl -> Client Envoy -> Server Envoy returns "hello world alpn 1.1".
  • However, the ALPN "http1.1" can't be fetched via SslSocket::protocol(), which returns empty.

Note that these two parts use different SSL methods.

  1. FilterChainMatch uses boringssl::SSL_early_callback_ctx_extension_get
  2. SslSocket::protocol invokes boringssl::SSL_get0_alpn_selected
[2019-08-13 18:40:42.351][19331][debug][connection] [source/extensions/transport_sockets/tls/ssl_socket.cc:156] [C1] handshake complete
[2019-08-13 18:40:42.351][19331][debug][client] [source/common/http/codec_client.cc:77] [C1] connected
[2019-08-13 18:40:42.351][19331][debug][pool] [source/common/http/httpx/conn_pool.cc:244] [C1] attaching to next request
[2019-08-13 18:40:42.351][19331][debug][router] [source/common/router/router.cc:1543] [C0][S16466317785413821041] pool ready
[2019-08-13 18:40:42.351][19331][trace][connection] [source/common/network/connection_impl.cc:393] [C1] writing 213 bytes, end_stream false
[2019-08-13 18:40:42.351][19331][info][connection] [source/extensions/transport_sockets/tls/ssl_socket.cc:396] jianfeih debug consulting the alpn in sslsocket.
[2019-08-13 18:40:42.351][19331][info][pool] [source/common/http/httpx/conn_pool.cc:190] incfly debug print out the connection alpn h2
[2019-08-13 18:40:42.352][19331][trace][http2] [source/common/http/http2/nghttp2.cc:20] nghttp2: send: r