Enabling bookinfo for simple TLS

Let's define a virtual service for bookinfo.istio.io so that the gateway knows the URI matches and patterns it requires to send requests to the productpage.istio-lab.svc.cluster.local hostname on port 9080:

  1. Enter the following command:
# Script : 03-create-virtual-service-for-bookinfo.yaml

apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
  name: bookinfo
spec:
  hosts:
  - bookinfo.istio.io
  gateways:
  - mygateway
  http:

...
    route:
    - destination:
        host: productpage.istio-lab.svc.cluster.local
        port:
          number: 9080
  2. Create a virtual service in the istio-system namespace:
$ kubectl -n istio-system apply -f 03-create-virtual-service-for-bookinfo.yaml
virtualservice.networking.istio.io/bookinfo configured

  3. From a web browser within the VM, open two more tabs:
    • Open http://bookinfo.istio.io from the first tab; it should load normally.
    • Open https://bookinfo.istio.io from the second tab.
  4. You will see a notice stating that your connection is not private. This is normal as browsers don't like self-signed certificates.
  5. Click Advanced and click Proceed to go to bookinfo.istio.io (unsafe).

You will notice that both HTTP and HTTPS work, since our gateway allows HTTP traffic for all hosts and the SIMPLE TLS mode applies only to httpbin.istio.io and bookinfo.istio.io.

  6. Open one more tab and run http://httpbin.istio.io/headers. Now, you should see the headers.
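The observation above, that both hosts answer over plain HTTP as well as HTTPS, can be checked from the Gateway definition itself. The following is an added example, not code from the book: the Gateway dictionary is a constructed sample built from the description above (HTTP for all hosts, SIMPLE TLS for the two hosts), and host_matches and exposure are hypothetical helper names.

```python
import copy

# Constructed sample Gateway shaped like the one this walkthrough describes:
# plain HTTP for all hosts, SIMPLE TLS for two hosts. Not the book's manifest.
GATEWAY = {"metadata": {"name": "mygateway"}, "spec": {"servers": [
    {"port": {"number": 80, "name": "http", "protocol": "HTTP"},
     "hosts": ["*"]},
    {"port": {"number": 443, "name": "https", "protocol": "HTTPS"},
     "tls": {"mode": "SIMPLE"},
     "hosts": ["httpbin.istio.io", "bookinfo.istio.io"]},
]}}

# Same gateway, with the port-80 server redirecting every request to HTTPS.
HARDENED = copy.deepcopy(GATEWAY)
HARDENED["spec"]["servers"][0]["tls"] = {"httpsRedirect": True}


def host_matches(pattern, host):
    """Gateway host match: exact name, '*', or a leading '*.' wildcard."""
    pattern = pattern.split("/")[-1]  # drop an optional 'namespace/' prefix
    if pattern == "*":
        return True
    if pattern.startswith("*."):
        return host.endswith(pattern[1:])
    return pattern == host


def exposure(gateway, host):
    """Report how `host` is served; only HTTP and HTTPS servers are considered."""
    report = {"plaintext": False, "redirected": False, "tls_modes": []}
    for server in gateway["spec"]["servers"]:
        if not any(host_matches(p, host) for p in server.get("hosts", [])):
            continue
        protocol = server["port"]["protocol"].upper()
        tls = server.get("tls", {})
        if protocol == "HTTP" and tls.get("httpsRedirect"):
            report["redirected"] = True
        elif protocol == "HTTP":
            report["plaintext"] = True
        elif protocol == "HTTPS":
            report["tls_modes"].append(tls.get("mode", "unset"))
    return report


if __name__ == "__main__":
    for name, gw in (("as configured", GATEWAY), ("with httpsRedirect", HARDENED)):
        for host in ("bookinfo.istio.io", "httpbin.istio.io"):
            print(name, host, exposure(gw, host))
```

A host whose report shows plaintext as True is still served without TLS; setting httpsRedirect on the HTTP server turns that into a redirect to the HTTPS listener.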

The internet does not provide a robust method for revoking certificates before their expiration date. A certain amount of time is lost before a revocation takes effect because of real-time distribution. Another method to check whether a certificate has been revoked is the Online Certificate Status Protocol (OCSP, https://tools.ietf.org/html/rfc2560), which is also open to criticism due to latency, overhead issues, and privacy concerns, since it leaks information about the websites being visited to a central OCSP server. Until this problem is solved, another method is to rotate keys and certificates at a short interval to reduce the time window for security compromise. Next, we will look at the procedure of rotating keys and certificates.
