Commit f2999fe

Showing encrypted traffic
Signed-off-by: Alex Ellis (OpenFaaS Ltd) <alexellis2@gmail.com>
1 parent a4f9342 commit f2999fe

3 files changed

+63
-0
lines changed

_posts/2021-05-19-istio.md

Lines changed: 63 additions & 0 deletions
@@ -181,6 +181,69 @@ Events:
181181
Normal Started 37s kubelet Started container istio-proxy
182182
```
183183

184+
You can also use `istioctl` to explore the status of the proxy:
185+
186+
```
187+
~/.arkade/bin/istioctl proxy-status
188+
NAME CDS LDS EDS RDS ISTIOD VERSION
189+
alertmanager-7cb8f6487d-ch4fp.openfaas SYNCED SYNCED SYNCED SYNCED istiod-865fd47fcc-24vdp 1.9.1
190+
basic-auth-plugin-565b7cbc48-h9t8d.openfaas SYNCED SYNCED SYNCED SYNCED istiod-865fd47fcc-24vdp 1.9.1
191+
gateway-5fb6bf58dd-74j8c.openfaas SYNCED SYNCED SYNCED SYNCED istiod-865fd47fcc-24vdp 1.9.1
192+
istio-ingressgateway-5bcdc9b77f-knrpz.istio-system SYNCED SYNCED SYNCED SYNCED istiod-865fd47fcc-24vdp 1.9.1
193+
nats-76b689f8d8-mkwtl.openfaas SYNCED SYNCED SYNCED SYNCED istiod-865fd47fcc-24vdp 1.9.1
194+
nodeinfo-857d9c469b-ww66k.openfaas-fn SYNCED SYNCED SYNCED SYNCED istiod-865fd47fcc-24vdp 1.9.1
195+
prometheus-5664d7cbb9-kchff.openfaas SYNCED SYNCED SYNCED SYNCED istiod-865fd47fcc-24vdp 1.9.1
196+
queue-worker-5b7c5b898d-fqkv5.openfaas SYNCED SYNCED SYNCED SYNCED istiod-865fd47fcc-24vdp 1.9.1
197+
```
198+
199+
Running the following will open a dashboard, and you can run `istioctl dashboard --help` to see how to launch the Grafana or Envoy UI.
200+
201+
```bash
202+
istioctl dashboard controlz deployment/istiod.istio-system
203+
```
204+
205+
![Istio controlz dashboard](/images/2021-05-istio/dash.png)
206+
> Istio controlz dashboard
207+
208+
I was also able to verify that the OpenFaaS gateway was receiving encrypted messages. To do this, I reinstalled Istio using [the instructions in the docs](https://istio.io/latest/docs/tasks/security/authentication/mtls-migration/) in privileged mode. Then I restarted the gateway and observed encrypted messages with `tcpdump`:
209+
210+
![Encrypted traffic to the OpenFaaS Gateway](/images/2021-05-istio/encrypted.png)
211+
> Encrypted messages observed with tcpdump
212+
213+
You can detect the presence of Envoy within your function by looking at the HTTP headers passed on:
214+
215+
```bash
216+
faas-cli deploy \
217+
--name env \
218+
--image ghcr.io/openfaas/alpine:latest \
219+
--fprocess="env"
220+
221+
echo | faas-cli invoke env
222+
223+
HOSTNAME=env-58bd77889c-k8h76
224+
Http_User_Agent=curl/7.68.0
225+
Http_X_Forwarded_Host=faas.o6s.io
226+
Http_X_B3_Spanid=2b4e331b2d6ce20b
227+
Http_X_B3_Parentspanid=9d7bf1a36bdb2462
228+
Http_X_B3_Sampled=0
229+
Http_X_Envoy_Attempt_Count=1
230+
Http_Accept=*/*
231+
Http_X_Call_Id=64d75811-958e-4865-9694-b09806a3685e
232+
Http_X_Forwarded_Proto=https
233+
Http_X_Request_Id=aeffe73e-eee1-431a-af96-8259bca8facb
234+
Http_Accept_Encoding=gzip
235+
Http_X_B3_Traceid=657ff91f248b8ca562effe793263c602
236+
Http_X_Forwarded_For=10.244.0.16
237+
Http_X_Start_Time=1621427147315051123
238+
Http_Content_Length=0
239+
Http_X_Envoy_Internal=true
240+
Http_X_Forwarded_Client_Cert=By=spiffe://cluster.local/ns/openfaas-fn/sa/default;Hash=0fcbc9f3aad0c8bc4b122e9f972a278f35865c92f3bdbdb9312162ada17ea3cc;Subject="";URI=spiffe://cluster.local/ns/openfaas/sa/openfaas-controller
241+
Http_Method=GET
242+
Http_ContentLength=0
243+
Http_Path=/
244+
Http_Host=env.openfaas-fn.svc.cluster.local:8080
245+
```
246+
184247
## Going Further
185248

186249
### Measuring the effects
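
Review bot: The tcpdump paragraph (added lines 208-211) cannot be reproduced as written: it links the mTLS migration task for "privileged mode" and shows only a screenshot, with no `tcpdump` command and no indication of which container or interface was captured. Suggest adding the install option and the exact `tcpdump` invocation used, plus a sentence telling readers to put the sidecars back into non-privileged mode once they have verified the traffic. In the `faas-cli` block (added lines 215-245) the commands and the `env` output share one `bash` fence, and the output carries a public hostname (`Http_X_Forwarded_Host=faas.o6s.io`) and the full `Http_X_Forwarded_Client_Cert` value; move the output to its own fence and consider trimming it to the headers that show Envoy is present (`Http_X_Envoy_*`, `Http_X_B3_*`, `Http_X_Forwarded_Client_Cert`), with a line explaining that the SPIFFE URIs in that last header are the mTLS identities of the caller and the function. Minor: the first block calls `~/.arkade/bin/istioctl` while the dashboard block uses bare `istioctl`; pick one form.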

images/2021-05-istio/dash.png

120 KB

images/2021-05-istio/encrypted.png

365 KB
