diff --git a/.spelling b/.spelling index 5c6e3798e5361..0459a7adcbab7 100644 --- a/.spelling +++ b/.spelling @@ -259,6 +259,7 @@ grpc helloworld hostIP hostname +hostnames hotspots html http @@ -438,8 +439,10 @@ webhook webhooks whitelist whitelists +wikipedia wikipedia.org wildcard +wildcarded www.google.com x-envoy-upstream-rq-timeout-ms x.509 diff --git a/content/docs/examples/advanced-gateways/wildcard-https-egress-gateway/index.md b/content/docs/examples/advanced-gateways/wildcard-https-egress-gateway/index.md new file mode 100644 index 0000000000000..2e5775c294c96 --- /dev/null +++ b/content/docs/examples/advanced-gateways/wildcard-https-egress-gateway/index.md 
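Review bot: the second `.spelling` hunk adds `wildcarded` next to the existing `wildcard` entry; `wildcarded` is not a standard English word, so rather than teaching it to the spell checker consider rewording the new page ("wildcard domains", "domains matched by a wildcard") and dropping this dictionary line. The `hostnames` and `wikipedia` additions are fine; `wikipedia` is needed because the page lowercases the name inside identifiers such as `_*.wikipedia.org_`.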
@@ -0,0 +1,1015 @@ +--- +title: Configure Egress Gateway for HTTPS traffic to wildcarded domains +description: Use an SNI proxy in addition to the Envoy instance in the istio-egressgateway for wildcarded domains. +keywords: [traffic-management,egress] +weight: 44 +--- + +The [Configure an Egress Gateway](/docs/examples/advanced-egress/egress-gateway/) example, the +[Direct HTTPS traffic through an egress gateway](/docs/examples/advanced-egress/egress-gateway/#direct-https-traffic-through-an-egress-gateway) +section described how to configure an Istio egress gateway for HTTPS traffic for specific hostnames, like +`edition.cnn.com`. This example explains how to enable an egress gateway for HTTPS traffic to a set of domains, for +example to `*.wikipedia.org`, without the need to specify each and every host. + +## Background + +Suppose you want to enable secure egress traffic control in Istio for the `wikipedia.org` sites in all the languages. +Each version of `wikipedia.org` in a particular language has its own hostname, e.g. `en.wikipedia.org` and +`de.wikipedia.org` in the English and the German languages, respectively. You want to enable the egress traffic by common +configuration items for all the _wikipedia_ sites, without the need to specify the sites in all the languages. + +## Before you begin + +This examples assumes you deployed Istio with [mutual TLS Authentication](/docs/tasks/security/mutual-tls/) +enabled. Follow the steps in the [Before you begin](/docs/examples/advanced-egress/egress-gateway/#before-you-begin) +section of the [Configure an Egress Gateway](/docs/examples/advanced-egress/egress-gateway) example. + +## Configure HTTPS traffic to _*.wikipedia.org_ + +1. Define a `ServiceEntry` for `*.wikipedia.org`: + + {{< text bash >}} + $ cat <}} + +1. Verify that your `ServiceEntry` was applied correctly. 
Send HTTPS requests to + [https://en.wikipedia.org](https://en.wikipedia.org) and [https://de.wikipedia.org](https://de.wikipedia.org): + + {{< text bash >}} + $ kubectl exec -it $SOURCE_POD -c sleep -- bash -c 'curl -s https://en.wikipedia.org/wiki/Main_Page | grep -o ".*"; curl -s https://de.wikipedia.org/wiki/Wikipedia:Hauptseite | grep -o ".*"' + Wikipedia, the free encyclopedia + Wikipedia – Die freie Enzyklopädie + {{< /text >}} + +1. Create an egress `Gateway` for _*.wikipedia.org_, port 443, protocol TLS; and a destination rule to set the + [SNI](https://en.wikipedia.org/wiki/Server_Name_Indication) for the gateway; and also a virtual service to direct + the traffic destined for _*.wikipedia.org_ to the gateway. + + {{< text bash >}} + $ cat <}} + +1. Route the traffic destined for _*.wikipedia.org_ to the egress gateway and from the egress gateway to + _www.wikipedia.org_. + You can use this trick since all the _*.wikipedia.org_ sites are apparently served by each of the + _wikipedia.org_ servers. It means that you can route the traffic to an IP of any _*.wikipedia.org_ sites, in + particular to _www.wikipedia.org_, and the server at that IP will + [manage to serve](https://en.wikipedia.org/wiki/Virtual_hosting) any of the Wikipedia sites. + For a general case, in which all the domain names of a `ServiceEntry` are not served by all the hosting + servers, a more complex configuration is required. Note that you must create a `ServiceEntry` for _www.wikipedia.org_ + with resolution `DNS` so the gateway will be able to perform the routing. + + {{< text bash >}} + $ cat <}} + +1. 
Send HTTPS requests to + [https://en.wikipedia.org](https://en.wikipedia.org) and [https://de.wikipedia.org](https://de.wikipedia.org): + + {{< text bash >}} + $ kubectl exec -it $SOURCE_POD -c sleep -- bash -c 'curl -s https://en.wikipedia.org/wiki/Main_Page | grep -o ".*"; curl -s https://de.wikipedia.org/wiki/Wikipedia:Hauptseite | grep -o ".*"' + Wikipedia, the free encyclopedia + Wikipedia – Die freie Enzyklopädie + {{< /text >}} + +1. Check the statistics of the egress gateway's proxy and see a counter that corresponds to our + requests to _*.wikipedia.org_. If Istio is deployed in the `istio-system` namespace, the command to print the + counter is: + + {{< text bash >}} + $ kubectl exec -it $(kubectl get pod -l istio=egressgateway -n istio-system -o jsonpath='{.items[0].metadata.name}') -c egressgateway -n istio-system -- curl -s localhost:15000/stats | grep www.wikipedia.org.upstream_cx_total + cluster.outbound|443||www.wikipedia.org.upstream_cx_total: 2 + {{< /text >}} + +### Cleanup of HTTPS traffic configuration to _*.wikipedia.org_ + +{{< text bash >}} +$ kubectl delete serviceentry wikipedia www-wikipedia +$ kubectl delete gateway istio-egressgateway +$ kubectl delete virtualservice direct-wikipedia-through-egress-gateway +$ kubectl delete destinationrule egressgateway-for-wikipedia +{{< /text >}} + +## Enable HTTPS traffic to arbitrary wildcarded domains + +The configuration in the previous section works thanks to the fact that all the _*.wikipedia.org_ sites are apparently +served by each of the _wikipedia.org_ servers. However, this may not always be the case. In many cases you may want to +configure egress control for HTTPS access to `*.com` or `*.org` domains, or even to `*` (all the domains). + +Configuring traffic to arbitrary wildcarded domains introduces a challenge for Istio gateways. In the previous section +you directed the traffic to _www.wikipedia.org_, and this host was known to your gateway during the configuration. 
+The gateway, however, cannot know an IP address of an arbitrary host it receives a request for. Would you want to +control access to `*.com`, and send requests to _www.cnn.com_ and _www.abc.com_, the Istio gateway would not know which +IP address to forward the requests. +This limitation is due to the limitation of [Envoy](https://www.envoyproxy.io), the proxy Istio is based on. Envoy +routes traffic either to predefined hosts, or to predefined IP addresses, or to the original destination IP address of +the request. In the case of the gateway the original destination IP of the request is lost (since the request was routed +to the egress gateway and its destination IP address is the IP address of the gateway). + +In short, the Istio gateway based on Envoy cannot route traffic to an arbitrary, not preconfigured host, and AS-IS is +unable to perform traffic control to arbitrary wildcarded domains. To enable such traffic control for HTTPS (and for any +TLS), you need to deploy an SNI forward proxy in addition to Envoy. Envoy will route the requests destined for a +wildcarded domain to the SNI forward proxy, which, in turn, will forward the requests to the destination by the value of +SNI. + +In this section you will configure Istio to route HTTPS traffic to arbitrary wildcarded domains, through an egress +gateway. + +### Prepare a new egress gateway with an SNI proxy + +In this subsection you deploy an egress gateway with an SNI proxy, in addition to the standard Istio Envoy proxy. You +can use any SNI proxy that is capable to route traffic according to arbitrary, not-preconfigured SNI values; we used +[Nginx](http://nginx.org) to achieve this functionality. The SNI proxy will listen on the port `8443`, you can use any +port other than the ports specified for the egress `Gateway` and for the `VirtualServices` defined on it. The SNI proxy +will forward the traffic to the port `443`. + +1. Create a configuration file for the Nginx SNI proxy. 
You may want to edit the file to specify additional Nginx + settings, if required. Note that the `server`'s `listen` directive specifies the port `8443`, its `proxy_pass` + directive uses `ssl_preread_server_name` with port `443` and `ssl_preread` directive enables `SNI` reading. + + {{< text bash >}} + $ cat < ./sni-proxy.conf + user www-data; + + events { + } + + stream { + log_format log_stream '\$remote_addr [\$time_local] \$protocol [\$ssl_preread_server_name]' + '\$status \$bytes_sent \$bytes_received \$session_time'; + + access_log /var/log/nginx/access.log log_stream; + error_log /var/log/nginx/error.log; + + # tcp forward proxy by SNI + server { + resolver 8.8.8.8 ipv6=off; + listen 127.0.0.1:8443; + proxy_pass \$ssl_preread_server_name:443; + ssl_preread on; + } + } + EOF + {{< /text >}} + +1. Create a Kubernetes [ConfigMap](https://kubernetes.io/docs/tasks/configure-pod-container/configure-pod-configmap/) +to hold the configuration of the Nginx SNI proxy: + + {{< text bash >}} + $ kubectl create configmap egress-sni-proxy-configmap -n istio-system --from-file=nginx.conf=./sni-proxy.conf + {{< /text >}} + + +1. The following command will generate `istio-egressgateway-with-sni-proxy.yaml` to edit and deploy. 
+ + {{< text bash >}} + $ cat < ./istio-egressgateway-with-sni-proxy.yaml + gateways: + enabled: true + istio-ingressgateway: + enabled: false + istio-egressgateway: + enabled: false + istio-egressgateway-with-sni-proxy: + enabled: true + labels: + app: istio-egressgateway-with-sni-proxy + istio: egressgateway-with-sni-proxy + replicaCount: 1 + autoscaleMin: 1 + autoscaleMax: 5 + cpu: + targetAverageUtilization: 80 + serviceAnnotations: {} + type: ClusterIP + ports: + - port: 443 + name: https + secretVolumes: + - name: egressgateway-certs + secretName: istio-egressgateway-certs + mountPath: /etc/istio/egressgateway-certs + - name: egressgateway-ca-certs + secretName: istio-egressgateway-ca-certs + mountPath: /etc/istio/egressgateway-ca-certs + configVolumes: + - name: sni-proxy-config + configMapName: egress-sni-proxy-configmap + additionalContainers: + - name: sni-proxy + image: nginx + volumeMounts: + - name: sni-proxy-config + mountPath: /etc/nginx + readOnly: true + EOF + {{< /text >}} + +1. Deploy the new egress gateway: + + {{< text bash >}} + $ kubectl apply -f ./istio-egressgateway-with-sni-proxy.yaml + serviceaccount "istio-egressgateway-with-sni-proxy-service-account" created + clusterrole "istio-egressgateway-with-sni-proxy-istio-system" created + clusterrolebinding "istio-egressgateway-with-sni-proxy-istio-system" created + service "istio-egressgateway-with-sni-proxy" created + deployment "istio-egressgateway-with-sni-proxy" created + horizontalpodautoscaler "istio-egressgateway-with-sni-proxy" created + {{< /text >}} + +1. Verify that the new egress gateway is running. Note that the pod has two containers (one is the Envoy proxy and the + second one is the SNI proxy). + + {{< text bash >}} + $ kubectl get pod -l istio=egressgateway-with-sni-proxy -n istio-system + NAME READY STATUS RESTARTS AGE + istio-egressgateway-with-sni-proxy-79f6744569-pf9t2 2/2 Running 0 17s + {{< /text >}} + +1. 
Create a service entry with a static address equal to 127.0.0.1 (`localhost`), and disable mutual TLS on the traffic directed to the new + service entry: + + {{< text bash >}} + $ cat <}} + +### Configure access to _*.wikipedia.org_ using the egress gateway with SNI proxy + +1. Define a `ServiceEntry` for `*.wikipedia.org`: + + {{< text bash >}} + $ cat <}} + +1. Verify that your `ServiceEntry` was applied correctly. Send HTTPS requests to + [https://en.wikipedia.org](https://en.wikipedia.org) and [https://de.wikipedia.org](https://de.wikipedia.org): + + {{< text bash >}} + $ kubectl exec -it $SOURCE_POD -c sleep -- bash -c 'curl -s https://en.wikipedia.org/wiki/Main_Page | grep -o ".*"; curl -s https://de.wikipedia.org/wiki/Wikipedia:Hauptseite | grep -o ".*"' + Wikipedia, the free encyclopedia + Wikipedia – Die freie Enzyklopädie + {{< /text >}} + +1. Create an egress `Gateway` for _*.wikipedia.org_, port 443, protocol TLS, a destination rule to set the + [SNI](https://en.wikipedia.org/wiki/Server_Name_Indication) for the gateway, and a virtual service to direct the + traffic destined for _*.wikipedia.org_ to the gateway. + + If you want to enable [mutual TLS Authentication](/docs/tasks/security/mutual-tls/) between the sidecar proxies of + your application pods and the egress gateway, use the following command. (You may want to enable mutual TLS to let + the egress gateway monitor the identity of the source pods and to enable Mixer policy enforcement based on that + identity.) + + {{< text bash >}} + $ cat <}} + + Otherwise, if you do not need to enable mutual TLS Authentication between the sidecar proxies of your application + pods and the egress gateway, perform: + + {{< text bash >}} + $ cat <}} + +1. In case you applied mutual TLS between the sidecar proxy and the egress gateway, you must apply a special Envoy + filter to report the SNI correctly: + + {{< text bash >}} + $ cat <}} + +1. 
Send HTTPS requests to + [https://en.wikipedia.org](https://en.wikipedia.org) and [https://de.wikipedia.org](https://de.wikipedia.org): + + {{< text bash >}} + $ kubectl exec -it $SOURCE_POD -c sleep -- bash -c 'curl -s https://en.wikipedia.org/wiki/Main_Page | grep -o ".*"; curl -s https://de.wikipedia.org/wiki/Wikipedia:Hauptseite | grep -o ".*"' + Wikipedia, the free encyclopedia + Wikipedia – Die freie Enzyklopädie + {{< /text >}} + +1. Check the statistics of the egress gateway's Envoy proxy and see a counter that corresponds to our requests to + _*.wikipedia.org_ (the counter for traffic to the SNI proxy). If Istio is deployed in the `istio-system` namespace, the command + to print the counter is: + + {{< text bash >}} + $ kubectl exec -it $(kubectl get pod -l istio=egressgateway-with-sni-proxy -n istio-system -o jsonpath='{.items[0].metadata.name}') -c istio-proxy -n istio-system -- curl -s localhost:15000/stats | grep sni-proxy.local.upstream_cx_total + cluster.outbound|8443||sni-proxy.local.upstream_cx_total: 2 + {{< /text >}} + +1. Check the logs of the SNI proxy. If Istio is deployed in the `istio-system` namespace, the command to print the + log is: + + {{< text bash >}} + $ kubectl logs $(kubectl get pod -l istio=egressgateway-with-sni-proxy -n istio-system -o jsonpath='{.items[0].metadata.name}') -n istio-system -c sni-proxy + 127.0.0.1 [01/Aug/2018:15:32:02 +0000] TCP [en.wikipedia.org]200 81513 280 0.600 + 127.0.0.1 [01/Aug/2018:15:32:03 +0000] TCP [de.wikipedia.org]200 67745 291 0.659 + {{< /text >}} + +1. Check the mixer log. 
If Istio is deployed in the `istio-system` namespace, the command to print the + log is: + + {{< text bash >}} + $ for TELEMETRY_POD in $(kubectl -n istio-system get pods -l istio-mixer-type=telemetry -o jsonpath='{.items[*].metadata.name}'); do kubectl -n istio-system logs $TELEMETRY_POD mixer | grep '"connectionEvent":"open"' | grep '"sourceName":"istio-egressgateway' | grep 'wikipedia.org'; done + {"level":"info","time":"2018-08-26T16:16:34.784571Z","instance":"tcpaccesslog.logentry.istio-system","connectionDuration":"0s","connectionEvent":"open","connection_security_policy":"unknown","destinationApp":"","destinationIp":"127.0.0.1","destinationName":"unknown","destinationNamespace":"default","destinationOwner":"unknown","destinationPrincipal":"cluster.local/ns/istio-system/sa/istio-egressgateway-with-sni-proxy-service-account","destinationServiceHost":"","destinationWorkload":"unknown","protocol":"tcp","receivedBytes":298,"reporter":"source","requestedServerName":"placeholder.wikipedia.org","sentBytes":0,"sourceApp":"istio-egressgateway-with-sni-proxy","sourceIp":"172.30.146.88","sourceName":"istio-egressgateway-with-sni-proxy-7c4f7868fb-rc8pr","sourceNamespace":"istio-system","sourceOwner":"kubernetes://apis/extensions/v1beta1/namespaces/istio-system/deployments/istio-egressgateway-with-sni-proxy","sourcePrincipal":"cluster.local/ns/default/sa/default","sourceWorkload":"istio-egressgateway-with-sni-proxy","totalReceivedBytes":298,"totalSentBytes":0} + {{< /text >}} + + Note the `requestedServerName` attribute. + +### Monitor the SNI and enforce access policies based on it + +1. Create the `logentry`, `rules` and `handlers`: + + {{< text bash >}} + $ cat <}} + +1. 
Send HTTPS requests to + [https://en.wikipedia.org](https://en.wikipedia.org) and [https://de.wikipedia.org](https://de.wikipedia.org): + + {{< text bash >}} + $ kubectl exec -it $SOURCE_POD -c sleep -- bash -c 'curl -s https://en.wikipedia.org/wiki/Main_Page | grep -o ".*"; curl -s https://de.wikipedia.org/wiki/Wikipedia:Hauptseite | grep -o ".*"' + Wikipedia, the free encyclopedia + Wikipedia – Die freie Enzyklopädie + {{< /text >}} + +1. Check the mixer log. If Istio is deployed in the `istio-system` namespace, the command to print the log is: + + {{< text bash >}} + $ for TELEMETRY_POD in $(kubectl -n istio-system get pods -l istio-mixer-type=telemetry -o jsonpath='{.items[*].metadata.name}'); do kubectl -n istio-system logs $TELEMETRY_POD mixer | grep 'egress-access.logentry.istio-system'; done + {{< /text >}} + +1. Define a policy that will allow access to the hostnames matching `*.wikipedia.org` except for the Wikipedia in + English: + + {{< text bash >}} + $ cat <}} + +1. Send an HTTPS request to the blacklisted [https://en.wikipedia.org](https://en.wikipedia.org): + + {{< text bash >}} + $ kubectl exec -it $SOURCE_POD -c sleep -- bash -c 'curl -v https://en.wikipedia.org/wiki/Main_Page' + ... + curl: (35) Unknown SSL protocol error in connection to en.wikipedia.org:443 + command terminated with exit code 35 + {{< /text >}} + +1. 
Send HTTPS requests to some other sites, for example [https://es.wikipedia.org](https://es.wikipedia.org) and + [https://de.wikipedia.org](https://de.wikipedia.org): + + {{< text bash >}} + $ kubectl exec -it $SOURCE_POD -c sleep -- bash -c 'curl -s https://es.wikipedia.org/wiki/Wikipedia:Portada | grep -o ".*"; curl -s https://de.wikipedia.org/wiki/Wikipedia:Hauptseite | grep -o ".*"' + Wikipedia, la enciclopedia libre + Wikipedia – Die freie Enzyklopädie + {{< /text >}} + +#### Cleanup of monitoring and policy enforcement + +{{< text bash >}} +$ kubectl delete rule handle-wikipedia-access check-wikipedia-access -n istio-system +$ kubectl delete logentry egress-access -n istio-system +$ kubectl delete stdio egress-access-logger -n istio-system +$ kubectl delete listentry requested-server-name -n istio-system +$ kubectl delete listchecker wikipedia-checker -n istio-system +{{< /text >}} + +### Monitor the SNI and the source identity, and enforce access policies based on them + +If you used mutual TLS between the sidecar proxy and the egress gateway, you can monitor the [service identity](/docs/concepts/what-is-istio/#citadel) and enforce policies based on it. In Istio on Kubernetes, the +identities are based on +[Service Accounts](https://kubernetes.io/docs/tasks/configure-pod-container/configure-service-account/). In this +subsection, you define two service accounts, namely, `us` and `canada`. Then you define a policy that allows services +with the `us` identity access the English and the Spanish versions of Wikipedia, and services with `canada` identity the +English and the French versions. + +1. Create the service accounts: + + {{< text bash >}} + $ cat <}} + +1. Deploy two _sleep_ containers, namely _sleep-us_ and _sleep-canada_, with _us_ and _canada_ service accounts, + respectively: + + {{< text bash >}} + $ cat <}} + +1. Create the `logentry`, `rules` and `handlers`: + + {{< text bash >}} + $ cat <}} + +1. 
Send HTTPS requests to Wikipedia sites in English, German, Spanish and French, from `sleep-us`: + + {{< text bash >}} + $ kubectl exec -it $(kubectl get pod -l app=sleep-us -o jsonpath='{.items[0].metadata.name}') -c sleep -- bash -c 'curl -s https://en.wikipedia.org/wiki/Main_Page | grep -o ".*"; curl -s https://de.wikipedia.org/wiki/Wikipedia:Hauptseite | grep -o ".*"; curl -s https://es.wikipedia.org/wiki/Wikipedia:Portada | grep -o ".*"; curl -s https://fr.wikipedia.org/wiki/Wikip%C3%A9dia:Accueil_principal | grep -o ".*"' + Wikipedia, the free encyclopedia + Wikipedia – Die freie Enzyklopädie + Wikipedia, la enciclopedia libre + Wikipédia, l'encyclopédie libre + {{< /text >}} + +1. Check the mixer log. If Istio is deployed in the `istio-system` namespace, the command to print the log is: + + {{< text bash >}} + $ for TELEMETRY_POD in $(kubectl -n istio-system get pods -l istio-mixer-type=telemetry -o jsonpath='{.items[*].metadata.name}'); do kubectl -n istio-system logs $TELEMETRY_POD mixer | grep 'egress-access.logentry.istio-system'; done + {"level":"info","time":"2018-09-11T16:07:03.990619Z","instance":"egress-access.logentry.istio-system","connectionEvent":"open","destinationApp":"","requestedServerName":"en.wikipedia.org","source":"istio-egressgateway-with-sni-proxy","sourceNamespace":"default","sourcePrincipal":"cluster.local/ns/default/sa/us","sourceWorkload":"istio-egressgateway-with-sni-proxy"} + {"level":"info","time":"2018-09-11T16:07:04.779349Z","instance":"egress-access.logentry.istio-system","connectionEvent":"open","destinationApp":"","requestedServerName":"de.wikipedia.org","source":"istio-egressgateway-with-sni-proxy","sourceNamespace":"default","sourcePrincipal":"cluster.local/ns/default/sa/us","sourceWorkload":"istio-egressgateway-with-sni-proxy"} + 
{"level":"info","time":"2018-09-11T16:07:05.564542Z","instance":"egress-access.logentry.istio-system","connectionEvent":"open","destinationApp":"","requestedServerName":"es.wikipedia.org","source":"istio-egressgateway-with-sni-proxy","sourceNamespace":"default","sourcePrincipal":"cluster.local/ns/default/sa/us","sourceWorkload":"istio-egressgateway-with-sni-proxy"} + {"level":"info","time":"2018-09-11T16:07:06.256554Z","instance":"egress-access.logentry.istio-system","connectionEvent":"open","destinationApp":"","requestedServerName":"fr.wikipedia.org","source":"istio-egressgateway-with-sni-proxy","sourceNamespace":"default","sourcePrincipal":"cluster.local/ns/default/sa/us","sourceWorkload":"istio-egressgateway-with-sni-proxy"} + {{< /text >}} + + Note the `requestedServerName` attribute, and `sourcePrincipal`, it should be `cluster.local/ns/default/sa/us`. + +1. Define a policy that will allow access to the Wikipedia in English and Spanish for the services with the _us_ + service account and to the Wikipedia in English and French for services with the _canada_ service account. + + {{< text bash >}} + $ cat <}} + +1. Resend HTTPS requests to Wikipedia sites in English, German, Spanish and French, from `sleep-us`: + + {{< text bash >}} + $ kubectl exec -it $(kubectl get pod -l app=sleep-us -o jsonpath='{.items[0].metadata.name}') -c sleep -- bash -c 'curl -s https://en.wikipedia.org/wiki/Main_Page | grep -o ".*"; curl -s https://de.wikipedia.org/wiki/Wikipedia:Hauptseite | grep -o ".*"; curl -s https://es.wikipedia.org/wiki/Wikipedia:Portada | grep -o ".*"; curl -s https://fr.wikipedia.org/wiki/Wikip%C3%A9dia:Accueil_principal | grep -o ".*";:' + Wikipedia, the free encyclopedia + Wikipedia, la enciclopedia libre + {{< /text >}} + +1. 
Resend HTTPS requests to Wikipedia sites in English, German, Spanish and French, from `sleep-canada`: + + {{< text bash >}} + $ kubectl exec -it $(kubectl get pod -l app=sleep-canada -o jsonpath='{.items[0].metadata.name}') -c sleep -- bash -c 'curl -s https://en.wikipedia.org/wiki/Main_Page | grep -o ".*"; curl -s https://de.wikipedia.org/wiki/Wikipedia:Hauptseite | grep -o ".*"; curl -s https://es.wikipedia.org/wiki/Wikipedia:Portada | grep -o ".*"; curl -s https://fr.wikipedia.org/wiki/Wikip%C3%A9dia:Accueil_principal | grep -o ".*";:' + Wikipedia, the free encyclopedia + Wikipédia, l'encyclopédie libre + {{< /text >}} + +#### Cleanup of monitoring and policy enforcement + +{{< text bash >}} +$ kubectl delete serviceaccount us canada +$ kubectl delete service sleep-us sleep-canada +$ kubectl delete deployment sleep-us sleep-canada +$ kubectl delete rule handle-wikipedia-access deny-forbidden-access -n istio-system +$ kubectl delete logentry egress-access -n istio-system +$ kubectl delete stdio egress-access-logger -n istio-system +$ kubectl delete checknothing null-instance -n istio-system +$ kubectl delete denier forbidden-access -n istio-system +{{< /text >}} + +### Cleanup of HTTPS traffic configuration to arbitrary wildcarded domains + +1. Delete the configuration items for _*.wikipedia.org_: + + {{< text bash >}} + $ kubectl delete serviceentry wikipedia + $ kubectl delete gateway istio-egressgateway-with-sni-proxy + $ kubectl delete virtualservice direct-wikipedia-through-egress-gateway + $ kubectl delete destinationrule egressgateway-for-wikipedia + $ kubectl delete envoyfilter network-level-sni-reader + {{< /text >}} + +1. 
Delete the configuration items for the `egressgateway-with-sni-proxy` `Deployment`: + + {{< text bash >}} + $ kubectl delete serviceentry sni-proxy + $ kubectl delete destinationrule disable-mtls-for-sni-proxy + $ kubectl delete -f ./istio-egressgateway-with-sni-proxy.yaml + $ kubectl delete configmap egress-sni-proxy-configmap -n istio-system + {{< /text >}} + +1. Remove the configuration files you created: + + {{< text bash >}} + $ rm ./istio-egressgateway-with-sni-proxy.yaml + $ rm ./sni-proxy.conf + {{< /text >}} + +## Cleanup + +Perform the instructions in the [Cleanup](/docs/examples/advanced-egress/egress-gateway/#cleanup) +section of the [Configure an Egress Gateway](/docs/examples/advanced-egress/egress-gateway) example.
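Review bot: the Nginx SNI proxy configuration hard-codes `resolver 8.8.8.8 ipv6=off;`, which sends a DNS query for every egress destination to a public third-party resolver outside the cluster and bypasses any in-cluster DNS logging or policy; please make the resolver explicit in the text (and preferably point it at the cluster DNS service or a configurable address) since this is the one component in the pipeline that Mixer does not see. Two related caveats belong in the "Enable HTTPS traffic to arbitrary wildcarded domains" section: `proxy_pass \$ssl_preread_server_name:443;` forwards to whatever name the client places in the ClientHello, so the Nginx container is effectively an open TCP forwarder for any SNI value and the only access control is the Mixer `listchecker`/`denier` rules added later; and a client that sends no SNI produces an empty upstream, so the connection fails rather than being forwarded, which is the safe default but should be stated because `requestedServerName` is also what the policies key on. Smaller points: the heading `#### Cleanup of monitoring and policy enforcement` appears twice, which produces duplicate anchors in the rendered page (suffix the second one, e.g. "... based on SNI and source identity"); "This examples assumes" should be "This example assumes", "capable to route" should be "capable of routing", and "Would you want to control access to `*.com`" reads better as "If you wanted to control access to `*.com`".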