Merge pull request #5 from ethinx/pr-bidir-mtls

[fix] bidir-mTLS: update TLS certs and remove `-k` option in curl command

content/en/demos/security/bidirection_tls_fsm.md

@@ -36,6 +36,7 @@ kubectl wait --namespace fsm-system \
 ```bash
 #Sample server service
 kubectl create namespace egress-server
+
 kubectl apply -n egress-server -f https://raw.githubusercontent.com/flomesh-io/fsm-docs/{{< param fsm_branch >}}/manifests/samples/bidir-mtls/server.yaml
 
 #Sample middle-ware service
@@ -70,7 +71,7 @@ The correct return result is similar to :
 
 ```bash
 HTTP/1.1 404 Not Found
-Server: pipy/0.70.0
+Server: pipy/0.90.0
 content-length: 17
 connection: keep-alive
 
@@ -89,7 +90,8 @@ metadata:
 spec:
   ingressClassName: pipy
   rules:
-  - http:
+  - host: fsm-ingress.fsm-system
+    http:
       paths:
       - path: /
         pathType: Prefix
@@ -139,12 +141,9 @@ The correct return result is similar to :
 
 ```bash
 HTTP/1.1 200 OK
-date: Sun, 04 Dec 2022 12:03:47 GMT
+date: Fri, 17 Nov 2023 09:10:45 GMT
 content-type: text/plain; charset=utf-8
-fsm-stats-namespace: egress-middle
-fsm-stats-kind: Deployment
-fsm-stats-name: middle
-fsm-stats-pod: middle-58d9865569-dwcvf
+fsm-stats: egress-middle,Deployment,middle,middle-7965485977-nlnl2
 content-length: 13
 connection: keep-alive
 
@@ -226,16 +225,13 @@ The correct return result is similar to :
 
 ```bash
 HTTP/1.1 200 OK
-date: Sun, 04 Dec 2022 12:08:14 GMT
+date: Fri, 17 Nov 2023 09:11:53 GMT
 content-type: text/plain; charset=utf-8
-fsm-stats-namespace: egress-middle
-fsm-stats-kind: Deployment
-fsm-stats-name: middle
-fsm-stats-pod: middle-58d9865569-dwcvf
-content-length: 76
+fsm-stats: egress-middle,Deployment,middle,middle-7965485977-nlnl2
+content-length: 74
 connection: keep-alive
 
-The current time: 2022-12-04 12:08:14.034663797 +0000 UTC m=+1093.291560087
+The current time: 2023-11-17 09:11:53.67111584 +0000 UTC m=+110.875627674
 ```
 
 This business scenario is tested and the strategy is cleaned up to avoid affecting subsequent tests
@@ -265,7 +261,7 @@ The correct return result is similar to :
 
 ```bash
 HTTP/1.1 404 Not Found
-Server: pipy/0.70.0
+Server: pipy/0.90.0
 content-length: 17
 connection: keep-alive
 
@@ -312,7 +308,8 @@ metadata:
 spec:
   ingressClassName: pipy
   rules:
-  - http:
+  - host: fsm-ingress.fsm-system
+    http:
       paths:
       - path: /
         pathType: Prefix
@@ -366,12 +363,9 @@ The correct return result is similar to :
 
 ```bash
 HTTP/1.1 200 OK
-date: Fri, 09 Dec 2022 08:00:36 GMT
+date: Fri, 17 Nov 2023 09:12:39 GMT
 content-type: text/plain; charset=utf-8
-fsm-stats-namespace: egress-middle
-fsm-stats-kind: Deployment
-fsm-stats-name: middle
-fsm-stats-pod: middle-7956998bd5-bm5vx
+fsm-stats: egress-middle,Deployment,middle,middle-7965485977-nlnl2
 content-length: 13
 connection: keep-alive
 
@@ -453,16 +447,13 @@ The correct return result is similar to :
 
 ```bash
 HTTP/1.1 200 OK
-date: Fri, 09 Dec 2022 08:03:59 GMT
+date: Fri, 17 Nov 2023 09:13:09 GMT
 content-type: text/plain; charset=utf-8
-fsm-stats-namespace: egress-middle
-fsm-stats-kind: Deployment
-fsm-stats-name: middle
-fsm-stats-pod: middle-7956998bd5-bm5vx
-content-length: 77
+fsm-stats: egress-middle,Deployment,middle,middle-7965485977-nlnl2
+content-length: 72
 connection: keep-alive
 
-The current time: 2022-12-09 08:03:59.990118972 +0000 UTC m=+21257.813505728
+The current time: 2023-11-17 09:13:09.478407 +0000 UTC m=+186.682918839
 ```
 
 This business scenario is tested and the strategy is cleaned up to avoid affecting subsequent tests
@@ -496,7 +487,7 @@ The correct return result is similar to :
 
 ```bash
 HTTP/1.1 404 Not Found
-Server: pipy/0.70.0
+Server: pipy/0.90.0
 content-length: 17
 connection: keep-alive
 
@@ -516,6 +507,7 @@ kubectl patch meshconfig fsm-mesh-config -n "$FSM_NAMESPACE" -p '{"spec":{"certi
 curl -s https://raw.githubusercontent.com/flomesh-io/fsm-docs/{{< param fsm_branch >}}/manifests/samples/bidir-mtls/certs/pipy-ca.crt -o pipy-ca.crt
 curl -s https://raw.githubusercontent.com/flomesh-io/fsm-docs/{{< param fsm_branch >}}/manifests/samples/bidir-mtls/certs/ingress-pipy.crt -o ingress-pipy.crt
 curl -s https://raw.githubusercontent.com/flomesh-io/fsm-docs/{{< param fsm_branch >}}/manifests/samples/bidir-mtls/certs/ingress-pipy.key -o ingress-pipy.key
+
 kubectl create secret generic -n egress-middle ingress-pipy-cert-secret \
   --from-file=ca.crt=./pipy-ca.crt \
   --from-file=tls.crt=./ingress-pipy.crt \
@@ -552,7 +544,8 @@ metadata:
 spec:
   ingressClassName: pipy
   rules:
-  - http:
+  - host: fsm-ingress.fsm-system
+    http:
       paths:
       - path: /
         pathType: Prefix
@@ -594,7 +587,7 @@ spec:
 EOF
 ```
 
-#### Replace client TLS
+#### Replace client TLS certificate
 
 ```shell
 curl -s https://raw.githubusercontent.com/flomesh-io/fsm-docs/{{< param fsm_branch >}}/manifests/samples/bidir-mtls/certs/client.crt -o client.crt
@@ -644,7 +637,7 @@ Traffic flow:
 Client --**tls**--> Ingress FSM --**mtls** --> sidecar --> Middle
 
 ```bash
-kubectl exec "$(kubectl get pod -n egress-client -l app=client -o jsonpath='{.items..metadata.name}')" -n egress-client -- curl -ksi https://fsm-ingress.fsm-system/hello --key /client/tls.key --cert /client/tls.crt
+kubectl exec "$(kubectl get pod -n egress-client -l app=client -o jsonpath='{.items..metadata.name}')" -n egress-client -- curl -si https://fsm-ingress.fsm-system/hello --cacert /client/ca.crt
 ```
 
 #### Test Results
@@ -653,12 +646,9 @@ The correct return result is similar to :
 
 ```bash
 HTTP/2 200
-date: Thu, 15 Dec 2022 07:02:42 GMT
+date: Fri, 17 Nov 2023 09:17:43 GMT
 content-type: text/plain; charset=utf-8
-fsm-stats-namespace: egress-middle
-fsm-stats-kind: Deployment
-fsm-stats-name: middle
-fsm-stats-pod: middle-5bf7d76c4c-xr24j
+fsm-stats: egress-middle,Deployment,middle,middle-7965485977-nlnl2
 content-length: 13
 
 hello world.
@@ -717,7 +707,7 @@ Traffic flow:
 Client --**tls**-->  Ingress FSM --**mtls**--> sidecar --> Middle --> sidecar --**egress mtls**--> Server
 
 ```bash
-kubectl exec "$(kubectl get pod -n egress-client -l app=client -o jsonpath='{.items..metadata.name}')" -n egress-client -- curl -ksi https://fsm-ingress.fsm-system/time --key /client/tls.key --cert /client/tls.crt
+kubectl exec "$(kubectl get pod -n egress-client -l app=client -o jsonpath='{.items..metadata.name}')" -n egress-client -- curl -si https://fsm-ingress.fsm-system/time --cacert /client/ca.crt
 ```
 
 #### Test Results
@@ -726,15 +716,12 @@ The correct return result is similar to :
 
 ```bash
 HTTP/2 200
-date: Thu, 15 Dec 2022 07:04:26 GMT
+date: Fri, 17 Nov 2023 09:18:02 GMT
 content-type: text/plain; charset=utf-8
-fsm-stats-namespace: egress-middle
-fsm-stats-kind: Deployment
-fsm-stats-name: middle
-fsm-stats-pod: middle-5bf7d76c4c-xr24j
+fsm-stats: egress-middle,Deployment,middle,middle-7965485977-nlnl2
 content-length: 75
 
-The current time: 2022-12-15 07:04:26.62032737 +0000 UTC m=+4972.430170668
+The current time: 2023-11-17 09:18:02.826626944 +0000 UTC m=+480.031138782
 ```
 
 This business scenario is tested and the strategy is cleaned up to avoid affecting subsequent tests
@@ -748,6 +735,7 @@ kubectl delete ingressbackend -n egress-middle egress-middle
 kubectl delete egress -n egress-middle server-8443
 kubectl delete secrets -n fsm-system egress-middle-cert
 kubectl delete secrets -n egress-middle ingress-pipy-cert-secret
+kubectl delete secrets -n egress-client egress-client-secret
 ```
 
 ### Scenario#4：mTLS FSM & mTLS Ingress & mTLS Egress
@@ -768,7 +756,7 @@ The correct return result is similar to :
 
 ```bash
 HTTP/1.1 404 Not Found
-Server: pipy/0.70.0
+Server: pipy/0.90.0
 content-length: 17
 connection: keep-alive
 
@@ -801,7 +789,6 @@ kubectl create secret generic -n egress-middle ingress-controller-ca-secret \
 #### Replace client TLS certificate
 
 ```shell
-
 curl -s https://raw.githubusercontent.com/flomesh-io/fsm-docs/{{< param fsm_branch >}}/manifests/samples/bidir-mtls/certs/client.crt -o client.crt
 curl -s https://raw.githubusercontent.com/flomesh-io/fsm-docs/{{< param fsm_branch >}}/manifests/samples/bidir-mtls/certs/client.key -o client.key
 
@@ -858,7 +845,8 @@ metadata:
 spec:
   ingressClassName: pipy
   rules:
-  - http:
+  - host: fsm-ingress.fsm-system
+    http:
       paths:
       - path: /
         pathType: Prefix
@@ -913,7 +901,7 @@ Traffic flow:
 Client --**mtls**--> Ingress FSM --**mtls** --> sidecar --> Middle
 
 ```bash
-kubectl exec "$(kubectl get pod -n egress-client -l app=client -o jsonpath='{.items..metadata.name}')" -n egress-client -- curl -ksi https://fsm-ingress.fsm-system/hello  --cacert /client/ca.crt --key /client/tls.key --cert /client/tls.crt
+kubectl exec "$(kubectl get pod -n egress-client -l app=client -o jsonpath='{.items..metadata.name}')" -n egress-client -- curl -si https://fsm-ingress.fsm-system/hello  --cacert /client/ca.crt --key /client/tls.key --cert /client/tls.crt
 ```
 
 #### Test Results
@@ -922,12 +910,9 @@ The correct return result is similar to :
 
 ```bash
 HTTP/2 200
-date: Thu, 15 Dec 2022 08:55:01 GMT
+date: Fri, 17 Nov 2023 09:19:57 GMT
 content-type: text/plain; charset=utf-8
-fsm-stats-namespace: egress-middle
-fsm-stats-kind: Deployment
-fsm-stats-name: middle
-fsm-stats-pod: middle-5bf7d76c4c-xr24j
+fsm-stats: egress-middle,Deployment,middle,middle-7965485977-nlnl2
 content-length: 13
 
 hello world.
@@ -978,6 +963,8 @@ spec:
       issuer: other
       cert:
         sn: 1
+        subjectAltNames: 
+        - flomesh.io
         expiration: 2030-1-1 00:00:00
         secret:
           name: egress-middle-cert
@@ -997,7 +984,7 @@ Traffic flow:
 Client --**mtls**--> Ingress FSM --**mtls**--> sidecar --> Middle --> sidecar --**egress mtls**--> Server
 
 ```bash
-kubectl exec "$(kubectl get pod -n egress-client -l app=client -o jsonpath='{.items..metadata.name}')" -n egress-client -- curl -ksi https://fsm-ingress.fsm-system/time --cacert /client/ca.crt --key /client/tls.key --cert /client/tls.crt
+kubectl exec "$(kubectl get pod -n egress-client -l app=client -o jsonpath='{.items..metadata.name}')" -n egress-client -- curl -si https://fsm-ingress.fsm-system/time --cacert /client/ca.crt --key /client/tls.key --cert /client/tls.crt
 ```
 
 #### Test Results
@@ -1006,13 +993,26 @@ The correct return result is similar to :
 
 ```bash
 HTTP/2 200
-date: Thu, 15 Dec 2022 08:56:12 GMT
+date: Fri, 17 Nov 2023 09:20:24 GMT
 content-type: text/plain; charset=utf-8
-fsm-stats-namespace: egress-middle
-fsm-stats-kind: Deployment
-fsm-stats-name: middle
-fsm-stats-pod: middle-5bf7d76c4c-xr24j
-content-length: 76
-
-The current time: 2022-12-15 08:56:12.953677725 +0000 UTC m=+6997.289902113
-```
+fsm-stats: egress-middle,Deployment,middle,middle-7965485977-nlnl2
+content-length: 75
+
+The current time: 2023-11-17 09:20:24.101929396 +0000 UTC m=+621.306441226
+```
+
+This business scenario is tested and the strategy is cleaned up to avoid affecting subsequent tests
+
+```bash
+export FSM_NAMESPACE=fsm-system
+kubectl patch meshconfig fsm-mesh-config -n "$FSM_NAMESPACE" -p '{"spec":{"certificate":{"ingressGateway":null}}}' --type=merge
+kubectl patch meshconfig fsm-mesh-config -n "$FSM_NAMESPACE" -p '{"spec":{"ingress":{"tls":{"mTLS": false}}}}' --type=merge
+
+kubectl delete ingress -n egress-middle egress-middle
+kubectl delete ingressbackend -n egress-middle egress-middle
+kubectl delete egress -n egress-middle server-8443
+kubectl delete secrets -n fsm-system egress-middle-cert
+kubectl delete secrets -n egress-middle ingress-pipy-cert-secret
+kubectl delete secrets -n egress-middle ingress-controller-ca-secret
+kubectl delete secrets -n egress-client egress-client-secret
+```

manifests/samples/bidir-mtls/certs/client.crt

@@ -1,17 +1,20 @@
 -----BEGIN CERTIFICATE-----
-MIICsTCCAZkCFHMG3MjzGcAhNSiOjvwwet9HaM9QMA0GCSqGSIb3DQEBCwUAMBUx
-EzARBgNVBAMMCmZsb21lc2guaW8wHhcNMjMwOTE1MTA0MDIzWhcNMjQwOTE0MTA0
-MDIzWjAVMRMwEQYDVQQDDApmbG9tZXNoLmlvMIIBIjANBgkqhkiG9w0BAQEFAAOC
-AQ8AMIIBCgKCAQEAkO/8EUsthMYF88z5N2mmfETyL//qBMzehD7k7FpeNcQ9ZJIo
-gmBI+JU+w3JXxUn4Yq6s9x6cF5cH98HmzGORBCAXlayEPFX0HbQpYW7EOju1TEzC
-5TMIhVfKxiXYz1E0IVx+exa/AA0etVRA3oiVnUM3Th07rzNBKR8KsqvKXQ++DPxA
-RlOuhT+oWKFVZxjcC2J7/5nzOlm/5LFdr/c2rO05dOL7yKg6wvIDnm2G6OPPUhbS
-EywMGrU2XdF5jBhxEvkMpNIWEK+7/pbTJaDo+YHxZCg6PvfUEGmfOntSLcIdDKzs
-wUL5/X7AZe5E14vrNXpbYjE5tvCAWif7N8AhgQIDAQABMA0GCSqGSIb3DQEBCwUA
-A4IBAQAobQFB8+G+6/FFbZwXvsiqI4dMV9EjvjlefcE4aWnbAIzbwWgBXKYIygDG
-0Hd2YgvPzYtEF7eSLRh4rQRaXyBBAPgolsQ5h5C/3TFJKwB8xq7M0t9pJwRJnV4i
-xJ0Az/X5hfnC2Xg22DUYdqrlW9btTPCLw+k5TIkTHnN70SbOcHYRn2h28B30tiqo
-jzbByasq/8BCUi/uSUKf2EufvSnbxR/p6dT1+WV+ikXLwrfDu9fYQHuH7xVq1mhq
-WnZWuSxLBS+3J0mBMAPTfObmQNRwxIJknIqZNvk62awmnk4svhTBooexvxnoUjJc
-Wr1Pfd6J+9xLSzRID/IlIhgKwrv6
+MIIDTTCCAjWgAwIBAgIULTM99LrencZ0rXQdH65UtuJ2t9kwDQYJKoZIhvcNAQEL
+BQAwFTETMBEGA1UEAwwKZmxvbWVzaC5pbzAeFw0yMzExMTcwODM5MjhaFw0yODEx
+MTUwODM5MjhaMDExLzAtBgNVBAMMJmNsaWVudC5lZ3Jlc3MtY2xpZW50LnN2Yy5j
+bHVzdGVyLmxvY2FsMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEApyCw
+Ocume+bi5ATiTismC4c9qyOgjiS7rFCewBx5uGygPbw14XFYAcqMWBb9JkNAEDFG
+kKRrE11ClTTUvLbk+xcfDSuHsHHXXuxbAOJPR8MZKkWSDELhdRcFijA+eJjDQrtq
+TIGMwVWy3lnSLOCZbAZ+Hs+/2w+eU64FohYohPr7z/ir5pZALekwEvp+V3w9jZ7u
+EDBMGH9AOTuHYul//LX3w3QlHZQX1m0VvZFke+p/YGoDqPRQ6aYZlq7cd6C7dC/H
+lLtVav4+O1zRKFJKA0eWfQxhil68DSVSf9Ew4B+z+pDKVfuSvTLKQ+4Fy9aRXSgm
+ER/NcwQZJE9a9riFnwIDAQABo3kwdzAdBgNVHQ4EFgQUc3pQ6bXkT+bs6o2tAoLb
+BsnJpVUwHwYDVR0jBBgwFoAUz1vumPWTxrnvIjOAChv63UQEjC4wHQYDVR0lBBYw
+FAYIKwYBBQUHAwEGCCsGAQUFBwMCMAsGA1UdDwQEAwIHgDAJBgNVHRMEAjAAMA0G
+CSqGSIb3DQEBCwUAA4IBAQAFtmUOgGtH3v/kq74Jp1LSxzgSE0cLRjIT1za+Wodm
+reLFbfDW9fylPVFxuTj9RduqnB4l0i70cB6AVWdPJt8FInr91tWlOn/szgJK2mMm
+cxG5ZXIfLW4gPEgG4uOT7s3n39RFkEbCuWT4PoAgXUDJNs0OMLwXVki48kf3Mwss
+dtwywqsc6nGC3dPYr1NX2mqvd7gAUxNyjT171m3TR4MtJ42/ZP+VbcUFUofYb2eH
+qD/O2hEgzUK7MgDN4FgINakykcPZlmEyUJE+pcMYVlPnjM734MWWCZRP639IennJ
+hVDA1dEF14FYNI8A+44uZcwXRKl5XvqRMquI1THvZ8Fj
 -----END CERTIFICATE-----