update harbor docs

Author: mfanjie

module10/harbor/harbor.MD

@@ -6,7 +6,7 @@ kubectl create ns harbor
 ```
 ### update values.yaml
 ```
-vi .harbor/values.yaml and change
+vi ./harbor/values.yaml and change
 
 
 expose:
@@ -25,28 +25,26 @@ helm install harbor ./harbor -n harbor
 192.168.34.2:30002
 admin/Harbor12345
 ```
-### add insecure registry to docker client and restart docker
-```
-{
-  "features": {
-    "buildkit": true
-  },
-  "experimental": false,
-  "builder": {
-    "gc": {
-      "enabled": true,
-      "defaultKeepStorage": "20GB"
-    }
-  },
-  "insecure-registries": [
-    "core.harbor.domain:32177"
-  ]
-}
+### download repository certs from 
+```
+https://192.168.34.2:30003/harbor/projects/1/repositories
+```
+### copy the downloaded ca.crt to vm docker certs configuration folder
+```
+mkdir /etc/docker/certs.d/core.harbor.domain
+copy the ca.crt to this folder
+systemctl restart docker
+```
+### edit /etc/hosts to map core.harbor.domain to harbor svc clusterip
+```
+10.104.231.99 core.harbor.domain
 ```
 ### docker login
 ```
-docker login -u harbor_registry_user -p harbor_registry_password core.harbor.domain:32083
+docker login -u admin -p Harbor12345 core.harbor.domain
 ```
+### docker tag a image to core.harbor.domain and push it and you will see it in harbor portal
+
 ### check repositories and blobs
 ```
 kubectl exec -it harbor-registry-7d686859d7-xs5nv -n harbor bash

module15/2.security-hardening/https-gateway.MD

@@ -1,5 +1,36 @@
+### enable sidecar auto inject
+```
+kubectl label namespace default istio-injection=enabled
+```
+### cd istio root
+```
+cd istio-1.12.0/
+```
+### create bookinfo app
+```
+kubectl apply -f samples/bookinfo/platform/kube/bookinfo.yaml
+kubectl get pods
+```
+### create expose to gateway
+```
+kubectl apply -f samples/bookinfo/networking/bookinfo-gateway.yaml
+```
+### check ingress service http nodePort
+```
+kubectl get svc -n istio-system
+```
+### access productpage
+```
+curl http://192.168.34.2:31783/productpage
+```
+
+### secure the gateway by https protocol
 ```
 openssl req -x509 -sha256 -nodes -days 365 -newkey rsa:2048 -subj '/O=cncamp Inc./CN=192.168.34.2' -keyout bookinfo.key -out bookinfo.crt
 kubectl create -n istio-system secret tls bookinfo-credential --key=bookinfo.key --cert=bookinfo.crt
 kubectl apply -f https-gateway.yaml
-```
+```
+### access product page via safari(chrome blocks self sign certs)
+```
+https://192.168.34.2:31106/productpage
+```

module15/2.security-hardening/jwt/authorizationpolicy.yaml

@@ -0,0 +1,13 @@
+apiVersion: security.istio.io/v1beta1
+kind: AuthorizationPolicy
+metadata:
+  name: require-jwt
+spec:
+  selector:
+    matchLabels:
+      app: details
+  action: ALLOW
+  rules:
+    - from:
+        - source:
+            requestPrincipals: ["testing@secure.istio.io/testing@secure.istio.io"]

module15/2.security-hardening/jwt/jwt-details.MD

@@ -0,0 +1,37 @@
+### create RequestAuthentication which enables jwt token validation
+after this, requests with invalid token will be rejected
+requests without token or with valid token will be accepted
+```
+kubectl apply -f requestauthentication.yaml
+```
+### create AuthorizationPolicy which enables check of authorization
+after this, requests without token will be rejected
+```
+kubectl apply -f authorizationpolicy.yaml
+```
+### access productpage and you will see 
+```
+Sorry, product details are currently unavailable for this book.
+```
+### get jwt token
+```
+TOKEN_GROUP=$(curl https://raw.githubusercontent.com/istio/istio/release-1.12/security/tools/jwt/samples/groups-scope.jwt -s) && echo "$TOKEN_GROUP" | cut -d '.' -f2 - | base64 --decode -
+
+echo eyJhbGciOiJSUzI1NiIsImtpZCI6IkRIRmJwb0lVcXJZOHQyenBBMnFYZkNtcjVWTzVaRXI0UnpIVV8tZW52dlEiLCJ0eXAiOiJKV1QifQ.eyJleHAiOjM1MzczOTExMDQsImdyb3VwcyI6WyJncm91cDEiLCJncm91cDIiXSwiaWF0IjoxNTM3MzkxMTA0LCJpc3MiOiJ0ZXN0aW5nQHNlY3VyZS5pc3Rpby5pbyIsInNjb3BlIjpbInNjb3BlMSIsInNjb3BlMiJdLCJzdWIiOiJ0ZXN0aW5nQHNlY3VyZS5pc3Rpby5pbyJ9.EdJnEZSH6X8hcyEii7c8H5lnhgjB5dwo07M5oheC8Xz8mOllyg--AHCFWHybM48reunF--oGaG6IXVngCEpVF0_P5DwsUoBgpPmK1JOaKN6_pe9sh0ZwTtdgK_RP01PuI7kUdbOTlkuUi2AO-qUyOm7Art2POzo36DLQlUXv8Ad7NBOqfQaKjE9ndaPWT7aexUsBHxmgiGbz1SyLH879f7uHYPbPKlpHU6P9S-DaKnGLaEchnoKnov7ajhrEhGXAQRukhDPKUHO9L30oPIr5IJllEQfHYtt6IZvlNUGeLUcif3wpry1R5tBXRicx2sXMQ7LyuDremDbcNy_iE76Upg| cut -d '.' -f2 -|base64 -d
+{"exp":3537391104,"groups":["group1","group2"],"iat":1537391104,"iss":"testing@secure.istio.io","scope":["scope1","scope2"],"sub":"testing@secure.istio.io"}
+```
+ 
+### add jwt token to productpage source code
+```
+cat productpage-v2/productpage.py
+```
+### build docker images for productpage v2 with jwt token
+### create product page v2
+```
+kubectl apply -f productpage-v2/productpage.py
+```
+### access productpage and you will see error in 50% percents
+```
+Sorry, product details are currently unavailable for this book.
+```
+### this is how microservice talks to each others with jwt token

module15/2.security-hardening/jwt/jwt.MD

@@ -31,3 +31,4 @@ TOKEN_GROUP=$(curl https://raw.githubusercontent.com/istio/istio/release-1.12/se
 echo eyJhbGciOiJSUzI1NiIsImtpZCI6IkRIRmJwb0lVcXJZOHQyenBBMnFYZkNtcjVWTzVaRXI0UnpIVV8tZW52dlEiLCJ0eXAiOiJKV1QifQ.eyJleHAiOjM1MzczOTExMDQsImdyb3VwcyI6WyJncm91cDEiLCJncm91cDIiXSwiaWF0IjoxNTM3MzkxMTA0LCJpc3MiOiJ0ZXN0aW5nQHNlY3VyZS5pc3Rpby5pbyIsInNjb3BlIjpbInNjb3BlMSIsInNjb3BlMiJdLCJzdWIiOiJ0ZXN0aW5nQHNlY3VyZS5pc3Rpby5pbyJ9.EdJnEZSH6X8hcyEii7c8H5lnhgjB5dwo07M5oheC8Xz8mOllyg--AHCFWHybM48reunF--oGaG6IXVngCEpVF0_P5DwsUoBgpPmK1JOaKN6_pe9sh0ZwTtdgK_RP01PuI7kUdbOTlkuUi2AO-qUyOm7Art2POzo36DLQlUXv8Ad7NBOqfQaKjE9ndaPWT7aexUsBHxmgiGbz1SyLH879f7uHYPbPKlpHU6P9S-DaKnGLaEchnoKnov7ajhrEhGXAQRukhDPKUHO9L30oPIr5IJllEQfHYtt6IZvlNUGeLUcif3wpry1R5tBXRicx2sXMQ7LyuDremDbcNy_iE76Upg| cut -d '.' -f2 -|base64 -d
 {"exp":3537391104,"groups":["group1","group2"],"iat":1537391104,"iss":"testing@secure.istio.io","scope":["scope1","scope2"],"sub":"testing@secure.istio.io"}
 ```
+### access gateway with jwt to

module15/2.security-hardening/jwt/productpage-v2/Dockerfile

@@ -0,0 +1,2 @@
+FROM docker.io/istio/examples-bookinfo-productpage-v1:1.16.2
+ADD productpage.py /opt/microservices