我正在尝试为HTTPS配置Istio的入口。
我正在关注官方Secure-Ingress教程,但该教程无效。本教程介绍如何在Istio的Ingressgateway窗格上终止TLS。
在先决条件中,他们让您为Istio配置了纯文本HTTP到httpbin服务。 (我只是通过部署到名称空间httpbin而不是默认值来更改了本教程)。纯文本HTTP的前提条件是:curl -i -HHost:httpbin.example.com "https://$(INGRESS_HOST):$(INGRESS_PORT)/status/200"返回
HTTP/1.1 200 OK
server: istio-envoy
告诉我httpbin Kubernetes服务已正确配置,网关和虚拟服务也已正确配置。
接下来,我在istio-system名称空间(入口网关所在的位置)中创建了一个包含两个字段(密钥和cert)的Kubernetes机密。 kubectl create -n istio-system secret tls httpbin-tls-certificate --key=secrets/httpbin.example.com.key --cert=secrets/httpbin.example.com.crt。
下一步,我更新网关和虚拟服务配置以打开端口443:
apiVersion: networking.istio.io/v1alpha3
kind: Gateway
metadata:
name: httpbin
namespace: httpbin
spec:
selector:
istio: ingressgateway
servers:
- port:
number: 80
name: http
protocol: HTTP
hosts:
- "httpbin.example.com"
- port:
number: 443
name: https
protocol: HTTPS
tls:
mode: SIMPLE
credentialName: httpbin-tls-certificate
hosts:
- httpbin.example.com
---
apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
name: httpbin
namespace: httpbin
spec:
hosts:
- "httpbin.example.com"
gateways:
- httpbin
http:
- match:
- uri:
prefix: /status
- uri:
prefix: /delay
route:
- destination:
host: httpbin
port:
number: 80
Ingressgateway日志中的以下内容告诉我,该秘密已被发现并包含密钥+证书
2020-10-05T20:12:28.524062Z info sds resource:httpbin-tls-certificate pushed key/cert pair to proxy
但是测试HTTP失败:
$ curl -v -i -HHost:httpbin.example.com --cacert secrets/example.com.crt
"https://$(INGRESS_HOST):$(INGRESS_PORT_SECURE)/status/200"
* Trying [Redacted IP]...
* Connected to [redacted domain name].us-west-2.elb.amazonaws.com port 443 (#0)
* found 1 certificates in secrets/example.com.crt
* found 526 certificates in /etc/ssl/certs
* ALPN, offering http/1.1
* gnutls_handshake() failed: The TLS connection was non-properly terminated.
* Closing connection 0
curl: (35) gnutls_handshake() failed: The TLS connection was non-properly terminated.
更新1 除了路由端口443,我还打开了端口9444,并尝试使用以下更新的配置为host =“ *”而不是host =“ httpbin.example.com”路由它。
apiVersion: networking.istio.io/v1alpha3
kind: Gateway
metadata:
name: httpbin
namespace: httpbin
spec:
selector:
istio: ingressgateway
servers:
- port:
number: 80
name: http
protocol: HTTP
hosts:
- "httpbin.example.com"
- port:
number: 443
name: https
protocol: HTTPS
tls:
mode: SIMPLE
credentialName: httpbin-tls-certificate
hosts:
- "httpbin.example.com"
- port:
number: 9444
name: https2
protocol: HTTPS
tls:
mode: SIMPLE
credentialName: httpbin-tls-certificate
hosts:
- "*"
---
apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
name: httpbin
namespace: httpbin
spec:
hosts:
- "httpbin.example.com"
gateways:
- httpbin
http:
- match:
- uri:
prefix: /status
- uri:
prefix: /delay
route:
- destination:
host: httpbin
port:
number: 80
---
apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
name: httpbin-tls
namespace: httpbin
spec:
hosts:
- "*"
gateways:
- httpbin
http:
- match:
- port: 9444
uri:
prefix: /status
- port: 9444
uri:
prefix: /delay
route:
- destination:
host: httpbin
在此更新之前进行卷曲操作会导致curl: (35) gnutls_handshake() failed: The TLS connection was non-properly terminated.错误的地方,更新curl命令并将端口更改为9444会产生一个新错误curl: (51) SSL: certificate subject name (httpbin.example.com) does not match target host name [redacted].us-west-2.elb.amazonaws.com。通过--insecure进行卷曲可以解决该问题,我的状态恢复为正常。
所以我有一个部分解决方案,但我正在寻找真正的交易
-Hhostname的istio路由发送到正确的kubernetes服务。