一个istio-ingressgateway和多个TLS网关

时间:2018-10-09 10:27:32

标签: ssl kubernetes google-kubernetes-engine istio

问题简要

  • 如果我尝试附加多个TLS网关(使用同一证书) 到一个入口网关,只能使用一个TLS。 (最后一次应用)
  • 将多个非TLS网关附加到同一入口网关可以正常工作。

错误消息

域1(确定):

✗ curl -I https://integration.domain.com
HTTP/2 200 
server: envoy
[...]

域2(错误):

✗ curl -vI https://staging.domain.com    
* Rebuilt URL to: https://staging.domain.com/
*   Trying 35.205.120.133...
* TCP_NODELAY set
* Connected to staging.domain.com (35.x.x.x) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* Cipher selection: ALL:!EXPORT:!EXPORT40:!EXPORT56:!aNULL:!LOW:!RC4:@STRENGTH
* successfully set certificate verify locations:
*   CAfile: /etc/ssl/certs/ca-certificates.crt
  CApath: /etc/ssl/certs
* TLSv1.2 (OUT), TLS header, Certificate Status (22):
* TLSv1.2 (OUT), TLS handshake, Client hello (1):
* Unknown SSL protocol error in connection to staging.domain.com:443 
* Curl_http_done: called premature == 1
* stopped the pause stream!
* Closing connection 0
curl: (35) Unknown SSL protocol error in connection to staging.domain.com:443

事实

我有一个通配符TLS证书(请说“ * .domain.com”),我的秘密是:

kubectl create -n istio-system secret tls istio-ingressgateway-certs --key tls.key --cert tls.crt

我将默认的istio-ingressgateway附加到静态IP:

apiVersion: v1
kind: Service
metadata:
  name: istio-ingressgateway
  namespace: istio-system
  annotations:
  labels:
    chart: gateways-1.0.0
    release: istio
    heritage: Tiller
    app: istio-ingressgateway
    istio: ingressgateway
spec:
  loadBalancerIP: "35.x.x.x"
  type: LoadBalancer
  selector:
    app: istio-ingressgateway
    istio: ingressgateway
[...]

然后,对于TLS通配符(staging.domain.com,integration.domain.com)中包含的两个域,我在不同的命名空间中有两个网关:

分期:

apiVersion: networking.istio.io/v1alpha3
kind: Gateway
metadata:
  name: domain-web-gateway
  namespace: staging
spec:
  selector:
    istio: ingressgateway # use Istio default gateway implementation
  servers:
  - port:
      number: 443
      name: https
      protocol: HTTPS
    tls:
      mode: SIMPLE
      serverCertificate: /etc/istio/ingressgateway-certs/tls.crt
      privateKey: /etc/istio/ingressgateway-certs/tls.key
    hosts:
    - "staging.domain.com"
  - port:
      number: 80
      name: http
      protocol: HTTP
    hosts:
    - "staging.domain.com"

集成:

apiVersion: networking.istio.io/v1alpha3
kind: Gateway
metadata:
  name: domain-web-gateway
  namespace: integration
spec:
  selector:
    istio: ingressgateway # use Istio default gateway implementation
  servers:
  - port:
      number: 443
      name: https
      protocol: HTTPS
    tls:
      mode: SIMPLE
      serverCertificate: /etc/istio/ingressgateway-certs/tls.crt
      privateKey: /etc/istio/ingressgateway-certs/tls.key
    hosts:
    - "integration.domain.com"
  - port:
      number: 80
      name: http
      protocol: HTTP
    hosts:
    - "integration.domain.com"

1 个答案:

答案 0 :(得分:4)

问题在于,在由相同工作负载(选择器)管理的两个网关中,您对端口443使用了相同的名称(https)。他们需要具有唯一的名称。 here中记录了此限制。

您可以通过更改第二个网关的名称来修复它,例如:

apiVersion: networking.istio.io/v1alpha3
kind: Gateway
metadata:
  name: domain-web-gateway
  namespace: integration
spec:
  selector:
    istio: ingressgateway # use Istio default gateway implementation
  servers:
  - port:
      number: 443
      name: https-integration
      protocol: HTTPS
    tls:
      mode: SIMPLE
      serverCertificate: /etc/istio/ingressgateway-certs/tls.crt
      privateKey: /etc/istio/ingressgateway-certs/tls.key
    hosts:
    - "integration.domain.com"
  - port:
      number: 80
      name: http
      protocol: HTTP
    hosts:
    - "integration.domain.com"
相关问题
最新问题