OpenShift ingress gateway: `http` and `https`

Time: 2019-04-21 18:21:17

Tags: openshift gateway istio

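I installed Istio on an OpenShift cluster. To test it, I got the sample bookinfo application working over http. When I try to use it for my actual application, http works fine, but https does not. I am not sure whether I need to change the router configuration. The YAML is below.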

The following shows the correct certificates on the ingressgateway

kubectl exec -ti $(kubectl get po -l istio=ingressgateway -n istio-system -o jsonpath='{.items[0].metadata.name}') -n istio-system -- curl  127.0.0.1:15000/certs

The following is the route

oc get route istio-wildcard-ingress -n istio-system
NAME                     HOST/PORT                         PATH      SERVICES               PORT      TERMINATION   WILDCARD
istio-wildcard-ingress   www.istio.myurl.myexample.com             istio-ingressgateway   http2                   Subdomain

When I try to curl over http

curl -kv http://asdfgapi.istio.myurl.myexample.com/api/v1/applicant/searchByANumber?aNumber=A123456789

I get a 200 and the correct response. I see the correct logs in the pod and in the Envoy proxy

But the following curl over https does not work

curl -kv https://asdfgapi.istio.myurl.myexample.com/api/v1/applicant/searchByANumber?aNumber=A123456789

I get a 503 back, along with the following message

<div>
      <h1>Application is not available</h1>
      <p>The application is currently not serving requests at this endpoint. It may not have been started or is still starting.</p>

      <div class="alert alert-info">
        <p class="info">
          Possible reasons you are seeing this page:
        </p>
        .....
      </div>
    </div>
---
apiVersion: networking.istio.io/v1alpha3
kind: Gateway
metadata:
  name: asdfgapi-gateway
spec:
  selector:
    istio: ingressgateway # use istio default controller
  servers:
  - port:
      number: 443
      name: https
      protocol: HTTPS
    tls:
      mode: SIMPLE
      serverCertificate: /etc/istio/ingressgateway-certs/tls.crt
      privateKey: /etc/istio/ingressgateway-certs/tls.key
    hosts:
    - "*.istio.myurl.myexample.com"
  - port:
      number: 80
      name: http
      protocol: HTTP
    hosts:
    - "*.istio.myurl.myexample.com"

---
apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
  name: asdfgapi
spec:
  hosts:
  - "asdfgapi.istio.myurl.myexample.com"
  gateways:
  - asdfgapi-gateway
  http:
  - route:
    - destination:
        host: asdfgapi.myexample-dt.svc.cluster.local
        port:
          number: 8080


---
apiVersion: v1
kind: Service
metadata:
  name: asdfgapi
  labels:
    app: asdfgapi
    service: asdfgapi
spec:
  ports:
  - port: 8080
    name: http
  selector:
    app: asdfgapi

---
apiVersion: extensions/v1beta1
kind: Deployment
metadata:
  name: asdfgapi
  labels:
    app: asdfgapi
spec:
  replicas: 1
  template:
    metadata:
      labels:
        app: asdfgapi
    spec:
      containers:
        - env:
            - name: SPRING_PROFILES_ACTIVE
              value: dt
          image: 'nexus.myexample.com:9083/asdfgapi:162db1e'
          imagePullPolicy: Always
          name: asdfgapi
          ports:
            - containerPort: 8080
              protocol: TCP
          volumeMounts:
            - mountPath: /var/log/app
              name: volume1
      volumes:
        - emptyDir: {}
          name: volume1

---
apiVersion: networking.istio.io/v1alpha3
kind: DestinationRule
metadata:
  name: asdfgapi
spec:
  host: asdfgapi
  trafficPolicy:
    tls:
      mode: ISTIO_MUTUAL

---

The following does not return any logs related to my pod

kubectl logs istio-ingressgateway-7f8dd8f46f-xnlwq -n istio-system

Clearly, the request is not reaching the pod

Any suggestions as to why https does not work?

0 answers:

No answers