基于guide
我正在使用从集群插件安装的GKE 1.13.6-gke.6 + Istio 1.1.3-gke.0。
按照相同的步骤安装cert_manager并创建我需要的颁发者和证书:
ISSUER
$ kubectl describe issuer letsencrypt-prod -n istio-system
Name: letsencrypt-prod
Namespace: istio-system
Labels: <none>
Annotations: kubectl.kubernetes.io/last-applied-configuration={"apiVersion":"certmanager.k8s.io/v1alpha1","kind":"Issuer","metadata":{"annotations":{},"name":"letsencrypt-prod","namespace":"istio-system"},"spec":{...
API Version: certmanager.k8s.io/v1alpha1
Kind: Issuer
Metadata:
Creation Timestamp: 2019-06-14T03:11:17Z
Generation: 2
Resource Version: 10044939
Self Link: /apis/certmanager.k8s.io/v1alpha1/namespaces/istio-system/issuers/letsencrypt-prod
UID: 131f1cdd-8e52-11e9-9ba7-42010a9801a6
Spec:
Acme:
Email: ---obscured---@---.net
Http 01:
Private Key Secret Ref:
Name: prod-issuer-account-key
Server: https://acme-v02.api.letsencrypt.org/directory
Status:
Acme:
Uri: https://acme-v02.api.letsencrypt.org/acme/acct/59211199
Conditions:
Last Transition Time: 2019-06-14T03:11:18Z
Message: The ACME account was registered with the ACME server
Reason: ACMEAccountRegistered
Status: True
Type: Ready
Events: <none>
证书
$ kubectl describe certificate dreamy-plum-bee-certificate -n istio-system
Name: dreamy-plum-bee-certificate
Namespace: istio-system
Labels: <none>
Annotations: kubectl.kubernetes.io/last-applied-configuration={"apiVersion":"certmanager.k8s.io/v1alpha1","kind":"Certificate","metadata":{"annotations":{},"name":"dreamy-plum-bee-certificate","namespace":"istio-s...
API Version: certmanager.k8s.io/v1alpha1
Kind: Certificate
Metadata:
Creation Timestamp: 2019-06-14T03:24:43Z
Generation: 3
Resource Version: 10048432
Self Link: /apis/certmanager.k8s.io/v1alpha1/namespaces/istio-system/certificates/dreamy-plum-bee-certificate
UID: f3ed9f15-8e53-11e9-9ba7-42010a9801a6
Spec:
Acme:
Config:
Domains:
dreamy-plum-bee.somewhere.net
Http 01:
Ingress Class: istio
Common Name: dreamy-plum-bee.somewhere.net
Dns Names:
dreamy-plum-bee.somewhere.net
Issuer Ref:
Name: letsencrypt-prod
Secret Name: dreamy-plum-bee-certificate
Status:
Conditions:
Last Transition Time: 2019-06-14T03:25:12Z
Message: Certificate is up to date and has not expired
Reason: Ready
Status: True
Type: Ready
Not After: 2019-09-12T02:25:10Z
Events: <none>
网关
$ kubectl describe gateway dreamy-plum-bee-gtw -n istio-system
Name: dreamy-plum-bee-gtw
Namespace: istio-system
Labels: k8s-app=istio
Annotations: <none>
API Version: networking.istio.io/v1alpha3
Kind: Gateway
Metadata:
Creation Timestamp: 2019-06-14T06:08:13Z
Generation: 1
Resource Version: 10084555
Self Link: /apis/networking.istio.io/v1alpha3/namespaces/istio-system/gateways/dreamy-plum-bee-gtw
UID: cabffdf1-8e6a-11e9-9ba7-42010a9801a6
Spec:
Selector:
Istio: ingressgateway
Servers:
Hosts:
dreamy-plum-bee.somewhere.net
Port:
Name: https
Number: 443
Protocol: HTTPS
Tls:
Credential Name: dreamy-plum-bee-certificate
Mode: SIMPLE
Private Key: sds
Server Certificate: sds
Events: <none>
$ kubectl get gateway dreamy-plum-bee-gtw -n istio-system -o yaml
apiVersion: networking.istio.io/v1alpha3
kind: Gateway
metadata:
creationTimestamp: 2019-06-14T06:08:13Z
generation: 1
labels:
k8s-app: istio
name: dreamy-plum-bee-gtw
namespace: istio-system
resourceVersion: "10084555"
selfLink: /apis/networking.istio.io/v1alpha3/namespaces/istio-system/gateways/dreamy-plum-bee-gtw
uid: cabffdf1-8e6a-11e9-9ba7-42010a9801a6
spec:
selector:
istio: ingressgateway
servers:
- hosts:
- dreamy-plum-bee.somewhere.net
port:
name: https
number: 443
protocol: HTTPS
tls:
credentialName: dreamy-plum-bee-certificate
mode: SIMPLE
privateKey: sds
serverCertificate: sds
现在使用当前设置,如果我使用openssl命令进行测试:
$ $ openssl s_client -connect dreamy-plum-bee.somewhere.net:443
CONNECTED(00000005)
write:errno=54
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 0 bytes and written 0 bytes
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
Protocol : TLSv1.2
Cipher : 0000
Session-ID:
Session-ID-ctx:
Master-Key:
Start Time: 1560492782
Timeout : 7200 (sec)
Verify return code: 0 (ok)
---
在Chrome浏览器中,它无法访问该页面,并显示ERR_CONNECTION_RESET错误消息。
但是,如果我使用基于自签名文件系统的证书来更改Gateway的tls设置,例如:
tls:
mode: PASSTHROUGH
serverCertificate: /etc/istio/ingressgateway-certs/tls.crt
privateKey: /etc/istio/ingressgateway-certs/tls.key
该站点可访问。因此,我怀疑使用credentialName设置不正确。网关似乎无法获取证书资源来启动连接。
任何建议都会受到喜欢,例如检查/调试等...
答案 0 :(得分:1)
最终我发现,Envoy SDS: Fortifying Istio Security - Yonggang Liu & Quanjie Lin, Google很有帮助。