Istio Gateway + Cert-Manager + letencrypt证书

时间:2019-06-14 06:17:38

标签: kubernetes ssl-certificate google-kubernetes-engine istio cert-manager

基于guide

我正在使用从集群插件安装的GKE 1.13.6-gke.6 + Istio 1.1.3-gke.0。

按照相同的步骤安装cert_manager并创建我需要的颁发者和证书:

ISSUER

$ kubectl describe issuer letsencrypt-prod -n istio-system
Name:         letsencrypt-prod
Namespace:    istio-system
Labels:       <none>
Annotations:  kubectl.kubernetes.io/last-applied-configuration={"apiVersion":"certmanager.k8s.io/v1alpha1","kind":"Issuer","metadata":{"annotations":{},"name":"letsencrypt-prod","namespace":"istio-system"},"spec":{...
API Version:  certmanager.k8s.io/v1alpha1
Kind:         Issuer
Metadata:
  Creation Timestamp:  2019-06-14T03:11:17Z
  Generation:          2
  Resource Version:    10044939
  Self Link:           /apis/certmanager.k8s.io/v1alpha1/namespaces/istio-system/issuers/letsencrypt-prod
  UID:                 131f1cdd-8e52-11e9-9ba7-42010a9801a6
Spec:
  Acme:
    Email:  ---obscured---@---.net
    Http 01:
    Private Key Secret Ref:
      Name:  prod-issuer-account-key
    Server:  https://acme-v02.api.letsencrypt.org/directory
Status:
  Acme:
    Uri:  https://acme-v02.api.letsencrypt.org/acme/acct/59211199
  Conditions:
    Last Transition Time:  2019-06-14T03:11:18Z
    Message:               The ACME account was registered with the ACME server
    Reason:                ACMEAccountRegistered
    Status:                True
    Type:                  Ready
Events:                    <none>

证书

$ kubectl describe certificate dreamy-plum-bee-certificate -n istio-system
Name:         dreamy-plum-bee-certificate
Namespace:    istio-system
Labels:       <none>
Annotations:  kubectl.kubernetes.io/last-applied-configuration={"apiVersion":"certmanager.k8s.io/v1alpha1","kind":"Certificate","metadata":{"annotations":{},"name":"dreamy-plum-bee-certificate","namespace":"istio-s...
API Version:  certmanager.k8s.io/v1alpha1
Kind:         Certificate
Metadata:
  Creation Timestamp:  2019-06-14T03:24:43Z
  Generation:          3
  Resource Version:    10048432
  Self Link:           /apis/certmanager.k8s.io/v1alpha1/namespaces/istio-system/certificates/dreamy-plum-bee-certificate
  UID:                 f3ed9f15-8e53-11e9-9ba7-42010a9801a6
Spec:
  Acme:
    Config:
      Domains:
        dreamy-plum-bee.somewhere.net
      Http 01:
        Ingress Class:  istio
  Common Name:          dreamy-plum-bee.somewhere.net
  Dns Names:
    dreamy-plum-bee.somewhere.net
  Issuer Ref:
    Name:       letsencrypt-prod
  Secret Name:  dreamy-plum-bee-certificate
Status:
  Conditions:
    Last Transition Time:  2019-06-14T03:25:12Z
    Message:               Certificate is up to date and has not expired
    Reason:                Ready
    Status:                True
    Type:                  Ready
  Not After:               2019-09-12T02:25:10Z
Events:                    <none>

网关

$ kubectl describe gateway dreamy-plum-bee-gtw -n istio-system
Name:         dreamy-plum-bee-gtw
Namespace:    istio-system
Labels:       k8s-app=istio
Annotations:  <none>
API Version:  networking.istio.io/v1alpha3
Kind:         Gateway
Metadata:
  Creation Timestamp:  2019-06-14T06:08:13Z
  Generation:          1
  Resource Version:    10084555
  Self Link:           /apis/networking.istio.io/v1alpha3/namespaces/istio-system/gateways/dreamy-plum-bee-gtw
  UID:                 cabffdf1-8e6a-11e9-9ba7-42010a9801a6
Spec:
  Selector:
    Istio:  ingressgateway
  Servers:
    Hosts:
      dreamy-plum-bee.somewhere.net
    Port:
      Name:      https
      Number:    443
      Protocol:  HTTPS
    Tls:
      Credential Name:     dreamy-plum-bee-certificate
      Mode:                SIMPLE
      Private Key:         sds
      Server Certificate:  sds
Events:                    <none>

$ kubectl get gateway dreamy-plum-bee-gtw -n istio-system -o yaml
apiVersion: networking.istio.io/v1alpha3
kind: Gateway
metadata:
  creationTimestamp: 2019-06-14T06:08:13Z
  generation: 1
  labels:
    k8s-app: istio
  name: dreamy-plum-bee-gtw
  namespace: istio-system
  resourceVersion: "10084555"
  selfLink: /apis/networking.istio.io/v1alpha3/namespaces/istio-system/gateways/dreamy-plum-bee-gtw
  uid: cabffdf1-8e6a-11e9-9ba7-42010a9801a6
spec:
  selector:
    istio: ingressgateway
  servers:
  - hosts:
    - dreamy-plum-bee.somewhere.net
    port:
      name: https
      number: 443
      protocol: HTTPS
    tls:
      credentialName: dreamy-plum-bee-certificate
      mode: SIMPLE
      privateKey: sds
      serverCertificate: sds

现在使用当前设置,如果我使用openssl命令进行测试:

$ $ openssl s_client -connect dreamy-plum-bee.somewhere.net:443
CONNECTED(00000005)
write:errno=54
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 0 bytes and written 0 bytes
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : 0000
    Session-ID:
    Session-ID-ctx:
    Master-Key:
    Start Time: 1560492782
    Timeout   : 7200 (sec)
    Verify return code: 0 (ok)
---

在Chrome浏览器中,它无法访问该页面,并显示ERR_CONNECTION_RESET错误消息。

但是,如果我使用基于自签名文件系统的证书来更改Gateway的tls设置,例如:

    tls:
      mode: PASSTHROUGH
      serverCertificate: /etc/istio/ingressgateway-certs/tls.crt
      privateKey: /etc/istio/ingressgateway-certs/tls.key

该站点可访问。因此,我怀疑使用credentialName设置不正确。网关似乎无法获取证书资源来启动连接。

任何建议都会受到喜欢,例如检查/调试等...

1 个答案:

答案 0 :(得分:1)

最终我发现,Envoy SDS: Fortifying Istio Security - Yonggang Liu & Quanjie Lin, Google很有帮助。

  • 从头开始安装Istio(v1.1.8),而不使用插件(v1.1.3)
  • 确保在安装过程中使用了--set gateways.istio-ingressgateway.sds.enabled = true。
  • 在命名空间上启用istio-injection = enabled来创建特使代理。
  • 增加节点容量以正确托管Istio。 Google suggest至少需要具有2个vCPU计算机类型的4个节点群集。
  • 最后,从Istio处理TLS且尚未启用mTLS的NodeApp中删除手动TLS证书。