Accessing an istio / k8s service over HTTPS

Time: 2019-12-05 17:13:17

Tags: kubernetes istio cert-manager

I am fairly new to Kubernetes and istio. I am trying to create a service and access it over HTTPS.

  • Over HTTP, everything looks fine
  • I have used cert-manager with Let's Encrypt to generate the certificate
  • The certificate was generated successfully
  • I generated the secret with the following command
kubectl create secret generic clouddns --namespace=cert-manager --from-literal=GCP_PROJECT=<PROJECT> --from-file=/etc/keys/<KEY>.json

These are the configuration files for my gateway, virtual service, cluster issuer and certificate.

Gateway

apiVersion: networking.istio.io/v1alpha3
kind: Gateway
metadata:
  name: messaging-gateway
spec:
  selector:
    istio: ingressgateway # use istio default controller
  servers:
  - port:
      number: 80
      name: http
      protocol: HTTP
    hosts:
    - "<HOST>"
  - port:
      number: 443
      name: https
      protocol: HTTPS
    hosts:
    - "<HOST>"
    tls:
      credentialName: messaging-certificate
      mode: SIMPLE
      privateKey: sds
      serverCertificate: sds

VirtualService

apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
  name: messaging
spec:
  hosts:
  - "<HOST>"
  gateways:
  - messaging-gateway
  http:
  - match:
    - uri:
        prefix: /
    route:
    - destination:
        host: messaging
        port:
          number: 8082

ClusterIssuer

apiVersion: cert-manager.io/v1alpha2
kind: ClusterIssuer
metadata:
  name: messaging-cluster-issuer
spec:
  acme:
    server: https://acme-staging-v02.api.letsencrypt.org/directory
    email: <EMAIL>
    privateKeySecretRef:
      name: messaging-letsencrypt
    solvers:
    - dns01:
        clouddns:
          serviceAccountSecretRef:
            name: clouddns
            key: <KEY>.json
          project: <PROJECT>

Certificate

apiVersion: cert-manager.io/v1alpha2
kind: Certificate
metadata:
  name: messaging-certificate
spec:
  secretName: messaging-certificate
  duration: 2160h # 90d
  renewBefore: 360h # 15d
  organization:
  - RELE.AI
  commonName: <HOST>
  isCA: false
  keySize: 2048
  keyAlgorithm: rsa
  keyEncoding: pkcs1
  usages:
    - server auth
    - client auth
  dnsNames:
  - <HOST>
  issuerRef:
    name: messaging-cluster-issuer
    kind: ClusterIssuer

When I run kubectl get secrets messaging-certificate -o yaml, I can see both the tls.crt and tls.key contents.

Why can't I access it over HTTPS?

---- EDIT

Full istio manifest - I generated the manifest with istioctl manifest generate. Hopefully that is the correct approach.
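An added consistency check for the Gateway / Certificate pair shown in the question (example code, not from the question or from Istio/cert-manager). It encodes three things a reviewer would verify before debugging further: the Gateway's credentialName must name the Certificate's secretName, every HTTPS host must be covered by the certificate's dnsNames, and with credentialName (SDS) the ingress gateway reads the Secret from its own namespace, assumed here to be the default istio-system; it also flags that the ClusterIssuer points at the Let's Encrypt staging endpoint, whose chain browsers do not trust. The hostname and the namespaces are constructed placeholders, since the question redacts or omits them.

```python
"""Consistency checks for an Istio Gateway + cert-manager Certificate pair."""
from fnmatch import fnmatch

# Manifests from the question transcribed as dicts (constructed sample data;
# the hostname stands in for <HOST> and the namespaces are assumptions).
GATEWAY = {
    "namespace": "default",
    "https_hosts": ["messaging.example.com"],
    "credentialName": "messaging-certificate",
}
CERTIFICATE = {
    "namespace": "default",
    "secretName": "messaging-certificate",
    "dnsNames": ["messaging.example.com"],
}
ISSUER_SERVER = "https://acme-staging-v02.api.letsencrypt.org/directory"

# Namespace where istio-ingressgateway runs in a default install (assumption).
INGRESS_GATEWAY_NAMESPACE = "istio-system"


def host_covered(host, dns_names):
    """True if host matches a SAN exactly or via a single-label wildcard."""
    for name in dns_names:
        if name.startswith("*."):
            # *.example.com covers a.example.com but not b.a.example.com
            if host.count(".") == name.count(".") and fnmatch(host, name):
                return True
        elif host == name:
            return True
    return False


def check_tls_wiring(gateway, certificate, issuer_server,
                     ingress_ns=INGRESS_GATEWAY_NAMESPACE):
    """Return a list of findings; an empty list means the wiring is consistent."""
    findings = []
    if gateway["credentialName"] != certificate["secretName"]:
        findings.append("credentialName does not match Certificate.spec.secretName")
    # With credentialName (SDS) the gateway loads the Secret from its own namespace.
    if certificate["namespace"] != ingress_ns:
        findings.append(f"TLS secret lives in {certificate['namespace']!r}; "
                        f"the ingress gateway reads from {ingress_ns!r}")
    for host in gateway["https_hosts"]:
        if not host_covered(host, certificate["dnsNames"]):
            findings.append(f"host {host!r} is not covered by dnsNames {certificate['dnsNames']}")
    if "staging" in issuer_server:
        findings.append("issuer is Let's Encrypt staging: browsers will not trust the chain")
    return findings


if __name__ == "__main__":
    for finding in check_tls_wiring(GATEWAY, CERTIFICATE, ISSUER_SERVER):
        print("FINDING:", finding)
```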

1 answer:

Answer 0: (score: 0)