我对Kubernetes和istio有点陌生。我正在尝试创建服务并通过HTTPS访问它。
kubectl create secret generic clouddns --namespace=cert-manager --from-literal=GCP_PROJECT=<PROJECT> --from-file=/etc/keys/<KEY>.json
这些是我的网关,虚拟服务,群集颁发者和证书的配置文件。
网关
apiVersion: networking.istio.io/v1alpha3
kind: Gateway
metadata:
name: messaging-gateway
spec:
selector:
istio: ingressgateway # use istio default controller
servers:
- port:
number: 80
name: http
protocol: HTTP
hosts:
- "<HOST>"
- port:
number: 443
name: https
protocol: HTTPS
hosts:
- "<HOST>"
tls:
credentialName: messaging-certificate
mode: SIMPLE
privateKey: sds
serverCertificate: sds
虚拟服务
apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
name: messaging
spec:
hosts:
- "<HOST>"
gateways:
- messaging-gateway
http:
- match:
- uri:
prefix: /
route:
- destination:
host: messaging
port:
number: 8082
集群发行人
apiVersion: cert-manager.io/v1alpha2
kind: ClusterIssuer
metadata:
name: messaging-cluster-issuer
spec:
acme:
server: https://acme-staging-v02.api.letsencrypt.org/directory
email: <EMAIL>
privateKeySecretRef:
name: messaging-letsencrypt
solvers:
- dns01:
clouddns:
serviceAccountSecretRef:
name: clouddns
key: <KEY>.json
project: <PROJECT>
证书
apiVersion: cert-manager.io/v1alpha2
kind: Certificate
metadata:
name: messaging-certificate
spec:
secretName: messaging-certificate
duration: 2160h # 90d
renewBefore: 360h # 15d
organization:
- RELE.AI
commonName: <HOST>
isCA: false
keySize: 2048
keyAlgorithm: rsa
keyEncoding: pkcs1
usages:
- server auth
- client auth
dnsNames:
- <HOST>
issuerRef:
name: messaging-cluster-issuer
kind: ClusterIssuer
运行kubectl get secrets messaging-certificate -o yaml
时,我可以同时看到tls.crt和tls.key内容。
为什么我无法通过HTTPS进行访问?
----编辑
完整istio manifest-我使用istioctl manifest generate
生成了清单。希望这是正确的方法
答案 0 :(得分:0)
您应该执行以下操作:
tls
字段中删除serverCertificate和privateKey字段,如https://istio.io/docs/tasks/traffic-management/ingress/secure-ingress-sds/#configure-a-tls-ingress-gateway-for-a-single-host