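How to configure the Istio VirtualService destination protocol

Time: 2020-05-20 18:37:21

Tags: kubernetes istio

How do I configure an Istio VirtualService to route traffic to a destination backend that listens on HTTPS?

Configuring protocol: HTTPS or scheme: HTTPS does not work.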

apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
  name: api-rpi-access
spec:
  hosts:
  - "test.example.com"
  gateways:
  - api-gateway
  http:
  - match:
    - uri:
        port: https
        prefix: /
    route:
    - destination:
        host: some-https-service
        port:
          number: 8443
          protocol: HTTPS
        # scheme: HTTPS

Here is my gateway:

apiVersion: networking.istio.io/v1alpha3
kind: Gateway
metadata:
  name: api-gateway
spec:
  selector:
    istio: ingressgateway
  servers:
  - port:
      number: 443
      name: https
      protocol: HTTPS
    tls:
      mode: SIMPLE
      serverCertificate: /etc/istio/ingressgateway-certs/tls.crt
      privateKey: /etc/istio/ingressgateway-certs/tls.key
    hosts:
    - "test.example.com"

3 answers:

Answer 0: (score: 3)

Have you also set up a destination rule, for example:

apiVersion: networking.istio.io/v1alpha3
kind: DestinationRule
metadata:
  name: dr-test.example.com
spec:
  host: test.example.com
  trafficPolicy: # Apply to all ports
    portLevelSettings:
    - port:
        number: 443
      loadBalancer:
        simple: LEAST_CONN

Some good information about Istio routing:

https://istio.io/docs/concepts/traffic-management/

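Answer 1: (score: 1)

Currently, your gateway is configured to terminate TLS at the gateway. Your VirtualService also needs little modification.

You need to change the gateway's TLS mode to Passthrough.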

    tls:
      mode: PASSTHROUGH

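According to the Istio documentation:

  1. Define a Gateway with a server section for port 443. Note the PASSTHROUGH TLS mode, which instructs the gateway to pass the ingress traffic as is, without terminating TLS.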
apiVersion: networking.istio.io/v1alpha3
kind: Gateway
metadata:
  name: mygateway
spec:
  selector:
    istio: ingressgateway # use istio default ingress gateway
  servers:
  - port:
      number: 443
      name: https
      protocol: HTTPS
    tls:
      mode: PASSTHROUGH
    hosts:
    - nginx.example.com
  2. Configure routes for traffic entering via the Gateway:
apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
  name: nginx
spec:
  hosts:
  - nginx.example.com
  gateways:
  - mygateway
  tls:
  - match:
    - port: 443
      sniHosts:
      - nginx.example.com
    route:
    - destination:
        host: my-nginx
        port:
          number: 443

Hope it helps.

Answer 2: (score: 1)

To perform TLS termination at the istio ingressgateway and send https traffic to the backend, I had to add the following DestinationRule:

apiVersion: networking.istio.io/v1alpha3
kind: DestinationRule
metadata:
  name: some-https-service
spec:
  host: diary
  trafficPolicy:
    tls:
      mode: SIMPLE

Here are the gateway and the virtual service:

apiVersion: networking.istio.io/v1alpha3
kind: Gateway
metadata:
  name: api-gateway
spec:
  selector:
    istio: ingressgateway
  servers:
  - port:
      number: 443
      name: https
      protocol: HTTPS
    tls:
      mode: SIMPLE
      serverCertificate: /etc/istio/ingressgateway-certs/tls.crt
      privateKey: /etc/istio/ingressgateway-certs/tls.key
    hosts:
    - "test.example.com"
---
apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
  name: ext-access
spec:
  hosts:
  - "test.example.com"
  gateways:
  - api-gateway
  http:
  - match:
    - uri:
        port: https
        prefix: /
    route:
    - destination:
        host: some-https-service
        port:
          number: 8443
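
Added example, not part of the answers above: Answer 2's DestinationRule with mode: SIMPLE makes the gateway originate TLS to the backend, and this variant also sets the CA bundle and expected SAN so the backend certificate is checked. The CA file path, SAN and SNI values are assumptions, and host is set to the VirtualService destination some-https-service.

```yaml
# Added example. Values marked "assumed" or "constructed" are not from the page.
apiVersion: networking.istio.io/v1alpha3
kind: DestinationRule
metadata:
  name: some-https-service
spec:
  # Must name the same service as the VirtualService route destination,
  # otherwise the TLS policy is not applied to that traffic.
  host: some-https-service
  trafficPolicy:
    portLevelSettings:
    - port:
        number: 8443            # backend HTTPS port from the question
      tls:
        mode: SIMPLE            # gateway originates one-way TLS to the backend
        # Assumed path: CA bundle that signed the backend certificate,
        # mounted into the ingress gateway pod.
        caCertificates: /etc/istio/backend-ca/ca.crt
        # Constructed value: SAN the backend certificate must present.
        subjectAltNames:
        - some-https-service.default.svc.cluster.local
        # Constructed value: SNI sent to the backend in the TLS handshake.
        sni: some-https-service.default.svc.cluster.local
```

Whether the proxy verifies the backend certificate when caCertificates is omitted depends on the Istio release, so setting it explicitly avoids relying on the default.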