TLS handshake with a custom CA through a wildcard egress gateway

Time: 2020-10-13 15:58:53

Tags: ssl kubernetes istio

I am trying to set up istio (v1.7.3) on AKS (v1.16.13) so that, for all HTTPS requests to a domain, the TLS handshake is performed transparently by the egress gateway.

I ended up with the following (abc.mydomain.com is an external URL, which is why I created a ServiceEntry for it):

apiVersion: networking.istio.io/v1alpha3
kind: Gateway
metadata:
  name: istio-egressgateway
spec:
  selector:
    istio: egressgateway
  servers:
  - port:
      number: 443
      name: https
      protocol: HTTPS
    hosts:
    - "*.mydomain.com"
    tls:
      mode: PASSTHROUGH
---
apiVersion: networking.istio.io/v1alpha3
kind: DestinationRule
metadata:
  name: egressgateway-for-mydomain
spec:
  host: istio-egressgateway.istio-system.svc.cluster.local
  subsets:
    - name: mydomain
  trafficPolicy:
    tls:
      mode: SIMPLE
      caCertificates: /etc/istio/mydomain-ca-certs/mydomain.crt
---
apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
  name: direct-mydomain-through-egress-gateway
spec:
  hosts:
  - "*.mydomain.com"
  gateways:
  - mesh
  - istio-egressgateway
  tls:
  - match:
    - gateways:
      - mesh
      port: 443
      sniHosts:
      - "*.mydomain.com"
    route:
    - destination:
        host: istio-egressgateway.istio-system.svc.cluster.local
        subset: mydomain
        port:
          number: 443
      weight: 100
  - match:
    - gateways:
      - istio-egressgateway
      port: 443
      sniHosts:
      - "*.mydomain.com"
    route:
    - destination:
        host: abc.mydomain.com
        port:
          number: 443
      weight: 100
---
apiVersion: networking.istio.io/v1alpha3
kind: ServiceEntry
metadata:
  name: www-mydomain
spec:
  hosts:
  - abc.mydomain.com
  ports:
  - number: 443
    name: https
    protocol: HTTPS
  resolution: DNS

I have installed my certificate in the egress gateway and verified it with kubectl exec -n istio-system "$(kubectl -n istio-system get pods -l istio=egressgateway -o jsonpath='{.items[0].metadata.name}')" -- ls -al /etc/istio/mydomain-ca-certs

When I call curl -vvI https://abc.mydomain.com from a pod running in another namespace, I get the following:

curl: (35) OpenSSL SSL_connect: SSL_ERROR_SYSCALL in connection to abc.mydomain.com:443

I also tried what is described here (Trust a custom root CA on the egress gateway), but got the error above.

Any idea what I might be doing wrong?

UPDATE1

Here is the output of istioctl proxy-status (the egress RDS is STALE):

istio-egressgateway-695dc4fc7c-p5p42.istio-system               SYNCED     SYNCED     SYNCED     STALE      istiod-5c6b7b5b8f-csggg     1.7.3                       41d
istio-ingressgateway-5689f7c67-j54m7.istio-system               SYNCED     SYNCED     SYNCED     SYNCED     istiod-5c6b7b5b8f-csggg     1.7.3                       118d

Output of curl -vvI https://abc.mydomain.com:

* Expire in 0 ms for 1 (transfer 0x55ce54104f50)
*   Trying 10.223.24.254...
* TCP_NODELAY set
* Expire in 200 ms for 4 (transfer 0x55ce54104f50)
* Connected to abc.mydomain.com (10.223.24.254) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
*   CAfile: none
  CApath: /etc/ssl/certs
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* OpenSSL SSL_connect: SSL_ERROR_SYSCALL in connection to abc.mydomain.com:443
* Closing connection 0
curl: (35) OpenSSL SSL_connect: SSL_ERROR_SYSCALL in connection to abc.mydomain.com:443

Output of openssl s_client -connect abc.mydomain.com:443:
CONNECTED(00000003)
write:errno=104
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 0 bytes and written 328 bytes
Verification: OK
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
Early data was not sent
Verify return code: 0 (ok)
---
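A small probe, added here as an example (it is not part of the original question), that reproduces the curl/openssl symptom offline and classifies it: a TCP reset or close right after the ClientHello means the TLS bytes never reached an endpoint that terminates TLS (a routing/passthrough problem, as with a stale RDS), a certificate-verify error means a ServerHello arrived but the CA file does not trust the chain, and a completed handshake reports the issuer. The local listener that resets connections is a constructed stand-in for the failing egress path; against the real host, `cafile` would point at the CA bundle (the question's mydomain.crt).

```python
import socket
import ssl
import struct
import threading
from typing import Optional


def probe_tls(host: str, port: int, sni: str, cafile: Optional[str] = None,
              timeout: float = 5.0) -> dict:
    """Open a TLS connection with an explicit SNI and classify what happened."""
    ctx = ssl.create_default_context(cafile=cafile)  # cafile=None -> system trust store
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=sni) as tls:
                # Handshake finished: the peer presented a chain that cafile verified.
                issuer = {k: v for rdn in tls.getpeercert().get("issuer", ()) for k, v in rdn}
                return {"ok": True, "kind": "handshake-complete",
                        "detail": tls.version(), "issuer": issuer.get("commonName")}
    except ssl.SSLCertVerificationError as e:
        # A ServerHello and certificate arrived, but the chain is not trusted by cafile.
        return {"ok": False, "kind": "cert-verify-failed", "detail": e.verify_message, "issuer": None}
    except ssl.SSLEOFError as e:
        # Peer closed the TCP stream after our ClientHello, before any TLS record came back.
        return {"ok": False, "kind": "closed-before-server-hello", "detail": str(e), "issuer": None}
    except ConnectionResetError as e:
        # RST after our ClientHello: the curl/openssl symptom in the question (errno 104).
        return {"ok": False, "kind": "reset-before-server-hello", "detail": str(e), "issuer": None}
    except (ssl.SSLError, OSError) as e:
        return {"ok": False, "kind": "other", "detail": str(e), "issuer": None}


def _reset_on_connect_server() -> int:
    """Constructed stand-in: accept one TCP connection and reset it immediately."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)

    def run():
        conn, _ = srv.accept()
        conn.setsockopt(socket.SOL_SOCKET, socket.SO_LINGER, struct.pack("ii", 1, 0))
        conn.close()  # SO_LINGER with a zero timeout turns close() into an RST
        srv.close()

    threading.Thread(target=run, daemon=True).start()
    return srv.getsockname()[1]


def demo() -> dict:
    """Reproduce the 'handshake never answered' case without a cluster."""
    port = _reset_on_connect_server()
    return probe_tls("127.0.0.1", port, sni="abc.mydomain.com")


if __name__ == "__main__":
    print(demo())
```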

0 answers:

No answers