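Accessing https and http backend services from an istio gw without a sidecar

Time: 2021-01-28 15:36:57

Tags: http nginx https istio nginx-ingress

I have some on-premises clusters; some backend services run over http and some over https. No istio sidecar has been configured yet.

Calls with http backend traffic are working, but with the https backend I get a 503 error. Gateway: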

apiVersion: networking.istio.io/v1beta1
kind: Gateway
metadata:
  name: istio-gateway
  namespace: istio-system

spec:
  selector:
    istio: ingressgateway
  servers:
  - hosts:
    - '*'
    port:
      name: https
      number: 8443
      protocol: HTTPS
    tls:
      mode: SIMPLE
      privateKey: /etc/istio/ingressgateway-certs/tls.key
      serverCertificate: /etc/istio/ingressgateway-certs/tls.crt
  - hosts:
    - '*'
    port:
      name: http
      number: 80
      protocol: HTTP

Virtual service:

apiVersion: networking.istio.io/v1beta1
kind: VirtualService
metadata:
  name: metalk8s-ui-proxies-https
  namespace: metalk8s-ui
spec:
  gateways:
  - istio-system/istio-gateway
  hosts:
  - '*'
  http:
  - match:
    - uri:
        prefix: /api/kubernetes/
    route:
    - destination:
        host: kubernetes-api-ds
        port:
          number: 443
      weight: 100
  - match:
    - uri:
        prefix: /api/salt/
    route:
    - destination:
        host: salt-api
        port:
          number: 4507
      weight: 100

Destination rule:

apiVersion: networking.istio.io/v1beta1
kind: DestinationRule
metadata:
  name: kubernetes-api-ds
  namespace: metalk8s-ui
spec:
  host: kubernetes-api
  trafficPolicy:
    portLevelSettings:
    - loadBalancer:
        simple: ROUND_ROBIN
      port:
        number: 443
    tls:
      caCertificates: /etc/istio/ingressgateway-certs/tls.crt
      mode: SIMPLE
      privateKey: /etc/istio/ingressgateway-certs/tls.key

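Without the destination rule configured, it gives a 400 error (the client sent an http request to an https server).

Basically the backend services work with nginx ingress. We are trying to replace nginx with istio. For this particular URI path, the nginx ingress is: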

apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  annotations:
    kubernetes.io/ingress.class: nginx-control-plane
    nginx.ingress.kubernetes.io/backend-protocol: HTTPS
    nginx.ingress.kubernetes.io/rewrite-target: /$2
    nginx.ingress.kubernetes.io/use-regex: "true"
  labels:
    app: metalk8s-ui
    app.kubernetes.io/managed-by: salt
    app.kubernetes.io/name: metalk8s-ui
    app.kubernetes.io/part-of: metalk8s
    heritage: salt
    metalk8s.scality.com/version: 2.6.0-dev
  name: metalk8s-ui-proxies-https
  namespace: metalk8s-ui
spec:
  rules:
  - http:
      paths:
      - backend:
          serviceName: kubernetes-api
          servicePort: 443
        path: /api/kubernetes(/|$)(.*)
      - backend:
          serviceName: salt-api
          servicePort: 4507
        path: /api/salt(/|$)(.*)
status:
  loadBalancer:
    ingress:
    - ip: 10.105.58.133

nginx.ingress.kubernetes.io/backend-protocol: HTTPS --> this is the annotation that defines the backend protocol.

Can someone help with how to achieve the same in istio?

0 answers:

No answers
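
As an added example (not part of the original question and not the project's own manifests), one way the nginx `backend-protocol: HTTPS` and `rewrite-target` behaviour for the `/api/kubernetes/` path can be expressed in Istio: a DestinationRule whose `tls` block sits inside the port 443 entry and whose `host` equals the VirtualService destination host. The resource name `kubernetes-api-tls` and the CA file path are hypothetical placeholders, and the CA file is assumed to be mounted into the ingress gateway pod.

```yaml
# Added example (constructed); names marked "hypothetical" are not from the question.
apiVersion: networking.istio.io/v1beta1
kind: DestinationRule
metadata:
  name: kubernetes-api-tls            # hypothetical name
  namespace: metalk8s-ui              # same namespace as the kubernetes-api Service
spec:
  host: kubernetes-api                # must equal the VirtualService destination host
  trafficPolicy:
    portLevelSettings:
    - port:
        number: 443
      loadBalancer:
        simple: ROUND_ROBIN
      # tls belongs inside the port entry: port-level settings replace the
      # destination-level policy for that port and do not inherit its tls block.
      tls:
        mode: SIMPLE                  # gateway originates TLS; no client cert or key
        # CA that signed the backend's certificate, not the gateway's own
        # serving certificate. If caCertificates is omitted, the proxy does
        # not verify the server's certificate.
        caCertificates: /etc/istio/backend-ca/ca.crt   # hypothetical placeholder path
---
apiVersion: networking.istio.io/v1beta1
kind: VirtualService
metadata:
  name: metalk8s-ui-proxies-https
  namespace: metalk8s-ui
spec:
  gateways:
  - istio-system/istio-gateway
  hosts:
  - '*'
  http:
  - match:
    - uri:
        prefix: /api/kubernetes/
    rewrite:
      uri: /                          # strips the prefix, like rewrite-target: /$2
    route:
    - destination:
        host: kubernetes-api          # the Service name used by the nginx Ingress
        port:
          number: 443
```

The `salt-api` route on port 4507 sits behind the same nginx annotation, so it would need an equivalent DestinationRule and rewrite.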