
istio-ingressgateway Certificate Configuration Guide

2022-03-02 20:33:51  Views: 311  Source: Internet

Tags: guide kubectl ingressgateway name istio secret certs


As the outermost layer of service access, istio-ingressgateway also has to handle SSL encryption, without affecting the other services. Several ways to implement this are described below.

File mount approach

  • Check the certificate mount configuration in the istio-ingressgateway deployment
kubectl get deploy/istio-ingressgateway -n istio-system -o yaml
apiVersion: apps/v1
kind: Deployment
metadata:
  annotations:
    deployment.kubernetes.io/revision: "1"
...
        terminationMessagePath: /dev/termination-log
        terminationMessagePolicy: File
        volumeMounts:
        - mountPath: /var/run/secrets/istio
          name: istiod-ca-cert
        - mountPath: /var/run/ingress_gateway
          name: ingressgatewaysdsudspath
        - mountPath: /etc/istio/pod
          name: podinfo
        - mountPath: /etc/istio/ingressgateway-certs    # certificate directory
          name: ingressgateway-certs                    # referenced volume
          readOnly: true
        - mountPath: /etc/istio/ingressgateway-ca-certs
          name: ingressgateway-ca-certs
          readOnly: true
      dnsPolicy: ClusterFirst
      restartPolicy: Always
      schedulerName: default-scheduler
      securityContext: {}
      serviceAccount: istio-ingressgateway-service-account
      serviceAccountName: istio-ingressgateway-service-account
      terminationGracePeriodSeconds: 30
      volumes:
      - configMap:
          defaultMode: 420
          name: istio-ca-root-cert
        name: istiod-ca-cert
      - downwardAPI:
          defaultMode: 420
          items:
          - fieldRef:
              apiVersion: v1
              fieldPath: metadata.labels
            path: labels
          - fieldRef:
              apiVersion: v1
              fieldPath: metadata.annotations
            path: annotations
        name: podinfo
      - emptyDir: {}
        name: ingressgatewaysdsudspath
      - name: ingressgateway-certs
        secret:
          defaultMode: 420
          optional: true
          secretName: istio-ingressgateway-certs    # references a Secret of type tls
      - name: ingressgateway-ca-certs
        secret:
          defaultMode: 420
          optional: true
          secretName: istio-ingressgateway-ca-certs
status:
  availableReplicas: 1
...

# istio-ingressgateway is configured by default to mount a certificate Secret, but that Secret is not created.
# Create a Secret under istio from our own certificate, using the name from the definition, istio-ingressgateway-certs;
# the istio gateway will then load that Secret automatically.
  • Create ingressgateway-certs

For how to create the certificates, see the SSL management guide.

# Use kubectl to create the secret istio-ingressgateway-certs in the istio-system namespace
wangw@t460p:~$ kubectl create -n istio-system secret tls istio-ingressgateway-certs --key ssl/server.key --cert ssl/server.pem 
secret/istio-ingressgateway-certs created

wangw@t460p:~$ kubectl get secret/istio-ingressgateway-certs -n istio-system
NAME                         TYPE                DATA   AGE
istio-ingressgateway-certs   kubernetes.io/tls   2      68s

# Check whether the ingressgateway has mounted the certificate
wangw@t460p:~$ kubectl get pod -n istio-system |grep ingress
istio-ingressgateway-7bd5586b79-pgrmd   1/1     Running   0          5h49m
wangw@t460p:~$ kubectl exec -it -n istio-system pod/istio-ingressgateway-7bd5586b79-pgrmd ls /etc/istio/ingressgateway-certs
kubectl exec [POD] [COMMAND] is DEPRECATED and will be removed in a future version. Use kubectl kubectl exec [POD] -- [COMMAND] instead.
tls.crt  tls.key

# Inspect tls.crt to confirm the mount is correct
wangw@t460p:~$ kubectl exec -it -n istio-system pod/istio-ingressgateway-7bd5586b79-pgrmd cat /etc/istio/ingressgateway-certs/tls.crt
kubectl exec [POD] [COMMAND] is DEPRECATED and will be removed in a future version. Use kubectl kubectl exec [POD] -- [COMMAND] instead.
  • Modify the gateway configuration
[root@vm networking]# cat bookinfo-gateway1.yaml 
apiVersion: networking.istio.io/v1alpha3
kind: Gateway
metadata:
  name: bookinfo-gateway
spec:
  selector:
    istio: ingressgateway # use istio default controller
  servers:
  - port:
      number: 443           # SSL port
      name: https
      protocol: HTTPS       # HTTPS protocol
    hosts:
    - "bookinfo.gisuni.local"
    tls:                    # add tls; here it references the certificate files local to the ingressgateway
      mode: SIMPLE
      serverCertificate: /etc/istio/ingressgateway-certs/tls.crt
      privateKey: /etc/istio/ingressgateway-certs/tls.key
...

# Apply the rules
[root@vm networking]# kubectl apply -f bookinfo-gateway1.yaml -n istio-example
gateway.networking.istio.io/bookinfo-gateway changed
virtualservice.networking.istio.io/bookinfo unchanged
  • Access bookinfo


  • Drawback: only one certificate can be used

SDS approach

Configure the TLS Ingress Gateway so that it obtains its credentials through SDS from the Ingress Gateway agent. The Ingress Gateway agent runs in the same Pod as the Ingress Gateway and watches for new Secrets created in the Ingress Gateway's namespace.
Enabling SDS in the Ingress Gateway has the following benefits:

  • The Ingress Gateway can dynamically add, delete or update key/certificate pairs and root certificates without a restart;
  • No Secret volume needs to be mounted; once a kubernetes Secret is created, it is picked up by the Gateway agent and sent to the Ingress Gateway as a key/certificate pair and root certificate;
  • The Gateway agent can watch multiple key/certificate pairs. All that is needed is to create a Secret for each hostname and update the Gateway definition.

Enable SDS (disabled by default)

# Enable SDS with --set values.gateways.istio-ingressgateway.sds.enabled=true
# Do not forget to include the original configuration --set profile=demo (the default is --set profile=default)
# Regenerate the manifest and apply it to istio
# (note: manifest generate only prints the manifest to stdout; pipe it into `kubectl apply -f -` to apply it)
[root@vm istio-1.5.1]# bin/istioctl manifest generate --set profile=demo  \
--set values.gateways.istio-ingressgateway.sds.enabled=true

Create the certificate secret

# Must be created in the same namespace as the ingressgateway
[root@vm ~]# kubectl create -n istio-system secret tls gismesh-com --key ssl/server.key --cert ssl/server.pem 
secret/gismesh-com created


Modify the gateway configuration

apiVersion: networking.istio.io/v1alpha3
kind: Gateway
metadata:
  name: bookinfo-gateway
spec:
  selector:
    istio: ingressgateway # use istio default ingress gateway
  servers:
  - port:
      number: 443
      name: https
      protocol: HTTPS
    tls:
      mode: SIMPLE
      credentialName: "gismesh-com"   # references the certificate secret
    hosts:
    - "bookinfo.gismesh.com"
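Both approaches above fail silently in the same way: the Gateway points at a certificate the gateway pod cannot see (a file outside the mounted directory, a credentialName with no kubernetes.io/tls Secret in istio-system, or several servers sharing the single mounted pair). The following added example, not part of the original post, lints a Gateway and a Secret list in the JSON shape that `kubectl get ... -o json` produces; the sample objects are constructed here, and the constants assume the default mount path and namespace shown earlier.

```python
# Lints Istio Gateway TLS settings against the two approaches above (constructed example).
CERT_DIR = "/etc/istio/ingressgateway-certs/"  # mount path of the istio-ingressgateway-certs Secret
GATEWAY_NS = "istio-system"                     # namespace the ingressgateway pod runs in


def index_tls_secrets(secret_list):
    """Return the set of (namespace, name) for Secrets of type kubernetes.io/tls."""
    return {(s["metadata"]["namespace"], s["metadata"]["name"])
            for s in secret_list["items"] if s.get("type") == "kubernetes.io/tls"}


def lint_gateway(gateway, tls_secrets):
    """Return a list of findings; an empty list means the TLS config is consistent."""
    findings, file_mode_servers = [], 0
    for srv in gateway["spec"]["servers"]:
        if srv["port"].get("protocol") != "HTTPS":
            continue
        hosts, tls = ",".join(srv.get("hosts", [])), srv.get("tls")
        if not tls:
            findings.append(f"{hosts}: HTTPS server without a tls block")
        elif "credentialName" in tls:
            # SDS approach: the Secret must be a kubernetes.io/tls Secret in the gateway's namespace
            if (GATEWAY_NS, tls["credentialName"]) not in tls_secrets:
                findings.append(f"{hosts}: credentialName {tls['credentialName']!r} has no "
                                f"kubernetes.io/tls Secret in {GATEWAY_NS}")
        else:
            # File-mount approach: only the pair mounted from istio-ingressgateway-certs exists
            file_mode_servers += 1
            for field in ("serverCertificate", "privateKey"):
                path = tls.get(field, "")
                if not path.startswith(CERT_DIR):
                    findings.append(f"{hosts}: {field} {path!r} is outside {CERT_DIR}")
    if file_mode_servers > 1:
        findings.append("several servers use mounted files, but only one cert pair is mounted")
    return findings


# Constructed sample input in the shape of `kubectl get ... -o json`, not from a real cluster.
SAMPLE_SECRETS = {"items": [
    {"metadata": {"namespace": "istio-system", "name": "gismesh-com"}, "type": "kubernetes.io/tls"},
    {"metadata": {"namespace": "istio-example", "name": "other-com"}, "type": "kubernetes.io/tls"},
]}
SAMPLE_GATEWAY = {"spec": {"servers": [
    {"port": {"number": 443, "protocol": "HTTPS"}, "hosts": ["bookinfo.gismesh.com"],
     "tls": {"mode": "SIMPLE", "credentialName": "gismesh-com"}},
    {"port": {"number": 443, "protocol": "HTTPS"}, "hosts": ["other.example.com"],
     "tls": {"mode": "SIMPLE", "credentialName": "other-com"}},  # Secret is in the wrong namespace
]}}
```

Running `lint_gateway(SAMPLE_GATEWAY, index_tls_secrets(SAMPLE_SECRETS))` reports only the second server, whose Secret lives in istio-example rather than istio-system.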

SNI passthrough approach

Source: https://www.cnblogs.com/longtds/p/15956977.html
