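Reference: https://istio.io/latest/zh/docs/tasks/traffic-management/ingress/secure-ingress/#configure-a-TLS-ingress-gateway-for-multiple-hosts
The documentation uses one certificate per third-level domain (for domains in China), so I ran a test of my own.
1. Prepare a certificate that is not self-signed
xxx.key xxx.crt
2. First configure a TLS ingress gateway for a single host
2.1) Prepare the base service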
```yaml
apiVersion: v1
kind: ServiceAccount
metadata:
  name: httpbin
---
apiVersion: v1
kind: Service
metadata:
  name: httpbin
  labels:
    app: httpbin
    service: httpbin
spec:
  ports:
  - name: http
    port: 8000
    targetPort: 80
  selector:
    app: httpbin
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: httpbin
spec:
  replicas: 1
  selector:
    matchLabels:
      app: httpbin
      version: v1
  template:
    metadata:
      labels:
        app: httpbin
        version: v1
    spec:
      serviceAccountName: httpbin
      containers:
      - image: docker.io/kennethreitz/httpbin
        imagePullPolicy: IfNotPresent
        name: httpbin
        ports:
        - containerPort: 80
```
2.2) Create a secret for the gateway
```bash
kubectl create -n istio-system secret tls httpbin-credential --key=xxx.key --cert=xxx.crt
```
2.3) Define a gateway with a servers: section for port 443, and set credentialName to httpbin-credential. This value is the same as the Secret name. The TLS mode should be SIMPLE.
```bash
cat <<EOF | kubectl apply -f -
apiVersion: networking.istio.io/v1alpha3
kind: Gateway
metadata:
  name: mygateway
spec:
  selector:
    istio: ingressgateway # use istio default ingress gateway
  servers:
  - port:
      number: 443
      name: https
      protocol: HTTPS
    tls:
      mode: SIMPLE
      credentialName: httpbin-credential # must be the same as secret
    hosts:
    - weiwei.xxx.cn
EOF
```
2.4) Configure the gateway's ingress traffic routes by defining the corresponding virtual service.
```bash
cat <<EOF | kubectl apply -f -
apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
  name: httpbin
spec:
  hosts:
  - "weiwei.xxx.cn"
  gateways:
  - mygateway
  http:
  - match:
    - uri:
        prefix: /status
    - uri:
        prefix: /delay
    route:
    - destination:
        port:
          number: 8000
        host: httpbin
EOF
```
2.5) Send an HTTPS request to access the httpbin service:
```bash
curl -v -HHost:weiwei.xxx.cn --resolve "weiwei.xxx.cn:$SECURE_INGRESS_PORT:$INGRESS_HOST" \
  --cacert xxx.crt "https://weiwei.xxx.cn:$SECURE_INGRESS_PORT/status/418"
```
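Access worked without any problems.
2.6) Now add another server_name under the same second-level domain, to verify that the same secret can be used. Start helloworld-v1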
```bash
cat <<EOF | kubectl apply -f -
apiVersion: v1
kind: Service
metadata:
  name: helloworld-v1
  labels:
    app: helloworld-v1
spec:
  ports:
  - name: http
    port: 5000
  selector:
    app: helloworld-v1
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: helloworld-v1
spec:
  replicas: 1
  selector:
    matchLabels:
      app: helloworld-v1
      version: v1
  template:
    metadata:
      labels:
        app: helloworld-v1
        version: v1
    spec:
      containers:
      - name: helloworld
        image: istio/examples-helloworld-v1
        resources:
          requests:
            cpu: "100m"
        imagePullPolicy: IfNotPresent #Always
        ports:
        - containerPort: 5000
EOF
```
2.7) Create the Gateway and VirtualService
```bash
cat <<EOF | kubectl apply -f -
apiVersion: networking.istio.io/v1alpha3
kind: Gateway
metadata:
  name: mygateway
spec:
  selector:
    istio: ingressgateway # use istio default ingress gateway
  servers:
  - port:
      number: 443
      name: https-httpbin
      protocol: HTTPS
    tls:
      mode: SIMPLE
      credentialName: httpbin-credential
    hosts:
    - weiwei.xxx.cn
  - port:
      number: 443
      name: https-helloworld
      protocol: HTTPS
    tls:
      mode: SIMPLE
      credentialName: httpbin-credential
    hosts:
    - hello.xxx.cn
EOF

cat <<EOF | kubectl apply -f -
apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
  name: helloworld-v1
spec:
  hosts:
  - hello.xxx.cn
  gateways:
  - mygateway
  http:
  - match:
    - uri:
        exact: /hello
    route:
    - destination:
        host: helloworld-v1
        port:
          number: 5000
EOF
```
2.8) Verify with a request
```bash
curl -v -HHost:hello.xxx.cn --resolve "hello.xxx.cn:$SECURE_INGRESS_PORT:$INGRESS_HOST" \
  --cacert xxx.crt "https://hello.xxx.cn:$SECURE_INGRESS_PORT/hello"
```
2.9) Results of the respective requests
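The Gateway in 2.7 attaches the same httpbin-credential secret to both weiwei.xxx.cn and hello.xxx.cn, which only passes client verification if the certificate's subjectAltName covers both names. The check below is an added example, not part of the original post; the function names and the wildcard SAN list are assumptions made for illustration.

```sh
#!/bin/sh
# Added example (not from the original post): confirm that one certificate
# covers every host that shares a credentialName before applying the Gateway.

# san_match HOST PATTERN: succeeds if one DNS SAN entry covers HOST.
# A wildcard counts only as the whole left-most label and stands for exactly
# one label: *.xxx.cn covers hello.xxx.cn but not a.b.xxx.cn or xxx.cn.
san_match() {
  h=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
  p=$(printf '%s' "$2" | tr 'A-Z' 'a-z')
  case $p in
    '*.'*)
      sfx=${p#\*}                      # "*.xxx.cn" -> ".xxx.cn"
      case $h in
        *"$sfx") lbl=${h%"$sfx"} ;;
        *) return 1 ;;
      esac
      case $lbl in
        ''|*.*) return 1 ;;            # empty or multi-label prefix
        *) return 0 ;;
      esac ;;
    *) [ "$h" = "$p" ] ;;
  esac
}

# uncovered_hosts "SAN1 SAN2 ..." HOST...: print each HOST that no SAN covers.
uncovered_hosts() {
  sans=$1; shift
  set -f                               # SANs contain '*': disable globbing
  for host in "$@"; do
    ok=0
    for san in $sans; do
      if san_match "$host" "$san"; then ok=1; break; fi
    done
    [ "$ok" -eq 1 ] || echo "$host"
  done
  set +f
}

# cert_sans FILE: DNS SAN entries of a PEM certificate, space separated.
cert_sans() {
  openssl x509 -in "$1" -noout -ext subjectAltName |
    grep -o 'DNS:[^,[:space:]]*' | cut -d: -f2 | tr '\n' ' '
}

# Real use with the page's file:
#   uncovered_hosts "$(cert_sans xxx.crt)" weiwei.xxx.cn hello.xxx.cn
# Constructed SAN list (assumed wildcard certificate), runs offline:
uncovered_hosts "*.xxx.cn xxx.cn" weiwei.xxx.cn hello.xxx.cn a.b.xxx.cn
# prints: a.b.xxx.cn
```

An empty result means every listed host is covered; any printed host would fail hostname verification when served with that secret.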
Source: https://www.cnblogs.com/bill2014/p/16087824.html