ICode9

精准搜索请尝试: 精确搜索
首页 > 其他分享> 文章详细

istio 泛域名TLS

2022-04-01 17:04:12  阅读:239  来源: 互联网

标签:TLS INGRESS httpbin cn -- xxx istio 域名 name


参考文档:https://istio.io/latest/zh/docs/tasks/traffic-management/ingress/secure-ingress/#configure-a-TLS-ingress-gateway-for-multiple-hosts

文档中都是三级域名(国内)一个证书,我自行测试了一下。

 

1、准备一个非自签的证书

xxx.key
xxx.crt

2、先配置一个单机tls入口网关

2.1) 准备基础服务

apiVersion: v1
kind: ServiceAccount
metadata:
  name: httpbin
---
apiVersion: v1
kind: Service
metadata:
  name: httpbin
  labels:
    app: httpbin
    service: httpbin
spec:
  ports:
  - name: http
    port: 8000
    targetPort: 80
  selector:
    app: httpbin
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: httpbin
spec:
  replicas: 1
  selector:
    matchLabels:
      app: httpbin
      version: v1
  template:
    metadata:
      labels:
        app: httpbin
        version: v1
    spec:
      serviceAccountName: httpbin
      containers:
      - image: docker.io/kennethreitz/httpbin
        imagePullPolicy: IfNotPresent
        name: httpbin
        ports:
        - containerPort: 80
View Code

2.2) 为gw 创建secret 

kubectl create -n istio-system secret tls httpbin-credential --key=xxx.key --cert=xxx.crt

2.3) 为端口443定义一个带有 servers: 部分的网关,并将 credentialName 的值指定为 httpbin-credential。这些值与 Secret 名称相同。 TLS 模式的值应为 SIMPLE

cat <<EOF | kubectl apply -f -
apiVersion: networking.istio.io/v1alpha3
kind: Gateway
metadata:
  name: mygateway
spec:
  selector:
    istio: ingressgateway # use istio default ingress gateway
  servers:
  - port:
      number: 443
      name: https
      protocol: HTTPS
    tls:
      mode: SIMPLE
      credentialName: httpbin-credential # must be the same as secret
    hosts:
    - weiwei.xxx.cn
EOF
View Code

2.4) 配置网关的入口流量路由,定义相应的虚拟服务。

cat <<EOF | kubectl apply -f -
apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
  name: httpbin
spec:
  hosts:
  - "weiwei.xxx.cn"
  gateways:
  - mygateway
  http:
  - match:
    - uri:
        prefix: /status
    - uri:
        prefix: /delay
    route:
    - destination:
        port:
          number: 8000
        host: httpbin
EOF
View Code

2.5) 发送 HTTPS 请求访问 httpbin 服务:

curl -v -HHost:weiwei.xxx.cn --resolve "weiwei.xxx.cn:$SECURE_INGRESS_PORT:$INGRESS_HOST" \
--cacert xxx.crt "https://weiwei.xxx.cn:$SECURE_INGRESS_PORT/status/418"

访问没有异常。

2.6)此时增加一个server_name,二级域名是一样的,验证同一个secret。启动helloworld-v1

cat <<EOF | kubectl apply -f -
apiVersion: v1
kind: Service
metadata:
  name: helloworld-v1
  labels:
    app: helloworld-v1
spec:
  ports:
  - name: http
    port: 5000
  selector:
    app: helloworld-v1
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: helloworld-v1
spec:
  replicas: 1
  selector:
    matchLabels:
      app: helloworld-v1
      version: v1
  template:
    metadata:
      labels:
        app: helloworld-v1
        version: v1
    spec:
      containers:
      - name: helloworld
        image: istio/examples-helloworld-v1
        resources:
          requests:
            cpu: "100m"
        imagePullPolicy: IfNotPresent #Always
        ports:
        - containerPort: 5000
EOF
View Code

2.7)创建gw和vs

at <<EOF | kubectl apply -f -
apiVersion: networking.istio.io/v1alpha3
kind: Gateway
metadata:
  name: mygateway
spec:
  selector:
    istio: ingressgateway # use istio default ingress gateway
  servers:
  - port:
      number: 443
      name: https-httpbin
      protocol: HTTPS
    tls:
      mode: SIMPLE
      credentialName: httpbin-credential
    hosts:
    - weiwei.xxx.cn
  - port:
      number: 443
      name: https-helloworld
      protocol: HTTPS
    tls:
      mode: SIMPLE
      credentialName: httpbin-credential
    hosts:
    - hello.xxx.cn
EOF



cat <<EOF | kubectl apply -f -
apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
  name: helloworld-v1
spec:
  hosts:
  - hello.xxx.cn
  gateways:
  - mygateway
  http:
  - match:
    - uri:
        exact: /hello
    route:
    - destination:
        host: helloworld-v1
        port:
          number: 5000
EOF
View Code

2.,8) 请求验证

curl -v -HHost:hello.xxx.cn --resolve "hello.xxx.cn:$SECURE_INGRESS_PORT:$INGRESS_HOST" \
--cacert xxx.crt "https://hello.xxx.cn:$SECURE_INGRESS_PORT/hello"

 

2.9)分别的请求结果

 

 

 

 

 

 

 

 

 

标签:TLS,INGRESS,httpbin,cn,--,xxx,istio,域名,name
来源: https://www.cnblogs.com/bill2014/p/16087824.html

本站声明: 1. iCode9 技术分享网(下文简称本站)提供的所有内容,仅供技术学习、探讨和分享;
2. 关于本站的所有留言、评论、转载及引用,纯属内容发起人的个人观点,与本站观点和立场无关;
3. 关于本站的所有言论和文字,纯属内容发起人的个人观点,与本站观点和立场无关;
4. 本站文章均是网友提供,不完全保证技术分享内容的完整性、准确性、时效性、风险性和版权归属;如您发现该文章侵犯了您的权益,可联系我们第一时间进行删除;
5. 本站为非盈利性的个人网站,所有内容不会用来进行牟利,也不会利用任何形式的广告来间接获益,纯粹是为了广大技术爱好者提供技术内容和技术思想的分享性交流网站。

专注分享技术,共同学习,共同进步。侵权联系[81616952@qq.com]

Copyright (C)ICode9.com, All Rights Reserved.

ICode9版权所有