
Envoy manual TLS, scenario 1: front-tls

2022-04-10 14:34:10  Reads: 170  Source: Internet

Tags: TLS tls name envoy Envoy key address front sidecar


1. Environment

K8S: (cluster details not recoverable from the source page)

CA and NFS:

Hostname   IP            OS                    OpenSSL version   NFS version
ha01       10.0.8.131    Ubuntu 20.04.3 LTS    1.1.1f            v4

2. Topology

(topology diagram not included in the text)

3. Steps

3.1 Create the front-envoy certificate

openssl genrsa -out ca.key 2048  # generate the CA private key

openssl req -new -key ca.key -out ca.csr  # generate the CA certificate signing request

openssl x509 -req -days 365 -in ca.csr -signkey ca.key -out ca.crt  # generate the CA's self-signed certificate

openssl genrsa -out front-envoy.key 2048  # generate the front-envoy private key
openssl req -new -key front-envoy.key -out front-envoy.csr  # generate the front-envoy certificate signing request
openssl x509 -req -days 365 -in front-envoy.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out front-envoy.crt  # sign the front-envoy certificate with the CA certificate and key
openssl x509 -noout -modulus -in front-envoy.crt | openssl md5  # check that the issued certificate and the private key match:
openssl rsa -noout -modulus -in front-envoy.key | openssl md5   # the two MD5 sums must be identical

Then copy front-envoy.crt and front-envoy.key to the NFS export for front-envoy to use (the Deployment in 3.5 mounts the certs subdirectory of that export at /etc/envoy/certs).

3.2 Create a new namespace

kind: Namespace
apiVersion: v1
metadata:
  name: envoy   # a Namespace is cluster-scoped, so it carries no metadata.namespace of its own

3.3 Create the PV and PVC

apiVersion: v1
kind: PersistentVolume
metadata:
  name: nfs       
  labels:
    app: envoy      
spec:
  capacity:
    storage: 5Gi
  accessModes:
    - ReadWriteMany 
  persistentVolumeReclaimPolicy: Retain # reclaim policy
  nfs:
    path: /data/k8s-nfs
    server: 10.0.8.131

---

kind: PersistentVolumeClaim
apiVersion: v1
metadata:
  name: envoy    # PVC name
  namespace: envoy
spec:
  accessModes:
    - ReadWriteMany
  resources:
    requests:
      storage: 5Gi  
  selector:
    matchLabels:
      app: envoy      # select the PV by its label

3.4 ConfigMap holding the configuration files for front-envoy and the sidecar envoys

kind: ConfigMap
apiVersion: v1
metadata:
  name: envoy
  namespace: envoy
data:
  front-envoy-config: |
    admin:
      profile_path: /tmp/envoy.prof
      access_log_path: /tmp/admin_access.log
      address:
        socket_address:
           address: 0.0.0.0
           port_value: 9901

    static_resources:
          listeners:
          - name: listener_0
            address:
              socket_address: { address: 0.0.0.0, port_value: 443 }
            filter_chains:
            - filters:
              - name: envoy.filters.network.http_connection_manager
                typed_config:
                  "@type": type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager
                  stat_prefix: ingress_http
                  codec_type: AUTO
                  route_config:
                    name: local_route
                    virtual_hosts:
                    - name: webservice
                      domains: ["*"]
                      routes:
                      - match: { prefix: "/" }
                        route: { cluster: local_cluster }
                  http_filters:
                  - name: envoy.filters.http.router
              transport_socket:
                name: envoy.transport_sockets.tls
                typed_config:
                  "@type": type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.DownstreamTlsContext
                  common_tls_context:
                    tls_certificates:
                    - certificate_chain:
                        filename: "/etc/envoy/certs/front-envoy.crt"
                      private_key:
                        filename: "/etc/envoy/certs/front-envoy.key"
          clusters:
          - name: local_cluster
            connect_timeout: 0.25s
            type: STRICT_DNS
            lb_policy: ROUND_ROBIN
            load_assignment:
              cluster_name: local_cluster
              endpoints:
              - lb_endpoints:
                - endpoint:
                    address:
                      socket_address: { address: webserver-0, port_value: 8080 }
                - endpoint:
                    address:
                      socket_address: { address: webserver-1, port_value: 8080 }
  sidecar-envoy-config: |
    admin:
      profile_path: /tmp/envoy.prof
      access_log_path: /tmp/admin_access.log
      address:
        socket_address:
           address: 0.0.0.0
           port_value: 9901

    static_resources:
          listeners:
          - name: listener_0
            address:
              socket_address: { address: 0.0.0.0, port_value: 8080 }
            filter_chains:
            - filters:
              - name: envoy.filters.network.http_connection_manager
                typed_config:
                  "@type": type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager
                  stat_prefix: ingress_http
                  codec_type: AUTO
                  route_config:
                    name: local_route
                    virtual_hosts:
                    - name: webservice
                      domains: ["*"]
                      routes:
                      - match: { prefix: "/" }
                        route: { cluster: local_cluster }
                  http_filters:
                  - name: envoy.filters.http.router
          clusters:
          - name: local_cluster
            connect_timeout: 0.25s
            type: STATIC
            lb_policy: ROUND_ROBIN
            load_assignment:
              cluster_name: local_cluster
              endpoints:
              - lb_endpoints:
                - endpoint:
                    address:
                      socket_address: { address: 127.0.0.1, port_value: 80 }

3.5 Create the front-envoy Service and Pod

kind: Service
apiVersion: v1
metadata:
  name: front-envoy
  namespace: envoy
spec:
  type: ClusterIP
  selector:
    app: front-envoy
  ports:
  - name: https
    port: 443
    targetPort: 443
    protocol: TCP
  - name: http1
    port: 8080
    targetPort: 443
    protocol: TCP
  - name: http2
    port: 80
    targetPort: 443
    protocol: TCP

---
kind: Deployment
apiVersion: apps/v1
metadata:
  name: front-envoy
  namespace: envoy
spec:
  replicas: 1
  selector:
    matchLabels:
      app: front-envoy
  template:
    metadata:
      name: front-envoy
      namespace: envoy
      labels:
        app: front-envoy
    spec:
      containers:
      - name: envoy
        image: envoyproxy/envoy-alpine:v1.20-latest 
        imagePullPolicy: IfNotPresent
        ports:
        - name: admin
          containerPort: 9901
          hostPort: 9901
          protocol: TCP
        - name: https
          containerPort: 443
          hostPort: 30443
          protocol: TCP
        env:
        - name: ENVOY_UID
          value: "0"
        volumeMounts:
          - name: http-front-envoy
            mountPath: /etc/envoy/envoy.yaml
            subPath: envoy.yaml
          - name: certs
            mountPath: /etc/envoy/certs
            subPath: certs 
      volumes:
        - name: http-front-envoy
          configMap:
            name: envoy
            items:
            - key: front-envoy-config
              path: envoy.yaml
        - name: certs
          persistentVolumeClaim:
            claimName: envoy
            readOnly: false

3.6 Create the sidecar Services and application Pods

kind: Service
apiVersion: v1
metadata:
  name: webserver-0
  namespace: envoy
spec:
  selector:
    app: sidecar-0
  ports:
  - name: sidecar
    port: 8080
    targetPort: 8080
    protocol: TCP
---
kind: Deployment
apiVersion: apps/v1
metadata:
  name: webserver-0
  namespace: envoy
spec:
  replicas: 1
  selector:
    matchLabels:
      app: sidecar-0
  template:
    metadata:
      name: webserver-0
      namespace: envoy
      labels:
        app: sidecar-0
    spec:
      containers:
      - name: sidecar0
        image: envoyproxy/envoy-alpine:v1.20-latest 
        imagePullPolicy: IfNotPresent
        ports:
        - name: admin
          containerPort: 9901
          hostPort: 9901
          protocol: TCP
        env:
        - name: ENVOY_UID
          value: "0"
        volumeMounts:
          - name: sidecar-envoy
            mountPath: /etc/envoy/
      - name: webserver01
        image: ikubernetes/demoapp:v1.0
        env:
        - name: HOST
          value: "127.0.0.1"
      volumes:
        - name: sidecar-envoy
          configMap:
            name: envoy
            items:
            - key: sidecar-envoy-config
              path: envoy.yaml
---
kind: Service
apiVersion: v1
metadata:
  name: webserver-1
  namespace: envoy
spec:
  selector:
    app: sidecar-01
  ports:
  - name: sidecar
    port: 8080
    targetPort: 8080
    protocol: TCP

---
kind: Deployment
apiVersion: apps/v1
metadata:
  name: webserver-1
  namespace: envoy
spec:
  replicas: 1
  selector:
    matchLabels:
      app: sidecar-01
  template:
    metadata:
      name: webserver-1
      namespace: envoy
      labels:
        app: sidecar-01
    spec:
      containers:
      - name: sidecar01
        image: envoyproxy/envoy-alpine:v1.20-latest 
        imagePullPolicy: IfNotPresent
        ports:
        - name: admin
          containerPort: 9901
          hostPort: 9901
          protocol: TCP
        env:
        - name: ENVOY_UID
          value: "0"
        volumeMounts:
          - name: sidecar-envoy
            mountPath: /etc/envoy/
      - name: webserver01
        image: ikubernetes/demoapp:v1.0
        env:
        - name: HOST
          value: "127.0.0.1"
      volumes:
        - name: sidecar-envoy
          configMap:
            name: envoy
            items:
            - key: sidecar-envoy-config
              path: envoy.yaml

3.7 Verification

Tested from pod demov10-59d6cd7449-rtxxw (the command output was an image in the original post).
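Steps 3.1 and 3.7 as one script, added here as an example and not code from the original post: it generates the CA and the front-envoy certificate non-interactively, attaches a subjectAltName (the post's certificate has only a CN, which curl and other modern clients will not accept for hostname verification), checks that the leaf chains to the CA and matches its key before the files are copied to NFS, and gives the client-side check to run from a pod instead of a blind curl -k. Assumptions: openssl 1.1.1 or newer is on PATH, and the cluster DNS suffix is cluster.local.

```shell
#!/usr/bin/env bash
# Added example, not from the original post. Assumes openssl >= 1.1.1 on PATH;
# the cluster.local DNS suffix below is an assumption about the lab cluster.
set -eu

# make_certs DIR: write ca.key, ca.crt, front-envoy.key, front-envoy.crt to DIR.
make_certs() {
  dir="$1"
  mkdir -p "$dir"
  # CA, self-signed in one step (req -x509) instead of CSR + x509 -signkey
  openssl genrsa -out "$dir/ca.key" 2048 2>/dev/null
  openssl req -new -x509 -days 365 -key "$dir/ca.key" \
    -subj "/CN=envoy-lab-ca" -out "$dir/ca.crt"
  # Leaf: CSR, then CA-signed with a SAN listing the Service names a pod
  # would use; curl, Go and browsers ignore the CN and need the SAN.
  openssl genrsa -out "$dir/front-envoy.key" 2048 2>/dev/null
  openssl req -new -key "$dir/front-envoy.key" \
    -subj "/CN=front-envoy" -out "$dir/front-envoy.csr"
  printf 'subjectAltName=DNS:front-envoy,DNS:front-envoy.envoy,DNS:front-envoy.envoy.svc,DNS:front-envoy.envoy.svc.cluster.local\n' \
    > "$dir/san.ext"
  openssl x509 -req -days 365 -in "$dir/front-envoy.csr" \
    -CA "$dir/ca.crt" -CAkey "$dir/ca.key" -CAcreateserial \
    -extfile "$dir/san.ext" -out "$dir/front-envoy.crt" 2>/dev/null
}

# verify_certs DIR: succeed only if the leaf chains to ca.crt, the key matches
# the certificate (same RSA modulus, the post's md5 check) and the SAN exists.
verify_certs() {
  dir="$1"
  openssl verify -CAfile "$dir/ca.crt" "$dir/front-envoy.crt" >/dev/null || return 1
  cert_mod=$(openssl x509 -noout -modulus -in "$dir/front-envoy.crt")
  key_mod=$(openssl rsa -noout -modulus -in "$dir/front-envoy.key" 2>/dev/null)
  [ "$cert_mod" = "$key_mod" ] || return 1
  case "$(openssl x509 -noout -text -in "$dir/front-envoy.crt")" in
    *"DNS:front-envoy.envoy.svc"*) return 0 ;;
    *) return 1 ;;
  esac
}

# check_front_envoy HOST PORT CAFILE: the step 3.7 check from a pod. Passing
# the CA file instead of -k makes curl validate the chain and the SAN.
check_front_envoy() {
  curl -sS --cacert "$3" "https://$1:$2/" >/dev/null || return 1
  openssl s_client -connect "$1:$2" -servername "$1" -CAfile "$3" \
    -verify_return_error </dev/null >/dev/null 2>&1
}

if [ "${1:-}" = "make" ]; then   # ./tls-certs.sh make /data/k8s-nfs/certs
  make_certs "${2:-./certs}" && verify_certs "${2:-./certs}" && echo "certs OK"
fi
```

From a pod, `check_front_envoy front-envoy.envoy.svc 443 /path/to/ca.crt` succeeds only when the chain and the SAN both validate; the plain-HTTP Service ports 8080 and 80 in 3.5 point at the TLS listener and will not pass this check.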

Source: https://www.cnblogs.com/cnblo/p/16125414.html
