istio-ingressgateway certificate configuration guide

istio-ingressgateway is the outermost layer of service access, so it also has to handle SSL encryption, and it has to do so without affecting the other services. Several ways to set this up are described below.

File mount method

  • View the certificate mount configuration in the istio-ingressgateway deployment
kubectl get deploy/istio-ingressgateway -n istio-system -o yaml
apiVersion: apps/v1
kind: Deployment
metadata:
  annotations:
    deployment.kubernetes.io/revision: "1"
...
        terminationMessagePath: /dev/termination-log
        terminationMessagePolicy: File
        volumeMounts:
        - mountPath: /var/run/secrets/istio
          name: istiod-ca-cert
        - mountPath: /var/run/ingress_gateway
          name: ingressgatewaysdsudspath
        - mountPath: /etc/istio/pod
          name: podinfo
        - mountPath: /etc/istio/ingressgateway-certs    # certificate directory
          name: ingressgateway-certs                    # referenced volume
          readOnly: true
        - mountPath: /etc/istio/ingressgateway-ca-certs
          name: ingressgateway-ca-certs
          readOnly: true
      dnsPolicy: ClusterFirst
      restartPolicy: Always
      schedulerName: default-scheduler
      securityContext: {}
      serviceAccount: istio-ingressgateway-service-account
      serviceAccountName: istio-ingressgateway-service-account
      terminationGracePeriodSeconds: 30
      volumes:
      - configMap:
          defaultMode: 420
          name: istio-ca-root-cert
        name: istiod-ca-cert
      - downwardAPI:
          defaultMode: 420
          items:
          - fieldRef:
              apiVersion: v1
              fieldPath: metadata.labels
            path: labels
          - fieldRef:
              apiVersion: v1
              fieldPath: metadata.annotations
            path: annotations
        name: podinfo
      - emptyDir: {}
        name: ingressgatewaysdsudspath
      - name: ingressgateway-certs
        secret:
          defaultMode: 420
          optional: true
          secretName: istio-ingressgateway-certs    # references a secret of type tls
      - name: ingressgateway-ca-certs
        secret:
          defaultMode: 420
          optional: true
          secretName: istio-ingressgateway-ca-certs
status:
  availableReplicas: 1
...

# istio-ingressgateway is configured by default to mount a certificate from a secret, but that secret is never created.
# We create a secret under istio from our own certificate, using the same name as in the definition, istio-ingressgateway-certs.
# The istio gateway will then load that secret automatically.
  • Create ingressgateway-certs

See the SSL management guide for how to create the certificate.

# Use kubectl to create the secret istio-ingressgateway-certs in the istio-system namespace
wangw@t460p:~$ kubectl create -n istio-system secret tls istio-ingressgateway-certs --key ssl/server.key --cert ssl/server.pem 
secret/istio-ingressgateway-certs created

wangw@t460p:~$ kubectl get secret/istio-ingressgateway-certs -n istio-system
NAME                         TYPE                DATA   AGE
istio-ingressgateway-certs   kubernetes.io/tls   2      68s

# Check whether ingressgateway has mounted the certificate
wangw@t460p:~$ kubectl get pod -n istio-system |grep ingress
istio-ingressgateway-7bd5586b79-pgrmd   1/1     Running   0          5h49m
wangw@t460p:~$ kubectl exec -it -n istio-system pod/istio-ingressgateway-7bd5586b79-pgrmd ls /etc/istio/ingressgateway-certs
kubectl exec [POD] [COMMAND] is DEPRECATED and will be removed in a future version. Use kubectl kubectl exec [POD] -- [COMMAND] instead.
tls.crt  tls.key

# View the contents of tls.crt to confirm the mount is correct
wangw@t460p:~$ kubectl exec -it -n istio-system pod/istio-ingressgateway-7bd5586b79-pgrmd cat /etc/istio/ingressgateway-certs/tls.crt
kubectl exec [POD] [COMMAND] is DEPRECATED and will be removed in a future version. Use kubectl kubectl exec [POD] -- [COMMAND] instead.
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
  • Modify the gateway configuration
[root@vm networking]# cat bookinfo-gateway1.yaml 
apiVersion: networking.istio.io/v1alpha3
kind: Gateway
metadata:
  name: bookinfo-gateway
spec:
  selector:
    istio: ingressgateway # use istio default controller
  servers:
  - port:
      number: 443          # SSL port
      name: https
      protocol: HTTPS      # HTTPS protocol
    hosts:
    - "bookinfo.gisuni.local"
    tls:                   # add tls; here it references the certificate files mounted locally in ingressgateway
      mode: SIMPLE
      serverCertificate: /etc/istio/ingressgateway-certs/tls.crt
      privateKey: /etc/istio/ingressgateway-certs/tls.key
...

# Apply the rules
[root@vm networking]# kubectl apply -f bookinfo-gateway1.yaml -n istio-example
gateway.networking.istio.io/bookinfo-gateway changed
virtualservice.networking.istio.io/bookinfo unchanged
  • Access bookinfo

  • Drawback: only one certificate can be used

SDS method

Configure a TLS ingress gateway so that it obtains its credentials from the ingress gateway agent through SDS. The ingress gateway agent runs in the same Pod as the ingress gateway and watches for Secrets created in the ingress gateway's namespace.
Enabling SDS in the ingress gateway has the following benefits:

  • The ingress gateway can dynamically add, delete or update key/certificate pairs and root certificates without a restart;
  • No Secret volume needs to be mounted: once a Kubernetes Secret is created, the gateway agent picks it up and delivers it to the ingress gateway as a key/certificate pair and root certificate;
  • The gateway agent can watch multiple key/certificate pairs. Just create one Secret per hostname and update the Gateway definition.

Enable SDS (disabled by default)

# Enable SDS with --set values.gateways.istio-ingressgateway.sds.enabled=true
# Don't forget to keep the original configuration --set profile=demo; the default is --set profile=default
# Regenerate the configuration and apply it to istio
[root@vm istio-1.5.1]# bin/istioctl manifest generate --set profile=demo  \
--set values.gateways.istio-ingressgateway.sds.enabled=true

Create the certificate secret

# Must be created in the same namespace as ingressgateway
[root@vm ~]# kubectl create -n istio-system secret tls gismesh-com --key ssl/server.key --cert ssl/server.pem 
secret/gismesh-com created


Modify the gateway configuration

apiVersion: networking.istio.io/v1alpha3
kind: Gateway
metadata:
  name: bookinfo-gateway
spec:
  selector:
    istio: ingressgateway # use istio default ingress gateway
  servers:
  - port:
      number: 443
      name: https
      protocol: HTTPS
    tls:
      mode: SIMPLE
      credentialName: "gismesh-com"   # references the certificate secret
    hosts:
    - "bookinfo.gismesh.com"
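As an added example (not code from the original post), the following Python check validates a Gateway's HTTPS servers against the two styles shown on this page: it flags the file-mount form (serverCertificate/privateKey, a single certificate only), a missing credentialName, and a credentialName whose secret is not in the ingress gateway's namespace, which the SDS agent would never see. The secret inventory and the name shop-tls are constructed; the two Gateway dicts mirror the manifests above.

```python
# Added example, not from the original post: validate the TLS settings of an
# Istio Gateway for the SDS mode above. Secret names and inventory are constructed.
from typing import Dict, List, Set

GATEWAY_NAMESPACE = "istio-system"  # namespace of the istio-ingressgateway pod

def check_gateway_tls(gateway: dict, secrets_by_ns: Dict[str, Set[str]],
                      gateway_ns: str = GATEWAY_NAMESPACE) -> List[str]:
    """Return the problems found in the Gateway's HTTPS servers (empty = ok)."""
    problems: List[str] = []
    for i, server in enumerate(gateway.get("spec", {}).get("servers", [])):
        port = server.get("port", {})
        if str(port.get("protocol", "")).upper() != "HTTPS":
            continue  # plain HTTP servers carry no TLS configuration
        where = f"server[{i}] {port.get('name', '?')}:{port.get('number')}"
        tls = server.get("tls")
        if not tls:
            problems.append(f"{where}: HTTPS server has no tls block")
            continue
        if not server.get("hosts"):
            problems.append(f"{where}: no hosts listed")
        if "serverCertificate" in tls or "privateKey" in tls:
            problems.append(f"{where}: uses mounted certificate files "
                            "(file-mount mode, a single certificate only)")
        name = tls.get("credentialName")
        if not name:
            problems.append(f"{where}: credentialName missing, SDS has nothing to serve")
        elif name not in secrets_by_ns.get(gateway_ns, set()):
            # The gateway agent only watches its own namespace; a secret elsewhere is invisible.
            problems.append(f"{where}: secret {name!r} not in namespace {gateway_ns}")
    return problems

# Constructed TLS secret inventory, as `kubectl get secret -A` might show it.
SECRETS = {"istio-system": {"gismesh-com"}, "istio-example": {"shop-tls"}}

# The SDS-style Gateway from the post, as a dict.
SDS_GATEWAY = {"spec": {"servers": [{
    "port": {"number": 443, "name": "https", "protocol": "HTTPS"},
    "tls": {"mode": "SIMPLE", "credentialName": "gismesh-com"},
    "hosts": ["bookinfo.gismesh.com"]}]}}

# The file-mount-style Gateway from the post, as a dict.
FILE_GATEWAY = {"spec": {"servers": [
    {"port": {"number": 443, "name": "https", "protocol": "HTTPS"},
     "hosts": ["bookinfo.gisuni.local"],
     "tls": {"mode": "SIMPLE",
             "serverCertificate": "/etc/istio/ingressgateway-certs/tls.crt",
             "privateKey": "/etc/istio/ingressgateway-certs/tls.key"}}]}}
```

Running check_gateway_tls(FILE_GATEWAY, SECRETS) reports the file-mount form and the missing credentialName, while the SDS Gateway passes cleanly.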

SNI passthrough method

posted @ 2022-03-02 20:28  longtds  views(1391)  comments(0)