istio-ingressgateway certificate configuration guide
istio-ingressgateway is the outermost layer through which services are accessed, so it also has to take care of SSL encryption, without affecting the other services. Several ways to implement this are described below.
File mount method
- Check the certificate mount configuration in the istio-ingressgateway deployment
kubectl get deploy/istio-ingressgateway -n istio-system -o yaml
apiVersion: apps/v1
kind: Deployment
metadata:
  annotations:
    deployment.kubernetes.io/revision: "1"
  ...
        terminationMessagePath: /dev/termination-log
        terminationMessagePolicy: File
        volumeMounts:
        - mountPath: /var/run/secrets/istio
          name: istiod-ca-cert
        - mountPath: /var/run/ingress_gateway
          name: ingressgatewaysdsudspath
        - mountPath: /etc/istio/pod
          name: podinfo
        - mountPath: /etc/istio/ingressgateway-certs # certificate directory
          name: ingressgateway-certs # the volume being referenced
          readOnly: true
        - mountPath: /etc/istio/ingressgateway-ca-certs
          name: ingressgateway-ca-certs
          readOnly: true
      dnsPolicy: ClusterFirst
      restartPolicy: Always
      schedulerName: default-scheduler
      securityContext: {}
      serviceAccount: istio-ingressgateway-service-account
      serviceAccountName: istio-ingressgateway-service-account
      terminationGracePeriodSeconds: 30
      volumes:
      - configMap:
          defaultMode: 420
          name: istio-ca-root-cert
        name: istiod-ca-cert
      - downwardAPI:
          defaultMode: 420
          items:
          - fieldRef:
              apiVersion: v1
              fieldPath: metadata.labels
            path: labels
          - fieldRef:
              apiVersion: v1
              fieldPath: metadata.annotations
            path: annotations
        name: podinfo
      - emptyDir: {}
        name: ingressgatewaysdsudspath
      - name: ingressgateway-certs
        secret:
          defaultMode: 420
          optional: true
          secretName: istio-ingressgateway-certs # references a secret of type tls
      - name: ingressgateway-ca-certs
        secret:
          defaultMode: 420
          optional: true
          secretName: istio-ingressgateway-ca-certs
status:
  availableReplicas: 1
  ...
# istio-ingressgateway is configured by default to mount a certificate secret, but that secret is never created
# Turn our own certificate into a secret in istio-system whose name matches the definition: istio-ingressgateway-certs
# The istio gateway then loads that secret automatically
- Create ingressgateway-certs
See the SSL management guide for how to create the certificate.
# Use kubectl to create the secret istio-ingressgateway-certs in the istio-system namespace
wangw@t460p:~$ kubectl create -n istio-system secret tls istio-ingressgateway-certs --key ssl/server.key --cert ssl/server.pem
secret/istio-ingressgateway-certs created
wangw@t460p:~$ kubectl get secret/istio-ingressgateway-certs -n istio-system
NAME                         TYPE                DATA   AGE
istio-ingressgateway-certs   kubernetes.io/tls   2      68s
# Check whether the ingressgateway has mounted the certificate
wangw@t460p:~$ kubectl get pod -n istio-system |grep ingress
istio-ingressgateway-7bd5586b79-pgrmd   1/1     Running   0          5h49m
wangw@t460p:~$ kubectl exec -it -n istio-system pod/istio-ingressgateway-7bd5586b79-pgrmd ls /etc/istio/ingressgateway-certs
kubectl exec [POD] [COMMAND] is DEPRECATED and will be removed in a future version. Use kubectl kubectl exec [POD] -- [COMMAND] instead.
tls.crt tls.key
# Inspect the contents of tls.crt to confirm the mount is correct
wangw@t460p:~$ kubectl exec -it -n istio-system pod/istio-ingressgateway-7bd5586b79-pgrmd cat /etc/istio/ingressgateway-certs/tls.crt
kubectl exec [POD] [COMMAND] is DEPRECATED and will be removed in a future version. Use kubectl kubectl exec [POD] -- [COMMAND] instead.
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
- Modify the gateway configuration
[root@vm networking]# cat bookinfo-gateway1.yaml
apiVersion: networking.istio.io/v1alpha3
kind: Gateway
metadata:
  name: bookinfo-gateway
spec:
  selector:
    istio: ingressgateway # use istio default controller
  servers:
  - port:
      number: 443 # SSL port
      name: https
      protocol: HTTPS # HTTPS protocol
    hosts:
    - "bookinfo.gisuni.local"
    tls: # add tls; here it references the certificate files mounted locally in the ingressgateway
      mode: SIMPLE
      serverCertificate: /etc/istio/ingressgateway-certs/tls.crt
      privateKey: /etc/istio/ingressgateway-certs/tls.key
...
# Apply the rules
[root@vm networking]# kubectl apply -f bookinfo-gateway1.yaml -n istio-example
gateway.networking.istio.io/bookinfo-gateway changed
virtualservice.networking.istio.io/bookinfo unchanged
- Access bookinfo
Using SDS
Configure a TLS ingress gateway so that it obtains its credentials from the ingress gateway agent via SDS. The ingress gateway agent runs in the same Pod as the ingress gateway and watches for Secrets newly created in the namespace the ingress gateway runs in.
Enabling SDS in the ingress gateway has the following benefits:
- The ingress gateway can dynamically add, delete or update key/certificate pairs and root certificates without a restart;
- No Secret volume has to be mounted: once a Kubernetes Secret is created, the gateway agent picks it up and delivers it to the ingress gateway as a key/certificate pair and root certificate;
- The gateway agent can watch multiple key/certificate pairs. You only need to create a Secret for each hostname and update the Gateway definition.
Enable SDS (disabled by default)
# Enable SDS with --set values.gateways.istio-ingressgateway.sds.enabled=true
# Do not forget to keep the original setting --set profile=demo; the default is --set profile=default
# Regenerate the configuration and apply it to istio
[root@vm istio-1.5.1]# bin/istioctl manifest generate --set profile=demo \
--set values.gateways.istio-ingressgateway.sds.enabled=true
Create the certificate secret
# It must be created in the same namespace as the ingressgateway
[root@vm ~]# kubectl create -n istio-system secret tls gismesh-com --key ssl/server.key --cert ssl/server.pem
secret/gismesh-com created
Modify the gateway configuration
apiVersion: networking.istio.io/v1alpha3
kind: Gateway
metadata:
  name: bookinfo-gateway
spec:
  selector:
    istio: ingressgateway # use istio default ingress gateway
  servers:
  - port:
      number: 443
      name: https
      protocol: HTTPS
    tls:
      mode: SIMPLE
      credentialName: "gismesh-com" # reference the certificate secret
    hosts:
    - "bookinfo.gismesh.com"
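The two methods above depend on the Secret and the Gateway agreeing with each other, and both fail quietly when they do not: with the file mount the volume is `optional: true`, so a missing istio-ingressgateway-certs secret gives the pod an empty /etc/istio/ingressgateway-certs instead of a startup error; with SDS a credentialName that names no kubernetes.io/tls secret in the gateway's own namespace is simply never served. The following script is an added example, not part of this guide or of Istio, that checks those rules for both the file-mount Gateway and the SDS Gateway. The Secret and Gateway objects are constructed inline with placeholder PEM bodies; in practice you would feed it the JSON from `kubectl get secret -n istio-system -o json` and `kubectl get gateway -o json`.

```python
# Added example (not from the original guide): consistency checks for the two
# istio-ingressgateway TLS setups, file mount and SDS. All objects below are
# constructed to mirror the guide; they are not real cluster output.
import base64

GATEWAY_NAMESPACE = "istio-system"             # where istio-ingressgateway runs
MOUNTED_SECRET = "istio-ingressgateway-certs"  # secretName of the Deployment's volume
MOUNT_PATH = "/etc/istio/ingressgateway-certs" # mountPath of that volume

# Placeholder PEM bodies: the checks look at the PEM framing, not the bytes.
CERT_PEM = "-----BEGIN CERTIFICATE-----\nPLACEHOLDER\n-----END CERTIFICATE-----\n"
KEY_PEM = "-----BEGIN PRIVATE KEY-----\nPLACEHOLDER\n-----END PRIVATE KEY-----\n"


def b64(text):
    return base64.b64encode(text.encode()).decode()


def tls_secret(name, namespace, cert=CERT_PEM, key=KEY_PEM, kind="kubernetes.io/tls"):
    """Build a Secret object shaped like `kubectl get secret -o json` output."""
    return {"kind": "Secret", "type": kind,
            "metadata": {"name": name, "namespace": namespace},
            "data": {"tls.crt": b64(cert), "tls.key": b64(key)}}


def gateway(name, tls):
    """Build a Gateway with one HTTPS server carrying the given tls block."""
    return {"kind": "Gateway", "metadata": {"name": name, "namespace": "istio-example"},
            "spec": {"selector": {"istio": "ingressgateway"},
                     "servers": [{"port": {"number": 443, "name": "https", "protocol": "HTTPS"},
                                  "hosts": ["bookinfo.gismesh.com"], "tls": tls}]}}


def check_tls_secret(secret):
    """Return problems with a Secret meant to hold the gateway's cert/key pair."""
    problems = []
    name = secret["metadata"]["name"]
    if secret.get("type") != "kubernetes.io/tls":
        problems.append(f"secret {name}: type is {secret.get('type')!r}, expected kubernetes.io/tls")
    data = secret.get("data", {})
    for field, marker in (("tls.crt", "CERTIFICATE"), ("tls.key", "PRIVATE KEY")):
        if field not in data:
            problems.append(f"secret {name}: missing {field}")
            continue
        try:
            pem = base64.b64decode(data[field], validate=True).decode()
        except (ValueError, UnicodeDecodeError):
            problems.append(f"secret {name}: {field} is not base64-encoded text")
            continue
        first = pem.strip().splitlines()[0] if pem.strip() else ""
        if not (first.startswith("-----BEGIN ") and marker in first):
            problems.append(f"secret {name}: {field} is not a PEM {marker}")
    return problems


def find_secret(secrets, name, namespace):
    for s in secrets:
        if s["metadata"]["name"] == name and s["metadata"]["namespace"] == namespace:
            return s
    return None


def check_gateway(gw, secrets):
    """Check every HTTPS server of a Gateway against the secrets the gateway pod can see."""
    problems = []
    for server in gw["spec"]["servers"]:
        port = server["port"]
        label = f"gateway {gw['metadata']['name']} port {port['name']}"
        if port.get("protocol") != "HTTPS":
            continue
        tls = server.get("tls")
        if not tls:
            problems.append(f"{label}: HTTPS server without a tls block")
            continue
        if "credentialName" in tls:  # SDS style: the agent watches the gateway's namespace only
            if tls.get("serverCertificate") or tls.get("privateKey"):
                problems.append(f"{label}: credentialName mixed with file paths")
            secret = find_secret(secrets, tls["credentialName"], GATEWAY_NAMESPACE)
            if secret is None:
                problems.append(f"{label}: no secret {tls['credentialName']!r} in {GATEWAY_NAMESPACE}")
            else:
                problems.extend(check_tls_secret(secret))
        else:  # file-mount style: paths must sit under the mounted volume
            for field in ("serverCertificate", "privateKey"):
                path = tls.get(field, "")
                if not path.startswith(MOUNT_PATH + "/"):
                    problems.append(f"{label}: {field} {path!r} is not under {MOUNT_PATH}")
            secret = find_secret(secrets, MOUNTED_SECRET, GATEWAY_NAMESPACE)
            if secret is None:
                problems.append(f"{label}: secret {MOUNTED_SECRET} missing in {GATEWAY_NAMESPACE}; "
                                "the volume is optional, so the mount is silently empty")
            else:
                problems.extend(check_tls_secret(secret))
    return problems


# Constructed inventory: the file-mount secret, the SDS secret, and a same-named
# secret in the wrong namespace that the gateway agent will never see.
SECRETS = [tls_secret("istio-ingressgateway-certs", "istio-system"),
           tls_secret("gismesh-com", "istio-system"),
           tls_secret("gismesh-com", "istio-example")]

FILE_MOUNT_GATEWAY = gateway("bookinfo-gateway", {
    "mode": "SIMPLE",
    "serverCertificate": "/etc/istio/ingressgateway-certs/tls.crt",
    "privateKey": "/etc/istio/ingressgateway-certs/tls.key"})
SDS_GATEWAY = gateway("bookinfo-gateway", {"mode": "SIMPLE", "credentialName": "gismesh-com"})
# Hypothetical typo in credentialName, constructed to show the failure mode.
BROKEN_SDS_GATEWAY = gateway("bookinfo-gateway", {"mode": "SIMPLE", "credentialName": "gismesh-net"})

if __name__ == "__main__":
    for gw in (FILE_MOUNT_GATEWAY, SDS_GATEWAY, BROKEN_SDS_GATEWAY):
        print(gw["spec"]["servers"][0]["tls"], "->", check_gateway(gw, SECRETS) or "OK")
```

The namespace rule is the one most often tripped over in practice: the Gateway resource itself lives in the application namespace (istio-example here), but both the mounted secret and any credentialName secret must live in istio-system, where the gateway pod and its agent run.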