Istio上所有服务上都启用mtls

将模式改为STRICT,用外部客户端(没有加密认证)直接访问demoapp是可以访问成功的,网格是内部是加密的。

client-------------->proxy-------------->demoapp

        非加密可以访问                加密可以访问

后面的时间是把client到proxy之间也加密

[root@master 01-PeerAuthentication-Policy-Basics]# cat 01-namespace-default-peerauthn.yaml 
---
apiVersion: security.istio.io/v1beta1
kind: PeerAuthentication
metadata:
  name: default
  namespace: default
spec:
  mtls:
    mode: STRICT
---
[root@master 01-PeerAuthentication-Policy-Basics]# kubectl apply -f 01-namespace-default-peerauthn.yaml 
peerauthentication.security.istio.io/default unchanged

 创建CA、Key和CSR

mkdir certificates/
cd certificates/
openssl req -x509 -sha256 -nodes -days 365 -newkey rsa:2048 -subj '/O=MageEdu Inc./CN=magedu.com' -keyout magedu.com.key -out magedu.com.crt
openssl req -out kiali.magedu.com.csr -newkey rsa:2048 -nodes -keyout kiali.magedu.com.key -subj "/CN=kiali.magedu.com/O=kiali organization"
openssl x509 -req -days 365 -CA magedu.com.crt -CAkey magedu.com.key -set_serial 1 -in kiali.magedu.com.csr -out kiali.magedu.com.crt

 创建Secret

kubectl create secret tls kiali-credential --key=kiali.magedu.com.key --cert=kiali.magedu.com.crt -n istio-system

把网关服务开放出去

[root@k8s-master 03-Ingress-Gateway-TLS]# kubectl apply -f ./kiali/
[root@k8s-master 03-Ingress-Gateway-TLS]# cat kiali/kiali-gateway.yaml 
---
apiVersion: networking.istio.io/v1beta1
kind: Gateway
metadata:
  name: kiali-gateway
  namespace: istio-system
spec:
  selector:
    app: istio-ingressgateway
  servers:
  - port:
      number: 80
      name: http
      protocol: HTTP
    hosts:
    - "kiali.magedu.com"
    tls:
      httpsRedirect: true
  - port:
      number: 443
      name: https
      protocol: HTTPS
    tls:
      mode: SIMPLE
      credentialName: kiali-credential
    hosts:
    - "kiali.magedu.com"
---
[root@k8s-master 03-Ingress-Gateway-TLS]# cat kiali/kiali-virtualservice.yaml 
apiVersion: networking.istio.io/v1beta1
kind: VirtualService
metadata:
  name: kiali-virtualservice
  namespace: istio-system
spec:
  hosts:
  - "kiali.magedu.com"
  gateways:
  - kiali-gateway
  http:
  - match:
    - uri:
        prefix: /
    route:
    - destination:
        host: kiali
        port:
          number: 20001
---

 

 

 创建ca和secret

openssl req -x509 -sha256 -nodes -days 365 -newkey rsa:2048 -subj '/O=YZY Inc./CN=yzy.com' -keyout yzy.com.key -out yzy.com.crt
openssl req -out fe.yzy.com.csr -newkey rsa:2048 -nodes -keyout fe.yzy.com.key -subj "/CN=fe.yzy.com/O=fe organization"
openssl x509 -req -days 365 -CA yzy.com.crt -CAkey yzy.com.key -set_serial 2 -in fe.yzy.com.csr -out fe.yzy.com.crt

kubectl create secret tls fe-credential --key=fe.yzy.com.key --cert=fe.yzy.com.crt -n istio-system

创建gateway和vs

[root@k8s-master fe-proxy]# kubectl apply -f ./
gateway.networking.istio.io/proxy-gateway configured
virtualservice.networking.istio.io/proxy configured
[root@k8s-master fe-proxy]# cat gateway-proxy.yaml 
apiVersion: networking.istio.io/v1beta1
kind: Gateway
metadata:
  name: proxy-gateway
  namespace: istio-system        # 要指定为ingress gateway pod所在名称空间
spec:
  selector:
    app: istio-ingressgateway
  servers:
  - port:
      number: 80
      name: http
      protocol: HTTP
    hosts:
    - "fe.yzy.com"
    tls:
      httpsRedirect: true
  - port:
      number: 443
      name: https
      protocol: HTTPS
    tls:
      mode: SIMPLE
      credentialName: fe-credential
    hosts:
    - "fe.yzy.com"
---
[root@k8s-master fe-proxy]# cat virtualservice-proxy.yaml 
apiVersion: networking.istio.io/v1beta1
kind: VirtualService
metadata:
  name: proxy
  namespace: default
spec:
  hosts:
  - "fe.yzy.com"
  gateways:
  - istio-system/proxy-gateway
  - mesh
  http:
  - name: default
    route:
    - destination:
        host: proxy
        port:
          number: 80 
---

 直接curl访问可以看到已经永久重定向到https://fe.yzy.com

 

bookinfo开启加密

kubectl apply -f /root/istio/samples/bookinfo/platform/kube/bookinfo.yaml

创建key和secret

openssl req -x509 -sha256 -nodes -days 365 -newkey rsa:2048 -subj '/O=MageEdu Inc./CN=magedu.com' -keyout magedu.com.key -out magedu.com.crt
openssl req -out bookinfo.magedu.com.csr -newkey rsa:2048 -nodes -keyout bookinfo.magedu.com.key -subj "/CN=bookinfo.magedu.com/O=Bookinfo Project"
openssl x509 -req -days 365 -CA magedu.com.crt -CAkey magedu.com.key -set_serial 30 -in bookinfo.magedu.com.csr -out bookinfo.magedu.com.crt
kubectl create -n istio-system secret tls bookinfo-credential --key=bookinfo.magedu.com.key --cert=bookinfo.magedu.com.crt

 

[root@k8s-master 03-Ingress-Gateway-TLS]# kubectl apply -f bookinfo-productpage/
gateway.networking.istio.io/bookinfo-gateway configured
virtualservice.networking.istio.io/bookinfo-virtualservice configured
[root@k8s-master 03-Ingress-Gateway-TLS]# cat bookinfo-productpage/bookinfo-gateway.yaml 
---
apiVersion: networking.istio.io/v1beta1
kind: Gateway
metadata:
  name: bookinfo-gateway
  namespace: istio-system
spec:
  selector:
    app: istio-ingressgateway
  servers:
  - port:
      number: 80
      name: http
      protocol: HTTP
    hosts:
    - "bookinfo.magedu.com"
    tls:
      httpsRedirect: true
  - port:
      number: 443
      name: https
      protocol: HTTPS
    tls:
      mode: SIMPLE
      credentialName: bookinfo-credential
    hosts:
    - "bookinfo.magedu.com"
---
[root@k8s-master 03-Ingress-Gateway-TLS]# cat bookinfo-productpage/bookinfo-virtualservice.yaml 
---
apiVersion: networking.istio.io/v1beta1
kind: VirtualService
metadata:
  name: bookinfo-virtualservice
spec:
  hosts:
  - "bookinfo.magedu.com"
  gateways:
  - istio-system/bookinfo-gateway
  http:
  - match:
    - uri:
        exact: /productpage
    - uri:
        prefix: /static
    - uri:
        exact: /login
    - uri:
        exact: /logout
    - uri:
        prefix: /api/v1/products
    route:
    - destination:
        host: productpage
        port:
          number: 9080

 

posted @ 2022-09-22 15:42  Maniana  阅读(121)  评论(0编辑  收藏  举报