Istio上客户端与网关建立TLS通信
[root@master certificates]# openssl req -x509 -sha256 -nodes -days 365 -newkey rsa:2048 -subj '/O=Yang Inc./CN=yang.com' -keyout yang.com.key -out yang.com.crt
[root@master certificates]# openssl req -out fe.yang.com.csr -newkey rsa:2048 -nodes -keyout fe.yang.com.key -subj "/CN=fe.yang.com/O=fe organization"
[root@master certificates]# openssl x509 -req -days 365 -CA yang.com.crt -CAkey yang.com.key -set_serial 2 -in fe.yang.com.csr -out fe.yang.com.crt
[root@master certificates]# kubectl create secret tls fe-credential --key=fe.yang.com.key --cert=fe.yang.com.crt -n istio-system
[root@master certificates]# ll
total 20
-rw-r--r-- 1 root root 1029 Nov 30 22:54 fe.yang.com.crt
-rw-r--r-- 1 root root 928 Nov 30 22:53 fe.yang.com.csr
-rw-r--r-- 1 root root 1704 Nov 30 22:53 fe.yang.com.key
-rw-r--r-- 1 root root 1147 Nov 30 22:52 yang.com.crt
-rw-r--r-- 1 root root 1708 Nov 30 22:52 yang.com.key
[root@master certificates]# kubectl get secret
NAME TYPE DATA AGE
docker-config Opaque 1 26d
[root@master fe-proxy]# kubectl apply -f ./
gateway.networking.istio.io/proxy-gateway unchanged
virtualservice.networking.istio.io/proxy unchanged
[root@master fe-proxy]# cat gateway-proxy.yaml
apiVersion: networking.istio.io/v1beta1
kind: Gateway
metadata:
name: proxy-gateway
namespace: istio-system # 要指定为ingress gateway pod所在名称空间
spec:
selector:
app: istio-ingressgateway
servers:
- port:
number: 80
name: http
protocol: HTTP
hosts:
- "fe.yang.com"
tls:
httpsRedirect: true
- port:
number: 443
name: https
protocol: HTTPS
tls:
mode: SIMPLE
credentialName: fe-credential
hosts:
- "fe.yang.com"
---
[root@master fe-proxy]# cat virtualservice-proxy.yaml
apiVersion: networking.istio.io/v1beta1
kind: VirtualService
metadata:
name: proxy
namespace: default
spec:
hosts:
- "fe.yang.com"
gateways:
- istio-system/proxy-gateway
- mesh
http:
- name: default
route:
- destination:
host: proxy
port:
number: 80
---
直接curl访问
[root@master certificates]# curl fe.yang.com #无返回
[root@master certificates]# curl -I fe.yang.com #重定向到https://fe.yang.com
HTTP/1.1 301 Moved Permanently
location: https://fe.yang.com/
date: Wed, 30 Nov 2022 15:02:51 GMT
server: istio-envoy
transfer-encoding: chunked
[root@master certificates]# curl -v https://fe.yang.com #证书认证失败
加-k参数 跳过对端证书校验过程
[root@master certificates]# curl -v -k https://fe.yang.com
* About to connect() to fe.yang.com port 443 (#0)
* Trying 10.211.55.100...
* Connected to fe.yang.com (10.211.55.100) port 443 (#0)
* Initializing NSS with certpath: sql:/etc/pki/nssdb
* skipping SSL peer certificate verification
* SSL connection using TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
* Server certificate:
* subject: O=fe organization,CN=fe.yang.com
* start date: Nov 30 14:54:28 2022 GMT
* expire date: Nov 30 14:54:28 2023 GMT
* common name: fe.yang.com
* issuer: CN=yang.com,O=Yang Inc.
> GET / HTTP/1.1
> User-Agent: curl/7.29.0
> Host: fe.yang.com
> Accept: */*
>
< HTTP/1.1 200 OK
< date: Wed, 30 Nov 2022 15:05:24 GMT
< content-length: 157
< x-envoy-upstream-service-time: 24
< server: istio-envoy
<
Proxying value: iKubernetes demoapp v1.0 !! ClientIP: 127.0.0.6, ServerName: demoappv10-85cf87cdb4-mnppr, ServerIP: 10.244.166.130!
- Took 20 milliseconds.
* Connection #0 to host fe.yang.com left intact
可以直接curl -k访问
[root@master certificates]# curl -k https://fe.yang.com
Proxying value: iKubernetes demoapp v1.0 !! ClientIP: 127.0.0.6, ServerName: demoappv10-85cf87cdb4-cttnn, ServerIP: 10.244.104.33!
- Took 14 milliseconds.
[root@master certificates]# curl -k https://fe.yang.com
Proxying value: iKubernetes demoapp v1.0 !! ClientIP: 127.0.0.6, ServerName: demoappv10-85cf87cdb4-cttnn, ServerIP: 10.244.104.33!
- Took 23 milliseconds.