Kube: Using a Secure Gateway in Istio (1)
Using TLS
Add a Gateway definition.
The Gateway definition covers ports 80 and 443.
On port 80, enable httpsRedirect so plain-HTTP requests are bounced to HTTPS.
On port 443, enable TLS in SIMPLE mode (server certificate only, no client certificates).
Point port 443 at the key and certificate files mounted in the ingress gateway.
# VIP 192.168.0.62 fronts the two ingress-gateway nodes 192.168.0.72/.73:
# weighted round robin (-s wrr), 300 s session persistence (-p 300),
# direct routing to the real servers (-g).
ipvsadm -A -t 192.168.0.62:443 -s wrr -p 300
ipvsadm -a -t 192.168.0.62:443 -r 192.168.0.72:443 -g
ipvsadm -a -t 192.168.0.62:443 -r 192.168.0.73:443 -g
ipvsadm -A -t 192.168.0.62:80 -s wrr -p 300
ipvsadm -a -t 192.168.0.62:80 -r 192.168.0.72:80 -g
ipvsadm -a -t 192.168.0.62:80 -r 192.168.0.73:80 -g
IPVS configuration. 192.168.0.62 is the virtual IP that the tests below target; 192.168.0.72 and 192.168.0.73 are the real servers behind it, where the Istio ingress gateway is reachable on ports 80 and 443.
# CA: self-signed, valid ~10 years, RSA 4096, unencrypted key (-nodes).
# Without -subj, openssl prompts interactively for the subject fields.
openssl req \
-newkey rsa:4096 -nodes -sha256 -keyout ca.key \
-x509 -days 3655 -out ca.crt
# Private key and CSR for the ingress gateway (also prompts for the subject).
openssl req \
-newkey rsa:4096 -nodes -sha256 -keyout istio-httpbin.key \
-out istio-httpbin.csr
# SAN list: the VIP, both node IPs and the two hostnames clients may use.
echo subjectAltName = IP:192.168.0.62, IP:192.168.0.72, IP:192.168.0.73, DNS:httpbin.istio.local, DNS:app.istio.local > extfile.cnf
# Sign the CSR with the CA, attaching the SAN extension from extfile.cnf.
openssl x509 \
-req -days 3655 -in istio-httpbin.csr -CA ca.crt -CAkey ca.key \
-CAcreateserial -extfile extfile.cnf -out istio-httpbin.crt
Self-signed certificate setup. Because the SAN covers the VIP as well as the hostnames, a client that trusts ca.crt can validate the gateway either by IP or by name; the tests below skip validation with --verify no, but --verify ca.crt would succeed for https://192.168.0.62 as well.
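The openssl commands above prompt for the subject interactively and never check what they produced. The script below is an added example, not code from the original post: it performs the same CA-plus-leaf generation non-interactively (a private config file plus -subj, so the system openssl.cnf cannot change the result), gives the CA an explicit basicConstraints CA:TRUE, writes the same SAN list, and then checks the output the way a TLS client would: the leaf must chain to ca.crt, and a hostname or IP must match an entry in the SAN. The CA name istio-test-ca, the output directory argument, the function names and the KEY_BITS variable are assumptions of this example; openssl 1.1.1 or later is assumed to be on PATH.

```shell
#!/bin/sh
# Added example, not from the original post: build the CA and the gateway
# certificate non-interactively, then verify chain and SAN like a client.
# Assumes openssl 1.1.1+ on PATH; file names mirror the post's setup.
set -eu

KEY_BITS=${KEY_BITS:-4096}   # the post uses rsa:4096

# make_gateway_certs DIR SAN...   e.g. IP:192.168.0.62 DNS:app.istio.local
# Writes ca.key/ca.crt and istio-httpbin.key/.csr/.crt into DIR.
make_gateway_certs() {
    dir=$1; shift
    sans=$(printf '%s,' "$@"); sans=${sans%,}
    mkdir -p "$dir"
    # Private config: no interactive prompts (prompt = no, subject via -subj)
    # and an explicit CA extension set instead of whatever the system
    # openssl.cnf happens to add. The [dn] CN is overridden by -subj.
    cat > "$dir/req.cnf" <<'EOF'
[req]
distinguished_name = dn
prompt = no
x509_extensions = v3_ca
[dn]
CN = overridden-by-subj
[v3_ca]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF
    openssl req -config "$dir/req.cnf" -x509 -newkey "rsa:$KEY_BITS" -nodes -sha256 \
        -days 3655 -subj "/CN=istio-test-ca" \
        -keyout "$dir/ca.key" -out "$dir/ca.crt" 2>/dev/null
    openssl req -config "$dir/req.cnf" -newkey "rsa:$KEY_BITS" -nodes -sha256 \
        -subj "/CN=httpbin.istio.local" \
        -keyout "$dir/istio-httpbin.key" -out "$dir/istio-httpbin.csr" 2>/dev/null
    # Leaf extensions: clients match the name against the SAN list; the CN is
    # ignored once a SAN is present. CA:FALSE stops the leaf signing others.
    printf 'subjectAltName = %s\nbasicConstraints = CA:FALSE\nextendedKeyUsage = serverAuth\n' \
        "$sans" > "$dir/extfile.cnf"
    openssl x509 -req -days 3655 -sha256 -in "$dir/istio-httpbin.csr" \
        -CA "$dir/ca.crt" -CAkey "$dir/ca.key" -CAcreateserial \
        -extfile "$dir/extfile.cnf" -out "$dir/istio-httpbin.crt" 2>/dev/null
}

# verify_gateway_certs DIR SAN...: 0 if the leaf chains to ca.crt and its
# SAN extension contains every listed entry (IP:... or DNS:...).
verify_gateway_certs() {
    dir=$1; shift
    openssl verify -CAfile "$dir/ca.crt" "$dir/istio-httpbin.crt" >/dev/null 2>&1 || return 1
    san=$(openssl x509 -in "$dir/istio-httpbin.crt" -noout -text \
        | grep -A1 'Subject Alternative Name' | tail -n 1)
    for entry in "$@"; do
        case $entry in
            IP:*) needle="IP Address:${entry#IP:}" ;;   # openssl's text form
            *)    needle=$entry ;;
        esac
        # Append ", " so 192.168.0.6 cannot match as a prefix of 192.168.0.62.
        case "$san, " in
            *"$needle, "*) ;;
            *) echo "SAN entry $entry missing" >&2; return 1 ;;
        esac
    done
}

# cert_valid_for DIR NAME: 0 if a client trusting ca.crt would accept the
# gateway certificate for NAME (hostname or IPv4 address).
cert_valid_for() {
    dir=$1; name=$2
    case $name in
        *[!0-9.]*) opt=-verify_hostname ;;   # anything not digits/dots
        *)         opt=-verify_ip ;;
    esac
    openssl verify -CAfile "$dir/ca.crt" "$opt" "$name" "$dir/istio-httpbin.crt" >/dev/null 2>&1
}
```

Typical use is make_gateway_certs certs IP:192.168.0.62 IP:192.168.0.72 IP:192.168.0.73 DNS:httpbin.istio.local DNS:app.istio.local, followed by the kubectl create secret command from the post pointing at certs/istio-httpbin.key and certs/istio-httpbin.crt. cert_valid_for certs evil.example returning non-zero is the negative check: a name that is not in the SAN must be rejected, otherwise the SAN list is not doing its job.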
kubectl create -n istio-system secret tls istio-ingressgateway-certs --key ./istio-httpbin.key --cert ./istio-httpbin.crt
Kubernetes secret setup. A secret of type tls stores the pair under the keys tls.crt and tls.key, and the Istio 1.0 ingress gateway deployment mounts the secret named istio-ingressgateway-certs at /etc/istio/ingressgateway-certs/, which is why the Gateway below references /etc/istio/ingressgateway-certs/tls.crt and tls.key. Keep in mind that a Secret is only base64-encoded: anyone who can read secrets in istio-system can read the gateway's private key.
apiVersion: networking.istio.io/v1alpha3
kind: Gateway
metadata:
  name: httpbin-gateway-tls
spec:
  selector:
    istio: ingressgateway # use istio default ingress gateway
  servers:
  - port:
      number: 80
      name: http
      protocol: HTTP
    hosts:
    - "*"
    tls:
      httpsRedirect: true
  - port:
      number: 443
      name: https
      protocol: HTTPS
    tls:
      mode: SIMPLE
      serverCertificate: /etc/istio/ingressgateway-certs/tls.crt
      privateKey: /etc/istio/ingressgateway-certs/tls.key
    hosts:
    - "*"
Gateway configuration. Port 80 carries nothing but the 301 redirect; port 443 terminates TLS in SIMPLE mode, so the gateway presents a server certificate but does not ask clients for one. hosts: "*" accepts any Host/SNI value; once real hostnames are in use, listing the names that appear in the certificate's SAN is the tighter setting.
apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
  name: httpbin-vs
spec:
  hosts:
  - "192.168.0.62"
  gateways:
  - httpbin-gateway-tls
  http:
  - match:
    - uri:
        prefix: /status
    - uri:
        prefix: /delay
    - uri:
        prefix: /headers
    route:
    - destination:
        port:
          number: 8000
        host: httpbin
VirtualService configuration. The routes are bound to httpbin-gateway-tls and matched on the VIP as the host; only the three path prefixes are exposed, and any other path on the gateway gets a 404 from Envoy rather than reaching httpbin.
[~/K8s/istio/istio-1.0.2/samples/certs]$ http http://192.168.0.62/status/418 --verify no --follow -v
GET /status/418 HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
Connection: keep-alive
Host: 192.168.0.62
User-Agent: HTTPie/0.9.9
HTTP/1.1 301 Moved Permanently
content-length: 0
date: Sun, 30 Sep 2018 09:04:21 GMT
location: https://192.168.0.62/status/418
server: envoy
GET /status/418 HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
Connection: keep-alive
Host: 192.168.0.62
User-Agent: HTTPie/0.9.9
HTTP/1.1 418 Unknown
access-control-allow-credentials: true
access-control-allow-origin: *
content-length: 135
date: Sun, 30 Sep 2018 09:04:21 GMT
server: envoy
x-envoy-upstream-service-time: 2
x-more-info: http://tools.ietf.org/html/rfc2324
    -=[ teapot ]=-

       _...._
     .'  _ _ `.
    | ."` ^ `". _,
    \_;`"---"`|//
      |       ;/
      \_     _/
        `"""`
[~/K8s/istio/istio-1.0.2/samples/certs]$
httpsRedirect test result. The plain-HTTP request gets a 301 from Envoy with Location: https://192.168.0.62/status/418; HTTPie follows it (--follow) to the TLS listener, which forwards to httpbin and returns its 418.
[~/K8s/istio/istio-1.0.2/samples/certs]$ http https://192.168.0.62/status/418 --verify no -v
GET /status/418 HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
Connection: keep-alive
Host: 192.168.0.62
User-Agent: HTTPie/0.9.9
HTTP/1.1 418 Unknown
access-control-allow-credentials: true
access-control-allow-origin: *
content-length: 135
date: Sun, 30 Sep 2018 09:06:07 GMT
server: envoy
x-envoy-upstream-service-time: 7
x-more-info: http://tools.ietf.org/html/rfc2324
    -=[ teapot ]=-

       _...._
     .'  _ _ `.
    | ."` ^ `". _,
    \_;`"---"`|//
      |       ;/
      \_     _/
        `"""`
[~/K8s/istio/istio-1.0.2/samples/certs]$
HTTPS test result. The direct HTTPS request reaches httpbin through the TLS listener. --verify no turns off certificate validation in HTTPie, so this run proves only that TLS is terminated, not that the right certificate is served; passing --verify ca.crt instead checks that the presented certificate chains to the CA created above, and succeeds here because the SAN lists IP:192.168.0.62.