Kube: Using a Secure Gateway in Istio (1)

Using TLS

Add a Gateway definition.

The Gateway definition includes ports 80 and 443.

Enable httpsRedirect on port 80.

Enable SIMPLE TLS on port 443.

Specify the key and certificate for port 443.

# IPVS virtual service on the VIP 192.168.0.62:443: weighted round-robin,
# 300 s persistence, with 192.168.0.72 and 192.168.0.73 as real servers
# in direct-routing (gatewaying) mode
ipvsadm -A -t 192.168.0.62:443 -s wrr -p 300
ipvsadm -a -t 192.168.0.62:443 -r 192.168.0.72:443 -g
ipvsadm -a -t 192.168.0.62:443 -r 192.168.0.73:443 -g
# The same for port 80, so the HTTP server doing the httpsRedirect is reachable
ipvsadm -A -t 192.168.0.62:80 -s wrr -p 300
ipvsadm -a -t 192.168.0.62:80 -r 192.168.0.72:80 -g
ipvsadm -a -t 192.168.0.62:80 -r 192.168.0.73:80 -g

IPVS configuration.

# CA: 4096-bit RSA key and a self-signed certificate valid for 3655 days
openssl req \
    -newkey rsa:4096 -nodes -sha256 -keyout ca.key \
    -x509 -days 3655 -out ca.crt

# Gateway key and certificate signing request
openssl req \
    -newkey rsa:4096 -nodes -sha256 -keyout istio-httpbin.key \
    -out istio-httpbin.csr

# Subject Alternative Names: the IPVS VIP, both real-server IPs and the two host names
echo "subjectAltName = IP:192.168.0.62, IP:192.168.0.72, IP:192.168.0.73, DNS:httpbin.istio.local, DNS:app.istio.local" > extfile.cnf

# Sign the CSR with the CA, attaching the SAN extension
openssl x509 \
    -req -days 3655 -in istio-httpbin.csr -CA ca.crt -CAkey ca.key \
    -CAcreateserial -extfile extfile.cnf -out istio-httpbin.crt

Self-signed certificate configuration.

# Store the gateway key and certificate as a TLS secret in istio-system;
# the ingress gateway mounts this secret at /etc/istio/ingressgateway-certs
kubectl create -n istio-system secret tls istio-ingressgateway-certs --key ./istio-httpbin.key --cert ./istio-httpbin.crt

Kubernetes secret configuration.

apiVersion: networking.istio.io/v1alpha3
kind: Gateway
metadata:
  name: httpbin-gateway-tls
spec:
  selector:
    istio: ingressgateway # use istio default ingress gateway
  servers:
  - port:
      number: 80
      name: http
      protocol: HTTP
    hosts:
    - "*"
    tls:
      httpsRedirect: true   # answer plain HTTP with a 301 to https://
  - port:
      number: 443
      name: https
      protocol: HTTPS
    tls:
      mode: SIMPLE          # server-side TLS only, no client certificates
      serverCertificate: /etc/istio/ingressgateway-certs/tls.crt
      privateKey: /etc/istio/ingressgateway-certs/tls.key
    hosts:
    - "*"

Gateway configuration.

apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
  name: httpbin-vs
spec:
  hosts:
  - "192.168.0.62"
  gateways:
  - httpbin-gateway-tls
  http:
  - match:
    - uri:
        prefix: /status
    - uri:
        prefix: /delay
    - uri:
        prefix: /headers
    route:
    - destination:
        port:
          number: 8000
        host: httpbin

VirtualService configuration.

[~/K8s/istio/istio-1.0.2/samples/certs]$ http http://192.168.0.62/status/418 --verify no --follow -v
GET /status/418 HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
Connection: keep-alive
Host: 192.168.0.62
User-Agent: HTTPie/0.9.9

HTTP/1.1 301 Moved Permanently
content-length: 0
date: Sun, 30 Sep 2018 09:04:21 GMT
location: https://192.168.0.62/status/418
server: envoy

GET /status/418 HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
Connection: keep-alive
Host: 192.168.0.62
User-Agent: HTTPie/0.9.9

HTTP/1.1 418 Unknown
access-control-allow-credentials: true
access-control-allow-origin: *
content-length: 135
date: Sun, 30 Sep 2018 09:04:21 GMT
server: envoy
x-envoy-upstream-service-time: 2
x-more-info: http://tools.ietf.org/html/rfc2324

    -=[ teapot ]=-

       _...._
     .'  _ _ `.
    | ."` ^ `". _,
    \_;`"---"`|//
      |       ;/
      \_     _/
        `"""`

[~/K8s/istio/istio-1.0.2/samples/certs]$

httpsRedirect test result.

[~/K8s/istio/istio-1.0.2/samples/certs]$ http https://192.168.0.62/status/418 --verify no -v
GET /status/418 HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
Connection: keep-alive
Host: 192.168.0.62
User-Agent: HTTPie/0.9.9

HTTP/1.1 418 Unknown
access-control-allow-credentials: true
access-control-allow-origin: *
content-length: 135
date: Sun, 30 Sep 2018 09:06:07 GMT
server: envoy
x-envoy-upstream-service-time: 7
x-more-info: http://tools.ietf.org/html/rfc2324

    -=[ teapot ]=-

       _...._
     .'  _ _ `.
    | ."` ^ `". _,
    \_;`"---"`|//
      |       ;/
      \_     _/
        `"""`

[~/K8s/istio/istio-1.0.2/samples/certs]$

HTTPS test result.
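Added here as an example (not code from the original post): a shell check for the certificate produced by the openssl steps above, run before it goes into the secret. It verifies that the certificate chains to ca.crt and that its SAN list covers the IPVS VIP and the host names clients will use. The file names are the post's; the script name, the VIP and the host names are assumptions passed in as arguments.

```shell
#!/bin/sh
# Added example, not part of the original post: validate the gateway
# certificate issued above before loading it into the
# istio-ingressgateway-certs secret. Assumes the openssl CLI and the post's
# file names (ca.crt, istio-httpbin.crt); VIP and host names are arguments.
set -eu

# verify_chain CA_CERT LEAF_CERT: succeeds only if LEAF_CERT chains to CA_CERT.
# This is the check that `--verify no` in the HTTPie tests above skips.
verify_chain() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# cert_has_san LEAF_CERT ENTRY: succeeds if ENTRY (written as in extfile.cnf,
# e.g. "IP:192.168.0.62" or "DNS:app.istio.local") is among the certificate's SANs.
cert_has_san() {
    want=$(printf '%s' "$2" | sed 's/^IP:/IP Address:/')
    openssl x509 -in "$1" -noout -text 2>/dev/null \
        | awk '/Subject Alternative Name/ { getline; print; exit }' \
        | tr ',' '\n' | sed 's/^[[:space:]]*//' | grep -qx "$want"
}

# check_gateway_cert CA_CERT LEAF_CERT VIP HOST...: checks everything a
# verifying client of https://VIP/ or https://HOST/ will enforce.
check_gateway_cert() {
    ca=$1; leaf=$2; vip=$3; shift 3; rc=0
    if verify_chain "$ca" "$leaf"; then
        echo "ok   chain: $leaf is signed by $ca"
    else
        echo "FAIL chain: $leaf does not verify against $ca"; rc=1
    fi
    if cert_has_san "$leaf" "IP:$vip"; then
        echo "ok   SAN covers IP $vip (the IPVS VIP clients connect to)"
    else
        echo "FAIL SAN lacks IP $vip: clients will reject https://$vip/"; rc=1
    fi
    for h in "$@"; do
        if cert_has_san "$leaf" "DNS:$h"; then
            echo "ok   SAN covers $h"
        else
            echo "FAIL SAN lacks $h"; rc=1
        fi
    done
    return $rc
}

# Usage: sh check-gateway-cert.sh ca.crt istio-httpbin.crt 192.168.0.62 \
#            httpbin.istio.local app.istio.local
[ "$#" -eq 0 ] || check_gateway_cert "$@"
```

HTTPie's `--verify no` in the two test runs above disables exactly these checks; once the certificate passes, `--verify ca.crt` lets the client enforce them instead.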

  • Original article: https://kuaibao.qq.com/s/20180930G1J90300?refer=cp_1026
  • Republished by the Tencent Cloud Developer Community, a distribution channel of the Tencent Content Open Platform (Penguin account), under the Tencent Content Open Platform Service Agreement.