istio-ingressgateway Certificate Configuration Guide
阿新 • Published: 2022-03-02
Configuring SSL on the Istio gateway
As the outermost layer of service access, istio-ingressgateway also has to take care of SSL encryption, without affecting the other services. Several ways of doing this are described below.
File mount method
- Look at the certificate mount configuration in the istio-ingressgateway deployment
kubectl get deploy/istio-ingressgateway -n istio-system -o yaml
apiVersion: apps/v1
kind: Deployment
metadata:
  annotations:
    deployment.kubernetes.io/revision: "1"
...
        terminationMessagePath: /dev/termination-log
        terminationMessagePolicy: File
        volumeMounts:
        - mountPath: /var/run/secrets/istio
          name: istiod-ca-cert
        - mountPath: /var/run/ingress_gateway
          name: ingressgatewaysdsudspath
        - mountPath: /etc/istio/pod
          name: podinfo
        - mountPath: /etc/istio/ingressgateway-certs   # certificate directory
          name: ingressgateway-certs                   # the referenced volume
          readOnly: true
        - mountPath: /etc/istio/ingressgateway-ca-certs
          name: ingressgateway-ca-certs
          readOnly: true
      dnsPolicy: ClusterFirst
      restartPolicy: Always
      schedulerName: default-scheduler
      securityContext: {}
      serviceAccount: istio-ingressgateway-service-account
      serviceAccountName: istio-ingressgateway-service-account
      terminationGracePeriodSeconds: 30
      volumes:
      - configMap:
          defaultMode: 420
          name: istio-ca-root-cert
        name: istiod-ca-cert
      - downwardAPI:
          defaultMode: 420
          items:
          - fieldRef:
              apiVersion: v1
              fieldPath: metadata.labels
            path: labels
          - fieldRef:
              apiVersion: v1
              fieldPath: metadata.annotations
            path: annotations
        name: podinfo
      - emptyDir: {}
        name: ingressgatewaysdsudspath
      - name: ingressgateway-certs
        secret:
          defaultMode: 420
          optional: true
          secretName: istio-ingressgateway-certs   # references a secret of type tls
      - name: ingressgateway-ca-certs
        secret:
          defaultMode: 420
          optional: true
          secretName: istio-ingressgateway-ca-certs
status:
  availableReplicas: 1
...
# istio-ingressgateway is configured by default to mount a certificate secret, but that secret is not created for you
# we turn our own certificate into a secret under istio with the name used in the definition, istio-ingressgateway-certs
# the istio gateway will then load that secret automatically
- Create ingressgateway-certs
See the SSL management guide for how to create the certificate.
# Use kubectl to create the secret istio-ingressgateway-certs in the istio-system namespace
wangw@t460p:~$ kubectl create -n istio-system secret tls istio-ingressgateway-certs --key ssl/server.key --cert ssl/server.pem
secret/istio-ingressgateway-certs created
wangw@t460p:~$ kubectl get secret/istio-ingressgateway-certs -n istio-system
NAME                         TYPE                DATA   AGE
istio-ingressgateway-certs   kubernetes.io/tls   2      68s
# Check whether the ingressgateway has mounted the certificate
wangw@t460p:~$ kubectl get pod -n istio-system |grep ingress
istio-ingressgateway-7bd5586b79-pgrmd   1/1     Running   0          5h49m
wangw@t460p:~$ kubectl exec -it -n istio-system pod/istio-ingressgateway-7bd5586b79-pgrmd ls /etc/istio/ingressgateway-certs
kubectl exec [POD] [COMMAND] is DEPRECATED and will be removed in a future version. Use kubectl kubectl exec [POD] -- [COMMAND] instead.
tls.crt  tls.key
# Print tls.crt to confirm the mounted certificate is the right one
wangw@t460p:~$ kubectl exec -it -n istio-system pod/istio-ingressgateway-7bd5586b79-pgrmd cat /etc/istio/ingressgateway-certs/tls.crt
kubectl exec [POD] [COMMAND] is DEPRECATED and will be removed in a future version. Use kubectl kubectl exec [POD] -- [COMMAND] instead.
- Modify the gateway configuration
[root@vm networking]# cat bookinfo-gateway1.yaml
apiVersion: networking.istio.io/v1alpha3
kind: Gateway
metadata:
  name: bookinfo-gateway
spec:
  selector:
    istio: ingressgateway # use istio default controller
  servers:
  - port:
      number: 443        # ssl port
      name: https
      protocol: HTTPS    # HTTPS protocol
    hosts:
    - "bookinfo.gisuni.local"
    tls:                 # add tls; here it references the certificate files mounted locally in the ingressgateway
      mode: SIMPLE
      serverCertificate: /etc/istio/ingressgateway-certs/tls.crt
      privateKey: /etc/istio/ingressgateway-certs/tls.key
...
# apply the rules
[root@vm networking]# kubectl apply -f bookinfo-gateway1.yaml -n istio-example
gateway.networking.istio.io/bookinfo-gateway changed
virtualservice.networking.istio.io/bookinfo unchanged
- Access bookinfo
Via SDS
Configure a TLS ingress gateway so that it obtains its credentials through SDS from the ingress gateway agent. The ingress gateway agent runs in the same pod as the ingress gateway and watches for new secrets created in the namespace where the ingress gateway lives.
Enabling SDS in the ingress gateway has the following benefits:
- The ingress gateway can dynamically add, delete or update key/certificate pairs and root certificates without a restart;
- No secret volume has to be mounted: once the Kubernetes secret is created, the gateway agent picks it up and sends it to the ingress gateway as a key/certificate pair and root certificate;
- The gateway agent can watch multiple key/certificate pairs. You only need to create a secret for each hostname and update the gateway definition.
Enable SDS (disabled by default)
# Enable SDS with --set values.gateways.istio-ingressgateway.sds.enabled=true
# Don't forget to keep the original --set profile=demo; the default is --set profile=default
# Regenerate the configuration and apply it to istio
[root@vm istio-1.5.1]# bin/istioctl manifest generate --set profile=demo \
--set values.gateways.istio-ingressgateway.sds.enabled=true
Create the certificate secret
# it must be created in the same namespace as the ingressgateway
[root@vm ~]# kubectl create -n istio-system secret tls gismesh-com --key ssl/server.key --cert ssl/server.pem
secret/gismesh-com created
Modify the gateway configuration
apiVersion: networking.istio.io/v1alpha3
kind: Gateway
metadata:
  name: bookinfo-gateway
spec:
  selector:
    istio: ingressgateway # use istio default ingress gateway
  servers:
  - port:
      number: 443
      name: https
      protocol: HTTPS
    tls:
      mode: SIMPLE
      credentialName: "gismesh-com" # reference the certificate secret
    hosts:
    - "bookinfo.gismesh.com"
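Both styles above fail quietly when the secret is missing or in the wrong place: the file-mount Deployment marks istio-ingressgateway-certs as optional, and an SDS credentialName is only resolved in the gateway's own namespace. The following pre-apply check is an added example, not code from the post or from Istio; it assumes manifests in the dict shape kubectl -o json returns, and the sample Gateway and Secret objects in it are constructed.

```python
# Pre-apply lint for the two Gateway TLS styles above. Manifests are dicts in the
# shape "kubectl get ... -o json" returns; the sample objects below are constructed.
MOUNT_DIR = "/etc/istio/ingressgateway-certs"   # file-mount method: where the secret is mounted
MOUNT_SECRET = "istio-ingressgateway-certs"     # file-mount method: optional secret in the Deployment
GATEWAY_NS = "istio-system"                     # namespace the ingressgateway pod runs in


def check_gateway(gateway: dict, secrets: list) -> list:
    """Return one finding string per misconfiguration on the Gateway's HTTPS servers."""
    findings = []
    by_key = {(s["metadata"]["namespace"], s["metadata"]["name"]): s for s in secrets}
    gw = gateway["metadata"]["name"]
    for server in gateway["spec"].get("servers", []):
        port = server.get("port", {})
        if port.get("protocol") != "HTTPS":
            continue
        tls = server.get("tls")
        label = f"{gw} port {port.get('number')}"
        if not tls:
            findings.append(f"{label}: protocol HTTPS but no tls block, the listener will not start")
            continue
        cred = tls.get("credentialName")
        if cred:  # SDS style: the secret must sit in the gateway's namespace and be a TLS secret
            secret = by_key.get((GATEWAY_NS, cred))
            if secret is None:
                elsewhere = [ns for ns, name in by_key if name == cred]
                where = f" (found in {', '.join(elsewhere)})" if elsewhere else ""
                findings.append(f"{label}: credentialName {cred!r} missing from {GATEWAY_NS}{where}")
            elif secret.get("type") != "kubernetes.io/tls":
                findings.append(f"{label}: secret {cred!r} is {secret.get('type')}, expected kubernetes.io/tls")
        else:  # file-mount style: both paths must point into the mounted directory
            for key in ("serverCertificate", "privateKey"):
                path = tls.get(key, "")
                if not path.startswith(MOUNT_DIR + "/"):
                    findings.append(f"{label}: {key} {path!r} is not under {MOUNT_DIR}")
            if (GATEWAY_NS, MOUNT_SECRET) not in by_key:
                # the Deployment marks this secret optional, so a missing one fails silently
                findings.append(f"{label}: secret {MOUNT_SECRET} not created in {GATEWAY_NS}; mount will be empty")
    return findings


def _secret(ns, name, kind="kubernetes.io/tls"):
    return {"metadata": {"namespace": ns, "name": name}, "type": kind}


# constructed sample: SDS gateway whose secret was created in the wrong namespace
SDS_GATEWAY = {"metadata": {"name": "bookinfo-gateway"}, "spec": {"servers": [
    {"port": {"number": 443, "name": "https", "protocol": "HTTPS"},
     "tls": {"mode": "SIMPLE", "credentialName": "gismesh-com"},
     "hosts": ["bookinfo.gismesh.com"]}]}}
WRONG_NS_SECRETS = [_secret("istio-example", "gismesh-com")]
```

Running check_gateway(SDS_GATEWAY, WRONG_NS_SECRETS) reports the secret as missing from istio-system and points at istio-example, which is the mistake the "must be created in the same namespace" comment above warns about.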