Istio secure gateway
阿新 • Published: 2022-04-02
Expose a secure HTTPS service using simple or mutual TLS.
https://istio.io/latest/zh/docs/tasks/traffic-management/ingress/secure-ingress-mount/
1. Configuring a TLS ingress gateway with file-mounted certificates
1.1) Create a Kubernetes secret to hold the server's certificate and private key. Use kubectl to create the secret istio-ingressgateway-certs in the istio-system namespace; the Istio gateway loads this secret automatically.
kubectl create -n istio-system secret tls istio-ingressgateway-certs --key httpbin.example.com.key --cert httpbin.example.com.crt
Verify that tls.crt and tls.key have both been mounted into the ingress gateway pod:
kubectl exec -it -n istio-system $(kubectl -n istio-system get pods -l istio=ingressgateway -o jsonpath='{.items[0].metadata.name}') -- ls -al /etc/istio/ingressgateway-certs
1.2) Configure the Gateway and VirtualService
apiVersion: networking.istio.io/v1alpha3
kind: Gateway
metadata:
  name: httpbin-gateway
spec:
  selector:
    istio: ingressgateway # use istio default ingress gateway
  servers:
  - port:
      number: 443
      name: https
      protocol: HTTPS
    tls:
      mode: SIMPLE
      serverCertificate: /etc/istio/ingressgateway-certs/tls.crt
      privateKey: /etc/istio/ingressgateway-certs/tls.key
    hosts:
    - "httpbin.example.com"
---
apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
  name: httpbin
spec:
  hosts:
  - "httpbin.example.com"
  gateways:
  - httpbin-gateway
  http:
  - match:
    - uri:
        prefix: /status
    - uri:
        prefix: /delay
    route:
    - destination:
        port:
          number: 8000
        host: httpbin
2. Configuring a mutual TLS ingress gateway
2.1) Create a Kubernetes Secret to hold the CA certificate the server will use to verify its clients. Use kubectl to create the secret istio-ingressgateway-ca-certs in the istio-system namespace; the Istio gateway loads this secret automatically.
kubectl create -n istio-system secret generic istio-ingressgateway-ca-certs --from-file=example.com.crt
2.2) Redefine the earlier Gateway, changing the TLS mode to MUTUAL and specifying caCertificates:
apiVersion: networking.istio.io/v1alpha3
kind: Gateway
metadata:
  name: httpbin-gateway
spec:
  selector:
    istio: ingressgateway # use istio default ingress gateway
  servers:
  - port:
      number: 443
      name: https
      protocol: HTTPS
    tls:
      mode: MUTUAL
      serverCertificate: /etc/istio/ingressgateway-certs/tls.crt
      privateKey: /etc/istio/ingressgateway-certs/tls.key
      caCertificates: /etc/istio/ingressgateway-ca-certs/example.com.crt
    hosts:
    - "httpbin.example.com"
2.3) Access the httpbin service over HTTPS as in the previous section. Without a client certificate the TLS handshake is now rejected:
$ curl -HHost:httpbin.example.com --resolve httpbin.example.com:$SECURE_INGRESS_PORT:$INGRESS_HOST --cacert example.com.crt https://httpbin.example.com:$SECURE_INGRESS_PORT/status/418
curl: (35) error:14094410:SSL routines:SSL3_READ_BYTES:sslv3 alert handshake failure
2.4) Create a client certificate for httpbin.example.com. You can use httpbin-client.example.com as the client URI, or any other URI.
openssl req -out httpbin-client.example.com.csr -newkey rsa:2048 -nodes -keyout httpbin-client.example.com.key -subj "/CN=httpbin-client.example.com/O=httpbin's client organization"
openssl x509 -req -sha256 -days 365 -CA example.com.crt -CAkey example.com.key -set_serial 0 -in httpbin-client.example.com.csr -out httpbin-client.example.com.crt
2.5) Send the same request with curl again, this time passing the client certificate (add the --cert option) and your private key (the --key option):
curl -HHost:httpbin.example.com --resolve httpbin.example.com:$SECURE_INGRESS_PORT:$INGRESS_HOST --cacert example.com.crt --cert httpbin-client.example.com.crt --key httpbin-client.example.com.key https://httpbin.example.com:$SECURE_INGRESS_PORT/status/418

    -=[ teapot ]=-

       _...._
     .'  _ _ `.
    | ."` ^ `". _,
    \_;`"---"`|//
      |       ;/
      \_     _/
        `"""`
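To see what the two Gateway modes above actually enforce at the TLS layer, here is an added example (not code from the page or from Istio) that reruns the page's three curl scenarios in-process with Go's crypto/tls: a SIMPLE gateway served to a client that only trusts the CA (section 1), a MUTUAL gateway refusing a client that presents no certificate (step 2.3), and the same gateway accepting a client certificate issued by that CA (step 2.5). The CA, server and client certificates are minted in memory in place of example.com.crt, httpbin.example.com.crt and httpbin-client.example.com.crt, an httptest server stands in for the ingress gateway on port 443, and the /status/418 handler, the hostnames and the Probe, mint, gateway and request functions are this example's own assumptions.

```go
// Added example, not the page's or Istio's code: the page's curl scenarios rerun in-process with crypto/tls.
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net/http"
	"net/http/httptest"
	"time"
)

const gatewayHost = "httpbin.example.com" // host in the Gateway, VirtualService and curl --resolve

// check aborts fixture setup on errors only a broken entropy source or bad template can cause.
func check(err error) {
	if err != nil {
		panic(err)
	}
}

// mint makes a P-256 key and a certificate for cn signed by issuer, or a self-signed CA when issuer is nil (the page's openssl steps).
func mint(cn string, eku x509.ExtKeyUsage, issuer *tls.Certificate) tls.Certificate {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	check(err)
	serial, err := rand.Int(rand.Reader, big.NewInt(1<<62)) // random serial, unlike the page's -set_serial 0
	check(err)
	tmpl := &x509.Certificate{
		SerialNumber: serial, Subject: pkix.Name{CommonName: cn}, DNSNames: []string{cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		BasicConstraintsValid: true, KeyUsage: x509.KeyUsageDigitalSignature, ExtKeyUsage: []x509.ExtKeyUsage{eku},
	}
	parent, signer := tmpl, any(key) // self-signed unless an issuer is given
	if issuer != nil {
		parent, signer = issuer.Leaf, issuer.PrivateKey
	} else { // the CA itself: allowed to sign certificates, no EKU restriction
		tmpl.IsCA, tmpl.KeyUsage, tmpl.ExtKeyUsage = true, x509.KeyUsageCertSign, nil
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, signer)
	check(err)
	leaf, err := x509.ParseCertificate(der)
	check(err)
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key, Leaf: leaf}
}

// gateway plays the ingress gateway on 443: mutual=false is tls.mode SIMPLE; mutual=true is
// mode MUTUAL, where caCertificates becomes ClientCAs and every client must chain to it.
func gateway(serverCert tls.Certificate, ca *x509.Certificate, mutual bool) *httptest.Server {
	srv := httptest.NewUnstartedServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		w.WriteHeader(http.StatusTeapot) // minimal stand-in for httpbin's /status/418
	}))
	srv.TLS = &tls.Config{Certificates: []tls.Certificate{serverCert}, MinVersion: tls.VersionTLS12}
	if mutual {
		srv.TLS.ClientAuth, srv.TLS.ClientCAs = tls.RequireAndVerifyClientCert, x509.NewCertPool()
		srv.TLS.ClientCAs.AddCert(ca)
	}
	srv.StartTLS()
	return srv
}

// request mirrors the curl call: --cacert is RootCAs, --resolve is dialing the listener while
// verifying and naming (SNI) gatewayHost, --cert/--key is Certificates (nil sends none).
func request(srv *httptest.Server, ca *x509.Certificate, clientCert *tls.Certificate) (int, error) {
	cfg := &tls.Config{RootCAs: x509.NewCertPool(), ServerName: gatewayHost, MinVersion: tls.VersionTLS12}
	cfg.RootCAs.AddCert(ca)
	if clientCert != nil {
		cfg.Certificates = []tls.Certificate{*clientCert}
	}
	resp, err := (&http.Client{Transport: &http.Transport{TLSClientConfig: cfg}}).Get(srv.URL + "/status/418")
	if err != nil {
		return 0, err // a TLS-level rejection surfaces here, like curl's exit code 35
	}
	resp.Body.Close()
	return resp.StatusCode, nil
}

// Probe mints CA, server and client certificates, starts the gateway in the requested mode and sends one request.
func Probe(mutual, withClientCert bool) (int, error) {
	ca := mint("example.com", x509.ExtKeyUsageAny, nil)
	server := mint(gatewayHost, x509.ExtKeyUsageServerAuth, &ca)
	client := mint("httpbin-client.example.com", x509.ExtKeyUsageClientAuth, &ca)
	srv := gateway(server, ca.Leaf, mutual)
	defer srv.Close()
	if !withClientCert {
		return request(srv, ca.Leaf, nil)
	}
	return request(srv, ca.Leaf, &client)
}

func main() {
	fmt.Println(Probe(false, false)) // section 1: SIMPLE, no client cert -> 418 <nil>
	fmt.Println(Probe(true, false))  // step 2.3: MUTUAL, no client cert -> 0 plus a TLS error
	fmt.Println(Probe(true, true))   // step 2.5: MUTUAL with client cert -> 418 <nil>
}
```

Run it with go run. The middle line carries a non-nil error because, like curl's exit code 35 in step 2.3, the gateway rejects the connection before any HTTP request is served; under TLS 1.3 the Go client finishes its half of the handshake first and then receives a certificate_required alert, so the text differs from the "sslv3 alert handshake failure" curl printed while the outcome is the same. The setting that does the work in the MUTUAL case is RequireAndVerifyClientCert together with ClientCAs, which is what mode: MUTUAL plus caCertificates configures on the Istio gateway: a certificate that does not chain to that CA, or no certificate at all, never reaches the VirtualService routing.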
3. Configuring a TLS ingress gateway for multiple hosts. See: https://www.cnblogs.com/bill2014/p/16087824.html
4. Ingress gateway without TLS termination
In this mode the ingress gateway simply passes the traffic on port 443 through without terminating TLS; the certificate is presented by the backend service.