Architecture
This example is modelled on the official Envoy front_proxy example: a single Envoy runs on its own as the ingress, whose job is to provide one entry point for everything behind it. Incoming connections from outside arrive at this front proxy, which decides where they are forwarded internally.
(Figure: architecture diagram taken from the Envoy documentation, front_proxy)
Generating the certificate
openssl req -nodes -new -x509 -keyout certs/server.key -out certs/server.crt -days 365 -subj "/C=CN/ST=Guangdong/L=Guangzhou/O=studyenvoy/OU=studyenvoy/CN=*.studyenvoy.cn"
Envoy configuration notes
In the v3 API Envoy removed the tls_context setting. Before configuring TLS you need to be familiar with the following two Envoy terms:
- Downstream: downstream hosts connect to Envoy, send requests and receive responses.
- Upstream: upstream hosts receive the connections and requests that Envoy sends them and return responses.
This example is an ingress proxy, so the side that has to be configured is the Downstream.
The v3 API uses transport_socket instead; it is configured in the context of one of the filter_chains of a listener (under listeners), so it applies to every connection accepted by that filter chain.
The official description of transport_socket is:
(config.core.v3.TransportSocket) Optional custom transport socket implementation to use for downstream connections. To setup TLS, set a transport socket with name tls and DownstreamTlsContext in the typed_config. If no transport socket configuration is specified, new connections will be set up with plaintext.
See the transport_socket section of the official configuration reference.
The type used here is DownstreamTlsContext:
transport_socket:                        # TLS settings for this filter chain
  name: envoy.transport_sockets.tls      # name of the transport socket, must not be empty
  typed_config:                          # type of the configuration implementation
    "@type": type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.DownstreamTlsContext
    common_tls_context:                  # TLS context
      tls_certificates:                  # repeated field, so a YAML list
      - certificate_chain:               # server certificate: must be given as filename or inline_bytes
          filename: "/etc/envoy/certs/server.crt"
        private_key:                     # private key: must be given as filename or inline_bytes
          filename: "/etc/envoy/certs/server.key"
Preparing the runtime environment for Envoy and the backend service
Envoy configuration file
admin:
  access_log_path: /dev/null
  address:
    socket_address: { address: 0.0.0.0, port_value: 9901 }
static_resources:
  listeners:
  - name: listeners_http                 # plaintext listener: only redirects to HTTPS
    address:
      socket_address: { address: 0.0.0.0, port_value: 80 }
    filter_chains:
    - filters:
      - name: envoy.http_connection_manager
        typed_config:
          "@type": type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager
          stat_prefix: ingress_http
          codec_type: AUTO
          route_config:
            name: local_route
            virtual_hosts:
            - name: local_service
              domains: [ "*" ]
              routes:
              - match: { prefix: "/" }
                redirect:                # every HTTP request is redirected to https://<host>/
                  path_redirect: "/"
                  https_redirect: true
          http_filters:
          - name: envoy.router
  - name: listener_https                 # TLS listener: terminates TLS and forwards to the cluster
    address:
      socket_address: { address: 0.0.0.0, port_value: 443 }
    filter_chains:
    - filters:
      - name: envoy.http_connection_manager
        typed_config:
          "@type": type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager
          stat_prefix: ingress_http
          codec_type: AUTO
          route_config:
            name: local_route
            virtual_hosts:
            - name: local_service
              domains: [ "*" ]
              routes:
              - match: { prefix: "/" }
                route: { cluster: local_service }
          http_filters:
          - name: envoy.router
      transport_socket:                  # sits on the filter chain, next to filters
        name: envoy.transport_sockets.tls
        typed_config:
          "@type": type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.DownstreamTlsContext
          common_tls_context:
            tls_certificates:
            - certificate_chain:
                filename: "/etc/envoy/certs/server.crt"
              private_key:
                filename: "/etc/envoy/certs/server.key"
  clusters:
  - name: local_service
    connect_timeout: 0.25s
    type: STRICT_DNS
    lb_policy: ROUND_ROBIN
    load_assignment:
      cluster_name: local_service
      endpoints:
      - lb_endpoints:
        - endpoint:
            address:
              socket_address: { address: webservice, port_value: 90 }   # compose network alias of the backend
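To check the transport_socket placement and the HTTP-to-HTTPS redirect described above without starting Envoy, here is an added lint (example code written for this page, not part of the original post or of Envoy). It takes each listener as a Python dict; the sample listener is a constructed dict mirroring the page's YAML, and in real use you would load envoy.yaml with a YAML parser and pass each entry of static_resources.listeners to lint_listener.

```python
# Added example, not code from the original post: a lint for the listeners in
# the Envoy v3 config above. Sample input is a constructed dict mirroring the
# page's YAML; in real use, load envoy.yaml with a YAML parser first.
TLS_TYPE = ("type.googleapis.com/envoy.extensions.transport_sockets."
            "tls.v3.DownstreamTlsContext")
def _routes(chain):
    # Yield every route of every HTTP connection manager in a filter chain.
    for f in chain.get("filters", []):
        for vh in f.get("typed_config", {}).get("route_config", {}).get("virtual_hosts", []):
            yield from vh.get("routes", [])

def lint_listener(listener):
    """Return a list of findings; an empty list means the listener looks right."""
    out, name = [], listener.get("name", "<unnamed>")
    port = listener["address"]["socket_address"]["port_value"]
    for i, chain in enumerate(listener.get("filter_chains", [])):
        if port != 443:  # plaintext listener: every route must redirect to HTTPS
            out += [f"{name}: chain {i}: route {r.get('match')} is served in plaintext"
                    for r in _routes(chain) if not r.get("redirect", {}).get("https_redirect")]
            continue
        # TLS lives in the filter chain's transport_socket, never in a filter.
        ts = chain.get("transport_socket")
        if ts is None:
            out.append(f"{name}: chain {i}: no transport_socket, port 443 speaks plaintext")
            continue
        tc = ts.get("typed_config", {})
        if ts.get("name") != "envoy.transport_sockets.tls" or tc.get("@type") != TLS_TYPE:
            out.append(f"{name}: chain {i}: transport_socket is not a DownstreamTlsContext")
        certs = tc.get("common_tls_context", {}).get("tls_certificates")
        if not isinstance(certs, list) or not certs:
            out.append(f"{name}: chain {i}: tls_certificates must be a non-empty list")
            continue
        for c in certs:  # each entry needs a cert and key, given as filename or inline_bytes
            for field in ("certificate_chain", "private_key"):
                if not {"filename", "inline_bytes"} & set(c.get(field) or {}):
                    out.append(f"{name}: chain {i}: {field} needs filename or inline_bytes")
    return out

# Constructed sample mirroring the page's HTTPS listener, reduced to the fields checked.
HTTPS_LISTENER = {
    "name": "listener_https",
    "address": {"socket_address": {"address": "0.0.0.0", "port_value": 443}},
    "filter_chains": [{
        "filters": [{"name": "envoy.http_connection_manager", "typed_config": {"route_config": {
            "virtual_hosts": [{"routes": [{"match": {"prefix": "/"}, "route": {"cluster": "local_service"}}]}]}}}],
        "transport_socket": {"name": "envoy.transport_sockets.tls", "typed_config": {
            "@type": TLS_TYPE, "common_tls_context": {"tls_certificates": [
                {"certificate_chain": {"filename": "/etc/envoy/certs/server.crt"},
                 "private_key": {"filename": "/etc/envoy/certs/server.key"}}]}}}}]}
```

Running lint_listener(HTTPS_LISTENER) returns an empty list for the page's listener; a port-443 chain without a transport_socket, or a port-80 route that forwards instead of redirecting, produces a finding.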
docker-compose example
version: '3'
services:
  envoy:
    image: envoyproxy/envoy-alpine:v1.15-latest
    environment:
      - ENVOY_UID=0
    ports:
      - 80:80
      - 443:443
      - 82:9901      # Envoy admin interface; exposing it on the host is for this lab only
    volumes:
      - ./envoy.yaml:/etc/envoy/envoy.yaml
      - ./certs:/etc/envoy/certs
    networks:
      envoymesh:
        aliases:
          - envoy
    depends_on:
      - webserver
  webserver:
    image: sealloong/envoy-end:latest
    environment:
      - COLORFUL=blue
    networks:
      envoymesh:
        aliases:
          - myservice
          - webservice   # the name the Envoy cluster resolves via STRICT_DNS
    expose:
      - 90
networks:
  envoymesh: {}
The containers start normally.
The certificate presented by Envoy has the same subject as the one generated above.