istio-ingressgateway 作為服務訪問的最外層,還需要做 SSL/TLS 加密的工作,同時又不能影響其它的服務,下面介紹幾種實現方法。
文件掛載方式
- 查看istio-ingressgateway配置中的證書掛載配置
kubectl get deploy/istio-ingressgateway -n istio-system -o yaml
apiVersion: apps/v1
kind: Deployment
metadata:
annotations:
deployment.kubernetes.io/revision: "1"
...
terminationMessagePath: /dev/termination-log
terminationMessagePolicy: File
volumeMounts:
- mountPath: /var/run/secrets/istio
name: istiod-ca-cert
- mountPath: /var/run/ingress_gateway
name: ingressgatewaysdsudspath
- mountPath: /etc/istio/pod
name: podinfo
- mountPath: /etc/istio/ingressgateway-certs # 證書目錄
name: ingressgateway-certs # 引用的volume
readOnly: true
- mountPath: /etc/istio/ingressgateway-ca-certs
name: ingressgateway-ca-certs
readOnly: true
dnsPolicy: ClusterFirst
restartPolicy: Always
schedulerName: default-scheduler
securityContext: {}
serviceAccount: istio-ingressgateway-service-account
serviceAccountName: istio-ingressgateway-service-account
terminationGracePeriodSeconds: 30
volumes:
- configMap:
defaultMode: 420
name: istio-ca-root-cert
name: istiod-ca-cert
- downwardAPI:
defaultMode: 420
items:
- fieldRef:
apiVersion: v1
fieldPath: metadata.labels
path: labels
- fieldRef:
apiVersion: v1
fieldPath: metadata.annotations
path: annotations
name: podinfo
- emptyDir: {}
name: ingressgatewaysdsudspath
- name: ingressgateway-certs
secret:
defaultMode: 420
optional: true
secretName: istio-ingressgateway-certs # 引用tls類型的secret
- name: ingressgateway-ca-certs
secret:
defaultMode: 420
optional: true
secretName: istio-ingressgateway-ca-certs
status:
availableReplicas: 1
...
# istio-ingressgateway 默認配置了一個掛載 secret 證書的方式,但是這個 secret 不會被自動創建(上面的 volume 標記為 optional: true,secret 不存在時 Pod 仍會啟動,只是證書目錄為空)
# 我們把自己的證書生成 istio-system 下的 secret,名稱與定義中的一致:istio-ingressgateway-certs
# istio 網關將會自動加載該 secret
- 創建ingressgateway-certs
證書創建方法見ssl管理指南
# 使用kubectl在命名空間istio-system下創建secret istio-ingressgateway-certs
wangw@t460p:~$ kubectl create -n istio-system secret tls istio-ingressgateway-certs --key ssl/server.key --cert ssl/server.pem
secret/istio-ingressgateway-certs created
wangw@t460p:~$ kubectl get secret/istio-ingressgateway-certs -n istio-system
NAME TYPE DATA AGE
istio-ingressgateway-certs kubernetes.io/tls 2 68s
# 查看ingressgateway是否掛載了證書
wangw@t460p:~$ kubectl get pod -n istio-system |grep ingress
istio-ingressgateway-7bd5586b79-pgrmd 1/1 Running 0 5h49m
wangw@t460p:~$ kubectl exec -it -n istio-system pod/istio-ingressgateway-7bd5586b79-pgrmd ls /etc/istio/ingressgateway-certs
kubectl exec [POD] [COMMAND] is DEPRECATED and will be removed in a future version. Use kubectl kubectl exec [POD] -- [COMMAND] instead.
tls.crt tls.key
# 查看 tls.crt 內容,確認掛載正確(tls.crt 是公開憑證;私鑰 tls.key 不要用同樣方式輸出到終端或日誌)
wangw@t460p:~$ kubectl exec -it -n istio-system pod/istio-ingressgateway-7bd5586b79-pgrmd cat /etc/istio/ingressgateway-certs/tls.crt
kubectl exec [POD] [COMMAND] is DEPRECATED and will be removed in a future version. Use kubectl kubectl exec [POD] -- [COMMAND] instead.
-----BEGIN CERTIFICATE-----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-----END CERTIFICATE-----
- 修改gateway配置
[root@vm networking]# cat bookinfo-gateway1.yaml
apiVersion: networking.istio.io/v1alpha3
kind: Gateway
metadata:
name: bookinfo-gateway
spec:
selector:
istio: ingressgateway # use istio default controller
servers:
- port:
number: 443 # ssl端口
name: https
protocol: HTTPS # HTTPS協議
hosts:
- "bookinfo.gisuni.local"
tls: # 添加tls,此處引用ingressgateway本地證書文件
mode: SIMPLE
serverCertificate: /etc/istio/ingressgateway-certs/tls.crt
privateKey: /etc/istio/ingressgateway-certs/tls.key
...
# 配置規則
[root@vm networking]# kubectl apply -f bookinfo-gateway1.yaml -n istio-example
gateway.networking.istio.io/bookinfo-gateway changed
virtualservice.networking.istio.io/bookinfo unchanged
- 訪問bookinfo
通過SDS方式
通過配置TLS Ingress Gateway,讓它從Ingress Gateway代理通過SDS獲取憑據。Ingress Gateway代理和Ingress Gateway在同一個Pod中運行,監視Ingress Gateway所在命名空間中新建的Secret。
在 Ingress Gateway 中啟用 SDS 具有如下好處:
- Ingress Gateway無需重啟,就可以動態的新增、刪除或者更新密鑰/證書對以及根證書;
- 無需掛載 Secret 卷,創建了 kubernetes Secret 之後,這個 Secret 就會被 Gateway 代理捕獲,並以密鑰/證書對和根證書的形式發送給 Ingress Gateway;
- Gateway代理能夠監視多個密鑰/證書對。只需要為每個主機名創建Secret並更新Gateway定義就可以了。
開啟SDS(默認關閉)
# 通過--set values.gateways.istio-ingressgateway.sds.enabled=true開啟SDS
# 不要忘了加上原來的配置--set profile=demo,默認--set profile=default
# 重新生成配置清單並應用到 istio(manifest generate 只會輸出 manifest,還需再將其套用到叢集)
[root@vm istio-1.5.1]# bin/istioctl manifest generate --set profile=demo \
--set values.gateways.istio-ingressgateway.sds.enabled=true
創建證書secret
# secret 必須創建在與 ingressgateway 相同的命名空間(這裡是 istio-system)下
[root@vm ~]# kubectl create -n istio-system secret tls gismesh-com --key ssl/server.key --cert ssl/server.pem
secret/gismesh-com created
修改gateway配置
apiVersion: networking.istio.io/v1alpha3
kind: Gateway
metadata:
name: bookinfo-gateway
spec:
selector:
istio: ingressgateway # use istio default ingress gateway
servers:
- port:
number: 443
name: https
protocol: HTTPS
tls:
mode: SIMPLE
credentialName: "gismesh-com" # 引用同命名空間中 tls 類型 secret 的名稱
hosts:
- "bookinfo.gismesh.com"