Istio Ingress Gateway中的Envoy配置解析

ServiceMesher發表於2018-11-05
本文作者:ServiceMesher 社群成員沈旭光
本文重點為分析Istio Gateway以及VirtualService定義如何生成Istio Ingress Gateway的Envoy相關配置。
  • gateway定義用於配置在mesh邊緣,到mesh的tcp和http的負載均衡。

非TLS單主機環境

相關拓撲

Istio Ingress Gateway中的Envoy配置解析

  • 使用azure aks環境。

  • ingress gateway的service型別為loadbalancer。

  • ingress gateway的service enternal ip為104.211.54.62。

  • 通過該external ip對應的域名,訪問ingress gateway svc。

Istio Ingress Gateway中的Envoy配置解析

  • 增加gateway定義。

  • gateway定義中的selector會將該設定與相應的gateway pod繫結。

  • gateway定義中的servers會在相應的pod中生成listener例項,該拓撲中的監聽埠為80。

  • 需要將80埠註冊到該gateway pod對應的服務中(預設已註冊)。

  • gateway定義中的hosts表示listener會向哪些特定的虛擬主機轉發流量,在該示例中為httpbin.7cb9a9b7b318440399a0.eastus.aksapp.io。

  • 增加virtualservice定義。

  • virtualservice定義中的hosts與gateway中的hosts相對應,表示該服務可以註冊到gateway的監聽中,這個host寫會更新到gateway pod路由表的虛擬主機條目中。

  • virtualservice定義中的gateways將virtualservice與gateway關聯起來。

  • virtualservice定義中的http定義了路由規則,路由規則會寫入到相應gateway pod的路由表中。

相關配置

apiVersion: networking.istio.io/v1alpha3kind: Gatewaymetadata:  name: httpbin-gatewayspec:  selector:    istio: ingressgateway  servers:  - port:      number: 80      name: http-httpbin      protocol: HTTP    hosts:    - "httpbin.7cb9a9b7b318440399a0.eastus.aksapp.io"複製程式碼
  • gateway相關配置。

  • 該定義與包含istio: ingressgateway label的ingress gateway pod繫結。

  • 新建80埠監聽。

  • 監聽主機為httpbin.7cb9a9b7b318440399a0.eastus.aksapp.io的請求。

apiVersion: networking.istio.io/v1alpha3kind: VirtualServicemetadata:  name: httpbin-vsspec:  hosts:  - "httpbin.7cb9a9b7b318440399a0.eastus.aksapp.io"  gateways:  - httpbin-gateway  http:  - match:    - uri:        prefix: /status    - uri:        prefix: /delay    - uri:        prefix: /headers    route:    - destination:        port:          number: 8000        host: httpbin.default.svc.cluster.local複製程式碼
  • virtualservice相關配置。

  • 將該配置應用到名稱為httpbin-gateway的例項中。

  • 定義路由規則和相關轉發目的地。

[~/K8s/istio/istio-azure-1.0.2/samples/httpbin]$ http http://httpbin.7cb9a9b7b318440399a0.eastus.aksapp.io/status/418HTTP/1.1 418 Unknownaccess-control-allow-credentials: trueaccess-control-allow-origin: *content-length: 135date: Sat, 03 Nov 2018 16:20:59 GMTserver: envoyx-envoy-upstream-service-time: 4x-more-info: http://tools.ietf.org/html/rfc2324​    -=[ teapot ]=-​       _...._     .'  _ _ `.    | ."` ^ `". _,    \_;`"---"`|//      |       ;/      \_     _/        `"""`​[~/K8s/istio/istio-azure-1.0.2/samples/httpbin]$複製程式碼
  • 測試結果。

  • 通過主機httpbin.7cb9a9b7b318440399a0.eastus.aksapp.io,可以正常訪問httpbin pod。

TLS單主機環境

相關拓撲

Istio Ingress Gateway中的Envoy配置解析

  • 使用azure aks環境。

  • ingress gateway的service型別為loadbalancer。

  • ingress gateway的service enternal ip為104.211.54.62。

  • 通過該external ip對應的域名,訪問ingress gateway svc。

  • 客戶端使用tls方式訪問主機。

  • tls請求在ingress gateway處被解除安裝,並轉化為http請求。

Istio Ingress Gateway中的Envoy配置解析

  • 增加gateway定義。

  • gateway定義中的監聽埠包括80和443。

  • 在80中啟用httpsredirect。

  • 在443中啟用simple tls。

  • 指定443的key和cert。

  • 增加virtualservice定義,並定義相應路由規則。

相關配置

openssl req \-newkey rsa:4096 -nodes -sha256 -keyout ca.key \-x509 -days 3655 -out ca.crt​openssl req \-newkey rsa:4096 -nodes -sha256 -keyout httpbin-tls.key \-out httpbin-tls.csr​echo subjectAltName = DNS:httpbin.7cb9a9b7b318440399a0.eastus.aksapp.io > extfile-httpbin-tls.cnf​openssl x509 \-req -days 3655 -in httpbin-tls.csr -CA ca.crt -CAkey ca.key \-CAcreateserial -extfile extfile-httpbin-tls.cnf -out httpbin-tls.crt​kubectl create -n istio-system secret tls istio-ingressgateway-certs --key ./httpbin-tls.key --cert ./httpbin-tls.crt複製程式碼
  • 自簽名證書相關配置。

  • k8s secret相關配置。

apiVersion: networking.istio.io/v1alpha3kind: Gatewaymetadata:  name: httpbin-tls-gatewayspec:  selector:    istio: ingressgateway  servers:  - port:      number: 80      name: http-httpbin      protocol: HTTP    hosts:    - "httpbin.7cb9a9b7b318440399a0.eastus.aksapp.io"    tls:      httpsRedirect: true  - port:      number: 443      name: https-httpbin      protocol: HTTPS    tls:      mode: SIMPLE      serverCertificate: /etc/istio/ingressgateway-certs/tls.crt      privateKey: /etc/istio/ingressgateway-certs/tls.key    hosts:    - "httpbin.7cb9a9b7b318440399a0.eastus.aksapp.io"複製程式碼
  • gateway相關配置。

  • 新建監聽埠包括80和443。

  • 在80中啟用httpsredirect。

  • 在443中啟用simple tls。

  • 指定443的key和cert。

apiVersion: networking.istio.io/v1alpha3kind: VirtualServicemetadata:  name: httpbin-tls-vsspec:  hosts:  - "httpbin.7cb9a9b7b318440399a0.eastus.aksapp.io"  gateways:  - httpbin-tls-gateway  http:  - match:    - uri:        prefix: /status    route:    - destination:        port:          number: 8000        host: httpbin.default.svc.cluster.local複製程式碼
  • virtualservice相關配置。

  • 配置相關路由。

[~/K8s/istio/istio-azure-1.0.2/samples/httpbin]$ http http://httpbin.7cb9a9b7b318440399a0.eastus.aksapp.io/status/418 --verify no --follow -vGET /status/418 HTTP/1.1Accept: */*Accept-Encoding: gzip, deflateConnection: keep-aliveHost: httpbin.7cb9a9b7b318440399a0.eastus.aksapp.ioUser-Agent: HTTPie/0.9.9​HTTP/1.1 301 Moved Permanentlycontent-length: 0date: Sat, 03 Nov 2018 19:25:25 GMTlocation: https://httpbin.7cb9a9b7b318440399a0.eastus.aksapp.io/status/418server: envoy​GET /status/418 HTTP/1.1Accept: */*Accept-Encoding: gzip, deflateConnection: keep-aliveHost: httpbin.7cb9a9b7b318440399a0.eastus.aksapp.ioUser-Agent: HTTPie/0.9.9​HTTP/1.1 418 Unknownaccess-control-allow-credentials: trueaccess-control-allow-origin: *content-length: 135date: Sat, 03 Nov 2018 19:25:26 GMTserver: envoyx-envoy-upstream-service-time: 6x-more-info: http://tools.ietf.org/html/rfc2324​    -=[ teapot ]=-​       _...._     .'  _ _ `.    | ."` ^ `". _,    \_;`"---"`|//      |       ;/      \_     _/        `"""`​[~/K8s/istio/istio-azure-1.0.2/samples/httpbin]$複製程式碼
  • httpsredirect測試結果。

  • 通過http方式訪問httpbin.7cb9a9b7b318440399a0.eastus.aksapp.io,可以正常訪問httpbin pod。

[~/K8s/istio/istio-azure-1.0.2/samples/httpbin]$ http https://httpbin.7cb9a9b7b318440399a0.eastus.aksapp.io/status/418 --verify no -vGET /status/418 HTTP/1.1Accept: */*Accept-Encoding: gzip, deflateConnection: keep-aliveHost: httpbin.7cb9a9b7b318440399a0.eastus.aksapp.ioUser-Agent: HTTPie/0.9.9​HTTP/1.1 418 Unknownaccess-control-allow-credentials: trueaccess-control-allow-origin: *content-length: 135date: Sat, 03 Nov 2018 19:26:21 GMTserver: envoyx-envoy-upstream-service-time: 5x-more-info: http://tools.ietf.org/html/rfc2324​    -=[ teapot ]=-​       _...._     .'  _ _ `.    | ."` ^ `". _,    \_;`"---"`|//      |       ;/      \_     _/        `"""`​[~/K8s/istio/istio-azure-1.0.2/samples/httpbin]$複製程式碼
  • https測試結果。

  • 通過https方式訪問httpbin.7cb9a9b7b318440399a0.eastus.aksapp.io,可以正常訪問httpbin pod。

mTLS單主機環境

相關拓撲

Istio Ingress Gateway中的Envoy配置解析

  • 使用azure aks環境。

  • ingress gateway的service型別為loadbalancer。

  • ingress gateway的service enternal ip為104.211.54.62。

  • 通過該external ip對應的域名,訪問ingress gateway svc。

  • 客戶端使用mtls方式訪問主機。

  • mtls請求在ingress gateway處被解除安裝,並轉化為http請求。

Istio Ingress Gateway中的Envoy配置解析

  • 增加gateway定義。

  • gateway定義中的監聽埠443。

  • 在443中啟用mtls。

  • 指定443的key和cert。

  • 指定443的ca cert。

  • 指定允許連線443的san。

  • 增加virtualservice定義,並定義相應路由規則。

相關配置

openssl req \-newkey rsa:4096 -nodes -sha256 -keyout ca.key \-x509 -days 3655 -out ca.crt​openssl req \-newkey rsa:4096 -nodes -sha256 -keyout httpbin-mtls.key \-out httpbin-mtls.csr​echo subjectAltName = DNS:httpbin.6491dea3ce6b4d17b109.eastus.aksapp.io > extfile-httpbin-mtls.cnf​openssl x509 \-req -days 3655 -in httpbin-mtls.csr -CA ca.crt -CAkey ca.key \-CAcreateserial -extfile extfile-httpbin-mtls.cnf -out httpbin-mtls.crt​openssl req \-newkey rsa:4096 -nodes -sha256 -keyout client.key \-out client.csr​echo subjectAltName = DNS:is5.istio.client > client-extfile.cnf​openssl x509 \-req -days 3655 -in client.csr -CA ca.crt -CAkey ca.key \-CAcreateserial -extfile client-extfile.cnf -out client.crt​kubectl create -n istio-system secret tls istio-ingressgateway-certs --key ./httpbin-mtls.key --cert ./httpbin-mtls.crtkubectl create -n istio-system secret generic istio-ingressgateway-ca-certs --from-file ./ca.crt複製程式碼
  • server端自簽名證書相關配置。

  • client端自簽名證書相關配置。

  • k8s secret相關配置。

apiVersion: networking.istio.io/v1alpha3kind: Gatewaymetadata:  name: httpbin-mtls-gatewayspec:  selector:    istio: ingressgateway  servers:  - port:      number: 443      name: https-httpbin      protocol: HTTPS    tls:      mode: MUTUAL      serverCertificate: /etc/istio/ingressgateway-certs/tls.crt      privateKey: /etc/istio/ingressgateway-certs/tls.key      caCertificates: /etc/istio/ingressgateway-ca-certs/ca.crt      subjectAltNames:      - is5.istio.client    hosts:    - "httpbin.6491dea3ce6b4d17b109.eastus.aksapp.io"複製程式碼
  • gateway相關配置。

  • 新建監聽埠443。

  • 在443中啟用mtls。

  • 指定443的key和cert。

  • 指定443的ca cert。

  • 指定允許連線443的san。

apiVersion: networking.istio.io/v1alpha3kind: VirtualServicemetadata:  name: httpbin-tls-vsspec:  hosts:  - "httpbin.6491dea3ce6b4d17b109.eastus.aksapp.io"  gateways:  - httpbin-mtls-gateway  http:  - match:    - uri:        prefix: /status    route:    - destination:        port:          number: 8000        host: httpbin.default.svc.cluster.local複製程式碼
  • virtualservice相關配置。

  • 配置相關路由。

[~/K8s/istio/istio-azure-1.0.2/samples/httpbin/ssl]$ http https://httpbin.6491dea3ce6b4d17b109.eastus.aksapp.io/status/418 --verify no --cert ./client.crt --cert-key ./client.keyHTTP/1.1 418 Unknownaccess-control-allow-credentials: trueaccess-control-allow-origin: *content-length: 135date: Sun, 04 Nov 2018 15:28:47 GMTserver: envoyx-envoy-upstream-service-time: 6x-more-info: http://tools.ietf.org/html/rfc2324​    -=[ teapot ]=-​       _...._     .'  _ _ `.    | ."` ^ `". _,    \_;`"---"`|//      |       ;/      \_     _/        `"""`​[~/K8s/istio/istio-azure-1.0.2/samples/httpbin/ssl]複製程式碼
  • 測試結果。

  • 通過https mtls方式訪問httpbin.6491dea3ce6b4d17b109.eastus.aksapp.io,可以正常訪問httpbin pod。

非TLS多主機環境

相關拓撲

Istio Ingress Gateway中的Envoy配置解析

  • 使用azure aks環境。

  • ingress gateway的service型別為loadbalancer。

  • ingress gateway的service enternal ip為104.211.54.62。

  • 通過該external ip對應的域名,訪問ingress gateway svc。

  • 2個主機,分別為:httpbin-a.6491dea3ce6b4d17b109.eastus.aksapp.io和httpbin-b.6491dea3ce6b4d17b109.eastus.aksapp.io。

  • 客戶端使用http方式訪問主機。

Istio Ingress Gateway中的Envoy配置解析

  • 為2個主機配置統一的gateway定義。

  • 為2個主機分別配置virtualservice定義。

  • 主機httpbin-a.6491dea3ce6b4d17b109.eastus.aksapp.io被路由至pod httpbin-a的/status uri。

  • 主機httpbin-b.6491dea3ce6b4d17b109.eastus.aksapp.io被路由至pod httpbin-b的/headers uri。

  • 在gateway的listnener中生成統一的監聽0.0.0.0_80。

  • 在gateway的route中分別生成針對httpbin-a和httpbin-b的虛擬主機。

相關配置

apiVersion: networking.istio.io/v1alpha3kind: Gatewaymetadata:  name: httpbin-dual-gatewayspec:  selector:    istio: ingressgateway  servers:  - port:      number: 80      name: http-httpbin      protocol: HTTP    hosts:    - "httpbin-a.6491dea3ce6b4d17b109.eastus.aksapp.io"    - "httpbin-b.6491dea3ce6b4d17b109.eastus.aksapp.io"​apiVersion: networking.istio.io/v1alpha3kind: Gatewaymetadata:  name: httpbin-dual-gatewayspec:  selector:    istio: ingressgateway  servers:  - port:      number: 80      name: http-httpbina      protocol: HTTP    hosts:    - "httpbin-a.6491dea3ce6b4d17b109.eastus.aksapp.io"  - port:      number: 80      name: http-httpbinb      protocol: HTTP    hosts:    - "httpbin-b.6491dea3ce6b4d17b109.eastus.aksapp.io"複製程式碼
  • gateway相關配置。

  • 這2個gateway的配置,生成的envoy配置是一致的。

  • 新建監聽埠80。

  • 分別針對兩個主機httpbin-a和httpbin-b進行監聽。

apiVersion: networking.istio.io/v1alpha3kind: VirtualServicemetadata:  name: httpbin-a-vsspec:  hosts:  - "httpbin-a.6491dea3ce6b4d17b109.eastus.aksapp.io"  gateways:  - httpbin-dual-gateway  http:  - match:    - uri:        prefix: /status    route:    - destination:        port:          number: 8000        host: httpbin-a.default.svc.cluster.local​apiVersion: networking.istio.io/v1alpha3kind: VirtualServicemetadata:  name: httpbin-b-vsspec:  hosts:  - "httpbin-b.6491dea3ce6b4d17b109.eastus.aksapp.io"  gateways:  - httpbin-dual-gateway  http:  - match:    - uri:        prefix: /headers    route:    - destination:        port:          number: 8000        host: httpbin-b.default.svc.cluster.local複製程式碼
  • httpbin-a和httpbin-b的virtualservice相關配置。

  • httpbin-a.6491dea3ce6b4d17b109.eastus.aksapp.io的/status請求被路由至httpbin-a。

  • httpbin-b.6491dea3ce6b4d17b109.eastus.aksapp.io的/headers請求被路由至httpbin-b。

[~/K8s/istio/istio-azure-1.0.2/samples/httpbin/ssl]$ http http://httpbin-a.6491dea3ce6b4d17b109.eastus.aksapp.io/status/418HTTP/1.1 418 Unknownaccess-control-allow-credentials: trueaccess-control-allow-origin: *content-length: 135date: Sun, 04 Nov 2018 16:27:07 GMTserver: envoyx-envoy-upstream-service-time: 10x-more-info: http://tools.ietf.org/html/rfc2324​    -=[ teapot ]=-​       _...._     .'  _ _ `.    | ."` ^ `". _,    \_;`"---"`|//      |       ;/      \_     _/        `"""`​[~/K8s/istio/istio-azure-1.0.2/samples/httpbin/ssl]$ http http://httpbin-b.6491dea3ce6b4d17b109.eastus.aksapp.io/headersHTTP/1.1 200 OKaccess-control-allow-credentials: trueaccess-control-allow-origin: *content-length: 412content-type: application/jsondate: Sun, 04 Nov 2018 16:27:25 GMTserver: envoyx-envoy-upstream-service-time: 7​{    "headers": {        "Accept": "*/*",        "Accept-Encoding": "gzip, deflate",        "Content-Length": "0",        "Host": "httpbin-b.6491dea3ce6b4d17b109.eastus.aksapp.io",        "User-Agent": "HTTPie/0.9.9",        "X-B3-Sampled": "1",        "X-B3-Spanid": "9b6889437bfe02c8",        "X-B3-Traceid": "9b6889437bfe02c8",        "X-Envoy-Internal": "true",        "X-Request-Id": "e43ae114-52dd-9ee4-930b-dbb0405c6fef"    }}​[~/K8s/istio/istio-azure-1.0.2/samples/httpbin/ssl]$複製程式碼
  • 測試結果。

  • 請求httpbin-a.6491dea3ce6b4d17b109.eastus.aksapp.io/status/418和httpbin-b.6491dea3ce6b4d17b109.eastus.aksapp.io/headers均可以被正確路由。

TLS多主機環境

相關拓撲

Istio Ingress Gateway中的Envoy配置解析

  • 使用azure aks環境。

  • ingress gateway的service型別為loadbalancer。

  • ingress gateway的service enternal ip為104.211.54.62。

  • 通過該external ip對應的域名,訪問ingress gateway svc。

  • 2個主機,分別為:httpbin-a.6491dea3ce6b4d17b109.eastus.aksapp.io和httpbin-b.6491dea3ce6b4d17b109.eastus.aksapp.io。

  • 客戶端使用tls方式訪問主機。

Istio Ingress Gateway中的Envoy配置解析

  • 為2個主機分別配置gateway中的server定義。

  • 為2個主機的server定義中增加證書的定義,每個server使用不同的證書。

  • 為2個主機分別配置virtualservice定義。

  • 在gateway的listnener中生成統一的監聽0.0.0.0_443。

  • 因為gateway中配置的2個server中有不相同的配置,所以在監聽0.0.0.0_443中,會生成2個server,分別為httpbin-a.6491dea3ce6b4d17b109.eastus.aksapp.io和httpbin-b.6491dea3ce6b4d17b109.eastus.aksapp.io。

  • 因為監聽中生成2個server,所以在路由中會生成2條不同的路由相對應,在gateway的路由中生成分別的虛擬主機https.443.https-httpbina和https.443.https-httpbinb。

  • 監聽0.0.0.0_443所屬的server httpbin-a.6491dea3ce6b4d17b109.eastus.aksapp.io被關聯至路由https.443.https-httpbina,server httpbin-b.6491dea3ce6b4d17b109.eastus.aksapp.io被關聯至路由https.443.https-httpbinb。

  • 主機httpbin-a被路由至pod httpbin-a的/status uri。

  • 主機httpbin-b被路由至pod httpbin-b的/headers uri。

相關配置

openssl req \-newkey rsa:4096 -nodes -sha256 -keyout ca.key \-x509 -days 3655 -out ca.crt​openssl req \-newkey rsa:4096 -nodes -sha256 -keyout httpbin-a-tls.key \-out httpbin-a-tls.csr​echo subjectAltName = DNS:httpbin-a.6491dea3ce6b4d17b109.eastus.aksapp.io > extfile-httpbin-a-tls.cnf​openssl x509 \-req -days 3655 -in httpbin-a-tls.csr -CA ca.crt -CAkey ca.key \-CAcreateserial -extfile extfile-httpbin-a-tls.cnf -out httpbin-a-tls.crt​openssl req \-newkey rsa:4096 -nodes -sha256 -keyout httpbin-b-tls.key \-out httpbin-b-tls.csr​echo subjectAltName = DNS:httpbin-b.6491dea3ce6b4d17b109.eastus.aksapp.io > extfile-httpbin-b-tls.cnf​openssl x509 \-req -days 3655 -in httpbin-b-tls.csr -CA ca.crt -CAkey ca.key \-CAcreateserial -extfile extfile-httpbin-b-tls.cnf -out httpbin-b-tls.crt​kubectl create -n istio-system secret tls istio-ingressgateway-httpbin-a-certs --key ./httpbin-a-tls.key --cert ./httpbin-a-tls.crtkubectl create -n istio-system secret tls istio-ingressgateway-httpbin-b-certs --key ./httpbin-b-tls.key --cert ./httpbin-b-tls.crt複製程式碼
  • 自簽名證書相關配置。

  • k8s secret相關配置。

helm template install/kubernetes/helm/istio/ --name istio-ingressgateway --namespace istio-system -x charts/gateways/templates/deployment.yaml --set gateways.istio-egressgateway.enabled=false \--set gateways.istio-ingressgateway.secretVolumes[0].name=ingressgateway-ca-certs \--set gateways.istio-ingressgateway.secretVolumes[0].secretName=istio-ingressgateway-ca-certs \--set gateways.istio-ingressgateway.secretVolumes[0].mountPath=/etc/istio/ingressgateway-ca-certs \--set gateways.istio-ingressgateway.secretVolumes[1].name=ingressgateway-httpbin-a-certs \--set gateways.istio-ingressgateway.secretVolumes[1].secretName=istio-ingressgateway-httpbin-a-certs \--set gateways.istio-ingressgateway.secretVolumes[1].mountPath=/etc/istio/ingressgateway-httpbin-a-certs \--set gateways.istio-ingressgateway.secretVolumes[2].name=ingressgateway-httpbin-b-certs \--set gateways.istio-ingressgateway.secretVolumes[2].secretName=istio-ingressgateway-httpbin-b-certs \--set gateways.istio-ingressgateway.secretVolumes[2].mountPath=/etc/istio/ingressgateway-httpbin-b-certs > \./helm-ingressgateway-httpbin-dual-tls.yaml​...          volumeMounts:          - name: istio-certs            mountPath: /etc/certs            readOnly: true          - name: ingressgateway-ca-certs            mountPath: "/etc/istio/ingressgateway-ca-certs"            readOnly: true          - name: ingressgateway-httpbin-a-certs            mountPath: "/etc/istio/ingressgateway-httpbin-a-certs"            readOnly: true          - name: ingressgateway-httpbin-b-certs            mountPath: "/etc/istio/ingressgateway-httpbin-b-certs"            readOnly: true      volumes:      - name: istio-certs        secret:          secretName: istio.istio-ingressgateway-service-account          optional: true      - name: ingressgateway-ca-certs        secret:          secretName: "istio-ingressgateway-ca-certs"          optional: true      - name: ingressgateway-httpbin-a-certs        secret:          secretName: "istio-ingressgateway-httpbin-a-certs"          optional: true      - name: ingressgateway-httpbin-b-certs        secret:          secretName: "istio-ingressgateway-httpbin-b-certs"          optional: true...複製程式碼
  • 修改了ingress gateway deployment的配置,可以支援多個證書。

  • 分別包含域名為httpbin-a和httpbin-b的證書。

apiVersion: networking.istio.io/v1alpha3kind: Gatewaymetadata:  name: httpbin-dual-tls-gatewayspec:  selector:    istio: ingressgateway  servers:  - port:      number: 443      name: https-httpbina      protocol: HTTPS    tls:      mode: SIMPLE      serverCertificate: /etc/istio/ingressgateway-httpbin-a-certs/tls.crt      privateKey: /etc/istio/ingressgateway-httpbin-a-certs/tls.key    hosts:    - "httpbin-a.6491dea3ce6b4d17b109.eastus.aksapp.io"  - port:      number: 443      name: https-httpbinb      protocol: HTTPS    tls:      mode: SIMPLE      serverCertificate: /etc/istio/ingressgateway-httpbin-b-certs/tls.crt      privateKey: /etc/istio/ingressgateway-httpbin-b-certs/tls.key    hosts:    - "httpbin-b.6491dea3ce6b4d17b109.eastus.aksapp.io"複製程式碼
  • gateway相關配置。

  • 分別定義2個server,每個server配置不同的證書。

apiVersion: networking.istio.io/v1alpha3kind: VirtualServicemetadata:  name: httpbin-a-vsspec:  hosts:  - "httpbin-a.6491dea3ce6b4d17b109.eastus.aksapp.io"  gateways:  - httpbin-dual-tls-gateway  http:  - match:    - uri:        prefix: /status    route:    - destination:        port:          number: 8000        host: httpbin-a.default.svc.cluster.local​apiVersion: networking.istio.io/v1alpha3kind: VirtualServicemetadata:  name: httpbin-b-vsspec:  hosts:  - "httpbin-b.6491dea3ce6b4d17b109.eastus.aksapp.io"  gateways:  - httpbin-dual-tls-gateway  http:  - match:    - uri:        prefix: /headers    route:    - destination:        port:          number: 8000        host: httpbin-b.default.svc.cluster.local複製程式碼
  • httpbin-a和httpbin-b的virtualservice相關配置。

  • httpbin-a.6491dea3ce6b4d17b109.eastus.aksapp.io的/status請求被路由至httpbin-a。

  • httpbin-b.6491dea3ce6b4d17b109.eastus.aksapp.io的/headers請求被路由至httpbin-b。

[~/K8s/istio/istio-azure-1.0.2/samples/httpbin/ssl]$ http https://httpbin-a.6491dea3ce6b4d17b109.eastus.aksapp.io/status/418 --verify noHTTP/1.1 418 Unknownaccess-control-allow-credentials: trueaccess-control-allow-origin: *content-length: 135date: Sun, 04 Nov 2018 17:36:30 GMTserver: envoyx-envoy-upstream-service-time: 6x-more-info: http://tools.ietf.org/html/rfc2324​    -=[ teapot ]=-​       _...._     .'  _ _ `.    | ."` ^ `". _,    \_;`"---"`|//      |       ;/      \_     _/        `"""`​[~/K8s/istio/istio-azure-1.0.2/samples/httpbin/ssl]$ http https://httpbin-b.6491dea3ce6b4d17b109.eastus.aksapp.io/headers --verify noHTTP/1.1 200 OKaccess-control-allow-credentials: trueaccess-control-allow-origin: *content-length: 412content-type: application/jsondate: Sun, 04 Nov 2018 17:36:33 GMTserver: envoyx-envoy-upstream-service-time: 8​{    "headers": {        "Accept": "*/*",        "Accept-Encoding": "gzip, deflate",        "Content-Length": "0",        "Host": "httpbin-b.6491dea3ce6b4d17b109.eastus.aksapp.io",        "User-Agent": "HTTPie/0.9.9",        "X-B3-Sampled": "1",        "X-B3-Spanid": "27a46e99214fe1e1",        "X-B3-Traceid": "27a46e99214fe1e1",        "X-Envoy-Internal": "true",        "X-Request-Id": "6c1ace56-7f57-9b0d-bb3d-2eb57519c4a2"    }}​[~/K8s/istio/istio-azure-1.0.2/samples/httpbin/ssl]$​複製程式碼
  • 測試結果。

  • 請求httpbin-a.6491dea3ce6b4d17b109.eastus.aksapp.io/status/418和httpbin-b.6491dea3ce6b4d17b109.eastus.aksapp.io/headers均可以被正確路由。

ServiceMesher社群資訊

微信群:聯絡我入群

社群官網:www.servicemesher.com

Slack:servicemesher.slack.com 需要邀請才能加入

Twitter: twitter.com/servicemesh…

GitHub:github.com/

更多Service Mesh諮詢請掃碼關注微信公眾號ServiceMesher。

Istio Ingress Gateway中的Envoy配置解析


相關文章