Istio 配置istio-ingressgateway 单向TLS

一、 部署正常服务

1.初始化

# 创建ns
k create ns istio-demo
# 开启自动注入
k label ns istio-demo istio-injection=enabled

2.部署nginx

apiVersion: apps/v1
kind: Deployment
metadata:
  name: nginx-v1
  namespace: istio-demo
spec:
  replicas: 1
  selector:
    matchLabels:
      app: nginx
      version: v1
  template:
    metadata:
      labels:
        app: nginx
        version: v1
    spec:
      initContainers:
      - name: busybox
        image: busybox
        volumeMounts:
        - name: www
          mountPath: /tmp
        command: ["sh", "-c", "echo 'v1' > /tmp/index.html"]
      containers:
      - name: nginx
        image: nginx:1.14-alpine
        imagePullPolicy: IfNotPresent
        ports:
        - name: http
          containerPort: 80
        volumeMounts:
        - name: www
          mountPath: /usr/share/nginx/html/
      volumes:
      - name: www
        emptyDir: {}
---
apiVersion: v1
kind: Service
metadata:
  name: nginx-svc
  namespace: istio-demo
spec:
  type: ClusterIP
  ports:
  - name: http
    port: 80
    targetPort: 80
  selector:
    app: nginx

3.暴露服务

apiVersion: networking.istio.io/v1alpha3
kind: Gateway
metadata:
  name: nginx-gw
  namespace: istio-demo
spec:
  selector:
    istio: ingressgateway 
  servers:
  - hosts:
    - "nginx-istio.ops.cn"
    port:
      number: 80
      name: http
      protocol: HTTP
---
apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
  name: nginx-vs
  namespace: istio-demo
spec:
  exportTo:
  - "*"
  gateways:
  - nginx-gw
  hosts:
  - 'nginx-svc'
  - 'nginx-istio.ops.cn'
  http:
  - route:
    - destination:
        host: nginx-svc
        subset: v1
      weight: 100
    - destination:
        host: nginx-svc
        subset: v2
---
apiVersion: networking.istio.io/v1alpha3
kind: DestinationRule
metadata:
  name: nginx-dr
  namespace: istio-demo
spec:
  host: nginx-svc
  subsets:
  - name: v1
    labels:
      version: v1
  - name: v2
    labels:
      version: v2

访问测试:

二、修改为https访问

在我们这里例子中只需要修改gw就可以了,首先需要准备证书和私钥,这一步略过了(配置自签证书)

第二步: 创建一个包含证书信息的secret

k create -n istio-system secret generic nginx-istio.ops.cn-tls \
--from-file=key=tls/ops.cn_key \
--from-file=cert=tls/ops.cn_crt

第三步: 修改Gateway

apiVersion: networking.istio.io/v1beta1
kind: Gateway
metadata:
  name: nginx-gw
  namespace: istio-demo
spec:
  selector:
    istio: ingressgateway
  servers:
  - hosts:
    - nginx-istio.ops.cn
    port:
      name: http
      number: 80
      protocol: HTTP
  - hosts:
    - nginx-istio.ops.cn
    port:
      name: https
      number: 8443
      protocol: HTTPS
    tls:
      credentialName: nginx-istio.ops.cn-tls
      mode: SIMPLE

第四步: 验证 由于是自签名证书所以是不受信任的


本博客所有文章除特别声明外,均采用 CC BY-SA 4.0 协议 ,转载请注明出处!