Configuring the ingress gateway on port 443 to handle HTTPS traffic
Generate the certificate
mkdir -p /etc/istio/ingressgateway-certs
cd /etc/istio/ingressgateway-certs
openssl genrsa -out "ca.key" 2048
# enter the domain name as the Common Name when prompted
openssl req -new -key "ca.key" -out "ca.csr"
# sign with the key just generated (the original referenced "/ca.key", a path that does not exist)
openssl x509 -req -days 365 -in "ca.csr" -signkey "ca.key" -out "ca.crt"
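The recipe above only sets a Common Name; browsers and Go-based clients ignore the CN and require the host in a subjectAltName. The script below is an added example (not from the original post) that issues the gateway certificate with a SAN and checks the key/certificate pair before it is turned into the istio-ingressgateway-certs secret. It assumes OpenSSL 1.1.1 or newer (for -addext); the directory, host name, and the function names are choices made here.

```shell
#!/bin/sh
# Added example, not part of the original post. Writes DIR/tls.key and
# DIR/tls.crt (the key names "kubectl create secret tls" will store) and
# validates the pair the way a TLS client would. Assumes OpenSSL 1.1.1+.

# make_gateway_cert DIR HOST: self-signed certificate for HOST with CN *and* SAN.
make_gateway_cert() {
  mkdir -p "$1"
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 365 \
    -subj "/CN=$2" -addext "subjectAltName=DNS:$2" \
    -keyout "$1/tls.key" -out "$1/tls.crt" 2>/dev/null
}

# make_cn_only_cert DIR HOST: what the recipe above produces (CN, no SAN);
# kept only so the check below can be shown rejecting it.
make_cn_only_cert() {
  mkdir -p "$1"
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 365 \
    -subj "/CN=$2" -keyout "$1/tls.key" -out "$1/tls.crt" 2>/dev/null
}

# check_gateway_cert DIR HOST: returns 0 only if the private key matches the
# certificate, the certificate is not within a day of expiry, it carries a
# subjectAltName, and HOST verifies against it.
check_gateway_cert() {
  key_pub=$(openssl pkey -in "$1/tls.key" -pubout 2>/dev/null) || return 1
  crt_pub=$(openssl x509 -in "$1/tls.crt" -pubkey -noout 2>/dev/null) || return 1
  # same SubjectPublicKeyInfo in PEM form => key and cert belong together
  [ -n "$key_pub" ] && [ "$key_pub" = "$crt_pub" ] || return 1
  openssl x509 -in "$1/tls.crt" -noout -checkend 86400 >/dev/null 2>&1 || return 1
  # require a SAN: with a SAN present, OpenSSL's hostname check ignores the CN,
  # which matches what browsers and Go clients do
  openssl x509 -in "$1/tls.crt" -noout -text 2>/dev/null \
    | grep -q 'Subject Alternative Name' || return 1
  openssl verify -CAfile "$1/tls.crt" -verify_hostname "$2" "$1/tls.crt" >/dev/null 2>&1
}

# Usage (hypothetical file name): sh gateway-cert.sh /etc/istio/ingressgateway-certs httpbin.twf.com
if [ "$#" -eq 2 ]; then
  make_gateway_cert "$1" "$2" && check_gateway_cert "$1" "$2" \
    && echo "OK: $1 holds a usable key/certificate pair for $2"
fi
```

After the check passes, create the secret from the resulting files with the same command as in the recipe, substituting tls.key and tls.crt for ca.key and ca.crt.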
Create the secret
The secret must live in the istio-system namespace and be named istio-ingressgateway-certs, because that is the secret the default ingress gateway mounts at /etc/istio/ingressgateway-certs. A secret of type tls stores the files under the keys tls.crt and tls.key, which is why the Gateway below references those file names rather than ca.crt and ca.key.
kubectl create -n istio-system secret tls istio-ingressgateway-certs --key ca.key --cert ca.crt
Create the Deployment resources
apiVersion: v1
kind: ServiceAccount
metadata:
  name: httpbin
---
apiVersion: v1
kind: Service
metadata:
  name: httpbin
  labels:
    app: httpbin
spec:
  ports:
  - name: http
    port: 8000
    targetPort: 80
  selector:
    app: httpbin
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: httpbin
spec:
  replicas: 1
  selector:
    matchLabels:
      app: httpbin
      version: v1
  template:
    metadata:
      labels:
        app: httpbin
        version: v1
    spec:
      serviceAccountName: httpbin
      containers:
      - image: docker.io/kennethreitz/httpbin
        imagePullPolicy: IfNotPresent
        name: httpbin
        ports:
        - containerPort: 80
Configure the Gateway
apiVersion: networking.istio.io/v1alpha3
kind: Gateway
metadata:
  name: httpbin-gateway
spec:
  selector:
    istio: ingressgateway # use Istio default gateway implementation
  servers:
  - port:
      number: 443
      name: https
      protocol: HTTPS
    tls:
      mode: SIMPLE
      serverCertificate: /etc/istio/ingressgateway-certs/tls.crt
      privateKey: /etc/istio/ingressgateway-certs/tls.key
    hosts:
    - "httpbin.twf.com"
---
apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
  name: httpbin
spec:
  hosts:
  - "httpbin.twf.com"
  gateways:
  - httpbin-gateway
  http:
  - match:
    - uri:
        prefix: /headers
    - uri:
        prefix: /status
    - uri:
        prefix: /delay
    route:
    - destination:
        port:
          number: 8000
        host: httpbin
Test
Run kubectl get svc -n istio-system to find the NodePort that maps to port 443 (30276 in the command below). The --resolve flag points the host name at a node IP without touching DNS, and --cacert ca.crt lets curl verify the gateway against the self-signed certificate instead of skipping verification.
curl -v -HHost:httpbin.twf.com --resolve httpbin.twf.com:30276:192.168.1.110 --cacert ca.crt https://httpbin.twf.com:30276/status/418
