Istio: configuring a mutual TLS ingress gateway

2020-06-29  与诗小睡
In this section you extend the gateway definition from the previous section to support mutual TLS between external clients and the gateway.
1. Create a Kubernetes Secret to hold the CA certificate that the server will use to verify its clients. Use kubectl to create the secret istio-ingressgateway-ca-certs in the istio-system namespace. The Istio gateway loads this secret automatically.
[root@master ~]# kubectl create -n istio-system secret generic istio-ingressgateway-ca-certs --from-file=example.com.crt
secret/istio-ingressgateway-ca-certs created
[root@master ~]#
[root@master ~]# kubectl  get secret -n istio-system
NAME                                               TYPE                                  DATA   AGE
default-token-m78lx                                kubernetes.io/service-account-token   3      2d17h
istio-ca-secret                                    istio.io/ca-root                      5      2d17h
istio-egressgateway-service-account-token-swflz    kubernetes.io/service-account-token   3      2d17h
istio-ingressgateway-ca-certs                      Opaque                                1      23s
istio-ingressgateway-certs                         kubernetes.io/tls                     2      63m
istio-ingressgateway-service-account-token-gvv4t   kubernetes.io/service-account-token   3      2d17h
istio-reader-service-account-token-fnc89           kubernetes.io/service-account-token   3      2d17h
istiod-service-account-token-r7pw6                 kubernetes.io/service-account-token   3      2d17h
kiali                                              Opaque                                2      2d17h
kiali-service-account-token-s5gvn                  kubernetes.io/service-account-token   3      2d17h
prometheus-token-xjd87                             kubernetes.io/service-account-token   3      2d17h
[root@master ~]#

2. Redefine the Gateway from before, changing the TLS mode to MUTUAL and specifying caCertificates:

[root@master ~]# kubectl apply -f - <<EOF
> apiVersion: networking.istio.io/v1alpha3
> kind: Gateway
> metadata:
>   name: httpbin-gateway
> spec:
>   selector:
>     istio: ingressgateway # use istio default ingress gateway
>   servers:
>   - port:
>       number: 443
>       name: https
>       protocol: HTTPS
>     tls:
>       mode: MUTUAL
>       serverCertificate: /etc/istio/ingressgateway-certs/tls.crt
>       privateKey: /etc/istio/ingressgateway-certs/tls.key
>       caCertificates: /etc/istio/ingressgateway-ca-certs/example.com.crt
>     hosts:
>     - "httpbin.example.com"
> EOF
gateway.networking.istio.io/httpbin-gateway configured
[root@master ~]#
3. Create a client certificate for the httpbin.example.com service. You can use the httpbin-client.example.com URI to identify the client, or any other URI.
[root@master ~]# openssl req -out httpbin-client.example.com.csr -newkey rsa:2048 -nodes -keyout httpbin-client.example.com.key -subj "/CN=httpbin-client.example.com/O=httpbin's client organization"
Generating a RSA private key
.......................+++++
..................................+++++
writing new private key to 'httpbin-client.example.com.key'
-----
[root@master ~]# openssl x509 -req -days 365 -CA example.com.crt -CAkey example.com.key -set_serial 0 -in httpbin-client.example.com.csr -out httpbin-client.example.com.crt
Signature ok
subject=CN = httpbin-client.example.com, O = httpbin's client organization
Getting CA Private Key
[root@master ~]#
4. Test:
[root@master ~]# curl -v -HHost:httpbin.example.com --resolve httpbin.example.com:30416 --cacert example.com.crt https://httpbin.example.com:30416/status/418  --cert httpbin-client.example.com.crt --key httpbin-client.example.com.key
* Couldn't parse CURLOPT_RESOLVE entry 'httpbin.example.com:30416'!
*   Trying 192.168.14.130...
* TCP_NODELAY set
* Connected to httpbin.example.com (192.168.14.130) port 30416 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
*   CAfile: example.com.crt
  CApath: none
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.3 (IN), TLS handshake, [no content] (0):
* TLSv1.3 (IN), TLS handshake, Encrypted Extensions (8):
* TLSv1.3 (IN), TLS handshake, Request CERT (13):
* TLSv1.3 (IN), TLS handshake, Certificate (11):
* TLSv1.3 (IN), TLS handshake, CERT verify (15):
* TLSv1.3 (IN), TLS handshake, Finished (20):
* TLSv1.3 (OUT), TLS change cipher, Change cipher spec (1):
* TLSv1.3 (OUT), TLS handshake, [no content] (0):
* TLSv1.3 (OUT), TLS handshake, Certificate (11):
* TLSv1.3 (OUT), TLS handshake, [no content] (0):
* TLSv1.3 (OUT), TLS handshake, CERT verify (15):
* TLSv1.3 (OUT), TLS handshake, [no content] (0):
* TLSv1.3 (OUT), TLS handshake, Finished (20):
* SSL connection using TLSv1.3 / TLS_AES_256_GCM_SHA384
* ALPN, server accepted to use h2
* Server certificate:
*  subject: CN=httpbin.example.com; O=httpbin organization
*  start date: Jun 29 06:13:03 2020 GMT
*  expire date: Jun 29 06:13:03 2021 GMT
*  common name: httpbin.example.com (matched)
*  issuer: O=example Inc.; CN=example.com
*  SSL certificate verify ok.
* Using HTTP2, server supports multi-use
* Connection state changed (HTTP/2 confirmed)
* Copying HTTP/2 data in stream buffer to connection buffer after upgrade: len=0
* TLSv1.3 (OUT), TLS app data, [no content] (0):
* TLSv1.3 (OUT), TLS app data, [no content] (0):
* TLSv1.3 (OUT), TLS app data, [no content] (0):
* Using Stream ID: 1 (easy handle 0x562afbc11740)
* TLSv1.3 (OUT), TLS app data, [no content] (0):
> GET /status/418 HTTP/2
> Host:httpbin.example.com
> User-Agent: curl/7.61.1
> Accept: */*
> 
* TLSv1.3 (IN), TLS handshake, [no content] (0):
* TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
* TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
* TLSv1.3 (IN), TLS app data, [no content] (0):
* Connection state changed (MAX_CONCURRENT_STREAMS == 2147483647)!
* TLSv1.3 (OUT), TLS app data, [no content] (0):
* TLSv1.3 (IN), TLS app data, [no content] (0):
< HTTP/2 418 
< server: istio-envoy
< date: Mon, 29 Jun 2020 08:11:51 GMT
< x-more-info: http://tools.ietf.org/html/rfc2324
< access-control-allow-origin: *
< access-control-allow-credentials: true
< content-length: 135
< x-envoy-upstream-service-time: 20
< 

    -=[ teapot ]=-

       _...._
     .'  _ _ `.
    | ."` ^ `". _,
    \_;`"---"`|//
      |       ;/
      \_     _/
        `"""`
* Connection #0 to host httpbin.example.com left intact
[root@master ~]#
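The MUTUAL mode the Gateway above switches on, modelled end to end as an added Go example (not code from the page or from Istio): a CA in the role of example.com.crt issues the server and client certificates, the server side is configured the way caCertificates configures the gateway (ClientAuth with the CA as ClientCAs, so client certificates are verified against it), and the handshake is exercised with a valid client certificate, with none, and with one from a foreign CA. The names, the in-memory pipe and the 5-second deadline are this example's own assumptions.

```go
package main
import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"net"
	"time"
)

// issue mints a cert for name: a self-signed CA when parent is nil (the role of example.com.crt), else a leaf signed by parent.
func issue(name string, parent *tls.Certificate) tls.Certificate {
	pub, key, _ := ed25519.GenerateKey(rand.Reader)
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()), // distinct per issuer, unlike -set_serial 0 on every cert
		Subject:      pkix.Name{CommonName: name}, DNSNames: []string{name},
		NotBefore:    time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour),
		IsCA:         parent == nil, BasicConstraintsValid: true,
		KeyUsage:     x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth},
	}
	signer, parentCert := any(key), tmpl
	if parent != nil {
		signer, parentCert = parent.PrivateKey, parent.Leaf
	}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, parentCert, pub, signer)
	leaf, _ := x509.ParseCertificate(der)
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key, Leaf: leaf}
}

// mutualHandshake models tls.mode MUTUAL: the server presents its cert and verifies the client's against ca; no clientCerts is curl without --cert/--key.
func mutualHandshake(ca, server tls.Certificate, clientCerts ...tls.Certificate) bool {
	pool := x509.NewCertPool()
	pool.AddCert(ca.Leaf)
	sc, cc := net.Pipe() // in-memory connection; the deadline guards against a stuck handshake
	cc.SetDeadline(time.Now().Add(5 * time.Second))
	defer cc.Close()
	go func() {
		s := tls.Server(sc, &tls.Config{Certificates: []tls.Certificate{server}, ClientCAs: pool, ClientAuth: tls.RequireAndVerifyClientCert})
		if s.Handshake() == nil {
			s.Write([]byte("ok"))
		}
		sc.Close()
	}()
	var buf [2]byte // TLS 1.3: a rejected client only learns of the alert on its first read
	n, _ := tls.Client(cc, &tls.Config{RootCAs: pool, ServerName: "httpbin.example.com", Certificates: clientCerts}).Read(buf[:])
	return n == 2 && string(buf[:]) == "ok"
}
```

Only a client holding a certificate signed by the gateway's CA is admitted; the other two are refused during the handshake, which is the property mutual TLS at the gateway is meant to provide. The page signs every certificate with -set_serial 0, whereas X.509 requires serial numbers to be unique per issuer, which the example honours.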
Configuring a TLS ingress gateway for multiple hosts

In this section you configure the ingress gateway for multiple hosts (httpbin.example.com and bookinfo.com). The ingress gateway presents clients with a distinct certificate corresponding to the server each request is for.
Unlike the previous sections, the default Istio ingress gateway cannot be used as-is, because it is preconfigured to support only one secure host. You first need to configure and redeploy the ingress gateway server with another secret before it can serve the second host.
