Publish our httpserver service through an Istio Ingress Gateway. Points you need to consider:
how to provide security guarantees;
layer-7 routing rules;
how to hook in OpenTracing.
Create an HTTP Gateway

```yaml
apiVersion: networking.istio.io/v1beta1
kind: Gateway
metadata:
  name: gateway
spec:
  selector:
    istio: ingressgateway   # bind to the default ingress gateway pods in istio-system
  servers:
  - port:
      number: 80
      name: http
      protocol: HTTP
    hosts:
    - '*'
```

```shell
kubectl apply -f httpgw.yaml
kubectl get gw
```
Deploy the VirtualService

```yaml
apiVersion: networking.istio.io/v1beta1
kind: VirtualService
metadata:
  name: httpserver
spec:
  hosts:
  - "*"
  gateways:
  - gateway
  http:
  - route:
    - destination:
        host: 127.0.0.1   # as in the original; in a cluster this is normally the httpserver Service name
        port:
          number: 80
```

```shell
kubectl apply -f httpvs.yaml
```
Certificates
Manual issuance
If you issue the certificate manually, just issue a wildcard certificate here.
A wildcard certificate matches one DNS label at a time:

*.cncamp.com
node1.cncamp.com
*.*.cncamp.com

so *.cncamp.com covers node1.cncamp.com, while a name two labels deep needs *.*.cncamp.com.

```shell
openssl req -x509 -sha256 -nodes -days 365 -newkey rsa:2048 -subj '/O=cncamp Inc./CN=*.cncamp.com' -keyout cncamp.com.key -out cncamp.com.crt
kubectl create -n istio-system secret tls wildcard-credential --key=cncamp.com.key --cert=cncamp.com.crt
```
Requesting a certificate from Let's Encrypt
Configure the Issuer in istio-system

```shell
kubectl get issuer -n istio-system letsencrypt-prod -oyaml
```

```yaml
apiVersion: cert-manager.io/v1
kind: Issuer
metadata:
  name: letsencrypt-prod
  namespace: istio-system
spec:
  acme:
    email: xxx@cncamp.com
    preferredChain: ""
    privateKeySecretRef:
      name: letsencrypt-prod
    server: https://xxx.api.letsencrypt.org/directory
    solvers:
    - http01:
        ingress:
          class: istio   # HTTP-01 challenge is answered through the Istio ingress
```
Submit a Certificate request, also in istio-system

```yaml
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: httpserver
  namespace: istio-system
spec:
  dnsNames:
  - httpserver.cncamp.com
  issuerRef:
    group: cert-manager.io
    kind: Issuer
    name: letsencrypt-prod
  secretName: httpserver   # cert-manager writes the issued key pair here
  usages:
  - digital signature
  - key encipherment
```

```shell
kubectl get secret -n istio-system httpserver
```
Verification

```shell
curl https://httpserver.cncamp.com/healthz
```
If the certificate is self-signed, pin the hostname to the ingress IP with --resolve and skip certificate verification with -k:

```shell
curl --resolve {domain}:443:10.233.57.182 https://{domain/url} -H "Custom-header: hello" -v -k
```
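As an added example (not from the original post), here is the Gateway and VirtualService that put the pieces above together: TLS terminated at the ingress with the Secret created earlier, plain HTTP redirected, and a layer-7 rule that exposes only the health-check path. It assumes the httpserver Service runs in namespace default on port 80; the Secret name can be wildcard-credential or the Let's Encrypt httpserver Secret, both in istio-system.

```yaml
# Added example (not from the original post). Assumed: the httpserver Service
# is in namespace "default" on port 80; the TLS Secret lives in istio-system.
apiVersion: networking.istio.io/v1beta1
kind: Gateway
metadata:
  name: gateway
spec:
  selector:
    istio: ingressgateway
  servers:
  - port:
      number: 80
      name: http
      protocol: HTTP
    hosts:
    - "*.cncamp.com"
    tls:
      httpsRedirect: true        # plain HTTP gets a 301 to HTTPS, never served
  - port:
      number: 443
      name: https
      protocol: HTTPS
    hosts:
    - "*.cncamp.com"
    tls:
      mode: SIMPLE               # gateway terminates TLS with the cert below
      credentialName: wildcard-credential   # or "httpserver" (the Let's Encrypt Secret)
---
apiVersion: networking.istio.io/v1beta1
kind: VirtualService
metadata:
  name: httpserver
spec:
  hosts:
  - "httpserver.cncamp.com"      # no longer "*": only this host is routed
  gateways:
  - gateway
  http:
  - match:
    - uri:
        exact: /healthz          # layer-7 rule: only this path is exposed
    route:
    - destination:
        host: httpserver.default.svc.cluster.local   # assumed Service name
        port:
          number: 80
```

For tracing, the ingress gateway already starts a span and forwards the trace headers (x-request-id, traceparent/b3) to httpserver; the application must copy them onto its own outbound calls for the trace to stay joined.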