Publish our httpserver service through an Istio Ingress Gateway. Points to consider:
how to provide security guarantees (TLS termination at the gateway);
layer-7 routing rules;
how to hook in OpenTracing.
Create an HTTP Gateway

```yaml
apiVersion: networking.istio.io/v1beta1
kind: Gateway
metadata:
  name: gateway
spec:
  selector:
    istio: ingressgateway   # bind this Gateway to the istio-ingressgateway pods
  servers:
  - port:
      number: 80
      name: http
      protocol: HTTP
    hosts:
    - '*'                   # accept any Host header; narrow this in production
```

```shell
kubectl apply -f httpgw.yaml
kubectl get gw
```
Deploy the VirtualService

```yaml
apiVersion: networking.istio.io/v1beta1   # the original snippet omitted apiVersion; it is required
kind: VirtualService
metadata:
  name: httpserver
spec:
  hosts:
  - "*"
  gateways:
  - gateway                 # the Gateway created above
  http:
  - route:
    - destination:
        # Istio resolves this against the service registry, so in practice it is the
        # backend Service's DNS name (e.g. httpserver.<namespace>.svc.cluster.local),
        # not an IP address.
        host: 127.0.0.1
        port:
          number: 80
```

```shell
kubectl apply -f httpvs.yaml
```
Certificates

Manual issuance

If you issue the certificate manually, just issue a wildcard certificate here. A wildcard matches one DNS label at a time: *.cncamp.com covers node1.cncamp.com, while a name two labels below the domain would need *.*.cncamp.com (most TLS clients only honour a wildcard in the leftmost label, so in practice stay within one level).

```shell
openssl req -x509 -sha256 -nodes -days 365 -newkey rsa:2048 -subj '/O=cncamp Inc./CN=*.cncamp.com' -keyout cncamp.com.key -out cncamp.com.crt
kubectl create -n istio-system secret tls wildcard-credential --key=cncamp.com.key --cert=cncamp.com.crt
```
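To see the wildcard matching rule above in action, the following added example (not from the original post) regenerates the same self-signed certificate into a temporary directory and asks OpenSSL which hostnames it is valid for, with verification kept on rather than skipped with `-k`. It assumes `openssl` is on the PATH; the hostnames checked are constructed for the demo.

```shell
#!/bin/sh
# Added example, not from the original post: reproduce the wildcard-certificate
# command above and check which hostnames OpenSSL accepts for it.
set -eu

# Generate the same self-signed wildcard certificate as in the post, into $1.
make_wildcard_cert() {
  dir="$1"
  openssl req -x509 -sha256 -nodes -days 365 -newkey rsa:2048 \
    -subj '/O=cncamp Inc./CN=*.cncamp.com' \
    -keyout "$dir/cncamp.com.key" -out "$dir/cncamp.com.crt" 2>/dev/null
}

# Return 0 if hostname $2 is covered by certificate $1, 1 otherwise.
# The self-signed certificate is used as its own trust anchor, so the only
# thing being tested is the name matching (wildcard against each label).
check_hostname() {
  cert="$1"; host="$2"
  openssl verify -CAfile "$cert" -verify_hostname "$host" "$cert" >/dev/null 2>&1
}

# Print a one-line verdict per hostname (constructed sample names below).
report() {
  cert="$1"; shift
  for h in "$@"; do
    if check_hostname "$cert" "$h"; then
      echo "$h: matches *.cncamp.com"
    else
      echo "$h: does NOT match *.cncamp.com"
    fi
  done
}

work=$(mktemp -d)
make_wildcard_cert "$work"
# node1.cncamp.com matches; cncamp.com (no label for the *) and
# a.b.cncamp.com (two labels) do not.
report "$work/cncamp.com.crt" node1.cncamp.com cncamp.com a.b.cncamp.com
rm -rf "$work"
```

The same check is what `curl` performs internally when you omit `-k`; the `--resolve` form used at the end of this page lets you run it against the ingress IP before DNS points at it.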
Requesting a certificate from Let's Encrypt

Configure an Issuer in istio-system:

```shell
kubectl get issuer -n istio-system letsencrypt-prod -oyaml
```

```yaml
apiVersion: cert-manager.io/v1
kind: Issuer
metadata:
  name: letsencrypt-prod
spec:
  acme:
    email: xxx@cncamp.com
    preferredChain: ""
    privateKeySecretRef:
      name: letsencrypt-prod        # ACME account key is stored in this Secret
    server: https://xxx.api.letsencrypt.org/directory
    solvers:
    - http01:
        ingress:
          class: istio              # HTTP-01 challenge is served through the Istio ingress
```
Submit a Certificate request, likewise in istio-system, so the resulting Secret is visible to the ingress gateway:

```yaml
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: httpserver
  namespace: istio-system
spec:
  dnsNames:
  - httpserver.cncamp.com
  issuerRef:
    group: cert-manager.io
    kind: Issuer
    name: letsencrypt-prod
  secretName: httpserver            # TLS Secret that cert-manager will create
  usages:
  - digital signature
  - key encipherment
```

```shell
kubectl get secret -n istio-system httpserver
```
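With a TLS Secret in istio-system (either `wildcard-credential` from the manual step or `httpserver` from cert-manager), the Gateway can terminate TLS and the VirtualService can carry real layer-7 rules. The following is an added example, not configuration from the original post: a script that renders a TLS-terminating Gateway with an HTTP-to-HTTPS redirect, and a VirtualService with path- and header-based matching. It assumes a Kubernetes Service named `httpserver` in the `default` namespace on port 80 (hypothetical) and uses `kubectl` only in `apply_manifests`, which is not run automatically.

```shell
#!/bin/sh
# Added example, not from the original post. Renders Istio manifests for a
# TLS-terminating ingress into the directory given to render_manifests.
# Assumed backend Service: httpserver.default.svc.cluster.local:80 (hypothetical).
set -eu

render_manifests() {
  dir="$1"
  cat > "$dir/gateway-tls.yaml" <<'EOF'
apiVersion: networking.istio.io/v1beta1
kind: Gateway
metadata:
  name: gateway
  namespace: istio-system
spec:
  selector:
    istio: ingressgateway
  servers:
  - port:
      number: 80
      name: http
      protocol: HTTP
    hosts:
    - "*.cncamp.com"
    tls:
      httpsRedirect: true          # plain HTTP is answered with a 301 to HTTPS
  - port:
      number: 443
      name: https
      protocol: HTTPS
    hosts:
    - "*.cncamp.com"
    tls:
      mode: SIMPLE                 # terminate TLS at the gateway
      credentialName: wildcard-credential   # TLS Secret in istio-system (or: httpserver)
      minProtocolVersion: TLSV1_2  # refuse legacy TLS versions
EOF
  cat > "$dir/virtualservice.yaml" <<'EOF'
apiVersion: networking.istio.io/v1beta1
kind: VirtualService
metadata:
  name: httpserver
spec:
  hosts:
  - "httpserver.cncamp.com"        # only this host, not "*"
  gateways:
  - istio-system/gateway
  http:
  - match:                         # rule 1: health endpoint, short timeout
    - uri:
        prefix: /healthz
    timeout: 2s
    route:
    - destination:
        host: httpserver.default.svc.cluster.local
        port:
          number: 80
  - match:                         # rule 2: header-based match (the curl below sends this header)
    - headers:
        custom-header:
          exact: hello
    headers:
      request:
        add:
          x-matched-rule: custom-header   # marker header for the backend
    route:
    - destination:
        host: httpserver.default.svc.cluster.local
        port:
          number: 80
  - route:                         # rule 3: catch-all
    - destination:
        host: httpserver.default.svc.cluster.local
        port:
          number: 80
EOF
}

# Apply both manifests to the current cluster context (needs kubectl access).
apply_manifests() {
  kubectl apply -f "$1/gateway-tls.yaml"
  kubectl apply -f "$1/virtualservice.yaml"
}

out=$(mktemp -d)
render_manifests "$out"
echo "Manifests written to $out; apply with: apply_manifests $out"
```

Rules in a VirtualService are evaluated in order, so the specific `/healthz` and header matches sit above the catch-all; the Gateway is referenced as `istio-system/gateway` because the VirtualService lives in a different namespace from the Gateway.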
Verification

```shell
curl https://httpserver.cncamp.com/healthz
```

If the certificate is self-signed, point curl at the ingress IP with --resolve and skip chain verification with -k:

```shell
curl --resolve {domain}:443:10.233.57.182 https://{domain/url} -H "Custom-header: hello" -v -k
```