Expose our httpserver service through an Istio Ingress Gateway. Points you need to consider:
- how to provide security guarantees;
- layer-7 routing rules;
- integration with OpenTracing.
Deploy httpserver

Create the namespace and label it so that Istio injects a sidecar into every pod created in it:

```shell
kubectl create ns securesvc
kubectl label ns securesvc istio-injection=enabled
```

The manifest (httpserver.yaml) is as follows:

```yaml
apiVersion: apps/v1
kind: Deployment
metadata:
  name: httpserver
spec:
  replicas: 1
  selector:
    matchLabels:
      app: httpserver
  template:
    metadata:
      annotations:
        prometheus.io/scrape: "true"
        prometheus.io/port: "80"
      labels:
        app: httpserver
    spec:
      containers:
      - name: httpserver
        imagePullPolicy: Always
        image: cncamp/httpserver:v1.0-metrics
        ports:
        - containerPort: 80
---
apiVersion: v1
kind: Service
metadata:
  name: httpserver
spec:
  ports:
  - name: http
    port: 80
    protocol: TCP
    targetPort: 80
  selector:
    app: httpserver
```

```shell
kubectl apply -f httpserver.yaml -n securesvc
```
Create a self-signed certificate

```shell
openssl req -x509 -sha256 -nodes -days 365 -newkey rsa:2048 -subj '/O=cncamp Inc./CN=*.cncamp.io' -keyout cncamp.io.key -out cncamp.io.crt
```

This produces a one-year, self-signed wildcard certificate for *.cncamp.io with an unencrypted private key. The name is only in the CN, not in a subjectAltName, so strict clients (Chrome, for example) reject it even when they trust it; for a lab driven by curl -k this does not matter. Store the key pair as a TLS secret in istio-system, the namespace of the ingress gateway, which is where the gateway reads its credentials from; the key never needs to be mounted into the application pod:

```shell
kubectl create -n istio-system secret tls cncamp-credential --key=cncamp.io.key --cert=cncamp.io.crt
```

```
➜ 3.https-gw git:(master) ✗ kubectl get -n istio-system secret
NAME                TYPE                DATA   AGE
cncamp-credential   kubernetes.io/tls   2      18s
```
Deploy the Istio Gateway and VirtualService

```yaml
apiVersion: networking.istio.io/v1beta1
kind: VirtualService
metadata:
  name: httpsserver
spec:
  gateways:
  - httpsserver
  hosts:
  - httpsserver.cncamp.io
  http:
  - match:
    - port: 443
    route:
    - destination:
        host: httpserver.securesvc.svc.cluster.local
        port:
          number: 80
---
apiVersion: networking.istio.io/v1beta1
kind: Gateway
metadata:
  name: httpsserver
spec:
  selector:
    istio: ingressgateway
  servers:
  - hosts:
    - httpsserver.cncamp.io
    port:
      name: https-default
      number: 443
      protocol: HTTPS
    tls:
      mode: SIMPLE
      credentialName: cncamp-credential
```

The Gateway terminates TLS on the ingress gateway pods (selector istio: ingressgateway) with the secret created above; mode SIMPLE means server-side TLS only, no client certificate is requested. The VirtualService binds to that Gateway by name and forwards everything that arrived on port 443 for httpsserver.cncamp.io to the httpserver Service on plain port 80. That inner hop is still encrypted, because both the gateway and the pod carry an Istio proxy and Istio upgrades proxy-to-proxy traffic to mTLS automatically. Both resources are applied to securesvc, so the gateways reference resolves within the same namespace.

```
➜ 3.https-gw git:(master) ✗ kubectl apply -f istio-specs.yaml -n securesvc
virtualservice.networking.istio.io/httpsserver created
gateway.networking.istio.io/httpsserver created
```
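The manifests above only terminate TLS at the edge; the other two points of the assignment, security guarantees beyond transport encryption and layer-7 rules, are not addressed by them. What follows is an added example, not code from the original page, of how those can be covered with Istio's own resources: the Gateway gains a port-80 server that redirects to HTTPS and pins the minimum TLS version, the VirtualService routes only the two application paths so that anything else gets a 404 at the edge, a PeerAuthentication forces mTLS inside securesvc, and an AuthorizationPolicy allows only the ingress gateway's identity to call the app. Assumptions: the ingress gateway runs under the default service account istio-ingressgateway-service-account in istio-system, the app's public paths are /healthz and /, and its Prometheus /metrics endpoint is served on the same port 80 (which is what the scrape annotations suggest).

```yaml
# Added example, not part of the original page: hardens the edge and the
# gateway-to-service hop for httpserver in namespace securesvc.
apiVersion: networking.istio.io/v1beta1
kind: Gateway
metadata:
  name: httpsserver
  namespace: securesvc
spec:
  selector:
    istio: ingressgateway
  servers:
  # Plain HTTP is accepted only to send a 301 to the HTTPS URL.
  - hosts:
    - httpsserver.cncamp.io
    port:
      name: http-redirect
      number: 80
      protocol: HTTP
    tls:
      httpsRedirect: true
  - hosts:
    - httpsserver.cncamp.io
    port:
      name: https-default
      number: 443
      protocol: HTTPS
    tls:
      mode: SIMPLE                 # server-side TLS, no client cert
      credentialName: cncamp-credential
      minProtocolVersion: TLSV1_2  # pin: reject TLS 1.0/1.1 handshakes
---
# Layer-7 rules: only the two application paths are routed. Any other
# path (e.g. /metrics, assumed to be served on the same port for the
# Prometheus scrape annotations) has no route and gets a 404 from Envoy.
apiVersion: networking.istio.io/v1beta1
kind: VirtualService
metadata:
  name: httpsserver
  namespace: securesvc
spec:
  gateways:
  - httpsserver
  hosts:
  - httpsserver.cncamp.io
  http:
  - match:                # entries in a match list are ORed
    - uri:
        exact: /healthz
    - uri:
        exact: /
    route:
    - destination:
        host: httpserver.securesvc.svc.cluster.local
        port:
          number: 80
---
# Every sidecar in securesvc accepts mTLS only; plaintext callers
# (pods without a sidecar) are refused at connection level.
apiVersion: security.istio.io/v1beta1
kind: PeerAuthentication
metadata:
  name: default
  namespace: securesvc
spec:
  mtls:
    mode: STRICT
---
# Only the ingress gateway's workload identity may call httpserver, and
# only with GET on the two public paths. Once an ALLOW policy selects a
# workload, every request it does not list is denied.
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: httpserver-ingress-only
  namespace: securesvc
spec:
  selector:
    matchLabels:
      app: httpserver
  action: ALLOW
  rules:
  - from:
    - source:
        # assumed: default SA name from an istioctl install
        principals:
        - cluster.local/ns/istio-system/sa/istio-ingressgateway-service-account
    to:
    - operation:
        methods: ["GET"]
        paths: ["/healthz", "/"]
```

Apply it with kubectl apply -f and check each control from the client side: plain http://httpsserver.cncamp.io/healthz (resolved to $INGRESS_IP on port 80) now answers with a 301 to the https:// URL, curl --tls-max 1.1 fails during the handshake, /metrics comes back as a 404 from istio-envoy, and a pod without a sidecar can no longer open httpserver.securesvc:80 at all. The principal in the ALLOW rule is taken from the client certificate the gateway presents over mTLS, so STRICT mode is what guarantees that nobody can satisfy it without a workload identity issued by istiod. The Prometheus annotations on the Deployment keep working under STRICT because, by default, Istio's metrics merging rewrites them to the sidecar agent's plaintext endpoint on port 15020.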
Look up the ingress IP

```shell
kubectl get svc -n istio-system istio-ingressgateway
```

The output as captured here is abbreviated to the TYPE and CLUSTER-IP columns:

```
LoadBalancer 10.233.57.182
```

```shell
export INGRESS_IP=10.233.57.182
```

10.233.57.182 is the Service's cluster-internal address, so the test below works from a node or a pod inside the cluster; from outside, use the EXTERNAL-IP column once the load balancer has assigned one.
Test the service

```shell
curl --resolve httpsserver.cncamp.io:443:$INGRESS_IP https://httpsserver.cncamp.io/healthz -v -k
```

Command explanation:

--resolve HOST:PORT:ADDRESS forces HOST:PORT to resolve to ADDRESS, so the request reaches the gateway with the right SNI and Host header without a DNS entry for the name.
-k skips certificate verification. The certificate is self-signed, so verification would otherwise fail. To verify instead of skipping, pass --cacert cncamp.io.crt, which tells curl to trust this self-signed certificate as its own root.
-v prints the whole exchange, which is useful for debugging.
```
➜ 3.https-gw git:(master) ✗ curl --resolve httpsserver.cncamp.io:443:$INGRESS_IP https://httpsserver.cncamp.io/healthz -v -k
* Added httpsserver.cncamp.io:443:10.233.57.182 to DNS cache
* Hostname httpsserver.cncamp.io was found in DNS cache
*   Trying 10.233.57.182:443...
* TCP_NODELAY set
* Connected to httpsserver.cncamp.io (10.233.57.182) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
*   CAfile: /etc/ssl/certs/ca-certificates.crt
  CApath: /etc/ssl/certs
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.3 (IN), TLS handshake, Encrypted Extensions (8):
* TLSv1.3 (IN), TLS handshake, Certificate (11):
* TLSv1.3 (IN), TLS handshake, CERT verify (15):
* TLSv1.3 (IN), TLS handshake, Finished (20):
* TLSv1.3 (OUT), TLS change cipher, Change cipher spec (1):
* TLSv1.3 (OUT), TLS handshake, Finished (20):
* SSL connection using TLSv1.3 / TLS_AES_256_GCM_SHA384
* ALPN, server accepted to use h2
* Server certificate:
*  subject: O=cncamp Inc.; CN=*.cncamp.io
*  start date: May 11 01:59:15 2022 GMT
*  expire date: May 11 01:59:15 2023 GMT
*  issuer: O=cncamp Inc.; CN=*.cncamp.io
*  SSL certificate verify result: self signed certificate (18), continuing anyway.
* Using HTTP2, server supports multi-use
* Connection state changed (HTTP/2 confirmed)
* Copying HTTP/2 data in stream buffer to connection buffer after upgrade: len=0
* Using Stream ID: 1 (easy handle 0x56023aab4e10)
> GET /healthz HTTP/2
> Host: httpsserver.cncamp.io
> user-agent: curl/7.68.0
> accept: */*
>
* TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
* TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
* old SSL session ID is stale, removing
* Connection state changed (MAX_CONCURRENT_STREAMS == 2147483647)!
< HTTP/2 200
< date: Wed, 11 May 2022 02:00:36 GMT
< content-length: 3
< content-type: text/plain; charset=utf-8
< x-envoy-upstream-service-time: 29
< server: istio-envoy
<
ok
* Connection #0 to host httpsserver.cncamp.io left intact
```

What to read from this transcript: the gateway negotiated TLS 1.3 with TLS_AES_256_GCM_SHA384 and HTTP/2 over ALPN; subject and issuer are identical, which is what a self-signed certificate looks like, and the verify result 18 is only tolerated because of -k; server: istio-envoy and x-envoy-upstream-service-time confirm the response went through the Istio ingress gateway rather than straight to the pod.
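The third point of the assignment, tracing, is not exercised by the manifests above. As an added example, not from the original page, the Telemetry resource below raises the trace sampling rate for the lab so that every request through the gateway produces a span. It assumes Istio 1.12 or newer (where the telemetry.istio.io API exists) and that the Jaeger addon from the Istio release's samples/addons directory is installed; that addon creates a zipkin Service in istio-system, which is where the default mesh configuration already sends spans.

```yaml
# Added example, not part of the original page. Mesh-wide tracing settings
# live in the root namespace (istio-system); a Telemetry resource there
# with no selector applies to every sidecar and gateway in the mesh.
apiVersion: telemetry.istio.io/v1alpha1
kind: Telemetry
metadata:
  name: mesh-default
  namespace: istio-system
spec:
  tracing:
  - randomSamplingPercentage: 100.0   # lab only: the mesh default is 1%
```

After kubectl apply, repeat the curl above and open the UI with istioctl dashboard jaeger; the request appears as a span under the istio-ingressgateway service. Because Envoy starts the trace, the app needs no change for this single hop, but to keep a trace intact across calls the app itself makes, it must copy the incoming x-request-id and B3 headers (x-b3-traceid, x-b3-spanid, x-b3-parentspanid, x-b3-sampled) onto its outbound requests. 100% sampling is fine for a lab; in production it is both a cost and a data-exposure concern, since spans carry URLs and any headers you tag them with, so lower the rate and keep the collector off the public network.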