Istio: DestinationRule for a legacy service outside the mesh
I have a k8s cluster with Istio deployed in the istio-system namespace, and sidecar injection enabled by default in another namespace called mesh-apps. I also have a second legacy namespace which contains certain applications that do their own TLS termination. I am trying to set up mTLS access between services running inside the mesh-apps namespace and those running inside legacy.

For this purpose, I have done the following:

- Created a secret in the mesh-apps namespace containing the client cert, key and CA cert to be used to connect with an application in legacy via mTLS.
- Mounted these at a well-defined location inside a pod (the sleep pod in Istio samples actually) running in mesh-apps.
- Deployed an app inside legacy and exposed it using a ClusterIP service called mymtls-app on port 8443.
- Created the following destination rule in the mesh-apps namespace, hoping that this enables mTLS access from mesh-apps to legacy.

    ---
    apiVersion: networking.istio.io/v1alpha3
    kind: DestinationRule
    metadata:
      name: originate-mtls
    spec:
      host: mymtls-app.legacy.svc.cluster.local
      trafficPolicy:
        portLevelSettings:
        - port:
            number: 8443
          tls:
            mode: MUTUAL
            clientCertificate: /etc/sleep/tls/server.cert
            privateKey: /etc/sleep/tls/server.key
            caCertificates: /etc/sleep/tls/ca.pem
            sni: mymtls-app.legacy.svc.cluster.local
Now when I run the following command from inside the sleep pod, I would have expected the above DestinationRule to take effect:
kubectl exec sleep-37893-foobar -c sleep -- curl http://mymtls-app.legacy.svc.cluster.local:8443/hello
But instead I just get the error:
Client sent an HTTP request to an HTTPS server.
If I add https in the URL, then this is the error:
curl: (56) OpenSSL SSL_read: error:14094412:SSL routines:ssl3_read_bytes:sslv3 alert bad certificate, errno 0
command terminated with exit code 56
Comments (1)
I figured out my own mistake. I needed to correctly mount the certificate, private key, and CA chain in the sidecar, not in the app container. In order to mount them in the sidecar, I performed the following actions:
- Created a secret with the cert, private key and CA chain.
- Modified the deployment manifest for the sleep container thus:

Actually I had already created the secret earlier, but it was mounted in the app container (sleep) instead of the sidecar, in this way: