mTLS between services running inside and outside the mesh using Istio's chain of trust
I understand that I can configure Istio for its Citadel component to use a root X.509 certificate + private key that I provide. Can I extend this system in a way that I also use the same root to issue certificates to legacy workloads running in the same k8s cluster, and then configure a destination rule to access these workloads from inside the mesh? Something like:
    ---
    apiVersion: networking.istio.io/v1alpha3
    kind: DestinationRule
    metadata:
      name: originate-mtls
    spec:
      host: mymtls-app.legacy.svc.cluster.local
      trafficPolicy:
        portLevelSettings:
        - port:
            number: 8443
          tls:
            mode: ISTIO_MUTUAL
            sni: mymtls-app.legacy.svc.cluster.local
Can the above work? Do I need any additional configuration besides the above? I may not be in a position to run SPIFFE / SPIRE to manage the certificates for workloads outside the mesh, which puts a SPIFFE federation solution like this somewhat out of reach for me. But this also doesn't seem like a fully supported mechanism in any case.
I have been able to configure mTLS using a separate certificate hierarchy which I have to inject via secrets and mount into the pods / sidecars in question (illustrated here).
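The question hinges on one check: a sidecar using `ISTIO_MUTUAL` presents its own Istio-issued certificate and verifies the upstream against Istio's root bundle, so a legacy workload whose leaf certificate chains to that same root passes the chain check. The shell script below is an added example, not code from the question or from the Istio project. It builds a root CA that stands in for the root handed to Istio (the `root-cert.pem` / `ca-key.pem` file names follow Istio's plugged-in CA layout), issues a leaf for the legacy workload from it with a SPIFFE URI SAN in the `spiffe://<trust-domain>/ns/<namespace>/sa/<serviceaccount>` form Istio uses, then runs the chain verification an mTLS peer would perform, against a second, unrelated root as well so the rejection case is visible. It assumes the `openssl` CLI is installed and that the trust domain is Istio's default `cluster.local`; the workload names and namespace are constructed.

```shell
#!/bin/sh
# Added example, not part of the original question or of Istio. Builds a root
# CA standing in for Istio's plugged-in root, issues a legacy-workload leaf from
# it, and checks that the leaf chains to that root (and that a leaf from an
# unrelated root does not). Workload identities below are constructed.
set -e

WORKDIR="${WORKDIR:-$(mktemp -d)}"
TRUST_DOMAIN="${TRUST_DOMAIN:-cluster.local}"   # assumption: Istio's default trust domain

# Istio encodes workload identity as spiffe://<trust-domain>/ns/<ns>/sa/<serviceaccount>.
spiffe_id() { printf 'spiffe://%s/ns/%s/sa/%s' "$TRUST_DOMAIN" "$1" "$2"; }

# make_ca NAME: self-signed root CA -> $WORKDIR/NAME-cert.pem and NAME-key.pem.
# A private config keeps the CA extensions explicit and independent of the
# system openssl.cnf.
make_ca() {
  ca="$1"
  cat > "$WORKDIR/$ca.cnf" <<EOF
[req]
distinguished_name = dn
x509_extensions = v3_ca
prompt = no
[dn]
O = example.test
CN = $ca
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
EOF
  openssl genrsa -out "$WORKDIR/$ca-key.pem" 2048 2>/dev/null
  openssl req -x509 -new -key "$WORKDIR/$ca-key.pem" -days 365 -sha256 \
    -config "$WORKDIR/$ca.cnf" -out "$WORKDIR/$ca-cert.pem" 2>/dev/null
}

# issue_workload_cert CA NAME NAMESPACE DNSNAME: leaf signed by CA, carrying a
# SPIFFE URI SAN plus the service DNS name, valid for server and client auth
# (mTLS needs both: the legacy side is a server to the sidecar and must also
# be able to present the same cert as a client).
issue_workload_cert() {
  ca="$1"; name="$2"; ns="$3"; dns="$4"
  openssl genrsa -out "$WORKDIR/$name-key.pem" 2048 2>/dev/null
  openssl req -new -key "$WORKDIR/$name-key.pem" \
    -subj "/O=example.test/CN=$name" -out "$WORKDIR/$name.csr" 2>/dev/null
  cat > "$WORKDIR/$name.ext" <<EOF
basicConstraints = CA:FALSE
keyUsage = critical,digitalSignature,keyEncipherment
extendedKeyUsage = serverAuth,clientAuth
subjectAltName = URI:$(spiffe_id "$ns" "$name"),DNS:$dns
EOF
  openssl x509 -req -in "$WORKDIR/$name.csr" -CA "$WORKDIR/$ca-cert.pem" \
    -CAkey "$WORKDIR/$ca-key.pem" -CAcreateserial -days 30 -sha256 \
    -extfile "$WORKDIR/$name.ext" -out "$WORKDIR/$name-cert.pem" 2>/dev/null
}

# verify_chain CA NAME: exit 0 when NAME's cert chains to CA, non-zero otherwise.
# This is the trust-anchor check a peer configured with CA's root performs.
verify_chain() {
  openssl verify -CAfile "$WORKDIR/$1-cert.pem" "$WORKDIR/$2-cert.pem" >/dev/null 2>&1
}

# has_spiffe_san NAME SPIFFE_ID: exit 0 when the cert carries that URI SAN.
has_spiffe_san() {
  openssl x509 -in "$WORKDIR/$1-cert.pem" -noout -text 2>/dev/null | grep -q "URI:$2"
}

# Demo: one root that Istio would be configured with, one unrelated root.
make_ca istio-root
make_ca unrelated-root
issue_workload_cert istio-root mymtls-app legacy mymtls-app.legacy.svc.cluster.local
issue_workload_cert unrelated-root stray-app legacy stray-app.legacy.svc.cluster.local

verify_chain istio-root mymtls-app && echo "mymtls-app: chains to istio-root (accepted)"
verify_chain istio-root stray-app || echo "stray-app: does not chain to istio-root (rejected)"
has_spiffe_san mymtls-app "$(spiffe_id legacy mymtls-app)" && echo "mymtls-app: SPIFFE SAN present"
```

Chain validity is necessary but not sufficient for the setup in the question. The legacy workload must in turn be configured to trust the same root when it validates the sidecar's client certificate, and it must serve the leaf on the port named in the DestinationRule. Whether a given Istio version additionally enforces an expected `subjectAltNames` set for the host under `ISTIO_MUTUAL` should be confirmed against its DestinationRule documentation; if it does, the SAN on the legacy certificate has to match what the sidecar expects for that host, which is why the example puts the identity in the SPIFFE URI form Istio's own workload certificates use.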