
Learning objectives

What is a Gateway

In a Kubernetes environment, a Kubernetes Ingress is used to expose services that must be reachable from outside the cluster. In an Istio service mesh, the better approach is the newer configuration model, the Istio Gateway. A Gateway lets Istio's traffic-management features be applied to traffic entering the cluster.

There are two kinds of gateway, the ingress-gateway and the egress-gateway, which handle inbound and outbound traffic respectively. A gateway is itself just an Envoy pod.

Resource details

selector

1.7.0/gateway/gateway-01.yaml

apiVersion: networking.istio.io/v1alpha3
kind: Gateway
metadata:
  name: bookinfo-gateway
spec:
  selector:
    istio: ingressgateway
  servers:
  - port:
      number: 80
      name: http
      protocol: HTTP
    hosts:
    - "*"

servers

hosts

All domains:

1.7.0/gateway/gateway-server-hosts-star.yaml

apiVersion: networking.istio.io/v1alpha3
kind: Gateway
metadata:
  name: bookinfo-gateway
spec:
  selector:
    istio: ingressgateway
  servers:
  - port:
      number: 80
      name: http
      protocol: HTTP
    hosts:
    - "*"

A specific domain:

1.7.0/gateway/gateway-server-hosts-bookinfo-com.yaml

apiVersion: networking.istio.io/v1alpha3
kind: Gateway
metadata:
  name: bookinfo-gateway
spec:
  selector:
    istio: ingressgateway
  servers:
  - port:
      number: 80
      name: http
      protocol: HTTP
    hosts:
    - "bookinfo.com"

Multiple domains:

1.7.0/gateway/gateway-server-hosts-multi.yaml

apiVersion: networking.istio.io/v1alpha3
kind: Gateway
metadata:
  name: bookinfo-gateway
spec:
  selector:
    istio: ingressgateway
  servers:
  - port:
      number: 80
      name: http
      protocol: HTTP
    hosts:
    - "bookinfo.com"
    - "bookinfo.demo"

Mixed domains (a wildcard host on the Gateway, an exact host on the VirtualService):

1.7.0/gateway/gateway-server-hosts-mix.yaml

apiVersion: networking.istio.io/v1alpha3
kind: Gateway
metadata:
  name: bookinfo-gateway
spec:
  selector:
    istio: ingressgateway
  servers:
  - port:
      number: 80
      name: http
      protocol: HTTP
    hosts:
    - "*.com"
---
apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
  name: bookinfo
spec:
  hosts:
  - "bookinfo.com"
  gateways:
  - bookinfo-gateway
  http:
  - match:
    - uri:
        exact: /productpage
    - uri:
        prefix: /static
    - uri:
        exact: /login
    - uri:
        exact: /logout
    - uri:
        prefix: /api/v1/products
    route:
    - destination:
        host: productpage.istio.svc.cluster.local
        port:
          number: 9080
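The four host variants above only differ in which VirtualService hosts the Gateway server will actually admit. The following is an added example, not code from the original post: it implements the wildcard-suffix host matching that Istio documents for Gateway and VirtualService hosts (that rule set is an assumption of this example) and reports which VirtualService hosts bind to a given Gateway server. The `bound_hosts` and `hosts_overlap` names are my own.

```python
"""Which VirtualService hosts does a Gateway server admit?

Added example (not from the original post): applies Istio's wildcard host
rules to the Gateway/VirtualService host pairs shown above.
"""


def _strip_namespace(host: str) -> str:
    # Gateway hosts may carry a "namespace/" prefix (e.g. "istio/*"); the
    # name part is what the Host header / SNI value is compared against.
    return host.split("/", 1)[-1].lower()


def hosts_overlap(pattern: str, host: str) -> bool:
    """True if the two host names overlap under Istio's wildcard rules.

    - "*" overlaps everything
    - two exact names must be equal
    - a wildcard "*.com" overlaps any name ending in ".com"
    - two wildcards overlap when one suffix ends with the other
    """
    a, b = _strip_namespace(pattern), _strip_namespace(host)
    if a == "*" or b == "*":
        return True
    a_wild, b_wild = a.startswith("*"), b.startswith("*")
    if not a_wild and not b_wild:
        return a == b
    if a_wild and not b_wild:
        return b.endswith(a[1:])
    if b_wild and not a_wild:
        return a.endswith(b[1:])
    return a[1:].endswith(b[1:]) or b[1:].endswith(a[1:])


def bound_hosts(gateway_hosts, vs_hosts):
    """VirtualService hosts that at least one Gateway server host admits."""
    return [v for v in vs_hosts if any(hosts_overlap(g, v) for g in gateway_hosts)]


if __name__ == "__main__":
    # The "mixed domains" case: Gateway "*.com", VirtualService "bookinfo.com".
    print(bound_hosts(["*.com"], ["bookinfo.com", "bookinfo.demo"]))
    # A Gateway with "*" accepts any Host header, so every VirtualService host binds.
    print(bound_hosts(["*"], ["bookinfo.com", "bookinfo.demo"]))
```

The practical consequence: a Gateway server with hosts `"*"` admits every Host header, so the VirtualService is the only place that narrows what the listener will route; with `"*.com"` a VirtualService for `bookinfo.demo` silently never binds.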

name

1.7.0/gateway/gateway-server-name.yaml

apiVersion: networking.istio.io/v1alpha3
kind: Gateway
metadata:
  name: bookinfo-gateway
spec:
  selector:
    istio: ingressgateway
  servers:
  - port:
      number: 80
      name: http
      protocol: HTTP
    hosts:
    - "*"
    name: bookinfo-gateway

port

Field     Type    Description
number    uint32  A valid port number
protocol  string  The protocol used; one of HTTP|HTTPS|GRPC|HTTP2|MONGO|TCP|TLS
name      string  A name assigned to the port

Protocols supported by Istio:

  • grpc
  • grpc-web
  • http
  • http2
  • https
  • mongo
  • mysql*
  • redis*
  • tcp
  • tls
  • udp

* These protocols are disabled by default to avoid accidentally enabling experimental features. To enable them, configure the corresponding Pilot environment variables.

http

1. Deploy the gateway

1.7.0/gateway/gateway-01.yaml

apiVersion: networking.istio.io/v1alpha3
kind: Gateway
metadata:
  name: bookinfo-gateway
spec:
  selector:
    istio: ingressgateway
  servers:
  - port:
      number: 80
      name: http
      protocol: HTTP
    hosts:
    - "*"

2. Deploy the VirtualService

1.7.0/virtaulservice/vs-bookinfo-hosts-star.yaml

apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
  name: bookinfo
spec:
  hosts:
  - "*"
  gateways:
  - bookinfo-gateway
  http:
  - match:
    - uri:
        exact: /productpage
    - uri:
        prefix: /static
    - uri:
        exact: /login
    - uri:
        exact: /logout
    - uri:
        prefix: /api/v1/products
    route:
    - destination:
        host: productpage.istio.svc.cluster.local
        port:
          number: 9080

3. Open it in a browser

https

1. Create the secret

kubectl create -n istio-system secret tls istio-ingressgateway-certs --key ./cert.key --cert=./cert.crt

Check that the certificate files were mounted into the ingress gateway pod:

kubectl exec deploy/istio-ingressgateway -n istio-system -- ls /etc/istio/ingressgateway-certs

2. Create the gateway

1.7.0/gateway/gateway-https.yaml

apiVersion: networking.istio.io/v1alpha3
kind: Gateway
metadata:
  name: bookinfo-gateway
spec:
  selector:
    istio: ingressgateway
  servers:
  - port:
      number: 443
      name: https
      protocol: HTTPS
    hosts:
    - "bookinfo.demo"
    - "ratings.demo"
    tls:
      mode: SIMPLE
      serverCertificate: /etc/istio/ingressgateway-certs/tls.crt
      privateKey: /etc/istio/ingressgateway-certs/tls.key

3. Create the VirtualService

1.7.0/virtaulservice/vs-bookinfo-hosts-star.yaml

apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
  name: bookinfo
spec:
  hosts:
  - "*"
  gateways:
  - bookinfo-gateway
  http:
  - match:
    - uri:
        exact: /productpage
    - uri:
        prefix: /static
    - uri:
        exact: /login
    - uri:
        exact: /logout
    - uri:
        prefix: /api/v1/products
    route:
    - destination:
        host: productpage.istio.svc.cluster.local
        port:
          number: 9080

4. Open it in a browser

tcp

1. Create the gateway

1.7.0/gateway/gateway-tcp.yaml

apiVersion: networking.istio.io/v1alpha3
kind: Gateway
metadata:
  name: tcp-echo-gateway
spec:
  selector:
    istio: ingressgateway
  servers:
  - port:
      number: 31400
      name: tcp
      protocol: TCP
    hosts:
    - "*"

2. Create the VirtualService and DestinationRule

1.7.0/gateway/protocol/vs-dr-tcp-echo.yaml

apiVersion: networking.istio.io/v1alpha3
kind: DestinationRule
metadata:
  name: tcp-echo-destination
spec:
  host: tcp-echo
  subsets:
  - name: v1
    labels:
      version: v1
  - name: v2
    labels:
      version: v2
---
apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
  name: tcp-echo
spec:
  hosts:
  - "*"
  gateways:
  - tcp-echo-gateway
  tcp:
  - match:
    - port: 31400
    route:
    - destination:
        host: tcp-echo
        port:
          number: 9000
        subset: v1

3. Add the port to the ingress gateway Service

kubectl edit svc istio-ingressgateway -n istio-system

4. Test

telnet 10.68.12.164 31400

http2

1. Create the gateway

1.7.0/gateway/gateway-http2.yaml

apiVersion: networking.istio.io/v1alpha3
kind: Gateway
metadata:
  name: bookinfo-gateway
spec:
  selector:
    istio: ingressgateway
  servers:
  - port:
      number: 15444
      name: http2
      protocol: HTTP2
      targetPort: 15444
    hosts:
    - "*"

2. Deploy the VirtualService

1.7.0/virtaulservice/vs-bookinfo-hosts-star.yaml

kubectl apply -f vs-bookinfo-hosts-star.yaml -n istio

apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
  name: bookinfo
spec:
  hosts:
  - "*"
  gateways:
  - bookinfo-gateway
  http:
  - match:
    - uri:
        exact: /productpage
    - uri:
        prefix: /static
    - uri:
        exact: /login
    - uri:
        exact: /logout
    - uri:
        prefix: /api/v1/products
    route:
    - destination:
        host: productpage.istio.svc.cluster.local
        port:
          number: 9080

3. Open it in a browser

mongo

1. Deploy the gateway

1.7.0/gateway/gateway-mongo.yaml

apiVersion: networking.istio.io/v1beta1
kind: Gateway
metadata:
  name: mongo
spec:
  selector:
    istio: ingressgateway
  servers:
  - port:
      number: 27017
      name: mongo
      protocol: MONGO
    hosts:
    - "*"

2. Deploy the VirtualService

1.7.0/gateway/protocol/vs-mongodb.yaml

apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
  name: mongo
spec:
  hosts:
  - "*"
  gateways:
  - mongo
  tcp:
  - match:
    - port: 27017
    route:
    - destination:
        host: mongodb.istio.svc.cluster.local
        port:
          number: 27017

3. Add the port to the ingress gateway Service

kubectl edit svc istio-ingressgateway -n istio-system

4. Test

tls

1. Create the gateway

1.7.0/gateway/gateway-tls.yaml

apiVersion: networking.istio.io/v1alpha3
kind: Gateway
metadata:
  name: bookinfo-gateway
spec:
  selector:
    istio: ingressgateway
  servers:
  - port:
      number: 15443
      name: tls
      protocol: TLS
    hosts:
    - "bookinfo.com"
    tls:
      mode: SIMPLE
      serverCertificate: /etc/istio/ingressgateway-certs/tls.crt
      privateKey: /etc/istio/ingressgateway-certs/tls.key

2. Create the VirtualService

1.7.0/gateway/protocol/vs-tls-protocol-echo.yaml

apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
  name: tcp-echo
spec:
  hosts:
  - "*"
  gateways:
  - bookinfo-gateway
  tcp:
  - match:
    - port: 15443
    route:
    - destination:
        host: tcp-echo
        port:
          number: 9000

3. Edit /etc/hosts

10.68.12.164 bookinfo.com

4. Test

openssl s_client -connect bookinfo.com:15443 -servername bookinfo.com

mysql

1. Create the gateway

1.7.0/gateway/gateway-mysql.yaml

apiVersion: networking.istio.io/v1beta1
kind: Gateway
metadata:
  name: mysql
spec:
  selector:
    istio: ingressgateway
  servers:
  - port:
      number: 3306
      name: mysql
      protocol: MYSQL
    hosts:
    - "*"

2. Create the VirtualService

1.7.0/gateway/protocol/vs-mysql.yaml

apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
  name: mysql
spec:
  hosts:
  - "*"
  gateways:
  - mysql
  tcp:
  - match:
    - port: 3306
    route:
    - destination:
        host: mysqldb.istio.svc.cluster.local
        port:
          number: 3306

3. Add the port to the ingress gateway Service

kubectl edit svc istio-ingressgateway -n istio-system

4. Enable the MySQL protocol in Istio

kubectl set env deploy istiod -n istio-system PILOT_ENABLE_MYSQL_FILTER=true

5. Test

mysql -h 192.168.198.154 --port 37031 -uroot -p

redis

1. Create the gateway

1.7.0/gateway/gateway-redis.yaml

apiVersion: networking.istio.io/v1beta1
kind: Gateway
metadata:
  name: redis
spec:
  selector:
    istio: ingressgateway
  servers:
  - port:
      number: 6379
      name: redis
      protocol: REDIS
    hosts:
    - "*"

2. Deploy Redis

1.7.0/gateway/protocol/redis-deploy.yaml

apiVersion: apps/v1
kind: Deployment
metadata:
  labels:
    app: bcia
    ms-name: redis
  name: bcia-redis
spec:
  replicas: 1
  selector:
    matchLabels:
      app: bcia
      ms-name: redis
  template:
    metadata:
      labels:
        app: bcia
        ms-name: redis
      name: bcia-redis
    spec:
      containers:
      - name: bcia-redis
        image: redis:5.0.8
        command:
        - "redis-server"
---
apiVersion: v1
kind: Service
metadata:
  name: redis
spec:
  selector:
    app: bcia
    ms-name: redis
  ports:
  - port: 6379
    targetPort: 6379

3. Create the VirtualService

1.7.0/gateway/protocol/vs-redis.yaml

apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
  name: redis
spec:
  hosts:
  - "*"
  gateways:
  - redis
  tcp:
  - match:
    - port: 6379
    route:
    - destination:
        host: redis.istio.svc.cluster.local
        port:
          number: 6379

4. Add the port to the ingress gateway Service

kubectl edit svc istio-ingressgateway -n istio-system

5. Enable the Redis protocol in Istio

kubectl set env deploy istiod -n istio-system PILOT_ENABLE_REDIS_FILTER=true

6. Test

redis-cli -h 192.168.198.154 -p 29525
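Every non-HTTP walkthrough above (TCP, MongoDB, MySQL, Redis) has the same manual step: `kubectl edit svc istio-ingressgateway` to add the Gateway's port to the Service, because a Gateway server whose port number has no matching Service port is simply unreachable from outside the cluster. The following is an added example, not code from the original post: it reads the JSON that `kubectl get gateway -n istio -o json` and `kubectl get svc istio-ingressgateway -n istio-system -o json` produce, lists the Gateway listeners the Service does not expose, and emits a JSON Patch that `kubectl patch --type=json` can apply. The sample input is constructed (it stands in for the real kubectl output) and the function names are my own.

```python
"""Find Gateway listener ports the istio-ingressgateway Service does not expose.

Added example (not from the original post). Input is the JSON form of the
Gateway objects and of the ingress gateway Service, as printed by kubectl.
"""
import json

# Constructed sample input standing in for the real kubectl output.
SAMPLE_GATEWAYS = json.loads("""
{"items": [
  {"metadata": {"name": "bookinfo-gateway"},
   "spec": {"servers": [{"port": {"number": 80, "name": "http", "protocol": "HTTP"}, "hosts": ["*"]}]}},
  {"metadata": {"name": "tcp-echo-gateway"},
   "spec": {"servers": [{"port": {"number": 31400, "name": "tcp", "protocol": "TCP"}, "hosts": ["*"]}]}},
  {"metadata": {"name": "mongo"},
   "spec": {"servers": [{"port": {"number": 27017, "name": "mongo", "protocol": "MONGO"}, "hosts": ["*"]}]}}
]}
""")
SAMPLE_SERVICE = json.loads("""
{"metadata": {"name": "istio-ingressgateway"},
 "spec": {"ports": [
   {"name": "http2", "port": 80, "targetPort": 8080, "protocol": "TCP"},
   {"name": "https", "port": 443, "targetPort": 8443, "protocol": "TCP"}]}}
""")


def listener_ports(gateways):
    """(gateway name, server port name, port number) for every Gateway server."""
    out = []
    for gw in gateways:
        for s in gw.get("spec", {}).get("servers", []):
            p = s.get("port", {})
            out.append((gw["metadata"]["name"], p.get("name", "unnamed"), int(p["number"])))
    return out


def unexposed_ports(gateways, service):
    """Gateway listeners for which the Service has no port of the same number.

    Traffic reaches the gateway pod only through a Service port whose number
    equals the Gateway's port.number, so these listeners are dead from outside.
    """
    exposed = {int(p["port"]) for p in service.get("spec", {}).get("ports", [])}
    return [t for t in listener_ports(gateways) if t[2] not in exposed]


def service_port_patch(missing, service):
    """RFC 6902 ops that append one Service port per missing listener number.

    targetPort is kept equal to port, which works for high ports that the
    unprivileged gateway pod binds directly (80 and 443 are the cases the
    default Service already maps to 8080 and 8443).
    """
    taken = {p.get("name") for p in service.get("spec", {}).get("ports", [])}
    ops, seen = [], set()
    for _gw, name, number in missing:
        if number in seen:      # two Gateways sharing a port need only one Service port
            continue
        seen.add(number)
        port_name = name if name not in taken else f"{name}-{number}"  # names must be unique
        taken.add(port_name)
        ops.append({"op": "add", "path": "/spec/ports/-",
                    "value": {"name": port_name, "port": number,
                              "targetPort": number, "protocol": "TCP"}})
    return ops


if __name__ == "__main__":
    missing = unexposed_ports(SAMPLE_GATEWAYS["items"], SAMPLE_SERVICE)
    for gw, name, number in missing:
        print(f"{gw}: server '{name}' on port {number} is not exposed by the Service")
    # Feed this to: kubectl patch svc istio-ingressgateway -n istio-system --type=json -p "$(...)"
    print(json.dumps(service_port_patch(missing, SAMPLE_SERVICE)))
```

The same check run in the other direction (Service ports with no Gateway server behind them) is worth adding to a cluster audit: an exposed NodePort or LoadBalancer port that no Gateway listens on is noise at best and a stale opening at worst.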

tls

Field                  Type         Description
httpsRedirect          bool         Whether to redirect HTTP to HTTPS
mode                   TLSmode      TLS mode used when serving TLS on the configured external port; one of the 4 modes PASSTHROUGH, SIMPLE, MUTUAL, AUTO_PASSTHROUGH
serverCertificate      string       Path to the server certificate. Required when mode is SIMPLE or MUTUAL
privateKey             string       Path to the server private key. Required when mode is SIMPLE or MUTUAL
caCertificates         string       Path to the CA certificate. Specified when mode is MUTUAL
credentialName         string       Uniquely identifies the server certificate and key. The Gateway uses credentialName to fetch the certificate and key from a remote credential store instead of from mounted files
subjectAltNames        string[]     SAN list; SubjectAltName lets one certificate cover several domain names
verifyCertificateSpki  string[]     Optional list of base64-encoded SHA-256 hashes of the SPKI of authorized client certificates
verifyCertificateHash  string[]     Optional list of hex-encoded SHA-256 hashes of authorized client certificates
minProtocolVersion     TLSProtocol  Minimum TLS protocol version
maxProtocolVersion     TLSProtocol  Maximum TLS protocol version
cipherSuites           string[]     Cipher suites to use; by default the cipher suites Envoy supports

httpsRedirect

1.7.0/gateway/tls/gw-httpsRedirect.yaml

apiVersion: networking.istio.io/v1beta1
kind: Gateway
metadata:
  name: bookinfo-gateway
spec:
  selector:
    istio: ingressgateway
  servers:
  - port:
      number: 80
      name: http
      protocol: HTTP
    hosts:
    - "*"
    tls:
      httpsRedirect: true
  - port:
      number: 443
      name: https-443
      protocol: HTTPS
    hosts:
    - "*"
    tls:
      mode: SIMPLE
      serverCertificate: /etc/istio/ingressgateway-certs/tls.crt
      privateKey: /etc/istio/ingressgateway-certs/tls.key

wget http://bookinfo.com:80/productpage --no-check-certificate

Test in a browser

mode

Name              Description
PASSTHROUGH       The SNI string presented by the client is used as the match criterion in VirtualService TLS routes to determine the destination service from the service registry
SIMPLE            Secure connections with standard TLS semantics
MUTUAL            Secure connections from the downstream using mutual TLS, presenting server certificates for authentication
AUTO_PASSTHROUGH  Similar to passthrough mode, except that a server with this TLS mode does not need an associated VirtualService to map the SNI value to a service in the registry. The destination details (service/subset/port) are encoded in the SNI value. The proxy forwards to the upstream (Envoy) cluster (a set of endpoints) named by the SNI value.
ISTIO_MUTUAL      Secure connections from the downstream using mutual TLS, presenting server certificates for authentication

PASSTHROUGH

1. Create the certificates

openssl req -x509 -sha256 -nodes -days 365 -newkey rsa:2048 -subj '/O=example Inc./CN=example.com' -keyout example.com.key -out example.com.crt

openssl req -out nginx.example.com.csr -newkey rsa:2048 -nodes -keyout nginx.example.com.key -subj "/CN=nginx.example.com/O=some organization"

openssl x509 -req -days 365 -CA example.com.crt -CAkey example.com.key -set_serial 0 -in nginx.example.com.csr -out nginx.example.com.crt

2. Create the secret

kubectl create secret tls nginx-server-certs --key nginx.example.com.key --cert nginx.example.com.crt -n istio

3. Create the nginx configuration file

events {
}
http {
  log_format main '$remote_addr - $remote_user [$time_local]  $status '
                  '"$request" $body_bytes_sent "$http_referer" '
                  '"$http_user_agent" "$http_x_forwarded_for"';
  access_log /var/log/nginx/access.log main;
  error_log  /var/log/nginx/error.log;

  server {
    listen 443 ssl;
    root /usr/share/nginx/html;
    index index.html;
    server_name nginx.example.com;
    ssl_certificate /etc/nginx-server-certs/tls.crt;
    ssl_certificate_key /etc/nginx-server-certs/tls.key;
  }
}

kubectl create configmap nginx-configmap --from-file=nginx.conf=./nginx.conf -n istio

4. Create the Deployment

apiVersion: v1
kind: Service
metadata:
  name: my-nginx
  labels:
    run: my-nginx
spec:
  ports:
  - port: 443
    protocol: TCP
  selector:
    run: my-nginx
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: my-nginx
spec:
  selector:
    matchLabels:
      run: my-nginx
  replicas: 1
  template:
    metadata:
      labels:
        run: my-nginx
    spec:
      containers:
      - name: my-nginx
        image: nginx
        ports:
        - containerPort: 443
        volumeMounts:
        - name: nginx-config
          mountPath: /etc/nginx
          readOnly: true
        - name: nginx-server-certs
          mountPath: /etc/nginx-server-certs
          readOnly: true
      volumes:
      - name: nginx-config
        configMap:
          name: nginx-configmap
      - name: nginx-server-certs
        secret:
          secretName: nginx-server-certs

5. Create the gateway

apiVersion: networking.istio.io/v1beta1
kind: Gateway
metadata:
  name: bookinfo-gateway
spec:
  selector:
    istio: ingressgateway
  servers:
  - port:
      number: 443
      name: https-443
      protocol: HTTPS
    hosts:
    - "nginx.example.com"
    tls:
      mode: PASSTHROUGH

6. Create the VirtualService

apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
  name: nginx
spec:
  hosts:
  - nginx.example.com
  gateways:
  - bookinfo-gateway
  tls:
  - match:
    - port: 443
      sniHosts:
      - nginx.example.com
    route:
    - destination:
        host: my-nginx
        port:
          number: 443

7. Open the URL

https://nginx.example.com:39329/

SIMPLE

1. Create the gateway

1.7.0/gateway/tls/simple/gateway-simple.yaml

apiVersion: networking.istio.io/v1alpha3
kind: Gateway
metadata:
  name: bookinfo-gateway
spec:
  selector:
    istio: ingressgateway
  servers:
  - port:
      number: 443
      name: https
      protocol: HTTPS
    hosts:
    - "bookinfo.demo"
    - "ratings.demo"
    - "nginx.example.com"
    tls:
      mode: SIMPLE
      serverCertificate: /etc/istio/ingressgateway-certs/tls.crt
      privateKey: /etc/istio/ingressgateway-certs/tls.key

2. Create the VirtualService

1.7.0/virtaulservice/vs-bookinfo-hosts-star.yaml

apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
  name: bookinfo
spec:
  hosts:
  - "*"
  gateways:
  - bookinfo-gateway
  http:
  - match:
    - uri:
        exact: /productpage
    - uri:
        prefix: /static
    - uri:
        exact: /login
    - uri:
        exact: /logout
    - uri:
        prefix: /api/v1/products
    route:
    - destination:
        host: productpage.istio.svc.cluster.local
        port:
          number: 9080

3. Open https://bookinfo.demo:39329/productpage

MUTUAL

1. Create the certificates

openssl req -x509 -sha256 -nodes -days 365 -newkey rsa:2048 -subj '/O=example Inc./CN=example.com' -keyout example.com.key -out example.com.crt

openssl req -out bookinfo.example.com.csr -newkey rsa:2048 -nodes -keyout bookinfo.example.com.key -subj "/CN=bookinfo.example.com/O=some organization"

openssl x509 -req -days 365 -CA example.com.crt -CAkey example.com.key -set_serial 0 -in bookinfo.example.com.csr -out bookinfo.example.com.crt

2. Create the secret

kubectl create -n istio-system secret generic bookinfo-credential --from-file=tls.key=bookinfo.example.com.key --from-file=tls.crt=bookinfo.example.com.crt --from-file=ca.crt=example.com.crt

3. Create the gateway

1.7.0/gateway/tls/mutual/gateway-mutual.yaml

apiVersion: networking.istio.io/v1alpha3
kind: Gateway
metadata:
  name: bookinfo-gateway
spec:
  selector:
    istio: ingressgateway
  servers:
  - port:
      number: 443
      name: https
      protocol: HTTPS
    tls:
      mode: MUTUAL
      credentialName: bookinfo-credential
    hosts:
    - bookinfo.example.com

4. Create the VirtualService

1.7.0/virtaulservice/vs-bookinfo-hosts-star.yaml

apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
  name: bookinfo
spec:
  hosts:
  - "*"
  gateways:
  - bookinfo-gateway
  http:
  - match:
    - uri:
        exact: /productpage
    - uri:
        prefix: /static
    - uri:
        exact: /login
    - uri:
        exact: /logout
    - uri:
        prefix: /api/v1/products
    route:
    - destination:
        host: productpage.istio.svc.cluster.local
        port:
          number: 9080

5. Generate the client certificate

openssl req -out client.example.com.csr -newkey rsa:2048 -nodes -keyout client.example.com.key -subj "/CN=client.example.com/O=client organization"

openssl x509 -req -days 365 -CA example.com.crt -CAkey example.com.key -set_serial 1 -in client.example.com.csr -out client.example.com.crt

6. Access

curl -v -H Host:bookinfo.example.com --resolve "bookinfo.example.com:39329:192.168.198.154" --cacert example.com.crt --cert client.example.com.crt --key client.example.com.key "https://bookinfo.example.com:39329/productpage"

AUTO_PASSTHROUGH

Reference: http://www.finbit.org/docs/examples/multicluster/split-horizon-eds//eAEFwUEKwCAMBMAX2b37m6IBF2IjboTS13dmZC5VgErGxUCPJth7z-UmzOPJ5kdpG1rOLCM2v3iKdeEH6-4X5Q

Mainly used for multiple Kubernetes clusters sharing a single Istio control plane.

apiVersion: networking.istio.io/v1alpha3
kind: Gateway
metadata:
  name: bookinfo-gateway
spec:
  selector:
    istio: ingressgateway
  servers:
  - port:
      number: 443
      name: tls
      protocol: TLS
    tls:
      mode: AUTO_PASSTHROUGH
    hosts:
    - "*.local"

ISTIO_MUTUAL

1. Create the certificates

openssl req -x509 -sha256 -nodes -days 365 -newkey rsa:2048 -subj '/O=example Inc./CN=example.com' -keyout example.com.key -out example.com.crt

openssl req -out bookinfo.example.com.csr -newkey rsa:2048 -nodes -keyout bookinfo.example.com.key -subj "/CN=bookinfo.example.com/O=some organization"

openssl x509 -req -days 365 -CA example.com.crt -CAkey example.com.key -set_serial 0 -in bookinfo.example.com.csr -out bookinfo.example.com.crt

2. Create the secret

kubectl create -n istio-system secret generic bookinfo-credential --from-file=tls.key=bookinfo.example.com.key --from-file=tls.crt=bookinfo.example.com.crt --from-file=ca.crt=example.com.crt

3. Create the gateway

1.7.0/gateway/tls/istio-mutual/gateway-istio-mutual.yaml

apiVersion: networking.istio.io/v1alpha3
kind: Gateway
metadata:
  name: bookinfo-gateway
spec:
  selector:
    istio: ingressgateway
  servers:
  - port:
      number: 443
      name: https
      protocol: HTTPS
    tls:
      mode: ISTIO_MUTUAL
      credentialName: "bookinfo-credential"
    hosts:
    - "*"

4. Create the VirtualService

1.7.0/virtaulservice/vs-bookinfo-hosts-star.yaml

apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
  name: bookinfo
spec:
  hosts:
  - "*"
  gateways:
  - bookinfo-gateway
  http:
  - match:
    - uri:
        exact: /productpage
    - uri:
        prefix: /static
    - uri:
        exact: /login
    - uri:
        exact: /logout
    - uri:
        prefix: /api/v1/products
    route:
    - destination:
        host: productpage.istio.svc.cluster.local
        port:
          number: 9080

5. Access

curl -v -H Host:bookinfo.example.com --resolve "bookinfo.example.com:39329:192.168.198.154" --cacert example.com.crt "https://bookinfo.example.com:39329/productpage"

credentialName

1. Create the secret

cd 1.7.0/gateway/certs

kubectl create -n istio-system secret tls bookinfo-secret --key ./cert.key --cert=./cert.crt

2. Create the gateway

kubectl apply -f gateway-credentialName.yaml -n istio

1.7.0/gateway/tls/gateway-credentialName.yaml

apiVersion: networking.istio.io/v1alpha3
kind: Gateway
metadata:
  name: bookinfo-gateway
spec:
  selector:
    istio: ingressgateway
  servers:
  - port:
      number: 443
      name: https
      protocol: HTTPS
    hosts:
    - "*"
    tls:
      credentialName: bookinfo-secret
      mode: SIMPLE

3. Create the VirtualService

1.7.0/virtaulservice/vs-bookinfo-hosts-star.yaml

apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
  name: bookinfo
spec:
  hosts:
  - "*"
  gateways:
  - bookinfo-gateway
  http:
  - match:
    - uri:
        exact: /productpage
    - uri:
        prefix: /static
    - uri:
        exact: /login
    - uri:
        exact: /logout
    - uri:
        prefix: /api/v1/products
    route:
    - destination:
        host: productpage.istio.svc.cluster.local
        port:
          number: 9080

4. Open https://bookinfo.demo:39329/productpage

caCertificates

1. Generate the certificates

openssl req -x509 -sha256 -nodes -days 365 -newkey rsa:2048 -subj '/O=example Inc./CN=example.com' -keyout example.com.key -out example.com.crt

openssl req -out bookinfo.example.com.csr -newkey rsa:2048 -nodes -keyout bookinfo.example.com.key -subj "/CN=bookinfo.example.com/O=some organization"

openssl x509 -req -days 365 -CA example.com.crt -CAkey example.com.key -set_serial 0 -in bookinfo.example.com.csr -out bookinfo.example.com.crt

2. Create the secret

kubectl create -n istio-system secret generic istio-ingressgateway-certs --from-file=tls.key=bookinfo.example.com.key --from-file=tls.crt=bookinfo.example.com.crt --from-file=ca.crt=example.com.crt

Check whether the configuration took effect:

kubectl exec deploy/istio-ingressgateway -n istio-system -- ls /etc/istio/ingressgateway-certs

3. Create the gateway

1.7.0/gateway/tls/gateway-caCertificates.yaml

apiVersion: networking.istio.io/v1alpha3
kind: Gateway
metadata:
  name: bookinfo-gateway
spec:
  selector:
    istio: ingressgateway
  servers:
  - port:
      number: 443
      name: https
      protocol: HTTPS
    hosts:
    - "*"
    tls:
      mode: MUTUAL
      caCertificates: /etc/istio/ingressgateway-certs/ca.crt
      serverCertificate: /etc/istio/ingressgateway-certs/tls.crt
      privateKey: /etc/istio/ingressgateway-certs/tls.key

4. Create the VirtualService

1.7.0/virtaulservice/vs-bookinfo-hosts-star.yaml

apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
  name: bookinfo
spec:
  hosts:
  - "*"
  gateways:
  - bookinfo-gateway
  http:
  - match:
    - uri:
        exact: /productpage
    - uri:
        prefix: /static
    - uri:
        exact: /login
    - uri:
        exact: /logout
    - uri:
        prefix: /api/v1/products
    route:
    - destination:
        host: productpage.istio.svc.cluster.local
        port:
          number: 9080

5. Generate the client certificate

openssl req -out client.example.com.csr -newkey rsa:2048 -nodes -keyout client.example.com.key -subj "/CN=client.example.com/O=client organization"

openssl x509 -req -days 365 -CA example.com.crt -CAkey example.com.key -set_serial 1 -in client.example.com.csr -out client.example.com.crt

6. Access

curl -v -H Host:bookinfo.example.com --resolve "bookinfo.example.com:39329:192.168.198.154" --cacert example.com.crt --cert client.example.com.crt --key client.example.com.key "https://bookinfo.example.com:39329/productpage"

cipherSuites

Deploy the gateway

1.7.0/gateway/tls/gateway-cipherSuites.yaml

apiVersion: networking.istio.io/v1alpha3
kind: Gateway
metadata:
  name: bookinfo-gateway
spec:
  selector:
    istio: ingressgateway
  servers:
  - port:
      number: 443
      name: https
      protocol: HTTPS
    hosts:
    - "bookinfo.demo"
    - "ratings.demo"
    - "nginx.example.com"
    tls:
      mode: SIMPLE
      cipherSuites:
      - ECDHE-RSA-AES256-GCM-SHA384
      - ECDHE-RSA-AES128-GCM-SHA256
      credentialName: bookinfo-secret

minProtocolVersion maxProtocolVersion

Name      Description
TLS_AUTO  Automatically choose the TLS version
TLSV1_0   TLS 1.0
TLSV1_1   TLS 1.1
TLSV1_2   TLS 1.2
TLSV1_3   TLS 1.3

TLS_AUTO

1.7.0/gateway/tls/protocolVersion/gateway-tls-version-tls_auto.yaml

apiVersion: networking.istio.io/v1alpha3
kind: Gateway
metadata:
  name: bookinfo-gateway
spec:
  selector:
    istio: ingressgateway
  servers:
  - port:
      number: 443
      name: https
      protocol: HTTPS
    hosts:
    - "*"
    tls:
      credentialName: bookinfo-secret
      mode: SIMPLE
      minProtocolVersion: TLS_AUTO
      maxProtocolVersion: TLS_AUTO

TLSV1_0

1.7.0/gateway/tls/protocolVersion/gateway-tls-version-tlsv1_0.yaml

apiVersion: networking.istio.io/v1alpha3
kind: Gateway
metadata:
  name: bookinfo-gateway
spec:
  selector:
    istio: ingressgateway
  servers:
  - port:
      number: 443
      name: https
      protocol: HTTPS
    hosts:
    - "*"
    tls:
      credentialName: bookinfo-secret
      mode: SIMPLE
      minProtocolVersion: TLSV1_0
      maxProtocolVersion: TLSV1_0

TLSV1_0 - TLSV1_3

apiVersion: networking.istio.io/v1alpha3
kind: Gateway
metadata:
  name: bookinfo-gateway
spec:
  selector:
    istio: ingressgateway
  servers:
  - port:
      number: 443
      name: https
      protocol: HTTPS
    hosts:
    - "*"
    tls:
      credentialName: bookinfo-secret
      mode: SIMPLE
      minProtocolVersion: TLSV1_0
      maxProtocolVersion: TLSV1_3

subjectAltNames

Setting subjectAltNames without a trusted CA makes Envoy reject the listener:

gRPC config for type.googleapis.com/envoy.config.listener.v3.Listener rejected: Error adding/updating listener(s) 0.0.0.0_8443: SAN-based verification of peer certificates without trusted CA is insecure and not allowed
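The tls field table, the mode table, the protocol-version examples and the subjectAltNames rejection above together describe a set of constraints that are easy to get wrong in a hand-edited Gateway. The following is an added example, not code from the original post: a small linter that encodes those constraints (SIMPLE/MUTUAL need a certificate source, MUTUAL with mounted files needs caCertificates, subjectAltNames needs client CA verification, minProtocolVersion below 1.2 and non-ECDHE cipher suites are flagged, an HTTP server beside an HTTPS one without httpsRedirect is noted, PASSTHROUGH on host "*" is noted) and runs it over the JSON form of Gateway objects as printed by `kubectl get gateway -A -o json`. The sample input is constructed and the function names are my own.

```python
"""Lint the tls block of every Istio Gateway server.

Added example, not from the original post. Input is the JSON form of Gateway
objects (kubectl get gateway -A -o json); output is a list of findings.
"""
import json

WEAK_VERSIONS = {"TLSV1_0", "TLSV1_1"}

# Constructed sample: one Gateway with a plaintext server, a SIMPLE server
# that still allows TLS 1.0, and a MUTUAL server with mounted certs but no CA.
SAMPLE = json.loads("""
{"items": [{
  "metadata": {"name": "bookinfo-gateway"},
  "spec": {"selector": {"istio": "ingressgateway"}, "servers": [
    {"port": {"number": 80, "name": "http", "protocol": "HTTP"}, "hosts": ["*"]},
    {"port": {"number": 443, "name": "https", "protocol": "HTTPS"}, "hosts": ["*"],
     "tls": {"mode": "SIMPLE", "credentialName": "bookinfo-secret",
             "minProtocolVersion": "TLSV1_0", "maxProtocolVersion": "TLSV1_3"}},
    {"port": {"number": 8443, "name": "https-mtls", "protocol": "HTTPS"},
     "hosts": ["bookinfo.example.com"],
     "tls": {"mode": "MUTUAL",
             "serverCertificate": "/etc/istio/ingressgateway-certs/tls.crt",
             "privateKey": "/etc/istio/ingressgateway-certs/tls.key",
             "subjectAltNames": ["client.example.com"]}}
  ]}
}]}
""")


def lint_server(gw_name, server, has_https_sibling):
    """Return (gateway, server name, severity, message) tuples for one server."""
    findings = []
    port = server.get("port", {})
    name = port.get("name", "?")
    proto = str(port.get("protocol", "")).upper()
    tls = server.get("tls") or {}
    mode = str(tls.get("mode", "")).upper()

    def add(severity, message):
        findings.append((gw_name, name, severity, message))

    if proto == "HTTP":
        # A plaintext server beside an HTTPS one is usually meant to redirect.
        if has_https_sibling and not tls.get("httpsRedirect"):
            add("INFO", "HTTP server beside HTTPS without tls.httpsRedirect: true")
        return findings
    if proto not in ("HTTPS", "TLS"):
        return findings
    if not tls:
        add("ERROR", f"{proto} server has no tls block")
        return findings

    has_files = bool(tls.get("serverCertificate") and tls.get("privateKey"))
    has_cred = bool(tls.get("credentialName"))
    if mode in ("SIMPLE", "MUTUAL") and not (has_files or has_cred):
        add("ERROR", f"mode {mode} needs serverCertificate+privateKey or credentialName")
    if mode == "MUTUAL" and has_files and not tls.get("caCertificates"):
        add("ERROR", "mode MUTUAL with mounted certs needs caCertificates to verify clients")
    # SAN checks apply to client certificates, so they need a trusted CA;
    # otherwise Envoy rejects the listener (the error quoted above).
    if tls.get("subjectAltNames") and (mode != "MUTUAL" or not (has_cred or tls.get("caCertificates"))):
        add("ERROR", "subjectAltNames set without client CA verification; Envoy rejects the listener")
    if mode == "PASSTHROUGH" and any(h.split("/")[-1] == "*" for h in server.get("hosts", [])):
        add("INFO", "PASSTHROUGH on host '*': every SNI is routed solely by VirtualService tls rules")
    if str(tls.get("minProtocolVersion", "")).upper() in WEAK_VERSIONS:
        add("WARN", f"minProtocolVersion {tls['minProtocolVersion']} permits TLS below 1.2")
    weak = [c for c in (tls.get("cipherSuites") or []) if "ECDHE" not in c.upper()]
    if weak:
        add("WARN", "cipher suites without forward secrecy: " + ", ".join(weak))
    return findings


def lint_gateways(items):
    out = []
    for gw in items:
        servers = gw.get("spec", {}).get("servers", [])
        has_https = any(str(s.get("port", {}).get("protocol", "")).upper() == "HTTPS" for s in servers)
        for s in servers:
            out.extend(lint_server(gw["metadata"]["name"], s, has_https))
    return out


def lint_sample():
    return lint_gateways(SAMPLE["items"])


if __name__ == "__main__":
    for gw, server, sev, msg in lint_sample():
        print(f"{sev:5} {gw}/{server}: {msg}")
```

Run it against the real cluster by replacing `SAMPLE` with `json.load(sys.stdin)` and piping `kubectl get gateway -A -o json` into it; the checks that depend on what a `credentialName` secret actually contains (for example whether `ca.crt` is present for MUTUAL) still need a look at the secret itself.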
