Gateway resource explained
Istio course released: https://edu.csdn.net/course/detail/29911
This is the most detailed and in-depth Istio course I have seen so far.
Learning objectives
What is a Gateway
In a plain Kubernetes environment, a Kubernetes Ingress is used to configure services that must be exposed outside the cluster. In an Istio service mesh the preferred approach is the newer configuration model, the Istio Gateway. A Gateway lets Istio's traffic-management features be applied to traffic entering the cluster.
There are two kinds of gateway, the ingress gateway and the egress gateway, handling inbound and outbound traffic respectively. A gateway is itself just an Envoy pod.
Resource fields
selector
1.7.0/gateway/gateway-01.yaml
```yaml
apiVersion: networking.istio.io/v1alpha3
kind: Gateway
metadata:
  name: bookinfo-gateway
spec:
  selector:
    istio: ingressgateway
  servers:
  - port:
      number: 80
      name: http
      protocol: HTTP
    hosts:
    - "*"
```
servers
hosts
All domains:
1.7.0/gateway/gateway-server-hosts-star.yaml
```yaml
apiVersion: networking.istio.io/v1alpha3
kind: Gateway
metadata:
  name: bookinfo-gateway
spec:
  selector:
    istio: ingressgateway
  servers:
  - port:
      number: 80
      name: http
      protocol: HTTP
    hosts:
    - "*"
```
A specific domain:
1.7.0/gateway/gateway-server-hosts-bookinfo-com.yaml
```yaml
apiVersion: networking.istio.io/v1alpha3
kind: Gateway
metadata:
  name: bookinfo-gateway
spec:
  selector:
    istio: ingressgateway
  servers:
  - port:
      number: 80
      name: http
      protocol: HTTP
    hosts:
    - "bookinfo.com"
```
Multiple domains:
1.7.0/gateway/gateway-server-hosts-multi.yaml
```yaml
apiVersion: networking.istio.io/v1alpha3
kind: Gateway
metadata:
  name: bookinfo-gateway
spec:
  selector:
    istio: ingressgateway
  servers:
  - port:
      number: 80
      name: http
      protocol: HTTP
    hosts:
    - "bookinfo.com"
    - "bookinfo.demo"
```
Mixed domains (a wildcard on the Gateway, a concrete host on the VirtualService):
1.7.0/gateway/gateway-server-hosts-mix.yaml
```yaml
apiVersion: networking.istio.io/v1alpha3
kind: Gateway
metadata:
  name: bookinfo-gateway
spec:
  selector:
    istio: ingressgateway
  servers:
  - port:
      number: 80
      name: http
      protocol: HTTP
    hosts:
    - "*.com"
---
apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
  name: bookinfo
spec:
  hosts:
  - "bookinfo.com"
  gateways:
  - bookinfo-gateway
  http:
  - match:
    - uri:
        exact: /productpage
    - uri:
        prefix: /static
    - uri:
        exact: /login
    - uri:
        exact: /logout
    - uri:
        prefix: /api/v1/products
    route:
    - destination:
        host: productpage.istio.svc.cluster.local
        port:
          number: 9080
```
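The four `hosts` variants above all come down to one rule: a VirtualService host is served through a Gateway only if some entry in a server's `hosts` list matches it, where `*` matches everything and `*.com` matches any name ending in `.com`, optionally restricted by a `namespace/` prefix (`./` for the Gateway's own namespace, `*/` for any). The following is an added example, not code from the post, that models that matching rule in Python; the gateway and VirtualService dicts at the bottom are constructed inputs mirroring the mixed-domain files.

```python
"""Model of Istio's Gateway-host to VirtualService-host matching (added example)."""


def _name_matches(pattern: str, name: str) -> bool:
    """Wildcard semantics: a leading '*' matches any suffix, so '*' matches all,
    '*.com' matches bookinfo.com, and two wildcards match if the shorter suffix
    is a suffix of the longer one."""
    p_wild = pattern.startswith("*")
    n_wild = name.startswith("*")
    if p_wild and n_wild:
        short, long_ = sorted((pattern[1:], name[1:]), key=len)
        return long_.endswith(short)
    if p_wild:
        return name.endswith(pattern[1:])
    if n_wild:
        return pattern.endswith(name[1:])
    return pattern == name


def server_accepts(server_hosts, vs_host, vs_namespace, gateway_namespace):
    """True if any entry of a server's hosts list admits vs_host, declared by a
    VirtualService living in vs_namespace. Entries may carry a 'namespace/' prefix."""
    for entry in server_hosts:
        if "/" in entry:
            ns, pattern = entry.split("/", 1)
            if ns == ".":
                ns = gateway_namespace
            if ns != "*" and ns != vs_namespace:
                continue
        else:
            pattern = entry
        if _name_matches(pattern, vs_host):
            return True
    return False


def exposed_hosts(gateway: dict, vs: dict, vs_namespace="istio", gateway_namespace="istio"):
    """VirtualService hosts that at least one server on the Gateway will serve."""
    servers = gateway["spec"]["servers"]
    return [h for h in vs["spec"]["hosts"]
            if any(server_accepts(s["hosts"], h, vs_namespace, gateway_namespace) for s in servers)]


# Constructed inputs: the "*.com" Gateway from above, plus a VirtualService that
# also lists bookinfo.demo to show a host the Gateway will not expose.
GATEWAY_MIX = {"spec": {"servers": [{"port": {"number": 80, "name": "http", "protocol": "HTTP"},
                                     "hosts": ["*.com"]}]}}
VS_BOOKINFO = {"spec": {"hosts": ["bookinfo.com", "bookinfo.demo"], "gateways": ["bookinfo-gateway"]}}

if __name__ == "__main__":
    print(exposed_hosts(GATEWAY_MIX, VS_BOOKINFO))  # ['bookinfo.com']
```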
name
1.7.0/gateway/gateway-server-name.yaml
```yaml
apiVersion: networking.istio.io/v1alpha3
kind: Gateway
metadata:
  name: bookinfo-gateway
spec:
  selector:
    istio: ingressgateway
  servers:
  - port:
      number: 80
      name: http
      protocol: HTTP
    hosts:
    - "*"
    name: bookinfo-gateway
```
port
Field | Type | Description | Required |
---|---|---|---|
number | uint32 | A valid port number | Yes |
protocol | string | The protocol used; one of HTTP, HTTPS, GRPC, HTTP2, MONGO, TCP, TLS | Yes |
name | string | A name assigned to the port | Yes |
Protocols supported by Istio:
grpc
grpc-web
http
http2
https
mongo
mysql
*redis
*tcp
tls
udp
* These protocols are disabled by default to avoid accidentally enabling experimental features. To enable them, configure the corresponding Pilot environment variables.
http
1. Deploy the Gateway
1.7.0/gateway/gateway-01.yaml
```yaml
apiVersion: networking.istio.io/v1alpha3
kind: Gateway
metadata:
  name: bookinfo-gateway
spec:
  selector:
    istio: ingressgateway
  servers:
  - port:
      number: 80
      name: http
      protocol: HTTP
    hosts:
    - "*"
```
2. Deploy the VirtualService
1.7.0/virtaulservice/vs-bookinfo-hosts-star.yaml
```yaml
apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
  name: bookinfo
spec:
  hosts:
  - "*"
  gateways:
  - bookinfo-gateway
  http:
  - match:
    - uri:
        exact: /productpage
    - uri:
        prefix: /static
    - uri:
        exact: /login
    - uri:
        exact: /logout
    - uri:
        prefix: /api/v1/products
    route:
    - destination:
        host: productpage.istio.svc.cluster.local
        port:
          number: 9080
```
3. Open it in a browser
https
1. Create the secret
kubectl create -n istio-system secret tls istio-ingressgateway-certs --key ./cert.key --cert=./cert.crt
kubectl exec deploy/istio-ingressgateway -n istio-system -- ls /etc/istio/ingressgateway-certs
2. Create the Gateway
1.7.0/gateway/gateway-https.yaml
```yaml
apiVersion: networking.istio.io/v1alpha3
kind: Gateway
metadata:
  name: bookinfo-gateway
spec:
  selector:
    istio: ingressgateway
  servers:
  - port:
      number: 443
      name: https
      protocol: HTTPS
    hosts:
    - "bookinfo.demo"
    - "ratings.demo"
    tls:
      mode: SIMPLE
      serverCertificate: /etc/istio/ingressgateway-certs/tls.crt
      privateKey: /etc/istio/ingressgateway-certs/tls.key
```
3. Create the VirtualService
1.7.0/virtaulservice/vs-bookinfo-hosts-star.yaml
```yaml
apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
  name: bookinfo
spec:
  hosts:
  - "*"
  gateways:
  - bookinfo-gateway
  http:
  - match:
    - uri:
        exact: /productpage
    - uri:
        prefix: /static
    - uri:
        exact: /login
    - uri:
        exact: /logout
    - uri:
        prefix: /api/v1/products
    route:
    - destination:
        host: productpage.istio.svc.cluster.local
        port:
          number: 9080
```
4. Open it in a browser
tcp
1. Create the Gateway
1.7.0/gateway/gateway-tcp.yaml
```yaml
apiVersion: networking.istio.io/v1alpha3
kind: Gateway
metadata:
  name: tcp-echo-gateway
spec:
  selector:
    istio: ingressgateway
  servers:
  - port:
      number: 31400
      name: tcp
      protocol: TCP
    hosts:
    - "*"
```
2. Create the VirtualService and DestinationRule
1.7.0/gateway/protocol/vs-dr-tcp-echo.yaml
```yaml
apiVersion: networking.istio.io/v1alpha3
kind: DestinationRule
metadata:
  name: tcp-echo-destination
spec:
  host: tcp-echo
  subsets:
  - name: v1
    labels:
      version: v1
  - name: v2
    labels:
      version: v2
---
apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
  name: tcp-echo
spec:
  hosts:
  - "*"
  gateways:
  - tcp-echo-gateway
  tcp:
  - match:
    - port: 31400
    route:
    - destination:
        host: tcp-echo
        port:
          number: 9000
        subset: v1
```
3. Add the port to the ingress gateway Service
kubectl edit svc istio-ingressgateway -n istio-system
4. Test
telnet 10.68.12.164 31400
http2
1. Create the Gateway
1.7.0/gateway/gateway-http2.yaml
```yaml
apiVersion: networking.istio.io/v1alpha3
kind: Gateway
metadata:
  name: bookinfo-gateway
spec:
  selector:
    istio: ingressgateway
  servers:
  - port:
      number: 15444
      name: http2
      protocol: HTTP2
      targetPort: 15444
    hosts:
    - "*"
```
2. Deploy the VirtualService
1.7.0/virtaulservice/vs-bookinfo-hosts-star.yaml
kubectl apply -f vs-bookinfo-hosts-star.yaml -n istio
```yaml
apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
  name: bookinfo
spec:
  hosts:
  - "*"
  gateways:
  - bookinfo-gateway
  http:
  - match:
    - uri:
        exact: /productpage
    - uri:
        prefix: /static
    - uri:
        exact: /login
    - uri:
        exact: /logout
    - uri:
        prefix: /api/v1/products
    route:
    - destination:
        host: productpage.istio.svc.cluster.local
        port:
          number: 9080
```
3. Open it in a browser
mongo
1. Deploy the Gateway
1.7.0/gateway/gateway-mongo.yaml
```yaml
apiVersion: networking.istio.io/v1beta1
kind: Gateway
metadata:
  name: mongo
spec:
  selector:
    istio: ingressgateway
  servers:
  - port:
      number: 27017
      name: mongo
      protocol: MONGO
    hosts:
    - "*"
```
2. Deploy the VirtualService
1.7.0/gateway/protocol/vs-mongodb.yaml
```yaml
apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
  name: mongo
spec:
  hosts:
  - "*"
  gateways:
  - mongo
  tcp:
  - match:
    - port: 27017
    route:
    - destination:
        host: mongodb.istio.svc.cluster.local
        port:
          number: 27017
```
3. Add the port to the ingress gateway Service
kubectl edit svc istio-ingressgateway -n istio-system
4. Test
tls
1. Create the Gateway
1.7.0/gateway/gateway-tls.yaml
```yaml
apiVersion: networking.istio.io/v1alpha3
kind: Gateway
metadata:
  name: bookinfo-gateway
spec:
  selector:
    istio: ingressgateway
  servers:
  - port:
      number: 15443
      name: tls
      protocol: TLS
    hosts:
    - "bookinfo.com"
    tls:
      mode: SIMPLE
      serverCertificate: /etc/istio/ingressgateway-certs/tls.crt
      privateKey: /etc/istio/ingressgateway-certs/tls.key
```
2. Create the VirtualService
1.7.0/gateway/protocol/vs-tls-protocol-echo.yaml
```yaml
apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
  name: tcp-echo
spec:
  hosts:
  - "*"
  gateways:
  - bookinfo-gateway
  tcp:
  - match:
    - port: 15443
    route:
    - destination:
        host: tcp-echo
        port:
          number: 9000
```
3. Edit /etc/hosts
10.68.12.164 bookinfo.com
4. Test
openssl s_client -connect bookinfo.com:15443 -servername bookinfo.com
mysql
1. Create the Gateway
1.7.0/gateway/gateway-mysql.yaml
```yaml
apiVersion: networking.istio.io/v1beta1
kind: Gateway
metadata:
  name: mysql
spec:
  selector:
    istio: ingressgateway
  servers:
  - port:
      number: 3306
      name: mysql
      protocol: MYSQL
    hosts:
    - "*"
```
2. Create the VirtualService
1.7.0/gateway/protocol/vs-mysql.yaml
```yaml
apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
  name: mysql
spec:
  hosts:
  - "*"
  gateways:
  - mysql
  tcp:
  - match:
    - port: 3306
    route:
    - destination:
        host: mysqldb.istio.svc.cluster.local
        port:
          number: 3306
```
3. Add the port to the ingress gateway Service
kubectl edit svc istio-ingressgateway -n istio-system
4. Enable the MySQL protocol filter in Istio
kubectl set env deploy istiod -n istio-system PILOT_ENABLE_MYSQL_FILTER=true
5. Test
mysql -h 192.168.198.154 --port 37031 -uroot -p
redis
1. Create the Gateway
1.7.0/gateway/gateway-redis.yaml
```yaml
apiVersion: networking.istio.io/v1beta1
kind: Gateway
metadata:
  name: redis
spec:
  selector:
    istio: ingressgateway
  servers:
  - port:
      number: 6379
      name: redis
      protocol: REDIS
    hosts:
    - "*"
```
2. Deploy Redis
1.7.0/gateway/protocol/redis-deploy.yaml
```yaml
apiVersion: apps/v1
kind: Deployment
metadata:
  labels:
    app: bcia
    ms-name: redis
  name: bcia-redis
spec:
  replicas: 1
  selector:
    matchLabels:
      app: bcia
      ms-name: redis
  template:
    metadata:
      labels:
        app: bcia
        ms-name: redis
      name: bcia-redis
    spec:
      containers:
      - name: bcia-redis
        image: redis:5.0.8
        command:
        - "redis-server"
---
apiVersion: v1
kind: Service
metadata:
  name: redis
spec:
  selector:
    app: bcia
    ms-name: redis
  ports:
  - port: 6379
    targetPort: 6379
```
3. Create the VirtualService
1.7.0/gateway/protocol/vs-redis.yaml
```yaml
apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
  name: redis
spec:
  hosts:
  - "*"
  gateways:
  - redis
  tcp:
  - match:
    - port: 6379
    route:
    - destination:
        host: redis.istio.svc.cluster.local
        port:
          number: 6379
```
4. Add the port to the ingress gateway Service
kubectl edit svc istio-ingressgateway -n istio-system
5. Enable the Redis protocol filter in Istio
kubectl set env deploy istiod -n istio-system PILOT_ENABLE_REDIS_FILTER=true
6. Test
redis-cli -h 192.168.198.154 -p 29525
tls
Field | Type | Description | Required |
---|---|---|---|
httpsRedirect | bool | Whether plain HTTP requests should be redirected to HTTPS | No |
mode | TLSmode | TLS mode used on the configured external port; one of PASSTHROUGH, SIMPLE, MUTUAL, AUTO_PASSTHROUGH | No |
serverCertificate | string | Path to the server certificate; required when mode is SIMPLE or MUTUAL | No |
privateKey | string | Path to the server private key; required when mode is SIMPLE or MUTUAL | No |
caCertificates | string | Path to the CA certificate; set when mode is MUTUAL | No |
credentialName | string | Uniquely identifies the server certificate and key. The Gateway uses credentialName to fetch the certificate and key from a remote credential store instead of from mounted files | No |
subjectAltNames | string[] | List of SANs; a SubjectAltName lets one certificate cover several domain names | No |
verifyCertificateSpki | string[] | Optional list of base64-encoded SHA-256 hashes of the SPKI of authorized client certificates | No |
verifyCertificateHash | string[] | Optional list of hex-encoded SHA-256 hashes of authorized client certificates | No |
minProtocolVersion | TLSProtocol | Minimum TLS protocol version | No |
maxProtocolVersion | TLSProtocol | Maximum TLS protocol version | No |
cipherSuites | string[] | Cipher suites to offer; defaults to the cipher suites supported by Envoy | No |
httpsRedirect
1.7.0/gateway/tls/gw-httpsRedirect.yaml
```yaml
apiVersion: networking.istio.io/v1beta1
kind: Gateway
metadata:
  name: bookinfo-gateway
spec:
  selector:
    istio: ingressgateway
  servers:
  - port:
      number: 80
      name: http
      protocol: HTTP
    hosts:
    - "*"
    tls:
      httpsRedirect: true
  - port:
      number: 443
      name: https-443
      protocol: HTTPS
    hosts:
    - "*"
    tls:
      mode: SIMPLE
      serverCertificate: /etc/istio/ingressgateway-certs/tls.crt
      privateKey: /etc/istio/ingressgateway-certs/tls.key
```
wget http://bookinfo.com:80/productpage --no-check-certificate
Test it in a browser
mode
Name | Description |
---|---|
PASSTHROUGH | The SNI string presented by the client is used as the match criterion in a VirtualService TLS route to determine the destination service from the service registry |
SIMPLE | Secure connections with standard TLS semantics |
MUTUAL | Secure connections to downstream using mutual TLS, presenting server certificates for authentication |
AUTO_PASSTHROUGH | Similar to passthrough mode, except that servers with this TLS mode do not need an associated VirtualService to map the SNI value to a service in the registry. The destination details (service/subset/port) are encoded in the SNI value. The proxy forwards to the upstream (Envoy) cluster (a set of endpoints) named by the SNI value. |
ISTIO_MUTUAL | Secure connections from downstream using mutual TLS, presenting server certificates for authentication |
PASSTHROUGH
1. Create the certificates
openssl req -x509 -sha256 -nodes -days 365 -newkey rsa:2048 -subj '/O=example Inc./CN=example.com' -keyout example.com.key -out example.com.crt
openssl req -out nginx.example.com.csr -newkey rsa:2048 -nodes -keyout nginx.example.com.key -subj "/CN=nginx.example.com/O=some organization"
openssl x509 -req -days 365 -CA example.com.crt -CAkey example.com.key -set_serial 0 -in nginx.example.com.csr -out nginx.example.com.crt
2. Create the secret
kubectl create secret tls nginx-server-certs --key nginx.example.com.key --cert nginx.example.com.crt -n istio
3. Create the nginx configuration file
```nginx
events {
}
http {
  log_format main '$remote_addr - $remote_user [$time_local] $status '
  '"$request" $body_bytes_sent "$http_referer" '
  '"$http_user_agent" "$http_x_forwarded_for"';
  access_log /var/log/nginx/access.log main;
  error_log /var/log/nginx/error.log;

  server {
    listen 443 ssl;
    root /usr/share/nginx/html;
    index index.html;
    server_name nginx.example.com;
    ssl_certificate /etc/nginx-server-certs/tls.crt;
    ssl_certificate_key /etc/nginx-server-certs/tls.key;
  }
}
```
kubectl create configmap nginx-configmap --from-file=nginx.conf=./nginx.conf -n istio
4. Create the Service and Deployment
```yaml
apiVersion: v1
kind: Service
metadata:
  name: my-nginx
  labels:
    run: my-nginx
spec:
  ports:
  - port: 443
    protocol: TCP
  selector:
    run: my-nginx
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: my-nginx
spec:
  selector:
    matchLabels:
      run: my-nginx
  replicas: 1
  template:
    metadata:
      labels:
        run: my-nginx
    spec:
      containers:
      - name: my-nginx
        image: nginx
        ports:
        - containerPort: 443
        volumeMounts:
        - name: nginx-config
          mountPath: /etc/nginx
          readOnly: true
        - name: nginx-server-certs
          mountPath: /etc/nginx-server-certs
          readOnly: true
      volumes:
      - name: nginx-config
        configMap:
          name: nginx-configmap
      - name: nginx-server-certs
        secret:
          secretName: nginx-server-certs
```
5. Create the Gateway
```yaml
apiVersion: networking.istio.io/v1beta1
kind: Gateway
metadata:
  name: bookinfo-gateway
spec:
  selector:
    istio: ingressgateway
  servers:
  - port:
      number: 443
      name: https-443
      protocol: HTTPS
    hosts:
    - "nginx.example.com"
    tls:
      mode: PASSTHROUGH
```
6. Create the VirtualService
```yaml
apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
  name: nginx
spec:
  hosts:
  - nginx.example.com
  gateways:
  - bookinfo-gateway
  tls:
  - match:
    - port: 443
      sniHosts:
      - nginx.example.com
    route:
    - destination:
        host: my-nginx
        port:
          number: 443
```
7. Open the URL
https://nginx.example.com:39329/
SIMPLE
1. Create the Gateway
1.7.0/gateway/tls/simple/gateway-simple.yaml
```yaml
apiVersion: networking.istio.io/v1alpha3
kind: Gateway
metadata:
  name: bookinfo-gateway
spec:
  selector:
    istio: ingressgateway
  servers:
  - port:
      number: 443
      name: https
      protocol: HTTPS
    hosts:
    - "bookinfo.demo"
    - "ratings.demo"
    - "nginx.example.com"
    tls:
      mode: SIMPLE
      serverCertificate: /etc/istio/ingressgateway-certs/tls.crt
      privateKey: /etc/istio/ingressgateway-certs/tls.key
```
2. Create the VirtualService
1.7.0/virtaulservice/vs-bookinfo-hosts-star.yaml
```yaml
apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
  name: bookinfo
spec:
  hosts:
  - "*"
  gateways:
  - bookinfo-gateway
  http:
  - match:
    - uri:
        exact: /productpage
    - uri:
        prefix: /static
    - uri:
        exact: /login
    - uri:
        exact: /logout
    - uri:
        prefix: /api/v1/products
    route:
    - destination:
        host: productpage.istio.svc.cluster.local
        port:
          number: 9080
```
3. Open https://bookinfo.demo:39329/productpage
MUTUAL
1. Create the certificates
openssl req -x509 -sha256 -nodes -days 365 -newkey rsa:2048 -subj '/O=example Inc./CN=example.com' -keyout example.com.key -out example.com.crt
openssl req -out bookinfo.example.com.csr -newkey rsa:2048 -nodes -keyout bookinfo.example.com.key -subj "/CN=bookinfo.example.com/O=some organization"
openssl x509 -req -days 365 -CA example.com.crt -CAkey example.com.key -set_serial 0 -in bookinfo.example.com.csr -out bookinfo.example.com.crt
2. Create the secret (server cert, key, and the CA used to verify clients)
kubectl create -n istio-system secret generic bookinfo-credential --from-file=tls.key=bookinfo.example.com.key --from-file=tls.crt=bookinfo.example.com.crt --from-file=ca.crt=example.com.crt
3. Create the Gateway
1.7.0/gateway/tls/mutual/gateway-mutual.yaml
```yaml
apiVersion: networking.istio.io/v1alpha3
kind: Gateway
metadata:
  name: bookinfo-gateway
spec:
  selector:
    istio: ingressgateway
  servers:
  - port:
      number: 443
      name: https
      protocol: HTTPS
    tls:
      mode: MUTUAL
      credentialName: bookinfo-credential
    hosts:
    - bookinfo.example.com
```
4. Create the VirtualService
1.7.0/virtaulservice/vs-bookinfo-hosts-star.yaml
```yaml
apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
  name: bookinfo
spec:
  hosts:
  - "*"
  gateways:
  - bookinfo-gateway
  http:
  - match:
    - uri:
        exact: /productpage
    - uri:
        prefix: /static
    - uri:
        exact: /login
    - uri:
        exact: /logout
    - uri:
        prefix: /api/v1/products
    route:
    - destination:
        host: productpage.istio.svc.cluster.local
        port:
          number: 9080
```
5. Generate a client certificate
openssl req -out client.example.com.csr -newkey rsa:2048 -nodes -keyout client.example.com.key -subj "/CN=client.example.com/O=client organization"
openssl x509 -req -days 365 -CA example.com.crt -CAkey example.com.key -set_serial 1 -in client.example.com.csr -out client.example.com.crt
6. Access (the client presents its certificate and key)
curl -v -HHost:bookinfo.example.com --resolve "bookinfo.example.com:39329:192.168.198.154" --cacert example.com.crt --cert client.example.com.crt --key client.example.com.key "https://bookinfo.example.com:39329/productpage"
AUTO_PASSTHROUGH
http://www.finbit.org/docs/examples/multicluster/split-horizon-eds//eAEFwUEKwCAMBMAX2b37m6IBF2IjboTS13dmZC5VgErGxUCPJth7z-UmzOPJ5kdpG1rOLCM2v3iKdeEH6-4X5Q,
Mainly used for multiple Kubernetes clusters sharing a single Istio control plane.
```yaml
apiVersion: networking.istio.io/v1alpha3
kind: Gateway
metadata:
  name: bookinfo-gateway
spec:
  selector:
    istio: ingressgateway
  servers:
  - port:
      number: 443
      name: tls
      protocol: TLS
    tls:
      mode: AUTO_PASSTHROUGH
    hosts:
    - "*.local"
```
ISTIO_MUTUAL
1. Create the certificates
openssl req -x509 -sha256 -nodes -days 365 -newkey rsa:2048 -subj '/O=example Inc./CN=example.com' -keyout example.com.key -out example.com.crt
openssl req -out bookinfo.example.com.csr -newkey rsa:2048 -nodes -keyout bookinfo.example.com.key -subj "/CN=bookinfo.example.com/O=some organization"
openssl x509 -req -days 365 -CA example.com.crt -CAkey example.com.key -set_serial 0 -in bookinfo.example.com.csr -out bookinfo.example.com.crt
2. Create the secret
kubectl create -n istio-system secret generic bookinfo-credential --from-file=tls.key=bookinfo.example.com.key --from-file=tls.crt=bookinfo.example.com.crt --from-file=ca.crt=example.com.crt
3. Create the Gateway
1.7.0/gateway/tls/istio-mutual/gateway-istio-mutual.yaml
```yaml
apiVersion: networking.istio.io/v1alpha3
kind: Gateway
metadata:
  name: bookinfo-gateway
spec:
  selector:
    istio: ingressgateway
  servers:
  - port:
      number: 443
      name: https
      protocol: HTTPS
    tls:
      mode: ISTIO_MUTUAL
      credentialName: "bookinfo-credential"
    hosts:
    - "*"
```
4. Create the VirtualService
1.7.0/virtaulservice/vs-bookinfo-hosts-star.yaml
```yaml
apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
  name: bookinfo
spec:
  hosts:
  - "*"
  gateways:
  - bookinfo-gateway
  http:
  - match:
    - uri:
        exact: /productpage
    - uri:
        prefix: /static
    - uri:
        exact: /login
    - uri:
        exact: /logout
    - uri:
        prefix: /api/v1/products
    route:
    - destination:
        host: productpage.istio.svc.cluster.local
        port:
          number: 9080
```
5. Access
curl -v -HHost:bookinfo.example.com --resolve "bookinfo.example.com:39329:192.168.198.154" --cacert example.com.crt "https://bookinfo.example.com:39329/productpage"
credentialName
1. Create the secret
cd 1.7.0/gateway/certs
kubectl create -n istio-system secret tls bookinfo-secret --key ./cert.key --cert=./cert.crt
2. Create the Gateway
kubectl apply -f gateway-credentialName.yaml -n istio
1.7.0/gateway/tls/gateway-credentialName.yaml
```yaml
apiVersion: networking.istio.io/v1alpha3
kind: Gateway
metadata:
  name: bookinfo-gateway
spec:
  selector:
    istio: ingressgateway
  servers:
  - port:
      number: 443
      name: https
      protocol: HTTPS
    hosts:
    - "*"
    tls:
      credentialName: bookinfo-secret
      mode: SIMPLE
```
3. Create the VirtualService
1.7.0/virtaulservice/vs-bookinfo-hosts-star.yaml
```yaml
apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
  name: bookinfo
spec:
  hosts:
  - "*"
  gateways:
  - bookinfo-gateway
  http:
  - match:
    - uri:
        exact: /productpage
    - uri:
        prefix: /static
    - uri:
        exact: /login
    - uri:
        exact: /logout
    - uri:
        prefix: /api/v1/products
    route:
    - destination:
        host: productpage.istio.svc.cluster.local
        port:
          number: 9080
```
4. Open https://bookinfo.demo:39329/productpage
caCertificates
1. Generate the certificates
openssl req -x509 -sha256 -nodes -days 365 -newkey rsa:2048 -subj '/O=example Inc./CN=example.com' -keyout example.com.key -out example.com.crt
openssl req -out bookinfo.example.com.csr -newkey rsa:2048 -nodes -keyout bookinfo.example.com.key -subj "/CN=bookinfo.example.com/O=some organization"
openssl x509 -req -days 365 -CA example.com.crt -CAkey example.com.key -set_serial 0 -in bookinfo.example.com.csr -out bookinfo.example.com.crt
2. Create the secret
kubectl create -n istio-system secret generic istio-ingressgateway-certs --from-file=tls.key=bookinfo.example.com.key --from-file=tls.crt=bookinfo.example.com.crt --from-file=ca.crt=example.com.crt
Check that the files were mounted into the gateway pod:
kubectl exec deploy/istio-ingressgateway -n istio-system -- ls /etc/istio/ingressgateway-certs
3. Create the Gateway
1.7.0/gateway/tls/gateway-caCertificates.yaml
```yaml
apiVersion: networking.istio.io/v1alpha3
kind: Gateway
metadata:
  name: bookinfo-gateway
spec:
  selector:
    istio: ingressgateway
  servers:
  - port:
      number: 443
      name: https
      protocol: HTTPS
    hosts:
    - "*"
    tls:
      mode: MUTUAL
      caCertificates: /etc/istio/ingressgateway-certs/ca.crt
      serverCertificate: /etc/istio/ingressgateway-certs/tls.crt
      privateKey: /etc/istio/ingressgateway-certs/tls.key
```
4. Create the VirtualService
1.7.0/virtaulservice/vs-bookinfo-hosts-star.yaml
```yaml
apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
  name: bookinfo
spec:
  hosts:
  - "*"
  gateways:
  - bookinfo-gateway
  http:
  - match:
    - uri:
        exact: /productpage
    - uri:
        prefix: /static
    - uri:
        exact: /login
    - uri:
        exact: /logout
    - uri:
        prefix: /api/v1/products
    route:
    - destination:
        host: productpage.istio.svc.cluster.local
        port:
          number: 9080
```
5. Generate a client certificate
openssl req -out client.example.com.csr -newkey rsa:2048 -nodes -keyout client.example.com.key -subj "/CN=client.example.com/O=client organization"
openssl x509 -req -days 365 -CA example.com.crt -CAkey example.com.key -set_serial 1 -in client.example.com.csr -out client.example.com.crt
6. Access
curl -v -HHost:bookinfo.example.com --resolve "bookinfo.example.com:39329:192.168.198.154" --cacert example.com.crt --cert client.example.com.crt --key client.example.com.key "https://bookinfo.example.com:39329/productpage"
cipherSuites
Deploy the Gateway
1.7.0/gateway/tls/gateway-cipherSuites.yaml
```yaml
apiVersion: networking.istio.io/v1alpha3
kind: Gateway
metadata:
  name: bookinfo-gateway
spec:
  selector:
    istio: ingressgateway
  servers:
  - port:
      number: 443
      name: https
      protocol: HTTPS
    hosts:
    - "bookinfo.demo"
    - "ratings.demo"
    - "nginx.example.com"
    tls:
      mode: SIMPLE
      cipherSuites:
      - ECDHE-RSA-AES256-GCM-SHA384
      - ECDHE-RSA-AES128-GCM-SHA256
      credentialName: bookinfo-secret
```
minProtocolVersion maxProtocolVersion
Name | Description |
---|---|
TLS_AUTO | Select the TLS version automatically |
TLSV1_0 | TLS 1.0 |
TLSV1_1 | TLS 1.1 |
TLSV1_2 | TLS 1.2 |
TLSV1_3 | TLS 1.3 |
TLS_AUTO
1.7.0/gateway/tls/protocolVersion/gateway-tls-version-tls_auto.yaml
```yaml
apiVersion: networking.istio.io/v1alpha3
kind: Gateway
metadata:
  name: bookinfo-gateway
spec:
  selector:
    istio: ingressgateway
  servers:
  - port:
      number: 443
      name: https
      protocol: HTTPS
    hosts:
    - "*"
    tls:
      credentialName: bookinfo-secret
      mode: SIMPLE
      minProtocolVersion: TLS_AUTO
      maxProtocolVersion: TLS_AUTO
```
TLSV1_0
1.7.0/gateway/tls/protocolVersion/gateway-tls-version-tlsv1_0.yaml
```yaml
apiVersion: networking.istio.io/v1alpha3
kind: Gateway
metadata:
  name: bookinfo-gateway
spec:
  selector:
    istio: ingressgateway
  servers:
  - port:
      number: 443
      name: https
      protocol: HTTPS
    hosts:
    - "*"
    tls:
      credentialName: bookinfo-secret
      mode: SIMPLE
      minProtocolVersion: TLSV1_0
      maxProtocolVersion: TLSV1_0
```
TLSV1_0 - TLSV1_3
```yaml
apiVersion: networking.istio.io/v1alpha3
kind: Gateway
metadata:
  name: bookinfo-gateway
spec:
  selector:
    istio: ingressgateway
  servers:
  - port:
      number: 443
      name: https
      protocol: HTTPS
    hosts:
    - "*"
    tls:
      credentialName: bookinfo-secret
      mode: SIMPLE
      minProtocolVersion: TLSV1_0
      maxProtocolVersion: TLSV1_3
```
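The tls field table, the mode examples and the protocol-version examples above describe combinations that Istio either requires (SIMPLE/MUTUAL need a certificate source, MUTUAL with mounted files needs caCertificates) or that a reviewer would flag (TLS 1.0/1.1 allowed, plain HTTP next to HTTPS without httpsRedirect, subjectAltNames with no trusted CA). The following is an added example, not code from the post, that runs those checks over a Gateway parsed into a dict (the shape `yaml.safe_load` produces); the sample Gateways are constructed to mirror the TLSV1_0 and caCertificates files shown earlier.

```python
"""Static review of the tls settings on an Istio Gateway's servers (added example)."""

LEGACY_TLS = {"TLSV1_0", "TLSV1_1"}


def _proto(server: dict) -> str:
    return str(server.get("port", {}).get("protocol", "")).upper()


def _label(server: dict) -> str:
    port = server.get("port", {})
    return f"{port.get('name', '?')}:{port.get('number', '?')}"


def audit_server(server: dict) -> list:
    """Findings for one spec.servers[] entry; an empty list means no issue."""
    label, tls = _label(server), server.get("tls") or {}
    mode = tls.get("mode")
    findings = []
    if _proto(server) in ("HTTPS", "TLS") and not tls:
        return [f"{label}: {_proto(server)} server without a tls block"]
    if mode in ("SIMPLE", "MUTUAL"):
        files = bool(tls.get("serverCertificate")) and bool(tls.get("privateKey"))
        secret = bool(tls.get("credentialName"))
        if not (files or secret):
            findings.append(f"{label}: {mode} needs credentialName or serverCertificate+privateKey")
        if files and secret:
            findings.append(f"{label}: use either credentialName or mounted files, not both")
        # With mounted files, MUTUAL has no CA to verify client certs unless caCertificates is set;
        # with credentialName the ca.crt key of the secret plays that role.
        if mode == "MUTUAL" and files and not secret and not tls.get("caCertificates"):
            findings.append(f"{label}: MUTUAL with mounted files needs caCertificates")
    # The listener rejection shown under subjectAltNames: SAN checks need a trusted CA
    if tls.get("subjectAltNames") and mode != "MUTUAL":
        findings.append(f"{label}: subjectAltNames without MUTUAL has no trusted CA; Envoy rejects the listener")
    for key in ("minProtocolVersion", "maxProtocolVersion"):
        if tls.get(key) in LEGACY_TLS:
            findings.append(f"{label}: {key} {tls[key]} permits legacy TLS")
    return findings


def audit_gateway(gw: dict) -> list:
    """Per-server findings plus the cross-server httpsRedirect check."""
    servers = gw.get("spec", {}).get("servers", [])
    findings = [f for s in servers for f in audit_server(s)]
    if any(_proto(s) == "HTTPS" for s in servers):
        for s in servers:
            if _proto(s) == "HTTP" and not (s.get("tls") or {}).get("httpsRedirect"):
                findings.append(f"{_label(s)}: plain HTTP served next to HTTPS without httpsRedirect")
    return findings


def _gw(*servers):
    # Constructed Gateway skeleton; only spec.servers matters for the checks
    return {"apiVersion": "networking.istio.io/v1alpha3", "kind": "Gateway",
            "metadata": {"name": "bookinfo-gateway"},
            "spec": {"selector": {"istio": "ingressgateway"}, "servers": list(servers)}}


# Constructed inputs mirroring gateway-tls-version-tlsv1_0.yaml and gateway-caCertificates.yaml
GW_TLS10 = _gw({"port": {"number": 443, "name": "https", "protocol": "HTTPS"}, "hosts": ["*"],
                "tls": {"credentialName": "bookinfo-secret", "mode": "SIMPLE",
                        "minProtocolVersion": "TLSV1_0", "maxProtocolVersion": "TLSV1_0"}})
GW_MUTUAL_FILES = _gw({"port": {"number": 443, "name": "https", "protocol": "HTTPS"}, "hosts": ["*"],
                       "tls": {"mode": "MUTUAL",
                               "caCertificates": "/etc/istio/ingressgateway-certs/ca.crt",
                               "serverCertificate": "/etc/istio/ingressgateway-certs/tls.crt",
                               "privateKey": "/etc/istio/ingressgateway-certs/tls.key"}})

if __name__ == "__main__":
    for name, gw in (("tlsv1_0", GW_TLS10), ("caCertificates", GW_MUTUAL_FILES)):
        print(name, audit_gateway(gw) or ["ok"])
```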
subjectAltNames
Setting subjectAltNames on a server that has no trusted CA to verify peer certificates against makes Envoy reject the listener with the following error:
gRPC config for type.googleapis.com/envoy.config.listener.v3.Listener rejected: Error adding/updating listener(s) 0.0.0.0_8443: SAN-based verification of peer certificates without trusted CA is insecure and not allowed