我的书签
添加书签
移除书签无 TLS 终止的 Ingress Gateway
本任务中的 HTTPS 示例服务是一个简单的 NGINX 服务。在接下来的步骤中,您首先在 Kubernetes 集群中创建一个 NGINX 服务。接着,通过网关给这个服务配置一个域名是 的访问入口。
对于此任务,您可以使用自己喜欢的工具来生成证书和密钥。以下命令使用
创建根证书和私钥来为您的服务签名证书:
为
nginx.example.com创建证书和私钥:$ openssl req -out nginx.example.com.csr -newkey rsa:2048 -nodes -keyout nginx.example.com.key -subj "/CN=nginx.example.com/O=some organization"$ openssl x509 -req -sha256 -days 365 -CA example.com.crt -CAkey example.com.key -set_serial 0 -in nginx.example.com.csr -out nginx.example.com.crt
-
$ kubectl create secret tls nginx-server-certs --key nginx.example.com.key --cert nginx.example.com.crt
为 NGINX 服务创建一个配置文件:
$ cat <<\EOF > ./nginx.confevents {}http {log_format main '$remote_addr - $remote_user [$time_local] $status ''"$request" $body_bytes_sent "$http_referer" ''"$http_user_agent" "$http_x_forwarded_for"';access_log /var/log/nginx/access.log main;error_log /var/log/nginx/error.log;server {listen 443 ssl;root /usr/share/nginx/html;index index.html;server_name nginx.example.com;ssl_certificate /etc/nginx-server-certs/tls.crt;ssl_certificate_key /etc/nginx-server-certs/tls.key;}}EOF
创建一个 Kubernetes 的 ConfigMap 资源来保存 NGINX 服务的配置:
部署 NGINX 服务
$ cat <<EOF | istioctl kube-inject -f - | kubectl apply -f -apiVersion: v1kind: Servicemetadata:name: my-nginxlabels:run: my-nginxspec:ports:- port: 443protocol: TCPselector:run: my-nginx---apiVersion: apps/v1metadata:name: my-nginxspec:selector:matchLabels:replicas: 1template:metadata:labels:run: my-nginxspec:containers:- name: my-nginximage: nginxports:- containerPort: 443volumeMounts:- name: nginx-configmountPath: /etc/nginxreadOnly: true- name: nginx-server-certsmountPath: /etc/nginx-server-certsreadOnly: truevolumes:- name: nginx-configconfigMap:name: nginx-configmap- name: nginx-server-certssecret:secretName: nginx-server-certsEOF
要测试 NGINX 服务是否已成功部署,需要从其 Sidecar 代理发送请求,并忽略检查服务端的证书(使用
curl的-k选项)。确保正确打印服务端的证书,即common name (CN)等于nginx.example.com。$ kubectl exec "$(kubectl get pod -l run=my-nginx -o jsonpath={.items..metadata.name})" -c istio-proxy -- curl -sS -v -k --resolve nginx.example.com:443:127.0.0.1 https://nginx.example.com...SSL connection using TLSv1.2 / ECDHE-RSA-AES256-GCM-SHA384ALPN, server accepted to use http/1.1Server certificate:subject: CN=nginx.example.com; O=some organizationstart date: May 27 14:18:47 2020 GMTexpire date: May 27 14:18:47 2021 GMTissuer: O=example Inc.; CN=example.comSSL certificate verify result: unable to get local issuer certificate (20), continuing anyway.> GET / HTTP/1.1> User-Agent: curl/7.58.0> Host: nginx.example.com...< HTTP/1.1 200 OK< Server: nginx/1.17.10<!DOCTYPE html><html><head><title>Welcome to nginx!</title>...
-
$ kubectl apply -f - <<EOFapiVersion: networking.istio.io/v1alpha3kind: Gatewaymetadata:name: mygatewayspec:selector:istio: ingressgateway # use istio default ingress gatewayservers:- port:number: 443name: httpsprotocol: HTTPStls:mode: PASSTHROUGHhosts:- nginx.example.comEOF
为通过
Gateway进入的流量配置路由:根据中的指令来定义环境变量
SECURE_INGRESS_PORT和INGRESS_HOST。从集群外访问 NGINX 服务。注意,服务端返回了正确的证书,并且该证书已成功验证(输出了 _SSL certificate verify ok_)。
$ curl -v --resolve "nginx.example.com:$SECURE_INGRESS_PORT:$INGRESS_HOST" --cacert example.com.crt "https://nginx.example.com:$SECURE_INGRESS_PORT"Server certificate:subject: CN=nginx.example.com; O=some organizationstart date: Wed, 15 Aug 2018 07:29:07 GMTexpire date: Sun, 25 Aug 2019 07:29:07 GMTissuer: O=example Inc.; CN=example.comSSL certificate verify ok.< HTTP/1.1 200 OK< Server: nginx/1.15.2...<html><head><title>Welcome to nginx!</title>
删除已创建的 Kubernetes 资源:
$ kubectl delete secret nginx-server-certs$ kubectl delete configmap nginx-configmap$ kubectl delete service my-nginx$ kubectl delete deployment my-nginx$ kubectl delete gateway mygateway
-
$ rm example.com.crt example.com.key nginx.example.com.crt nginx.example.com.key nginx.example.com.csr
删除本示例中生成的配置文件:
