Secure Gateways


1. 示例:为 kiali 开启 TLS,其他服务的做法类似

第一步,生成证书(下面以 fe.magedu.com 为例签发服务端证书;为 kiali 签发时,把 CN 和文件名换成 kiali.magedu.com 即可,第二步中引用的 kiali.magedu.com.key / kiali.magedu.com.crt 就是这样生成的)

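#!/usr/bin/env bash
# Issue a server certificate for an Istio ingress gateway host, signed by the
# local example CA (magedu.com.crt / magedu.com.key in the current directory).
#
# Usage:   ./gen-server-cert.sh [host]      (default host: fe.magedu.com)
# Env:     CA_CERT, CA_KEY  - CA certificate / key file names
#          DAYS             - validity in days (default 365)
#          ORG              - subject O= value (default "fe organization")
# Outputs: <host>.key, <host>.csr, <host>.crt in the current directory; the CA
#          serial-tracking file is created by -CAcreateserial on first use.
set -euo pipefail

host=${1:-fe.magedu.com}
ca_cert=${CA_CERT:-magedu.com.crt}
ca_key=${CA_KEY:-magedu.com.key}
days=${DAYS:-365}
org=${ORG:-fe organization}

if [[ ! -r "$ca_cert" || ! -r "$ca_key" ]]; then
  printf 'CA files %s / %s not found or not readable\n' "$ca_cert" "$ca_key" >&2
  exit 1
fi

# -nodes writes the private key unencrypted, which is what the
# kubernetes.io/tls Secret needs; keep the file private on this host.
openssl req -out "${host}.csr" -newkey rsa:2048 -nodes -keyout "${host}.key" \
  -subj "/CN=${host}/O=${org}"
chmod 600 -- "${host}.key"

# Modern TLS clients (browsers, Go) ignore CN for host matching and require a
# subjectAltName, so the host is added as a DNS SAN via -extfile.
# -CAcreateserial hands out a fresh serial per certificate; the previous fixed
# -set_serial 2 gave every certificate issued by this CA (kiali, fe, ...) the
# same serial, a reused issuer/serial pair that some clients reject outright.
openssl x509 -req -days "$days" -CA "$ca_cert" -CAkey "$ca_key" -CAcreateserial \
  -in "${host}.csr" -out "${host}.crt" \
  -extfile <(printf 'subjectAltName=DNS:%s\n' "$host")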
第二步,用上一步的私钥和证书生成相应的 TLS 类型 Secret 资源
root@master01:/opt/istio-in-practise/Security/03-Ingress-Gateway-TLS/certs# kubectl create -n istio-system secret tls kiali-credential --key=kiali.magedu.com.key --cert=kiali.magedu.com.crt
secret/kiali-credential created
root@master01:/opt/istio-in-practise/Security/03-Ingress-Gateway-TLS/certs# kubectl get secret  -nistio-system |grep cred
kiali-credential                                   kubernetes.io/tls                     2      12s
root@master01:/opt/istio-in-practise/Security/03-Ingress-Gateway-TLS/kiali# cat kiali-gateway.yaml 
# Istio Gateway that exposes Kiali through the shared ingress gateway.
# Port 80 stays open only to redirect to HTTPS; port 443 terminates TLS with
# the server certificate held in the kiali-credential Secret (created in step 2).
apiVersion: networking.istio.io/v1beta1
kind: Gateway
metadata:
  name: kiali-gateway
  namespace: istio-system
spec:
  selector:
    app: istio-ingressgateway   # bind this Gateway to the default ingress gateway pods
  servers:
  - port:
      number: 80
      name: http-kiali
      protocol: HTTP
    hosts:
    - "kiali.magedu.com"
    tls:
      httpsRedirect: true  # keep plain HTTP on 80 but answer it with a 301 to HTTPS
  - port:
      number: 443
      name: https-kiali
      protocol: HTTPS
    tls:
      mode: SIMPLE     # server-side TLS only: clients are not asked for a certificate.
                       # To verify client certificates and so restrict who can reach
                       # Kiali, use MUTUAL (own CA bundle in the Secret) or ISTIO_MUTUAL
                       # (Istio-issued client certificates).
      credentialName: kiali-credential   # kubernetes.io/tls Secret; must live in the ingress gateway's namespace (istio-system)
    hosts:
    - "kiali.magedu.com"
---
root@master01:/opt/istio-in-practise/Security/03-Ingress-Gateway-TLS/kiali# cat kiali-virtualservice.yaml 
# VirtualService that routes everything arriving for kiali.magedu.com on
# kiali-gateway to the Kiali service. TLS is already terminated by the Gateway,
# so this only sees decrypted HTTP.
apiVersion: networking.istio.io/v1beta1
kind: VirtualService
metadata:
  name: kiali-virtualservice
  namespace: istio-system
spec:
  hosts:
  - "kiali.magedu.com"   # must match a host listed on the Gateway server
  gateways:
  - kiali-gateway        # short name: resolved in this namespace (istio-system)
  http:
  - match:
    - uri:
        prefix: /        # catch-all; no path is excluded from the route
    route:
    - destination:
        host: kiali      # short service name, resolved relative to istio-system
        port:
          number: 20001  # Kiali's service port
---

root@master01:/opt/istio-in-practise/Security/03-Ingress-Gateway-TLS/fe-proxy# cat gateway-proxy.yaml 
# Istio Gateway for fe.magedu.com, same pattern as kiali-gateway: HTTP on 80
# redirects to HTTPS, HTTPS on 443 terminates TLS with the fe-credential Secret.
apiVersion: networking.istio.io/v1beta1
kind: Gateway
metadata:
  name: proxy-gateway
  namespace: istio-system        # must be the namespace where the ingress gateway pods run
spec:
  selector:
    app: istio-ingressgateway    # bind this Gateway to the default ingress gateway pods
  servers:
  - port:
      number: 80
      name: http
      protocol: HTTP
    hosts:
    - "fe.magedu.com"
    tls:
      httpsRedirect: true        # plain HTTP is accepted only to be redirected (301) to HTTPS
  - port:
      number: 443
      name: https
      protocol: HTTPS
    tls:
      mode: SIMPLE               # server-side TLS only; client certificates are not verified
      credentialName: fe-credential   # kubernetes.io/tls Secret in istio-system, built from
                                      # fe.magedu.com.key / fe.magedu.com.crt from step 1, the
                                      # same way kiali-credential was created in step 2
    hosts:
    - "fe.magedu.com"
---

相关