kubernetes - Using Istio as a reverse proxy for an external TLS service
Problem description
Istio lets you route an HTTP request with a VirtualService to an external host that is declared as a ServiceEntry. For example:
apiVersion: networking.istio.io/v1alpha3
kind: ServiceEntry
metadata:
  name: httpbin-ext
spec:
  hosts:
  - httpbin.org
  ports:
  - number: 80
    name: http
    protocol: HTTP
  resolution: DNS
  location: MESH_EXTERNAL
---
apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
  name: httpbin
spec:
  hosts:
  - httpbin.domain.co
  gateways:
  - public-gateway.istio-system.svc.cluster.local
  - mesh
  http:
  - match:
    - gateways:
      - public-gateway.istio-system.svc.cluster.local
      port: 443
      host: httpbin.domain.co
    route:
    - destination:
        host: httpbin.org
        port:
          number: 80
However, this only allows HTTP endpoints - how do I configure the external endpoint for TLS/HTTPS?
Solution
This took me a few hours to work out - I felt it was worth sharing.
To terminate this service as TLS, a Destination Rule is needed. My final config:
apiVersion: networking.istio.io/v1alpha3
kind: ServiceEntry
metadata:
  name: httpbin-ext
spec:
  hosts:
  - httpbin.org
  ports:
  - number: 443
    name: https
    protocol: HTTPS
  resolution: DNS
  location: MESH_EXTERNAL
---
apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
  name: httpbin
spec:
  hosts:
  - httpbin.domain.co
  gateways:
  - public-gateway.istio-system.svc.cluster.local
  - mesh
  http:
  - match:
    - gateways:
      - public-gateway.istio-system.svc.cluster.local
      port: 443
      host: httpbin.domain.co
    - gateways:
      - public-gateway.istio-system.svc.cluster.local
      port: 80
      host: httpbin.domain.co
    route:
    - destination:
        host: httpbin.org
        port:
          number: 443
---
apiVersion: networking.istio.io/v1alpha3
kind: DestinationRule
metadata:
  name: httpbin-org
spec:
  host: httpbin.org
  trafficPolicy:
    loadBalancer:
      simple: ROUND_ROBIN
    portLevelSettings:
    - port:
        number: 443
      tls:
        mode: SIMPLE
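As an added consistency check (example code, not part of the original question or answer): the three resources from the answer are mirrored as Python dicts and run through a small linter for the wiring that makes TLS origination work. It checks that the VirtualService destination port is declared on the MESH_EXTERNAL ServiceEntry, that an HTTPS port has a DestinationRule applying a tls mode to that host and port (without one the proxy forwards plaintext HTTP to port 443, which is exactly the failure the question describes), and that a tls mode is not applied to a port declared HTTP. It also warns when mode SIMPLE carries no caCertificates, because whether the proxy then verifies the upstream server certificate has depended on the Istio release (older releases did not verify; newer ones fall back to the OS CA bundle). It goes slightly beyond the answer by also honouring a rule-level trafficPolicy.tls when no portLevelSettings entry matches. The builder functions, the Finding tuple and the lint logic are assumptions for this example; hosts, resource names and ports are the answer's.

```python
"""Consistency linter for an Istio external-TLS egress setup (added example).

Resources are mirrored as plain dicts so the check runs offline with only the
standard library. The builders below reproduce the answer's three manifests.
"""
from typing import Dict, List, Optional, Tuple

Finding = Tuple[str, str]  # (severity, message); hypothetical shape for this example
GATEWAY = "public-gateway.istio-system.svc.cluster.local"


def service_entry(host: str, port: int, protocol: str) -> Dict:
    """MESH_EXTERNAL ServiceEntry for one host/port, as in the answer."""
    return {"apiVersion": "networking.istio.io/v1alpha3", "kind": "ServiceEntry",
            "metadata": {"name": "httpbin-ext"},
            "spec": {"hosts": [host],
                     "ports": [{"number": port, "name": protocol.lower(), "protocol": protocol}],
                     "resolution": "DNS", "location": "MESH_EXTERNAL"}}


def virtual_service(dest_host: str, dest_port: int) -> Dict:
    """VirtualService on the public gateway routing to the external host."""
    return {"apiVersion": "networking.istio.io/v1alpha3", "kind": "VirtualService",
            "metadata": {"name": "httpbin"},
            "spec": {"hosts": ["httpbin.domain.co"], "gateways": [GATEWAY, "mesh"],
                     "http": [{"match": [{"gateways": [GATEWAY], "port": 443, "host": "httpbin.domain.co"}],
                               "route": [{"destination": {"host": dest_host,
                                                          "port": {"number": dest_port}}}]}]}}


def destination_rule(host: str, port: int, mode: str, ca: str = "") -> Dict:
    """DestinationRule originating TLS on one port via portLevelSettings."""
    tls: Dict[str, str] = {"mode": mode}
    if ca:
        tls["caCertificates"] = ca
    return {"apiVersion": "networking.istio.io/v1alpha3", "kind": "DestinationRule",
            "metadata": {"name": "httpbin-org"},
            "spec": {"host": host,
                     "trafficPolicy": {"loadBalancer": {"simple": "ROUND_ROBIN"},
                                       "portLevelSettings": [{"port": {"number": port}, "tls": tls}]}}}


def tls_settings_for(rules: List[Dict], host: str, port: int) -> Optional[Dict]:
    """Client TLS settings a DestinationRule applies to host:port, or None.
    A matching portLevelSettings entry wins over the rule-level trafficPolicy.tls."""
    for dr in rules:
        spec = dr["spec"]
        if spec.get("host") != host:
            continue
        policy = spec.get("trafficPolicy", {})
        for pls in policy.get("portLevelSettings", []):
            if pls.get("port", {}).get("number") == port and "tls" in pls:
                return pls["tls"]
        if "tls" in policy:
            return policy["tls"]
    return None


def lint_egress(manifests: List[Dict]) -> List[Finding]:
    """Cross-check ServiceEntry, VirtualService and DestinationRule for each external route."""
    by_kind: Dict[str, List[Dict]] = {}
    for m in manifests:
        by_kind.setdefault(m["kind"], []).append(m)

    # host -> {port number: declared protocol}, for MESH_EXTERNAL entries only
    external: Dict[str, Dict[int, str]] = {}
    for se in by_kind.get("ServiceEntry", []):
        spec = se["spec"]
        if spec.get("location") != "MESH_EXTERNAL":
            continue
        ports = {p["number"]: p["protocol"].upper() for p in spec.get("ports", [])}
        for host in spec["hosts"]:
            external.setdefault(host, {}).update(ports)

    findings: List[Finding] = []
    for vs in by_kind.get("VirtualService", []):
        for rule in vs["spec"].get("http", []):
            for route in rule.get("route", []):
                dest = route["destination"]
                host, port = dest["host"], dest.get("port", {}).get("number")
                if host not in external:
                    continue  # in-mesh destination, out of scope for this check
                where = f"{vs['metadata']['name']} -> {host}:{port}"
                proto = external[host].get(port)
                if proto is None:
                    findings.append(("error", f"{where}: port not declared on the ServiceEntry"))
                    continue
                tls = tls_settings_for(by_kind.get("DestinationRule", []), host, port)
                if proto == "HTTPS" and tls is None:
                    findings.append(("error", f"{where}: HTTPS port but no DestinationRule tls; "
                                              "the proxy would forward plaintext HTTP"))
                elif proto == "HTTP" and tls is not None:
                    findings.append(("error", f"{where}: TLS originated to a port declared HTTP"))
                elif tls is not None and tls.get("mode") == "SIMPLE" and not tls.get("caCertificates"):
                    findings.append(("warn", f"{where}: SIMPLE mode without caCertificates; "
                                             "server certificate verification depends on the proxy default"))
    return findings


# Constructed inputs: the answer's configuration and two broken variants.
ANSWER = [service_entry("httpbin.org", 443, "HTTPS"), virtual_service("httpbin.org", 443),
          destination_rule("httpbin.org", 443, "SIMPLE")]
NO_RULE = ANSWER[:2]                                                       # DestinationRule forgotten
WRONG_PORT = [service_entry("httpbin.org", 80, "HTTP"), virtual_service("httpbin.org", 443)]

if __name__ == "__main__":
    for name, cfg in (("answer", ANSWER), ("no-rule", NO_RULE), ("wrong-port", WRONG_PORT)):
        print(name, lint_egress(cfg) or "ok")
```

Run as a script it prints one finding per broken variant and the caCertificates warning for the answer's own config; adding a caCertificates path to the DestinationRule (the hypothetical /etc/certs/ca.pem used in the test) clears that warning.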