Istio 是否支持代理协议?
我使用 TCP 转发和代理协议(“send-proxy”标志)在 haproxy 后面设置了一个网关,但它不起作用。
我知道 Envoy 支持它,但似乎 Istio 不支持。
如果它不支持它,是否有另一种方法来检索源 IP?
谢谢你的帮助。
问问题
1078 次
1 回答
2
你可能需要应用这个:
apiVersion: networking.istio.io/v1alpha3
kind: EnvoyFilter
metadata:
name: proxy-protocol
namespace: istio-system
spec:
workloadSelector:
labels:
istio: ingressgateway
configPatches:
- applyTo: LISTENER
patch:
operation: MERGE
value:
listener_filters:
- name: envoy.listener.proxy_protocol
- name: envoy.listener.tls_inspector
由于我的 istio 入口网关位于 AWS ELB 后面,我还必须在 ELB 上启用代理协议:
apiVersion: install.istio.io/v1alpha1
kind: IstioOperator
metadata:
namespace: istio-system
spec:
profile: default
components:
ingressGateways:
- name: istio-ingressgateway
namespace: istio-system
enabled: true
# Copy settings from istio-ingressgateway as needed.
values:
gateways:
istio-ingressgateway:
serviceAnnotations:
# Note that Helm values (spec.values.gateways.istio-ingressgateway/egressgateway)
# are shared by all ingress/egress gateways.
# If these must be customized per gateway,
# it is recommended to use a separate IstioOperator CR
# Enable Prox protocol
service.beta.kubernetes.io/aws-load-balancer-proxy-protocol: "*"
如果您错过了envoy.listener.tls_inspector,您将获得:
curl: (35) LibreSSL SSL_connect: SSL_ERROR_SYSCALL in connection to xxx
openssl: no peer certificate available
于 2020-06-07T19:02:55.243 回答