
Following the guide

I am using GKE 1.13.6-gke.6 + Istio 1.1.3-gke.0, installed from the cluster add-on.

Following the same steps, I installed cert_manager and created the issuer and certificate I need:

Issuer

$ kubectl describe issuer letsencrypt-prod -n istio-system
Name:         letsencrypt-prod
Namespace:    istio-system
Labels:       <none>
Annotations:  kubectl.kubernetes.io/last-applied-configuration={"apiVersion":"certmanager.k8s.io/v1alpha1","kind":"Issuer","metadata":{"annotations":{},"name":"letsencrypt-prod","namespace":"istio-system"},"spec":{...
API Version:  certmanager.k8s.io/v1alpha1
Kind:         Issuer
Metadata:
  Creation Timestamp:  2019-06-14T03:11:17Z
  Generation:          2
  Resource Version:    10044939
  Self Link:           /apis/certmanager.k8s.io/v1alpha1/namespaces/istio-system/issuers/letsencrypt-prod
  UID:                 131f1cdd-8e52-11e9-9ba7-42010a9801a6
Spec:
  Acme:
    Email:  ---obscured---@---.net
    Http 01:
    Private Key Secret Ref:
      Name:  prod-issuer-account-key
    Server:  https://acme-v02.api.letsencrypt.org/directory
Status:
  Acme:
    Uri:  https://acme-v02.api.letsencrypt.org/acme/acct/59211199
  Conditions:
    Last Transition Time:  2019-06-14T03:11:18Z
    Message:               The ACME account was registered with the ACME server
    Reason:                ACMEAccountRegistered
    Status:                True
    Type:                  Ready
Events:                    <none>

Certificate

$ kubectl describe certificate dreamy-plum-bee-certificate -n istio-system
Name:         dreamy-plum-bee-certificate
Namespace:    istio-system
Labels:       <none>
Annotations:  kubectl.kubernetes.io/last-applied-configuration={"apiVersion":"certmanager.k8s.io/v1alpha1","kind":"Certificate","metadata":{"annotations":{},"name":"dreamy-plum-bee-certificate","namespace":"istio-s...
API Version:  certmanager.k8s.io/v1alpha1
Kind:         Certificate
Metadata:
  Creation Timestamp:  2019-06-14T03:24:43Z
  Generation:          3
  Resource Version:    10048432
  Self Link:           /apis/certmanager.k8s.io/v1alpha1/namespaces/istio-system/certificates/dreamy-plum-bee-certificate
  UID:                 f3ed9f15-8e53-11e9-9ba7-42010a9801a6
Spec:
  Acme:
    Config:
      Domains:
        dreamy-plum-bee.somewhere.net
      Http 01:
        Ingress Class:  istio
  Common Name:          dreamy-plum-bee.somewhere.net
  Dns Names:
    dreamy-plum-bee.somewhere.net
  Issuer Ref:
    Name:       letsencrypt-prod
  Secret Name:  dreamy-plum-bee-certificate
Status:
  Conditions:
    Last Transition Time:  2019-06-14T03:25:12Z
    Message:               Certificate is up to date and has not expired
    Reason:                Ready
    Status:                True
    Type:                  Ready
  Not After:               2019-09-12T02:25:10Z
Events:                    <none>

Gateway

$ kubectl describe gateway dreamy-plum-bee-gtw -n istio-system
Name:         dreamy-plum-bee-gtw
Namespace:    istio-system
Labels:       k8s-app=istio
Annotations:  <none>
API Version:  networking.istio.io/v1alpha3
Kind:         Gateway
Metadata:
  Creation Timestamp:  2019-06-14T06:08:13Z
  Generation:          1
  Resource Version:    10084555
  Self Link:           /apis/networking.istio.io/v1alpha3/namespaces/istio-system/gateways/dreamy-plum-bee-gtw
  UID:                 cabffdf1-8e6a-11e9-9ba7-42010a9801a6
Spec:
  Selector:
    Istio:  ingressgateway
  Servers:
    Hosts:
      dreamy-plum-bee.somewhere.net
    Port:
      Name:      https
      Number:    443
      Protocol:  HTTPS
    Tls:
      Credential Name:     dreamy-plum-bee-certificate
      Mode:                SIMPLE
      Private Key:         sds
      Server Certificate:  sds
Events:                    <none>

$ kubectl get gateway dreamy-plum-bee-gtw -n istio-system -o yaml
apiVersion: networking.istio.io/v1alpha3
kind: Gateway
metadata:
  creationTimestamp: 2019-06-14T06:08:13Z
  generation: 1
  labels:
    k8s-app: istio
  name: dreamy-plum-bee-gtw
  namespace: istio-system
  resourceVersion: "10084555"
  selfLink: /apis/networking.istio.io/v1alpha3/namespaces/istio-system/gateways/dreamy-plum-bee-gtw
  uid: cabffdf1-8e6a-11e9-9ba7-42010a9801a6
spec:
  selector:
    istio: ingressgateway
  servers:
  - hosts:
    - dreamy-plum-bee.somewhere.net
    port:
      name: https
      number: 443
      protocol: HTTPS
    tls:
      credentialName: dreamy-plum-bee-certificate
      mode: SIMPLE
      privateKey: sds
      serverCertificate: sds

Now, with the current setup, if I test with the openssl command:

$ openssl s_client -connect dreamy-plum-bee.somewhere.net:443
CONNECTED(00000005)
write:errno=54
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 0 bytes and written 0 bytes
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : 0000
    Session-ID:
    Session-ID-ctx:
    Master-Key:
    Start Time: 1560492782
    Timeout   : 7200 (sec)
    Verify return code: 0 (ok)
---

In Chrome the page cannot be reached; it fails with an ERR_CONNECTION_RESET error message.

However, if I change the gateway's tls settings to a self-signed, filesystem-based certificate, e.g.:

    tls:
      mode: PASSTHROUGH
      serverCertificate: /etc/istio/ingressgateway-certs/tls.crt
      privateKey: /etc/istio/ingressgateway-certs/tls.key

the site is reachable. So I suspect something is wrong with the credentialName setting: the gateway does not seem to be able to fetch the certificate resource to start the connection.

Any advice would be greatly appreciated, e.g. things to check/debug, etc...


1 Answer


Eventually I figured it out; "Envoy SDS: Fortifying Istio Security" by Yonggang Liu and Quanjie Lin, Google, was very helpful.

  • Install Istio (v1.1.8) from scratch instead of using the add-on (v1.1.3).
  • Make sure --set gateways.istio-ingressgateway.sds.enabled=true is used during installation.
  • Enable istio-injection=enabled on the namespace so the Envoy proxies get created.
  • Increase node capacity to host Istio properly. Google recommends at least a 4-node cluster with a 2 vCPU machine type.
  • Finally, remove the manual TLS certificate from the NodeApp I am deploying, since Istio handles TLS and mTLS is not enabled yet.
answered 2019-06-16T23:08:28.340
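The checks below are an added example, not code from the question, the answer or the Istio project. They encode the conditions the answer arrives at (SDS enabled on the ingress gateway, the credentialName secret present in the gateway's own namespace with usable key material, and a TLS mode that actually uses that secret) and run them against a constructed snapshot of the relevant objects rather than a live cluster. `check_gateway`, `gateway_with_tls`, the container lists and the snapshot dicts are hypothetical names mirroring the question's Gateway; in a real cluster you would feed the function the output of `kubectl get gateway/secret/pod -o json`. Whether the installed `ingress-sds` reads the cert-manager `tls.crt`/`tls.key` pair or only `cert`/`key` depends on the Istio version, so the check accepts either pair; treat that as an assumption to verify against the running version.

```python
"""Preflight check for an Istio Gateway that terminates TLS through SDS.

Added example (not code from the post or from Istio): it encodes the
conditions the answer above ends up with and runs against a constructed
snapshot of the relevant cluster objects instead of a live cluster.
"""

ISTIO_NS = "istio-system"  # namespace the ingress gateway runs in

# Constructed snapshot mirroring the question: Gateway and cert-manager
# Secret (tls.crt / tls.key) both live in istio-system.
GATEWAY = {
    "metadata": {"name": "dreamy-plum-bee-gtw", "namespace": ISTIO_NS},
    "spec": {
        "selector": {"istio": "ingressgateway"},
        "servers": [{
            "hosts": ["dreamy-plum-bee.somewhere.net"],
            "port": {"name": "https", "number": 443, "protocol": "HTTPS"},
            "tls": {"credentialName": "dreamy-plum-bee-certificate",
                    "mode": "SIMPLE", "privateKey": "sds",
                    "serverCertificate": "sds"},
        }],
    },
}
SECRETS = {ISTIO_NS: {"dreamy-plum-bee-certificate": {
    "type": "kubernetes.io/tls", "data": {"tls.crt": "...", "tls.key": "..."}}}}

# Container names of the istio-ingressgateway pod (hypothetical lists).
# Without gateways.istio-ingressgateway.sds.enabled=true there is no
# ingress-sds sidecar, so credentialName has nothing to serve the secret.
CONTAINERS_NO_SDS = ["istio-proxy"]
CONTAINERS_SDS = ["ingress-sds", "istio-proxy"]


def check_gateway(gateway, secrets, gateway_containers):
    """Return a list of findings; an empty list means the setup is consistent."""
    findings = []
    sds_enabled = "ingress-sds" in gateway_containers
    for i, server in enumerate(gateway["spec"].get("servers", [])):
        if server.get("port", {}).get("protocol") != "HTTPS":
            continue
        tls = server.get("tls") or {}
        mode, cred = tls.get("mode"), tls.get("credentialName")
        where = "servers[%d] (%s)" % (i, ", ".join(server.get("hosts", [])))
        if mode == "PASSTHROUGH":
            # The gateway forwards the TLS stream untouched: certificate
            # settings are ignored and the backend must terminate TLS itself.
            if cred or tls.get("serverCertificate") or tls.get("privateKey"):
                findings.append(where + ": PASSTHROUGH ignores credentialName/"
                                "serverCertificate/privateKey; the backend terminates TLS")
            continue
        if mode not in ("SIMPLE", "MUTUAL"):
            findings.append(where + ": HTTPS port but tls.mode=%r" % mode)
            continue
        if not cred:
            # File-based certificate mounted into the gateway pod.
            if not (tls.get("serverCertificate") and tls.get("privateKey")):
                findings.append(where + ": no credentialName and no "
                                "serverCertificate/privateKey")
            continue
        if not sds_enabled:
            findings.append(where + ": credentialName set but the ingress "
                            "gateway has no ingress-sds container "
                            "(gateways.istio-ingressgateway.sds.enabled=true)")
        # ingress-sds only reads secrets from the gateway's own namespace.
        secret = secrets.get(ISTIO_NS, {}).get(cred)
        if secret is None:
            findings.append(where + ": secret %r not found in %s" % (cred, ISTIO_NS))
            continue
        keys = set(secret.get("data", {}))
        # cert-manager writes tls.crt/tls.key; some ingress-sds versions read
        # only cert/key (assumption: verify against the installed version).
        if not ({"tls.crt", "tls.key"} <= keys or {"cert", "key"} <= keys):
            findings.append(where + ": secret %r has keys %s, expected "
                            "tls.crt/tls.key or cert/key" % (cred, sorted(keys)))
    return findings


def gateway_with_tls(tls):
    """Copy of GATEWAY whose single server uses the given tls block."""
    server = dict(GATEWAY["spec"]["servers"][0], tls=tls)
    return {"metadata": GATEWAY["metadata"],
            "spec": {"selector": GATEWAY["spec"]["selector"], "servers": [server]}}


if __name__ == "__main__":
    for label, containers in (("before (add-on, no SDS)", CONTAINERS_NO_SDS),
                              ("after (sds.enabled=true)", CONTAINERS_SDS)):
        print(label, check_gateway(GATEWAY, SECRETS, containers) or "OK")
```

Run as-is it reports the question's state (credentialName set, no ingress-sds container) and then the clean state after the answer's reinstall. The PASSTHROUGH branch is the reason the self-signed experiment in the question "worked": in that mode the gateway never touches the certificate files, the NodeApp terminates TLS itself, which is also why the answer ends by removing the app's manual certificate once the gateway terminates TLS via SDS.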