I'm fairly new to Kubernetes and Istio. I'm trying to create a service and access it over HTTPS.
- Everything looks great over HTTP
- I have used cert-manager with Let's Encrypt to generate the certificate
- The certificate was generated successfully
- I generated the secret with the following command:

```shell
kubectl create secret generic clouddns --namespace=cert-manager --from-literal=GCP_PROJECT=<PROJECT> --from-file=/etc/keys/<KEY>.json
```

These are my config files for the Gateway, VirtualService, ClusterIssuer and Certificate.
Gateway

```yaml
apiVersion: networking.istio.io/v1alpha3
kind: Gateway
metadata:
  name: messaging-gateway
spec:
  selector:
    istio: ingressgateway # use istio default controller
  servers:
  - port:
      number: 80
      name: http
      protocol: HTTP
    hosts:
    - "<HOST>"
  - port:
      number: 443
      name: https
      protocol: HTTPS
    hosts:
    - "<HOST>"
    tls:
      credentialName: messaging-certificate
      mode: SIMPLE
      privateKey: sds
      serverCertificate: sds
```
VirtualService

```yaml
apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
  name: messaging
spec:
  hosts:
  - "<HOST>"
  gateways:
  - messaging-gateway
  http:
  - match:
    - uri:
        prefix: /
    route:
    - destination:
        host: messaging
        port:
          number: 8082
```
ClusterIssuer

```yaml
apiVersion: cert-manager.io/v1alpha2
kind: ClusterIssuer
metadata:
  name: messaging-cluster-issuer
spec:
  acme:
    server: https://acme-staging-v02.api.letsencrypt.org/directory
    email: <EMAIL>
    privateKeySecretRef:
      name: messaging-letsencrypt
    solvers:
    - dns01:
        clouddns:
          serviceAccountSecretRef:
            name: clouddns
            key: <KEY>.json
          project: <PROJECT>
```
Certificate

```yaml
apiVersion: cert-manager.io/v1alpha2
kind: Certificate
metadata:
  name: messaging-certificate
spec:
  secretName: messaging-certificate
  duration: 2160h # 90d
  renewBefore: 360h # 15d
  organization:
  - RELE.AI
  commonName: <HOST>
  isCA: false
  keySize: 2048
  keyAlgorithm: rsa
  keyEncoding: pkcs1
  usages:
  - server auth
  - client auth
  dnsNames:
  - <HOST>
  issuerRef:
    name: messaging-cluster-issuer
    kind: ClusterIssuer
```
When I run `kubectl get secrets messaging-certificate -o yaml`, I can see the contents of tls.crt and tls.key.
Any idea why I can't access it over HTTPS?

-- EDIT

Full Istio manifest: I generated it using `istioctl manifest generate`. Hope this is the right approach.
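An added offline check, not code from the question or from the Istio or cert-manager projects: it cross-references the Gateway, ClusterIssuer and Certificate shown above for the wiring problems a reviewer looks at first (the credentialName secret living in a namespace the ingress gateway cannot read, hosts not covered by dnsNames, a missing issuer, and an issuer pointing at the Let's Encrypt staging endpoint, whose certificates chain to an untrusted test CA). Ruby is used because its standard library parses YAML; the sample manifests are constructed from the question with `<HOST>` filled in, and the script assumes the ingress gateway pods run in `istio-system` and that the Certificate was applied without a namespace (so it lands in `default`).

```ruby
require "yaml"

# Constructed sample, trimmed to the fields the check reads: the Gateway,
# ClusterIssuer and Certificate from the question with <HOST> filled in.
MANIFESTS = <<~YAML
  kind: Gateway
  metadata: {name: messaging-gateway, namespace: default}
  spec:
    servers:
    - port: {number: 443, name: https, protocol: HTTPS}
      hosts: ["messaging.example.com"]
      tls: {credentialName: messaging-certificate, mode: SIMPLE}
  ---
  kind: ClusterIssuer
  metadata: {name: messaging-cluster-issuer}
  spec: {acme: {server: "https://acme-staging-v02.api.letsencrypt.org/directory"}}
  ---
  kind: Certificate
  metadata: {name: messaging-certificate, namespace: default}
  spec:
    secretName: messaging-certificate
    dnsNames: [messaging.example.com]
    issuerRef: {name: messaging-cluster-issuer, kind: ClusterIssuer}
YAML

GATEWAY_NS = "istio-system" # assumed namespace of the istio-ingressgateway pods

# Cross-checks each HTTPS Gateway server against its Certificate; returns findings (empty = consistent).
def check_tls_wiring(yaml_text)
  by_kind = YAML.load_stream(yaml_text).group_by { |d| d["kind"] }
  findings = []
  by_kind.fetch("Gateway", []).each do |gw|
    gw["spec"]["servers"].each do |srv|
      next unless srv["port"]["protocol"] == "HTTPS"
      cred = srv.dig("tls", "credentialName")
      cert = by_kind.fetch("Certificate", []).find { |c| c["spec"]["secretName"] == cred }
      findings << "no Certificate writes secret #{cred}" unless cert
      next unless cert
      # The gateway's SDS agent only serves secrets from its own namespace.
      ns = cert["metadata"].fetch("namespace", "default")
      findings << "secret #{cred} lives in #{ns}, not #{GATEWAY_NS}" if ns != GATEWAY_NS
      missing = srv["hosts"].map { |h| h.split("/").last } - cert["spec"]["dnsNames"]
      findings << "hosts #{missing.join(',')} missing from dnsNames" unless missing.empty?
      ref = cert["spec"]["issuerRef"]
      issuer = by_kind.fetch(ref["kind"], []).find { |i| i["metadata"]["name"] == ref["name"] }
      findings << "#{ref['kind']} #{ref['name']} not found" unless issuer
      server = issuer.to_h.dig("spec", "acme", "server").to_s
      findings << "issuer #{ref['name']} uses Let's Encrypt staging (untrusted test CA)" if server.include?("staging")
    end
  end
  findings
end
```

Run it against the real manifests with `kubectl get gateway,clusterissuer,certificate -A -o yaml` piped into `check_tls_wiring`; the two findings the sample produces are the ones to clear before looking further.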