
I am trying to set up a multicluster mesh topology with replicated control planes using Istio, as described at https://istio.io/docs/setup/install/multicluster/gateways/. My PKI setup has three tiers, as follows.

PKI hierarchy

  1. Root CA (root-ca.pem)
  2. Intermediate CA that signs each cluster's Citadel CA (intermediate-ca.pem)
  3. Per-cluster Citadel CA (ca-cert.pem)

Following the installation instructions, I install the certificates into the istio-system namespace with the following command.

kubectl create secret generic cacerts -n istio-system --from-file=./ca-cert.pem \
--from-file=./ca-key.pem --from-file=./root-cert.pem \
--from-file=./cert-chain.pem

In this command, ca-cert.pem is the cluster's CA certificate, ca-key.pem is the private key for ca-cert, and cert-chain.pem is the full chain for ca-cert.pem, i.e. cert-chain.pem=$(cat ca-cert.pem intermediate-ca.pem root-ca.pem)

When I install this setup into a cluster, mTLS works as expected within the cluster using my custom CA. However, when I go to set up the multicluster environment, calls from cluster A to cluster B fail root certificate validation.

Does anyone understand why these certificates are not trusted when they share the same root CA structure?

Update: I believe this may be related to the target cluster's ingress gateway crashing when it tries to proxy the connection to the backend service.

[Envoy (Epoch 0)] [2020-04-07 15:58:34.193][22][debug][filter] [external/envoy/source/common/tcp_proxy/tcp_proxy.cc:232] [C2] new tcp proxy session
[Envoy (Epoch 0)] [2020-04-07 15:58:34.193][22][trace][connection] [external/envoy/source/common/network/connection_impl.cc:294] [C2] readDisable: enabled=true disable=true state=0
[Envoy (Epoch 0)] [2020-04-07 15:58:34.194][22][trace][filter] [external/envoy/source/extensions/filters/network/sni_cluster/sni_cluster.cc:16] [C2] sni_cluster: new connection with server name outbound_.80_._.nginx.istio-fkt.global
[Envoy (Epoch 0)] [2020-04-07 15:58:34.194][22][trace][filter] [src/envoy/tcp/tcp_cluster_rewrite/tcp_cluster_rewrite.cc:55] [C2] tcp_cluster_rewrite: new connection with server name outbound_.80_._.nginx.istio-fkt.global
[Envoy (Epoch 0)] [2020-04-07 15:58:34.194][22][trace][filter] [src/envoy/tcp/tcp_cluster_rewrite/tcp_cluster_rewrite.cc:64] [C2] tcp_cluster_rewrite: final tcp proxy cluster name outbound_.80_._.nginx.istio-fkt.svc.cluster.local
[Envoy (Epoch 0)] [2020-04-07 15:58:34.194][22][critical][main] [external/envoy/source/exe/terminate_handler.cc:13] std::terminate called! (possible uncaught exception, see trace)
[Envoy (Epoch 0)] [2020-04-07 15:58:34.194][22][critical][backtrace] [bazel-out/k8-opt/bin/external/envoy/source/server/_virtual_includes/backtrace_lib/server/backtrace.h:70] Backtrace (use tools/stack_decode.py to get line numbers):
[Envoy (Epoch 0)] [2020-04-07 15:58:34.194][22][critical][backtrace] [bazel-out/k8-opt/bin/external/envoy/source/server/_virtual_includes/backtrace_lib/server/backtrace.h:71] Envoy version: 73f240a29bece92a8882a36893ccce07b4a54664/1.13.1-dev/Clean/RELEASE/BoringSSL
[Envoy (Epoch 0)] [2020-04-07 15:58:34.205][22][critical][backtrace] [bazel-out/k8-opt/bin/external/envoy/source/server/_virtual_includes/backtrace_lib/server/backtrace.h:75] #0: Envoy::TerminateHandler::logOnTerminate()::$_0::operator()() [0x562ba8ae7dae]
[Envoy (Epoch 0)] [2020-04-07 15:58:34.216][22][critical][backtrace] [bazel-out/k8-opt/bin/external/envoy/source/server/_virtual_includes/backtrace_lib/server/backtrace.h:77] #1: [0x562ba8ae7cb9]
[Envoy (Epoch 0)] [2020-04-07 15:58:34.225][22][critical][backtrace] [bazel-out/k8-opt/bin/external/envoy/source/server/_virtual_includes/backtrace_lib/server/backtrace.h:75] #2: std::__terminate() [0x562ba904aa73]
[Envoy (Epoch 0)] [2020-04-07 15:58:34.234][22][critical][backtrace] [bazel-out/k8-opt/bin/external/envoy/source/server/_virtual_includes/backtrace_lib/server/backtrace.h:75] #3: Envoy::Tcp::TcpClusterRewrite::TcpClusterRewriteFilter::onNewConnection() [0x562ba7209c4d]
[Envoy (Epoch 0)] [2020-04-07 15:58:34.244][22][critical][backtrace] [bazel-out/k8-opt/bin/external/envoy/source/server/_virtual_includes/backtrace_lib/server/backtrace.h:75] #4: Envoy::Network::FilterManagerImpl::onContinueReading() [0x562ba862a582]
[Envoy (Epoch 0)] [2020-04-07 15:58:34.256][22][critical][backtrace] [bazel-out/k8-opt/bin/external/envoy/source/server/_virtual_includes/backtrace_lib/server/backtrace.h:75] #5: Envoy::Network::FilterManagerImpl::initializeReadFilters() [0x562ba862a4e5]
[Envoy (Epoch 0)] [2020-04-07 15:58:34.267][22][critical][backtrace] [bazel-out/k8-opt/bin/external/envoy/source/server/_virtual_includes/backtrace_lib/server/backtrace.h:75] #6: Envoy::Server::ConnectionHandlerImpl::ActiveTcpListener::newConnection() [0x562ba861a547]
[Envoy (Epoch 0)] [2020-04-07 15:58:34.278][22][critical][backtrace] [bazel-out/k8-opt/bin/external/envoy/source/server/_virtual_includes/backtrace_lib/server/backtrace.h:75] #7: Envoy::Server::ConnectionHandlerImpl::ActiveTcpSocket::continueFilterChain() [0x562ba861a1fb]
[Envoy (Epoch 0)] [2020-04-07 15:58:34.287][22][critical][backtrace] [bazel-out/k8-opt/bin/external/envoy/source/server/_virtual_includes/backtrace_lib/server/backtrace.h:75] #8: Envoy::Server::ConnectionHandlerImpl::ActiveTcpListener::onAcceptWorker() [0x562ba861a2f1]
[Envoy (Epoch 0)] [2020-04-07 15:58:34.295][22][critical][backtrace] [bazel-out/k8-opt/bin/external/envoy/source/server/_virtual_includes/backtrace_lib/server/backtrace.h:75] #9: Envoy::Network::ListenerImpl::listenCallback() [0x562ba862dd4c]
[Envoy (Epoch 0)] [2020-04-07 15:58:34.306][22][critical][backtrace] [bazel-out/k8-opt/bin/external/envoy/source/server/_virtual_includes/backtrace_lib/server/backtrace.h:75] #10: listener_read_cb [0x562ba89547c3]
[Envoy (Epoch 0)] [2020-04-07 15:58:34.317][22][critical][backtrace] [bazel-out/k8-opt/bin/external/envoy/source/server/_virtual_includes/backtrace_lib/server/backtrace.h:75] #11: event_process_active_single_queue [0x562ba89529ab]
[Envoy (Epoch 0)] [2020-04-07 15:58:34.329][22][critical][backtrace] [bazel-out/k8-opt/bin/external/envoy/source/server/_virtual_includes/backtrace_lib/server/backtrace.h:75] #12: event_base_loop [0x562ba895123e]
[Envoy (Epoch 0)] [2020-04-07 15:58:34.341][22][critical][backtrace] [bazel-out/k8-opt/bin/external/envoy/source/server/_virtual_includes/backtrace_lib/server/backtrace.h:75] #13: Envoy::Server::WorkerImpl::threadRoutine() [0x562ba8617278]
[Envoy (Epoch 0)] [2020-04-07 15:58:34.352][22][critical][backtrace] [bazel-out/k8-opt/bin/external/envoy/source/server/_virtual_includes/backtrace_lib/server/backtrace.h:75] #14: Envoy::Thread::ThreadImplPosix::ThreadImplPosix()::$_0::__invoke() [0x562ba8b1d953]
[Envoy (Epoch 0)] [2020-04-07 15:58:34.352][22][critical][backtrace] [bazel-out/k8-opt/bin/external/envoy/source/server/_virtual_includes/backtrace_lib/server/backtrace.h:75] #15: start_thread [0x7ff80cbd16db]
[Envoy (Epoch 0)] [2020-04-07 15:58:34.352][22][critical][backtrace] [bazel-out/k8-opt/bin/external/envoy/source/server/_virtual_includes/backtrace_lib/server/backtrace.h:83] Caught Aborted, suspect faulting address 0x10
[Envoy (Epoch 0)] [2020-04-07 15:58:34.352][22][critical][backtrace] [bazel-out/k8-opt/bin/external/envoy/source/server/_virtual_includes/backtrace_lib/server/backtrace.h:70] Backtrace (use tools/stack_decode.py to get line numbers):
[Envoy (Epoch 0)] [2020-04-07 15:58:34.352][22][critical][backtrace] [bazel-out/k8-opt/bin/external/envoy/source/server/_virtual_includes/backtrace_lib/server/backtrace.h:71] Envoy version: 73f240a29bece92a8882a36893ccce07b4a54664/1.13.1-dev/Clean/RELEASE/BoringSSL
[Envoy (Epoch 0)] [2020-04-07 15:58:34.352][22][critical][backtrace] [bazel-out/k8-opt/bin/external/envoy/source/server/_virtual_includes/backtrace_lib/server/backtrace.h:75] #0: __restore_rt [0x7ff80cbdc890]
[Envoy (Epoch 0)] [2020-04-07 15:58:34.363][22][critical][backtrace] [bazel-out/k8-opt/bin/external/envoy/source/server/_virtual_includes/backtrace_lib/server/backtrace.h:77] #1: [0x562ba8ae7cb9]
[Envoy (Epoch 0)] [2020-04-07 15:58:34.363][22][critical][backtrace] [bazel-out/k8-opt/bin/external/envoy/source/server/_virtual_includes/backtrace_lib/server/backtrace.h:75] #2: std::__terminate() [0x562ba904aa73]
[Envoy (Epoch 0)] [2020-04-07 15:58:34.363][22][critical][backtrace] [bazel-out/k8-opt/bin/external/envoy/source/server/_virtual_includes/backtrace_lib/server/backtrace.h:75] #3: Envoy::Tcp::TcpClusterRewrite::TcpClusterRewriteFilter::onNewConnection() [0x562ba7209c4d]
[Envoy (Epoch 0)] [2020-04-07 15:58:34.363][22][critical][backtrace] [bazel-out/k8-opt/bin/external/envoy/source/server/_virtual_includes/backtrace_lib/server/backtrace.h:75] #4: Envoy::Network::FilterManagerImpl::onContinueReading() [0x562ba862a582]
[Envoy (Epoch 0)] [2020-04-07 15:58:34.363][22][critical][backtrace] [bazel-out/k8-opt/bin/external/envoy/source/server/_virtual_includes/backtrace_lib/server/backtrace.h:75] #5: Envoy::Network::FilterManagerImpl::initializeReadFilters() [0x562ba862a4e5]
[Envoy (Epoch 0)] [2020-04-07 15:58:34.363][22][critical][backtrace] [bazel-out/k8-opt/bin/external/envoy/source/server/_virtual_includes/backtrace_lib/server/backtrace.h:75] #6: Envoy::Server::ConnectionHandlerImpl::ActiveTcpListener::newConnection() [0x562ba861a547]
[Envoy (Epoch 0)] [2020-04-07 15:58:34.363][22][critical][backtrace] [bazel-out/k8-opt/bin/external/envoy/source/server/_virtual_includes/backtrace_lib/server/backtrace.h:75] #7: Envoy::Server::ConnectionHandlerImpl::ActiveTcpSocket::continueFilterChain() [0x562ba861a1fb]
[Envoy (Epoch 0)] [2020-04-07 15:58:34.363][22][critical][backtrace] [bazel-out/k8-opt/bin/external/envoy/source/server/_virtual_includes/backtrace_lib/server/backtrace.h:75] #8: Envoy::Server::ConnectionHandlerImpl::ActiveTcpListener::onAcceptWorker() [0x562ba861a2f1]
[Envoy (Epoch 0)] [2020-04-07 15:58:34.363][22][critical][backtrace] [bazel-out/k8-opt/bin/external/envoy/source/server/_virtual_includes/backtrace_lib/server/backtrace.h:75] #9: Envoy::Network::ListenerImpl::listenCallback() [0x562ba862dd4c]
[Envoy (Epoch 0)] [2020-04-07 15:58:34.363][22][critical][backtrace] [bazel-out/k8-opt/bin/external/envoy/source/server/_virtual_includes/backtrace_lib/server/backtrace.h:75] #10: listener_read_cb [0x562ba89547c3]
[Envoy (Epoch 0)] [2020-04-07 15:58:34.363][22][critical][backtrace] [bazel-out/k8-opt/bin/external/envoy/source/server/_virtual_includes/backtrace_lib/server/backtrace.h:75] #11: event_process_active_single_queue [0x562ba89529ab]
[Envoy (Epoch 0)] [2020-04-07 15:58:34.363][22][critical][backtrace] [bazel-out/k8-opt/bin/external/envoy/source/server/_virtual_includes/backtrace_lib/server/backtrace.h:75] #12: event_base_loop [0x562ba895123e]
[Envoy (Epoch 0)] [2020-04-07 15:58:34.363][22][critical][backtrace] [bazel-out/k8-opt/bin/external/envoy/source/server/_virtual_includes/backtrace_lib/server/backtrace.h:75] #13: Envoy::Server::WorkerImpl::threadRoutine() [0x562ba8617278]
[Envoy (Epoch 0)] [2020-04-07 15:58:34.363][22][critical][backtrace] [bazel-out/k8-opt/bin/external/envoy/source/server/_virtual_includes/backtrace_lib/server/backtrace.h:75] #14: Envoy::Thread::ThreadImplPosix::ThreadImplPosix()::$_0::__invoke() [0x562ba8b1d953]
[Envoy (Epoch 0)] [2020-04-07 15:58:34.363][22][critical][backtrace] [bazel-out/k8-opt/bin/external/envoy/source/server/_virtual_includes/backtrace_lib/server/backtrace.h:75] #15: start_thread [0x7ff80cbd16db]
2020-04-07T15:58:34.392193Z error   Epoch 0 exited with error: signal: aborted (core dumped)
2020-04-07T15:58:34.392220Z info    No more active epochs, terminating
