I am trying to initiate an mTLS connection to an external service directly from the sidecar proxy container, without any egress gateway.
My current configuration looks like the following. As you can see, I am trying to upgrade the http request to https using a client certificate before contacting the external service.
Not sure whether my configuration is correct.

apiVersion: networking.istio.io/v1alpha3
kind: ServiceEntry
metadata:
  name: somedomain-mtls
spec:
  hosts:
  - somedomain.com
  ports:
  - number: 443
    name: http
    protocol: HTTP
  resolution: DNS
  location: MESH_EXTERNAL
---

apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
  name: somedomain-mtls
spec:
  hosts:
  - somedomain.com
  http:
  - match:
    - port: 80
    route:
    - destination:
        host: somedomain.com
        port:
          number: 443
      weight: 100
---
apiVersion: networking.istio.io/v1alpha3
kind: DestinationRule
metadata:
  name: somedomain-mtls
spec:
  host: somedomain.com
  trafficPolicy:
    loadBalancer:
      simple: ROUND_ROBIN
    portLevelSettings:
    - port:
        number: 443
      tls:
          mode: MUTUAL
          clientCertificate: /etc/istio/client-certs/client.pem
          privateKey: /etc/istio/client-certs/client.key
          caCertificates: /etc/istio/client-certs/ca.pem
          sni: somedomain.com
---

From the container, I try to access the service over http but get a 503. On further inspection of the sidecar proxy logs, I see an OpenSSL internal error but without any reason. Wondering what is wrong or missing here.

2020-12-09T22:29:13.832279Z debug   envoy pool  [external/envoy/source/common/http/conn_pool_base.cc:337] queueing request due to no available connections
2020-12-09T22:29:13.832283Z debug   envoy pool  [external/envoy/source/common/http/conn_pool_base.cc:47] creating a new connection
2020-12-09T22:29:13.832310Z debug   envoy client    [external/envoy/source/common/http/codec_client.cc:34] [C1272] connecting
2020-12-09T22:29:13.832315Z debug   envoy connection    [external/envoy/source/common/network/connection_impl.cc:727] [C1272] connecting to x.x.x.x:443
2020-12-09T22:29:13.832357Z debug   envoy connection    [external/envoy/source/common/network/connection_impl.cc:736] [C1272] connection in progress
2020-12-09T22:29:13.857767Z debug   envoy connection    [external/envoy/source/common/network/connection_impl.cc:592] [C1272] connected
2020-12-09T22:29:13.857823Z debug   envoy connection    [external/envoy/source/extensions/transport_sockets/tls/ssl_socket.cc:191] [C1272] handshake expecting read
2020-12-09T22:29:13.881971Z debug   envoy connection    [external/envoy/source/extensions/transport_sockets/tls/ssl_socket.cc:198] [C1272] handshake error: 1
2020-12-09T22:29:13.881983Z debug   envoy connection    [external/envoy/source/extensions/transport_sockets/tls/ssl_socket.cc:226] [C1272] TLS error: 268436576:SSL routines:OPENSSL_internal:
2020-12-09T22:29:13.881989Z debug   envoy connection    [external/envoy/source/common/network/connection_impl.cc:200] [C1272] closing socket: 0
2020-12-09T22:29:13.882004Z debug   envoy client    [external/envoy/source/common/http/codec_client.cc:91] [C1272] disconnect. resetting 0 pending requests
2020-12-09T22:29:13.882010Z debug   envoy pool  [external/envoy/source/common/http/conn_pool_base.cc:265] [C1272] client disconnected, failure reason: TLS error: 268436576:SSL routines:OPENSSL_internal:
2020-12-09T22:29:13.882022Z debug   envoy router    [external/envoy/source/common/router/router.cc:1018] [C1271][S2062324833167670924] upstream reset: reset reason connection failure

Any pointers would be much appreciated.

Thanks
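Added example, not part of the original question or of Istio: a pre-flight script for the inputs the DestinationRule above hands to the proxy (clientCertificate, privateKey, caCertificates, sni). The opaque `OPENSSL_internal` line in the Envoy log is the proxy aborting the handshake; the three static checks here (key belongs to the client cert, the server's certificate chains to the CA bundle, the server's certificate covers the SNI name) are what a practitioner verifies before touching the mesh config. It assumes `openssl` is on PATH. The CA, client and server certificates it generates are a constructed toy PKI so that the script runs offline; `fetch_server_cert` is the one step that needs network and is only called when you pass it a real host.

```shell
#!/bin/sh
# Pre-flight checks for a sidecar-originated MUTUAL TLS connection (added example).
# Assumes: openssl on PATH. All certificates below are constructed for the demo.
set -eu

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT

# Constructed toy PKI mirroring /etc/istio/client-certs/{ca.pem,client.pem,client.key}
# from the DestinationRule, plus a server cert the CA issued and an unrelated key.
make_toy_pki() {
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 1 -subj "/CN=toy-ca" \
    -keyout "$WORK/ca.key" -out "$WORK/ca.pem" >/dev/null 2>&1
  openssl req -newkey rsa:2048 -nodes -sha256 -subj "/CN=mtls-client" \
    -keyout "$WORK/client.key" -out "$WORK/client.csr" >/dev/null 2>&1
  openssl x509 -req -in "$WORK/client.csr" -CA "$WORK/ca.pem" -CAkey "$WORK/ca.key" \
    -CAcreateserial -days 1 -out "$WORK/client.pem" >/dev/null 2>&1
  # Server cert carries the SAN that the sni field must match.
  printf 'subjectAltName=DNS:somedomain.com\n' > "$WORK/san.ext"
  openssl req -newkey rsa:2048 -nodes -sha256 -subj "/CN=somedomain.com" \
    -keyout "$WORK/server.key" -out "$WORK/server.csr" >/dev/null 2>&1
  openssl x509 -req -in "$WORK/server.csr" -CA "$WORK/ca.pem" -CAkey "$WORK/ca.key" \
    -CAcreateserial -days 1 -extfile "$WORK/san.ext" -out "$WORK/server.pem" >/dev/null 2>&1
  # A key that belongs to nobody, to show the mismatch check firing.
  openssl genrsa -out "$WORK/other.key" 2048 >/dev/null 2>&1
}

# Check 1: the private key must belong to the client certificate (compare public keys).
key_matches_cert() {  # $1=cert $2=key
  c="$(openssl x509 -in "$1" -noout -pubkey)"
  k="$(openssl pkey -in "$2" -pubout 2>/dev/null)"
  [ "$c" = "$k" ]
}

# Check 2: a certificate must chain to the bundle given as caCertificates.
cert_chains_to_ca() {  # $1=cert $2=ca bundle
  openssl verify -CAfile "$2" "$1" >/dev/null 2>&1
}

# Check 3: the server certificate must cover the name sent as SNI.
cert_matches_host() {  # $1=cert $2=hostname
  openssl x509 -in "$1" -noout -checkhost "$2" | grep -q "does match"
}

# Live helper (network): grab the leaf cert the real endpoint presents for a given SNI.
fetch_server_cert() {  # $1=host $2=port $3=sni $4=output file
  openssl s_client -connect "$1:$2" -servername "$3" </dev/null 2>/dev/null |
    openssl x509 -out "$4"
}

# Run all checks; prints one line per check and returns 0 only if all pass.
preflight() {  # $1=client cert $2=client key $3=ca bundle $4=server cert $5=sni
  rc=0
  if key_matches_cert "$1" "$2"; then echo "PASS key belongs to client cert"
  else echo "FAIL private key does not belong to $1"; rc=1; fi
  if cert_chains_to_ca "$4" "$3"; then echo "PASS server cert chains to CA bundle"
  else echo "FAIL server cert does not chain to $3"; rc=1; fi
  if cert_matches_host "$4" "$5"; then echo "PASS server cert covers SNI $5"
  else echo "FAIL server cert does not cover SNI $5"; rc=1; fi
  return $rc
}

make_toy_pki
echo "== consistent inputs =="
preflight "$WORK/client.pem" "$WORK/client.key" "$WORK/ca.pem" "$WORK/server.pem" somedomain.com
echo "== wrong key and wrong SNI =="
if preflight "$WORK/client.pem" "$WORK/other.key" "$WORK/ca.pem" "$WORK/server.pem" other.example; then
  echo "unexpected: mismatched inputs passed"; exit 1
fi
```

Against a real endpoint you would replace the toy server cert with `fetch_server_cert somedomain.com 443 somedomain.com "$WORK/server.pem"` and point the other three arguments at the files mounted into the sidecar; a FAIL on the chain or SNI line is the usual reason a proxy-side handshake dies with no further detail in the log.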
