
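I have an application running inside EKS. Istio is used as the service mesh. I am having some problems with https being redirected to http and then redirected again to https. It looks like the problem is in the Istio VirtualService, which temporarily switches to http, and that is what I want to prevent.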

curl output

This is how we installed Istio [the installed version is 1.5.1]

istioctl -n infrastructure manifest apply \
 --set profile=default --set values.kiali.enabled=true \
 --set values.gateways.istio-ingressgateway.enabled=true \
 --set values.gateways.enabled=true \
 --set values.gateways.istio-ingressgateway.type=NodePort \
 --set values.global.k8sIngress.enabled=false \
 --set values.global.k8sIngress.gatewayName=ingressgateway \
 --set values.global.proxy.accessLogFile="/dev/stdout" 

Here is our virtual service. The cluster contains two deployments:

  1. My application frontend
  2. myapps-api

apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
  name: dev-sanojapps-virtual-service
  namespace: istio-system
spec:
  hosts:
    - "dev-mydomain.com"
  gateways:
    - ingressgateway
  http:
    - match:
        - uri:
            prefix: /myapp/
        - uri:
            prefix: /myapp
      rewrite:
        uri: /
      route:
        - destination:
              host: myapp-front.sanojapps-dev.svc.cluster.local
          headers:
            request:
              set:
                "X-Forwarded-Proto": "https"
                "X-Forwarded-Port": "443"
            response:
              set:
                Strict-Transport-Security: max-age=31536000; includeSubDomains
    - match:
        - uri:
            prefix: /v1/myapp-api/
        - uri:
            prefix: /v1/myapp-api
      rewrite:
        uri: /
      route:
        - destination:
            host: myapp-api.sanojapps-dev.svc.cluster.local
            port:
              number: 8080
    - match:
        - uri:
            prefix: /
      redirect:
        uri: /myapp/
        https_redirect: true
      headers:
            request:
              set:
                "X-Forwarded-Proto": "https"
                "X-Forwarded-Port": "443"
            response:
              set:
                Strict-Transport-Security: max-age=31536000; includeSubDomains

Below is the YAML deployment for the frontend application.

apiVersion: apps/v1
kind: Deployment
metadata:
  name: myapp-front
  namespace: sanojapps-dev
  labels:
    app: myapp-front
spec:
  selector:
    matchLabels:
      app: myapp-front
  template:
    metadata:
      labels:
        app: myapp-front
    spec:
      containers:
      - name: myapp-front
        image: <ECR_REPO:TAG>
        imagePullPolicy: IfNotPresent
        ports:
        - containerPort: 80
          name: http
          protocol: TCP
        resources:
          limits:
            cpu: 500m
            memory: 1024Mi
          requests:
            cpu: 50m
            memory: 256Mi

Our gateway configuration is as follows:

apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  namespace: istio-system
  name: sanojapps-ingress
  annotations:
    kubernetes.io/ingress.class: alb
    alb.ingress.kubernetes.io/scheme: internet-facing
    alb.ingress.kubernetes.io/subnets: ""
    alb.ingress.kubernetes.io/certificate-arn: arn:aws:acm:region:account:certificate/<ACM_ID>
    alb.ingress.kubernetes.io/listen-ports: '[{"HTTP": 80}, {"HTTPS":443}]'
    alb.ingress.kubernetes.io/actions.ssl-redirect: '{"Type": "redirect", "RedirectConfig": { "Protocol": "HTTPS", "Port": "443", "StatusCode": "HTTP_301"}}'
    alb.ingress.kubernetes.io/ssl-policy: ELBSecurityPolicy-FS-1-2-2019-08
    alb.ingress.kubernetes.io/wafv2-acl-arn: arn:aws:wafv2:region:account:regional/webacl/sanojapps-acl/<ACM_ID>
spec:
  rules:
    - http:
        paths:
         - path: /*
           backend:
             serviceName: ssl-redirect
             servicePort: use-annotation
         - path: /*
           backend:
             serviceName: istio-ingressgateway
             servicePort: 80
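
A check for the symptom described in the question, as an added example that is not part of the original post: it parses the header dump produced by `curl -sIL` and flags any redirect hop that leaves https for http. The sample dump is constructed to mirror the described behaviour, and the function names are hypothetical.

```python
from urllib.parse import urljoin, urlsplit

# Constructed sample of `curl -sIL https://dev-mydomain.com/` output that
# mirrors the symptom in the question (not the asker's real output).
SAMPLE = """\
HTTP/2 301
location: http://dev-mydomain.com/myapp/
server: istio-envoy

HTTP/1.1 301 Moved Permanently
Location: https://dev-mydomain.com/myapp/

HTTP/2 200
strict-transport-security: max-age=31536000; includeSubDomains
"""


def redirect_hops(start_url, raw_headers):
    """Return [(status, from_url, to_url)] for every redirect in the dump."""
    hops, current = [], start_url
    normalized = raw_headers.replace("\r\n", "\n").strip()
    for block in normalized.split("\n\n"):
        lines = [ln for ln in block.split("\n") if ln.strip()]
        if not lines or not lines[0].startswith("HTTP/"):
            continue
        status = int(lines[0].split()[1])
        location = None
        for ln in lines[1:]:
            name, _, value = ln.partition(":")
            if name.strip().lower() == "location":
                location = value.strip()
        if 300 <= status < 400 and location:
            target = urljoin(current, location)  # Location may be relative
            hops.append((status, current, target))
            current = target
    return hops


def downgrades(hops):
    """Return the hops that leave https for plain http."""
    return [h for h in hops
            if urlsplit(h[1]).scheme == "https" and urlsplit(h[2]).scheme == "http"]


if __name__ == "__main__":
    hops = redirect_hops("https://dev-mydomain.com/", SAMPLE)
    bad = downgrades(hops)
    for hop in hops:
        print(hop[0], hop[1], "->", hop[2], "DOWNGRADE" if hop in bad else "ok")
```

Running it against a real dump shows which hop emits the `http://` Location, which is the response to trace back to the ALB rule, the VirtualService redirect, or the frontend container.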
             