
I am trying to get the istio ingress gateway to forward the client certificate to my mTLS service. I tried the following configuration from the page.

apiVersion: install.istio.io/v1alpha1
kind: IstioOperator
spec:
  meshConfig:
    defaultConfig:
      gatewayTopology:
        forwardClientCertDetails: ALWAYS_FORWARD_ONLY

If I test with the httpbin service by sending a request with a client certificate, like this:

curl -v https://<my-FQDN>/headers --cacert CAcert.pem --cert client.pem --key client.key.pem

Then in the response I only see the XFCC header with the ingress gateway's certificate. I do not see the client certificate in the XFCC header.

  "headers": {
    "Accept": "*/*",
    "Content-Length": "0",
    "Host": "<my-FQDN>",
    "User-Agent": "curl/7.60.0",
    "X-B3-Parentspanid": "535ccd58be2707d1",
    "X-B3-Sampled": "0",
    "X-B3-Spanid": "859fe154b4b4f732",
    "X-B3-Traceid": "c3a2d51fe8843dfa535ccd58be2707d1",
    "X-Custom-Client-Ip": "xxx.xxx.xxx.xxx",
    "X-Envoy-Attempt-Count": "1",
    "X-Envoy-External-Address": "xxx.xxx.xxx.xxx",
    "X-Forwarded-Client-Cert": "By=spiffe://cluster.local/ns/default/sa/httpbin;Hash=be931817624826a918707c148730ee0338b6aaa5e21a27c78b1abeafead6fd04;Subject=\"CN=istio-ingressgateway.istio-system.svc.cluster.local,C=US,OU=MGMT,O=XXXXX\";URI=spiffe://cluster.local/ns/istio-system/sa/istio-ingressgateway-service-account"
  }

How do I get the client certificate added to the XFCC header?


1 Answer


Perhaps ALWAYS_FORWARD_ONLY means that an existing XFCC header is forwarded. Have you tried APPEND_FORWARD?

answered 2021-05-27T19:07:24.703
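As an added example (not part of the question or the answer above): a small Python parser for the XFCC header format shown in the question, used to check whether any element other than the gateway's own certificate reached the service. The first sample header is the one reported in the question; the second is constructed to show what an appended client element would look like, and `<placeholder-hash>` is a placeholder, not a real value.

```python
# Parses Envoy's X-Forwarded-Client-Cert (XFCC) format: certificate elements
# separated by commas, key=value pairs by semicolons, quoted values with '\' escapes.

def parse_xfcc(header):
    """Return one dict of key/value pairs per forwarded certificate element."""
    elements, pairs = [], {}
    key, buf, in_quotes, escaped = None, [], False, False
    for ch in header:
        if escaped:                       # backslash-escaped char is literal
            buf.append(ch)
            escaped = False
        elif in_quotes and ch == "\\":
            escaped = True
        elif ch == '"':                   # quotes delimit a value, they are not data
            in_quotes = not in_quotes
        elif not in_quotes and ch == "=" and key is None:
            key, buf = "".join(buf).strip(), []
        elif not in_quotes and ch in ";,":
            if key is not None:
                pairs[key] = "".join(buf)
            key, buf = None, []
            if ch == ",":                 # a comma closes the whole element
                elements.append(pairs)
                pairs = {}
        else:
            buf.append(ch)
    if key is not None:
        pairs[key] = "".join(buf)
    if pairs:
        elements.append(pairs)
    return elements

# The gateway's SPIFFE identity exactly as it appears in the header from the question.
GATEWAY_URI = "spiffe://cluster.local/ns/istio-system/sa/istio-ingressgateway-service-account"

def forwarded_client_subjects(header, gateway_uri=GATEWAY_URI):
    """Subjects of every element that is not the gateway's own certificate.
    An empty list means only the gateway identity reached the service."""
    return [e.get("Subject", "") for e in parse_xfcc(header)
            if e.get("URI") != gateway_uri]

# Header as reported in the question: a single element describing the gateway itself.
SEEN_HEADER = ('By=spiffe://cluster.local/ns/default/sa/httpbin;'
               'Hash=be931817624826a918707c148730ee0338b6aaa5e21a27c78b1abeafead6fd04;'
               'Subject="CN=istio-ingressgateway.istio-system.svc.cluster.local,C=US,OU=MGMT,O=XXXXX";'
               'URI=' + GATEWAY_URI)

# Constructed: the same header with a client element prepended, hash is a placeholder.
EXPECTED_HEADER = 'Hash=<placeholder-hash>;Subject="CN=test-client,O=Example",' + SEEN_HEADER
```

`forwarded_client_subjects(SEEN_HEADER)` returns an empty list for the header in the question, while the constructed header yields the client subject, which is the check to run against the service's actual response after changing the forwarding mode.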