Reference: https://istio.io/latest/zh/docs/tasks/traffic-management/ingress/secure-ingress/#configure-a-TLS-ingress-gateway-for-multiple-hosts
In the documentation each host is a third-level domain (in the domestic naming convention) with its own certificate; I tested sharing one certificate myself.
1、Prepare a certificate that is not self-signed:
xxx.key
xxx.crt
2、First configure a single-host TLS ingress gateway
2.1) Prepare the base service
```yaml
apiVersion: v1
kind: ServiceAccount
metadata:
  name: httpbin
---
apiVersion: v1
kind: Service
metadata:
  name: httpbin
  labels:
    app: httpbin
    service: httpbin
spec:
  ports:
  - name: http
    port: 8000
    targetPort: 80
  selector:
    app: httpbin
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: httpbin
spec:
  replicas: 1
  selector:
    matchLabels:
      app: httpbin
      version: v1
  template:
    metadata:
      labels:
        app: httpbin
        version: v1
    spec:
      serviceAccountName: httpbin
      containers:
      - image: docker.io/kennethreitz/httpbin
        imagePullPolicy: IfNotPresent
        name: httpbin
        ports:
        - containerPort: 80
```
2.2) Create the TLS secret for the gateway
```shell
kubectl create -n istio-system secret tls httpbin-credential --key=xxx.key --cert=xxx.crt
```
2.3) Define a gateway with a `servers:` section for port 443, and set `credentialName` to `httpbin-credential`, the same name as the Secret. The TLS mode should be `SIMPLE`.
```shell
cat <<EOF | kubectl apply -f -
apiVersion: networking.istio.io/v1alpha3
kind: Gateway
metadata:
  name: mygateway
spec:
  selector:
    istio: ingressgateway # use istio default ingress gateway
  servers:
  - port:
      number: 443
      name: https
      protocol: HTTPS
    tls:
      mode: SIMPLE
      credentialName: httpbin-credential # must be the same as secret
    hosts:
    - weiwei.xxx.cn
EOF
```
2.4) Configure the ingress traffic routes for the gateway by defining the corresponding virtual service.
```shell
cat <<EOF | kubectl apply -f -
apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
  name: httpbin
spec:
  hosts:
  - "weiwei.xxx.cn"
  gateways:
  - mygateway
  http:
  - match:
    - uri:
        prefix: /status
    - uri:
        prefix: /delay
    route:
    - destination:
        port:
          number: 8000
        host: httpbin
EOF
```
2.5) Send an HTTPS request to the httpbin service:
```shell
curl -v -HHost:weiwei.xxx.cn --resolve "weiwei.xxx.cn:$SECURE_INGRESS_PORT:$INGRESS_HOST" \
  --cacert xxx.crt "https://weiwei.xxx.cn:$SECURE_INGRESS_PORT/status/418"
```
The request succeeds without errors.
2.6) Now add another server_name under the same second-level domain, to verify that the same secret works for it. Start helloworld-v1:
```shell
cat <<EOF | kubectl apply -f -
apiVersion: v1
kind: Service
metadata:
  name: helloworld-v1
  labels:
    app: helloworld-v1
spec:
  ports:
  - name: http
    port: 5000
  selector:
    app: helloworld-v1
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: helloworld-v1
spec:
  replicas: 1
  selector:
    matchLabels:
      app: helloworld-v1
      version: v1
  template:
    metadata:
      labels:
        app: helloworld-v1
        version: v1
    spec:
      containers:
      - name: helloworld
        image: istio/examples-helloworld-v1
        resources:
          requests:
            cpu: "100m"
        imagePullPolicy: IfNotPresent #Always
        ports:
        - containerPort: 5000
EOF
```
2.7) Create the gateway (with a second server that reuses the same secret) and the virtual service
```shell
cat <<EOF | kubectl apply -f -
apiVersion: networking.istio.io/v1alpha3
kind: Gateway
metadata:
  name: mygateway
spec:
  selector:
    istio: ingressgateway # use istio default ingress gateway
  servers:
  - port:
      number: 443
      name: https-httpbin
      protocol: HTTPS
    tls:
      mode: SIMPLE
      credentialName: httpbin-credential
    hosts:
    - weiwei.xxx.cn
  - port:
      number: 443
      name: https-helloworld
      protocol: HTTPS
    tls:
      mode: SIMPLE
      credentialName: httpbin-credential
    hosts:
    - hello.xxx.cn
EOF
cat <<EOF | kubectl apply -f -
apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
  name: helloworld-v1
spec:
  hosts:
  - hello.xxx.cn
  gateways:
  - mygateway
  http:
  - match:
    - uri:
        exact: /hello
    route:
    - destination:
        host: helloworld-v1
        port:
          number: 5000
EOF
```
2.8) Verify with a request
```shell
curl -v -HHost:hello.xxx.cn --resolve "hello.xxx.cn:$SECURE_INGRESS_PORT:$INGRESS_HOST" \
  --cacert xxx.crt "https://hello.xxx.cn:$SECURE_INGRESS_PORT/hello"
```
2.9) Results of each request
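Whether the two hosts above can share `httpbin-credential` is decided by the certificate's SAN list, not by the Gateway object: Istio picks the server by SNI, but the client only accepts the handshake if a SAN covers the name it asked for. The check below is an added example of mine, not code from the Istio docs; it applies the one-label wildcard rule to each server's hosts and lists every host that the referenced secret's certificate does not cover. The SAN list and the third server are constructed for the demonstration.

```python
def san_matches(pattern: str, host: str) -> bool:
    """RFC 6125-style match: '*' may only be the whole leftmost label and
    matches exactly one label, so '*.xxx.cn' covers 'hello.xxx.cn' but
    neither 'xxx.cn' nor 'api.hello.xxx.cn'."""
    pattern, host = pattern.lower().rstrip("."), host.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == host
    p_labels, h_labels = pattern.split("."), host.split(".")
    # Reject malformed or over-broad patterns such as 'f*o.xxx.cn', '*' or '*.cn'.
    if p_labels[0] != "*" or "*" in pattern[1:] or len(p_labels) < 3:
        return False
    return len(p_labels) == len(h_labels) and p_labels[1:] == h_labels[1:]


def uncovered_hosts(servers, secret_sans):
    """Return (server name, host, credentialName) for every gateway host that
    no SAN in the referenced secret's certificate matches; a secret that is
    missing from secret_sans is reported for all hosts of that server."""
    problems = []
    for srv in servers:
        cred = srv["tls"]["credentialName"]
        sans = secret_sans.get(cred, [])
        for host in srv["hosts"]:
            if not any(san_matches(san, host) for san in sans):
                problems.append((srv["port"]["name"], host, cred))
    return problems


# Constructed sample: the two HTTPS servers of the Gateway above (both using
# httpbin-credential) plus a hypothetical third server whose hosts a
# single-level wildcard cannot cover.
GATEWAY_SERVERS = [
    {"port": {"number": 443, "name": "https-httpbin"},
     "tls": {"mode": "SIMPLE", "credentialName": "httpbin-credential"},
     "hosts": ["weiwei.xxx.cn"]},
    {"port": {"number": 443, "name": "https-helloworld"},
     "tls": {"mode": "SIMPLE", "credentialName": "httpbin-credential"},
     "hosts": ["hello.xxx.cn"]},
    {"port": {"number": 443, "name": "https-deep"},
     "tls": {"mode": "SIMPLE", "credentialName": "httpbin-credential"},
     "hosts": ["api.hello.xxx.cn", "xxx.cn"]},
]
# Constructed SAN list for the certificate stored in httpbin-credential
# (in practice read it with: openssl x509 -in xxx.crt -noout -ext subjectAltName).
SECRET_SANS = {"httpbin-credential": ["*.xxx.cn"]}

if __name__ == "__main__":
    for name, host, cred in uncovered_hosts(GATEWAY_SERVERS, SECRET_SANS):
        print(f"server {name}: host {host} is not covered by the cert in {cred}")
```

Run it before applying the Gateway: an empty result means every host has a matching SAN, while a listed host would pass `kubectl apply` and only fail at TLS handshake time.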