Using letsencrypt cert on Istio Ingress
I'm running Istio 1.5, which apparently has SDS enabled by default, and I'm trying to enable TLS on the north-south traffic of my EKS cluster (v1.15). I have done the following:
- Set up the sample application following the steps here: https://istio.io/latest/docs/setup/getting-started/
- Installed cert-manager 0.15.1
- Created a ClusterIssuer
- Configured the ClusterIssuer to try to solve the DNS challenge by integrating it with AWS Route53
- Generated a certificate using the ClusterIssuer and letsencrypt
- Configured the Gateway and VirtualService with the certificate created above, following the steps here: https://istio.io/latest/docs/tasks/traffic-management/ingress/secure-ingress/
- Copied letsencrypt's root certificate to pass to the curl command
- Tried to curl the load balancer's IP, but got this error
Can anyone guide me on how to fix this?
Documentation relevant to the cert-manager and istio integration
cert-manager
Configuration
Consult the cert-manager installation documentation to get started. No special changes are needed to work with Istio.
Usage
Istio Gateway
cert-manager can be used to write a secret to Kubernetes, which can then be referenced by a Gateway. To get started, configure a Certificate resource, following the cert-manager documentation. The Certificate should be created in the same namespace as the istio-ingressgateway deployment. For example, a Certificate may look like:
apiVersion: cert-manager.io/v1alpha2
kind: Certificate
metadata:
  name: ingress-cert
  namespace: istio-system
spec:
  secretName: ingress-cert
  commonName: my.example.com
  dnsNames:
  - my.example.com
  ...
Once we have the certificate created, we should see the secret created in the istio-system namespace. This can then be referenced in the tls config for a Gateway under credentialName:
apiVersion: networking.istio.io/v1alpha3
kind: Gateway
metadata:
  name: gateway
spec:
  selector:
    istio: ingressgateway
  servers:
  - port:
      number: 443
      name: https
      protocol: HTTPS
    tls:
      mode: SIMPLE
      credentialName: ingress-cert # This should match the Certificate secretName
    hosts:
    - my.example.com # This should match a DNS name in the Certificate
cert-manager provides direct integration with Kubernetes Ingress by configuring an annotation on the Ingress object. If this method is used, the Ingress must reside in the same namespace as the istio-ingressgateway deployment, as secrets will only be read within the same namespace.
Alternatively, a Certificate can be created as described in Istio Gateway, then referenced in the Ingress object:
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: ingress
  annotations:
    kubernetes.io/ingress.class: istio
spec:
  rules:
  - host: my.example.com
    http: ...
  tls:
  - hosts:
    - my.example.com # This should match a DNS name in the Certificate
    secretName: ingress-cert # This should match the Certificate secretName
Additionally, @chrisnyc made a complete reproduction with cert-manager and letsencrypt on istio, which, as @YYashwanth mentioned in the comments, solved his problem. So if you have a similar issue, take a look at the reproduction above.
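As an added example (not part of the original answer, nor of the Istio or cert-manager documentation), the following Python script cross-checks the Certificate and Gateway manifests above the way a practitioner would before debugging TLS at the edge: the Certificate's secret must live in the ingress gateway's namespace, the Gateway's credentialName must equal the Certificate's secretName, and every host on an HTTPS server must be covered by one of the certificate's dnsNames (with single-label wildcard matching). The manifests are embedded as Python dicts constructed to mirror the snippets above, and the function and variable names are my own.

```python
"""Cross-check a cert-manager Certificate against the Istio Gateway that
references it. Added example; the manifests below are constructed to mirror
the documentation snippets and are not taken from a live cluster."""
import copy

# Namespace of the istio-ingressgateway deployment (assumption: the default).
INGRESS_GATEWAY_NAMESPACE = "istio-system"

# Constructed sample Certificate (dict standing in for the YAML manifest).
CERTIFICATE = {
    "apiVersion": "cert-manager.io/v1alpha2",
    "kind": "Certificate",
    "metadata": {"name": "ingress-cert", "namespace": "istio-system"},
    "spec": {
        "secretName": "ingress-cert",
        "commonName": "my.example.com",
        "dnsNames": ["my.example.com"],
    },
}

# Constructed sample Gateway referencing the secret written by cert-manager.
GATEWAY = {
    "apiVersion": "networking.istio.io/v1alpha3",
    "kind": "Gateway",
    "metadata": {"name": "gateway", "namespace": "istio-system"},
    "spec": {
        "selector": {"istio": "ingressgateway"},
        "servers": [{
            "port": {"number": 443, "name": "https", "protocol": "HTTPS"},
            "tls": {"mode": "SIMPLE", "credentialName": "ingress-cert"},
            "hosts": ["my.example.com"],
        }],
    },
}


def dns_name_matches(pattern, host):
    """Hostname match in the RFC 6125 style: a leading '*' covers exactly
    one leftmost label, so '*.example.com' covers 'my.example.com' but
    neither 'example.com' nor 'a.b.example.com'."""
    pattern, host = pattern.lower().rstrip("."), host.lower().rstrip(".")
    if pattern.startswith("*."):
        suffix = pattern[1:]  # ".example.com"
        prefix = host[: -len(suffix)] if host.endswith(suffix) else None
        return bool(prefix) and "." not in prefix
    return pattern == host


def check_gateway_against_certificate(gateway, certificate):
    """Return a list of human-readable findings; an empty list means the
    Gateway and Certificate agree on namespace, secret name and hostnames."""
    findings = []
    spec = certificate["spec"]
    cert_ns = certificate["metadata"].get("namespace", "default")
    if cert_ns != INGRESS_GATEWAY_NAMESPACE:
        findings.append(
            f"Certificate is in namespace {cert_ns!r}; the secret must be in "
            f"{INGRESS_GATEWAY_NAMESPACE!r} for the ingress gateway to read it")
    names = list(spec.get("dnsNames", []))
    if spec.get("commonName") and spec["commonName"] not in names:
        names.append(spec["commonName"])
    for server in gateway["spec"]["servers"]:
        port = server["port"]
        if port.get("protocol") != "HTTPS":
            continue  # plain HTTP servers reference no certificate
        label = f"server {port.get('name')}:{port.get('number')}"
        tls = server.get("tls") or {}
        if tls.get("mode") not in ("SIMPLE", "MUTUAL"):
            findings.append(f"{label}: tls.mode {tls.get('mode')!r} does not terminate TLS")
        cred = tls.get("credentialName")
        if cred != spec["secretName"]:
            findings.append(f"{label}: credentialName {cred!r} does not match "
                            f"Certificate secretName {spec['secretName']!r}")
        for host in server.get("hosts", []):
            bare = host.split("/", 1)[1] if "/" in host else host  # drop "ns/" prefix
            if bare == "*":
                continue  # catch-all host, nothing to compare against
            if not any(dns_name_matches(n, bare) for n in names):
                findings.append(f"{label}: host {host!r} is not covered by any dnsName {names}")
    return findings


def misconfigured_gateway():
    """Constructed negative case: wrong credentialName and an uncovered host."""
    bad = copy.deepcopy(GATEWAY)
    server = bad["spec"]["servers"][0]
    server["tls"]["credentialName"] = "ingress-certificate"
    server["hosts"] = ["api.example.com"]
    return bad


if __name__ == "__main__":
    for title, gw in (("documented pair", GATEWAY),
                      ("mismatched gateway", misconfigured_gateway())):
        findings = check_gateway_against_certificate(gw, CERTIFICATE)
        print(f"{title}: {'OK' if not findings else ''}")
        for finding in findings:
            print("  -", finding)
```

Running the block reports nothing for the documented pair and two findings for the deliberately mismatched Gateway. When the manifests agree but curl still fails, look at the request itself: curling the load balancer's IP address directly sends no hostname in SNI or the Host header, so the gateway has no reason to select the certificate issued for my.example.com. The Istio secure-ingress task linked in the question avoids this by using curl's --resolve option to pin the hostname to the ingress address while keeping the hostname in the request.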