ISTIO 入口网关日志

ISTIO Ingress Gateway logs

我们已经设置了 Istio,我们正在使用 ISTIO 入口网关处理入站流量。我们已经为 TCP 端口设置了 TLS。可以找到示例代码 here.

我们还通过关注 this ISTIO guide

启用了日志

我们使用 openssl 测试了 TLS 连接,它工作正常。

但是,当我们尝试从应用程序连接时,TLS 协商失败。我已经使用 wireshark here

提供了更多详细信息

我们想从 ISTIO 获取有关 TLS 协商的日志...并找出它失败的原因。

Istio 网关 YAML

apiVersion: networking.istio.io/v1alpha3
kind: Gateway
metadata:
  name: dremio-gateway
spec:
  selector:
    istio: ingressgateway
  servers:
  - port:
      number: 80
      name: http
      protocol: HTTP
    tls:
      httpsRedirect: true
    hosts:
    - testdomain.net
  - port:
      number: 443
      name: https
      protocol: HTTPS
    tls:
      mode: SIMPLE
      credentialName: testdomain-credentials
    hosts:
    - testdomain.net
  - port:
      number: 31020
      name: odbc-dremio-tls
      protocol: tls
    tls:
      mode: SIMPLE
      minProtocolVersion: TLSV1_0
      maxProtocolVersion: TLSV1_3
      credentialName: testdomain-credentials
    hosts:
    - testdomain.net

虚拟服务

apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
  name: dremio
spec:
  hosts:
  - testdomain.net
  gateways:
  - dremio-gateway
  http:
  - match:
    - port: 443
    - port: 80
    route:
    - destination:
        host: dremio-client
        port:
          number: 9047
  tcp:
  - match:
    - port: 31020
    route:
    - destination:
        host: dremio-client
        port:
          number: 31010

部分配置转储

{
     "name": "0.0.0.0_31020",
     "active_state": {
      "version_info": "2020-07-21T12:11:49Z/9",
      "listener": {
       "@type": "type.googleapis.com/envoy.api.v2.Listener",
       "name": "0.0.0.0_31020",
       "address": {
        "socket_address": {
         "address": "0.0.0.0",
         "port_value": 31020
        }
       },
       "filter_chains": [
        {
         "filter_chain_match": {
          "server_names": [
           "testdomain.net"
          ]
         },
         "filters": [
          {
           "name": "istio.stats",
           "typed_config": {
            "@type": "type.googleapis.com/udpa.type.v1.TypedStruct",
            "type_url": "type.googleapis.com/envoy.extensions.filters.network.wasm.v3.Wasm",
            "value": {
             "config": {
              "root_id": "stats_outbound",
              "vm_config": {
               "vm_id": "tcp_stats_outbound",
               "runtime": "envoy.wasm.runtime.null",
               "code": {
                "local": {
                 "inline_string": "envoy.wasm.stats"
                }
               }
              },
              "configuration": "{\n  \"debug\": \"false\",\n  \"stat_prefix\": \"istio\"\n}\n"
             }
            }
           }
          },
          {
           "name": "envoy.tcp_proxy",
           "typed_config": {
            "@type": "type.googleapis.com/envoy.config.filter.network.tcp_proxy.v2.TcpProxy",
            "stat_prefix": "outbound|31010||dremio-client.dremio.svc.cluster.local",
            "cluster": "outbound|31010||dremio-client.dremio.svc.cluster.local",
            "access_log": [
             {
              "name": "envoy.file_access_log",
              "typed_config": {
               "@type": "type.googleapis.com/envoy.config.accesslog.v2.FileAccessLog",
               "path": "/dev/stdout",
               "format": "[%START_TIME%] \"%REQ(:METHOD)% %REQ(X-ENVOY-ORIGINAL-PATH?:PATH)% %PROTOCOL%\" %RESPONSE_CODE% %RESPONSE_FLAGS% \"%DYNAMIC_METADATA(istio.mixer:status)%\" \"%UPSTREAM_TRANSPORT_FAILURE_REASON%\" %BYTES_RECEIVED% %BYTES_SENT% %DURATION% %RESP(X-ENVOY-UPSTREAM-SERVICE-TIME)% \"%REQ(X-FORWARDED-FOR)%\" \"%REQ(USER-AGENT)%\" \"%REQ(X-REQUEST-ID)%\" \"%REQ(:AUTHORITY)%\" \"%UPSTREAM_HOST%\" %UPSTREAM_CLUSTER% %UPSTREAM_LOCAL_ADDRESS% %DOWNSTREAM_LOCAL_ADDRESS% %DOWNSTREAM_REMOTE_ADDRESS% %REQUESTED_SERVER_NAME% %ROUTE_NAME%\n"
              }
             }
            ]
           }
          }
         ],
         "transport_socket": {
          "name": "envoy.transport_sockets.tls",
          "typed_config": {
           "@type": "type.googleapis.com/envoy.api.v2.auth.DownstreamTlsContext",
           "common_tls_context": {
            "tls_params": {
             "tls_minimum_protocol_version": "TLSv1_0",
             "tls_maximum_protocol_version": "TLSv1_3"
            },
            "alpn_protocols": [
             "h2",
             "http/1.1"
            ],
            "tls_certificate_sds_secret_configs": [
             {
              "name": "testdomain-credentials",
              "sds_config": {
               "api_config_source": {
                "api_type": "GRPC",
                "grpc_services": [
                 {
                  "google_grpc": {
                   "target_uri": "unix:/var/run/ingress_gateway/sds",
                   "stat_prefix": "sdsstat"
                  }
                 }
                ]
               }
              }
             }
            ]
           },
           "require_client_certificate": false
          }
         }
        }
       ],
       "listener_filters": [
        {
         "name": "envoy.listener.tls_inspector",
         "typed_config": {
          "@type": "type.googleapis.com/envoy.config.filter.listener.tls_inspector.v2.TlsInspector"
         }
        }
       ],
       "traffic_direction": "OUTBOUND"
      },
      "last_updated": "2020-07-21T12:11:50.303Z"
     }
    }

通过在 Envoy conn_handler 上启用跟踪,我们可以看到以下消息:

closing connection: no matching filter chain found

收到没有匹配的过滤器链的消息后,我找到了端口 31020 的过滤器链,其中包含我在网关配置中提供的域。看起来在连接我的应用程序 (ODBC) 时,没有提供主机。

解决方法就是将主机域替换为“*”

apiVersion: networking.istio.io/v1alpha3
kind: Gateway
metadata:
  name: dremio-gateway
spec:
  selector:
    istio: ingressgateway
  servers:
  - port:
      number: 80
      name: http
      protocol: HTTP
    tls:
      httpsRedirect: true
    hosts:
    - testdomain.net
  - port:
      number: 443
      name: https
      protocol: HTTPS
    tls:
      mode: SIMPLE
      credentialName: testdomain-credentials
    hosts:
    - testdomain.net
  - port:
      number: 31020
      name: odbc-dremio-tls
      protocol: tls
    tls:
      mode: SIMPLE
      minProtocolVersion: TLSV1_0
      maxProtocolVersion: TLSV1_3
      credentialName: testdomain-credentials
    hosts:
    - '*'