Istio - redirect to https external url

I am trying to set up a simple redirect (not a proxy pass) in istio:

apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
  name: test
spec:
  gateways:
  - test
  hosts:
  - test.com
  http:
  - redirect:
      authority: testredirect.com
      redirectCode: 302
---
apiVersion: networking.istio.io/v1beta1
kind: Gateway
metadata:
  name: test
spec:
  selector:
    istio: ingressgateway
  servers:
  - hosts:
    - test.com
    port:
      name: http
      number: 80
      protocol: HTTP2

This creates a redirect to http://testredirect.com

How do I redirect it to http**s**://?

Notes:

  1. I tried adding a DestinationRule / ServiceEntry, but that did not help
  2. We terminate SSL at the load balancer, so our requests come in on unencrypted port 80

It looks like you need to use an istio gateway

Gateway describes a load balancer operating at the edge of the mesh receiving incoming or outgoing HTTP/TCP connections. The specification describes a set of ports that should be exposed, the type of protocol to use, SNI configuration for the load balancer, etc.

For example, the following Gateway configuration sets up a proxy to act as a load balancer exposing port 80 and 9080 (http), 443 (https), 9443(https) and port 2379 (TCP) for ingress. The gateway will be applied to the proxy running on a pod with labels app: my-gateway-controller. While Istio will configure the proxy to listen on these ports, it is the responsibility of the user to ensure that external traffic to these ports are allowed into the mesh.

You can find an example of redirecting to https. http://uk.bookinfo.com will be redirected to https://uk.bookinfo.com (i.e. 80 redirects to 443).

apiVersion: networking.istio.io/v1beta1
kind: Gateway
metadata:
  name: my-gateway
  namespace: some-config-namespace
spec:
  selector:
    app: my-gateway-controller
  servers:
  - port:
      number: 80
      name: http
      protocol: HTTP
    hosts:
    - uk.bookinfo.com
    - eu.bookinfo.com
    tls:
      httpsRedirect: true # sends 301 redirect for http requests
  - port:
      number: 443
      name: https-443
      protocol: HTTPS
    hosts:
    - uk.bookinfo.com
    - eu.bookinfo.com
    tls:
      mode: SIMPLE # enables HTTPS on this port
      serverCertificate: /etc/certs/servercert.pem
      privateKey: /etc/certs/privatekey.pem
  - port:
      number: 9443
      name: https-9443
      protocol: HTTPS
    hosts:
    - "bookinfo-namespace/*.bookinfo.com"
    tls:
      mode: SIMPLE # enables HTTPS on this port
      credentialName: bookinfo-secret # fetches certs from Kubernetes secret
  - port:
      number: 9080
      name: http-wildcard
      protocol: HTTP
    hosts:
    - "*"
  - port:
      number: 2379 # to expose internal service via external port 2379
      name: mongo
      protocol: MONGO
    hosts:
    - "*"

This is the Server configuration:

apiVersion: networking.istio.io/v1beta1
kind: Gateway
metadata:
  name: my-ingress
spec:
  selector:
    app: my-ingressgateway
  servers:
  - port:
      number: 80
      name: http2
      protocol: HTTP2
    hosts:
    - "*"

You can also find an example TLS configuration for port 443:

apiVersion: networking.istio.io/v1beta1
kind: Gateway
metadata:
  name: my-tls-ingress
spec:
  selector:
    app: my-tls-ingressgateway
  servers:
  - port:
      number: 443
      name: https
      protocol: HTTPS
    hosts:
    - "*"
    tls:
      mode: SIMPLE
      serverCertificate: /etc/certs/server.pem
      privateKey: /etc/certs/privatekey.pem

You can try adding a response header in the VirtualService, with the key location and the value "https://testredirect.com".

redirect:
  authority: "testredirect.com"
headers:
  response:
    set:
      location: "https://testredirect.com"

Here is what worked for me.

- match:
  - authority:
      exact: test.com
  redirect:
    authority: testredirect.com
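
An added example, not part of any answer above: the VirtualService from the question with the redirect's `scheme` field set, so the `Location` header points at https://testredirect.com even though the request reaches the gateway as plain HTTP on port 80. It assumes the Istio version in use supports `scheme` on `HTTPRedirect`; the resource names are the ones from the question.

```yaml
# Added example: redirect http://test.com/<path> to https://testredirect.com/<path>.
# Assumption: the installed Istio version supports HTTPRedirect.scheme.
apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
  name: test
spec:
  gateways:
  - test                  # the Gateway from the question, listening on port 80
  hosts:
  - test.com
  http:
  - match:
    - authority:
        exact: test.com   # only redirect requests addressed to test.com
    redirect:
      # Without scheme, the redirect keeps the scheme of the incoming request.
      # TLS is terminated at the load balancer, so the gateway sees http and
      # would send clients to http://testredirect.com.
      scheme: https
      authority: testredirect.com
      redirectCode: 302
```

To check the result, send a request with `Host: test.com` to the ingress gateway address and confirm that the response is a 302 whose `location` header starts with `https://testredirect.com`.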