使用 API 网关的 Openshift TLS 配置
Openshift TLS configuration with API Gateway
我正在尝试使用 Istio 作为服务网格在 Openshift 上部署一个 angular 应用程序。服务 yaml:
- apiVersion: v1
kind: Service
metadata:
labels:
app: angularapp
service: angularapp
version: v1
name: angularapp
spec:
ports:
- name: http
protocol: TCP
port: 8080
targetPort: 8080
selector:
name: angularapp
到目前为止一切都适用于 http 连接。为了更改为 https 连接,我将 Red Hat Openshift Service Mesh operator 安装提供的 istio-ingressgateway 路由配置为使用 passthrough
spec:
host: istio-ingressgateway-istio-system.apps.xxx.xx.xxxxxxx.opentlc.com
tls:
insecureEdgeTerminationPolicy: None
termination: passthrough
和 istio 的网关资源:
apiVersion: networking.istio.io/v1alpha3
kind: Gateway
metadata:
name: testnamespace-gateway
spec:
selector:
istio: ingressgateway # use istio default controller
servers:
- port:
number: 443
name: https
protocol: HTTPS
tls:
mode: SIMPLE
credentialName: "router-certs"
hosts:
- "*"
VirtualService 指向 angular 应用的 8080 端口:
route:
- destination:
host: angularapp
port:
number: 8080
问题:TLS 配置有效,暴露的 istio 入口网关 URL 确实有 https 连接。但是,API 网关在向提到的 istio URL:
发出请求时发出此错误
Execution failed due to configuration error: Unrecognized SSL message, plaintext connection?
奇怪的是它只发生一半,另一半有效,即使在每次 运行 后清除浏览器缓存后也是如此。请注意,只有 istio 入口网关 URL 具有 https 连接,而作为独立服务的 angular 应用程序仅具有 http.
抱歉这个冗长的问题,希望能在这里得到一些帮助。谢谢!
With passthrough termination, encrypted traffic is sent straight to
the destination without the router providing TLS termination.
Therefore no key or certificate is required.
因为您的后端服务是 http,所以您应该使用
在边缘终止 SSL
termination: edge
参考:https://docs.openshift.com/container-platform/3.9/architecture/networking/routes.html
通过添加段解决了这个问题:
port:
targetPort: https
tls:
termination: passthrough
到 istio 入口路由配置,因为 istio 入口服务默认配置侦听端口名称:https
name: https
port: 443
protocol: TCP
targetPort: 8080
我正在尝试使用 Istio 作为服务网格在 Openshift 上部署一个 angular 应用程序。服务 yaml:
- apiVersion: v1
kind: Service
metadata:
labels:
app: angularapp
service: angularapp
version: v1
name: angularapp
spec:
ports:
- name: http
protocol: TCP
port: 8080
targetPort: 8080
selector:
name: angularapp
到目前为止一切都适用于 http 连接。为了更改为 https 连接,我将 Red Hat Openshift Service Mesh operator 安装提供的 istio-ingressgateway 路由配置为使用 passthrough
spec:
host: istio-ingressgateway-istio-system.apps.xxx.xx.xxxxxxx.opentlc.com
tls:
insecureEdgeTerminationPolicy: None
termination: passthrough
和 istio 的网关资源:
apiVersion: networking.istio.io/v1alpha3
kind: Gateway
metadata:
name: testnamespace-gateway
spec:
selector:
istio: ingressgateway # use istio default controller
servers:
- port:
number: 443
name: https
protocol: HTTPS
tls:
mode: SIMPLE
credentialName: "router-certs"
hosts:
- "*"
VirtualService 指向 angular 应用的 8080 端口:
route:
- destination:
host: angularapp
port:
number: 8080
问题:TLS 配置有效,暴露的 istio 入口网关 URL 确实有 https 连接。但是,API 网关在向提到的 istio URL:
发出请求时发出此错误Execution failed due to configuration error: Unrecognized SSL message, plaintext connection?
奇怪的是它只发生一半,另一半有效,即使在每次 运行 后清除浏览器缓存后也是如此。请注意,只有 istio 入口网关 URL 具有 https 连接,而作为独立服务的 angular 应用程序仅具有 http.
抱歉这个冗长的问题,希望能在这里得到一些帮助。谢谢!
With passthrough termination, encrypted traffic is sent straight to the destination without the router providing TLS termination. Therefore no key or certificate is required.
因为您的后端服务是 http,所以您应该使用
在边缘终止 SSLtermination: edge
参考:https://docs.openshift.com/container-platform/3.9/architecture/networking/routes.html
通过添加段解决了这个问题:
port:
targetPort: https
tls:
termination: passthrough
到 istio 入口路由配置,因为 istio 入口服务默认配置侦听端口名称:https
name: https
port: 443
protocol: TCP
targetPort: 8080