Istio 虚拟服务 - 外部 HTTPS 服务的代理
Istio Virtual Service - Proxy to external HTTPS service
我正在尝试将具有指定 URI 前缀的 HTTP 请求代理到外部 HTTPS 服务器。
这个想法是为 NPM 使用 ower 内部 Nexus 存储库管理器,但不要像这个项目 GitHub Project 那样失去 'npm audit' 的能力。应该使用 Istio 来完成,而不是部署额外的应用程序。
我配置了一个虚拟服务和一个服务条目来将流量路由到外部服务。到目前为止,无法将 HTTP 请求转换为 HTTPS 请求。有没有机会做到这一点?
配置:
apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
name: vs-nexus
spec:
hosts:
- "test.com"
gateways:
- gateway-xy
http:
- match:
- uri:
prefix: /-/npm/v1/security/audits/
route:
- destination:
port:
number: 443
host: registry.npmjs.org
- route:
- destination:
port:
number: 80
host: nexus
---
apiVersion: networking.istio.io/v1alpha3
kind: ServiceEntry
metadata:
name: npmjs-ext
spec:
hosts:
- registry.npmjs.org
ports:
- number: 443
name: tls
protocol: tls
resolution: DNS
location: MESH_EXTERNAL
找到解决方案:您需要添加一个采用 TLS 模式的 DestinationRule 'SIMPLE' 以连接到外部 HTTPS 服务。
我将 'npm audit' 请求转发到 public 'registry.npmjs.org' 的问题的整个配置是:
apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
name: vs
spec:
hosts:
- "test.com"
gateways:
- gateway
http:
# Route to npm registry for audit
# Like this: https://github.com/chovyy/npm-audit-proxy
# See: https://istio.io/latest/blog/2019/proxy/
- match:
- uri:
prefix: /-/npm/v1/security
headers:
request:
set:
host: "registry.npmjs.org"
route:
- destination:
port:
number: 443
host: registry.npmjs.org
# This is for custom Nexus repositories: You need to rewrite the route, that the prefix of the repository URL is not forwarded to registry.npmjs.org
- match:
- uri:
prefix: /repository/npm-test-repo/-/npm/v1/security
rewrite:
uri: /-/npm/v1/security
headers:
request:
set:
host: "registry.npmjs.org"
route:
- destination:
port:
number: 443
host: registry.npmjs.org
- route:
- destination:
port:
number: 80
host: nexus
---
apiVersion: networking.istio.io/v1alpha3
kind: ServiceEntry
metadata:
name: npmjs-ext
spec:
hosts:
- registry.npmjs.org
ports:
- number: 443
name: tls
protocol: TLS
resolution: DNS
location: MESH_EXTERNAL
---
apiVersion: networking.istio.io/v1alpha3
kind: DestinationRule
metadata:
name: npmjs-ext
spec:
host: registry.npmjs.org
trafficPolicy:
tls:
mode: SIMPLE
我正在尝试将具有指定 URI 前缀的 HTTP 请求代理到外部 HTTPS 服务器。 这个想法是为 NPM 使用 ower 内部 Nexus 存储库管理器,但不要像这个项目 GitHub Project 那样失去 'npm audit' 的能力。应该使用 Istio 来完成,而不是部署额外的应用程序。
我配置了一个虚拟服务和一个服务条目来将流量路由到外部服务。到目前为止,无法将 HTTP 请求转换为 HTTPS 请求。有没有机会做到这一点?
配置:
apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
name: vs-nexus
spec:
hosts:
- "test.com"
gateways:
- gateway-xy
http:
- match:
- uri:
prefix: /-/npm/v1/security/audits/
route:
- destination:
port:
number: 443
host: registry.npmjs.org
- route:
- destination:
port:
number: 80
host: nexus
---
apiVersion: networking.istio.io/v1alpha3
kind: ServiceEntry
metadata:
name: npmjs-ext
spec:
hosts:
- registry.npmjs.org
ports:
- number: 443
name: tls
protocol: tls
resolution: DNS
location: MESH_EXTERNAL
找到解决方案:您需要添加一个采用 TLS 模式的 DestinationRule 'SIMPLE' 以连接到外部 HTTPS 服务。
我将 'npm audit' 请求转发到 public 'registry.npmjs.org' 的问题的整个配置是:
apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
name: vs
spec:
hosts:
- "test.com"
gateways:
- gateway
http:
# Route to npm registry for audit
# Like this: https://github.com/chovyy/npm-audit-proxy
# See: https://istio.io/latest/blog/2019/proxy/
- match:
- uri:
prefix: /-/npm/v1/security
headers:
request:
set:
host: "registry.npmjs.org"
route:
- destination:
port:
number: 443
host: registry.npmjs.org
# This is for custom Nexus repositories: You need to rewrite the route, that the prefix of the repository URL is not forwarded to registry.npmjs.org
- match:
- uri:
prefix: /repository/npm-test-repo/-/npm/v1/security
rewrite:
uri: /-/npm/v1/security
headers:
request:
set:
host: "registry.npmjs.org"
route:
- destination:
port:
number: 443
host: registry.npmjs.org
- route:
- destination:
port:
number: 80
host: nexus
---
apiVersion: networking.istio.io/v1alpha3
kind: ServiceEntry
metadata:
name: npmjs-ext
spec:
hosts:
- registry.npmjs.org
ports:
- number: 443
name: tls
protocol: TLS
resolution: DNS
location: MESH_EXTERNAL
---
apiVersion: networking.istio.io/v1alpha3
kind: DestinationRule
metadata:
name: npmjs-ext
spec:
host: registry.npmjs.org
trafficPolicy:
tls:
mode: SIMPLE