Kubernetes Istio Gateway + cert-manager + letsencrypt certificate

Tags: kubernetes, ssl-certificate, google-kubernetes-engine, istio, cert-manager

Based on

I'm using GKE 1.13.6-GKE.6 + Istio 1.1.3-GKE.0, installed from the cluster add-on.

I followed the same steps to install cert_manager and to create the issuer and the certificate I need:

Issuer

In Chrome the page cannot be reached, with the error message ERR_CONNECTION_RESET.

However, if I change the gateway's tls settings to use a filesystem-based self-signed certificate, like:

    tls:
      mode: PASSTHROUGH
      serverCertificate: /etc/istio/ingressgateway-certs/tls.crt
      privateKey: /etc/istio/ingressgateway-certs/tls.key
the site is reachable. So I suspect something is wrong with the credentialName setting: the gateway does not seem to be able to fetch the certificate resource in order to start the connection.


Any suggestions on what to check or how to debug this would be much appreciated.

I finally figured it out, and these helped a lot:

  • Install Istio (v1.1.8) from scratch instead of using the add-on (v1.1.3)
  • Make sure to use --set gateways.istio-ingressgateway.sds.enabled=true during the installation
  • Set istio-injection=enabled on the namespace where the Envoy proxies are to be created
  • Increase the node capacity appropriately to host Istio. At least a 4-node cluster with a 2-vCPU machine type is needed
  • Finally, remove the manual TLS certificate from the NodeApp I deployed, since Istio handles TLS and mTLS is not enabled yet
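The answer above boils down to a handful of preconditions for a Gateway that terminates TLS through SDS (mode SIMPLE plus credentialName): the SDS agent must actually be running in the ingress gateway pod, the secret must exist in that pod's namespace, and it must carry a key pair the agent recognises. The checker below is an added example, not code from the original post, from Istio or from cert-manager. It works on plain dicts shaped like `kubectl get <kind> -o json` output, so it runs offline against the constructed samples embedded in it (the Gateway from the question, a cert-manager style secret and two possible container lists for the gateway pod). Two things in it are assumptions to verify against your Istio version: that the SDS sidecar is the container named `ingress-sds` (the name used by the Istio 1.1 Helm chart when `gateways.istio-ingressgateway.sds.enabled=true`), and that the Istio 1.1 SDS task documents a generic secret with `cert`/`key` entries rather than the `tls.crt`/`tls.key` pair cert-manager writes.

```python
"""Pre-flight checks for an Istio Gateway that terminates TLS via SDS.

Added example (not from the original post, Istio or cert-manager).  Input is
plain dicts as returned by `kubectl get <kind> -o json`; the samples at the
bottom are constructed to mirror the objects posted in the question.
"""
from typing import Dict, List, Tuple

Finding = Tuple[str, str]          # (code, human-readable message)

# Assumption: container name the Istio 1.1 Helm chart uses for the SDS agent
# in the ingress gateway pod when sds.enabled=true.
SDS_CONTAINER = "ingress-sds"
# Key pairs accepted in the credential secret: kubernetes.io/tls (what
# cert-manager writes) and the generic cert/key pair used by the Istio 1.1 task.
TLS_KEY_PAIRS = (("tls.crt", "tls.key"), ("cert", "key"))


def check_sds_gateway(gateway: Dict, secrets: Dict[Tuple[str, str], Dict],
                      gateway_ns: str, gateway_containers: List[str]) -> List[Finding]:
    """Return the problems that would leave the HTTPS port without a certificate.

    secrets: {(namespace, name): secret object}
    gateway_ns: namespace of the ingress gateway *pod* selected by spec.selector
                (the secret must live there, not where the Gateway object lives)
    gateway_containers: container names of that pod
    An empty result means every SDS precondition this check knows about is met.
    """
    findings: List[Finding] = []
    servers = gateway.get("spec", {}).get("servers", [])
    if not servers:
        return [("NO_SERVERS", "Gateway has no servers; nothing listens for TLS")]

    for srv in servers:
        tls = srv.get("tls") or {}
        cred = tls.get("credentialName")
        if tls.get("mode") not in ("SIMPLE", "MUTUAL") or not cred:
            continue                       # PASSTHROUGH or file-mounted certs: not SDS
        port = srv.get("port", {}).get("number")

        # 1. SDS is opt-in.  Without the agent the gateway never receives the
        #    secret, so the listener has no cert and TLS clients get a reset.
        if SDS_CONTAINER not in gateway_containers:
            findings.append(("SDS_AGENT_MISSING",
                             f"port {port}: credentialName={cred} but no '{SDS_CONTAINER}' "
                             "container in the ingress gateway pod (install with "
                             "--set gateways.istio-ingressgateway.sds.enabled=true)"))

        # 2. The secret must exist in the gateway pod's namespace ...
        secret = secrets.get((gateway_ns, cred))
        if secret is None:
            findings.append(("SECRET_MISSING",
                             f"port {port}: secret {gateway_ns}/{cred} not found"))
        else:
            # ... and carry a key pair the SDS agent knows how to read.
            data = secret.get("data") or {}
            if not any(c in data and k in data for c, k in TLS_KEY_PAIRS):
                findings.append(("SECRET_KEYS",
                                 f"secret {gateway_ns}/{cred} has keys {sorted(data)}; "
                                 "expected tls.crt/tls.key or cert/key"))

        # 3. File paths next to credentialName make the intent ambiguous.
        for field in ("serverCertificate", "privateKey"):
            if str(tls.get(field, "")).startswith("/"):
                findings.append(("FILE_PATH_WITH_SDS",
                                 f"port {port}: tls.{field} is a file path while "
                                 "credentialName is set; use one mechanism only"))
    return findings


# ---- constructed samples mirroring the objects posted in the question ----
GATEWAY = {
    "apiVersion": "networking.istio.io/v1alpha3", "kind": "Gateway",
    "metadata": {"name": "dreamy-plum-bee-gtw", "namespace": "istio-system"},
    "spec": {
        "selector": {"istio": "ingressgateway"},
        "servers": [{
            "hosts": ["dreamy-plum-bee.somewhere.net"],
            "port": {"name": "https", "number": 443, "protocol": "HTTPS"},
            "tls": {"credentialName": "dreamy-plum-bee-certificate", "mode": "SIMPLE",
                    "privateKey": "sds", "serverCertificate": "sds"},
        }],
    },
}
# cert-manager writes a kubernetes.io/tls secret; values are placeholders here.
SECRETS = {
    ("istio-system", "dreamy-plum-bee-certificate"): {
        "type": "kubernetes.io/tls",
        "data": {"tls.crt": "LS0t...", "tls.key": "LS0t..."},
    },
}
ADDON_CONTAINERS = ["istio-proxy"]                 # gateway pod without SDS enabled
SDS_CONTAINERS = ["ingress-sds", "istio-proxy"]    # gateway pod with sds.enabled=true

if __name__ == "__main__":
    for label, containers in (("add-on install", ADDON_CONTAINERS),
                              ("sds.enabled=true", SDS_CONTAINERS)):
        print(label, check_sds_gateway(GATEWAY, SECRETS, "istio-system", containers) or "OK")
```

To run it against a live cluster, replace the samples with `json.load`ed output of `kubectl get gateway ... -o json`, `kubectl get secret -n istio-system -o json` (indexed by namespace and name) and the container names from `kubectl get pod -n istio-system -l istio=ingressgateway -o jsonpath='{.items[0].spec.containers[*].name}'`. An `openssl s_client` that reads 0 bytes and reports `write:errno=54` on the HTTPS port, as in the question, is the symptom these checks are meant to explain.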

What is NodeApp? Do you mean the SDS agent?
$ kubectl describe certificate dreamy-plum-bee-certificate -n istio-system
Name:         dreamy-plum-bee-certificate
Namespace:    istio-system
Labels:       <none>
Annotations:  kubectl.kubernetes.io/last-applied-configuration={"apiVersion":"certmanager.k8s.io/v1alpha1","kind":"Certificate","metadata":{"annotations":{},"name":"dreamy-plum-bee-certificate","namespace":"istio-s...
API Version:  certmanager.k8s.io/v1alpha1
Kind:         Certificate
Metadata:
  Creation Timestamp:  2019-06-14T03:24:43Z
  Generation:          3
  Resource Version:    10048432
  Self Link:           /apis/certmanager.k8s.io/v1alpha1/namespaces/istio-system/certificates/dreamy-plum-bee-certificate
  UID:                 f3ed9f15-8e53-11e9-9ba7-42010a9801a6
Spec:
  Acme:
    Config:
      Domains:
        dreamy-plum-bee.somewhere.net
      Http 01:
        Ingress Class:  istio
  Common Name:          dreamy-plum-bee.somewhere.net
  Dns Names:
    dreamy-plum-bee.somewhere.net
  Issuer Ref:
    Name:       letsencrypt-prod
  Secret Name:  dreamy-plum-bee-certificate
Status:
  Conditions:
    Last Transition Time:  2019-06-14T03:25:12Z
    Message:               Certificate is up to date and has not expired
    Reason:                Ready
    Status:                True
    Type:                  Ready
  Not After:               2019-09-12T02:25:10Z
Events:                    <none>
$ kubectl describe gateway dreamy-plum-bee-gtw -n istio-system
Name:         dreamy-plum-bee-gtw
Namespace:    istio-system
Labels:       k8s-app=istio
Annotations:  <none>
API Version:  networking.istio.io/v1alpha3
Kind:         Gateway
Metadata:
  Creation Timestamp:  2019-06-14T06:08:13Z
  Generation:          1
  Resource Version:    10084555
  Self Link:           /apis/networking.istio.io/v1alpha3/namespaces/istio-system/gateways/dreamy-plum-bee-gtw
  UID:                 cabffdf1-8e6a-11e9-9ba7-42010a9801a6
Spec:
  Selector:
    Istio:  ingressgateway
  Servers:
    Hosts:
      dreamy-plum-bee.somewhere.net
    Port:
      Name:      https
      Number:    443
      Protocol:  HTTPS
    Tls:
      Credential Name:     dreamy-plum-bee-certificate
      Mode:                SIMPLE
      Private Key:         sds
      Server Certificate:  sds
Events:                    <none>

$ kubectl get gateway dreamy-plum-bee-gtw -n istio-system -o yaml
apiVersion: networking.istio.io/v1alpha3
kind: Gateway
metadata:
  creationTimestamp: 2019-06-14T06:08:13Z
  generation: 1
  labels:
    k8s-app: istio
  name: dreamy-plum-bee-gtw
  namespace: istio-system
  resourceVersion: "10084555"
  selfLink: /apis/networking.istio.io/v1alpha3/namespaces/istio-system/gateways/dreamy-plum-bee-gtw
  uid: cabffdf1-8e6a-11e9-9ba7-42010a9801a6
spec:
  selector:
    istio: ingressgateway
  servers:
  - hosts:
    - dreamy-plum-bee.somewhere.net
    port:
      name: https
      number: 443
      protocol: HTTPS
    tls:
      credentialName: dreamy-plum-bee-certificate
      mode: SIMPLE
      privateKey: sds
      serverCertificate: sds
$ openssl s_client -connect dreamy-plum-bee.somewhere.net:443
CONNECTED(00000005)
write:errno=54
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 0 bytes and written 0 bytes
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : 0000
    Session-ID:
    Session-ID-ctx:
    Master-Key:
    Start Time: 1560492782
    Timeout   : 7200 (sec)
    Verify return code: 0 (ok)
---