Kubernetes Istio网关&x2B;证书管理器&x2B;letsencrypt证书
基于 我使用的是从集群插件安装的GKE 1.13.6-GKE.6+Istio 1.1.3-GKE.0 按照相同的步骤安装cert_manager并创建我需要的颁发者和证书: 发行人 在Chrome浏览器中,它无法访问带有ERR_CONNECTION_RESET错误消息的页面 但是,如果我使用基于文件系统的自签名证书更改网关的tls设置,如:Kubernetes Istio网关&x2B;证书管理器&x2B;letsencrypt证书,kubernetes,ssl-certificate,google-kubernetes-engine,istio,cert-manager,Kubernetes,Ssl Certificate,Google Kubernetes Engine,Istio,Cert Manager,基于 我使用的是从集群插件安装的GKE 1.13.6-GKE.6+Istio 1.1.3-GKE.0 按照相同的步骤安装cert_manager并创建我需要的颁发者和证书: 发行人 在Chrome浏览器中,它无法访问带有ERR_CONNECTION_RESET错误消息的页面 但是,如果我使用基于文件系统的自签名证书更改网关的tls设置,如: tls: mode: PASSTHROUGH serverCertificate: /etc/istio/ingressga
tls:
mode: PASSTHROUGH
serverCertificate: /etc/istio/ingressgateway-certs/tls.crt
privateKey: /etc/istio/ingressgateway-certs/tls.key
该站点是可访问的。因此,我怀疑credentialName设置有问题。网关似乎无法获取证书资源来启动连接
如有任何建议,如检查/调试等,将不胜感激 我终于明白了,而且帮了大忙
- 从头开始安装Istio(v1.1.8),而不是使用插件(v1.1.3)
- 确保在安装过程中使用--set gateways.istio ingresgateway.sds.enabled=true
- Enable istio injection=在要创建的特使代理的命名空间上启用
- 适当增加节点容量以承载Istio。至少需要一个具有2个vCPU机器类型的4节点群集
- 最后,从我部署的NodeApp中删除手动TLS证书,因为Istio处理TLS,而mTLS尚未启用
$ kubectl describe certificate dreamy-plum-bee-certificate -n istio-system
Name: dreamy-plum-bee-certificate
Namespace: istio-system
Labels: <none>
Annotations: kubectl.kubernetes.io/last-applied-configuration={"apiVersion":"certmanager.k8s.io/v1alpha1","kind":"Certificate","metadata":{"annotations":{},"name":"dreamy-plum-bee-certificate","namespace":"istio-s...
API Version: certmanager.k8s.io/v1alpha1
Kind: Certificate
Metadata:
Creation Timestamp: 2019-06-14T03:24:43Z
Generation: 3
Resource Version: 10048432
Self Link: /apis/certmanager.k8s.io/v1alpha1/namespaces/istio-system/certificates/dreamy-plum-bee-certificate
UID: f3ed9f15-8e53-11e9-9ba7-42010a9801a6
Spec:
Acme:
Config:
Domains:
dreamy-plum-bee.somewhere.net
Http 01:
Ingress Class: istio
Common Name: dreamy-plum-bee.somewhere.net
Dns Names:
dreamy-plum-bee.somewhere.net
Issuer Ref:
Name: letsencrypt-prod
Secret Name: dreamy-plum-bee-certificate
Status:
Conditions:
Last Transition Time: 2019-06-14T03:25:12Z
Message: Certificate is up to date and has not expired
Reason: Ready
Status: True
Type: Ready
Not After: 2019-09-12T02:25:10Z
Events: <none>
$ kubectl describe gateway dreamy-plum-bee-gtw -n istio-system
Name: dreamy-plum-bee-gtw
Namespace: istio-system
Labels: k8s-app=istio
Annotations: <none>
API Version: networking.istio.io/v1alpha3
Kind: Gateway
Metadata:
Creation Timestamp: 2019-06-14T06:08:13Z
Generation: 1
Resource Version: 10084555
Self Link: /apis/networking.istio.io/v1alpha3/namespaces/istio-system/gateways/dreamy-plum-bee-gtw
UID: cabffdf1-8e6a-11e9-9ba7-42010a9801a6
Spec:
Selector:
Istio: ingressgateway
Servers:
Hosts:
dreamy-plum-bee.somewhere.net
Port:
Name: https
Number: 443
Protocol: HTTPS
Tls:
Credential Name: dreamy-plum-bee-certificate
Mode: SIMPLE
Private Key: sds
Server Certificate: sds
Events: <none>
$ kubectl get gateway dreamy-plum-bee-gtw -n istio-system -o yaml
apiVersion: networking.istio.io/v1alpha3
kind: Gateway
metadata:
creationTimestamp: 2019-06-14T06:08:13Z
generation: 1
labels:
k8s-app: istio
name: dreamy-plum-bee-gtw
namespace: istio-system
resourceVersion: "10084555"
selfLink: /apis/networking.istio.io/v1alpha3/namespaces/istio-system/gateways/dreamy-plum-bee-gtw
uid: cabffdf1-8e6a-11e9-9ba7-42010a9801a6
spec:
selector:
istio: ingressgateway
servers:
- hosts:
- dreamy-plum-bee.somewhere.net
port:
name: https
number: 443
protocol: HTTPS
tls:
credentialName: dreamy-plum-bee-certificate
mode: SIMPLE
privateKey: sds
serverCertificate: sds
$ $ openssl s_client -connect dreamy-plum-bee.somewhere.net:443
CONNECTED(00000005)
write:errno=54
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 0 bytes and written 0 bytes
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
Protocol : TLSv1.2
Cipher : 0000
Session-ID:
Session-ID-ctx:
Master-Key:
Start Time: 1560492782
Timeout : 7200 (sec)
Verify return code: 0 (ok)
---
tls:
mode: PASSTHROUGH
serverCertificate: /etc/istio/ingressgateway-certs/tls.crt
privateKey: /etc/istio/ingressgateway-certs/tls.key