Unable to connect to an HTTPS service using an Istio Gateway and VirtualService

Time: 2018-09-03 10:02:29

Tags: kubernetes ssl-certificate tls1.2 istio

As I am new to Istio, my whole team and I would be grateful if we could get some help here.

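Problem: I have followed the document below to create the certificates and to create a secret in k8s using the application certificate and key: https://istio.io/docs/tasks/traffic-management/secure-ingress/#troubleshooting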

After this, I restarted the istio-ingressgateway pod so that it would load the certificates. In any case, I can see them inside the pod when I exec into it.

I have added the following annotation to the istio-ingressgateway service to use the domain name: * external-dns.alpha.kubernetes.io/hostname: .byom-i344382.xxx.xxx.xxx.xxx.com

My VirtualService and Gateway resources look as follows; they are in the "default" namespace:

    apiVersion: networking.istio.io/v1alpha3
    kind: Gateway
    metadata:
      name: ms-is-gateway
    spec:
      selector:
        istio: ingressgateway # use istio default controller
      servers:
      - port:
          number: 443
          name: https
          protocol: HTTPS
        tls:
          mode: SIMPLE
          serverCertificate: /etc/istio/ingressgateway-certs/tls.crt
          privateKey: /etc/istio/ingressgateway-certs/tls.key
        hosts:
        - "ms-1234.byom-i344382.xxx.xxx.xxx.xxx.com"
    ---
    apiVersion: networking.istio.io/v1alpha3
    kind: VirtualService
    metadata:
      name: ms-is
    spec:
      hosts:
      - "ms-1234.byom-i344382.xxx.xxx.xxx.xxx.com"
      gateways:
      - ms-is-gateway
      http:
      - match:
        - uri:
            exact: /api/v2/predict
        route:
        - destination:
            host: mlf-is
            port:
              number: 53547

Please note that the mlf-is service is also in the default namespace. Only the istio-ingressgateway is in the istio-system namespace.

Expected behaviour: When I hit https://ms-1234.byom-i344382.xxx.xxx.xxx.xxx.com/api/v2/predict from POSTMAN, I should be able to consume the ms-is service. However, I am not able to consume the service.

Even the curl command below fails:

    curl -v --cacert /home/vagrant/exmaple/mtls-go-example/2_intermediate/certs/ca-chain.cert.pem https://ms-1234.byom-i344382.xxx.xxx.xxx.xxx.com:443/api/v2/predict

Error from curl:

    Trying 18.195.217.210...
    * TCP_NODELAY set
    * Connected to ms-1234.byom-i344382.xxx.xxx.xxx.xxx.com (18.195.217.210) port 443 (#0)
    * ALPN, offering http/1.1
    * Cipher selection: ALL:!EXPORT:!EXPORT40:!EXPORT56:!aNULL:!LOW:!RC4:@STRENGTH
    * successfully set certificate verify locations:
    * CAfile: /home/vagrant/exmaple/mtls-go-example/2_intermediate/certs/ca-chain.cert.pem
    CApath: none
    * TLSv1.2 (OUT), TLS header, Certificate Status (22):
    * TLSv1.2 (OUT), TLS handshake, Client hello (1):
    * OpenSSL SSL_connect: SSL_ERROR_SYSCALL in connection to ms-1234.byom-i344382.xxx.xxx.xxx.xxx.com:443
    * Closing connection 0
    curl: (35) OpenSSL SSL_connect: SSL_ERROR_SYSCALL in connection to ms-1234.byom-i344382.xxx.xxx.xxx.xxx.com:443

Versions: Istio version: 1.0.1 and Kubernetes: 1.0.9

Is Istio Auth enabled? istio.yaml is installed.

Environment: The cloud provider is AWS.

0 answers:

No answers