kubernetes istio之gateway

[root@master istio-1.1.5]# kubectl apply -f samples/httpbin/httpbin.yaml 
service/httpbin created
deployment.extensions/httpbin created
[root@master istio-1.1.5]# 
[root@master istio-1.1.5]# kubectl get svc
NAME           TYPE           CLUSTER-IP       EXTERNAL-IP   PORT(S)        AGE
details        ClusterIP      10.106.209.133   <none>        9080/TCP       23h
httpbin        ClusterIP      10.104.20.107    <none>        8000/TCP       9s
kubernetes     ClusterIP      10.96.0.1        <none>        443/TCP        14d
productpage    ClusterIP      10.96.27.39      <none>        9080/TCP       23h
ratings        ClusterIP      10.109.45.236    <none>        9080/TCP       23h
reviews        ClusterIP      10.102.249.50    <none>        9080/TCP       23h


[root@master istio-1.1.5]# kubectl get pod -o wide
NAME                             READY   STATUS    RESTARTS   AGE     IP             NODE     NOMINATED NODE   READINESS GATES
details-v1-79c6548b59-d8448      1/1     Running   0          23h     10.244.3.186   node02   <none>           <none>
httpbin-5446f4d9b4-jtnzw         1/1     Running   0          3m38s   10.244.1.207   node01   <none>           <none>
ratings-v1-7665579b75-jjvv7      1/1     Running   0          23h     10.244.1.203   node01   <none>           <none>
reviews-v1-67446f7d9b-hrhbj      1/1     Running   0          23h     10.244.1.204   node01   <none>           <none>
reviews-v2-6bc7b4f678-vhjwh      1/1     Running   0          23h     10.244.1.206   node01   <none>           <none>
reviews-v3-59b5b6948-sxxhj       1/1     Running   0          23h     10.244.1.205   node01   <none>           <none>
[root@master istio-1.1.5]# curl 10.104.20.107:8000/headers
{
  "headers": {
    "Accept": "*/*", 
    "Host": "10.104.20.107:8000", 
    "User-Agent": "curl/7.29.0"
  }
}
//httpbin 目前只有 ClusterIP,只能在集群内部访问,集群外部无法访问

//创建网关,让集群外部也可以访问
[root@master istio-1.1.5]# kubectl apply -f samples/httpbin/httpbin-gateway.yaml 
gateway.networking.istio.io/httpbin-gateway created
virtualservice.networking.istio.io/httpbin created
[root@master istio-1.1.5]# kubectl get gateway
NAME               AGE
bookinfo-gateway   23h
httpbin-gateway    3m15s
[root@master istio-1.1.5]# kubectl get virtualservice
NAME       GATEWAYS             HOSTS       AGE
bookinfo   [bookinfo-gateway]   [*]         23h
httpbin    [httpbin-gateway]    [*]         5m22s
reviews                         [reviews]   18h

 

生成证书

https://istio.io/docs/tasks/traffic-management/secure-ingress/#generate-clinet-and-server-certificates-and-keys

[root@master istio-1.1.5]# wget https://github.com/nicholasjackson/mtls-go-example/archive/master.zip
[root@master istio-1.1.5]# unzip master.zip 
Archive:  master.zip
85f7453487e47c018961ca11f3526fd3e5d888d9
   creating: mtls-go-example-master/
  inflating: mtls-go-example-master/LICENSE  
  inflating: mtls-go-example-master/README.md  
  inflating: mtls-go-example-master/generate.sh  
  inflating: mtls-go-example-master/intermediate_openssl.cnf  
  inflating: mtls-go-example-master/main.go  
  inflating: mtls-go-example-master/openssl.cnf  
[root@master istio-1.1.5]# ls
bin  install  istio.VERSION  LICENSE  master.zip  mtls-go-example-master  README.md  samples  tools
[root@master istio-1.1.5]# cd mtls-go-example-master/
[root@master mtls-go-example-master]# ls
generate.sh  intermediate_openssl.cnf  LICENSE  main.go  openssl.cnf  README.md
[root@master mtls-go-example-master]# ./generate.sh httpbin.example.com 123456
//出现提示时,对所有问题都回答 y。该命令会生成四个目录:1_root、2_intermediate、3_application 和 4_client,其中包含下面步骤要用到的客户端和服务器证书。
[root@master mtls-go-example-master]# ls
1_root  2_intermediate  3_application  4_client  generate.sh  intermediate_openssl.cnf  LICENSE  main.go  openssl.cnf  README.md
//将生成的四个证书目录移动到名为 httpbin.example.com 的目录中
[root@master mtls-go-example-master]# mkdir ../httpbin.example.com && mv 1_root 2_intermediate 3_application 4_client ../httpbin.example.com
[root@master mtls-go-example-master]# ls ../
bin  httpbin.example.com  install  istio.VERSION  LICENSE  master.zip  mtls-go-example-master  README.md  samples  tools

创建证书 secret

[root@master istio-1.1.5]# kubectl create -n istio-system secret tls istio-ingressgateway-certs --key httpbin.example.com/3_application/private/httpbin.example.com.key.pem --cert httpbin.example.com/3_application/certs/httpbin.example.com.cert.pem
secret/istio-ingressgateway-certs created
//验证 tls.crt 和 tls.key 已经挂载到入口网关 pod 中(secret 名必须是 istio-ingressgateway-certs,网关才会把它挂载到 /etc/istio/ingressgateway-certs):
[root@master istio-1.1.5]# kubectl exec -it -n istio-system $(kubectl -n istio-system get pods -l istio=ingressgateway -o jsonpath='{.items[0].metadata.name}') -- ls -al /etc/istio/ingressgateway-certs
total 4
drwxrwxrwt 3 root root  120 May 25 09:34 .
drwxr-xr-x 1 root root 4096 May 24 08:12 ..
drwxr-xr-x 2 root root   80 May 25 09:34 ..2019_05_25_09_34_54.605006539
lrwxrwxrwx 1 root root   31 May 25 09:34 ..data -> ..2019_05_25_09_34_54.605006539
lrwxrwxrwx 1 root root   14 May 25 09:34 tls.crt -> ..data/tls.crt
lrwxrwxrwx 1 root root   14 May 25 09:34 tls.key -> ..data/tls.key
//删掉之前创建的 HTTP 版 httpbin-gateway 和对应的 virtualservice
[root@master istio-1.1.5]# kubectl delete -f samples/httpbin/httpbin-gateway.yaml 
gateway.networking.istio.io "httpbin-gateway" deleted
virtualservice.networking.istio.io "httpbin" deleted
//创建新的 HTTPS 版 Gateway 和 VirtualService
[root@master istio-1.1.5]# vim samples/httpbin/httpbin-gateway-https.yaml
# Gateway: terminates HTTPS on the default istio ingressgateway for the single
# host httpbin.example.com. The cert/key paths below are where the gateway pod
# mounts the istio-ingressgateway-certs secret created earlier (see the
# `kubectl create secret tls` and `ls -al /etc/istio/ingressgateway-certs` steps).
apiVersion: networking.istio.io/v1alpha3
kind: Gateway
metadata:
  name: httpbin-gateway
spec:
  selector:
    istio: ingressgateway # use istio default ingress gateway
  servers:
  - port:
      number: 443
      name: https
      protocol: HTTPS
    tls:
      # SIMPLE = one-way (server-side) TLS: the gateway presents tls.crt and
      # does not require a client certificate (that would be mode MUTUAL).
      mode: SIMPLE
      serverCertificate: /etc/istio/ingressgateway-certs/tls.crt
      privateKey: /etc/istio/ingressgateway-certs/tls.key
    # Only this hostname is served on 443; the client (curl --cacert ... above)
    # verifies the server certificate against this same name.
    hosts:
    - "httpbin.example.com"
---
# VirtualService: binds the host to the gateway above and forwards only the
# /status and /delay URI prefixes to the httpbin ClusterIP service on port
# 8000; any other path has no route and is not forwarded to httpbin.
apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
  name: httpbin
spec:
  hosts:
  - "httpbin.example.com"
  gateways:
  - httpbin-gateway
  http:
  - match:
    - uri:
        prefix: /status
    - uri:
        prefix: /delay
    route:
    - destination:
        port:
          number: 8000
        host: httpbin
[root@master istio-1.1.5]# kubectl apply -f samples/httpbin/httpbin-gateway-https.yaml 
gateway.networking.istio.io/httpbin-gateway created
virtualservice.networking.istio.io/httpbin created

[root@master istio-1.1.5]# kubectl get gateway
NAME               AGE
bookinfo-gateway   24h
httpbin-gateway    58s
[root@master istio-1.1.5]# kubectl get virtualservice
NAME       GATEWAYS             HOSTS                   AGE
bookinfo   [bookinfo-gateway]   [*]                     24h
httpbin    [httpbin-gateway]    [httpbin.example.com]   70s
reviews                         [reviews]               20h

[root@master istio-1.1.5]# curl -v -HHost:httpbin.example.com --resolve httpbin.example.com:31390:10.0.1.133 --cacert httpbin.example.com/2_intermediate/certs/ca-chain.cert.pem https://httpbin.example.com:31390/status/418
* Added httpbin.example.com:31390:10.0.1.133 to DNS cache
* About to connect() to httpbin.example.com port 31390 (#0)
*   Trying 10.0.1.133...
* Connected to httpbin.example.com (10.0.1.133) port 31390 (#0)
* Initializing NSS with certpath: sql:/etc/pki/nssdb
*   CAfile: httpbin.example.com/2_intermediate/certs/ca-chain.cert.pem
  CApath: none
* SSL connection using TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
* Server certificate:
*     subject: CN=httpbin.example.com,O=Dis,L=Springfield,ST=Denial,C=US
*     start date: May 25 09:24:18 2019 GMT
*     expire date: Jun 03 09:24:18 2020 GMT
*     common name: httpbin.example.com
*     issuer: CN=httpbin.example.com,O=Dis,ST=Denial,C=US
> GET /status/418 HTTP/1.1
> User-Agent: curl/7.29.0
> Accept: */*
> Host:httpbin.example.com
> 
< HTTP/1.1 418 Unknown
< server: istio-envoy
< date: Sat, 25 May 2019 10:12:24 GMT
< x-more-info: http://tools.ietf.org/html/rfc2324
< access-control-allow-origin: *
< access-control-allow-credentials: true
< content-length: 135
< x-envoy-upstream-service-time: 2
< 

    -=[ teapot ]=-

       _...._
     .'  _ _ `.
    | ."` ^ `". _,
    \_;`"---"`|//
      |       ;/
      \_     _/
        `"""`
* Connection #0 to host httpbin.example.com left intact
[root@master istio-1.1.5]# 


转载自www.cnblogs.com/linyouyi/p/10922894.html