我有一个 grpc asp.net 服务器,位于 istio 入口网关后面。 grpc 请求在使用 TCP 作为网关协议时有效,但如果协议设置为 HTTPS,则会失败。我正在尝试使用 istio 终止 ssl/tls grpc 请求,但到目前为止还没有运气。
# working tcp gateway
apiVersion: networking.istio.io/v1beta1
kind: Gateway
metadata:
name: gateway
namespace: testing
spec:
selector:
istio: ingress # using istio ingress gateway
servers:
- port:
number: 9093
name: tcp-9093
protocol: TCP
hosts:
- "mydomain.com"
# failing https gateway
apiVersion: networking.istio.io/v1beta1
kind: Gateway
metadata:
name: gateway
namespace: testing
spec:
selector:
istio: ingress # use istio ingress gateway
servers:
- port:
number: 9093
name: https-9093
protocol: HTTPS
hosts:
- "mydomain.com"
tls:
mode: SIMPLE
credentialName: my_tls_cred_secret
下面是客户端通过 https 获得的响应
StatusCode="Unavailable", Detail="上游连接错误或在标头之前断开/重置。重置原因:远程重置"
下面是来自 istio 入口网关控制器的日志
[2023-08-09T08:22:26.459Z] "POST /greet.Greeter/SayHello HTTP/2" 200 UR upload_reset_before_response_started{remote_reset} - "-" 12 0 2 - “91.145.126.17”“grpc-dotnet/2.54.0(.NET 7.0.9;CLR 7.0.9;net7.0;osx;x64)”“706488d1-1954-4dc5-a252-d1df34a23576”“mydomain.com: 9093" "10.244.0.41:5001" 出站|5001||app-svc.testing.svc.cluster.local 10.244.0.12:35426 10.244.0.12:9093 91.145.126.17:62974 mydomain.com -
版本:
这似乎是因为
:schemeKestrelServerOptions.AllowAlternate = trueWebApplicationBuilder builder = WebApplication.CreateBuilder(args);
builder.Services.AddGrpc()
builder.WebHost.ConfigureKestrel(options =>
{
options.AllowAlternateSchemes = true;
});