Cannot access an HTTPS service via istio-ingress

Problem description   Votes: 0   Answers: 1

I am new to Istio. I tried to configure the Istio ingress in k8s, but I cannot access the service through istio-ingress. How do I configure the Istio ingress service?

Problem

# curl https://192.168.4.241
curl: (7) Failed to connect to 192.168.4.241 port 443: Connection refused

My service is deployed as follows (smartapigw-httpd is HTTPS).

# kubectl get po smartapigw-httpd -n smartapigw --show-labels
NAME               READY   STATUS    RESTARTS   AGE     LABELS
smartapigw-httpd   2/2     Running   0          3h22m   app.kubernetes.io/managed-by=Helm,app=smartapigw-httpd,io.kompose.service=smartapigw-httpd,security.istio.io/tlsMode=istio,service.istio.io/canonical-name=smartapigw-httpd,service.istio.io/canonical-revision=latest

$ kubectl get po,svc -n smartapigw 
... 
pod/smartapigw-httpd          2/2     Running            0                166m 
...
service/smartapigw-httpd           NodePort    10.101.227.150   <none> 18443:31285/TCP   166m

The istio-ingress pod is deployed as follows.

$ kubectl get po -n istio-system --show-labels
...
istio-ingressgateway-5ff4fb69fc-trmht   1/1     Running            0                 28h   app=istio-ingressgateway,chart=gateways,heritage=Tiller,install.operator.istio.io/owning-resource=unknown,istio.io/rev=default,istio=ingressgateway,operator.istio.io/component=IngressGateways,pod-template-hash=5ff4fb69fc,release=istio,service.istio.io/canonical-name=istio-ingressgateway,service.istio.io/canonical-revision=latest,sidecar.istio.io/inject=false
istiod-6d79fdc756-lr5zv
...

The istio ingressgateway service is deployed as follows.

$ kubectl get svc -n istio-system
istio-ingressgateway   LoadBalancer   10.110.145.103   192.168.4.241   15021:32010/TCP,80:31631/TCP,443:30495/TCP       28h

Then I tried the following configuration.

Gateway configuration

# cat istio-smartapigw-gateway.yml
apiVersion: networking.istio.io/v1alpha3
kind: Gateway
metadata:
  name: smartagigw-gateway
  namespace: smartapigw
spec:
  selector:
    istio: ingressgateway  # istio=ingressgateway in istio-ingressgateway pod's label
  servers:
  - port:
      number: 443
      name: https
      protocol: HTTPS
    hosts:
    - "*"
    tls:
      mode: PASSTHROUGH  # smartapigw-httpd service's protocol is already https

# kubectl apply -f istio-smartapigw-gateway.yml

VirtualService configuration

# cat istio-smartapigw-virtualservice.yml
apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
  name: smartapigw
  namespace: smartapigw
spec:
  hosts:
  - "*"
  gateways:
  - smartagigw-gateway
  http:
  - match:
    - uri:
        prefix: /
    route:
    - destination:
        host: smartapigw-httpd  # same with label "app=smartapigw-httpd" in pod
        port:
          number: 18443         # node port 

# kubectl apply -f istio-smartapigw-virtualservice.yml

The Istio Gateway and VirtualService were applied as follows.

# kubectl get gateway -n smartapigw
NAME                 AGE
smartagigw-gateway   138m

# kubectl get virtualservice -n smartapigw
NAME         GATEWAYS                 HOSTS   AGE
smartapigw   ["smartagigw-gateway"]   ["*"]   131m

1 Answer
0 votes

I solved the problem by following https://preliminary.istio.io/latest/docs/tasks/traffic-management/ingress/ingress-sni-passthrough/

The VirtualService definition was changed as follows. The VirtualService protocol should be changed to tls instead of http.

apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
  name: smartapigw
  namespace: smartapigw
spec:
  hosts:
  - "*"
  gateways:
  - smartagigw-gateway
  tls:
  - match:
    - port: 443
      sniHosts:
      - "*"
    route:
    - destination:
        host: smartapigw-httpd.smartapigw.svc.cluster.local
        port:
          number: 18443
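
The mismatch resolved in this thread can be checked mechanically. The following Python lint is an added example, not part of the original question or answer: it reports a Gateway server in PASSTHROUGH mode that no bound VirtualService routes with a tls/sniHosts rule. The function names and the inline sample objects (modelled on the manifests above, in `kubectl get ... -o json` shape) are constructed for illustration.

```python
def passthrough_ports(gateway):
    """Ports of Gateway servers whose tls.mode is PASSTHROUGH."""
    return {
        s["port"]["number"]
        for s in gateway["spec"].get("servers", [])
        if s.get("tls", {}).get("mode") == "PASSTHROUGH"
    }

def bound_to(vs, gateway):
    """True if the VirtualService lists the gateway as `name` or `namespace/name`."""
    gw_ns, gw_name = gateway["metadata"]["namespace"], gateway["metadata"]["name"]
    vs_ns = vs["metadata"].get("namespace", "default")
    for ref in vs["spec"].get("gateways", []):
        ns, _, name = ref.rpartition("/")  # a bare name means the VirtualService's namespace
        if name == gw_name and (ns or vs_ns) == gw_ns:
            return True
    return False

def check_passthrough(gateway, virtual_services):
    """One finding per PASSTHROUGH port that no bound VirtualService routes via `tls`."""
    findings = []
    bound = [vs for vs in virtual_services if bound_to(vs, gateway)]
    for port in sorted(passthrough_ports(gateway)):
        # The gateway does not decrypt passthrough traffic, so only SNI-based rules apply.
        routed = any(
            m.get("port", port) == port and m.get("sniHosts")
            for vs in bound
            for rule in vs["spec"].get("tls", [])
            for m in rule.get("match", [])
        )
        if routed:
            continue
        http_only = [vs["metadata"]["name"] for vs in bound if vs["spec"].get("http")]
        hint = f"; {http_only} only define http routes" if http_only else ""
        findings.append(f"port {port}: PASSTHROUGH server has no tls/sniHosts route{hint}")
    return findings

# Constructed sample input mirroring the objects shown on this page.
GATEWAY = {"metadata": {"name": "smartagigw-gateway", "namespace": "smartapigw"},
           "spec": {"servers": [{"port": {"number": 443, "name": "https", "protocol": "HTTPS"},
                                 "hosts": ["*"], "tls": {"mode": "PASSTHROUGH"}}]}}
DEST = {"destination": {"host": "smartapigw-httpd.smartapigw.svc.cluster.local", "port": {"number": 18443}}}
META = {"name": "smartapigw", "namespace": "smartapigw"}
VS_HTTP = {"metadata": META, "spec": {"hosts": ["*"], "gateways": ["smartagigw-gateway"],
           "http": [{"match": [{"uri": {"prefix": "/"}}], "route": [DEST]}]}}
VS_TLS = {"metadata": META, "spec": {"hosts": ["*"], "gateways": ["smartagigw-gateway"],
          "tls": [{"match": [{"port": 443, "sniHosts": ["*"]}], "route": [DEST]}]}}

if __name__ == "__main__":
    print(check_passthrough(GATEWAY, [VS_HTTP]))  # the question's VirtualService
    print(check_passthrough(GATEWAY, [VS_TLS]))   # the answer's VirtualService
```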