I have this configuration on my service mesh:
Here is the gw and yaml:
apiVersion: networking.istio.io/v1alpha3
kind: Gateway
metadata:
  name: http-gateway
spec:
  selector:
    istio: ingressgateway # Specify the ingressgateway created for us
  servers:
  - port:
      number: 80 # Service port to watch
      name: http-gateway
      protocol: HTTP
    hosts:
    - "*"
---
apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
  name: simple-web
spec:
  gateways:
  - http-gateway
  hosts:
  - '*'
  http:
  - match:
    - uri:
        prefix: /simple-web
    rewrite:
      uri: /
    route:
    - destination:
        host: simple-web
        port:
          number: 8080
The vs and gw are both in the same namespace. The deployment was created and exposed with these commands:
k create deployment --image=yeasy/simple-web:latest simple-web
k expose deployment simple-web --port=8080 --target-port=80 --name=simple-web
And with k get pods, I get this:
pod/simple-web-9ffc59b4b-n9f85 2/2 Running
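What happens is that from outside, pointing at the ingress gateway load balancer, I receive a 503 HTTP error. If I curl from the ingressgateway pod, I can reach the simple-web service. Why can't I reach the website with mTLS enabled? What is the correct configuration?

I just installed istio-1.3.2 to reproduce your problem, and it worked without any modification. This is what I did:
0.- Created a namespace called istio and enabled automatic sidecar injection.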
1.- $ kubectl run nginx --image nginx -n istio
2.- $ kubectl expose deploy nginx --port 8080 --target-port 80 --name simple-web -n istio
3.- $ kubectl create -f gw.yaml -f vs.yaml
Note: these are your files.
Test:
$ curl a.b.c.d:31380/simple-web -I
HTTP/1.1 200 OK
server: istio-envoy
date: Fri, 11 Oct 2019 10:04:26 GMT
content-type: text/html
content-length: 612
last-modified: Tue, 24 Sep 2019 14:49:10 GMT
etag: "5d8a2ce6-264"
accept-ranges: bytes
x-envoy-upstream-service-time: 4
[2019-10-11T10:04:26.101Z] "HEAD /simple-web HTTP/1.1" 200 - "-" "-" 0 0 6 4 "10.132.0.36" "curl/7.52.1" "4bbc2609-a928-9f79-9ae8-d6a3e32217d7" "a.b.c.d:31380" "192.168.171.73:80" outbound|8080||simple-web.istio.svc.cluster.local - 192.168.171.86:80 10.132.0.36:37078 - -
And to make sure mTLS was enabled, this is from the ingress-gateway describe command:
--controlPlaneAuthPolicy
MUTUAL_TLS
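So, I don't know what is wrong, but you might want to go through these steps and rule things out.
Note: the reason I am hitting the istio gateway on port 31380 is that my k8s is on VMs right now, and I didn't want to spin up a GKE cluster for a test.
EDIT
Just deployed another deployment with your image, exposed it as simple-web-2, and it worked again. Maybe I'm lucky with istio: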
$ curl a.b.c.d:31380/simple-web -I
HTTP/1.1 200 OK
server: istio-envoy
date: Fri, 11 Oct 2019 10:28:45 GMT
content-type: text/html
content-length: 354
last-modified: Fri, 11 Oct 2019 10:28:46 GMT
x-envoy-upstream-service-time: 4
[2019-10-11T10:28:46.400Z] "HEAD /simple-web HTTP/1.1" 200 - "-" "-" 0 0 5 4 "10.132.0.36" "curl/7.52.1" "df0dd00a-875a-9ae6-bd48-acd8be1cc784" "a.b.c.d:31380" "192.168.171.65:80" outbound|8080||simple-web-2.istio.svc.cluster.local - 192.168.171.86:80 10.132.0.36:42980 - -
What is your k8s environment?
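
The gateway access-log lines quoted in the answer carry the fields needed to triage a 503 like the one in the question: the response code, Envoy's response flags, and the upstream cluster the request was routed to. The following is an added example, not code from the original posts; the field order is assumed from Istio's default access-log format, and FAILED_LINE is a constructed 503 variant of the page's log line.

```python
import re

# PAGE_LINE is the first access-log line quoted in the answer; FAILED_LINE is a
# constructed 503 variant of it (sample input, not taken from the page).
PAGE_LINE = '[2019-10-11T10:04:26.101Z] "HEAD /simple-web HTTP/1.1" 200 - "-" "-" 0 0 6 4 "10.132.0.36" "curl/7.52.1" "4bbc2609-a928-9f79-9ae8-d6a3e32217d7" "a.b.c.d:31380" "192.168.171.73:80" outbound|8080||simple-web.istio.svc.cluster.local - 192.168.171.86:80 10.132.0.36:37078 - -'
FAILED_LINE = '[2019-10-11T10:05:00.000Z] "HEAD /simple-web HTTP/1.1" 503 UF,URX "-" "-" 0 0 3 - "10.132.0.36" "curl/7.52.1" "00000000-0000-0000-0000-000000000000" "a.b.c.d:31380" "192.168.171.73:80" outbound|8080||simple-web.istio.svc.cluster.local - 192.168.171.86:80 10.132.0.36:37080 - -'

# Field order assumed from Istio's default access-log format (it matches the lines above).
LINE_RE = re.compile(
    r'^\[(?P<time>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d+) (?P<flags>\S+) "[^"]*" "(?P<transport_failure>[^"]*)" '
    r'\d+ \d+ \d+ \S+ "[^"]*" "[^"]*" "[^"]*" "(?P<authority>[^"]*)" '
    r'"(?P<upstream_host>[^"]*)" (?P<cluster>\S+)'
)

# Envoy response flags that accompany a 503 (meanings per the Envoy access-log docs).
FLAGS_503 = {
    "UH": "no healthy upstream hosts in the cluster",
    "UF": "upstream connection failure",
    "UO": "upstream overflow (circuit breaker)",
    "UC": "upstream connection termination",
    "UR": "upstream remote reset",
    "LR": "connection local reset",
    "URX": "upstream retry limit or max connect attempts reached",
}

def parse(line):
    """Return the leading fields as a dict, or None if the line is not in this format."""
    m = LINE_RE.match(line)
    if m is None:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    rec["flags"] = [] if rec["flags"] == "-" else rec["flags"].split(",")
    # Istio names clusters direction|port|subset|service-hostname.
    parts = (rec["cluster"].split("|") + [None] * 4)[:4]
    rec["direction"], rec["port"], rec["subset"], rec["service"] = parts
    return rec

def explain(rec):
    """One-line triage of a parsed record: route target plus why a 503 was returned."""
    target = "%s:%s" % (rec["service"], rec["port"])
    if rec["status"] != 503:
        return "%d via %s" % (rec["status"], target)
    why = [FLAGS_503.get(f, "flag " + f) for f in rec["flags"]] or ["no response flag set"]
    if rec["transport_failure"] not in ("", "-"):
        why.append("transport failure: " + rec["transport_failure"])
    return "503 via %s: %s" % (target, "; ".join(why))
```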