• Ingress Gateway without TLS Termination
    • Generate client and server certificates and keys
    • Deploy an NGINX server
    • Configure an ingress gateway
    • Cleanup
    • 相关内容

    Ingress Gateway without TLS Termination

    The Securing Gateways with HTTPS task describes how to configure HTTPSingress access to an HTTP service. This example describes how to configure HTTPS ingress access to an HTTPS service,i.e., configure an ingress gateway to perform SNI passthrough, instead of TLS termination on incoming requests.

    The example HTTPS service used for this task is a simple NGINX server.In the following steps you first deploy the NGINX service in your Kubernetes cluster.Then you configure a gateway to provide ingress access to the service via host nginx.example.com.

    Generate client and server certificates and keys

    • Clone the https://github.com/nicholasjackson/mtls-go-example repository:
    1. $ git clone https://github.com/nicholasjackson/mtls-go-example
    • Change directory to the cloned repository:
    1. $ pushd mtls-go-example
    • Generate the certificates for nginx.example.com.Use any password with the following command:
    1. $ ./generate.sh nginx.example.com <password>

    When prompted, select y for all the questions.

    • Move the certificates into the nginx.example.com directory:
    1. $ mkdir ../nginx.example.com && mv 1_root 2_intermediate 3_application 4_client ../nginx.example.com
    • Return to the root directory:
    1. $ popd

    Deploy an NGINX server

    • Create a Kubernetes Secret to hold the server’scertificate.
    1. $ kubectl create secret tls nginx-server-certs --key nginx.example.com/3_application/private/nginx.example.com.key.pem --cert nginx.example.com/3_application/certs/nginx.example.com.cert.pem
    • Create a configuration file for the NGINX server:
    1. $ cat <<EOF > ./nginx.conf
    2. events {
    3. }
    4. http {
    5. log_format main '$remote_addr - $remote_user [$time_local] $status '
    6. '"$request" $body_bytes_sent "$http_referer" '
    7. '"$http_user_agent" "$http_x_forwarded_for"';
    8. access_log /var/log/nginx/access.log main;
    9. error_log /var/log/nginx/error.log;
    10. server {
    11. listen 443 ssl;
    12. root /usr/share/nginx/html;
    13. index index.html;
    14. server_name nginx.example.com;
    15. ssl_certificate /etc/nginx-server-certs/tls.crt;
    16. ssl_certificate_key /etc/nginx-server-certs/tls.key;
    17. }
    18. }
    19. EOF
    • Create a Kubernetes ConfigMapto hold the configuration of the NGINX server:
    1. $ kubectl create configmap nginx-configmap --from-file=nginx.conf=./nginx.conf
    • Deploy the NGINX server:
    1. $ cat <<EOF | istioctl kube-inject -f - | kubectl apply -f -
    2. apiVersion: v1
    3. kind: Service
    4. metadata:
    5. name: my-nginx
    6. labels:
    7. run: my-nginx
    8. spec:
    9. ports:
    10. - port: 443
    11. protocol: TCP
    12. selector:
    13. run: my-nginx
    14. ---
    15. apiVersion: apps/v1
    16. kind: Deployment
    17. metadata:
    18. name: my-nginx
    19. spec:
    20. selector:
    21. matchLabels:
    22. run: my-nginx
    23. replicas: 1
    24. template:
    25. metadata:
    26. labels:
    27. run: my-nginx
    28. spec:
    29. containers:
    30. - name: my-nginx
    31. image: nginx
    32. ports:
    33. - containerPort: 443
    34. volumeMounts:
    35. - name: nginx-config
    36. mountPath: /etc/nginx
    37. readOnly: true
    38. - name: nginx-server-certs
    39. mountPath: /etc/nginx-server-certs
    40. readOnly: true
    41. volumes:
    42. - name: nginx-config
    43. configMap:
    44. name: nginx-configmap
    45. - name: nginx-server-certs
    46. secret:
    47. secretName: nginx-server-certs
    48. EOF
    • To test that the NGINX server was deployed successfully, send a request to the server from its sidecar proxywithout checking the server’s certificate (use the -k option of curl). Ensure that the server’s certificate isprinted correctly, i.e., common name is equal to nginx.example.com.
    1. $ kubectl exec -it $(kubectl get pod -l run=my-nginx -o jsonpath={.items..metadata.name}) -c istio-proxy -- curl -v -k --resolve nginx.example.com:443:127.0.0.1 https://nginx.example.com
    2. ...
    3. SSL connection using TLS1.2 / ECDHE_RSA_AES_128_GCM_SHA256
    4. server certificate verification SKIPPED
    5. server certificate status verification SKIPPED
    6. common name: nginx.example.com (matched)
    7. server certificate expiration date OK
    8. server certificate activation date OK
    9. certificate public key: RSA
    10. certificate version: #3
    11. subject: C=US,ST=Denial,L=Springfield,O=Dis,CN=nginx.example.com
    12. start date: Wed, 15 Aug 2018 07:29:07 GMT
    13. expire date: Sun, 25 Aug 2019 07:29:07 GMT
    14. issuer: C=US,ST=Denial,O=Dis,CN=nginx.example.com
    15. > GET / HTTP/1.1
    16. > User-Agent: curl/7.35.0
    17. > Host: nginx.example.com
    18. ...
    19. < HTTP/1.1 200 OK
    20. < Server: nginx/1.15.2
    21. ...
    22. <!DOCTYPE html>
    23. <html>
    24. <head>
    25. <title>Welcome to nginx!</title>
    26. ...

    Configure an ingress gateway

    • Define a Gateway with a server section for port 443. Note the PASSTHROUGH tls mode which instructsthe gateway to pass the ingress traffic AS IS, without terminating TLS.
    1. $ kubectl apply -f - <<EOF
    2. apiVersion: networking.istio.io/v1alpha3
    3. kind: Gateway
    4. metadata:
    5. name: mygateway
    6. spec:
    7. selector:
    8. istio: ingressgateway # use istio default ingress gateway
    9. servers:
    10. - port:
    11. number: 443
    12. name: https
    13. protocol: HTTPS
    14. tls:
    15. mode: PASSTHROUGH
    16. hosts:
    17. - nginx.example.com
    18. EOF
    • Configure routes for traffic entering via the Gateway:
    1. $ kubectl apply -f - <<EOF
    2. apiVersion: networking.istio.io/v1alpha3
    3. kind: VirtualService
    4. metadata:
    5. name: nginx
    6. spec:
    7. hosts:
    8. - nginx.example.com
    9. gateways:
    10. - mygateway
    11. tls:
    12. - match:
    13. - port: 443
    14. sni_hosts:
    15. - nginx.example.com
    16. route:
    17. - destination:
    18. host: my-nginx
    19. port:
    20. number: 443
    21. EOF
    • Follow the instructions inDetermining the ingress IP and portsto define the SECURE_INGRESS_PORT and INGRESS_HOST environment variables.

    • Access the NGINX service from outside the cluster. Note that the correct certificate is returned by the server andit is successfully verified (SSL certificate verify ok is printed).

    1. $ curl -v --resolve nginx.example.com:$SECURE_INGRESS_PORT:$INGRESS_HOST --cacert nginx.example.com/2_intermediate/certs/ca-chain.cert.pem https://nginx.example.com:$SECURE_INGRESS_PORT
    2. Server certificate:
    3. subject: C=US; ST=Denial; L=Springfield; O=Dis; CN=nginx.example.com
    4. start date: Aug 15 07:29:07 2018 GMT
    5. expire date: Aug 25 07:29:07 2019 GMT
    6. common name: nginx.example.com (matched)
    7. issuer: C=US; ST=Denial; O=Dis; CN=nginx.example.com
    8. SSL certificate verify ok.
    9. < HTTP/1.1 200 OK
    10. < Server: nginx/1.15.2
    11. ...
    12. <html>
    13. <head>
    14. <title>Welcome to nginx!</title>

    Cleanup

    • Remove created Kubernetes resources:
    1. $ kubectl delete secret nginx-server-certs
    2. $ kubectl delete configmap nginx-configmap
    3. $ kubectl delete service my-nginx
    4. $ kubectl delete deployment my-nginx
    5. $ kubectl delete gateway mygateway
    6. $ kubectl delete virtualservice nginx
    • Delete the directory containing the certificates and the repository used to generate them:
    1. $ rm -rf nginx.example.com mtls-go-example
    • Delete the generated configuration files used in this example:
    1. $ rm -f ./nginx.conf

    相关内容

    Istio as a Proxy for External Services

    Configure Istio ingress gateway to act as a proxy for external services.

    Kubernetes Ingress with Cert-Manager

    Demonstrates how to obtain Let's Encrypt TLS certificates for Kubernetes Ingress automatically using Cert-Manager.

    Deploy a Custom Ingress Gateway Using Cert-Manager

    Describes how to deploy a custom ingress gateway using cert-manager manually.

    Configuring Istio Ingress with AWS NLB

    Describes how to configure Istio ingress with a network load balancer on AWS.

    Consuming External Web Services

    Describes a simple scenario based on Istio's Bookinfo example.

    Ingress Gateways

    Describes how to configure an Istio gateway to expose a service outside of the service mesh.