Static mount mode
By default the ingressgateway Deployment mounts the Secret named istio-ingressgateway-certs at /etc/istio/ingressgateway-certs, and the Gateway then references the certificate and key by their file paths under that directory.
Pod volume sources:

```yaml
- name: ingressgateway-certs
  secret:
    defaultMode: 420
    optional: true
    secretName: istio-ingressgateway-certs
- name: ingressgateway-ca-certs
  secret:
    defaultMode: 420
    optional: true
    secretName: istio-ingressgateway-ca-certs
```

Note that defaultMode 420 is decimal for octal 0644, and optional: true means the Pod still starts when the Secret does not exist; the files simply never appear under the mount path, and Envoy then rejects the HTTPS listener because it cannot load the certificate chain.
Mounted at:

```yaml
- mountPath: /etc/istio/ingressgateway-certs
  name: ingressgateway-certs
  readOnly: true
- mountPath: /etc/istio/ingressgateway-ca-certs
  name: ingressgateway-ca-certs
  readOnly: true
```
Referenced from the Gateway:

```yaml
tls:
  mode: SIMPLE
  serverCertificate: /etc/istio/ingressgateway-certs/tls.crt
  privateKey: /etc/istio/ingressgateway-certs/tls.key
```
The resulting Envoy configuration (the private key path is masked in the config dump because Envoy treats that field as sensitive):

```json
"tlsCertificates": [
  {
    "certificateChain": {
      "filename": "/etc/istio/ingressgateway-certs/tls.crt"
    },
    "privateKey": {
      "filename": "[redacted]"
    }
  }
],
```
Dynamic SDS discovery mode
In this mode Envoy obtains the certificate through SDS from "unix:/var/run/ingress_gateway/sds". Concretely: create a Secret and reference its name from the Gateway via credentialName; no extra volume mount is needed. The Secret must live in the namespace of the ingress gateway itself (istio-system here), not in the application's namespace.
The Secret in the istio-system namespace:

```console
[root@k8s-master-v1-16 ~]# kubectl get secrets httpbin-credential -n istio-system -o yaml
apiVersion: v1
data:
  cert: ***
  key: ****
kind: Secret
metadata:
  creationTimestamp: "2020-07-10T14:40:26Z"
  name: httpbin-credential
  namespace: istio-system
  resourceVersion: "32803482"
  selfLink: /api/v1/namespaces/istio-system/secrets/httpbin-credential
  uid: bc543747-7366-4661-9f2e-39ae62e7808a
type: Opaque
```
In the Gateway, set credentialName to the Secret's name:

```yaml
tls:
  credentialName: httpbin-credential
  mode: SIMPLE
```
The Envoy configuration produced (config dump excerpt, truncated):

```json
"commonTlsContext": {
  "tlsCertificateSdsSecretConfigs": [
    {
      "name": "httpbin-credential",
      "sdsConfig": {
        "apiConfigSource": {
          "apiType": "GRPC",
          "grpcServices": [
            {
              "googleGrpc": {
                "targetUri": "unix:/var/run/ingress_gateway/sds",
                "statPrefix": "sdsstat"
              }
```
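The two modes above fail in different ways when misconfigured: a static path that is not under a mounted Secret volume, a Secret that is absent while the volume is optional, or a credentialName whose Secret sits in the wrong namespace. The following pre-flight check, written for this page as an added example (it is not code from the post or from Istio), takes the Deployment's volumes and mounts, a Gateway tls block and the set of Secrets the cluster holds, and reports which mode is in use and what would break. The manifests it runs on are constructed sample data trimmed to the fields the check reads; the accepted key names (cert/key, tls.crt/tls.key, and cacert or ca.crt for MUTUAL) are assumptions stated in the code.

```python
"""Pre-flight check for Istio ingress Gateway TLS material.

Added example, not from the post or Istio. Static mode: serverCertificate and
privateKey must sit under a mountPath backed by a Secret that exists. SDS mode:
credentialName must name a Secret in the gateway's own namespace that carries a
cert/key pair. All sample manifests below are constructed.
"""
from pathlib import PurePosixPath

# Assumption: a credentialName Secret holds either the generic cert/key pair
# shown in the post or the kubernetes.io/tls pair tls.crt/tls.key.
KEY_PAIRS = (("cert", "key"), ("tls.crt", "tls.key"))
# Assumption: for MUTUAL the CA bundle is under cacert or ca.crt, or in a
# separate Secret named <credentialName>-cacert.
CA_KEYS = ("cacert", "ca.crt")


def _secret_for_path(path, volumes, mounts):
    """Map a file path inside the container to the Secret volume backing it."""
    p = PurePosixPath(path)
    by_name = {v["name"]: v for v in volumes}
    for m in mounts:
        mp = PurePosixPath(m["mountPath"])
        if mp == p or mp in p.parents:
            sec = by_name.get(m["name"], {}).get("secret")
            if sec is None:
                return None, f"volume {m['name']} is not a Secret"
            return sec, None
    return None, f"{path} is not under any volume mount"


def check_static(tls, volumes, mounts, secrets, ns):
    """Static mount mode: both files must resolve to an existing Secret key."""
    problems = []
    for field in ("serverCertificate", "privateKey"):
        path = tls.get(field)
        if not path:
            problems.append(f"{field} missing")
            continue
        sec, err = _secret_for_path(path, volumes, mounts)
        if err:
            problems.append(err)
            continue
        name, key = sec["secretName"], PurePosixPath(path).name
        if (ns, name) not in secrets:
            # optional: true lets the Pod start; the file then never appears.
            problems.append(f"Secret {ns}/{name} absent "
                            f"(volume optional={sec.get('optional', False)})")
        elif key not in secrets[(ns, name)]:
            problems.append(f"Secret {ns}/{name} has no key {key}")
    return problems


def check_sds(tls, secrets, ns):
    """SDS mode: the credentialName Secret must exist in the gateway namespace."""
    name = tls.get("credentialName")
    if not name:
        return ["credentialName missing"]
    data = secrets.get((ns, name))
    if data is None:
        return [f"Secret {ns}/{name} absent"]
    problems = []
    if not any(c in data and k in data for c, k in KEY_PAIRS):
        problems.append(f"Secret {ns}/{name} lacks cert/key or tls.crt/tls.key")
    if tls.get("mode") == "MUTUAL":
        if not (any(k in data for k in CA_KEYS) or (ns, f"{name}-cacert") in secrets):
            problems.append(f"MUTUAL needs a CA: {'/'.join(CA_KEYS)} key "
                            f"or Secret {name}-cacert")
    return problems


def check_gateway_tls(tls, volumes, mounts, secrets, ns="istio-system"):
    """Return (mode, problems); mode is 'sds', 'static' or 'none'."""
    if tls.get("credentialName"):
        return "sds", check_sds(tls, secrets, ns)
    if tls.get("serverCertificate") or tls.get("privateKey"):
        return "static", check_static(tls, volumes, mounts, secrets, ns)
    return "none", ["no TLS material configured"]


# Constructed sample data mirroring the post's Deployment, Gateway and Secret.
VOLUMES = [
    {"name": "ingressgateway-certs",
     "secret": {"defaultMode": 420, "optional": True, "secretName": "istio-ingressgateway-certs"}},
    {"name": "ingressgateway-ca-certs",
     "secret": {"defaultMode": 420, "optional": True, "secretName": "istio-ingressgateway-ca-certs"}},
]
MOUNTS = [
    {"mountPath": "/etc/istio/ingressgateway-certs", "name": "ingressgateway-certs", "readOnly": True},
    {"mountPath": "/etc/istio/ingressgateway-ca-certs", "name": "ingressgateway-ca-certs", "readOnly": True},
]
# (namespace, name) -> data keys present; values do not matter for the check.
SECRETS = {
    ("istio-system", "istio-ingressgateway-certs"): {"tls.crt", "tls.key"},
    ("istio-system", "httpbin-credential"): {"cert", "key"},
}
STATIC_TLS = {"mode": "SIMPLE",
              "serverCertificate": "/etc/istio/ingressgateway-certs/tls.crt",
              "privateKey": "/etc/istio/ingressgateway-certs/tls.key"}
SDS_TLS = {"mode": "SIMPLE", "credentialName": "httpbin-credential"}

if __name__ == "__main__":
    for label, tls in (("static", STATIC_TLS), ("sds", SDS_TLS)):
        print(label, check_gateway_tls(tls, VOLUMES, MOUNTS, SECRETS))
```

Running it against the sample data reports both modes as clean; moving httpbin-credential into the application's namespace, or pointing serverCertificate at a path outside the mounted volume, shows up as a problem before the Gateway is applied rather than as a rejected Envoy listener afterwards.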