Configure TLS on the Istio Ingressgateway so that it accepts external requests over HTTPS.
[Experiment 1] Using a single certificate on the Gateway.
1) Create the HTTPS certificate:
$ openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout /tmp/httpbin.key -out /tmp/httpbin.crt -subj '/CN=*.httpbin.will/O=httpbin'
$ kubectl create -n istio-system secret tls istio-ingressgateway-certs --key /tmp/httpbin.key --cert /tmp/httpbin.crt
$ kubectl get secret istio-ingressgateway-certs -n istio-system
NAME                         TYPE                DATA   AGE
istio-ingressgateway-certs   kubernetes.io/tls   2      39s
2) Deploy the httpbin service:
$ kubectl apply -f kubernetes/httpbin.yaml
$ kubectl get pod -l app=httpbin
NAME                      READY   STATUS    RESTARTS   AGE
httpbin-b67975b8f-mfxsk   2/2     Running   0          9s
3) Create the Gateway that exposes the service:
$ kubectl apply -f istio/route/gateway-httpbin-https.yaml
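The book applies gateway-httpbin-https.yaml without showing it. The manifest below is an added example of what such a file needs to contain, written for this page rather than taken from the book's repository: a Gateway that terminates TLS with the certificate from the istio-ingressgateway-certs secret, plus a VirtualService that routes to httpbin. The resource names, the wildcard hosts and the httpbin port 8000 are assumptions; the mount path /etc/istio/ingressgateway-certs is the default mount of that secret in the Istio gateway chart, and a kubernetes.io/tls secret exposes its two entries as tls.crt and tls.key.

```yaml
# Added example (not the book's gateway-httpbin-https.yaml).
apiVersion: networking.istio.io/v1alpha3
kind: Gateway
metadata:
  name: httpbin-gateway            # assumed name
spec:
  selector:
    istio: ingressgateway          # selects the istio-ingressgateway pods in istio-system
  servers:
  - port:
      number: 443
      name: https
      protocol: HTTPS
    hosts:
    - "*"                          # experiment 1 is reached by IP address, so any Host is accepted
    tls:
      mode: SIMPLE                 # server-side TLS only; no client certificate is requested
      # Paths inside the gateway pod where the istio-ingressgateway-certs secret is mounted.
      # They must match the mountPath the gateway Deployment uses, otherwise Envoy never
      # loads a certificate and the listener stays unhealthy.
      serverCertificate: /etc/istio/ingressgateway-certs/tls.crt
      privateKey: /etc/istio/ingressgateway-certs/tls.key
---
apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
  name: httpbin                    # assumed name
spec:
  hosts:
  - "*"
  gateways:
  - httpbin-gateway                # bind to the Gateway above, not to the mesh
  http:
  - match:
    - uri:
        prefix: /get               # the path used by the curl test below
    route:
    - destination:
        host: httpbin              # the Service created by kubernetes/httpbin.yaml
        port:
          number: 8000             # assumed: the port that Service listens on
```

After applying it, `kubectl get gateway,virtualservice` should list both objects; if the curl in step 4 returns an empty reply or a connection reset, the first thing to check is that the two tls paths really exist inside the gateway container (`kubectl exec -n istio-system <gateway-pod> -- ls /etc/istio/ingressgateway-certs`).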
4) Access the service with curl:
$ curl -k https://11.11.11.111:31390/get
{
  "args": {},
  "headers": {
    "Accept": "*/*",
    "Content-Length": "0",
    "Host": "11.11.11.111:31390",
    "User-Agent": "curl/7.29.0",
    "X-B3-Sampled": "1",
    "X-B3-Spanid": "238abb319357989f",
    "X-B3-Traceid": "238abb319357989f",
    "X-Envoy-Internal": "true",
    "X-Request-Id": "a006cacd-5adb-90d6-9884-f43377562d10"
  },
  "origin": "10.244.0.0",
  "url": "https://11.11.11.111:31390/get"
}
5) Access the service with a browser.
Open https://11.11.11.111:31390/get ; the result is shown in Figure 13-1.
On the first visit you may see the security warning shown in Figure 13-2, because the certificate is self-signed and was issued for *.httpbin.will rather than for the IP address. Click "Advanced" and then choose to proceed to the site.
Figure 13-1 Accessing the service with a browser
Figure 13-2 Security warning
[Experiment 2] Using multiple certificates on the Gateway. This builds on the previous experiment.
1) Delete the Gateway created in the previous experiment:
$ kubectl delete -f istio/route/gateway-httpbin-https.yaml
2) Create the HTTPS certificate for the service-go service:
$ openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout /tmp/service-go.key -out /tmp/service-go.crt -subj '/CN=*.service-go.will/O=service-go'
$ kubectl create -n istio-system secret tls istio-ingressgateway-service-go-certs --key /tmp/service-go.key --cert /tmp/service-go.crt
$ kubectl get secret istio-ingressgateway-service-go-certs -n istio-system
NAME                                    TYPE                DATA   AGE
istio-ingressgateway-service-go-certs   kubernetes.io/tls   2      9s
3) Deploy the service-go service:
$ kubectl apply -f service/go/service-go.yaml
$ kubectl get pod -l app=service-go
NAME                             READY   STATUS    RESTARTS   AGE
service-go-v1-7cc5c6f574-hl4vn   2/2     Running   0          32s
service-go-v2-7656dcc478-nzwmb   2/2     Running   0          32s
4) Use Helm to render an Ingressgateway deployment manifest that mounts multiple certificate secrets:
$ helm template /usr/local/istio/install/kubernetes/helm/istio \
    -x /usr/local/istio/install/kubernetes/helm/istio/charts/gateways/templates/deployment.yaml \
    --name istio-ingressgateway --namespace istio-system \
    --set gateways.istio-egressgateway.enabled=false \
    --set gateways.istio-ingressgateway.secretVolumes[0].name=ingressgateway-certs \
    --set gateways.istio-ingressgateway.secretVolumes[0].secretName=istio-ingressgateway-certs \
    --set gateways.istio-ingressgateway.secretVolumes[0].mountPath=/etc/istio/ingressgateway-certs \
    --set gateways.istio-ingressgateway.secretVolumes[1].name=ingressgateway-ca-certs \
    --set gateways.istio-ingressgateway.secretVolumes[1].secretName=istio-ingressgateway-ca-certs \
    --set gateways.istio-ingressgateway.secretVolumes[1].mountPath=/etc/istio/ingressgateway-ca-certs \
    --set gateways.istio-ingressgateway.secretVolumes[2].name=ingressgateway-service-go-certs \
    --set gateways.istio-ingressgateway.secretVolumes[2].secretName=istio-ingressgateway-service-go-certs \
    --set gateways.istio-ingressgateway.secretVolumes[2].mountPath=/etc/istio/ingressgateway-service-go-certs \
    > istio-ingressgateway.yaml
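Each secretVolumes entry passed to Helm becomes one Secret volume and one read-only volumeMount on the gateway container. The fragment below is an added illustration of the shape I expect in the rendered istio-ingressgateway.yaml for the three entries above; it is not copied from the chart output, and the exact surrounding fields will differ, so confirm it against `grep -n -A3 'ingressgateway-.*certs' istio-ingressgateway.yaml`. The point worth checking is that every mountPath here is the directory a Gateway later names in its tls section.

```yaml
# Added illustration of the expected volume/volumeMount pairs (assumed shape, not chart output).
spec:
  template:
    spec:
      containers:
      - name: istio-proxy
        volumeMounts:
        - name: ingressgateway-certs                       # secretVolumes[0]
          mountPath: /etc/istio/ingressgateway-certs
          readOnly: true
        - name: ingressgateway-ca-certs                    # secretVolumes[1]
          mountPath: /etc/istio/ingressgateway-ca-certs
          readOnly: true
        - name: ingressgateway-service-go-certs            # secretVolumes[2], the new one
          mountPath: /etc/istio/ingressgateway-service-go-certs
          readOnly: true
      volumes:
      - name: ingressgateway-certs
        secret:
          secretName: istio-ingressgateway-certs
          optional: true          # the pod still starts if the secret is missing, so check the mount
      - name: ingressgateway-ca-certs
        secret:
          secretName: istio-ingressgateway-ca-certs
          optional: true
      - name: ingressgateway-service-go-certs
        secret:
          secretName: istio-ingressgateway-service-go-certs
          optional: true
```

Because the volumes are optional, a typo in a secretName does not fail the Deployment; it shows up later as an empty directory in the pod and a TLS listener with no certificate, so verify the mounts with `kubectl exec` before debugging the Gateway.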
5) Deploy the new Ingressgateway:
$ kubectl apply -f istio-ingressgateway.yaml
$ kubectl get pod -n istio-system -l app=istio-ingressgateway
NAME                                   READY   STATUS    RESTARTS   AGE
istio-ingressgateway-85dbc5947-bfq5x   1/1     Running   0          49s
6) Create the Gateway that exposes both services:
$ kubectl apply -f istio/route/gateway-httpbin-service-go-https.yaml
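The multi-certificate Gateway applied here is also not shown in the book. The manifest below is an added example, not the book's gateway-httpbin-service-go-https.yaml: one Gateway with two HTTPS server entries on port 443, each bound to its own host pattern and its own mounted certificate, followed by the VirtualServices that route the two hostnames. Envoy chooses the server entry, and therefore the certificate, from the TLS SNI sent by the client, which is why the curl commands in the next step use --resolve with the real hostname rather than only a Host header. Resource names, the /get and /env prefixes and the backend ports 8000 and 80 are assumptions.

```yaml
# Added example (not the book's gateway-httpbin-service-go-https.yaml).
apiVersion: networking.istio.io/v1alpha3
kind: Gateway
metadata:
  name: httpbin-service-go-gateway         # assumed name
spec:
  selector:
    istio: ingressgateway
  servers:
  - port:
      number: 443
      name: https-httpbin                  # two servers share port 443, so names must differ
      protocol: HTTPS
    hosts:
    - "*.httpbin.will"                     # matches CN=*.httpbin.will of the first certificate
    tls:
      mode: SIMPLE
      serverCertificate: /etc/istio/ingressgateway-certs/tls.crt
      privateKey: /etc/istio/ingressgateway-certs/tls.key
  - port:
      number: 443
      name: https-service-go
      protocol: HTTPS
    hosts:
    - "*.service-go.will"                  # matches CN=*.service-go.will of the second certificate
    tls:
      mode: SIMPLE
      # the mountPath given as secretVolumes[2] in the Helm step
      serverCertificate: /etc/istio/ingressgateway-service-go-certs/tls.crt
      privateKey: /etc/istio/ingressgateway-service-go-certs/tls.key
---
apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
  name: httpbin                            # assumed name
spec:
  hosts:
  - "*.httpbin.will"
  gateways:
  - httpbin-service-go-gateway
  http:
  - match:
    - uri:
        prefix: /get
    route:
    - destination:
        host: httpbin
        port:
          number: 8000                     # assumed
---
apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
  name: service-go                         # assumed name
spec:
  hosts:
  - "*.service-go.will"
  gateways:
  - httpbin-service-go-gateway
  http:
  - match:
    - uri:
        prefix: /env
    route:
    - destination:
        host: service-go                   # the Service from service/go/service-go.yaml
        port:
          number: 80                       # assumed
```

A quick way to confirm that each hostname is served with the intended certificate, without trusting the connection, is `openssl s_client -connect 11.11.11.111:31390 -servername test.service-go.will </dev/null | openssl x509 -noout -subject`, which should print the service-go CN; repeating it with -servername test.httpbin.will should print the httpbin CN. A client that sends no SNI gets whichever server entry Envoy treats as the default, so the hosts patterns, not the Host header, decide which certificate is presented.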
7) Test access to the services:
$ curl -sk --resolve test.httpbin.will:31390:11.11.11.111 -H "Host: test.httpbin.will" https://test.httpbin.will:31390/get
{
  "args": {},
  "headers": {
    "Accept": "*/*",
    "Content-Length": "0",
    "Host": "test.httpbin.will",
    "User-Agent": "curl/7.29.0",
    "X-B3-Sampled": "1",
    "X-B3-Spanid": "7f4a96d1d3218cd3",
    "X-B3-Traceid": "7f4a96d1d3218cd3",
    "X-Envoy-Internal": "true",
    "X-Request-Id": "d51dca60-5bb6-9e07-b69b-84e42297dfb5"
  },
  "origin": "10.244.0.0",
  "url": "https://test.httpbin.will/get"
}
$ curl -sk --resolve test.service-go.will:31390:11.11.11.111 -H "Host: test.service-go.will" https://test.service-go.will:31390/env
{"message":"go v2"}
8) Clean up:
$ kubectl delete -f istio/route/gateway-httpbin-service-go-https.yaml
$ kubectl delete -f kubernetes/httpbin.yaml
$ kubectl delete secret istio-ingressgateway-certs -n istio-system
$ kubectl delete secret istio-ingressgateway-service-go-certs -n istio-system
$ kubectl delete -f service/go/service-go.yaml