# svc 信息(istio-ingressgateway 的 443 端口映射到 NodePort 31898,下面的 curl 访问即使用该端口;istio-egressgateway 这里同样以 NodePort 暴露在集群外,如无此需要应考虑改为 ClusterIP)
╰─ kubectl get svc -n istio-system ─╯
NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE
istio-egressgateway NodePort 10.96.84.46 <none> 80:31202/TCP,443:32718/TCP 20h
istio-ingressgateway NodePort 10.96.127.8 <none> 15021:32673/TCP,80:31128/TCP,443:31898/TCP,31400:31253/TCP,15443:30355/TCP 20h
istiod ClusterIP 10.96.237.146 <none> 15010/TCP,15012/TCP,443/TCP,15014/TCP
配置 TLS ingress gateway
首先需要创建一个 secret 对象,用于保存服务器的证书和私钥。具体说来就是使用 kubectl 命令在命名空间 istio-system 中创建一个 secret 对象,命名为 istio-ingressgateway-certs。Istio 网关会自动载入这个 secret。注意:该 secret 必须位于 istio-system 命名空间中,并且命名为 istio-ingressgateway-certs,否则就不会被正确载入,也就无法在 Istio gateway 中使用了。
# 生成证书,以下是通过参数指定证书需要的信息。注意 Istio ingress 只支持 2048 位及以上的 RSA 证书 (only RSA certificates with 2048-bit or larger keys are supported),如果位数过小 ingress 会报错。
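# Self-signed server certificate for the SIMPLE gateway below. The subject names
# the host the Gateway actually serves (bookinfo.com) instead of a bare CN=*
# wildcard (duplicated in the original), which TLS clients will not match against
# bookinfo.com; -addext adds the SAN that modern clients require (CN alone only
# satisfies curl). Istio rejects RSA keys shorter than 2048 bits.
# The key is written unencrypted (-nodes) into the working directory -- keep it
# out of version control.
openssl req -x509 -sha256 -nodes -days 365 -newkey rsa:2048 \
  -subj '/O=jiayu98/CN=bookinfo.com' \
  -addext 'subjectAltName=DNS:bookinfo.com' \
  -keyout server.key -out server.crt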
# Create the TLS secret the file-mounted gateway expects. Both the name
# (istio-ingressgateway-certs) and the namespace (istio-system) are fixed;
# the secret is mounted into the gateway pod as tls.crt / tls.key.
kubectl create secret tls istio-ingressgateway-certs \
  --cert=./server.crt \
  --key=./server.key \
  -n istio-system
# 查看证书是否已挂载到网关 pod 中(由 secret 自动挂载,文件名固定为 tls.crt / tls.key)
[root@k8s-master-1 https]# kubectl exec deploy/istio-ingressgateway -n istio-system -- ls /etc/istio/ingressgateway-certs
tls.crt
tls.key
# Gateway 和 VirtualService 配置(SIMPLE 模式:仅服务端认证,客户端无需提供证书)
# Gateway: terminates HTTPS on the ingress gateway's 443 listener (NodePort
# 31898 in the svc listing above) using the file-mounted secret
# istio-ingressgateway-certs. SIMPLE means server-side TLS only: any client
# that trusts (or skips verifying) server.crt can connect -- contrast with the
# MUTUAL gateway further down, which additionally demands a client certificate.
apiVersion: networking.istio.io/v1alpha3
kind: Gateway
metadata:
  name: bookinfo-gateway
spec:
  selector:
    istio: ingressgateway # use Istio's default ingress gateway (label istio=ingressgateway)
  servers:
  - port:
      number: 443 # the ingress gateway's HTTPS port
      name: https_test_name # any name will do; keep it unique within this Gateway
      protocol: HTTPS
    hosts:
    - "bookinfo.com" # SNI/Host this server accepts; this is what narrows the VirtualService's "*"
    tls:
      mode: SIMPLE
      # Paths where the gateway pod mounts the istio-ingressgateway-certs secret
      # (see the `kubectl exec ... ls` check above). The file names tls.crt and
      # tls.key are fixed by `kubectl create secret tls`.
      serverCertificate: /etc/istio/ingressgateway-certs/tls.crt
      privateKey: /etc/istio/ingressgateway-certs/tls.key
---
# VirtualService: binds to bookinfo-gateway and forwards the listed productpage
# paths to the productpage service in the "istio" namespace on port 9080.
# hosts "*" is acceptable here only because the Gateway above already restricts
# the served host to bookinfo.com. Requests matching none of the uri rules are
# not routed (presumably a 404 from the gateway -- confirm).
# NOTE(review): the gateway -> productpage hop on 9080 is plain HTTP unless mesh
# mTLS (PeerAuthentication) is in place; nothing in this file configures it.
apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
  name: bookinfo
spec:
  hosts:
  - "*"
  gateways:
  - bookinfo-gateway
  http:
  - match:
    - uri:
        exact: /productpage
    - uri:
        prefix: /static
    - uri:
        exact: /login
    - uri:
        exact: /logout
    - uri:
        prefix: /api/v1/products
    route:
    - destination:
        host: productpage.istio.svc.cluster.local
        port:
          number: 9080
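# Port-forward the ingress gateway's Envoy admin API (15000) to inspect its
# listeners, clusters and loaded certificates (/config_dump, /certs, /listeners).
# Referencing deploy/ instead of a specific pod name survives pod restarts
# (the same form is used for `kubectl exec` above).
# WARNING: --address 0.0.0.0 exposes the unauthenticated Envoy admin endpoint on
# every interface of this host; it can change log levels, drain listeners and
# shut Envoy down (/quitquitquit). Drop the flag to bind to localhost only (the
# default), or firewall 15000, and stop the forward when you are done.
kubectl port-forward --address 0.0.0.0 deploy/istio-ingressgateway -n istio-system 15000:15000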
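# Root CA that signs both the gateway (server) and the client certificate.
# ca.key is the trust root for mutual TLS: anyone holding it can mint a client
# certificate the gateway will accept, so keep it off the cluster and off shared
# hosts -- only ca.crt goes into the Kubernetes secret.
openssl req -x509 -sha256 -nodes -days 365 -newkey rsa:2048 \
  -subj '/O=jiayau/CN=*' -keyout ca.key -out ca.crt

# Server certificate for the gateway, signed by the CA above (the client must
# trust the same CA). `openssl x509 -req` drops CSR extensions, so the SAN and
# EKU are supplied at signing time via -extfile: curl falls back to CN when no
# SAN is present (see "common name: bookinfo.com (matched)" below), but modern
# browsers and most TLS libraries require a SAN.
printf 'subjectAltName=DNS:bookinfo.com\nextendedKeyUsage=serverAuth\n' > server.ext
openssl req -out server.csr -newkey rsa:2048 -nodes -keyout server.key \
  -subj "/CN=bookinfo.com/O=jiayu"
# -CAcreateserial replaces the hard-coded -set_serial 0/1: serial 0 is not a
# valid X.509 serial (RFC 5280 requires a positive integer), and fixed serials
# collide as soon as a certificate is re-issued under the same CA.
openssl x509 -req -sha256 -days 365 -CA ca.crt -CAkey ca.key -CAcreateserial \
  -extfile server.ext -in server.csr -out server.crt

# Client certificate, signed by the same CA; presented via curl --cert/--key
# below. clientAuth EKU prevents it from being reused as a server certificate.
printf 'subjectAltName=DNS:client.com\nextendedKeyUsage=clientAuth\n' > client.ext
openssl req -out client.csr -newkey rsa:2048 -nodes -keyout client.key \
  -subj "/CN=client.com/O=jiayu"
openssl x509 -req -sha256 -days 365 -CA ca.crt -CAkey ca.key -CAcreateserial \
  -extfile client.ext -in client.csr -out client.crt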
# Secret for the MUTUAL gateway. `kubectl create secret tls` only accepts a
# certificate and key, so a generic secret is used in order to carry ca.crt as
# well; the key names tls.crt / tls.key / ca.crt are what the gateway looks up
# via credentialName. Only ca.crt goes in -- never ca.key.
kubectl create secret generic gw-credential \
  --from-file=tls.crt=server.crt \
  --from-file=tls.key=server.key \
  --from-file=ca.crt=ca.crt \
  --namespace istio-system
# Gateway 和 VirtualService 配置如下(MUTUAL 模式:双向认证,客户端必须提供由同一 CA 签发的证书)
# Gateway (mutual TLS): same 443 listener as the SIMPLE variant, but MUTUAL makes
# Envoy request and verify a client certificate against the ca.crt in the
# gw-credential secret (see the curl transcript below: without --cert the
# server answers "certificate required"). The secret is loaded by name, so it
# must live in the gateway's own namespace (istio-system, where it was created
# above) and carry the keys tls.crt, tls.key and ca.crt.
# NOTE(review): MUTUAL only checks that the client cert chains to ca.crt, so
# every certificate that CA ever issued is accepted. To pin specific client
# identities add tls.subjectAltNames (matched against the client cert's SAN,
# so the client cert must carry one) -- confirm against your Istio version.
apiVersion: networking.istio.io/v1alpha3
kind: Gateway
metadata:
  name: bookinfo-gateway
spec:
  selector:
    istio: ingressgateway # use Istio's default ingress gateway (label istio=ingressgateway)
  servers:
  - port:
      number: 443
      name: https_test_name
      protocol: HTTPS
    hosts:
    - "bookinfo.com"
    tls:
      mode: MUTUAL
      credentialName: gw-credential # must match the secret name created above
---
# VirtualService: unchanged from the SIMPLE setup -- client authentication is
# decided entirely by the Gateway's tls.mode, the routing stays the same.
# Binds to bookinfo-gateway and forwards the listed productpage paths to the
# productpage service in the "istio" namespace on port 9080. hosts "*" is safe
# only because the Gateway restricts the served host to bookinfo.com.
apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
  name: bookinfo
spec:
  hosts:
  - "*"
  gateways:
  - bookinfo-gateway
  http:
  - match:
    - uri:
        exact: /productpage
    - uri:
        prefix: /static
    - uri:
        exact: /login
    - uri:
        exact: /logout
    - uri:
        prefix: /api/v1/products
    route:
    - destination:
        host: productpage.istio.svc.cluster.local
        port:
          number: 9080
# 访问(不带客户端证书)。从下面的输出可以看到:在客户端看来 TLS 1.3 握手已经完成(SSL connection using TLSv1.3),GET 请求也已发出,之后服务端才返回 `certificate required` 告警 —— 即缺少客户端证书表现为首次读取出错,而不是握手失败,只检查握手是否成功的探测无法发现这一点。服务端需要客户端提供证书,否则无法访问。
[root@k8s-master-1 mtls]# curl -v -H "Host:bookinfo.com" --resolve "bookinfo.com:31898:192.168.0.10" https://bookinfo.com:31898/productpage --cacert ./ca.crt
* Added bookinfo.com:31898:192.168.0.10 to DNS cache
* Hostname bookinfo.com was found in DNS cache
* Trying 192.168.0.10:31898...
* Connected to bookinfo.com (192.168.0.10) port 31898 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* CAfile: ./ca.crt
* TLSv1.0 (OUT), TLS header, Certificate Status (22):
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.2 (IN), TLS header, Certificate Status (22):
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.2 (IN), TLS header, Finished (20):
* TLSv1.2 (IN), TLS header, Unknown (23):
* TLSv1.3 (IN), TLS handshake, Encrypted Extensions (8):
* TLSv1.3 (IN), TLS handshake, Request CERT (13):
* TLSv1.3 (IN), TLS handshake, Certificate (11):
* TLSv1.3 (IN), TLS handshake, CERT verify (15):
* TLSv1.3 (IN), TLS handshake, Finished (20):
* TLSv1.2 (OUT), TLS header, Finished (20):
* TLSv1.3 (OUT), TLS change cipher, Change cipher spec (1):
* TLSv1.2 (OUT), TLS header, Unknown (23):
* TLSv1.3 (OUT), TLS handshake, Certificate (11):
* TLSv1.2 (OUT), TLS header, Unknown (23):
* TLSv1.3 (OUT), TLS handshake, Finished (20):
* SSL connection using TLSv1.3 / TLS_AES_256_GCM_SHA384
* ALPN, server accepted to use h2
* Server certificate:
* subject: CN=bookinfo.com; O=jiayu
* start date: Mar 26 08:06:20 2023 GMT
* expire date: Mar 25 08:06:20 2024 GMT
* common name: bookinfo.com (matched)
* issuer: O=jiayau; CN=*
* SSL certificate verify ok.
* Using HTTP2, server supports multi-use
* Connection state changed (HTTP/2 confirmed)
* Copying HTTP/2 data in stream buffer to connection buffer after upgrade: len=0
* TLSv1.2 (OUT), TLS header, Unknown (23):
* TLSv1.2 (OUT), TLS header, Unknown (23):
* TLSv1.2 (OUT), TLS header, Unknown (23):
* Using Stream ID: 1 (easy handle 0xaaaadd08d5c0)
* TLSv1.2 (OUT), TLS header, Unknown (23):
> GET /productpage HTTP/2
> Host:bookinfo.com
> user-agent: curl/7.76.1
> accept: */*
>
* TLSv1.2 (IN), TLS header, Unknown (23):
* TLSv1.3 (IN), TLS alert, unknown (628):
* OpenSSL SSL_read: error:0A00045C:SSL routines::tlsv13 alert certificate required, errno 0
* Failed receiving HTTP2 data
* OpenSSL SSL_write: SSL_ERROR_ZERO_RETURN, errno 0
* Failed sending HTTP2 data
* Connection #0 to host bookinfo.com left intact
curl: (56) OpenSSL SSL_read: error:0A00045C:SSL routines::tlsv13 alert certificate required, errno 0
# 客户端携带证书访问(--cacert 用于验证服务端证书,--cert/--key 提供由同一 CA 签发的客户端证书),可以发现此时客户端是可以正常访问的
[root@k8s-master-1 mtls]# curl -I -H "Host:bookinfo.com" --resolve "bookinfo.com:31898:192.168.0.10" https://bookinfo.com:31898/productpage --cacert ./ca.crt --cert client.crt --key client.key
HTTP/2 200
content-type: text/html; charset=utf-8
content-length: 4294
server: istio-envoy
date: Sun, 26 Mar 2023 08:24:05 GMT
x-envoy-upstream-service-time: 15