Istio ingress已被弃用,您可以将Ingress Gateway与DNS挑战一起使用。
定义通用公共入口网关:
apiVersion: networking.istio.io/v1alpha3 kind: Gateway metadata: name: public-gateway namespace: istio-system spec: selector: istio: ingressgateway servers: - port: number: 80 name: http protocol: HTTP hosts: - "*" tls: httpsRedirect: true - port: number: 443 name: https protocol: HTTPS hosts: - "*" tls: mode: SIMPLE privateKey: /etc/istio/ingressgateway-certs/tls.key serverCertificate: /etc/istio/ingressgateway-certs/tls.crt
使用cert-manager支持的DNS提供程序之一创建颁发者。以下是GCP CloudDNS的配置:
apiVersion: certmanager.k8s.io/v1alpha1 kind: Issuer metadata: name: letsencrypt-prod namespace: istio-system spec: acme: server: https://acme-v02.api.letsencrypt.org/directory email: email@example.com privateKeySecretRef: name: letsencrypt-prod dns01: providers: - name: cloud-dns clouddns: serviceAccountSecretRef: name: cert-manager-credentials key: gcp-dns-admin.json project: my-gcp-project
使用以下命令创建通配符证书:
apiVersion: certmanager.k8s.io/v1alpha1 kind: Certificate metadata: name: istio-gateway namespace: istio-system spec: secretname: istio-ingressgateway-certs issuerRef: name: letsencrypt-prod commonName: "*.example.com" acme: config: - dns01: provider: cloud-dns domains: - "*.example.com" - "example.com"
颁发证书需要几分钟时间才能颁发证书:
kubectl -n istio-system describe certificate istio-gateway Events: Type Reason Age From Message ---- ------ ---- ---- ------- Normal CertIssued 1m52s cert-manager Certificate issued successfully
您可以在此处找到有关在GKE上使用Let的加密设置Istio ingress的分步指南 https://docs.flagger.app/install/flagger-install-on-google-cloud#cloud-dns-setup
解决方案是将DNS移至azure并使用dns验证生成证书。我还使用了istio-1.1.0-rc.3并按以下方式配置了网关:
apiVersion: networking.istio.io/v1alpha3 kind: Gateway metadata: name: mygateway spec: selector: istio: ingressgateway # use istio default ingress gateway servers: - hosts: - 'mydomain.com' port: name: http-bookinfo number: 80 protocol: HTTP tls: httpsRedirect: true - hosts: - 'mydomain.com' port: name: https-bookinfo number: 443 protocol: HTTPS tls: mode: SIMPLE serverCertificate: "use sds" #random string, because serverCertificate and #privateKey are required for tls.mode=SIMPLE privateKey: "use sds" credentialName: "istio-bookinfo-certs-staging" #this must match the secret name #from the certificate
helm template install/kubernetes/helm/istio/ --name istio ` --namespace istio-system -x charts/gateways/templates/deployment.yaml ` --set gateways.istio-egressgateway.enabled=false ` --set gateways.istio-ingressgateway.sds.enabled=true > ` $HOME/istio-ingressgateway.yaml kubectl apply -f $HOME/istio-ingressgateway.yaml