Use port 80 for TLS origination by egress gateway (#3200)

* use port 80 with protocol HTTPS for mTLS on egress gateway

* rewrite the instructions about why to apply mutual TLS

* make the protocol of 443 HTTPS

* allow monitor -> allow to monitor
Vadim Eisenberg 2019-02-07 22:06:24 +02:00 committed by istio-bot
parent 2606b1f522
commit 0529d549bf
1 changed files with 16 additions and 10 deletions


@ -60,11 +60,11 @@ be done by the egress gateway, as opposed to by the sidecar in the previous exam
- edition.cnn.com - edition.cnn.com
ports: ports:
- number: 80 - number: 80
name: http-port name: http
protocol: HTTP protocol: HTTP
- number: 443 - number: 443
name: http-port-for-tls-origination name: https
protocol: HTTP protocol: HTTPS
resolution: DNS resolution: DNS
EOF EOF
{{< /text >}} {{< /text >}}
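Review bot: the ServiceEntry now lists port 443 as `protocol: HTTPS`, so the sidecar no longer parses traffic to edition.cnn.com:443 as HTTP but forwards it as opaque TLS, which is what the gateway-originated connection needs; however, the old name `http-port-for-tls-origination` that is dropped here is still used for the gateway server in the non-mutual-TLS tab later in this file (port 80, `protocol: HTTP`), so the two resources now follow different naming conventions. Suggest renaming that server port to `http` as well, or keeping the descriptive name in both places.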
@ -86,8 +86,14 @@ be done by the egress gateway, as opposed to by the sidecar in the previous exam
1. Create an egress `Gateway` for _edition.cnn.com_, port 443, and a destination rule for 1. Create an egress `Gateway` for _edition.cnn.com_, port 443, and a destination rule for
sidecar requests that will be directed to the egress gateway. sidecar requests that will be directed to the egress gateway.
Choose the instructions corresponding to whether or not you have Choose the instructions corresponding to whether or not you want to enable
[mutual TLS authentication](/docs/tasks/security/mutual-tls/) enabled in Istio. [mutual TLS Authentication](/docs/tasks/security/mutual-tls/) between the source pod and the egress gateway.
{{< idea >}}
You may want to enable mutual TLS so the traffic between the source pod and the egress gateway will be encrypted.
In addition, mutual TLS will allow the egress gateway to monitor the identity of the source pods and enable Mixer
policy enforcement based on that identity.
{{< /idea >}}
{{< tabset cookie-name="mtls" >}} {{< tabset cookie-name="mtls" >}}
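Review bot: the new link text `mutual TLS Authentication` capitalizes Authentication while the surrounding page writes `mutual TLS authentication`; keep the lower-case form. The idea box would also be clearer if it named the alternative explicitly: with the non-mutual-TLS instructions the hop from the sidecar to the egress gateway is plain HTTP on port 80 (see the `protocol: HTTP` server later in this file), and only the gateway-to-edition.cnn.com hop is encrypted.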
@ -104,7 +110,7 @@ be done by the egress gateway, as opposed to by the sidecar in the previous exam
istio: egressgateway istio: egressgateway
servers: servers:
- port: - port:
number: 443 number: 80
name: https name: https
protocol: HTTPS protocol: HTTPS
hosts: hosts:
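Review bot: the server now reads `number: 80` together with `name: https` and `protocol: HTTPS`, and readers will likely take the mismatch between the number and the name for a typo. Since this is the deliberate point of the commit (port 80 with protocol HTTPS for the mutual TLS hop), suggest one sentence in the surrounding text explaining that the gateway listens on port 80 and relies on `ISTIO_MUTUAL` for the sidecar-to-gateway leg rather than on port 443.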
@ -128,7 +134,7 @@ be done by the egress gateway, as opposed to by the sidecar in the previous exam
simple: ROUND_ROBIN simple: ROUND_ROBIN
portLevelSettings: portLevelSettings:
- port: - port:
number: 443 number: 80
tls: tls:
mode: ISTIO_MUTUAL mode: ISTIO_MUTUAL
sni: edition.cnn.com sni: edition.cnn.com
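Review bot: the port-level TLS setting now targets port 80, which must stay in sync with the Gateway server port in the previous hunk and with the VirtualService route and `port: 80` match at the end of the file; all three are 80 after this commit, but nothing tells readers to change them together if they choose another port. Suggest adding that cross-reference, because if the numbers disagree the `ISTIO_MUTUAL` setting does not apply to the traffic actually sent to the gateway.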
@ -150,7 +156,7 @@ be done by the egress gateway, as opposed to by the sidecar in the previous exam
istio: egressgateway istio: egressgateway
servers: servers:
- port: - port:
number: 443 number: 80
name: http-port-for-tls-origination name: http-port-for-tls-origination
protocol: HTTP protocol: HTTP
hosts: hosts:
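Review bot: this non-mutual-TLS server keeps `name: http-port-for-tls-origination` and `protocol: HTTP` while the mutual-TLS variant above was renamed to `https`/`HTTPS` and the ServiceEntry port names were shortened to `http`/`https`; pick one naming scheme for the page. It is also worth stating in this tab's text that on this path the sidecar sends plain HTTP to the gateway on port 80 and TLS is originated only from the gateway outward.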
@ -196,12 +202,12 @@ be done by the egress gateway, as opposed to by the sidecar in the previous exam
host: istio-egressgateway.istio-system.svc.cluster.local host: istio-egressgateway.istio-system.svc.cluster.local
subset: cnn subset: cnn
port: port:
number: 443 number: 80
weight: 100 weight: 100
- match: - match:
- gateways: - gateways:
- istio-egressgateway - istio-egressgateway
port: 443 port: 80
route: route:
- destination: - destination:
host: edition.cnn.com host: edition.cnn.com
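Review bot: the gateway-side match now uses `port: 80` and the sidecar-side route also targets port 80 on `istio-egressgateway.istio-system.svc.cluster.local`, so one VirtualService serves both tabs; the final destination block for edition.cnn.com is cut off after `host:` in this hunk, so please confirm its port is still 443, since the ServiceEntry in the first hunk now declares that port as HTTPS and the gateway must originate TLS to it.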