Wildcard configuration for arbitrary domains with non root user (#9350)

* Wildcard configuration with a non-root user

* Generate snips.sh for wildcard-egress-hosts
This commit is contained in:
Meng Wang 2021-03-23 03:41:07 +08:00 committed by GitHub
parent f23fcb5fb0
commit 4ed801d0f8
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
3 changed files with 22 additions and 26 deletions


@ -297,7 +297,8 @@ The SNI proxy will forward the traffic to port `443`.
{{< text bash >}} {{< text bash >}}
$ cat <<EOF > ./sni-proxy.conf $ cat <<EOF > ./sni-proxy.conf
user www-data; # setup custom path that do not require root access
pid /tmp/nginx.pid;
events { events {
} }
@ -312,7 +313,7 @@ The SNI proxy will forward the traffic to port `443`.
# tcp forward proxy by SNI # tcp forward proxy by SNI
server { server {
resolver 8.8.8.8 ipv6=off; resolver 8.8.8.8 ipv6=off;
listen 127.0.0.1:8443; listen 127.0.0.1:18443;
proxy_pass \$ssl_preread_server_name:443; proxy_pass \$ssl_preread_server_name:443;
ssl_preread on; ssl_preread on;
} }
@ -349,6 +350,7 @@ The SNI proxy will forward the traffic to port `443`.
service: service:
ports: ports:
- port: 443 - port: 443
targetPort: 8443
name: https name: https
overlays: overlays:
- kind: Deployment - kind: Deployment
@ -363,18 +365,14 @@ The SNI proxy will forward the traffic to port `443`.
mountPath: /etc/nginx mountPath: /etc/nginx
readOnly: true readOnly: true
securityContext: securityContext:
runAsNonRoot: false runAsNonRoot: true
runAsUser: 0 runAsUser: 101
- path: spec.template.spec.volumes[-1] - path: spec.template.spec.volumes[-1]
value: | value: |
name: sni-proxy-config name: sni-proxy-config
configMap: configMap:
name: egress-sni-proxy-configmap name: egress-sni-proxy-configmap
defaultMode: 292 # 0444 defaultMode: 292 # 0444
values:
gateways:
istio-egressgateway:
runAsRoot: true
EOF EOF
{{< /text >}} {{< /text >}}
@ -407,7 +405,7 @@ The SNI proxy will forward the traffic to port `443`.
- sni-proxy.local - sni-proxy.local
location: MESH_EXTERNAL location: MESH_EXTERNAL
ports: ports:
- number: 8443 - number: 18443
name: tcp name: tcp
protocol: TCP protocol: TCP
resolution: STATIC resolution: STATIC
@ -518,7 +516,7 @@ The SNI proxy will forward the traffic to port `443`.
- destination: - destination:
host: sni-proxy.local host: sni-proxy.local
port: port:
number: 8443 number: 18443
weight: 100 weight: 100
--- ---
# The following filter is used to forward the original SNI (sent by the application) as the SNI of the # The following filter is used to forward the original SNI (sent by the application) as the SNI of the
@ -599,8 +597,8 @@ The SNI proxy will forward the traffic to port `443`.
You should see lines similar to the following: You should see lines similar to the following:
{{< text plain >}} {{< text plain >}}
[2019-01-02T16:34:23.312Z] "- - -" 0 - 578 79141 624 - "-" "-" "-" "-" "127.0.0.1:8443" outbound|8443||sni-proxy.local 127.0.0.1:55018 172.30.109.84:443 172.30.109.112:45346 en.wikipedia.org [2019-01-02T16:34:23.312Z] "- - -" 0 - 578 79141 624 - "-" "-" "-" "-" "127.0.0.1:18443" outbound|18443||sni-proxy.local 127.0.0.1:55018 172.30.109.84:443 172.30.109.112:45346 en.wikipedia.org
[2019-01-02T16:34:24.079Z] "- - -" 0 - 586 65770 638 - "-" "-" "-" "-" "127.0.0.1:8443" outbound|8443||sni-proxy.local 127.0.0.1:55034 172.30.109.84:443 172.30.109.112:45362 de.wikipedia.org [2019-01-02T16:34:24.079Z] "- - -" 0 - 586 65770 638 - "-" "-" "-" "-" "127.0.0.1:18443" outbound|18443||sni-proxy.local 127.0.0.1:55034 172.30.109.84:443 172.30.109.112:45362 de.wikipedia.org
{{< /text >}} {{< /text >}}
1. Check the logs of the SNI proxy. If Istio is deployed in the `istio-system` namespace, the command to print the 1. Check the logs of the SNI proxy. If Istio is deployed in the `istio-system` namespace, the command to print the
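Review bot: The `securityContext` in the hunk at `@ -363,18 +365,14` stops at `runAsNonRoot: true` and `runAsUser: 101`; since the proxy now binds an unprivileged port (18443) and its config is mounted `readOnly: true`, the same overlay could also carry `allowPrivilegeEscalation: false` and `capabilities: {drop: [ALL]}` without changing what nginx needs, finishing the least-privilege move this commit starts. `runAsUser: 101` presumably matches the uid of the nginx user inside the image being deployed; a comment such as `# 101: uid of the nginx user in the proxy image` next to it would tell readers why that value and what to change if a different image is used. The identical overlay is in the generated snips.sh section, so both copies would need to move together. The heredoc containing this overlay starts before the hunk.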


@ -175,7 +175,8 @@ kubectl delete destinationrule egressgateway-for-wikipedia
snip_setup_egress_gateway_with_sni_proxy_1() { snip_setup_egress_gateway_with_sni_proxy_1() {
cat <<EOF > ./sni-proxy.conf cat <<EOF > ./sni-proxy.conf
user www-data; # setup custom path that do not require root access
pid /tmp/nginx.pid;
events { events {
} }
@ -190,7 +191,7 @@ stream {
# tcp forward proxy by SNI # tcp forward proxy by SNI
server { server {
resolver 8.8.8.8 ipv6=off; resolver 8.8.8.8 ipv6=off;
listen 127.0.0.1:8443; listen 127.0.0.1:18443;
proxy_pass \$ssl_preread_server_name:443; proxy_pass \$ssl_preread_server_name:443;
ssl_preread on; ssl_preread on;
} }
@ -222,6 +223,7 @@ spec:
service: service:
ports: ports:
- port: 443 - port: 443
targetPort: 8443
name: https name: https
overlays: overlays:
- kind: Deployment - kind: Deployment
@ -236,18 +238,14 @@ spec:
mountPath: /etc/nginx mountPath: /etc/nginx
readOnly: true readOnly: true
securityContext: securityContext:
runAsNonRoot: false runAsNonRoot: true
runAsUser: 0 runAsUser: 101
- path: spec.template.spec.volumes[-1] - path: spec.template.spec.volumes[-1]
value: | value: |
name: sni-proxy-config name: sni-proxy-config
configMap: configMap:
name: egress-sni-proxy-configmap name: egress-sni-proxy-configmap
defaultMode: 292 # 0444 defaultMode: 292 # 0444
values:
gateways:
istio-egressgateway:
runAsRoot: true
EOF EOF
} }
@ -275,7 +273,7 @@ spec:
- sni-proxy.local - sni-proxy.local
location: MESH_EXTERNAL location: MESH_EXTERNAL
ports: ports:
- number: 8443 - number: 18443
name: tcp name: tcp
protocol: TCP protocol: TCP
resolution: STATIC resolution: STATIC
@ -379,7 +377,7 @@ spec:
- destination: - destination:
host: sni-proxy.local host: sni-proxy.local
port: port:
number: 8443 number: 18443
weight: 100 weight: 100
--- ---
# The following filter is used to forward the original SNI (sent by the application) as the SNI of the # The following filter is used to forward the original SNI (sent by the application) as the SNI of the
@ -453,8 +451,8 @@ kubectl logs -l istio=egressgateway-with-sni-proxy -c istio-proxy -n istio-syste
} }
! read -r -d '' snip_configure_traffic_through_egress_gateway_with_sni_proxy_6 <<\ENDSNIP ! read -r -d '' snip_configure_traffic_through_egress_gateway_with_sni_proxy_6 <<\ENDSNIP
[2019-01-02T16:34:23.312Z] "- - -" 0 - 578 79141 624 - "-" "-" "-" "-" "127.0.0.1:8443" outbound|8443||sni-proxy.local 127.0.0.1:55018 172.30.109.84:443 172.30.109.112:45346 en.wikipedia.org [2019-01-02T16:34:23.312Z] "- - -" 0 - 578 79141 624 - "-" "-" "-" "-" "127.0.0.1:18443" outbound|18443||sni-proxy.local 127.0.0.1:55018 172.30.109.84:443 172.30.109.112:45346 en.wikipedia.org
[2019-01-02T16:34:24.079Z] "- - -" 0 - 586 65770 638 - "-" "-" "-" "-" "127.0.0.1:8443" outbound|8443||sni-proxy.local 127.0.0.1:55034 172.30.109.84:443 172.30.109.112:45362 de.wikipedia.org [2019-01-02T16:34:24.079Z] "- - -" 0 - 586 65770 638 - "-" "-" "-" "-" "127.0.0.1:18443" outbound|18443||sni-proxy.local 127.0.0.1:55034 172.30.109.84:443 172.30.109.112:45362 de.wikipedia.org
ENDSNIP ENDSNIP
snip_configure_traffic_through_egress_gateway_with_sni_proxy_7() { snip_configure_traffic_through_egress_gateway_with_sni_proxy_7() {


@ -31,7 +31,7 @@ _wait_for_deployment default sleep
snip_before_you_begin_4 snip_before_you_begin_4
confirm_blocking() { confirm_blocking() {
kubectl exec "$SOURCE_POD" -c sleep -sS -I https://www.google.com | grep "HTTP/"; kubectl exec "$SOURCE_POD" -c sleep -- curl -sS -I https://edition.cnn.com | grep "HTTP/" kubectl exec "$SOURCE_POD" -c sleep -- curl -sS -I https://www.google.com | grep "HTTP/"; kubectl exec "$SOURCE_POD" -c sleep -- curl -sS -I https://edition.cnn.com | grep "HTTP/"
} }
_verify_contains confirm_blocking "command terminated with exit code 35" _verify_contains confirm_blocking "command terminated with exit code 35"
@ -86,7 +86,7 @@ _wait_for_istio envoyfilter istio-system egress-gateway-sni-verifier
_verify_same snip_configure_traffic_through_egress_gateway_with_sni_proxy_4 "$snip_configure_traffic_through_egress_gateway_with_sni_proxy_4_out" _verify_same snip_configure_traffic_through_egress_gateway_with_sni_proxy_4 "$snip_configure_traffic_through_egress_gateway_with_sni_proxy_4_out"
_verify_lines snip_configure_traffic_through_egress_gateway_with_sni_proxy_5 " _verify_lines snip_configure_traffic_through_egress_gateway_with_sni_proxy_5 "
+ outbound|8443||sni-proxy.local + outbound|18443||sni-proxy.local
+ en.wikipedia.org + en.wikipedia.org
+ de.wikipedia.org + de.wikipedia.org
" "
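Review bot: `confirm_blocking` in the hunk at `@ -31,7 +31,7` joins the two probes with `;`, so the `_verify_contains ... "command terminated with exit code 35"` check on the following line passes as long as either host is blocked, because the expected string only has to appear once in the combined output. If the test is meant to prove that egress to both hosts is denied, each probe is better verified on its own, e.g. a second function `confirm_blocking_cnn() { kubectl exec "$SOURCE_POD" -c sleep -- curl -sS -I https://edition.cnn.com | grep "HTTP/"; }` with its own `_verify_contains` call. `_verify_contains` is defined outside this file, so its exact matching rule is inferred from the name and the existing usage here.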