mirror of https://github.com/istio/istio.io.git
parent 4d70e1c44c
commit 7bf89ace1a

@ -13,7 +13,7 @@ test: yes
This example does not work in Minikube.
{{</warning>}}

The [Control Egress Traffic](/docs/tasks/traffic-management/egress/) task shows how to configure
The [Accessing External Services](/docs/tasks/traffic-management/egress/egress-control) task shows how to configure
Istio to allow access to external HTTP and HTTPS services from applications inside the mesh.
There, the external services are called directly from the client sidecar.
This example also shows how to configure Istio to call external services, although this time

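Review bot: the rename of the `/docs/tasks/traffic-management/egress/` link to `/docs/tasks/traffic-management/egress/egress-control` appears in several hunks of this commit; a repo-wide search for the old path would confirm that no other page still points at it, and since the old URL was published, an `aliases:` entry on the renamed task page (the front-matter mechanism this repo already uses) keeps external links working.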
@ -9,9 +9,9 @@ aliases:
- /docs/examples/advanced-gateways/egress-tls-origination/
---

The [Control Egress Traffic](/docs/tasks/traffic-management/egress/) task demonstrates how external, i.e., outside of the
service mesh, HTTP and HTTPS services can be accessed from applications inside the mesh. As described in that task,
a [`ServiceEntry`](/docs/reference/config/networking/service-entry/) is used to configure Istio
The [Accessing External Services](/docs/tasks/traffic-management/egress/egress-control) task demonstrates how external,
i.e., outside of the service mesh, HTTP and HTTPS services can be accessed from applications inside the mesh. As described
in that task, a [`ServiceEntry`](/docs/reference/config/networking/service-entry/) is used to configure Istio
to access external services in a controlled way.
This example shows how to configure Istio to perform {{< gloss >}}TLS origination{{< /gloss >}}
for traffic to an external service. Istio will open HTTPS connections to the external service while the original

@ -57,10 +57,10 @@ is that Istio can produce better telemetry and provide more routing control for
## Configuring access to an external service

First start by configuring access to an external service, `edition.cnn.com`,
using the same technique shown in the [Control Egress Traffic](/docs/tasks/traffic-management/egress/) task.
using the same technique shown in the [Accessing External Services](/docs/tasks/traffic-management/egress/egress-control) task.
This time, however, use a single `ServiceEntry` to enable both HTTP and HTTPS access to the service.

1. Create a `ServiceEntry` and `VirtualService` to enable access to `edition.cnn.com`:
1. Create a `ServiceEntry` to enable access to `edition.cnn.com`:

{{< text syntax=bash snip_id=apply_simple >}}
$ kubectl apply -f - <<EOF

|
@ -79,25 +79,6 @@ This time, however, use a single `ServiceEntry` to enable both HTTP and HTTPS ac
name: https-port
protocol: HTTPS
resolution: DNS
---
apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
name: edition-cnn-com
spec:
hosts:
- edition.cnn.com
tls:
- match:
- port: 443
sniHosts:
- edition.cnn.com
route:
- destination:
host: edition.cnn.com
port:
number: 443
weight: 100
EOF
{{< /text >}}

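Review bot: removing this `VirtualService` also removes the explicit `sniHosts: edition.cnn.com` match on port 443, so the remaining `ServiceEntry` (`hosts: edition.cnn.com`, `protocol: HTTPS`) is now the only thing scoping the HTTPS traffic; the surrounding text already says a single `ServiceEntry` enables both HTTP and HTTPS access, but a sentence stating that the port-443 `VirtualService` from the older version of this example is no longer needed would help readers who have it deployed and wonder whether to delete it.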
@ -133,27 +114,27 @@ Both of these issues can be resolved by configuring Istio to perform TLS origina

## TLS origination for egress traffic

1. Redefine your `VirtualService` from the previous section to rewrite the HTTP request port
and add a `DestinationRule` to perform TLS origination.
1. Redefine your `ServiceEntry` from the previous section to redirect HTTP requests to port 443
and add a `DestinationRule` to perform TLS origination:

{{< text syntax=bash snip_id=apply_origination >}}
$ kubectl apply -f - <<EOF
apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
kind: ServiceEntry
metadata:
name: edition-cnn-com
spec:
hosts:
- edition.cnn.com
http:
- match:
- port: 80
route:
- destination:
host: edition.cnn.com
subset: tls-origination
port:
number: 443
ports:
- number: 80
name: http-port
protocol: HTTP
targetPort: 443
- number: 443
name: https-port
protocol: HTTPS
resolution: DNS
---
apiVersion: networking.istio.io/v1alpha3
kind: DestinationRule

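Review bot: `targetPort: 443` on the port-80 entry is the load-bearing line of this hunk and the step text never explains it; add a sentence that the sidecar keeps port 80 as the service port the application and the `DestinationRule` see, and only rewrites the destination port to 443 when it connects out, which is why the `DestinationRule` that follows applies its TLS settings to port 80 and not 443. Since the previous `VirtualService` form worked without this field, the doc should also state the minimum Istio version that supports `targetPort` in a `ServiceEntry`.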
@ -161,21 +142,17 @@ Both of these issues can be resolved by configuring Istio to perform TLS origina
name: edition-cnn-com
spec:
host: edition.cnn.com
subsets:
- name: tls-origination
trafficPolicy:
loadBalancer:
simple: ROUND_ROBIN
portLevelSettings:
- port:
number: 443
tls:
mode: SIMPLE # initiates HTTPS when accessing edition.cnn.com
trafficPolicy:
portLevelSettings:
- port:
number: 80
tls:
mode: SIMPLE # initiates HTTPS when accessing edition.cnn.com
EOF
{{< /text >}}

As you can see, the `VirtualService` redirects HTTP requests on port 80 to port 443 where the corresponding
`DestinationRule` then performs the TLS origination.
The above `DestinationRule` will perform TLS origination for HTTP requests on port 80 and the `ServiceEntry`
will then redirect the requests on port 80 to target port 443.

1. Send an HTTP request to `http://edition.cnn.com/politics`, as in the previous section:

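Review bot: the `DestinationRule` sets `tls.mode: SIMPLE` and nothing else, and the only explanation is the `# initiates HTTPS when accessing edition.cnn.com` comment; because TLS-origination examples get copied into production, the text should say whether and how the external server's certificate is verified under this configuration and point readers at `caCertificates` (and `sni`) in the `DestinationRule` TLS settings for the case where they want a pinned trust bundle. The new sentence `will then redirect the requests on port 80 to target port 443` also reads as if a second hop happens after origination; the port rewrite and the TLS handshake are one outbound connection from the sidecar, so `forwards the requests on port 80 to target port 443 as HTTPS` would be clearer.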
@ -49,25 +49,6 @@ spec:
name: https-port
protocol: HTTPS
resolution: DNS
---
apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
name: edition-cnn-com
spec:
hosts:
- edition.cnn.com
tls:
- match:
- port: 443
sniHosts:
- edition.cnn.com
route:
- destination:
host: edition.cnn.com
port:
number: 443
weight: 100
EOF
}

@ -88,21 +69,21 @@ ENDSNIP
snip_apply_origination() {
kubectl apply -f - <<EOF
apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
kind: ServiceEntry
metadata:
name: edition-cnn-com
spec:
hosts:
- edition.cnn.com
http:
- match:
- port: 80
route:
- destination:
host: edition.cnn.com
subset: tls-origination
port:
number: 443
ports:
- number: 80
name: http-port
protocol: HTTP
targetPort: 443
- number: 443
name: https-port
protocol: HTTPS
resolution: DNS
---
apiVersion: networking.istio.io/v1alpha3
kind: DestinationRule

@ -110,16 +91,12 @@ metadata:
name: edition-cnn-com
spec:
host: edition.cnn.com
subsets:
- name: tls-origination
trafficPolicy:
loadBalancer:
simple: ROUND_ROBIN
portLevelSettings:
- port:
number: 443
tls:
mode: SIMPLE # initiates HTTPS when accessing edition.cnn.com
trafficPolicy:
portLevelSettings:
- port:
number: 80
tls:
mode: SIMPLE # initiates HTTPS when accessing edition.cnn.com
EOF
}

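Review bot: this `snip_apply_origination` body duplicates the `DestinationRule` YAML from the doc hunk above and has to stay byte-for-byte in sync with it, down to the `# initiates HTTPS when accessing edition.cnn.com` comment and the `EOF` terminator; if this snippet file is generated from the doc page, confirm it was regenerated rather than hand-edited, otherwise the `test: yes` pages will exercise YAML that differs from what readers see.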
@ -9,7 +9,7 @@ owner: istio/wg-networking-maintainers
test: yes
---

The [Control Egress Traffic](/docs/tasks/traffic-management/egress/) task and
The [Accessing External Services](/docs/tasks/traffic-management/egress/egress-control) task and
the [Configure an Egress Gateway](/docs/tasks/traffic-management/egress/egress-gateway/) example
describe how to configure egress traffic for specific hostnames, like `edition.cnn.com`.
This example shows how to enable egress traffic for a set of hosts in a common domain, for
