remove mtls destination rules, apply patch instead of redeploy (#6805)

Gregory Hanson 2020-03-09 11:56:02 -04:00 committed by GitHub
parent ec20fa3215
commit 7f6ef186fc
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
1 changed files with 53 additions and 87 deletions


@ -93,65 +93,6 @@ be done by the egress gateway, as opposed to by the sidecar in the previous exam
1. Create an egress `Gateway` for _edition.cnn.com_, port 443, and a destination rule for 1. Create an egress `Gateway` for _edition.cnn.com_, port 443, and a destination rule for
sidecar requests that will be directed to the egress gateway. sidecar requests that will be directed to the egress gateway.
Choose the instructions corresponding to whether or not you want to enable
[mutual TLS Authentication](/docs/tasks/security/authentication/authn-policy/) between the source pod and the egress gateway.
{{< idea >}}
You may want to enable mutual TLS so the traffic between the source pod and the egress gateway will be encrypted.
In addition, mutual TLS will allow the egress gateway to monitor the identity of the source pods and enable Mixer
policy enforcement based on that identity.
{{< /idea >}}
{{< tabset category-name="mtls" >}}
{{< tab name="mutual TLS enabled" category-value="enabled" >}}
{{< text bash >}}
$ kubectl apply -f - <<EOF
apiVersion: networking.istio.io/v1alpha3
kind: Gateway
metadata:
name: istio-egressgateway
spec:
selector:
istio: egressgateway
servers:
- port:
number: 80
name: https
protocol: HTTPS
hosts:
- edition.cnn.com
tls:
mode: MUTUAL
serverCertificate: /etc/certs/cert-chain.pem
privateKey: /etc/certs/key.pem
caCertificates: /etc/certs/root-cert.pem
---
apiVersion: networking.istio.io/v1alpha3
kind: DestinationRule
metadata:
name: egressgateway-for-cnn
spec:
host: istio-egressgateway.istio-system.svc.cluster.local
subsets:
- name: cnn
trafficPolicy:
loadBalancer:
simple: ROUND_ROBIN
portLevelSettings:
- port:
number: 80
tls:
mode: ISTIO_MUTUAL
sni: edition.cnn.com
EOF
{{< /text >}}
{{< /tab >}}
{{< tab name="mutual TLS disabled" category-value="disabled" >}}
{{< text bash >}} {{< text bash >}}
$ kubectl apply -f - <<EOF $ kubectl apply -f - <<EOF
apiVersion: networking.istio.io/v1alpha3 apiVersion: networking.istio.io/v1alpha3
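Review bot: Removing the whole "mutual TLS enabled" tab also drops the only text on this page that told readers the sidecar-to-egress-gateway hop can be encrypted and that the gateway can tie policy to the source pod identity (the deleted `{{< idea >}}` block and the `ISTIO_MUTUAL` port-level `DestinationRule`). The surviving step now shows only the plaintext variant, so a reader cannot tell whether that hop is deliberately unprotected or covered by something else. Suggest keeping one sentence in place of the tabset that states why the mTLS configuration is no longer needed here, or pointing to where it is now documented, so the security property is not silently lost.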
@ -180,10 +121,6 @@ be done by the egress gateway, as opposed to by the sidecar in the previous exam
EOF EOF
{{< /text >}} {{< /text >}}
{{< /tab >}}
{{< /tabset >}}
1. Define a `VirtualService` to direct the traffic through the egress gateway, and a `DestinationRule` 1. Define a `VirtualService` to direct the traffic through the egress gateway, and a `DestinationRule`
to perform TLS origination for requests to `edition.cnn.com`: to perform TLS origination for requests to `edition.cnn.com`:
@ -543,6 +480,9 @@ to hold the configuration of the NGINX server:
name: sleep name: sleep
spec: spec:
replicas: 1 replicas: 1
selector:
matchLabels:
app: sleep
template: template:
metadata: metadata:
labels: labels:
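Review bot: Adding `spec.selector.matchLabels` is required for an `apps/v1` `Deployment`, but the hunk cuts off before the template labels, so please confirm the `template.metadata.labels` block below contains `app: sleep` exactly; `apps/v1` rejects a Deployment whose selector does not match its template labels. Also note that `spec.selector` is immutable once created, so anyone re-applying this over an existing `sleep` Deployment from the old text will need to delete and recreate it.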
@ -631,38 +571,64 @@ to hold the configuration of the NGINX server:
$ kubectl create -n istio-system secret generic nginx-ca-certs --from-file=nginx.example.com/2_intermediate/certs/ca-chain.cert.pem $ kubectl create -n istio-system secret generic nginx-ca-certs --from-file=nginx.example.com/2_intermediate/certs/ca-chain.cert.pem
{{< /text >}} {{< /text >}}
1. Generate the `istio-egressgateway` deployment with a volume to be mounted from the new secrets. Use the same options 1. To include a volume mounted from the new created secret, update the `istio-egressgateway` deployment.
you used for generating your `istio.yaml`: To patch the `istio-egressgateway` deployment, create the following `gateway-patch.json` file:
{{< text bash >}} {{< text bash >}}
$ istioctl manifest generate --set values.gateways.istio-ingressgateway.enabled=false \ $ cat > gateway-patch.json <<EOF
--set values.gateways.istio-egressgateway.enabled=true \ [{
--set 'values.gateways.istio-egressgateway.secretVolumes[0].name'=egressgateway-certs \ "op": "add",
--set 'values.gateways.istio-egressgateway.secretVolumes[0].secretName'=istio-egressgateway-certs \ "path": "/spec/template/spec/containers/0/volumeMounts/0",
--set 'values.gateways.istio-egressgateway.secretVolumes[0].mountPath'=/etc/istio/egressgateway-certs \ "value": {
--set 'values.gateways.istio-egressgateway.secretVolumes[1].name'=egressgateway-ca-certs \ "mountPath": "/etc/istio/nginx-client-certs",
--set 'values.gateways.istio-egressgateway.secretVolumes[1].secretName'=istio-egressgateway-ca-certs \ "name": "nginx-client-certs",
--set 'values.gateways.istio-egressgateway.secretVolumes[1].mountPath'=/etc/istio/egressgateway-ca-certs \ "readOnly": true
--set 'values.gateways.istio-egressgateway.secretVolumes[2].name'=nginx-client-certs \ }
--set 'values.gateways.istio-egressgateway.secretVolumes[2].secretName'=nginx-client-certs \ },
--set 'values.gateways.istio-egressgateway.secretVolumes[2].mountPath'=/etc/nginx-client-certs \ {
--set 'values.gateways.istio-egressgateway.secretVolumes[3].name'=nginx-ca-certs \ "op": "add",
--set 'values.gateways.istio-egressgateway.secretVolumes[3].secretName'=nginx-ca-certs \ "path": "/spec/template/spec/volumes/0",
--set 'values.gateways.istio-egressgateway.secretVolumes[3].mountPath'=/etc/nginx-ca-certs > \ "value": {
./istio-egressgateway.yaml "name": "nginx-client-certs",
"secret": {
"secretName": "nginx-client-certs",
"optional": true
}
}
},
{
"op": "add",
"path": "/spec/template/spec/containers/0/volumeMounts/1",
"value": {
"mountPath": "/etc/istio/nginx-ca-certs",
"name": "nginx-ca-certs",
"readOnly": true
}
},
{
"op": "add",
"path": "/spec/template/spec/volumes/1",
"value": {
"name": "nginx-ca-certs",
"secret": {
"secretName": "nginx-ca-certs",
"optional": true
}
}
}]
EOF
{{< /text >}} {{< /text >}}
1. Redeploy `istio-egressgateway`: 1. Apply `istio-egressgateway` deployment patch with the following command:
{{< text bash >}} {{< text bash >}}
$ kubectl apply -f ./istio-egressgateway.yaml $ kubectl -n istio-system patch --type=json deploy istio-egressgateway -p "$(cat gateway-patch.json)"
deployment "istio-egressgateway" configured
{{< /text >}} {{< /text >}}
1. Verify that the key and the certificate are successfully loaded in the `istio-egressgateway` pod: 1. Verify that the key and the certificate are successfully loaded in the `istio-egressgateway` pod:
{{< text bash >}} {{< text bash >}}
$ kubectl exec -it -n istio-system $(kubectl -n istio-system get pods -l istio=egressgateway -o jsonpath='{.items[0].metadata.name}') -- ls -al /etc/nginx-client-certs /etc/nginx-ca-certs $ kubectl exec -it -n istio-system $(kubectl -n istio-system get pods -l istio=egressgateway -o jsonpath='{.items[0].metadata.name}') -- ls -al /etc/istio/nginx-client-certs /etc/istio/nginx-ca-certs
{{< /text >}} {{< /text >}}
`tls.crt` and `tls.key` should exist in `/etc/istio/nginx-client-certs`, while `ca-chain.cert.pem` in `tls.crt` and `tls.key` should exist in `/etc/istio/nginx-client-certs`, while `ca-chain.cert.pem` in
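Review bot: Both secret volumes in `gateway-patch.json` set `"optional": true`, which means the patched `istio-egressgateway` pod will start with an empty mount if either `nginx-client-certs` or `nginx-ca-certs` is missing or mistyped, and the failure only surfaces later as a TLS origination error instead of at rollout; suggest dropping `"optional": true` (the default is required) or at least stating in the verify step that an empty directory listing points at a missing secret. Two smaller points on the same file: the `add` operations target index `0` and `1` of `volumeMounts` and `volumes`, which fails if those arrays do not already exist on the container, so `/spec/template/spec/volumes/-` (append) is more robust; and since the patch is applied with `kubectl patch`, the `deployment "istio-egressgateway" configured` output line that was removed should be replaced with the `deployment.apps/istio-egressgateway patched` line readers will actually see.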
@ -768,9 +734,9 @@ to hold the configuration of the NGINX server:
number: 443 number: 443
tls: tls:
mode: MUTUAL mode: MUTUAL
clientCertificate: /etc/nginx-client-certs/tls.crt clientCertificate: /etc/istio/nginx-client-certs/tls.crt
privateKey: /etc/nginx-client-certs/tls.key privateKey: /etc/istio/nginx-client-certs/tls.key
caCertificates: /etc/nginx-ca-certs/ca-chain.cert.pem caCertificates: /etc/istio/nginx-ca-certs/ca-chain.cert.pem
sni: nginx.example.com sni: nginx.example.com
EOF EOF
{{< /text >}} {{< /text >}}
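Review bot: The `clientCertificate`, `privateKey` and `caCertificates` paths now match the `mountPath` values in the patch (`/etc/istio/nginx-client-certs`, `/etc/istio/nginx-ca-certs`), and `ca-chain.cert.pem` matches the file name given to `--from-file` when `nginx-ca-certs` was created, so the file names line up. Since `mode: MUTUAL` with `sni: nginx.example.com` is the client side of the mutual TLS handshake to NGINX, it is worth adding a sentence after this block saying that a wrong path here produces a handshake failure rather than a silent fallback, and pointing readers back to the `ls -al` verify step above.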