istio
/
istio.io
mirror of https://github.com/istio/istio.io.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

Remove $ sign in command since it breaks the copy button (#1143)

This commit is contained in:
Tao Li 2018-04-03 15:16:20 -07:00 committed by GitHub
parent 9e36999841
commit e60a355d12
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
1 changed files with 53 additions and 25 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

78
_docs/tasks/security/https-overlay.md
View File

@ -31,18 +31,22 @@ original https traffic. And this is the reason Istio can work on https services.
You need to have openssl installed to run this command You need to have openssl installed to run this command
```bash ```bash
$ openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout /tmp/nginx.key -out /tmp/nginx.crt -subj "/CN=my-nginx/O=my-nginx" openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout /tmp/nginx.key -out /tmp/nginx.crt -subj "/CN=my-nginx/O=my-nginx"
``` ```
```bash ```bash
$ kubectl create secret tls nginxsecret --key /tmp/nginx.key --cert /tmp/nginx.crt kubectl create secret tls nginxsecret --key /tmp/nginx.key --cert /tmp/nginx.crt
```
```bash
secret "nginxsecret" created secret "nginxsecret" created
``` ```
Create a configmap used for the https service Create a configmap used for the https service
```bash ```bash
$ kubectl create configmap nginxconfigmap --from-file=samples/https/default.conf kubectl create configmap nginxconfigmap --from-file=samples/https/default.conf
```
```bash
configmap "nginxconfigmap" created configmap "nginxconfigmap" created
``` ```
@ -51,7 +55,9 @@ configmap "nginxconfigmap" created
This section creates a nginx-based https service. This section creates a nginx-based https service.
```bash ```bash
$ kubectl apply -f samples/https/nginx-app.yaml kubectl apply -f samples/https/nginx-app.yaml
```
```bash
... ...
service "my-nginx" created service "my-nginx" created
replicationcontroller "my-nginx" created replicationcontroller "my-nginx" created
@ -60,13 +66,15 @@ replicationcontroller "my-nginx" created
Then, create another pod to call this service. Then, create another pod to call this service.
```bash ```bash
$ kubectl apply -f <(bin/istioctl kube-inject --debug -f samples/sleep/sleep.yaml) kubectl apply -f <(bin/istioctl kube-inject --debug -f samples/sleep/sleep.yaml)
``` ```
Get the pods Get the pods
```bash ```bash
$ kubectl get pod kubectl get pod
```
```bash
NAME READY STATUS RESTARTS AGE NAME READY STATUS RESTARTS AGE
my-nginx-jwwck 2/2 Running 0 1h my-nginx-jwwck 2/2 Running 0 1h
sleep-847544bbfc-d27jg 2/2 Running 0 18h sleep-847544bbfc-d27jg 2/2 Running 0 18h
@ -74,12 +82,14 @@ sleep-847544bbfc-d27jg 2/2 Running 0 18h
Ssh into the istio-proxy container of sleep pod. Ssh into the istio-proxy container of sleep pod.
```bash ```bash
$ kubectl exec -it sleep-847544bbfc-d27jg -c istio-proxy /bin/bash kubectl exec -it sleep-847544bbfc-d27jg -c istio-proxy /bin/bash
``` ```
Call my-nginx Call my-nginx
```bash ```bash
# curl https://my-nginx -k curl https://my-nginx -k
```
```bash
... ...
<h1>Welcome to nginx!</h1> <h1>Welcome to nginx!</h1>
... ...
@ -88,7 +98,9 @@ Call my-nginx
You can actually combine the above three command into one: You can actually combine the above three command into one:
```bash ```bash
$ kubectl exec $(kubectl get pod -l app=sleep -o jsonpath={.items..metadata.name}) -c istio-proxy -- curl https://my-nginx -k kubectl exec $(kubectl get pod -l app=sleep -o jsonpath={.items..metadata.name}) -c istio-proxy -- curl https://my-nginx -k
```
```bash
... ...
<h1>Welcome to nginx!</h1> <h1>Welcome to nginx!</h1>
... ...
@ -101,19 +113,21 @@ disabled. So you only need to redeploy the nginx https service with sidecar.
Delete the https service. Delete the https service.
```bash ```bash
$ kubectl delete -f nginx-app.yaml kubectl delete -f nginx-app.yaml
``` ```
Deploy it with sidecar Deploy it with sidecar
```bash ```bash
$ kubectl apply -f <(bin/istioctl kube-inject --debug -f samples/https/nginx-app.yaml) kubectl apply -f <(bin/istioctl kube-inject --debug -f samples/https/nginx-app.yaml)
``` ```
Make sure the pod is up and running Make sure the pod is up and running
```bash ```bash
$ kubectl get pod kubectl get pod
```
```bash
NAME READY STATUS RESTARTS AGE NAME READY STATUS RESTARTS AGE
my-nginx-6svcc 2/2 Running 0 1h my-nginx-6svcc 2/2 Running 0 1h
sleep-847544bbfc-d27jg 2/2 Running 0 18h sleep-847544bbfc-d27jg 2/2 Running 0 18h
@ -121,7 +135,9 @@ sleep-847544bbfc-d27jg 2/2 Running 0 18h
And run And run
```bash ```bash
$ kubectl exec sleep-847544bbfc-d27jg -c sleep -- curl https://my-nginx -k kubectl exec sleep-847544bbfc-d27jg -c sleep -- curl https://my-nginx -k
```
```bash
... ...
<h1>Welcome to nginx!</h1> <h1>Welcome to nginx!</h1>
... ...
@ -129,7 +145,9 @@ $ kubectl exec sleep-847544bbfc-d27jg -c sleep -- curl https://my-nginx -k
If you run from istio-proxy container, it should work as well If you run from istio-proxy container, it should work as well
```bash ```bash
$ kubectl exec sleep-847544bbfc-d27jg -c istio-proxy -- curl https://my-nginx -k kubectl exec sleep-847544bbfc-d27jg -c istio-proxy -- curl https://my-nginx -k
```
```bash
... ...
<h1>Welcome to nginx!</h1> <h1>Welcome to nginx!</h1>
... ...
@ -143,25 +161,29 @@ You need to deploy Istio control plane with mTLS enabled. If you have istio
control plane with mTLS disabled installed, please delete it: control plane with mTLS disabled installed, please delete it:
```bash ```bash
$ kubectl delete -f install/kubernetes/istio.yaml kubectl delete -f install/kubernetes/istio.yaml
``` ```
And wait for everything is down, i.e., there is no pod in control plane namespace (istio-system). And wait for everything is down, i.e., there is no pod in control plane namespace (istio-system).
```bash ```bash
$ kubectl get pod -n istio-system kubectl get pod -n istio-system
```
```bash
No resources found. No resources found.
``` ```
Then deploy the Istio control plane with mTLS enabled: Then deploy the Istio control plane with mTLS enabled:
```bash ```bash
$ kubectl apply -f install/kubernetes/istio-auth.yaml kubectl apply -f install/kubernetes/istio-auth.yaml
``` ```
Make sure everything is up and running: Make sure everything is up and running:
```bash ```bash
$ kubectl get po -n istio-system kubectl get po -n istio-system
```
```bash
NAME READY STATUS RESTARTS AGE NAME READY STATUS RESTARTS AGE
istio-ca-58c5856966-k6nm4 1/1 Running 0 2m istio-ca-58c5856966-k6nm4 1/1 Running 0 2m
istio-ingress-5789d889bc-xzdg2 1/1 Running 0 2m istio-ingress-5789d889bc-xzdg2 1/1 Running 0 2m
@ -172,16 +194,18 @@ istio-pilot-6954dcd96d-phh5z 2/2 Running 0 2m
Then redeploy the https service and sleep service Then redeploy the https service and sleep service
```bash ```bash
$ kubectl delete -f <(bin/istioctl kube-inject --debug -f samples/sleep/sleep.yaml) kubectl delete -f <(bin/istioctl kube-inject --debug -f samples/sleep/sleep.yaml)
$ kubectl apply -f <(bin/istioctl kube-inject --debug -f samples/sleep/sleep.yaml) kubectl apply -f <(bin/istioctl kube-inject --debug -f samples/sleep/sleep.yaml)
$ kubectl delete -f <(bin/istioctl kube-inject --debug -f samples/https/nginx-app.yaml) kubectl delete -f <(bin/istioctl kube-inject --debug -f samples/https/nginx-app.yaml)
$ kubectl apply -f <(bin/istioctl kube-inject --debug -f samples/https/nginx-app.yaml) kubectl apply -f <(bin/istioctl kube-inject --debug -f samples/https/nginx-app.yaml)
``` ```
Make sure the pod is up and running Make sure the pod is up and running
```bash ```bash
$ kubectl get pod kubectl get pod
```
```bash
NAME READY STATUS RESTARTS AGE NAME READY STATUS RESTARTS AGE
my-nginx-9dvet 2/2 Running 0 1h my-nginx-9dvet 2/2 Running 0 1h
sleep-77f457bfdd-hdknx 2/2 Running 0 18h sleep-77f457bfdd-hdknx 2/2 Running 0 18h
@ -189,7 +213,9 @@ sleep-77f457bfdd-hdknx 2/2 Running 0 18h
And run And run
```bash ```bash
$ kubectl exec sleep-77f457bfdd-hdknx -c sleep -- curl https://my-nginx -k kubectl exec sleep-77f457bfdd-hdknx -c sleep -- curl https://my-nginx -k
```
```bash
... ...
<h1>Welcome to nginx!</h1> <h1>Welcome to nginx!</h1>
... ...
@ -200,7 +226,9 @@ and nginx-proxy. In this case, everthing works fine.
However, if you run this command from istio-proxy container, it will not work. However, if you run this command from istio-proxy container, it will not work.
```bash ```bash
$ kubectl exec sleep-77f457bfdd-hdknx -c istio-proxy -- curl https://my-nginx -k kubectl exec sleep-77f457bfdd-hdknx -c istio-proxy -- curl https://my-nginx -k
```
```bash
... ...
curl: (35) gnutls_handshake() failed: Handshake failed curl: (35) gnutls_handshake() failed: Handshake failed
command terminated with exit code 35 command terminated with exit code 35