How can I use a custom client certificate for an external service with Istio?
Question
I need to set up mutual TLS communication from a Kubernetes pod to an external service. My system is running with Istio.
I found a reference about this:
https://istio.io/docs/reference/config/networking/v1alpha3/destination-rule/#TLSSettings
```yaml
apiVersion: networking.istio.io/v1alpha3
kind: DestinationRule
metadata:
  name: external-mtls
spec:
  host: "*.external.com"   # quoted: a bare * would be parsed as a YAML alias
  trafficPolicy:
    tls:
      mode: MUTUAL
      clientCertificate: /etc/certs/myclientcert.pem
      privateKey: /etc/certs/client_private_key.pem
      caCertificates: /etc/certs/rootcacerts.pem
```
According to this document, all I need to do is set mode MUTUAL (not ISTIO_MUTUAL) and set the certificate files. As you can see, clientCertificate, privateKey and caCertificates are local file paths.
I think they should be on the Envoy proxy's disk, but I couldn't find a way to put my certificate files into the Envoy proxy's volume.
How can I do that?
Answer
I found a workaround.
- Create a secret or config map:
```shell
kubectl create secret generic my-cert --from-file=cert1.crt --from-file=cert2.crt
```
- Annotate the pod or deployment with sidecar.istio.io/userVolumeMount and sidecar.istio.io/userVolume:
```yaml
annotations:
  sidecar.istio.io/userVolumeMount: '[{"name":"my-cert", "mountPath":"/etc/my-cert", "readOnly":true}]'
  sidecar.istio.io/userVolume: '[{"name":"my-cert", "secret":{"secretName":"my-cert"}}]'
```
Documentation on these and other annotations: https://preliminary.istio.io/docs/reference/config/annotations/
Done. It's mounted into the Envoy proxy pod.
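Added example (not from the question or the answer above): the mount from the answer combined with the ServiceEntry, VirtualService and DestinationRule the sidecar needs before it will originate mTLS to an external host, following Istio's egress TLS-origination pattern (the app sends plain HTTP to port 80, the sidecar re-routes it to 443 and wraps it in mTLS). The secret name my-cert, its key names client.crt/client.key/ca.crt, the mount path /etc/my-cert and the host api.external.com are assumptions; the DestinationRule paths must match the mountPath plus the secret's key names, as seen from inside the sidecar.

```yaml
# Added example; assumed names: secret "my-cert" with keys client.crt, client.key,
# ca.crt, mount path /etc/my-cert, external host api.external.com.
apiVersion: apps/v1
kind: Deployment
metadata: {name: client}
spec:
  selector: {matchLabels: {app: client}}
  template:
    metadata:
      labels: {app: client}
      annotations:
        sidecar.istio.io/userVolume: '[{"name":"my-cert","secret":{"secretName":"my-cert"}}]'
        sidecar.istio.io/userVolumeMount: '[{"name":"my-cert","mountPath":"/etc/my-cert","readOnly":true}]'
    spec: {containers: [{name: app, image: curlimages/curl, command: ["sleep", "86400"]}]}
---
apiVersion: networking.istio.io/v1alpha3
kind: ServiceEntry
metadata: {name: api-external}
spec:
  hosts: ["api.external.com"]
  location: MESH_EXTERNAL
  resolution: DNS
  ports:   # app sends plain HTTP to 80; sidecar originates mTLS on 443
  - {number: 80, name: http, protocol: HTTP}
  - {number: 443, name: https, protocol: TLS}
---
apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata: {name: api-external}
spec:
  hosts: ["api.external.com"]
  http:
  - match: [{port: 80}]
    route:
    - destination: {host: api.external.com, port: {number: 443}}
---
apiVersion: networking.istio.io/v1alpha3
kind: DestinationRule
metadata: {name: api-external}
spec:
  host: api.external.com
  trafficPolicy:
    portLevelSettings:
    - port: {number: 443}
      tls:
        mode: MUTUAL
        clientCertificate: /etc/my-cert/client.crt   # paths as the sidecar sees them
        privateKey: /etc/my-cert/client.key
        caCertificates: /etc/my-cert/ca.crt
        sni: api.external.com
```

Without the ServiceEntry the sidecar treats the host as unknown passthrough traffic and the DestinationRule is never applied; `istioctl proxy-config secret <pod>` will not list file-based certs, so check the mount with `kubectl exec <pod> -c istio-proxy -- ls /etc/my-cert` instead.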