具有TLS终止功能的Istio Ingress Gateway返回503服务不可用 [英] Istio Ingress Gateway with TLS termination returning 503 service unavailable

问题描述

我们想使用Istio Ingress Gateway将https流量路由到https端点.

We want to to route https traffic to an https endpoint using Istio Ingress Gateway.

我们在Ingress网关处终止TLS流量，但我们的后端服务也使用https.

We terminate the TLS traffic at the Ingress Gateway, but our backend service uses https as well.

我有以下清单:

apiVersion: networking.istio.io/v1alpha3
kind: Gateway
metadata:
  name: datalake-dsodis-istio-gateway
spec:
  selector:
    istio: ingressgateway
  servers:
  - hosts:
    - "gw-hdfs-spark.dsodis.domain"
    - "spark-history.dsodis.domain"
    port:
      name: https-wildcard
      number: 443
      protocol: HTTPS
    tls:
      mode: SIMPLE
      serverCertificate: /etc/istio/ingressgateway-certs/tls.crt
      privateKey: /etc/istio/ingressgateway-certs/tls.key

apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
  name: gw-spark-history-istio-vs
spec:
  gateways:
  - default/datalake-dsodis-istio-gateway
  hosts:
  - "spark-history.dsodis.domain"
  http:
    - match:
      - uri:
          prefix: /
      route:
        - destination:
            host: gateway-svc-clusterip.our_application_namespace.svc.cluster.local
            port:
              number: 8443

apiVersion: networking.istio.io/v1alpha3
kind: DestinationRule
metadata:
  name: originate-tls-for-spark-history
spec:
  host: gateway-svc-clusterip.our_application_namespace.svc.cluster.local
  trafficPolicy:
    loadBalancer:
      simple: ROUND_ROBIN
    portLevelSettings:
    - port:
        number: 8443 
      tls:
        mode: SIMPLE

问题很可能是，我们正在将TLS终止的流量(即HTTP流量)发送到HTTPS后端.因此，通过Istio访问服务时，我们可能会获得503服务不可用.

The problem is most likely, that we are sending TLS terminated traffic, (so to say) HTTP traffic, to the HTTPS backend. Therefore we might get 503 Service Unavailable when accessing the service through Istio.

访问它的命令是:

curl -vvvv -H"Host: spark-history.dsodis.domain" --resolve "spark-history.dsodis.domain:31390:IP" https://spark-history.dsodis.domain:31390/gateway/default/sparkhistory  -k

我的问题是，如何告诉Istio使用https将流量路由到后端服务?

My question is, how can I tell Istio to route traffic to the backend service using https?

谢谢.

最诚挚的问候， rforberger

Best regards, rforberger

推荐答案

正如RonnyForberger在他的评论中提到的那样，可以通过创建DestinationRule来实现，这可以告诉到目标服务的流量是TLS连接.

As RonnyForberger mentioned in his comment this can be achieved by creating DestinationRule that tells the traffic to the destination service to be TLS connection.

在这种情况下:

1. HTTPS请求将TLS终止于GateWay至HTTP.
2. 然后将HTTP请求转换为TLS，而DestinationRule转换为HTTPS.
3. HTTPS请求到达HTTPS后端.

1. HTTPS request gets TLS terminated at GateWay to HTTP.
2. Then the HTTP request is translated to TLS with DestinationRule to HTTPS.
3. HTTPS request reaches HTTPS backend.

这篇关于具有TLS终止功能的Istio Ingress Gateway返回503服务不可用的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！