Updating Istio-IngressGateway TLS Cert

This article describes how to update the Istio-IngressGateway TLS certificate; it may be a useful reference for readers facing the same problem.

Problem description


I have a scenario where I need to update the Ingress gateway tls cert (/etc/istio/ingressgateway-certs/tls.crt) and key every 24 hours. I am able to fetch the raw bytes and create the secret using C# Kubernetes client, but unless the Ingress Gateway restarts, it does not pick up the updated certs. Is there a way to do that through code without restarting the ingress-gateway deployment?


Any other suggestions are also highly appreciated.

Recommended answer


You are mounting your cert/key by file reference. Istio supports SDS now, so you can mount the cert by credentialName. This mode will detect a new cert without restarting. From docs:

apiVersion: networking.istio.io/v1alpha3
kind: Gateway
metadata:
  name: mygateway
spec:
  selector:
    istio: ingressgateway # use istio default ingress gateway
  servers:
  - port:
      number: 443
      name: https
      protocol: HTTPS
    tls:
      mode: SIMPLE
      credentialName: httpbin-credential # must be the same as secret
    hosts:
    - httpbin.example.com


Btw: docs state that...


The secret name should not begin with istio or prometheus, and the secret should not contain a token field.
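The SDS pattern above only works if the Secret referenced by credentialName is well-formed and is rotated in place under the same name. The following Python is an added example, not code from the answer or from Istio; it builds that Secret in the kubectl-create-secret-tls layout, checks the naming and content rules quoted from the docs, and rotates the cert/key without touching the Gateway. It assumes the gateway resolves credentialName in the istio-system namespace and uses constructed placeholder PEM bytes.

```python
import base64
import json

# Prefixes the Istio docs reserve; an SDS credential secret must not start with them.
FORBIDDEN_PREFIXES = ("istio", "prometheus")
# Namespace where the default ingress gateway looks up credentialName (assumption for this example).
GATEWAY_NAMESPACE = "istio-system"

def check_credential_secret(manifest):
    """Return a list of problems; an empty list means the Secret is usable as a credentialName."""
    problems = []
    name = manifest.get("metadata", {}).get("name", "")
    if name.startswith(FORBIDDEN_PREFIXES):
        problems.append(f"name {name!r} begins with a reserved prefix")
    if manifest.get("type") != "kubernetes.io/tls":
        problems.append("this example expects type kubernetes.io/tls (kubectl create secret tls layout)")
    data = manifest.get("data", {})
    for key in ("tls.crt", "tls.key"):
        if key not in data:
            problems.append(f"missing data key {key!r}")
    if "token" in data:
        problems.append("secret must not contain a token field")
    return problems

def build_credential_secret(name, cert_pem, key_pem):
    """Build the Secret that a Gateway's tls.credentialName points at (ready for kubectl apply)."""
    manifest = {
        "apiVersion": "v1",
        "kind": "Secret",
        "metadata": {"name": name, "namespace": GATEWAY_NAMESPACE},
        "type": "kubernetes.io/tls",
        "data": {
            "tls.crt": base64.b64encode(cert_pem).decode(),
            "tls.key": base64.b64encode(key_pem).decode(),
        },
    }
    problems = check_credential_secret(manifest)
    if problems:
        raise ValueError("; ".join(problems))
    return manifest

def rotate_credential_secret(current, new_cert_pem, new_key_pem):
    """Replace cert and key under the same name, so the Gateway object and the pods stay untouched."""
    return build_credential_secret(current["metadata"]["name"], new_cert_pem, new_key_pem)

if __name__ == "__main__":
    # Constructed placeholder PEM bytes, not real key material.
    cert = b"-----BEGIN CERTIFICATE-----\nMIIB...placeholder...\n-----END CERTIFICATE-----\n"
    key = b"-----BEGIN PRIVATE KEY-----\nMIIE...placeholder...\n-----END PRIVATE KEY-----\n"
    secret = build_credential_secret("httpbin-credential", cert, key)
    print(json.dumps(rotate_credential_secret(secret, cert, key), indent=2))
```

Applying the printed manifest on the 24-hour schedule (for example via the Kubernetes client the question already uses) replaces the key material that SDS serves to the gateway; the Gateway's credentialName never changes.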
