How do I properly HTTPS secure an application when using Istio?

Views: 111

Question

I'm currently trying to wrap my head around what the typical application flow looks like for a Kubernetes application in combination with Istio.

So, for my app I have an ASP.NET application hosted within a Kubernetes cluster, and I added Istio on top. Here are my Gateway and VirtualService:

apiVersion: networking.istio.io/v1alpha3
kind: Gateway
metadata:
  name: appgateway
spec:
  selector:
    istio: ingressgateway
  servers:
    - port:
        number: 80
        name: http
        protocol: HTTP
      hosts:
        - "*"
      tls:
        httpsRedirect: true
    - port:
        number: 443
        name: https
        protocol: HTTPS
      tls:
        mode: SIMPLE
        serverCertificate: /etc/istio/ingressgateway-certs/tls.crt
        privateKey: /etc/istio/ingressgateway-certs/tls.key
      hosts:
        - "*"
---
apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
  name: appvservice
spec:
  hosts:
    - "*"
  gateways:
    - appgateway
  tls:
    - match:
        - port: 443
          sniHosts:
            - "*"
      route:
        - destination:
            host: frontendservice.default.svc.cluster.local
            port:
              number: 443

This is what I came up with after reading through the Istio documentation.

Note that my frontendservice is a very basic ClusterIP service routing to an ASP.NET application, which also offers the standard 80 / 443 ports.

I now have a few questions:

  • Is this the right way to secure my application? Essentially, I want incoming traffic on port 80 to be redirected straight to the HTTPS-enabled port 443 at the edge. However, when I try this, there is no redirect on port 80 at all.
  • Also, the TLS route on my VirtualService does not work. No traffic reaches my pods at all.
  • I also wonder whether it is necessary to add HTTPS to the internal application manually, or whether Istio's internal CA feature comes into play here?

I have imagined it to work like this:

  1. A request comes in. If it arrives on port 80, a redirect is sent to the client telling it to make an HTTPS request instead. If it arrives on port 443, the request is allowed through.
  2. The VirtualService provides the instructions for how requests on port 443 should be handled and forwards them to the service.
  3. The service now forwards the request to port 443 of my app.

Thanks in advance - I'm just learning Istio, and I'm a bit baffled why my seemingly proper setup does not work here.

Answer

Your Gateway terminates TLS connections, but your VirtualService is configured to accept unterminated TLS connections with a TLSRoute.

Compare the example without TLS termination and the example which terminates TLS. Most probably, the "default" setup would be to terminate the TLS connection at the Gateway and configure the VirtualService with an HTTPRoute.
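The manifests below show the setup the answer describes, with the Gateway terminating TLS and the VirtualService using an http route instead of a tls route. They are an added example, not the question's or the answer's own configuration, and they make a few assumptions that are not in the thread: the hostname app.example.com, a kubernetes.io/tls secret named app-tls-cert in the istio-system namespace referenced through credentialName (Istio's SDS-based certificate loading, available in Istio 1.5 and later, instead of the mounted ingressgateway-certs paths used in the question), and that the ASP.NET app is reached on plain HTTP port 80 inside the mesh. The PeerAuthentication at the end addresses the third question in the post, which the answer itself does not cover: with STRICT mutual TLS the hop from the ingress gateway to the pod is encrypted and authenticated with certificates issued by Istio's CA, so the app does not need to serve HTTPS itself.

```yaml
# Added example, not code from the question or the answer. Assumptions:
#  - the application is served as app.example.com
#  - a Secret istio-system/app-tls-cert of type kubernetes.io/tls
#    (keys tls.crt and tls.key) holds the server certificate
#  - the ASP.NET app listens on plain HTTP :80 behind its sidecar
apiVersion: networking.istio.io/v1alpha3
kind: Gateway
metadata:
  name: appgateway
  namespace: default
spec:
  selector:
    istio: ingressgateway
  servers:
    # Port 80 only answers with a 301 to https://; nothing is routed over it.
    - port:
        number: 80
        name: http
        protocol: HTTP
      hosts:
        - "app.example.com"
      tls:
        httpsRedirect: true
    # Port 443 terminates TLS at the gateway using the certificate in the secret.
    - port:
        number: 443
        name: https
        protocol: HTTPS
      hosts:
        - "app.example.com"
      tls:
        mode: SIMPLE
        credentialName: app-tls-cert
---
apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
  name: appvservice
  namespace: default
spec:
  hosts:
    - "app.example.com"
  gateways:
    - appgateway
  # The gateway has already decrypted the connection, so what reaches the
  # VirtualService is plain HTTP. A tls route only matches the SNI of
  # unterminated TLS connections, which is why it never saw any traffic.
  http:
    - match:
        - uri:
            prefix: /
      route:
        - destination:
            host: frontendservice.default.svc.cluster.local
            port:
              number: 80
---
# Require mutual TLS for every workload in the namespace. The ingress gateway
# originates mTLS towards the sidecar automatically, so the gateway-to-pod hop
# is protected by Istio's CA without the app serving HTTPS on its own.
apiVersion: security.istio.io/v1beta1
kind: PeerAuthentication
metadata:
  name: default
  namespace: default
spec:
  mtls:
    mode: STRICT
```

After applying the manifests, `curl -sI http://app.example.com/` should return a 301 with a `Location: https://app.example.com/` header, and `curl -sI https://app.example.com/` should return the app's response; `openssl s_client -connect app.example.com:443 -servername app.example.com` confirms which certificate the gateway presents. If the port 80 redirect does not fire, check that the host in the request matches the `hosts` entry of the port 80 server, since the redirect only applies to matching hosts. The app's own port 443 is simply not used in this design; the TLS the client sees ends at the gateway, and the mesh's mutual TLS covers the rest.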
