tls-origination: Invalid path istio when importing tls

Problem description

I am intercepting a service at port 389 and applying tls-origination, so my destination rule is as follows:

apiVersion: networking.istio.io/v1alpha3
kind: DestinationRule
metadata:
  name: ldap
spec:
  host: ...
  subsets:
  - name: tls-origination
    trafficPolicy:
      loadBalancer:
        simple: ROUND_ROBIN
      portLevelSettings:
      - port:
          number: 636
        tls:
          mode: SIMPLE
          caCertificates: /path/to/certificate/ldap.pem

The value /path/to/certificate/ldap.pem is the path on my local machine to the file. When I look at the istio proxy logs, after having applied the destination rules, I get the following error:

type.googleapis.com/envoy.api.v2.Cluster rejected: Error adding/updating cluster(s) outbound|636|tls-origination|...: Invalid path: /path/to/certificate/ldap.pem

What am I doing wrong? Istio is being deployed inside Kubernetes.

Recommended answer

In my case, I had to add the file into the same pod as the service being intercepted. I have used the same approach described here (i.e., using annotations); the certificate gets added to the proxy sidecar.
