tls-origination: Invalid path istio when importing tls
Problem description
I am intercepting a service at port 389 and applying tls-origination, so my destination rule is as follows:
apiVersion: networking.istio.io/v1alpha3
kind: DestinationRule
metadata:
  name: ldap
spec:
  host: ...
  subsets:
  - name: tls-origination
    trafficPolicy:
      loadBalancer:
        simple: ROUND_ROBIN
      portLevelSettings:
      - port:
          number: 636
        tls:
          mode: SIMPLE
          caCertificates: /path/to/certificate/ldap.pem
The value /path/to/certificate/ldap.pem is the path on my local machine to the file. When I look at the istio proxy logs, after having applied the destination rule, I get the following error:
type.googleapis.com/envoy.api.v2.Cluster rejected: Error adding/updating cluster(s) outbound|636|tls-origination|...: Invalid path: /path/to/certificate/ldap.pem
What am I doing wrong? Istio is being deployed inside Kubernetes.
Recommended answer
In my case, I had to add the file into the same pod as the service being intercepted. I have used the same approach described here (i.e., using annotations); the certificate gets added to the proxy sidecar.
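The approach the answer describes, as an added example that is not part of the original post: the CA file is stored in a Kubernetes Secret, Istio's `sidecar.istio.io/userVolume` and `sidecar.istio.io/userVolumeMount` annotations mount it into the istio-proxy container, and `caCertificates` points at that in-container path. The Secret name `ldap-ca`, the Deployment `ldap-client`, the image and the mount path `/etc/ldap-ca` are assumptions; the link behind "here" is not preserved on the page.

```yaml
# Added example. Assumed names: Secret "ldap-ca", Deployment "ldap-client",
# mount path /etc/ldap-ca, placeholder image.
# Create the Secret from the local file first:
#   kubectl create secret generic ldap-ca --from-file=ldap.pem=/path/to/certificate/ldap.pem
apiVersion: apps/v1
kind: Deployment
metadata:
  name: ldap-client
spec:
  replicas: 1
  selector:
    matchLabels:
      app: ldap-client
  template:
    metadata:
      labels:
        app: ldap-client
      annotations:
        # Volume the sidecar injector adds to the pod.
        sidecar.istio.io/userVolume: '[{"name":"ldap-ca","secret":{"secretName":"ldap-ca"}}]'
        # Mount of that volume inside the istio-proxy container.
        sidecar.istio.io/userVolumeMount: '[{"name":"ldap-ca","mountPath":"/etc/ldap-ca","readOnly":true}]'
    spec:
      containers:
      - name: app
        image: example.invalid/ldap-client:placeholder
---
apiVersion: networking.istio.io/v1alpha3
kind: DestinationRule
metadata:
  name: ldap
spec:
  host: ...
  subsets:
  - name: tls-origination
    trafficPolicy:
      loadBalancer:
        simple: ROUND_ROBIN
      portLevelSettings:
      - port:
          number: 636
        tls:
          mode: SIMPLE
          # Path as Envoy sees it inside istio-proxy, not on the workstation.
          caCertificates: /etc/ldap-ca/ldap.pem
```

Envoy resolves `caCertificates` against the sidecar's own filesystem, which is why a workstation path is rejected as `Invalid path`. Listing the mount directory from the `istio-proxy` container with `kubectl exec` confirms the file is present before the DestinationRule is applied.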