How can I use a custom client certificate for an external service with Istio?
Question
I need to set up mutual TLS communication from a Kubernetes pod to an external service. My system is running with Istio.
I found a reference about this:
https://istio.io/docs/reference/config/networking/v1alpha3/destination-rule/#TLSSettings
apiVersion: networking.istio.io/v1alpha3
kind: DestinationRule
metadata:
  name: external-mtls
spec:
  host: "*.external.com"   # quoted: an unquoted leading * is a YAML alias and does not parse
  trafficPolicy:
    tls:
      mode: MUTUAL
      clientCertificate: /etc/certs/myclientcert.pem
      privateKey: /etc/certs/client_private_key.pem
      caCertificates: /etc/certs/rootcacerts.pem
According to this document, all I need to do is set mode MUTUAL (not ISTIO_MUTUAL) and set the certificate files. As you can see, clientCertificate, privateKey and caCertificates are local file paths.
I think they should be on the Envoy proxy's disk, but I couldn't find a way to put my certificate files into the Envoy proxy's volume.
How can I do that?
Accepted answer
I found the solution.
- Create a secret or configmap:
kubectl create secret generic my-cert --from-file=cert1.crt --from-file=cert2.crt
- Annotate the pod or deployment with sidecar.istio.io/userVolumeMount and sidecar.istio.io/userVolume:
annotations:
  # readOnly is the Kubernetes VolumeMount field name; a lowercase "readonly" key is silently ignored
  sidecar.istio.io/userVolumeMount: '[{"name":"my-cert", "mountPath":"/etc/my-cert", "readOnly":true}]'
  sidecar.istio.io/userVolume: '[{"name":"my-cert", "secret":{"secretName":"my-cert"}}]'
Documentation on these and other annotations: https://preliminary.istio.io/docs/reference/config/annotations/
Done. It's mounted into the Envoy proxy pod.
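The whole procedure from the answer, as one added example that is not code from the question, the answer or Istio's own documentation: a script that renders the Deployment with the two sidecar annotations, the ServiceEntry the external host needs before any DestinationRule for it takes effect, and the DestinationRule itself, then checks that the certificate paths in the DestinationRule really are mountPath plus a key of the Secret. The names mesh-client, api.external.com, the Secret my-cert, the mount /etc/my-cert and the key names client.crt, client.key and ca.crt are assumptions for illustration.

```shell
#!/usr/bin/env bash
# Added example, not code from the question or answer above. Renders the manifests the
# procedure needs and checks that the DestinationRule's certificate paths match what the
# userVolumeMount exposes inside istio-proxy. Assumed names: Deployment mesh-client,
# external host api.external.com, Secret my-cert mounted at /etc/my-cert with keys
# client.crt, client.key and ca.crt.
set -eu

SECRET_NAME="my-cert"
MOUNT_PATH="/etc/my-cert"
EXTERNAL_HOST="api.external.com"
# Secret keys become files directly under MOUNT_PATH; they are the basenames passed to
#   kubectl create secret generic my-cert --from-file=client.crt --from-file=client.key --from-file=ca.crt
SECRET_KEYS="client.crt client.key ca.crt"

# The two annotations add the volume and the mount to the istio-proxy container. A normal
# spec.volumes/volumeMounts entry only reaches the app container, which is why the files
# in the question never appeared on Envoy's disk.
render_deployment() {
cat <<EOF
apiVersion: apps/v1
kind: Deployment
metadata:
  name: mesh-client
spec:
  selector:
    matchLabels:
      app: mesh-client
  template:
    metadata:
      labels:
        app: mesh-client
      annotations:
        sidecar.istio.io/userVolume: '[{"name":"${SECRET_NAME}","secret":{"secretName":"${SECRET_NAME}"}}]'
        sidecar.istio.io/userVolumeMount: '[{"name":"${SECRET_NAME}","mountPath":"${MOUNT_PATH}","readOnly":true}]'
    spec:
      containers:
      - name: app
        image: curlimages/curl
        command: ["sleep", "infinity"]
EOF
}

# The mesh must know the external host before a DestinationRule for it applies. Port 443 is
# declared as HTTP so the app sends plaintext to http://api.external.com:443/ and Envoy,
# not the app, originates mTLS with the mounted client certificate.
render_mesh_config() {
cat <<EOF
apiVersion: networking.istio.io/v1alpha3
kind: ServiceEntry
metadata:
  name: external-api
spec:
  hosts:
  - ${EXTERNAL_HOST}
  location: MESH_EXTERNAL
  resolution: DNS
  ports:
  - number: 443
    name: http-port-for-tls-origination
    protocol: HTTP
---
apiVersion: networking.istio.io/v1alpha3
kind: DestinationRule
metadata:
  name: external-api-mtls
spec:
  host: ${EXTERNAL_HOST}
  trafficPolicy:
    tls:
      mode: MUTUAL
      clientCertificate: ${MOUNT_PATH}/client.crt
      privateKey: ${MOUNT_PATH}/client.key
      caCertificates: ${MOUNT_PATH}/ca.crt
      sni: ${EXTERNAL_HOST}
EOF
}

# Pre-flight check: every certificate path must be MOUNT_PATH/<secret key>. A mismatch here
# is the usual reason Envoy logs a TLS error even though the mount itself looks fine.
check_cert_paths() {
  local path key
  for path in $(render_mesh_config | sed -En 's/^ *(clientCertificate|privateKey|caCertificates): *//p'); do
    key="${path#${MOUNT_PATH}/}"
    case " ${SECRET_KEYS} " in
      *" ${key} "*) ;;
      *) echo "DestinationRule references ${path}, but the mount only provides: ${SECRET_KEYS}" >&2; return 1 ;;
    esac
  done
}

# Apply order: Secret first (the sidecar volume references it), then mesh config, then the
# Deployment. To confirm afterwards:
#   kubectl exec deploy/mesh-client -c istio-proxy -- ls ${MOUNT_PATH}
#   kubectl exec deploy/mesh-client -c app -- curl -sI http://${EXTERNAL_HOST}:443/
apply_all() {
  check_cert_paths
  kubectl create secret generic "${SECRET_NAME}" --from-file=client.crt --from-file=client.key --from-file=ca.crt
  render_mesh_config | kubectl apply -f -
  render_deployment | kubectl apply -f -
}
```

Two practical points the answer leaves implicit: the private key should live in a Secret rather than a ConfigMap, and once it is mounted into istio-proxy anyone allowed to `kubectl exec` into that container can read it, so pods/exec RBAC in the namespace is part of the threat model for this setup.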