Envoy TLS
来源:原创
时间:2019-11-17
作者:脚本小站
分类:云原生
TLS:listener 的服务端证书既可以静态配置(直接指向容器/磁盘上的证书和私钥文件),也可以通过 SDS(Secret Discovery Service)动态下发;后者不必把私钥随镜像或挂载卷分发,并且轮换证书时无需重启 Envoy。注意:下面示例使用的是 v2 API 的 `tls_context` 字段,较新的 Envoy 版本已改为 v3 的 `transport_socket`(`DownstreamTlsContext`),字段含义相同。
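# Skeleton of the downstream (server-side) TLS settings on a listener, v2 API.
# Values are placeholders; the real example further down fills in the paths.
listeners:
- filter_chains:
  - filters: []
    tls_context:                         # DownstreamTlsContext: TLS settings for this filter chain
      common_tls_context:                # settings shared with the upstream (client-side) variant
        tls_params: {}                   # allowed protocol versions, cipher suites, ECDH curves
        tls_certificates:                # static certificates read from disk at startup
        - certificate_chain:
            filename: /path/to/server.crt      # PEM certificate chain (leaf first)
          private_key:
            filename: /path/to/server.key      # PEM private key; keep it 0600 and mount it read-only
          password:
            filename: /path/to/key-passphrase  # file holding the key passphrase, if the key is encrypted
        # Alternative to tls_certificates: fetch the certificate/key via the SDS API
        # (typo in the original, "sda", corrected to "sds").
        tls_certificate_sds_secret_configs: []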
      require_client_certificate: false  # 是否要求客户端出示证书(mTLS);为 true 时还需在 common_tls_context 中配置 validation_context(trusted_ca)来校验客户端证书

实验清单:
生成证书:
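# Generate a self-signed server certificate plus an UNENCRYPTED private key
# (-nodes = no passphrase). Fine for this lab; for anything real, get a
# CA-issued certificate or at least protect the key.
# The key algorithm/size and digest are stated explicitly instead of relying on
# the openssl.cnf defaults of whatever OpenSSL version is installed.
# Modern clients (Chrome, Go, curl with recent OpenSSL) ignore the CN and match
# the subjectAltName, so add one; -addext needs OpenSSL >= 1.1.1.
mkdir -p certs
openssl req -nodes -new -x509 -newkey rsa:2048 -sha256 \
  -keyout certs/server.key -out certs/server.crt -days 365 \
  -subj '/CN=ik8s.io/O=qiyang LTD./C=CN' \
  -addext 'subjectAltName=DNS:ik8s.io'
# The key is mounted into the Envoy container; keep it readable by the owner only.
chmod 600 certs/server.key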
front-envoy.yaml(文件名需与下面 docker-compose.yaml 中挂载的 ./front-envoy.yaml 一致):
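# Front proxy: port 80 only redirects to HTTPS, port 443 terminates TLS and
# routes /service/1 and /service/2 to the two backend clusters.
# NOTE: the "@type" URLs are v2 API types; newer Envoy releases expect the v3
# equivalents (and move tls_context under transport_socket).
static_resources:
  listeners:
  # Plain-HTTP listener: every request is answered with a redirect to HTTPS.
  - name: http_listener
    address:
      socket_address:
        address: 0.0.0.0
        port_value: 80
    filter_chains:
    - filters:
      - name: envoy.http_connection_manager
        typed_config:
          "@type": type.googleapis.com/envoy.config.filter.network.http_connection_manager.v2.HttpConnectionManager
          codec_type: auto
          stat_prefix: ingress_http
          route_config:
            name: local_route
            virtual_hosts:
            - name: backend
              domains: ["*"]
              routes:
              - match:
                  prefix: "/"
                redirect:
                  https_redirect: true
                  port_redirect: 443
          http_filters:
          - name: envoy.router
            typed_config: {}
  # HTTPS listener: TLS termination with the static certificate mounted from ./certs.
  - name: https_listener
    address:
      socket_address:
        address: 0.0.0.0
        port_value: 443
    filter_chains:
    - filters:
      - name: envoy.http_connection_manager
        typed_config:
          "@type": type.googleapis.com/envoy.config.filter.network.http_connection_manager.v2.HttpConnectionManager
          codec_type: auto
          # Distinct prefix: the original reused ingress_http, which merges the
          # HTTP and HTTPS listener stats under one name.
          stat_prefix: ingress_https
          route_config:
            name: https_route
            virtual_hosts:
            - name: https_route
              domains: ["*"]
              routes:
              - match:
                  prefix: "/service/1"
                route:
                  cluster: service1
              - match:
                  prefix: "/service/2"
                route:
                  cluster: service2
          http_filters:
          - name: envoy.router
            typed_config: {}
      tls_context:
        common_tls_context:
          tls_params:
            # Explicit floor so TLS 1.0/1.1 are refused regardless of what the
            # installed Envoy version uses as its default minimum.
            tls_minimum_protocol_version: TLSv1_2
          tls_certificates:
          - certificate_chain:
              filename: "/etc/envoy/certs/server.crt"
            private_key:
              filename: "/etc/envoy/certs/server.key"
  # Backends are reached over plain HTTP/2 inside the compose network.
  clusters:
  - name: service1
    connect_timeout: 0.25s
    type: strict_dns
    lb_policy: round_robin
    http2_protocol_options: {}
    load_assignment:
      cluster_name: service1
      endpoints:
      - lb_endpoints:
        - endpoint:
            address:
              socket_address:
                address: service1
                port_value: 80
  - name: service2
    connect_timeout: 0.25s
    type: strict_dns
    lb_policy: round_robin
    http2_protocol_options: {}
    load_assignment:
      cluster_name: service2
      endpoints:
      - lb_endpoints:
        - endpoint:
            address:
              socket_address:
                address: service2
                port_value: 80
admin:
  # Admin access log is discarded; point this at a file if you need an audit trail.
  access_log_path: "/dev/null"
  address:
    socket_address:
      # The admin API is unauthenticated and exposes config dumps and control
      # endpoints, so bind it to loopback only (the original bound 0.0.0.0 and
      # the compose file published it to the host).
      address: 127.0.0.1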
      port_value: 9901

docker-compose.yaml:
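# Lab topology: one front Envoy (80/443 published to the host) in front of two
# backend services that are reachable only on the internal envoymesh network.
version: "3.7"
services:
  front-envoy:
    build:
      context: .
      dockerfile: Dockerfile-frontenvoy
    volumes:
      # Read-only: the proxy only needs to read its config and key material.
      - ./front-envoy.yaml:/etc/front-envoy.yaml:ro
      - ./certs/:/etc/envoy/certs/:ro
    networks:
      - envoymesh
    expose:
      - "80"
      - "443"
      - "9901"
    ports:
      - "80:80"
      - "443:443"
      # The Envoy admin API (9901) is deliberately NOT published to the host:
      # it is unauthenticated. Reach it from inside the container
      # (docker-compose exec front-envoy curl localhost:9901/...) instead.
  service1:
    build:
      context: .
      dockerfile: Dockerfile-service
    volumes:
      - ./service-envoy.yaml:/etc/service-envoy.yaml:ro
    networks:
      envoymesh:
        aliases:
          - service1
    environment:
      - SERVICE_NAME=1
    expose:
      - "80"
  service2:
    build:
      context: .
      dockerfile: Dockerfile-service
    volumes:
      - ./service-envoy.yaml:/etc/service-envoy.yaml:ro
    networks:
      envoymesh:
        aliases:
          - service2
    environment:
      - SERVICE_NAME=2
    expose:
      - "80"
networks: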
  envoymesh: {}

其他文件(Dockerfile-frontenvoy、Dockerfile-service、service-envoy.yaml 等)见 https://github.com/envoyproxy/envoy 仓库的 examples/front-proxy 目录。
验证:在宿主机上访问 https://<宿主机IP>/service/1(原文的 192.168.69 不是合法的 IPv4 地址);访问 http://<宿主机IP>/service/1 应得到 301 跳转到 HTTPS。证书是自签名的,浏览器会提示不受信任;用 curl 测试时不要简单地加 -k 跳过校验,而是把生成的证书作为信任锚并按证书里的名字访问:`curl --cacert certs/server.crt --resolve ik8s.io:443:<宿主机IP> https://ik8s.io/service/1`。
