Envoy TLS
来源:原创
时间:2019-11-17
作者:脚本小站
分类:云原生
TLS:listener 的服务端证书既可以在 `tls_context`(v2 API 中的 DownstreamTlsContext,位于 filter_chain 条目下、与 `filters` 平级)里以文件路径静态配置,也可以通过 SDS(Secret Discovery Service)动态获取;后者便于证书轮换而无需重启 Envoy。注意本文使用的是 v2 API 字段,较新版本的 Envoy(v3 API)已改为在 `transport_socket` 中配置 TLS。
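# Skeleton of the downstream TLS settings on a listener (Envoy v2 API).
# Values are placeholders; see front-envoy.yaml below for a concrete instance.
listeners:
  - filter_chains:
      - filters: []
        # DownstreamTlsContext. It is a sibling of `filters` inside the
        # filter_chain entry, not a field of an individual filter.
        tls_context:
          common_tls_context:
            # Protocol version floor/ceiling, cipher suites, ECDH curves.
            tls_params: {}
            # Certificates loaded statically from disk.
            tls_certificates:
              - certificate_chain:
                  filename: ""   # path to the PEM certificate chain
                private_key:
                  filename: ""   # path to the PEM private key
                password:
                  filename: ""   # path to a file holding the key passphrase (omit if the key is unencrypted)
            # Alternative to tls_certificates: fetch key material via the SDS API.
            # (Field name is tls_certificate_sds_secret_configs — "sds", not "sda".)
            tls_certificate_sds_secret_configs: []
          # Ask the client for a certificate (mTLS). To actually verify it,
          # also configure a trusted CA via validation_context in common_tls_context.
          require_client_certificate: false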
实验清单:
生成证书:
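# Self-signed server certificate for this lab only — never use in production.
# -nodes writes the private key unencrypted, so lock down its permissions.
mkdir -p certs
openssl req -nodes -new -x509 -newkey rsa:2048 -sha256 -days 365 \
  -keyout certs/server.key -out certs/server.crt \
  -subj '/CN=ik8s.io/O=qiyang LTD./C=CN'
# If Envoy runs as a non-root user inside the container, adjust ownership so it can still read the key.
chmod 600 certs/server.key
# NOTE: this certificate only has a CN and no subjectAltName; browsers ignore the CN
# and will reject it. On OpenSSL >= 1.1.1 add `-addext 'subjectAltName=DNS:ik8s.io'`.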
front-envoy.yaml(注意文件名要与 docker-compose.yaml 中挂载的 `./front-envoy.yaml` 一致)
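# Front proxy: port 80 redirects to HTTPS, port 443 terminates TLS and routes
# /service/1 and /service/2 to the two backend clusters (Envoy v2 API).
static_resources:
  listeners:
    # Plain-HTTP listener whose only job is to redirect everything to HTTPS.
    - name: http_listener
      address:
        socket_address:
          address: 0.0.0.0
          port_value: 80
      filter_chains:
        - filters:
            - name: envoy.http_connection_manager
              typed_config:
                "@type": type.googleapis.com/envoy.config.filter.network.http_connection_manager.v2.HttpConnectionManager
                codec_type: auto
                stat_prefix: ingress_http
                route_config:
                  name: local_route
                  virtual_hosts:
                    - name: backend
                      domains: ["*"]
                      routes:
                        - match:
                            prefix: "/"
                          redirect:
                            https_redirect: true
                            port_redirect: 443
                http_filters:
                  - name: envoy.router
                    typed_config: {}

    # HTTPS listener: TLS termination plus path-based routing.
    - name: https_listener
      address:
        socket_address:
          address: 0.0.0.0
          port_value: 443
      filter_chains:
        - filters:
            - name: envoy.http_connection_manager
              typed_config:
                "@type": type.googleapis.com/envoy.config.filter.network.http_connection_manager.v2.HttpConnectionManager
                codec_type: auto
                # Distinct prefix so this listener's stats do not merge with port 80's.
                stat_prefix: ingress_https
                route_config:
                  name: https_route
                  virtual_hosts:
                    - name: https_route
                      domains: ["*"]
                      routes:
                        - match:
                            prefix: "/service/1"
                          route:
                            cluster: service1
                        - match:
                            prefix: "/service/2"
                          route:
                            cluster: service2
                http_filters:
                  - name: envoy.router
                    typed_config: {}
          # DownstreamTlsContext: sibling of `filters` in the filter_chain entry.
          tls_context:
            common_tls_context:
              tls_params:
                # Pin the floor explicitly instead of relying on the release default
                # (older Envoy releases accepted TLS 1.0 on the server side).
                tls_minimum_protocol_version: TLSv1_2
              tls_certificates:
                - certificate_chain:
                    filename: "/etc/envoy/certs/server.crt"
                  private_key:
                    filename: "/etc/envoy/certs/server.key"

  clusters:
    # No tls_context on the clusters and http2_protocol_options set, so the
    # backends are dialed with plaintext HTTP/2 (h2c); they must accept that.
    - name: service1
      connect_timeout: 0.25s
      type: strict_dns
      lb_policy: round_robin
      http2_protocol_options: {}
      load_assignment:
        cluster_name: service1
        endpoints:
          - lb_endpoints:
              - endpoint:
                  address:
                    socket_address:
                      address: service1
                      port_value: 80
    - name: service2
      connect_timeout: 0.25s
      type: strict_dns
      lb_policy: round_robin
      http2_protocol_options: {}
      load_assignment:
        cluster_name: service2
        endpoints:
          - lb_endpoints:
              - endpoint:
                  address:
                    socket_address:
                      address: service2
                      port_value: 80

# Admin interface: unauthenticated, exposes config dumps and control endpoints
# such as /quitquitquit. Binding to 0.0.0.0 is only acceptable because it lives
# inside the compose network — do not publish it to untrusted networks.
admin:
  access_log_path: "/dev/null"
  address:
    socket_address:
      address: 0.0.0.0
      port_value: 9901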
docker-compose.yaml
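# Compose stack: one front Envoy plus two backend services on a private network.
version: "3.7"

services:
  front-envoy:
    build:
      context: .
      dockerfile: Dockerfile-frontenvoy
    volumes:
      # Config and key material are mounted read-only; the proxy never needs to write them.
      - ./front-envoy.yaml:/etc/front-envoy.yaml:ro
      - ./certs/:/etc/envoy/certs/:ro
    networks:
      - envoymesh
    expose:
      - "80"
      - "443"
      - "9901"
    ports:
      - "80:80"
      - "443:443"
      # The Envoy admin API is unauthenticated; publish it on the host's loopback
      # only, never on all interfaces.
      - "127.0.0.1:9901:9901"

  service1:
    build:
      context: .
      dockerfile: Dockerfile-service
    volumes:
      - ./service-envoy.yaml:/etc/service-envoy.yaml:ro
    networks:
      envoymesh:
        aliases:
          - service1
    environment:
      - SERVICE_NAME=1
    expose:
      - "80"

  service2:
    build:
      context: .
      dockerfile: Dockerfile-service
    volumes:
      - ./service-envoy.yaml:/etc/service-envoy.yaml:ro
    networks:
      envoymesh:
        aliases:
          - service2
    environment:
      - SERVICE_NAME=2
    expose:
      - "80"

networks:
  envoymesh: {}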
其他文件(Dockerfile-frontenvoy、Dockerfile-service、service-envoy.yaml 等)在 https://github.com/envoyproxy/envoy 仓库的 examples/front-proxy 目录中。
访问测试:`https://<宿主机IP>/service/1`(原文的 192.168.69 不是完整的 IPv4 地址)。由于证书 CN 为 ik8s.io 且未配置 SAN,直接用 IP 访问会校验失败;实验时可用 `curl -k https://<宿主机IP>/service/1` 跳过校验,或把 ik8s.io 写入 hosts 后用 `curl --cacert certs/server.crt https://ik8s.io/service/1`。