How to configure SSL for LDAP/OpenDJ while using the Istio service mesh
I have a couple of microservices, and our backend is OpenDJ/LDAP. It has been configured to use SSL. Now we are trying to use Istio as our k8s service mesh. Every other service works fine, but the LDAP server, OpenDJ, does not. My guess is that it's because of the SSL configuration. It's meant to use a self-signed cert.
I have a script that creates a self-signed cert in the istio namespace, and I have tried to use it like this in gateway.yaml:
  - port:
      number: 4444
      name: tcp-admin
      protocol: TCP
    hosts:
    - "*"
    tls:
      mode: SIMPLE # enable https on this port
      credentialName: tls-certificate # fetch cert from k8s secret
I have also tried to use
apiVersion: networking.istio.io/v1alpha3
kind: DestinationRule
metadata:
  name: opendj-istio-mtls
spec:
  host: opendj.{{ .Release.Namespace }}.svc.cluster.local
  trafficPolicy:
    tls:
      mode: ISTIO_MUTUAL
      credentialName: tls-certificate
---
apiVersion: authentication.istio.io/v1alpha1
kind: Policy
metadata:
  name: opendj-receive-tls
spec:
  targets:
  - name: opendj
  peers:
  - mtls: {}
for the LDAP server, but it's not connecting. While trying to use the tls spec in gateway.yaml I am getting this error:
Error: admission webhook "pilot.validation.istio.io" denied the request: configuration is invalid: server cannot have TLS settings for non HTTPS/TLS ports
And the logs from the OpenDJ server:
INFO - entrypoint - 2020-06-17 12:49:44,768 - Configuring OpenDJ.
WARNING - entrypoint - 2020-06-17 12:49:48,987 -
Unable to connect to the server at
"oj-opendj-0.opendj.default.svc.cluster.local" on port 4444
WARNING - entrypoint - 2020-06-17 12:49:53,293 -
Unable to connect to the server at
"oj-opendj-0.opendj.default.svc.cluster.local" on port 4444
Can someone please help me out with how I should approach this?
To enable non-HTTPS traffic over TLS connections you have to use protocol TLS. TLS implies the connection will be routed based on the SNI header to the destination without terminating the TLS connection. You can check this.
  - port:
      number: 4444
      name: tls
      protocol: TLS
    hosts:
    - "*"
    tls:
      mode: SIMPLE # enable https on this port
      credentialName: tls-certificate # fetch cert from k8s secret
Please check this Istio documentation also.
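As an added example (not part of the question or the answer above), here is the complete pair of Istio resources for the SNI-based, non-terminating routing the answer describes: a Gateway server with protocol TLS and tls.mode PASSTHROUGH, plus the VirtualService a TLS server needs to pick the backend from the SNI name. With PASSTHROUGH the gateway holds no certificate, so the client ends up talking to OpenDJ's own self-signed cert end to end. The rejected TCP-plus-tls shape is kept alongside it as a comment for comparison. The namespace istio-system, the resource names, the Service opendj in namespace default, and the SNI name opendj.example.internal are assumptions chosen for the example.

```yaml
# Added example; names below are assumptions, not values from the original post.
apiVersion: networking.istio.io/v1alpha3
kind: Gateway
metadata:
  name: opendj-gateway
  namespace: istio-system
spec:
  selector:
    istio: ingressgateway
  servers:
  # Rejected shape: a tls block on a plain TCP port. The admission webhook
  # answers "server cannot have TLS settings for non HTTPS/TLS ports".
  # - port:
  #     number: 4444
  #     name: tcp-admin
  #     protocol: TCP
  #   hosts:
  #   - "*"
  #   tls:
  #     mode: SIMPLE
  #     credentialName: tls-certificate
  #
  # Accepted shape: protocol TLS. PASSTHROUGH forwards the raw TLS stream
  # unchanged to the backend selected by SNI, so no secret is referenced here.
  - port:
      number: 4444
      name: tls-admin
      protocol: TLS
    hosts:
    - "opendj.example.internal"   # assumed SNI name the clients present
    tls:
      mode: PASSTHROUGH
---
# A TLS server on a Gateway does nothing until a VirtualService maps the
# SNI name to a destination; this one sends the stream to the OpenDJ
# Service on its admin port without touching the TLS session.
apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
  name: opendj-admin
  namespace: istio-system
spec:
  hosts:
  - "opendj.example.internal"
  gateways:
  - opendj-gateway
  tls:
  - match:
    - port: 4444
      sniHosts:
      - "opendj.example.internal"
    route:
    - destination:
        host: opendj.default.svc.cluster.local   # assumed Service name/namespace
        port:
          number: 4444
```

Two practical checks: `kubectl apply --dry-run=server -f <file>` runs the same pilot.validation.istio.io admission webhook that produced the error in the question, so it shows whether the server block is accepted before anything is changed in the cluster; and because PASSTHROUGH routes purely on SNI, a client that does not send a server name (for example `openssl s_client` without `-servername`) matches nothing and is dropped at the gateway, which is worth ruling out before suspecting the certificate itself.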