Istio Service Mesh TLS Config

I am trying to convert an Istio service mesh running on k8s from http to https but stumbled upon many problems. I don't really understand what all the steps required to do that are.

As I know, there are 2 kinds of traffic that require TLS in a mesh:

  • between internal services: scrambling through the Istio docs let me know that Istio will somehow automatically configure mTLS between services, so all of them will communicate securely without any extra configuration. However, I still don't understand deeply how they implement this mTLS. How does it differ from normal TLS, and what is mTLS's role in the other kind of traffic (client outside to service inside)?

  • from a client outside to a service inside: this is where I don't know what to do. I know that in order for a service to have TLS it needs a TLS certificate from a trusted CA. However, the outer client will not talk directly to the service inside but only through the Istio ingress gateway. Do I need to provide a cert for every service or only for the ingress gateway? All of my services are now exposing port 80 for HTTP. Do I need to convert all of them to port 443 and HTTPS, or is just the ingress gateway enough?

Regarding the certificates, if I just use self-signed certs for now, can I just create a cert and key with openssl and create secrets from them (maybe synced between namespaces with kubed), so that all services use the same cert and key? Everywhere suggests that I use cert-manager. However, I don't know if it is worth the effort?

I would be really thankful if anyone can explain with some illustrations.

In general, if you need a good explanation of the issues related to Istio (also with pictures), I recommend that you check the documentation. You can find around 540 topics related to TLS in Istio.

Istio is a very well documented service. Here you can find more information about Understanding TLS Configuration. You can also find a good article about Mutual TLS Migration.

However I still don't understand deeply how they implement this mTLS, how does it differ from normal TLS and what is mTLS role in the other kind of traffic (client outside to service inside).

Mutual TLS, or mTLS for short, is a method for mutual authentication. mTLS ensures that the parties at each end of a network connection are who they claim to be by verifying that they both have the correct private key. The information within their respective TLS certificates provides additional verification. You can read more about it here. Additionally you can also see the page about HTTP Traffic (mTLS is required for this case).

All of my services are now exposing port 80 for HTTP. Do I need to convert all of them to port 443 and HTTPS or just the ingress gateway is enough?

It is possible to create an Ingress Gateway without TLS Termination:

The Securing Gateways with HTTPS task describes how to configure HTTPS ingress access to an HTTP service. This example describes how to configure HTTPS ingress access to an HTTPS service, i.e., configure an ingress gateway to perform SNI passthrough, instead of TLS termination on incoming requests.

EDIT (added more explanation and documentation links):

A service mesh uses a proxy to intercept all your network traffic, allowing a broad set of application-aware features based on configuration you set.

Istio securely provisions strong identities to every workload with X.509 certificates. Istio agents, running alongside each Envoy proxy, work together with istiod to automate key and certificate rotation at scale. The following diagram shows the identity provisioning flow.

Peer authentication: used for service-to-service authentication to verify the client making the connection. Istio offers mutual TLS as a full stack solution for transport authentication, which can be enabled without requiring service code changes.

Peer authentication modes that are supported: Permissive, Strict, and Disable.

In order to answer this question:

All of my services are now exposing port 80 for HTTP. Do I need to convert all of them to port 443 and HTTPS or just the ingress gateway is enough?

fully, we could have informed the customer that using an Istio Gateway can expose services from the Istio service mesh to the outside using plain HTTP, with TLS termination or in PASSTHROUGH TLS mode. Incoming TLS termination could be improved (using a TLS certificate approved by a trusted CA or using cert-manager with Istio Gateway). You can read more about this topic here.
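The setup the answer describes, as an added example that is not part of the original post: mesh-wide STRICT peer authentication so sidecars only accept mTLS from each other, an ingress Gateway that terminates TLS with a certificate held in a Kubernetes TLS secret, and a VirtualService that routes the decrypted requests to the service's existing plaintext port 80. The names `example-cert`, `example-gateway`, `example-app` and the host `app.example.com` are assumed placeholders.

```yaml
# Mesh-wide mTLS: placing the PeerAuthentication in the root namespace
# (istio-system) applies it to every workload; STRICT rejects plaintext peers.
apiVersion: security.istio.io/v1beta1
kind: PeerAuthentication
metadata:
  name: default
  namespace: istio-system
spec:
  mtls:
    mode: STRICT
---
# Ingress gateway terminating TLS. credentialName refers to a Kubernetes TLS
# secret named "example-cert" (assumed) in istio-system, the namespace of the
# ingress gateway pod; it can be created by cert-manager or kubectl create secret tls.
apiVersion: networking.istio.io/v1beta1
kind: Gateway
metadata:
  name: example-gateway
  namespace: default
spec:
  selector:
    istio: ingressgateway
  servers:
  - port:
      number: 443
      name: https
      protocol: HTTPS
    tls:
      mode: SIMPLE            # terminate TLS here; PASSTHROUGH would instead
      credentialName: example-cert   # forward the raw TLS stream to the service
    hosts:
    - "app.example.com"
---
# Route the decrypted requests to the service's existing port 80. The hop from
# the gateway to the sidecar is upgraded to mTLS automatically, so the service
# itself keeps serving plain HTTP and needs no certificate of its own.
apiVersion: networking.istio.io/v1beta1
kind: VirtualService
metadata:
  name: example-app
  namespace: default
spec:
  hosts:
  - "app.example.com"
  gateways:
  - example-gateway
  http:
  - route:
    - destination:
        host: example-app.default.svc.cluster.local
        port:
          number: 80
```

Only the gateway needs a CA-issued certificate under this layout; the workload certificates used for mTLS are issued and rotated by istiod, as described in the answer.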
