Integrating Azure Application Gateway, AGIC and Istio
Was anyone able to integrate the three in the subject to achieve end-to-end TLS? To clarify, I'm talking about TLS between Application Gateway and Istio ingress. There are some threads on StackOverflow and there is an old issue on the AGIC GitHub repo, but I was not able to find any evidence it's really working. If someone has it working, can you share the setup?
According to the Istio documentation, any request to the gateway will have two connections, viz., the client downstream inbound connection to the gateway and the client outbound connection to the destination, as shown in the figure below: -
Thus, in the above scenario, consider the gateway as the Azure application gateway and the Istio ingress as the destination; as a result, both these connections are independent TLS connections.
For TLS connections, there are a few more options:
a) What protocol is encapsulated? If the connection is HTTPS, the server protocol should be configured as HTTPS. Otherwise, for a raw TCP connection encapsulated with TLS, the protocol should be set to TLS.
b) Is the TLS connection terminated or passed through? For passthrough traffic, configure the TLS mode field to PASSTHROUGH: -
```yaml
apiVersion: networking.istio.io/v1beta1
kind: Gateway
...
servers:
- port:
    number: 443
    name: https
    protocol: HTTPS
  tls:
    mode: PASSTHROUGH
```
In this mode, Istio will route based on SNI information and forward the connection as-is to the destination. Mutual TLS can be configured through the TLS mode MUTUAL. When this is configured, a client certificate will be requested and verified against the configured caCertificates or credentialName: -
```yaml
apiVersion: networking.istio.io/v1beta1
kind: Gateway
...
servers:
- port:
    number: 443
    name: https
    protocol: HTTPS
  tls:
    mode: MUTUAL
    caCertificates: ...
```
The only difference is that you should be careful to consider the Gateway settings when configuring this. For example, if the Gateway is configured with TLS PASSTHROUGH while the DestinationRule configures TLS origination, you will end up with double encryption. This works but is often not the desired behavior.
A VirtualService bound to the gateway needs care as well, to ensure it is consistent with the Gateway definition. In this scenario, consider the gateway as an Azure application gateway; in that sense, the TLS settings are configured correctly. For more information, kindly refer to the Istio documentation below: -
https://istio.io/latest/docs/ops/configuration/traffic-management/tls-configuration/
https://istio.io/latest/docs/tasks/traffic-management/ingress/ingress-sni-passthrough/
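The answer above lists three consistency rules that decide whether the Application Gateway to Istio ingress hop actually ends up with one TLS layer: the Gateway server's tls.mode must carry the material that mode needs, the VirtualService bound to that Gateway must route the way the mode implies (SNI-matched tls: rules for PASSTHROUGH, http: rules once TLS is terminated), and PASSTHROUGH combined with TLS origination in a DestinationRule is the double-encryption case. The following script, added here as an example and not code from Istio, AGIC or the answer's author, turns those rules into checks that run over the three manifests. The manifests are constructed inline as Python dicts (the shape a YAML loader returns); the names istio-ingress, app.example.com, ingress-cert and app.default.svc.cluster.local are placeholders.

```python
"""Consistency checks for Istio ingress TLS sitting behind Azure Application Gateway.

Added example for this thread, not code from Istio, AGIC or the answer above. The
manifests are constructed inline as dicts (the shape a YAML loader returns); names
such as istio-ingress, app.example.com and ingress-cert are placeholders.
"""

# Gateway tls.mode values that terminate TLS at the ingress (decrypted HTTP inside the mesh).
TERMINATING_MODES = {"SIMPLE", "MUTUAL", "OPTIONAL_MUTUAL", "ISTIO_MUTUAL"}
# DestinationRule tls.mode values that originate a new TLS connection towards the backend.
ORIGINATING_MODES = {"SIMPLE", "MUTUAL", "ISTIO_MUTUAL"}


def server_modes(gateway):
    """Map each server port of the Gateway to its tls.mode (None = plaintext server)."""
    modes = {}
    for server in gateway["spec"].get("servers", []):
        tls = server.get("tls")
        modes[server["port"]["number"]] = tls.get("mode", "SIMPLE") if tls else None
    return modes


def check_gateway(gateway):
    """Every HTTPS/TLS server needs a tls block, and every mode needs its key material."""
    findings = []
    for server in gateway["spec"].get("servers", []):
        port, tls = server["port"], server.get("tls")
        label = f"Gateway {gateway['metadata']['name']} port {port['number']}"
        if port.get("protocol", "").upper() in ("HTTPS", "TLS") and tls is None:
            findings.append(f"{label}: protocol {port['protocol']} without a tls block")
        if tls is None:
            continue
        mode = tls.get("mode", "SIMPLE")
        has_cert = bool(tls.get("credentialName") or (tls.get("serverCertificate") and tls.get("privateKey")))
        if mode in ("SIMPLE", "MUTUAL", "OPTIONAL_MUTUAL") and not has_cert:
            findings.append(f"{label}: mode {mode} terminates TLS but has no server certificate")
        if mode in ("MUTUAL", "OPTIONAL_MUTUAL") and not (tls.get("caCertificates") or tls.get("credentialName")):
            findings.append(f"{label}: mode {mode} needs caCertificates or credentialName")
    return findings


def check_routes(gateway, virtual_service):
    """PASSTHROUGH servers need SNI-matched tls: routes; terminating servers need http: routes."""
    findings = []
    gw_name, spec = gateway["metadata"]["name"], virtual_service["spec"]
    if gw_name not in spec.get("gateways", []):
        return findings  # not bound to this Gateway, nothing to compare
    modes = set(server_modes(gateway).values())
    label = f"VirtualService {virtual_service['metadata']['name']}"
    if "PASSTHROUGH" in modes:
        if not spec.get("tls"):
            findings.append(f"{label}: {gw_name} passes TLS through, so tls: routes are required")
        for rule in spec.get("tls", []):
            matches = rule.get("match", [])
            if not matches or not all(m.get("sniHosts") for m in matches):
                findings.append(f"{label}: every tls: rule must match on sniHosts")
    if modes & TERMINATING_MODES and not spec.get("http"):
        findings.append(f"{label}: {gw_name} terminates TLS, so http: routes are required")
    return findings


def check_double_encryption(gateway, virtual_service, destination_rules):
    """The answer's caveat: PASSTHROUGH plus DestinationRule TLS origination encrypts twice."""
    findings = []
    if "PASSTHROUGH" not in server_modes(gateway).values():
        return findings
    dr_modes = {dr["spec"]["host"]: dr["spec"].get("trafficPolicy", {}).get("tls", {}).get("mode")
                for dr in destination_rules}
    for rule in virtual_service["spec"].get("tls", []):
        for route in rule.get("route", []):
            host = route["destination"]["host"]
            if dr_modes.get(host) in ORIGINATING_MODES:
                findings.append(f"{host}: Gateway PASSTHROUGH plus DestinationRule tls.mode "
                                f"{dr_modes[host]} is double encryption")
    return findings


def run_checks(gateway, virtual_service, destination_rules=()):
    return (check_gateway(gateway) + check_routes(gateway, virtual_service)
            + check_double_encryption(gateway, virtual_service, list(destination_rules)))


# Constructed sample 1: Application Gateway re-encrypts to the ingress, which terminates TLS.
SERVER_443 = {"number": 443, "name": "https", "protocol": "HTTPS"}
GATEWAY_TERMINATING = {"kind": "Gateway", "metadata": {"name": "istio-ingress"}, "spec": {"servers": [
    {"port": SERVER_443, "hosts": ["app.example.com"], "tls": {"mode": "SIMPLE", "credentialName": "ingress-cert"}}]}}
VS_TERMINATING = {"kind": "VirtualService", "metadata": {"name": "app"}, "spec": {
    "hosts": ["app.example.com"], "gateways": ["istio-ingress"],
    "http": [{"route": [{"destination": {"host": "app.default.svc.cluster.local"}}]}]}}
# Constructed sample 2: PASSTHROUGH at the ingress with SNI routing, plus a DestinationRule
# that originates TLS again towards the backend (the double-encryption case).
GATEWAY_PASSTHROUGH = {"kind": "Gateway", "metadata": {"name": "istio-ingress"}, "spec": {"servers": [
    {"port": SERVER_443, "hosts": ["app.example.com"], "tls": {"mode": "PASSTHROUGH"}}]}}
VS_PASSTHROUGH = {"kind": "VirtualService", "metadata": {"name": "app"}, "spec": {
    "hosts": ["app.example.com"], "gateways": ["istio-ingress"],
    "tls": [{"match": [{"port": 443, "sniHosts": ["app.example.com"]}],
             "route": [{"destination": {"host": "app.default.svc.cluster.local"}}]}]}}
DR_ORIGINATE = {"kind": "DestinationRule", "metadata": {"name": "app"}, "spec": {
    "host": "app.default.svc.cluster.local", "trafficPolicy": {"tls": {"mode": "SIMPLE"}}}}

if __name__ == "__main__":
    print("terminating:", run_checks(GATEWAY_TERMINATING, VS_TERMINATING) or "ok")
    print("passthrough:", run_checks(GATEWAY_PASSTHROUGH, VS_PASSTHROUGH, [DR_ORIGINATE]) or "ok")
```

Sample 1 is the shape that matches the question: Application Gateway's backend setting speaks HTTPS to the ingress, and the Istio Gateway terminates that hop with SIMPLE (or MUTUAL, if Application Gateway is to present a client certificate), so the VirtualService routes plain http: rules. Sample 2 reports the double-encryption finding the answer warns about; dropping the DestinationRule's tls block makes it clean, and binding a PASSTHROUGH-style VirtualService to the terminating Gateway instead surfaces the routing mismatch. To run the same checks against real manifests, load each YAML document with a YAML parser and pass the resulting dicts to run_checks.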