
Istio with SDS and Mutual TLS: upstream connect error or disconnect/reset before headers. reset reason: connection failure

I am trying to set up a cluster with Istio where SSL traffic is terminated at the ingress. I have deployed Istio with SDS and Mutual TLS. With the yaml below, all I get when accessing the cluster in the browser is the error message "upstream connect error or disconnect/reset before headers. reset reason: connection failure".

apiVersion: networking.istio.io/v1alpha3
kind: Gateway
metadata:
  name: default-gateway
  namespace: istio-system
spec:
  selector:
    istio: ingressgateway
  servers:
  - hosts:
    - '*'
    port:
      name: http
      number: 80
      protocol: HTTP
---
apiVersion: v1
kind: Pod
metadata:
  creationTimestamp: null
  labels:
    run: nginx1
  name: nginx1
spec:
  containers:
  - image: nginx
    name: nginx
    resources: {}
    ports:
    - containerPort: 80
  dnsPolicy: ClusterFirst
  restartPolicy: Never
status: {}
---
apiVersion: v1
kind: Service
metadata:
  labels:
    run: nginx1
  name: nginx1
spec:
  ports:
  - port: 80
    protocol: TCP
    targetPort: 80
  selector:
    run: nginx1
  sessionAffinity: None
  type: ClusterIP
status:
  loadBalancer: {}
---
apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
  name: nginx1
spec:
  hosts:
  - "*"
  gateways:
  - istio-system/default-gateway
  http:
  - match:
    - uri:
        prefix: /nginx1
    route:
    - destination:
        port:
          number: 80
        host: nginx1.default.svc.cluster.local

The ingressgateway log shows the following TLS error:

[2019-07-09 09:07:24.907][29][debug][pool] [external/envoy/source/common/http/http1/conn_pool.cc:88] creating a new connection
[2019-07-09 09:07:24.907][29][debug][client] [external/envoy/source/common/http/codec_client.cc:26] [C4759] connecting
[2019-07-09 09:07:24.907][29][debug][connection] [external/envoy/source/common/network/connection_impl.cc:702] [C4759] connecting to 100.200.1.59:80
[2019-07-09 09:07:24.907][29][debug][connection] [external/envoy/source/common/network/connection_impl.cc:711] [C4759] connection in progress
[2019-07-09 09:07:24.907][29][debug][pool] [external/envoy/source/common/http/conn_pool_base.cc:20] queueing request due to no available connections
[2019-07-09 09:07:24.907][29][debug][connection] [external/envoy/source/common/network/connection_impl.cc:550] [C4759] connected
[2019-07-09 09:07:24.907][29][debug][connection] [external/envoy/source/extensions/transport_sockets/tls/ssl_socket.cc:168] [C4759] handshake error: 2
[2019-07-09 09:07:24.907][29][debug][connection] [external/envoy/source/extensions/transport_sockets/tls/ssl_socket.cc:168] [C4759] handshake error: 1
[2019-07-09 09:07:24.907][29][debug][connection] [external/envoy/source/extensions/transport_sockets/tls/ssl_socket.cc:201] [C4759] TLS error: 268435703:SSL routines:OPENSSL_internal:WRONG_VERSION_NUMBER
[2019-07-09 09:07:24.907][29][debug][connection] [external/envoy/source/common/network/connection_impl.cc:188] [C4759] closing socket: 0
[2019-07-09 09:07:24.907][29][debug][client] [external/envoy/source/common/http/codec_client.cc:82] [C4759] disconnect. resetting 0 pending requests
[2019-07-09 09:07:24.907][29][debug][pool] [external/envoy/source/common/http/http1/conn_pool.cc:129] [C4759] client disconnected, failure reason: TLS error: 268435703:SSL routines:OPENSSL_internal:WRONG_VERSION_NUMBER
[2019-07-09 09:07:24.907][29][debug][pool] [external/envoy/source/common/http/http1/conn_pool.cc:164] [C4759] purge pending, failure reason: TLS error: 268435703:SSL routines:OPENSSL_internal:WRONG_VERSION_NUMBER
[2019-07-09 09:07:24.907][29][debug][router] [external/envoy/source/common/router/router.cc:671] [C4753][S3527573287149425977] upstream reset: reset reason connection failure
[2019-07-09 09:07:24.907][29][debug][http] [external/envoy/source/common/http/conn_manager_impl.cc:1137] [C4753][S3527573287149425977] Sending local reply with details upstream_reset_before_response_started{connection failure,TLS error: 268435703:SSL routines:OPENSSL_internal:WRONG_VERSION_NUMBER}

From reading this blog, I think I may need to add

  - hosts:
    - '*'
    port:
      name: https
      number: 443
      protocol: HTTPS
    tls:
      mode: SIMPLE
      serverCertificate: /etc/istio/ingressgateway-certs/tls.crt
      privateKey: /etc/istio/ingressgateway-certs/tls.key

to the ingressgateway configuration. However, this does not solve the problem. Also, since I am using SDS, there will not be any files generated in ingressgateway-certs (see https://istio.io/docs/tasks/security/auth-sds/#verifying-no-secret-volume-mounted-file-generated), as described in https://istio.io/docs/tasks/traffic-management/ingress/secure-ingress-mount/

Can anyone point me to the correct configuration? Most of what I find online refers to the "old" file-mount method.

You may have to specify the minimum or maximum TLS version. These options are documented as minProtocolVersion and maxProtocolVersion:

https://istio.io/docs/reference/config/networking/v1alpha3/gateway/#Server-TLSOptions

Under the hood, these values map to the following Envoy parameters:

https://www.envoyproxy.io/docs/envoy/latest/api-v2/api/v2/auth/cert.proto#auth-tlsparameters

The problem was resolved by not using istio-cni. See https://github.com/istio/istio/issues/15701
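The Envoy debug lines quoted in the question, run through a small triage script. This is an added example, not code from the question or from either answer: it groups the lines by Envoy connection id, extracts the upstream address, the TLS failure and the reset reason, and turns a WRONG_VERSION_NUMBER failure into a plain-language hint. The reading in diagnose() is the usual meaning of that OpenSSL error (the first bytes received were not a TLS record, so the peer answered in plaintext while the gateway was starting an mTLS handshake), which matches the istio-cni cause found above: inbound traffic on the nginx pod was not being redirected through its sidecar.

```python
import re
from typing import Dict

# Sample input: the ingressgateway debug lines quoted in the question.
SAMPLE_LOG = """\
[2019-07-09 09:07:24.907][29][debug][pool] [external/envoy/source/common/http/http1/conn_pool.cc:88] creating a new connection
[2019-07-09 09:07:24.907][29][debug][client] [external/envoy/source/common/http/codec_client.cc:26] [C4759] connecting
[2019-07-09 09:07:24.907][29][debug][connection] [external/envoy/source/common/network/connection_impl.cc:702] [C4759] connecting to 100.200.1.59:80
[2019-07-09 09:07:24.907][29][debug][connection] [external/envoy/source/common/network/connection_impl.cc:711] [C4759] connection in progress
[2019-07-09 09:07:24.907][29][debug][pool] [external/envoy/source/common/http/conn_pool_base.cc:20] queueing request due to no available connections
[2019-07-09 09:07:24.907][29][debug][connection] [external/envoy/source/common/network/connection_impl.cc:550] [C4759] connected
[2019-07-09 09:07:24.907][29][debug][connection] [external/envoy/source/extensions/transport_sockets/tls/ssl_socket.cc:168] [C4759] handshake error: 2
[2019-07-09 09:07:24.907][29][debug][connection] [external/envoy/source/extensions/transport_sockets/tls/ssl_socket.cc:201] [C4759] TLS error: 268435703:SSL routines:OPENSSL_internal:WRONG_VERSION_NUMBER
[2019-07-09 09:07:24.907][29][debug][connection] [external/envoy/source/common/network/connection_impl.cc:188] [C4759] closing socket: 0
[2019-07-09 09:07:24.907][29][debug][client] [external/envoy/source/common/http/codec_client.cc:82] [C4759] disconnect. resetting 0 pending requests
[2019-07-09 09:07:24.907][29][debug][router] [external/envoy/source/common/router/router.cc:671] [C4753][S3527573287149425977] upstream reset: reset reason connection failure
"""

# One Envoy log line: [timestamp][thread][level][logger] [source:line] message
PREFIX_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\]\[\d+\]\[(?P<level>\w+)\]\[(?P<logger>\w+)\] "
    r"\[[^\]]+\] (?P<msg>.*)$"
)
CONN_RE = re.compile(r"^\[(C\d+)\]")                 # message starts with a connection id
UPSTREAM_RE = re.compile(r"connecting to (\S+)$")
TLS_ERR_RE = re.compile(r"TLS error: \d+:(?P<detail>.+)$")
RESET_RE = re.compile(r"upstream reset: reset reason (.+)$")


def summarize_connections(log_text: str) -> Dict[str, Dict[str, str]]:
    """Group Envoy debug lines by connection id and keep the facts that matter
    for triage: upstream address, TLS failure detail, reset reason."""
    conns: Dict[str, Dict[str, str]] = {}
    for line in log_text.splitlines():
        m = PREFIX_RE.match(line)
        if not m:
            continue
        msg = m.group("msg")
        cm = CONN_RE.match(msg)
        if not cm:
            continue  # pool-level lines carry no connection id
        rec = conns.setdefault(cm.group(1), {})
        if (u := UPSTREAM_RE.search(msg)):
            rec["upstream"] = u.group(1)
        if (t := TLS_ERR_RE.search(msg)):
            rec["tls_error"] = t.group("detail")
        if (r := RESET_RE.search(msg)):
            rec["reset_reason"] = r.group(1)
        if "closing socket" in msg:
            rec["closed"] = "yes"
    return conns


def diagnose(conns: Dict[str, Dict[str, str]]) -> Dict[str, str]:
    """Turn the per-connection facts into a one-line hint each."""
    hints: Dict[str, str] = {}
    for cid, rec in conns.items():
        peer = rec.get("upstream", "<unknown peer>")
        err = rec.get("tls_error", "")
        if "WRONG_VERSION_NUMBER" in err:
            # OpenSSL raises this when the bytes read are not a TLS record: the
            # gateway started a (mutual) TLS handshake but the peer replied in
            # plaintext. With Istio mTLS that usually means the pod's inbound
            # traffic is not redirected through its sidecar, so the gateway is
            # talking straight to the bare application port.
            hints[cid] = (
                f"{peer} answered with plaintext instead of TLS; check that "
                "inbound traffic on that pod is actually intercepted by the sidecar"
            )
        elif err:
            hints[cid] = f"TLS handshake with {peer} failed: {err}"
        elif rec.get("reset_reason"):
            hints[cid] = f"downstream request reset: {rec['reset_reason']}"
    return hints


if __name__ == "__main__":
    for cid, hint in diagnose(summarize_connections(SAMPLE_LOG)).items():
        print(f"{cid}: {hint}")
```

Note that the failing connection (C4759) is the gateway's outbound connection to the pod, not the browser's connection to the gateway; the Gateway tls options from the earlier answer only govern the latter, so the downstream TLS version settings alone would not change this particular error.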
