Welcome to OGeek Q&A Community for programmer and developer-Open, Learning and Share
Welcome To Ask or Share your Answers For Others

0 votes
422 views
in Technique[技术] by (71.8m points)

nginx - Access both https & http backend service from istio gw without sidecar

I have an on-prem cluster. Some backend services are running on HTTP, some are running on HTTPS. As of now, I do not have the Istio sidecar configured.

Calls to the HTTP backend are working, but with the HTTPS backend it is giving a 503 error.

Gateway:

apiVersion: networking.istio.io/v1beta1
kind: Gateway
metadata:
  name: istio-gateway
  namespace: istio-system

spec:
  selector:
    istio: ingressgateway
  servers:
  - hosts:
    - '*'
    port:
      name: https
      number: 8443
      protocol: HTTPS
    tls:
      mode: SIMPLE
      privateKey: /etc/istio/ingressgateway-certs/tls.key
      serverCertificate: /etc/istio/ingressgateway-certs/tls.crt
  - hosts:
    - '*'
    port:
      name: http
      number: 80
      protocol: HTTP

Virtual service:

apiVersion: networking.istio.io/v1beta1
kind: VirtualService
metadata:
  name: metalk8s-ui-proxies-https
  namespace: metalk8s-ui
spec:
  gateways:
  - istio-system/istio-gateway
  hosts:
  - '*'
  http:
  - match:
    - uri:
        prefix: /api/kubernetes/
    route:
    - destination:
        host: kubernetes-api-ds
        port:
          number: 443
      weight: 100
  - match:
    - uri:
        prefix: /api/salt/
    route:
    - destination:
        host: salt-api
        port:
          number: 4507
      weight: 100

Destination rule:

apiVersion: networking.istio.io/v1beta1
kind: DestinationRule
metadata:
  name: kubernetes-api-ds
  namespace: metalk8s-ui
spec:
  host: kubernetes-api
  trafficPolicy:
    portLevelSettings:
    - loadBalancer:
        simple: ROUND_ROBIN
      port:
        number: 443
    tls:
      caCertificates: /etc/istio/ingressgateway-certs/tls.crt
      mode: SIMPLE
      privateKey: /etc/istio/ingressgateway-certs/tls.key

Without the destination rule configured, it was giving a 400 error (client sent HTTP request to HTTPS server).

Basically, the backend service works with the nginx ingress. We are trying to replace nginx with Istio. For this particular URI path, the nginx ingress was:

apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  annotations:
    kubernetes.io/ingress.class: nginx-control-plane
    nginx.ingress.kubernetes.io/backend-protocol: HTTPS
    nginx.ingress.kubernetes.io/rewrite-target: /$2
    nginx.ingress.kubernetes.io/use-regex: "true"
  labels:
    app: metalk8s-ui
    app.kubernetes.io/managed-by: salt
    app.kubernetes.io/name: metalk8s-ui
    app.kubernetes.io/part-of: metalk8s
    heritage: salt
    metalk8s.scality.com/version: 2.6.0-dev
  name: metalk8s-ui-proxies-https
  namespace: metalk8s-ui
spec:
  rules:
  - http:
      paths:
      - backend:
          serviceName: kubernetes-api
          servicePort: 443
        path: /api/kubernetes(/|$)(.*)
      - backend:
          serviceName: salt-api
          servicePort: 4507
        path: /api/salt(/|$)(.*)
status:
  loadBalancer:
    ingress:
    - ip: 10.105.58.133

nginx.ingress.kubernetes.io/backend-protocol: HTTPS --> this was the annotation to define the backend protocol.

Could someone please help with how to achieve the same in Istio?

question from:https://stackoverflow.com/questions/65940324/access-both-https-http-backend-service-from-istio-gw-without-sidecar
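
One way to express the nginx `backend-protocol: HTTPS` and `rewrite-target` behaviour as TLS origination at the Istio ingress gateway, shown as an added example that is not the asker's configuration and not a confirmed fix for the 503. It differs from the posted resources in three places: the route points at the Service name `kubernetes-api` from the Ingress, the `tls` block sits inside the port-level setting for 443, and the CA file is the backend's issuer rather than the gateway's own certificate. The CA path and the SAN value are placeholders (assumptions).

```yaml
# Added example; CA path and SAN below are placeholders, not values from the post.
apiVersion: networking.istio.io/v1beta1
kind: VirtualService
metadata:
  name: metalk8s-ui-proxies-https
  namespace: metalk8s-ui
spec:
  gateways:
  - istio-system/istio-gateway
  hosts:
  - '*'
  http:
  - match:
    - uri:
        prefix: /api/kubernetes/
    rewrite:
      uri: /                      # strip the prefix, as rewrite-target did
    route:
    - destination:
        host: kubernetes-api      # Service name from the Ingress backend
        port:
          number: 443
---
apiVersion: networking.istio.io/v1beta1
kind: DestinationRule
metadata:
  name: kubernetes-api-ds
  namespace: metalk8s-ui
spec:
  host: kubernetes-api            # must match the VirtualService destination host
  trafficPolicy:
    portLevelSettings:
    - port:
        number: 443
      loadBalancer:
        simple: ROUND_ROBIN
      tls:                        # port-level settings do not inherit trafficPolicy.tls
        mode: SIMPLE              # one-way TLS: no client key or certificate
        # Placeholder: CA bundle that issued the backend certificate,
        # mounted into the ingress gateway pod.
        caCertificates: /etc/istio/backend-ca/ca.crt
        # Placeholder: a name listed in the backend certificate's SANs.
        subjectAltNames:
        - backend-san.example
```

Destinations without a TLS-enabled DestinationRule keep receiving plaintext HTTP from the gateway, which matches the 400 the question reports for the HTTPS backend. Leaving out `caCertificates` can let the gateway accept whatever certificate the backend presents, so keep the CA and SAN checks when moving off nginx.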


1 Reply

0 votes
by (71.8m points)
Waiting for answers
