# nonk8s
# ServiceEntry reference: https://istio.io/latest/docs/reference/config/networking/service-entry/
# 1. Register the external host istio.io in the mesh service registry.
#    Until it is registered it cannot be used as a VirtualService destination.
---
apiVersion: networking.istio.io/v1beta1
kind: ServiceEntry
metadata:
  name: istio-io-https
spec:
  hosts:
    - istio.io
  # istio.io is outside the mesh; the proxy resolves it through DNS.
  location: MESH_EXTERNAL
  resolution: DNS
  # Only TLS/443 is registered; the plain-HTTP port stays commented out.
  # NOTE(review): if port 80 is ever enabled here it also needs a matching
  # Gateway server and VirtualService route — the egress gateway in this
  # file only handles TLS on 443.
  ports:
    # - number: 80
    #   name: http
    #   protocol: HTTP
    - number: 443
      name: tls
      protocol: TLS
  # NOTE(review): no exportTo is set, so under Istio's default this entry is
  # visible to every namespace. If only this namespace should reach istio.io
  # through the gateway, add `exportTo: ["."]`. Also remember that an egress
  # gateway only constrains traffic that cannot bypass it: pair this file with
  # outboundTrafficPolicy REGISTRY_ONLY and a NetworkPolicy/firewall rule that
  # allows external 443 only from the egress-gateway pods (neither is shown
  # here).
---
# 2. Egress-gateway server for host istio.io (TLS on 443).
apiVersion: networking.istio.io/v1beta1
kind: Gateway
metadata:
  name: egress-istio-io-https
spec:
  # Attach this server to the pods labelled istio=egressgateway.
  selector:
    istio: egressgateway
  servers:
    - hosts:
        # NOTE(review): an unqualified host is treated by Istio as "*/istio.io",
        # i.e. a VirtualService from any namespace may bind to this server.
        # Qualify it as "./istio.io" (or "<ns>/istio.io") if only this
        # namespace should be able to route through the gateway.
        - istio.io
      port:
        # Must be one of the ports the egress-gateway Service already exposes;
        # a wrong number shows up in the application as 404/503.
        number: 443
        name: tls
        protocol: TLS
      tls:
        # The client's TLS session is passed through untouched: the gateway does
        # not terminate TLS, so it can route only on SNI and cannot inspect or
        # authorize the request at L7. Validating istio.io's certificate stays
        # with the originating workload, not with the mesh.
        mode: PASSTHROUGH
---
# 3. Route istio.io traffic in two hops: sidecar -> egress gateway -> istio.io.
apiVersion: networking.istio.io/v1beta1
kind: VirtualService
metadata:
  name: egressgateway-proxy-https-istio-io
spec:
  hosts:
    - istio.io
  # Both hops live on one VirtualService: "mesh" covers the sidecars, the
  # second entry is the Gateway defined above.
  gateways:
    - mesh
    - egress-istio-io-https
  # TLS routes match on SNI, the only field visible on a passed-through TLS
  # session. NOTE(review): SNI is client-supplied and unauthenticated — these
  # matches decide *where* a connection is sent, not *who* may open it. If the
  # set of callers must be restricted, add an AuthorizationPolicy on the
  # egress gateway (not included here).
  tls:
    # Hop 1: matched at the sidecar, sent to the egress-gateway Service.
    - match:
        - gateways:
            - mesh
          port: 443
          sniHosts:
            - istio.io
      route:
        - destination:
            host: istio-egressgateway.istio-system.svc.cluster.local
            # NOTE(review): kept explicit on purpose. Istio only lets the port
            # be omitted when the target Service exposes a single port, and an
            # egress-gateway Service usually exposes several, so omitting it
            # is not reliable.
            port:
              number: 443
    # Hop 2: matched at the gateway, forwarded to the external host.
    - match:
        - gateways:
            - egress-istio-io-https
          port: 443
          sniHosts:
            - istio.io
      route:
        - destination:
            host: istio.io
            port:
              number: 443