How can I use custom client certificate for extern

2019-08-17 17:07发布

站内问答 / Kubernetes
824 2 5

I need to setup mutual tls communication from kubernetes pod to external service. My system is running with istio system.

I found reference about this.

https://istio.io/docs/reference/config/networking/v1alpha3/destination-rule/#TLSSettings

apiVersion: networking.istio.io/v1alpha3
kind: DestinationRule
metadata:
  name: external-mtls
spec:
  host: *.external.com
  trafficPolicy:
    tls:
      mode: MUTUAL
      clientCertificate: /etc/certs/myclientcert.pem
      privateKey: /etc/certs/client_private_key.pem
      caCertificates: /etc/certs/rootcacerts.pem

According to this document, All I need to do is set mode MUTUAL (not ISTIO_MUTUAL) and set certificate files. As you can see, clientCertificate, privateKey, caCertificates is local file path.

I think they should be in envoy proxy's disk. But I couldn't find a way to put my certificate files into envoy proxy's volume.

How can I do that?

2条回答
We Are One
2楼-- · 2019-08-17 18:01

I found solution.

  1. create secret or config map
kubectl create secret generic my-cert --from-file=cert1.crt --from-file=cert2.crt
  1. annotate pod or deployment with sidecar.istio.io/userVolumeMount, sidecar.istio.io/userVolume
annotations:                                                                                       
  sidecar.istio.io/userVolumeMount: '[{"name":"my-cert", "mountPath":"/etc/my-cert", "readonly":true}]'
  sidecar.istio.io/userVolume: '[{"name":"my-cert", "secret":{"secretName":"my-cert"}}]'

Done. It's mounted to envoy proxy pod.

查看更多
0人赞 添加讨论(0) 举报
该账号已被封号
3楼-- · 2019-08-17 18:02

You can run istioctl kube-inject -f your-deployment.yaml > your-deployment-with-istio-sidecar.yaml.

Then edit your-deployment-with-istio-sidecar.yaml and add mounting of the certificates from some secretes. Then create the secrets from your certificates.

Alternatively, create your sidecar injection template, see https://istio.io/blog/2019/data-plane-setup/#manual-injection.

Example of creating secrets for certificates: https://istio.io/docs/tasks/traffic-management/egress/egress-gateway-tls-origination/#redeploy-the-egress-gateway-with-the-client-certificates

Mounting volumes from secretes described here https://kubernetes.io/docs/concepts/configuration/secret/#using-secrets-as-files-from-a-pod

查看更多
0人赞 添加讨论(0) 举报
登录 后发表回答
相关问题
查看全部
相关文章
查看全部
收藏的人(5)