本文发布于Cylon的收藏册,转载请著名原文链接~
方案架构
本次实例与官方Envoy front_proxy Example相似,首先会有一个Envoy单独运行。ingress的工作是给其他地方提供一个入口。来自外部的传入连接请求到这里,前端代理将会决定他们在内部的转发路径。
图源自Envoy官网文档 front_proxy
生成证书
openssl req -nodes -new -x509 -keyout certs/server.key -out certs/server.crt -days 365 -subj "/C=CN/ST=Guangdong/L=Guangzhou/O=studyenvoy/OU=studyenvoy/CN=*.studyenvoy.cn"
envoy配置说明
v3 api中envoy去掉了tls_context的配置,配置tls首先需要熟悉envoy的如下两个术语
- Downstream:下游主机连接到 Envoy,发送请求并或获得响应。
- Upstream:上游主机获取来自 Envoy 的链接请求和响应。
本次使用的是ingress的代理,需要配置的即为 Downstream
v3api中使用的是transport_socket,transport_socket为 listeners 当中某一个 filter_chains 中上线文中的配置。
transport_socket 官方说明为:
(config.core.v3.TransportSocket) Optional custom transport socket implementation to use for downstream connections. To setup TLS, set a transport socket with name tls and DownstreamTlsContext in the typed_config. If no transport socket configuration is specified, new connections will be set up with plaintext.
查看官网的transport_socket配置说明
这里使用的类型为DownstreamTlsContext
transport_socket: # 设置tls
name: envoy.transport_sockets.tls # 定义名称,不能为空
typed_config: # 实现配置的类型
"@type": type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.DownstreamTlsContext
common_tls_context: # 设置tls上下文
tls_certificates:
certificate_chain: # 公钥设置 必须设置为,filename,inline_bytes
filename: "/etc/envoy/certs/server.crt"
private_key: # 私钥设置 必须设置为,filename,inline_bytes
filename: "/etc/envoy/certs/server.key"
准备envoy和后端服务运行环境
envoy配置文件
admin:
access_log_path: /dev/null
address:
socket_address: { address: 0.0.0.0, port_value: 9901 }
static_resources:
listeners:
- name: listeners_http
address:
socket_address: { address: 0.0.0.0, port_value: 80 }
filter_chains:
- filters:
- name: envoy.http_connenttion_manager
typed_config:
"@type": type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager
stat_prefix: ingress_http
codec_type: AUTO
route_config:
name: local_route
virtual_hosts:
- name: local_service
domains: [ "*" ]
routes:
- match: { prefix: "/" }
redirect:
path_redirect: "/"
https_redirect: true
http_filters:
- name: envoy.router
- name: listener_https
address:
socket_address: { address: 0.0.0.0, port_value: 443 }
filter_chains:
- filters:
- name: envoy.http_connection_manager
typed_config:
"@type": type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager
stat_prefix: ingress_http
codec_type: AUTO
route_config:
name: local_route
virtual_hosts:
- name: local_service
domains: [ "*" ]
routes:
- match: { prefix: "/" }
route: { cluster: local_service }
http_filters:
- name: envoy.router
transport_socket:
name: envoy.transport_sockets.tls
typed_config:
"@type": type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.DownstreamTlsContext
common_tls_context:
tls_certificates:
certificate_chain:
filename: "/etc/envoy/certs/server.crt"
private_key:
filename: "/etc/envoy/certs/server.key"
clusters:
- name: local_service
connect_timeout: 0.25s
type: STRICT_DNS
lb_policy: ROUND_ROBIN
load_assignment:
cluster_name: local_service
endpoints:
- lb_endpoints:
- endpoint:
address:
socket_address: { address: webservice, port_value: 90 }
docker-compose文件示例
version: '3'
services:
envoy:
image: envoyproxy/envoy-alpine:v1.15-latest
environment:
- ENVOY_UID=0
ports:
- 80:80
- 443:443
- 82:9901
volumes:
- ./envoy.yaml:/etc/envoy/envoy.yaml
- ./certs:/etc/envoy/certs
networks:
envoymesh:
aliases:
- envoy
depends_on:
- webserver
webserver:
image: cylonchau/envoy-end:latest
environment:
- COLORFUL=blue
networks:
envoymesh:
aliases:
- myservice
- webservice
expose:
- 90
networks:
envoymesh: {}
容器启动正常
证书使用者也为生成证书的信息一致
本文发布于Cylon的收藏册,转载请著名原文链接~
链接:https://www.oomkill.com/2020/09/envoy-v3-api-tls/
版权:本作品采用「署名-非商业性使用-相同方式共享 4.0 国际」 许可协议进行许可。