
Problem with the example for configuring your own certificate in istio-proxy #341

Open
huangweikuna opened this issue Dec 29, 2020 · 1 comment

Comments

@huangweikuna

I am configuring my own certificate in istio-proxy. The approach is to mount the certificate into istio-proxy and then configure it with a DestinationRule, just like in the example. But the connection never succeeds?
Below are the steps I took and some background:

First, mount the certificates into the client and the server.

Server

kubectl exec $(kubectl get pod -l app=mongo-client -o jsonpath={.items..metadata.name} -n mongo) -n mongo -c istio-proxy -- ls /pem
# output:
ca.pem
client.key
client.pem

Client

kubectl exec $(kubectl get pod -l app=mongo -o jsonpath={.items..metadata.name} -n mongo) -n mongo -- ls /pem
# output:
ca.pem
server.pem

As you can see, the certificates have been mounted into the application container and the proxy container respectively.

Then configure the rule.
DestinationRule:

apiVersion: networking.istio.io/v1alpha3
kind: DestinationRule
metadata:
  namespace: mongo
  name: db-mtls
spec:
  host: "*.mongo.svc.cluster.local"
  trafficPolicy:
    tls:
      mode: MUTUAL
      clientCertificate: /pem/client.pem
      privateKey: /pem/client.key
      caCertificates: /pem/ca.pem

Then access the server outside the mesh from a client inside the mesh:

kubectl exec  "$(kubectl get pod -l app=mongo-client -n mongo -o jsonpath={.items..metadata.name})" -n mongo  -- mongo --host mongo

Output:

Defaulting container name to mongo-client.
Use 'kubectl describe pod/mongo-client-6d478988-jlxkj -n mongo' to see all of the containers in this pod.
MongoDB shell version v4.2.11
connecting to: mongodb://mongo:27017/?compressors=disabled&gssapiServiceName=mongodb
2020-12-28T09:45:47.247+0000 I  NETWORK  [js] DBClientConnection failed to receive message from mongo:27017 - HostUnreachable: Connection reset by peer
2020-12-28T09:45:47.247+0000 E  QUERY    [js] Error: network error while attempting to run command 'isMaster' on host 'mongo:27017'  :
connect@src/mongo/shell/mongo.js:353:17
@(connect):2:6
2020-12-28T09:45:47.249+0000 F  -        [main] exception: connect failed
2020-12-28T09:45:47.249+0000 E  -        [main] exiting with code 1
command terminated with exit code 1

The istio-proxy log then shows:

2020-12-29T01:29:38.567791Z	info	sds	resource:file-cert:/pem/client.pem~/pem/client.key new connection
2020-12-29T01:29:38.567963Z	info	sds	Skipping waiting for gateway secret
2020-12-29T01:29:38.568199Z	error	cache	failed to extract expiration time in the certificate loaded from file: failed to parse certificate: asn1: structure error: tags don't match (16 vs {class:0 tag:2 length:1 isCompound:false}) {optional:false explicit:false application:false private:false defaultValue:<nil> tag:<nil> stringType:0 timeType:0 set:false omitEmpty:false} tbsCertificate @2
2020-12-29T01:29:38.568252Z	error	cache	resource:file-cert:/pem/client.pem~/pem/client.key failed to generate secret for proxy from file: failed to extract expiration time in the certificate loaded from file: failed to parse certificate: asn1: structure error: tags don't match (16 vs {class:0 tag:2 length:1 isCompound:false}) {optional:false explicit:false application:false private:false defaultValue:<nil> tag:<nil> stringType:0 timeType:0 set:false omitEmpty:false} tbsCertificate @2
2020-12-29T01:29:38.568267Z	error	sds	resource:file-cert:/pem/client.pem~/pem/client.key Close connection. Failed to get secret for proxy "sidecar~10.1.0.84~mongo-client-6d478988-jlxkj.mongo~mongo.svc.cluster.local" from secret cache: failed to extract expiration time in the certificate loaded from file: failed to parse certificate: asn1: structure error: tags don't match (16 vs {class:0 tag:2 length:1 isCompound:false}) {optional:false explicit:false application:false private:false defaultValue:<nil> tag:<nil> stringType:0 timeType:0 set:false omitEmpty:false} tbsCertificate @2
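The SDS error quoted above comes from Go's encoding/asn1: while decoding `tbsCertificate` it expected a SEQUENCE (tag 16) but found an INTEGER of length 1 (tag 2). That is the shape of the leading `version` field of a PKCS#1 or PKCS#8 private key, not of an X.509 certificate, so the first thing to verify is what each mounted PEM file actually contains before the DestinationRule points the proxy at it. The following script is an added example, not code from this issue or from Istio: it walks the outer DER structure of every PEM block in a file and reports whether the block is certificate-shaped or private-key-shaped for the `clientCertificate`, `privateKey` and `caCertificates` roles. The DER blobs embedded at the bottom are constructed stand-ins with only the structural prefix Istio's parser trips over; they are not real keys or certificates.

```python
import base64
import re

# One PEM block: label in the BEGIN line, base64 body, matching END line.
PEM_RE = re.compile(
    r"-----BEGIN ([A-Z0-9 ]+)-----\s*(.*?)\s*-----END \1-----", re.S)


def der_tlv(buf, off):
    """Return (tag, length, header_size) of the DER element at buf[off]."""
    if off + 1 >= len(buf):
        raise ValueError("truncated DER element")
    tag = buf[off]
    first = buf[off + 1]
    if first < 0x80:                      # short-form length
        return tag, first, 2
    nbytes = first & 0x7F                 # long-form length: next nbytes hold it
    if nbytes == 0 or off + 2 + nbytes > len(buf):
        raise ValueError("bad DER long-form length")
    length = int.from_bytes(buf[off + 2:off + 2 + nbytes], "big")
    return tag, length, 2 + nbytes


def der_shape(der):
    """Classify a DER blob by its outer tag and the tag of its first child.

    Certificate ::= SEQUENCE { tbsCertificate SEQUENCE, ... }   -> child tag 0x30
    RSAPrivateKey / PrivateKeyInfo ::= SEQUENCE { version INTEGER, ... } -> child tag 0x02
    The Istio log above is exactly the second case being read where the first was expected.
    """
    tag, _, hdr = der_tlv(der, 0)
    if tag != 0x30:
        return "not-a-sequence"
    inner_tag, _, _ = der_tlv(der, hdr)
    if inner_tag == 0x30:
        return "certificate-shaped"
    if inner_tag == 0x02:
        return "private-key-shaped"
    return "unknown"


def classify_pem(text):
    """Return [{'label': ..., 'shape': ...}] for every PEM block in the text."""
    blocks = []
    for label, body in PEM_RE.findall(text):
        der = base64.b64decode("".join(body.split()))
        blocks.append({"label": label, "shape": der_shape(der)})
    return blocks


# What each DestinationRule tls field must point at.
EXPECTED = {
    "clientCertificate": "certificate-shaped",
    "caCertificates": "certificate-shaped",
    "privateKey": "private-key-shaped",
}


def check_role(text, role):
    """List the problems with using this PEM text for the given tls field ([] means OK)."""
    blocks = classify_pem(text)
    if not blocks:
        return ["no PEM block found (file empty, DER-encoded, or not a PEM file)"]
    want = EXPECTED[role]
    return [
        f"block {i} '{b['label']}' is {b['shape']}, but {role} needs {want}"
        for i, b in enumerate(blocks)
        if b["shape"] != want
    ]


def to_pem(label, der):
    return (f"-----BEGIN {label}-----\n{base64.b64encode(der).decode()}\n"
            f"-----END {label}-----\n")


# Constructed DER prefixes (NOT real credentials): only the outer structure matters here.
FAKE_CERT_DER = b"\x30\x06\x30\x04\x02\x02\x01\x00"   # SEQUENCE { SEQUENCE { INTEGER } }
FAKE_KEY_DER = b"\x30\x03\x02\x01\x00"                # SEQUENCE { INTEGER 0 }  <- "tag:2 length:1"

CLIENT_PEM_OK = to_pem("CERTIFICATE", FAKE_CERT_DER)
# A combined key-then-cert file: the proxy reads the key structure first and fails as in the log.
CLIENT_PEM_BAD = to_pem("RSA PRIVATE KEY", FAKE_KEY_DER) + to_pem("CERTIFICATE", FAKE_CERT_DER)

if __name__ == "__main__":
    for name, text in (("client.pem (ok)", CLIENT_PEM_OK), ("client.pem (bad)", CLIENT_PEM_BAD)):
        print(name, check_role(text, "clientCertificate") or "OK")
```

Run it against the real files with `kubectl exec ... -c istio-proxy -- cat /pem/client.pem` piped into `check_role(..., "clientCertificate")`, and likewise for `/pem/client.key` with `"privateKey"` and `/pem/ca.pem` with `"caCertificates"`; a certificate-shaped key file or a key-shaped certificate file reproduces the `tags don't match (16 vs ... tag:2 length:1)` failure before any traffic is sent.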
@sonnyhcl

Any update?
