Create a new TLS secret
Create a new secret to hold the certificate for xiaotaozi.mobi:
$ kubectl create -n istio-system secret tls istio-ingressgateway-xinchao-mobi-certs --key xiaotaozi.mobi.key --cert xiaotaozi.mobi.pem
secret "istio-ingressgateway-xinchao-mobi-certs" created
Modify the IngressGateway deployment configuration
Method 1: generate the YAML with Helm
Generate the Istio IngressGateway deployment with the Helm-mounted volumes, using the same options that were used to generate istio.yaml:
$ helm template install/kubernetes/helm/istio/ --name istio-ingressgateway --namespace istio-system -x charts/gateways/templates/deployment.yaml --set gateways.istio-egressgateway.enabled=false \
--set gateways.istio-ingressgateway.secretVolumes[0].name=ingressgateway-certs \
--set gateways.istio-ingressgateway.secretVolumes[0].secretName=istio-ingressgateway-certs \
--set gateways.istio-ingressgateway.secretVolumes[0].mountPath=/etc/istio/ingressgateway-certs \
--set gateways.istio-ingressgateway.secretVolumes[1].name=ingressgateway-ca-certs \
--set gateways.istio-ingressgateway.secretVolumes[1].secretName=istio-ingressgateway-ca-certs \
--set gateways.istio-ingressgateway.secretVolumes[1].mountPath=/etc/istio/ingressgateway-ca-certs \
--set gateways.istio-ingressgateway.secretVolumes[2].name=ingressgateway-xinchao-mobi-certs \
--set gateways.istio-ingressgateway.secretVolumes[2].secretName=istio-ingressgateway-xinchao-mobi-certs \
--set gateways.istio-ingressgateway.secretVolumes[2].mountPath=/etc/istio/ingressgateway-xinchao-mobi-certs > \
$HOME/istio-ingressgateway.yaml
Apply istio-ingressgateway.yaml:
$ kubectl apply -f $HOME/istio-ingressgateway.yaml
deployment "istio-ingressgateway" configured
Method 2: edit the istio-ingressgateway deployment by hand
Create a new secret to hold the certificate for xiaotaozi.mobi:
$ kubectl create -n istio-system secret tls istio-ingressgateway-xinchao-mobi-certs --key xiaotaozi.mobi.key --cert xiaotaozi.mobi.pem
secret "istio-ingressgateway-xinchao-mobi-certs" created
Edit the istio-ingressgateway deployment (lines marked with + are the ones to add):
$ kubectl edit deployment/istio-ingressgateway -n istio-system
        volumeMounts:
        - name: istio-certs
          mountPath: /etc/certs
          readOnly: true
        - name: ingressgateway-certs
          mountPath: "/etc/istio/ingressgateway-certs"
          readOnly: true
        - name: ingressgateway-ca-certs
          mountPath: "/etc/istio/ingressgateway-ca-certs"
          readOnly: true
+       - name: ingressgateway-xinchao-mobi-certs
+         mountPath: "/etc/istio/ingressgateway-xinchao-mobi-certs"
+         readOnly: true
      volumes:
      - name: istio-certs
        secret:
          secretName: istio.istio-ingressgateway-service-account
          optional: true
      - name: ingressgateway-certs
        secret:
          secretName: "istio-ingressgateway-certs"
          optional: true
      - name: ingressgateway-ca-certs
        secret:
          secretName: "istio-ingressgateway-ca-certs"
          optional: true
+     - name: ingressgateway-xinchao-mobi-certs
+       secret:
+         secretName: "istio-ingressgateway-xinchao-mobi-certs"
+         optional: true
Verification
Verify that the new certificate has been loaded into the new istio-ingressgateway pod:
$ kubectl exec -it -n istio-system $(kubectl -n istio-system get pods -l istio=ingressgateway -o jsonpath='{.items[0].metadata.name}') -- ls -al /etc/istio/ingressgateway-xinchao-mobi-certs
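As an added example that is not part of the original page, here are a few shell checks worth running around the secret-creation and verification steps above. Before kubectl create secret tls, confirm that the key really belongs to the certificate and that the certificate has not expired: kubectl accepts a mismatched pair without complaint, and the failure only shows up later as a broken TLS handshake at the gateway. After the rollout the same checks apply to what the pod actually mounted; the last function reads only tls.crt out of the pod and compares it against the key held locally, so the private key never leaves the cluster. The mount path, pod label and file names are the ones used on this page; the function names are my own.

```shell
#!/bin/sh
# Added example, not part of the original page. Requires openssl and kubectl.

# Return 0 if private key $2 belongs to certificate $1.
# Both files must parse first; otherwise two failed commands would both hash
# empty input and compare equal.
cert_key_match() {
  openssl x509 -in "$1" -noout >/dev/null 2>&1 || return 1
  openssl pkey -in "$2" -noout >/dev/null 2>&1 || return 1
  c=$(openssl x509 -in "$1" -noout -pubkey | openssl sha256)
  k=$(openssl pkey -in "$2" -pubout | openssl sha256)
  [ "$c" = "$k" ]
}

# Return 0 if certificate $1 has not expired (notAfter is still in the future).
cert_not_expired() {
  openssl x509 -in "$1" -noout -checkend 0 >/dev/null 2>&1
}

# Preflight for "kubectl create secret tls --cert $1 --key $2".
preflight_cert() {
  cert_key_match "$1" "$2" || { echo "key does not match certificate" >&2; return 1; }
  cert_not_expired "$1"    || { echo "certificate has expired" >&2; return 1; }
}

# Check a directory laid out the way the secret is mounted in the pod: the
# Gateway resource references tls.crt and tls.key, which are exactly the keys
# "kubectl create secret tls" writes, so both must exist and belong together.
check_cert_dir() {
  for f in tls.crt tls.key; do
    [ -s "$1/$f" ] || { echo "missing or empty $1/$f" >&2; return 1; }
  done
  preflight_cert "$1/tls.crt" "$1/tls.key"
}

# Verify the running gateway pod mounted the right certificate under mount
# path $1, using the local key $2. Only the public certificate leaves the pod.
check_gateway_mount() {
  tmp=$(mktemp)
  pod=$(kubectl -n istio-system get pods -l istio=ingressgateway \
          -o jsonpath='{.items[0].metadata.name}')
  kubectl -n istio-system exec "$pod" -- cat "$1/tls.crt" > "$tmp" \
    || { rm -f "$tmp"; return 1; }
  preflight_cert "$tmp" "$2"; rc=$?
  rm -f "$tmp"
  return $rc
}

# Usage:
#   preflight_cert xiaotaozi.mobi.pem xiaotaozi.mobi.key
#   check_gateway_mount /etc/istio/ingressgateway-xinchao-mobi-certs xiaotaozi.mobi.key
```

The pod check deliberately compares the mounted certificate against the key you already hold rather than copying tls.key out of the pod; the proxy image need not ship openssl, so the comparison runs on the workstation.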
Use the new certificate in a Gateway:
$ kubectl apply -f - <<EOF
apiVersion: networking.istio.io/v1alpha3
kind: Gateway
metadata:
  name: mygateway
spec:
  selector:
    istio: ingressgateway # use istio default ingress gateway
  servers:
  - port:
      number: 443
      name: https-httpbin
      protocol: HTTPS
    tls:
      mode: SIMPLE
      serverCertificate: /etc/istio/ingressgateway-certs/tls.crt
      privateKey: /etc/istio/ingressgateway-certs/tls.key
    hosts:
    - "httpbin.example.com"
  - port:
      number: 443
      name: https-xinchao-mobi
      protocol: HTTPS
    tls:
      mode: SIMPLE
      serverCertificate: /etc/istio/ingressgateway-xinchao-mobi-certs/tls.crt
      privateKey: /etc/istio/ingressgateway-xinchao-mobi-certs/tls.key
    hosts:
    - "xiaotaozi.xxx.com"
EOF
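An added example, not from the original page: once the Gateway above is applied, both hosts share port 443 and the gateway picks the certificate from the SNI name the client sends, so the useful end-to-end test is to connect once per host with that SNI and confirm that the served certificate actually names the host. The probe below does this with openssl s_client. INGRESS_HOST and the port are assumptions to fill in for your cluster, the host names are the two declared in the Gateway, cert_names_host also accepts a wildcard certificate for the host's parent domain, and the function names are mine.

```shell
#!/bin/sh
# Added example, not part of the original page. Requires openssl.

# Print the DNS names from the subjectAltName of PEM certificate $1, one per line.
cert_dns_names() {
  openssl x509 -in "$1" -noout -text 2>/dev/null \
    | tr ',' '\n' \
    | sed -n 's/^[[:space:]]*DNS:\([^[:space:]]*\).*/\1/p'
}

# Return 0 if certificate $1 names host $2, exactly or via a wildcard for its parent domain.
cert_names_host() {
  parent="*.${2#*.}"
  cert_dns_names "$1" | grep -qxF -e "$2" -e "$parent"
}

# Fetch the leaf certificate served at $2:$3 when the client sends SNI name $1; PEM goes to $4.
# Fails (non-zero) when no certificate comes back, e.g. when the SNI name matches no server.
fetch_sni_cert() {
  printf '' | openssl s_client -connect "$2:$3" -servername "$1" 2>/dev/null \
    | openssl x509 -outform PEM > "$4" 2>/dev/null
}

# Probe every host listed in the Gateway: $1 = ingress address, $2 = port, the rest = hosts.
probe_gateway() {
  addr="$1"; port="$2"; shift 2
  rc=0
  for host in "$@"; do
    tmp=$(mktemp)
    if fetch_sni_cert "$host" "$addr" "$port" "$tmp" && cert_names_host "$tmp" "$host"; then
      echo "OK   $host"
    else
      echo "FAIL $host: no certificate, or a certificate that does not name $host" >&2
      rc=1
    fi
    rm -f "$tmp"
  done
  return $rc
}

# Usage (INGRESS_HOST is the external address of the istio-ingressgateway service,
# an assumption for your cluster; the host names are those declared in the Gateway above):
#   probe_gateway "$INGRESS_HOST" 443 httpbin.example.com xiaotaozi.xxx.com
```

A FAIL for one host while the other passes usually means the certificate in that host's secret does not carry the host in its subjectAltName, or the Gateway's hosts entry and the certificate disagree; both are easy to miss because the handshake for the other host keeps working.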