我的书签
添加书签
移除书签Egress Gateways with TLS Origination (SDS)
The TLS Origination for Egress Traffic example shows how to configure Istio to perform TLS origination for traffic to an external service. The Configure an Egress Gateway example shows how to configure Istio to direct egress traffic through a dedicated egress gateway service. This example combines the previous two by describing how to configure an egress gateway to perform TLS origination for traffic to external services.
The TLS required private key, server certificate, and root certificate, are configured using the Secret Discovery Service (SDS).
Before you begin
Setup Istio by following the instructions in the Installation guide.
Start the sleep sample which will be used as a test source for external calls.
If you have enabled automatic sidecar injection, do
$ kubectl apply -f @samples/sleep/sleep.yaml@
otherwise, you have to manually inject the sidecar before deploying the
sleepapplication:$ kubectl apply -f <(istioctl kube-inject -f @samples/sleep/sleep.yaml@)
Note that any pod that you can
execandcurlfrom would do.For macOS users, verify that you are using
opensslversion 1.1 or later:$ openssl version -a | grep OpenSSLOpenSSL 1.1.1g 21 Apr 2020
If the previous command outputs a version
1.1or later, as shown, youropensslcommand should work correctly with the instructions in this task. Otherwise, upgrade youropensslor try a different implementation ofopenssl, for example on a Linux machine.
If you configured an egress gateway using the file-mount based approach, and you want to migrate your egress gateway to use the SDS approach, there are no extra steps required.
Perform TLS origination with an egress gateway using SDS
This section describes how to perform the same TLS origination as in the TLS Origination for Egress Traffic example, only this time using an egress gateway. Note that in this case the TLS origination will be done by the egress gateway, as opposed to by the sidecar in the previous example. The egress gateway will use SDS instead of the file-mount to provision client certificates.
Generate CA and server certificates and keys
For this task you can use your favorite tool to generate certificates and keys. The commands below use openssl.
Create a root certificate and private key to sign the certificate for your services:
$ openssl req -x509 -sha256 -nodes -days 365 -newkey rsa:2048 -subj '/O=example Inc./CN=example.com' -keyout example.com.key -out example.com.crt
Create a certificate and a private key for
my-nginx.mesh-external.svc.cluster.local:$ openssl req -out my-nginx.mesh-external.svc.cluster.local.csr -newkey rsa:2048 -nodes -keyout my-nginx.mesh-external.svc.cluster.local.key -subj "/CN=my-nginx.mesh-external.svc.cluster.local/O=some organization"$ openssl x509 -req -days 365 -CA example.com.crt -CAkey example.com.key -set_serial 0 -in my-nginx.mesh-external.svc.cluster.local.csr -out my-nginx.mesh-external.svc.cluster.local.crt
Deploy a simple TLS server
To simulate an actual external service that supports the simple TLS protocol, deploy an NGINX server in your Kubernetes cluster, but running outside of the Istio service mesh, i.e., in a namespace without Istio sidecar proxy injection enabled.
Create a namespace to represent services outside the Istio mesh, namely
mesh-external. Note that the sidecar proxy will not be automatically injected into the pods in this namespace since the automatic sidecar injection was not enabled on it.$ kubectl create namespace mesh-external
Create Kubernetes Secrets to hold the server’s and CA certificates.
$ kubectl create -n mesh-external secret tls nginx-server-certs --key my-nginx.mesh-external.svc.cluster.local.key --cert my-nginx.mesh-external.svc.cluster.local.crt$ kubectl create -n mesh-external secret generic nginx-ca-certs --from-file=example.com.crt
Create a configuration file for the NGINX server:
$ cat <<\EOF > ./nginx.confevents {}http {log_format main '$remote_addr - $remote_user [$time_local] $status ''"$request" $body_bytes_sent "$http_referer" ''"$http_user_agent" "$http_x_forwarded_for"';access_log /var/log/nginx/access.log main;error_log /var/log/nginx/error.log;server {listen 443 ssl;root /usr/share/nginx/html;index index.html;server_name my-nginx.mesh-external.svc.cluster.local;ssl_certificate /etc/nginx-server-certs/tls.crt;ssl_certificate_key /etc/nginx-server-certs/tls.key;ssl_client_certificate /etc/nginx-ca-certs/example.com.crt;ssl_verify_client off; # In simple TLS, server doesn't verify client's certificate}}EOF
Create a Kubernetes ConfigMap to hold the configuration of the NGINX server:
$ kubectl create configmap nginx-configmap -n mesh-external --from-file=nginx.conf=./nginx.conf
Deploy the NGINX server:
$ kubectl apply -f - <<EOFapiVersion: v1kind: Servicemetadata:name: my-nginxnamespace: mesh-externallabels:run: my-nginxspec:ports:- port: 443protocol: TCPselector:run: my-nginx---apiVersion: apps/v1kind: Deploymentmetadata:name: my-nginxnamespace: mesh-externalspec:selector:matchLabels:run: my-nginxreplicas: 1template:metadata:labels:run: my-nginxspec:containers:- name: my-nginximage: nginxports:- containerPort: 443volumeMounts:- name: nginx-configmountPath: /etc/nginxreadOnly: true- name: nginx-server-certsmountPath: /etc/nginx-server-certsreadOnly: true- name: nginx-ca-certsmountPath: /etc/nginx-ca-certsreadOnly: truevolumes:- name: nginx-configconfigMap:name: nginx-configmap- name: nginx-server-certssecret:secretName: nginx-server-certs- name: nginx-ca-certssecret:secretName: nginx-ca-certsEOF
Configure simple TLS origination for egress traffic
Create a Kubernetes Secret to hold the CA certificate used by egress gateway to originate TLS connections:
$ kubectl create secret generic client-credential-cacert --from-file=ca.crt=example.com.crt -n istio-system
Note that the secret name for an Istio CA-only certificate must end with
-cacertand the secret must be created in the same namespace as Istio is deployed in,istio-systemin this case.The secret name should not begin with
istioorprometheus, and the secret should not contain atokenfield.Create an egress
Gatewayformy-nginx.mesh-external.svc.cluster.local, port 443, and destination rules and virtual services to direct the traffic through the egress gateway and from the egress gateway to the external service.$ kubectl apply -f - <<EOFapiVersion: networking.istio.io/v1alpha3kind: Gatewaymetadata:name: istio-egressgatewayspec:selector:istio: egressgatewayservers:- port:number: 443name: httpsprotocol: HTTPShosts:- my-nginx.mesh-external.svc.cluster.localtls:mode: ISTIO_MUTUAL---apiVersion: networking.istio.io/v1alpha3kind: DestinationRulemetadata:name: egressgateway-for-nginxspec:host: istio-egressgateway.istio-system.svc.cluster.localsubsets:- name: nginxtrafficPolicy:loadBalancer:simple: ROUND_ROBINportLevelSettings:- port:number: 443tls:mode: ISTIO_MUTUALsni: my-nginx.mesh-external.svc.cluster.localEOF
Define a
VirtualServiceto direct the traffic through the egress gateway:$ kubectl apply -f - <<EOFapiVersion: networking.istio.io/v1alpha3kind: VirtualServicemetadata:name: direct-nginx-through-egress-gatewayspec:hosts:- my-nginx.mesh-external.svc.cluster.localgateways:- istio-egressgateway- meshhttp:- match:- gateways:- meshport: 80route:- destination:host: istio-egressgateway.istio-system.svc.cluster.localsubset: nginxport:number: 443weight: 100- match:- gateways:- istio-egressgatewayport: 443route:- destination:host: my-nginx.mesh-external.svc.cluster.localport:number: 443weight: 100EOF
Add a
DestinationRuleto perform simple TLS origination$ kubectl apply -n istio-system -f - <<EOFapiVersion: networking.istio.io/v1alpha3kind: DestinationRulemetadata:name: originate-tls-for-nginxspec:host: my-nginx.mesh-external.svc.cluster.localtrafficPolicy:loadBalancer:simple: ROUND_ROBINportLevelSettings:- port:number: 443tls:mode: SIMPLEcredentialName: client-credential # this must match the secret created earlier without the "-cacert" suffixsni: my-nginx.mesh-external.svc.cluster.localEOF
Send an HTTP request to
http://my-nginx.mesh-external.svc.cluster.local:$ kubectl exec "$(kubectl get pod -l app=sleep -o jsonpath={.items..metadata.name})" -c sleep -- curl -s http://my-nginx.mesh-external.svc.cluster.local<!DOCTYPE html><html><head><title>Welcome to nginx!</title>...
Check the log of the
istio-egressgatewaypod for a line corresponding to our request. If Istio is deployed in theistio-systemnamespace, the command to print the log is:$ kubectl logs -l istio=egressgateway -n istio-system | grep 'my-nginx.mesh-external.svc.cluster.local' | grep HTTP
You should see a line similar to the following:
[2018-08-19T18:20:40.096Z] "GET / HTTP/1.1" 200 - 0 612 7 5 "172.30.146.114" "curl/7.35.0" "b942b587-fac2-9756-8ec6-303561356204" "my-nginx.mesh-external.svc.cluster.local" "172.21.72.197:443"
Cleanup the TLS origination example
Remove the Istio configuration items you created:
$ kubectl delete destinationrule originate-tls-for-nginx -n istio-system$ kubectl delete virtualservice direct-nginx-through-egress-gateway$ kubectl delete destinationrule egressgateway-for-nginx$ kubectl delete gateway istio-egressgateway$ kubectl delete secret client-credential-cacert -n istio-system$ kubectl delete service my-nginx -n mesh-external$ kubectl delete deployment my-nginx -n mesh-external$ kubectl delete configmap nginx-configmap -n mesh-external$ kubectl delete secret nginx-server-certs nginx-ca-certs -n mesh-external$ kubectl delete namespace mesh-external
Delete the certificates and private keys:
$ rm example.com.crt example.com.key my-nginx.mesh-external.svc.cluster.local.crt my-nginx.mesh-external.svc.cluster.local.key my-nginx.mesh-external.svc.cluster.local.csr
Delete the generated configuration files used in this example:
$ rm ./nginx.conf
Perform mutual TLS origination with an egress gateway
Similar to the previous section, this section describes how to configure an egress gateway to perform TLS origination for an external service, only this time using a service that requires mutual TLS.
Egress Gateway will use SDS instead of the file-mount to provision client certificates.
Generate client and server certificates and keys
For this task you can use your favorite tool to generate certificates and keys. The commands below use openssl.
Create a root certificate and private key to sign the certificate for your services:
$ openssl req -x509 -sha256 -nodes -days 365 -newkey rsa:2048 -subj '/O=example Inc./CN=example.com' -keyout example.com.key -out example.com.crt
Create a certificate and a private key for
my-nginx.mesh-external.svc.cluster.local:$ openssl req -out my-nginx.mesh-external.svc.cluster.local.csr -newkey rsa:2048 -nodes -keyout my-nginx.mesh-external.svc.cluster.local.key -subj "/CN=my-nginx.mesh-external.svc.cluster.local/O=some organization"$ openssl x509 -req -days 365 -CA example.com.crt -CAkey example.com.key -set_serial 0 -in my-nginx.mesh-external.svc.cluster.local.csr -out my-nginx.mesh-external.svc.cluster.local.crt
Generate client certificate and private key:
$ openssl req -out client.example.com.csr -newkey rsa:2048 -nodes -keyout client.example.com.key -subj "/CN=client.example.com/O=client organization"$ openssl x509 -req -days 365 -CA example.com.crt -CAkey example.com.key -set_serial 1 -in client.example.com.csr -out client.example.com.crt
Deploy a mutual TLS server
To simulate an actual external service that supports the mutual TLS protocol, deploy an NGINX server in your Kubernetes cluster, but running outside of the Istio service mesh, i.e., in a namespace without Istio sidecar proxy injection enabled.
Create a namespace to represent services outside the Istio mesh, namely
mesh-external. Note that the sidecar proxy will not be automatically injected into the pods in this namespace since the automatic sidecar injection was not enabled on it.$ kubectl create namespace mesh-external
Create Kubernetes Secrets to hold the server’s certificates.
$ kubectl create -n mesh-external secret tls nginx-server-certs --key my-nginx.mesh-external.svc.cluster.local.key --cert my-nginx.mesh-external.svc.cluster.local.crt$ kubectl create -n mesh-external secret generic nginx-ca-certs --from-file=example.com.crt
Create a configuration file for the NGINX server:
$ cat <<\EOF > ./nginx.confevents {}http {log_format main '$remote_addr - $remote_user [$time_local] $status ''"$request" $body_bytes_sent "$http_referer" ''"$http_user_agent" "$http_x_forwarded_for"';access_log /var/log/nginx/access.log main;error_log /var/log/nginx/error.log;server {listen 443 ssl;root /usr/share/nginx/html;index index.html;server_name my-nginx.mesh-external.svc.cluster.local;ssl_certificate /etc/nginx-server-certs/tls.crt;ssl_certificate_key /etc/nginx-server-certs/tls.key;ssl_client_certificate /etc/nginx-ca-certs/example.com.crt;ssl_verify_client on; # In mutual TLS, server verifies client's certificate}}EOF
Create a Kubernetes ConfigMap to hold the configuration of the NGINX server:
$ kubectl create configmap nginx-configmap -n mesh-external --from-file=nginx.conf=./nginx.conf
Deploy the NGINX server:
$ kubectl apply -f - <<EOFapiVersion: v1kind: Servicemetadata:name: my-nginxnamespace: mesh-externallabels:run: my-nginxspec:ports:- port: 443protocol: TCPselector:run: my-nginx---apiVersion: apps/v1kind: Deploymentmetadata:name: my-nginxnamespace: mesh-externalspec:selector:matchLabels:run: my-nginxreplicas: 1template:metadata:labels:run: my-nginxspec:containers:- name: my-nginximage: nginxports:- containerPort: 443volumeMounts:- name: nginx-configmountPath: /etc/nginxreadOnly: true- name: nginx-server-certsmountPath: /etc/nginx-server-certsreadOnly: true- name: nginx-ca-certsmountPath: /etc/nginx-ca-certsreadOnly: truevolumes:- name: nginx-configconfigMap:name: nginx-configmap- name: nginx-server-certssecret:secretName: nginx-server-certs- name: nginx-ca-certssecret:secretName: nginx-ca-certsEOF
Configure mutual TLS origination for egress traffic using SDS
Create Kubernetes Secrets to hold the client’s certificates:
$ kubectl create secret -n istio-system generic client-credential --from-file=tls.key=client.example.com.key \--from-file=tls.crt=client.example.com.crt --from-file=ca.crt=example.com.crt
The secret must be created in the same namespace as Istio is deployed in,
istio-systemin this case.To support integration with various tools, Istio supports a few different Secret formats.
In this example. a single generic Secret with keys
tls.key,tls.crt, andca.crtis used.The secret name should not begin with
istioorprometheus, and the secret should not contain atokenfield.Create an egress
Gatewayformy-nginx.mesh-external.svc.cluster.local, port 443, and destination rules and virtual services to direct the traffic through the egress gateway and from the egress gateway to the external service.$ kubectl apply -f - <<EOFapiVersion: networking.istio.io/v1alpha3kind: Gatewaymetadata:name: istio-egressgatewayspec:selector:istio: egressgatewayservers:- port:number: 443name: httpsprotocol: HTTPShosts:- my-nginx.mesh-external.svc.cluster.localtls:mode: ISTIO_MUTUAL---apiVersion: networking.istio.io/v1alpha3kind: DestinationRulemetadata:name: egressgateway-for-nginxspec:host: istio-egressgateway.istio-system.svc.cluster.localsubsets:- name: nginxtrafficPolicy:loadBalancer:simple: ROUND_ROBINportLevelSettings:- port:number: 443tls:mode: ISTIO_MUTUALsni: my-nginx.mesh-external.svc.cluster.localEOF
Define a
VirtualServiceto direct the traffic through the egress gateway:$ kubectl apply -f - <<EOFapiVersion: networking.istio.io/v1alpha3kind: VirtualServicemetadata:name: direct-nginx-through-egress-gatewayspec:hosts:- my-nginx.mesh-external.svc.cluster.localgateways:- istio-egressgateway- meshhttp:- match:- gateways:- meshport: 80route:- destination:host: istio-egressgateway.istio-system.svc.cluster.localsubset: nginxport:number: 443weight: 100- match:- gateways:- istio-egressgatewayport: 443route:- destination:host: my-nginx.mesh-external.svc.cluster.localport:number: 443weight: 100EOF
Add a
DestinationRuleto perform mutual TLS origination$ kubectl apply -n istio-system -f - <<EOFapiVersion: networking.istio.io/v1alpha3kind: DestinationRulemetadata:name: originate-mtls-for-nginxspec:host: my-nginx.mesh-external.svc.cluster.localtrafficPolicy:loadBalancer:simple: ROUND_ROBINportLevelSettings:- port:number: 443tls:mode: MUTUALcredentialName: client-credential # this must match the secret created earlier to hold client certssni: my-nginx.mesh-external.svc.cluster.localEOF
Send an HTTP request to
http://my-nginx.mesh-external.svc.cluster.local:$ kubectl exec "$(kubectl get pod -l app=sleep -o jsonpath={.items..metadata.name})" -c sleep -- curl -s http://my-nginx.mesh-external.svc.cluster.local<!DOCTYPE html><html><head><title>Welcome to nginx!</title>...
Check the log of the
istio-egressgatewaypod for a line corresponding to our request. If Istio is deployed in theistio-systemnamespace, the command to print the log is:$ kubectl logs -l istio=egressgateway -n istio-system | grep 'my-nginx.mesh-external.svc.cluster.local' | grep HTTP
You should see a line similar to the following:
[2018-08-19T18:20:40.096Z] "GET / HTTP/1.1" 200 - 0 612 7 5 "172.30.146.114" "curl/7.35.0" "b942b587-fac2-9756-8ec6-303561356204" "my-nginx.mesh-external.svc.cluster.local" "172.21.72.197:443"
Cleanup the mutual TLS origination example
Remove created Kubernetes resources:
$ kubectl delete secret nginx-server-certs nginx-ca-certs -n mesh-external$ kubectl delete secret client-credential -n istio-system$ kubectl delete configmap nginx-configmap -n mesh-external$ kubectl delete service my-nginx -n mesh-external$ kubectl delete deployment my-nginx -n mesh-external$ kubectl delete namespace mesh-external$ kubectl delete gateway istio-egressgateway$ kubectl delete virtualservice direct-nginx-through-egress-gateway$ kubectl delete destinationrule -n istio-system originate-mtls-for-nginx$ kubectl delete destinationrule egressgateway-for-nginx
Delete the certificates and private keys:
$ rm example.com.crt example.com.key my-nginx.mesh-external.svc.cluster.local.crt my-nginx.mesh-external.svc.cluster.local.key my-nginx.mesh-external.svc.cluster.local.csr client.example.com.crt client.example.com.csr client.example.com.key
Delete the generated configuration files used in this example:
$ rm ./nginx.conf$ rm ./gateway-patch.json
Cleanup
Delete the sleep service and deployment:
$ kubectl delete service sleep$ kubectl delete deployment sleep
See also
Secure Control of Egress Traffic in Istio, part 3
Comparison of alternative solutions to control egress traffic including performance considerations.
Secure Control of Egress Traffic in Istio, part 2
Use Istio Egress Traffic Control to prevent attacks involving egress traffic.
Secure Control of Egress Traffic in Istio, part 1
Attacks involving egress traffic and requirements for egress traffic control.
Egress Gateway Performance Investigation
Verifies the performance impact of adding an egress gateway.
Consuming External MongoDB Services
Describes a simple scenario based on Istio’s Bookinfo example.
Monitoring and Access Policies for HTTP Egress Traffic
Describes how to configure Istio for monitoring and access policies of HTTP egress traffic.
