Certificate Management
Updated 2025-02-21 10:13:34
The service mesh can host your certificates and push them down to the gateway data plane so that traffic is protected with TLS. This document describes the related gateway management operations.
Operations
Go to the Service Mesh console -> Gateway -> Certificate Management, where you can create, view, update and delete certificate configurations. The certificate configuration items are described below:
| Item | Description |
|---|---|
| Name | Name of the certificate |
| Namespace | Namespace in which the certificate is stored |
| Public key certificate | Certificate content; currently only PEM format is supported |
| Private key | The certificate's private key |
| Enable mTLS | A certificate with mTLS enabled can be used to configure mTLS communication |
| CA certificate | The CA certificate used to verify the validity of client certificates during mTLS communication |
Using certificate management to implement mTLS access to the gateway
- First, generate the client and server certificates with the following script:

```bash
#!/bin/bash
# Usage: bash <this script> <domain>   (the tutorial uses foo.com)
domain=$1

# Self-signed CA; ca.crt is what gets uploaded as the "CA certificate"
openssl genpkey -algorithm RSA -out ca.key
openssl req -new -x509 -key ca.key -out ca.crt -subj "/C=CN/ST=GD/L=GZ/O=DX/OU=TYY" -days 3650

# Server certificate for the gateway, issued by the CA. The domain is carried in CN only
# (no subjectAltName), which curl still accepts but modern browsers and Go clients reject.
openssl genpkey -algorithm RSA -out server.key
openssl req -new -key server.key -out server.csr -subj "/C=CN/ST=GD/L=GZ/O=TYY/OU=MS/CN=$domain"
openssl x509 -req -in server.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out server.crt -days 3650

# Client certificate presented to the gateway in the mTLS handshake, issued by the same CA
openssl genpkey -algorithm RSA -out client.key
openssl req -new -key client.key -out client.csr -subj "/C=CN/ST=GD/L=GZ/O=TYY/OU=MS/CN=$domain"
openssl x509 -req -in client.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out client.crt -days 3650
```

Fill the generated server.crt into Public key certificate and server.key into Private key, turn on the mTLS switch, and fill ca.crt into CA certificate.
- Create an ingress gateway, deploy the httpbin test service, and access httpbin through the gateway.

httpbin service deployment (South China 2 resource pool):

```yaml
apiVersion: v1
kind: ServiceAccount
metadata:
  name: httpbin
---
apiVersion: v1
kind: Service
metadata:
  name: httpbin
  labels:
    app: httpbin
    service: httpbin
spec:
  ports:
  - name: http
    port: 8000
    targetPort: 80
  selector:
    app: httpbin
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: httpbin
spec:
  replicas: 1
  selector:
    matchLabels:
      app: httpbin
      version: v1
  template:
    metadata:
      labels:
        app: httpbin
        version: v1
    spec:
      serviceAccountName: httpbin
      containers:
      - image: registry-vpc-crs-huanan2.cnsp-internal.daliqc.cn/library/httpbin:stable
        imagePullPolicy: IfNotPresent
        name: httpbin
        ports:
        - containerPort: 80
```

Create the Ingress gateway and configure the VirtualService resource:

```yaml
apiVersion: networking.istio.io/v1beta1
kind: VirtualService
metadata:
  name: httpbin
  namespace: demo
spec:
  gateways:
  - cce-for-csm-default-ingressgateway-testgw
  hosts:
  - foo.com
  http:
  - route:
    - destination:
        host: httpbin
        port:
          number: 8000
```

Access the HTTP port to verify:
```
# curl http://192.168.0.3:18080/headers -sv -H 'host: foo.com'
*   Trying 192.168.0.3:18080...
* Connected to 192.168.0.3 (192.168.0.3) port 18080 (#0)
> GET /headers HTTP/1.1
> Host: foo.com
> User-Agent: curl/7.71.1
> Accept: */*
>
* Mark bundle as not supporting multiuse
< HTTP/1.1 200 OK
< server: istio-envoy
< date: Thu, 13 Feb 2025 06:41:41 GMT
< content-type: application/json
< content-length: 485
< access-control-allow-origin: *
< access-control-allow-credentials: true
< x-envoy-upstream-service-time: 21
<
{"headers":{"Accept":"*/*","Host":"foo.com","User-Agent":"curl/7.71.1","X-B3-Parentspanid":"c50ea300154378db","X-B3-Sampled":"0","X-B3-Spanid":"3ded5df9f43fdea9","X-B3-Traceid":"6d9319ee5ded87fbc50ea300154378db","X-Envoy-Attempt-Count":"1","X-Envoy-Internal":"true","X-Forwarded-Client-Cert":"By=spiffe://cluster.local/ns/demo/sa/httpbin;Hash=b9b934cf12d7d8eb0c62e8a5c2374b86d3a8eb98e0101eb3ff75796cdcb3345b;Subject=\"\";URI=spiffe://cluster.local/ns/demo/sa/testgw-service-account"}}
* Connection #0 to host 192.168.0.3 left intact
```

- Configure the TLS port and certificate.

Go to the Gateway Management -> Gateway Rules menu, edit the gateway rule configuration, and fill in the K8s Secret generated by the certificate configuration:
```yaml
apiVersion: networking.istio.io/v1beta1
kind: Gateway
metadata:
  name: cce-for-csm-default-ingressgateway-testgw
  namespace: demo
spec:
  selector:
    gateway-unique-name: cce-for-csm.demo.ingressgateway.testgw
  servers:
  - hosts:
    - '*'
    port:
      name: http-18080
      number: 18080
      protocol: HTTP
  - hosts:
    - '*'
    port:
      name: https-18443
      number: 18443
      protocol: HTTPS
    tls:
      mode: MUTUAL
      credentialName: foo.com
```
Initiate HTTPS access, specifying the client certificate, its key and the CA certificate:
```
# curl https://foo.com:18443/headers -sv --resolve 'foo.com:18443:192.168.0.3' --cert client.crt --key client.key --cacert ca.crt
* Added foo.com:18443:192.168.0.3 to DNS cache
* Hostname foo.com was found in DNS cache
*   Trying 192.168.0.3:18443...
* Connected to foo.com (192.168.0.3) port 18443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
*   CAfile: ca.crt
  CApath: none
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.3 (IN), TLS handshake, Encrypted Extensions (8):
* TLSv1.3 (IN), TLS handshake, Request CERT (13):
* TLSv1.3 (IN), TLS handshake, Certificate (11):
* TLSv1.3 (IN), TLS handshake, CERT verify (15):
* TLSv1.3 (IN), TLS handshake, Finished (20):
* TLSv1.3 (OUT), TLS change cipher, Change cipher spec (1):
* TLSv1.3 (OUT), TLS handshake, Certificate (11):
* TLSv1.3 (OUT), TLS handshake, CERT verify (15):
* TLSv1.3 (OUT), TLS handshake, Finished (20):
* SSL connection using TLSv1.3 / TLS_AES_256_GCM_SHA384
* ALPN, server accepted to use h2
* Server certificate:
*  subject: C=CN; ST=GD; L=GZ; O=TYY; OU=MS; CN=foo.com
*  start date: Feb 13 03:09:52 2025 GMT
*  expire date: Feb 11 03:09:52 2035 GMT
*  common name: foo.com (matched)
*  issuer: C=CN; ST=GD; L=GZ; O=DX; OU=TYY
*  SSL certificate verify ok.
* Using HTTP2, server supports multi-use
* Connection state changed (HTTP/2 confirmed)
* Copying HTTP/2 data in stream buffer to connection buffer after upgrade: len=0
* Using Stream ID: 1 (easy handle 0x55696bbf2690)
> GET /headers HTTP/2
> Host: foo.com:18443
> user-agent: curl/7.71.1
> accept: */*
>
* TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
* TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
* old SSL session ID is stale, removing
* Connection state changed (MAX_CONCURRENT_STREAMS == 2147483647)!
< HTTP/2 200
< server: istio-envoy
< date: Thu, 13 Feb 2025 07:01:54 GMT
< content-type: application/json
< content-length: 1854
< access-control-allow-origin: *
< access-control-allow-credentials: true
< x-envoy-upstream-service-time: 4
<
{"headers":{"Accept":"*/*","Host":"foo.com:18443","User-Agent":"curl/7.71.1","X-B3-Parentspanid":"69de88af50fc781c","X-B3-Sampled":"0","X-B3-Spanid":"9fd5daba6fa5657c","X-B3-Traceid":"cdcc12b950c3d1ca69de88af50fc781c","X-Envoy-Attempt-Count":"1","X-Envoy-Internal":"true","X-Forwarded-Client-Cert":"Hash=304002d17f8665ab020c67e59c56958708c89e622d0cde1893cddc1c2c7d1315;Cert=\"-----BEGIN%20CERTIFICATE-----%0AMIIDHTCCAgUCFHMQj5mjMwsw%2FqrnJtfOXdq0NSGtMA0GCSqGSIb3DQEBCwUAMEIx%0ACzAJBgNVBAYTAkNOMQswCQYDVQQIDAJHRDELMAkGA1UEBwwCR1oxCzAJBgNVBAoM%0AAkRYMQwwCgYDVQQLDANUWVkwHhcNMjUwMjEzMDMwOTUyWhcNMzUwMjExMDMwOTUy%0AWjBUMQswCQYDVQQGEwJDTjELMAkGA1UECAwCR0QxCzAJBgNVBAcMAkdaMQwwCgYD%0AVQQKDANUWVkxCzAJBgNVBAsMAk1TMRAwDgYDVQQDDAdmb28uY29tMIIBIjANBgkq%0AhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAvQ61G7G0aBCd7iYWmQKTf5%2BvlgnCuhdk%0ApkQlW%2B3oaxRqTmFqGj44kA0ZygE5FDcgL%2BTXVE2qaS5u21WkpoHOMhGrHxl2Chzl%0ANBcUbVJUliOX%2F9oeKyjC1JEQ%2BxGld0kYpbDeWd85OqRVoebdxOfVHO2ggSbl%2Blxy%0Adqy6Flndfp0Cqs2HfZk4dUsViNjQvewm3NH%2F8HAzcYui7w3aNrBwa%2FeEH0S3evhc%0AtASqSK7CKs6UMn%2FYvheTHe5o0N0Mwo6MDt0U2ox88oKrBkjPDMhFdM3PEfQqwv8V%0AC0AsDQ0CCZiNk9uiE28hEZMXaVhqJ2Nvju6n8JpiZ1M1WD%2B%2FDVC1HwIDAQABMA0G%0ACSqGSIb3DQEBCwUAA4IBAQAn%2B9qchCGymG2nhOGKaThASBj4Au65IqsVo6SHobOt%0AfiVULb3px6N6wlJWKzoT0M%2FwSI3%2Fw3aYQCaDC5uBt7EjvKFTF%2BpwX0uwqtF25F13%0AVHJER%2FEtqRG27EcLLEJuYGuFAxxTsZVnlnfn3Ky%2FPzD8oyzj7IucCb30CE42FXKq%0A6jjRpqDTXEtTxxp%2B8w787QLoel6eEsdZiEwOzRlIhQw9c1uIiyV%2BjCJtcGTTEufE%0AXWofM5kjg8%2B%2Bcc8KlU6WrfHujzV01T1ANAhGIGFG9lK4n%2FtYAMCk5ReMJIZVKy5G%0AE9ZdDv5f128dskKxgbG7LfqDylN9W4U6rByWbtr5k2lG%0A-----END%20CERTIFICATE-----%0A\";Subject=\"CN=foo.com,OU=MS,O=TYY,L=GZ,ST=GD,C=CN\";URI=,By=spiffe://cluster.local/ns/demo/sa/httpbin;Hash=b9b934cf12d7d8eb0c62e8a5c2374b86d3a8eb98e0101eb3ff75796cdcb3345b;Subject=\"\";URI=spiffe://cluster.local/ns/demo/sa/testgw-service-account"}}
* Connection #0 to host foo.com left intact
```
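The useful result of the mTLS handshake for a backend is the X-Forwarded-Client-Cert header echoed above: Envoy appends one element per hop, so the service behind the gateway can read the verified client subject and certificate hash. The following parser is an added example, not part of this document or of the service mesh product; the sample header is constructed from the output above with the PEM body shortened.

```python
from urllib.parse import unquote

# Constructed sample modelled on the header httpbin echoed back in the curl output above:
# hop 1 is the external client cert verified by the gateway, hop 2 the gateway's own mesh
# identity added by the httpbin sidecar. PEM body shortened; hashes as shown on the page.
SAMPLE_XFCC = (
    'Hash=304002d17f8665ab020c67e59c56958708c89e622d0cde1893cddc1c2c7d1315;'
    'Cert="-----BEGIN%20CERTIFICATE-----%0AMIIDHTCCAgUCFHMQj5mjMwsw%0A-----END%20CERTIFICATE-----%0A";'
    'Subject="CN=foo.com,OU=MS,O=TYY,L=GZ,ST=GD,C=CN";URI=,'
    'By=spiffe://cluster.local/ns/demo/sa/httpbin;'
    'Hash=b9b934cf12d7d8eb0c62e8a5c2374b86d3a8eb98e0101eb3ff75796cdcb3345b;'
    'Subject="";URI=spiffe://cluster.local/ns/demo/sa/testgw-service-account'
)


def parse_xfcc(header: str) -> list:
    """Return one dict per hop. ',' separates hops and ';' key=value pairs, but a value
    holding ',', ';' or '=' (Subject DN, PEM Cert) is double-quoted with \\" escapes, so
    the separators count only outside quotes; a plain str.split would mangle the Subject."""
    elements, current, key, buf, in_quotes, i = [], {}, None, [], False, 0
    header += ','                                         # sentinel closes the last hop
    while i < len(header):
        ch = header[i]
        if in_quotes:
            if ch == '\\' and header[i + 1:i + 2] == '"':   # escaped quote inside a value
                buf.append('"')
                i += 1
            elif ch == '"':
                in_quotes = False
            else:
                buf.append(ch)
        elif ch == '"':
            in_quotes = True
        elif ch == '=' and key is None:                   # first '=' ends the key
            key, buf = ''.join(buf), []
        elif ch in ',;':
            if key is not None:
                current[key] = ''.join(buf)
            key, buf = None, []
            if ch == ',' and current:                     # ',' closes the hop
                elements.append(current)
                current = {}
        else:
            buf.append(ch)
        i += 1
    for el in elements:                                   # Cert/Chain are URL-encoded PEM
        el.update({k: unquote(el[k]) for k in ('Cert', 'Chain') if k in el})
    return elements
```

The first hop carries the external client's Subject and Hash, which is what an authorization check in the backend should key on; the header is only trustworthy on traffic that arrived through the gateway and sidecar that set it.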