本文发布于Cylon的收藏册,转载请著名原文链接~

方案架构

本次实例与官方Envoy front_proxy Example相似,首先会有一个Envoy单独运行。ingress的工作是给其他地方提供一个入口。来自外部的传入连接请求到这里,前端代理将会决定他们在内部的转发路径。

图源自Envoy官网文档 front_proxy

生成证书

1
openssl req -nodes -new -x509 -keyout certs/server.key -out certs/server.crt -days 365 -subj "/C=CN/ST=Guangdong/L=Guangzhou/O=studyenvoy/OU=studyenvoy/CN=*.studyenvoy.cn"

envoy配置说明

v3 api中envoy去掉了tls_context的配置,配置tls首先需要熟悉envoy的如下两个术语

  • Downstream:下游主机连接到 Envoy,发送请求并或获得响应。
  • Upstream:上游主机获取来自 Envoy 的链接请求和响应。

本次使用的是ingress的代理,需要配置的即为 Downstream

v3api中使用的是transport_socket,transport_socket为 listeners 当中某一个 filter_chains 中上线文中的配置。

transport_socket 官方说明为: (config.core.v3.TransportSocket) Optional custom transport socket implementation to use for downstream connections. To setup TLS, set a transport socket with name tls and DownstreamTlsContext in the typed_config. If no transport socket configuration is specified, new connections will be set up with plaintext.

查看官网的transport_socket配置说明

这里使用的类型为DownstreamTlsContext

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
 transport_socket: # 设置tls
        name: envoy.transport_sockets.tls # 定义名称,不能为空
        typed_config: # 实现配置的类型
          "@type": type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.DownstreamTlsContext
          common_tls_context: # 设置tls上下文
            tls_certificates:
              certificate_chain: # 公钥设置 必须设置为,filename,inline_bytes
                filename: "/etc/envoy/certs/server.crt"
              private_key: # 私钥设置 必须设置为,filename,inline_bytes
                filename: "/etc/envoy/certs/server.key"         

准备envoy和后端服务运行环境

envoy配置文件

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
admin:
  access_log_path: /dev/null
  address:
    socket_address: { address: 0.0.0.0, port_value: 9901 }

static_resources:
  listeners:
  - name: listeners_http
    address:
      socket_address: { address: 0.0.0.0, port_value: 80 }
    filter_chains:
    - filters:
      - name: envoy.http_connenttion_manager
        typed_config:
          "@type": type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager
          stat_prefix: ingress_http
          codec_type: AUTO
          route_config:
            name: local_route
            virtual_hosts:
            - name: local_service
              domains: [ "*" ]
              routes:
              - match: { prefix: "/" }
                redirect:
                  path_redirect: "/"
                  https_redirect: true
          http_filters:
          - name: envoy.router
  - name: listener_https
    address:
      socket_address: { address: 0.0.0.0, port_value: 443 }
    filter_chains:
    - filters:
      - name: envoy.http_connection_manager
        typed_config:
          "@type": type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager
          stat_prefix: ingress_http
          codec_type: AUTO
          route_config:
            name: local_route
            virtual_hosts:
            - name: local_service
              domains: [ "*" ]
              routes:
              - match: { prefix: "/" }
                route: { cluster: local_service }
          http_filters:
          - name: envoy.router
      transport_socket:
        name: envoy.transport_sockets.tls
        typed_config:
          "@type": type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.DownstreamTlsContext
          common_tls_context:
            tls_certificates:
              certificate_chain:
                filename: "/etc/envoy/certs/server.crt"
              private_key:
                filename: "/etc/envoy/certs/server.key"

  clusters:
  - name: local_service
    connect_timeout: 0.25s
    type: STRICT_DNS
    lb_policy: ROUND_ROBIN
    load_assignment:
      cluster_name: local_service
      endpoints:
      - lb_endpoints:
        - endpoint:
            address:
              socket_address: { address: webservice, port_value: 90 }

docker-compose文件示例

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
version: '3'
services:
  envoy:
    image: envoyproxy/envoy-alpine:v1.15-latest
    environment: 
    - ENVOY_UID=0
    ports:
    - 80:80
    - 443:443
    - 82:9901
    volumes:
    - ./envoy.yaml:/etc/envoy/envoy.yaml
    - ./certs:/etc/envoy/certs
    networks:
      envoymesh:
        aliases:
        - envoy
    depends_on:
    - webserver
  
  webserver:
    image: cylonchau/envoy-end:latest
    environment: 
    - COLORFUL=blue
    networks:
      envoymesh:
        aliases:
        - myservice
        - webservice
    expose:
    - 90
     
networks:
  envoymesh: {}

容器启动正常

证书使用者也为生成证书的信息一致

本文发布于Cylon的收藏册,转载请著名原文链接~

链接:https://www.oomkill.com/2020/09/envoy-v3-api-tls/

版权:本作品采用「署名-非商业性使用-相同方式共享 4.0 国际」 许可协议进行许可。