Istio

Adding custom cipher suite to Istio Gateway

和自甴很熟 submitted on 2021-01-07 06:57:05
Question: I have added a few custom cipher suites at the gateway like this:

tls:
  mode: MUTUAL
  credentialName: sds
  minProtocolVersion: TLSV1_2
  maxProtocolVersion: TLSV1_3
  cipherSuites: [ECDHE-ECDSA-AES256-GCM-SHA384|ECDHE-ECDSA-AES128-GCM-SHA256|ECDHE-RSA-AES256-GCM-SHA384|ECDHE-RSA-AES128-GCM-SHA256|ECDHE-ECDSA-AES256-CBC-SHA384|ECDHE-ECDSA-AES128-CBC-SHA256|ECDHE-RSA-AES256-CBC-SHA384|ECDHE-RSA-AES128-CBC-SHA256]

Is there a way to validate if these cipher suites have actually been added? Does it order

TLSOption CipherSuites does not work on Istio Ingress Gateway

為{幸葍}努か submitted on 2021-01-05 07:26:36
Question: I have deployed a CipherSuite on an Istio Ingress Gateway object:

apiVersion: networking.istio.io/v1alpha3
kind: Gateway
metadata:
  name: hello-istio-gateway
spec:
  selector:
    istio: ingressgateway # use Istio default gateway implementation
  servers:
  - hosts:
    - "*"
    port:
      name: https-wildcard
      number: 444
      protocol: HTTPS
    tls:
      mode: SIMPLE
      serverCertificate: /etc/istio/ingressgateway-certs/tls.crt
      privateKey: /etc/istio/ingressgateway-certs/tls.key
      cipherSuites: "[ECDHE-RSA-AES256-GCM-SHA384|ECDHE

istio: VirtualService rewrite to the root url

↘锁芯ラ submitted on 2021-01-04 17:03:52
Question: I have an Istio 1.4.6 VirtualService with a match and a URL rewrite defined as follows:

match:
- authority:
    prefix: example.com
  uri:
    prefix: /foo/bar
rewrite:
  uri: /
route:
- destination:
    host: some-service
    port:
      number: 80

I would like a rewrite like the following: traffic directed to /foo/bar or any subpath of that should be rewritten to / plus any subpath on some-service, i.e.

example.com/foo/bar -> some-service
example.com/foo/bar/subpath -> some-service/subpath
example.com/foo/bar/subpath

Changing secrets of kiali in istio is not working

烈酒焚心 submitted on 2021-01-04 03:10:26
Question: I have deployed Istio in my EKS cluster with the demo profile. demo comes with a Kiali deployment. The access secret for the Kiali dashboard is (username: admin, password: admin). I was able to access my dashboard with these credentials. Then I created my own secrets.

$ echo shajaltest | base64
c2hhamFsdGVzdAo=

Deleted the secrets for kiali.

$ kubectl delete secrets kiali -n istio-system

Deployed the secrets again with this YAML:

apiVersion: v1
kind: Secret
metadata:
  name: kiali
  namespace: istio

An Authoritative Reading of the Container Storage Standard | CSI White Paper (Part 2)

五迷三道 submitted on 2021-01-03 16:42:46
Moving applications to the cloud, how could you do without containers! In the previous article we gave an overall introduction to the industry background behind CSI, its design points and its architecture; in this article we analyze the CSI SPEC and describe the function of each service interface in detail. Note: this article is based on CSI SPEC version 3.0. CSI SPEC explained: the CSI SPEC defines three groups of RPCs in total. Identity Service: both the Node Plugin and the Controller Plugin must implement this set of RPCs. Controller Service: the Controller Plugin must implement this set of RPCs. Node Service: the Node Plugin must implement this set of RPCs. Let us go through each RPC service in turn. 1. Identity Service RPC: the Identity Service RPCs allow the CO to query the plugin's capabilities, health status and other metadata. GetPluginInfo: returns the plugin's version and name. GetPluginCapabilities: returns the capabilities the plugin supports; it is mainly used to detect whether the plugin implements the Controller Service and whether it supports volume access topology constraints. All instances of the same version of a plugin must return the same capability set. Probe: its main purpose is to verify that the plugin is healthy and ready. 2. Controller Service RPC ● CreateVolume: provisions a new storage volume; the main request parameters include: name, volume capacity, volume capabilities

How do I create an internal gateway using Istio?

﹥>﹥吖頭↗ submitted on 2021-01-03 06:07:25
Question: Currently, we have successfully set up Istio to create a couple of ingress gateways like api.example.com and app.example.com, which route traffic to a variety of services with destination rules, etc. In addition to this, we would love to use Istio's features for internal-only APIs, but we are unsure of how to set something like this up. Is it possible to use Istio's Gateway and VirtualService CRDs to route traffic without exiting the cluster? If so, how would we go about setting that up? Answer 1: I would

TLS handshake through Istio ingress gateway fails (tlsMode=passthrough)

流过昼夜 submitted on 2021-01-01 09:14:29
Question: A TLS handshake from an external client to a server inside a Kubernetes cluster fails. This is about understanding why. I've configured an Istio ingress gateway to pass through TLS received on port 15433 and route it to the server on port 433. The ingress gateway logs show activity when the client attempts the TLS handshake, but not the server logs, nor the istio-proxy logs. TLS client:

openssl s_client \
  -connect [redacted]-[redacted].us-west-2.elb.amazonaws.com:15443 \
  -servername

Is it possible to replace Cloud SQL proxy with Istio proxy?

感情迁移 submitted on 2021-01-01 06:53:24
Question: Currently I am using Cloud SQL Proxy as a sidecar to connect to a Postgres Cloud SQL database. When using Istio, however, it introduces its own sidecar, which leads to there being two proxies in the pod. So I thought, can the encrypted connection not also be established using Istio? Basically, it is possible to connect to an external IP using Istio. It should also be possible to configure a DestinationRule which configures TLS. And it should also be possible to create client certificates for

How to set AWS ALB instead of ELB in Istio?

蹲街弑〆低调 submitted on 2020-12-30 08:55:31
Question: I am trying to set up an ALB load balancer instead of the default ELB load balancer in Kubernetes on AWS. The load balancer has to be connected to the Istio ingressgateway. I looked for solutions and only found one. But the Istio version mentioned is V1 and there have been so many changes in Istio now. I tried to change the service type to NodePort in the chart (according to the blog), but the service still comes up as a LoadBalancer. Can someone mention the steps for how to configure ALB for the Istio ingressgateway? Thanks for