Personal troubleshooting notes only.

Reference: https://www.codercto.com/a/30981.html

Environment: k8s 1.12.5, istio 1.0.6

Istio and the official demo app bookinfo are deployed and working.

kubectl get svc -n istio-system

istio-ingressgateway     LoadBalancer   10.68.127.105   <pending>     80:31380/TCP,443:31390/TCP,31400:31400/TCP,15011:25726/TCP,8060:36952/TCP,853:31262/TCP,15030:23502/TCP,15031:26498/TCP   83d

The demo gateway uses port 80, which the ingress gateway exposes as NodePort 31380 (the LoadBalancer IP is still pending), so the page is reachable at <node IP>:31380/productpage.

Problem:

Run

 kubectl apply -f samples/bookinfo/networking/destination-rule-reviews.yaml  

After this destination rule is added, reloading the page shows:

Error fetching product reviews!    
Sorry, product reviews are currently unavailable for this book.

Check the pod logs, starting with the productpage sidecar:

kubectl logs -f --tail 50 -n default -c istio-proxy productpage-v1-8d69b45c-b6vwr

It logs 503 responses, with response flag UC (upstream connection termination), for the reviews v3 subset:

[2019-06-05T09:08:05.203Z] "GET /reviews/0 HTTP/1.1" 503 UC 0 57 0 - "-" "python-requests/2.18.4" "8185c0b4-9992-9153-b9d9-50d43bb1fe48" "reviews:9080" "172.20.166.134:9080" outbound|9080|v3|reviews.default.svc.cluster.local - 10.68.241.202:9080 172.20.166.135:47110
[2019-06-05T09:08:05.208Z] "GET /reviews/0 HTTP/1.1" 503 UC 0 57 0 - "-" "python-requests/2.18.4" "8185c0b4-9992-9153-b9d9-50d43bb1fe48" "reviews:9080" "172.20.166.134:9080" outbound|9080|v3|reviews.default.svc.cluster.local - 10.68.241.202:9080 172.20.166.135:47114

Then check the reviews pod. The application container logs nothing at all for these requests, so the connection is being dropped before it reaches the app.

Run the following to raise the reviews-v3 sidecar (istio-proxy, i.e. Envoy) log level to trace so that every connection event is logged:

kubectl exec -it -c istio-proxy reviews-v3-748456d47b-nn86k  -- curl -X POST http://localhost:15000/logging?level=trace

Checking the sidecar log again shows this error:

[2019-06-05 09:08:05.204][27][debug][connection] external/envoy/source/common/ssl/ssl_socket.cc:141] [C97] SSL error: 268435612:SSL routines:OPENSSL_internal:HTTP_REQUEST

The error is TLS-related: the reviews sidecar (server side) expected a TLS handshake on port 9080 but received a plaintext HTTP request (BoringSSL's HTTP_REQUEST reason code), so it closed the connection, which the productpage sidecar (client side) reports as 503 with flag UC.
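The following shell example is added here and is not part of the original post; it automates the triage above. It scans the client sidecar's access log for 503/UC responses per upstream cluster and the server sidecar's debug log for the HTTP_REQUEST SSL error, and reports the clusters that show both symptoms. The log lines are constructed from the two access-log lines and the SSL error above, plus one healthy request for contrast; the file names are assumptions.

```shell
#!/bin/sh
# Added example (not from the original post): detect the "client sends plaintext,
# server only accepts mTLS" pattern from Envoy sidecar logs.

# Constructed sample input: the two 503/UC lines from the post plus one healthy
# 200 to the details service (constructed) so the filter has something to skip.
CLIENT_ACCESS_LOG='[2019-06-05T09:08:05.203Z] "GET /reviews/0 HTTP/1.1" 503 UC 0 57 0 - "-" "python-requests/2.18.4" "8185c0b4-9992-9153-b9d9-50d43bb1fe48" "reviews:9080" "172.20.166.134:9080" outbound|9080|v3|reviews.default.svc.cluster.local - 10.68.241.202:9080 172.20.166.135:47110
[2019-06-05T09:08:05.208Z] "GET /reviews/0 HTTP/1.1" 503 UC 0 57 0 - "-" "python-requests/2.18.4" "8185c0b4-9992-9153-b9d9-50d43bb1fe48" "reviews:9080" "172.20.166.134:9080" outbound|9080|v3|reviews.default.svc.cluster.local - 10.68.241.202:9080 172.20.166.135:47114
[2019-06-05T09:08:05.301Z] "GET /details/0 HTTP/1.1" 200 - 0 178 3 2 "-" "python-requests/2.18.4" "8185c0b4-9992-9153-b9d9-50d43bb1fe48" "details:9080" "172.20.166.130:9080" outbound|9080||details.default.svc.cluster.local - 10.68.200.17:9080 172.20.166.135:47120'

# Constructed sample input: the SSL error line from the post plus one unrelated
# debug line (constructed) from the reviews-v3 sidecar.
SERVER_DEBUG_LOG='[2019-06-05 09:08:05.204][27][debug][connection] external/envoy/source/common/ssl/ssl_socket.cc:141] [C97] SSL error: 268435612:SSL routines:OPENSSL_internal:HTTP_REQUEST
[2019-06-05 09:08:05.204][27][debug][connection] external/envoy/source/common/network/connection_impl.cc:133] [C97] closing socket: 0'

# Count 503 responses with flag UC (upstream connection termination) per upstream
# cluster in an Envoy access log read from stdin.
# Default Istio 1.0 access-log layout: $1 timestamp, $2-$4 quoted request line,
# $5 status, $6 response flags; the "outbound|..." token is the upstream cluster.
# Output: "<count> <cluster>" per affected cluster, sorted.
uc_503_by_cluster() {
  awk '
    $5 == "503" && $6 == "UC" {
      for (i = 1; i <= NF; i++) if ($i ~ /^(outbound|inbound)[|]/) cnt[$i]++
    }
    END { for (c in cnt) print cnt[c], c }
  ' | sort
}

# Return 0 when the server-side sidecar debug log on stdin shows BoringSSL
# rejecting a plaintext HTTP request where a TLS ClientHello was expected.
plaintext_to_tls_port() {
  grep -q 'SSL error:.*HTTP_REQUEST'
}

# Combine both sides. Exit 0 and print the affected clusters when the client
# logs 503/UC to some cluster AND the server sidecar logs HTTP_REQUEST; this is
# the signature of a DestinationRule without tls settings in an mTLS mesh.
# Usage: suspect_mtls_mismatch <client_access_log> <server_debug_log>
suspect_mtls_mismatch() {
  clusters=$(uc_503_by_cluster < "$1")
  [ -n "$clusters" ] || return 1
  plaintext_to_tls_port < "$2" || return 1
  printf '%s\n' "$clusters"
  return 0
}

# Demo run on the constructed logs (file names are assumptions).
tmp=$(mktemp -d)
printf '%s\n' "$CLIENT_ACCESS_LOG" > "$tmp/productpage-proxy.log"
printf '%s\n' "$SERVER_DEBUG_LOG"  > "$tmp/reviews-v3-proxy.log"
if suspect_mtls_mismatch "$tmp/productpage-proxy.log" "$tmp/reviews-v3-proxy.log"; then
  echo "suspect: client originates plaintext to an mTLS-only upstream; add trafficPolicy.tls.mode ISTIO_MUTUAL"
fi
```

In a live cluster the two inputs are the outputs of the two kubectl logs commands on this page (productpage sidecar without the trace level, reviews-v3 sidecar after raising it to trace); the response-flag check is what distinguishes this case from an application-level 503, which Envoy logs with flag "-".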

Fix:

Edit samples/bookinfo/networking/destination-rule-reviews.yaml and add a tls setting under spec.trafficPolicy:

  trafficPolicy:
    tls:
      mode: ISTIO_MUTUAL

Then kubectl apply the file again; the reviews section loads normally.
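For reference, the complete corrected file as applied here. This is an added example, not a copy from the original post: the three subsets follow the Istio 1.0 sample destination-rule-reviews.yaml, the trafficPolicy block is the fix above, and the comment marks the weak setting (no tls block at all) that caused the 503s.

```yaml
apiVersion: networking.istio.io/v1alpha3
kind: DestinationRule
metadata:
  name: reviews
spec:
  host: reviews
  # Weak setting: the sample has no trafficPolicy. In an mTLS mesh that makes this
  # rule replace the mesh-wide default for "reviews" with plain TCP origination,
  # and the reviews sidecar (STRICT) closes the connection -> 503 UC.
  # Corrected setting:
  trafficPolicy:
    tls:
      mode: ISTIO_MUTUAL   # use the sidecar certificates Istio issues; leave other tls fields empty
  subsets:
  - name: v1
    labels:
      version: v1
  - name: v2
    labels:
      version: v2
  - name: v3
    labels:
      version: v3
```

A quick way to catch this before applying any DestinationRule in a STRICT mesh: `kubectl get meshpolicy default -o yaml` must show `peers: - mtls: {}` (or mode STRICT), and every DestinationRule for an in-mesh host must then carry `trafficPolicy.tls.mode: ISTIO_MUTUAL`, either at spec level as here or in each subset's own trafficPolicy.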

 

Root cause:

The Istio deployment has mesh-wide mutual TLS (mTLS) enabled; see the docs: https://istio.io/docs/tasks/security/authn-policy/#globally-enabling-istio-mutual-tls

Verification:

[root@master1 networking]# kubectl get MeshPolicy default -o yaml
apiVersion: authentication.istio.io/v1alpha1
kind: MeshPolicy
metadata:
  annotations:
    kubectl.kubernetes.io/last-applied-configuration: |
      {"apiVersion":"authentication.istio.io/v1alpha1","kind":"MeshPolicy","metadata":{"annotations":{},"labels":{"app":"istio-security","chart":"security-1.0.6","heritage":"Tiller","release":"istio"},"name":"default","namespace":""},"spec":{"peers":[{"mtls":{}}]}}
  creationTimestamp: 2019-03-13T10:52:26Z
  generation: 1
  labels:
    app: istio-security
    chart: security-1.0.6
    heritage: Tiller
    release: istio
  name: default
  resourceVersion: "1856"
  selfLink: /apis/authentication.istio.io/v1alpha1/meshpolicies/default
  uid: 16c622f0-457e-11e9-acf2-005056a6096b
spec:
  peers:
  - mtls: {}

So a DestinationRule created in this mesh must carry a tls setting. Two details explain why: `mtls: {}` in the MeshPolicy leaves mode unset, and the default mode is STRICT, so every sidecar accepts only mTLS on inbound connections; and once a DestinationRule exists for the reviews host, its trafficPolicy (in the sample: none, so no TLS origination) is what the client sidecar uses for that host, replacing the mesh-wide default rule that the mTLS install creates for *.local. The result is a plaintext client talking to an mTLS-only server. The tls settings are documented at:

https://istio.io/docs/reference/config/networking/v1alpha3/destination-rule/

 

TLSSettings.TLSmode

Mode: Description

DISABLE: Do not set up a TLS connection to the upstream endpoint.

SIMPLE: Originate a TLS connection to the upstream endpoint.

MUTUAL: Secure connections to the upstream using mutual TLS by presenting client certificates for authentication.

ISTIO_MUTUAL: Secure connections to the upstream using mutual TLS by presenting client certificates for authentication. Compared to MUTUAL mode, this mode uses certificates generated automatically by Istio for mTLS authentication. When this mode is used, all other fields in TLSSettings should be empty.

ISTIO_MUTUAL therefore means mTLS with the certificates Istio issues to each sidecar automatically, which is exactly what a mesh-wide MeshPolicy requires on the server side.

 

Further reading:

https://istio.io/docs/reference/config/istio.authentication.v1alpha1/#MutualTls

mTLS can also be configured on the server side through a Policy; the main settings are:

MutualTls.Mode

Mode: Description

STRICT: Client cert must be presented, connection is in TLS.

PERMISSIVE: Connection can be either plaintext or TLS, and client cert can be omitted.

PERMISSIVE mode accepts traffic from pods that are not managed by Istio (no sidecar, so plaintext), at the cost of no longer proving the client's identity on those connections; it is intended for migration, not as the end state.

Scope is set with targets: a Policy named default with no targets applies to its whole namespace, while targets.name restricts it to specific services (and optionally ports) in that namespace. A Policy applies to services, not to individual pods.
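An added example (not from the original post or the Istio samples) of such a scoped Policy: the mesh stays STRICT, only the reviews service is relaxed to PERMISSIVE, for instance while a legacy client without a sidecar still has to reach it. The policy name is an assumption.

```yaml
apiVersion: authentication.istio.io/v1alpha1
kind: Policy
metadata:
  name: reviews-permissive   # assumed name; any name other than "default" keeps it service-scoped
  namespace: default
spec:
  # targets limits the policy to the named service(s) in this namespace.
  # Omit targets and name the Policy "default" to cover the whole namespace.
  targets:
  - name: reviews
  peers:
  - mtls:
      mode: PERMISSIVE   # accept both plaintext and mTLS; client identity is no longer guaranteed
```

With this in place the 503s above would disappear even without the tls block in the DestinationRule, because the reviews sidecar now also accepts plaintext; that hides the client-side misconfiguration rather than fixing it. The DestinationRule fix above is the right repair because it keeps reviews traffic both encrypted and mutually authenticated.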
