---
tags: rancher, kubernetes, istio
---

# rancher istio ingress config

:::info
- Adjust the host-related names in this note to match your own environment!!
- The istio ingress used in this note is the one installed by default; if you have a custom ingress gateway, adjust the istio Gateway settings accordingly.
:::

## use cert-manager Certificate

### cert-manager Certificate

:::info
After pulling this material off my own computer and organizing it for colleagues at work, I found there was a problem; this is probably not needed.
:::

```yaml
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: ingress-cert
  namespace: istio-system
spec:
  secretName: ingress-cert
  commonName: k8s-ubuntu-containerd.mshome.net
  dnsNames:
    - k8s-ubuntu-containerd.mshome.net
  # Issuer references are always required.
  issuerRef:
    name: ca-issuer
    # We can reference ClusterIssuers by changing the kind here.
    # The default value is Issuer (i.e. a locally namespaced Issuer)
    kind: Issuer
    # This is optional since cert-manager will default to this value however
    # if you are using an external issuer, change this to that issuer group.
    group: cert-manager.io
```

### istio Gateway

:::info
Corrected 2023-05-21: if rancher is installed without `--set external-tls`, it automatically creates a secret named `tls-rancher-ingress`; just use that secret as the TLS certificate.
:::

```yaml
apiVersion: networking.istio.io/v1beta1
kind: Gateway
metadata:
  name: rancher-gateway
  namespace: cattle-system
spec:
  selector:
    istio: ingressgateway
  servers:
    - hosts:
        - k8s-ubuntu-containerd.mshome.net
      port:
        name: http
        number: 80
        protocol: HTTP
    - port:
        number: 443
        name: https-443
        protocol: HTTPS
      hosts:
        - k8s-ubuntu-containerd.mshome.net
      tls:
        # mode: PASSTHROUGH
        mode: SIMPLE
        credentialName: cattle-system/tls-rancher-ingress
        # credentialName: ingress-cert
```

### istio virtual service

```yaml
apiVersion: networking.istio.io/v1beta1
kind: VirtualService
metadata:
  name: rancher-vs
  namespace: cattle-system
spec:
  gateways:
    - rancher-gateway
  hosts:
    - "*.mshome.net"
  http:
    - headers:
        request:
          set:
            x-forwarded-proto: https
      route:
        - destination:
            host: rancher.cattle-system.svc.cluster.local
            port:
              number: 80
  tls:
    - match:
        - port: 443
          sniHosts:
            - k8s-ubuntu-containerd.mshome.net
      route:
        - destination:
            host: rancher.cattle-system.svc.cluster.local
            port:
              number: 443
```

## Use External TLS

### istio Gateway

```yaml
apiVersion: networking.istio.io/v1alpha3
kind: Gateway
metadata:
  name: rancher-gateway
  namespace: cattle-system
spec:
  selector:
    istio: rancher-ingressgateway
  servers:
    - port:
        number: 80
        name: http-rancher
        protocol: HTTP
      hosts:
        - "k8s-ubuntu-containerd.mshome.net"
```

### istio virtual service

```yaml
apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
  name: rancher-vs
  namespace: cattle-system
spec:
  hosts:
    - "k8s-ubuntu-containerd.mshome.net"
  gateways:
    - rancher-gateway
  http:
    - route:
        - headers:
            request:
              set:
                x-forwarded-proto: https
          destination:
            host: rancher.cattle-system.svc.cluster.local
            port:
              number: 80
```

### istio DestinationRule

```yaml
apiVersion: networking.istio.io/v1alpha3
kind: DestinationRule
metadata:
  name: rancher
  namespace: cattle-system
spec:
  host: rancher.cattle-system.svc.cluster.local
  trafficPolicy:
    tls:
      mode: DISABLE
```