Question
My Gateway file is as follows:

apiVersion: networking.istio.io/v1alpha3
kind: Gateway
metadata:
  name: my-gateway-secure
  namespace: myapp
spec:
  selector:
    istio: ingressgateway # use istio default controller
  servers:
  - port:
      number: 443
      name: https
      protocol: HTTPS
    tls:
      mode: SIMPLE
      serverCertificate: /etc/istio/ingressgateway-certs/tls.crt
      privateKey: /etc/istio/ingressgateway-certs/tls.key
      #caCertificates: /etc/istio/ingressgateway-ca-certs/kbundle.crt
    hosts:
    - "*"
---
apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
  name: my-gateway-service-secure
  namespace: myapp
spec:
  hosts:
  - "sub.domaincom"
  gateways:
  - my-gateway-secure
  http:
  - route:
    - destination:
        host: my-mono
        port:
          number: 443
          protocol: TCP

And my Service file is:

apiVersion: v1
kind: Service
metadata:
  name: my-mono
  namespace: myapp
  labels:
    tier: backend
spec:
  selector:
    app: my-mono
    tier: backend
  ports:
  - port: 443
    name: https
    protocol: TCP

The Deployment file is as follows:

apiVersion: apps/v1
kind: Deployment
metadata:
  name: my-mono
  namespace: myapp
spec:
  replicas: 1
  selector:
    matchLabels:
      app: my-mono
  template:
    metadata:
      labels:
        app: my-mono
    spec:
      containers:
      - name: my-mono
        image: myapacheimage
        imagePullPolicy: Never
        ports:
        - containerPort: 443

When I access my service through the gateway, it says:
Bad Request Your browser sent a request that this server could not understand. Reason: You're speaking plain HTTP to an SSL-enabled server port. Instead use the HTTPS scheme to access this URL, please. Apache/2.4.38 (Debian) Server at 10.0.159.77 Port 443
I can confirm that Apache is only listening on 443 and is properly configured.
Answer 1:
Your configuration uses TLS termination on the Istio gateway. So the HTTPS traffic entering the Istio ingress is decrypted to plain HTTP traffic before reaching your service endpoint.
To fix this, you need to configure HTTPS ingress access to an HTTPS service, i.e., configure an ingress gateway to perform SNI passthrough instead of TLS termination on incoming requests.
You can find an example of Ingress Gateway without TLS Termination in the Istio documentation guide here.
Your Gateway and VirtualService should look something like this:

apiVersion: networking.istio.io/v1alpha3
kind: Gateway
metadata:
  name: my-gateway-secure
  namespace: myapp
spec:
  selector:
    istio: ingressgateway # use istio default controller
  servers:
  - port:
      number: 443
      name: https
      protocol: HTTPS
    tls:
      mode: PASSTHROUGH
    hosts:
    - "*"
---
apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
  name: my-gateway-service-secure
  namespace: myapp
spec:
  hosts:
  - "sub.domaincom"
  gateways:
  - my-gateway-secure
  tls:
  - match:
    - port: 443
      sni_hosts:
      - "sub.domaincom"
    route:
    - destination:
        host: my-mono
        port:
          number: 443

Hope it helps.
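
A pre-deployment check for the mismatch discussed above, as an added example that is not part of the original question or answer: it flags a Gateway that terminates TLS while an `http` route forwards to a TLS-only backend port, and a PASSTHROUGH Gateway with no `tls` route. The function names, the "port named https* or numbered 443" heuristic, and matching the destination host to the Service by short name are assumptions; the manifests are constructed dicts modeled on the post.

```python
# Added example. Manifests are constructed, already-parsed dicts modeled on the post.
TERMINATING = {"SIMPLE", "MUTUAL"}  # gateway modes that decrypt before forwarding

def tls_backend_ports(services):
    """Heuristic (assumption): a port named https* or numbered 443 expects TLS."""
    return {(s["metadata"]["name"], p["port"])
            for s in services for p in s["spec"]["ports"]
            if p.get("name", "").startswith("https") or p["port"] == 443}

def lint(gateways, virtual_services, services):
    """Return findings for gateway TLS mode / route type / backend mismatches."""
    findings, tls_ports, modes = [], tls_backend_ports(services), {}
    for gw in gateways:  # gateway name -> TLS modes of its HTTPS servers
        for srv in gw["spec"]["servers"]:
            if srv["port"]["protocol"] == "HTTPS":
                mode = srv.get("tls", {}).get("mode")
                modes.setdefault(gw["metadata"]["name"], set()).add(mode)
    for vs in virtual_services:
        name, spec = vs["metadata"]["name"], vs["spec"]
        for gw_name in spec.get("gateways", []):
            gw_modes = modes.get(gw_name, set())
            for rule in spec.get("http", []):
                for r in rule.get("route", []):
                    dest = r["destination"]
                    key = (dest["host"], dest.get("port", {}).get("number"))
                    if gw_modes & TERMINATING and key in tls_ports:
                        findings.append(f"{name}: {gw_name} terminates TLS, but the "
                                        f"http route sends plain HTTP to {key[0]}:{key[1]}")
            if "PASSTHROUGH" in gw_modes and not spec.get("tls"):
                findings.append(f"{name}: {gw_name} is PASSTHROUGH, but no tls route exists")
    return findings

def gateway(mode):  # constructed sample input
    return {"metadata": {"name": "my-gateway-secure"}, "spec": {"servers": [
        {"port": {"number": 443, "name": "https", "protocol": "HTTPS"},
         "tls": {"mode": mode}, "hosts": ["*"]}]}}

def virtual_service(kind):  # kind is "http" (question) or "tls" (answer)
    rule = {"route": [{"destination": {"host": "my-mono", "port": {"number": 443}}}]}
    if kind == "tls":
        rule["match"] = [{"port": 443, "sni_hosts": ["sub.domaincom"]}]
    return {"metadata": {"name": "my-gateway-service-secure"}, "spec": {
        "hosts": ["sub.domaincom"], "gateways": ["my-gateway-secure"], kind: [rule]}}

SERVICE = {"metadata": {"name": "my-mono"},
           "spec": {"ports": [{"port": 443, "name": "https", "protocol": "TCP"}]}}

if __name__ == "__main__":
    print(lint([gateway("SIMPLE")], [virtual_service("http")], [SERVICE]))
    print(lint([gateway("PASSTHROUGH")], [virtual_service("tls")], [SERVICE]))
```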
Source: https://stackoverflow.com/questions/60655838/kubernets-youre-speaking-plain-http-to-an-ssl-enabled-server-port