Istio mTLS misconfiguration causes inconsistent behaviour

pka*_*mol 7 kubernetes tls1.2 istio mtls

Istio is deployed on a GKE cluster with 2 Istio-enabled services.

The Istio version is 1.1.5 and GKE is on v1.15.9-gke.24.

Istio was installed with global.mtls.enabled=true.

serviceA communicates correctly.

serviceB clearly has TLS-related problems.

I launched a non-Istio-enabled deployment, only for testing, and exec'd into the test pod to curl both service endpoints.

/ # curl -v serviceA
* Rebuilt URL to: serviceA/
*   Trying 10.8.61.75...
* TCP_NODELAY set
* Connected to serviceA (10.8.61.75) port 80 (#0)
> GET / HTTP/1.1
> Host: serviceA
> User-Agent: curl/7.57.0
> Accept: */*
>
< HTTP/1.1 200 OK
< content-type: application/json
< content-length: 130
< server: istio-envoy
< date: Sat, 25 Apr 2020 09:45:32 GMT
< x-envoy-upstream-service-time: 2
< x-envoy-decorator-operation: serviceA.mynamespace.svc.cluster.local:80/*
<
{"application":"Flask-Docker Container"}
* Connection #0 to host serviceA left intact


/ # curl -v serviceB
* Rebuilt URL to: serviceB/
*   Trying 10.8.58.228...
* TCP_NODELAY set
* Connected to serviceB (10.8.58.228) port 80 (#0)
> GET / HTTP/1.1
> Host: serviceB
> User-Agent: curl/7.57.0
> Accept: */*
>
* Recv failure: Connection reset by peer
* Closing connection 0
curl: (56) Recv failure: Connection reset by peer

Exec'ing into the Envoy proxy of the problematic service and turning on trace-level logging, I see this error:

serviceB-758bc87dcf-jzjgj istio-proxy [2020-04-24 13:15:21.180][29][debug][connection] [external/envoy/source/extensions/transport_sockets/tls/ssl_socket.cc:168] [C1484] handshake error: 1
serviceB-758bc87dcf-jzjgj istio-proxy [2020-04-24 13:15:21.180][29][debug][connection] [external/envoy/source/extensions/transport_sockets/tls/ssl_socket.cc:201] [C1484] TLS error: 268435612:SSL routines:OPENSSL_internal:HTTP_REQUEST

The Envoy sidecars of both containers show similar information when debugging the certificates.

I verified this by cd-ing into /etc/certs/..data in both istio-proxy containers and running

openssl x509 -in root-cert.pem -noout -text

Both root-cert.pem files are identical!

Since both Istio proxies have exactly the same TLS configuration as far as certificates go, why does serviceB get this mysterious SSL error?

FWIW, serviceB talks to a non-Istio-enabled postgres service.

Could that be what is causing the problem?

However, curling serviceB from inside the container itself returns a healthy response.
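The `HTTP_REQUEST` reason in the Envoy log is what OpenSSL and BoringSSL report when a TLS listener reads an HTTP verb where a TLS record header should be: a client sent plaintext HTTP into a port that expects a (m)TLS handshake, which is what a curl from a pod without a sidecar looks like to a sidecar that only accepts mTLS. The script below is an added example for this thread, not part of the question and not Istio or Envoy code. It models a sidecar inbound listener in STRICT and PERMISSIVE mode with the same first-bytes check a TLS stack makes, runs it on a loopback socket, replays the plaintext `GET` the test pod sends plus a constructed ClientHello prefix, and returns what each side observes. The mode names, byte samples and log strings are assumptions for illustration.

```python
"""A plaintext curl into an mTLS-only listener: why it ends in HTTP_REQUEST and a reset.

Added example for this thread; it is not Istio or Envoy code. It models a sidecar
inbound listener in STRICT and PERMISSIVE mode with the first-bytes check a TLS
stack makes before parsing a record. The byte samples below are constructed.
"""
import socket
import struct
import threading

TLS_HANDSHAKE = 0x16                                     # record content type: handshake
TLS_RECORD_VERSIONS = {0x0300, 0x0301, 0x0302, 0x0303}  # SSL 3.0 .. TLS 1.2 record-layer versions
HTTP_METHOD_PREFIXES = (b"GET ", b"POST", b"HEAD", b"PUT ", b"DELE", b"OPTI", b"PATC", b"CONN")

# Constructed samples: a truncated ClientHello record and the request curl sends.
CLIENT_HELLO_PREFIX = b"\x16\x03\x01\x00\x05\x01\x00\x00\x01\x00"
PLAINTEXT_GET = b"GET / HTTP/1.1\r\nHost: serviceB\r\nUser-Agent: curl/7.57.0\r\nAccept: */*\r\n\r\n"


def classify_first_bytes(prefix: bytes) -> str:
    """Return 'tls', 'http' or 'unknown' for the first bytes of an inbound connection.

    A ClientHello starts with record type 0x16 followed by a record-layer version.
    OpenSSL and BoringSSL recognise a leading HTTP verb and report HTTP_REQUEST,
    the reason string seen in the Envoy log above.
    """
    if len(prefix) >= 3 and prefix[0] == TLS_HANDSHAKE \
            and int.from_bytes(prefix[1:3], "big") in TLS_RECORD_VERSIONS:
        return "tls"
    if prefix[:4] in HTTP_METHOD_PREFIXES:
        return "http"
    return "unknown"


def run_scenario(mode: str, payload: bytes) -> tuple:
    """Start a one-shot loopback listener in `mode` ('STRICT' or 'PERMISSIVE'), send
    `payload` to it as a sidecar-less test pod would, and return
    (what the listener logged, what the client observed)."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    port = srv.getsockname()[1]
    log = []

    def listener():
        conn, _ = srv.accept()
        srv.close()
        conn.settimeout(2)
        with conn:
            prefix = b""
            while len(prefix) < 5:                     # peek without consuming, as a TLS inspector does
                more = conn.recv(5, socket.MSG_PEEK)
                if len(more) <= len(prefix):
                    break
                prefix = more
            kind = classify_first_bytes(prefix)
            if kind == "tls":
                conn.recv(4096)                        # a real sidecar would now run the mTLS handshake
                log.append("tls handshake would proceed")
            elif kind == "http" and mode == "PERMISSIVE":
                conn.recv(4096)                        # permissive: plaintext is served as-is
                conn.sendall(b"HTTP/1.1 200 OK\r\ncontent-length: 2\r\n\r\nok")
                log.append("served plaintext")
            else:
                # STRICT: not a TLS record, so the handshake fails and the connection is
                # torn down with unread bytes still buffered; the client sees a TCP reset.
                log.append("TLS error: HTTP_REQUEST" if kind == "http" else "TLS error: not a TLS record")
                conn.setsockopt(socket.SOL_SOCKET, socket.SO_LINGER, struct.pack("ii", 1, 0))

    t = threading.Thread(target=listener, daemon=True)
    t.start()
    with socket.create_connection(("127.0.0.1", port), timeout=2) as client:
        client.sendall(payload)
        try:
            data = client.recv(4096)
            seen = data.decode(errors="replace") if data else "connection closed by peer"
        except ConnectionResetError:
            seen = "Recv failure: Connection reset by peer"
    t.join()
    return log[0], seen


if __name__ == "__main__":
    for mode, payload in [("STRICT", PLAINTEXT_GET),
                          ("STRICT", CLIENT_HELLO_PREFIX),
                          ("PERMISSIVE", PLAINTEXT_GET)]:
        print(mode, payload[:4], run_scenario(mode, payload))
```

Run it with `python3` and compare the STRICT/plaintext row with the curl output in the question. The takeaway for the cluster is that identical root certificates say nothing about which listener accepts plaintext: what differs between the two services is the inbound mTLS mode the authentication policy gives each one (and the DestinationRule the client side uses), so that is what to diff, for example with `istioctl authn tls-check <pod> <service>` on the Istio 1.1 line, rather than the contents of /etc/certs.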