Istio VirtualService - proxying to an external HTTPS service

Seb*_* A. 0 nexus istio npm-audit istio-gateway

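I am trying to proxy HTTP requests with a specified URI prefix to an external HTTPS server. The idea is to use the internal Nexus repository manager for NPM but, like the GitHub project, without giving up the ability to run "npm audit". This should be done with Istio rather than by deploying an additional application.

I configured a VirtualService and a ServiceEntry to route the traffic to the external service. So far, it has not been possible to convert the HTTP request into an HTTPS request. Is there a way to do this?

Configuration: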

apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
  name: vs-nexus
spec:
  hosts:
  - "test.com"
  gateways:
  - gateway-xy
  http:
  - match:
    - uri:
        prefix: /-/npm/v1/security/audits/
    route:
      - destination:
          port:
            number: 443
          host: registry.npmjs.org
  - route:
    - destination:
        port:
          number: 80
        host: nexus


---
apiVersion: networking.istio.io/v1alpha3
kind: ServiceEntry
metadata:
  name: npmjs-ext
spec:
  hosts:
    - registry.npmjs.org
  ports:
    - number: 443
      name: tls
      protocol: tls
  resolution: DNS
  location: MESH_EXTERNAL


Seb*_* A. 5

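Found the solution: you need to add a DestinationRule with TLS mode "SIMPLE" to connect to the external HTTPS service.

The whole configuration for the problem of forwarding "npm audit" requests to the public "registry.npmjs.org" when you are using a private Nexus repository is: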

apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
  name: vs
spec:
  hosts:
  - "test.com"
  gateways:
  - gateway
  http:
  # Route to npm registry for audit
  # Like this: https://github.com/chovyy/npm-audit-proxy
  # See: https://istio.io/latest/blog/2019/proxy/
  - match:
    - uri:
        prefix: /-/npm/v1/security
    headers:
      request:
        set:
          host: "registry.npmjs.org"
    route:
      - destination:
          port:
            number: 443
          host: registry.npmjs.org

  # For custom Nexus repositories: rewrite the URI so that the prefix of the repository URL is not forwarded to registry.npmjs.org
  - match:
    - uri:
        prefix: /repository/npm-test-repo/-/npm/v1/security
    rewrite:
      uri: /-/npm/v1/security
    headers:
      request:
        set:
          host: "registry.npmjs.org"
    route:
      - destination:
          port:
            number: 443
          host: registry.npmjs.org

  - route:
    - destination:
        port:
          number: 80
        host: nexus

---

apiVersion: networking.istio.io/v1alpha3
kind: ServiceEntry
metadata:
  name: npmjs-ext
spec:
  hosts:
    - registry.npmjs.org
  ports:
    - number: 443
      name: tls
      protocol: TLS
  resolution: DNS
  location: MESH_EXTERNAL

---

apiVersion: networking.istio.io/v1alpha3
kind: DestinationRule
metadata:
  name: npmjs-ext
spec:
  host: registry.npmjs.org
  trafficPolicy:
    tls:
      mode: SIMPLE
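
The difference between the question's and the answer's manifests can be checked mechanically. The following is an added example, not part of the original answer or of Istio: a Python check that flags VirtualService HTTP routes pointing at a MESH_EXTERNAL TLS port with no DestinationRule originating TLS for that host. The function names are hypothetical, the manifests are constructed dicts mirroring the YAML above, and only the top-level `trafficPolicy.tls` is inspected.

```python
# Added example; the manifests below are constructed dicts mirroring this page's YAML.
ORIGINATING = {"SIMPLE", "MUTUAL"}  # DestinationRule TLS modes that originate TLS

def external_tls_ports(manifests):
    """(host, port) pairs that a MESH_EXTERNAL ServiceEntry declares as TLS/HTTPS."""
    pairs = set()
    for m in manifests:
        spec = m["spec"]
        if m["kind"] == "ServiceEntry" and spec.get("location") == "MESH_EXTERNAL":
            for p in spec.get("ports", []):
                if str(p.get("protocol", "")).upper() in ("TLS", "HTTPS"):
                    pairs.update((h, p["number"]) for h in spec.get("hosts", []))
    return pairs

def originating_hosts(manifests):
    """Hosts covered by a DestinationRule whose top-level trafficPolicy originates TLS."""
    return {m["spec"]["host"] for m in manifests
            if m["kind"] == "DestinationRule"
            and m["spec"].get("trafficPolicy", {}).get("tls", {}).get("mode") in ORIGINATING}

def plaintext_routes(manifests):
    """(VirtualService, host, port) for http routes that reach an external TLS port unencrypted."""
    tls_ports, covered = external_tls_ports(manifests), originating_hosts(manifests)
    findings = []
    for m in manifests:
        if m["kind"] != "VirtualService":
            continue
        for rule in m["spec"].get("http", []):
            for r in rule.get("route", []):
                dest = r["destination"]
                key = (dest["host"], dest.get("port", {}).get("number"))
                if key in tls_ports and dest["host"] not in covered:
                    findings.append((m["metadata"]["name"], *key))
    return findings

def _route(host, port):
    return {"route": [{"destination": {"host": host, "port": {"number": port}}}]}
QUESTION = [  # constructed from the question's manifests
    {"kind": "VirtualService", "metadata": {"name": "vs-nexus"},
     "spec": {"http": [_route("registry.npmjs.org", 443), _route("nexus", 80)]}},
    {"kind": "ServiceEntry", "metadata": {"name": "npmjs-ext"},
     "spec": {"hosts": ["registry.npmjs.org"], "location": "MESH_EXTERNAL",
              "ports": [{"number": 443, "name": "tls", "protocol": "tls"}]}},
]
ANSWER = QUESTION + [{"kind": "DestinationRule", "metadata": {"name": "npmjs-ext"},
    "spec": {"host": "registry.npmjs.org", "trafficPolicy": {"tls": {"mode": "SIMPLE"}}}}]

if __name__ == "__main__":
    print(plaintext_routes(QUESTION), plaintext_routes(ANSWER))
```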