ingressgateway配置多个证书

ingressgateway配置多个证书 创建新的tls secret

创建新的秘密以保存xiaotaozi.mobi的证书:

$ kubectl create -n istio-system secret tls istio-ingressgateway-xinchao-mobi-certs --key xiaotaozi.mobi.key --cert xiaotaozi.mobi.pem
secret "istio-ingressgateway-xinchao-mobi-certs" created

修改IngressGateway部署配置 第一种方法 使用helm上成yaml

使用Helm装载的卷生成ISTIO IngressGateway部署。使用与生成isito.yaml相同的选项：

$ helm template install/kubernetes/helm/istio/ --name istio-ingressgateway --namespace istio-system -x charts/gateways/templates/deployment.yaml --set gateways.istio-egressgateway.enabled=false 
--set gateways.istio-ingressgateway.secretVolumes[0].name=ingressgateway-certs 
--set gateways.istio-ingressgateway.secretVolumes[0].secretName=istio-ingressgateway-certs 
--set gateways.istio-ingressgateway.secretVolumes[0].mountPath=/etc/istio/ingressgateway-certs 
--set gateways.istio-ingressgateway.secretVolumes[1].name=ingressgateway-ca-certs 
--set gateways.istio-ingressgateway.secretVolumes[1].secretName=istio-ingressgateway-ca-certs 
--set gateways.istio-ingressgateway.secretVolumes[1].mountPath=/etc/istio/ingressgateway-ca-certs 
--set gateways.istio-ingressgateway.secretVolumes[2].name=ingressgateway-xinchao-mobi-certs 
--set gateways.istio-ingressgateway.secretVolumes[2].secretName=istio-ingressgateway-xinchao-mobi-certs 
--set gateways.istio-ingressgateway.secretVolumes[2].mountPath=/etc/istio/ingressgateway-xinchao-mobi-certs > 
$HOME/istio-ingressgateway.yaml

应用istio-ingressgateway.yaml：

$ kubectl apply -f $HOME/istio-ingressgateway.yaml
deployment "istio-ingressgateway" configured

第二种方法 手动修改istio-ingressgateway部署

创建新的秘密以保存xiaotaozi.mobi的证书:

$ kubectl create -n istio-system secret tls istio-ingressgateway-xinchao-mobi-certs --key xiaotaozi.mobi.key --cert xiaotaozi.mobi.pem
secret "istio-ingressgateway-xinchao-mobi-certs" created

修改istio-ingressgateway部署

$ kubectl edit deployment/istio-ingressgateway -n istio-system

          volumeMounts:
          - name: istio-certs
            mountPath: /etc/certs
            readOnly: true
          - name: ingressgateway-certs
            mountPath: "/etc/istio/ingressgateway-certs"
            readOnly: true
          - name: ingressgateway-ca-certs
            mountPath: "/etc/istio/ingressgateway-ca-certs"
            readOnly: true
+         - name: ingressgateway-xinchao-mobi-certs
+           mountPath: "/etc/istio/ingressgateway-xinchao-mobi-certs"
+           readOnly: true
      volumes:
      - name: istio-certs
        secret:
          secretName: istio.istio-ingressgateway-service-account
          optional: true
      - name: ingressgateway-certs
        secret:
          secretName: "istio-ingressgateway-certs"
          optional: true
      - name: ingressgateway-ca-certs
        secret:
          secretName: "istio-ingressgateway-ca-certs"
          optional: true
+     - name: ingressgateway-xinchao-mobi-certs
+       secret:
+         secretName: "istio-ingressgateway-xinchao-mobi-certs"
+         optional: true

验证

验证新的证书是后已经加载到新的istio-ingressgateway pod：

$ kubectl exec -it -n istio-system $(kubectl -n istio-system get pods -l istio=ingressgateway -o jsonpath='{.items[0].metadata.name}') -- ls -al /etc/istio/ingressgateway-xinchao-mobi-certs

使用

$ kubectl apply -f - <					
										


					

						
欢迎分享，转载请注明来源：内存溢出
原文地址: http://outofmemory.cn/zaji/5682726.html