How to set up PKI for a Multicluster Istio Mesh - PullRequest
1 vote
/ 03 April 2020

I am trying to set up a multicluster mesh topology with replicated control planes using Istio, as described in https://istio.io/docs/setup/install/multicluster/gateways/. My PKI setup has 3 tiers and looks as follows.

PKI hierarchy

  1. A Root CA (root-ca.pem)
  2. An intermediate CA to sign each cluster's Citadel CA (intermediate-ca.pem)
  3. Each cluster's Citadel CA (ca-cert.pem)

Following the installation instructions, I install the certificates into the istio-system namespace with the following command:

kubectl create secret generic cacerts -n istio-system --from-file=./ca-cert.pem \
--from-file=./ca-key.pem --from-file=./root-cert.pem \
--from-file=./cert-chain.pem

In this command, ca-cert.pem is the cluster's CA certificate. ca-key.pem is the private key for ca-cert. cert-chain.pem is the full chain of ca-cert.pem, i.e. cert-chain.pem=$(cat ca-cert.pem intermediate-ca.pem root-ca.pem)

When I install this setup into a cluster, mTLS works fine within the cluster using my own CA, as expected. However, when I go to set up the multicluster environment, calls from cluster A to cluster B fail root certificate verification.

Does anyone know why these certificates can't be trusted if they have the same root CA structure?

Update: I believe this may be related to the target cluster's ingress gateway crashing when it tries to proxy the connection to the backend service.

[Envoy (Epoch 0)] [2020-04-07 15:58:34.193][22][debug][filter] [external/envoy/source/common/tcp_proxy/tcp_proxy.cc:232] [C2] new tcp proxy session
[Envoy (Epoch 0)] [2020-04-07 15:58:34.193][22][trace][connection] [external/envoy/source/common/network/connection_impl.cc:294] [C2] readDisable: enabled=true disable=true state=0
[Envoy (Epoch 0)] [2020-04-07 15:58:34.194][22][trace][filter] [external/envoy/source/extensions/filters/network/sni_cluster/sni_cluster.cc:16] [C2] sni_cluster: new connection with server name outbound_.80_._.nginx.istio-fkt.global
[Envoy (Epoch 0)] [2020-04-07 15:58:34.194][22][trace][filter] [src/envoy/tcp/tcp_cluster_rewrite/tcp_cluster_rewrite.cc:55] [C2] tcp_cluster_rewrite: new connection with server name outbound_.80_._.nginx.istio-fkt.global
[Envoy (Epoch 0)] [2020-04-07 15:58:34.194][22][trace][filter] [src/envoy/tcp/tcp_cluster_rewrite/tcp_cluster_rewrite.cc:64] [C2] tcp_cluster_rewrite: final tcp proxy cluster name outbound_.80_._.nginx.istio-fkt.svc.cluster.local
[Envoy (Epoch 0)] [2020-04-07 15:58:34.194][22][critical][main] [external/envoy/source/exe/terminate_handler.cc:13] std::terminate called! (possible uncaught exception, see trace)
[Envoy (Epoch 0)] [2020-04-07 15:58:34.194][22][critical][backtrace] [bazel-out/k8-opt/bin/external/envoy/source/server/_virtual_includes/backtrace_lib/server/backtrace.h:70] Backtrace (use tools/stack_decode.py to get line numbers):
[Envoy (Epoch 0)] [2020-04-07 15:58:34.194][22][critical][backtrace] [bazel-out/k8-opt/bin/external/envoy/source/server/_virtual_includes/backtrace_lib/server/backtrace.h:71] Envoy version: 73f240a29bece92a8882a36893ccce07b4a54664/1.13.1-dev/Clean/RELEASE/BoringSSL
[Envoy (Epoch 0)] [2020-04-07 15:58:34.205][22][critical][backtrace] [bazel-out/k8-opt/bin/external/envoy/source/server/_virtual_includes/backtrace_lib/server/backtrace.h:75] #0: Envoy::TerminateHandler::logOnTerminate()::$_0::operator()() [0x562ba8ae7dae]
[Envoy (Epoch 0)] [2020-04-07 15:58:34.216][22][critical][backtrace] [bazel-out/k8-opt/bin/external/envoy/source/server/_virtual_includes/backtrace_lib/server/backtrace.h:77] #1: [0x562ba8ae7cb9]
[Envoy (Epoch 0)] [2020-04-07 15:58:34.225][22][critical][backtrace] [bazel-out/k8-opt/bin/external/envoy/source/server/_virtual_includes/backtrace_lib/server/backtrace.h:75] #2: std::__terminate() [0x562ba904aa73]
[Envoy (Epoch 0)] [2020-04-07 15:58:34.234][22][critical][backtrace] [bazel-out/k8-opt/bin/external/envoy/source/server/_virtual_includes/backtrace_lib/server/backtrace.h:75] #3: Envoy::Tcp::TcpClusterRewrite::TcpClusterRewriteFilter::onNewConnection() [0x562ba7209c4d]
[Envoy (Epoch 0)] [2020-04-07 15:58:34.244][22][critical][backtrace] [bazel-out/k8-opt/bin/external/envoy/source/server/_virtual_includes/backtrace_lib/server/backtrace.h:75] #4: Envoy::Network::FilterManagerImpl::onContinueReading() [0x562ba862a582]
[Envoy (Epoch 0)] [2020-04-07 15:58:34.256][22][critical][backtrace] [bazel-out/k8-opt/bin/external/envoy/source/server/_virtual_includes/backtrace_lib/server/backtrace.h:75] #5: Envoy::Network::FilterManagerImpl::initializeReadFilters() [0x562ba862a4e5]
[Envoy (Epoch 0)] [2020-04-07 15:58:34.267][22][critical][backtrace] [bazel-out/k8-opt/bin/external/envoy/source/server/_virtual_includes/backtrace_lib/server/backtrace.h:75] #6: Envoy::Server::ConnectionHandlerImpl::ActiveTcpListener::newConnection() [0x562ba861a547]
[Envoy (Epoch 0)] [2020-04-07 15:58:34.278][22][critical][backtrace] [bazel-out/k8-opt/bin/external/envoy/source/server/_virtual_includes/backtrace_lib/server/backtrace.h:75] #7: Envoy::Server::ConnectionHandlerImpl::ActiveTcpSocket::continueFilterChain() [0x562ba861a1fb]
[Envoy (Epoch 0)] [2020-04-07 15:58:34.287][22][critical][backtrace] [bazel-out/k8-opt/bin/external/envoy/source/server/_virtual_includes/backtrace_lib/server/backtrace.h:75] #8: Envoy::Server::ConnectionHandlerImpl::ActiveTcpListener::onAcceptWorker() [0x562ba861a2f1]
[Envoy (Epoch 0)] [2020-04-07 15:58:34.295][22][critical][backtrace] [bazel-out/k8-opt/bin/external/envoy/source/server/_virtual_includes/backtrace_lib/server/backtrace.h:75] #9: Envoy::Network::ListenerImpl::listenCallback() [0x562ba862dd4c]
[Envoy (Epoch 0)] [2020-04-07 15:58:34.306][22][critical][backtrace] [bazel-out/k8-opt/bin/external/envoy/source/server/_virtual_includes/backtrace_lib/server/backtrace.h:75] #10: listener_read_cb [0x562ba89547c3]
[Envoy (Epoch 0)] [2020-04-07 15:58:34.317][22][critical][backtrace] [bazel-out/k8-opt/bin/external/envoy/source/server/_virtual_includes/backtrace_lib/server/backtrace.h:75] #11: event_process_active_single_queue [0x562ba89529ab]
[Envoy (Epoch 0)] [2020-04-07 15:58:34.329][22][critical][backtrace] [bazel-out/k8-opt/bin/external/envoy/source/server/_virtual_includes/backtrace_lib/server/backtrace.h:75] #12: event_base_loop [0x562ba895123e]
[Envoy (Epoch 0)] [2020-04-07 15:58:34.341][22][critical][backtrace] [bazel-out/k8-opt/bin/external/envoy/source/server/_virtual_includes/backtrace_lib/server/backtrace.h:75] #13: Envoy::Server::WorkerImpl::threadRoutine() [0x562ba8617278]
[Envoy (Epoch 0)] [2020-04-07 15:58:34.352][22][critical][backtrace] [bazel-out/k8-opt/bin/external/envoy/source/server/_virtual_includes/backtrace_lib/server/backtrace.h:75] #14: Envoy::Thread::ThreadImplPosix::ThreadImplPosix()::$_0::__invoke() [0x562ba8b1d953]
[Envoy (Epoch 0)] [2020-04-07 15:58:34.352][22][critical][backtrace] [bazel-out/k8-opt/bin/external/envoy/source/server/_virtual_includes/backtrace_lib/server/backtrace.h:75] #15: start_thread [0x7ff80cbd16db]
[Envoy (Epoch 0)] [2020-04-07 15:58:34.352][22][critical][backtrace] [bazel-out/k8-opt/bin/external/envoy/source/server/_virtual_includes/backtrace_lib/server/backtrace.h:83] Caught Aborted, suspect faulting address 0x10
[Envoy (Epoch 0)] [2020-04-07 15:58:34.352][22][critical][backtrace] [bazel-out/k8-opt/bin/external/envoy/source/server/_virtual_includes/backtrace_lib/server/backtrace.h:70] Backtrace (use tools/stack_decode.py to get line numbers):
[Envoy (Epoch 0)] [2020-04-07 15:58:34.352][22][critical][backtrace] [bazel-out/k8-opt/bin/external/envoy/source/server/_virtual_includes/backtrace_lib/server/backtrace.h:71] Envoy version: 73f240a29bece92a8882a36893ccce07b4a54664/1.13.1-dev/Clean/RELEASE/BoringSSL
[Envoy (Epoch 0)] [2020-04-07 15:58:34.352][22][critical][backtrace] [bazel-out/k8-opt/bin/external/envoy/source/server/_virtual_includes/backtrace_lib/server/backtrace.h:75] #0: __restore_rt [0x7ff80cbdc890]
[Envoy (Epoch 0)] [2020-04-07 15:58:34.363][22][critical][backtrace] [bazel-out/k8-opt/bin/external/envoy/source/server/_virtual_includes/backtrace_lib/server/backtrace.h:77] #1: [0x562ba8ae7cb9]
[Envoy (Epoch 0)] [2020-04-07 15:58:34.363][22][critical][backtrace] [bazel-out/k8-opt/bin/external/envoy/source/server/_virtual_includes/backtrace_lib/server/backtrace.h:75] #2: std::__terminate() [0x562ba904aa73]
[Envoy (Epoch 0)] [2020-04-07 15:58:34.363][22][critical][backtrace] [bazel-out/k8-opt/bin/external/envoy/source/server/_virtual_includes/backtrace_lib/server/backtrace.h:75] #3: Envoy::Tcp::TcpClusterRewrite::TcpClusterRewriteFilter::onNewConnection() [0x562ba7209c4d]
[Envoy (Epoch 0)] [2020-04-07 15:58:34.363][22][critical][backtrace] [bazel-out/k8-opt/bin/external/envoy/source/server/_virtual_includes/backtrace_lib/server/backtrace.h:75] #4: Envoy::Network::FilterManagerImpl::onContinueReading() [0x562ba862a582]
[Envoy (Epoch 0)] [2020-04-07 15:58:34.363][22][critical][backtrace] [bazel-out/k8-opt/bin/external/envoy/source/server/_virtual_includes/backtrace_lib/server/backtrace.h:75] #5: Envoy::Network::FilterManagerImpl::initializeReadFilters() [0x562ba862a4e5]
[Envoy (Epoch 0)] [2020-04-07 15:58:34.363][22][critical][backtrace] [bazel-out/k8-opt/bin/external/envoy/source/server/_virtual_includes/backtrace_lib/server/backtrace.h:75] #6: Envoy::Server::ConnectionHandlerImpl::ActiveTcpListener::newConnection() [0x562ba861a547]
[Envoy (Epoch 0)] [2020-04-07 15:58:34.363][22][critical][backtrace] [bazel-out/k8-opt/bin/external/envoy/source/server/_virtual_includes/backtrace_lib/server/backtrace.h:75] #7: Envoy::Server::ConnectionHandlerImpl::ActiveTcpSocket::continueFilterChain() [0x562ba861a1fb]
[Envoy (Epoch 0)] [2020-04-07 15:58:34.363][22][critical][backtrace] [bazel-out/k8-opt/bin/external/envoy/source/server/_virtual_includes/backtrace_lib/server/backtrace.h:75] #8: Envoy::Server::ConnectionHandlerImpl::ActiveTcpListener::onAcceptWorker() [0x562ba861a2f1]
[Envoy (Epoch 0)] [2020-04-07 15:58:34.363][22][critical][backtrace] [bazel-out/k8-opt/bin/external/envoy/source/server/_virtual_includes/backtrace_lib/server/backtrace.h:75] #9: Envoy::Network::ListenerImpl::listenCallback() [0x562ba862dd4c]
[Envoy (Epoch 0)] [2020-04-07 15:58:34.363][22][critical][backtrace] [bazel-out/k8-opt/bin/external/envoy/source/server/_virtual_includes/backtrace_lib/server/backtrace.h:75] #10: listener_read_cb [0x562ba89547c3]
[Envoy (Epoch 0)] [2020-04-07 15:58:34.363][22][critical][backtrace] [bazel-out/k8-opt/bin/external/envoy/source/server/_virtual_includes/backtrace_lib/server/backtrace.h:75] #11: event_process_active_single_queue [0x562ba89529ab]
[Envoy (Epoch 0)] [2020-04-07 15:58:34.363][22][critical][backtrace] [bazel-out/k8-opt/bin/external/envoy/source/server/_virtual_includes/backtrace_lib/server/backtrace.h:75] #12: event_base_loop [0x562ba895123e]
[Envoy (Epoch 0)] [2020-04-07 15:58:34.363][22][critical][backtrace] [bazel-out/k8-opt/bin/external/envoy/source/server/_virtual_includes/backtrace_lib/server/backtrace.h:75] #13: Envoy::Server::WorkerImpl::threadRoutine() [0x562ba8617278]
[Envoy (Epoch 0)] [2020-04-07 15:58:34.363][22][critical][backtrace] [bazel-out/k8-opt/bin/external/envoy/source/server/_virtual_includes/backtrace_lib/server/backtrace.h:75] #14: Envoy::Thread::ThreadImplPosix::ThreadImplPosix()::$_0::__invoke() [0x562ba8b1d953]
[Envoy (Epoch 0)] [2020-04-07 15:58:34.363][22][critical][backtrace] [bazel-out/k8-opt/bin/external/envoy/source/server/_virtual_includes/backtrace_lib/server/backtrace.h:75] #15: start_thread [0x7ff80cbd16db]
2020-04-07T15:58:34.392193Z error   Epoch 0 exited with error: signal: aborted (core dumped)
2020-04-07T15:58:34.392220Z info    No more active epochs, terminating
...
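The check the question is really asking for is whether each cluster's ca-cert.pem chains to the shared root using only the material placed in the cacerts secret, and whether the root-cert.pem files handed to the two clusters are in fact the same root. The script below is an added example, not part of the original post and not Istio's own tooling: it builds the same 3-tier layout (root, intermediate, per-cluster Citadel CA) with openssl, assembles cert-chain.pem exactly as the question does (cluster CA, then intermediate, then root), and then runs that verification for two clusters under a shared root and a third cluster under an unrelated root, so the failing case is visible beside the working ones. All directory and file names are assumptions chosen to mirror the secret's keys.

```shell
#!/bin/sh
# Added example (not from the question, not Istio tooling): demo 3-tier PKI
# plus the trust checks a multicluster operator should run on the cacerts input.
set -eu

CA_EXT='basicConstraints=critical,CA:TRUE
keyUsage=critical,keyCertSign,cRLSign'

# make_ca DIR NAME CN [ISSUER_CERT ISSUER_KEY]
# Writes DIR/NAME-key.pem and DIR/NAME-cert.pem. With three arguments the
# certificate is self-signed (a root); with five it is signed by the issuer.
make_ca() {
  mc_dir=$1; mc_name=$2; mc_cn=$3
  printf '%s\n' "$CA_EXT" > "$mc_dir/ca.ext"
  openssl req -new -newkey rsa:2048 -nodes -sha256 -subj "/CN=$mc_cn" \
    -keyout "$mc_dir/$mc_name-key.pem" -out "$mc_dir/$mc_name.csr" >/dev/null 2>&1
  if [ $# -eq 3 ]; then
    openssl x509 -req -sha256 -days 30 -in "$mc_dir/$mc_name.csr" \
      -signkey "$mc_dir/$mc_name-key.pem" -extfile "$mc_dir/ca.ext" \
      -out "$mc_dir/$mc_name-cert.pem" >/dev/null 2>&1
  else
    openssl x509 -req -sha256 -days 30 -in "$mc_dir/$mc_name.csr" \
      -CA "$4" -CAkey "$5" -CAcreateserial -extfile "$mc_dir/ca.ext" \
      -out "$mc_dir/$mc_name-cert.pem" >/dev/null 2>&1
  fi
}

# make_cluster OUT NAME INT_CERT INT_KEY ROOT_CERT
# Produces the four files the cacerts secret is created from, with
# cert-chain.pem assembled as in the question: cluster CA, intermediate, root.
make_cluster() {
  mk_out=$1/$2; mkdir -p "$mk_out"
  make_ca "$mk_out" ca "$2 Citadel CA" "$3" "$4"
  cp "$5" "$mk_out/root-cert.pem"
  cat "$mk_out/ca-cert.pem" "$3" "$5" > "$mk_out/cert-chain.pem"
}

# verify_cluster_ca ROOT_CERT CLUSTER_DIR
# Returns 0 when CLUSTER_DIR/ca-cert.pem chains up to ROOT_CERT using only the
# intermediates carried in cert-chain.pem (what a remote gateway gets to see).
verify_cluster_ca() {
  if openssl verify -CAfile "$1" -untrusted "$2/cert-chain.pem" \
       "$2/ca-cert.pem" >/dev/null 2>&1
  then return 0; else return 1; fi
}

# root_fingerprint CERT: SHA-256 fingerprint, to compare root-cert.pem across clusters
root_fingerprint() {
  openssl x509 -in "$1" -noout -fingerprint -sha256 | sed 's/^.*=//'
}

# build_demo: one shared root with two clusters under it, and a third cluster
# under an unrelated root (the misconfiguration case). Prints the work directory.
build_demo() {
  bd=$(mktemp -d)
  mkdir -p "$bd/shared" "$bd/other"
  make_ca "$bd/shared" root "Shared Root CA"
  make_ca "$bd/shared" intermediate "Shared Intermediate CA" \
    "$bd/shared/root-cert.pem" "$bd/shared/root-key.pem"
  make_ca "$bd/other" root "Other Root CA"
  make_ca "$bd/other" intermediate "Other Intermediate CA" \
    "$bd/other/root-cert.pem" "$bd/other/root-key.pem"
  make_cluster "$bd" cluster-a "$bd/shared/intermediate-cert.pem" \
    "$bd/shared/intermediate-key.pem" "$bd/shared/root-cert.pem"
  make_cluster "$bd" cluster-b "$bd/shared/intermediate-cert.pem" \
    "$bd/shared/intermediate-key.pem" "$bd/shared/root-cert.pem"
  make_cluster "$bd" cluster-c "$bd/other/intermediate-cert.pem" \
    "$bd/other/intermediate-key.pem" "$bd/other/root-cert.pem"
  printf '%s\n' "$bd"
}

# Usage: sh pki-check.sh demo  (verifies every cluster against cluster-a's root)
if [ "${1:-}" = "demo" ]; then
  d=$(build_demo)
  for c in cluster-a cluster-b cluster-c; do
    if verify_cluster_ca "$d/cluster-a/root-cert.pem" "$d/$c"; then r=trusted; else r=REJECTED; fi
    printf '%s: %s (root %s)\n' "$c" "$r" "$(root_fingerprint "$d/$c/root-cert.pem")"
  done
  rm -rf "$d"
fi
```

Against real clusters the same two functions apply to the files extracted from each cluster's cacerts secret: if verify_cluster_ca fails for a peer's files, or the root fingerprints differ between clusters, the gateways will reject the peer's certificate no matter how the hierarchy is drawn.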