Modify the Gateway resource definition and redeploy it. Note that the tls mode value must be set to PASSTHROUGH, which tells the gateway to pass ingress traffic through as-is without terminating TLS; in other words, TLS traffic arriving on port 443 of the mygateway gateway is passed through transparently. The code can be found in the file mygateway.yaml under the directory mtls-go-example/sni:
kubectl apply -f - <<EOF
apiVersion: networking.istio.io/v1alpha3
kind: Gateway
metadata:
  name: mygateway
spec:
  selector:
    istio: ingressgateway # use istio default ingress gateway
  servers:
  - port:
      number: 443
      name: https
      protocol: HTTPS
    tls:
      mode: PASSTHROUGH
    hosts:
    - nginx.example.com
    - nginx.api.com
EOF
The following VirtualService defines the routing rules for traffic entering through the ingress Gateway: after TLS traffic arriving on port 443 of the mygateway gateway is passed through, it is forwarded according to the SNI value, nginx.example.com or nginx.api.com, to the corresponding service inside the mesh, that is, to the internal service nginx or nginx2 respectively. The code can be found in the file nginx-vs.yaml under the directory mtls-go-example/sni:
kubectl apply -f - <<EOF
apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
  name: nginx
spec:
  hosts:
  - nginx.example.com
  - nginx.api.com
  gateways:
  - mygateway
  tls:
  - match:
    - port: 443
      sni_hosts:
      - nginx.example.com
    route:
    - destination:
        host: nginx
        port:
          number: 443
  - match:
    - port: 443
      sni_hosts:
      - nginx.api.com
    route:
    - destination:
        host: nginx2
        port:
          number: 443
EOF