9.1.2 Managing certificate validity periods

The validity period of certificates also affects the stability of the whole system. Earlier versions of Istio gave the Istio self-signed root certificate a default lifetime of one year. If you use Istio self-signed certificates, you need to schedule regular root certificate rotation before they expire: expiry of the root certificate can cause an unexpected cluster-wide outage. Note that Envoy instances are restarted to reload the new root certificate, which may affect long-lived connections.

If you are not currently using mutual TLS in Istio and will not use it in the future, you are not affected and need to take no action. You can also choose to upgrade to 1.1.8 or later to avoid this certificate validity issue in the future. If you are not currently using mutual TLS in Istio but may use it in the future, it is recommended that you upgrade by following the steps listed below. If you are currently using Istio mutual TLS with self-signed certificates, follow this procedure to check whether you are affected.

First, assess the remaining lifetime of the root certificate by checking when it expires. The directory root-transition can be found in the code repository for this book; download the script root-transition.sh from that directory and run it as follows:


chmod +x root-transition.sh
./root-transition.sh check

Perform the remaining steps before the root certificate expires to avoid a system outage.

During the transition, Envoy sidecars may be restarted to reload the new certificates, which may have some impact on your traffic. If your Pilot does not have an Envoy sidecar proxy, consider installing one for it: Pilot validating the new workload certificates against the old root certificate is a problem that can cause connections between Pilot and Envoy to be dropped. By default, the Istio upgrade guide installs Pilot with a sidecar proxy:


./root-transition.sh transition
Create new ca cert, with trust domain as cluster.local
Sun Aug 11 23:02:48 CST 2019 delete old CA secret
secret "istio-ca-secret" deleted
Sun Aug 11 23:02:48 CST 2019 create new CA secret
secret/istio-ca-secret created
Sun Aug 11 23:02:48 CST 2019 Restarting Citadel ...
pod "istio-citadel-8455b8d867-jjbtz" deleted
Sun Aug 11 23:02:59 CST 2019 restarted Citadel, checking status
NAME                             READY   STATUS    RESTARTS   AGE
istio-citadel-8455b8d867-xdl7q   1/1     Running   0          11s
New root certificate:
Certificate:
  Data:
    Version: 1 (0x0)
    Serial Number: 12087458590407451702 (0xa7bf478bbe7ae436)
  Signature Algorithm: sha256WithRSAEncryption
    Issuer: O=cluster.local
    Validity
      Not Before: Aug 11 15:02:48 2019 GMT
      Not After : Aug  8 15:02:48 2029 GMT
    Subject: O=cluster.local
    Subject Public Key Info:
      Public Key Algorithm: rsaEncryption
        Public-Key: (2048 bit)
        Exponent: 65537 (0x10001)
  Signature Algorithm: sha256WithRSAEncryption
Your old certificate is stored as old-ca-cert.pem, and your private key is stored as ca-key.pem
Please save them safely and privately.

Verify that new workload certificates have been generated:


./root-transition.sh verify

This script checks the current root CA certificate is propagated to all the Istio-managed workload secrets in the cluster.
Root cert MD5 is 33f9d1eae5dbbdb18e7be4613d99e2af
Checking namespace: ack-system
  Secret ack-system.istio.ack is matches current root.
  Secret ack-system.istio.default is matches current root.
Checking namespace: authorizationsample
  Secret authorizationsample.istio.default is matches current root.
Checking namespace: default
  Secret default.istio.bookinfo-details is matches current root.
  Secret default.istio.bookinfo-productpage is matches current root.
  Secret default.istio.bookinfo-ratings is matches current root.
  Secret default.istio.bookinfo-reviews is matches current root.
  Secret default.istio.default is matches current root.
  Secret default.istio.sleep is matches current root.
Checking namespace: istio-system
  Secret istio-system.istio.certmanager is matches current root.
  Secret istio-system.istio.default is matches current root.
  Secret istio-system.istio.istio-citadel-service-account is matches current root.
  Secret istio-system.istio.istio-galley-service-account is matches current root.
  Secret istio-system.istio.istio-ingressgateway-service-account is matches current root.
  Secret istio-system.istio.istio-init-operator is matches current root.
  Secret istio-system.istio.istio-mixer-service-account is matches current root.
  Secret istio-system.istio.istio-pilot-service-account is matches current root.
  Secret istio-system.istio.istio-sidecar-injector-service-account is matches current root.
  Secret istio-system.istio.kiali-service-account is matches current root.
  Secret istio-system.istio.prometheus is matches current root.
Checking namespace: nosidecar
  Secret nosidecar.istio.default is matches current root.
Checking namespace: ns1
  Secret ns1.istio.default is matches current root.
Checking namespace: ns2
  Secret ns2.istio.default is matches current root.
------All Istio mutual TLS keys and certificates match with current root!

If this command fails, wait a minute and run it again; it takes Citadel some time to propagate the certificates.

To make sure that the control plane components and all Envoy proxies load the new certificate and key, upgrade to Istio 1.1.8 or later. Then verify that Envoy has loaded the new workload certificate. The following command shows an example of checking the Envoy certificates of pod foo running in namespace bar.


kubectl exec -it sleep-57f9d6fd6b-n4ftq -c istio-proxy -n default -- curl http://localhost:15000/certs | head -c 1000
{
 "certificates": [
  {
   "ca_cert": [
    {
     "path": "/etc/certs/root-cert.pem",
     "serial_number": "a7bf478bbe7ae436",
     "subject_alt_names": [],
     "days_until_expiration": "3649",
     "valid_from": "2019-08-11T15:02:48Z",
     "expiration_time": "2029-08-08T15:02:48Z"
    }
   ],
 ....

Check the valid_from value of ca_cert. If it matches the value in the new certificate printed when you ran ./root-transition.sh transition in the earlier step, your Envoy has loaded the new root certificate.
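The valid_from comparison above, and the expiry check from the first step, can be automated over the JSON that Envoy's admin endpoint returns. The following is an added example, not part of root-transition.sh or of Istio; the sample /certs document is constructed from the values shown on this page, and the 30-day rotation threshold is an assumed policy value.

```python
"""Check whether an Envoy sidecar has loaded the new Istio root certificate
and how much lifetime that root has left (added example, not Istio code)."""
import json
from datetime import datetime, timezone

# Constructed sample of `curl http://localhost:15000/certs` output, using the
# values printed on this page. Fetch the full JSON (without `head -c 1000`),
# otherwise json.loads() fails on the truncated document.
SAMPLE_CERTS_JSON = """
{
 "certificates": [
  {
   "ca_cert": [
    {
     "path": "/etc/certs/root-cert.pem",
     "serial_number": "a7bf478bbe7ae436",
     "subject_alt_names": [],
     "days_until_expiration": "3649",
     "valid_from": "2019-08-11T15:02:48Z",
     "expiration_time": "2029-08-08T15:02:48Z"
    }
   ],
   "cert_chain": []
  }
 ]
}
"""


def parse_envoy_time(value):
    """Envoy prints RFC 3339 UTC timestamps with a trailing 'Z'."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def root_cert_status(certs_json, new_root_valid_from, now_utc, min_days_left=30):
    """For every ca_cert Envoy reports, return whether its valid_from equals the
    Not Before of the new root (from `root-transition.sh transition`) and how
    many days remain, recomputed from expiration_time rather than trusting
    the days_until_expiration string."""
    expected = parse_envoy_time(new_root_valid_from)
    now = parse_envoy_time(now_utc)
    results = []
    for entry in json.loads(certs_json)["certificates"]:
        for ca in entry.get("ca_cert", []):
            days_left = (parse_envoy_time(ca["expiration_time"]) - now).days
            results.append({
                "path": ca["path"],
                "serial_number": ca["serial_number"],
                "loaded_new_root": parse_envoy_time(ca["valid_from"]) == expected,
                "days_left": days_left,
                "needs_rotation": days_left < min_days_left,
            })
    return results
```

Run it against each sidecar's /certs output; any entry with loaded_new_root false is a proxy still on the old root, and needs_rotation flags a root that is inside the rotation window.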