incfly · July 30, 2021 00:15 · incfly · Jul 30, 2021
diff --git a/istioapi.yaml b/istioapi.yaml
 apiVersion: networking.istio.io/v1beta1
 kind: ServiceEntry
 metadata:
  name: nginx-se
 spec:
  hosts:
  - "my-nginx.bar.svc.cluster.local"
  ports:
  - number: 443
    name: http
    protocol: HTTP
  resolution: STATIC
  endpoints:
  - address: 10.32.5.5 # pod ip of nginx pod.
 ---
 apiVersion: networking.istio.io/v1alpha3
 kind: DestinationRule
 metadata:
  name: nginx-dr
 spec:
  # host: nginx.example.com
  #httpbin.bar vs httpbin.bar.svc.cluster.local is different. first do not work...
  host: "my-nginx.bar.svc.cluster.local" 
  trafficPolicy:
    tls:
      mode: MUTUAL
      clientCertificate: /etc/certs/tls.crt
      privateKey: /etc/certs/tls.key
diff --git a/nginx-nosidecar.yaml b/nginx-nosidecar.yaml
 apiVersion: v1
 kind: Service
 metadata:
  name: my-nginx
  labels:
    run: my-nginx
 spec:
  ports:
  - port: 443
    protocol: TCP
  selector:
    run: my-nginx
 ---
 apiVersion: apps/v1
 kind: Deployment
 metadata:
  name: my-nginx
 spec:
  selector:
    matchLabels:
      run: my-nginx
  replicas: 1
  template:
    metadata:
      labels:
        run: my-nginx
    spec:
      containers:
      - name: my-nginx
        image: nginx
        ports:
        - containerPort: 443
        volumeMounts:
        - name: nginx-config
          mountPath: /etc/nginx
          readOnly: true
        - name: nginx-server-certs
          mountPath: /etc/nginx-server-certs
          readOnly: true
      volumes:
      - name: nginx-config
        configMap:
          name: nginx-configmap
      - name: nginx-server-certs
        secret:
          secretName: nginx-server-certs
diff --git a/nginx.conf b/nginx.conf
 events {
 }

 http {
  log_format main '$remote_addr - $remote_user [$time_local]  $status '
  '"$request" $body_bytes_sent "$http_referer" '
  '"$http_user_agent" "$http_x_forwarded_for"';
  access_log /var/log/nginx/access.log main;
  error_log  /var/log/nginx/error.log;

  server {
    listen 443 ssl;

    root /usr/share/nginx/html;
    index index.html;

    server_name nginx.example.com;
    ssl_certificate /etc/nginx-server-certs/tls.crt;
    ssl_certificate_key /etc/nginx-server-certs/tls.key;
  }
 }
diff --git a/sleep-client-sidecared.yaml b/sleep-client-sidecared.yaml
 apiVersion: apps/v1
 kind: Deployment
 metadata:
  name: sleep
 spec:
  replicas: 1
  selector:
    matchLabels:
      app: sleep
  template:
    metadata:
      annotations:
        # https://discuss.istio.io/t/where-to-mount-mtls-certs-referred-to-in-destinationrule/7159/2
        sidecar.istio.io/userVolumeMount: '[{"name":"nginx-server-certs", "mountPath":"/etc/certs", "readonly":true}]'
        sidecar.istio.io/userVolume: '[{"name":"nginx-server-certs", "secret":{"secretName":"nginx-server-certs"}}]'
      labels:
        app: sleep
    spec:
      terminationGracePeriodSeconds: 0
      serviceAccountName: sleep
      containers:
      - name: sleep
        image: curlimages/curl
        command: ["/bin/sleep", "3650d"]
        imagePullPolicy: IfNotPresent
        volumeMounts:
        - mountPath: /etc/sleep/tls
          name: secret-volume
      volumes:
      - name: secret-volume
        secret:
          secretName: sleep-secret
          optional: true
	apiVersion: networking.istio.io/v1beta1
	kind: ServiceEntry
	metadata:
	name: nginx-se
	spec:
	hosts:
	- "my-nginx.bar.svc.cluster.local"
	ports:
	- number: 443
	name: http
	protocol: HTTP
	resolution: STATIC
	endpoints:
	- address: 10.32.5.5 # pod ip of nginx pod.
	---
	apiVersion: networking.istio.io/v1alpha3
	kind: DestinationRule
	metadata:
	name: nginx-dr
	spec:
	# host: nginx.example.com
	#httpbin.bar vs httpbin.bar.svc.cluster.local is different. first do not work...
	host: "my-nginx.bar.svc.cluster.local"
	trafficPolicy:
	tls:
	mode: MUTUAL
	clientCertificate: /etc/certs/tls.crt
	privateKey: /etc/certs/tls.key
	apiVersion: v1
	kind: Service
	metadata:
	name: my-nginx
	labels:
	run: my-nginx
	spec:
	ports:
	- port: 443
	protocol: TCP
	selector:
	run: my-nginx
	---
	apiVersion: apps/v1
	kind: Deployment
	metadata:
	name: my-nginx
	spec:
	selector:
	matchLabels:
	run: my-nginx
	replicas: 1
	template:
	metadata:
	labels:
	run: my-nginx
	spec:
	containers:
	- name: my-nginx
	image: nginx
	ports:
	- containerPort: 443
	volumeMounts:
	- name: nginx-config
	mountPath: /etc/nginx
	readOnly: true
	- name: nginx-server-certs
	mountPath: /etc/nginx-server-certs
	readOnly: true
	volumes:
	- name: nginx-config
	configMap:
	name: nginx-configmap
	- name: nginx-server-certs
	secret:
	secretName: nginx-server-certs
	events {
	}

	http {
	log_format main '$remote_addr - $remote_user [$time_local] $status '
	'"$request" $body_bytes_sent "$http_referer" '
	'"$http_user_agent" "$http_x_forwarded_for"';
	access_log /var/log/nginx/access.log main;
	error_log /var/log/nginx/error.log;

	server {
	listen 443 ssl;

	root /usr/share/nginx/html;
	index index.html;

	server_name nginx.example.com;
	ssl_certificate /etc/nginx-server-certs/tls.crt;
	ssl_certificate_key /etc/nginx-server-certs/tls.key;
	}
	}