    Keys and certificates

    If you suspect that some of the keys or certificates used by Istio are incorrect, the first step is to make sure Citadel is healthy.

    You can then verify that Citadel is actually generating keys and certificates:

    $ kubectl get secret istio.my-sa -n my-ns
    NAME          TYPE                    DATA   AGE
    istio.my-sa   istio.io/key-and-cert   3      24d

    where my-ns and my-sa are the namespace and the service account your pod runs under.

    If you want to check the keys and certificates of other service accounts, you can run the following command to list every secret for which Citadel has generated a key and certificate:

    $ kubectl get secret --all-namespaces | grep istio.io/key-and-cert
    NAMESPACE      NAME                                            TYPE                    DATA   AGE
    .....
    istio-system   istio.istio-citadel-service-account             istio.io/key-and-cert   3      14d
    istio-system   istio.istio-cleanup-old-ca-service-account      istio.io/key-and-cert   3      14d
    istio-system   istio.istio-egressgateway-service-account       istio.io/key-and-cert   3      14d
    istio-system   istio.istio-ingressgateway-service-account      istio.io/key-and-cert   3      14d
    istio-system   istio.istio-mixer-post-install-account          istio.io/key-and-cert   3      14d
    istio-system   istio.istio-mixer-service-account               istio.io/key-and-cert   3      14d
    istio-system   istio.istio-pilot-service-account               istio.io/key-and-cert   3      14d
    istio-system   istio.istio-sidecar-injector-service-account    istio.io/key-and-cert   3      14d
    istio-system   istio.prometheus                                istio.io/key-and-cert   3      14d
    kube-public    istio.default                                   istio.io/key-and-cert   3      14d
    .....

    Then check that the certificate is valid:

    $ kubectl get secret -o json istio.my-sa -n my-ns | jq -r '.data["cert-chain.pem"]' | base64 --decode | openssl x509 -noout -text
    Certificate:
        Data:
            Version: 3 (0x2)
            Serial Number:
                99:59:6b:a2:5a:f4:20:f4:03:d7:f0:bc:59:f5:d8:40
        Signature Algorithm: sha256WithRSAEncryption
            Issuer: O = k8s.cluster.local
            Validity
                Not Before: Jun 4 20:38:20 2018 GMT
                Not After : Sep 2 20:38:20 2018 GMT
            Subject: O =
            Subject Public Key Info:
                Public Key Algorithm: rsaEncryption
                    Public-Key: (2048 bit)
                    Modulus:
                        00:c8:a0:08:24:61:af:c1:cb:81:21:90:cc:03:76:
                        01:25:bc:ff:ca:25:fc:81:d1:fa:b8:04:aa:d4:6b:
                        55:e9:48:f2:e4:ab:22:78:03:47:26:bb:8f:22:10:
                        66:47:47:c3:b2:9a:70:f1:12:f1:b3:de:d0:e9:2d:
                        28:52:21:4b:04:33:fa:3d:92:8c:ab:7f:cc:74:c9:
                        c4:68:86:b0:4f:03:1b:06:33:48:e3:5b:8f:01:48:
                        6a:be:64:0e:01:f5:98:6f:57:e4:e7:b7:47:20:55:
                        98:35:f9:99:54:cf:a9:58:1e:1b:5a:0a:63:ce:cd:
                        ed:d3:a4:88:2b:00:ee:b0:af:e8:09:f8:a8:36:b8:
                        55:32:80:21:8e:b5:19:c0:2f:e8:ca:4b:65:35:37:
                        2f:f1:9e:6f:09:d4:e0:b1:3d:aa:5f:fe:25:1a:7b:
                        d4:dd:fe:d1:d3:b6:3c:78:1d:3b:12:c2:66:bd:95:
                        a8:3b:64:19:c0:51:05:9f:74:3d:6e:86:1e:20:f5:
                        ed:3a:ab:44:8d:7c:5b:11:14:83:ee:6b:a1:12:2e:
                        2a:0e:6b:be:02:ad:11:6a:ec:23:fe:55:d9:54:f3:
                        5c:20:bc:ec:bf:a6:99:9b:7a:2e:71:10:92:51:a7:
                        cb:79:af:b4:12:4e:26:03:ab:35:e2:5b:00:45:54:
                        fe:91
                    Exponent: 65537 (0x10001)
            X509v3 extensions:
                X509v3 Key Usage: critical
                    Digital Signature, Key Encipherment
                X509v3 Extended Key Usage:
                    TLS Web Server Authentication, TLS Web Client Authentication
                X509v3 Basic Constraints: critical
                    CA:FALSE
                X509v3 Subject Alternative Name:
                    URI:spiffe://cluster.local/ns/my-ns/sa/my-sa
        Signature Algorithm: sha256WithRSAEncryption
             78:77:7f:83:cc:fc:f4:30:12:57:78:62:e9:e2:48:d6:ea:76:
             69:99:02:e9:62:d2:53:db:2c:13:fe:0f:00:56:2b:83:ca:d3:
             4c:d2:01:f6:08:af:01:f2:e2:3e:bb:af:a3:bf:95:97:aa:de:
             1e:e6:51:8c:21:ee:52:f0:d3:af:9c:fd:f7:f9:59:16:da:40:
             4d:53:db:47:bb:9c:25:1a:6e:34:41:42:d9:26:f7:3a:a6:90:
             2d:82:42:97:08:f4:6b:16:84:d1:ad:e3:82:2c:ce:1c:d6:cd:
             68:e6:b0:5e:b5:63:55:3e:f1:ff:e1:a0:42:cd:88:25:56:f7:
             a8:88:a1:ec:53:f9:c1:2a:bb:5c:d7:f8:cb:0e:d9:f4:af:2e:
             eb:85:60:89:b3:d0:32:60:b4:a8:a1:ee:f3:3a:61:60:11:da:
             2d:7f:2d:35:ce:6e:d4:eb:5c:82:cf:5c:9a:02:c0:31:33:35:
             51:2b:91:79:8a:92:50:d9:e0:58:0a:78:9d:59:f4:d3:39:21:
             bb:b4:41:f9:f7:ec:ad:dd:76:be:28:58:c0:1f:e8:26:5a:9e:
             7b:7f:14:a9:18:8d:61:d1:06:e3:9e:0f:05:9e:1b:66:0c:66:
             d1:27:13:6d:ab:59:46:00:77:6e:25:f6:e8:41:ef:49:58:73:
             b4:93:04:46

    Make sure the certificate shown contains valid information. In particular, the Subject Alternative Name field should be URI:spiffe://cluster.local/ns/my-ns/sa/my-sa. If that is not the case, something may be wrong with your Citadel. Try redeploying Citadel and check again.

    Finally, you can verify that the key and certificate have been correctly mounted by the sidecar proxy in the /etc/certs directory. You can check this with the following command:

    $ kubectl exec -it my-pod-id -c istio-proxy -- ls /etc/certs
    cert-chain.pem  key.pem  root-cert.pem

    (Optional) You can inspect their contents with the following command:

    $ kubectl exec -it my-pod-id -c istio-proxy -- cat /etc/certs/cert-chain.pem | openssl x509 -text -noout
    Certificate:
        Data:
            Version: 3 (0x2)
            Serial Number:
                7e:b4:44:fe:d0:46:ba:27:47:5a:50:c8:f0:8e:8b:da
        Signature Algorithm: sha256WithRSAEncryption
            Issuer: O = k8s.cluster.local
            Validity
                Not Before: Jul 13 01:23:13 2018 GMT
                Not After : Oct 11 01:23:13 2018 GMT
            Subject: O =
            Subject Public Key Info:
                Public Key Algorithm: rsaEncryption
                    Public-Key: (2048 bit)
                    Modulus:
                        00:bb:c9:cd:f4:b8:b5:e4:3b:f2:35:aa:4c:67:cc:
                        1b:a9:30:c4:b7:fd:0a:f5:ac:94:05:b5:82:96:b2:
                        c8:98:85:f9:fc:09:b3:28:34:5e:79:7e:a9:3c:58:
                        0a:14:43:c1:f4:d7:b8:76:ab:4e:1c:89:26:e8:55:
                        cd:13:6b:45:e9:f1:67:e1:9b:69:46:b4:7e:8c:aa:
                        fd:70:de:21:15:4f:f5:f3:0f:b7:d4:c6:b5:9d:56:
                        ef:8a:91:d7:16:fa:db:6e:4c:24:71:1c:9c:f3:d9:
                        4b:83:f1:dd:98:5b:63:5c:98:5e:2f:15:29:0f:78:
                        31:04:bc:1d:c8:78:c3:53:4f:26:b2:61:86:53:39:
                        0a:3b:72:3e:3d:0d:22:61:d6:16:72:5d:64:e3:78:
                        c8:23:9d:73:17:07:5a:6b:79:75:91:ce:71:4b:77:
                        c5:1f:60:f1:da:ca:aa:85:56:5c:13:90:23:02:20:
                        12:66:3f:8f:58:b8:aa:72:9d:36:f1:f3:b7:2b:2d:
                        3e:bb:7c:f9:b5:44:b9:57:cf:fc:2f:4b:3c:e6:ee:
                        51:ba:23:be:09:7b:e2:02:6a:6e:e7:83:06:cd:6c:
                        be:7a:90:f1:1f:2c:6d:12:9e:2f:0f:e4:8c:5f:31:
                        b1:a2:fa:0b:71:fa:e1:6a:4a:0f:52:16:b4:11:73:
                        65:d9
                    Exponent: 65537 (0x10001)
            X509v3 extensions:
                X509v3 Key Usage: critical
                    Digital Signature, Key Encipherment
                X509v3 Extended Key Usage:
                    TLS Web Server Authentication, TLS Web Client Authentication
                X509v3 Basic Constraints: critical
                    CA:FALSE
                X509v3 Subject Alternative Name:
                    URI:spiffe://cluster.local/ns/default/sa/bookinfo-productpage
        Signature Algorithm: sha256WithRSAEncryption
             8f:be:af:a4:ee:f7:be:21:e9:c8:c9:e2:3b:d3:ac:41:18:5d:
             f8:9a:85:0f:98:f3:35:af:b7:e1:2d:58:5a:e0:50:70:98:cc:
             75:f6:2e:55:25:ed:66:e7:a4:b9:4a:aa:23:3b:a6:ee:86:63:
             9f:d8:f9:97:73:07:10:25:59:cc:d9:01:09:12:f9:ab:9e:54:
             24:8a:29:38:74:3a:98:40:87:67:e4:96:d0:e6:c7:2d:59:3d:
             d3:ea:dd:6e:40:5f:63:bf:30:60:c1:85:16:83:66:66:0b:6a:
             f5:ab:60:7e:f5:3b:44:c6:11:5b:a1:99:0c:bd:53:b3:a7:cc:
             e2:4b:bd:10:eb:fb:f0:b0:e5:42:a4:b2:ab:0c:27:c8:c1:4c:
             5b:b5:1b:93:25:9a:09:45:7c:28:31:13:a3:57:1c:63:86:5a:
             55:ed:14:29:db:81:e3:34:47:14:ba:52:d6:3c:3d:3b:51:50:
             89:a9:db:17:e4:c4:57:ec:f8:22:98:b7:e7:aa:8a:72:28:9a:
             a7:27:75:60:85:20:17:1d:30:df:78:40:74:ea:bc:ce:7b:e5:
             a5:57:32:da:6d:f2:64:fb:28:94:7d:28:37:6f:3c:97:0e:9c:
             0c:33:42:f0:b6:f5:1c:0d:fb:70:65:aa:93:3e:ca:0e:58:ec:
             8e:d5:d0:1e
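    The manual inspection above (both of the certificate stored in the istio.my-sa secret and of /etc/certs/cert-chain.pem inside the sidecar) boils down to three checks: the Subject Alternative Name is the workload's SPIFFE URI, Basic Constraints is CA:FALSE, and the certificate is inside its validity window. The script below is an added example that is not part of the Istio documentation; it wraps those checks in a shell function driven by openssl so they can be run against any PEM file you have extracted. The function and file names are this example's own, and make_test_cert builds a constructed self-signed certificate so the example runs offline without a cluster.

```shell
#!/bin/sh
# Added example (not from the Istio docs): scripted version of the manual
# certificate inspection. Assumes only openssl on PATH.

# check_workload_cert <pem-file> <namespace> <service-account>
# Prints the reason on failure; returns 0 if the cert passes, 1 otherwise.
check_workload_cert() {
    pem="$1"; ns="$2"; sa="$3"
    expected="spiffe://cluster.local/ns/${ns}/sa/${sa}"

    text=$(openssl x509 -in "$pem" -noout -text) || {
        echo "FAIL: $pem is not a parseable X.509 certificate"; return 1; }

    # Take the first URI SAN from the text dump; Citadel issues exactly one.
    san=$(printf '%s\n' "$text" | grep -o 'URI:spiffe://[^,[:space:]]*' | head -n 1 | sed 's/^URI://')
    if [ "$san" != "$expected" ]; then
        echo "FAIL: SAN is '${san:-<none>}', expected '$expected'"; return 1
    fi

    # A workload certificate must be a leaf, never a CA.
    if ! printf '%s\n' "$text" | grep -q 'CA:FALSE'; then
        echo "FAIL: certificate is not constrained to CA:FALSE"; return 1
    fi

    # -checkend 0 exits non-zero once the certificate has expired.
    if ! openssl x509 -in "$pem" -noout -checkend 0 >/dev/null; then
        echo "FAIL: certificate has expired"; return 1
    fi

    echo "OK: $san"
    return 0
}

# make_test_cert <pem-file> <namespace> <service-account>
# Constructed sample input for offline runs: a throwaway self-signed cert
# carrying the same extensions the Citadel-issued certs above show. It is
# not a real Citadel certificate.
make_test_cert() {
    out="$1"; ns="$2"; sa="$3"
    cfg="${out}.cnf"
    cat > "$cfg" <<EOF
[req]
distinguished_name = dn
x509_extensions = v3_leaf
prompt = no
[dn]
O = k8s.cluster.local
[v3_leaf]
basicConstraints = critical,CA:FALSE
keyUsage = critical,digitalSignature,keyEncipherment
extendedKeyUsage = serverAuth,clientAuth
subjectAltName = URI:spiffe://cluster.local/ns/${ns}/sa/${sa}
EOF
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -config "$cfg" -keyout "${out}.key" -out "$out" >/dev/null 2>&1
    rc=$?
    rm -f "$cfg"
    return $rc
}

# Usage against a live cluster (replace my-sa / my-ns / my-pod-id as needed):
#   kubectl get secret -o json istio.my-sa -n my-ns \
#     | jq -r '.data["cert-chain.pem"]' | base64 --decode > secret-cert.pem
#   check_workload_cert secret-cert.pem my-ns my-sa
#   kubectl exec my-pod-id -c istio-proxy -- cat /etc/certs/cert-chain.pem > mounted-cert.pem
#   check_workload_cert mounted-cert.pem my-ns my-sa
```

    Running the check on both the secret's certificate and the mounted one is the useful part: a mismatch between the two points at the sidecar mount rather than at Citadel, while a wrong SAN in the secret itself is the Citadel problem the text describes.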