使用 https 时 ALB 和 Istio 的 502 bad gateway 错误

Question

我有502 网关错误为了https使用时Istio和 AWS ALB。

出于某种原因，我必须在 Istio ingressgateway 之前使用 ALB ingress，并且我还需要使用 https 从我的 ingress 连接到 istio ingressgateway。但是我收到了 502 bad gateway 错误。如果我使用http，它工作正常。

我可以在 istio ingressgateway 的日志中找到以下信息： “response_code_details”：“filter_chain_not_found"

有人有什么想法吗？

以下是我的入口：

apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: ingress-gateway
  namespace: istio-system
  annotations:
    alb.ingress.kubernetes.io/group.name: <group name>
    alb.ingress.kubernetes.io/scheme: internet-facing
    alb.ingress.kubernetes.io/listen-ports: '[{"HTTP": 80}, {"HTTPS":443}]'
    alb.ingress.kubernetes.io/ssl-redirect: '443'
    alb.ingress.kubernetes.io/certificate-arn: <my arn>
    alb.ingress.kubernetes.io/target-type: ip
    alb.ingress.kubernetes.io/subnets: <my subnet>
    alb.ingress.kubernetes.io/backend-protocol: HTTPS
spec:
  ingressClassName: alb
  rules:
  - host: "my.hostname.com"
    http:
      paths:
      - path: /*
        pathType: ImplementationSpecific
        backend:
          service:
            name: istio-ingressgateway
            port:
              number: 443
  tls:
  - hosts:
    - "my.hostname.com"

以下是我的 istio-ingressgateway

...
          serviceAnnotations:
            alb.ingress.kubernetes.io/healthcheck-path: /healthz/ready
            alb.ingress.kubernetes.io/healthcheck-port: "30218"
          service:
            type: NodePort
            ports:
            - name: http
              port: 80
              protocol: TCP
              targetPort: 8080
            - name: https
              port: 443
              protocol: TCP
              targetPort: 8443
            - name: status-port
              nodePort: 30218
              port: 15021
              protocol: TCP
              targetPort: 15021
...

以下是我的 Istio 网关：

apiVersion: networking.istio.io/v1beta1
kind: Gateway
metadata:
  name: my-gateway
  namespace: istio-system
spec:
  selector:
    istio: ingressgateway
  servers:
  - hosts:
    - my.hostname.com
    port:
      name: http
      number: 80
      protocol: HTTP
  - hosts:
    - my.hostname.com
    port:
      name: https
      number: 443
      protocol: HTTPS
    tls:
      credentialName: my-tls-cert
      mode: SIMPLE
      privateKey: sds
      serverCertificate: sds

如果我将入口更改为使用 http，它工作正常，如下所示：

apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: ingress-gateway
  namespace: istio-system
  annotations:
    alb.ingress.kubernetes.io/group.name: <group name>
    alb.ingress.kubernetes.io/scheme: internet-facing
    alb.ingress.kubernetes.io/listen-ports: '[{"HTTP": 80}, {"HTTPS":443}]'
    alb.ingress.kubernetes.io/ssl-redirect: '443'
    alb.ingress.kubernetes.io/certificate-arn: <my arn>
    alb.ingress.kubernetes.io/target-type: ip
    alb.ingress.kubernetes.io/subnets: <my subnet>
spec:
  ingressClassName: alb
  rules:
  - host: "my.hostname.com"
    http:
      paths:
      - path: /*
        pathType: ImplementationSpecific
        backend:
          service:
            name: istio-ingressgateway
            port:
              number: 80
  tls:
  - hosts:
    - "my.hostname.com"

Answer 1

与 Istio Ingress Gateway 执行 TLS 握手时，ALB 不包括 SNI。当您在网关资源中包含“主机”时，路由匹配需要 SNI。 解决方法是使用 -hosts: '*' 配置 Istio 443 侦听器，然后在 VirtualService 资源中指定主机。你也可以做一些标题匹配。