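The Gloo documentation at https://gloo.solo.io/advanced_configuration/tls_setup/ describes the process of setting up SSL for a Gloo virtual service. However, it only does this with a self-signed certificate. We use Gloo to switch between two services based on path (for example, api.example.com/ points to an Elastic Beanstalk application and api.example.com/service points to a Kubernetes cluster application).
Here are the two upstreams:
dev-api-upstream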
apiVersion: gloo.solo.io/v1
kind: Upstream
metadata:
  name: dev-api-upstream
  namespace: gloo-system
spec:
  upstreamSpec:
    static:
      hosts:
      - addr: api-dev.example.com
        port: 80
kube-upstream.yaml
apiVersion: gloo.solo.io/v1
kind: Upstream
metadata:
  name: kube-upstream
  namespace: gloo-system
spec:
  upstreamSpec:
    static:
      hosts:
      - addr: api-dev.example.com
        port: 80
Finally, the virtual service:
apiVersion: gateway.solo.io/v1
kind: VirtualService
metadata:
  name: api-prefix
  namespace: gloo-system
spec:
  virtualHost:
    domains:
    - '*'
    routes:
    - matcher:
        prefix: /service2
      routeAction:
        single:
          upstream:
            name: kube-upstream
            namespace: gloo-system
    - matcher:
        prefix: /
      routeAction:
        single:
          upstream:
            name: dev-api-upstream
            namespace: gloo-system
This works fine for HTTP requests, but HTTPS requests time out.
How can I enable SSL on the load balancer where Gloo receives requests, using a certificate created with AWS ACM?
Posted on 2020-02-21 01:47:33
If you want your VirtualService to terminate SSL, you need to add an SSLConfig to it, as described in the documentation you linked:
# create a secret containing the cert you want to serve
kubectl create secret tls my-tls-cert --key <path to private key> \
  --cert <path to ca cert> --namespace gloo-system
Then update your VS with sslConfig, like so:
apiVersion: gateway.solo.io/v1
kind: VirtualService
metadata:
  name: api-prefix
  namespace: gloo-system
spec:
  virtualHost:
    domains:
    - '*'
    routes:
    - matcher:
        prefix: /service2
      routeAction:
        single:
          upstream:
            name: kube-upstream
            namespace: gloo-system
    - matcher:
        prefix: /
      routeAction:
        single:
          upstream:
            name: dev-api-upstream
            namespace: gloo-system
  sslConfig:
    secretRef:
      name: my-tls-cert
      namespace: gloo-system
Note that this will change the port on the proxy serving the virtual service (from 80 to 443).
https://stackoverflow.com/questions/58175251