
How do I disable mTLS in linkerd?

Stack Overflow user
Asked on 2020-09-19 02:44:36
Answers 1 | Views 625 | Followers 0 | Votes 0

I am sitting behind a corporate firewall that only allows https traffic that it intercepts with a MITM certificate. Unfortunately, linkerd and most other service meshes enable mTLS between all pod proxy communications. How do I disable mTLS so that linkerd pods don't get blocked in my network?

What I have tried

$ linkerd install > linkerd.yaml
$ linkerd inject --ignore-cluster --manual --disable-identity --disable-tap linkerd.yaml >> afterInject.yaml
$ kubectl apply -f afterInject.yaml

Interestingly, collecting linkerd metrics with the following command works:

linkerd metrics -n linkerd $(
  kubectl --namespace linkerd get pod \
    --selector linkerd.io/control-plane-component=controller \
    --output name
)

Logs

Linkerd is still deploying tap in the linkerd namespace, with these logs:

$ kubectl logs -n linkerd linkerd-tap-6c845f67cd-wzzp4 tap
time="2020-09-18T17:14:28Z" level=info msg="running version stable-2.8.1"
time="2020-09-18T17:14:28Z" level=info msg="Using trust domain: cluster.local"
time="2020-09-18T17:14:28Z" level=info msg="waiting for caches to sync"
time="2020-09-18T17:14:28Z" level=info msg="caches synced"
time="2020-09-18T17:14:28Z" level=info msg="starting admin server on :9998"
time="2020-09-18T17:14:28Z" level=info msg="starting APIServer on :8089"
2020/09/18 17:14:51 http: TLS handshake error from 127.0.0.1:58856: EOF
2020/09/18 17:14:51 http: TLS handshake error from 127.0.0.1:58860: EOF
2020/09/18 17:14:51 http: TLS handshake error from 127.0.0.1:58858: EOF
2020/09/18 17:14:51 http: TLS handshake error from 127.0.0.1:58864: EOF
2020/09/18 17:14:51 http: TLS handshake error from 127.0.0.1:58862: EOF

In addition, I get the following error on the kube-apiserver:

controller.go:114] loading OpenAPI spec for "v1alpha1.tap.linkerd.io" failed with: failed to retrieve openAPI spec, http error: ResponseCode: 503, Body: Error trying to reach service: 'dial tcp 10.108.135.128:443: i/o timeout', Header: map[Content-Type:[text/plain; charset=utf-8] X-Content-Type-Options:[nosniff]]

Even stranger, my linkerd check shows that everything is fine:

# linkerd check
kubernetes-api
--------------
√ can initialize the client
√ can query the Kubernetes API

kubernetes-version
------------------
√ is running the minimum Kubernetes API version
√ is running the minimum kubectl version

linkerd-existence
-----------------
√ 'linkerd-config' config map exists
√ heartbeat ServiceAccount exist
√ control plane replica sets are ready
√ no unschedulable pods
√ controller pod is running
√ can initialize the client
√ can query the control plane API

linkerd-config
--------------
√ control plane Namespace exists
√ control plane ClusterRoles exist
√ control plane ClusterRoleBindings exist
√ control plane ServiceAccounts exist
√ control plane CustomResourceDefinitions exist
√ control plane MutatingWebhookConfigurations exist
√ control plane ValidatingWebhookConfigurations exist
√ control plane PodSecurityPolicies exist

linkerd-identity
----------------
√ certificate config is valid
√ trust anchors are using supported crypto algorithm
√ trust anchors are within their validity period
√ trust anchors are valid for at least 60 days
√ issuer cert is using supported crypto algorithm
√ issuer cert is within its validity period
√ issuer cert is valid for at least 60 days
√ issuer cert is issued by the trust anchor

linkerd-api
-----------
√ control plane pods are ready
√ control plane self-check
√ [kubernetes] control plane can talk to Kubernetes
√ [prometheus] control plane can talk to Prometheus
√ tap api service is running

linkerd-version
---------------
√ can determine the latest version
√ cli is up-to-date

control-plane-version
---------------------
√ control plane is up-to-date
√ control plane and cli versions match

linkerd-addons
--------------
√ 'linkerd-config-addons' config map exists

linkerd-grafana
---------------
√ grafana add-on service account exists
√ grafana add-on config map exists
√ grafana pod is running

Status check results are √

I also added a traefik ingress rule to a working cluster and cannot access the dashboard:

apiVersion: v1
kind: Secret
type: Opaque
metadata:
  name: web-ingress-auth
  namespace: linkerd
data:
  auth: private value...
  # generated with htpasswd
  # then base64 encoded
---
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: web-ingress
  namespace: linkerd
  annotations:
    kubernetes.io/ingress.class: 'traefik'
    ingress.kubernetes.io/custom-request-headers: l5d-dst-override:linkerd-web.linkerd.svc.cluster.local:8084
    traefik.ingress.kubernetes.io/auth-type: basic
    traefik.ingress.kubernetes.io/auth-secret: web-ingress-auth
spec:
  rules:
    - host: linkerd-dashboard.private.com
      http:
        paths:
          - backend:
              serviceName: linkerd-web
              servicePort: 8084

Even though it looks like it should be valid:

$ kubectl get ing -n linkerd
NAME          CLASS    HOSTS                                ADDRESS         PORTS   AGE
web-ingress   <none>   linkerd-dashboard.private.com        x.x.x.x   80      42m

1 Answer

Stack Overflow user

Accepted answer

Posted on 2020-12-08 06:44:15

Glad to hear you sorted it out @mikeLundquist.

To answer the original question, you correctly disabled mTLS by specifying the following flags at install time:

--disable-identity

--disable-tap

For helm users, you can add disableIdentity: true and disableTap: true under the proxy section of the Linkerd helm chart.

Votes 0
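Disabling identity is a deliberate downgrade of the mesh's transport security, so it helps to know exactly which pods run without mTLS afterwards. The following audit is an added example, not code from the question, the answer or the Linkerd project; it classifies pods from `kubectl get pods -A -o json` output and assumes that `linkerd inject --disable-identity` marks the pod with the `config.linkerd.io/disable-identity` annotation and sets a `LINKERD2_PROXY_IDENTITY_DISABLED` env var on the proxy container (check both against your own afterInject.yaml).

```python
# Assumed markers left by `linkerd inject --disable-identity` (Linkerd 2.8 era):
# the pod annotation it adds and the env var it sets on the proxy container.
# Verify both against your own injected manifest before relying on this audit.
DISABLE_IDENTITY_ANNOTATION = "config.linkerd.io/disable-identity"
IDENTITY_DISABLED_ENV = "LINKERD2_PROXY_IDENTITY_DISABLED"


def mtls_status(pod: dict) -> str:
    """Classify one Pod object: 'unmeshed', 'meshed-mtls' or 'meshed-no-mtls'."""
    containers = pod.get("spec", {}).get("containers", [])
    proxy = next((c for c in containers if c.get("name") == "linkerd-proxy"), None)
    if proxy is None:
        return "unmeshed"                       # no sidecar, nothing to assess
    annotations = pod.get("metadata", {}).get("annotations") or {}
    if annotations.get(DISABLE_IDENTITY_ANNOTATION, "").lower() == "true":
        return "meshed-no-mtls"                 # identity explicitly disabled
    for env in proxy.get("env", []):
        if env.get("name") == IDENTITY_DISABLED_ENV and env.get("value"):
            return "meshed-no-mtls"             # proxy told to skip identity
    return "meshed-mtls"


def audit(pod_list: dict) -> dict:
    """Map 'namespace/name' -> status for every pod in a PodList."""
    return {f"{p['metadata']['namespace']}/{p['metadata']['name']}": mtls_status(p)
            for p in pod_list.get("items", [])}


def pods_without_mtls(pod_list: dict) -> list:
    """Sorted list of meshed pods whose proxy-to-proxy traffic is not mTLS."""
    return sorted(k for k, v in audit(pod_list).items() if v == "meshed-no-mtls")


def _pod(ns, name, proxy_env=None, annotations=None, meshed=True):
    """Build a minimal Pod object for the constructed sample below."""
    containers = [{"name": "app", "image": "app:1"}]
    if meshed:
        containers.append({"name": "linkerd-proxy", "image": "linkerd-proxy:stable-2.8.1",
                           "env": proxy_env or []})
    return {"metadata": {"namespace": ns, "name": name, "annotations": annotations or {}},
            "spec": {"containers": containers}}


# Constructed sample shaped like `kubectl get pods -A -o json` (not real cluster data).
SAMPLE = {"items": [
    _pod("default", "legacy-0", meshed=False),
    _pod("shop", "cart-1"),
    _pod("shop", "web-2", annotations={DISABLE_IDENTITY_ANNOTATION: "true"}),
    _pod("shop", "api-3", proxy_env=[{"name": IDENTITY_DISABLED_ENV, "value": "disabled"}]),
]}
```

Feed it the real PodList with `audit(json.load(open("pods.json")))` after `kubectl get pods -A -o json > pods.json`; anything reported as meshed-no-mtls is traffic the firewall can inspect but the mesh no longer authenticates.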
Page content originally provided by Stack Overflow.
Original link:

https://stackoverflow.com/questions/63961214
