When workloads inside Kubernetes talk to each other, they normally do so through the Service's cluster-internal domain, svc.cluster.local.

For traffic coming into the cluster from outside, an Ingress is what terminates HTTPS.

An Ingress, however, does nothing to make the traffic between workloads inside the cluster HTTPS. For that you can use Istio's mTLS, so that every connection to a pod runs over TLS.

Curious about Istio's mTLS?
[Istio] Shh! It's our secret - mTLS (confirming it)
[Istio] Shh! It's our secret - mTLS (verifying it)

So, without using mTLS, how can internal traffic be HTTPS?

The answer is simple: each pod just needs to have its own certificate.

In this post we'll make HTTPS requests to the svc.cluster.local domain that gets registered in CoreDNS when a Service is created.

Let's do the code~

We create the certificate with Cert Manager.

Curious about Cert Manager? See here!

The Issuer and the Certificate look like this.

apiVersion: cert-manager.io/v1
kind: Issuer
metadata:
  name: service-https-test
  namespace: default
spec:
  selfSigned: {}
---
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: service-https-test
  namespace: default
spec:
  dnsNames:
    - service-https-test.default.svc
    - service-https-test.default.svc.cluster.local
  issuerRef:
    kind: Issuer
    name: service-https-test
  secretName: service-https-test

 

Since we are not the owner of svc.cluster.local, the Certificate is issued through a selfSigned Issuer.

In the end the Certificate is materialised as a Secret.

[image: the Secret created from the Certificate]

The Secret holds ca.crt, tls.crt and tls.key. Base64-decoded, they look like this.

[image: ca.crt]

Cert Manager definitely makes this convenient. Without it, you'd have had to generate the files with ssh-keygen and paste each one into the Secret by hand.

Next, create the config that nginx will use, as a ConfigMap.

apiVersion: v1
kind: ConfigMap
metadata:
  name: service-https-test
  namespace: default
data:
  nginx-tls.conf: |
    server {
      listen              80;
      server_name         _;
      return 301 https://$host$request_uri;
    }
    
    server {
      listen              443 ssl;
      server_name         _;
    
      ssl_certificate     /etc/nginx/ssl/tls.crt;
      ssl_certificate_key /etc/nginx/ssl/tls.key;
    
      location / {
        root   /usr/share/nginx/html;
        index  index.html;
      }
    }

 

Requests to port 80 are redirected to port 443, and setting server_name to _ makes the server accept any hostname.

Now create the Service and the Pod.

apiVersion: v1
kind: Service
metadata:
  name: service-https-test
  namespace: default
spec:
  ports:
    - name: http
      port: 80
      targetPort: 80
    - name: https
      port: 443
      targetPort: 443
  selector:
    app: service-https-test
  sessionAffinity: None
  type: ClusterIP
---
apiVersion: v1
kind: Pod
metadata:
  labels:
    app: service-https-test
  name: nginx
  namespace: default
spec:
  containers:
    - image: nginx
      name: nginx
      volumeMounts:
        - name: nginx-config
          mountPath: /etc/nginx/conf.d
        - name: nginx-certs
          mountPath: /etc/nginx/ssl
  volumes:
    - name: nginx-config
      configMap:
        name: service-https-test
    - name: nginx-certs
      secret:
        secretName: service-https-test

 

There's nothing difficult here, so I won't go through it separately.

Now let's check it out!

Hitting the Service's domain, http://service-https-test:80, shows the request being redirected.

[image: http://service-https-test:80]

Because the certificate nginx serves is self-signed, you have to add -k when using curl.


μ΄λ²ˆμ—λŠ” https://service-https-test:443 둜 μ ‘κ·Όν•΄μ„œ https 톡신을 ν•˜λŠ” 지 ν™•μΈν•΄λ³΄κ² μŠ΅λ‹ˆλ‹€.

TLS handshake 과정이 μžˆλŠ” κ±Έ λ³΄λ‹ˆ μ•„μ£Ό 잘 λ™μž‘ν•©λ‹ˆλ‹€. 

https://service-https-test:443

 

 

뿐만 μ•„λ‹ˆλΌ, νŒŒλ“œμ˜ IP μ£Όμ†ŒμΈ https://10.42.0.10:443 λ‘œλ„ κ°€λŠ₯ν•©λ‹ˆλ‹€. 

https://10.42.0.10:443
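A closer look at what curl -k skips, as an added example that is not part of this post: the Go program below builds the same kind of self-signed certificate that a cert-manager selfSigned Issuer writes into the Secret as tls.crt (and, because it is self-signed, also as ca.crt) for the two dnsNames of the Certificate above, and then verifies it the way curl --cacert ca.crt would, against each name used in this post. The short Service name service-https-test, the pod IP 10.42.0.10 and localhost are not among the certificate's SANs, which is why they only work with -k. The function names and the key generated at run time are my own; nothing here is cert-manager's or nginx's code.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"errors"
	"fmt"
	"math/big"
	"net"
	"time"
)

// serviceDNSNames mirrors spec.dnsNames of the Certificate on the page.
var serviceDNSNames = []string{
	"service-https-test.default.svc",
	"service-https-test.default.svc.cluster.local",
}

// selfSignedCertPEM builds the kind of certificate a selfSigned Issuer stores
// in the Secret: a leaf signed with its own freshly generated key (constructed
// here, not read from a cluster), valid for the given DNS and IP SANs.
func selfSignedCertPEM(dnsNames []string, ips []net.IP) ([]byte, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: dnsNames[0]},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(90 * 24 * time.Hour), // cert-manager's default duration
		KeyUsage:              x509.KeyUsageDigitalSignature | x509.KeyUsageKeyEncipherment,
		ExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
		DNSNames:              dnsNames,
		IPAddresses:           ips,
		BasicConstraintsValid: true,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der}), nil
}

// verifyServerName does what curl --cacert ca.crt does and curl -k skips:
// it trusts only the certificate in caPEM and checks that serverName
// (a DNS name or an IP address) is covered by that certificate's SANs.
func verifyServerName(caPEM []byte, serverName string) error {
	block, _ := pem.Decode(caPEM)
	if block == nil {
		return errors.New("no PEM certificate found")
	}
	cert, err := x509.ParseCertificate(block.Bytes)
	if err != nil {
		return err
	}
	roots := x509.NewCertPool()
	roots.AddCert(cert) // the self-signed leaf is its own trust anchor
	_, err = cert.Verify(x509.VerifyOptions{
		Roots:     roots,
		DNSName:   serverName,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	})
	return err
}

// NamesCoveredBy reports, for each name, whether a client that validates the
// certificate (no -k) would accept it. It is the check to run before dropping -k.
func NamesCoveredBy(caPEM []byte, names []string) map[string]bool {
	out := make(map[string]bool, len(names))
	for _, n := range names {
		out[n] = verifyServerName(caPEM, n) == nil
	}
	return out
}

func main() {
	certPEM, err := selfSignedCertPEM(serviceDNSNames, nil)
	if err != nil {
		panic(err)
	}
	// The names this post connects by; only the first two are in dnsNames.
	names := []string{
		"service-https-test.default.svc.cluster.local",
		"service-https-test.default.svc",
		"service-https-test", // short Service name used with curl above
		"10.42.0.10",         // pod IP: the certificate has no IP SAN
		"localhost",          // port-forward: this is why the browser warns
	}
	for _, n := range names {
		fmt.Printf("%-48s verified=%v\n", n, NamesCoveredBy(certPEM, []string{n})[n])
	}
}
```

Run it with go run; the two FQDNs verify and the other three do not. To drop -k for real, put every name you actually connect by into the Certificate (the short Service name under spec.dnsNames, a pod or Service IP under spec.ipAddresses), extract ca.crt from the Secret, and pass it to curl --cacert instead of using -k.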

 

And, naturally, it also works through port-forwarding.

[image: localhost]

The browser shows a "Not secure" warning, because the certificate is self-signed rather than issued by a real CA.

[image: the certificate]

Since I use mTLS, I never actually needed HTTPS to svc.cluster.local, but it was something I'd always wondered about, and this exercise settled the question.

That's it for today~
