Service Mesh can host your certificates and distribute them to the gateway data plane to enable TLS-encrypted communication. This document describes the related gateway management operations.
Operations
Go to the Service Mesh console -> Gateways -> Certificate Management, where you can create, view, update and delete certificate configurations. The certificate settings are described below:
| Setting | Description |
|---|---|
| Name | Name of the certificate |
| Namespace | Namespace in which the certificate is stored |
| Public key certificate | Certificate content; currently only PEM format is supported |
| Private key | Private key of the certificate |
| Enable mTLS | A certificate with mTLS enabled can be used to configure mTLS communication |
| CA certificate | CA certificate used to validate client certificates during mTLS communication |
Using certificate management to implement mTLS access to the gateway
- First, generate the client and server certificates with the following script:
```bash
#!/bin/bash
# Usage: $0 <domain>   (e.g. foo.com)
set -e
domain=$1
[ -n "$domain" ] || { echo "usage: $0 <domain>" >&2; exit 1; }

# Self-signed CA that issues both the server and the client certificate
openssl genpkey -algorithm RSA -out ca.key
openssl req -new -x509 -key ca.key -out ca.crt -subj "/C=CN/ST=GD/L=GZ/O=DX/OU=TYY" -days 3650

# Server certificate for the gateway (CN = the domain clients connect to)
openssl genpkey -algorithm RSA -out server.key
openssl req -new -key server.key -out server.csr -subj "/C=CN/ST=GD/L=GZ/O=TYY/OU=MS/CN=$domain"
openssl x509 -req -in server.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out server.crt -days 3650

# Client certificate, issued by the same CA so the gateway can verify it
openssl genpkey -algorithm RSA -out client.key
openssl req -new -key client.key -out client.csr -subj "/C=CN/ST=GD/L=GZ/O=TYY/OU=MS/CN=$domain"
openssl x509 -req -in client.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out client.crt -days 3650
```
Paste the generated server.crt into Public key certificate and server.key into Private key, turn on the mTLS switch, and paste ca.crt into CA certificate.
- Create an ingress gateway, deploy the httpbin test service, and access httpbin through the gateway.

httpbin service deployment (South China 2 resource pool):
```yaml
apiVersion: v1
kind: ServiceAccount
metadata:
  name: httpbin
---
apiVersion: v1
kind: Service
metadata:
  name: httpbin
  labels:
    app: httpbin
    service: httpbin
spec:
  ports:
  - name: http
    port: 8000
    targetPort: 80
  selector:
    app: httpbin
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: httpbin
spec:
  replicas: 1
  selector:
    matchLabels:
      app: httpbin
      version: v1
  template:
    metadata:
      labels:
        app: httpbin
        version: v1
    spec:
      serviceAccountName: httpbin
      containers:
      - image: registry-vpc-crs-huanan2.cnsp-internal.ctyun.cn/library/httpbin:stable
        imagePullPolicy: IfNotPresent
        name: httpbin
        ports:
        - containerPort: 80
```
Create the Ingress gateway and configure the VirtualService resource:
```yaml
apiVersion: networking.istio.io/v1beta1
kind: VirtualService
metadata:
  name: httpbin
  namespace: demo
spec:
  gateways:
  - cce-for-csm-default-ingressgateway-testgw
  hosts:
  - foo.com
  http:
  - route:
    - destination:
        host: httpbin
        port:
          number: 8000
```
Verify access over the HTTP port:
```
# curl http://192.168.0.3:18080/headers -sv -H 'host: foo.com'
*   Trying 192.168.0.3:18080...
* Connected to 192.168.0.3 (192.168.0.3) port 18080 (#0)
> GET /headers HTTP/1.1
> Host: foo.com
> User-Agent: curl/7.71.1
> Accept: */*
>
* Mark bundle as not supporting multiuse
< HTTP/1.1 200 OK
< server: istio-envoy
< date: Thu, 13 Feb 2025 06:41:41 GMT
< content-type: application/json
< content-length: 485
< access-control-allow-origin: *
< access-control-allow-credentials: true
< x-envoy-upstream-service-time: 21
<
{"headers":{"Accept":"*/*","Host":"foo.com","User-Agent":"curl/7.71.1","X-B3-Parentspanid":"c50ea300154378db","X-B3-Sampled":"0","X-B3-Spanid":"3ded5df9f43fdea9","X-B3-Traceid":"6d9319ee5ded87fbc50ea300154378db","X-Envoy-Attempt-Count":"1","X-Envoy-Internal":"true","X-Forwarded-Client-Cert":"By=spiffe://cluster.local/ns/demo/sa/httpbin;Hash=b9b934cf12d7d8eb0c62e8a5c2374b86d3a8eb98e0101eb3ff75796cdcb3345b;Subject=\"\";URI=spiffe://cluster.local/ns/demo/sa/testgw-service-account"}}
* Connection #0 to host 192.168.0.3 left intact
```
- Configure the TLS port and certificate.

Go to Gateway Management -> Gateway Rules, edit the gateway rule, and fill in the K8s Secret generated by the certificate configuration:
```yaml
apiVersion: networking.istio.io/v1beta1
kind: Gateway
metadata:
  name: cce-for-csm-default-ingressgateway-testgw
  namespace: demo
spec:
  selector:
    gateway-unique-name: cce-for-csm.demo.ingressgateway.testgw
  servers:
  - hosts:
    - '*'
    port:
      name: http-18080
      number: 18080
      protocol: HTTP
  - hosts:
    - '*'
    port:
      name: https-18443
      number: 18443
      protocol: HTTPS
    tls:
      mode: MUTUAL
      credentialName: foo.com
```
Make an HTTPS request, specifying the client certificate, key and CA certificate:
```
# curl https://foo.com:18443/headers -sv --resolve 'foo.com:18443:192.168.0.3' --cert client.crt --key client.key --cacert ca.crt
* Added foo.com:18443:192.168.0.3 to DNS cache
* Hostname foo.com was found in DNS cache
*   Trying 192.168.0.3:18443...
* Connected to foo.com (192.168.0.3) port 18443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
*   CAfile: ca.crt
  CApath: none
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.3 (IN), TLS handshake, Encrypted Extensions (8):
* TLSv1.3 (IN), TLS handshake, Request CERT (13):
* TLSv1.3 (IN), TLS handshake, Certificate (11):
* TLSv1.3 (IN), TLS handshake, CERT verify (15):
* TLSv1.3 (IN), TLS handshake, Finished (20):
* TLSv1.3 (OUT), TLS change cipher, Change cipher spec (1):
* TLSv1.3 (OUT), TLS handshake, Certificate (11):
* TLSv1.3 (OUT), TLS handshake, CERT verify (15):
* TLSv1.3 (OUT), TLS handshake, Finished (20):
* SSL connection using TLSv1.3 / TLS_AES_256_GCM_SHA384
* ALPN, server accepted to use h2
* Server certificate:
*  subject: C=CN; ST=GD; L=GZ; O=TYY; OU=MS; CN=foo.com
*  start date: Feb 13 03:09:52 2025 GMT
*  expire date: Feb 11 03:09:52 2035 GMT
*  common name: foo.com (matched)
*  issuer: C=CN; ST=GD; L=GZ; O=DX; OU=TYY
*  SSL certificate verify ok.
* Using HTTP2, server supports multi-use
* Connection state changed (HTTP/2 confirmed)
* Copying HTTP/2 data in stream buffer to connection buffer after upgrade: len=0
* Using Stream ID: 1 (easy handle 0x55696bbf2690)
> GET /headers HTTP/2
> Host: foo.com:18443
> user-agent: curl/7.71.1
> accept: */*
>
* TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
* TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
* old SSL session ID is stale, removing
* Connection state changed (MAX_CONCURRENT_STREAMS == 2147483647)!
< HTTP/2 200
< server: istio-envoy
< date: Thu, 13 Feb 2025 07:01:54 GMT
< content-type: application/json
< content-length: 1854
< access-control-allow-origin: *
< access-control-allow-credentials: true
< x-envoy-upstream-service-time: 4
<
{"headers":{"Accept":"*/*","Host":"foo.com:18443","User-Agent":"curl/7.71.1","X-B3-Parentspanid":"69de88af50fc781c","X-B3-Sampled":"0","X-B3-Spanid":"9fd5daba6fa5657c","X-B3-Traceid":"cdcc12b950c3d1ca69de88af50fc781c","X-Envoy-Attempt-Count":"1","X-Envoy-Internal":"true","X-Forwarded-Client-Cert":"Hash=304002d17f8665ab020c67e59c56958708c89e622d0cde1893cddc1c2c7d1315;Cert=\"-----BEGIN%20CERTIFICATE-----%0AMIIDHTCCAgUCFHMQj5mjMwsw%2FqrnJtfOXdq0NSGtMA0GCSqGSIb3DQEBCwUAMEIx%0ACzAJBgNVBAYTAkNOMQswCQYDVQQIDAJHRDELMAkGA1UEBwwCR1oxCzAJBgNVBAoM%0AAkRYMQwwCgYDVQQLDANUWVkwHhcNMjUwMjEzMDMwOTUyWhcNMzUwMjExMDMwOTUy%0AWjBUMQswCQYDVQQGEwJDTjELMAkGA1UECAwCR0QxCzAJBgNVBAcMAkdaMQwwCgYD%0AVQQKDANUWVkxCzAJBgNVBAsMAk1TMRAwDgYDVQQDDAdmb28uY29tMIIBIjANBgkq%0AhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAvQ61G7G0aBCd7iYWmQKTf5%2BvlgnCuhdk%0ApkQlW%2B3oaxRqTmFqGj44kA0ZygE5FDcgL%2BTXVE2qaS5u21WkpoHOMhGrHxl2Chzl%0ANBcUbVJUliOX%2F9oeKyjC1JEQ%2BxGld0kYpbDeWd85OqRVoebdxOfVHO2ggSbl%2Blxy%0Adqy6Flndfp0Cqs2HfZk4dUsViNjQvewm3NH%2F8HAzcYui7w3aNrBwa%2FeEH0S3evhc%0AtASqSK7CKs6UMn%2FYvheTHe5o0N0Mwo6MDt0U2ox88oKrBkjPDMhFdM3PEfQqwv8V%0AC0AsDQ0CCZiNk9uiE28hEZMXaVhqJ2Nvju6n8JpiZ1M1WD%2B%2FDVC1HwIDAQABMA0G%0ACSqGSIb3DQEBCwUAA4IBAQAn%2B9qchCGymG2nhOGKaThASBj4Au65IqsVo6SHobOt%0AfiVULb3px6N6wlJWKzoT0M%2FwSI3%2Fw3aYQCaDC5uBt7EjvKFTF%2BpwX0uwqtF25F13%0AVHJER%2FEtqRG27EcLLEJuYGuFAxxTsZVnlnfn3Ky%2FPzD8oyzj7IucCb30CE42FXKq%0A6jjRpqDTXEtTxxp%2B8w787QLoel6eEsdZiEwOzRlIhQw9c1uIiyV%2BjCJtcGTTEufE%0AXWofM5kjg8%2B%2Bcc8KlU6WrfHujzV01T1ANAhGIGFG9lK4n%2FtYAMCk5ReMJIZVKy5G%0AE9ZdDv5f128dskKxgbG7LfqDylN9W4U6rByWbtr5k2lG%0A-----END%20CERTIFICATE-----%0A\";Subject=\"CN=foo.com,OU=MS,O=TYY,L=GZ,ST=GD,C=CN\";URI=,By=spiffe://cluster.local/ns/demo/sa/httpbin;Hash=b9b934cf12d7d8eb0c62e8a5c2374b86d3a8eb98e0101eb3ff75796cdcb3345b;Subject=\"\";URI=spiffe://cluster.local/ns/demo/sa/testgw-service-account"}}
* Connection #0 to host foo.com left intact
```
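The two httpbin responses above differ in their X-Forwarded-Client-Cert (XFCC) header: on the mTLS port the gateway prepends an element carrying the verified client's Subject and certificate Hash, while on the plain HTTP port the only element is the sidecar's view of the gateway's own spiffe:// identity. As an added example (not part of the original document or the product), the following Python parses that header the way a backend service would and tells the two cases apart; the sample header values are copied from the responses above, with the long Cert= field left out.

```python
# Sample values copied from the two httpbin responses on this page; the long
# Cert="..." field of the mTLS response is omitted to keep the sample short.
XFCC_HTTP_PORT = (
    "By=spiffe://cluster.local/ns/demo/sa/httpbin;"
    "Hash=b9b934cf12d7d8eb0c62e8a5c2374b86d3a8eb98e0101eb3ff75796cdcb3345b;"
    'Subject="";URI=spiffe://cluster.local/ns/demo/sa/testgw-service-account'
)
XFCC_MTLS_PORT = (
    "Hash=304002d17f8665ab020c67e59c56958708c89e622d0cde1893cddc1c2c7d1315;"
    'Subject="CN=foo.com,OU=MS,O=TYY,L=GZ,ST=GD,C=CN";URI=,'
    "By=spiffe://cluster.local/ns/demo/sa/httpbin;"
    "Hash=b9b934cf12d7d8eb0c62e8a5c2374b86d3a8eb98e0101eb3ff75796cdcb3345b;"
    'Subject="";URI=spiffe://cluster.local/ns/demo/sa/testgw-service-account'
)

def parse_xfcc(header):
    """Split XFCC into elements (one per mTLS hop, ','-separated), each a dict of
    ';'-separated key=value pairs. Quoted values may contain ',', ';' and '='."""
    elements, current, key, buf, quoted = [], {}, None, [], False
    for ch in header + ",":              # trailing ',' flushes the last element
        if quoted:                       # inside "...": take everything literally
            if ch == '"':
                quoted = False
            else:
                buf.append(ch)
        elif ch == '"':
            quoted = True
        elif ch == "=" and key is None:  # first unquoted '=' ends the key
            key, buf = "".join(buf), []
        elif ch in ";,":                 # end of pair; ',' also ends the element
            if key is not None:
                current[key] = "".join(buf)
            key, buf = None, []
            if ch == "," and current:
                elements.append(current)
                current = {}
        else:
            buf.append(ch)
    return elements

def external_client(header):
    """Subject and cert hash the gateway verified for the external caller, or
    None if no client cert was presented: on the plain HTTP port the only element
    is the sidecar's view of the gateway itself (spiffe:// URI, empty Subject)."""
    elements = parse_xfcc(header)
    if not elements or not elements[0].get("Subject"):
        return None
    return {"subject": elements[0]["Subject"],
            "hash": elements[0].get("Hash", ""), "hops": len(elements)}
```

Because the first element is written by the hop closest to the original client, a service behind the gateway can use it to distinguish callers authenticated with a gateway-verified certificate from traffic that entered over the HTTP port.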