Open
Description
I set up my own certificates in istio-proxy. The method is to mount the certificates into istio-proxy and then configure them with a DestinationRule, just like in the example. But it never connects?
Below are my steps and some background:
First, mount the certificates into the client and the server.
Server side
```shell
kubectl exec $(kubectl get pod -l app=mongo-client -o jsonpath={.items..metadata.name} -n mongo) -n mongo -c istio-proxy -- ls /pem
# Output:
ca.pem
client.key
client.pem
```
Client side
```shell
kubectl exec $(kubectl get pod -l app=mongo -o jsonpath={.items..metadata.name} -n mongo) -n mongo -- ls /pem
# Output:
ca.pem
server.pem
```
You can see that the certificates have been mounted into the container and the proxy container respectively.
Then set the rule.
DestinationRule:
```yaml
apiVersion: networking.istio.io/v1alpha3
kind: DestinationRule
metadata:
  namespace: mongo
  name: db-mtls
spec:
  host: "*.mongo.svc.cluster.local"
  trafficPolicy:
    tls:
      mode: MUTUAL
      clientCertificate: /pem/client.pem
      privateKey: /pem/client.key
      caCertificates: /pem/ca.pem
```
Then access the server outside the mesh from a client inside the mesh:
```shell
kubectl exec "$(kubectl get pod -l app=mongo-client -n mongo -o jsonpath={.items..metadata.name})" -n mongo -- mongo --host mongo
```
Output:
```
Defaulting container name to mongo-client.
Use 'kubectl describe pod/mongo-client-6d478988-jlxkj -n mongo' to see all of the containers in this pod.
MongoDB shell version v4.2.11
connecting to: mongodb://mongo:27017/?compressors=disabled&gssapiServiceName=mongodb
2020-12-28T09:45:47.247+0000 I NETWORK [js] DBClientConnection failed to receive message from mongo:27017 - HostUnreachable: Connection reset by peer
2020-12-28T09:45:47.247+0000 E QUERY [js] Error: network error while attempting to run command 'isMaster' on host 'mongo:27017' :
connect@src/mongo/shell/mongo.js:353:17
@(connect):2:6
2020-12-28T09:45:47.249+0000 F - [main] exception: connect failed
2020-12-28T09:45:47.249+0000 E - [main] exiting with code 1
command terminated with exit code 1
```
Then the istio-proxy log shows:
```
2020-12-29T01:29:38.567791Z info sds resource:file-cert:/pem/client.pem~/pem/client.key new connection
2020-12-29T01:29:38.567963Z info sds Skipping waiting for gateway secret
2020-12-29T01:29:38.568199Z error cache failed to extract expiration time in the certificate loaded from file: failed to parse certificate: asn1: structure error: tags don't match (16 vs {class:0 tag:2 length:1 isCompound:false}) {optional:false explicit:false application:false private:false defaultValue:<nil> tag:<nil> stringType:0 timeType:0 set:false omitEmpty:false} tbsCertificate @2
2020-12-29T01:29:38.568252Z error cache resource:file-cert:/pem/client.pem~/pem/client.key failed to generate secret for proxy from file: failed to extract expiration time in the certificate loaded from file: failed to parse certificate: asn1: structure error: tags don't match (16 vs {class:0 tag:2 length:1 isCompound:false}) {optional:false explicit:false application:false private:false defaultValue:<nil> tag:<nil> stringType:0 timeType:0 set:false omitEmpty:false} tbsCertificate @2
2020-12-29T01:29:38.568267Z error sds resource:file-cert:/pem/client.pem~/pem/client.key Close connection. Failed to get secret for proxy "sidecar~10.1.0.84~mongo-client-6d478988-jlxkj.mongo~mongo.svc.cluster.local" from secret cache: failed to extract expiration time in the certificate loaded from file: failed to parse certificate: asn1: structure error: tags don't match (16 vs {class:0 tag:2 length:1 isCompound:false}) {optional:false explicit:false application:false private:false defaultValue:<nil> tag:<nil> stringType:0 timeType:0 set:false omitEmpty:false} tbsCertificate @2
```
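Editor's note with an added diagnostic, not part of the issue above or of Istio's own code. The sidecar error is specific: while reading `tbsCertificate` at byte offset 2 the parser expected ASN.1 tag 16 (SEQUENCE) and found tag 2 (INTEGER). An X.509 `Certificate` is a SEQUENCE whose first element is the `tbsCertificate` SEQUENCE; a PKCS#1 or PKCS#8 private key is a SEQUENCE whose first element is an INTEGER `version`. So whatever was mounted at `/pem/client.pem`, its first PEM block is not a certificate; a key file under the certificate path, or a combined PEM with the key block before the certificate block, both produce exactly this mismatch. The Go program below builds a constructed self-signed certificate and key in memory (the `mongo-client.example.test` name is made up), lists the PEM block types in a file, reads the first inner ASN.1 tag, and runs the check the log describes (parse the first PEM block as a certificate and read its expiry); that the sidecar looks only at the first block is an assumption about Istio internals drawn from the log, not taken from its source. Newer Go versions word the parse failure as "malformed" rather than the `encoding/asn1` text in the log, so the code asserts on failure, not on the message.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/asn1"
	"encoding/pem"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// pemBlockTypes lists the PEM block types in a file, in order.
func pemBlockTypes(data []byte) []string {
	var types []string
	for {
		block, rest := pem.Decode(data)
		if block == nil {
			return types
		}
		types = append(types, block.Type)
		data = rest
	}
}

// firstInnerTag decodes the first PEM block and returns the ASN.1 tag of the
// first element inside its outer SEQUENCE: 16 (SEQUENCE, the tbsCertificate)
// for a certificate, 2 (INTEGER version) for a PKCS#1 or PKCS#8 private key.
func firstInnerTag(data []byte) (int, error) {
	block, _ := pem.Decode(data)
	if block == nil {
		return 0, errors.New("no PEM block found")
	}
	var outer asn1.RawValue
	if _, err := asn1.Unmarshal(block.Bytes, &outer); err != nil {
		return 0, err
	}
	if outer.Tag != asn1.TagSequence {
		return 0, fmt.Errorf("outer element has tag %d, not SEQUENCE", outer.Tag)
	}
	var inner asn1.RawValue
	if _, err := asn1.Unmarshal(outer.Bytes, &inner); err != nil {
		return 0, err
	}
	return inner.Tag, nil
}

// certExpiry is the check the sidecar log describes (assumed behaviour): parse
// the first PEM block as an X.509 certificate and read its NotAfter.
func certExpiry(data []byte) (time.Time, error) {
	block, _ := pem.Decode(data)
	if block == nil {
		return time.Time{}, errors.New("no PEM block found")
	}
	cert, err := x509.ParseCertificate(block.Bytes)
	if err != nil {
		return time.Time{}, fmt.Errorf("failed to parse certificate: %w", err)
	}
	return cert.NotAfter, nil
}

// sampleFiles builds a constructed self-signed certificate and its PKCS#8
// key in memory, standing in for /pem/client.pem and /pem/client.key.
func sampleFiles() (certPEM, keyPEM []byte, err error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: "mongo-client.example.test"}, // constructed name
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, nil, err
	}
	keyDER, err := x509.MarshalPKCS8PrivateKey(key)
	if err != nil {
		return nil, nil, err
	}
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der}),
		pem.EncodeToMemory(&pem.Block{Type: "PRIVATE KEY", Bytes: keyDER}), nil
}

func main() {
	certPEM, keyPEM, err := sampleFiles()
	if err != nil {
		panic(err)
	}
	// A correct client.pem, the key mounted under the certificate path, and a
	// combined file with the key block first: only the first is accepted.
	combined := append(append([]byte{}, keyPEM...), certPEM...)
	for _, f := range []struct {
		name string
		data []byte
	}{{"cert only", certPEM}, {"key as cert", keyPEM}, {"key then cert", combined}} {
		tag, _ := firstInnerTag(f.data)
		exp, err := certExpiry(f.data)
		fmt.Printf("%-14s blocks=%v inner tag=%d expiry=%s err=%v\n",
			f.name, pemBlockTypes(f.data), tag, exp.UTC().Format(time.RFC3339), err)
	}
}
```

Run it against a real mount by replacing `sampleFiles` with `os.ReadFile` of the three paths in the DestinationRule: a healthy file reports `blocks=[CERTIFICATE] inner tag=16` and an expiry, while a key-first file reports `inner tag=2` and the parse error, which is the same condition the sidecar logged.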