---
title: "Istio Egress Gateway in Practice: External Service Access Control and TLS Passthrough Configuration"
keywords: Egress Gateway, ServiceEntry, VirtualService, PASSTHROUGH, TLS origination
description: Use the Istio Egress Gateway to control access to external services by configuring a ServiceEntry, a Gateway and a two-stage VirtualService, achieving TLS passthrough and controlled outbound traffic.
categories:
  - Articles and News
  - Technical Tutorials
---

The ServiceEntry defines the external host:

```
apiVersion: networking.istio.io/v1beta1
kind: ServiceEntry
metadata:
  name: external-api
spec:
  hosts:
    - api.example.com
  ports:
    - number: 443
      name: https
      protocol: TLS        # opaque TLS, routed by SNI
  resolution: DNS
  location: MESH_EXTERNAL  # the service lives outside the mesh
```

The Egress Gateway definition:

```
apiVersion: networking.istio.io/v1beta1
kind: Gateway
metadata:
  name: istio-egressgateway
  namespace: istio-system
spec:
  selector:
    istio: egressgateway
  servers:
    - port:
        number: 443
        name: tls
        protocol: TLS
      tls:
        mode: PASSTHROUGH  # the gateway does not terminate TLS
      hosts:
        - api.example.com
```

VirtualService (from the mesh to the Egress Gateway):

```
apiVersion: networking.istio.io/v1beta1
kind: VirtualService
metadata:
  name: to-egress-gw
spec:
  hosts:
    - api.example.com
  gateways:
    - mesh                 # applies to sidecars inside the mesh
  tls:
    - match:
        - sniHosts:
            - api.example.com
      route:
        - destination:
            host: istio-egressgateway.istio-system.svc.cluster.local
            port:
              number: 443
```

VirtualService (forwarding from the Egress Gateway to the external service):

```
apiVersion: networking.istio.io/v1beta1
kind: VirtualService
metadata:
  name: egress-gw-forward
  namespace: istio-system
spec:
  hosts:
    - api.example.com
  gateways:
    - istio-egressgateway  # applies only at the egress gateway
  tls:
    - match:
        - sniHosts:
            - api.example.com
          port: 443
      route:
        - destination:
            host: api.example.com
            port:
              number: 443
```
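The two VirtualServices only work as a pair, and a host that is missing from either hop or from the Gateway's server list breaks the route. The following check for that is an added example, not part of the original article or of Istio's tooling; it assumes the manifests are already parsed into dicts and that hosts are exact names (no wildcards), and `check_egress_chain` and `make_vs` are hypothetical helper names.

```python
# Added example, not Istio tooling: checks the two-hop egress chain for exact host names.
GW_SVC = "istio-egressgateway.istio-system.svc.cluster.local"
HOST = "api.example.com"

def check_egress_chain(docs, gw_svc=GW_SVC):
    """Return a list of problems found in already-parsed manifests (list of dicts)."""
    problems = []
    se_hosts = {h for d in docs if d["kind"] == "ServiceEntry" for h in d["spec"]["hosts"]}
    gw_names, gw_hosts = set(), set()
    for g in (d for d in docs if d["kind"] == "Gateway"):
        gw_names.add(g["metadata"]["name"])
        for s in g["spec"]["servers"]:
            gw_hosts.update(s["hosts"])
            if s.get("tls", {}).get("mode") != "PASSTHROUGH":
                problems.append(f"gateway {g['metadata']['name']}: tls.mode is not PASSTHROUGH")
    to_gw, to_ext = set(), set()  # SNI hosts covered by hop 1 (mesh) and hop 2 (gateway)
    for vs in (d for d in docs if d["kind"] == "VirtualService"):
        bound = set(vs["spec"].get("gateways", ["mesh"]))
        for rule in vs["spec"].get("tls", []):
            snis = {h for m in rule["match"] for h in m["sniHosts"]}
            dests = {r["destination"]["host"] for r in rule["route"]}
            if "mesh" in bound and dests == {gw_svc}:
                to_gw |= snis
            if bound & gw_names and dests and dests <= snis:
                to_ext |= snis
    for h in sorted(se_hosts):
        checks = [(h in gw_hosts, "not listed in any Gateway server"),
                  (h in to_gw, f"no mesh route to {gw_svc}"),
                  (h in to_ext, "no route from the egress gateway to the external host")]
        problems += [f"{h}: {msg}" for ok, msg in checks if not ok]
    return problems

def make_vs(name, gateways, dest):
    """Build a VirtualService dict with one TLS route for HOST (helper for the sample data)."""
    route = [{"destination": {"host": dest, "port": {"number": 443}}}]
    return {"kind": "VirtualService", "metadata": {"name": name},
            "spec": {"hosts": [HOST], "gateways": gateways,
                     "tls": [{"match": [{"sniHosts": [HOST]}], "route": route}]}}

# Constructed sample data: the page's four resources, reduced to the fields the check reads.
MANIFESTS = [
    {"kind": "ServiceEntry", "metadata": {"name": "external-api"}, "spec": {"hosts": [HOST]}},
    {"kind": "Gateway", "metadata": {"name": "istio-egressgateway"},
     "spec": {"servers": [{"hosts": [HOST], "tls": {"mode": "PASSTHROUGH"}}]}},
    make_vs("to-egress-gw", ["mesh"], GW_SVC),
    make_vs("egress-gw-forward", ["istio-egressgateway"], HOST),
]

print(check_egress_chain(MANIFESTS) or "egress chain is consistent")
```

An empty result means every ServiceEntry host is listed on the Gateway and covered by both hops; it says nothing about whether workloads can still bypass the gateway at the network layer.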
