Istio Security Assessment
Snippet: … == nil && certChain == nil && rootCert == nil { return fmt.Errorf("the input private key, cert chain, and root cert are nil") } if privateKey != nil { if err := ioutil.WriteFile(path.Join(dir, "key … nil { if err := ioutil.WriteFile(path.Join(dir, "cert-chain.pem"), certChain, 0777); err != nil { return fmt.Errorf("failed to write cert chain to file: %v", err) } } if rootCert != nil { if err := … man-in-the-middle attack against clients whose TLS-configured DestinationRules do not specify a CA certificate chain. Description: As discussed in the istio/istio GitHub repository's issue #25652, as part of its process …
51 pages | 849.66 KB | 1 year ago
Extending service mesh capabilities using a streamlined way based on WASM and ORAS
Snippet: 王夕宁 | Alibaba Cloud Service Mesh (ASM). Envoy's Filter Chain (diagram labels: Listener, Downstream, Filter, Filter, Filter, Cluster, Upstream, Filter Chain). Extend with custom filters and configure them dynamically through the xDS API. L4 Network Filters; L7 HTTP Filters. Envoy filters used in the actual example: listening on port 9080; envoy.filters.network.metadata_exchange; envoy.http_connection_manager; Cluster: productpage service; Filter Chain: envoy.filters.http.wasm / envoy.wasm.metadata_exchange; Istio_authn; kubectl exec -it [productpage-xxx] -c …
23 pages | 2.67 MB | 1 year ago
Analysis of Istio Control Plane Component Internals
Snippet: … Option 2: use a topic-subscription model to reduce blocking. Istio_Ca: security certificate management (ICA). Certificate generation, certificate mounting, certificate expiry. Certificate generation: generates root-cert.pem, cert-chain.pem and key.pem. Certificate mounting: ICA creates a Secret object named istio.default in k8s; application services fetch the certificates from that Secret and mount them at /etc/certs (volumeMounts: secret: optional: true, secretName: istio.default). Certificate expiry: root-cert.pem is actually valid for 1 year, and no renewal mechanism was found, so manual renewal? cert-chain.pem and key.pem are actually valid for 90 days, while the program caps the validity at 45 days; expired certificates are regenerated and mounted at /etc/certs, which triggers an Envoy hot restart. Option 1: move certificate regeneration to the early-morning hours. http://www …
30 pages | 9.28 MB | 6 months ago
Your laptop as part of the service mesh
Snippet: … infrastructure: yes. #IstioCon. Drawbacks: the contract header needs to be preserved all the way through the call chain. #IstioCon. Demo time. #IstioCon. Thank you! ● Your laptop as part of the service mesh @ Medium
30 pages | 555.24 KB | 1 year ago
Preserve Original Source Address within Istio
Snippet: … header "x-forwarded-for" • User Protocol. #IstioCon. LVS: ① the user sends traffic to LVS; ② the PREROUTING chain intercepts the packet and sends it to INPUT; ③ LVS works on INPUT, modifying the packet's destination IP + port and …
29 pages | 713.08 KB | 1 year ago