Envoy 上游 TLS 起源(TLS Origination) 与证书校验配置实战

配置上游 TLS：static_resources: listeners: - name: listener_0 address: socket_address: { address: 0.0.0.0, port_value: 8080 } filter_chains: - filters: - name: envoy.filters.network.http_connection_manager typed_config: "@type": type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager stat_prefix: ingress_http route_config: name: local_route virtual_hosts: - name: backend domains: ["*"] routes: - match: { prefix: "/" } route: { cluster: external_api } http_filters: - name: envoy.filters.http.router clusters: - name: external_api type: LOGICAL_DNS connect_timeout: 1s lb_policy: ROUND_ROBIN load_assignment: cluster_name: external_api endpoints: - lb_endpoints: - endpoint: address: socket_address: { address: api.example.com, port_value: 443 } transport_socket: name: envoy.transport_sockets.tls typed_config: "@type": type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.UpstreamTlsContext sni: api.example.com common_tls_context: validation_context: trusted_ca: filename: /etc/envoy/ca.pem