Istio Egress Gateway 外部服务访问控制与 TLS 直连配置实战

ServiceEntry 定义外部主机：apiVersion: networking.istio.io/v1beta1 kind: ServiceEntry metadata: name: external-api spec: hosts: - api.example.com ports: - number: 443 name: https protocol: TLS resolution: DNS location: MESH_EXTERNAL Egress Gateway 定义：apiVersion: networking.istio.io/v1beta1 kind: Gateway metadata: name: istio-egressgateway namespace: istio-system spec: selector: istio: egressgateway servers: - port: number: 443 name: tls protocol: TLS tls: mode: PASSTHROUGH hosts: - api.example.com VirtualService（从 mesh 指向 Egress Gateway）：apiVersion: networking.istio.io/v1beta1 kind: VirtualService metadata: name: to-egress-gw spec: hosts: - api.example.com gateways: - mesh tls: - match: - sniHosts: - api.example.com route: - destination: host: istio-egressgateway.istio-system.svc.cluster.local port: number: 443 VirtualService（在 Egress Gateway 上转发到外部）：apiVersion: networking.istio.io/v1beta1 kind: VirtualService metadata: name: egress-gw-forward namespace: istio-system spec: hosts: - api.example.com gateways: - istio-egressgateway tls: - match: - sniHosts: - api.example.com port: 443 route: - destination: host: api.example.com port: number: 443