配置上游 TLS:


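# Envoy static bootstrap: one plaintext HTTP listener that forwards every
# request to a single upstream cluster over TLS.
static_resources:
  listeners:
    - name: listener_0
      address:
        # Binds on all interfaces, plaintext, with no authentication filter:
        # any client that can reach port 8080 is proxied to the upstream.
        # Bind to a specific address or restrict at the network layer if this
        # proxy is not meant to be reachable from everywhere.
        socket_address: { address: 0.0.0.0, port_value: 8080 }
      filter_chains:
        - filters:
            - name: envoy.filters.network.http_connection_manager
              typed_config:
                "@type": type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager
                stat_prefix: ingress_http
                route_config:
                  name: local_route
                  virtual_hosts:
                    - name: backend
                      domains: ["*"]
                      routes:
                        # NOTE(review): no host rewrite is configured, so the
                        # client's Host header is forwarded unchanged; confirm
                        # the upstream accepts that.
                        - match: { prefix: "/" }
                          route: { cluster: external_api }
                http_filters:
                  - name: envoy.filters.http.router
                    # Recent Envoy releases resolve extensions by the
                    # typed_config type URL, not by name alone, so the router
                    # filter needs an explicit typed_config to load.
                    typed_config:
                      "@type": type.googleapis.com/envoy.extensions.filters.http.router.v3.Router
  clusters:
    - name: external_api
      type: LOGICAL_DNS
      connect_timeout: 1s
      lb_policy: ROUND_ROBIN
      load_assignment:
        cluster_name: external_api
        endpoints:
          - lb_endpoints:
              - endpoint:
                  address:
                    socket_address: { address: api.example.com, port_value: 443 }
      transport_socket:
        name: envoy.transport_sockets.tls
        typed_config:
          "@type": type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.UpstreamTlsContext
          # SNI only tells the server which certificate to present; it does
          # not make Envoy check the name in the certificate it gets back.
          sni: api.example.com
          common_tls_context:
            validation_context:
              # Chain validation: the upstream certificate must chain to a CA
              # in this file. Keep the bundle limited to the CA(s) expected to
              # issue the upstream's certificate; every extra root widens the
              # set of issuers whose certificates will be accepted.
              trusted_ca:
                filename: /etc/envoy/ca.pem
              # Identity validation: trusted_ca alone accepts any certificate
              # issued by a trusted CA, whatever host it names. Pin the
              # expected DNS SAN so a certificate issued for a different host
              # is rejected.
              match_typed_subject_alt_names:
                - san_type: DNS
                  matcher:
                    exact: api.example.com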

