I. Create the Istio Gateway
1. Create the Secret holding the TLS certificate.
2. Create the Gateway for the *.dev.domain.cn domain; the YAML is as follows:
apiVersion: networking.istio.io/v1beta1
kind: Gateway
metadata:
  name: gw-dev-msl-cn
  namespace: ns-istio-system-sit
spec:
  selector:
    istio: ingressgateway
  servers:
  - hosts:
    - '*.dev.domain.cn'
    port:
      name: https
      number: 8443
      protocol: HTTPS
    tls:
      credentialName: dev-msl-cn
      minProtocolVersion: TLSV1_2
      mode: SIMPLE
3. Create the Gateway for the *.internal.domain.com domain; the YAML is as follows:
apiVersion: networking.istio.io/v1beta1
kind: Gateway
metadata:
  name: gw-internal-manulife-sinochem-com
  namespace: ns-istio-system-sit
spec:
  selector:
    istio: ingressgateway
  servers:
  - hosts:
    - '*.internal.domain.com'
    port:
      name: https
      number: 8443
      protocol: HTTPS
    tls:
      credentialName: internal-manulife-sinochem-com
      minProtocolVersion: TLSV1_2
      mode: SIMPLE
4. Once both are created, the cluster should contain only these two Gateway custom resources.
II. Create routes on the Istio Gateway
1. Create a route for the microservice (VirtualService vs-osi-nb-std-comp).
The microservice's Service name is osi-nb-std-comp, its domain name is openapi-osi-core.dev.msl.cn, and its port is 8090. The VirtualService YAML is as follows:
apiVersion: networking.istio.io/v1beta1
kind: VirtualService
metadata:
  name: vs-osi-nb-std-comp
  namespace: ns-nb-application
spec:
  gateways:
  - ns-istio-system-sit/gw-dev-msl-cn
  hosts:
  - "*.dev.domain.cn"
  http:
  - match:
    - uri:
        prefix: /osi-nb-std-comp
    route:
    - destination:
        host: osi-nb-std-comp
        port:
          number: 8090
2. Once created, look up the load-balancer IP address of the ingress gateway's Service; it is 10.137.9.50.
3. On a Linux client that can reach the Istio ingress gateway, add the following entry to /etc/hosts:
10.137.9.50 openapi-osi-core.dev.msl.cn
4. On the client, verify that the hostname resolves, then request the microservice's health-check URL; an HTTP 200 response means the route works:
$ curl https://openapi-osi-core.dev.msl.cn/osi-nb-std-comp/actuator/health -k -v
* About to connect() to openapi-osi-core.dev.msl.cn port 443 (#0)
* Trying 10.137.9.50...
* Connected to openapi-osi-core.dev.msl.cn (10.137.9.50) port 443 (#0)
* Initializing NSS with certpath: sql:/etc/pki/nssdb
* skipping SSL peer certificate verification
* SSL connection using TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
* Server certificate:
* subject: CN=*.dev.msl.cn,OU=IT,O=MSL,L=Shanghai,ST=Shanghai,C=CN
* start date: Sep 21 00:46:51 2020 GMT
* expire date: Sep 20 00:46:51 2025 GMT
* common name: *.dev.msl.cn
* issuer: CN=MSL-CA,DC=msl,DC=cn
> GET /osi-nb-std-comp/actuator/health HTTP/1.1
> User-Agent: curl/7.29.0
> Host: openapi-osi-core.dev.msl.cn
> Accept: */*
>
< HTTP/1.1 200 OK
< set-cookie: SessionId=S-2bd9ed568e594d3584bf9b9656a39c4b; Path=/; Max-Age=2592000; Expires=Tue, 22 Nov 2022 16:35:31 GMT; HttpOnly
< server: istio-envoy
< content-type: application/vnd.spring-boot.actuator.v3+json
< date: Sun, 23 Oct 2022 16:35:31 GMT
< x-envoy-upstream-service-time: 18
< transfer-encoding: chunked
<
* Connection #0 to host openapi-osi-core.dev.msl.cn left intact
5. Below is an example configuration for a web API service exposed under the internal.domain.com domain; the backend microservice is osi-nb-std-app:
apiVersion: networking.istio.io/v1beta1
kind: VirtualService
metadata:
  name: vs-osi-nb-std-app
  namespace: ns-nb-application
spec:
  gateways:
  - ns-istio-system-sit/gw-internal-manulife-sinochem-com
  hosts:
  - "*.internal.domain.com"
  http:
  - match:
    - uri:
        prefix: /osi-nb-std-app
    route:
    - destination:
        host: osi-nb-std-app
        port:
          number: 8080
III. Configure the Istio Gateway health check
This health check lets the MSE gateway instance detect whether the Istio gateway is healthy.
1. Reuse the Istio ingress gateway's own readiness URL as the MSE health check: create a VirtualService for it, bound to both gateways (domain.cn and domain.com), with the following YAML:
apiVersion: networking.istio.io/v1beta1
kind: VirtualService
metadata:
  name: vs-istio-ingressgateway-healthcheck
  namespace: ns-istio-system-sit
spec:
  gateways:
  - gw-dev-msl-cn
  - gw-internal-manulife-sinochem-com
  hosts:
  - '*'
  http:
  - match:
    - uri:
        prefix: /healthz/ready
    route:
    - destination:
        host: istio-ingressgateway
        port:
          number: 15021
2. Once created, look up the load-balancer IP address of the ingress gateway's Service; it is 10.137.9.50:
$ kubectl get svc -n ns-istio-system-sit
NAME                   TYPE           CLUSTER-IP     EXTERNAL-IP   PORT(S)                                                      AGE
istio-ingressgateway   LoadBalancer   172.31.0.4     10.137.9.50   15021:32499/TCP,80:31065/TCP,443:30188/TCP,9091:32621/TCP   75d
istiod                 ClusterIP      172.31.0.199   <none>        15010/TCP,15012/TCP,443/TCP,15014/TCP                        76d
3. On a Linux client that can reach the Istio ingress gateway, add the following entries to /etc/hosts:
10.137.9.50 istio-dit-sh01.dev.domain.cn
10.137.9.50 istio-dit-sh01.internal.domain.com
4. On the client, verify that the hostnames resolve, then request the health-check URL on each; an HTTP 200 response means the gateway is healthy:
$ ping istio-dit-sh01.dev.msl.cn
PING istio-dit-sh01.dev.msl.cn (10.137.9.50) 56(84) bytes of data.
64 bytes from istio-dit-sh01.dev.msl.cn (10.137.9.50): icmp_seq=1 ttl=101 time=1.21 ms
$ ping istio-dit-sh01.internal.domain.com
PING istio-dit-sh01.internal.domain.com (10.137.9.50) 56(84) bytes of data.
64 bytes from istio-dit-sh01.dev.msl.cn (10.137.9.50): icmp_seq=1 ttl=101 time=1.15 ms
## For istio-dit-sh01.dev.domain.cn
$ curl https://istio-dit-sh01.dev.domain.cn/healthz/ready -k -v
* About to connect() to istio-dit-sh01.dev.domain.cn port 443 (#0)
* Trying 10.137.9.50...
* Connected to istio-dit-sh01.dev.domain.cn (10.137.9.50) port 443 (#0)
* Initializing NSS with certpath: sql:/etc/pki/nssdb
* skipping SSL peer certificate verification
* SSL connection using TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
* Server certificate:
* subject: CN=*.dev.msl.cn,OU=IT,O=MSL,L=Shanghai,ST=Shanghai,C=CN
* start date: Sep 21 00:46:51 2020 GMT
* expire date: Sep 20 00:46:51 2025 GMT
* common name: *.dev.msl.cn
* issuer: CN=MSL-CA,DC=msl,DC=cn
> GET /healthz/ready HTTP/1.1
> User-Agent: curl/7.29.0
> Host: istio-dit-sh01.dev.msl.cn
> Accept: */*
>
< HTTP/1.1 200 OK
< date: Sun, 23 Oct 2022 16:07:50 GMT
< content-length: 0
< x-envoy-upstream-service-time: 0
< server: istio-envoy
<
* Connection #0 to host istio-dit-sh01.dev.domain.cn left intact
## For istio-dit-sh01.internal.domain.com
$ curl https://istio-dit-sh01.internal.domain.com/healthz/ready -k -v
* About to connect() to istio-dit-sh01.internal.domain.com port 443 (#0)
* Trying 10.137.9.50...
* Connected to istio-dit-sh01.internal.domain.com (10.137.9.50) port 443 (#0)
* Initializing NSS with certpath: sql:/etc/pki/nssdb
* skipping SSL peer certificate verification
* SSL connection using TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
* Server certificate:
* subject: CN=*.internal.manulife-sinochem.com,O=有限公司,L=Shanghai,ST=Shanghai,C=CN
* start date: Aug 01 07:36:06 2022 GMT
* expire date: Sep 02 07:36:05 2023 GMT
* common name: *.internal.manulife-sinochem.com
* issuer: CN=GlobalSign RSA OV SSL CA 2018,O=GlobalSign nv-sa,C=BE
> GET /healthz/ready HTTP/1.1
> User-Agent: curl/7.29.0
> Host: istio-dit-sh01.internal.domain.com
> Accept: */*
>
< HTTP/1.1 200 OK
< date: Sun, 23 Oct 2022 17:35:23 GMT
< content-length: 0
< x-envoy-upstream-service-time: 0
< server: istio-envoy
<
* Connection #0 to host istio-dit-sh01.internal.domain.com left intact
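The Gateway and VirtualService manifests above only work together when each VirtualService's gateway reference resolves (a bare name is looked up in the VirtualService's own namespace, which is why the application routes use the ns-istio-system-sit/ prefix) and its hosts fall within what the Gateway serves. The following is an added example, not part of the original article: it checks those relationships and the Gateway TLS settings offline, over this page's manifests reduced to plain Python dicts.

```python
# Added example, not from the original article: offline checks for the Gateway /
# VirtualService pairing above. The manifests are the article's, reduced to the
# fields the checks need and written as plain dicts so no PyYAML is required.
GATEWAYS = [
    {"name": "gw-dev-msl-cn", "namespace": "ns-istio-system-sit", "hosts": ["*.dev.domain.cn"],
     "tls": {"mode": "SIMPLE", "minProtocolVersion": "TLSV1_2", "credentialName": "dev-msl-cn"}},
    {"name": "gw-internal-manulife-sinochem-com", "namespace": "ns-istio-system-sit",
     "hosts": ["*.internal.domain.com"],
     "tls": {"mode": "SIMPLE", "minProtocolVersion": "TLSV1_2", "credentialName": "internal-manulife-sinochem-com"}},
]
VIRTUALSERVICES = [
    {"name": "vs-osi-nb-std-comp", "namespace": "ns-nb-application",
     "gateways": ["ns-istio-system-sit/gw-dev-msl-cn"], "hosts": ["*.dev.domain.cn"]},
    {"name": "vs-osi-nb-std-app", "namespace": "ns-nb-application",
     "gateways": ["ns-istio-system-sit/gw-internal-manulife-sinochem-com"], "hosts": ["*.internal.domain.com"]},
    {"name": "vs-istio-ingressgateway-healthcheck", "namespace": "ns-istio-system-sit",
     "gateways": ["gw-dev-msl-cn", "gw-internal-manulife-sinochem-com"], "hosts": ["*"]},
]
def resolve_gateway_ref(ref, vs_namespace):
    """'ns/name' is taken literally; a bare name means the VirtualService's own namespace."""
    return tuple(ref.split("/", 1)) if "/" in ref else (vs_namespace, ref)
def host_covered(vs_host, gw_hosts):
    """True if a gateway server exposes vs_host; a VS host of '*' is narrowed to what the gateway serves."""
    if vs_host == "*":
        return True
    for gw_host in gw_hosts:
        if gw_host in ("*", vs_host):
            return True
        if gw_host.startswith("*.") and vs_host.endswith(gw_host[1:]):  # '*.x' covers 'a.x' and '*.x'
            return True
    return False
def check_gateway(gw):
    """Flag a server that is not plain TLS termination with a named secret and TLS >= 1.2."""
    tls, problems = gw["tls"], []
    if tls.get("mode") != "SIMPLE" or not tls.get("credentialName"):
        problems.append(f"{gw['name']}: expected mode SIMPLE with a credentialName")
    if tls.get("minProtocolVersion") not in ("TLSV1_2", "TLSV1_3"):
        problems.append(f"{gw['name']}: minProtocolVersion must be TLSV1_2 or higher")
    return problems
def check_virtualservice(vs, gateways=GATEWAYS):
    """Every gateway reference must resolve and every VS host must be served by it."""
    index, problems = {(g["namespace"], g["name"]): g for g in gateways}, []
    for ref in vs["gateways"]:
        gw = index.get(resolve_gateway_ref(ref, vs["namespace"]))
        if gw is None:
            problems.append(f"{vs['name']}: gateway {ref} does not exist")
            continue
        problems += [f"{vs['name']}: host {h} is not served by {ref}"
                     for h in vs["hosts"] if not host_covered(h, gw["hosts"])]
    return problems
```

Running check_virtualservice over a VirtualService in ns-nb-application that references the bare name gw-dev-msl-cn reports the gateway as missing, which is the misconfiguration the namespace prefix in the page's manifests avoids.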