一. gateway
- 在
Kubernetes环境中,Kubernetes Ingress用于配置需要在集群外部公开的服务。但是在Istio服务网格中,更好的方法是使用新的配置模型,即Istio Gateway,Gateway 允许将Istio流量管理的功能应用于进入集群的流量,gateway 分为两种,分别是Ingress-gateway和Egress-gateway
如下
Istio部署过程,可以得到/root/istio-1.13.2/samples/multicluster目录信息
# 生成生成东西向网关
cd /root/istio-1.13.2/samples/multicluster
./gen-eastwest-gateway.sh --mesh mesh1 --cluster cluster1 --network network1 | istioctl install -y -f -
[root@lonely ~/istio-1.13.2/samples/multicluster]# kubectl -n istio-system get po |grep eastwestgateway
istio-eastwestgateway-56dcd6468d-nhbbc 1/1 Running 0 40m
1. hosts
根据上面的案例, bookinfo
[root@lonely ~/istio-1.13.2/samples/multicluster]# kubectl explain gw.spec.servers
KIND: Gateway
VERSION: networking.istio.io/v1beta1
RESOURCE: servers <[]Object>
DESCRIPTION:
A list of server specifications.
FIELDS:
bind <string>
defaultEndpoint <string>
hosts <[]string>
One or more hosts exposed by this gateway.
name <string>
An optional name of the server, when set must be unique across all servers.
port <Object>
tls <Object>
Set of TLS related options that govern the server's behavior.
案例,hosts,可以配置多个
apiVersion: networking.istio.io/v1beta1
kind: Gateway
metadata:
name: bookinfo-gateway
namespace: istio
spec:
selector:
istio: ingressgateway
servers:
- hosts:
- '*'
port:
name: http
number: 80
protocol: HTTP
apiVersion: networking.istio.io/v1beta1
kind: VirtualService
metadata:
name: bookinfo
spec:
hosts:
- "*"
gateways:
- istio-system/bookinfo-gateway
http:
- match:
- uri:
exact: /productpage
- uri:
prefix: /static
- uri:
exact: /login
- uri:
exact: /logout
- uri:
prefix: /api/v1/products
route:
- destination:
host: productpage.istio.svc.cluster.local
port:
number: 9080
# 利用 Kubernetes 把 istio-ingressgateway 暴露 15000 端口
kubectl port-forward --address 0.0.0.0 -n istio-system istio-ingressgateway-77968dbd74-fslsz 15000:15000
http://172.164.100.44:15000/config_dump
如上是 gateway 和 VirtualService 的配置清单,将 istio namespace 下的 vs 和 gw 删除掉并将他们创建在
istio-systemNamespace 中,看是否可以访问到页面
kubectl -n istio-system -f .
## 都可以访问到
# vs 和 gw 都在 istio-system 名称空间
# gw 在 istio-system vs 在 istio Namespace 中
vs 和 gateway 都在 istio-system 名称空间中
vs 的 host 没有指定名称空间
访问不成功,host指定名称空间:
productpage.istio.svc.cluster.local
apiVersion: networking.istio.io/v1beta1
kind: VirtualService
metadata:
name: bookinfo
spec:
hosts:
- "*"
gateways:
- istio-system/bookinfo-gateway
http:
- match:
- uri:
exact: /productpage
- uri:
prefix: /static
- uri:
exact: /login
- uri:
exact: /logout
- uri:
prefix: /api/v1/products
route:
- destination:
host: productpage # host 没指定名称空间
port:
number: 9080
kubectl -n istio-system delete gw bookinfo-gateway
- gw 和 vs 的 host 是一样的情况,需要提前将该域名做好 host 解析,
http://bookinfo.com:31111/productpage成功
kubectl apply -f gateway-server-hosts-bookinfo-com.yaml -n istio-system
apiVersion: networking.istio.io/v1beta1
kind: Gateway
metadata:
name: bookinfo-gateway
spec:
selector:
istio: ingressgateway
servers:
- port:
number: 80
name: http
protocol: HTTP
hosts:
- "bookinfo.com"
kubectl apply -f vs-bookinfo-hosts-star-gw-host-same.yaml -n istio-system
apiVersion: networking.istio.io/v1beta1
kind: VirtualService
metadata:
name: bookinfo
spec:
hosts:
- "bookinfo.com"
gateways:
- bookinfo-gateway
http:
- match:
- uri:
exact: /productpage
- uri:
prefix: /static
- uri:
exact: /login
- uri:
exact: /logout
- uri:
prefix: /api/v1/products
route:
- destination:
host: productpage.istio.svc.cluster.local
port:
number: 9080
- gw 和 vs 的 host 是具体值,但是不一样,
http://bookinfo.com:31111/productpage和http://bookinfo.demo:31111/productpage都失败
kubectl apply -f vs-bookinfo-hosts-star-gw-host-diff.yaml -n istio-system
apiVersion: networking.istio.io/v1beta1
kind: VirtualService
metadata:
name: bookinfo
spec:
hosts:
- "bookinfo.demo"
gateways:
- bookinfo-gateway
http:
- match:
- uri:
exact: /productpage
- uri:
prefix: /static
- uri:
exact: /login
- uri:
exact: /logout
- uri:
prefix: /api/v1/products
route:
- destination:
host: productpage.istio.svc.cluster.local
port:
number: 9080
- vs 的host包含 gw,host 使用的是
*.com,http://bookinfo.com:31111/productpage成功
kubectl -n istio-system apply -f vs-bookinfo-hosts-star-host-contain-gw.yaml
apiVersion: networking.istio.io/v1beta1
kind: VirtualService
metadata:
name: bookinfo
spec:
hosts:
- "*.com"
gateways:
- bookinfo-gateway
http:
- match:
- uri:
exact: /productpage
- uri:
prefix: /static
- uri:
exact: /login
- uri:
exact: /logout
- uri:
prefix: /api/v1/products
route:
- destination:
host: productpage.istio.svc.cluster.local
port:
number: 9080
- vs host为任意,
http://bookinfo.com:31111/productpage成功
kubectl apply -f vs-bookinfo-hosts-star.yaml -n istio-system
apiVersion: networking.istio.io/v1beta1
kind: VirtualService
metadata:
name: bookinfo
spec:
hosts:
- "*"
gateways:
- bookinfo-gateway
http:
- match:
- uri:
exact: /productpage
- uri:
prefix: /static
- uri:
exact: /login
- uri:
exact: /logout
- uri:
prefix: /api/v1/products
route:
- destination:
host: productpage.istio.svc.cluster.local
port:
number: 9080
- vs host 为
bookinfo.*,创建失败,host 不可以这样使用
kubectl apply -f vs-bookinfo-hosts-star-mix-error.yaml -n istio-system
apiVersion: networking.istio.io/v1beta1
kind: VirtualService
metadata:
name: bookinfo
spec:
hosts:
- "bookinfo.*"
gateways:
- bookinfo-gateway
http:
- match:
- uri:
exact: /productpage
- uri:
prefix: /static
- uri:
exact: /login
- uri:
exact: /logout
- uri:
prefix: /api/v1/products
route:
- destination:
host: productpage.istio.svc.cluster.local
port:
number: 9080
2. 多个host
- 同样 2个host都要做解析
-
http://bookinfo.com:31111/productpage和http://bookinfo.demo:31111/productpage都成功
kubectl apply -f gateway-server-hosts-multi.yaml -n istio-system
apiVersion: networking.istio.io/v1beta1
kind: Gateway
metadata:
name: bookinfo-gateway
spec:
selector:
istio: ingressgateway
servers:
- port:
number: 80
name: http
protocol: HTTP
hosts:
- "bookinfo.com"
- "bookinfo.demo"
kubectl apply -f vs-bookinfo-hosts-star.yaml -n istio-system
apiVersion: networking.istio.io/v1beta1
kind: VirtualService
metadata:
name: bookinfo
spec:
hosts:
- "*"
gateways:
- bookinfo-gateway
http:
- match:
- uri:
exact: /productpage
- uri:
prefix: /static
- uri:
exact: /login
- uri:
exact: /logout
- uri:
prefix: /api/v1/products
route:
- destination:
host: productpage.istio.svc.cluster.local
port:
number: 9080
3. 混合host
kubectl apply -f gateway-server-hosts-mix.yaml -n istio-system虽然gw中使用
*.com,但是 vs 中只指定了 bookinfo.com ,所有只有这个域名才可以访问
apiVersion: networking.istio.io/v1beta1
kind: Gateway
metadata:
name: bookinfo-gateway
spec:
selector:
istio: ingressgateway
servers:
- port:
number: 80
name: http
protocol: HTTP
hosts:
- "*.com" # gw 使用*
---
apiVersion: networking.istio.io/v1beta1
kind: VirtualService
metadata:
name: bookinfo
spec:
hosts:
- "bookinfo.com"
gateways:
- bookinfo-gateway
http:
- match:
- uri:
exact: /productpage
- uri:
prefix: /static
- uri:
exact: /login
- uri:
exact: /logout
- uri:
prefix: /api/v1/products
route:
- destination:
host: productpage.istio.svc.cluster.local
port:
number: 9080
kubectl apply -f vs-bookinfo-hosts-mix.yaml -n istio-system
http://bookinfo.com:31111/productpage失败,端口问题
http://mydemo.com/productpage成功,但是要用Service的externalIp和 80 端口
apiVersion: networking.istio.io/v1beta1
kind: VirtualService
metadata:
name: bookinfo
spec:
hosts:
- "*.com"
gateways:
- bookinfo-gateway
http:
- match:
- uri:
exact: /productpage
- uri:
prefix: /static
- uri:
exact: /login
- uri:
exact: /logout
- uri:
prefix: /api/v1/products
route:
- destination:
host: productpage.istio.svc.cluster.local
port:
number: 9080
[root@lonely ~/istio-1.13.2/samples/bookinfo/networking]# kubectl -n istio-system get svc
NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE
istio-eastwestgateway LoadBalancer 10.109.117.190 <pending> 15021:30533/TCP,15443:30659/TCP,15012:31399/TCP,15017:31687/TCP 4d
istio-egressgateway ClusterIP 10.103.156.78 <none> 80/TCP,443/TCP 4d
istio-ingressgateway LoadBalancer 10.97.209.189 <pending> 15021:30376/TCP,80:31111/TCP,443:32297/TCP,31400:30357/TCP,15443:32535/TCP 4d
istiod ClusterIP 10.101.78.119 <none> 15010/TCP,15012/TCP,443/TCP,15014/TCP 4d
#
kubectl -n istio-system edit svc istio-ingressgateway
4. name
-
http://bookinfo.com:31111/productpage和http://bookinfo.demo:31111/productpage都成功,这个作用不大
kubectl apply -f gateway-server-name.yaml -n istio-system
kubectl apply -f vs-bookinfo-hosts-star.yaml -n istio-system(上面已有这个yaml)
apiVersion: networking.istio.io/v1beta1
kind: Gateway
metadata:
name: bookinfo-gateway
spec:
selector:
istio: ingressgateway
servers:
- port:
number: 80
name: http
protocol: HTTP
hosts:
- "*"
name: bookinfo-gateway # 增加了这个 name 配置项
| Field | Type | Description | Required |
|---|---|---|---|
| number | uint32 | 一个有效的端口号 | 是 |
| protocol | string | 所使用的协议,支持HTTP|HTTPS|GRPC|HTTP2|MONGO|TCP|TLS. | 是 |
| name | string | 给端口分配一个名称 | 是 |
istio支持的协议:
grpcgrpc-webhttphttp2httpsmongo-
mysql* -
redis* tcptlsudp
- These protocols are disabled by default to avoid accidentally enabling experimental features. To enable them, configure the corresponding Pilot environment variables.
2. HTTPS
- 默认的就是http,前面的案例已经说明
openssl.conf
[req]
default_bits = 2048
distinguished_name = req_distinguished_name
req_extensions = v3_req
prompt = no
[req_distinguished_name]
C = CN
ST = zhejiang
L = ningbo
O = mkb
OU = IT
CN = bookinfo.com
[v3_req]
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = @alt_names
[alt_names]
DNS.1 = 8.8.8.8
# 签发证书
openssl req -x509 -sha256 -nodes -days 365 -newkey rsa:2048 -keyout cert.key -out cert.crt -config openssl.conf
# 创建 secret
kubectl create -n istio-system secret tls istio-ingressgateway-certs --key ./cert.key --cert=./cert.crt
# 查看容器中是否引用了
kubectl exec deploy/istio-ingressgateway -n istio-system -- ls /etc/istio/ingressgateway-certs
- 浏览器访问三个域名:
https://${domain}:32297/productpage都是可以访问到,同时端口记得是443映射出来的端口,域名也要提前做解析
kubectl -n istio-system apply -f gateway-https.yaml
kubectl -n istio-system apply -f vs-bookinfo-hosts-star.yaml这个上面已有
apiVersion: networking.istio.io/v1beta1
kind: Gateway
metadata:
name: bookinfo-gateway
spec:
selector:
istio: ingressgateway
servers:
- port:
number: 443
name: https
protocol: HTTPS
hosts:
- "bookinfo.demo"
- "ratings.demo"
- "nginx.example.com"
tls:
mode: SIMPLE
serverCertificate: /etc/istio/ingressgateway-certs/tls.crt
privateKey: /etc/istio/ingressgateway-certs/tls.key
3.TCP
# 还是使用官网的案例
cd /root/istio-1.13.2/samples/tcp-echo
kubectl apply -f tcp-echo-services.yaml -n istio
kubectl -n istio apply -f gateway-tcp.yaml
apiVersion: networking.istio.io/v1beta1
kind: Gateway
metadata:
name: tcp-echo-gateway
spec:
selector:
istio: ingressgateway
servers:
- port:
number: 31400
name: tcp
protocol: TCP
hosts:
- "*"
kubectl -n istio apply -f vs-dr-tcp-echo.yaml
apiVersion: networking.istio.io/v1beta1
kind: DestinationRule
metadata:
name: tcp-echo-destination
spec:
host: tcp-echo
subsets:
- name: v1
labels:
version: v1
- name: v2
labels:
version: v2
---
apiVersion: networking.istio.io/v1beta1
kind: VirtualService
metadata:
name: tcp-echo
spec:
hosts:
- "*"
gateways:
- tcp-echo-gateway
tcp:
- match:
- port: 31400
route:
- destination:
host: tcp-echo
port:
number: 9000
subset: v1
[root@lonely /apps/istio]# kubectl -n istio-system get svc istio-ingressgateway
NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE
istio-ingressgateway LoadBalancer 10.97.209.189 <pending> 15021:30376/TCP,80:31111/TCP,443:32297/TCP,31400:30357/TCP,15443:32535/TCP 5d2h
测试:
telnet 10.97.209.189 31400可以看到telnet进去后,打印的都是 one
kubectl -n istio edit vs tcp-echo,直接改变为 v2,如下为改后的yaml,也可以直接apply
apiVersion: networking.istio.io/v1beta1
kind: VirtualService
metadata:
name: tcp-echo
spec:
hosts:
- "*"
gateways:
- tcp-echo-gateway
tcp:
- match:
- port: 31400
route:
- destination:
host: tcp-echo
port:
number: 9000
subset: v2 # 修改此处
打印的是 two 了文章来源:https://www.toymoban.com/news/detail-819973.html
文章来源地址https://www.toymoban.com/news/detail-819973.html
到了这里,关于Istio-gateway的文章就介绍完了。如果您还想了解更多内容,请在右上角搜索TOY模板网以前的文章或继续浏览下面的相关文章,希望大家以后多多支持TOY模板网!
