一. gateway
- 在
Kubernetes环境中,Kubernetes Ingress用于配置需要在集群外部公开的服务。但是在Istio服务网格中,更好的方法是使用新的配置模型,即Istio Gateway,Gateway 允许将Istio流量管理的功能应用于进入集群的流量,gateway 分为两种,分别是Ingress-gateway和Egress-gateway
如下
Istio部署过程,可以得到/root/istio-1.13.2/samples/multicluster目录信息
# 生成生成东西向网关
cd /root/istio-1.13.2/samples/multicluster
./gen-eastwest-gateway.sh --mesh mesh1 --cluster cluster1 --network network1 | istioctl install -y -f -[root@lonely ~/istio-1.13.2/samples/multicluster]# kubectl -n istio-system get po |grep eastwestgateway
istio-eastwestgateway-56dcd6468d-nhbbc 1/1 Running 0 40m
1. hosts
根据上面的案例, bookinfo
[root@lonely ~/istio-1.13.2/samples/multicluster]# kubectl explain gw.spec.serversKIND: Gateway
VERSION: networking.istio.io/v1beta1RESOURCE: servers <[]Object>DESCRIPTION:A list of server specifications.FIELDS:bind <string>defaultEndpoint <string>hosts <[]string>One or more hosts exposed by this gateway.name <string>An optional name of the server, when set must be unique across all servers.port <Object>tls <Object>Set of TLS related options that govern the server's behavior.
案例,hosts,可以配置多个
apiVersion: networking.istio.io/v1beta1
kind: Gateway
metadata:name: bookinfo-gatewaynamespace: istio
spec:selector:istio: ingressgatewayservers:- hosts:- '*'port:name: httpnumber: 80protocol: HTTP
apiVersion: networking.istio.io/v1beta1
kind: VirtualService
metadata:name: bookinfo
spec:hosts:- "*"gateways:- istio-system/bookinfo-gatewayhttp:- match:- uri:exact: /productpage- uri:prefix: /static- uri:exact: /login- uri:exact: /logout- uri:prefix: /api/v1/productsroute:- destination:host: productpage.istio.svc.cluster.localport:number: 9080
# 利用 Kubernetes 把 istio-ingressgateway 暴露 15000 端口
kubectl port-forward --address 0.0.0.0 -n istio-system istio-ingressgateway-77968dbd74-fslsz 15000:15000
http://172.164.100.44:15000/config_dump
如上是 gateway 和 VirtualService 的配置清单,将 istio namespace 下的 vs 和 gw 删除掉并将他们创建在
istio-systemNamespace 中,看是否可以访问到页面
kubectl -n istio-system -f .## 都可以访问到
# vs 和 gw 都在 istio-system 名称空间
# gw 在 istio-system vs 在 istio Namespace 中
vs 和 gateway 都在 istio-system 名称空间中
vs 的 host 没有指定名称空间
访问不成功,host指定名称空间:
productpage.istio.svc.cluster.local
apiVersion: networking.istio.io/v1beta1
kind: VirtualService
metadata:name: bookinfo
spec:hosts:- "*"gateways:- istio-system/bookinfo-gatewayhttp:- match:- uri:exact: /productpage- uri:prefix: /static- uri:exact: /login- uri:exact: /logout- uri:prefix: /api/v1/productsroute:- destination:host: productpage # host 没指定名称空间port:number: 9080
kubectl -n istio-system delete gw bookinfo-gateway
- gw 和 vs 的 host 是一样的情况,需要提前将该域名做好 host 解析,
http://bookinfo.com:31111/productpage成功
kubectl apply -f gateway-server-hosts-bookinfo-com.yaml -n istio-system
apiVersion: networking.istio.io/v1beta1
kind: Gateway
metadata:name: bookinfo-gateway
spec:selector:istio: ingressgatewayservers:- port:number: 80name: httpprotocol: HTTPhosts:- "bookinfo.com"
kubectl apply -f vs-bookinfo-hosts-star-gw-host-same.yaml -n istio-system
apiVersion: networking.istio.io/v1beta1
kind: VirtualService
metadata:name: bookinfo
spec:hosts:- "bookinfo.com"gateways:- bookinfo-gatewayhttp:- match:- uri:exact: /productpage- uri:prefix: /static- uri:exact: /login- uri:exact: /logout- uri:prefix: /api/v1/productsroute:- destination:host: productpage.istio.svc.cluster.localport:number: 9080
- gw 和 vs 的 host 是具体值,但是不一样,
http://bookinfo.com:31111/productpage和http://bookinfo.demo:31111/productpage都失败
kubectl apply -f vs-bookinfo-hosts-star-gw-host-diff.yaml -n istio-system
apiVersion: networking.istio.io/v1beta1
kind: VirtualService
metadata:name: bookinfo
spec:hosts:- "bookinfo.demo"gateways:- bookinfo-gatewayhttp:- match:- uri:exact: /productpage- uri:prefix: /static- uri:exact: /login- uri:exact: /logout- uri:prefix: /api/v1/productsroute:- destination:host: productpage.istio.svc.cluster.localport:number: 9080
- vs 的host包含 gw,host 使用的是
*.com,http://bookinfo.com:31111/productpage成功
kubectl -n istio-system apply -f vs-bookinfo-hosts-star-host-contain-gw.yaml
apiVersion: networking.istio.io/v1beta1
kind: VirtualService
metadata:name: bookinfo
spec:hosts:- "*.com"gateways:- bookinfo-gatewayhttp:- match:- uri:exact: /productpage- uri:prefix: /static- uri:exact: /login- uri:exact: /logout- uri:prefix: /api/v1/productsroute:- destination:host: productpage.istio.svc.cluster.localport:number: 9080
- vs host为任意,
http://bookinfo.com:31111/productpage成功
kubectl apply -f vs-bookinfo-hosts-star.yaml -n istio-system
apiVersion: networking.istio.io/v1beta1
kind: VirtualService
metadata:name: bookinfo
spec:hosts:- "*"gateways:- bookinfo-gatewayhttp:- match:- uri:exact: /productpage- uri:prefix: /static- uri:exact: /login- uri:exact: /logout- uri:prefix: /api/v1/productsroute:- destination:host: productpage.istio.svc.cluster.localport:number: 9080
- vs host 为
bookinfo.*,创建失败,host 不可以这样使用
kubectl apply -f vs-bookinfo-hosts-star-mix-error.yaml -n istio-system
apiVersion: networking.istio.io/v1beta1
kind: VirtualService
metadata:name: bookinfo
spec:hosts:- "bookinfo.*"gateways:- bookinfo-gatewayhttp:- match:- uri:exact: /productpage- uri:prefix: /static- uri:exact: /login- uri:exact: /logout- uri:prefix: /api/v1/productsroute:- destination:host: productpage.istio.svc.cluster.localport:number: 9080
2. 多个host
- 同样 2个host都要做解析
http://bookinfo.com:31111/productpage和http://bookinfo.demo:31111/productpage都成功
kubectl apply -f gateway-server-hosts-multi.yaml -n istio-system
apiVersion: networking.istio.io/v1beta1
kind: Gateway
metadata:name: bookinfo-gateway
spec:selector:istio: ingressgatewayservers:- port:number: 80name: httpprotocol: HTTPhosts:- "bookinfo.com"- "bookinfo.demo"
kubectl apply -f vs-bookinfo-hosts-star.yaml -n istio-system
apiVersion: networking.istio.io/v1beta1
kind: VirtualService
metadata:name: bookinfo
spec:hosts:- "*"gateways:- bookinfo-gatewayhttp:- match:- uri:exact: /productpage- uri:prefix: /static- uri:exact: /login- uri:exact: /logout- uri:prefix: /api/v1/productsroute:- destination:host: productpage.istio.svc.cluster.localport:number: 9080
3. 混合host
kubectl apply -f gateway-server-hosts-mix.yaml -n istio-system虽然gw中使用
*.com,但是 vs 中只指定了 bookinfo.com ,所有只有这个域名才可以访问
apiVersion: networking.istio.io/v1beta1
kind: Gateway
metadata:name: bookinfo-gateway
spec:selector:istio: ingressgatewayservers:- port:number: 80name: httpprotocol: HTTPhosts:- "*.com" # gw 使用*
---
apiVersion: networking.istio.io/v1beta1
kind: VirtualService
metadata:name: bookinfo
spec:hosts:- "bookinfo.com"gateways:- bookinfo-gatewayhttp:- match:- uri:exact: /productpage- uri:prefix: /static- uri:exact: /login- uri:exact: /logout- uri:prefix: /api/v1/productsroute:- destination:host: productpage.istio.svc.cluster.localport:number: 9080
kubectl apply -f vs-bookinfo-hosts-mix.yaml -n istio-system
http://bookinfo.com:31111/productpage失败,端口问题
http://mydemo.com/productpage成功,但是要用Service的externalIp和 80 端口
apiVersion: networking.istio.io/v1beta1
kind: VirtualService
metadata:name: bookinfo
spec:hosts:- "*.com"gateways:- bookinfo-gatewayhttp:- match:- uri:exact: /productpage- uri:prefix: /static- uri:exact: /login- uri:exact: /logout- uri:prefix: /api/v1/productsroute:- destination:host: productpage.istio.svc.cluster.localport:number: 9080
[root@lonely ~/istio-1.13.2/samples/bookinfo/networking]# kubectl -n istio-system get svc
NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE
istio-eastwestgateway LoadBalancer 10.109.117.190 <pending> 15021:30533/TCP,15443:30659/TCP,15012:31399/TCP,15017:31687/TCP 4d
istio-egressgateway ClusterIP 10.103.156.78 <none> 80/TCP,443/TCP 4d
istio-ingressgateway LoadBalancer 10.97.209.189 <pending> 15021:30376/TCP,80:31111/TCP,443:32297/TCP,31400:30357/TCP,15443:32535/TCP 4d
istiod ClusterIP 10.101.78.119 <none> 15010/TCP,15012/TCP,443/TCP,15014/TCP 4d#
kubectl -n istio-system edit svc istio-ingressgateway
4. name
http://bookinfo.com:31111/productpage和http://bookinfo.demo:31111/productpage都成功,这个作用不大
kubectl apply -f gateway-server-name.yaml -n istio-system
kubectl apply -f vs-bookinfo-hosts-star.yaml -n istio-system(上面已有这个yaml)
apiVersion: networking.istio.io/v1beta1
kind: Gateway
metadata:name: bookinfo-gateway
spec:selector:istio: ingressgatewayservers:- port:number: 80name: httpprotocol: HTTPhosts:- "*"name: bookinfo-gateway # 增加了这个 name 配置项
| Field | Type | Description | Required |
|---|---|---|---|
| number | uint32 | 一个有效的端口号 | 是 |
| protocol | string | 所使用的协议,支持HTTP|HTTPS|GRPC|HTTP2|MONGO|TCP|TLS. | 是 |
| name | string | 给端口分配一个名称 | 是 |
istio支持的协议:
grpcgrpc-webhttphttp2httpsmongomysql*redis*tcptlsudp
- These protocols are disabled by default to avoid accidentally enabling experimental features. To enable them, configure the corresponding Pilot environment variables.
2. HTTPS
- 默认的就是http,前面的案例已经说明
openssl.conf
[req]
default_bits = 2048
distinguished_name = req_distinguished_name
req_extensions = v3_req
prompt = no[req_distinguished_name]
C = CN
ST = zhejiang
L = ningbo
O = mkb
OU = IT
CN = bookinfo.com[v3_req]
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = @alt_names[alt_names]
DNS.1 = 8.8.8.8
# 签发证书
openssl req -x509 -sha256 -nodes -days 365 -newkey rsa:2048 -keyout cert.key -out cert.crt -config openssl.conf# 创建 secret
kubectl create -n istio-system secret tls istio-ingressgateway-certs --key ./cert.key --cert=./cert.crt# 查看容器中是否引用了
kubectl exec deploy/istio-ingressgateway -n istio-system -- ls /etc/istio/ingressgateway-certs
- 浏览器访问三个域名:
https://${domain}:32297/productpage都是可以访问到,同时端口记得是443映射出来的端口,域名也要提前做解析
kubectl -n istio-system apply -f gateway-https.yaml
kubectl -n istio-system apply -f vs-bookinfo-hosts-star.yaml这个上面已有
apiVersion: networking.istio.io/v1beta1
kind: Gateway
metadata:name: bookinfo-gateway
spec:selector:istio: ingressgatewayservers:- port:number: 443name: httpsprotocol: HTTPShosts:- "bookinfo.demo"- "ratings.demo"- "nginx.example.com"tls:mode: SIMPLEserverCertificate: /etc/istio/ingressgateway-certs/tls.crtprivateKey: /etc/istio/ingressgateway-certs/tls.key
3.TCP
# 还是使用官网的案例
cd /root/istio-1.13.2/samples/tcp-echo
kubectl apply -f tcp-echo-services.yaml -n istio
kubectl -n istio apply -f gateway-tcp.yaml
apiVersion: networking.istio.io/v1beta1
kind: Gateway
metadata:name: tcp-echo-gateway
spec:selector:istio: ingressgatewayservers:- port:number: 31400name: tcpprotocol: TCPhosts:- "*"
kubectl -n istio apply -f vs-dr-tcp-echo.yaml
apiVersion: networking.istio.io/v1beta1
kind: DestinationRule
metadata:name: tcp-echo-destination
spec:host: tcp-echosubsets:- name: v1labels:version: v1- name: v2labels:version: v2
---
apiVersion: networking.istio.io/v1beta1
kind: VirtualService
metadata:name: tcp-echo
spec:hosts:- "*"gateways:- tcp-echo-gatewaytcp:- match:- port: 31400route:- destination:host: tcp-echoport:number: 9000subset: v1
[root@lonely /apps/istio]# kubectl -n istio-system get svc istio-ingressgateway
NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE
istio-ingressgateway LoadBalancer 10.97.209.189 <pending> 15021:30376/TCP,80:31111/TCP,443:32297/TCP,31400:30357/TCP,15443:32535/TCP 5d2h
测试:
telnet 10.97.209.189 31400可以看到telnet进去后,打印的都是 one
kubectl -n istio edit vs tcp-echo,直接改变为 v2,如下为改后的yaml,也可以直接apply
apiVersion: networking.istio.io/v1beta1
kind: VirtualService
metadata:name: tcp-echo
spec:hosts:- "*"gateways:- tcp-echo-gatewaytcp:- match:- port: 31400route:- destination:host: tcp-echoport:number: 9000subset: v2 # 修改此处
打印的是 two 了
