Istio-gateway

在这里插入图片描述

一. gateway

在 Kubernetes 环境中，Kubernetes Ingress用于配置需要在集群外部公开的服务。但是在 Istio 服务网格中，更好的方法是使用新的配置模型，即 Istio Gateway，Gateway 允许将 Istio 流量管理的功能应用于进入集群的流量，gateway 分为两种，分别是 Ingress-gateway 和 Egress-gateway

如下 Istio 部署过程，可以得到 /root/istio-1.13.2/samples/multicluster 目录信息

# 生成生成东西向网关
cd /root/istio-1.13.2/samples/multicluster
./gen-eastwest-gateway.sh --mesh mesh1 --cluster cluster1 --network network1 | istioctl install -y -f -[root@lonely ~/istio-1.13.2/samples/multicluster]# kubectl  -n istio-system  get po |grep eastwestgateway
istio-eastwestgateway-56dcd6468d-nhbbc   1/1     Running   0          40m

1. hosts

根据上面的案例， bookinfo

[root@lonely ~/istio-1.13.2/samples/multicluster]# kubectl explain gw.spec.serversKIND:     Gateway
VERSION:  networking.istio.io/v1beta1RESOURCE: servers <[]Object>DESCRIPTION:A list of server specifications.FIELDS:bind	<string>defaultEndpoint	<string>hosts	<[]string>One or more hosts exposed by this gateway.name	<string>An optional name of the server, when set must be unique across all servers.port	<Object>tls	<Object>Set of TLS related options that govern the server's behavior.

案例，hosts，可以配置多个

apiVersion: networking.istio.io/v1beta1
kind: Gateway
metadata:name: bookinfo-gatewaynamespace: istio
spec:selector:istio: ingressgatewayservers:- hosts:- '*'port:name: httpnumber: 80protocol: HTTP

apiVersion: networking.istio.io/v1beta1
kind: VirtualService
metadata:name: bookinfo
spec:hosts:- "*"gateways:- istio-system/bookinfo-gatewayhttp:- match:- uri:exact: /productpage- uri:prefix: /static- uri:exact: /login- uri:exact: /logout- uri:prefix: /api/v1/productsroute:- destination:host: productpage.istio.svc.cluster.localport:number: 9080

# 利用 Kubernetes 把 istio-ingressgateway 暴露 15000 端口
kubectl  port-forward --address 0.0.0.0 -n istio-system  istio-ingressgateway-77968dbd74-fslsz  15000:15000

http://172.164.100.44:15000/config_dump

如上是 gateway 和 VirtualService 的配置清单，将 istio namespace 下的 vs 和 gw 删除掉并将他们创建在 istio-system Namespace 中，看是否可以访问到页面

kubectl  -n istio-system -f .## 都可以访问到
# vs 和 gw 都在 istio-system 名称空间
# gw 在 istio-system vs 在 istio Namespace 中

vs 和 gateway 都在 istio-system 名称空间中

vs 的 host 没有指定名称空间

访问不成功，host指定名称空间：productpage.istio.svc.cluster.local

apiVersion: networking.istio.io/v1beta1
kind: VirtualService
metadata:name: bookinfo
spec:hosts:- "*"gateways:- istio-system/bookinfo-gatewayhttp:- match:- uri:exact: /productpage- uri:prefix: /static- uri:exact: /login- uri:exact: /logout- uri:prefix: /api/v1/productsroute:- destination:host: productpage		# host 没指定名称空间port:number: 9080

kubectl  -n istio-system delete gw bookinfo-gateway

gw 和 vs 的 host 是一样的情况，需要提前将该域名做好 host 解析， http://bookinfo.com:31111/productpage 成功

kubectl apply -f gateway-server-hosts-bookinfo-com.yaml -n istio-system

apiVersion: networking.istio.io/v1beta1
kind: Gateway
metadata:name: bookinfo-gateway
spec:selector:istio: ingressgatewayservers:- port:number: 80name: httpprotocol: HTTPhosts:- "bookinfo.com"

kubectl apply -f vs-bookinfo-hosts-star-gw-host-same.yaml -n istio-system

apiVersion: networking.istio.io/v1beta1
kind: VirtualService
metadata:name: bookinfo
spec:hosts:- "bookinfo.com"gateways:- bookinfo-gatewayhttp:- match:- uri:exact: /productpage- uri:prefix: /static- uri:exact: /login- uri:exact: /logout- uri:prefix: /api/v1/productsroute:- destination:host: productpage.istio.svc.cluster.localport:number: 9080

gw 和 vs 的 host 是具体值，但是不一样， http://bookinfo.com:31111/productpage 和 http://bookinfo.demo:31111/productpage 都失败

kubectl apply -f vs-bookinfo-hosts-star-gw-host-diff.yaml -n istio-system

apiVersion: networking.istio.io/v1beta1
kind: VirtualService
metadata:name: bookinfo
spec:hosts:- "bookinfo.demo"gateways:- bookinfo-gatewayhttp:- match:- uri:exact: /productpage- uri:prefix: /static- uri:exact: /login- uri:exact: /logout- uri:prefix: /api/v1/productsroute:- destination:host: productpage.istio.svc.cluster.localport:number: 9080

vs 的host包含 gw，host 使用的是 *.com， http://bookinfo.com:31111/productpage 成功

kubectl -n istio-system apply -f vs-bookinfo-hosts-star-host-contain-gw.yaml

apiVersion: networking.istio.io/v1beta1
kind: VirtualService
metadata:name: bookinfo
spec:hosts:- "*.com"gateways:- bookinfo-gatewayhttp:- match:- uri:exact: /productpage- uri:prefix: /static- uri:exact: /login- uri:exact: /logout- uri:prefix: /api/v1/productsroute:- destination:host: productpage.istio.svc.cluster.localport:number: 9080

vs host为任意，http://bookinfo.com:31111/productpage 成功

kubectl apply -f vs-bookinfo-hosts-star.yaml -n istio-system

apiVersion: networking.istio.io/v1beta1
kind: VirtualService
metadata:name: bookinfo
spec:hosts:- "*"gateways:- bookinfo-gatewayhttp:- match:- uri:exact: /productpage- uri:prefix: /static- uri:exact: /login- uri:exact: /logout- uri:prefix: /api/v1/productsroute:- destination:host: productpage.istio.svc.cluster.localport:number: 9080

vs host 为 bookinfo.*，创建失败，host 不可以这样使用

kubectl apply -f vs-bookinfo-hosts-star-mix-error.yaml -n istio-system

apiVersion: networking.istio.io/v1beta1
kind: VirtualService
metadata:name: bookinfo
spec:hosts:- "bookinfo.*"gateways:- bookinfo-gatewayhttp:- match:- uri:exact: /productpage- uri:prefix: /static- uri:exact: /login- uri:exact: /logout- uri:prefix: /api/v1/productsroute:- destination:host: productpage.istio.svc.cluster.localport:number: 9080

2. 多个host

同样 2个host都要做解析
http://bookinfo.com:31111/productpage 和 http://bookinfo.demo:31111/productpage 都成功

kubectl apply -f gateway-server-hosts-multi.yaml -n istio-system

apiVersion: networking.istio.io/v1beta1
kind: Gateway
metadata:name: bookinfo-gateway
spec:selector:istio: ingressgatewayservers:- port:number: 80name: httpprotocol: HTTPhosts:- "bookinfo.com"- "bookinfo.demo"

kubectl apply -f vs-bookinfo-hosts-star.yaml -n istio-system

apiVersion: networking.istio.io/v1beta1
kind: VirtualService
metadata:name: bookinfo
spec:hosts:- "*"gateways:- bookinfo-gatewayhttp:- match:- uri:exact: /productpage- uri:prefix: /static- uri:exact: /login- uri:exact: /logout- uri:prefix: /api/v1/productsroute:- destination:host: productpage.istio.svc.cluster.localport:number: 9080

3. 混合host

kubectl apply -f gateway-server-hosts-mix.yaml -n istio-system

虽然gw中使用 *.com ，但是 vs 中只指定了 bookinfo.com ，所有只有这个域名才可以访问

apiVersion: networking.istio.io/v1beta1
kind: Gateway
metadata:name: bookinfo-gateway
spec:selector:istio: ingressgatewayservers:- port:number: 80name: httpprotocol: HTTPhosts:- "*.com"		# gw 使用*
---
apiVersion: networking.istio.io/v1beta1
kind: VirtualService
metadata:name: bookinfo
spec:hosts:- "bookinfo.com"gateways:- bookinfo-gatewayhttp:- match:- uri:exact: /productpage- uri:prefix: /static- uri:exact: /login- uri:exact: /logout- uri:prefix: /api/v1/productsroute:- destination:host: productpage.istio.svc.cluster.localport:number: 9080

kubectl apply -f vs-bookinfo-hosts-mix.yaml -n istio-system

http://bookinfo.com:31111/productpage 失败，端口问题

http://mydemo.com/productpage 成功，但是要用 Service 的 externalIp和 80 端口

apiVersion: networking.istio.io/v1beta1
kind: VirtualService
metadata:name: bookinfo
spec:hosts:- "*.com"gateways:- bookinfo-gatewayhttp:- match:- uri:exact: /productpage- uri:prefix: /static- uri:exact: /login- uri:exact: /logout- uri:prefix: /api/v1/productsroute:- destination:host: productpage.istio.svc.cluster.localport:number: 9080

[root@lonely ~/istio-1.13.2/samples/bookinfo/networking]# kubectl  -n istio-system  get svc
NAME                    TYPE           CLUSTER-IP       EXTERNAL-IP   PORT(S)                                                                      AGE
istio-eastwestgateway   LoadBalancer   10.109.117.190   <pending>     15021:30533/TCP,15443:30659/TCP,15012:31399/TCP,15017:31687/TCP              4d
istio-egressgateway     ClusterIP      10.103.156.78    <none>        80/TCP,443/TCP                                                               4d
istio-ingressgateway    LoadBalancer   10.97.209.189    <pending>     15021:30376/TCP,80:31111/TCP,443:32297/TCP,31400:30357/TCP,15443:32535/TCP   4d
istiod                  ClusterIP      10.101.78.119    <none>        15010/TCP,15012/TCP,443/TCP,15014/TCP                                        4d#
kubectl -n istio-system edit svc istio-ingressgateway

4. name

http://bookinfo.com:31111/productpage 和 http://bookinfo.demo:31111/productpage 都成功，这个作用不大

kubectl apply -f gateway-server-name.yaml -n istio-system

kubectl apply -f vs-bookinfo-hosts-star.yaml -n istio-system （上面已有这个yaml）

apiVersion: networking.istio.io/v1beta1
kind: Gateway
metadata:name: bookinfo-gateway
spec:selector:istio: ingressgatewayservers:- port:number: 80name: httpprotocol: HTTPhosts:- "*"name: bookinfo-gateway		# 增加了这个 name 配置项

Field	Type	Description	Required
number	uint32	一个有效的端口号	是
protocol	string	所使用的协议，支持HTTP\|HTTPS\|GRPC\|HTTP2\|MONGO\|TCP\|TLS.	是
name	string	给端口分配一个名称	是

istio支持的协议：

grpc
grpc-web
http
http2
https
mongo
mysql*
redis*
tcp
tls
udp

These protocols are disabled by default to avoid accidentally enabling experimental features. To enable them, configure the corresponding Pilot environment variables.

2. HTTPS

默认的就是http，前面的案例已经说明

openssl.conf

[req]
default_bits = 2048
distinguished_name = req_distinguished_name
req_extensions = v3_req
prompt = no[req_distinguished_name]
C  = CN
ST = zhejiang
L  = ningbo
O  = mkb
OU = IT
CN = bookinfo.com[v3_req]
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = @alt_names[alt_names]
DNS.1 = 8.8.8.8

# 签发证书
openssl req -x509 -sha256 -nodes -days 365 -newkey rsa:2048  -keyout cert.key -out cert.crt  -config  openssl.conf# 创建 secret 
kubectl create -n istio-system secret tls istio-ingressgateway-certs --key ./cert.key --cert=./cert.crt# 查看容器中是否引用了
kubectl exec deploy/istio-ingressgateway -n istio-system  -- ls /etc/istio/ingressgateway-certs

浏览器访问三个域名： https://${domain}:32297/productpage 都是可以访问到，同时端口记得是443映射出来的端口，域名也要提前做解析

kubectl -n istio-system apply -f gateway-https.yaml

kubectl -n istio-system apply -f vs-bookinfo-hosts-star.yaml 这个上面已有

apiVersion: networking.istio.io/v1beta1
kind: Gateway
metadata:name: bookinfo-gateway
spec:selector:istio: ingressgatewayservers:- port:number: 443name: httpsprotocol: HTTPShosts:- "bookinfo.demo"- "ratings.demo"- "nginx.example.com"tls:mode: SIMPLEserverCertificate: /etc/istio/ingressgateway-certs/tls.crtprivateKey: /etc/istio/ingressgateway-certs/tls.key

3.TCP

# 还是使用官网的案例
cd /root/istio-1.13.2/samples/tcp-echo
kubectl apply -f tcp-echo-services.yaml -n istio

kubectl -n istio apply -f gateway-tcp.yaml

apiVersion: networking.istio.io/v1beta1
kind: Gateway
metadata:name: tcp-echo-gateway
spec:selector:istio: ingressgatewayservers:- port:number: 31400name: tcpprotocol: TCPhosts:- "*"

kubectl -n istio apply -f vs-dr-tcp-echo.yaml

apiVersion: networking.istio.io/v1beta1
kind: DestinationRule
metadata:name: tcp-echo-destination
spec:host: tcp-echosubsets:- name: v1labels:version: v1- name: v2labels:version: v2
---
apiVersion: networking.istio.io/v1beta1
kind: VirtualService
metadata:name: tcp-echo
spec:hosts:- "*"gateways:- tcp-echo-gatewaytcp:- match:- port: 31400route:- destination:host: tcp-echoport:number: 9000subset: v1

[root@lonely /apps/istio]# kubectl -n istio-system get svc istio-ingressgateway
NAME                   TYPE           CLUSTER-IP      EXTERNAL-IP   PORT(S)                                                                      AGE
istio-ingressgateway   LoadBalancer   10.97.209.189   <pending>     15021:30376/TCP,80:31111/TCP,443:32297/TCP,31400:30357/TCP,15443:32535/TCP   5d2h

测试： telnet 10.97.209.189 31400

可以看到telnet进去后，打印的都是 one

kubectl -n istio edit vs tcp-echo，直接改变为 v2，如下为改后的yaml，也可以直接apply

apiVersion: networking.istio.io/v1beta1
kind: VirtualService
metadata:name: tcp-echo
spec:hosts:- "*"gateways:- tcp-echo-gatewaytcp:- match:- port: 31400route:- destination:host: tcp-echoport:number: 9000subset: v2		# 修改此处