一. gateway
在 Kubernetes 环境中，Kubernetes Ingress 用于配置需要在集群外部公开的服务。但是在 Istio 服务网格中，更好的方法是使用新的配置模型，即 Istio Gateway。Gateway 允许将 Istio 流量管理的功能应用于进入集群的流量。gateway 分为两种，分别是 Ingress-gateway 和 Egress-gateway，如下。Istio 部署过程可以得到 /root/istio-1.13.2/samples/multicluster 目录信息。
# 生成东西向网关
cd /root/istio-1.13.2/samples/multicluster
./gen-eastwest-gateway.sh --mesh mesh1 --cluster cluster1 --network network1 | istioctl install -y -f -[rootlonely ~/istio-1.13.2/samples/multicluster]# kubectl -n istio-system get po |grep eastwestgateway
istio-eastwestgateway-56dcd6468d-nhbbc 1/1 Running 0 40m1. hosts 根据上面的案例 bookinfo [rootlonely ~/istio-1.13.2/samples/multicluster]# kubectl explain gw.spec.serversKIND: Gateway
VERSION: networking.istio.io/v1beta1

RESOURCE: servers <[]Object>

DESCRIPTION:
  A list of server specifications.

FIELDS:
  bind <string>
  defaultEndpoint <string>
  hosts <[]string>
    One or more hosts exposed by this gateway.
  name <string>
    An optional name of the server, when set must be unique across all servers.
  port <Object>
  tls <Object>
    Set of TLS related options that govern the server's behavior.

案例：hosts 可以配置多个。
注：`*` 在 YAML 中必须加引号，未加引号会被当作别名解析而报错。hosts 为 "*" 表示网关接受任意 Host 头的请求；对外暴露的环境应写明实际域名。

apiVersion: networking.istio.io/v1beta1
kind: Gateway
metadata:
  name: bookinfo-gateway
  namespace: istio
spec:
  selector:
    istio: ingressgateway
  servers:
  - hosts:
    - "*"
    port:
      name: http
      number: 80
      protocol: HTTP

apiVersion: networking.istio.io/v1beta1
kind: VirtualService
metadata:
  name: bookinfo
spec:
  hosts:
  - "*"
  gateways:
  - istio-system/bookinfo-gateway
  http:
  - match:
    - uri:
        exact: /productpage
    - uri:
        prefix: /static
    - uri:
        exact: /login
    - uri:
        exact: /logout
    - uri:
        prefix: /api/v1/products
    route:
    - destination:
        host: productpage.istio.svc.cluster.local
        port:
          number: 9080

# 利用 Kubernetes 把 istio-ingressgateway 暴露 15000 端口
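kubectl port-forward --address 0.0.0.0 -n istio-system istio-ingressgateway-77968dbd74-fslsz 15000:15000
注：15000 是 Envoy 的管理端口，没有认证。加上 --address 0.0.0.0 后，所有能访问这台机器的客户端都可以读取 config_dump（完整的监听器、路由和集群配置），并能通过管理接口改变代理的运行状态。只做本地排查时去掉 --address（默认只监听 127.0.0.1），排查结束后立即终止 port-forward。
浏览器访问 http://172.164.100.44:15000/config_dump
如上是 gateway 和 VirtualService 的配置清单。将 istio namespace 下的 vs 和 gw 删除掉，并将它们创建在 istio-system Namespace 中，看是否可以访问到页面。
kubectl -n istio-system apply -f .   # 原文此处缺少子命令，按上下文应为 apply
## 都可以访问到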
# vs 和 gw 都在 istio-system 名称空间
# gw 在 istio-system vs 在 istio Namespace 中vs 和 gateway 都在 istio-system 名称空间中 vs 的 host 没有指定名称空间 访问不成功host指定名称空间productpage.istio.svc.cluster.local apiVersion: networking.istio.io/v1beta1
kind: VirtualService
metadata:name: bookinfo
spec:hosts:- *gateways:- istio-system/bookinfo-gatewayhttp:- match:- uri:exact: /productpage- uri:prefix: /static- uri:exact: /login- uri:exact: /logout- uri:prefix: /api/v1/productsroute:- destination:host: productpage # host 没指定名称空间port:number: 9080kubectl -n istio-system delete gw bookinfo-gatewaygw 和 vs 的 host 是一样的情况需要提前将该域名做好 host 解析 http://bookinfo.com:31111/productpage 成功 kubectl apply -f gateway-server-hosts-bookinfo-com.yaml -n istio-system apiVersion: networking.istio.io/v1beta1
kind: Gateway
metadata:name: bookinfo-gateway
spec:selector:istio: ingressgatewayservers:- port:number: 80name: httpprotocol: HTTPhosts:- bookinfo.comkubectl apply -f vs-bookinfo-hosts-star-gw-host-same.yaml -n istio-system apiVersion: networking.istio.io/v1beta1
kind: VirtualService
metadata:name: bookinfo
spec:hosts:- bookinfo.comgateways:- bookinfo-gatewayhttp:- match:- uri:exact: /productpage- uri:prefix: /static- uri:exact: /login- uri:exact: /logout- uri:prefix: /api/v1/productsroute:- destination:host: productpage.istio.svc.cluster.localport:number: 9080gw 和 vs 的 host 是具体值但是不一样 http://bookinfo.com:31111/productpage 和 http://bookinfo.demo:31111/productpage 都失败 kubectl apply -f vs-bookinfo-hosts-star-gw-host-diff.yaml -n istio-system apiVersion: networking.istio.io/v1beta1
kind: VirtualService
metadata:name: bookinfo
spec:hosts:- bookinfo.demogateways:- bookinfo-gatewayhttp:- match:- uri:exact: /productpage- uri:prefix: /static- uri:exact: /login- uri:exact: /logout- uri:prefix: /api/v1/productsroute:- destination:host: productpage.istio.svc.cluster.localport:number: 9080vs 的host包含 gwhost 使用的是 *.com http://bookinfo.com:31111/productpage 成功 kubectl -n istio-system apply -f vs-bookinfo-hosts-star-host-contain-gw.yaml apiVersion: networking.istio.io/v1beta1
kind: VirtualService
metadata:name: bookinfo
spec:hosts:- *.comgateways:- bookinfo-gatewayhttp:- match:- uri:exact: /productpage- uri:prefix: /static- uri:exact: /login- uri:exact: /logout- uri:prefix: /api/v1/productsroute:- destination:host: productpage.istio.svc.cluster.localport:number: 9080vs host为任意http://bookinfo.com:31111/productpage 成功 kubectl apply -f vs-bookinfo-hosts-star.yaml -n istio-system apiVersion: networking.istio.io/v1beta1
kind: VirtualService
metadata:name: bookinfo
spec:hosts:- *gateways:- bookinfo-gatewayhttp:- match:- uri:exact: /productpage- uri:prefix: /static- uri:exact: /login- uri:exact: /logout- uri:prefix: /api/v1/productsroute:- destination:host: productpage.istio.svc.cluster.localport:number: 9080vs host 为 bookinfo.*创建失败host 不可以这样使用 kubectl apply -f vs-bookinfo-hosts-star-mix-error.yaml -n istio-system apiVersion: networking.istio.io/v1beta1
kind: VirtualService
metadata:name: bookinfo
spec:hosts:- bookinfo.*gateways:- bookinfo-gatewayhttp:- match:- uri:exact: /productpage- uri:prefix: /static- uri:exact: /login- uri:exact: /logout- uri:prefix: /api/v1/productsroute:- destination:host: productpage.istio.svc.cluster.localport:number: 90802. 多个host
同样 2个host都要做解析http://bookinfo.com:31111/productpage 和 http://bookinfo.demo:31111/productpage 都成功 kubectl apply -f gateway-server-hosts-multi.yaml -n istio-system apiVersion: networking.istio.io/v1beta1
kind: Gateway
metadata:name: bookinfo-gateway
spec:selector:istio: ingressgatewayservers:- port:number: 80name: httpprotocol: HTTPhosts:- bookinfo.com- bookinfo.demokubectl apply -f vs-bookinfo-hosts-star.yaml -n istio-system apiVersion: networking.istio.io/v1beta1
kind: VirtualService
metadata:name: bookinfo
spec:hosts:- *gateways:- bookinfo-gatewayhttp:- match:- uri:exact: /productpage- uri:prefix: /static- uri:exact: /login- uri:exact: /logout- uri:prefix: /api/v1/productsroute:- destination:host: productpage.istio.svc.cluster.localport:number: 90803. 混合host kubectl apply -f gateway-server-hosts-mix.yaml -n istio-system 虽然gw中使用 *.com 但是 vs 中只指定了 bookinfo.com 所有只有这个域名才可以访问 apiVersion: networking.istio.io/v1beta1
kind: Gateway
metadata:name: bookinfo-gateway
spec:selector:istio: ingressgatewayservers:- port:number: 80name: httpprotocol: HTTPhosts:- *.com # gw 使用*
---
apiVersion: networking.istio.io/v1beta1
kind: VirtualService
metadata:name: bookinfo
spec:hosts:- bookinfo.comgateways:- bookinfo-gatewayhttp:- match:- uri:exact: /productpage- uri:prefix: /static- uri:exact: /login- uri:exact: /logout- uri:prefix: /api/v1/productsroute:- destination:host: productpage.istio.svc.cluster.localport:number: 9080kubectl apply -f vs-bookinfo-hosts-mix.yaml -n istio-system http://bookinfo.com:31111/productpage 失败端口问题 http://mydemo.com/productpage 成功但是要用 Service 的 externalIp和 80 端口 apiVersion: networking.istio.io/v1beta1
kind: VirtualService
metadata:name: bookinfo
spec:hosts:- *.comgateways:- bookinfo-gatewayhttp:- match:- uri:exact: /productpage- uri:prefix: /static- uri:exact: /login- uri:exact: /logout- uri:prefix: /api/v1/productsroute:- destination:host: productpage.istio.svc.cluster.localport:number: 9080[rootlonely ~/istio-1.13.2/samples/bookinfo/networking]# kubectl -n istio-system get svc
NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE
istio-eastwestgateway LoadBalancer 10.109.117.190 pending 15021:30533/TCP,15443:30659/TCP,15012:31399/TCP,15017:31687/TCP 4d
istio-egressgateway ClusterIP 10.103.156.78 none 80/TCP,443/TCP 4d
istio-ingressgateway LoadBalancer 10.97.209.189 pending 15021:30376/TCP,80:31111/TCP,443:32297/TCP,31400:30357/TCP,15443:32535/TCP 4d
istiod ClusterIP 10.101.78.119 none 15010/TCP,15012/TCP,443/TCP,15014/TCP 4d#
kubectl -n istio-system edit svc istio-ingressgateway 4. name
http://bookinfo.com:31111/productpage 和 http://bookinfo.demo:31111/productpage 都成功这个作用不大 kubectl apply -f gateway-server-name.yaml -n istio-system kubectl apply -f vs-bookinfo-hosts-star.yaml -n istio-system 上面已有这个yaml apiVersion: networking.istio.io/v1beta1
kind: Gateway
metadata:name: bookinfo-gateway
spec:selector:istio: ingressgatewayservers:- port:number: 80name: httpprotocol: HTTPhosts:- *name: bookinfo-gateway # 增加了这个 name 配置项FieldTypeDescriptionRequirednumberuint32一个有效的端口号是protocolstring所使用的协议支持HTTP|HTTPS|GRPC|HTTP2|MONGO|TCP|TLS.是namestring给端口分配一个名称是
istio支持的协议
grpcgrpc-webhttphttp2httpsmongomysql*redis*tcptlsudp
These protocols are disabled by default to avoid accidentally enabling experimental features. To enable them, configure the corresponding Pilot environment variables.
2. HTTPS
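默认的就是 http，前面的案例已经说明。

openssl.conf
[req]
default_bits = 2048
distinguished_name = req_distinguished_name
req_extensions = v3_req
prompt = no

[req_distinguished_name]
C = CN
ST = zhejiang
L = ningbo
O = mkb
OU = IT
CN = bookinfo.com

[v3_req]
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = @alt_names

[alt_names]
DNS.1 = 8.8.8.8

注：客户端校验证书时按 SAN 匹配主机名，DNS 条目应填写实际访问的域名（下文 HTTPS Gateway 暴露的是 bookinfo.demo、ratings.demo、nginx.example.com），IP 地址要写在 IP.1 这类条目里。这里的 8.8.8.8 与这些域名都不匹配，浏览器只有在忽略证书告警后才能访问。
注：openssl req 带 -x509 直接生成自签证书时，req_extensions 指向的小节不一定会写入证书。签发后用 openssl x509 -in cert.crt -noout -text 确认 SAN 和用途扩展是否存在，缺失时在签发命令中加上 -extensions v3_req。
注：-nodes 生成的 cert.key 没有口令保护，创建 secret 之后应收紧文件权限或删除本地副本。自签证书只适合测试环境。

# 签发证书
openssl req -x509 -sha256 -nodes -days 365 -newkey rsa:2048 -keyout cert.key -out cert.crt -config openssl.conf
# 创建 secret
kubectl create -n istio-system secret tls istio-ingressgateway-certs --key ./cert.key --cert ./cert.crt
# 查看容器中是否引用了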
kubectl exec deploy/istio-ingressgateway -n istio-system -- ls /etc/istio/ingressgateway-certs
浏览器访问三个域名 https://${domain}:32297/productpage 都是可以访问到的。同时端口记得是 443 映射出来的端口，域名也要提前做解析。
注：证书的 SAN 需要覆盖下面 hosts 中的三个域名，否则浏览器会提示证书与域名不匹配。
kubectl -n istio-system apply -f gateway-https.yaml
kubectl -n istio-system apply -f vs-bookinfo-hosts-star.yaml   # 这个上面已有

apiVersion: networking.istio.io/v1beta1
kind: Gateway
metadata:
  name: bookinfo-gateway
spec:
  selector:
    istio: ingressgateway
  servers:
  - port:
      number: 443
      name: https
      protocol: HTTPS
    hosts:
    - bookinfo.demo
    - ratings.demo
    - nginx.example.com
    tls:
      mode: SIMPLE
      serverCertificate: /etc/istio/ingressgateway-certs/tls.crt
      privateKey: /etc/istio/ingressgateway-certs/tls.key

注：mode: SIMPLE 是单向 TLS，网关只出示服务端证书，不校验客户端证书；需要校验客户端时使用 MUTUAL 并配置 caCertificates。除了按文件路径挂载证书，也可以用 tls.credentialName 直接引用 istio-system 中的 TLS secret。

3.TCP
# 还是使用官网的案例
cd /root/istio-1.13.2/samples/tcp-echo
kubectl apply -f tcp-echo-services.yaml -n istio kubectl -n istio apply -f gateway-tcp.yaml apiVersion: networking.istio.io/v1beta1
kind: Gateway
metadata:name: tcp-echo-gateway
spec:selector:istio: ingressgatewayservers:- port:number: 31400name: tcpprotocol: TCPhosts:- *kubectl -n istio apply -f vs-dr-tcp-echo.yaml apiVersion: networking.istio.io/v1beta1
kind: DestinationRule
metadata:name: tcp-echo-destination
spec:host: tcp-echosubsets:- name: v1labels:version: v1- name: v2labels:version: v2
---
apiVersion: networking.istio.io/v1beta1
kind: VirtualService
metadata:name: tcp-echo
spec:hosts:- *gateways:- tcp-echo-gatewaytcp:- match:- port: 31400route:- destination:host: tcp-echoport:number: 9000subset: v1[rootlonely /apps/istio]# kubectl -n istio-system get svc istio-ingressgateway
NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE
istio-ingressgateway LoadBalancer 10.97.209.189 pending 15021:30376/TCP,80:31111/TCP,443:32297/TCP,31400:30357/TCP,15443:32535/TCP 5d2h测试 telnet 10.97.209.189 31400 可以看到telnet进去后打印的都是 one kubectl -n istio edit vs tcp-echo直接改变为 v2如下为改后的yaml也可以直接apply apiVersion: networking.istio.io/v1beta1
kind: VirtualService
metadata:name: tcp-echo
spec:hosts:- *gateways:- tcp-echo-gatewaytcp:- match:- port: 31400route:- destination:host: tcp-echoport:number: 9000subset: v2 # 修改此处打印的是 two 了