How to configure Azure App Gateway in Istio

I have an application set up on AKS (Azure Kubernetes Service), and I am currently using Azure Application Gateway as the ingress resource for my application running on AKS.

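Now, after setting up Istio for my cluster, the graphs come up fine except for one part. Since Azure App Gateway is unknown to Istio, it shows the resource as "unknown". I even tried launching a virtual service and pointing it to the ingress resource, but that did not have any effect on the graph. How shall I establish to Istio that it is Azure App Gateway and not an "unknown" resource?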

As far as I know, Istio needs its own ingress gateway for the application.

Create an Istio VirtualService and point it to Istio's ingress gateway. The steps to do it are here and here.

The application's Istio ingress gateway can be seen in the output of kubectl get gateway:

$ kubectl get gateway
NAME               AGE
bookinfo-gateway   32s

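This is because Azure Application Gateway is not part of the Istio mesh. Depending on how you have Azure Application Gateway configured, you might not even get any benefit from using Istio.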

Getting Istio to work with Azure Application Gateway is a lot more complicated than it seems.

There is a GitHub issue about using Istio and Azure Application Gateway at the same time.

With the following statement:

You may wonder why I chose to put the ingress resource into the istio-system namespace. I'm doing so because in my understanding the istio-ingress must be the endpoint for each app-gateway redirect. If I would let it redirect to the echo-server service, AGKI(application-gateway-kubernetes-ingress) would point to the ip-address of the deployed pod, which would completely disregard istio's servicemesh.

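So if there is no such configuration yet and you want to use Istio, I suggest setting the Istio Ingress Gateway as the endpoint for your Azure Application Gateway and treating it as traffic coming from outside the mesh.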


Here is an explanation of why Azure Application Gateway is an "unknown" resource.

In this article you can find the following statement:

Ingress traffic

Istio expects traffic to go via the Ingress Gateway. When you see ‘unknown’ traffic it can simply be the case that you use the standard Kubernetes Ingress or an OpenShift route to send traffic from the outside to Istio.

Azure Application Gateway uses a custom ingress controller:

Application Gateway Ingress Controller (AGIC) allows you to use Application Gateway as the ingress for an Azure Kubernetes Service (AKS) cluster.

The ingress controller runs as a pod within the AKS cluster and consumes Kubernetes Ingress Resources and converts them to an Application Gateway configuration which allows the gateway to load-balance traffic to the Kubernetes pods. The ingress controller only supports Application Gateway V2 SKU.

For more information, see Application Gateway Ingress Controller (AGIC).

According to the Kiali documentation:

In some situations you can see a lot of connections from an "Unknown" node to your services in the graph, because some software external to your mesh might be periodically pinging or fetching data. This is typically the case when you setup Kubernetes liveness probes, or have some application metrics pushed or exposed to a monitoring system such as Prometheus. Perhaps you wouldn’t like to see these connections because they make the graph harder to read.


To address your additional question:

How shall I establish to ISTIO that it is Azure app gateway and not “unknown” resource.

As far as I know, there is no way to make a custom (non-Istio) ingress gateway part of the Istio mesh. That leaves Azure Application Gateway labeled as "unknown".

Hope this helps.
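
The layout recommended in the answer above, sketched as manifests. This is an added example, not part of the original question, answers or the linked GitHub issue. The host echo.example.com, the resource names, the default namespace and port 80 are assumptions; istio-ingressgateway and the istio: ingressgateway label are the names a default Istio install uses, so check them against your cluster.

```yaml
# 1) Ingress consumed by AGIC. It lives in istio-system so that Application
#    Gateway's backend is the Istio ingress gateway Service, not an app pod.
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: appgw-to-istio                 # hypothetical name
  namespace: istio-system
  annotations:
    kubernetes.io/ingress.class: azure/application-gateway
spec:
  rules:
  - host: echo.example.com             # placeholder host
    http:
      paths:
      - path: /
        pathType: Prefix
        backend:
          service:
            name: istio-ingressgateway # assumed default Service name
            port: {number: 80}
---
# 2) Istio Gateway: tells the ingress gateway pods to accept this host.
apiVersion: networking.istio.io/v1beta1
kind: Gateway
metadata:
  name: echo-gateway                   # hypothetical name
  namespace: default
spec:
  selector: {istio: ingressgateway}    # assumed default pod label
  servers:
  - port: {number: 80, name: http, protocol: HTTP}
    hosts: ["echo.example.com"]
---
# 3) VirtualService: routes from the Istio gateway to the in-mesh Service.
apiVersion: networking.istio.io/v1beta1
kind: VirtualService
metadata:
  name: echo-server
  namespace: default
spec:
  hosts: ["echo.example.com"]
  gateways: [echo-gateway]
  http:
  - route:
    - destination:
        host: echo-server              # Service name taken from the quoted issue
        port: {number: 80}
```

Application Gateway itself stays outside the mesh in this layout; mesh routing, policy and telemetry apply from the Istio ingress gateway hop onward. The hop from Application Gateway to the ingress gateway is plain HTTP as written, so add TLS on that listener if the traffic needs protection inside the virtual network.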