How to make harbor reachable behind istio ingress?

I installed Harbor as follows:

helm install hub harbor/harbor \
  --version 1.3.2 \
  --namespace tool \
  --set expose.ingress.hosts.core=hub.service.example.io \
  --set expose.ingress.annotations.'kubernetes\.io/ingress\.class'=istio \
  --set expose.ingress.annotations.'cert-manager\.io/cluster-issuer'=letsencrypt-prod \
  --set externalURL=https://hub.service.example.io \
  --set notary.enabled=false \
  --set secretkey=secret \
  --set harborAdminPassword=pw  

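Everything is up and running, but the page is not reachable via https://hub.service.example.io. The same problem occurs here, but how to set wildcard * in Helm?

Update

Istio supports ingress gateway. This, for example, works without Gateway and VirtualService definitions: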

apiVersion: v1
kind: Service
metadata:
  name: hello-kubernetes-first
spec:
  type: ClusterIP
  ports:
    - port: 80
      targetPort: 8080
  selector:
    app: hello-kubernetes-first
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: hello-kubernetes-first
spec:
  replicas: 3
  selector:
    matchLabels:
      app: hello-kubernetes-first
  template:
    metadata:
      labels:
        app: hello-kubernetes-first
    spec:
      containers:
        - name: hello-kubernetes
          image: paulbouwer/hello-kubernetes:1.8
          ports:
            - containerPort: 8080
          env:
            - name: MESSAGE
              value: Hello from the first deployment!
---
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  annotations:
    kubernetes.io/ingress.class: istio
  name: helloworld-ingress
spec:
  rules:
    - host: "hw.service.example.io"
      http:
        paths:
          - path: "/*"
            backend:
              serviceName: hello-kubernetes-first
              servicePort: 80
---

https://github.com/goharbor/harbor-helm/blob/master/templates/ingress/ingress.yaml#L5

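If you look here, they hardcode the paths for a few ingress options. Envoy/istio is not one of them. However, you may be in luck: setting expose.ingress.controller to "gce" seems to set the paths the way you need them. (I have never used gce; maybe they even use istio?)

Edit - original answer below. Apparently, you can enable an ingress controller in istio. It's absolutely not documented, but what should I expect?

But in your case, helm is not your problem. istio does not use ingress objects, it uses 'Gateways' and 'VirtualServices'. You cannot configure an application to use the istio ingress system with the kubernetes.io/ingress.class annotation.

(At least, that is my experience, and I couldn't find anything in their documentation that contradicts it, but it is entirely possible that there is an istio ingress controller)

I would say it does not work with ingress and istio.

As mentioned here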

Simple ingress specifications, with host, TLS, and exact path based matches will work out of the box without the need for route rules. However, note that the path used in the ingress resource should not have any . characters.

For example, the following ingress resource matches requests for the example.com host, with /helloworld as the URL.

$ kubectl create -f - <<EOF
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: simple-ingress
  annotations:
    kubernetes.io/ingress.class: istio
spec:
  rules:
  - host: example.com
    http:
      paths:
      - path: /helloworld
        backend:
          serviceName: myservice
          servicePort: grpc
EOF

However, the following rules will not work because they use regular expressions in the path and ingress.kubernetes.io annotations:

$ kubectl create -f - <<EOF
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: this-will-not-work
  annotations:
    kubernetes.io/ingress.class: istio
    # Ingress annotations other than ingress class will not be honored
    ingress.kubernetes.io/rewrite-target: /
spec:
  rules:
  - host: example.com
    http:
      paths:
      - path: /hello(.*?)world/
        backend:
          serviceName: myservice
          servicePort: grpc
EOF

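I assume your hello-world is working because it has only 1 annotation, which is the ingress class.

If you take a look at the annotations of harbor here, they might be the problem when you want to use it with istio.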


but how to set wildcard * in Helm?

The wildcard has nothing to do with it here. As I mentioned, you can use either wildcard or additional paths, which is done well. Take a look at the ingress paths here.
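The restrictions quoted in the answer above can be checked mechanically before an Ingress is handed to Istio. The following is an added example, not code from the post, the Harbor chart or Istio: it lints Ingress objects (as parsed from `kubectl get ingress -o json`) for controller annotations Istio will ignore, regex paths, and paths containing `.`. The function name `lint_ingress`, the regex character set and the sample objects are assumptions made for illustration.

```python
import json
import re

CLASS_KEY = "kubernetes.io/ingress.class"
# Assumption: these characters mark a regex-style path; a bare "/*" suffix is
# allowed because the question's helloworld-ingress uses it successfully.
REGEX_CHARS = re.compile(r"[()\[\]{}?+|^$\\]")

def lint_ingress(ingress):
    """Return findings for one Ingress object (parsed `kubectl get -o json`)."""
    annotations = ingress.get("metadata", {}).get("annotations", {})
    if annotations.get(CLASS_KEY) != "istio":
        return []  # not handled by Istio, nothing to check
    findings = []
    for key in sorted(annotations):
        domain = key.split("/", 1)[0]
        # Matches ingress.kubernetes.io/* and nginx.ingress.kubernetes.io/*
        if domain.endswith("ingress.kubernetes.io"):
            findings.append(f"annotation ignored by Istio: {key}")
    for rule in ingress.get("spec", {}).get("rules", []):
        for entry in rule.get("http", {}).get("paths", []):
            path = entry.get("path", "")
            if REGEX_CHARS.search(path):
                findings.append(f"regex path: {path}")
            elif "." in path:
                findings.append(f"path contains '.': {path}")
    return findings

# Constructed samples, reduced from the manifests quoted on this page.
SAMPLES = json.loads("""[
 {"metadata": {"name": "helloworld-ingress",
               "annotations": {"kubernetes.io/ingress.class": "istio"}},
  "spec": {"rules": [{"host": "hw.service.example.io",
                      "http": {"paths": [{"path": "/*"}]}}]}},
 {"metadata": {"name": "this-will-not-work",
               "annotations": {"kubernetes.io/ingress.class": "istio",
                               "ingress.kubernetes.io/rewrite-target": "/"}},
  "spec": {"rules": [{"host": "example.com",
                      "http": {"paths": [{"path": "/hello(.*?)world/"}]}}]}}
]""")

if __name__ == "__main__":
    for item in SAMPLES:
        print(item["metadata"]["name"], lint_ingress(item) or "ok")
```

Running the same function over the Ingress objects rendered by the Harbor chart shows which of its annotations and paths fall outside what the Istio ingress class accepts.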