Kubernetes Istio exposure not working with Virtualservice and Gateway
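So we have the following use case running on Istio 1.8.2/Kubernetes 1.18:
Our cluster is exposed through an external load balancer on Azure. When we expose the application the following way, it works: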
```yaml
---
apiVersion: apps/v1
kind: ReplicaSet
metadata:
  annotations:
    ...
  name: frontend
  namespace: frontend
spec:
  replicas: 1
  selector:
    matchLabels:
      app: applicationname
  template:
    metadata:
      labels:
        app: appname
        name: frontend
        customer: customername
    spec:
      imagePullSecrets:
      - name: yadayada
      containers:
      - name: frontend
        image: yadayada
        imagePullPolicy: Always
        ports:
        - name: https
          protocol: TCP
          containerPort: 80
        resources: {}
      dnsPolicy: ClusterFirst
      restartPolicy: Always
      schedulerName: default-scheduler
---
apiVersion: v1
kind: Service
metadata:
  name: frontend-svc
  namespace: frontend
  labels:
    name: frontend-svc
    customer: customername
spec:
  type: LoadBalancer
  ports:
  - name: http
    port: 80
    targetPort: 80
  selector:
    name: frontend
---
apiVersion: networking.k8s.io/v1beta1
kind: Ingress
metadata:
  name: frontend
  namespace: frontend
  annotations:
    kubernetes.io/ingress.class: istio
    kubernetes.io/tls-acme: "true"
    cert-manager.io/cluster-issuer: letsencrypt-prod
spec:
  rules:
  - host: "customer.domain.com"
    http:
      paths:
      - path: /
        pathType: Prefix
        backend:
          serviceName: frontend-svc
          servicePort: 80
  tls:
  - hosts:
    - "customer.domain.com"
    secretName: certificate
```
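When we started using a VirtualService and Gateway, for some reason we could not get it to work. We want to use a VSVC and Gateway because they offer more flexibility and options (such as URL rewrites). Other applications running on Istio don't have this problem (they are also simpler), and we don't have network policies in place (yet). We simply cannot reach the web page. Does anyone have an idea? VirtualService and Gateway below. The other 2 ReplicaSets are not mentioned because they are not the problem: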
```yaml
---
apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
  creationTimestamp: null
  name: virtualservice-name
  namespace: frontend
spec:
  gateways:
  - frontend
  hosts:
  - customer.domain.com
  http:
  - match:
    - uri:
        prefix: /
    route:
    - destination:
        host: frontend
        port:
          number: 80
      weight: 100
  - match:
    - uri:
        prefix: /api/
    route:
    - destination:
        host: backend
        port:
          number: 8080
      weight: 100
  - match:
    - uri:
        prefix: /auth/
    route:
    - destination:
        host: keycloak
        port:
          number: 8080
      weight: 100
---
apiVersion: networking.istio.io/v1alpha3
kind: Gateway
metadata:
  name: frontend
  namespace: frontend
spec:
  selector:
    istio: ingressgateway # use istio default controller
  servers:
  - port:
      number: 80
      name: http2
      protocol: HTTP
    tls:
      httpsRedirect: True
    hosts:
    - "customer.domain.com"
  - port:
      number: 443
      name: https
      protocol: HTTPS
    tls:
      mode: PASSTHROUGH
      credentialName: customer-cert
    hosts:
    - "customer.domain.com"
```
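Your Gateway specifies PASSTHROUGH, but your VirtualService provides an HttpRoute. This means the TLS connection is not terminated by the Gateway, but the VirtualService expects terminated TLS. See also this somewhat similar question.
@user140547 Correct, we have changed that now. But we still cannot access the application.
We found out that one of the important services was not receiving gateway traffic because that service was not set up correctly. This is our first time doing an Istio deployment with multiple services, so we thought each of them needed its own Gateway. Little did we know that 1 Gateway was enough...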
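
The mismatch the answer describes, resolved on the Gateway side, as an added example that is not from the original thread: `mode: SIMPLE` makes the gateway terminate TLS so the `http` routes apply, and one Gateway fronts all three services. It assumes the `customer-cert` secret is readable by the ingress gateway and that `backend` and `keycloak` are Service names as in the question; only the 443 server is shown, and the port 80 redirect server from the question stays as it is.

```yaml
apiVersion: networking.istio.io/v1alpha3
kind: Gateway
metadata:
  name: frontend
  namespace: frontend
spec:
  selector:
    istio: ingressgateway
  servers:
  - port:
      number: 443
      name: https
      protocol: HTTPS
    tls:
      mode: SIMPLE                   # was PASSTHROUGH; the gateway now terminates TLS
      credentialName: customer-cert  # secret must live in the ingress gateway workload's namespace
    hosts:
    - "customer.domain.com"
---
apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
  name: virtualservice-name
  namespace: frontend
spec:
  gateways:
  - frontend
  hosts:
  - customer.domain.com
  http:
  # Routes are evaluated in order and the first match wins,
  # so the specific prefixes come before the catch-all route.
  - match:
    - uri:
        prefix: /api/
    route:
    - destination:
        host: backend
        port: {number: 8080}
  - match:
    - uri:
        prefix: /auth/
    route:
    - destination:
        host: keycloak
        port: {number: 8080}
  - route:
    - destination:
        host: frontend-svc   # Service name as defined in the question's Service manifest
        port: {number: 80}
```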