如何使用 Istio Service Entry 对象连接不同命名空间中的两个服务?
How to use Istio Service Entry object to connect two services in different namespace?
我有两个服务,比如 svcA 和 svcB,它们可能位于不同的命名空间甚至不同的 k8s 集群中。我想配置服务,以便 svcA 可以使用一些常量地址引用 svcB,然后根据环境部署一个 Istio Service Entry 对象来路由要求。我将使用 Helm 进行部署,因此使用条件选择要部署的对象很容易。
如果svcB在一个完全不同的集群中,它就像任何外部服务器一样,很容易配置。
但是当它在同一个集群的不同命名空间中时,我无法让 Service Entry 工作。也许我不明白它提供的所有选项。
Istio 对象
apiVersion: networking.istio.io/v1alpha3
kind: Gateway
metadata:
name: demo-gateway
spec:
selector:
istio: ingressgateway # use Istio default gateway implementation
servers:
- port:
number: 80
name: http
protocol: HTTP
hosts:
- "*"
---
apiVersion: networking.istio.io/v1beta1
kind: ServiceEntry
metadata:
name: svcB-se
spec:
hosts:
- svcB.alias
ports:
- number: 80
name: http
protocol: HTTP2
location: MESH_INTERNAL
resolution: svcB.svcb-ns.svc.cluster.local
更新
经过一些random/crazy测试,我发现别名域名必须以众所周知的后缀结尾,如.com、.org, 任意后缀, 如 .svc, .alias, 将不起作用。
如果我将上面的 ServiceEntry 对象更新为这样。我的应用程序有效。
apiVersion: networking.istio.io/v1beta1
kind: ServiceEntry
metadata:
name: svcB-se
spec:
hosts:
- svcB.com
ports:
- number: 80
name: http
protocol: HTTP2
location: MESH_INTERNAL
resolution: svcB.svcb-ns.svc.cluster.local
我找了一段时间,查了Istio的文档,没有找到任何关于域名后缀限制的参考。
只有 .com 和 .org 这样的域名才有效是隐含的知识吗?离开学校好久了
我已经发布了社区维基答案来总结主题并粘贴问题的解释:
经过一些random/crazy测试,我发现别名域名必须以众所周知的后缀结尾,如.com、.org, 任意后缀, 如 .svc, .alias, 将不起作用.
如果我将上面的 ServiceEntry 对象更新为这样。我的应用程序有效。
apiVersion: networking.istio.io/v1beta1
kind: ServiceEntry
metadata:
name: svcB-se
spec:
hosts:
- svcB.com
ports:
- number: 80
name: http
protocol: HTTP2
location: MESH_INTERNAL
resolution: svcB.svcb-ns.svc.cluster.local
我搜索了一段时间,查看了Istio的文档,没有找到任何关于域名后缀限制的参考。
只有 .com 和 .org 这样的域名才有效是隐性知识吗?离开学校好久了
解释:
您可以在官方文档中找到 ServiceEntry 要求。您可以找到有关如何正确设置此值的说明:
The hosts associated with the ServiceEntry. Could be a DNS name with wildcard prefix.
- The hosts field is used to select matching hosts in VirtualServices and DestinationRules.
- For HTTP traffic the HTTP Host/Authority header will be matched against the hosts field.
- For HTTPs or TLS traffic containing Server Name Indication (SNI), the SNI value will be matched against the hosts field.
NOTE 1: When resolution is set to type DNS and no endpoints are specified, the host field will be used as the DNS name of the endpoint to route traffic to.
NOTE 2: If the hostname matches with the name of a service from another service registry such as Kubernetes that also supplies its own set of endpoints, the ServiceEntry will be treated as a decorator of the existing Kubernetes service. Properties in the service entry will be added to the Kubernetes service if applicable. Currently, the only the following additional properties will be considered by istiod:
- subjectAltNames: In addition to verifying the SANs of the service accounts associated with the pods of the service, the SANs specified here will also be verified.
基于 this issue,您不必在 hosts 字段中使用 FQDN,但您需要为 select VirtualServices 和 DestinationRules 中匹配的主机设置适当的值。
我有两个服务,比如 svcA 和 svcB,它们可能位于不同的命名空间甚至不同的 k8s 集群中。我想配置服务,以便 svcA 可以使用一些常量地址引用 svcB,然后根据环境部署一个 Istio Service Entry 对象来路由要求。我将使用 Helm 进行部署,因此使用条件选择要部署的对象很容易。
如果svcB在一个完全不同的集群中,它就像任何外部服务器一样,很容易配置。
但是当它在同一个集群的不同命名空间中时,我无法让 Service Entry 工作。也许我不明白它提供的所有选项。
Istio 对象
apiVersion: networking.istio.io/v1alpha3
kind: Gateway
metadata:
name: demo-gateway
spec:
selector:
istio: ingressgateway # use Istio default gateway implementation
servers:
- port:
number: 80
name: http
protocol: HTTP
hosts:
- "*"
---
apiVersion: networking.istio.io/v1beta1
kind: ServiceEntry
metadata:
name: svcB-se
spec:
hosts:
- svcB.alias
ports:
- number: 80
name: http
protocol: HTTP2
location: MESH_INTERNAL
resolution: svcB.svcb-ns.svc.cluster.local
更新
经过一些random/crazy测试,我发现别名域名必须以众所周知的后缀结尾,如.com、.org, 任意后缀, 如 .svc, .alias, 将不起作用。
如果我将上面的 ServiceEntry 对象更新为这样。我的应用程序有效。
apiVersion: networking.istio.io/v1beta1
kind: ServiceEntry
metadata:
name: svcB-se
spec:
hosts:
- svcB.com
ports:
- number: 80
name: http
protocol: HTTP2
location: MESH_INTERNAL
resolution: svcB.svcb-ns.svc.cluster.local
我找了一段时间,查了Istio的文档,没有找到任何关于域名后缀限制的参考。
只有 .com 和 .org 这样的域名才有效是隐含的知识吗?离开学校好久了
我已经发布了社区维基答案来总结主题并粘贴问题的解释:
经过一些random/crazy测试,我发现别名域名必须以众所周知的后缀结尾,如.com、.org, 任意后缀, 如 .svc, .alias, 将不起作用.
如果我将上面的 ServiceEntry 对象更新为这样。我的应用程序有效。
apiVersion: networking.istio.io/v1beta1
kind: ServiceEntry
metadata:
name: svcB-se
spec:
hosts:
- svcB.com
ports:
- number: 80
name: http
protocol: HTTP2
location: MESH_INTERNAL
resolution: svcB.svcb-ns.svc.cluster.local
我搜索了一段时间,查看了Istio的文档,没有找到任何关于域名后缀限制的参考。
只有 .com 和 .org 这样的域名才有效是隐性知识吗?离开学校好久了
解释: 您可以在官方文档中找到 ServiceEntry 要求。您可以找到有关如何正确设置此值的说明:
The hosts associated with the ServiceEntry. Could be a DNS name with wildcard prefix.
- The hosts field is used to select matching hosts in VirtualServices and DestinationRules.
- For HTTP traffic the HTTP Host/Authority header will be matched against the hosts field.
- For HTTPs or TLS traffic containing Server Name Indication (SNI), the SNI value will be matched against the hosts field.
NOTE 1: When resolution is set to type DNS and no endpoints are specified, the host field will be used as the DNS name of the endpoint to route traffic to.
NOTE 2: If the hostname matches with the name of a service from another service registry such as Kubernetes that also supplies its own set of endpoints, the ServiceEntry will be treated as a decorator of the existing Kubernetes service. Properties in the service entry will be added to the Kubernetes service if applicable. Currently, the only the following additional properties will be considered by
istiod:
- subjectAltNames: In addition to verifying the SANs of the service accounts associated with the pods of the service, the SANs specified here will also be verified.
基于 this issue,您不必在 hosts 字段中使用 FQDN,但您需要为 select VirtualServices 和 DestinationRules 中匹配的主机设置适当的值。