Question

我有一个服务监听两个端口;一个是http，另一个是grpc。我想设置一个入口，可以使用相同的主机路由到这两个端口。

如果使用http / 1.1，负载均衡器将重定向到http端口，如果使用h2，则负载均衡器将重定向到grpc端口。

有没有办法用istio做到这一点？

我创造了一个问候世界，展示了我想要实现的目标：

apiVersion: extensions/v1beta1
kind: Deployment
metadata:
  name: hello-world
  namespace: dev
spec:
  replicas: 1
  template:
    metadata:
      annotations:
        alpha.istio.io/sidecar: injected
        pod.beta.kubernetes.io/init-containers: '[{"args":["-p","15001","-u","1337","-i","172.20.0.0/16"],"image":"docker.io/istio/init:0.1","imagePullPolicy":"Always","name":"init","securityContext":{"capabilities":{"add":["NET_ADMIN"]}}}]'
      labels:
        app: hello-world
    spec:
      containers:
      - name: grpc-server
        image: aguilbau/hello-world-grpc:latest
        ports:
        - name: grpc
          containerPort: 50051
      - name: http-server
        image: nginx:1.7.9
        ports:
        - name: http
          containerPort: 80
      - name: istio-proxy
        args:
        - proxy
        - sidecar
        - -v
        - "2"
        env:
        - name: POD_NAME
          valueFrom:
            fieldRef:
              fieldPath: metadata.name
        - name: POD_NAMESPACE
          valueFrom:
            fieldRef:
              fieldPath: metadata.namespace
        - name: POD_IP
          valueFrom:
            fieldRef:
              fieldPath: status.podIP
        image: docker.io/istio/proxy:0.1
        imagePullPolicy: Always
        resources: {}
        securityContext:
          runAsUser: 1337
---
apiVersion: v1
kind: Service
metadata:
  name: hello-world
  namespace: dev
spec:
  ports:
  - name: grpc
    port: 50051
  - name: http
    port: 80
  selector:
    app: hello-world
---
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: hello-world-http
  namespace: dev
  annotations:
    kubernetes.io/ingress.class: "istio"
spec:
  rules:
  - host: hello-world
    http:
      paths:
      - backend:
          serviceName: hello-world
          servicePort: 80
---
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: hello-world-grpc
  namespace: dev
  annotations:
    kubernetes.io/ingress.class: "istio"
spec:
  rules:
  - host: hello-world
    http:
      paths:
      - backend:
          serviceName: hello-world
          servicePort: 50051
---

Answer 1

我参加聚会有点晚了，但是对于那些在这篇文章上绊脚石的人来说，我认为您可以很轻松地做到这一点。我将假设您在kubernetes集群上安装了istio并很高兴使用默认的istio-ingressgateway：

apiVersion: extensions/v1beta1
kind: Deployment
metadata:
  name: hello-world
  namespace: dev
spec:
  replicas: 1
  template:
    metadata:
      annotations:
        alpha.istio.io/sidecar: injected
        pod.beta.kubernetes.io/init-containers: '[{"args":["-p","15001","-u","1337","-i","172.20.0.0/16"],"image":"docker.io/istio/init:0.1","imagePullPolicy":"Always","name":"init","securityContext":{"capabilities":{"add":["NET_ADMIN"]}}}]'
      labels:
        app: hello-world
    spec:
      containers:
      - name: grpc-server
        image: aguilbau/hello-world-grpc:latest
        ports:
        - name: grpc
          containerPort: 50051
      - name: http-server
        image: nginx:1.7.9
        ports:
        - name: http
          containerPort: 80
      - name: istio-proxy
        args:
        - proxy
        - sidecar
        - -v
        - "2"
        env:
        - name: POD_NAME
          valueFrom:
            fieldRef:
              fieldPath: metadata.name
        - name: POD_NAMESPACE
          valueFrom:
            fieldRef:
              fieldPath: metadata.namespace
        - name: POD_IP
          valueFrom:
            fieldRef:
              fieldPath: status.podIP
        image: docker.io/istio/proxy:0.1
        imagePullPolicy: Always
        resources: {}
        securityContext:
          runAsUser: 1337

---

apiVersion: v1
kind: Service
metadata:
  name: hello-world
  namespace: dev
spec:
  ports:
  - name: grpc
    port: 50051
  - name: http
    port: 80
  selector:
    app: hello-world

---

apiVersion: networking.istio.io/v1alpha3
kind: Gateway
metadata:
  name: hello-world-istio-gate
  namespace: dev
spec:
  selector:
    istio: ingressgateway
  servers:
  - port:
      number: 80
      name: http
      protocol: HTTP
    hosts:
    - "*"
  - port:
      number: 50051
      name: grpc
      protocol: GRPC
    hosts:
    - "*"

---

apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
  name: hello-world-istio-vsvc
  namespace: dev
spec:
  hosts:
  - "*"
  gateways:
  - hello-world-istio-gate
  http:
  - match:
    - port: 80
    route:
    - destination:
        host: hello-world
        port:
          number: 80
  tcp:
  - match:
    - port: 50051
    route:
    - destination:
        host: hello-world
        port:
          number: 50051

上面的配置省略了您的两个Ingress，而是包括：

您的部署
您的服务
istio网关
istio虚拟服务

还有一个重要的额外部分未显示，我在前面提到使用默认入口网关时提到了它。在“ hello-world-istio-gateway”中找到的以下行提供了线索：

istio: ingressgateway

这是指“ istio-system”命名空间中的一个容器，通常默认情况下安装该容器，称为“ istio-ingressgateway”-该容器由也称为“ istio-ingressgateway”的服务公开。 您将需要在“ istio-ingressgateway”服务上打开端口。

作为示例，我编辑了（默认）入口网关，并添加了HTTP和GRPC的端口开放。结果是以下（按长度编辑）yaml代码：

dampersand@kubetest1:~/k8s$ kubectl get service istio-ingressgateway -n istio-system -o yaml
apiVersion: v1
kind: Service
metadata:

<omitted for length>

  labels:
    app: istio-ingressgateway
    chart: gateways-1.0.3
    heritage: Tiller
    istio: ingressgateway
    release: istio
  name: istio-ingressgateway
  namespace: istio-system

  <omitted for length>

  ports:
  - name: http2
    nodePort: 31380
    port: 80
    protocol: TCP
    targetPort: 80

  <omitted for length>

  - name: grpc
    nodePort: 30000
    port: 50051
    protocol: TCP
    targetPort: 50051
  selector:
    app: istio-ingressgateway
    istio: ingressgateway
  type: NodePort

进行上述更改（出于测试目的）的最简单方法是使用：

kubectl edit svc -n istio-system istio-ingressgateway

出于生产目的，最好编辑头盔图表或istio.yaml文件或最初用于设置入口网关的任何文件。

作为一个简短的说明，请注意我的测试群集已将istio-ingressgateway设置为NodePort，因此上述yaml文件表示我的群集正在端口转发31380-> 80和30000->50051。您可以（可能）已将istio-ingressgateway设置为LoadBalancer，这将有所不同...因此请进行相应的计划。

最后，以下博客文章是我在这篇文章中概述的工具的一些非常出色的背景知识！ https://blog.jayway.com/2018/10/22/understanding-istio-ingress-gateway-in-kubernetes/

Answer 2

如果将grpc-server和http-server容器移动到具有唯一标签的不同容器（即服务的不同版本，可以这么说）然后使用，则可以执行类似的操作Ingress背后的Istio路线规则将流量分开。标头Upgrade: h2匹配的规则可以将流量发送到grpc版本，默认规则会将其余流量发送到http 1。

istio：使用grpc和http进入

2 个答案: