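Accessing HTTPS service egress, Istio v1.0

Time: 2018-09-20 22:39:43

Tags: kubernetes istio

I am trying to enable a deployment in the gateway namespace to send metrics to the external service at engine-report.apollodata.com.

I have written the following service entry and virtual service rules according to the Istio documentation, but no traffic is able to reach the endpoint.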

apiVersion: networking.istio.io/v1alpha3
kind: ServiceEntry
metadata:
  name: apollo-engine-ext
  namespace: {{ .Release.Namespace }}
  labels:
      chart: {{ .Chart.Name }}
      release: {{ .Release.Name }}
      heritage: {{ .Release.Service }}
spec:
  hosts:
  - '*.apollodata.com'
  ports:
  - number: 80
    name: http
    protocol: HTTP
  - number: 443
    name: https
    protocol: HTTPS
  resolution: DNS
  location: MESH_EXTERNAL

---
apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
  name: apollo-engine-ext
  namespace: {{ .Release.Namespace }}
  labels:
      chart: {{ .Chart.Name }}
      release: {{ .Release.Name }}
      heritage: {{ .Release.Service }}
spec:
  hosts:
  - '*.apollodata.com'
  tls:
  - match:
    - port: 443
      sni_hosts:
      - '*.apollodata.com'
    route:
    - destination:
        host: '*.apollodata.com'
        port:
          number: 443
      weight: 100

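What could be causing this problem?

2 answers:

Answer 0: (score: 3)

I think the problem is that you are using DNS resolution in a ServiceEntry with a wildcard host. According to {{3}}, if there are no endpoints in the ServiceEntry, DNS resolution only works when the hosts are not wildcards.

If the application can resolve the endpoints, setting the resolution to NONE will work fine.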
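
The rule described in the answer above, as an added example that is not part of the original answer or of Istio: a Python check over rendered ServiceEntry manifests (already parsed into dicts) that flags wildcard hosts combined with `resolution: DNS` and no endpoints. The function name `lint_service_entry` and the sample manifests are constructed for illustration, modelled on the configurations on this page.

```python
# Added example: flag ServiceEntry manifests that combine wildcard hosts with
# DNS resolution and no endpoints, the combination the answer identifies.

def lint_service_entry(manifest):
    """Return a list of findings for one parsed manifest (a dict)."""
    if manifest.get("kind") != "ServiceEntry":
        return []
    spec = manifest.get("spec", {})
    name = manifest.get("metadata", {}).get("name", "<unnamed>")
    # NONE is the value in effect when the resolution field is omitted.
    resolution = spec.get("resolution", "NONE")
    wildcards = [h for h in spec.get("hosts", []) if h.startswith("*")]
    if resolution == "DNS" and wildcards and not spec.get("endpoints"):
        return [
            f"{name}: wildcard host {h!r} with resolution DNS and no endpoints; "
            "list explicit hosts, add endpoints, or use resolution NONE"
            for h in wildcards
        ]
    return []


def make_entry(name, hosts, resolution=None, endpoints=None):
    """Build a constructed ServiceEntry dict shaped like the page's manifests."""
    spec = {
        "hosts": hosts,
        "location": "MESH_EXTERNAL",
        "ports": [{"number": 443, "name": "https", "protocol": "HTTPS"}],
    }
    if resolution is not None:
        spec["resolution"] = resolution
    if endpoints is not None:
        spec["endpoints"] = endpoints
    return {"kind": "ServiceEntry", "metadata": {"name": name}, "spec": spec}


# Constructed samples: the question's shape, the accepted fix, and the NONE variant.
QUESTION = make_entry("apollo-engine-ext", ["*.apollodata.com"], "DNS")
FIXED = make_entry("apollo-engine-ext",
                   ["apollodata.com", "engine-report.apollodata.com"], "DNS")
WILDCARD_NONE = make_entry("apollo-engine-ext", ["*.apollodata.com"], "NONE")

if __name__ == "__main__":
    for entry in (QUESTION, FIXED, WILDCARD_NONE):
        for finding in lint_service_entry(entry):
            print(finding)
```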

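Answer 1: (score: 2)

With the following configuration, this problem was resolved. I am still not sure what caused it. To clarify some comments on my original question: with the original configuration, it was possible to curl the http://engine-report.apollodata.com and https://engine-report.apollodata.com endpoints, but external endpoints like http://www.google.com were unavailable, as intended by the Istio service mesh.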

apiVersion: networking.istio.io/v1alpha3
kind: ServiceEntry
metadata:
  name: "apollo-engine-ext"
  namespace: {{ .Release.Namespace }}
  labels:
      chart: {{ .Chart.Name }}
      release: {{ .Release.Name }}
      heritage: {{ .Release.Service }}
spec:
  hosts:
  - apollodata.com
  - engine-report.apollodata.com
  - apollographql.com
  location: MESH_EXTERNAL
  ports:
  - number: 443
    name: https
    protocol: HTTPS
  - number: 80
    name: http
    protocol: HTTP
  resolution: DNS

---

apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
  name: "apollo-engine-ext"
  namespace: {{ .Release.Namespace }}
  labels:
      chart: {{ .Chart.Name }}
      release: {{ .Release.Name }}
      heritage: {{ .Release.Service }}
spec:
  hosts:
  - apollodata.com
  - engine-report.apollodata.com
  - apollographql.com
  tls:
  - match:
    - port: 443
      sniHosts:
      - apollodata.com
    route:
    - destination:
        host: apollodata.com
  - match:
    - port: 443
      sniHosts:
      - engine-report.apollodata.com
    route:
    - destination:
        host: engine-report.apollodata.com
  - match:
    - port: 443
      sniHosts:
      - apollographql.com
    route:
    - destination:
        host: apollographql.com