Introducing an ingress into an Istio mesh

Date: 2019-01-04 06:37:01

Tags: kubernetes istio

I have an Istio mesh with mTLS disabled and the following pods and services. I am using kubeadm.

pasan@ubuntu:~$ kubectl get pods --all-namespaces
NAMESPACE       NAME                                                       READY     STATUS      RESTARTS   AGE
default         debug-tools                                                2/2       Running     0          2h
default         employee--debug-deployment-57947cf67-gwpjq                 2/2       Running     0          2h
default         employee--employee-deployment-5f4d7c9d78-sfmtx             2/2       Running     0          2h
default         employee--gateway-deployment-bc646bd84-wnqwq               2/2       Running     0          2h
default         employee--salary-deployment-d4969d6c8-lz7n7                2/2       Running     0          2h
default         employee--sts-deployment-7bb9b44bf7-lthc8                  1/1       Running     0          2h
default         hr--debug-deployment-86575cffb6-6wrlf                      2/2       Running     0          2h
default         hr--gateway-deployment-8c488ff6-827pf                      2/2       Running     0          2h
default         hr--hr-deployment-596946948d-rzc7z                         2/2       Running     0          2h
default         hr--sts-deployment-694d7cff97-4nz29                        1/1       Running     0          2h
default         stock-options--debug-deployment-68b8fccb97-4znlc           2/2       Running     0          2h
default         stock-options--gateway-deployment-64974b5fbb-rjrwq         2/2       Running     0          2h
default         stock-options--stock-deployment-d5c9d4bc8-dqtrr            2/2       Running     0          2h
default         stock-options--sts-deployment-66c4799599-xx9d4             1/1       Running     0          2h

pasan@ubuntu:~$ kubectl get services
NAME                             TYPE        CLUSTER-IP       EXTERNAL-IP   PORT(S)             AGE
employee--debug-service          ClusterIP   10.104.23.141    <none>        80/TCP              2h
employee--employee-service       ClusterIP   10.96.203.80     <none>        80/TCP              2h
employee--gateway-service        ClusterIP   10.97.145.188    <none>        80/TCP              2h
employee--salary-service         ClusterIP   10.110.167.162   <none>        80/TCP              2h
employee--sts-service            ClusterIP   10.100.145.102   <none>        8080/TCP,8081/TCP   2h
hr--debug-service                ClusterIP   10.103.81.158    <none>        80/TCP              2h
hr--gateway-service              ClusterIP   10.106.183.101   <none>        80/TCP              2h
hr--hr-service                   ClusterIP   10.107.136.178   <none>        80/TCP              2h
hr--sts-service                  ClusterIP   10.105.184.100   <none>        8080/TCP,8081/TCP   2h
kubernetes                       ClusterIP   10.96.0.1        <none>        443/TCP             2h
stock-options--debug-service     ClusterIP   10.111.51.88     <none>        80/TCP              2h
stock-options--gateway-service   ClusterIP   10.100.81.254    <none>        80/TCP              2h
stock-options--stock-service     ClusterIP   10.96.189.100    <none>        80/TCP              2h
stock-options--sts-service       ClusterIP   10.108.59.68     <none>        8080/TCP,8081/TCP   2h

I accessed this service from the debug pod using the following command:

curl -X GET http://hr--gateway-service.default:80/info -H "Authorization: Bearer $token" -v

Next, I enabled mTLS in the mesh. As expected, the above curl command fails.

Now I want to set up an ingress controller so that the service mesh can be accessed as before.

So I set up the Gateway and VirtualService as follows:

cat <<EOF | kubectl apply -f -
apiVersion: networking.istio.io/v1alpha3
kind: Gateway
metadata:
  name: hr-ingress-gateway
spec:
  selector:
    istio: ingressgateway # use Istio default gateway implementation
  servers:
  - port:
      number: 80
      name: http
      protocol: HTTP
    hosts:
    - "hr--gateway-service.default"
EOF


cat <<EOF | kubectl apply -f -
apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
  name: hr-ingress-virtual-service
spec:
  hosts:
  - "*"
  gateways:
  - hr-ingress-gateway
  http:
  - match:
    - uri:
        prefix: /info/
    route:
    - destination:
        port:
          number: 80
        host: hr--gateway-service
EOF

But I still get the following output:

wso2carbon@gateway-5bd88fd679-l8jn5:~$ curl -X GET http://hr--gateway-service.default:80/info -H "Authorization: Bearer $token" -v
Note: Unnecessary use of -X or --request, GET is already inferred.
*   Trying 10.106.183.101...
* Connected to hr--gateway-service.default (10.106.183.101) port 80 (#0)
> GET /info HTTP/1.1
> Host: hr--gateway-service.default
> User-Agent: curl/7.47.0
> Accept: */*
...
* Recv failure: Connection reset by peer
* Closing connection 0
curl: (56) Recv failure: Connection reset by peer

Could you let me know whether my ingress setup is correct, and how to access the service with curl once it is set up? My ingress services are as follows:

ingress-nginx   default-http-backend                    ClusterIP   10.105.46.168    <none>         80TCP                                                                                                                    3h
ingress-nginx   ingress-nginx                           NodePort    10.110.75.131    172.17.17.100   80:30770/TCP,443:32478/TCP
istio-ingressgateway       NodePort    10.98.243.205    <none>        80:31380/TCP,443:31390/TCP,31400:31400/TCP,15011:31775/TCP,8060:32436/TCP,853:31351/TCP,15030:32149/TCP,15031:32653/TCP   3h

1 Answer:

Answer 0: (score: 3)

@Pasan, to apply Istio CRDs (VirtualService) to incoming traffic you need to use Istio's Ingress Gateway as the entry point, as shown here: https://istio.io/docs/tasks/traffic-management/ingress/

The ingress gateway is a wrapper around Envoy that can be configured using Istio's CRDs.

Basically, you don't need a second ingress controller; the default ingress gateway is installed during the Istio installation. Find it by running:

kubectl get services -n istio-system -l app=istio-ingressgateway

and then, using the Ingress Gateway IP, run:

curl -X GET http://{INGRESSGATEWAY_IP}/info -H "Authorization: Bearer $token" -H "Host: hr--gateway-service.default"

I added the host as a header because it is defined in the Gateway, which means only that host is allowed in.
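An added illustration, not code from the question or the answer: this Python models, in simplified form and not with Istio's own implementation, how the ingress gateway evaluates a request against the Gateway's hosts and the VirtualService's uri `prefix` match, using the two manifests from the question re-typed as dicts. It shows why the Host header in the answer's curl matters, and that the `/info/` prefix in the VirtualService only covers paths under `/info/`, not `/info` itself.

```python
# Constructed stand-in for the question's manifests: Gateway hosts/port and
# the VirtualService routing rules, re-typed as plain dicts.
GATEWAY = {"hosts": ["hr--gateway-service.default"], "port": 80, "protocol": "HTTP"}
VIRTUAL_SERVICE = {
    "hosts": ["*"],
    "gateways": ["hr-ingress-gateway"],
    "http": [{
        "match": [{"uri": {"prefix": "/info/"}}],
        "route": [{"destination": {"host": "hr--gateway-service", "port": 80}}],
    }],
}

def host_matches(pattern, host):
    """Istio host patterns: exact name, "*", or a leading wildcard like "*.default"."""
    if pattern == "*":
        return True
    if pattern.startswith("*."):
        return host.endswith(pattern[1:])  # "*.default" matches "svc.default"
    return pattern == host

def uri_matches(match, path):
    """HTTPMatchRequest uri clause: literal prefix or exact string comparison."""
    uri = match.get("uri", {})
    if "exact" in uri:
        return path == uri["exact"]
    if "prefix" in uri:
        return path.startswith(uri["prefix"])  # "/info/" does not cover "/info"
    return True  # a rule without a uri clause matches every path

def simulate(gateway, vs, host_header, path):
    """Describe what the ingress gateway would do with one request (simplified model)."""
    if not any(host_matches(h, host_header) for h in gateway["hosts"]):
        return "404: Host header not among Gateway hosts"
    if not any(host_matches(h, host_header) for h in vs["hosts"]):
        return "404: no VirtualService bound for this host"
    for rule in vs["http"]:
        if any(uri_matches(m, path) for m in rule.get("match", [{}])):
            dest = rule["route"][0]["destination"]
            return f"routed to {dest['host']}:{dest['port']}"
    return "404: no http rule matched the path"

if __name__ == "__main__":
    for host, path in [("hr--gateway-service.default", "/info"),
                       ("hr--gateway-service.default", "/info/42"),
                       ("other.default", "/info/42")]:
        print(f"Host: {host} {path} -> {simulate(GATEWAY, VIRTUAL_SERVICE, host, path)}")
```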