如何在不使用kubectl端口转发的情况下在生产中部署Istio Jaeger UI跟踪

时间:2019-11-05 05:20:26

标签: kubernetes istio jaeger distributed-tracing

我正在尝试部署Istio Jaeger UI进行分布式跟踪。当前,我正在使用命令kubectl port-forward -n monitoring prometheus-prometheus-operator-prometheus-0 9090使用kubectl端口转发。但是它运行在http://localhost:port上,那么我该如何在生产中进行呢?还有其他任何方式可以在生产中进行部署。还有如何使它在https上运行?

1 个答案:

答案 0 :(得分:0)

根据文档Remotely Accessing Telemetry Addons。如何使用遥测技术。

推荐的方法是使用https而不是http创建安全访问。

两种方法的注意事项:

  

此选项仅包括保护传输层。您还应该配置遥测插件,使其在外部公开时需要身份验证。

请注意,jaeger本身不支持身份验证方法github和使用Apache httpd服务器here的解决方法。

  1. 通过招募,您可以使用网关(SDS)with self-signed certificates

    a 。)请确保您在istio安装期间已出于入口目的在入口网关--set gateways.istio-ingressgateway.sds.enabled=true--set tracing.enabled=true上启用了SDS。

    b 。)创建用于测试目的的自签名证书,您可以使用此example and repository

    c 。)请遵循Generate client and server certificates and keysConfigure a TLS ingress gateway using SDS

  2. 创建虚拟服务和网关:

apiVersion: networking.istio.io/v1alpha3
kind: Gateway
metadata:
  name: mygateway
spec:
  selector:
    istio: ingressgateway # use istio default ingress gateway
  servers:
  - port:
      number: 443
      name: https
      protocol: HTTPS
    tls:
      mode: SIMPLE
      credentialName: "httpbin-credential" # must be the same as secret crated in the step 2.
    hosts:
    - "httpbin.example.com" ## You can apply "*" for all hosts

apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
  name: tracing
spec:
  hosts:
  - "httpbin.example.com" ## You can apply "*" for all hosts
  gateways:
  - mygateway
  http:
  - match:
    - port: 443
    route:
    - destination:
        port:
          number: 80
        host: tracing.istio-system.svc.cluster.local

curl -kvI https ://xx.xx.xx.xx/
*   Trying xx.xx.xx.xx...
* TCP_NODELAY set
* Connected to xx.xx.xx.xx (xx.xx.xx.xx) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* Cipher selection: ALL:!EXPORT:!EXPORT40:!EXPORT56:!aNULL:!LOW:!RC4:@STRENGTH
* successfully set certificate verify locations:
*   CAfile: /etc/ssl/certs/ca-certificates.crt
  CApath: /etc/ssl/certs
* TLSv1.2 (OUT), TLS header, Certificate Status (22):
* TLSv1.2 (OUT), TLS handshake, Client hello (1):
* TLSv1.2 (IN), TLS handshake, Server hello (2):
* TLSv1.2 (IN), TLS handshake, Certificate (11):
* TLSv1.2 (IN), TLS handshake, Server key exchange (12):
* TLSv1.2 (IN), TLS handshake, Server finished (14):
* TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
* TLSv1.2 (OUT), TLS change cipher, Client hello (1):
* TLSv1.2 (OUT), TLS handshake, Finished (20):
* TLSv1.2 (IN), TLS change cipher, Client hello (1):
* TLSv1.2 (IN), TLS handshake, Finished (20):
* SSL connection using TLSv1.2 / ECDHE-RSA-AES128-GCM-SHA256

* ALPN, server accepted to use h2
> HEAD / HTTP/1.1
> Host: xx.xx.xx.xx
> User-Agent: curl/7.52.1
> Accept: */*
>
* Connection state changed (MAX_CONCURRENT_STREAMS updated)!
< HTTP/2 200
HTTP/2 200
< content-type: text/html; charset=utf-8
content-type: text/html; charset=utf-8
< date: Thu, 07 Nov 2019 10:01:33 GMT
date: Thu, 07 Nov 2019 10:01:33 GMT
< x-envoy-upstream-service-time: 1
x-envoy-upstream-service-time: 1
< server: istio-envoy
server: istio-envoy

希望获得帮助

相关问题
最新问题