我目前正在将IT环境从Nginx入口网关迁移到Kubernetes上的IstIO入口网关。
我需要迁移以下Nginx注释:
nginx.ingress.kubernetes.io/proxy-buffer-size
nginx.ingress.kubernetes.io/proxy-read-timeout
nginx.ingress.kubernetes.io/proxy-send-timeout
nginx.ingress.kubernetes.io/proxy-body-size
nginx.ingress.kubernetes.io/upstream-vhost
对于Nginx,注释记录在这里:https://kubernetes.github.io/ingress-nginx/user-guide/nginx-configuration/annotations/
在IstIO的Nginx注释文档中找不到IstIO Ingress Gateway的使用方式。
有人知道如何在IstIO Ingress Gateway中实现上述注释吗?
谢谢。
最好的问候, rforberger
答案 0 :(得分:2)
我想我找到了在Istio中设置nginx.ingress.kubernetes.io/proxy-body-size
的方法。
apiVersion: networking.istio.io/v1alpha3
kind: EnvoyFilter
metadata:
name: reviews-lua
namespace: bookinfo
spec:
workloadSelector:
labels:
app: reviews
configPatches:
# The first patch adds the lua filter to the listener/http connection manager
- applyTo: HTTP_FILTER
match:
context: SIDECAR_INBOUND
listener:
portNumber: 8080
filterChain:
filter:
name: "envoy.http_connection_manager"
subFilter:
name: "envoy.router"
patch:
operation: INSERT_BEFORE
value: # lua filter specification
name: envoy.lua
config:
inlineCode: |
function envoy_on_request(request_handle)
request_handle:headers():add("request_body_size", request_handle:body():length())
end
还有TLS密码:
apiVersion: networking.istio.io/v1alpha3
kind: Gateway
metadata:
name: my-tls-ingress
spec:
selector:
app: my-tls-ingress-gateway
servers:
- port:
number: 443
name: https
protocol: HTTPS
hosts:
- "*"
tls:
mode: SIMPLE
serverCertificate: /etc/certs/server.pem
privateKey: /etc/certs/privatekey.pem
cipherSuites: "<tls-ciphers>"
答案 1 :(得分:1)
如果收到413实体太大作为响应,则这种情况的主要问题是链中的Envoy过滤器之一具有缓冲。
有关该主题的讨论,您可以在这里找到:https://github.com/envoyproxy/envoy/issues/2919
Envoy上的该缓冲的初始值由以下属性设置:
http2_protocol_options:
initial_stream_window_size: 65536 # 64 KiB
initial_connection_window_size: 1048576 # 1 MiB
来源:https://www.bookstack.cn/read/envoyproxy-1.13/9a624d80e56eceef.md
您可以为给定的工作负载(或全局)覆盖该缓冲区,但是您必须记住,如果增加过多,则存在内存不足攻击的风险。
重新配置它的示例过滤器:
apiVersion: networking.istio.io/v1alpha3
kind: EnvoyFilter
metadata:
name: my-service
spec:
workloadSelector:
labels:
app: my-service
configPatches:
- applyTo: NETWORK_FILTER
match:
listener:
filterChain:
filter:
name: "envoy.http_connection_manager"
patch:
operation: MERGE
value:
typed_config:
"@type": "type.googleapis.com/envoy.config.filter.network.http_connection_manager.v2.HttpConnectionManager"
http2_protocol_options:
initial_stream_window_size: 65536
initial_connection_window_size: 10485760 # 10 MB
您将在Istio文档中找到有关Envoy Filers的更多信息:https://istio.io/latest/docs/reference/config/networking/envoy-filter/
其他示例:https://github.com/istio/istio/wiki/EnvoyFilter-Samples
答案 2 :(得分:0)
Nginx入口注释等效项可以在Istio中使用Envoy Filter来实现。
更具体地说,使用HTTP Lua filter。
具有HTTP Lua过滤器的特使过滤器的示例:
apiVersion: networking.istio.io/v1alpha3
kind: EnvoyFilter
metadata:
name: reviews-lua
namespace: bookinfo
spec:
workloadSelector:
labels:
app: reviews
configPatches:
# The first patch adds the lua filter to the listener/http connection manager
- applyTo: HTTP_FILTER
match:
context: SIDECAR_INBOUND
listener:
portNumber: 8080
filterChain:
filter:
name: "envoy.http_connection_manager"
subFilter:
name: "envoy.router"
patch:
operation: INSERT_BEFORE
value: # lua filter specification
name: envoy.lua
config:
inlineCode: |
function envoy_on_request(request_handle)
-- Make an HTTP call to an upstream host with the following headers, body, and timeout.
local headers, body = request_handle:httpCall(
"lua_cluster",
{
[":method"] = "POST",
[":path"] = "/acl",
[":authority"] = "internal.org.net"
},
"authorize call",
5000)
end
# The second patch adds the cluster that is referenced by the lua code
# cds match is omitted as a new cluster is being added
- applyTo: CLUSTER
match:
context: SIDECAR_OUTBOUND
patch:
operation: ADD
value: # cluster specification
name: "lua_cluster"
type: STRICT_DNS
connect_timeout: 0.5s
lb_policy: ROUND_ROBIN
hosts:
- socket_address:
protocol: TCP
address: "internal.org.net"
port_value: 8888
例如:
nginx.ingress.kubernetes.io/proxy-body-size
可以通过size = buffer:length()
实现。
nginx.ingress.kubernetes.io/proxy-read-timeout
或
nginx.ingress.kubernetes.io/proxy-send-timeout
是自定义超时,可以通过httpCall(5000)
实现。
完整的方法列表可以在here中找到。
希望这会有所帮助。
更新:
重新读取nginx注释后,getBytes()
的{{1}}比nginx.ingress.kubernetes.io/proxy-buffer-size
更好。
getBytes()
buffer:getBytes(索引,长度)
从缓冲区获取字节。默认情况下,Envoy不会复制所有缓冲区 字节到Lua。这将导致缓冲区段被复制。 索引 是一个整数,并提供要复制的缓冲区起始索引。 长度 是一个整数,提供要复制的缓冲区长度。 索引 + length 必须小于缓冲区长度。
因此,buffer:lenght()
应该从类似于buffer:getBytes(0, 8000)
的缓冲区中加载8k字节。