Equivalents of the Nginx Ingress annotations on the Istio Ingress Gateway

Posted: 2019-11-27 12:51:15

Tags: kubernetes istio nginx-ingress

I am currently migrating our IT environment from the Nginx Ingress Gateway to the Istio Ingress Gateway on Kubernetes.

I need to migrate the following Nginx annotations:

nginx.ingress.kubernetes.io/proxy-buffer-size
nginx.ingress.kubernetes.io/proxy-read-timeout
nginx.ingress.kubernetes.io/proxy-send-timeout
nginx.ingress.kubernetes.io/proxy-body-size
nginx.ingress.kubernetes.io/upstream-vhost

For Nginx, the annotations are documented here: https://kubernetes.github.io/ingress-nginx/user-guide/nginx-configuration/annotations/

I could not find how the Istio Ingress Gateway handles these in Istio's documentation of the Nginx annotations.

Does anyone know how to implement the annotations above in the Istio Ingress Gateway?

Thanks.

Best regards, rforberger

3 answers:

Answer 0 (score: 2)

I think I found a way to set nginx.ingress.kubernetes.io/proxy-body-size in Istio.

apiVersion: networking.istio.io/v1alpha3
kind: EnvoyFilter
metadata:
  name: reviews-lua
  namespace: bookinfo
spec:
  workloadSelector:
    labels:
      app: reviews
  configPatches:
    # The first patch adds the lua filter to the listener/http connection manager
  - applyTo: HTTP_FILTER
    match:
      context: SIDECAR_INBOUND
      listener:
        portNumber: 8080
        filterChain:
          filter:
            name: "envoy.http_connection_manager"
            subFilter:
              name: "envoy.router"
    patch:
      operation: INSERT_BEFORE
      value: # lua filter specification
       name: envoy.lua
       config:
         inlineCode: |
           function envoy_on_request(request_handle)
             request_handle:headers():add("request_body_size", request_handle:body():length())
           end

And the TLS ciphers:

apiVersion: networking.istio.io/v1alpha3
kind: Gateway
metadata:
  name: my-tls-ingress
spec:
  selector:
    app: my-tls-ingress-gateway
  servers:
  - port:
      number: 443
      name: https
      protocol: HTTPS
    hosts:
    - "*"
    tls:
      mode: SIMPLE
      serverCertificate: /etc/certs/server.pem
      privateKey: /etc/certs/privatekey.pem
      cipherSuites: "<tls-ciphers>"

Answer 1 (score: 1)

If you receive a 413 Entity Too Large as the response, the main problem in this case is that one of the Envoy filters in the chain has buffering.

You can find a discussion of the topic here: https://github.com/envoyproxy/envoy/issues/2919

The initial value of that buffer on Envoy is set by the following properties:

  http2_protocol_options:
    initial_stream_window_size: 65536 # 64 KiB
    initial_connection_window_size: 1048576 # 1 MiB

Source: https://www.bookstack.cn/read/envoyproxy-1.13/9a624d80e56eceef.md

You can override that buffer for a given workload (or globally), but you must keep in mind that if you increase it too much, there is a risk of an out-of-memory attack.

Example filter for reconfiguring it:

apiVersion: networking.istio.io/v1alpha3
kind: EnvoyFilter
metadata:
  name: my-service
spec:
  workloadSelector:
    labels:
      app: my-service
  configPatches:
    - applyTo: NETWORK_FILTER
      match:
        listener:
          filterChain:
            filter:
              name: "envoy.http_connection_manager"
      patch:
        operation: MERGE
        value:
          typed_config:
            "@type": "type.googleapis.com/envoy.config.filter.network.http_connection_manager.v2.HttpConnectionManager"
            http2_protocol_options:
              initial_stream_window_size: 65536
              initial_connection_window_size: 10485760 # 10 MB

You will find more about Envoy Filters in the Istio documentation: https://istio.io/latest/docs/reference/config/networking/envoy-filter/

Other examples: https://github.com/istio/istio/wiki/EnvoyFilter-Samples

Answer 2 (score: 0)

The Nginx ingress annotation equivalents can be implemented in Istio using an Envoy Filter.

More specifically, using the HTTP Lua filter.

An example of an Envoy Filter with an HTTP Lua filter:

apiVersion: networking.istio.io/v1alpha3
kind: EnvoyFilter
metadata:
  name: reviews-lua
  namespace: bookinfo
spec:
  workloadSelector:
    labels:
      app: reviews
  configPatches:
    # The first patch adds the lua filter to the listener/http connection manager
  - applyTo: HTTP_FILTER
    match:
      context: SIDECAR_INBOUND
      listener:
        portNumber: 8080
        filterChain:
          filter:
            name: "envoy.http_connection_manager"
            subFilter:
              name: "envoy.router"
    patch:
      operation: INSERT_BEFORE
      value: # lua filter specification
       name: envoy.lua
       config:
         inlineCode: |
           function envoy_on_request(request_handle)
             -- Make an HTTP call to an upstream host with the following headers, body, and timeout.
             local headers, body = request_handle:httpCall(
              "lua_cluster",
              {
               [":method"] = "POST",
               [":path"] = "/acl",
               [":authority"] = "internal.org.net"
              },
             "authorize call",
             5000)
           end
  # The second patch adds the cluster that is referenced by the lua code
  # cds match is omitted as a new cluster is being added
  - applyTo: CLUSTER
    match:
      context: SIDECAR_OUTBOUND
    patch:
      operation: ADD
      value: # cluster specification
        name: "lua_cluster"
        type: STRICT_DNS
        connect_timeout: 0.5s
        lb_policy: ROUND_ROBIN
        hosts:
        - socket_address:
            protocol: TCP
            address: "internal.org.net"
            port_value: 8888

For example:

nginx.ingress.kubernetes.io/proxy-body-size can be implemented with size = buffer:length().

nginx.ingress.kubernetes.io/proxy-read-timeout and nginx.ingress.kubernetes.io/proxy-send-timeout are custom timeouts and can be implemented with httpCall(5000).

The full list of methods can be found here.

Hope this helps.


Update:

After re-reading the nginx annotations, getBytes() on the buffer is a better match for nginx.ingress.kubernetes.io/proxy-buffer-size.

getBytes()

buffer:getBytes(index, length)

Gets bytes from the buffer. By default, Envoy does not copy all buffer bytes to Lua. This will cause a buffer segment to be copied. index is an integer and supplies the buffer index to start copying. length is an integer and supplies the buffer length to copy. index + length must be less than the buffer length.

So buffer:length() should load 8k bytes from the buffer in a way similar to buffer:getBytes(0, 8000).
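An added example, not from the question or any of the answers: the body-size check the answers sketch for a sidecar, written as an EnvoyFilter that targets the Istio ingress gateway (the question's actual migration target) and rejects oversized request bodies with a 413, which is what nginx does for proxy-body-size. The gateway label and namespace, the filter name and the 8 MiB limit are assumptions.

```yaml
# Added example, not from the page: body-size cap on the ingress gateway itself.
# Assumed: gateway pods carry istio=ingressgateway in istio-system; 8 MiB limit.
apiVersion: networking.istio.io/v1alpha3
kind: EnvoyFilter
metadata:
  name: ingress-body-size-limit
  namespace: istio-system
spec:
  workloadSelector:
    labels:
      istio: ingressgateway
  configPatches:
  - applyTo: HTTP_FILTER
    match:
      context: GATEWAY
      listener:
        filterChain:
          filter:
            name: "envoy.http_connection_manager"
            subFilter:
              name: "envoy.router"
    patch:
      operation: INSERT_BEFORE
      value:
        name: envoy.lua
        config:
          inlineCode: |
            function envoy_on_request(request_handle)
              -- body() buffers the whole request first, so keep the cap well
              -- below the memory the gateway can spend per connection.
              local limit = 8 * 1024 * 1024  -- assumed; like proxy-body-size: 8m
              local body = request_handle:body()
              if body ~= nil and body:length() > limit then
                -- Stop filter iteration and answer the client directly.
                request_handle:respond(
                  { [":status"] = "413", ["content-type"] = "text/plain" },
                  "request body too large\n")
              end
            end
```

Because body() makes Envoy buffer the entire request before the Lua check runs, this caps the body but does not remove the buffering cost Answer 1 warns about. For proxy-read-timeout and proxy-send-timeout, the timeout field of an Istio VirtualService HTTP route is the native equivalent and needs no Lua.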