我有一些本地集群,一些后端服务在 http 中运行,一些在 https 中运行。 目前还没有配置 istio side car。
使用 http 后端流量调用正在工作.. 但是使用 https 后端时出现 503 错误。 网关:
apiVersion: networking.istio.io/v1beta1
kind: Gateway
metadata:
name: istio-gateway
namespace: istio-system
spec:
selector:
istio: ingressgateway
servers:
- hosts:
- '*'
port:
name: https
number: 8443
protocol: HTTPS
tls:
mode: SIMPLE
privateKey: /etc/istio/ingressgateway-certs/tls.key
serverCertificate: /etc/istio/ingressgateway-certs/tls.crt
- hosts:
- '*'
port:
name: http
number: 80
protocol: HTTP
虚拟服务:
apiVersion: networking.istio.io/v1beta1
kind: VirtualService
metadata:
name: metalk8s-ui-proxies-https
namespace: metalk8s-ui
spec:
gateways:
- istio-system/istio-gateway
hosts:
- '*'
http:
- match:
- uri:
prefix: /api/kubernetes/
route:
- destination:
host: kubernetes-api-ds
port:
number: 443
weight: 100
- match:
- uri:
prefix: /api/salt/
route:
- destination:
host: salt-api
port:
number: 4507
weight: 100
目的地规则:
apiVersion: networking.istio.io/v1beta1
kind: DestinationRule
metadata:
name: kubernetes-api-ds
namespace: metalk8s-ui
spec:
host: kubernetes-api
trafficPolicy:
portLevelSettings:
- loadBalancer:
simple: ROUND_ROBIN
port:
number: 443
tls:
caCertificates: /etc/istio/ingressgateway-certs/tls.crt
mode: SIMPLE
privateKey: /etc/istio/ingressgateway-certs/tls.key
没有配置目标规则,它给出了 400 错误(客户端向 https 服务器发送了 http 请求)。
基本上后端服务与 nginx ingress 一起工作.. 我们正在尝试用 istio 替换 nginx.. 对于这个特定的 uri 路径,nginx 入口是:
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
annotations:
kubernetes.io/ingress.class: nginx-control-plane
nginx.ingress.kubernetes.io/backend-protocol: HTTPS
nginx.ingress.kubernetes.io/rewrite-target: /$2
nginx.ingress.kubernetes.io/use-regex: "true"
labels:
app: metalk8s-ui
app.kubernetes.io/managed-by: salt
app.kubernetes.io/name: metalk8s-ui
app.kubernetes.io/part-of: metalk8s
heritage: salt
metalk8s.scality.com/version: 2.6.0-dev
name: metalk8s-ui-proxies-https
namespace: metalk8s-ui
spec:
rules:
- http:
paths:
- backend:
serviceName: kubernetes-api
servicePort: 443
path: /api/kubernetes(/|$)(.*)
- backend:
serviceName: salt-api
servicePort: 4507
path: /api/salt(/|$)(.*)
status:
loadBalancer:
ingress:
- ip: 10.105.58.133
nginx.ingress.kubernetes.io/backend-protocol: HTTPS --> 这是定义后端协议的注解..
有人可以帮忙吗,如何在 istio 中实现相同的..