Envoy learning notes
1. Basic concepts
xDS, CDS, EDS, LDS, SDS, ADS, RDS, HDS
2. Installation
3. Dynamic configuration from files
I have not yet found a good control plane, so to get dynamic updates of the CDS and LDS configuration I use file-based dynamic configuration instead.
admin:
  access_log_path: /home/logs/envoy/admin.access.log
  address:
    socket_address: { address: 0.0.0.0, port_value: 9001 }
node:
  cluster: test-cluster
  id: test-id
dynamic_resources:
  cds_config:
    path: /home/envoy/cds.yaml   # clusters are read from this file
  lds_config:
    path: /home/envoy/lds.yaml   # listeners are read from this file
The bootstrap above defines where the dynamic resources live: cds_config points to the CDS file and lds_config points to the LDS file.
After changing one of these files, Envoy can be hot-updated with mv, for example mv cds.yaml cds.yaml1 followed by mv cds.yaml1 cds.yaml. Envoy also ships a hot restarter, but updating by mv is still the recommended way: the hot restarter reloads the entire configuration, so a single mistaken item makes the whole listener fail. With the mv hot update, Envoy refuses to apply a file that contains an invalid item, which guarantees that a bad configuration cannot take the listener down.
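One way to script the mv-style update described above and confirm that Envoy accepted the file, as an added example that is not part of the original notes. It stages a copy next to the live file and renames it into place (a single rename, equivalent to the two-step mv), then compares Envoy's own cds/lds update_rejected counters from the admin listener at localhost:9001 (the port from the bootstrap above); the config directory /home/envoy is taken from the bootstrap as well.

```shell
#!/bin/sh
# Added example (not from the original notes): replace a file-based xDS resource with one
# atomic rename and confirm from the admin stats that Envoy accepted it.
# Assumptions: admin listener on localhost:9001 and config dir /home/envoy (from the bootstrap).
ADMIN=${ADMIN:-localhost:9001}
CFG_DIR=${CFG_DIR:-/home/envoy}

# Map the xDS kind (cds|lds) to the counter Envoy increments when it rejects a file update.
rejected_stat() {
  case "$1" in
    cds) echo cluster_manager.cds.update_rejected ;;
    lds) echo listener_manager.lds.update_rejected ;;
    *) echo "unknown xDS kind: $1" >&2; return 2 ;;
  esac
}

# Read /stats text ("name: value" lines) on stdin; print the rejection counter for kind $1.
count_rejected() {
  key=$(rejected_stat "$1") || return 2
  awk -v k="$key" -F': ' '$1 == k { print $2; found = 1 } END { if (!found) print 0 }'
}

# hot_swap <cds|lds> <new-file>: stage the candidate beside the live file, rename it into place
# (Envoy's file watcher reacts to the rename, not to an in-place write), then compare the
# rejection counter before and after. A bad file leaves the old config serving; returns 1.
hot_swap() {
  kind=$1; new=$2; live="$CFG_DIR/$kind.yaml"
  before=$(curl -s "$ADMIN/stats" | count_rejected "$kind")
  cp "$new" "$live.tmp" && mv "$live.tmp" "$live"
  sleep 1
  after=$(curl -s "$ADMIN/stats" | count_rejected "$kind")
  if [ "$after" -gt "$before" ]; then
    echo "$kind update rejected by Envoy, previous config still active" >&2
    return 1
  fi
}

# Usage: sh hot_swap.sh cds /tmp/cds-candidate.yaml
if [ "$#" -eq 2 ]; then hot_swap "$1" "$2"; fi
```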
4. CDS
cds.yaml defines one or more Clusters.
resources:
# STATIC cluster: the upstream is a fixed IP address
- "@type": type.googleapis.com/envoy.config.cluster.v3.Cluster
  connect_timeout: 1s
  name: k8s.proxy
  type: STATIC
  http2_protocol_options: {}
  load_assignment:
    cluster_name: k8s.proxy
    endpoints:
    - lb_endpoints:
      - endpoint:
          address:
            socket_address:
              address: xxx.xxx.xxx.xxx
              port_value: 31080
- "@type": type.googleapis.com/envoy.config.cluster.v3.Cluster
  connect_timeout: 1s
  name: k8shttp1.proxy
  type: STATIC
  load_assignment:
    cluster_name: k8shttp1.proxy
    endpoints:
    - lb_endpoints:
      - endpoint:
          address:
            socket_address:
              address: xxx.xxx.xxx.xx
              port_value: 31080
# STATIC cluster with circuit breaking and gRPC health checking
- "@type": type.googleapis.com/envoy.config.cluster.v3.Cluster
  connect_timeout: 1s
  name: ActivityService
  type: STATIC
  circuit_breakers:
    thresholds:
    - priority: "DEFAULT"
      max_connections: 100000
      max_pending_requests: 100000
      max_requests: 100000
    - priority: "HIGH"
      max_connections: 100000
      max_pending_requests: 100000
      max_requests: 100000
  health_checks:        # repeated field: each health check is a list item
  - timeout: 1s
    interval: 2s
    unhealthy_threshold: 1
    healthy_threshold: 1
    grpc_health_check: {}
  http2_protocol_options: {}
  load_assignment:
    cluster_name: ActivityService
    endpoints:
    - lb_endpoints:
      - endpoint:
          address:
            socket_address:
              address: xxx.xxx.xxx.xxx
              port_value: 10099
# STRICT_DNS cluster: endpoints are resolved from the DNS name
- "@type": type.googleapis.com/envoy.config.cluster.v3.Cluster
  connect_timeout: 1s
  name: bigdata
  type: STRICT_DNS
  circuit_breakers:
    thresholds:
    - priority: "DEFAULT"
      max_connections: 100000
      max_pending_requests: 100000
      max_requests: 100000
    - priority: "HIGH"
      max_connections: 100000
      max_pending_requests: 100000
      max_requests: 100000
  health_checks:
  - timeout: 1s
    interval: 2s
    unhealthy_threshold: 1
    healthy_threshold: 1
    grpc_health_check: {}
  http2_protocol_options: {}
  load_assignment:
    cluster_name: bigdata
    endpoints:
    - lb_endpoints:
      - endpoint:
          address:
            socket_address:
              address: a.service.consul
              port_value: 10030
The configuration above defines two kinds of cluster: STATIC, where the upstream service is given as fixed IP addresses, and STRICT_DNS, where the concrete endpoints are resolved from a domain name.
Once Envoy is running, curl localhost:9001/clusters shows how many endpoints a given domain name resolved to.
The configuration also defines health checks and circuit breaking. curl localhost:9001/clusters | grep xxx shows whether an endpoint is healthy; Envoy does not forward traffic to unhealthy endpoints. Health checking only starts on the first access to a cluster: with no traffic, no health checks run.
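A small parser for the /clusters output the section above greps through, as an added example that is not part of the original notes. Each line of that endpoint has the form cluster::address::field::value, with health_flags reporting either healthy or failure flags such as /failed_active_hc; the cluster names and addresses in SAMPLE are constructed, and the admin port 9001 comes from the bootstrap.

```shell
#!/bin/sh
# Added example (not from the original notes): summarise endpoint health from the text form
# of the admin /clusters endpoint (lines of the form cluster::address::field::value).
# Assumption: admin listener on localhost:9001; SAMPLE below is constructed data.

# Print "cluster address health_flags" for each endpoint of cluster $1 (all clusters if $1 is empty).
# Envoy prints "healthy" or concatenated failure flags such as /failed_active_hc/failed_outlier_check.
endpoint_health() {
  awk -F'::' -v want="${1:-}" '
    $3 == "health_flags" && (want == "" || $1 == want) { print $1, $2, $4 }'
}

# Print one word for cluster $1: healthy (every endpoint passes), unhealthy (at least one
# endpoint carries a failure flag) or no-endpoints (e.g. a STRICT_DNS name that resolved to nothing).
cluster_status() {
  endpoint_health "$1" | awk '
    { n++; if ($3 != "healthy") bad++ }
    END {
      if (n == 0) print "no-endpoints"
      else if (bad > 0) print "unhealthy"
      else print "healthy"
    }'
}

# Constructed /clusters excerpt: one healthy and one failing ActivityService endpoint,
# a healthy k8s.proxy endpoint, and a bigdata cluster that has no resolved endpoints.
SAMPLE='ActivityService::10.0.0.1:10099::cx_active::0
ActivityService::10.0.0.1:10099::health_flags::healthy
ActivityService::10.0.0.2:10099::health_flags::/failed_active_hc
k8s.proxy::10.0.0.3:31080::health_flags::healthy
bigdata::added_via_api::true'

# Offline demonstration on the constructed sample.
printf '%s\n' "$SAMPLE" | endpoint_health
for c in ActivityService k8s.proxy bigdata; do
  echo "$c: $(printf '%s\n' "$SAMPLE" | cluster_status "$c")"
done
# Against a running Envoy: curl -s localhost:9001/clusters | cluster_status ActivityService
```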
5. LDS
lds.yaml defines one or more listeners.
resources:
# HTTPS listener on 443
- "@type": type.googleapis.com/envoy.config.listener.v3.Listener
  name: k8shttps.proxy
  address:
    socket_address:
      address: 0.0.0.0
      port_value: 443
  filter_chains:
  - transport_socket:
      name: "a.com"
      typed_config:
        "@type": type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.DownstreamTlsContext
        common_tls_context:
          tls_certificates:    # repeated field: each certificate is a list item
          - certificate_chain:
              filename: /home/envoy/x.com-crt.pem
            private_key:
              filename: /home/envoy/x.com-key.pem
    filters:
    - name: envoy.filters.network.http_connection_manager
      typed_config:
        "@type": type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager
        stat_prefix: ingress_http
        access_log:
        - name: envoy.access_loggers.file
          typed_config:
            "@type": type.googleapis.com/envoy.extensions.access_loggers.file.v3.FileAccessLog
            path: /home/logs/envoy/k8s.https.access.log
        http_filters:
        - name: envoy.filters.http.router
        route_config:
          name: local_route
          virtual_hosts:
          # pre-release virtual host: every request for a.com goes to the pre-release clusters
          - name: local_service
            domains:
            - a.com
            - a.com:*
            routes:
            - match:
                prefix: "/com.activity.server"
              route:
                cluster: ActivityService
            - match:
                prefix: "/AppGL"
              route:
                cluster: k8sqahttp1.proxy
                upgrade_configs:
                - upgrade_type: "websocket"
                  enabled: true
            - match:
                prefix: "/"
              route:
                cluster: abc
                timeout: 1200s
          # catch-all virtual host
          - name: local_service
            domains: ["*"]
            routes:
            # HEAD / (health probe) is answered directly without an upstream
            - match:
                prefix: "/"
                headers:
                - name: ":method"
                  exact_match: "HEAD"
              direct_response:
                status: 200
                body:
                  inline_string: "heihei"
            # header-based routing: same prefix, cluster chosen by the value of header abc
            - match:
                prefix: "/abc."
                case_sensitive: false
                headers:            # repeated field: each header matcher is a list item
                - name: abc
                  exact_match: abc1
              route:
                cluster: abc1
            - match:
                prefix: "/abc."
                case_sensitive: false
                headers:
                - name: abc
                  exact_match: abc2
              route:
                cluster: abc2
            # host rewrite
            - match:
                prefix: "/hostrewrite"
                case_sensitive: false
              route:
                cluster: pcwang
                host_rewrite_literal: wangpengchong.com
            # WebSocket upgrade
            - match:
                prefix: "/AppGL"
              route:
                cluster: k8shttp1.proxy
                upgrade_configs:
                - upgrade_type: "websocket"
                  enabled: true
            - match:
                prefix: "/"
              route:
                cluster: k8s.proxy
                timeout: 1200s
# plain HTTP listener on 80
- "@type": type.googleapis.com/envoy.config.listener.v3.Listener
  name: k8s.proxy
  address:
    socket_address:
      address: 0.0.0.0
      port_value: 80
  filter_chains:
  - filters:
    - name: envoy.filters.network.http_connection_manager
      typed_config:
        "@type": type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager
        stat_prefix: ingress_http
        access_log:
        - name: envoy.access_loggers.file
          typed_config:
            "@type": type.googleapis.com/envoy.extensions.access_loggers.file.v3.FileAccessLog
            path: /home/logs/envoy/k8s.access.log
        http_filters:
        - name: envoy.filters.http.router
        route_config:
          name: local_route
          virtual_hosts:
          - name: local_service
            domains:
            - b.com
            - b.com:*
            routes:
            - match:
                prefix: "/AppGL"
              route:
                cluster: k8sqahttp1.proxy
                upgrade_configs:
                - upgrade_type: "websocket"
                  enabled: true
            - match:
                prefix: "/"
              route:
                cluster: k8sqa.proxy
                timeout: 1200s
          - name: local_service
            domains: ["*"]
            routes:
            - match:
                prefix: "/"
                headers:
                - name: ":method"
                  exact_match: "HEAD"
              direct_response:
                status: 200
                body:
                  inline_string: "heihei"
            - match:
                prefix: "/"
              route:
                cluster: k8s.proxy
                timeout: 1200s
The configuration above defines two listeners, on 443 and 80; the 443 listener has an HTTPS certificate configured and serves HTTPS.
It also defines a pre-release mechanism: all requests for a specific domain name are forwarded to the pre-release Cluster. The same mechanism can serve other purposes; adapt it to your situation.
More complex traffic routing is also configured, forwarding traffic to different Clusters according to values in the request headers.
A WebSocket upgrade mechanism is configured as well, allowing HTTP/1.1 to be upgraded to WebSocket; this requires the client to send a correct upgrade request.
Host rewriting, timeouts, and a fixed response for particular requests (health checks) are also configured; refer to them as needed.
6. TCP listener
- "@type": type.googleapis.com/envoy.config.listener.v3.Listener
  name: AlertService
  address:
    socket_address:
      address: 0.0.0.0
      port_value: 20010
  filter_chains:
  - filters:             # repeated field: each network filter is a list item
    - name: envoy.filters.network.tcp
      typed_config:      # the "@type" selects the TCP proxy filter
        "@type": type.googleapis.com/envoy.extensions.filters.network.tcp_proxy.v3.TcpProxy
        stat_prefix: ingress_tcp
        max_connect_attempts: 5
        cluster: AlertService
7. JWK authentication and authorization
- "@type": type.googleapis.com/envoy.config.listener.v3.Listener
  name: k8s.proxy
  address:
    socket_address:
      address: 0.0.0.0
      port_value: 10021
  filter_chains:
  - filters:
    - name: envoy.filters.network.http_connection_manager
      typed_config:
        "@type": type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager
        stat_prefix: ingress_http
        access_log:
        - name: envoy.access_loggers.file
          typed_config:
            "@type": type.googleapis.com/envoy.extensions.access_loggers.file.v3.FileAccessLog
            path: /home/logs/envoy/beta.grpc.access.log
        http_filters:
        - name: envoy.filters.http.jwt_authn
          typed_config:
            "@type": type.googleapis.com/envoy.extensions.filters.http.jwt_authn.v3.JwtAuthentication
            providers:
              identityserver:
                issuer: http://xxxx      # must equal the token's iss claim
                audiences:               # the token's aud claim must contain one of these
                - grpc1
                remote_jwks:
                  http_uri:
                    uri: http://xxxx/.well-known/openid-configuration/jwks
                    cluster: identityserver   # a cluster for the JWKS server must exist in cds.yaml
                    timeout: 5s
                  cache_duration: 600s        # a field of remote_jwks, not of http_uri
                  # the JWKS is the trust root for every token; serve it over TLS in production
            rules:
            - match:
                prefix: /
              requires:
                provider_name: identityserver
        - name: envoy.filters.http.router   # the HTTP filter chain must end with the router
        # route_config / rds is omitted in this excerpt; add one as in section 5
This is a fairly simple configuration; for more complex ones, see the official documentation:
https://www.envoyproxy.io/docs/envoy/v1.18.3/api-v3/extensions/filters/http/jwt_authn/v3/config.proto#extension-envoy-filters-http-jwt-authn
8. Monitoring
Collect the metrics with Prometheus and display them in Grafana.