istio Egress Gateway 统一流量出口

1、下载istioctl

https://github.com/istio/istio/releases/download/1.9.0/istioctl-1.9.0-linux-amd64.tar.gz

2、安装istio

istioctl install --set profile=demo --set values.global.hub=192.168.2.88:5000/istio -y

3、注入sdicar到名称空间

kubectl label namespace default istio-injection=enabled

4、部署测试程序test.yaml

apiVersion: apps/v1
kind: Deployment
metadata:
  name: greenhouse
  labels:
    app: greenhouse
spec:
  spec:
  replicas: 2
  selector:
    matchLabels:
      app: greenhouse
  template:
    metadata:
      labels:
        app: greenhouse
    spec:
      containers:
      - name: maven
        image: ibmcom/curl:3.6
        args:
        - /bin/sh
        - -c
        - sleep 300000

5、查看注入是否成功(如果pod中有两个容器就绪,代表注入成功)

kubectl get pods

    greenhouse-6c79488485-zjkzw 2/2 Running 0 141m

6、egress gateway需要对外服务为域名,我这里再coreDns加入记录(应该还要其他实现方式)

  思路:

  • 将外部的服务封装成一个 ServiceEntry
  • 创建一个 Gateway,绑定 engress
  • 创建一个 VirtualService,将网格内对外部服务请求的转发到 engress
  • engress 将收到的请求转发到 ServiceEntry
kubectl edit configmap coredns -n kube-system

  添加hosts字段

  

7、定义 Egress gateway 并引导 HTTP 流量

  首先创建一个 ServiceEntry,允许流量直接访问一个外部服务,为 test.com 定义一个 ServiceEntry

kubectl apply -f ServiceEntry.yaml

apiVersion: networking.istio.io/v1alpha3
kind: ServiceEntry
metadata:
  name: cnn
spec:
  hosts:
  - test.com
  ports:
  - number: 8080
    name: http-port
    protocol: HTTP
  - number: 443
    name: https
    protocol: HTTPS
  - number: 80
    name: http-port1
    protocol: HTTP
  - number: 8088
    name: http-port2
    protocol: HTTP
  resolution: DNS

   为 test.com 端口 80 创建 egress Gateway。并为指向 egress gateway 的流量创建一个 destination rule。

kubectl apply -f gateway.yaml

apiVersion: networking.istio.io/v1alpha3
kind: Gateway
metadata:
  name: istio-egressgateway
spec:
  selector:
    istio: egressgateway
  servers:
  - port:
      number: 8080
      name: http
      protocol: HTTP
    hosts:
    - test.com
  - port:
      number: 80
      name: http1
      protocol: HTTP
    hosts:
    - test.com
  - port:
      number: 8088
      name: http2
      protocol: HTTP
    hosts:
    - test.com
---
apiVersion: networking.istio.io/v1alpha3
kind: DestinationRule
metadata:
  name: egressgateway-for-cnn
spec:
  host: istio-egressgateway.istio-system.svc.cluster.local
  subsets:
  - name: cnn

  定义一个 VirtualService,将流量从 sidecar 引导至 egress gateway,再从 egress gateway 引导至外部服务

kubectl apply -f vs.yaml

apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
  name: direct-cnn-through-egress-gateway1
spec:
  hosts:
  - test.com
  gateways:
  - istio-egressgateway
  - mesh
  http:
  - match:
    - gateways:
      - mesh
      port: 80
    route:
    - destination:
        host: istio-egressgateway.istio-system.svc.cluster.local
        subset: cnn
        port:
          number: 80
      weight: 100
  - match:
    - gateways:
      - istio-egressgateway
      port: 80
    route:
    - destination:
        host: test.com
        port:
          number: 80
      weight: 100

  测试是否配置成功

    在测试容器中像外部程序发起访问

 kubectl  exec -it greenhouse-6c79488485-zjkzw sh
   curl -i http://test.com

  查看egress容器日志,发现有访问日志

kubectl  logs istio-egressgateway-56f74c7d66-ngm8j   -n istio-system  -f

 

   至此 egress gateway配置完成,还有不少疑问有待找寻答案。

   来日再叙。。。。。。。。。。

  

posted on 2022-01-19 18:22  改变就是好事  阅读(452)  评论(0编辑  收藏  举报

导航