Istio Ingress gateway
Gateway configuration essentials
- A Gateway describes a load balancer running at the edge of the mesh that receives inbound or outbound HTTP/TCP connections
- It mainly defines the ports to be exposed outside the mesh, the protocol to use on each port, SNI settings, and so on
- A Gateway is defined mainly through the following two key fields
  - selector: a Pod label selector that specifies which Ingress Gateway Pod instances this Gateway configuration is attached to
    - The label selector filters Pods among the one or more Ingress Gateway instances deployed for Istio
    - Only the Ingress Gateway instances matching the selector apply the configuration defined in this Gateway resource
  - servers: the list of exposed services, i.e. the service entry points, each defined with port, hosts, defaultEndpoint and tls;
    - port: the port on which the service is published externally, i.e. the port that receives requests;
    - hosts: the service addresses published by the Gateway, usually FQDN-style domain names; the * wildcard is supported;
    - defaultEndpoint: the default backend;
    - tls: TLS-related settings used when the service is published over HTTPS
- Tip: a Gateway resource only defines the entry points to expose; how traffic is routed once it has entered the mesh still has to be defined by a VirtualService resource;
Gateway
1. The hosts field does not accept non-FQDN strings, but the "*" wildcard may be used
2. The Gateway resource should be defined in the namespace in which the target ingressgateway Pod runs
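The rules above (FQDN or wildcard hosts, optionally qualified with a namespace; TLS material for HTTPS servers; a VirtualService that binds the Gateway by "namespace/name" before any traffic is routed) can be checked statically before a manifest is applied. The following Python script is an added example written for these notes, not code from the page or from the Istio project; the manifests it checks are Python dicts condensed from the page's two Gateway examples and the bookinfo-rule VirtualService, so it runs without a YAML library, and the finding texts, helper names and the `_port` helper are this example's own.

```python
"""Static checks for Istio Gateway hosts and VirtualService bindings.

Added example, not code from the page or from Istio. It encodes the notes'
rules: hosts are FQDNs or use the "*" wildcard (optionally "namespace/"
qualified), HTTPS servers need TLS material, and traffic only reaches a
workload once a VirtualService binds the Gateway by "namespace/name" and
names a host it exposes. Manifests are dicts, so no YAML library is needed.
"""
import re
from fnmatch import fnmatchcase

_LABEL = re.compile(r"^[a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?$", re.I)  # one DNS label


def split_host(entry):
    """(namespace, hostname) for a Gateway host entry: "ns/host" restricts the
    binding to VirtualServices in ns, "*/host" allows any namespace, "./host"
    means the Gateway's own namespace; a bare "host" is "*/host"."""
    if "/" in entry:
        ns, name = entry.split("/", 1)
        return ns or "*", name
    return "*", entry


def is_valid_host(name):
    """True for "*" or an FQDN whose only wildcard is the leftmost label;
    single-label names such as "localhost" are rejected, as the notes say."""
    if name == "*":
        return True
    if "." not in name:
        return False
    labels = name.split(".")
    if labels[0] == "*":
        labels = labels[1:]
    return all(_LABEL.match(lbl) for lbl in labels)


def lint_gateway(gw):
    """Return findings (strings) for one Gateway manifest; empty means clean."""
    findings = []
    spec = gw.get("spec", {})
    if not spec.get("selector"):
        findings.append("selector missing: no ingress gateway pod will load this Gateway")
    for srv in spec.get("servers", []):
        port = srv.get("port", {})
        pname, pnum = port.get("name", "?"), port.get("number")
        proto = port.get("protocol", "").upper()
        tls = srv.get("tls", {})
        for entry in srv.get("hosts", []):
            ns, name = split_host(entry)
            if not is_valid_host(name):
                findings.append(f"server {pname}: host {entry!r} is not an FQDN or wildcard")
            elif ns == "*" and name == "*":
                findings.append(f"server {pname}: exposes every host from every namespace on port {pnum}")
        if proto == "HTTPS" and not (tls.get("credentialName") or tls.get("serverCertificate")):
            findings.append(f"server {pname}: HTTPS without credentialName or serverCertificate")
        if proto == "HTTP" and not tls.get("httpsRedirect"):
            findings.append(f"server {pname}: plaintext HTTP on port {pnum} without httpsRedirect")
    return findings


def gateway_exposes(gw, vs_ns, host):
    """True if some server of gw exposes host to a VirtualService in vs_ns."""
    gw_ns = gw["metadata"].get("namespace", "default")
    for srv in gw["spec"].get("servers", []):
        for entry in srv.get("hosts", []):
            ns, pattern = split_host(entry)
            ns_ok = ns == "*" or ns == vs_ns or (ns == "." and gw_ns == vs_ns)
            if ns_ok and fnmatchcase(host, pattern):  # "*" acts as a suffix wildcard
                return True
    return False


def check_binding(vs, gw):
    """Findings for a VirtualService meant to route traffic arriving at gw."""
    vs_name, vs_ns = vs["metadata"]["name"], vs["metadata"].get("namespace", "default")
    gw_ref = f"{gw['metadata']['namespace']}/{gw['metadata']['name']}"
    # An unqualified gateway name resolves in the VirtualService's own namespace.
    refs = [r if "/" in r or r == "mesh" else f"{vs_ns}/{r}" for r in vs["spec"].get("gateways", [])]
    if gw_ref not in refs:
        return [f"{vs_name}: does not bind {gw_ref}; no gateway traffic is routed to it"]
    return [f"{vs_name}: host {h!r} is not exposed by {gw_ref}"
            for h in vs["spec"].get("hosts", []) if not gateway_exposes(gw, vs_ns, h)]


# Constructed samples, condensed from the page's two Gateway examples and bookinfo-rule.
def _port(number, name, protocol):
    return {"number": number, "name": name, "protocol": protocol}

MY_GATEWAY = {"metadata": {"name": "my-gateway", "namespace": "some-config-namespace"},
              "spec": {"selector": {"app": "my-gateway-controller"}, "servers": [
                  {"port": _port(80, "http", "HTTP"), "hosts": ["uk.bookinfo.com", "eu.bookinfo.com"],
                   "tls": {"httpsRedirect": True}},
                  {"port": _port(443, "https-443", "HTTPS"), "hosts": ["uk.bookinfo.com", "eu.bookinfo.com"],
                   "tls": {"mode": "SIMPLE", "credentialName": "bookinfo-secret"}},
                  {"port": _port(9443, "https-9443", "HTTPS"), "hosts": ["bookinfo-namespace/*.bookinfo.com"],
                   "tls": {"mode": "SIMPLE", "credentialName": "bookinfo-secret"}},
                  {"port": _port(9080, "http-wildcard", "HTTP"), "hosts": ["*"]}]}}
NS_GATEWAY = {"metadata": {"name": "my-gateway", "namespace": "some-config-namespace"},
              "spec": {"selector": {"app": "my-gateway-controller"}, "servers": [
                  {"port": _port(80, "http", "HTTP"), "hosts": ["ns1/*", "ns2/foo.bar.com"]}]}}
BOOKINFO_RULE = {"metadata": {"name": "bookinfo-rule", "namespace": "bookinfo-namespace"},
                 "spec": {"hosts": ["reviews.prod.svc.cluster.local", "uk.bookinfo.com"],
                          "gateways": ["some-config-namespace/my-gateway", "mesh"]}}
OTHER_VS = {"metadata": {"name": "other", "namespace": "ns2"},
            "spec": {"hosts": ["foo.bar.com", "api.example.com"],
                     "gateways": ["some-config-namespace/my-gateway"]}}

if __name__ == "__main__":
    for gw, vs in ((MY_GATEWAY, BOOKINFO_RULE), (NS_GATEWAY, OTHER_VS)):
        print("\n".join(lint_gateway(gw) + check_binding(vs, gw)))
```

Run against the page's first Gateway, the linter reports the `http-wildcard` server twice: it exposes every host from every namespace, and it serves plaintext HTTP with no httpsRedirect. Against the second Gateway, the namespace qualifiers do their work: a VirtualService in ns2 may claim foo.bar.com but not api.example.com, because `ns1/*` only admits VirtualServices in ns1.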
Gateway configuration examples
Example 1
apiVersion: networking.istio.io/v1beta1
kind: Gateway
metadata:
  name: my-gateway
  namespace: some-config-namespace
spec:
  selector:
    app: my-gateway-controller
  servers:
  - port:
      number: 80
      name: http
      protocol: HTTP
    hosts:
    - uk.bookinfo.com
    - eu.bookinfo.com
    tls:
      httpsRedirect: true # sends 301 redirect for http requests
  - port:
      number: 443
      name: https-443
      protocol: HTTPS
    hosts:
    - uk.bookinfo.com
    - eu.bookinfo.com
    tls:
      mode: SIMPLE # enables HTTPS on this port
      serverCertificate: /etc/certs/servercert.pem
      privateKey: /etc/certs/privatekey.pem
  - port:
      number: 9443
      name: https-9443
      protocol: HTTPS
    hosts:
    - "bookinfo-namespace/*.bookinfo.com"
    tls:
      mode: SIMPLE # enables HTTPS on this port
      credentialName: bookinfo-secret # fetches certs from Kubernetes secret
  - port:
      number: 9080
      name: http-wildcard
      protocol: HTTP
    hosts:
    - "*"
  - port:
      number: 2379 # to expose internal service via external port 2379
      name: mongo
      protocol: MONGO
    hosts:
    - "*"
---
apiVersion: networking.istio.io/v1beta1
kind: VirtualService
metadata:
  name: bookinfo-rule
  namespace: bookinfo-namespace
spec:
  hosts:
  - reviews.prod.svc.cluster.local
  - uk.bookinfo.com
  - eu.bookinfo.com
  gateways:
  - some-config-namespace/my-gateway
  - mesh # applies to all the sidecars in the mesh
  http:
  - match:
    - headers:
        cookie:
          exact: "user=dev-123"
    route:
    - destination:
        port:
          number: 7777
        host: reviews.qa.svc.cluster.local
  - match:
    - uri:
        prefix: /reviews/
    route:
    - destination:
        port:
          number: 9080 # can be omitted if it's the only port for reviews
        host: reviews.prod.svc.cluster.local
      weight: 80
    - destination:
        host: reviews.qa.svc.cluster.local
      weight: 20
---
apiVersion: networking.istio.io/v1beta1
kind: VirtualService
metadata:
  name: bookinfo-mongo
  namespace: bookinfo-namespace
spec:
  hosts:
  - mongosvr.prod.svc.cluster.local # name of internal Mongo service
  gateways:
  - some-config-namespace/my-gateway # can omit the namespace if gateway is in same namespace as virtual service.
  tcp:
  - match:
    - port: 27017
    route:
    - destination:
        host: mongo.prod.svc.cluster.local
        port:
          number: 5555
Example 2
apiVersion: networking.istio.io/v1beta1
kind: Gateway
metadata:
  name: my-gateway
  namespace: some-config-namespace
spec:
  selector:
    app: my-gateway-controller
  servers:
  - port:
      number: 80
      name: http
      protocol: HTTP
    hosts:
    - "ns1/*"
    - "ns2/foo.bar.com"
References
https://istio.io/latest/zh/docs/reference/config/networking/gateway/