
Understanding the istio-ingressgateway controller and the Gateway resource in one article

The previous article covered the nginx-ingress controller; this one takes a brief look at istio-ingressgateway.
Link: juejin.im/post/5d9824…

If you can follow the diagram above, you hardly need to read on.

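Before Istio 0.8, the service entry point was described with the Ingress resource covered in the previous article. Because of Ingress's layer-7 limitation, the v1alpha3 traffic rules introduced the Gateway resource object, which defines only the entry point. So how does this differ from nginx-ingress?
It mainly does two things:

  • It adds the Gateway resource. What is it? It is also managed through a YAML manifest. nginx-ingress exposes only two ports, 80 and 443; istio-ingressgateway can now expose multiple ports through Gateways. A port configured in a Gateway is a port exposed by the istio-ingressgateway pod, that is, the targetPort of the corresponding Service.
  • It replaces nginx with Envoy.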

1. The istio-ingressgateway Deployment and Service from the official demo

deployment
apiVersion: apps/v1
kind: Deployment
metadata:
  name: istio-ingressgateway
  namespace: istio-system
  labels:
    chart: gateways
    heritage: Tiller
    release: istio
    app: istio-ingressgateway
    istio: ingressgateway
spec:
  replicas: 1
  selector:
    matchLabels:
      app: istio-ingressgateway
      istio: ingressgateway
  strategy:
    rollingUpdate:
      maxSurge: 100%
      maxUnavailable: 25%
  template:
    metadata:
      labels:
        chart: gateways
        heritage: Tiller
        release: istio
        app: istio-ingressgateway
        istio: ingressgateway
      annotations:
        sidecar.istio.io/inject: "false"
    spec:
      serviceAccountName: istio-ingressgateway-service-account
      containers:
        - name: istio-proxy
          image: "docker.io/istio/proxyv2:1.3.0"
          imagePullPolicy: IfNotPresent
          ports:
            - containerPort: 15020
            - containerPort: 80
            - containerPort: 443
            - containerPort: 31400
            - containerPort: 15029
            - containerPort: 15030
            - containerPort: 15031
            - containerPort: 15032
            - containerPort: 15443
            - containerPort: 15090
              protocol: TCP
              name: http-envoy-prom
          args:
          - proxy
          - router
          - --domain
          - $(POD_NAMESPACE).svc.cluster.local
          - --log_output_level=default:info
          - --drainDuration
          - '45s' #drainDuration
          - --parentShutdownDuration
          - '1m0s' #parentShutdownDuration
          - --connectTimeout
          - '10s' #connectTimeout
          - --serviceCluster
          - istio-ingressgateway
          - --zipkinAddress
          - zipkin:9411
          - --proxyAdminPort
          - "15000"
          - --statusPort
          - "15020"
          - --controlPlaneAuthPolicy
          - NONE
          - --discoveryAddress
          - istio-pilot:15010
          readinessProbe:
            failureThreshold: 30
            httpGet:
              path: /healthz/ready
              port: 15020
              scheme: HTTP
            initialDelaySeconds: 1
            periodSeconds: 2
            successThreshold: 1
            timeoutSeconds: 1
          resources:
            limits:
              cpu: 2000m
              memory: 1024Mi
            requests:
              cpu: 10m
              memory: 40Mi
            
          env:
          - name: NODE_NAME
            valueFrom:
              fieldRef:
                apiVersion: v1
                fieldPath: spec.nodeName
          - name: POD_NAME
            valueFrom:
              fieldRef:
                apiVersion: v1
                fieldPath: metadata.name
          - name: POD_NAMESPACE
            valueFrom:
              fieldRef:
                apiVersion: v1
                fieldPath: metadata.namespace
          - name: INSTANCE_IP
            valueFrom:
              fieldRef:
                apiVersion: v1
                fieldPath: status.podIP
          - name: HOST_IP
            valueFrom:
              fieldRef:
                apiVersion: v1
                fieldPath: status.hostIP
          - name: SERVICE_ACCOUNT
            valueFrom:
              fieldRef:
                fieldPath: spec.serviceAccountName
          - name: ISTIO_META_POD_NAME
            valueFrom:
              fieldRef:
                apiVersion: v1
                fieldPath: metadata.name
          - name: ISTIO_META_CONFIG_NAMESPACE
            valueFrom:
              fieldRef:
                fieldPath: metadata.namespace
          - name: SDS_ENABLED
            value: "false"
          - name: ISTIO_META_WORKLOAD_NAME
            value: istio-ingressgateway
          - name: ISTIO_META_OWNER
            value: kubernetes://api/apps/v1/namespaces/istio-system/deployments/istio-ingressgateway
          - name: ISTIO_META_ROUTER_MODE
            value: sni-dnat
          volumeMounts:
          - name: istio-certs
            mountPath: /etc/certs
            readOnly: true
          - name: ingressgateway-certs
            mountPath: "/etc/istio/ingressgateway-certs"
            readOnly: true
          - name: ingressgateway-ca-certs
            mountPath: "/etc/istio/ingressgateway-ca-certs"
            readOnly: true
      volumes:
      - name: istio-certs
        secret:
          secretName: istio.istio-ingressgateway-service-account
          optional: true
      - name: ingressgateway-certs
        secret:
          secretName: "istio-ingressgateway-certs"
          optional: true
      - name: ingressgateway-ca-certs
        secret:
          secretName: "istio-ingressgateway-ca-certs"
          optional: true
      affinity:      
        nodeAffinity:
          requiredDuringSchedulingIgnoredDuringExecution:
            nodeSelectorTerms:
            - matchExpressions:
              - key: beta.kubernetes.io/arch
                operator: In
                values:
                - "amd64"
                - "ppc64le"
                - "s390x"
          preferredDuringSchedulingIgnoredDuringExecution:
          - weight: 2
            preference:
              matchExpressions:
              - key: beta.kubernetes.io/arch
                operator: In
                values:
                - "amd64"
          - weight: 2
            preference:
              matchExpressions:
              - key: beta.kubernetes.io/arch
                operator: In
                values:
                - "ppc64le"
          - weight: 2
            preference:
              matchExpressions:
              - key: beta.kubernetes.io/arch
                operator: In
                values:
                - "s390x"    
service
apiVersion: v1
kind: Service
metadata:
  name: istio-ingressgateway
  namespace: istio-system
  annotations:
  labels:
    chart: gateways
    heritage: Tiller
    release: istio
    app: istio-ingressgateway
    istio: ingressgateway
spec:
  type: LoadBalancer
  selector:
    release: istio
    app: istio-ingressgateway
    istio: ingressgateway
  ports:
    -
      name: status-port
      port: 15020
      targetPort: 15020
    -
      name: http2
      nodePort: 31380
      port: 80
      targetPort: 80 # the official manifest already maps port 80 for us
    -
      name: https
      nodePort: 31390
      port: 443
    -
      name: tcp
      nodePort: 31400
      port: 31400
    -
      name: https-kiali
      port: 15029
      targetPort: 15029
    -
      name: https-prometheus
      port: 15030
      targetPort: 15030
    -
      name: https-grafana
      port: 15031
      targetPort: 15031
    -
      name: https-tracing
      port: 15032
      targetPort: 15032
    -
      name: tls
      port: 15443
      targetPort: 15443

2. Custom Service

First apply the Gateway, VirtualService and DestinationRule:
apiVersion: networking.istio.io/v1alpha3
kind: Gateway
metadata:
  name: dk-shop
  namespace: dk-shop
spec:
  selector:
    istio: ingressgateway
  servers:
  - port:
      number: 80 # like the port 80 that nginx listens on: this is the port exposed by the istio-ingressgateway pod and corresponds to the Service's targetPort; see the Service below
      name: http
      protocol: HTTP
    hosts:
    - "*"
    - user.thanhoo.com
--- 
apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
  name: user
  namespace: dk-shop
spec:
  hosts:
  - "user.thanhoo.com"
  gateways:
  - dk-shop
  http:
  - route:
    - destination:
        host: user
        port:
          number: 80
        subset: v1
---
apiVersion: networking.istio.io/v1alpha3
kind: DestinationRule
metadata:
  name: user
  namespace: dk-shop
spec:
  host: user
  trafficPolicy:
   loadBalancer:
     simple: RANDOM
  subsets:
  - name: v1
    labels:
      version: v1.0
  - name: v2
    labels:
      version: v2.0
Custom Service
apiVersion: v1
kind: Service
metadata:
  name: dk-shop-gateway
  namespace: istio-system # note the namespace
  annotations:
  labels:
    app: dk-shop-gateway
spec:
  type: NodePort
  selector:
    app: istio-ingressgateway
  ports:
    - name: http2
      nodePort: 30001 # effectively the same as the official Service apart from the port; the labels are simplified
      port: 80
      targetPort: 80
Request through the official Service:
curl -HHost:user.thanhoo.com http://127.0.0.1:31380
HTTP/1.1 200 OK
content-type: application/json; charset=utf-8
server: istio-envoy
content-length: 5
x-envoy-upstream-service-time: 0
date: Sat, 05 Oct 2019 11:45:34 GMT
Request through the custom Service:
curl -i -HHost:user.thanhoo.com http://127.0.0.1:30001
HTTP/1.1 200 OK
content-type: application/json; charset=utf-8
server: istio-envoy
content-length: 5
x-envoy-upstream-service-time: 0
date: Sat, 05 Oct 2019 11:46:30 GMT
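
The Gateway port / pod port / Service targetPort relationship described above can be checked mechanically. The following is an added example, not code from the original article or from Istio: it takes trimmed, hand-copied dicts of the page's manifests and reports, for every Service port that reaches the gateway pod, whether a Gateway opens a listener there and whether that listener accepts any Host. The function names and status strings are assumptions made for illustration.

```python
# Added example. Dicts are trimmed, hand-copied versions of the page's manifests.
POD_LABELS = {"app": "istio-ingressgateway", "istio": "ingressgateway", "release": "istio"}
SERVICES = [
    {"name": "istio-ingressgateway",
     "selector": {"release": "istio", "app": "istio-ingressgateway", "istio": "ingressgateway"},
     "ports": [{"nodePort": 31380, "port": 80, "targetPort": 80},
               {"nodePort": 31390, "port": 443},        # no targetPort on the page
               {"nodePort": 31400, "port": 31400}]},
    {"name": "dk-shop-gateway", "selector": {"app": "istio-ingressgateway"},
     "ports": [{"nodePort": 30001, "port": 80, "targetPort": 80}]},
]
GATEWAYS = [
    {"name": "dk-shop", "selector": {"istio": "ingressgateway"},
     "servers": [{"port": 80, "hosts": ["*", "user.thanhoo.com"]}]},
]

def selects(selector, labels):
    """Kubernetes equality selector: every key/value must be present on the pod."""
    return all(labels.get(k) == v for k, v in selector.items())

def listeners(pod_labels, gateways):
    """Pod port -> hosts served there, from every Gateway whose selector matches the pod."""
    ports = {}
    for gw in gateways:
        if selects(gw["selector"], pod_labels):
            for server in gw["servers"]:
                ports.setdefault(server["port"], []).extend(server["hosts"])
    return ports

def exposure(pod_labels, services, gateways):
    """Rows of (service, nodePort, pod port, status) for each Service port reaching the pod."""
    active = listeners(pod_labels, gateways)
    rows = []
    for svc in services:
        if not selects(svc["selector"], pod_labels):
            continue
        for p in svc["ports"]:
            target = p.get("targetPort", p["port"])  # Kubernetes defaults targetPort to port
            if target not in active:
                status = "no listener"
            elif "*" in active[target]:
                status = "wildcard host"
            else:
                status = "host-restricted"
            rows.append((svc["name"], p.get("nodePort"), target, status))
    return rows

if __name__ == "__main__":
    for row in exposure(POD_LABELS, SERVICES, GATEWAYS):
        print(row)
```

With only the dk-shop Gateway applied, both nodePort 31380 and nodePort 30001 land on the same port-80 listener, which is why the two curl requests above return identical responses; the `"*"` entry in the Gateway's hosts list makes the explicit `user.thanhoo.com` entry redundant at the Gateway level.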