> For the complete documentation index, see [llms.txt](https://rocdu.gitbook.io/deep-understanding-of-istio/llms.txt). Markdown versions of documentation pages are available by appending `.md` to page URLs; this page is available as [Markdown](https://rocdu.gitbook.io/deep-understanding-of-istio/3/6.md).

# gateway

网关描述了一个负载均衡器,该负载均衡器在网格的边缘运行,以接收传入或传出的HTTP/TCP连接。该规范描述了应公开的一组端口,要使用的协议类型,负载均衡器的SNI配置等.

例如,以下网关配置将代理设置为负载均衡器,以暴露端口80和9080(http),443(https),9443(https)和端口2379(TCP)进行入口。网关将应用于带有标签`app:my-gateway-controller`的Pod上运行的代理。虽然Istio将配置代理以监听这些端口,但用户有责任确保允许到这些端口的外部流量进入网状网络。

```yaml
apiVersion: networking.istio.io/v1beta1
kind: Gateway
metadata:
  name: my-gateway
  namespace: some-config-namespace
spec:
  selector:
    app: my-gateway-controller
  servers:
  - port:
      number: 80
      name: http
      protocol: HTTP
    hosts:
    - uk.bookinfo.com
    - eu.bookinfo.com
    tls:
      httpsRedirect: true # sends 301 redirect for http requests
  - port:
      number: 443
      name: https-443
      protocol: HTTPS
    hosts:
    - uk.bookinfo.com
    - eu.bookinfo.com
    tls:
      mode: SIMPLE # enables HTTPS on this port
      serverCertificate: /etc/certs/servercert.pem
      privateKey: /etc/certs/privatekey.pem
  - port:
      number: 9443
      name: https-9443
      protocol: HTTPS
    hosts:
    - "bookinfo-namespace/*.bookinfo.com"
    tls:
      mode: SIMPLE # enables HTTPS on this port
      credentialName: bookinfo-secret # fetches certs from Kubernetes secret
  - port:
      number: 9080
      name: http-wildcard
      protocol: HTTP
    hosts:
    - "*"
  - port:
      number: 2379 # to expose internal service via external port 2379
      name: mongo
      protocol: MONGO
    hosts:
    - "*"
```

上面的网关规范描述了负载均衡器的L4-L6属性.然后,可以将VirtualService绑定到网关,以控制到达特定主机或网关端口的流量的转发。

例如,以下VirtualService为<https://uk.bookinfo.com/reviews、https://eu.bookinfo.com/reviews、http://uk.bookinfo.com:9080/reviews、http://eu.bookinfo.com:9080/reviews分为端口9080上的两个内部审核服务版本(prod和qa)。此外,包含Cookie>" user:dev-123"的请求将发送到专用端口7777中 qa版本.网格中的相同规则也适用于对" reviews.prod.svc.cluster.local"服务的请求.此规则适用于端口443、9080。请注意,<http://uk.bookinfo.com重定向到https://uk.bookinfo.com(即80重定向到443)。>

```yaml
apiVersion: networking.istio.io/v1beta1
kind: VirtualService
metadata:
  name: bookinfo-rule
  namespace: bookinfo-namespace
spec:
  hosts:
  - reviews.prod.svc.cluster.local
  - uk.bookinfo.com
  - eu.bookinfo.com
  gateways:
  - some-config-namespace/my-gateway
  - mesh # applies to all the sidecars in the mesh
  http:
  - match:
    - headers:
        cookie:
          exact: "user=dev-123"
    route:
    - destination:
        port:
          number: 7777
        host: reviews.qa.svc.cluster.local
  - match:
    - uri:
        prefix: /reviews/
    route:
    - destination:
        port:
          number: 9080 # can be omitted if it's the only port for reviews
        host: reviews.prod.svc.cluster.local
      weight: 80
    - destination:
        host: reviews.qa.svc.cluster.local
      weight: 20
```

以下VirtualService将到达(外部)端口27017的流量转发到端口5555上的内部Mongo服务器。此规则在网格内部不适用,因为网关列表省略了保留名称网格。

```yaml
apiVersion: networking.istio.io/v1beta1
kind: VirtualService
metadata:
  name: bookinfo-Mongo
  namespace: bookinfo-namespace
spec:
  hosts:
  - mongosvr.prod.svc.cluster.local # name of internal Mongo service
  gateways:
  - some-config-namespace/my-gateway # can omit the namespace if gateway is in same
                                       namespace as virtual service.
  tcp:
  - match:
    - port: 27017
    route:
    - destination:
        host: mongo.prod.svc.cluster.local
        port:
          number: 5555
```

可以使用hosts字段中的命名空间/主机名语法来限制可以绑定到网关服务器的虚拟服务集.例如,以下网关允许ns1名称空间中的任何虚拟服务绑定到该虚拟服务,同时仅限制ns2名称空间中的foo.bar.com主机与该虚拟服务绑定。

```
apiVersion: networking.istio.io/v1beta1
kind: Gateway
metadata:
  name: my-gateway
  namespace: some-config-namespace
spec:
  selector:
    app: my-gateway-controller
  servers:
  - port:
      number: 80
      name: http
      protocol: HTTP
    hosts:
    - "ns1/*"
    - "ns2/foo.bar.com"
```


---

# Agent Instructions
This documentation is published with GitBook. GitBook is the documentation platform designed so that both humans and AI agents can read, navigate, and reason over technical content effectively. Learn more at gitbook.com.

## Querying This Documentation
If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question.

Perform an HTTP GET request on the current page URL with the `ask` query parameter:

```
GET https://rocdu.gitbook.io/deep-understanding-of-istio/3/6.md?ask=<question>
```

The question should be specific, self-contained, and written in natural language.
The response will contain a direct answer to the question and relevant excerpts and sources from the documentation.

Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.