gateway

网关描述了一个负载均衡器,该负载均衡器在网格的边缘运行,以接收传入或传出的HTTP/TCP连接。该规范描述了应公开的一组端口,要使用的协议类型,负载均衡器的SNI配置等.

例如,以下网关配置将代理设置为负载均衡器,以暴露端口80和9080(http),443(https),9443(https)和端口2379(TCP)进行入口。网关将应用于带有标签app:my-gateway-controller的Pod上运行的代理。虽然Istio将配置代理以监听这些端口,但用户有责任确保允许到这些端口的外部流量进入网状网络。

apiVersion: networking.istio.io/v1beta1
kind: Gateway
metadata:
  name: my-gateway
  namespace: some-config-namespace
spec:
  selector:
    app: my-gateway-controller
  servers:
  - port:
      number: 80
      name: http
      protocol: HTTP
    hosts:
    - uk.bookinfo.com
    - eu.bookinfo.com
    tls:
      httpsRedirect: true # sends 301 redirect for http requests
  - port:
      number: 443
      name: https-443
      protocol: HTTPS
    hosts:
    - uk.bookinfo.com
    - eu.bookinfo.com
    tls:
      mode: SIMPLE # enables HTTPS on this port
      serverCertificate: /etc/certs/servercert.pem
      privateKey: /etc/certs/privatekey.pem
  - port:
      number: 9443
      name: https-9443
      protocol: HTTPS
    hosts:
    - "bookinfo-namespace/*.bookinfo.com"
    tls:
      mode: SIMPLE # enables HTTPS on this port
      credentialName: bookinfo-secret # fetches certs from Kubernetes secret
  - port:
      number: 9080
      name: http-wildcard
      protocol: HTTP
    hosts:
    - "*"
  - port:
      number: 2379 # to expose internal service via external port 2379
      name: mongo
      protocol: MONGO
    hosts:
    - "*"

上面的网关规范描述了负载均衡器的L4-L6属性.然后,可以将VirtualService绑定到网关,以控制到达特定主机或网关端口的流量的转发。

例如,以下VirtualService为https://uk.bookinfo.com/reviews、https://eu.bookinfo.com/reviews、http://uk.bookinfo.com:9080/reviews、http://eu.bookinfo.com:9080/reviews分为端口9080上的两个内部审核服务版本(prod和qa)。此外,包含Cookie" user:dev-123"的请求将发送到专用端口7777中 qa版本.网格中的相同规则也适用于对" reviews.prod.svc.cluster.local"服务的请求.此规则适用于端口443、9080。请注意,http://uk.bookinfo.com重定向到https://uk.bookinfo.com(即80重定向到443)。

apiVersion: networking.istio.io/v1beta1
kind: VirtualService
metadata:
  name: bookinfo-rule
  namespace: bookinfo-namespace
spec:
  hosts:
  - reviews.prod.svc.cluster.local
  - uk.bookinfo.com
  - eu.bookinfo.com
  gateways:
  - some-config-namespace/my-gateway
  - mesh # applies to all the sidecars in the mesh
  http:
  - match:
    - headers:
        cookie:
          exact: "user=dev-123"
    route:
    - destination:
        port:
          number: 7777
        host: reviews.qa.svc.cluster.local
  - match:
    - uri:
        prefix: /reviews/
    route:
    - destination:
        port:
          number: 9080 # can be omitted if it's the only port for reviews
        host: reviews.prod.svc.cluster.local
      weight: 80
    - destination:
        host: reviews.qa.svc.cluster.local
      weight: 20

以下VirtualService将到达(外部)端口27017的流量转发到端口5555上的内部Mongo服务器。此规则在网格内部不适用,因为网关列表省略了保留名称网格。

apiVersion: networking.istio.io/v1beta1
kind: VirtualService
metadata:
  name: bookinfo-Mongo
  namespace: bookinfo-namespace
spec:
  hosts:
  - mongosvr.prod.svc.cluster.local # name of internal Mongo service
  gateways:
  - some-config-namespace/my-gateway # can omit the namespace if gateway is in same
                                       namespace as virtual service.
  tcp:
  - match:
    - port: 27017
    route:
    - destination:
        host: mongo.prod.svc.cluster.local
        port:
          number: 5555

可以使用hosts字段中的命名空间/主机名语法来限制可以绑定到网关服务器的虚拟服务集.例如,以下网关允许ns1名称空间中的任何虚拟服务绑定到该虚拟服务,同时仅限制ns2名称空间中的foo.bar.com主机与该虚拟服务绑定。

apiVersion: networking.istio.io/v1beta1
kind: Gateway
metadata:
  name: my-gateway
  namespace: some-config-namespace
spec:
  selector:
    app: my-gateway-controller
  servers:
  - port:
      number: 80
      name: http
      protocol: HTTP
    hosts:
    - "ns1/*"
    - "ns2/foo.bar.com"

Previouspeerauthentication Nextistio实战

Last updated 3 years ago