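Creating a custom ingress gateway on Istio
In Istio, services are exposed to external clients through an ingress gateway, but the ingress rules we normally write all land on istio-ingressgateway, the gateway created by default when Istio is deployed. What do we do if we want an ingress gateway of our own? This article walks through creating a custom ingress gateway step by step.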
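Environment preparation
Create a Kubernetes cluster
Alibaba Cloud Container Service for Kubernetes 1.11.2 is now available, and a Kubernetes cluster can be created quickly and easily from the Container Service management console. For the detailed steps, see here.
Deploy Istio
Alibaba Cloud Container Service deploys Istio from the cluster page. For the detailed steps, see here.
Deploy Bookinfo
First, label the default namespace with istio-injection=enabled:

    kubectl label namespace default istio-injection=enabled

Then deploy the Bookinfo sample application with kubectl:

    kubectl apply -f https://raw.githubusercontent.com/istio/istio/1.0.2/samples/bookinfo/platform/kube/bookinfo.yaml

Once the deployment completes, the result looks like this: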

    $ kubectl get pod,svc
    NAME                                  READY   STATUS    RESTARTS   AGE
    pod/details-v1-5d88f495b7-cvxk5       2/2     Running   0          19h
    pod/productpage-v1-774fd75c99-5l898   2/2     Running   0          19h
    pod/ratings-v1-64664b6bcf-j7lzh       2/2     Running   0          19h
    pod/reviews-v1-fd7c6fdf5-4px4g        2/2     Running   0          19h
    pod/reviews-v2-56b67454cc-fmtl8       2/2     Running   0          19h
    pod/reviews-v3-86878d875-6xztb        2/2     Running   0          19h

    NAME                  TYPE        CLUSTER-IP      EXTERNAL-IP   PORT(S)    AGE
    service/details       ClusterIP   172.21.13.128   <none>        9080/TCP   19h
    service/kubernetes    ClusterIP   172.21.0.1      <none>        443/TCP    21h
    service/productpage   ClusterIP   172.21.7.104    <none>        9080/TCP   19h
    service/ratings       ClusterIP   172.21.7.176    <none>        9080/TCP   19h
    service/reviews       ClusterIP   172.21.1.207    <none>        9080/TCP   19h

Create the custom ingress gateway

    ---
    # Source: istio/charts/gateways/templates/serviceaccount.yaml
    apiVersion: v1
    kind: ServiceAccount
    metadata:
      name: customgateway-service-account
      namespace: default
      labels:
        app: customgateway
    ---
    # Source: istio/charts/gateways/templates/clusterrole.yaml
    apiVersion: rbac.authorization.k8s.io/v1beta1
    kind: ClusterRole
    metadata:
      labels:
        app: gateways
      name: customgateway-default # default should be replaced by the actual namespace
    rules:
    - apiGroups: ["extensions"]
      resources: ["thirdpartyresources", "virtualservices", "destinationrules", "gateways"]
      verbs: ["get", "watch", "list", "update"]
    ---
    # Source: istio/charts/gateways/templates/clusterrolebindings.yaml
    apiVersion: rbac.authorization.k8s.io/v1beta1
    kind: ClusterRoleBinding
    metadata:
      name: customgateway-default # default should be replaced by the actual namespace
    roleRef:
      apiGroup: rbac.authorization.k8s.io
      kind: ClusterRole
      name: customgateway-default # default should be replaced by the actual namespace
    subjects:
      - kind: ServiceAccount
        name: customgateway-service-account
        namespace: default
    ---
    # Source: istio/charts/gateways/templates/service.yaml
    apiVersion: v1
    kind: Service
    metadata:
      name: customgateway
      namespace: default
      annotations:
      labels:
        istio: customgateway
    spec:
      type: LoadBalancer
      selector:
        istio: customgateway
      ports:
        - name: http
          port: 80
          targetPort: 80
        - name: https
          port: 443
          targetPort: 443
    ---
    # Source: istio/charts/gateways/templates/deployment.yaml
    apiVersion: extensions/v1beta1
    kind: Deployment
    metadata:
      name: customgateway
      namespace: default
      labels:
        istio: customgateway
    spec:
      replicas: 1
      template:
        metadata:
          labels:
            istio: customgateway
          annotations:
            sidecar.istio.io/inject: "false"
            scheduler.alpha.kubernetes.io/critical-pod: ""
        spec:
          serviceAccountName: customgateway-service-account
          containers:
            - name: istio-proxy
              image: "registry.cn-beijing.aliyuncs.com/aliacs-app-catalog/proxyv2:1.0.3"
              imagePullPolicy: IfNotPresent
              ports:
                - containerPort: 80
                - containerPort: 443
              args:
              - proxy
              - router
              - -v
              - "2"
              - --discoveryRefreshDelay
              - '1s' #discoveryRefreshDelay
              - --drainDuration
              - '45s' #drainDuration
              - --parentShutdownDuration
              - '1m0s' #parentShutdownDuration
              - --connectTimeout
              - '10s' #connectTimeout
              - --serviceCluster
              - customgateway
              - --zipkinAddress
              - zipkin.istio-system:9411
              - --proxyAdminPort
              - "15000"
              - --controlPlaneAuthPolicy
              - NONE
              - --discoveryAddress
              - istio-pilot.istio-system:8080
              resources:
                requests:
                  cpu: 10m
              env:
              - name: POD_NAME
                valueFrom:
                  fieldRef:
                    apiVersion: v1
                    fieldPath: metadata.name
              - name: POD_NAMESPACE
                valueFrom:
                  fieldRef:
                    apiVersion: v1
                    fieldPath: metadata.namespace
              - name: INSTANCE_IP
                valueFrom:
                  fieldRef:
                    apiVersion: v1
                    fieldPath: status.podIP
              - name: ISTIO_META_POD_NAME
                valueFrom:
                  fieldRef:
                    fieldPath: metadata.name
              volumeMounts:
              - name: istio-certs
                mountPath: /etc/certs
                readOnly: true
              - name: customgateway-certs
                mountPath: "/etc/istio/customgateway-certs"
                readOnly: true
              - name: customgateway-ca-certs
                mountPath: "/etc/istio/customgateway-ca-certs"
                readOnly: true
          volumes:
          - name: istio-certs
            secret:
              secretName: istio.customgateway-service-account
              optional: true
          - name: customgateway-certs
            secret:
              secretName: "istio-customgateway-certs"
              optional: true
          - name: customgateway-ca-certs
            secret:
              secretName: "istio-customgateway-ca-certs"
              optional: true
          affinity:
            nodeAffinity:
              requiredDuringSchedulingIgnoredDuringExecution:
                nodeSelectorTerms:
                - matchExpressions:
                  - key: beta.kubernetes.io/arch
                    operator: In
                    values:
                    - amd64
                    - ppc64le
                    - s390x
              preferredDuringSchedulingIgnoredDuringExecution:
              - weight: 2
                preference:
                  matchExpressions:
                  - key: beta.kubernetes.io/arch
                    operator: In
                    values:
                    - amd64
              - weight: 2
                preference:
                  matchExpressions:
                  - key: beta.kubernetes.io/arch
                    operator: In
                    values:
                    - ppc64le
              - weight: 2
                preference:
                  matchExpressions:
                  - key: beta.kubernetes.io/arch
                    operator: In
                    values:
                    - s390x
    ---
    # Source: istio/charts/gateways/templates/autoscale.yaml
    apiVersion: autoscaling/v2beta1
    kind: HorizontalPodAutoscaler
    metadata:
      name: customgateway
      namespace: default
    spec:
      maxReplicas: 5
      minReplicas: 1
      scaleTargetRef:
        apiVersion: apps/v1beta1
        kind: Deployment
        name: customgateway
      metrics:
        - type: Resource
          resource:
            name: cpu
            targetAverageUtilization: 80
    ---

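The YAML above defines an ingress gateway named customgateway in the default namespace and creates the related resources for it, such as the ServiceAccount and the HPA. To define more than one gateway, replace default and customgateway in the YAML with the names you want.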
Define the ingress routes

    apiVersion: networking.istio.io/v1alpha3
    kind: Gateway
    metadata:
      name: bookinfo-gateway
    spec:
      selector:
        istio: customgateway
      servers:
      - port:
          number: 80
          name: http
          protocol: HTTP
        hosts:
        - "*"
    ---
    apiVersion: networking.istio.io/v1alpha3
    kind: VirtualService
    metadata:
      name: bookinfo
    spec:
      hosts:
      - "*"
      gateways:
      - bookinfo-gateway
      http:
      - match:
        - uri:
            exact: /productpage
        - uri:
            exact: /login
        - uri:
            exact: /logout
        - uri:
            prefix: /api/v1/products
        route:
        - destination:
            host: productpage
            port:
              number: 9080

The most important part here is the Gateway's selector, which determines which deployment the rules land on. Here it is set to istio: customgateway.
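
The selector rule described above, as an added example that is not part of the original article: a small Python model of how a Gateway's spec.selector is matched against pod labels, with two review checks on its servers block. The pod names and the pod list are constructed sample data; the istio: customgateway label and the bookinfo-gateway spec are copied from the manifests above.

```python
# Added example (not the article's code). PODS is constructed sample data.

def selects(selector, labels):
    """Label match: every key/value in the selector must be present on the pod."""
    return all(labels.get(k) == v for k, v in selector.items())

def bound_pods(gateway, pods):
    """Names of the pods whose labels satisfy the Gateway's spec.selector."""
    selector = gateway["spec"]["selector"]
    return sorted(name for name, labels in pods.items() if selects(selector, labels))

def review(gateway, pods):
    """Return (bound pod names, findings to raise before applying the Gateway)."""
    targets = bound_pods(gateway, pods)
    findings = []
    if not targets:
        findings.append("selector matches no gateway pod; the rules are not served")
    for server in gateway["spec"]["servers"]:
        port = server["port"]
        if "*" in server.get("hosts", []):
            findings.append(f"port {port['number']}: hosts '*' exposes every host name")
        if port["protocol"] == "HTTP":
            findings.append(f"port {port['number']}: plaintext HTTP, no TLS settings")
    return targets, findings

# Constructed pod inventory: the default gateway, the custom one, one workload.
PODS = {
    "istio-ingressgateway-pod": {"app": "istio-ingressgateway", "istio": "ingressgateway"},
    "customgateway-pod": {"istio": "customgateway"},
    "productpage-v1-pod": {"app": "productpage", "version": "v1"},
}

# spec copied from the bookinfo-gateway manifest above.
BOOKINFO_GATEWAY = {
    "spec": {
        "selector": {"istio": "customgateway"},
        "servers": [
            {"port": {"number": 80, "name": "http", "protocol": "HTTP"}, "hosts": ["*"]},
        ],
    }
}

if __name__ == "__main__":
    targets, findings = review(BOOKINFO_GATEWAY, PODS)
    print("bound to:", targets)
    for finding in findings:
        print("finding:", finding)
```
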
Access the application
Get the entry point of the custom ingress gateway, then access the application:

    export INGRESS_HOST=$(kubectl -n default get service customgateway -o jsonpath='{.status.loadBalancer.ingress[0].ip}')
    export INGRESS_PORT=$(kubectl -n default get service customgateway -o jsonpath='{.spec.ports[?(@.name=="http")].port}')
    curl -o /dev/null -s -w "%{http_code}\n" http://${INGRESS_HOST}:${INGRESS_PORT}/productpage

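If it returns 200, the configuration is correct.
Summary
The example above showed how to create a custom ingress gateway in Istio.
You are welcome to use Container Service on Alibaba Cloud to quickly set up Istio, an open governance platform for microservices, and integrate it easily into the microservice development of your own projects.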