在Istio上建立自定義的ingress-gateway

閘道器 Istio · 發表 2018-11-23 19:12:41

摘要：我們都知道，在istio中可以通過ingress gateway將服務暴露給外部使用，但是我們使用的ingress規則都是落在istio部署時預設建立的istio-ingressgateway上，如果我們希望建立自定義的ingressgateway該怎麼操作呢，本文就帶大家一步步操作，建立一個...

我們都知道，在istio中可以通過ingress gateway將服務暴露給外部使用，但是我們使用的ingress規則都是落在istio部署時預設建立的istio-ingressgateway上，如果我們希望建立自定義的ingressgateway該怎麼操作呢，本文就帶大家一步步操作，建立一個自定義的ingressgateway

環境準備

建立Kubernetes叢集

阿里雲容器服務Kubernetes 1.11.2目前已經上線，可以通過容器服務管理控制檯非常方便地快速建立 Kubernetes 叢集。具體過程可以參考這裡

部署istio

阿里雲容器服務通過叢集介面部署Istio，具體過程可以參考這裡

部署bookinfo

首先為default 名稱空間打上標籤 istio-injection=enabled

kubectl label namespace default istio-injection=enabled

使用Kubectl命令部署Bookinfo示例應用

kubectl apply -f https://raw.githubusercontent.com/istio/istio/1.0.2/samples/bookinfo/platform/kube/bookinfo.yaml

部署完成後效果如下圖：

$ kubectl get pod,svc
NAMEREADYSTATUSRESTARTSAGE
pod/details-v1-5d88f495b7-cvxk52/2Running019h
pod/productpage-v1-774fd75c99-5l8982/2Running019h
pod/ratings-v1-64664b6bcf-j7lzh2/2Running019h
pod/reviews-v1-fd7c6fdf5-4px4g2/2Running019h
pod/reviews-v2-56b67454cc-fmtl82/2Running019h
pod/reviews-v3-86878d875-6xztb2/2Running019h

NAMETYPECLUSTER-IPEXTERNAL-IPPORT(S)AGE
service/detailsClusterIP172.21.13.128<none>9080/TCP19h
service/kubernetesClusterIP172.21.0.1<none>443/TCP21h
service/productpageClusterIP172.21.7.104<none>9080/TCP19h
service/ratingsClusterIP172.21.7.176<none>9080/TCP19h
service/reviewsClusterIP172.21.1.207<none>9080/TCP19h

建立自定義ingressgateway

---
# Source: istio/charts/gateways/templates/serviceaccount.yaml

apiVersion: v1
kind: ServiceAccount
metadata:
name: customgateway-service-account
namespace: default
labels:
app: customgateway
---

---
# Source: istio/charts/gateways/templates/clusterrole.yaml

apiVersion: rbac.authorization.k8s.io/v1beta1
kind: ClusterRole
metadata:
labels:
app: gateways
name: customgateway-default # default should replaced by actual namespace
rules:
- apiGroups: ["extensions"]
resources: ["thirdpartyresources", "virtualservices", "destinationrules", "gateways"]
verbs: ["get", "watch", "list", "update"]
---

---
# Source: istio/charts/gateways/templates/clusterrolebindings.yaml

apiVersion: rbac.authorization.k8s.io/v1beta1
kind: ClusterRoleBinding
metadata:
name: customgateway-default # default should replaced by actual namespace
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: customgateway-default # default should replaced by actual namespace
subjects:
- kind: ServiceAccount
name: customgateway-service-account
namespace: default
---

---
# Source: istio/charts/gateways/templates/service.yaml

apiVersion: v1
kind: Service
metadata:
name: customgateway
namespace: default
annotations:
labels:
istio: customgateway
spec:
type: LoadBalancer
selector:
istio: customgateway
ports:
-
name: http
port: 80
targetPort: 80
-
name: https
port: 443
targetPort: 443
---

---
# Source: istio/charts/gateways/templates/deployment.yaml

apiVersion: extensions/v1beta1
kind: Deployment
metadata:
name: customgateway
namespace: default
labels:
istio: customgateway
spec:
replicas: 1
template:
metadata:
labels:
istio: customgateway
annotations:
sidecar.istio.io/inject: "false"
scheduler.alpha.kubernetes.io/critical-pod: ""
spec:
serviceAccountName: customgateway-service-account
containers:
- name: istio-proxy
image: "registry.cn-beijing.aliyuncs.com/aliacs-app-catalog/proxyv2:1.0.3"
imagePullPolicy: IfNotPresent
ports:
- containerPort: 80
- containerPort: 443

args:
- proxy
- router
- -v
- "2"
- --discoveryRefreshDelay
- '1s' #discoveryRefreshDelay
- --drainDuration
- '45s' #drainDuration
- --parentShutdownDuration
- '1m0s' #parentShutdownDuration
- --connectTimeout
- '10s' #connectTimeout
- --serviceCluster
- customgateway
- --zipkinAddress
- zipkin.istio-system:9411
- --proxyAdminPort
- "15000"
- --controlPlaneAuthPolicy
- NONE
- --discoveryAddress
- istio-pilot.istio-system:8080
resources:
requests:
cpu: 10m

env:
- name: POD_NAME
valueFrom:
fieldRef:
apiVersion: v1
fieldPath: metadata.name
- name: POD_NAMESPACE
valueFrom:
fieldRef:
apiVersion: v1
fieldPath: metadata.namespace
- name: INSTANCE_IP
valueFrom:
fieldRef:
apiVersion: v1
fieldPath: status.podIP
- name: ISTIO_META_POD_NAME
valueFrom:
fieldRef:
fieldPath: metadata.name
volumeMounts:
- name: istio-certs
mountPath: /etc/certs
readOnly: true
- name: customgateway-certs
mountPath: "/etc/istio/customgateway-certs"
readOnly: true
- name: customgateway-ca-certs
mountPath: "/etc/istio/customgateway-ca-certs"
readOnly: true
volumes:
- name: istio-certs
secret:
secretName: istio.customgateway-service-account
optional: true
- name: customgateway-certs
secret:
secretName: "istio-customgateway-certs"
optional: true
- name: customgateway-ca-certs
secret:
secretName: "istio-customgateway-ca-certs"
optional: true
affinity:
nodeAffinity:
requiredDuringSchedulingIgnoredDuringExecution:
nodeSelectorTerms:
- matchExpressions:
- key: beta.kubernetes.io/arch
operator: In
values:
- amd64
- ppc64le
- s390x
preferredDuringSchedulingIgnoredDuringExecution:
- weight: 2
preference:
matchExpressions:
- key: beta.kubernetes.io/arch
operator: In
values:
- amd64
- weight: 2
preference:
matchExpressions:
- key: beta.kubernetes.io/arch
operator: In
values:
- ppc64le
- weight: 2
preference:
matchExpressions:
- key: beta.kubernetes.io/arch
operator: In
values:
- s390x
---

---
# Source: istio/charts/gateways/templates/autoscale.yaml

apiVersion: autoscaling/v2beta1
kind: HorizontalPodAutoscaler
metadata:
name: customgateway
namespace: default
spec:
maxReplicas: 5
minReplicas: 1
scaleTargetRef:
apiVersion: apps/v1beta1
kind: Deployment
name: customgateway
metrics:
- type: Resource
resource:
name: cpu
targetAverageUtilization: 80
---

上面這段yaml在default namespace定義了一個名叫customgateway 的ingressgateway，併為他建立了serviceaccount，HPA等一系列相關的配置，如果我們需要定義多個，需要替換yaml裡的default和customgateway為自己想要的名字

定義入口路由

apiVersion: networking.istio.io/v1alpha3
kind: Gateway
metadata:
name: bookinfo-gateway
spec:
selector:
istio: customgateway
servers:
- port:
number: 80
name: http
protocol: HTTP
hosts:
- "*"
---
apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
name: bookinfo
spec:
hosts:
- "*"
gateways:
- bookinfo-gateway
http:
- match:
- uri:
exact: /productpage
- uri:
exact: /login
- uri:
exact: /logout
- uri:
prefix: /api/v1/products
route:
- destination:
host: productpage
port:
number: 9080

這裡最重要的是為Gateway指定規則落在哪個deploy上，這裡指定的是istio: customgateway

訪問應用

獲取自定義ingressgateway的入口然後訪問應用

export INGRESS_HOST=$(kubectl -n default get service customgateway -o jsonpath='{.status.loadBalancer.ingress[0].ip}')
export INGRESS_PORT=$(kubectl -n default get service customgateway -o jsonpath='{.spec.ports[?(@.name=="http")].port}')
curl -o /dev/null -s -w "%{http_code}\n" http://${INGRESS_HOST}:${INGRESS_PORT}/productpage

如果返回200則說明配置正確

總結

上面通過示例演示了Istio如何建立一個自定義的ingress gateway

歡迎大家使用阿里雲上的容器服務，快速搭建微服務的開放治理平臺Istio，簡單地整合到自己專案的微服務開發中。