01 - Ingress Gateway

This task shows how to configure an Istio Gateway to expose a service outside the service mesh.

1. Deploy the httpbin service

  • Check whether automatic sidecar injection is enabled
# automatic injection enabled
kubectl apply -f httpbin.yaml

# automatic injection not enabled
kubectl apply -f <(istioctl kube-inject -f httpbin.yaml)
  • Contents of httpbin.yaml
apiVersion: v1
kind: Service
metadata:
  name: httpbin
  labels:
    app: httpbin
spec:
  ports:
  - name: http
    port: 8000
  selector:
    app: httpbin
---
apiVersion: extensions/v1beta1
kind: Deployment
metadata:
  name: httpbin
spec:
  replicas: 1
  template:
    metadata:
      labels:
        app: httpbin
        version: v1
    spec:
      containers:
      - image: docker.io/citizenstig/httpbin
        imagePullPolicy: IfNotPresent
        name: httpbin
        ports:
        - containerPort: 8000

2. Configure the ingress Gateway

  • Create the gateway
apiVersion: networking.istio.io/v1alpha3
kind: Gateway
metadata:
  name: httpbin-gateway
spec:
  selector:
    istio: ingressgateway # use Istio default gateway implementation
  servers:
  - port:
      number: 80
      name: http
      protocol: HTTP
    hosts:
    - "httpbin.example.com"
  • Configure routing for traffic entering through the gateway
apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
  name: httpbin
spec:
  hosts:
  - "httpbin.example.com"
  gateways:
  - httpbin-gateway
  http:
  - match:
    - uri:
        prefix: /status
    - uri:
        prefix: /delay
    route:
    - destination:
        port:
          number: 8000
        host: httpbin

The spec.gateways field above means that only requests arriving through httpbin-gateway are allowed to be routed; any other request gets a 404.

Internal requests from other services in the mesh are not subject to these rules and instead default to round-robin routing. To apply these rules to internal calls as well, add the special value mesh to the spec.gateways list. Because the service's internal hostname (for example httpbin.default.svc.cluster.local) may differ from the external one, you also need to add it to the spec.servers.hosts list in the gateway.
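To make the routing decision described above concrete, here is an added example (not code from the original page or from Istio) that models how the Gateway and VirtualService pair from this task decides whether a request is forwarded to httpbin or answered with 404, including the mesh binding variant. The resources are re-typed as constructed dicts and the function names are hypothetical.

```python
# Added example, not Istio's code: a small model of the Gateway + VirtualService
# routing decision for the httpbin resources on this page (constructed dicts).
GATEWAY = {"name": "httpbin-gateway", "hosts": ["httpbin.example.com"]}
VIRTUAL_SERVICE = {
    "hosts": ["httpbin.example.com"],
    "gateways": ["httpbin-gateway"],
    "http": [{
        "match": [{"uri": {"prefix": "/status"}}, {"uri": {"prefix": "/delay"}}],
        "route": [{"destination": {"host": "httpbin", "port": {"number": 8000}}}],
    }],
}


def host_matches(pattern, host):
    """Istio host entries are exact names or '*' / '*.example.com' wildcards."""
    if pattern == "*":
        return True
    if pattern.startswith("*."):
        return host.endswith(pattern[1:]) and host != pattern[2:]
    return pattern == host


def route(gateway, vs, via, host, path):
    """via: the gateway the request entered through, or 'mesh' for in-mesh calls.
    Returns (destination host, port) when routed, or None meaning 404."""
    # 1. The ingress gateway only serves hosts listed in its servers[].hosts.
    if via == gateway["name"] and not any(host_matches(h, host) for h in gateway["hosts"]):
        return None
    # 2. The VirtualService must be bound to that gateway via spec.gateways ...
    if via not in vs["gateways"]:
        return None
    # 3. ... and must declare the requested host in spec.hosts.
    if not any(host_matches(h, host) for h in vs["hosts"]):
        return None
    # 4. First http rule whose match entries (OR-ed) hit wins; no match = catch-all.
    for rule in vs["http"]:
        matches = rule.get("match")
        if not matches or any(path.startswith(m["uri"]["prefix"]) for m in matches):
            dest = rule["route"][0]["destination"]
            return dest["host"], dest["port"]["number"]
    return None


def with_mesh_binding(gateway, vs, internal_host):
    """The 'mesh' variant from the text: bind the VirtualService to in-mesh traffic
    too and declare the internal hostname on both resources (hypothetical helper)."""
    gw = {**gateway, "hosts": gateway["hosts"] + [internal_host]}
    vs2 = {**vs, "hosts": vs["hosts"] + [internal_host], "gateways": vs["gateways"] + ["mesh"]}
    return gw, vs2
```

Calling `route(GATEWAY, VIRTUAL_SERVICE, "mesh", "httpbin.default.svc.cluster.local", "/status/200")` returns None until `with_mesh_binding` is applied, which is the 404-for-internal-callers behaviour the paragraph warns about.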

3. Access test

  • Get the access port and host name
## get the ingress port and store it in the INGRESS_PORT variable
$ export INGRESS_PORT=$(kubectl -n istio-system get service istio-ingressgateway -o jsonpath='{.spec.ports[?(@.name=="http2")].nodePort}')

## get the ingress host and store it in the INGRESS_HOST variable
$ export INGRESS_HOST=$(kubectl get po -l istio=ingressgateway -n istio-system -o jsonpath='{.items[0].status.hostIP}')
  • Access with curl
$ curl -I -H Host:httpbin.example.com http://$INGRESS_HOST:$INGRESS_PORT/status/200

### response
HTTP/1.1 200 OK
server: envoy
date: Mon, 29 Jan 2018 04:45:49 GMT
content-type: text/html; charset=utf-8
access-control-allow-origin: *
access-control-allow-credentials: true
content-length: 0
x-envoy-upstream-service-time: 48
  • Access from a browser (requires a hosts entry mapping the domain name)
Normal response: http://httpbin.example.com/status/200

Delayed response: http://httpbin.example.com/delay/200

References