I have an Istio mesh with mTLS disabled, containing the following pods and services. I am using kubeadm.
pasan@ubuntu:~$ kubectl get pods --all-namespaces
NAMESPACE   NAME                                                 READY   STATUS    RESTARTS   AGE
default     debug-tools                                          2/2     Running   0          2h
default     employee--debug-deployment-57947cf67-gwpjq           2/2     Running   0          2h
default     employee--employee-deployment-5f4d7c9d78-sfmtx       2/2     Running   0          2h
default     employee--gateway-deployment-bc646bd84-wnqwq         2/2     Running   0          2h
default     employee--salary-deployment-d4969d6c8-lz7n7          2/2     Running   0          2h
default     employee--sts-deployment-7bb9b44bf7-lthc8            1/1     Running   0          2h
default     hr--debug-deployment-86575cffb6-6wrlf                2/2     Running   0          2h
default     hr--gateway-deployment-8c488ff6-827pf                2/2     Running   0          2h
default     hr--hr-deployment-596946948d-rzc7z                   2/2     Running   0          2h
default     hr--sts-deployment-694d7cff97-4nz29                  1/1     Running   0          2h
default     stock-options--debug-deployment-68b8fccb97-4znlc     2/2     Running   0          2h
default     stock-options--gateway-deployment-64974b5fbb-rjrwq   2/2     Running   0          2h
default     stock-options--stock-deployment-d5c9d4bc8-dqtrr      2/2     Running   0          2h
default     stock-options--sts-deployment-66c4799599-xx9d4       1/1     Running   0          2h

pasan@ubuntu:~$ kubectl get services
NAME                             TYPE        CLUSTER-IP       EXTERNAL-IP   PORT(S)             AGE
employee--debug-service          ClusterIP   10.104.23.141    <none>        80/TCP              2h
employee--employee-service       ClusterIP   10.96.203.80     <none>        80/TCP              2h
employee--gateway-service        ClusterIP   10.97.145.188    <none>        80/TCP              2h
employee--salary-service         ClusterIP   10.110.167.162   <none>        80/TCP              2h
employee--sts-service            ClusterIP   10.100.145.102   <none>        8080/TCP,8081/TCP   2h
hr--debug-service                ClusterIP   10.103.81.158    <none>        80/TCP              2h
hr--gateway-service              ClusterIP   10.106.183.101   <none>        80/TCP              2h
hr--hr-service                   ClusterIP   10.107.136.178   <none>        80/TCP              2h
hr--sts-service                  ClusterIP   10.105.184.100   <none>        8080/TCP,8081/TCP   2h
kubernetes                       ClusterIP   10.96.0.1        <none>        443/TCP             2h
stock-options--debug-service     ClusterIP   10.111.51.88     <none>        80/TCP              2h
stock-options--gateway-service   ClusterIP   10.100.81.254    <none>        80/TCP              2h
stock-options--stock-service     ClusterIP   10.96.189.100    <none>        80/TCP              2h
stock-options--sts-service       ClusterIP   10.108.59.68     <none>        8080/TCP,8081/TCP   2h
I access this service from the debug pod with the following command:
curl -X GET http://hr--gateway-service.default:80/info -H "Authorization: Bearer $token" -v
Next, I enabled mTLS in the mesh. As expected, the curl command above failed.
Now I want to set up an ingress controller so that I can access the service mesh as before.
So I set up a Gateway and a VirtualService as follows:
cat <<EOF | kubectl apply -f -
apiVersion: networking.istio.io/v1alpha3
kind: Gateway
metadata:
  name: hr-ingress-gateway
spec:
  selector:
    istio: ingressgateway # use Istio default gateway implementation
  servers:
  - port:
      number: 80
      name: http
      protocol: HTTP
    hosts:
    # the host entries are missing from the post as captured
EOF
cat <<EOF | kubectl apply -f -
apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
  name: hr-ingress-virtual-service
spec:
  hosts:
  # the host entries are missing from the post as captured
  http:
  - match:
    - uri:
        prefix: /info/
    route:
    - destination:
        port:
          number: 80
        host: hr--gateway-service
EOF
But I still get the following output:
wso2carbon@gateway-5bd88fd679-l8jn5:~$ curl -X GET http://hr--gateway-service.default:80/info -H "Authorization: Bearer $token" -v
Note: Unnecessary use of -X or --request, GET is already inferred.
> GET /info HTTP/1.1
> Host: hr--gateway-service.default
> User-Agent: curl/7.47.0
> Accept: */*
...
Please tell me whether my ingress is set up correctly, and how to access the service with curl once it is. My ingress services are as follows:
ingress-nginx   default-http-backend   ClusterIP   10.105.46.168   <none>          80/TCP                       3h
ingress-nginx   ingress-nginx          NodePort    10.110.75.131   172.17.17.100   80:30770/TCP,443:32478/TCP
istio-ingressgateway   NodePort   10.98.243.205   80:31380/TCP,443:31390/TCP,31400:31400/TCP,15011:31775/TCP,8060:32436/TCP,853:31351/TCP,15030:32149/TCP,15031:32653/TCP   3h
Apply the Istio CRDs (VirtualServices) to the incoming traffic for which you need Istio's Ingress Gateway as the entry point, as described here: https://istio.io/docs/tasks/traffic-management/ingress/
The ingressgateway is a wrapper around Envoy that can be configured with Istio's CRDs.
Basically, you don't need a second ingress controller; a default one is installed during installation. Find it by running:
kubectl get services -n istio-system -l app=istio-ingressgateway
and, using the Ingress Gateway IP, run:
curl -X GET http://{INGRESSGATEWAY_IP}/info -H "Authorization: Bearer $token" -H "Host: hr--gateway-service.default"
I added the host as a header, as defined in the gateway, which means only this host is allowed ingress.
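The curl step from the answer above, as an added example that is not part of the original question or answer: a POSIX shell script that reads the NodePort for a service port out of a `kubectl get services` line and assembles the request with the Host header. The sample service line is constructed from the question's istio-ingressgateway row; NODE_IP and the script name are assumptions.

```shell
#!/bin/sh
# Added example, not part of the original question or answer.
# Builds the curl call the answer describes from the NodePort mapping that
# `kubectl get services -n istio-system -l app=istio-ingressgateway` prints.

# Constructed sample line (shaped like the istio-ingressgateway row in the question).
SAMPLE_SVC_LINE='istio-ingressgateway NodePort 10.98.243.205 <none> 80:31380/TCP,443:31390/TCP,31400:31400/TCP 3h'

# nodeport_for SERVICE_PORT SVC_LINE
# Prints the NodePort mapped to SERVICE_PORT. The PORT(S) column is a
# comma-separated list of "svcport:nodeport/proto" entries.
nodeport_for() {
  svc_port="$1"; line="$2"
  printf '%s\n' "$line" | tr ' ' '\n' | grep -E '^[0-9]+:[0-9]+/' \
    | tr ',' '\n' | awk -F'[:/]' -v p="$svc_port" '$1 == p { print $2; exit }'
}

# ingress_url NODE_IP SERVICE_PORT PATH SVC_LINE
# Assembles the gateway URL. The Host header (added below) selects the
# VirtualService, so the URL only needs node IP, NodePort and path.
ingress_url() {
  node_ip="$1"; svc_port="$2"; path="$3"; line="$4"
  np="$(nodeport_for "$svc_port" "$line")" || return 1
  [ -n "$np" ] || { echo "no NodePort for service port $svc_port" >&2; return 1; }
  printf 'http://%s:%s%s\n' "$node_ip" "$np" "$path"
}

# curl_via_ingress NODE_IP VS_HOST PATH TOKEN
# Sends the request through the ingress gateway with the Host header the
# answer adds and prints the HTTP status. The bearer token travels in clear
# text on port 80; outside a lab, use the 443 NodePort (nodeport_for 443 ...)
# with TLS terminated on the Gateway.
curl_via_ingress() {
  url="$(ingress_url "$1" 80 "$3" "$SAMPLE_SVC_LINE")" || return 1
  curl -sS -o /dev/null -w '%{http_code}\n' "$url" \
    -H "Host: $2" -H "Authorization: Bearer $4"
}

# Only contacts a cluster when NODE_IP is set (assumed usage):
#   NODE_IP=172.17.17.100 token=... sh ingress_check.sh
if [ -n "${NODE_IP:-}" ]; then
  curl_via_ingress "$NODE_IP" hr--gateway-service.default /info "${token:-}"
fi
```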