1: 確定入口IP和端口
執行以下命令以確定Kubernetes集群是否在支持外部負載均衡器的環境中運行:
kubectl get svc istio-ingressgateway -n istio-system NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE istio-ingressgateway LoadBalancer 10.108.152.2 <pending> 15020:32736/TCP,80:31380/TCP,443:31390/TCP,31400:31400/TCP,15029:32101/TCP,15030:32222/TCP,15031:30551/TCP,15032:31262/TCP,15443:30129/TCP 3d1h
如果EXTERNAL-IP設置了該值,則環境具有可用於入口網關的外部負載平衡器。如果EXTERNAL-IP值是<none>(或永久<pending>),則環境不為入口網關提供外部負載平衡器。在這種情況下,您可以使用服務的節點端口來訪問網關。
我的pending,使用服務的節點端口來訪問:
設置入口端口:
export INGRESS_PORT=$(kubectl -n istio-system get service istio-ingressgateway -o jsonpath='{.spec.ports[?(@.name=="http2")].nodePort}')
export SECURE_INGRESS_PORT=$(kubectl -n istio-system get service istio-ingressgateway -o jsonpath='{.spec.ports[?(@.name=="https")].nodePort}')
設置入口IP取決於群集提供者:
export INGRESS_HOST=$(kubectl get po -l istio=ingressgateway -n istio-system -o jsonpath='{.items[0].status.hostIP}')
2: 開啟一個服務, istio-a.yml:
apiVersion: apps/v1
kind: Deployment
metadata:
name: istio-a
spec:
selector:
matchLabels:
name: istio-a
replicas: 1
template:
metadata:
annotations:
sidecar.istio.io/inject: "true" # 開啟sidecar自動注入
labels:
name: istio-a
spec:
containers:
- name: istio-a
# 我自己的一個鏡像
image: registry.cn-shenzhen.aliyuncs.com/zsifan/istio-a:v1
imagePullPolicy: Always
ports:
- containerPort: 10001
---
apiVersion: v1
kind: Service
metadata:
name: istio-a
spec:
ports:
- port: 10001
# # ClusterIP, NodePort, LoadBalancer
type: ClusterIP
selector:
name: istio-a
3:使用Istio網關配置入口
1): 創建一個Istio Gateway
apiVersion: networking.istio.io/v1alpha3
kind: Gateway
metadata:
name: httpbin-gateway
spec:
selector:
istio: ingressgateway # use Istio default gateway implementation
servers:
- port:
number: 80
name: http
protocol: HTTP
hosts:
- "k8s.test.com"
2): 創建一個VirtualService,配置通過以下路徑進入的流量的路由Gateway
apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
name: httpbin-a
spec:
hosts:
- "k8s.test.com" # 對應gateway 的hosts
gateways:
- httpbin-gateway # 對應gateway name
http:
- match:
- uri:
prefix: /a # 允許路徑/a的通過
rewrite:
uri: / # 重寫url
route:
- destination:
port:
number: 10001 # 服務端口號
host: istio-a # 對用的服務
timeout: 10s
3): 使用curl訪問istio-a服務:
curl -I -HHost:k8s.test.com http://$INGRESS_HOST:$INGRESS_PORT/a/test HTTP/1.1 200 OK content-type: text/plain;charset=UTF-8 content-length: 13 date: Wed, 13 Nov 2019 13:27:44 GMT x-envoy-upstream-service-time: 80 server: istio-envoy
我的istio-a服務中就寫了一個test:
如果訪問url不是/a開頭的而是未知的,將顯示404:
curl -I -HHost:k8s.test.com http://$INGRESS_HOST:$INGRESS_PORT/b HTTP/1.1 404 Not Found vary: Origin,Access-Control-Request-Method,Access-Control-Request-Headers content-type: application/json date: Wed, 13 Nov 2019 13:32:06 GMT x-envoy-upstream-service-time: 21 server: istio-envoy transfer-encoding: chunked
如果我們想使用瀏覽器訪問入口服務:
可以將gateway中的hosts修改為*,相應的VirtualService的hosts也要修改為*
apiVersion: networking.istio.io/v1alpha3
kind: Gateway
metadata:
name: httpbin-gateway
spec:
selector:
istio: ingressgateway # use Istio default gateway implementation
servers:
- port:
number: 80
name: http
protocol: HTTP
hosts:
- "*"
---
apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
name: httpbin-a
spec:
hosts:
- "*"
gateways:
- httpbin-gateway
http:
- match:
- uri:
prefix: /a
rewrite:
uri: /
route:
- destination:
port:
number: 10001
host: istio-a
timeout: 10s
先輸出ip和port確定請求地址:
echo $INGRESS_HOST:$INGRESS_PORT 192.168.17.210:31380
在瀏覽器請求<ip>:<port>/a/test
就搭建成功了