
Istio gateway

Gateway configuration essentials

  • A Gateway describes a load balancer running at the edge of the mesh that receives inbound or outbound HTTP/TCP connections.
  • It mainly declares the ports to expose outside the mesh, the protocol served on each port, and the SNI/TLS settings.
  • A Gateway is defined mainly through two key fields:
    • selector: a Pod label selector that names the ingress gateway Pod(s) this Gateway configuration attaches to
      • It picks Pods from among the one or more ingress gateway instances deployed with Istio
      • Only ingress gateway instances that match the selector receive the configuration defined in this Gateway resource
    • servers: the list of exposed entry points; each server is described by port, hosts, defaultEndpoint and tls
      • port: the externally published port on which the gateway accepts requests
      • hosts: the addresses the Gateway serves, normally FQDNs, with a leading * wildcard allowed; an entry may carry a namespace/ prefix that restricts which namespaces' VirtualServices can bind to the server
      • defaultEndpoint: the default backend for the server
      • tls: TLS settings for a server published over HTTPS (mode, certificates, minimum protocol version, and so on); credentialName references a Kubernetes Secret, which must live in the ingress gateway's own namespace
  • Note: a Gateway only defines the entry point to expose. How traffic is routed once it is inside the mesh is still defined by a VirtualService that binds to the Gateway.

Gateway notes

1. The hosts field does not accept non-FQDN strings, but a leading "*" wildcard may be used. Each entry may also be prefixed with a namespace ("ns/host", "./host" or "*/host") to limit which namespaces' VirtualServices can bind to that server; an entry with no prefix behaves like "*/host", so a VirtualService in any namespace may bind to it.

2. A Gateway resource should be defined in the namespace where the ingress gateway Pods it selects run. By default the selector matches gateway workloads in any namespace (this is governed by the PILOT_SCOPE_GATEWAY_TO_NAMESPACE setting, which is off by default), but keeping the two together makes the trust boundary explicit, and any Secret named by credentialName must in any case be in the ingress gateway's namespace.
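The two rules above, plus the weak TLS settings a reviewer looks for in a Gateway, can be checked mechanically. The following is an added example written for these notes (it is not code from the original page or from the Istio project): a small Python linter over the JSON that `kubectl get gateway,virtualservice -o json` returns, so only the standard library is needed. The sample documents are a cut-down version of Example one and two constructed VirtualServices; the finding codes (UNSCOPED_HOST, PLAINTEXT_WILDCARD, FILE_MOUNTED_CERTS, NO_MIN_TLS_VERSION) are names chosen here, not Istio terms.

```python
"""Lint Istio Gateway servers and work out which VirtualServices can bind to them.

Added example, not from the original notes or from Istio. Input is the JSON shape
returned by `kubectl get gateway,virtualservice -o json`; all samples are constructed.
"""
import json

# --- constructed input: a cut-down Example one -------------------------------------
GATEWAY = json.loads("""
{"apiVersion": "networking.istio.io/v1beta1", "kind": "Gateway",
 "metadata": {"name": "my-gateway", "namespace": "some-config-namespace"},
 "spec": {"selector": {"app": "my-gateway-controller"},
          "servers": [
            {"port": {"number": 80, "name": "http", "protocol": "HTTP"},
             "hosts": ["uk.bookinfo.com"], "tls": {"httpsRedirect": true}},
            {"port": {"number": 443, "name": "https-443", "protocol": "HTTPS"},
             "hosts": ["uk.bookinfo.com"],
             "tls": {"mode": "SIMPLE", "serverCertificate": "/etc/certs/servercert.pem",
                     "privateKey": "/etc/certs/privatekey.pem"}},
            {"port": {"number": 9443, "name": "https-9443", "protocol": "HTTPS"},
             "hosts": ["bookinfo-namespace/*.bookinfo.com"],
             "tls": {"mode": "SIMPLE", "credentialName": "bookinfo-secret",
                     "minProtocolVersion": "TLSV1_2"}},
            {"port": {"number": 9080, "name": "http-wildcard", "protocol": "HTTP"},
             "hosts": ["*"]}]}}
""")

# Constructed VirtualServices: one in the namespace the 9443 server is scoped to, one elsewhere.
VS_SAME_NS = json.loads("""
{"kind": "VirtualService", "metadata": {"name": "bookinfo-rule", "namespace": "bookinfo-namespace"},
 "spec": {"hosts": ["uk.bookinfo.com"], "gateways": ["some-config-namespace/my-gateway"]}}
""")
VS_OTHER_NS = json.loads("""
{"kind": "VirtualService", "metadata": {"name": "hijack", "namespace": "other-team"},
 "spec": {"hosts": ["uk.bookinfo.com"], "gateways": ["some-config-namespace/my-gateway"]}}
""")


def split_host(entry):
    """'ns/dns' -> ('ns', 'dns'); a bare dns name defaults to namespace '*' (any namespace)."""
    ns, sep, dns = entry.partition("/")
    return (ns, dns) if sep else ("*", ns)


def lint_gateway(gw):
    """Return (server name, finding code) pairs for security-relevant weak settings."""
    findings = []
    for srv in gw["spec"]["servers"]:
        name = srv["port"]["name"]
        proto = srv["port"]["protocol"].upper()
        tls = srv.get("tls", {})
        hosts = [split_host(h) for h in srv.get("hosts", [])]
        # Bare host entries behave like "*/host": a VirtualService in any namespace may bind.
        if any(ns == "*" for ns, _ in hosts):
            findings.append((name, "UNSCOPED_HOST"))
        # Plaintext HTTP on a wildcard host with no redirect to HTTPS.
        if proto == "HTTP" and any(dns == "*" for _, dns in hosts) and not tls.get("httpsRedirect"):
            findings.append((name, "PLAINTEXT_WILDCARD"))
        if tls.get("mode") in ("SIMPLE", "MUTUAL"):
            # Key material read from files mounted into the gateway Pod instead of a Secret (credentialName).
            if "serverCertificate" in tls or "privateKey" in tls:
                findings.append((name, "FILE_MOUNTED_CERTS"))
            # Minimum TLS version left to defaults rather than pinned explicitly.
            if "minProtocolVersion" not in tls:
                findings.append((name, "NO_MIN_TLS_VERSION"))
    return findings


def host_matches(pattern, host):
    """Istio host matching: '*' matches anything, '*.x' matches names ending in '.x' (not 'x' itself)."""
    p_wild, h_wild = pattern.startswith("*"), host.startswith("*")
    if p_wild and h_wild:
        longer, shorter = (pattern, host) if len(pattern) >= len(host) else (host, pattern)
        return longer[1:].endswith(shorter[1:])
    if p_wild:
        return host.endswith(pattern[1:])
    if h_wild:
        return pattern.endswith(host[1:])
    return pattern == host


def bound_servers(gw, vs):
    """Names of the Gateway servers this VirtualService is allowed to attach to."""
    gw_ns, gw_name = gw["metadata"]["namespace"], gw["metadata"]["name"]
    vs_ns = vs["metadata"]["namespace"]
    # A gateway reference without a namespace qualifier means the VirtualService's own namespace.
    refs = {r if "/" in r else f"{vs_ns}/{r}" for r in vs["spec"].get("gateways", [])}
    if f"{gw_ns}/{gw_name}" not in refs:
        return []
    bound = []
    for srv in gw["spec"]["servers"]:
        for entry in srv.get("hosts", []):
            ns, dns = split_host(entry)
            ns = gw_ns if ns == "." else ns  # "." means the Gateway's own namespace
            if ns in ("*", vs_ns) and any(host_matches(dns, h) for h in vs["spec"]["hosts"]):
                bound.append(srv["port"]["name"])
                break
    return bound


if __name__ == "__main__":
    for name, code in lint_gateway(GATEWAY):
        print(f"{name}: {code}")
    print("bookinfo-namespace VS binds to:", bound_servers(GATEWAY, VS_SAME_NS))
    print("other-team VS binds to:", bound_servers(GATEWAY, VS_OTHER_NS))
```

Running it shows the point of the namespace prefix: the VirtualService from other-team can still attach to the three servers whose hosts carry no prefix, but not to the 9443 server scoped to bookinfo-namespace/. To lint a live cluster, replace the constructed documents with `json.load` over the `kubectl ... -o json` output and iterate over its `items`.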


Gateway configuration examples

Example one

apiVersion: networking.istio.io/v1beta1
kind: Gateway
metadata:
  name: my-gateway
  namespace: some-config-namespace
spec:
  selector:
    app: my-gateway-controller
  servers:
  - port:
      number: 80
      name: http
      protocol: HTTP
    hosts:
    - uk.bookinfo.com
    - eu.bookinfo.com
    tls:
      httpsRedirect: true # sends 301 redirect for http requests
  - port:
      number: 443
      name: https-443
      protocol: HTTPS
    hosts:
    - uk.bookinfo.com
    - eu.bookinfo.com
    tls:
      mode: SIMPLE # enables HTTPS on this port
      serverCertificate: /etc/certs/servercert.pem
      privateKey: /etc/certs/privatekey.pem
  - port:
      number: 9443
      name: https-9443
      protocol: HTTPS
    hosts:
    - "bookinfo-namespace/*.bookinfo.com"
    tls:
      mode: SIMPLE # enables HTTPS on this port
      credentialName: bookinfo-secret # fetches certs from Kubernetes secret
  - port:
      number: 9080
      name: http-wildcard
      protocol: HTTP
    hosts:
    - "*"
  - port:
      number: 2379 # to expose internal service via external port 2379
      name: mongo
      protocol: MONGO
    hosts:
    - "*"
---
apiVersion: networking.istio.io/v1beta1
kind: VirtualService
metadata:
  name: bookinfo-rule
  namespace: bookinfo-namespace
spec:
  hosts:
  - reviews.prod.svc.cluster.local
  - uk.bookinfo.com
  - eu.bookinfo.com
  gateways:
  - some-config-namespace/my-gateway
  - mesh # applies to all the sidecars in the mesh
  http:
  - match:
    - headers:
        cookie:
          exact: "user=dev-123"
    route:
    - destination:
        port:
          number: 7777
        host: reviews.qa.svc.cluster.local
  - match:
    - uri:
        prefix: /reviews/
    route:
    - destination:
        port:
          number: 9080 # can be omitted if it's the only port for reviews
        host: reviews.prod.svc.cluster.local
      weight: 80
    - destination:
        host: reviews.qa.svc.cluster.local
      weight: 20
---
apiVersion: networking.istio.io/v1beta1
kind: VirtualService
metadata:
  name: bookinfo-mongo
  namespace: bookinfo-namespace
spec:
  hosts:
  - mongosvr.prod.svc.cluster.local # name of internal Mongo service
  gateways:
  - some-config-namespace/my-gateway # can omit the namespace if gateway is in same namespace as virtual service.
  tcp:
  - match:
    - port: 2379 # the gateway listener port defined above; Mongo's own 27017 would never match here
    route:
    - destination:
        host: mongo.prod.svc.cluster.local
        port:
          number: 5555      

Example two

apiVersion: networking.istio.io/v1beta1
kind: Gateway
metadata:
  name: my-gateway
  namespace: some-config-namespace
spec:
  selector:
    app: my-gateway-controller
  servers:
  - port:
      number: 80
      name: http
      protocol: HTTP
    hosts:
    - "ns1/*"            # any host, but only VirtualServices in namespace ns1 may bind
    - "ns2/foo.bar.com"  # only foo.bar.com, and only from VirtualServices in namespace ns2
