如何使用Istio创建服务别名?

时间:2018-12-11 20:24:15

标签: kubernetes istio

根据Istio documentation,VirtualServices应该能够将请求路由到“与请求完全不同的服务”。我想使用此功能在不同的应用程序中为服务提供不同的别名。

我从这样的VirtualService定义开始:

apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
  name: my-vs
spec:
  hosts:
  - my-alias
  http:
  - route:
    - destination:
        host: my-service

目的是使网格中的客户端容器能够将请求发送到http://my-alias,并将其路由到我的服务。将来,我将使用匹配规则对此进行扩展,以使别名在不同客户端上的行为有所不同,但即使是简单版本也无法使用。

在没有其他设置的情况下,客户端无法通过DNS解析我的别名。我可以通过添加一个名为my-alias的无选择器k8s服务来解决此问题,以便其DNS解析,但是VirtualService似乎不执行重定向。如果我将外部主机(如google.com)添加到VirtualService,则它将确实将对google.com的任何请求重定向到my-service。使用完整的主机名(my-alias.default.svc.cluster.local)没有帮助。

因此,似乎VirtualService不允许我重定向绑定到网格中另一个服务的流量。这是预料之中的,我有办法解决吗?

3 个答案:

答案 0 :(得分:3)

由于Istio中的HTTP路由是由HOST标头执行的,因此您必须重写请求的authority(HOST标头)。

http子句中添加HTTPRewrite子句:

apiVersion: networking.istio.io/v1alpha3 kind: VirtualService metadata: name: my-vs spec: hosts: - my-alias http: - route: - destination: host: my-service rewrite: authority: my-service

答案 1 :(得分:2)

问题最终导致我使用未命名的端口提供服务,因此流量从未进入网状网络。根据{{​​3}},HTTP端口必须命名为http

答案 2 :(得分:0)

我不确定这是否正确,但是将Istio1.7.4一起使用Minikube是有效的。

设置default名称空间以启用自动Istio注入:

export ISTIO_BASE_DIR=~/istio-1.7.4

kubectl label namespace default istio-injection=enabled

kubectl -n default apply -f ${ISTIO_BASE_DIR}/samples/sleep/sleep.yaml

kubectl -n default wait pod -l app=sleep --for condition=Ready

Istio对象:

---
apiVersion: v1
kind: Service
metadata:
  name: httpbin-alias
spec:
  type: ExternalName
  externalName: httpbin.org
  ports:
    - name: https
      protocol: TCP
      port: 443
---
apiVersion: networking.istio.io/v1alpha3
kind: ServiceEntry
metadata:
  name: httpbin-org-se
spec:
  hosts:
  - httpbin.org
  ports:
  - number: 443
    name: https-port
    protocol: HTTPS
  resolution: DNS
---
apiVersion: networking.istio.io/v1alpha3
kind: DestinationRule
metadata:
  name: httpbin-org-dr
spec:
  host: httpbin-alias.default.svc.cluster.local
  subsets:
  - name: tls-origination
    trafficPolicy:
      loadBalancer:
        simple: ROUND_ROBIN
      portLevelSettings:
      - port:
          number: 443
        tls:
          mode: SIMPLE
---
apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
  name: httpbin-org-vs
spec:
  hosts:
  - httpbin-alias.default.svc.cluster.local
  http:
  - match:
    - port: 80
    rewrite:
      authority: httpbin.org
    route:
    - destination:
        host: httpbin-alias.default.svc.cluster.local
        subset: tls-origination
        port:
          number: 443

测试:

export SOURCE_POD=$(kubectl get pod -l app=sleep -o jsonpath={.items..metadata.name})

kubectl exec "${SOURCE_POD}" -c sleep -- curl -is http://httpbin-alias.default.svc.cluster.local/get

结果:

HTTP/1.1 200 OK
date: Sat, 31 Oct 2020 12:51:11 GMT
content-type: application/json
content-length: 1340
server: envoy
access-control-allow-origin: *
access-control-allow-credentials: true
x-envoy-upstream-service-time: 1096

{
  "args": {}, 
  "headers": {
    "Accept": "*/*", 
    "Content-Length": "0", 
    "Host": "httpbin.org", 
    "User-Agent": "curl/7.69.1", 
    "X-Amzn-Trace-Id": "Root=1-5f9d5dbf-56498e4e1fb660062264a9ce", 
    "X-B3-Sampled": "0", 
    "X-B3-Spanid": "def6fd9e5a97df39", 
    "X-B3-Traceid": "88eeed562ce0c692def6fd9e5a97df39", 
    "X-Envoy-Attempt-Count": "1", 
    "X-Envoy-Decorator-Operation": "httpbin-alias.default.svc.cluster.local:443/*", 
    "X-Envoy-Peer-Metadata": "ChoKCkNMVVNURVJfSUQSDBoKS3ViZXJuZXRlcwocCgxJTlNUQU5DRV9JUFMSDBoKMTAuMzIuMC4xMArfAQoGTEFCRUxTEtQBKtEBCg4KA2FwcBIHGgVzbGVlcAoZCgxpc3Rpby5pby9yZXYSCRoHZGVmYXVsdAohChFwb2QtdGVtcGxhdGUtaGFzaBIMGgo4NTQ1NjVjYjc5CiQKGXNlY3VyaXR5LmlzdGlvLmlvL3Rsc01vZGUSBxoFaXN0aW8KKgofc2VydmljZS5pc3Rpby5pby9jYW5vbmljYWwtbmFtZRIHGgVzbGVlcAovCiNzZXJ2aWNlLmlzdGlvLmlvL2Nhbm9uaWNhbC1yZXZpc2lvbhIIGgZsYXRlc3QKGgoHTUVTSF9JRBIPGg1jbHVzdGVyLmxvY2FsCiAKBE5BTUUSGBoWc2xlZXAtODU0NTY1Y2I3OS1seDZudgoWCglOQU1FU1BBQ0USCRoHZGVmYXVsdApJCgVPV05FUhJAGj5rdWJlcm5ldGVzOi8vYXBpcy9hcHBzL3YxL25hbWVzcGFjZXMvZGVmYXVsdC9kZXBsb3ltZW50cy9zbGVlcAoaCg9TRVJWSUNFX0FDQ09VTlQSBxoFc2xlZXAKGAoNV09SS0xPQURfTkFNRRIHGgVzbGVlcA==", 
    "X-Envoy-Peer-Metadata-Id": "sidecar~10.32.0.10~sleep-854565cb79-lx6nv.default~default.svc.cluster.local"
  }, 
  "origin": "187.20.35.178", 
  "url": "https://httpbin.org/get"
}

istio-proxy容器登录到sleep POD:

[2020-10-31T13:18:23.261Z] "GET /get HTTP/1.1" 200 - "-" "-" 0 1340 811 810 "-" "curl/7.69.1" "a168f9d8-c9b4-4a5d-9312-715f47e220da" "httpbin.org" "35.170.225.136:443" outbound|443|tls-origination|httpbin-alias.default.svc.cluster.local 10.32.0.10:41666 54.156.97.186:80 10.32.0.10:55648 - -
相关问题
最新问题