Using Istio, is there a way to route ingress to a k8s cluster service that is not running an envoy sidecar?
I'm running an Azure AKS cluster with both Windows and Linux VMs.
I can curl the cluster service by name from a pod in the Istio namespace, so I know TCP to the pod works. I believe I need to inform my Virtual Service in some way to not route through the envoy proxy, but just forward requests directly to the k8s service endpoint - similar to as if it were a VM external to the mesh.
I do have TLS terminating at the gateway - the k8s service itself is just exposed inside the cluster on port 80.
Currently, there is no envoy sidecar for Windows containers, but from a k8s perspective, this is just another service in the same cluster Istio is running in.
http-gateway.yaml
apiVersion: networking.istio.io/v1alpha3
kind: Gateway
metadata:
  annotations:
  name: http-gateway
  namespace: istio-system
spec:
  selector:
    istio: ingressgateway
  servers:
  - hosts:
    - "*.myapp.com"
    port:
      number: 80
      name: http-80-gateway
      protocol: HTTP
    tls:
      httpsRedirect: true # sends 301 redirect for http requests
  - hosts:
    - "*.myapp.com"
    port:
      number: 443
      name: https-443-gateway
      protocol: HTTPS
    tls:
      credentialName: cert-azure-dns
      privateKey: sds
      serverCertificate: sds
      mode: SIMPLE
virtual-service.yaml
apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
  name: myapp-vsvc
  namespace: myapp-ns
spec:
  hosts:
  - foo # external DNS name is foo.myapp.com; gateway host for HTTPS is '*.myapp.com'
  gateways:
  - istio-system/http-gateway
  http:
  - route:
    - destination:
        host: myapp-svc.myapp-ns.svc.cluster.local
        port:
          number: 80
Attempting an Envoy Passthrough
I've added a ServiceEntry like the following:
apiVersion: networking.istio.io/v1alpha3
kind: ServiceEntry
metadata:
  name: myapp-se
  namespace: myapp-ns
spec:
  hosts:
  - myapp-svc.myapp-ns.svc.cluster.local
  ports:
  - number: 80
    name: http
    protocol: HTTP
  resolution: DNS
  location: MESH_EXTERNAL
The server response is a 404 with a "server" header value of "istio-envoy".
DNS is resolving to the gateway correctly and the acme cert is valid - so this error usually indicates I've made it to the Virtual Service, but haven't been routed to a cluster service. In Kiali, there are no Istio validation errors on any of my yaml definitions: virtual service, service entry or gateway.
My global.outboundTrafficPolicy.mode is set to "ALLOW_ANY".
I wonder if declaring "EXTERNAL_MESH" for a cluster service is a problem? Istio knows the k8s service exists, so is it trying to give priority to routing to the envoy sidecar and ignoring my service entry registration?
There is an option to bypass envoy altogether for specific IP ranges, which would be an option if I could somehow set a static IP on this particular cluster service. I want to bypass envoy for ingress to this one cluster service.
You would use the ServiceEntry to do that:
apiVersion: networking.istio.io/v1alpha3
kind: ServiceEntry
metadata:
  name: httpbin-ext
spec:
  hosts:
  - httpbin.org
  ports:
  - number: 80
    name: http
    protocol: HTTP
  resolution: DNS
  location: MESH_EXTERNAL
https://istio.io/docs/tasks/traffic-management/egress/egress-control/
I could have sworn I tried this before, but apparently all I needed to provide was a simple Virtual Service without any Destination Rule or Service Entry.
apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
  name: myapp-vsvc
  namespace: myapp-ns
spec:
  hosts:
  - foo.myapp.com
  gateways:
  - istio-system/http-gateway
  http:
  - route:
    - destination:
        host: myapp-svc.myapp-ns.svc.cluster.local
        port:
          number: 80
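The difference between the failing VirtualService in the question (hosts: foo) and the working one above (hosts: foo.myapp.com) is the host binding, not the sidecar: the ingress gateway is itself the Envoy that terminates TLS and forwards to the Service's pod endpoints, so the destination pod needs no sidecar and no MESH_EXTERNAL ServiceEntry. Istio expands a short VirtualService host using the VirtualService's namespace (foo becomes foo.myapp-ns.svc.cluster.local), which falls outside the Gateway's "*.myapp.com" servers, so no route is installed and Envoy answers 404 with server: istio-envoy. The following is an added example, not code from the original post or from the Istio project: a small model of that host-matching logic, using the hostnames from the question, that a practitioner can run to check a Gateway/VirtualService pair before applying it. The wildcard and short-name rules follow documented Istio behaviour; the Decision type and select_route function are this example's own.

```python
# Added example (not from the original post or the Istio project): model how an
# Istio ingress gateway decides which VirtualService host serves a request, to
# show why hosts: [foo] in namespace myapp-ns yields a 404 from istio-envoy on a
# Gateway bound to "*.myapp.com" while hosts: [foo.myapp.com] routes.

from dataclasses import dataclass
from typing import Iterable, List, Optional


def expand_vs_host(host: str, namespace: str) -> str:
    """Istio rewrites a short VirtualService host ("foo") into
    foo.<namespace>.svc.cluster.local using the VirtualService's own
    namespace. FQDNs, external DNS names (anything containing a dot)
    and wildcards are left untouched."""
    if host.startswith("*") or "." in host:
        return host
    return f"{host}.{namespace}.svc.cluster.local"


def host_matches(pattern: str, name: str) -> bool:
    """Istio/Envoy host matching: "*" matches everything; "*.myapp.com"
    matches any name ending in ".myapp.com" (one or more extra labels,
    but not the bare "myapp.com"); anything else must match exactly.
    DNS names are case-insensitive, so compare lower-cased."""
    pattern, name = pattern.lower(), name.lower()
    if pattern == "*":
        return True
    if pattern.startswith("*."):
        suffix = pattern[1:]  # ".myapp.com"
        return name.endswith(suffix) and len(name) > len(suffix)
    return pattern == name


@dataclass(frozen=True)
class Decision:
    vs_host: Optional[str]  # expanded VirtualService host that matched, or None
    reason: str             # why the request will or will not be routed


def select_route(gateway_hosts: Iterable[str],
                 vs_hosts: Iterable[str],
                 vs_namespace: str,
                 request_host: str) -> Decision:
    """Decide whether a request for request_host (TLS SNI / Host header) is
    served by a VirtualService attached to a Gateway whose servers list
    gateway_hosts. vs_host=None is what a client sees as a 404 with
    'server: istio-envoy': the gateway accepted the connection but had no
    route for that host."""
    gw_hosts: List[str] = list(gateway_hosts)
    expanded = [expand_vs_host(h, vs_namespace) for h in vs_hosts]

    # 1. The gateway only installs routes for VirtualService hosts that lie
    #    inside one of its server hosts. foo.myapp-ns.svc.cluster.local is
    #    not inside "*.myapp.com", so nothing is bound.
    bound = [h for h in expanded if any(host_matches(g, h) for g in gw_hosts)]
    if not bound:
        return Decision(None, f"no VirtualService host in {expanded} is covered "
                              f"by gateway hosts {gw_hosts}")

    # 2. Among the bound hosts, the request's Host/SNI must match one.
    for h in bound:
        if host_matches(h, request_host):
            return Decision(h, f"request host {request_host!r} matched "
                               f"VirtualService host {h!r}")
    return Decision(None, f"request host {request_host!r} matched none of the "
                          f"bound hosts {bound}")


GATEWAY_HOSTS = ["*.myapp.com"]  # servers[].hosts from http-gateway.yaml in the question


if __name__ == "__main__":
    # The VirtualService from the question: a short name Istio expands to
    # foo.myapp-ns.svc.cluster.local, which the gateway never binds.
    print(select_route(GATEWAY_HOSTS, ["foo"], "myapp-ns", "foo.myapp.com"))
    # The working VirtualService from the answer above.
    print(select_route(GATEWAY_HOSTS, ["foo.myapp.com"], "myapp-ns", "foo.myapp.com"))
    # A host the gateway accepts at the TLS layer but has no route for.
    print(select_route(GATEWAY_HOSTS, ["foo.myapp.com"], "myapp-ns", "bar.myapp.com"))
```

Running the block prints the three decisions; the first and third come back with vs_host None, which is the condition that surfaces as the 404 in the question. The model deliberately ignores the destination side: whether myapp-svc's pods carry a sidecar never enters the decision, which is the point of the accepted answer.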