Kubernetes Istio exposure not working with VirtualService and Gateway
So, we have the following use case running on Istio 1.8.2/Kubernetes 1.18: our cluster is exposed through an external load balancer on Azure. When we expose the application in the following way, it works:
---
apiVersion: apps/v1
kind: ReplicaSet
metadata:
  annotations:
    ...
  name: frontend
  namespace: frontend
spec:
  replicas: 1
  selector:
    matchLabels:
      app: applicationname
  template:
    metadata:
      labels:
        app: appname
        name: frontend
        customer: customername
    spec:
      imagePullSecrets:
      - name: yadayada
      containers:
      - name: frontend
        image: yadayada
        imagePullPolicy: Always
        ports:
        - name: https
          protocol: TCP
          containerPort: 80
        resources: {}
      dnsPolicy: ClusterFirst
      restartPolicy: Always
      schedulerName: default-scheduler
---
apiVersion: v1
kind: Service
metadata:
  name: frontend-svc
  namespace: frontend
  labels:
    name: frontend-svc
    customer: customername
spec:
  type: LoadBalancer
  ports:
  - name: http
    port: 80
    targetPort: 80
  selector:
    name: frontend
---
apiVersion: networking.k8s.io/v1beta1
kind: Ingress
metadata:
  name: frontend
  namespace: frontend
  annotations:
    kubernetes.io/ingress.class: istio
    kubernetes.io/tls-acme: "true"
    cert-manager.io/cluster-issuer: letsencrypt-prod
spec:
  rules:
  - host: "customer.domain.com"
    http:
      paths:
      - path: /
        pathType: Prefix
        backend:
          serviceName: frontend-svc
          servicePort: 80
  tls:
  - hosts:
    - "customer.domain.com"
    secretName: certificate
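When we start using a VirtualService and Gateway, for some reason we cannot get it to work. We want to use VSVC and Gateways because they offer more flexibility and options (such as URL rewriting). Other applications do not have this problem on Istio (they are also much simpler), and we do not have network policies yet. We simply cannot reach the web page. Does anyone have an idea? The VirtualService and Gateway are below. The other 2 ReplicaSets are not mentioned because they are not the problem: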
---
apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
  creationTimestamp: null
  name: virtualservice-name
  namespace: frontend
spec:
  gateways:
  - frontend
  hosts:
  - customer.domain.com
  http:
  - match:
    - uri:
        prefix: /
    route:
    - destination:
        host: frontend
        port:
          number: 80
      weight: 100
  - match:
    - uri:
        prefix: /api/
    route:
    - destination:
        host: backend
        port:
          number: 8080
      weight: 100
  - match:
    - uri:
        prefix: /auth/
    route:
    - destination:
        host: keycloak
        port:
          number: 8080
      weight: 100
---
apiVersion: networking.istio.io/v1alpha3
kind: Gateway
metadata:
  name: frontend
  namespace: frontend
spec:
  selector:
    istio: ingressgateway # use istio default controller
  servers:
  - port:
      number: 80
      name: http2
      protocol: HTTP
    tls:
      httpsRedirect: True
    hosts:
    - "customer.domain.com"
  - port:
      number: 443
      name: https
      protocol: HTTPS
    tls:
      mode: PASSTHROUGH
      credentialName: customer-cert
    hosts:
    - "customer.domain.com"
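Your Gateway specifies PASSTHROUGH, but your VirtualService provides an HttpRoute. This means the TLS connection is not terminated by the gateway, but the VirtualService expects TLS to be terminated. See also this somewhat similar question.

@user140547 Correct, we have changed that now. But we still cannot reach the application.

We found that one of the important services was not receiving gateway traffic because that service was not set up correctly. This was our first Istio deployment with multiple services, so we thought each of them needed its own gateway. We did not know that one gateway is enough.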
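The mismatch described in the answer above (a PASSTHROUGH server bound to a VirtualService that only has HTTP routes) can be caught before deployment. The following is an added example, not code from the original thread or from the Istio project: the manifests are constructed from the ones in the question and embedded as Python dicts, `check_tls_routing` is a hypothetical helper, and it assumes exact host names and same-namespace gateway references (no wildcards, no `namespace/name` form).

```python
# Added example. GATEWAY and VIRTUAL_SERVICE are constructed from the question's manifests.
GATEWAY = {
    "kind": "Gateway",
    "metadata": {"name": "frontend", "namespace": "frontend"},
    "spec": {"servers": [
        {"port": {"number": 80, "name": "http2", "protocol": "HTTP"},
         "tls": {"httpsRedirect": True}, "hosts": ["customer.domain.com"]},
        {"port": {"number": 443, "name": "https", "protocol": "HTTPS"},
         "tls": {"mode": "PASSTHROUGH", "credentialName": "customer-cert"},
         "hosts": ["customer.domain.com"]},
    ]},
}
VIRTUAL_SERVICE = {
    "kind": "VirtualService",
    "metadata": {"name": "virtualservice-name", "namespace": "frontend"},
    "spec": {"gateways": ["frontend"], "hosts": ["customer.domain.com"],
             "http": [{"match": [{"uri": {"prefix": "/"}}],
                       "route": [{"destination": {"host": "frontend",
                                                  "port": {"number": 80}}}]}]},
}


def check_tls_routing(gateway, virtual_services):
    """Return findings where a server's TLS mode and the bound routes disagree."""
    findings = []
    gw_name = gateway["metadata"]["name"]
    # Assumption: gateways are referenced by bare name in the same namespace.
    bound = [vs for vs in virtual_services if gw_name in vs["spec"].get("gateways", [])]
    for server in gateway["spec"]["servers"]:
        tls = server.get("tls", {})
        port = server["port"]["number"]
        if tls.get("mode") != "PASSTHROUGH":
            continue
        # With PASSTHROUGH the gateway forwards the encrypted stream and can only
        # route on SNI, so its own certificate is unused and http routes never match.
        if "credentialName" in tls:
            findings.append(f"port {port}: credentialName is unused with PASSTHROUGH")
        for vs in bound:
            shared = set(vs["spec"]["hosts"]) & set(server["hosts"])
            if shared and "http" in vs["spec"] and "tls" not in vs["spec"]:
                findings.append(
                    f"port {port}: {vs['metadata']['name']} has http routes but no tls "
                    "routes; terminate with tls.mode SIMPLE or route on sniHosts")
    return findings


if __name__ == "__main__":
    for finding in check_tls_routing(GATEWAY, [VIRTUAL_SERVICE]):
        print(finding)
```

Changing the port 443 server to `mode: SIMPLE` makes the gateway terminate TLS with the `credentialName` secret, after which the HTTP routes apply and the check returns no findings.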