Kubernetes 如何创建自定义istio入口网关控制器?
我们的GKE集群共享给公司的多个团队。每个团队可以有不同的公共域(因此希望有不同的CA证书设置和不同的入口网关控制器)。在Istio中如何做到这一点?Istio网站上的所有教程/介绍文章都使用共享入口网关。请参阅istio-1.0.0安装的共享入口网关示例:Kubernetes 如何创建自定义istio入口网关控制器?,kubernetes,istio,Kubernetes,Istio,我们的GKE集群共享给公司的多个团队。每个团队可以有不同的公共域(因此希望有不同的CA证书设置和不同的入口网关控制器)。在Istio中如何做到这一点?Istio网站上的所有教程/介绍文章都使用共享入口网关。请参阅istio-1.0.0安装的共享入口网关示例: 我猜,我还没有试过: 使用不同的Internet标签创建多个istio ingressgateway部署,如:istio:ingressgateway1、istio:ingressgateway2、…,以及不同的tls密钥 创建多个网关以
我猜,我还没有试过:
好的,我通过helm查看了Istio安装代码后找到了答案。因此,基本上istio有一个官方的方式(但实际上没有在他们的readme.md文件中记录)来添加额外的网关(入口和出口网关)。我知道这一点,因为我在他们的github repo中找到了这一点,并阅读了评论(还查看了规范及其逻辑的
gateway
图表模板代码)
例如,我通过定义values-custom-gateway.yaml文件解决了这个问题:
# Gateways Configuration
# By default (if enabled) a pair of Ingress and Egress Gateways will be created for the mesh.
# You can add more gateways in addition to the defaults but make sure those are uniquely named
# and that NodePorts are not conflicting.
# Disable specifc gateway by setting the `enabled` to false.
#
gateways:
enabled: true
agung-ingressgateway:
namespace: agung-ns
enabled: true
labels:
app: agung-istio-ingressgateway
istio: agung-ingressgateway
replicaCount: 1
autoscaleMin: 1
autoscaleMax: 2
resources: {}
# limits:
# cpu: 100m
# memory: 128Mi
#requests:
# cpu: 1800m
# memory: 256Mi
loadBalancerIP: ""
serviceAnnotations: {}
type: LoadBalancer #change to NodePort, ClusterIP or LoadBalancer if need be
ports:
## You can add custom gateway ports
- port: 80
targetPort: 80
name: http2
# nodePort: 31380
- port: 443
name: https
# nodePort: 31390
- port: 31400
name: tcp
secretVolumes:
- name: ingressgateway-certs
secretName: istio-ingressgateway-certs
mountPath: /etc/istio/ingressgateway-certs
- name: ingressgateway-ca-certs
secretName: istio-ingressgateway-ca-certs
mountPath: /etc/istio/ingressgateway-ca-certs
如果您查看上面的yaml文件,我指定了名称空间
,而不是istio系统
ns。在这种情况下,我们可以有一种方法来定制定制网关使用的TLS和ca证书。
此外,作为自定义网关控制器规范持有人的agung-ingresgateway
也被用作网关控制器的名称
然后,我只需通过helm-upgrade安装istio——安装,这样helm就可以通过额外的网关智能地升级istio
helm upgrade my-istio-release-name <istio-chart-folder> --install
事实上,这很简单。Istio的ingress只是“负载平衡器”类型的常规Kubernetes服务。因此,如果您想创建额外的入口网关,只需应用您的服务(您可以放置任何您想要的端口):
考虑到您在名为“customingres.yaml”的文件中有此文件,请使用以下命令应用此命令:
kubectl apply -f customingress.yaml
我试过了,并且成功了:
---
# Source: istio/charts/gateways/templates/serviceaccount.yaml
apiVersion: v1
kind: ServiceAccount
metadata:
name: beta-ingressgateway-service-account
namespace: beta
labels:
app: ingressgateway-beta
---
---
# Source: istio/charts/gateways/templates/clusterrole.yaml
apiVersion: rbac.authorization.k8s.io/v1beta1
kind: ClusterRole
metadata:
labels:
app: gateways
name: ingressgateway-beta
rules:
- apiGroups: ["extensions"]
resources: ["thirdpartyresources", "virtualservices", "destinationrules", "gateways"]
verbs: ["get", "watch", "list", "update"]
---
---
# Source: istio/charts/gateways/templates/clusterrolebindings.yaml
apiVersion: rbac.authorization.k8s.io/v1beta1
kind: ClusterRoleBinding
metadata:
name: ingressgateway-beta
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: ingressgateway-beta
subjects:
- kind: ServiceAccount
name: beta-ingressgateway-service-account
namespace: beta
---
---
# Source: istio/charts/gateways/templates/service.yaml
apiVersion: v1
kind: Service
metadata:
name: ingressgateway-beta
namespace: beta
annotations:
labels:
istio: ingressgateway-beta
spec:
type: LoadBalancer
selector:
istio: ingressgateway-beta
ports:
-
name: http
port: 80
targetPort: 80
-
name: https
port: 443
targetPort: 443
---
---
# Source: istio/charts/gateways/templates/deployment.yaml
apiVersion: extensions/v1beta1
kind: Deployment
metadata:
name: ingressgateway-beta
namespace: beta
labels:
istio: ingressgateway-beta
spec:
replicas: 1
template:
metadata:
labels:
istio: ingressgateway-beta
annotations:
sidecar.istio.io/inject: "false"
scheduler.alpha.kubernetes.io/critical-pod: ""
spec:
serviceAccountName: beta-ingressgateway-service-account
tolerations:
- key: "env"
operator: "Equal"
value: "beta"
effect: "NoSchedule"
nodeSelector:
env: beta
containers:
- name: istio-proxy
image: "ISTIO_PROXY_IMAGE"
imagePullPolicy: IfNotPresent
ports:
- containerPort: 80
- containerPort: 443
args:
- proxy
- router
- -v
- "2"
- --discoveryRefreshDelay
- '1s' #discoveryRefreshDelay
- --drainDuration
- '45s' #drainDuration
- --parentShutdownDuration
- '1m0s' #parentShutdownDuration
- --connectTimeout
- '10s' #connectTimeout
- --serviceCluster
- ingressgateway-beta
- --zipkinAddress
- zipkin.istio-system:9411
- --proxyAdminPort
- "15000"
- --controlPlaneAuthPolicy
- NONE
- --discoveryAddress
- istio-pilot.istio-system:8080
resources:
requests:
cpu: 10m
env:
- name: POD_NAME
valueFrom:
fieldRef:
apiVersion: v1
fieldPath: metadata.name
- name: POD_NAMESPACE
valueFrom:
fieldRef:
apiVersion: v1
fieldPath: metadata.namespace
- name: INSTANCE_IP
valueFrom:
fieldRef:
apiVersion: v1
fieldPath: status.podIP
- name: ISTIO_META_POD_NAME
valueFrom:
fieldRef:
fieldPath: metadata.name
volumeMounts:
- name: istio-certs
mountPath: /etc/certs
readOnly: true
- name: ingressgateway-beta-certs
mountPath: "/etc/istio/ingressgateway-beta-certs"
readOnly: true
- name: ingressgateway-beta-ca-certs
mountPath: "/etc/istio/ingressgateway-beta-ca-certs"
readOnly: true
volumes:
- name: istio-certs
secret:
secretName: istio.beta-ingressgateway-service-account
optional: true
- name: ingressgateway-beta-certs
secret:
secretName: "istio-ingressgateway-beta-certs"
optional: true
- name: ingressgateway-beta-ca-certs
secret:
secretName: "istio-ingressgateway-beta-ca-certs"
optional: true
affinity:
nodeAffinity:
requiredDuringSchedulingIgnoredDuringExecution:
nodeSelectorTerms:
- matchExpressions:
- key: beta.kubernetes.io/arch
operator: In
values:
- amd64
- ppc64le
- s390x
preferredDuringSchedulingIgnoredDuringExecution:
- weight: 2
preference:
matchExpressions:
- key: beta.kubernetes.io/arch
operator: In
values:
- amd64
- weight: 2
preference:
matchExpressions:
- key: beta.kubernetes.io/arch
operator: In
values:
- ppc64le
- weight: 2
preference:
matchExpressions:
- key: beta.kubernetes.io/arch
operator: In
values:
- s390x
---
---
# Source: istio/charts/gateways/templates/autoscale.yaml
# Source: istio/charts/gateways/templates/autoscale.yaml
apiVersion: autoscaling/v2beta1
kind: HorizontalPodAutoscaler
metadata:
name: ingressgateway-beta
namespace: beta
spec:
maxReplicas: 5
minReplicas: 1
scaleTargetRef:
apiVersion: apps/v1beta1
kind: Deployment
name: ingressgateway-beta
metrics:
- type: Resource
resource:
name: cpu
targetAverageUtilization: 80
---
记得要替换ISTIO\u PROXY\u IMAGE
,节点选择器
和容差
这是我在ISTIO 1.4中使用的
要在您自己的命名空间中生成新的istio ingressgateway部署、服务和ServiceAccount(本例中为bookinfo)
然后,应用生成的文件:
kubectl apply -f customingress.yaml
现在,您可以从网关资源中引用以下内容:
apiVersion: networking.istio.io/v1alpha3
kind: Gateway
metadata:
name: bookinfo-gateway
spec:
selector:
istio: custom-ingressgateway # use the CUSTOM istio controller
servers:
- port:
number: 80
name: http
protocol: HTTP
hosts:
- "*"
通过将自定义服务注释添加到helm template命令中,可以设置自定义服务注释,如下所示:
--set gateways.istio-ingressgateway.serviceAnnotations.'service\.kubernetes\.io/ibm-load-balancer-cloud-provider-ip-type'=private \
不,istio入口网关不是kube服务/LB,它基本上是一个运行istio服务的部署(一个istio容器,没有侧车),可以通过kube服务/LB向公众公开。它类似于nginx入口控制器istio“入口网关”,至少在版本1.0.5中是这样。是K8s的常规服务。我个人尝试了上面的yaml,它完全符合预期:它为我创建了额外的ELB(在专用IP上公开),我能够将流量从两个ELB路由到同一个网关。是的,这是因为您正在istio系统中使用标签为istio:ingressgateway
的共享网关部署。关于如何创建专用证书的问题,即您可以自定义TLS机密的证书等。实际上,我在这里@4c74356b41找到了答案,答案来自安装在该卷上的机密ingressgateway ca证书。请参阅我提供网关的代码片段。这里有secretVolumes
definition嘿,它从哪里获得ca证书?另外,我真的不明白,如果我升级现有的istio版本,它会删除pilot\mixer\etc,如果我试图从自定义网关创建一个新版本,它就会崩溃。是的,我看到了,但是是什么创造了这个秘密?它不在任何名称空间中(包括istio系统)是的,我看到istio默认安装没有执行滚动升级的机制。这意味着,当您更改istio图像版本时,它将终止现有的控制平面并生成一个新的控制平面。我自己目前正在准备定制helm安装,以便进行升级准备,而不需要停机(strill尝试),正如我所说,它将删除istio系统中的PODnamespace@4c74356b41也许为了更好地理解您的问题,请为这是个好主意而创建一个SO问题:)
helm template install/kubernetes/helm/istio/ \
--namespace bookinfo \
--set global.istioNamespace=istio-system \
-x charts/gateways/templates/deployment.yaml \
-x charts/gateways/templates/service.yaml \
-x charts/gateways/templates/serviceaccount.yaml \
--set gateways.istio-ingressgateway.enabled=true \
--set gateways.istio-egressgateway.enabled=false \
--set gateways.istio-ingressgateway.labels.app=custom-istio-ingressgateway \
--set gateways.istio-ingressgateway.labels.istio=custom-ingressgateway \
> customingress.yaml
kubectl apply -f customingress.yaml
apiVersion: networking.istio.io/v1alpha3
kind: Gateway
metadata:
name: bookinfo-gateway
spec:
selector:
istio: custom-ingressgateway # use the CUSTOM istio controller
servers:
- port:
number: 80
name: http
protocol: HTTP
hosts:
- "*"
--set gateways.istio-ingressgateway.serviceAnnotations.'service\.kubernetes\.io/ibm-load-balancer-cloud-provider-ip-type'=private \