我们都知道,在istio中可以通过ingress gateway将服务暴露给外部使用,但是我们使用的ingress规则都是落在istio部署时默认创建的istio-ingressgateway上,如果我们希望创建自定义的ingressgateway该怎么操作呢,本文就带大家一步步操作,创建一个自定义的ingressgateway
环境准备
创建Kubernetes集群
阿里云容器服务Kubernetes 1.11.2目前已经上线,可以通过容器服务管理控制台非常方便地快速创建 Kubernetes 集群。
部署istio
部署bookinfo
首先为default 命名空间打上标签 istio-injection=enabled
kubectl label namespace default istio-injection=enabled
使用Kubectl命令部署Bookinfo示例应用
kubectl apply -f https://raw.githubusercontent.com/istio/istio/1.0.2/samples/bookinfo/platform/kube/bookinfo.yaml
部署完成后效果如下图:
$ kubectl get pod,svc
NAME READY STATUS RESTARTS AGE
pod/details-v1-5d88f495b7-cvxk5 2/2 Running 0 19h
pod/productpage-v1-774fd75c99-5l898 2/2 Running 0 19h
pod/ratings-v1-64664b6bcf-j7lzh 2/2 Running 0 19h
pod/reviews-v1-fd7c6fdf5-4px4g 2/2 Running 0 19h
pod/reviews-v2-56b67454cc-fmtl8 2/2 Running 0 19h
pod/reviews-v3-86878d875-6xztb 2/2 Running 0 19h
NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE
service/details ClusterIP 172.21.13.128 <none> 9080/TCP 19h
service/kubernetes ClusterIP 172.21.0.1 <none> 443/TCP 21h
service/productpage ClusterIP 172.21.7.104 <none> 9080/TCP 19h
service/ratings ClusterIP 172.21.7.176 <none> 9080/TCP 19h
service/reviews ClusterIP 172.21.1.207 <none> 9080/TCP 19h
创建自定义ingressgateway
---
# Source: istio/charts/gateways/templates/serviceaccount.yaml
apiVersion: v1
kind: ServiceAccount
metadata:
name: customgateway-service-account
namespace: default
labels:
app: customgateway
---
---
# Source: istio/charts/gateways/templates/clusterrole.yaml
apiVersion: rbac.authorization.k8s.io/v1beta1
kind: ClusterRole
metadata:
labels:
app: gateways
name: customgateway-default # default should replaced by actual namespace
rules:
- apiGroups: ["extensions"]
resources: ["thirdpartyresources", "virtualservices", "destinationrules", "gateways"]
verbs: ["get", "watch", "list", "update"]
---
---
# Source: istio/charts/gateways/templates/clusterrolebindings.yaml
apiVersion: rbac.authorization.k8s.io/v1beta1
kind: ClusterRoleBinding
metadata:
name: customgateway-default # default should replaced by actual namespace
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: customgateway-default # default should replaced by actual namespace
subjects:
- kind: ServiceAccount
name: customgateway-service-account
namespace: default
---
---
# Source: istio/charts/gateways/templates/service.yaml
apiVersion: v1
kind: Service
metadata:
name: customgateway
namespace: default
annotations:
labels:
istio: customgateway
spec:
type: LoadBalancer
selector:
istio: customgateway
ports:
-
name: http
port: 80
targetPort: 80
-
name: https
port: 443
targetPort: 443
---
---
# Source: istio/charts/gateways/templates/deployment.yaml
apiVersion: extensions/v1beta1
kind: Deployment
metadata:
name: customgateway
namespace: default
labels:
istio: customgateway
spec:
replicas: 1
template:
metadata:
labels:
istio: customgateway
annotations:
sidecar.istio.io/inject: "false"
scheduler.alpha.kubernetes.io/critical-pod: ""
spec:
serviceAccountName: customgateway-service-account
containers:
- name: istio-proxy
image: "registry.cn-beijing.aliyuncs.com/aliacs-app-catalog/proxyv2:1.0.3"
imagePullPolicy: IfNotPresent
ports:
- containerPort: 80
- containerPort: 443
args:
- proxy
- router
- -v
- "2"
- --discoveryRefreshDelay
- '1s' #discoveryRefreshDelay
- --drainDuration
- '45s' #drainDuration
- --parentShutdownDuration
- '1m0s' #parentShutdownDuration
- --connectTimeout
- '10s' #connectTimeout
- --serviceCluster
- customgateway
- --zipkinAddress
- zipkin.istio-system:9411
- --proxyAdminPort
- "15000"
- --controlPlaneAuthPolicy
- NONE
- --discoveryAddress
- istio-pilot.istio-system:8080
resources:
requests:
cpu: 10m
env:
- name: POD_NAME
valueFrom:
fieldRef:
apiVersion: v1
fieldPath: metadata.name
- name: POD_NAMESPACE
valueFrom:
fieldRef:
apiVersion: v1
fieldPath: metadata.namespace
- name: INSTANCE_IP
valueFrom:
fieldRef:
apiVersion: v1
fieldPath: status.podIP
- name: ISTIO_META_POD_NAME
valueFrom:
fieldRef:
fieldPath: metadata.name
volumeMounts:
- name: istio-certs
mountPath: /etc/certs
readOnly: true
- name: customgateway-certs
mountPath: "/etc/istio/customgateway-certs"
readOnly: true
- name: customgateway-ca-certs
mountPath: "/etc/istio/customgateway-ca-certs"
readOnly: true
volumes:
- name: istio-certs
secret:
secretName: istio.customgateway-service-account
optional: true
- name: customgateway-certs
secret:
secretName: "istio-customgateway-certs"
optional: true
- name: customgateway-ca-certs
secret:
secretName: "istio-customgateway-ca-certs"
optional: true
affinity:
nodeAffinity:
requiredDuringSchedulingIgnoredDuringExecution:
nodeSelectorTerms:
- matchExpressions:
- key: beta.kubernetes.io/arch
operator: In
values:
- amd64
- ppc64le
- s390x
preferredDuringSchedulingIgnoredDuringExecution:
- weight: 2
preference:
matchExpressions:
- key: beta.kubernetes.io/arch
operator: In
values:
- amd64
- weight: 2
preference:
matchExpressions:
- key: beta.kubernetes.io/arch
operator: In
values:
- ppc64le
- weight: 2
preference:
matchExpressions:
- key: beta.kubernetes.io/arch
operator: In
values:
- s390x
---
---
# Source: istio/charts/gateways/templates/autoscale.yaml
apiVersion: autoscaling/v2beta1
kind: HorizontalPodAutoscaler
metadata:
name: customgateway
namespace: default
spec:
maxReplicas: 5
minReplicas: 1
scaleTargetRef:
apiVersion: apps/v1beta1
kind: Deployment
name: customgateway
metrics:
- type: Resource
resource:
name: cpu
targetAverageUtilization: 80
---
上面这段yaml在default namespace定义了一个名叫customgateway
的ingressgateway,并为他创建了serviceaccount,HPA等一系列相关的配置,如果我们需要定义多个,需要替换yaml里的default和customgateway为自己想要的名字
定义入口路由
apiVersion: networking.istio.io/v1alpha3
kind: Gateway
metadata:
name: bookinfo-gateway
spec:
selector:
istio: customgateway
servers:
- port:
number: 80
name: http
protocol: HTTP
hosts:
- "*"
---
apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
name: bookinfo
spec:
hosts:
- "*"
gateways:
- bookinfo-gateway
http:
- match:
- uri:
exact: /productpage
- uri:
exact: /login
- uri:
exact: /logout
- uri:
prefix: /api/v1/products
route:
- destination:
host: productpage
port:
number: 9080
这里最重要的是为Gateway指定规则落在哪个deploy上,这里指定的是istio: customgateway
访问应用
获取自定义ingressgateway的入口然后访问应用
export INGRESS_HOST=$(kubectl -n default get service customgateway -o jsonpath='{.status.loadBalancer.ingress[0].ip}')
export INGRESS_PORT=$(kubectl -n default get service customgateway -o jsonpath='{.spec.ports[?(@.name=="http")].port}')
curl -o /dev/null -s -w "%{http_code}\n" http://${INGRESS_HOST}:${INGRESS_PORT}/productpage
如果返回200则说明配置正确
总结
上面通过示例演示了Istio如何创建一个自定义的ingress gateway
欢迎大家使用阿里云上的容器服务,快速搭建微服务的开放治理平台Istio,简单地集成到自己项目的微服务开发中。