Install istiod (not covered in this article).
Deploy the ingress gateway (this part is needed for both the Ingress and the Gateway API approaches); it is what forwards external requests into the mesh.
Create ingress.yaml (reference: https://istio.io/latest/zh/docs/setup/additional-setup/gateway/#deploy-gateway):
apiVersion: v1
kind: Service
metadata:
  name: istio-ingressgateway
  namespace: istio-ingress
spec:
  type: LoadBalancer
  selector:
    istio: ingressgateway
  ports:
  - port: 80
    name: http
  - port: 443
    name: https
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: istio-ingressgateway
  namespace: istio-ingress
spec:
  selector:
    matchLabels:
      istio: ingressgateway
  template:
    metadata:
      annotations:
        # Select the gateway injection template (instead of the default sidecar template)
        inject.istio.io/templates: gateway
      labels:
        # Set a unique label for the gateway. This is required so that a Gateway can select this workload
        istio: ingressgateway
        # Enable gateway injection. If you later connect to a revisioned control plane, replace with `istio.io/rev: revision-name`
        sidecar.istio.io/inject: "true"
    spec:
      # Allow binding to all ports (such as 80 and 443) without root or NET_BIND_SERVICE
      securityContext:
        sysctls:
        - name: net.ipv4.ip_unprivileged_port_start
          value: "0"
      containers:
      - name: istio-proxy
        image: auto # The injector replaces this with the proxy image each time the Pod starts.
        # Drop all capabilities, allowing the proxy to run as a non-root user
        securityContext:
          capabilities:
            drop:
            - ALL
          runAsUser: 1337
          runAsGroup: 1337
---
# Set up a Role that allows reading TLS credentials
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: istio-ingressgateway-sds
  namespace: istio-ingress
rules:
- apiGroups: [""]
  resources: ["secrets"]
  verbs: ["get", "watch", "list"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: istio-ingressgateway-sds
  namespace: istio-ingress
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: istio-ingressgateway-sds
subjects:
- kind: ServiceAccount
  # The Deployment above runs as the namespace's default ServiceAccount, so every Pod in
  # istio-ingress that uses `default` can read all Secrets in this namespace. Give the gateway
  # its own ServiceAccount if other workloads share the namespace.
  name: default
kubectl apply -f ingress.yaml
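Before applying, it is worth checking that a locally edited copy of the manifest still carries the hardening the template above relies on (gateway injection template, unprivileged-port sysctl, dropped capabilities, non-root uid, a Role without wildcards), and after applying, confirming it on the live Pod. The following script is an added example, not part of the Istio docs or the original post; it assumes kubectl in PATH, the manifest saved as ingress.yaml, the istio-ingress namespace, and an Ubuntu-based proxyv2 image (the distroless variant has no `id` or `grep` for the exec checks). The function names are the example's own.

```shell
#!/usr/bin/env bash
# Added example (not from the Istio docs or the original post).
# Assumes: kubectl in PATH, ingress.yaml as above, namespace istio-ingress,
# Ubuntu-based proxyv2 image for the `kubectl exec` checks.

# Offline pre-apply check: refuse manifests that lose the hardening settings.
# Plain grep on the YAML text, so no YAML parser is needed.
check_gateway_hardening() {
  f="$1"
  grep -q 'inject.istio.io/templates: gateway' "$f" \
    || { echo "FAIL: gateway injection template not selected"; return 1; }
  grep -q 'net.ipv4.ip_unprivileged_port_start' "$f" \
    || { echo "FAIL: unprivileged-port sysctl missing (binding 80/443 would need root or NET_BIND_SERVICE)"; return 1; }
  grep -q -- '- ALL' "$f" \
    || { echo "FAIL: capabilities not dropped"; return 1; }
  grep -q 'runAsUser:' "$f" \
    || { echo "FAIL: runAsUser not set"; return 1; }
  if grep -qE 'runAsUser: *"?0"?$' "$f"; then
    echo "FAIL: proxy would run as root"; return 1
  fi
  if grep -qE '(apiGroups|resources|verbs):.*\*' "$f"; then
    echo "FAIL: wildcard RBAC rule in the gateway Role"; return 1
  fi
  echo "OK: $f keeps the gateway hardening"
}

# Post-apply check against the live cluster (needs a cluster and a caller
# allowed to impersonate service accounts; not run unless asked for).
verify_gateway_runtime() {
  ns=istio-ingress
  kubectl -n "$ns" rollout status deploy/istio-ingressgateway --timeout=120s
  pod=$(kubectl -n "$ns" get pod -l istio=ingressgateway -o jsonpath='{.items[0].metadata.name}')
  # Effective uid/gid of the proxy container: expect 1337, never 0.
  kubectl -n "$ns" exec "$pod" -c istio-proxy -- id
  # Effective capability set of pid 1 (pilot-agent): expect CapEff: 0000000000000000.
  kubectl -n "$ns" exec "$pod" -c istio-proxy -- grep CapEff /proc/1/status
  # The RoleBinding scopes Secret reads to this namespace only: yes here, no elsewhere.
  kubectl auth can-i list secrets -n "$ns"       --as="system:serviceaccount:$ns:default"
  kubectl auth can-i list secrets -n kube-system --as="system:serviceaccount:$ns:default"
  # External address to point curl or openssl at.
  kubectl -n "$ns" get svc istio-ingressgateway -o jsonpath='{.status.loadBalancer.ingress[0].ip}'; echo
}

case "${1:-}" in
  lint)   check_gateway_hardening "${2:-ingress.yaml}" ;;
  verify) verify_gateway_runtime ;;
esac
```

Run `./check.sh lint ingress.yaml` before `kubectl apply` and `./check.sh verify` afterwards; the lint step is deliberately text-based so it can run in CI without a cluster.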
Access via Ingress
Create the Ingress:
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: ingress-name
  namespace: your-ns # your namespace
spec:
  ingressClassName: istio # must be istio
  rules:
  - host: demo.abc.com
    http:
      paths:
      - backend:
          service:
            name: xxx-svc # replace with your backend Service
            port:
              number: 8080 # replace with your backend Service's port
        path: /
        pathType: Prefix
  tls:
  - hosts:
    - demo.abc.com
    secretName: secret-tls # replace with your certificate Secret; it must be in the same namespace as `istio-ingressgateway`, not in the application namespace
Using the Gateway API
Reference: https://istio.io/latest/zh/docs/tasks/traffic-management/ingress/gateway-api/#manual-deployment
apiVersion: gateway.networking.k8s.io/v1
kind: Gateway
metadata:
  name: gateway
  namespace: istio-ingress
spec:
  gatewayClassName: istio
  addresses:
  - value: istio-ingressgateway.istio-ingress.svc.cluster.local # bind to the manually deployed gateway Service instead of letting Istio create one
    type: Hostname
  listeners:
  - name: default
    hostname: "*.abc.com"
    port: 80
    protocol: HTTP
    allowedRoutes:
      namespaces:
        from: All # any namespace in the cluster may attach routes to this listener
Create the HTTPRoute:
apiVersion: gateway.networking.k8s.io/v1
kind: HTTPRoute
metadata:
  name: micro-identity
  namespace: your-ns # your namespace
spec:
  parentRefs:
  - name: gateway
    namespace: istio-ingress
  hostnames: ["demo.abc.com"] # must fall within the listener's "*.abc.com"
  rules:
  - matches:
    - path:
        type: PathPrefix
        value: /
    backendRefs:
    - name: xxx-svc # replace with your backend Service
      port: 8080 # replace with your backend Service's port
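Two things the Ingress section's TLS note and the Gateway above have in common: the certificate Secret must live in the gateway's namespace (Ingress `tls.secretName` and Gateway `certificateRefs` are both resolved there, the latter without a ReferenceGrant only for same-namespace Secrets), and the Gateway as written serves plaintext only and lets every namespace attach routes. The script below is an added example, not part of the Istio docs or the original post; it creates the Secret in istio-ingress, renders a Gateway that terminates TLS on 443 and accepts routes only from namespaces labelled `gateway-access=allowed` (a label name chosen for this example), pins the HTTPRoute to that listener with `sectionName`, and checks the served certificate by SNI. It assumes kubectl and openssl in PATH and a PEM certificate and key for demo.abc.com; the `render_*` helpers and the listener name `https` are the example's own.

```shell
#!/usr/bin/env bash
# Added example (not from the Istio docs or the original post).
# Assumes: kubectl and openssl in PATH, a cert/key for demo.abc.com, the manually
# deployed istio-ingressgateway in istio-ingress, and an assumed namespace label
# gateway-access=allowed on each namespace that may attach routes.

NS=istio-ingress
SECRET=secret-tls
HOST=demo.abc.com

# The Secret goes into the gateway's namespace: both the Ingress tls.secretName and
# the Gateway certificateRefs look there, not in the application namespace.
create_tls_secret() {
  kubectl -n "$NS" create secret tls "$SECRET" --cert="$1" --key="$2" \
    --dry-run=client -o yaml | kubectl apply -f -
}

# Gateway terminating TLS on 443; routes may attach only from labelled namespaces
# instead of `from: All`. The page's port-80 listener can be kept next to it for
# an HTTP-to-HTTPS RequestRedirect route.
render_gateway() {
  cat <<EOF
apiVersion: gateway.networking.k8s.io/v1
kind: Gateway
metadata:
  name: gateway
  namespace: $NS
spec:
  gatewayClassName: istio
  addresses:
  - value: istio-ingressgateway.$NS.svc.cluster.local
    type: Hostname
  listeners:
  - name: https
    hostname: "*.abc.com"
    port: 443
    protocol: HTTPS
    tls:
      mode: Terminate
      certificateRefs:
      - kind: Secret
        name: $SECRET
    allowedRoutes:
      namespaces:
        from: Selector
        selector:
          matchLabels:
            gateway-access: allowed
EOF
}

# HTTPRoute pinned to the https listener via sectionName: args are namespace, service, port.
render_route() {
  cat <<EOF
apiVersion: gateway.networking.k8s.io/v1
kind: HTTPRoute
metadata:
  name: $2
  namespace: $1
spec:
  parentRefs:
  - name: gateway
    namespace: $NS
    sectionName: https
  hostnames: ["$HOST"]
  rules:
  - matches:
    - path:
        type: PathPrefix
        value: /
    backendRefs:
    - name: $2
      port: $3
EOF
}

# Live checks: listener programmed, and the expected certificate served for the SNI name.
verify_tls() {
  kubectl -n "$NS" wait --for=condition=Programmed gateway/gateway --timeout=120s
  ip=$(kubectl -n "$NS" get svc istio-ingressgateway -o jsonpath='{.status.loadBalancer.ingress[0].ip}')
  openssl s_client -connect "$ip:443" -servername "$HOST" </dev/null 2>/dev/null \
    | openssl x509 -noout -subject -issuer -dates
}

case "${1:-}" in
  secret) create_tls_secret "$2" "$3" ;;                      # secret tls.crt tls.key
  apply)  kubectl label ns "$2" gateway-access=allowed --overwrite
          render_gateway | kubectl apply -f -
          render_route "$2" "$3" "$4" | kubectl apply -f - ;; # apply your-ns xxx-svc 8080
  verify) verify_tls ;;
esac
```

Usage: `./tls.sh secret tls.crt tls.key`, then `./tls.sh apply your-ns xxx-svc 8080`, then `./tls.sh verify`. A route from a namespace without the label stays unattached, which shows up as an `Accepted: False` condition in that HTTPRoute's status.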