Istio 0.8 TLS simple test

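Version 0.8 adopts a new traffic management configuration model, the v1alpha3 Route API. The new model adds some new features and improves on the model of earlier versions:
1. Gateway
2. VirtualService
3. DestinationRule
4. ServiceEntry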

Test environment:
svc: nginx
deployment: nginx-web-de1 nginx-web-de2
gateway: nginx-gateway
VirtualService: nginx-virtual
DestinationRule: nginx

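I. First get access working normally (requests to the gateway reach the nginx pods)
1. Create the svc and the deployments. One svc fronts two deployments; the routing rules are configured in the VirtualService, for example 20% to v1 and 80% to v2, or routing to v1 or v2 based on cookie, user, IP, etc.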

apiVersion: v1
kind: Service
metadata:
  name: nginx
  labels:
    app: nginx
spec:
  ports:
  - port: 80
    name: http
  selector:
    app: nginx-web-de
---
apiVersion: extensions/v1beta1
kind: Deployment
metadata:
  name: nginx-web-de1
spec:
  replicas: 1
  template:
    metadata:
      labels:
        app: nginx-web-de
        version: v1
    spec:
      containers:
      - name: nginx
        image: nginx:v1
        imagePullPolicy: IfNotPresent
        ports:
        - containerPort: 80
---
apiVersion: extensions/v1beta1
kind: Deployment
metadata:
  name: nginx-web-de2
spec:
  replicas: 1
  template:
    metadata:
      labels:
        app: nginx-web-de
        version: v2
    spec:
      containers:
      - name: nginx
        image: nginx:v2
        imagePullPolicy: IfNotPresent
        ports:
        - containerPort: 80

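2. The Gateway you create is written through the API into etcd and then picked up by the istio-ingressgateway instance. It plays the same role as Traefik or nginx-ingress; you then access istio-ingressgateway directly.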

apiVersion: networking.istio.io/v1alpha3
kind: Gateway
metadata:
  name: nginx-gateway
spec:
  selector:
    istio: ingressgateway # use istio default controller
  servers:
  - port:
      number: 80
      name: http
      protocol: HTTP
    hosts:
    - "*"

2. Create the VirtualService and bind it to the gateway. Think of it as an nginx virtual host, with the IP address you access being that of the Istio gateway.

apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
  name: nginx-virtual
spec:
  hosts:
  - "*"
  gateways:
  - nginx-gateway
  http:
  - match:
    - uri:
        exact: /nginx/
    route:
    - destination:
        host: nginx.default.svc.cluster.local
        port:
          number: 80

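3. Change how the ingressgateway is accessed
kubectl edit svc/istio-ingressgateway -n istio-system (change the type to NodePort)
curl 192.168.99.100:31380/nginx/ (requests are now load balanced across nginx-web-de1 and nginx-web-de2: one response is 111, the next is 222)
The Docker images simply create nginx/index.html; the content is "111" for v1 and "222" for v2.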

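---------------------------------------------------- PS: so far this only makes the service reachable ----------------------------------------------------
What I mainly want from learning Istio is A/B testing or canary release
(1) Canary: use traffic splitting. For example, after releasing v2, send only 5% of the traffic to v2 while the rest still goes to v1, then increase the traffic based on data analysis and user feedback
(2) A/B: steer traffic by cookie, IP, user, etc. to a defined version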

II. Use Istio to send 20% of traffic to v1 and 80% to v2
1. Add a DestinationRule

apiVersion: networking.istio.io/v1alpha3
kind: DestinationRule
metadata:
  name: nginx
spec:
  host: nginx.default.svc.cluster.local
  subsets:
  - name: v1
    labels:
      version: v1
  - name: v2
    labels:
      version: v2

2. Change the VirtualService (the file nginxgateway.yaml holds both the Gateway and the VirtualService)

apiVersion: networking.istio.io/v1alpha3
kind: Gateway
metadata:
  name: nginx-gateway
spec:
  selector:
    istio: ingressgateway # use istio default controller
  servers:
  - port:
      number: 80
      name: http
      protocol: HTTP
    hosts:
    - "*"
---
apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
  name: nginx-virtual
spec:
  hosts:
  - "*"
  gateways:
  - nginx-gateway
  http:
  - match:
    - uri:
        exact: /nginx/
    route:
    - destination:
        host: nginx.default.svc.cluster.local
        port:
          number: 80
        subset: v1
      weight: 30
    - destination:
        host: nginx.default.svc.cluster.local
        port:
          number: 80
        subset: v2
      weight: 70

3. Apply the changed configuration with replace
istioctl replace -f nginxgateway.yaml

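4. On accessing the service again, only two out of ten requests reach v1. You can change the VirtualService rules however you like to confirm that the configuration takes effect.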
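
To check step 4 over more than ten requests, the following added example (not part of the original post) tallies the `111`/`222` bodies returned through the gateway and compares the v1 share with the weight set in the VirtualService. The function names, the `GATEWAY_URL` variable and the tolerance parameter are assumptions made for this example; the URL is the one used above.

```shell
#!/usr/bin/env bash
# Added example (not from the original post): measure the v1/v2 split at the gateway.
# GATEWAY_URL and all function names are assumptions; the address is the one on this page.
GATEWAY_URL="${GATEWAY_URL:-http://192.168.99.100:31380/nginx/}"

# Read one response body per line on stdin and print
# "v1=<n> v2=<n> other=<n> v1_pct=<p>"; "111" is the v1 image, "222" the v2 image.
# Anything else (error pages, timeouts) is counted as "other" and kept out of the share.
tally_versions() {
  awk '
    { gsub(/[ \t\r]/, "") }
    $0 == "111" { v1++; next }
    $0 == "222" { v2++; next }
    { other++ }
    END {
      total = v1 + v2
      pct = total ? int(v1 * 100 / total + 0.5) : 0
      printf "v1=%d v2=%d other=%d v1_pct=%d\n", v1, v2, other, pct
    }'
}

# Succeed when the observed v1 share is within +/- <tolerance> points of <expected>.
# usage: split_within <expected_v1_weight> <tolerance>   (bodies on stdin)
split_within() {
  expected="$1"; tol="$2"
  pct="$(tally_versions | sed 's/.*v1_pct=//')"
  [ "$pct" -ge $((expected - tol)) ] && [ "$pct" -le $((expected + tol)) ]
}

# Send <n> requests to the gateway and print one body per line.
# Needs the cluster from this page, so the test does not call it.
sample_gateway() {
  n="${1:-100}"
  i=0
  while [ "$i" -lt "$n" ]; do
    curl -s --max-time 5 "$GATEWAY_URL" || echo "ERR"
    echo
    i=$((i + 1))
  done | grep -v '^$'
}
```

Against the cluster, `sample_gateway 200 | tally_versions` prints the counts, and `sample_gateway 200 | split_within <v1 weight> 10` exits non-zero when the observed share is off by more than ten points. A non-zero `other` count means some requests did not return either version's page.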
