未应用 Istio 虚拟服务标头规则
Posted
技术标签:
【中文标题】未应用 Istio 虚拟服务标头规则【英文标题】:Istio virtual service header rules are not applied 【发布时间】:2020-07-04 05:31:36 【问题描述】:所以我有一个非常独特的情况。 问题 不应用虚拟服务路由规则。我们的集群中有一个buzzfeed sso 设置。我们想将响应头修改为即添加头。到与 uri sign_in 匹配的每个请求。 Buzzfeed sso 有自己的命名空间。 现在为了实现这一点,我创建了一个虚拟服务。 复制步骤: 我们使用这个虚拟服务规范来创建路由规则。
apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
name: sso-auth-injector
spec:
hosts:
- sso-auth
http:
- match:
- uri:
prefix: /sign_in
ignoreUriCase: true
route:
- destination:
host: sso-auth
headers:
response:
add:
foo: bar
request:
add:
hello: world
分析
Istioctk x describe 有输出 吊舱:sso-auth-58744b56cd-lwqrh.sso Pod 端口:4180(sso-auth)、15090(istio-proxy) 建议:为 Istio 遥测添加“app”标签。 建议:为 Istio 遥测添加“版本”标签。 服务:sso-auth.sso 端口:http 80/HTTP 目标 pod 端口 4180 Pod 是 PERMISSIVE(强制执行 HTTP/mTLS)并且客户端使用 HTTP 虚拟服务:sso-auth-injector.sso /sign_in 不加壳 2)Istioctl。不附加所有规则,但用于出站|80|
"routes": [
"match":
"prefix": "/sign_in",
"caseSensitive": false
,
"route":
"cluster": "outbound|80||sso-auth.sso.svc.cluster.local",
"timeout": "0s",
"retryPolicy":
"retryOn": "connect-failure,refused-stream,unavailable,cancelled,resource-exhausted,retriable-status-codes",
"numRetries": 2,
"retryHostPredicate": [
"name": "envoy.retry_host_predicates.previous_hosts"
],
"hostSelectionRetryMaxAttempts": "5",
"retriableStatusCodes": [
503
]
,
"maxGrpcTimeout": "0s"
,
"metadata":
"filterMetadata":
"istio":
"config": "/apis/networking/v1alpha3/namespaces/sso/virtual-service/sso-auth-injector"
,
"decorator":
"operation": "sso-auth.sso.svc.cluster.local:80/sign_in*"
,
"typedPerFilterConfig":
"mixer":
"@type": "type.googleapis.com/istio.mixer.v1.config.client.ServiceConfig",
"disableCheckCalls": true,
"mixerAttributes":
"attributes":
"destination.service.host":
"stringValue": "sso-auth.sso.svc.cluster.local"
,
"destination.service.name":
"stringValue": "sso-auth"
,
"destination.service.namespace":
"stringValue": "sso"
,
"destination.service.uid":
"stringValue": "istio://sso/services/sso-auth"
,
"forwardAttributes":
"attributes":
"destination.service.host":
"stringValue": "sso-auth.sso.svc.cluster.local"
,
"destination.service.name":
"stringValue": "sso-auth"
,
"destination.service.namespace":
"stringValue": "sso"
,
"destination.service.uid":
"stringValue": "istio://sso/services/sso-auth"
,
"requestHeadersToAdd": [
"header":
"key": "hello",
"value": "world"
,
"append": true
],
"responseHeadersToAdd": [
"header":
"key": "foo",
"value": "bar"
,
"append": true
]
]
,
问题/疑问
这些规则不生效。每个请求都传递给服务,但不修改标头。 路由规则不应该适用于入站请求而不是出站请求(如生成的配置所示)。
【问题讨论】:
【参考方案1】:我们想修改响应头,即添加头。到与 uri sign_in 匹配的每个请求
我做了一个例子,测试了一下,一切正常。
检查下面的对比、测试和整个示例。
虚拟服务
apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
name: nginxvirt
spec:
gateways:
- mesh
hosts:
- nginx.default.svc.cluster.local
http:
- name: match
headers:
response:
add:
foo: "bar"
match:
- uri:
prefix: /sign_in
rewrite:
uri: /
route:
- destination:
host: nginx.default.svc.cluster.local
port:
number: 80
subset: v1
测试所需的一切
apiVersion: v1
kind: Pod
metadata:
name: ubu1
spec:
containers:
- name: ubu1
image: ubuntu
command: ["/bin/sh"]
args: ["-c", "apt-get update && apt-get install curl -y && sleep 3000"]
---
apiVersion: apps/v1
kind: Deployment
metadata:
name: nginx1
spec:
selector:
matchLabels:
run: nginx1
replicas: 1
template:
metadata:
labels:
run: nginx1
app: frontend
spec:
containers:
- name: nginx1
image: nginx
ports:
- containerPort: 80
lifecycle:
postStart:
exec:
command: ["/bin/sh", "-c", "echo Hello nginx1 > /usr/share/nginx/html/index.html"]
---
apiVersion: v1
kind: Service
metadata:
name: nginx
labels:
app: frontend
spec:
ports:
- port: 80
protocol: TCP
selector:
app: frontend
---
apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
name: nginxvirt
spec:
gateways:
- mesh
hosts:
- nginx.default.svc.cluster.local
http:
- name: match
headers:
response:
add:
foo: "bar"
match:
- uri:
prefix: /sign_in
rewrite:
uri: /
route:
- destination:
host: nginx.default.svc.cluster.local
port:
number: 80
subset: v1
---
apiVersion: networking.istio.io/v1alpha3
kind: DestinationRule
metadata:
name: nginxdest
spec:
host: nginx.default.svc.cluster.local
subsets:
- name: v1
labels:
run: nginx1
从 ubuntu pod 测试
我使用curl -I
来显示响应标头
curl -I nginx/sign_in
HTTP/1.1 200 OK
server: envoy
date: Tue, 24 Mar 2020 07:44:10 GMT
content-type: text/html
content-length: 13
last-modified: Thu, 12 Mar 2020 06:52:43 GMT
etag: "5e69dc3b-d"
accept-ranges: bytes
x-envoy-upstream-service-time: 3
foo: bar
如您所见,foo:bar 标头已正确添加。
标题的附加链接
https://istiobyexample.dev/response-headers/
Istio adds and removed headers, but doesn't overwrite
How to display request headers with command line curl
在您的 istioctl 分析中,我看到您可能遇到 503 错误
"retriableStatusCodes": [
503
]
503 错误的附加链接
https://istio.io/docs/ops/best-practices/traffic-management/#avoid-503-errors-while-reconfiguring-service-routes
https://istio.io/docs/ops/common-problems/network-issues/#503-errors-after-setting-destination-rule
Accessing service using istio ingress gives 503 error when mTLS is enabled
【讨论】:
以上是关于未应用 Istio 虚拟服务标头规则的主要内容,如果未能解决你的问题,请参考以下文章