Istio virtual service header rules are not applied

Published: 2020-07-04 05:31:36

Problem description:

So I have a very unique situation.

Problem: the virtual service routing rules are not applied. We have a buzzfeed sso setup in our cluster. We want to modify the response headers, i.e. add headers, for every request that matches the uri sign_in. Buzzfeed sso has its own namespace. To achieve this I created a virtual service.

Steps to reproduce: we use this virtual service spec to create the routing rules.

apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
  name: sso-auth-injector
spec:
  hosts:
  - sso-auth
  http:
  - match:
    - uri:
        prefix: /sign_in
      ignoreUriCase: true
    route:
    - destination:
        host: sso-auth
      headers:
        response:
          add: 
            foo: bar
        request:
          add:
            hello: world

Analysis

1) istioctl x describe has the output:

Pod: sso-auth-58744b56cd-lwqrh.sso
   Pod Ports: 4180 (sso-auth), 15090 (istio-proxy)
Suggestion: add 'app' label to pod for Istio telemetry.
Suggestion: add 'version' label to pod for Istio telemetry.
Service: sso-auth.sso
   Port: http 80/HTTP targets pod port 4180
Pod is PERMISSIVE (enforces HTTP/mTLS) and clients speak HTTP
VirtualService: sso-auth-injector.sso
   /sign_in uncased

2) istioctl. Not attaching all the rules, only the one for outbound|80|:

"routes": [
    {
        "match": {
            "prefix": "/sign_in",
            "caseSensitive": false
        },
        "route": {
            "cluster": "outbound|80||sso-auth.sso.svc.cluster.local",
            "timeout": "0s",
            "retryPolicy": {
                "retryOn": "connect-failure,refused-stream,unavailable,cancelled,resource-exhausted,retriable-status-codes",
                "numRetries": 2,
                "retryHostPredicate": [
                    {
                        "name": "envoy.retry_host_predicates.previous_hosts"
                    }
                ],
                "hostSelectionRetryMaxAttempts": "5",
                "retriableStatusCodes": [
                    503
                ]
            },
            "maxGrpcTimeout": "0s"
        },
        "metadata": {
            "filterMetadata": {
                "istio": {
                    "config": "/apis/networking/v1alpha3/namespaces/sso/virtual-service/sso-auth-injector"
                }
            }
        },
        "decorator": {
            "operation": "sso-auth.sso.svc.cluster.local:80/sign_in*"
        },
        "typedPerFilterConfig": {
            "mixer": {
                "@type": "type.googleapis.com/istio.mixer.v1.config.client.ServiceConfig",
                "disableCheckCalls": true,
                "mixerAttributes": {
                    "attributes": {
                        "destination.service.host": {
                            "stringValue": "sso-auth.sso.svc.cluster.local"
                        },
                        "destination.service.name": {
                            "stringValue": "sso-auth"
                        },
                        "destination.service.namespace": {
                            "stringValue": "sso"
                        },
                        "destination.service.uid": {
                            "stringValue": "istio://sso/services/sso-auth"
                        }
                    }
                },
                "forwardAttributes": {
                    "attributes": {
                        "destination.service.host": {
                            "stringValue": "sso-auth.sso.svc.cluster.local"
                        },
                        "destination.service.name": {
                            "stringValue": "sso-auth"
                        },
                        "destination.service.namespace": {
                            "stringValue": "sso"
                        },
                        "destination.service.uid": {
                            "stringValue": "istio://sso/services/sso-auth"
                        }
                    }
                }
            }
        },
        "requestHeadersToAdd": [
            {
                "header": {
                    "key": "hello",
                    "value": "world"
                },
                "append": true
            }
        ],
        "responseHeadersToAdd": [
            {
                "header": {
                    "key": "foo",
                    "value": "bar"
                },
                "append": true
            }
        ]
    }
],

Questions/Doubts

These rules are not taking effect. Every request is passed to the service, but the headers are not modified. Shouldn't the routing rules apply to inbound requests rather than outbound ones (as shown in the generated config)?
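A quick offline check, added here and not part of the question or the answer, that reads `istioctl proxy-config routes <pod> -o json` output and reports, for a given VirtualService, which Envoy routes carry its header rules and whether they sit on an outbound or inbound cluster. The sample input is constructed and modelled on the route excerpt above; the `istio.config` metadata path is the only thing it relies on to attribute a route to the VirtualService.

```python
import json

# Constructed sample in the shape of `istioctl proxy-config routes ... -o json`:
# a list of RouteConfigurations, each with virtualHosts and their routes.
SAMPLE_ROUTES_JSON = """
[
  {
    "name": "80",
    "virtualHosts": [
      {
        "name": "sso-auth.sso.svc.cluster.local:80",
        "domains": ["sso-auth.sso.svc.cluster.local", "sso-auth"],
        "routes": [
          {
            "match": {"prefix": "/sign_in", "caseSensitive": false},
            "route": {"cluster": "outbound|80||sso-auth.sso.svc.cluster.local"},
            "metadata": {"filterMetadata": {"istio": {"config":
              "/apis/networking/v1alpha3/namespaces/sso/virtual-service/sso-auth-injector"}}},
            "requestHeadersToAdd": [{"header": {"key": "hello", "value": "world"}, "append": true}],
            "responseHeadersToAdd": [{"header": {"key": "foo", "value": "bar"}, "append": true}]
          },
          {
            "match": {"prefix": "/"},
            "route": {"cluster": "outbound|80||sso-auth.sso.svc.cluster.local"}
          }
        ]
      }
    ]
  }
]
"""


def header_rules(routes_json, virtual_service):
    """Return the routes Istio generated from `virtual_service` (matched via the
    istio.config path in route metadata), with the headers Envoy will add and the
    traffic direction taken from the cluster name prefix (outbound|... / inbound|...)."""
    found = []
    for cfg in json.loads(routes_json):
        for vh in cfg.get("virtualHosts", []):
            for r in vh.get("routes", []):
                src = r.get("metadata", {}).get("filterMetadata", {}).get("istio", {}).get("config", "")
                if not src.endswith("/virtual-service/" + virtual_service):
                    continue  # route was not produced by this VirtualService
                cluster = r.get("route", {}).get("cluster", "")
                found.append({
                    "virtual_host": vh.get("name"),
                    "match": r.get("match", {}),
                    "direction": cluster.split("|", 1)[0],
                    "request_headers": {h["header"]["key"]: h["header"]["value"]
                                        for h in r.get("requestHeadersToAdd", [])},
                    "response_headers": {h["header"]["key"]: h["header"]["value"]
                                         for h in r.get("responseHeadersToAdd", [])},
                })
    return found
```

Run it against the real dump of both the calling pod's and the sso-auth pod's sidecar to see on which side the rules landed; a route listed only with direction "outbound" is applied by the client's sidecar, so traffic that does not pass through a sidecar on its way out never hits it.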


Answer 1:

"We want to modify the response headers, i.e. add headers, for every request that matches the uri sign_in"

I made an example, tested it, and everything works fine.

Check the comparison, the tests and the whole example below.

Virtual service

apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
  name: nginxvirt
spec:
  gateways:
  - mesh
  hosts:
  - nginx.default.svc.cluster.local
  http:
  - name: match
    headers:
      response:
        add:
          foo: "bar"
    match:
    - uri:
        prefix: /sign_in
    rewrite:
      uri: /
    route:
    - destination:
        host: nginx.default.svc.cluster.local
        port:
          number: 80
        subset: v1

Everything needed for testing

apiVersion: v1
kind: Pod
metadata:
  name: ubu1
spec:
  containers:
  - name: ubu1
    image: ubuntu
    command: ["/bin/sh"]
    args: ["-c", "apt-get update && apt-get install curl -y && sleep 3000"]

---

apiVersion: apps/v1
kind: Deployment
metadata:
  name: nginx1
spec:
  selector:
    matchLabels:
      run: nginx1
  replicas: 1
  template:
    metadata:
      labels:
        run: nginx1
        app: frontend
    spec:
      containers:
      - name: nginx1
        image: nginx
        ports:
        - containerPort: 80
        lifecycle:
          postStart:
            exec:
              command: ["/bin/sh", "-c", "echo Hello nginx1 > /usr/share/nginx/html/index.html"]

---

apiVersion: v1
kind: Service
metadata:
  name: nginx
  labels:
    app: frontend
spec:
  ports:
  - port: 80
    protocol: TCP
  selector:
    app: frontend

---

apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
  name: nginxvirt
spec:
  gateways:
  - mesh
  hosts:
  - nginx.default.svc.cluster.local
  http:
  - name: match
    headers:
      response:
        add:
          foo: "bar"
    match:
    - uri:
        prefix: /sign_in
    rewrite:
      uri: /
    route:
    - destination:
        host: nginx.default.svc.cluster.local
        port:
          number: 80
        subset: v1

---

apiVersion: networking.istio.io/v1alpha3
kind: DestinationRule
metadata:
  name: nginxdest
spec:
  host: nginx.default.svc.cluster.local
  subsets:
  - name: v1
    labels:
      run: nginx1

Test from the ubuntu pod

I used curl -I to show the response headers

curl -I nginx/sign_in
HTTP/1.1 200 OK
server: envoy
date: Tue, 24 Mar 2020 07:44:10 GMT
content-type: text/html
content-length: 13
last-modified: Thu, 12 Mar 2020 06:52:43 GMT
etag: "5e69dc3b-d"
accept-ranges: bytes
x-envoy-upstream-service-time: 3
foo: bar

As you can see, the foo: bar header has been added correctly.


Additional links about headers

https://istiobyexample.dev/response-headers/

Istio adds and removed headers, but doesn't overwrite

How to display request headers with command line curl


In your istioctl analysis I see you might be running into 503 errors

"retriableStatusCodes": [
    503
]

Additional links about 503 errors

https://istio.io/docs/ops/best-practices/traffic-management/#avoid-503-errors-while-reconfiguring-service-routes

https://istio.io/docs/ops/common-problems/network-issues/#503-errors-after-setting-destination-rule

Accessing service using istio ingress gives 503 error when mTLS is enabled
