欢迎关注我的公众号:
目前刚开始写一个月,一共写了18篇原创文章,文章目录如下:
istio多集群探秘,部署了50次多集群后我得出的结论
istio多集群链路追踪,附实操视频
istio防故障利器,你知道几个,istio新手不要读,太难!
istio业务权限控制,原来可以这么玩
istio实现非侵入压缩,微服务之间如何实现压缩
不懂envoyfilter也敢说精通istio系列-http-rbac-不要只会用AuthorizationPolicy配置权限
不懂envoyfilter也敢说精通istio系列-02-http-corsFilter-不要只会vs
不懂envoyfilter也敢说精通istio系列-03-http-csrf filter-再也不用再代码里写csrf逻辑了
不懂envoyfilter也敢说精通istio系列http-jwt_authn-不要只会RequestAuthorization
不懂envoyfilter也敢说精通istio系列-05-fault-filter-故障注入不止是vs
不懂envoyfilter也敢说精通istio系列-06-http-match-配置路由不只是vs
不懂envoyfilter也敢说精通istio系列-07-负载均衡配置不止是dr
不懂envoyfilter也敢说精通istio系列-08-连接池和断路器
不懂envoyfilter也敢说精通istio系列-09-http-route filter
不懂envoyfilter也敢说精通istio系列-network filter-redis proxy
不懂envoyfilter也敢说精通istio系列-network filter-HttpConnectionManager
不懂envoyfilter也敢说精通istio系列-ratelimit-istio ratelimit完全手册
学习目标
envoy架构
envoy基本概念
Host:能够进行网络通信的实体(在手机或服务器等上的应用程序)。在 Envoy 中主机是指逻辑网络应用程序。只要每台主机都可以独立寻址,一块物理硬件上就运行多个主机。
Downstream:下游(downstream)主机连接到 Envoy,发送请求并或获得响应。
Upstream:上游(upstream)主机获取来自 Envoy 的链接请求和响应。
Cluster: 集群(cluster)是 Envoy 连接到的一组逻辑上相似的上游主机。Envoy 通过[服务发现]发现集群中的成员。Envoy 可以通过[主动运行状况检查]来确定集群成员的健康状况。Envoy 如何将请求路由到集群成员由[负载均衡策略]确定。
Mesh:一组互相协调以提供一致网络拓扑的主机。Envoy mesh 是指一组 Envoy 代理,它们构成了由多种不同服务和应用程序平台组成的分布式系统的消息传递基础。
运行时配置:与 Envoy 一起部署的带外实时配置系统。可以在无需重启 Envoy 或 更改 Envoy 主配置的情况下,通过更改设置来影响操作。
Listener: 侦听器(listener)是可以由下游客户端连接的命名网络位置(例如,端口、unix域套接字等)。Envoy 公开一个或多个下游主机连接的侦听器。一般是每台主机运行一个 Envoy,使用单进程运行,但是每个进程中可以启动任意数量的 Listener(监听器),目前只监听 TCP,每个监听器都独立配置一定数量的(L3/L4)网络过滤器。Listenter 也可以通过 Listener Discovery Service(LDS)动态获取。
Listener filter:Listener 使用 listener filter(监听器过滤器)来操作链接的元数据。它的作用是在不更改 Envoy 的核心功能的情况下添加更多的集成功能。Listener filter 的 API 相对简单,因为这些过滤器最终是在新接受的套接字上运行。在链中可以互相衔接以支持更复杂的场景,例如调用速率限制。Envoy 已经包含了多个监听器过滤器。
Http Route Table:HTTP 的路由规则,例如请求的域名,Path 符合什么规则,转发给哪个 Cluster。
Health checking:健康检查会与SDS服务发现配合使用。但是,即使使用其他服务发现方式,也有相应需要进行主动健康检查的情况。
xds
xds 是lds,rds,cds,eds,sds的总称,即发现服务,也就是他后2个字母ds是discovery service
lds
l即envoy的监听端口,lds用于动态发现envoy需要监听哪些端口
rds
r即路由,rds用于发现路由配置
cds
c即cluster,cds用于动态发现cluster上游cluster信息
eds
e即endpoint,eds用于动态发现服务端点
sds
s即秘钥,sds用于动态发现tls证书
xDS以及各个资源之间的关系
filter种类
listener filter
envoy.filters.listener.http_inspector
envoy.filters.listener.original_dst
envoy.filters.listener.original_src
envoy.filters.listener.proxy_protocol
envoy.filters.listener.tls_inspector
envoy.filters.udp_listener.dns_filter
envoy.filters.udp_listener.udp_proxy
network filter
envoy.filters.network.client_ssl_auth
envoy.filters.network.direct_response
envoy.filters.network.dubbo_proxy
envoy.filters.network.echo
envoy.filters.network.ext_authz
envoy.filters.network.http_connection_manager
envoy.filters.network.kafka_broker
envoy.filters.network.local_ratelimit
envoy.filters.network.mongo_proxy
envoy.filters.network.mysql_proxy
envoy.filters.network.postgres_proxy
envoy.filters.network.ratelimit
envoy.filters.network.rbac
envoy.filters.network.redis_proxy
envoy.filters.network.rocketmq_proxy
envoy.filters.network.sni_cluster
envoy.filters.network.sni_dynamic_forward_proxy
envoy.filters.network.tcp_proxy
envoy.filters.network.thrift_proxy
envoy.filters.network.wasm
envoy.filters.network.zookeeper_proxy
http filter
envoy.filters.http.adaptive_concurrency
envoy.filters.http.admission_control
envoy.filters.http.aws_lambda
envoy.filters.http.aws_request_signing
envoy.filters.http.buffer
envoy.filters.http.cache
envoy.filters.http.cache.simple_http_cache
envoy.filters.http.cdn_loop
envoy.filters.http.composite
envoy.filters.http.compressor
envoy.filters.http.cors
envoy.filters.http.csrf
envoy.filters.http.decompressor
envoy.filters.http.dynamic_forward_proxy
envoy.filters.http.dynamo
envoy.filters.http.ext_authz
envoy.filters.http.ext_proc
envoy.filters.http.fault
envoy.filters.http.grpc_http1_bridge
envoy.filters.http.grpc_http1_reverse_bridge
envoy.filters.http.grpc_json_transcoder
envoy.filters.http.grpc_stats
envoy.filters.http.grpc_web
envoy.filters.http.gzip
envoy.filters.http.header_to_metadata
envoy.filters.http.health_check
envoy.filters.http.ip_tagging
envoy.filters.http.jwt_authn
envoy.filters.http.kill_request
envoy.filters.http.local_ratelimit
envoy.filters.http.lua
envoy.filters.http.oauth2
envoy.filters.http.on_demand
envoy.filters.http.original_src
envoy.filters.http.ratelimit
envoy.filters.http.rbac
envoy.filters.http.router
envoy.filters.http.squash
envoy.filters.http.tap
envoy.filters.http.wasm
envoy配置示例
envoy.yaml
# envoy.yaml
admin:
access_log_path: /tmp/admin_access.log
address:
socket_address: { address: 0.0.0.0, port_value: 9901 }
static_resources:
listeners:
- name: listener_0
address:
socket_address: { address: 0.0.0.0, port_value: 8080 }
filter_chains:
- filters:
- name: envoy.filters.network.http_connection_manager
typed_config:
"@type": type.googleapis.com/envoy.config.filter.network.http_connection_manager.v2.HttpConnectionManager
codec_type: auto
stat_prefix: ingress_http
route_config:
name: local_route
virtual_hosts:
- name: local_service
domains: ["*"]
routes:
- match: { prefix: "/" }
route:
cluster: echo_service
max_grpc_timeout: 0s
cors:
allow_origin_string_match:
- prefix: "*"
allow_methods: GET, PUT, DELETE, POST, OPTIONS
allow_headers: keep-alive,user-agent,cache-control,content-type,content-transfer-encoding,custom-header-1,x-accept-content-transfer-encoding,x-accept-response-streaming,x-user-agent,x-grpc-web,grpc-timeout
max_age: "1728000"
expose_headers: custom-header-1,grpc-status,grpc-message
http_filters:
- name: envoy.filters.http.grpc_web
- name: envoy.filters.http.cors
- name: envoy.filters.http.router
clusters:
- name: echo_service
connect_timeout: 0.25s
type: logical_dns
http2_protocol_options: {}
lb_policy: round_robin
load_assignment:
cluster_name: cluster_0
endpoints:
- lb_endpoints:
- endpoint:
address:
socket_address:
address: server
port_value: 50052
admin:
access_log_path: /tmp/admin_access.log
address:
socket_address: { address: 0.0.0.0, port_value: 9901 }
static_resources:
listeners:
- name: listener1
address:
socket_address: { address: 0.0.0.0, port_value: 5858 }
filter_chains:
- filters:
- name: envoy.filters.network.http_connection_manager
typed_config:
"@type": type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager
stat_prefix: grpc_json
codec_type: AUTO
route_config:
name: local_route
virtual_hosts:
- name: local_service
domains: ["*"]
routes:
- match: { prefix: "/wind_power.WindServer" }
route: { cluster: grpc, timeout: { seconds: 60 } }
http_filters:
- name: envoy.filters.http.grpc_json_transcoder
typed_config:
"@type": type.googleapis.com/envoy.extensions.filters.http.grpc_json_transcoder.v3.GrpcJsonTranscoder
proto_descriptor: "/etc/envoy/proto.pb"
services: ["wind_power.WindServer"]
print_options:
add_whitespace: true
always_print_primitive_fields: true
always_print_enums_as_ints: false
preserve_proto_field_names: false
- name: envoy.filters.http.router
clusters:
- name: grpc
connect_timeout: 1.25s
type: logical_dns
lb_policy: round_robin
dns_lookup_family: V4_ONLY
http2_protocol_options: {}
upstream_connection_options:
tcp_keepalive:
keepalive_time: 300
load_assignment:
cluster_name: grpc
endpoints:
- lb_endpoints:
- endpoint:
address:
socket_address:
address: 0.0.0.0
port_value: 50052
配置简介
Bootstrap
{
"node": "{...}",
"static_resources": "{...}",
"dynamic_resources": "{...}",
"cluster_manager": "{...}",
"hds_config": "{...}",
"flags_path": "...",
"stats_sinks": [],
"stats_config": "{...}",
"stats_flush_interval": "{...}",
"stats_flush_on_admin": "...",
"watchdog": "{...}",
"watchdogs": "{...}",
"tracing": "{...}",
"layered_runtime": "{...}",
"admin": "{...}",
"overload_manager": "{...}",
"enable_dispatcher_stats": "...",
"header_prefix": "...",
"stats_server_version_override": "{...}",
"use_tcp_for_dns_lookups": "...",
"bootstrap_extensions": [],
"fatal_actions": [],
"default_socket_interface": "..."
}node : 节点标识,配置的是 Envoy 的标记信息,management server 利用它来标识不同的 Envoy 实例。参考 core.Node
static_resources : 定义静态配置,是 Envoy 核心工作需要的资源,由 Listener、Cluster 和 Secret 三部分组成。
dynamic_resources : 定义动态配置,通过 xDS 来获取配置。可以同时配置动态和静态。
cluster_manager : 管理所有的上游集群。它封装了连接后端服务的操作,当 Filter 认为可以建立连接时,便调用 cluster_manager 的 API 来建立连接。cluster_manager 负责处理负载均衡、健康检查等细节。
hds_config : 健康检查服务发现动态配置。
stats_sinks : 状态输出插件。可以将状态数据输出到多种采集系统中。一般通过 Envoy 的管理接口 /stats/prometheus 就可以获取 Prometheus 格式的指标,这里的配置应该是为了支持其他的监控系统。
stats_config : 状态指标配置。
stats_flush_interval : 状态指标刷新时间。
watchdog : 看门狗配置。Envoy 内置了一个看门狗系统,可以在 Envoy 没有响应时增加相应的计数器,并根据计数来决定是否关闭 Envoy 服务。
tracing : 分布式追踪相关配置。
layered_runtime : 层级化的运行时状态配置。可以静态配置,也可以通过 RTDS 动态加载配置。
admin : 管理接口。
overload_manager : 过载过滤器。
header_prefix : Header 字段前缀修改。例如,如果将该字段设为 X-Foo,那么 Header 中的 x-envoy-retry-on 将被会变成 x-foo-retry-on。
use_tcp_for_dns_lookups : 强制使用 TCP 查询 DNS。可以在 Cluster 的配置中覆盖此配置。
Listener
{
"name": "...",
"address": "{...}",
"stat_prefix": "...",
"filter_chains": [],
"use_original_dst": "{...}",
"default_filter_chain": "{...}",
"per_connection_buffer_limit_bytes": "{...}",
"metadata": "{...}",
"drain_type": "...",
"listener_filters": [],
"listener_filters_timeout": "{...}",
"continue_on_listener_filters_timeout": "...",
"transparent": "{...}",
"freebind": "{...}",
"socket_options": [],
"tcp_fast_open_queue_length": "{...}",
"traffic_direction": "...",
"udp_listener_config": "{...}",
"api_listener": "{...}",
"connection_balance_config": "{...}",
"reuse_port": "...",
"access_log": [],
"tcp_backlog_size": "{...}",
"bind_to_port": "{...}"
}Cluster
{
"transport_socket_matches": [],
"name": "...",
"alt_stat_name": "...",
"type": "...",
"cluster_type": "{...}",
"eds_cluster_config": "{...}",
"connect_timeout": "{...}",
"per_connection_buffer_limit_bytes": "{...}",
"lb_policy": "...",
"load_assignment": "{...}",
"health_checks": [],
"max_requests_per_connection": "{...}",
"circuit_breakers": "{...}",
"upstream_http_protocol_options": "{...}",
"common_http_protocol_options": "{...}",
"http_protocol_options": "{...}",
"http2_protocol_options": "{...}",
"typed_extension_protocol_options": "{...}",
"dns_refresh_rate": "{...}",
"dns_failure_refresh_rate": "{...}",
"respect_dns_ttl": "...",
"dns_lookup_family": "...",
"dns_resolvers": [],
"use_tcp_for_dns_lookups": "...",
"outlier_detection": "{...}",
"cleanup_interval": "{...}",
"upstream_bind_config": "{...}",
"lb_subset_config": "{...}",
"ring_hash_lb_config": "{...}",
"maglev_lb_config": "{...}",
"original_dst_lb_config": "{...}",
"least_request_lb_config": "{...}",
"common_lb_config": "{...}",
"transport_socket": "{...}",
"metadata": "{...}",
"protocol_selection": "...",
"upstream_connection_options": "{...}",
"close_connections_on_host_health_failure": "...",
"ignore_health_on_host_removal": "...",
"filters": [],
"track_timeout_budgets": "...",
"upstream_config": "{...}",
"track_cluster_stats": "{...}",
"preconnect_policy": "{...}",
"connection_pool_per_downstream_connection": "..."
}route configuration
{
"name": "...",
"virtual_hosts": [],
"vhds": "{...}",
"internal_only_headers": [],
"response_headers_to_add": [],
"response_headers_to_remove": [],
"request_headers_to_add": [],
"request_headers_to_remove": [],
"most_specific_header_mutations_wins": "...",
"validate_clusters": "{...}",
"max_direct_response_body_size_bytes": "{...}"
}
