Egress Gateway逻辑示意图

Istio egress gateway_nginx

Egress Gateway 配置要点

  • 各Sidecar Envoy上访问特定外部主机的流量,要路由至Egress Gateway
  • Egress Gateway要将相应的流量路由至相应的外部目标

服务说明

  • 在网格外部运行有nginx服务,有两个实例
  • Nginx2001:监听地址为 172.29.1.201:8091,Nginx版本为1.20
  • Nginx2002:监听地址为 172.29.1.202:8091,Nginx版本为1.20
  • Nginx2101:监听地址为 172.29.1.203:8091,Nginx版本为1.21
  • 网格内部default名称空间中的pods/client作为客户端访问该服务

主机设置

添加IP地址

~# ip addr add 192.168.174.130/16 dev ens33
~# ip addr add 192.168.174.131/16 dev ens33
~# ip addr add 192.168.174.132/16 dev ens33

查看IP地址

~# ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
2: ens33: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq state UP group default qlen 1000
link/ether 00:0c:29:35:d9:64 brd ff:ff:ff:ff:ff:ff
inet 192.168.174.121/24 brd 192.168.174.255 scope global ens33
valid_lft forever preferred_lft forever
inet 192.168.174.130/16 scope global ens33
valid_lft forever preferred_lft forever
inet 192.168.174.131/16 scope global secondary ens33
valid_lft forever preferred_lft forever
inet 192.168.174.132/16 scope global secondary ens33
valid_lft forever preferred_lft forever
inet6 fe80::20c:29ff:fe35:d964/64 scope link
valid_lft forever preferred_lft forever

部署nginx

docker-compose.yml

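# Three off-mesh nginx instances on one Docker bridge network. Each service
# publishes container port 80 at port 8091 on a distinct host address (the
# addresses added with `ip addr add` above), so the mesh reaches them as
# 192.168.174.130/131/132:8091. Indentation restored: the listing as extracted
# had lost it and was not valid YAML.
version: '3.3'

services:
  nginx2001:
    # floating minor tag; pin to a digest for a reproducible, auditable build
    image: nginx:1.20-alpine
    volumes:
      - ./html/nginx2001:/usr/share/nginx/html/
    networks:
      envoymesh:
        ipv4_address: 172.31.201.11
        aliases:
          - nginx
    expose:
      - "80"
    ports:
      # bound to one host address rather than 0.0.0.0, which limits where this
      # plain-HTTP backend is reachable from
      - "192.168.174.130:8091:80"

  nginx2002:
    image: nginx:1.20-alpine
    volumes:
      - ./html/nginx2002:/usr/share/nginx/html/
    networks:
      envoymesh:
        ipv4_address: 172.31.201.12
        aliases:
          - nginx
    expose:
      - "80"
    ports:
      - "192.168.174.131:8091:80"

  # the 1.21 instance is the canary that the VirtualService later weights at 5%
  nginx2101:
    image: nginx:1.21-alpine
    volumes:
      - ./html/nginx2101:/usr/share/nginx/html/
    networks:
      envoymesh:
        ipv4_address: 172.31.201.13
        aliases:
          - nginx
          - canary
    expose:
      - "80"
    ports:
      - "192.168.174.132:8091:80"

networks:
  envoymesh:
    driver: bridge
    ipam:
      config:
        - subnet: 172.31.201.0/24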

运行nginx

# docker-compose up -d
[+] Running 4/4
⠿ Network wgs_envoymesh Created 0.1s
⠿ Container wgs-nginx2101-1 Started 1.5s
⠿ Container wgs-nginx2001-1 Started 1.6s
⠿ Container wgs-nginx2002-1 Started

访问nginx

~# curl 192.168.174.130:8091
nginx 2001
~# curl 192.168.174.131:8091
nginx 2002
~# curl 192.168.174.132:8091
nginx 2101

部署client

创建client

~# kubectl run client --image=ikubernetes/admin-box -it --rm --restart=Never --command -- /bin/sh
If you don't see a command prompt, try pressing enter.
root@client #

添加域名解析

root@client # echo "192.168.174.130 nginx.wgs.com" >> /etc/hosts

访问nginx

root@client # while true;do curl nginx.wgs.com:8091; sleep 0.$RANDOM;done
nginx 2001
nginx 2001
nginx 2001

workloadentry

workloadentry-nginx.yaml

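# One WorkloadEntry per off-mesh nginx instance. The ServiceEntry selects them
# through the app=nginx label; the `http` key under ports pairs the ServiceEntry
# port named `http` (80) with the endpoint's real port, 8091 (Istio keys
# WorkloadEntry ports by service port name). `version` is the label the
# DestinationRule subsets match on. Indentation restored: the listing as
# extracted had lost it and was not valid YAML.
apiVersion: networking.istio.io/v1beta1
kind: WorkloadEntry
metadata:
  name: workload-nginx2001
spec:
  address: "192.168.174.130"
  ports:
    http: 8091
  labels:
    app: nginx
    version: "v1.20"
    instance-id: Nginx2001
---
apiVersion: networking.istio.io/v1beta1
kind: WorkloadEntry
metadata:
  name: workload-nginx2002
spec:
  address: "192.168.174.131"
  ports:
    http: 8091
  labels:
    app: nginx
    version: "v1.20"
    instance-id: Nginx2002
---
apiVersion: networking.istio.io/v1beta1
kind: WorkloadEntry
metadata:
  name: workload-nginx2101
spec:
  address: "192.168.174.132"
  ports:
    http: 8091
  labels:
    app: nginx
    version: "v1.21"
    instance-id: Nginx2101
---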

创建workloadentry资源

# kubectl apply -f workloadentry-nginx.yaml 
workloadentry.networking.istio.io/workload-nginx2001 created
workloadentry.networking.istio.io/workload-nginx2002 created
workloadentry.networking.istio.io/workload-nginx2101 created

查看workloadentry资源

# kubectl get we
NAME AGE ADDRESS
workload-nginx2001 47s 192.168.174.130
workload-nginx2002 47s 192.168.174.131
workload-nginx2101 47s 192.168.174.132

serviceentry

serviceentry-nginx.yaml

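---
# Registers nginx.wgs.com as an external (MESH_EXTERNAL) HTTP service whose
# endpoints are the WorkloadEntry objects labelled app=nginx (resolution:
# STATIC). Clients inside the mesh call nginx.wgs.com:80; the per-endpoint port
# 8091 comes from each WorkloadEntry's `http` port.
# NOTE(review): the `kubectl apply` / `kubectl get se` output below reports the
# object as "nginx-external", not "nginx" — the name here likely should match.
# The service is declared as plain HTTP and nothing in this walkthrough
# originates TLS towards nginx, so the egress-gateway -> nginx hop is
# unencrypted; keep that in mind if anything beyond demo content is served.
# Indentation restored: the listing as extracted was not valid YAML.
apiVersion: networking.istio.io/v1beta1
kind: ServiceEntry
metadata:
  name: nginx
spec:
  hosts:
  - nginx.wgs.com
  ports:
  - number: 80
    name: http
    protocol: HTTP
  location: MESH_EXTERNAL
  resolution: STATIC
  workloadSelector:
    labels:
      app: nginx
---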

创建ServiceEntry资源

# kubectl apply -f serviceentry-nginx.yaml 
serviceentry.networking.istio.io/nginx-external created

查看ServiceEntry资源

# kubectl get se
NAME HOSTS LOCATION RESOLUTION AGE
nginx-external ["nginx.wgs.com"] MESH_EXTERNAL STATIC 34s

egress gateway

查看egress gateway svc

# kubectl get svc -n istio-system 
NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE
grafana ClusterIP 10.100.162.68 <none> 3000/TCP 6d5h
istio-egressgateway ClusterIP 10.100.121.95 <none> 80/TCP,443/TCP # egress gateway 11d
istio-ingressgateway LoadBalancer 10.100.145.112 192.168.174.109 15021:32417/TCP,80:46683/TCP,443:37652/TCP,31400:59146/TCP,15443:30622/TCP 11d
istiod ClusterIP 10.100.149.76 <none> 15010/TCP,15012/TCP,443/TCP,15014/TCP 11d
jaeger-collector ClusterIP 10.100.126.122 <none> 14268/TCP,14250/TCP,9411/TCP 6d5h
kiali ClusterIP 10.100.238.145 <none> 20001/TCP,9090/TCP 6d5h
prometheus ClusterIP 10.100.250.207 <none> 9090/TCP 6d5h
tracing ClusterIP 10.100.178.135 <none> 80/TCP,16685/TCP 6d5h
zipkin ClusterIP 10.100.119.139 <none> 9411/TCP 6d5h

gateway-egress.yaml

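# Egress Gateway listener: port 80, HTTP, bound to the istio-egressgateway
# workload in istio-system. hosts: "*" accepts any host on this listener; it is
# the VirtualService that narrows it to nginx.wgs.com. Listing the intended
# hosts here instead of "*" keeps the gateway from silently serving other
# destinations if a later VirtualService is mis-scoped. Indentation restored:
# the listing as extracted was not valid YAML.
apiVersion: networking.istio.io/v1beta1
kind: Gateway
metadata:
  name: egress
  namespace: istio-system
spec:
  selector:
    app: istio-egressgateway
  servers:
  - port:
      number: 80
      name: http
      protocol: HTTP
    hosts:
    - "*"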

创建egress gateway资源

# kubectl apply -f gateway-egress.yaml 
gateway.networking.istio.io/egress created

查看egress gateway资源

# kubectl get gw -n istio-system 
NAME AGE
egress 91s

高级流量治理-子集

destinationrule-nginx.yaml

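# Traffic policy and subsets for the external host. Because the VirtualService
# sends sidecar traffic to the egress gateway first, this rule takes effect
# where nginx.wgs.com is actually dialled — effectively at the egress gateway.
# Indentation restored: the listing as extracted was not valid YAML.
apiVersion: networking.istio.io/v1beta1
kind: DestinationRule
metadata:
  name: nginx-external
spec:
  host: nginx.wgs.com
  trafficPolicy:
    loadBalancer:
      simple: RANDOM
    connectionPool:
      tcp:
        maxConnections: 10000
        # NOTE(review): 10ms is a very tight TCP connect budget for an off-mesh
        # host (Istio's default is 10s); confirm it is intended, otherwise
        # connection attempts can time out before the handshake completes.
        connectTimeout: 10ms
        tcpKeepalive:
          time: 7200s
          interval: 75s
      http:
        http2MaxRequests: 1000
        maxRequestsPerConnection: 10
    # Eject an endpoint for 1m after 5 consecutive 5xx responses, evaluated
    # every 2m; never eject more than half the pool, and stop ejecting
    # altogether once fewer than 40% of endpoints are healthy.
    outlierDetection:
      maxEjectionPercent: 50
      consecutive5xxErrors: 5
      interval: 2m
      baseEjectionTime: 1m
      minHealthPercent: 40
  # Subsets keyed on the WorkloadEntry `version` label:
  # v20 -> nginx2001/nginx2002, v21 -> nginx2101.
  subsets:
  - name: v20
    labels:
      version: "v1.20"
  - name: v21
    labels:
      version: "v1.21"
---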

virtualservice-wegit-based-routing.yaml

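# Two-hop routing for nginx.wgs.com:
#   1. inside the mesh (gateway "mesh"): sidecars send the request to the
#      egress gateway Service instead of dialling the host directly;
#   2. on the egress gateway (istio-system/egress): forward to the external
#      host, split 5% to subset v21 (nginx 1.21) / 95% to subset v20.
# Indentation restored: the listing as extracted was not valid YAML.
apiVersion: networking.istio.io/v1beta1
kind: VirtualService
metadata:
  name: nginx-external
spec:
  hosts:
  - nginx.wgs.com
  gateways:
  - istio-system/egress
  - mesh
  http:
  - match:
    - gateways:
      - mesh
    route:
    - destination:
        # The egress Service exposes both 80 and 443 (see `kubectl get svc`
        # above); Istio's own egress example pins `port: number: 80` on this
        # hop — worth adding so the listener choice is explicit, not implied.
        host: istio-egressgateway.istio-system.svc.cluster.local
  - match:
    - gateways:
      - istio-system/egress
    route:
    - destination:
        host: nginx.wgs.com
        subset: v21
      weight: 5
    - destination:
        host: nginx.wgs.com
        subset: v20
      weight: 95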

创建资源

# kubectl apply -f destinationrule-subsets.yaml -f virtualservice-wegit-based-routing.yaml 
destinationrule.networking.istio.io/nginx-external created
virtualservice.networking.istio.io/nginx-external created

访问nginx

root@client # while true;do curl  nginx.wgs.com; sleep 0.$RANDOM;done
nginx 2002
nginx 2002
nginx 2001
nginx 2002
nginx 2002
nginx 2001
nginx 2001
nginx 2101
nginx 2001
nginx 2001
nginx 2001
nginx 2101
nginx 2001

查看kiali

Istio egress gateway_html_02

参考文档

https://istio.io/latest/docs/reference/config/networking/gateway/