The previous article described the nginx-ingress controller; this one briefly discusses the istio-ingressgateway. Link to the previous article: juejin.im/post/684490…

If you understand the picture above, there is no need to read on.

Before Istio 0.8, the Ingress resource from the previous article was used to describe the entry point of services. Because Ingress is limited to layer 7, the Gateway resource object was introduced in Istio's v1alpha3 traffic rules, and it defines only the entry point. What is the difference between istio-ingressgateway and nginx-ingress? In fact, two main things changed:

  • The Gateway resource was added. What is the Gateway resource? It is also managed through a YAML description file. nginx-ingress exposes only two ports, 80 and 443; istio-ingressgateway can now expose multiple ports through the Gateway. The port configured in the Gateway is the port the istio-ingressgateway pod listens on, which is the targetPort of the corresponding Service.
  • nginx was replaced with Envoy.

1. The istio-ingressgateway deployment and service in the official demo

deployment
apiVersion: apps/v1
kind: Deployment
metadata:
  name: istio-ingressgateway
  namespace: istio-system
  labels:
    chart: gateways
    heritage: Tiller
    release: istio
    app: istio-ingressgateway
    istio: ingressgateway
spec:
  replicas: 1
  selector:
    matchLabels:
      app: istio-ingressgateway
      istio: ingressgateway
  strategy:
    rollingUpdate:
      maxSurge: 100%
      maxUnavailable: 25%
  template:
    metadata:
      labels:
        chart: gateways
        heritage: Tiller
        release: istio
        app: istio-ingressgateway
        istio: ingressgateway
      annotations:
        sidecar.istio.io/inject: "false"
    spec:
      serviceAccountName: istio-ingressgateway-service-account
      containers:
        - name: istio-proxy
          image: "docker.io/istio/proxyv2:1.3.0"
          imagePullPolicy: IfNotPresent
          ports:
            - containerPort: 15020
            - containerPort: 80
            - containerPort: 443
            - containerPort: 31400
            - containerPort: 15029
            - containerPort: 15030
            - containerPort: 15031
            - containerPort: 15032
            - containerPort: 15443
            - containerPort: 15090
              protocol: TCP
              name: http-envoy-prom
          args:
          - proxy
          - router
          - --domain
          - $(POD_NAMESPACE).svc.cluster.local
          - --log_output_level=default:info
          - --drainDuration
          - '45s' #drainDuration
          - --parentShutdownDuration
          - '1m0s' #parentShutdownDuration
          - --connectTimeout
          - '10s' #connectTimeout
          - --serviceCluster
          - istio-ingressgateway
          - --zipkinAddress
          - zipkin:9411
          - --proxyAdminPort
          - "15000"
          - --statusPort
          - "15020"
          - --controlPlaneAuthPolicy
          - NONE
          - --discoveryAddress
          - istio-pilot:15010
          readinessProbe:
            failureThreshold: 30
            httpGet:
              path: /healthz/ready
              port: 15020
              scheme: HTTP
            initialDelaySeconds: 1
            periodSeconds: 2
            successThreshold: 1
            timeoutSeconds: 1
          resources:
            limits:
              cpu: 2000m
              memory: 1024Mi
            requests:
              cpu: 10m
              memory: 40Mi
            
          env:
          - name: NODE_NAME
            valueFrom:
              fieldRef:
                apiVersion: v1
                fieldPath: spec.nodeName
          - name: POD_NAME
            valueFrom:
              fieldRef:
                apiVersion: v1
                fieldPath: metadata.name
          - name: POD_NAMESPACE
            valueFrom:
              fieldRef:
                apiVersion: v1
                fieldPath: metadata.namespace
          - name: INSTANCE_IP
            valueFrom:
              fieldRef:
                apiVersion: v1
                fieldPath: status.podIP
          - name: HOST_IP
            valueFrom:
              fieldRef:
                apiVersion: v1
                fieldPath: status.hostIP
          - name: SERVICE_ACCOUNT
            valueFrom:
              fieldRef:
                fieldPath: spec.serviceAccountName
          - name: ISTIO_META_POD_NAME
            valueFrom:
              fieldRef:
                apiVersion: v1
                fieldPath: metadata.name
          - name: ISTIO_META_CONFIG_NAMESPACE
            valueFrom:
              fieldRef:
                fieldPath: metadata.namespace
          - name: SDS_ENABLED
            value: "false"
          - name: ISTIO_META_WORKLOAD_NAME
            value: istio-ingressgateway
          - name: ISTIO_META_OWNER
            value: kubernetes://api/apps/v1/namespaces/istio-system/deployments/istio-ingressgateway
          - name: ISTIO_META_ROUTER_MODE
            value: sni-dnat
          volumeMounts:
          - name: istio-certs
            mountPath: /etc/certs
            readOnly: true
          - name: ingressgateway-certs
            mountPath: "/etc/istio/ingressgateway-certs"
            readOnly: true
          - name: ingressgateway-ca-certs
            mountPath: "/etc/istio/ingressgateway-ca-certs"
            readOnly: true
      volumes:
      - name: istio-certs
        secret:
          secretName: istio.istio-ingressgateway-service-account
          optional: true
      - name: ingressgateway-certs
        secret:
          secretName: "istio-ingressgateway-certs"
          optional: true
      - name: ingressgateway-ca-certs
        secret:
          secretName: "istio-ingressgateway-ca-certs"
          optional: true
      affinity:      
        nodeAffinity:
          requiredDuringSchedulingIgnoredDuringExecution:
            nodeSelectorTerms:
            - matchExpressions:
              - key: beta.kubernetes.io/arch
                operator: In
                values:
                - "amd64"
                - "ppc64le"
                - "s390x"
          preferredDuringSchedulingIgnoredDuringExecution:
          - weight: 2
            preference:
              matchExpressions:
              - key: beta.kubernetes.io/arch
                operator: In
                values:
                - "amd64"
          - weight: 2
            preference:
              matchExpressions:
              - key: beta.kubernetes.io/arch
                operator: In
                values:
                - "ppc64le"
          - weight: 2
            preference:
              matchExpressions:
              - key: beta.kubernetes.io/arch
                operator: In
                values:
                - "s390x"    
service
apiVersion: v1
kind: Service
metadata:
  name: istio-ingressgateway
  namespace: istio-system
  annotations:
  labels:
    chart: gateways
    heritage: Tiller
    release: istio
    app: istio-ingressgateway
    istio: ingressgateway
spec:
  type: LoadBalancer
  selector:
    release: istio
    app: istio-ingressgateway
    istio: ingressgateway
  ports:
    -
      name: status-port
      port: 15020
      targetPort: 15020
    -
      name: http2
      nodePort: 31380
      port: 80
      targetPort: 80 # official has mapped port 80 for us
    -
      name: https
      nodePort: 31390
      port: 443
    -
      name: tcp
      nodePort: 31400
      port: 31400
    -
      name: https-kiali
      port: 15029
      targetPort: 15029
    -
      name: https-prometheus
      port: 15030
      targetPort: 15030
    -
      name: https-grafana
      port: 15031
      targetPort: 15031
    -
      name: https-tracing
      port: 15032
      targetPort: 15032
    -
      name: tls
      port: 15443
      targetPort: 15443

2. Custom service

First apply Gateway, VirtualService, and DestinationRule
apiVersion: networking.istio.io/v1alpha3
kind: Gateway
metadata:
  name: dk-shop
  namespace: dk-shop
spec:
  selector:
    istio: ingressgateway
  servers:
  - port:
      number: 80 # like nginx listening on port 80; this is the port exposed by the istio-ingressgateway pod and corresponds to the Service targetPort
      name: http
      protocol: HTTP
    hosts:
    - "*"
    - user.thanhoo.com
--- 
apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
  name: user
  namespace: dk-shop
spec:
  hosts:
  - "user.thanhoo.com"
  gateways:
  - dk-shop
  http:
  - route:
    - destination:
        host: user
        port:
          number: 80
        subset: v1
---
apiVersion: networking.istio.io/v1alpha3
kind: DestinationRule
metadata:
  name: user
  namespace: dk-shop
spec:
  host: user
  trafficPolicy:
    loadBalancer:
      simple: RANDOM
  subsets:
  - name: v1
    labels:
      version: v1.0
  - name: v2
    labels:
      version: v2.0
The custom service
apiVersion: v1
kind: Service
metadata:
  name: dk-shop-gateway
  namespace: istio-system # Notice the namespace
  annotations:
  labels:
    app: dk-shop-gateway
spec:
  type: NodePort
  selector:
    app: istio-ingressgateway
  ports:
    - name: http2
      nodePort: 30001 # in fact only the port differs from the official Service; the labels are simplified
      port: 80
      targetPort: 80
Request through the official service
curl -i -H host:user.thanhoo.com http://127.0.0.1:31380
HTTP/1.1 200 OK
Content-type: application/json; charset=utf-8
server: istio-envoy
content-length: 5
x-envoy-upstream-service-time: 0
date: Sat, 05 Oct 2019 11:45:34 GMT

Request through the custom service
curl -i -H host:user.thanhoo.com http://127.0.0.1:30001
HTTP/1.1 200 OK
Content-type: application/json; charset=utf-8
server: istio-envoy
content-length: 5
x-envoy-upstream-service-time: 0
date: Sat, 05 Oct 2019 11:46:30 GMT
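
Why both curl calls reach the same Gateway server, as an added example that is not part of the original article: the sketch resolves every Service whose selector matches the ingressgateway pod and whose targetPort equals the Gateway port, and also flags Gateway servers that accept any Host header over plain HTTP. The function names are hypothetical, and the data is transcribed from the manifests above, with only the nodePort entries of the official Service included.

```python
# Added example; the dicts are transcribed from the manifests on this page.
POD_LABELS = {"chart": "gateways", "heritage": "Tiller", "release": "istio",
              "app": "istio-ingressgateway", "istio": "ingressgateway"}
SERVICES = {
    "istio-ingressgateway": {
        "selector": {"release": "istio", "app": "istio-ingressgateway",
                     "istio": "ingressgateway"},
        "ports": [{"name": "http2", "nodePort": 31380, "port": 80, "targetPort": 80},
                  {"name": "https", "nodePort": 31390, "port": 443},
                  {"name": "tcp", "nodePort": 31400, "port": 31400}],
    },
    "dk-shop-gateway": {
        "selector": {"app": "istio-ingressgateway"},
        "ports": [{"name": "http2", "nodePort": 30001, "port": 80, "targetPort": 80}],
    },
}
GATEWAY = {"selector": {"istio": "ingressgateway"},
           "servers": [{"port": {"number": 80, "protocol": "HTTP"},
                        "hosts": ["*", "user.thanhoo.com"]}]}

def selects(selector, labels):
    """A selector matches when every key/value pair is present in the labels."""
    return all(labels.get(k) == v for k, v in selector.items())

def entry_points(gateway, services, pod_labels):
    """Map each Gateway server port to the (service, nodePort) pairs that reach it."""
    if not selects(gateway["selector"], pod_labels):
        return {}  # the Gateway is not bound to this pod at all
    result = {}
    for server in gateway["servers"]:
        number = server["port"]["number"]
        hits = []
        for name, svc in services.items():
            if not selects(svc["selector"], pod_labels):
                continue
            for p in svc["ports"]:
                # Kubernetes defaults targetPort to port when it is omitted.
                if p.get("targetPort", p["port"]) == number:
                    hits.append((name, p.get("nodePort")))
        result[number] = hits
    return result

def findings(gateway):
    """Return ports of servers that accept any Host header over plaintext HTTP."""
    return [s["port"]["number"] for s in gateway["servers"]
            if "*" in s["hosts"] and s["port"]["protocol"] == "HTTP"]
```

For the page's manifests, `entry_points` lists node ports 31380 and 30001 for Gateway port 80, and `findings` reports port 80 because the `"*"` host entry makes the `user.thanhoo.com` entry redundant.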