4

我有一个监听两个端口的服务;一个是http,另一个是grpc。我想设置一个入口,可以使用同一主机路由到这两个端口。

如果使用 http/1.1,负载均衡器将重定向到 http 端口,如果使用 h2,则重定向到 grpc 端口。

有没有办法用 istio 做到这一点?

我做了一个 hello world 来展示我想要实现的目标:

apiVersion: extensions/v1beta1
kind: Deployment
metadata:
  name: hello-world
  namespace: dev
spec:
  replicas: 1
  template:
    metadata:
      annotations:
        alpha.istio.io/sidecar: injected
        pod.beta.kubernetes.io/init-containers: '[{"args":["-p","15001","-u","1337","-i","172.20.0.0/16"],"image":"docker.io/istio/init:0.1","imagePullPolicy":"Always","name":"init","securityContext":{"capabilities":{"add":["NET_ADMIN"]}}}]'
      labels:
        app: hello-world
    spec:
      containers:
      - name: grpc-server
        image: aguilbau/hello-world-grpc:latest
        ports:
        - name: grpc
          containerPort: 50051
      - name: http-server
        image: nginx:1.7.9
        ports:
        - name: http
          containerPort: 80
      - name: istio-proxy
        args:
        - proxy
        - sidecar
        - -v
        - "2"
        env:
        - name: POD_NAME
          valueFrom:
            fieldRef:
              fieldPath: metadata.name
        - name: POD_NAMESPACE
          valueFrom:
            fieldRef:
              fieldPath: metadata.namespace
        - name: POD_IP
          valueFrom:
            fieldRef:
              fieldPath: status.podIP
        image: docker.io/istio/proxy:0.1
        imagePullPolicy: Always
        resources: {}
        securityContext:
          runAsUser: 1337
---
apiVersion: v1
kind: Service
metadata:
  name: hello-world
  namespace: dev
spec:
  ports:
  - name: grpc
    port: 50051
  - name: http
    port: 80
  selector:
    app: hello-world
---
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: hello-world-http
  namespace: dev
  annotations:
    kubernetes.io/ingress.class: "istio"
spec:
  rules:
  - host: hello-world
    http:
      paths:
      - backend:
          serviceName: hello-world
          servicePort: 80
---
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: hello-world-grpc
  namespace: dev
  annotations:
    kubernetes.io/ingress.class: "istio"
spec:
  rules:
  - host: hello-world
    http:
      paths:
      - backend:
          serviceName: hello-world
          servicePort: 50051
---
4

2 回答 2

5

我参加聚会有点晚了,但是对于那些在这篇文章中磕磕绊绊的人,我认为你可以轻松做到这一点。我假设你已经在 kubernetes 集群上安装了 istio,并且很乐意使用默认的 istio-ingressgateway:

apiVersion: extensions/v1beta1
kind: Deployment
metadata:
  name: hello-world
  namespace: dev
spec:
  replicas: 1
  template:
    metadata:
      annotations:
        alpha.istio.io/sidecar: injected
        pod.beta.kubernetes.io/init-containers: '[{"args":["-p","15001","-u","1337","-i","172.20.0.0/16"],"image":"docker.io/istio/init:0.1","imagePullPolicy":"Always","name":"init","securityContext":{"capabilities":{"add":["NET_ADMIN"]}}}]'
      labels:
        app: hello-world
    spec:
      containers:
      - name: grpc-server
        image: aguilbau/hello-world-grpc:latest
        ports:
        - name: grpc
          containerPort: 50051
      - name: http-server
        image: nginx:1.7.9
        ports:
        - name: http
          containerPort: 80
      - name: istio-proxy
        args:
        - proxy
        - sidecar
        - -v
        - "2"
        env:
        - name: POD_NAME
          valueFrom:
            fieldRef:
              fieldPath: metadata.name
        - name: POD_NAMESPACE
          valueFrom:
            fieldRef:
              fieldPath: metadata.namespace
        - name: POD_IP
          valueFrom:
            fieldRef:
              fieldPath: status.podIP
        image: docker.io/istio/proxy:0.1
        imagePullPolicy: Always
        resources: {}
        securityContext:
          runAsUser: 1337

---

apiVersion: v1
kind: Service
metadata:
  name: hello-world
  namespace: dev
spec:
  ports:
  - name: grpc
    port: 50051
  - name: http
    port: 80
  selector:
    app: hello-world

---

apiVersion: networking.istio.io/v1alpha3
kind: Gateway
metadata:
  name: hello-world-istio-gate
  namespace: dev
spec:
  selector:
    istio: ingressgateway
  servers:
  - port:
      number: 80
      name: http
      protocol: HTTP
    hosts:
    - "*"
  - port:
      number: 50051
      name: grpc
      protocol: GRPC
    hosts:
    - "*"

---

apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
  name: hello-world-istio-vsvc
  namespace: dev
spec:
  hosts:
  - "*"
  gateways:
  - hello-world-istio-gate
  http:
  - match:
    - port: 80
    route:
    - destination:
        host: hello-world
        port:
          number: 80
  tcp:
  - match:
    - port: 50051
    route:
    - destination:
        host: hello-world
        port:
          number: 50051

上面的配置省略了你的两个入口,而是包括:

  1. 您的部署
  2. 您的服务
  3. 一个 istio 网关
  4. 一个 istio 虚拟服务

有一个重要的额外部分没有显示,我之前在谈论使用默认入口网关时提到了它。在“hello-world-istio-gateway”中找到的以下行提供了一个线索:

istio: ingressgateway

这指的是 'istio-system' 命名空间中的一个 pod,通常默认安装称为 'istio-ingressgateway' - 这个 pod 由一个也称为 'istio-ingressgateway' 的服务公开。 您需要在“istio-ingressgateway”服务上打开端口。

例如,我编辑了我的(默认)入口网关,并为 HTTP 和 GRPC 添加了一个端口开放。结果是以下(针对长度进行了编辑)yaml 代码:

dampersand@kubetest1:~/k8s$ kubectl get service istio-ingressgateway -n istio-system -o yaml
apiVersion: v1
kind: Service
metadata:

<omitted for length>

  labels:
    app: istio-ingressgateway
    chart: gateways-1.0.3
    heritage: Tiller
    istio: ingressgateway
    release: istio
  name: istio-ingressgateway
  namespace: istio-system

  <omitted for length>

  ports:
  - name: http2
    nodePort: 31380
    port: 80
    protocol: TCP
    targetPort: 80

  <omitted for length>

  - name: grpc
    nodePort: 30000
    port: 50051
    protocol: TCP
    targetPort: 50051
  selector:
    app: istio-ingressgateway
    istio: ingressgateway
  type: NodePort

进行上述更改(出于测试目的)的最简单方法是使用:

kubectl edit svc -n istio-system istio-ingressgateway

出于生产目的,最好编辑 helm chart 或 istio.yaml 文件或最初用于设置 ingressgateway 的任何文件。

顺便说一句,请注意我的测试集群将 istio-ingressgateway 设置为 NodePort,所以上面的 yaml 文件说我的集群是端口转发 31380 -> 80 和 30000 -> 50051。你可能(可能)有istio-ingressgateway 设置为 LoadBalancer,这将是不同的......所以相应地计划。

最后,以下博客文章是我在本文中概述的工具的一些非常出色的背景阅读!https://blog.jayway.com/2018/10/22/understanding-istio-ingress-gateway-in-kubernetes/

于 2018-11-30T19:48:52.417 回答
1

grpc-server如果您将和http-server容器移动到具有唯一标签的不同 pod 中(即,可以说是服务的不同版本),然后在 Ingress 后面使用 Istio 路由规则分割流量,您也许可以做类似的事情。与标头匹配的规则Upgrade: h2可以将流量发送到 grpc 版本,默认规则会将其余流量发送到 http 版本。

于 2017-07-06T21:58:51.090 回答