consul - Envoy sidecar-proxy 公共监听器

Question

我正在尝试设置一个 Service Mesh PoC，我有三个微服务，每个微服务都使用它们的 sidecar-proxy（通过 envoy）运行。我运行以下命令来启动代理：

consul connect envoy -sidecar-for <CONSUL_SERVICE_ID> -admin-bind 127.0.0.1:19000 -http-addr http://127.0.0.1:8500 -grpc-addr 127.0.0.1:8502

问题是我的 sidecar-proxy 在端口 21002 上启动了一个公共监听器（不知道这个端口名称来自哪里，envoy 的配置文件无处可寻）并且无法访问。这会导致我的边车运行状况检查失败，从而导致我的服务重定向失败。

[2020-06-16 15:02:30.672][24383][debug][config] [external/envoy/source/server/filter_chain_manager_impl.cc:214] new fc_contexts has 1 filter chains, including 1 newly built
[2020-06-16 15:02:30.672][24383][debug][init] [external/envoy/source/common/init/target_impl.cc:15] init manager Server initializing target Listener-init-target public_listener:10.26.57.59:21000
[2020-06-16 15:02:30.672][24383][debug][init] [external/envoy/source/common/init/manager_impl.cc:45] init manager Listener-local-init-manager public_listener:10.26.57.59:21000 5712408582249607733 contains no targets
[2020-06-16 15:02:30.672][24383][debug][init] [external/envoy/source/common/init/watcher_impl.cc:14] init manager Listener-local-init-manager public_listener:10.26.57.59:21000 5712408582249607733 initialized, notifying Listener-local-init-watcher public_listener:10.26.57.59:21000
[2020-06-16 15:02:30.672][24383][debug][init] [external/envoy/source/common/init/watcher_impl.cc:14] target Listener-init-target public_listener:10.26.57.59:21000 initialized, notifying init manager Server
[2020-06-16 15:02:30.672][24383][debug][config] [external/envoy/source/server/listener_impl.cc:80] Create listen socket for listener public_listener:10.26.57.59:21000 on address 10.26.57.59:21000
[2020-06-16 15:02:30.672][24383][debug][config] [external/envoy/source/server/listener_impl.cc:70] Set listener public_listener:10.26.57.59:21000 socket factory local address to 10.26.57.59:21000
[2020-06-16 15:02:30.672][24383][debug][config] [external/envoy/source/server/listener_impl.cc:508] add active listener: name=public_listener:10.26.57.59:21000, hash=5712408582249607733, address=10.26.57.59:21000
[2020-06-16 15:02:30.672][24383][info][upstream] [external/envoy/source/server/lds_api.cc:76] lds: add/update listener 'public_listener:10.26.57.59:21000'
[2020-06-16 15:02:30.672][24383][warning][misc] [external/envoy/source/common/protobuf/utility.cc:198] Using deprecated option 'envoy.api.v2.listener.Filter.config' from file listener_components.proto. This configuration will be removed from Envoy soon. Please see https://www.envoyproxy.io/docs/envoy/latest/intro/deprecated for details.
[2020-06-16 15:02:30.672][24383][debug][config] [external/envoy/source/server/listener_manager_impl.cc:386] begin add/update listener: name=javatestrs-microc-cicdev:127.0.0.1:6610 hash=14335360969741422718

您对访问此特使公共侦听器有任何想法吗？

边车日志：

[2020-06-16 15:02:30.672][24383][debug][config] [external/envoy/source/server/filter_chain_manager_impl.cc:214] new fc_contexts has 1 filter chains, including 1 newly built
[2020-06-16 15:02:30.672][24383][debug][init] [external/envoy/source/common/init/target_impl.cc:15] init manager Server initializing target Listener-init-target public_listener:10.26.57.59:21000
[2020-06-16 15:02:30.672][24383][debug][init] [external/envoy/source/common/init/manager_impl.cc:45] init manager Listener-local-init-manager public_listener:10.26.57.59:21000 5712408582249607733 contains no targets
[2020-06-16 15:02:30.672][24383][debug][init] [external/envoy/source/common/init/watcher_impl.cc:14] init manager Listener-local-init-manager public_listener:10.26.57.59:21000 5712408582249607733 initialized, notifying Listener-local-init-watcher public_listener:10.26.57.59:21000
[2020-06-16 15:02:30.672][24383][debug][init] [external/envoy/source/common/init/watcher_impl.cc:14] target Listener-init-target public_listener:10.26.57.59:21000 initialized, notifying init manager Server
[2020-06-16 15:02:30.672][24383][debug][config] [external/envoy/source/server/listener_impl.cc:80] Create listen socket for listener public_listener:10.26.57.59:21000 on address 10.26.57.59:21000
[2020-06-16 15:02:30.672][24383][debug][config] [external/envoy/source/server/listener_impl.cc:70] Set listener public_listener:10.26.57.59:21000 socket factory local address to 10.26.57.59:21000
[2020-06-16 15:02:30.672][24383][debug][config] [external/envoy/source/server/listener_impl.cc:508] add active listener: name=public_listener:10.26.57.59:21000, hash=5712408582249607733, address=10.26.57.59:21000
[2020-06-16 15:02:30.672][24383][info][upstream] [external/envoy/source/server/lds_api.cc:76] lds: add/update listener 'public_listener:10.26.57.59:21000'
[2020-06-16 15:02:30.672][24383][warning][misc] [external/envoy/source/common/protobuf/utility.cc:198] Using deprecated option 'envoy.api.v2.listener.Filter.config' from file listener_components.proto. This configuration will be removed from Envoy soon. Please see https://www.envoyproxy.io/docs/envoy/latest/intro/deprecated for details.
[2020-06-16 15:02:30.672][24383][debug][config] [external/envoy/source/server/listener_manager_impl.cc:386] begin add/update listener: name=javatestrs-microc-cicdev:127.0.0.1:6610 hash=14335360969741422718

Answer 1

对调试 Envoy 代理非常有帮助的一件事是管理端口。您可以从中获取活动的侦听器、集群，甚至是完整的配置转储。如果不使用 consul-connect，我只能从您的输出中猜测一下，但我将从端口 19000 开始。

执行到运行代理的任何主机，并尝试curl localhost:19000/listeners查看它是否响应（或任何其他管理路径）。如果它响应，您可以获得完整的/config_dump信息，它将描述该 sidecar 的整个设置：它正在侦听的端口、它们是否启用了 TLS、它们匹配的路径等。

Answer 2

公共侦听器端口由 Consul 从默认范围（21000 - 21255）自动分配给 sidecar。它用于从网格中的其他代理接收 mTLS 连接。范围可以在 Consul 代理的配置中定义ports {}。

ports {
  sidecar_min_port = 30000
  sidecar_max_port = 31000
}

有关特定文档，请参阅https://www.consul.io/docs/agent/options#sidecar_min_port。

port您可以使用sidecar 服务定义中的参数选择特定端口。

{
  "service": {
    "name": "web",
    "port": 8080,
    "connect": {
      "sidecar_service": {
        "port": 31000
      }
    }
  }
}