istio 中 Gateway 如何选择 ingressgateway 呢?

GatewayServiceselector 字段作用原理一样, 通过 Deploymenttemplate 的 labels 来进行筛选.

比如现在有一个部署和服务的定义如下:

apiVersion: v1
kind: Service
metadata:
  name: istio-ingressgateway
spec:
  selector:
    istio: ingressgateway-a
    [......]
    
---
apiVersion: extensions/v1beta1
kind: Deployment
metadata:
  name: istio-ingressgateway
spec:
  template:
    metadata:
      labels:
        istio: ingressgateway-a
    [......]

则可以被以下网关选中:

apiVersion: networking.istio.io/v1alpha3
kind: Gateway
metadata:
  name: preview
  namespace: service-a
spec:
  selector:
    istio: ingressgateway-a
  servers:
  - port:
      name: http
      number: 80
      protocol: HTTP
    hosts:
      - "*"

另外需要注意的是, istio-ingressgateway 需要连接到 istio-pilot, 部署时启动参数需要改正确

比如完整示例就有所改动,改动如下:

apiVersion: extensions/v1beta1
kind: Deployment
metadata:
  name: istio-ingressgateway
spec:
  template:
    spec:
      containers:
          args:
          [......]
          - --zipkinAddress
          - zipkin.istio-system:9411
          - --discoveryAddress
          - istio-pilot.istio-system:15010

完整的 istio-ingressgateway 定义示例(部署到命名空间 service-a)

部署

---
# Source: istio/charts/gateways/templates/deployment.yaml

apiVersion: extensions/v1beta1
kind: Deployment
metadata:
  name: istio-ingressgateway
  namespace: service-a
  labels:
    chart: gateways
    heritage: Tiller
    release: istio
    app: istio-ingressgateway
    istio: ingressgateway
spec:
  template:
    metadata:
      labels:
        chart: gateways
        heritage: Tiller
        release: istio
        app: istio-ingressgateway
        istio: ingressgateway-a
      annotations:
        sidecar.istio.io/inject: "false"
        scheduler.alpha.kubernetes.io/critical-pod: ""
    spec:
      serviceAccountName: istio-ingressgateway-service-account
      containers:
        - name: istio-proxy
          image: "docker.io/istio/proxyv2:1.1.0"
          imagePullPolicy: IfNotPresent
          ports:
            - containerPort: 80
            - containerPort: 443
            - containerPort: 31400
            - containerPort: 15029
            - containerPort: 15030
            - containerPort: 15031
            - containerPort: 15032
            - containerPort: 15443
            - containerPort: 15020
            - containerPort: 15090
              protocol: TCP
              name: http-envoy-prom
          args:
          - proxy
          - router
          - --domain
          - $(POD_NAMESPACE).svc.cluster.local
          - --log_output_level
          - 'info'
          - --drainDuration
          - '45s' #drainDuration
          - --parentShutdownDuration
          - '1m0s' #parentShutdownDuration
          - --connectTimeout
          - '10s' #connectTimeout
          - --serviceCluster
          - istio-ingressgateway
          - --zipkinAddress
          - zipkin.istio-system:9411
          - --proxyAdminPort
          - "15000"
          - --statusPort
          - "15020"
          - --controlPlaneAuthPolicy
          - NONE
          - --discoveryAddress
          - istio-pilot.istio-system:15010
          readinessProbe:
            failureThreshold: 30
            httpGet:
              path: /healthz/ready
              port: 15020
              scheme: HTTP
            initialDelaySeconds: 1
            periodSeconds: 2
            successThreshold: 1
            timeoutSeconds: 1
          resources:
            requests:
              cpu: 10m
            
          env:
          - name: POD_NAME
            valueFrom:
              fieldRef:
                apiVersion: v1
                fieldPath: metadata.name
          - name: POD_NAMESPACE
            valueFrom:
              fieldRef:
                apiVersion: v1
                fieldPath: metadata.namespace
          - name: INSTANCE_IP
            valueFrom:
              fieldRef:
                apiVersion: v1
                fieldPath: status.podIP
          - name: ISTIO_META_POD_NAME
            valueFrom:
              fieldRef:
                apiVersion: v1
                fieldPath: metadata.name
          - name: ISTIO_META_CONFIG_NAMESPACE
            valueFrom:
              fieldRef:
                fieldPath: metadata.namespace
          - name: ISTIO_META_ROUTER_MODE
            value: sni-dnat
          volumeMounts:
          - name: istio-certs
            mountPath: /etc/certs
            readOnly: true
          - name: ingressgateway-certs
            mountPath: "/etc/istio/ingressgateway-certs"
            readOnly: true
          - name: ingressgateway-ca-certs
            mountPath: "/etc/istio/ingressgateway-ca-certs"
            readOnly: true
      volumes:
      - name: istio-certs
        secret:
          secretName: istio.istio-ingressgateway-service-account
          optional: true
      - name: ingressgateway-certs
        secret:
          secretName: "istio-ingressgateway-certs"
          optional: true
      - name: ingressgateway-ca-certs
        secret:
          secretName: "istio-ingressgateway-ca-certs"
          optional: true
      affinity:      
        nodeAffinity:
          requiredDuringSchedulingIgnoredDuringExecution:
            nodeSelectorTerms:
            - matchExpressions:
              - key: beta.kubernetes.io/arch
                operator: In
                values:
                - amd64
                - ppc64le
                - s390x
          preferredDuringSchedulingIgnoredDuringExecution:
          - weight: 2
            preference:
              matchExpressions:
              - key: beta.kubernetes.io/arch
                operator: In
                values:
                - amd64
          - weight: 2
            preference:
              matchExpressions:
              - key: beta.kubernetes.io/arch
                operator: In
                values:
                - ppc64le
          - weight: 2
            preference:
              matchExpressions:
              - key: beta.kubernetes.io/arch
                operator: In
                values:
                - s390x
---

服务

---
# Source: istio/charts/gateways/templates/service.yaml

apiVersion: v1
kind: Service
metadata:
  name: istio-ingressgateway
  namespace: service-a
  annotations:
  labels:
    chart: gateways
    heritage: Tiller
    release: istio
    app: istio-ingressgateway
    istio: ingressgateway
spec:
  type: LoadBalancer
  selector:
    release: istio
    app: istio-ingressgateway
    istio: ingressgateway-a
  externalIPs:
    - 172.21.91.30
  ports:
    - name: http2
      port: 80
      targetPort: 80
    - name: https
      port: 443
    - name: tcp
      port: 31400
    - name: https-kiali
      port: 15029
      targetPort: 15029
    - name: https-prometheus
      port: 15030
      targetPort: 15030
    - name: https-grafana
      port: 15031
      targetPort: 15031
    - name: https-tracing
      port: 15032
      targetPort: 15032
    - name: tls
      port: 15443
      targetPort: 15443
    - name: status-port
      port: 15020
      targetPort: 15020
      
---

授权


---
# Source: istio/charts/gateways/templates/serviceaccount.yaml

apiVersion: v1
kind: ServiceAccount
metadata:
  name: istio-ingressgateway-service-account
  namespace: service-a
  labels:
    app: istio-ingressgateway
    chart: gateways
    heritage: Tiller
    release: istio
---


---
# Source: istio/charts/gateways/templates/clusterrole.yaml

apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: istio-ingressgateway-istio-system
  labels:
    app: ingressgateway
    chart: gateways
    heritage: Tiller
    release: istio
rules:
- apiGroups: ["networking.istio.io"]
  resources: ["virtualservices", "destinationrules", "gateways"]
  verbs: ["get", "watch", "list", "update"]
---

---
# Source: istio/charts/gateways/templates/clusterrolebindings.yaml

apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: istio-ingressgateway-huoys
  labels:
    app: ingressgateway
    chart: gateways
    heritage: Tiller
    release: istio
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: istio-ingressgateway-istio-system
subjects:
- kind: ServiceAccount
  name: istio-ingressgateway-service-account
  namespace: service-a
---

---
# Source: istio/charts/gateways/templates/role.yaml

apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: istio-ingressgateway-sds
  namespace: service-a
rules:
- apiGroups: [""]
  resources: ["secrets"]
  verbs: ["get", "watch", "list"]
---

---
# Source: istio/charts/gateways/templates/rolebindings.yaml

apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: istio-ingressgateway-sds
  namespace: service-a
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: istio-ingressgateway-sds
subjects:
- kind: ServiceAccount
  name: istio-ingressgateway-service-account
---

可选

自动伸缩

---
# Source: istio/charts/gateways/templates/autoscale.yaml

apiVersion: autoscaling/v2beta1
kind: HorizontalPodAutoscaler
metadata:
  name: istio-ingressgateway
  namespace: service-a
  labels:
    app: ingressgateway
    chart: gateways
    heritage: Tiller
    release: istio
spec:
  maxReplicas: 5
  minReplicas: 1
  scaleTargetRef:
    apiVersion: apps/v1beta1
    kind: Deployment
    name: istio-ingressgateway
  metrics:
    - type: Resource
      resource:
        name: cpu
        targetAverageUtilization: 80
---

---
# Source: istio/charts/gateways/templates/poddisruptionbudget.yaml

apiVersion: policy/v1beta1
kind: PodDisruptionBudget
metadata:
  name: istio-ingressgateway
  namespace: service-a
  labels:
    chart: gateways
    heritage: Tiller
    release: istio
    app: istio-ingressgateway
    istio: ingressgateway
spec:

  minAvailable: 1
  selector:
    matchLabels:
      release: istio
      app: istio-ingressgateway
      istio: ingressgateway
---

Logo

权威|前沿|技术|干货|国内首个API全生命周期开发者社区

更多推荐