1. Introduction
After Istio is installed, users outside the cluster cannot, by default, directly reach management and monitoring services running inside the Istio cluster, such as Grafana.
There are two ways to expose in-cluster services. The first is port-forward, which forwards traffic from a local port to a pod port to reach the in-cluster service; the second is an Istio gateway, which exposes the in-cluster service to the external network.
The second approach requires the cluster's default gateway service, istio-ingressgateway, to be switched to NodePort mode so that it acts as the proxy for external access.
2. Enabling NodePort mode for the ingressgateway
(1) Set the working mode of the ingress gateway
When installing Istio, the parameter --set gateways.istio-ingressgateway.type=NodePort sets the working mode of the ingress gateway component.
-- Create Istio, install the grafana, kiali and tracing components, and set the ingress gateway mode to NodePort
helm install istio.io/istio --name istio --namespace=istio-system --set gateways.istio-ingressgateway.type=NodePort --set grafana.enabled=true --set kiali.enabled=true --set tracing.enabled=true
If this parameter was not specified when Istio was installed, it can be changed in either of the following ways
helm upgrade istio istio.io/istio --set gateways.istio-ingressgateway.type=NodePort --set grafana.enabled=true --set kiali.enabled=true --set tracing.enabled=true
or
kubectl patch service istio-ingressgateway -n istio-system -p '{"spec":{"type":"NodePort"}}'
(2) Verify the network mode of the ingress gateway
kubectl get svc -n istio-system
NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE
grafana ClusterIP 172.18.87.213 <none> 3000/TCP 3m45s
istio-citadel ClusterIP 172.18.62.138 <none> 8060/TCP,15014/TCP 4h56m
istio-galley ClusterIP 172.18.108.232 <none> 443/TCP,15014/TCP,9901/TCP 4h56m
-----------
istio-ingressgateway NodePort 172.18.24.214 <none> 15020:31970/TCP,80:31380/TCP,443:31390/TCP,31400:31400/TCP,15029:32365/TCP,15030:30818/TCP,15031:30828/TCP,15032:31036/TCP,15443:30309/TCP 4h56m
----------- istio-ingressgateway is now in NodePort mode
istio-pilot ClusterIP 172.18.249.193 <none> 15010/TCP,15011/TCP,8080/TCP,15014/TCP 4h56m
istio-policy ClusterIP 172.18.236.243 <none> 9091/TCP,15004/TCP,15014/TCP 4h56m
istio-sidecar-injector ClusterIP 172.18.41.244 <none> 443/TCP,15014/TCP 4h56m
istio-telemetry ClusterIP 172.18.199.225 <none> 9091/TCP,15004/TCP,15014/TCP,42422/TCP 4h56m
jaeger-agent ClusterIP None <none> 5775/UDP,6831/UDP,6832/UDP 3m45s
jaeger-collector ClusterIP 172.18.252.169 <none> 14267/TCP,14268/TCP 3m45s
jaeger-query ClusterIP 172.18.112.84 <none> 16686/TCP 3m45s
kiali ClusterIP 172.18.27.228 <none> 20001/TCP 3m45s
prometheus ClusterIP 172.18.67.104 <none> 9090/TCP 4h56m
tracing ClusterIP 172.18.118.65 <none> 80/TCP 3m45s
zipkin ClusterIP 172.18.105.196 <none> 9411/TCP 3m45s
[root@centos75 istio-ui]#
(3) Check the port mappings of the ingress gateway acting as the edge proxy
[root@centos75 istio-ui]# kubectl describe svc istio-ingressgateway -n istio-system
Name: istio-ingressgateway
Namespace: istio-system
Labels: app=istio-ingressgateway
chart=gateways
heritage=Tiller
istio=ingressgateway
release=istio
Annotations: <none>
Selector: app=istio-ingressgateway,istio=ingressgateway,release=istio
Type: NodePort
IP: 172.18.24.214
Port: status-port 15020/TCP
TargetPort: 15020/TCP
NodePort: status-port 31970/TCP
Endpoints: 192.168.148.92:15020
Port: http2 80/TCP
TargetPort: 80/TCP
NodePort: http2 31380/TCP
Endpoints: 192.168.148.92:80
Port: https 443/TCP
TargetPort: 443/TCP
NodePort: https 31390/TCP
Endpoints: 192.168.148.92:443
Port: tcp 31400/TCP
TargetPort: 31400/TCP
NodePort: tcp 31400/TCP
Endpoints: 192.168.148.92:31400
Port: https-kiali 15029/TCP
TargetPort: 15029/TCP
NodePort: https-kiali 32365/TCP
Endpoints: 192.168.148.92:15029
Port: https-prometheus 15030/TCP
TargetPort: 15030/TCP
NodePort: https-prometheus 30818/TCP
Endpoints: 192.168.148.92:15030
--------- the https-grafana port 15031 is mapped to node port 30828; we need to associate port 15031 with grafana
Port: https-grafana 15031/TCP
TargetPort: 15031/TCP
NodePort: https-grafana 30828/TCP
Endpoints: 192.168.148.92:15031
--------- users outside the cluster can reach the grafana service by accessing port 30828 on the gateway node
Port: https-tracing 15032/TCP
TargetPort: 15032/TCP
NodePort: https-tracing 31036/TCP
Endpoints: 192.168.148.92:15032
Port: tls 15443/TCP
TargetPort: 15443/TCP
NodePort: tls 30309/TCP
Endpoints: 192.168.148.92:15443
Session Affinity: None
External Traffic Policy: Cluster
Events: <none>
[root@centos75 istio-ui]#
As shown above, a set of port mappings was preconfigured when the ingressgateway was created. Among them, the https-grafana port 15031 is mapped to node port 30828. By associating port 15031 with grafana, users outside the cluster can reach the grafana service through port 30828 on the gateway host.
4. Exposing in-cluster services via a gateway
The Gateway and VirtualService resources for the service need to be created as follows
(1) Create the Gateway for grafana
The gateway's server port is 15031, which corresponds exactly to the ingressgateway NodePort 30828.
[root@centos75 istio-ui]# cat grafana-gateway.yaml
apiVersion: networking.istio.io/v1alpha3
kind: Gateway
metadata:
  name: grafana-gateway
spec:
  selector:
    istio: ingressgateway
  servers:
  - port:
      number: 15031
      name: http
      protocol: HTTP
    hosts:
    - "*"
[root@centos75 istio-ui]# kubectl apply -f grafana-gateway.yaml -n istio-system
gateway.networking.istio.io/grafana-gateway created
[root@centos75 istio-ui]#
(2) Create the VirtualService for grafana
Bind the VirtualService to grafana-gateway so that traffic arriving from the gateway is routed to port 3000 of the internal grafana service
[root@centos75 istio-ui]# cat grafana-vs.yaml
apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
  name: grafana-vs
spec:
  hosts:
  - "*"
  gateways:
  - grafana-gateway
  http:
  - route:
    - destination:
        host: grafana
        port:
          number: 3000
[root@centos75 istio-ui]# kubectl apply -f grafana-vs.yaml -n istio-system
virtualservice.networking.istio.io/grafana-vs unchanged
[root@centos75 istio-ui]#
(3) Test connectivity to grafana
[root@centos75 istio-ui]# curl -I http://10.0.135.30:30828
HTTP/1.1 200 OK
content-type: text/html; charset=UTF-8
date: Sat, 14 Sep 2019 11:22:50 GMT
x-envoy-upstream-service-time: 1
server: istio-envoy
transfer-encoding: chunked
[root@centos75 istio-ui]#
The test succeeded.
5. Summary
This approach uses the Istio edge gateway to map internal services to the outside world. It can take advantage of the traffic management capabilities of the Istio gateway and is better suited to this purpose than port-forward.
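As an added check that is not part of the original post, the following Python derives which NodePort exposes each Gateway server and flags what a reviewer would look at before opening a management UI this way: a server port with no NodePort mapping on the ingress Service, a plaintext HTTP server on a port the Service names https-*, and wildcard hosts. The JSON is constructed to mirror the relevant fields of `kubectl get svc istio-ingressgateway -n istio-system -o json` and of the grafana-gateway above; the function name is my own.

```python
import json

# Constructed sample: the fields that matter from
#   kubectl get svc istio-ingressgateway -n istio-system -o json
# trimmed to the ports shown in the post (values mirror the page's output).
INGRESS_SVC = json.loads("""{"spec": {"type": "NodePort", "ports": [
  {"name": "http2", "port": 80, "nodePort": 31380, "protocol": "TCP"},
  {"name": "https", "port": 443, "nodePort": 31390, "protocol": "TCP"},
  {"name": "https-grafana", "port": 15031, "nodePort": 30828, "protocol": "TCP"},
  {"name": "https-tracing", "port": 15032, "nodePort": 31036, "protocol": "TCP"}]}}""")

# Constructed sample mirroring grafana-gateway.yaml from the post.
GATEWAY = json.loads("""{"spec": {"selector": {"istio": "ingressgateway"},
  "servers": [{"port": {"number": 15031, "name": "http", "protocol": "HTTP"},
               "hosts": ["*"]}]}}""")


def node_ports_for_gateway(svc, gateway):
    """Map each Gateway server port to the NodePort that exposes it.

    Returns a list of (server_port, node_port, hosts, findings). A server whose
    port is absent from the ingress Service gets node_port None, because that
    Gateway would be unreachable from outside the cluster.
    """
    if svc["spec"].get("type") != "NodePort":
        raise ValueError("ingress Service is not NodePort; no external node port exists")
    by_port = {p["port"]: p for p in svc["spec"]["ports"]}
    result = []
    for server in gateway["spec"]["servers"]:
        number = server["port"]["number"]
        proto = server["port"]["protocol"].upper()
        hosts = server.get("hosts", [])
        svc_port = by_port.get(number)
        findings = []
        if svc_port is None:
            findings.append(f"port {number} has no NodePort mapping on the ingress Service")
        elif svc_port["name"].startswith("https") and proto != "HTTPS":
            findings.append(f"service port '{svc_port['name']}' implies TLS but Gateway protocol is {proto}")
        if "*" in hosts:
            findings.append("wildcard hosts: any Host header reaches this server")
        result.append((number, svc_port["nodePort"] if svc_port else None, hosts, findings))
    return result


if __name__ == "__main__":
    for port, node_port, hosts, findings in node_ports_for_gateway(INGRESS_SVC, GATEWAY):
        print(f"gateway port {port} -> NodePort {node_port}, hosts={hosts}")
        for f in findings:
            print("  finding:", f)
```

For the post's configuration this resolves 15031 to NodePort 30828 and reports two findings: the Service names the port https-grafana while the Gateway serves plain HTTP, and hosts is "*", so the Grafana UI answers to any hostname on that port.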