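1. The Gateway resource configures Envoy to listen on port 80 and wait for HTTP traffic. Route: all traffic entering through a Service's Listener (match /*) is routed to the Cluster generated from that Service's Pods.
- Use a VirtualService resource to route traffic from the ingress gateway (Gateway listening IP: NodePort; listening port: 80) to the specific service webapp.
- Istio compared with K8s Ingress: the Ingress specification treats only ports 80 and 443 as entry points and does not support TCP connections. Istio's Gateway handles layer 4 and layer 5 concerns, while the VirtualService handles layer 7 concerns.
->External Client --> IngressGateway Service --> IngressGateway Pod (Listener (defined by the Gateway) --> Route (defined by the VirtualService) --> Cluster (can be configured automatically by the control plane from discovered Services) --> endpoint)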
# istioctl -n istio-system proxy-config listener deploy/istio-ingressgateway
ADDRESS PORT MATCH DESTINATION
0.0.0.0 8080 ALL Route: http.8080
0.0.0.0 15021 ALL Inline Route: /healthz/ready*
0.0.0.0 15090 ALL Inline Route: /stats/prometheus*
# istioctl -n istio-system proxy-config route deploy/istio-ingressgateway -o json --name http.8080
"name": "hiroakis.com:80",
"domains": [
"hiroakis.com"
],
"routes": [
{
"match": {
"prefix": "/"
},
"route": {
"cluster": "outbound|80||webapp.bookinfo.svc.cluster.local",
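->Client --> Envoy Sidecar (outbound: egress listener --> route --> cluster --> endpoint (generated from the target)) --> Server Pod Envoy Sidecar (inbound: ingress listener --> route --> local cluster --> localhost (application container) (generated from the service it belongs to))
2. The rules defined by the VirtualService apply to traffic coming from the gateway - bookinfo-gateway. It specifies the virtual host hosts: - "hiroakis.com", matches the hiroakis.com rule, and resolves it to the IP address (NodePort) that the Istio gateway is listening on.
- The VirtualService creates an Envoy route in the Istio gateway that routes traffic matching the domain hiroakis.com to webapp in the service mesh. Test: the client explicitly sets the Host header of the HTTP request to hiroakis.com, i.e. overrides the Host header in the command.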
apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
  name: webapp-virtualservice
spec:
  hosts:
  - "hiroakis.com"
  gateways:
  - bookinfo-gateway
  http:
  - route:
    - destination:
        host: webapp
        port:
          number: 80
ok---># curl http://hiroakis.com:30933/api/catalog -H "Host: hiroakis.com"
ok---># curl http://10.16.96.141/api/catalog -H "Host: hiroakis.com"
nok--># curl http://10.16.96.141/api/catalog
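The Host-based matching behind the ok/nok results above, as an added example (not part of the original notes): it walks a route dump shaped like the `proxy-config route -o json` excerpt and reports which cluster a given Host header and path reach, which is also a quick way to audit what an ingress gateway exposes. The sample JSON is constructed from the excerpt, the function names are hypothetical, and the Host value is assumed to be compared as sent, without port stripping.

```python
import json

# Constructed sample shaped like the page's `proxy-config route -o json` excerpt.
ROUTE_CONFIG = json.loads("""
[{"name": "http.8080",
  "virtualHosts": [
    {"name": "hiroakis.com:80",
     "domains": ["hiroakis.com"],
     "routes": [{"match": {"prefix": "/"},
                 "route": {"cluster": "outbound|80||webapp.bookinfo.svc.cluster.local"}}]}]}]
""")

def domain_rank(pattern, host):
    """Return a sort key if pattern matches host (lower is better), else None.
    Order follows Envoy's documented search: exact, suffix wildcard (*.foo.com),
    prefix wildcard (foo.*), then the catch-all "*"."""
    pattern, host = pattern.lower(), host.lower()
    if pattern == host:
        return (0, 0)
    if pattern == "*":
        return (3, 0)
    if pattern.startswith("*") and host.endswith(pattern[1:]):
        return (1, -len(pattern))      # longest suffix wins
    if pattern.endswith("*") and host.startswith(pattern[:-1]):
        return (2, -len(pattern))      # longest prefix wins
    return None

def resolve(route_config, host, path):
    """Return (virtual host name, cluster), or None when nothing matches (Envoy replies 404).
    Simplification: every route config in the dump is searched, not one listener's."""
    best = None
    for rc in route_config:
        for vh in rc.get("virtualHosts", []):
            for dom in vh.get("domains", []):
                rank = domain_rank(dom, host)
                if rank is not None and (best is None or rank < best[0]):
                    best = (rank, vh)
    if best is None:
        return None
    for r in best[1].get("routes", []):     # first matching route wins
        if path.startswith(r.get("match", {}).get("prefix", "\0")):
            return best[1]["name"], r["route"]["cluster"]
    return None

def exposed_to_any_host(route_config):
    """Virtual hosts reachable without knowing a hostname (domain "*")."""
    return [vh["name"] for rc in route_config for vh in rc.get("virtualHosts", [])
            if "*" in vh.get("domains", [])]
```

`resolve(ROUTE_CONFIG, "10.16.96.141", "/api/catalog")` returns None, which is the nok case: without the header override, curl sends the IP as the Host value and no virtual host domain matches it.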