kubernetes istio之gateway
2024-08-28 22:22:45
[root@master istio-1.1.]# kubectl apply -f samples/httpbin/httpbin.yaml
service/httpbin created
deployment.extensions/httpbin created
[root@master istio-1.1.]#
[root@master istio-1.1.]# kubectl get svc
NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE
details ClusterIP 10.106.209.133 <none> /TCP 23h
httpbin ClusterIP 10.104.20.107 <none> /TCP 9s
kubernetes ClusterIP 10.96.0.1 <none> /TCP 14d
productpage ClusterIP 10.96.27.39 <none> /TCP 23h
ratings ClusterIP 10.109.45.236 <none> /TCP 23h
reviews ClusterIP 10.102.249.50 <none> /TCP 23h [root@master istio-1.1.]# kubectl get pod -o wide
NAME READY STATUS RESTARTS AGE IP NODE NOMINATED NODE READINESS GATES
details-v1-79c6548b59-d8448 / Running 23h 10.244.3.186 node02 <none> <none>
httpbin-5446f4d9b4-jtnzw / Running 3m38s 10.244.1.207 node01 <none> <none>
ratings-v1-7665579b75-jjvv7 / Running 23h 10.244.1.203 node01 <none> <none>
reviews-v1-67446f7d9b-hrhbj / Running 23h 10.244.1.204 node01 <none> <none>
reviews-v2-6bc7b4f678-vhjwh / Running 23h 10.244.1.206 node01 <none> <none>
reviews-v3-59b5b6948-sxxhj / Running 23h 10.244.1.205 node01 <none> <none>
[root@master istio-1.1.]# curl 10.104.20.107:/headers
{
"headers": {
"Accept": "*/*",
"Host": "10.104.20.107:8000",
"User-Agent": "curl/7.29.0"
}
}
//只有集群内部可以访问,外部不行 //创建网关,让集群外部也可以访问
[root@master istio-1.1.]# kubectl apply -f samples/httpbin/httpbin-gateway.yaml
gateway.networking.istio.io/httpbin-gateway created
virtualservice.networking.istio.io/httpbin created
[root@master istio-1.1.]# kubectl get gateway
NAME AGE
bookinfo-gateway 23h
httpbin-gateway 3m15s
[root@master istio-1.1.]# kubectl get virtualservice
NAME GATEWAYS HOSTS AGE
bookinfo [bookinfo-gateway] [*] 23h
httpbin [httpbin-gateway] [*] 5m22s
reviews [reviews] 18h
生成证书
https://istio.io/docs/tasks/traffic-management/secure-ingress/#generate-clinet-and-server-certificates-and-keys [root@master istio-1.1.]# wget https://github.com/nicholasjackson/mtls-go-example/archive/master.zip
[root@master istio-1.1.]# unzip master.zip
Archive: master.zip
85f7453487e47c018961ca11f3526fd3e5d888d9
creating: mtls-go-example-master/
inflating: mtls-go-example-master/LICENSE
inflating: mtls-go-example-master/README.md
inflating: mtls-go-example-master/generate.sh
inflating: mtls-go-example-master/intermediate_openssl.cnf
inflating: mtls-go-example-master/main.go
inflating: mtls-go-example-master/openssl.cnf
[root@master istio-1.1.]# ls
bin install istio.VERSION LICENSE master.zip mtls-go-example-master README.md samples tools
[root@master istio-1.1.]# cd mtls-go-example-master/
[root@master mtls-go-example-master]# ls
generate.sh intermediate_openssl.cnf LICENSE main.go openssl.cnf README.md
[root@master mtls-go-example-master]# ./generate.sh httpbin.example.com
//出现提示时,选择y所有问题。该命令将产生四个目录:1_root, 2_intermediate,3_application,和4_client包含您在下面的程序使用客户端和服务器证书。
[root@master mtls-go-example-master]# ls
1_root 2_intermediate 3_application 4_client generate.sh intermediate_openssl.cnf LICENSE main.go openssl.cnf README.md
//将证书移动到名为的目录中httpbin.example.com
[root@master mtls-go-example-master]# mkdir ../httpbin.example.com && mv 1_root 2_intermediate 3_application 4_client ../httpbin.example.com
[root@master mtls-go-example-master]# ls ../
bin httpbin.example.com install istio.VERSION LICENSE master.zip mtls-go-example-master README.md samples tools
创建证书
[root@master istio-1.1.]# kubectl create -n istio-system secret tls istio-ingressgateway-certs --key httpbin.example.com/3_application/private/httpbin.example.com.key.pem --cert httpbin.example.com/3_application/certs/httpbin.example.com.cert.pem
secret/istio-ingressgateway-certs created
//验证tls.crt并tls.key已安装在入口网关pod中:
[root@master istio-1.1.]# kubectl exec -it -n istio-system $(kubectl -n istio-system get pods -l istio=ingressgateway -o jsonpath='{.items[0].metadata.name}') -- ls -al /etc/istio/ingressgateway-certs
total
drwxrwxrwt root root May : .
drwxr-xr-x root root May : ..
drwxr-xr-x root root May : ..2019_05_25_09_34_54.
lrwxrwxrwx root root May : ..data -> ..2019_05_25_09_34_54.
lrwxrwxrwx root root May : tls.crt -> ..data/tls.crt
lrwxrwxrwx root root May : tls.key -> ..data/tls.key
//删掉之前创建的httpbin-gateway
[root@master istio-1.1.]# kubectl delete -f samples/httpbin/httpbin-gateway.yaml
gateway.networking.istio.io "httpbin-gateway" deleted
virtualservice.networking.istio.io "httpbin" deleted
//创建新的
[root@master istio-1.1.]# vim samples/httpbin/httpbin-gateway-https.yaml
apiVersion: networking.istio.io/v1alpha3
kind: Gateway
metadata:
name: httpbin-gateway
spec:
selector:
istio: ingressgateway # use istio default ingress gateway
servers:
- port:
number:
name: https
protocol: HTTPS
tls:
mode: SIMPLE
serverCertificate: /etc/istio/ingressgateway-certs/tls.crt
privateKey: /etc/istio/ingressgateway-certs/tls.key
hosts:
- "httpbin.example.com"
---
apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
name: httpbin
spec:
hosts:
- "httpbin.example.com"
gateways:
- httpbin-gateway
http:
- match:
- uri:
prefix: /status
- uri:
prefix: /delay
route:
- destination:
port:
number:
host: httpbin
[root@master istio-1.1.]# kubectl apply -f samples/httpbin/httpbin-gateway-https.yaml
gateway.networking.istio.io/httpbin-gateway created
virtualservice.networking.istio.io/httpbin created [root@master istio-1.1.]# kubectl get gateway
NAME AGE
bookinfo-gateway 24h
httpbin-gateway 58s
[root@master istio-1.1.]# kubectl get virtualservice
NAME GATEWAYS HOSTS AGE
bookinfo [bookinfo-gateway] [*] 24h
httpbin [httpbin-gateway] [httpbin.example.com] 70s
reviews [reviews] 20h [root@master istio-1.1.]# curl -v -HHost:httpbin.example.com --resolve httpbin.example.com::10.0.1.133 --cacert httpbin.example.com/2_intermediate/certs/ca-chain.cert.pem https://httpbin.example.com:31390/status/418
* Added httpbin.example.com::10.0.1.133 to DNS cache
* About to connect() to httpbin.example.com port (#)
* Trying 10.0.1.133...
* Connected to httpbin.example.com (10.0.1.133) port (#)
* Initializing NSS with certpath: sql:/etc/pki/nssdb
* CAfile: httpbin.example.com/2_intermediate/certs/ca-chain.cert.pem
CApath: none
* SSL connection using TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
* Server certificate:
* subject: CN=httpbin.example.com,O=Dis,L=Springfield,ST=Denial,C=US
* start date: May :: GMT
* expire date: Jun :: GMT
* common name: httpbin.example.com
* issuer: CN=httpbin.example.com,O=Dis,ST=Denial,C=US
> GET /status/ HTTP/1.1
> User-Agent: curl/7.29.
> Accept: */*
> Host:httpbin.example.com
>
< HTTP/1.1 418 Unknown
< server: istio-envoy
< date: Sat, 25 May 2019 10:12:24 GMT
< x-more-info: http://tools.ietf.org/html/rfc2324
< access-control-allow-origin: *
< access-control-allow-credentials: true
< content-length: 135
< x-envoy-upstream-service-time: 2
< -=[ teapot ]=- _...._
.' _ _ `.
| ."` ^ `". _,
\_;`"---"`|//
| ;/
\_ _/
`"""`
* Connection #0 to host httpbin.example.com left intact
[root@master istio-1.1.5]#
最新文章
- 利用HAProxy代理SQL Server的AlwaysOn辅助副本
- 读书笔记---PMBOK第五版官方中文版
- MySQL索引简述
- JS/JQ获取各种屏幕的高度和宽度
- WebApi系列~通过HttpClient来调用Web Api接口
- a byte of python (摘01)
- [LintCode] Flatten Binary Tree to Linked List 将二叉树展开成链表
- 每天一个linux命令(52):scp命令
- Intent Flag介绍 intent.addFlags()
- 《APUE》读书笔记第十二章-线程控制
- NuGet 自定义配置
- ios定义数组和字典快捷方式
- [C#] C# 知识回顾 - Lambda
- MySql cmd下的学习笔记 —— 有关表的操作(对表中数据的增,删,改,查)
- 【二】php 字符串操作及三大流程控制
- HTTP Status 405 - HTTP method GET is not supported by this URL
- day 81 天 ORM 操作复习总结
- Hibernate笔记④--一级二级缓存、N+1问题、saveorupdate、实例代码
- Beta Scrum Day 3 — 听说
- 不明白的sizeof(enum)数据结构存储问题