Installing the Kubernetes Gateway API

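Notes:

1. For a production Istio installation, choosing the default profile is enough. Everything below was tested in an environment installed with istioctl install -f samples/bookinfo/demo-profile-no-gateways.yaml -y
2. If the Service created for the Gateway cannot get an EXTERNAL-IP, set networking.istio.io/service-type: NodePort in the Gateway's annotations
3. The gateway uses automated deployment: the Service and Deployment for the gateway are generated automatically. The key parameter is gatewayClassName: istio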

1. First, deploy an httpbin test application:

kubectl apply -f samples/httpbin/httpbin.yaml

2. Deploy the Gateway API configuration:

kubectl create namespace istio-ingress
kubectl apply -f - <<EOF
apiVersion: gateway.networking.k8s.io/v1
kind: Gateway
metadata:
  name: gateway
  namespace: istio-ingress
spec:
  gatewayClassName: istio            # Gateway class to use; the Service and Deployment are generated automatically
  listeners:
  - name: default
    hostname: "*.dosavingsnow.com"
    port: 80
    protocol: HTTP
    allowedRoutes:                # allow routes from all namespaces
      namespaces:
        from: All
---
apiVersion: gateway.networking.k8s.io/v1
kind: HTTPRoute
metadata:
  name: http
  namespace: default
spec:
  parentRefs:
  - name: gateway
    namespace: istio-ingress
  hostnames: ["httpbin.dosavingsnow.com"]      
  rules:
  - matches:
    - path:
        type: PathPrefix           
        value: /get
    backendRefs:
    - name: httpbin                 
      port: 8000
EOF

kubectl apply -f - <<EOF
apiVersion: gateway.networking.k8s.io/v1
kind: HTTPRoute
metadata:
  name: http
  namespace: default
spec:
  parentRefs:
  - name: gateway                            # the Gateway this route binds to
    namespace: istio-ingress
  hostnames: ["httpbin.dosavingsnow.com"]     # hostname
  rules:
  - matches:
    - path:
        type: PathPrefix               # URL path that is allowed through; defaults to / when not set
        value: /get
    - path:
        type: PathPrefix
        value: /headers
    filters:
    - type: RequestHeaderModifier       # add a custom HTTP request header
      requestHeaderModifier:
        add:
        - name: my-added-header
          value: added-value
    backendRefs:
    - name: httpbin                     # Service name
      port: 8000                        # Service port
EOF

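### Configure a gateway that serves both HTTP and HTTPS

Note: the TLS certificate Secret that cert-manager generates must be in istio-ingress, the namespace the Gateway lives in.

Make sure the certificate is created in the Gateway's istio-ingress namespace: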

cat <<EOF | kubectl apply -f - -n istio-ingress > /dev/null
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: infrastars-top
spec:
  secretName: infrastars-top      # name of the Secret that stores the certificate
  issuerRef:
    name: cloudflare-acme-cluster-issuer
    kind: ClusterIssuer
  dnsNames:
    - "infrastars.top"
    - "*.infrastars.top"  
EOF

cat <<EOF | kubectl apply -f - > /dev/null
apiVersion: gateway.networking.k8s.io/v1
kind: Gateway
metadata:
  name: gateway
  namespace: istio-ingress
spec:
  gatewayClassName: istio            # Gateway class to use; the Service and Deployment are generated automatically
  listeners:
  - name: default
    hostname: "*.dosavingsnow.com"
    port: 80                      # HTTP
    protocol: HTTP
    allowedRoutes:                # allow routes from all namespaces
      namespaces:
        from: All
  - name: https
    hostname: "*.dosavingsnow.com"  # which hostnames are allowed
    port: 443
    protocol: HTTPS
    tls:
      mode: Terminate
      certificateRefs:
      - name: dosavingsnow-com   # name of the TLS certificate Secret generated by cert-manager
    allowedRoutes:               # allow only the default namespace
      namespaces:
        from: Selector
        selector:
          matchLabels:
            kubernetes.io/metadata.name: default
EOF
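
The two points this section relies on (which namespaces may attach routes to a listener, and the certificate Secret living in the Gateway's namespace) can be checked before applying. The script below is an added example, not part of the original post: the function name audit and the JSON sample are assumptions, with the sample constructed to mirror the Certificate and Gateway manifests above.

```python
import json

# Constructed sample: items shaped like the "items" array of
# `kubectl get gateways.gateway.networking.k8s.io,certificates.cert-manager.io -A -o json`,
# reduced to the fields read below and mirroring the manifests on this page.
SAMPLE = json.loads("""
[
 {"kind": "Certificate",
  "metadata": {"name": "infrastars-top", "namespace": "istio-ingress"},
  "spec": {"secretName": "infrastars-top"}},
 {"kind": "Gateway",
  "metadata": {"name": "gateway", "namespace": "istio-ingress"},
  "spec": {"listeners": [
    {"name": "default", "port": 80, "protocol": "HTTP",
     "allowedRoutes": {"namespaces": {"from": "All"}}},
    {"name": "https", "port": 443, "protocol": "HTTPS",
     "tls": {"mode": "Terminate",
             "certificateRefs": [{"name": "dosavingsnow-com"}]},
     "allowedRoutes": {"namespaces": {"from": "Selector", "selector": {
       "matchLabels": {"kubernetes.io/metadata.name": "default"}}}}}]}}
]
""")


def audit(items):
    """Return (gateway, listener, finding) tuples for listeners worth reviewing."""
    # (namespace, secretName) pairs that cert-manager Certificates will populate.
    secrets = {(i["metadata"]["namespace"], i["spec"]["secretName"])
               for i in items if i["kind"] == "Certificate"}
    findings = []
    for gw in (i for i in items if i["kind"] == "Gateway"):
        ns = gw["metadata"]["namespace"]
        gw_id = f'{ns}/{gw["metadata"]["name"]}'
        for lis in gw["spec"].get("listeners", []):
            # Gateway API defaults allowedRoutes.namespaces.from to "Same".
            scope = lis.get("allowedRoutes", {}).get("namespaces", {}).get("from", "Same")
            if scope == "All":
                findings.append((gw_id, lis["name"], "accepts routes from every namespace"))
            for ref in lis.get("tls", {}).get("certificateRefs", []):
                if ref.get("namespace", ns) != ns:
                    findings.append((gw_id, lis["name"], f'Secret {ref["name"]} is outside {ns}'))
                elif (ns, ref["name"]) not in secrets:
                    findings.append((gw_id, lis["name"], f'no Certificate in {ns} writes Secret {ref["name"]}'))
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(*finding, sep=": ")
```

On the sample it reports the port 80 listener for accepting routes from every namespace, and the https listener because the only Certificate shown writes the Secret infrastars-top while the listener references dosavingsnow-com.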

Other:

1. Install the ServiceMonitor

# file from https://github.com/istio/istio/blob/master/samples/addons/extras/prometheus-operator.yaml
kubectl apply -f prometheus-operator.yaml

2. Install Kiali

https://istio.io/latest/zh/docs/setup/getting-started/#dashboard

Installing only kiali.yaml is enough:

kubectl apply -f samples/addons/kiali.yaml

The simplest HTTPRoute template for Kiali:

kubectl apply -f - <<EOF
apiVersion: gateway.networking.k8s.io/v1
kind: HTTPRoute
metadata:
  name: kiali
  namespace: istio-system
spec:
  parentRefs:
  - name: gateway                            # the Gateway this route binds to
    namespace: istio-ingress
  hostnames: ["kiali.dosavingsnow.com"]     # hostname
  rules:
  - backendRefs:
    - name: kiali                     # Service name
      port: 20001                        # Service port
EOF

References:
https://istio.io/latest/docs/tasks/traffic-management/ingress/secure-ingress/
https://istio.io/latest/zh/docs/tasks/traffic-management/tcp-traffic-shifting/ # includes the install command for the experimental version of the Gateway API CRDs
https://gateway-api.sigs.k8s.io/guides/tls/ # TLS-related parameters
https://istio.io/latest/zh/docs/tasks/traffic-management/ingress/gateway-api/#automated-deployment # includes HorizontalPodAutoscaler and PodDisruptionBudget examples
https://istio.io/latest/zh/docs/setup/getting-started/
