The root problem is not what I initially imagined. If I rename the backend hostname to blaapi.example.com instead of api.example.com, it works perfectly.
What could cause istio not to find the wanted api.example.com while it can resolve blaapi.example.com?
I cannot find any documentation on how to get istio DNS resolver logs...
k8s version
curl http://localhost:8001/version -k
{
"major": "1",
"minor": "18",
"gitVersion": "v1.18.3",
"gitCommit": "2e7996e3e2712684bc73f0dec0200d64eec7fe40",
"gitTreeState": "clean",
"buildDate": "2020-05-20T12:43:34Z",
"goVersion": "go1.13.9",
"compiler": "gc",
"platform": "linux/amd64"
}
istioctl version
client version: 1.6.3
control plane version: 1.6.3
data plane version: 1.6.3 (13 proxies)
I have a jenkins build pipeline that builds docker images and automatically deploys them to a minikube cluster. I have a multibranch pipeline that deploys a complete environment for every branch. I have a simple javascript file that outputs the k8s templates, which are piped into kubectl.
I use istio as the service mesh and cert-manager.
I am trying to deploy 2 simple containers, frontend and backend.
Here are the created resources
kubectl get all -l=project=myproject --all-namespaces
(Istio Gateway)
NAMESPACE NAME AGE
istio-system master-gateway-backend 3h52m
istio-system master-gateway-frontend 3h52m
(Istio VirtualService)
NAMESPACE NAME GATEWAYS HOSTS AGE
master myproject-backend [istio-system/master-gateway-backend] [api.example.com] 25h
master myproject-frontend [istio-system/master-gateway-frontend] [example.com] 25h
NAMESPACE NAME READY STATUS RESTARTS AGE
master pod/myproject-backend-54d55c5795-b9st2 2/2 Running 0 13m
master pod/myproject-frontend-85dfbdc48f-mdxqh 2/2 Running 0 13m
NAMESPACE NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE
master service/myproject-backend ClusterIP 10.98.114.81 <none> 80/TCP 23h
master service/myproject-frontend ClusterIP 10.109.78.55 <none> 80/TCP 23h
NAMESPACE NAME READY UP-TO-DATE AVAILABLE AGE
master deployment.apps/myproject-backend 1/1 1 1 23h
master deployment.apps/myproject-frontend 1/1 1 1 23h
NAMESPACE NAME DESIRED CURRENT READY AGE
master replicaset.apps/myproject-backend-54d55c5795 1 1 1 13m
master replicaset.apps/myproject-frontend-85dfbdc48f 1 1 1 13m
(Secrets)
NAMESPACE NAME TYPE DATA AGE
istio-system ingress-cert-master-frontend kubernetes.io/tls 2 24h
istio-system ingress-cert-master-backend kubernetes.io/tls 2 24h
(Certificates)
NAMESPACE NAME READY SECRET AGE
istio-system ingress-cert-master-backend True ingress-cert-master-backend 152m
istio-system ingress-cert-master-frontend True ingress-cert-master-frontend 152m
(CertificateRequests)
NAMESPACE NAME READY AGE
istio-system ingress-cert-master-backend-563723203 True 147m
istio-system ingress-cert-master-frontend-556751135 True 147m
There are no validation errors when the templates are deployed from jenkins.
The frontend application host is defined as example.com, and the backend application host is defined as api.example.com.
The problem is that the frontend application deploys successfully and is reachable through the istio ingressgateway at https://example.com. However, for some unknown reason, the backend application cannot be reached at https://api.example.com
wget --no-check-certificate -O- https://example.com -> 200 OK
wget --no-check-certificate -O- https://api.example.com -> TIMEOUT
kubectl exec -it -n admin network-multitool-659588b964-d5zfc -- wget -O- myproject-backend.master.svc.cluster.local -> 200 OK
INGRESS=$(kubectl get svc -n istio-system istio-ingressgateway -o json | jq -r .status.loadBalancer.ingress[0].ip)
wget --no-check-certificate --header="Host: api.example.com" http://${INGRESS} -> TIMEOUT
wget --no-check-certificate --header="Host: example.com" http://${INGRESS} -> 200 OK
getent hosts example.com api.example.com
10.99.153.121 example.com
19.99.153.121 api.example.com
Initially I thought it was related to having multiple Gateways with ports of the same name. I fixed that, but it did not solve anything: https://istio.io/latest/docs/ops/common-problems/network-issues/#404-errors-occur-when-multiple-gateways-configured-with-same-tls-certificate
I know the service and deployment parts work, because from any Pod I can wget myproject-backend.master.svc.cluster.local and wget myproject-frontend.master.svc.cluster.local. So the problem must be at the istio level.
Strangely, if I disable httpsRedirect on the backend, then if I wget --header='Host: api.example.com' -O- http://10.99.153.121 I get the index.html file. But if I just wget -O- api.commonpoo.lab, it times out.
Here is the configuration of the gateways, virtual services, issuer and certificates
apiVersion: cert-manager.io/v1alpha3
kind: Issuer
metadata:
  labels:
    branch: master
    project: myproject
  name: ca-issuer-master
  namespace: istio-system
spec:
  selfSigned: {}
---
apiVersion: cert-manager.io/v1alpha3
kind: Certificate
metadata:
  labels:
    branch: master
    project: myproject
  name: ingress-cert-master-backend
  namespace: istio-system
spec:
  commonName: api.example.com
  dnsNames:
    - api.example.com
  issuerRef:
    name: ca-issuer-master
  secretName: ingress-cert-master-backend
  subject:
    organizations:
      - myproject
---
apiVersion: cert-manager.io/v1alpha3
kind: Certificate
metadata:
  labels:
    branch: master
    project: myproject
  name: ingress-cert-master-frontend
  namespace: istio-system
spec:
  commonName: example.com
  dnsNames:
    - example.com
  issuerRef:
    name: ca-issuer-master
  secretName: ingress-cert-master-frontend
  subject:
    organizations:
      - myproject
---
apiVersion: networking.istio.io/v1beta1
kind: Gateway
metadata:
  labels:
    branch: master
    project: myproject
  name: master-gateway-frontend
  namespace: istio-system
spec:
  selector:
    istio: ingressgateway
  servers:
    - hosts:
        - example.com
      port:
        name: http-master-frontend
        number: 80
        protocol: HTTP
      tls:
        httpsRedirect: true
    - hosts:
        - example.com
      port:
        name: https-master-frontend
        number: 443
        protocol: HTTPS
      tls:
        credentialName: ingress-cert-master-frontend
        mode: SIMPLE
---
apiVersion: networking.istio.io/v1beta1
kind: Gateway
metadata:
  labels:
    branch: master
    project: myproject
  name: master-gateway-backend
  namespace: istio-system
spec:
  selector:
    istio: ingressgateway
  servers:
    - hosts:
        - api.example.com
      port:
        name: http-master-backend
        number: 80
        protocol: HTTP
      tls:
        httpsRedirect: true
    - hosts:
        - api.example.com
      port:
        name: https-master-backend
        number: 443
        protocol: HTTPS
      tls:
        credentialName: ingress-cert-master-backend
        mode: SIMPLE
---
apiVersion: networking.istio.io/v1beta1
kind: VirtualService
metadata:
  labels:
    app: myproject-backend
    branch: master
    commit: 49cf75c4d79bd1987aea2a753481d94133f99cc6
    project: myproject
  name: myproject-backend
  namespace: master
spec:
  gateways:
    - istio-system/master-gateway-backend
  hosts:
    - api.example.com
  http:
    - route:
        - destination:
            host: myproject-backend.master.svc.cluster.local
---
apiVersion: networking.istio.io/v1beta1
kind: VirtualService
metadata:
  labels:
    app: myproject-frontend
    branch: master
    commit: 49cf75c4d79bd1987aea2a753481d94133f99cc6
    project: myproject
  name: myproject-frontend
  namespace: master
spec:
  gateways:
    - istio-system/master-gateway-frontend
  hosts:
    - example.com
  http:
    - route:
        - destination:
            host: myproject-frontend.master.svc.cluster.local
Here is the /etc/hosts file on my host
# 10.99.153.121 is the istio-ingressgateway external IP
127.0.0.1 localhost localhost.localdomain localhost4 localhost4.localdomain4
::1 localhost localhost.localdomain localhost6 localhost6.localdomain6
127.0.0.1 host.minikube.internal
10.8.0.12 control-plane.minikube.internal
10.99.153.121 keycloak.example.com
10.99.153.121 pgadmin.example.com
10.99.153.121 registry.example.com
10.99.153.121 jenkins.example.com
10.99.153.121 frontend.example.com
10.99.153.121 sonarqube.example.com
19.99.153.121 api.example.com
10.99.153.121 example.com
Even istioctl recognizes that there is a route to the backend pod
istioctl x describe pod myproject-backend-54d55c5795-b9st2.master
Pod: myproject-backend-54d55c5795-b9st2.master
Pod Ports: 80 (myproject-backend), 15090 (istio-proxy)
Suggestion: add 'version' label to pod for Istio telemetry.
--------------------
Service: myproject-backend.master
Port: http 80/HTTP targets pod port 80
Exposed on Ingress Gateway http://10.99.153.121
VirtualService: myproject-backend.master
1 HTTP route(s)
---
istioctl x describe pod myproject-frontend-85dfbdc48f-mdxqh.master
Pod: myproject-frontend-85dfbdc48f-mdxqh.master
Pod Ports: 80 (myproject-frontend), 15090 (istio-proxy)
Suggestion: add 'version' label to pod for Istio telemetry.
--------------------
Service: myproject-frontend.master
Port: http 80/HTTP targets pod port 80
Exposed on Ingress Gateway http://10.99.153.121
VirtualService: myproject-frontend.master
1 HTTP route(s)
istioctl proxy status:
istioctl proxy-status
NAME CDS LDS EDS RDS PILOT VERSION
myproject-backend-54d55c5795-b9st2.master SYNCED SYNCED SYNCED SYNCED istiod-7b69ff6f8c-2jdpx 1.6.3
myproject-frontend-85dfbdc48f-mdxqh.master SYNCED SYNCED SYNCED SYNCED istiod-7b69ff6f8c-2jdpx 1.6.3
istio-egressgateway-77c7d594c5-2nsz5.istio-system SYNCED SYNCED SYNCED NOT SENT istiod-7b69ff6f8c-2jdpx 1.6.3
istio-ingressgateway-766c84dfdc-dmmd8.istio-system SYNCED SYNCED SYNCED SYNCED istiod-7b69ff6f8c-2jdpx 1.6.3
keycloak-0.admin SYNCED SYNCED SYNCED SYNCED istiod-7b69ff6f8c-2jdpx 1.6.3
network-multitool-659588b964-d5zfc.admin SYNCED SYNCED SYNCED SYNCED istiod-7b69ff6f8c-2jdpx 1.6.3
pgadmin-549db8c6fb-bjpn9.admin SYNCED SYNCED SYNCED SYNCED istiod-7b69ff6f8c-2jdpx 1.6.3
postgres-postgresql-master-0.admin SYNCED SYNCED SYNCED SYNCED istiod-7b69ff6f8c-2jdpx 1.6.3
postgres-postgresql-slave-0.admin SYNCED SYNCED SYNCED SYNCED istiod-7b69ff6f8c-2jdpx 1.6.3
postgres-postgresql-slave-1.admin SYNCED SYNCED SYNCED SYNCED istiod-7b69ff6f8c-2jdpx 1.6.3
prometheus-5fdfc44fb7-kkm8h.istio-system SYNCED SYNCED SYNCED SYNCED istiod-7b69ff6f8c-2jdpx 1.6.3
sonarqube-sonarqube-5b99564cb6-khccq.admin SYNCED SYNCED SYNCED SYNCED istiod-7b69ff6f8c-2jdpx 1.6.3
istioctl analyze --all-namespaces
Warn [IST0102] (Namespace default) The namespace is not enabled for Istio injection. Run 'kubectl label namespace default istio-injection=enabled' to enable it, or 'kubectl label namespace default istio-injection=disabled' to explicitly mark it as not needing injection
Warn [IST0102] (Namespace flux-system) The namespace is not enabled for Istio injection. Run 'kubectl label namespace flux-system istio-injection=enabled' to enable it, or 'kubectl label namespace flux-system istio-injection=disabled' to explicitly mark it as not needing injection
Warn [IST0102] (Namespace istio-system) The namespace is not enabled for Istio injection. Run 'kubectl label namespace istio-system istio-injection=enabled' to enable it, or 'kubectl label namespace istio-system istio-injection=disabled' to explicitly mark it as not needing injection
Warn [IST0102] (Namespace kube-node-lease) The namespace is not enabled for Istio injection. Run 'kubectl label namespace kube-node-lease istio-injection=enabled' to enable it, or 'kubectl label namespace kube-node-lease istio-injection=disabled' to explicitly mark it as not needing injection
Info [IST0118] (Service cert-manager.cert-manager) Port name (port: 9402, targetPort: 9402) doesn't follow the naming convention of Istio port.
Info [IST0118] (Service flux-memcached.flux-system) Port name memcached (port: 11211, targetPort: memcached) doesn't follow the naming convention of Istio port.
Info [IST0118] (Service jenkins-agent.jenkins-system) Port name slavelistener (port: 50000, targetPort: 50000) doesn't follow the naming convention of Istio port.
Error: Analyzers found issues when analyzing all namespaces.
See https://istio.io/docs/reference/config/analysis for more information about causes and resolutions.
I have no idea how to solve this. Any help would be greatly appreciated.
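One check worth running before digging into the mesh: confirm that every host a Gateway serves actually maps to the ingress gateway's external IP on the machine doing the testing. In the getent output and the /etc/hosts listing above, example.com maps to 10.99.153.121 (the IP the comment labels as the istio-ingressgateway external IP) while api.example.com maps to 19.99.153.121. The script below is an added example, not part of the original post; it parses hosts-file content and flags any gateway host that does not map to the ingress IP. The embedded hosts content is copied from the posted /etc/hosts (localhost and minikube lines trimmed), the host list is taken from the two Gateway specs, and the expected IP from the comment in that file. On a live cluster you would read /etc/hosts itself and take the IP from the INGRESS= command shown in the post; neither is done here so the script runs offline.

```shell
#!/bin/sh
# Added example (not from the original post): verify that every host an Istio
# Gateway serves maps to the ingress gateway's external IP in a hosts file.
# Offline: HOSTS_FILE_CONTENT is copied from the /etc/hosts in the post (minus
# the localhost and minikube lines); the host list comes from the two Gateway
# specs. On a real machine read /etc/hosts and set INGRESS_IP from
#   INGRESS=$(kubectl get svc -n istio-system istio-ingressgateway -o json | jq -r .status.loadBalancer.ingress[0].ip)
# as in the post; that call is deliberately not made here.

INGRESS_IP="10.99.153.121"   # per the comment in the posted /etc/hosts

HOSTS_FILE_CONTENT='# 10.99.153.121 is the istio-ingressgateway external IP
10.99.153.121 keycloak.example.com
10.99.153.121 frontend.example.com
19.99.153.121 api.example.com
10.99.153.121 example.com'

# resolve_in_hosts CONTENT NAME
# Prints the first IP that hosts-file CONTENT maps NAME to, or nothing if NAME
# is absent. Comment lines and lines with fewer than two fields are skipped;
# aliases after the first name on a line are matched too.
resolve_in_hosts() {
    printf '%s\n' "$1" | awk -v name="$2" '
        /^[[:space:]]*#/ || NF < 2 { next }
        {
            for (i = 2; i <= NF; i++)
                if ($i == name) { print $1; exit }
        }'
}

# check_gateway_hosts INGRESS_IP CONTENT HOST...
# Prints one line per HOST that is unresolved or maps somewhere other than
# INGRESS_IP. Returns 0 when every host maps to INGRESS_IP, 1 otherwise.
check_gateway_hosts() {
    ingress="$1"; content="$2"; shift 2
    rc=0
    for h in "$@"; do
        ip=$(resolve_in_hosts "$content" "$h")
        if [ -z "$ip" ]; then
            printf '%s UNRESOLVED\n' "$h"
            rc=1
        elif [ "$ip" != "$ingress" ]; then
            printf '%s %s (expected %s)\n' "$h" "$ip" "$ingress"
            rc=1
        fi
    done
    return "$rc"
}

# Hosts served by master-gateway-frontend and master-gateway-backend.
if check_gateway_hosts "$INGRESS_IP" "$HOSTS_FILE_CONTENT" example.com api.example.com; then
    echo "all gateway hosts map to $INGRESS_IP"
else
    echo "at least one gateway host does not map to $INGRESS_IP; fix name resolution before debugging the mesh"
fi
```

With httpsRedirect enabled, a request to http://${INGRESS} with a Host header gets a 301 to https://<host>, and wget then resolves that hostname again on its own, so a wrong hosts-file entry surfaces as a timeout even when the Host-header request itself reached the right IP. Running a check like this first separates "the name points somewhere else" from "the gateway or VirtualService is misconfigured", which is what istioctl proxy-status and istioctl x describe cannot tell you.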