I have this GCP load balancer in a GKE Ingress:
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: gcp-loadbalancer-ingress
  namespace: istio-ingress
spec:
  rules:
  - host: "*.foo.com"
    http:
      paths:
      - path: /
        pathType: Prefix
        backend:
          service:
            name: istio-ingressgateway
            port:
              number: 80
The Istio Gateway looks like this:
apiVersion: networking.istio.io/v1beta1
kind: Gateway
metadata:
  name: gateway
  namespace: istio-ingress
spec:
  selector:
    istio: ingressgateway
  servers:
  - port:
      number: 80
      name: http
      protocol: HTTP
    hosts:
    - "*"
    - "*.foo.com"
And the VirtualService:
apiVersion: networking.istio.io/v1beta1
kind: VirtualService
metadata:
  name: sample-app
  namespace: istio-ingress
spec:
  hosts:
  - "*"
  # - "app.foo.com" If replace above with this it stops working
  gateways:
  - gateway
  http:
  - match:
    - uri:
        prefix: /
    route:
    - destination:
        host: sample-app
How can I restrict the virtualservice so that it only routes app.foo.com to sample-app?
Wondering whether this issue is related to my istio-ingressgateway:
kind: Service
apiVersion: v1
metadata:
  name: istio-ingressgateway
  namespace: istio-ingress
  labels:
    app: istio-ingressgateway
    app.kubernetes.io/managed-by: Helm
    app.kubernetes.io/name: istio-ingressgateway
    app.kubernetes.io/version: 1.20.0
    helm.sh/chart: gateway-1.20.0
    istio: ingressgateway
  annotations:
    cloud.google.com/neg: '{"ingress":true}'
    meta.helm.sh/release-name: istio-ingressgateway
    meta.helm.sh/release-namespace: istio-ingress
spec:
  ports:
  - name: status-port
    protocol: TCP
    port: 15021
    targetPort: 15021
    nodePort: 30276
  - name: http-web
    protocol: TCP
    port: 80
    targetPort: 80
    nodePort: 31849
  - name: https-ssl
    protocol: TCP
    port: 443
    targetPort: 443
    nodePort: 30824
  selector:
    app: istio-ingressgateway
    istio: ingressgateway
  clusterIP: {IP}
  clusterIPs:
  - {IP}
  type: NodePort
  sessionAffinity: None
  externalTrafficPolicy: Cluster
  ipFamilies:
  - IPv4
  ipFamilyPolicy: SingleStack
  internalTrafficPolicy: Cluster
status:
  loadBalancer: {}
You can try using a ServiceEntry to access external services or sites. See the example below, which you can also find at the documentation link:
apiVersion: networking.istio.io/v1alpha3
kind: ServiceEntry
metadata:
  name: external-svc-site
spec:
  hosts:
  - external-site.com
  location: MESH_EXTERNAL
  ports:
  - number: 443
    name: example-https
    protocol: HTTPS
  resolution: DNS
---
apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
  name: my-external-site-rule
spec:
  hosts:
  - external-site.com
  http:
  - timeout: 5s
    route:
    - destination:
        host: external-site.com
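If you use an Ingress resource, you don't need Istio's Gateway resource. You can pick one. If you must use the Ingress resource, you can use the kubernetes.io/ingress.class: istio annotation on the Ingress to use istio-ingressgateway as the controller. (See the documentation here: https://istio.io/latest/docs/tasks/traffic-management/ingress/kubernetes-ingress/)
If you don't have to use the Ingress resource, use Istio's Gateway resource.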
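If you want to "expose" the sample application through the gateway, you have to make sure of the following:
gateways field (which you have)
app.foo.bar added to the hosts field in the VirtualService).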
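The following is an added example, not part of the original posts and not Istio's code: a simplified model of how the Gateway server hosts and the VirtualService hosts on this page combine to decide which Host headers reach sample-app. The matching rules (wildcard only as the left-most label, intersection keeping the more specific host) and the sample Host header values are assumptions made for illustration.

```python
# Simplified model of Gateway/VirtualService host matching (an assumption for
# illustration, not Istio source code). Host lists are copied from the manifests above.

GATEWAY_HOSTS = ["*", "*.foo.com"]      # Gateway "gateway" as posted
VS_HOSTS_POSTED = ["*"]                 # VirtualService "sample-app" as posted
VS_HOSTS_RESTRICTED = ["app.foo.com"]   # the commented-out alternative


def host_matches(pattern, name):
    """True if `name` is covered by `pattern` ("*", "*.suffix" or an exact name)."""
    pattern, name = pattern.lower(), name.lower()
    if pattern == "*":
        return True
    if pattern.startswith("*."):
        # "*.foo.com" covers "app.foo.com" and "*.foo.com", but not "foo.com".
        suffix = pattern[1:]
        return name.endswith(suffix) and len(name) > len(suffix)
    return pattern == name


def effective_domains(gateway_hosts, vs_hosts):
    """Intersect both lists, keeping the more specific host of each matching pair."""
    domains = set()
    for g in gateway_hosts:
        for v in vs_hosts:
            if host_matches(g, v):
                domains.add(v.lower())      # VirtualService host is narrower or equal
            elif host_matches(v, g):
                domains.add(g.lower())      # Gateway host is narrower
    return domains


def is_routed(host_header, gateway_hosts, vs_hosts):
    """True if a request with this Host header would match the VirtualService."""
    host = host_header.split(":")[0]        # drop an optional :port
    return any(host_matches(d, host)
               for d in effective_domains(gateway_hosts, vs_hosts))


if __name__ == "__main__":
    # Constructed Host header values, including an IP literal.
    for header in ["app.foo.com", "other.foo.com", "unrelated.example", "10.0.0.7:80"]:
        print(header,
              "posted:", is_routed(header, GATEWAY_HOSTS, VS_HOSTS_POSTED),
              "restricted:", is_routed(header, GATEWAY_HOSTS, VS_HOSTS_RESTRICTED))
```

With hosts set to "*", every Host header is routed to sample-app; with app.foo.com, only requests carrying exactly that Host header match, so any client that sends a different Host value gets no route.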