This task shows how to configure Istio to expose the telemetry addons and access them from outside the cluster.
1. Configuring remote access
Remote access to the telemetry addons can be configured in many different ways. This task covers two basic access methods: secure (via HTTPS) and insecure (via HTTP). The secure method is strongly recommended for any production or sensitive environment. Insecure access is simpler to set up, but does not protect any credentials or data transmitted outside of your cluster.
For both options, first follow these steps:
- Install Istio in your cluster.
Also install the telemetry addons, using the following installation options:
- Grafana: --set values.grafana.enabled=true
- Kiali: --set values.kiali.enabled=true
- Prometheus: --set values.prometheus.enabled=true
- Tracing: --set values.tracing.enabled=true
- Use a domain name to expose the components. In this task each component is exposed on its own subdomain, for example grafana.example.com.
- If you already have a domain name that points to the external IP address of your istio-ingressgateway:
$ export INGRESS_DOMAIN=<your.desired.domain>
- If you do not have a domain name, you can use nip.io, which automatically resolves to the IP address it is given. This is not recommended in production environments.
$ export INGRESS_HOST=$(kubectl -n istio-system get service istio-ingressgateway -o jsonpath='{.status.loadBalancer.ingress[0].ip}')
$ export INGRESS_DOMAIN=${INGRESS_HOST}.nip.io
1.1 Secure access (HTTPS)
For secure access, server certificates are required. For a domain that you control, follow the steps below to create and install a certificate for it.
- Create the certificates. This task uses openssl to create a self-signed CA and a wildcard certificate signed by it, then stores the key pair as a TLS secret in istio-system under the name the Gateways reference (telemetry-gw-cert):
$ CERT_DIR=/tmp/certs
$ mkdir -p ${CERT_DIR}
$ openssl req -x509 -sha256 -nodes -days 365 -newkey rsa:2048 -subj "/O=example Inc./CN=*.${INGRESS_DOMAIN}" -keyout ${CERT_DIR}/ca.key -out ${CERT_DIR}/ca.crt
$ openssl req -out ${CERT_DIR}/cert.csr -newkey rsa:2048 -nodes -keyout ${CERT_DIR}/tls.key -subj "/CN=*.${INGRESS_DOMAIN}/O=example organization"
$ openssl x509 -req -days 365 -CA ${CERT_DIR}/ca.crt -CAkey ${CERT_DIR}/ca.key -set_serial 0 -in ${CERT_DIR}/cert.csr -out ${CERT_DIR}/tls.crt
$ kubectl create -n istio-system secret tls telemetry-gw-cert --key=${CERT_DIR}/tls.key --cert=${CERT_DIR}/tls.crt
- Apply the following configuration to expose Grafana:
$ cat <<EOF | kubectl apply -f -
apiVersion: networking.istio.io/v1alpha3
kind: Gateway
metadata:
  name: grafana-gateway
  namespace: istio-system
spec:
  selector:
    istio: ingressgateway
  servers:
  - port:
      number: 443
      name: https-grafana
      protocol: HTTPS
    tls:
      mode: SIMPLE
      credentialName: telemetry-gw-cert
    hosts:
    - "grafana.${INGRESS_DOMAIN}"
---
apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
  name: grafana-vs
  namespace: istio-system
spec:
  hosts:
  - "grafana.${INGRESS_DOMAIN}"
  gateways:
  - grafana-gateway
  http:
  - route:
    - destination:
        host: grafana
        port:
          number: 3000
---
apiVersion: networking.istio.io/v1alpha3
kind: DestinationRule
metadata:
  name: grafana
  namespace: istio-system
spec:
  host: grafana
  trafficPolicy:
    tls:
      mode: DISABLE
---
EOF
- Apply the following configuration to expose Kiali:
$ cat <<EOF | kubectl apply -f -
apiVersion: networking.istio.io/v1alpha3
kind: Gateway
metadata:
  name: kiali-gateway
  namespace: istio-system
spec:
  selector:
    istio: ingressgateway
  servers:
  - port:
      number: 443
      name: https-kiali
      protocol: HTTPS
    tls:
      mode: SIMPLE
      credentialName: telemetry-gw-cert
    hosts:
    - "kiali.${INGRESS_DOMAIN}"
---
apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
  name: kiali-vs
  namespace: istio-system
spec:
  hosts:
  - "kiali.${INGRESS_DOMAIN}"
  gateways:
  - kiali-gateway
  http:
  - route:
    - destination:
        host: kiali
        port:
          number: 20001
---
apiVersion: networking.istio.io/v1alpha3
kind: DestinationRule
metadata:
  name: kiali
  namespace: istio-system
spec:
  host: kiali
  trafficPolicy:
    tls:
      mode: DISABLE
---
EOF
- Apply the following configuration to expose Prometheus:
$ cat <<EOF | kubectl apply -f -
apiVersion: networking.istio.io/v1alpha3
kind: Gateway
metadata:
  name: prometheus-gateway
  namespace: istio-system
spec:
  selector:
    istio: ingressgateway
  servers:
  - port:
      number: 443
      name: https-prom
      protocol: HTTPS
    tls:
      mode: SIMPLE
      credentialName: telemetry-gw-cert
    hosts:
    - "prometheus.${INGRESS_DOMAIN}"
---
apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
  name: prometheus-vs
  namespace: istio-system
spec:
  hosts:
  - "prometheus.${INGRESS_DOMAIN}"
  gateways:
  - prometheus-gateway
  http:
  - route:
    - destination:
        host: prometheus
        port:
          number: 9090
---
apiVersion: networking.istio.io/v1alpha3
kind: DestinationRule
metadata:
  name: prometheus
  namespace: istio-system
spec:
  host: prometheus
  trafficPolicy:
    tls:
      mode: DISABLE
---
EOF
- Apply the following configuration to expose the tracing service:
$ cat <<EOF | kubectl apply -f -
apiVersion: networking.istio.io/v1alpha3
kind: Gateway
metadata:
  name: tracing-gateway
  namespace: istio-system
spec:
  selector:
    istio: ingressgateway
  servers:
  - port:
      number: 443
      name: https-tracing
      protocol: HTTPS
    tls:
      mode: SIMPLE
      credentialName: telemetry-gw-cert
    hosts:
    - "tracing.${INGRESS_DOMAIN}"
---
apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
  name: tracing-vs
  namespace: istio-system
spec:
  hosts:
  - "tracing.${INGRESS_DOMAIN}"
  gateways:
  - tracing-gateway
  http:
  - route:
    - destination:
        host: tracing
        port:
          number: 80
---
apiVersion: networking.istio.io/v1alpha3
kind: DestinationRule
metadata:
  name: tracing
  namespace: istio-system
spec:
  host: tracing
  trafficPolicy:
    tls:
      mode: DISABLE
---
EOF
- Visit the telemetry addons in your browser:
- Kiali: https://kiali.${INGRESS_DOMAIN}
- Prometheus: https://prometheus.${INGRESS_DOMAIN}
- Grafana: https://grafana.${INGRESS_DOMAIN}
- Tracing: https://tracing.${INGRESS_DOMAIN}
1.2 Insecure access (HTTP)
- Apply network configuration for the telemetry addons.
- Apply the following configuration to expose Grafana:
$ cat <<EOF | kubectl apply -f -
apiVersion: networking.istio.io/v1alpha3
kind: Gateway
metadata:
  name: grafana-gateway
  namespace: istio-system
spec:
  selector:
    istio: ingressgateway
  servers:
  - port:
      number: 80
      name: http-grafana
      protocol: HTTP
    hosts:
    - "grafana.${INGRESS_DOMAIN}"
---
apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
  name: grafana-vs
  namespace: istio-system
spec:
  hosts:
  - "grafana.${INGRESS_DOMAIN}"
  gateways:
  - grafana-gateway
  http:
  - route:
    - destination:
        host: grafana
        port:
          number: 3000
---
apiVersion: networking.istio.io/v1alpha3
kind: DestinationRule
metadata:
  name: grafana
  namespace: istio-system
spec:
  host: grafana
  trafficPolicy:
    tls:
      mode: DISABLE
---
EOF
- Apply the following configuration to expose Kiali:
$ cat <<EOF | kubectl apply -f -
apiVersion: networking.istio.io/v1alpha3
kind: Gateway
metadata:
  name: kiali-gateway
  namespace: istio-system
spec:
  selector:
    istio: ingressgateway
  servers:
  - port:
      number: 80
      name: http-kiali
      protocol: HTTP
    hosts:
    - "kiali.${INGRESS_DOMAIN}"
---
apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
  name: kiali-vs
  namespace: istio-system
spec:
  hosts:
  - "kiali.${INGRESS_DOMAIN}"
  gateways:
  - kiali-gateway
  http:
  - route:
    - destination:
        host: kiali
        port:
          number: 20001
---
apiVersion: networking.istio.io/v1alpha3
kind: DestinationRule
metadata:
  name: kiali
  namespace: istio-system
spec:
  host: kiali
  trafficPolicy:
    tls:
      mode: DISABLE
---
EOF
- Apply the following configuration to expose Prometheus:
$ cat <<EOF | kubectl apply -f -
apiVersion: networking.istio.io/v1alpha3
kind: Gateway
metadata:
  name: prometheus-gateway
  namespace: istio-system
spec:
  selector:
    istio: ingressgateway
  servers:
  - port:
      number: 80
      name: http-prom
      protocol: HTTP
    hosts:
    - "prometheus.${INGRESS_DOMAIN}"
---
apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
  name: prometheus-vs
  namespace: istio-system
spec:
  hosts:
  - "prometheus.${INGRESS_DOMAIN}"
  gateways:
  - prometheus-gateway
  http:
  - route:
    - destination:
        host: prometheus
        port:
          number: 9090
---
apiVersion: networking.istio.io/v1alpha3
kind: DestinationRule
metadata:
  name: prometheus
  namespace: istio-system
spec:
  host: prometheus
  trafficPolicy:
    tls:
      mode: DISABLE
---
EOF
- Apply the following configuration to expose the tracing service:
$ cat <<EOF | kubectl apply -f -
apiVersion: networking.istio.io/v1alpha3
kind: Gateway
metadata:
  name: tracing-gateway
  namespace: istio-system
spec:
  selector:
    istio: ingressgateway
  servers:
  - port:
      number: 80
      name: http-tracing
      protocol: HTTP
    hosts:
    - "tracing.${INGRESS_DOMAIN}"
---
apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
  name: tracing-vs
  namespace: istio-system
spec:
  hosts:
  - "tracing.${INGRESS_DOMAIN}"
  gateways:
  - tracing-gateway
  http:
  - route:
    - destination:
        host: tracing
        port:
          number: 80
---
apiVersion: networking.istio.io/v1alpha3
kind: DestinationRule
metadata:
  name: tracing
  namespace: istio-system
spec:
  host: tracing
  trafficPolicy:
    tls:
      mode: DISABLE
---
EOF
- Visit the telemetry addons in your browser:
- Kiali: http://kiali.${INGRESS_DOMAIN}
- Prometheus: http://prometheus.${INGRESS_DOMAIN}
- Grafana: http://grafana.${INGRESS_DOMAIN}
- Tracing: http://tracing.${INGRESS_DOMAIN}
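The four manifests in section 1.1 and the four in section 1.2 differ only in the addon name, the in-cluster service port, and whether the Gateway server terminates TLS. The script below, added here as an example and not taken from the Istio documentation or project, renders the same Gateway, VirtualService and DestinationRule trio from one function for either scheme, and adds a pre-apply check that flags any plaintext (HTTP) server so the insecure variant does not reach a production cluster by accident. It assumes INGRESS_DOMAIN is exported as described above (the example.com fallback is only a hypothetical default so the script runs offline), that the TLS secret is telemetry-gw-cert in istio-system, and that the addon service names and ports are those this task uses; the function names are the example's own, and the gateway port names are derived from the addon name (so prometheus gets https-prometheus rather than https-prom).

```shell
#!/bin/sh
# Added example (not from the Istio docs): render the Gateway / VirtualService /
# DestinationRule trio that the task applies once per telemetry addon, from a
# single parameterised function, plus a check that refuses plaintext exposure.
#
# Assumptions: INGRESS_DOMAIN is exported as in the task (example.com is a
# hypothetical offline fallback); the TLS secret is telemetry-gw-cert in
# istio-system; addon service names and in-cluster ports are the task's.

# render_addon_manifest NAME PORT [SCHEME]
#   NAME   addon service name, also used as the subdomain (grafana, kiali, ...)
#   PORT   the addon's in-cluster service port (3000, 20001, 9090, 80)
#   SCHEME https (default: gateway port 443, TLS SIMPLE) or http (port 80, no TLS)
render_addon_manifest() {
  name="$1"
  port="$2"
  scheme="${3:-https}"
  domain="${INGRESS_DOMAIN:-example.com}"

  if [ "$scheme" = "https" ]; then
    gw_port=443
    # protocol: sits under port:, while tls: is a sibling of port: in the server entry
    server_tail="      protocol: HTTPS
    tls:
      mode: SIMPLE
      credentialName: telemetry-gw-cert"
  else
    gw_port=80
    server_tail="      protocol: HTTP"
  fi

  cat <<EOF
apiVersion: networking.istio.io/v1alpha3
kind: Gateway
metadata:
  name: ${name}-gateway
  namespace: istio-system
spec:
  selector:
    istio: ingressgateway
  servers:
  - port:
      number: ${gw_port}
      name: ${scheme}-${name}
${server_tail}
    hosts:
    - "${name}.${domain}"
---
apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
  name: ${name}-vs
  namespace: istio-system
spec:
  hosts:
  - "${name}.${domain}"
  gateways:
  - ${name}-gateway
  http:
  - route:
    - destination:
        host: ${name}
        port:
          number: ${port}
---
apiVersion: networking.istio.io/v1alpha3
kind: DestinationRule
metadata:
  name: ${name}
  namespace: istio-system
spec:
  host: ${name}
  trafficPolicy:
    tls:
      mode: DISABLE
---
EOF
}

# render_all_addon_manifests [SCHEME]: all four addons with the ports the task uses.
render_all_addon_manifests() {
  scheme="${1:-https}"
  render_addon_manifest grafana 3000 "$scheme"
  render_addon_manifest kiali 20001 "$scheme"
  render_addon_manifest prometheus 9090 "$scheme"
  render_addon_manifest tracing 80 "$scheme"
}

# manifest_exposes_plaintext: reads a manifest on stdin and exits 0 if any
# Gateway server speaks plain HTTP. Gate kubectl apply on it outside a lab.
manifest_exposes_plaintext() {
  grep -q '^ *protocol: HTTP$'
}

# Usage (not executed here):
#   render_all_addon_manifests https | kubectl apply -f -
#   render_all_addon_manifests http | manifest_exposes_plaintext && echo "plaintext exposure, not applying"
```

Because every manifest is produced by one function, a change such as a new secret name or a different ingress selector is made in one place and applied consistently to all four addons, and the plaintext check gives a reviewable gate in front of kubectl apply.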
2. Cleanup
- Remove the related Gateways:
$ kubectl -n istio-system delete gateway grafana-gateway kiali-gateway prometheus-gateway tracing-gateway
- Remove the related VirtualServices:
$ kubectl -n istio-system delete virtualservice grafana-vs kiali-vs prometheus-vs tracing-vs
