This task shows how to configure Istio to expose and access the telemetry addons from outside of a cluster.

1. Configuring remote access

The telemetry addons can be configured for remote access in many different ways. This task covers two basic access methods: secure (via HTTPS) and insecure (via HTTP). The secure method is strongly recommended for any production or sensitive environment. Insecure access is simpler to set up, but does not protect any credentials or data transmitted outside of your cluster.

For both options, first follow these steps:

  1. Install Istio in your cluster.

     In addition, install the telemetry addons with the following installation options:

       • Grafana: --set values.grafana.enabled=true
       • Kiali: --set values.kiali.enabled=true
       • Prometheus: --set values.prometheus.enabled=true
       • Tracing: --set values.tracing.enabled=true

  2. Set up a domain for exposing the components. In this example, you expose each component on its own subdomain, such as grafana.example.com.

       • If you have an existing domain pointing to the external IP address of your istio-ingressgateway:

           $ export INGRESS_DOMAIN=<your.desired.domain>

       • If you do not have a domain, you can use nip.io, which automatically resolves to the IP address embedded in the name. This is not recommended for production environments.

           $ export INGRESS_HOST=$(kubectl -n istio-system get service istio-ingressgateway -o jsonpath='{.status.loadBalancer.ingress[0].ip}')
           $ export INGRESS_DOMAIN=${INGRESS_HOST}.nip.io

1.1 Secure access (HTTPS)

For secure access, server certificates are required. For a domain that you control, follow the steps below to install and configure the server certificates.

  1. Create the certificates. This example uses OpenSSL to self-sign them. The -subj values are double-quoted so that the shell expands ${INGRESS_DOMAIN}; with single quotes the literal text `${INGRESS_DOMAIN}` would end up in the certificate.

       $ CERT_DIR=/tmp/certs
       $ mkdir -p ${CERT_DIR}
       $ openssl req -x509 -sha256 -nodes -days 365 -newkey rsa:2048 -subj "/O=example Inc./CN=*.${INGRESS_DOMAIN}" -keyout ${CERT_DIR}/ca.key -out ${CERT_DIR}/ca.crt
       $ openssl req -out ${CERT_DIR}/cert.csr -newkey rsa:2048 -nodes -keyout ${CERT_DIR}/tls.key -subj "/CN=*.${INGRESS_DOMAIN}/O=example organization"
       $ openssl x509 -req -days 365 -CA ${CERT_DIR}/ca.crt -CAkey ${CERT_DIR}/ca.key -set_serial 0 -in ${CERT_DIR}/cert.csr -out ${CERT_DIR}/tls.crt
       $ kubectl create -n istio-system secret tls telemetry-gw-cert --key=${CERT_DIR}/tls.key --cert=${CERT_DIR}/tls.crt

  • Apply the following configuration to expose Grafana:

      $ cat <<EOF | kubectl apply -f -
      apiVersion: networking.istio.io/v1alpha3
      kind: Gateway
      metadata:
        name: grafana-gateway
        namespace: istio-system
      spec:
        selector:
          istio: ingressgateway
        servers:
        - port:
            number: 443
            name: https-grafana
            protocol: HTTPS
          tls:
            mode: SIMPLE
            credentialName: telemetry-gw-cert
          hosts:
          - "grafana.${INGRESS_DOMAIN}"
      ---
      apiVersion: networking.istio.io/v1alpha3
      kind: VirtualService
      metadata:
        name: grafana-vs
        namespace: istio-system
      spec:
        hosts:
        - "grafana.${INGRESS_DOMAIN}"
        gateways:
        - grafana-gateway
        http:
        - route:
          - destination:
              host: grafana
              port:
                number: 3000
      ---
      apiVersion: networking.istio.io/v1alpha3
      kind: DestinationRule
      metadata:
        name: grafana
        namespace: istio-system
      spec:
        host: grafana
        trafficPolicy:
          tls:
            mode: DISABLE
      ---
      EOF

  • Apply the following configuration to expose Kiali:

      $ cat <<EOF | kubectl apply -f -
      apiVersion: networking.istio.io/v1alpha3
      kind: Gateway
      metadata:
        name: kiali-gateway
        namespace: istio-system
      spec:
        selector:
          istio: ingressgateway
        servers:
        - port:
            number: 443
            name: https-kiali
            protocol: HTTPS
          tls:
            mode: SIMPLE
            credentialName: telemetry-gw-cert
          hosts:
          - "kiali.${INGRESS_DOMAIN}"
      ---
      apiVersion: networking.istio.io/v1alpha3
      kind: VirtualService
      metadata:
        name: kiali-vs
        namespace: istio-system
      spec:
        hosts:
        - "kiali.${INGRESS_DOMAIN}"
        gateways:
        - kiali-gateway
        http:
        - route:
          - destination:
              host: kiali
              port:
                number: 20001
      ---
      apiVersion: networking.istio.io/v1alpha3
      kind: DestinationRule
      metadata:
        name: kiali
        namespace: istio-system
      spec:
        host: kiali
        trafficPolicy:
          tls:
            mode: DISABLE
      ---
      EOF

  • Apply the following configuration to expose Prometheus:

      $ cat <<EOF | kubectl apply -f -
      apiVersion: networking.istio.io/v1alpha3
      kind: Gateway
      metadata:
        name: prometheus-gateway
        namespace: istio-system
      spec:
        selector:
          istio: ingressgateway
        servers:
        - port:
            number: 443
            name: https-prom
            protocol: HTTPS
          tls:
            mode: SIMPLE
            credentialName: telemetry-gw-cert
          hosts:
          - "prometheus.${INGRESS_DOMAIN}"
      ---
      apiVersion: networking.istio.io/v1alpha3
      kind: VirtualService
      metadata:
        name: prometheus-vs
        namespace: istio-system
      spec:
        hosts:
        - "prometheus.${INGRESS_DOMAIN}"
        gateways:
        - prometheus-gateway
        http:
        - route:
          - destination:
              host: prometheus
              port:
                number: 9090
      ---
      apiVersion: networking.istio.io/v1alpha3
      kind: DestinationRule
      metadata:
        name: prometheus
        namespace: istio-system
      spec:
        host: prometheus
        trafficPolicy:
          tls:
            mode: DISABLE
      ---
      EOF

  • Apply the following configuration to expose the tracing service:

      $ cat <<EOF | kubectl apply -f -
      apiVersion: networking.istio.io/v1alpha3
      kind: Gateway
      metadata:
        name: tracing-gateway
        namespace: istio-system
      spec:
        selector:
          istio: ingressgateway
        servers:
        - port:
            number: 443
            name: https-tracing
            protocol: HTTPS
          tls:
            mode: SIMPLE
            credentialName: telemetry-gw-cert
          hosts:
          - "tracing.${INGRESS_DOMAIN}"
      ---
      apiVersion: networking.istio.io/v1alpha3
      kind: VirtualService
      metadata:
        name: tracing-vs
        namespace: istio-system
      spec:
        hosts:
        - "tracing.${INGRESS_DOMAIN}"
        gateways:
        - tracing-gateway
        http:
        - route:
          - destination:
              host: tracing
              port:
                number: 80
      ---
      apiVersion: networking.istio.io/v1alpha3
      kind: DestinationRule
      metadata:
        name: tracing
        namespace: istio-system
      spec:
        host: tracing
        trafficPolicy:
          tls:
            mode: DISABLE
      ---
      EOF

  2. Visit the telemetry addons via your browser.
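
The certificate steps in this section are easy to get subtly wrong, and the browser is usually where the mistake first shows. The following Go program is an added example, not part of the original task or of the Istio project: it rebuilds the same chain with the standard library (a self-signed CA for *.${INGRESS_DOMAIN}, then a leaf for *.${INGRESS_DOMAIN} signed by that CA) and then runs the check a client performs against each of the four Gateway hosts: the leaf chains to ca.crt, carries server-auth usage, and its wildcard matches the requested name. The domain `example.com`, the ECDSA keys and the serial numbers are assumptions made for the example. Two caveats it makes visible: the openssl commands put the wildcard only in the CN, while Chrome and Go clients match the SAN extension and ignore the CN, so the example adds the wildcard as a DNS SAN as well; and a wildcard covers exactly one label, so `tracing.${INGRESS_DOMAIN}` matches but the apex domain and any deeper name do not.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// ingressDomain is a constructed stand-in for ${INGRESS_DOMAIN}; it is not a real deployment.
const ingressDomain = "example.com"

// TelemetryChain holds the parsed equivalents of ca.crt and tls.crt from the openssl steps.
type TelemetryChain struct {
	CA   *x509.Certificate
	Leaf *x509.Certificate
}

// AddonHosts returns the four hostnames the Gateways in this task serve.
func AddonHosts(domain string) []string {
	return []string{"grafana." + domain, "kiali." + domain, "prometheus." + domain, "tracing." + domain}
}

// BuildTelemetryChain mirrors the openssl sequence: a self-signed CA for *.<domain>, then a
// leaf for *.<domain> signed by that CA. ECDSA P-256 replaces rsa:2048 only to keep key
// generation fast; the shape of the chain is the same.
func BuildTelemetryChain(domain string) (*TelemetryChain, error) {
	wildcard := "*." + domain
	notBefore := time.Now().Add(-time.Hour) // small backdate so clock skew cannot make the chain "not yet valid"
	notAfter := notBefore.Add(365 * 24 * time.Hour)

	caKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	caTmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{Organization: []string{"example Inc."}, CommonName: wildcard},
		NotBefore:             notBefore,
		NotAfter:              notAfter,
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageDigitalSignature,
	}
	caDER, err := x509.CreateCertificate(rand.Reader, caTmpl, caTmpl, &caKey.PublicKey, caKey)
	if err != nil {
		return nil, err
	}
	ca, err := x509.ParseCertificate(caDER)
	if err != nil {
		return nil, err
	}

	leafKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	leafTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2), // the openssl step uses -set_serial 0; RFC 5280 wants a positive serial
		Subject:      pkix.Name{Organization: []string{"example organization"}, CommonName: wildcard},
		// The openssl step writes only a CN; browsers and Go clients match the SAN extension
		// and ignore the CN, so the wildcard is also placed in DNSNames.
		DNSNames:    []string{wildcard},
		NotBefore:   notBefore,
		NotAfter:    notAfter,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	leafDER, err := x509.CreateCertificate(rand.Reader, leafTmpl, ca, &leafKey.PublicKey, caKey)
	if err != nil {
		return nil, err
	}
	leaf, err := x509.ParseCertificate(leafDER)
	if err != nil {
		return nil, err
	}
	return &TelemetryChain{CA: ca, Leaf: leaf}, nil
}

// VerifyHost performs the check a browser does once ca.crt is trusted: the leaf chains to
// the CA, carries server-auth usage, and its wildcard matches the requested hostname.
func (c *TelemetryChain) VerifyHost(host string) error {
	roots := x509.NewCertPool()
	roots.AddCert(c.CA)
	_, err := c.Leaf.Verify(x509.VerifyOptions{
		DNSName:   host,
		Roots:     roots,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	})
	return err
}

func main() {
	chain, err := BuildTelemetryChain(ingressDomain)
	if err != nil {
		panic(err)
	}
	for _, h := range AddonHosts(ingressDomain) {
		fmt.Println(h, "->", chain.VerifyHost(h)) // nil means a client would accept the certificate
	}
	// A wildcard covers exactly one label, so the apex and any deeper name are rejected.
	fmt.Println(ingressDomain, "->", chain.VerifyHost(ingressDomain))
	fmt.Println("a.grafana."+ingressDomain, "->", chain.VerifyHost("a.grafana."+ingressDomain))
}
```

To carry the SAN fix back to the openssl steps, add `-addext "subjectAltName=DNS:*.${INGRESS_DOMAIN}"` to the CSR request (OpenSSL 1.1.1 or later) and pass the same extension to `openssl x509 -req` through an -extfile, since that command does not copy CSR extensions by default.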

1.2 Insecure access (HTTP)

  1. Set up networking for the telemetry addons.
  • Apply the following configuration to expose Grafana:

      $ cat <<EOF | kubectl apply -f -
      apiVersion: networking.istio.io/v1alpha3
      kind: Gateway
      metadata:
        name: grafana-gateway
        namespace: istio-system
      spec:
        selector:
          istio: ingressgateway
        servers:
        - port:
            number: 80
            name: http-grafana
            protocol: HTTP
          hosts:
          - "grafana.${INGRESS_DOMAIN}"
      ---
      apiVersion: networking.istio.io/v1alpha3
      kind: VirtualService
      metadata:
        name: grafana-vs
        namespace: istio-system
      spec:
        hosts:
        - "grafana.${INGRESS_DOMAIN}"
        gateways:
        - grafana-gateway
        http:
        - route:
          - destination:
              host: grafana
              port:
                number: 3000
      ---
      apiVersion: networking.istio.io/v1alpha3
      kind: DestinationRule
      metadata:
        name: grafana
        namespace: istio-system
      spec:
        host: grafana
        trafficPolicy:
          tls:
            mode: DISABLE
      ---
      EOF

  • Apply the following configuration to expose Kiali:

      $ cat <<EOF | kubectl apply -f -
      apiVersion: networking.istio.io/v1alpha3
      kind: Gateway
      metadata:
        name: kiali-gateway
        namespace: istio-system
      spec:
        selector:
          istio: ingressgateway
        servers:
        - port:
            number: 80
            name: http-kiali
            protocol: HTTP
          hosts:
          - "kiali.${INGRESS_DOMAIN}"
      ---
      apiVersion: networking.istio.io/v1alpha3
      kind: VirtualService
      metadata:
        name: kiali-vs
        namespace: istio-system
      spec:
        hosts:
        - "kiali.${INGRESS_DOMAIN}"
        gateways:
        - kiali-gateway
        http:
        - route:
          - destination:
              host: kiali
              port:
                number: 20001
      ---
      apiVersion: networking.istio.io/v1alpha3
      kind: DestinationRule
      metadata:
        name: kiali
        namespace: istio-system
      spec:
        host: kiali
        trafficPolicy:
          tls:
            mode: DISABLE
      ---
      EOF

  • Apply the following configuration to expose Prometheus:

      $ cat <<EOF | kubectl apply -f -
      apiVersion: networking.istio.io/v1alpha3
      kind: Gateway
      metadata:
        name: prometheus-gateway
        namespace: istio-system
      spec:
        selector:
          istio: ingressgateway
        servers:
        - port:
            number: 80
            name: http-prom
            protocol: HTTP
          hosts:
          - "prometheus.${INGRESS_DOMAIN}"
      ---
      apiVersion: networking.istio.io/v1alpha3
      kind: VirtualService
      metadata:
        name: prometheus-vs
        namespace: istio-system
      spec:
        hosts:
        - "prometheus.${INGRESS_DOMAIN}"
        gateways:
        - prometheus-gateway
        http:
        - route:
          - destination:
              host: prometheus
              port:
                number: 9090
      ---
      apiVersion: networking.istio.io/v1alpha3
      kind: DestinationRule
      metadata:
        name: prometheus
        namespace: istio-system
      spec:
        host: prometheus
        trafficPolicy:
          tls:
            mode: DISABLE
      ---
      EOF

  • Apply the following configuration to expose the tracing service:

      $ cat <<EOF | kubectl apply -f -
      apiVersion: networking.istio.io/v1alpha3
      kind: Gateway
      metadata:
        name: tracing-gateway
        namespace: istio-system
      spec:
        selector:
          istio: ingressgateway
        servers:
        - port:
            number: 80
            name: http-tracing
            protocol: HTTP
          hosts:
          - "tracing.${INGRESS_DOMAIN}"
      ---
      apiVersion: networking.istio.io/v1alpha3
      kind: VirtualService
      metadata:
        name: tracing-vs
        namespace: istio-system
      spec:
        hosts:
        - "tracing.${INGRESS_DOMAIN}"
        gateways:
        - tracing-gateway
        http:
        - route:
          - destination:
              host: tracing
              port:
                number: 80
      ---
      apiVersion: networking.istio.io/v1alpha3
      kind: DestinationRule
      metadata:
        name: tracing
        namespace: istio-system
      spec:
        host: tracing
        trafficPolicy:
          tls:
            mode: DISABLE
      ---
      EOF

  2. Visit the telemetry addons via your browser.
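
Both variants above create Gateway objects with the same names, so after a few iterations it is worth checking which addons a cluster actually exposes in plaintext rather than trusting what was applied last. The following Go program is an added example, not from the original task or the Istio project: it reads the JSON that `kubectl get gateway -A -o json` produces and flags each server entry that exposes a host over HTTP, declares HTTPS with tls.mode SIMPLE but no credentialName (so the listener has no certificate to serve), or uses the `*` host. The embedded JSON is constructed to resemble that command's output (one correct HTTPS gateway and three faulty ones) and was not captured from a real cluster.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strings"
)

// gatewayList matches only the fields of `kubectl get gateway -A -o json` that the audit needs;
// encoding/json ignores everything else (selector, status, ...).
type gatewayList struct {
	Items []struct {
		Metadata struct {
			Name      string `json:"name"`
			Namespace string `json:"namespace"`
		} `json:"metadata"`
		Spec struct {
			Servers []struct {
				Hosts []string `json:"hosts"`
				Port  struct {
					Number   int    `json:"number"`
					Name     string `json:"name"`
					Protocol string `json:"protocol"`
				} `json:"port"`
				TLS struct {
					Mode           string `json:"mode"`
					CredentialName string `json:"credentialName"`
				} `json:"tls"`
			} `json:"servers"`
		} `json:"spec"`
	} `json:"items"`
}

// Finding is one posture problem on one host of one Gateway server entry.
type Finding struct {
	Gateway string // namespace/name
	Host    string
	Problem string
}

// AuditGateways flags servers that expose a host in plaintext, declare HTTPS with tls.mode
// SIMPLE but reference no credential, or answer for every hostname.
func AuditGateways(raw []byte) ([]Finding, error) {
	var gl gatewayList
	if err := json.Unmarshal(raw, &gl); err != nil {
		return nil, err
	}
	var out []Finding
	for _, gw := range gl.Items {
		id := gw.Metadata.Namespace + "/" + gw.Metadata.Name
		for _, s := range gw.Spec.Servers {
			proto := strings.ToUpper(s.Port.Protocol)
			for _, h := range s.Hosts {
				// Gateway hosts may carry a namespace prefix ("ns/host"); keep only the hostname part.
				host := h[strings.LastIndex(h, "/")+1:]
				switch {
				case proto == "HTTP":
					out = append(out, Finding{id, host, fmt.Sprintf("plaintext HTTP on port %d: logins and dashboard data cross the network unencrypted", s.Port.Number)})
				case proto == "HTTPS" && s.TLS.Mode == "SIMPLE" && s.TLS.CredentialName == "":
					out = append(out, Finding{id, host, "HTTPS with tls.mode SIMPLE but no credentialName: the listener has no certificate to serve"})
				}
				if host == "*" {
					out = append(out, Finding{id, host, "wildcard host: the server answers for any name that resolves to the ingress IP"})
				}
			}
		}
	}
	return out, nil
}

// sampleGateways is a constructed approximation of `kubectl get gateway -A -o json` (not captured
// from a real cluster): grafana is configured correctly, the other three each have one defect.
const sampleGateways = `{
  "apiVersion": "v1", "kind": "List",
  "items": [
    {"metadata": {"name": "grafana-gateway", "namespace": "istio-system"},
     "spec": {"selector": {"istio": "ingressgateway"}, "servers": [
       {"hosts": ["grafana.example.com"], "port": {"number": 443, "name": "https-grafana", "protocol": "HTTPS"},
        "tls": {"mode": "SIMPLE", "credentialName": "telemetry-gw-cert"}}]}},
    {"metadata": {"name": "kiali-gateway", "namespace": "istio-system"},
     "spec": {"selector": {"istio": "ingressgateway"}, "servers": [
       {"hosts": ["kiali.example.com"], "port": {"number": 80, "name": "http-kiali", "protocol": "HTTP"}}]}},
    {"metadata": {"name": "prometheus-gateway", "namespace": "istio-system"},
     "spec": {"selector": {"istio": "ingressgateway"}, "servers": [
       {"hosts": ["prometheus.example.com"], "port": {"number": 443, "name": "https-prom", "protocol": "HTTPS"},
        "tls": {"mode": "SIMPLE"}}]}},
    {"metadata": {"name": "tracing-gateway", "namespace": "istio-system"},
     "spec": {"selector": {"istio": "ingressgateway"}, "servers": [
       {"hosts": ["*"], "port": {"number": 443, "name": "https-tracing", "protocol": "HTTPS"},
        "tls": {"mode": "SIMPLE", "credentialName": "telemetry-gw-cert"}}]}}
  ]
}`

func main() {
	findings, err := AuditGateways([]byte(sampleGateways))
	if err != nil {
		panic(err)
	}
	for _, f := range findings {
		fmt.Printf("%s host=%s: %s\n", f.Gateway, f.Host, f.Problem)
	}
}
```

To run it against a live cluster, replace the constant with bytes read from os.Stdin and pipe `kubectl get gateway -A -o json` into the program; the audit only reads Gateway objects, so it needs no more than list permission on that resource.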

2. Cleanup

  1. Remove the related Gateways:

       $ kubectl -n istio-system delete gateway grafana-gateway kiali-gateway prometheus-gateway tracing-gateway

  2. Remove the related VirtualServices:

       $ kubectl -n istio-system delete virtualservice grafana-vs kiali-vs prometheus-vs tracing-vs