这个任务展示了如何配置Istio暴露和访问集群的遥测以外的插件。
1. 配置远程访问
远程访问的遥测插件可以在许多不同的方式进行配置。这个任务包括两个基本的访问方法:安全(通过HTTPS)和安全(通过HTTP)。安全方法,强烈建议任何生产或敏感的环境。不安全的访问是简单的设置,但不能保护您的集群外的任何证书或数据传输。
针对这两个选项,首先遵循以下这些步骤:
- 在你的集群中安装Istio
另外安装遥测插件,使用以下安装选项:
- Grafana: —set values.grafana.enabled=true
- Kiali: —set values.kiali.enabled=true
- Prometheus: —set values.prometheus.enabled=true
- Tracing: —set values.tracing.enabled=true
- 使用一个域名去暴露组件,在该案例中,你可以在每个子域名中暴露组件,比如 grafana.example.com
- 假如你有一个已存在的域名指向你的istio-ingressgateway的外部IP地址
$ export INGRESS_DOMAIN=<your.desired.domain>
- 假如你没有一个域名,你可能使用nip.io,它会自动的解析提供的IP地址 ,这在生产环境中是不推荐的。
$ export INGRESS_HOST=$(kubectl -n istio-system get service istio-ingressgateway -o jsonpath='{.status.loadBalancer.ingress[0].ip}')
$ export INGRESS_DOMAIN=${INGRESS_HOST}.nip.io
1.1 安全的访问 (HTTPS)
针对安全的访问,服务器证书必须的。 针对你控制域名,遵循下面步骤去安装和配置服务器证书。
- 构建证书,本案例使用Openssl去自签
$ CERT_DIR=/tmp/certs
$ mkdir -p ${CERT_DIR}
$ openssl req -x509 -sha256 -nodes -days 365 -newkey rsa:2048 -subj '/O=example Inc./CN=*.${INGRESS_DOMAIN}' -keyout ${CERT_DIR}/ca.key -out ${CERT_DIR}/ca.crt
$ openssl req -out ${CERT_DIR}/cert.csr -newkey rsa:2048 -nodes -keyout ${CERT_DIR}/tls.key -subj "/CN=*.${INGRESS_DOMAIN}/O=example organization"
$ openssl x509 -req -days 365 -CA ${CERT_DIR}/ca.crt -CAkey ${CERT_DIR}/ca.key -set_serial 0 -in ${CERT_DIR}/cert.csr -out ${CERT_DIR}/tls.crt
$ kubectl create -n istio-system secret tls telemetry-gw-cert --key=${CERT_DIR}/tls.key --cert=${CERT_DIR}/tls.crt
- 应用下面的配置去暴露Grafana
$ cat <<EOF | kubectl apply -f -
apiVersion: networking.istio.io/v1alpha3
kind: Gateway
metadata:
name: grafana-gateway
namespace: istio-system
spec:
selector:
istio: ingressgateway
servers:
- port:
number: 443
name: https-grafana
protocol: HTTPS
tls:
mode: SIMPLE
credentialName: telemetry-gw-cert
hosts:
- "grafana.${INGRESS_DOMAIN}"
---
apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
name: grafana-vs
namespace: istio-system
spec:
hosts:
- "grafana.${INGRESS_DOMAIN}"
gateways:
- grafana-gateway
http:
- route:
- destination:
host: grafana
port:
number: 3000
---
apiVersion: networking.istio.io/v1alpha3
kind: DestinationRule
metadata:
name: grafana
namespace: istio-system
spec:
host: grafana
trafficPolicy:
tls:
mode: DISABLE
---
EOF
- 应用下面的配置去暴露Kiali
$ cat <<EOF | kubectl apply -f -
apiVersion: networking.istio.io/v1alpha3
kind: Gateway
metadata:
name: kiali-gateway
namespace: istio-system
spec:
selector:
istio: ingressgateway
servers:
- port:
number: 443
name: https-kiali
protocol: HTTPS
tls:
mode: SIMPLE
credentialName: telemetry-gw-cert
hosts:
- "kiali.${INGRESS_DOMAIN}"
---
apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
name: kiali-vs
namespace: istio-system
spec:
hosts:
- "kiali.${INGRESS_DOMAIN}"
gateways:
- kiali-gateway
http:
- route:
- destination:
host: kiali
port:
number: 20001
---
apiVersion: networking.istio.io/v1alpha3
kind: DestinationRule
metadata:
name: kiali
namespace: istio-system
spec:
host: kiali
trafficPolicy:
tls:
mode: DISABLE
---
EOF
- 应用下面的配置去暴露prometheus
$ cat <<EOF | kubectl apply -f -
apiVersion: networking.istio.io/v1alpha3
kind: Gateway
metadata:
name: prometheus-gateway
namespace: istio-system
spec:
selector:
istio: ingressgateway
servers:
- port:
number: 443
name: https-prom
protocol: HTTPS
tls:
mode: SIMPLE
credentialName: telemetry-gw-cert
hosts:
- "prometheus.${INGRESS_DOMAIN}"
---
apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
name: prometheus-vs
namespace: istio-system
spec:
hosts:
- "prometheus.${INGRESS_DOMAIN}"
gateways:
- prometheus-gateway
http:
- route:
- destination:
host: prometheus
port:
number: 9090
---
apiVersion: networking.istio.io/v1alpha3
kind: DestinationRule
metadata:
name: prometheus
namespace: istio-system
spec:
host: prometheus
trafficPolicy:
tls:
mode: DISABLE
---
EOF
- 利用下面的配置去暴露追踪服务
$ cat <<EOF | kubectl apply -f -
apiVersion: networking.istio.io/v1alpha3
kind: Gateway
metadata:
name: tracing-gateway
namespace: istio-system
spec:
selector:
istio: ingressgateway
servers:
- port:
number: 443
name: https-tracing
protocol: HTTPS
tls:
mode: SIMPLE
credentialName: telemetry-gw-cert
hosts:
- "tracing.${INGRESS_DOMAIN}"
---
apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
name: tracing-vs
namespace: istio-system
spec:
hosts:
- "tracing.${INGRESS_DOMAIN}"
gateways:
- tracing-gateway
http:
- route:
- destination:
host: tracing
port:
number: 80
---
apiVersion: networking.istio.io/v1alpha3
kind: DestinationRule
metadata:
name: tracing
namespace: istio-system
spec:
host: tracing
trafficPolicy:
tls:
mode: DISABLE
---
EOF
- 在浏览器中访问遥测插件
- Kiali: https://kiali.${INGRESS_DOMAIN}
- Prometheus: https://prometheus.${INGRESS_DOMAIN}
- Grafana: https://grafana.${INGRESS_DOMAIN}
- Tracing: https://tracing.${INGRESS_DOMAIN}
1.2 不安全的访问 (HTTP)
- 针对遥测插件应该网络配置
- 应用下列配置去暴露Grafana
$ cat <<EOF | kubectl apply -f -
apiVersion: networking.istio.io/v1alpha3
kind: Gateway
metadata:
name: grafana-gateway
namespace: istio-system
spec:
selector:
istio: ingressgateway
servers:
- port:
number: 80
name: http-grafana
protocol: HTTP
hosts:
- "grafana.${INGRESS_DOMAIN}"
---
apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
name: grafana-vs
namespace: istio-system
spec:
hosts:
- "grafana.${INGRESS_DOMAIN}"
gateways:
- grafana-gateway
http:
- route:
- destination:
host: grafana
port:
number: 3000
---
apiVersion: networking.istio.io/v1alpha3
kind: DestinationRule
metadata:
name: grafana
namespace: istio-system
spec:
host: grafana
trafficPolicy:
tls:
mode: DISABLE
---
EOF
- 应用下列配置去暴露Kiali
$ cat <<EOF | kubectl apply -f -
apiVersion: networking.istio.io/v1alpha3
kind: Gateway
metadata:
name: kiali-gateway
namespace: istio-system
spec:
selector:
istio: ingressgateway
servers:
- port:
number: 80
name: http-kiali
protocol: HTTP
hosts:
- "kiali.${INGRESS_DOMAIN}"
---
apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
name: kiali-vs
namespace: istio-system
spec:
hosts:
- "kiali.${INGRESS_DOMAIN}"
gateways:
- kiali-gateway
http:
- route:
- destination:
host: kiali
port:
number: 20001
---
apiVersion: networking.istio.io/v1alpha3
kind: DestinationRule
metadata:
name: kiali
namespace: istio-system
spec:
host: kiali
trafficPolicy:
tls:
mode: DISABLE
---
EOF
- 应用下列配置去暴露prometheus
$ cat <<EOF | kubectl apply -f -
apiVersion: networking.istio.io/v1alpha3
kind: Gateway
metadata:
name: prometheus-gateway
namespace: istio-system
spec:
selector:
istio: ingressgateway
servers:
- port:
number: 80
name: http-prom
protocol: HTTP
hosts:
- "prometheus.${INGRESS_DOMAIN}"
---
apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
name: prometheus-vs
namespace: istio-system
spec:
hosts:
- "prometheus.${INGRESS_DOMAIN}"
gateways:
- prometheus-gateway
http:
- route:
- destination:
host: prometheus
port:
number: 9090
---
apiVersion: networking.istio.io/v1alpha3
kind: DestinationRule
metadata:
name: prometheus
namespace: istio-system
spec:
host: prometheus
trafficPolicy:
tls:
mode: DISABLE
---
EOF
- 利用下列配置去暴露追踪服务器
$ cat <<EOF | kubectl apply -f -
apiVersion: networking.istio.io/v1alpha3
kind: Gateway
metadata:
name: tracing-gateway
namespace: istio-system
spec:
selector:
istio: ingressgateway
servers:
- port:
number: 80
name: http-tracing
protocol: HTTP
hosts:
- "tracing.${INGRESS_DOMAIN}"
---
apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
name: tracing-vs
namespace: istio-system
spec:
hosts:
- "tracing.${INGRESS_DOMAIN}"
gateways:
- tracing-gateway
http:
- route:
- destination:
host: tracing
port:
number: 80
---
apiVersion: networking.istio.io/v1alpha3
kind: DestinationRule
metadata:
name: tracing
namespace: istio-system
spec:
host: tracing
trafficPolicy:
tls:
mode: DISABLE
---
EOF
- 在浏览器中访问遥测插件
- Kiali: http://kiali.${INGRESS_DOMAIN}
- Prometheus: http://prometheus.${INGRESS_DOMAIN}
- Grafana: http://grafana.${INGRESS_DOMAIN}
- Tracing: http://tracing.${INGRESS_DOMAIN}
2. 清除本实验
- 移除相关的Gateways
$ kubectl -n istio-system delete gateway grafana-gateway kiali-gateway prometheus-gateway tracing-gateway
- 移除相关的虚拟服务
$ kubectl -n istio-system delete virtualservice grafana-vs kiali-vs prometheus-vs tracing-vs