Create a ServiceEntry to allow direct traffic to an external service. For example, define a ServiceEntry for istio.io:
kubectl apply -f egressgateway/serviceentry.yaml
Verify that the ServiceEntry has been applied correctly. Send an HTTP request to https://istio.io:
kubectl exec -it $SOURCE_POD -c sleep -- curl -sL -o /dev/null -D - http://istio.io
HTTP/1.1 301 Moved Permanently
Cache-Control: public, max-age=0, must-revalidate
Content-Length: 33
Content-Type: text/plain
Date: Mon, 21 Jan 2019 15:15:41 GMT
Location: https://istio.io/
X-Nf-Srv-Version: 45aaffea081549dd03a2dfff644cc25cf522edbd
Age: 129340
Connection: keep-alive
Server: Netlify
X-NF-Request-ID: f6a3e5cf-9f20-4983-9a91-d0e319e89bcd-8911456

HTTP/2 200
cache-control: public, max-age=0, must-revalidate
content-type: text/html; charset=UTF-8
date: Mon, 21 Jan 2019 20:22:55 GMT
etag: "660e4bd7ded5a3a85a24118433d3f4b2-ssl"
strict-transport-security: max-age=31536000
x-nf-srv-version: 45aaffea081549dd03a2dfff644cc25cf522edbd
age: 110909
content-length: 25833
server: Netlify
x-nf-request-id: f6a3e5cf-9f20-4983-9a91-d0e319e89bcd-8911657
Create an egress gateway for istio.io on port 80. In addition, create a DestinationRule and a VirtualService to direct traffic through the egress gateway to the external service.
If mutual TLS authentication is enabled in Istio, use the following command:
kubectl apply -f egressgateway/gw-dr-mtls.yaml
If mutual TLS authentication is not enabled:
kubectl apply -f egressgateway/gw-dr.yaml
Define a VirtualService to direct traffic through the egress gateway:
kubectl apply -f egressgateway/vs.yaml
Resend the HTTP request to https://istio.io:
kubectl exec -it $SOURCE_POD -c sleep -- curl -sL -o /dev/null -D - http://istio.io
HTTP/1.1 301 Moved Permanently
Cache-Control: public, max-age=0, must-revalidate
Content-Length: 33
Content-Type: text/plain
Date: Mon, 21 Jan 2019 15:15:41 GMT
Location: https://istio.io/
X-Nf-Srv-Version: 45aaffea081549dd03a2dfff644cc25cf522edbd
Age: 130234
Connection: keep-alive
Server: Netlify
X-NF-Request-ID: f6a3e5cf-9f20-4983-9a91-d0e319e89bcd-8980278

HTTP/2 200
cache-control: public, max-age=0, must-revalidate
content-type: text/html; charset=UTF-8
date: Mon, 21 Jan 2019 20:22:55 GMT
etag: "660e4bd7ded5a3a85a24118433d3f4b2-ssl"
strict-transport-security: max-age=31536000
x-nf-srv-version: 45aaffea081549dd03a2dfff644cc25cf522edbd
age: 111802
content-length: 25833
server: Netlify
x-nf-request-id: f6a3e5cf-9f20-4983-9a91-d0e319e89bcd-8980407
The output should be the same as the output in the earlier step.
Check the log of the istio-egressgateway pod and look for the line that corresponds to our request. If Istio is deployed in the istio-system namespace, the command to print the log is:
kubectl logs -l istio=egressgateway -c istio-proxy -n istio-system | tail
[2019-01-23T05:05:58.269Z] "GET / HTTP/2" 301 - 0 33 519 514 "172.16.1.158" "curl/7.60.0" "55e7118b-b932-9bd3-ad2a-2d18586e03df" "istio.io" "104.198.14.52:80" outbound|80||istio.io - 172.16.2.23:80 172.16.1.158:54376
Note that in this configuration only traffic on port 80 is redirected to the egress gateway; HTTPS traffic to port 443 goes directly to istio.io. Next, configure the gateway to support HTTPS traffic.
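The page applies gw-dr.yaml and vs.yaml without showing their contents. The manifests below are an added sketch of what a Gateway and VirtualService for this setup can look like, not the page's own files. The resource names and the gateway service host istio-egressgateway.istio-system.svc.cluster.local are assumptions. Both routing rules match only port 80, which is why port 443 traffic does not pass through the gateway.

```yaml
# Added example: assumed contents, not the page's gw-dr.yaml / vs.yaml.
apiVersion: networking.istio.io/v1alpha3
kind: Gateway
metadata:
  name: istio-egressgateway          # assumed name
spec:
  selector:
    istio: egressgateway             # same label the kubectl logs command selects on
  servers:
  - port:
      number: 80
      name: http
      protocol: HTTP
    hosts:
    - istio.io                       # only this host is accepted at the gateway
---
apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
  name: direct-istio-io-through-egress-gateway   # assumed name
spec:
  hosts:
  - istio.io
  gateways:
  - istio-egressgateway              # rules evaluated at the egress gateway
  - mesh                             # rules evaluated at every sidecar
  http:
  - match:                           # hop 1: sidecar sends port-80 traffic to the gateway
    - gateways:
      - mesh
      port: 80
    route:
    - destination:
        host: istio-egressgateway.istio-system.svc.cluster.local
        port:
          number: 80
  - match:                           # hop 2: gateway forwards to the external host
    - gateways:
      - istio-egressgateway
      port: 80
    route:
    - destination:
        host: istio.io
        port:
          number: 80
```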