istio-流量管理-服務網格外的流量管理

這個也一知半解，暫時沒用到，放這吧

為了控制服務網格外的服務的流量訪問，外部的服務必須首先使用一個ServiceEntry物件加入到 istio 的內部 service registry 中，服務網格才會知道如何導向這些外部服務的流量。

為了測試這個功能，我們使用 istio 樣例中的 sleep 應用來驗證改功能，檢視 samples/sleep/sleep.yaml 檔案內容：

# cat samples/sleep/sleep.yaml
# Copyright 2017 Istio Authors
#
#   Licensed under the Apache License, Version 2.0 (the "License");
#   you may not use this file except in compliance with the License.
#   You may obtain a copy of the License at
#
#       http://www.apache.org/licenses/LICENSE-2.0
#
#   Unless required by applicable law or agreed to in writing, software
#   distributed under the License is distributed on an "AS IS" BASIS,
#   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
#   See the License for the specific language governing permissions and
#   limitations under the License.

##################################################################################################
# Sleep service
##################################################################################################
apiVersion: v1
kind: ServiceAccount
metadata:
  name: sleep
---
apiVersion: v1
kind: Service
metadata:
  name: sleep
  labels:
    app: sleep
spec:
  ports:
  - port: 80
    name: http
  selector:
    app: sleep
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: sleep
spec:
  replicas: 1
  selector:
    matchLabels:
      app: sleep
  template:
    metadata:
      labels:
        app: sleep
    spec:
      serviceAccountName: sleep
      containers:
      - name: sleep
        image: governmentpaas/curl-ssl
        command: ["/bin/sleep", "3650d"]
        imagePullPolicy: IfNotPresent
---

這其實就是一個簡單的應用，通過 Deployment 進行控制，通過 Service 暴露服務，現在我們來部署該應用：

[root@k8s-master istio-1.3.1]#  kubectl apply -f <(istioctl kube-inject -f samples/sleep/sleep.yaml)
serviceaccount/sleep created
service/sleep created
deployment.apps/sleep created
[root@k8s-master istio-1.3.1]#
[root@k8s-master istio-1.3.1]# kubectl get pod
NAME                                      READY   STATUS    RESTARTS   AGE
details-v1-74f858558f-qnbfx               2/2     Running   0          3d4h
dig                                       2/2     Running   0          10m
nfs-client-provisioner-74bcb5d897-nx8fb   1/1     Running   0          5d3h
productpage-v1-8554d58bff-2cng5           2/2     Running   0          3d4h
ratings-v1-7855f5bcb9-8lzb5               2/2     Running   0          3d4h
reviews-v1-59fd8b965b-fxxxn               2/2     Running   0          3d4h
reviews-v2-d6cfdb7d6-rf6nh                2/2     Running   0          3d4h
reviews-v3-75699b5cfb-qn4db               2/2     Running   0          3d4h
sleep-75c858dc6b-n7k79                    2/2     Running   0          38s

待應用部署完成後，我們進入該應用容器內部執行一些測試操作：

[root@k8s-master istio-1.3.1]# export SLEEP_POD=$(kubectl get pod -l app=sleep -o jsonpath={.items..metadata.name})
[root@k8s-master istio-1.3.1]# kubectl exec -it $SLEEP_POD -c sleep -- curl -sL -o /dev/null -D - http://edition.cnn.com/politics
HTTP/1.1 503 Service Unavailable
content-length: 91
content-type: text/plain
date: Mon, 11 Nov 2019 08:24:58 GMT
server: envoy

可以看到會返回上面的404的資訊(我的返回503)，因為該域名不在當前的服務網格中，預設情況下 istio 不允許訪問服務網格外部的 URL，即服務網格中對未知的服務請求會被丟棄。這就需要我們來建立一個 ServiceEntry 物件，將外部的訪問服務引入到服務網格中來。

例如下面的規則定義了一個訪問 edition.cnn.com 的服務的 ServiceEntry:（cnn-service-entry.yaml）

例如下面的規則定義了一個訪問 edition.cnn.com 的服務的 ServiceEntry:（cnn-service-entry.yaml）

apiVersion: networking.istio.io/v1alpha3
kind: ServiceEntry
metadata:
  name: cnn
spec:
  hosts:
  - edition.cnn.com
  ports:
  - number: 80
    name: http-port
    protocol: HTTP
  - number: 443
    name: https
    protocol: HTTPS
  resolution: DNS

現在我們來部署上面的 ServiceEntry 資源：

$ istioctl create -f cnn-service-entry.yaml
Created config service-entry/default/cnn at revision 32149308
$ istioctl get serviceentry
SERVICE-ENTRY NAME   HOSTS             PORTS               NAMESPACE   AGE
cnn                  edition.cnn.com   HTTP/80,HTTPS/443   default     1m

現在我們再去上面的 sleep 容器中執行上面的測試請求：

[root@k8s-master istio-1.3.1]#  kubectl exec -it $SLEEP_POD -c sleep -- curl -sL -o /dev/null -D - http://edition.cnn.com/politics
HTTP/1.1 301 Moved Permanently
server: envoy
retry-after: 0
content-length: 0
cache-control: public, max-age=600
location: https://edition.cnn.com/politics
accept-ranges: bytes
date: Mon, 11 Nov 2019 08:27:05 GMT
via: 1.1 varnish
set-cookie: countryCode=CN; Domain=.cnn.com; Path=/
set-cookie: geoData=fengtai|BJ|100036|CN|AS|800|broadband; Domain=.cnn.com; Path=/
x-served-by: cache-hnd18723-HND
x-cache: HIT
x-cache-hits: 0
x-envoy-upstream-service-time: 250

HTTP/2 200
content-type: text/html; charset=utf-8
x-servedbyhost: ::ffff:127.0.0.1
access-control-allow-origin: *
cache-control: max-age=60
content-security-policy: default-src 'self' blob: https://*.cnn.com:* http://*.cnn.com:* *.cnn.io:* *.cnn.net:* *.turner.com:* *.turner.io:* *.ugdturner.com:* courageousstudio.com *.vgtf.net:*; script-src 'unsafe-eval' 'unsafe-inline' 'self' *; style-src 'unsafe-inline' 'self' blob: *; child-src 'self' blob: *; frame-src 'self' *; object-src 'self' *; img-src 'self' data:blob: *; media-src 'self' data: blob: *; font-src 'self' data: *; connect-src 'self' *; frame-ancestors 'self' https://*.cnn.com:* http://*.cnn.com https://*.cnn.io:* http://*.cnn.io:* *.turner.com:* courageousstudio.com;
x-content-type-options: nosniff
x-xss-protection: 1; mode=block
via: 1.1 varnish
accept-ranges: bytes
date: Mon, 11 Nov 2019 08:27:07 GMT
via: 1.1 varnish
age: 45
set-cookie: countryCode=CN; Domain=.cnn.com; Path=/
set-cookie: geoData=beijing|BJ|100000|CN|AS|800|broadband; Domain=.cnn.com; Path=/
set-cookie: FastAB=0=1029,1=7669,2=2963,3=3546,4=7780,5=6467,6=4575,7=2654,8=4365,9=7238; Domain=.cnn.com; Path=/; Expires=Thu Jul 01 2021 00:00:00 GMT
set-cookie: tryThing00=0488; Domain=.cnn.com; Path=/; Expires=Mon Jul 01 2019 00:00:00 GMT
set-cookie: tryThing01=4810; Domain=.cnn.com; Path=/; Expires=Sun Mar 01 2020 00:00:00 GMT
set-cookie: tryThing02=3753; Domain=.cnn.com; Path=/; Expires=Wed Jan 01 2020 00:00:00 GMT
x-served-by: cache-iad2148-IAD, cache-tyo19934-TYO
x-cache: HIT, MISS
x-cache-hits: 1, 0
x-timer: S1573460826.227224,VS0,VE913
vary: Accept-Encoding
content-length: 1298588

現在我們發現可以正常返回內容了，返回200，證明請求成功了。

說明：-L讓 curl 跟隨連線進行重定向。這裡伺服器直接返回的 301 重定向響應，要求客戶端再使用HTTPS的方式對https://edition.cnn.com/politics地址進行訪問，第二次訪問才返回了200的成功碼。

除此之外，我們還可以進一步配置egress gateway，使這些對外部的流量訪問經由egress去到外部。

現在我們在 istio 中定義一個egress gateway物件來註冊允許從服務網格出去的服務，建立一個用於edition.cnn.com 的 egress gateway 物件:(cnn-egress-gateway.yaml)

[root@k8s-master istio-1.3.1]# vim cnn-egress-gateway.yaml
[root@k8s-master istio-1.3.1]# cat cnn-egress-gateway.yaml
apiVersion: networking.istio.io/v1alpha3
kind: Gateway
metadata:
  name: istio-egressgateway
spec:
  selector:
    istio: egressgateway
  servers:
  - port:
      number: 80
      name: http
      protocol: HTTP
    hosts:
    - edition.cnn.com
[root@k8s-master istio-1.3.1]# kubectl apply -f cnn-egress-gateway.yaml
gateway.networking.istio.io/istio-egressgateway created
[root@k8s-master istio-1.3.1]#

除了上面的 engress gateway 物件之外，我們還需要建立 VirtualService 和 DestinationRule 這兩個資源物件:（cnn-virtual-rule.yaml）

apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
  name: direct-cnn-through-egress-gateway
spec:
  hosts:
  - edition.cnn.com
  gateways:
  - istio-egressgateway
  - mesh
  http:
  - match:
    - gateways:
      - mesh
      port: 80
    route:
    - destination:
        host: istio-egressgateway.istio-system.svc.cluster.local
        subset: cnn
        port:
          number: 80
      weight: 100
  - match:
    - gateways:
      - istio-egressgateway
      port: 80
    route:
    - destination:
        host: edition.cnn.com
        port:
          number: 80
      weight: 100

---
apiVersion: networking.istio.io/v1alpha3
kind: DestinationRule
metadata:
  name: egressgateway-for-cnn
spec:
  host: istio-egressgateway.istio-system.svc.cluster.local
  subsets:
  - name: cnn

https://www.qikqiak.com/istio-book/traffic-control/3.%E5%9F%BA%E4%BA%8EBookinfo%E7%9A%84%E6%B5%81%E9%87%8F%E6%8E%A7%E5%88%B6%E9%85%8D%E7%BD%AE.html

下面是一知半解了 程式碼一直通不過 放這吧