Como adicionar gateways

  1. Crie um novo gateway de entrada seguindo o modelo para o gateway de entrada pré-instalado. Use o seguinte YAML de definição de gateway (em inglês) para criar um novo gateway. Na YAML de definição do gateway, substitua POD_NAMESPACE pelo seu namespace. Em seguida, copie e cole o YAML em um arquivo, GATEWAY_DEFINITION_FILE. Certifique-se de editar recursos como PodDisruptionBudget e HorizontalPodAutoscaler conforme apropriado para seu ambiente.

    YAML de definição de gateway

    apiVersion: v1
kind: ServiceAccount
metadata:
  name: user-ingressgateway-service-account
  namespace: istio-system
  labels:
    app: istio-ingressgateway
    chart: gateways
    heritage: Tiller
    release: istio
---
apiVersion: v1
kind: Service
metadata:
  name: user-ingressgateway
  namespace: istio-system
  annotations:
  labels:
    chart: gateways
    heritage: Tiller
    release: istio
    app: istio-ingressgateway
    istio: ingressgateway
spec:
  type: LoadBalancer
  selector:
    release: istio
    app: istio-ingressgateway
    istio: ingressgateway
  ports:
    -
      name: status-port
      port: 15020
      targetPort: 15020
    -
      name: http2
      nodePort: 31380
      port: 80
      targetPort: 80
    -
      name: https
      nodePort: 31390
      port: 443
    -
      name: tcp
      nodePort: 31400
      port: 31400
    -
      name: https-kiali
      port: 15029
      targetPort: 15029
    -
      name: https-prometheus
      port: 15030
      targetPort: 15030
    -
      name: https-grafana
      port: 15031
      targetPort: 15031
    -
      name: https-tracing
      port: 15032
      targetPort: 15032
    -
      name: tls
      port: 15443
      targetPort: 15443
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: user-ingressgateway
  namespace: istio-system
  labels:
    app: istio-ingressgateway
    chart: gateways
    heritage: Tiller
    istio: ingressgateway
    release: istio
spec:
  selector:
    matchLabels:
      app: istio-ingressgateway
      istio: ingressgateway
  strategy:
    rollingUpdate:
      maxSurge: 100%
      maxUnavailable: 25%
  template:
    metadata:
      labels:
        app: istio-ingressgateway
        chart: gateways
        heritage: Tiller
        istio: ingressgateway
        release: istio
      annotations:
        sidecar.istio.io/inject: "false"
    spec:
      serviceAccountName: user-ingressgateway-service-account
      containers:
        - name: istio-proxy
          image: "gcr.io/istio-testing/proxyv2:1.4-dev"
          imagePullPolicy: IfNotPresent
          ports:
            - containerPort: 15020
            - containerPort: 80
            - containerPort: 443
            - containerPort: 31400
            - containerPort: 15029
            - containerPort: 15030
            - containerPort: 15031
            - containerPort: 15032
            - containerPort: 15443
            - containerPort: 15090
              protocol: TCP
              name: http-envoy-prom
          args:
          - proxy
          - router
          - --domain
          - POD_NAMESPACE.svc.cluster.local
          - --log_output_level=default:info
          - --drainDuration
          - '45s' #drainDuration
          - --parentShutdownDuration
          - '1m0s' #parentShutdownDuration
          - --connectTimeout
          - '10s' #connectTimeout
          - --serviceCluster
          - user-ingressgateway
          - --zipkinAddress
          - zipkin:9411
          - --proxyAdminPort
          - "15000"
          - --statusPort
          - "15020"
          - --controlPlaneAuthPolicy
          - NONE
          - --discoveryAddress
          - istio-pilot:15010
          readinessProbe:
            failureThreshold: 30
            httpGet:
              path: /healthz/ready
              port: 15020
              scheme: HTTP
            initialDelaySeconds: 1
            periodSeconds: 2
            successThreshold: 1
            timeoutSeconds: 1
          resources:
            limits:
              cpu: 2000m
              memory: 1024Mi
            requests:
              cpu: 100m
              memory: 128Mi
          env:
          - name: NODE_NAME
            valueFrom:
              fieldRef:
                apiVersion: v1
                fieldPath: spec.nodeName
          - name: POD_NAME
            valueFrom:
              fieldRef:
                apiVersion: v1
                fieldPath: metadata.name
          - name: POD_NAMESPACE
            valueFrom:
              fieldRef:
                apiVersion: v1
                fieldPath: metadata.namespace
          - name: INSTANCE_IP
            valueFrom:
              fieldRef:
                apiVersion: v1
                fieldPath: status.podIP
          - name: HOST_IP
            valueFrom:
              fieldRef:
                apiVersion: v1
                fieldPath: status.hostIP
          - name: SERVICE_ACCOUNT
            valueFrom:
              fieldRef:
                fieldPath: spec.serviceAccountName
          - name: ISTIO_META_POD_NAME
            valueFrom:
              fieldRef:
                apiVersion: v1
                fieldPath: metadata.name
          - name: ISTIO_META_CONFIG_NAMESPACE
            valueFrom:
              fieldRef:
                fieldPath: metadata.namespace
          - name: ISTIO_METAJSON_LABELS
            value: |
              {"app":"istio-ingressgateway","chart":"gateways","heritage":"Tiller","istio":"ingressgateway","release":"istio"}
          - name: ISTIO_META_CLUSTER_ID
            value: "Kubernetes"
          - name: SDS_ENABLED
            value: "false"
          - name: ISTIO_META_WORKLOAD_NAME
            value: user-ingressgateway
          - name: ISTIO_META_OWNER
            value: kubernetes://apis/apps/v1/namespaces/istio-system/deployments/user-ingressgateway
          - name: ISTIO_META_ROUTER_MODE
            value: sni-dnat
          volumeMounts:
          - name: istio-certs
            mountPath: /etc/certs
            readOnly: true
          - name: ingressgateway-certs
            mountPath: "/etc/istio/ingressgateway-certs"
            readOnly: true
          - name: ingressgateway-ca-certs
            mountPath: "/etc/istio/ingressgateway-ca-certs"
            readOnly: true
      volumes:
      - name: istio-certs
        secret:
          secretName: istio.user-ingressgateway-service-account
          optional: true
      - name: ingressgateway-certs
        secret:
          secretName: "istio-ingressgateway-certs"
          optional: true
      - name: ingressgateway-ca-certs
        secret:
          secretName: "istio-ingressgateway-ca-certs"
          optional: true
      affinity:
        nodeAffinity:
          requiredDuringSchedulingIgnoredDuringExecution:
            nodeSelectorTerms:
            - matchExpressions:
              - key: beta.kubernetes.io/arch
                operator: In
                values:
                - "amd64"
                - "ppc64le"
                - "s390x"
          preferredDuringSchedulingIgnoredDuringExecution:
          - weight: 2
            preference:
              matchExpressions:
              - key: beta.kubernetes.io/arch
                operator: In
                values:
                - "amd64"
          - weight: 2
            preference:
              matchExpressions:
              - key: beta.kubernetes.io/arch
                operator: In
                values:
                - "ppc64le"
          - weight: 2
            preference:
              matchExpressions:
              - key: beta.kubernetes.io/arch
                operator: In
                values:
                - "s390x"
---
apiVersion: policy/v1beta1
kind: PodDisruptionBudget
metadata:
  name: user-ingressgateway
  namespace: istio-system
  labels:
    chart: gateways
    heritage: Tiller
    release: istio
    app: istio-ingressgateway
    istio: ingressgateway
spec:
  minAvailable: 1
  selector:
    matchLabels:
      release: istio
      app: istio-ingressgateway
      istio: ingressgateway
—
apiVersion: autoscaling/v2beta1
kind: HorizontalPodAutoscaler
metadata:
  name: user-ingressgateway
  namespace: istio-system
  labels:
    chart: gateways
    heritage: Tiller
    release: istio
    app: istio-ingressgateway
    istio: ingressgateway
spec:
  maxReplicas: 5
  minReplicas: 1
  scaleTargetRef:
    apiVersion: apps/v1
    kind: Deployment
    name: user-ingressgateway
  metrics:
    - type: Resource
      resource:
        name: cpu
        targetAverageUtilization: 80
---

  2. Aplique o arquivo de gateway de usuário ao cluster:

    kubectl apply -f GATEWAY_DEFINITION_FILE

  3. Verifique se um IP externo foi atribuído ao novo gateway:

    kubectl get svc -n istio-system

    A saída é semelhante à seguinte, com endereços IP para o istio-ingressgateway integrado e ao gateway que você acabou de criar. Outros serviços do Istio são omitidos por questões de brevidade.

    NAME                   TYPE           CLUSTER-IP       EXTERNAL-IP
istio-ingressgateway   LoadBalancer   10.103.245.98    35.225.130.192 ...
user-ingressgateway    LoadBalancer   10.103.240.33    104.198.174.26 ...

  4. Adicione um recurso de gateway para o novo gateway. Para mais informações sobre gateways, consulte a referência do istio.io.

    kind: Gateway
metadata:
  name: user-gateway
spec:
  selector:
    app: user-ingressgateway
  servers:
  - port:
      number: 80
      name: http
      protocol: HTTP
    hosts:
    - "*"

  5. Modifique qualquer VirtualService que aponte para o gateway integrado para que também aponte para o novo gateway. Veja a seguir o VirtualService modificado com base no exemplo do Bookinfo:

    apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
  name: bookinfo
spec:
  hosts:
  - "*"
  gateways:
    - bookinfo-gateway
    - user-gateway
  http:
  - match:
    - uri:
        exact: /productpage
    - uri:
        prefix: /static
    - uri:
        exact: /login
    - uri:
        exact: /logout
    - uri:
        prefix: /api/v1/products
    route:
    - destination:
        host: productpage
        port:
          number: 9080

  6. Aplique os novos Gateway e VirtualService ao cluster usando kubectl apply.

  7. Teste se o tráfego pode alcançar seus aplicativos por meio do endereço IP externo antigo e do novo. No exemplo do Bookinfo, isso pode ser feito com curl para os endereços IP externos atribuídos:

    curl http://35.225.130.192/productpage
curl http://104.198.174.26/productpage

  8. Atualize o DNS ou o balanceador de carga para rotear o tráfego para o novo endereço IP externo.

  9. Remova todas as referências em VirtualServices a qualquer Gateways que aponte para a entrada integrada.

  10. Remova qualquer Gateways que aponte para a entrada integrada.