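Create a new ingress gateway using the preinstalled ingress gateway as a template. You can use the following gateway definition YAML to create the new gateway. In the gateway definition YAML, replace POD_NAMESPACE with your namespace, then copy and paste the YAML into the GATEWAY_DEFINITION_FILE file. Be sure to modify resources such as PodDisruptionBudget and HorizontalPodAutoscaler as appropriate for your environment.

Gateway definition YAML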
apiVersion: v1
kind: ServiceAccount
metadata:
  name: user-ingressgateway-service-account
  namespace: istio-system
  labels:
    app: istio-ingressgateway
    chart: gateways
    heritage: Tiller
    release: istio
---
apiVersion: v1
kind: Service
metadata:
  name: user-ingressgateway
  namespace: istio-system
  annotations:
  labels:
    chart: gateways
    heritage: Tiller
    release: istio
    app: istio-ingressgateway
    istio: ingressgateway
spec:
  type: LoadBalancer
  selector:
    release: istio
    app: istio-ingressgateway
    istio: ingressgateway
  ports:
    - name: status-port
      port: 15020
      targetPort: 15020
    - name: http2
      nodePort: 31380
      port: 80
      targetPort: 80
    - name: https
      nodePort: 31390
      port: 443
    - name: tcp
      nodePort: 31400
      port: 31400
    - name: https-kiali
      port: 15029
      targetPort: 15029
    - name: https-prometheus
      port: 15030
      targetPort: 15030
    - name: https-grafana
      port: 15031
      targetPort: 15031
    - name: https-tracing
      port: 15032
      targetPort: 15032
    - name: tls
      port: 15443
      targetPort: 15443
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: user-ingressgateway
  namespace: istio-system
  labels:
    app: istio-ingressgateway
    chart: gateways
    heritage: Tiller
    istio: ingressgateway
    release: istio
spec:
  selector:
    matchLabels:
      app: istio-ingressgateway
      istio: ingressgateway
  strategy:
    rollingUpdate:
      maxSurge: 100%
      maxUnavailable: 25%
  template:
    metadata:
      labels:
        app: istio-ingressgateway
        chart: gateways
        heritage: Tiller
        istio: ingressgateway
        release: istio
      annotations:
        sidecar.istio.io/inject: "false"
    spec:
      serviceAccountName: user-ingressgateway-service-account
      containers:
        - name: istio-proxy
          image: "gcr.io/istio-testing/proxyv2:1.4-dev"
          imagePullPolicy: IfNotPresent
          ports:
            - containerPort: 15020
            - containerPort: 80
            - containerPort: 443
            - containerPort: 31400
            - containerPort: 15029
            - containerPort: 15030
            - containerPort: 15031
            - containerPort: 15032
            - containerPort: 15443
            - containerPort: 15090
              protocol: TCP
              name: http-envoy-prom
          args:
            - proxy
            - router
            - --domain
            - POD_NAMESPACE.svc.cluster.local
            - --log_output_level=default:info
            - --drainDuration
            - '45s' #drainDuration
            - --parentShutdownDuration
            - '1m0s' #parentShutdownDuration
            - --connectTimeout
            - '10s' #connectTimeout
            - --serviceCluster
            - user-ingressgateway
            - --zipkinAddress
            - zipkin:9411
            - --proxyAdminPort
            - "15000"
            - --statusPort
            - "15020"
            - --controlPlaneAuthPolicy
            - NONE
            - --discoveryAddress
            - istio-pilot:15010
          readinessProbe:
            failureThreshold: 30
            httpGet:
              path: /healthz/ready
              port: 15020
              scheme: HTTP
            initialDelaySeconds: 1
            periodSeconds: 2
            successThreshold: 1
            timeoutSeconds: 1
          resources:
            limits:
              cpu: 2000m
              memory: 1024Mi
            requests:
              cpu: 100m
              memory: 128Mi
          env:
            - name: NODE_NAME
              valueFrom:
                fieldRef:
                  apiVersion: v1
                  fieldPath: spec.nodeName
            - name: POD_NAME
              valueFrom:
                fieldRef:
                  apiVersion: v1
                  fieldPath: metadata.name
            - name: POD_NAMESPACE
              valueFrom:
                fieldRef:
                  apiVersion: v1
                  fieldPath: metadata.namespace
            - name: INSTANCE_IP
              valueFrom:
                fieldRef:
                  apiVersion: v1
                  fieldPath: status.podIP
            - name: HOST_IP
              valueFrom:
                fieldRef:
                  apiVersion: v1
                  fieldPath: status.hostIP
            - name: SERVICE_ACCOUNT
              valueFrom:
                fieldRef:
                  fieldPath: spec.serviceAccountName
            - name: ISTIO_META_POD_NAME
              valueFrom:
                fieldRef:
                  apiVersion: v1
                  fieldPath: metadata.name
            - name: ISTIO_META_CONFIG_NAMESPACE
              valueFrom:
                fieldRef:
                  fieldPath: metadata.namespace
            - name: ISTIO_METAJSON_LABELS
              value: |
                {"app":"istio-ingressgateway","chart":"gateways","heritage":"Tiller","istio":"ingressgateway","release":"istio"}
            - name: ISTIO_META_CLUSTER_ID
              value: "Kubernetes"
            - name: SDS_ENABLED
              value: "false"
            - name: ISTIO_META_WORKLOAD_NAME
              value: user-ingressgateway
            - name: ISTIO_META_OWNER
              value: kubernetes://apis/apps/v1/namespaces/istio-system/deployments/user-ingressgateway
            - name: ISTIO_META_ROUTER_MODE
              value: sni-dnat
          volumeMounts:
            - name: istio-certs
              mountPath: /etc/certs
              readOnly: true
            - name: ingressgateway-certs
              mountPath: "/etc/istio/ingressgateway-certs"
              readOnly: true
            - name: ingressgateway-ca-certs
              mountPath: "/etc/istio/ingressgateway-ca-certs"
              readOnly: true
      volumes:
        - name: istio-certs
          secret:
            secretName: istio.user-ingressgateway-service-account
            optional: true
        - name: ingressgateway-certs
          secret:
            secretName: "istio-ingressgateway-certs"
            optional: true
        - name: ingressgateway-ca-certs
          secret:
            secretName: "istio-ingressgateway-ca-certs"
            optional: true
      affinity:
        nodeAffinity:
          requiredDuringSchedulingIgnoredDuringExecution:
            nodeSelectorTerms:
              - matchExpressions:
                  - key: beta.kubernetes.io/arch
                    operator: In
                    values:
                      - "amd64"
                      - "ppc64le"
                      - "s390x"
          preferredDuringSchedulingIgnoredDuringExecution:
            - weight: 2
              preference:
                matchExpressions:
                  - key: beta.kubernetes.io/arch
                    operator: In
                    values:
                      - "amd64"
            - weight: 2
              preference:
                matchExpressions:
                  - key: beta.kubernetes.io/arch
                    operator: In
                    values:
                      - "ppc64le"
            - weight: 2
              preference:
                matchExpressions:
                  - key: beta.kubernetes.io/arch
                    operator: In
                    values:
                      - "s390x"
---
apiVersion: policy/v1beta1
kind: PodDisruptionBudget
metadata:
  name: user-ingressgateway
  namespace: istio-system
  labels:
    chart: gateways
    heritage: Tiller
    release: istio
    app: istio-ingressgateway
    istio: ingressgateway
spec:
  minAvailable: 1
  selector:
    matchLabels:
      release: istio
      app: istio-ingressgateway
      istio: ingressgateway
---
apiVersion: autoscaling/v2beta1
kind: HorizontalPodAutoscaler
metadata:
  name: user-ingressgateway
  namespace: istio-system
  labels:
    chart: gateways
    heritage: Tiller
    release: istio
    app: istio-ingressgateway
    istio: ingressgateway
spec:
  maxReplicas: 5
  minReplicas: 1
  scaleTargetRef:
    apiVersion: apps/v1
    kind: Deployment
    name: user-ingressgateway
  metrics:
    - type: Resource
      resource:
        name: cpu
        targetAverageUtilization: 80
---
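Apply the user gateway file to the cluster:

kubectl apply -f GATEWAY_DEFINITION_FILE

Check that an external IP address has been assigned to the new gateway:

kubectl get svc -n istio-system

The output is similar to the following, which contains the IP addresses of the built-in istio-ingressgateway and of the gateway you just created. (Other Istio services are omitted for brevity.)

NAME                   TYPE           CLUSTER-IP      EXTERNAL-IP
istio-ingressgateway   LoadBalancer   10.103.245.98   35.225.130.192   ...
user-ingressgateway    LoadBalancer   10.103.240.33   104.198.174.26   ...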
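Add a Gateway resource for the new gateway. For more reference information about gateways, see the istio.io reference documentation.

apiVersion: networking.istio.io/v1alpha3
kind: Gateway
metadata:
  name: user-gateway
spec:
  selector:
    app: user-ingressgateway
  servers:
    - port:
        number: 80
        name: http
        protocol: HTTP
      hosts:
        - "*"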
Modify any VirtualService that points to the built-in gateway so that it also points to the new gateway. The following is a modified VirtualService based on the Bookinfo sample:

apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
  name: bookinfo
spec:
  hosts:
    - "*"
  gateways:
    - bookinfo-gateway
    - user-gateway
  http:
    - match:
        - uri:
            exact: /productpage
        - uri:
            prefix: /static
        - uri:
            exact: /login
        - uri:
            exact: /logout
        - uri:
            prefix: /api/v1/products
      route:
        - destination:
            host: productpage
            port:
              number: 9080
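Use kubectl apply to apply the new Gateway and VirtualService to the cluster. Test that traffic can reach your application through both the old and the new external IP addresses. With the Bookinfo sample, you can do this by running curl against the assigned external IP addresses:

curl http://35.225.130.192/productpage
curl http://104.198.174.26/productpage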
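Update your DNS or load balancer to route traffic to the new external IP address.

Remove all references in VirtualServices to any Gateways that point to the built-in ingress. Remove any Gateways that point to the built-in ingress.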
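Before carrying out the last two removal steps, it helps to list which Gateways bind to the built-in ingress and which VirtualServices still reference them. The following is an added example, not part of the original page: it works on the `items` array of `kubectl get gateways.networking.istio.io,virtualservices.networking.istio.io -A -o json`, and the function names, the constructed sample objects and the assumed built-in pod labels are illustrative.

```python
import json

# Assumption: labels on the built-in ingress pods (the app/istio values used in
# the manifests on this page); adjust to match your cluster.
BUILTIN_POD_LABELS = {"app": "istio-ingressgateway", "istio": "ingressgateway"}

def builtin_gateways(items, pod_labels=BUILTIN_POD_LABELS):
    """(namespace, name) of every Gateway whose selector matches pod_labels."""
    found = set()
    for item in items:
        selector = item.get("spec", {}).get("selector") or {}
        if (item.get("kind") == "Gateway" and selector
                and all(pod_labels.get(k) == v for k, v in selector.items())):
            meta = item["metadata"]
            found.add((meta.get("namespace", "default"), meta["name"]))
    return found

def resolve(ref, vs_namespace):
    """A VirtualService gateway entry is 'name' or 'namespace/name'."""
    ns, _, name = ref.rpartition("/")
    return (ns or vs_namespace, name)

def stale_references(items, pod_labels=BUILTIN_POD_LABELS):
    """Map 'namespace/name' of each VirtualService to built-in Gateways it lists."""
    builtin = builtin_gateways(items, pod_labels)
    report = {}
    for item in items:
        if item.get("kind") != "VirtualService":
            continue
        ns = item["metadata"].get("namespace", "default")
        refs = item.get("spec", {}).get("gateways") or []
        # "mesh" is the reserved name for sidecars, not a Gateway resource.
        hits = [r for r in refs if r != "mesh" and resolve(r, ns) in builtin]
        if hits:
            report[f"{ns}/{item['metadata']['name']}"] = hits
    return report

def make_item(kind, ns, name, spec):  # builds the constructed sample below
    return {"kind": kind, "metadata": {"namespace": ns, "name": name}, "spec": spec}

# Constructed sample standing in for the "items" array of the kubectl JSON.
SAMPLE = [
    make_item("Gateway", "default", "bookinfo-gateway", {"selector": {"istio": "ingressgateway"}}),
    make_item("Gateway", "default", "user-gateway", {"selector": {"app": "user-ingressgateway"}}),
    make_item("VirtualService", "default", "bookinfo", {"gateways": ["bookinfo-gateway", "user-gateway"]}),
    make_item("VirtualService", "shop", "cart", {"gateways": ["default/bookinfo-gateway", "mesh"]}),
    make_item("VirtualService", "default", "reviews", {"gateways": ["user-gateway"]}),
]

if __name__ == "__main__":
    print(json.dumps(stale_references(SAMPLE), indent=2))
```

An empty report means no VirtualService still lists a Gateway bound to the built-in ingress, so those Gateways can be removed without cutting off a route.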
Last updated 2021-02-15 UTC.