# Руководство прикладного разработчика
## Термины и определения
| Термин/аббревиатура | Определение |
|---|---|
| HTTP | HyperText Transfer Protocol, протокол передачи гипертекста |
| HTTPS | Расширение протокола HTTP для поддержки шифрования в целях повышения безопасности |
| mTLS | Mutual TLS, протокол взаимной TLS-аутентификации |
| TCP | Transmission Control Protocol, протокол управления передачей |
| TLS | Transport Layer Security, протокол защиты транспортного уровня |
| Деплоймент | Набор инструкций для запуска приложения в OpenShift |
## Системные требования
Для использования компонента Граничный прокси необходимы OpenShift и проект, подключенный к Synapse.
## Подключение и конфигурирование
Граничные прокси в Service Mesh 2.x и Service Mesh 1.x отличаются конфигурациями Деплоймента (Deployment.yml) и configmap (ConfigMap.yml).
### IngressGateway
IngressGateway — это полноценный сервис (прокси-сервис), через который будет осуществляться проксирование входящего трафика приложению. Данный сервис, как и приложение, состоит из артефактов Deployment, Service, Route, а также ConfigMap и Secret.
Граничные прокси в Service Mesh 2.x и Service Mesh 1.x отличаются конфигурациями Деплоймента (kind: Deployment) и configmap (kind: ConfigMap).
Ниже приведены шаблоны Ingress для Service Mesh версий 1.x:
HTTP-протокол Ingress.
Code Block 3 Ingress-http-template-for-RHSM-1.x.yaml
# OpenShift Template: Istio IngressGateway for Service Mesh 1.x, plain-HTTP variant.
# Objects: Deployment (istio-proxy in router mode), Service, Gateway, Route, VirtualService.
apiVersion: v1
kind: Template
labels:
  app: ${APP_NAME}
  template: ${APP_NAME}
message: ${APP_NAME}
metadata:
  annotations:
    description: ${APP_NAME}.
    openshift.io/display-name: ${APP_NAME}
    version: 1.0.0
  name: ingress
objects:
  - apiVersion: apps/v1
    kind: Deployment
    metadata:
      labels:
        app: ingressgateway-${PROJECT_NAME}
        app.kubernetes.io/component: gateways
        app.kubernetes.io/instance: ${ISTIO_CONTROL_PLANE}
        app.kubernetes.io/managed-by: maistra-istio-operator
        app.kubernetes.io/name: gateways
        app.kubernetes.io/part-of: istio
        app.kubernetes.io/version: 1.0.2-7.el8-1
        chart: gateways
        heritage: Tiller
        istio: ingressgateway-${PROJECT_NAME}
        maistra.io/owner: ${ISTIO_CONTROL_PLANE}
        release: istio
      name: ingressgateway-${PROJECT_NAME}
    spec:
      progressDeadlineSeconds: 1200
      replicas: 1
      revisionHistoryLimit: 10
      selector:
        matchLabels:
          app: ingressgateway-${PROJECT_NAME}
          istio: ingressgateway-${PROJECT_NAME}
      strategy:
        rollingUpdate:
          maxSurge: 1
          maxUnavailable: 1
        type: RollingUpdate
      template:
        metadata:
          annotations:
            # The gateway pod is itself an Envoy; no sidecar is injected next to it.
            sidecar.istio.io/inject: "false"
          creationTimestamp: null
          labels:
            app: ingressgateway-${PROJECT_NAME}
            chart: gateways
            heritage: Tiller
            istio: ingressgateway-${PROJECT_NAME}
            release: istio
        spec:
          affinity:
            nodeAffinity:
              preferredDuringSchedulingIgnoredDuringExecution:
                - preference:
                    matchExpressions:
                      - key: beta.kubernetes.io/arch
                        operator: In
                        values:
                          - amd64
                  weight: 2
                - preference:
                    matchExpressions:
                      - key: beta.kubernetes.io/arch
                        operator: In
                        values:
                          - ppc64le
                  weight: 2
                - preference:
                    matchExpressions:
                      - key: beta.kubernetes.io/arch
                        operator: In
                        values:
                          - s390x
                  weight: 2
              requiredDuringSchedulingIgnoredDuringExecution:
                nodeSelectorTerms:
                  - matchExpressions:
                      - key: beta.kubernetes.io/arch
                        operator: In
                        values:
                          - amd64
                          - ppc64le
                          - s390x
          containers:
            - args:
                - proxy
                - router
                - --domain
                - $(POD_NAMESPACE).svc.cluster.local
                - --log_output_level=default:info
                - --drainDuration
                - 45s
                - --parentShutdownDuration
                - 1m0s
                - --connectTimeout
                - 10s
                - --serviceCluster
                - ingressgateway-${PROJECT_NAME}
                - --zipkinAddress
                - zipkin.${ISTIO_CONTROL_PLANE}:9411
                - --proxyAdminPort
                - "15000"
                - --statusPort
                - "15020"
                # NOTE(review): NONE means the proxy-to-Pilot (discovery) channel is not
                # mutually authenticated; confirm this matches the control plane's policy.
                - --controlPlaneAuthPolicy
                - NONE
                - --discoveryAddress
                - istio-pilot.${ISTIO_CONTROL_PLANE}:15010
              env:
                - name: POD_NAME
                  valueFrom:
                    fieldRef:
                      apiVersion: v1
                      fieldPath: metadata.name
                - name: POD_NAMESPACE
                  valueFrom:
                    fieldRef:
                      apiVersion: v1
                      fieldPath: metadata.namespace
                - name: INSTANCE_IP
                  valueFrom:
                    fieldRef:
                      apiVersion: v1
                      fieldPath: status.podIP
                - name: HOST_IP
                  valueFrom:
                    fieldRef:
                      apiVersion: v1
                      fieldPath: status.hostIP
                - name: ISTIO_META_POD_NAME
                  valueFrom:
                    fieldRef:
                      apiVersion: v1
                      fieldPath: metadata.name
                - name: ISTIO_META_CONFIG_NAMESPACE
                  valueFrom:
                    fieldRef:
                      apiVersion: v1
                      fieldPath: metadata.namespace
                - name: ISTIO_META_ROUTER_MODE
                  value: sni-dnat
              image: ${PROXY_IMAGE}
              imagePullPolicy: IfNotPresent
              name: istio-proxy
              ports:
                - containerPort: 15020
                  name: status-port
                  protocol: TCP
                - containerPort: 8080
                  name: http
                  protocol: TCP
                - containerPort: 5443
                  name: https
                  protocol: TCP
              readinessProbe:
                failureThreshold: 30
                httpGet:
                  path: /healthz/ready
                  port: 15020
                  scheme: HTTP
                initialDelaySeconds: 1
                periodSeconds: 2
                successThreshold: 1
                timeoutSeconds: 5
              resources:
                limits:
                  cpu: 600m
                  memory: 900Mi
                requests:
                  cpu: 400m
                  memory: 700Mi
              terminationMessagePath: /dev/termination-log
              terminationMessagePolicy: File
              volumeMounts:
                - mountPath: /etc/istio/proxy
                  name: istio-envoy
                - mountPath: /etc/certs/
                  name: istio-certs
                  readOnly: true
          dnsPolicy: ClusterFirst
          restartPolicy: Always
          schedulerName: default-scheduler
          # Empty pod securityContext: the effective UID/SCC comes from the OpenShift project.
          securityContext: {}
          terminationGracePeriodSeconds: 60
          volumes:
            - emptyDir:
                medium: Memory
              name: istio-envoy
            - name: istio-certs
              secret:
                # NOTE(review): Kubernetes reads defaultMode as a decimal integer, so 400 is
                # octal 0620 (owner rw, group w), not 0400 (decimal 256) — confirm the intended mode.
                defaultMode: 400
                optional: true
                secretName: istio.default
  - apiVersion: v1
    kind: Service
    metadata:
      labels:
        app: ingressgateway-${PROJECT_NAME}
        istio: ingressgateway-${PROJECT_NAME}
      name: ingressgateway-svc
    spec:
      ports:
        - name: status-port
          port: 15020
          protocol: TCP
          targetPort: 15020
        # ${{...}} is the OpenShift template form that substitutes a non-string (integer) value.
        - name: http-${INGRESS_PORT}
          port: ${{INGRESS_PORT}}
      selector:
        app: ingressgateway-${PROJECT_NAME}
        istio: ingressgateway-${PROJECT_NAME}
  - apiVersion: networking.istio.io/v1alpha3
    kind: Gateway
    metadata:
      name: ingressgateway-gw
    spec:
      selector:
        istio: ingressgateway-${PROJECT_NAME}
      servers:
        - hosts:
            - ingress-${PROJECT_NAME}.apps.${OPENSHIFT_HOST}
          port:
            name: http-${INGRESS_PORT}
            number: ${{INGRESS_PORT}}
            protocol: HTTP
  - apiVersion: route.openshift.io/v1
    kind: Route
    metadata:
      labels:
        app: ingressgateway-${PROJECT_NAME}
        istio: ingressgateway-${PROJECT_NAME}
      name: ingressgateway-http
    spec:
      host: ingress-${PROJECT_NAME}.apps.${OPENSHIFT_HOST}
      port:
        targetPort: http-${INGRESS_PORT}
      # No tls stanza: the OpenShift router exposes this host over plain HTTP.
      to:
        kind: Service
        name: ingressgateway-svc
  - apiVersion: networking.istio.io/v1alpha3
    kind: VirtualService
    metadata:
      name: internal-host-vs
    spec:
      # "." keeps the VirtualService visible only inside its own namespace.
      exportTo:
        - .
      gateways:
        - ingressgateway-gw
      hosts:
        - ingress-${PROJECT_NAME}.apps.${OPENSHIFT_HOST}
      http:
        - match:
            - uri:
                prefix: /${INTERNAL_PREFIX}
          route:
            - destination:
                host: ${INTERNAL_HOST}
                port:
                  number: ${{INTERNAL_PORT}}
parameters:
  - name: PROJECT_NAME
    required: true
  - name: APP_NAME
    required: true
  - name: ISTIO_CONTROL_PLANE
    required: true
  - name: PROXY_IMAGE
    required: true
  - name: OPENSHIFT_HOST
    required: true
  - name: INGRESS_PORT
    required: true
  - name: INTERNAL_HOST
    required: true
  - name: INTERNAL_PORT
    required: true
  - name: INTERNAL_PREFIX
    required: true

HTTPS-протокол Ingress.
Code Block 4 Ingress-https-template-for-RHSM-1.x.yaml
# OpenShift Template: Istio IngressGateway for Service Mesh 1.x, HTTPS (mutual TLS) variant.
# Objects: Deployment, Service, Gateway (tls MUTUAL), Route (passthrough), VirtualService,
# and two Secrets holding the CA chain and the server certificate/key.
apiVersion: v1
kind: Template
labels:
  app: ${APP_NAME}
  template: ${APP_NAME}
message: ${APP_NAME}
metadata:
  annotations:
    description: ${APP_NAME}.
    openshift.io/display-name: ${APP_NAME}
    version: 1.0.0
  name: ingress
objects:
  - apiVersion: apps/v1
    kind: Deployment
    metadata:
      labels:
        app: ingressgateway-${PROJECT_NAME}
        app.kubernetes.io/component: gateways
        app.kubernetes.io/instance: ${ISTIO_CONTROL_PLANE}
        app.kubernetes.io/managed-by: maistra-istio-operator
        app.kubernetes.io/name: gateways
        app.kubernetes.io/part-of: istio
        app.kubernetes.io/version: 1.0.2-7.el8-1
        chart: gateways
        heritage: Tiller
        istio: ingressgateway-${PROJECT_NAME}
        maistra.io/owner: ${ISTIO_CONTROL_PLANE}
        release: istio
      name: ingressgateway-${PROJECT_NAME}
    spec:
      progressDeadlineSeconds: 1200
      replicas: 1
      revisionHistoryLimit: 10
      selector:
        matchLabels:
          app: ingressgateway-${PROJECT_NAME}
          istio: ingressgateway-${PROJECT_NAME}
      strategy:
        rollingUpdate:
          maxSurge: 1
          maxUnavailable: 1
        type: RollingUpdate
      template:
        metadata:
          annotations:
            # The gateway pod is itself an Envoy; no sidecar is injected next to it.
            sidecar.istio.io/inject: "false"
          creationTimestamp: null
          labels:
            app: ingressgateway-${PROJECT_NAME}
            chart: gateways
            heritage: Tiller
            istio: ingressgateway-${PROJECT_NAME}
            release: istio
        spec:
          affinity:
            nodeAffinity:
              preferredDuringSchedulingIgnoredDuringExecution:
                - preference:
                    matchExpressions:
                      - key: beta.kubernetes.io/arch
                        operator: In
                        values:
                          - amd64
                  weight: 2
                - preference:
                    matchExpressions:
                      - key: beta.kubernetes.io/arch
                        operator: In
                        values:
                          - ppc64le
                  weight: 2
                - preference:
                    matchExpressions:
                      - key: beta.kubernetes.io/arch
                        operator: In
                        values:
                          - s390x
                  weight: 2
              requiredDuringSchedulingIgnoredDuringExecution:
                nodeSelectorTerms:
                  - matchExpressions:
                      - key: beta.kubernetes.io/arch
                        operator: In
                        values:
                          - amd64
                          - ppc64le
                          - s390x
          containers:
            - args:
                - proxy
                - router
                - --domain
                - $(POD_NAMESPACE).svc.cluster.local
                - --log_output_level=default:info
                - --drainDuration
                - 45s
                - --parentShutdownDuration
                - 1m0s
                - --connectTimeout
                - 10s
                - --serviceCluster
                - ingressgateway-${PROJECT_NAME}
                - --zipkinAddress
                - zipkin.${ISTIO_CONTROL_PLANE}:9411
                - --proxyAdminPort
                - "15000"
                - --statusPort
                - "15020"
                # NOTE(review): NONE means the proxy-to-Pilot (discovery) channel is not
                # mutually authenticated; confirm this matches the control plane's policy.
                - --controlPlaneAuthPolicy
                - NONE
                - --discoveryAddress
                - istio-pilot.${ISTIO_CONTROL_PLANE}:15010
              env:
                - name: POD_NAME
                  valueFrom:
                    fieldRef:
                      apiVersion: v1
                      fieldPath: metadata.name
                - name: POD_NAMESPACE
                  valueFrom:
                    fieldRef:
                      apiVersion: v1
                      fieldPath: metadata.namespace
                - name: INSTANCE_IP
                  valueFrom:
                    fieldRef:
                      apiVersion: v1
                      fieldPath: status.podIP
                - name: HOST_IP
                  valueFrom:
                    fieldRef:
                      apiVersion: v1
                      fieldPath: status.hostIP
                - name: ISTIO_META_POD_NAME
                  valueFrom:
                    fieldRef:
                      apiVersion: v1
                      fieldPath: metadata.name
                - name: ISTIO_META_CONFIG_NAMESPACE
                  valueFrom:
                    fieldRef:
                      apiVersion: v1
                      fieldPath: metadata.namespace
                - name: ISTIO_META_ROUTER_MODE
                  value: sni-dnat
              image: ${PROXY_IMAGE}
              imagePullPolicy: IfNotPresent
              name: istio-proxy
              ports:
                - containerPort: 15020
                  name: status-port
                  protocol: TCP
                - containerPort: 8080
                  name: http
                  protocol: TCP
                - containerPort: 5443
                  name: https
                  protocol: TCP
              readinessProbe:
                failureThreshold: 30
                httpGet:
                  path: /healthz/ready
                  port: 15020
                  scheme: HTTP
                initialDelaySeconds: 1
                periodSeconds: 2
                successThreshold: 1
                timeoutSeconds: 5
              resources:
                limits:
                  cpu: 600m
                  memory: 900Mi
                requests:
                  cpu: 400m
                  memory: 700Mi
              terminationMessagePath: /dev/termination-log
              terminationMessagePolicy: File
              volumeMounts:
                - mountPath: /etc/istio/proxy
                  name: istio-envoy
                - mountPath: /etc/certs/
                  name: istio-certs
                  readOnly: true
                # Server certificate/key and client CA chain referenced by the Gateway's tls block.
                - mountPath: /etc/istio/ingressgateway-certs
                  name: ingressgateway-certs
                  readOnly: true
                - mountPath: /etc/istio/ingressgateway-ca-certs
                  name: ingressgateway-ca-certs
                  readOnly: true
          dnsPolicy: ClusterFirst
          restartPolicy: Always
          schedulerName: default-scheduler
          # Empty pod securityContext: the effective UID/SCC comes from the OpenShift project.
          securityContext: {}
          terminationGracePeriodSeconds: 60
          volumes:
            - emptyDir:
                medium: Memory
              name: istio-envoy
            - name: istio-certs
              secret:
                # NOTE(review): Kubernetes reads defaultMode as a decimal integer, so 400 is
                # octal 0620 (owner rw, group w), not 0400 (decimal 256) — confirm the intended
                # mode here and on the two secret volumes below.
                defaultMode: 400
                optional: true
                secretName: istio.default
            - name: ingressgateway-certs
              secret:
                defaultMode: 400
                optional: true
                secretName: ingressgateway-certs
            - name: ingressgateway-ca-certs
              secret:
                defaultMode: 400
                optional: true
                secretName: ingressgateway-ca-certs
  - apiVersion: v1
    kind: Service
    metadata:
      labels:
        app: ingressgateway-${PROJECT_NAME}
        istio: ingressgateway-${PROJECT_NAME}
      name: ingressgateway-svc
    spec:
      ports:
        - name: status-port
          port: 15020
          protocol: TCP
          targetPort: 15020
        # ${{...}} is the OpenShift template form that substitutes a non-string (integer) value.
        - name: https-${INGRESS_PORT}
          port: ${{INGRESS_PORT}}
      selector:
        app: ingressgateway-${PROJECT_NAME}
        istio: ingressgateway-${PROJECT_NAME}
  - apiVersion: networking.istio.io/v1alpha3
    kind: Gateway
    metadata:
      name: ingressgateway-gw
    spec:
      selector:
        istio: ingressgateway-${PROJECT_NAME}
      servers:
        - hosts:
            - ingress-${PROJECT_NAME}.ingress.apps.${OPENSHIFT_HOST}
          port:
            name: https-${INGRESS_PORT}
            number: ${{INGRESS_PORT}}
            protocol: HTTPS
          # MUTUAL: the gateway presents tls.crt/tls.key and requires a client certificate
          # that chains to ca-chain.cert.pem; the paths are the volumeMounts of the Deployment.
          tls:
            caCertificates: /etc/istio/ingressgateway-ca-certs/ca-chain.cert.pem
            mode: MUTUAL
            privateKey: /etc/istio/ingressgateway-certs/tls.key
            serverCertificate: /etc/istio/ingressgateway-certs/tls.crt
  - apiVersion: route.openshift.io/v1
    kind: Route
    metadata:
      labels:
        app: ingressgateway-${PROJECT_NAME}
        istio: ingressgateway-${PROJECT_NAME}
      name: ingressgateway-https
    spec:
      host: ingress-${PROJECT_NAME}.ingress.apps.${OPENSHIFT_HOST}
      port:
        targetPort: https-${INGRESS_PORT}
      # passthrough: the router forwards TLS untouched, so the mTLS handshake terminates in the gateway.
      tls:
        termination: passthrough
      to:
        kind: Service
        name: ingressgateway-svc
  - apiVersion: networking.istio.io/v1alpha3
    kind: VirtualService
    metadata:
      name: internal-host-vs
    spec:
      # "." keeps the VirtualService visible only inside its own namespace.
      exportTo:
        - .
      gateways:
        - ingressgateway-gw
      hosts:
        - ingress-${PROJECT_NAME}.ingress.apps.${OPENSHIFT_HOST}
      http:
        - match:
            - uri:
                prefix: /${INTERNAL_PREFIX}
          route:
            - destination:
                host: ${INTERNAL_HOST}
                port:
                  number: ${{INTERNAL_PORT}}
  # NOTE(review): Secret .data fields must be base64-encoded, so the INGRESS_* parameters
  # are expected to carry base64 text; the key material then lives in the processed
  # template/command history — prefer supplying it from a secret store rather than a file in VCS.
  - apiVersion: v1
    data:
      ca-chain.cert.pem: ${INGRESS_CA_CERT}
    kind: Secret
    metadata:
      name: ingressgateway-ca-certs
    type: Opaque
  - apiVersion: v1
    data:
      tls.crt: ${INGRESS_CERTS_CRT}
      tls.key: ${INGRESS_CERTS_KEY}
    kind: Secret
    metadata:
      name: ingressgateway-certs
    type: Opaque
parameters:
  - name: PROJECT_NAME
    required: true
  - name: APP_NAME
    required: true
  - name: ISTIO_CONTROL_PLANE
    required: true
  - name: PROXY_IMAGE
    required: true
  - name: INGRESS_PORT
    required: true
  - name: OPENSHIFT_HOST
    required: true
  - name: INGRESS_CA_CERT
    required: true
  - name: INGRESS_CERTS_CRT
    required: true
  - name: INGRESS_CERTS_KEY
    required: true
  - name: INTERNAL_HOST
    required: true
  - name: INTERNAL_PORT
    required: true
  - name: INTERNAL_PREFIX
    required: true
Ниже приведен шаблон Ingress для Service Mesh 2.x:
Code Block 5 IngressGateway-template for ServiceMesh 2.x.yaml
# OpenShift Template: Istio IngressGateway for Service Mesh 2.x.
# Objects: Deployment (istio-proxy in router mode, istiod-based) and the istio-basic
# ConfigMap with the mesh configuration the proxy reads.
apiVersion: v1
kind: Template
metadata:
  name: ingressgateway-template
  labels:
    type: services
objects:
  - kind: Deployment
    apiVersion: apps/v1
    metadata:
      name: ${INGRESSGATEWAY_NAME}
      labels:
        app: ${INGRESSGATEWAY_NAME}
        app.kubernetes.io/part-of: istio
        app.kubernetes.io/instance: ${ISTIO_CONTROL_PLANE}
        release: istio
        app.kubernetes.io/version: 2.0.1-6.el8-75
        app.kubernetes.io/component: gateways
        istio: ${INGRESSGATEWAY_NAME}
        app.kubernetes.io/managed-by: maistra-istio-operator
        maistra.io/owner: ${ISTIO_CONTROL_PLANE}
        app.kubernetes.io/name: gateways
        chart: gateways
        heritage: Tiller
        maistra.io/gateway: ${INGRESSGATEWAY_NAME}
        maistra-version: 2.0.1.1
    spec:
      replicas: 1
      selector:
        matchLabels:
          app: ${INGRESSGATEWAY_NAME}
          istio: ${INGRESSGATEWAY_NAME}
      template:
        metadata:
          labels:
            app: ${INGRESSGATEWAY_NAME}
            chart: gateways
            heritage: Tiller
            istio: ${INGRESSGATEWAY_NAME}
            release: istio
          annotations:
            # The gateway pod is itself an Envoy; no sidecar is injected next to it.
            sidecar.istio.io/inject: 'false'
        spec:
          restartPolicy: Always
          # NOTE(review): the gateway runs under the project's default ServiceAccount; a
          # dedicated SA lets RBAC/SCC be scoped to the gateway alone — confirm platform policy.
          serviceAccountName: default
          schedulerName: default-scheduler
          affinity:
            nodeAffinity:
              requiredDuringSchedulingIgnoredDuringExecution:
                nodeSelectorTerms:
                  - matchExpressions:
                      - key: beta.kubernetes.io/arch
                        operator: In
                        values:
                          - amd64
                          - ppc64le
                          - s390x
              preferredDuringSchedulingIgnoredDuringExecution:
                - weight: 2
                  preference:
                    matchExpressions:
                      - key: beta.kubernetes.io/arch
                        operator: In
                        values:
                          - amd64
                - weight: 2
                  preference:
                    matchExpressions:
                      - key: beta.kubernetes.io/arch
                        operator: In
                        values:
                          - ppc64le
                - weight: 2
                  preference:
                    matchExpressions:
                      - key: beta.kubernetes.io/arch
                        operator: In
                        values:
                          - s390x
          terminationGracePeriodSeconds: 60
          # Empty pod securityContext: the effective UID/SCC comes from the OpenShift project.
          securityContext: {}
          containers:
            - resources:
                limits:
                  cpu: 600m
                  memory: 900Mi
                requests:
                  cpu: 400m
                  memory: 700Mi
              readinessProbe:
                httpGet:
                  path: /healthz/ready
                  port: 15021
                  scheme: HTTP
                initialDelaySeconds: 1
                timeoutSeconds: 5
                periodSeconds: 2
                successThreshold: 1
                failureThreshold: 30
              terminationMessagePath: /dev/termination-log
              name: istio-proxy
              env:
                - name: ISTIO_META_UNPRIVILEGED_POD
                  value: 'true'
                # first-party-jwt: the proxy authenticates to istiod with the pod's
                # ServiceAccount token (presumably the auto-mounted one — verify against the SCC).
                - name: JWT_POLICY
                  value: first-party-jwt
                - name: PILOT_CERT_PROVIDER
                  value: istiod
                - name: CA_ADDR
                  value: 'istiod-basic.${ISTIO_CONTROL_PLANE}.svc:15012'
                - name: NODE_NAME
                  valueFrom:
                    fieldRef:
                      apiVersion: v1
                      fieldPath: spec.nodeName
                - name: POD_NAME
                  valueFrom:
                    fieldRef:
                      apiVersion: v1
                      fieldPath: metadata.name
                - name: POD_NAMESPACE
                  valueFrom:
                    fieldRef:
                      apiVersion: v1
                      fieldPath: metadata.namespace
                - name: INSTANCE_IP
                  valueFrom:
                    fieldRef:
                      apiVersion: v1
                      fieldPath: status.podIP
                - name: HOST_IP
                  valueFrom:
                    fieldRef:
                      apiVersion: v1
                      fieldPath: status.hostIP
                - name: SERVICE_ACCOUNT
                  valueFrom:
                    fieldRef:
                      apiVersion: v1
                      fieldPath: spec.serviceAccountName
                - name: CANONICAL_SERVICE
                  valueFrom:
                    fieldRef:
                      apiVersion: v1
                      fieldPath: 'metadata.labels[''service.istio.io/canonical-name'']'
                - name: CANONICAL_REVISION
                  valueFrom:
                    fieldRef:
                      apiVersion: v1
                      fieldPath: 'metadata.labels[''service.istio.io/canonical-revision'']'
                - name: ISTIO_META_WORKLOAD_NAME
                  value: ${INGRESSGATEWAY_NAME}
                - name: ISTIO_META_OWNER
                  value: >-
                    kubernetes://apis/apps/v1/namespaces/${PROJECT_NAME}/deployments/${INGRESSGATEWAY_NAME}
                - name: ISTIO_META_MESH_ID
                  value: cluster.local
                - name: ISTIO_META_ROUTER_MODE
                  value: sni-dnat
                - name: ISTIO_META_CLUSTER_ID
                  value: Kubernetes
              ports:
                - name: status-port
                  containerPort: 15021
                  protocol: TCP
                - name: http
                  containerPort: 8080
                  protocol: TCP
                - name: https
                  containerPort: 5443
                  protocol: TCP
                - name: tls
                  containerPort: 15443
                  protocol: TCP
                # NOTE(review): 15012 and 853 are unnamed; presumably the istiod and DNS-over-TLS
                # listeners inherited from the upstream gateway chart — confirm they are needed here.
                - containerPort: 15012
                  protocol: TCP
                - containerPort: 853
                  protocol: TCP
                - name: http-envoy-prom
                  containerPort: 15090
                  protocol: TCP
              imagePullPolicy: IfNotPresent
              volumeMounts:
                - name: istio-envoy
                  mountPath: /etc/istio/proxy
                - name: config-volume
                  mountPath: /etc/istio/config
                - name: istiod-ca-cert
                  mountPath: /var/run/secrets/istio
                - name: podinfo
                  mountPath: /etc/istio/pod
                - name: ingressgateway-certs
                  readOnly: true
                  mountPath: /etc/istio/ingressgateway-certs
                - name: ingressgateway-ca-certs
                  readOnly: true
                  mountPath: /etc/istio/ingressgateway-ca-certs
              terminationMessagePolicy: File
              image: ${PROXY_IMAGE}
              args:
                - proxy
                - router
                - '--domain'
                - $(POD_NAMESPACE).svc.cluster.local
                - '--proxyLogLevel=warning'
                - '--proxyComponentLogLevel=misc:error'
                - '--log_output_level=default:info'
                - '--serviceCluster'
                - ${INGRESSGATEWAY_NAME}
                - '--trust-domain=cluster.local'
          serviceAccount: default
          volumes:
            # Root CA distributed by istiod (ConfigMap istio-ca-root-cert); 420 is octal 0644.
            - name: istiod-ca-cert
              configMap:
                name: istio-ca-root-cert
                defaultMode: 420
            - name: podinfo
              downwardAPI:
                items:
                  - path: labels
                    fieldRef:
                      apiVersion: v1
                      fieldPath: metadata.labels
                  - path: annotations
                    fieldRef:
                      apiVersion: v1
                      fieldPath: metadata.annotations
                defaultMode: 420
            - name: istio-envoy
              emptyDir: {}
            - name: config-volume
              configMap:
                name: istio-basic
                defaultMode: 420
                optional: true
            # Both certificate secrets are optional: the pod starts without them and the
            # gateway's TLS servers simply have no material until they are created.
            - name: ingressgateway-certs
              secret:
                secretName: istio-ingressgateway-certs
                defaultMode: 420
                optional: true
            - name: ingressgateway-ca-certs
              secret:
                secretName: istio-ingressgateway-ca-certs
                defaultMode: 420
                optional: true
          dnsPolicy: ClusterFirst
      strategy:
        type: RollingUpdate
        rollingUpdate:
          maxUnavailable: 1
          maxSurge: 1
      revisionHistoryLimit: 10
      progressDeadlineSeconds: 1200
  - kind: ConfigMap
    apiVersion: v1
    metadata:
      name: istio-basic
      labels:
        app.kubernetes.io/part-of: istio
        app.kubernetes.io/instance: ${ISTIO_CONTROL_PLANE}
        release: istio
        app.kubernetes.io/version: 2.0.1-6.el8-75
        app.kubernetes.io/component: istio-discovery
        maistra-version: 2.0.1.1
        app.kubernetes.io/managed-by: maistra-istio-operator
        maistra.io/owner: ${ISTIO_CONTROL_PLANE}
        istio.io/rev: basic
        app.kubernetes.io/name: istio-discovery
    data:
      # `mesh` is itself a YAML document (Istio MeshConfig) embedded as a block scalar;
      # it is mounted at /etc/istio/config via config-volume. Points a reviewer would check:
      #   - controlPlaneAuthPolicy: NONE — proxy-to-istiod channel not mutually authenticated;
      #   - outboundTrafficPolicy ALLOW_ANY — sidecars may reach hosts outside the registry
      #     directly, bypassing any EgressGateway (REGISTRY_ONLY would force declared routes);
      #   - enableAutoMtls: true — in-mesh hops use mTLS when both sides have sidecars.
      mesh: |-
        accessLogEncoding: TEXT
        accessLogFile: /dev/stdout
        accessLogFormat: ""
        defaultConfig:
          concurrency: 2
          configPath: ./etc/istio/proxy
          controlPlaneAuthPolicy: NONE
          discoveryAddress: istiod-basic.${ISTIO_CONTROL_PLANE}.svc:15012
          drainDuration: 45s
          parentShutdownDuration: 1m0s
          proxyAdminPort: 15000
          proxyMetadata:
            DNS_AGENT: ""
          serviceCluster: istio-proxy
          tracing:
            tlsSettings:
              caCertificates: null
              clientCertificate: null
              mode: DISABLE
              privateKey: null
              sni: null
              subjectAltNames: []
            zipkin:
              address: jaeger-collector.${ISTIO_CONTROL_PLANE}.svc:9411
        disableMixerHttpReports: true
        disablePolicyChecks: true
        enableAutoMtls: true
        enableEnvoyAccessLogService: false
        enablePrometheusMerge: false
        enableTracing: true
        ingressClass: istio
        ingressControllerMode: STRICT
        ingressService: istio-ingressgateway
        localityLbSetting:
          enabled: true
        outboundTrafficPolicy:
          mode: ALLOW_ANY
        protocolDetectionTimeout: 5000ms
        reportBatchMaxEntries: 100
        reportBatchMaxTime: 1s
        rootNamespace: ${ISTIO_CONTROL_PLANE}
        sdsUdsPath: unix:/etc/istio/proxy/SDS
        trustDomain: cluster.local
        trustDomainAliases: null
      meshNetworks: 'networks: {}'
parameters:
  - name: PROJECT_NAME
    required: true
  - name: ISTIO_CONTROL_PLANE
    required: true
  - name: PROXY_IMAGE
    required: true
  - name: INGRESSGATEWAY_NAME
    required: true
### EgressGateway
EgressGateway — это полноценный сервис (прокси-сервис), через который трафик из приложения выходит во внешнюю сеть за пределами кластера OpenShift. Настраивается по аналогии с IngressGateway.
Граничные прокси в Service Mesh 2.x и Service Mesh 1.x отличаются Деплойментами (kind: Deployment) и configmap (kind: ConfigMap).
Ниже приведены шаблоны EgressGateway для Service Mesh 1.x в виде двух YAML-файлов. В первом содержатся артефакты: Service, Gateway, ServiceEntry, VirtualService, во втором: Deployment, Secret.
HTTP-протокол.
Code Block 6 EgressGateway-template-for-service-mesh-1.x.yaml
# OpenShift Template: Istio EgressGateway for Service Mesh 1.x, plain-HTTP variant —
# routing objects only (Service, Gateway, ServiceEntry, VirtualService); the Deployment
# and Secrets are in a separate template.
apiVersion: v1
kind: Template
labels:
  app: ${APP_NAME}
  template: ${APP_NAME}
message: ${APP_NAME}
metadata:
  annotations:
    description: ${APP_NAME}.
    openshift.io/display-name: ${APP_NAME}
    version: 1.0.0
  name: egress
objects:
  - apiVersion: v1
    kind: Service
    metadata:
      # EXTERNAL_HOST_NUMBER lets one gateway Deployment serve several external hosts,
      # each with its own Service/Gateway/ServiceEntry/VirtualService set.
      name: egressgateway${EXTERNAL_HOST_NUMBER}-svc
    spec:
      ports:
        - name: http-${EGRESS_PORT}
          port: ${{EGRESS_PORT}}
      selector:
        app: egressgateway-${PROJECT_NAME}
        istio: egressgateway-${PROJECT_NAME}
  - apiVersion: networking.istio.io/v1alpha3
    kind: Gateway
    metadata:
      name: egressgateway${EXTERNAL_HOST_NUMBER}-gw
    spec:
      selector:
        istio: egressgateway-${PROJECT_NAME}
      servers:
        - hosts:
            - ${EXTERNAL_HOST}
          port:
            name: http-${EGRESS_PORT}
            number: ${{EGRESS_PORT}}
            protocol: HTTP
  - apiVersion: networking.istio.io/v1alpha3
    kind: ServiceEntry
    metadata:
      name: external-host${EXTERNAL_HOST_NUMBER}-se
    spec:
      addresses:
        - ${EXTERNAL_IP}
      endpoints:
        - address: ${EXTERNAL_IP}
      # "." keeps the entry visible only inside its own namespace.
      exportTo:
        - .
      hosts:
        - ${EXTERNAL_HOST}
      ports:
        - name: http-${EXTERNAL_PORT}
          number: ${{EXTERNAL_PORT}}
          protocol: HTTP
      resolution: DNS
  - apiVersion: networking.istio.io/v1alpha3
    kind: VirtualService
    metadata:
      name: external-host${EXTERNAL_HOST_NUMBER}-vs
    spec:
      exportTo:
        - .
      gateways:
        - egressgateway${EXTERNAL_HOST_NUMBER}-gw
        - mesh
      hosts:
        - ${EXTERNAL_HOST}
      http:
        # Hop 1: sidecar ("mesh") -> egress gateway Service.
        - match:
            - gateways:
                - mesh
              port: ${{EXTERNAL_PORT}}
          rewrite:
            authority: ${EXTERNAL_HOST}
          route:
            - destination:
                host: egressgateway${EXTERNAL_HOST_NUMBER}-svc
                port:
                  number: ${{EGRESS_PORT}}
        # Hop 2: egress gateway -> external host, plain HTTP (no TLS origination in this variant).
        - match:
            - gateways:
                - egressgateway${EXTERNAL_HOST_NUMBER}-gw
              port: ${{EGRESS_PORT}}
          rewrite:
            authority: ${EXTERNAL_HOST}
          route:
            - destination:
                host: ${EXTERNAL_HOST}
                port:
                  number: ${{EXTERNAL_PORT}}
parameters:
  - name: PROJECT_NAME
    required: true
  - name: APP_NAME
    required: true
  - name: EXTERNAL_IP
    required: true
  - name: EXTERNAL_HOST
    required: true
  - name: EXTERNAL_PORT
    required: true
  - name: EGRESS_PORT
    required: true
  # Optional suffix; when not supplied the object names have no number.
  - name: EXTERNAL_HOST_NUMBER
    value: null

Code Block 7 deployment-secret-http.yaml
# OpenShift Template: Istio EgressGateway for Service Mesh 1.x — Deployment plus the
# per-host certificate Secrets (host1, host2) that the HTTPS routing template references.
apiVersion: v1
kind: Template
labels:
  app: ${APP_NAME}
  template: ${APP_NAME}
message: ${APP_NAME}
metadata:
  annotations:
    description: ${APP_NAME}.
    openshift.io/display-name: ${APP_NAME}
    version: 1.0.0
  name: egress
objects:
  - apiVersion: apps/v1
    kind: Deployment
    metadata:
      labels:
        app: egressgateway-${PROJECT_NAME}
        app.kubernetes.io/component: gateways
        app.kubernetes.io/instance: ${ISTIO_CONTROL_PLANE}
        app.kubernetes.io/managed-by: maistra-istio-operator
        app.kubernetes.io/name: gateways
        app.kubernetes.io/part-of: istio
        app.kubernetes.io/version: 1.0.2-7.el8-1
        chart: gateways
        heritage: Tiller
        istio: egressgateway-${PROJECT_NAME}
        maistra.io/owner: ${ISTIO_CONTROL_PLANE}
        release: istio
      name: egressgateway-${PROJECT_NAME}
    spec:
      progressDeadlineSeconds: 1200
      replicas: 1
      revisionHistoryLimit: 10
      selector:
        matchLabels:
          app: egressgateway-${PROJECT_NAME}
          istio: egressgateway-${PROJECT_NAME}
      strategy:
        rollingUpdate:
          maxSurge: 1
          maxUnavailable: 1
        type: RollingUpdate
      template:
        metadata:
          annotations:
            # The gateway pod is itself an Envoy; no sidecar is injected next to it.
            sidecar.istio.io/inject: "false"
          creationTimestamp: null
          labels:
            app: egressgateway-${PROJECT_NAME}
            chart: gateways
            heritage: Tiller
            istio: egressgateway-${PROJECT_NAME}
            release: istio
        spec:
          affinity:
            nodeAffinity:
              preferredDuringSchedulingIgnoredDuringExecution:
                - preference:
                    matchExpressions:
                      - key: beta.kubernetes.io/arch
                        operator: In
                        values:
                          - amd64
                  weight: 2
                - preference:
                    matchExpressions:
                      - key: beta.kubernetes.io/arch
                        operator: In
                        values:
                          - ppc64le
                  weight: 2
                - preference:
                    matchExpressions:
                      - key: beta.kubernetes.io/arch
                        operator: In
                        values:
                          - s390x
                  weight: 2
              requiredDuringSchedulingIgnoredDuringExecution:
                nodeSelectorTerms:
                  - matchExpressions:
                      - key: beta.kubernetes.io/arch
                        operator: In
                        values:
                          - amd64
                          - ppc64le
                          - s390x
          containers:
            - args:
                - proxy
                - router
                - --domain
                - $(POD_NAMESPACE).svc.cluster.local
                - --log_output_level=default:info
                - --drainDuration
                - 45s
                - --parentShutdownDuration
                - 1m0s
                - --connectTimeout
                - 10s
                - --serviceCluster
                - egressgateway-${PROJECT_NAME}
                - --zipkinAddress
                - zipkin.${ISTIO_CONTROL_PLANE}:9411
                - --proxyAdminPort
                - "15000"
                - --statusPort
                - "15020"
                # NOTE(review): NONE means the proxy-to-Pilot (discovery) channel is not
                # mutually authenticated; confirm this matches the control plane's policy.
                - --controlPlaneAuthPolicy
                - NONE
                - --discoveryAddress
                - istio-pilot.${ISTIO_CONTROL_PLANE}:15010
              env:
                - name: POD_NAME
                  valueFrom:
                    fieldRef:
                      apiVersion: v1
                      fieldPath: metadata.name
                - name: POD_NAMESPACE
                  valueFrom:
                    fieldRef:
                      apiVersion: v1
                      fieldPath: metadata.namespace
                - name: INSTANCE_IP
                  valueFrom:
                    fieldRef:
                      apiVersion: v1
                      fieldPath: status.podIP
                - name: HOST_IP
                  valueFrom:
                    fieldRef:
                      apiVersion: v1
                      fieldPath: status.hostIP
                - name: ISTIO_META_POD_NAME
                  valueFrom:
                    fieldRef:
                      apiVersion: v1
                      fieldPath: metadata.name
                - name: ISTIO_META_CONFIG_NAMESPACE
                  valueFrom:
                    fieldRef:
                      apiVersion: v1
                      fieldPath: metadata.namespace
                - name: ISTIO_META_ROUTER_MODE
                  value: sni-dnat
              image: ${PROXY_IMAGE}
              imagePullPolicy: IfNotPresent
              name: istio-proxy
              # protocol is omitted here; Kubernetes defaults it to TCP.
              ports:
                - containerPort: 15020
                  name: status-port
                - containerPort: 8080
                  name: http
              readinessProbe:
                failureThreshold: 30
                httpGet:
                  path: /healthz/ready
                  port: 15020
                  scheme: HTTP
                initialDelaySeconds: 1
                periodSeconds: 2
                successThreshold: 1
                timeoutSeconds: 5
              resources:
                limits:
                  cpu: 600m
                  memory: 900Mi
                requests:
                  cpu: 400m
                  memory: 700Mi
              terminationMessagePath: /dev/termination-log
              terminationMessagePolicy: File
              volumeMounts:
                - mountPath: /etc/istio/proxy
                  name: istio-envoy
                - mountPath: /etc/certs/
                  name: istio-certs
                  readOnly: true
                # Client certificate/key and CA chain per external host, consumed by the
                # DestinationRule paths in the HTTPS routing template.
                - mountPath: /etc/istio/egressgateway-certs-host1
                  name: egressgateway-certs-host1
                  readOnly: true
                - mountPath: /etc/istio/egressgateway-ca-certs-host1
                  name: egressgateway-ca-certs-host1
                  readOnly: true
                - mountPath: /etc/istio/egressgateway-certs-host2
                  name: egressgateway-certs-host2
                  readOnly: true
                - mountPath: /etc/istio/egressgateway-ca-certs-host2
                  name: egressgateway-ca-certs-host2
                  readOnly: true
          dnsPolicy: ClusterFirst
          restartPolicy: Always
          schedulerName: default-scheduler
          # Empty pod securityContext: the effective UID/SCC comes from the OpenShift project.
          securityContext: {}
          terminationGracePeriodSeconds: 60
          volumes:
            - emptyDir:
                medium: Memory
              name: istio-envoy
            - name: istio-certs
              secret:
                # NOTE(review): Kubernetes reads defaultMode as a decimal integer, so 400 is
                # octal 0620 (owner rw, group w), not 0400 (decimal 256) — confirm the intended
                # mode here and on the secret volumes below.
                defaultMode: 400
                optional: true
                secretName: istio.default
            - name: egressgateway-certs-host1
              secret:
                defaultMode: 400
                optional: true
                secretName: egressgateway-certs-host1
            - name: egressgateway-ca-certs-host1
              secret:
                defaultMode: 400
                optional: true
                secretName: egressgateway-ca-certs-host1
            - name: egressgateway-certs-host2
              secret:
                defaultMode: 400
                optional: true
                secretName: egressgateway-certs-host2
            - name: egressgateway-ca-certs-host2
              secret:
                defaultMode: 400
                optional: true
                secretName: egressgateway-ca-certs-host2
  # NOTE(review): Secret .data fields must be base64-encoded, so the EGRESS_* parameters
  # are expected to carry base64 text; the key material then lives in the processed
  # template/command history — prefer supplying it from a secret store rather than a file in VCS.
  - apiVersion: v1
    data:
      ca-chain.cert.pem: ${EGRESS_CA_CERT_HOST1}
    kind: Secret
    metadata:
      name: egressgateway-ca-certs-host1
    type: Opaque
  - apiVersion: v1
    data:
      tls.crt: ${EGRESS_CERTS_CRT_HOST1}
      tls.key: ${EGRESS_CERTS_KEY_HOST1}
    kind: Secret
    metadata:
      name: egressgateway-certs-host1
    type: Opaque
  - apiVersion: v1
    data:
      ca-chain.cert.pem: ${EGRESS_CA_CERT_HOST2}
    kind: Secret
    metadata:
      name: egressgateway-ca-certs-host2
    type: Opaque
  - apiVersion: v1
    data:
      tls.crt: ${EGRESS_CERTS_CRT_HOST2}
      tls.key: ${EGRESS_CERTS_KEY_HOST2}
    kind: Secret
    metadata:
      name: egressgateway-certs-host2
    type: Opaque
parameters:
  - name: PROJECT_NAME
    required: true
  - name: APP_NAME
    required: true
  - name: ISTIO_CONTROL_PLANE
    required: true
  - name: PROXY_IMAGE
    required: true
  # Certificate parameters are optional: when absent the Secrets are created with empty
  # data, and the secret volumes above are marked optional: true.
  - name: EGRESS_CA_CERT_HOST1
    value: null
  - name: EGRESS_CERTS_CRT_HOST1
    value: null
  - name: EGRESS_CERTS_KEY_HOST1
    value: null
  - name: EGRESS_CA_CERT_HOST2
    value: null
  - name: EGRESS_CERTS_CRT_HOST2
    value: null
  - name: EGRESS_CERTS_KEY_HOST2
    value: null

HTTPS-протокол.
Code Block 8 Egress-https-template-wo-depl-and-secret.yaml
# OpenShift Template: Istio EgressGateway for Service Mesh 1.x, HTTPS variant — routing
# objects only (Service, ServiceEntry, DestinationRule, Gateway, VirtualService). The
# gateway originates mutual TLS to the external host; the Deployment/Secrets are separate.
apiVersion: v1
kind: Template
labels:
  app: ${APP_NAME}
  template: ${APP_NAME}
message: ${APP_NAME}
metadata:
  annotations:
    description: ${APP_NAME}.
    openshift.io/display-name: ${APP_NAME}
    version: 1.0.0
  name: egress
objects:
  - apiVersion: v1
    kind: Service
    metadata:
      name: egressgateway${EXTERNAL_HOST_NUMBER}-svc
    spec:
      ports:
        - name: http-${EGRESS_PORT}
          port: ${{EGRESS_PORT}}
      selector:
        app: egressgateway-${PROJECT_NAME}
        istio: egressgateway-${PROJECT_NAME}
  - apiVersion: networking.istio.io/v1alpha3
    kind: ServiceEntry
    metadata:
      name: external-host${EXTERNAL_HOST_NUMBER}-se
    spec:
      addresses:
        - ${EXTERNAL_IP}
      endpoints:
        - address: ${EXTERNAL_IP}
      exportTo:
        - .
      hosts:
        - ${EXTERNAL_HOST}
      ports:
        # Real TLS port of the external host, used by the gateway-side route.
        - name: tls-${EXTERNAL_PORT}
          number: ${{EXTERNAL_PORT}}
          protocol: TLS
        # Plain-HTTP port the application calls; the sidecar-side route matches on it.
        - name: http-${EXTERNAL_PORT_MESH}
          number: ${{EXTERNAL_PORT_MESH}}
          protocol: HTTP
      resolution: DNS
  - apiVersion: networking.istio.io/v1alpha3
    kind: DestinationRule
    metadata:
      name: external-host${EXTERNAL_HOST_NUMBER}-dr
    spec:
      host: ${EXTERNAL_HOST}
      trafficPolicy:
        loadBalancer:
          simple: ROUND_ROBIN
        portLevelSettings:
          - port:
              number: ${{EXTERNAL_PORT}}
            # MUTUAL: the gateway presents the host's client certificate and validates the
            # server chain against ca-chain.cert.pem. NOTE(review): no subjectAltNames is set,
            # so whether the server identity is checked beyond chain validation depends on the
            # ServiceEntry/Istio defaults — confirm.
            tls:
              caCertificates: /etc/istio/egressgateway-ca-certs-host${EXTERNAL_HOST_NUMBER}/ca-chain.cert.pem
              clientCertificate: /etc/istio/egressgateway-certs-host${EXTERNAL_HOST_NUMBER}/tls.crt
              mode: MUTUAL
              privateKey: /etc/istio/egressgateway-certs-host${EXTERNAL_HOST_NUMBER}/tls.key
              sni: ${EXTERNAL_HOST}
  - apiVersion: networking.istio.io/v1alpha3
    kind: Gateway
    metadata:
      name: egressgateway${EXTERNAL_HOST_NUMBER}-gw
    spec:
      selector:
        istio: egressgateway-${PROJECT_NAME}
      servers:
        - hosts:
            - ${EXTERNAL_HOST}
          port:
            name: http-${EGRESS_PORT}
            number: ${{EGRESS_PORT}}
            protocol: HTTP
  - apiVersion: networking.istio.io/v1alpha3
    kind: VirtualService
    metadata:
      name: external-host${EXTERNAL_HOST_NUMBER}-vs
    spec:
      exportTo:
        - .
      gateways:
        - egressgateway${EXTERNAL_HOST_NUMBER}-gw
        - mesh
      hosts:
        - ${EXTERNAL_HOST}
      http:
        # Hop 1: sidecar ("mesh") -> egress gateway Service over the http- port.
        # NOTE(review): no ISTIO_MUTUAL DestinationRule covers this hop, so its protection
        # relies on the mesh-wide mTLS policy — confirm it applies to the gateway Service.
        - match:
            - gateways:
                - mesh
              port: ${{EXTERNAL_PORT_MESH}}
          rewrite:
            authority: ${EXTERNAL_HOST}
          route:
            - destination:
                host: egressgateway${EXTERNAL_HOST_NUMBER}-svc
                port:
                  number: ${{EGRESS_PORT}}
        # Hop 2: egress gateway -> external host; the DestinationRule above applies mTLS.
        - match:
            - gateways:
                - egressgateway${EXTERNAL_HOST_NUMBER}-gw
              port: ${{EGRESS_PORT}}
          rewrite:
            authority: ${EXTERNAL_HOST}
          route:
            - destination:
                host: ${EXTERNAL_HOST}
                port:
                  number: ${{EXTERNAL_PORT}}
parameters:
  - name: PROJECT_NAME
    required: true
  - name: APP_NAME
    required: true
  - name: EXTERNAL_IP
    required: true
  - name: EXTERNAL_HOST
    required: true
  - name: EXTERNAL_PORT
    required: true
  - name: EXTERNAL_PORT_MESH
    required: true
  - name: EGRESS_PORT
    required: true
  # Optional suffix; it must match the hostN suffix of the certificate mounts.
  - name: EXTERNAL_HOST_NUMBER
    value: null

Code Block 9 Egress-https-depl-and-secret-template.yaml
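---
# OpenShift Template: EgressGateway for Service Mesh 1.x (HTTPS variant).
# Renders one Deployment (the Envoy-based gateway) and two Secrets that hold
# the certificate material the gateway uses for the external host "host1".
# All ${...} placeholders are Template parameters (see "parameters" below).
apiVersion: v1
kind: Template
labels:
  app: ${APP_NAME}
  template: ${APP_NAME}
message: ${APP_NAME}
metadata:
  name: egress
  annotations:
    description: ${APP_NAME}.
    openshift.io/display-name: ${APP_NAME}
    version: 1.0.0
objects:
  - apiVersion: apps/v1
    kind: Deployment
    metadata:
      name: egressgateway-${PROJECT_NAME}
      labels:
        app: egressgateway-${PROJECT_NAME}
        app.kubernetes.io/component: gateways
        app.kubernetes.io/instance: ${ISTIO_CONTROL_PLANE}
        app.kubernetes.io/managed-by: maistra-istio-operator
        app.kubernetes.io/name: gateways
        app.kubernetes.io/part-of: istio
        app.kubernetes.io/version: 1.0.2-7.el8-1
        chart: gateways
        heritage: Tiller
        istio: egressgateway-${PROJECT_NAME}
        maistra.io/owner: ${ISTIO_CONTROL_PLANE}
        release: istio
    spec:
      progressDeadlineSeconds: 1200
      replicas: 1
      revisionHistoryLimit: 10
      selector:
        matchLabels:
          app: egressgateway-${PROJECT_NAME}
          istio: egressgateway-${PROJECT_NAME}
      strategy:
        type: RollingUpdate
        rollingUpdate:
          maxSurge: 1
          maxUnavailable: 1
      template:
        metadata:
          annotations:
            # The gateway pod *is* the proxy; sidecar injection must stay off.
            sidecar.istio.io/inject: "false"
          creationTimestamp: null
          labels:
            app: egressgateway-${PROJECT_NAME}
            chart: gateways
            heritage: Tiller
            istio: egressgateway-${PROJECT_NAME}
            release: istio
        spec:
          affinity:
            nodeAffinity:
              preferredDuringSchedulingIgnoredDuringExecution:
                - weight: 2
                  preference:
                    matchExpressions:
                      - key: beta.kubernetes.io/arch
                        operator: In
                        values:
                          - amd64
                - weight: 2
                  preference:
                    matchExpressions:
                      - key: beta.kubernetes.io/arch
                        operator: In
                        values:
                          - ppc64le
                - weight: 2
                  preference:
                    matchExpressions:
                      - key: beta.kubernetes.io/arch
                        operator: In
                        values:
                          - s390x
              requiredDuringSchedulingIgnoredDuringExecution:
                nodeSelectorTerms:
                  - matchExpressions:
                      - key: beta.kubernetes.io/arch
                        operator: In
                        values:
                          - amd64
                          - ppc64le
                          - s390x
          containers:
            - name: istio-proxy
              image: ${PROXY_IMAGE}
              imagePullPolicy: IfNotPresent
              args:
                - proxy
                - router
                - --domain
                - $(POD_NAMESPACE).svc.cluster.local
                - --log_output_level=default:info
                - --drainDuration
                - 45s
                - --parentShutdownDuration
                - 1m0s
                - --connectTimeout
                - 10s
                - --serviceCluster
                - egressgateway-${PROJECT_NAME}
                - --zipkinAddress
                - zipkin.${ISTIO_CONTROL_PLANE}:9411
                - --proxyAdminPort
                - "15000"
                - --statusPort
                - "15020"
                # NONE: the proxy's xDS connection to Pilot is not mTLS-protected;
                # this value has to match the control plane's own auth policy.
                - --controlPlaneAuthPolicy
                - NONE
                - --discoveryAddress
                - istio-pilot.${ISTIO_CONTROL_PLANE}:15010
              env:
                - name: POD_NAME
                  valueFrom:
                    fieldRef:
                      apiVersion: v1
                      fieldPath: metadata.name
                - name: POD_NAMESPACE
                  valueFrom:
                    fieldRef:
                      apiVersion: v1
                      fieldPath: metadata.namespace
                - name: INSTANCE_IP
                  valueFrom:
                    fieldRef:
                      apiVersion: v1
                      fieldPath: status.podIP
                - name: HOST_IP
                  valueFrom:
                    fieldRef:
                      apiVersion: v1
                      fieldPath: status.hostIP
                - name: ISTIO_META_POD_NAME
                  valueFrom:
                    fieldRef:
                      apiVersion: v1
                      fieldPath: metadata.name
                - name: ISTIO_META_CONFIG_NAMESPACE
                  valueFrom:
                    fieldRef:
                      apiVersion: v1
                      fieldPath: metadata.namespace
                - name: ISTIO_META_ROUTER_MODE
                  value: sni-dnat
              ports:
                - name: status-port
                  containerPort: 15020
                - name: http
                  containerPort: 8080
              readinessProbe:
                httpGet:
                  path: /healthz/ready
                  port: 15020
                  scheme: HTTP
                initialDelaySeconds: 1
                periodSeconds: 2
                timeoutSeconds: 5
                successThreshold: 1
                failureThreshold: 30
              resources:
                limits:
                  cpu: 600m
                  memory: 900Mi
                requests:
                  cpu: 400m
                  memory: 700Mi
              terminationMessagePath: /dev/termination-log
              terminationMessagePolicy: File
              volumeMounts:
                - name: istio-envoy
                  mountPath: /etc/istio/proxy
                - name: istio-certs
                  mountPath: /etc/certs/
                  readOnly: true
                # Client cert/key and CA bundle for the external host; paths are
                # referenced from the corresponding DestinationRule (not shown here).
                - name: egressgateway-certs-host1
                  mountPath: /etc/istio/egressgateway-certs-host1
                  readOnly: true
                - name: egressgateway-ca-certs-host1
                  mountPath: /etc/istio/egressgateway-ca-certs-host1
                  readOnly: true
          dnsPolicy: ClusterFirst
          restartPolicy: Always
          schedulerName: default-scheduler
          # Left empty on purpose: uid/fsGroup come from the SCC assigned to the
          # pod's service account, which is presumably the intended behaviour.
          securityContext: {}
          terminationGracePeriodSeconds: 60
          volumes:
            - name: istio-envoy
              emptyDir:
                medium: Memory
            # defaultMode is a *decimal* integer in the Kubernetes API. The
            # original value 400 meant 0620 (group-writable), not the intended
            # 0400; 256 is the decimal form of 0400 (owner read-only) and avoids
            # the YAML 1.1/1.2 octal-literal ambiguity.
            - name: istio-certs
              secret:
                secretName: istio.default
                defaultMode: 256
                optional: true
            - name: egressgateway-certs-host1
              secret:
                secretName: egressgateway-certs-host1
                defaultMode: 256
                optional: true
            - name: egressgateway-ca-certs-host1
              secret:
                secretName: egressgateway-ca-certs-host1
                defaultMode: 256
                optional: true
  # Trust anchor(s) for the external host. Secret.data values must be
  # base64-encoded; the Template passes the parameter through unchanged.
  - apiVersion: v1
    kind: Secret
    type: Opaque
    metadata:
      name: egressgateway-ca-certs-host1
    data:
      ca-chain.cert.pem: ${EGRESS_CA_CERT_HOST1}
  # Client certificate and private key presented by the gateway to the
  # external host. Same base64 requirement as above; keep the key parameter
  # out of version control and pass it at processing time.
  - apiVersion: v1
    kind: Secret
    type: Opaque
    metadata:
      name: egressgateway-certs-host1
    data:
      tls.crt: ${EGRESS_CERTS_CRT_HOST1}
      tls.key: ${EGRESS_CERTS_KEY_HOST1}
parameters:
  - name: PROJECT_NAME
    required: true
  - name: APP_NAME
    required: true
  - name: ISTIO_CONTROL_PLANE
    required: true
  - name: PROXY_IMAGE
    required: true
  # base64-encoded PEM CA chain (optional: Secret is created empty if omitted)
  - name: EGRESS_CA_CERT_HOST1
    value: null
  # base64-encoded PEM client certificate
  - name: EGRESS_CERTS_CRT_HOST1
    value: null
  # base64-encoded PEM private key matching EGRESS_CERTS_CRT_HOST1
  - name: EGRESS_CERTS_KEY_HOST1
    value: null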
Другие виды протоколов настраиваются по аналогии с HTTPS, но имеют свою специфику, описанную в документации Red Hat OpenShift:
HTTPS со встроенным mTLS — трафик шифруется везде;
TLS — сертификаты в бизнес-приложении, Egress пропускает шифрованный трафик;
TCP;
TCP с внешним mTLS — трафик шифруется после Egress;
TCP с полным mTLS — трафик шифруется везде.
Ниже приведен шаблон EgressGateway для Service Mesh 2.x:
Code Block 10 EgressGateway-template-for-service-mesh-2.x.yaml
---
# OpenShift Template: EgressGateway for Service Mesh 2.x.
# Renders a single Deployment running the Envoy proxy in "router" mode.
# Certificates are expected in the pre-existing Secrets referenced under
# "volumes"; this template does not create them.
apiVersion: v1
kind: Template
metadata:
  name: egressgateway-template
  labels:
    type: services
objects:
  - kind: Deployment
    apiVersion: apps/v1
    metadata:
      name: ${EGRESSGATEWAY_NAME}
      labels:
        app: ${EGRESSGATEWAY_NAME}
        app.kubernetes.io/component: gateways
        app.kubernetes.io/instance: ${ISTIO_CONTROL_PLANE}
        app.kubernetes.io/managed-by: maistra-istio-operator
        app.kubernetes.io/name: gateways
        app.kubernetes.io/part-of: istio
        app.kubernetes.io/version: 2.0.1-6.el8-75
        chart: gateways
        heritage: Tiller
        istio: ${EGRESSGATEWAY_NAME}
        maistra.io/owner: ${ISTIO_CONTROL_PLANE}
        release: istio
    spec:
      replicas: 1
      revisionHistoryLimit: 10
      progressDeadlineSeconds: 600
      strategy:
        type: RollingUpdate
        rollingUpdate:
          maxUnavailable: 25%
          maxSurge: 100%
      selector:
        matchLabels:
          app: ${EGRESSGATEWAY_NAME}
          istio: ${EGRESSGATEWAY_NAME}
      template:
        metadata:
          annotations:
            # The gateway container is the proxy itself; never inject a sidecar.
            sidecar.istio.io/inject: "false"
          creationTimestamp: null
          labels:
            app: ${EGRESSGATEWAY_NAME}
            chart: gateways
            heritage: Tiller
            istio: ${EGRESSGATEWAY_NAME}
            release: istio
        spec:
          restartPolicy: Always
          schedulerName: default-scheduler
          dnsPolicy: ClusterFirst
          terminationGracePeriodSeconds: 30
          # Empty: uid/fsGroup are presumably set by the SCC bound to the
          # service account rather than by this template.
          securityContext: {}
          affinity:
            nodeAffinity:
              requiredDuringSchedulingIgnoredDuringExecution:
                nodeSelectorTerms:
                  - matchExpressions:
                      - key: beta.kubernetes.io/arch
                        operator: In
                        values:
                          - amd64
                          - ppc64le
                          - s390x
              preferredDuringSchedulingIgnoredDuringExecution:
                - weight: 2
                  preference:
                    matchExpressions:
                      - key: beta.kubernetes.io/arch
                        operator: In
                        values:
                          - amd64
                - weight: 2
                  preference:
                    matchExpressions:
                      - key: beta.kubernetes.io/arch
                        operator: In
                        values:
                          - ppc64le
                - weight: 2
                  preference:
                    matchExpressions:
                      - key: beta.kubernetes.io/arch
                        operator: In
                        values:
                          - s390x
          containers:
            - name: istio-proxy
              image: ${PROXY_IMAGE}
              imagePullPolicy: IfNotPresent
              args:
                - proxy
                - router
                - --domain
                - $(POD_NAMESPACE).svc.cluster.local
                - --proxyLogLevel=warning
                - --proxyComponentLogLevel=misc:error
                - --log_output_level=default:info
                - --serviceCluster
                - ${EGRESSGATEWAY_NAME}
                - --trust-domain=cluster.local
              env:
                # first-party-jwt: the proxy authenticates to istiod with the
                # pod's default service-account token (presumably what the
                # control plane in this environment expects; confirm with SMCP).
                - name: JWT_POLICY
                  value: first-party-jwt
                - name: PILOT_CERT_PROVIDER
                  value: istiod
                # Hard-coded "istiod-basic": assumes the SMCP is named "basic".
                - name: CA_ADDR
                  value: "istiod-basic.${ISTIO_CONTROL_PLANE}.svc:15012"
                - name: NODE_NAME
                  valueFrom:
                    fieldRef:
                      apiVersion: v1
                      fieldPath: spec.nodeName
                - name: POD_NAME
                  valueFrom:
                    fieldRef:
                      apiVersion: v1
                      fieldPath: metadata.name
                - name: POD_NAMESPACE
                  valueFrom:
                    fieldRef:
                      apiVersion: v1
                      fieldPath: metadata.namespace
                - name: INSTANCE_IP
                  valueFrom:
                    fieldRef:
                      apiVersion: v1
                      fieldPath: status.podIP
                - name: HOST_IP
                  valueFrom:
                    fieldRef:
                      apiVersion: v1
                      fieldPath: status.hostIP
                - name: SERVICE_ACCOUNT
                  valueFrom:
                    fieldRef:
                      apiVersion: v1
                      fieldPath: spec.serviceAccountName
                - name: CANONICAL_SERVICE
                  valueFrom:
                    fieldRef:
                      apiVersion: v1
                      fieldPath: "metadata.labels['service.istio.io/canonical-name']"
                - name: CANONICAL_REVISION
                  valueFrom:
                    fieldRef:
                      apiVersion: v1
                      fieldPath: "metadata.labels['service.istio.io/canonical-revision']"
                - name: ISTIO_META_WORKLOAD_NAME
                  value: ${EGRESSGATEWAY_NAME}
                - name: ISTIO_META_OWNER
                  value: "kubernetes://apis/apps/v1/namespaces/${PROJECT_NAME}/deployments/${EGRESSGATEWAY_NAME}"
                - name: ISTIO_META_MESH_ID
                  value: cluster.local
                - name: ISTIO_META_ROUTER_MODE
                  value: sni-dnat
                - name: ISTIO_META_CLUSTER_ID
                  value: Kubernetes
              ports:
                - name: http2
                  containerPort: 8080
                  protocol: TCP
                - name: https
                  containerPort: 8443
                  protocol: TCP
                - name: tls
                  containerPort: 15443
                  protocol: TCP
                - name: http-envoy-prom
                  containerPort: 15090
                  protocol: TCP
              # Probe port 15021 is the proxy's status port; it is intentionally
              # not exposed in "ports" above.
              readinessProbe:
                httpGet:
                  path: /healthz/ready
                  port: 15021
                  scheme: HTTP
                initialDelaySeconds: 1
                timeoutSeconds: 1
                periodSeconds: 2
                successThreshold: 1
                failureThreshold: 30
              resources:
                limits:
                  cpu: 400m
                  memory: 512Mi
                requests:
                  cpu: 200m
                  memory: 256Mi
              terminationMessagePath: /dev/termination-log
              terminationMessagePolicy: File
              volumeMounts:
                - name: istio-envoy
                  mountPath: /etc/istio/proxy
                - name: config-volume
                  mountPath: /etc/istio/config
                - name: istiod-ca-cert
                  mountPath: /var/run/secrets/istio
                - name: podinfo
                  mountPath: /etc/istio/pod
                # Gateway-owned TLS material for egress; both mounts read-only.
                - name: egressgateway-certs
                  mountPath: /etc/istio/egressgateway-certs
                  readOnly: true
                - name: egressgateway-ca-certs
                  mountPath: /etc/istio/egressgateway-ca-certs
                  readOnly: true
          volumes:
            - name: istio-envoy
              emptyDir: {}
            - name: istiod-ca-cert
              configMap:
                name: istio-ca-root-cert
                defaultMode: 420
            - name: podinfo
              downwardAPI:
                defaultMode: 420
                items:
                  - path: labels
                    fieldRef:
                      apiVersion: v1
                      fieldPath: metadata.labels
                  - path: annotations
                    fieldRef:
                      apiVersion: v1
                      fieldPath: metadata.annotations
            # "istio-basic" again assumes an SMCP named "basic".
            - name: config-volume
              configMap:
                name: istio-basic
                defaultMode: 420
                optional: true
            # optional: the pod starts even when these Secrets do not exist yet;
            # a TLS configuration that references the files then has nothing
            # to load, so create the Secrets before routing traffic.
            - name: egressgateway-certs
              secret:
                secretName: istio-egressgateway-certs
                defaultMode: 420
                optional: true
            - name: egressgateway-ca-certs
              secret:
                secretName: istio-egressgateway-ca-certs
                defaultMode: 420
                optional: true
parameters:
  - name: PROJECT_NAME
    required: true
  - name: ISTIO_CONTROL_PLANE
    required: true
  - name: PROXY_IMAGE
    required: true
  - name: EGRESSGATEWAY_NAME
    required: true
Миграция на текущую версию#
Для миграции на другую версию обновите образ (image) прокси в Деплойменте.
Разработка первого приложения с использованием программного продукта#
Этот раздел не применим к данному компоненту, так как относится не к разработке приложения напрямую, а обеспечивает взаимодействие между узлами кластера.
Использование программного продукта#
Граничный прокси используется как для входа в проект, так и для выхода из него.
Часто встречающиеся проблемы и пути их устранения#
Общие флаги ошибок:
NR (No route configured): Нет маршрута. Проверьте свой DestinationRule или VirtualService.
UO (Upstream overflow with circuit breaking): Поставщик перегружен запросами. Проверьте конфигурацию автоматического выключателя (circuit breaker) в DestinationRule.
UF (Failed to connect to upstream): Поставщик сбросил соединение. Если вы используете аутентификацию Istio, проверьте отсутствие конфликта в конфигурации взаимного TLS (mTLS).
UH (No healthy upstream): Поставщик неработоспособен. Проверьте конфигурацию пода или обратитесь к администраторам Synapse.