zh-translation:/blog/2018/egress-mongo/index.md (#5972)

* zh-translation:/blog/2018/egress-mongo/index.md

* fix

* fix point

* fix point

* try to fix

* fixed

* fixed spelling errors

* try

* fixed

* fix ci

* fix ci

* fix spelling
This commit is contained in:
zzde 2019-12-12 14:18:02 +08:00 committed by Istio Automation
parent 33f9186337
commit 1b7e44af31
1 changed files with 149 additions and 236 deletions


@ -1,6 +1,6 @@
---
title: Consuming External MongoDB Services
description: Describes a simple scenario based on Istio's Bookinfo example.
title: 使用外部 MongoDB 服务
description: 描述了一个基于 Istio 的 Bookinfo 示例的简单场景。
publishdate: 2018-11-16
last_update: 2019-11-12
subtitle: Istio Egress Control Options for MongoDB traffic
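Review bot: the `subtitle` field on the last context line of this hunk is left in English while `title` and `description` directly above it are translated; translate it as well so the rendered page header is not half Chinese, half English.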
@ -9,42 +9,33 @@ keywords: [traffic-management,egress,tcp,mongo]
target_release: 1.1
---
In the [Consuming External TCP Services](/zh/blog/2018/egress-tcp/) blog post, I described how external services
can be consumed by in-mesh Istio applications via TCP. In this post, I demonstrate consuming external MongoDB services.
You use the [Istio Bookinfo sample application](/zh/docs/examples/bookinfo/), the version in which the book
ratings data is persisted in a MongoDB database. You deploy this database outside the cluster and configure the
_ratings_ microservice to use it. You will learn multiple options of controlling traffic to external MongoDB services and their
pros and cons.
在[使用外部 TCP 服务](/zh/blog/2018/egress-tcp/)博文中,我描述了网格内的 Istio 应用程序如何通过 TCP 使用外部服务。在本文中,我将演示如何使用外部 MongoDB
服务。您将使用 [Istio Bookinfo 示例应用程序](/zh/docs/examples/bookinfo/),它的书籍评级数据保存在 MongoDB 数据库中。您会将此数据库部署在集群外部,并配置 `ratings`
微服务使用它。您将学习控制到外部 MongoDB 服务流量的多种选择及其利弊。
## Bookinfo with external ratings database
## 使用外部 ratings 数据库的 Bookinfo {#Bookinfo-with-external-ratings-database}
First, you set up a MongoDB database instance to hold book ratings data outside of your Kubernetes cluster. Then you
modify the [Bookinfo sample application](/zh/docs/examples/bookinfo/) to use your database.
首先,在您的 Kubernetes 集群外部建立一个 MongoDB 数据库实例以保存书籍评级数据。然后修改 [Bookinfo 示例应用程序](/zh/docs/examples/bookinfo/)使用该数据库。
### Setting up the ratings database
### 建立 ratings 数据库{#setting-up-the-ratings-database}
For this task you set up an instance of [MongoDB](https://www.mongodb.com). You can use any MongoDB instance; I used
[Compose for MongoDB](https://www.ibm.com/cloud/compose/mongodb).
在这个任务中您将建立一个 [MongoDB](https://www.mongodb.com) 实例。您可以使用任何 MongoDB 实例;我使用 [Compose for MongoDB](https://www.ibm.com/cloud/compose/mongodb)。
1. Set an environment variable for the password of your `admin` user. To prevent the password from being preserved in
the Bash history, remove the command from the history immediately after running the command, using
[history -d](https://www.gnu.org/software/bash/manual/html_node/Bash-History-Builtins.html#Bash-History-Builtins).
1. 为 `admin` 用户的密码设置一个环境变量。为了避免密码被保存在 Bash 历史记录中,在运行命令之后,请立即使用 [history -d](https://www.gnu.org/software/bash/manual/html_node/Bash-History-Builtins.html#Bash-History-Builtins) 将其从历史记录中删除。
{{< text bash >}}
$ export MONGO_ADMIN_PASSWORD=<your MongoDB admin password>
{{< /text >}}
1. Set an environment variable for the password of the new user you will create, namely `bookinfo`.
Remove the command from the history using
[history -d](https://www.gnu.org/software/bash/manual/html_node/Bash-History-Builtins.html#Bash-History-Builtins).
1. 为需要创建的新用户(即 `bookinfo`)的密码设置环境变量,并使用 [history -d](https://www.gnu.org/software/bash/manual/html_node/Bash-History-Builtins.html#Bash-History-Builtins) 将其从历史记录中删除。
{{< text bash >}}
$ export BOOKINFO_PASSWORD=<password>
{{< /text >}}
1. Set environment variables for your MongoDB service, `MONGODB_HOST` and `MONGODB_PORT`.
1. 为您的 MongoDB 服务设置环境变量 `MONGODB_HOST``MONGODB_PORT`
1. Create the `bookinfo` user:
1. 创建 `bookinfo` 用户:
{{< text bash >}}
$ cat <<EOF | mongo --ssl --sslAllowInvalidCertificates $MONGODB_HOST:$MONGODB_PORT -u admin -p $MONGO_ADMIN_PASSWORD --authenticationDatabase admin
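Review bot: in the step that sets the MongoDB service variables the two code spans are run together with nothing between them, `MONGODB_HOST``MONGODB_PORT`, which renders as one fused token; separate them with 和 as the English "`MONGODB_HOST` and `MONGODB_PORT`" does. Also, the intro paragraph formats the service name as the code span `ratings` where the English uses the italic _ratings_; keep the italic form so service names look the same throughout the translated post.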
@ -59,8 +50,8 @@ For this task you set up an instance of [MongoDB](https://www.mongodb.com). You
EOF
{{< /text >}}
1. Create a _collection_ to hold ratings. The following command sets both ratings to be equal `1` to provide a visual
clue when your database is used by the Bookinfo _ratings_ service (the default Bookinfo _ratings_ are `4` and `5`).
1. 创建一个 _collection_ 来保存评级数据。以下命令将两个评级都设置为 `1`,以便在 Bookinfo _ratings_ service 使用数据库时提供视觉验证(默认 Bookinfo _ratings_
`4``5`
{{< text bash >}}
$ cat <<EOF | mongo --ssl --sslAllowInvalidCertificates $MONGODB_HOST:$MONGODB_PORT -u admin -p $MONGO_ADMIN_PASSWORD --authenticationDatabase admin
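Review bot: the translated aside in this step, "(默认 Bookinfo _ratings_ `4``5`", fuses the two code spans and never closes the parenthesis that the English "(the default Bookinfo _ratings_ are `4` and `5`)" opens; write it as "(默认 Bookinfo _ratings_ 为 `4` 和 `5`)" so the values stay readable and the parenthesis closes before the colon.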
@ -73,7 +64,7 @@ For this task you set up an instance of [MongoDB](https://www.mongodb.com). You
EOF
{{< /text >}}
1. Check that `bookinfo` user can get ratings:
1. 检查 `bookinfo` 用户是否可以获取评级数据:
{{< text bash >}}
$ cat <<EOF | mongo --ssl --sslAllowInvalidCertificates $MONGODB_HOST:$MONGODB_PORT -u bookinfo -p $BOOKINFO_PASSWORD --authenticationDatabase test
@ -82,7 +73,7 @@ For this task you set up an instance of [MongoDB](https://www.mongodb.com). You
EOF
{{< /text >}}
The output should be similar to:
输出应该类似于:
{{< text plain >}}
MongoDB server version: 3.4.10
@ -92,26 +83,23 @@ For this task you set up an instance of [MongoDB](https://www.mongodb.com). You
bye
{{< /text >}}
### Initial setting of Bookinfo application
### Bookinfo 应用程序的初始设置{#Initial-setting-of-Bookinfo-application}
To demonstrate the scenario of using an external database, you start with a Kubernetes cluster with [Istio installed](/zh/docs/setup/getting-started/). Then you deploy the
[Istio Bookinfo sample application](/zh/docs/examples/bookinfo/), [apply the default destination rules](/zh/docs/examples/bookinfo/#apply-default-destination-rules), and
[change Istio to the blocking-egress-by-default policy](/zh/docs/tasks/traffic-management/egress/egress-control/#change-to-the-blocking-by-default-policy).
为了演示使用外部数据库的场景,请首先运行一个[安装了 Istio](/zh/docs/setup/getting-started/) 的 Kubernetes 集群。然后部署
[Istio Bookinfo 示例应用程序](/zh/docs/examples/bookinfo/)并[应用默认 destination rules](/zh/docs/examples/bookinfo/#apply-default-destination-rules)和[改变 Istio 到 blocking-egress-by-default 策略](/zh/docs/tasks/traffic-management/egress/egress-control/#change-to-the-blocking-by-default-policy)。
This application uses the `ratings` microservice to fetch book ratings, a number between 1 and 5. The ratings are
displayed as stars for each review. There are several versions of the `ratings` microservice. You will deploy the
version that uses [MongoDB](https://www.mongodb.com) as the ratings database in the next subsection.
此应用程序从 `ratings` 微服务获取书籍评级1 到 5 的数字)。评级以星标形式显示每条评论。`ratings` 微服务有几个版本。在下一小节中,请部署使用 [MongoDB](https://www.mongodb.com)
作为 ratings 数据库的版本。
The example commands in this blog post work with Istio 1.0.
本博文中的示例命令适用于 Istio 1.0。
As a reminder, here is the end-to-end architecture of the application from the
[Bookinfo sample application](/zh/docs/examples/bookinfo/).
作为提醒,这是 [Bookinfo 示例应用程序](/zh/docs/examples/bookinfo/) 的端到端架构。
{{< image width="80%" link="/zh/docs/examples/bookinfo/withistio.svg" caption="The original Bookinfo application" >}}
### Use the external database in Bookinfo application
### 在 Bookinfo 应用程序中使用外部数据库{#use-the-external-database-in-Bookinfo-application}
1. Deploy the spec of the _ratings_ microservice that uses a MongoDB database (_ratings v2_):
1.部署使用 MongoDB 数据库的 _ratings_ 微服务_ratings v2_
{{< text bash >}}
$ kubectl apply -f @samples/bookinfo/platform/kube/bookinfo-ratings-v2.yaml@
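Review bot: the first step of this hunk, "1.部署使用 MongoDB 数据库的 _ratings_ 微服务_ratings v2_", has no space after "1.", so Markdown will not render it as a list item, and the "(_ratings v2_):" parenthetical and trailing colon of the English step are lost; write it as "1. 部署使用 MongoDB 数据库的 _ratings_ 微服务(_ratings v2_):". Two lines above, "书籍评级1 到 5 的数字)" closes a parenthesis that was never opened. Separately, "本博文中的示例命令适用于 Istio 1.0" faithfully copies the English, but the front matter in this same diff sets `target_release: 1.1`; worth checking with the upstream source which is current.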
@ -119,80 +107,57 @@ As a reminder, here is the end-to-end architecture of the application from the
deployment "ratings-v2" created
{{< /text >}}
1. Update the `MONGO_DB_URL` environment variable to the value of your MongoDB:
1. 为你的 MongoDB 设置 `MONGO_DB_URL` 环境变量:
{{< text bash >}}
$ kubectl set env deployment/ratings-v2 "MONGO_DB_URL=mongodb://bookinfo:$BOOKINFO_PASSWORD@$MONGODB_HOST:$MONGODB_PORT/test?authSource=test&ssl=true"
deployment.extensions/ratings-v2 env updated
{{< /text >}}
1. Route all the traffic destined to the _reviews_ service to its _v3_ version. You do this to ensure that the
_reviews_ service always calls the _ratings_ service. In addition, route all the traffic destined to the _ratings_
service to _ratings v2_ that uses your database.
1. 将所有到 _reviews_ service 的流量路由到它的 _v3_ 版本,以确保 _reviews_ service 总是调用 _ratings_ service。此外将所有到 `ratings` service
的流量路由到使用外部数据库的 _ratings v2_
Specify the routing for both services above by adding two
[virtual services](/zh/docs/reference/config/networking/virtual-service/). These virtual services are
specified in `samples/bookinfo/networking/virtual-service-ratings-mongodb.yaml` of an Istio release archive.
***Important:*** make sure you
[applied the default destination rules](/zh/docs/examples/bookinfo/#apply-default-destination-rules) before running the
following command.
通过添加两个 [virtual services](/zh/docs/reference/config/networking/virtual-service/) 来为以上两个 services 指定路由。这些 virtual service
在 Istio 发布包中 `samples/bookinfo/networking/virtual-service-ratings-mongodb.yaml` 有指定 。
***重要:*** 请确保在运行以下命令之前[应用了默认的 destination rules](/zh/docs/examples/bookinfo/#apply-default-destination-rules)。
{{< text bash >}}
$ kubectl apply -f @samples/bookinfo/networking/virtual-service-ratings-db.yaml@
{{< /text >}}
The updated architecture appears below. Note that the blue arrows inside the mesh mark the traffic configured according
to the virtual services we added. According to the virtual services, the traffic is sent to _reviews v3_ and
_ratings v2_.
更新的架构如下所示。请注意,网格内的蓝色箭头标记对应于我们添加的 virtual service。根据 virtual service流量将被发送到 `reviews v3``ratings v2`
{{< image width="80%" link="./bookinfo-ratings-v2-mongodb-external.svg" caption="The Bookinfo application with ratings v2 and an external MongoDB database" >}}
Note that the MongoDB database is outside the Istio service mesh, or more precisely outside the Kubernetes cluster. The
boundary of the service mesh is marked by a dashed line.
请注意MongoDB 数据库位于 Istio 服务网格之外,或者更确切地说是在 Kubernetes 集群之外。服务网格的边界使用虚线标记。
### Access the webpage
### 访问网页{#access-the-webpage}
Access the webpage of the application, after
[determining the ingress IP and port](/zh/docs/examples/bookinfo/#determine-the-ingress-IP-and-port).
[确认 ingress IP 和端口之后](/zh/docs/examples/bookinfo/#determine-the-ingress-IP-and-port),访问应用程序的网页。
Since you did not configure the egress traffic control yet, the access to the MongoDB service is blocked by Istio.
This is why instead of the rating stars, the message _"Ratings service is currently unavailable"_ is currently
displayed below each review:
由于您尚未配置 egress 流量控制,所以 Istio 会阻止到 MongoDB 服务的访问。这就是为什么您当前不能看到评级的星标,只能看到 _"Ratings service is currently unavailable"_ 的信息:
{{< image width="80%" link="./errorFetchingBookRating.png" caption="The Ratings service error messages" >}}
In the following sections you will configure egress access to the external MongoDB service, using different options for
egress control in Istio.
在以下部分中,您将使用不同的 Istio egress 控制选项,配置对外部 MongoDB 服务的访问。
## Egress control for TCP
## TCP 的 egress 控制{#egress-control-for-TCP}
Since [MongoDB Wire Protocol](https://docs.mongodb.com/manual/reference/mongodb-wire-protocol/) runs on top of TCP, you
can control the egress traffic to your MongoDB as traffic to any other [external TCP service](/zh/blog/2018/egress-tcp/). To
control TCP traffic, a block of IPs in the [CIDR](https://tools.ietf.org/html/rfc2317) notation that includes the IP
address of your MongoDB host must be specified. The caveat here is that sometimes the IP of the MongoDB host is not
stable or known in advance.
由于 [MongoDB 协议](https://zh/docs.mongodb.com/manual/reference/mongodb-wire-protocol/)运行在 TCP 之上,您可以像控制到[其余 TCP 服务](/zh/blog/2018/egress-tcp/)的流量一样控制到 MongoDB 的 egress 流量。为了控制 TCP 流量,您必须指定一个 [CIDR](https://tools.ietf.org/html/rfc2317) 表示的 IP 块,该 IP 块包含 MongoDB 的地址。需要注意的是,有时候 MongoDB 主机的 IP 并不稳定或无法事先得知。
In the cases when the IP of the MongoDB host is not stable, the egress traffic can either be
[controlled as TLS traffic](#egress-control-for-tls), or the traffic can be routed
[directly](/zh/docs/tasks/traffic-management/egress/egress-control/#direct-access-to-external-services), bypassing the Istio sidecar
proxies.
在 MongoDB IP 不稳定的情况下,可以以 [TLS 方式控制](#egress-control-for-TLS) egress 流量,或绕过 Istio sidecar [直接](/zh/docs/tasks/traffic-management/egress/egress-control/#direct-access-to-external-services)路由流量。
Get the IP address of your MongoDB database instance. As an option, you can use the
[host](https://linux.die.net/man/1/host) command:
获取 MongoDB 数据库实例的 IP 地址。一种选择是使用 [host](https://linux.die.net/man/1/host) 命令。
{{< text bash >}}
$ export MONGODB_IP=$(host $MONGODB_HOST | grep " has address " | cut -d" " -f4)
{{< /text >}}
### Control TCP egress traffic without a gateway
### 在没有 gateway 的情况下控制 TCP egress 流量{#control-TCP-egress-traffic-without-a-gateway}
In case you do not need to direct the traffic through an
[egress gateway](/zh/docs/tasks/traffic-management/egress/egress-gateway/#use-case), for example if you do not have a
requirement that all the traffic that exists your mesh must exit through the gateway, follow the
instructions in this section. Alternatively, if you do want to direct your traffic through an egress gateway, proceed to
[Direct TCP egress traffic through an egress gateway](#direct-tcp-egress-traffic-through-an-egress-gateway).
如果您不用通过 [egress gateway](/zh/docs/tasks/traffic-management/egress/egress-gateway/#use-case) 定向流量,例如不要求所有流量都通过 gateway 流出网格时,请遵循以下部分的说明。或者,如果您确实希望通过 egress gateway 定向流量,请继续阅读[通过 egress gateway 定向 TCP egress 流量](#direct-tcp-egress-traffic-through-an-egress-gateway)。
1. Define a TCP mesh-external service entry:
1. 定义一个网格外 TCP service entry
{{< text bash >}}
$ kubectl apply -f - <<EOF
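Review bot: the MongoDB wire-protocol link in the "TCP 的 egress 控制" paragraph was rewritten to `https://zh/docs.mongodb.com/manual/reference/mongodb-wire-protocol/`, which is not a valid host: the `/zh/` prefix belongs only to istio.io-relative paths, not to external URLs, so restore `https://docs.mongodb.com/...`. The "no gateway" intro also links to `#direct-tcp-egress-traffic-through-an-egress-gateway` in lowercase while the heading later in this file defines `{#direct-TCP-egress-traffic-through-an-egress-gateway}`; fragments are case-sensitive, and the lowercase anchor is the one (mistakenly) attached to the TLS gateway section, so this link lands on the wrong section. Minor: "为你的 MongoDB 设置 `MONGO_DB_URL`" uses 你 where the rest of the translation uses 您.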
@ -216,63 +181,45 @@ instructions in this section. Alternatively, if you do want to direct your traff
EOF
{{< /text >}}
Note that the protocol `TCP` is specified instead of `MONGO` due to the fact that the traffic can be encrypted in
case [the MongoDB protocol runs on top of TLS](https://docs.mongodb.com/manual/tutorial/configure-ssl/).
If the traffic is encrypted, the encrypted MongoDB protocol cannot be parsed by the Istio proxy.
请注意protocol 被指定为 `TCP` 而不是 `MONGO`,因为如果 [MongoDB 协议运行在 TLS 之上时](https://zh/docs.mongodb.com/manual/tutorial/configure-ssl/),流量可以加密。如果加密了流量,该加密的 MongoDB 协议就不能被 Istio 代理解析。
If you know that the plain MongoDB protocol is used, without encryption, you can specify the protocol as `MONGO` and
let the Istio proxy produce
[MongoDB related statistics](https://www.envoyproxy.io/docs/envoy/latest/configuration/listeners/network_filters/mongo_proxy_filter#statistics).
Also note that when the protocol `TCP` is specified, the configuration is not specific for MongoDB, but is the same
for any other database with the protocol on top of TCP.
如果您知道使用的是未加密的 MongoDB 协议,可以指定 protocol 为 `MONGO`,从而使 Istio 代理产生 [MongoDB 相关的统计数据](https://www.envoyproxy.io/docs/envoy/latest/configuration/listeners/network_filters/mongo_proxy_filter#statistics)。还要注意,当指定 protocol `TCP` 时,配置不是特定于 MongoDB 的,对于其余使用基于 TCP 协议的数据库同样适用。
Note that the host of your MongoDB is not used in TCP routing, so you can use any host, for example `my-mongo.tcp.svc`. Notice the `STATIC` resolution and the endpoint with the IP of your MongoDB service. Once you define such an endpoint, you can access MongoDB services that do not have a domain name.
1. Refresh the web page of the application. Now the application should display the ratings without error:
1. 刷新应用程序的网页。应用程序现在应该显示评级数据而非错误:
{{< image width="80%" link="./externalDBRatings.png" caption="Book Ratings Displayed Correctly" >}}
Note that you see a one-star rating for both displayed reviews, as expected. You set the ratings to be one star to
provide yourself with a visual clue that your external database is indeed being used.
请注意,和预期的一样,您会看到两个显示评论的一星评级。您将评级设置为一星,以作为外部数据库确实被使用了的视觉证据。
1. If you want to direct the traffic through an egress gateway, proceed to the next section. Otherwise, perform
[cleanup](#cleanup-of-tcp-egress-traffic-control).
1. 如果要通过出口网关引导流量,请继续下一节。否则,请执行 [cleanup](#cleanup-of-TCP-egress-traffic-control).
### Direct TCP Egress traffic through an egress gateway
### 通过 egress gateway 定向 TCP Egress 流量{#direct-TCP-egress-traffic-through-an-egress-gateway}
In this section you handle the case when you need to direct the traffic through an
[egress gateway](/zh/docs/tasks/traffic-management/egress/egress-gateway/#use-case). The sidecar proxy routes TCP
connections from the MongoDB client to the egress gateway, by matching the IP of the MongoDB host (a CIDR block of
length 32). The egress gateway forwards the traffic to the MongoDB host, by its hostname.
在本节中,您将处理通过 [egress gateway](/zh/docs/tasks/traffic-management/egress/egress-gateway/#use-case) 定向流量的情况。Sidecar 代理通过匹配 MongoDB 主机的 IP 地址(一个 32 位长度的 CIDR 块),将 TCP 连接从 MongoDB 客户端路由到 egress gateway。Egress gateway 按照其 hostname转发流量到 MongoDB 主机。
1. [Deploy Istio egress gateway](/zh/docs/tasks/traffic-management/egress/egress-gateway/#deploy-Istio-egress-gateway).
1. [部署 Istio egress gateway](/zh/docs/tasks/traffic-management/egress/egress-gateway/#deploy-Istio-egress-gateway).
1. If you did not perform the steps in [the previous section](#control-tcp-egress-traffic-without-a-gateway), perform them now.
1. 如果您未执行 [上一节](#control-TCP-egress-traffic-without-a-gateway) 中的步骤,则立即执行这些步骤。
1. You may want to enable {{< gloss >}}mutual TLS Authentication{{< /gloss >}} between the sidecar proxies of
your MongoDB clients and the egress gateway to let the egress gateway monitor the identity of the source pods and to
enable Mixer policy enforcement based on that identity. By enabling mutual TLS you also encrypt the traffic.
If you do not want to enable mutual TLS, proceed to the [Mutual TLS between the sidecar proxies and the egress gateway](http://localhost:1313/blog/2018/egress-mongo/#mutual-tls-between-the-sidecar-proxies-and-the-egress-gateway) section.
Otherwise, proceed to the following section.
1. 您可能希望启用 sidecar 代理和 MongoDB 客户端之间以及 egress gateway 的 {{< gloss >}}mutual TLS Authentication{{< /gloss >}},以使 egress gateway 监控来源 pod 的身份并基于该 identity 启用 Mixer 策略。启用双向 TLS 时同样对流量进行了加密。
如果你不想开启双向 TLS参考 [Mutual TLS between the sidecar proxies and the egress gateway](#mutual-TLS-between-the-sidecar-proxies-and-the-egress-gateway) 小节
否则,请继续以下部分。
#### Configure TCP traffic from sidecars to the egress gateway
#### 配置从 sidecar 到 egress gateway 的 TCP 流量{#configure-TCP-traffic-from-sidecars-to-the-egress-gateway}
1. Define the `EGRESS_GATEWAY_MONGODB_PORT` environment variable to hold some port for directing traffic through
the egress gateway, e.g. `7777`. You must select a port that is not used for any other service in the mesh.
1. 定义 `EGRESS_GATEWAY_MONGODB_PORT` 环境变量来保存用于通过 egress gateway 定向流量的端口,例如 `7777`。必须选择没有被网格中其余 service 使用的端口。
{{< text bash >}}
$ export EGRESS_GATEWAY_MONGODB_PORT=7777
{{< /text >}}
1. Add the selected port to the `istio-egressgateway` service. You should use the same values you used for installing
Istio, in particular you have to specify all the ports of the `istio-egressgateway` service that you previously
configured.
1. 添加选择的端口到 `istio-egressgateway` service。您需要使用和安装 Istio 时一样的端口,特别是必须指定前面配置 `istio-egressgateway` 的所有端口。
{{< text bash >}}
$ helm template install/kubernetes/helm/istio/ --name istio-egressgateway --namespace istio-system -x charts/gateways/templates/deployment.yaml -x charts/gateways/templates/service.yaml --set gateways.istio-ingressgateway.enabled=false --set gateways.istio-egressgateway.enabled=true --set gateways.istio-egressgateway.ports[0].port=80 --set gateways.istio-egressgateway.ports[0].name=http --set gateways.istio-egressgateway.ports[1].port=443 --set gateways.istio-egressgateway.ports[1].name=https --set gateways.istio-egressgateway.ports[2].port=$EGRESS_GATEWAY_MONGODB_PORT --set gateways.istio-egressgateway.ports[2].name=mongo | kubectl apply -f -
{{< /text >}}
1. Check that the `istio-egressgateway` service indeed has the selected port:
1. 检查 `istio-egressgateway` service 确实有选择的端口:
{{< text bash >}}
$ kubectl get svc istio-egressgateway -n istio-system
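Review bot: same broken external URL in this hunk: the TLS link reads `https://zh/docs.mongodb.com/manual/tutorial/configure-ssl/`; drop the `zh/`. In the mutual-TLS step, "启用 sidecar 代理和 MongoDB 客户端之间以及 egress gateway 的 mutual TLS" misplaces the parties: the English enables mutual TLS between the MongoDB clients' sidecar proxies and the egress gateway, i.e. "MongoDB 客户端的 sidecar 代理与 egress gateway 之间". The same step also inherits an inverted pointer from the source: readers who do *not* want mutual TLS are sent to the "Mutual TLS between the sidecar proxies and the egress gateway" section, yet the section that actually runs "Disable mutual TLS authentication for the `istio-egressgateway` service" is the next one; since this line already replaces the source's `http://localhost:1313/...` link, it is the right place to correct the target as well.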
@ -280,7 +227,7 @@ Otherwise, proceed to the following section.
istio-egressgateway ClusterIP 172.21.202.204 <none> 80/TCP,443/TCP,7777/TCP 34d
{{< /text >}}
1. Disable mutual TLS authentication for the `istio-egressgateway` service:
1. `istio-egressgateway` 服务 关闭双向 TLS 认证
{{< text bash >}}
$ kubectl apply -f - <<EOF
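Review bot: the step "`istio-egressgateway` 服务 关闭双向 TLS 认证" is missing the leading 为 that makes it a sentence, has a stray space before 关闭, and drops the trailing colon that introduces the command; write it as "为 `istio-egressgateway` 服务关闭双向 TLS 认证:".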
@ -295,8 +242,7 @@ Otherwise, proceed to the following section.
EOF
{{< /text >}}
1. Create an egress `Gateway` for your MongoDB service, and destination rules and a virtual service to direct the
traffic through the egress gateway and from the egress gateway to the external service.
1. 为您的 MongoDB service 创建一个 egress `Gateway`、一个 destination rules 和 virtual services以定向流量到 egress gateway并从 egress gateway 发送到外部服务。
{{< text bash >}}
$ kubectl apply -f - <<EOF
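Review bot: "一个 egress `Gateway`、一个 destination rules 和 virtual services" swaps the numbers relative to the English "destination rules and a virtual service" (plural rules, one virtual service); the same wording recurs in the mutual-TLS variant of this step below, so fix both together, for example "一个 egress `Gateway`、若干 destination rule 和一个 virtual service".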
@ -367,11 +313,11 @@ Otherwise, proceed to the following section.
EOF
{{< /text >}}
1. [Verify that egress traffic is directed through the egress gateway](#verify-that-egress-traffic-is-directed-through-the-egress-gateway).
1. [验证 TCP egress 流量是否被定向到 egress gateway](#verify-that-egress-traffic-is-directed-through-the-egress-gateway).
#### Mutual TLS between the sidecar proxies and the egress gateway
#### Sidecar 代理和 egress gateway 之间的双向 TLS{#mutual-TLS-between-the-sidecar-proxies-and-the-egress-gateway}
1. Delete the previous configuration:
1. 删除前面小节中的配置:
{{< text bash >}}
$ kubectl delete gateway istio-egressgateway --ignore-not-found=true
@ -397,8 +343,7 @@ Otherwise, proceed to the following section.
EOF
{{< /text >}}
1. Create an egress `Gateway` for your MongoDB service, and destination rules and a virtual service
to direct the traffic through the egress gateway and from the egress gateway to the external service.
1. 为您的 MongoDB service 创建一个 egress `Gateway`、一个 destination rules 和 virtual services以定向流量到 egress gateway并从 egress gateway 发送到外部服务。
{{< text bash >}}
$ kubectl apply -f - <<EOF
@ -483,24 +428,22 @@ Otherwise, proceed to the following section.
EOF
{{< /text >}}
1. Proceed to the next section.
1. 继续下一节。
#### Verify that egress traffic is directed through the egress gateway
#### 验证 TCP egress 流量是否通过 egress gateway 定向{#verify-that-egress-traffic-is-directed-through-the-egress-gateway}
1. Refresh the web page of the application again and verify that the ratings are still displayed correctly.
1. 再次刷新应用程序的网页,并验证等级是否仍正确显示。
1. [Enable Envoys access logging](/zh/docs/tasks/observability/logs/access-log/#enable-envoy-s-access-logging)
1. [开启 Envoy访问日志](/zh/docs/tasks/observability/logs/access-log/#enable-envoy-s-access-logging)
1. Check the log of the egress gateway's Envoy and see a line that corresponds to your
requests to the MongoDB service. If Istio is deployed in the `istio-system` namespace, the command to print the
log is:
1. 检查 egress gateway 的 Envoy 的统计数据,找到对应请求 MongoDB service 的 counter。如果 Istio 步骤在 `istio-system` namespace 中,打印 counter 的命令为:
{{< text bash >}}
$ kubectl logs -l istio=egressgateway -n istio-system
[2019-04-14T06:12:07.636Z] "- - -" 0 - "-" 1591 4393 94 - "-" "-" "-" "-" "<Your MongoDB IP>:<your MongoDB port>" outbound|<your MongoDB port>||my-mongo.tcp.svc 172.30.146.119:59924 172.30.146.119:443 172.30.230.1:59206 -
{{< /text >}}
### Cleanup of TCP egress traffic control
### 清理通过 egress gateway 定向 TCP egress 流量的配置{#cleanup-of-TCP-egress-traffic-control}
{{< text bash >}}
$ kubectl delete serviceentry mongo
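Review bot: the log-checking step is mistranslated: "检查 egress gateway 的 Envoy 的统计数据,找到对应请求 MongoDB service 的 counter ... 打印 counter 的命令为" talks about statistics and counters, but the English (and the `kubectl logs` command that follows) is about the egress gateway's Envoy access log and a log line matching the MongoDB request; also "如果 Istio 步骤在 `istio-system` namespace 中" should read "如果 Istio 部署在". The heading "验证 TCP egress 流量是否通过 egress gateway 定向" adds "TCP" that the English heading does not have, and the TLS section later in this file links to this same anchor, so keep it protocol-neutral ("验证 egress 流量..."). Minor: "开启 Envoy访问日志" needs 的 or a space between Envoy and 访问日志.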
@ -510,34 +453,28 @@ $ kubectl delete destinationrule egressgateway-for-mongo mongo --ignore-not-foun
$ kubectl delete policy istio-egressgateway -n istio-system --ignore-not-found=true
{{< /text >}}
## Egress control for TLS
## TLS egress 控制{#egress-control-for-TLS}
In the real life, most of the communication to the external services must be encrypted and
[the MongoDB protocol runs on top of TLS](https://docs.mongodb.com/manual/tutorial/configure-ssl/).
Also, the TLS clients usually send
[Server Name Indication](https://en.wikipedia.org/wiki/Server_Name_Indication), SNI, as part of their handshake. If your
MongoDB server runs TLS and your MongoDB client sends SNI as part of the handshake, you can control your MongoDB egress
traffic as any other TLS-with-SNI traffic. With TLS and SNI, you do not need to specify the IP addresses of your MongoDB
servers. You specify their host names instead, which is more convenient since you do not have to rely on the stability of
the IP addresses. You can also specify wildcards as a prefix of the host names, for example allowing access to any
server from the `*.com` domain.
在现实生活中,绝大多数到外部服务的通信都必须被加密,而 [MongoDB 协议在 TLS 之上运行](https://zh/docs.mongodb.com/manual/tutorial/configure-ssl/)。
并且TLS 客户端经常发送[服务器名称指示](https://en.wikipedia.org/wiki/Server_Name_Indication)SNI作为握手的一部分。
如果您的 MongoDB 服务器运行 TLS 且 MongoDB 客户端发送 SNI 作为握手的一部分,您就可以像任何其余带有 SNI 的 TLS 流量一样控制 MongoDB egress 流量。
您不需要指定 MongoDB 服务器的 IP 地址,而只需指定他们的主机名称,这样会更加方便,因为您无需依赖 IP 地址的稳定性。
您还可以指定通配符为主机名的前缀,例如允许从 `*.com` 域访问任意服务器。
To check if your MongoDB server supports TLS, run:
要想检查您的 MongoDB 服务器是否支持 TLS请运行
{{< text bash >}}
$ openssl s_client -connect $MONGODB_HOST:$MONGODB_PORT -servername $MONGODB_HOST
{{< /text >}}
If the command above prints a certificate returned by the server, the server supports TLS. If not, you have to control
your MongoDB egress traffic on the TCP level, as described in the previous sections.
如果上述命令打印了一个服务器返回的证书,说明该服务器支持 TLS。如果没有您就需要像前面小节描述的一样在 TCP 层面控制 MongoDB egress 流量。
### Control TLS egress traffic without a gateway
### 无 gateway 情况下控制 TLS egress 流量{#control-TLS-egress-traffic-without-a-gateway}
In case you [do not need an egress gateway](/zh/docs/tasks/traffic-management/egress/egress-gateway/#use-case), follow the
instructions in this section. If you want to direct your traffic through an egress gateway, proceed to
[Direct TCP Egress traffic through an egress gateway](#direct-tcp-egress-traffic-through-an-egress-gateway).
如果您[不需要 egress gateway](/zh/docs/tasks/traffic-management/egress/egress-gateway/#use-case),请遵循本小节中的说明。
如果您需要通过 egress gateway 定向流量,请继续阅读[通过 egress gateway 定向 TCP Egress 流量](#direct-tcp-egress-traffic-through-an-egress-gateway)。
1. Create a `ServiceEntry` for the MongoDB service:
1. 为 MongoDB service 创建一个 `ServiceEntry`
{{< text bash >}}
$ kubectl apply -f - <<EOF
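Review bot: third occurrence of the broken host in this diff, `https://zh/docs.mongodb.com/manual/tutorial/configure-ssl/`; drop the `zh/`. In the same hunk, the "no gateway" TLS intro tells readers who do want a gateway to continue to "通过 egress gateway 定向 TCP Egress 流量" with anchor `#direct-tcp-egress-traffic-through-an-egress-gateway`; inside the TLS section this should point to the TLS gateway section, not the TCP one. The English source has the same slip, and fixing it here only works together with correcting that heading's anchor (see the next hunk).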
@ -556,26 +493,24 @@ instructions in this section. If you want to direct your traffic through an egre
EOF
{{< /text >}}
1. Refresh the web page of the application. The application should display the ratings without error.
1. 刷新应用程序的网页。应用程序应该正确显示评级数据。
#### Cleanup of the egress configuration for TLS
#### 清理 TLS 的 egress 配置{#cleanup-of-the-egress-configuration-for-TLS}
{{< text bash >}}
$ kubectl delete serviceentry mongo
{{< /text >}}
### Direct TLS Egress traffic through an egress gateway
### 通过 egress gateway 定向 TLS Egress 流量{#direct-tcp-egress-traffic-through-an-egress-gateway}
In this section you handle the case when you need to direct the traffic through an
[egress gateway](/zh/docs/tasks/traffic-management/egress/egress-gateway/#use-case). The sidecar proxy routes TLS
connections from the MongoDB client to the egress gateway, by matching the SNI of the MongoDB host.
The egress gateway forwards the traffic to the MongoDB host. Note that the sidecar proxy rewrites the destination port
to be 443. The egress gateway accepts the MongoDB traffic on the port 443, matches the MongoDB host by SNI, and rewrites
the port again to be the port of the MongoDB server.
在本小节中,您将处理通过 [egress gateway](/zh/docs/tasks/traffic-management/egress/egress-gateway/#use-case) 定向流量的情况。
Sidecar 代理通过匹配 MongoDB 主机的 SNI将 TLS 连接从 MongoDB 客户端路由到 egress gateway。
Egress gateway 再将流量转发到 MongoDB 主机。请注意sidecar 代理会将目的端口重写为 443。
Egress gateway 在 443 端口上接受 MongoDB 流量,按照 SNI 匹配 MongoDB 主机,并再次将端口重写为 MongoDB 服务器的端口。
1. [Deploy Istio egress gateway](/zh/docs/tasks/traffic-management/egress/egress-gateway/#deploy-Istio-egress-gateway).
1. [部署 Istio egress gateway](/zh/docs/tasks/traffic-management/egress/egress-gateway/#deploy-Istio-egress-gateway).
1. Create a `ServiceEntry` for the MongoDB service:
1. 为 MongoDB service 创建一个 `ServiceEntry`:
{{< text bash >}}
$ kubectl apply -f - <<EOF
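Review bot: the heading "通过 egress gateway 定向 TLS Egress 流量" carries the anchor `{#direct-tcp-egress-traffic-through-an-egress-gateway}`, copied from the TCP section and differing from the TCP anchor only by case (`{#direct-TCP-...}`); rename it to `{#direct-TLS-egress-traffic-through-an-egress-gateway}` and update the link in the preceding TLS "no gateway" section to match, otherwise the two sections are distinguishable only by letter case and the lowercase links in the TCP sections resolve to the TLS section.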
@ -598,15 +533,11 @@ to be 443. The egress gateway accepts the MongoDB traffic on the port 443, match
EOF
{{< /text >}}
1. Refresh the web page of the application and verify that the ratings are displayed correctly.
1. 刷新应用程序的网页并验证评级数据是否显示正常。
1. Create an egress `Gateway` for your MongoDB service, and destination rules and virtual services
to direct the traffic through the egress gateway and from the egress gateway to the external service.
1. 为您的 MongoDB service 创建一个 egress `Gateway`、一个 destination rules 和 virtual services以将流量定向到 egress gateway并从 egress gateway 发送到外部服务。
If you want to enable [mutual TLS Authentication](/zh/docs/tasks/security/authentication/mutual-tls/) between the sidecar proxies of
your application pods and the egress gateway, use the following command. (You may want to enable mutual TLS to let
the egress gateway monitor the identity of the source pods and to enable Mixer policy enforcement based on that
identity.)
如果您希望启用 sidecar 代理和应用程序 pod 以及 egress gateway 之间的[双向 TLS 认证](/zh/docs/tasks/security/authentication/mutual-tls/),可以使用下面的命令。(您可能希望启用双向 TLS 以使 egress gateway 监控来源 pod 的身份并基于该 identity 启用 Mixer 策略。)
{{< tabset category-name="mtls" >}}
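Review bot: "启用 sidecar 代理和应用程序 pod 以及 egress gateway 之间的双向 TLS 认证" again misplaces the parties; the English is mutual TLS between the application pods' sidecar proxies and the egress gateway, i.e. "应用程序 pod 的 sidecar 代理与 egress gateway 之间". The "一个 destination rules 和 virtual services" wording from the TCP section recurs in this step as well.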
@ -763,9 +694,9 @@ to be 443. The egress gateway accepts the MongoDB traffic on the port 443, match
{{< /tabset >}}
1. [Verify that the traffic is directed though the egress gateway](#verify-that-egress-traffic-is-directed-through-the-egress-gateway)
1. [验证 TCP egress 流量是否通过 egress gateway 定向](#verify-that-egress-traffic-is-directed-through-the-egress-gateway)
#### Cleanup directing TLS egress traffic through an egress gateway
#### 清除通过 egress gateway 定向 TLS Egress 流量的配置{#cleanup-directing-TLS-Egress-traffic-through-an-egress-gateway}
{{< text bash >}}
$ kubectl delete serviceentry mongo
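Review bot: the verification link in this TLS hunk reads "验证 TCP egress 流量是否通过 egress gateway 定向", but the traffic being verified here is TLS; the English link text is protocol-neutral ("Verify that the traffic is directed through the egress gateway"), so drop "TCP" here (and in the shared heading it points to). Minor: the cleanup heading's anchor `{#cleanup-directing-TLS-Egress-traffic-through-an-egress-gateway}` capitalises "Egress" unlike every other anchor in the file.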
@ -774,30 +705,24 @@ $ kubectl delete virtualservice direct-mongo-through-egress-gateway
$ kubectl delete destinationrule egressgateway-for-mongo
{{< /text >}}
### Enable MongoDB TLS egress traffic to arbitrary wildcarded domains
### 启用到任意通配符域名的 MongoDB TLS egress 流量{#enable-MongoDB-TLS-egress-traffic-to-arbitrary-wildcarded-domains}
Sometimes you want to configure egress traffic to multiple hostnames from the same domain, for example traffic to all
MongoDB services from `*.<your company domain>.com`. You do not want to create multiple configuration items, one for
each and every MongoDB service in your company. To configure access to all the external services from the same domain by
a single configuration, you use *wildcarded* hosts.
有时,您希望将 egress 流量配置为来自同一域的多个主机名,例如到 `*.<your company domain>.com` 中的所有 MongoDB service。
您不希望创建多个配置项,而是一个用于公司中所有 MongoDB service 的通用配置项。
要想通过一个配置来控制到所有相同域中的外部服务的访问,您需要使用*通配符*主机。
In this section you configure egress traffic for a wildcarded domain. I used a MongoDB instance at `composedb.com`
domain, so configuring egress traffic for `*.com` worked for me (I could have used `*.composedb.com` as well).
You can pick a wildcarded domain according to your MongoDB host.
在本节中,您将为通配符域名配置 egress gateway。我在 `composedb.com` 处使用了 MongoDB instance
因此为 `*.com` 配置出口流量对我有效(我也可以使用`*.composedb.com`)。
您可以根据 MongoDB 主机选择通配符域名。
To configure egress gateway traffic for a wildcarded domain, you will first need to deploy a custom egress
gateway with
[an additional SNI proxy](/zh/docs/tasks/traffic-management/egress/wildcard-egress-hosts/#wildcard-configuration-for-arbitrary-domains).
This is needed due to current limitations of Envoy, the proxy used by the standard Istio egress gateway.
要为通配符域名配置 egress gateway 流量,
您需要使用[一个额外的 SNI 代理](/zh/docs/tasks/traffic-management/egress/wildcard-egress-hosts/#wildcard-configuration-for-arbitrary-domains)来部署一个自定义的 egress gateway。由于 EnvoyIstio egress gateway 使用的标准代理)目前的限制,这是必须的。
#### Prepare a new egress gateway with an SNI proxy
#### 准备一个 SNI 代理使用新的 egress gateway{#prepare-a-new-egress-gateway-with-an-SNI-proxy}
In this subsection you deploy an egress gateway with an SNI proxy, in addition to the standard Istio Envoy proxy. You
can use any SNI proxy that is capable of routing traffic according to arbitrary, not-preconfigured SNI values; we used
[Nginx](http://nginx.org) to achieve this functionality.
在本节中,除了标准的 Istio Envoy 代理之外,您还将部署具有 SNI 代理的 egress gateway。您可以使用任何能够根据任意未预先配置的 SNI 值路由流量的 SNI 代理;我们使用 [Nginx](http://nginx.org) 来实现这一功能。
1. Create a configuration file for the Nginx SNI proxy. You may want to edit the file to specify additional Nginx
settings, if required.
1. 为 Nginx SNI 代理创建配置文件。如果需要,您可以编辑该文件以指定其他 Nginx 设置。
{{< text bash >}}
$ cat <<EOF > ./sni-proxy.conf
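Review bot: the new subsection heading `#### 准备一个 SNI 代理使用新的 egress gateway` inverts the English ("Prepare a new egress gateway with an SNI proxy", i.e. the gateway carries the proxy, not the other way round); suggest `#### 准备一个带有 SNI 代理的新 egress gateway{#prepare-a-new-egress-gateway-with-an-SNI-proxy}`. In the same hunk, the parenthetical in `由于 EnvoyIstio egress gateway 使用的标准代理)目前的限制` has lost its opening bracket and should read `由于 Envoy(Istio egress gateway 使用的标准代理)目前的限制`, and `在本节中,您将为通配符域名配置 egress gateway` should say `egress 流量`, since that sentence is about configuring egress traffic; the custom gateway is introduced only in the following paragraph. Minor: `出口流量` on the next line is the only place that term appears, the rest of the translation uses `egress 流量`.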
@ -824,14 +749,13 @@ can use any SNI proxy that is capable of routing traffic according to arbitrary,
EOF
{{< /text >}}
1. Create a Kubernetes [ConfigMap](https://kubernetes.io/docs/tasks/configure-pod-container/configure-pod-configmap/)
to hold the configuration of the Nginx SNI proxy:
1. 创建一个 Kubernetes [ConfigMap](https://kubernetes.io/docs/tasks/configure-pod-container/configure-pod-configmap/) 来保存 Nginx SNI 代理的配置:
{{< text bash >}}
$ kubectl create configmap egress-sni-proxy-configmap -n istio-system --from-file=nginx.conf=./sni-proxy.conf
{{< /text >}}
1. The following command will generate `istio-egressgateway-with-sni-proxy.yaml` to edit and deploy.
1. 下面的命令将产生用于编辑和部署的 `istio-egressgateway-with-sni-proxy.yaml` 文件。
{{< text bash >}}
$ cat <<EOF | helm template install/kubernetes/helm/istio/ --name istio-egressgateway-with-sni-proxy --namespace istio-system -x charts/gateways/templates/deployment.yaml -x charts/gateways/templates/service.yaml -x charts/gateways/templates/serviceaccount.yaml -x charts/gateways/templates/autoscale.yaml -x charts/gateways/templates/role.yaml -x charts/gateways/templates/rolebindings.yaml --set global.mtls.enabled=true --set global.istioNamespace=istio-system -f - > ./istio-egressgateway-with-sni-proxy.yaml
@ -876,7 +800,7 @@ to hold the configuration of the Nginx SNI proxy:
EOF
{{< /text >}}
1. Deploy the new egress gateway:
1. 部署新的 egress gateway
{{< text bash >}}
$ kubectl apply -f ./istio-egressgateway-with-sni-proxy.yaml
@ -888,8 +812,7 @@ to hold the configuration of the Nginx SNI proxy:
horizontalpodautoscaler "istio-egressgateway-with-sni-proxy" created
{{< /text >}}
1. Verify that the new egress gateway is running. Note that the pod has two containers (one is the Envoy proxy and the
second one is the SNI proxy).
1. 验证新 egress gateway 是否工作正常。请注意 pod 有两个容器(一个是 Envoy 代理,另一个是 SNI 代理)。
{{< text bash >}}
$ kubectl get pod -l istio=egressgateway-with-sni-proxy -n istio-system
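Review bot: `验证新 egress gateway 是否工作正常` claims more than the step checks. The command only confirms the pod is `Running` with `2/2` containers ready, so `验证新 egress gateway 是否正在运行` matches both the English and the output shown.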
@ -897,8 +820,7 @@ to hold the configuration of the Nginx SNI proxy:
istio-egressgateway-with-sni-proxy-79f6744569-pf9t2 2/2 Running 0 17s
{{< /text >}}
1. Create a service entry with a static address equal to 127.0.0.1 (`localhost`), and disable mutual TLS on the traffic directed to the new
service entry:
1. 创建一个使用静态地址 127.0.0.1 (`localhost`) 的 service entry并对定向到新 service entry 的流量禁用双向 TLS
{{< text bash >}}
$ kubectl apply -f - <<EOF
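Review bot: the translated step `创建一个使用静态地址 127.0.0.1 (`localhost`) 的 service entry并对定向到新 service entry 的流量禁用双向 TLS` runs two clauses together without a comma and drops the colon that introduces the command block; suggest `...的 service entry,并对定向到新 service entry 的流量禁用双向 TLS:`.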
@ -930,9 +852,9 @@ to hold the configuration of the Nginx SNI proxy:
EOF
{{< /text >}}
#### Configure access to `*.com` using the new egress gateway
#### 使用新 egress gateway 配置到 `*.com` 的访问{#configure-access-to-com-using-the-new-egress-gateway}
1. Define a `ServiceEntry` for `*.com`:
1. `*.com` 定义一个 `ServiceEntry`
{{< text bash >}}
$ cat <<EOF | kubectl create -f -
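Review bot: the step "1. `*.com` 定义一个 `ServiceEntry`" has lost the leading `为`, so it no longer reads as "Define a `ServiceEntry` for `*.com`"; suggest "1. 为 `*.com` 定义一个 `ServiceEntry`:" (with the trailing colon the other steps carry).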
@ -954,10 +876,8 @@ to hold the configuration of the Nginx SNI proxy:
EOF
{{< /text >}}
1. Create an egress `Gateway` for _*.com_, port 443, protocol TLS, a destination rule to set the
[SNI](https://en.wikipedia.org/wiki/Server_Name_Indication) for the gateway, and Envoy filters to prevent tampering
with SNI by a malicious application (the filters verify that the SNI issued by the application is the SNI reported
to Mixer).
1. 为 *.com 创建一个 egress Gateway使用 443 端口和 TLS 协议。创建一个 destination rule 来为 gateway 设置 [SNI](https://en.wikipedia.org/wiki/Server_Name_Indication)。
以及为 Envoy 过滤器以防止恶意应用程序篡改SNI (过滤器验证这个应用程序发布的 SNI与报告给 Mixer 的 SNI是否相同)
{{< text bash >}}
$ kubectl apply -f - <<EOF
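Review bot: the rewritten step `为 *.com 创建一个 egress Gateway使用 443 端口和 TLS 协议。` is missing a comma after `Gateway`, and the second sentence `以及为 Envoy 过滤器以防止恶意应用程序篡改SNI` is ungrammatical (the English says the filters are created, alongside the destination rule). Suggest: `为 _*.com_ 创建一个 egress `Gateway`(443 端口,TLS 协议)、一个为 gateway 设置 [SNI](...) 的 destination rule,以及用于防止恶意应用程序篡改 SNI 的 Envoy 过滤器(过滤器验证应用程序发出的 SNI 与报告给 Mixer 的 SNI 是否一致)。` Keep the tampering rationale, since it is the reason the filters exist. Also `*.com` here is bare text while the next step uses `_*.com_`; use one form.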
@ -1036,7 +956,7 @@ to hold the configuration of the Nginx SNI proxy:
EOF
{{< /text >}}
1. Route the traffic destined for _*.com_ to the egress gateway and from the egress gateway to the SNI proxy.
1. 将目的为 _*.com_ 的流量路由到 egress gateway并从 egress gateway 路由到 SNI 代理.
{{< text bash >}}
$ kubectl apply -f - <<EOF
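Review bot: `将目的为 _*.com_ 的流量路由到 egress gateway并从 egress gateway 路由到 SNI 代理.` needs a comma before `并` and ends with an ASCII period instead of `。`; suggest `将目的为 _*.com_ 的流量路由到 egress gateway,并从 egress gateway 路由到 SNI 代理。`.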
@ -1078,12 +998,11 @@ to hold the configuration of the Nginx SNI proxy:
EOF
{{< /text >}}
1. Refresh the web page of the application again and verify that the ratings are still displayed correctly.
1. 再次刷新应用程序的网页,验证评级数据仍然显示正确。
1. [Enable Envoys access logging](/zh/docs/tasks/observability/logs/access-log/#enable-envoy-s-access-logging)
1. [开启 Envoy 访问日志](/zh/docs/tasks/observability/logs/access-log/#enable-envoy-s-access-logging)
1. Check the log of the egress gateway's Envoy proxy. If Istio is deployed in the `istio-system` namespace, the command
to print the log is:
1. 检查 egress gateway 的 Envoy 的日志。如果 Istio 部署在 `istio-system` namespace 中,打印日志的的命令为:
{{< text bash >}}
$ kubectl logs -l istio=egressgateway-with-sni-proxy -c istio-proxy -n istio-system
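Review bot: `打印日志的的命令为` in the last translated step has a doubled `的`; the matching SNI-proxy step in the next hunk already reads `打印日志的命令为`. In the same step `检查 egress gateway 的 Envoy 的日志` stacks two `的`; `检查 egress gateway 的 Envoy 代理日志` is closer to "Check the log of the egress gateway's Envoy proxy".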
@ -1096,8 +1015,7 @@ to hold the configuration of the Nginx SNI proxy:
[2019-01-02T17:22:04.713Z] "- - -" 0 - 1534 2590 85 - "-" "-" "-" "-" "127.0.0.1:28543" outbound|28543||sni-proxy.local 127.0.0.1:49988 172.30.146.115:443 172.30.146.118:58522 <your MongoDB host>
{{< /text >}}
1. Check the logs of the SNI proxy. If Istio is deployed in the `istio-system` namespace, the command to print the
log is:
1. 检查 SNI 代理的日志。如果 Istio 部署在 `istio-system` namespace 中,打印日志的命令为:
{{< text bash >}}
$ kubectl logs -l istio=egressgateway-with-sni-proxy -n istio-system -c sni-proxy
@ -1105,21 +1023,19 @@ to hold the configuration of the Nginx SNI proxy:
127.0.0.1 [23/Aug/2018:03:28:18 +0000] TCP [<your MongoDB host>]200 2590 1248 0.095
{{< /text >}}
#### Understanding what happened
#### 理解原理{#understanding-what-happened}
In this section you configured egress traffic to your MongoDB host using a wildcarded domain. While for a single MongoDB
host there is no gain in using wildcarded domains (an exact hostname can be specified), it could be beneficial for
cases when the applications in the cluster access multiple MongoDB hosts that match some wildcarded domain. For example,
if the applications access `mongodb1.composedb.com`, `mongodb2.composedb.com` and `mongodb3.composedb.com`, the egress
traffic can be configured by a single configuration for the wildcarded domain `*.composedb.com`.
在本节中,您使用通配符域名为您的 MongoDB 主机配置了 egress 流量。对于单个 MongoDB 主机使用通配符域名没有任何好处(可以指定确切的主机名),
而当集群中的应用程序需要访问多个匹配某个通配符域名的 MongoDB 主机时可能有用。
例如,如果应用程序需要访问 `mongodb1.composedb.com`、`mongodb2.composedb.com` 和 `mongodb3.composedb.com` 时,
egress 流量可以使用针对泛域名 `*.composedb.com` 的单个配置实现。
I will leave it as an exercise for the reader to verify that no additional Istio configuration is required when you
configure an app to use another instance of MongoDB with a hostname that matches the wildcarded domain used in this
section.
当配置一个应用使用另一个主机名匹配本小节中的通配符域名的 MongoDB 实例时,不需要额外的 Istio 配置。
我将这留作一个练习,让读者自行验证。
#### Cleanup of configuration for MongoDB TLS egress traffic to arbitrary wildcarded domains
#### 清理到任意通配符域名的 MongoDB TLS egress 流量的配置{#cleanup-of-configuration-for-MongoDB-TLS-egress-traffic-to-arbitrary-wildcarded-domains}
1. Delete the configuration items for _*.com_:
1. 删除针对 `*.com` 的配置项:
{{< text bash >}}
$ kubectl delete serviceentry mongo
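Review bot: `泛域名` in `egress 流量可以使用针对泛域名 `*.composedb.com` 的单个配置实现` is the only use of that term; the section heading and the sentence three lines earlier use `通配符域名`, so keep `通配符域名` throughout. Also the cleanup step `删除针对 `*.com` 的配置项` renders the host as code while the routing step above used `_*.com_`; pick one form.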
@ -1129,7 +1045,7 @@ section.
$ kubectl delete envoyfilter forward-downstream-sni egress-gateway-sni-verifier
{{< /text >}}
1. Delete the configuration items for the `egressgateway-with-sni-proxy` `Deployment`:
1. 删除 `egressgateway-with-sni-proxy` `Deployment` 的配置项:
{{< text bash >}}
$ kubectl delete serviceentry sni-proxy
@ -1138,16 +1054,16 @@ section.
$ kubectl delete configmap egress-sni-proxy-configmap -n istio-system
{{< /text >}}
1. Remove the configuration files you created:
1. 删除您创建的配置文件:
{{< text bash >}}
$ rm ./istio-egressgateway-with-sni-proxy.yaml
$ rm ./nginx-sni-proxy.conf
{{< /text >}}
## Cleanup
## 清理{#cleanup}
1. Drop the `bookinfo` user:
1. 删除`bookinfo`用户:
{{< text bash >}}
$ cat <<EOF | mongo --ssl --sslAllowInvalidCertificates $MONGODB_HOST:$MONGODB_PORT -u admin -p $MONGO_ADMIN_PASSWORD --authenticationDatabase admin
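Review bot: the unchanged context line `$ rm ./nginx-sni-proxy.conf` removes a file no step creates: the SNI proxy configuration is written with `cat <<EOF > ./sni-proxy.conf` and loaded with `--from-file=nginx.conf=./sni-proxy.conf`, so the cleanup should be `rm ./sni-proxy.conf`. This is inherited from the English source rather than introduced here, but it is worth correcting so the cleanup steps actually run. Minor: `删除`bookinfo`用户` lacks the spaces around inline code that the rest of the translation uses (`删除 `bookinfo` 用户`).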
@ -1156,7 +1072,7 @@ section.
EOF
{{< /text >}}
1. Drop the _ratings_ collection:
1. 删除 `ratings` 集合:
{{< text bash >}}
$ cat <<EOF | mongo --ssl --sslAllowInvalidCertificates $MONGODB_HOST:$MONGODB_PORT -u admin -p $MONGO_ADMIN_PASSWORD --authenticationDatabase admin
@ -1165,13 +1081,13 @@ section.
EOF
{{< /text >}}
1. Unset the environment variables you used:
1. 取消您使用的环境变量:
{{< text bash >}}
$ unset MONGO_ADMIN_PASSWORD BOOKINFO_PASSWORD MONGODB_HOST MONGODB_PORT MONGODB_IP
{{< /text >}}
1. Remove the virtual services:
1. 删除 virtual services
{{< text bash >}}
$ kubectl delete -f @samples/bookinfo/networking/virtual-service-ratings-db.yaml@
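Review bot: `取消您使用的环境变量` reads as "cancel" rather than "unset"; `取消设置您使用的环境变量` (or `清除`) matches the `unset` command that follows. `删除 virtual services` is also missing the trailing colon the other steps carry.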
@ -1179,22 +1095,19 @@ section.
Deleted config: virtual-service/default/ratings
{{< /text >}}
1. Undeploy _ratings v2-mongodb_:
1. 删除 `ratings v2-mongodb` deployment
{{< text bash >}}
$ kubectl delete -f @samples/bookinfo/platform/kube/bookinfo-ratings-v2.yaml@
deployment "ratings-v2" deleted
{{< /text >}}
## Conclusion
## 总结{#conclusion}
In this blog post I demonstrated various options for MongoDB egress traffic control. You can control the MongoDB egress
traffic on a TCP or TLS level where applicable. In both TCP and TLS cases, you can direct the traffic from the sidecar
proxies directly to the external MongoDB host, or direct the traffic through an egress gateway, according to your
organization's security requirements. In the latter case, you can also decide to apply or disable mutual TLS
authentication between the sidecar proxies and the egress gateway. If you want to control MongoDB egress traffic on the
TLS level by specifying wildcarded domains like `*.com` and you need to direct the traffic through the egress gateway,
you must deploy a custom egress gateway with an SNI proxy.
在这篇博文中,我演示了 MongoDB egress 流量控制的各种选项。您可以在 TCP 或 TLS 层面上控制 MongoDB egress 流量。
根据您的组织的安全需求,在 TCP 和 TLS 场景下您都可以将流量从 sidecar 代理定向到外部 MongoDB 主机
,或者通过一个 egress gateway 进行转发。在后面一种场景中,您还可以决定是否禁用 sidecar 代理到 egress gateway 的双向 TLS 认证。
如果您想要通过指定类似 `*.com` 的通配符域名来从 TLS 层面控制 MongoDB 的 egress 流量,并且通过 egress gateway 定向流量时,
您必须部署一个使用 SNI 代理的自定义 egress gateway。
Note that the configuration and considerations described in this blog post for MongoDB are rather the same for other
non-HTTP protocols on top of TCP/TLS.
请注意,本博客文章中描述的 MongoDB 配置和注意事项与 TCP/TLS 之上的其他非 HTTP 协议相同。
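Review bot: in the conclusion, the line beginning `,或者通过一个 egress gateway 进行转发` starts with a comma because the sentence was wrapped before its punctuation; join it to the previous line (`...定向到外部 MongoDB 主机,或者通过一个 egress gateway 进行转发。`). The translation also drops two qualifiers from the English that carry the paragraph's security contrast: "directly to the external MongoDB host" (`直接定向到外部 MongoDB 主机`) versus routing through the gateway, and "where applicable" after "on a TCP or TLS level" (e.g. `视情况在 TCP 或 TLS 层面上`). Minor: `并且通过 egress gateway 定向流量时` loses the "need to" of "you need to direct the traffic through the egress gateway"; `并且需要通过 egress gateway 转发流量` is closer.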