istio.io/content/zh/docs/tasks/observability/gateways/index.md

19 KiB
Raw Permalink Blame History

title description weight keywords aliases
远程访问遥测插件 此任务向您展示如何配置从外部访问 Istio 遥测插件。 99
telemetry
gateway
jaeger
zipkin
tracing
kiali
prometheus
addons
/zh/docs/tasks/telemetry/gateways/

此任务说明如何配置 Istio 以显示和访问集群外部的遥测插件。

配置远程访问

远程访问遥测插件的方式有很多种。 该任务涵盖了两种基本访问方式:安全的(通过 HTTPS和不安全的通过 HTTP。 对于任何生产或敏感环境,强烈建议 通过安全方式访问。 不安全访问易于设置,但是无法保护在集群外传输的任何凭据或数据。

方式 1安全访问HTTPS

安全访问需要一个服务器证书。按照这些步骤来为您的域名安装并配置服务器证书。

您也可以使用自签名证书。访问配置使用 SDS 通过 HTTPS 访问的安全网关任务以了解使用自签名证书访问集群内服务的详情。

{{< warning >}} 本方式 涵盖了传输层的安全。您还应该配置遥测插件,使其暴露在外部时需要身份验证。 {{< /warning >}}

  1. 安装 cert-manager 以自动管理证书。

  2. 安装 Istio 到您的集群并启用 cert-manager 标志且配置 istio-ingressgateway 使用 Secret Discovery Service

    要安装相应的 Istio使用下列安装选项

    • --set values.gateways.enabled=true
    • --set values.gateways.istio-ingressgateway.enabled=true
    • --set values.gateways.istio-ingressgateway.sds.enabled=true

    要额外安装遥测插件,使用下列安装选项:

    • Grafana: --set values.grafana.enabled=true
    • Kiali: --set values.kiali.enabled=true
    • Prometheus: --set values.prometheus.enabled=true
    • Tracing: --set values.tracing.enabled=true
  3. 为您的域名配置 DNS 记录。

    1. 获取 istio-ingressgateway 的外部 IP 地址。

      {{< text bash >}} $ kubectl -n istio-system get service istio-ingressgateway -o jsonpath='{.status.loadBalancer.ingress[0].ip}' {{< /text >}}

    2. 设置环境变量保存目标域名:

      {{< text bash >}} $ TELEMETRY_DOMAIN=<your.desired.domain> {{< /text >}}

    3. 通过您的域名提供商将所需的域名指向该外部 IP 地址。

      实现此步骤的机制因提供商而异。以下是一些示例文档链接:

    4. 验证 DNS 记录无误。

      {{< text bash >}} $ dig +short $TELEMETRY_DOMAIN {{< /text >}}

  4. 生成服务器证书

    {{< text bash >}} $ cat <<EOF | kubectl apply -f - apiVersion: certmanager.k8s.io/v1alpha1 kind: Certificate metadata: name: telemetry-gw-cert namespace: istio-system spec: secretName: telemetry-gw-cert issuerRef: name: letsencrypt kind: ClusterIssuer commonName: $TELEMETRY_DOMAIN dnsNames:

    • $TELEMETRY_DOMAIN acme: config:
      • http01: ingressClass: istio domains:
        • $TELEMETRY_DOMAIN

    EOF certificate.certmanager.k8s.io "telemetry-gw-cert" created {{< /text >}}

  5. 等待服务器证书准备就绪。

    {{< text syntax="bash" expandlinks="false" >}} $ JSONPATH='{range .items[]}{@.metadata.name}:{range @.status.conditions[]}{@.type}={@.status}{end}{end}' && kubectl -n istio-system get certificates -o jsonpath="$JSONPATH" telemetry-gw-cert:Ready=True {{< /text >}}

  6. 应用遥测插件的网络配置。

    1. 应用以下配置以暴露 Grafana

      {{< text bash >}} $ cat <<EOF | kubectl apply -f - apiVersion: networking.istio.io/v1alpha3 kind: Gateway metadata: name: grafana-gateway namespace: istio-system spec: selector: istio: ingressgateway servers:

      • port: number: 15031 name: https-grafana protocol: HTTPS tls: mode: SIMPLE serverCertificate: sds privateKey: sds credentialName: telemetry-gw-cert hosts:
        • "$TELEMETRY_DOMAIN"

      apiVersion: networking.istio.io/v1alpha3 kind: VirtualService metadata: name: grafana-vs namespace: istio-system spec: hosts:

      • "$TELEMETRY_DOMAIN" gateways:
      • grafana-gateway http:
      • match:
        • port: 15031 route:
        • destination: host: grafana port: number: 3000

      apiVersion: networking.istio.io/v1alpha3 kind: DestinationRule metadata: name: grafana namespace: istio-system spec: host: grafana trafficPolicy: tls: mode: DISABLE

      EOF gateway.networking.istio.io "grafana-gateway" configured virtualservice.networking.istio.io "grafana-vs" configured destinationrule.networking.istio.io "grafana" configured {{< /text >}}

    2. 应用以下配置以暴露 Kiali

      {{< text bash >}} $ cat <<EOF | kubectl apply -f - apiVersion: networking.istio.io/v1alpha3 kind: Gateway metadata: name: kiali-gateway namespace: istio-system spec: selector: istio: ingressgateway servers:

      • port: number: 15029 name: https-kiali protocol: HTTPS tls: mode: SIMPLE serverCertificate: sds privateKey: sds credentialName: telemetry-gw-cert hosts:
        • "$TELEMETRY_DOMAIN"

      apiVersion: networking.istio.io/v1alpha3 kind: VirtualService metadata: name: kiali-vs namespace: istio-system spec: hosts:

      • "$TELEMETRY_DOMAIN" gateways:
      • kiali-gateway http:
      • match:
        • port: 15029 route:
        • destination: host: kiali port: number: 20001

      apiVersion: networking.istio.io/v1alpha3 kind: DestinationRule metadata: name: kiali namespace: istio-system spec: host: kiali trafficPolicy: tls: mode: DISABLE

      EOF gateway.networking.istio.io "kiali-gateway" configured virtualservice.networking.istio.io "kiali-vs" configured destinationrule.networking.istio.io "kiali" configured {{< /text >}}

    3. 应用以下配置以暴露 Prometheus

      {{< text bash >}} $ cat <<EOF | kubectl apply -f - apiVersion: networking.istio.io/v1alpha3 kind: Gateway metadata: name: prometheus-gateway namespace: istio-system spec: selector: istio: ingressgateway servers:

      • port: number: 15030 name: https-prom protocol: HTTPS tls: mode: SIMPLE serverCertificate: sds privateKey: sds credentialName: telemetry-gw-cert hosts:
        • "$TELEMETRY_DOMAIN"

      apiVersion: networking.istio.io/v1alpha3 kind: VirtualService metadata: name: prometheus-vs namespace: istio-system spec: hosts:

      • "$TELEMETRY_DOMAIN" gateways:
      • prometheus-gateway http:
      • match:
        • port: 15030 route:
        • destination: host: prometheus port: number: 9090

      apiVersion: networking.istio.io/v1alpha3 kind: DestinationRule metadata: name: prometheus namespace: istio-system spec: host: prometheus trafficPolicy: tls: mode: DISABLE

      EOF gateway.networking.istio.io "prometheus-gateway" configured virtualservice.networking.istio.io "prometheus-vs" configured destinationrule.networking.istio.io "prometheus" configured {{< /text >}}

    4. 应用以下配置以暴露跟踪服务:

      {{< text bash >}} $ cat <<EOF | kubectl apply -f - apiVersion: networking.istio.io/v1alpha3 kind: Gateway metadata: name: tracing-gateway namespace: istio-system spec: selector: istio: ingressgateway servers:

      • port: number: 15032 name: https-tracing protocol: HTTPS tls: mode: SIMPLE serverCertificate: sds privateKey: sds credentialName: telemetry-gw-cert hosts:
        • "$TELEMETRY_DOMAIN"

      apiVersion: networking.istio.io/v1alpha3 kind: VirtualService metadata: name: tracing-vs namespace: istio-system spec: hosts:

      • "$TELEMETRY_DOMAIN" gateways:
      • tracing-gateway http:
      • match:
        • port: 15032 route:
        • destination: host: tracing port: number: 80

      apiVersion: networking.istio.io/v1alpha3 kind: DestinationRule metadata: name: tracing namespace: istio-system spec: host: tracing trafficPolicy: tls: mode: DISABLE

      EOF gateway.networking.istio.io "tracing-gateway" configured virtualservice.networking.istio.io "tracing-vs" configured destinationrule.networking.istio.io "tracing" configured {{< /text >}}

  7. 通过浏览器访问这些遥测插件。

    • Kiali: https://$TELEMETRY_DOMAIN:15029/
    • Prometheus: https://$TELEMETRY_DOMAIN:15030/
    • Grafana: https://$TELEMETRY_DOMAIN:15031/
    • Tracing: https://$TELEMETRY_DOMAIN:15032/

方式 2不安全访问HTTP

  1. 安装 Istio 到您的集群并启用您所需要的遥测插件。

    要额外安装这些遥测插件,使用下列安装选项:

    • Grafana: --set values.grafana.enabled=true
    • Kiali: --set values.kiali.enabled=true
    • Prometheus: --set values.prometheus.enabled=true
    • Tracing: --set values.tracing.enabled=true
  2. 应用遥测插件的网络配置。

    1. 应用以下配置以暴露 Grafana

      {{< text bash >}} $ cat <<EOF | kubectl apply -f - apiVersion: networking.istio.io/v1alpha3 kind: Gateway metadata: name: grafana-gateway namespace: istio-system spec: selector: istio: ingressgateway servers:

      • port: number: 15031 name: http-grafana protocol: HTTP hosts:
        • "*"

      apiVersion: networking.istio.io/v1alpha3 kind: VirtualService metadata: name: grafana-vs namespace: istio-system spec: hosts:

      • "*" gateways:
      • grafana-gateway http:
      • match:
        • port: 15031 route:
        • destination: host: grafana port: number: 3000

      apiVersion: networking.istio.io/v1alpha3 kind: DestinationRule metadata: name: grafana namespace: istio-system spec: host: grafana trafficPolicy: tls: mode: DISABLE

      EOF gateway.networking.istio.io "grafana-gateway" configured virtualservice.networking.istio.io "grafana-vs" configured destinationrule.networking.istio.io "grafana" configured {{< /text >}}

    2. 应用以下配置以暴露 Kiali

      {{< text bash >}} $ cat <<EOF | kubectl apply -f - apiVersion: networking.istio.io/v1alpha3 kind: Gateway metadata: name: kiali-gateway namespace: istio-system spec: selector: istio: ingressgateway servers:

      • port: number: 15029 name: http-kiali protocol: HTTP hosts:
        • "*"

      apiVersion: networking.istio.io/v1alpha3 kind: VirtualService metadata: name: kiali-vs namespace: istio-system spec: hosts:

      • "*" gateways:
      • kiali-gateway http:
      • match:
        • port: 15029 route:
        • destination: host: kiali port: number: 20001

      apiVersion: networking.istio.io/v1alpha3 kind: DestinationRule metadata: name: kiali namespace: istio-system spec: host: kiali trafficPolicy: tls: mode: DISABLE

      EOF gateway.networking.istio.io "kiali-gateway" configured virtualservice.networking.istio.io "kiali-vs" configured destinationrule.networking.istio.io "kiali" configured {{< /text >}}

    3. 应用以下配置以暴露 Prometheus

      {{< text bash >}} $ cat <<EOF | kubectl apply -f - apiVersion: networking.istio.io/v1alpha3 kind: Gateway metadata: name: prometheus-gateway namespace: istio-system spec: selector: istio: ingressgateway servers:

      • port: number: 15030 name: http-prom protocol: HTTP hosts:
        • "*"

      apiVersion: networking.istio.io/v1alpha3 kind: VirtualService metadata: name: prometheus-vs namespace: istio-system spec: hosts:

      • "*" gateways:
      • prometheus-gateway http:
      • match:
        • port: 15030 route:
        • destination: host: prometheus port: number: 9090

      apiVersion: networking.istio.io/v1alpha3 kind: DestinationRule metadata: name: prometheus namespace: istio-system spec: host: prometheus trafficPolicy: tls: mode: DISABLE

      EOF gateway.networking.istio.io "prometheus-gateway" configured virtualservice.networking.istio.io "prometheus-vs" configured destinationrule.networking.istio.io "prometheus" configured {{< /text >}}

    4. 应用以下配置以暴露跟踪服务:

      {{< text bash >}} $ cat <<EOF | kubectl apply -f - apiVersion: networking.istio.io/v1alpha3 kind: Gateway metadata: name: tracing-gateway namespace: istio-system spec: selector: istio: ingressgateway servers:

      • port: number: 15032 name: http-tracing protocol: HTTP hosts:
        • "*"

      apiVersion: networking.istio.io/v1alpha3 kind: VirtualService metadata: name: tracing-vs namespace: istio-system spec: hosts:

      • "*" gateways:
      • tracing-gateway http:
      • match:
        • port: 15032 route:
        • destination: host: tracing port: number: 80

      apiVersion: networking.istio.io/v1alpha3 kind: DestinationRule metadata: name: tracing namespace: istio-system spec: host: tracing trafficPolicy: tls: mode: DISABLE

      EOF gateway.networking.istio.io "tracing-gateway" configured virtualservice.networking.istio.io "tracing-vs" configured destinationrule.networking.istio.io "tracing" configured {{< /text >}}

  3. 通过浏览器访问这些遥测插件。

    • Kiali: http://<IP ADDRESS OF CLUSTER INGRESS>:15029/
    • Prometheus: http://<IP ADDRESS OF CLUSTER INGRESS>:15030/
    • Grafana: http://<IP ADDRESS OF CLUSTER INGRESS>:15031/
    • Tracing: http://<IP ADDRESS OF CLUSTER INGRESS>:15032/

清除

  • 移除所有相关的网关:

    {{< text bash >}} $ kubectl -n istio-system delete gateway grafana-gateway kiali-gateway prometheus-gateway tracing-gateway gateway.networking.istio.io "grafana-gateway" deleted gateway.networking.istio.io "kiali-gateway" deleted gateway.networking.istio.io "prometheus-gateway" deleted gateway.networking.istio.io "tracing-gateway" deleted {{< /text >}}

  • 移除所有相关的 Virtual Services

    {{< text bash >}} $ kubectl -n istio-system delete virtualservice grafana-vs kiali-vs prometheus-vs tracing-vs virtualservice.networking.istio.io "grafana-vs" deleted virtualservice.networking.istio.io "kiali-vs" deleted virtualservice.networking.istio.io "prometheus-vs" deleted virtualservice.networking.istio.io "tracing-vs" deleted {{< /text >}}

  • 如果安装了网关证书,移除它:

    {{< text bash >}} $ kubectl -n istio-system delete certificate telemetry-gw-cert certificate.certmanager.k8s.io "telemetry-gw-cert" deleted {{< /text >}}