我的书签
添加书签
移除书签远程访问遥测插件
此任务说明如何配置 Istio 以暴露和访问集群外部的遥测插件。
配置远程访问
远程访问遥测插件的方式有很多种。 该任务涵盖了两种基本访问方式:安全的(通过 HTTPS)和不安全的(通过 HTTP)。 对于任何生产或敏感环境,强烈建议通过安全方式访问。 不安全访问易于设置,但是无法保护在集群外传输的任何凭据或数据。
对于这两种方式,首先请执行以下步骤:
在您的集群中安装 Istio。
要安装额外的遥测插件,请参考集成文档。
设置域名暴露这些插件。在此示例中,您将在子域名
grafana.example.com上暴露每个插件。如果您有一个域名(例如 example.com)指向
istio-ingressgateway的外部 IP 地址:$ export INGRESS_DOMAIN="example.com"
如果您没有域名,您可以使用 nip.io,它将自动解析为提供的 IP 地址,这种方式不建议用于生产用途。
$ export INGRESS_HOST=$(kubectl -n istio-system get service istio-ingressgateway -o jsonpath='{.status.loadBalancer.ingress[0].ip}')$ export INGRESS_DOMAIN=${INGRESS_HOST}.nip.io
方式 1:安全访问(HTTPS)
安全访问需要一个服务器证书。按照这些步骤来为您的域名安装并配置服务器证书。
本方式只涵盖了传输层的安全。您还应该配置遥测插件,使其暴露在外部时需要身份验证。
此示例使用自签名证书,这可能不适合生产用途。针对生产环境,请考虑使用 cert-manager 或其他工具来配置证书。 您还可以参阅使用 HTTPS 保护网关任务, 了解有关在网关上使用 HTTPS 的基本信息。
设置证书,此示例使用
openssl进行自签名。$ CERT_DIR=/tmp/certs$ mkdir -p ${CERT_DIR}$ openssl req -x509 -sha256 -nodes -days 365 -newkey rsa:2048 -subj "/O=example Inc./CN=*.${INGRESS_DOMAIN}" -keyout ${CERT_DIR}/ca.key -out ${CERT_DIR}/ca.crt$ openssl req -out ${CERT_DIR}/cert.csr -newkey rsa:2048 -nodes -keyout ${CERT_DIR}/tls.key -subj "/CN=*.${INGRESS_DOMAIN}/O=example organization"$ openssl x509 -req -sha256 -days 365 -CA ${CERT_DIR}/ca.crt -CAkey ${CERT_DIR}/ca.key -set_serial 0 -in ${CERT_DIR}/cert.csr -out ${CERT_DIR}/tls.crt$ kubectl create -n istio-system secret tls telemetry-gw-cert --key=${CERT_DIR}/tls.key --cert=${CERT_DIR}/tls.crt
应用遥测插件的网络配置。
应用以下配置以暴露 Grafana:
$ cat <<EOF | kubectl apply -f -apiVersion: networking.istio.io/v1alpha3kind: Gatewaymetadata:name: grafana-gatewaynamespace: istio-systemspec:selector:istio: ingressgatewayservers:- port:number: 443name: https-grafanaprotocol: HTTPStls:mode: SIMPLEcredentialName: telemetry-gw-certhosts:- "grafana.${INGRESS_DOMAIN}"---apiVersion: networking.istio.io/v1alpha3kind: VirtualServicemetadata:name: grafana-vsnamespace: istio-systemspec:hosts:- "grafana.${INGRESS_DOMAIN}"gateways:- grafana-gatewayhttp:- route:- destination:host: grafanaport:number: 3000---apiVersion: networking.istio.io/v1alpha3kind: DestinationRulemetadata:name: grafananamespace: istio-systemspec:host: grafanatrafficPolicy:tls:mode: DISABLE---EOFgateway.networking.istio.io/grafana-gateway createdvirtualservice.networking.istio.io/grafana-vs createddestinationrule.networking.istio.io/grafana created
应用以下配置以暴露 Kiali:
$ cat <<EOF | kubectl apply -f -apiVersion: networking.istio.io/v1alpha3kind: Gatewaymetadata:name: kiali-gatewaynamespace: istio-systemspec:selector:istio: ingressgatewayservers:- port:number: 443name: https-kialiprotocol: HTTPStls:mode: SIMPLEcredentialName: telemetry-gw-certhosts:- "kiali.${INGRESS_DOMAIN}"---apiVersion: networking.istio.io/v1alpha3kind: VirtualServicemetadata:name: kiali-vsnamespace: istio-systemspec:hosts:- "kiali.${INGRESS_DOMAIN}"gateways:- kiali-gatewayhttp:- route:- destination:host: kialiport:number: 20001---apiVersion: networking.istio.io/v1alpha3kind: DestinationRulemetadata:name: kialinamespace: istio-systemspec:host: kialitrafficPolicy:tls:mode: DISABLE---EOFgateway.networking.istio.io/kiali-gateway createdvirtualservice.networking.istio.io/kiali-vs createddestinationrule.networking.istio.io/kiali created
应用以下配置以暴露 Prometheus:
$ cat <<EOF | kubectl apply -f -apiVersion: networking.istio.io/v1alpha3kind: Gatewaymetadata:name: prometheus-gatewaynamespace: istio-systemspec:selector:istio: ingressgatewayservers:- port:number: 443name: https-promprotocol: HTTPStls:mode: SIMPLEcredentialName: telemetry-gw-certhosts:- "prometheus.${INGRESS_DOMAIN}"---apiVersion: networking.istio.io/v1alpha3kind: VirtualServicemetadata:name: prometheus-vsnamespace: istio-systemspec:hosts:- "prometheus.${INGRESS_DOMAIN}"gateways:- prometheus-gatewayhttp:- route:- destination:host: prometheusport:number: 9090---apiVersion: networking.istio.io/v1alpha3kind: DestinationRulemetadata:name: prometheusnamespace: istio-systemspec:host: prometheustrafficPolicy:tls:mode: DISABLE---EOFgateway.networking.istio.io/prometheus-gateway createdvirtualservice.networking.istio.io/prometheus-vs createddestinationrule.networking.istio.io/prometheus created
应用以下配置以暴露跟踪服务:
$ cat <<EOF | kubectl apply -f -apiVersion: networking.istio.io/v1alpha3kind: Gatewaymetadata:name: tracing-gatewaynamespace: istio-systemspec:selector:istio: ingressgatewayservers:- port:number: 443name: https-tracingprotocol: HTTPStls:mode: SIMPLEcredentialName: telemetry-gw-certhosts:- "tracing.${INGRESS_DOMAIN}"---apiVersion: networking.istio.io/v1alpha3kind: VirtualServicemetadata:name: tracing-vsnamespace: istio-systemspec:hosts:- "tracing.${INGRESS_DOMAIN}"gateways:- tracing-gatewayhttp:- route:- destination:host: tracingport:number: 80---apiVersion: networking.istio.io/v1alpha3kind: DestinationRulemetadata:name: tracingnamespace: istio-systemspec:host: tracingtrafficPolicy:tls:mode: DISABLE---EOFgateway.networking.istio.io/tracing-gateway createdvirtualservice.networking.istio.io/tracing-vs createddestinationrule.networking.istio.io/tracing created
通过浏览器访问这些遥测插件。
如果您使用了自签名的证书,您的浏览器可能将其标记为不安全的。
- Kiali:
https://kiali.${INGRESS_DOMAIN} - Prometheus:
https://prometheus.${INGRESS_DOMAIN} - Grafana:
https://grafana.${INGRESS_DOMAIN} - Tracing:
https://tracing.${INGRESS_DOMAIN}
- Kiali:
方式 2:不安全访问(HTTP)
应用遥测插件的网络配置。
应用以下配置以暴露 Grafana:
$ cat <<EOF | kubectl apply -f -apiVersion: networking.istio.io/v1alpha3kind: Gatewaymetadata:name: grafana-gatewaynamespace: istio-systemspec:selector:istio: ingressgatewayservers:- port:number: 80name: http-grafanaprotocol: HTTPhosts:- "grafana.${INGRESS_DOMAIN}"---apiVersion: networking.istio.io/v1alpha3kind: VirtualServicemetadata:name: grafana-vsnamespace: istio-systemspec:hosts:- "grafana.${INGRESS_DOMAIN}"gateways:- grafana-gatewayhttp:- route:- destination:host: grafanaport:number: 3000---apiVersion: networking.istio.io/v1alpha3kind: DestinationRulemetadata:name: grafananamespace: istio-systemspec:host: grafanatrafficPolicy:tls:mode: DISABLE---EOFgateway.networking.istio.io/grafana-gateway createdvirtualservice.networking.istio.io/grafana-vs createddestinationrule.networking.istio.io/grafana created
应用以下配置以暴露 Kiali:
$ cat <<EOF | kubectl apply -f -apiVersion: networking.istio.io/v1alpha3kind: Gatewaymetadata:name: kiali-gatewaynamespace: istio-systemspec:selector:istio: ingressgatewayservers:- port:number: 80name: http-kialiprotocol: HTTPhosts:- "kiali.${INGRESS_DOMAIN}"---apiVersion: networking.istio.io/v1alpha3kind: VirtualServicemetadata:name: kiali-vsnamespace: istio-systemspec:hosts:- "kiali.${INGRESS_DOMAIN}"gateways:- kiali-gatewayhttp:- route:- destination:host: kialiport:number: 20001---apiVersion: networking.istio.io/v1alpha3kind: DestinationRulemetadata:name: kialinamespace: istio-systemspec:host: kialitrafficPolicy:tls:mode: DISABLE---EOFgateway.networking.istio.io/kiali-gateway createdvirtualservice.networking.istio.io/kiali-vs createddestinationrule.networking.istio.io/kiali created
应用以下配置以暴露 Prometheus:
$ cat <<EOF | kubectl apply -f -apiVersion: networking.istio.io/v1alpha3kind: Gatewaymetadata:name: prometheus-gatewaynamespace: istio-systemspec:selector:istio: ingressgatewayservers:- port:number: 80name: http-promprotocol: HTTPhosts:- "prometheus.${INGRESS_DOMAIN}"---apiVersion: networking.istio.io/v1alpha3kind: VirtualServicemetadata:name: prometheus-vsnamespace: istio-systemspec:hosts:- "prometheus.${INGRESS_DOMAIN}"gateways:- prometheus-gatewayhttp:- route:- destination:host: prometheusport:number: 9090---apiVersion: networking.istio.io/v1alpha3kind: DestinationRulemetadata:name: prometheusnamespace: istio-systemspec:host: prometheustrafficPolicy:tls:mode: DISABLE---EOFgateway.networking.istio.io/prometheus-gateway createdvirtualservice.networking.istio.io/prometheus-vs createddestinationrule.networking.istio.io/prometheus created
应用以下配置以暴露跟踪服务:
$ cat <<EOF | kubectl apply -f -apiVersion: networking.istio.io/v1alpha3kind: Gatewaymetadata:name: tracing-gatewaynamespace: istio-systemspec:selector:istio: ingressgatewayservers:- port:number: 80name: http-tracingprotocol: HTTPhosts:- "tracing.${INGRESS_DOMAIN}"---apiVersion: networking.istio.io/v1alpha3kind: VirtualServicemetadata:name: tracing-vsnamespace: istio-systemspec:hosts:- "tracing.${INGRESS_DOMAIN}"gateways:- tracing-gatewayhttp:- route:- destination:host: tracingport:number: 80---apiVersion: networking.istio.io/v1alpha3kind: DestinationRulemetadata:name: tracingnamespace: istio-systemspec:host: tracingtrafficPolicy:tls:mode: DISABLE---EOFgateway.networking.istio.io/tracing-gateway createdvirtualservice.networking.istio.io/tracing-vs createddestinationrule.networking.istio.io/tracing created
通过浏览器访问这些遥测插件。
- Kiali:
http://kiali.${INGRESS_DOMAIN} - Prometheus:
http://prometheus.${INGRESS_DOMAIN} - Grafana:
http://grafana.${INGRESS_DOMAIN} - Tracing:
http://tracing.${INGRESS_DOMAIN}
- Kiali:
清理
移除所有相关的 Gateway:
$ kubectl -n istio-system delete gateway grafana-gateway kiali-gateway prometheus-gateway tracing-gatewaygateway.networking.istio.io "grafana-gateway" deletedgateway.networking.istio.io "kiali-gateway" deletedgateway.networking.istio.io "prometheus-gateway" deletedgateway.networking.istio.io "tracing-gateway" deleted
移除所有相关的 Virtual Service:
$ kubectl -n istio-system delete virtualservice grafana-vs kiali-vs prometheus-vs tracing-vsvirtualservice.networking.istio.io "grafana-vs" deletedvirtualservice.networking.istio.io "kiali-vs" deletedvirtualservice.networking.istio.io "prometheus-vs" deletedvirtualservice.networking.istio.io "tracing-vs" deleted
移除所有相关的 Destination Rule:
$ kubectl -n istio-system delete destinationrule grafana kiali prometheus tracingdestinationrule.networking.istio.io "grafana" deleteddestinationrule.networking.istio.io "kiali" deleteddestinationrule.networking.istio.io "prometheus" deleteddestinationrule.networking.istio.io "tracing" deleted
