远程访问遥测插件
- 配置远程访问
  - 方式 1：安全访问（HTTPS）
  - 方式 2：不安全访问（HTTP）
- 清除

远程访问遥测插件

此任务说明如何配置 Istio 以显示和访问集群外部的遥测插件。

配置远程访问

远程访问遥测插件的方式有很多种。该任务涵盖了两种基本访问方式：安全的（通过 HTTPS）和不安全的（通过 HTTP）。对于任何生产或敏感环境，强烈建议 通过安全方式访问。不安全访问易于设置，但是无法保护在集群外传输的任何凭据或数据。

方式 1：安全访问（HTTPS）

安全访问需要一个服务器证书。按照这些步骤来为您的域名安装并配置服务器证书。

您也可以使用自签名证书。访问配置使用 SDS 通过 HTTPS 访问的安全网关任务以了解使用自签名证书访问集群内服务的详情。

本方式只涵盖了传输层的安全。您还应该配置遥测插件，使其暴露在外部时需要身份验证。

安装 cert-manager 以自动管理证书。
安装 Istio 到您的集群并启用 cert-manager 标志且配置 istio-ingressgateway 使用 Secret Discovery Service。

要安装相应的 Istio，使用下列安装选项：
- --set values.gateways.enabled=true
- --set values.gateways.istio-ingressgateway.enabled=true
- --set values.gateways.istio-ingressgateway.sds.enabled=true
要额外安装遥测插件，使用下列安装选项：
- Grafana: --set values.grafana.enabled=true
- Kiali: --set values.kiali.enabled=true
- Prometheus: --set values.prometheus.enabled=true
- Tracing: --set values.tracing.enabled=true
为您的域名配置 DNS 记录。
1. 获取 istio-ingressgateway 的外部 IP 地址。
```
$ kubectl -n istio-system get service istio-ingressgateway -o jsonpath='{.status.loadBalancer.ingress[0].ip}'
<IP ADDRESS OF CLUSTER INGRESS>
```
2. 设置环境变量保存目标域名：
```
$ TELEMETRY_DOMAIN=<your.desired.domain>
```
3. 通过您的域名提供商将所需的域名指向该外部 IP 地址。
  
  实现此步骤的机制因提供商而异。以下是一些示例文档链接：
  - Bluehost: DNS 管理增改删 DNS 条目
  - GoDaddy: 添加 A 记录
  - Google Domains: 资源记录
  - Name.com: 添加 A 记录
4. 验证 DNS 记录无误。
```
$ dig +short $TELEMETRY_DOMAIN
<IP ADDRESS OF CLUSTER INGRESS>
```

生成服务器证书

$ cat <<EOF | kubectl apply -f -
apiVersion: certmanager.k8s.io/v1alpha1
kind: Certificate
metadata:
  name: telemetry-gw-cert
  namespace: istio-system
spec:
  secretName: telemetry-gw-cert
  issuerRef:
    name: letsencrypt
    kind: ClusterIssuer
  commonName: $TELEMETRY_DOMAIN
  dnsNames:
  - $TELEMETRY_DOMAIN
  acme:
    config:
    - http01:
        ingressClass: istio
      domains:
      - $TELEMETRY_DOMAIN
---
EOF
certificate.certmanager.k8s.io "telemetry-gw-cert" created

等待服务器证书准备就绪。

$ JSONPATH='{range .items[*]}{@.metadata.name}:{range @.status.conditions[*]}{@.type}={@.status}{end}{end}' && kubectl -n istio-system get certificates -o jsonpath="$JSONPATH"
telemetry-gw-cert:Ready=True

应用遥测插件的网络配置。

应用以下配置以暴露 Grafana：

$ cat <<EOF | kubectl apply -f -
apiVersion: networking.istio.io/v1alpha3
kind: Gateway
metadata:
  name: grafana-gateway
  namespace: istio-system
spec:
  selector:
    istio: ingressgateway
  servers:
  - port:
      number: 15031
      name: https-grafana
      protocol: HTTPS
    tls:
      mode: SIMPLE
      serverCertificate: sds
      privateKey: sds
      credentialName: telemetry-gw-cert
    hosts:
    - "$TELEMETRY_DOMAIN"
---
apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
  name: grafana-vs
  namespace: istio-system
spec:
  hosts:
  - "$TELEMETRY_DOMAIN"
  gateways:
  - grafana-gateway
  http:
  - match:
    - port: 15031
    route:
    - destination:
        host: grafana
        port:
          number: 3000
---
apiVersion: networking.istio.io/v1alpha3
kind: DestinationRule
metadata:
  name: grafana
  namespace: istio-system
spec:
  host: grafana
  trafficPolicy:
    tls:
      mode: DISABLE
---
EOF
gateway.networking.istio.io "grafana-gateway" configured
virtualservice.networking.istio.io "grafana-vs" configured
destinationrule.networking.istio.io "grafana" configured

应用以下配置以暴露 Kiali：

$ cat <<EOF | kubectl apply -f -
apiVersion: networking.istio.io/v1alpha3
kind: Gateway
metadata:
  name: kiali-gateway
  namespace: istio-system
spec:
  selector:
    istio: ingressgateway
  servers:
  - port:
      number: 15029
      name: https-kiali
      protocol: HTTPS
    tls:
      mode: SIMPLE
      serverCertificate: sds
      privateKey: sds
      credentialName: telemetry-gw-cert
    hosts:
    - "$TELEMETRY_DOMAIN"
---
apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
  name: kiali-vs
  namespace: istio-system
spec:
  hosts:
  - "$TELEMETRY_DOMAIN"
  gateways:
  - kiali-gateway
  http:
  - match:
    - port: 15029
    route:
    - destination:
        host: kiali
        port:
          number: 20001
---
apiVersion: networking.istio.io/v1alpha3
kind: DestinationRule
metadata:
  name: kiali
  namespace: istio-system
spec:
  host: kiali
  trafficPolicy:
    tls:
      mode: DISABLE
---
EOF
gateway.networking.istio.io "kiali-gateway" configured
virtualservice.networking.istio.io "kiali-vs" configured
destinationrule.networking.istio.io "kiali" configured

应用以下配置以暴露 Prometheus：

$ cat <<EOF | kubectl apply -f -
apiVersion: networking.istio.io/v1alpha3
kind: Gateway
metadata:
  name: prometheus-gateway
  namespace: istio-system
spec:
  selector:
    istio: ingressgateway
  servers:
  - port:
      number: 15030
      name: https-prom
      protocol: HTTPS
    tls:
      mode: SIMPLE
      serverCertificate: sds
      privateKey: sds
      credentialName: telemetry-gw-cert
    hosts:
    - "$TELEMETRY_DOMAIN"
---
apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
  name: prometheus-vs
  namespace: istio-system
spec:
  hosts:
  - "$TELEMETRY_DOMAIN"
  gateways:
  - prometheus-gateway
  http:
  - match:
    - port: 15030
    route:
    - destination:
        host: prometheus
        port:
          number: 9090
---
apiVersion: networking.istio.io/v1alpha3
kind: DestinationRule
metadata:
  name: prometheus
  namespace: istio-system
spec:
  host: prometheus
  trafficPolicy:
    tls:
      mode: DISABLE
---
EOF
gateway.networking.istio.io "prometheus-gateway" configured
virtualservice.networking.istio.io "prometheus-vs" configured
destinationrule.networking.istio.io "prometheus" configured

应用以下配置以暴露跟踪服务：

$ cat <<EOF | kubectl apply -f -
apiVersion: networking.istio.io/v1alpha3
kind: Gateway
metadata:
  name: tracing-gateway
  namespace: istio-system
spec:
  selector:
    istio: ingressgateway
  servers:
  - port:
      number: 15032
      name: https-tracing
      protocol: HTTPS
    tls:
      mode: SIMPLE
      serverCertificate: sds
      privateKey: sds
      credentialName: telemetry-gw-cert
    hosts:
    - "$TELEMETRY_DOMAIN"
---
apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
  name: tracing-vs
  namespace: istio-system
spec:
  hosts:
  - "$TELEMETRY_DOMAIN"
  gateways:
  - tracing-gateway
  http:
  - match:
    - port: 15032
    route:
    - destination:
        host: tracing
        port:
          number: 80
---
apiVersion: networking.istio.io/v1alpha3
kind: DestinationRule
metadata:
  name: tracing
  namespace: istio-system
spec:
  host: tracing
  trafficPolicy:
    tls:
      mode: DISABLE
---
EOF
gateway.networking.istio.io "tracing-gateway" configured
virtualservice.networking.istio.io "tracing-vs" configured
destinationrule.networking.istio.io "tracing" configured

通过浏览器访问这些遥测插件。
- Kiali: https://$TELEMETRY_DOMAIN:15029/
- Prometheus: https://$TELEMETRY_DOMAIN:15030/
- Grafana: https://$TELEMETRY_DOMAIN:15031/
- Tracing: https://$TELEMETRY_DOMAIN:15032/

方式 2：不安全访问（HTTP）

安装 Istio 到您的集群并启用您所需要的遥测插件。

要额外安装这些遥测插件，使用下列安装选项：
- Grafana: --set values.grafana.enabled=true
- Kiali: --set values.kiali.enabled=true
- Prometheus: --set values.prometheus.enabled=true
- Tracing: --set values.tracing.enabled=true

应用遥测插件的网络配置。

应用以下配置以暴露 Grafana：

$ cat <<EOF | kubectl apply -f -
apiVersion: networking.istio.io/v1alpha3
kind: Gateway
metadata:
  name: grafana-gateway
  namespace: istio-system
spec:
  selector:
    istio: ingressgateway
  servers:
  - port:
      number: 15031
      name: http-grafana
      protocol: HTTP
    hosts:
    - "*"
---
apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
  name: grafana-vs
  namespace: istio-system
spec:
  hosts:
  - "*"
  gateways:
  - grafana-gateway
  http:
  - match:
    - port: 15031
    route:
    - destination:
        host: grafana
        port:
          number: 3000
---
apiVersion: networking.istio.io/v1alpha3
kind: DestinationRule
metadata:
  name: grafana
  namespace: istio-system
spec:
  host: grafana
  trafficPolicy:
    tls:
      mode: DISABLE
---
EOF
gateway.networking.istio.io "grafana-gateway" configured
virtualservice.networking.istio.io "grafana-vs" configured
destinationrule.networking.istio.io "grafana" configured

应用以下配置以暴露 Kiali：

$ cat <<EOF | kubectl apply -f -
apiVersion: networking.istio.io/v1alpha3
kind: Gateway
metadata:
  name: kiali-gateway
  namespace: istio-system
spec:
  selector:
    istio: ingressgateway
  servers:
  - port:
      number: 15029
      name: http-kiali
      protocol: HTTP
    hosts:
    - "*"
---
apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
  name: kiali-vs
  namespace: istio-system
spec:
  hosts:
  - "*"
  gateways:
  - kiali-gateway
  http:
  - match:
    - port: 15029
    route:
    - destination:
        host: kiali
        port:
          number: 20001
---
apiVersion: networking.istio.io/v1alpha3
kind: DestinationRule
metadata:
  name: kiali
  namespace: istio-system
spec:
  host: kiali
  trafficPolicy:
    tls:
      mode: DISABLE
---
EOF
gateway.networking.istio.io "kiali-gateway" configured
virtualservice.networking.istio.io "kiali-vs" configured
destinationrule.networking.istio.io "kiali" configured

应用以下配置以暴露 Prometheus：

$ cat <<EOF | kubectl apply -f -
apiVersion: networking.istio.io/v1alpha3
kind: Gateway
metadata:
  name: prometheus-gateway
  namespace: istio-system
spec:
  selector:
    istio: ingressgateway
  servers:
  - port:
      number: 15030
      name: http-prom
      protocol: HTTP
    hosts:
    - "*"
---
apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
  name: prometheus-vs
  namespace: istio-system
spec:
  hosts:
  - "*"
  gateways:
  - prometheus-gateway
  http:
  - match:
    - port: 15030
    route:
    - destination:
        host: prometheus
        port:
          number: 9090
---
apiVersion: networking.istio.io/v1alpha3
kind: DestinationRule
metadata:
  name: prometheus
  namespace: istio-system
spec:
  host: prometheus
  trafficPolicy:
    tls:
      mode: DISABLE
---
EOF
gateway.networking.istio.io "prometheus-gateway" configured
virtualservice.networking.istio.io "prometheus-vs" configured
destinationrule.networking.istio.io "prometheus" configured

应用以下配置以暴露跟踪服务：

$ cat <<EOF | kubectl apply -f -
apiVersion: networking.istio.io/v1alpha3
kind: Gateway
metadata:
  name: tracing-gateway
  namespace: istio-system
spec:
  selector:
    istio: ingressgateway
  servers:
  - port:
      number: 15032
      name: http-tracing
      protocol: HTTP
    hosts:
    - "*"
---
apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
  name: tracing-vs
  namespace: istio-system
spec:
  hosts:
  - "*"
  gateways:
  - tracing-gateway
  http:
  - match:
    - port: 15032
    route:
    - destination:
        host: tracing
        port:
          number: 80
---
apiVersion: networking.istio.io/v1alpha3
kind: DestinationRule
metadata:
  name: tracing
  namespace: istio-system
spec:
  host: tracing
  trafficPolicy:
    tls:
      mode: DISABLE
---
EOF
gateway.networking.istio.io "tracing-gateway" configured
virtualservice.networking.istio.io "tracing-vs" configured
destinationrule.networking.istio.io "tracing" configured

通过浏览器访问这些遥测插件。
- Kiali: http://<IP ADDRESS OF CLUSTER INGRESS>:15029/
- Prometheus: http://<IP ADDRESS OF CLUSTER INGRESS>:15030/
- Grafana: http://<IP ADDRESS OF CLUSTER INGRESS>:15031/
- Tracing: http://<IP ADDRESS OF CLUSTER INGRESS>:15032/

清除

移除所有相关的网关：

$ kubectl -n istio-system delete gateway grafana-gateway kiali-gateway prometheus-gateway tracing-gateway
gateway.networking.istio.io "grafana-gateway" deleted
gateway.networking.istio.io "kiali-gateway" deleted
gateway.networking.istio.io "prometheus-gateway" deleted
gateway.networking.istio.io "tracing-gateway" deleted

移除所有相关的 Virtual Services：

$ kubectl -n istio-system delete virtualservice grafana-vs kiali-vs prometheus-vs tracing-vs
virtualservice.networking.istio.io "grafana-vs" deleted
virtualservice.networking.istio.io "kiali-vs" deleted
virtualservice.networking.istio.io "prometheus-vs" deleted
virtualservice.networking.istio.io "tracing-vs" deleted

如果安装了网关证书，移除它：

$ kubectl -n istio-system delete certificate telemetry-gw-cert
certificate.certmanager.k8s.io "telemetry-gw-cert" deleted