遥测插件的远程访问

本任务展示了对 Istio 进行配置,用于对集群外部开放访问遥测插件的方法。

配置远程访问

有很多种为遥测插件配置远程访问的方式。本文谈到了两种访问方式:安全的(HTTPS)和非安全的(HTTP)。强烈推荐为敏感环境配置安全的访问方式。非安全方式的配置很简单,但是无法为传输到集群之外的凭据和数据进行加密。

选项 1:安全访问(HTTPS)

要进行安全访问,就需要有个服务证书。下面的步骤可以用来为你控制的域名进行证书的安装和配置。

也可以使用一个自签发的证书。浏览使用 SDS 为 Gateway 提供 HTTPS 加密支持的任务内容,其中包含了使用自签发证书来访问集群内服务的一些介绍。

这一选项仅包含了对传输层的加密工作。要把服务进行公开,还应该为遥测插件配置认证功能。

使用下面的 Helm 参数来完成 Istio 部署:

  • —set gateways.enabled=true
  • —set gateways.istio-ingressgateway.enabled=true
  • —set gateways.istio-ingressgateway.sds.enabled=true
  • —set certmanager.enabled=true
  • —set certmanager.email=mailbox@donotuseexample.com要启用遥测插件,需要如下的 Helm 参数:

  • Grafana: —set grafana.enabled=true

  • Kiali: —set kiali.enabled=true
  • Prometheus: —set prometheus.enabled=true
  • Tracing: —set tracing.enabled=true

    • 为你的域名配置 DNS 记录。
  • 获取 istio-ingressgateway 的外部 IP 地址。

  1. $ kubectl -n istio-system get service istio-ingressgateway -o jsonpath='{.status.loadBalancer.ingress[0].ip}'
  2. <IP ADDRESS OF CLUSTER INGRESS>
  • 为目标域名设置一个环境变量。
  1. $ TELEMETRY_DOMAIN=<your.desired.domain>
  • 在域名提供商界面中,把域名映射到外部 IP 上。

不同域名提供商的配置步骤会有不同,这里提供一些简单的文档连接:

  1. - Bluehost:[DNS Management Add Edit or Delete DNS Entries](https://my.bluehost.com/hosting/help/559)
  2. - GoDaddy:[Add an A record](https://www.godaddy.com/help/add-an-a-record-19238)
  3. - Google Domains:[Resource Records](https://support.google.com/domains/answer/3290350?hl=en)
  4. - Name.com:[Adding an A record](https://www.name.com/support/articles/115004893508-Adding-an-A-record)
  • 检查域名是否成功映射:
  1. $ dig +short $TELEMETRY_DOMAIN
  2. <IP ADDRESS OF CLUSTER INGRESS>
  • 生成服务端证书:
  1. $ cat <<EOF | kubectl apply -f -
  2. apiVersion: certmanager.k8s.io/v1alpha1
  3. kind: Certificate
  4. metadata:
  5. name: telemetry-gw-cert
  6. namespace: istio-system
  7. spec:
  8. secretName: telemetry-gw-cert
  9. issuerRef:
  10. name: letsencrypt
  11. kind: ClusterIssuer
  12. commonName: $TELEMETRY_DOMAIN
  13. dnsNames:
  14. - $TELEMETRY_DOMAIN
  15. acme:
  16. config:
  17. - http01:
  18. ingressClass: istio
  19. domains:
  20. - $TELEMETRY_DOMAIN
  21. ---
  22. EOF
  23. certificate.certmanager.k8s.io "telemetry-gw-cert" created
  • 等待服务证书准备就绪:
  1. $ JSONPATH='{range .items[*]}{@.metadata.name}:{range @.status.conditions[*]}{@.type}={@.status}{end}{end}' && kubectl -n istio-system get certificates -o jsonpath="$JSONPATH"
  2. telemetry-gw-cert:Ready=True
  • 为遥测插件提供网络配置:

    • 用下列配置开放 Grafana 的访问:
  1. $ cat <<EOF | kubectl apply -f -
  2. apiVersion: networking.istio.io/v1alpha3
  3. kind: Gateway
  4. metadata:
  5. name: grafana-gateway
  6. namespace: istio-system
  7. spec:
  8. selector:
  9. istio: ingressgateway
  10. servers:
  11. - port:
  12. number: 15031
  13. name: https-grafana
  14. protocol: HTTPS
  15. tls:
  16. mode: SIMPLE
  17. serverCertificate: sds
  18. privateKey: sds
  19. credentialName: telemetry-gw-cert
  20. hosts:
  21. - "$TELEMETRY_DOMAIN"
  22. ---
  23. apiVersion: networking.istio.io/v1alpha3
  24. kind: VirtualService
  25. metadata:
  26. name: grafana-vs
  27. namespace: istio-system
  28. spec:
  29. hosts:
  30. - "$TELEMETRY_DOMAIN"
  31. gateways:
  32. - grafana-gateway
  33. http:
  34. - match:
  35. - port: 15031
  36. route:
  37. - destination:
  38. host: grafana
  39. port:
  40. number: 3000
  41. ---
  42. apiVersion: networking.istio.io/v1alpha3
  43. kind: DestinationRule
  44. metadata:
  45. name: grafana
  46. namespace: istio-system
  47. spec:
  48. host: grafana
  49. trafficPolicy:
  50. tls:
  51. mode: DISABLE
  52. ---
  53. EOF
  54. gateway.networking.istio.io "grafana-gateway" configured
  55. virtualservice.networking.istio.io "grafana-vs" configured
  56. destinationrule.networking.istio.io "grafana" configured
  • 用下列配置开放对 Kiali 的访问:
  1. $ cat <<EOF | kubectl apply -f -
  2. apiVersion: networking.istio.io/v1alpha3
  3. kind: Gateway
  4. metadata:
  5. name: kiali-gateway
  6. namespace: istio-system
  7. spec:
  8. selector:
  9. istio: ingressgateway
  10. servers:
  11. - port:
  12. number: 15029
  13. name: https-kiali
  14. protocol: HTTPS
  15. tls:
  16. mode: SIMPLE
  17. serverCertificate: sds
  18. privateKey: sds
  19. credentialName: telemetry-gw-cert
  20. hosts:
  21. - "$TELEMETRY_DOMAIN"
  22. ---
  23. apiVersion: networking.istio.io/v1alpha3
  24. kind: VirtualService
  25. metadata:
  26. name: kiali-vs
  27. namespace: istio-system
  28. spec:
  29. hosts:
  30. - "$TELEMETRY_DOMAIN"
  31. gateways:
  32. - kiali-gateway
  33. http:
  34. - match:
  35. - port: 15029
  36. route:
  37. - destination:
  38. host: kiali
  39. port:
  40. number: 20001
  41. ---
  42. apiVersion: networking.istio.io/v1alpha3
  43. kind: DestinationRule
  44. metadata:
  45. name: kiali
  46. namespace: istio-system
  47. spec:
  48. host: kiali
  49. trafficPolicy:
  50. tls:
  51. mode: DISABLE
  52. ---
  53. EOF
  54. gateway.networking.istio.io "kiali-gateway" configured
  55. virtualservice.networking.istio.io "kiali-vs" configured
  56. destinationrule.networking.istio.io "kiali" configured
  • 用下面的配置开放对 Prometheus 的访问:
  1. $ cat <<EOF | kubectl apply -f -
  2. apiVersion: networking.istio.io/v1alpha3
  3. kind: Gateway
  4. metadata:
  5. name: prometheus-gateway
  6. namespace: istio-system
  7. spec:
  8. selector:
  9. istio: ingressgateway
  10. servers:
  11. - port:
  12. number: 15030
  13. name: https-prom
  14. protocol: HTTPS
  15. tls:
  16. mode: SIMPLE
  17. serverCertificate: sds
  18. privateKey: sds
  19. credentialName: telemetry-gw-cert
  20. hosts:
  21. - "$TELEMETRY_DOMAIN"
  22. ---
  23. apiVersion: networking.istio.io/v1alpha3
  24. kind: VirtualService
  25. metadata:
  26. name: prometheus-vs
  27. namespace: istio-system
  28. spec:
  29. hosts:
  30. - "$TELEMETRY_DOMAIN"
  31. gateways:
  32. - prometheus-gateway
  33. http:
  34. - match:
  35. - port: 15030
  36. route:
  37. - destination:
  38. host: prometheus
  39. port:
  40. number: 9090
  41. ---
  42. apiVersion: networking.istio.io/v1alpha3
  43. kind: DestinationRule
  44. metadata:
  45. name: prometheus
  46. namespace: istio-system
  47. spec:
  48. host: prometheus
  49. trafficPolicy:
  50. tls:
  51. mode: DISABLE
  52. ---
  53. EOF
  54. gateway.networking.istio.io "prometheus-gateway" configured
  55. virtualservice.networking.istio.io "prometheus-vs" configured
  56. destinationrule.networking.istio.io "prometheus" configured
  • 用下面的配置开放对跟踪服务的访问:
  1. $ cat <<EOF | kubectl apply -f -
  2. apiVersion: networking.istio.io/v1alpha3
  3. kind: Gateway
  4. metadata:
  5. name: tracing-gateway
  6. namespace: istio-system
  7. spec:
  8. selector:
  9. istio: ingressgateway
  10. servers:
  11. - port:
  12. number: 15032
  13. name: https-tracing
  14. protocol: HTTPS
  15. tls:
  16. mode: SIMPLE
  17. serverCertificate: sds
  18. privateKey: sds
  19. credentialName: telemetry-gw-cert
  20. hosts:
  21. - "$TELEMETRY_DOMAIN"
  22. ---
  23. apiVersion: networking.istio.io/v1alpha3
  24. kind: VirtualService
  25. metadata:
  26. name: tracing-vs
  27. namespace: istio-system
  28. spec:
  29. hosts:
  30. - "$TELEMETRY_DOMAIN"
  31. gateways:
  32. - tracing-gateway
  33. http:
  34. - match:
  35. - port: 15032
  36. route:
  37. - destination:
  38. host: tracing
  39. port:
  40. number: 80
  41. ---
  42. apiVersion: networking.istio.io/v1alpha3
  43. kind: DestinationRule
  44. metadata:
  45. name: tracing
  46. namespace: istio-system
  47. spec:
  48. host: tracing
  49. trafficPolicy:
  50. tls:
  51. mode: DISABLE
  52. ---
  53. EOF
  54. gateway.networking.istio.io "tracing-gateway" configured
  55. virtualservice.networking.istio.io "tracing-vs" configured
  56. destinationrule.networking.istio.io "tracing" configured

选项 2:不安全访问(HTTP)

  • 在集群中安装 Istio,并启用需要的遥测插件。

可以用下面的 Helm 参数启用遥测插件:

  • Grafana:—set grafana.enabled=true
  • Kiali:—set kiali.enabled=true
  • Prometheus:—set prometheus.enabled=true
  • Tracing:—set tracing.enabled=true

    • 为遥测插件创建网络配置。
  • 用下面的配置开放对 Grafana 的访问:

  1. $ cat <<EOF | kubectl apply -f -
  2. apiVersion: networking.istio.io/v1alpha3
  3. kind: Gateway
  4. metadata:
  5. name: grafana-gateway
  6. namespace: istio-system
  7. spec:
  8. selector:
  9. istio: ingressgateway
  10. servers:
  11. - port:
  12. number: 15031
  13. name: http-grafana
  14. protocol: HTTP
  15. hosts:
  16. - "*"
  17. ---
  18. apiVersion: networking.istio.io/v1alpha3
  19. kind: VirtualService
  20. metadata:
  21. name: grafana-vs
  22. namespace: istio-system
  23. spec:
  24. hosts:
  25. - "*"
  26. gateways:
  27. - grafana-gateway
  28. http:
  29. - match:
  30. - port: 15031
  31. route:
  32. - destination:
  33. host: grafana
  34. port:
  35. number: 3000
  36. ---
  37. apiVersion: networking.istio.io/v1alpha3
  38. kind: DestinationRule
  39. metadata:
  40. name: grafana
  41. namespace: istio-system
  42. spec:
  43. host: grafana
  44. trafficPolicy:
  45. tls:
  46. mode: DISABLE
  47. ---
  48. EOF
  49. gateway.networking.istio.io "grafana-gateway" configured
  50. virtualservice.networking.istio.io "grafana-vs" configured
  51. destinationrule.networking.istio.io "grafana" configured
  • 用下面的配置开放对 Kiali 的访问:
  1. $ cat <<EOF | kubectl apply -f -
  2. apiVersion: networking.istio.io/v1alpha3
  3. kind: Gateway
  4. metadata:
  5. name: kiali-gateway
  6. namespace: istio-system
  7. spec:
  8. selector:
  9. istio: ingressgateway
  10. servers:
  11. - port:
  12. number: 15029
  13. name: http-kiali
  14. protocol: HTTP
  15. hosts:
  16. - "*"
  17. ---
  18. apiVersion: networking.istio.io/v1alpha3
  19. kind: VirtualService
  20. metadata:
  21. name: kiali-vs
  22. namespace: istio-system
  23. spec:
  24. hosts:
  25. - "*"
  26. gateways:
  27. - kiali-gateway
  28. http:
  29. - match:
  30. - port: 15029
  31. route:
  32. - destination:
  33. host: kiali
  34. port:
  35. number: 20001
  36. ---
  37. apiVersion: networking.istio.io/v1alpha3
  38. kind: DestinationRule
  39. metadata:
  40. name: kiali
  41. namespace: istio-system
  42. spec:
  43. host: kiali
  44. trafficPolicy:
  45. tls:
  46. mode: DISABLE
  47. ---
  48. EOF
  49. gateway.networking.istio.io "kiali-gateway" configured
  50. virtualservice.networking.istio.io "kiali-vs" configured
  51. destinationrule.networking.istio.io "kiali" configured
  • 用下面的配置开放对 Prometheus 的访问:
  1. $ cat <<EOF | kubectl apply -f -
  2. apiVersion: networking.istio.io/v1alpha3
  3. kind: Gateway
  4. metadata:
  5. name: prometheus-gateway
  6. namespace: istio-system
  7. spec:
  8. selector:
  9. istio: ingressgateway
  10. servers:
  11. - port:
  12. number: 15030
  13. name: http-prom
  14. protocol: HTTP
  15. hosts:
  16. - "*"
  17. ---
  18. apiVersion: networking.istio.io/v1alpha3
  19. kind: VirtualService
  20. metadata:
  21. name: prometheus-vs
  22. namespace: istio-system
  23. spec:
  24. hosts:
  25. - "*"
  26. gateways:
  27. - prometheus-gateway
  28. http:
  29. - match:
  30. - port: 15030
  31. route:
  32. - destination:
  33. host: prometheus
  34. port:
  35. number: 9090
  36. ---
  37. apiVersion: networking.istio.io/v1alpha3
  38. kind: DestinationRule
  39. metadata:
  40. name: prometheus
  41. namespace: istio-system
  42. spec:
  43. host: prometheus
  44. trafficPolicy:
  45. tls:
  46. mode: DISABLE
  47. ---
  48. EOF
  49. gateway.networking.istio.io "prometheus-gateway" configured
  50. virtualservice.networking.istio.io "prometheus-vs" configured
  51. destinationrule.networking.istio.io "prometheus" configured
  • 用下面的配置开放对跟踪服务的访问:
  1. $ cat <<EOF | kubectl apply -f -
  2. apiVersion: networking.istio.io/v1alpha3
  3. kind: Gateway
  4. metadata:
  5. name: tracing-gateway
  6. namespace: istio-system
  7. spec:
  8. selector:
  9. istio: ingressgateway
  10. servers:
  11. - port:
  12. number: 15032
  13. name: http-tracing
  14. protocol: HTTP
  15. hosts:
  16. - "*"
  17. ---
  18. apiVersion: networking.istio.io/v1alpha3
  19. kind: VirtualService
  20. metadata:
  21. name: tracing-vs
  22. namespace: istio-system
  23. spec:
  24. hosts:
  25. - "*"
  26. gateways:
  27. - tracing-gateway
  28. http:
  29. - match:
  30. - port: 15032
  31. route:
  32. - destination:
  33. host: tracing
  34. port:
  35. number: 80
  36. ---
  37. apiVersion: networking.istio.io/v1alpha3
  38. kind: DestinationRule
  39. metadata:
  40. name: tracing
  41. namespace: istio-system
  42. spec:
  43. host: tracing
  44. trafficPolicy:
  45. tls:
  46. mode: DISABLE
  47. ---
  48. EOF
  49. gateway.networking.istio.io "tracing-gateway" configured
  50. virtualservice.networking.istio.io "tracing-vs" configured
  51. destinationrule.networking.istio.io "tracing" configured
  • 使用浏览器访问遥测插件:

    • Kiali:http://<IP ADDRESS OF CLUSTER INGRESS>:15029/
    • Prometheus:http://<IP ADDRESS OF CLUSTER INGRESS>:15030/
    • Grafana:http://<IP ADDRESS OF CLUSTER INGRESS>:15031/
    • Tracing:http://<IP ADDRESS OF CLUSTER INGRESS>:15032/

清理

  • 删除相关的 Gateway
  1. $ kubectl -n istio-system delete gateway grafana-gateway kiali-gateway prometheus-gateway tracing-gateway
  2. gateway.networking.istio.io "grafana-gateway" deleted
  3. gateway.networking.istio.io "kiali-gateway" deleted
  4. gateway.networking.istio.io "prometheus-gateway" deleted
  5. gateway.networking.istio.io "tracing-gateway" deleted
  • 删除相关的 VirtualService
  1. $ kubectl -n istio-system delete virtualservice grafana-vs kiali-vs prometheus-vs tracing-vs
  2. virtualservice.networking.istio.io "grafana-vs" deleted
  3. virtualservice.networking.istio.io "kiali-vs" deleted
  4. virtualservice.networking.istio.io "prometheus-vs" deleted
  5. virtualservice.networking.istio.io "tracing-vs" deleted
  • 如果使用了证书,也需要一并清理:
  1. $ kubectl -n istio-system delete certificate telemetry-gw-cert
  2. certificate.certmanager.k8s.io "telemetry-gw-cert" deleted

相关内容

Jaeger

了解如何配置代理以向 Jaeger 发送追踪请求。

Zipkin

了解如何配置代理以向 Zipkin 发送追踪请求。

使用 LightStep [𝑥]PM 进行分布式追踪

如何配置代理以发送请求至 LightStep [𝑥]PM.

概述

Istio 分布式追踪概述。

深入遥测

演示如何使用 Istio Mixer 和 Istio sidecar 获取指标和日志,并在不同的服务间进行追踪。

增量式应用 Istio 第一部分,流量管理

如何在不部署 Sidecar 代理的情况下使用 Istio 进行流量管理。