Remotely Accessing Telemetry Addons
This task shows how to configure Istio to expose the telemetry addons and access them from outside the cluster.
Configuring remote access
Remote access to the telemetry addons can be configured in a number of ways. This task covers two basic access methods: secure (via HTTPS) and insecure (via HTTP). The secure method is strongly recommended for any production or sensitive environment. Insecure access is simpler to set up, but it does not protect any credentials or data transmitted outside the cluster.
For both options, follow these steps first:
To install the telemetry addons, refer to the integrations documentation.
Configure a domain to expose the addons. In this example, you expose each addon on its own subdomain, for example grafana.example.com.
- If you have an existing domain (for example example.com) that points to the external IP address of istio-ingressgateway:
$ export INGRESS_DOMAIN="example.com"
- If you do not have a domain, you can use nip.io, which automatically resolves to the IP address embedded in the name. This is not recommended for production use.
$ export INGRESS_HOST=$(kubectl -n istio-system get service istio-ingressgateway -o jsonpath='{.status.loadBalancer.ingress[0].ip}')
$ export INGRESS_DOMAIN=${INGRESS_HOST}.nip.io
Option 1: Secure access (HTTPS)
Secure access requires a server certificate. Follow these steps to install and configure a server certificate for a domain that you control.
This example uses a self-signed certificate, which may not be appropriate for production. For those cases, consider using cert-manager or another tool to provision certificates. You can also explore the Securing Gateways with HTTPS task for general information on using HTTPS on the gateway.
Set up the certificates. This example uses openssl to self-sign. Note that the generated CA and server keys are written unencrypted (-nodes) to ${CERT_DIR}, so keep that directory out of shared or long-lived storage.
$ CERT_DIR=/tmp/certs
$ mkdir -p ${CERT_DIR}
$ openssl req -x509 -sha256 -nodes -days 365 -newkey rsa:2048 -subj "/O=example Inc./CN=*.${INGRESS_DOMAIN}" -keyout ${CERT_DIR}/ca.key -out ${CERT_DIR}/ca.crt
$ openssl req -out ${CERT_DIR}/cert.csr -newkey rsa:2048 -nodes -keyout ${CERT_DIR}/tls.key -subj "/CN=*.${INGRESS_DOMAIN}/O=example organization"
$ openssl x509 -req -sha256 -days 365 -CA ${CERT_DIR}/ca.crt -CAkey ${CERT_DIR}/ca.key -set_serial 0 -in ${CERT_DIR}/cert.csr -out ${CERT_DIR}/tls.crt
$ kubectl create -n istio-system secret tls telemetry-gw-cert --key=${CERT_DIR}/tls.key --cert=${CERT_DIR}/tls.crt
Apply the networking configuration for the telemetry addons.
Apply the following configuration to expose Grafana:
$ cat <<EOF | kubectl apply -f -
apiVersion: networking.istio.io/v1
kind: Gateway
metadata:
  name: grafana-gateway
  namespace: istio-system
spec:
  selector:
    istio: ingressgateway
  servers:
  - port:
      number: 443
      name: https-grafana
      protocol: HTTPS
    tls:
      mode: SIMPLE
      credentialName: telemetry-gw-cert
    hosts:
    - "grafana.${INGRESS_DOMAIN}"
---
apiVersion: networking.istio.io/v1
kind: VirtualService
metadata:
  name: grafana-vs
  namespace: istio-system
spec:
  hosts:
  - "grafana.${INGRESS_DOMAIN}"
  gateways:
  - grafana-gateway
  http:
  - route:
    - destination:
        host: grafana
        port:
          number: 3000
---
apiVersion: networking.istio.io/v1
kind: DestinationRule
metadata:
  name: grafana
  namespace: istio-system
spec:
  host: grafana
  trafficPolicy:
    tls:
      mode: DISABLE
---
EOF
gateway.networking.istio.io/grafana-gateway created
virtualservice.networking.istio.io/grafana-vs created
destinationrule.networking.istio.io/grafana created
Apply the following configuration to expose Kiali:
$ cat <<EOF | kubectl apply -f -
apiVersion: networking.istio.io/v1
kind: Gateway
metadata:
  name: kiali-gateway
  namespace: istio-system
spec:
  selector:
    istio: ingressgateway
  servers:
  - port:
      number: 443
      name: https-kiali
      protocol: HTTPS
    tls:
      mode: SIMPLE
      credentialName: telemetry-gw-cert
    hosts:
    - "kiali.${INGRESS_DOMAIN}"
---
apiVersion: networking.istio.io/v1
kind: VirtualService
metadata:
  name: kiali-vs
  namespace: istio-system
spec:
  hosts:
  - "kiali.${INGRESS_DOMAIN}"
  gateways:
  - kiali-gateway
  http:
  - route:
    - destination:
        host: kiali
        port:
          number: 20001
---
apiVersion: networking.istio.io/v1
kind: DestinationRule
metadata:
  name: kiali
  namespace: istio-system
spec:
  host: kiali
  trafficPolicy:
    tls:
      mode: DISABLE
---
EOF
gateway.networking.istio.io/kiali-gateway created
virtualservice.networking.istio.io/kiali-vs created
destinationrule.networking.istio.io/kiali created
Apply the following configuration to expose Prometheus:
$ cat <<EOF | kubectl apply -f -
apiVersion: networking.istio.io/v1
kind: Gateway
metadata:
  name: prometheus-gateway
  namespace: istio-system
spec:
  selector:
    istio: ingressgateway
  servers:
  - port:
      number: 443
      name: https-prom
      protocol: HTTPS
    tls:
      mode: SIMPLE
      credentialName: telemetry-gw-cert
    hosts:
    - "prometheus.${INGRESS_DOMAIN}"
---
apiVersion: networking.istio.io/v1
kind: VirtualService
metadata:
  name: prometheus-vs
  namespace: istio-system
spec:
  hosts:
  - "prometheus.${INGRESS_DOMAIN}"
  gateways:
  - prometheus-gateway
  http:
  - route:
    - destination:
        host: prometheus
        port:
          number: 9090
---
apiVersion: networking.istio.io/v1
kind: DestinationRule
metadata:
  name: prometheus
  namespace: istio-system
spec:
  host: prometheus
  trafficPolicy:
    tls:
      mode: DISABLE
---
EOF
gateway.networking.istio.io/prometheus-gateway created
virtualservice.networking.istio.io/prometheus-vs created
destinationrule.networking.istio.io/prometheus created
Apply the following configuration to expose the tracing service:
$ cat <<EOF | kubectl apply -f -
apiVersion: networking.istio.io/v1
kind: Gateway
metadata:
  name: tracing-gateway
  namespace: istio-system
spec:
  selector:
    istio: ingressgateway
  servers:
  - port:
      number: 443
      name: https-tracing
      protocol: HTTPS
    tls:
      mode: SIMPLE
      credentialName: telemetry-gw-cert
    hosts:
    - "tracing.${INGRESS_DOMAIN}"
---
apiVersion: networking.istio.io/v1
kind: VirtualService
metadata:
  name: tracing-vs
  namespace: istio-system
spec:
  hosts:
  - "tracing.${INGRESS_DOMAIN}"
  gateways:
  - tracing-gateway
  http:
  - route:
    - destination:
        host: tracing
        port:
          number: 80
---
apiVersion: networking.istio.io/v1
kind: DestinationRule
metadata:
  name: tracing
  namespace: istio-system
spec:
  host: tracing
  trafficPolicy:
    tls:
      mode: DISABLE
---
EOF
gateway.networking.istio.io/tracing-gateway created
virtualservice.networking.istio.io/tracing-vs created
destinationrule.networking.istio.io/tracing created
Visit the telemetry addons via your browser:
- Kiali: https://kiali.${INGRESS_DOMAIN}
- Prometheus: https://prometheus.${INGRESS_DOMAIN}
- Grafana: https://grafana.${INGRESS_DOMAIN}
- Tracing: https://tracing.${INGRESS_DOMAIN}
Option 2: Insecure access (HTTP)
Apply the networking configuration for the telemetry addons.
Apply the following configuration to expose Grafana:
$ cat <<EOF | kubectl apply -f -
apiVersion: networking.istio.io/v1
kind: Gateway
metadata:
  name: grafana-gateway
  namespace: istio-system
spec:
  selector:
    istio: ingressgateway
  servers:
  - port:
      number: 80
      name: http-grafana
      protocol: HTTP
    hosts:
    - "grafana.${INGRESS_DOMAIN}"
---
apiVersion: networking.istio.io/v1
kind: VirtualService
metadata:
  name: grafana-vs
  namespace: istio-system
spec:
  hosts:
  - "grafana.${INGRESS_DOMAIN}"
  gateways:
  - grafana-gateway
  http:
  - route:
    - destination:
        host: grafana
        port:
          number: 3000
---
apiVersion: networking.istio.io/v1
kind: DestinationRule
metadata:
  name: grafana
  namespace: istio-system
spec:
  host: grafana
  trafficPolicy:
    tls:
      mode: DISABLE
---
EOF
gateway.networking.istio.io/grafana-gateway created
virtualservice.networking.istio.io/grafana-vs created
destinationrule.networking.istio.io/grafana created
Apply the following configuration to expose Kiali:
$ cat <<EOF | kubectl apply -f -
apiVersion: networking.istio.io/v1
kind: Gateway
metadata:
  name: kiali-gateway
  namespace: istio-system
spec:
  selector:
    istio: ingressgateway
  servers:
  - port:
      number: 80
      name: http-kiali
      protocol: HTTP
    hosts:
    - "kiali.${INGRESS_DOMAIN}"
---
apiVersion: networking.istio.io/v1
kind: VirtualService
metadata:
  name: kiali-vs
  namespace: istio-system
spec:
  hosts:
  - "kiali.${INGRESS_DOMAIN}"
  gateways:
  - kiali-gateway
  http:
  - route:
    - destination:
        host: kiali
        port:
          number: 20001
---
apiVersion: networking.istio.io/v1
kind: DestinationRule
metadata:
  name: kiali
  namespace: istio-system
spec:
  host: kiali
  trafficPolicy:
    tls:
      mode: DISABLE
---
EOF
gateway.networking.istio.io/kiali-gateway created
virtualservice.networking.istio.io/kiali-vs created
destinationrule.networking.istio.io/kiali created
Apply the following configuration to expose Prometheus:
$ cat <<EOF | kubectl apply -f -
apiVersion: networking.istio.io/v1
kind: Gateway
metadata:
  name: prometheus-gateway
  namespace: istio-system
spec:
  selector:
    istio: ingressgateway
  servers:
  - port:
      number: 80
      name: http-prom
      protocol: HTTP
    hosts:
    - "prometheus.${INGRESS_DOMAIN}"
---
apiVersion: networking.istio.io/v1
kind: VirtualService
metadata:
  name: prometheus-vs
  namespace: istio-system
spec:
  hosts:
  - "prometheus.${INGRESS_DOMAIN}"
  gateways:
  - prometheus-gateway
  http:
  - route:
    - destination:
        host: prometheus
        port:
          number: 9090
---
apiVersion: networking.istio.io/v1
kind: DestinationRule
metadata:
  name: prometheus
  namespace: istio-system
spec:
  host: prometheus
  trafficPolicy:
    tls:
      mode: DISABLE
---
EOF
gateway.networking.istio.io/prometheus-gateway created
virtualservice.networking.istio.io/prometheus-vs created
destinationrule.networking.istio.io/prometheus created
Apply the following configuration to expose the tracing service:
$ cat <<EOF | kubectl apply -f -
apiVersion: networking.istio.io/v1
kind: Gateway
metadata:
  name: tracing-gateway
  namespace: istio-system
spec:
  selector:
    istio: ingressgateway
  servers:
  - port:
      number: 80
      name: http-tracing
      protocol: HTTP
    hosts:
    - "tracing.${INGRESS_DOMAIN}"
---
apiVersion: networking.istio.io/v1
kind: VirtualService
metadata:
  name: tracing-vs
  namespace: istio-system
spec:
  hosts:
  - "tracing.${INGRESS_DOMAIN}"
  gateways:
  - tracing-gateway
  http:
  - route:
    - destination:
        host: tracing
        port:
          number: 80
---
apiVersion: networking.istio.io/v1
kind: DestinationRule
metadata:
  name: tracing
  namespace: istio-system
spec:
  host: tracing
  trafficPolicy:
    tls:
      mode: DISABLE
---
EOF
gateway.networking.istio.io/tracing-gateway created
virtualservice.networking.istio.io/tracing-vs created
destinationrule.networking.istio.io/tracing created
Visit the telemetry addons via your browser:
- Kiali: http://kiali.${INGRESS_DOMAIN}
- Prometheus: http://prometheus.${INGRESS_DOMAIN}
- Grafana: http://grafana.${INGRESS_DOMAIN}
- Tracing: http://tracing.${INGRESS_DOMAIN}
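As an added example that is not part of the Istio task, the following Python audit reads the JSON that `kubectl -n istio-system get gateways -o json` prints and flags Gateway servers that expose an addon over plaintext HTTP (the Option 2 configuration above), HTTPS servers in SIMPLE mode that lack the credentialName this task relies on, and wildcard hosts. The sample input is constructed (one gateway from each option); the `tls.httpsRedirect` field it tolerates is Istio's real HTTP-to-HTTPS redirect setting.

```python
import json
import sys

# Constructed sample standing in for `kubectl -n istio-system get gateways -o json`:
# grafana-gateway as in Option 1 (HTTPS) and kiali-gateway as in Option 2 (HTTP).
SAMPLE = json.dumps({"kind": "List", "items": [
    {"metadata": {"name": "grafana-gateway", "namespace": "istio-system"},
     "spec": {"selector": {"istio": "ingressgateway"}, "servers": [
         {"port": {"number": 443, "name": "https-grafana", "protocol": "HTTPS"},
          "tls": {"mode": "SIMPLE", "credentialName": "telemetry-gw-cert"},
          "hosts": ["grafana.example.com"]}]}},
    {"metadata": {"name": "kiali-gateway", "namespace": "istio-system"},
     "spec": {"selector": {"istio": "ingressgateway"}, "servers": [
         {"port": {"number": 80, "name": "http-kiali", "protocol": "HTTP"},
          "hosts": ["kiali.example.com"]}]}}]})


def audit_gateway(gw):
    """Return findings (strings) for one Gateway object given as a dict."""
    findings = []
    name = gw.get("metadata", {}).get("name", "<unnamed>")
    for server in gw.get("spec", {}).get("servers", []):
        port = server.get("port", {})
        proto = str(port.get("protocol", "")).upper()
        tls = server.get("tls") or {}
        hosts = server.get("hosts", [])
        where = "%s %s:%s" % (name, port.get("name", "?"), port.get("number", "?"))
        # Plain HTTP sends addon logins and dashboard data in the clear unless
        # the listener only redirects to HTTPS (tls.httpsRedirect: true).
        if proto == "HTTP" and tls.get("httpsRedirect") is not True:
            findings.append("%s: plaintext HTTP for %s" % (where, hosts))
        # SIMPLE TLS needs a server certificate; this task supplies it through
        # the telemetry-gw-cert Secret referenced by credentialName.
        if proto == "HTTPS" and tls.get("mode") == "SIMPLE" \
                and not tls.get("credentialName"):
            findings.append("%s: HTTPS SIMPLE without credentialName" % where)
        if "*" in hosts:
            findings.append("%s: wildcard host '*' serves any Host/SNI" % where)
    return findings


def audit_gateway_list(kubectl_json):
    """Audit `kubectl get gateways -o json` output; returns {gateway name: findings}."""
    doc = json.loads(kubectl_json)
    items = doc.get("items", [doc])  # a List, or a single Gateway object
    return {gw["metadata"]["name"]: audit_gateway(gw) for gw in items}


if __name__ == "__main__":
    # Pipe real kubectl output on stdin; otherwise the constructed sample is audited.
    data = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE
    for gateway, issues in audit_gateway_list(data).items():
        print(gateway, "OK" if not issues else "; ".join(issues))
```

Run it as `kubectl -n istio-system get gateways.networking.istio.io -o json | python3 audit.py` after applying either option; the Option 1 gateways report OK and the Option 2 gateways each report one plaintext finding.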
Cleanup
Remove all related gateways:
$ kubectl -n istio-system delete gateway grafana-gateway kiali-gateway prometheus-gateway tracing-gateway
gateway.networking.istio.io "grafana-gateway" deleted
gateway.networking.istio.io "kiali-gateway" deleted
gateway.networking.istio.io "prometheus-gateway" deleted
gateway.networking.istio.io "tracing-gateway" deleted
Remove all related virtual services:
$ kubectl -n istio-system delete virtualservice grafana-vs kiali-vs prometheus-vs tracing-vs
virtualservice.networking.istio.io "grafana-vs" deleted
virtualservice.networking.istio.io "kiali-vs" deleted
virtualservice.networking.istio.io "prometheus-vs" deleted
virtualservice.networking.istio.io "tracing-vs" deleted
Remove all related destination rules:
$ kubectl -n istio-system delete destinationrule grafana kiali prometheus tracing
destinationrule.networking.istio.io "grafana" deleted
destinationrule.networking.istio.io "kiali" deleted
destinationrule.networking.istio.io "prometheus" deleted
destinationrule.networking.istio.io "tracing" deleted