远程访问遥测附加组件
此任务展示了如何配置 Istio 以在集群之外公开和访问遥测附加组件。
配置远程访问
可以通过多种方式配置对遥测附加组件的远程访问。此任务涵盖两种基本访问方法:安全(通过 HTTPS)和不安全(通过 HTTP)。安全方法强烈推荐用于任何生产环境或敏感环境。不安全访问更易于设置,但不会保护任何在集群之外传输的凭据或数据。
对于这两种选项,首先执行以下步骤
要另外安装遥测插件,请遵循 集成 文档。
设置域以公开插件。在本例中,您在子域上公开每个插件,例如
grafana.example.com。- 如果您有一个指向
istio-ingressgateway的外部 IP 地址的现有域(例如 example.com)
$ export INGRESS_DOMAIN="example.com"- 如果您没有域,您可以使用
nip.io,它将自动解析为提供的 IP 地址。不建议在生产环境中使用此方法。
$ export INGRESS_HOST=$(kubectl -n istio-system get service istio-ingressgateway -o jsonpath='{.status.loadBalancer.ingress[0].ip}') $ export INGRESS_DOMAIN=${INGRESS_HOST}.nip.io- 如果您有一个指向
选项 1:安全访问 (HTTPS)
安全访问需要服务器证书。请按照以下步骤安装和配置您控制的域的服务器证书。
此示例使用自签名证书,这可能不适合生产环境。对于这些情况,请考虑使用 cert-manager 或其他工具来配置证书。您也可以访问 使用 HTTPS 保护网关 任务,以获取有关在网关上使用 HTTPS 的一般信息。
设置证书。此示例使用
openssl进行自签名。$ CERT_DIR=/tmp/certs $ mkdir -p ${CERT_DIR} $ openssl req -x509 -sha256 -nodes -days 365 -newkey rsa:2048 -subj "/O=example Inc./CN=*.${INGRESS_DOMAIN}" -keyout ${CERT_DIR}/ca.key -out ${CERT_DIR}/ca.crt $ openssl req -out ${CERT_DIR}/cert.csr -newkey rsa:2048 -nodes -keyout ${CERT_DIR}/tls.key -subj "/CN=*.${INGRESS_DOMAIN}/O=example organization" $ openssl x509 -req -sha256 -days 365 -CA ${CERT_DIR}/ca.crt -CAkey ${CERT_DIR}/ca.key -set_serial 0 -in ${CERT_DIR}/cert.csr -out ${CERT_DIR}/tls.crt $ kubectl create -n istio-system secret tls telemetry-gw-cert --key=${CERT_DIR}/tls.key --cert=${CERT_DIR}/tls.crt为遥测插件应用网络配置。
应用以下配置以公开 Grafana
$ cat <<EOF | kubectl apply -f - apiVersion: networking.istio.io/v1 kind: Gateway metadata: name: grafana-gateway namespace: istio-system spec: selector: istio: ingressgateway servers: - port: number: 443 name: https-grafana protocol: HTTPS tls: mode: SIMPLE credentialName: telemetry-gw-cert hosts: - "grafana.${INGRESS_DOMAIN}" --- apiVersion: networking.istio.io/v1 kind: VirtualService metadata: name: grafana-vs namespace: istio-system spec: hosts: - "grafana.${INGRESS_DOMAIN}" gateways: - grafana-gateway http: - route: - destination: host: grafana port: number: 3000 --- apiVersion: networking.istio.io/v1 kind: DestinationRule metadata: name: grafana namespace: istio-system spec: host: grafana trafficPolicy: tls: mode: DISABLE --- EOF gateway.networking.istio.io/grafana-gateway created virtualservice.networking.istio.io/grafana-vs created destinationrule.networking.istio.io/grafana created应用以下配置以公开 Kiali
$ cat <<EOF | kubectl apply -f - apiVersion: networking.istio.io/v1 kind: Gateway metadata: name: kiali-gateway namespace: istio-system spec: selector: istio: ingressgateway servers: - port: number: 443 name: https-kiali protocol: HTTPS tls: mode: SIMPLE credentialName: telemetry-gw-cert hosts: - "kiali.${INGRESS_DOMAIN}" --- apiVersion: networking.istio.io/v1 kind: VirtualService metadata: name: kiali-vs namespace: istio-system spec: hosts: - "kiali.${INGRESS_DOMAIN}" gateways: - kiali-gateway http: - route: - destination: host: kiali port: number: 20001 --- apiVersion: networking.istio.io/v1 kind: DestinationRule metadata: name: kiali namespace: istio-system spec: host: kiali trafficPolicy: tls: mode: DISABLE --- EOF gateway.networking.istio.io/kiali-gateway created virtualservice.networking.istio.io/kiali-vs created destinationrule.networking.istio.io/kiali created应用以下配置以公开 Prometheus
$ cat <<EOF | kubectl apply -f - apiVersion: networking.istio.io/v1 kind: Gateway metadata: name: prometheus-gateway namespace: istio-system spec: selector: istio: ingressgateway servers: - port: number: 443 name: https-prom protocol: HTTPS tls: mode: SIMPLE credentialName: telemetry-gw-cert hosts: - "prometheus.${INGRESS_DOMAIN}" --- apiVersion: networking.istio.io/v1 kind: VirtualService metadata: name: prometheus-vs namespace: istio-system spec: hosts: - "prometheus.${INGRESS_DOMAIN}" gateways: - prometheus-gateway http: - route: - destination: host: prometheus port: number: 9090 --- apiVersion: networking.istio.io/v1 kind: DestinationRule metadata: name: prometheus namespace: istio-system spec: host: prometheus trafficPolicy: tls: mode: DISABLE --- EOF gateway.networking.istio.io/prometheus-gateway created virtualservice.networking.istio.io/prometheus-vs created destinationrule.networking.istio.io/prometheus created应用以下配置以公开跟踪服务
$ cat <<EOF | kubectl apply -f - apiVersion: networking.istio.io/v1 kind: Gateway metadata: name: tracing-gateway namespace: istio-system spec: selector: istio: ingressgateway servers: - port: number: 443 name: https-tracing protocol: HTTPS tls: mode: SIMPLE credentialName: telemetry-gw-cert hosts: - "tracing.${INGRESS_DOMAIN}" --- apiVersion: networking.istio.io/v1 kind: VirtualService metadata: name: tracing-vs namespace: istio-system spec: hosts: - "tracing.${INGRESS_DOMAIN}" gateways: - tracing-gateway http: - route: - destination: host: tracing port: number: 80 --- apiVersion: networking.istio.io/v1 kind: DestinationRule metadata: name: tracing namespace: istio-system spec: host: tracing trafficPolicy: tls: mode: DISABLE --- EOF gateway.networking.istio.io/tracing-gateway created virtualservice.networking.istio.io/tracing-vs created destinationrule.networking.istio.io/tracing created
通过浏览器访问遥测插件。
- Kiali:
https://kiali.${INGRESS_DOMAIN} - Prometheus:
https://prometheus.${INGRESS_DOMAIN} - Grafana:
https://grafana.${INGRESS_DOMAIN} - Tracing:
https://tracing.${INGRESS_DOMAIN}
- Kiali:
选项 2:不安全访问 (HTTP)
为遥测插件应用网络配置。
应用以下配置以公开 Grafana
$ cat <<EOF | kubectl apply -f - apiVersion: networking.istio.io/v1 kind: Gateway metadata: name: grafana-gateway namespace: istio-system spec: selector: istio: ingressgateway servers: - port: number: 80 name: http-grafana protocol: HTTP hosts: - "grafana.${INGRESS_DOMAIN}" --- apiVersion: networking.istio.io/v1 kind: VirtualService metadata: name: grafana-vs namespace: istio-system spec: hosts: - "grafana.${INGRESS_DOMAIN}" gateways: - grafana-gateway http: - route: - destination: host: grafana port: number: 3000 --- apiVersion: networking.istio.io/v1 kind: DestinationRule metadata: name: grafana namespace: istio-system spec: host: grafana trafficPolicy: tls: mode: DISABLE --- EOF gateway.networking.istio.io/grafana-gateway created virtualservice.networking.istio.io/grafana-vs created destinationrule.networking.istio.io/grafana created应用以下配置以公开 Kiali
$ cat <<EOF | kubectl apply -f - apiVersion: networking.istio.io/v1 kind: Gateway metadata: name: kiali-gateway namespace: istio-system spec: selector: istio: ingressgateway servers: - port: number: 80 name: http-kiali protocol: HTTP hosts: - "kiali.${INGRESS_DOMAIN}" --- apiVersion: networking.istio.io/v1 kind: VirtualService metadata: name: kiali-vs namespace: istio-system spec: hosts: - "kiali.${INGRESS_DOMAIN}" gateways: - kiali-gateway http: - route: - destination: host: kiali port: number: 20001 --- apiVersion: networking.istio.io/v1 kind: DestinationRule metadata: name: kiali namespace: istio-system spec: host: kiali trafficPolicy: tls: mode: DISABLE --- EOF gateway.networking.istio.io/kiali-gateway created virtualservice.networking.istio.io/kiali-vs created destinationrule.networking.istio.io/kiali created应用以下配置以公开 Prometheus
$ cat <<EOF | kubectl apply -f - apiVersion: networking.istio.io/v1 kind: Gateway metadata: name: prometheus-gateway namespace: istio-system spec: selector: istio: ingressgateway servers: - port: number: 80 name: http-prom protocol: HTTP hosts: - "prometheus.${INGRESS_DOMAIN}" --- apiVersion: networking.istio.io/v1 kind: VirtualService metadata: name: prometheus-vs namespace: istio-system spec: hosts: - "prometheus.${INGRESS_DOMAIN}" gateways: - prometheus-gateway http: - route: - destination: host: prometheus port: number: 9090 --- apiVersion: networking.istio.io/v1 kind: DestinationRule metadata: name: prometheus namespace: istio-system spec: host: prometheus trafficPolicy: tls: mode: DISABLE --- EOF gateway.networking.istio.io/prometheus-gateway created virtualservice.networking.istio.io/prometheus-vs created destinationrule.networking.istio.io/prometheus created应用以下配置以公开跟踪服务
$ cat <<EOF | kubectl apply -f - apiVersion: networking.istio.io/v1 kind: Gateway metadata: name: tracing-gateway namespace: istio-system spec: selector: istio: ingressgateway servers: - port: number: 80 name: http-tracing protocol: HTTP hosts: - "tracing.${INGRESS_DOMAIN}" --- apiVersion: networking.istio.io/v1 kind: VirtualService metadata: name: tracing-vs namespace: istio-system spec: hosts: - "tracing.${INGRESS_DOMAIN}" gateways: - tracing-gateway http: - route: - destination: host: tracing port: number: 80 --- apiVersion: networking.istio.io/v1 kind: DestinationRule metadata: name: tracing namespace: istio-system spec: host: tracing trafficPolicy: tls: mode: DISABLE --- EOF gateway.networking.istio.io/tracing-gateway created virtualservice.networking.istio.io/tracing-vs created destinationrule.networking.istio.io/tracing created
通过浏览器访问遥测插件。
- Kiali:
http://kiali.${INGRESS_DOMAIN} - Prometheus:
http://prometheus.${INGRESS_DOMAIN} - Grafana:
http://grafana.${INGRESS_DOMAIN} - Tracing:
http://tracing.${INGRESS_DOMAIN}
- Kiali:
清理
删除所有相关的网关
$ kubectl -n istio-system delete gateway grafana-gateway kiali-gateway prometheus-gateway tracing-gateway gateway.networking.istio.io "grafana-gateway" deleted gateway.networking.istio.io "kiali-gateway" deleted gateway.networking.istio.io "prometheus-gateway" deleted gateway.networking.istio.io "tracing-gateway" deleted删除所有相关的虚拟服务
$ kubectl -n istio-system delete virtualservice grafana-vs kiali-vs prometheus-vs tracing-vs virtualservice.networking.istio.io "grafana-vs" deleted virtualservice.networking.istio.io "kiali-vs" deleted virtualservice.networking.istio.io "prometheus-vs" deleted virtualservice.networking.istio.io "tracing-vs" deleted删除所有相关的目标规则
$ kubectl -n istio-system delete destinationrule grafana kiali prometheus tracing destinationrule.networking.istio.io "grafana" deleted destinationrule.networking.istio.io "kiali" deleted destinationrule.networking.istio.io "prometheus" deleted destinationrule.networking.istio.io "tracing" deleted