我的书签
添加书签
移除书签- 遥测插件的远程访问
- 配置远程访问
- 选项 1:安全访问(HTTPS)
- 选项 2:不安全访问(HTTP)
- 清理
- 相关内容
- 配置远程访问
遥测插件的远程访问
本任务展示了对 Istio 进行配置,用于对集群外部开放访问遥测插件的方法。
配置远程访问
有很多种为遥测插件配置远程访问的方式。本文谈到了两种访问方式:安全的(HTTPS)和非安全的(HTTP)。强烈推荐为敏感环境配置安全的访问方式。非安全方式的配置很简单,但是无法为传输到集群之外的凭据和数据进行加密。
选项 1:安全访问(HTTPS)
要进行安全访问,就需要有个服务证书。下面的步骤可以用来为你控制的域名进行证书的安装和配置。
也可以使用一个自签发的证书。浏览使用 SDS 为 Gateway 提供 HTTPS 加密支持的任务内容,其中包含了使用自签发证书来访问集群内服务的一些介绍。
这一选项仅包含了对传输层的加密工作。要把服务进行公开,还应该为遥测插件配置认证功能。
- 在集群中安装 Istio,并启用
cert-manager,配置istio-ingressgateway,打开对 Secret Discovery Service 的支持。
使用下面的 Helm 参数来完成 Istio 部署:
—set gateways.enabled=true—set gateways.istio-ingressgateway.enabled=true—set gateways.istio-ingressgateway.sds.enabled=true—set certmanager.enabled=true—set certmanager.email=mailbox@donotuseexample.com要启用遥测插件,需要如下的 Helm 参数:Grafana:
—set grafana.enabled=true- Kiali:
—set kiali.enabled=true - Prometheus:
—set prometheus.enabled=true Tracing:
—set tracing.enabled=true- 为你的域名配置 DNS 记录。
获取
istio-ingressgateway的外部 IP 地址。
$ kubectl -n istio-system get service istio-ingressgateway -o jsonpath='{.status.loadBalancer.ingress[0].ip}'<IP ADDRESS OF CLUSTER INGRESS>
- 为目标域名设置一个环境变量。
$ TELEMETRY_DOMAIN=<your.desired.domain>
- 在域名提供商界面中,把域名映射到外部 IP 上。
不同域名提供商的配置步骤会有不同,这里提供一些简单的文档连接:
- Bluehost:[DNS Management Add Edit or Delete DNS Entries](https://my.bluehost.com/hosting/help/559)- GoDaddy:[Add an A record](https://www.godaddy.com/help/add-an-a-record-19238)- Google Domains:[Resource Records](https://support.google.com/domains/answer/3290350?hl=en)- Name.com:[Adding an A record](https://www.name.com/support/articles/115004893508-Adding-an-A-record)
- 检查域名是否成功映射:
$ dig +short $TELEMETRY_DOMAIN<IP ADDRESS OF CLUSTER INGRESS>
- 生成服务端证书:
$ cat <<EOF | kubectl apply -f -apiVersion: certmanager.k8s.io/v1alpha1kind: Certificatemetadata:name: telemetry-gw-certnamespace: istio-systemspec:secretName: telemetry-gw-certissuerRef:name: letsencryptkind: ClusterIssuercommonName: $TELEMETRY_DOMAINdnsNames:- $TELEMETRY_DOMAINacme:config:- http01:ingressClass: istiodomains:- $TELEMETRY_DOMAIN---EOFcertificate.certmanager.k8s.io "telemetry-gw-cert" created
- 等待服务证书准备就绪:
$ JSONPATH='{range .items[*]}{@.metadata.name}:{range @.status.conditions[*]}{@.type}={@.status}{end}{end}' && kubectl -n istio-system get certificates -o jsonpath="$JSONPATH"telemetry-gw-cert:Ready=True
为遥测插件提供网络配置:
- 用下列配置开放 Grafana 的访问:
$ cat <<EOF | kubectl apply -f -apiVersion: networking.istio.io/v1alpha3kind: Gatewaymetadata:name: grafana-gatewaynamespace: istio-systemspec:selector:istio: ingressgatewayservers:- port:number: 15031name: https-grafanaprotocol: HTTPStls:mode: SIMPLEserverCertificate: sdsprivateKey: sdscredentialName: telemetry-gw-certhosts:- "$TELEMETRY_DOMAIN"---apiVersion: networking.istio.io/v1alpha3kind: VirtualServicemetadata:name: grafana-vsnamespace: istio-systemspec:hosts:- "$TELEMETRY_DOMAIN"gateways:- grafana-gatewayhttp:- match:- port: 15031route:- destination:host: grafanaport:number: 3000---apiVersion: networking.istio.io/v1alpha3kind: DestinationRulemetadata:name: grafananamespace: istio-systemspec:host: grafanatrafficPolicy:tls:mode: DISABLE---EOFgateway.networking.istio.io "grafana-gateway" configuredvirtualservice.networking.istio.io "grafana-vs" configureddestinationrule.networking.istio.io "grafana" configured
- 用下列配置开放对 Kiali 的访问:
$ cat <<EOF | kubectl apply -f -apiVersion: networking.istio.io/v1alpha3kind: Gatewaymetadata:name: kiali-gatewaynamespace: istio-systemspec:selector:istio: ingressgatewayservers:- port:number: 15029name: https-kialiprotocol: HTTPStls:mode: SIMPLEserverCertificate: sdsprivateKey: sdscredentialName: telemetry-gw-certhosts:- "$TELEMETRY_DOMAIN"---apiVersion: networking.istio.io/v1alpha3kind: VirtualServicemetadata:name: kiali-vsnamespace: istio-systemspec:hosts:- "$TELEMETRY_DOMAIN"gateways:- kiali-gatewayhttp:- match:- port: 15029route:- destination:host: kialiport:number: 20001---apiVersion: networking.istio.io/v1alpha3kind: DestinationRulemetadata:name: kialinamespace: istio-systemspec:host: kialitrafficPolicy:tls:mode: DISABLE---EOFgateway.networking.istio.io "kiali-gateway" configuredvirtualservice.networking.istio.io "kiali-vs" configureddestinationrule.networking.istio.io "kiali" configured
- 用下面的配置开放对 Prometheus 的访问:
$ cat <<EOF | kubectl apply -f -apiVersion: networking.istio.io/v1alpha3kind: Gatewaymetadata:name: prometheus-gatewaynamespace: istio-systemspec:selector:istio: ingressgatewayservers:- port:number: 15030name: https-promprotocol: HTTPStls:mode: SIMPLEserverCertificate: sdsprivateKey: sdscredentialName: telemetry-gw-certhosts:- "$TELEMETRY_DOMAIN"---apiVersion: networking.istio.io/v1alpha3kind: VirtualServicemetadata:name: prometheus-vsnamespace: istio-systemspec:hosts:- "$TELEMETRY_DOMAIN"gateways:- prometheus-gatewayhttp:- match:- port: 15030route:- destination:host: prometheusport:number: 9090---apiVersion: networking.istio.io/v1alpha3kind: DestinationRulemetadata:name: prometheusnamespace: istio-systemspec:host: prometheustrafficPolicy:tls:mode: DISABLE---EOFgateway.networking.istio.io "prometheus-gateway" configuredvirtualservice.networking.istio.io "prometheus-vs" configureddestinationrule.networking.istio.io "prometheus" configured
- 用下面的配置开放对跟踪服务的访问:
$ cat <<EOF | kubectl apply -f -apiVersion: networking.istio.io/v1alpha3kind: Gatewaymetadata:name: tracing-gatewaynamespace: istio-systemspec:selector:istio: ingressgatewayservers:- port:number: 15032name: https-tracingprotocol: HTTPStls:mode: SIMPLEserverCertificate: sdsprivateKey: sdscredentialName: telemetry-gw-certhosts:- "$TELEMETRY_DOMAIN"---apiVersion: networking.istio.io/v1alpha3kind: VirtualServicemetadata:name: tracing-vsnamespace: istio-systemspec:hosts:- "$TELEMETRY_DOMAIN"gateways:- tracing-gatewayhttp:- match:- port: 15032route:- destination:host: tracingport:number: 80---apiVersion: networking.istio.io/v1alpha3kind: DestinationRulemetadata:name: tracingnamespace: istio-systemspec:host: tracingtrafficPolicy:tls:mode: DISABLE---EOFgateway.networking.istio.io "tracing-gateway" configuredvirtualservice.networking.istio.io "tracing-vs" configureddestinationrule.networking.istio.io "tracing" configured
使用浏览器访问遥测插件:
- Kiali:
https://$TELEMETRY_DOMAIN:15029/ - Prometheus:
https://$TELEMETRY_DOMAIN:15030/ - Grafana:
https://$TELEMETRY_DOMAIN:15031/ - Tracing:
https://$TELEMETRY_DOMAIN:15032/
- Kiali:
选项 2:不安全访问(HTTP)
- 在集群中安装 Istio,并启用需要的遥测插件。
可以用下面的 Helm 参数启用遥测插件:
- Grafana:
—set grafana.enabled=true - Kiali:
—set kiali.enabled=true - Prometheus:
—set prometheus.enabled=true Tracing:
—set tracing.enabled=true- 为遥测插件创建网络配置。
用下面的配置开放对 Grafana 的访问:
$ cat <<EOF | kubectl apply -f -apiVersion: networking.istio.io/v1alpha3kind: Gatewaymetadata:name: grafana-gatewaynamespace: istio-systemspec:selector:istio: ingressgatewayservers:- port:number: 15031name: http-grafanaprotocol: HTTPhosts:- "*"---apiVersion: networking.istio.io/v1alpha3kind: VirtualServicemetadata:name: grafana-vsnamespace: istio-systemspec:hosts:- "*"gateways:- grafana-gatewayhttp:- match:- port: 15031route:- destination:host: grafanaport:number: 3000---apiVersion: networking.istio.io/v1alpha3kind: DestinationRulemetadata:name: grafananamespace: istio-systemspec:host: grafanatrafficPolicy:tls:mode: DISABLE---EOFgateway.networking.istio.io "grafana-gateway" configuredvirtualservice.networking.istio.io "grafana-vs" configureddestinationrule.networking.istio.io "grafana" configured
- 用下面的配置开放对 Kiali 的访问:
$ cat <<EOF | kubectl apply -f -apiVersion: networking.istio.io/v1alpha3kind: Gatewaymetadata:name: kiali-gatewaynamespace: istio-systemspec:selector:istio: ingressgatewayservers:- port:number: 15029name: http-kialiprotocol: HTTPhosts:- "*"---apiVersion: networking.istio.io/v1alpha3kind: VirtualServicemetadata:name: kiali-vsnamespace: istio-systemspec:hosts:- "*"gateways:- kiali-gatewayhttp:- match:- port: 15029route:- destination:host: kialiport:number: 20001---apiVersion: networking.istio.io/v1alpha3kind: DestinationRulemetadata:name: kialinamespace: istio-systemspec:host: kialitrafficPolicy:tls:mode: DISABLE---EOFgateway.networking.istio.io "kiali-gateway" configuredvirtualservice.networking.istio.io "kiali-vs" configureddestinationrule.networking.istio.io "kiali" configured
- 用下面的配置开放对 Prometheus 的访问:
$ cat <<EOF | kubectl apply -f -apiVersion: networking.istio.io/v1alpha3kind: Gatewaymetadata:name: prometheus-gatewaynamespace: istio-systemspec:selector:istio: ingressgatewayservers:- port:number: 15030name: http-promprotocol: HTTPhosts:- "*"---apiVersion: networking.istio.io/v1alpha3kind: VirtualServicemetadata:name: prometheus-vsnamespace: istio-systemspec:hosts:- "*"gateways:- prometheus-gatewayhttp:- match:- port: 15030route:- destination:host: prometheusport:number: 9090---apiVersion: networking.istio.io/v1alpha3kind: DestinationRulemetadata:name: prometheusnamespace: istio-systemspec:host: prometheustrafficPolicy:tls:mode: DISABLE---EOFgateway.networking.istio.io "prometheus-gateway" configuredvirtualservice.networking.istio.io "prometheus-vs" configureddestinationrule.networking.istio.io "prometheus" configured
- 用下面的配置开放对跟踪服务的访问:
$ cat <<EOF | kubectl apply -f -apiVersion: networking.istio.io/v1alpha3kind: Gatewaymetadata:name: tracing-gatewaynamespace: istio-systemspec:selector:istio: ingressgatewayservers:- port:number: 15032name: http-tracingprotocol: HTTPhosts:- "*"---apiVersion: networking.istio.io/v1alpha3kind: VirtualServicemetadata:name: tracing-vsnamespace: istio-systemspec:hosts:- "*"gateways:- tracing-gatewayhttp:- match:- port: 15032route:- destination:host: tracingport:number: 80---apiVersion: networking.istio.io/v1alpha3kind: DestinationRulemetadata:name: tracingnamespace: istio-systemspec:host: tracingtrafficPolicy:tls:mode: DISABLE---EOFgateway.networking.istio.io "tracing-gateway" configuredvirtualservice.networking.istio.io "tracing-vs" configureddestinationrule.networking.istio.io "tracing" configured
使用浏览器访问遥测插件:
- Kiali:
http://<IP ADDRESS OF CLUSTER INGRESS>:15029/ - Prometheus:
http://<IP ADDRESS OF CLUSTER INGRESS>:15030/ - Grafana:
http://<IP ADDRESS OF CLUSTER INGRESS>:15031/ - Tracing:
http://<IP ADDRESS OF CLUSTER INGRESS>:15032/
- Kiali:
清理
- 删除相关的
Gateway:
$ kubectl -n istio-system delete gateway grafana-gateway kiali-gateway prometheus-gateway tracing-gatewaygateway.networking.istio.io "grafana-gateway" deletedgateway.networking.istio.io "kiali-gateway" deletedgateway.networking.istio.io "prometheus-gateway" deletedgateway.networking.istio.io "tracing-gateway" deleted
- 删除相关的
VirtualService:
$ kubectl -n istio-system delete virtualservice grafana-vs kiali-vs prometheus-vs tracing-vsvirtualservice.networking.istio.io "grafana-vs" deletedvirtualservice.networking.istio.io "kiali-vs" deletedvirtualservice.networking.istio.io "prometheus-vs" deletedvirtualservice.networking.istio.io "tracing-vs" deleted
- 如果使用了证书,也需要一并清理:
$ kubectl -n istio-system delete certificate telemetry-gw-certcertificate.certmanager.k8s.io "telemetry-gw-cert" deleted
相关内容
Jaeger
了解如何配置代理以向 Jaeger 发送追踪请求。
Zipkin
了解如何配置代理以向 Zipkin 发送追踪请求。
使用 LightStep [?]PM 进行分布式追踪
如何配置代理以发送请求至 LightStep [?]PM.
概述
Istio 分布式追踪概述。
深入遥测
演示如何使用 Istio Mixer 和 Istio sidecar 获取指标和日志,并在不同的服务间进行追踪。
增量式应用 Istio 第一部分,流量管理
如何在不部署 Sidecar 代理的情况下使用 Istio 进行流量管理。
