[root@master istio-1.1.]# kubectl apply -f samples/httpbin/httpbin.yaml
service/httpbin created
deployment.extensions/httpbin created
[root@master istio-1.1.]#
[root@master istio-1.1.]# kubectl get svc
NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE
details ClusterIP 10.106.209.133 <none> /TCP 23h
httpbin ClusterIP 10.104.20.107 <none> /TCP 9s
kubernetes ClusterIP 10.96.0.1 <none> /TCP 14d
productpage ClusterIP 10.96.27.39 <none> /TCP 23h
ratings ClusterIP 10.109.45.236 <none> /TCP 23h
reviews ClusterIP 10.102.249.50 <none> /TCP 23h
[root@master istio-1.1.]# kubectl get pod -o wide
NAME READY STATUS RESTARTS AGE IP NODE NOMINATED NODE READINESS GATES
details-v1-79c6548b59-d8448 / Running 23h 10.244.3.186 node02 <none> <none>
httpbin-5446f4d9b4-jtnzw / Running 3m38s 10.244.1.207 node01 <none> <none>
ratings-v1-7665579b75-jjvv7 / Running 23h 10.244.1.203 node01 <none> <none>
reviews-v1-67446f7d9b-hrhbj / Running 23h 10.244.1.204 node01 <none> <none>
reviews-v2-6bc7b4f678-vhjwh / Running 23h 10.244.1.206 node01 <none> <none>
reviews-v3-59b5b6948-sxxhj / Running 23h 10.244.1.205 node01 <none> <none>
[root@master istio-1.1.]# curl 10.104.20.107:8000/headers
{
"headers": {
"Accept": "*/*",
"Host": "10.104.20.107:8000",
"User-Agent": "curl/7.29.0"
}
}
//此时只有集群内部可以访问,集群外部无法访问
//创建网关,让集群外部也可以访问(此网关走明文 HTTP,后文会删除并换成 HTTPS 网关)
[root@master istio-1.1.]# kubectl apply -f samples/httpbin/httpbin-gateway.yaml
gateway.networking.istio.io/httpbin-gateway created
virtualservice.networking.istio.io/httpbin created
[root@master istio-1.1.]# kubectl get gateway
NAME AGE
bookinfo-gateway 23h
httpbin-gateway 3m15s
[root@master istio-1.1.]# kubectl get virtualservice
NAME GATEWAYS HOSTS AGE
bookinfo [bookinfo-gateway] [*] 23h
httpbin [httpbin-gateway] [*] 5m22s
reviews [reviews] 18h

生成证书

https://istio.io/docs/tasks/traffic-management/secure-ingress/#generate-client-and-server-certificates-and-keys

[root@master istio-1.1.]# wget https://github.com/nicholasjackson/mtls-go-example/archive/master.zip
[root@master istio-1.1.]# unzip master.zip
Archive: master.zip
85f7453487e47c018961ca11f3526fd3e5d888d9
creating: mtls-go-example-master/
inflating: mtls-go-example-master/LICENSE
inflating: mtls-go-example-master/README.md
inflating: mtls-go-example-master/generate.sh
inflating: mtls-go-example-master/intermediate_openssl.cnf
inflating: mtls-go-example-master/main.go
inflating: mtls-go-example-master/openssl.cnf
[root@master istio-1.1.]# ls
bin install istio.VERSION LICENSE master.zip mtls-go-example-master README.md samples tools
[root@master istio-1.1.]# cd mtls-go-example-master/
[root@master mtls-go-example-master]# ls
generate.sh intermediate_openssl.cnf LICENSE main.go openssl.cnf README.md
[root@master mtls-go-example-master]# ./generate.sh httpbin.example.com
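//出现提示时,所有问题都选择 y。该命令会生成四个目录:1_root、2_intermediate、3_application 和 4_client,其中包含后续步骤要用到的客户端和服务器证书。
//注意:generate.sh 来自第三方仓库的 master 分支,并且这里以 root 身份运行,执行前应先查看脚本内容;需要固定版本时,可改为下载 unzip 输出中显示的提交 85f7453487e47c018961ca11f3526fd3e5d888d9。这些证书由脚本在本地生成的测试 CA 签发,只适合本示例使用。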
[root@master mtls-go-example-master]# ls
1_root 2_intermediate 3_application 4_client generate.sh intermediate_openssl.cnf LICENSE main.go openssl.cnf README.md
//将证书移动到名为 httpbin.example.com 的目录中
[root@master mtls-go-example-master]# mkdir ../httpbin.example.com && mv 1_root 2_intermediate 3_application 4_client ../httpbin.example.com
[root@master mtls-go-example-master]# ls ../
bin httpbin.example.com install istio.VERSION LICENSE master.zip mtls-go-example-master README.md samples tools

用生成的证书创建 Secret

[root@master istio-1.1.]# kubectl create -n istio-system secret tls istio-ingressgateway-certs --key httpbin.example.com/3_application/private/httpbin.example.com.key.pem --cert httpbin.example.com/3_application/certs/httpbin.example.com.cert.pem
secret/istio-ingressgateway-certs created
//验证 tls.crt 和 tls.key 已挂载到入口网关 pod 中:
[root@master istio-1.1.]# kubectl exec -it -n istio-system $(kubectl -n istio-system get pods -l istio=ingressgateway -o jsonpath='{.items[0].metadata.name}') -- ls -al /etc/istio/ingressgateway-certs
total
drwxrwxrwt root root May : .
drwxr-xr-x root root May : ..
drwxr-xr-x root root May : ..2019_05_25_09_34_54.
lrwxrwxrwx root root May : ..data -> ..2019_05_25_09_34_54.
lrwxrwxrwx root root May : tls.crt -> ..data/tls.crt
lrwxrwxrwx root root May : tls.key -> ..data/tls.key
//删掉之前创建的httpbin-gateway
[root@master istio-1.1.]# kubectl delete -f samples/httpbin/httpbin-gateway.yaml
gateway.networking.istio.io "httpbin-gateway" deleted
virtualservice.networking.istio.io "httpbin" deleted
//创建新的
[root@master istio-1.1.]# vim samples/httpbin/httpbin-gateway-https.yaml
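# HTTPS ingress for the httpbin sample: a Gateway that terminates TLS on the
# Istio ingress gateway, plus a VirtualService that routes two path prefixes
# to the in-cluster httpbin Service.
apiVersion: networking.istio.io/v1alpha3
kind: Gateway
metadata:
  name: httpbin-gateway
spec:
  selector:
    istio: ingressgateway # use istio default ingress gateway
  servers:
  - port:
      # NOTE(review): the port digits are missing in the original listing;
      # 443 is the usual HTTPS port of the ingress gateway - confirm it
      # against your install before applying.
      number: 443
      name: https
      protocol: HTTPS
    tls:
      # SIMPLE = server-side TLS only: the gateway presents its certificate
      # but does not ask the client for one. Use MUTUAL (with caCertificates)
      # if callers must authenticate with a client certificate.
      mode: SIMPLE
      # These paths are where the istio-ingressgateway-certs Secret is
      # mounted inside the ingress gateway pod.
      serverCertificate: /etc/istio/ingressgateway-certs/tls.crt
      privateKey: /etc/istio/ingressgateway-certs/tls.key
    # Only this host name is served; the earlier plain-HTTP gateway matched "*".
    hosts:
    - "httpbin.example.com"
---
apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
  name: httpbin
spec:
  hosts:
  - "httpbin.example.com"
  gateways:
  - httpbin-gateway
  http:
  # Only /status and /delay are routed from outside; other httpbin
  # endpoints (for example /headers) are not exposed through this gateway.
  - match:
    - uri:
        prefix: /status
    - uri:
        prefix: /delay
    route:
    - destination:
        port:
          # httpbin Service port, as seen in the in-cluster curl response
          # (Host: 10.104.20.107:8000).
          number: 8000
        host: httpbin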
[root@master istio-1.1.]# kubectl apply -f samples/httpbin/httpbin-gateway-https.yaml
gateway.networking.istio.io/httpbin-gateway created
virtualservice.networking.istio.io/httpbin created
[root@master istio-1.1.]# kubectl get gateway
NAME AGE
bookinfo-gateway 24h
httpbin-gateway 58s
[root@master istio-1.1.]# kubectl get virtualservice
NAME GATEWAYS HOSTS AGE
bookinfo [bookinfo-gateway] [*] 24h
httpbin [httpbin-gateway] [httpbin.example.com] 70s
reviews [reviews] 20h
[root@master istio-1.1.]# curl -v -HHost:httpbin.example.com --resolve httpbin.example.com:31390:10.0.1.133 --cacert httpbin.example.com/2_intermediate/certs/ca-chain.cert.pem https://httpbin.example.com:31390/status/418
* Added httpbin.example.com::10.0.1.133 to DNS cache
* About to connect() to httpbin.example.com port (#)
* Trying 10.0.1.133...
* Connected to httpbin.example.com (10.0.1.133) port (#)
* Initializing NSS with certpath: sql:/etc/pki/nssdb
* CAfile: httpbin.example.com/2_intermediate/certs/ca-chain.cert.pem
CApath: none
* SSL connection using TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
* Server certificate:
* subject: CN=httpbin.example.com,O=Dis,L=Springfield,ST=Denial,C=US
* start date: May :: GMT
* expire date: Jun :: GMT
* common name: httpbin.example.com
* issuer: CN=httpbin.example.com,O=Dis,ST=Denial,C=US
> GET /status/ HTTP/1.1
> User-Agent: curl/7.29.
> Accept: */*
> Host:httpbin.example.com
>
< HTTP/1.1 418 Unknown
< server: istio-envoy
< date: Sat, 25 May 2019 10:12:24 GMT
< x-more-info: http://tools.ietf.org/html/rfc2324
< access-control-allow-origin: *
< access-control-allow-credentials: true
< content-length: 135
< x-envoy-upstream-service-time: 2
< -=[ teapot ]=- _...._
.' _ _ `.
| ."` ^ `". _,
\_;`"---"`|//
| ;/
\_ _/
`"""`
* Connection #0 to host httpbin.example.com left intact
[root@master istio-1.1.5]#
