1.4. 将 Service Mesh 与 OpenShift Serverless 集成
1.4.1. 验证安装先决条件
在安装和配置 Service Mesh 与 Serverless 集成前,请验证是否已满足先决条件。
流程
检查冲突网关:
示例命令
$ oc get gateway -A -o jsonpath='{range .items[*]}{@.metadata.namespace}{"/"}{@.metadata.name}{" "}{@.spec.servers}{"\n"}{end}' | column -t输出示例
knative-serving/knative-ingress-gateway [{"hosts":["*"],"port":{"name":"https","number":443,"protocol":"HTTPS"},"tls":{"credentialName":"wildcard-certs","mode":"SIMPLE"}}] knative-serving/knative-local-gateway [{"hosts":["*"],"port":{"name":"http","number":8081,"protocol":"HTTP"}}]此命令不应返回绑定
port和:443hosts: ["*"]的网关,除了作为另一个 Service Mesh 实例一部分的knative-serving和Gateways注意Serverless 的网格必须是不同的,最好只为 Serverless 工作负载保留。这是因为额外的配置(如
Gateways)可能会影响 Serverless 网关knative-local-gateway和knative-ingress-gateway。Red Hat OpenShift Service Mesh 只允许一个网关声明同一端口(端口: 443)上的通配符主机绑定(hosts: ["*"])。如果另一个网关已绑定此配置,必须为 Serverless 工作负载创建单独的网格。检查 Red Hat OpenShift Service Mesh
istio-ingressgateway是否作为NodePort或LoadBalancer公开:示例命令
$ oc get svc -A | grep istio-ingressgateway
输出示例
istio-system istio-ingressgateway ClusterIP 172.30.46.146 none> 15021/TCP,80/TCP,443/TCP 9m50s
此命令不应返回类型为
NodePort或LoadBalancer的Service对象。注意集群外部 Knative Services 期望使用 OpenShift 路由通过 OpenShift Ingress 调用。不支持直接访问 Service Mesh,比如使用类型为
NodePort或LoadBalancer的Service对象公开istio-ingressgateway。
1.4.2. 安装和配置 Service Mesh
要将 Serverless 与 Service Mesh 集成,您需要使用特定的配置安装 Service Mesh。
流程
使用以下配置在
istio-system命名空间中创建ServiceMeshControlPlane资源:重要如果您有一个现有的
ServiceMeshControlPlane对象,请确保应用了相同的配置。apiVersion: maistra.io/v2 kind: ServiceMeshControlPlane metadata: name: basic namespace: istio-system spec: profiles: - default security: dataPlane: mtls: true 1 techPreview: meshConfig: defaultConfig: terminationDrainDuration: 35s 2 gateways: ingress: service: metadata: labels: knative: ingressgateway 3 proxy: networking: trafficControl: inbound: excludedPorts: 4 - 8444 # metrics - 8022 # serving: wait-for-drain k8s pre-stop hook将您要与 Service Mesh 集成的命名空间作为成员添加到
ServiceMeshMemberRoll对象中:servicemesh-member-roll.yaml配置文件示例apiVersion: maistra.io/v1 kind: ServiceMeshMemberRoll metadata: name: default namespace: istio-system spec: members: 1 - knative-serving - knative-eventing - your-OpenShift-projects- 1
- 要与 Service Mesh 集成的命名空间列表。
重要此命名空间列表必须包含
knative-serving和knative-eventing命名空间。应用
ServiceMeshMemberRoll资源:$ oc apply -f servicemesh-member-roll.yaml
创建必要的网关,以便 Service Mesh 可以接受流量。以下示例使用带有
ISTIO_MUTUAL模式的knative-local-gateway对象(mTLS):istio-knative-gateways.yaml配置文件示例apiVersion: networking.istio.io/v1alpha3 kind: Gateway metadata: name: knative-ingress-gateway namespace: knative-serving spec: selector: knative: ingressgateway servers: - port: number: 443 name: https protocol: HTTPS hosts: - "*" tls: mode: SIMPLE credentialName: <wildcard_certs> 1 --- apiVersion: networking.istio.io/v1alpha3 kind: Gateway metadata: name: knative-local-gateway namespace: knative-serving spec: selector: knative: ingressgateway servers: - port: number: 8081 name: https protocol: HTTPS 2 tls: mode: ISTIO_MUTUAL 3 hosts: - "*" --- apiVersion: v1 kind: Service metadata: name: knative-local-gateway namespace: istio-system labels: experimental.istio.io/disable-gateway-port-translation: "true" spec: type: ClusterIP selector: istio: ingressgateway ports: - name: http2 port: 80 targetPort: 8081应用
Gateway资源:$ oc apply -f istio-knative-gateways.yaml
1.4.3. 安装和配置 Serverless
安装 Service Mesh 后,您需要使用特定的配置安装 Serverless。
流程
使用以下
KnativeServing自定义资源安装 Knative Serving,这样可启用 Istio 集成:knative-serving-config.yaml配置文件示例apiVersion: operator.knative.dev/v1beta1 kind: KnativeServing metadata: name: knative-serving namespace: knative-serving spec: ingress: istio: enabled: true 1 deployments: 2 - name: activator annotations: "sidecar.istio.io/inject": "true" "sidecar.istio.io/rewriteAppHTTPProbers": "true" - name: autoscaler annotations: "sidecar.istio.io/inject": "true" "sidecar.istio.io/rewriteAppHTTPProbers": "true" config: istio: 3 gateway.knative-serving.knative-ingress-gateway: istio-ingressgateway.<your-istio-namespace>.svc.cluster.local local-gateway.knative-serving.knative-local-gateway: knative-local-gateway.<your-istio-namespace>.svc.cluster.local应用
KnativeServing资源:$ oc apply -f knative-serving-config.yaml
使用以下 KnativeEventing 对象安装
Knative Eventing,它启用了 Istio 集成:knative-eventing-config.yaml配置文件示例apiVersion: operator.knative.dev/v1beta1 kind: KnativeEventing metadata: name: knative-eventing namespace: knative-eventing spec: config: features: istio: enabled 1 workloads: 2 - name: pingsource-mt-adapter annotations: "sidecar.istio.io/inject": "true" "sidecar.istio.io/rewriteAppHTTPProbers": "true" - name: imc-dispatcher annotations: "sidecar.istio.io/inject": "true" "sidecar.istio.io/rewriteAppHTTPProbers": "true" - name: mt-broker-ingress annotations: "sidecar.istio.io/inject": "true" "sidecar.istio.io/rewriteAppHTTPProbers": "true" - name: mt-broker-filter annotations: "sidecar.istio.io/inject": "true" "sidecar.istio.io/rewriteAppHTTPProbers": "true"应用
KnativeEventing资源:$ oc apply -f knative-eventing-config.yaml
使用以下 KnativeKafka 自定义资源安装
Knative Kafka,它启用了 Istio 集成:knative-kafka-config.yaml配置文件示例apiVersion: operator.serverless.openshift.io/v1alpha1 kind: KnativeKafka metadata: name: knative-kafka namespace: knative-eventing spec: channel: enabled: true bootstrapServers: <bootstrap_servers> 1 source: enabled: true broker: enabled: true defaultConfig: bootstrapServers: <bootstrap_servers> 2 numPartitions: <num_partitions> replicationFactor: <replication_factor> sink: enabled: true workloads: 3 - name: kafka-controller annotations: "sidecar.istio.io/inject": "true" "sidecar.istio.io/rewriteAppHTTPProbers": "true" - name: kafka-broker-receiver annotations: "sidecar.istio.io/inject": "true" "sidecar.istio.io/rewriteAppHTTPProbers": "true" - name: kafka-broker-dispatcher annotations: "sidecar.istio.io/inject": "true" "sidecar.istio.io/rewriteAppHTTPProbers": "true" - name: kafka-channel-receiver annotations: "sidecar.istio.io/inject": "true" "sidecar.istio.io/rewriteAppHTTPProbers": "true" - name: kafka-channel-dispatcher annotations: "sidecar.istio.io/inject": "true" "sidecar.istio.io/rewriteAppHTTPProbers": "true" - name: kafka-source-dispatcher annotations: "sidecar.istio.io/inject": "true" "sidecar.istio.io/rewriteAppHTTPProbers": "true" - name: kafka-sink-receiver annotations: "sidecar.istio.io/inject": "true" "sidecar.istio.io/rewriteAppHTTPProbers": "true"应用
KnativeEventing对象:$ oc apply -f knative-kafka-config.yaml
安装
ServiceEntry以告知 Service MeshKnativeKafka组件和 Apache Kafka 集群之间的通信:kafka-cluster-serviceentry.yaml配置文件示例apiVersion: networking.istio.io/v1alpha3 kind: ServiceEntry metadata: name: kafka-cluster namespace: knative-eventing spec: hosts: 1 - <bootstrap_servers_without_port> exportTo: - "." ports: 2 - number: 9092 name: tcp-plain protocol: TCP - number: 9093 name: tcp-tls protocol: TCP - number: 9094 name: tcp-sasl-tls protocol: TCP - number: 9095 name: tcp-sasl-tls protocol: TCP - number: 9096 name: tcp-tls protocol: TCP location: MESH_EXTERNAL resolution: NONE
注意spec.ports中列出的端口为 example requirement 端口。实际值取决于 Apache Kafka 集群的配置方式。应用
ServiceEntry资源:$ oc apply -f kafka-cluster-serviceentry.yaml
1.4.4. 验证集成
安装 Service Mesh 和启用了 Istio 的 Serverless 后,您可以验证集成是否正常工作。
流程
创建一个启用了 sidecar 注入并使用 pass-through 路由的 Knative Service:
knative-service.yaml配置文件示例apiVersion: serving.knative.dev/v1 kind: Service metadata: name: <service_name> namespace: <namespace> 1 annotations: serving.knative.openshift.io/enablePassthrough: "true" 2 spec: template: metadata: annotations: sidecar.istio.io/inject: "true" 3 sidecar.istio.io/rewriteAppHTTPProbers: "true" spec: containers: - image: <image_url>
重要始终将注解添加到所有 Knative Service 中,使其可用于 Service Mesh。
应用
Service资源:$ oc apply -f knative-service.yaml
使用 CA 信任的安全连接访问无服务器应用程序:
$ curl --cacert root.crt <service_url>
例如,运行:
示例命令
$ curl --cacert root.crt https://hello-default.apps.openshift.example.com
输出示例
Hello Openshift!
