1.4. 将 Service Mesh 与 OpenShift Serverless 集成
1.4.1. 验证安装先决条件
在安装和配置 Service Mesh 与 Serverless 集成前,请验证是否满足先决条件。
流程
检查冲突网关:
示例命令
$ oc get gateway -A -o jsonpath='{range .items[*]}{@.metadata.namespace}{"/"}{@.metadata.name}{" "}{@.spec.servers}{"\n"}{end}' | column -t
输出示例
knative-serving/knative-ingress-gateway [{"hosts":["*"],"port":{"name":"https","number":443,"protocol":"HTTPS"},"tls":{"credentialName":"wildcard-certs","mode":"SIMPLE"}}] knative-serving/knative-local-gateway [{"hosts":["*"],"port":{"name":"http","number":8081,"protocol":"HTTP"}}]
这个命令不应该返回绑定端口
的网关
:443
和hosts: ["*"]
,除了作为另一个 Service Mesh 实例一部分的knative-serving
和Gateways
注意Serverless 是 Serverless 一部分的网格必须不同,最好只为 Serverless 工作负载保留。这是因为额外的配置(如
Gateways
)可能会影响 Serverless 网关knative-local-gateway
和knative-ingress-gateway
。Red Hat OpenShift Service Mesh 只允许一个网关在同一端口(端口:443 )上声明通配符主机绑定(
)。如果另一个网关已绑定此配置,则必须为 Serverless 工作负载创建一个单独的网格。hosts:
["*"]检查 Red Hat OpenShift Service Mesh
istio-ingressgateway
是否作为类型NodePort
或LoadBalancer
公开:示例命令
$ oc get svc -A | grep istio-ingressgateway
输出示例
istio-system istio-ingressgateway ClusterIP 172.30.46.146 none> 15021/TCP,80/TCP,443/TCP 9m50s
此命令不应返回
NodePort
或LoadBalancer
类型的Service
对象。注意应该使用 OpenShift 路由通过 OpenShift Ingress 调用集群外部 Knative 服务。不支持直接访问 Service Mesh,比如使用类型为
NodePort
或LoadBalancer
的Service
对象公开istio-ingressgateway
。
1.4.2. 安装和配置 Service Mesh
要将 Serverless 与 Service Mesh 集成,您需要使用特定的配置安装 Service Mesh。
流程
使用以下配置在
istio-system
命名空间中创建ServiceMeshControlPlane
资源:重要如果您有一个现有的
ServiceMeshControlPlane
对象,请确保应用了相同的配置。apiVersion: maistra.io/v2 kind: ServiceMeshControlPlane metadata: name: basic namespace: istio-system spec: profiles: - default security: dataPlane: mtls: true 1 techPreview: meshConfig: defaultConfig: terminationDrainDuration: 35s 2 gateways: ingress: service: metadata: labels: knative: ingressgateway 3 proxy: networking: trafficControl: inbound: excludedPorts: 4 - 8444 # metrics - 8022 # serving: wait-for-drain k8s pre-stop hook
将您要与 Service Mesh 集成的命名空间作为成员添加到
ServiceMeshMemberRoll
对象中:servicemesh-member-roll.yaml
配置文件示例apiVersion: maistra.io/v1 kind: ServiceMeshMemberRoll metadata: name: default namespace: istio-system spec: members: 1 - knative-serving - knative-eventing - your-OpenShift-projects
- 1
- 要与 Service Mesh 集成的命名空间列表。
重要此命名空间列表必须包含
knative-serving
和knative-eventing
命名空间。应用
ServiceMeshMemberRoll
资源:$ oc apply -f servicemesh-member-roll.yaml
创建必要的网关,以便 Service Mesh 可以接受流量。以下示例使用带有
ISTIO_MUTUAL
模式(mTLS)的knative-local-gateway
对象:istio-knative-gateways.yaml
配置文件示例apiVersion: networking.istio.io/v1alpha3 kind: Gateway metadata: name: knative-ingress-gateway namespace: knative-serving spec: selector: knative: ingressgateway servers: - port: number: 443 name: https protocol: HTTPS hosts: - "*" tls: mode: SIMPLE credentialName: <wildcard_certs> 1 --- apiVersion: networking.istio.io/v1alpha3 kind: Gateway metadata: name: knative-local-gateway namespace: knative-serving spec: selector: knative: ingressgateway servers: - port: number: 8081 name: https protocol: HTTPS 2 tls: mode: ISTIO_MUTUAL 3 hosts: - "*" --- apiVersion: v1 kind: Service metadata: name: knative-local-gateway namespace: istio-system labels: experimental.istio.io/disable-gateway-port-translation: "true" spec: type: ClusterIP selector: istio: ingressgateway ports: - name: http2 port: 80 targetPort: 8081
应用
Gateway
资源:$ oc apply -f istio-knative-gateways.yaml
1.4.3. 安装和配置 Serverless
安装 Service Mesh 后,您需要使用特定的配置安装 Serverless。
流程
使用以下
KnativeServing
自定义资源安装 Knative Serving,该资源启用 Istio 集成:knative-serving-config.yaml
配置文件示例apiVersion: operator.knative.dev/v1beta1 kind: KnativeServing metadata: name: knative-serving namespace: knative-serving spec: ingress: istio: enabled: true 1 deployments: 2 - name: activator labels: "sidecar.istio.io/inject": "true" annotations: "sidecar.istio.io/rewriteAppHTTPProbers": "true" - name: autoscaler labels: "sidecar.istio.io/inject": "true" annotations: "sidecar.istio.io/rewriteAppHTTPProbers": "true" config: istio: 3 gateway.knative-serving.knative-ingress-gateway: istio-ingressgateway.<your-istio-namespace>.svc.cluster.local local-gateway.knative-serving.knative-local-gateway: knative-local-gateway.<your-istio-namespace>.svc.cluster.local
应用
KnativeServing
资源:$ oc apply -f knative-serving-config.yaml
使用以下 KnativeEventing 对象安装
Knative Eventing
,它启用了 Istio 集成:knative-eventing-config.yaml
配置文件示例apiVersion: operator.knative.dev/v1beta1 kind: KnativeEventing metadata: name: knative-eventing namespace: knative-eventing spec: config: features: istio: enabled 1 workloads: 2 - name: pingsource-mt-adapter labels: "sidecar.istio.io/inject": "true" annotations: "sidecar.istio.io/rewriteAppHTTPProbers": "true" - name: imc-dispatcher labels: "sidecar.istio.io/inject": "true" annotations: "sidecar.istio.io/rewriteAppHTTPProbers": "true" - name: mt-broker-ingress labels: "sidecar.istio.io/inject": "true" annotations: "sidecar.istio.io/rewriteAppHTTPProbers": "true" - name: mt-broker-filter labels: "sidecar.istio.io/inject": "true" annotations: "sidecar.istio.io/rewriteAppHTTPProbers": "true"
应用
KnativeEventing
资源:$ oc apply -f knative-eventing-config.yaml
使用以下 KnativeKafka 自定义资源安装
Knative Kafka
,该资源启用 Istio 集成:knative-kafka-config.yaml
配置文件示例apiVersion: operator.serverless.openshift.io/v1alpha1 kind: KnativeKafka metadata: name: knative-kafka namespace: knative-eventing spec: channel: enabled: true bootstrapServers: <bootstrap_servers> 1 source: enabled: true broker: enabled: true defaultConfig: bootstrapServers: <bootstrap_servers> 2 numPartitions: <num_partitions> replicationFactor: <replication_factor> sink: enabled: true workloads: 3 - name: kafka-controller labels: "sidecar.istio.io/inject": "true" annotations: "sidecar.istio.io/rewriteAppHTTPProbers": "true" - name: kafka-broker-receiver labels: "sidecar.istio.io/inject": "true" annotations: "sidecar.istio.io/rewriteAppHTTPProbers": "true" - name: kafka-broker-dispatcher labels: "sidecar.istio.io/inject": "true" annotations: "sidecar.istio.io/rewriteAppHTTPProbers": "true" - name: kafka-channel-receiver labels: "sidecar.istio.io/inject": "true" annotations: "sidecar.istio.io/rewriteAppHTTPProbers": "true" - name: kafka-channel-dispatcher labels: "sidecar.istio.io/inject": "true" annotations: "sidecar.istio.io/rewriteAppHTTPProbers": "true" - name: kafka-source-dispatcher labels: "sidecar.istio.io/inject": "true" annotations: "sidecar.istio.io/rewriteAppHTTPProbers": "true" - name: kafka-sink-receiver labels: "sidecar.istio.io/inject": "true" annotations: "sidecar.istio.io/rewriteAppHTTPProbers": "true"
应用
KnativeEventing
对象:$ oc apply -f knative-kafka-config.yaml
安装
ServiceEntry
以告知 Service MeshKnativeKafka
组件和 Apache Kafka 集群之间的通信:kafka-cluster-serviceentry.yaml
配置文件示例apiVersion: networking.istio.io/v1alpha3 kind: ServiceEntry metadata: name: kafka-cluster namespace: knative-eventing spec: hosts: 1 - <bootstrap_servers_without_port> exportTo: - "." ports: 2 - number: 9092 name: tcp-plain protocol: TCP - number: 9093 name: tcp-tls protocol: TCP - number: 9094 name: tcp-sasl-tls protocol: TCP - number: 9095 name: tcp-sasl-tls protocol: TCP - number: 9096 name: tcp-tls protocol: TCP location: MESH_EXTERNAL resolution: NONE
注意spec.ports
中列出的端口是 examplecategories 端口。实际值取决于 Apache Kafka 集群的配置方式。应用
ServiceEntry
资源:$ oc apply -f kafka-cluster-serviceentry.yaml
1.4.4. 验证集成
安装启用了 Istio 的 Service Mesh 和 Serverless 后,您可以验证集成是否正常工作。
流程
创建一个启用了 sidecar 注入并使用 pass-through 路由的 Knative Service:
knative-service.yaml
配置文件示例apiVersion: serving.knative.dev/v1 kind: Service metadata: name: <service_name> namespace: <namespace> 1 annotations: serving.knative.openshift.io/enablePassthrough: "true" 2 spec: template: metadata: annotations: sidecar.istio.io/inject: "true" 3 sidecar.istio.io/rewriteAppHTTPProbers: "true" spec: containers: - image: <image_url>
重要始终将来自此示例中的注解添加到所有 Knative Service 中,以使它们与 Service Mesh 一起工作。
应用
Service
资源:$ oc apply -f knative-service.yaml
使用 CA 信任的安全连接访问无服务器应用程序:
$ curl --cacert root.crt <service_url>
例如,运行:
示例命令
$ curl --cacert root.crt https://hello-default.apps.openshift.example.com
输出示例
Hello Openshift!