OpenShift Service Mesh 3.0 is a Technology Preview feature only
Technology Preview features are not supported with Red Hat production service level agreements (SLAs) and might not be functionally complete. Red Hat does not recommend using them in production. These features provide early access to upcoming product features, enabling customers to test functionality and provide feedback during the development process. This documentation is a work in progress and might not be complete or fully tested.
3.2. Directing egress traffic through a gateway using Istio APIs
Use Istio APIs to direct outbound HTTP traffic through a gateway that was installed by using gateway injection.
Prerequisites
- You have installed a gateway by using gateway injection.
Procedure
Create a namespace named curl by running the following command:
$ oc create namespace curl
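Depending on the update strategy you are using, enable sidecar injection in the namespace by running the appropriate commands:
If you are using the InPlace update strategy, run the following command:
$ oc label namespace curl istio-injection=enabled
If you are using the RevisionBased update strategy, run the following commands:
Display the revision name by running the following command:
$ oc get istiorevisions.sailoperator.io
Example output
NAME              TYPE    READY   STATUS    IN USE   VERSION   AGE
default-v1-23-0   Local   True    Healthy   True     v1.23.0   3m33s
Label the namespace with the revision name to enable sidecar injection by running the following command:
$ oc label namespace curl istio.io/rev=default-v1-23-0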
Deploy the curl application by running the following command:
$ oc apply -n curl -f https://raw.githubusercontent.com/openshift-service-mesh/istio/refs/heads/master/samples/curl/curl.yaml
Export a CURL_POD environment variable that is initialized with the name of the curl pod:
$ export CURL_POD=$(oc get pod -n curl -l app=curl -o jsonpath='{.items[0].metadata.name}')
Create a YAML file named http-se.yaml that directs traffic from the mesh to an external service. The following example defines a ServiceEntry for a URL.
Example configuration
apiVersion: networking.istio.io/v1
kind: ServiceEntry
metadata:
  name: egress-se
  namespace: curl
spec:
  hosts:
  - docs.redhat.com
  ports:
  - number: 80
    name: http-port
    protocol: HTTP
  location: MESH_EXTERNAL
  resolution: DNS
Apply the YAML file by running the following command:
$ oc apply -f http-se.yaml
Ensure that the ServiceEntry configuration was applied correctly. Send an HTTP request to the host that you specified in the previous step by running the following command:
$ oc exec "$CURL_POD" -n curl -c curl -- curl -sSL -o /dev/null -D - http://docs.redhat.com
This command should return an HTTP status code, such as 301 (redirect) or 200 (success), indicating that the connection works.
Create a YAML file named http-gtw.yaml that creates an egress gateway and routes traffic from the mesh to the host specified for the external service.
Example configuration
apiVersion: networking.istio.io/v1alpha3
kind: Gateway
metadata:
  name: egress-gw
  namespace: <gateway_namespace> # Namespace where the egress gateway is deployed
spec:
  selector:
    istio: <gateway_name> # Selects the egress-gateway instance to handle this traffic
  servers:
  - port:
      number: 80
      name: http
      protocol: HTTP
    hosts:
    - docs.redhat.com # External service host, not a full URL.
---
apiVersion: networking.istio.io/v1alpha3
kind: DestinationRule
metadata:
  name: egress-dr
  namespace: <gateway_namespace> # Namespace where the egress gateway is deployed
spec:
  host: <gateway_name>.<gateway_namespace>.svc.cluster.local
  subsets:
  - name: rh-docs
Apply the YAML file by running the following command:
$ oc apply -f http-gtw.yaml
Create a YAML file named http-vs.yaml that sets up a VirtualService to manage the flow of traffic from the application sidecar through the egress gateway to the external host.
Example configuration
apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
  name: egress-vs
  namespace: curl # Namespace where the curl pod is running
spec:
  hosts:
  - docs.redhat.com # External service host, not a full URL.
  gateways:
  - mesh
  - <gateway_namespace>/egress-gw # Egress gateway name defined in the file that you used in the previous step.
  http:
  - match:
    - gateways:
      - mesh
      port: 80
    route:
    - destination:
        host: <gateway_name>.<gateway_namespace>.svc.cluster.local
        subset: rh-docs
        port:
          number: 80
      weight: 100
  - match:
    - gateways:
      - <gateway_namespace>/egress-gw # Egress gateway name defined in the file that you used in the previous step.
      port: 80
    route:
    - destination:
        host: docs.redhat.com
        port:
          number: 80
      weight: 100
Apply the YAML file by running the following command:
$ oc apply -f http-vs.yaml
Resend the HTTP request to the URL:
$ oc exec "$CURL_POD" -n curl -c curl -- curl -sSL -o /dev/null -D - http://docs.redhat.com
The terminal should display information similar to the following output:
Example output
...
HTTP/1.1 301 Moved Permanently
...
location: <example_url>
...
HTTP/2 200
Content-Type: text/html; charset=utf-8
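Ensure that the request was routed through the gateway by running the following command:
$ oc logs deployment/<gateway_name> -n <gateway_namespace> | tail -1
Note
Access logging must be enabled for this verification step to work. You can enable access logging to standard output by setting the spec.values.meshConfig.accessLogFile field to /dev/stdout in the Istio resource.
The terminal should display information similar to the following output:
Example output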
[2024-11-07T14:35:52.428Z] "GET / HTTP/2" 301 - via_upstream - "-" 0 0 24 24 "10.128.2.30" "curl/8.11.0" "79551af2-341b-456d-b414-9220b487a03b" "docs.redhat.com" "23.55.176.201:80" outbound|80||docs.redhat.com 10.128.2.29:49766 10.128.2.29:80 10.128.2.30:38296 -
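The verification step above reads only the last log line with tail -1, which can be a different request on a busy gateway. The following Python script is an added example, not part of the Red Hat documentation: it scans all gateway log lines for requests that the gateway forwarded to the external host. It assumes the default Istio text access log format; the function names and the first and third sample lines are constructed for illustration.

```python
import shlex
import sys

# Token positions in Istio's default Envoy text access log after shell-style
# splitting. Assumption: meshConfig.accessLogFormat is unset (default format).
FIELDS = {"status": 2, "authority": 14, "upstream_host": 15,
          "upstream_cluster": 16, "downstream_remote": 19}

def parse_access_log(line):
    """Return selected fields of one access log line, or None if it is not one."""
    line = line.strip()
    if not line.startswith("["):
        return None  # proxy startup and control-plane messages
    try:
        tokens = shlex.split(line)  # keeps quoted fields (user agent) whole
    except ValueError:
        return None  # unbalanced quotes: skip rather than guess
    if len(tokens) <= max(FIELDS.values()) or not tokens[2].isdigit():
        return None
    return {name: tokens[pos] for name, pos in FIELDS.items()}

def egress_hits(lines, host, port=80):
    """Entries in which the gateway forwarded a request for host upstream."""
    cluster = f"outbound|{port}||{host}"
    hits = []
    for line in lines:
        entry = parse_access_log(line)
        if entry and entry["authority"] == host and entry["upstream_cluster"] == cluster:
            hits.append(entry)
    return hits

# Constructed input: lines 1 and 3 are invented for this example; line 2 is the
# sample output from the verification step.
SAMPLE = [
    "2024-11-07T14:30:01.000000Z\tinfo\tEnvoy proxy is ready",
    '[2024-11-07T14:35:52.428Z] "GET / HTTP/2" 301 - via_upstream - "-" 0 0 24 24 '
    '"10.128.2.30" "curl/8.11.0" "79551af2-341b-456d-b414-9220b487a03b" '
    '"docs.redhat.com" "23.55.176.201:80" outbound|80||docs.redhat.com '
    '10.128.2.29:49766 10.128.2.29:80 10.128.2.30:38296 -',
    '[2024-11-07T14:36:10.101Z] "GET / HTTP/1.1" 404 NR route_not_found - "-" 0 0 0 - '
    '"-" "curl/8.11.0" "00000000-0000-0000-0000-000000000000" "example.com" "-" '
    '- - 10.128.2.29:80 10.128.2.31:40000 - -',
]

if __name__ == "__main__":
    source = SAMPLE if sys.stdin.isatty() else sys.stdin
    for hit in egress_hits(source, "docs.redhat.com"):
        print(hit["status"], hit["downstream_remote"], "->", hit["upstream_host"])
```

To check a live gateway, pipe the output of oc logs deployment/<gateway_name> -n <gateway_namespace> into the script; an empty result means no logged request for the host was forwarded by that gateway.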