红帽全球峰会第 7 章 参考
7.1. 迁移参考
OpenShift Service Mesh 2 ServiceMeshControlPlane 资源的许多配置选项更改了 OpenShift Service Mesh 3 Istio 资源中的位置。下表提供了基于现有 OpenShift Service Mesh 2 ServiceMeshControlPlane 资源在 OpenShift Service Mesh 3 中创建新的 Istio 资源的指导。
7.1.1. Service Mesh 2 和 Service Mesh 3 之间的配置字段映射
OpenShift Service Mesh 2 ServiceMeshControlPlane 中的多个 spec 字段可以在 OpenShift Service Mesh 3 Istio 资源中配置。
下表提供了在 OpenShift Service Mesh 3 中配置 Istio 资源的指导。
7.1.1.1. 集群配置
| SMCP 2.6 配置 | Istio 3.0 配置 |
|---|---|
| spec.cluster.multiCluster.enabled | spec.values.global.multiCluster.enabled |
| spec.cluster.multiCluster.meshNetworks | spec.values.global.meshNetworks |
| spec.cluster.multiCluster.meshNetworks.endpoints | spec.values.global.meshNetworks.endpoints |
| spec.cluster.multiCluster.meshNetworks.endpoints.fromCID | spec.values.global.meshNetworks.endpoints.fromCidr |
| spec.cluster.multiCluster.meshNetworks.endpoints.fromRegistry | spec.values.global.meshNetworks.endpoints.fromRegistry |
| spec.cluster.multiCluster.meshNetworks.gateways | spec.values.global.meshNetworks.gateways |
| spec.cluster.multiCluster.meshNetworks.gateways.address | spec.values.global.meshNetworks.gateways.address |
| spec.cluster.multiCluster.meshNetworks.gateways.port | spec.values.global.meshNetworks.gateways.port |
| spec.cluster.multiCluster.meshNetworks.gateways.registryServiceName | spec.values.global.meshNetworks.gateways.registryServiceName |
| spec.cluster.name | spec.values.global.multiCluster.clusterName |
| spec.cluster.network | spec.values.global.network |
7.1.1.2. 常规配置
| SMCP 2.6 配置 | Istio 3.0 配置 |
|---|---|
| spec.general.logging.componentLevels | spec.values.global.logging.levels |
| spec.general.logging.logAsJSON | spec.values.global.logAsJson |
| spec.general.validationMessages | spec.values.global.istiod.enableAnalysis |
7.1.1.3. MeshConfig 配置
| SMCP 2.6 配置 | Istio 3.0 配置 |
|---|---|
| spec.values.meshConfig.discoverySelectors | spec.values.meshConfig.discoverySelectors |
| spec.values.meshConfig.extensionProviders | spec.values.meshConfig.extensionProviders |
7.1.1.4. 模式配置
OpenShift Service Mesh 2 ServiceMeshControlPlane 资源中的模式配置有:
- 多租户
- 集群范围的
- federation
在 OpenShift Service Mesh 3 中,使用 Istio 资源中的单个字段没有配置模式。
默认情况下,OpenShift Service Mesh 3 control plane 可以访问所有相当于 OpenShift Service Mesh 2 中集群范围模式的命名空间。要在 OpenShift Service Mesh 3 中的 OpenShift Service Mesh 2 中与 MultiTenant 模式类似,您必须使用 discoverySelectors 字段。如需更多信息,请参阅"在单个集群中部署多个服务网格"。
7.1.1.5. 配置集配置
OpenShift Service Mesh 3 的配置集配置选项有:
-
ambient -
default -
demo -
empty -
openshift-ambient -
openshift -
预览 -
stable
7.1.1.6. 代理配置
7.1.1.6.1. 访问日志记录配置字段
| SMCP 2.6 配置 | Istio 3.0 配置 |
|---|---|
| spec.proxy.accessLogging.envoyService.address | spec.values.meshConfig.defaultConfig.envoyAccessLogService.address |
| spec.proxy.accessLogging.envoyService.enabled | spec.values.meshConfig.enableEnvoyAccessLogService |
| spec.proxy.accessLogging.envoyService.tcpKeepalive | spec.values.meshConfig.defaultConfig.envoyAccessLogService.tcpKeepalive |
| spec.proxy.accessLogging.envoyService.tcpKeepalive.interval | spec.values.meshConfig.defaultConfig.envoyAccessLogService.tcpKeepalive.interval |
| spec.proxy.accessLogging.envoyService.tcpKeepalive.probes | spec.values.meshConfig.defaultConfig.envoyAccessLogService.tcpKeepalive.probes |
| spec.proxy.accessLogging.envoyService.tcpKeepalive.time | spec.values.meshConfig.defaultConfig.envoyAccessLogService.tcpKeepalive.time |
| spec.proxy.accessLogging.envoyService.tlsSettings | spec.values.meshConfig.defaultConfig.envoyAccessLogService.tlsSettings |
| spec.proxy.accessLogging.file.encoding | spec.values.meshConfig.accessLogEncoding |
| spec.proxy.accessLogging.file.format | spec.values.meshConfig.accessLogFormat |
| spec.proxy.accessLogging.file.name | spec.values.meshConfig.accessLogFile |
7.1.1.6.2. 基本代理配置字段
| SMCP 2.6 配置 | Istio 3.0 配置 |
|---|---|
| spec.proxy.adminPort | spec.values.meshConfig.defaultConfig.proxyAdminPort |
| spec.proxy.concurrency | spec.values.meshConfig.defaultConfig.concurrency |
7.1.1.6.3. Envoy 指标服务字段
| SMCP 2.6 配置 | Istio 3.0 配置 |
|---|---|
| spec.proxy.envoyMetricsService.address | spec.values.meshConfig.defaultConfig.envoyMetricsService.address |
| spec.proxy.envoyMetricsService.enabled | spec.values.meshConfig.enableEnvoyAccessLogService |
| spec.proxy.envoyMetricsService.tcpKeepalive | spec.values.meshConfig.defaultConfig.envoyMetricsService.tcpKeepalive |
| spec.proxy.envoyMetricsService.tlsSettings | spec.values.meshConfig.defaultConfig.envoyMetricsService.tlsSettings |
7.1.1.6.4. 注入配置字段
| SMCP 2.6 配置 | Istio 3.0 配置 |
|---|---|
| spec.proxy.injection.alwaysInjectSelector | spec.values.sidecarInjectorWebhook.alwaysInjectSelector |
| spec.proxy.injection.neverInjectSelector | spec.values.sidecarInjectorWebhook.neverInjectSelector |
| spec.proxy.injection.injectedAnnotations | spec.values.sidecarInjectorWebhook.injectedAnnotations |
| spec.proxy.injection.autoInject | spec.values.global.proxy.autoInject |
7.1.1.6.5. 代理日志记录配置字段
| SMCP 2.6 配置 | Istio 3.0 配置 |
|---|---|
| spec.proxy.logging.componentLevels | spec.values.global.proxy.componentLogLevel |
| spec.proxy.logging.level | spec.values.global.logging.level |
7.1.1.6.6. 代理网络配置字段
| SMCP 2.6 配置 | Istio 3.0 配置 |
|---|---|
| spec.proxy.networking.clusterDomain | spec.values.global.proxy.clusterDomain |
| spec.proxy.networking.connectionTimeout | spec.values.meshConfig.connectTimeout |
| spec.proxy.networking.dns.refreshRate | spec.values.meshConfig.dnsRefreshRate |
| spec.proxy.networking.dns.searchSuffixes | spec.values.global.podDNSSearchNamespaces |
| spec.proxy.networking.initialization.initContainer.runtime.imageName | spec.values.global.proxy_init.image |
| spec.proxy.networking.initialization.initContainer.runtime.imagePullPolicy | spec.values.global.imagePullPolicy |
| spec.proxy.networking.initialization.initContainer.runtime.imagePullSecrets | spec.values.global.imagePullSecrets |
| spec.proxy.networking.initialization.initContainer.runtime.imageRegistry | spec.values.global.hub |
| spec.proxy.networking.initialization.initContainer.runtime.imageTag | spec.values.global.tag |
| spec.proxy.networking.initialization.initContainer.runtime.resources | spec.values.global.proxy_init.resources |
| spec.proxy.networking.maxConnectionAge | spec.values.pilot.keepaliveMaxServerConnectionAge |
| spec.proxy.networking.protocol.timeout | spec.values.meshConfig.protocolDetectionTimeout |
7.1.1.6.7. 流量控制配置字段
| SMCP 2.6 配置 | Istio 3.0 配置 |
|---|---|
| spec.proxy.networking.trafficControl.inbound.excludedPorts | spec.values.global.proxy.excludeInboundPorts |
| spec.proxy.networking.trafficControl.inbound.includedPorts | spec.values.global.proxy.includeInboundPorts |
| spec.proxy.networking.trafficControl.inbound.interceptionMode | spec.values.meshConfig.defaultConfig.interceptionMode |
| spec.proxy.networking.trafficControl.outbound.excludedIPRanges | spec.values.global.proxy.excludeIPRanges |
| spec.proxy.networking.trafficControl.outbound.excludedPorts | spec.values.global.proxy.excludeOutboundPorts |
| spec.proxy.networking.trafficControl.outbound.includedIPRanges | spec.values.global.proxy.includeIPRanges |
| spec.proxy.networking.trafficControl.outbound.policy | spec.values.meshConfig.outboundTrafficPolicy.mode |
7.1.1.6.8. 代理运行时配置字段
| SMCP 2.6 配置 | Istio 3.0 配置 |
|---|---|
| spec.proxy.runtime.container.env | spec.values.meshConfig.defaultConfig.proxyMetadata |
| spec.proxy.runtime.container.imageName | spec.values.global.proxy.image |
| spec.proxy.runtime.container.imagePullPolicy | spec.values.global.imagePullPolicy |
| spec.proxy.runtime.container.imagePullSecrets | spec.values.global.imagePullSecrets |
| spec.proxy.runtime.container.imageRegistry | spec.values.global.hub |
| spec.proxy.runtime.container.imageTag | spec.values.global.tag |
| spec.proxy.runtime.container.resources | spec.values.global.proxy.resources |
| spec.proxy.runtime.readiness.failureThreshold | spec.values.global.proxy.readinessFailureThreshold |
| spec.proxy.runtime.readiness.initialDelaySeconds | spec.values.global.proxy.readinessInitialDelaySeconds |
| spec.proxy.runtime.readiness.periodSeconds | spec.values.global.proxy.readinessPeriodSeconds |
| spec.proxy.runtime.readiness.rewriteApplicationProbes | spec.values.sidecarInjectorWebhook.rewriteAppHTTPProbe |
| spec.proxy.runtime.readiness.statusPort | spec.values.global.proxy.statusPort |
7.1.1.7. 运行时配置
7.1.1.7.1. 容器配置字段
| SMCP 2.6 配置 | Istio 3.0 配置 |
|---|---|
| spec.runtime.components.container.env | spec.values.pilot.env |
| spec.runtime.components.container.imageName | spec.values.pilot.image |
| spec.runtime.components.container.imagePullPolicy | spec.values.global.imagePullPolicy |
| spec.runtime.components.container.imagePullSecrets | spec.values.global.imagePullSecrets |
| spec.runtime.components.container.imageRegistry | spec.values.global.hub |
| spec.runtime.components.container.imageTag | spec.values.pilot.tag |
| spec.runtime.components.container.resources | spec.values.pilot.resources |
7.1.1.7.2. 部署配置字段
| SMCP 2.6 配置 | Istio 3.0 配置 |
|---|---|
| spec.runtime.components.deployment.autoScaling.enabled | spec.values.pilot.autoscaleEnabled |
| spec.runtime.components.deployment.autoScaling.maxReplicas | spec.values.pilot.autoscaleMax |
| spec.runtime.components.deployment.autoScaling.minReplicas | spec.values.pilot.autoscaleMin |
| spec.runtime.components.deployment.autoScaling.targetCPUUtilizationPercentage | spec.values.pilot.cpu.targetAverageUtilization |
| spec.runtime.components.deployment.replicas | spec.values.pilot.replicaCount |
| spec.runtime.components.deployment.strategy.rollingUpdate.maxSurge | spec.values.pilot.rollingMaxSurge |
| spec.runtime.components.deployment.strategy.rollingUpdate.maxUnavailable | spec.values.pilot.rollingMaxUnavailable |
7.1.1.7.3. Pod 配置字段
| SMCP 2.6 配置 | Istio 3.0 配置 |
|---|---|
| spec.runtime.components.pod.affinity | spec.values.pilot.affinity |
| spec.runtime.components.pod.affinity.nodeAffinity | spec.values.pilot.affinity.nodeAffinity |
| spec.runtime.components.pod.affinity.podAffinity | spec.values.pilot.affinity.podAffinity |
| spec.runtime.components.pod.affinity.podAntiAffinity | spec.values.pilot.affinity.podAntiAffinity |
| spec.runtime.components.pod.metadata.annotations | spec.values.pilot.podAnnotations |
| spec.runtime.components.pod.metadata.labels | spec.values.pilot.podLabels |
| spec.runtime.components.pod.nodeSelector | spec.values.pilot.nodeSelector |
| spec.runtime.components.pod.tolerations | spec.values.pilot.tolerations |
7.1.1.7.4. 默认值配置字段
| SMCP 2.6 配置 | Istio 3.0 配置 |
|---|---|
| spec.runtime.defaults.container.imagePullPolicy | spec.values.global.imagePullPolicy |
| spec.runtime.defaults.container.imagePullSecrets | spec.values.global.imagePullSecrets |
| spec.runtime.defaults.container.imageRegistry | spec.values.global.hub |
| spec.runtime.defaults.container.imageTag | spec.values.global.tag |
| spec.runtime.defaults.container.resources | spec.values.global.defaultResources |
| spec.runtime.defaults.deployment.podDisruption.enabled | spec.values.global.defaultPodDisruptionBudget.enabled |
| spec.runtime.defaults.pod.nodeSelector | spec.values.global.defaultNodeSelector |
| spec.runtime.defaults.pod.tolerations | spec.values.global.defaultTolerations |
7.1.1.8. 安全配置
7.1.1.8.1. 证书颁发机构(CA)字段
| SMCP 2.6 配置 | Istio 3.0 配置 |
|---|---|
| spec.security.certificateAuthority.cert-manager | spec.values.meshConfig.ca AND spec.values.global.pilotCertProvider |
| spec.security.certificateAuthority.cert-manager.address | spec.values.meshConfig.ca.address |
| spec.security.certificateAuthority.custom.address | spec.values.meshConfig.ca.address |
7.1.1.8.2. Istiod CA 字段
| SMCP 2.6 配置 | Istio 3.0 配置 |
|---|---|
| spec.security.certificateAuthority.istiod.type | spec.values.global.pilotCertProvider |
7.1.1.8.3. control plane 安全字段
| SMCP 2.6 配置 | Istio 3.0 配置 |
|---|---|
| spec.security.controlPlane.certProvider | spec.values.global.pilotCertProvider |
| spec.security.controlPlane.mtls | spec.values.meshConfig.enableAutoMtls |
| spec.security.controlPlane.tls.cipherSuites | spec.values.meshConfig.tlsDefaults.cipherSuites |
| spec.security.controlPlane.tls.ecdhCurves | spec.values.meshConfig.tlsDefaults.ecdhCurves |
| spec.security.controlPlane.tls.minProtocolVersion | spec.values.meshConfig.tlsDefaults.minProtocolVersion |
7.1.1.8.4. data plane 安全字段
| SMCP 2.6 配置 | Istio 3.0 配置 |
|---|---|
| spec.security.dataPlane.automtls | spec.values.meshConfig.enableAutoMtls |
| spec.security.dataPlane.mtls | spec.values.meshConfig.meshMTLS |
7.1.1.8.5. 身份配置字段
| SMCP 2.6 配置 | Istio 3.0 配置 |
|---|---|
| spec.security.identity.thirdParty.audience | spec.values.global.sds.token.aud |
7.1.1.8.6. 其他安全字段
| SMCP 2.6 配置 | Istio 3.0 配置 |
|---|---|
| spec.security.jwksResolverCA | spec.values.pilot.jwksResolverExtraRootCA |
| spec.security.trust.domain | spec.values.meshConfig.trustDomain |
| spec.security.trust.additionalDomains | spec.values.meshConfig.trustDomainAliases |
7.1.1.9. 追踪配置
| SMCP 2.6 配置 | Istio 3.0 配置 |
|---|---|
| spec.tracing.sampling | spec.values.pilot.traceSampling |
7.1.2. Service Mesh 3 中不支持的配置字段
下表列出了 Red Hat OpenShift Service Mesh 3 不支持的 OpenShift Service Mesh 2 ServiceMeshControlPlane 配置字段。这不一定意味着删除了功能。在某些情况下,如添加,您需要单独安装应用程序并单独配置它。
7.1.2.1. 不支持的附加组件配置
附加组件(如 Red Hat OpenShift distributed tracing platform、红帽提供的 Kiali Operator 等)在 OpenShift Service Mesh 3 中单独管理和配置。如需更多信息,请参阅"Observability 和 Service Mesh"。
| spec.addons.3scale |
| spec.addons.grafana |
| spec.addons.jaeger |
| spec.addons.kiali |
| spec.addons.prometheus |
| spec.addons.stackdriver |
7.1.2.2. 不支持的集群配置
| spec.cluster.meshExpansion.ilbGateway, |
| spec.cluster.multiCluster.meshNetworks.gateways.service |
7.1.2.3. 不支持的网关配置
网关在 OpenShift Service Mesh 3 中单独管理。
7.1.2.4. 不支持的策略配置
| spec.policy.type |
| spec.policy.mixer |
| spec.policy.remote |
7.1.2.5. 不支持的代理配置
7.1.2.5.1. 不支持的 Proxy 网络配置字段
| spec.proxy.networking.initialization.type |
| spec.proxy.networking.initialization.initContainer.runtime.env |
| spec.proxy.networking.protocol.autoDetect |
| spec.proxy.networking.protocol.inbound |
| spec.proxy.networking.protocol.outbound |
7.1.2.6. 不支持的运行时配置
7.1.2.6.1. 不支持的部署配置字段
| spec.runtime.components.deployment.strategy.type |
7.1.2.6.2. 不支持的默认值配置字段
| spec.runtime.defaults.deployment.podDisruption.maxUnavailable |
| spec.runtime.defaults.deployment.podDisruption.minAvailable |
7.1.2.7. 不支持的安全配置
7.1.2.7.1. 不支持的证书颁发机构(CA)字段
| spec.security.certificateAuthority.cert-manager.pilotSecretName |
| spec.security.certificateAuthority.cert-manager.rootCAConfigMapName |
7.1.2.7.2. 不支持的 Istiod CA 字段
| spec.security.certificateAuthority.istiod.privateKey.rootCADir |
| spec.security.certificateAuthority.istiod.selfSigned.checkPeriod |
| spec.security.certificateAuthority.istiod.selfSigned.enableJitter |
| spec.security.certificateAuthority.istiod.selfSigned.gracePeriod |
| spec.security.certificateAuthority.istiod.selfSigned.ttl |
| spec.security.certificateAuthority.istiod.workloadCertTTLDefault |
| spec.security.certificateAuthority.istiod.workloadCertTTLMax |
7.1.2.7.3. 不支持的 control plane 安全字段
| spec.security.controlPlane.tls.maxProtocolVersion |
7.1.2.7.4. 不支持的身份配置字段
| spec.security.identity.thirdParty.issuer |
| spec.security.identity.type |
7.1.2.8. 不支持的 Telemetry 配置
| spec.telemetry.type |
| spec.telemetry.mixer |
| spec.telemetry.remote |
'%20d='M201.5%20305.5c-13.8%200-24.9-11.1-24.9-24.6%200-13.8%2011.1-24.9%2024.9-24.9%2013.6%200%2024.6%2011.1%2024.6%2024.9%200%2013.6-11.1%2024.6-24.6%2024.6zM504%20256c0%20137-111%20248-248%20248S8%20393%208%20256%20119%208%20256%208s248%20111%20248%20248zm-132.3-41.2c-9.4%200-17.7%203.9-23.8%2010-22.4-15.5-52.6-25.5-86.1-26.6l17.4-78.3%2055.4%2012.5c0%2013.6%2011.1%2024.6%2024.6%2024.6%2013.8%200%2024.9-11.3%2024.9-24.9s-11.1-24.9-24.9-24.9c-9.7%200-18%205.8-22.1%2013.8l-61.2-13.6c-3-.8-6.1%201.4-6.9%204.4l-19.1%2086.4c-33.2%201.4-63.1%2011.3-85.5%2026.8-6.1-6.4-14.7-10.2-24.1-10.2-34.9%200-46.3%2046.9-14.4%2062.8-1.1%205-1.7%2010.2-1.7%2015.5%200%2052.6%2059.2%2095.2%20132%2095.2%2073.1%200%20132.3-42.6%20132.3-95.2%200-5.3-.6-10.8-1.9-15.8%2031.3-16%2019.8-62.5-14.9-62.5zM302.8%20331c-18.2%2018.2-76.1%2017.9-93.6%200-2.2-2.2-6.1-2.2-8.3%200-2.5%202.5-2.5%206.4%200%208.6%2022.8%2022.8%2087.3%2022.8%20110.2%200%202.5-2.2%202.5-6.1%200-8.6-2.2-2.2-6.1-2.2-8.3%200zm7.7-75c-13.6%200-24.6%2011.1-24.6%2024.9%200%2013.6%2011.1%2024.6%2024.6%2024.6%2013.8%200%2024.9-11.1%2024.9-24.6%200-13.8-11-24.9-24.9-24.9z'/%3e%3c/svg%3e){kind=small}