3.3. 使用 Kubernetes 网关 API 通过网关直接出口流量

流程

1. 可选：启用 {k8} Gateway API 自定义资源定义(CRD)。

   注意

   从 Kubernetes 1.28 和 OpenShift Container Platform 4.18 或更早版本 Red Hat OpenShift Service Mesh 开始，Kubernetes 网关 API CRD 默认不可用，且您必须在使用 CRD 前启用 CRD。OpenShift Container Platform 4.19 及更新的版本默认启用 CRD。

   1. 创建名为 gateway-cr.yaml 的 YAML 文件，该文件启用 Kubernetes 网关 API CRD。

      Kubernetes 网关自定义资源(CR)文件示例

      apiVersion: gateway.networking.k8s.io/v1
      kind: Gateway
      metadata:
        name: info-gateway
      spec:
        gatewayClassName: istio
        listeners:
        - name: http
          port: 80
          protocol: HTTP
          allowedRoutes:
            namespaces:
              from: Same
      ---
      apiVersion: gateway.networking.k8s.io/v1
      kind: HTTPRoute
      metadata:
        name: info
      spec:
        parentRefs:
        - name: info-gateway
        rules:
        - matches:
          - path:
              type: Exact
              value: /productpage
          - path:
              type: PathPrefix
              value: /static
          - path:
              type: Exact
              value: /login
          - path:
              type: Exact
              value: /logout
          - path:
              type: PathPrefix
              value: /api/v1/products
          backendRefs:
          - name: productpage
            port: 9080

      Copy to Clipboard Toggle word wrap

   2. 运行以下命令来应用 YAML 文件：

      $ oc apply -f gateway-cr.yaml

      Copy to Clipboard Toggle word wrap

2. 运行以下命令，创建一个名为 egress-gateway 的命名空间：

   $ oc create namespace egress-gateway

   Copy to Clipboard Toggle word wrap

3. 运行以下命令，将 istio-injection 标签应用到命名空间：

   $ oc label namespace egress-gateway istio-injection=enabled

   Copy to Clipboard Toggle word wrap

4. 创建名为 egress-gateway-cr.yaml 的 YAML 文件，用于定义出口网关。

   出口网关 CR 文件示例

   # ServiceEntry to allow traffic to httpbin.org
   apiVersion: networking.istio.io/v1
   kind: ServiceEntry
   metadata:
     name: httpbin-ext
   spec:
     hosts:
     - httpbin.org
     ports:
     - number: 80
       name: http
       protocol: HTTP
     location: MESH_EXTERNAL
     resolution: DNS
   ---
   # Gateway API Gateway for egress
   apiVersion: gateway.networking.k8s.io/v1
   kind: Gateway
   metadata:
     name: httpbin-egress-gateway
     annotations:
       networking.istio.io/service-type: ClusterIP
   spec:
     gatewayClassName: istio
     listeners:
     - name: http
       hostname: httpbin.org
       port: 80
       protocol: HTTP
       allowedRoutes:
         namespaces:
           from: Same
   ---
   # HTTPRoute to direct traffic from sidecars to the egress gateway
   apiVersion: gateway.networking.k8s.io/v1
   kind: HTTPRoute
   metadata:
     name: direct-httpbin-to-egress-gateway
   spec:
     parentRefs:
     - kind: ServiceEntry
       group: networking.istio.io
       name: httpbin-ext
     rules:
     - backendRefs:
       - name: httpbin-egress-gateway-istio
         port: 80
   ---
   # HTTPRoute to forward traffic from the egress gateway to httpbin.org
   apiVersion: gateway.networking.k8s.io/v1
   kind: HTTPRoute
   metadata:
     name: forward-httpbin-from-egress-gateway
   spec:
     parentRefs:
     - name: httpbin-egress-gateway
     hostnames:
     - httpbin.org
     rules:
     - backendRefs:
       - kind: Hostname
         group: networking.istio.io
         name: httpbin.org
         port: 80

   Copy to Clipboard Toggle word wrap

   1. 运行以下命令来应用 YAML 文件：

      $ oc apply -f egress-gateway-cr.yaml

      Copy to Clipboard Toggle word wrap

验证

1. 运行以下命令，验证网关配置的状态：

   $ oc describe gateway -n egress-gateway

   Copy to Clipboard Toggle word wrap

   所需输出由 Programmed 在 Status 列中显示。

2. 运行以下命令，在 egress-gateway 命名空间中创建 curl pod：

   $ oc run test-pod --image=curlimages/curl:latest -n egress-gateway --rm -it --restart=Never -- sh

   Copy to Clipboard Toggle word wrap

3. 通过使用 curl 客户端，输入以下命令验证您可以通过出口网关访问 httpbin.org ：

   $ curl -v http://httpbin.org/get

   Copy to Clipboard Toggle word wrap

   所需输出显示 httpbin.org 的响应，它表示通过配置的网关路由出口流量。