Istio ServiceEntry，用于将多个外部数据库转到同一个数据库 [英] Istio ServiceEntry for multiple external databases going to the same database

问题描述

我们在群集中的同一个命名空间中有2个服务，每个服务都使用自己的数据库，如下所示:

We have 2 services in our cluster in the same namespace, each using their own database like below:

我们为每个数据库添加了2个ServiceEntry:

We added 2 ServiceEntry corresponding to each database:

---
apiVersion: networking.istio.io/v1alpha3
kind: ServiceEntry
metadata:
  name: service-1
  namespace: mynamespace
spec:
  exportTo:
    - "."
  hosts:
    - service1-db.xxx.com
  ports:
    - number: 5432
      name: tcp
      protocol: tcp
  resolution: DNS
  location: MESH_EXTERNAL
...

---
apiVersion: networking.istio.io/v1alpha3
kind: ServiceEntry
metadata:
  name: service-2
  namespace: mynamespace
spec:
  exportTo:
    - "."
  hosts:
    - service2-db.xxx.com
  ports:
    - number: 5432
      name: tcp
      protocol: tcp
  resolution: DNS
  location: MESH_EXTERNAL
...

最终的交互看起来像这样，这是不期望的:

The resulting interaction looks like this, which is not expected:

关于我们所缺少的任何线索吗?

Any clues on what we are missing?

推荐答案

因此，最后，碰巧ServiceEntry不能仅基于主机名运行，但是它也需要地址.

So, at the end, it happens that the ServiceEntry does not work just based on the host names, but it needs addresses too.

这是有效的方法:

---
apiVersion: networking.istio.io/v1alpha3
kind: ServiceEntry
metadata:
  name: service-1
  namespace: mynamespace
spec:
  exportTo:
    - "."
  hosts:
    - service1-db.xxx.com
  addresses:
    - xx.xx.xx.xx/32
  ports:
    - number: 5432
      name: tcp
      protocol: tcp
  resolution: NONE
  location: MESH_EXTERNAL
...

---
apiVersion: networking.istio.io/v1alpha3
kind: ServiceEntry
metadata:
  name: service-2
  namespace: mynamespace
spec:
  exportTo:
    - "."
  hosts:
    - service2-db.xxx.com
  addresses:
    - xx.xx.xx.yy/32
  ports:
    - number: 5432
      name: tcp
      protocol: tcp
  resolution: NONE
  location: MESH_EXTERNAL
...

以下是摘录自文档这个结论.

Here are the excerpts from the documentation that led us to this conclusion.

如果地址"字段为空，将仅根据目标端口来识别流量.在这种情况下，网格中的任何其他服务都不得共享正在访问服务的端口.

If the Addresses field is empty, traffic will be identified solely based on the destination port. In such scenarios, the port on which the service is being accessed must not be shared by any other service in the mesh.

请注意，如果将分辨率设置为DNS类型且未指定任何端点，则主机字段将用作将流量路由到的端点的DNS名称.

Note that when resolution is set to type DNS and no endpoints are specified, the host field will be used as the DNS name of the endpoint to route traffic to.

注意:虽然这有助于解决此特定实例，但它提出了另一个使用动态IP地址的问题，例如某些尝试访问AWS Secrets Manager的应用程序.此类服务的ip地址不断变化，无法将其绑定到服务条目.因此，我们仅针对已知的外部流量添加了服务条目，并允许其他条目未知.在Kiali(Istio的可视化工具)中，这些未知数"显示为PassThroughClusters，这很烦人，但问题只有一半.

NOTE: While this helped resolve this particular instance, it opens up another different question of working with dynamic ip addresses, like some app trying to access AWS secrets manager. The ip address of such services keep changing and there is no way to tie it down to a service entry. So, we added service entries only for the known external traffic and allowed others to be unknown. In Kiali (visualiser for Istio), these "unknowns" are displayed as PassThroughClusters, which is annoying, but only half the problem.

这篇关于Istio ServiceEntry，用于将多个外部数据库转到同一个数据库的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！