不能通过istio虚拟服务访问Sonar，但是可以在端口转发后在本地访问Sonar [英] Sonar cannot be access via istio virtual service but can be locally accessed after port forwarding

问题描述

我正在尝试在Kubernetes集群中实现SonarQube.部署运行正常，并且还通过虚拟服务公开.我可以通过localhost:port/sonar打开UI，但是无法通过外部ip访问它.我知道声纳绑定到本地主机，并且不允许从远程服务器外部进行访问.我在带有MYSQL数据库的GKE上运行此程序.这是我的YAML文件:

I am trying to implement SonarQube in a Kubernetes cluster. The deployment is running properly and is also exposed via a Virtual Service. I am able to open the UI via the localhost:port/sonar but I am not able to access it through my external ip. I understand that sonar binds to localhost and does not allow access from outside the remote server. I am running this on GKE with a MYSQL database. Here is my YAML file:

apiVersion: extensions/v1beta1
kind: Deployment
metadata:
  name: sonarqube
  namespace: sonar
  labels:
    service: sonarqube
    version: v1
spec:
  replicas: 1
  template:
    metadata:
      name: sonarqube
      labels:
        name: sonarqube
    spec:
      terminationGracePeriodSeconds: 15
      initContainers:
        - name: volume-permission
          image: busybox
          command:
            - sh
            - -c
            - sysctl -w vm.max_map_count=262144
          securityContext:
            privileged: true
      containers:
        - name: sonarqube
          image: sonarqube:6.7
          resources:
            limits:
              memory: 4Gi
              cpu: 2
            requests:
              memory: 2Gi
              cpu: 1
          args:
            - -Dsonar.web.context=/sonar
            - -Dsonar.web.host=0.0.0.0
          env:
            - name: SONARQUBE_JDBC_USERNAME
              valueFrom:
                secretKeyRef:
                  name: cloudsql-db-credentials
                  key: username
            - name: SONARQUBE_JDBC_PASSWORD
              valueFrom:
                secretKeyRef:
                  name: cloudsql-db-credentials
                  key: password
            - name: SONARQUBE_JDBC_URL
              value: jdbc:mysql://***.***.**.*:3306/sonar?useUnicode=true&characterEncoding=utf8
          ports:
            - containerPort: 9000
              name: sonarqube-port
---
apiVersion: v1
kind: Service
metadata:
  labels:
    service: sonarqube
    version: v1
  name: sonarqube
  namespace: sonar
spec:
  selector:
    name: sonarqube
  ports:
    - name: http
      port: 80
      targetPort: sonarqube-port
---
apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
  name: sonarqube-internal
  namespace: sonar
spec:
  hosts:
    - sonarqube.staging.jeet11.internal
    - sonarqube
  gateways:
    - default/ilb-gateway
    - mesh
  http:
    - route:
        - destination:
            host: sonarqube
---
apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
  name: sonarqube-external
  namespace: sonar
spec:
  hosts:
    - sonarqube.staging.jeet11.com
  gateways:
    - default/elb-gateway
  http:
    - route:
        - destination:
            host: sonarqube
---

部署成功完成.我的公开服务提供了已映射到主机URL的公共ip，但是我无法通过主机URL访问该服务.

The deployment completes successfully. My exposed services gives a public ip that has been mapped to the host url but I am unable to access the service at the host url.

我需要更改映射，以使声纳与服务器ip绑定，但是我不知道该怎么做.我无法将其绑定到群集ip，也无法绑定到内部或外部服务ip.

I need to change the mapping such that sonar binds with the server ip but I am unable to understand how to do that. I cannot bind it to my cluster ip, neither to my internal or external service ip.

我该怎么办?请帮忙！

推荐答案

我最近遇到了同样的问题，今天我设法解决了这个问题.

I had the same issue recently and I managed to get this resolved today.

我希望以下解决方案对遇到相同问题的任何人都有效！.

I hope the following solution will work for anyone facing the same issue!.

• 云提供商: Azure-AKS
  • 无论您使用什么提供商，它都应该起作用.
  • kubectl logs -n istio-system -l app=istiod
    • 来自Istiod的日志和在控制平面中发生的事件.
    • 这通常会为您提供给定命名空间的所有警告和错误.
    • 让您知道是否配置错误.
    • 查看您是否有入站流量.
    • 此外，还会向您显示任何错误的配置.
    • 查询指标-istio_requests_total.这会向您显示进入该服务的流量.
    • 如果配置有误，您会看到 destination_app 为未知.
    • query metric - istio_requests_total. This shows you the traffic going into the service.
    • If there's any misconfiguration you will see the destination_app as unknown.
    • 无法通过外部IP访问sonarqube UI，但可以通过localhost(端口转发)进行访问.
    • 无法通过Istio Ingressgateway路由流量.

    apiVersion: v1
    kind: Service
    metadata:
      name: sonarqube
      namespace: sonarqube
      labels:
        name: sonarqube
    spec:
      type: ClusterIP
      ports:
      - name: http
        port: 9000
        targetPort: 9000
      selector:
        app: sonarqube
    status:
      loadBalancer: {}
    

    • 您的 targetport 是容器端口.为避免混淆，只需为服务端口分配与服务 targetport 相同的号码即可.
    • 端口名称在这里非常重要. "Istio要求服务端口遵循'protocol-suffix'的命名形式，其中'-suffix'部分是可选的"-
      • Your targetport is the container port. To avoid any confusion just assign the service port number as same as the service targetport.
      • The port name is very important here. "Istio required the service ports to follow the naming form of ‘protocol-suffix’ where the ‘-suffix’ part is optional" - KIA0601 - Port name must follow [-suffix] form

      apiVersion: networking.istio.io/v1alpha3
      kind: Gateway
      metadata:
        name: sonarqube-gateway
        namespace: sonarqube
      spec:
        selector:
          istio: ingressgateway
        servers:
        - port:
            number: 9000
            name: http
            protocol: HTTP
          hosts:
          - "XXXX.XXXX.com.au"
      ---
      apiVersion: networking.istio.io/v1alpha3
      kind: VirtualService
      metadata:
        name: sonarqube
        namespace: sonarqube
      spec:
        hosts:
        - "XXXX.XXXX.com.au"
        gateways:
        - sonarqube-gateway
        http:
        - route:
          - destination:
              host: sonarqube
              port:
                number: 9000
      

      • 网关协议必须设置为 HTTP .
      • 网关服务器端口和 VirtualService目标端口是相同的.如果您有其他应用程序服务端口，则您的 VirtualService目标端口编号应与应用程序服务端口匹配. 网关服务器端口应与应用程序服务目标端口匹配.
      • 现在来找点乐子吧！ 主机.如果要访问群集外部的服务，则需要将主机名(要映射声纳服务器的任何主机名)作为 DNS A记录映射到 istio-ingressgateway 的外部公共IP地址.
      • 要获取入口网关的 EXTERNAL-IP 地址，请运行kubectl -n istio-system get service istio-ingressgateway.
      • 如果执行简单的nslookup(运行-nslookup <hostname>)，则获得的IP地址必须与分配给istio-ingressgateway服务的IP地址匹配.
      • Gateway protocol must be set to HTTP.
      • Gateway Server Port and VirtualService Destination Port is the same. If you have different app Service Port, then your VirtualService Destination Port number should match the app Service Port. The Gateway Server Port should match the app Service Targetport.
      • Now comes to the fun bit! The hosts. If you want to access the service outside of the cluster, then you need to have your host-name (whatever host-name that you want to map the sonarqube server) as an DNS A record mapped to the External Public IP address of the istio-ingressgateway.
      • To get the EXTERNAL-IP address of the ingressgateway, run kubectl -n istio-system get service istio-ingressgateway.
      • If you do a simple nslookup (run - nslookup <hostname>), The IP address you get must match with the IP address that is assigned to the istio-ingressgateway service.
      • 请注意，您的sonarqube网关端口是您要引入Kubernetes的新端口，并且告诉集群在该端口上侦听.但是您的负载均衡器不知道该端口.因此，您需要在kubernetes外部负载均衡器上打开指定的网关端口. Ref-信息
      • 您不需要手动更改负载均衡器服务.您只需要更新入口网关以包括新端口，即可自动更新负载均衡器.
      • 您可以通过运行istioctl analyze -n sonarqube来确定端口是否引起了问题.您应该收到以下警告；
      • Note that your sonarqube gateway port is a new port that you are introducing to Kubernetes and you’re telling the cluster to listen on that port. But your load balancer doesn’t know about this port. Therefore, you need to open the specified gateway port on your kubernetes external load balancer. Ref - Info
      • You don’t need to manually change your load balancer service. You just need to update the ingress gateway to include the new port, which will update the load balancer automatically.
      • You can identify if the port is causing issues by running istioctl analyze -n sonarqube. You should get the following warning;

      [33mWarn[0m [IST0104] (Gateway sonarqube-gateway.sonarqube) The gateway refers to a port that is not exposed on the workload (pod selector istio=ingressgateway; port 9000) Error: Analyzers found issues when analyzing namespace: sonarqube. See https://istio.io/docs/reference/config/analysis for more information about causes and resolutions.

      • 您应该在控制平面中得到相应的错误.运行kubectl logs -n istio-system -l app=istiod.
      • 此时，您需要更新Istio ingressgateway服务以公开新端口.运行kubectl edit svc istio-ingressgateway -n istio-system并将以下部分添加到端口.
      • You should get the corresponding error in the control plane. Run kubectl logs -n istio-system -l app=istiod.
      • At this point you need to update the Istio ingressgateway service to expose the new port. Run kubectl edit svc istio-ingressgateway -n istio-system and add the following section to the ports.
      • 在上一节中，您了解了如何公开一个新端口.这是可选的，具体取决于您的用例.
      • 在本节中，您将看到如何使用已经暴露的端口.
      • 如果您查看istio-ingressgateway的服务.您可以看到有暴露的默认端口.在这里，我们将使用端口80.
      • 您的设置将如下所示；
      • Your setup will look like the following;
      • 要取消使用主机名指定端口，只需添加match uri前缀即可，如virtualservice清单所示.
      • 如果一切都按预期完成，那么您就可以了.
      • 在测试期间，我没有指定端口就犯了一个错误.如果您获得404状态(这仍然是一件好事)，则可以通过这种方式验证它正在使用的服务器.如果设置正确，则应使用 istio-envoy 服务器，而不是 nginx .
      • During testing I made one mistake by not specifying the port. If you get 404 status, Which is still a good thing, in this way you can verify what server it is using. If you setup things correctly, it should use the istio-envoy server, not the nginx.
      • 未指定端口.仅当您添加match uri前缀时，此方法才有效.

      这篇关于不能通过istio虚拟服务访问Sonar，但是可以在端口转发后在本地访问Sonar的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！