不应用Istio虚拟服务标头规则 [英] Istio virtual service header rules are not applied
问题描述
所以我有一个非常独特的情况. 问题 虚拟服务路由规则不适用.我们的集群中有一个buzzfeed sso设置.我们想要将响应标头修改为即添加标头.匹配uri sign_in的每个请求. Buzzfeed sso具有其自己的名称空间. 现在,为了完成此任务,我创建了一个虚拟服务. 复制步骤: 我们使用此虚拟服务规范来创建路由规则.
So I have a very unique situation. Problem Virtual services route rules are not applied. We have a buzzfeed sso setup in our cluster. We wand to modify response headers to i.e Add header. to each request that matches the uri sign_in. Buzzfeed sso has its own namespace. Now To accomplish this I have created a virtual service. Steps to Reproduce: We used this virtual service spec to create the route rules.
apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
name: sso-auth-injector
spec:
hosts:
- sso-auth
http:
- match:
- uri:
prefix: /sign_in
ignoreUriCase: true
route:
- destination:
host: sso-auth
headers:
response:
add:
foo: bar
request:
add:
hello: world
分析
Istioctk x describe有输出 吊舱:sso-auth-58744b56cd-lwqrh.sso 转接端口:4180(sso-auth),15090(istio-proxy) 建议:在Pod上添加应用"标签以进行Istio遥测. 建议:在Pod上添加版本"标签以进行Istio遥测. 服务:sso-auth.sso 连接埠:http 80/HTTP设定Pod连接埠4180 Pod为PERMISSIVE(强制使用HTTP/mTLS),客户端说HTTP 虚拟服务:sso-auth-injector.sso /sign_in不区分大小写 2)Istioctl.除了出站| 80 |
Istioctk x describe has output Pod: sso-auth-58744b56cd-lwqrh.sso Pod Ports: 4180 (sso-auth), 15090 (istio-proxy) Suggestion: add ‘app’ label to pod for Istio telemetry. Suggestion: add ‘version’ label to pod for Istio telemetry. Service: sso-auth.sso Port: http 80/HTTP targets pod port 4180 Pod is PERMISSIVE (enforces HTTP/mTLS) and clients speak HTTP VirtualService: sso-auth-injector.sso /sign_in uncased 2) Istioctl . Not attaching all the rules but for outbound|80|
"routes": [
{
"match": {
"prefix": "/sign_in",
"caseSensitive": false
},
"route": {
"cluster": "outbound|80||sso-auth.sso.svc.cluster.local",
"timeout": "0s",
"retryPolicy": {
"retryOn": "connect-failure,refused-stream,unavailable,cancelled,resource-exhausted,retriable-status-codes",
"numRetries": 2,
"retryHostPredicate": [
{
"name": "envoy.retry_host_predicates.previous_hosts"
}
],
"hostSelectionRetryMaxAttempts": "5",
"retriableStatusCodes": [
503
]
},
"maxGrpcTimeout": "0s"
},
"metadata": {
"filterMetadata": {
"istio": {
"config": "/apis/networking/v1alpha3/namespaces/sso/virtual-service/sso-auth-injector"
}
}
},
"decorator": {
"operation": "sso-auth.sso.svc.cluster.local:80/sign_in*"
},
"typedPerFilterConfig": {
"mixer": {
"@type": "type.googleapis.com/istio.mixer.v1.config.client.ServiceConfig",
"disableCheckCalls": true,
"mixerAttributes": {
"attributes": {
"destination.service.host": {
"stringValue": "sso-auth.sso.svc.cluster.local"
},
"destination.service.name": {
"stringValue": "sso-auth"
},
"destination.service.namespace": {
"stringValue": "sso"
},
"destination.service.uid": {
"stringValue": "istio://sso/services/sso-auth"
}
}
},
"forwardAttributes": {
"attributes": {
"destination.service.host": {
"stringValue": "sso-auth.sso.svc.cluster.local"
},
"destination.service.name": {
"stringValue": "sso-auth"
},
"destination.service.namespace": {
"stringValue": "sso"
},
"destination.service.uid": {
"stringValue": "istio://sso/services/sso-auth"
}
}
}
}
},
"requestHeadersToAdd": [
{
"header": {
"key": "hello",
"value": "world"
},
"append": true
}
],
"responseHeadersToAdd": [
{
"header": {
"key": "foo",
"value": "bar"
},
"append": true
}
]
}
]
},
问题/问题
这些规则不起作用.每个请求都传递给服务,但标头不会被修改. 路由规则是否应该适用于入站请求而不是出站(如生成的配置中所示).
These rules dont take affect. Each request is passed to the service but headers are not modified. Shouldnt the route rules be applicable to inbound requests as opposed to outbound (as shown in config generated).
推荐答案
我们想将响应标头修改为添加标头".每个与uri sign_in匹配的请求
We want to modify response headers to i.e Add header. to each request that matches the uri sign_in
我举了一个例子,对其进行了测试,一切正常.
I made an example, tested it and everything works just fine.
检查以下vs,测试和整个示例.
Check below vs, tests and whole example.
虚拟服务
apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
name: nginxvirt
spec:
gateways:
- mesh
hosts:
- nginx.default.svc.cluster.local
http:
- name: match
headers:
response:
add:
foo: "bar"
match:
- uri:
prefix: /sign_in
rewrite:
uri: /
route:
- destination:
host: nginx.default.svc.cluster.local
port:
number: 80
subset: v1
测试所需的一切
apiVersion: v1
kind: Pod
metadata:
name: ubu1
spec:
containers:
- name: ubu1
image: ubuntu
command: ["/bin/sh"]
args: ["-c", "apt-get update && apt-get install curl -y && sleep 3000"]
---
apiVersion: apps/v1
kind: Deployment
metadata:
name: nginx1
spec:
selector:
matchLabels:
run: nginx1
replicas: 1
template:
metadata:
labels:
run: nginx1
app: frontend
spec:
containers:
- name: nginx1
image: nginx
ports:
- containerPort: 80
lifecycle:
postStart:
exec:
command: ["/bin/sh", "-c", "echo Hello nginx1 > /usr/share/nginx/html/index.html"]
---
apiVersion: v1
kind: Service
metadata:
name: nginx
labels:
app: frontend
spec:
ports:
- port: 80
protocol: TCP
selector:
app: frontend
---
apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
name: nginxvirt
spec:
gateways:
- mesh
hosts:
- nginx.default.svc.cluster.local
http:
- name: match
headers:
response:
add:
foo: "bar"
match:
- uri:
prefix: /sign_in
rewrite:
uri: /
route:
- destination:
host: nginx.default.svc.cluster.local
port:
number: 80
subset: v1
---
apiVersion: networking.istio.io/v1alpha3
kind: DestinationRule
metadata:
name: nginxdest
spec:
host: nginx.default.svc.cluster.local
subsets:
- name: v1
labels:
run: nginx1
从ubuntu连播中进行测试
我用curl -I
来显示响应头
curl -I nginx/sign_in
HTTP/1.1 200 OK
server: envoy
date: Tue, 24 Mar 2020 07:44:10 GMT
content-type: text/html
content-length: 13
last-modified: Thu, 12 Mar 2020 06:52:43 GMT
etag: "5e69dc3b-d"
accept-ranges: bytes
x-envoy-upstream-service-time: 3
foo: bar
如您所见,foo:bar标头已正确添加.
As you can see the foo:bar header is added correctly.
标题的附加链接
在您的istioctl分析中,我看到您可能会遇到503错误
In your istioctl analyze I see you might have an 503 error
"retriableStatusCodes": [
503
]
503错误的附加链接