为同一端口上的不同路径匹配Istio虚拟服务路由 [英] Match Istio Virtual Services routes for different paths on same port

问题描述

我想知道如何在同一端口上匹配gRPC路由.这是我希望通过VirtualService完成的示例:

apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
  name: istio-ingress
spec:
  hosts:
  - "*"
  gateways:
  - istio-gateway
  http:
  - match:
    - uri:
      prefix: "/custom.api/stream"
    - port: 31400
    route:
    - destination:
        host: stream-handler.default.svc.cluster.local
        port:
          number: 8444
    timeout: 60s
    retries:
      attempts: 3
      perTryTimeout: 2s
  - match:
    - port: 31400
    route:
    - destination:
        host: api.default.svc.cluster.local
        port:
          number: 8443
    timeout: 60s
    retries:
      attempts: 3
      perTryTimeout: 2s

所以基本上:对于31400中的所有请求，第一个匹配项都在"/custom.api/stream"中查找要流式传输的请求，该流具有我的流服务器的目的地.

第二条通则是进入我的主要API.

我的目标是使所有连接都通过31400，然后将请求分解为专用的内部服务.将来，我可能会进一步拆分服务(不仅用于流媒体). IE.端点的整个组可能由单独的群集处理.

当我部署此规则时，尽管整个VS似乎都失败了，但没有任何反应.

解决方案

端口在Ingressgateway中对外公开，​​应使用Gateway在内部进行配置. VirtualService仅用于第7层路由(一旦连接到Gateway).

在您的 match 配置中，您指定要寻址的主机应在端口31400中接收请求，而不是该服务正在此处侦听.从文档:

端口:指定要寻址的主机上的端口.许多服务仅使用支持的协议公开单个端口或标记端口，在这种情况下，不需要显式选择端口.

在您的情况下，您可能需要创建一个新的Gateway来处理暴露端口的配置，然后使用VirtualService附加路由部分:

apiVersion: networking.istio.io/v1alpha3
kind: Gateway
metadata:
  name: grpc-gateway
spec:
  selector:
    istio: ingressgateway
  servers:
  - port:
      number: 31400
      name: grpc
      protocol: GRPC
    hosts:
    - "*"
---
apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
  name: grpc-virtualservice
spec:
  hosts:
  - "*"
  gateways:
  - grcp-gateway
  http:
  - match:
    - uri:
      exact: "/custom.api/stream"
    route:
    - destination:
        host: stream-handler.default.svc.cluster.local
        port:
          number: 8444
    timeout: 60s
    retries:
      attempts: 3
      perTryTimeout: 2s
  - match:
    - uri:
      prefix: "/"
    route:
    - destination:
        host: api.default.svc.cluster.local
        port:
          number: 8443
    timeout: 60s
    retries:
      attempts: 3
      perTryTimeout: 2s

由于match 不能为空，您需要为其添加前缀，以获取除先前的URI exact 匹配项之外的所有内容.

I'm wondering how I can match gRPC routes on the same port. Here's an example of what I was hoping to accomplish with my VirtualService:

apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
  name: istio-ingress
spec:
  hosts:
  - "*"
  gateways:
  - istio-gateway
  http:
  - match:
    - uri:
      prefix: "/custom.api/stream"
    - port: 31400
    route:
    - destination:
        host: stream-handler.default.svc.cluster.local
        port:
          number: 8444
    timeout: 60s
    retries:
      attempts: 3
      perTryTimeout: 2s
  - match:
    - port: 31400
    route:
    - destination:
        host: api.default.svc.cluster.local
        port:
          number: 8443
    timeout: 60s
    retries:
      attempts: 3
      perTryTimeout: 2s

So basically: for all requests into 31400 the first match looks for requests to stream at "/custom.api/stream" which has a destination of my stream server.

The second rule as a catch all to gain entry to my main API.

My goal is to have all connections coming through 31400 and then splinter off the request to a dedicated internal service. In the future I'll likely split off services even further (not just for streaming). ie. entire groups of the endpoint might be handled by separate clusters.

When I deploy this rule though the whole VS seems to fail and nothing responds.

解决方案

Ports are externally exposed in the Ingressgateway and should be internally configured using a Gateway. The VirtualService is intended for layer 7 routing only (once attached to a Gateway).

In your match configuration, you're specifying that the addressed host should receive requests in the port 31400, not that the service is listening there. From the documentation:

port: Specifies the ports on the host that is being addressed. Many services only expose a single port or label ports with the protocols they support, in these cases it is not required to explicitly select the port.

In your case, you might want to create a new Gateway to take care of the exposed port's configuration and then, attach the routing part using your VirtualService:

apiVersion: networking.istio.io/v1alpha3
kind: Gateway
metadata:
  name: grpc-gateway
spec:
  selector:
    istio: ingressgateway
  servers:
  - port:
      number: 31400
      name: grpc
      protocol: GRPC
    hosts:
    - "*"
---
apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
  name: grpc-virtualservice
spec:
  hosts:
  - "*"
  gateways:
  - grcp-gateway
  http:
  - match:
    - uri:
      exact: "/custom.api/stream"
    route:
    - destination:
        host: stream-handler.default.svc.cluster.local
        port:
          number: 8444
    timeout: 60s
    retries:
      attempts: 3
      perTryTimeout: 2s
  - match:
    - uri:
      prefix: "/"
    route:
    - destination:
        host: api.default.svc.cluster.local
        port:
          number: 8443
    timeout: 60s
    retries:
      attempts: 3
      perTryTimeout: 2s

Since match cannot be empty, you need to prefix it to pick up whatever is coming except for the previous URI exact match.

这篇关于为同一端口上的不同路径匹配Istio虚拟服务路由的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！