如何在Istio中配置Azure App Gateway [英] How to configure Azure App Gateway in Istio
问题描述
我在AKS(Azure Kubernetes服务)上安装了应用程序,并且我目前正在使用Azure应用程序网关作为我在AKS上运行的应用程序的入口资源.
I have an application setup on AKS (Azure Kubernetes Service) and I’m currently using Azure Application gateway as ingress resource for my application running on AKS.
现在,在为我的集群设置ISTIO之后,除了一部分以外,其他所有图表都可以正常显示.由于ISTIO不知道Azure APP网关,因此它将资源显示为未知".我什至尝试启动虚拟服务并将其指向入口资源,但这对图形没有任何影响.我应该如何向ISTIO确认它是Azure应用程序网关,而不是未知"资源.
Now after setting up ISTIO for my cluster the graphs are coming up fine except one part. Since the Azure APP gateway is unknown to ISTIO it is showing the resource as "unknown". I even tried launching a virtual service and pointed it to the ingress resource but that didn’t have any effect on the graph. How shall I establish to ISTIO that it is Azure app gateway and not "unknown" resource.
推荐答案
这是因为Azure应用程序网关不是Istio Mesh的一部分.根据您配置Azure应用程序网关的方式,甚至可能无法获得使用istio的任何好处.
This is because Azure Application gateway is not part of Istio Mesh. Depending on how You have Your Azure Application Gateway configured You might not even get any benefits of using istio.
让istio与Azure应用程序网关一起使用要比看起来复杂得多.
Getting istio to work with Azure Application Gateway is lot more complicated than it seems.
存在一个使用istio和 Github 的问题.同时使用Azure应用程序网关.
There is a Github issue that uses istio and Azure Application Gateway at the same time.
具有以下语句:
您可能想知道为什么我选择将入口资源放入istio-system名称空间中.我这样做是因为据我所知,女服务员必须是每个应用程序网关重定向的终结点.如果我将其重定向到echo-server服务,则AGKI(application-gateway-kubernetes-ingress)将指向已部署的pod的ip地址,这将完全忽略istios servicemesh.
You may wonder why I chose to put the ingress resource into the istio-system namespace. Im doing so because in my understanding the istio-ingress must be the endpoint for each app-gateway redirect. If I would let it redirect to the echo-server service, AGKI(application-gateway-kubernetes-ingress) would point to the ip-address of the deployed pod, which would completely disregard istios servicemesh.
因此,如果还没有这样的配置,并且您想使用Istio,我建议将Istio Ingress Gateway设置为Azure Application Gateway的终结点,并将其视为来自外部网格的流量.
So if don't already have configuration like that and You want to use Istio I suggest setting Istio Ingress Gateway as an endpoint for Your Azure Application Gateway and treat it as traffic comming from outside mesh.
这里是为什么Azure应用程序网关是未知"的解释.资源.
Here is an explanation why Azure Application gateway is "unknown" resource.
在此中文章中,您可以找到以下语句:
In an this article you can find the following statement:
入口流量
Istio希望流量通过入口网关.当您看到未知"流量时,可能只是您使用标准的Kubernetes Ingress或OpenShift路由将流量从外部发送到Istio.
Istio expects traffic to go via the the Ingress Gateway. When you see ‘unknown’ traffic it can simply be the case that you use the standard Kubernetes Ingress or an OpenShift route to send traffic from the outside to Istio.
Azure应用程序网关使用自定义入口控制器:
Azure Application gateway uses custom ingress controller:
应用程序网关入口控制器(AGIC)允许您将应用程序网关用作Azure Kubernetes服务(AKS)群集的入口.
Application Gateway Ingress Controller (AGIC) allows you to use Application Gateway as the ingress for an Azure Kubernetes Service (AKS) cluster.
入口控制器在AKS集群中作为Pod运行,并使用Kubernetes Ingress资源并将其转换为Application Gateway配置,该配置使网关可以负载均衡Kubernetes Pod的流量.入口控制器仅支持Application Gateway V2 SKU.
The ingress controller runs as a pod within the AKS cluster and consumes Kubernetes Ingress Resources and converts them to an Application Gateway configuration which allows the gateway to load-balance traffic to the Kubernetes pods. The ingress controller only supports Application Gateway V2 SKU.
有关更多信息,请参阅应用程序网关入口控制器(AGIC).
For more information, see Application Gateway Ingress Controller (AGIC).
根据 Kiali 文档:
在某些情况下,您可以看到来自未知"网站的许多连接.图中服务的一个节点,因为网格外部的某些软件可能会定期ping或获取数据.当您设置Kubernetes活动度探针,或者将某些应用程序指标推送到或暴露于Prometheus等监控系统时,通常会发生这种情况.也许您不希望看到这些连接,因为它们使图形更难以阅读.
In some situations you can see a lot of connections from an "Unknown" node to your services in the graph, because some software external to your mesh might be periodically pinging or fetching data. This is typically the case when you setup Kubernetes liveness probes, or have some application metrics pushed or exposed to a monitoring system such as Prometheus. Perhaps you wouldn’t like to see these connections because they make the graph harder to read.
要解决您的其他问题:
To address Your additional question:
我应如何向ISTIO确认它是Azure应用程序网关,而不是未知"资源.
How shall I establish to ISTIO that it is Azure app gateway and not "unknown" resource.
据我所知,没有办法使自定义(非istio)入口网关成为istio网格的一部分.将Azure Application Gateway标记为未知".
As far as I know there is no way to make Custom (non-istio) Ingress Gateway be part of istio mesh. Leaving Azure Application Gateway labelled as "unknown".
希望这会有所帮助.
这篇关于如何在Istio中配置Azure App Gateway的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
