Why am I getting connection refused by the istio sidecar injector?

Views: 102

Problem description

I have created a PostgreSQL cluster using the crunchydata pgo operator in a namespace with istio-injection enabled, but now I am getting api server connection refused.


level=error msg="Get https://100.xx.xx.xx:443/apis/batch/v1/namespaces/project/jobs?labelSelector=pg-cluster%3Dmilkr7%2Cpgdump%3Dtrue: dial tcp 100.xx.xx.xx:443: connect: connection refused".

API server log:

W0603 03:04:21.373083  1 dispatcher.go:180] Failed calling webhook, failing closed sidecar-injector.istio.io: failed calling webhook "sidecar-injector.istio.io": Post https://istio-sidecar-injector.istio-system.svc:443/inject?timeout=30s: dial tcp 100.65.xx.xx:443: connect: connection refused
I0603 03:18:59.654964 1 log.go:172] http: TLS handshake error from 172.20.xx.xx:44638: remote error: tls: bad certificate
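The API server line quoted above says two things at once: the injector's webhook endpoint is unreachable, and admission is "failing closed". The following added example, not code from the question or from Kubernetes/Istio, parses kube-apiserver (klog) lines of the two shapes shown above and reports which webhooks are blocking admission. The sample lines are constructed to mirror the question's; the IP addresses are placeholders.

```python
"""Triage kube-apiserver admission-webhook log lines.

Added example, not code from the question or from Kubernetes/Istio. It parses
the two kube-apiserver (klog) message shapes quoted in the question and reports
whether a failing webhook blocks admission: "failing closed" means the webhook's
failurePolicy is Fail, so every request it matches is rejected while it is
unreachable. SAMPLE_LINES are constructed to mirror the question; IPs are
placeholders.
"""
import re
from urllib.parse import urlparse

# klog prefix: severity letter, MMDD hh:mm:ss.micros, thread id, file:line]
KLOG_PREFIX = r'^(?P<sev>[IWEF])(?P<ts>\d{4} \d\d:\d\d:\d\d\.\d+)\s+\d+ (?P<src>[^\]]+)\] '

WEBHOOK_RE = re.compile(
    KLOG_PREFIX
    + r'Failed calling webhook, failing (?P<mode>open|closed) (?P<name>[^:\s]+): '
    + r'failed calling webhook "(?P<qname>[^"]+)": '
    + r'(?P<verb>\w+) (?P<url>\S+?): (?P<err>.*)$'
)
TLS_RE = re.compile(
    KLOG_PREFIX + r'http: TLS handshake error from (?P<peer>\S+): (?P<err>.*)$'
)

# Constructed sample input mirroring the question's log (placeholder IPs).
SAMPLE_LINES = [
    'W0603 03:04:21.373083  1 dispatcher.go:180] Failed calling webhook, failing closed '
    'sidecar-injector.istio.io: failed calling webhook "sidecar-injector.istio.io": '
    'Post https://istio-sidecar-injector.istio-system.svc:443/inject?timeout=30s: '
    'dial tcp 100.65.10.20:443: connect: connection refused',
    # a hypothetical webhook with failurePolicy Ignore, for contrast
    'W0603 03:05:00.123456  1 dispatcher.go:171] Failed calling webhook, failing open '
    'example.webhook.io: failed calling webhook "example.webhook.io": '
    'Post https://example-webhook.tools.svc:443/validate?timeout=10s: context deadline exceeded',
    'I0603 03:18:59.654964 1 log.go:172] http: TLS handshake error from 172.20.1.5:44638: '
    'remote error: tls: bad certificate',
    # unrelated line, must be ignored
    'I0603 03:20:00.000000 1 trace.go:116] Trace[123]: "Create" url:/api/v1/namespaces/project/pods',
]


def parse_line(line):
    """Return a structured record for a webhook-failure or TLS-error line, else None."""
    m = WEBHOOK_RE.match(line)
    if m:
        host = urlparse(m['url']).hostname or ''
        parts = host.split('.')
        # <service>.<namespace>.svc is the in-cluster form a webhook clientConfig.service yields
        if len(parts) >= 3 and parts[2] == 'svc':
            service, namespace = parts[0], parts[1]
        else:
            service, namespace = host, None
        return {
            'kind': 'webhook',
            'webhook': m['qname'],
            'failure_policy': 'Fail' if m['mode'] == 'closed' else 'Ignore',
            'blocks_admission': m['mode'] == 'closed',
            'service': service,
            'namespace': namespace,
            'url': m['url'],
            'error': m['err'],
            'unreachable': 'connection refused' in m['err'],
        }
    m = TLS_RE.match(line)
    if m:
        # "remote error:" means the alert came from the peer, not from the API server itself
        return {'kind': 'tls', 'peer': m['peer'], 'error': m['err'],
                'peer_sent_alert': m['err'].startswith('remote error:')}
    return None


def blocking_webhooks(lines):
    """Map webhook name -> service.namespace for webhooks that failed closed."""
    found = {}
    for line in lines:
        rec = parse_line(line)
        if rec and rec['kind'] == 'webhook' and rec['blocks_admission']:
            found[rec['webhook']] = f"{rec['service']}.{rec['namespace']}"
    return found


if __name__ == '__main__':
    for line in SAMPLE_LINES:
        print(parse_line(line))
    print('blocking admission:', blocking_webhooks(SAMPLE_LINES))
```

A webhook that fails closed rejects every request it matches while its backend is down; for the sidecar injector that is the safe choice, because failing open would let pods start without a sidecar and silently bypass mesh policy. The practical response is to restore the istio-sidecar-injector Service's endpoints (the injector pod in istio-system), not to switch the webhook's failurePolicy to Ignore.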

Recommended answer

To add your database to the istio service mesh you can use the ServiceEntry object.

ServiceEntry enables adding additional entries into Istio’s internal service registry, so that auto-discovered services in the mesh can access/route to these manually specified services. A service entry describes the properties of a service (DNS name, VIPs, ports, protocols, endpoints). These services could be external to the mesh (e.g., web APIs) or mesh-internal services that are not part of the platform’s service registry (e.g., a set of VMs talking to services in Kubernetes). In addition, the endpoints of a service entry can also be dynamically selected by using the workloadSelector field. These endpoints can be VM workloads declared using the WorkloadEntry object or Kubernetes pods. The ability to select both pods and VMs under a single service allows for migration of services from VMs to Kubernetes without having to change the existing DNS names associated with the services.

Example of a ServiceEntry yaml manifest for the database:

apiVersion: networking.istio.io/v1alpha3
kind: ServiceEntry
metadata:
  name: db-service
  namespace: databasens
spec:
  exportTo:
    - "."
  hosts:
    - db-service.xxx.com
  ports:
    - number: 5443
      name: tcp
      protocol: tcp
  resolution: DNS
  location: MESH_EXTERNAL

If you have mTLS enforcement enabled you will also need a DestinationRule that defines how to communicate with the external service.

apiVersion: networking.istio.io/v1alpha3
kind: DestinationRule
metadata:
  name: mtls-db-service
spec:
  host: db-service.xxx.com
  trafficPolicy:
    tls:
      mode: MUTUAL
      clientCertificate: /etc/certs/myclientcert.pem
      privateKey: /etc/certs/client_private_key.pem
      caCertificates: /etc/certs/rootcacerts.pem

For more information and more examples visit the istio documentation page for ServiceEntry.

Hope it helps.
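The two manifests in the answer depend on each other in ways that are easy to get wrong: the DestinationRule must name a host the ServiceEntry declares, exportTo: ["."] makes the ServiceEntry visible only in its own namespace, resolution: DNS cannot be combined with wildcard hosts, and tls.mode MUTUAL needs all three certificate paths. The following added example, not code from the answer or from Istio, embeds the two manifests as Python dicts that mirror the YAML above and checks them for those problems. The DestinationRule's namespace is an assumption (databasens), since the answer's YAML omits it.

```python
"""Consistency check for a ServiceEntry / DestinationRule pair.

Added example, not code from the answer or from Istio. The dicts below are
constructed to mirror the answer's manifests; the DestinationRule namespace is
assumed to be databasens because the answer's YAML has no namespace field.
The checks encode Istio semantics: exportTo "." restricts a ServiceEntry to its
own namespace, a DestinationRule only applies to a host it can see, resolution
DNS does not work with wildcard or IP-literal hosts, and tls.mode MUTUAL needs
clientCertificate, privateKey and caCertificates.
"""
import copy
import ipaddress

SERVICE_ENTRY = {
    "apiVersion": "networking.istio.io/v1alpha3", "kind": "ServiceEntry",
    "metadata": {"name": "db-service", "namespace": "databasens"},
    "spec": {
        "exportTo": ["."],
        "hosts": ["db-service.xxx.com"],
        "ports": [{"number": 5443, "name": "tcp", "protocol": "tcp"}],
        "resolution": "DNS",
        "location": "MESH_EXTERNAL",
    },
}
DESTINATION_RULE = {
    "apiVersion": "networking.istio.io/v1alpha3", "kind": "DestinationRule",
    "metadata": {"name": "mtls-db-service", "namespace": "databasens"},  # namespace assumed
    "spec": {
        "host": "db-service.xxx.com",
        "trafficPolicy": {"tls": {
            "mode": "MUTUAL",
            "clientCertificate": "/etc/certs/myclientcert.pem",
            "privateKey": "/etc/certs/client_private_key.pem",
            "caCertificates": "/etc/certs/rootcacerts.pem",
        }},
    },
}


def _is_ip(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def host_matches(se_host, dr_host):
    """Exact match, or a '*.suffix' ServiceEntry host covering the DestinationRule host."""
    if se_host.startswith("*."):
        return dr_host.endswith(se_host[1:])
    return se_host == dr_host


def visible_to(se, namespace):
    """exportTo semantics: '*' everywhere, '.' only the ServiceEntry's own namespace."""
    export = se["spec"].get("exportTo") or ["*"]
    own = se["metadata"]["namespace"]
    return any(e == "*" or e == namespace or (e == "." and own == namespace) for e in export)


def check_service_entry(se):
    spec, problems = se["spec"], []
    hosts = spec.get("hosts", [])
    if not hosts:
        problems.append("ServiceEntry has no hosts")
    for port in spec.get("ports", []):
        for key in ("number", "name", "protocol"):
            if key not in port:
                problems.append(f"port {port} is missing '{key}'")
    resolution = spec.get("resolution", "NONE")
    if resolution == "DNS" and any(h.startswith("*") for h in hosts):
        problems.append("resolution DNS cannot be used with wildcard hosts; use NONE")
    if resolution == "DNS" and any(_is_ip(h) for h in hosts):
        problems.append("resolution DNS with an IP-literal host has nothing to resolve; use STATIC with endpoints")
    if resolution == "STATIC" and not (spec.get("endpoints") or spec.get("workloadSelector")):
        problems.append("resolution STATIC needs endpoints or a workloadSelector")
    return problems


def check_pair(se, dr):
    """Return a list of problems; an empty list means the pair is consistent."""
    problems = check_service_entry(se)
    dr_ns = dr["metadata"].get("namespace", "default")
    dr_host = dr["spec"]["host"]
    if not any(host_matches(h, dr_host) for h in se["spec"].get("hosts", [])):
        problems.append(f"DestinationRule host {dr_host!r} matches no ServiceEntry host")
    if not visible_to(se, dr_ns):
        problems.append(f"ServiceEntry exportTo {se['spec'].get('exportTo')} hides it from "
                        f"namespace {dr_ns!r}; the DestinationRule will never apply")
    tls = dr["spec"].get("trafficPolicy", {}).get("tls", {})
    mode = tls.get("mode", "DISABLE")
    if mode == "MUTUAL":
        for key in ("clientCertificate", "privateKey", "caCertificates"):
            if not tls.get(key):
                problems.append(f"tls.mode MUTUAL requires '{key}'")
    elif mode == "ISTIO_MUTUAL" and se["spec"].get("location") == "MESH_EXTERNAL":
        problems.append("ISTIO_MUTUAL presents an Istio-issued workload certificate, which a "
                        "MESH_EXTERNAL service outside the mesh CA does not trust; use MUTUAL "
                        "with your own certificates, or SIMPLE")
    return problems


def variant(manifest, path, value):
    """Deep copy of manifest with the value at dotted path replaced (removed when value is None)."""
    out = copy.deepcopy(manifest)
    node, keys = out, path.split(".")
    for key in keys[:-1]:
        node = node[key]
    if value is None:
        node.pop(keys[-1], None)
    else:
        node[keys[-1]] = value
    return out


if __name__ == "__main__":
    print("as posted:", check_pair(SERVICE_ENTRY, DESTINATION_RULE) or "OK")
    print("DR in another namespace:",
          check_pair(SERVICE_ENTRY, variant(DESTINATION_RULE, "metadata.namespace", "project")))
```

The namespace check is the one most relevant to the question: the ServiceEntry above is exported only to databasens, so a DestinationRule (or a client pod) in the operator's own namespace will not see it unless exportTo is widened or the objects are created in the same namespace.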
