Istio virtual service header rules are not applied


Problem description

So I have a very unique situation. Problem: virtual service route rules are not applied. We have a buzzfeed sso setup in our cluster. We want to modify response headers, i.e. add a header to each request that matches the uri sign_in. Buzzfeed sso has its own namespace. Now, to accomplish this I have created a virtual service. Steps to reproduce: we used this virtual service spec to create the route rules.

apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
  name: sso-auth-injector
spec:
  hosts:
  - sso-auth
  http:
  - match:
    - uri:
        prefix: /sign_in
      ignoreUriCase: true
    route:
    - destination:
        host: sso-auth
      headers:
        response:
          add: 
            foo: bar
        request:
          add:
            hello: world

Analysis

istioctl x describe has output:

Pod: sso-auth-58744b56cd-lwqrh.sso
   Pod Ports: 4180 (sso-auth), 15090 (istio-proxy)
Suggestion: add ‘app’ label to pod for Istio telemetry.
Suggestion: add ‘version’ label to pod for Istio telemetry.
Service: sso-auth.sso
   Port: http 80/HTTP targets pod port 4180
Pod is PERMISSIVE (enforces HTTP/mTLS) and clients speak HTTP
VirtualService: sso-auth-injector.sso
   /sign_in uncased

2) Istioctl . Not attaching all the rules but for outbound|80|

"routes": [
                    {
                        "match": {
                            "prefix": "/sign_in",
                            "caseSensitive": false
                        },
                        "route": {
                            "cluster": "outbound|80||sso-auth.sso.svc.cluster.local",
                            "timeout": "0s",
                            "retryPolicy": {
                                "retryOn": "connect-failure,refused-stream,unavailable,cancelled,resource-exhausted,retriable-status-codes",
                                "numRetries": 2,
                                "retryHostPredicate": [
                                    {
                                        "name": "envoy.retry_host_predicates.previous_hosts"
                                    }
                                ],
                                "hostSelectionRetryMaxAttempts": "5",
                                "retriableStatusCodes": [
                                    503
                                ]
                            },
                            "maxGrpcTimeout": "0s"
                        },
                        "metadata": {
                            "filterMetadata": {
                                "istio": {
                                    "config": "/apis/networking/v1alpha3/namespaces/sso/virtual-service/sso-auth-injector"
                                }
                            }
                        },
                        "decorator": {
                            "operation": "sso-auth.sso.svc.cluster.local:80/sign_in*"
                        },
                        "typedPerFilterConfig": {
                            "mixer": {
                                "@type": "type.googleapis.com/istio.mixer.v1.config.client.ServiceConfig",
                                "disableCheckCalls": true,
                                "mixerAttributes": {
                                    "attributes": {
                                        "destination.service.host": {
                                            "stringValue": "sso-auth.sso.svc.cluster.local"
                                        },
                                        "destination.service.name": {
                                            "stringValue": "sso-auth"
                                        },
                                        "destination.service.namespace": {
                                            "stringValue": "sso"
                                        },
                                        "destination.service.uid": {
                                            "stringValue": "istio://sso/services/sso-auth"
                                        }
                                    }
                                },
                                "forwardAttributes": {
                                    "attributes": {
                                        "destination.service.host": {
                                            "stringValue": "sso-auth.sso.svc.cluster.local"
                                        },
                                        "destination.service.name": {
                                            "stringValue": "sso-auth"
                                        },
                                        "destination.service.namespace": {
                                            "stringValue": "sso"
                                        },
                                        "destination.service.uid": {
                                            "stringValue": "istio://sso/services/sso-auth"
                                        }
                                    }
                                }
                            }
                        },
                        "requestHeadersToAdd": [
                            {
                                "header": {
                                    "key": "hello",
                                    "value": "world"
                                },
                                "append": true
                            }
                        ],
                        "responseHeadersToAdd": [
                            {
                                "header": {
                                    "key": "foo",
                                    "value": "bar"
                                },
                                "append": true
                            }
                        ]
                    }
                ]
            },

Issues/Questions

These rules don't take effect. Each request is passed to the service but headers are not modified. Shouldn't the route rules be applicable to inbound requests as opposed to outbound (as shown in the generated config)?

Recommended answer

We want to modify response headers, i.e. add a header to each request that matches the uri sign_in

I made an example, tested it and everything works just fine.

Check the vs, tests and whole example below.

Virtual service

apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
  name: nginxvirt
spec:
  gateways:
  - mesh
  hosts:
  - nginx.default.svc.cluster.local
  http:
  - name: match
    headers:
      response:
        add:
          foo: "bar"
    match:
    - uri:
        prefix: /sign_in
    rewrite:
      uri: /
    route:
    - destination:
        host: nginx.default.svc.cluster.local
        port:
          number: 80
        subset: v1


Everything needed to test

apiVersion: v1
kind: Pod
metadata:
  name: ubu1
spec:
  containers:
  - name: ubu1
    image: ubuntu
    command: ["/bin/sh"]
    args: ["-c", "apt-get update && apt-get install curl -y && sleep 3000"]

---

apiVersion: apps/v1
kind: Deployment
metadata:
  name: nginx1
spec:
  selector:
    matchLabels:
      run: nginx1
  replicas: 1
  template:
    metadata:
      labels:
        run: nginx1
        app: frontend
    spec:
      containers:
      - name: nginx1
        image: nginx
        ports:
        - containerPort: 80
        lifecycle:
          postStart:
            exec:
              command: ["/bin/sh", "-c", "echo Hello nginx1 > /usr/share/nginx/html/index.html"]

---

apiVersion: v1
kind: Service
metadata:
  name: nginx
  labels:
    app: frontend
spec:
  ports:
  - port: 80
    protocol: TCP
  selector:
    app: frontend   

---

apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
  name: nginxvirt
spec:
  gateways:
  - mesh
  hosts:
  - nginx.default.svc.cluster.local
  http:
  - name: match
    headers:
      response:
        add:
          foo: "bar"
    match:
    - uri:
        prefix: /sign_in
    rewrite:
      uri: /
    route:
    - destination:
        host: nginx.default.svc.cluster.local
        port:
          number: 80
        subset: v1

---  

apiVersion: networking.istio.io/v1alpha3
kind: DestinationRule
metadata:
  name: nginxdest
spec:
  host: nginx.default.svc.cluster.local
  subsets:
  - name: v1
    labels:
      run: nginx1


Test from the ubuntu pod

I used curl -I for displaying response headers

curl -I nginx/sign_in
HTTP/1.1 200 OK
server: envoy
date: Tue, 24 Mar 2020 07:44:10 GMT
content-type: text/html
content-length: 13
last-modified: Thu, 12 Mar 2020 06:52:43 GMT
etag: "5e69dc3b-d"
accept-ranges: bytes
x-envoy-upstream-service-time: 3
foo: bar

As you can see, the foo:bar header is added correctly.

Additional links for headers

Istio adds and removes headers, but doesn't overwrite

How to display request headers with command line curl

In your istioctl analyze I see you might have a 503 error

"retriableStatusCodes": [
                                    503
                                ]

Additional links for the 503 error

https://istio.io/docs/ops/common-problems/network-issues/#503-errors-after-setting-destination-rule

Accessing service using istio ingress gives 503 error when mTLS is enabled
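
An added example, not part of the original question or answer: a Python check that reads route entries in the shape of the Envoy dump quoted in the question and reports which headers a given request path would receive and which side enforces them. The `outbound` prefix of the cluster name means the rule lives in the calling pod's sidecar, so a client without an Istio proxy never gets these headers applied. The sample data is constructed (trimmed from that dump) and the function names are hypothetical.

```python
import json

# Constructed sample: two route entries trimmed to the fields used here,
# in the shape of the Envoy dump quoted in the question.
SAMPLE_ROUTES = json.loads("""
[
  {"match": {"prefix": "/sign_in", "caseSensitive": false},
   "route": {"cluster": "outbound|80||sso-auth.sso.svc.cluster.local"},
   "requestHeadersToAdd": [{"header": {"key": "hello", "value": "world"}}],
   "responseHeadersToAdd": [{"header": {"key": "foo", "value": "bar"}}]},
  {"match": {"prefix": "/"},
   "route": {"cluster": "outbound|80||sso-auth.sso.svc.cluster.local"}}
]
""")

def route_matches(match, path):
    """Evaluate an Envoy prefix/path matcher; caseSensitive defaults to true."""
    fold = (lambda s: s) if match.get("caseSensitive", True) else str.lower
    if "prefix" in match:
        return fold(path).startswith(fold(match["prefix"]))
    if "path" in match:
        return fold(path) == fold(match["path"])
    return False  # regex and other matchers are not handled here

def _headers(route, key):
    """Flatten an Envoy header-to-add list into a {name: value} dict."""
    return {h["header"]["key"]: h["header"]["value"] for h in route.get(key, [])}

def headers_for(routes, path):
    """First matching route wins, as in Envoy. Returns None if nothing matches."""
    for route in routes:
        if route_matches(route.get("match", {}), path):
            cluster = route.get("route", {}).get("cluster", "")
            return {
                "cluster": cluster,
                # "outbound" means the rule is enforced by the caller's sidecar
                "direction": cluster.split("|", 1)[0],
                "request_add": _headers(route, "requestHeadersToAdd"),
                "response_add": _headers(route, "responseHeadersToAdd"),
            }
    return None

if __name__ == "__main__":
    for p in ("/Sign_In?next=/", "/healthz"):
        print(p, "->", headers_for(SAMPLE_ROUTES, p))
```

To use it on a live mesh, pass the `routes` array of the relevant virtual host from `istioctl proxy-config routes <pod> -o json`, taken from the client pod rather than the destination pod.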
