Converting an Ingress resource to an Istio VirtualService or ServiceEntry



I have an application whose Ingress resource is shown below.

    apiVersion: extensions/v1beta1
    kind: Ingress
    metadata:
      name: {{ $fullName }}-stateful
      labels:
        app: oxauth
      annotations:
        kubernetes.io/ingress.class: "nginx"
        nginx.org/ssl-services: "oxtrust"
        nginx.ingress.kubernetes.io/app-root: "/identity"
        nginx.ingress.kubernetes.io/affinity: "cookie"
        nginx.ingress.kubernetes.io/session-cookie-name: "route"
        nginx.ingress.kubernetes.io/session-cookie-hash: "sha1"
        nginx.ingress.kubernetes.io/proxy-next-upstream: "error timeout invalid_header http_500 http_502 http_503 http_504"
    spec:
    {{- if .Values.ingress.tls }}
      tls:
      {{- range .Values.ingress.tls }}
        - hosts:
          {{- range .hosts }}
            - {{ . | quote }}
          {{- end }}
          secretName: {{ .secretName }}
      {{- end }}
    {{- end }}
      rules:
      {{- range .Values.ingress.hosts }}
        - host: {{ . | quote }}
          http:
            paths:
              - path: /identity
                backend:
                  serviceName: oxtrust
                  servicePort: 8080
              - path: /idp
                backend:
                  serviceName: oxshibboleth
                  servicePort: 8080
              - path: /passport
                backend:
                  serviceName: oxpassport
                  servicePort: 8090
      {{- end }}

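I want to translate it into a VirtualService to be used by an Istio gateway. But once I do that, the oxpassport service always returns a 503 error in the logs. This means the deployment cannot be carried out.

Here is the Service definition: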

    apiVersion: v1
    kind: Service
    metadata:
      creationTimestamp: "2020-04-15T18:21:12Z"
      labels:
        app: oxpassport
        app.kubernetes.io/instance: kk
        app.kubernetes.io/managed-by: Helm
        app.kubernetes.io/version: 4.1.0_01
        helm.sh/chart: oxpassport-1.0.0
      name: oxpassport
      namespace: test
    spec:
      clusterIP: 10.111.71.120
      ports:
      - name: tcp-oxpassport
        port: 8090
        protocol: TCP
        targetPort: 8090
      selector:
        app: oxpassport
        release: kk
      type: ClusterIP
    status:
      loadBalancer: {}

Finally, here is the VS I am trying to use:

VirtualService

    apiVersion: networking.istio.io/v1alpha3
    kind: VirtualService
    metadata:
      name: {{ include "istio.fullname" . }}-oxpassport
      namespace: {{ .Release.Namespace }}
    spec:
      hosts:
      - oxpassport.{{ .Release.Namespace }}.svc.cluster.local
      gateways:
      - {{ .Release.Name }}-global-gtw
      http:
      - match:
        - uri:
            prefix: /passport
        rewrite:
          uri: /identity
        route:
        - destination:
            host: oxpassport.{{ .Release.Namespace }}.svc.cluster.local
            port:
              number: 8090

Gateway snippet:

    - port:
        number: 8090
        name: tcp-oxpassport
        protocol: HTTP
      hosts:
      - oxpassport.{{ .Release.Namespace }}.svc.cluster.local

Things to note:

  1. There is a backend application with these labels. It has its own VS and is working:

    labels:
      app: oxauth
    
  2. Oxpassport is deployed with the labels

    labels:
      app: oxpassport
    

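I know this is a long post, but this has been a blocker for several days now. If possible, please explain.

Thanks

The Gateway should be in the same namespace as the virtual service. If it is not in the same namespace as the virtual service, it should be added as in the example below.

Check spec.gateways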

    apiVersion: networking.istio.io/v1alpha3
    kind: VirtualService
    metadata:
      name: bookinfo-Mongo
      namespace: bookinfo-namespace
    spec:
      gateways:
      - some-namespace/my-gateway

In your Ingress you have 3 paths, so a virtual service based on that Ingress should look like this:

    apiVersion: networking.istio.io/v1alpha3
    kind: VirtualService
    metadata:
      name: {{ include "istio.fullname" . }}-oxpassport
      namespace: {{ .Release.Namespace }}
    spec:
      hosts:
      - oxpassport.{{ .Release.Namespace }}.svc.cluster.local
      gateways:
      - {{ .Release.Name }}-global-gtw
      http:
      - name: a
        match:
        - uri:
            prefix: /identity
        route:
        - destination:
            host: oxtrust.{{ .Release.Namespace }}.svc.cluster.local
            port:
              number: 8080
      - name: b
        match:
        - uri:
            prefix: /idp
        route:
        - destination:
            host: oxshibboleth.{{ .Release.Namespace }}.svc.cluster.local
            port:
              number: 8080
      - name: c
        match:
        - uri:
            prefix: /passport
        route:
        - destination:
            host: oxpassport.{{ .Release.Namespace }}.svc.cluster.local
            port:
              number: 8090

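When a 503 occurs, these cases with answers are worth checking.

  • https://istio.io/docs/ops/common-problems/network-issues/#503-errors-after-setting-destination-rule

  • Accessing a service using istio-ingress gives a 503 error when mTLS is enabled

  • https://istio.io/docs/ops/best-practices/traffic-management/#avoid-503-errors-while-reconfiguring-service-routes

  • How to terminate SSL at the ingress gateway in Istio?

  • Kubernetes Istio ingress gateway always responds with 503


EDIT


Did you take this into consideration: nginx.ingress.kubernetes.io/app-root: "/identity"?

Missed the /identity app root; you can rewrite all of them as you did before.

Also, can we split the whole big VS into separate VS files? Is there any particular reason?

No, you should be able to create separate smaller virtual services instead of one big one; I just copied the Ingress you provided.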
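
The path-to-route mapping discussed in the answer above, as an added Python example that is not part of the original question or answer: it converts a rendered Ingress (as a dict) into a VirtualService with one prefix route per path, and models the app-root annotation as a redirect from `/` instead of a rewrite on each service route. The function name, the resource name `kk-stateful`, the sample host `gluu.example.com`, the gateway name `kk-global-gtw` and the use of the Ingress host as the VirtualService host are assumptions.

```python
import json

APP_ROOT = "nginx.ingress.kubernetes.io/app-root"

def ingress_to_virtualservice(ingress, gateway, namespace):
    """Build a VirtualService dict with one prefix route per Ingress path."""
    meta = ingress["metadata"]
    hosts, routes = [], []
    for rule in ingress["spec"]["rules"]:
        if rule.get("host") and rule["host"] not in hosts:
            hosts.append(rule["host"])
        for path in rule["http"]["paths"]:
            backend = path["backend"]
            fqdn = f'{backend["serviceName"]}.{namespace}.svc.cluster.local'
            routes.append({
                "match": [{"uri": {"prefix": path["path"]}}],
                # Assumes a numeric servicePort (named ports are not resolved).
                "route": [{"destination": {
                    "host": fqdn,
                    "port": {"number": int(backend["servicePort"])}}}],
            })
    # Routes are evaluated in order, so put longer prefixes first.
    routes.sort(key=lambda r: len(r["match"][0]["uri"]["prefix"]), reverse=True)
    app_root = meta.get("annotations", {}).get(APP_ROOT)
    if app_root:
        # app-root sends "/" to the application root: model it as a redirect,
        # not as a rewrite on the per-service routes.
        routes.insert(0, {"match": [{"uri": {"exact": "/"}}],
                          "redirect": {"uri": app_root}})
    return {
        "apiVersion": "networking.istio.io/v1alpha3",
        "kind": "VirtualService",
        "metadata": {"name": meta["name"], "namespace": namespace},
        "spec": {"hosts": hosts, "gateways": [gateway], "http": routes},
    }

# Constructed sample: the Ingress from the question after Helm rendering,
# with an assumed resource name and external host.
SAMPLE_INGRESS = {
    "metadata": {"name": "kk-stateful", "annotations": {APP_ROOT: "/identity"}},
    "spec": {"rules": [{"host": "gluu.example.com", "http": {"paths": [
        {"path": "/identity", "backend": {"serviceName": "oxtrust", "servicePort": 8080}},
        {"path": "/idp", "backend": {"serviceName": "oxshibboleth", "servicePort": 8080}},
        {"path": "/passport", "backend": {"serviceName": "oxpassport", "servicePort": 8090}},
    ]}}]},
}

if __name__ == "__main__":
    print(json.dumps(ingress_to_virtualservice(SAMPLE_INGRESS, "kk-global-gtw", "test"), indent=2))
```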
