我想在 Istio 中将所有传入的 http 1.1 连接升级到 http2。我了解如何通过特定命名空间和 pod 的目标规则来实现这一点。
但是,我也想从 http1.1 升级服务网格中的所有连接 http2。甚至文档也建议这样做,如果 Istio sidecar 是自动注入的。
如果 sidecar 安装在网格中的所有 Pod 上,则应将其设置为升级。
我可以更新 "Istio-system" 命名空间下的 "istio" ConfigMap 吗?
如果是,条目会是什么样子?
如果没有,请建议如何以最小的努力实现这一目标?
事实上,您将在 TheconfigMapistio 中设置它,它会像这样:
apiVersion: v1
data:
mesh: |-
accessLogEncoding: TEXT
accessLogFile: /dev/stdout
accessLogFormat: ""
h2UpgradePolicy: UPGRADE #<- here
defaultConfig:
concurrency: 2
configPath: ./etc/istio/proxy
现在,看到它起作用有点棘手。我发送了四个请求;其中两个没有h2UpgradePolicy参数,其中两个带有h2UpgradePolicy: UPGRADE.但是我从客户那里提出的所有四个请求都是这样的:
$ kubectl exec -it curler -- curl -I demo.istio
Defaulting container name to curler.
Use 'kubectl describe pod/curler -n default' to see all of the containers in this pod.
HTTP/1.1 200 OK
server: envoy
date: Mon, 22 Jun 2020 13:05:53 GMT
content-type: text/html
content-length: 612
last-modified: Tue, 26 May 2020 15:00:20 GMT
etag: "5ecd2f04-264"
accept-ranges: bytes
x-envoy-upstream-service-time: 1
我从网格外部发送请求,因为默认情况下我从内部获得HTTP2。所以,在我的情况下,mTLS 被禁用了,但这无关紧要。
要查看它是否有效,您需要检查下游代理的日志:
...
[2020-06-22T13:03:03.942Z] "HEAD / HTTP/1.1" 200 - "-" "-" 0 0 0 0 "-" "curl/7.59.0" "a7c32d21-dcea-95da-b7c1-67c5783a1641" "demo.istio" "127.0.0.1:80" inbound|80|http|demo.istio.svc.cluster.local 127.0.0.1:33180 192.168.72.186:80 192.168.66.168:34814 outbound_.80_._.demo.istio.svc.cluster.local default
[2020-06-22T13:03:05.245Z] "HEAD / HTTP/1.1" 200 - "-" "-" 0 0 0 0 "-" "curl/7.59.0" "409b3432-365f-94fe-87cd-8a85b586b42d" "demo.istio" "127.0.0.1:80" inbound|80|http|demo.istio.svc.cluster.local 127.0.0.1:60952 192.168.72.186:80 192.168.66.168:34830 outbound_.80_._.demo.istio.svc.cluster.local default
[2020-06-22T13:03:36.732Z] "HEAD / HTTP/2" 200 - "-" "-" 0 0 0 0 "-" "curl/7.59.0" "45dd94e5-6f29-9114-b09f-bda065dfd1eb" "demo.istio" "127.0.0.1:80" inbound|80|http|demo.istio.svc.cluster.local 127.0.0.1:33180 192.168.72.186:80 192.168.66.168:35120 outbound_.80_._.demo.istio.svc.cluster.local default
[2020-06-22T13:03:38.743Z] "HEAD / HTTP/2" 200 - "-" "-" 0 0 0 0 "-" "curl/7.59.0" "79e72286-f247-9ed0-b510-2819a886c7f9" "demo.istio" "127.0.0.1:80" inbound|80|http|demo.istio.svc.cluster.local 127.0.0.1:33180 192.168.72.186:80 192.168.66.168:35120 outbound_.80_._.demo.istio.svc.cluster.local default
非常重要:要使其正常工作,前面的服务(如果下游对等方(必须具有命名端口,并且必须将其称为http
apiVersion: v1
kind: Service
metadata:
name: demo
spec:
ports:
- name: http #<- this parameter is mandatory to upgrade to HTTP2
port: 80
protocol: TCP
targetPort: 80
selector:
app: nginx