How to create a custom istio ingress gateway controller?

Agu*_*ama 3 kubernetes istio

Our GKE cluster is shared by several teams in the company. Each team can own a different public domain (and therefore wants a different CA certificate setup as well as a different ingress gateway controller). How can this be done in Istio? All the tutorials/introductory articles on the Istio site use a shared ingress gateway. See the example shared ingress gateway of the istio-1.0.0 installation: https://istio.io/docs/tasks/traffic-management/secure-ingress/

```yaml
spec:
  selector:
    istio: ingressgateway # use istio default ingress gateway
```

Agu*_*ama 13

OK, I found the answer after looking at the code of the Istio installation via helm. So, basically istio has an official way (but not really documented in their readme.md) to add additional gateways (ingress and egress gateways). I know this because I found this yaml file in their github repo and read the comments (while also looking at the gateway spec and its logic in the chart template code).

So, I solved this by defining this values-custom-gateway.yaml file:

```yaml
# Gateways Configuration
# By default (if enabled) a pair of Ingress and Egress Gateways will be created for the mesh.
# You can add more gateways in addition to the defaults but make sure those are uniquely named
# and that NodePorts are not conflicting.
# Disable specific gateway by setting the `enabled` to false.
#
gateways:
  enabled: true

  agung-ingressgateway:
    namespace: agung-ns
    enabled: true
    labels:
      app: agung-istio-ingressgateway
      istio: agung-ingressgateway
    replicaCount: 1
    autoscaleMin: 1
    autoscaleMax: 2
    resources: {}
      # limits:
      #  cpu: 100m
      #  memory: 128Mi
      #requests:
      #  cpu: 1800m
      #  memory: 256Mi

    loadBalancerIP: ""
    serviceAnnotations: {}
    type: LoadBalancer #change to NodePort, ClusterIP or LoadBalancer if need be

    ports:
      ## You can add custom gateway ports
    - port: 80
      targetPort: 80
      name: http2
      # nodePort: 31380
    - port: 443
      name: https
      # nodePort: 31390
    - port: 31400
      name: tcp
    secretVolumes:
    - name: ingressgateway-certs
      secretName: istio-ingressgateway-certs
      mountPath: /etc/istio/ingressgateway-certs
    - name: ingressgateway-ca-certs
      secretName: istio-ingressgateway-ca-certs
      mountPath: /etc/istio/ingressgateway-ca-certs
```

If you look at the yaml file above, I specified a namespace other than istio-system. This way we have a means to customize the TLS and CA certificates used by our custom gateway. Also, agung-ingressgateway, the holder of the custom gateway controller spec, is used as the name of the gateway controller.

Then, I just installed istio via helm upgrade --install so that helm can intelligently upgrade istio with the additional gateway.

```bash
# pass the values file defined above so the extra gateway is rendered
helm upgrade my-istio-release-name <istio-chart-folder> --install -f values-custom-gateway.yaml
```

Once upgraded successfully, I can specify a custom selector for my Gateway:

```yaml
---
apiVersion: networking.istio.io/v1alpha3
kind: Gateway
metadata:
  name: agung-gateway
  namespace: agung-ns
spec:
  selector:
    app: agung-istio-ingressgateway # use custom gateway
    # istio: ingressgateway # use Istio default gateway implementation
  servers:
  - port:
      number: 80
      name: http
      protocol: HTTP
    hosts:
    - "*"
  - port:
      number: 443
      name: https
      protocol: HTTPS
    tls:
      mode: SIMPLE
      serverCertificate: /etc/istio/ingressgateway-certs/tls.crt
      privateKey: /etc/istio/ingressgateway-certs/tls.key
    hosts:
    - "*"
```
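The three places where this setup silently breaks are a Gateway selector that does not match the custom controller's pod labels (it then binds to nothing, or to the shared default gateway), a server port the gateway Service never exposes, and TLS paths that are not under a mounted secretVolume. The following added example (not from the answer or from Istio) encodes the values file and Gateway above as Python dicts, constructed from the page, and checks those three invariants before anything is applied to the cluster.

```python
# Constructed from the values file and the Gateway manifest in the answer above,
# written as Python dicts so the checks run without a YAML parser.
GATEWAY_VALUES = {
    "namespace": "agung-ns",
    "labels": {"app": "agung-istio-ingressgateway", "istio": "agung-ingressgateway"},
    "ports": [{"port": 80, "name": "http2"}, {"port": 443, "name": "https"},
              {"port": 31400, "name": "tcp"}],
    "secretVolumes": [{"name": "ingressgateway-certs",
                       "secretName": "istio-ingressgateway-certs",
                       "mountPath": "/etc/istio/ingressgateway-certs"}],
}
GATEWAY_RESOURCE = {
    "metadata": {"name": "agung-gateway", "namespace": "agung-ns"},
    "spec": {"selector": {"app": "agung-istio-ingressgateway"},
             "servers": [
                 {"port": {"number": 80, "name": "http", "protocol": "HTTP"},
                  "hosts": ["*"]},
                 {"port": {"number": 443, "name": "https", "protocol": "HTTPS"},
                  "tls": {"mode": "SIMPLE",
                          "serverCertificate": "/etc/istio/ingressgateway-certs/tls.crt",
                          "privateKey": "/etc/istio/ingressgateway-certs/tls.key"},
                  "hosts": ["*"]}]},
}


def check_gateway(values, gateway):
    """Return a list of problems; an empty list means the Gateway selects the
    intended controller, uses exposed ports and reads certs from a mounted path."""
    problems = []
    pod_labels = values["labels"]
    # 1. Every selector label must be present on the custom gateway pods. A selector
    #    of istio=ingressgateway would bind to the shared default gateway instead.
    for key, val in gateway["spec"]["selector"].items():
        if pod_labels.get(key) != val:
            problems.append(f"selector {key}={val} matches no label on the custom gateway")
    exposed = {p["port"] for p in values["ports"]}
    mounts = [v["mountPath"] for v in values["secretVolumes"]]
    for server in gateway["spec"]["servers"]:
        number = server["port"]["number"]
        # 2. A server port the gateway Service does not expose is unreachable.
        if number not in exposed:
            problems.append(f"port {number} is not exposed by the gateway Service")
        # 3. TLS files must live under a mounted secret volume or Envoy cannot load them.
        for field in ("serverCertificate", "privateKey"):
            path = server.get("tls", {}).get(field)
            if path and not any(path.startswith(m + "/") for m in mounts):
                problems.append(f"{field} {path} is not under a mounted secretVolume")
    return problems
```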