We have a use case where we need to create an egress gateway to talk to multiple external hosts. We followed the documentation given at https://istio.io/latest/docs/tasks/traffic-management/egress/egress-gateway/#egress-gateway-for-https-traffic. It works if we have one external host, but it does not work when there is more than one. To test our use case we tried configuring two external hosts, and this is the error we see:
curl: (35) Recv failure: Connection reset by peer
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
  0     0    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--     0
curl: (35) Recv failure: Connection reset by peer
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
  0     0    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--     0
curl: (35) Recv failure: Connection reset by peer
Expected behavior: traffic should be routed to google and paymenttools.com.

Steps to reproduce the bug

Service entries for both external sites:
apiVersion: networking.istio.io/v1beta1
kind: ServiceEntry
metadata:
  annotations:
    meta.helm.sh/release-name: test-egress-networking
    meta.helm.sh/release-namespace: test
  creationTimestamp: "2023-07-04T09:48:00Z"
  generation: 1
  labels:
    app.kubernetes.io/managed-by: Helm
    helm.toolkit.fluxcd.io/name: test-egress-networking
    helm.toolkit.fluxcd.io/namespace: flux-system
  name: test-egress-networking-www.google.com-443
  namespace: test
  resourceVersion: "402044469"
  uid: 3cc0c95d-f4fb-4bd8-a87f-00d552105458
spec:
  exportTo:
  - .
  hosts:
  - www.google.com
  location: MESH_EXTERNAL
  ports:
  - name: https
    number: 443
    protocol: TLS
  resolution: DNS
---
apiVersion: networking.istio.io/v1beta1
kind: ServiceEntry
metadata:
  annotations:
    meta.helm.sh/release-name: test-egress-networking
    meta.helm.sh/release-namespace: test
  creationTimestamp: "2023-07-05T08:16:04Z"
  generation: 1
  labels:
    app.kubernetes.io/managed-by: Helm
    helm.toolkit.fluxcd.io/name: test-egress-networking
    helm.toolkit.fluxcd.io/namespace: flux-system
  name: test-egress-networking-www.paymenttools.com-443
  namespace: test
  resourceVersion: "403158012"
  uid: 838580e7-0982-4ef4-903a-6ab738a1e051
spec:
  exportTo:
  - .
  hosts:
  - www.paymenttools.com
  location: MESH_EXTERNAL
  ports:
  - name: https
    number: 443
    protocol: TLS
  resolution: DNS
Virtual services configured for both:
apiVersion: networking.istio.io/v1beta1
kind: VirtualService
metadata:
  annotations:
    meta.helm.sh/release-name: test-egress-networking
    meta.helm.sh/release-namespace: test
  creationTimestamp: "2023-07-04T09:52:02Z"
  generation: 5
  labels:
    app: test-egress
    app.kubernetes.io/instance: test-egress-networking
    app.kubernetes.io/managed-by: Helm
    app.kubernetes.io/name: test-egress
    helm.sh/chart: network-3.12.1
    helm.toolkit.fluxcd.io/name: test-egress-networking
    helm.toolkit.fluxcd.io/namespace: flux-system
  name: www.google.com-443
  namespace: test
  resourceVersion: "404913509"
  uid: 39c8513b-4a82-4f48-a319-b538f4d0ff53
spec:
  gateways:
  - mesh
  - istio-bf7f5eb02957dae90addc9c99754ff5d2aedf1821-egress-gateway
  hosts:
  - www.google.com
  tls:
  - match:
    - gateways:
      - mesh
      port: 443
      sniHosts:
      - www.google.com
    route:
    - destination:
        host: istio-test-egress-networking-egress-gateway.test.svc.cluster.local
        port:
          number: 443
        subset: bf7f5eb02957dae90addc9c99754ff5d2aedf1821f5dd513f720b15f4ae3
  - match:
    - gateways:
      - istio-bf7f5eb02957dae90addc9c99754ff5d2aedf1821-egress-gateway
      port: 443
      sniHosts:
      - www.google.com
    route:
    - destination:
        host: www.google.com
        port:
          number: 443
---
apiVersion: networking.istio.io/v1beta1
kind: VirtualService
metadata:
  annotations:
    meta.helm.sh/release-name: test-egress-networking
    meta.helm.sh/release-namespace: test
  creationTimestamp: "2023-07-05T08:16:04Z"
  generation: 3
  labels:
    app: test-egress
    app.kubernetes.io/instance: test-egress-networking
    app.kubernetes.io/managed-by: Helm
    app.kubernetes.io/name: test-egress
    helm.sh/chart: network-3.12.1
    helm.toolkit.fluxcd.io/name: test-egress-networking
    helm.toolkit.fluxcd.io/namespace: flux-system
  name: www.paymenttools.com-443
  namespace: test
  resourceVersion: "404913970"
  uid: 73f5cf05-45e3-415d-8e5a-62f8e64b0592
spec:
  gateways:
  - mesh
  - istio-9b2f56608b26eca7193652502e7d626c9771601a0-egress-gateway
  hosts:
  - www.paymenttools.com
  tls:
  - match:
    - gateways:
      - mesh
      port: 443
      sniHosts:
      - www.paymenttools.com
    route:
    - destination:
        host: istio-test-egress-networking-egress-gateway.test.svc.cluster.local
        port:
          number: 443
        subset: 9b2f56608b26eca7193652502e7d626c9771601a0d95c1594eb39262610c
  - match:
    - gateways:
      - istio-9b2f56608b26eca7193652502e7d626c9771601a0-egress-gateway
      port: 443
      sniHosts:
      - www.paymenttools.com
    route:
    - destination:
        host: www.paymenttools.com
        port:
          number: 443
Gateway configuration:
apiVersion: networking.istio.io/v1beta1
kind: Gateway
metadata:
  annotations:
    meta.helm.sh/release-name: test-egress-networking
    meta.helm.sh/release-namespace: test
  creationTimestamp: "2023-07-05T08:16:04Z"
  generation: 4
  labels:
    app: test-egress
    app.kubernetes.io/instance: test-egress-networking
    app.kubernetes.io/managed-by: Helm
    app.kubernetes.io/name: test-egress
    helm.sh/chart: network-3.12.1
    helm.toolkit.fluxcd.io/name: test-egress-networking
    helm.toolkit.fluxcd.io/namespace: flux-system
  name: istio-9b2f56608b26eca7193652502e7d626c9771601a0-egress-gateway
  namespace: test
  resourceVersion: "404902076"
  uid: 8ab999fa-f9d8-4103-9f26-fdcfc0fa1ae8
spec:
  selector:
    istio: test-egress-networking-egress-gateway
  servers:
  - hosts:
    - www.paymenttools.com
    port:
      name: http
      number: 80
      protocol: HTTP
---
apiVersion: networking.istio.io/v1beta1
kind: Gateway
metadata:
  annotations:
    meta.helm.sh/release-name: test-egress-networking
    meta.helm.sh/release-namespace: test
  creationTimestamp: "2023-07-04T09:48:00Z"
  generation: 6
  labels:
    app: test-egress
    app.kubernetes.io/instance: test-egress-networking
    app.kubernetes.io/managed-by: Helm
    app.kubernetes.io/name: test-egress
    helm.sh/chart: network-3.12.1
    helm.toolkit.fluxcd.io/name: test-egress-networking
    helm.toolkit.fluxcd.io/namespace: flux-system
  name: istio-bf7f5eb02957dae90addc9c99754ff5d2aedf1821-egress-gateway
  namespace: test
  resourceVersion: "404902432"
  uid: 2f89af05-8ce8-43f1-b34d-534cf8e1ca8c
spec:
  selector:
    istio: test-egress-networking-egress-gateway
  servers:
  - hosts:
    - www.google.com
    port:
      name: http
      number: 80
      protocol: HTTP
Destination Rules:
apiVersion: networking.istio.io/v1beta1
kind: DestinationRule
metadata:
  annotations:
    meta.helm.sh/release-name: test-egress-networking
    meta.helm.sh/release-namespace: test
  creationTimestamp: "2023-07-04T09:48:00Z"
  generation: 6
  labels:
    app: test-egress
    app.kubernetes.io/instance: test-egress-networking
    app.kubernetes.io/managed-by: Helm
    app.kubernetes.io/name: test-egress
    helm.sh/chart: network-3.12.1
    helm.toolkit.fluxcd.io/name: test-egress-networking
    helm.toolkit.fluxcd.io/namespace: flux-system
  name: istio-test-egress-networking-egress-gateway
  namespace: test
  resourceVersion: "404915054"
  uid: 1f6f140b-8002-40ff-8ef8-042e4721f489
spec:
  exportTo:
  - .
  host: istio-test-egress-networking-egress-gateway.test.svc.cluster.local
  subsets:
  - name: bf7f5eb02957dae90addc9c99754ff5d2aedf1821f5dd513f720b15f4ae3
    trafficPolicy:
      loadBalancer:
        simple: ROUND_ROBIN
      portLevelSettings:
      - port:
          number: 443
        tls:
          mode: ISTIO_MUTUAL
          sni: www.google.com
  - name: 9b2f56608b26eca7193652502e7d626c9771601a0d95c1594eb39262610c
    trafficPolicy:
      loadBalancer:
        simple: ROUND_ROBIN
      portLevelSettings:
      - port:
          number: 443
        tls:
          mode: ISTIO_MUTUAL
          sni: www.paymenttools.com
How was Istio installed? Helm

Version (istioctl version): client version: 1.16.1, control plane version: 1.18.0, data plane version: 1.18.0 (63 proxies)

Client Version: version.Info{Major:"1", Minor:"25", GitVersion:"v1.25.4", GitCommit:"872a965c6c6526caa949f0c6ac028ef7aff3fb78", GitTreeState:"clean", BuildDate:"2022-11-09T13:28:30Z", GoVersion:"go1.19.3", Compiler:"gc", Platform:"darwin/arm64"} Kustomize Version: v4.5.7 Server Version: version.Info{Major:"1", Minor:"26", GitVersion:"v1.26.5-gke.1400", GitCommit:"4eb57372b0f0ac0023caca078161b7518
I have already raised the same question here but did not get any feedback. Has anyone run into a similar problem?
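The check below is an added example, not code from the original question or from Istio: it takes a constructed, trimmed copy of the www.google.com VirtualService, Gateway and DestinationRule shown above (only the fields the check reads) and verifies that the mesh-side route lands on a subset whose sni equals the matched sniHosts, and that the named Gateway actually exposes that host on the port the gateway-side match uses. Run against the page's resources it flags that the Gateway declares only port 80/HTTP while the VirtualService matches TLS on port 443 at the gateway, a mismatch that is separate from the DestinationRule TLS mode discussed in the answer.

```python
# Added example (not from the original question or from Istio): cross-check a
# VirtualService against its Gateway and DestinationRule. The dicts are a
# constructed, trimmed copy of the page's www.google.com resources.
EGRESS_GW = "istio-bf7f5eb02957dae90addc9c99754ff5d2aedf1821-egress-gateway"
EGRESS_SVC = "istio-test-egress-networking-egress-gateway.test.svc.cluster.local"
SUBSET = "bf7f5eb02957dae90addc9c99754ff5d2aedf1821f5dd513f720b15f4ae3"
# Gateway name -> servers as (hosts, port number, protocol); the page declares 80/HTTP
GATEWAYS = {EGRESS_GW: [(["www.google.com"], 80, "HTTP")]}
# DestinationRule host -> {subset name: sni from its port-level TLS settings}
DESTINATION_RULES = {EGRESS_SVC: {SUBSET: "www.google.com"}}
VIRTUAL_SERVICE = {
    "hosts": ["www.google.com"],
    "tls": [
        {"match": [{"gateways": ["mesh"], "port": 443, "sniHosts": ["www.google.com"]}],
         "route": [{"destination": {"host": EGRESS_SVC, "port": 443, "subset": SUBSET}}]},
        {"match": [{"gateways": [EGRESS_GW], "port": 443, "sniHosts": ["www.google.com"]}],
         "route": [{"destination": {"host": "www.google.com", "port": 443}}]},
    ],
}

def lint(vs, gateways, drs):
    """Return findings as strings; an empty list means the three resources agree."""
    findings = []
    for rule in vs["tls"]:
        for m in rule["match"]:
            for gw in m["gateways"]:
                if gw == "mesh":
                    # Sidecar hop: the routed subset must exist and carry the matched SNI.
                    for r in rule["route"]:
                        d = r["destination"]
                        sni = drs.get(d["host"], {}).get(d.get("subset"))
                        if sni is None:
                            findings.append(f"no subset {d.get('subset')} for {d['host']}")
                        elif sni not in m["sniHosts"]:
                            findings.append(f"subset SNI {sni} is not in {m['sniHosts']}")
                    continue
                # Gateway hop: the named Gateway must serve this host on the matched port.
                servers = gateways.get(gw)
                if servers is None:
                    findings.append(f"gateway {gw} is not defined")
                    continue
                for host in m["sniHosts"]:
                    ports = [p for hosts, p, _ in servers if host in hosts]
                    if m["port"] not in ports:
                        findings.append(f"{gw} serves {host} on {ports}, not on port {m['port']}")
    return findings

if __name__ == "__main__":
    print("\n".join(lint(VIRTUAL_SERVICE, GATEWAYS, DESTINATION_RULES)) or "OK")
```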
1 answer
Using ISTIO_MUTUAL will not work with an endpoint like "google.com". If you want to originate a TLS connection, you have to use SIMPLE in the DestinationRules. Check the docs here.