kubernetes: Istio egress routing through an egress gateway to multiple external hosts does not work

fcipmucu  posted on 2023-08-03 in Kubernetes
Follow (0) | Answers (1) | Views (107)

We have a use case that requires creating an egress gateway to talk to multiple external hosts. We followed the documentation at https://istio.io/latest/docs/tasks/traffic-management/egress/egress-gateway/#egress-gateway-for-https-traffic. It works if we have a single external host, but it does not work with multiple external hosts. To test our use case we tried configuring two external hosts, and this is the error we see:

curl: (35) Recv failure: Connection reset by peer
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
  0     0    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--     0  0     0    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--     0  0     0    0     0    0     0      0      0 --:
curl: (35) Recv failure: Connection reset by peer
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
  0     0    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--     0  0     0    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--     0
curl: (35) Recv failure: Connection reset by peer

Expected behavior: traffic should be routed to Google and paymenttools.com.
Steps to reproduce the bug
Service entries for the two external sites

apiVersion: networking.istio.io/v1beta1
kind: ServiceEntry
metadata:
  annotations:
    meta.helm.sh/release-name: test-egress-networking
    meta.helm.sh/release-namespace: test
  creationTimestamp: "2023-07-04T09:48:00Z"
  generation: 1
  labels:
    app.kubernetes.io/managed-by: Helm
    helm.toolkit.fluxcd.io/name: test-egress-networking
    helm.toolkit.fluxcd.io/namespace: flux-system
  name: test-egress-networking-www.google.com-443
  namespace: test
  resourceVersion: "402044469"
  uid: 3cc0c95d-f4fb-4bd8-a87f-00d552105458
spec:
  exportTo:
  - .
  hosts:
  - www.google.com
  location: MESH_EXTERNAL
  ports:
  - name: https
    number: 443
    protocol: TLS
  resolution: DNS
---
apiVersion: networking.istio.io/v1beta1
kind: ServiceEntry
metadata:
  annotations:
    meta.helm.sh/release-name: test-egress-networking
    meta.helm.sh/release-namespace: test
  creationTimestamp: "2023-07-05T08:16:04Z"
  generation: 1
  labels:
    app.kubernetes.io/managed-by: Helm
    helm.toolkit.fluxcd.io/name: test-egress-networking
    helm.toolkit.fluxcd.io/namespace: flux-system
  name: test-egress-networking-www.paymenttools.com-443
  namespace: test
  resourceVersion: "403158012"
  uid: 838580e7-0982-4ef4-903a-6ab738a1e051
spec:
  exportTo:
  - .
  hosts:
  - www.paymenttools.com
  location: MESH_EXTERNAL
  ports:
  - name: https
    number: 443
    protocol: TLS
  resolution: DNS


Virtual services configured for both

apiVersion: networking.istio.io/v1beta1
kind: VirtualService
metadata:
  annotations:
    meta.helm.sh/release-name: test-egress-networking
    meta.helm.sh/release-namespace: test
  creationTimestamp: "2023-07-04T09:52:02Z"
  generation: 5
  labels:
    app: test-egress
    app.kubernetes.io/instance: test-egress-networking
    app.kubernetes.io/managed-by: Helm
    app.kubernetes.io/name: test-egress
    helm.sh/chart: network-3.12.1
    helm.toolkit.fluxcd.io/name: test-egress-networking
    helm.toolkit.fluxcd.io/namespace: flux-system
  name: www.google.com-443
  namespace: test
  resourceVersion: "404913509"
  uid: 39c8513b-4a82-4f48-a319-b538f4d0ff53
spec:
  gateways:
  - mesh
  - istio-bf7f5eb02957dae90addc9c99754ff5d2aedf1821-egress-gateway
  hosts:
  - www.google.com
  tls:
  - match:
    - gateways:
      - mesh
      port: 443
      sniHosts:
      - www.google.com
    route:
    - destination:
        host: istio-test-egress-networking-egress-gateway.test.svc.cluster.local
        port:
          number: 443
        subset: bf7f5eb02957dae90addc9c99754ff5d2aedf1821f5dd513f720b15f4ae3
  - match:
    - gateways:
      - istio-bf7f5eb02957dae90addc9c99754ff5d2aedf1821-egress-gateway
      port: 443
      sniHosts:
      - www.google.com
    route:
    - destination:
        host: www.google.com
        port:
          number: 443
---

apiVersion: networking.istio.io/v1beta1
kind: VirtualService
metadata:
  annotations:
    meta.helm.sh/release-name: test-egress-networking
    meta.helm.sh/release-namespace: test
  creationTimestamp: "2023-07-05T08:16:04Z"
  generation: 3
  labels:
    app: test-egress
    app.kubernetes.io/instance: test-egress-networking
    app.kubernetes.io/managed-by: Helm
    app.kubernetes.io/name: test-egress
    helm.sh/chart: network-3.12.1
    helm.toolkit.fluxcd.io/name: test-egress-networking
    helm.toolkit.fluxcd.io/namespace: flux-system
  name: www.paymenttools.com-443
  namespace: test
  resourceVersion: "404913970"
  uid: 73f5cf05-45e3-415d-8e5a-62f8e64b0592
spec:
  gateways:
  - mesh
  - istio-9b2f56608b26eca7193652502e7d626c9771601a0-egress-gateway
  hosts:
  - www.paymenttools.com
  tls:
  - match:
    - gateways:
      - mesh
      port: 443
      sniHosts:
      - www.paymenttools.com
    route:
    - destination:
        host: istio-test-egress-networking-egress-gateway.test.svc.cluster.local
        port:
          number: 443
        subset: 9b2f56608b26eca7193652502e7d626c9771601a0d95c1594eb39262610c
  - match:
    - gateways:
      - istio-9b2f56608b26eca7193652502e7d626c9771601a0-egress-gateway
      port: 443
      sniHosts:
      - www.paymenttools.com
    route:
    - destination:
        host: www.paymenttools.com
        port:
          number: 443


Gateway configuration

apiVersion: networking.istio.io/v1beta1
kind: Gateway
metadata:
  annotations:
    meta.helm.sh/release-name: test-egress-networking
    meta.helm.sh/release-namespace: test
  creationTimestamp: "2023-07-05T08:16:04Z"
  generation: 4
  labels:
    app: test-egress
    app.kubernetes.io/instance: test-egress-networking
    app.kubernetes.io/managed-by: Helm
    app.kubernetes.io/name: test-egress
    helm.sh/chart: network-3.12.1
    helm.toolkit.fluxcd.io/name: test-egress-networking
    helm.toolkit.fluxcd.io/namespace: flux-system
  name: istio-9b2f56608b26eca7193652502e7d626c9771601a0-egress-gateway
  namespace: test
  resourceVersion: "404902076"
  uid: 8ab999fa-f9d8-4103-9f26-fdcfc0fa1ae8
spec:
  selector:
    istio: test-egress-networking-egress-gateway
  servers:
  - hosts:
    - www.paymenttools.com
    port:
      name: http
      number: 80
      protocol: HTTP
---
apiVersion: networking.istio.io/v1beta1
kind: Gateway
metadata:
  annotations:
    meta.helm.sh/release-name: test-egress-networking
    meta.helm.sh/release-namespace: test
  creationTimestamp: "2023-07-04T09:48:00Z"
  generation: 6
  labels:
    app: test-egress
    app.kubernetes.io/instance: test-egress-networking
    app.kubernetes.io/managed-by: Helm
    app.kubernetes.io/name: test-egress
    helm.sh/chart: network-3.12.1
    helm.toolkit.fluxcd.io/name: test-egress-networking
    helm.toolkit.fluxcd.io/namespace: flux-system
  name: istio-bf7f5eb02957dae90addc9c99754ff5d2aedf1821-egress-gateway
  namespace: test
  resourceVersion: "404902432"
  uid: 2f89af05-8ce8-43f1-b34d-534cf8e1ca8c
spec:
  selector:
    istio: test-egress-networking-egress-gateway
  servers:
  - hosts:
    - www.google.com
    port:
      name: http
      number: 80
      protocol: HTTP

Destination Rules

apiVersion: networking.istio.io/v1beta1
kind: DestinationRule
metadata:
  annotations:
    meta.helm.sh/release-name: test-egress-networking
    meta.helm.sh/release-namespace: test
  creationTimestamp: "2023-07-04T09:48:00Z"
  generation: 6
  labels:
    app: test-egress
    app.kubernetes.io/instance: test-egress-networking
    app.kubernetes.io/managed-by: Helm
    app.kubernetes.io/name: test-egress
    helm.sh/chart: network-3.12.1
    helm.toolkit.fluxcd.io/name: test-egress-networking
    helm.toolkit.fluxcd.io/namespace: flux-system
  name: istio-test-egress-networking-egress-gateway
  namespace: test
  resourceVersion: "404915054"
  uid: 1f6f140b-8002-40ff-8ef8-042e4721f489
spec:
  exportTo:
  - .
  host: istio-test-egress-networking-egress-gateway.test.svc.cluster.local
  subsets:
  - name: bf7f5eb02957dae90addc9c99754ff5d2aedf1821f5dd513f720b15f4ae3
    trafficPolicy:
      loadBalancer:
        simple: ROUND_ROBIN
      portLevelSettings:
      - port:
          number: 443
        tls:
          mode: ISTIO_MUTUAL
          sni: www.google.com
  - name: 9b2f56608b26eca7193652502e7d626c9771601a0d95c1594eb39262610c
    trafficPolicy:
      loadBalancer:
        simple: ROUND_ROBIN
      portLevelSettings:
      - port:
          number: 443
        tls:
          mode: ISTIO_MUTUAL
          sni: www.paymenttools.com


How was Istio installed? Helm
Version: istioctl version
client version: 1.16.1
control plane version: 1.18.0
data plane version: 1.18.0 (63 proxies)
kubectl version
Client Version: version.Info{Major:"1", Minor:"25", GitVersion:"v1.25.4", GitCommit:"872a965c6c6526caa949f0c6ac028ef7aff3fb78", GitTreeState:"clean", BuildDate:"2022-11-09T13:28:30Z", GoVersion:"go1.19.3", Compiler:"gc", Platform:"darwin/arm64"}
Kustomize Version: v4.5.7
Server Version: version.Info{Major:"1", Minor:"26", GitVersion:"v1.26.5-gke.1400", GitCommit:"4eb57372b0f0ac0023caca078161b7518
I have raised the same question here but got no feedback. Has anyone run into a similar problem?
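As an added example (not part of the original post, and not Istio's own tooling), the Python script below runs a few consistency checks over a constructed, trimmed copy of the resources in the question. For every tls route bound to a gateway other than mesh it checks that the named Gateway exists, that it has a server on the port the match refers to, that the server's protocol is TLS or HTTPS, and that the SNI host is among the server's hosts; for each route destination it checks that a referenced subset is defined in a DestinationRule for that host and that a direct external destination is backed by a ServiceEntry. In the question's manifests the Gateway servers listen on port 80 with protocol HTTP while the VirtualService matches and DestinationRule subsets target port 443 on that gateway, so the sidecar is sent to a port on which the gateway has no listener; the script reports that mismatch for the sample as posted and reports nothing once the server is replaced by a port 443 TLS PASSTHROUGH listener, which is what the linked Istio task uses. The names EGRESS_GW and GW_SVC are shortened placeholders for the Helm-generated names on the page.

```python
"""Consistency checks for an Istio egress-gateway configuration.

Added example (not code from the original post or from Istio). The resources
below are a constructed, trimmed copy of the shape of the ones in the
question, with names shortened and written as Python dicts so the script runs
without PyYAML.
"""
import copy
from typing import Dict, List

EGRESS_GW = "istio-egress-gateway"  # hypothetical Gateway name (shortened)
GW_SVC = "istio-egress-gateway.test.svc.cluster.local"  # hypothetical gateway Service
TLS_PROTOCOLS = {"TLS", "HTTPS"}  # Gateway server protocols that can carry a tls route

# Constructed sample mirroring the question: Gateway on 80/HTTP, routes on 443.
RESOURCES: List[Dict] = [
    {"kind": "ServiceEntry", "metadata": {"name": "www.google.com-443"},
     "spec": {"hosts": ["www.google.com"], "location": "MESH_EXTERNAL", "resolution": "DNS",
              "ports": [{"name": "https", "number": 443, "protocol": "TLS"}]}},
    {"kind": "Gateway", "metadata": {"name": EGRESS_GW},
     "spec": {"selector": {"istio": "egress-gateway"},
              "servers": [{"hosts": ["www.google.com"],
                           "port": {"name": "http", "number": 80, "protocol": "HTTP"}}]}},
    {"kind": "VirtualService", "metadata": {"name": "www.google.com-443"},
     "spec": {"gateways": ["mesh", EGRESS_GW], "hosts": ["www.google.com"],
              "tls": [
                  {"match": [{"gateways": ["mesh"], "port": 443, "sniHosts": ["www.google.com"]}],
                   "route": [{"destination": {"host": GW_SVC, "port": {"number": 443},
                                              "subset": "google"}}]},
                  {"match": [{"gateways": [EGRESS_GW], "port": 443, "sniHosts": ["www.google.com"]}],
                   "route": [{"destination": {"host": "www.google.com", "port": {"number": 443}}}]},
              ]}},
    {"kind": "DestinationRule", "metadata": {"name": "egress-gateway"},
     "spec": {"host": GW_SVC,
              "subsets": [{"name": "google", "trafficPolicy": {"portLevelSettings": [
                  {"port": {"number": 443},
                   "tls": {"mode": "ISTIO_MUTUAL", "sni": "www.google.com"}}]}}]}},
]

# Same configuration with the Gateway server changed to what a tls route needs:
# a TLS passthrough listener on the port the VirtualService match refers to.
FIXED_RESOURCES = copy.deepcopy(RESOURCES)
FIXED_RESOURCES[1]["spec"]["servers"][0] = {
    "hosts": ["www.google.com"],
    "port": {"name": "tls", "number": 443, "protocol": "TLS"},
    "tls": {"mode": "PASSTHROUGH"},
}


def _index(resources: List[Dict]) -> Dict[str, Dict[str, Dict]]:
    """Group specs by kind and then by metadata.name."""
    out: Dict[str, Dict[str, Dict]] = {}
    for r in resources:
        out.setdefault(r["kind"], {})[r["metadata"]["name"]] = r["spec"]
    return out


def check_egress_config(resources: List[Dict]) -> List[str]:
    """Return human-readable findings; an empty list means the config is consistent."""
    idx = _index(resources)
    gateways = idx.get("Gateway", {})
    dest_rules = idx.get("DestinationRule", {})
    external_hosts = {h for se in idx.get("ServiceEntry", {}).values() for h in se["hosts"]}
    findings: List[str] = []

    for vs_name, vs in idx.get("VirtualService", {}).items():
        for tls_route in vs.get("tls", []):
            for m in tls_route.get("match", []):
                port = m.get("port")
                for gw in m.get("gateways", []):
                    if gw == "mesh":
                        continue  # sidecar side of the route: no Gateway listener involved
                    if gw not in vs.get("gateways", []):
                        findings.append(f"{vs_name}: match uses gateway {gw} not listed in spec.gateways")
                    servers = gateways.get(gw, {}).get("servers")
                    if servers is None:
                        findings.append(f"{vs_name}: gateway {gw} does not exist")
                        continue
                    on_port = [s for s in servers if s["port"]["number"] == port]
                    if not on_port:
                        findings.append(f"{vs_name}: gateway {gw} has no server on port {port}")
                    for s in on_port:
                        if s["port"]["protocol"] not in TLS_PROTOCOLS:
                            findings.append(f"{vs_name}: gateway {gw} port {port} is "
                                            f"{s['port']['protocol']}, not a TLS listener")
                        for sni in m.get("sniHosts", []):
                            if sni not in s["hosts"] and "*" not in s["hosts"]:
                                findings.append(f"{vs_name}: SNI {sni} not among gateway {gw} "
                                                f"hosts on port {port}")
            for r in tls_route.get("route", []):
                d = r["destination"]
                if "subset" in d:
                    drs = [dr for dr in dest_rules.values() if dr["host"] == d["host"]]
                    subsets = {s["name"] for dr in drs for s in dr.get("subsets", [])}
                    if d["subset"] not in subsets:
                        findings.append(f"{vs_name}: subset {d['subset']} not defined for {d['host']}")
                elif d["host"] not in external_hosts:
                    findings.append(f"{vs_name}: destination {d['host']} has no ServiceEntry")
    return findings


if __name__ == "__main__":
    for label, res in (("as posted", RESOURCES), ("with TLS passthrough server", FIXED_RESOURCES)):
        print(f"--- {label}")
        for line in check_egress_config(res) or ["no findings"]:
            print(line)
```

The checks are structural only: they say nothing about whether the sidecar and gateway actually negotiate mTLS, only whether the objects refer to ports, hosts and subsets that exist. Feeding real manifests in is a matter of loading them with a YAML parser into the same list-of-dicts shape.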

twh00eeo

Answer #1

Using ISTIO_MUTUAL will not work with an endpoint like "google.com".
If you want to originate a TLS connection, you have to use SIMPLE in the DestinationRules.
Check the documentation here.
