Last active
March 25, 2019 03:30
-
-
Save ChenLingPeng/4be73d1376f3b2b611c446260210de25 to your computer and use it in GitHub Desktop.
istio-demo
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| apiVersion: config.istio.io/v1alpha2 | |
| kind: listchecker | |
| metadata: | |
| name: whitelist | |
| spec: | |
| # providerUrl: ordinarily black and white lists are maintained | |
| # externally and fetched asynchronously using the providerUrl. | |
| overrides: ["v1", "v2"] # overrides provide a static list | |
| blacklist: false | |
| --- | |
| apiVersion: config.istio.io/v1alpha2 | |
| kind: listentry | |
| metadata: | |
| name: appversion | |
| spec: | |
| value: source.labels["version"] | |
| --- | |
| apiVersion: config.istio.io/v1alpha2 | |
| kind: rule | |
| metadata: | |
| name: checkversion | |
| spec: | |
| match: destination.labels["app"] == "ratings" | |
| actions: | |
| - handler: whitelist.listchecker | |
| instances: | |
| - appversion.listentry |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| apiVersion: networking.istio.io/v1alpha3 | |
| kind: Gateway | |
| metadata: | |
| name: bookinfo-gateway | |
| spec: | |
| selector: | |
| istio: ingressgateway # use istio default controller | |
| servers: | |
| - port: | |
| number: 80 | |
| name: http | |
| protocol: HTTP | |
| hosts: | |
| - "*" | |
| --- | |
| apiVersion: networking.istio.io/v1alpha3 | |
| kind: VirtualService | |
| metadata: | |
| name: bookinfo | |
| spec: | |
| hosts: | |
| - "*" | |
| gateways: | |
| - bookinfo-gateway | |
| http: | |
| - match: | |
| - uri: | |
| exact: /productpage | |
| - uri: | |
| exact: /login | |
| - uri: | |
| exact: /logout | |
| - uri: | |
| prefix: /api/v1/products | |
| route: | |
| - destination: | |
| host: productpage | |
| port: | |
| number: 9080 | |
| - match: | |
| - uri: | |
| exact: /reviews/1 | |
| headers: | |
| user: | |
| exact: foo | |
| route: | |
| - destination: | |
| host: reviews | |
| subset: v3 | |
| port: | |
| number: 9080 | |
| - match: | |
| - uri: | |
| exact: /reviews/1 | |
| route: | |
| - destination: | |
| host: reviews | |
| subset: v3 | |
| port: | |
| number: 9080 | |
| weight: 25 | |
| - destination: | |
| host: reviews | |
| subset: v1 | |
| port: | |
| number: 9080 | |
| weight: 75 |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| apiVersion: networking.istio.io/v1alpha3 | |
| kind: Gateway | |
| metadata: | |
| name: bookinfo-gateway | |
| spec: | |
| selector: | |
| istio: ingressgateway # use istio default controller | |
| servers: | |
| - port: | |
| number: 80 | |
| name: http | |
| protocol: HTTP | |
| hosts: | |
| - "*" | |
| --- | |
| apiVersion: networking.istio.io/v1alpha3 | |
| kind: VirtualService | |
| metadata: | |
| name: bookinfo | |
| spec: | |
| hosts: | |
| - "*" | |
| gateways: | |
| - bookinfo-gateway | |
| http: | |
| - match: | |
| - uri: | |
| exact: /productpage | |
| - uri: | |
| exact: /login | |
| - uri: | |
| exact: /logout | |
| - uri: | |
| prefix: /api/v1/products | |
| route: | |
| - destination: | |
| host: productpage | |
| port: | |
| number: 9080 | |
| --- | |
| apiVersion: networking.istio.io/v1alpha3 | |
| kind: VirtualService | |
| metadata: | |
| name: reviews | |
| spec: | |
| hosts: | |
| - "*" | |
| gateways: | |
| - bookinfo-gateway | |
| http: | |
| - match: | |
| - uri: | |
| exact: /reviews/1 | |
| route: | |
| - destination: | |
| host: reviews | |
| subset: v3 | |
| port: | |
| number: 9080 |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| apiVersion: networking.istio.io/v1alpha3 | |
| kind: Gateway | |
| metadata: | |
| name: bookinfo-gateway | |
| spec: | |
| selector: | |
| istio: ingressgateway # use istio default controller | |
| servers: | |
| - port: | |
| number: 80 | |
| name: http | |
| protocol: HTTP | |
| hosts: | |
| - "*" | |
| --- | |
| apiVersion: networking.istio.io/v1alpha3 | |
| kind: VirtualService | |
| metadata: | |
| name: bookinfo | |
| spec: | |
| hosts: | |
| - "*" | |
| gateways: | |
| - bookinfo-gateway | |
| http: | |
| - match: | |
| - uri: | |
| exact: /productpage | |
| - uri: | |
| exact: /login | |
| - uri: | |
| exact: /logout | |
| - uri: | |
| prefix: /api/v1/products | |
| route: | |
| - destination: | |
| host: productpage | |
| port: | |
| number: 9080 | |
| --- | |
| apiVersion: networking.istio.io/v1alpha3 | |
| kind: VirtualService | |
| metadata: | |
| name: reviews | |
| spec: | |
| hosts: | |
| - "*" | |
| gateways: | |
| - bookinfo-gateway | |
| http: | |
| - match: | |
| - uri: | |
| exact: /reviews/1 | |
| headers: | |
| user: | |
| exact: foo | |
| route: | |
| - destination: | |
| host: reviewsv1 # change service name | |
| port: | |
| number: 9080 | |
| - match: | |
| - uri: | |
| exact: /reviews/1 | |
| route: | |
| - destination: | |
| host: reviewsv2 # change service name | |
| port: | |
| number: 9080 |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # sidecar在收到请求后先从Mixer进行前置条件检查,在请求之后向Mixer回报遥测数据(都有cache) | |
| # 各种[adapter](https://istio.io/docs/reference/config/policy-and-telemetry/adapters/) | |
| # 通过一套配置进行工作,需要包含3种对象 | |
| # handler: | |
| # 定义后端adapter | |
| apiVersion: config.istio.io/v1alpha2 | |
| kind: prometheus | |
| metadata: | |
| name: handler | |
| namespace: istio-system | |
| spec: | |
| metrics: | |
| - name: request_count | |
| instance_name: requestcount.metric.istio-system | |
| kind: COUNTER | |
| label_names: | |
| - destination_service | |
| - destination_version | |
| - response_code | |
| - name: request_duration | |
| instance_name: requestduration.metric.istio-system | |
| kind: DISTRIBUTION | |
| label_names: | |
| - destination_service | |
| - destination_version | |
| - response_code | |
| buckets: | |
| explicit_buckets: | |
| bounds: [0.005, 0.01, 0.025, 0.05, 0.1, 0.25, 0.5, 1, 2.5, 5, 10] | |
| --- | |
| # instance: | |
| # 描述如何将请求资源映射成后端需要的输入数据 | |
| apiVersion: config.istio.io/v1alpha2 | |
| kind: metric | |
| metadata: | |
| name: requestduration | |
| namespace: istio-system | |
| spec: | |
| value: response.duration | "0ms" | |
| dimensions: | |
| destination_service: destination.service | "unknown" | |
| destination_version: destination.labels["version"] | "unknown" | |
| response_code: response.code | 200 | |
| monitored_resource_type: '"UNSPECIFIED"' | |
| --- | |
| # rule: | |
| # 定义何时调用一个adapter(触发条件)以及对应的instance是什么 | |
| apiVersion: config.istio.io/v1alpha2 | |
| kind: rule | |
| metadata: | |
| name: promhttp | |
| namespace: istio-system | |
| spec: | |
| match: destination.service == "service1.ns.svc.cluster.local" && request.headers["x-user"] == "user1" | |
| actions: | |
| - handler: handler.prometheus | |
| instances: | |
| - requestduration.metric.istio-system | |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # VirtualService | |
| # 定义服务网格内对服务的请求如何进行路由控制 ,支持根据 host、sourceLabels 、http headers 等不同的路由方式,也支持百分比、超时、重试、错误注入等功能。 | |
| # DestinationRule | |
| # 定义 VirtualService 之后的路由策略,包括断路器、负载均衡以及 TLS 等。 | |
| # ServiceEntry | |
| # 定义了服务网格之外的服务,支持两种类型:网格内部和网格外部。网格内的条目和其他的内部服务类似,用于显式的将服务加入网格。可以用来把服务作为服务网格扩展的一部分加入不受管理的基础设置(例如加入到基于 Kubernetes 的服务网格中的虚拟机)中。网格外的条目用于表达网格外的服务。对这种条目来说,双向 TLS 认证是禁止的,策略实现需要在客户端执行,而不像内部服务请求中的服务端执行。 | |
| # Gateway | |
| # 定义边缘网络流量的负载均衡。 | |
| # ConnectionPoolSettings 连接池设置 | |
| apiVersion: networking.istio.io/v1alpha3 | |
| kind: DestinationRule | |
| metadata: | |
| name: bookinfo-redis | |
| spec: | |
| host: myredissrv.prod.svc.cluster.local | |
| trafficPolicy: | |
| connectionPool: | |
| # 设置连接池 | |
| tcp: | |
| maxConnections: 100 | |
| connectTimeout: 30ms | |
| http: | |
| # https://preliminary.istio.io/docs/reference/config/istio.networking.v1alpha3/#ConnectionPoolSettings-HTTPSettings | |
| --- | |
| # CorsPolicy 跨域支持 | |
| apiVersion: networking.istio.io/v1alpha3 | |
| kind: VirtualService | |
| metadata: | |
| name: ratings-route | |
| spec: | |
| hosts: | |
| - ratings.prod.svc.cluster.local | |
| http: | |
| - route: | |
| - destination: | |
| host: ratings.prod.svc.cluster.local | |
| subset: v1 | |
| fault: | |
| abort: | |
| percent: 10 | |
| httpStatus: 400 | |
| delay: | |
| percent: 10 | |
| fixedDelay: 5s | |
| corsPolicy: | |
| allowOrigin: | |
| - example.com | |
| allowMethods: | |
| - POST | |
| - GET | |
| allowCredentials: false | |
| allowHeaders: | |
| - X-Foo-Bar | |
| maxAge: "1d" | |
| match: | |
| - headers: | |
| end-user: | |
| exact: jason | |
| uri: | |
| prefix: "/ratings/v2/" | |
| --- | |
| # virtual service with subnet | |
| apiVersion: networking.istio.io/v1alpha3 | |
| kind: VirtualService | |
| metadata: | |
| name: reviews-route | |
| namespace: foo | |
| spec: | |
| hosts: | |
| - reviews # interpreted as reviews.foo.svc.cluster.local | |
| http: | |
| - match: | |
| - uri: | |
| prefix: "/wpcatalog" | |
| - uri: | |
| prefix: "/consumercatalog" | |
| rewrite: | |
| uri: "/newcatalog" | |
| route: | |
| - destination: | |
| host: reviews # interpreted as reviews.foo.svc.cluster.local | |
| subset: v2 | |
| - route: | |
| - destination: | |
| host: reviews # interpreted as reviews.foo.svc.cluster.local | |
| subset: v1 | |
| # associated DestinationRule | |
| apiVersion: networking.istio.io/v1alpha3 | |
| kind: DestinationRule | |
| metadata: | |
| name: reviews-destination | |
| namespace: foo | |
| spec: | |
| host: reviews # interpreted as reviews.foo.svc.cluster.local | |
| subsets: | |
| - name: v1 | |
| labels: | |
| version: v1 | |
| - name: v2 | |
| labels: | |
| version: v2 | |
| --- | |
| # virtual without subnet, no need DestinationRule | |
| apiVersion: networking.istio.io/v1alpha3 | |
| kind: VirtualService | |
| metadata: | |
| name: my-productpage-rule | |
| namespace: istio-system | |
| spec: | |
| hosts: | |
| - productpage.prod.svc.cluster.local # ignores rule namespace | |
| http: | |
| - timeout: 5s | |
| route: | |
| - destination: | |
| host: productpage.prod.svc.cluster.local | |
| --- | |
| # control routing for traffic bound to services outside the mesh 访问外部服务,需要定义ServiceEntry | |
| apiVersion: networking.istio.io/v1alpha3 | |
| kind: ServiceEntry | |
| metadata: | |
| name: external-svc-wikipedia | |
| spec: | |
| hosts: | |
| - wikipedia.org | |
| location: MESH_EXTERNAL | |
| ports: | |
| - number: 80 | |
| name: example-http | |
| protocol: HTTP | |
| resolution: DNS | |
| apiVersion: networking.istio.io/v1alpha3 | |
| kind: VirtualService | |
| metadata: | |
| name: my-wiki-rule | |
| spec: | |
| hosts: | |
| - wikipedia.org | |
| http: | |
| - timeout: 5s | |
| route: | |
| - destination: | |
| host: wikipedia.org | |
| --- | |
| # DestinationRule trafficPolicy | |
| apiVersion: networking.istio.io/v1alpha3 | |
| kind: DestinationRule | |
| metadata: | |
| name: bookinfo-ratings | |
| spec: | |
| host: ratings.prod.svc.cluster.local | |
| trafficPolicy: | |
| loadBalancer: | |
| simple: LEAST_CONN | |
| subsets: | |
| - name: testversion | |
| labels: | |
| version: v3 | |
| trafficPolicy: | |
| loadBalancer: | |
| simple: ROUND_ROBIN | |
| --- | |
| # trafficPolicy based on port | |
| apiVersion: networking.istio.io/v1alpha3 | |
| kind: DestinationRule | |
| metadata: | |
| name: bookinfo-ratings-port | |
| spec: | |
| host: ratings.prod.svc.cluster.local | |
| trafficPolicy: # Apply to all ports | |
| portLevelSettings: | |
| - port: | |
| number: 80 | |
| loadBalancer: | |
| simple: LEAST_CONN | |
| - port: | |
| number: 9080 | |
| loadBalancer: | |
| simple: ROUND_ROBIN | |
| --- | |
| # weight | |
| apiVersion: networking.istio.io/v1alpha3 | |
| kind: VirtualService | |
| metadata: | |
| name: reviews-route | |
| spec: | |
| hosts: | |
| - reviews.prod.svc.cluster.local | |
| http: | |
| - route: | |
| - destination: | |
| host: reviews.prod.svc.cluster.local | |
| subset: v2 | |
| weight: 25 | |
| - destination: | |
| host: reviews.prod.svc.cluster.local | |
| subset: v1 | |
| weight: 75 | |
| # associated DestinationRule | |
| apiVersion: networking.istio.io/v1alpha3 | |
| kind: DestinationRule | |
| metadata: | |
| name: reviews-destination | |
| spec: | |
| host: reviews.prod.svc.cluster.local | |
| subsets: | |
| - name: v1 | |
| labels: | |
| version: v1 | |
| - name: v2 | |
| labels: | |
| version: v2 | |
| --- | |
| # split across two entirely different services without having to define new subsets | |
| apiVersion: networking.istio.io/v1alpha3 | |
| kind: VirtualService | |
| metadata: | |
| name: reviews-route-two-domains | |
| spec: | |
| hosts: | |
| - reviews.com | |
| http: | |
| - route: | |
| - destination: | |
| host: dev.reviews.com | |
| weight: 25 | |
| - destination: | |
| host: reviews.com | |
| weight: 75 | |
| --- | |
| # gateway with virtualService | |
| # gateway会启动一个proxy并按规则监听相关端口,外部可以访问(通过external ip或者nodeport) | |
| apiVersion: networking.istio.io/v1alpha3 | |
| kind: Gateway | |
| metadata: | |
| name: my-gateway | |
| spec: | |
| selector: | |
| app: my-gatweway-controller | |
| servers: | |
| - port: | |
| number: 80 | |
| name: http | |
| protocol: HTTP | |
| hosts: | |
| - uk.bookinfo.com | |
| - eu.bookinfo.com | |
| tls: | |
| httpsRedirect: true # sends 301 redirect for http requests | |
| - port: | |
| number: 443 | |
| name: https | |
| protocol: HTTPS | |
| hosts: | |
| - uk.bookinfo.com | |
| - eu.bookinfo.com | |
| tls: | |
| mode: SIMPLE #enables HTTPS on this port | |
| serverCertificate: /etc/certs/servercert.pem | |
| privateKey: /etc/certs/privatekey.pem | |
| - port: | |
| number: 9080 | |
| name: http-wildcard | |
| protocol: HTTP | |
| hosts: | |
| - "*" | |
| - port: | |
| number: 2379 # to expose internal service via external port 2379 | |
| name: mongo | |
| protocol: MONGO | |
| hosts: | |
| - "*" | |
| apiVersion: networking.istio.io/v1alpha3 | |
| kind: VirtualService | |
| metadata: | |
| name: bookinfo-rule | |
| spec: | |
| hosts: | |
| - reviews.prod.svc.cluster.local | |
| - uk.bookinfo.com | |
| - eu.bookinfo.com | |
| gateways: | |
| - my-gateway | |
| - mesh # applies to all the sidecars in the mesh | |
| http: | |
| - match: | |
| - headers: | |
| cookie: | |
| user: dev-123 | |
| route: | |
| - destination: | |
| port: | |
| number: 7777 | |
| host: reviews.qa.svc.cluster.local | |
| - match: | |
| uri: | |
| prefix: /reviews/ | |
| route: | |
| - destination: | |
| port: | |
| number: 9080 # can be omitted if its the only port for reviews | |
| host: reviews.prod.svc.cluster.local | |
| weight: 80 | |
| - destination: | |
| host: reviews.qa.svc.cluster.local | |
| weight: 20 | |
| --- | |
| # HTTPRedirect | |
| apiVersion: networking.istio.io/v1alpha3 | |
| kind: VirtualService | |
| metadata: | |
| name: ratings-route | |
| spec: | |
| hosts: | |
| - ratings.prod.svc.cluster.local | |
| http: | |
| - match: | |
| - uri: | |
| exact: /v1/getProductRatings | |
| redirect: | |
| uri: /v1/bookRatings | |
| authority: newratings.default.svc.cluster.local | |
| --- | |
| # rewrite | |
| apiVersion: networking.istio.io/v1alpha3 | |
| kind: VirtualService | |
| metadata: | |
| name: ratings-route | |
| spec: | |
| hosts: | |
| - ratings.prod.svc.cluster.local | |
| http: | |
| - match: | |
| - uri: | |
| prefix: /ratings | |
| rewrite: | |
| uri: /v1/bookRatings | |
| route: | |
| - destination: | |
| host: ratings.prod.svc.cluster.local | |
| subset: v1 | |
| --- | |
| # OutlierDetection 异常检测 | |
| apiVersion: networking.istio.io/v1alpha3 | |
| kind: DestinationRule | |
| metadata: | |
| name: reviews-cb-policy | |
| spec: | |
| host: reviews.prod.svc.cluster.local | |
| trafficPolicy: | |
| connectionPool: | |
| tcp: | |
| maxConnections: 100 | |
| http: | |
| http2MaxRequests: 1000 | |
| maxRequestsPerConnection: 10 | |
| outlierDetection: | |
| consecutiveErrors: 7 | |
| interval: 5m | |
| baseEjectionTime: 15m | |
| --- | |
| apiVersion: networking.istio.io/v1alpha3 | |
| kind: ServiceEntry | |
| metadata: | |
| name: external-svc-mongocluster | |
| spec: | |
| hosts: | |
| - mymongodb.somedomain # not used | |
| addresses: | |
| - 192.192.192.192/24 # VIPs | |
| ports: | |
| - number: 27018 | |
| name: mongodb | |
| protocol: MONGO | |
| location: MESH_INTERNAL | |
| resolution: STATIC | |
| endpoints: | |
| - address: 2.2.2.2 | |
| - address: 3.3.3.3 | |
| --- | |
| apiVersion: networking.istio.io/v1alpha3 | |
| kind: DestinationRule | |
| metadata: | |
| name: mtls-mongocluster | |
| spec: | |
| host: mymongodb.somedomain | |
| trafficPolicy: | |
| tls: | |
| mode: MUTUAL | |
| clientCertificate: /etc/certs/myclientcert.pem | |
| privateKey: /etc/certs/client_private_key.pem | |
| caCertificates: /etc/certs/rootcacerts.pem | |
| --- | |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment