Use Ambassador API gateway as Istio ingress?

Question

Everyone, I have been searching the internet the whole day but can't find a complete and decent example of how to use the Ambassador API gateway as Istio ingress. The default documentation on the Ambassador site regarding Istio isn't clear enough. So can someone please provide a complete and detailed example of how to use the Ambassador API gateway along with the Istio service mesh?

My platform specs are:

  • OS: Windows 10

  • Container platform: Docker Desktop

  • Kubernetes version: 1.10.11

Answer 1

Score: 1

This topic is explained in detail in the Ambassador documentation:

> Ambassador is a Kubernetes-native API gateway for microservices. Ambassador is deployed at the edge of your network, and routes incoming traffic to your internal services (aka "north-south" traffic). Istio is a service mesh for microservices, and is designed to add application-level Layer (L7) observability, routing, and resilience to service-to-service traffic (aka "east-west" traffic). Both Istio and Ambassador are built using Envoy.

Follow this link for a step-by-step guide on how to get Ambassador working with Istio.

Additionally, you will need to update your Kubernetes version, as the Istio requirements are:

  • Istio 1.4 and 1.3 have been tested with Kubernetes: 1.13, 1.14, 1.15.

  • Istio 1.2 has been tested with Kubernetes: 1.12, 1.13, 1.14.

I suggest avoiding older versions.

Answer 2

Score: 0

After many hours I succeeded integrating Ambassador 1.8 with Istio 1.7.3. The mTLS integration was really tricky.

First I upgraded Kubernetes to the latest one (1.19.2) with the following extraArgs:

<pre>
extraArgs:
  service-account-issuer: kubernetes.default.svc
  service-account-signing-key-file: /etc/kubernetes/pki/sa.key
</pre>

Then installed Istio with the default profile.

Then I went on with the [documentation][1] Piotr mentioned, but the Ambassador pod did not want to start. So I compared the side car in the docs line-by-line with a side car generated automatically by Istio in another pod. Finally I got to the following working deployment yaml:
<pre>
apiVersion: apps/v1
kind: Deployment
metadata:
  name: ambassador
  namespace: rocket
spec:
  replicas: 1
  selector:
    matchLabels:
      service: ambassador
  template:
    metadata:
      annotations:
        consul.hashicorp.com/connect-inject: 'false'
        sidecar.istio.io/inject: 'false'
      labels:
        service: ambassador
        app.kubernetes.io/managed-by: getambassador.io
    spec:
      affinity:
        podAntiAffinity:
          preferredDuringSchedulingIgnoredDuringExecution:
          - podAffinityTerm:
              labelSelector:
                matchLabels:
                  service: ambassador
              topologyKey: kubernetes.io/hostname
            weight: 100
      containers:
      - name: ambassador
        image: docker.io/datawire/ambassador:1.8.0
        env:
        - name: AMBASSADOR_NAMESPACE
          valueFrom:
            fieldRef:
              fieldPath: metadata.namespace
        - name: HOST_IP
          valueFrom:
            fieldRef:
              fieldPath: status.hostIP
        - name: REDIS_URL
          value: ambassador-redis:6379
        - name: AMBASSADOR_URL
          value: https://ambassador.rocket.svc.cluster.local
        - name: POLL_EVERY_SECS
          value: '60'
        - name: AMBASSADOR_INTERNAL_URL
          value: https://127.0.0.1:8443
        - name: AMBASSADOR_SINGLE_NAMESPACE
          value: "YES"
        - name: AMBASSADOR_ID
          value: "ambassador-rocket"
        # Necessary to run the istio-proxy sidecar
        - name: AMBASSADOR_ENVOY_BASE_ID
          value: "1"
        ports:
        - containerPort: 8080
          name: http
        - containerPort: 8443
          name: https
        - containerPort: 8877
          name: http-admin
        livenessProbe:
          httpGet:
            path: /ambassador/v0/check_alive
            port: http-admin
          periodSeconds: 3
        readinessProbe:
          httpGet:
            path: /ambassador/v0/check_ready
            port: http-admin
          periodSeconds: 3
        resources:
          limits:
            cpu: 1000m
            memory: 600Mi
          requests:
            cpu: 200m
            memory: 300Mi
        securityContext:
          allowPrivilegeEscalation: false
        volumeMounts:
        - mountPath: /tmp/ambassador-pod-info
          name: ambassador-pod-info
        - mountPath: /etc/istio-certs/
          name: istio-certs
      - name: istio-proxy
        # Use the same version as your Istio installation
        image: docker.io/istio/proxyv2:1.7.3
        args:
        - proxy
        - sidecar
        - --domain
        - $(POD_NAMESPACE).svc.cluster.local
        - --serviceCluster
        - istio-proxy-ambassador.$(POD_NAMESPACE)
        - --discoveryAddress
        - istiod.istio-system.svc:15012
        - --connectTimeout
        - 10s
        - --statusPort
        - "15020"
        - --trust-domain=cluster.local
        - --controlPlaneBootstrap=false
        env:
        - name: OUTPUT_CERTS
          value: "/etc/istio-certs"
        - name: JWT_POLICY
          value: third-party-jwt
        - name: PILOT_CERT_PROVIDER
          value: istiod
        - name: CA_ADDR
          value: istiod.istio-system.svc:15012
        - name: ISTIO_META_MESH_ID
          value: cluster.local
        - name: POD_NAME
          valueFrom:
            fieldRef:
              fieldPath: metadata.name
        - name: POD_NAMESPACE
          valueFrom:
            fieldRef:
              fieldPath: metadata.namespace
        - name: INSTANCE_IP
          valueFrom:
            fieldRef:
              fieldPath: status.podIP
        - name: SERVICE_ACCOUNT
          valueFrom:
            fieldRef:
              fieldPath: spec.serviceAccountName
        - name: HOST_IP
          valueFrom:
            fieldRef:
              fieldPath: status.hostIP
        - name: ISTIO_META_POD_NAME
          valueFrom:
            fieldRef:
              apiVersion: v1
              fieldPath: metadata.name
        - name: ISTIO_META_CONFIG_NAMESPACE
          valueFrom:
            fieldRef:
              apiVersion: v1
              fieldPath: metadata.namespace
        - name: ISTIO_META_CLUSTER_ID
          value: Kubernetes
        imagePullPolicy: IfNotPresent
        resources:
          limits:
            cpu: 2000m
            memory: 1024Mi
          requests:
            cpu: 100m
            memory: 128Mi
        readinessProbe:
          failureThreshold: 30
          httpGet:
            path: /healthz/ready
            port: 15020
            scheme: HTTP
          initialDelaySeconds: 1
          periodSeconds: 2
          successThreshold: 1
          timeoutSeconds: 1
        volumeMounts:
        - mountPath: /var/run/secrets/istio
          name: istiod-ca-cert
        - mountPath: /etc/istio/proxy
          name: istio-envoy
        - mountPath: /etc/istio-certs/
          name: istio-certs
        - mountPath: /var/run/secrets/tokens
          name: istio-token
        securityContext:
          runAsUser: 0
      volumes:
      - name: istio-certs
        emptyDir:
          medium: Memory
      - name: istiod-ca-cert
        configMap:
          defaultMode: 420
          name: istio-ca-root-cert
      - name: istio-envoy
        emptyDir:
          medium: Memory
      - name: istio-token
        projected:
          defaultMode: 420
          sources:
          - serviceAccountToken:
              audience: istio-ca
              expirationSeconds: 43200
              path: istio-token
      - downwardAPI:
          items:
          - fieldRef:
              fieldPath: metadata.labels
            path: labels
        name: ambassador-pod-info
      restartPolicy: Always
      securityContext:
        runAsUser: 8888
      serviceAccountName: ambassador
      terminationGracePeriodSeconds: 0
</pre>
Note: I prefer running one Istio per cluster and one Ambassador per namespace, so I put the Ambassador pod and my other pods into the "rocket" namespace.

[1]: https://www.getambassador.io/docs/latest/howtos/istio/
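
The Deployment in Answer 2 only delivers the Istio-issued certificate to the Ambassador container (`OUTPUT_CERTS` plus the shared `istio-certs` volume); Ambassador still has to be told to present it to upstream services. The following is an added example, not part of the original answer or of the Ambassador project's manifests. It assumes a hypothetical backend Service `quote` (pods labelled `app: quote`, plaintext port 80, sidecar injected) in the `rocket` namespace; all resource names are illustrative.

```yaml
# Added example (not from the original answer). "quote" and "app: quote"
# are hypothetical names for a backend that has an injected Istio sidecar.
---
apiVersion: getambassador.io/v2
kind: TLSContext
metadata:
  name: istio-upstream
  namespace: rocket                  # AMBASSADOR_SINGLE_NAMESPACE: only this namespace is watched
spec:
  ambassador_id: ambassador-rocket   # must match AMBASSADOR_ID in the Deployment
  # Files written by istio-proxy into the directory named by OUTPUT_CERTS,
  # visible to Ambassador through the shared in-memory emptyDir.
  cert_chain_file: /etc/istio-certs/cert-chain.pem
  private_key_file: /etc/istio-certs/key.pem
  cacert_chain_file: /etc/istio-certs/root-cert.pem
  alpn_protocols: istio              # ALPN value the receiving sidecar expects for mesh mTLS
---
apiVersion: getambassador.io/v2
kind: Mapping
metadata:
  name: quote-backend
  namespace: rocket
spec:
  ambassador_id: ambassador-rocket
  prefix: /backend/
  service: quote:80                  # assumed port; the backend's sidecar terminates mTLS in front of it
  tls: istio-upstream                # originate TLS with the mesh certificate above
---
# Reject plaintext to the backend so only callers holding a mesh
# certificate (including this Ambassador pod) can reach it.
apiVersion: security.istio.io/v1beta1
kind: PeerAuthentication
metadata:
  name: quote-strict
  namespace: rocket
spec:
  selector:
    matchLabels:
      app: quote
  mtls:
    mode: STRICT
```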

huangapple
  • Posted on January 6, 2020, 22:35:43
  • When reposting, please keep the link to this article: https://go.coder-hub.com/59613934.html