Istio Gateway: a single unified entry point
# 🎯 Goal (unified-entry design)
Target layout:
```text
🌐 Unified entry
http://192.168.51.100 (the only one)
              |
        Istio Gateway
              |
 --------------------------------
 |              |              |
grafana       vmagent         logs
HTTPRoute     HTTPRoute       HTTPRoute
```
# 🧠 Core design principles (production standard)
# ✔ 1. Keep exactly one Gateway (the entry layer)
- Use only:
istio-ingressgateway, or one dedicated Gateway (recommended)
# ✔ 2. Every application only writes an HTTPRoute
- No more per-application Gateways, each with its own IP
# ✔ 3. All domains resolve to the single entry point
```text
*.zzppjj.top → 192.168.51.100
```
# ✔ 4. Split traffic by host + path
# 🚀 Design (the recommended one)
# 🧱 ① One unified Gateway (core)
👉 Keep exactly one Gateway
```yaml
apiVersion: gateway.networking.k8s.io/v1
kind: Gateway
metadata:
  name: istio-unified-gateway
  namespace: istio-system
spec:
  gatewayClassName: istio
  listeners:
  - name: http
    port: 80
    protocol: HTTP
    hostname: "*.zzppjj.top"   # one or more labels below zzppjj.top; the apex itself is not accepted
    allowedRoutes:
      namespaces:
        from: All              # HTTPRoutes from any namespace may attach to this listener
```
# 🌐 ② One DNS entry point
All domains:
```text
grafana.zzppjj.top
vmagent.zzppjj.top
logs.zzppjj.top
```
all point to:
```text
192.168.51.100
```
# 📦 ③ Application routing is written only as HTTPRoute
# 👉 vmagent
```yaml
apiVersion: gateway.networking.k8s.io/v1
kind: HTTPRoute
metadata:
  name: vmagent-route
  namespace: monitoring
spec:
  parentRefs:
  - name: istio-unified-gateway
    namespace: istio-system
    sectionName: http          # attach to the "http" listener of the unified Gateway
  hostnames:
  - vmagent.zzppjj.top
  rules:
  - matches:
    - path:
        type: PathPrefix
        value: /
    backendRefs:
    - name: vmagent-vmagent    # Service in the route's own namespace (monitoring)
      port: 8429
```
# 👉 grafana
Same manifest; only the hostname (and the backendRefs, which point at the Grafana Service) change:
```yaml
hostnames:
- grafana.zzppjj.top
```
# 👉 victorialogs
```yaml
hostnames:
- logs.zzppjj.top
```
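The listener and the three HTTPRoutes above decide where a request goes in two steps: the listener's wildcard hostname accepts or rejects the host, then the route whose hostname and PathPrefix match picks the backend. The following is an added example, not code from the original page, that models those two steps in Python. The hostnames, IP and `vmagent-vmagent:8429` backend are the page's; the `grafana:3000` and `victoria-logs:9428` backends and all function names are assumptions. It also shows a mismatch worth knowing before the TLS section: a Gateway API wildcard such as `*.zzppjj.top` matches one or more labels, while a certificate issued for `*.zzppjj.top` covers exactly one label, so a host like `a.b.zzppjj.top` would be routed but fail certificate verification.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

LISTENER_HOSTNAME = "*.zzppjj.top"   # the Gateway listener on the page
CERT_SAN = "*.zzppjj.top"            # CN/SAN of the wildcard certificate


@dataclass
class Route:
    name: str
    hostnames: List[str]
    path_prefix: str
    backend: str  # "service:port" in the route's namespace


# The page's three HTTPRoutes; grafana and logs backends are assumed names
ROUTES = [
    Route("vmagent-route", ["vmagent.zzppjj.top"], "/", "vmagent-vmagent:8429"),
    Route("grafana-route", ["grafana.zzppjj.top"], "/", "grafana:3000"),
    Route("logs-route", ["logs.zzppjj.top"], "/", "victoria-logs:9428"),
]


def _host_only(host: str) -> str:
    # drop an explicit port and normalise case
    return host.split(":", 1)[0].lower()


def gateway_api_host_match(pattern: str, host: str) -> bool:
    """Gateway API rule: '*.zzppjj.top' covers one OR MORE labels, never the apex."""
    host = _host_only(host)
    if pattern.startswith("*."):
        return host.endswith(pattern[1:])  # ".zzppjj.top" suffix
    return host == pattern.lower()


def cert_wildcard_match(san: str, host: str) -> bool:
    """Certificate rule (RFC 6125 style): '*' stands for exactly ONE label."""
    host = _host_only(host)
    if san.startswith("*."):
        suffix = san[1:]
        if not host.endswith(suffix):
            return False
        left = host[: -len(suffix)]
        return bool(left) and "." not in left
    return host == san.lower()


def path_prefix_match(prefix: str, path: str) -> bool:
    """PathPrefix matches on segment boundaries: /foo matches /foo/bar, not /foobar."""
    if prefix == "/":
        return True
    prefix = prefix.rstrip("/")
    return path == prefix or path.startswith(prefix + "/")


def resolve(host: str, path: str) -> Optional[Tuple[str, str]]:
    """Listener hostname -> route hostnames -> longest matching PathPrefix."""
    if not gateway_api_host_match(LISTENER_HOSTNAME, host):
        return None  # the listener does not accept this host at all
    best = None
    for r in ROUTES:
        if not any(gateway_api_host_match(h, host) for h in r.hostnames):
            continue
        if path_prefix_match(r.path_prefix, path):
            if best is None or len(r.path_prefix) > len(best.path_prefix):
                best = r
    return (best.name, best.backend) if best else None


def tls_mismatch_hosts(hosts: List[str]) -> List[str]:
    """Hosts the listener would accept but the wildcard certificate does not cover."""
    return [h for h in hosts
            if gateway_api_host_match(LISTENER_HOSTNAME, h)
            and not cert_wildcard_match(CERT_SAN, h)]


if __name__ == "__main__":
    print(resolve("vmagent.zzppjj.top", "/api/v1/write"))
    print(tls_mismatch_hosts(["vmagent.zzppjj.top", "a.b.zzppjj.top", "zzppjj.top"]))
```

Because every route on the page uses an exact hostname, a request for `a.b.zzppjj.top` passes the listener but matches no route; keeping route hostnames exact is what makes the wildcard listener safe to combine with a single-label wildcard certificate.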
# Unified TLS (core)
# 🎯 Goal
Every access becomes:
```text
https://*.zzppjj.top
```
# 🔐 Step 1: create one unified TLS certificate (self-signed or CA-issued)
# ✔ Option A (recommended for production): CA-issued certificate
If you have an enterprise CA, have it sign the certificate directly:
# ✔ Option B (testing / intranet): self-signed certificate
```shell
# Self-signed wildcard certificate. The SAN extension is added explicitly because
# modern clients ignore the CN and reject certificates without a SAN.
openssl req -x509 -nodes -days 365 \
  -newkey rsa:2048 \
  -keyout tls.key \
  -out tls.crt \
  -subj "/CN=*.zzppjj.top" \
  -addext "subjectAltName=DNS:*.zzppjj.top"
```
# Create the Secret
```shell
# The Secret must live in the Gateway's namespace (istio-system) for the certificateRef to resolve
kubectl create -n istio-system secret tls wildcard-zzppjj-tls \
  --key=tls.key \
  --cert=tls.crt
```
# 🧱 Step 2: upgrade the Gateway (HTTP → HTTPS)
👉 Replace your istio-unified-gateway
```yaml
apiVersion: gateway.networking.k8s.io/v1
kind: Gateway
metadata:
  name: istio-unified-gateway
  namespace: istio-system
spec:
  gatewayClassName: istio
  listeners:
  # HTTP (only used for the redirect to HTTPS)
  - name: http
    port: 80
    protocol: HTTP
    hostname: "*.zzppjj.top"
    allowedRoutes:
      namespaces:
        from: All
  # HTTPS (core)
  - name: https
    port: 443
    protocol: HTTPS
    hostname: "*.zzppjj.top"
    tls:
      mode: Terminate                 # TLS ends at the gateway; backends are reached in plaintext or via mesh mTLS
      certificateRefs:
      - name: wildcard-zzppjj-tls     # the Secret created in Step 1, same namespace as the Gateway
        kind: Secret
    allowedRoutes:
      namespaces:
        from: All
```
# Apply
```shell
kubectl apply -f gateway.yaml
```
# 🌐 Step 3: redirect HTTP to HTTPS automatically (recommended)
Create a global redirect HTTPRoute:
```yaml
apiVersion: gateway.networking.k8s.io/v1
kind: HTTPRoute
metadata:
  name: redirect-to-https
  namespace: istio-system
spec:
  parentRefs:
  - name: istio-unified-gateway
    sectionName: http        # attach to the HTTP listener only: without sectionName the route
                             # also binds to the HTTPS listener and redirects HTTPS requests to themselves
  hostnames:
  - "*.zzppjj.top"
  rules:
  - matches:
    - path:
        type: PathPrefix
        value: /
    filters:
    - type: RequestRedirect
      requestRedirect:
        scheme: https
        statusCode: 301
```
# 📦 Step 4: application routes (unchanged, only attached to the TLS listener)
# vmagent
```yaml
apiVersion: gateway.networking.k8s.io/v1
kind: HTTPRoute
metadata:
  name: vmagent-route
  namespace: monitoring
spec:
  parentRefs:
  - name: istio-unified-gateway
    namespace: istio-system
    sectionName: https       # was "http"; HTTP traffic is now handled by the redirect route
  hostnames:
  - vmagent.zzppjj.top
  rules:
  - matches:
    - path:
        type: PathPrefix
        value: /
    backendRefs:
    - name: vmagent-vmagent
      port: 8429
```
# grafana / logs work the same way
Only this line changes:
```yaml
sectionName: https
```
# 🔒 Step 5: TLS hardening (required in production)
# 🔐 Enforce a minimum TLS version
```yaml
# minProtocolVersion is a field of Istio's own networking.istio.io Gateway "tls" block;
# a gateway.networking.k8s.io listener has no such field. With the Gateway API the
# equivalent is the mesh-wide setting meshConfig.tlsDefaults.minProtocolVersion.
tls:
  mode: Terminate
  minProtocolVersion: TLSV1_2
```
# 🔐 Reject weak ciphers (Envoy layer)
Istio's defaults are already sound, but confirm what the gateway actually loaded (add `-o json` to see the full TLS context, cipher suites included):
```shell
istioctl proxy-config listeners -n istio-system deploy/istio-ingressgateway
```
# 🧠 Step 6: unified security policy (SRE level)
# 🔥 ① Rate limiting (keep vmagent from being overwhelmed)
```yaml
# Skeleton only: an EnvoyFilter inserting a rate-limit HTTP filter on the gateway.
# The "value" with the filter's typed_config is missing here; without it the patch inserts nothing.
apiVersion: networking.istio.io/v1alpha3   # EnvoyFilter exists only in v1alpha3, not v1beta1
kind: EnvoyFilter
metadata:
  name: rate-limit
  namespace: istio-system
spec:
  configPatches:
  - applyTo: HTTP_FILTER
    match:
      context: GATEWAY
    patch:
      operation: INSERT_BEFORE
```
(A complete rate-limit template is not included here.)
# 🔥 ② mTLS (inside the cluster)
```yaml
# A PeerAuthentication named "default" in the root namespace (istio-system) applies mesh-wide
apiVersion: security.istio.io/v1
kind: PeerAuthentication
metadata:
  name: default
  namespace: istio-system
spec:
  mtls:
    mode: STRICT      # sidecars accept only mTLS; plaintext from workloads without a sidecar is rejected
```
# 📊 Step 7: observability (SRE core)
# ① Enable the access log
```yaml
# Set under meshConfig (for example in the IstioOperator used to install Istio)
meshConfig:
  accessLogFile: /dev/stdout
```
# ② Grafana + Prometheus
You already have Grafana, so wire these into it:
- ingress metrics
- vmagent targets
- envoy metrics
# ③ Inspect the Gateway's routes
```shell
istioctl proxy-config routes -n istio-system deploy/istio-ingressgateway
```
# 🧪 Step 8: verification (mandatory)
# ① HTTPS test
```shell
# -k skips certificate verification, which a self-signed certificate requires
curl -k https://vmagent.zzppjj.top
```
# ② HTTP redirect
```shell
curl -I http://vmagent.zzppjj.top
```
Expected:
```text
301 → https://vmagent.zzppjj.top
```
# ③ Route check
```shell
kubectl get httproute -A
```
# 🧠 Target architecture (internet-company standard)
```text
🌐 DNS
*.zzppjj.top → 192.168.51.100
                |
      🔐 Istio Gateway (TLS)
                |
┌───────────────┼────────────────┐
│               │                │
🚦 canary routing  🧭 normal routing  🧨 rate limiting / circuit breaking
(header / weight)  (HTTPRoute)        (EnvoyFilter)
│               │                │
grafana       vmagent           logs
```
# 🚀 Part 1: canary (gray) release
# 🎯 Goal
For one service:
- 90% → stable
- 10% → canary
# 📦 1. One Service per version (key)
A weighted split needs two distinct backends. The unsplit Service `vmagent-vmagent` (selector `app: vmagent` only) matches Pods of both versions, so two backendRefs to it cannot split anything; the version label has to be part of the selector:
```yaml
apiVersion: v1
kind: Service
metadata:
  name: vmagent-stable       # vmagent-canary is identical except for "version: canary"
  namespace: monitoring
spec:
  selector:
    app: vmagent
    version: stable          # the version label makes this Service see one version only
  ports:
  - port: 8429
```
Define `vmagent-canary` the same way with `version: canary`.
👉 Label the Pods:
```shell
kubectl label pod vmagent-xxx version=stable
kubectl label pod vmagent-yyy version=canary
```
Labels set directly on Pods are lost when the Pods are recreated; for anything beyond a quick test, put `version` in the Pod template of one Deployment per version.
# 📦 2. Canary HTTPRoute (weighted split)
```yaml
apiVersion: gateway.networking.k8s.io/v1
kind: HTTPRoute
metadata:
  name: vmagent-gray-route
  namespace: monitoring
spec:
  parentRefs:
  - name: istio-unified-gateway
    namespace: istio-system
    sectionName: https
  hostnames:
  - vmagent.zzppjj.top
  rules:
  # 🎯 Requests carrying x-canary: true always reach the canary
  #    (a rule with a header match takes precedence over a rule without one)
  - matches:
    - headers:
      - name: x-canary
        value: "true"
    backendRefs:
    - name: vmagent-canary
      port: 8429
  # 🎯 Everything else: 90% stable / 10% canary. The two refs must name
  #    different Services; two refs to the same Service make the weights meaningless.
  - backendRefs:
    - name: vmagent-stable
      port: 8429
      weight: 90
    - name: vmagent-canary
      port: 8429
      weight: 10
```
This route takes over `vmagent.zzppjj.top` from `vmagent-route`; if both exist with the same hostname and path match, the older route wins, so delete or merge `vmagent-route`.
# 🧪 Test the canary
```shell
# Under HTTPS the Host header does not set SNI; --resolve pins the hostname to the gateway IP instead
curl -k --resolve vmagent.zzppjj.top:443:192.168.51.100 \
  -H "x-canary: true" \
  https://vmagent.zzppjj.top
```
# 🚀 Part 2: header-based routing (precise release)
# 🎯 Used for:
- internal users
- test users
- VIP users
```yaml
# A rule inside the HTTPRoute above: only requests with "user-type: beta" take this backend
rules:
- matches:
  - headers:
    - name: user-type
      value: "beta"
  backendRefs:
  - name: vmagent-vmagent
    port: 8429
```
The header is supplied by the client, so it is a routing hint, not an access control; anything the beta backend exposes still needs its own authorization.
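The canary route in Part 1 and the header rule in Part 2 rely on two behaviours of HTTPRoute rules: among matching rules the one with more header matches wins, and within a rule the backendRefs weights decide the split. The following added example (not code from the original page) models both in Python; `vmagent-stable` and `vmagent-canary` are the assumed per-version Services, and `effective_split` shows why two refs to one Service cannot split traffic.

```python
import random
from typing import Dict, List, Optional, Tuple

Backend = Tuple[str, int]  # (service name, weight)

# The two rules of the canary HTTPRoute, as data; Service names are assumptions
CANARY_RULES = [
    {"headers": {"x-canary": "true"}, "backends": [("vmagent-canary", 100)]},
    {"headers": {}, "backends": [("vmagent-stable", 90), ("vmagent-canary", 10)]},
]


def select_rule(rules: List[dict], request_headers: Dict[str, str]) -> Optional[dict]:
    """Gateway API precedence: more header matches win; earlier rule wins ties."""
    hdrs = {k.lower(): v for k, v in request_headers.items()}
    best = None
    for idx, rule in enumerate(rules):
        # header matches are exact-value matches, names are case-insensitive
        if all(hdrs.get(k.lower()) == v for k, v in rule["headers"].items()):
            key = (len(rule["headers"]), -idx)
            if best is None or key > best[0]:
                best = (key, rule)
    return best[1] if best else None


def pick_backend(backends: List[Backend], r: float) -> str:
    """Weighted choice; r is a uniform sample in [0, 1). A weight of 0 gets nothing."""
    total = sum(w for _, w in backends)
    threshold = r * total
    acc = 0
    for name, w in backends:
        acc += w
        if threshold < acc:
            return name
    return backends[-1][0]


def route(request_headers: Dict[str, str], r: float) -> Optional[str]:
    rule = select_rule(CANARY_RULES, request_headers)
    return pick_backend(rule["backends"], r) if rule else None


def simulate(n: int = 10000, seed: int = 7, headers: Optional[Dict[str, str]] = None) -> Dict[str, int]:
    """Send n synthetic requests and count which Service each one reached."""
    rng = random.Random(seed)
    counts: Dict[str, int] = {}
    for _ in range(n):
        b = route(headers or {}, rng.random())
        counts[b] = counts.get(b, 0) + 1
    return counts


def effective_split(backends: List[Backend]) -> Dict[str, int]:
    """Percent of traffic per Service, merging refs that name the same Service."""
    total = sum(w for _, w in backends)
    out: Dict[str, int] = {}
    for name, w in backends:
        out[name] = out.get(name, 0) + round(100 * w / total)
    return out


if __name__ == "__main__":
    print(simulate())
    print(simulate(headers={"x-canary": "true"}))
    # two refs to the same Service: 100% to one Service, no canary at all
    print(effective_split([("vmagent-vmagent", 10), ("vmagent-vmagent", 90)]))
```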
# 🚀 Part 3: rate limiting (SRE core)
# 🧨 1. Envoy global rate limiting (per IP)
```yaml
# Skeleton: envoy.filters.http.ratelimit is Envoy's global rate-limit filter and needs a
# typed_config naming a rate-limit service (RLS); that part is not shown on this page.
apiVersion: networking.istio.io/v1alpha3   # EnvoyFilter exists only in v1alpha3, not v1beta1
kind: EnvoyFilter
metadata:
  name: rate-limit
  namespace: istio-system
spec:
  configPatches:
  - applyTo: HTTP_FILTER
    match:
      context: GATEWAY
    patch:
      operation: INSERT_BEFORE
      value:
        name: envoy.filters.http.ratelimit
```
# 🧨 2. Limit vmagent (prevent overload)
Target: 100 QPS.
# 🚀 Part 4: circuit breaking (prevent cascading failure)
```yaml
apiVersion: networking.istio.io/v1beta1
kind: DestinationRule
metadata:
  name: vmagent-circuit-breaker
  namespace: monitoring
spec:
  host: vmagent-vmagent            # short name; resolves inside the monitoring namespace
  trafficPolicy:
    connectionPool:
      tcp:
        maxConnections: 100        # upstream connections to vmagent, per Envoy
      http:
        http1MaxPendingRequests: 100   # queued requests beyond this are rejected with 503
        maxRequestsPerConnection: 10   # recycle a connection after 10 requests
    outlierDetection:
      consecutive5xxErrors: 5      # eject an endpoint after 5 consecutive 5xx responses
      interval: 10s                # how often ejected endpoints are re-evaluated
      baseEjectionTime: 30s        # first ejection lasts 30s, the n-th lasts n × 30s
```
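What the `outlierDetection` block above actually does at runtime is easy to misjudge, so here is an added simulation (not code from the original page) of its three settings: an endpoint is ejected as soon as it returns `consecutive5xxErrors` 5xx responses in a row, it is returned to the pool at the next `interval` sweep after `baseEjectionTime` multiplied by its ejection count has elapsed, and the `maxEjectionPercent` default of 10% (Istio's default when the DestinationRule omits it) plus Envoy's "always allow at least one ejection" rule mean that with two vmagent replicas only one can be out at any time. The 300 s cap is Envoy's default `max_ejection_time`; endpoint addresses are constructed.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional

CONSECUTIVE_5XX = 5        # consecutive5xxErrors from the DestinationRule
INTERVAL_S = 10            # interval: 10s
BASE_EJECTION_S = 30       # baseEjectionTime: 30s
MAX_EJECTION_PERCENT = 10  # Istio default when the rule omits maxEjectionPercent
MAX_EJECTION_S = 300       # Envoy default max_ejection_time cap


@dataclass
class Endpoint:
    addr: str
    consecutive_5xx: int = 0
    ejections: int = 0
    ejected_at: Optional[int] = None  # simulation time of the current ejection


def can_eject(pool: List[Endpoint]) -> bool:
    """Envoy always permits one ejection, then enforces maxEjectionPercent."""
    already = sum(1 for ep in pool if ep.ejected_at is not None)
    if already == 0:
        return True
    return (already + 1) * 100 / len(pool) <= MAX_EJECTION_PERCENT


def record_response(ep: Endpoint, status: int, now: int, pool: List[Endpoint]) -> None:
    """Consecutive-5xx checks happen on every response, not only at the sweep."""
    if ep.ejected_at is not None:
        return  # an ejected endpoint receives no traffic
    if 500 <= status <= 599:
        ep.consecutive_5xx += 1
        if ep.consecutive_5xx >= CONSECUTIVE_5XX:
            ep.consecutive_5xx = 0
            if can_eject(pool):
                ep.ejections += 1
                ep.ejected_at = now
    else:
        ep.consecutive_5xx = 0


def ejection_time(ep: Endpoint) -> int:
    return min(BASE_EJECTION_S * ep.ejections, MAX_EJECTION_S)


def sweep(pool: List[Endpoint], now: int) -> None:
    """Periodic sweep (every `interval`): return endpoints whose ejection has expired."""
    for ep in pool:
        if ep.ejected_at is not None and now - ep.ejected_at >= ejection_time(ep):
            ep.ejected_at = None


def run_scenario() -> Dict[str, object]:
    """Two vmagent replicas; replica a fails twice, replica b fails while a is out."""
    a, b = Endpoint("10.244.1.10:8429"), Endpoint("10.244.1.11:8429")  # constructed
    pool = [a, b]
    now = 0
    result: Dict[str, object] = {}

    def fail_burst(ep: Endpoint) -> None:
        nonlocal now
        for _ in range(CONSECUTIVE_5XX):
            record_response(ep, 503, now, pool)
            now += 1

    def wait_for_return(ep: Endpoint) -> int:
        nonlocal now
        while ep.ejected_at is not None:
            now += INTERVAL_S
            sweep(pool, now)
        return now

    fail_burst(a)
    result["first_ejection_at"] = a.ejected_at
    fail_burst(b)  # 10% of 2 replicas: b cannot be ejected while a is out
    result["b_ejected_while_a_out"] = b.ejected_at is not None
    result["first_return_at"] = wait_for_return(a)
    fail_burst(a)  # second ejection lasts 2 × baseEjectionTime
    result["second_ejection_at"] = a.ejected_at
    result["second_ejection_seconds"] = ejection_time(a)
    result["second_return_at"] = wait_for_return(a)
    return result


if __name__ == "__main__":
    print(run_scenario())
```

The practical reading: with `interval: 10s` an endpoint is back at the first sweep after its ejection expires, not at the exact second, and repeated failures lengthen each ejection, so a flapping replica spends progressively more time out of rotation.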
# 🚀 Part 5: distributed tracing (SRE core)
# 🎯 Enable Jaeger
```shell
kubectl get svc -n observability
```
# 📦 Add tracing to the Gateway
Istio supports it out of the box; just confirm this is set:
```yaml
meshConfig:
  enableTracing: true
```
# 🚀 Part 6: mTLS (zero-trust security)
```yaml
# Namespace-scoped policy: applies to every workload in "monitoring"
apiVersion: security.istio.io/v1
kind: PeerAuthentication
metadata:
  name: default
  namespace: monitoring
spec:
  mtls:
    mode: STRICT
```
# 🚀 Part 7: Authorization (access control)
# 🎯 Allow only intranet access to vmagent
```yaml
apiVersion: security.istio.io/v1
kind: AuthorizationPolicy
metadata:
  name: vmagent-auth
  namespace: monitoring
spec:
  selector:
    matchLabels:
      app: vmagent            # enforced by the vmagent sidecar; action defaults to ALLOW
  rules:
  - from:
    - source:
        # ipBlocks is compared with the IP of the connection reaching this sidecar.
        # For requests that arrived via the ingress gateway that is the gateway Pod's IP,
        # not the end user's; to filter on the real client IP, put the policy on the
        # gateway and use remoteIpBlocks (requires numTrustedProxies to be configured).
        ipBlocks: ["192.168.0.0/16"]
```
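To make the `ipBlocks` caveat above concrete, the following added example (not code from the original page) evaluates an ALLOW AuthorizationPolicy the way the enforcing Envoy does: `ipBlocks` is checked against the address of the TCP peer, `remoteIpBlocks` against the client address Envoy derives from `X-Forwarded-For` once `numTrustedProxies` tells it how many hops to trust. The policy data and the `192.168.0.0/16` block are the page's; `GATEWAY_POLICY`, the Pod IPs in `10.244.0.0/16` and the function names are assumptions, and `client_ip_from_xff` is a simplified model of Envoy's trusted-hop handling.

```python
import ipaddress
from typing import Iterable, Optional

# The page's vmagent-auth policy on the vmagent sidecar, expressed as data
SIDECAR_POLICY = {
    "action": "ALLOW",
    "rules": [{"from": [{"source": {"ipBlocks": ["192.168.0.0/16"]}}]}],
}

# Assumed alternative: the same intent applied on the ingress gateway via remoteIpBlocks
GATEWAY_POLICY = {
    "action": "ALLOW",
    "rules": [{"from": [{"source": {"remoteIpBlocks": ["192.168.0.0/16"]}}]}],
}


def in_blocks(ip: str, blocks: Iterable[str]) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(b, strict=False) for b in blocks)


def source_matches(source: dict, conn_ip: str, remote_ip: Optional[str]) -> bool:
    """ipBlocks -> TCP peer address; remoteIpBlocks -> derived original client address."""
    if "ipBlocks" in source and not in_blocks(conn_ip, source["ipBlocks"]):
        return False
    if "remoteIpBlocks" in source:
        if remote_ip is None or not in_blocks(remote_ip, source["remoteIpBlocks"]):
            return False
    return True


def rule_matches(rule: dict, conn_ip: str, remote_ip: Optional[str]) -> bool:
    froms = rule.get("from", [])
    return not froms or any(source_matches(f["source"], conn_ip, remote_ip) for f in froms)


def allowed(policy: dict, conn_ip: str, remote_ip: Optional[str] = None) -> bool:
    """ALLOW: request passes only if some rule matches; DENY: passes only if none does."""
    hit = any(rule_matches(r, conn_ip, remote_ip) for r in policy["rules"])
    return hit if policy["action"] == "ALLOW" else not hit


def client_ip_from_xff(xff: str, num_trusted_proxies: int, conn_ip: str) -> str:
    """Simplified Envoy model: take the N-th address from the right of X-Forwarded-For,
    N = numTrustedProxies; with N = 0 (or too few entries) the connection address is used,
    so a client-supplied header cannot spoof an intranet address."""
    hops = [h.strip() for h in xff.split(",") if h.strip()]
    if num_trusted_proxies <= 0 or num_trusted_proxies > len(hops):
        return conn_ip
    return hops[-num_trusted_proxies]


if __name__ == "__main__":
    # a user on the intranet hitting vmagent through the gateway: the sidecar sees the gateway Pod IP
    print(allowed(SIDECAR_POLICY, "10.244.1.7"))          # False
    # the same user evaluated on the gateway with remoteIpBlocks
    print(allowed(GATEWAY_POLICY, "192.168.51.3",
                  client_ip_from_xff("", 0, "192.168.51.3")))  # True
```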
# 🚀 Part 8: observability (the SRE trio)
# 📊 1. Metrics
- Prometheus
- vmagent scrape
- Envoy metrics
# 📊 2. Logs
```shell
kubectl logs -n istio-system deploy/istio-ingressgateway
```
# 📊 3. Tracing
- Jaeger
- traceId injected automatically
# 🚀 Part 9: protection against cascading failure (internet scale)
# 🔥 1. Connection-pool control
(the `connectionPool` block of the DestinationRule in Part 4)
# 🔥 2. Timeout control
```yaml
# Istio VirtualService HTTP route field (networking.istio.io); a Gateway API HTTPRoute
# expresses the same as timeouts.request
timeout: 3s
```
# 🔥 3. Retries
```yaml
# Istio VirtualService HTTP route field; each attempt is bounded by perTryTimeout
retries:
  attempts: 3
  perTryTimeout: 1s
```
# 🚀 Part 10: final production-grade architecture
```text
DNS
*.zzppjj.top → 192.168.51.100
             |
     Istio Gateway (TLS)
             |
┌────────────┼────────────┐
│            │            │
canary       normal       rate limiting /
routing      routing      circuit breaking
│            │            │
header /     HTTPRoute    EnvoyFilter
weight       │
             │
        service layer
             │
  vmagent / grafana / logs
             │
  metrics + logs + tracing
```
# 🧠 The level you have now reached
| Capability | Status |
|---|---|
| Gateway API | ✔ |
| Unified entry point | ✔ |
| TLS | ✔ |
| Canary release | ✔ |
| Rate limiting & circuit breaking | ✔ |
| mTLS | ✔ |
| Observability | ✔ |
| SRE architecture | ⭐ Internet scale |
Last updated: 2026/06/15, 01:53:28