Istio

regex in URI for proxy passing

泪湿孤枕 submitted on 2019-12-11 04:48:48
Question: I have the following config in my nginx: location / { if ($request_uri ~* ^/checkout/(dev-dist|dist|images|js|libs|resources|angular4-hybrid|bundle.js)) { proxy_pass http://static-qa-uscentral1.company.com/hybrid/live$request_uri; break; } } I am trying to replicate this in istio's virtual service. I have written the following virtual service to match this regex: apiVersion: networking.istio.io/v1alpha3 kind: VirtualService metadata: name: routes-static namespace: mui-relqa spec: gateways: - my

istio-pilot on minikube is always in pending state

左心房为你撑大大i submitted on 2019-12-11 01:58:56
Question: istio-pilot pod on minikube kubernetes cluster is always in Pending state. Increased CPU=4 and memory=8GB. Still the status of istio-pilot pod is Pending. Is a specific change required to run istio on minikube other than the ones mentioned in the documentation? Answer 1: Resolved the issue. I'm running minikube with VirtualBox, and running minikube with higher memory and CPU does not reflect until minikube is deleted and started with new parameters. Without this it was resulting in Insufficient memory.

Istio Origin Authentication Using JWT does not work

余生颓废 submitted on 2019-12-11 00:39:23
Question: I've been applying Authentication Policy to my testing service using JWT. I have followed this guide and it did work as expected. But when I tried using a different pod image, it did not work even though almost everything is the same. Is anyone facing this issue, or does anyone know the reason why it did not work in my case? Thank you very much! These are my configuration files: Deployment apiVersion: extensions/v1beta1 kind: Deployment metadata: name: hostname spec: replicas: 1 selector:

How can I use custom client certificate for external service with istio?

自作多情 submitted on 2019-12-09 03:25:08
Question: I need to set up mutual TLS communication from a kubernetes pod to an external service. My system is running with istio system. I found a reference about this: https://istio.io/docs/reference/config/networking/v1alpha3/destination-rule/#TLSSettings apiVersion: networking.istio.io/v1alpha3 kind: DestinationRule metadata: name: external-mtls spec: host: *.external.com trafficPolicy: tls: mode: MUTUAL clientCertificate: /etc/certs/myclientcert.pem privateKey: /etc/certs/client_private_key.pem

Internal service requests in Istio

余生长醉 submitted on 2019-12-08 11:14:43
Question: I have managed to get going with Istio. I've been testing a lot of the fundamentals and have a basic cluster working nicely with HTTP and gRPC. I have a Service, however, that needs to make an internal request to another service that isn't externally exposed. So take this example: request comes in from an Istio gateway as HTTP; my custom grpc-gateway handler proxies the request to a gRPC service; the gateway responds to the user via HTTP. I have a Gateway and a VirtualService declared: apiVersion:

Not able to connect to HTTPS service using ISTIO Gateway and Virtual Service

风流意气都作罢 submitted on 2019-12-08 04:02:19
Question: As I am new to istio, along with all my team members, we would really appreciate it if we could get some help here. Problem: I have followed the below documentation to create certs and create secrets in k8s using the application cert and key: https://istio.io/docs/tasks/traffic-management/secure-ingress/#troubleshooting After that I restarted my istio-ingressgateway pod so that it loads the certs. Which anyway I can see inside the pod when I exec. And I have added below annotation in istio

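Knative: An Open-Source Serverless Architecture Solution

倾然丶 夕夏残阳落幕 submitted on 2019-12-07 15:39:45
Knative (pronounced kay-nay-tiv) is a serverless architecture solution open-sourced by Google. It extends Kubernetes and provides a set of middleware that improves the ability to build modern, source-centric, container-based applications that can run on-premises, in the cloud, and in third-party data centers. Knative resources: source code, https://github.com/knative; documentation, https://github.com/knative/docs; tutorial, "Getting Started with Knative (Chinese edition)". Other serverless solutions and references: Spring Cloud Function - a function computing framework based on Spring Boot; Kubeless - a Kubernetes-native serverless framework; VMware-Dispatch - an open-source serverless framework; Fn project - a container-native serverless platform; OpenFaaS - a framework for building serverless functions; Serverless - serverless architecture. 1. Knative architecture overview. The following components are currently provided: Build - source-to-container build orchestration; Eventing - event management and delivery; Serving - request-driven compute. Knative focuses on the problems of building, deploying, and running container-centric serverless applications; it is built on top of the Kubernetes and Istio platforms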

Istio to allow all egress traffic

痴心易碎 submitted on 2019-12-07 06:47:16
Question: How do you allow all outbound traffic with Istio? I tried the following: Disable the egress gateway and bypass the sidecar with --set global.proxy.includeIPRanges="0.0.0.0/0\,0.0.0.0/0" None of the options work. It's worth mentioning that I'm using kubernetes 1.11.2. Answer 1: I assume you followed this; that's pretty much the way to do it. Make sure that you update the istio-sidecar-injector ConfigMap on your namespace and restart your pods. Answer 2: Doing global.proxy.includeIPRanges: "0.0.0.0" won't work

Istio manual sidecar injection gives an error

拟墨画扇 submitted on 2019-12-06 14:54:31
I am trying to manually inject the istio sidecar into an existing deployment according to the instructions here: https://istio.io/docs/setup/kubernetes/additional-setup/sidecar-injection I am getting the following error, however: $ istioctl kube-inject -f k8s/prod/deployment.yaml Error: missing configuration map key "values" in "istio-sidecar-injector" This error occurs to me even when I try different kinds with different yaml files. Is this a bug or am I doing something wrong? How can I add "values" to the configuration map? Check the version of your istioctl binary (istioctl version) versus

Not able to connect to HTTPS service using ISTIO Gateway and Virtual Service

蓝咒 submitted on 2019-12-06 14:35:43
As I am new to istio, along with all my team members, we would really appreciate it if we could get some help here. Problem: I have followed the below documentation to create certs and create secrets in k8s using the application cert and key: https://istio.io/docs/tasks/traffic-management/secure-ingress/#troubleshooting After that I restarted my istio-ingressgateway pod so that it loads the certs. Which anyway I can see inside the pod when I exec. And I have added below annotation in istio-ingressgateway service to use domain names: *external-dns.alpha.kubernetes.io/hostname: .byom-i344382.xxx.xxx