Equivalents of Nginx Ingress Annotations on the Istio Ingress Gateway
I am currently migrating an IT environment from the Nginx Ingress Gateway to the Istio Ingress Gateway on Kubernetes.
I need to migrate the following Nginx annotations:
nginx.ingress.kubernetes.io/proxy-buffer-size
nginx.ingress.kubernetes.io/proxy-read-timeout
nginx.ingress.kubernetes.io/proxy-send-timeout
nginx.ingress.kubernetes.io/proxy-body-size
nginx.ingress.kubernetes.io/upstream-vhost
For Nginx, the annotations are documented here: https://kubernetes.github.io/ingress-nginx/user-guide/nginx-configuration/annotations/
I did not find anything in the Istio documentation about how these Nginx annotations can be used with the Istio Ingress Gateway.
Does anyone know how to implement the above annotations on the Istio Ingress Gateway?
Equivalents of the Nginx ingress annotations can be implemented in Istio with an Envoy Filter, more specifically with the HTTP Lua filter.
Example of an Envoy filter with an HTTP Lua filter:
apiVersion: networking.istio.io/v1alpha3
kind: EnvoyFilter
metadata:
  name: reviews-lua
  namespace: bookinfo
spec:
  workloadSelector:
    labels:
      app: reviews
  configPatches:
  # The first patch adds the lua filter to the listener/http connection manager
  - applyTo: HTTP_FILTER
    match:
      context: SIDECAR_INBOUND
      listener:
        portNumber: 8080
        filterChain:
          filter:
            name: "envoy.http_connection_manager"
            subFilter:
              name: "envoy.router"
    patch:
      operation: INSERT_BEFORE
      value: # lua filter specification
        name: envoy.lua
        config:
          inlineCode: |
            function envoy_on_request(request_handle)
              -- Make an HTTP call to an upstream host with the following headers, body, and timeout.
              local headers, body = request_handle:httpCall(
                "lua_cluster",
                {
                  [":method"] = "POST",
                  [":path"] = "/acl",
                  [":authority"] = "internal.org.net"
                },
                "authorize call",
                5000)
            end
  # The second patch adds the cluster that is referenced by the lua code
  # cds match is omitted as a new cluster is being added
  - applyTo: CLUSTER
    match:
      context: SIDECAR_OUTBOUND
    patch:
      operation: ADD
      value: # cluster specification
        name: "lua_cluster"
        type: STRICT_DNS
        connect_timeout: 0.5s
        lb_policy: ROUND_ROBIN
        hosts:
        - socket_address:
            protocol: TCP
            address: "internal.org.net"
            port_value: 8888
For example, nginx.ingress.kubernetes.io/proxy-body-size can be implemented with size = buffer:length().
nginx.ingress.kubernetes.io/proxy-read-timeout and nginx.ingress.kubernetes.io/proxy-send-timeout are custom timeouts and can be implemented with httpCall(5000).
The full list of methods can be found here.
Hope this helps.
Update:
After re-reading the nginx annotations, it looks like getBytes() is a better fit for nginx.ingress.kubernetes.io/proxy-buffer-size than buffer:length().
getBytes()
buffer:getBytes(index, length)
Get bytes from the buffer. By default Envoy will not copy all buffer bytes to Lua. This will cause a buffer segment to be copied. index is an integer and supplies the buffer start index to copy. length is an integer and supplies the buffer length to copy. index + length must be less than the buffer length.
So buffer:getBytes(0, 8000) should load 8k bytes from the buffer, similar to nginx.ingress.kubernetes.io/proxy-buffer-size: "8k".
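One way to get a hard request-body limit at the gateway, comparable to what nginx.ingress.kubernetes.io/proxy-body-size enforces, is a Lua filter that rejects an oversize request from its Content-Length header before any filter buffers the body. This is an added example, not code from the answer above or from the Istio project; the filter name gateway-body-limit, the istio-system namespace, the istio: ingressgateway label, the GATEWAY context and the 8 MiB limit are assumptions, and the filter and config key names follow the older Envoy API used by the answer above.

```yaml
apiVersion: networking.istio.io/v1alpha3
kind: EnvoyFilter
metadata:
  name: gateway-body-limit    # assumed name
  namespace: istio-system     # assumed: namespace of the ingress gateway
spec:
  workloadSelector:
    labels:
      istio: ingressgateway   # assumed: label of the default Istio ingress gateway
  configPatches:
  - applyTo: HTTP_FILTER
    match:
      context: GATEWAY        # gateway listeners only, not sidecars
      listener:
        filterChain:
          filter:
            name: "envoy.http_connection_manager"
            subFilter:
              name: "envoy.router"
    patch:
      operation: INSERT_BEFORE
      value:
        name: envoy.lua
        config:
          inlineCode: |
            -- Assumed limit, the equivalent of proxy-body-size: "8m".
            local MAX_BODY_BYTES = 8 * 1024 * 1024

            function envoy_on_request(request_handle)
              local headers = request_handle:headers()
              local content_length = headers:get("content-length")
              -- Decide on the declared length before the body is read, so an
              -- oversize request is refused without buffering it in the proxy.
              if content_length ~= nil then
                local declared = tonumber(content_length)
                -- A non-numeric Content-Length is rejected as well.
                if declared == nil or declared > MAX_BODY_BYTES then
                  request_handle:respond(
                    {[":status"] = "413", ["content-type"] = "text/plain"},
                    "request entity too large\n")
                  return
                end
              end
              -- Requests without Content-Length (chunked transfer encoding)
              -- are not checked here and are streamed through unchanged.
            end
```

Apply it with kubectl apply -f and send a request whose Content-Length exceeds the limit: the gateway answers 413 itself and the request is never forwarded to the upstream, which is the behaviour the Nginx annotation gives. Checking the header instead of calling body():length() matters because body() makes the Lua filter buffer the whole request, which is exactly the memory exposure the out-of-memory remark in the 413 answer on this page warns about.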
I think I found how to set nginx.ingress.kubernetes.io/proxy-body-size in Istio.
apiVersion: networking.istio.io/v1alpha3
kind: EnvoyFilter
metadata:
  name: reviews-lua
  namespace: bookinfo
spec:
  workloadSelector:
    labels:
      app: reviews
  configPatches:
  # The first patch adds the lua filter to the listener/http connection manager
  - applyTo: HTTP_FILTER
    match:
      context: SIDECAR_INBOUND
      listener:
        portNumber: 8080
        filterChain:
          filter:
            name: "envoy.http_connection_manager"
            subFilter:
              name: "envoy.router"
    patch:
      operation: INSERT_BEFORE
      value: # lua filter specification
        name: envoy.lua
        config:
          inlineCode: |
            function envoy_on_request(request_handle)
              -- Buffers the request body and records its size in a request header.
              request_handle:headers():add("request_body_size", request_handle:body():length())
            end
And TLS ciphers:
apiVersion: networking.istio.io/v1alpha3
kind: Gateway
metadata:
  name: my-tls-ingress
spec:
  selector:
    app: my-tls-ingress-gateway
  servers:
  - port:
      number: 443
      name: https
      protocol: HTTPS
    hosts:
    - "*"
    tls:
      mode: SIMPLE
      serverCertificate: /etc/certs/server.pem
      privateKey: /etc/certs/privatekey.pem
      cipherSuites: ["<tls-ciphers>"]  # list of cipher suite names
If you get 413 Request Entity Too Large as the response, the main problem in that case is that one of the Envoy filters in the chain is buffering.
You will find the related discussion here: https://github.com/envoyproxy/envoy/issues/2919
The initial buffer size on Envoy is set by these attributes:
http2_protocol_options:
  initial_stream_window_size: 65536 # 64 KiB
  initial_connection_window_size: 1048576 # 1 MiB
Source: https://www.bookstack.cn/read/envoyproxy-1.13/9a624d80e56eceef.md
You can override that buffer for a given workload (or globally), but you have to keep in mind that if you increase it too much there is a risk of an out-of-memory attack.
Example filter to reconfigure it:
apiVersion: networking.istio.io/v1alpha3
kind: EnvoyFilter
metadata:
  name: my-service
spec:
  workloadSelector:
    labels:
      app: my-service
  configPatches:
  - applyTo: NETWORK_FILTER
    match:
      listener:
        filterChain:
          filter:
            name: "envoy.http_connection_manager"
    patch:
      operation: MERGE
      value:
        typed_config:
          "@type": "type.googleapis.com/envoy.config.filter.network.http_connection_manager.v2.HttpConnectionManager"
          http2_protocol_options:
            initial_stream_window_size: 65536
            initial_connection_window_size: 10485760 # 10 MB
You will find more information about Envoy Filter in the Istio docs: https://istio.io/latest/docs/reference/config/networking/envoy-filter/
Other examples: https://github.com/istio/istio/wiki/EnvoyFilter-Samples