Istio

I want istio envoy proxy to translate http traffic to https

会有一股神秘感。 posted on 2021-02-11 14:50:19
Question: I'm using k8s with istio. I have an external api with an https endpoint (mutual tls), and I don't want every api request from a k8s pod to implement a mutual tls call, so it would be great if the istio envoy proxy could process mutual tls. Then the pod can call the api with http, and the request would be converted to an https mtls request by envoy.

    +---------------------------------+
    | (pod) ---http--> (envoy proxy) -|-https(mtls)--> external api
    +---------------------------------+

I managed to find a solution of

Want to specify rules in VirtualService file where two or more services have same rules

余生长醉 posted on 2021-02-11 14:01:32
问题 I have deployed eight services on Kubernetes with Istio sidecar injection. I want to set-up routing rules in VirtualService where three services have same rule. Rules:- - match: - headers: location: exact: pune uri: prefix: /wagholi route: - destination: host: wagholi port: number: 8080 uri: prefix: /yerwada route: - destination: host: yerwada port: number: 8080 uri: prefix: /hadapsar route: - destination: host: hadapsar port: number: 8080 - match: - headers: location: exact: mumbai uri:

istio somehow overriding default access logging format of envoy

為{幸葍}努か posted on 2021-02-11 08:28:09
Question: As is very well explained in this elaborate answer, you can customise istio's logging format in IstioOperator. In my case, IstioOperator (when it comes to access logging configuration) looks like this:

    meshConfig:
      accessLogEncoding: JSON
      accessLogFile: /dev/stdout

i.e. no accessLogFormat specified. However, in StackDriver, when seeing my istio-proxy logs, I see some fields NOT defined in the default format, e.g. here is a corresponding istio-proxy log entry response_code: "200" bytes

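Service Mesh Comparison: Istio vs. Linkerd

纵饮孤独 posted on 2021-02-11 05:39:28
According to the latest annual CNCF survey, many organizations show strong interest in Service Mesh, and some are already using one in production. You may not know that Linkerd was the first Service Mesh on the market, but Istio made Service Mesh more popular. Both projects are cutting-edge and the competition between them is fierce, so choosing one is difficult. In this article, we will walk through the architecture and components of Istio and Linkerd with you and compare their offerings to help you make an informed decision. Introduction to Service Mesh: Over the past few years, microservice architecture has become a popular style of software design. In this architecture, we break an application down into independently deployable services. These services are usually lightweight and polyglot, and are typically developed and deployed by various functional teams. The microservice architecture keeps working until the number of services grows to the point where it becomes hard to manage and increasingly complex. But this also brings challenges in managing security, network traffic control, observability, and other aspects. A Service Mesh can help address these challenges well. The term Service Mesh is used to describe the microservices that make up an application and the interactions between them. As the number of services and their complexity grow, scaling and management become increasingly difficult. A Service Mesh can provide service discovery, load balancing, failure recovery, metrics, and monitoring for a microservice architecture. A Service Mesh can usually also meet more complex requirements, such as A/B testing, canary releases, rate limiting, access control, and end-to-end authentication. Service Mesh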

Istio: How to modify the h2UpgradePolicy globally?

笑着哭i posted on 2021-02-11 04:42:07
Question: I want to upgrade all incoming http 1.1 connections to http2 in Istio. I understand how to achieve this via destination rules for a particular namespace and pod. However, I want to upgrade all connections in service mesh from http1.1 to http2. Even the documentation recommends this, if Istio sidecar is auto injected here. if sidecar is installed on all pods in the mesh, then this should be set to UPGRADE. Can I update the "istio" ConfigMap under "Istio-system" namespace? If yes, what would

Istio: How to modify the h2UpgradePolicy globally?

扶醉桌前 posted on 2021-02-11 04:40:14
Question: I want to upgrade all incoming http 1.1 connections to http2 in Istio. I understand how to achieve this via destination rules for a particular namespace and pod. However, I want to upgrade all connections in service mesh from http1.1 to http2. Even the documentation recommends this, if Istio sidecar is auto injected here. if sidecar is installed on all pods in the mesh, then this should be set to UPGRADE. Can I update the "istio" ConfigMap under "Istio-system" namespace? If yes, what would

Keycloak provides invalid signature with Istio and JWT

萝らか妹 posted on 2021-02-10 05:51:42
Question: I'm using Keycloak (latest) for Auth 2.0, to validate authentication, provide a token (JWT) and with the token provided, allows the access to the application URLs, based in the permissions. Keycloak is currently running in Kubernetes, with Istio as Gateway. For Keycloak, this is the policy being used:

    apiVersion: authentication.istio.io/v1alpha1
    kind: Policy
    metadata:
      name: application-auth-policy
    spec:
      targets:
      - name: notification
      origins:
      - jwt:
          issuer: http://<service_name>http.

Keycloak provides invalid signature with Istio and JWT

主宰稳场 posted on 2021-02-10 05:51:31
Question: I'm using Keycloak (latest) for Auth 2.0, to validate authentication, provide a token (JWT) and with the token provided, allows the access to the application URLs, based in the permissions. Keycloak is currently running in Kubernetes, with Istio as Gateway. For Keycloak, this is the policy being used:

    apiVersion: authentication.istio.io/v1alpha1
    kind: Policy
    metadata:
      name: application-auth-policy
    spec:
      targets:
      - name: notification
      origins:
      - jwt:
          issuer: http://<service_name>http.

Does Istio support hazelcast-kubernetes?

江枫思渺然 posted on 2021-02-09 11:49:49
Question: I am using istio 1.0.2 version with istio-demo-auth.yaml, and I used hazelcast-kubernetes in the k8s cluster environment. I was using hazelcast-kubernetes in the k8s cluster before, when scale two hazelcast-kubernetes StatefulSet, they can join together, and working with my services. Not using istio that time. Recently our services injected with istio. I try to inject the hazelcast-kubernetes with istio, it was running, but those two hazelcast-kubernetes cannot join together. Do you know how

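Planned downtime maintenance in progress

会有一股神秘感。 posted on 2021-02-09 10:07:28
We are carrying out planned downtime maintenance. Service may be interrupted at any time.
* On site we found that some optical modules were damaged and have asked the supplier to ship replacements. Because of the epidemic and logistics, they may not arrive on time, so the estimated recovery time is pushed back by 2 days.
Details follow and will be updated at any time. Times are GMT+8.
2020/04/21 [15:25:17] Equipment inventory before relocation
2020/04/21 [19:34:18] Diesel generator equipment check at the destination data center, UPS discharge test
2020/04/21 [20:49:44] Rack AOC cable check at the destination data center
2020/04/22 [01:39:11] Disk integrity check
2020/04/22 [08:26:21] Equipment removed from racks
2020/04/22 [12:00:12] Loading onto trucks at the Beijing data center
2020/04/22 [12:49:33] Asset entry in the 大禹 platform
2020/04/22 [13:54:14] Equipment in transit, destination: Changping data center
2020/04/22 [16:31:18] Equipment has arrived at the Changping data center
2020/04/22 [21:30:24] Equipment powered on, configuring the network
2020/04/23 [00:34:38] Resolving internal network DNS failures and routing issues
2020/04/23 [02:28:03] Preparing PXE and iDrac
2020/04/23 [19:28:56] istio is ready, preparing services
2020/04/23 [19:35:13] Job #523694723 triggered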