Envoy Study Notes


    1. Basic Concepts

      xDS, CDS, EDS, LDS, SDS, ADS, RDS, HDS

    2. Installation

    3. Dynamic File-Based Configuration

    A good control plane has not been found yet, so to handle dynamic updates of the CDS and LDS configuration, dynamic file-based configuration is used instead.

    admin:
      access_log_path: /home/logs/envoy/admin.access.log
      address:
        socket_address: { address: 0.0.0.0, port_value: 9001}
    node:
      cluster: test-cluster
      id: test-id
    dynamic_resources:
      cds_config:
        path: /home/envoy/cds.yaml
      lds_config:
        path: /home/envoy/lds.yaml

    The configuration file above defines where the dynamic resources live. cds_config gives the location of the CDS configuration file and lds_config gives the location of the LDS configuration file.

    After modifying one of these files, Envoy can be made to hot-reload it with the mv command, for example: mv cds.yaml cds.yaml1 and then mv cds.yaml1 cds.yaml. (Envoy watches the file path for move events rather than in-place writes, because only a rename is atomic.) Envoy does provide a hot restarter, but updating the file with mv is still recommended: the hot restarter reloads the whole configuration, so a single mistaken setting can take down the entire listener. With the mv-based hot update, Envoy refuses to apply the new configuration when it detects an invalid item, which guarantees that a bad configuration cannot make the whole listener unavailable.

    4. CDS

    The cds.yaml file defines one or more clusters.

    resources:
    - "@type": type.googleapis.com/envoy.config.cluster.v3.Cluster
      connect_timeout: 1s
      name: k8s.proxy
      type: STATIC
      http2_protocol_options: {}
      load_assignment:
        cluster_name: k8s.proxy
        endpoints:
        - lb_endpoints:
          - endpoint:
              address:
                socket_address:
                  address: xxx.xxx.xxx.xxx
                  port_value: 31080
    - "@type": type.googleapis.com/envoy.config.cluster.v3.Cluster
      connect_timeout: 1s
      name: k8shttp1.proxy
      type: STATIC
      load_assignment:
        cluster_name: k8shttp1.proxy
        endpoints:
        - lb_endpoints:
          - endpoint:
              address:
                socket_address:
                  address: xxx.xxx.xxx.xx
                  port_value: 31080
    - "@type": type.googleapis.com/envoy.config.cluster.v3.Cluster
      connect_timeout: 1s
      name: ActivityService
      type: STATIC
      circuit_breakers:
        thresholds:
        - priority: "DEFAULT"
          max_connections: 100000
          max_pending_requests: 100000
          max_requests: 100000
        - priority: "HIGH"
          max_connections: 100000
          max_pending_requests: 100000
          max_requests: 100000
      health_checks:
        timeout: 1s
        interval: 2s
        unhealthy_threshold: 1
        healthy_threshold: 1
        grpc_health_check: {}
      http2_protocol_options: {}
      load_assignment:
        cluster_name: ActivityService
        endpoints:
        - lb_endpoints:
          - endpoint:
              address:
                socket_address:
                  address: xxx.xxx.xxx.xxx
                  port_value: 10099
    - "@type": type.googleapis.com/envoy.config.cluster.v3.Cluster
      connect_timeout: 1s
      name: bigdata
      type: STRICT_DNS
      circuit_breakers:
        thresholds:
        - priority: "DEFAULT"
          max_connections: 100000
          max_pending_requests: 100000
          max_requests: 100000
        - priority: "HIGH"
          max_connections: 100000
          max_pending_requests: 100000
          max_requests: 100000
      health_checks:
        timeout: 1s
        interval: 2s
        unhealthy_threshold: 1
        healthy_threshold: 1
        grpc_health_check: {}
      http2_protocol_options: {}
      load_assignment:
        cluster_name: bigdata
        endpoints:
        - lb_endpoints:
          - endpoint:
              address:
                socket_address:
                  address: a.service.consul
                  port_value: 10030

    The configuration above defines two kinds of cluster: STATIC, where the upstream service is given as fixed IP addresses, and STRICT_DNS, where the concrete endpoints are obtained by resolving a domain name.

    After Envoy starts, curl localhost:9001/clusters shows how many endpoints the specified domain name resolves to.

    The configuration also defines health checks and circuit breaking. curl localhost:9001/clusters | grep xxx shows whether an endpoint is healthy; Envoy does not forward traffic to unhealthy endpoints. Health checking only starts the first time the cluster is accessed; without traffic, no health checks are run.
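    The grep above works for a quick look; the following added example (not part of the original notes) parses the same /clusters admin output and lists every endpoint whose health flags are not "healthy". The sample text is constructed to match the `cluster::host:port::key::value` line format of that endpoint.

```python
"""Parse the text returned by `curl localhost:9001/clusters` and report
endpoints that Envoy is not treating as fully healthy.

Line shapes: `cluster::key::value` (cluster-level), `cluster::priority::key::value`
(circuit-breaker limits) and `cluster::host:port::key::value` (per-endpoint stats).
"""
from collections import defaultdict

# Constructed sample in the /clusters format for the clusters defined above;
# it is not output captured from the author's deployment.
SAMPLE = """\
ActivityService::default_priority::max_connections::100000
ActivityService::added_via_api::true
ActivityService::10.0.0.11:10099::rq_error::0
ActivityService::10.0.0.11:10099::health_flags::healthy
bigdata::added_via_api::true
bigdata::10.0.0.21:10030::health_flags::healthy
bigdata::10.0.0.22:10030::health_flags::/failed_active_hc
bigdata::10.0.0.23:10030::health_flags::/failed_active_hc/failed_outlier_check
"""


def parse_clusters(text):
    """Return {cluster: {endpoint: health_flags}} from /clusters text."""
    clusters = defaultdict(dict)
    for line in text.splitlines():
        if line.count("::") < 2:
            continue
        # Split from the right so IPv6 endpoints such as [::1]:10030 survive.
        head, key, value = line.rsplit("::", 2)
        cluster, _, endpoint = head.partition("::")
        # Only endpoint lines carry host:port; priority and cluster-level lines do not.
        if ":" in endpoint and key == "health_flags":
            clusters[cluster][endpoint] = value
    return dict(clusters)


def unhealthy_endpoints(clusters):
    """Endpoints whose flags are anything but 'healthy' (e.g. /failed_active_hc):
    these are the hosts Envoy has taken out of, or degraded in, load balancing."""
    return sorted(
        (cluster, endpoint, flags)
        for cluster, endpoints in clusters.items()
        for endpoint, flags in endpoints.items()
        if flags != "healthy"
    )


if __name__ == "__main__":
    for cluster, endpoint, flags in unhealthy_endpoints(parse_clusters(SAMPLE)):
        print(f"{cluster} {endpoint} {flags}")
```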

    5. LDS

    The lds.yaml file defines one or more listener configurations.

    resources:
    - "@type": type.googleapis.com/envoy.config.listener.v3.Listener
      name: k8shttps.proxy
      address:
        socket_address:
          address: 0.0.0.0
          port_value: 443
      filter_chains:
      - transport_socket:
          name: "a.com"
          typed_config:
            "@type": type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.DownstreamTlsContext
            common_tls_context:
              tls_certificates:
              - certificate_chain:
                  filename: /home/envoy/x.com-crt.pem
                private_key:
                  filename: /home/envoy/x.com-key.pem
        filters:
          - name: envoy.filters.network.http_connection_manager
            typed_config:
              "@type": type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager
              stat_prefix: ingress_http
              access_log:
              - name: envoy.access_loggers.file
                typed_config:
                  "@type": type.googleapis.com/envoy.extensions.access_loggers.file.v3.FileAccessLog
                  path: /home/logs/envoy/k8s.https.access.log
              http_filters:
              - name: envoy.filters.http.router
              route_config:
                name: local_route
                virtual_hosts:
                - name: local_service
                  domains:
                  - a.com
                  - a.com:*
                  routes:
                  - match:
                      prefix: "/com.activity.server"
                    route:
                      cluster: ActivityService
                  - match:
                      prefix: "/AppGL"
                    route:
                      cluster: k8sqahttp1.proxy
                      upgrade_configs:
                      - upgrade_type: "websocket"
                        enabled: true
                  - match:
                      prefix: "/"
                    route:
                      cluster: abc
                      timeout: 1200s
                - name: local_service
                  domains: ["*"]
                  routes:
                  - match:
                      prefix: "/"
                      headers:
                      - name: ":method"
                        exact_match: "HEAD"
                    direct_response:
                      status: 200
                      body:
                        inline_string: "heihei"
                  - match:
                      prefix: "/abc."
                      headers:
                      - name: abc
                        exact_match: abc1
                      case_sensitive: false
                    route:
                      cluster: abc1
                  - match:
                      prefix: "/abc."
                      case_sensitive: false
                      headers:
                      - name: abc
                        exact_match: abc2
                    route:
                      cluster: abc2
                  - match:
                      prefix: "/hostrewrite"
                      case_sensitive: false
                    route:
                      cluster: pcwang
                      host_rewrite_literal: wangpengchong.com
                  - match:
                      prefix: "/AppGL"
                    route:
                      cluster: k8shttp1.proxy
                      upgrade_configs:
                      - upgrade_type: "websocket"
                        enabled: true
                  - match:
                      prefix: "/"
                    route:
                      cluster: k8s.proxy
                      timeout: 1200s
    - "@type": type.googleapis.com/envoy.config.listener.v3.Listener
      name: k8s.proxy
      address:
        socket_address:
          address: 0.0.0.0
          port_value: 80
      filter_chains:
      - filters:
          - name: envoy.filters.network.http_connection_manager
            typed_config:
              "@type": type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager
              stat_prefix: ingress_http
              access_log:
              - name: envoy.access_loggers.file
                typed_config:
                  "@type": type.googleapis.com/envoy.extensions.access_loggers.file.v3.FileAccessLog
                  path: /home/logs/envoy/k8s.access.log
              http_filters:
              - name: envoy.filters.http.router
              route_config:
                name: local_route
                virtual_hosts:
                - name: local_service
                  domains:
                  - b.com
                  - b.com:*
                  routes:
                  - match:
                      prefix: "/AppGL"
                    route:
                      cluster: k8sqahttp1.proxy
                      upgrade_configs:
                      - upgrade_type: "websocket"
                        enabled: true
                  - match:
                      prefix: "/"
                    route:
                      cluster: k8sqa.proxy
                      timeout: 1200s
                - name: local_service
                  domains: ["*"]
                  routes:
                  - match:
                      prefix: "/"
                      headers:
                      - name: ":method"
                        exact_match: "HEAD"
                    direct_response:
                      status: 200
                      body:
                        inline_string: "heihei"
                  - match:
                      prefix: "/"
                    route:
                      cluster: k8s.proxy
                      timeout: 1200s

    The configuration above defines two listeners, on ports 443 and 80. The 443 listener is configured with an HTTPS certificate and serves HTTPS.

    The configuration also implements a pre-release (staging) mechanism: all requests for a particular domain are forwarded to the staging cluster. The same mechanism can serve other purposes and can be adapted as needed.

    It also configures more complex traffic routing, forwarding requests to different clusters based on request header values.

    It also configures WebSocket upgrade, allowing HTTP/1.1 connections to be upgraded to WebSocket; this requires the client to send a correct upgrade request.

    It also configures host rewriting, timeouts, and a fixed response for specific requests (health checks); anyone who needs these can use it as a reference.

    6. TCP Listener

    - "@type": type.googleapis.com/envoy.config.listener.v3.Listener
      name: AlertService
      address:
        socket_address:
          address: 0.0.0.0
          port_value: 20010
      filter_chains:
      - filters:
        - name: envoy.filters.network.tcp
          typed_config:
            "@type": type.googleapis.com/envoy.extensions.filters.network.tcp_proxy.v3.TcpProxy
            stat_prefix: ingress_tcp
            max_connect_attempts: 5
            cluster: AlertService

    7. JWK Authentication and Authorization

    - "@type": type.googleapis.com/envoy.config.listener.v3.Listener
      name: k8s.proxy
      address:
        socket_address:
          address: 0.0.0.0
          port_value: 10021
      filter_chains:
      - filters:
          - name: envoy.filters.network.http_connection_manager
            typed_config:
              "@type": type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager
              stat_prefix: ingress_http
              access_log:
              - name: envoy.access_loggers.file
                typed_config:
                  "@type": type.googleapis.com/envoy.extensions.access_loggers.file.v3.FileAccessLog
                  path: /home/logs/envoy/beta.grpc.access.log
              http_filters:
              - name: envoy.filters.http.jwt_authn
                typed_config:
                  "@type": type.googleapis.com/envoy.extensions.filters.http.jwt_authn.v3.JwtAuthentication
                  providers:
                    identityserver:
                      issuer: http://xxxx
                      audiences:
                      - grpc1
                      remote_jwks:
                        http_uri:
                          uri: http://xxxx/.well-known/openid-configuration/jwks
                          cluster: identityserver
                          timeout: 5s
                        cache_duration: 600s
                  rules:
                  - match:
                      prefix: /
                    requires:
                      provider_name: identityserver

    This shows a fairly simple configuration; for more complex ones, see the official documentation:

    https://www.envoyproxy.io/docs/envoy/v1.18.3/api-v3/extensions/filters/http/jwt_authn/v3/config.proto#extension-envoy-filters-http-jwt-authn
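    To make concrete what the provider above enforces before a request reaches the route, here is an added example (not Envoy's code and not from the original notes) that re-implements those checks: key lookup in the JWKS by kid, signature, iss against issuer, aud against audiences, and exp. The JWKS, secret and token are constructed, the issuer URL is the placeholder from the config, and an HMAC ("oct") key is assumed so only the standard library is needed.

```python
"""Illustration (not Envoy's code) of what the jwt_authn provider above enforces:
JWKS key lookup by `kid`, signature check, `iss` == issuer, `aud` in audiences,
`exp` not passed. A symmetric ("oct") JWKS key keeps it stdlib-only; all values
are constructed and the issuer URL is the placeholder from the config."""
import base64, hashlib, hmac, json, time

ISSUER = "http://xxxx"
AUDIENCES = {"grpc1"}

def b64url(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()
def b64url_decode(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

# Constructed JWKS standing in for the document fetched via remote_jwks.
JWKS = {"keys": [{"kty": "oct", "kid": "k1", "alg": "HS256",
                  "k": b64url(b"constructed-demo-secret-not-for-real-use")}]}

def mint(claims, kid="k1"):
    """Issue a token as the identity server would (helper for the demo only)."""
    header = b64url(json.dumps({"alg": "HS256", "typ": "JWT", "kid": kid}).encode())
    body = b64url(json.dumps(claims).encode())
    key = next(k for k in JWKS["keys"] if k["kid"] == kid)
    sig = hmac.new(b64url_decode(key["k"]), f"{header}.{body}".encode(), hashlib.sha256)
    return f"{header}.{body}.{b64url(sig.digest())}"

def verify(token, now=None):
    """Return (allowed, reason); every False result is a 401 from the filter."""
    try:
        h, b, s = token.split(".")
        header, claims, signature = json.loads(b64url_decode(h)), json.loads(b64url_decode(b)), b64url_decode(s)
        if not (isinstance(header, dict) and isinstance(claims, dict)):
            raise ValueError
    except ValueError:  # also covers binascii.Error, JSONDecodeError, UnicodeDecodeError
        return False, "malformed"
    # Key chosen by kid and pinned to HS256; header alg must agree, so a tampered header cannot switch algorithms.
    key = next((k for k in JWKS["keys"] if k.get("kid") == header.get("kid")), None)
    if key is None or key.get("alg") != "HS256" or header.get("alg") != "HS256":
        return False, "no matching key"
    expected = hmac.new(b64url_decode(key["k"]), f"{h}.{b}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, signature):
        return False, "bad signature"
    if claims.get("iss") != ISSUER:
        return False, "issuer mismatch"
    aud = claims.get("aud", [])  # aud may be a string or a list of strings
    if not ({aud} if isinstance(aud, str) else set(aud)) & AUDIENCES:
        return False, "audience mismatch"
    if claims.get("exp", 0) <= (time.time() if now is None else now):  # missing exp is rejected
        return False, "expired"
    return True, "ok"
```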

    8. Monitoring

    Simply collect the metrics with Prometheus and display them through Grafana.

Original source: https://www.cnblogs.com/pjjwpc/p/15196662.html