locals variables
```hcl
locals {
  project_id     = "global-sre-dev"
  cluster_name   = "sre-gke"
  cluster_region = "us-central1"
  emissary_ns    = "emissary"
  chart_version  = "8.2.0"
  common_yaml_d  = "../common/helm/yamls"
  ambassador_id  = "ambassador"

  emissary_ingress_map = {
    ambassadorID          = local.ambassador_id
    loadBalancerIP        = "35.232.98.249" # reserve a static IP first instead of using an ephemeral one
    replicaCount          = 2
    minReplicas           = 2
    maxReplicas           = 3
    canaryEnabled         = false   # set to true in Prod
    logLevel              = "error" # valid log levels are error, warn/warning, info, debug, and trace
    endpointEnable        = true
    endpointName          = "my-resolver"
    diagnosticsEnable     = false
    clusterRequestTimeout = 120000 # milliseconds
  }

  emissary_listeners_map = {
    ambassadorID     = local.ambassador_id
    listenersEnabled = true # custom listeners
  }
}
```

locals.tf
Config file
```hcl
locals {
  emissary_config_yaml = <<-EOT
    hosts:
    - name: my-host-dev
      spec:
        ambassador_id:
        - ${local.ambassador_id}
        hostname: '*.wadexu.cloud'
        requestPolicy:
          insecure:
            action: Redirect
        tlsContext:
          name: my-tls-context
        tlsSecret:
          name: tls-secret
          namespace: secret
    mappings:
    - name: my-nginx-mapping
      spec:
        ambassador_id:
        - ${local.ambassador_id}
        hostname: dev.wadexu.cloud
        prefix: /
        service: my-nginx.nginx:80
    tlscontexts:
    - name: my-tls-context
      spec:
        ambassador_id:
        - ${local.ambassador_id}
        hosts:
        - "*.wadexu.cloud"
        min_tls_version: v1.2
    EOT
}
```

config.tf
For the complete code, see my repo.
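In addition, because HTTPS is used, a tls-secret must be installed in the secret namespace:

```bash
kubectl create secret -n secret tls tls-secret \
  --key ./xxx.key \
  --cert ./xxx.pem
```

Install from local

(Optional) To learn how to automate the Terraform installation, see "Atlantis: an automation tool for deploying Terraform infrastructure code".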
```bash
cd terraform_helm_install/dev
terraform init
terraform plan
terraform apply
```

Install result
```
% helm list -n emissary-system
NAME           NAMESPACE        REVISION  UPDATED                               STATUS    CHART                APP VERSION
emissary-crds  emissary-system  1         2022-10-20 10:09:30.72553 +0800 CST   deployed  emissary-crds-8.2.0  3.2.0

% helm list -n emissary
NAME              NAMESPACE  REVISION  UPDATED                                STATUS    CHART                   APP VERSION
emissary-config   emissary   1         2022-10-20 10:31:24.819555 +0800 CST   deployed  emissary-config-8.2.0   3.2.0
emissary-ingress  emissary   1         2022-10-20 10:29:33.705888 +0800 CST   deployed  emissary-ingress-8.2.0  3.2.0
```

Using Kustomize

See my quick start.
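If you are not familiar with Kustomize, see my article "Kustomize: a Kubernetes application orchestration and management tool you should not miss".

Installing multiple Emissary Ingress instances in one cluster

This example shows multiple Emissary instances deployed in one cluster.

When installing multiple Emissary instances in one cluster, you must set ambassador_id and replace the ClusterRoleBinding name; otherwise the resources conflict.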
- emissary-ingress-init: installs the CRDs.
- emissary-ingress-public: an emissary-ingress with allow list = all (internet-facing).
- emissary-ingress-private: another emissary-ingress with an allow list (restricted connections), installed in the same cluster.
```bash
# apply CRDs first
kustomize build emissary-ingress-init/sre-mgmt-dev > ~/init.yaml
kubectl apply -f ~/init.yaml

# deploy the first (public) Emissary; allow list = all, internet-facing
kustomize build emissary-ingress-public/sre-mgmt-dev > ~/emissary_deploy1.yaml
kubectl apply -f ~/emissary_deploy1.yaml

# deploy the second (private) Emissary, with a restrictive allow list
kustomize build emissary-ingress-private/sre-mgmt-dev > ~/emissary_deploy2.yaml
kubectl apply -f ~/emissary_deploy2.yaml
```
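A check that can run between `kustomize build` and `kubectl apply`, as an added example that is not part of the original article: it reads two rendered manifests and reports any ClusterRole/ClusterRoleBinding names or `AMBASSADOR_ID` values they share. The function names and the sample manifests are constructed for illustration, and the parsing assumes output laid out the way `kustomize build` renders it.

```sh
# Added example (not the article's code): pre-apply check for two Emissary manifests.

# "Kind/name" per ClusterRole/ClusterRoleBinding. Assumes rendered output where
# kind precedes metadata and top-level keys start at column 0.
cluster_rbac_names() {
  awk '/^---/   { kind = ""; meta = 0 }
       /^kind:/ { kind = $2 }
       /^[^ ]/  { meta = ($1 == "metadata:") }
       meta && /^  name:/ && kind ~ /^ClusterRole(Binding)?$/ { print kind "/" $2 }
  ' "$1" | sort -u
}

# AMBASSADOR_ID env values; Emissary falls back to "default" when it is unset.
ambassador_ids() {
  awk 'want && $1 == "value:" { gsub(/"/, "", $2); print $2; seen = 1 }
       { want = /- name: AMBASSADOR_ID$/ }
       END { if (!seen) print "default" }' "$1" | sort -u
}

# Exit 0 if the two manifests can coexist, else report on stderr and exit 1.
check_coexist() (
  rbac=$( { cluster_rbac_names "$1"; cluster_rbac_names "$2"; } | sort | uniq -d )
  ids=$( { ambassador_ids "$1"; ambassador_ids "$2"; } | sort | uniq -d )
  [ -z "$rbac$ids" ] && exit 0
  echo "conflict: shared RBAC names [$rbac], shared ambassador_id [$ids]" >&2; exit 1
)

# Constructed sample, trimmed to the fields read above: sample <binding> <id> <file>
sample() {
  cat > "$3" <<EOF
kind: ClusterRoleBinding
metadata:
  name: $1
---
kind: Deployment
spec:
  template:
    spec:
      containers:
      - env:
        - name: AMBASSADOR_ID
          value: $2
EOF
}

tmp=$(mktemp -d); trap 'rm -rf "$tmp"' EXIT
sample emissary-ingress public  "$tmp/public.yaml"
sample emissary-ingress private "$tmp/private.yaml"  # binding name not replaced
check_coexist "$tmp/public.yaml" "$tmp/private.yaml" || echo "do not apply both"
```

With the files from the commands above, the call would be `check_coexist ~/emissary_deploy1.yaml ~/emissary_deploy2.yaml` before the second `kubectl apply`.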