How to deploy Istio Jaeger UI tracing in production without using kubectl port-forward

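Problem description

I am trying to deploy the Istio Jaeger UI for distributed tracing. Currently I am using kubectl port forwarding with the command kubectl port-forward -n monitoring prometheus-prometheus-operator-prometheus-0 9090. But it runs on http://localhost:port, so how can I do this in production? Is there any other way to deploy it in production? Also, how can I make it run over https?

Tags: kubernetes istio jaeger distributed-tracing

Solution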


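According to the documentation, Remotely Accessing Telemetry Addons, there are different ways to access telemetry.

The recommended way is to create secure access using https instead of http.

Note for both methods:

This option covers securing the transport layer only. You should also configure the telemetry addons to require authentication when exposing them externally.

Please note that Jaeger itself doesn't support authentication methods (github), and there is a workaround using an Apache httpd server here.

  1. With your requirements, you can use gateways (SDS) with self-signed certificates:

    a.) Make sure that during the Istio installation you have enabled SDS at the ingress gateway with --set gateways.istio-ingressgateway.sds.enabled=true, and --set tracing.enabled=true for tracing purposes.

    b.) Create self-signed certificates for testing purposes; you can use this example and repository.

    c.) Please follow Generate client and server certificates and keys and Configure a TLS ingress gateway using SDS.

  2. Create the VirtualService and Gateway: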


apiVersion: networking.istio.io/v1alpha3
kind: Gateway
metadata:
  name: mygateway
spec:
  selector:
    istio: ingressgateway # use istio default ingress gateway
  servers:
  - port:
      number: 443
      name: https
      protocol: HTTPS
    tls:
      mode: SIMPLE
      credentialName: "httpbin-credential" # must be the same as secret created in the step 2.
    hosts:
    - "httpbin.example.com" ## You can apply "*" for all hosts
---
apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
  name: tracing
spec:
  hosts:
  - "httpbin.example.com" ## You can apply "*" for all hosts
  gateways:
  - mygateway
  http:
  - match:
    - port: 443
    route:
    - destination:
        port:
          number: 80
        host: tracing.istio-system.svc.cluster.local

curl -kvI https://xx.xx.xx.xx/
*   Trying xx.xx.xx.xx...
* TCP_NODELAY set
* Connected to xx.xx.xx.xx (xx.xx.xx.xx) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* Cipher selection: ALL:!EXPORT:!EXPORT40:!EXPORT56:!aNULL:!LOW:!RC4:@STRENGTH
* successfully set certificate verify locations:
*   CAfile: /etc/ssl/certs/ca-certificates.crt
  CApath: /etc/ssl/certs
* TLSv1.2 (OUT), TLS header, Certificate Status (22):
* TLSv1.2 (OUT), TLS handshake, Client hello (1):
* TLSv1.2 (IN), TLS handshake, Server hello (2):
* TLSv1.2 (IN), TLS handshake, Certificate (11):
* TLSv1.2 (IN), TLS handshake, Server key exchange (12):
* TLSv1.2 (IN), TLS handshake, Server finished (14):
* TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
* TLSv1.2 (OUT), TLS change cipher, Client hello (1):
* TLSv1.2 (OUT), TLS handshake, Finished (20):
* TLSv1.2 (IN), TLS change cipher, Client hello (1):
* TLSv1.2 (IN), TLS handshake, Finished (20):
* SSL connection using TLSv1.2 / ECDHE-RSA-AES128-GCM-SHA256

* ALPN, server accepted to use h2
> HEAD / HTTP/1.1
> Host: xx.xx.xx.xx
> User-Agent: curl/7.52.1
> Accept: */*
>
* Connection state changed (MAX_CONCURRENT_STREAMS updated)!
< HTTP/2 200
HTTP/2 200
< content-type: text/html; charset=utf-8
content-type: text/html; charset=utf-8
< date: Thu, 07 Nov 2019 10:01:33 GMT
date: Thu, 07 Nov 2019 10:01:33 GMT
< x-envoy-upstream-service-time: 1
x-envoy-upstream-service-time: 1
< server: istio-envoy
server: istio-envoy

Hope this helps.
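A check for the caveat in the answer above, that TLS secures only the transport layer: this added example (not part of the original answer or of the Istio project) audits a `curl -v` transcript and flags an endpoint that serves anonymous requests. The function name, the finding labels and the second sample are assumptions made for this illustration; treating any 2xx reply as "no authentication" is a heuristic.

```shell
# Added example: audit a `curl -v` transcript (stdin) of an exposed telemetry UI.
# Prints one finding per line; any FAIL means the endpoint is not ready to expose.
audit_transcript() {
  t=$(tr -d '\r')
  # "* SSL connection using TLSv1.2 / ECDHE-..." -> "TLSv1.2 ECDHE-..."
  tls=$(printf '%s\n' "$t" |
    sed -n 's|^\* SSL connection using \([^ ]*\) / \(.*\)$|\1 \2|p' | head -n 1)
  # "< HTTP/2 200" -> "200"
  status=$(printf '%s\n' "$t" |
    sed -n 's|^< HTTP/[0-9.]* \([0-9][0-9][0-9]\).*|\1|p' | head -n 1)
  case "$tls" in
    "")                echo "FAIL tls: no TLS session, traffic is plain HTTP" ;;
    TLSv1.2*|TLSv1.3*) echo "OK tls: $tls" ;;
    *)                 echo "FAIL tls: outdated protocol: $tls" ;;
  esac
  # curl -k hides certificate problems; look for curl's explicit verdict lines.
  if printf '%s\n' "$t" | grep -q 'SSL certificate verify ok'; then
    echo "OK cert: chain verified"
  elif printf '%s\n' "$t" | grep -q 'continuing anyway'; then
    echo "WARN cert: verification failed and was ignored (-k)"
  else
    echo "WARN cert: no verification verdict in transcript"
  fi
  # A 2xx answer to a request that carried no credentials means no auth layer.
  if printf '%s\n' "$t" | grep -qi '^> authorization:'; then
    echo "SKIP auth: request carried credentials, rerun without them"
  elif [ "${status#2}" != "$status" ]; then
    echo "FAIL auth: HTTP $status served without credentials"
  elif [ "$status" = 401 ] || [ "$status" = 403 ]; then
    echo "OK auth: HTTP $status for anonymous request"
  else
    echo "WARN auth: HTTP ${status:-none}, check manually"
  fi
}

# Excerpt of the transcript shown in the answer above.
page_sample='* SSL connection using TLSv1.2 / ECDHE-RSA-AES128-GCM-SHA256
> HEAD / HTTP/1.1
< HTTP/2 200
< server: istio-envoy'

# Constructed sample: the same gateway behind an authenticating proxy.
proxied_sample='* SSL connection using TLSv1.3 / TLS_AES_256_GCM_SHA384
*  SSL certificate verify ok.
> HEAD / HTTP/1.1
< HTTP/1.1 401 Unauthorized
< www-authenticate: Basic realm="jaeger"'
printf '%s\n' "$page_sample" | audit_transcript
printf '%s\n' "$proxied_sample" | audit_transcript
```

For the transcript in the answer, the audit reports the TLS session as acceptable and the authentication check as failed, which is exactly the gap the answer's note describes.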

