istio - publicIP 使用 istio-ingress 访问服务会出现 503 Servcie 不可用错误
问题描述
当我使用端口转发并向本地主机发送 get 请求时,我的服务运行良好,但是向 publicDomain 发送 Get 请求会给出 503 错误消息。这是我的配置文件:
apiVersion: v1
kind: Service
metadata:
name: my-app
namespace: default
spec:
ports:
- port: 8080
targetPort: 8080
protocol: TCP
name: http
- port: 9000
targetPort: 9000
protocol: TCP
name: http1
- port: 9001
targetPort: 9001
protocol: TCP
name: http2
selector:
app: my-app
部署配置:
apiVersion: extensions/v1beta1
kind: Deployment
metadata:
name: my-app
namespace: default
spec:
replicas: 1
selector:
matchLabels:
app: my-app
template:
metadata:
labels:
app: my-app
spec:
containers:
- image: myrepo.azurecr.io/my-app:12
name: my-app
ports:
- containerPort: 8080
protocol: TCP
- containerPort: 8000
protocol: TCP
- containerPort: 9000
protocol: TCP
- containerPort: 9001
protocol: TCP
虚拟服务配置:
apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
name: my-app
namespace: default
spec:
hosts:
- "app.mydomain.com"
gateways:
- mygateway.istio-system.svc.cluster.local
http:
- match:
- uri:
prefix: /myprefix
route:
- destination:
host: my-app
port:
number: 9001
- match:
- uri:
prefix: /
route:
- destination:
host: my-app
port:
number: 9000
corsPolicy:
allowOrigin:
- "https://test1.domain.com"
- "https://test2.domain.com"
allowMethods:
- POST
- PATCH
allowCredentials: false
allowHeaders:
- X-Tenant-Identifier
- Content-Type
maxAge: "24h"
网关配置:
apiVersion: networking.istio.io/v1alpha3
kind: Gateway
metadata:
name: my-gateway
namespace: istio-system
spec:
selector:
istio: ingressgateway
servers:
- port:
number: 80
name: http
protocol: HTTP
hosts:
- "*.mydomain.com"
#tls:
#httpsRedirect: true
- port:
number: 443
name: https
protocol: HTTPS
hosts:
- "*.mydomain.com"
tls:
mode: SIMPLE
serverCertificate: /etc/istio/ingressgateway-certs/tls.crt
privateKey: /etc/istio/ingressgateway-certs/tls.key
这是更多信息:
$ kubectl get ep my-app
NAME ENDPOINTS AGE
my-app 10.244.1.169:9000,10.244.1.169:9001,10.244.1.169:8080 26h
如果我转发端口:
$ kubectl port-forward my-app-podid 6001:9001
然后使用邮递员向 localhost:6001/myprefix 发送 Get 请求,它工作正常并返回 200 OK 响应,但是如果向 publicdomain app.mydomain.com/myprefix 发送 Get 请求,我也会使用 curl 得到 503 错误:
kubectl exec -n istio-system istio-ingressgateway-podid -- curl -v http://my-app.default.svc.cluster.local:9001/myprefix
连接到 my-app.default.svc.cluster.local (10.0.71.212) 端口 9001 (#0)
GET /myprefix HTTP/1.1 主机:my-app.default.svc.cluster.local:9001 用户代理:curl/7.47.0 接受:/
上游连接错误或在标头之前断开/重置。重置原因:连接终止< HTTP/1.1 503 Service Unavailable
入口网关的日志提供的信息不只是 503 错误消息。有谁知道缺少什么?
解决方案
问题是在服务下设置了错误的端口名称。所以正确的 Service.yaml 文件如下所示:
apiVersion: v1
kind: Service
metadata:
name: my-app
namespace: default
spec:
ports:
- port: 8080
targetPort: 8080
protocol: TCP
name: http-debug
- port: 9000
targetPort: 9000
protocol: TCP
name: http-app
- port: 9001
targetPort: 9001
protocol: TCP
name: http-monitoring
selector:
app: my-app