云原生之旅 - 9）云原生时代网关的后起之秀Envoy Proxy 和基于Envoy 的 Emissary Ingress( 二 ) _生活百科

locals.tf
config文件

文章插图

文章插图
locals {emissary_config_yaml = <<-EOThosts:- name: my-host-devspec:ambassador_id:- ${local.ambassador_id}hostname: '*.wadexu.cloud'requestPolicy:insecure:action: RedirecttlsContext:name: my-tls-contexttlsSecret:name: tls-secretnamespace: secretmappings:- name: my-nginx-mappingspec:ambassador_id:- ${local.ambassador_id}hostname: dev.wadexu.cloudprefix: /service: my-nginx.nginx:80tlscontexts:- name: my-tls-contextspec:ambassador_id:- ${local.ambassador_id}hosts:- "*.wadexu.cloud"min_tls_version: v1.2EOT}config.tf
完整代码请参考 my repo
另外因为用的https，所以需要一个tls-secret 安装在secret ns下面kubectl create secret -n secret tls tls-secret \--key ./xxx.key \--cert ./xxx.pemInstall from local ， (Optional) 如果要学习自动化Terraform安装，请参考【部署Terrform基础设施代码的自动化利器 Atlantis】
cd terraform_helm_install/devterraform initterraform planterraform applyInstall result
% helm list -n emissary-systemNAMENAMESPACEREVISION UPDATEDSTATUSCHARTAPP VERSIONemissary-crds emissary-system 12022-10-20 10:09:30.72553 +0800 CST deployed emissary-crds-8.2.0 3.2.0% helm list -n emissaryNAMENAMESPACE REVISION UPDATEDSTATUSCHARTAPP VERSIONemissary-configemissary12022-10-20 10:31:24.819555 +0800 CST deployed emissary-config-8.2.03.2.0emissary-ingress emissary12022-10-20 10:29:33.705888 +0800 CST deployed emissary-ingress-8.2.0 3.2.0 使用 Kustomize参考我的 quick start
如果不了解 Kustomize，请移步我这篇文章【不能错过的一款 Kubernetes 应用编排管理神器 Kustomize】
一个集群安装多个Emissary Ingress我这个例子 This example 展示了 multiple Emissary deployed in one cluster.
在一个集群里安装多个 Emissary 一定要设置 ambassador_id 并且替换 ClusterRoleBinding name ，否则资源冲突。

emissary-ingress-init: CRDs will be installed.
emissary-ingress-public: An emissary-ingress with allow list = all (face to internet).
emissary-ingress-private: Another emissary-ingress with an allow list (restrict connection) installed in same cluster.

Test in local
# apply CRDs firstkustomize build emissary-ingress-init/sre-mgmt-dev > ~/init.yamlkubectl apply -f ~/init.yaml# deploy first public Emissary, this allow list = all, face to internetkustomize build emissary-ingress-public/sre-mgmt-dev > ~/emissary_deploy1.yamlkubectl apply -f ~/emissary_deploy1.yaml# deploy second private Emissary with a restrict allow list to accesskustomize build emissary-ingress-private/sre-mgmt-dev > ~/emissary_deploy2.yamlkubectl apply -f ~/emissary_deploy2.yaml通过Terraform安装 Kustomize资源，请参考 my repo
如：
module "example_custom_manifests" {source= "kbst.xyz/catalog/custom-manifests/kustomization"version = "0.3.0"configuration_base_key = "default"configuration = {default = {resources = ["${path.root}/../../infra/emissary-ingress-init/sre-mgmt-dev"]common_labels = {"env" = "dev"}}}}Test建一个nginx service 测试下
helm install my-nginx bitnami/nginx --set service.type="ClusterIP" -n nginx --create-namespace【云原生之旅 - 9）云原生时代网关的后起之秀Envoy Proxy 和基于Envoy 的 Emissary Ingress】curl
% curl https://dev.wadexu.cloud<!DOCTYPE html><html><head><title>Welcome to nginx!</title><style>html { color-scheme: light dark; }body { width: 35em; margin: 0 auto;font-family: Tahoma, Verdana, Arial, sans-serif; }</style></head><body><h1>Welcome to nginx!</h1><p>If you see this page, the nginx web server is successfully installed andworking. Further configuration is required.</p><p>For online documentation and support please refer to<a href="http://nginx.org/">nginx.org</a>.<br/>Commercial support is available at<a href="http://nginx.com/">nginx.com</a>.</p><p><em>Thank you for using nginx.</em></p></body></html>FAQ1. 这个error 代表 tls-secret 有问题，确保正确创建
error:1404B42E:SSL routines:ST_CONNECT:tlsv1 alert protocol version2. Connection refused, 最大的可能是 Listeners 没有配置好。
curl: (7) Failed to connect to dev.wadexu.cloud port 443 after 255 ms: Connection refused3. CRDs 没创建。
│ Error: unable to build kubernetes objects from release manifest: [resource mapping not found for name: "my-resolver" namespace: "emissary-system" from "": no matches for kind "KubernetesEndpointResolver" in version "getambassador.io/v2"│ ensure CRDs are installed first, resource mapping not found for name: "ambassador" namespace: "emissary-system" from "": no matches for kind "Module" in version "getambassador.io/v2"│ ensure CRDs are installed first]