云原生之旅 - 9）云原生時代網關的后起之秀Envoy Proxy 和基于Envoy 的 Emissary Ingress( 二 ) _生活百科

locals.tf
config文件

文章插圖

文章插圖
locals {emissary_config_yaml = <<-EOThosts:- name: my-host-devspec:ambassador_id:- ${local.ambassador_id}hostname: '*.wadexu.cloud'requestPolicy:insecure:action: RedirecttlsContext:name: my-tls-contexttlsSecret:name: tls-secretnamespace: secretmappings:- name: my-nginx-mappingspec:ambassador_id:- ${local.ambassador_id}hostname: dev.wadexu.cloudprefix: /service: my-nginx.nginx:80tlscontexts:- name: my-tls-contextspec:ambassador_id:- ${local.ambassador_id}hosts:- "*.wadexu.cloud"min_tls_version: v1.2EOT}config.tf
完整代碼請參考 my repo
另外因為用的https，所以需要一個tls-secret 安裝在secret ns下面kubectl create secret -n secret tls tls-secret \--key ./xxx.key \--cert ./xxx.pemInstall from local ， (Optional) 如果要學習自動化Terraform安裝，請參考【部署Terrform基礎設施代碼的自動化利器 Atlantis】
cd terraform_helm_install/devterraform initterraform planterraform applyInstall result
% helm list -n emissary-systemNAMENAMESPACEREVISION UPDATEDSTATUSCHARTAPP VERSIONemissary-crds emissary-system 12022-10-20 10:09:30.72553 +0800 CST deployed emissary-crds-8.2.0 3.2.0% helm list -n emissaryNAMENAMESPACE REVISION UPDATEDSTATUSCHARTAPP VERSIONemissary-configemissary12022-10-20 10:31:24.819555 +0800 CST deployed emissary-config-8.2.03.2.0emissary-ingress emissary12022-10-20 10:29:33.705888 +0800 CST deployed emissary-ingress-8.2.0 3.2.0 使用 Kustomize參考我的 quick start
如果不了解 Kustomize，請移步我這篇文章【不能錯過的一款 Kubernetes 應用編排管理神器 Kustomize】
一個集群安裝多個Emissary Ingress我這個例子 This example 展示了 multiple Emissary deployed in one cluster.
在一個集群里安裝多個 Emissary 一定要設置 ambassador_id 并且替換 ClusterRoleBinding name ，否則資源沖突。

emissary-ingress-init: CRDs will be installed.
emissary-ingress-public: An emissary-ingress with allow list = all (face to internet).
emissary-ingress-private: Another emissary-ingress with an allow list (restrict connection) installed in same cluster.

Test in local
# apply CRDs firstkustomize build emissary-ingress-init/sre-mgmt-dev > ~/init.yamlkubectl apply -f ~/init.yaml# deploy first public Emissary, this allow list = all, face to internetkustomize build emissary-ingress-public/sre-mgmt-dev > ~/emissary_deploy1.yamlkubectl apply -f ~/emissary_deploy1.yaml# deploy second private Emissary with a restrict allow list to accesskustomize build emissary-ingress-private/sre-mgmt-dev > ~/emissary_deploy2.yamlkubectl apply -f ~/emissary_deploy2.yaml通過Terraform安裝 Kustomize資源，請參考 my repo
如：
module "example_custom_manifests" {source= "kbst.xyz/catalog/custom-manifests/kustomization"version = "0.3.0"configuration_base_key = "default"configuration = {default = {resources = ["${path.root}/../../infra/emissary-ingress-init/sre-mgmt-dev"]common_labels = {"env" = "dev"}}}}Test建一個nginx service 測試下
helm install my-nginx bitnami/nginx --set service.type="ClusterIP" -n nginx --create-namespace【云原生之旅 - 9）云原生時代網關的后起之秀Envoy Proxy 和基于Envoy 的 Emissary Ingress】curl
% curl https://dev.wadexu.cloud<!DOCTYPE html><html><head><title>Welcome to nginx!</title><style>html { color-scheme: light dark; }body { width: 35em; margin: 0 auto;font-family: Tahoma, Verdana, Arial, sans-serif; }</style></head><body><h1>Welcome to nginx!</h1><p>If you see this page, the nginx web server is successfully installed andworking. Further configuration is required.</p><p>For online documentation and support please refer to<a >nginx.org</a>.<br/>Commercial support is available at<a >nginx.com</a>.</p><p><em>Thank you for using nginx.</em></p></body></html>FAQ1. 這個error 代表 tls-secret 有問題，確保正確創建
error:1404B42E:SSL routines:ST_CONNECT:tlsv1 alert protocol version2. Connection refused, 最大的可能是 Listeners 沒有配置好。
curl: (7) Failed to connect to dev.wadexu.cloud port 443 after 255 ms: Connection refused3. CRDs 沒創建。
│ Error: unable to build kubernetes objects from release manifest: [resource mapping not found for name: "my-resolver" namespace: "emissary-system" from "": no matches for kind "KubernetesEndpointResolver" in version "getambassador.io/v2"│ ensure CRDs are installed first, resource mapping not found for name: "ambassador" namespace: "emissary-system" from "": no matches for kind "Module" in version "getambassador.io/v2"│ ensure CRDs are installed first]