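How to convert an nginx Ingress rule with snippets to Istio
I have an Nginx ingress controller and expose services through it, and we plan to switch to Istio for ingress traffic.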
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  annotations:
    nginx.ingress.kubernetes.io/rewrite-target: /$1
    nginx.ingress.kubernetes.io/server-snippet: |
      location ~* "^/" {
        proxy_pass "https://127.0.0.1";
        proxy_set_header Host $http_x_forwarded_host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_connect_timeout 10s;
        proxy_send_timeout 120s;
        proxy_read_timeout 120s;
        client_max_body_size 300m;
      }
  name: foo
spec:
  ingressClassName: bar
  rules:
  - host: foo.bar
  tls:
  - hosts:
    - foo.bar
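This Ingress copies http_x_forwarded_host to Host and sends it to the Nginx ingress.
Any ideas on how to convert this rule to Istio? Thanks.
Marco
Answer
Welcome to SO!
In theory it should be possible using the following Istio building blocks:
- Regex-based rewrite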
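  => EnvoyFilter object, for nginx.ingress.kubernetes.io/rewrite-target
  (an example can be found on GitHub here)
- Forwarding the "X-Forwarded-For/X-Real-IP" headers to the upstream host
  If your application needs to know the real client IP address, use the Gateway Network Topology (Alpha) feature.
Note:
The source manifest file you attached seems to be affected by a known issue of the latest nginx ingress controller, which shows the following error in my environment: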
HTTP_ROUTE
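A migration inventory for the annotations in the question, grouped by the two building blocks the answer names. This is an added example, not code from the question or the answer; the function names and group names are hypothetical, and the parser assumes a single flat location block like the one shown.

```python
import re

# Constructed input: the two annotations from the question's Ingress.
ANNOTATIONS = {
    "nginx.ingress.kubernetes.io/rewrite-target": "/$1",
    "nginx.ingress.kubernetes.io/server-snippet": """
location ~* "^/" {
  proxy_pass "https://127.0.0.1";
  proxy_set_header Host $http_x_forwarded_host;
  proxy_set_header X-Real-IP $remote_addr;
  proxy_connect_timeout 10s;
  proxy_send_timeout 120s;
  proxy_read_timeout 120s;
  client_max_body_size 300m;
}
""",
}
PREFIX = "nginx.ingress.kubernetes.io/"

def parse_directives(snippet):
    """Split one flat location block into (name, [args]) pairs."""
    m = re.search(r"\{(.*)\}", snippet, re.S)
    body = m.group(1) if m else snippet
    pairs = []
    for stmt in body.split(";"):
        tokens = [t.strip('"') for t in re.findall(r'"[^"]*"|\S+', stmt)]
        if tokens:
            pairs.append((tokens[0], tokens[1:]))
    return pairs

def migration_plan(annotations):
    """Group items by the building block the answer names (group names are hypothetical)."""
    plan = {"regex_rewrite": [], "client_ip_header": [],
            "header_from_request": [], "manual_review": []}
    if PREFIX + "rewrite-target" in annotations:
        plan["regex_rewrite"].append(annotations[PREFIX + "rewrite-target"])
    for name, args in parse_directives(annotations.get(PREFIX + "server-snippet", "")):
        value = args[1] if name == "proxy_set_header" and len(args) == 2 else ""
        if value == "$remote_addr":
            plan["client_ip_header"].append(args[0])   # Gateway Network Topology item
        elif value.startswith("$http_"):
            # $http_<name> is a request header, so its value arrives with the request
            plan["header_from_request"].append((args[0], value[6:].replace("_", "-")))
        else:
            plan["manual_review"].append(name)          # not covered by the answer
    return plan
```

The `header_from_request` group is the one to review before porting: here `Host` is filled from `X-Forwarded-Host`, so the Istio side needs a decision on which hops are trusted to set that header.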