【Istio Network CRD VirtualService、Envoyfilter】

VirtualService brief introduction ：

VirtualService A series of traffic routing rules for specified services are defined . Each routing rule matches rules for a specific protocol . If the flow meets these characteristics , It will be sent to the target service in the service registry according to the routing rules .

hosts

string[] Required fields ： Target host of traffic . It can be prefixed with wildcards DNS name , It can also be IP
Address . According to the platform , Short names may also be used instead of FQDN. In this case , Short name to FQDN
The specific conversion process of depends on the lower platform . A host name can only be in one VirtualService In the definition of . The same VirtualService
Can be used to control multiple HTTP and TCP The traffic attribute of the port . Kubernetes Attention of users ： When using the short name of a service （ For example, using
reviews, instead of reviews.default.svc.cluster.local）,Istio
This name will be handled according to the namespace of the rule , Not the namespace where the service is located . hypothesis “default” A rule of namespace contains a reviews Of
host quote , It will be regarded as reviews.default.svc.cluster.local, Without considering reviews
The namespace of the service . To avoid possible misconfiguration , It is recommended to use FQDN To make a service reference . hosts Field pair HTTP and TCP
Services are effective . Services in the grid are those registered in the service registry , Must use their registered name for reference ; Only Gateway Defined services can be used IP
Address .

gateways

string[] Gateway Name list ,Sidecar Routes will be used accordingly .VirtualService Object can be used for
Sidecar, It can also be used for one or more Gateway. The selection conditions disclosed here can be covered in the routing filter conditions related to the Protocol . Reserved words mesh
Used to refer to all in the grid Sidecar. When this field is omitted , The default value will be used （mesh）, That is, for all in the grid Sidecar
take effect . If provided gateways Field , This rule will only apply to declared Gateway In . Make the rules right at the same time Gateway
And in Grid Services , You need to explicitly set mesh Join in gateways list .

http

HTTPRoute[] HTTP An ordered list of traffic rules . This list prefixes names with http-、http2-、grpc- Service port for , Or the agreement is
HTTP、HTTP2、GRPC And the end TLS, There are also uses HTTP、HTTP2 as well as GRPC Agreed ServiceEntry
It's all valid . The first rule matched will be used for incoming traffic .

tls

TLSRoute[] One has a sequence table , The corresponding is through transmission TLS and HTTPS Traffic . The routing process usually utilizes ClientHello In the news SNI
To complete .TLS Routing is usually used in https-、tls- Prefixed platform service port , Or by Gateway Transparent HTTPS、TLS
Protocol port , And the use of HTTPS perhaps TLS Agreed ServiceEntry On port . Be careful ： There's no connection VirtualService Of
https- perhaps tls- Port traffic is considered transparent TCP Traffic .

tcp

`TCPRoute[] One is for penetration TCP An ordered routing list of traffic .TCP Route to all HTTP and TLS
Other ports take effect . The first rule matched will be used for incoming traffic .

Envoyfilter brief introduction

EnvoyFilter Object describes the filter for the proxy service , These filters can be customized by Istio Pilot
Generated proxy configuration . This function must be used with caution . Once the wrong configuration content is propagated , The whole service grid may be paralyzed .

notes 1： This configuration is very fragile , Therefore, there will be no backward compatibility . This configuration is used for Istio The internal implementation of the network system is changed .

notes 2： If there are more than one EnvoyFilter
Bound to the same workload , All configurations will be processed in the order of creation time . If there is a conflict between multiple configurations , There will be unpredictable consequences .

workloadLabels

map<string, string> One or more labels , Used to identify a group of
Pod/ virtual machine . The agents in this set of workload instances will be configured with additional filter configurations . The search scope of the tag is platform related . For example, in Kubernetes
in , The effective scope will include all accessible namespaces . If you omit this field , The configuration will be applied to all in the grid Envoy In the proxy instance . Be careful ： Only one should be used for a workload
EnvoyFilter. If more than one EnvoyFilter Bound to the same workload , Will produce unpredictable behavior .

filters

EnvoyFilter.Filter[] Required fields . To be added to the specified listener Envoy Network filter /HTTP Filter configuration information . When http
When the connection is added to the network filter , Care should be taken to ensure that the filter is older than envoy.httpconnectionmanager.