envoy proxy的配置包含以下四個(gè)部分

1. bootstrap: Envoy proxy啟動(dòng)時(shí)候加載的靜態(tài)配置

Bootstrap 是 Envoy 中配置的根本來(lái)源，Bootstrap 消息中有一個(gè)關(guān)鍵的概念，就是靜態(tài)和動(dòng)態(tài)資源的之間的區(qū)別。

2. listeners: 監(jiān)聽(tīng)器配置，使用LDS下發(fā)

Listener 顧名思義，監(jiān)聽(tīng)器，監(jiān)聽(tīng)的IP地址和端口

關(guān)鍵字段

• address
  改字段定義了服務(wù)的地址和端口
  例如監(jiān)聽(tīng)ingressgateway的的address

    "listener": {
      "name": "0.0.0.0_15443",
      "address": {
       "socket_address": {
        "address": "0.0.0.0",
        "port_value": 15443
       }
    }
  
  

• filter_chains:
  改字段定義了一系列作用在該監(jiān)聽(tīng)服務(wù)上的操作。
  在istio中可以通過(guò)創(chuàng)建envoyfilter來(lái)拓展filter
  例如ingressgateway的filter_chains

      "filter_chains": [
       {
        "filter_chain_match": {
         "server_names": [
          "*.uzone1.region1"
         ]
        },
        "filters": [
         {
          "name": "envoy.filters.network.sni_cluster"
         },
         {
          "name": "mixer",
          "config": {
           "transport": {
            "check_cluster": "outbound|15004||istio-policy.istio-system.svc.cluster.local",
            "network_fail_policy": {
             "policy": "FAIL_CLOSE",
             "max_retry_wait": "1s",
             "base_retry_wait": "0.080s"
            },
            "report_cluster": "outbound|15004||istio-telemetry.istio-system.svc.cluster.local"
           },
           "mixer_attributes": {
            "attributes": {
             "context.reporter.kind": {
              "string_value": "outbound"
             },
             "source.namespace": {
              "string_value": "istio-system"
             },
             "context.reporter.uid": {
              "string_value": "kubernetes://istio-ingressgateway-77bbb77959-f9lgg.istio-system"
             },
             "source.uid": {
              "string_value": "kubernetes://istio-ingressgateway-77bbb77959-f9lgg.istio-system"
             }
            }
           },
           "disable_check_calls": true
          }
         },
         {
          "name": "envoy.filters.network.tcp_cluster_rewrite",
          "config": {
           "cluster_replacement": ".svc.cluster.local",
           "cluster_pattern": "\\.global$"
          }
         },
         {
          "name": "envoy.tcp_proxy",
          "config": {
           "stat_prefix": "BlackHoleCluster",
           "cluster": "BlackHoleCluster"
          }
         }
        ]
       }
      ]
  

其他字段

• 具體其他字段可以參考
  Envoy v2 API reference - listener

3.clusters: 集群配置

Cluster指的是Envoy連接的一組邏輯相同的上游主機(jī), Envoy通過(guò)服務(wù)發(fā)現(xiàn)來(lái)發(fā)現(xiàn)cluster成員。Istio中的ServiceEntry、DestinationRule都會(huì)作用到cluster字段

ServiceEntry配置

apiVersion: networking.istio.io/v1alpha3
kind: ServiceEntry
metadata:
  generation: 1
  name: gzone-productcatalogservice
  namespace: test
spec:
  endpoints:
  - address: 192.xxx.xx.xx
    ports:
      grpc: 35522
  hosts:
  - productcatalogservice.test.global
  location: MESH_INTERNAL
  ports:
  - name: grpc
    number: 3550
    protocol: GRPC
  resolution: DNS

Envoyfilter cluster配置

    {
     "cluster": {
      "name": "outbound_.3550_._.productcatalogservice.test.global",
      "type": "STRICT_DNS",
      "connect_timeout": "10s",
      "circuit_breakers": {
       "thresholds": [
        {
         "max_retries": 1024
        }
       ]
      },
      "dns_refresh_rate": "300s",
      "dns_lookup_family": "V4_ONLY",
      "metadata": {
       "filter_metadata": {
        "istio": {
         "config": "/apis/networking/v1alpha3/namespaces/micro-demo/destination-rule/istio-dr-product"
        }
       }
      },
      "load_assignment": {
       "cluster_name": "outbound_.3550_._.productcatalogservice.test.global",
       "endpoints": [
        {
         "lb_endpoints": [
          {
           "endpoint": {
            "address": {
             "socket_address": {
              "address": "192.xx.xx.xx",
              "port_value": 35522
             }
            }
           },
           "load_balancing_weight": 1
          }
         ],
         "load_balancing_weight": 1
        }
       ]
      }

關(guān)鍵字段

• type：即服務(wù)發(fā)現(xiàn)類(lèi)型，支持的參數(shù)有 STATIC（缺省值）、STRICT_DNS、LOGICAL_DNS、EDS、ORIGINAL_DST。

例如一個(gè)istio ServiceEntry對(duì)應(yīng)的cluster, 指明了流向流向cluster要去的地址

其他字段

• 具體其他字段可以參考
  Envoy v2 API reference - cluster

4.routes： 路由配置

這個(gè)路由配置的作用是，是把流量路由到上面提到過(guò)的cluster中。 可以做重定向、轉(zhuǎn)發(fā)、重試等任務(wù)。

改字段可以通過(guò)istio中的VirtualService字段來(lái)設(shè)置生成，通過(guò)RDS下發(fā)
VirtualService例子
改virtualService吧url 前綴為 /（所有請(qǐng)求）的流量都路由到了frontend

kind: VirtualService
apiVersion: networking.istio.io/v1alpha3
metadata:
  name: frontend-vs
  namespace: test
  selfLink: >-
    /apis/networking.istio.io/v1alpha3/namespaces/micro-demo/virtualservices/frontend-ingress
spec:
  hosts:
    - '*'
  gateways:
    - frontend-gateway
  http:
    - match:
        - uri:
            prefix: /
      route:
        - destination:
            host: frontend
            port:
              number: 80

route例子

      "virtual_hosts": [
       {
        "name": "*:81",
        "domains": [
         "*",
         "*:81"
        ],
        "routes": [
         {
          "match": {
           "prefix": "/"
          },
          "route": {
           "cluster": "outbound|80||frontend.test.svc.cluster.local",
           "timeout": "0s",
           "retry_policy": {
            "retry_on": "connect-failure,refused-stream,unavailable,cancelled,resource-exhausted,retriable-status-codes",
            "num_retries": 2,
            "retry_host_predicate": [
             {
              "name": "envoy.retry_host_predicates.previous_hosts"
             }
            ],
            "host_selection_retry_max_attempts": "5",
            "retriable_status_codes": [
             503
            ]
           },
           "max_grpc_timeout": "0s"
          },
          "metadata": {
           "filter_metadata": {
            "istio": {
             "config": "/apis/networking/v1alpha3/namespaces/test/virtual-service/frontend-vs"
            }
           }
          },
          "decorator": {
           "operation": "frontend.test.svc.cluster.local:80/*"
          },
          "per_filter_config": {
           "mixer": {
            "forward_attributes": {
             "attributes": {
              "destination.service.uid": {
               "string_value": "istio://test/services/frontend"
              },
              "destination.service.host": {
               "string_value": "frontend.test.svc.cluster.local"
              },
              "destination.service.namespace": {
               "string_value": "test"
              },
              "destination.service.name": {
               "string_value": "frontend"
              }
             }
            },
            "disable_check_calls": true
           }
          }
         }
        ]

關(guān)鍵字段

• match：路由匹配參數(shù)。例如 URL prefix（前綴）、path（URL 的完整路徑）、regex（規(guī)則表達(dá)式）等。
• route：這里面配置路由的行為，可以是 route、redirect 和 direct_response，不過(guò)這里面沒(méi)有專(zhuān)門(mén)的一個(gè)配置項(xiàng)用來(lái)配置以上三種行為，而是根據(jù)實(shí)際填充的配置項(xiàng)來(lái)確定的。例如在此處添加 cluster 配置則暗示路由動(dòng)作為”route“，表示將流量路由到該 cluster。詳情請(qǐng)參考 route.RouteAction。

其他字段

• 具體其他字段可以參考
  Envoy v2 API reference - HTTP route configuration。

參考

https://jimmysong.io/istio-handbook/data-plane/envoy-proxy-config-deep-dive.html