Introducing ingress to an Istio mesh

I have an Istio mesh with mTLS disabled, containing the following pods and services. I am using kubeadm.

pasan@ubuntu:~$ kubectl get pods --all-namespaces
NAMESPACE NAME READY STATUS RESTARTS AGE
default debug-tools 2/2 Running 0 2h
default employee--debug-deployment-57947cf67-gwpjq 2/2 Running 0 2h
default employee--employee-deployment-5f4d7c9d78-sfmtx 2/2 Running 0 2h
default employee--gateway-deployment-bc646bd84-wnqwq 2/2 Running 0 2h
default employee--salary-deployment-d4969d6c8-lz7n7 2/2 Running 0 2h
default employee--sts-deployment-7bb9b44bf7-lthc8 1/1 Running 0 2h
default hr--debug-deployment-86575cffb6-6wrlf 2/2 Running 0 2h
default hr--gateway-deployment-8c488ff6-827pf 2/2 Running 0 2h
default hr--hr-deployment-596946948d-rzc7z 2/2 Running 0 2h
default hr--sts-deployment-694d7cff97-4nz29 1/1 Running 0 2h
default stock-options--debug-deployment-68b8fccb97-4znlc 2/2 Running 0 2h
default stock-options--gateway-deployment-64974b5fbb-rjrwq 2/2 Running 0 2h
default stock-options--stock-deployment-d5c9d4bc8-dqtrr 2/2 Running 0 2h
default stock-options--sts-deployment-66c4799599-xx9d4 1/1 Running 0 2h

pasan@ubuntu:~$ kubectl get services
NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE
employee--debug-service ClusterIP 10.104.23.141 80/TCP 2h
employee--employee-service ClusterIP 10.96.203.80 80/TCP 2h
employee--gateway-service ClusterIP 10.97.145.188 80/TCP 2h
employee--salary-service ClusterIP 10.110.167.162 80/TCP 2h
employee--sts-service ClusterIP 10.100.145.102 8080/TCP,8081/TCP 2h
hr--debug-service ClusterIP 10.103.81.158 80/TCP 2h
hr--gateway-service ClusterIP 10.106.183.101 80/TCP 2h
hr--hr-service ClusterIP 10.107.136.178 80/TCP 2h
hr--sts-service ClusterIP 10.105.184.100 8080/TCP,8081/TCP 2h
kubernetes ClusterIP 10.96.0.1 443/TCP 2h
stock-options--debug-service ClusterIP 10.111.51.88 80/TCP 2h
stock-options--gateway-service ClusterIP 10.100.81.254 80/TCP 2h
stock-options--stock-service ClusterIP 10.96.189.100 80/TCP 2h
stock-options--sts-service ClusterIP 10.108.59.68 8080/TCP,8081/TCP 2h

I access this service from the debug pod using the following command:

curl -X GET http://hr--gateway-service.default:80/info -H "Authorization: Bearer $token" -v
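
Next, I enabled mTLS in the mesh. As expected, the curl command above failed.

Now I want to set up an ingress controller so that I can access the service mesh as before.

So I set up a Gateway and a VirtualService as follows: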

cat <<EOF | kubectl apply -f -
apiVersion: networking.istio.io/v1alpha3
kind: Gateway
metadata:
  name: hr-ingress-gateway
spec:
  selector:
    istio: ingressgateway # use Istio default gateway implementation
  servers:
  - port:
      number: 80
      name: http
      protocol: HTTP
    hosts:
    - "hr--gateway-service.default"
EOF

cat <<EOF | kubectl apply -f -
apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
  name: hr-ingress-virtual-service
spec:
  hosts:
  - "*"
  gateways:
  - hr-ingress-gateway
  http:
  - match:
    - uri:
        prefix: /info/
    route:
    - destination:
        port:
          number: 80
        host: hr--gateway-service
EOF

But I still get the following output:

wso2carbon@gateway-5bd88fd679-l8jn5:~$ curl -X GET http://hr--gateway-service.default:80/info -H "Authorization: Bearer $token" -v
Note: Unnecessary use of -X or --request, GET is already inferred.
*   Trying 10.106.183.101...
* Connected to hr--gateway-service.default (10.106.183.101) port 80 (#0)
> GET /info HTTP/1.1
> Host: hr--gateway-service.default
> User-Agent: curl/7.47.0
> Accept: */*
...
* Recv failure: Connection reset by peer
* Closing connection 0
curl: (56) Recv failure: Connection reset by peer

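Please let me know whether my ingress is set up correctly and how I can access the service with curl after setting it up. My Ingress services are as follows: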

ingress-nginx default-http-backend ClusterIP 10.105.46.168 80TCP 3h
ingress-nginx ingress-nginx NodePort 10.110.75.131 172.17.17.100 80:30770/TCP,443:32478/TCP
istio-ingressgateway NodePort 10.98.243.205 80:31380/TCP,443:31390/TCP,31400:31400/TCP,15011:31775/TCP,8060:32436/TCP,853:31351/TCP,15030:32149/TCP,15031:32653/TCP 3h

k8s小能手 2019-01-09 14:07:59
1 answer
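    For Istio CRDs (VirtualServices) to be applied to incoming traffic, you need to use Istio's Ingress Gateway as the entry point, as shown here: https://istio.io/docs/tasks/traffic-management/ingress/

    The ingressgateway is a wrapper around Envoy that can be configured using Istio's CRDs.

    Basically, you don't need a second ingress controller; a default one is installed during the installation. Find it by running the following command:

    kubectl get services -n istio-system -l app=istio-ingressgateway

    Then, using the Ingress Gateway IP, run:

    curl -X GET http://{INGRESSGATEWAY_IP}/info -H "Authorization: Bearer $token" -H "Host: hr--gateway-service.default"

    I added the Host as a header because it is defined in the Gateway, which means ingress is allowed only for this host.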

    2019-07-17 23:24:59
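
The Host-header behaviour described in the answer, as an added example that is not part of the original post or Istio's own code: a simplified Python model of how a request reaching the ingress gateway is checked against the Gateway hosts and the VirtualService URI prefix from the question. The function names and result labels are assumptions; real Envoy matching has more rules than shown here.

```python
"""Simplified model: Gateway host allow-list, then VirtualService prefix match."""

# Values copied from the Gateway and VirtualService posted in the question.
GATEWAY_HOSTS = ["hr--gateway-service.default"]
VS_HOSTS = ["*"]
VS_ROUTES = [{"prefix": "/info/", "destination": ("hr--gateway-service", 80)}]


def host_matches(pattern: str, host: str) -> bool:
    """Exact match, "*" for any host, or a "*.suffix" wildcard."""
    pattern, host = pattern.lower(), host.lower()
    if pattern == "*":
        return True
    if pattern.startswith("*."):
        return host.endswith(pattern[1:])
    return pattern == host


def route(host_header: str, path: str):
    """Return (result, destination) for a request arriving at the gateway."""
    # Simplification: drop an optional ":port" suffix (IPv6 literals not handled).
    host = host_header.rsplit(":", 1)[0] if ":" in host_header else host_header
    # 1. The Gateway server exposes only the hosts it lists.
    if not any(host_matches(p, host) for p in GATEWAY_HOSTS):
        return "host-not-exposed", None
    # 2. The VirtualService must also claim the host ("*" claims every host).
    if not any(host_matches(p, host) for p in VS_HOSTS):
        return "host-not-exposed", None
    # 3. The first route whose prefix matches the path (query string excluded) wins.
    for r in VS_ROUTES:
        if path.split("?", 1)[0].startswith(r["prefix"]):
            return "routed", r["destination"]
    return "no-route", None


if __name__ == "__main__":
    # Constructed sample requests.
    samples = [
        ("hr--gateway-service.default", "/info"),
        ("hr--gateway-service.default", "/info/"),
        ("other.example", "/info/"),
    ]
    for host, path in samples:
        print(f"{host:30} {path:8} -> {route(host, path)}")
```

With the posted configuration, a request for `/info` carries the admitted Host but does not start with the `/info/` prefix, so it finds no route; `/info/` is routed, and any other Host is not exposed at all.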