成功最有效的方法就是向有经验的人学习!

http-corsFilter和vs资源的使用

什么是cors filter

cors是 Cross-origin resource sharing ,即跨域资源共享,是用来不同域名之间共享资源的一种机制。cors filter是envoy的一个http filter,name为 envoy.filters.http.cors ,type url是固定的envoy.extensions.filters.http.cors.v3.Cors .这里对cors的实现机制不做介绍,大家可以百度。

配置说明

allow_origin_string_match:   允许共享的客户端域名
allow_methods: "GET,OPTIONS"  允许请求的方法
allow_headers: "content-type"  请求允许的头
allow_credentials: true        是否允许cookie
exposeHeaders:   暴露给调用者的response 头
- test
- test2
max_age: "60"    共享生效时间,在这个时间内不用发送option请求,可以直接掉
filter_enabled:  是否生效
  default_value:
    numerator: 0   生效百分比
    denominator: HUNDRED  单位
shadow_enabled:  记录日志是否生效
  default_value:
    numerator: 100  生效百分比
    denominator: HUNDRED   单位

实战

简单请求

virtualservice实现

apiVersion: networking.istio.io/v1beta1
kind: VirtualService
metadata:
  name: bookinfo
spec:
  exportTo:
  - '*'
  gateways:
  - bookinfo-gateway
  hosts:
  - '*'
  http:
  - match:
    - uri:
        exact: /productpage
    - uri:
        prefix: /static
    - uri:
        exact: /login
    - uri:
        exact: /logout
    - uri:
        prefix: /api/v1/products
    corsPolicy:
      allowOrigins:
      - exact: "http://192.168.229.134:80"
    route:
    - destination:
        host: productpage
        port:
          number: 9080

envoyfilter实现

cat << EOF > ef-cors-allow_origin_string_match.yaml
apiVersion: networking.istio.io/v1alpha3
kind: EnvoyFilter
metadata:
  name: cors
spec:
  workloadSelector:
    labels:
      istio: ingressgateway
  configPatches:
  - applyTo: NETWORK_FILTER
    match:
      listener:
        name: 0.0.0.0_8080  
        filterChain:
          filter:
            name: "envoy.filters.network.http_connection_manager"
    patch:
      operation: MERGE
      value:
        name: envoy.filters.network.http_connection_manager
        typed_config:
          "@type": "type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager"
          codec_type: AUTO
          stat_prefix: ingress_http
          route_config:
            name: local_route
            virtual_hosts:
            - name: local_route
              domains:
              - "*"
              cors:
                allow_origin_string_match:
                - exact: "http://192.168.229.134"
                filter_enabled:
                  default_value:
                    numerator: 100
                    denominator: HUNDRED
              routes:
              - match:
                  path: "/productpage"
                route:
                  cluster: outbound|9080||productpage.istio.svc.cluster.local
              - match:
                  prefix: "/static"
                route:
                  cluster: outbound|9080||productpage.istio.svc.cluster.local
              - match:
                  path: "/login"
                route:
                  cluster: outbound|9080||productpage.istio.svc.cluster.local
              - match:
                  path: "/logout"
                route:
                  cluster: outbound|9080||productpage.istio.svc.cluster.local
              - match:
                  prefix: "/api/v1/products"
                route:
                  cluster: outbound|9080||productpage.istio.svc.cluster.local
EOF

kubectl apply -f ef-cors-allow_origin_string_match.yaml -n istio-system --context context-cluster1

简单请求allowCredentials

virtualservice实现

apiVersion: networking.istio.io/v1beta1
kind: VirtualService
metadata:
  name: bookinfo
spec:
  exportTo:
  - '*'
  gateways:
  - bookinfo-gateway
  hosts:
  - '*'
  http:
  - match:
    - uri:
        exact: /productpage
    - uri:
        prefix: /static
    - uri:
        exact: /login
    - uri:
        exact: /logout
    - uri:
        prefix: /api/v1/products
    corsPolicy:
      allowCredentials: true
      allowOrigins:
      - exact: "http://192.168.229.134"
    route:
    - destination:
        host: productpage
        port:
          number: 9080

envoyfilter实现

cat << EOF > ef-cors-allowCredentials.yaml
apiVersion: networking.istio.io/v1alpha3
kind: EnvoyFilter
metadata:
  name: cors
spec:
  workloadSelector:
    labels:
      istio: ingressgateway
  configPatches:
  - applyTo: NETWORK_FILTER
    match:
      listener:
        name: 0.0.0.0_8080  
        filterChain:
          filter:
            name: "envoy.filters.network.http_connection_manager"
    patch:
      operation: MERGE
      value:
        name: envoy.filters.network.http_connection_manager
        typed_config:
          "@type": "type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager"
          codec_type: AUTO
          stat_prefix: ingress_http
          route_config:
            name: local_route
            virtual_hosts:
            - name: local_route
              domains:
              - "*"
              cors:
                allow_origin_string_match:
                - exact: "http://192.168.229.134"
                allow_credentials: true
                filter_enabled:
                  default_value:
                    numerator: 100
                    denominator: HUNDRED
              routes:
              - match:
                  path: "/productpage"
                route:
                  cluster: outbound|9080||productpage.istio.svc.cluster.local
              - match:
                  prefix: "/static"
                route:
                  cluster: outbound|9080||productpage.istio.svc.cluster.local
              - match:
                  path: "/login"
                route:
                  cluster: outbound|9080||productpage.istio.svc.cluster.local
              - match:
                  path: "/logout"
                route:
                  cluster: outbound|9080||productpage.istio.svc.cluster.local
              - match:
                  prefix: "/api/v1/products"
                route:
                  cluster: outbound|9080||productpage.istio.svc.cluster.local
EOF

kubectl apply -f ef-cors-allowCredentials.yaml -n istio-system --context context-cluster1

简单请求allowOrigins prefix

virtualservice实现

apiVersion: networking.istio.io/v1beta1
kind: VirtualService
metadata:
  name: bookinfo
spec:
  exportTo:
  - '*'
  gateways:
  - bookinfo-gateway
  hosts:
  - '*'
  http:
  - match:
    - uri:
        exact: /productpage
    - uri:
        prefix: /static
    - uri:
        exact: /login
    - uri:
        exact: /logout
    - uri:
        prefix: /api/v1/products
    corsPolicy:
      allowOrigins:
      - prefix: "http://192"
    route:
    - destination:
        host: productpage
        port:
          number: 9080

envoyfilter实现

cat << EOF > ef-cors-allow_origin_string_match-prefix.yaml
apiVersion: networking.istio.io/v1alpha3
kind: EnvoyFilter
metadata:
  name: cors
spec:
  workloadSelector:
    labels:
      istio: ingressgateway
  configPatches:
  - applyTo: NETWORK_FILTER
    match:
      listener:
        name: 0.0.0.0_8080  
        filterChain:
          filter:
            name: "envoy.filters.network.http_connection_manager"
    patch:
      operation: MERGE
      value:
        name: envoy.filters.network.http_connection_manager
        typed_config:
          "@type": "type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager"
          codec_type: AUTO
          stat_prefix: ingress_http
          route_config:
            name: local_route
            virtual_hosts:
            - name: local_route
              domains:
              - "*"
              cors:
                allow_origin_string_match:
                - prefix: "http://192"
                allow_credentials: true
                filter_enabled:
                  default_value:
                    numerator: 100
                    denominator: HUNDRED
              routes:
              - match:
                  path: "/productpage"
                route:
                  cluster: outbound|9080||productpage.istio.svc.cluster.local
              - match:
                  prefix: "/static"
                route:
                  cluster: outbound|9080||productpage.istio.svc.cluster.local
              - match:
                  path: "/login"
                route:
                  cluster: outbound|9080||productpage.istio.svc.cluster.local
              - match:
                  path: "/logout"
                route:
                  cluster: outbound|9080||productpage.istio.svc.cluster.local
              - match:
                  prefix: "/api/v1/products"
                route:
                  cluster: outbound|9080||productpage.istio.svc.cluster.local
EOF

kubectl apply -f ef-cors-allow_origin_string_match-prefix.yaml -n istio-system --context context-cluster1

简单请求allowOrigins regex

virtualservice实现

apiVersion: networking.istio.io/v1beta1
kind: VirtualService
metadata:
  name: bookinfo
spec:
  exportTo:
  - '*'
  gateways:
  - bookinfo-gateway
  hosts:
  - '*'
  http:
  - match:
    - uri:
        exact: /productpage
    - uri:
        prefix: /static
    - uri:
        exact: /login
    - uri:
        exact: /logout
    - uri:
        prefix: /api/v1/products
    corsPolicy:
      allowOrigins:
      - regex: ".*"
    route:
    - destination:
        host: productpage
        port:
          number: 9080

envoyfilter实现

cat << EOF > ef-cors-allow_origin_string_match-regex.yaml
apiVersion: networking.istio.io/v1alpha3
kind: EnvoyFilter
metadata:
  name: cors
spec:
  workloadSelector:
    labels:
      istio: ingressgateway
  configPatches:
  - applyTo: NETWORK_FILTER
    match:
      listener:
        name: 0.0.0.0_8080  
        filterChain:
          filter:
            name: "envoy.filters.network.http_connection_manager"
    patch:
      operation: MERGE
      value:
        name: envoy.filters.network.http_connection_manager
        typed_config:
          "@type": "type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager"
          codec_type: AUTO
          stat_prefix: ingress_http
          route_config:
            name: local_route
            virtual_hosts:
            - name: local_route
              domains:
              - "*"
              cors:
                allow_origin_string_match:
                - safeRegex:
                    googleRe2: {}
                    regex: .*
                allow_credentials: true
                filter_enabled:
                  default_value:
                    numerator: 100
                    denominator: HUNDRED
              routes:
              - match:
                  path: "/productpage"
                route:
                  cluster: outbound|9080||productpage.istio.svc.cluster.local
              - match:
                  prefix: "/static"
                route:
                  cluster: outbound|9080||productpage.istio.svc.cluster.local
              - match:
                  path: "/login"
                route:
                  cluster: outbound|9080||productpage.istio.svc.cluster.local
              - match:
                  path: "/logout"
                route:
                  cluster: outbound|9080||productpage.istio.svc.cluster.local
              - match:
                  prefix: "/api/v1/products"
                route:
                  cluster: outbound|9080||productpage.istio.svc.cluster.local
EOF

kubectl apply -f ef-cors-allow_origin_string_match-regex.yaml -n istio-system --context context-cluster1

简单请求exposeHeaders

virtualservice实现

apiVersion: networking.istio.io/v1beta1
kind: VirtualService
metadata:
  name: bookinfo
spec:
  exportTo:
  - '*'
  gateways:
  - bookinfo-gateway
  hosts:
  - '*'
  http:
  - match:
    - uri:
        exact: /productpage
    - uri:
        prefix: /static
    - uri:
        exact: /login
    - uri:
        exact: /logout
    - uri:
        prefix: /api/v1/products
    corsPolicy:
      allowOrigins:
      - exact: "http://192.168.229.134"
      exposeHeaders: 
      - test
      - test2
    route:
    - destination:
        host: productpage
        port:
          number: 9080

envoyfilter实现

cat << EOF > ef-cors-exposeHeaders.yaml
apiVersion: networking.istio.io/v1alpha3
kind: EnvoyFilter
metadata:
  name: cors
spec:
  workloadSelector:
    labels:
      istio: ingressgateway
  configPatches:
  - applyTo: NETWORK_FILTER
    match:
      listener:
        name: 0.0.0.0_8080  
        filterChain:
          filter:
            name: "envoy.filters.network.http_connection_manager"
    patch:
      operation: MERGE
      value:
        name: envoy.filters.network.http_connection_manager
        typed_config:
          "@type": "type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager"
          codec_type: AUTO
          stat_prefix: ingress_http
          route_config:
            name: local_route
            virtual_hosts:
            - name: local_route
              domains:
              - "*"
              cors:
                allow_origin_string_match:
                - safeRegex:
                    googleRe2: {}
                    regex: .*
                exposeHeaders: test,test2
                filter_enabled:
                  default_value:
                    numerator: 100
                    denominator: HUNDRED
              routes:
              - match:
                  path: "/productpage"
                route:
                  cluster: outbound|9080||productpage.istio.svc.cluster.local
              - match:
                  prefix: "/static"
                route:
                  cluster: outbound|9080||productpage.istio.svc.cluster.local
              - match:
                  path: "/login"
                route:
                  cluster: outbound|9080||productpage.istio.svc.cluster.local
              - match:
                  path: "/logout"
                route:
                  cluster: outbound|9080||productpage.istio.svc.cluster.local
              - match:
                  prefix: "/api/v1/products"
                route:
                  cluster: outbound|9080||productpage.istio.svc.cluster.local
EOF

kubectl apply -f ef-cors-exposeHeaders.yaml -n istio-system --context context-cluster1

非简单请求

virtualservice实现

apiVersion: networking.istio.io/v1beta1
kind: VirtualService
metadata:
  name: bookreviews
spec:
  exportTo:
  - '*'
  gateways:
  - bookinfo-gateway
  hosts:
  - '*'
  http:
  - match:
    - uri:
        prefix: /reviews
    corsPolicy:
      allowOrigins:
      - exact: "http://192.168.229.134"
      allowMethods:
      - GET
      - OPTIONS
      maxAge: "1m"
      allowHeaders:
      - content-type
    route:
    - destination:
        host: reviews
        port:
          number: 9080

envoyfilter实现

cat << EOF > ef-cors-not-simple.yaml
apiVersion: networking.istio.io/v1alpha3
kind: EnvoyFilter
metadata:
  name: cors
spec:
  workloadSelector:
    labels:
      istio: ingressgateway
  configPatches:
  - applyTo: NETWORK_FILTER
    match:
      listener:
        name: 0.0.0.0_8080  
        filterChain:
          filter:
            name: "envoy.filters.network.http_connection_manager"
    patch:
      operation: MERGE
      value:
        name: envoy.filters.network.http_connection_manager
        typed_config:
          "@type": "type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager"
          codec_type: AUTO
          stat_prefix: ingress_http
          route_config:
            name: local_route
            virtual_hosts:
            - name: local_route
              domains:
              - "*"
              cors:
                allow_origin_string_match:
                - exact: "http://192.168.229.134"
                allow_methods: "GET,OPTIONS"
                allow_headers: "content-type"
                max_age: "60"
                filter_enabled:
                  default_value:
                    numerator: 100
                    denominator: HUNDRED
              routes:
              - match:
                  prefix: "/reviews"
                route:
                  cluster: outbound|9080||productpage.istio.svc.cluster.local
EOF

kubectl apply -f ef-cors-not-simple.yaml -n istio-system --context context-cluster1

shadow_enabled

vs无法实现

envoyfilter实现

cat << EOF > ef-cors-shadow.yaml
apiVersion: networking.istio.io/v1alpha3
kind: EnvoyFilter
metadata:
  name: cors
spec:
  workloadSelector:
    labels:
      istio: ingressgateway
  configPatches:
  - applyTo: NETWORK_FILTER
    match:
      listener:
        name: 0.0.0.0_8080  
        filterChain:
          filter:
            name: "envoy.filters.network.http_connection_manager"
    patch:
      operation: MERGE
      value:
        name: envoy.filters.network.http_connection_manager
        typed_config:
          "@type": "type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager"
          codec_type: AUTO
          stat_prefix: ingress_http
          route_config:
            name: local_route
            virtual_hosts:
            - name: local_route
              domains:
              - "*"
              cors:
                allow_origin_string_match:
                - exact: "http://192.168.229.134"
                allow_methods: "GET,OPTIONS"
                allow_headers: "content-type"
                max_age: "60"
                filter_enabled:
                  default_value:
                    numerator: 0
                    denominator: HUNDRED
                shadow_enabled:
                  default_value:
                    numerator: 100
                    denominator: HUNDRED                
              routes:
              - match:
                  prefix: "/reviews"
                route:
                  cluster: outbound|9080||productpage.istio.svc.cluster.local
EOF

kubectl apply -f ef-cors-shadow.yaml -n istio-system --context context-cluster1
赞(1) 打赏
未经允许不得转载:陈桂林博客 » http-corsFilter和vs资源的使用
分享到

大佬们的评论 抢沙发

全新“一站式”建站,高质量、高售后的一条龙服务

微信 抖音 支付宝 百度 头条 快手全平台打通信息流

橙子建站.极速智能建站8折购买虚拟主机

觉得文章有用就打赏一下文章作者

非常感谢你的打赏,我们将继续给力更多优质内容,让我们一起创建更加美好的网络世界!

支付宝扫一扫打赏

微信扫一扫打赏

登录

找回密码

注册