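Istio 1.3.0 Installation and Trial

1. Introduction

The latest Istio release is currently 1.3.0. It supports installation with Helm or Ansible; Helm is recommended because it allows many fine-grained configuration options.

This article demonstrates the installation of Helm 3 and Istio 1.3.

2. Download Helm

Helm 3 differs considerably from Helm 2.14.3 and still seems to have compatibility problems with Istio, so installing Helm 2.14.3 is recommended. All later steps in this article use 2.14.3.

(1) Install Helm 3

Helm 3 is a portable install: download it, unpack it, and the helm command can be run directly.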

mkdir -p ~/helm3
cd ~/helm3
wget https://get.helm.sh/helm-v3.0.0-beta.2-linux-amd64.tar.gz
tar -zxvf helm-v3.0.0-beta.2-linux-amd64.tar.gz
# The archive unpacks into linux-amd64/
cp linux-amd64/helm /usr/local/bin/helm3

(2) Install Helm 2.14.3

mkdir -p ~/helm
cd ~/helm
wget https://get.helm.sh/helm-v2.14.3-linux-amd64.tar.gz
tar -zxvf helm-v2.14.3-linux-amd64.tar.gz
cd linux-amd64
cp helm /usr/local/bin
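# Assumes a "tiller" ServiceAccount already exists in kube-system (this page does not create it).
# --tiller-image replaces the default gcr.io/kubernetes-helm/tiller image with a Docker Hub copy.
helm init --service-account tiller --skip-refresh --tiller-image junolu/tiller:v2.14.3
# Check that the installation succeeded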
helm version

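3. Configure a faster mirror for the Helm charts repository

Add Microsoft's chart repository; it stays closely in sync with the official charts repository.

# Use HTTPS so that the chart index and charts are not fetched in cleartext
helm repo add azure https://mirror.azure.cn/kubernetes/charts/
helm repo update
helm search mysql  # Test that the Helm charts repo is reachable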

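4. Download Istio

Download Istio 1.3.0 from the official site.

mkdir -p /root/istio
cd /root/istio

wget https://github.com/istio/istio/releases/download/1.3.0/istio-1.3.0-linux.tar.gz

tar -xvf istio-1.3.0-linux.tar.gz

# The relative install/ and samples/ paths used below are inside the unpacked directory
cd istio-1.3.0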

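5. Configure the Istio Helm repository

helm repo add istio.io https://storage.googleapis.com/istio-release/releases/1.3.0/charts/

6. Install Istio

Install Istio with the default configuration.

(1). Create the namespace that will hold all Istio components

kubectl create namespace istio-system

(2). Create the CRDs (custom resource definitions)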

helm template install/kubernetes/helm/istio-init  --name istio-init --namespace istio-system | kubectl apply -f -

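or

helm install istio.io/istio-init --name istio-init --namespace=istio-system

(3). Verify that the CRDs were created; there should be 23 in total

kubectl get crds | grep 'istio.io' | wc -l

(4). Install the Istio components

To simplify the installation we use the values-istio-demo-auth.yaml configuration file, which preconfigures Istio's commonly used components.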

helm install install/kubernetes/helm/istio --name istio --namespace istio-system     --values install/kubernetes/helm/istio/values-istio-demo-auth.yaml

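or

helm install istio.io/istio --name istio --namespace=istio-system --set gateways.istio-ingressgateway.type=NodePort --set grafana.enabled=true --set kiali.enabled=true --set tracing.enabled=true

(5). Change the ingress gateway service type

By default the ingress gateway is installed as a LoadBalancer service. In this example Istio is installed on our own Kubernetes cluster, where a load balancer cannot be used, so change the type to NodePort.

# --reuse-values keeps the values from the earlier install; with --set alone, Helm 2 falls back to the chart defaults for everything else
helm upgrade istio install/kubernetes/helm/istio --reuse-values --set gateways.istio-ingressgateway.type=NodePort

or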

kubectl patch service istio-ingressgateway -n istio-system -p '{"spec":{"type":"NodePort"}}'

7. Test with httpbin

(1). Install httpbin

# Create the httpbin pods and services
kubectl apply -f samples/httpbin/httpbin.yaml  --namespace test
kubectl apply -f samples/httpbin/httpbin-gateway.yaml --namespace test

# Modify the gateway as follows
cp httpbin-gateway.yaml  httpbin-gateway1.yaml

[root@centos75 httpbin]# cat httpbin-gateway1.yaml
apiVersion: networking.istio.io/v1alpha3
kind: Gateway
metadata:
  name: httpbin-gateway
spec:
  selector:
    istio: ingressgateway
  servers:
  - port:
      number: 80
      name: http
      protocol: HTTP
    hosts:
    - "httpbin.example.com"
---
apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
  name: httpbin
spec:
  hosts:
  - "httpbin.example.com"
  gateways:
  - httpbin-gateway
  http:
  - match:
    - uri:
        prefix: /status
    - uri:
        prefix: /delay
    route:
    - destination:
        port:
          number: 8000
        host: httpbin
  - route:
    - destination:
        host: httpbin
        port:
          number: 8000
[root@centos75 httpbin]#

# Get the ingress address and port
export INGRESS_HOST=$(kubectl -n istio-system get po -l istio=ingressgateway -o go-template='{{range .items}}{{.status.hostIP}}{{end}}')

export INGRESS_PORT=$(kubectl -n istio-system get svc istio-ingressgateway -o go-template='{{range .spec.ports}}{{if eq .name "http2"}}{{.nodePort}}{{end}}{{end}}')

export GATEWAY_URL=$INGRESS_HOST:$INGRESS_PORT

# Test whether the match route takes effect
curl -I -HHost:httpbin.example.com http://$INGRESS_HOST:$INGRESS_PORT/status/200

(2). Tracing httpbin's traffic path

graph LR
Gateway--hosts,gateway-->VirtualService
VirtualService--hosts,host-->Service
Service--host-->Pod

(a) kubectl describe gateway httpbin-gateway

[root@centos75 ~]# kt describe gw httpbin-gateway
Name:         httpbin-gateway
Namespace:    test
Labels:       <none>
Annotations:  kubectl.kubernetes.io/last-applied-configuration:
                {"apiVersion":"networking.istio.io/v1alpha3","kind":"Gateway","metadata":{"annotations":{},"name":"httpbin-gateway","namespace":"test"},"s...
API Version:  networking.istio.io/v1alpha3
Kind:         Gateway
Metadata:
  Creation Timestamp:  2019-09-13T17:04:46Z
  Generation:          1
  Resource Version:    2771114
  Self Link:           /apis/networking.istio.io/v1alpha3/namespaces/test/gateways/httpbin-gateway
  UID:                 af318455-9246-463e-9d97-736004458250
Spec:
  Selector:
    Istio:  ingressgateway
  Servers:
    Hosts:
      httpbin.example.com                   --(1) must match the hosts of the VirtualService
    Port:
      Name:      http
      Number:    80
      Protocol:  HTTP
Events:          <none>

(b) kubectl describe virtualservice httpbin

[root@centos75 ~]# kt describe vs httpbin
Name:         httpbin
Namespace:    test
Labels:       <none>
Annotations:  kubectl.kubernetes.io/last-applied-configuration:
                {"apiVersion":"networking.istio.io/v1alpha3","kind":"VirtualService","metadata":{"annotations":{},"name":"httpbin","namespace":"test"},"sp...
API Version:  networking.istio.io/v1alpha3
Kind:         VirtualService
Metadata:
  Creation Timestamp:  2019-09-13T17:14:48Z
  Generation:          1
  Resource Version:    2772158
  Self Link:           /apis/networking.istio.io/v1alpha3/namespaces/test/virtualservices/httpbin
  UID:                 e72006ab-45ee-4e63-90a2-6fade656ea60
Spec:
  Gateways:
    httpbin-gateway                         --(2) the Gateway to which this VirtualService's traffic rules apply
  Hosts:
    httpbin.example.com                     --(3) matches the hosts in the Gateway definition
  Http:
    Match:
      Uri:
        Prefix:  /status
      Uri:
        Prefix:  /delay
    Route:
      Destination:
        Host:  httpbin                      --(4) name of the backend Service or ServiceEntry that receives the traffic
        Port:
          Number:  8000                     --(5) receiving port of the backend Service or ServiceEntry
Events:            <none>

(c) kubectl describe service httpbin

[root@centos75 ~]# kt describe svc httpbin
Name:              httpbin
Namespace:         test
Labels:            app=httpbin
Annotations:       kubectl.kubernetes.io/last-applied-configuration:
                     {"apiVersion":"v1","kind":"Service","metadata":{"annotations":{},"labels":{"app":"httpbin"},"name":"httpbin","namespace":"test"},"spec":{"...
Selector:          app=httpbin
Type:              ClusterIP
IP:                172.18.145.175
Port:              http  8000/TCP           --(6) port exposed by the backend Service
TargetPort:        80/TCP                   --(7) port on the backend pod
Endpoints:         192.168.148.94:80
Session Affinity:  None
Events:            <none>

(d) kubectl describe pod httpbin-7d9d5b55b9-52mxb

[root@centos75 ~]# kt describe po httpbin-7d9d5b55b9-52mxb
Name:           httpbin-7d9d5b55b9-52mxb
Namespace:      test
Priority:       0
Node:           centos75/10.0.135.30
Start Time:     Sat, 14 Sep 2019 00:26:47 +0800
Labels:         app=httpbin
                pod-template-hash=7d9d5b55b9
                version=v1
Annotations:    cni.projectcalico.org/podIP: 192.168.148.94/32
                sidecar.istio.io/status:
                  {"version":"610f2b5742375d30d7f484e296fd022086a4c611b5a6b136bcf0758767fefecc","initContainers":["istio-init"],"containers":["istio-proxy"]...
Status:         Running
IP:             192.168.148.94
Controlled By:  ReplicaSet/httpbin-7d9d5b55b9
Init Containers:
  istio-init:
    Container ID:  docker://42c5b3d84755502fe5048477585096ea35a9b33ee88bacde3c5b2241bd9935c9
    Image:         docker.io/istio/proxy_init:1.3.0
    Image ID:      docker-pullable://istio/proxy_init@sha256:aede2a1e5e810e5c0515261320d007ad192a90a6982cf6be8442cf1671475b8a
    Port:          <none>
    Host Port:     <none>
    Args:
      -p
      15001
      -z
      15006
      -u
      1337
      -m
      REDIRECT
      -i
      *
      -x

      -b
      *
      -d
      15020
    State:          Terminated
      Reason:       Completed
      Exit Code:    0
      Started:      Sat, 14 Sep 2019 00:26:48 +0800
      Finished:     Sat, 14 Sep 2019 00:26:49 +0800
    Ready:          True
    Restart Count:  0
    Limits:
      cpu:     100m
      memory:  50Mi
    Requests:
      cpu:        10m
      memory:     10Mi
    Environment:  <none>
    Mounts:
      /var/run/secrets/kubernetes.io/serviceaccount from default-token-r7slk (ro)
Containers:
  httpbin:
    Container ID:   docker://50d746242eb3b1b87c1e40a3059890b6a3c2482334975452e50047010c2cb2c9
    Image:          docker.io/kennethreitz/httpbin
    Image ID:       docker-pullable://kennethreitz/httpbin@sha256:599fe5e5073102dbb0ee3dbb65f049dab44fa9fc251f6835c9990f8fb196a72b
    Port:           80/TCP              --(8) port definition of the pod
    Host Port:      0/TCP
    State:          Running
      Started:      Sat, 14 Sep 2019 00:35:28 +0800
    Ready:          True
    Restart Count:  0
    Environment:    <none>
    Mounts:
      /var/run/secrets/kubernetes.io/serviceaccount from default-token-r7slk (ro)
  istio-proxy:
    Container ID:  docker://84c019f39b6215950acb79e86593cb683d9344929ceabf7d07014586af01f782
    Image:         docker.io/istio/proxyv2:1.3.0
    Image ID:      docker-pullable://istio/proxyv2@sha256:f3f68f9984dc2deb748426788ace84b777589a40025085956eb880c9c3c1c056
    Port:          15090/TCP
    Host Port:     0/TCP
    Args:
      proxy
      sidecar
      --domain
      $(POD_NAMESPACE).svc.cluster.local
      --configPath
      /etc/istio/proxy
      --binaryPath
      /usr/local/bin/envoy
      --serviceCluster
      httpbin.$(POD_NAMESPACE)
      --drainDuration
      45s
      --parentShutdownDuration
      1m0s
      --discoveryAddress
      istio-pilot.istio-system:15010
      --zipkinAddress
      zipkin.istio-system:9411
      --dnsRefreshRate
      300s
      --connectTimeout
      10s
      --proxyAdminPort
      15000
      --concurrency
      2
      --controlPlaneAuthPolicy
      NONE
      --statusPort
      15020
      --applicationPorts
      80
    State:          Running
      Started:      Sat, 14 Sep 2019 00:35:29 +0800
    Ready:          True
    Restart Count:  0
    Limits:
      cpu:     2
      memory:  1Gi
    Requests:
      cpu:      100m
      memory:   128Mi
    Readiness:  http-get http://:15020/healthz/ready delay=1s timeout=1s period=2s #success=1 #failure=30
    Environment:
      POD_NAME:                          httpbin-7d9d5b55b9-52mxb (v1:metadata.name)
      ISTIO_META_POD_PORTS:              [
                                             {"containerPort":80,"protocol":"TCP"}
                                         ]
      ISTIO_META_CLUSTER_ID:             Kubernetes
      POD_NAMESPACE:                     test (v1:metadata.namespace)
      INSTANCE_IP:                        (v1:status.podIP)
      SERVICE_ACCOUNT:                    (v1:spec.serviceAccountName)
      ISTIO_META_POD_NAME:               httpbin-7d9d5b55b9-52mxb (v1:metadata.name)
      ISTIO_META_CONFIG_NAMESPACE:       test (v1:metadata.namespace)
      SDS_ENABLED:                       false
      ISTIO_META_INTERCEPTION_MODE:      REDIRECT
      ISTIO_META_INCLUDE_INBOUND_PORTS:  80
      ISTIO_METAJSON_LABELS:             {"app":"httpbin","pod-template-hash":"7d9d5b55b9","version":"v1"}

      ISTIO_META_WORKLOAD_NAME:          httpbin
      ISTIO_META_OWNER:                  kubernetes://api/apps/v1/namespaces/test/deployments/httpbin
    Mounts:
      /etc/certs/ from istio-certs (ro)
      /etc/istio/proxy from istio-envoy (rw)
      /var/run/secrets/kubernetes.io/serviceaccount from default-token-r7slk (ro)
Conditions:
  Type              Status
  Initialized       True
  Ready             True
  ContainersReady   True
  PodScheduled      True
Volumes:
  default-token-r7slk:
    Type:        Secret (a volume populated by a Secret)
    SecretName:  default-token-r7slk
    Optional:    false
  istio-envoy:
    Type:       EmptyDir (a temporary directory that shares a pod's lifetime)
    Medium:     Memory
    SizeLimit:  <unset>
  istio-certs:
    Type:        Secret (a volume populated by a Secret)
    SecretName:  istio.default
    Optional:    true
QoS Class:       Burstable
Node-Selectors:  <none>
Tolerations:     node.kubernetes.io/not-ready:NoExecute for 300s
                 node.kubernetes.io/unreachable:NoExecute for 300s
Events:          <none>
[root@centos75 ~]#
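
The relations (1) to (8) annotated in the describe output above can be checked mechanically. The following Python code is an added example, not part of the original article or of Istio; the function name check_chain and the sample objects are constructed for illustration, and it assumes exact host matching (or "*") and a numeric targetPort.

```python
# Added example. Inputs have the shape of `kubectl get <kind> <name> -o json`.
def check_chain(gateway, vs, service, pod):
    """Return a list of mismatches; empty means traffic can flow end to end."""
    problems = []
    gw_name = gateway["metadata"]["name"]
    gw_hosts = {h for s in gateway["spec"]["servers"] for h in s["hosts"]}
    # (2) the VirtualService must name the Gateway it attaches to
    if gw_name not in vs["spec"].get("gateways", []):
        problems.append(f"VirtualService is not bound to gateway {gw_name}")
    # (1)/(3) at least one host must be shared (exact match or "*" only)
    if "*" not in gw_hosts and not gw_hosts & set(vs["spec"]["hosts"]):
        problems.append("Gateway and VirtualService share no host")
    svc_name = service["metadata"]["name"]
    svc_ports = {p["port"]: p["targetPort"] for p in service["spec"]["ports"]}
    pod_ports = {p["containerPort"] for c in pod["spec"]["containers"]
                 for p in c.get("ports", [])}
    for rule in vs["spec"]["http"]:
        for route in rule["route"]:
            dest = route["destination"]
            # (4) destination host must be the Service (short or FQDN form)
            if dest["host"].split(".")[0] != svc_name:
                problems.append(f"destination host {dest['host']} is not {svc_name}")
                continue
            # (5)/(6) port must be a Service port; omittable only for one-port Services
            port = dest.get("port", {}).get("number")
            if port is None and len(svc_ports) == 1:
                port = next(iter(svc_ports))
            if port not in svc_ports:
                problems.append(f"destination port {port} is not a Service port")
            # (7)/(8) the Service targetPort must be a containerPort of the pod
            elif svc_ports[port] not in pod_ports:
                problems.append(f"targetPort {svc_ports[port]} is not exposed by the pod")
    # The Service only selects the pod if every selector label matches
    labels = pod["metadata"].get("labels", {})
    if any(labels.get(k) != v for k, v in service["spec"]["selector"].items()):
        problems.append("Service selector does not match the pod labels")
    return problems

# Constructed sample objects carrying the values shown in the describe output
GATEWAY = {"metadata": {"name": "httpbin-gateway"},
           "spec": {"servers": [{"hosts": ["httpbin.example.com"]}]}}
VS = {"spec": {"hosts": ["httpbin.example.com"], "gateways": ["httpbin-gateway"],
               "http": [{"route": [{"destination":
                         {"host": "httpbin", "port": {"number": 8000}}}]}]}}
SERVICE = {"metadata": {"name": "httpbin"}, "spec": {"selector": {"app": "httpbin"},
           "ports": [{"port": 8000, "targetPort": 80}]}}
POD = {"metadata": {"labels": {"app": "httpbin", "version": "v1"}},
       "spec": {"containers": [{"ports": [{"containerPort": 80}]}]}}
print(check_chain(GATEWAY, VS, SERVICE, POD) or "chain is consistent")
```

A route that points at the pod port (80) instead of the Service port (8000) is reported as "destination port 80 is not a Service port".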

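8. Uninstall Istio

(1) Uninstall the Istio releases with Helm

# Helm 2.14.3 syntax; Helm 3 renamed this command to "helm uninstall"
helm delete --purge istio
helm delete --purge istio-init

(2) Uninstall Istio manually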

kubectl delete crds `kubectl get crds -o custom-columns=NAME:.metadata.name --no-headers|grep istio`

kubectl delete clusterroles `kubectl get clusterroles -o custom-columns=NAME:.metadata.name --no-headers|grep istio`

kubectl delete clusterrolebindings `kubectl get clusterrolebindings -o custom-columns=NAME:.metadata.name --no-headers|grep istio`

kubectl delete mutatingwebhookconfigurations `kubectl get mutatingwebhookconfigurations -o custom-columns=NAME:.metadata.name --no-headers|grep istio`

kubectl delete clusterroles kiali
kubectl delete clusterroles kiali-viewer

kubectl delete ns istio-system