Istio是由Google, IBM, Lyft开源的Service Mesh项目。 Istio的Introduction中说它是一个用来连接、管理和保护微服务的开放平台。 因为是个人学习Istio的开篇,对Istio概念的第一印象先停留在前面一句话上,本篇的目标是先在我们的k8s集群上部署Istio。
安装Istio
注意Istio还在快速发展,这里安装的是最新的Istio 0.2.9,后续的版本极有可能发生变化,本来也是学习和体验这里就不废话了。 当前的Istio要求在Kubernetes 1.7.4及以上版本,要求k8s集群开启RBAC,另外kubectl的版本也需要是1.7以后的版本。
这里在一个两节点的k8s 1.8.1集群上安装。从Istio 0.2.7开始,Istio被部署在Kubernetes集群的istio-system namespace下,并且在这个命名空间下可以管理所有其他命名空间的微服务。
首先下载Istio的安装包:
wget https://github.com/istio/istio/releases/download/0.2.9/istio-0.2.9-linux.tar.gz
tar -zxvf istio-0.2.9-linux.tar.gz
cd istio-0.2.9解压缩的目录结构如下:
├── bin
│ └── istioctl
├── CONTRIBUTING.md
├── install
│ ├── consul
│ ├── eureka
│ ├── kubernetes
│ ├── README.md
│ └── tools
├── istio.VERSION
├── LICENSE
├── README.md
└── samples
├── bookinfo
├── CONFIG-MIGRATION.md
├── helloworld
├── httpbin
├── README.md
└── sleep- 其中install/kubernetes目录中包含了在k8s集群上部署Istio的
.yaml文件 - bin/istioctl说是用来手动将Envoy作为sidecar proxy注入
下面读一下install/kubernetes/README.md:
cat install/kubernetes/README.md:
# Install Istio on an existing Kubernetes cluster
Please follow the installation instructions from [istio.io](https://istio.io/docs/setup/kubernetes/quick-start.html).
## Directory structure
This directory contains files needed for installing Istio on a Kubernetes cluster.
* istio.yaml - use this file for installation without authentication enabled
* istio-auth.yaml - use this file for installation with authentication enabled
* istio-initializer.yaml - use this file for installation of istio initializer for transparent injection.
* istio-one-namespace.yaml - use this file for installation without authentication enabled. Istio control plane and applications will be in one single namespace, mainly used for testing.
* istio-one-namespace-auth.yaml - use this file for installation with authentication enabled. Istio control plane and applications will be in one single namespace, mainly used for testing.
* templates - directory contains the templates used to generate istio.yaml and istio-auth.yaml
* addons - directory contains optional components (Prometheus, Grafana, Service Graph, Zipkin, Zipkin to Stackdriver)
* updateVersion.sh in the parent directory can be run to regenerate installation files我们先来部署没有mutual TLS authentication的Istio:
kubectl apply -f install/kubernetes/istio.yaml
namespace "istio-system" created
......
deployment "istio-ca" created验证是否部署成功,确认istio-system下的istio-pilot-*, istio-mixer-*, istio-ingress-*, istio-egress-*, istio-ca-*这些Pod处于Running状态。
因为我这里没有部署istio-initializer.yaml,所以忽略istio-initializer-*。
kubectl get pods -n istio-system
NAME READY STATUS RESTARTS AGE
istio-ca-6c4779c95d-sq6sj 1/1 Running 0 5m
istio-egress-f567897c6-tlz4b 1/1 Running 0 5m
istio-ingress-69bbfd76b8-9c24k 1/1 Running 0 5m
istio-mixer-6549f6db4c-x6x4t 2/2 Running 0 5m
istio-pilot-5f74bfb8f4-b7bbf 1/1 Running 0 5m最后将istioctl文件拷贝到/usr/bin目录下。
istioctl version
Version: 0.2.9
GitRevision: 48ce32e6909d120a8ecee58b6b7a84094da36b7c
GitBranch: master
User: root@881c9704f303
GolangVersion: go1.8.3