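[Note] Last updated on August 22, 2018. The content of this article may be outdated; use it with caution.
Istio has released version 1.0, which is ready for production use, so here is a follow-up. First we need to install Istio on Kubernetes; this walkthrough uses the release-package installation method.
The test environment for this article is Kubernetes 1.11.
The Istio documentation states that Istio 1.0 requires Kubernetes 1.9 or later and needs the Kubernetes CRD (Custom Resource Definition) feature.
1. Installing from the Istio release package
1.1 Downloading the Istio release package
Download and extract the Istio release package:
```bash
wget https://github.com/istio/istio/releases/download/1.0.0/istio-1.0.0-linux.tar.gz
tar -zxvf istio-1.0.0-linux.tar.gz
cd istio-1.0.0
```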
The directory structure after extraction is as follows:
```
├── istio-1.0.0
│   ├── bin
│   │   └── istioctl
│   ├── install
│   │   ├── consul
│   │   ├── gcp
│   │   ├── kubernetes
│   │   ├── README.md
│   │   └── tools
│   ├── istio.VERSION
│   ├── LICENSE
│   ├── README.md
│   ├── samples
│   │   ├── bookinfo
│   │   ├── certs
│   │   ├── CONFIG-MIGRATION.md
│   │   ├── health-check
│   │   ├── helloworld
│   │   ├── httpbin
│   │   ├── https
│   │   ├── kubernetes-blog
│   │   ├── rawvm
│   │   ├── README.md
│   │   ├── sleep
│   │   └── websockets
│   └── tools
│       ├── cache_buster.yaml
│       ├── convert_perf_results.py
│       ├── deb
│       ├── dump_kubernetes.sh
│       ├── githubContrib
│       ├── hyperistio
│       ├── istio-docker.mk
│       ├── license
│       ├── perf_istio_rules.yaml
│       ├── perf_k8svcs.yaml
│       ├── perf_setup.svg
│       ├── README.md
│       ├── rules.yml
│       ├── run_canonical_perf_tests.sh
│       ├── setup_perf_cluster.sh
│       ├── setup_run
│       ├── update_all
│       └── vagrant
```
- The install/kubernetes directory contains the .yaml files for deploying Istio on a k8s cluster.
- istioctl in the bin directory is the Istio client binary, used to manually inject Envoy as a sidecar proxy and to manage routing rules and policies.
Add istioctl to the PATH environment variable; here it is simply copied to /usr/local/bin.
```
cp bin/istioctl /usr/local/bin
istioctl version
Version: 1.0.0
GitRevision: 3a136c90ec5e308f236e0d7ebb5c4c5e405217f4
User: [email protected]
Hub: gcr.io/istio-release
GolangVersion: go1.10.1
BuildStatus: Clean
```
1.2 Installing the Istio CRDs
Install Istio's CRDs (Custom Resource Definitions), then wait a short while for the CRDs to be committed to the kube-apiserver:
```bash
kubectl apply -f install/kubernetes/helm/istio/templates/crds.yaml
```
List the installed CRDs:
```bash
kubectl get CustomResourceDefinition
```
1.3 Installing the Istio core components
Install the Istio core components without enabling mutual TLS authentication between sidecars:
```bash
kubectl apply -f install/kubernetes/istio-demo.yaml
```
1.4 Verifying the installation
Confirm that the Istio Services have been deployed:
```bash
kubectl get svc -n istio-system
```
Confirm that all Istio Pods are in the Running state:
```
kubectl get pod -n istio-system
NAME                                        READY   STATUS      RESTARTS   AGE
grafana-86645d6b4d-j56qg                    1/1     Running     0          12m
istio-citadel-55d9bb9b5f-9x5s2              1/1     Running     0          12m
istio-cleanup-secrets-lvqlg                 0/1     Completed   0          12m
istio-egressgateway-74bbdd9669-wsdhb        1/1     Running     0          12m
istio-galley-d4bc6c974-97h5n                1/1     Running     0          9m
istio-grafana-post-install-hn5w4            0/1     Completed   0          12m
istio-ingressgateway-756584cc64-9wqsx       1/1     Running     0          12m
istio-pilot-7dd78846f5-qbcrq                2/2     Running     0          12m
istio-policy-b9d65465-c2jc6                 2/2     Running     0          12m
istio-sidecar-injector-854f6498d9-22lb8     1/1     Running     0          10m
istio-statsd-prom-bridge-549d687fd9-6lfll   1/1     Running     0          12m
istio-telemetry-64fff55fdd-tx99p            2/2     Running     0          12m
istio-tracing-7596597bd7-5m24x              1/1     Running     0          11m
prometheus-6ffc56584f-mrqpk                 1/1     Running     0          12m
servicegraph-7bdb8bfc9d-xldll               1/1     Running     0          12m
```
1.5 Uninstalling Istio
```bash
kubectl delete -f install/kubernetes/istio-demo.yaml
kubectl delete -f install/kubernetes/helm/istio/templates/crds.yaml -n istio-system
```
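2. Grafana and Jaeger
Looking at the svc and pod resources in the istio-system namespace, we can see that the Istio installation also includes Prometheus, Grafana and Jaeger. We first use an ingress to expose the web UIs of these three services outside the cluster:
Here the three services are exposed outside the cluster through the ingress nginx already deployed in Kubernetes rather than through the Istio Gateway; the Istio Gateway's functionality will be studied separately later.
Store the site's SSL certificate in the istio-system namespace:
```bash
kubectl create secret tls frognew-com-tls-secret --cert=fullchain.pem --key=privkey.pem -n istio-system
```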
```yaml
---
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: jaeger-query
  namespace: istio-system
  annotations:
    nginx.ingress.kubernetes.io/ssl-redirect: "true"
    nginx.ingress.kubernetes.io/secure-backends: "false"
spec:
  rules:
  - host: istio-jaeger.frognew.com
    http:
      paths:
      - path: /
        backend:
          serviceName: jaeger-query
          servicePort: 16686
  tls:
  - hosts:
    - istio-jaeger.frognew.com
    secretName: "frognew-com-tls-secret"
---
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: prometheus
  namespace: istio-system
  annotations:
    nginx.ingress.kubernetes.io/ssl-redirect: "true"
    nginx.ingress.kubernetes.io/secure-backends: "false"
spec:
  rules:
  - host: istio-prometheus.frognew.com
    http:
      paths:
      - path: /
        backend:
          serviceName: prometheus
          servicePort: 9090
  tls:
  - hosts:
    - istio-prometheus.frognew.com
    secretName: "frognew-com-tls-secret"
---
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: grafana
  namespace: istio-system
  annotations:
    nginx.ingress.kubernetes.io/ssl-redirect: "true"
    nginx.ingress.kubernetes.io/secure-backends: "false"
spec:
  rules:
  - host: istio-grafana.frognew.com
    http:
      paths:
      - path: /
        backend:
          serviceName: grafana
          servicePort: 3000
  tls:
  - hosts:
    - istio-grafana.frognew.com
    secretName: "frognew-com-tls-secret"
```
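The three Ingress objects above publish the Prometheus, Grafana and Jaeger UIs on external hostnames with TLS but with no access control configured at the ingress. As an added example (not part of the original post), here is the Prometheus Ingress with ingress-nginx basic authentication and a source-address allowlist; the same annotations apply to the other two. The Secret name `istio-ui-basic-auth` and the CIDR `203.0.113.0/24` are assumed placeholders.

```yaml
# Added example, not part of the original post.
# Prerequisite, run once. The Secret name is a placeholder; the file key must be "auth":
#   htpasswd -c auth <username>
#   kubectl create secret generic istio-ui-basic-auth --from-file=auth -n istio-system
---
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: prometheus
  namespace: istio-system
  annotations:
    nginx.ingress.kubernetes.io/ssl-redirect: "true"
    nginx.ingress.kubernetes.io/secure-backends: "false"
    # Require HTTP basic auth at the ingress before a request reaches Prometheus.
    nginx.ingress.kubernetes.io/auth-type: basic
    nginx.ingress.kubernetes.io/auth-secret: istio-ui-basic-auth
    nginx.ingress.kubernetes.io/auth-realm: "Authentication Required"
    # Accept clients only from this range (constructed documentation CIDR; use your own).
    nginx.ingress.kubernetes.io/whitelist-source-range: "203.0.113.0/24"
spec:
  rules:
  - host: istio-prometheus.frognew.com
    http:
      paths:
      - path: /
        backend:
          serviceName: prometheus
          servicePort: 9090
  tls:
  - hosts:
    - istio-prometheus.frognew.com
    secretName: "frognew-com-tls-secret"
```

With this applied, a request without valid credentials gets a 401 from the ingress controller, and a request from outside the allowed range gets a 403.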

The Prometheus targets page shows that Prometheus is currently monitoring Kubernetes and the core Istio components.

