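Istio has released version 1.0, which is ready for production use, so this post follows up on it. First we need to install Istio on Kubernetes; here we try the installation based on the release package. The test environment for this post is Kubernetes 1.11.

The Istio documentation states that Istio 1.0 requires Kubernetes 1.9 or later and depends on the Kubernetes CRD (Custom Resource Definition) feature.

1. Installing with the Istio release package

1.1 Download the Istio release package

Download and extract the Istio release package: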

wget https://github.com/istio/istio/releases/download/1.0.0/istio-1.0.0-linux.tar.gz
tar -zxvf istio-1.0.0-linux.tar.gz
cd istio-1.0.0

The directory structure after extraction is as follows:

├── istio-1.0.0
│   ├── bin
│   │   └── istioctl
│   ├── install
│   │   ├── consul
│   │   ├── gcp
│   │   ├── kubernetes
│   │   ├── README.md
│   │   └── tools
│   ├── istio.VERSION
│   ├── LICENSE
│   ├── README.md
│   ├── samples
│   │   ├── bookinfo
│   │   ├── certs
│   │   ├── CONFIG-MIGRATION.md
│   │   ├── health-check
│   │   ├── helloworld
│   │   ├── httpbin
│   │   ├── https
│   │   ├── kubernetes-blog
│   │   ├── rawvm
│   │   ├── README.md
│   │   ├── sleep
│   │   └── websockets
│   └── tools
│       ├── cache_buster.yaml
│       ├── convert_perf_results.py
│       ├── deb
│       ├── dump_kubernetes.sh
│       ├── githubContrib
│       ├── hyperistio
│       ├── istio-docker.mk
│       ├── license
│       ├── perf_istio_rules.yaml
│       ├── perf_k8svcs.yaml
│       ├── perf_setup.svg
│       ├── README.md
│       ├── rules.yml
│       ├── run_canonical_perf_tests.sh
│       ├── setup_perf_cluster.sh
│       ├── setup_run
│       ├── update_all
│       └── vagrant
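  • The install/kubernetes directory contains the .yaml files for deploying Istio on a k8s cluster
  • istioctl in the bin directory is the Istio client binary, used to manually inject Envoy as a sidecar proxy and to manage routing rules and policies

Add istioctl to the PATH environment variable; here we simply copy it to /usr/local/bin.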

cp bin/istioctl /usr/local/bin

istioctl version
Version: 1.0.0
GitRevision: 3a136c90ec5e308f236e0d7ebb5c4c5e405217f4
User: [email protected]
Hub: gcr.io/istio-release
GolangVersion: go1.10.1
BuildStatus: Clean

1.2 Install the Istio CRDs

Install the Istio CRDs (Custom Resource Definitions), then wait a while for the CRDs to be committed to kube-apiserver:

kubectl apply -f install/kubernetes/helm/istio/templates/crds.yaml

List the installed CRDs:

kubectl get CustomResourceDefinition

1.3 Install the Istio core components

Install the Istio core components without enabling mutual TLS authentication between sidecars:

kubectl apply -f install/kubernetes/istio-demo.yaml

1.4 Verify the installation

Confirm that the Istio-related Services have been deployed:

kubectl get svc -n istio-system

Confirm that the Istio-related Pods are all in the Running state:

kubectl get pod -n istio-system
NAME                                        READY     STATUS      RESTARTS   AGE
grafana-86645d6b4d-j56qg                    1/1       Running     0          12m
istio-citadel-55d9bb9b5f-9x5s2              1/1       Running     0          12m
istio-cleanup-secrets-lvqlg                 0/1       Completed   0          12m
istio-egressgateway-74bbdd9669-wsdhb        1/1       Running     0          12m
istio-galley-d4bc6c974-97h5n                1/1       Running     0          9m
istio-grafana-post-install-hn5w4            0/1       Completed   0          12m
istio-ingressgateway-756584cc64-9wqsx       1/1       Running     0          12m
istio-pilot-7dd78846f5-qbcrq                2/2       Running     0          12m
istio-policy-b9d65465-c2jc6                 2/2       Running     0          12m
istio-sidecar-injector-854f6498d9-22lb8     1/1       Running     0          10m
istio-statsd-prom-bridge-549d687fd9-6lfll   1/1       Running     0          12m
istio-telemetry-64fff55fdd-tx99p            2/2       Running     0          12m
istio-tracing-7596597bd7-5m24x              1/1       Running     0          11m
prometheus-6ffc56584f-mrqpk                 1/1       Running     0          12m
servicegraph-7bdb8bfc9d-xldll               1/1       Running     0          12m

1.5 Uninstall Istio

kubectl delete -f install/kubernetes/istio-demo.yaml

kubectl delete -f install/kubernetes/helm/istio/templates/crds.yaml -n istio-system

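2. Grafana and Jaeger

Looking at the svc and pod resources in the istio-system namespace, we can see that the Istio installation also includes Prometheus, Grafana and Jaeger. We first use ingress to expose the web UIs of these three services outside the cluster:

Here the three services are exposed outside the cluster with the ingress nginx already deployed in Kubernetes, not with the Istio Gateway; we will study the Istio Gateway's features separately later.

Store the site's SSL certificate in the istio-system namespace: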

kubectl create secret tls frognew-com-tls-secret --cert=fullchain.pem --key=privkey.pem -n istio-system
---
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: jaeger-query
  namespace: istio-system
  annotations:
    nginx.ingress.kubernetes.io/ssl-redirect: "true"
    nginx.ingress.kubernetes.io/secure-backends: "false"
spec:
  rules:
  - host: istio-jaeger.frognew.com
    http:
      paths:
      - path: /
        backend:
          serviceName: jaeger-query
          servicePort: 16686
  tls:
  - hosts: 
    - istio-jaeger.frognew.com
    secretName: "frognew-com-tls-secret"

---
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: prometheus
  namespace: istio-system
  annotations:
    nginx.ingress.kubernetes.io/ssl-redirect: "true"
    nginx.ingress.kubernetes.io/secure-backends: "false"
spec:
  rules:
  - host: istio-prometheus.frognew.com
    http:
      paths:
      - path: /
        backend:
          serviceName: prometheus
          servicePort: 9090
  tls:
  - hosts: 
    - istio-prometheus.frognew.com
    secretName: "frognew-com-tls-secret"

---
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: grafana
  namespace: istio-system
  annotations:
    nginx.ingress.kubernetes.io/ssl-redirect: "true"
    nginx.ingress.kubernetes.io/secure-backends: "false"
spec:
  rules:
  - host: istio-grafana.frognew.com
    http:
      paths:
      - path: /
        backend:
          serviceName: grafana
          servicePort: 3000
  tls:
  - hosts: 
    - istio-grafana.frognew.com
    secretName: "frognew-com-tls-secret"
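
The three Ingress resources above publish Prometheus, Grafana and Jaeger outside the cluster with TLS but with no access control at the ingress. As an added example (not part of the original post), the shell functions below render the same three Ingress objects with the ingress-nginx basic-auth and source-range annotations; the Secret name istio-ui-basic-auth and the CIDR 203.0.113.0/24 are assumptions to replace with your own values.

```shell
#!/bin/sh
# Added example: render each dashboard Ingress with HTTP basic auth and a
# source-IP allow-list enforced by ingress-nginx.
AUTH_SECRET="istio-ui-basic-auth"  # assumed Secret name; holds an htpasswd file under key "auth"
ALLOW_CIDR="203.0.113.0/24"        # constructed example range (RFC 5737)

# render_ingress NAME HOST SERVICE PORT -> manifest on stdout
render_ingress() {
  [ "$#" -eq 4 ] || { echo "usage: render_ingress NAME HOST SERVICE PORT" >&2; return 2; }
  case "$4" in ''|*[!0-9]*) echo "port must be numeric: $4" >&2; return 2;; esac
  cat <<EOF
---
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: $1
  namespace: istio-system
  annotations:
    nginx.ingress.kubernetes.io/ssl-redirect: "true"
    nginx.ingress.kubernetes.io/secure-backends: "false"
    nginx.ingress.kubernetes.io/auth-type: basic
    nginx.ingress.kubernetes.io/auth-secret: $AUTH_SECRET
    nginx.ingress.kubernetes.io/auth-realm: "Authentication Required"
    nginx.ingress.kubernetes.io/whitelist-source-range: "$ALLOW_CIDR"
spec:
  rules:
  - host: $2
    http:
      paths:
      - path: /
        backend:
          serviceName: $3
          servicePort: $4
  tls:
  - hosts:
    - $2
    secretName: "frognew-com-tls-secret"
EOF
}

# The three dashboards from this post, with the hosts and ports used above.
render_all() {
  render_ingress jaeger-query istio-jaeger.frognew.com jaeger-query 16686 &&
  render_ingress prometheus istio-prometheus.frognew.com prometheus 9090 &&
  render_ingress grafana istio-grafana.frognew.com grafana 3000
}

# Create the credential Secret once, then apply the manifests:
#   htpasswd -c auth admin
#   kubectl create secret generic istio-ui-basic-auth --from-file=auth -n istio-system
#   render_all | kubectl apply -f -
render_all
```
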

istio prometheus

The Prometheus targets page shows that Prometheus is currently monitoring Kubernetes and each of the Istio core components.

istio grafana

istio jaeger

References