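Building an Istio-based Service Mesh from Scratch - 01: Quick Deployment

Notes

  • Istio version: 1.4.2
  • Kubernetes cluster version: v1.14.8
  • Istio 1.4 can be deployed directly with the istioctl command; istioctl is used here to deploy Istio.
    • It has built-in configuration validation and a rich set of customization options
    • The API version is still in the Alpha stage (install.istio.io/v1alpha2); judge for yourself whether it is suitable
    • Deployment requirements
      • At a minimum, a Kubernetes cluster
      • Istio 1.4 has been tested on Kubernetes 1.13, 1.14 and 1.15 clusters
      • The latest 1.16 is not listed in the official documentation, but should also work. See the official notes
  • The official samples are used here to get familiar with Istio's service mesh features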

Download the Istio project files

Download from GitHub

The deployment files for each version can be downloaded from the release page of the GitHub project

wget -O - https://github.com/istio/istio/releases/download/1.4.2/istio-1.4.2-linux.tar.gz | tar xz

Install via the shell script

curl -L https://istio.io/downloadIstio | sh -
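Both commands above unpack or execute whatever the server returns. As an added example (not part of the original post), the function below checks a downloaded tarball against a SHA-256 digest and rejects unsafe member paths before extracting. The function name and the digest placeholder are assumptions, and `sha256sum` from GNU coreutils is assumed to be installed.

```bash
#!/usr/bin/env bash
# Added example: verify a release tarball before unpacking it.
# The digest passed in must come from a source you trust (for example the
# release page); the value in the usage comment is a placeholder, not a real digest.

# verify_and_extract <tarball> <expected-sha256> <dest-dir>
# Returns 0 and extracts only if the digest matches and no member path
# is absolute or contains a ".." component.
verify_and_extract() {
  local tarball="$1" expected="$2" dest="$3" actual
  actual=$(sha256sum "$tarball" | awk '{print $1}') || return 2
  if [ "$actual" != "$expected" ]; then
    echo "digest mismatch: got $actual" >&2
    return 1
  fi
  # Inspect the member list before anything is written to disk.
  if tar -tzf "$tarball" | grep -Eq '^/|(^|/)\.\.(/|$)'; then
    echo "archive contains unsafe member paths" >&2
    return 1
  fi
  mkdir -p "$dest" && tar -xzf "$tarball" -C "$dest"
}

# Usage with the download from this page (save to disk instead of piping to tar):
#   wget https://github.com/istio/istio/releases/download/1.4.2/istio-1.4.2-linux.tar.gz
#   verify_and_extract istio-1.4.2-linux.tar.gz "<sha256-from-release-page>" .
```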

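Change the working directory

cd istio-1.4.2

Directory contents

tree ~/istio-1.4.2 -L 1
./istio-1.4.2
├── bin
├── install
├── LICENSE
├── manifest.yaml
├── README.md
├── samples
└── tools

Project directories:

  • install/kubernetes contains the YAML files for deploying to a Kubernetes cluster
  • samples contains the sample applications
  • bin contains the istioctl binary
  • tools contains the command-completion script and some other utility scripts

Copy the binary

Copy istioctl to the /usr/local/bin directory

cp bin/istioctl /usr/local/bin/

Set up command completion

  • Command completion is supported for bash and zsh; see the official documentation
  • Only bash is set up here

cp tools/istioctl.bash /etc/bash_completion.d/istioctl
source /etc/bash_completion.d/istioctl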

Deploy Istio

istioctl provides several built-in profiles for deploying Istio

List the built-in profiles

istioctl profile list

Sample output

Istio configuration profiles:
minimal
remote
sds
default
demo

View a profile's default values

The YAML file for each profile is stored in install/kubernetes/operator/profiles

install/kubernetes/operator/profiles
├── default.yaml
├── demo.yaml
├── minimal.yaml
├── remote.yaml
└── sds.yaml

Differences between the profiles

The descriptions below are copied directly from the official documentation

  1. default: enables components according to the default settings of the IstioControlPlane API (recommend for production deployments). You can display the default setting by running the command istioctl profile dump.

  2. demo: configuration designed to showcase Istio functionality with modest resource requirements. It is suitable to run the Bookinfo application and associated tasks. This is the configuration that is installed with the quick start instructions, but you can later customize the configuration to enable additional features if you wish to explore more advanced tasks.

    This profile enables high levels of tracing and access logging so it is not suitable for performance tests.

  3. minimal: the minimal set of components necessary to use Istio’s traffic management features.

  4. sds: similar to the default profile, but also enables Istio’s SDS (secret discovery service). This profile comes with additional authentication features enabled by default (Strict Mutual TLS).

  5. remote: used for configuring remote clusters of a multicluster mesh with a shared control plane configuration.

                          default   demo   minimal   sds   remote
Core components
  istio-citadel              X       X                X      X
  istio-egressgateway                X
  istio-galley               X       X                X
  istio-ingressgateway       X       X                X
  istio-nodeagent                                     X
  istio-pilot                X       X        X       X
  istio-policy               X       X                X
  istio-sidecar-injector     X       X                X      X
  istio-telemetry            X       X                X
Addons
  grafana                            X
  istio-tracing                      X
  kiali                              X
  prometheus                 X       X                X

QuickStart

Deploy with a built-in profile

demo is used here for the demonstration

istioctl manifest apply --set profile=demo

Specify parameters at deployment time

Note: istioctl deployment supports two APIs, the IstioControlPlane API and the Helm API

  • Use demo as the base profile
  • Enable the CNI plugin and deploy it to the kube-system namespace
  • Change the image hub to dockerhub.azk8s.cn
  • Set the istio-ingressgateway Service type to NodePort
  • Enable control plane security
  • Disable global mTLS

istioctl manifest apply \
--set profile='demo' \
--set cni.enabled=true \
--set cni.components.cni.namespace='kube-system' \
--set hub='dockerhub.azk8s.cn/istio' \
--set values.gateways.istio-ingressgateway.type='NodePort' \
--set values.gateways.istio-egressgateway.enabled=false \
--set values.gateways.istio-ingressgateway.sds.enabled=true \
--set values.global.controlPlaneSecurityEnabled=true \
--set values.global.mtls.enabled=false

Verify the Istio installation

kubectl get svc -n istio-system

Sample output

NAME                     TYPE           CLUSTER-IP       EXTERNAL-IP     PORT(S)                                                                                                                                      AGE
grafana                  ClusterIP      172.21.211.123   <none>          3000/TCP   2m
istio-citadel            ClusterIP      172.21.177.222   <none>          8060/TCP,15014/TCP   2m
istio-egressgateway      ClusterIP      172.21.113.24    <none>          80/TCP,443/TCP,15443/TCP   2m
istio-galley             ClusterIP      172.21.132.247   <none>          443/TCP,15014/TCP,9901/TCP   2m
istio-ingressgateway     LoadBalancer   172.21.144.254   52.116.22.242   15020:31831/TCP,80:31380/TCP,443:31390/TCP,31400:31400/TCP,15029:30318/TCP,15030:32645/TCP,15031:31933/TCP,15032:31188/TCP,15443:30838/TCP   2m
istio-pilot              ClusterIP      172.21.105.205   <none>          15010/TCP,15011/TCP,8080/TCP,15014/TCP   2m
istio-policy             ClusterIP      172.21.14.236    <none>          9091/TCP,15004/TCP,15014/TCP   2m
istio-sidecar-injector   ClusterIP      172.21.155.47    <none>          443/TCP,15014/TCP   2m
istio-telemetry          ClusterIP      172.21.196.79    <none>          9091/TCP,15004/TCP,15014/TCP,42422/TCP   2m
jaeger-agent             ClusterIP      None             <none>          5775/UDP,6831/UDP,6832/UDP   2m
jaeger-collector         ClusterIP      172.21.135.51    <none>          14267/TCP,14268/TCP   2m
jaeger-query             ClusterIP      172.21.26.187    <none>          16686/TCP   2m
kiali                    ClusterIP      172.21.155.201   <none>          20001/TCP   2m
prometheus               ClusterIP      172.21.63.159    <none>          9090/TCP   2m
tracing                  ClusterIP      172.21.2.245     <none>          80/TCP   2m
zipkin                   ClusterIP      172.21.182.245   <none>          9411/TCP

Get the access address of the Istio IngressGateway

NodePort

export INGRESS_HOST=$(kubectl get po -l istio=ingressgateway -n istio-system -o jsonpath='{.items[0].status.hostIP}')
export INGRESS_PORT=$(kubectl -n istio-system get service istio-ingressgateway -o jsonpath='{.spec.ports[?(@.name=="http2")].nodePort}')
export SECURE_INGRESS_PORT=$(kubectl -n istio-system get service istio-ingressgateway -o jsonpath='{.spec.ports[?(@.name=="https")].nodePort}')

LoadBalancer

export INGRESS_HOST=$(kubectl -n istio-system get service istio-ingressgateway -o jsonpath='{.status.loadBalancer.ingress[0].ip}')
export INGRESS_PORT=$(kubectl -n istio-system get service istio-ingressgateway -o jsonpath='{.spec.ports[?(@.name=="http2")].port}')
export SECURE_INGRESS_PORT=$(kubectl -n istio-system get service istio-ingressgateway -o jsonpath='{.spec.ports[?(@.name=="https")].port}')

Deploying with the IstioControlPlane API

Istio offers a very large number of deployment options. For deep customization at deployment time, it is best to work through the IstioControlPlane API.

Official example templates

The official documentation is a bit of a trap: its examples lack apiVersion and kind, and the formatting is slightly off.

Here apiVersion and kind have been filled in based on the profiles in the official deployment files, with a few tweaks.

  1. Deploy with the Istio defaults

apiVersion: install.istio.io/v1alpha2
kind: IstioControlPlane
spec:

  2. Deploy with the defaults of the minimal profile

apiVersion: install.istio.io/v1alpha2
kind: IstioControlPlane
spec:
  profile: minimal

  3. Deploy with the Istio defaults, with telemetry disabled

apiVersion: install.istio.io/v1alpha2
kind: IstioControlPlane
spec:
  telemetry:
    enabled: false

  4. Deploy with the Istio defaults, installing each feature and security component in its own namespace

apiVersion: install.istio.io/v1alpha2
kind: IstioControlPlane
spec:
  traffic_management:
    components:
      namespace: istio-traffic-management
  policy:
    components:
      namespace: istio-policy
  telemetry:
    components:
      namespace: istio-telemetry
  config_management:
    components:
      namespace: istio-config-management
  security:
    components:
      citadel:
        namespace: istio-citadel
      cert_manager:
        namespace: istio-cert-manager
      node_agent:
        namespace: istio-node-agent

  5. Deploy with the Istio defaults and set Kubernetes-specific options

apiVersion: install.istio.io/v1alpha2
kind: IstioControlPlane
spec:
  traffic_management:
    components:
      pilot:
        k8s:
          resources:
            limits:
              cpu: 444m
              memory: 333Mi
            requests:
              cpu: 222m
              memory: 111Mi
          readinessProbe:
            failureThreshold: 44
            initialDelaySeconds: 11
            periodSeconds: 22
            successThreshold: 33

  6. Deploy with the Istio defaults and customize the proxy component through values.yaml

apiVersion: install.istio.io/v1alpha2
kind: IstioControlPlane
spec:
  values:
    global:
      proxy:
        enableCoreDump: true
        dnsRefreshRate: 10s

  7. Deploy with the Istio defaults and customize the galley container configuration

apiVersion: install.istio.io/v1alpha2
kind: IstioControlPlane
spec:
  configManagement:
    components:
      galley:
        k8s:
          overlays:
          - apiVersion: extensions/v1beta1
            kind: Deployment
            name: istio-galley
            patches:
            - path: spec.template.spec.containers.[name:galley].command.[--livenessProbeInterval]
              value: --livenessProbeInterval=123s

  8. Generate a template from a built-in Istio profile

demo is used here for the demonstration. The dumped file has no apiVersion or kind, so it cannot be used directly!

istioctl profile dump demo

The corrected version is below. It is nearly 700 lines long!

Modify the settings you need based on the generated template file.

apiVersion: install.istio.io/v1alpha2
kind: IstioControlPlane
spec:
  autoInjection:
    ...
  cni:
    ...
  configManagement:
    ...
  gateways:
    ...
  policy:
    ...
  security:
    ...
  values:
    global:
      ...

Deploy Istio

Edit the template file

vim istio-template.yaml

apiVersion: install.istio.io/v1alpha2
kind: IstioControlPlane
spec:
  profile: demo

Deploy directly from the template file

istioctl manifest apply -f istio-template.yaml

Convert the template to a deployment manifest, then deploy it

istioctl manifest generate --set profile=demo \
--set hub='dockerhub.azk8s.cn' \
> istio-install.yaml
kubectl apply -f istio-install.yaml
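Writing the manifest to a file first makes it possible to review it before `kubectl apply`. The following added example (not from the original post) lists the container images a manifest references and those outside an expected registry prefix. The function names and the sample fragment, including the prometheus image tag, are constructed for illustration.

```bash
#!/usr/bin/env bash
# Added example: review which images a generated manifest will pull.

# manifest_images: YAML on stdin -> each distinct image reference, one per line.
manifest_images() {
  sed -n 's/^[[:space:]-]*image:[[:space:]]*//p' | tr -d "\"'" | sort -u
}

# images_outside <prefix>: images that do NOT start with the expected registry prefix.
images_outside() {
  manifest_images | awk -v p="$1" 'index($0, p) != 1'
}

# Constructed fragment in the shape of `istioctl manifest generate` output.
sample_manifest() {
  cat <<'EOF'
kind: Deployment
metadata:
  name: istio-pilot
spec:
  template:
    spec:
      containers:
      - name: discovery
        image: "dockerhub.azk8s.cn/pilot:1.4.2"
      - name: istio-proxy
        image: "dockerhub.azk8s.cn/proxyv2:1.4.2"
---
kind: Deployment
metadata:
  name: prometheus
spec:
  template:
    spec:
      containers:
      - name: prometheus
        image: "docker.io/prom/prometheus:v2.12.0"
EOF
}

# Against the real file:  images_outside dockerhub.azk8s.cn/ < istio-install.yaml
sample_manifest | images_outside dockerhub.azk8s.cn/
```

Any image printed by `images_outside` comes from a registry other than the one set with `hub`, so it needs its own review.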

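Verify the Istio installation

kubectl get svc -n istio-system

Explore Istio's features

The Tasks in the official documentation are followed here to explore Istio's features

The demonstration uses Istio deployed with the demo default settings

The samples directory

Notes

  • The samples directory holds Istio's official samples

Directory structure
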
tree samples/ -L 3 --dirsfirst

samples/
├── bookinfo
│   ├── networking
│   │   ├── bookinfo-gateway.yaml
│   │   ├── certmanager-gateway.yaml
│   │   ├── destination-rule-all-mtls.yaml
│   │   ├── destination-rule-all.yaml
│   │   ├── destination-rule-reviews.yaml
│   │   ├── egress-rule-google-apis.yaml
│   │   ├── fault-injection-details-v1.yaml
│   │   ├── virtual-service-all-v1.yaml
│   │   ├── virtual-service-details-v2.yaml
│   │   ├── virtual-service-ratings-db.yaml
│   │   ├── virtual-service-ratings-mysql-vm.yaml
│   │   ├── virtual-service-ratings-mysql.yaml
│   │   ├── virtual-service-ratings-test-abort.yaml
│   │   ├── virtual-service-ratings-test-delay.yaml
│   │   ├── virtual-service-reviews-50-v3.yaml
│   │   ├── virtual-service-reviews-80-20.yaml
│   │   ├── virtual-service-reviews-90-10.yaml
│   │   ├── virtual-service-reviews-jason-v2-v3.yaml
│   │   ├── virtual-service-reviews-test-v2.yaml
│   │   ├── virtual-service-reviews-v2-v3.yaml
│   │   └── virtual-service-reviews-v3.yaml
│   ├── platform
│   │   ├── consul
│   │   └── kube
│   ├── policy
│   │   ├── mixer-rule-deny-ip-crd.yaml
│   │   ├── mixer-rule-deny-ip.yaml
│   │   ├── mixer-rule-deny-label-crd.yaml
│   │   ├── mixer-rule-deny-label.yaml
│   │   ├── mixer-rule-deny-serviceaccount.yaml
│   │   ├── mixer-rule-deny-whitelist-crd.yaml
│   │   ├── mixer-rule-deny-whitelist.yaml
│   │   ├── mixer-rule-ingress-denial.yaml
│   │   ├── mixer-rule-kubernetesenv-telemetry.yaml
│   │   ├── mixer-rule-productpage-ratelimit-crd.yaml
│   │   ├── mixer-rule-productpage-ratelimit.yaml
│   │   ├── mixer-rule-productpage-redis-quota-fixed-window.yaml
│   │   ├── mixer-rule-productpage-redis-quota-rolling-window.yaml
│   │   ├── mixer-rule-ratings-denial.yaml
│   │   ├── mixer-rule-ratings-ratelimit.yaml
│   │   ├── mixer-rule-ratings-redis-quota-fixed-window.yaml
│   │   ├── mixer-rule-ratings-redis-quota-rolling-window.yaml
│   │   ├── prometheus-adapter-deployment.yaml
│   │   └── prometheus-oop-rule.yaml
│   ├── README.md
│   ├── src
│   │   ├── details
│   │   ├── mongodb
│   │   ├── mysql
│   │   ├── productpage
│   │   ├── ratings
│   │   └── reviews
│   ├── swagger.yaml
│   └── telemetry
│       ├── fluentd-istio-crd.yaml
│       ├── fluentd-istio.yaml
│       ├── log-entry-crd.yaml
│       ├── log-entry.yaml
│       ├── metrics-crd.yaml
│       ├── metrics.yaml
│       ├── tcp-metrics-crd.yaml
│       └── tcp-metrics.yaml
├── certs
│   ├── ca-cert.pem
│   ├── ca-key.pem
│   ├── cert-chain.pem
│   ├── README.md
│   └── root-cert.pem
├── custom-bootstrap
│   ├── custom-bootstrap.yaml
│   ├── example-app.yaml
│   └── README.md
├── external
│   ├── aptget.yaml
│   ├── github.yaml
│   ├── pypi.yaml
│   └── README.md
├── fortio
│   └── stackdriver.yaml
├── health-check
│   ├── liveness-command.yaml
│   ├── liveness-http-same-port.yaml
│   └── liveness-http.yaml
├── helloworld
│   ├── helloworld-gateway.yaml
│   ├── helloworld.yaml
│   ├── README.md
│   └── src
│       └── requirements.txt
├── httpbin
│   ├── httpbin-gateway.yaml
│   ├── httpbin-nodeport.yaml
│   ├── httpbin-vault.yaml
│   ├── httpbin.yaml
│   ├── policy
│   │   ├── keyval-template.yaml
│   │   └── keyval.yaml
│   ├── README.md
│   └── sample-client
│       └── fortio-deploy.yaml
├── https
│   ├── default.conf
│   └── nginx-app.yaml
├── kubernetes-blog
│   ├── bookinfo-ratings.yaml
│   ├── bookinfo-reviews-v2.yaml
│   └── bookinfo-v1.yaml
├── multicluster
│   └── README.md
├── operator
│   ├── pilot-advanced-override.yaml
│   ├── pilot-k8s.yaml
│   ├── sds-policy-off.yaml
│   ├── sds.yaml
│   ├── trafficManagement-namespace.yaml
│   ├── values-global.yaml
│   └── values-pilot.yaml
├── rawvm
│   └── README.md
├── README.md
├── security
│   └── psp
│       ├── all-pods-psp.yaml
│       └── citadel-agent-psp.yaml
├── sleep
│   ├── policy
│   │   ├── sni-serviceaccount.yaml
│   │   └── sni-wikipedia.yaml
│   ├── README.md
│   ├── sleep-vault.yaml
│   ├── sleep.yaml
│   └── telemetry
│       └── sni-logging.yaml
├── tcp-echo
│   ├── README.md
│   ├── src
│   ├── tcp-echo-20-v2.yaml
│   ├── tcp-echo-all-v1.yaml
│   ├── tcp-echo-services.yaml
│   └── tcp-echo.yaml
└── websockets
    ├── app.yaml
    ├── README.md
    └── route.yaml

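Deploy bookinfo

Notes

  • The application consists of four separate microservices
    • productpage: the productpage microservice calls the details and reviews microservices to populate the page.
    • details: the details microservice contains book details.
    • reviews: the reviews microservice contains book reviews; it also calls the ratings microservice.
    • ratings: the ratings microservice contains book ranking information.
  • The reviews microservice is provided in 3 versions
    • Version v1 does not call the ratings service, so no stars are shown.
    • Version v2 calls the ratings service and displays each rating as 1 to 5 black stars.
    • Version v3 calls the ratings service and displays each rating as 1 to 5 red stars.
  • The service architecture diagram is as follows

  • After Istio is deployed, the service architecture diagram becomes this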

Deploy to Kubernetes

  1. Change to the Istio project directory
  2. Label the default namespace to enable automatic sidecar injection (optional)

kubectl label namespace default istio-injection=enabled

  3. Deploy bookinfo

If automatic injection is enabled, deploy directly

kubectl apply -f samples/bookinfo/platform/kube/bookinfo.yaml

If automatic injection was not enabled in step 2, deploy through the istioctl command

kubectl apply -f <(istioctl kube-inject -f samples/bookinfo/platform/kube/bookinfo.yaml)

  4. Confirm the Pod and Service status

List the Pods

kubectl -n default get pod

Sample output

NAME                             READY   STATUS    RESTARTS   AGE
details-v1-c5b5f496d-vqm55       2/2     Running   0          1m
productpage-v1-c7765c886-g8hkm   2/2     Running   0          1m
ratings-v1-f745cf57b-5fflk       2/2     Running   0          1m
reviews-v1-75b979578c-dhdb8      2/2     Running   0          1m
reviews-v2-597bf96c8f-r8tz9      2/2     Running   0          1m
reviews-v3-54c6c64795-45f5v      2/2     Running   0          1m

List the Services

kubectl -n default get svc

Sample output

NAME          TYPE        CLUSTER-IP      EXTERNAL-IP   PORT(S)    AGE
details       ClusterIP   10.96.164.180   <none>        9080/TCP   1m
kubernetes    ClusterIP   10.96.0.1       <none>        443/TCP    3d18h
productpage   ClusterIP   10.96.110.93    <none>        9080/TCP   1m
ratings       ClusterIP   10.96.18.131    <none>        9080/TCP   1m
reviews       ClusterIP   10.96.53.148    <none>        9080/TCP   1m

  5. To confirm that bookinfo has finished starting, access it with curl

kubectl -n default exec -it $(kubectl -n default get pod -l app=ratings -o jsonpath='{.items[0].metadata.name}') -c ratings -- curl productpage:9080/productpage

The page content is returned, with the page title Simple Bookstore App

<!DOCTYPE html>
<html>
<head>
<title>Simple Bookstore App</title>
<meta charset="utf-8">
<meta http-equiv="X-UA-Compatible" content="IE=edge">
<meta name="viewport" content="width=device-width, initial-scale=1.0">
....................................................................
</html>
  6. Deploy bookinfo-gateway

kubectl apply -f samples/bookinfo/networking/bookinfo-gateway.yaml

The file contents are as follows

apiVersion: networking.istio.io/v1alpha3
kind: Gateway
metadata:
  name: bookinfo-gateway
spec:
  selector:
    istio: ingressgateway # use istio default controller
  servers:
  - port:
      number: 80
      name: http
      protocol: HTTP
    hosts:
    - "*"
---
apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
  name: bookinfo
spec:
  hosts:
  - "*"
  gateways:
  - bookinfo-gateway
  http:
  - match:
    - uri:
        exact: /productpage
    - uri:
        prefix: /static
    - uri:
        exact: /login
    - uri:
        exact: /logout
    - uri:
        prefix: /api/v1/products
    route:
    - destination:
        host: productpage
        port:
          number: 9080

  7. Check the gateway CRD

kubectl -n default get gateways.networking.istio.io

Sample output

NAME               AGE
bookinfo-gateway   5s
  8. Deploy the DestinationRules

  • If mutual TLS is not enabled

kubectl apply -f samples/bookinfo/networking/destination-rule-all.yaml

The file contents are as follows

apiVersion: networking.istio.io/v1alpha3
kind: DestinationRule
metadata:
  name: productpage
spec:
  host: productpage
  subsets:
  - name: v1
    labels:
      version: v1
---
apiVersion: networking.istio.io/v1alpha3
kind: DestinationRule
metadata:
  name: reviews
spec:
  host: reviews
  subsets:
  - name: v1
    labels:
      version: v1
  - name: v2
    labels:
      version: v2
  - name: v3
    labels:
      version: v3
---
apiVersion: networking.istio.io/v1alpha3
kind: DestinationRule
metadata:
  name: ratings
spec:
  host: ratings
  subsets:
  - name: v1
    labels:
      version: v1
  - name: v2
    labels:
      version: v2
  - name: v2-mysql
    labels:
      version: v2-mysql
  - name: v2-mysql-vm
    labels:
      version: v2-mysql-vm
---
apiVersion: networking.istio.io/v1alpha3
kind: DestinationRule
metadata:
  name: details
spec:
  host: details
  subsets:
  - name: v1
    labels:
      version: v1
  - name: v2
    labels:
      version: v2
---

  • If mutual TLS is enabled

kubectl apply -f samples/bookinfo/networking/destination-rule-all-mtls.yaml

The file contents are as follows

apiVersion: networking.istio.io/v1alpha3
kind: DestinationRule
metadata:
  name: productpage
spec:
  host: productpage
  trafficPolicy:
    tls:
      mode: ISTIO_MUTUAL
  subsets:
  - name: v1
    labels:
      version: v1
---
apiVersion: networking.istio.io/v1alpha3
kind: DestinationRule
metadata:
  name: reviews
spec:
  host: reviews
  trafficPolicy:
    tls:
      mode: ISTIO_MUTUAL
  subsets:
  - name: v1
    labels:
      version: v1
  - name: v2
    labels:
      version: v2
  - name: v3
    labels:
      version: v3
---
apiVersion: networking.istio.io/v1alpha3
kind: DestinationRule
metadata:
  name: ratings
spec:
  host: ratings
  trafficPolicy:
    tls:
      mode: ISTIO_MUTUAL
  subsets:
  - name: v1
    labels:
      version: v1
  - name: v2
    labels:
      version: v2
  - name: v2-mysql
    labels:
      version: v2-mysql
  - name: v2-mysql-vm
    labels:
      version: v2-mysql-vm
---
apiVersion: networking.istio.io/v1alpha3
kind: DestinationRule
metadata:
  name: details
spec:
  host: details
  trafficPolicy:
    tls:
      mode: ISTIO_MUTUAL
  subsets:
  - name: v1
    labels:
      version: v1
  - name: v2
    labels:
      version: v2
---
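
The two files differ only in `trafficPolicy.tls.mode`. This added example (not from the original post or the Istio project) reports the TLS mode of each DestinationRule in a YAML stream, so the file being applied can be checked against the mesh's mTLS setting. The function names are hypothetical, the sample is a constructed excerpt of the two files above, and the two-space indentation of those files is assumed.

```bash
#!/usr/bin/env bash
# Added example: report the client-side TLS mode of each DestinationRule.
# Assumes the two-space indentation used by the Istio sample files.

# dr_tls_modes: YAML on stdin -> one "<host> <mode>" line per DestinationRule;
# <mode> is spec.trafficPolicy.tls.mode, or NONE when the rule sets no TLS mode.
dr_tls_modes() {
  awk '
    function emit() {
      if (kind == "DestinationRule" && host != "")
        print host, (mode == "" ? "NONE" : mode)
      kind = ""; host = ""; mode = ""; in_tp = 0; in_tls = 0
    }
    /^---[ \t]*$/            { emit(); next }           # document separator
    /^kind:/                 { kind = $2; next }
    /^  host:/               { host = $2; next }        # spec.host
    /^  trafficPolicy:/      { in_tp = 1; next }        # rule-level policy only
    /^  [A-Za-z]/            { in_tp = 0; in_tls = 0 }  # any other spec-level key
    in_tp && /^    tls:/     { in_tls = 1; next }
    in_tp && /^    [A-Za-z]/ { in_tls = 0 }             # sibling key of tls
    in_tls && /^      mode:/ { mode = $2 }
    END { emit() }
  '
}

# dr_without_mtls: hosts whose DestinationRule does not set ISTIO_MUTUAL.
dr_without_mtls() {
  dr_tls_modes | awk '$2 != "ISTIO_MUTUAL" { print $1 }'
}

# Constructed excerpt: productpage as in the -mtls file, reviews as in the plain file.
sample_rules() {
  cat <<'EOF'
apiVersion: networking.istio.io/v1alpha3
kind: DestinationRule
metadata:
  name: productpage
spec:
  host: productpage
  trafficPolicy:
    tls:
      mode: ISTIO_MUTUAL
  subsets:
  - name: v1
    labels:
      version: v1
---
apiVersion: networking.istio.io/v1alpha3
kind: DestinationRule
metadata:
  name: reviews
spec:
  host: reviews
  subsets:
  - name: v1
    labels:
      version: v1
---
EOF
}

sample_rules | dr_tls_modes
```

To check a file before applying it, run `dr_without_mtls < samples/bookinfo/networking/destination-rule-all-mtls.yaml`; an empty result means every rule in the file sets ISTIO_MUTUAL.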

Access bookinfo through the Istio gateway

  1. Set the environment variables

Istio was deployed here with the IngressGateway Service type set to NodePort, so access goes directly through the NodePort

export INGRESS_HOST=$(kubectl get po -l istio=ingressgateway -n istio-system -o jsonpath='{.items[0].status.hostIP}')
export INGRESS_PORT=$(kubectl -n istio-system get service istio-ingressgateway -o jsonpath='{.spec.ports[?(@.name=="http2")].nodePort}')
export SECURE_INGRESS_PORT=$(kubectl -n istio-system get service istio-ingressgateway -o jsonpath='{.spec.ports[?(@.name=="https")].nodePort}')
export GATEWAY_URL=$INGRESS_HOST:$INGRESS_PORT

  2. Access bookinfo

curl -s http://${GATEWAY_URL}/productpage | grep -o "<title>.*</title>"

Sample output

<title>Simple Bookstore App</title>

  3. Open http://${GATEWAY_URL}/productpage in a browser

    With the definitions in destination-rule-all.yaml, refreshing the page repeatedly reaches all three versions of reviews:

  • reviews-v1: no stars
  • reviews-v2: black stars
  • reviews-v3: red stars

Deploy TCP-echo

Notes

  • Connect to TCP-echo over TCP and get the echoed data back

Deploy to Kubernetes

  1. Change to the Istio project directory
  2. Deploy the YAML file

kubectl apply -f samples/tcp-echo/tcp-echo.yaml

  3. Create a Pod

kubectl run -i --rm --restart=Never busybox --image=busybox:1.28 -- /bin/sh

  4. Test TCP-echo

echo abcdefg | nc tcp-echo 9000

Sample output

hello abcdefg

  5. Clean up

kubectl delete -f samples/tcp-echo/tcp-echo.yaml