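Installation and Deployment: How do you install Istio? Which environments and deployment methods does it support?

First, we need to prepare a Kubernetes environment:

Download Istio

In the current version, installing and deploying Istio has become very simple: a few steps are enough to set up an Istio environment. The first step is to download Istio (check the documentation for the Kubernetes versions that Istio supports):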

  • https://istio.io/latest/docs/setup/getting-started/#download

Fetch the download script and run it:

[root@m1 ~]# curl -L https://istio.io/downloadIstio | sh -

Move the downloaded istio directory to a suitable location:

[root@m1 ~]# mv istio-1.8.1/ /usr/local

Configure the environment variables:

[root@m1 ~]# vim /etc/profile
export ISTIO_HOME=/usr/local/istio-1.8.1
export PATH=$PATH:$ISTIO_HOME/bin
[root@m1 ~]# source /etc/profile

Verify that the istioctl command works:

[root@m1 ~]# istioctl version
no running Istio pods in "istio-system"
1.8.1
[root@m1 ~]# 
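
A version-pinned alternative to piping the download script into a shell, as an added example that is not part of the original page or of the Istio project's own tooling: it fetches the 1.8.1 release tarball, checks it against the published SHA-256 file and unpacks only on a match. The linux-amd64 platform, the `.sha256` sibling file layout and the function names are assumptions.

```shell
#!/usr/bin/env bash
# Added example: pinned, checksum-verified Istio download instead of `curl | sh`.
# Assumption: every release tarball has a sibling "<tarball>.sha256" file in
# sha256sum format ("<hex digest>  <file name>") on the GitHub release page.

ISTIO_VERSION="${ISTIO_VERSION:-1.8.1}"          # version used on this page
ISTIO_PLATFORM="${ISTIO_PLATFORM:-linux-amd64}"   # assumption: x86_64 Linux host
ISTIO_BASE_URL="https://github.com/istio/istio/releases/download"

# sha256_of FILE -> prints the hex SHA-256 digest of FILE
sha256_of() {
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1" | awk '{print $1}'
  else
    shasum -a 256 "$1" | awk '{print $1}'
  fi
}

# verify_sha256 FILE SUMFILE -> 0 on match, 1 on mismatch, 2 on unusable input
verify_sha256() {
  local file="$1" sumfile="$2" expected
  [ -r "$file" ] && [ -r "$sumfile" ] || return 2
  expected="$(awk 'NR==1 {print tolower($1)}' "$sumfile")"
  # Reject anything that is not exactly 64 hex characters (e.g. an HTML error page).
  case "$expected" in
    *[!0-9a-f]*|"") return 2 ;;
  esac
  [ "${#expected}" -eq 64 ] || return 2
  [ "$(sha256_of "$file")" = "$expected" ]
}

# fetch_istio DESTDIR -> download into a private temp dir, verify, then unpack
fetch_istio() {
  local dest="$1" tarball url tmp
  tarball="istio-${ISTIO_VERSION}-${ISTIO_PLATFORM}.tar.gz"
  url="${ISTIO_BASE_URL}/${ISTIO_VERSION}/${tarball}"
  tmp="$(mktemp -d)" || return 1
  curl -fsSL -o "${tmp}/${tarball}" "$url" || return 1
  curl -fsSL -o "${tmp}/${tarball}.sha256" "${url}.sha256" || return 1
  verify_sha256 "${tmp}/${tarball}" "${tmp}/${tarball}.sha256" || {
    echo "checksum check failed for ${tarball}; not unpacking" >&2; rm -rf "$tmp"; return 1; }
  tar -xzf "${tmp}/${tarball}" -C "$dest" && rm -rf "$tmp"
}

# Download only when asked to, e.g.: ./fetch-istio.sh fetch /usr/local
if [ "${1:-}" = "fetch" ]; then fetch_istio "${2:-/usr/local}"; fi
```

The digest is served from the same release page as the tarball, so this catches a corrupted or truncated download rather than a compromised release host.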

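Install Istio

Configuration profiles:

  • The profile chosen at install time determines which components are installed; see the official documentation.

Installation with istioctl:

Installation method            Example
Default installation           istioctl manifest apply
Select a profile               istioctl manifest apply --set profile=demo
Custom installation options    istioctl manifest apply --set addonComponents.grafana.enabled=true
Custom installation manifests  istioctl manifest apply --set installPackagePath=<release path>/install/kubernetes/operator/charts

In a learning or lab environment we can install with the demo profile, as in the following example: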

[root@m1 ~]# istioctl install --set profile=demo -y
✔ Istio core installed
✔ Istiod installed
✔ Egress gateways installed
✔ Ingress gateways installed
✔ Installation complete
[root@m1 ~]# 

Check that the Istio namespace and pods have been created correctly:

[root@m1 ~]# kubectl get ns |grep istio
istio-system           Active   7m10s
[root@m1 ~]# kubectl get pods -n istio-system
NAME                                    READY   STATUS    RESTARTS   AGE
istio-egressgateway-d84f95b69-dmpzf     1/1     Running   0          6m28s
istio-ingressgateway-75f6d79f48-5lr5b   1/1     Running   0          6m28s
istiod-c9f6864c4-5kjz7                  1/1     Running   0          7m50s
[root@m1 ~]# 

Check Istio's CRDs and API resources:

[root@m1 ~]# kubectl get crd |grep istio
               2020-12-21T02:53:41Z
                  2020-12-21T02:53:41Z
                      2020-12-21T02:53:41Z
                          2020-12-21T02:53:41Z
                       2020-12-21T02:53:41Z
                 2020-12-21T02:53:41Z
              2020-12-21T02:53:41Z
                    2020-12-21T02:53:41Z
                          2020-12-21T02:53:41Z
                   2020-12-21T02:53:41Z
                   2020-12-21T02:53:41Z
                    2020-12-21T02:53:41Z
[root@m1 ~]# kubectl api-resources |grep istio
istiooperators                 iop,io                      true         IstioOperator
destinationrules               dr                       true         DestinationRule
envoyfilters                                            true         EnvoyFilter
gateways                       gw                       true         Gateway
serviceentries                 se                       true         ServiceEntry
sidecars                                                true         Sidecar
virtualservices                vs                       true         VirtualService
workloadentries                we                       true         WorkloadEntry
workloadgroups                 wg                       true         WorkloadGroup
authorizationpolicies                                     true         AuthorizationPolicy
peerauthentications            pa                         true         PeerAuthentication
requestauthentications         ra                         true         RequestAuthentication
[root@m1 ~]# 

Add a namespace label so that Istio automatically injects the Envoy sidecar proxy when applications are deployed later:

[root@m1 ~]# kubectl label namespace default istio-injection=enabled
namespace/default labeled
[root@m1 ~]# 

Install the dashboard components with the following command:

[root@m1 ~]# kubectl apply -f /usr/local/istio-1.8.1/samples/addons -n istio-system

Enable Kiali as the Istio dashboard:

[root@m1 ~]# istioctl dashboard kiali --address 192.168.243.138 -p 20001
http://localhost:20001/kiali

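Open it in a browser:

The "Application" page shows information about the Istio components:

Deploy the Bookinfo application

Next we deploy the official demo application to verify Istio's functionality:

The deployment command is as follows: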

[root@m1 ~]# kubectl apply -f /usr/local/istio-1.8.1/samples/bookinfo/platform/kube/bookinfo.yaml
service/details created
serviceaccount/bookinfo-details created
deployment.apps/details-v1 created
service/ratings created
serviceaccount/bookinfo-ratings created
deployment.apps/ratings-v1 created
service/reviews created
serviceaccount/bookinfo-reviews created
deployment.apps/reviews-v1 created
deployment.apps/reviews-v2 created
deployment.apps/reviews-v3 created
service/productpage created
serviceaccount/bookinfo-productpage created
deployment.apps/productpage-v1 created
[root@m1 ~]# 

Confirm that the services and pods have started:

[root@m1 ~]# kubectl get pods
NAME                              READY   STATUS    RESTARTS   AGE
details-v1-79c697d759-qmtpn       2/2     Running   0          19m
productpage-v1-65576bb7bf-wqt7v   2/2     Running   0          19m
ratings-v1-7d99676f7f-jhcv6       2/2     Running   0          19m
reviews-v1-987d495c-4jlcv         2/2     Running   0          19m
reviews-v2-6c5bf657cf-n7hmw       2/2     Running   0          19m
reviews-v3-5f7b9f4f77-fpcvc       2/2     Running   0          19m
[root@m1 ~]# kubectl get svc
NAME          TYPE        CLUSTER-IP       EXTERNAL-IP   PORT(S)    AGE
details       ClusterIP   10.102.20.100    <none>        9080/TCP   20m
kubernetes    ClusterIP   10.96.0.1        <none>        443/TCP    112d
productpage   ClusterIP   10.97.68.248     <none>        9080/TCP   20m
ratings       ClusterIP   10.109.205.171   <none>        9080/TCP   20m
reviews       ClusterIP   10.108.11.178    <none>        9080/TCP   20m
[root@m1 ~]# 
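
READY 2/2 in the listing above means each pod runs its application container plus the injected Envoy sidecar; pods created before the namespace was labelled are not injected, because injection happens at pod creation. The following check lists such pods and is an added example, not code from the original page or from Istio; the function names and the `legacy-job-x1` pod are hypothetical, and it assumes the sidecar appears in `spec.containers` under the name `istio-proxy`.

```shell
#!/usr/bin/env bash
# Added example: list pods that are running without the Envoy sidecar.
# Input (one pod per line): "<pod name><TAB><space-separated container names>",
# which is what the kubectl jsonpath query in live_pods() prints.
# Assumption: the sidecar is a regular container named "istio-proxy".

SIDECAR_NAME="istio-proxy"

# pods_missing_sidecar: read pod lines on stdin, print the pods with no sidecar.
# Exit status is 1 when at least one pod lacks it, 0 otherwise.
pods_missing_sidecar() {
  awk -F '\t' -v sidecar="$SIDECAR_NAME" '
    NF == 0 { next }                       # skip blank lines
    {
      n = split($2, names, " "); found = 0
      for (i = 1; i <= n; i++) if (names[i] == sidecar) found = 1
      if (!found) { print $1; missing = 1 }
    }
    END { exit missing ? 1 : 0 }'
}

# live_pods [NAMESPACE]: needs cluster access; namespace defaults to "default"
live_pods() {
  kubectl get pods -n "${1:-default}" -o \
    jsonpath='{range .items[*]}{.metadata.name}{"\t"}{.spec.containers[*].name}{"\n"}{end}'
}

# Constructed sample: two Bookinfo pod names from this page plus a hypothetical
# "legacy-job-x1" pod that was created before the namespace was labelled.
sample_pods() {
  printf 'details-v1-79c697d759-qmtpn\tdetails istio-proxy\n'
  printf 'reviews-v1-987d495c-4jlcv\treviews istio-proxy\n'
  printf 'legacy-job-x1\tworker\n'
}

# "live [namespace]" queries the cluster; with no arguments the sample is used.
if [ "${1:-}" = "live" ]; then
  live_pods "${2:-default}" | pods_missing_sidecar
else
  sample_pods | pods_missing_sidecar || true
fi
```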

Create an Ingress gateway; otherwise the service cannot be reached from outside the cluster:

[root@m1 ~]# kubectl apply -f /usr/local/istio-1.8.1/samples/bookinfo/networking/bookinfo-gateway.yaml
gateway./bookinfo-gateway created
virtualservice./bookinfo created
[root@m1 ~]#

Confirm the gateway and the access address:

[root@m1 ~]# kubectl get  
NAME               AGE
bookinfo-gateway   1m
[root@m1 ~]# kubectl get  
NAME       GATEWAYS               HOSTS   AGE
bookinfo   ["bookinfo-gateway"]   ["*"]   1m
[root@m1 ~]# kubectl get svc -n istio-system 
NAME                   TYPE            CLUSTER-IP      EXTERNAL-IP                         AGE
istio-ingressgateway   LoadBalancer   10.111.237.225   <pending>     15021:32730/TCP,80:30383/TCP,443:30555/TCP,31400:30963/TCP,15443:32634/TCP   4h5m
[root@m1 ~]# 

According to the official documentation, when the EXTERNAL-IP of the istio-ingressgateway service is pending, the access address and port number have to be obtained as follows:

[root@m1 ~]# kubectl get po -l istio=ingressgateway -n istio-system -o jsonpath='{.items[0].status.hostIP}'
192.168.243.140
[root@m1 ~]# kubectl -n istio-system get service istio-ingressgateway -o jsonpath='{.spec.ports[?(@.name=="http2")].nodePort}'
30383

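The application page can then be opened in a browser:

Refresh the page several times and you will see that requests are distributed round-robin across the different versions of the reviews service: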