Istio

Published: 2023-03-22 21:11:38  Author: wanghhhh

I. Installing Istio

1. Download the Istio release package

wget https://github.com/istio/istio/releases/download/1.17.1/istio-1.17.1-osx-arm64.tar.gz

After the download completes, extract the archive:

tar -zxvf istio-1.17.1-osx-arm64.tar.gz

Add the istioctl client to the executable path:

cd istio-1.17.1
export PATH=$PWD/bin:$PATH

2. Run the Istio install command

Here we use the istioctl command to perform the installation:

istioctl install --set profile=demo

Here "--set profile=demo" installs an Istio test environment. After a successful installation the output looks like this:

✔ Istio core installed
- Processing resources for Istiod. Waiting for Deployment/istio-system/istiod
✔ Istiod installed
✔ Ingress gateways installed
✔ Egress gateways installed
✔ Installation complete
Making this installation the default for injection and validation.

Once the installation has succeeded, use kubectl to check that the Istio components are present in the Kubernetes environment:

ZBMAC-655b32453 k8s-yaml % kubectl get pods  -n istio-system
NAME                                   READY   STATUS    RESTARTS   AGE
istio-egressgateway-774d6846df-95r9t   1/1     Running   0          10m
istio-ingressgateway-69499dc-kgdxk     1/1     Running   0          10m
istiod-65dcb8497-6qrfb                 1/1     Running   0          14m

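At this point you can see that Istio's core component istiod, together with the ingress gateway (ingressgateway) and the egress gateway (egressgateway), is running in the Kubernetes cluster as Service resources.

3. Enable automatic Envoy sidecar injection for the default namespace

This is a key step. If our microservice applications will be deployed to the k8s default namespace, sidecar auto-injection must be enabled for that namespace when installing Istio. This is the setting, mentioned earlier, that makes k8s automatically start a proxy process in the same Pod every time a microservice application starts.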

$ kubectl label namespace default istio-injection=enabled
namespace/default labeled
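
The label only affects Pods created after it is set, so workloads already running in default stay outside the mesh until they are recreated. The check below is an added example, not part of the original post: the function names and sample rows are constructed, and it assumes the injected container is named istio-proxy.

```shell
#!/bin/sh
# Added example: find Pods in an injection-enabled namespace that have no
# Envoy sidecar (for instance because they started before the label was set).

# Print "pod<TAB>container names" for every Pod in a namespace (needs kubectl).
list_pod_containers() {
  kubectl get pods -n "$1" \
    -o jsonpath='{range .items[*]}{.metadata.name}{"\t"}{.spec.containers[*].name}{"\n"}{end}'
}

# Read "pod<TAB>containers" rows on stdin; print Pods lacking istio-proxy.
pods_missing_sidecar() {
  awk -F '\t' '
    $1 != "" {
      n = split($2, names, " ")
      found = 0
      for (i = 1; i <= n; i++) if (names[i] == "istio-proxy") found = 1
      if (!found) print $1
    }'
}

# Constructed sample rows (hypothetical Pod names), so this runs offline.
sample_rows() {
  printf 'productpage-v1-aaaa\tproductpage istio-proxy\n'
  printf 'legacy-job-bbbb\tworker\n'
  printf 'reviews-v1-cccc\treviews istio-proxy\n'
}

sample_rows | pods_missing_sidecar
# Against a live cluster: list_pod_containers default | pods_missing_sidecar
# Recreate the listed Pods so injection applies:
#   kubectl rollout restart deployment <name> -n default
```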

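4. Deploying Istio observability

Kiali is an Istio management console for the service mesh. It provides dashboards and observability features, and it also lets us operate on the mesh configuration. First, quickly deploy the Bookinfo demo application with the following command: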

% kubectl apply -f samples/bookinfo/platform/kube/bookinfo.yaml 
service/details created
serviceaccount/bookinfo-details created
deployment.apps/details-v1 created
service/ratings created
serviceaccount/bookinfo-ratings created
deployment.apps/ratings-v1 created
service/reviews created
serviceaccount/bookinfo-reviews created
deployment.apps/reviews-v1 created
deployment.apps/reviews-v2 created
deployment.apps/reviews-v3 created
service/productpage created
serviceaccount/bookinfo-productpage created
deployment.apps/productpage-v1 created

Create the gateway, which generates a gateway CRD resource:

% kubectl apply -f samples/bookinfo/networking/bookinfo-gateway.yaml 
gateway.networking.istio.io/bookinfo-gateway created
virtualservice.networking.istio.io/bookinfo created

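When we installed Istio earlier, we did not enable sidecar auto-injection in the istio-system namespace (its label is istio-injection=disabled). To reach the Kiali, Prometheus, Grafana and Tracing dashboards (which together make up the service mesh's observability stack) from outside the k8s cluster, the ports can be exposed externally via NodePort.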

 % kubectl get svc  -n istio-system                                  
NAME                   TYPE           CLUSTER-IP      EXTERNAL-IP   PORT(S)                                                                      AGE
istio-egressgateway    ClusterIP      10.20.107.155   <none>        80/TCP,443/TCP                                                               28m
istio-ingressgateway   LoadBalancer   10.20.16.101    <pending>     15021:31915/TCP,80:31608/TCP,443:31154/TCP,31400:31632/TCP,15443:30874/TCP   28m
istiod                 ClusterIP      10.20.63.74     <none>        15010/TCP,15012/TCP,443/TCP,15014/TCP                                        32m

Change the Service from LoadBalancer access to NodePort access by editing it and setting its type field:

kubectl edit svc istio-ingressgateway -n istio-system
type: NodePort
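
A NodePort Service opens each of its mapped ports on every node's address, and the LoadBalancer listing above already shows the node ports that were allocated. The following added example (not from the original post) enumerates them from `kubectl get svc` table output so they can be matched against firewall rules; the function names are made up here and the sample input is the service listing shown above.

```shell
#!/bin/sh
# Added example: list the node ports that Services open on every node.

# Read `kubectl get svc` table output on stdin; for NodePort and LoadBalancer
# Services print "service port nodePort protocol", one mapping per line.
exposed_node_ports() {
  awk '
    $1 == "NAME" { next }                       # skip the header row
    $2 == "NodePort" || $2 == "LoadBalancer" {
      n = split($5, maps, ",")
      for (i = 1; i <= n; i++) {
        # entries look like 80:31608/TCP; ones without ":" have no node port
        if (split(maps[i], pp, "[:/]") == 3)
          print $1, pp[1], pp[2], pp[3]
      }
    }'
}

# Sample input: the `kubectl get svc -n istio-system` output from this page.
sample_svc_table() {
  cat <<'EOF'
NAME                   TYPE           CLUSTER-IP      EXTERNAL-IP   PORT(S)                                                                      AGE
istio-egressgateway    ClusterIP      10.20.107.155   <none>        80/TCP,443/TCP                                                               28m
istio-ingressgateway   LoadBalancer   10.20.16.101    <pending>     15021:31915/TCP,80:31608/TCP,443:31154/TCP,31400:31632/TCP,15443:30874/TCP   28m
istiod                 ClusterIP      10.20.63.74     <none>        15010/TCP,15012/TCP,443/TCP,15014/TCP                                        32m
EOF
}

sample_svc_table | exposed_node_ports
# Live cluster: kubectl get svc -n istio-system | exposed_node_ports
```

Node ports that do not need to be reachable from outside the cluster can then be blocked at the node firewall or security group.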

Next, quickly deploy a demo Kiali with the following command:

istio-1.17.1 %  kubectl apply -f samples/addons
serviceaccount/grafana created
configmap/grafana created
service/grafana created
deployment.apps/grafana created
configmap/istio-grafana-dashboards created
configmap/istio-services-grafana-dashboards created
deployment.apps/jaeger created
service/tracing created
service/zipkin created
service/jaeger-collector created
serviceaccount/kiali created
configmap/kiali created
clusterrole.rbac.authorization.k8s.io/kiali-viewer created
clusterrole.rbac.authorization.k8s.io/kiali created
clusterrolebinding.rbac.authorization.k8s.io/kiali created
role.rbac.authorization.k8s.io/kiali-controlplane created
rolebinding.rbac.authorization.k8s.io/kiali-controlplane created
service/kiali created
deployment.apps/kiali created
serviceaccount/prometheus created
configmap/prometheus created
clusterrole.rbac.authorization.k8s.io/prometheus created
clusterrolebinding.rbac.authorization.k8s.io/prometheus created
service/prometheus created
deployment.apps/prometheus created

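This deploys Prometheus, Grafana, Zipkin and other metrics and trace collection services. Because many components are installed and they consume a fair amount of resources, startup may be slow if the cluster is short on resources. If the deployment succeeds, check the Pod status with the following command: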

istio-1.17.1 % kubectl get pod -n istio-system -o wide
NAME                                   READY   STATUS             RESTARTS   AGE     IP            NODE       NOMINATED NODE   READINESS GATES
grafana-69f9b6bfdc-67n4c               0/1     Running            0          4m40s   10.10.1.227   node01     <none>           <none>
istio-egressgateway-774d6846df-95r9t   1/1     Running            0          40m     10.10.0.194   master01   <none>           <none>
istio-ingressgateway-69499dc-kgdxk     1/1     Running            0          40m     10.10.0.193   master01   <none>           <none>
istiod-65dcb8497-6qrfb                 1/1     Running            0          44m     10.10.0.167   master01   <none>           <none>
jaeger-cc4688b98-lb9z2                 0/1     ImagePullBackOff   0          4m40s   10.10.1.228   node01     <none>           <none>
kiali-594965b98c-spxch                 1/1     Running            0          4m39s   10.10.1.229   node01     <none>           <none>
prometheus-5f84bbfcfd-r4grm            2/2     Running            0          4m38s   10.10.1.230   node01     <none>           <none>

Open the console:

 istioctl dashboard kiali