Istio installation

The Istio documentation lists several installation methods; since the cluster already runs Helm, Istio is installed with Helm here.

  • Download the Istio release (0.8.0 at the time of writing)
  • Run helm install install/kubernetes/helm/istio --name istio --namespace istio-system (this install uses automatic sidecar injection)

The Istio chart's values.yaml, as used here:

# Use --set or additional values.yaml file to configure settings.
# This file no longer uses sed, updateVersions.sh or istio.VERSIONS
# TODO: evaluate if we need individual overrides for each component version, istio
# is not typically tested with a mix of versions. Only supported case is version upgrade.

# Common settings.
global:
  # Default repository for Istio images.
  # Releases are published to docker hub under 'istio' project.
  # Daily builds from prow are on gcr.io, and nightly builds from circle on
  # docker.io/istionightly
  hub: 192.168.30.100:8889/istio

  # Default tag for Istio images.
  # Should track latest released version in the branch.
  tag: 0.8.0
  proxy:
    image: proxyv2
    resources:
      requests:
        cpu: 100m
        memory: 128Mi

    # istio-sidecar-injector configmap stores configuration for sidecar injection.
    # This config map is used by istioctl kube-inject and the injector webhook.
    enableCoreDump: false
    serviceAccountName: default # used only if RBAC is not enabled
    replicaCount: 1
    resources:
      requests:
        cpu: 100m
        memory: 128Mi
      # limits:
      #   cpu: 100m
      #   memory: 128Mi

    # istio egress capture whitelist
    # https://istio.io/docs/tasks/traffic-management/egress.html#calling-external-services-directly
    # example: includeIPRanges: "172.30.0.0/16,172.20.0.0/16"
    # would only capture egress traffic on those two IP Ranges, all other outbound traffic would
    # be allowed by the sidecar
    includeIPRanges: "*"
    excludeIPRanges: ""

    # istio ingress capture whitelist
    # examples:
    #   Redirect no inbound traffic to Envoy:  --includeInboundPorts=""
    #   Redirect all inbound traffic to Envoy: --includeInboundPorts="*"
    #   Redirect only selected ports:          --includeInboundPorts="80,8080"
    includeInboundPorts: "*"
    excludeInboundPorts: ""
    policy: enabled

  proxy_init:
    image: proxy_init

  # imagePullPolicy is applied to istio control plane components.
  # local tests require IfNotPresent, to avoid uploading to dockerhub.
  # TODO: Switch to Always as default, and override in the local tests.
  imagePullPolicy: IfNotPresent

  # Not recommended for user to configure this. Hyperkube image to use when creating custom resources
  hyperkube:
    repository: 192.168.30.100:8889/coreos/hyperkube
    tag: v1.7.6_coreos.0

  # controlPlaneMtls enabled. Will result in delays starting the pods while secrets are
  # propagated, not recommended for tests.
  controlPlaneSecurityEnabled: false

  # Default mtls policy. If true, mtls between services will be enabled by default.
  mtls:
    # Default setting for service-to-service mtls. Can be set explicitly using
    # destination rules or service annotations.
    enabled: false
    # List of fully qualified services to exclude from mtls
    # TODO: add the templating.
    mtlsExcludedServices:
    - "kubernetes.default.svc.cluster.local"

  # create RBAC resources. Must be set for any cluster configured with rbac.
  rbacEnabled: true

  ## imagePullSecrets for all ServiceAccount. Must be set for any cluster configured with a private docker registry.
  # imagePullSecrets:
  #   - name: "private-registry-key"

  # Default is 1 second
  refreshInterval: 10s

  # Enable multicluster operation. Must be set to true if multicluster operation
  # is desired.
  multicluster:
    enabled: false

  # Specify pod scheduling arch(amd64, ppc64le, s390x) and weight as follows:
  #   0 - Never scheduled
  #   1 - Least preferred
  #   2 - No preference
  #   3 - Most preferred
  arch:
    amd64: 2
    s390x: 2
    ppc64le: 2

# Any customization for istio testing should be here
istiotesting:
  oneNameSpace: false

#
# ingress configuration
#
ingress:
  enabled: true
  serviceAccountName: default
  autoscaleMin: 1
  autoscaleMax: 1
  resources: {}
    # limits:
    #  cpu: 100m
    #  memory: 128Mi
    # requests:
    #  cpu: 100m
    #  memory: 128Mi
  service:
    loadBalancerIP: "10.100.100.20"
    type: LoadBalancer #change to NodePort, ClusterIP or LoadBalancer if need be
    ports:
    - port: 80
      name: http
      nodePort: 32000
    - port: 443
      name: https
    selector:
      istio: ingress
#
# ingressgateway configuration
#
ingressgateway:
  enabled: true
  serviceAccountName: istio-ingressgateway-service-account
  autoscaleMin: 1
  autoscaleMax: 1
  resources: {}
    # limits:
    #  cpu: 100m
    #  memory: 128Mi
    # requests:
    #  cpu: 100m
    #  memory: 128Mi
  service:
    name: istio-ingressgateway #DNS addressable
    labels:
      istio: ingressgateway
    #namespace: istio-system
    loadBalancerIP: "10.100.100.129"
    type: LoadBalancer #change to NodePort, ClusterIP or LoadBalancer if need be
    ports:
    ## You can add custom gateway ports
    - port: 80
      name: http
      nodePort: 31380
    - port: 443
      name: https
      nodePort: 31390
    - port: 31400
      name: tcp
      nodePort: 31400
  deployment:
    labels:
      istio: ingressgateway #will be added to pods and service
    ports:
    - containerPort: 80
    - containerPort: 443
    - containerPort: 31400
    secretVolumes:
    - name: ingressgateway-certs
      secretName: istio-ingressgateway-certs
      mountPath: /etc/istio/ingressgateway-certs

#
# egressgateway configuration
#
egressgateway:
  enabled: true
  serviceAccountName: istio-egressgateway-service-account
  autoscaleMin: 1
  autoscaleMax: 1
  resources: {}
    # limits:
    #  cpu: 100m
    #  memory: 128Mi
    # requests:
    #  cpu: 100m
    #  memory: 128Mi
  service:
    name: istio-egressgateway #DNS addressable
    labels:
      istio: egressgateway
    #namespace: istio-system
    type: ClusterIP #change to NodePort or LoadBalancer if need be
    ports:
    ## You can add custom gateway ports
    - port: 80
      name: http
    - port: 443
      name: https
  deployment:
    labels:
      istio: egressgateway #will be added to pods and service
    ports:
    - containerPort: 80
    - containerPort: 443
    # secretVolumes: TODO
    # - name: someName
    #   mountPath: somePath
    #   secretName: someName

#
# sidecar-injector webhook configuration
#
sidecarInjectorWebhook:
  enabled: true
  image: sidecar_injector


#
# galley configuration
#
galley:
  enabled: false
  serviceAccountName: default
  replicaCount: 1
  image: galley
  resources: {}
    # limits:
    #  cpu: 100m
    #  memory: 128Mi
    # requests:
    #  cpu: 100m
    #  memory: 128Mi

#
# mixer configuration
#
mixer:
  enabled: true
  serviceAccountName: default # used only if RBAC is not enabled
  replicaCount: 1
  image: mixer
  resources: {}
    # limits:
    #  cpu: 100m
    #  memory: 128Mi
    # requests:
    #  cpu: 100m
    #  memory: 128Mi

  prometheusStatsdExporter:
    repository: 192.168.30.100:8889/prom/statsd-exporter
    tag: latest
    resources: {}

#
# pilot configuration
#
pilot:
  enabled: true
  serviceAccountName: default # used only if RBAC is not enabled
  replicaCount: 1
  image: pilot
  resources: {}
    # limits:
    #  cpu: 100m
    #  memory: 128Mi
    # requests:
    #  cpu: 100m
    #  memory: 128Mi

#
# security configuration
#
security:
  enabled: true
  serviceAccountName: default # used only if RBAC is not enabled
  replicaCount: 1
  image: citadel
  resources: {}
    # limits:
    #  cpu: 100m
    #  memory: 128Mi
    # requests:
    #  cpu: 100m
    #  memory: 128Mi
  cleanUpOldCA: true

#
# addons configuration
#
grafana:
  enabled: true
  replicaCount: 1
  image: grafana
  service:
    name: http
    type: ClusterIP
    externalPort: 3000
    internalPort: 3000
  ingress:
    enabled: false
    # Used to create an Ingress record.
    hosts:
      - grafana.local
    annotations:
      # kubernetes.io/ingress.class: nginx
      # kubernetes.io/tls-acme: "true"
    tls:
      # Secrets must be manually created in the namespace.
      # - secretName: grafana-tls
      #   hosts:
      #     - grafana.local

  resources: {}
    # limits:
    #  cpu: 100m
    #  memory: 128Mi
    # requests:
    #  cpu: 100m
    #  memory: 128Mi

prometheus:
  enabled: true
  replicaCount: 1
  image:
    repository: 192.168.30.100:8889/prom/prometheus
    tag: latest
  ingress:
    enabled: false
    # Used to create an Ingress record.
    #hosts:
    #  - prometheus.local
    annotations:
      # kubernetes.io/ingress.class: nginx
      # kubernetes.io/tls-acme: "true"
    tls:
      # Secrets must be manually created in the namespace.
      # - secretName: prometheus-tls
      #   hosts:
      #     - prometheus.local
  resources: {}
    # limits:
    #  cpu: 100m
    #  memory: 128Mi
    # requests:
    #  cpu: 100m
    #  memory: 128Mi
  service:
    nodePort:
      enabled: false
      port: 32090

servicegraph:
  enabled: true
  replicaCount: 1
  image: servicegraph
  service:
    name: http
    type: ClusterIP
    externalPort: 8088
    internalPort: 8088
  ingress:
    enabled: false
    # Used to create an Ingress record.
    hosts:
      - servicegraph.local
    annotations:
      # kubernetes.io/ingress.class: nginx
      # kubernetes.io/tls-acme: "true"
    tls:
      # Secrets must be manually created in the namespace.
      # - secretName: servicegraph-tls
      #   hosts:
      #     - servicegraph.local
  resources: {}
    # limits:
    #  cpu: 100m
    #  memory: 128Mi
    # requests:
    #  cpu: 100m
    #  memory: 128Mi
  # prometheus address
  prometheusAddr: http://prometheus:9090

tracing:
  enabled: true
  jaeger:
    enabled: true
    memory:
      max_traces: 50000
  replicaCount: 1
  image:
    repository: 192.168.30.100:8889/jaegertracing/all-in-one
    tag: 1.5
  service:
    name: http
    type: ClusterIP
    externalPort: 9411
    internalPort: 9411
    uiPort: 16686
  ingress:
    enabled: false
    # Used to create an Ingress record.
    hosts:
      - zipkin.local
    annotations:
      # kubernetes.io/ingress.class: nginx
      # kubernetes.io/tls-acme: "true"
    tls:
      # Secrets must be manually created in the namespace.
      # - secretName: zipkin-tls
      #   hosts:
      #     - zipkin.local
  resources: {}
    # limits:
    #  cpu: 100m
    #  memory: 128Mi
    # requests:
    #  cpu: 100m
    #  memory: 128Mi

The main changes were pointing the image references at the internal registry and enabling addons that are not installed by default (grafana, servicegraph, tracing). Note that this values.yaml still leaves global.mtls.enabled and global.controlPlaneSecurityEnabled at false, so service-to-service and control-plane traffic is plaintext, and the prometheus and statsd-exporter images are pulled by the mutable tag latest.
After the install completes:
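As an added example (not part of the Istio chart or of the original post), the script below is the pre-install check a security reviewer would run over the values.yaml above before it leaves a lab. It flattens plain key: value lines into dotted paths with awk (list items are ignored, which is enough for these keys) and flags the settings shown in the file that weaken the mesh: mTLS off, control-plane traffic unauthenticated, mutable image tags. The sample file it reads is constructed from the values above; the rule messages are the reviewer's wording, not chart text.

```shell
#!/bin/sh
# Added example: audit security-relevant keys in an Istio 0.8 Helm values.yaml.
# Assumes the chart's 2-space indentation. Not part of the Istio project.

# flatten_yaml FILE: print one "dotted.path=value" line per scalar key.
# Comments and blank lines are skipped; "- item" list entries are ignored.
flatten_yaml() {
  awk '
    /^[ \t]*#/ || /^[ \t]*$/ { next }
    {
      match($0, /^ */); ind = RLENGTH
      line = substr($0, ind + 1)
      if (line ~ /^- /) next                  # list items are out of scope here
      sub(/[ \t]+#.*$/, "", line)             # drop trailing comments
      n = index(line, ":")
      if (n == 0) next
      key = substr(line, 1, n - 1)
      val = substr(line, n + 1)
      gsub(/^[ \t]+|[ \t]+$/, "", val)
      gsub(/^"|"$/, "", val)                  # unquote values such as "*"
      depth = int(ind / 2)
      path[depth] = key
      for (d = depth + 1; d <= maxd; d++) delete path[d]
      if (depth > maxd) maxd = depth
      full = path[0]
      for (d = 1; d <= depth; d++) full = full "." path[d]
      if (val != "") print full "=" val
    }' "$1"
}

# audit_values FILE: print one WARN line per finding; the return value is the
# number of findings, so 0 means nothing was flagged.
audit_values() {
  findings=0
  flat=$(flatten_yaml "$1")
  for rule in \
    'global.mtls.enabled=false|service-to-service mTLS is off, traffic between sidecars is plaintext' \
    'global.controlPlaneSecurityEnabled=false|pilot, mixer and citadel talk to proxies without mTLS' \
    'global.rbacEnabled=false|no RBAC resources created, components fall back to the default ServiceAccount' \
    'global.proxy.enableCoreDump=true|sidecar core dumps can write request data and key material to the node'
  do
    pair=${rule%%|*}
    msg=${rule#*|}
    if printf '%s\n' "$flat" | grep -qx "$pair"; then
      printf 'WARN %s: %s\n' "$pair" "$msg"
      findings=$((findings + 1))
    fi
  done
  # A mutable tag defeats pinning: the image behind "latest" can change underneath you.
  for hit in $(printf '%s\n' "$flat" | grep '\.tag=latest$' || true); do
    printf 'WARN %s: mutable image tag, pin a version or a digest\n' "$hit"
    findings=$((findings + 1))
  done
  return "$findings"
}

# Constructed sample: the security-relevant lines lifted from the values.yaml above.
SAMPLE=$(mktemp)
cat > "$SAMPLE" <<'EOF'
global:
  hub: 192.168.30.100:8889/istio
  tag: 0.8.0
  proxy:
    image: proxyv2
    enableCoreDump: false
    includeIPRanges: "*"
  controlPlaneSecurityEnabled: false
  mtls:
    enabled: false
  rbacEnabled: true
mixer:
  enabled: true
  prometheusStatsdExporter:
    repository: 192.168.30.100:8889/prom/statsd-exporter
    tag: latest
prometheus:
  image:
    repository: 192.168.30.100:8889/prom/prometheus
    tag: latest
EOF

audit_values "$SAMPLE" || echo "findings: $?"
rm -f "$SAMPLE"
```

Run against the sample it reports four findings: mTLS off, control-plane security off, and the two latest tags. The checks are deliberately on the Helm values rather than on the running cluster, so they can gate a helm install in CI before anything is deployed; fixing the first two is a matter of setting the keys to true (which makes pod start-up wait for citadel to issue certificates, as the chart comment warns).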

[Screenshot: istio svc]

To avoid port 80 already being taken on the machine hosting the ingressgateway, a dedicated machine with the ingressgateway's IP address was requested.

The hostnames were added to DNS.

Mesh Expansion

Istio can also manage applications that are not run by Kubernetes. For that, Istio has to be deployed on the VM or physical machine hosting the application; see https://istio.io/docs/setup/kubernetes/mesh-expansion.html for the steps.
Once it is deployed, the application can be registered with Istio, for example:

# istioctl register servicename machine-ip portname:port
istioctl -n onprem register mysql 1.2.3.4 3306
istioctl -n onprem register svc1 1.2.3.4 http:7000

Prometheus, Grafana and Zipkin

Once all the pods are running, these services can be reached through a NodePort, the external IP of a LoadBalancer service, kubectl proxy, or an Istio Gateway plus VirtualService as below. Prometheus and the Jaeger UI have no authentication of their own, so a port-80 Gateway exposes them in plaintext to anyone who can reach the gateway address; keep that address internal or terminate TLS on the gateway before doing this outside a lab.

apiVersion: networking.istio.io/v1alpha3
kind: Gateway
metadata:
  name: istio-gateway
spec:
  selector:
    istio: ingressgateway # use istio default controller
  servers:
  - port:
      number: 80
      name: http
      protocol: HTTP
    hosts:
    - "prom.example.com"
    - "grafana.example.com"
    - "pilot.example.com"
    - "zipkin.example.com"
---
apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
  name: grafana
spec:
  hosts:
  - "grafana.example.com"
  gateways:
  - istio-gateway
  http:
  - route:
    - destination:
        host: grafana.istio-system.svc.cluster.local
        port:
          number: 3000
---
apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
  name: prom
spec:
  hosts:
  - "prom.example.com"
  gateways:
  - istio-gateway
  http:
  - route:
    - destination:
        host: prometheus.istio-system.svc.cluster.local
        port:
          number: 9090
---

Grafana is then reachable at http://grafana.example.com

jaeger-query, reached through the load balancer, shows the call graph between services.
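As an added example (not code from the Istio project or the original post), the script below renders the TLS-terminating counterpart of the plaintext Gateway above, plus one VirtualService per addon, so the same hostnames are served on 443 instead of 80. The certificate paths are the mount point the values.yaml above gives for the istio-ingressgateway-certs secret; the secret itself (kubectl create secret tls istio-ingressgateway-certs --cert=... --key=... -n istio-system) has to exist before the ingressgateway pod starts, and both that step and the host-to-service mapping are assumptions here.

```shell
#!/bin/sh
# Added example: render an HTTPS Gateway and VirtualServices for the Istio addons.
# Assumes Istio 0.8 (networking.istio.io/v1alpha3) and a TLS secret named
# istio-ingressgateway-certs mounted at /etc/istio/ingressgateway-certs, as in
# the values.yaml above. Not part of the Istio project.

# render_gateway NAME HOST...: Gateway bound to the ingressgateway pods that
# terminates TLS with the mounted certificate (mode SIMPLE = server-side TLS only).
render_gateway() {
  name=$1; shift
  cat <<EOF
apiVersion: networking.istio.io/v1alpha3
kind: Gateway
metadata:
  name: $name
spec:
  selector:
    istio: ingressgateway
  servers:
  - port:
      number: 443
      name: https
      protocol: HTTPS
    tls:
      mode: SIMPLE
      serverCertificate: /etc/istio/ingressgateway-certs/tls.crt
      privateKey: /etc/istio/ingressgateway-certs/tls.key
    hosts:
EOF
  for h in "$@"; do printf '    - "%s"\n' "$h"; done
}

# render_virtualservice NAME HOST SERVICE PORT GATEWAY: route one hostname,
# received on GATEWAY, to a cluster-internal service and port.
render_virtualservice() {
  cat <<EOF
---
apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
  name: $1
spec:
  hosts:
  - "$2"
  gateways:
  - $5
  http:
  - route:
    - destination:
        host: $3
        port:
          number: $4
EOF
}

# Constructed mapping, one addon per line: "name host service port".
# Hostnames are the example names used above; adjust to your DNS.
ADDONS='grafana grafana.example.com grafana.istio-system.svc.cluster.local 3000
prom prom.example.com prometheus.istio-system.svc.cluster.local 9090'

# render_manifests GATEWAY: one Gateway covering every host, then a
# VirtualService per addon, as a single multi-document YAML stream.
render_manifests() {
  hosts=$(printf '%s\n' "$ADDONS" | awk '{ print $2 }')
  # word-splitting of $hosts is intended: one argument per hostname
  render_gateway "$1" $hosts
  printf '%s\n' "$ADDONS" | while read -r name host svc port; do
    render_virtualservice "$name" "$host" "$svc" "$port" "$1"
  done
}

render_manifests istio-gateway
```

Pipe the output into kubectl apply -f - in the namespace where the VirtualServices live (the gateway is referenced by its bare name, as in the original manifest). TLS only protects the transport: the addons are still unauthenticated behind it, so pair this with network-level restrictions on the loadBalancerIP or put an authenticating proxy in front of them.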

References

Official Istio installation guide
Istio installation