kubernetes istio的快速安装和使用例子

安装

[root@master ~]# wget https://github.com/istio/istio/releases/download/1.1.5/istio-1.1.5-linux.tar.gz
[root@master ~]# tar -zxvf istio-1.1.5-linux.tar.gz
[root@master ~]# cd istio-1.1.5

安装所有Istio自定义资源定义 

[root@master istio-1.1.5]# for i in install/kubernetes/helm/istio-init/files/crd*yaml; do kubectl apply -f $i; done
[root@master istio-1.1.5]# kubectl apply -f install/kubernetes/istio-demo.yaml
[root@master istio-1.1.5]# kubectl  get svc -n istio-system
NAME                     TYPE           CLUSTER-IP       EXTERNAL-IP   PORT(S)                                                                                                                                      AGE
grafana                  ClusterIP      10.105.112.216   <none>        3000/TCP                                                                                                                                     19s
istio-citadel            ClusterIP      10.104.129.126   <none>        8060/TCP,15014/TCP                                                                                                                           19s
istio-egressgateway      ClusterIP      10.96.68.169     <none>        80/TCP,443/TCP,15443/TCP                                                                                                                     19s
istio-galley             ClusterIP      10.101.195.214   <none>        443/TCP,15014/TCP,9901/TCP                                                                                                                   19s
istio-ingressgateway     LoadBalancer   10.102.30.240    <pending>     15020:31109/TCP,80:31380/TCP,443:31390/TCP,31400:31400/TCP,15029:32481/TCP,15030:30697/TCP,15031:32508/TCP,15032:31496/TCP,15443:30329/TCP   19s
istio-pilot              ClusterIP      10.105.128.66    <none>        15010/TCP,15011/TCP,8080/TCP,15014/TCP                                                                                                       19s
istio-policy             ClusterIP      10.97.159.124    <none>        9091/TCP,15004/TCP,15014/TCP                                                                                                                 19s
istio-sidecar-injector   ClusterIP      10.99.226.143    <none>        443/TCP                                                                                                                                      19s
istio-telemetry          ClusterIP      10.109.97.180    <none>        9091/TCP,15004/TCP,15014/TCP,42422/TCP                                                                                                       19s
jaeger-agent             ClusterIP      None             <none>        5775/UDP,6831/UDP,6832/UDP                                                                                                                   19s
jaeger-collector         ClusterIP      10.96.209.196    <none>        14267/TCP,14268/TCP                                                                                                                          19s
jaeger-query             ClusterIP      10.110.178.26    <none>        16686/TCP                                                                                                                                    19s
kiali                    ClusterIP      10.103.103.154   <none>        20001/TCP                                                                                                                                    19s
prometheus               ClusterIP      10.102.6.211     <none>        9090/TCP                                                                                                                                     19s
tracing                  ClusterIP      10.110.154.208   <none>        80/TCP                                                                                                                                       19s
zipkin                   ClusterIP      10.98.186.181    <none>        9411/TCP 

当前 EXTERNAL-IP 处于 pending 状态，我们目前的环境并没有可用于Istio Ingress Gateway外部的负载均衡器，为了使得可以从外部访问，通过修改 istio-ingressgateway 这个Service的externalIps，以为当前Kubernetes集群的kube-proxy启用了ipvs，所以这个指定一个VIP 10.0.1.111作为externalIp。也可以把externalIp改为clusterIP

[root@master istio-1.1.5]# kubectl edit svc istio-ingressgateway -n istio-system

......
spec:
  externalIPs:
  - 10.0.1.111

......
//再次查看
[root@master istio-1.1.5]# kubectl get svc istio-ingressgateway -n istio-system
NAME                     TYPE           CLUSTER-IP       EXTERNAL-IP   PORT(S)                                                                                                                                      AGE
istio-ingressgateway     LoadBalancer   10.102.30.240    10.0.1.111    15020:31109/TCP,80:31380/TCP,443:31390/TCP,31400:31400/TCP,15029:32481/TCP,15030:30697/TCP,15031:32508/TCP,15032:31496/TCP,15443:30329/TCP   7m54s
[root@master istio-1.1.5]# kubectl label namespace default istio-injection=enabled //为需要自动注入sidecar的namespace打label
[root@master istio-1.1.5]# kubectl get namespace -L istio-system
NAME              STATUS   AGE   ISTIO-SYSTEM
default           Active   13d   enabled
istio-system      Active   22m   
kube-node-lease   Active   13d   
kube-public       Active   13d   
kube-system       Active   13d  

部署案例

[root@master istio-1.1.5]# kubectl apply -f samples/bookinfo/platform/kube/bookinfo.yaml
service/details created
deployment.extensions/details-v1 created
service/ratings created
deployment.extensions/ratings-v1 created
service/reviews created
deployment.extensions/reviews-v1 created
deployment.extensions/reviews-v2 created
deployment.extensions/reviews-v3 created
service/productpage created
deployment.extensions/productpage-v1 created
[root@master istio-1.1.5]# kubectl get svc
NAME           TYPE           CLUSTER-IP       EXTERNAL-IP   PORT(S)        AGE
details        ClusterIP      10.106.209.133   <none>        9080/TCP       84s
kubernetes     ClusterIP      10.96.0.1        <none>        443/TCP        13d
productpage    ClusterIP      10.96.27.39      <none>        9080/TCP       84s
ratings        ClusterIP      10.109.45.236    <none>        9080/TCP       84s
reviews        ClusterIP      10.102.249.50    <none>        9080/TCP       84s
[root@master istio-1.1.5]# kubectl get pods
NAME                             READY   STATUS    RESTARTS   AGE
details-v1-79c6548b59-d8448      1/1     Running   0          3m1s
productpage-v1-95d579cd5-62s8v   1/1     Running   0          3m1s
ratings-v1-7665579b75-jjvv7      1/1     Running   0          3m1s
reviews-v1-67446f7d9b-hrhbj      1/1     Running   0          3m1s
reviews-v2-6bc7b4f678-vhjwh      1/1     Running   0          3m1s
reviews-v3-59b5b6948-sxxhj       1/1     Running   0          3m1s
[root@master istio-1.1.5]# kubectl exec -it $(kubectl get pod -l app=ratings -o jsonpath='{.items[0].metadata.name}') -c ratings -- curl productpage:9080/productpage | grep -o "<title>.*</title>"
<title>Simple Bookstore App</title>

使用Istio Gateway接入集群外部流量
现在Bookinfo服务已启动并运行，您需要从Kubernetes集群外部访问应用程序，例如，从浏览器访问。一个Istio网关 用于此目的。

1.为应用程序定义入口网关：

[root@master istio-1.1.5]# kubectl apply -f samples/bookinfo/networking/destination-rule-all.yaml //此处不能楼，不然http://NodeIP:31380/productpage访问不了
[root@master istio-1.1.5]# kubectl apply -f samples/bookinfo/networking/bookinfo-gateway.yaml
gateway.networking.istio.io/bookinfo-gateway created
virtualservice.networking.istio.io/bookinfo created
[root@master istio-1.1.5]# kubectl get gateway
NAME               AGE
bookinfo-gateway   22s
[root@master istio-1.1.5]# kubectl get gateway bookinfo-gateway -o yaml
apiVersion: networking.istio.io/v1alpha3
kind: Gateway
metadata:
  annotations:
    kubectl.kubernetes.io/last-applied-configuration: |
      {"apiVersion":"networking.istio.io/v1alpha3","kind":"Gateway","metadata":{"annotations":{},"name":"bookinfo-gateway","namespace":"default"},"spec":{"selector":{"istio":"ingressgateway"},"servers":[{"hosts":["istio.haipai.com"],"port":{"name":"http","number":80,"protocol":"HTTP"}}]}}
  creationTimestamp: "2019-05-24T09:03:51Z"
  generation: 1
  name: bookinfo-gateway
  namespace: default
  resourceVersion: "1649570"
  selfLink: /apis/networking.istio.io/v1alpha3/namespaces/default/gateways/bookinfo-gateway
  uid: d93469d6-7e02-11e9-9cfc-fa163ec472b0
spec:
  selector:
    istio: ingressgateway
  servers:
  - hosts:
    - istio.haipai.com
    port:
      name: http
      number: 80
      protocol: HTTP

[root@master istio-1.1.5]# kubectl get VirtualService -o wide
NAME       GATEWAYS             HOSTS   AGE
bookinfo   [bookinfo-gateway]   [*]     4m51s

浏览器访问http://NodeIP:31380/productpage
然后创建v3的再去浏览器刷新几次就会发现有红有黑

[root@master istio-1.1.5]# kubectl apply -f samples/bookinfo/networking/virtual-service-reviews-v3.yaml 
virtualservice.networking.istio.io/reviews created

我们再建一个virtual-service-reviews-jason-v2-v3.yaml此service不登陆的话默认转发到v3(红色)，登陆就转发到v2(黑色)

[root@master istio-1.1.5]# ls samples/bookinfo/networking/
bookinfo-gateway.yaml            virtual-service-all-v1.yaml              virtual-service-reviews-80-20.yaml
certmanager-gateway.yaml         virtual-service-details-v2.yaml          virtual-service-reviews-90-10.yaml
destination-rule-all-mtls.yaml   virtual-service-ratings-db.yaml          virtual-service-reviews-jason-v2-v3.yaml
destination-rule-all.yaml        virtual-service-ratings-mysql-vm.yaml    virtual-service-reviews-test-v2.yaml
destination-rule-reviews.yaml    virtual-service-ratings-mysql.yaml       virtual-service-reviews-v2-v3.yaml
egress-rule-google-apis.yaml     virtual-service-ratings-test-abort.yaml  virtual-service-reviews-v3.yaml
fault-injection-details-v1.yaml  virtual-service-ratings-test-delay.yaml
ROUTING_RULE_MIGRATION.md        virtual-service-reviews-50-v3.yaml
[root@master istio-1.1.5]# kubectl apply -f samples/bookinfo/networking/virtual-service-reviews-jason-v2-v3.yaml
virtualservice.networking.istio.io/reviews configured

//此时不登陆刷新都是红色，登陆用户jason，密码jason刷新都是黑色