部署Istio与BookInfo样例
Istio是非入侵式的跨语言服务治理方案,与业务代码达到进程解耦,以SideCar模式完成服务治理——流量管理、安全、策略、遥测。Istio架构比Dubbo、Spring Cloud先进。
本文将演示:在K8s集群中部署Istio与其BookInfo样例。
1. 准备条件
- 安装Helm与Tiller:参考“给K8s安装Helm与Tiller”。
- 更大的内存。最小内存要求:主节点3GB,2个工作节点各6GB。
2. 安装Istio
安装Istio-1.3.2,开启CNI,使用demo配置文件(不适用于生产环境),SideCar自动注入到default命名空间。
在k8s-master节点上执行:
# Get the release file
wget https://github.com/istio/istio/releases/download/1.3.2/istio-1.3.2-linux.tar.gz
tar -zxvf istio-1.3.2-linux.tar.gz
# Install 'istio-init' with Helm: https://istio.io/docs/setup/install/helm/
cd istio-1.3.2/
helm install install/kubernetes/helm/istio-init --name istio-init --namespace istio-system
# Check PODs, waiting for the STATUS 'Completed'
xxx@k8s-master:~/istio-1.3.2$ kubectl get pods -n istio-system -o wide
NAME READY STATUS RESTARTS AGE IP NODE NOMINATED NODE READINESS GATES
istio-init-crd-10-1.3.2-v27ll 0/1 Completed 0 3m1s 10.244.2.7 k8s-worker-2 <none> <none>
istio-init-crd-11-1.3.2-x695w 0/1 Completed 0 3m1s 10.244.2.8 k8s-worker-2 <none> <none>
istio-init-crd-12-1.3.2-4j872 0/1 Completed 0 3m1s 10.244.1.8 k8s-worker-1 <none> <none>
# Check crds
xxx@k8s-master:~/istio-1.3.2$ kubectl get crds | grep 'istio.io' | wc -l
23
# Install 'istio-cni'
helm install install/kubernetes/helm/istio-cni --name istio-cni --namespace kube-system
# Check and wait
helm status istio-cni
# Install 'istio-demo'
helm install install/kubernetes/helm/istio --name istio --namespace istio-system --values install/kubernetes/helm/istio/values-istio-demo.yaml --set istio_cni.enabled=true --set gateways.istio-ingressgateway.type=NodePort
# Check and wait
helm status istio
# Verifying the installation
kubectl get svc -n istio-system
xxx@k8s-master:~/istio-1.3.2$ kubectl get pods -n istio-system
NAME READY STATUS RESTARTS AGE
grafana-59d57c5c56-v254t 1/1 Running 0 17m
istio-citadel-658567496c-s8w7b 1/1 Running 0 17m
istio-egressgateway-54f65d655-l7qx8 1/1 Running 0 17m
istio-galley-9695fbd77-4kmtm 1/1 Running 0 17m
istio-ingressgateway-6b49645788-92qzj 1/1 Running 0 17m
istio-init-crd-10-1.3.2-v27ll 0/1 Completed 0 137m
istio-init-crd-11-1.3.2-x695w 0/1 Completed 0 137m
istio-init-crd-12-1.3.2-4j872 0/1 Completed 0 137m
istio-pilot-68d7657565-fb56j 2/2 Running 0 17m
istio-policy-7fc77f846b-f2kt9 2/2 Running 6 17m
istio-sidecar-injector-54d9c5b6f8-clntx 1/1 Running 0 17m
istio-telemetry-777cb89b7b-gqhz9 2/2 Running 6 17m
istio-tracing-6bbdc67d6c-54rjg 1/1 Running 0 17m
kiali-8c9d6fbf6-xndjn 1/1 Running 0 17m
prometheus-7d7b9f7844-l94mw 1/1 Running 0 17m
# Auto inject namespace: 'default'
kubectl label namespace default istio-injection=enabled
kubectl get namespace -L istio-injection
3. 部署BookInfo样例
在k8s-master节点上执行:
cd istio-1.3.2/
kubectl apply -f samples/bookinfo/platform/kube/bookinfo.yaml
kubectl get services -o wide
xxx@k8s-master:~/istio-1.3.2$ kubectl get pods -o wide
NAME READY STATUS RESTARTS AGE IP NODE NOMINATED NODE READINESS GATES
details-v1-74f858558f-h49qt 2/2 Running 0 2m42s 10.244.2.17 k8s-worker-2 <none> <none>
productpage-v1-8554d58bff-nj8wj 2/2 Running 0 2m40s 10.244.2.19 k8s-worker-2 <none> <none>
ratings-v1-7855f5bcb9-xglxd 2/2 Running 0 2m42s 10.244.2.18 k8s-worker-2 <none> <none>
reviews-v1-59fd8b965b-cnjdc 2/2 Running 0 2m40s 10.244.2.20 k8s-worker-2 <none> <none>
reviews-v2-d6cfdb7d6-txtkr 2/2 Running 0 2m41s 10.244.1.18 k8s-worker-1 <none> <none>
reviews-v3-75699b5cfb-5nhsr 2/2 Running 0 2m41s 10.244.1.19 k8s-worker-1 <none> <none>
test-cephfs-67469b6fdd-8x2s9 1/1 Running 2 5h46m 10.244.1.10 k8s-worker-1 <none> <none>
# Check result
kubectl exec -it $(kubectl get pod -l app=ratings -o jsonpath='{.items[0].metadata.name}') -c ratings -- curl productpage:9080/productpage | grep -o "<title>.*</title>"
# <title>Simple Bookstore App</title>
# Bookinfo-gateway
kubectl apply -f samples/bookinfo/networking/bookinfo-gateway.yaml
kubectl get gateway
# Confirm with ingress gateway (node port)
export INGRESS_PORT=$(kubectl -n istio-system get service istio-ingressgateway -o jsonpath='{.spec.ports[?(@.name=="http2")].nodePort}')
export SECURE_INGRESS_PORT=$(kubectl -n istio-system get service istio-ingressgateway -o jsonpath='{.spec.ports[?(@.name=="https")].nodePort}')
export INGRESS_HOST=$(kubectl get po -l istio=ingressgateway -n istio-system -o jsonpath='{.items[0].status.hostIP}')
export GATEWAY_URL=$INGRESS_HOST:$INGRESS_PORT
echo $GATEWAY_URL
curl -s http://${GATEWAY_URL}/productpage | grep -o "<title>.*</title>"
# <title>Simple Bookstore App</title>
# Default destination rules (not enable mutual TLS)
kubectl apply -f samples/bookinfo/networking/destination-rule-all.yaml
kubectl get destinationrules -o yaml
default命名空间下,新部署的Pod都自动注入istio-proxy容器,所以READY显示为2/2。istio-proxy完成Istio的很多事情,去中心化负载均衡、熔断等功能就靠它。
使用Chrome浏览器 http://${GATEWAY_URL}/productpage,刷新3次看到不同的效果:
4. 使用Demo中的工具观察集群
Kiali,查看服务拓扑图:
export MASTER_NODE_IP=192.168.80.90
kubectl --address $MASTER_NODE_IP -n istio-system port-forward $(kubectl -n istio-system get pod -l app=kiali -o jsonpath='{.items[0].metadata.name}') 20001:20001
Chrome查看http://$MASTER_NODE_IP:20001,用户/密码:admin/admin:
Jaeger Trace:
kubectl --address $MASTER_NODE_IP -n istio-system port-forward $(kubectl -n istio-system get pod -l app=jaeger -o jsonpath='{.items[0].metadata.name}') 16686:16686
Chrome查看http://$MASTER_NODE_IP:16686:
Grafana:
kubectl --address $MASTER_NODE_IP -n istio-system port-forward $(kubectl -n istio-system get pod -l app=grafana -o jsonpath='{.items[0].metadata.name}') 3000:3000
Chrome查看http://$MASTER_NODE_IP:3000:
Prometheus:
kubectl --address $MASTER_NODE_IP -n istio-system port-forward $(kubectl -n istio-system get pod -l app=prometheus -o jsonpath='{.items[0].metadata.name}') 9090:9090
Chrome查看http://$MASTER_NODE_IP:9090:
5. 微服务注意事项
自己的微服务必需符合以下规范:
- Service的端口名称必需符合规范
name: <protocol>[-<suffix>],见: https://istio.io/docs/setup/additional-setup/requirements/ - Pod中容器存在HTTP的
readinessProbe或livenessProbe时,必需开启rewriteAppHTTPProbe(s),见: https://istio.io/docs/ops/app-health-check/#enable-via-helm-option-globally 。否则,微服务Pod不停重启。