Getting Started With Istio 1.9

2021-03-22 17:31:36

Download and install Istio

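# pin the version so the download matches the directory used below
$ curl -L https://istio.io/downloadIstio | ISTIO_VERSION=1.9.1 sh -
$ cd istio-1.9.1
# put istioctl on the PATH
$ export PATH=$PWD/bin:$PATH
# enable bash completion for istioctl
$ cp tools/istioctl.bash /root/
$ source /root/istioctl.bash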

#we use the demo configuration profile
$ istioctl install --set profile=demo -y

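#enable access logs (repeat the flags used at install time; without profile=demo the default profile would be applied)
$ istioctl install --set profile=demo --set meshConfig.accessLogFile=/dev/stdout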

#Add a namespace label to instruct Istio to automatically inject Envoy sidecar proxies when you deploy your application later
$ kubectl label namespace back-end istio-injection=enabled

#manually inject a deployment
$ istioctl kube-inject -f samples/sleep/sleep.yaml | kubectl apply -f -

# inspecting the deployments, pods, services and other resources that were installed by Istio
$ kubectl -n istio-system get deploy
NAME READY UP-TO-DATE AVAILABLE AGE
istio-ingressgateway 1/1 1 1 47d
istiod 1/1 1 1 47d
kiali 1/1 1 1 52m
prometheus 1/1 1 1 35m

#display the names of Istio configuration profiles
$ istioctl profile list
Istio configuration profiles:
default
demo
empty
minimal
openshift
preview
remote

Deploy the sample application

$ kubectl apply -f samples/bookinfo/platform/kube/bookinfo.yaml -nback-end

$ kubectl get services -nback-end
NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE
details ClusterIP 10.10.167.174 <none> 9080/TCP 46d
productpage ClusterIP 10.10.38.82 <none> 9080/TCP 46d
ratings ClusterIP 10.10.146.1 <none> 9080/TCP 46d
reviews ClusterIP 10.10.121.159 <none> 9080/TCP 46d


$ kubectl get pod -nback-end
NAME READY STATUS RESTARTS AGE
details-v1-7cf94f6cfc-74nzz 2/2 Running 0 3d
productpage-v1-699d889699-f9v89 2/2 Running 0 3d
ratings-v1-6676c6c6d9-hm42v 2/2 Running 0 3d
reviews-v1-768b495cc9-9rcrn 2/2 Running 0 3d
reviews-v2-76f576ddbc-nbtnz 2/2 Running 0 3d
reviews-v3-5785689f47-njxl6 2/2 Running 0 3d


$ kubectl exec "$(kubectl get pod -nback-end -l app=ratings -o jsonpath='{.items[0].metadata.name}')" -nback-end -c ratings -- curl -sS productpage:9080/productpage | grep -o "<title>.*</title>"
<title>Simple Bookstore App</title>

Open the application to outside traffic

$ kubectl apply -f samples/bookinfo/networking/bookinfo-gateway.yaml -nback-end


$ istioctl analyze -nback-end
✔ No validation issues found when analyzing namespace: back-end.


$ kubectl get svc istio-ingressgateway -n istio-system
NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE
istio-ingressgateway LoadBalancer 10.10.238.4 <pending> 15021:40386/TCP,80:32705/TCP,443:39232/TCP,31400:46574/TCP,15443:44787/TCP 46d


If the EXTERNAL-IP value is set, your environment has an external load balancer that you can use for the ingress gateway. If the EXTERNAL-IP value is <none> (or perpetually <pending>), your environment does not provide an external load balancer for the ingress gateway. In this case, you can access the gateway using the service’s node port.

export INGRESS_HOST=$(kubectl -n istio-system get service istio-ingressgateway -o jsonpath='{.status.loadBalancer.ingress[0].ip}')
export INGRESS_PORT=$(kubectl -n istio-system get service istio-ingressgateway -o jsonpath='{.spec.ports[?(@.name=="http2")].port}')
export SECURE_INGRESS_PORT=$(kubectl -n istio-system get service istio-ingressgateway -o jsonpath='{.spec.ports[?(@.name=="https")].port}')

Here we access the application through the node port: http://masterip:32705/productpage

View the dashboard

Use the following instructions to deploy the Kiali dashboard, along with Prometheus, Grafana, and Jaeger

$ istioctl apply -f samples/addons/kiali.yaml 
This will install the Istio 1.9.1 profile with ["Istio core" "Istiod" "Ingress gateways"] components into the cluster. Proceed? (y/N) y
✔ Istio core installed
✔ Istiod installed
✔ Ingress gateways installed
- Pruning removed resources Removed PodDisruptionBudget:istio-system:istio-egressgateway.
Removed Deployment:istio-system:istio-egressgateway.
Removed Service:istio-system:istio-egressgateway.
Removed ServiceAccount:istio-system:istio-egressgateway-service-account.
Removed RoleBinding:istio-system:istio-egressgateway-sds.
Removed Role:istio-system:istio-egressgateway-sds.
✔ Installation complete


$ kubectl apply -f samples/addons/prometheus.yaml
serviceaccount/prometheus created
configmap/prometheus created
clusterrole.rbac.authorization.k8s.io/prometheus created
clusterrolebinding.rbac.authorization.k8s.io/prometheus created
service/prometheus created
deployment.apps/prometheus created

#the deployment takes a while to complete, so wait for it here
$ while ! kubectl wait --for=condition=available --timeout=600s deployment/kiali -n istio-system; do sleep 1; done
deployment.apps/kiali condition met

$ istioctl dashboard kiali
http://localhost:20001/kiali
Failed to open browser; open http://localhost:20001/kiali in your browser.

$ kubectl get pod -nistio-system
NAME READY STATUS RESTARTS AGE
istio-ingressgateway-98c798c9-rtcd8 1/1 Running 0 57m
istiod-845ddbdd69-crnb4 1/1 Running 0 58m
kiali-d4fdb9cdb-88lgm 1/1 Running 0 19m
prometheus-7d76687994-5rgvs 2/2 Running 0 3m26s


tiger@abc:~$ kubectl port-forward --namespace istio-system service/kiali 4001:20001
Now we can simply open http://localhost:4001/

#or access it through a node port
$ kubectl get service kiali -n istio-system -o yaml > kiali-service.yaml
$ vim kiali-service.yaml

spec:
  clusterIP: 10.10.29.155
  ports:
  - name: http
    # -> nodePort: 32123
    port: 20001
    protocol: TCP
    targetPort: 20001
  - name: http-metrics
    port: 9090
    protocol: TCP
    targetPort: 9090
  selector:
    app.kubernetes.io/instance: kiali-server
    app.kubernetes.io/name: kiali
  sessionAffinity: None
  type: ClusterIP # -> type: NodePort
status:
  loadBalancer: {}

Uninstall Istio

$ istioctl x uninstall --purge


#The control plane namespace (e.g., istio-system) is not removed by default.
#If no longer needed, use the following command to remove it:

$ kubectl delete namespace istio-system

Upgrade Istio from 1.8 to 1.9

$ ./istioctl upgrade -f demo.yaml                           
2021-03-19T08:37:18.145328Z info proto: tag has too few fields: "-"
Control Plane - istio-egressgateway pod - istio-egressgateway-7fc985bd9f-tnjcl - version: 1.8.2
Control Plane - istio-ingressgateway pod - istio-ingressgateway-58f9d7d858-bg272 - version: 1.8.2
Control Plane - istiod pod - istiod-7d8f784f96-vpx8v - version: 1.8.2

Upgrade version check passed: 1.8.2 -> 1.9.1.

2021-03-19T08:37:18.503724Z info Error: failed to generate Istio configs from file [demo.yaml] for the current version: 1.8.2, error: Get "https://github.com/istio/istio/releases/download/1.8.2/istio-1.8.2-osx.tar.gz": read tcp 172.17.20.10:5127->52.74.223.119:443: read: connection reset by peer

Error: failed to generate Istio configs from file [demo.yaml] for the current version: 1.8.2, error: Get "https://github.com/istio/istio/releases/download/1.8.2/istio-1.8.2-osx.tar.gz": read tcp 172.17.20.10:5127->52.74.223.119:443: read: connection reset by peer

Add an entry to the hosts file:
52.69.186.44 github.com

$ ./istioctl upgrade -f demo.yaml
2021-03-19T09:02:56.689202Z info proto: tag has too few fields: "-"
Control Plane - istio-egressgateway pod - istio-egressgateway-7fc985bd9f-tnjcl - version: 1.8.2
Control Plane - istio-ingressgateway pod - istio-ingressgateway-58f9d7d858-bg272 - version: 1.8.2
Control Plane - istiod pod - istiod-7d8f784f96-vpx8v - version: 1.8.2

Upgrade version check passed: 1.8.2 -> 1.9.1.

Upgrade check: Warning!!! The following IOPS will be changed as part of upgrade. Please double check they are correct:
spec:
addonComponents: map[istiocoredns:map[enabled:false]] ->
components:
egressGateways:
'[#0]':
k8s:
env: '[map[name:ISTIO_META_ROUTER_MODE value:standard]] ->'
hpaSpec: map[maxReplicas:5 metrics:[map[resource:map[name:cpu targetAverageUtilization:80] type:Resource]] minReplicas:1 scaleTargetRef:map[apiVersion:apps/v1 kind:Deployment name:istio-egressgateway]] ->
resources:
limits: map[cpu:2000m memory:1024Mi] ->
service: map[ports:[map[name:http2 port:80 protocol:TCP targetPort:8080] map[name:https port:443 protocol:TCP targetPort:8443] map[name:tls port:15443 protocol:TCP targetPort:15443]]] ->
strategy: map[rollingUpdate:map[maxSurge:100% maxUnavailable:25%]] ->
ingressGateways:
'[#0]':
k8s:
env: '[map[name:ISTIO_META_ROUTER_MODE value:standard]] ->'
hpaSpec: map[maxReplicas:5 metrics:[map[resource:map[name:cpu targetAverageUtilization:80] type:Resource]] minReplicas:1 scaleTargetRef:map[apiVersion:apps/v1 kind:Deployment name:istio-ingressgateway]] ->
resources:
limits: map[cpu:2000m memory:1024Mi] ->
strategy: map[rollingUpdate:map[maxSurge:100% maxUnavailable:25%]] ->
pilot:
k8s:
readinessProbe: map[httpGet:map[path:/ready port:8080] initialDelaySeconds:1 periodSeconds:3 timeoutSeconds:5] ->
replicaCount: -> 1
strategy: map[rollingUpdate:map[maxSurge:100% maxUnavailable:25%]] ->
installPackagePath: /tmp/istio-install-packages/istio-1.8.2/manifests ->
values:
clusterResources: true ->
global:
meshExpansion: map[enabled:false useILB:false] ->
istiocoredns: map[coreDNSImage:coredns/coredns coreDNSPluginImage:istio/coredns-plugin:0.2-istio-1.1 coreDNSTag:1.6.2] ->
sidecarInjectorWebhook: map[enableNamespacesByDefault:false objectSelector:map[autoInject:true enabled:false] rewriteAppHTTPProbe:true] ->

Confirm to proceed [y/N]? y
✔ Istio core installed
✔ Istiod installed
✔ Ingress gateways installed
✔ Egress gateways installed
✔ Installation complete ..........
Upgrade rollout completed. All Istio control plane pods are running on the target version.


Control Plane - istio-egressgateway pod - istio-egressgateway-d65f89ff9-dd5bk - version: 1.9.1
Control Plane - istio-ingressgateway pod - istio-ingressgateway-79d84c875d-tnjfg - version: 1.9.1
Control Plane - istiod pod - istiod-bbbdc64cb-8q96m - version: 1.9.1

Success. Now the Istio control plane is running at version 1.9.1.

To upgrade the Istio data plane, you will need to re-inject it.
If you’re using automatic sidecar injection, you can upgrade the sidecar by doing a rolling update for all the pods:
kubectl rollout restart deployment --namespace <namespace with auto injection>
If you’re using manual injection, you can upgrade the sidecar by executing:
kubectl apply -f < (istioctl kube-inject -f <original application deployment yaml>)

$ istioctl version
client version: 1.9.1
control plane version: 1.9.1
data plane version: 1.9.1 (8 proxies)
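
The injection step (pods showing READY 2/2) and the re-injection reminder printed after the upgrade come down to the same check: every workload pod carries an istio-proxy container whose image matches the control-plane version. The script below is an added example, not part of the original post; the function names and the sample pod lines are constructed for illustration, and the input format assumes the jsonpath query shown in the comment.

```shell
#!/bin/sh
# Added example: report pods with no istio-proxy sidecar or a stale proxy image.
# stdin: one pod per line, "<pod><TAB><container>=<image> ...", as printed by
#   kubectl get pods -n back-end -o jsonpath='{range .items[*]}{.metadata.name}{"\t"}{range .spec.containers[*]}{.name}={.image}{" "}{end}{"\n"}{end}'

audit_sidecars() {   # $1 = expected proxy version, e.g. 1.9.1
    awk -F '\t' -v want="$1" '
        NF == 0 { next }                      # skip blank lines
        {
            found = 0; tag = ""
            n = split($2, c, " ")
            for (i = 1; i <= n; i++) {
                if (index(c[i], "istio-proxy=") != 1) continue
                found = 1
                img = substr(c[i], length("istio-proxy=") + 1)
                sub(/^.*\//, "", img)         # drop registry/repo path (may hold a port)
                p = index(img, ":")
                if (p > 0) tag = substr(img, p + 1)
            }
            if (!found) { print "MISSING " $1; bad = 1 }
            # accept the exact version or a variant such as 1.9.1-distroless
            else if (tag != want && index(tag, want "-") != 1) {
                print "STALE " $1 " " tag; bad = 1
            }
        }
        END { exit bad + 0 }                  # non-zero when anything was flagged
    '
}

# Constructed sample input (image names are illustrative, not taken from a cluster).
sample_pods() {
    printf 'details-v1-7cf94f6cfc-74nzz\tdetails=example/details:1 istio-proxy=docker.io/istio/proxyv2:1.9.1 \n'
    printf 'ratings-v1-6676c6c6d9-hm42v\tratings=example/ratings:1 istio-proxy=docker.io/istio/proxyv2:1.8.2 \n'
    printf 'sleep-example\tsleep=example/curl:1 \n'
}

# Demo run: prints one STALE and one MISSING line for the sample above.
sample_pods | audit_sidecars 1.9.1 || echo "sidecar audit found problems"
```

A pod reported as STALE needs the rolling restart (or manual re-injection) that the upgrade output mentions; a pod reported as MISSING is running outside the mesh.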
