Istio 1.1安裝部署實踐

3月20日，Istio 1.1版本正式發佈，我們已在《全方位解讀 | Istio v1.1正式發佈》一文中爲大家進行了簡單介紹。本文將給大家帶來詳細的部署過程詳解，需要說明的是，本文針對單集羣安裝部署，多集羣安裝部署會在後續文章中詳細說明。

前提條件

• 正確安裝配置Kubernetes集羣
• CentOS Linux release 7.5.1804

安裝

下載istio 1.1版本

[root@vm157 ~]# wget https://github.com/istio/istio/releases/download/1.1.1/istio-1.1.1-linux.tar.gz

   ……

2019-03-26 09:39:06 (483 KB/s) - ‘istio-1.1.1-linux.tar.gz’ saved [15736205/15736205]

Istio安裝有多種方式，本文根據helm template生成istio部署的配置文件，其他部署方式請參考官方文檔。

[root@vm157 ~]# cd istio-1.1.1/

[root@ruffy istio-1.1.1]# helm template ../install/kubernetes/helm/istio-init --name istio-init --namespace istio-system > istio-init.yaml

[root@ruffy istio-1.1.1]# kubectl get crds | grep 'istio.io\|certmanager.k8s.io' | wc -l

[root@ruffy istio-1.1.1]# InternalIp=10.20.1.175

[root@ruffy istio-1.1.1]# helm template install/kubernetes/helm/istio --namespace istio-system \

>   --set global.mtls.enabled=true \

>   --set global.controlPlaneSecurityEnabled=true \

>   --set gateways.istio-ingressgateway.type=NodePort \

>   --set grafana.enabled=true \

>   --set servicegraph.enabled=true \

>   --set servicegraph.ingress.enabled=true \

>   --set servicegraph.ingress.hosts={servicegraph-istio-system.${InternalIp}.nip.io} \

>   --set tracing.enabled=true \

>   --set tracing.jaeger.ingress.enabled=true \

>   --set tracing.jaeger.ingress.hosts={jaeger-query-istio-system.${InternalIp}.nip.io} \

>   --set tracing.ingress.enabled=true \

>   --set tracing.ingress.hosts={tracing-istio-system.${InternalIp}.nip.io} \

>   --set kiali.enabled=true \

>   --set kiali.ingress.enabled=true \

>   --set kiali.ingress.hosts={kiali-istio-system.${InternalIp}.nip.io} \

>   --set kiali.dashboard.grafanaURL=http://grafana-istio-system.${InternalIp}.nip.io \

>   --set kiali.dashboard.jaegerURL=http://jaeger-query-istio-system.${InternalIp}.nip.io \

>   --name istio > ruffy/istio-${InternalIp}.yaml

[root@vm175 istio-1.1.1]# cd ruffy

[root@vm175 ruffy]# ls

istio-10.20.1.175.yaml  istio-init.yaml         namespace.yaml

根據配置模板部署Isito組件

[root@vm175 istio-1.1.1]# kubectl apply -f ruffy/namespace.yaml

namespace/istio-system created         

[root@vm175 istio-1.1.1]# kubectl apply -f ruffy/istio-init.yaml

configmap/istio-crd-10 created

configmap/istio-crd-11 created

serviceaccount/istio-init-service-account created

clusterrole.rbac.authorization.k8s.io/istio-init-istio-system configured

clusterrolebinding.rbac.authorization.k8s.io/istio-init-admin-role-binding-istio-system configured

job.batch/istio-init-crd-10 created

job.batch/istio-init-crd-11 created

[root@vm175 istio-1.1.1]# kubectl apply -f ruffy/istio-10.20.1.175.yaml

poddisruptionbudget.policy/istio-galley created

poddisruptionbudget.policy/istio-ingressgateway created

poddisruptionbudget.policy/istio-policy created

poddisruptionbudget.policy/istio-telemetry created

poddisruptionbudget.policy/istio-pilot created

……

rule.config.istio.io/promhttp created

rule.config.istio.io/promtcp created

rule.config.istio.io/promtcpconnectionopen created

rule.config.istio.io/promtcpconnectionclosed created

handler.config.istio.io/kubernetesenv created

rule.config.istio.io/kubeattrgenrulerule created

rule.config.istio.io/tcpkubeattrgenrulerule created

kubernetes.config.istio.io/attributes created

destinationrule.networking.istio.io/istio-policy created

destinationrule.networking.istio.io/istio-telemetry created

查看Isito部署狀態

[root@vm175 istio-1.1.1]# kubectl -n istio-system get all

NAME                                          READY     STATUS              RESTARTS   AGE

pod/grafana-7b46bf6b7c-xr2lw                  1/1       Running             0          2m

pod/istio-citadel-5878d994cc-kfm7p            1/1       Running             0          2m

pod/istio-cleanup-secrets-1.1.1-wlk7p         0/1       Completed           0          2m

pod/istio-galley-6db4964df6-9lpsl             1/1       Running             0          2m

pod/istio-grafana-post-install-1.1.1-44lv7    0/1       Completed           0          2m

pod/istio-ingressgateway-cd5df7bc6-sgh5m      0/1       Running             0          2m

pod/istio-init-crd-10-q5kvp                   0/1       Completed           0          3m

pod/istio-init-crd-11-kdd25                   0/1       Completed           0          3m

pod/istio-pilot-597dd58685-hsp72              1/2       Running             0          2m

pod/istio-policy-67f66c8b5c-8kqwm             2/2       Running             5          2m

pod/istio-security-post-install-1.1.1-gcjrm   0/1       Completed           0          2m

pod/istio-sidecar-injector-59fc9d6f7d-j9prx   0/1       ContainerCreating   0          2m

pod/istio-telemetry-c5bfc457f-qqzb5           2/2       Running             4          2m

pod/istio-tracing-75dd89b8b4-2t2hl            0/1       ContainerCreating   0          2m

pod/kiali-5d68f4c676-bdltq                    1/1       Running             0          2m

pod/prometheus-89bc5668c-7kp8b                0/1       Init:Error          1          2m

pod/servicegraph-57bfbbd697-6tldj             0/1       Running             0          2m

……

NAME                                          DESIRED   SUCCESSFUL   AGE

job.batch/istio-cleanup-secrets-1.1.1         1         1            2m

job.batch/istio-grafana-post-install-1.1.1    1         1            2m

job.batch/istio-init-crd-10                   1         1            3m

job.batch/istio-init-crd-11                   1         1            3m

job.batch/istio-security-post-install-1.1.1   1         1            2m

增加grafana和prometheus的ingress文件

Istio-grafana.yaml

[root@vm175 ruffy]# cat istio-grafana-ingress.yaml

apiVersion: extensions/v1beta1

kind: Ingress

metadata:

  name: grafana

  namespace: istio-system

  labels:

    app: grafana

  annotations:

spec:

  rules:

  - host: granafa-istio.10.20.1.175.xip.io

    http:

      paths:

      - path: /

        backend:

          serviceName: grafana

          servicePort: 3000

Isito-prometheus-ingress.yaml

[root@vm175 ruffy]# cat istio-prometheus-ingress.yaml

apiVersion: extensions/v1beta1

kind: Ingress

metadata:

  name: istio-prometheus

  namespace: istio-system

spec:

  rules:

  - host: prometheus-istio.10.20.1.175.xip.io

    http:

      paths:

      - path: /prometheus

        backend:

          serviceName: prometheus

          servicePort: 9090

查看部署的組件訪問路徑

[root@vm175 ruffy]# kubectl -n istio-system get ing

NAME                 HOSTS                                          ADDRESS   PORTS     AGE

grafana              granafa-istio.10.20.1.175.xip.io                         80        5m

istio-prometheus     prometheus-istio.10.20.1.175.xip.io                      80        5m

istio-servicegraph   servicegraph-istio-system.10.20.1.175.nip.io             80        56m

istio-tracing        tracing-istio-system.10.20.1.175.nip.io                  80        56m

kiali                kiali-istio-system.10.20.1.175.nip.io                    80        56m

訪問kiali時，出現secret不存在的情況，需要通過kiali-secret.yaml文件創建secret，並且重啓kiali服務。

Kiali-secret.yaml文件

[root@vm175 ruffy]# cat kiali-secret.yaml

apiVersion: v1

kind: Secret

metadata:

  name: kiali

  namespace: istio-system

  labels:

    app: kiali

type: Opaque

data:

  username: "YWRtaW4="

  passphrase: "YWRtaW4="

訪問Kiali

瀏覽器輸入地址：http://kiali-istio-system.10.20.1.175.nip.io/kiali/

用戶名/密碼：admin/admin

訪問servicegraph

瀏覽器輸入地址：http://servicegraph-istio-system.10.20.1.175.nip.io/force/forcegraph.html

訪問tracing

瀏覽器輸入地址：http://servicegraph-istio-system.10.20.1.175.nip.io/force/forcegraph.html

訪問granafa

瀏覽器輸入地址：http://granafa-istio.10.20.1.175.xip.io/d/TSEY6jLmk/istio-galley-dashboard?refresh=5s&orgId=1

至此 Istio1.1及其依賴組件搭建完畢。