Installation documentation:
https://istio.io/latest/zh/docs/setup/install/helm/
https://istio.io/latest/zh/docs/ops/common-problems/injection/
https://blog.csdn.net/wangqiaowq/article/details/134396695
Integration with Spring Boot:
https://grpc-ecosystem.github.io/grpc-spring/zh-CN/
https://www.cnblogs.com/fengpinglangjingruma/p/14627807.html
https://developer.aliyun.com/article/1008390
https://github.com/Bluewu129/springboot-istio-demo
Installing Istio on k8s
Create the namespace istio-system for the Istio components:
If you used the `--create-namespace` parameter in step 2, you can skip this step.
```
[zhangcong@master ~]$ kubectl create namespace istio-system
```
- Install the Istio Base Chart, which contains the cluster-wide Custom Resource Definitions (CRDs) that must be installed before the Istio control plane is deployed:
```
[zhangcong@master ~]$ helm install istio-base istio/base -n istio-system --set defaultRevision=default
```
- Use the helm ls command to verify the CRD installation:
```
[zhangcong@master ~]$ helm ls -n istio-system
NAME NAMESPACE REVISION UPDATED STATUS CHART APP VERSION
istio-base istio-system 1 2024-05-07 09:32:18.377024472 +0800 CST deployed base-1.21.2 1.21.2
```
Find the istio-base entry in the output and make sure its status is set to deployed.
- Install the Istio Discovery Chart, which deploys the istiod service:
```
[zhangcong@master ~]$ helm install istiod istio/istiod -n istio-system
```
- Verify the Istio Discovery Chart installation:
```
[zhangcong@master ~]$ helm ls -n istio-system
NAME NAMESPACE REVISION UPDATED STATUS CHART APP VERSION
istio-base istio-system 1 2024-05-07 09:32:18.377024472 +0800 CST deployed base-1.21.2 1.21.2
istiod istio-system 1 2024-05-07 09:37:59.463897186 +0800 CST deployed istiod-1.21.2 1.21.2
```
- Get the status of the installed Helm Chart and make sure it is deployed:
```
[zhangcong@master ~]$ helm status istiod -n istio-system
NAME: istiod
LAST DEPLOYED: Tue May 7 09:37:59 2024
NAMESPACE: istio-system
STATUS: deployed
REVISION: 1
TEST SUITE: None
NOTES:
"istiod" successfully installed!

To learn more about the release, try:
  $ helm status istiod
  $ helm get all istiod

Next steps:
  * Deploy a Gateway: https://istio.io/latest/docs/setup/additional-setup/gateway/
  * Try out our tasks to get started on common configurations:
    * https://istio.io/latest/docs/tasks/traffic-management
    * https://istio.io/latest/docs/tasks/security/
    * https://istio.io/latest/docs/tasks/policy-enforcement/
  * Review the list of actively supported releases, CVE publications and our hardening guide:
    * https://istio.io/latest/docs/releases/supported-releases/
    * https://istio.io/latest/news/security/
    * https://istio.io/latest/docs/ops/best-practices/security/

For further documentation see https://istio.io website
```
- Check that the istiod service was installed successfully and confirm that its Pod is running:
```
[zhangcong@master ~]$ kubectl get deployments -n istio-system --output wide
NAME READY UP-TO-DATE AVAILABLE AGE CONTAINERS IMAGES SELECTOR
istiod 1/1 1 1 25m discovery docker.io/istio/pilot:1.21.2 istio=pilot
```
- Install the Istio ingress gateway:
```
[zhangcong@master ~]$ kubectl create namespace istio-ingress

[zhangcong@master ~]$ helm install istio-ingress istio/gateway -n istio-ingress
NAME: istio-ingress
LAST DEPLOYED: Tue May 7 10:19:20 2024
NAMESPACE: istio-ingress
STATUS: deployed
REVISION: 1
TEST SUITE: None
NOTES:
"istio-ingress" successfully installed!

To learn more about the release, try:
  $ helm status istio-ingress
  $ helm get all istio-ingress

Next steps:
  * Deploy an HTTP Gateway: https://istio.io/latest/docs/tasks/traffic-management/ingress/ingress-control/
  * Deploy an HTTPS Gateway: https://istio.io/latest/docs/tasks/traffic-management/ingress/secure-ingress/
```
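The Istio gateway is exposed to the outside as a Kubernetes Service. By default it uses the LoadBalancer type, which requires support from a public cloud platform; otherwise the Service remains in the  state indefinitely.
Because this example is installed in an internal network environment, we need to modify the Service and change the gateway's network type from LoadBalancer to NodePort, so that it can be reached directly through the server's IP:
Enter in the terminal: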
Istio sidecar injection
There are two methods:
Method 1: automatically inject, or stop injecting, the sidecar for all pods in a namespace
```
# Enable automatic injection for namespace=test (set the label)
$ kubectl label namespace test istio-injection=enabled --overwrite

# Check
$ kubectl get namespace -L istio-injection
NAME STATUS AGE ISTIO-INJECTION
default Active 122d


test Active 116d

# Disable injection for namespace=test
$ kubectl label namespace test istio-injection=disabled --overwrite
```
Method 2: inject the sidecar into a specific Pod or Deployment
That is, declare `sidecar.istio.io/inject: "true"` on the Pod or Deployment, for example:
```yaml
apiVersion: apps/v1
kind: Deployment
metadata:
  name: microservice-sys-backend-deployment
  namespace: my
spec:
  replicas: 2
  selector:
    matchLabels:
      app: sys-backend
  template:
    metadata:
      labels:
        app: sys-backend
        # Pod-level opt-in to sidecar injection
        sidecar.istio.io/inject: "true"
    spec:
      containers:
        - name: microservice-sys-backend-container
          image: microservice-k8s:sys-backend
          ports:
            - containerPort: 8750
---
apiVersion: v1
kind: Service
metadata:
  name: microservice-sys-backend-service
  namespace: my
spec:
  ports:
    - name: http
      port: 80
      targetPort: 8750
      nodePort: 30109
  selector:
    app: sys-backend
  type: NodePort
```
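Added example (not from the original post): a Python audit that compares what the two injection labels above imply with whether each pod actually runs an `istio-proxy` container, since injection only happens when a pod is created. It assumes input shaped like `kubectl get namespace my -o json` and `kubectl get pods -n my -o json`; the sample data and pod names are constructed, and revision labels (`istio.io/rev`) are not considered.

```python
import json

SIDECAR = "istio-proxy"  # name of the container Istio's injector adds

def expected_injection(ns_labels, pod_labels, default_enabled=False):
    """Evaluate the two labels from this page; any 'disabled' value wins."""
    ns = ns_labels.get("istio-injection")
    pod = pod_labels.get("sidecar.istio.io/inject")
    if ns == "disabled" or pod == "false":
        return False
    if ns == "enabled" or pod == "true":
        return True
    return default_enabled  # no label set: not injected by default

def has_sidecar(pod):
    spec = pod.get("spec", {})
    both = spec.get("containers", []) + spec.get("initContainers", [])
    return any(c.get("name") == SIDECAR for c in both)

def audit(namespace_json, pods_json):
    """Return (pod, expected, actual) for every pod that disagrees with its labels."""
    ns_labels = json.loads(namespace_json)["metadata"].get("labels", {})
    findings = []
    for pod in json.loads(pods_json)["items"]:
        meta = pod["metadata"]
        want = expected_injection(ns_labels, meta.get("labels", {}))
        got = has_sidecar(pod)
        if want != got:
            findings.append((meta["name"], want, got))
    return findings

def _pod(name, labels, containers):  # helper for the constructed sample below
    return {"metadata": {"name": name, "labels": labels},
            "spec": {"containers": [{"name": c} for c in containers]}}

# Constructed sample, shaped like `kubectl get namespace my -o json`
# and `kubectl get pods -n my -o json`; pod names are made up.
OPT_IN = {"app": "sys-backend", "sidecar.istio.io/inject": "true"}
SAMPLE_NS = json.dumps({"metadata": {"name": "my", "labels": {}}})
SAMPLE_PODS = json.dumps({"items": [
    _pod("sys-backend-new", OPT_IN, ["microservice-sys-backend-container", SIDECAR]),
    # labelled for injection but running without the proxy
    _pod("sys-backend-old", OPT_IN, ["microservice-sys-backend-container"]),
    _pod("batch-job", {"app": "batch"}, ["worker"]),
]})

if __name__ == "__main__":
    for name, want, got in audit(SAMPLE_NS, SAMPLE_PODS):
        print(f"{name}: labels imply sidecar={want}, pod has sidecar={got}")
```

A pod reported with expected `True` and actual `False` is sending traffic outside the mesh proxy and has to be recreated to pick up the sidecar.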
```
### View the Istio ingress service
[zhangcong@master ~]$ kubectl get svc -n istio-ingress
NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE
istio-ingress NodePort 10.97.161.174 <none> 15021:31133/TCP,80:30106/TCP,443:30605/TCP 6d23h

### View the Gateway and VirtualService
[zhangcong@master ~]$ kubectl get gw,vs -n my
NAME AGE
gateway.networking.istio.io/microservice-gateway 27s

NAME GATEWAYS HOSTS AGE
virtualservice.networking.istio.io/microservice-virtualservice ["microservice-gateway"] ["*"] 27s
```