Istio概述

• 连接（Connect）
  - 流量管理
  - 负载均衡
  - 灰度发布
• 安全（Secure）
  - 认证
  - 鉴权
• 控制（Control）
  - 限流
  - ACL
• 观察（Observe）
  - 监控
  - 调用链

部署Istio

tar zxvf istio-1.8.2-linux.tar.gz
cd istio-1.8.2
cp bin/istioctl /usr/bin
istioctl install
kubectl get pods -n istio-system
kubectl get svc -n istio-system

#卸载：
istioctl manifest generate | kubectl delete -f -

Sidercar注入-部署httpbin Web示例

部署

cd istio-1.8.2/samples/httpbin

# 手动注入
istioctl kube-inject -f httpbin-nodeport.yaml |kubectl apply -f -

[root@k8s-m1 httpbin]# kubectl get pod
NAME                      READY   STATUS    RESTARTS   AGE
httpbin-db6dd7888-rp7cm   2/2     Running   0          4m12s

# 自动注入（给命名空间打指定标签，启用自动注入）
[root@k8s-m1 httpbin]# kubectl create ns test
namespace/test created

[root@k8s-m1 httpbin]# kubectl label namespace test istio-injection=enabled   
namespace/test labeled

[root@k8s-m1 httpbin]# kubectl create deployment web --image=nginx -n test
deployment.apps/web created

[root@k8s-m1 httpbin]# kubectl get pod -n test
NAME                  READY   STATUS    RESTARTS   AGE
web-96d5df5c8-fr2cq   2/2     Running   0          3m10s

#部署网关
[root@k8s-m1 httpbin]# kubectl apply -f httpbin-gateway.yaml 
[root@k8s-m1 httpbin]# kubectl get svc -n istio-system
NAME                   TYPE           CLUSTER-IP   EXTERNAL-IP   PORT(S)                                                                      AGE
istio-ingressgateway   LoadBalancer   10.0.0.136        15021:30103/TCP,80:32110/TCP,443:32181/TCP,15012:31888/TCP,15443:30731/TCP   40m
istiod                 ClusterIP      10.0.0.7             15010/TCP,15012/TCP,443/TCP,15014/TCP  

http://192.168.153.25:32110/

1640612451663.png

访问流程图

1640613125637.png

Istio流量管理核心资源

VirtualService

VirtualService（虚拟服务） 
• 定义路由规则
• 描述满足条件的请求去哪里

--------------------------------------------------------------------------------

apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
  name: httpbin
spec:
  hosts:
  - "*"
  gateways:
  - httpbin-gateway
  http:
  - route:
    - destination:
        host: httpbin    # 指定Service名称
        port:
          number: 8000   # service端口
          
--------------------------------------------------------------------------------
# 查看已创建的虚拟服务
[root@k8s-m1 httpbin]# kubectl get vs
NAME      GATEWAYS              HOSTS   AGE
httpbin   ["httpbin-gateway"]   ["*"]   19m

DestinationRule

DestinationRule（目标规则）：定义虚拟服务路由目标地址的真实地址，即子集（subset）
支持多种负载均衡策略：
• 随机
• 权重
• 最小请求数

---------------------------------------------------------------------------
apiVersion: networking.istio.io/v1alpha3
kind: DestinationRule
metadata:
  name: nginx
spec:
  host: nginx
  subsets:
  - name: v1
    labels:
      version: v1
  - name: v2
    labels:
      version: v2

Gateway

目前Gateway支持的功能：
• 支持L4-L7的负载均衡
• 支持HTTPS和mTLS
• 支持流量镜像、熔断等

---------------------------------------------------------------------------
apiVersion: networking.istio.io/v1alpha3
kind: Gateway
metadata:
  name: httpbin-gateway
spec:
  selector:
    istio: ingressgateway
  servers:
  - port:
      number: 80
      name: http
      protocol: HTTP
    hosts:
    - "*"

灰度发布：部署Bookinfo微服务项目

概述

服务	说明	调用服务
productpage	主页	reviews、details
reviews	评论内容	ratings
details	详细内容
ratings	评分

1640655443368.png

部署

#创建命名空间并开启自动注入
kubectl create ns bookinfo
kubectl label namespace bookinfo istio-injection=enabled

#部署应用YAML
cd istio-1.8.2/samples/bookinfo
kubectl apply -f platform/kube/bookinfo.yaml -n bookinfo
kubectl get pod -n bookinfo

[root@k8s-m1 kube]# kubectl get pod -n bookinfo
NAME                              READY   STATUS    RESTARTS   AGE
details-v1-79c697d759-kqktb       2/2     Running   0          17m
productpage-v1-65576bb7bf-tdt8g   2/2     Running   0          17m
ratings-v1-7d99676f7f-b975f       2/2     Running   0          17m
reviews-v1-987d495c-ldzhs         2/2     Running   0          17m
reviews-v2-6c5bf657cf-xpzrv       2/2     Running   0          17m
reviews-v3-5f7b9f4f77-wsdps       2/2     Running   0          17m

#创建Ingress网关
kubectl apply -f networking/bookinfo-gateway.yaml -n bookinfo

kubectl get pods，svc -n istio-system
访问地址：http://192.168.153.25:32110/productpage

基于权重的路由

1. 流量全部发送到reviews v1版本（不带五角星）
2. 将90%的流量发送到reviews v1版本，另外10%的流量发送到reviews v2版本（5个黑色五角星），最后完全切换到v2版本
3. 将50%的流量发送到v2版本，另外50%的流量发送到v3版本（5个红色五角星）

kubectl apply -f networking/virtual-service-all-v1.yaml -n bookinfo
kubectl apply -f networking/destination-rule-all.yaml -n bookinfo
kubectl apply -f networking/virtual-service-reviews-90-10.yaml -n bookinfo
kubectl apply -f networking/virtual-service-reviews-v2-v3.yaml -n bookinfo

基于请求内容的路由

1. 将特定用户的请求发送到reviews v2版本（5个黑色五角星），其他用户则不受影响（v3）

kubectl apply -f networking/virtual-service-reviews-jason-v2-v3.yaml -n bookinfo

工作流程

1640670381081.png

总结

1、将deployment里pod标签增加一个"version:v1"
2、部署deployment介入到istio
3、目标规则管理服务版本标签
4、虚拟服务实现灰度发布

流量镜像

apiVersion: networking.istio.io/v1alpha3
kind: Gateway
metadata:
  name: nginx 
spec:
  selector:
    istio: ingressgateway
  servers:
  - port:
      number: 80
      name: http
      protocol: HTTP
    hosts:
    - "nginx.aliangedu.cn"
---
apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
  name: nginx 
spec:
  hosts:
  - "nginx.aliangedu.cn"
  gateways:
  - nginx 
  http:
  - route:
    - destination:
        host: nginx 
        subset: v1
      weight: 100
    mirror:
      host: nginx
      subset: v2
    mirror_percent: 100
---
apiVersion: networking.istio.io/v1alpha3
kind: DestinationRule
metadata:
  name: nginx 
spec:
  host: nginx 
  subsets:
  - name: v1
    labels:
      version: v1
  - name: v2
    labels:
      version: v2

将应用暴露到互联网

配置nginx

    server {
        listen       80 default_server;
        server_name  _;

        location / {
            proxy_http_version 1.1;
            proxy_set_header Host $host;
            proxy_pass http://192.168.153.25:32110;
        }
    }

配置Gateway

kind: Gateway
metadata:
  name: httpbin-gateway
spec:
  selector:
    istio: ingressgateway
  servers:
  - port:
      number: 80
      name: http
      protocol: HTTP
    hosts:
    - "httpbin.aliangedu.cn"
---
apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
  name: httpbin
spec:
  hosts:
  - "httpbin.aliangedu.cn"
  gateways:
  - httpbin-gateway
  http:
  - route:
    - destination:
        host: httpbin
        port:
          number: 8000
--------------------------------------------------------------------
apiVersion: networking.istio.io/v1alpha3
kind: Gateway
metadata:
  name: nginx 
spec:
  selector:
    istio: ingressgateway
  servers:
  - port:
      number: 80
      name: http
      protocol: HTTP
    hosts:
    - "nginx.aliangedu.cn"
---
apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
  name: nginx 
spec:
  hosts:
  - "nginx.aliangedu.cn"
  gateways:
  - nginx 
  http:
  - route:
    - destination:
        host: nginx 
        subset: v1
      weight: 100
    mirror:
      host: nginx
      subset: v2
    mirror_percent: 100

访问网站

http://httpbin.aliangedu.cn/
http://nginx.aliangedu.cn/
http://bookinfo.aliangedu.cn/productpage

可视化监控

crds.yaml

[root@k8s-m1 addons]# pwd
/root/istio/istio-1.8.2/samples/addons

#先发布
/istio-1.8.2/samples/addons

---
# Source: crds/crds.yaml
---
apiVersion: apiextensions.k8s.io/v1beta1
kind: CustomResourceDefinition
metadata:
  name: monitoringdashboards.monitoring.kiali.io
spec:
  group: monitoring.kiali.io
  names:
    kind: MonitoringDashboard
    listKind: MonitoringDashboardList
    plural: monitoringdashboards
    singular: monitoringdashboard
  scope: Namespaced
  versions:
  - name: v1alpha1
    served: true
    storage: true

修改NodePort

kiali.yaml

spec:
  ports:
  - name: http
    protocol: TCP
    port: 20001
  - name: http-metrics
    protocol: TCP
    port: 9090
  selector:
    app.kubernetes.io/name: kiali
    app.kubernetes.io/instance: kiali-server
  type: NodePort
  
------------------------------------------------------------------------------
grafana.yaml

    app.kubernetes.io/managed-by: Helm
spec:
  type: NodePort
  ports:
    - name: service
      port: 3000
      protocol: TCP
      targetPort: 3000

------------------------------------------------------------------------------
jaeger.yaml
spec:
  type: NodePort
  ports:
    - name: http-query
      port: 80
      protocol: TCP
      targetPort: 16686
  selector:
    app: jaeger

发布服务

kubectl apply -f crds.yaml -n istio-system
kubectl apply -f prometheus.yaml -n istio-system
kubectl apply -f grafana.yaml -n istio-system
kubectl apply -f jaeger.yaml -n istio-system
kubectl apply -f kiali.yaml -n istio-system



service/grafana                NodePort       10.0.0.70            3000:31397/TCP                                                                
service/kiali                  NodePort       10.0.0.26            9090:30584/TCP                                         
service/tracing                NodePort       10.0.0.177           80:31205/TCP

kiali

http://192.168.153.25:30235/

1640744478728.png

grafana

http://192.168.153.25:31397/

1640744611642.png

jaeger

http://192.168.153.25:31205/

1640744700687.png

示例：微服务订单管理istio

order.yaml

apiVersion: apps/v1
kind: Deployment 
metadata:
  name: order
  namespace: ms 
spec:
  replicas: 1
  selector:
    matchLabels:
      project: ms
      app: order
      version: v1
  template:
    metadata:
      labels:
        project: ms 
        app: order
        version: v1
    spec:
      imagePullSecrets:
      - name: registry-pull-secret
      containers:
      - name: order
        image: 192.168.153.20/ms/order:v1
        ports:
          - protocol: TCP
            containerPort: 8020 
        resources:
          requests:
            cpu: 0.5
            memory: 256Mi
          limits:
            cpu: 2
            memory: 2Gi
        readinessProbe:
          tcpSocket:
            port: 8020
          initialDelaySeconds: 60
          periodSeconds: 10
        livenessProbe:
          tcpSocket:
            port: 8020
          initialDelaySeconds: 60
          periodSeconds: 10
          
          
          
----------------------------------------------------------------------------
#含有版本version；
#委托istioctl管理
[root@k8s-m1 order]# istioctl kube-inject -f order.yaml |kubectl apply -f -

service.yaml

[root@k8s-m1 order]# vi service.yaml                    
spec:
apiVersion: v1
kind: Service
metadata:
  labels:
    app: order
  name: order
spec:
  ports:
  - port: 8020
    protocol: TCP
    targetPort: 8020
  selector:
    app: order
 
---------------------------------------------------------------------------------- 
[root@k8s-m1 order]# kubectl apply -f service.yaml -n ms
 

 curl 10.0.0.153:8020/queryAllOrder

验证

[root@k8s-m1 order]# kubectl get pod,svc -n ms
NAME                         READY   STATUS    RESTARTS   AGE
pod/eureka-0                 1/1     Running   1          85m
pod/eureka-1                 1/1     Running   0          84m
pod/eureka-2                 1/1     Running   1          83m
pod/mysql-85ff654cdf-gk4dm   1/1     Running   1          4h4m
pod/order-5446c6b8fd-prs4r   2/2     Running   0          17m

NAME             TYPE        CLUSTER-IP   EXTERNAL-IP   PORT(S)    AGE
service/eureka   ClusterIP   None                 8888/TCP   85m
service/mysql    ClusterIP   10.0.0.40            3306/TCP   4h4m
service/order    ClusterIP   10.0.0.153           8020/TCP   36m

[root@k8s-m1 order]#  curl 10.0.0.153:8020/queryAllOrder
{"status":200,"msg":"success","result":[{"id":1,"orderNumber":"0j889r86wo0tng9x","orderProductName":"美女","orderPrice":999.0,"count":1,"buyDate":"2021-12-21T03:40:32.000+0000"},{"id":2,"orderNumber":"9ep7iugx2topgwe9","orderProductName":"貂皮大衣很厚很厚的那种","orderPrice":9999.0,"count":1,"buyDate":"2021-12-22T12:25:42.000+0000"},{"id":3,"orderNumber":"cb30ynaukc61riu1","orderProductName":"测试商品1","orderPrice":99.99,"count":1,"buyDate":"2021-12-22T12:31:23.000+0000"}]}

Gateway

apiVersion: networking.istio.io/v1alpha3
kind: Gateway
metadata:
  name: order 
spec:
  selector:
    istio: ingressgateway
  servers:
  - port:
      number: 80
      name: http
      protocol: HTTP
    hosts:
    - "order.aliangedu.cn"
---
apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
  name: order 
spec:
  hosts:
  - "order.aliangedu.cn"
  gateways:
  - order 
  http:
  - route:
    - destination:
        host: order 
        subset: v1
      weight: 100
---
apiVersion: networking.istio.io/v1alpha3
kind: DestinationRule
metadata:
  name: order 
spec:
  host: order 
  subsets:
  - name: v1
    labels:
      version: v1

------------------------------------------------------------------------------
http://order.aliangedu.cn/queryAllOrder

1640762656150.png

Istio微服务治理

Istio概述

部署Istio

Sidercar注入-部署httpbin Web示例

部署

访问流程图

Istio流量管理核心资源

VirtualService

DestinationRule

Gateway

灰度发布：部署Bookinfo微服务项目

概述

部署

基于权重的路由

基于请求内容的路由

工作流程

总结

流量镜像

将应用暴露到互联网

配置nginx

配置Gateway

访问网站

可视化监控

crds.yaml

修改NodePort

发布服务

kiali

grafana

jaeger

示例：微服务订单管理istio

order.yaml

service.yaml

验证

Gateway

你可能感兴趣的:(Istio微服务治理)