1.24.1 - Istio Installation

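1. Overview

Istio is a service mesh framework open-sourced by Google, IBM and Lyft. The name Istio is Greek; in English it means "sail" (in Chinese: 帆), suggesting setting sail. (Kubernetes also appears to be Greek, meaning captain/helmsman/pilot, whereas Docker does not appear to be Greek.)
This article covers installing Istio in sidecar mode with Helm. (Istio has currently released v1.24.1 and supports two modes: sidecar and Ambient (already GA in version 1.22).)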

2. Installation procedure

2.1 Follow the official documentation

[Figure: Istio's Helm installation method]

2.2 Prerequisites

  1. A Kubernetes cluster is already installed (this document uses Kubernetes 1.26.3)
  2. Helm is installed, version >= 3.6 (this document uses Helm v3.15.1)

2.3 Add the Helm repository

linux> helm repo add istio https://istio-release.storage.googleapis.com/charts

"istio" has been added to your repositories

2.4 Update the Helm repositories

linux> helm repo update

Hang tight while we grab the latest from your chart repositories...
...Unable to get an update from the "vm" chart repository (https://victoriametrics.github.io/helm-charts/):
Get "https://victoriametrics.github.io/helm-charts/index.yaml": read tcp 172.16.84.26:39334->185.199.111.153:443: read: connection reset by peer
...Successfully got an update from the "openobserve" chart repository
...Successfully got an update from the "istio" chart repository
...Successfully got an update from the "pixie-operator" chart repository
...Successfully got an update from the "vector" chart repository
...Successfully got an update from the "komodorio" chart repository
...Successfully got an update from the "jetstack" chart repository
...Successfully got an update from the "minio" chart repository
...Successfully got an update from the "quickwit" chart repository
...Successfully got an update from the "teleport" chart repository
...Successfully got an update from the "redpanda" chart repository
...Successfully got an update from the "datawire" chart repository
...Successfully got an update from the "cilium" chart repository
...Successfully got an update from the "bitnami" chart repository
Update Complete. ⎈Happy Helming!⎈

2.5 List the charts under istio and their details

linux>  helm search repo istio

NAME                                CHART VERSION APP VERSION DESCRIPTION
bitnami/wavefront-adapter-for-istio 2.0.6         0.1.5       DEPRECATED Wavefront Adapter for Istio is an ad...
istio/istiod                        1.24.1        1.24.1      Helm chart for istio control plane
istio/istiod-remote                 1.23.3        1.23.3      Helm chart for a remote cluster using an extern...
jetstack/cert-manager-istio-csr     v0.13.0       v0.13.0     istio-csr enables the use of cert-manager for i...
istio/ambient                       1.24.1        1.24.1      Helm umbrella chart for ambient
istio/base                          1.24.1        1.24.1      Helm chart for deploying Istio cluster resource...
istio/cni                           1.24.1        1.24.1      Helm chart for istio-cni components
istio/gateway                       1.24.1        1.24.1      Helm chart for deploying Istio gateways
istio/ztunnel                       1.24.1        1.24.1      Helm chart for istio ztunnel components

2.5 Create a Kubernetes namespace

linux> kubectl create ns istio-system

namespace/istio-system created

2.6 Install istio/base

#1. Pull the latest version of the istio/base package
linux> helm pull istio/base

This produces the following file in the current directory:
base-1.24.1.tgz

#2. Extract the tgz file
linux> tar -zxvf base-1.24.1.tgz

This produces a folder named base in the current directory

#3. Enter the base directory
linux> cd base

#4. Run the install
linux> helm install istio-base ./ -n istio-system --set defaultRevision=default

NAME: istio-base
LAST DEPLOYED: Mon Dec  2 19:13:07 2024
NAMESPACE: istio-system
STATUS: deployed
REVISION: 1
TEST SUITE: None
NOTES:
Istio base successfully installed!

To learn more about the release, try:
  $ helm status istio-base -n istio-system
  $ helm get all istio-base -n istio-system

#5. Check the CRDs whose names contain istio
linux> kubectl get crd|grep istio

authorizationpolicies.security.istio.io      2024-12-02T11:13:07Z
destinationrules.networking.istio.io         2024-12-02T11:13:07Z
envoyfilters.networking.istio.io             2024-12-02T11:13:07Z
gateways.networking.istio.io                 2024-12-02T11:13:07Z
peerauthentications.security.istio.io        2024-12-02T11:13:07Z
proxyconfigs.networking.istio.io             2024-12-02T11:13:07Z
requestauthentications.security.istio.io     2024-12-02T11:13:07Z
serviceentries.networking.istio.io           2024-12-02T11:13:07Z
sidecars.networking.istio.io                 2024-12-02T11:13:07Z
telemetries.telemetry.istio.io               2024-12-02T11:13:07Z
virtualservices.networking.istio.io          2024-12-02T11:13:07Z
wasmplugins.extensions.istio.io              2024-12-02T11:13:07Z
workloadentries.networking.istio.io          2024-12-02T11:13:07Z
workloadgroups.networking.istio.io           2024-12-02T11:13:07Z

2.7 Install istiod

#1. Pull istio/istiod
linux> helm pull istio/istiod

istiod-1.24.1.tgz
#2. Extract
linux> tar -zxvf istiod-1.24.1.tgz

istiod

#3. Enter istiod
linux> cd istiod

#4. Run the install; the values.yaml parameters passed with --set are described later
# set via the --set hub property
linux> helm install istiod ./ --set hub="xwharbor.wxchina.com/cpaas/istio"  --set global.proxy.clusterDomain="idc.local" --set global.proxy.autoInject="disabled"  -n istio-system

NAME: istiod
LAST DEPLOYED: Mon Dec  2 19:35:02 2024
NAMESPACE: istio-system
STATUS: deployed
REVISION: 1
TEST SUITE: None
NOTES:
"istiod" successfully installed!

To learn more about the release, try:
  $ helm status istiod -n istio-system
  $ helm get all istiod -n istio-system

Next steps:
  * Deploy a Gateway: https://istio.io/latest/docs/setup/additional-setup/gateway/
  * Try out our tasks to get started on common configurations:
    * https://istio.io/latest/docs/tasks/traffic-management
    * https://istio.io/latest/docs/tasks/security/
    * https://istio.io/latest/docs/tasks/policy-enforcement/
  * Review the list of actively supported releases, CVE publications and our hardening guide:
    * https://istio.io/latest/docs/releases/supported-releases/
    * https://istio.io/latest/news/security/
    * https://istio.io/latest/docs/ops/best-practices/security/

For further documentation see https://istio.io website

#5. Check the pods
linux> kubectl get pods -n istio-system

NAME                      READY   STATUS    RESTARTS   AGE
istiod-7fc89f56f7-5dqw9   1/1     Running   0          77s

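In the Helm chart for istiod 1.24.1, the values.yaml file looks roughly like this:

_internal_defaults_do_not_set:
  autoscaleEnabled: true
  autoscaleMin: 1
  autoscaleMax: 5
  autoscaleBehavior: {}
  replicaCount: 1
  ......

Everything has been placed under _internal_defaults_do_not_set. As a result, the earlier approach of creating a re-values.yaml to override and merge with values.yaml no longer works, and the only option is --set. Below is the explanatory comment from the chart's values.yaml: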

# "_internal_defaults_do_not_set" is a workaround for Helm limitations. Users should NOT set "._internal_defaults_do_not_set" explicitly, but rather directly set the fields internally.
# For instance, instead of `--set _internal_defaults_do_not_set.foo=bar``, just set `--set foo=bar`.

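2.8 Parameter details

Parameter: global.hub
Explanation: The registry address for the images Istio needs. Previously these were all pulled from Docker Hub by default. If there are network problems, or communication with external networks is not allowed, the images can be pulled into a local image service (for example Harbor). Assuming your image is harbor.liuxu.com/component/istio/pilot:1.24.1, set --set global.hub="harbor.liuxu.com/component/istio".
Notes: Make sure both istio/pilot and istio/proxyv2 are under harbor.liuxu.com/component.

Parameter: global.proxy.clusterDomain
Explanation: The cluster's domain suffix. You can see it by entering any pod and looking at /etc/resolv.conf. The default is cluster.local.
Notes: Ask whoever installed the cluster, or check /etc/resolv.conf inside a pod.

Parameter: global.proxy.autoInject
Explanation: The default is enabled. When enabled, you only need to put the label istio-injection=enabled on the namespace, and any pod in that namespace that is restarted or newly created gets the Istio components injected automatically. When set to disabled, the namespace still needs the label istio-injection=enabled, and in addition the Deployment (note: under template) or the Pod needs the annotation sidecar.istio.io/inject: 'true' before the Istio components are injected at start or creation.
Notes: This feature is best suited to rolling Istio out step by step in an environment that is moving from no Istio to Istio.

Parameter: global.proxy.image
Explanation: The istio-proxy image.
Notes: If not configured, istio/proxyv2 on Docker Hub is used.

The official values.yaml also has a top-level hub. In testing, it only affects the Istio pilot image and does not affect the proxyv2 image, so setting global.hub is recommended.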
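
The global.proxy.autoInject rules in the table above can be checked across a cluster before relying on the mesh for a workload. The following is an added example, not code from the original article or from the Istio project: it models only the rules stated in the table, and the namespace and Deployment names in the sample data are hypothetical, constructed in the shape of `kubectl get ns -o json` and `kubectl get deployments -A -o json` output.

```python
INJECT = "sidecar.istio.io/inject"

def decide(ns_labels, deploy, auto_inject="disabled"):
    """Return (injected, reason) for one Deployment, per the table's rules."""
    top = deploy["metadata"].get("annotations") or {}
    tmpl = deploy["spec"]["template"].get("metadata", {}).get("annotations") or {}
    if ns_labels.get("istio-injection") != "enabled":
        return False, "namespace lacks istio-injection=enabled"
    if tmpl.get(INJECT) == "false":
        return False, "pod template opts out"
    if auto_inject == "enabled" or tmpl.get(INJECT) == "true":
        return True, "ok"
    if top.get(INJECT) == "true":
        # The misplacement the table warns about: the annotation sits on the
        # Deployment itself instead of under spec.template.
        return False, "annotation is on Deployment metadata, not spec.template"
    return False, "pod template has no opt-in annotation"

def audit(ns_list, deploy_list, auto_inject="disabled"):
    """Map 'namespace/name' -> (injected, reason) for every Deployment."""
    labels = {n["metadata"]["name"]: n["metadata"].get("labels") or {}
              for n in ns_list["items"]}
    return {f'{d["metadata"]["namespace"]}/{d["metadata"]["name"]}':
            decide(labels.get(d["metadata"]["namespace"], {}), d, auto_inject)
            for d in deploy_list["items"]}

def _dep(ns, name, top=None, tmpl=None):
    """Build a minimal Deployment object for the constructed sample below."""
    return {"metadata": {"namespace": ns, "name": name, "annotations": top},
            "spec": {"template": {"metadata": {"annotations": tmpl}}}}

# Constructed sample data (hypothetical namespaces and workloads).
SAMPLE_NS = {"items": [
    {"metadata": {"name": "shop", "labels": {"istio-injection": "enabled"}}},
    {"metadata": {"name": "legacy", "labels": {}}}]}
SAMPLE_DEPLOYS = {"items": [
    _dep("shop", "cart", tmpl={INJECT: "true"}),    # correct placement
    _dep("shop", "pay", top={INJECT: "true"}),      # wrong level
    _dep("shop", "search"),                         # never opted in
    _dep("legacy", "batch", tmpl={INJECT: "true"})  # namespace not labelled
]}

if __name__ == "__main__":
    for key, (ok, why) in audit(SAMPLE_NS, SAMPLE_DEPLOYS).items():
        print(f"{key:14} injected={ok!s:5} {why}")
```

Workloads reported as not injected run without the sidecar, so mesh-level policy such as PeerAuthentication or AuthorizationPolicy is not enforced by a proxy in those pods.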

3. Finally

Of course, steps 2.6 and 2.7 can be done by running the following commands directly:

$ helm install istio-base istio/base -n istio-system --set defaultRevision=default
and the command
$ helm install istiod istio/istiod -n istio-system --wait

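The main reason for pulling the charts was to look at the actual values.yaml configuration. In addition, the local network cannot pull images from Docker Hub, so the image settings in values.yaml had to be checked and some parameters replaced. The required values can also be viewed with the following Helm command:
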
$ helm show values istio/istiod