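1. Overview
Istio is a service mesh framework open-sourced by Google, IBM and Lyft. The name Istio is Greek and translates to "sail" in English, the idea being to hoist the sails and set off. (Kubernetes also appears to be Greek, meaning captain/helmsman/pilot, whereas Docker does not appear to be Greek.)
This article covers installing Istio in sidecar mode with Helm. (Istio has currently released v1.24.1 and supports two modes: sidecar and Ambient, the latter GA as of version 1.22.)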
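2. Installation procedure
2.1 Follow the procedure on the official site
2.2 Prerequisites
- A Kubernetes cluster is already installed (this document uses k8s version 1.26.3)
- Helm is already installed, version >= 3.6 (this document uses Helm v3.15.1)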
2.3 Add the Helm repository
```bash
linux> helm repo add istio https://istio-release.storage.googleapis.com/charts
"istio" has been added to your repositories
```
2.4 Update the Helm repositories
```bash
linux> helm repo update
Hang tight while we grab the latest from your chart repositories...
...Unable to get an update from the "vm" chart repository (https://victoriametrics.github.io/helm-charts/):
	Get "https://victoriametrics.github.io/helm-charts/index.yaml": read tcp 172.16.84.26:39334->185.199.111.153:443: read: connection reset by peer
...Successfully got an update from the "openobserve" chart repository
...Successfully got an update from the "istio" chart repository
...Successfully got an update from the "pixie-operator" chart repository
...Successfully got an update from the "vector" chart repository
...Successfully got an update from the "komodorio" chart repository
...Successfully got an update from the "jetstack" chart repository
...Successfully got an update from the "minio" chart repository
...Successfully got an update from the "quickwit" chart repository
...Successfully got an update from the "teleport" chart repository
...Successfully got an update from the "redpanda" chart repository
...Successfully got an update from the "datawire" chart repository
...Successfully got an update from the "cilium" chart repository
...Successfully got an update from the "bitnami" chart repository
Update Complete. ⎈Happy Helming!⎈
```
2.5 List the Istio charts and their details
```bash
linux> helm search repo istio
NAME                                 CHART VERSION  APP VERSION  DESCRIPTION
bitnami/wavefront-adapter-for-istio  2.0.6          0.1.5        DEPRECATED Wavefront Adapter for Istio is an ad...
istio/istiod                         1.24.1         1.24.1       Helm chart for istio control plane
istio/istiod-remote                  1.23.3         1.23.3       Helm chart for a remote cluster using an extern...
jetstack/cert-manager-istio-csr      v0.13.0        v0.13.0      istio-csr enables the use of cert-manager for i...
istio/ambient                        1.24.1         1.24.1       Helm umbrella chart for ambient
istio/base                           1.24.1         1.24.1       Helm chart for deploying Istio cluster resource...
istio/cni                            1.24.1         1.24.1       Helm chart for istio-cni components
istio/gateway                        1.24.1         1.24.1       Helm chart for deploying Istio gateways
istio/ztunnel                        1.24.1         1.24.1       Helm chart for istio ztunnel components
```
2.5 Create a Kubernetes namespace
```bash
linux> kubectl create ns istio-system
namespace/istio-system created
```
2.6 Install istio/base
```bash
# 1. Pull the latest version of the istio/base chart package
linux> helm pull istio/base
# The following file appears in the current directory:
#   base-1.24.1.tgz
# 2. Unpack the tgz file
linux> tar -zxvf base-1.24.1.tgz
# A folder named base appears in the current directory
# 3. Enter the base directory
linux> cd base
# 4. Run the install
linux> helm install istio-base ./ -n istio-system --set defaultRevision=default
NAME: istio-base
LAST DEPLOYED: Mon Dec  2 19:13:07 2024
NAMESPACE: istio-system
STATUS: deployed
REVISION: 1
TEST SUITE: None
NOTES:
Istio base successfully installed!
To learn more about the release, try:
  $ helm status istio-base -n istio-system
  $ helm get all istio-base -n istio-system
# 5. Check for CRDs whose names contain istio
linux> kubectl get crd | grep istio
authorizationpolicies.security.istio.io    2024-12-02T11:13:07Z
destinationrules.networking.istio.io       2024-12-02T11:13:07Z
envoyfilters.networking.istio.io           2024-12-02T11:13:07Z
gateways.networking.istio.io               2024-12-02T11:13:07Z
peerauthentications.security.istio.io      2024-12-02T11:13:07Z
proxyconfigs.networking.istio.io           2024-12-02T11:13:07Z
requestauthentications.security.istio.io   2024-12-02T11:13:07Z
serviceentries.networking.istio.io         2024-12-02T11:13:07Z
sidecars.networking.istio.io               2024-12-02T11:13:07Z
telemetries.telemetry.istio.io             2024-12-02T11:13:07Z
virtualservices.networking.istio.io        2024-12-02T11:13:07Z
wasmplugins.extensions.istio.io            2024-12-02T11:13:07Z
workloadentries.networking.istio.io        2024-12-02T11:13:07Z
workloadgroups.networking.istio.io         2024-12-02T11:13:07Z
```
2.7 Install istiod
```bash
# 1. Pull istio/istiod
linux> helm pull istio/istiod
# This yields istiod-1.24.1.tgz
# 2. Unpack it
linux> tar -zxvf istiod-1.24.1.tgz
# This yields the istiod folder
# 3. Enter istiod
linux> cd istiod
# 4. Run the install; the values.yaml parameters passed with --set are described later
# The hub property is set with --set
linux> helm install istiod ./ --set hub="xwharbor.wxchina.com/cpaas/istio" --set global.proxy.clusterDomain="idc.local" --set global.proxy.autoInject="disabled" -n istio-system
NAME: istiod
LAST DEPLOYED: Mon Dec  2 19:35:02 2024
NAMESPACE: istio-system
STATUS: deployed
REVISION: 1
TEST SUITE: None
NOTES:
"istiod" successfully installed!
To learn more about the release, try:
  $ helm status istiod -n istio-system
  $ helm get all istiod -n istio-system
Next steps:
  * Deploy a Gateway: https://istio.io/latest/docs/setup/additional-setup/gateway/
  * Try out our tasks to get started on common configurations:
    * https://istio.io/latest/docs/tasks/traffic-management
    * https://istio.io/latest/docs/tasks/security/
    * https://istio.io/latest/docs/tasks/policy-enforcement/
  * Review the list of actively supported releases, CVE publications and our hardening guide:
    * https://istio.io/latest/docs/releases/supported-releases/
    * https://istio.io/latest/news/security/
    * https://istio.io/latest/docs/ops/best-practices/security/
For further documentation see https://istio.io website
# 5. Check the pods
linux> kubectl get pods -n istio-system
NAME                      READY   STATUS    RESTARTS   AGE
istiod-7fc89f56f7-5dqw9   1/1     Running   0          77s
```
In the Helm chart for Istiod 1.24.1, the values.yaml file looks roughly like this:
```yaml
_internal_defaults_do_not_set:
  autoscaleEnabled: true
  autoscaleMin: 1
  autoscaleMax: 5
  autoscaleBehavior: {}
  replicaCount: 1
  # ......
```
Everything is now placed under _internal_defaults_do_not_set, so the earlier approach of creating a re-values.yaml to override and merge with values.yaml no longer works, and --set has to be used instead. The comment in the chart's values.yaml explains:
```bash
# "_internal_defaults_do_not_set" is a workaround for Helm limitations. Users should NOT set "._internal_defaults_do_not_set" explicitly, but rather directly set the fields internally.
# For instance, instead of `--set _internal_defaults_do_not_set.foo=bar``, just set `--set foo=bar`.
```
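2.8 Parameter details
Parameter | Explanation | Remarks |
---|---|---|
global.hub | Registry address for the images Istio needs. Previously they were pulled from docker.hub by default; if there are network problems or the cluster is not allowed to talk to the outside network, the images can be pulled into a local image service (for example Harbor). Supposing your image is harbor.liuxu.com/component/istio/pilot:1.24.1, set --set global.hub="harbor.liuxu.com/component/istio" | Make sure istio/pilot and istio/proxyv2 are both under harbor.liuxu.com/component |
global.proxy.clusterDomain | The cluster's domain suffix. It can be found by entering any pod and looking at the /etc/resolv.conf file; the default is cluster.local | Ask whoever installed the cluster, or look at /etc/resolv.conf inside a pod |
global.proxy.autoInject | The default is enabled. When enabled, it is enough to label the namespace with istio-injection=enabled, and any pod in that namespace that is restarted or newly created gets the Istio components injected automatically. When set to disabled, the namespace still needs the label istio-injection=enabled, and in addition the Deployment (note: under template) or the Pod needs the annotation sidecar.istio.io/inject: 'true' before the Istio components are injected on start or creation | This feature is best suited to a gradual rollout when moving an environment from no Istio to Istio |
global.proxy.image | The istio-proxy image | If not configured, istio/proxyv2 on docker.hub is used |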
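
The global.proxy.autoInject row says the opt-in annotation has to sit under the pod template. A small check for that placement, as an added example that is not from the original article; the two manifests are constructed and trimmed, and the function names are hypothetical:

```shell
# Added example, not from the original article. Assumes block-style,
# space-indented YAML such as kubectl or helm template prints.

# Constructed, trimmed manifest: annotation on the pod template (correct).
GOOD_MANIFEST='kind: Deployment
metadata:
  name: web
  namespace: demo
spec:
  template:
    metadata:
      labels:
        app: web
      annotations:
        sidecar.istio.io/inject: "true"'

# Constructed, trimmed manifest: annotation on the Deployment object itself,
# which is not copied to the pod, so the opt-in is not seen.
BAD_MANIFEST='kind: Deployment
metadata:
  name: web
  annotations:
    sidecar.istio.io/inject: "true"
spec:
  template:
    metadata:
      labels:
        app: web'

# Print the YAML path of the mapping that holds sidecar.istio.io/inject.
inject_annotation_path() {
  awk '
    /^[ \t]*(#|$)/ { next }                    # skip comments and blank lines
    {
      ind = 0; while (substr($0, ind + 1, 1) == " ") ind++   # indentation
      key = substr($0, ind + 1); sub(/:.*/, "", key)
      while (depth > 0 && indent[depth] >= ind) depth--      # close finished keys
      depth++; indent[depth] = ind; name[depth] = key
      if (key == "sidecar.istio.io/inject" && depth > 1) {
        path = name[1]
        for (i = 2; i < depth; i++) path = path "." name[i]
        print path
      }
    }'
}

# Succeeds only when the annotation is on the pod template.
pod_opted_in() { inject_annotation_path | grep -qx 'spec\.template\.metadata\.annotations'; }
```

On a real manifest, pipe `kubectl get deployment <name> -n <namespace> -o yaml` into `pod_opted_in`.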
The official values.yaml also has a top-level hub. In testing, it only affected Istio's pilot image and not the proxyv2 image, so setting global.hub is recommended.
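
A check for the observation above, as an added example that is not part of the original article: it lists containers whose image does not come from the approved registry, which is how a missed global.hub shows up once sidecars are injected. The inventory lines, the demo namespace and the function names are constructed for illustration.

```shell
# Added example, not from the original article.
# Input on stdin, one container per line: <namespace>/<pod> <container> <image>
# On a live cluster (assumes kubectl and jq are available) the inventory is:
#   kubectl get pods -A -o json | jq -r '.items[] | .metadata as $m
#     | ((.spec.initContainers // []) + .spec.containers)[]
#     | "\($m.namespace)/\($m.name) \(.name) \(.image)"'

# Constructed sample: the state after installing with only the top-level hub
# set. The demo pods and their application images are made up.
SAMPLE_INVENTORY='istio-system/istiod-7fc89f56f7-5dqw9 discovery xwharbor.wxchina.com/cpaas/istio/pilot:1.24.1
demo/web-5d9c7b6f4-abcde istio-init docker.io/istio/proxyv2:1.24.1
demo/web-5d9c7b6f4-abcde web xwharbor.wxchina.com/cpaas/demo/web:1.0
demo/web-5d9c7b6f4-abcde istio-proxy docker.io/istio/proxyv2:1.24.1
demo/job-1 task xwharbor.wxchina.com.mirror.example/cpaas/task:1.0'

# Print every container whose image is not pulled from the approved registry.
# $1 = approved registry host (optionally with a path), e.g. xwharbor.wxchina.com
off_registry_images() {
  prefix="${1%/}/"   # force a trailing slash so a longer host name does not match
  while read -r pod container image; do
    [ -n "$image" ] || continue
    case "$image" in
      "$prefix"*) ;;                                   # approved registry
      *) printf '%s %s %s\n' "$pod" "$container" "$image" ;;
    esac
  done
}

# Exit status 1 when anything is off-registry, so the check can gate a pipeline.
audit() {
  findings="$(off_registry_images "$1")"
  [ -z "$findings" ] && return 0
  printf '%s\n' "$findings"
  return 1
}

printf '%s\n' "$SAMPLE_INVENTORY" | audit xwharbor.wxchina.com || true
```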
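3. Finally
Of course, steps 2.6 and 2.7 can also be done directly with the following command:
```bash
$ helm install istio-base istio/base -n istio-system --set defaultRevision=default
```
and the command
```bash
$ helm install istiod istio/istiod -n istio-system --wait
```
The main reason for the longer route was to look at the actual values.yaml configuration. In addition, the local network cannot pull images from docker.hub, so the image settings in values.yaml had to be inspected and some parameters replaced. The required values parameters can also be viewed with the following helm command:
```bash
$ helm show values istio/istiod
```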