Installing Istio 1.16.5 with istioctl

Software     Version
Kubernetes   1.22.15
Istio        1.16.5

Official documentation

Supported Kubernetes and Istio versions: https://istio.io/latest/docs/releases/supported-releases/#support-status-of-istio-releases

istioctl installation guide: https://istio.io/latest/docs/setup/getting-started/#download

Download

$ sudo wget https://ghproxy.com/https://github.com/istio/istio/releases/download/1.16.5/istio-1.16.5-linux-amd64.tar.gz
$ sudo tar xf istio-1.16.5-linux-amd64.tar.gz
$ sudo cp -a istio-1.16.5/bin/istioctl /usr/local/bin/
$ sudo chmod +x /usr/local/bin/istioctl

Install

$ istioctl install --set profile=demo -y
✔ Istio core installed
✔ Istiod installed
✔ Ingress gateways installed
✔ Egress gateways installed
✔ Installation complete
Making this installation the default for injection and validation.
Thank you for installing Istio 1.16. Please take a few minutes to tell us about your install/upgrade experience!
https://forms.gle/99uiMML96AmsXY5d6

Verify

$ kubectl  get deploy,svc  -nistio-system
NAME                                   READY   UP-TO-DATE   AVAILABLE   AGE
deployment.apps/istio-egressgateway    1/1     1            1           10m
deployment.apps/istio-ingressgateway   1/1     1            1           10m
deployment.apps/istiod                 1/1     1            1           10m

NAME                           TYPE           CLUSTER-IP      EXTERNAL-IP     PORT(S)                                                                      AGE
service/istio-egressgateway    ClusterIP      172.16.22.52    <none>          80/TCP,443/TCP                                                               10m
service/istio-ingressgateway   LoadBalancer   172.16.84.188   8.219.129.229   15021:30413/TCP,80:30068/TCP,443:31931/TCP,31400:31200/TCP,15443:30085/TCP   10m
service/istiod                 ClusterIP      172.16.157.58   <none>          15010/TCP,15012/TCP,443/TCP,15014/TCP                                        10m

Deploy the test application

Download the samples

$ git clone https://ghproxy.com/https://github.com/istio/istio.git
$ cd istio

Label the namespace that needs sidecar injection

$ kubectl create namespace bookinfo
$ kubectl label namespace bookinfo istio-injection=enabled

Deploy the bookinfo test app

$ cd istio/
# Deploy the data-plane application
$ kubectl -n bookinfo apply -f samples/bookinfo/platform/kube/bookinfo.yaml
$ kubectl get services -n bookinfo
NAME          TYPE        CLUSTER-IP       EXTERNAL-IP   PORT(S)    AGE
details       ClusterIP   172.16.249.66    <none>        9080/TCP   8m27s
productpage   ClusterIP   172.16.223.108   <none>        9080/TCP   8m25s
ratings       ClusterIP   172.16.177.7     <none>        9080/TCP   8m27s
reviews       ClusterIP   172.16.24.13     <none>        9080/TCP   8m26s

$ kubectl get pods -n bookinfo
NAME                              READY   STATUS    RESTARTS   AGE
details-v1-b59c547-tzfl7          2/2     Running   0          8m58s
productpage-v1-5dc6ffc7c6-9fslh   2/2     Running   0          8m55s
ratings-v1-68bb68c59f-qf445       2/2     Running   0          8m57s
reviews-v1-5cc86f5957-wx26z       2/2     Running   0          8m56s
reviews-v2-5cf978d9c9-q7w4c       2/2     Running   0          8m56s
reviews-v3-cc9c5cb4f-8l5hk        2/2     Running   0          8m56s

# Deploy the control-plane Gateway and VirtualService
$ kubectl -n bookinfo apply -f samples/bookinfo/networking/bookinfo-gateway.yaml
$ kubectl get gateway,virtualservice -n bookinfo
NAME                                           AGE
gateway.networking.istio.io/bookinfo-gateway   2m22s

NAME                                          GATEWAYS               HOSTS   AGE
virtualservice.networking.istio.io/bookinfo   ["bookinfo-gateway"]   ["*"]   2m21s

Access test

$ curl http://<ingressgateway EXTERNAL-IP>/productpage

Configure a certificate

Self-signed certificate [optional]

$ openssl req -newkey rsa:4096 \
    -subj "/CN=*.zmq100.cn" \
    -x509 \
    -sha256 \
    -days 3650 \
    -nodes \
    -out server.crt \
    -keyout server.key

Create the secret in the istio-system namespace

$ kubectl create -n istio-system secret tls bookinfo-secrets --key=server.key --cert=server.crt
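Before the key and certificate go into the secret it is worth checking that they actually belong together, that the certificate still has enough lifetime left, and that its CN covers the host the Gateway will serve; a mismatched pair or a wrong name only shows up later as a listener that never comes up. The script below is an added example, not part of the original post or of Istio. It assumes only the openssl CLI; the file names, hostname and day count are caller-supplied parameters, and the function names (check_pair and friends) and the *.example.test sample pair are this example's own constructions.

```shell
#!/bin/sh
# Added example (not from the original post): pre-flight checks on a TLS
# key/certificate pair before it is stored as the Gateway's credential secret.
# Only the openssl CLI is assumed; file names, hostnames and day counts are
# parameters chosen by the caller.

# Does the name in the certificate (possibly a wildcard) cover the host?
# A wildcard matches exactly one label, so *.zmq100.cn covers
# bookinfo.zmq100.cn but neither zmq100.cn nor a.b.zmq100.cn.
host_matches() {  # $1 = name from cert, $2 = hostname to serve
  case "$1" in
    \*.*) [ "${2%%.*}" != "$2" ] && [ "${2#*.}" = "${1#\*.}" ] ;;
    *)    [ "$1" = "$2" ] ;;
  esac
}

# The public key derived from the private key must equal the one in the
# certificate; a mismatched pair is useless once it sits in a secret.
key_matches_cert() {  # $1 = key file, $2 = cert file
  [ "$(openssl pkey -pubout -in "$1" 2>/dev/null)" = \
    "$(openssl x509 -noout -pubkey -in "$2" 2>/dev/null)" ]
}

# Certificate must remain valid for at least $2 more days.
cert_valid_for_days() {  # $1 = cert file, $2 = days
  openssl x509 -noout -checkend $(( $2 * 86400 )) -in "$1" >/dev/null
}

# Subject CN, printed the same way by old and new openssl releases.
cert_cn() {  # $1 = cert file
  openssl x509 -noout -subject -nameopt RFC2253 -in "$1" |
    sed -n 's/.*CN=\([^,]*\).*/\1/p'
}

# Run all checks; prints the first failure and returns non-zero.
check_pair() {  # $1 = key file, $2 = cert file, $3 = hostname, $4 = min days
  key_matches_cert "$1" "$2" || { echo "FAIL: $1 does not match $2"; return 1; }
  cert_valid_for_days "$2" "$4" || { echo "FAIL: $2 expires within $4 days"; return 1; }
  host_matches "$(cert_cn "$2")" "$3" || { echo "FAIL: CN $(cert_cn "$2") does not cover $3"; return 1; }
  echo "OK: $2 covers $3 and matches $1"
}

# Constructed sample: a throwaway self-signed pair (30 days) for exercising the checks.
make_sample_pair() {  # $1 = directory
  openssl req -newkey rsa:2048 -nodes -x509 -sha256 -days 30 \
    -subj "/CN=*.example.test" -keyout "$1/server.key" -out "$1/server.crt" >/dev/null 2>&1
}

# Usage: sh check_cert.sh server.key server.crt bookinfo.zmq100.cn 30
if [ "$#" -eq 4 ]; then
  check_pair "$@"
fi
```

Run it against the server.key and server.crt from the openssl step above with the hostname you put in the Gateway; only create the secret once it prints OK.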

Modify the Gateway

$ cat << EOF | kubectl  apply -n bookinfo  -f -
apiVersion: networking.istio.io/v1beta1
kind: Gateway
metadata:
  name: bookinfo-gateway
spec:
  selector:
    istio: ingressgateway
  servers:
  - hosts:
    - bookinfo.zmq100.cn
    port:
      name: http
      number: 80
      protocol: HTTP
    tls:
      httpsRedirect: true # redirect HTTP to HTTPS
  - hosts:
    - bookinfo.zmq100.cn
    port:
      name: https
      number: 443
      protocol: HTTPS
    tls:
      credentialName: bookinfo-secrets # the certificate secret
      mode: SIMPLE
EOF

Check that it took effect

$ istioctl proxy-config secret istio-ingressgateway-647bcfbbd5-pfp9w.istio-system
RESOURCE NAME                   TYPE         STATUS   VALID CERT   SERIAL NUMBER                             NOT AFTER              NOT BEFORE
default                         Cert Chain   ACTIVE   true         308035502015261488183847003465245990013   2023-05-28T08:31:36Z   2023-05-27T08:29:36Z
kubernetes://bookinfo-secrets   CA           ACTIVE   true         14908410081049176274                      2033-05-24T09:13:33Z   2023-05-27T09:13:33Z
ROOTCA                          CA           ACTIVE   true         280362160557638848503915305201489233374   2033-05-24T08:31:31Z   2023-05-27T08:31:31Z

$ kubectl exec istio-ingressgateway-647bcfbbd5-pfp9w -n istio-system -- curl -s localhost:15000/config_dump | grep -A 3 "kubernetes://bookinfo-secrets"
...
     "name": "kubernetes://bookinfo-secrets",
     "tls_certificate": {
      "certificate_chain": {
       "inline_bytes": "LS0tLS1CRUdJTiBD...LQo="

Access

$ curl -I -v --cacert server.crt   https://bookinfo.zmq100.cn/productpage --resolve bookinfo.zmq100.cn:443:8.219.129.229

* Added bookinfo.zmq100.cn:443:8.219.129.229 to DNS cache
* About to connect() to bookinfo.zmq100.cn port 443 (#0)
* Trying 8.219.129.229...
* Connected to bookinfo.zmq100.cn (8.219.129.229) port 443 (#0)
* Initializing NSS with certpath: sql:/etc/pki/nssdb
* CAfile: server.crt
CApath: none
* SSL connection using TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
* Server certificate:
* subject: CN=*.zmq100.cn
* start date: May 27 09:13:33 2023 GMT
* expire date: May 24 09:13:33 2033 GMT
* common name: *.zmq100.cn
* issuer: CN=*.zmq100.cn
> HEAD /productpage HTTP/1.1
> User-Agent: curl/7.29.0
> Host: bookinfo.zmq100.cn
> Accept: */*
>
< HTTP/1.1 200 OK
HTTP/1.1 200 OK
< server: istio-envoy
server: istio-envoy
< date: Sat, 27 May 2023 09:22:22 GMT
date: Sat, 27 May 2023 09:22:22 GMT
< content-type: text/html; charset=utf-8
content-type: text/html; charset=utf-8
< content-length: 5289
content-length: 5289
< x-envoy-upstream-service-time: 23
x-envoy-upstream-service-time: 23

<
* Connection #0 to host bookinfo.zmq100.cn left intact

Canary test

# split traffic 50/50 between reviews v1 and v3
$ kubectl apply -n bookinfo -f samples/bookinfo/networking/virtual-service-reviews-50-v3.yaml
$ kubectl apply -n bookinfo -f samples/bookinfo/networking/destination-rule-all.yaml

Uninstall

# delete the corresponding resources
$ kubectl -n bookinfo delete -f samples/bookinfo/networking/bookinfo-gateway.yaml
$ kubectl -n bookinfo delete -f samples/bookinfo/platform/kube/bookinfo.yaml
$ kubectl delete namespace bookinfo

$ istioctl uninstall -y --purge