Installing Istio and Deploying a Sample Application

Demon.Lee, February 7, 2023

Environment used for this article:

demon@ubuntu2204:~$ hostnamectl 
Static hostname: ubuntu2204
Chassis: vm
Virtualization: vmware
Operating System: Ubuntu 22.04.1 LTS              
Kernel: Linux 5.15.0-58-generic
Architecture: arm64
demon@ubuntu2204:~$

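Over the past couple of years the service mesh architecture has become very popular. It is an iteration on the microservice architecture under Kubernetes. What does it iterate on? Network communication.

In Kubernetes, network traffic can only be managed down to the Pod level; finer-grained control still has to be supported by application code. In other words, network control logic that has nothing to do with the business is still mixed into the business code that programmers write.

This is coupling. For example, when a remote service times out, we consider retrying a few times. If it still times out after multiple retries (beyond some threshold), we conclude that the peer is down. This is a very common service-governance feature: timeout retry. But, sorry, the existing Kubernetes system cannot solve this elegantly, and programmers still have to handle it with libraries (such as Spring Cloud Feign and Netflix Ribbon in the Java ecosystem).

Since the control logic of network communication has not yet been fully separated from business logic, good engineers naturally dig into this problem and keep pushing software architecture forward. I will trace how the service mesh architecture evolved in a later article.

Any list of mainstream service mesh products has to include Istio. So here I record the process of installing it.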

Installing Istio

The official Istio documentation is very detailed and has a Chinese version; I recommend consulting it.

root@ubuntu2204-master:/etc/istio# curl -L https://istio.io/downloadIstio | ISTIO_VERSION=1.16.2 sh -

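The script above downloads the specified version of Istio and picks the matching architecture, for example x86_64. For reasons beyond our control, though, the download can be slow. In that case, consider downloading manually (this machine is Arm, so I choose the arm64 build) with the following command: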

wget -c https://github.com/istio/istio/releases/download/1.16.2/istio-1.16.2-linux-arm64.tar.gz
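
Whichever way the archive is fetched, it can be checked against a published SHA-256 digest before it is unpacked. The functions below are an added example, not part of the original article; they assume a companion .sha256 file (whose first field is the hex digest) was downloaded next to the tarball, and verify_archive and sha256_of are hypothetical helper names.

```shell
#!/bin/sh
# Added example: verify a downloaded release archive against its SHA-256
# file before extracting it. The ".sha256" companion file and its
# "<hex digest> [filename]" layout are assumptions, not taken from the article.

# Print the SHA-256 hex digest of a file using whichever tool is installed.
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{print $1}'
    else
        shasum -a 256 "$1" | awk '{print $1}'
    fi
}

# verify_archive ARCHIVE CHECKSUM_FILE
# Returns 0 only when the archive digest equals the first field of the
# checksum file, 1 on mismatch, and 2 when an input is unusable.
verify_archive() {
    va_archive=$1
    va_sumfile=$2
    [ -r "$va_archive" ] && [ -r "$va_sumfile" ] || { echo "missing input" >&2; return 2; }
    va_expected=$(awk 'NR==1 {print tolower($1)}' "$va_sumfile")
    # Reject anything that is not exactly 64 hex characters, for example an
    # HTML error page that was saved in place of the checksum.
    case $va_expected in
        *[!0-9a-f]*|"") echo "malformed checksum file" >&2; return 2 ;;
    esac
    [ "${#va_expected}" -eq 64 ] || { echo "malformed checksum file" >&2; return 2; }
    va_actual=$(sha256_of "$va_archive") || return 2
    if [ "$va_actual" = "$va_expected" ]; then
        echo "OK: $va_archive"
    else
        echo "MISMATCH: $va_archive (expected $va_expected, got $va_actual)" >&2
        return 1
    fi
}

# Typical use (file names follow the article; the checksum file is assumed
# to have been fetched from the same release page):
#   verify_archive istio-1.16.2-linux-arm64.tar.gz \
#                  istio-1.16.2-linux-arm64.tar.gz.sha256 \
#       && tar zxf istio-1.16.2-linux-arm64.tar.gz
```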

Then extract it:

root@ubuntu2204-master:/usr/local/share/istio# ll
total 22680
drwxr-xr-x 2 root  root      4096  2月  3 17:18 ./
drwxr-xr-x 9 root  root      4096  2月  3 17:18 ../
-rw-r--r-- 1 demon demon 23213835  2月  3 17:17 istio-1.16.2-linux-arm64.tar.gz
root@ubuntu2204-master:/usr/local/share/istio# 
root@ubuntu2204-master:/usr/local/share/istio# 
root@ubuntu2204-master:/usr/local/share/istio# tar zxvf istio-1.16.2-linux-arm64.tar.gz 
...
...
...
root@ubuntu2204-master:/usr/local/share/istio# ls -l
total 40
drwxr-x---  2 root root  4096  1月 28 00:00 bin
-rw-r--r--  1 root root 11348  1月 28 00:00 LICENSE
drwxr-xr-x  5 root root  4096  1月 28 00:00 manifests
-rw-r-----  1 root root   925  1月 28 00:00 manifest.yaml
-rw-r--r--  1 root root  6595  1月 28 00:00 README.md
drwxr-xr-x 24 root root  4096  1月 28 00:00 samples
drwxr-xr-x  3 root root  4096  1月 28 00:00 tools
root@ubuntu2204-master:/usr/local/share/service-mesh/istio-1.16.2#

Add the istioctl client to the PATH environment variable, then check the version:

➜  ~ ls -l /usr/local/share/service-mesh/istio-1.16.2/bin
total 85440
-rwxr-xr-x 1 root root 87490560  1月 28 00:00 istioctl
➜  ~ nvim .bashrc
# Append at the end
export PATH=/usr/local/share/service-mesh/istio-1.16.2/bin:$PATH
➜  ~ 
➜  ~ istioctl version
no running Istio pods in "istio-system"
1.16.2
➜  ~ 

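To add auto-completion for bash/zsh, see here (I got completion working under bash, but under zsh it never took effect, and I have not yet found the cause).

With istioctl installed, use it to deploy Istio: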

➜  ~ istioctl manifest install --set profile=demo
This will install the Istio 1.16.2 demo profile with ["Istio core" "Istiod" "Ingress gateways" "Egress gateways"] components into the cluster. Proceed? (y/N) y
✔ Istio core installed                                                                                                                       
✔ Istiod installed                                                                                                                           
✔ Ingress gateways installed                                                                                                                 
✔ Egress gateways installed                                                                                                                  
✔ Installation complete                                                                                                                      Making this installation the default for injection and validation.

Thank you for installing Istio 1.16.  Please take a few minutes to tell us about your install/upgrade experience!  https://forms.gle/99uiMML96AmsXY5d6
➜  ~ 

Here I chose profile=demo. The word demo may be misleading: this profile actually installs the most components. istioctl profile list shows all currently supported profiles:

➜  ~ istioctl profile list
Istio configuration profiles:
    ambient
    default
    demo
    empty
    external
    minimal
    openshift
    preview
    remote
➜  ~

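How do they differ? The environments they suit and the components they install vary, as shown in the table below; see the official documentation for more.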

Component\Profile default demo minimal remote empty preview
istio-egressgateway
istio-ingressgateway
istiod
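  • istiod: the core component, acting as the control plane of the service mesh; its main functions are service discovery, configuration and certificate management, and so on;
  • istio-ingressgateway: the ingress gateway for traffic entering the service mesh;
  • istio-egressgateway: the egress gateway for traffic leaving the service mesh.

Another way to deploy with istioctl is to first obtain the Istio manifest and then install it with kubectl apply -f: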

➜  ~ istioctl manifest generate --set profile=demo > ./istio-manifest.yml
➜  ~ kubectl apply -f ./istio-manifest.yml

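A file that describes the "desired final state" to Kubernetes (that is, how container images should be deployed to the cluster) is called a Kubernetes manifest. A manifest is like a restaurant menu: you just order the dishes and don't concern yourself with how they are cooked.

After installation, you can verify it as follows:

1) Check the workloads, services, CRDs, API resources, and so on: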

➜  ~ kubectl get po -n istio-system                         
NAME                                    READY   STATUS    RESTARTS        AGE
istio-egressgateway-757bfb7888-xpsgb    1/1     Running   0               21h
istio-ingressgateway-7cf5c5849d-fxfm8   1/1     Running   0               21h
istiod-66c575d5c5-qcpc7                 1/1     Running   1 (7m33s ago)   21h
➜  ~ 
➜  ~ kubectl get deploy -n istio-system 
NAME                   READY   UP-TO-DATE   AVAILABLE   AGE
istio-egressgateway    1/1     1            1           21h
istio-ingressgateway   1/1     1            1           21h
istiod                 1/1     1            1           21h
➜  ~ 
➜  ~ kubectl get svc -n istio-system 
NAME                   TYPE           CLUSTER-IP     EXTERNAL-IP   PORT(S)                                                                      AGE
istio-egressgateway    ClusterIP      10.104.77.72   <none>        80/TCP,443/TCP                                                               21h
istio-ingressgateway   LoadBalancer   10.102.18.10   <pending>     15021:24604/TCP,80:17457/TCP,443:16961/TCP,31400:25268/TCP,15443:15011/TCP   21h
istiod                 ClusterIP      10.104.20.9    <none>        15010/TCP,15012/TCP,443/TCP,15014/TCP                                        21h
➜  ~ 
➜  ~ kubectl get crd | grep -i istio
authorizationpolicies.security.istio.io               2023-02-03T09:54:50Z
destinationrules.networking.istio.io                  2023-02-03T09:54:51Z
envoyfilters.networking.istio.io                      2023-02-03T09:54:51Z
gateways.networking.istio.io                          2023-02-03T09:54:51Z
istiooperators.install.istio.io                       2023-02-03T09:54:51Z
peerauthentications.security.istio.io                 2023-02-03T09:54:51Z
proxyconfigs.networking.istio.io                      2023-02-03T09:54:51Z
requestauthentications.security.istio.io              2023-02-03T09:54:51Z
serviceentries.networking.istio.io                    2023-02-03T09:54:51Z
sidecars.networking.istio.io                          2023-02-03T09:54:51Z
telemetries.telemetry.istio.io                        2023-02-03T09:54:51Z
virtualservices.networking.istio.io                   2023-02-03T09:54:51Z
wasmplugins.extensions.istio.io                       2023-02-03T09:54:51Z
workloadentries.networking.istio.io                   2023-02-03T09:54:51Z
workloadgroups.networking.istio.io                    2023-02-03T09:54:51Z
➜  ~ 
➜  ~ kubectl api-resources | grep -i istio
wasmplugins                                    extensions.istio.io/v1alpha1           true         WasmPlugin
istiooperators                    iop,io       install.istio.io/v1alpha1              true         IstioOperator
destinationrules                  dr           networking.istio.io/v1beta1            true         DestinationRule
envoyfilters                                   networking.istio.io/v1alpha3           true         EnvoyFilter
gateways                          gw           networking.istio.io/v1beta1            true         Gateway
proxyconfigs                                   networking.istio.io/v1beta1            true         ProxyConfig
serviceentries                    se           networking.istio.io/v1beta1            true         ServiceEntry
sidecars                                       networking.istio.io/v1beta1            true         Sidecar
virtualservices                   vs           networking.istio.io/v1beta1            true         VirtualService
workloadentries                   we           networking.istio.io/v1beta1            true         WorkloadEntry
workloadgroups                    wg           networking.istio.io/v1beta1            true         WorkloadGroup
authorizationpolicies                          security.istio.io/v1beta1              true         AuthorizationPolicy
peerauthentications               pa           security.istio.io/v1beta1              true         PeerAuthentication
requestauthentications            ra           security.istio.io/v1beta1              true         RequestAuthentication
telemetries                       telemetry    telemetry.istio.io/v1alpha1            true         Telemetry
➜  ~

Now rerun istioctl version to see the control plane and data plane versions:

➜  ~ istioctl version
client version: 1.16.2
control plane version: 1.16.2
data plane version: 1.16.2 (2 proxies)
➜  ~

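Note that by default the Service for istio-ingressgateway is of type LoadBalancer, which requires an additional load balancer. For that reason I changed it to NodePort to make later study easier. The deploy command is: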

istioctl manifest install --set profile=demo --set values.gateways.istio-ingressgateway.type=NodePort

The resulting Services:

➜  ~ kubectl get svc -n istio-system
NAME                   TYPE        CLUSTER-IP       EXTERNAL-IP   PORT(S)                                                                     AGE
istio-egressgateway    ClusterIP   10.96.195.112    <none>        80/TCP,443/TCP                                                              45m
istio-ingressgateway   NodePort    10.110.181.36    <none>        15021:9451/TCP,80:31551/TCP,443:16050/TCP,31400:26443/TCP,15443:29226/TCP   45m
istiod                 ClusterIP   10.106.6.156     <none>        15010/TCP,15012/TCP,443/TCP,15014/TCP                                       45m
kiali                  NodePort    10.103.103.145   <none>        20001:5001/TCP,9090:25125/TCP                                               47h
prometheus             ClusterIP   10.102.12.48     <none>        9090/TCP                                                                    4h10m
➜  ~

2) Compared with the manual checks above, the most reliable way to verify is the official istioctl verify-install command:

# First obtain the installation manifest with `istioctl manifest generate`:
➜  ch12 # istioctl manifest generate --set profile=demo --set values.gateways.istio-ingressgateway.type=NodePort > ./istio-manifest.yml
➜  ch12 # 
# Then verify the installation with `istioctl verify-install`:
➜  ch12 # istioctl verify-install -f ./istio-manifest.yml
✔ CustomResourceDefinition: authorizationpolicies.security.istio.io.istio-system checked successfully
✔ CustomResourceDefinition: destinationrules.networking.istio.io.istio-system checked successfully
✔ CustomResourceDefinition: envoyfilters.networking.istio.io.istio-system checked successfully
✔ CustomResourceDefinition: gateways.networking.istio.io.istio-system checked successfully
✔ CustomResourceDefinition: istiooperators.install.istio.io.istio-system checked successfully
✔ CustomResourceDefinition: peerauthentications.security.istio.io.istio-system checked successfully
✔ CustomResourceDefinition: proxyconfigs.networking.istio.io.istio-system checked successfully
✔ CustomResourceDefinition: requestauthentications.security.istio.io.istio-system checked successfully
✔ CustomResourceDefinition: serviceentries.networking.istio.io.istio-system checked successfully
✔ CustomResourceDefinition: sidecars.networking.istio.io.istio-system checked successfully
✔ CustomResourceDefinition: telemetries.telemetry.istio.io.istio-system checked successfully
✔ CustomResourceDefinition: virtualservices.networking.istio.io.istio-system checked successfully
✔ CustomResourceDefinition: wasmplugins.extensions.istio.io.istio-system checked successfully
✔ CustomResourceDefinition: workloadentries.networking.istio.io.istio-system checked successfully
✔ CustomResourceDefinition: workloadgroups.networking.istio.io.istio-system checked successfully
✔ ServiceAccount: istio-egressgateway-service-account.istio-system checked successfully
✔ ServiceAccount: istio-ingressgateway-service-account.istio-system checked successfully
✔ ServiceAccount: istio-reader-service-account.istio-system checked successfully
✔ ServiceAccount: istiod.istio-system checked successfully
✔ ServiceAccount: istiod-service-account.istio-system checked successfully
✔ ClusterRole: istio-reader-clusterrole-istio-system.istio-system checked successfully
✔ ClusterRole: istio-reader-istio-system.istio-system checked successfully
✔ ClusterRole: istiod-clusterrole-istio-system.istio-system checked successfully
✔ ClusterRole: istiod-gateway-controller-istio-system.istio-system checked successfully
✔ ClusterRole: istiod-istio-system.istio-system checked successfully
✔ ClusterRoleBinding: istio-reader-clusterrole-istio-system.istio-system checked successfully
✔ ClusterRoleBinding: istio-reader-istio-system.istio-system checked successfully
✔ ClusterRoleBinding: istiod-clusterrole-istio-system.istio-system checked successfully
✔ ClusterRoleBinding: istiod-gateway-controller-istio-system.istio-system checked successfully
✔ ClusterRoleBinding: istiod-istio-system.istio-system checked successfully
✔ ValidatingWebhookConfiguration: istio-validator-istio-system.istio-system checked successfully
✔ EnvoyFilter: stats-filter-1.13.istio-system checked successfully
✔ EnvoyFilter: stats-filter-1.14.istio-system checked successfully
✔ EnvoyFilter: stats-filter-1.15.istio-system checked successfully
✔ EnvoyFilter: tcp-stats-filter-1.13.istio-system checked successfully
✔ EnvoyFilter: tcp-stats-filter-1.14.istio-system checked successfully
✔ EnvoyFilter: tcp-stats-filter-1.15.istio-system checked successfully
✔ ConfigMap: istio.istio-system checked successfully
✔ ConfigMap: istio-sidecar-injector.istio-system checked successfully
✔ MutatingWebhookConfiguration: istio-sidecar-injector.istio-system checked successfully
✔ Deployment: istio-egressgateway.istio-system checked successfully
✔ Deployment: istio-ingressgateway.istio-system checked successfully
✔ Deployment: istiod.istio-system checked successfully
✔ PodDisruptionBudget: istio-egressgateway.istio-system checked successfully
✔ PodDisruptionBudget: istio-ingressgateway.istio-system checked successfully
✔ PodDisruptionBudget: istiod.istio-system checked successfully
✔ Role: istio-egressgateway-sds.istio-system checked successfully
✔ Role: istio-ingressgateway-sds.istio-system checked successfully
✔ Role: istiod.istio-system checked successfully
✔ Role: istiod-istio-system.istio-system checked successfully
✔ RoleBinding: istio-egressgateway-sds.istio-system checked successfully
✔ RoleBinding: istio-ingressgateway-sds.istio-system checked successfully
✔ RoleBinding: istiod.istio-system checked successfully
✔ RoleBinding: istiod-istio-system.istio-system checked successfully
✔ Service: istio-egressgateway.istio-system checked successfully
✔ Service: istio-ingressgateway.istio-system checked successfully
✔ Service: istiod.istio-system checked successfully
Checked 15 custom resource definitions
Checked 3 Istio Deployments
✔ Istio is installed and verified successfully
➜  ch12 # 

If verification fails, check whether the PodDisruptionBudget version is mismatched. For example, the Kubernetes version I use is fairly new (v1.25.3), where PodDisruptionBudget is at policy/v1, whereas istioctl generated policy/v1beta1.
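
This kind of mismatch can be caught before the manifest is applied or verified. The following check is an added example, not part of the original article, and it goes beyond PodDisruptionBudget to any kind: it compares each document's apiVersion with the saved output of kubectl api-versions. The function name unserved_objects and the file names are assumptions.

```shell
#!/bin/sh
# Added example (not from the article): list every object in a generated
# manifest whose apiVersion the target cluster does not serve.
# Inputs are assumptions: MANIFEST is the output of `istioctl manifest generate`,
# SERVED is the saved output of `kubectl api-versions` (one group/version per line).

# unserved_objects MANIFEST SERVED
# Prints "<apiVersion> <kind> <name>" per offending document; returns 2 if
# either input is missing or empty.
unserved_objects() {
    [ -s "$1" ] && [ -s "$2" ] || { echo "usage: unserved_objects MANIFEST SERVED" >&2; return 2; }
    awk '
        # Report the finished document if its apiVersion is not served, then reset.
        function emit() {
            if (kind != "" && !(api in served)) print api, kind, name
            api = ""; kind = ""; name = ""; in_meta = 0
        }
        # First file: remember each served group/version.
        NR == FNR { if (NF) served[$1] = 1; next }
        /^---/          { emit(); next }        # YAML document separator
        /^apiVersion:/  { api = $2 }
        /^kind:/        { kind = $2 }
        /^metadata:/    { in_meta = 1; next }   # top-level metadata block
        /^[^ #]/        { in_meta = 0 }         # any other top-level key ends it
        # Only the two-space-indented name directly under metadata counts.
        in_meta && /^  name:/ && name == "" { name = $2 }
        END { emit() }
    ' "$2" "$1"
}

# Typical use against a live cluster:
#   istioctl manifest generate --set profile=demo > ./istio-manifest.yml
#   kubectl api-versions > ./served.txt
#   unserved_objects ./istio-manifest.yml ./served.txt
```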


3) In addition, the project provides Dashboard UIs for inspection; run the command: istioctl dashboard

➜  ~ istioctl dashboard
Access to Istio web UIs

Usage:
  istioctl dashboard [flags]
  istioctl dashboard [command]

Aliases:
  dashboard, dash, d

Available Commands:
  controlz    Open ControlZ web UI
  envoy       Open Envoy admin web UI
  grafana     Open Grafana web UI
  jaeger      Open Jaeger web UI
  kiali       Open Kiali web UI
  prometheus  Open Prometheus web UI
  skywalking  Open SkyWalking UI
  zipkin      Open Zipkin web UI
  
  ...
  ...

There are many web UIs to choose from, but each requires the corresponding addon to be installed. We choose the officially recommended kiali:

➜  addons# pwd
/usr/local/share/service-mesh/istio-1.16.2/samples/addons
➜  addons# 
➜  addons# ll
total 288K
drwxr-xr-x 2 root root 4.0K  1月 28 00:00 extras
-rwxr-xr-x 1 root root 242K  1月 28 00:00 grafana.yaml
-rwxr-xr-x 1 root root 2.5K  1月 28 00:00 jaeger.yaml
-rwxr-xr-x 1 root root  12K  1月 28 00:00 kiali.yaml
-rwxr-xr-x 1 root root  15K  1月 28 00:00 prometheus.yaml
-rwxr-xr-x 1 root root 5.1K  1月 28 00:00 README.md
➜  addons# 
➜  addons# tree
.
├── extras
│   ├── prometheus-operator.yaml
│   ├── prometheus_vm_tls.yaml
│   ├── prometheus_vm.yaml
│   ├── skywalking.yaml
│   └── zipkin.yaml
├── grafana.yaml
├── jaeger.yaml
├── kiali.yaml
├── prometheus.yaml
└── README.md

1 directory, 10 files
➜  addons# 
➜  addons# kubectl apply -f kiali.yaml 
serviceaccount/kiali created
configmap/kiali created
clusterrole.rbac.authorization.k8s.io/kiali-viewer created
clusterrole.rbac.authorization.k8s.io/kiali created
clusterrolebinding.rbac.authorization.k8s.io/kiali created
role.rbac.authorization.k8s.io/kiali-controlplane created
rolebinding.rbac.authorization.k8s.io/kiali-controlplane created
service/kiali created
deployment.apps/kiali created
➜  addons#

Once it is installed, start kiali and open the corresponding URL in a browser:

➜  ~ istioctl dashboard kiali
http://localhost:20001/kiali



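From installing kiali we can see that, unlike earlier Istio versions, addons are no longer installed by default and have to be loaded manually. To make later study easier, I install several commonly used addons together, such as prometheus, grafana and jaeger: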

kubectl apply -f grafana.yaml -f prometheus.yaml -f jaeger.yaml

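Deploying the Sample Application

With the core components installed, we follow the official documentation and bring up a sample application (Bookinfo) as well, to get a more intuitive feel for the sidecar proxy pattern.

The Bookinfo application is split into four separate microservices:

  • productpage. This microservice calls the details and reviews microservices to generate the page.
  • details. This microservice contains book information.
  • reviews. This microservice contains book reviews. It also calls the ratings microservice.
  • ratings. This microservice contains the rating information made up of book reviews.

The reviews microservice has 3 versions:

  • v1 does not call the ratings service.
  • v2 calls the ratings service and displays each rating as 1 to 5 black stars.
  • v3 calls the ratings service and displays each rating as 1 to 5 red stars.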



The command to enable sidecar injection for a namespace is:

kubectl label namespaces default istio-injection=enabled

➜  ~ kubectl label namespaces default istio-injection=enabled
namespace/default labeled
➜  ~ kubectl describe namespaces default
Name:         default
Labels:       istio-injection=enabled
              kubernetes.io/metadata.name=default
Annotations:  <none>
Status:       Active

No resource quota.

No LimitRange resource.
➜  ~

Adding the istio-injection=enabled label causes a proxy container, istio-proxy, to be injected automatically into Pods newly created in that namespace.

To disable injection, just remove the label:

➜  istio-1.16.2 kubectl label namespaces default istio-injection-
namespace/default unlabeled
➜  istio-1.16.2
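
Because the label only affects newly created Pods, workloads that were already running keep running without the proxy until they are recreated. The following check is an added example, not part of the original article; pods_missing_sidecar and audit_namespace are hypothetical helper names, and the container name istio-proxy is the one the article reports.

```shell
#!/bin/sh
# Added example (not from the article): find Pods that are running without
# the istio-proxy sidecar, e.g. Pods created before the namespace was labelled.

# pods_missing_sidecar
# stdin:  one line per Pod, "<pod name><TAB><container names separated by spaces>"
# stdout: names of Pods with no container called exactly "istio-proxy"
pods_missing_sidecar() {
    awk -F '\t' '
        $1 != "" {
            n = split($2, names, " ")
            found = 0
            # Exact match only: a container such as "my-istio-proxy-helper"
            # does not count as the sidecar.
            for (i = 1; i <= n; i++)
                if (names[i] == "istio-proxy") found = 1
            if (!found) print $1
        }'
}

# audit_namespace NAMESPACE
# Feeds live Pod data into the check; needs kubectl access to the cluster.
audit_namespace() {
    kubectl get pods -n "$1" \
        -o jsonpath='{range .items[*]}{.metadata.name}{"\t"}{.spec.containers[*].name}{"\n"}{end}' \
        | pods_missing_sidecar
}

# Typical use:
#   audit_namespace default
```

Pods it lists pick up the sidecar only after they are recreated in a labelled namespace, for example with kubectl rollout restart on their Deployment.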

Deploy the sample application Bookinfo:

➜  samples# pwd
/usr/local/share/service-mesh/istio-1.16.2/samples
➜  samples#
➜  samples# kubectl apply -f bookinfo/platform/kube/bookinfo.yaml
➜  samples#

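For easier debugging, I created a separate namespace, istio-dev, and all later operations are based on it. Because the namespace changed, the corresponding manifest files need to be updated too. That is simple, so I won't go into it here.
If you are only developing and debugging and don't want to modify the manifest files, you can use the command: kubectl -n istio-dev apply -f xxx.yml

Check the status of the sample application: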
➜  ~ kubectl get po,svc -n istio-dev
NAME                                 READY   STATUS    RESTARTS      AGE
pod/details-v1-5ffd6b64f7-vhrxm      2/2     Running   2 (14m ago)   5h3m
pod/productpage-v1-979d4d9fc-pkrgm   2/2     Running   2 (14m ago)   5h3m
pod/ratings-v1-5f9699cfdf-rwwph      2/2     Running   2 (14m ago)   4h53m
pod/reviews-v1-569db879f5-dkt8p      2/2     Running   2 (14m ago)   4h53m
pod/reviews-v2-65c4dc6fdc-5ftfj      2/2     Running   2 (14m ago)   5h3m
pod/reviews-v3-c9c4fb987-dfszc       2/2     Running   2 (14m ago)   5h3m

NAME                  TYPE        CLUSTER-IP      EXTERNAL-IP   PORT(S)    AGE
service/details       ClusterIP   10.100.34.200   <none>        9080/TCP   5h3m
service/productpage   ClusterIP   10.104.77.216   <none>        9080/TCP   5h3m
service/ratings       ClusterIP   10.106.175.19   <none>        9080/TCP   5h3m
service/reviews       ClusterIP   10.99.7.180     <none>        9080/TCP   5h3m
➜  ~

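In the Kubernetes Dashboard you can see the two containers in the details pod, one of which is the automatically injected istio-proxy.

Why conclude that this container was injected automatically? Because in the original manifest, this Deployment defines only one container: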

# cat /usr/local/share/service-mesh/istio-1.16.2/samples/bookinfo/platform/kube/bookinfo.yaml

apiVersion: apps/v1
kind: Deployment
metadata:
  name: details-v1
  namespace: istio-dev
  labels:
    app: details
    version: v1
spec:
  replicas: 1
  selector:
    matchLabels:
      app: details
      version: v1
  template:
    metadata:
      labels:
        app: details
        version: v1
    spec:
      serviceAccountName: bookinfo-details
      containers:
      - name: details
        image: docker.io/istio/examples-bookinfo-details-v1:1.17.0
        imagePullPolicy: IfNotPresent
        ports:
        - containerPort: 9080
        securityContext:
          runAsUser: 1000

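istio-proxy is Istio's wrapper container around the Envoy proxy; it contains two processes: pilot-agent, written in Golang, and envoy, written in C++.

  • The pilot-agent process manages Envoy's lifecycle (start, restart, graceful shutdown and so on) and maintains the configuration Envoy needs, such as the initial configuration and hot updates of Envoy's configuration whenever the control plane instructs it.
  • Envoy is the service proxy of the data plane. Following the instructions pushed down by the control plane, it takes over the application's traffic without the application being aware of it and carries out the related service-governance functions, including service routing, load balancing, authentication and authorization, health checking, and generating monitoring data.

Next, we deploy the ingress gateway for the Bookinfo application: istio gateway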

➜  networking# pwd
/usr/local/share/service-mesh/istio-1.16.2/samples/bookinfo/networking
➜  networking# cat bookinfo-gateway.yaml
apiVersion: networking.istio.io/v1alpha3
kind: Gateway
metadata:
  name: bookinfo-gateway
  namespace: istio-dev
spec:
  selector:
    istio: ingressgateway # use istio default controller
  servers:
  - port:
      number: 80
      name: http
      protocol: HTTP
    hosts:
    - "*"
---
apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
  name: bookinfo
  namespace: istio-dev
spec:
  hosts:
  - "*"
  gateways:
  - bookinfo-gateway
  http:
  - match:
    - uri:
        exact: /productpage
    - uri:
        prefix: /static
    - uri:
        exact: /login
    - uri:
        exact: /logout
    - uri:
        prefix: /api/v1/products
    route:
    - destination:
        host: productpage
        port:
          number: 9080
➜  networking#
➜  networking# kubectl apply -f bookinfo-gateway.yaml
gateway.networking.istio.io/bookinfo-gateway unchanged
virtualservice.networking.istio.io/bookinfo unchanged
➜  networking#
➜  networking# kubectl -n istio-dev get virtualservices.networking.istio.io
NAME       GATEWAYS               HOSTS   AGE
bookinfo   ["bookinfo-gateway"]   ["*"]   29m
➜  networking#
➜  networking# kubectl -n istio-dev get gateways.networking.istio.io
NAME               AGE
bookinfo-gateway   29m
➜  networking#

Using the NodePort of the istio-ingressgateway service from earlier, together with the /productpage route configured in the VirtualService above, you can access the application: http://{WorkerNodeIP}:{IngressPort}/productpage



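OK, that basically concludes installing and deploying Istio. I will keep publishing articles on cloud native and service mesh topics, which also serves as a record of my own continued learning.

Uninstalling Istio is simple; see the command: istioctl uninstall --help

P.S. If you installed the jaeger tracing component earlier, opening the Graph view in kiali now shows the topology between the services of the Bookinfo application at a glance: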



Cover image source: PSYENCE:MEDIA