Difference between revisions of "Kubernetes/Istio"
= Resources =
Training Istio v1.5
* [https://www.youtube.com/watch?v=z6WjVJ1XelY&feature=youtu.be What is Istio Service Mesh?]
* [https://www.youtube.com/watch?v=2FyhNONICkY Istio Hands on Demo Part 1]
Revision as of 10:04, 29 September 2020
Architecture
    | app1  |              | app2  |
    | proxy | <----------> | proxy |    # Data Plane (all Envoy proxy sidecars)

    |   pod   |   pod   |   pod   |
    | citadel |  mixer  |  pilot  |
    |   Control Plane API         |
    -------------------------------
Note: all the proxies are collectively called the data plane; everything else that Istio deploys is called the control plane.
Istio components group:
- Istio-telemetry
- Istio-pilot
- Istio-tracing
| Envoy L7 proxy | Pilot | Citadel | Mixer | Galley |
|---|---|---|---|---|
| | Tracks pod health and which pods are available, and sends the proxies the pods that are alive along with any other configuration updates. | Pods. It's the certificate store. | It has a lot of modules/plugins. Pods: istio-policy-*, istio-telemetry-* | Interface for the underlying Istio API gateway (aka server). |
- Noticeable changes
- Istio 1.6 completed the transition and moved this functionality fully into Istiod. This allowed the separate deployments for Citadel, the sidecar injector, and Galley to be removed.
Istio on minikube
    # Minimum requirements are 8G and 4 CPUs
    PROFILE=minikube-v1.17.6-istio
    minikube start --memory=8192 --cpus=4 --kubernetes-version=v1.17.6 --profile $PROFILE
    minikube start --memory=8192 --cpus=4 --kubernetes-version=v1.17.6 --driver kvm --profile $PROFILE-kvm2
    minikube tunnel --profile $PROFILE
    minikube addons enable istio --profile $PROFILE # [1] error
Troubleshooting
- [1] - no matches for kind "IstioOperator"
    💣 enable failed: run callbacks: running callbacks: [sudo KUBECONFIG=/var/lib/minikube/kubeconfig /var/lib/minikube/binaries/v1.17.6/kubectl apply -f /etc/kubernetes/addons/istio-default-profile.yaml: Process exited with status 1
    stdout:
    namespace/istio-system unchanged
    stderr:
    error: unable to recognize "/etc/kubernetes/addons/istio-default-profile.yaml": no matches for kind "IstioOperator" in version "install.istio.io/v1alpha1"
Install istioctl
    curl -L https://istio.io/downloadIstio | ISTIO_VERSION=1.6.8 sh -
    cd istio-1.6.8/    # istio package directory
    export PATH=$PWD/bin:$PATH
    export PATH=$PATH:/git3rd/istio-1.6.8/bin

    # make sure you can connect to k8s cluster, then verify the install
    istioctl verify-install
    ...
    CustomResourceDefinition: templates.config.istio.io.default checked successfully
    CustomResourceDefinition: istiooperators.install.istio.io.default checked successfully
    Checked 25 custom resource definitions
    Checked 1 Istio Deployments
    Istio is installed successfully

    $ istioctl version --remote
    client version: 1.6.8
    control plane version: 1.6.8
    data plane version: 1.6.8 (21 proxies)
Uninstall Istio
Uninstall v1.6.8; it is safe to ignore errors about RBAC resources that do not exist.

    istioctl manifest generate --set profile=default | kubectl delete --ignore-not-found=true -f -
    kubectl delete namespace istio-system

    istioctl x uninstall --purge
Get info
    # List profiles
    istioctl profile list

    # profile configuration
    istioctl profile dump demo
    istioctl profile dump --config-path components.pilot demo

    # Differences in the profiles
    istioctl profile diff default demo
Customize istio installation
Configure ingress-gateways
Gateways are a special type of component, since multiple ingress and egress gateways can be defined. In the IstioOperator API, gateways are defined as a list type. The default profile installs one ingress gateway, called istio-ingressgateway.
    # Show default values of the ingressgateway
    istioctl profile dump --config-path components.ingressGateways
    istioctl profile dump --config-path values.gateways.istio-ingressgateway
Install Istio with the ingressgateway service as an internal AWS load balancer:

    istioctl install \
      --set profile=default \
      --set addonComponents.prometheus.enabled=false \
      --set addonComponents.grafana.enabled=false \
      --set addonComponents.kiali.enabled=false \
      --set addonComponents.tracing.enabled=false \
      --set components.ingressGateways[0].enabled="true" \
      --set components.ingressGateways[0].k8s.serviceAnnotations."service\.beta\.kubernetes\.io/aws-load-balancer-internal"=\"true\"
    ✔ Istio core installed
    ✔ Istiod installed
    ✔ Ingress gateways installed
    ✔ Installation complete

    # --set gateways.istio-ingressgateway.serviceAnnotations."service\.beta\.kubernetes\.io/aws-load-balancer-internal"="0\.0\.0\.0/0"

    istioctl version --remote
    client version: 1.6.4
    control plane version: 1.6.4
    data plane version: 1.6.4 (1 proxies)
Ingress Gateways
    # manually inject the sidecar
    kubectl -n bin apply -f <(istioctl kube-inject -f httpbin.yaml)

    export INGRESS_HOST=$(       kubectl -n istio-system get service istio-ingressgateway -o jsonpath='{.status.loadBalancer.ingress[0].ip}')
    # AWS, uses 'hostname'
    export INGRESS_HOST=$(       kubectl -n istio-system get service istio-ingressgateway -o jsonpath='{.status.loadBalancer.ingress[0].hostname}')
    export INGRESS_PORT=$(       kubectl -n istio-system get service istio-ingressgateway -o jsonpath='{.spec.ports[?(@.name=="http2")].port}')
    export SECURE_INGRESS_PORT=$(kubectl -n istio-system get service istio-ingressgateway -o jsonpath='{.spec.ports[?(@.name=="https")].port}')
    # This is not necessarily set/configured
    export TCP_INGRESS_PORT=$(   kubectl -n istio-system get service istio-ingressgateway -o jsonpath='{.spec.ports[?(@.name=="tcp")].port}')

    # Verify
    env | grep INGRESS
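A post-install check that ties the two sections above together, as an added example that is not part of the original page: it confirms the gateway Service still carries the internal load balancer annotation before resolving the address to export. The helper names (`gw_jsonpath`, `ingress_host`, `gateway_is_internal`) are hypothetical, and treating any non-empty value other than `false` as internal is an assumption that covers both the `true` and `0.0.0.0/0` values used on this page.

```shell
#!/usr/bin/env bash
# Added example; helper names are hypothetical, not part of istioctl or kubectl.
NS=istio-system
SVC=istio-ingressgateway

# Run one jsonpath query against the ingress gateway Service.
gw_jsonpath() {
  kubectl -n "$NS" get service "$SVC" -o jsonpath="$1"
}

# Print the load balancer address: the IP where the provider sets one,
# otherwise the hostname (AWS). Returns 1 while the LB is not provisioned,
# 2 if kubectl itself fails.
ingress_host() {
  local host
  host=$(gw_jsonpath '{.status.loadBalancer.ingress[0].ip}') || return 2
  if [ -z "$host" ]; then
    host=$(gw_jsonpath '{.status.loadBalancer.ingress[0].hostname}') || return 2
  fi
  [ -n "$host" ] || return 1
  printf '%s\n' "$host"
}

# Succeed only if the Service carries the internal-LB annotation set at
# install time. Assumption: any non-empty value other than "false" means
# internal ("true" and "0.0.0.0/0" both appear on this page).
gateway_is_internal() {
  local val
  val=$(gw_jsonpath '{.metadata.annotations.service\.beta\.kubernetes\.io/aws-load-balancer-internal}') || return 2
  [ -n "$val" ] && [ "$val" != "false" ]
}

# Usage (needs cluster access, so left commented out):
#   gateway_is_internal || { echo "ingress gateway is not internal" >&2; exit 1; }
#   export INGRESS_HOST=$(ingress_host)
```

If the annotation is missing, the Service gets a default load balancer instead of an internal one, so failing before any address is exported surfaces a drifted or reinstalled gateway early.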
Add custom headers
    apiVersion: networking.istio.io/v1alpha3
    kind: VirtualService
    metadata:
      name: httpbin
    spec:
      hosts:
      - "*"
      gateways:
      - httpbin-gateway
      http:
      - match:
        - uri:
            prefix: /headers
        route:
        - destination:
            port:
              number: 8000
            host: httpbin
          headers:
            response: # add to response
              add:
                "key1": "abc"
            request: # add to request
              add:
                "key2": "def"
Resources
Training Istio v1.5