
Istio 1.5 Setup

by 여행을 떠나자! 2021. 9. 23.

2020.04.24

 

1. Overview

- Environments: Google Compute Engine, CentOS 7.7, Kubernetes 1.15

- Istio 1.5 has been tested with these Kubernetes releases: 1.14, 1.15, 1.16.

- The Helm installation approach will be deprecated in the future.

- References

   https://istio.io/docs/setup/getting-started/

   https://istio.io/docs/setup/install/istioctl/

   #1 - Microservices and service mesh (https://bcho.tistory.com/1293?category=731548)

   #2 - Envoy proxy (https://bcho.tistory.com/1295?category=731548)

   #3 - Introduction to Istio (https://bcho.tistory.com/1296?category=731548)

   #4 - Istio installation and the BookInfo example (https://bcho.tistory.com/1297?category=731548)

   #5 - Istio Traffic management (https://bcho.tistory.com/1367)

   Istio Traffic management https://istio.io/docs/ops/best-practices/traffic-management/#split-virtual-services

 

 

2. Istio setup

- Install

$ curl -L https://istio.io/downloadIstio | sh -
…
Istio has been successfully downloaded into the istio-1.5.1 folder on your system.
$ echo "export PATH=\$PATH:/home/ysjeon71_kubeflow3/istio-1.5.1/bin" >> ~/.bash_profile
$ istioctl verify-install
…
Install Pre-Check passed! The cluster is ready for Istio installation.
$

  https://istio.io/docs/setup/additional-setup/config-profiles/

$ istioctl manifest apply --set profile=demo
Detected that your cluster does not support third party JWT authentication. Falling back to less secure first party JWT.
See https://istio.io/docs/ops/best-practices/security/#configure-third-party-service-account-tokens for details.
✔ Finished applying manifest for component Base.
✔ Finished applying manifest for component Pilot.
✔ Finished applying manifest for component EgressGateways.
✔ Finished applying manifest for component IngressGateways.
✔ Finished applying manifest for component AddonComponents.
✔ Installation complete
$

 

 

- Inject Envoy Sidecar proxies

   Add a namespace label to instruct Istio to automatically inject Envoy sidecar proxies when you deploy your application later:

$ kubectl label namespace default istio-injection=enabled
namespace/default labeled
$ # To turn automatic sidecar injection off again for the namespace:
$ kubectl label namespace default istio-injection=disabled --overwrite
$

 

- Uninstall

$ istioctl manifest generate --set profile=demo | kubectl delete -f -

 

 

3. Test

- Deploy the sample application

$ k apply -f istio-1.5.1/samples/bookinfo/platform/kube/bookinfo.yaml
…
$ k get svc | egrep -v "^kubernetes"
NAME          TYPE        CLUSTER-IP      EXTERNAL-IP   PORT(S)    AGE
details       ClusterIP   10.103.90.234   <none>        9080/TCP   2m31s
productpage   ClusterIP   10.96.4.46      <none>        9080/TCP   2m30s
ratings       ClusterIP   10.100.230.0    <none>        9080/TCP   2m30s
reviews       ClusterIP   10.99.40.14     <none>        9080/TCP   2m30s
$ k get pod
NAME                              READY   STATUS    RESTARTS   AGE
details-v1-74f858558f-dlgdf       2/2     Running   0          2m3s
productpage-v1-76589d9fdc-rcwl9   2/2     Running   0          2m3s
ratings-v1-7855f5bcb9-bqbv2       2/2     Running   0          2m2s
reviews-v1-64bc5454b9-kpblv       2/2     Running   0          2m3s
reviews-v2-76c64d4bdf-dqt2v       2/2     Running   0          2m3s
reviews-v3-5545c7c78f-79dm5       2/2     Running   0          2m3s
$ kubectl exec -it $(kubectl get pod -l app=ratings -o jsonpath='{.items[0].metadata.name}') -c ratings -- curl productpage:9080/productpage | grep -o "<title>.*</title>"
<title>Simple Bookstore App</title>
$

 

- Open the application to outside traffic

$ cat istio-1.5.1/samples/bookinfo/networking/bookinfo-gateway.yaml
apiVersion: networking.istio.io/v1alpha3
kind: Gateway
metadata:
  name: bookinfo-gateway
spec:
  selector:
    istio: ingressgateway # use istio default controller
  servers:
  - port:
      number: 80
      name: http
      protocol: HTTP
    hosts:
    - "*"
---
apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
  name: bookinfo
spec:
  hosts:
  - "*"
  gateways:
  - bookinfo-gateway
  http:
  - match:
    - uri:
        exact: /productpage
    …
    - uri:
        prefix: /api/v1/products
    route:
    - destination:
        host: productpage
        port:
          number: 9080
$ k apply -f istio-1.5.1/samples/bookinfo/networking/bookinfo-gateway.yaml

    -  Determining the ingress IP and ports

        If the EXTERNAL-IP value is set, your environment has an external load balancer that you can use for the ingress gateway. 

        If the EXTERNAL-IP value is <none> (or perpetually <pending>), your environment does not provide an external load balancer for the ingress gateway.

$ kubectl edit svc istio-ingressgateway -n istio-system
:%s/type: LoadBalancer/type: NodePort/
$ kubectl get svc istio-ingressgateway -n istio-system
NAME                   TYPE       CLUSTER-IP     EXTERNAL-IP   PORT(S)                                          AGE
istio-ingressgateway   NodePort   10.106.99.75   <none>        15020:30546/TCP,80:32549/TCP,443:30773/TCP,...   107m
$

- When the Service type is NodePort

$ export INGRESS_HOST=<workerNodeAddress>
$ export INGRESS_PORT=$(kubectl -n istio-system get service istio-ingressgateway -o jsonpath='{.spec.ports[?(@.name=="http2")].nodePort}')
$ export SECURE_INGRESS_PORT=$(kubectl -n istio-system get service istio-ingressgateway -o jsonpath='{.spec.ports[?(@.name=="https")].nodePort}')
$ echo INGRESS_PORT=$INGRESS_PORT, SECURE_INGRESS_PORT=$SECURE_INGRESS_PORT
INGRESS_PORT=32549, SECURE_INGRESS_PORT=30773
$

- When the Service type is LoadBalancer

$ export INGRESS_HOST=$(kubectl -n istio-system get service istio-ingressgateway -o jsonpath='{.status.loadBalancer.ingress[0].ip}')
$ export INGRESS_PORT=$(kubectl -n istio-system get service istio-ingressgateway -o jsonpath='{.spec.ports[?(@.name=="http2")].port}')
$ export SECURE_INGRESS_PORT=$(kubectl -n istio-system get service istio-ingressgateway -o jsonpath='{.spec.ports[?(@.name=="https")].port}')
$ gcloud compute firewall-rules create allow-gateway-http --allow tcp:$INGRESS_PORT
$ gcloud compute firewall-rules create allow-gateway-https --allow tcp:$SECURE_INGRESS_PORT
$ curl http://35.231.144.242:32549/productpage
…
$

 

 

4. Add-on tool setup

a. kiali: a tool that visualizes the relationships between services

$ kubectl port-forward service/kiali 20001:20001 -n istio-system --address 0.0.0.0 &
$ gcloud compute firewall-rules create allow-gateway-kiali --allow tcp:20001

- http://35.231.144.242:20001/

   Username: admin, Password: admin       

 

b. jaeger-query: monitors the response time of each span of an individual distributed transaction

$ kubectl -n istio-system port-forward service/jaeger-query 16686:16686 --address 0.0.0.0 &
$ gcloud compute firewall-rules create allow-gateway-jaeger --allow tcp:16686

http://35.231.144.242:16686/

 

c. grafana: detailed monitoring of service metrics

$ kubectl -n istio-system port-forward service/grafana 3000:3000 --address 0.0.0.0 &
$ gcloud compute firewall-rules create allow-gateway-grafana --allow tcp:3000

- http://35.231.144.242:3000/

 

d. prometheus

$ kubectl -n istio-system port-forward service/prometheus 9090:9090 --address 0.0.0.0 &
$ gcloud compute firewall-rules create allow-gateway-prometheus --allow tcp:9090

- http://35.231.144.242:9090/       
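The firewall rules in this section are created without `--source-ranges`, so GCE applies its default source range of 0.0.0.0/0 and the forwarded add-on ports (bound to 0.0.0.0 by `kubectl port-forward`) accept connections from any address. The following Python script is an added example, not part of the original post: it audits the JSON printed by `gcloud compute firewall-rules list --format=json` for such rules. The sample rules and the function names `audit`, `covered_ports` and `is_world_open` are constructed for illustration.

```python
import ipaddress
import json

ADDON_PORTS = {20001: "kiali", 16686: "jaeger-query", 3000: "grafana", 9090: "prometheus"}

# Constructed sample shaped like `gcloud compute firewall-rules list --format=json` output.
SAMPLE_RULES = json.loads("""[
 {"name": "allow-gateway-kiali", "direction": "INGRESS", "sourceRanges": ["0.0.0.0/0"],
  "allowed": [{"IPProtocol": "tcp", "ports": ["20001"]}]},
 {"name": "allow-monitoring-range", "direction": "INGRESS", "sourceRanges": ["0.0.0.0/0"],
  "allowed": [{"IPProtocol": "tcp", "ports": ["3000-9100"]}]},
 {"name": "allow-admin-jaeger", "direction": "INGRESS", "sourceRanges": ["203.0.113.0/24"],
  "allowed": [{"IPProtocol": "tcp", "ports": ["16686"]}]},
 {"name": "allow-all-disabled", "direction": "INGRESS", "disabled": true,
  "sourceRanges": ["0.0.0.0/0"], "allowed": [{"IPProtocol": "all"}]}
]""")

def is_world_open(cidr):
    """True for 0.0.0.0/0 or ::/0, i.e. a range that matches every source address."""
    return ipaddress.ip_network(cidr, strict=False).prefixlen == 0

def covered_ports(allowed_entry, watch):
    """Watched TCP ports matched by one `allowed` entry (no `ports` key means all ports)."""
    if allowed_entry.get("IPProtocol") not in ("tcp", "all"):
        return set()
    specs = allowed_entry.get("ports")
    if not specs:
        return set(watch)
    hit = set()
    for spec in specs:
        lo, _, hi = spec.partition("-")  # "3000-9100" is a range, "20001" a single port
        hit |= {p for p in watch if int(lo) <= p <= int(hi or lo)}
    return hit

def audit(rules, watch=ADDON_PORTS):
    """Return {rule name: sorted add-on names} for enabled ingress rules open to the world."""
    findings = {}
    for rule in rules:
        if rule.get("disabled") or rule.get("direction", "INGRESS") != "INGRESS":
            continue
        if not any(is_world_open(c) for c in rule.get("sourceRanges", [])):
            continue
        ports = set().union(*(covered_ports(a, watch) for a in rule.get("allowed", [])))
        if ports:
            findings[rule["name"]] = sorted(watch[p] for p in ports)
    return findings

if __name__ == "__main__":
    print(audit(SAMPLE_RULES))
```

To check a real project, pass the parsed output of `gcloud compute firewall-rules list --format=json` to `audit()`. A flagged rule can be narrowed with `gcloud compute firewall-rules update NAME --source-ranges=<admin CIDR>`.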
