我正在使用 Helm 配置 Istio。在这里你可以找到我的istio-config.yaml:
global:
proxy:
accessLogFile: "/dev/stdout"
resources:
requests:
cpu: 10m
memory: 40Mi
disablePolicyChecks: false
sidecarInjectorWebhook:
enabled: true
rewriteAppHTTPProbe: false
pilot:
autoscaleEnabled: false
traceSampling: 100.0
resources:
requests:
cpu: 10m
memory: 100Mi
mixer:
policy:
enabled: true
autoscaleEnabled: false
resources:
requests:
cpu: 10m
memory: 100Mi
telemetry:
enabled: true
autoscaleEnabled: false
resources:
requests:
cpu: 50m
memory: 100Mi
adapters:
stdio:
enabled: true
grafana:
enabled: true
tracing:
enabled: true
kiali:
enabled: true
createDemoSecret: true
gateways:
istio-ingressgateway:
autoscaleEnabled: false
resources:
requests:
cpu: 10m
memory: 40Mi
istio-egressgateway:
enabled: true
autoscaleEnabled: false
resources:
requests:
cpu: 10m
memory: 40Mi
global:
controlPlaneSecurityEnabled: false
mtls:
enabled: false
然后我使用部署了一堆微服务istioctl,都很简单REST使用 HTTP 进行调用。他们可以毫无问题地相互沟通。如果我用 NodePorts 暴露它们,我就可以正确地到达并与它们通信。
这是我的服务:
$ kubectl get svc --all-namespaces
NAMESPACE NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE
default activemq ClusterIP None <none> 61616/TCP 3h17m
default activemq-np NodePort 10.110.76.147 <none> 8161:30061/TCP 3h17m
default api-exchange ClusterIP None <none> 8080/TCP 3h16m
default api-response ClusterIP None <none> 8080/TCP 3h16m
default authorization-server ClusterIP None <none> 8080/TCP 3h17m
default de-communication ClusterIP None <none> 8080/TCP 3h16m
default gateway ClusterIP None <none> 8080/TCP 3h17m
default gateway-np NodePort 10.96.123.57 <none> 8080:30080/TCP 3h17m
default identity ClusterIP None <none> 88/TCP,8080/TCP 3h18m
default kubernetes ClusterIP 10.96.0.1 <none> 443/TCP 3h19m
default matchengine ClusterIP None <none> 8080/TCP 3h16m
default monitor-redis ClusterIP None <none> 8081/TCP 3h17m
default monitor-redis-np NodePort 10.106.178.13 <none> 8081:30082/TCP 3h17m
default postgres ClusterIP None <none> 5432/TCP 3h18m
default postgres-np NodePort 10.106.223.216 <none> 5432:30032/TCP 3h18m
default redis ClusterIP None <none> 6379/TCP 3h18m
default redis-np NodePort 10.101.167.194 <none> 6379:30079/TCP 3h18m
default synchronization ClusterIP None <none> 8080/TCP 3h15m
default tx-flow ClusterIP None <none> 8080/TCP 3h15m
default tx-manager ClusterIP None <none> 8080/TCP 3h15m
default tx-scheduler ClusterIP None <none> 8080/TCP 3h15m
default ubc-config ClusterIP None <none> 8080/TCP 3h16m
default ubc-services-config ClusterIP None <none> 8888/TCP 3h18m
default ubc-services-config-np NodePort 10.110.11.213 <none> 8888:30088/TCP 3h18m
default user-admin ClusterIP None <none> 8080/TCP 3h17m
default web-exchange-np NodePort 10.105.244.194 <none> 80:30081/TCP 3h15m
istio-system grafana ClusterIP 10.97.134.230 <none> 3000/TCP 3h22m
istio-system istio-citadel ClusterIP 10.99.159.56 <none> 8060/TCP,15014/TCP 3h22m
istio-system istio-egressgateway ClusterIP 10.97.71.204 <none> 80/TCP,443/TCP,15443/TCP 3h22m
istio-system istio-galley ClusterIP 10.98.111.27 <none> 443/TCP,15014/TCP,9901/TCP 3h22m
istio-system istio-ingressgateway LoadBalancer 10.96.182.202 <pending> 15020:30936/TCP,80:31380/TCP,443:31390/TCP,31400:31400/TCP,15029:31913/TCP,15030:30606/TCP,15031:32127/TCP,15032:30362/TCP,15443:31416/TCP 3h22m
istio-system istio-pilot ClusterIP 10.101.117.169 <none> 15010/TCP,15011/TCP,8080/TCP,15014/TCP 3h22m
istio-system istio-policy ClusterIP 10.97.247.54 <none> 9091/TCP,15004/TCP,15014/TCP 3h22m
istio-system istio-sidecar-injector ClusterIP 10.101.219.141 <none> 443/TCP 3h22m
istio-system istio-telemetry ClusterIP 10.109.108.78 <none> 9091/TCP,15004/TCP,15014/TCP,42422/TCP 3h22m
istio-system jaeger-agent ClusterIP None <none> 5775/UDP,6831/UDP,6832/UDP 3h22m
istio-system jaeger-collector ClusterIP 10.97.255.231 <none> 14267/TCP,14268/TCP 3h22m
istio-system jaeger-query ClusterIP 10.104.80.162 <none> 16686/TCP 3h22m
istio-system kiali ClusterIP 10.104.41.71 <none> 20001/TCP 3h22m
istio-system kiali-np NodePort 10.100.99.141 <none> 20001:30085/TCP 29h
istio-system prometheus ClusterIP 10.110.46.60 <none> 9090/TCP 3h22m
istio-system tracing ClusterIP 10.111.173.205 <none> 80/TCP 3h22m
istio-system zipkin ClusterIP 10.101.144.199 <none> 9411/TCP 3h22m
kube-system kube-dns ClusterIP 10.96.0.10 <none> 53/UDP,53/TCP,9153/TCP 54d
kube-system tiller-deploy ClusterIP 10.105.162.195 <none> 44134/TCP 24d
我创建了一个入口网关和一个 VirtualService 来路由来自集群外部的调用。这是我的网关和虚拟服务配置:
Gateway:
$ kubectl describe gateway iris-gateway
Name: iris-gateway
Namespace: default
Labels: <none>
Annotations: kubectl.kubernetes.io/last-applied-configuration:
{"apiVersion":"networking.istio.io/v1alpha3","kind":"Gateway","metadata":{"annotations":{},"name":"iris-gateway","namespace":"default"},"s...
API Version: networking.istio.io/v1alpha3
Kind: Gateway
Metadata:
Creation Timestamp: 2019-08-23T17:25:20Z
Generation: 1
Resource Version: 7093263
Self Link: /apis/networking.istio.io/v1alpha3/namespaces/default/gateways/iris-gateway
UID: 4c4fac7d-a698-4c9c-97e6-ebc7416c96a8
Spec:
Selector:
Istio: ingressgateway
Servers:
Hosts:
*
Port:
Name: http
Number: 80
Protocol: HTTP
Events: <none>
虚拟服务:
$ kubectl describe virtualservice apiexg
Name: apiexg
Namespace: default
Labels: <none>
Annotations: kubectl.kubernetes.io/last-applied-configuration:
{"apiVersion":"networking.istio.io/v1alpha3","kind":"VirtualService","metadata":{"annotations":{},"name":"apiexg","namespace":"default"},"...
API Version: networking.istio.io/v1alpha3
Kind: VirtualService
Metadata:
Creation Timestamp: 2019-08-23T19:26:16Z
Generation: 1
Resource Version: 7107510
Self Link: /apis/networking.istio.io/v1alpha3/namespaces/default/virtualservices/apiexg
UID: 861bca0d-be98-4bfb-bf92-b2bd2f1b703f
Spec:
Gateways:
iris-gateway
Hosts:
*
Http:
Match:
Uri:
Prefix: /api-exchange
Route:
Destination:
Host: api-exchange.default.svc.cluster.local
Port:
Number: 8080
Events: <none>
当我调用该服务时,我总是收到 503 服务不可用:
curl -X POST http://172.30.7.129:31380/api-exchange/ -vvv
* About to connect() to 172.30.7.129 port 31380 (#0)
* Trying 172.30.7.129...
* Connected to 172.30.7.129 (172.30.7.129) port 31380 (#0)
> POST /api-exchange/ HTTP/1.1
> User-Agent: curl/7.29.0
> Host: 172.30.7.129:31380
> Accept: */*
>
< HTTP/1.1 503 Service Unavailable
< content-length: 19
< content-type: text/plain
< date: Fri, 23 Aug 2019 21:49:33 GMT
< server: istio-envoy
<
* Connection #0 to host 172.30.7.129 left intact
no healthy upstream
这是日志输出istio-ingressgateway pod:
[2019-08-23 21:49:34.185][38][warning][upstream] [external/envoy/source/common/upstream/original_dst_cluster.cc:110] original_dst_load_balancer: No downstream connection or no original_dst.
版本:
$ istioctl version --remote
client version: 1.2.4
citadel version: 1.2.4
egressgateway version: 94746ccd404a8e056483dd02e4e478097b950da6-dirty
galley version: 1.2.4
ingressgateway version: 94746ccd404a8e056483dd02e4e478097b950da6-dirty
pilot version: 1.2.4
policy version: 1.2.4
sidecar-injector version: 1.2.4
telemetry version: 1.2.4
$ kubectl version
Client Version: version.Info{Major:"1", Minor:"15", GitVersion:"v1.15.1", GitCommit:"4485c6f18cee9a5d3c3b4e523bd27972b1b53892", GitTreeState:"clean", BuildDate:"2019-07-18T09:18:22Z", GoVersion:"go1.12.5", Compiler:"gc", Platform:"linux/amd64"}
Server Version: version.Info{Major:"1", Minor:"15", GitVersion:"v1.15.0", GitCommit:"e8462b5b5dc2584fdcd18e6bcfe9f1e4d970a529", GitTreeState:"clean", BuildDate:"2019-06-19T16:32:14Z", GoVersion:"go1.12.5", Compiler:"gc", Platform:"linux/amd64"}
Istio 安装:
$ helm install /opt/istio-1.2.4/install/kubernetes/helm/istio-init --name istio-init --namespace istio-system
$ helm install /opt/istio-1.2.4/install/kubernetes/helm/istio --name istio --namespace istio-system --values istio-config/istio-config.yaml
环境:
我在使用 RHEL 7 的 Oracle Virtual Appliance 虚拟服务器和使用 RHEL 7 的 3 个物理服务器组成的集群上进行了相同的配置。
