AWS – Installing Istio on EKS and deploying phpMyAdmin behind an NLB with an ACM certificate

Reference documents:
https://faun.pub/managing-tls-keys-and-certs-in-istio-using-amazons-acm-8ff9a0b99033

https://aws.amazon.com/blogs/containers/secure-end-to-end-traffic-on-amazon-eks-using-tls-certificate-in-acm-alb-and-istio/

【Install istioctl locally】

1. Download Istio and install istioctl on your local machine
   Reference: https://istio.io/latest/zh/docs/setup/getting-started/
curl -L https://istio.io/downloadIstio | sh -

2. Change into the Istio directory

cd istio-1.22.2

3. (macOS users) Copy bin/istioctl into /usr/local/bin

sudo cp bin/istioctl /usr/local/bin/istioctl

4. Check that istioctl was installed successfully

istioctl version

// output
client version: 1.22.2
control plane version: 1.22.2
data plane version: 1.22.2 (2 proxies)

【Install Istio on EKS】

1. To add distributed tracing, first create tracing.yaml locally
   Reference: https://istio.io/latest/zh/docs/tasks/observability/distributed-tracing/telemetry-api/#installation
cat <<EOF > ./tracing.yaml
apiVersion: install.istio.io/v1alpha1
kind: IstioOperator
spec:
  meshConfig:
    enableTracing: true
    defaultConfig:
      tracing: {} # disable the MeshConfig tracing options
    extensionProviders:
    # add the zipkin provider
    - name: zipkin
      zipkin:
        service: zipkin.istio-system.svc.cluster.local
        port: 9411
EOF

2. istioctl must already be installed on your machine
– An NLB is used as the Istio ingress gateway
– TLS uses the ACM certificate directly; replace the value below with your own ACM ARN

istioctl install -f ./tracing.yaml \
--set values.gateways.istio-ingressgateway.serviceAnnotations."service\.beta\.kubernetes\.io/aws-load-balancer-type"="nlb" \
--set values.gateways.istio-ingressgateway.serviceAnnotations."service\.beta\.kubernetes\.io/aws-load-balancer-cross-zone-load-balancing-enabled"="true" \
--set values.gateways.istio-ingressgateway.serviceAnnotations."service\.beta\.kubernetes\.io/aws-load-balancer-backend-protocol"="tcp" \
--set values.gateways.istio-ingressgateway.serviceAnnotations."service\.beta\.kubernetes\.io/aws-load-balancer-ssl-cert"="arn:aws:<your ACM ARN>" \
--set values.gateways.istio-ingressgateway.serviceAnnotations."service\.beta\.kubernetes\.io/aws-load-balancer-ssl-ports"="https" \
--set profile=default

– On a server the default profile is usually enough; for an install on your own machine you can choose the demo profile.
  The differences between the profiles are described here: https://istio.io/latest/zh/docs/setup/additional-setup/config-profiles/

3. When the installation finishes, the terminal shows the following:

✔ Istio core installed
✔ Istiod installed
✔ Ingress gateways installed
✔ Installation complete

The ACM certificate you configured was originally ineligible for automatic renewal; once it is in use it becomes eligible. In other words, only an ACM certificate that is in use can be renewed automatically.

AWS has created a Network Load Balancer for you.
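A pre-flight helper for the install command above, added here as an example and not part of the original post: it checks that the ssl-cert annotation value really is an ACM certificate ARN (a leftover placeholder is the usual reason the NLB never appears, and the failure only shows up later in the Service events) and builds the five escaped `--set` flags so the same annotations are reused consistently. The function names and the sample ARN used when testing it are assumptions.

```shell
#!/bin/sh
# Added example (not from the original post): validate the ACM ARN and build the
# istio-ingressgateway NLB annotation flags for `istioctl install`.

# Return 0 when $1 has the shape arn:aws:acm:<region>:<12-digit account>:certificate/<id>
# (aws-cn / aws-us-gov partitions are accepted too).
check_acm_arn() {
  printf '%s\n' "$1" |
    grep -Eq '^arn:aws(-[a-z]+)?:acm:[a-z]{2}(-[a-z]+)+-[0-9]+:[0-9]{12}:certificate/[A-Za-z0-9-]+$'
}

# Emit one --set flag for a service.beta.kubernetes.io/<suffix> annotation.
# The dots in the annotation name must be escaped with a backslash, otherwise
# istioctl/Helm splits the key at every dot into nested values.
nlb_annotation_flag() {
  printf '%s values.gateways.istio-ingressgateway.serviceAnnotations."service\\.beta\\.kubernetes\\.io/%s"="%s"\n' \
    '--set' "$1" "$2"
}

# Print the five NLB annotation flags used in the post, one per line, or fail
# (exit status 1, nothing printed) when the ARN is not an ACM certificate ARN.
build_nlb_flags() {
  check_acm_arn "$1" || { echo "refusing to continue: '$1' is not an ACM certificate ARN" >&2; return 1; }
  nlb_annotation_flag aws-load-balancer-type nlb
  nlb_annotation_flag aws-load-balancer-cross-zone-load-balancing-enabled true
  nlb_annotation_flag aws-load-balancer-backend-protocol tcp
  nlb_annotation_flag aws-load-balancer-ssl-cert "$1"
  nlb_annotation_flag aws-load-balancer-ssl-ports https
}

# Stand-alone usage: ACM_ARN=arn:aws:acm:... sh nlb-flags.sh
# prints the complete istioctl command, ready to paste.
if [ -n "${ACM_ARN:-}" ]; then
  printf 'istioctl install -f ./tracing.yaml \\\n'
  build_nlb_flags "$ACM_ARN" | sed 's/$/ \\/'
  printf '  --set profile=default\n'
fi
```

Run it once with the real ARN before the install; if `build_nlb_flags` refuses the value, fix the ARN rather than the script.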

4. Enable distributed tracing for the service mesh

kubectl apply -f - <<EOF
apiVersion: telemetry.istio.io/v1alpha1
kind: Telemetry
metadata:
  name: mesh-default
  namespace: istio-system
spec:
  tracing:
    - providers:
        - name: "zipkin"
EOF

5. Set a custom trace sampling rate
– The sampling rate option controls the percentage of requests reported to the tracing system. Configure it according to the traffic in your mesh and the amount of trace data you want to collect; the default sampling rate is 1%.

kubectl apply -f - <<EOF
apiVersion: telemetry.istio.io/v1alpha1
kind: Telemetry
metadata:
  name: mesh-default
  namespace: istio-system
spec:
  tracing:
    - providers:
        - name: "zipkin"
      randomSamplingPercentage: 100.00
EOF

【Install the Istio add-ons】

1. Install the required add-ons with the following commands. They are for Istio 1.22; change the version number as needed.
// install jaeger
kubectl apply -f https://raw.githubusercontent.com/istio/istio/release-1.22/samples/addons/jaeger.yaml

// install kiali
kubectl apply -f https://raw.githubusercontent.com/istio/istio/release-1.22/samples/addons/kiali.yaml

// install prometheus
kubectl apply -f https://raw.githubusercontent.com/istio/istio/release-1.22/samples/addons/prometheus.yaml

// install zipkin
kubectl apply -f https://raw.githubusercontent.com/istio/istio/release-1.22/samples/addons/jaeger/extras/zipkin.yaml
【Run this command only if you want to install all the add-ons】
// the following command installs all the add-ons; the current directory must be the Istio directory
kubectl apply -f samples/addons

The add-ons in Istio 1.22 are Jaeger, Prometheus, Grafana, Kiali and Loki. To install a single add-on, pick the corresponding yaml file under addons and apply it.

2. Deploying Loki is slightly different: the original yaml needs to be modified
Original Loki yaml: https://raw.githubusercontent.com/istio/istio/release-1.22/samples/addons/loki.yaml

The CSI driver must be enabled on your EKS cluster, otherwise the deployment cannot continue.
EBS CSI docs: https://www.pangzai.win/aws-eks-%e5%ae%89%e8%a3%85-ebs-csi%e6%8f%92%e4%bb%b6/

Override volumeClaimTemplates in the original Loki StatefulSet; in practice this only adds storageClassName:

  volumeClaimTemplates:
    - apiVersion: v1
      kind: PersistentVolumeClaim
      metadata:
        name: storage
      spec:
        accessModes:
          - ReadWriteOnce
        storageClassName: "gp3-storage-class"
        resources:
          requests:
            storage: "10Gi"

Create the StorageClass

apiVersion: storage.k8s.io/v1
kind: StorageClass
metadata:
  name: gp3-storage-class
provisioner: kubernetes.io/aws-ebs
volumeBindingMode: WaitForFirstConsumer # no PV is created when the PVC is created, only once a pod is bound to the PVC
parameters:
  type: gp3
  fsType: ext4
  iops: "3000"  # Minimum: 3000 IOPS
  throughput: "125"  # Minimum: 125 MiB/s
reclaimPolicy: Delete # can be set to Retain or Delete
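The volumeClaimTemplates change above can be applied to the upstream loki.yaml with a script instead of by hand, so it can be re-run whenever the add-on version changes. The following is an added example, not code from the original post or from the Istio project: the awk program finds every template spec under `volumeClaimTemplates` and inserts `storageClassName` directly after `spec:` (key order inside a YAML mapping does not matter) unless that spec already has one. The function name and the sample manifest are assumptions; the sample is modelled on the Loki StatefulSet snippet above.

```shell
#!/bin/sh
# Added example (not from the original post or Istio): add storageClassName to
# the PersistentVolumeClaim templates of a StatefulSet manifest read from stdin.

add_storage_class() {
  # $1 = StorageClass name; manifest on stdin, patched manifest on stdout
  awk -v sc="$1" '
    function indent(s) { match(s, /^ */); return RLENGTH }
    function spaces(k,   s) { s = ""; while (k-- > 0) s = s " "; return s }
    # print the buffered spec, prefixed with storageClassName unless it already has one
    function flush(   i) {
      if (n == 0) return
      if (!has_sc) printf "%sstorageClassName: \"%s\"\n", spaces(child_indent), sc
      for (i = 1; i <= n; i++) print buf[i]
      n = 0; has_sc = 0
    }
    /^[[:space:]]*volumeClaimTemplates:/ { in_vct = 1; vct_indent = indent($0); print; next }
    # a non-blank line indented no deeper than the list key ends the block
    in_vct && $0 !~ /^[[:space:]]*$/ && indent($0) <= vct_indent { flush(); in_vct = 0; in_spec = 0 }
    # a non-blank line indented no deeper than "spec:" ends the current template spec
    in_vct && in_spec && $0 !~ /^[[:space:]]*$/ && indent($0) <= spec_indent { flush(); in_spec = 0 }
    in_vct && !in_spec && /^[[:space:]]*spec:[[:space:]]*$/ {
      in_spec = 1; spec_indent = indent($0); child_indent = spec_indent + 2; first = 1; print; next
    }
    in_vct && in_spec {
      if (first && $0 !~ /^[[:space:]]*$/) { child_indent = indent($0); first = 0 }
      if ($0 ~ /^[[:space:]]*storageClassName:/) has_sc = 1
      buf[++n] = $0; next
    }
    { print }
    END { flush() }
  '
}

# Constructed sample, modelled on the Loki StatefulSet from the post (not the real file).
SAMPLE_STATEFULSET='apiVersion: apps/v1
kind: StatefulSet
metadata:
  name: loki
spec:
  serviceName: loki-headless
  template:
    spec:
      containers:
        - name: loki
  volumeClaimTemplates:
    - apiVersion: v1
      kind: PersistentVolumeClaim
      metadata:
        name: storage
      spec:
        accessModes:
          - ReadWriteOnce
        resources:
          requests:
            storage: "10Gi"'

# Stand-alone usage against the upstream manifest (needs network and cluster access):
#   curl -sL https://raw.githubusercontent.com/istio/istio/release-1.22/samples/addons/loki.yaml \
#     | add_storage_class gp3-storage-class | kubectl apply -f -
# Offline demonstration on the constructed sample:
#   printf '%s\n' "$SAMPLE_STATEFULSET" | add_storage_class gp3-storage-class
```

The `template.spec` of the pod is left alone because it sits outside the `volumeClaimTemplates` block, and running the script twice does not add a second key, so it is safe to keep in a deployment pipeline.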

3. After installation you can open the Kiali service in k8s Lens and port forward it so the service can be reached from your local machine.

【Remove Istio from EKS】

To remove Istio from EKS, run the following commands:

istioctl uninstall --purge
kubectl delete namespace istio-system

【Deploy phpMyAdmin】

1. Create the namespace
kubectl create namespace phpmyadmin

2. Label the phpmyadmin namespace so that Istio automatically injects the istio sidecar container into every pod

kubectl label namespace phpmyadmin istio-injection=enabled

3. Deploy the Deployment

apiVersion: apps/v1
kind: Deployment
metadata:
  namespace: phpmyadmin
  name: phpmyadmin-deployment
  labels:
    app: phpmyadmin
spec:
  replicas: 1
  selector:
    matchLabels:
      app: phpmyadmin_app
  template:
    metadata:
      labels:
        app: phpmyadmin_app
    spec:
      containers:
        - name: phpmyadmin
          image: phpmyadmin:latest
          imagePullPolicy: Always
          ports:
            - containerPort: 80
          env:
            - name: PMA_HOST
              value: <your RDS host>
            - name: PMA_PORT
              value: "3306"
            - name: UPLOAD_LIMIT
              value: 2000M

4. Deploy the Service

apiVersion: v1
kind: Service
metadata:
  namespace: phpmyadmin
  name: phpmyadmin-service
spec:
  selector:
    app: phpmyadmin_app
  ports:
    - name: "phpmyadmin80"
      protocol: TCP
      port: 80
      targetPort: 80
  clusterIP: None

5. Deploy the VirtualService
– A VirtualService is an Istio component. Some of its features resemble a Kubernetes Ingress: both can route a path or host to a specific service
– A VirtualService supports more features and is geared towards service-mesh use, with more complex traffic-management policies such as retries, fault injection and weighted routing
– Reference: https://istio.whuanle.cn/4.1.vs.html
– The gateways field below selects the my-gateway component
– All traffic is routed to the phpmyadmin-service service in the phpmyadmin namespace

apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
  name: my-virtualservice
  namespace: phpmyadmin
spec:
  hosts:
    - "ss.pangzai.win"  # Replace with your host name or '*'
  gateways:
    - my-gateway     # Reference the name of your Gateway
  http:
    - match:
        - uri:
            prefix: "/"
      route:
        - destination:
            host: phpmyadmin-service.phpmyadmin.svc.cluster.local  # Replace with your service FQDN
            port:
              number: 80  # Replace with your service port number

6. Deploy the Gateway
– Port 80 redirects to port 443
– The selector targets the istio ingress gateway Service (created when Istio was installed at the beginning)
– Port 443 is declared with protocol HTTP because TLS is terminated on the NLB with the ACM certificate (the ssl-cert and ssl-ports annotations set at install time); the gateway pod receives the decrypted traffic as plain HTTP

apiVersion: networking.istio.io/v1alpha3
kind: Gateway
metadata:
  name: my-gateway
  namespace: phpmyadmin
spec:
  selector:
    istio: ingressgateway
  servers:
  - port:
      number: 80
      name: http
      protocol: HTTP
    hosts:
    - "ss.pangzai.win"
    tls:
      httpsRedirect: true # sends 301 redirect for http requests
  - port:
      number: 443
      name: https-443
      protocol: HTTP
    hosts:
    - "ss.pangzai.win"
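A post-deployment check for the Gateway above, added here as an example and not part of the original post. With TLS terminated on the NLB and the 443 server declared as plain HTTP, the two things worth verifying from outside are that port 80 answers with a 301 to the https:// URL of the same host (the httpsRedirect setting) and that the https URL returns the application. The parsers work on captured response headers so the check runs offline; the sample responses are constructed, the host name is the one used in the post's manifests, and the function names are assumptions.

```shell
#!/bin/sh
# Added example (not from the original post): verify the http -> https redirect
# and the https response of the Istio ingress gateway from captured headers.

# Constructed sample of `curl -sI http://ss.pangzai.win/` (CRLF endings, as curl prints them).
SAMPLE_HTTP_HEADERS=$(printf 'HTTP/1.1 301 Moved Permanently\r\nlocation: https://ss.pangzai.win/\r\nserver: istio-envoy\r\ncontent-length: 0\r\n')
# Constructed sample of `curl -sI https://ss.pangzai.win/`.
SAMPLE_HTTPS_HEADERS=$(printf 'HTTP/2 200\r\ncontent-type: text/html; charset=utf-8\r\nserver: istio-envoy\r\n')

# Status code from the first line of a header capture ("HTTP/1.1 301 ..." -> 301).
status_code() {
  printf '%s\n' "$1" | tr -d '\r' | head -n 1 | awk '{ print $2 }'
}

# Value of the Location header (header names are matched case-insensitively;
# Envoy sends them lower-cased), empty if absent.
location_header() {
  printf '%s\n' "$1" | tr -d '\r' | awk -F': ' 'tolower($1) == "location" { print $2; exit }'
}

# 0 if the headers in $1 are a 301 whose Location is https://<$2>/...
is_https_redirect() {
  [ "$(status_code "$1")" = "301" ] || return 1
  case "$(location_header "$1")" in
    "https://$2/"*) return 0 ;;
    *) return 1 ;;
  esac
}

# $1 = headers from the http URL, $2 = headers from the https URL, $3 = host.
# Returns 0 only when port 80 redirects to https and https serves a 200.
check_gateway_responses() {
  is_https_redirect "$1" "$3" || { echo "port 80 did not redirect to https://$3/" >&2; return 1; }
  [ "$(status_code "$2")" = "200" ] || { echo "https://$3/ did not return 200" >&2; return 1; }
  echo "gateway ok: http redirects to https, https serves the application"
}

# Live usage once the NLB and DNS record exist:
#   GATEWAY_HOST=ss.pangzai.win sh gateway-check.sh
if [ -n "${GATEWAY_HOST:-}" ]; then
  check_gateway_responses "$(curl -sI "http://$GATEWAY_HOST/")" \
                          "$(curl -sI "https://$GATEWAY_HOST/")" "$GATEWAY_HOST"
fi
```

The https request is made without disabling certificate verification on purpose: if curl rejects the certificate, the ACM certificate attached to the NLB does not cover the host in the Gateway, which is exactly the misconfiguration this check should catch.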
