(2) -- Installing Istio and its companion components on OpenShift 3.11

1. Overview of the Red Hat OpenShift Service Mesh installation

Installing Red Hat OpenShift Service Mesh creates two separate projects (namespaces):

  • the istio-operator project (1 pod)

  • the istio-system project (17 pods)

You first need to create a Kubernetes operator. The operator defines and watches a custom resource, and is what deploys, upgrades and removes the Service Mesh components.

Depending on how you define that custom resource file, you can choose to install one or more of the following components when installing Service Mesh:

  • Istio - based on the open source Istio project; lets you connect, secure, control and observe the microservices that make up your application.

  • Jaeger - based on the open source Jaeger project; lets you monitor and troubleshoot transactions in a complex distributed system through distributed tracing.

  • Kiali - based on the open source Kiali project; Kiali provides observability for your Service Mesh, letting you configure it visually, monitor traffic and analyse traces.

  • Launcher - based on the open source fabric8 community; fabric8 is an open source integrated development platform that provides continuous delivery for microservices built on Kubernetes and Jenkins.

During the operator installation an Ansible job is created. The job starts an Ansible playbook, which performs the following steps automatically and configures each component:

1.1 Creates the istio-system namespace.

1.2 Creates openshift-ansible-istio-installer-job, which installs the following components:

Istio components: istio-citadel, istio-egressgateway, istio-galley, istio-ingressgateway, istio-pilot, istio-policy, istio-sidecar-injector, istio-statsd-prom-bridge, istio-telemetry

Elasticsearch

Grafana

Jaeger components: jaeger-agent, jaeger-collector, jaeger-query

Kiali components (only if Kiali is configured in the custom resource file): Kiali

Prometheus

1.3 Runs the launcher configuration tasks (only if the launcher is configured in the custom resource file):

1.3.1 Creates a devex project and installs the Fabric8 launcher into it.

1.3.2 Adds the cluster-admin role to the OpenShift Container Platform user named in the launcher parameters of the custom resource file.

2. Pre-installation preparation

2.1 For an offline installation, the images that have to be downloaded in advance are:

docker pull registry.access.redhat.com/openshift-istio-tech-preview/istio-operator:0.6.0
docker pull registry.access.redhat.com/openshift-istio-tech-preview/openshift-ansible:0.6.0
docker pull registry.access.redhat.com/openshift-istio-tech-preview/citadel:0.6.0
docker pull registry.access.redhat.com/openshift-istio-tech-preview/proxyv2:0.6.0
docker pull registry.access.redhat.com/openshift-istio-tech-preview/pilot:0.6.0
docker pull registry.access.redhat.com/openshift-istio-tech-preview/mixer:0.6.0
docker pull registry.access.redhat.com/openshift-istio-tech-preview/galley:0.6.0
docker pull registry.access.redhat.com/openshift-istio-tech-preview/sidecar-injector:0.6.0
docker pull registry.access.redhat.com/openshift-istio-tech-preview/proxy-init:0.6.0
docker pull registry.access.redhat.com/openshift-istio-tech-preview/kiali:0.11.0
docker pull registry.access.redhat.com/distributed-tracing-tech-preview/jaeger-elasticsearch:5.6.10
docker pull registry.access.redhat.com/distributed-tracing-tech-preview/jaeger-agent:1.8.1
docker pull registry.access.redhat.com/distributed-tracing-tech-preview/jaeger-collector:1.8.1
docker pull registry.access.redhat.com/distributed-tracing-tech-preview/jaeger-query:1.8.1
docker pull grafana/grafana:5.4.2
docker pull docker.io/prom/prometheus:v2.3.1

2.2 Update the configuration of every OpenShift node

2.2.1 On every machine, create a new file /etc/sysctl.d/99-elasticsearch.conf containing:

vm.max_map_count = 262144

2.2.2 Run the following command on every node:

$ sysctl vm.max_map_count=262144

3. Installing Service Mesh

3.1 Create the custom resource file

An istio-installation.yaml that includes all components:

apiVersion: "istio.openshift.com/v1alpha1"
kind: "Installation"
metadata:
  name: "istio-installation"
spec:
  deployment_type: openshift
  istio:
    authentication: true
    community: false
    prefix: openshift-istio-tech-preview/ # image prefix
    version: 0.6.0 # image tag
  jaeger:
    prefix: distributed-tracing-tech-preview/
    version: 1.8.1
    elasticsearch_memory: 1Gi
  kiali:
    username: username # login name for the Kiali console
    password: password # login password for the Kiali console
    prefix: openshift-istio-tech-preview/
    version: 0.11.0
  launcher: # remove this block when installing on an internal network
    openshift:
      user: user
      password: password
    github:
      username: username
      token: token
    catalog:
      filter: booster.mission.metadata.istio
      branch: v71
      repo: https://github.com/fabric8-launcher/launcher-booster-catalog.git

Note: when installing on an internal network, GitHub cannot be reached, so the launcher component can be left out; simply remove all launcher-related configuration from the custom resource file.

A minimal istio-installation.yaml:

apiVersion: "istio.openshift.com/v1alpha1"
kind: "Installation"
metadata:
  name: "istio-installation"

3.2 The operator and its template

The Service Mesh installation introduces a Kubernetes operator that manages the installation of the control plane in the istio-system namespace. The operator defines the custom resource it watches in order to deploy, update and remove the control plane.

istio_product_operator_template.yaml:

apiVersion: v1
kind: Template
metadata:
  name: istio-operator-job
parameters:
- displayName: Master Public URL
  description: The public URL for master
  name: OPENSHIFT_ISTIO_MASTER_PUBLIC_URL
  value: https://127.0.0.1:8443
- displayName: OpenShift Release
  description: The version of the OpenShift release.
  name: OPENSHIFT_RELEASE
  value: v3.11.0
  required: true
- displayName: Istio Operator Namespace
  description: The namespace for the Istio operator
  name: OPENSHIFT_ISTIO_OPERATOR_NAMESPACE
  value: istio-operator
  required: true
- displayName: Default Prefix
  description: The default image prefix for istio deployments
  name: OPENSHIFT_ISTIO_PREFIX
  value: openshift-istio-tech-preview/
- displayName: Default Version
  description: The default image version for istio deployments
  name: OPENSHIFT_ISTIO_VERSION
  value: 0.6.0
- displayName: Default Deployment Type
  description: The default deployment type for istio deployments
  name: OPENSHIFT_DEPLOYMENT_TYPE
  value: openshift
objects:
- kind: CustomResourceDefinition
  apiVersion: apiextensions.k8s.io/v1beta1
  metadata:
    name: installations.istio.openshift.com
  spec:
    group: istio.openshift.com
    names:
      kind: Installation
      plural: installations
      singular: installation
    scope: Namespaced
    version: v1alpha1
- kind: Role
  apiVersion: rbac.authorization.k8s.io/v1
  metadata:
    name: istio-operator
  rules:
  - apiGroups:
    - istio.openshift.com
    resources:
    - "*"
    verbs:
    - "*"
  - apiGroups:
    - ""
    resources:
    - pods
    - services
    - endpoints
    - persistentvolumeclaims
    - events
    - configmaps
    - secrets
    - securitycontextconstraints
    verbs:
    - "*"
  - apiGroups:
    - apps
    resources:
    - deployments
    - daemonsets
    - replicasets
    - statefulsets
    verbs:
    - "*"
- kind: RoleBinding
  apiVersion: rbac.authorization.k8s.io/v1
  metadata:
    name: default-account-istio-operator
  subjects:
  - kind: ServiceAccount
    namespace: ${OPENSHIFT_ISTIO_OPERATOR_NAMESPACE}
    name: default
  roleRef:
    kind: Role
    name: istio-operator
    apiGroup: rbac.authorization.k8s.io
- kind: ClusterRoleBinding
  apiVersion: rbac.authorization.k8s.io/v1
  metadata:
    name: default-account-istio-operator-cluster-role-binding
  subjects:
  - kind: ServiceAccount
    namespace: ${OPENSHIFT_ISTIO_OPERATOR_NAMESPACE}
    name: default
  roleRef:
    kind: ClusterRole
    name: cluster-admin
    apiGroup: rbac.authorization.k8s.io
- kind: Deployment
  apiVersion: apps/v1
  metadata:
    name: istio-operator
    namespace: ${OPENSHIFT_ISTIO_OPERATOR_NAMESPACE}
  spec:
    replicas: 1
    selector:
      matchLabels:
        name: istio-operator
    template:
      metadata:
        labels:
          name: istio-operator
      spec:
        containers:
          - name: istio-operator
            image: ${OPENSHIFT_ISTIO_PREFIX}istio-operator:${OPENSHIFT_ISTIO_VERSION}
            ports:
            - containerPort: 60000
              name: metrics
            command:
            - istio-operator
            args:
            - "--release=${OPENSHIFT_RELEASE}"
            - "--masterPublicURL=${OPENSHIFT_ISTIO_MASTER_PUBLIC_URL}"
            - "--istioPrefix=${OPENSHIFT_ISTIO_PREFIX}"
            - "--istioVersion=${OPENSHIFT_ISTIO_VERSION}"
            - "--deploymentType=${OPENSHIFT_DEPLOYMENT_TYPE}"
            imagePullPolicy: IfNotPresent
            env:
              - name: WATCH_NAMESPACE
                valueFrom:
                  fieldRef:
                    fieldPath: metadata.namespace
              - name: OPERATOR_NAME
                value: "istio-operator"

3.3 Install the operator

The following commands install the Service Mesh operator into OpenShift Container Platform. Run them on any node of the cluster:

$ oc new-project istio-operator
$ oc new-app -f istio_product_operator_template.yaml --param=OPENSHIFT_ISTIO_MASTER_PUBLIC_URL=<master public url>

3.4 Verify that the operator was installed

The previous commands created a deployment resource in the istio-operator project and started the operator, which manages the state of the Red Hat OpenShift Service Mesh control plane through the custom resource.

To verify that the operator was installed correctly, run the following command and inspect its log:

$ oc logs -n istio-operator $(oc -n istio-operator get pods -l name=istio-operator --output=jsonpath={.items..metadata.name})

If the command produces output similar to the following, the installation is correct:

time="2018-08-31T17:42:39Z" level=info msg="Go Version: go1.9.4"
time="2018-08-31T17:42:39Z" level=info msg="Go OS/Arch: linux/amd64"
time="2018-08-31T17:42:39Z" level=info msg="operator-sdk Version: 0.0.5+git"
time="2018-08-31T17:42:39Z" level=info msg="Metrics service istio-operator created"
time="2018-08-31T17:42:39Z" level=info msg="Watching resource istio.openshift.com/v1alpha1, kind Installation, namespace istio-operator, resyncPeriod 0"
time="2018-08-31T17:42:39Z" level=info msg="Installing istio for Installation istio-installation"

3.5 Deploy the control plane

$ oc create -f istio-installation.yaml -n istio-operator # istio-installation.yaml as shown above

Watch the state of the pods while the installation runs:

$ oc get pods -n istio-system -w

3.6 Verify the control plane installation

$ oc get pods -n istio-system

If the output matches the following, the installation succeeded:

NAME                                          READY     STATUS      RESTARTS   AGE
elasticsearch-0                               1/1       Running     0          2m
grafana-6d5c5477-k7wrh                        1/1       Running     0          2m
istio-citadel-6f9c778bb6-q9tg9                1/1       Running     0          3m
istio-egressgateway-957857444-2g84h           1/1       Running     0          3m
istio-galley-c47f5dffc-dm27s                  1/1       Running     0          3m
istio-ingressgateway-7db86747b7-s2dv9         1/1       Running     0          3m
istio-pilot-5646d7786b-rh54p                  2/2       Running     0          3m
istio-policy-7d694596c6-pfdzt                 2/2       Running     0          3m
istio-sidecar-injector-57466d9bb-4cjrs        1/1       Running     0          3m
istio-statsd-prom-bridge-7f44bb5ddb-6vx7n     1/1       Running     0          3m
istio-telemetry-7cf7b4b77c-p8m2k              2/2       Running     0          3m
jaeger-agent-5mswn                            1/1       Running     0          2m
jaeger-collector-9c9f8bc66-j7kjv              1/1       Running     0          2m
jaeger-query-fdc6dcd74-99pnx                  1/1       Running     0          2m
kiali-779bcc566f-qqt65                        1/1       Running     0          2m
openshift-ansible-istio-installer-job-f8n9g   0/1       Completed   0          7m
prometheus-84bd4b9796-2vcpc                   1/1       Running     0          3m

If the launcher was configured in the custom resource file, listing the pods in the devex project shows the following:

$ oc get pods -n devex
NAME                          READY     STATUS    RESTARTS   AGE
configmapcontroller-1-8rr6w   1/1       Running   0          1m
launcher-backend-2-2wg86      1/1       Running   0          1m
launcher-frontend-2-jxjsd     1/1       Running   0          1m

4. Requirements for deploying applications on OpenShift Service Mesh

4.1 Configure SCCs (Security Context Constraints) for the application's service account

oc adm policy add-scc-to-user anyuid -z <service account> -n <namespace>
oc adm policy add-scc-to-user privileged -z <service account> -n <namespace>
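Both grants widen what pods running under that service account may do: anyuid lifts the random-UID assignment and privileged allows privileged containers, which the sidecar's init container needs in order to rewrite the pod's iptables rules. Together with the cluster-admin binding the operator template gives the istio-operator project's default service account, these are the grants a reviewer should keep an eye on. As an added example that is not part of the original post, the following shell audit takes the subject list of the privileged SCC (in a live cluster: `oc get scc privileged -o jsonpath='{.users[*]}'`) and flags every subject missing from an allowlist; the subject list and allowlist below are constructed.

```shell
# Added example (not from the original post). Audits who holds the "privileged"
# SCC against an allowlist and prints every subject that is not expected.
# Live input:  oc get scc privileged -o jsonpath='{.users[*]}'
# The sample below is constructed to stand in for that output.

SAMPLE_SCC_USERS="system:admin system:serviceaccount:openshift-infra:build-controller system:serviceaccount:bookinfo:default system:serviceaccount:scratch:default"

# Expected holders, one per line (constructed). Anything else is reported.
ALLOWLIST="system:admin
system:serviceaccount:openshift-infra:build-controller
system:serviceaccount:bookinfo:default"

# audit_scc_users <space-separated subjects> <newline-separated allowlist>
# Prints unexpected subjects, one per line; returns 1 if any were found.
audit_scc_users() {
  found=0
  for subject in $1; do
    # -x: whole-line match, -F: literal string, so "bookinfo:default" cannot
    # accidentally match "bookinfo:default-extra".
    if ! printf '%s\n' "$2" | grep -qxF -- "$subject"; then
      printf '%s\n' "$subject"
      found=1
    fi
  done
  return $found
}

if audit_scc_users "$SAMPLE_SCC_USERS" "$ALLOWLIST"; then
  echo "privileged SCC: only expected subjects hold it"
else
  echo "privileged SCC: unexpected subjects listed above"
fi
```

The same function works for the anyuid SCC by swapping the input list.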

4.2 Update the configuration of the OpenShift master nodes

Make sure the following steps are performed on every OpenShift Container Platform master node:

4.2.1 Change to the directory containing the master configuration file (for example, /etc/origin/master/master-config.yaml).

$ cd /etc/origin/master

4.2.2 Create master-config.patch with the following content:

admissionConfig:
  pluginConfig:
    MutatingAdmissionWebhook:
      configuration:
        apiVersion: apiserver.config.k8s.io/v1alpha1
        kubeConfigFile: /dev/null
        kind: WebhookAdmission
    ValidatingAdmissionWebhook:
      configuration:
        apiVersion: apiserver.config.k8s.io/v1alpha1
        kubeConfigFile: /dev/null
        kind: WebhookAdmission

4.2.3 In that directory, run the following commands to patch master-config.yaml:

$ cp -p master-config.yaml master-config.yaml.prepatch
$ oc ex config patch master-config.yaml.prepatch -p "$(cat master-config.patch)" > master-config.yaml
$ /usr/local/bin/master-restart api && /usr/local/bin/master-restart controllers

4.3 How to configure automatic sidecar injection for an application

It is quite simple: in the application's deployment YAML, add the sidecar.istio.io/inject annotation and set it to true.

For example:

apiVersion: extensions/v1beta1
kind: Deployment
metadata:
  name: sleep
spec:
  replicas: 1
  template:
    metadata:
      annotations:
        sidecar.istio.io/inject: "true"
      labels:
        app: sleep
    spec:
      containers:
      - name: sleep
        image: tutum/curl
        command: ["/bin/sleep","infinity"]
        imagePullPolicy: IfNotPresent
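Once the deployment is created, a pod that received the sidecar shows READY 2/2, just as istio-pilot, istio-policy and istio-telemetry do in the istio-system listing above. A pod that was not injected still runs, but sits outside the mesh's mTLS and policy enforcement, so it is worth checking for. As an added example that is not part of the original post, the following shell check reports pods with no istio-proxy container, given the output of the jsonpath query in the comment; the pod listing below is constructed.

```shell
# Added example (not from the original post). Reports pods in a mesh namespace
# whose spec has no istio-proxy container, i.e. workloads the injector skipped.
# Live input:
#   oc get pods -n <namespace> -o jsonpath='{range .items[*]}{.metadata.name}{" "}{.spec.containers[*].name}{"\n"}{end}'
# The sample below is constructed to mimic that output: pod name, then container names.

SAMPLE_PODS="sleep-6b9c8d7f5-x2k4q sleep istio-proxy
ratings-v1-5d8f7c9b6-q9z1w ratings
details-v1-7c8b6f9d4-m3n7p details istio-proxy"

# pods_missing_sidecar <listing>
# Field 1 is the pod name; fields 2..NF are its container names. Starting the
# scan at field 2 keeps a pod that happens to be named istio-proxy-* from
# masking a missing sidecar.
pods_missing_sidecar() {
  printf '%s\n' "$1" | awk '
    NF > 0 {
      has_proxy = 0
      for (i = 2; i <= NF; i++) if ($i == "istio-proxy") has_proxy = 1
      if (!has_proxy) print $1
    }'
}

missing=$(pods_missing_sidecar "$SAMPLE_PODS")
if [ -n "$missing" ]; then
  printf 'pods without the istio-proxy sidecar:\n%s\n' "$missing"
else
  echo "all pods carry the istio-proxy sidecar"
fi
```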

This concludes the steps for installing Istio and its companion components on OpenShift 3.11. The next chapter covers installing the Service Mesh sample project, bookInfo.

Reference: https://docs.openshift.com/container-platform/3.11/servicemesh-install/servicemesh-install.html
