下載istio - HackMD

# 下載istio ``` curl -L https://istio.io/downloadIstio | sh - ``` # 建立ns與權證 ``` cd <istio 資料夾>mkdir -p certs cd certs make -f ../tools/certs/Makefile.selfsigned.mk root-ca make -f ../tools/certs/Makefile.selfsigned.mk cluster1-cacerts make -f ../tools/certs/Makefile.selfsigned.mk cluster2-cacerts kubectl create namespace istio-system --context cluster1 kubectl create secret generic cacerts -n istio-system --context cluster1 \ --from-file=../certs/cluster1/ca-cert.pem \ --from-file=../certs/cluster1/ca-key.pem \ --from-file=../certs/cluster1/root-cert.pem \ --from-file=../certs/cluster1/cert-chain.pem kubectl create namespace istio-system --context cluster2 kubectl create secret generic cacerts -n istio-system --context cluster2 \ --from-file=../certs/cluster2/ca-cert.pem \ --from-file=../certs/cluster2/ca-key.pem \ --from-file=../certs/cluster2/root-cert.pem \ --from-file=../certs/cluster2/cert-chain.pem ``` # route 設定 ``` 集群1 master= 10.135.80.10 fog1= 10.135.80.1 fog2= 10.135.80.3 sv-cidr= 10.96.0.0/16 master-cidr= 10.244.97.64/26 fog1-cidr= 10.244.43.0/26 fog2-cidr= 10.244.70.128/26 ================================= 集群1內的所有機器需要設定route指定到集群2中 route add -net 10.245.8.128 netmask 255.255.255.192 gw 10.135.80.11 route add -net 10.245.71.192 netmask 255.255.255.192 gw 10.135.80.5 route add -net 10.245.104.64 netmask 255.255.255.192 gw 10.135.80.7 route add -net 10.97.0.0 netmask 255.255.0.0 gw 10.135.80.11 ``` ``` 集群2 master= 10.135.80.11 fog1= 10.135.80.5 fog2= 10.135.80.7 sv-cidr= 10.97.0.0/16 master-cidr= 10.245.8.128/26 fog1-cidr= 10.245.71.192/26 fog2-cidr= 10.245.104.64/26 ================================= 集群2內的所有機器需要設定route指定到集群1中 route add -net 10.244.97.64 netmask 255.255.255.192 gw 10.135.80.10 route add -net 10.244.43.0 netmask 255.255.255.192 gw 10.135.80.1 route add -net 10.244.70.128 netmask 255.255.255.192 gw 10.135.80.3 route add -net 10.96.0.0 netmask 255.255.0.0 gw 10.135.80.10 ``` # 正式安裝 ``` 先前指定 export CTX_CLUSTER1=$(kubectl config view -o jsonpath='{.contexts[0].name}') export CTX_CLUSTER2=$(kubectl config view -o jsonpath='{.contexts[1].name}') export PATH=$PWD/bin:$PATH ``` # istio正式安裝 ## cluster1.yaml ``` apiVersion: install.istio.io/v1alpha1 kind: IstioOperator spec: values: global: meshID: mesh1 multiCluster: clusterName: cluster1 network: network1 meshConfig: accessLogFile: /dev/stdout enableTracing: true defaultConfig: proxyMetadata: ISTIO_META_DNS_CAPTURE: "true" ISTIO_META_DNS_AUTO_ALLOCATE: "true" components: egressGateways: - name: istio-egressgateway enabled: true ``` ## cluster2.yaml ``` apiVersion: install.istio.io/v1alpha1 kind: IstioOperator spec: values: global: meshID: mesh1 multiCluster: clusterName: cluster2 network: network1 meshConfig: accessLogFile: /dev/stdout enableTracing: true defaultConfig: proxyMetadata: ISTIO_META_DNS_CAPTURE: "true" ISTIO_META_DNS_AUTO_ALLOCATE: "true" components: egressGateways: - name: istio-egressgateway enabled: true ``` ## 工作集群的安裝 ``` istioctl install --context="${CTX_CLUSTER1}" -f cluster1.yaml istioctl install --context="${CTX_CLUSTER2}" -f cluster2.yaml ``` # istio 開啟遠程端點 ``` istioctl create-remote-secret \ --context="${CTX_CLUSTER1}" \ --name=cluster1 | \ kubectl apply -f - --context="${CTX_CLUSTER2}" istioctl create-remote-secret \ --context="${CTX_CLUSTER2}" \ --name=cluster2 | \ kubectl apply -f - --context="${CTX_CLUSTER1}" ``` # 驗證方法 ``` https://ithelp.ithome.com.tw/m/articles/10289718 ``` # 測試方法 ``` #確認endpoint istioctl ps --context <集群名稱> istioctl pc endpoint <ingress or egress name> --context <集群名稱> ```