OpenShift 4.2 Service Mesh


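1. Differences from community Istio

Beyond productization, Service Mesh in OpenShift 4.2 adds enhancements over the upstream Istio project. Quoting the official documentation, the differences are: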

Red Hat OpenShift Service Mesh differs from Istio in ways that help resolve issues, provide additional features, and ease deployment on OpenShift Container Platform. An installation of Red Hat OpenShift Service Mesh differs from upstream Istio community installations in multiple ways:

  • OpenShift Service Mesh installs a multi-tenant control plane by default

  • OpenShift Service Mesh extends Role Based Access Control (RBAC) features

  • OpenShift Service Mesh replaces BoringSSL with OpenSSL

  • Kiali and Jaeger are enabled by default in OpenShift Service Mesh

 

For the architecture and features of Istio multi-tenancy, see:

https://blog.openshift.com/istio-multicluster-on-openshift/

 

2. Architecture

 

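The function of each module is not repeated here.

3. Installation and deployment

  • Deploy Service Mesh from OperatorHub. The deployment order is: Elasticsearch Operator -> Jaeger Operator -> Kiali Operator -> OpenShift Service Mesh Operator -> OpenShift Service Mesh Control Plane

For details, see: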

https://docs.openshift.com/container-platform/4.2/service_mesh/service_mesh_install/installing-ossm.html

  • After the control plane is deployed, the following Pods are created under istio-system:
[root@clientvm 0 ~]# oc get pods -n istio-system
NAME                                      READY   STATUS    RESTARTS   AGE
grafana-b67df64b6-2kp7h                   2/2     Running   0          2d23h
istio-citadel-79979464d-kxpxw             1/1     Running   0          2d23h
istio-egressgateway-7d897695c4-c868b      1/1     Running   0          2d23h
istio-galley-6bb46858c5-pf476             1/1     Running   0          2d23h
istio-ingressgateway-8465bbf788-j9jgk     1/1     Running   0          2d23h
istio-pilot-54b65495c4-4tg6m              2/2     Running   0          2d23h
istio-policy-5fc74b8697-mk85l             2/2     Running   0          2d23h
istio-sidecar-injector-65cd4c8c6f-cnp5t   1/1     Running   0          2d23h
istio-telemetry-69cb778b9-qlpqj           2/2     Running   0          2d23h
jaeger-57776787bc-ljls5                   2/2     Running   0          2d23h
kiali-6d6f9cf658-kzdwf                    1/1     Running   0          2d1h
prometheus-b8bdc6b77-rbxzs                2/2     Running   0          2d23h

and the following services:

[root@clientvm 0 ~]# oc get svc -n istio-system
NAME                        TYPE        CLUSTER-IP       EXTERNAL-IP   PORT(S)                                  AGE
grafana                     ClusterIP   172.30.124.97    <none>        3000/TCP                                 2d23h
istio-citadel               ClusterIP   172.30.122.114   <none>        8060/TCP,15014/TCP                       2d23h
istio-egressgateway         ClusterIP   172.30.60.175    <none>        80/TCP,443/TCP,15443/TCP                 2d23h
istio-galley                ClusterIP   172.30.167.213   <none>        443/TCP,15014/TCP,9901/TCP               2d23h
istio-ingressgateway        ClusterIP   172.30.221.247   <none>        15020/TCP,80/TCP,443/TCP,15443/TCP       2d23h
istio-pilot                 ClusterIP   172.30.19.129    <none>        15010/TCP,15011/TCP,8080/TCP,15014/TCP   2d23h
istio-policy                ClusterIP   172.30.99.48     <none>        9091/TCP,15004/TCP,15014/TCP             2d23h
istio-sidecar-injector      ClusterIP   172.30.102.34    <none>        443/TCP                                  2d23h
istio-telemetry             ClusterIP   172.30.229.205   <none>        9091/TCP,15004/TCP,15014/TCP,42422/TCP   2d23h
jaeger-agent                ClusterIP   None             <none>        5775/TCP,5778/TCP,6831/TCP,6832/TCP      2d23h
jaeger-collector            ClusterIP   172.30.66.202    <none>        9411/TCP,14250/TCP,14267/TCP,14268/TCP   2d23h
jaeger-collector-headless   ClusterIP   None             <none>        9411/TCP,14250/TCP,14267/TCP,14268/TCP   2d23h
jaeger-query                ClusterIP   172.30.84.61     <none>        443/TCP                                  2d23h
kiali                       NodePort    172.30.55.80     <none>        20001:31380/TCP                          2d23h
prometheus                  ClusterIP   172.30.122.232   <none>        9090/TCP                                 2d23h
zipkin                      ClusterIP   172.30.189.90    <none>        9411/TCP                                 2d23h

View the externally exposed routes:

[root@clientvm 0 ~]# oc get route -n istio-system
NAME                   HOST/PORT                                                                    PATH   SERVICES               PORT    TERMINATION   WILDCARD
grafana                grafana-istio-system.apps.cluster-4674.sandbox580.opentlc.com                       grafana                <all>   reencrypt     None
istio-ingressgateway   istio-ingressgateway-istio-system.apps.cluster-4674.sandbox580.opentlc.com          istio-ingressgateway   8080                  None
jaeger                 jaeger-istio-system.apps.cluster-4674.sandbox580.opentlc.com                        jaeger-query           <all>   reencrypt     None
kiali                  kiali-istio-system.apps.cluster-4674.sandbox580.opentlc.com                         kiali                  <all>   reencrypt     None
prometheus             prometheus-istio-system.apps.cluster-4674.sandbox580.opentlc.com                    prometheus             <all>   reencrypt     None

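Note that the istio-ingressgateway route is the route that OpenShift Service Mesh exposes for external access. In other words, calls enter the service mesh through this single link.

Operator-based installation and deployment does make the whole process much more convenient, but it also hides many details of the architecture, so what we need to do is understand the architecture better.

4. Usage

After deploying the sample bookinfo project, deploy a simple Tomcat service of your own.

Log in to the Kiali Console. Under myproject you can see the state of mytomcat.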

 

Open Istio Config and view the contents of the VirtualService mytomcat.

 

 

 

 

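Then I tried to access it and found it was unreachable. The original idea was that if the URI is /mytomcat, the request would be routed to the mytomcat service, but the result was: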

 

Troubleshooting showed that it was a path problem in the VirtualService. (Because I was unfamiliar with the architecture, it cost me 4 or 5 hours...)

kind: VirtualService
apiVersion: networking.istio.io/v1alpha3
metadata:
  name: mytomcat
  namespace: myproject
  selfLink: >-
    /apis/networking.istio.io/v1alpha3/namespaces/myproject/virtualservices/mytomcat
  uid: 834c4724-0812-11ea-b3a1-0a1bba0ac472
  resourceVersion: '1631674'
  generation: 8
  creationTimestamp: '2019-11-16T01:43:39Z'
spec:
  hosts:
    - '*'
  gateways:
    - mytomcat-gateway
  http:
    - match:
        - uri:
            exact: /
      route:
        - destination:
            host: mytomcat
            port:
              number: 8080

Note the uri setting: the gateway appends the uri, here /, to the path of your service. If you enter mytomcat, the path actually requested is http://mytomcat:8080/mytomcat, and the application is not found.
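An added example (not from the original post) of the routing the author first intended, where /mytomcat on the gateway reaches the application's root: the non-working match is shown in comments beside a variant that uses the VirtualService `rewrite` field, with `hosts` narrowed from '*' to the route hostname listed above. The resource name mytomcat-prefixed and the exact form of the first attempt are assumptions, as is mytomcat-gateway accepting that hostname.

```yaml
# Added example, not the author's configuration.
#
# (a) First attempt as described in the post (exact form assumed): the matched
#     URI is forwarded unchanged, so the backend is asked for
#     http://mytomcat:8080/mytomcat and the application is not found.
#   http:
#     - match:
#         - uri:
#             exact: /mytomcat
#       route:
#         - destination: {host: mytomcat, port: {number: 8080}}
#
# (b) Variant that strips the prefix before forwarding.
apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
  name: mytomcat-prefixed          # hypothetical name
  namespace: myproject
spec:
  hosts:
    # Answer only for the ingress route's hostname instead of '*'.
    - istio-ingressgateway-istio-system.apps.cluster-4674.sandbox580.opentlc.com
  gateways:
    - mytomcat-gateway
  http:
    - match:
        # /mytomcat/<rest> is forwarded as /<rest>. The trailing slash keeps
        # the rewrite from producing a double slash.
        - uri:
            prefix: /mytomcat/
        # The bare /mytomcat is forwarded as /.
        - uri:
            exact: /mytomcat
      rewrite:
        uri: /
      route:
        - destination:
            host: mytomcat
            port:
              number: 8080
# Note: "exact: /" in the post's VirtualService matches the root path only;
# any other request path is not routed by that rule. Links the application
# emits with absolute paths are not rewritten and will miss rule (b) as well.
```

The route listing earlier on the page shows no TLS termination for istio-ingressgateway, unlike the reencrypt routes for Grafana, Jaeger, Kiali and Prometheus, so requests to this hostname reach the gateway over plain HTTP.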

 

Access http://istio-ingressgateway-istio-system.apps.cluster-4674.sandbox580.opentlc.com/ again, that is, the root path.

 

The images did not show up. :(

 

