Azure Kubernetes - Setup Istio with both Ingress & Egress Gateway?

I am planning to install Istio on my AKS cluster with the following configuration. Which components will this install? Will it install both the ingress and egress gateways?

istioctl operator init

kubectl create ns istio-system

cat << EOF | kubectl apply -f -
apiVersion: install.istio.io/v1alpha1
kind: IstioOperator
metadata:
  namespace: istio-system
  name: istio-control-plane
spec:
  # Use the default profile as the base
  # More details at: https://istio.io/docs/setup/additional-setup/config-profiles/
  profile: default
  # Enable the addons that we will want to use
  addonComponents:
    grafana:
      enabled: true
    prometheus:
      enabled: true
    tracing:
      enabled: true
    kiali:
      enabled: true
  values:
    global:
      # Ensure that the Istio pods are only scheduled to run on Linux nodes
      defaultNodeSelector:
        beta.kubernetes.io/os: linux
    kiali:
      dashboard:
        auth:
          strategy: anonymous
EOF

The istio operator manifest in your question will not install the egress gateway. It is based on the default profile, which according to the istio documentation you can inspect with istioctl profile dump:

default: enables components according to the default settings of the IstioOperator API. This profile is recommended for production deployments and for primary clusters in a multicluster mesh. You can display the default setting by running the command istioctl profile dump.

To install an egress gateway using IstioOperator, follow these steps from the istio documentation:

Configure gateways

Gateways are a special type of component, since multiple ingress and egress gateways can be defined. In the IstioOperator API, gateways are defined as a list type. The default profile installs one ingress gateway, called istio-ingressgateway. You can inspect the default values for this gateway:

istioctl profile dump --config-path components.ingressGateways
istioctl profile dump --config-path values.gateways.istio-ingressgateway

These commands show both the IstioOperator and Helm settings for the gateway, which are used together to define the generated gateway resources. The built-in gateways can be customized just like any other component.

From 1.7 onward, the gateway name must always be specified when overlaying. Not specifying any name no longer defaults to istio-ingressgateway or istio-egressgateway.

A new user gateway can be created by adding a new list entry:

apiVersion: install.istio.io/v1alpha1
kind: IstioOperator
spec:
  components:
    ingressGateways:
      - name: istio-ingressgateway
        enabled: true
      - namespace: user-ingressgateway-ns
        name: ilb-gateway
        enabled: true
        k8s:
          resources:
            requests:
              cpu: 200m
          serviceAnnotations:
            cloud.google.com/load-balancer-type: "internal"
          service:
            ports:
            - port: 8060
              targetPort: 8060
              name: tcp-citadel-grpc-tls
            - port: 5353
              name: tcp-dns

Note that Helm values (spec.values.gateways.istio-ingressgateway/egressgateway) are shared by all ingress/egress gateways. If these must be customized per gateway, it is recommended to use a separate IstioOperator CR to generate a manifest for the user gateways, separate from the main Istio installation:

apiVersion: install.istio.io/v1alpha1
kind: IstioOperator
spec:
  profile: empty
  components:
    ingressGateways:
      - name: ilb-gateway
        namespace: user-ingressgateway-ns
        enabled: true
        # Copy settings from istio-ingressgateway as needed.
  values:
    gateways:
      istio-ingressgateway:
        debug: error

More information about installing istio on AKS can be found here

I used the following configuration to set up both the ingress and egress gateways.

cat << EOF | kubectl apply -f -
apiVersion: install.istio.io/v1alpha1
kind: IstioOperator
metadata:
  namespace: istio-system
  name: istio-control-plane
spec:
  # Use the default profile as the base
  # More details at: https://istio.io/docs/setup/additional-setup/config-profiles/
  profile: default
  # Enable the addons that we will want to use
  addonComponents:
    grafana:
      enabled: true
    prometheus:
      enabled: true
    tracing:
      enabled: true
    kiali:
      enabled: true
  values:
    global:
      # Ensure that the Istio pods are only scheduled to run on Linux nodes
      defaultNodeSelector:
        beta.kubernetes.io/os: linux
    kiali:
      dashboard:
        auth:
          strategy: anonymous
  components:
    egressGateways:
    - name: istio-egressgateway
      enabled: true
EOF
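As an added example (not code from the question or either answer), the following script resolves which gateways an IstioOperator spec will end up installing, so you can confirm an egress gateway is present before relying on it to control outbound mesh traffic. It models only the default and empty profiles from the docs quoted above, represents the manifests as dicts constructed from the YAML on this page, and assumes a gateway entry with no enabled field is not installed.

```python
# Added example, not part of the original page. The profile table below is a
# small model constructed from the quoted istio docs, not output of
# `istioctl profile dump`; only the default and empty profiles are covered.
from typing import Dict, List

# Gateways each profile enables before the CR's components list is overlaid:
# default installs one ingress gateway and no egress gateway; empty installs none.
PROFILE_GATEWAYS = {
    "default": {"ingressGateways": ["istio-ingressgateway"], "egressGateways": []},
    "empty": {"ingressGateways": [], "egressGateways": []},
}


def resolve_gateways(spec: dict) -> Dict[str, List[str]]:
    """Return the ingress/egress gateway names the spec enables.

    Entries under spec.components.<kind> overlay the profile list by name:
    enabled: true adds (or keeps) a gateway, enabled: false removes it.
    From Istio 1.7 an entry without a name is rejected instead of defaulting.
    Assumption: an entry with no enabled field is treated as not enabled.
    """
    profile = spec.get("profile", "default")
    if profile not in PROFILE_GATEWAYS:
        raise ValueError(f"profile {profile!r} is not modelled here")
    result = {kind: list(names) for kind, names in PROFILE_GATEWAYS[profile].items()}
    components = spec.get("components") or {}
    for kind in ("ingressGateways", "egressGateways"):
        for entry in components.get(kind) or []:
            name = entry.get("name")
            if not name:
                raise ValueError(f"{kind} entry has no name; required since Istio 1.7")
            if entry.get("enabled", False):
                if name not in result[kind]:
                    result[kind].append(name)
            elif name in result[kind]:
                result[kind].remove(name)
    return result


# Constructed from the two manifests on this page: the question's (no
# components block, addons only) and the second answer's (adds an egress gateway).
QUESTION_SPEC = {"profile": "default", "addonComponents": {"grafana": {"enabled": True}}}
ANSWER_SPEC = {"profile": "default",
               "components": {"egressGateways": [{"name": "istio-egressgateway", "enabled": True}]}}

if __name__ == "__main__":
    for label, spec in (("question", QUESTION_SPEC), ("answer", ANSWER_SPEC)):
        print(label, resolve_gateways(spec))
```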