Istio install with updated configs doesn't delete Prometheus ServiceMonitor objects

I configured an external Prometheus for Istio (version 1.16.3), and, following the discussion in this issue, I configured the Prometheus ServiceMonitor objects using the built-in Prometheus operator: https://github.com/istio/istio/issues/21187

This works fine for the most part, except that I noticed kubernetes-services-secure-monitor and kubernetes-pods-secure-monitor were also created, and this causes Prometheus to throw a certificate not found error, as expected, since I did not set those up.

level=error ts=2020-07-06T03:43:33.464Z caller=manager.go:188 component="scrape manager" msg="error creating new scrape pool" err="error creating HTTP client: unable to load specified CA cert /etc/prometheus/secrets/istio.prometheus/root-cert.pem: open /etc/prometheus/secrets/istio.prometheus/root-cert.pem: no such file or directory" scrape_pool=istio-system/kubernetes-pods-secure-monitor/0

I also noticed that creation of the service monitors can be disabled with the Values.prometheus.provisionPrometheusCert flag, as shown below:

istio/manifests/charts/istio-telemetry/prometheusOperator/templates/servicemonitors.yaml

 {{- if .Values.prometheus.provisionPrometheusCert }} 

However, re-applying the config with `istioctl install` did not remove those service monitors.

Doesn't the istioctl install command delete/prune existing resources?

Here is my full config:

apiVersion: install.istio.io/v1alpha1
kind: IstioControlPlane
metadata:
  namespace: istio-system
  name: istio-controlplane
  labels:
    istio-injection: enabled
spec:
  profile: default
  addonComponents:
    prometheus:
      enabled: false
    prometheusOperator:
      enabled: true
    grafana:
      enabled: false
    kiali:
      enabled: true
      namespace: staging
    tracing:
      enabled: false
  values:
    global:
      proxy:
        logLevel: warning
      mountMtlsCerts: false
      prometheusNamespace: monitoring
      tracer:
        zipkin:
          address: jaeger-collector.staging:9411

    prometheusOperator:
      createPrometheusResource: false

    prometheus:
      security:
        enabled: false
      provisionPrometheusCert: false

Two separate concerns: upgrade to a new version of Istio, and updates to the config.

Upgrade

As far as I know, there were a lot of problems when upgrading istio from older versions to 1.4, 1.5 and 1.6, but since istioctl upgrade came along you don't have to worry about upgrading your cluster.

The istioctl upgrade command performs an upgrade of Istio. Before performing the upgrade, it checks that the Istio installation meets the upgrade eligibility criteria. Also, it alerts the user if it detects any changes in the profile default values between Istio versions.

Additionally, Istio 1.6 will support a new upgrade model to safely canary-deploy new versions of Istio. In this new model, proxies will be associated with the specific control plane that they use. This allows a new version to be deployed to the cluster with lower risk: no proxies connect to the new version until the user explicitly chooses to. This allows gradually migrating workloads to the new control plane, while monitoring the changes with Istio telemetry to investigate any issues.

The related documentation is here and here.


Update

As I mentioned in the comments, two things I found that might be helpful are

  • istioctl operator logs

If something goes wrong with your update, it will show up in the istio operator logs and the update will fail.

You can observe the changes that the controller makes in the cluster in response to IstioOperator CR updates by checking the operator controller logs:

$ kubectl logs -f -n istio-operator $(kubectl get pods -n istio-operator -lname=istio-operator -o jsonpath='{.items[0].metadata.name}')

  • Verify a successful installation

You can check if the Istio installation succeeded using the verify-install command, which compares the installation on your cluster to a manifest you specify.

If you didn’t generate your manifest prior to deployment, run the following command to generate it now:

$ istioctl manifest generate <your original installation options> > $HOME/generated-manifest.yaml

Then run the following verify-install command to see if the installation was successful:

$ istioctl verify-install -f $HOME/generated-manifest.yaml

Hope you find this useful.
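As an added example, not part of the question or the answer above: since `istioctl install` did not prune the ServiceMonitors, one way to find what was left behind is to compare the manifest that `istioctl manifest generate` produces against what the cluster actually holds, and treat anything in the cluster but absent from the manifest as a pruning candidate. The script below does exactly that, offline, on constructed inputs. The `kubectl get ... -o custom-columns` invocation in the comments is the assumed way to produce the cluster listing, and every object name other than kubernetes-pods-secure-monitor and kubernetes-services-secure-monitor (the two the question mentions) is made up for the sample.

```sh
#!/bin/sh
# Added example: report objects present in the cluster but missing from the
# generated Istio manifest. It only reports; deletion is left to the operator.

# stale_objects MANIFEST.yaml CLUSTER_LISTING.txt
#   MANIFEST.yaml      multi-document YAML, e.g. from `istioctl manifest generate -f cp.yaml`
#   CLUSTER_LISTING    "NAMESPACE KIND NAME" lines, e.g. from
#                      kubectl get servicemonitors -A --no-headers \
#                        -o custom-columns=NS:.metadata.namespace,KIND:.kind,NAME:.metadata.name
# Prints one "namespace/Kind/name" per object that is in the cluster but not in the manifest.
stale_objects() {
  awk '
    # Record the current YAML document as a wanted key and reset for the next one.
    function emit() {
      if (kind != "") wanted[ns "/" kind "/" name] = 1
      kind = ""; name = ""; ns = ""
    }
    # First file: the manifest. Only top-level kind: and the first
    # two-space-indented name:/namespace: (i.e. metadata) are considered.
    NR == FNR {
      if ($0 ~ /^---/)                        { emit(); next }
      if ($0 ~ /^kind:/)                      { kind = $2 }
      if ($0 ~ /^  name:/ && name == "")      { name = $2 }
      if ($0 ~ /^  namespace:/ && ns == "")   { ns = $2 }
      next
    }
    # Second file: the cluster listing. Flush the manifest last document first.
    FNR == 1 { emit() }
    NF == 3 && !(($1 "/" $2 "/" $3) in wanted) { print $1 "/" $2 "/" $3 }
  ' "$1" "$2"
}

# --- Constructed sample inputs (not real cluster or istioctl output) ---------
WORKDIR=$(mktemp -d)

# Manifest after setting provisionPrometheusCert: false: the two *-secure-monitor
# ServiceMonitors are no longer rendered. The two names below are made up.
cat > "$WORKDIR/generated-manifest.yaml" <<'EOF'
---
apiVersion: monitoring.coreos.com/v1
kind: ServiceMonitor
metadata:
  name: envoy-stats-monitor
  namespace: istio-system
  labels:
    release: istio
spec:
  selector:
    matchExpressions:
      - {key: istio-prometheus-ignore, operator: DoesNotExist}
---
apiVersion: monitoring.coreos.com/v1
kind: ServiceMonitor
metadata:
  name: istio-component-monitor
  namespace: istio-system
spec:
  jobLabel: istio
EOF

# What the cluster still holds: the earlier install left the secure monitors behind.
cat > "$WORKDIR/cluster.txt" <<'EOF'
istio-system ServiceMonitor envoy-stats-monitor
istio-system ServiceMonitor istio-component-monitor
istio-system ServiceMonitor kubernetes-pods-secure-monitor
istio-system ServiceMonitor kubernetes-services-secure-monitor
EOF

# Each reported line is a candidate for a manual
#   kubectl -n <namespace> delete <kind> <name>
# after review.
stale_objects "$WORKDIR/generated-manifest.yaml" "$WORKDIR/cluster.txt"
```

Running it on the constructed inputs lists the two secure monitors as stale. The comparison is keyed on namespace, kind and name only, so it is deliberately conservative: it will not notice an object whose spec changed, and it says nothing about who owns the leftover object, so review each line before deleting.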