Azure Kubernetes-是否同时使用入口和出口网关设置Istio?

时间:2020-10-20 13:28:51

标签: kubernetes istio azure-kubernetes

我打算使用以下配置在自己的AKS群集上安装Istion,这将安装什么组件?它会同时安装Ingress和Egress网关吗?

istioctl operator init

kubectl create ns istio-system

cat << EOF | kubectl apply -f -
apiVersion: install.istio.io/v1alpha1
kind: IstioOperator
metadata:
  namespace: istio-system
  name: istio-control-plane
spec:
  # Use the default profile as the base
  # More details at: https://istio.io/docs/setup/additional-setup/config-profiles/
  profile: default
  # Enable the addons that we will want to use
  addonComponents:
    grafana:
      enabled: true
    prometheus:
      enabled: true
    tracing:
      enabled: true
    kiali:
      enabled: true
  values:
    global:
      # Ensure that the Istio pods are only scheduled to run on Linux nodes
      defaultNodeSelector:
        beta.kubernetes.io/os: linux
    kiali:
      dashboard:
        auth:
          strategy: anonymous
EOF

2 个答案:

答案 0 :(得分:1)

您问题中的istio操作员清单不会安装出口网关。它基于默认配置文件,根据istio文档,可以使用istioctl profile dump进行检查:

默认:根据IstioOperator API的默认设置启用组件。建议将此配置文件用于生产部署和multicluster mesh中的主群集。您可以通过运行命令istioctl profile dump显示默认设置。

要使用IstioOperator安装出口网关,请执行istio documentation中的以下步骤:

配置网关

网关是一种特殊的组件,因为可以定义多个入口和出口网关。在IstioOperator API中,网关被定义为列表类型。 default配置文件将安装一个名为istio-ingressgateway的入口网关。您可以检查该网关的默认值:

istioctl profile dump --config-path components.ingressGateways
istioctl profile dump --config-path values.gateways.istio-ingressgateway

这些命令显示了网关的IstioOperator和Helm设置,它们一起用于定义生成的网关资源。可以像其他任何组件一样自定义内置网关。

从1.7开始,叠加时必须始终指定网关名称。不指定任何名称将不再默认为istio-ingressgatewayistio-egressgateway

可以通过添加新的列表条目来创建新的用户网关:

apiVersion: install.istio.io/v1alpha1
kind: IstioOperator
spec:
  components:
    ingressGateways:
      - name: istio-ingressgateway
        enabled: true
      - namespace: user-ingressgateway-ns
        name: ilb-gateway
        enabled: true
        k8s:
          resources:
            requests:
              cpu: 200m
          serviceAnnotations:
            cloud.google.com/load-balancer-type: "internal"
          service:
            ports:
            - port: 8060
              targetPort: 8060
              name: tcp-citadel-grpc-tls
            - port: 5353
              name: tcp-dns

请注意,Helm值(spec.values.gateways.istio-ingressgateway/egressgateway)由所有入口/出口网关共享。如果必须针对每个网关自定义这些选项,则建议使用单独的IstioOperator CR为用户网关生成清单,而与主要Istio安装不同:

apiVersion: install.istio.io/v1alpha1
kind: IstioOperator
spec:
  profile: empty
  components:
    ingressGateways:
      - name: ilb-gateway
        namespace: user-ingressgateway-ns
        enabled: true
        # Copy settings from istio-ingressgateway as needed.
  values:
    gateways:
      istio-ingressgateway:
        debug: error

有关在AKS上安装istio的更多信息,请参见here

答案 1 :(得分:1)

我已经使用以下配置来设置Ingress和Egress网关。

cat << EOF | kubectl apply -f -
apiVersion: install.istio.io/v1alpha1
kind: IstioOperator
metadata:
  namespace: istio-system
  name: istio-control-plane
spec:
  # Use the default profile as the base
  # More details at: https://istio.io/docs/setup/additional-setup/config-profiles/
  profile: default
  # Enable the addons that we will want to use
  addonComponents:
    grafana:
      enabled: true
    prometheus:
      enabled: true
    tracing:
      enabled: true
    kiali:
      enabled: true
  values:
    global:
      # Ensure that the Istio pods are only scheduled to run on Linux nodes
      defaultNodeSelector:
        beta.kubernetes.io/os: linux
    kiali:
      dashboard:
        auth:
          strategy: anonymous
  components:
    egressGateways:
    - name: istio-egressgateway
      enabled: true
EOF