自建Kubernetes叢集在Istio中部署Bookinfo應用 - Elastic Container Instance

Istio是一個開源的服務網格，提供流量管理、可觀測性，以及安全和策略等能力。在Kubernetes中配合使用Istio，可以協助您更好地管理和控制容器應用，提高應用程式的效能、安全性和可靠性。本文以Bookinfo應用為例，介紹自建Kubernetes叢集通過VNode對接ECI的情境下，如何使用Istio。

背景資訊

Istio是一個開源的服務網格（Service Mesh）平台，用於管理微服務之間的流量以及處理各種網路通訊和安全問題。Istio可以與Kubernetes整合，提供標準、安全的流量管理，簡化部署和營運工作。

Bookinfo是一個範例應用，它模仿線上書店的一個目錄，可以顯示一本書的資訊，包括書籍描述，書籍詳細資料（ISBN、頁數等），以及關於這本書的一些評論。Bookinfo是一個異構應用，由四個使用不同語言編寫的微服務組成，可以示範多種Istio特性。Bookinfo包含的四個微服務如下：

bookinfo

Productpage：為Python服務，會調用Details和Reviews兩個服務，用來產生頁面。同時，Productpage還包含登入和登出功能。
Details：為Ruby服務，包含了書籍的資訊。
Reviews：為Java服務，包含了書籍相關的評論。Reviews包含3個版本：
- v1版本不會調用Ratings服務。
- v2版本會調用Ratings服務，並使用1到5個黑色星形表徵圖來顯示評分資訊。
- v3版本會調用Ratings服務，並使用1到5個紅色星形表徵圖來顯示評分資訊。
Ratings：為Node.js服務，包含了由書籍評價組成的評級資訊。

更多資訊，請參見Istio Bookinfo。

前提條件

本文適用於自建Kubernetes叢集，請確保您的叢集滿足以下條件：

自建Kubernetes叢集中已部署VNode。
如果您的Kubernetes叢集部署線上下IDC，請確保已打通IDC與阿里雲的網路。
如果您的Kubernetes叢集部署在ECS上，且使用的網路外掛程式為Flannel，請確保已在叢集中部署CCM，保證ECI與標準節點上的Pod可以正常通訊。具體操作，請參見部署CCM。

準備工作

安裝Istio。具體操作，請參見Istio快速入門。

建立Namespace並配置Label。

kubectl create namespace istio-test
kubectl label namespace istio-test istio-injection=enabled

操作步驟

部署Bookinfo應用

將以下內容儲存為bookinfo.yaml。

說明

下述YAML樣本中已增加nodeSelector實現將Pod調度到VNode，您也可以配置eci-profile來實現。更多資訊，請參見將Pod調度到VNode和使用eci-profile調度Pod到VNode。

展開查看bookinfo.yaml

# Copyright Istio Authors
#
#   Licensed under the Apache License, Version 2.0 (the "License");
#   you may not use this file except in compliance with the License.
#   You may obtain a copy of the License at
#
#       http://www.apache.org/licenses/LICENSE-2.0
#
#   Unless required by applicable law or agreed to in writing, software
#   distributed under the License is distributed on an "AS IS" BASIS,
#   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
#   See the License for the specific language governing permissions and
#   limitations under the License.

##################################################################################################
# This file defines the services, service accounts, and deployments for the Bookinfo sample.
#
# To apply all 4 Bookinfo services, their corresponding service accounts, and deployments:
#
#   kubectl apply -f samples/bookinfo/platform/kube/bookinfo.yaml
#
# Alternatively, you can deploy any resource separately:
#
#   kubectl apply -f samples/bookinfo/platform/kube/bookinfo.yaml -l service=reviews # reviews Service
#   kubectl apply -f samples/bookinfo/platform/kube/bookinfo.yaml -l account=reviews # reviews ServiceAccount
#   kubectl apply -f samples/bookinfo/platform/kube/bookinfo.yaml -l app=reviews,version=v3 # reviews-v3 Deployment
##################################################################################################

##################################################################################################
# Details service
##################################################################################################
apiVersion: v1
kind: Service
metadata:
  name: details
  labels:
    app: details
    service: details
spec:
  ports:
  - port: 9080
    name: http
  selector:
    app: details
---
apiVersion: v1
kind: ServiceAccount
metadata:
  name: bookinfo-details
  labels:
    account: details
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: details-v1
  labels:
    app: details
    version: v1
spec:
  replicas: 1
  selector:
    matchLabels:
      app: details
      version: v1
  template:
    metadata:
      labels:
        app: details
        version: v1
    spec:
      nodeSelector:     #配置特定的nodeSelector
        k8s.aliyun.com/vnode: "true"
      tolerations:      #配置特定的tolerations
      - key: k8s.aliyun.com/vnode
        operator: "Equal"
        value: "true"
        effect: "NoSchedule"
      serviceAccountName: bookinfo-details
      containers:
      - name: details
        image: docker.io/istio/examples-bookinfo-details-v1:1.16.4
        imagePullPolicy: IfNotPresent
        ports:
        - containerPort: 9080
        securityContext:
          runAsUser: 1000
---
##################################################################################################
# Ratings service
##################################################################################################
apiVersion: v1
kind: Service
metadata:
  name: ratings
  labels:
    app: ratings
    service: ratings
spec:
  ports:
  - port: 9080
    name: http
  selector:
    app: ratings
---
apiVersion: v1
kind: ServiceAccount
metadata:
  name: bookinfo-ratings
  labels:
    account: ratings
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: ratings-v1
  labels:
    app: ratings
    version: v1
spec:
  replicas: 1
  selector:
    matchLabels:
      app: ratings
      version: v1
  template:
    metadata:
      labels:
        app: ratings
        version: v1
    spec:
      nodeSelector:     #配置特定的nodeSelector
        k8s.aliyun.com/vnode: "true"
      tolerations:      #配置特定的tolerations
      - key: k8s.aliyun.com/vnode
        operator: "Equal"
        value: "true"
        effect: "NoSchedule"
      serviceAccountName: bookinfo-ratings
      containers:
      - name: ratings
        image: docker.io/istio/examples-bookinfo-ratings-v1:1.16.4
        imagePullPolicy: IfNotPresent
        ports:
        - containerPort: 9080
        securityContext:
          runAsUser: 1000
---
##################################################################################################
# Reviews service
##################################################################################################
apiVersion: v1
kind: Service
metadata:
  name: reviews
  labels:
    app: reviews
    service: reviews
spec:
  ports:
  - port: 9080
    name: http
  selector:
    app: reviews
---
apiVersion: v1
kind: ServiceAccount
metadata:
  name: bookinfo-reviews
  labels:
    account: reviews
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: reviews-v1
  labels:
    app: reviews
    version: v1
spec:
  replicas: 1
  selector:
    matchLabels:
      app: reviews
      version: v1
  template:
    metadata:
      labels:
        app: reviews
        version: v1
    spec:
      nodeSelector:     #配置特定的nodeSelector
        k8s.aliyun.com/vnode: "true"
      tolerations:      #配置特定的tolerations
      - key: k8s.aliyun.com/vnode
        operator: "Equal"
        value: "true"
        effect: "NoSchedule"
      serviceAccountName: bookinfo-reviews
      containers:
      - name: reviews
        image: docker.io/istio/examples-bookinfo-reviews-v1:1.16.4
        imagePullPolicy: IfNotPresent
        env:
        - name: LOG_DIR
          value: "/tmp/logs"
        ports:
        - containerPort: 9080
        volumeMounts:
        - name: tmp
          mountPath: /tmp
        - name: wlp-output
          mountPath: /opt/ibm/wlp/output
        securityContext:
          runAsUser: 1000
      volumes:
      - name: wlp-output
        emptyDir: {}
      - name: tmp
        emptyDir: {}
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: reviews-v2
  labels:
    app: reviews
    version: v2
spec:
  replicas: 1
  selector:
    matchLabels:
      app: reviews
      version: v2
  template:
    metadata:
      labels:
        app: reviews
        version: v2
    spec:
      nodeSelector:     #配置特定的nodeSelector
        k8s.aliyun.com/vnode: "true"
      tolerations:      #配置特定的tolerations
      - key: k8s.aliyun.com/vnode
        operator: "Equal"
        value: "true"
        effect: "NoSchedule"
      serviceAccountName: bookinfo-reviews
      containers:
      - name: reviews
        image: docker.io/istio/examples-bookinfo-reviews-v2:1.16.4
        imagePullPolicy: IfNotPresent
        env:
        - name: LOG_DIR
          value: "/tmp/logs"
        ports:
        - containerPort: 9080
        volumeMounts:
        - name: tmp
          mountPath: /tmp
        - name: wlp-output
          mountPath: /opt/ibm/wlp/output
        securityContext:
          runAsUser: 1000
      volumes:
      - name: wlp-output
        emptyDir: {}
      - name: tmp
        emptyDir: {}
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: reviews-v3
  labels:
    app: reviews
    version: v3
spec:
  replicas: 1
  selector:
    matchLabels:
      app: reviews
      version: v3
  template:
    metadata:
      labels:
        app: reviews
        version: v3
    spec:
      nodeSelector:     #配置特定的nodeSelector
        k8s.aliyun.com/vnode: "true"
      tolerations:      #配置特定的tolerations
      - key: k8s.aliyun.com/vnode
        operator: "Equal"
        value: "true"
        effect: "NoSchedule"
      serviceAccountName: bookinfo-reviews
      containers:
      - name: reviews
        image: docker.io/istio/examples-bookinfo-reviews-v3:1.16.4
        imagePullPolicy: IfNotPresent
        env:
        - name: LOG_DIR
          value: "/tmp/logs"
        ports:
        - containerPort: 9080
        volumeMounts:
        - name: tmp
          mountPath: /tmp
        - name: wlp-output
          mountPath: /opt/ibm/wlp/output
        securityContext:
          runAsUser: 1000
      volumes:
      - name: wlp-output
        emptyDir: {}
      - name: tmp
        emptyDir: {}
---
##################################################################################################
# Productpage services
##################################################################################################
apiVersion: v1
kind: Service
metadata:
  name: productpage
  labels:
    app: productpage
    service: productpage
spec:
  ports:
  - port: 9080
    name: http
  selector:
    app: productpage
---
apiVersion: v1
kind: ServiceAccount
metadata:
  name: bookinfo-productpage
  labels:
    account: productpage
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: productpage-v1
  labels:
    app: productpage
    version: v1
spec:
  replicas: 1
  selector:
    matchLabels:
      app: productpage
      version: v1
  template:
    metadata:
      labels:
        app: productpage
        version: v1
    spec:
      nodeSelector:     #配置特定的nodeSelector
        k8s.aliyun.com/vnode: "true"
      tolerations:      #配置特定的tolerations
      - key: k8s.aliyun.com/vnode
        operator: "Equal"
        value: "true"
        effect: "NoSchedule"
      serviceAccountName: bookinfo-productpage
      containers:
      - name: productpage
        image: docker.io/istio/examples-bookinfo-productpage-v1:1.16.4
        imagePullPolicy: IfNotPresent
        ports:
        - containerPort: 9080
        volumeMounts:
        - name: tmp
          mountPath: /tmp
        securityContext:
          runAsUser: 1000
      volumes:
      - name: tmp
        emptyDir: {}
---

部署Bookinfo。

kubectl -n istio-test apply -f bookinfo.yaml

預期返回：

istio-1

查看Bookinfo運行情況。
```
kubectl -n istio-test get pods -o wide
```
預期返回：
檢查Services。
```
kubectl -n istio-test get services
```
預期返回：

部署Gateway

將以下內容儲存為bookinfo-gateway.yaml。

展開查看bookinfo-gateway.yaml

apiVersion: networking.istio.io/v1alpha3
kind: Gateway
metadata:
  name: bookinfo-gateway
spec:
  selector:
    istio: ingressgateway # use istio default controller
  servers:
  - port:
      number: 80
      name: http
      protocol: HTTP
    hosts:
    - "*"
---
apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
  name: bookinfo
spec:
  hosts:
  - "*"
  gateways:
  - bookinfo-gateway
  http:
  - match:
    - uri:
        exact: /productpage
    - uri:
        prefix: /static
    - uri:
        exact: /login
    - uri:
        exact: /logout
    - uri:
        prefix: /api/v1/products
    route:
    - destination:
        host: productpage
        port:
          number: 9080

部署Gateway。

kubectl -n istio-test apply -f bookinfo-gateway.yaml

預期返回： istio-4

查看Gateway。
```
kubectl -n istio-test get gateway
```
預期返回：

驗證Bookinfo服務

確定Istio Gateway的Host地址。
請根據叢集情況選擇Istio Ingress Service，本文使用LoadBalancer方式：
```
kubectl -n istio-system get service istio-ingressgateway
```
預期返回：
通過返回資訊可以得到istio-ingressgateway的Host地址（IP:Port格式）為10.96.XX.XX:80。

建立一個測試Pod，用於驗證服務。

將以下內容儲存為test-pod.yaml。

展開查看test-pod.yaml

apiVersion: v1
kind: Pod
metadata:
  name: centos
spec:
  nodeSelector:    
    k8s.aliyun.com/vnode: "true"
  tolerations:      
  - key: k8s.aliyun.com/vnode
    operator: "Equal"
    value: "true"
    effect: "NoSchedule"
  containers:
  - name: eip
    image: registry-vpc.cn-shanghai.aliyuncs.com/eci_open/centos:7
    command:
    - bash
    - -c
    - sleep inf

部署Pod。
```
kubectl apply -f test-pod.yaml
```

登入測試Pod，然後執行命令驗證服務。
```
kubectl exec -it centos -- bash
```
```
curl -s http://10.96.XX.XX:80/productpage | grep -o "<title>.*</title>"
```
其中10.96.XX.XX:80為步驟1擷取的Host地址。如果返回<title>Simple BookStore App<title>，則表示Istio已經成功運行在VNode上。樣本如下：