OpenShift Service Mesh 培训作业
第一次线上（virtual）培训时提交的作业。
1. 建立 Service Mesh 控制平面（ServiceMeshControlPlane，CP）
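# Step 1: create the Service Mesh control plane (OSSM / Maistra v1 API).
#
# Writes the ServiceMeshControlPlane manifest to $HOME/service-mesh.yaml and
# applies it in the bookretail-istio-system project.
#
# Security notes (review):
#   * kiali.dashboard.passphrase is a login credential kept in plain text both
#     in the CR and in the generated file. The lab value ("redhat") is only the
#     default for backward compatibility -- override it with KIALI_PASSPHRASE
#     and do not commit the generated manifest.
#   * global.mtls is false, so workloads talk plaintext by default; step 3
#     enables mTLS per service with STRICT Policies + ISTIO_MUTUAL DestinationRules.
#   * traceSampling 100.0 sends every request (including URL paths) to Jaeger;
#     acceptable for a lab, far too much for production.
set -euo pipefail

readonly cp_namespace=bookretail-istio-system
readonly manifest="$HOME/service-mesh.yaml"
kiali_user="${KIALI_USER:-admin}"
kiali_passphrase="${KIALI_PASSPHRASE:-redhat}"

# Re-runnable: if the project already exists just switch to it.
oc new-project "$cp_namespace" 2>/dev/null || oc project "$cp_namespace"

# The manifest carries a credential: make the file owner-readable only.
umask 077

# Unquoted delimiter so the two Kiali variables expand; nothing else in the
# manifest contains $ or backticks.
cat >"$manifest" <<EOF
apiVersion: maistra.io/v1
kind: ServiceMeshControlPlane
metadata:
  name: service-mesh-installation
spec:
  threeScale:
    enabled: false
  istio:
    global:
      mtls: false
      disablePolicyChecks: false
      proxy:
        resources:
          requests:
            cpu: 100m
            memory: 128Mi
          limits:
            cpu: 500m
            memory: 128Mi
    gateways:
      istio-egressgateway:
        autoscaleEnabled: false
      istio-ingressgateway:
        autoscaleEnabled: false
        ior_enabled: false
    mixer:
      policy:
        autoscaleEnabled: false
      telemetry:
        autoscaleEnabled: false
        resources:
          requests:
            cpu: 100m
            memory: 1G
          limits:
            cpu: 500m
            memory: 4G
    pilot:
      autoscaleEnabled: false
      traceSampling: 100.0
    kiali:
      dashboard:
        user: ${kiali_user}
        passphrase: ${kiali_passphrase}
    tracing:
      enabled: true
EOF

oc apply -f "$manifest" -n "$cp_namespace"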
添加ServiceMeshMemberRoll
# Add the bookinfo project to the mesh via a ServiceMeshMemberRoll.
# The roll is named "default" and created in the control-plane project
# (the name OSSM expects); only namespaces listed in members get sidecars.
oc apply -n bookretail-istio-system -f - <<'EOF'
apiVersion: maistra.io/v1
kind: ServiceMeshMemberRoll
metadata:
  name: default
spec:
  members:
  - bookinfo
EOF
2. 为各组件配置 sidecar 自动注入（injector）
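#!/usr/bin/env bash
# Step 2: enable Envoy sidecar injection on the bookinfo deployments.
#
# Each deployment's pod template gets the sidecar.istio.io/inject annotation
# plus the app/version labels Istio uses for telemetry and for the
# DestinationRule subsets created later.
#
# Why a strategic-merge patch: the original used a JSON-Patch "add" on
# /spec/template/metadata. Per RFC 6902, "add" on an existing member replaces
# its value, so any pre-existing template labels/annotations were wiped and
# only app/version re-created. Merging keeps existing metadata; for the stock
# bookinfo deployments the end state is identical.
set -euo pipefail

readonly namespace=bookinfo

# deployment:app:version triples to patch
readonly -a targets=(
  details-v1:details:v1
  productpage-v1:productpage:v1
  ratings-v1:ratings:v1
  reviews-v1:reviews:v1
  reviews-v2:reviews:v2
  reviews-v3:reviews:v3
)

#######################################
# Build the strategic-merge patch body for one deployment.
# Arguments: $1 - app label, $2 - version label
# Outputs:   JSON patch document on stdout
#######################################
inject_patch() {
  local app=$1 version=$2
  printf '{"spec":{"template":{"metadata":{"annotations":{"sidecar.istio.io/inject":"true"},"labels":{"app":"%s","version":"%s"}}}}}' \
    "$app" "$version"
}

for entry in "${targets[@]}"; do
  IFS=: read -r deploy app version <<<"$entry"
  oc patch deployment "$deploy" -n "$namespace" --type=strategic \
    -p "$(inject_patch "$app" "$version")"
done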
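# Verify injection: print "<pod> : <containers>" for every pod in bookinfo.
# One jsonpath query replaces the original per-pod loop (a single API call
# instead of N+1) and produces the same output format. Every line should show
# the application container followed by istio-proxy.
oc get pods -n bookinfo \
  -o jsonpath='{range .items[*]}{.metadata.name}{" :\t\t"}{.spec.containers[*].name}{"\n"}{end}'

# Output observed in the lab run:
#   details-v1-6657b8bdf-5qjzd      : details istio-proxy
#   productpage-v1-597b74b4c-md2jb  : productpage istio-proxy
#   ratings-v1-66cddbfb8f-hd7cj     : ratings istio-proxy
#   reviews-v1-6788566f98-zc6qj     : reviews istio-proxy
#   reviews-v2-7c4bffdcc4-9qsvw     : reviews istio-proxy
#   reviews-v3-69b6d8786-449tm      : reviews istio-proxy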
3. 配置 mTLS（双向 TLS）
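# Step 3a: OpenSSL request config for the ingress-gateway certificate.
#
# The resulting self-signed cert carries a SAN for the cluster apps domain and
# its wildcard. The domain defaults to the lab cluster and can be overridden
# with APPS_DOMAIN so the snippet is reusable on other clusters.
# NOTE(review): a self-signed certificate is not trusted by browsers or other
# clients; they must import/pin it, or a CA-issued cert should be used instead.
apps_domain="${APPS_DOMAIN:-apps.cluster-9a38.9a38.sandbox1721.opentlc.com}"

cat >cert.cfg <<EOF
[ req ]
req_extensions = req_ext
distinguished_name = req_distinguished_name
prompt = no
[req_distinguished_name]
commonName=${apps_domain}
[req_ext]
subjectAltName = @alt_names
[alt_names]
DNS.1 = ${apps_domain}
DNS.2 = *.${apps_domain}
EOF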
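# Step 3b: issue the self-signed TLS cert, store it as the secret the ingress
# gateway reads, and roll the gateway pods so they pick it up.
#
# Security notes (review):
#   * -nodes writes the private key unencrypted to disk; the umask keeps
#     tls.key/tls.crt owner-readable only. Remove (or shred) tls.key once the
#     secret exists -- the in-cluster copy is the one in use.
#   * The cert is self-signed and valid for 730 days: clients must be told to
#     trust it, and it has to be re-issued before expiry.
#   * Secret name istio-ingressgateway-certs is the one the ingress gateway
#     mounts (Istio convention) at /etc/istio/ingressgateway-certs, the path
#     referenced by the Gateway resource.
set -euo pipefail

readonly cp_namespace=bookretail-istio-system

( umask 077
  openssl req -x509 -config cert.cfg -extensions req_ext -nodes -days 730 \
    -newkey rsa:2048 -sha256 -keyout tls.key -out tls.crt )

oc create secret tls istio-ingressgateway-certs \
  --cert tls.crt --key tls.key -n "$cp_namespace"

# Changing a pod-template annotation forces a rolling restart of the gateway.
restarted_at="$(date +%FT%T%z)"
oc patch deployment istio-ingressgateway -n "$cp_namespace" \
  -p "{\"spec\":{\"template\":{\"metadata\":{\"annotations\":{\"kubectl.kubernetes.io/restartedAt\": \"${restarted_at}\"}}}}}"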
为 bookinfo 应用创建以下资源：Policy、VirtualService、Gateway、DestinationRule、Route。
- policy.yaml
# Peer-authentication Policies (authentication.istio.io/v1alpha1, the API used
# by OSSM 1.x). Each one requires mutual TLS on inbound traffic to the named
# service; plaintext requests are rejected.
# NOTE(review): only the four listed services are covered -- any other workload
# in the namespace keeps the permissive default. Because global.mtls is false in
# the control plane, every caller (including the ingress gateway) needs a
# DestinationRule with tls.mode ISTIO_MUTUAL for these hosts, otherwise its
# requests fail. Policies are namespaced; apply them in the bookinfo project so
# the target names resolve to the bookinfo Services.
apiVersion: authentication.istio.io/v1alpha1
kind: Policy
metadata:
  name: details-mtls
spec:
  peers:
  - mtls:
      mode: STRICT
  targets:
  - name: details
---
apiVersion: authentication.istio.io/v1alpha1
kind: Policy
metadata:
  name: productpage-mtls
spec:
  peers:
  - mtls:
      mode: STRICT
  targets:
  - name: productpage
---
apiVersion: authentication.istio.io/v1alpha1
kind: Policy
metadata:
  name: ratings-mtls
spec:
  peers:
  - mtls:
      mode: STRICT
  targets:
  - name: ratings
---
apiVersion: authentication.istio.io/v1alpha1
kind: Policy
metadata:
  name: reviews-mtls
spec:
  peers:
  - mtls:
      mode: STRICT
  targets:
  - name: reviews
- virtualservice
# VirtualService binding the public productpage hostname (via the wildcard
# Gateway) to the productpage service on port 9080.
# Only the listed paths are routed; anything else arriving at the gateway for
# this host gets no route (404), which is a deliberately small exposed surface.
# NOTE(review): "host: productpage" and the gateway name are unqualified, so
# both are resolved in the namespace this VirtualService is created in --
# it must live in the bookinfo project alongside the Gateway.
apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
  name: bookinfo-virtualservice
spec:
  hosts:
  - productpage.apps.cluster-9a38.9a38.sandbox1721.opentlc.com
  gateways:
  - bookinfo-wildcard-gateway
  http:
  - match:
    - uri:
        prefix: /productpage
    - uri:
        exact: /login
    - uri:
        exact: /logout
    - uri:
        prefix: /api/v1/products
    route:
    - destination:
        port:
          number: 9080
        host: productpage
- Gateway
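---
# Gateway terminating HTTPS on the Istio ingress gateway for the whole apps
# wildcard domain.
# tls.mode SIMPLE = server-side TLS only; the key/cert paths are where the
# ingress gateway mounts the istio-ingressgateway-certs secret created in
# step 3b (Istio convention), so the secret name must not change.
# Review change: minProtocolVersion is pinned to TLS 1.2 so the listener does
# not negotiate older TLS versions; the original relied on the default.
# NOTE(review): the cert is self-signed, so clients still see a trust warning.
apiVersion: networking.istio.io/v1alpha3
kind: Gateway
metadata:
  name: bookinfo-wildcard-gateway
spec:
  selector:
    istio: ingressgateway # use istio default controller
  servers:
  - port:
      number: 443
      name: https
      protocol: HTTPS
    tls:
      mode: SIMPLE
      minProtocolVersion: TLSV1_2
      privateKey: /etc/istio/ingressgateway-certs/tls.key
      serverCertificate: /etc/istio/ingressgateway-certs/tls.crt
    hosts:
    - "*.apps.cluster-9a38.9a38.sandbox1721.opentlc.com"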
- DestinationRule
# DestinationRules for the four bookinfo services.
# tls.mode ISTIO_MUTUAL makes callers (sidecars and the ingress gateway) present
# their Istio-issued client certificate, which the STRICT peer Policies demand.
# This is required here because global.mtls is disabled in the control plane;
# without these rules clients would send plaintext and be rejected.
# Subsets name the version labels the deployments were given in step 2.
apiVersion: networking.istio.io/v1alpha3
kind: DestinationRule
metadata:
  name: details
spec:
  host: details.bookinfo.svc.cluster.local
  trafficPolicy:
    tls:
      mode: ISTIO_MUTUAL
  subsets:
  - name: v1
    labels:
      version: v1
---
apiVersion: networking.istio.io/v1alpha3
kind: DestinationRule
metadata:
  name: productpage
spec:
  host: productpage.bookinfo.svc.cluster.local
  trafficPolicy:
    tls:
      mode: ISTIO_MUTUAL
  subsets:
  - name: v1
    labels:
      version: v1
---
apiVersion: networking.istio.io/v1alpha3
kind: DestinationRule
metadata:
  name: ratings
spec:
  host: ratings.bookinfo.svc.cluster.local
  trafficPolicy:
    tls:
      mode: ISTIO_MUTUAL
  subsets:
  - name: v1
    labels:
      version: v1
---
apiVersion: networking.istio.io/v1alpha3
kind: DestinationRule
metadata:
  name: reviews
spec:
  host: reviews.bookinfo.svc.cluster.local
  trafficPolicy:
    tls:
      mode: ISTIO_MUTUAL
  subsets:
  - name: v1
    labels:
      version: v1
  - name: v2
    labels:
      version: v2
  - name: v3
    labels:
      version: v3
- Route
# OpenShift Route that hands the public productpage hostname to the Istio
# ingress gateway Service.
# termination: passthrough -- the OpenShift router forwards the TLS stream
# untouched, so TLS ends at istio-ingressgateway using the cert from the
# istio-ingressgateway-certs secret; the router never sees plaintext and does
# not need its own certificate for this host.
# NOTE(review): the Route must be created in the control-plane project, where
# the istio-ingressgateway Service lives. The openshift.io/host.generated: 'true'
# annotation looks copied from an exported route; host is set explicitly below,
# so the annotation is inaccurate (harmless, but misleading).
apiVersion: route.openshift.io/v1
kind: Route
metadata:
  annotations:
    openshift.io/host.generated: 'true'
  labels:
    app: productpage
  name: productpagegateway
spec:
  host: "productpage.apps.cluster-9a38.9a38.sandbox1721.opentlc.com"
  port:
    targetPort: https
  tls:
    termination: passthrough
  to:
    kind: Service
    name: istio-ingressgateway
    weight: 100
  wildcardPolicy: None