istio灰度方案

具体实现方式

第一步，安装istio，这里省略

第二步，查看istio的访问地址

[ec2-user@io-jumpserver ~]$ kubectl -n istio-system get svc 
NAME                   TYPE           CLUSTER-IP       EXTERNAL-IP                                                                          PORT(S)                                                                        AGE
istio-egressgateway    ClusterIP      172.20.111.185   <none>                                                                               80/TCP,443/TCP                                                                 105d
istio-ingressgateway   LoadBalancer   172.20.28.204    k8s-istiosys-istioing-98f2d2f5fb-xxxxxx.xxxxx.com   15021:30605/TCP,80:31071/TCP,443:32172/TCP,31400:30838/TCP,15443:32000/TCP     105d

第三步，nginx反代,这里一定要注意有些nginx版本比较老需要加  proxy_http_version 1.1这个参数才可以

[root@io-doex-nginx conf.d]# cat gray.doex.io.conf 
server {
    listen 80;
    server_name gray-xxxxxx;
    access_log /var/log/nginx/gray-access.log;
    error_log /var/log/nginx/gray-error.log;
    location / {
     proxy_set_header X-Real-IP $remote_addr;
     proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
     proxy_http_version 1.1;
     resolver 10.31.0.2 valid=10s;
     set $backend "http://k8s-istiosys-istioing-xxxx.com";
     proxy_pass $backend;
     proxy_set_header Host $http_host;
    }
}
server {
    listen 443  ssl;
    client_max_body_size 160m;
    ssl_certificate xxx.crt;
    ssl_certificate_key  /xxx.key;
    ssl_stapling                            on;
    ssl_stapling_verify                     on;
    server_name gray-www.doex.io;
    location / {
     proxy_set_header X-Real-IP $remote_addr;
     proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
     proxy_http_version 1.1;
     resolver 10.31.0.2 valid=10s;
     set $backend "http://k8s-istiosys-istioing-9xxxx.com";
     proxy_pass $backend;
     proxy_set_header Host $http_host;
    }
}

第四步，创建istio网关,意思是xxx名称空间下的所有域名都可以走这个网关

apiVersion: networking.istio.io/v1beta1
kind: Gateway
metadata:
  name: xxx-gateway
  namespace: xxx
spec:
  selector:
    istio: ingressgateway
  servers:
  - hosts:
    - '*'
    port:
      name: http
      number: 80
      protocol: HTTP

第五步，创建相应的vs规则(针对对外网提供服务的应用)

意思是如果携带头myheader: gray-sim1并且匹配到相应的路由的时候那么就访问host对应的svc

这里需要注意的是如果/v/和/都需要匹配的时候/v/一定要在/前面，匹配顺序是从上往下

apiVersion: networking.istio.io/v1beta1
kind: VirtualService
metadata:
  name: gray-wwww.xxx-web-all
  namespace: xxx
spec:
  gateways:
  - xxx-gateway
  hosts:
  - gray-xxxx
  http:
  - match:
    - headers:
        myheader:
          exact: gray-sim1
      uri:
        prefix: /v/
    route:
    - destination:
        host: xxxx-svc
        port:
          number: 80
  - match:
    - headers:
        myheader:
          exact: gray-sim1
      uri:
        prefix: /
    route:
    - destination:
        host: xxx-svc
        port:
          number: 80

第六步，创建dr+vs规则(针对于内网服务)

dr规则如下，将xxx-svc分割成2个子服务(subset)

apiVersion: networking.istio.io/v1beta1
kind: DestinationRule
metadata:
  name: xxxx-gray-sim1
  namespace: xxx
spec:
  host: xxx-svc
  subsets:
  - labels:
      app: xxx
      gray: "0"
    name: xxx
  - labels:
      app: xxx
      gray: gray-sim1
    name: xxxx-gray-sim1

vs规则如下，通过dr切分出来的subset进行流量分发

apiVersion: networking.istio.io/v1beta1
kind: VirtualService
metadata:
  name: xxx-gray-sim1
  namespace: xxx
spec:
  hosts:
  - xxx-svc
  http:
  - match:
    - headers:
        myheader:
          exact: gray-sim1
    route:
    - destination:
        host: xxxx
        subset: xxx-gray-sim1
  - route:
    - destination:
        host: xxx
        subset: xxx

第七步，根据pod进行加header操作，envoyfilter

我们通过workloadSelector来关联相关的pod，然后通过lua脚本来对指定的pod在出流量的时候加上请求头myheader,这样的话通过dr+vs规则联合起来就可以实现灰度到指定的服务：

apiVersion: networking.istio.io/v1alpha3
kind: EnvoyFilter
metadata:
  name:xxxx-gray-sim1
  namespace: xxx
spec:
  configPatches:
  - applyTo: HTTP_FILTER
    match:
      context: SIDECAR_OUTBOUND
      listener:
        filterChain:
          filter:
            name: envoy.filters.network.http_connection_manager
            subFilter:
              name: envoy.filters.http.router
    patch:
      operation: INSERT_BEFORE
      value:
        name: envoy.filters.http.lua
        typed_config:
          '@type': type.googleapis.com/envoy.extensions.filters.http.lua.v3.Lua
          inlineCode: |
            function envoy_on_request(request_handle)
              local value = os.getenv("GRAY_HEADER") or "gray-sim1"
              request_handle:headers():add("myheader",value)
            end
  workloadSelector:
    labels:
      app: xxx
      gray: gray-sim1

 

serviceentry可以把集群外部的服务加入到istio网格里

如果pod访问一个集群外部的服务，那么默么kiali显示的是

 

如果创建serviceentry把集群外部服务加入进来，那么kiali将会显示

 

apiVersion: networking.istio.io/v1alpha3
kind: ServiceEntry
metadata:
  name: external-svc-entry
spec:
  hosts:
  - www.httpbin.org
  addresses:
  - 1.1.1.1
  ports:
  - number: 443
    name: https
    protocol: HTTPS
  - number: 80
    name: http
    protocol: HTTP
  location: MESH_EXTERNAL   
  resolution: DNS    #DNS|STATIC
  #endpoints:
  #- address: 203.0.113.10
  #  ports:
  #    https: 443
  exportTo:
  - .

 

 

如果要修改istio-proxy代理的日志级别，默认是warning，有两种方式

第一种方式：针对pod修改

　　1.可以在部署清单文件的时候修改

  template:
    metadata:
      annotations:
        "sidecar.istio.io/logLevel": debug # 可选: trace, debug, info, warning, error, critical, off

　　2.可以在running的pod中修改

[root@localhost ~]# istioctl proxy-config log --help
Usage:
  istioctl proxy-config log [<type>/]<name>[.<namespace>] [flags]

Aliases:
  log, o

Examples:
  # Retrieve information about logging levels for a given pod from Envoy.
  istioctl proxy-config log <pod-name[.namespace]>

  # Update levels of the all loggers
  istioctl proxy-config log <pod-name[.namespace]> --level none

  # Update levels of the specified loggers.
  istioctl proxy-config log <pod-name[.namespace]> --level http:debug,redis:debug

  # Reset levels of all the loggers to default value (warning).
  istioctl proxy-config log <pod-name[.namespace]> -r

 

第二种方式：针对全局修改

kubectl -n istio-system edit configmap istio-sidecar-injector
#大概在1834行，原来是warning，修改为debug即可