1. 简介

目的是把集群外的主机（例如虚拟机）纳入到 service mesh 里：在主机上安装 sidecar，并为它签发网格身份（根证书 + ServiceAccount 令牌），使其像 Pod 一样被网格路由和管理。

2. 原理

3. 创建

3.1 启用自动注册

# Install the control plane and let VM proxies auto-register their
# WorkloadEntry from a WorkloadGroup (section 3.4).
# NOTE(review): profile=demo is intended for evaluation; for anything
# beyond a lab cluster start from the "default" profile instead.
istioctl install \
  --set profile=demo \
  --set values.pilot.env.PILOT_ENABLE_WORKLOAD_ENTRY_AUTOREGISTRATION=true

3.2 添加路由

在集群外主机上添加到 Pod 网段的路由（下一跳为一台可达的集群节点，此处为 192.168.10.33），使主机能直接访问 istiod 在 Pod 网段内的地址；Pod 网段请按自己集群的实际 CIDR 调整。

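# Route the pod network (10.244.0.0/16 here — check your cluster's pod
# CIDR) via 192.168.10.33, presumably a cluster node, so the VM can reach
# istiod's pod-network address.  Needs root.  `ip route` replaces the
# deprecated net-tools `route`.  The route is not persistent: re-add it
# at boot through the host's network configuration.
ip route add 10.244.0.0/16 via 192.168.10.33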

3.3 安装sidecar

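# Fetch and install the Istio sidecar package.  Pin the version to the
# control plane version running in the cluster (1.14.1 here).
# The package installs services that run with elevated privileges on the
# VM, so verify the download against the checksum/signature published for
# this release before installing it — do not `dpkg -i` an unverified file.
ISTIO_VERSION=1.14.1
curl -fsSLO "https://storage.googleapis.com/istio-release/releases/${ISTIO_VERSION}/deb/istio-sidecar.deb"
# TODO(review): verify the checksum of istio-sidecar.deb here.
dpkg -i istio-sidecar.deb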

3.4 创建wg

workloadgroup 可以理解为一个模板，类似于 deployment：wg 的 template 描述这些节点有什么标签、以什么 sa 来运行等，开启自动注册后 VM 连上 istiod 时会按它生成 WorkloadEntry。其中 serviceAccount 决定了 VM 在网格中的身份，3.5 生成的令牌也属于这个 sa。

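apiVersion: networking.istio.io/v1alpha3
kind: WorkloadGroup
metadata:
  name: mywg
  namespace: ns1
spec:
  # Labels/annotations stamped onto every WorkloadEntry created from this
  # group; `app: test` is what the Service in 3.8 selects on.
  metadata:
    annotations: {}
    labels:
      app: test
  template:
    ports: {}
    # Identity the VM proxy runs as.  The bootstrap bundle generated from
    # this group (3.5) carries a token for this account, so any manually
    # written WorkloadEntry for these VMs must declare the same account.
    serviceAccount: default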

3.5 生成 VM 的证书、令牌和 sidecar 配置

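# Generate the VM bootstrap bundle (root-cert.pem, istio-token,
# cluster.env, mesh.yaml) from the WorkloadGroup.  The bundle contains a
# service-account token, so create the output directory readable only by
# the current user, tighten the generated files, and move the bundle to
# the VM over an authenticated channel (scp/ssh) — never via a shared or
# world-readable location.
mkdir -m 0700 11
istioctl x workload entry configure -f wg.yaml -o 11
chmod 600 11/*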

3.6 启动sidecar

在虚拟机上安装根证书

# Trust anchor of the mesh CA; the proxy uses it to verify istiod.
install -d /etc/certs
cp 11/root-cert.pem /etc/certs/root-cert.pem

安装令牌（它是集群 ServiceAccount 的凭据：拷贝和存放时应限制为仅 sidecar 用户可读，不要留在可被其他用户读取的位置）

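# istio-token is a Kubernetes service-account credential that the proxy
# presents to istiod; keep it readable by its owner only (ownership is
# handed to istio-proxy in the chown step below).  cluster.env carries
# the cluster/namespace/service-account settings the proxy reads.
mkdir -p /var/run/secrets/tokens
cp 11/istio-token /var/run/secrets/tokens/istio-token
chmod 600 /var/run/secrets/tokens/istio-token
cp 11/cluster.env /var/lib/istio/envoy/cluster.env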

将网格配置安装到/etc/istio/config/mesh

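cp 11/mesh.yaml /etc/istio/config/mesh
mkdir -p /etc/istio/proxy
# Hand the proxy's own directories to the istio-proxy user.  The secrets
# ownership is scoped to the token directory only: a recursive chown of
# /var/run/secrets would give the proxy user every credential any other
# service stores under that tree.  (/etc/certs already covers
# root-cert.pem.)
chown -R istio-proxy /var/lib/istio /etc/certs /etc/istio/proxy /etc/istio/config /var/run/secrets/tokens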

修改 /etc/hosts，把 istiod.istio-system.svc 指向 istiod 在 Pod 网段内的地址（该地址在 istiod 重新调度后会变化，需要同步更新）

# istiod.istio-system.svc -> an address inside the pod network routed in
# 3.2 (presumably istiod's pod IP).  Pod IPs change when istiod is
# rescheduled; prefer a stable address (ClusterIP or an east-west
# gateway) or update this line whenever istiod moves.
10.244.186.141 istiod.istio-system.svc

启动sidecar

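# Start the sidecar and fail loudly if it did not come up (see
# `journalctl -u istio` for the reason).
systemctl start istio
systemctl is-active --quiet istio || { echo 'istio sidecar failed to start' >&2; exit 1; }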

3.7 创建we

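apiVersion: networking.istio.io/v1beta1
kind: WorkloadEntry
metadata:
  name: test-vm-2
  namespace: ns1
spec:
  # Must match the WorkloadGroup template (3.4): that is the account whose
  # token the VM proxy holds, so a different account here would give this
  # entry an identity the VM's certificate does not carry.
  # NOTE(review): with auto-registration enabled in 3.1, istiod should
  # create this entry itself when the VM proxy connects; a hand-written
  # entry is only needed when auto-registration is not used.
  serviceAccount: default
  address: 192.168.10.10
  labels:
    app: test
    instance-id: vm2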

3.8 创建svc

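apiVersion: v1
kind: Service
metadata:
  name: vm-svc
  namespace: ns1
  labels:
    app: test
spec:
  ports:
    # The "http-" prefix marks the port as HTTP for Istio; 8888 is the
    # port the application listens on on the VM.
    - port: 80
      name: http-vm
      targetPort: 8888
  # Matches the VM WorkloadEntry labels, so the VM becomes an endpoint.
  selector:
    app: test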

3.9 创建vs

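apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
  name: myvs4
  namespace: ns1
spec:
  hosts:
    - cc.rhce.cc
  # NOTE(review): no `gateways` list, so this rule applies to in-mesh
  # sidecars only; if cc.rhce.cc must be reachable through the ingress
  # gateway, add a Gateway and list it here — verify against how the
  # request in 3.11 enters the mesh.
  http:
    - timeout: 5s
      route:
        - destination:
            # Fully qualified so the destination resolves to the ns1
            # Service regardless of the namespace this rule is applied in.
            host: vm-svc.ns1.svc.cluster.local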

3.10 关闭 mtls（仅用于排障：关闭后 sidecar 之间的流量不再加密，也失去了基于证书身份的对等认证；生产环境应使用 STRICT，至少是 PERMISSIVE）

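apiVersion: security.istio.io/v1beta1
kind: PeerAuthentication
metadata:
  name: default
  # Scope explicitly: without a namespace this lands in whatever namespace
  # the kubectl context points at, and a policy named "default" in
  # istio-system would switch mTLS off for the whole mesh.
  namespace: ns1
spec:
  mtls:
    # DISABLE sends sidecar-to-sidecar traffic in plaintext and drops
    # certificate-based peer identity, so principal-based authorization
    # cannot be enforced.  Use it only while troubleshooting; PERMISSIVE
    # accepts both plaintext and mTLS, STRICT should be the end state.
    #mode: PERMISSIVE
    mode: DISABLE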

3.11 测试

# Run on the control node; the expected reply "test-nginx" comes from the
# workload behind vm-svc (the VM registered above).
root@control:~# curl cc.rhce.cc
test-nginx

3.12 创建se

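apiVersion: networking.istio.io/v1alpha3
kind: ServiceEntry
metadata:
  name: svc1
  namespace: ns1
spec:
  # NOTE(review): the Service in 3.8 already selects `app: test` and
  # exposes the same VM on port 80 -> 8888; this entry registers the same
  # workload again under the short host `vm-svc` on 8888.  Verify both
  # are needed — keep only one if not.
  hosts:
    - vm-svc
  ports:
    - number: 8888
      name: http
      protocol: HTTP
  # STATIC: endpoints come from the WorkloadEntries selected below, not
  # from DNS.
  resolution: STATIC
  workloadSelector:
    labels:
      app: test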

3.13 测试

# Run from a pod inside the mesh; the expected reply "test-nginx" comes
# from the VM workload resolved through vm-svc.
root@pod1:/# curl vm-svc
test-nginx