从 Apigee Hybrid 1.8 版开始,Apigee Hybrid 使用 Apigee 入站流量网关为 Hybrid 安装提供入站流量网关。如果您希望将 Anthos Service Mesh 用于入站流量,请按照以下步骤在集群中安装 Anthos Service Mesh。
支持的 Anthos Service Mesh 版本
如需查看 Hybrid 1.8 版支持的 Anthos Service Mesh 版本,请参阅 Apigee Hybrid:支持的平台。
如果要升级 Hybrid 安装,请按照升级 Anthos Service Mesh 中的说明操作。
安装 Anthos Service Mesh
仅当您不使用 Apigee 入站流量网关时,才在新的 Apigee Hybrid 安装上执行这些步骤。
按照适合您平台的 Anthos Service Mesh 文档执行这些过程:
安装和配置 Anthos Service Mesh 的说明因平台而异。这些平台分为以下几种类别:
- GKE:在 Google Cloud 上运行的 Google Kubernetes Engine 集群。
- Google Cloud 外部:在以下位置运行的 Anthos 集群:
- Anthos clusters on VMware (GKE on-prem)
- Anthos on Bare Metal
- Anthos clusters on AWS
- Amazon EKS
- 其他 Kubernetes 平台:在以下平台上创建和运行的合规集群:
- AKS
- EKS
- OpenShift
GKE
安装 Anthos Service Mesh 的顺序如下:
- 准备安装。
- 安装新版本的 Anthos Service Mesh。
准备安装 Anthos Service Mesh
- 查看升级 Anthos Service Mesh 中的要求,但尚不执行升级。
- 创建新的
overlay.yaml文件,或验证现有overlay.yaml是否包含以下内容:apiVersion: install.istio.io/v1alpha1 kind: IstioOperator spec: components: ingressGateways: - name: istio-ingressgateway enabled: true k8s: nodeSelector: # default node selector, if different or not using node selectors, change accordingly. cloud.google.com/gke-nodepool: apigee-runtime resources: requests: cpu: 1000m service: type: LoadBalancer loadBalancerIP: STATIC_IP # If you do not have a reserved static IP, leave this out. ports: - name: http-status-port port: 15021 - name: http2 port: 80 targetPort: 8080 - name: https port: 443 targetPort: 8443 meshConfig: accessLogFormat: '{"start_time":"%START_TIME%","remote_address":"%DOWNSTREAM_DIRECT_REMOTE_ADDRESS%","user_agent":"%REQ(USER-AGENT)%","host":"%REQ(:AUTHORITY)%","request":"%REQ(:METHOD)% %REQ(X-ENVOY-ORIGINAL-PATH?:PATH)% %PROTOCOL%","request_time":"%DURATION%","status":"%RESPONSE_CODE%","status_details":"%RESPONSE_CODE_DETAILS%","bytes_received":"%BYTES_RECEIVED%","bytes_sent":"%BYTES_SENT%","upstream_address":"%UPSTREAM_HOST%","upstream_response_flags":"%RESPONSE_FLAGS%","upstream_response_time":"%RESPONSE_DURATION%","upstream_service_time":"%RESP(X-ENVOY-UPSTREAM-SERVICE-TIME)%","upstream_cluster":"%UPSTREAM_CLUSTER%","x_forwarded_for":"%REQ(X-FORWARDED-FOR)%","request_method":"%REQ(:METHOD)%","request_path":"%REQ(X-ENVOY-ORIGINAL-PATH?:PATH)%","request_protocol":"%PROTOCOL%","tls_protocol":"%DOWNSTREAM_TLS_VERSION%","request_id":"%REQ(X-REQUEST-ID)%","sni_host":"%REQUESTED_SERVER_NAME%","apigee_dynamic_data":"%DYNAMIC_METADATA(envoy.lua)%"}'
- 按照 Anthos Service Mesh 文档中以下部分的说明操作:
Google Cloud 外部
下面的说明介绍了如何在以下各项上升级 Anthos Service Mesh:
- Anthos clusters on VMware (GKE on-prem)
- Anthos on Bare Metal
- Anthos clusters on AWS
- Amazon EKS
安装 Anthos Service Mesh 的顺序如下:
- 准备安装。
- 安装新版本的 Anthos Service Mesh。
准备安装 Anthos Service Mesh
- 查看升级 Anthos Service Mesh 中的要求,但尚不执行升级。
- 创建新的
overlay.yaml文件,或验证现有overlay.yaml是否包含以下内容:apiVersion: install.istio.io/v1alpha1 kind: IstioOperator spec: components: ingressGateways: - name: istio-ingressgateway enabled: true k8s: nodeSelector: # default node selector, if different or not using node selectors, change accordingly. cloud.google.com/gke-nodepool: apigee-runtime resources: requests: cpu: 1000m service: type: LoadBalancer loadBalancerIP: STATIC_IP # If you do not have a reserved static IP, leave this out. ports: - name: http-status-port port: 15021 - name: http2 port: 80 targetPort: 8080 - name: https port: 443 targetPort: 8443 values: gateways: istio-ingressgateway: runAsRoot: true meshConfig: accessLogFormat: '{"start_time":"%START_TIME%","remote_address":"%DOWNSTREAM_DIRECT_REMOTE_ADDRESS%","user_agent":"%REQ(USER-AGENT)%","host":"%REQ(:AUTHORITY)%","request":"%REQ(:METHOD)% %REQ(X-ENVOY-ORIGINAL-PATH?:PATH)% %PROTOCOL%","request_time":"%DURATION%","status":"%RESPONSE_CODE%","status_details":"%RESPONSE_CODE_DETAILS%","bytes_received":"%BYTES_RECEIVED%","bytes_sent":"%BYTES_SENT%","upstream_address":"%UPSTREAM_HOST%","upstream_response_flags":"%RESPONSE_FLAGS%","upstream_response_time":"%RESPONSE_DURATION%","upstream_service_time":"%RESP(X-ENVOY-UPSTREAM-SERVICE-TIME)%","upstream_cluster":"%UPSTREAM_CLUSTER%","x_forwarded_for":"%REQ(X-FORWARDED-FOR)%","request_method":"%REQ(:METHOD)%","request_path":"%REQ(X-ENVOY-ORIGINAL-PATH?:PATH)%","request_protocol":"%PROTOCOL%","tls_protocol":"%DOWNSTREAM_TLS_VERSION%","request_id":"%REQ(X-REQUEST-ID)%","sni_host":"%REQUESTED_SERVER_NAME%","apigee_dynamic_data":"%DYNAMIC_METADATA(envoy.lua)%"}'
- 按照 Anthos Service Mesh 文档中以下部分的说明操作:
AKS / EKS
准备安装 Anthos Service Mesh
- 将 Anthos Service Mesh 安装文件下载到当前工作目录中:
curl -LO https://storage.googleapis.com/gke-release/asm/istio-1.13.9-asm.10-linux-amd64.tar.gz
- 下载签名文件并使用 OpenSSL 验证签名:
curl -LO https://storage.googleapis.com/gke-release/asm/istio-1.13.9-asm.10-linux-amd64.tar.gz.1.sig
openssl dgst -verify /dev/stdin -signature istio-1.13.9-asm.10-linux-amd64.tar.gz.1.sig istio-1.13.9-asm.10.tar.gz <<'EOF'-----BEGIN PUBLIC KEY----- MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEWZrGCUaJJr1H8a36sG4UUoXvlXvZ wQfk16sxprI2gOJ2vFFggdq3ixF2h4qNBt0kI7ciDhgpwS8t+/960IsIgw== -----END PUBLIC KEY----- EOF - 将文件内容提取到文件系统上的任意位置。例如,如需将内容提取到当前工作目录,请运行以下命令:
tar xzf istio-1.13.9-asm.10-linux-amd64.tar.gz
该命令会在当前工作目录中创建一个名为
istio-1.13.9-asm.10的安装目录,其中包含:samples目录中的示例应用。- 用于安装 Anthos Service Mesh 的
istioctl命令行工具位于bin目录中。 - Anthos Service Mesh 配置文件位于
manifests/profiles目录中。
- 确保您位于 Anthos Service Mesh 安装的根目录。
cd istio-1.13.9-asm.10
- 为方便起见,请将
/bin目录中的工具添加到PATH:export PATH=$PWD/bin:$PATH
- 将 Anthos Service Mesh 安装文件下载到当前工作目录中:
curl -LO https://storage.googleapis.com/gke-release/asm/istio-1.13.9-asm.10-osx.tar.gz
- 下载签名文件并使用 OpenSSL 验证签名:
curl -LO https://storage.googleapis.com/gke-release/asm/istio-1.13.9-asm.10-osx.tar.gz.1.sig
openssl dgst -sha256 -verify /dev/stdin -signature istio-1.13.9-asm.10-osx.tar.gz.1.sig istio-1.13.9-asm.10.tar.gz <<'EOF'-----BEGIN PUBLIC KEY----- MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEWZrGCUaJJr1H8a36sG4UUoXvlXvZ wQfk16sxprI2gOJ2vFFggdq3ixF2h4qNBt0kI7ciDhgpwS8t+/960IsIgw== -----END PUBLIC KEY----- EOF - 将文件内容提取到文件系统上的任意位置。例如,如需将内容提取到当前工作目录,请运行以下命令:
tar xzf istio-1.13.9-asm.10-osx.tar.gz
该命令会在当前工作目录中创建一个名为
istio-1.13.9-asm.10的安装目录,其中包含:samples目录中的示例应用。- 用于安装 Anthos Service Mesh 的
istioctl命令行工具位于bin目录中。 - Anthos Service Mesh 配置文件位于
manifests/profiles目录中。
- 确保您位于 Anthos Service Mesh 安装的根目录。
cd istio-1.13.9-asm.10
- 为方便起见,请将
/bin目录中的工具添加到PATH:export PATH=$PWD/bin:$PATH
- 将 Anthos Service Mesh 安装文件下载到当前工作目录中:
curl -LO https://storage.googleapis.com/gke-release/asm/istio-1.13.9-asm.10-win.zip
- 下载签名文件并使用 OpenSSL 验证签名:
curl -LO https://storage.googleapis.com/gke-release/asm/istio-1.13.9-asm.10-win.zip.1.sig
openssl dgst -verify - -signature istio-1.13.9-asm.10-win.zip.1.sig istio-1.13.9-asm.10.win.zip <<'EOF'-----BEGIN PUBLIC KEY----- MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEWZrGCUaJJr1H8a36sG4UUoXvlXvZ wQfk16sxprI2gOJ2vFFggdq3ixF2h4qNBt0kI7ciDhgpwS8t+/960IsIgw== -----END PUBLIC KEY----- EOF - 将文件内容提取到文件系统上的任意位置。例如,如需将内容提取到当前工作目录,请运行以下命令:
tar xzf istio-1.13.9-asm.10-win.zip
该命令会在当前工作目录中创建一个名为
istio-1.13.9-asm.10的安装目录,其中包含:samples目录中的示例应用。- 用于安装 Anthos Service Mesh 的
istioctl命令行工具位于bin目录中。 - Anthos Service Mesh 配置文件位于
manifests\profiles目录中。
- 确保您位于 Anthos Service Mesh 安装的根目录。
cd istio-1.13.9-asm.10
- 为方便起见,请将 \bin 目录中的工具添加到 PATH:
set PATH=%CD%\bin:%PATH%
- 现在,Anthos Service Mesh Istio 已安装,请检查
istioctl的版本:istioctl version
- 为控制平面组件创建一个名为 istio-system 的命名空间:
kubectl create namespace istio-system
Linux
Mac OS
Windows
安装 Anthos Service Mesh
- 修改
overlay.yaml文件或创建包含以下内容的新文件:apiVersion: install.istio.io/v1alpha1 kind: IstioOperator spec: meshConfig: accessLogFile: /dev/stdout enableTracing: true accessLogFormat: '{"start_time":"%START_TIME%","remote_address":"%DOWNSTREAM_DIRECT_REMOTE_ADDRESS%","user_agent":"%REQ(USER-AGENT)%","host":"%REQ(:AUTHORITY)%","request":"%REQ(:METHOD)% %REQ(X-ENVOY-ORIGINAL-PATH?:PATH)% %PROTOCOL%","request_time":"%DURATION%","status":"%RESPONSE_CODE%","status_details":"%RESPONSE_CODE_DETAILS%","bytes_received":"%BYTES_RECEIVED%","bytes_sent":"%BYTES_SENT%","upstream_address":"%UPSTREAM_HOST%","upstream_response_flags":"%RESPONSE_FLAGS%","upstream_response_time":"%RESPONSE_DURATION%","upstream_service_time":"%RESP(X-ENVOY-UPSTREAM-SERVICE-TIME)%","upstream_cluster":"%UPSTREAM_CLUSTER%","x_forwarded_for":"%REQ(X-FORWARDED-FOR)%","request_method":"%REQ(:METHOD)%","request_path":"%REQ(X-ENVOY-ORIGINAL-PATH?:PATH)%","request_protocol":"%PROTOCOL%","tls_protocol":"%DOWNSTREAM_TLS_VERSION%","request_id":"%REQ(X-REQUEST-ID)%","sni_host":"%REQUESTED_SERVER_NAME%","apigee_dynamic_data":"%DYNAMIC_METADATA(envoy.lua)%"}' components: ingressGateways: - name: istio-ingressgateway enabled: true k8s: service: type: LoadBalancer ports: - name: status-port port: 15021 targetPort: 15021 - name: http2 port: 80 targetPort: 8080 - name: https port: 443 targetPort: 8443 - 使用
asm-multicloud配置文件,利用istioctl来安装 Anthos Service Mesh:istioctl install \ --set profile=asm-multicloud \ --set revision="asm-1139-10" \ --filename overlay.yaml输出应如下所示:
kubectl get pods -n istio-system NAME READY STATUS RESTARTS AGE istio-ingressgateway-88b6fd976-flgp2 1/1 Running 0 3m13s istio-ingressgateway-88b6fd976-p5dl9 1/1 Running 0 2m57s istiod-asm-1139-10-798ffb964-2ls88 1/1 Running 0 3m21s istiod-asm-1139-10-798ffb964-fnj8c 1/1 Running 1 3m21s
--set revision参数会将格式为istio.io/rev=asm-1139-10的修订版本标签添加到istiod。自动边车注入器网络钩子使用修订版本标签将注入的边车与特定istiod修订版本相关联。如需为命名空间启用边车自动注入功能,您必须使用一个与istiod上的标签匹配的修订版本来为其添加标签。 - 验证安装是否已完成:
kubectl get svc -n istio-system
输出应如下所示:
NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE istio-ingressgateway LoadBalancer 172.200.48.52 34.74.177.168 15021:30479/TCP,80:30030/TCP,443:32200/TCP,15012:32297/TCP,15443:30244/TCP 3m35s istiod ClusterIP 172.200.18.133 <none> 15010/TCP,15012/TCP,443/TCP,15014/TCP 4m46s istiod-asm-1139-10 ClusterIP 172.200.63.220 <none> 15010/TCP,15012/TCP,443/TCP,15014/TCP 3m43s
OpenShift
准备安装 Anthos Service Mesh
- 在安装新版本之前,确定当前修订版本。您需要使用此信息从当前 Anthos Service Mesh 安装中删除验证 webhook 和更改 webhook。使用以下命令将当前
istiod修订版本存储到环境变量中:export DELETE_REV=$(kubectl get deploy -n istio-system -l app=istiod -o jsonpath={.items[*].metadata.labels.'istio\.io\/rev'}'{"\n"}')echo $DELETE_REV输出应类似于
1.12.9-asm.2 - 使用以下 OpenShift CLI (
oc) 命令向 istio-system 授予anyuid安全上下文限制条件 (SCC):oc adm policy add-scc-to-group anyuid system:serviceaccounts:istio-system
- 将 Anthos Service Mesh 安装文件下载到当前工作目录中:
curl -LO https://storage.googleapis.com/gke-release/asm/istio-1.13.9-asm.10-linux-amd64.tar.gz
- 下载签名文件并使用 OpenSSL 验证签名:
curl -LO https://storage.googleapis.com/gke-release/asm/istio-1.13.9-asm.10-linux-amd64.tar.gz.1.sig
openssl dgst -verify /dev/stdin -signature istio-1.13.9-asm.10-linux-amd64.tar.gz.1.sig istio-1.13.9-asm.10.tar.gz <<'EOF'-----BEGIN PUBLIC KEY----- MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEWZrGCUaJJr1H8a36sG4UUoXvlXvZ wQfk16sxprI2gOJ2vFFggdq3ixF2h4qNBt0kI7ciDhgpwS8t+/960IsIgw== -----END PUBLIC KEY----- EOF - 将文件内容提取到文件系统上的任意位置。例如,如需将内容提取到当前工作目录,请运行以下命令:
tar xzf istio-1.13.9-asm.10-linux-amd64.tar.gz
该命令会在当前工作目录中创建一个名为
istio-1.13.9-asm.10的安装目录,其中包含:samples目录中的示例应用。- 用于安装 Anthos Service Mesh 的
istioctl命令行工具位于bin目录中。 - Anthos Service Mesh 配置文件位于
manifests/profiles目录中。
- 确保您位于 Anthos Service Mesh 安装的根目录。
cd istio-1.13.9-asm.10
- 为方便起见,请将
/bin目录中的工具添加到PATH:export PATH=$PWD/bin:$PATH
- 使用以下 OpenShift CLI (
oc) 命令向 istio-system 授予anyuid安全上下文限制条件 (SCC):oc adm policy add-scc-to-group anyuid system:serviceaccounts:istio-system
- 将 Anthos Service Mesh 安装文件下载到当前工作目录中:
curl -LO https://storage.googleapis.com/gke-release/asm/istio-1.13.9-asm.10-osx.tar.gz
- 下载签名文件并使用 OpenSSL 验证签名:
curl -LO https://storage.googleapis.com/gke-release/asm/istio-1.13.9-asm.10-osx.tar.gz.1.sig
openssl dgst -sha256 -verify /dev/stdin -signature istio-1.13.9-asm.10-osx.tar.gz.1.sig istio-1.13.9-asm.10.tar.gz <<'EOF'-----BEGIN PUBLIC KEY----- MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEWZrGCUaJJr1H8a36sG4UUoXvlXvZ wQfk16sxprI2gOJ2vFFggdq3ixF2h4qNBt0kI7ciDhgpwS8t+/960IsIgw== -----END PUBLIC KEY----- EOF - 将文件内容提取到文件系统上的任意位置。例如,如需将内容提取到当前工作目录,请运行以下命令:
tar xzf istio-1.13.9-asm.10-osx.tar.gz
该命令会在当前工作目录中创建一个名为
istio-1.13.9-asm.10的安装目录,其中包含:samples目录中的示例应用。- 用于安装 Anthos Service Mesh 的
istioctl命令行工具位于bin目录中。 - Anthos Service Mesh 配置文件位于
manifests/profiles目录中。
- 确保您位于 Anthos Service Mesh 安装的根目录。
cd istio-1.13.9-asm.10
- 为方便起见,请将
/bin目录中的工具添加到PATH:export PATH=$PWD/bin:$PATH
- 使用以下 OpenShift CLI (
oc) 命令向 istio-system 授予anyuid安全上下文限制条件 (SCC):oc adm policy add-scc-to-group anyuid system:serviceaccounts:istio-system
- 将 Anthos Service Mesh 安装文件下载到当前工作目录中:
curl -LO https://storage.googleapis.com/gke-release/asm/istio-1.13.9-asm.10-win.zip
- 下载签名文件并使用 OpenSSL 验证签名:
curl -LO https://storage.googleapis.com/gke-release/asm/istio-1.13.9-asm.10-win.zip.1.sig
openssl dgst -verify - -signature istio-1.13.9-asm.10-win.zip.1.sig istio-1.13.9-asm.10.win.zip <<'EOF'-----BEGIN PUBLIC KEY----- MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEWZrGCUaJJr1H8a36sG4UUoXvlXvZ wQfk16sxprI2gOJ2vFFggdq3ixF2h4qNBt0kI7ciDhgpwS8t+/960IsIgw== -----END PUBLIC KEY----- EOF - 将文件内容提取到文件系统上的任意位置。例如,如需将内容提取到当前工作目录,请运行以下命令:
tar xzf istio-1.13.9-asm.10-win.zip
该命令会在当前工作目录中创建一个名为
istio-1.13.9-asm.10的安装目录,其中包含:samples目录中的示例应用。- 用于安装 Anthos Service Mesh 的
istioctl命令行工具位于bin目录中。 - Anthos Service Mesh 配置文件位于
manifests\profiles目录中。
- 确保您位于 Anthos Service Mesh 安装的根目录。
cd istio-1.13.9-asm.10
- 为方便起见,请将 \bin 目录中的工具添加到 PATH:
set PATH=%CD%\bin:%PATH%
- 现在,Anthos Service Mesh Istio 已安装,请检查
istioctl的版本:istioctl version
- 为控制平面组件创建一个名为 istio-system 的命名空间:
kubectl create namespace istio-system
Linux
Mac OS
Windows
配置验证网络钩子
安装 Anthos Service Mesh 时,您可以在 istiod 上设置修订版本标签。您需要在验证网络钩子上设置相同的修订版本。
- 创建一个名为
istiod-service.yaml且包含以下内容的文件:apiVersion: v1 kind: Service metadata: name: istiod namespace: istio-system labels: istio.io/rev: asm-1139-10 app: istiod istio: pilot release: istio spec: ports: - port: 15010 name: grpc-xds # plaintext protocol: TCP - port: 15012 name: https-dns # mTLS with k8s-signed cert protocol: TCP - port: 443 name: https-webhook # validation and injection targetPort: 15017 protocol: TCP - port: 15014 name: http-monitoring # prometheus stats protocol: TCP selector: app: istiod istio.io/rev: asm-1139-10 meshConfig: accessLogFormat: '{"start_time":"%START_TIME%","remote_address":"%DOWNSTREAM_DIRECT_REMOTE_ADDRESS%","user_agent":"%REQ(USER-AGENT)%","host":"%REQ(:AUTHORITY)%","request":"%REQ(:METHOD)% %REQ(X-ENVOY-ORIGINAL-PATH?:PATH)% %PROTOCOL%","request_time":"%DURATION%","status":"%RESPONSE_CODE%","status_details":"%RESPONSE_CODE_DETAILS%","bytes_received":"%BYTES_RECEIVED%","bytes_sent":"%BYTES_SENT%","upstream_address":"%UPSTREAM_HOST%","upstream_response_flags":"%RESPONSE_FLAGS%","upstream_response_time":"%RESPONSE_DURATION%","upstream_service_time":"%RESP(X-ENVOY-UPSTREAM-SERVICE-TIME)%","upstream_cluster":"%UPSTREAM_CLUSTER%","x_forwarded_for":"%REQ(X-FORWARDED-FOR)%","request_method":"%REQ(:METHOD)%","request_path":"%REQ(X-ENVOY-ORIGINAL-PATH?:PATH)%","request_protocol":"%PROTOCOL%","tls_protocol":"%DOWNSTREAM_TLS_VERSION%","request_id":"%REQ(X-REQUEST-ID)%","sni_host":"%REQUESTED_SERVER_NAME%","apigee_dynamic_data":"%DYNAMIC_METADATA(envoy.lua)%"}'
- 使用
kubectl应用验证网络钩子配置:kubectl apply -f istiod-service.yaml
- 验证配置是否已应用:
kubectl get svc -n istio-system
响应应如下所示:
NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE istiod ClusterIP 172.200.18.133 <none> 15010/TCP,15012/TCP,443/TCP,15014/TCP 22s
安装 Anthos Service Mesh
- 修改
overlay.yaml文件或创建包含以下内容的新文件:apiVersion: install.istio.io/v1alpha1 kind: IstioOperator spec: meshConfig: accessLogFile: /dev/stdout enableTracing: true accessLogFormat: '{"start_time":"%START_TIME%","remote_address":"%DOWNSTREAM_DIRECT_REMOTE_ADDRESS%","user_agent":"%REQ(USER-AGENT)%","host":"%REQ(:AUTHORITY)%","request":"%REQ(:METHOD)% %REQ(X-ENVOY-ORIGINAL-PATH?:PATH)% %PROTOCOL%","request_time":"%DURATION%","status":"%RESPONSE_CODE%","status_details":"%RESPONSE_CODE_DETAILS%","bytes_received":"%BYTES_RECEIVED%","bytes_sent":"%BYTES_SENT%","upstream_address":"%UPSTREAM_HOST%","upstream_response_flags":"%RESPONSE_FLAGS%","upstream_response_time":"%RESPONSE_DURATION%","upstream_service_time":"%RESP(X-ENVOY-UPSTREAM-SERVICE-TIME)%","upstream_cluster":"%UPSTREAM_CLUSTER%","x_forwarded_for":"%REQ(X-FORWARDED-FOR)%","request_method":"%REQ(:METHOD)%","request_path":"%REQ(X-ENVOY-ORIGINAL-PATH?:PATH)%","request_protocol":"%PROTOCOL%","tls_protocol":"%DOWNSTREAM_TLS_VERSION%","request_id":"%REQ(X-REQUEST-ID)%","sni_host":"%REQUESTED_SERVER_NAME%","apigee_dynamic_data":"%DYNAMIC_METADATA(envoy.lua)%"}' components: ingressGateways: - name: istio-ingressgateway enabled: true k8s: service: type: LoadBalancer ports: - name: status-port port: 15021 targetPort: 15021 - name: http2 port: 80 targetPort: 8080 - name: https port: 443 targetPort: 8443 - 使用
asm-multicloud配置文件,利用istioctl来安装 Anthos Service Mesh:istioctl install \ --set profile=asm-multicloud \ --set revision="asm-1139-10" \ --filename overlayfile.yaml输出应如下所示:
kubectl get pods -n istio-system NAME READY STATUS RESTARTS AGE istio-ingressgateway-88b6fd976-flgp2 1/1 Running 0 3m13s istio-ingressgateway-88b6fd976-p5dl9 1/1 Running 0 2m57s istiod-asm-1139-10-798ffb964-2ls88 1/1 Running 0 3m21s istiod-asm-1139-10-798ffb964-fnj8c 1/1 Running 1 3m21s
--set revision参数会将格式为istio.io/rev=1.6.11-asm.1的修订版本标签添加到istiod。自动边车注入器网络钩子使用修订版本标签将注入的边车与特定istiod修订版本相关联。如需为命名空间启用边车自动注入功能,您必须使用一个与istiod上的标签匹配的修订版本来为其添加标签。 - 验证安装是否已完成:
kubectl get svc -n istio-system
输出应如下所示:
NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE istio-ingressgateway LoadBalancer 172.200.48.52 34.74.177.168 15021:30479/TCP,80:30030/TCP,443:32200/TCP,15012:32297/TCP,15443:30244/TCP 3m35s istiod ClusterIP 172.200.18.133 <none> 15010/TCP,15012/TCP,443/TCP,15014/TCP 4m46s istiod-asm-1139-10 ClusterIP 172.200.63.220 <none> 15010/TCP,15012/TCP,443/TCP,15014/TCP 3m43s