Installation

Using Istio in a non-Kubernetes environment involves a few key tasks:

  1. Setting up the Istio control plane with the Istio API server
  2. Adding the Istio sidecar to every instance of a service
  3. Ensuring requests are routed through the sidecars

Installing the control plane

The Istio control plane consists of four main services: Pilot, Mixer, CA, and the API server.

API Server

Istio’s API server (based on Kubernetes’ API server) provides key functions such as configuration management and Role-Based Access Control. The API server requires an etcd cluster as a persistent store. Detailed instructions for setting up the API server can be found here. Documentation on the set of startup options for the Kubernetes API server can be found here.

Local installation

For proof of concept purposes, it is possible to install a simple single container API server using the following Docker Compose file:

    version: '2'
    services:
      # etcd is the persistent store for the API server.
      # Here it listens on plain HTTP with no client authentication (proof of concept only).
      etcd:
        image: quay.io/coreos/etcd:latest
        networks:
          default:
            aliases:
              - etcd
        ports:
          - "4001:4001"
          - "2380:2380"
          - "2379:2379"
        environment:
          - SERVICE_IGNORE=1
        command: [
          "/usr/local/bin/etcd",
          "-advertise-client-urls=http://0.0.0.0:2379",
          "-listen-client-urls=http://0.0.0.0:2379"
          ]
      # Single-container Kubernetes API server acting as the Istio API server.
      # --insecure-port serves the API without authentication or authorization,
      # and --insecure-bind-address 0.0.0.0 exposes it on every interface.
      istio-apiserver:
        image: gcr.io/google_containers/kube-apiserver-amd64:v1.7.3
        networks:
          default:
            aliases:
              - apiserver
        ports:
          - "8080:8080"
        privileged: true
        environment:
          - SERVICE_IGNORE=1
        command: [
          "kube-apiserver", "--etcd-servers", "http://etcd:2379",
          "--service-cluster-ip-range", "10.99.0.0/16",
          "--insecure-port", "8080",
          "-v", "2",
          "--insecure-bind-address", "0.0.0.0"
          ]

Other Istio components

Debian packages for Istio Pilot, Mixer, and CA are available through the Istio release. Alternatively, these components can be run as Docker containers (docker.io/istio/pilot, docker.io/istio/mixer, docker.io/istio/istio-ca). Note that these components are stateless and can be scaled horizontally. Each of these components depends on the Istio API server, which in turn depends on the etcd cluster for persistence.

Adding sidecars to service instances

Each instance of a service in an application must be accompanied by the Istio sidecar. Depending on the unit of your installation (Docker containers, VMs, bare metal nodes), the Istio sidecar needs to be installed into these components. For example, if your infrastructure uses VMs, the Istio sidecar process must be run on each VM that needs to be part of the service mesh.

Routing traffic through the Istio sidecar

Part of the sidecar installation should involve setting up appropriate iptables rules to transparently route the application’s network traffic through the Istio sidecars. The iptables script to set up such forwarding can be found here.

Note: This script must be executed before starting the application or the sidecar process.
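
The kind of redirection described above, together with a check that the rules are in place and correctly ordered, can be sketched as follows. This is an added example, not Istio's own script: the chain names SIDECAR_REDIRECT and SIDECAR_OUTPUT are hypothetical, and the sidecar port 15001 and sidecar UID 1337 are constructed sample values.

```shell
#!/bin/sh
# Added example, not Istio's script. Chain names are hypothetical; the port
# and UID passed in below are constructed sample values.

# Emit nat-table rules that redirect all TCP to the sidecar listening on
# port $1. Traffic owned by the sidecar's UID ($2) is exempted first, or the
# proxy's own upstream connections would loop back into it.
redirect_rules() {
  port=$1 uid=$2
  cat <<EOF
-t nat -N SIDECAR_REDIRECT
-t nat -A SIDECAR_REDIRECT -p tcp -j REDIRECT --to-ports $port
-t nat -A PREROUTING -p tcp -j SIDECAR_REDIRECT
-t nat -N SIDECAR_OUTPUT
-t nat -A OUTPUT -p tcp -j SIDECAR_OUTPUT
-t nat -A SIDECAR_OUTPUT -m owner --uid-owner $uid -j RETURN
-t nat -A SIDECAR_OUTPUT -d 127.0.0.1/32 -j RETURN
-t nat -A SIDECAR_OUTPUT -j SIDECAR_REDIRECT
EOF
}

# Install the rules (root required). Run before the application and sidecar.
apply_rules() {
  redirect_rules "$1" "$2" | while read -r rule; do
    iptables $rule || return 1   # unquoted on purpose: one rule, many args
  done
}

# Audit `iptables -t nat -S` output on stdin: both hooks must exist, and the
# exemption for UID $1 must precede the catch-all redirect. Exit 0 if sound.
verify_rules() {
  awk -v uid="$1" '
    /^-A PREROUTING .*-j SIDECAR_REDIRECT/ { inbound = 1 }
    /^-A OUTPUT .*-j SIDECAR_OUTPUT/       { outbound = 1 }
    /^-A SIDECAR_OUTPUT .*--uid-owner / && $0 ~ ("--uid-owner " uid " ") { exempt = NR }
    /^-A SIDECAR_OUTPUT -j SIDECAR_REDIRECT/ { catchall = NR }
    END { exit !(inbound && outbound && exempt && catchall && exempt < catchall) }'
}

# Dry run: show the rules, then audit them in the format `iptables -S` prints.
redirect_rules 15001 1337
if redirect_rules 15001 1337 | sed 's/^-t nat //' | verify_rules 1337; then
  echo "redirect rules are complete and correctly ordered"
fi
```

On a configured host, `iptables -t nat -S | verify_rules 1337` performs the same audit against the live rule set. Any process running under the exempted UID bypasses the sidecar, so that UID should be reserved for the proxy alone.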