How to run Istio using Kubernetes in production. Part 1

What is Istio? It is what is called a service mesh: a technology that adds an abstraction layer on top of the network. We intercept all or part of the traffic in the cluster and perform a defined set of operations on it. Which ones? For example, we can do smart routing, or implement the circuit breaker approach, we can organize a "canary deployment" by partially switching traffic to a new version of a service, or we can restrict external interactions and control all calls from the cluster to the external network. It is possible to define policy rules to control calls between different microservices. Finally, we can obtain the whole map of network interactions and make metrics collection unified and completely transparent to the applications.

You can read about how it works in the official documentation. Istio is a really powerful tool that lets you solve many tasks and problems. In this article I want to answer the main questions that usually come up when getting started with Istio. That should help you get to grips with it faster.


How it works

Istio consists of two main areas: the control plane and the data plane. The control plane contains the main components that ensure the rest work correctly. In the current version (1.0) the control plane has three main components: Pilot, Mixer and Citadel. We will not consider Citadel; it is needed to generate the certificates that provide mutual TLS between services. Let us look at the internals and purpose of Pilot and Mixer.


Pilot is the main control component that distributes all the information about what we have in the cluster: services, their endpoints, and routing rules (for example, rules for a canary deployment or circuit breaker rules).

Mixer is an optional control plane component that provides the ability to collect metrics, logs and any other information about network interactions. It also checks compliance with policy rules and rate limits.
</gml_replace>
<gr_replace lines="19" cat="clarify" orig="Ana aiwatar da jirgin">
The data plane is implemented with sidecar proxy containers. By default the powerful envoy proxy is used. It can be replaced with another implementation, such as nginx (nginmesh).

Ana aiwatar da jirgin bayanan ta hanyar amfani da kwantena masu wakilci na gefen mota. Ana amfani da ƙarfi ta tsohuwa. wakili wakili. Ana iya maye gurbin shi da wani aiwatarwa, kamar nginx (nginmesh).

So that Istio works completely transparently for applications, there is an automatic injection mechanism. The latest implementation is suitable for Kubernetes versions 1.9+ (mutating admission webhook). For Kubernetes versions 1.7 and 1.8 it is possible to use Initializer.

Sidecar containers connect to Pilot using the GRPC protocol, which makes it possible to optimize the push model for changes happening in the cluster. GRPC has been used in Envoy since version 1.6; in Istio it has been used since version 0.8, and the component is pilot-agent, a golang wrapper around envoy that configures its launch options.

Pilot and Mixer are completely stateless components; all state is kept in memory. Their configuration is defined as Kubernetes Custom Resources, which are stored in etcd.
Istio-agent obtains the address of Pilot and opens a GRPC stream to it.

As I said, Istio implements all of its functionality completely transparently for applications. Let us see how. The algorithm is:

  1. A new version of the service is deployed.
  2. Depending on the sidecar injection approach, the istio-init container and the istio-agent proxy container (envoy) are added at the stage of applying the configuration, or they are already inserted manually into the description of the Kubernetes Pod entity.
  3. The istio-init container is a script that applies iptables rules to the pod. There are two options for configuring which traffic is wrapped into the istio-proxy container: iptables REDIRECT rules, or TPROXY. At the time of writing, the default approach is redirect rules. In istio-init it is possible to configure which traffic should be intercepted and sent to istio-proxy. For example, to intercept all incoming and outgoing traffic you need to set the -i and -b parameters to *. You can also specify particular ports to intercept. To leave a specific subnet unintercepted, you can specify it with the -x flag.
  4. After the init containers have run, the main containers start, including pilot-agent (envoy). It connects over GRPC to the already deployed Pilot and receives information about all existing services and routing policies in the cluster. Based on the received data, it configures clusters and points them directly at the endpoints of our applications in the Kubernetes cluster. Another important point must be noted here: envoy dynamically configures the listeners (IP, port) on which it starts listening. Therefore, when requests enter the pod and are redirected to the sidecar by the iptables redirect rules, envoy has already set up these connections and understands where to proxy the traffic next. Also at this stage information is sent to Mixer, which we will look at later, and tracing spans are sent.

As a result, we get a whole network of proxy servers that we can configure from a single point (Pilot). All incoming and outgoing requests pass through envoy. Moreover, only TCP traffic is intercepted. This means that the Kubernetes service IP is still resolved via kube-dns over UDP without any change. After resolution, the outgoing request is intercepted and handled by envoy, which has already decided which endpoint the request should be sent to (or not sent at all, in the case of access policies or a circuit breaker).

We have sorted out Pilot; now we need to understand how Mixer works and why it is needed. You can read the official documentation for it here.

Mixer in its current form consists of two components: istio-telemetry and istio-policy (before version 0.8 it was a single istio-mixer component). Both of them are mixers, each responsible for its own task. Istio-telemetry receives information about who calls whom and with what parameters from the sidecar containers via GRPC Report requests. Istio-policy accepts Check requests to verify that policy rules are satisfied. Naturally, policy checks are not performed for every request; they are cached on the client side (in the sidecar) for a certain time. Reports are sent as batched requests. We will see how to configure this and which parameters should be sent a little later.

Mixer is meant to be a highly available component that ensures uninterrupted collection and processing of telemetry data. The system therefore ends up as a multi-level buffer. First, data is buffered on the sidecar side, then on the mixer side, and then it is sent to the so-called mixer backends. As a result, if any component of the system fails, the buffer grows and is flushed once the system is restored. Mixer backends are the endpoints telemetry data is sent to: statsd, newrelic and so on. You can write your own backend; it is quite simple, and we will see how to do it.


To summarize, the flow of working with istio-telemetry is as follows.

  1. Service 1 sends a request to service 2.
  2. On leaving service 1, the request is wrapped by its sidecar.
  3. The sidecar envoy observes how the request goes to service 2 and prepares the necessary information.
  4. It then sends that information to istio-telemetry with a Report request.
  5. Istio-telemetry determines whether this Report should be sent to backends, to which ones, and what exactly should be sent.
  6. Istio-telemetry sends the Report data to the backend if required.

Now let us see how to deploy Istio in a system consisting only of the main components (Pilot and the sidecar envoy).

First, let us look at the main configuration (mesh) that Pilot reads:

apiVersion: v1
kind: ConfigMap
metadata:
  name: istio
  namespace: istio-system
  labels:
    app: istio
    service: istio
data:
  mesh: |-

    # for now we do not enable sending of tracing information (pilot will configure the envoys so that nothing is sent)
    enableTracing: false

    # for now we do not specify mixer endpoints, so that sidecar containers do not send information there
    #mixerCheckServer: istio-policy.istio-system:15004
    #mixerReportServer: istio-telemetry.istio-system:15004

    # the interval at which envoy will re-poll Pilot (this is for the old envoy proxy version)
    rdsRefreshDelay: 5s

    # default configuration for the envoy sidecar
    defaultConfig:
      # same as rdsRefreshDelay
      discoveryRefreshDelay: 5s

      # leave the defaults (path to the envoy configuration and binary)
      configPath: "/etc/istio/proxy"
      binaryPath: "/usr/local/bin/envoy"

      # default name of the running sidecar container (used, for example, in service names when sending tracing spans)
      serviceCluster: istio-proxy

      # how long envoy waits before forcibly closing all established connections
      drainDuration: 45s
      parentShutdownDuration: 1m0s

      # REDIRECT iptables rules are used by default. Can be changed to TPROXY.
      #interceptionMode: REDIRECT

      # port on which the admin panel of every sidecar container (envoy) will be started
      proxyAdminPort: 15000

      # address traces are sent to over the zipkin protocol (we disabled sending above, so this field is not used for now)
      zipkinAddress: tracing-collector.tracing:9411

      # statsd address for sending envoy container metrics (disabled)
      # statsdUdpAddress: aggregator:8126

      # disable support for the Mutual TLS option
      controlPlaneAuthPolicy: NONE

      # address on which istio-pilot listens in order to report service discovery information to all sidecar containers
      discoveryAddress: istio-pilot.istio-system:15007

All main control components (the control plane) will live in the istio-system namespace in Kubernetes.

At a minimum, we only need to deploy Pilot. For this we use such a configuration.

And we will configure sidecar injection into the container manually.

The init container:

initContainers:
 - name: istio-init
   args:
   - -p
   - "15001"
   - -u
   - "1337"
   - -m
   - REDIRECT
   - -i
   - '*'
   - -b
   - '*'
   - -d
   - ""
   image: istio/proxy_init:1.0.0
   imagePullPolicy: IfNotPresent
   resources:
     limits:
       memory: 128Mi
   securityContext:
     capabilities:
       add:
       - NET_ADMIN
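As an added example (not code from the article or from the Istio project), the following shell function renders the iptables rules that an istio-init container started with the arguments above would apply in REDIRECT mode, covering the -p, -u, -i, -b and -x parameters described in the algorithm earlier. The chain names and rule order follow Istio's istio-iptables.sh as I know it and are an assumption here; the function only prints the commands, so it runs without NET_ADMIN.

```shell
#!/bin/sh
# Renders (does not apply) the nat-table rules for REDIRECT interception.
# Arguments: PROXY_PORT PROXY_UID INBOUND_PORTS OUTBOUND_CIDRS EXCLUDE_CIDRS
#   INBOUND_PORTS  : "*" (all) or a comma list such as "8080,9090"  (-b)
#   OUTBOUND_CIDRS : "*" (all) or a comma list of destination CIDRs (-i)
#   EXCLUDE_CIDRS  : comma list of destinations never proxied (-x), may be empty
render_redirect_rules() {
  port=$1; uid=$2; inbound=$3; outbound=$4; exclude=$5
  echo "iptables -t nat -N ISTIO_REDIRECT"
  echo "iptables -t nat -A ISTIO_REDIRECT -p tcp -j REDIRECT --to-port $port"
  # Inbound: TCP arriving at the pod is handed to the proxy's inbound listener.
  echo "iptables -t nat -N ISTIO_INBOUND"
  echo "iptables -t nat -A PREROUTING -p tcp -j ISTIO_INBOUND"
  if [ "$inbound" = "*" ]; then
    echo "iptables -t nat -A ISTIO_INBOUND -p tcp -j ISTIO_REDIRECT"
  else
    for p in $(echo "$inbound" | tr ',' ' '); do
      echo "iptables -t nat -A ISTIO_INBOUND -p tcp --dport $p -j ISTIO_REDIRECT"
    done
  fi
  # Outbound: connections opened by the proxy itself (uid/gid 1337) must bypass
  # the redirect, otherwise envoy would capture its own upstream connections.
  echo "iptables -t nat -N ISTIO_OUTPUT"
  echo "iptables -t nat -A OUTPUT -p tcp -j ISTIO_OUTPUT"
  echo "iptables -t nat -A ISTIO_OUTPUT -o lo ! -d 127.0.0.1/32 -j ISTIO_REDIRECT"
  echo "iptables -t nat -A ISTIO_OUTPUT -m owner --uid-owner $uid -j RETURN"
  echo "iptables -t nat -A ISTIO_OUTPUT -m owner --gid-owner $uid -j RETURN"
  echo "iptables -t nat -A ISTIO_OUTPUT -d 127.0.0.1/32 -j RETURN"
  # Excluded subnets (-x) are placed before the catch-all, so they are never proxied.
  for c in $(echo "$exclude" | tr ',' ' '); do
    echo "iptables -t nat -A ISTIO_OUTPUT -d $c -j RETURN"
  done
  if [ "$outbound" = "*" ]; then
    echo "iptables -t nat -A ISTIO_OUTPUT -j ISTIO_REDIRECT"
  else
    for c in $(echo "$outbound" | tr ',' ' '); do
      echo "iptables -t nat -A ISTIO_OUTPUT -d $c -j ISTIO_REDIRECT"
    done
  fi
}

# The init container above: -p 15001 -u 1337 -m REDIRECT -i '*' -b '*' (no -x)
render_redirect_rules 15001 1337 '*' '*' ''
```

The uid-owner rule is why the sidecar below runs with runAsUser 1337: if the proxy ran as a different uid, its own upstream connections would be redirected back into it.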

And the sidecar:

       name: istio-proxy
       args:
         - "bash"
         - "-c"
         - |
           exec /usr/local/bin/pilot-agent proxy sidecar 
           --configPath 
           /etc/istio/proxy 
           --binaryPath 
           /usr/local/bin/envoy 
           --serviceCluster 
           service-name 
           --drainDuration 
           45s 
           --parentShutdownDuration 
           1m0s 
           --discoveryAddress 
           istio-pilot.istio-system:15007 
           --discoveryRefreshDelay 
           1s 
           --connectTimeout 
           10s 
           --proxyAdminPort 
           "15000" 
           --controlPlaneAuthPolicy 
           NONE
         env:
         - name: POD_NAME
           valueFrom:
             fieldRef:
               fieldPath: metadata.name
         - name: POD_NAMESPACE
           valueFrom:
             fieldRef:
               fieldPath: metadata.namespace
         - name: INSTANCE_IP
           valueFrom:
             fieldRef:
               fieldPath: status.podIP
         - name: ISTIO_META_POD_NAME
           valueFrom:
             fieldRef:
               fieldPath: metadata.name
         - name: ISTIO_META_INTERCEPTION_MODE
           value: REDIRECT
         image: istio/proxyv2:1.0.0
         imagePullPolicy: IfNotPresent
         resources:
           requests:
             cpu: 100m
             memory: 128Mi
           limits:
             memory: 2048Mi
         securityContext:
           privileged: false
           readOnlyRootFilesystem: true
           runAsUser: 1337
         volumeMounts:
         - mountPath: /etc/istio/proxy
           name: istio-envoy

For everything to start successfully, you need to create a ServiceAccount, ClusterRole, ClusterRoleBinding and the CRDs for Pilot; their description can be found here.

As a result, the service into which we inject the sidecar with envoy should start successfully, receive all discovery data from Pilot and process requests.

It is important to understand that all control plane components are stateless applications and can be scaled horizontally without problems. All data is stored in etcd in the form of custom descriptions of Kubernetes resources.

Istio also has the (still experimental) ability to run outside the cluster and to watch and share service discovery across several Kubernetes clusters. You can read more about this here.

For a multi-cluster installation, keep the following restrictions in mind:

  1. The Pod CIDR and Service CIDR must be unique across all clusters and must not overlap.
  2. All Pod CIDRs must be reachable from any Pod CIDR across the clusters.
  3. All Kubernetes API servers must be reachable from each other.

This is the initial information to help you get started with Istio. However, there are still many pitfalls. For example: the specifics of routing external traffic (outside the cluster), approaches to debugging sidecars, profiling, setting up the mixer and writing a custom mixer backend, and setting up the tracing mechanism and how it works with envoy.
We will cover all of this in the following publications. Ask your questions, and I will try to address them.

source: www.habr.com
