OpenShift 4 - Istio-Tutorial (2) 部署三个微服务

《OpenShift 4.x HOL教程汇总》
说明：本文已经在OpenShift 4.12环境中验证

本系列演示的场景使用了基于Java实现的三个微服务：Customer、Preference、Recommendation，它们的调用关系是Customer ⇒ Preference ⇒ Recommendation，其中Recommendation有多个版本。本章节主要部署这三个微服务并能从外部访问它们。

1. 首先将教程中使用到的代码下载到本地。由于我修改过部分代码，因此建议不要使用上游项目。

$ git clone https://github.com/redhat-developer-demos/istio-tutorial
$ cd istio-tutorial

2. 以Customer微服务为例，我们可以查看customer/kubernetes/Deployment.yml文件。此文件定义了如何部署Customer微服务，其中部署的容器镜像是“quay.io/rhdevelopers/istio-tutorial-customer:v1.1”；而将“sidecar.istio.io/inject”设为“true”是为了实现自动注入微服务的Sidecar。
3. 执行以下命令，部署Customer、Preference、Recommendation微服务并创建对应的Service。

$ oc apply -n ${ISTIO_APP} -f customer/kubernetes/Deployment.yml
$ oc apply -n ${ISTIO_APP} -f customer/kubernetes/Service.yml
$ oc apply -n ${ISTIO_APP} -f preference/kubernetes/Deployment.yml
$ oc apply -n ${ISTIO_APP} -f preference/kubernetes/Service.yml
$ oc apply -n ${ISTIO_APP} -f recommendation/kubernetes/Deployment.yml
$ oc apply -n ${ISTIO_APP} -f recommendation/kubernetes/Service.yml

4. 查看运行微服务的Pod运行状态，完成后在tutorial中应该运行了3个Pod。在“READY”状态中可以看到每个Pod中运行2个Container，其中一个运行的是微服务，另一个运行的是对应的Sidecar。

$ oc get pod -n ${ISTIO_APP}
NAME                                 READY   STATUS    RESTARTS   AGE
customer-77dc47d7f8-hbxcn            2/2     Running   0          32h
preference-v1-55476494cf-xm4dq       2/2     Running   0          32h
recommendation-v1-67976848-4l4s7     2/2     Running   0          32h

注意：如果此时看到的Pod中只要1个容器，通常是由于没有将运行servicemesh应用的项目名"tutorial"添加到OpenShift Service Mesh Operator的Service MesMemberRoll中的members。另外还有可能没有为部署的pod提供自动注入的“annotations”（或没生效），可以确认在每个Deployments中有以下部分：sidecar.istio.io/inject: “true”

apiVersion: apps/v1
kind: Deployment
。。。
  template:
    metadata:
      labels:
        app: customer
        version: v1
      annotations:
        sidecar.istio.io/inject: "true"

5. 运行命令，查看Customer微服务运行Pod中包括容器的情况，其中一个运行微服务的容器customer，另一个容器运行sidecar的容器istio-proxy。

$ oc get pods -n ${ISTIO_APP} -o jsonpath="{.items[*].spec.containers[*].name}" -l app=customer
customer istio-proxy
$ oc describe pod -n ${ISTIO_APP} $(oc get pod -n ${ISTIO_APP} | grep customer | awk '{print $1}')
...
Containers:
  customer:
    Container ID:   cri-o://bb459fef3e4080f703d83c61ff88c56c2ee2c5c424bab6071e2cd0f3a149b7a6
    Image:          quay.io/rhdevelopers/istio-tutorial-customer:v1.1
    Image ID:       quay.io/rhdevelopers/istio-tutorial-customer@sha256:d1b0054dc21406b6b5fc172e8ffd35cc4f447550e26cbafdc8f6a1f7d9184661
    Ports:          8080/TCP, 8778/TCP, 9779/TCP
    Host Ports:     0/TCP, 0/TCP, 0/TCP
    State:          Running
      Started:      Sun, 12 Jan 2020 18:36:23 +0800
    Last State:     Terminated
      Reason:       OOMKilled
      Exit Code:    137
      Started:      Sun, 12 Jan 2020 14:32:19 +0800
      Finished:     Sun, 12 Jan 2020 18:36:22 +0800
    Ready:          True
    Restart Count:  2
    Limits:
      cpu:     500m
      memory:  40Mi
    Requests:
      cpu:      200m
      memory:   20Mi
    Liveness:   exec [curl localhost:8080/health/live] delay=5s timeout=1s period=4s #success=1 #failure=3
    Readiness:  exec [curl localhost:8080/health/ready] delay=6s timeout=1s period=5s #success=1 #failure=3
    Environment:
      JAVA_OPTIONS:  -Xms15m -Xmx15m -Xmn15m
    Mounts:
      /var/run/secrets/kubernetes.io/serviceaccount from default-token-qt9vl (ro)
  istio-proxy:
    Container ID:  cri-o://41803682d3d2d6828e4077a3e6e3e338d886025dfa030fc7d7f02229cca88ad6
    Image:         registry.redhat.io/openshift-service-mesh/proxyv2-rhel8:1.0.3
    Image ID:      registry.redhat.io/openshift-service-mesh/proxyv2-rhel8@sha256:7f01dec612f36a48cd548a81f8f47a54b9f1b1c76366e40aefb56abe39cf167e
    Port:          15090/TCP
    Host Port:     0/TCP
    Args:
      proxy
      sidecar
      --domain
      $(POD_NAMESPACE).svc.cluster.local
      --configPath
      /etc/istio/proxy
      --binaryPath
      /usr/local/bin/envoy
      --serviceCluster
      customer.$(POD_NAMESPACE)
      --drainDuration
      45s
      --parentShutdownDuration
      1m0s
      --discoveryAddress
      istio-pilot.istio-system:15010
      --zipkinAddress
      zipkin.istio-system:9411
      --connectTimeout
      10s
      --proxyAdminPort
      15000
      --concurrency
      2
      --controlPlaneAuthPolicy
      NONE
      --statusPort
      15020
      --applicationPorts
      8080,8778,9779
    State:          Running
      Started:      Sun, 12 Jan 2020 14:25:44 +0800
    Ready:          True
    Restart Count:  0
    Limits:
      cpu:     500m
      memory:  128Mi
    Requests:
      cpu:      100m
      memory:   128Mi
    Readiness:  http-get http://:15020/healthz/ready delay=1s timeout=1s period=2s #success=1 #failure=30
    Environment:
      POD_NAME:                      customer-77dc47d7f8-hbxcn (v1:metadata.name)
      POD_NAMESPACE:                 tutorial (v1:metadata.namespace)
      INSTANCE_IP:                    (v1:status.podIP)
      ISTIO_META_POD_NAME:           customer-77dc47d7f8-hbxcn (v1:metadata.name)
      ISTIO_META_CONFIG_NAMESPACE:   tutorial (v1:metadata.namespace)
      ISTIO_META_INTERCEPTION_MODE:  REDIRECT
      ISTIO_METAJSON_ANNOTATIONS:    {"openshift.io/scc":"restricted","sidecar.istio.io/inject":"true"}
      ISTIO_METAJSON_LABELS:         {"app":"customer","pod-template-hash":"77dc47d7f8","version":"v1"}
    Mounts:
      /etc/certs/ from istio-certs (ro)
      /etc/istio/proxy from istio-envoy (rw)
      /var/run/secrets/kubernetes.io/serviceaccount from default-token-qt9vl (ro)
...

6. 为了访问 Customer 微服务，还要创建 Gateway 和 VirtualService 对象。可以查看 customer/kubernetes/Gateway.yml 文件中定义的Gateway(gw) 和 VirtualService(vs) 对象，其中名为 customer-gateway 的 VirtualService 包括了一个名为customer-gateway 的 Gateway。名为 customer-gateway 的 Gateway 监听在 80 端口，它是 VirtualService 的访问入口。当名为 customer-gateway 的 VirtualService 收到对于 istio-system 项目中名为 istio-ingressgateway 路由 + “/customer" 的路径访问请求后，VirtualService 就将请求发给名为 customer 的 service，该service 的监听端口是 8080，且转发的时候将请求域名后的 “/customer” 改写为 “/”。

VirtualService 对象：

apiVersion: networking.istio.io/v1beta1
kind: VirtualService                    
metadata:                               
  name: customer-gateway     # VirtualService name                  
spec:                                   
  hosts:                                
  - "*"                                 
  gateways:                             
  - customer-gateway        # gateway name           
  http:                                 
  - match:                              
    - uri:                              
        exact: /customer                        
    rewrite:
      uri: / 				# 将"/customer"改写为"/"
    route:                              
    - destination:                      
        host: customer        # service url, can long service url or short service url.          
        port:                           
          number: 8080        # service port          

Gateway对象：

apiVersion: networking.istio.io/v1beta1
kind: Gateway                                            
metadata:                                                
  name: customer-gateway                                
spec:                                                    
  selector:                                              
    istio: ingressgateway     # 通过 istio=ingressgateway 的Label定位于ServiceMeshControlPlane中运行ingressgateway的pod
  servers:                                               
  - port:                                                
      number: 80                                         
      name: http                                         
      protocol: HTTP                                     
    hosts:                                               
    - "*"                                                

7. 执行命令创建Gateway和VirtualService对象，然后查看它们的状态。注意：“istio-io”代表所有和网络相关的对象，包括Gateway、VirtualService、DestinationRule等对象。

$ oc apply -f customer/kubernetes/Gateway.yml -n ${ISTIO_APP}
gateway.networking.istio.io/customer-gateway created
virtualservice.networking.istio.io/customer-gateway created
 
$ oc get gateway -n ${ISTIO_APP}
NAME                AGE
gcustomer-gateway   7s
 
$ oc get virtualservice -n ${ISTIO_APP}
NAME               GATEWAYS               HOSTS   AGE
customer-gateway   ["customer-gateway"]   ["*"]   7s

8. 通过绑定到名为istio-ingressgateway路由的Gateway入口发起访问，返回结果显示微服务customer依次调用了preference和recommendation微服务。可以看到调用计数器会增加，且“67976848-4l4s7”为微服务运行pod的id。

$ ISTIO_SYSTEM=istio-system
$ INGRESS_GATEWAY=$(oc get route istio-ingressgateway -n ${ISTIO_SYSTEM} -o 'jsonpath={.spec.host}')
$ ./scripts/run.sh ${INGRESS_GATEWAY}/customer
customer => preference => recommendation v1 from 'recommendation-v1-dd8544f7c-s64sx': 1
customer => preference => recommendation v1 from 'recommendation-v1-dd8544f7c-s64sx': 2
customer => preference => recommendation v1 from 'recommendation-v1-dd8544f7c-s64sx': 3

注意：在实际操作过程中出现“Application is not available”的错误，发现是 ServiceMeshControlPlane 自动创建的负责流量入口的pod在日志中报错。此时可手动删除有问题的istio-ingressgateway-xxxxxx的pod，系统自动生成新的pod，从运行日志中（下图）确认新的pod运行正常。

至此，我们就在OpenShift 4的Serivice Mesh环境中部署好了3个微服务，并且已经可以从外部访问到它们了。