Istio技術與實踐06:史上最全!Istio安裝引數介紹
阿新 • • 發佈:2018-11-20
一、 CertManage
Istio-1.0版本新加入的元件,利用ACME為Istio簽發證書
| Key | Default Value | Description |
| certmanager.enabled | TRUE | 是否啟用certmanager |
| certmanager.hub | quay.io/jetstack | 映象倉庫名稱 |
| certmanager.tag | v0.3.1 | 映象版本號 |
| certmanager.resources |
{} | 佔用資源及限制 |
二、Galley
Istio-1.0版本新加入元件,利用webhook校驗Istio資源建立的是否正確,用於validate
| Key | Default Value | Description |
| galley.enabled | TRUE | 是否啟用galley |
| galley.replicaCount | 1 | 例項數量 |
| galley.image | galley | 映象倉庫名稱 |
三、Gateways
Istio-1.0版本將內部ingressgateway與egressgateway引數合併為gateways,同時增加了內部ELB型別的ilbgateway
| Key | Default Value | Description |
| gateways.enabled | TRUE | 是否啟用gateway |
| gateways.istio-ingressgateway.enabled | TRUE | 是否啟用ingressgateway |
| gateways.istio-ingressgateway.labels.app | istio-ingressgateway | Labels中key為app的value值 |
| gateways.istio-ingressgateway.labels.istio | ingressgateway | Labels中key為istio的value值 |
| gateways.istio-ingressgateway.replicaCount | 1 | Ingressgateway預設例項數量 |
| gateways.istio-ingressgateway.autoscaleMin | 1 | Ingressgateway自動擴縮容最小例項數 |
| gateways.istio-ingressgateway.autoscaleMax | 5 | Ingressgateway自動擴縮容最大例項數 |
| gateways.istio-ingressgateway.resources | {} | Ingressgateway佔用資源與限制 |
| gateways.istio-ingressgateway.loadBalancerIP | "" | Ingressgateway對外暴露的ELB IP地址 |
| gateways.istio-ingressgateway.serviceAnnotations | {} | Ingressgateway的service的annotation值 |
| gateways.istio-ingressgateway.type | LoadBalancer #change to NodePort, ClusterIP or LoadBalancer if need be | Ingressgateway的service釋出型別,三種可選 |
| gateways.istio-ingressgateway.ports.targetPort | 80 | Ingressgateway的service中的訪問埠與容器埠 |
| gateways.istio-ingressgateway.ports.name | http2 | http2的service中的埠名稱 |
| gateways.istio-ingressgateway.ports.nodePort | 31380 | Ingressgateway的service中的nodePort埠--http2 |
| gateways.istio-ingressgateway.ports.name | https | Ingressgateway的service中的埠名稱--https |
| gateways.istio-ingressgateway.ports.nodePort | 31390 | Ingressgateway的service中的nodePort埠--https |
| gateways.istio-ingressgateway.ports.name | tcp | Ingressgateway的service中的埠名稱--tcp |
| gateways.istio-ingressgateway.ports.nodePort | 31400 | Ingressgateway的service中的nodePort埠--tcp |
| gateways.istio-ingressgateway.ports.targetPort | 15011 | pilot-grpc訪問埠與容器埠 |
| gateways.istio-ingressgateway.ports.name | tcp-pilot-grpc-tls | pilot-grpc埠名稱 |
| gateways.istio-ingressgateway.ports.targetPort | 8060 | citadel-grpc訪問埠與容器埠 |
| gateways.istio-ingressgateway.ports.name | tcp-citadel-grpc-tls | citadel-grpc埠名稱 |
| gateways.istio-ingressgateway.ports.targetPort | 15030 | 普羅米修斯訪問埠與容器埠 |
| gateways.istio-ingressgateway.ports.name | http2-prometheus | 普羅米修斯埠名稱 |
| gateways.istio-ingressgateway.ports.targetPort | 15031 | Grafana訪問埠與容器埠 |
| gateways.istio-ingressgateway.ports.name | http2-grafana | Grafana埠名稱 |
| gateways.istio-ingressgateway.secretVolumes.secretName | istio-ingressgateway-certs | 掛載證書secret的名稱 |
| gateways.istio-ingressgateway.secretVolumes.mountPath | /etc/istio/ingressgateway-certs | 掛載證書secret的路徑 |
| gateways.istio-ingressgateway.secretVolumes.secretName | istio-ingressgateway-ca-certs | 掛載根證書secret的名稱 |
| gateways.istio-ingressgateway.secretVolumes.mountPath | /etc/istio/ingressgateway-ca-certs | 掛載根證書secret的路徑 |
| gateways.istio-egressgateway.enabled | TRUE | 是否開啟egressgateway |
| gateways.istio-egressgateway.labels.app | istio-egressgateway | Labels中key為app的value值 |
| gateways.istio-egressgateway.labels.istio | egressgateway | Labels中key為istio的value值 |
| gateways.istio-egressgateway.replicaCount | 1 | egressgateway預設例項數量 |
| gateways.istio-egressgateway.autoscaleMin | 1 | egressgateway自動擴縮容最小例項數 |
| gateways.istio-egressgateway.autoscaleMax | 5 | egressgateway自動擴縮容最大例項數 |
| gateways.istio-egressgateway.serviceAnnotations | {} | egressgateway佔用資源與限制 |
| gateways.istio-egressgateway.type | ClusterIP #change to NodePort or LoadBalancer if need be | egressgateway的service釋出型別,三種可選 |
| gateways.istio-egressgateway.ports.name | http2 | egressgateway埠名稱 |
| gateways.istio-egressgateway.ports.name.name | https | egressgateway埠名稱 |
| gateways.istio-egressgateway.secretVolumes.secretName | istio-egressgateway-certs | 掛載證書secret的名稱 |
| gateways.istio-egressgateway.secretVolumes.secretName.mountPath | /etc/istio/egressgateway-certs | 掛載證書secret的路徑 |
| gateways.istio-egressgateway.secretVolumes.secretName.secretName | istio-egressgateway-ca-certs | 掛載根證書secret的名稱 |
| gateways.istio-egressgateway.secretVolumes.secretName.mountPath | /etc/istio/egressgateway-ca-certs | 掛載根證書secret的路徑 |
| gateways.istio-ilbgateway.enabled | FALSE | 是否開啟Ilbgateway,建立InternalLoadBalancer型別gateway |
| gateways.istio-ilbgateway.enabled.labels.app | istio-ilbgateway | Labels中key為app的value值 |
| gateways.istio-ilbgateway.enabled.labels.istio | ilbgateway | Labels中key為istio的value值 |
| gateways.istio-ilbgateway.enabled.replicaCount | 1 | ilbgateway預設例項數量 |
| gateways.istio-ilbgateway.enabled.autoscaleMin | 1 | ilbgateway自動擴縮容最小例項數 |
| gateways.istio-ilbgateway.enabled.autoscaleMax | 5 | ilbgateway自動擴縮容最大例項數 |
| gateways.istio-ilbgateway.enabled.resources.requests.cpu | 800m | Ilbgateway所需CPU |
| gateways.istio-ilbgateway.enabled.resources.requests.memory | 512Mi | Ilbgateway所需記憶體 |
| gateways.istio-ilbgateway.enabled.loadBalancerIP | "" | Ilbgateway對外暴露的ELB IP地址 |
| gateways.istio-ilbgateway.enabled.serviceAnnotations.cloud.google.com/load-balancer-type | "internal" | ilbgateway訪問方式 |
| gateways.istio-ilbgateway.enabled.type | LoadBalancer | Ilbgateway的service型別 |
| gateways.istio-ilbgateway.enabled.ports.name | grpc-pilot-mtls | 是否啟用mtls認證 |
| gateways.istio-ilbgateway.enabled.ports.name | grpc-pilot | Service埠名稱 |
| gateways.istio-ilbgateway.enabled.ports.targetPort | 8060 | Grpc service埠 |
| gateways.istio-ilbgateway.enabled.ports.name | tcp-citadel-grpc-tls | Grpc-tls埠名稱 |
| gateways.istio-ilbgateway.enabled.ports.name | tcp-dns | Dns埠名稱 |
| gateways.istio-ilbgateway.enabled.secretVolumes.secretName | istio-ilbgateway-certs | 掛載證書secret的名稱 |
| gateways.istio-ilbgateway.enabled.secretVolumes.mountPath | /etc/istio/ilbgateway-certs | 掛載證書secret的路徑 |
| gateways.istio-ilbgateway.enabled.secretVolumes.secretName | istio-ilbgateway-ca-certs | 掛載根證書secret的名稱 |
| gateways.istio-ilbgateway.enabled.secretVolumes.mountPath | /etc/istio/ilbgateway-ca-certs | 掛載根證書secret的路徑 |
四、全域性變數global
| Key | Default Value | Description |
| global.hub | docker.io/istio | 映象倉庫 |
| global.tag | 1.0.0 | 映象版本號 |
| global.k8sIngressSelector | ingress | 匹配ingress所用label |
| global.k8sIngressHttps | FALSE | 是否開啟https |
| global.proxy.image | proxyv2 | Proxy映象名稱 |
| global.proxy.resources.requests.cpu | 10m | Proxy所需cpu |
| global.proxy.accessLogFile | "/dev/stdout" | Sidecar的log檔案路徑 |
| global.proxy.enableCoreDump | FALSE | 是否啟用coreDump |
| global.proxy.includeIPRanges | "*" | 如果目標IP在範圍內,出流量要經過sidecar |
| global.proxy.excludeIPRanges | "" | 如果目標IP在範圍內,出流量不經過sidecar |
| global.proxy.includeInboundPorts | "*" | 如果容器埠在範圍內,入這個埠的流量要經過sidecar |
| global.proxy.excludeInboundPorts | "" | 如果容器埠在範圍內,入這個埠的流量不經過sidecar |
| global.proxy.autoInject | enabled | 是否開啟自動注入 |
| global.proxy.envoyStatsd.enabled | TRUE | 是否對接statsd |
| global.proxy.envoyStatsd.host | istio-statsd-prom-bridge | Statsd host |
| global.proxy.envoyStatsd.port | 9125 | Statsd埠 |
| global.proxy_init.image | proxy_init | Proxy的init映象 |
| global.imagePullPolicy | IfNotPresent | 映象的拉去策略 |
| global.controlPlaneSecurityEnabled | TRUE | 控制面元件是否開啟mtls認證 |
| global.disablePolicyChecks | FALSE | 關掉mixer-check |
| global.enableTracing | TRUE | 開啟tracing |
| global.mtls.enabled | TRUE | 開啟Mtls認證 |
| global.arch.amd64 | 2 | 親和性策略 |
| global.arch.s390x | 2 | 親和性策略 |
| global.arch.ppc64le | 2 | 親和性策略 |
| global.oneNamespace | FALSE | 限制為單ns |
| global.configValidation | TRUE | 開啟引數校驗 |
| global.meshExpansion | FALSE | ingressgateway開啟pilot與citadel的mtls |
| global.meshExpansionILB | FALSE | Ilbgateway開啟pilot與citadel的mtls |
| global.defaultResources.requests.cpu | 10m | 預設資源需求 |
| global.hyperkube.hub | quay.io/coreos | Hypercube映象倉庫 |
| global.hyperkube.tag | v1.7.6_coreos.0 | 映象版本號 |
| global.priorityClassName | "" | 優先順序類別 |
| global.crds | TRUE | 是否需要優先建立crd |
五、Grafana
監控資料展示addon
| Key | Default Value | Description |
| grafana.enabled | TRUE | 安裝grafana |
| grafana.replicaCount | 1 | 例項個數 |
| grafana.image | grafana | 映象名稱 |
| grafana.security.enabled | TRUE | 開啟登入安全認證 |
| grafana.security.adminUser | admin | 認證使用者名稱 |
| grafana.security.adminPassword | admin | 認證密碼 |
| grafana.service.annotations | {} | Annotation |
| grafana.service.name | http | Service中portname |
| grafana.service.type | ClusterIP | Service型別 |
| grafana.service.externalPort | 3000 | 訪問埠 |
| grafana.service.internalPort | 3000 | 容器埠 |
六、Ingress
Istio將取消Ingress,不建議使用,推薦使用gateway
| Key | Default Value | Description |
| ingress.enabled | TRUE | 是否啟用Ingress |
| ingress.replicaCount | 1 | 例項數 |
| ingress.autoscaleMin | 1 | 最小自動伸縮例項數 |
| ingress.autoscaleMax | 5 | 最大自動伸縮例項數 |
| ingress.service.annotations | {} | Annotation |
| ingress.service.loadBalancerIP | "" | ELB IP |
| ingress.service.type | LoadBalancer #change to NodePort, ClusterIP or LoadBalancer if need be | Service型別 |
| ingress.service.ports.name | http | http埠名稱 |
| ingress.service.ports.nodePort | 32000 | nodePort |
| ingress.service.ports.name | https | https埠名稱 |
| ingress.service.selector.istio | ingress | Selector匹配label |
七、kiali
kiali外掛
| Key | Default Value | Description |
| kiali.enabled | TRUE | 是否安裝kiali |
| kiali.replicaCount | 1 | 例項數 |
| kiali.hub | docker.io/kiali | 映象倉庫 |
| kiali.tag | istio-release-1.0 | 映象版本 |
| kiali.ingress.enabled | TRUE | 是否開啟ingress對外訪問 |
| kiali.dashboard.username | admin | 介面登入名 |
| kiali.dashboard.passphrase | admin | 介面登入密碼 |
八、mixer
| Key | Default Value | Description |
| mixer.enabled | TRUE | 是否啟用mixer |
| mixer.replicaCount | 1 | 例項數 |
| mixer.autoscaleMin | 1 | 最小伸縮例項數 |
| mixer.autoscaleMax | 5 | 最大伸縮例項數 |
| mixer.image | mixer | 映象名稱 |
| mixer.istio-policy.autoscaleEnabled | TRUE | policy開啟自動擴容 |
| mixer.istio-policy.autoscaleMin | 1 | 最小伸縮例項數 |
| mixer.istio-policy.autoscaleMax | 5 | 最大伸縮例項數 |
| mixer.istio-policy.cpu.targetAverageUtilization | 80 | 擴縮容CPU閾值 |
| mixer.istio-telemetry.autoscaleEnabled | TRUE | Telemetry自動擴容 |
| mixer.istio-telemetry.autoscaleMin | 1 | 最小伸縮例項數 |
| mixer.istio-telemetry.autoscaleMax | 5 | 最大伸縮例項數 |
| mixer.istio-telemetry.cpu.targetAverageUtilization | 80 | 擴縮容CPU閾值 |
| mixer.prometheusStatsdExporter.hub | docker.io/prom | 對接adapter映象 |
| mixer.prometheusStatsdExporter.tag | v0.6.0 | 映象版本 |
九、pilot
| Key | Default Value | Description |
| pilot.enabled | TRUE | 啟用pilot |
| pilot.replicaCount | 1 | 例項數 |
| pilot.autoscaleMin | 1 | 最小伸縮例項數 |
| pilot.autoscaleMax | 1 | 最大伸縮例項數 |
| pilot.image | pilot | 映象名稱 |
| pilot.sidecar | TRUE | 是否預設為pilot注入sidecar |
| pilot.traceSampling | 100 | 取樣率 |
| pilot.resources.requests.cpu | 500m | CPU需求 |
| pilot.resources.requests.memory | 2048Mi | 記憶體需求 |
十、Prometheus
| Key | Default Value | Description |
| prometheus.enabled | TRUE | 啟用prometheus |
| prometheus.replicaCount | 1 | 例項數 |
| prometheus.hub | docker.io/prom | 映象倉庫 |
| prometheus.tag | v2.3.1 | 映象版本 |
| prometheus.service.annotations | {} | Annotation |
| prometheus.service.nodePort.enabled | FALSE | 是否啟用nodePort |
| prometheus.service.nodePort.port | 32090 | nodePort埠 |
十一、security
| Key | Default Value | Description |
| security.replicaCount | 1 | 例項數 |
| security.image | citadel | 映象名稱 |
| security.selfSigned | true # indicate if self-signed CA is used. | 開啟證書自簽發 |
十二、servicegraph
| Key | Default Value | Description |
| servicegraph.enabled | FALSE | 啟用servicegraph |
| servicegraph.replicaCount | 1 | 例項數 |
| servicegraph.image | servicegraph | 映象名稱 |
| servicegraph.service.name | http | Service的portname |
| servicegraph.service.type | ClusterIP | Service型別 |
| servicegraph.service.externalPort | 8088 | 訪問埠 |
| servicegraph.service.internalPort | 8088 | 容器埠 |
| servicegraph.ingress.enabled | FALSE | 開啟ingress |
| servicegraph.prometheusAddr | http://prometheus:9090 | 對接普羅地址 |
十三、sidecarInjector
| Key | Default Value | Description |
| sidecarInjectorWebhook.enabled | TRUE | 啟用sidecarinjector |
| sidecarInjectorWebhook.replicaCount | 1 | 例項數 |
| sidecarInjectorWebhook.image | sidecar_injector | 映象名稱 |
| sidecarInjectorWebhook.enableNamespacesByDefault | FALSE | 注入規則配置,false為匹配injecor-label |
十四、telemetry-gateway
用於將grafana與prometheus以gateway方式釋出出去
| Key | Default Value | Description |
| telemetry-gateway.gatewayName | ingressgateway | Gateway名稱 |
| telemetry-gateway.grafanaEnabled | TRUE | 釋出grafana-gateway |
| telemetry-gateway.prometheusEnabled | TRUE | 釋出prome-gateway |
十五、tracing
| Key | Default Value | Description |
| tracing.enabled | TRUE | 啟用tracing |
| tracing.provider | jaeger | 是否安裝jaeger svc |
| tracing.jaeger.hub | docker.io/jaegertracing | 映象倉庫 |
| tracing.jaeger.tag | 1.5 | 映象版本號 |
| tracing.jaeger.memory.max_traces | 50000 | 最大條數 |
| tracing.jaeger.ui.port | 16686 | 前端訪問埠 |
| tracing.replicaCount | 1 | 例項數 |
| tracing.service.annotations | {} | Annotation |
| tracing.service.name | http | Service的portName |
| tracing.service.type | ClusterIP | Service型別 |
| tracing.service.externalPort | 9411 | 訪問埠 |
| tracing.service.internalPort | 9411 | 容器埠 |
| tracing.ingress.enabled | FALSE | 是否釋出為ingress |
十六、總結
本文僅列舉了Istio的helm安裝包的傳入引數,這些引數為安裝Istio時傳入並生效,而Istio控制面元件真正的啟動引數,也是重要的一部分,我們將在下期為大家講解。