GCP-GKE-istio

GitHub - TimChiang0106/GCP-GKE-istio

Prerequisite

To get the IP of Cloud Shell

curl -s checkip.dyndns.org | sed -e 's/.*Current IP Address: //' -e 's/<.*$//'
gcloud container fleet mesh describe --project tw-rd-sp-tommy

Register clusters to fleet

gcloud container clusters list --uri
gcloud container fleet memberships register demo-2 \
  --gke-uri=https://container.googleapis.com/v1/projects/tw-rd-sp-tommy/zones/asia-east1-a/clusters/demo-istio-2 \
  --enable-workload-identity \
  --project tw-rd-sp-tim
./asmcli install \
  --project_id tw-rd-sp-tommy \
  --cluster_name demo-istio-2 \
  --cluster_location asia-east1-a \
  --fleet_id tw-rd-sp-tim \
  --enable_all \
  --ca mesh_ca

# For a cluster registered to a fleet in another project, grant the fleet project's
# ASM service agent access to the cluster project ("ID" is a placeholder):
# gcloud projects add-iam-policy-binding "ID" \
#   --member "serviceAccount:[email protected]" \
#   --role roles/anthosservicemesh.serviceAgent
# Label the cluster with its mesh id (id, cluster, zone and proj-id are placeholders):
# gcloud container clusters update cluster --project id \
#   --zone zone --update-labels mesh_id=proj-id

For public cluster
./asmcli create-mesh \
      tw-rd-sp-tim \
      tw-rd-sp-tim/asia-east1-a/cluster-istio \
      tw-rd-sp-tommy/asia-east1-a/cluster-istio-tim

For private cluster

gcloud container clusters describe "${CLUSTER_1}" --project "${PROJECT_1}" \
  --zone "${LOCATION_1}" --format "value(privateClusterConfig.privateEndpoint)"

Deploy applications

kubectl label namespace asm-1152-6 istio-injection=enabled istio.io/rev- --overwrite

Installation

  1. default: enables components according to the default settings of the IstioOperator API. This profile is recommended for production deployments and for primary clusters in a multicluster mesh. You can display the default settings by running the istioctl profile dump command.
# Apply a default Istio installation
istioctl install
gcloud container fleet memberships register cluster-istio \
  --gke-uri=https://container.googleapis.com/v1/projects/tw-rd-sp-tim/zones/asia-east1-a/clusters/cluster-3 \
  --enable-workload-identity \
  --project tw-rd-sp-tim
./asmcli validate \
  --project_id tw-rd-sp-tim \
  --cluster_name cluster-istio \
  --cluster_location asia-east1-a \
  --fleet_id tw-rd-sp-tim
kubectl create namespace asm-1152-6
kubectl create serviceaccount istio-ingressgateway \
    --namespace istio-system
# Read the revision label of the installed control plane (used for the namespace label below)
kubectl get deploy -n istio-system -l app=istiod -o \
  "jsonpath={.items[*].metadata.labels['istio\.io/rev']}{'\n'}"
kubectl label namespace asm-1152-6 \
  istio.io/rev=asm-1152-6 --overwrite
kubectl apply -n asm-1152-6 \
  -f samples/gateways/istio-ingressgateway
# Check cross-cluster DNS from the sleep pod
kubectl exec --context="${CTX_1}" -n sample -c sleep \
    "$(kubectl get pod --context="${CTX_1}" -n sample -l \
    app=sleep -o jsonpath='{.items[0].metadata.name}')" \
    -- /bin/sh -c 'for i in $(seq 1 1); do nslookup helloworld.sample; done'

External-Load-balancer

cat <<EOF | istioctl install -y -f -
apiVersion: install.istio.io/v1alpha1
kind: IstioOperator
spec:
  meshConfig:
    defaultConfig:
      proxyMetadata:
        # Enable basic DNS proxying
        ISTIO_META_DNS_CAPTURE: "true"
        # Enable automatic address allocation, optional
        ISTIO_META_DNS_AUTO_ALLOCATE: "true"
EOF

Internal-Load-balancer

kubectl apply -f samples/httpbin/httpbin.yaml
kubectl apply -f - <<EOF
apiVersion: networking.istio.io/v1alpha3
kind: Gateway
metadata:
  name: httpbin-gateway
spec:
  selector:
    istio: ingressgateway
  servers:
  - port:
      number: 80
      name: http
      protocol: HTTP
    hosts:
    - "httpbin.example.com"
EOF
kubectl apply -f - <<EOF
apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
  name: httpbin
spec:
  hosts:
  - "httpbin.example.com"
  gateways:
  - httpbin-gateway
  http:
  - match:
    - uri:
        prefix: /status
    - uri:
        prefix: /delay
    route:
    - destination:
        port:
          number: 8000
        host: httpbin
EOF

istio-ilb-dev.yaml

istio-ilb-svc.yaml

Test:

curl -s -I -HHost:httpbin.example.com "http://$INGRESS_HOST:$INGRESS_PORT/status/200"

<https://istio.io/latest/docs/tasks/traffic-management/ingress/ingress-control/>

Error

Stuck at

asmcli: Installing ASM control plane...
Failed 

Solution:
Check the VPC routes: is there a 0.0.0.0/0 default route to the internet? The nodes need egress to pull the control-plane images.
Error:
Istiod encountered an error: failed to wait for resource: resources not ready after 5m0s: timed out waiting for the condition

Solution:

The istiod deployment does not have minimum availability: the cluster does not have enough RAM or CPU to schedule the control plane.


Error:

pods "istio-ingressgateway-5b648874cc-" is forbidden: error looking up service account asm-1152-6/user-ingressgateway-service-account: serviceaccount "user-ingressgateway-service-account" not found

# Create the service account the gateway Deployment references; its name and namespace
# must match the ones in the error message (GATEWAY_NAMESPACE is a placeholder)
kubectl create namespace GATEWAY_NAMESPACE
kubectl create serviceaccount istio-ingressgateway-service-account \
    --namespace istio-system
Error:

Internal error occurred: failed calling webhook "rev.namespace.sidecar-injector.istio.io": failed to call webhook: Post "<https://istiod-asm-1152-6.istio-system.svc:443/inject?timeout=10s>": context deadline exceeded

Solution:
Firewall rule: allow the GKE control plane to reach the nodes on TCP ports 15000-15100 (istiod's webhook port 15017 is in that range). On a private cluster the default master-to-node rule only opens 443 and 10250.
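An added check (not part of this repo) for the webhook timeout above: it parses the JSON printed by `gcloud compute firewall-rules list --format=json` and reports which enabled ingress rules let the control-plane CIDR reach the nodes on TCP 15000-15100. The sample rules and the CIDR are constructed; the first sample rule mimics the default GKE master-to-node rule.

```python
"""Find a VPC firewall rule that lets the GKE control plane reach the nodes
on tcp 15000-15100 (the range the notes above require). Input is the JSON
shape of `gcloud compute firewall-rules list --format=json`; the sample below
is constructed for this example and the first rule mimics the GKE default."""
import ipaddress
import json

SAMPLE_RULES_JSON = """[
  {"name": "gke-demo-istio-2-master", "direction": "INGRESS", "disabled": false,
   "sourceRanges": ["172.16.0.0/28"],
   "allowed": [{"IPProtocol": "tcp", "ports": ["443", "10250"]}]},
  {"name": "allow-istiod-webhook", "direction": "INGRESS", "disabled": false,
   "sourceRanges": ["172.16.0.0/28"],
   "allowed": [{"IPProtocol": "tcp", "ports": ["15000-15100"]}]}
]"""

def _port_range(spec):
    # "15017" -> (15017, 15017); "15000-15100" -> (15000, 15100)
    lo, _, hi = spec.partition("-")
    return int(lo), int(hi or lo)

def _covers(allowed_ports, lo, hi):
    # gcloud omits "ports" when every port of the protocol is allowed.
    if not allowed_ports:
        return True
    return any(a <= lo and hi <= b for a, b in map(_port_range, allowed_ports))

def rules_allowing(rules_json, master_cidr, lo=15000, hi=15100):
    """Names of enabled INGRESS rules whose source ranges contain the whole
    control-plane CIDR (IPv4 assumed) and which allow tcp lo-hi."""
    master = ipaddress.ip_network(master_cidr)
    hits = []
    for rule in json.loads(rules_json):
        if rule.get("direction") != "INGRESS" or rule.get("disabled"):
            continue
        src_ok = any(master.subnet_of(ipaddress.ip_network(s))
                     for s in rule.get("sourceRanges", []))
        port_ok = any(a["IPProtocol"] in ("tcp", "all")
                      and _covers(a.get("ports", []), lo, hi)
                      for a in rule.get("allowed", []))
        if src_ok and port_ok:
            hits.append(rule["name"])
    return hits

if __name__ == "__main__":
    # The real CIDR comes from: gcloud container clusters describe CLUSTER
    #   --format "value(privateClusterConfig.masterIpv4CidrBlock)"
    print(rules_allowing(SAMPLE_RULES_JSON, "172.16.0.0/28"))
```

An empty result means the webhook call from the control plane will be blocked and a rule for the range has to be added.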
