istio 升级跨版本升级备忘

1、ingress-nginx网关创建各服务备用ingress入口，测试备用各服务网关的正确性。
cd /root/k8s-testdomain/nginx-ingress-gateway/

2、备份正式在运行的istio服务的helm values，以便升级失败使用helm安装1.4.6版本，或者使用阿里云控制台安装istio。
cd /root/istio-system-bakcup

3、测试删除istio服务后，各服务 istio 注入插件的稳定性。（测试后，部分服务会因为istio各组件缺失导致istio-proxy无限重启，服务无法正常工作，升级前所有相关命名空间需要关闭istio-injection，并重启相应的注入插件的服务）
kubectl label namespace bike-monitor istio-injection-
kubectl label namespace changshan istio-injection-
kubectl label namespace chuzhou istio-injection-
kubectl label namespace deqing istio-injection-
kubectl label namespace testdomain istio-injection-
kubectl label namespace jinjingzhen istio-injection-
kubectl label namespace linyi istio-injection-
kubectl label namespace tianjin istio-injection-
kubectl label namespace xbb istio-injection-

升级完成后开启自动注入并重启相关服务：
kubectl label namespace bike-monitor istio-injection=enabled
kubectl label namespace changshan istio-injection=enabled
kubectl label namespace chuzhou istio-injection=enabled
kubectl label namespace deqing istio-injection=enabled
kubectl label namespace testdomain istio-injection=enabled
kubectl label namespace jinjingzhen istio-injection=enabled
kubectl label namespace linyi istio-injection=enabled
kubectl label namespace tianjin istio-injection=enabled
kubectl label namespace xbb istio-injection=enabled

4、根据正式运行环境准备部署文件。
cd /home/wuyutang/istio-1.7.0/bin

5、istio 公网负载均衡正式网关 80 443 7080 监听转发至ingress-nginx负载均衡的 80 443 7080 监听对应的后端节点端口。并观察服务运行状态一段时间。没问题进行下一步。有问题立马改回原后端。

6、卸载istio
helm delete istio-init
helm delete istio-ingressgateway
helm delete istio

7、安装 istio
cd /home/wuyutang/istio-1.7.0/bin

./istioctl manifest generate -f ../default.yaml --set addonComponents.grafana.enabled=true --set addonComponents.prometheus.enabled=true --set addonComponents.kiali.enabled=true --set values.kiali.createDemoSecret=true --set values.gateways.istio-egressgateway.enabled=false --set values.global.jwtPolicy=first-party-jwt --set values.gateways.istio-ingressgateway.sds.enabled=true --set meshConfig.accessLogFile="/dev/stdout" >generated-manifest-prometheus-grafana-kiali.yaml

kubectl apply -f generated-manifest-prometheus-grafana-kiali.yaml

8、统计使用了 192.168.2.165 负载均衡网关的配置位置，istio升级后vpc网关会变更需要及时更改。
# hlwbluet  /etc/nginx/nginx.conf /usr/nestfile/config/server.properties /data/gateway/webapi-gateway-0.0.1-SNAPSHOT/run.sh restart
# hlwmt06-36  /etc/hosts---/etc/nginx/nginx.conf /usr/nestfile/config/server.properties /home/webservice/bike-web-web-0.0.1-SNAPSHOT/run.sh restart
# hlwmt05-xbb-bus  /etc/nginx/my-config/api-gateway.conf
# hlwmt04-调度3.0  /etc/nginx/nginx.conf /etc/nginx/conf.d/management.conf
# hlwbus  /home/dd/nestfile/config/server.properties su - dd /home/dd/msc-web-0.0.1-SNAPSHOT/run.sh restart

9、相关网关与虚拟服务需要重新应用部署。
===============================================================================================================
# kubectl get gateways.networking.istio.io --all-namespaces
NAMESPACE NAME AGE
bike-monitor bike-monitor-gateway 482d
testdomain testdomain-gateway 521d
testdomain testdomain-h5-gateway 500d 弃用
istio-system testdomain-cn 381d
istio-system testdomain-com 417d
istio-system testdomain-com 426d
offical offical-gateway 76d

应用相关网关：
kubectl apply -f istio-ingress/testdomain-cn-gateway.yaml -n istio-system
kubectl apply -f istio-ingress/testdomain-gateway.yaml -n istio-system
kubectl apply -f istio-ingress/testdomain-gateway.yaml -n istio-system
kubectl apply -f bike-monitor/gateway/bike-monitor-gateway.yaml -n bike-monitor
kubectl apply -f istio-ingress/testdomain-gateway.yaml -n testdomain
kubectl apply -f istio-ingress/h5-gateway.yaml -n testdomain
kubectl apply -f offical/gateway.yaml -n offical

===============================================================================================================
# kubectl get virtualservices.networking.istio.io --all-namespaces
NAMESPACE NAME GATEWAYS HOSTS
bike-monitor bike-monitor-gateway [bike-monitor-gateway] [bike-monitor.testdomain.cn]
changshan bikecc [testdomain-cn.istio-system] [changshan.testdomain.cn]
chuzhou bikecc [testdomain-cn.istio-system] [chuzhou.testdomain.cn]
deqing bikecc [testdomain-cn.istio-system] [deqing.testdomain.cn]
testdomain bike-ca [bike-ca]
testdomain bikeswipe [bikeswipe]
testdomain device [device]
testdomain testdomain-gateway [testdomain-gateway testdomain-com.istio-system] [*]
testdomain testdomain-h5-gateway [testdomain-com.istio-system] [wxtestdomain.testdomain.com]
jinjingzhen bikecc [testdomain-cn.istio-system] [jinjing.testdomain.cn]
linyi bikecc [testdomain-cn.istio-system] [linyi.testdomain.cn]
luxi bikecc [testdomain-cn.istio-system] [luxi.testdomain.cn] 关闭
offical offical-gateway [offical-gateway] [www.jtkjbike.com www.jtkjgroup.com]
pinghu bikecc [testdomain-cn.istio-system] [pinghu.testdomain.cn] 关闭
tianjin bikecc [testdomain-cn.istio-system] [tianjin.testdomain.cn]
xbb xbb-gateway [testdomain-com.istio-system] [www.testdomain.com]

应用相关virtualservices：
kubectl apply -f bike-monitor/gateway/bike-monitor-gateway.yaml -n bike-monitor
kubectl apply -f city/virtual-service/changshan-bikecc.yaml -n changshan
kubectl apply -f city/virtual-service/chuzhou-bikecc.yaml -n chuzhou
kubectl apply -f city/virtual-service/deqing-bikecc.yaml -n deqing
kubectl apply -f bike-ca/destination-rule.yaml -n testdomain
kubectl apply -f bike-ca/virtual-service.yaml -n testdomain
kubectl apply -f bikeswipe/destination-rule.yaml -n testdomain
kubectl apply -f bikeswipe/virtual-service.yaml -n testdomain
kubectl apply -f device/destination-rule.yaml -n testdomain
kubectl apply -f device/virtual-service.yaml -n testdomain
kubectl apply -f istio-ingress/testdomain-gateway.yaml -n testdomain
kubectl apply -f istio-ingress/h5-gateway.yaml -n testdomain
kubectl apply -f city/virtual-service/jinjing-bikecc.yaml -n jinjingzhen
kubectl apply -f city/virtual-service/linyi-bikecc.yaml -n linyi
kubectl apply -f offical/gateway.yaml -n offical
kubectl apply -f city/virtual-service/tianjin-bikecc.yaml -n tianjin
kubectl apply -f xbb/gateway/xbb-gateway.yaml -n xbb

===============================================================================================================
# kubectl get serviceentries.networking.istio.io --all-namespaces
NAMESPACE NAME HOSTS
testdomain dingda-cdn01.oss-cn-hangzhou-internal.aliyuncs.com [dingda-cdn01.oss-cn-hangzhou-internal.aliyuncs.com]
testdomain gateway.testdomain.com [gateway.testdomain.com]
testdomain gatewaytest.testdomain.com [gatewaytest.testdomain.com]
offical jt-offical.oss-cn-hangzhou-internal.aliyuncs.com [jt-offical.oss-cn-hangzhou-internal.aliyuncs.com]

应用serviceentries：
kubectl apply -f istio-ingress/oss-dingda-cdn01-ServiceEntry.yaml -n testdomain
kubectl apply -f istio-ingress/testdomain-ServiceEntry.yaml -n testdomain
kubectl apply -f istio-ingress/hz-outimpl-ServiceEntry.yaml -n testdomain
kubectl apply -f istio-ingress/oss-jt-offical-ServiceEntry.yaml -n offical

===============================================================================================================
# kubectl get envoyfilters.networking.istio.io --all-namespaces
NAMESPACE NAME AGE
testdomain vault-grpc-web-filter 17d
istio-system gateway-gzip 482d

应用envoyfilters：
kubectl apply -f vault/grpc-web-envoyfilter.yaml -n testdomain
kubectl apply -f istio-ingress/gzip_filter.yaml -n istio-system