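# Example values file (istio-values.yaml).
# NOTE: the YAML nesting was flattened in this copy; restore the indentation (e.g. `enabled` under `prometheus`) before using it.
# If the commented-out Grafana `security` block is enabled, take adminUser/adminPassword from a secret store instead of committing real values in this file.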
cat > istio-values.yaml << EOF
prometheus:
enabled: true
# enabled: true
# tolerations:
# - effect: NoSchedule
# key: monitor
# operator: Equal
# value: monitor
grafana:
enabled: true
# enabled: true
# replicaCount: 1
# persist: true
# storageClassName: alicloud-disk-efficiency
# accessMode: ReadWriteOnce
# storageSize: 20Gi
# security:
# enabled: true
# adminUser: xxx
# adminPassword: xxxxxxxxx
mixer:
telemetry:
enabled: true
autoscaleMin: 1
pilot:
traceSampling: 10
tracing:
enabled: true
# tolerations:
# - effect: NoSchedule
# key: monitor
# operator: Equal
# value: monitor
kiali:
enabled: false
# tolerations:
# - effect: NoSchedule
# key: monitor
# operator: Equal
# value: monitor
global:
hub: istio
istioNamespace: istio-system
proxy:
accessLogFile: "/dev/stdout"
includeIPRanges: '10.96.0.0/12,10.128.0.0/12'
autoInject: false
gateways:
istio-ingressgateway:
sds:
enabled: true
autoscaleMin: 5
autoscaleMax: 8
type: LoadBalancer
externalTrafficPolicy: Local
env:
ISTIO_META_IDLE_TIMEOUT: 600s
ports:
- port: 80
targetPort: 80
name: http2
- port: 443
name: https
- port: 7080
name: http2-diiing
- port: 8883
name: mqttssl
EOF
# Release downloads: https://github.com/istio/istio/releases
# Install Istio 1.2.10 with Helm 3.x
cd istio-1.2.10
helm install istio-init install/kubernetes/helm/istio-init --namespace istio-system
vim /install/kubernetes/helm/istio/charts/gateways/templates/rolebindings.yaml
vim install/kubernetes/helm/istio/charts/gateways/templates/rolebindings.yaml
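# In that file, change {{- if ($spec.sds) and (eq $spec.sds.enabled true) }} to {{- if and ($spec.sds) (eq $spec.sds.enabled true) }}
# (Go templates take `and` as a prefix function, so the operands must follow it.)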
helm template istio install/kubernetes/helm/istio --namespace istio-system -f istio-values.yaml > istio-home.yaml
helm template istio-cni install/kubernetes/helm/istio-cni --set istio_cni.enabled=true -n istio-system >istio-cni.yaml
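# Before applying, edit the rendered istio-cni.yaml (vim: %s/v1beta1/v1/g) so that the RBAC objects use rbac.authorization.k8s.io/v1 and the DaemonSet uses apps/v1.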
kubectl apply -f istio-cni.yaml
# 升级 istio 1.3.8 helm 3.x
cd istio-1.3.8
kubectl delete -f ../istio-1.2.10/istio-cni.yaml ;helm install istio-cni install/kubernetes/helm/istio-cni --namespace kube-system
helm upgrade --install istio-init install/kubernetes/helm/istio-init --namespace istio-system
vim install/kubernetes/helm/istio/charts/gateways/templates/rolebindings.yaml
vim install/kubernetes/helm/istio/charts/gateways/templates/role.yaml
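# In both files, change {{- if ($spec.sds) and (eq $spec.sds.enabled true) }} to {{- if and ($spec.sds) (eq $spec.sds.enabled true) }}
# The two --set flags below are not attached to a command here; presumably they are appended to the `helm upgrade istio` command when needed.
# PILOT_SKIP_VALIDATE_TRUST_DOMAIN=true makes Pilot skip the check that an mTLS peer belongs to the same trust domain; keep it only as long as the upgrade requires and remove it afterwards.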
--set pilot.env.PILOT_SKIP_VALIDATE_TRUST_DOMAIN=true
--set pilot.enableProtocolSniffing=false
helm upgrade istio install/kubernetes/helm/istio -f ../istio-values.yaml --namespace istio-system
# 升级 istio-1.4.10 helm 3.x
cd istio-1.4.10
helm status istio-cni -n kube-system
helm upgrade istio-cni install/kubernetes/helm/istio-cni --namespace kube-system
helm upgrade --install istio-init install/kubernetes/helm/istio-init --namespace istio-system
kubectl -n istio-system wait --for=condition=complete job --all
helm upgrade istio install/kubernetes/helm/istio -f ../istio-values.yaml --namespace istio-system
# 测试环境 istio-1.3.8 升级 istio-1.4.10 helm 2.X
cd istio-1.4.10
cp ../istio-1.3.8/istio-values.yaml .
kubectl apply -f install/kubernetes/helm/istio-init/files/
helm template istio install/kubernetes/helm/istio --namespace istio-system -f istio-values.yaml > istio-1.4.10.yaml
kubectl apply -f istio-1.4.10.yaml -n istio-system --server-dry-run
kubectl apply -f istio-1.4.10.yaml -n istio-system
# istioctl 安装 1.4.10
cd istio-1.4.10
export PATH=$PWD/bin:$PATH
# First edit install/kubernetes/operator/profiles/default.yaml to apply the custom configuration.
istioctl manifest generate -f install/kubernetes/operator/profiles/default.yaml >generated-manifest.yaml
kubectl apply -f generated-manifest.yaml -n istio-system
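# istioctl upgrade: 1.4.10 -> 1.5.10
# The download command below pipes a script fetched through a URL shortener straight into sh.
# Prefer downloading the release archive from the releases page and verifying its published checksum before unpacking.
# curl -L https://git.io/getLatestIstio | ISTIO_VERSION=1.5.10 sh -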
cd istio-1.5.10
export PATH=$PWD/bin:$PATH
istioctl manifest versions
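# Remove the previous version's bin directory from PATH (the path below is specific to the author's host; adjust it).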
export PATH=`echo $PATH | sed 's#/nfs/tang/k8s/istio/istio-1.4.10/bin:##g'`
#导出Profile
istioctl profile dump default > default.yaml
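# Switch the JWT policy to first-party; otherwise errors such as an untrusted certificate are reported.
# Caveat: first-party-jwt uses the legacy service-account tokens, which carry no audience and no expiry, so it is the less secure setting.
# Where the cluster supports projected service-account tokens, keep third-party-jwt instead of downgrading.
# The later upgrade sections (up to 1.9.9) repeat the same sed, so the caveat applies there too.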
sed -i 's#jwtPolicy: third-party-jwt#jwtPolicy: first-party-jwt#g' default.yaml
sed -i 's#accessLogFile: ""#accessLogFile: "/dev/stdout"#g' default.yaml
#开启网关sds
name: istio-ingressgateway
sds:
enabled: true
# 增加网关变量
ingressGateways:
- enabled: true
k8s:
env:
- name: ISTIO_META_IDLE_TIMEOUT
value: 600s
# 增加网关端口开放
- name: http2-diiing
port: 7080
- name: mqttssl
port: 8883
# 清除1.4版本与1.5版本服务差异
kubectl -n istio-system delete service/istio-galley deployment.apps/istio-galley
kubectl delete validatingwebhookconfiguration.admissionregistration.k8s.io/istio-galley
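# Run the upgrade: do the dry run first and review its output.
# --force applies the upgrade without istioctl's eligibility checks, so use it only once the dry-run warnings are understood.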
istioctl upgrade -f default.yaml --dry-run
istioctl upgrade -f default.yaml --force
#升级完成后 清除无关服务
kubectl -n istio-system delete deployment istio-citadel istio-galley istio-pilot istio-policy istio-sidecar-injector istio-telemetry
kubectl -n istio-system delete service istio-citadel istio-policy istio-sidecar-injector istio-telemetry
kubectl -n istio-system delete horizontalpodautoscaler.autoscaling/istio-pilot horizontalpodautoscaler.autoscaling/istio-telemetry
kubectl -n istio-system delete pdb istio-citadel istio-galley istio-pilot istio-policy istio-sidecar-injector istio-telemetry
# 通过执行命令查看版本
istioctl version
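# At this point 5 data-plane workloads are still reported as not upgraded to 1.5.0 because they have not been restarted.
# They keep running the old sidecar proxy until then; restart them at a suitable time.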
# istioctl 升级 1.5.10至1.6.14
cd istio-1.6.14
export PATH=$PWD/bin:$PATH
istioctl manifest versions
istioctl profile dump default > default.yaml
sed -i 's#jwtPolicy: third-party-jwt#jwtPolicy: first-party-jwt#g' default.yaml
vim default.yaml
# 开启accessLog
spec:
meshConfig:
accessLogFile: /dev/stdout
# 增加网关变量
ingressGateways:
- enabled: true
k8s:
env:
- name: ISTIO_META_IDLE_TIMEOUT
value: 600s
# 增加网关端口开放
- name: http2-diiing
port: 7080
- name: mqttssl
port: 8883
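# Clean up deprecated resources.
# Caveat: deleting these objects and CRDs removes every v1alpha1 authentication Policy/MeshPolicy and every RBAC ServiceRole/ServiceRoleBinding in the cluster.
# Export them first (kubectl get ... -o yaml) and make sure equivalent PeerAuthentication / RequestAuthentication / AuthorizationPolicy objects are already applied; otherwise the mTLS and access-control rules they expressed are lost.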
kubectl delete policies.authentication.istio.io --all-namespaces --all
kubectl delete meshpolicies.authentication.istio.io --all
kubectl delete crds clusterrbacconfigs.rbac.istio.io
kubectl delete crds meshpolicies.authentication.istio.io
kubectl delete crds policies.authentication.istio.io
kubectl delete crds rbacconfigs.rbac.istio.io
kubectl delete crds servicerolebindings.rbac.istio.io
kubectl delete crds serviceroles.rbac.istio.io
istioctl experimental upgrade -f default.yaml --dry-run
istioctl experimental upgrade -f default.yaml
# istioctl 升级 1.6.14至1.7.8
cd istio-1.7.8
export PATH=$PWD/bin:$PATH
istioctl x precheck
istioctl profile dump default > default.yaml
sed -i 's#jwtPolicy: third-party-jwt#jwtPolicy: first-party-jwt#g' default.yaml
vim default.yaml
# 开启accessLog
spec:
meshConfig:
accessLogFile: /dev/stdout
# 增加网关变量
ingressGateways:
- enabled: true
k8s:
env:
- name: ISTIO_META_IDLE_TIMEOUT
value: 600s
# 增加网关端口开放
- name: http2-diiing
port: 7080
- name: mqttssl
port: 8883
istioctl experimental upgrade -f default.yaml --dry-run
istioctl experimental upgrade -f default.yaml
# istioctl 升级 1.7.8至1.8.6
cd istio-1.8.6
export PATH=$PWD/bin:$PATH
istioctl x precheck
istioctl profile dump default > default.yaml
sed -i 's#jwtPolicy: third-party-jwt#jwtPolicy: first-party-jwt#g' default.yaml
vim default.yaml
# 开启accessLog
spec:
meshConfig:
accessLogFile: /dev/stdout
# 增加网关变量
ingressGateways:
- enabled: true
k8s:
env:
- name: ISTIO_META_IDLE_TIMEOUT
value: 600s
# 增加网关端口开放
- name: http2-diiing
port: 7080
- name: mqttssl
port: 8883
istioctl upgrade -f default.yaml --dry-run
istioctl upgrade -f default.yaml
# istioctl 升级 1.8.6至1.9.9
cd istio-1.9.9
export PATH=$PWD/bin:$PATH
istioctl x precheck
istioctl profile dump default > default.yaml
sed -i 's#jwtPolicy: third-party-jwt#jwtPolicy: first-party-jwt#g' default.yaml
vim default.yaml
# 开启accessLog
spec:
meshConfig:
accessLogFile: /dev/stdout
# 增加网关端口开放
istio-ingressgateway:
ports:
- port: 15021
targetPort: 15021
name: status-port
protocol: TCP
- port: 80
targetPort: 8080
name: http2
protocol: TCP
- port: 443
targetPort: 8443
name: https
protocol: TCP
- name: http2-diiing
port: 7080
- name: mqttssl
port: 8883
- port: 15012
targetPort: 15012
name: tcp-istiod
protocol: TCP
- port: 15443
targetPort: 15443
name: tls
protocol: TCP
istioctl upgrade -f default.yaml --dry-run
istioctl upgrade -f default.yaml
istioctl analyze
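# istioctl upgrade: 1.9.9 -> 1.10.6
# Note: this section deletes the istio-sidecar-injector and istiod-istio-system webhook configurations before upgrading.
# Until the upgrade recreates them, new pods start without a sidecar and Istio configuration is not validated, so run the upgrade immediately afterwards.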
cd istio-1.10.6
export PATH=$PWD/bin:$PATH
istioctl x precheck
istioctl profile dump default > default.yaml
vim default.yaml
# 开启accessLog
spec:
meshConfig:
accessLogFile: /dev/stdout
# 增加网关端口开放
istio-ingressgateway:
ports:
- port: 15021
targetPort: 15021
name: status-port
protocol: TCP
- port: 80
targetPort: 8080
name: http2
protocol: TCP
- port: 443
targetPort: 8443
name: https
protocol: TCP
- name: http2-diiing
port: 7080
- name: mqttssl
port: 8883
kubectl delete crds servicerolebindings.rbac.istio.io
kubectl delete crds clusterrbacconfigs.rbac.istio.io
kubectl delete crds rbacconfigs.rbac.istio.io
kubectl delete crds serviceroles.rbac.istio.io
kubectl delete mutatingwebhookconfigurations.admissionregistration.k8s.io istio-sidecar-injector
kubectl delete validatingwebhookconfigurations.admissionregistration.k8s.io istiod-istio-system
istioctl upgrade -f default.yaml --dry-run
istioctl upgrade -f default.yaml
istioctl analyze
# istioctl 升级 1.10.6至1.11.8
# 所有节点 yum install -y socat
cd istio-1.11.8
export PATH=$PWD/bin:$PATH
istioctl x precheck
istioctl profile dump default > default.yaml
vim default.yaml
# 开启accessLog
spec:
meshConfig:
accessLogFile: /dev/stdout
# 增加网关端口开放
istio-ingressgateway:
ports:
- port: 15021
targetPort: 15021
name: status-port
protocol: TCP
- port: 80
targetPort: 8080
name: http2
protocol: TCP
- port: 443
targetPort: 8443
name: https
protocol: TCP
- name: http2-diiing
port: 7080
- name: mqttssl
port: 8883
istioctl upgrade -f default.yaml --dry-run
istioctl upgrade -f default.yaml
istioctl analyze
# istioctl 升级 1.11.8至1.12.9
cd istio-1.12.9
export PATH=$PWD/bin:$PATH
istioctl x precheck
istioctl profile dump default > default.yaml
vim default.yaml
# 开启accessLog
spec:
meshConfig:
accessLogFile: /dev/stdout
# 增加网关端口开放
istio-ingressgateway:
ports:
- port: 15021
targetPort: 15021
name: status-port
protocol: TCP
- port: 80
targetPort: 8080
name: http2
protocol: TCP
- port: 443
targetPort: 8443
name: https
protocol: TCP
- name: http2-diiing
port: 7080
- name: mqttssl
port: 8883
istioctl upgrade -f default.yaml --dry-run
istioctl upgrade -f default.yaml
istioctl analyze
# istioctl 升级 1.12.9至1.13.9
cd istio-1.13.9
export PATH=$PWD/bin:$PATH
istioctl x precheck
istioctl profile dump default > default.yaml
vim default.yaml
# 开启accessLog
spec:
meshConfig:
accessLogFile: /dev/stdout
# 增加网关端口开放
istio-ingressgateway:
ports:
- port: 15021
targetPort: 15021
name: status-port
protocol: TCP
- port: 80
targetPort: 8080
name: http2
protocol: TCP
- port: 443
targetPort: 8443
name: https
protocol: TCP
- name: http2-diiing
port: 7080
- name: mqttssl
port: 8883
istioctl upgrade -f default.yaml --dry-run
istioctl upgrade -f default.yaml
istioctl analyze
# istioctl 升级 1.13.9至1.14.6
cd istio-1.14.6
export PATH=$PWD/bin:$PATH
istioctl x precheck
istioctl profile dump default > default.yaml
vim default.yaml
# 开启accessLog
spec:
meshConfig:
accessLogFile: /dev/stdout
# 增加网关端口开放
istio-ingressgateway:
ports:
- port: 15021
targetPort: 15021
name: status-port
protocol: TCP
- port: 80
targetPort: 8080
name: http2
protocol: TCP
- port: 443
targetPort: 8443
name: https
protocol: TCP
- name: http2-diiing
port: 7080
- name: mqttssl
port: 8883
istioctl upgrade -f default.yaml --dry-run
istioctl upgrade -f default.yaml
istioctl analyze
# istioctl 升级 1.14.6至1.15.6
cd istio-1.15.6
export PATH=$PWD/bin:$PATH
istioctl x precheck
istioctl profile dump default > default.yaml
vim default.yaml
# 开启accessLog
spec:
meshConfig:
accessLogFile: /dev/stdout
# 增加网关端口开放
istio-ingressgateway:
ports:
- port: 15021
targetPort: 15021
name: status-port
protocol: TCP
- port: 80
targetPort: 8080
name: http2
protocol: TCP
- port: 443
targetPort: 8443
name: https
protocol: TCP
- name: http2-diiing
port: 7080
- name: mqttssl
port: 8883
istioctl upgrade -f default.yaml --dry-run
istioctl upgrade -f default.yaml
istioctl analyze