OpenShift 4 之Istio-Tutorial (2) 部署三个微服务

本系列OpenShift Servic Mesh教程是基于Red Hat官方公开发行的《Introducing Istio Service Mesh for Micoservices》出版物，我将所有操作在OpenShift 4.2.x环境中进行了验证。喜欢读英文或者需要了解更多和场景相关知识点的小伙伴可以通过上面的链接下载该书慢慢阅读。

本系列演示的场景使用了基于Java实现的三个微服务：Customer、Preference、Recommendation，它们的调用关系是Customer ? Preference ? Recommendation，其中Recommendation有多个版本。本章节主要部署这三个微服务并能从外部访问它们。

1. 首先将教程中使用到的代码下载到本地。由于我修改过部分代码，因此建议不要使用上游项目。

$ git clone https://github.com/liuxiaoyu-git/istio-tutorial.git
$ cd istio-tutorial

2. 然后创建名为tutorial的OpenShift项目，再为该项目的默认Service Account添加scc特权。

$ oc new-project tutorial
$ oc adm policy add-scc-to-user privileged -z default -n tutorial

3. 以Customer微服务为例，我们可以查看customer/kubernetes/Deployment.yml文件。此文件定义了如何部署Customer微服务，其中部署的容器镜像是“quay.io/rhdevelopers/istio-tutorial-customer:v1.1”；而将“sidecar.istio.io/inject”设为“true”是为了实现自动注入微服务的Sidecar。
4. 执行以下命令，部署Customer、Preference、Recommendation微服务并创建对应的Service。

$ oc apply -f customer/kubernetes/Deployment.yml -n tutorial
$ oc apply -f customer/kubernetes/Service.yml 
$ oc apply -f preference/kubernetes/Deployment.yml -n tutorial
$ oc apply -f preference/kubernetes/Service.yml 
$ oc apply -f recommendation/kubernetes/Deployment.yml -n tutorial
$ oc apply -f recommendation/kubernetes/Service.yml 

5. 查看运行微服务的Pod运行状态，完成后在tutorial中应该运行了3个Pod。每个Pod中运行2个Container，其中一个运行微服务，另一个运行Istio中的Sidecar。

$ oc get pod -n tutorial
NAME                                 READY   STATUS    RESTARTS   AGE
customer-77dc47d7f8-szhd5            2/2     Running   0          32h
preference-v1-55476494cf-xm4dq       2/2     Running   0          32h
recommendation-v1-67976848-4l4s7     2/2     Running   0          32h

注意：如果此时看到的Pod中只要一个容器，通常是由于没有将当前项目名"tutorial"添加到OpenShift Service Mesh Operator的Service MesMemberRoll中的members。
6. 运行命令，查看Customer微服务运行Pod中包括容的情况，其中一个运行微服务的容器customer，另一个容器运行sidecar的容器istio-proxy。

$ oc get pods -o jsonpath="{.items[*].spec.containers[*].name}" -l app=customer
customer istio-proxy
$ oc describe pod customer-77dc47d7f8-hbxcn 
...
Containers:customer:Container ID:   cri-o://bb459fef3e4080f703d83c61ff88c56c2ee2c5c424bab6071e2cd0f3a149b7a6Image:          quay.io/rhdevelopers/istio-tutorial-customer:v1.1Image ID:       quay.io/rhdevelopers/istio-tutorial-customer@sha256:d1b0054dc21406b6b5fc172e8ffd35cc4f447550e26cbafdc8f6a1f7d9184661Ports:          8080/TCP, 8778/TCP, 9779/TCPHost Ports:     0/TCP, 0/TCP, 0/TCPState:          RunningStarted:      Sun, 12 Jan 2020 18:36:23 +0800Last State:     TerminatedReason:       OOMKilledExit Code:    137Started:      Sun, 12 Jan 2020 14:32:19 +0800Finished:     Sun, 12 Jan 2020 18:36:22 +0800Ready:          TrueRestart Count:  2Limits:cpu:     500mmemory:  40MiRequests:cpu:      200mmemory:   20MiLiveness:   exec [curl localhost:8080/health/live] delay=5s timeout=1s period=4s #success=1 #failure=3Readiness:  exec [curl localhost:8080/health/ready] delay=6s timeout=1s period=5s #success=1 #failure=3Environment:JAVA_OPTIONS:  -Xms15m -Xmx15m -Xmn15mMounts:/var/run/secrets/kubernetes.io/serviceaccount from default-token-qt9vl (ro)istio-proxy:Container ID:  cri-o://41803682d3d2d6828e4077a3e6e3e338d886025dfa030fc7d7f02229cca88ad6Image:         registry.redhat.io/openshift-service-mesh/proxyv2-rhel8:1.0.3Image ID:      registry.redhat.io/openshift-service-mesh/proxyv2-rhel8@sha256:7f01dec612f36a48cd548a81f8f47a54b9f1b1c76366e40aefb56abe39cf167ePort:          15090/TCPHost Port:     0/TCPArgs:proxysidecar--domain$(POD_NAMESPACE).svc.cluster.local--configPath/etc/istio/proxy--binaryPath/usr/local/bin/envoy--serviceClustercustomer.$(POD_NAMESPACE)--drainDuration45s--parentShutdownDuration1m0s--discoveryAddressistio-pilot.istio-system:15010--zipkinAddresszipkin.istio-system:9411--connectTimeout10s--proxyAdminPort15000--concurrency2--controlPlaneAuthPolicyNONE--statusPort15020--applicationPorts8080,8778,9779State:          RunningStarted:      Sun, 12 Jan 2020 14:25:44 +0800Ready:          TrueRestart Count:  0Limits:cpu:     500mmemory:  128MiRequests:cpu:      100mmemory:   128MiReadiness:  http-get http://:15020/healthz/ready delay=1s timeout=1s period=2s #success=1 #failure=30Environment:POD_NAME:                      customer-77dc47d7f8-hbxcn (v1:metadata.name)POD_NAMESPACE:                 tutorial (v1:metadata.namespace)INSTANCE_IP:                    (v1:status.podIP)ISTIO_META_POD_NAME:           customer-77dc47d7f8-hbxcn (v1:metadata.name)ISTIO_META_CONFIG_NAMESPACE:   tutorial (v1:metadata.namespace)ISTIO_META_INTERCEPTION_MODE:  REDIRECTISTIO_METAJSON_ANNOTATIONS:    {"openshift.io/scc":"restricted","sidecar.istio.io/inject":"true"}ISTIO_METAJSON_LABELS:         {"app":"customer","pod-template-hash":"77dc47d7f8","version":"v1"}Mounts:/etc/certs/ from istio-certs (ro)/etc/istio/proxy from istio-envoy (rw)/var/run/secrets/kubernetes.io/serviceaccount from default-token-qt9vl (ro)
...

7. 为了访问Customer微服务，还要创建Gateway和VirtualService对象。可以查看customer/kubernetes/Gateway.yml文件中定义的Gateway(gw)和VirtualService(vs)对象，其中名为customer-gateway的VirtualService包括了一个名为customer-gateway的Gateway。customer-gateway的Gateway监听在80端口，当名为customer的VirtualService收到对于“/customer"路径请求后就发给名为customer的service，该service的监听端口是8080。
   VirtualService对象：

apiVersion: networking.istio.io/v1alpha3
kind: VirtualService                    
metadata:                               name: customer-vs     # VirtualService name 
spec:                                   hosts:                                - "*"                                 gateways:                             - customer-gw        # gateway name http:                                 - match:                              - uri:                              exact: /customer-ms                        rewrite:uri: / 				# 将"/customer"改写为"/"route:                              - destination:                      host: customer        # service url, can long service url or short service url. port:                           number: 8080 # service port 

Gateway对象：

apiVersion: networking.istio.io/v1alpha3                 
kind: Gateway                                            
metadata:                                                name: customer-gw                                
spec:                                                    selector:                                              istio: ingressgateway # 通过 istio=ingressgateway 的Label定位于ServiceMeshControlPlane，然后运行在那个ServiceMeshControlPlane.servers:                                               - port:                                                number: 80 name: http                                         protocol: HTTP                                     hosts:                                               - "*"                                                

8. 执行命令创建Gateway和VirtualService对象，然后查看它们的状态。
   注意：“istio-io”代表所有和网络相关的对象，包括Gateway、VirtualService、DestinationRule等对象。

$ oc apply -f customer/kubernetes/Gateway.yml -n tutorial
virtualservice.networking.istio.io/customer-vs created
gateway.networking.istio.io/customer-gw created
$ oc get istio-io
NAME                                             GATEWAYS        HOSTS   AGE
virtualservice.networking.istio.io/customer-vs   [customer-gw]   [*]     82
NAME                                      AGE
gateway.networking.istio.io/customer-gw   93m

9. 通过绑定到名为istio-ingressgateway路由的Gateway入口发起访问，返回结果显示微服务customer依次调用了preference和recommendation微服务。可以看到调用计数器会增加，且“67976848-4l4s7”为微服务运行pod的id。

$ export INGRESS_GATEWAY=$(oc get route istio-ingressgateway -n istio-system -o 'jsonpath={.spec.host}')
$ ./scripts/run.sh $INGRESS_GATEWAY/customer
customer => preference => recommendation v1 from '67976848-4l4s7': 1
customer => preference => recommendation v1 from '67976848-4l4s7': 2
customer => preference => recommendation v1 from '67976848-4l4s7': 3

至此，我们就在OpenShift 4的Serivice Mesh环境中部署好了三个微服务，并且已经可以从外部访问到它们了。