istio网格扩展在虚拟机上的初始化动作
#!/bin/bash
# local-vm-ip e.g. 192.168.2.200
# istio-control-plane-vm-ip e.g. 192.168.2.100
# k8s-service-cidr e.g. 10.68.0.0/16
# k8s-pod-cidr e.g. 172.20.0.0/24
# k8s-dns-svc-ip e.g. 10.68.0.10
# app-namespace e.g. bookinfo
# app-namespace-certs e.g. /tmp/certs.tar
# app-inbound-ports e.g. 8081,8082,8083
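#######################################
# Print the command-line usage, with an example invocation, to stdout.
# Globals:   none
# Arguments: none
# Outputs:   usage text on stdout
# Returns:   0
#######################################
function usage {
  # printf instead of 'echo -e': echo's -e handling is not portable, and the
  # previous multi-argument echo joined every example flag onto one line.
  printf '%s\n' \
    'Usage:' \
    '  e.g. bash ./istio-sidecar-post-setup.sh \' \
    '    --local-vm-ip=192.168.2.200 \' \
    '    --istio-control-plane-vm-ip=192.168.2.100 \' \
    '    --k8s-service-cidr=10.68.0.0/16 \' \
    '    --k8s-pod-cidr=172.20.0.0/24 \' \
    '    --k8s-dns-svc-ip=10.68.0.10 \' \
    '    --app-namespace=bookinfo \' \
    '    --app-namespace-certs=/tmp/certs.tar \' \
    '    --app-inbound-ports=8081,8082,8083'
}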
# The long options below need GNU (enhanced) getopt; on macOS the Homebrew
# gnu-getopt package installs it outside PATH, so point at it explicitly.
case "$OSTYPE" in
  darwin*) GETOPT_CMD=/usr/local/opt/gnu-getopt/bin/getopt ;;
  *)       GETOPT_CMD=getopt ;;
esac
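# Normalise the command line with getopt(1). $(...) replaces the backticks,
# the failure test is attached to the command instead of a later "$?" check,
# and the diagnostic goes to stderr.
if ! ARGS=$("${GETOPT_CMD}" -a -o L:I:S:P:D:n:c:p:h \
    --long local-vm-ip:,istio-control-plane-vm-ip:,k8s-service-cidr:,k8s-pod-cidr:,k8s-dns-svc-ip:,app-namespace:,app-namespace-certs:,app-inbound-ports:,help \
    -- "$@"); then
  echo "Arguments error!" >&2
  usage
  exit 1
fi
# eval on getopt output is the documented idiom: enhanced getopt shell-quotes
# every argument, which is the only reason this is safe with arbitrary input.
eval set -- "${ARGS}"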
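# Walk the normalised argument list. Each option consumes its value with an
# extra shift; the trailing shift drops the option itself. A default arm is
# added so an unexpected token aborts instead of looping on an empty "$1".
while true; do
  case "$1" in
    -L|--local-vm-ip)
      local_vm_ip="$2"
      shift
      ;;
    -I|--istio-control-plane-vm-ip)
      istio_control_plane_vm_ip="$2"
      shift
      ;;
    -S|--k8s-service-cidr)
      k8s_service_cidr="$2"
      shift
      ;;
    -P|--k8s-pod-cidr)
      k8s_pod_cidr="$2"
      shift
      ;;
    -D|--k8s-dns-svc-ip)
      k8s_dns_svc_ip="$2"
      shift
      ;;
    -n|--app-namespace)
      app_namespace="$2"
      shift
      ;;
    -c|--app-namespace-certs)
      app_namespace_certs="$2"
      shift
      ;;
    -p|--app-inbound-ports)
      app_inbound_ports="$2"
      shift
      ;;
    -h|--help)
      usage
      exit 0
      ;;
    --)
      shift
      break
      ;;
    *)
      # getopt already rejected unknown options; this only fires if the
      # argument list was not produced by it (or "$1" is empty).
      printf 'Unexpected argument: %s\n' "$1" >&2
      exit 1
      ;;
  esac
  shift
done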
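# Echo the parsed settings back to the operator. printf with quoted
# expansions replaces the unquoted echo, so values are never glob-expanded
# or word-split on the way out; ${!name} reads each variable by name.
for name in local_vm_ip istio_control_plane_vm_ip k8s_service_cidr k8s_pod_cidr \
    k8s_dns_svc_ip app_namespace app_namespace_certs app_inbound_ports; do
  printf '%s: %s\n' "${name}" "${!name}"
done
unset name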
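#######################################
# Validate the parsed command-line values before anything on the host is
# touched. Each value is later interpolated into ip(8) arguments, sed
# scripts, dig queries or generated config files, so its shape is checked
# here. (The previous empty body was also a bash syntax error.)
# Globals:   local_vm_ip, istio_control_plane_vm_ip, k8s_service_cidr,
#            k8s_pod_cidr, k8s_dns_svc_ip, app_namespace,
#            app_namespace_certs, app_inbound_ports (all read)
# Arguments: none
# Outputs:   one line per problem on stderr
# Returns:   0 when every value is present and well-formed; exits 1 otherwise
#######################################
function check_args {
  local ipv4='^[0-9]{1,3}(\.[0-9]{1,3}){3}$'
  local cidr='^[0-9]{1,3}(\.[0-9]{1,3}){3}/[0-9]{1,2}$'
  local errors=0
  local name

  for name in local_vm_ip istio_control_plane_vm_ip k8s_dns_svc_ip; do
    if ! [[ "${!name}" =~ $ipv4 ]]; then
      printf 'check_args: --%s must be an IPv4 address, got "%s"\n' \
        "${name//_/-}" "${!name}" >&2
      errors=1
    fi
  done

  for name in k8s_service_cidr k8s_pod_cidr; do
    if ! [[ "${!name}" =~ $cidr ]]; then
      printf 'check_args: --%s must be an IPv4 CIDR, got "%s"\n' \
        "${name//_/-}" "${!name}" >&2
      errors=1
    fi
  done

  # A namespace is a DNS label; it is also spliced into a sed script by
  # config_dns, so nothing outside [a-z0-9-] is accepted.
  if ! [[ "${app_namespace}" =~ ^[a-z0-9]([a-z0-9-]*[a-z0-9])?$ ]]; then
    printf 'check_args: --app-namespace must be a DNS label, got "%s"\n' \
      "${app_namespace}" >&2
    errors=1
  fi

  # Comma-separated port numbers only; the value lands in cluster.env.
  if ! [[ "${app_inbound_ports}" =~ ^[0-9]+(,[0-9]+)*$ ]]; then
    printf 'check_args: --app-inbound-ports must be comma-separated numbers, got "%s"\n' \
      "${app_inbound_ports}" >&2
    errors=1
  fi

  if [[ -z "${app_namespace_certs}" || ! -r "${app_namespace_certs}" ]]; then
    printf 'check_args: --app-namespace-certs "%s" is not a readable file\n' \
      "${app_namespace_certs}" >&2
    errors=1
  fi

  if (( errors != 0 )); then
    exit 1
  fi
  return 0
}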
#######################################
# Install the sidecar and its host dependencies with yum.
# Globals:   none
# Arguments: none
# Returns:   yum's exit status
#######################################
function install_pkgs {
  local -a pkgs=(istio-sidecar dnsmasq net-tools bind-utils chrony)
  yum install -y "${pkgs[@]}"
}
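#######################################
# Route the cluster's service and pod CIDRs through the control-plane VM.
# Globals:   k8s_service_cidr, k8s_pod_cidr, istio_control_plane_vm_ip (read)
# Arguments: none
# Returns:   exit status of the last "ip route add"
#######################################
function config_route_rules {
  local dst
  for dst in "${k8s_service_cidr}" "${k8s_pod_cidr}"; do
    # Expansions are quoted so a malformed value cannot be split into extra
    # ip(8) arguments. Kept best-effort like the original: on a re-run the
    # route may already exist and ip(8) reports an error for it.
    ip route add "${dst}" via "${istio_control_plane_vm_ip}"
  done
}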
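#######################################
# Make the control-plane VM the only NTP source of this host and step the
# clock immediately (certificates are time-sensitive).
# Globals:   istio_control_plane_vm_ip (read)
# Arguments: none
# Outputs:   the appended "server" line on stdout (via tee)
# Returns:   exit status of "chronyc makestep"
#######################################
function config_chrony_service {
  local conf=/etc/chrony.conf
  # Comment out every existing "server ..." line (anchored, so no /g needed).
  sed -i -e 's/^server/#server/' "${conf}"
  printf 'server %s iburst\n' "${istio_control_plane_vm_ip}" | tee -a "${conf}"
  sed -i -e 's/^#keyfile/keyfile/' "${conf}"
  systemctl restart chronyd
  timedatectl set-ntp 1
  # NOTE(review): "-a" is accepted but no longer needed by recent chronyc;
  # kept for older releases — confirm against the installed version.
  chronyc -a makestep
}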
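#######################################
# Resolve the cluster IP of one istio-system service via the cluster DNS.
# Globals:   k8s_dns_svc_ip (read)
# Arguments: $1 - service name without namespace or domain (e.g. istio-pilot)
# Outputs:   the first IPv4 answer on stdout; nothing when resolution fails
# Returns:   0 if an address was found, 1 otherwise
#######################################
function resolve_istio_svc_ip {
  local fqdn="$1.istio-system.svc.cluster.local"
  local ip
  # The DNS answer is external data that is written into dnsmasq's config,
  # so only a plain dotted-quad is accepted (also drops CNAME targets that
  # "+short" prints before the A record).
  ip=$(dig +short "${fqdn}" "@${k8s_dns_svc_ip}" \
    | grep -E -m1 '^[0-9]{1,3}(\.[0-9]{1,3}){3}$')
  [[ -n "${ip}" ]] || return 1
  printf '%s\n' "${ip}"
}

#######################################
# Generate the dnsmasq zone for in-cluster names and the sidecar's
# cluster.env, then (re)start dnsmasq. Nothing is written unless every
# control-plane service resolved, so a DNS failure no longer leaves
# "address=/name/" entries with an empty IP in dnsmasq's config.
# Globals:   k8s_dns_svc_ip, k8s_service_cidr, app_inbound_ports,
#            app_namespace, local_vm_ip (read)
# Arguments: none
# Outputs:   /etc/dnsmasq.d/kubedns and /etc/istio/envoy/cluster.env
# Returns:   0 on success, 1 if a service could not be resolved
#######################################
function generate_istio_sidecar_cfg {
  local svc ip
  local -A svc_ip=()
  for svc in istio-policy istio-telemetry istio-pilot istio-citadel zipkin; do
    if ! ip=$(resolve_istio_svc_ip "${svc}"); then
      printf 'generate_istio_sidecar_cfg: cannot resolve %s.istio-system via %s\n' \
        "${svc}" "${k8s_dns_svc_ip}" >&2
      return 1
    fi
    svc_ip[${svc}]=${ip}
  done

  # Forward *.svc.cluster.local to kube-dns; pin the short names the sidecar
  # uses for the control plane (istio-ca is an alias of citadel).
  cat << EOF > /etc/dnsmasq.d/kubedns
server=/svc.cluster.local/${k8s_dns_svc_ip}
address=/istio-policy/${svc_ip[istio-policy]}
address=/istio-telemetry/${svc_ip[istio-telemetry]}
address=/istio-pilot/${svc_ip[istio-pilot]}
address=/istio-citadel/${svc_ip[istio-citadel]}
address=/istio-ca/${svc_ip[istio-citadel]}
address=/zipkin/${svc_ip[zipkin]}
address=/istio-policy.istio-system/${svc_ip[istio-policy]}
address=/istio-telemetry.istio-system/${svc_ip[istio-telemetry]}
address=/istio-pilot.istio-system/${svc_ip[istio-pilot]}
address=/istio-citadel.istio-system/${svc_ip[istio-citadel]}
address=/istio-ca.istio-system/${svc_ip[istio-citadel]}
address=/zipkin.istio-system/${svc_ip[zipkin]}
EOF
  systemctl restart dnsmasq
  systemctl enable dnsmasq

  # NOTE(review): ISTIO_CP_AUTH=NONE is what this script configures — the
  # proxy does not use mutual TLS towards the control plane; confirm this
  # matches the cluster's control-plane security setting.
  cat << EOF > /etc/istio/envoy/cluster.env
ISTIO_SERVICE_CIDR=${k8s_service_cidr}
ISTIO_SYSTEM_NAMESPACE=istio-system
ISTIO_CP_AUTH=NONE
ISTIO_INBOUND_PORTS=${app_inbound_ports}
ISTIO_NAMESPACE=${app_namespace}
ISTIO_SVC_IP=${local_vm_ip}
EOF
  # "user:group" is the documented chown form; "user.group" is a legacy spelling.
  chown istio-proxy:istio-proxy /etc/istio/envoy/cluster.env
}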
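#######################################
# Stop NetworkManager from managing the resolver and point /etc/resolv.conf
# at the local dnsmasq first.
# Globals:   app_namespace (read)
# Arguments: none
# Outputs:   edits /etc/NetworkManager/NetworkManager.conf and /etc/resolv.conf
# Returns:   0 on success, 1 if the namespace is not a plain DNS label
#######################################
function config_dns {
  # The namespace is spliced into a sed script below, so refuse anything
  # that is not a DNS label — otherwise "/" or "\n" in the value would be
  # interpreted as sed syntax.
  if ! [[ "${app_namespace}" =~ ^[a-z0-9]([a-z0-9-]*[a-z0-9])?$ ]]; then
    printf 'config_dns: invalid app namespace "%s"\n' "${app_namespace}" >&2
    return 1
  fi
  # Append plugins/dns=none right after "[main]" (GNU sed "\n" in the
  # replacement). Has no effect if the file has no "[main]" section.
  sed -i -e '/^\[main\]$/ s/$/\nplugins=ifcfg-rh\ndns=none/' /etc/NetworkManager/NetworkManager.conf
  systemctl restart NetworkManager
  # Prepend the search domains and the local nameserver. Not idempotent: a
  # re-run prepends the two lines again.
  sed -i -e "1s/^/search ${app_namespace}.svc.cluster.local svc.cluster.local\nnameserver 127.0.0.1\n/" /etc/resolv.conf
}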
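#######################################
# Unpack the namespace's certificate bundle into /etc/certs for istio-proxy.
# Globals:   app_namespace_certs (read)
# Arguments: none
# Outputs:   files under /etc/certs
# Returns:   0 on success, 1 if the archive is unreadable or extraction fails
#######################################
function extract_app_namespace_certs {
  local dest=/etc/certs
  if [[ -z "${app_namespace_certs}" || ! -r "${app_namespace_certs}" ]]; then
    printf 'extract_app_namespace_certs: cannot read "%s"\n' "${app_namespace_certs}" >&2
    return 1
  fi
  # tar -C fails if the target directory does not exist yet.
  mkdir -p -- "${dest}" || return 1
  # The bundle is operator-supplied input; member paths and modes are not
  # re-checked here beyond what tar(1) does itself.
  tar -xzf "${app_namespace_certs}" -C "${dest}" || return 1
  # NOTE(review): ownership is fixed but modes are taken from the archive —
  # confirm the private key is not group/world readable after extraction.
  chown -R istio-proxy:istio-proxy "${dest}"
}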
#######################################
# Restart the sidecar units so they pick up the generated configuration.
# Globals:   none
# Arguments: none
# Returns:   exit status of the last systemctl restart
#######################################
function restart_istio_sidecar_service {
  local unit
  for unit in istio istio-auth-node-agent; do
    systemctl restart "${unit}"
  done
}
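#######################################
# Run the VM setup steps in order. Steps whose failure makes the following
# ones meaningless (arguments, packages, generated config, certificates)
# abort the script; the remaining steps stay best-effort because they may
# report an error on a re-run (e.g. a route that already exists).
# Globals:   none directly (each step reads the parsed option variables)
# Arguments: ignored
# Returns:   0 on success; exits 1 when a required step fails
#######################################
function main {
  # 1. check arguments
  check_args || exit 1
  # 2. install istio-sidecar, dnsmasq, net-tools, bind-utils, chrony
  install_pkgs || exit 1
  # 3. add route rules
  config_route_rules
  # 4. configure NTP client
  config_chrony_service
  # 5. generate cluster.env and kubedns
  generate_istio_sidecar_cfg || exit 1
  # 6. disable network-manager, configure /etc/resolv.conf
  config_dns
  # 7. extract app namespace's certs to /etc/certs
  extract_app_namespace_certs || exit 1
  # 8. restart istio-auth-node-agent, istio service
  restart_istio_sidecar_service
}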
# Entry point; the positional parameters were already consumed by the option
# loop above and main ignores them, so forwarding "$@" is purely conventional.
main "$@"