安装kubectl:
sudo curl --silent --location -o /usr/local/bin/kubectl \
https://s3.us-west-2.amazonaws.com/amazon-eks/1.21.5/2022-01-21/bin/linux/amd64/kubectl
sudo chmod +x /usr/local/bin/kubectl
更新awscli到v2版本:
curl "https://awscli.amazonaws.com/awscli-exe-linux-x86_64.zip" -o "awscliv2.zip"
unzip awscliv2.zip
sudo ./aws/install
安装jq及kubectl bash自动补全工具:
sudo yum -y install jq gettext bash-completion moreutils
kubectl completion bash >> ~/.bash_completion
. /etc/profile.d/bash_completion.sh
. ~/.bash_completion
安装eksctl工具:
curl --silent --location "https://github.com/weaveworks/eksctl/releases/latest/download/eksctl_$(uname -s)_amd64.tar.gz" | tar xz -C /tmp
sudo mv -v /tmp/eksctl /usr/local/bin
eksctl version
安装helm:
curl -sSL https://raw.githubusercontent.com/helm/helm/master/scripts/get-helm-3 | bash
这部分将涵盖在EKS中使用AppMesh的基础设置。
请配置实验所在区域,例如us-west-2或cn-northwest-1:
export AWS_DEFAULT_REGION=$REGION_ID
使用以下命令,通过eksctl创建一个EKS集群:
eksctl create cluster \
--name appmeshtest \
--nodes-min 2 \
--node-type m5.large \
--nodes-max 3 \
--nodes 2 \
--auto-kubeconfig \
--full-ecr-access \
--appmesh-access
# ...
# [✔] EKS cluster "appmeshtest" in "us-west-2" region is ready
完成后,根据eksctl的输出更新KUBECONFIG环境变量:
export KUBECONFIG=~/.kube/eksctl/clusters/appmeshtest
为了打开新terminal时不需要再执行上面命令,我们将上面的配置写到~/.bash_profile:
echo "export KUBECONFIG=~/.kube/eksctl/clusters/appmeshtest" >> ~/.bash_profile
source ~/.bash_profile
为了在Pod创建时自动注入App Mesh组件和代理,我们需要在集群上创建一些自定义资源。为此,我们将使用 helm。
将代码仓库克隆到适当的目录,然后cd目录中,我们将从该路径运行所有命令。
git clone https://github.com/aws-samples/app-mesh-workshop-greater-china.git
cd app-mesh-workshop-greater-china.git
安装App Mesh组件
运行以下命令集以安装App Mesh控制器(controller)
# 添加eks charts repo 到本地 helm
helm repo add eks https://aws.github.io/eks-charts
# 安装 appmesh controller CRDS
kubectl apply -k "https://github.com/aws/eks-charts/stable/appmesh-controller/crds?ref=master"
# 创建 namespace appmesh-system
kubectl create ns appmesh-system
为集群创建 OpenID Connect (OIDC) 身份提供程序
eksctl utils associate-iam-oidc-provider \
--region=$AWS_DEFAULT_REGION \
--cluster appmeshtest \
--approve
创建对应的 IAM Role
eksctl create iamserviceaccount \
--cluster appmeshtest \
--namespace appmesh-system \
--name appmesh-controller \
--attach-policy-arn arn:aws:iam::aws:policy/AWSCloudMapFullAccess,arn:aws:iam::aws:policy/AWSAppMeshFullAccess \
--override-existing-serviceaccounts \
--approve
安装 appmesh controller
helm upgrade -i appmesh-controller eks/appmesh-controller \
--namespace appmesh-system \
--set region=$AWS_DEFAULT_REGION \
--set serviceAccount.create=false \
--set serviceAccount.name=appmesh-controller
如果在亚马逊云科技中国区域部署,可能会遇到拉取镜像失败的问题。 使用下面的命令更换亚马逊云科技中国区容器镜像
helm upgrade -i appmesh-controller eks/appmesh-controller \
--namespace appmesh-system \
--set region=$AWS_DEFAULT_REGION \
--set serviceAccount.create=false \
--set serviceAccount.name=appmesh-controller \
--set image.repository=961992271922.dkr.ecr.cn-northwest-1.amazonaws.com.cn/amazon/appmesh-controller \
--set init.image.repository=048912060910.dkr.ecr.cn-northwest-1.amazonaws.com.cn/aws/appmesh/aws-appmesh-proxy-route-manager \
--set init.iamge.tag=v3-prod \
--set public.ecr.aws/appmesh/aws-appmesh-envoy \
--set sidecar.image.tag=v1.19.1.0-prod
验证
kubectl get deployment appmesh-controller \
-n appmesh-system -owide
详情可以参考:https://docs.aws.amazon.com/zh_cn/app-mesh/latest/userguide/getting-started-kubernetes.html#install-controller
目前,一切就绪,您已经配置了EKS集群并设置了App Mesh组件,这些组件能够自动向Pod注入Envoy并负责App Mesh资源(如Mesh,虚拟节点,虚拟服务和虚拟路由器)的生命周期管理。
此时,您可能还需要检查App Mesh Controller使用的自定义资源:
kubectl api-resources --api-group=appmesh.k8s.aws
# NAME SHORTNAMES APIGROUP NAMESPACED KIND
# meshes appmesh.k8s.aws false Mesh
# virtualnodes appmesh.k8s.aws true VirtualNode
# virtualrouters appmesh.k8s.aws true VirtualRouter
# virtualservices appmesh.k8s.aws true VirtualService
如果完成了上面的内容,可以使用示例应用验证集群。howto-k8s-http2 来演示将App Mesh与EKS结合使用的方法。
确保使用以下命令创建了所有资源:
kubectl -n appmesh-system get deploy,po,svc
NAME READY UP-TO-DATE AVAILABLE AGE
deployment.apps/appmesh-controller 1/1 1 1 19h
NAME READY STATUS RESTARTS AGE
pod/appmesh-controller-5954995557-tsnf9 1/1 Running 0 19h
NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE
service/appmesh-controller-webhook-service ClusterIP 10.100.18.188 <none> 443/TCP 19h
kubectl get pod -n howto-k8s-http2 -o wide
NAME READY STATUS RESTARTS AGE IP NODE NOMINATED NODE READINESS GATES
blue-64885d7dd6-bjlx5 2/2 Running 0 3m48s 192.168.83.144 ip-192-168-70-3.us-west-2.compute.internal <none> 1/1
client-6ddfdd884d-l9nvv 2/2 Running 0 3m49s 192.168.87.223 ip-192-168-70-3.us-west-2.compute.internal <none> 1/1
green-5674cfb556-65qch 2/2 Running 0 3m48s 192.168.1.139 ip-192-168-4-114.us-west-2.compute.internal <none> 1/1
red-5bf7f49fbd-86f54 2/2 Running 0 3m49s 192.168.82.36 ip-192-168-70-3.us-west-2.compute.internal <none> 1/1
现在,使用aws CLI验证服务网格的创建情况:
aws appmesh list-meshes
# {
# "meshes": [
# {
# "arn": "arn:aws:appmesh:us-west-2:1234567890:mesh/howto-k8s-http2",
# "createdAt": 1592578534.868,
# "lastUpdatedAt": 1592578534.868,
# "meshName": "howto-k8s-http2",
# "meshOwner": "1234567890",
# "resourceOwner": "1234567890",
# "version": 1
# }
# ]
# }
aws appmesh list-virtual-services --mesh-name howto-k8s-http2
# {
# "virtualServices": [
# {
# "arn": "arn:aws:appmesh:us-west-2:1234567890:mesh/howto-k8s-http2/virtualService/color.howto-k8s-http2.svc.cluster.local",
# "createdAt": 1592578534.971,
# "lastUpdatedAt": 1592578535.237,
# "meshName": "howto-k8s-http2",
# "meshOwner": "1234567890",
# "resourceOwner": "1234567890",
# "version": 2,
# "virtualServiceName": "color.howto-k8s-http2.svc.cluster.local"
# }
# ]
# }
aws appmesh list-virtual-nodes --mesh-name howto-k8s-http2
# {
# "virtualNodes": [
# {
# "arn": "arn:aws:appmesh:us-west-2:1234567890:mesh/howto-k8s-http2/virtualNode/green_howto-k8s-http2",
# "createdAt": 1592578534.934,
# "lastUpdatedAt": 1592578534.934,
# "meshName": "howto-k8s-http2",
# "meshOwner": "1234567890",
# "resourceOwner": "1234567890",
# "version": 1,
# "virtualNodeName": "green_howto-k8s-http2"
# },
# {
# "arn": "arn:aws:appmesh:us-west-2:1234567890:mesh/howto-k8s-http2/virtualNode/client_howto-k8s-http2",
# "createdAt": 1592578534.965,
# "lastUpdatedAt": 1592578534.965,
# "meshName": "howto-k8s-http2",
# "meshOwner": "1234567890",
# "resourceOwner": "1234567890",
# "version": 1,
# "virtualNodeName": "client_howto-k8s-http2"
# },
# {
# "arn": "arn:aws:appmesh:us-west-2:1234567890:mesh/howto-k8s-http2/virtualNode/blue_howto-k8s-http2",
# "createdAt": 1592578534.929,
# "lastUpdatedAt": 1592578534.929,
# "meshName": "howto-k8s-http2",
# "meshOwner": "1234567890",
# "resourceOwner": "1234567890",
# "version": 1,
# "virtualNodeName": "blue_howto-k8s-http2"
# },
# {
# "arn": "arn:aws:appmesh:us-west-2:1234567890:mesh/howto-k8s-http2/virtualNode/red_howto-k8s-http2",
# "createdAt": 1592578534.91,
# "lastUpdatedAt": 1592578534.91,
# "meshName": "howto-k8s-http2",
# "meshOwner": "1234567890",
# "resourceOwner": "1234567890",
# "version": 1,
# "virtualNodeName": "red_howto-k8s-http2"
# }
# ]
# }
aws appmesh list-virtual-routers --mesh-name howto-k8s-http2
# {
# "virtualRouters": [
# {
# "arn": "arn:aws:appmesh:us-west-2:1234567890:mesh/howto-k8s-http2/virtualRouter/color_howto-k8s-http2",
# "createdAt": 1592578535.039,
# "lastUpdatedAt": 1592578535.039,
# "meshName": "howto-k8s-http2",
# "meshOwner": "1234567890",
# "resourceOwner": "1234567890",
# "version": 1,
# "virtualRouterName": "color_howto-k8s-http2"
# }
# ]
# }
您可以按以下方式访问应用程序集群中的color服务:
kubectl -n howto-k8s-http2 port-forward deployment/client 7000:8080 &
# Color virtual service uses the color virtual router with even distribution to 3 virtual nodes (red, blue, and green) over HTTP/2. Prove this by running the following command a few times:
curl localhost:7000/color ; echo;
red
curl localhost:7000/color ; echo;
green
curl localhost:7000/color ; echo;
blue
这样就完成了有关基础部署的工作。 现在,您可以继续进行第2天的操作任务,例如在EKS上将CloudWatch 与App Mesh一起使用.
删除演示命名空间(namesapce)和Mesh自定义资源时,AWS App Mesh Controller会清理网格及其相关资源(虚拟节点,服务,虚拟路由器等),如下所示:
kubectl delete ns howto-k8s-http2 && kubectl delete mesh howto-k8s-http2
helm delete appmesh-controller -n appmesh-system
最后,使用以下方法释放EKS集群所有计算,网络和存储资源:
eksctl delete cluster --name appmeshtest