Migrate Istio to ARM CPU Architecture

August 21, 2022


Download the latest istioctl CLI tool

Get the download URL from: https://github.com/istio/istio/releases/

wget https://github.com/istio/istio/releases/download/1.15.0/istioctl-1.15.0-linux-amd64.tar.gz

--2022-09-10 11:12:44--  https://github.com/istio/istio/releases/download/1.15.0/istioctl-1.15.0-linux-amd64.tar.gz
正在解析主机 github.com (github.com)... 192.30.255.113
正在连接 github.com (github.com)|192.30.255.113|:443... 已连接。
已发出 HTTP 请求,正在等待回应... 302 Found
位置:https://objects.githubusercontent.com/github-production-release-asset-2e65be/74175805/b0d30df9-04f2-4450-ba43-3f2ca7ffcbe5?X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=AKIAIWNJYAX4CSVEH53A%2F20220910%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-Date=20220910T111244Z&X-Amz-Expires=300&X-Amz-Signature=91308927db1e3fe5e6fde4e9872ee161087826f943f17d539119d8426dcbaf4e&X-Amz-SignedHeaders=host&actor_id=0&key_id=0&repo_id=74175805&response-content-disposition=attachment%3B%20filename%3Distioctl-1.15.0-linux-amd64.tar.gz&response-content-type=application%2Foctet-stream [跟随至新的 URL]
--2022-09-10 11:12:44--  https://objects.githubusercontent.com/github-production-release-asset-2e65be/74175805/b0d30df9-04f2-4450-ba43-3f2ca7ffcbe5?X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=AKIAIWNJYAX4CSVEH53A%2F20220910%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-Date=20220910T111244Z&X-Amz-Expires=300&X-Amz-Signature=91308927db1e3fe5e6fde4e9872ee161087826f943f17d539119d8426dcbaf4e&X-Amz-SignedHeaders=host&actor_id=0&key_id=0&repo_id=74175805&response-content-disposition=attachment%3B%20filename%3Distioctl-1.15.0-linux-amd64.tar.gz&response-content-type=application%2Foctet-stream
正在解析主机 objects.githubusercontent.com (objects.githubusercontent.com)... 185.199.109.133, 185.199.110.133, 185.199.111.133, ...
正在连接 objects.githubusercontent.com (objects.githubusercontent.com)|185.199.109.133|:443... 已连接。
已发出 HTTP 请求,正在等待回应... 200 OK
长度:25016557 (24M) [application/octet-stream]
正在保存至: “istioctl-1.15.0-linux-amd64.tar.gz”

100%[=======================================================================>] 25,016,557  39.2MB/s 用时 0.6s

2022-09-10 11:12:45 (39.2 MB/s) - 已保存 “istioctl-1.15.0-linux-amd64.tar.gz” [25016557/25016557])

Extract the .tar.gz file
tar -xvzf istioctl-1.15.0-linux-amd64.tar.gz

sudo cp istioctl /usr/local/bin

istioctl version
exec plugin: invalid apiVersion "client.authentication.k8s.io/v1alpha1"
1.15.0
The client.authentication.k8s.io/v1alpha1 API has been deprecated and was removed from Kubernetes 1.24. istioctl follows upstream and uses the latest stable Kubernetes packages, which means you need to update the exec apiVersion in your kubeconfig to client.authentication.k8s.io/v1beta1.


Update kubectl
curl -LO https://dl.k8s.io/release/v1.23.10/bin/linux/amd64/kubectl

sudo cp kubectl /usr/local/bin

kubectl version --client
Client Version: version.Info{Major:"1", Minor:"23", GitVersion:"v1.23.10", GitCommit:"7e54d50d3012cf3389e43b096ba35300f36e0817", GitTreeState:"clean", BuildDate:"2022-08-17T18:32:54Z", GoVersion:"go1.17.13", Compiler:"gc", Platform:"linux/amd64"}
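
Before a downloaded binary is copied into /usr/local/bin, its digest can be compared with the published checksum. The following is an added example, not part of the original post; it assumes the kubectl.sha256 file that dl.k8s.io publishes next to the binary, and the function names are hypothetical.

```shell
#!/bin/sh
# Added example: verify a downloaded file against a published SHA-256
# checksum before installing it. Accepts both checksum-file layouts:
#   "<hex>"              bare digest, as in kubectl.sha256
#   "<hex>  <filename>"  sha256sum layout
#
# Usage with the kubectl download above (checksum URL is an assumption
# based on the binary's URL plus ".sha256"):
#   curl -LO https://dl.k8s.io/release/v1.23.10/bin/linux/amd64/kubectl.sha256
#   sudo sh -c '. ./verify.sh; install_verified kubectl kubectl.sha256 /usr/local/bin'

# verify_sha256 FILE CHECKSUM_FILE
# Returns 0 on an exact match, 1 on mismatch, 2 on unusable input.
verify_sha256() {
    file=$1
    sumfile=$2
    [ -r "$file" ] && [ -r "$sumfile" ] || { echo "missing input" >&2; return 2; }

    # First whitespace-delimited field of the first line, lower-cased.
    expected=$(awk 'NR==1 {print tolower($1)}' "$sumfile")

    # Reject anything that is not exactly 64 hex characters.
    case $expected in
        *[!0-9a-f]*|"") echo "malformed checksum file" >&2; return 2 ;;
    esac
    [ "${#expected}" -eq 64 ] || { echo "malformed checksum file" >&2; return 2; }

    actual=$(sha256sum "$file" | awk '{print $1}')
    if [ "$actual" = "$expected" ]; then
        echo "OK: $file"
        return 0
    fi
    echo "MISMATCH: $file (expected $expected, got $actual)" >&2
    return 1
}

# install_verified FILE CHECKSUM_FILE DEST_DIR
# Copies FILE into DEST_DIR with mode 0755 only after verification succeeds.
install_verified() {
    verify_sha256 "$1" "$2" || return $?
    install -m 0755 "$1" "$3/"
}
```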

Upgrade AWS CLI
curl "https://awscli.amazonaws.com/awscli-exe-linux-x86_64.zip" -o "awscliv2.zip"
unzip awscliv2.zip
sudo ./aws/install


Regenerate the kubeconfig
aws eks update-kubeconfig --name blog --region us-west-2
Updated context arn:aws:eks:us-west-2:111122223333:cluster/blog in /home/ec2-user/.kube/config


kubectl version
Kubeconfig user entry is using deprecated API version client.authentication.k8s.io/v1alpha1. Run 'aws eks update-kubeconfig' to update.
Client Version: version.Info{Major:"1", Minor:"23", GitVersion:"v1.23.10", GitCommit:"7e54d50d3012cf3389e43b096ba35300f36e0817", GitTreeState:"clean", BuildDate:"2022-08-17T18:32:54Z", GoVersion:"go1.17.13", Compiler:"gc", Platform:"linux/amd64"}
Server Version: version.Info{Major:"1", Minor:"23+", GitVersion:"v1.23.7-eks-4721010", GitCommit:"b77d9473a02fbfa834afa67d677fd12d690b195f", GitTreeState:"clean", BuildDate:"2022-06-27T22:19:07Z", GoVersion:"go1.17.10", Compiler:"gc", Platform:"linux/amd64"}

Update your kubeConfig
vim .kube/config
apiVersion: v1
kind: Config
users:
- name: arn:aws:eks:us-west-2:111122223333:cluster/blog
  user:
    exec:
      #apiVersion: client.authentication.k8s.io/v1alpha1
      apiVersion: client.authentication.k8s.io/v1beta1

kubectl version
Client Version: version.Info{Major:"1", Minor:"23", GitVersion:"v1.23.10", GitCommit:"7e54d50d3012cf3389e43b096ba35300f36e0817", GitTreeState:"clean", BuildDate:"2022-08-17T18:32:54Z", GoVersion:"go1.17.13", Compiler:"gc", Platform:"linux/amd64"}
Server Version: version.Info{Major:"1", Minor:"23+", GitVersion:"v1.23.7-eks-4721010", GitCommit:"b77d9473a02fbfa834afa67d677fd12d690b195f", GitTreeState:"clean", BuildDate:"2022-06-27T22:19:07Z", GoVersion:"go1.17.10", Compiler:"gc", Platform:"linux/amd64"}

istioctl version
client version: 1.15.0
control plane version: 1.14.1
data plane version: 1.14.1 (14 proxies)
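
The manual kubeconfig edit above can also be scripted, so that every user entry still pinned to v1alpha1 is listed and rewritten with a backup kept. This is an added example, not part of the original post; the function names and the second user in the sample are constructed, and it assumes the column-0 `- name:` layout shown in the kubeconfig above.

```shell
#!/bin/sh
# Added example: audit and migrate kubeconfig exec-credential entries that
# still use the removed client.authentication.k8s.io/v1alpha1 API.
# Assumes the layout shown on this page: users[] entries start with
# "- name:" in column 0.

OLD_API='client.authentication.k8s.io/v1alpha1'
NEW_API='client.authentication.k8s.io/v1beta1'

# list_alpha_users KUBECONFIG
# Print the name of each users[] entry whose active (uncommented) exec
# apiVersion is v1alpha1.
list_alpha_users() {
    awk -v old="$OLD_API" '
        /^users:/               { in_users = 1; next }
        /^[^ #-]/               { in_users = 0 }   # another top-level key
        in_users && /^- name:/  { name = $0; sub(/^- name:[ ]*/, "", name); next }
        in_users && /^[ ]+apiVersion:/ && index($0, old) { print name }
    ' "$1"
}

# migrate_kubeconfig KUBECONFIG
# Keep a backup, rewrite only active apiVersion lines, keep the file at
# mode 0600, and print how many user entries were changed.
migrate_kubeconfig() {
    cfg=$1
    count=$(list_alpha_users "$cfg" | wc -l | tr -d ' ')
    if [ "$count" -eq 0 ]; then echo 0; return 0; fi
    cp -p "$cfg" "$cfg.bak" || return 1
    tmp=$(mktemp "$cfg.XXXXXX") || return 1
    awk -v old="$OLD_API" -v new="$NEW_API" '
        /^[ ]+apiVersion:/ && (i = index($0, old)) {
            $0 = substr($0, 1, i - 1) new substr($0, i + length(old))
        }
        { print }
    ' "$cfg" > "$tmp" && chmod 600 "$tmp" && mv "$tmp" "$cfg" || return 1
    echo "$count"
}

# write_sample_kubeconfig PATH: constructed sample, not a real cluster config.
write_sample_kubeconfig() {
    cat > "$1" <<'EOF'
apiVersion: v1
kind: Config
users:
- name: arn:aws:eks:us-west-2:111122223333:cluster/blog
  user:
    exec:
      apiVersion: client.authentication.k8s.io/v1alpha1
      command: aws
- name: constructed-user-already-migrated
  user:
    exec:
      #apiVersion: client.authentication.k8s.io/v1alpha1
      apiVersion: client.authentication.k8s.io/v1beta1
      command: aws
EOF
}
```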


Download Istio
curl -L https://istio.io/downloadIstio | ISTIO_VERSION=1.15.0 TARGET_ARCH=arm64 sh -
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100   101  100   101    0     0    429      0 --:--:-- --:--:-- --:--:--   431
100  4856  100  4856    0     0  17281      0 --:--:-- --:--:-- --:--:-- 17281

Downloading istio-1.15.0 from https://github.com/istio/istio/releases/download/1.15.0/istio-1.15.0-linux-arm64.tar.gz ...

Istio 1.15.0 Download Complete!

Istio has been successfully downloaded into the istio-1.15.0 folder on your system.

Next Steps:
See https://istio.io/latest/docs/setup/install/ to add Istio to your Kubernetes cluster.

To configure the istioctl client tool for your workstation,
add the /home/ec2-user/istio-1.15.0/bin directory to your environment path variable with:
	 export PATH="$PATH:/home/ec2-user/istio-1.15.0/bin"

Begin the Istio pre-installation check by running:
	 istioctl x precheck

Need more information? Visit https://istio.io/latest/docs/setup/install/

cd istio-1.15.0/

vim manifests/charts/gateways/istio-ingress/values.yaml
...
serviceAnnotations:
    service.beta.kubernetes.io/aws-load-balancer-type: "nlb"
    service.beta.kubernetes.io/aws-load-balancer-internal: "true"
...


istioctl install --set profile=demo --charts=./manifests/ \
--set components.cni.enabled=true \
--set components.cni.namespace=kube-system

WARNING: Istio control planes installed: 1.14.1, 1.14.1, 1.14.1.
WARNING: A newer installed version of Istio has been detected. Running this command will overwrite it.
This will install the Istio 1.15.0 demo profile with ["Istio core" "Istiod" "CNI" "Ingress gateways" "Egress gateways"] components into the cluster. Proceed? (y/N) y
✔ Istio core installed
✔ Istiod installed
✔ CNI installed
✔ Egress gateways installed
✔ Ingress gateways installed
✔ Installation complete
Making this installation the default for injection and validation.

Thank you for installing Istio 1.15.  Please take a few minutes to tell us about your install/upgrade experience!  https://forms.gle/SWHFBmwJspusK1hv6


Force the Istio pods onto the ARM worker nodes

kubectl patch deployments -n istio-system istio-egressgateway -p '{"spec": {"template": {"spec": {"nodeSelector": {"kubernetes.io/arch": "arm64"}}}}}'
deployment.apps/istio-egressgateway patched (no change)

kubectl patch deployments -n istio-system istio-ingressgateway -p '{"spec": {"template": {"spec": {"nodeSelector": {"kubernetes.io/arch": "arm64"}}}}}'
deployment.apps/istio-ingressgateway patched (no change)

kubectl patch deployments -n istio-system istiod -p '{"spec": {"template": {"spec": {"nodeSelector": {"kubernetes.io/arch": "arm64"}}}}}'
deployment.apps/istiod patched (no change)

Upgrade Knative
Upgrade Knative Serving to 1.7

Install the required custom resources
kubectl apply -f https://github.com/knative/serving/releases/download/knative-v1.7.1/serving-crds.yaml
customresourcedefinition.apiextensions.k8s.io/certificates.networking.internal.knative.dev configured
customresourcedefinition.apiextensions.k8s.io/configurations.serving.knative.dev configured
customresourcedefinition.apiextensions.k8s.io/clusterdomainclaims.networking.internal.knative.dev configured
customresourcedefinition.apiextensions.k8s.io/domainmappings.serving.knative.dev configured
customresourcedefinition.apiextensions.k8s.io/ingresses.networking.internal.knative.dev configured
customresourcedefinition.apiextensions.k8s.io/metrics.autoscaling.internal.knative.dev configured
customresourcedefinition.apiextensions.k8s.io/podautoscalers.autoscaling.internal.knative.dev configured
customresourcedefinition.apiextensions.k8s.io/revisions.serving.knative.dev configured
customresourcedefinition.apiextensions.k8s.io/routes.serving.knative.dev configured
customresourcedefinition.apiextensions.k8s.io/serverlessservices.networking.internal.knative.dev configured
customresourcedefinition.apiextensions.k8s.io/services.serving.knative.dev configured
customresourcedefinition.apiextensions.k8s.io/images.caching.internal.knative.dev configured

Install the core components of Knative Serving
kubectl apply -f https://github.com/knative/serving/releases/download/knative-v1.7.1/serving-core.yaml
namespace/knative-serving configured
clusterrole.rbac.authorization.k8s.io/knative-serving-aggregated-addressable-resolver configured
clusterrole.rbac.authorization.k8s.io/knative-serving-addressable-resolver configured
clusterrole.rbac.authorization.k8s.io/knative-serving-namespaced-admin configured
clusterrole.rbac.authorization.k8s.io/knative-serving-namespaced-edit configured
clusterrole.rbac.authorization.k8s.io/knative-serving-namespaced-view configured
clusterrole.rbac.authorization.k8s.io/knative-serving-core configured
clusterrole.rbac.authorization.k8s.io/knative-serving-podspecable-binding configured
serviceaccount/controller configured
clusterrole.rbac.authorization.k8s.io/knative-serving-admin configured
clusterrolebinding.rbac.authorization.k8s.io/knative-serving-controller-admin configured
clusterrolebinding.rbac.authorization.k8s.io/knative-serving-controller-addressable-resolver configured
customresourcedefinition.apiextensions.k8s.io/images.caching.internal.knative.dev unchanged
customresourcedefinition.apiextensions.k8s.io/certificates.networking.internal.knative.dev unchanged
customresourcedefinition.apiextensions.k8s.io/configurations.serving.knative.dev unchanged
customresourcedefinition.apiextensions.k8s.io/clusterdomainclaims.networking.internal.knative.dev unchanged
customresourcedefinition.apiextensions.k8s.io/domainmappings.serving.knative.dev unchanged
customresourcedefinition.apiextensions.k8s.io/ingresses.networking.internal.knative.dev unchanged
customresourcedefinition.apiextensions.k8s.io/metrics.autoscaling.internal.knative.dev unchanged
customresourcedefinition.apiextensions.k8s.io/podautoscalers.autoscaling.internal.knative.dev unchanged
customresourcedefinition.apiextensions.k8s.io/revisions.serving.knative.dev unchanged
customresourcedefinition.apiextensions.k8s.io/routes.serving.knative.dev unchanged
customresourcedefinition.apiextensions.k8s.io/serverlessservices.networking.internal.knative.dev unchanged
customresourcedefinition.apiextensions.k8s.io/services.serving.knative.dev unchanged
secret/serving-certs-ctrl-ca unchanged
secret/knative-serving-certs unchanged
image.caching.internal.knative.dev/queue-proxy configured
configmap/config-autoscaler configured
configmap/config-defaults configured
configmap/config-deployment configured
configmap/config-domain configured
configmap/config-features configured
configmap/config-gc configured
configmap/config-leader-election configured
configmap/config-logging configured
configmap/config-network configured
configmap/config-observability configured
configmap/config-tracing configured
Warning: autoscaling/v2beta2 HorizontalPodAutoscaler is deprecated in v1.23+, unavailable in v1.26+; use autoscaling/v2 HorizontalPodAutoscaler
horizontalpodautoscaler.autoscaling/activator configured
poddisruptionbudget.policy/activator-pdb configured
deployment.apps/activator configured
service/activator-service configured
deployment.apps/autoscaler configured
service/autoscaler configured
deployment.apps/controller configured
service/controller configured
deployment.apps/domain-mapping configured
deployment.apps/domainmapping-webhook configured
service/domainmapping-webhook configured
horizontalpodautoscaler.autoscaling/webhook configured
poddisruptionbudget.policy/webhook-pdb configured
deployment.apps/webhook configured
service/webhook configured
validatingwebhookconfiguration.admissionregistration.k8s.io/config.webhook.serving.knative.dev configured
mutatingwebhookconfiguration.admissionregistration.k8s.io/webhook.serving.knative.dev configured
mutatingwebhookconfiguration.admissionregistration.k8s.io/webhook.domainmapping.serving.knative.dev configured
secret/domainmapping-webhook-certs configured
validatingwebhookconfiguration.admissionregistration.k8s.io/validation.webhook.domainmapping.serving.knative.dev configured
validatingwebhookconfiguration.admissionregistration.k8s.io/validation.webhook.serving.knative.dev configured
secret/webhook-certs configured

Install a networking layer

Install Istio and enable its Knative integration.

Install a properly configured Istio
kubectl apply -l knative.dev/crd-install=true -f https://github.com/knative/net-istio/releases/download/knative-v1.7.0/istio.yaml
customresourcedefinition.apiextensions.k8s.io/authorizationpolicies.security.istio.io configured
customresourcedefinition.apiextensions.k8s.io/destinationrules.networking.istio.io configured
customresourcedefinition.apiextensions.k8s.io/envoyfilters.networking.istio.io configured
customresourcedefinition.apiextensions.k8s.io/gateways.networking.istio.io configured
customresourcedefinition.apiextensions.k8s.io/istiooperators.install.istio.io configured
customresourcedefinition.apiextensions.k8s.io/peerauthentications.security.istio.io configured
customresourcedefinition.apiextensions.k8s.io/proxyconfigs.networking.istio.io configured
customresourcedefinition.apiextensions.k8s.io/requestauthentications.security.istio.io configured
customresourcedefinition.apiextensions.k8s.io/serviceentries.networking.istio.io configured
customresourcedefinition.apiextensions.k8s.io/sidecars.networking.istio.io configured
customresourcedefinition.apiextensions.k8s.io/telemetries.telemetry.istio.io configured
customresourcedefinition.apiextensions.k8s.io/virtualservices.networking.istio.io configured
customresourcedefinition.apiextensions.k8s.io/wasmplugins.extensions.istio.io configured
customresourcedefinition.apiextensions.k8s.io/workloadentries.networking.istio.io configured
customresourcedefinition.apiextensions.k8s.io/workloadgroups.networking.istio.io configured

kubectl apply -f https://github.com/knative/net-istio/releases/download/knative-v1.7.0/istio.yaml
namespace/istio-system unchanged
serviceaccount/istio-ingressgateway-service-account configured
serviceaccount/istio-reader-service-account configured
serviceaccount/istiod configured
serviceaccount/istiod-service-account configured
clusterrole.rbac.authorization.k8s.io/istio-reader-clusterrole-istio-system configured
clusterrole.rbac.authorization.k8s.io/istio-reader-istio-system configured
clusterrole.rbac.authorization.k8s.io/istiod-clusterrole-istio-system configured
clusterrole.rbac.authorization.k8s.io/istiod-gateway-controller-istio-system configured
clusterrole.rbac.authorization.k8s.io/istiod-istio-system configured
clusterrolebinding.rbac.authorization.k8s.io/istio-reader-clusterrole-istio-system configured
clusterrolebinding.rbac.authorization.k8s.io/istio-reader-istio-system configured
clusterrolebinding.rbac.authorization.k8s.io/istiod-clusterrole-istio-system configured
clusterrolebinding.rbac.authorization.k8s.io/istiod-gateway-controller-istio-system configured
clusterrolebinding.rbac.authorization.k8s.io/istiod-istio-system configured
role.rbac.authorization.k8s.io/istio-ingressgateway-sds configured
role.rbac.authorization.k8s.io/istiod configured
role.rbac.authorization.k8s.io/istiod-istio-system configured
rolebinding.rbac.authorization.k8s.io/istio-ingressgateway-sds configured
rolebinding.rbac.authorization.k8s.io/istiod configured
rolebinding.rbac.authorization.k8s.io/istiod-istio-system configured
customresourcedefinition.apiextensions.k8s.io/authorizationpolicies.security.istio.io unchanged
customresourcedefinition.apiextensions.k8s.io/destinationrules.networking.istio.io unchanged
customresourcedefinition.apiextensions.k8s.io/envoyfilters.networking.istio.io unchanged
customresourcedefinition.apiextensions.k8s.io/gateways.networking.istio.io unchanged
customresourcedefinition.apiextensions.k8s.io/istiooperators.install.istio.io unchanged
customresourcedefinition.apiextensions.k8s.io/peerauthentications.security.istio.io unchanged
customresourcedefinition.apiextensions.k8s.io/proxyconfigs.networking.istio.io unchanged
customresourcedefinition.apiextensions.k8s.io/requestauthentications.security.istio.io unchanged
customresourcedefinition.apiextensions.k8s.io/serviceentries.networking.istio.io unchanged
customresourcedefinition.apiextensions.k8s.io/sidecars.networking.istio.io unchanged
customresourcedefinition.apiextensions.k8s.io/telemetries.telemetry.istio.io unchanged
customresourcedefinition.apiextensions.k8s.io/virtualservices.networking.istio.io unchanged
customresourcedefinition.apiextensions.k8s.io/wasmplugins.extensions.istio.io unchanged
customresourcedefinition.apiextensions.k8s.io/workloadentries.networking.istio.io unchanged
customresourcedefinition.apiextensions.k8s.io/workloadgroups.networking.istio.io unchanged
configmap/istio configured
configmap/istio-sidecar-injector configured
deployment.apps/istio-ingressgateway configured
deployment.apps/istiod configured
service/istio-ingressgateway configured
service/istiod configured
Warning: autoscaling/v2beta2 HorizontalPodAutoscaler is deprecated in v1.23+, unavailable in v1.26+; use autoscaling/v2 HorizontalPodAutoscaler
horizontalpodautoscaler.autoscaling/istiod unchanged
Warning: policy/v1beta1 PodDisruptionBudget is deprecated in v1.21+, unavailable in v1.25+; use policy/v1 PodDisruptionBudget
poddisruptionbudget.policy/istio-ingressgateway configured
poddisruptionbudget.policy/istiod configured
mutatingwebhookconfiguration.admissionregistration.k8s.io/istio-sidecar-injector configured
validatingwebhookconfiguration.admissionregistration.k8s.io/istio-validator-istio-system configured
envoyfilter.networking.istio.io/stats-filter-1.11 unchanged
envoyfilter.networking.istio.io/stats-filter-1.12 unchanged
envoyfilter.networking.istio.io/stats-filter-1.13 configured
envoyfilter.networking.istio.io/stats-filter-1.14 configured
envoyfilter.networking.istio.io/stats-filter-1.15 configured
envoyfilter.networking.istio.io/tcp-stats-filter-1.11 unchanged
envoyfilter.networking.istio.io/tcp-stats-filter-1.12 unchanged
envoyfilter.networking.istio.io/tcp-stats-filter-1.13 configured
envoyfilter.networking.istio.io/tcp-stats-filter-1.14 configured
envoyfilter.networking.istio.io/tcp-stats-filter-1.15 configured

Install the Knative Istio controller
kubectl apply -f https://github.com/knative/net-istio/releases/download/knative-v1.7.0/net-istio.yaml
clusterrole.rbac.authorization.k8s.io/knative-serving-istio configured
gateway.networking.istio.io/knative-ingress-gateway configured
gateway.networking.istio.io/knative-local-gateway configured
service/knative-local-gateway configured
configmap/config-istio configured
peerauthentication.security.istio.io/webhook configured
peerauthentication.security.istio.io/domainmapping-webhook configured
peerauthentication.security.istio.io/net-istio-webhook configured
deployment.apps/net-istio-controller configured
deployment.apps/net-istio-webhook configured
secret/net-istio-webhook-certs configured
service/net-istio-webhook configured
mutatingwebhookconfiguration.admissionregistration.k8s.io/webhook.istio.networking.internal.knative.dev configured
validatingwebhookconfiguration.admissionregistration.k8s.io/config.webhook.istio.networking.internal.knative.dev configured


References

EKS: invalid apiVersion "client.authentication.k8s.io/v1alpha1" #2817

https://community.arm.com/arm-community-blogs/b/infrastructure-solutions-blog/posts/deploying-tetrate-istio-distribution-for-arm-neoverse-based-aws-graviton-processors

https://www.tetrate.io/blog/tetrate-adds-istio-and-envoy-support-for-arm-neoverse/

https://venturebeat.com/ai/tetrate-announces-its-tools-will-now-run-natively-on-arm-chips/

https://dl.getistio.io/public/raw/files/istio-1.14.1-tetrate-multiarch-v1-linux-arm64.tar.gz


Category: container Tags: public
