服务网格 ASM(Service Mesh) 从1.22.6.109版本开始支持使用Terraform Kubernetes Provider对ASM中的自定义资源进行操作,或是对网格功能特性进行修改。本文将通过两个示例介绍如何使用Terraform创建或修改ASM自定义资源。
前提条件
已通过kubectl工具连接集群。具体操作,请参见获取集群KubeConfig并通过kubectl工具连接集群。
(可选)已在本地安装和配置Terraform。
您也可以使用Cloud Shell来操作本文所有的演示内容,开始前请切换 Terraform 版本,确保Terraform版本大于0.14即可。
(可选)已安装 tfk8s 工具。
准备工作
在开始演示流程前,建议您新建一个空目录作为Terraform项目目录,同时在目录中新建一个包含以下内容的provider.tf文件。
provider "kubernetes" {
config_path = "~/.kube/config"
}该配置文件指定了Terraform Kubernetes Provider所使用的kubeconfig。
本文完整的目录结构如下:
terraform-Project # Terraform项目目录
├── asmmeshconfig.tf # 场景二tf文件
├── virtualservice.tf # 场景一tf文件
├── provider.tf # provider文件
└── resources # 用于存放资源文件,例如yaml、json等
└── demo.yaml # 场景一资源文件provider.tf文件创建完成后,开始初始化Terraform项目。
terraform init场景一:使用Terraform创建VirtualService资源
在resources目录下创建名称为
demo.yaml的VirtualService资源文件。apiVersion: networking.istio.io/v1 kind: VirtualService metadata: name: my-productpage-rule namespace: istio-system spec: hosts: - productpage.prod.svc.cluster.local # ignores rule namespace http: - timeout: 5s route: - destination: host: productpage.prod.svc.cluster.local创建virtualservice.tf。
resource "kubernetes_manifest" "virtualservice_demo" { manifest = yamldecode(file("./resources/demo.yaml")) }查看Terraform资源的变更情况。
terraform plan预期输出:
创建并验证资源。
创建资源。
terraform apply --auto-approve验证资源。
kubectl get VirtualService -n istio-system预期输出:
NAME GATEWAYS HOSTS AGE my-productpage-rule ["productpage.prod.svc.cluster.local"] 77s
(可选)清理资源。
terraform destroy -target=kubernetes_manifest.virtualservice_demo --auto-approve
场景二:修改ASMMeshConfig资源控制网格功能特性
本场景演示如何修改已有的ASMMeshConfig资源,关闭服务网格默认的为Pod重写健康检查的功能。
导入ASMMeshConfig资源。
使用tfk8s工具
生成asmmeshconfig.tf。
kubectl get asmmeshconfig default -o yaml | tfk8s --strip -o asmmeshconfig.tf上述命令会直接生成
asmmeshconfig.tf文件,预期内容如下。resource "kubernetes_manifest" "asmmeshconfig_default" { manifest = { "apiVersion" = "istio.alibabacloud.com/v1beta1" "kind" = "ASMMeshConfig" "metadata" = { "name" = "default" } "spec" = { "accessLogConfiguration" = {} "ambientConfiguration" = { "enabled" = false "redirectMode" = "" "waypoint" = {} "ztunnel" = {} } "cniConfiguration" = { "enabled" = true "excludeNamespaces" = "istio-system,kube-system" "repair" = {} } "enableGatewayAPI" = true "gatewayAPIInferenceExtension" = {} "ingressControllerMode" = "OFF" "ingressSelector" = "ingressgateway1" "ingressService" = "istio-ingressgateway1" "sidecarInjectorWebhookConfiguration" = {} "smcEnabled" = false } } }将ASMMeshConfig资源导入到terraform state。
terraform import kubernetes_manifest.asmmeshconfig_default "apiVersion=istio.alibabacloud.com/v1beta1,name=default,kind=ASMMeshConfig"预期输出:
Import successful! The resources that were imported are shown above. These resources are now in your Terraform state and will henceforth be managed by Terraform. ╷ │ Warning: Apply needed after 'import' │ │ Please run apply after a successful import to realign the resource state to the configuration in Terraform. ╵执行
terraform apply命令,以对齐Terraform和Kubernetes资源状态。terraform apply --auto-approve部分预期输出:
... # kubernetes_manifest.asmmeshconfig_default will be updated in-place ~ resource "kubernetes_manifest" "asmmeshconfig_default" { + manifest = { + apiVersion = "istio.alibabacloud.com/v1beta1" + kind = "ASMMeshConfig" + metadata = { + annotations = null + creationTimestamp = null ...
使用terraform命令
将ASMMeshConfig资源导入state。
terraform import kubernetes_manifest.asmmeshconfig_default "apiVersion=istio.alibabacloud.com/v1beta1,name=default,kind=ASMMeshConfig"预期输出:
Import successful! The resources that were imported are shown above. These resources are now in your Terraform state and will henceforth be managed by Terraform. ╷ │ Warning: Apply needed after 'import' │ │ Please run apply after a successful import to realign the resource state to the configuration in Terraform. ╵生成asmmeshconfig.tf。
terraform show -no-color > asmmeshconfig.tf预期文件内容:
resource "kubernetes_manifest" "asmmeshconfig_default" { object = { apiVersion = "istio.alibabacloud.com/v1beta1" kind = "ASMMeshConfig" metadata = { annotations = null creationTimestamp = null deletionGracePeriodSeconds = null deletionTimestamp = null finalizers = null generateName = null generation = null labels = null managedFields = null name = "default" namespace = null ownerReferences = null resourceVersion = null selfLink = null uid = null } spec = { accessLogConfiguration = {} adaptiveSchedulerConfiguration = {} ambientConfiguration = { redirectMode = "" waypoint = {} ztunnel = {} } cniConfiguration = { enabled = true repair = {} } localityLbSetting = { enabled = true } } } }将asmmeshconfig.tf文件中的
object改为manifest,移除值为null的参数。以下为调整后的asmmeshconfig.tf内容。resource "kubernetes_manifest" "asmmeshconfig_default" { manifest = { apiVersion = "istio.alibabacloud.com/v1beta1" kind = "ASMMeshConfig" metadata = { name = "default" } spec = { accessLogConfiguration = {} adaptiveSchedulerConfiguration = {} ambientConfiguration = { redirectMode = "" waypoint = {} ztunnel = {} } cniConfiguration = { enabled = true repair = {} } localityLbSetting = { enabled = true } } } }执行
terraform apply命令,以对齐Terraform和Kubernetes资源状态。terraform apply --auto-approve部分预期输出:
... # kubernetes_manifest.asmmeshconfig_default will be updated in-place ~ resource "kubernetes_manifest" "asmmeshconfig_default" { + manifest = { + apiVersion = "istio.alibabacloud.com/v1beta1" + kind = "ASMMeshConfig" + metadata = { + annotations = null + creationTimestamp = null ...
上述步骤中,terraform import的参数说明如下:
参数
说明
kubernetes_manifest
Terraform resource类型,与
asmmeshconfig.tf中的resource类型相对应。asmmeshconfig_default
Terraform resource名称,与
asmmeshconfig.tf中的resource名称相对应。apiVersion
Kubernetes CRD中注册的API版本。您可以通过执行
kubectl get ${资源类型} ${资源名称}查看资源的apiVersion。kind
Kubernetes CRD中注册的资源类型。您可以通过执行
kubectl get ${资源类型} ${资源名称}查看资源的kind。name
需要导入的ASMMeshConfig资源名称,在这里为
default。由于ASMMeshConfig资源是一个集群级别的Kubernetes资源,所以在此并未指定命名空间。对于命名空间级别的资源,您可以通过namespace=${资源命名空间}指定。编辑asmmeshconfig.tf,增加
spec.sidecarInjectorWebhookConfiguration.rewriteAppHTTPProbe字段的值为false,以关闭服务网格默认的为Pod重写健康检查的功能。resource "kubernetes_manifest" "asmmeshconfig_default" { manifest = { "apiVersion" = "istio.alibabacloud.com/v1beta1" "kind" = "ASMMeshConfig" "metadata" = { "name" = "default" } "spec" = { "accessLogConfiguration" = {} "ambientConfiguration" = { "enabled" = false "redirectMode" = "" "waypoint" = {} "ztunnel" = {} } "cniConfiguration" = { "enabled" = true "excludeNamespaces" = "istio-system,kube-system" "repair" = {} } "enableGatewayAPI" = true "gatewayAPIInferenceExtension" = {} "ingressControllerMode" = "OFF" "ingressSelector" = "ingressgateway1" "ingressService" = "istio-ingressgateway1" "sidecarInjectorWebhookConfiguration" = { "rewriteAppHTTPProbe" = false } "smcEnabled" = false } } }查看变更情况。
terraform plan预期输出:
kubernetes_manifest.asmmeshconfig_default: Refreshing state... Terraform used the selected providers to generate the following execution plan. Resource actions are indicated with the following symbols: ~ update in-place Terraform will perform the following actions: # kubernetes_manifest.asmmeshconfig_default will be updated in-place ~ resource "kubernetes_manifest" "asmmeshconfig_default" { ~ manifest = { ~ spec = { ~ sidecarInjectorWebhookConfiguration = { + rewriteAppHTTPProbe = false } # (9 unchanged attributes hidden) } # (3 unchanged attributes hidden) } ~ object = { ~ spec = { ~ sidecarInjectorWebhookConfiguration = { + rewriteAppHTTPProbe = false } # (9 unchanged attributes hidden) } # (3 unchanged attributes hidden) } } Plan: 0 to add, 1 to change, 0 to destroy.说明如果
manifest和object中的变更内容不一致,说明通过其他方式对Kubernetes资源进行了修改,Kubernetes资源的实际状态与Terraform记录的状态不同。您可以执行terraform refresh更新Terraform的状态。应用变更。
terraform apply --auto-approve预期输出:
kubernetes_manifest.asmmeshconfig_default: Modifying... kubernetes_manifest.asmmeshconfig_default: Modifications complete after 1s ... Apply complete! Resources: 0 added, 1 changed, 0 destroyed.