非容器應用與K8s工作負載的服務網格化實踐-6 基于ASM的VM應用動态落遷實踐

在完成了POD和VM之間互訪驗證後，本篇将進入VM中，重點關注兩個常用的流量管理能力：

• 應用通過标簽進行分組
• 每個分組的多個副本可以動态落組和遷出

本篇

示例

的拓撲如下圖所示。ack中部署上遊服務hello1，請求下遊服務hello2。在4個ecs節點上，各部署了一個hello2應用，其中兩個為

en

版本，與hello1之間的通信使用藍線表示；另外兩個為

fr

版本，與hello1之間的通信使用綠線表示。

1 搭建實驗環境

部署hello1 POD

alias k="kubectl --kubeconfig $USER_CONFIG"
k apply -f yaml/hello1-deploy.yaml           

部署hello2 app

在 vm1/vm2兩個ecs節點上啟動如下docker container，作為group1

sh sh/ssh1.sh

docker run \
--rm \
--network host \
--name http_v1 \
registry.cn-beijing.aliyuncs.com/asm_repo/http_springboot_v1:1.0.1           

在 vm3/vm4兩個ecs節點上啟動如下docker container，作為group2

sh sh/ssh3.sh

docker run \
--rm \
--network host \
--name http_v2 \
registry.cn-beijing.aliyuncs.com/asm_repo/http_springboot_v2:1.0.1           

部署hello2 WorkloadEntry

MESH_ID=$(head -n 1 "$MESHID_CONFIG")
aliyun servicemesh AddVmAppToMesh \
  --ServiceMeshId "$MESH_ID" \
  --Namespace vm-blue-green \
  --ServiceName hello2-svc \
  --Ips "$VM_PRI_1","$VM_PRI_2","$VM_PRI_3","$VM_PRI_4" \
  --Ports http:8001 \
  --Labels app=http-workload
echo "done"           

為4個WorkloadEntry增加version标簽，v1/v2的設定為

v1

，v3/v4的設定為

v2

spec:
  address: 192.168.0.170
  labels:
    app: http-workload
    version: v1           

2 藍綠部署驗證

hello2 VirtualService

apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
  namespace: hello-grouping
  name: hello2-vs
spec:
  hosts:
    - hello2-svc
  http:
    - name: http-route
      match:
        - uri:
            prefix: /hello
      route:
        - destination:
            host: hello2-svc
            subset: v1
          weight: 50
        - destination:
            host: hello2-svc
            subset: v2
          weight: 50           

hello2 DestinationRule

apiVersion: networking.istio.io/v1alpha3
kind: DestinationRule
metadata:
  namespace: hello-grouping
  name: hello2-dr
spec:
  host: hello2-svc
  subsets:
    - name: v1
      labels:
        version: v1
      trafficPolicy:
        loadBalancer:
          simple: ROUND_ROBIN
    - name: v2
      labels:
        version: v2
      trafficPolicy:
        loadBalancer:
          simple: ROUND_ROBIN           

輪詢驗證

hello1_pod=$(k get pod -l app=hello1-deploy -n hello-grouping -o jsonpath={.items..metadata.name})

verify_in_loop() {
  for i in {1..8}; do
    echo ">$i test hello2-svc.hello-grouping.svc.cluster.local"
    resp=$(k exec "$hello1_pod" -c hello-v1-deploy -n hello-grouping -- \
      curl -s hello2-svc.hello-grouping.svc.cluster.local:8001/hello/eric)
    if [[ "no healthy upstream" == $resp ]]; then
      echo "stop, no healthy upstream."
      exit
    fi
    echo "$resp"
  done
}

m get workloadentry -n hello-grouping -o wide
verify_in_loop           

預期的結果如下所示。流量轉移首先會按照group間(

v1

和

v2

)的比例配置進行，進入group後會按負載均衡政策(ROUND_ROBIN)進行路由。

...
>5 test hello2-svc.hello-grouping.svc.cluster.local
Hello eric(192.168.0.171)
>6 test hello2-svc.hello-grouping.svc.cluster.local
Hello eric(192.168.0.170)
>7 test hello2-svc.hello-grouping.svc.cluster.local
Bonjour eric(192.168.0.172)
>8 test hello2-svc.hello-grouping.svc.cluster.local
Bonjour eric(192.168.0.198)           

3 應用落遷驗證

目前group1和group2各有2個執行個體，我們按如下順序動态删除和增加workloadentry并驗證流量：

• 将vm4從group2中遷出，使group1和group2節點比例為2:1
• 将vm2從group1中遷出，使group1和group2節點比例為1:1
• 将vm4落入group2，使group1和group2節點比例為1:2
• 将vm2落入group1，使group1和group2節點比例為2:2

hello1_pod=$(k get pod -l app=hello1-deploy -n hello-grouping -o jsonpath={.items..metadata.name})
echo "1 Test blue-green 2:1"
m delete workloadentry mesh-expansion-hello2-svc-4 -n hello-grouping
m get workloadentry -n hello-grouping -o wide
verify_in_loop

echo "2 Test blue-green 1:1"
m delete workloadentry mesh-expansion-hello2-svc-2 -n hello-grouping
m get workloadentry -n hello-grouping -o wide
verify_in_loop

echo "3 Test blue-green 1:2"
m apply -f yaml/wl4.yaml
m get workloadentry -n hello-grouping -o wide
verify_in_loop

echo "4 Test blue-green 2:2"
m apply -f yaml/wl2.yaml
m get workloadentry -n hello-grouping -o wide
verify_in_loop           

verify_in_loop() {
  echo >test_traffic_result
  for i in {1..100}; do
    resp=$(k exec "$hello1_pod" -c hello-v1-deploy -n hello-grouping -- curl -s hello2-svc.hello-grouping.svc.cluster.local:8001/hello/eric)
    if [[ "no healthy upstream" == $resp ]]; then
      echo "stop, no healthy upstream."
      rm -f test_traffic_result
      exit
    fi
    echo "$resp" >>test_traffic_result
  done
  echo "result:"
  sort test_traffic_result | grep -v "^[[:space:]]*$" | uniq -c | sort -nrk1
  rm -f test_traffic_result
}           

期待的結果如下。

1 Test blue-green 2:1
workloadentry.networking.istio.io "mesh-expansion-hello2-svc-4" deleted
NAME                          AGE
mesh-expansion-hello2-svc-1   28m
mesh-expansion-hello2-svc-2   64s
mesh-expansion-hello2-svc-3   28m
result:
  56 Bonjour eric(192.168.0.172)
  22 Hello eric(192.168.0.171)
  22 Hello eric(192.168.0.170)           

2 Test blue-green 1:1
workloadentry.networking.istio.io "mesh-expansion-hello2-svc-2" deleted
NAME                          AGE
mesh-expansion-hello2-svc-1   28m
mesh-expansion-hello2-svc-3   28m
result:
  51 Bonjour eric(192.168.0.172)
  49 Hello eric(192.168.0.170)           

3 Test blue-green 1:2
workloadentry.networking.istio.io/mesh-expansion-hello2-svc-4 created
NAME                          AGE
mesh-expansion-hello2-svc-1   29m
mesh-expansion-hello2-svc-3   29m
mesh-expansion-hello2-svc-4   0s
result:
  53 Hello eric(192.168.0.170)
  24 Bonjour eric(192.168.0.198)
  23 Bonjour eric(192.168.0.172)           

4 Test blue-green 2:2
workloadentry.networking.istio.io/mesh-expansion-hello2-svc-2 created
NAME                          AGE
mesh-expansion-hello2-svc-1   29m
mesh-expansion-hello2-svc-2   1s
mesh-expansion-hello2-svc-3   29m
mesh-expansion-hello2-svc-4   37s
result:
  26 Hello eric(192.168.0.171)
  26 Hello eric(192.168.0.170)
  24 Bonjour eric(192.168.0.198)
  24 Bonjour eric(192.168.0.172)           

到此，VM應用動态落遷實踐驗證完畢。通過本篇實驗，我們可以掌握如何将VM應用進行分組，并根據實際情況，通過workload entry進行動态落組和遷出。