Upgrade from 1.4.6 -> 1.5.0 throws istiod errors: remote error: tls: error decrypting message



Just upgraded Istio from 1.4.6 (helm) to Istio 1.5.0 (istioctl) [purged Istio and installed it from istioctl], but the istiod logs seem to keep throwing the following:

2020-03-16T18:25:45.209055Z info    grpc: Server.Serve failed to complete security handshake from "10.150.56.111:56870": remote error: tls: error decrypting message
2020-03-16T18:25:46.792447Z info    grpc: Server.Serve failed to complete security handshake from "10.150.57.112:49162": remote error: tls: error decrypting message
2020-03-16T18:25:46.930483Z info    grpc: Server.Serve failed to complete security handshake from "10.150.56.160:36878": remote error: tls: error decrypting message
2020-03-16T18:25:48.284122Z info    grpc: Server.Serve failed to complete security handshake from "10.150.52.230:44758": remote error: tls: error decrypting message
2020-03-16T18:25:48.288180Z info    grpc: Server.Serve failed to complete security handshake from "10.150.57.149:56756": remote error: tls: error decrypting message
2020-03-16T18:25:49.108515Z info    grpc: Server.Serve failed to complete security handshake from "10.150.57.151:53970": remote error: tls: error decrypting message
2020-03-16T18:25:49.111874Z info    Handling event update for pod contentgatewayaidest-7f4694d87-qmq8z in namespace djin-content -> 10.150.53.50
2020-03-16T18:25:49.519861Z info    grpc: Server.Serve failed to complete security handshake from "10.150.57.91:59510": remote error: tls: error decrypting message
2020-03-16T18:25:50.133664Z info    grpc: Server.Serve failed to complete security handshake from "10.150.57.203:59726": remote error: tls: error decrypting message
2020-03-16T18:25:50.331020Z info    grpc: Server.Serve failed to complete security handshake from "10.150.57.195:59970": remote error: tls: error decrypting message
2020-03-16T18:25:52.110695Z info    Handling event update for pod contentgateway-d74b44c7-dtdxs in namespace djin-content -> 10.150.56.215
2020-03-16T18:25:53.312761Z info    Handling event update for pod dysonpriority-b6dbc589b-mk628 in namespace djin-content -> 10.150.52.91
2020-03-16T18:25:53.496524Z info    grpc: Server.Serve failed to complete security handshake from "10.150.56.111:57276": remote error: tls: error decrypting message

This is also leading to no sidecars launching successfully; they fail with:

2020-03-16T18:32:17.265394Z info    Envoy proxy is NOT ready: config not received from Pilot (is Pilot running?): cds updates: 16 successful, 0 rejected; lds updates: 0 successful, 0 rejected
2020-03-16T18:32:19.269334Z info    Envoy proxy is NOT ready: config not received from Pilot (is Pilot running?): cds updates: 16 successful, 0 rejected; lds updates: 0 successful, 0 rejected
2020-03-16T18:32:21.265214Z info    Envoy proxy is NOT ready: config not received from Pilot (is Pilot running?): cds updates: 16 successful, 0 rejected; lds updates: 0 successful, 0 rejected
2020-03-16T18:32:23.266159Z info    Envoy proxy is NOT ready: config not received from Pilot (is Pilot running?): cds updates: 16 successful, 0 rejected; lds updates: 0 successful,

Oddly, the other clusters I upgraded are working fine. Any idea where this error might be coming from? istioctl analyze runs fine.

The error disappeared after killing the nodes (recreated), but the Istio proxy is still failing with:

info    Envoy proxy is NOT ready: config not received from Pilot (is Pilot running?): cds updates: 1 successful, 0 rejected; lds updates: 0 successful, 0 rejected
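
An added example, not part of the original post: one way to triage the istiod log above is to group the failed handshakes by peer address and look up which pod owns each address. It assumes the peer address is the connecting pod's IP; the last sample line and the names `summarize`, `example-pod` and `example-ns` are constructed for illustration.

```python
import re
from collections import Counter

# Lines copied from the istiod log excerpt in the question, plus one
# constructed line (the last one) so the pod lookup has something to match.
SAMPLE_LOG = """\
2020-03-16T18:25:45.209055Z info    grpc: Server.Serve failed to complete security handshake from "10.150.56.111:56870": remote error: tls: error decrypting message
2020-03-16T18:25:46.792447Z info    grpc: Server.Serve failed to complete security handshake from "10.150.57.112:49162": remote error: tls: error decrypting message
2020-03-16T18:25:49.111874Z info    Handling event update for pod contentgatewayaidest-7f4694d87-qmq8z in namespace djin-content -> 10.150.53.50
2020-03-16T18:25:53.496524Z info    grpc: Server.Serve failed to complete security handshake from "10.150.56.111:57276": remote error: tls: error decrypting message
2020-03-16T18:25:54.000000Z info    Handling event update for pod example-pod in namespace example-ns -> 10.150.57.112
"""

# Peer address of a failed TLS handshake as logged by istiod's gRPC server.
HANDSHAKE = re.compile(r'failed to complete security handshake from "([\d.]+):\d+"')
# Pod-to-IP mapping that istiod logs when it sees a pod update.
POD_EVENT = re.compile(r'Handling event update for pod (\S+) in namespace (\S+) -> ([\d.]+)')


def summarize(log_text):
    """Return [(peer_ip, failure_count, 'namespace/pod' or None)], most failures first."""
    failures = Counter()
    pods = {}
    for line in log_text.splitlines():
        m = HANDSHAKE.search(line)
        if m:
            failures[m.group(1)] += 1
            continue
        m = POD_EVENT.search(line)
        if m:
            pods[m.group(3)] = f"{m.group(2)}/{m.group(1)}"
    # Pods are resolved after the full pass, so event order in the log does not matter.
    return [(ip, count, pods.get(ip)) for ip, count in failures.most_common()]


if __name__ == "__main__":
    for ip, count, pod in summarize(SAMPLE_LOG):
        print(f"{ip:15} {count:3}  {pod or 'unknown (not seen in this log)'}")
```

Peers that stay unresolved can be matched against the IP column of `kubectl get pods -A -o wide`.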

As far as I know, since version 1.4.4 they added istioctl upgrade, which should be used when you want to upgrade Istio from 1.4.x to 1.5.0.


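The istioctl upgrade command performs an upgrade of Istio. Before performing the upgrade, it checks that the Istio installation meets the upgrade eligibility criteria. Also, it alerts the user if it detects any changes in the profile default values between Istio versions.

The upgrade command can also perform a downgrade of Istio.

See the istioctl upgrade reference for all the options provided by the istioctl upgrade command.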


istioctl upgrade --help

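The upgrade command checks for upgrade version eligibility and, if eligible, upgrades the Istio control plane components. Warning: traffic may be disrupted during upgrade. Please ensure PodDisruptionBudgets are defined to maintain service continuity.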


I tested this on a GCP cluster with Istio 1.4.6 installed with istioctl, then I used istioctl upgrade from version 1.5.0, and everything worked fine.

kubectl get pods -n istio-system
NAME                                    READY   STATUS    RESTARTS   AGE
istio-ingressgateway-598796f4d9-lvzdb   1/1     Running   0          12m
istiod-7d9c7bdd6-mggx7                  1/1     Running   0          12m
prometheus-b47d8c58c-7spq5              2/2     Running   0          12m

I checked the logs and ran some simple examples, and no errors like the ones in your example appeared in istiod.


Upgrade prerequisites for istioctl upgrade


Ensure you meet these requirements before starting the upgrade process:
Istio version 1.4.4 or higher is installed.
Your Istio installation was installed using istioctl.

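I think that, because of the differences between 1.4.x and 1.5.0, some problems may occur when you want to use both installation methods, helm and istioctl. The best option here would be to install Istio 1.4.6 with istioctl and then upgrade to 1.5.0.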


I hope this answers your question. Let me know if you have any more questions.
