Skip to content

Instantly share code, notes, and snippets.

@jamesfalkner
Created March 14, 2018 21:33
Show Gist options
  • Save jamesfalkner/ff51aa7e259d9f9c02fd79be757ef12c to your computer and use it in GitHub Desktop.
Save jamesfalkner/ff51aa7e259d9f9c02fd79be757ef12c to your computer and use it in GitHub Desktop.
Hack to install istio to OpenShift and deploy coolstore-microservice as an istio service mesh
#!/bin/bash
# This script will install istio and the coolstore-microservice demo as a service mesh.
# It does everything as a cluster-admin user because istio (the project) still needs it to
# work. Future versions will not require so many permissions!
#
# Maintainer: James Falkner <jfalkner@redhat.com>
#
# Prereqs:
#
# internet connection (github.com, istio.io, and more)
# OpenShift 3.9.x with 10G total memory across cluster
# development tools: git, mvn, java (compiler), oc
# Patience
#
# Version of Istio to use
ISTIO_VERSION=0.6.0
# DO NOT CHANGE THIS. Istio hard-codes this currently. Name of project to house istio.
ISTIO_PROJECT=istio-system
# Name of project to house coolstore
COOLSTORE_PROJECT=coolstore-mesh
# Place to download istio and clone coolstore-microservice project
PROJECT_DIR=${HOME}/coolstore-istio
# Make sure you're logged in as an admin user.
# e.g. "oc login -u admin -p admin"
if ! oc get clusterrolebindings cluster-admin ; then
echo "you dont appear to have cluster-admin privileges, so sorry!"
exit 1
fi
# install jboss and fuse imagestreams to the openshift namespace
oc create -n openshift -f https://raw.githubusercontent.com/jboss-fuse/application-templates/master/fis-image-streams.json
oc create -n openshift -f https://raw.githubusercontent.com/jboss-openshift/application-templates/master/jboss-image-streams.json
# download istio into project dir
mkdir -p $PROJECT_DIR
cd $PROJECT_DIR
curl -kL https://git.io/getLatestIstio | sed 's/curl/curl -k /g' | ISTIO_VERSION=${ISTIO_VERSION} sh -
ISTIO_HOME=${PROJECT_DIR}/istio-${ISTIO_VERSION}
export PATH="$PATH:${ISTIO_HOME}/bin"
# setup permissions for istio
oc new-project ${ISTIO_PROJECT}
oc adm policy add-scc-to-user anyuid -z istio-ingress-service-account
oc adm policy add-scc-to-user privileged -z istio-ingress-service-account
oc adm policy add-scc-to-user anyuid -z istio-egress-service-account
oc adm policy add-scc-to-user privileged -z istio-egress-service-account
oc adm policy add-scc-to-user anyuid -z istio-pilot-service-account
oc adm policy add-scc-to-user privileged -z istio-pilot-service-account
oc adm policy add-scc-to-user anyuid -z istio-grafana-service-account
oc adm policy add-scc-to-user anyuid -z istio-prometheus-service-account
oc adm policy add-scc-to-user anyuid -z prometheus
oc adm policy add-scc-to-user privileged -z prometheus
oc adm policy add-scc-to-user anyuid -z grafana
oc adm policy add-scc-to-user privileged -z grafana
oc adm policy add-scc-to-user anyuid -z default
oc adm policy add-scc-to-user privileged -z default
oc adm policy add-cluster-role-to-user cluster-admin -z default
# install istio components
cd ${ISTIO_HOME}
oc apply -f install/kubernetes/istio.yaml
oc create -f install/kubernetes/addons/prometheus.yaml
oc create -f install/kubernetes/addons/grafana.yaml
oc create -f install/kubernetes/addons/servicegraph.yaml
oc apply -f https://raw.githubusercontent.com/jaegertracing/jaeger-kubernetes/master/all-in-one/jaeger-all-in-one-template.yml
# expose all the istio services
oc expose svc grafana
oc expose svc servicegraph
oc expose svc jaeger-query
oc expose svc istio-ingress
oc expose svc prometheus
# create new project to house coolstore mesh
oc new-project $COOLSTORE_PROJECT
# set permissions to allow proxies to reconfigure networking
oc adm policy add-scc-to-user privileged -z default
oc adm policy add-scc-to-user anyuid -z default
# clone coolstore-microservice repo
cd $PROJECT_DIR
git clone http://github.com/jbossdemocentral/coolstore-microservice
# manually inject sidecars to all pods and build/deploy
oc process -f coolstore-microservice/openshift/coolstore-template.yaml | istioctl kube-inject -f - | oc apply -f -
# At this point coolstore-microservice will start building and deploying.
# cancel and then pause all deployments as we'll be updating them (they would fail otherwise)
for i in $(oc get dc -o name) ; do
oc rollout cancel $i
oc rollout pause $i
done
# ensure all service ports are named ("http") so they can be routed correctly by istio
for i in $(oc get svc -o name) ; do
PATCH=$(mktemp)
cat <<EOF > $PATCH
spec:
ports:
- name: http
port: 8080
protocol: TCP
targetPort: http
EOF
oc patch $i -p "$(cat $PATCH)"
rm -f $PATCH
done
# patch deployments:
# - to sleep 5 seconds before actually deploying to workaround istio proxy networking bug
# - add service version for istio intelligent routing
# - name http ports for routing
for i in $(oc get dc -o name) ; do
oc label $i version=v1
DCNAME=$(echo $i | cut -d'/' -f 2)
PATCH=$(mktemp)
cat <<EOF > $PATCH
spec:
strategy:
customParams:
command:
- /bin/sh
- '-c'
- 'sleep 5; echo slept for 5; /usr/bin/openshift-deploy'
template:
metadata:
labels:
version: v1
spec:
containers:
- name: $DCNAME
ports:
- containerPort: 8080
name: http
protocol: TCP
EOF
oc patch $i -p "$(cat $PATCH)"
rm -f $PATCH
done
# scale up ratings and reviews and pricing (they are set to 0 by default to save resources)
for i in rating rating-mongodb review review-postgresql pricing ; do
oc scale --replicas=1 dc $i
done
# build a modified jboss-eap builder image so that EAP binds to 0.0.0.0, working around an EAP-on-openshift
# bug!
cat <<EOF | oc new-build --name inventory-builder -D -
FROM registry.access.redhat.com/jboss-eap-7/eap70-openshift:1.6
RUN sed -i 's/JBOSS_HA_ARGS="-b \${IP_ADDR}/JBOSS_HA_ARGS="-b 0.0.0.0/' /opt/eap/bin/launch/ha.sh
EOF
for i in {1..200}; do oc logs -f bc/inventory-builder && break || sleep 1; done
# reconfigure inventory build to use new image, which will trigger new build/deployment
oc new-build --name inventory-hack --to='inventory:latest' ${COOLSTORE_PROJECT}/inventory-builder~https://github.com/jbossdemocentral/coolstore-microservice --context-dir=inventory-service
for i in {1..200}; do oc logs -f bc/inventory-hack && break || sleep 1; done
# fix fuse to propogate B3 tracing headers by hacking the source code and re-building the service
# from the local system using java and maven (which will pull down tons of dependencies if you haven't
# done this before, so be patient!)
sed -i.bak 's/return original;/original.getOut().setHeaders(original.getIn().getHeaders()); return original;/g' \
$PROJECT_DIR/coolstore-microservice/coolstore-gw/src/main/java/com/redhat/coolstore/api_gateway/ProductGateway.java
mvn -f $PROJECT_DIR/coolstore-microservice/coolstore-gw clean package -DskipTests -Dfabric8.skip -e -B -Pearly-access-repo
oc new-build --name coolstore-gw-hack --to='coolstore-gw:latest' --image fis-java-openshift:2.0 --strategy source --binary
oc start-build coolstore-gw-hack --from-file=${PROJECT_DIR}/coolstore-microservice/coolstore-gw/target/coolstore-gw.jar --follow
# un-pause and re-trigger all deployments
for i in $(oc get dc -o name) ; do
oc rollout resume $i
oc rollout latest $i
done
# add istio ingress
cat <<EOF | oc create -f -
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
name: coolstore-ingress
annotations:
kubernetes.io/ingress.class: "istio"
spec:
backend:
serviceName: web-ui
servicePort: http
rules:
- http:
paths:
- path: /api/*
backend:
serviceName: coolstore-gw
servicePort: http
EOF
oc get pods --show-all=false
# get URL to services to load in your web browser
echo
echo
echo -----------------------------------------
echo "Done! You should now wait a bit for everything to come up, then hit these URLs with your browser:"
echo -----------------------------------------
echo "Primary web frontend URL: http://$(oc get route istio-ingress -n ${ISTIO_PROJECT} --template='{{ .spec.host }}')"
echo "D3 force layout service graph: http://$(oc get route servicegraph -n ${ISTIO_PROJECT} --template='{{ .spec.host }}')/force/forcegraph.html?time_horizon=5m&filter_empty=true"
echo "Example Prometheus query: http://$(oc get route prometheus -n ${ISTIO_PROJECT} --template='{{ .spec.host }}')/graph?g0.range_input=30m&g0.expr=istio_request_count&g0.tab=0"
echo "Grafana Istio Dashboard: http://$(oc get route grafana -n ${ISTIO_PROJECT} --template='{{ .spec.host }}')/d/1/istio-dashboard?refresh=5s&orgId=1"
echo "Jaeger Tracing Console: http://$(oc get route jaeger-query -n ${ISTIO_PROJECT} --template='{{ .spec.host }}')"
echo
echo
@InfoSec812
Copy link

@jamesfalkner What repo do we need to have checked out to run this script inside it for deployment?

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment