unleashed/maistra_apimgmt.sh

## maistra_apimgmt.sh
#!/bin/bash

if test -x "$(pwd)/istiooc"; then
    ISTIOOC=$(pwd)/istiooc
else
    ISTIOOC=${HOME}/istiooc
fi

NAMESPACE=${NAMESPACE:-bookinfo}
DEPLOYMENT=${DEPLOYMENT:-productpage-v1}

istiooc()
{
    echo >&2 "Calling istiooc ${@}"
    ${ISTIOOC} "${@}"
}

generate_templates()
{
    local url="${1}"
    local sid="${2}"
    local token="${3}"

    istiooc exec -n istio-system $(istiooc -n istio-system get pods -l app=3scale-istio-adapter -o name | head -n 1 | sed -E -e 's/^pod\///') -ti -- \
        ./3scale-config-gen --url="${url}" --service="${sid}" --token="${token}" --fixup
}

get_uid()
{
    # we rely on the fact that the UID is printed in the last line with a specific format.
    local templates="${1}"
    echo "${templates}" | sed -n -E -e '$ s/^# The UID for this service is (\.*)\b/\1/p'
}

gen_patch()
{
    local namespace="${1}"
    local deployment="${2}"
    local uid="${3}"

    # this command's output introduces ^M after the uid, so remove it with sed
    istiooc -n "${namespace}" get deployment "${deployment}" \
      --template='{"spec":{"template":{"metadata":{"labels":{ {{ range $k,$v := .spec.template.metadata.labels }}"{{ $k }}":"{{ $v }}",{{ end }}"service-mesh.3scale.net":"true","service-mesh.3scale.net/uid":"'""${uid}""'"}}}}}' \
      | sed -E -e 's/\r//'
}

patch()
{
    local namespace="${1}"
    local deployment="${2}"
    local uid="${3}"
    local patch="$(gen_patch "${namespace}" "${deployment}" "${uid}")"

    istiooc -n "${namespace}" patch deployment "${deployment}" --patch ''"${patch}"''
}

apimgmt_enable()
{
    local sid="${2}"
    local templates=$(generate_templates "${@}")
    local uid=$(get_uid "${templates}")

    echo "[II] Enabling API management for ${DEPLOYMENT} with service id ${sid} and UID ${uid}"
    patch "${NAMESPACE}" "${DEPLOYMENT}" "${uid}"

    echo "${templates}" | istiooc apply -f -
}

enable_policy_checks()
{
    istiooc -n istio-system get cm istio -o yaml | sed -E -e '/disablePolicyChecks:/{$!{N;s/(disablePolicyChecks:\s*\n?\s*)true/\1false/;ty;P;D;:y}}' | istiooc -n istio-system apply -f -
}

if test "x${BASH_SOURCE[0]}" = "x" -o "${BASH_SOURCE[0]}" = "${0}"; then
    set -eo pipefail
    shopt -s failglob

    if test "${#}" -lt 3; then
      echo >&2 "usage: ${0} url service_id token"
      echo >&2 "You can customise NAMESPACE and DEPLOYMENT environment variables"
      exit 1
    fi

    enable_policy_checks
    apimgmt_enable "${@}"
fi

## maistra_bookinfo.sh
#!/bin/bash

AUTHN="${AUTHN:-true}"
if test "x${AUTHN}" = "xtrue"; then
    MTLS="-mtls"
fi


if test -x "$(pwd)/istiooc"; then
    ISTIOOC=$(pwd)/istiooc
else
    ISTIOOC=${HOME}/istiooc
fi

istiooc()
{
    ${ISTIOOC} "${@}"
}

istiooc new-project bookinfo

istiooc adm policy add-scc-to-user anyuid -z default -n bookinfo
istiooc adm policy add-scc-to-user privileged -z default -n bookinfo

istiooc create -n bookinfo -f https://raw.githubusercontent.com/Maistra/bookinfo/master/bookinfo.yaml
istiooc create -n bookinfo -f https://raw.githubusercontent.com/Maistra/bookinfo/master/bookinfo-gateway.yaml
istiooc create -n bookinfo -f https://raw.githubusercontent.com/istio/istio/release-1.1/samples/bookinfo/networking/destination-rule-all${MTLS}.yaml

echo GATEWAY IS:
istiooc get route -n istio-system istio-ingressgateway -o jsonpath='{.spec.host}'
echo
echo Use the /productpage path to access the app

## maistra_install.sh
#!/bin/bash
#
# You'd want to run this with a wrapper script that fills in the correct variables below.
# In particular, for productised images, you want to log in to the Red Hat's registry, so
# you can then fill in the secrets in that wrapper script:
#
# DOCKER_USER="abc" DOCKER_PASSWD="123" ./maistra_install.sh
#
# Then invoke it with enough privileges (ie. maybe with sudo).

set -eo pipefail

PUBLIC_IP="${PUBLIC_IP:-$(curl ifconfig.me/ip)}"
# openshift or origin
DEPLOYMENT_TYPE="${DEPLOYMENT_TYPE:-origin}"

# version
MAISTRA_VERSION="${MAISTRA_VERSION:-0.10.0}"
OPENSHIFT_VERSION="${OPENSHIFT_VERSION:-3.11.0}"
# istiooc release tag
ISTIOOC_TAG="${ISTIOOC_TAG:-v${OPENSHIFT_VERSION}%2Bmaistra-${MAISTRA_VERSION}}"
# mTLS support
AUTHN="${AUTHN:-true}"
# modify image names to match community ones
COMMUNITY="${COMMUNITY:-false}"
# whether to enable the 3scale adapter
THREESCALE_ENABLED="${THREESCALE_ENABLED:-true}"
# default user/passwd
DEFAULT_USER="${DEFAULT_USER:-user}"
DEFAULT_PASSWD="${DEFAULT_PASSWD:-password}"
# users and passwords
OS_USER="${OS_USER:-${DEFAULT_USER}}"
OS_PASSWD="${OS_PASSWD:-${DEFAULT_PASSWD}}"
KIALI_USER="${KIALI_USER:-${DEFAULT_USER}}"
KIALI_PASSWD="${KIALI_PASSWD:-${DEFAULT_PASSWD}}"
GH_USER="${GH_USER:-gh_user}"
GH_TOKEN="${GH_TOKEN:-gh_token}"

if test "x${ADAPTER_VERSION}" != "x"; then
    if expr match "${ADAPTER_VERSION}" '^[0-9]' > /dev/null; then
        ADAPTER_VERSION="v${ADAPTER_VERSION}"
    fi
    ADAPTER_VERSION_YAML="version: ${ADAPTER_VERSION}"
fi
KIALI_TAG="${KIALI_VERSION}"
KIALI_VERSION="${KIALI_VERSION:+v${KIALI_VERSION}}"
CATALOG_VERSION="${CATALOG_VERSION:+v${CATALOG_VERSION}}"

MAISTRA_VERSION_YAML="${MAISTRA_VERSION:+version: ${MAISTRA_VERSION}}"
KIALI_VERSION_YAML="${KIALI_VERSION:+version: ${KIALI_VERSION}}"
KIALI_TAG_YAML="${KIALI_TAG:+tag: ${KIALI_TAG}}"
JAEGER_VERSION_YAML="${JAEGER_VERSION:+version: ${JAEGER_VERSION}}"
if test "x${JAEGER_VERSION}" != "x"; then
    if test "x${JAEGER_ENABLED}" = "x"; then
        JAEGER_ENABLED=true
    fi
fi
CATALOG_VERSION_YAML="${CATALOG_VERSION:+branch: ${CATALOG_VERSION}}"
CATALOG_VERSION_YAML_2="${CATALOG_TAG:+LAUNCHER_BOOSTER_CATALOG_REF: ${CATALOG_VERSION}}"

echo "----------------------------------------------"
echo "*** Installing Maistra ${MAISTRA_VERSION} on OS ${OPENSHIFT_VERSION} using public address ${PUBLIC_IP} ***"
echo "----------------------------------------------"
echo "*** Maistra:                  ${MAISTRA_VERSION}"
echo "*** istiooc tag:              ${ISTIOOC_TAG}"
echo "*** Deployment type:          ${DEPLOYMENT_TYPE}"
echo "*** Mutual TLS:               ${AUTHN}"
echo "*** Community image names:    ${COMMUNITY}"
echo "*** 3scale enabled:           ${THREESCALE_ENABLED}"
echo "----------------------------------------------"
echo "*** Kiali:   ${KIALI_VERSION:-(default)}"
echo "*** Jaeger:  ${JAEGER_VERSION:-(default)}"
echo "*** 3scale:  ${ADAPTER_VERSION:-(default)}"
echo "*** Catalog: ${CATALOG_VERSION:-(default)}"
echo "----------------------------------------------"

sleep 2

OKD_PATH=/var/lib/origin
OKD_CONFIG_PATH="${OKD_PATH}/openshift.local.config"
OKD_DOCKER_CONFIG_PATH="${OKD_PATH}/.docker"

# Only used if zone needs to be created
DEFAULT_DOCKER_ZONE="dockerc"

# Fill these in if you need to do docker login first (ie. for registry.redhat.io)
#DOCKER_USER=
#DOCKER_PASSWD=
DOCKER_LOGIN_REGISTRY="${DOCKER_LOGIN_REGISTRY:-registry.redhat.io}"
# memory dedicated to ES (for Jaeger)
# by default, take 1/8th of the total system memory from this node
DEFAULT_ES_MEMORY_NTH=8
# define directly the memory in gigabytes with ES_MEMORY
#ES_MEMORY=

istiooc()
{
    ${ISTIOOC} ${@}
}

docker_use_insecure_registry()
{
    local registry="${1}"

    if ! cat /etc/docker/daemon.json | grep -q "${registry}"; then
        echo >&2 "[WW] Your Docker daemon.json file does not APPEAR TO include a suitable insecure registry for OKD, so I will just OVERWRITE it with my version discarding your file including any additional entries..."
        echo "[II] Here is the old file for your records:"
        cat /etc/docker/daemon.json || true
        cat > /etc/docker/daemon.json << EOF
{
    "insecure-registries": ["${registry}"]
}
EOF
    fi
}

docker_bridge_netmask()
{
    local ip_network=$(docker network inspect -f "{{ range .IPAM.Config }}{{ .Subnet }}{{ end }}" bridge)
    if test "x${ip_network}" = "x"; then
        return 1
    fi
    echo "${ip_network}"
}

fw_add_zone()
{
    local zone="${1}"

    firewall-cmd --permanent --zone ${zone} --get-description 2> /dev/null >&2 || firewall-cmd --permanent --new-zone ${zone}
}

fw_add_source()
{
    local zone="${1}"
    local source="${2}"

    firewall-cmd --permanent --zone ${zone} --query-source ${source} 2> /dev/null >&2 || firewall-cmd --permanent --zone ${zone} --add-source ${source}
}

fw_add_port()
{
    local zone="${1}"
    local port="${2}"

    firewall-cmd --permanent --zone ${zone} --query-port ${port} 2> /dev/null >&2 || firewall-cmd --permanent --zone ${zone} --add-port ${port}
}

fw_reload()
{
    firewall-cmd --complete-reload
}

fw_zone_of()
{
    local src="${1}"
    local zone=$(firewall-cmd --get-zone-of-source=${src})
    if test "x${zone}" = "x"; then
        return 1
    else
        echo ${zone}
    fi
}

pod_logs()
{
    local ns="${1}"
    local pod="${2}"
    istiooc -n ${ns} logs ${pod}
}

pod_find()
{
    local ns="${1}"
    local pod="${2}"

    istiooc -n ${ns} get pods | cut -d' ' -f 1 | grep "^${pod}"
}

istio_operator_logs()
{
    local operator_pod=$(istio_operator_pod)
    pod_logs istio-operator "${operator_pod}"
}

istio_operator_pod()
{
    pod_find istio-operator istio-operator
}

istio_installer_job_pod()
{
    pod_find istio-system openshift-ansible-istio-installer-job
}

istio_installer_logs()
{
    local installer_pod=$(istio_installer_job_pod)
    pod_logs istio-system "${installer_pod}"
}

memory_total()
{
    echo "$(free -g | grep ^Mem | sed -e 's/\s\+/ /g' | cut -d' ' -f 2)"
}

memory_by_n()
{
    local n="${1}"
    let div="($(memory_total)+${n}-1)/${n}"
    echo "${div}"
}

echo "[II] Ensuring Docker is installed"
yum install -y docker

echo "[II] Ensuring your Docker instance uses a suitable insecure registry"
docker_use_insecure_registry "172.30.0.0/16\", \"${DOCKER_LOGIN_REGISTRY}\", \"brew-pulp-docker01.web.prod.ext.phx2.redhat.com:8888"

echo "[II] Reloading the Docker configuration"
systemctl daemon-reload
systemctl restart docker

echo "[II] Setting Docker to be started on boot"
systemctl enable docker

if test "x${DOCKER_USER}" != "x"; then
    echo "[II] Logging in with Docker on ${DOCKER_LOGIN_REGISTRY}"
    docker login -u=\'"${DOCKER_USER}"\' -p=${DOCKER_PASSWD} ${DOCKER_LOGIN_REGISTRY}
fi
if test -r ~/.docker/config.json; then
    echo "[II] Copying over Docker configuration to OKD's directory"
    mkdir -p ${OKD_DOCKER_CONFIG_PATH}
    cp ~/.docker/config.json ${OKD_DOCKER_CONFIG_PATH}/config.json
fi

echo "[II] Obtaining Docker's bridge network mask"
IP_NETWORK=$(docker_bridge_netmask)
if test "x${IP_NETWORK}" = "x"; then
    echo >&2 "[EE] Could not obtain Docker's bridge network mask"
    return 1
fi

if which firewall-cmd 2> /dev/null >&2; then
    ZONE=$(fw_zone_of ${IP_NETWORK} || true)
    if test "x${ZONE}" = "x"; then
        ZONE="${DEFAULT_DOCKER_ZONE}"
        echo "[II] Configuring firewalld zone ${ZONE} to allow source ${IP_NETWORK}"
        fw_add_zone ${ZONE}
        fw_add_source ${ZONE} ${IP_NETWORK}
    fi

    echo "[II] Adding ports to firewall zone ${ZONE}"
    fw_add_port ${ZONE} 8443/tcp
    fw_add_port ${ZONE} 443/tcp
    fw_add_port ${ZONE} 53/udp
    fw_add_port ${ZONE} 8053/udp
    echo "[II] Adding 8443/tcp to the public firewall zone"
    fw_add_port public 8443/tcp
    echo "[II] Adding 443/tcp to the public firewall zone (ie. Kiali)"
    fw_add_port public 443/tcp
    echo "[II] Adding 80/tcp to the public firewall zone (ie. Fabric8)"
    fw_add_port public 80/tcp
    echo "[II] Adding 22/tcp to the public firewall zone for SSH access"
    fw_add_port public 22/tcp
    echo "[II] Reloading the firewall rules"
    fw_reload
else
    echo >&2 "[WW] Firewalld NOT DETECTED, assuming it is not needed"
fi

ISTIOOC="${ISTIOOC:-$(pwd)/istiooc}"

echo "[II] Downloading istiooc_linux ${ISTIOOC_TAG}"
curl -SLo ${ISTIOOC} "https://github.com/Maistra/origin/releases/download/${ISTIOOC_TAG}/istiooc_linux"
chmod +x ${ISTIOOC}
echo "[II] Creating istiooc symlinks"
if ! test -x "${HOME}/istiooc"; then
    ln -s ${ISTIOOC} ${HOME}/istiooc
fi
if ! test -x "${HOME}/oc"; then
    ln -s ${HOME}/istiooc ${HOME}/oc
fi
if ! test -x "$(dirname ${ISTIOOC})/oc"; then
    ln -s ${ISTIOOC} $(dirname ${ISTIOOC})/oc
fi
echo "[II] Running istiooc cluster up"
mkdir -p "${OKD_CONFIG_PATH}" || true
/bin/echo -e "#!/bin/bash\n${ISTIOOC} cluster up --routing-suffix=${PUBLIC_IP}.nip.io --public-hostname=${PUBLIC_IP}.nip.io --base-dir=${OKD_CONFIG_PATH}" > $(pwd)/cluster_up_cmd.sh
chmod +x $(pwd)/cluster_up_cmd.sh
istiooc cluster up --routing-suffix=${PUBLIC_IP}.nip.io \
    --public-hostname=${PUBLIC_IP}.nip.io \
    --base-dir="${OKD_CONFIG_PATH}"
#    --enable=persistent-volumes \
#    --enable=registry \
#    --enable=router \
#    --enable=web-console
echo "[II] Done running cluster up."

echo "[II] Setting up the configuration file."
mkdir -p ~/.kube || true
if test -r ~/.kube/config; then
    echo >&2 "[WW] Found a kube config file, renaming it so we can link to the OKD config"
    mv ~/.kube/config{,.orig}
fi
ln -s "${OKD_CONFIG_PATH}/openshift-apiserver/admin.kubeconfig" ~/.kube/config

echo "[II] Logging in as system:admin"
istiooc login -u system:admin --insecure-skip-tls-verify=true
echo "[II] Adding user developer to cluster-admin"
istiooc adm policy add-cluster-role-to-user cluster-admin developer
echo "[II] Waiting for registry readiness"
istiooc wait --for=condition=available dc/docker-registry --namespace=default || istiooc rollout retry dc/docker-registry --namespace=default
echo "[II] Waiting for router readiness"
istiooc wait --for=condition=available dc/router --namespace=default || istiooc rollout retry dc/router --namespace=default

echo "[II] Listing pods for namespace istio-operator"
istiooc -n istio-operator get pods

echo "[II] Listing logs for istio-operator pod"
istio_operator_logs
if ! istio_operator_logs | grep -q "Watching resource istio.openshift.com/v1alpha1, kind Installation, namespace istio-operator"; then
    echo >&2 "[WW] Seems like the istio-operator pod is not watching the istio.openshift.com/v1alpha1 resource"
else
    echo "[II] Istio operator seems to be working just fine."
fi

echo "[II] Creating the installation custom resource"
if test "x${ES_MEMORY}" = "x"; then
    ES_MEMORY="$(memory_by_n ${DEFAULT_ES_MEMORY_NTH})"
fi
ES_MEMORY="${ES_MEMORY}Gi"
cat >> crv1.yaml <<- EOF
apiVersion: "istio.openshift.com/v1alpha1"
kind: "Installation"
metadata:
  name: "istio-installation"
  namespace: istio-operator
spec:
  deployment_type: ${DEPLOYMENT_TYPE}
  istio:
    authentication: ${AUTHN}
    community: ${COMMUNITY}
    ${MAISTRA_VERSION_YAML}
  jaeger:
    ${JAEGER_VERSION_YAML}
    elasticsearch_memory: ${ES_MEMORY}
  kiali:
    username: ${KIALI_USER}
    password: ${KIALI_PASSWD}
    ${KIALI_VERSION_YAML}
  launcher:
    openshift:
      user: ${OS_USER}
      password: ${OS_PASSWD}
    github:
      username: ${GH_USER}
      token: ${GH_TOKEN}
    catalog:
      filter: booster.mission.metadata.istio
      ${CATALOG_VERSION_YAML}
      repo: https://github.com/fabric8-launcher/launcher-booster-catalog.git
  threeScale:
    enabled: ${THREESCALE_ENABLED}
    ${ADAPTER_VERSION_YAML}
    adapter:
      listenAddr: 3333
      logLevel: info
      logJSON: true
      reportMetrics: true
      metricsPort: 8080
      cacheTTLSeconds: 300
      cacheRefreshSeconds: 100
      cacheEntriesMax: 1000
      cacheRefreshRetries: 1
      allowInsecureConn: false
      clientTimeoutSeconds: 10
EOF
if test "x${DISABLEPOLICYCHECKS}" = "x"; then
    if test "x${THREESCALE_ENABLED}" == "xtrue"; then
        DISABLEPOLICYCHECKS="false"
    else
        DISABLEPOLICYCHECKS="true"
    fi
fi
cat >> crv3.yaml <<- EOF
apiVersion: istio.openshift.com/v1alpha3
kind: ControlPlane
metadata:
  name: basic-install
spec:
  istio:
    global:
      tag: ${MAISTRA_VERSION}
      mtls:
        enabled: ${AUTHN}
      disablePolicyChecks: ${DISABLEPOLICYCHECKS}
      policyCheckFailOpen: ${POLICYCHECKFAILOPEN:-false}
      proxy:
        # constrain resources for use in smaller environments
        resources:
          requests:
            cpu: ${PROXY_MIN_CPU:-100m}
            memory: ${PROXY_MIN_MEM:-128Mi}
          limits:
            cpu: ${PROXY_MAX_CPU:-500m}
            memory: ${PROXY_MAX_MEM:-128Mi}
    gateways:
      istio-egressgateway:
        # disable autoscaling for use in smaller environments
        autoscaleEnabled: ${EGRESS_AUTOSCALE:-false}
        autoscaleMin: ${EGRESS_AUTOSCALE_MIN:-1}
        autoscaleMax: ${EGRESS_AUTOSCALE_MAX:-5}
      istio-ingressgateway:
        # disable autoscaling for use in smaller environments
        autoscaleEnabled: ${INGRESS_AUTOSCALE:-false}
        autoscaleMin: ${INGRESS_AUTOSCALE_MIN:-1}
        autoscaleMax: ${INGRESS_AUTOSCALE_MAX:-5}
        # set to true to enable IOR - Istio routes auto enabled in Openshift
        ior_enabled: ${IOR_ENABLED:-false}
    mixer:
      enabled: ${MIXER_ENABLED:-true}
      policy:
        # disable autoscaling for use in smaller environments
        autoscaleEnabled: ${POLICY_AUTOSCALE:-false}
        # resource constraints are not documented for policy, maybe not implemented
        resources:
          requests:
            cpu: ${POLICY_MIN_CPU:-100m}
            memory: ${POLICY_MIN_MEM:-1G}
          limits:
            cpu: ${POLICY_MAX_CPU:-500m}
            memory: ${POLICY_MAX_MEM:-4G}

      telemetry:
        # disable autoscaling for use in smaller environments
        autoscaleEnabled: ${TELEMETRY_AUTOSCALE:-false}
        # constrain resources for use in smaller environments
        resources:
          requests:
            cpu: ${TELEMETRY_MIN_CPU:-100m}
            memory: ${TELEMETRY_MIN_MEM:-1G}
          limits:
            cpu: ${TELEMETRY_MAX_CPU:-500m}
            memory: ${TELEMETRY_MAX_MEM:-4G}

    pilot:
      # disable autoscaling for use in smaller environments
      autoscaleEnabled: ${PILOT_AUTOSCALE:-false}
      # increase random sampling rate for development/testing
      traceSampling: ${PILOT_SAMPLING_RATE:-100.0}
      resources:
        requests:
          cpu: ${PILOT_MIN_CPU:-100m}
          memory: ${PILOT_MIN_MEM:-1G}
        # Limits are not documented for pilot, maybe unimplemented
        limits:
          cpu: ${PILOT_MAX_CPU:-500m}
          memory: ${PILOT_MAX_MEM:-4G}

    kiali:
      enabled: ${KIALI_ENABLED:-true}
      ${KIALI_TAG_YAML}
      dashboard:
        user: ${KIALI_USER}
        passphrase: ${KIALI_PASSWD}
    tracing:
      enabled: ${JAEGER_ENABLED}
  threescale:
    enabled: ${THREESCALE_ENABLED:-false}
    PARAM_THREESCALE_LISTEN_ADDR: 3333
    PARAM_THREESCALE_LOG_LEVEL: info
    PARAM_THREESCALE_LOG_JSON: true
    PARAM_THREESCALE_REPORT_METRICS: true
    PARAM_THREESCALE_METRICS_PORTL: 8080
    PARAM_THREESCALE_CACHE_TTL_SECONDS: 300
    PARAM_THREESCALE_CACHE_REFRESH_SECONDS: 180
    PARAM_THREESCALE_CACHE_ENTRIES_MAX: 1000
    PARAM_THREESCALE_CACHE_REFRESH_RETRIES: 1
    PARAM_THREESCALE_ALLOW_INSECURE_CONN: ${THREESCALE_ALLOW_INSECURE_CONN:-false}
    PARAM_THREESCALE_CLIENT_TIMEOUT_SECONDS: 10
  launcher:
    enabled: false
    LAUNCHER_MISSIONCONTROL_GITHUB_USERNAME: ${GH_USER}
    LAUNCHER_MISSIONCONTROL_GITHUB_TOKEN: ${GH_TOKEN}
    ${CATALOG_VERSION_YAML2}
EOF

echo "[II] Running the installation operator"
istiooc -n istio-operator create -f crv1.yaml

echo "[II] Listing (again) logs for istio-operator pod"
istio_operator_logs
if ! istio_operator_logs | grep -q "Installing istio for Installation istio-installation"; then
    echo >&2 "[WW] Seems like the istio-operator pod has not started the installation"
else
    echo "[II] Istio operator has started the installation."
fi

sleep 10
echo "[II] Initial logs from the istio installer job (container creation might still be taking place)"
istio_installer_logs || true

echo "[II] Watching istio-system pods, hit CTRL+C when openshift-ansible-istio-installer-job is completed"
istiooc -n istio-system get pods -w || true

echo "[II] Logs from the istio installer job can be shown with:"
echo "istiooc logs -n istio-system $(istio_installer_job_pod)"
#istio_installer_logs
if test "x${THREESCALE_ENABLED}" = "xtrue"; then
    echo "[II] Enabling policy checks in mixer (needed by the 3scale adapter)"
    istiooc -n istio-system get cm istio -o yaml | sed -E -e '/disablePolicyChecks:/{$!{N;s/(disablePolicyChecks:\s*\n?\s*)true/\1false/;ty;P;D;:y}}' | istiooc -n istio-system apply -f -
fi
echo "[II] Script completed."

## maistra_remove.sh
#!/bin/bash -e

OKD_PATH=/var/lib/origin
OKD_CONFIG_PATH="${OKD_PATH}/openshift.local.config"

if test -x "$(pwd)/istiooc"; then
    ISTIOOC=$(pwd)/istiooc
    FILES_HOME="$(pwd)"
else
    ISTIOOC=${HOME}/istiooc
    FILES_HOME="${HOME}"
fi

istiooc()
{
    ${ISTIOOC} "${@}"
}

umount_stuff()
{
    mount | grep -P "(openshift|docker)" | cut -d' ' -f 3 | xargs umount
}

remove_stuff()
{
    rm -rf ~/.kube ~/openshift.local.clusterup/ /etc/docker/ /etc/sysconfig/docker-storage.rpmsave /var/lib/docker/ \
        "${OKD_PATH}" ./istiooc ./oc "${files_dir}/istiooc" "${files_dir}/oc" "${files_dir}/crv1.yaml" \
        "${files_dir}"/*.{crt,csr,key} "${files_dir}/cluster_up_cmd.sh"
}

stop_docker()
{
    systemctl stop docker
}

remove_docker()
{
    yum remove -y docker && yum autoremove -y
}

cluster_down()
{
    istiooc cluster down
}

echo "[II] Running cluster down"
cluster_down
echo "[II] Stopping the docker service"
stop_docker
echo "[II] Unmounting openshift/docker mount points"
umount_stuff || {
    # this seems to work
    echo "[II] Retrying the unmounting process"
    sleep 5
    umount_stuff
}
echo "[II] Removing docker"
remove_docker
echo "[II] Removing leftover files"
remove_stuff
echo "[II] Process completed."
	#!/bin/bash

	if test -x "$(pwd)/istiooc"; then
	ISTIOOC=$(pwd)/istiooc
	else
	ISTIOOC=${HOME}/istiooc
	fi

	NAMESPACE=${NAMESPACE:-bookinfo}
	DEPLOYMENT=${DEPLOYMENT:-productpage-v1}

	istiooc()
	{
	echo >&2 "Calling istiooc ${@}"
	${ISTIOOC} "${@}"
	}

	generate_templates()
	{
	local url="${1}"
	local sid="${2}"
	local token="${3}"

	istiooc exec -n istio-system $(istiooc -n istio-system get pods -l app=3scale-istio-adapter -o name \| head -n 1 \| sed -E -e 's/^pod\///') -ti -- \
	./3scale-config-gen --url="${url}" --service="${sid}" --token="${token}" --fixup
	}

	get_uid()
	{
	# we rely on the fact that the UID is printed in the last line with a specific format.
	local templates="${1}"
	echo "${templates}" \| sed -n -E -e '$ s/^# The UID for this service is (\.*)\b/\1/p'
	}

	gen_patch()
	{
	local namespace="${1}"
	local deployment="${2}"
	local uid="${3}"

	# this command's output introduces ^M after the uid, so remove it with sed
	istiooc -n "${namespace}" get deployment "${deployment}" \
	--template='{"spec":{"template":{"metadata":{"labels":{ {{ range $k,$v := .spec.template.metadata.labels }}"{{ $k }}":"{{ $v }}",{{ end }}"service-mesh.3scale.net":"true","service-mesh.3scale.net/uid":"'""${uid}""'"}}}}}' \
	\| sed -E -e 's/\r//'
	}

	patch()
	{
	local namespace="${1}"
	local deployment="${2}"
	local uid="${3}"
	local patch="$(gen_patch "${namespace}" "${deployment}" "${uid}")"

	istiooc -n "${namespace}" patch deployment "${deployment}" --patch ''"${patch}"''
	}

	apimgmt_enable()
	{
	local sid="${2}"
	local templates=$(generate_templates "${@}")
	local uid=$(get_uid "${templates}")

	echo "[II] Enabling API management for ${DEPLOYMENT} with service id ${sid} and UID ${uid}"
	patch "${NAMESPACE}" "${DEPLOYMENT}" "${uid}"

	echo "${templates}" \| istiooc apply -f -
	}

	enable_policy_checks()
	{
	istiooc -n istio-system get cm istio -o yaml \| sed -E -e '/disablePolicyChecks:/{$!{N;s/(disablePolicyChecks:\s\n?\s)true/\1false/;ty;P;D;:y}}' \| istiooc -n istio-system apply -f -
	}

	if test "x${BASH_SOURCE[0]}" = "x" -o "${BASH_SOURCE[0]}" = "${0}"; then
	set -eo pipefail
	shopt -s failglob

	if test "${#}" -lt 3; then
	echo >&2 "usage: ${0} url service_id token"
	echo >&2 "You can customise NAMESPACE and DEPLOYMENT environment variables"
	exit 1
	fi

	enable_policy_checks
	apimgmt_enable "${@}"
	fi
	#!/bin/bash

	AUTHN="${AUTHN:-true}"
	if test "x${AUTHN}" = "xtrue"; then
	MTLS="-mtls"
	fi


	if test -x "$(pwd)/istiooc"; then
	ISTIOOC=$(pwd)/istiooc
	else
	ISTIOOC=${HOME}/istiooc
	fi

	istiooc()
	{
	${ISTIOOC} "${@}"
	}

	istiooc new-project bookinfo

	istiooc adm policy add-scc-to-user anyuid -z default -n bookinfo
	istiooc adm policy add-scc-to-user privileged -z default -n bookinfo

	istiooc create -n bookinfo -f https://raw.githubusercontent.com/Maistra/bookinfo/master/bookinfo.yaml
	istiooc create -n bookinfo -f https://raw.githubusercontent.com/Maistra/bookinfo/master/bookinfo-gateway.yaml
	istiooc create -n bookinfo -f https://raw.githubusercontent.com/istio/istio/release-1.1/samples/bookinfo/networking/destination-rule-all${MTLS}.yaml

	echo GATEWAY IS:
	istiooc get route -n istio-system istio-ingressgateway -o jsonpath='{.spec.host}'
	echo
	echo Use the /productpage path to access the app
	#!/bin/bash
	#
	# You'd want to run this with a wrapper script that fills in the correct variables below.
	# In particular, for productised images, you want to log in to the Red Hat's registry, so
	# you can then fill in the secrets in that wrapper script:
	#
	# DOCKER_USER="abc" DOCKER_PASSWD="123" ./maistra_install.sh
	#
	# Then invoke it with enough privileges (ie. maybe with sudo).

	set -eo pipefail

	PUBLIC_IP="${PUBLIC_IP:-$(curl ifconfig.me/ip)}"
	# openshift or origin
	DEPLOYMENT_TYPE="${DEPLOYMENT_TYPE:-origin}"

	# version
	MAISTRA_VERSION="${MAISTRA_VERSION:-0.10.0}"
	OPENSHIFT_VERSION="${OPENSHIFT_VERSION:-3.11.0}"
	# istiooc release tag
	ISTIOOC_TAG="${ISTIOOC_TAG:-v${OPENSHIFT_VERSION}%2Bmaistra-${MAISTRA_VERSION}}"
	# mTLS support
	AUTHN="${AUTHN:-true}"
	# modify image names to match community ones
	COMMUNITY="${COMMUNITY:-false}"
	# whether to enable the 3scale adapter
	THREESCALE_ENABLED="${THREESCALE_ENABLED:-true}"
	# default user/passwd
	DEFAULT_USER="${DEFAULT_USER:-user}"
	DEFAULT_PASSWD="${DEFAULT_PASSWD:-password}"
	# users and passwords
	OS_USER="${OS_USER:-${DEFAULT_USER}}"
	OS_PASSWD="${OS_PASSWD:-${DEFAULT_PASSWD}}"
	KIALI_USER="${KIALI_USER:-${DEFAULT_USER}}"
	KIALI_PASSWD="${KIALI_PASSWD:-${DEFAULT_PASSWD}}"
	GH_USER="${GH_USER:-gh_user}"
	GH_TOKEN="${GH_TOKEN:-gh_token}"

	if test "x${ADAPTER_VERSION}" != "x"; then
	if expr match "${ADAPTER_VERSION}" '^[0-9]' > /dev/null; then
	ADAPTER_VERSION="v${ADAPTER_VERSION}"
	fi
	ADAPTER_VERSION_YAML="version: ${ADAPTER_VERSION}"
	fi
	KIALI_TAG="${KIALI_VERSION}"
	KIALI_VERSION="${KIALI_VERSION:+v${KIALI_VERSION}}"
	CATALOG_VERSION="${CATALOG_VERSION:+v${CATALOG_VERSION}}"

	MAISTRA_VERSION_YAML="${MAISTRA_VERSION:+version: ${MAISTRA_VERSION}}"
	KIALI_VERSION_YAML="${KIALI_VERSION:+version: ${KIALI_VERSION}}"
	KIALI_TAG_YAML="${KIALI_TAG:+tag: ${KIALI_TAG}}"
	JAEGER_VERSION_YAML="${JAEGER_VERSION:+version: ${JAEGER_VERSION}}"
	if test "x${JAEGER_VERSION}" != "x"; then
	if test "x${JAEGER_ENABLED}" = "x"; then
	JAEGER_ENABLED=true
	fi
	fi
	CATALOG_VERSION_YAML="${CATALOG_VERSION:+branch: ${CATALOG_VERSION}}"
	CATALOG_VERSION_YAML_2="${CATALOG_TAG:+LAUNCHER_BOOSTER_CATALOG_REF: ${CATALOG_VERSION}}"

	echo "----------------------------------------------"
	echo "* Installing Maistra ${MAISTRA_VERSION} on OS ${OPENSHIFT_VERSION} using public address ${PUBLIC_IP} *"
	echo "----------------------------------------------"
	echo "*** Maistra: ${MAISTRA_VERSION}"
	echo "*** istiooc tag: ${ISTIOOC_TAG}"
	echo "*** Deployment type: ${DEPLOYMENT_TYPE}"
	echo "*** Mutual TLS: ${AUTHN}"
	echo "*** Community image names: ${COMMUNITY}"
	echo "*** 3scale enabled: ${THREESCALE_ENABLED}"
	echo "----------------------------------------------"
	echo "*** Kiali: ${KIALI_VERSION:-(default)}"
	echo "*** Jaeger: ${JAEGER_VERSION:-(default)}"
	echo "*** 3scale: ${ADAPTER_VERSION:-(default)}"
	echo "*** Catalog: ${CATALOG_VERSION:-(default)}"
	echo "----------------------------------------------"

	sleep 2

	OKD_PATH=/var/lib/origin
	OKD_CONFIG_PATH="${OKD_PATH}/openshift.local.config"
	OKD_DOCKER_CONFIG_PATH="${OKD_PATH}/.docker"

	# Only used if zone needs to be created
	DEFAULT_DOCKER_ZONE="dockerc"

	# Fill these in if you need to do docker login first (ie. for registry.redhat.io)
	#DOCKER_USER=
	#DOCKER_PASSWD=
	DOCKER_LOGIN_REGISTRY="${DOCKER_LOGIN_REGISTRY:-registry.redhat.io}"
	# memory dedicated to ES (for Jaeger)
	# by default, take 1/8th of the total system memory from this node
	DEFAULT_ES_MEMORY_NTH=8
	# define directly the memory in gigabytes with ES_MEMORY
	#ES_MEMORY=

	istiooc()
	{
	${ISTIOOC} ${@}
	}

	docker_use_insecure_registry()
	{
	local registry="${1}"

	if ! cat /etc/docker/daemon.json \| grep -q "${registry}"; then
	echo >&2 "[WW] Your Docker daemon.json file does not APPEAR TO include a suitable insecure registry for OKD, so I will just OVERWRITE it with my version discarding your file including any additional entries..."
	echo "[II] Here is the old file for your records:"
	cat /etc/docker/daemon.json \|\| true
	cat > /etc/docker/daemon.json << EOF
	{
	"insecure-registries": ["${registry}"]
	}
	EOF
	fi
	}

	docker_bridge_netmask()
	{
	local ip_network=$(docker network inspect -f "{{ range .IPAM.Config }}{{ .Subnet }}{{ end }}" bridge)
	if test "x${ip_network}" = "x"; then
	return 1
	fi
	echo "${ip_network}"
	}

	fw_add_zone()
	{
	local zone="${1}"

	firewall-cmd --permanent --zone ${zone} --get-description 2> /dev/null >&2 \|\| firewall-cmd --permanent --new-zone ${zone}
	}

	fw_add_source()
	{
	local zone="${1}"
	local source="${2}"

	firewall-cmd --permanent --zone ${zone} --query-source ${source} 2> /dev/null >&2 \|\| firewall-cmd --permanent --zone ${zone} --add-source ${source}
	}

	fw_add_port()
	{
	local zone="${1}"
	local port="${2}"

	firewall-cmd --permanent --zone ${zone} --query-port ${port} 2> /dev/null >&2 \|\| firewall-cmd --permanent --zone ${zone} --add-port ${port}
	}

	fw_reload()
	{
	firewall-cmd --complete-reload
	}

	fw_zone_of()
	{
	local src="${1}"
	local zone=$(firewall-cmd --get-zone-of-source=${src})
	if test "x${zone}" = "x"; then
	return 1
	else
	echo ${zone}
	fi
	}

	pod_logs()
	{
	local ns="${1}"
	local pod="${2}"
	istiooc -n ${ns} logs ${pod}
	}

	pod_find()
	{
	local ns="${1}"
	local pod="${2}"

	istiooc -n ${ns} get pods \| cut -d' ' -f 1 \| grep "^${pod}"
	}

	istio_operator_logs()
	{
	local operator_pod=$(istio_operator_pod)
	pod_logs istio-operator "${operator_pod}"
	}

	istio_operator_pod()
	{
	pod_find istio-operator istio-operator
	}

	istio_installer_job_pod()
	{
	pod_find istio-system openshift-ansible-istio-installer-job
	}

	istio_installer_logs()
	{
	local installer_pod=$(istio_installer_job_pod)
	pod_logs istio-system "${installer_pod}"
	}

	memory_total()
	{
	echo "$(free -g \| grep ^Mem \| sed -e 's/\s\+/ /g' \| cut -d' ' -f 2)"
	}

	memory_by_n()
	{
	local n="${1}"
	let div="($(memory_total)+${n}-1)/${n}"
	echo "${div}"
	}

	echo "[II] Ensuring Docker is installed"
	yum install -y docker

	echo "[II] Ensuring your Docker instance uses a suitable insecure registry"
	docker_use_insecure_registry "172.30.0.0/16\", \"${DOCKER_LOGIN_REGISTRY}\", \"brew-pulp-docker01.web.prod.ext.phx2.redhat.com:8888"

	echo "[II] Reloading the Docker configuration"
	systemctl daemon-reload
	systemctl restart docker

	echo "[II] Setting Docker to be started on boot"
	systemctl enable docker

	if test "x${DOCKER_USER}" != "x"; then
	echo "[II] Logging in with Docker on ${DOCKER_LOGIN_REGISTRY}"
	docker login -u=\'"${DOCKER_USER}"\' -p=${DOCKER_PASSWD} ${DOCKER_LOGIN_REGISTRY}
	fi
	if test -r ~/.docker/config.json; then
	echo "[II] Copying over Docker configuration to OKD's directory"
	mkdir -p ${OKD_DOCKER_CONFIG_PATH}
	cp ~/.docker/config.json ${OKD_DOCKER_CONFIG_PATH}/config.json
	fi

	echo "[II] Obtaining Docker's bridge network mask"
	IP_NETWORK=$(docker_bridge_netmask)
	if test "x${IP_NETWORK}" = "x"; then
	echo >&2 "[EE] Could not obtain Docker's bridge network mask"
	return 1
	fi

	if which firewall-cmd 2> /dev/null >&2; then
	ZONE=$(fw_zone_of ${IP_NETWORK} \|\| true)
	if test "x${ZONE}" = "x"; then
	ZONE="${DEFAULT_DOCKER_ZONE}"
	echo "[II] Configuring firewalld zone ${ZONE} to allow source ${IP_NETWORK}"
	fw_add_zone ${ZONE}
	fw_add_source ${ZONE} ${IP_NETWORK}
	fi

	echo "[II] Adding ports to firewall zone ${ZONE}"
	fw_add_port ${ZONE} 8443/tcp
	fw_add_port ${ZONE} 443/tcp
	fw_add_port ${ZONE} 53/udp
	fw_add_port ${ZONE} 8053/udp
	echo "[II] Adding 8443/tcp to the public firewall zone"
	fw_add_port public 8443/tcp
	echo "[II] Adding 443/tcp to the public firewall zone (ie. Kiali)"
	fw_add_port public 443/tcp
	echo "[II] Adding 80/tcp to the public firewall zone (ie. Fabric8)"
	fw_add_port public 80/tcp
	echo "[II] Adding 22/tcp to the public firewall zone for SSH access"
	fw_add_port public 22/tcp
	echo "[II] Reloading the firewall rules"
	fw_reload
	else
	echo >&2 "[WW] Firewalld NOT DETECTED, assuming it is not needed"
	fi

	ISTIOOC="${ISTIOOC:-$(pwd)/istiooc}"

	echo "[II] Downloading istiooc_linux ${ISTIOOC_TAG}"
	curl -SLo ${ISTIOOC} "https://github.com/Maistra/origin/releases/download/${ISTIOOC_TAG}/istiooc_linux"
	chmod +x ${ISTIOOC}
	echo "[II] Creating istiooc symlinks"
	if ! test -x "${HOME}/istiooc"; then
	ln -s ${ISTIOOC} ${HOME}/istiooc
	fi
	if ! test -x "${HOME}/oc"; then
	ln -s ${HOME}/istiooc ${HOME}/oc
	fi
	if ! test -x "$(dirname ${ISTIOOC})/oc"; then
	ln -s ${ISTIOOC} $(dirname ${ISTIOOC})/oc
	fi
	echo "[II] Running istiooc cluster up"
	mkdir -p "${OKD_CONFIG_PATH}" \|\| true
	/bin/echo -e "#!/bin/bash\n${ISTIOOC} cluster up --routing-suffix=${PUBLIC_IP}.nip.io --public-hostname=${PUBLIC_IP}.nip.io --base-dir=${OKD_CONFIG_PATH}" > $(pwd)/cluster_up_cmd.sh
	chmod +x $(pwd)/cluster_up_cmd.sh
	istiooc cluster up --routing-suffix=${PUBLIC_IP}.nip.io \
	--public-hostname=${PUBLIC_IP}.nip.io \
	--base-dir="${OKD_CONFIG_PATH}"
	# --enable=persistent-volumes \
	# --enable=registry \
	# --enable=router \
	# --enable=web-console
	echo "[II] Done running cluster up."

	echo "[II] Setting up the configuration file."
	mkdir -p ~/.kube \|\| true
	if test -r ~/.kube/config; then
	echo >&2 "[WW] Found a kube config file, renaming it so we can link to the OKD config"
	mv ~/.kube/config{,.orig}
	fi
	ln -s "${OKD_CONFIG_PATH}/openshift-apiserver/admin.kubeconfig" ~/.kube/config

	echo "[II] Logging in as system:admin"
	istiooc login -u system:admin --insecure-skip-tls-verify=true
	echo "[II] Adding user developer to cluster-admin"
	istiooc adm policy add-cluster-role-to-user cluster-admin developer
	echo "[II] Waiting for registry readiness"
	istiooc wait --for=condition=available dc/docker-registry --namespace=default \|\| istiooc rollout retry dc/docker-registry --namespace=default
	echo "[II] Waiting for router readiness"
	istiooc wait --for=condition=available dc/router --namespace=default \|\| istiooc rollout retry dc/router --namespace=default

	echo "[II] Listing pods for namespace istio-operator"
	istiooc -n istio-operator get pods

	echo "[II] Listing logs for istio-operator pod"
	istio_operator_logs
	if ! istio_operator_logs \| grep -q "Watching resource istio.openshift.com/v1alpha1, kind Installation, namespace istio-operator"; then
	echo >&2 "[WW] Seems like the istio-operator pod is not watching the istio.openshift.com/v1alpha1 resource"
	else
	echo "[II] Istio operator seems to be working just fine."
	fi

	echo "[II] Creating the installation custom resource"
	if test "x${ES_MEMORY}" = "x"; then
	ES_MEMORY="$(memory_by_n ${DEFAULT_ES_MEMORY_NTH})"
	fi
	ES_MEMORY="${ES_MEMORY}Gi"
	cat >> crv1.yaml <<- EOF
	apiVersion: "istio.openshift.com/v1alpha1"
	kind: "Installation"
	metadata:
	name: "istio-installation"
	namespace: istio-operator
	spec:
	deployment_type: ${DEPLOYMENT_TYPE}
	istio:
	authentication: ${AUTHN}
	community: ${COMMUNITY}
	${MAISTRA_VERSION_YAML}
	jaeger:
	${JAEGER_VERSION_YAML}
	elasticsearch_memory: ${ES_MEMORY}
	kiali:
	username: ${KIALI_USER}
	password: ${KIALI_PASSWD}
	${KIALI_VERSION_YAML}
	launcher:
	openshift:
	user: ${OS_USER}
	password: ${OS_PASSWD}
	github:
	username: ${GH_USER}
	token: ${GH_TOKEN}
	catalog:
	filter: booster.mission.metadata.istio
	${CATALOG_VERSION_YAML}
	repo: https://github.com/fabric8-launcher/launcher-booster-catalog.git
	threeScale:
	enabled: ${THREESCALE_ENABLED}
	${ADAPTER_VERSION_YAML}
	adapter:
	listenAddr: 3333
	logLevel: info
	logJSON: true
	reportMetrics: true
	metricsPort: 8080
	cacheTTLSeconds: 300
	cacheRefreshSeconds: 100
	cacheEntriesMax: 1000
	cacheRefreshRetries: 1
	allowInsecureConn: false
	clientTimeoutSeconds: 10
	EOF
	if test "x${DISABLEPOLICYCHECKS}" = "x"; then
	if test "x${THREESCALE_ENABLED}" == "xtrue"; then
	DISABLEPOLICYCHECKS="false"
	else
	DISABLEPOLICYCHECKS="true"
	fi
	fi
	cat >> crv3.yaml <<- EOF
	apiVersion: istio.openshift.com/v1alpha3
	kind: ControlPlane
	metadata:
	name: basic-install
	spec:
	istio:
	global:
	tag: ${MAISTRA_VERSION}
	mtls:
	enabled: ${AUTHN}
	disablePolicyChecks: ${DISABLEPOLICYCHECKS}
	policyCheckFailOpen: ${POLICYCHECKFAILOPEN:-false}
	proxy:
	# constrain resources for use in smaller environments
	resources:
	requests:
	cpu: ${PROXY_MIN_CPU:-100m}
	memory: ${PROXY_MIN_MEM:-128Mi}
	limits:
	cpu: ${PROXY_MAX_CPU:-500m}
	memory: ${PROXY_MAX_MEM:-128Mi}
	gateways:
	istio-egressgateway:
	# disable autoscaling for use in smaller environments
	autoscaleEnabled: ${EGRESS_AUTOSCALE:-false}
	autoscaleMin: ${EGRESS_AUTOSCALE_MIN:-1}
	autoscaleMax: ${EGRESS_AUTOSCALE_MAX:-5}
	istio-ingressgateway:
	# disable autoscaling for use in smaller environments
	autoscaleEnabled: ${INGRESS_AUTOSCALE:-false}
	autoscaleMin: ${INGRESS_AUTOSCALE_MIN:-1}
	autoscaleMax: ${INGRESS_AUTOSCALE_MAX:-5}
	# set to true to enable IOR - Istio routes auto enabled in Openshift
	ior_enabled: ${IOR_ENABLED:-false}
	mixer:
	enabled: ${MIXER_ENABLED:-true}
	policy:
	# disable autoscaling for use in smaller environments
	autoscaleEnabled: ${POLICY_AUTOSCALE:-false}
	# resource constraints are not documented for policy, maybe not implemented
	resources:
	requests:
	cpu: ${POLICY_MIN_CPU:-100m}
	memory: ${POLICY_MIN_MEM:-1G}
	limits:
	cpu: ${POLICY_MAX_CPU:-500m}
	memory: ${POLICY_MAX_MEM:-4G}

	telemetry:
	# disable autoscaling for use in smaller environments
	autoscaleEnabled: ${TELEMETRY_AUTOSCALE:-false}
	# constrain resources for use in smaller environments
	resources:
	requests:
	cpu: ${TELEMETRY_MIN_CPU:-100m}
	memory: ${TELEMETRY_MIN_MEM:-1G}
	limits:
	cpu: ${TELEMETRY_MAX_CPU:-500m}
	memory: ${TELEMETRY_MAX_MEM:-4G}

	pilot:
	# disable autoscaling for use in smaller environments
	autoscaleEnabled: ${PILOT_AUTOSCALE:-false}
	# increase random sampling rate for development/testing
	traceSampling: ${PILOT_SAMPLING_RATE:-100.0}
	resources:
	requests:
	cpu: ${PILOT_MIN_CPU:-100m}
	memory: ${PILOT_MIN_MEM:-1G}
	# Limits are not documented for pilot, maybe unimplemented
	limits:
	cpu: ${PILOT_MAX_CPU:-500m}
	memory: ${PILOT_MAX_MEM:-4G}

	kiali:
	enabled: ${KIALI_ENABLED:-true}
	${KIALI_TAG_YAML}
	dashboard:
	user: ${KIALI_USER}
	passphrase: ${KIALI_PASSWD}
	tracing:
	enabled: ${JAEGER_ENABLED}
	threescale:
	enabled: ${THREESCALE_ENABLED:-false}
	PARAM_THREESCALE_LISTEN_ADDR: 3333
	PARAM_THREESCALE_LOG_LEVEL: info
	PARAM_THREESCALE_LOG_JSON: true
	PARAM_THREESCALE_REPORT_METRICS: true
	PARAM_THREESCALE_METRICS_PORTL: 8080
	PARAM_THREESCALE_CACHE_TTL_SECONDS: 300
	PARAM_THREESCALE_CACHE_REFRESH_SECONDS: 180
	PARAM_THREESCALE_CACHE_ENTRIES_MAX: 1000
	PARAM_THREESCALE_CACHE_REFRESH_RETRIES: 1
	PARAM_THREESCALE_ALLOW_INSECURE_CONN: ${THREESCALE_ALLOW_INSECURE_CONN:-false}
	PARAM_THREESCALE_CLIENT_TIMEOUT_SECONDS: 10
	launcher:
	enabled: false
	LAUNCHER_MISSIONCONTROL_GITHUB_USERNAME: ${GH_USER}
	LAUNCHER_MISSIONCONTROL_GITHUB_TOKEN: ${GH_TOKEN}
	${CATALOG_VERSION_YAML2}
	EOF

	echo "[II] Running the installation operator"
	istiooc -n istio-operator create -f crv1.yaml

	echo "[II] Listing (again) logs for istio-operator pod"
	istio_operator_logs
	if ! istio_operator_logs \| grep -q "Installing istio for Installation istio-installation"; then
	echo >&2 "[WW] Seems like the istio-operator pod has not started the installation"
	else
	echo "[II] Istio operator has started the installation."
	fi

	sleep 10
	echo "[II] Initial logs from the istio installer job (container creation might still be taking place)"
	istio_installer_logs \|\| true

	echo "[II] Watching istio-system pods, hit CTRL+C when openshift-ansible-istio-installer-job is completed"
	istiooc -n istio-system get pods -w \|\| true

	echo "[II] Logs from the istio installer job can be shown with:"
	echo "istiooc logs -n istio-system $(istio_installer_job_pod)"
	#istio_installer_logs
	if test "x${THREESCALE_ENABLED}" = "xtrue"; then
	echo "[II] Enabling policy checks in mixer (needed by the 3scale adapter)"
	istiooc -n istio-system get cm istio -o yaml \| sed -E -e '/disablePolicyChecks:/{$!{N;s/(disablePolicyChecks:\s\n?\s)true/\1false/;ty;P;D;:y}}' \| istiooc -n istio-system apply -f -
	fi
	echo "[II] Script completed."
	#!/bin/bash -e

	OKD_PATH=/var/lib/origin
	OKD_CONFIG_PATH="${OKD_PATH}/openshift.local.config"

	if test -x "$(pwd)/istiooc"; then
	ISTIOOC=$(pwd)/istiooc
	FILES_HOME="$(pwd)"
	else
	ISTIOOC=${HOME}/istiooc
	FILES_HOME="${HOME}"
	fi

	istiooc()
	{
	${ISTIOOC} "${@}"
	}

	umount_stuff()
	{
	mount \| grep -P "(openshift\|docker)" \| cut -d' ' -f 3 \| xargs umount
	}

	remove_stuff()
	{
	rm -rf ~/.kube ~/openshift.local.clusterup/ /etc/docker/ /etc/sysconfig/docker-storage.rpmsave /var/lib/docker/ \
	"${OKD_PATH}" ./istiooc ./oc "${files_dir}/istiooc" "${files_dir}/oc" "${files_dir}/crv1.yaml" \
	"${files_dir}"/*.{crt,csr,key} "${files_dir}/cluster_up_cmd.sh"
	}

	stop_docker()
	{
	systemctl stop docker
	}

	remove_docker()
	{
	yum remove -y docker && yum autoremove -y
	}

	cluster_down()
	{
	istiooc cluster down
	}

	echo "[II] Running cluster down"
	cluster_down
	echo "[II] Stopping the docker service"
	stop_docker
	echo "[II] Unmounting openshift/docker mount points"
	umount_stuff \|\| {
	# this seems to work
	echo "[II] Retrying the unmounting process"
	sleep 5
	umount_stuff
	}
	echo "[II] Removing docker"
	remove_docker
	echo "[II] Removing leftover files"
	remove_stuff
	echo "[II] Process completed."