Created
March 14, 2018 21:33
-
-
Save jamesfalkner/ff51aa7e259d9f9c02fd79be757ef12c to your computer and use it in GitHub Desktop.
Hack to install istio to OpenShift and deploy coolstore-microservice as an istio service mesh
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #!/bin/bash | |
| # This script will install istio and the coolstore-microservice demo as a service mesh. | |
| # It does everything as a cluster-admin user because istio (the project) still needs it to | |
| # work. Future versions will not require so many permissions! | |
| # | |
| # Maintainer: James Falkner <[email protected]> | |
| # | |
| # Prereqs: | |
| # | |
| # internet connection (github.com, istio.io, and more) | |
| # OpenShift 3.9.x with 10G total memory across cluster | |
| # development tools: git, mvn, java (compiler), oc | |
| # Patience | |
| # | |
| # Version of Istio to use | |
| ISTIO_VERSION=0.6.0 | |
| # DO NOT CHANGE THIS. Istio hard-codes this currently. Name of project to house istio. | |
| ISTIO_PROJECT=istio-system | |
| # Name of project to house coolstore | |
| COOLSTORE_PROJECT=coolstore-mesh | |
| # Place to download istio and clone coolstore-microservice project | |
| PROJECT_DIR=${HOME}/coolstore-istio | |
| # Make sure you're logged in as an admin user. | |
| # e.g. "oc login -u admin -p admin" | |
| if ! oc get clusterrolebindings cluster-admin ; then | |
| echo "you dont appear to have cluster-admin privileges, so sorry!" | |
| exit 1 | |
| fi | |
| # install jboss and fuse imagestreams to the openshift namespace | |
| oc create -n openshift -f https://raw.githubusercontent.com/jboss-fuse/application-templates/master/fis-image-streams.json | |
| oc create -n openshift -f https://raw.githubusercontent.com/jboss-openshift/application-templates/master/jboss-image-streams.json | |
| # download istio into project dir | |
| mkdir -p $PROJECT_DIR | |
| cd $PROJECT_DIR | |
| curl -kL https://git.io/getLatestIstio | sed 's/curl/curl -k /g' | ISTIO_VERSION=${ISTIO_VERSION} sh - | |
| ISTIO_HOME=${PROJECT_DIR}/istio-${ISTIO_VERSION} | |
| export PATH="$PATH:${ISTIO_HOME}/bin" | |
| # setup permissions for istio | |
| oc new-project ${ISTIO_PROJECT} | |
| oc adm policy add-scc-to-user anyuid -z istio-ingress-service-account | |
| oc adm policy add-scc-to-user privileged -z istio-ingress-service-account | |
| oc adm policy add-scc-to-user anyuid -z istio-egress-service-account | |
| oc adm policy add-scc-to-user privileged -z istio-egress-service-account | |
| oc adm policy add-scc-to-user anyuid -z istio-pilot-service-account | |
| oc adm policy add-scc-to-user privileged -z istio-pilot-service-account | |
| oc adm policy add-scc-to-user anyuid -z istio-grafana-service-account | |
| oc adm policy add-scc-to-user anyuid -z istio-prometheus-service-account | |
| oc adm policy add-scc-to-user anyuid -z prometheus | |
| oc adm policy add-scc-to-user privileged -z prometheus | |
| oc adm policy add-scc-to-user anyuid -z grafana | |
| oc adm policy add-scc-to-user privileged -z grafana | |
| oc adm policy add-scc-to-user anyuid -z default | |
| oc adm policy add-scc-to-user privileged -z default | |
| oc adm policy add-cluster-role-to-user cluster-admin -z default | |
| # install istio components | |
| cd ${ISTIO_HOME} | |
| oc apply -f install/kubernetes/istio.yaml | |
| oc create -f install/kubernetes/addons/prometheus.yaml | |
| oc create -f install/kubernetes/addons/grafana.yaml | |
| oc create -f install/kubernetes/addons/servicegraph.yaml | |
| oc apply -f https://raw.githubusercontent.com/jaegertracing/jaeger-kubernetes/master/all-in-one/jaeger-all-in-one-template.yml | |
| # expose all the istio services | |
| oc expose svc grafana | |
| oc expose svc servicegraph | |
| oc expose svc jaeger-query | |
| oc expose svc istio-ingress | |
| oc expose svc prometheus | |
| # create new project to house coolstore mesh | |
| oc new-project $COOLSTORE_PROJECT | |
| # set permissions to allow proxies to reconfigure networking | |
| oc adm policy add-scc-to-user privileged -z default | |
| oc adm policy add-scc-to-user anyuid -z default | |
| # clone coolstore-microservice repo | |
| cd $PROJECT_DIR | |
| git clone http://github.com/jbossdemocentral/coolstore-microservice | |
| # manually inject sidecars to all pods and build/deploy | |
| oc process -f coolstore-microservice/openshift/coolstore-template.yaml | istioctl kube-inject -f - | oc apply -f - | |
| # At this point coolstore-microservice will start building and deploying. | |
| # cancel and then pause all deployments as we'll be updating them (they would fail otherwise) | |
| for i in $(oc get dc -o name) ; do | |
| oc rollout cancel $i | |
| oc rollout pause $i | |
| done | |
| # ensure all service ports are named ("http") so they can be routed correctly by istio | |
| for i in $(oc get svc -o name) ; do | |
| PATCH=$(mktemp) | |
| cat <<EOF > $PATCH | |
| spec: | |
| ports: | |
| - name: http | |
| port: 8080 | |
| protocol: TCP | |
| targetPort: http | |
| EOF | |
| oc patch $i -p "$(cat $PATCH)" | |
| rm -f $PATCH | |
| done | |
| # patch deployments: | |
| # - to sleep 5 seconds before actually deploying to workaround istio proxy networking bug | |
| # - add service version for istio intelligent routing | |
| # - name http ports for routing | |
| for i in $(oc get dc -o name) ; do | |
| oc label $i version=v1 | |
| DCNAME=$(echo $i | cut -d'/' -f 2) | |
| PATCH=$(mktemp) | |
| cat <<EOF > $PATCH | |
| spec: | |
| strategy: | |
| customParams: | |
| command: | |
| - /bin/sh | |
| - '-c' | |
| - 'sleep 5; echo slept for 5; /usr/bin/openshift-deploy' | |
| template: | |
| metadata: | |
| labels: | |
| version: v1 | |
| spec: | |
| containers: | |
| - name: $DCNAME | |
| ports: | |
| - containerPort: 8080 | |
| name: http | |
| protocol: TCP | |
| EOF | |
| oc patch $i -p "$(cat $PATCH)" | |
| rm -f $PATCH | |
| done | |
| # scale up ratings and reviews and pricing (they are set to 0 by default to save resources) | |
| for i in rating rating-mongodb review review-postgresql pricing ; do | |
| oc scale --replicas=1 dc $i | |
| done | |
| # build a modified jboss-eap builder image so that EAP binds to 0.0.0.0, working around an EAP-on-openshift | |
| # bug! | |
| cat <<EOF | oc new-build --name inventory-builder -D - | |
| FROM registry.access.redhat.com/jboss-eap-7/eap70-openshift:1.6 | |
| RUN sed -i 's/JBOSS_HA_ARGS="-b \${IP_ADDR}/JBOSS_HA_ARGS="-b 0.0.0.0/' /opt/eap/bin/launch/ha.sh | |
| EOF | |
| for i in {1..200}; do oc logs -f bc/inventory-builder && break || sleep 1; done | |
| # reconfigure inventory build to use new image, which will trigger new build/deployment | |
| oc new-build --name inventory-hack --to='inventory:latest' ${COOLSTORE_PROJECT}/inventory-builder~https://github.com/jbossdemocentral/coolstore-microservice --context-dir=inventory-service | |
| for i in {1..200}; do oc logs -f bc/inventory-hack && break || sleep 1; done | |
| # fix fuse to propogate B3 tracing headers by hacking the source code and re-building the service | |
| # from the local system using java and maven (which will pull down tons of dependencies if you haven't | |
| # done this before, so be patient!) | |
| sed -i.bak 's/return original;/original.getOut().setHeaders(original.getIn().getHeaders()); return original;/g' \ | |
| $PROJECT_DIR/coolstore-microservice/coolstore-gw/src/main/java/com/redhat/coolstore/api_gateway/ProductGateway.java | |
| mvn -f $PROJECT_DIR/coolstore-microservice/coolstore-gw clean package -DskipTests -Dfabric8.skip -e -B -Pearly-access-repo | |
| oc new-build --name coolstore-gw-hack --to='coolstore-gw:latest' --image fis-java-openshift:2.0 --strategy source --binary | |
| oc start-build coolstore-gw-hack --from-file=${PROJECT_DIR}/coolstore-microservice/coolstore-gw/target/coolstore-gw.jar --follow | |
| # un-pause and re-trigger all deployments | |
| for i in $(oc get dc -o name) ; do | |
| oc rollout resume $i | |
| oc rollout latest $i | |
| done | |
| # add istio ingress | |
| cat <<EOF | oc create -f - | |
| apiVersion: extensions/v1beta1 | |
| kind: Ingress | |
| metadata: | |
| name: coolstore-ingress | |
| annotations: | |
| kubernetes.io/ingress.class: "istio" | |
| spec: | |
| backend: | |
| serviceName: web-ui | |
| servicePort: http | |
| rules: | |
| - http: | |
| paths: | |
| - path: /api/* | |
| backend: | |
| serviceName: coolstore-gw | |
| servicePort: http | |
| EOF | |
| oc get pods --show-all=false | |
| # get URL to services to load in your web browser | |
| echo | |
| echo | |
| echo ----------------------------------------- | |
| echo "Done! You should now wait a bit for everything to come up, then hit these URLs with your browser:" | |
| echo ----------------------------------------- | |
| echo "Primary web frontend URL: http://$(oc get route istio-ingress -n ${ISTIO_PROJECT} --template='{{ .spec.host }}')" | |
| echo "D3 force layout service graph: http://$(oc get route servicegraph -n ${ISTIO_PROJECT} --template='{{ .spec.host }}')/force/forcegraph.html?time_horizon=5m&filter_empty=true" | |
| echo "Example Prometheus query: http://$(oc get route prometheus -n ${ISTIO_PROJECT} --template='{{ .spec.host }}')/graph?g0.range_input=30m&g0.expr=istio_request_count&g0.tab=0" | |
| echo "Grafana Istio Dashboard: http://$(oc get route grafana -n ${ISTIO_PROJECT} --template='{{ .spec.host }}')/d/1/istio-dashboard?refresh=5s&orgId=1" | |
| echo "Jaeger Tracing Console: http://$(oc get route jaeger-query -n ${ISTIO_PROJECT} --template='{{ .spec.host }}')" | |
| echo | |
| echo |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
@jamesfalkner What repo do we need to have checked out to run this script inside it for deployment?