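# Istio release whose Helm chart repository is added further down.
ISTIO_VERSION="1.1.8"
# Kiali dashboard login. "admin"/"admin" remains only as this script's historical
# default: export KIALI_USERNAME and KIALI_PASSPHRASE with real values before
# running it on any cluster where other users can reach the Kiali dashboard.
KIALI_USERNAME="${KIALI_USERNAME:-admin}"
KIALI_PASSPHRASE="${KIALI_PASSPHRASE:-admin}"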
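# Patch the OpenShift master config so the API server loads the
# MutatingAdmissionWebhook and ValidatingAdmissionWebhook admission plugins.
# Once these are on, registered webhooks can rewrite or reject API objects, so
# the right to register a webhook should be treated as privileged.
# The delimiter is quoted so the shell expands nothing inside the patch body.
cat << 'EOF' > /etc/origin/master/master-config.patch
admissionConfig:
  pluginConfig:
    MutatingAdmissionWebhook:
      configuration:
        apiVersion: apiserver.config.k8s.io/v1alpha1
        kubeConfigFile: /dev/null
        kind: WebhookAdmission
    ValidatingAdmissionWebhook:
      configuration:
        apiVersion: apiserver.config.k8s.io/v1alpha1
        kubeConfigFile: /dev/null
        kind: WebhookAdmission
EOF
cd /etc/origin/master/ || exit 1
# Keep the pre-patch configuration for rollback.
cp -p master-config.yaml master-config.yaml.prepatch
# Render into a scratch file first: redirecting straight into master-config.yaml
# would truncate the live config if the patch command fails.
if oc ex config patch master-config.yaml.prepatch -p "$(cat master-config.patch)" > master-config.yaml.new; then
  # Overwrite in place so the file keeps its owner, mode and security context.
  cat master-config.yaml.new > master-config.yaml
  rm -f master-config.yaml.new
else
  echo "master-config patch failed; master-config.yaml left unchanged" >&2
  rm -f master-config.yaml.new
  exit 1
fi
master-restart api
master-restart controllers
# Presumably gives the restarted master components time to come back; then
# return to the home directory.
sleep 60 && cd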
# Grant the anyuid SCC to every service account the Istio charts use in
# istio-system. anyuid lets a pod run as any UID, root included, and the
# "default" entry extends that to every pod in the namespace that does not name
# its own service account, so keep unrelated workloads out of istio-system.
for istio_sa in \
  istio-ingress-service-account \
  default \
  prometheus \
  istio-egressgateway-service-account \
  istio-citadel-service-account \
  istio-ingressgateway-service-account \
  istio-cleanup-old-ca-service-account \
  istio-mixer-post-install-account \
  istio-mixer-service-account \
  istio-pilot-service-account \
  istio-sidecar-injector-service-account \
  istio-galley-service-account \
  istio-security-post-install-account
do
  oc adm policy add-scc-to-user anyuid -z "$istio_sa" -n istio-system
done
# Persist the mmap-count limit in a sysctl drop-in named for Elasticsearch.
# Only the file is written here; nothing in this script loads it into the
# running kernel.
printf '%s\n' 'vm.max_map_count = 262144' > /etc/sysctl.d/99-elasticsearch.conf
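# Create value.yaml: Helm overrides that switch on the sidecar injector webhook,
# Grafana, tracing and Kiali, and point Kiali at the in-cluster Jaeger and
# Grafana services. The nesting below is required: "enabled" must sit under each
# component key and the URLs under kiali.dashboard.
# The delimiter is quoted so the shell expands nothing inside the values file.
cat << 'EOF' > value.yaml
sidecarInjectorWebhook:
  enabled: true
grafana:
  enabled: true
#
# addon jaeger tracing configuration
#
tracing:
  enabled: true
#
# addon kiali tracing configuration
#
kiali:
  enabled: true
  dashboard:
    jaegerURL: http://jaeger-query:16686
    grafanaURL: http://grafana:3000
EOF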
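echo "Install helm command"
# Download the installer to a private temp file instead of piping curl into
# bash: -f turns an HTTP error into a failed step rather than feeding an error
# page to the shell, and the saved script can be inspected (or checked against a
# known-good copy) before it runs with this script's privileges.
helm_installer="$(mktemp)" || exit 1
curl -fsSL https://git.io/get_helm.sh -o "$helm_installer" || exit 1
bash "$helm_installer"
rm -f "$helm_installer"
echo "Install service account for tiller"
# This manifest is fetched from a branch, so its content can change over time.
# Review what role it binds to the tiller service account before applying it.
kubectl apply -f https://raw.githubusercontent.com/istio/istio/release-1.1/install/kubernetes/helm/helm-service-account.yaml
echo "Initail helm"
# --wait blocks until Tiller is ready, so the helm commands below do not race
# the Tiller deployment.
helm init --service-account tiller --wait
echo "Add istio repo to helm"
helm repo add istio.io "https://storage.googleapis.com/istio-release/releases/$ISTIO_VERSION/charts/"
echo "Install istio init"
helm install --name istio-init --namespace istio-system istio.io/istio-init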
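# Base64-encode the Kiali credentials for the Secret's data fields.
# printf '%s' replaces echo so no trailing newline is encoded into the stored
# value, and tr removes the line wrapping base64 adds to long input.
# Base64 is an encoding, not encryption: anyone who can read this Secret can
# recover the passphrase.
KUSER=$(printf '%s' "$KIALI_USERNAME" | base64 | tr -d '\n')
KPASS=$(printf '%s' "$KIALI_PASSPHRASE" | base64 | tr -d '\n')
# The delimiter stays unquoted because $KUSER and $KPASS must expand.
cat <<EOF | kubectl apply -f -
apiVersion: v1
kind: Secret
metadata:
  name: kiali
  namespace: istio-system
  labels:
    app: kiali
type: Opaque
data:
  username: $KUSER
  passphrase: $KPASS
EOF
echo "Install istio"
# Install the main chart with the overrides written to value.yaml.
helm install --name istio --namespace istio-system -f value.yaml istio.io/istio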
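# Write and apply three cluster-scoped RBAC objects for Kiali:
#   1. ClusterRole kiali-viewer-istio-system: read-only (get/list/watch) rules.
#   2. ClusterRole kiali-istio-system: the same reads plus create/delete/patch
#      on the config, networking, authentication and rbac Istio API groups.
#   3. ClusterRoleBinding that gives role 2 to kiali-service-account.
# Because the binding uses the read-write role, whoever can act through the
# Kiali service account (including via the dashboard login) can change mesh
# routing and authentication/authorization policy in every namespace.
# The manifest is staged under a fixed name in /tmp; on a shared host, stage it
# in a private directory instead.
# The delimiter is quoted so the shell expands nothing inside the manifest.
cat << 'EOF' > /tmp/patch-role.yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  labels:
    app: kiali
    chart: kiali
    heritage: Tiller
    release: istio
  name: kiali-viewer-istio-system
rules:
  - apiGroups:
      - ""
    resources:
      - configmaps
      - endpoints
      - namespaces
      - nodes
      - pods
      - pods/log
      - services
      - replicationcontrollers
    verbs:
      - get
      - list
      - watch
  - apiGroups:
      - extensions
      - apps
    resources:
      - deployments
      - statefulsets
      - replicasets
    verbs:
      - get
      - list
      - watch
  - apiGroups:
      - autoscaling
    resources:
      - horizontalpodautoscalers
    verbs:
      - get
      - list
      - watch
  - apiGroups:
      - batch
    resources:
      - cronjobs
      - jobs
    verbs:
      - get
      - list
      - watch
  - apiGroups:
      - project.openshift.io
    resources:
      - projects
    verbs:
      - get
  - apiGroups:
      - route.openshift.io
    resources:
      - routes
    verbs:
      - get
  - apiGroups:
      - ""
    resources:
      - routes
    verbs:
      - get
  - apiGroups:
      - apps.openshift.io
    resources:
      - deploymentconfigs
    verbs:
      - get
      - list
      - watch
  - apiGroups:
      - config.istio.io
    resources:
      - apikeys
      - authorizations
      - checknothings
      - circonuses
      - deniers
      - fluentds
      - handlers
      - kubernetesenvs
      - kuberneteses
      - listcheckers
      - listentries
      - logentries
      - memquotas
      - metrics
      - opas
      - prometheuses
      - quotas
      - quotaspecbindings
      - quotaspecs
      - rbacs
      - reportnothings
      - rules
      - servicecontrolreports
      - servicecontrols
      - solarwindses
      - stackdrivers
      - statsds
      - stdios
    verbs:
      - get
      - list
      - watch
  - apiGroups:
      - networking.istio.io
    resources:
      - destinationrules
      - gateways
      - serviceentries
      - virtualservices
    verbs:
      - get
      - list
      - watch
  - apiGroups:
      - authentication.istio.io
    resources:
      - policies
      - meshpolicies
    verbs:
      - get
      - list
      - watch
  - apiGroups:
      - rbac.istio.io
    resources:
      - clusterrbacconfigs
      - rbacconfigs
      - serviceroles
      - servicerolebindings
    verbs:
      - get
      - list
      - watch
  - apiGroups:
      - monitoring.kiali.io
    resources:
      - monitoringdashboards
    verbs:
      - get
---
apiVersion: authorization.openshift.io/v1
kind: ClusterRole
metadata:
  labels:
    app: kiali
    chart: kiali
    heritage: Tiller
    release: istio
  name: kiali-istio-system
rules:
  - apiGroups:
      - ""
    attributeRestrictions: null
    resources:
      - configmaps
      - endpoints
      - namespaces
      - nodes
      - pods
      - pods/log
      - replicationcontrollers
      - services
    verbs:
      - get
      - list
      - watch
  - apiGroups:
      - extensions
      - apps
    attributeRestrictions: null
    resources:
      - deployments
      - replicasets
      - statefulsets
    verbs:
      - get
      - list
      - watch
  - apiGroups:
      - autoscaling
    attributeRestrictions: null
    resources:
      - horizontalpodautoscalers
    verbs:
      - get
      - list
      - watch
  - apiGroups:
      - batch
    attributeRestrictions: null
    resources:
      - cronjobs
      - jobs
    verbs:
      - get
      - list
      - watch
  - apiGroups:
      - project.openshift.io
    attributeRestrictions: null
    resources:
      - projects
    verbs:
      - get
  - apiGroups:
      - route.openshift.io
    attributeRestrictions: null
    resources:
      - routes
    verbs:
      - get
  - apiGroups:
      - ""
    attributeRestrictions: null
    resources:
      - routes
    verbs:
      - get
  - apiGroups:
      - apps.openshift.io
    attributeRestrictions: null
    resources:
      - deploymentconfigs
    verbs:
      - get
      - list
      - watch
  - apiGroups:
      - config.istio.io
    attributeRestrictions: null
    resources:
      - apikeys
      - authorizations
      - checknothings
      - circonuses
      - deniers
      - fluentds
      - handlers
      - kubernetesenvs
      - kuberneteses
      - listcheckers
      - listentries
      - logentries
      - memquotas
      - metrics
      - opas
      - prometheuses
      - quotas
      - quotaspecbindings
      - quotaspecs
      - rbacs
      - reportnothings
      - rules
      - solarwindses
      - stackdrivers
      - statsds
      - stdios
    verbs:
      - create
      - delete
      - get
      - list
      - patch
      - watch
  - apiGroups:
      - networking.istio.io
    attributeRestrictions: null
    resources:
      - destinationrules
      - gateways
      - serviceentries
      - virtualservices
    verbs:
      - create
      - delete
      - get
      - list
      - patch
      - watch
  - apiGroups:
      - authentication.istio.io
    attributeRestrictions: null
    resources:
      - meshpolicies
      - policies
    verbs:
      - create
      - delete
      - get
      - list
      - patch
      - watch
  - apiGroups:
      - rbac.istio.io
    attributeRestrictions: null
    resources:
      - clusterrbacconfigs
      - rbacconfigs
      - servicerolebindings
      - serviceroles
    verbs:
      - create
      - delete
      - get
      - list
      - patch
      - watch
  - apiGroups:
      - monitoring.kiali.io
    attributeRestrictions: null
    resources:
      - monitoringdashboards
    verbs:
      - get
---
apiVersion: authorization.openshift.io/v1
groupNames: null
kind: ClusterRoleBinding
metadata:
  labels:
    app: kiali
    chart: kiali
    heritage: Tiller
    release: istio
  name: istio-kiali-admin-role-binding-istio-system
roleRef:
  name: kiali-istio-system
subjects:
  - kind: ServiceAccount
    name: kiali-service-account
    namespace: istio-system
userNames:
  - system:serviceaccount:istio-system:kiali-service-account
EOF
oc apply -f /tmp/patch-role.yaml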
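# Read-only ClusterRole for Kiali: every rule grants get/list/watch or get only.
# The last-applied-configuration annotation is bookkeeping that kubectl apply
# maintains; it is kept as a single-line JSON value inside the block scalar.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  annotations:
    kubectl.kubernetes.io/last-applied-configuration: |
      {"apiVersion":"rbac.authorization.k8s.io/v1","kind":"ClusterRole","metadata":{"annotations":{"maistra.io/mesh-generation":"1"},"labels":{"app":"kiali","chart":"kiali","heritage":"Tiller","maistra-version":"0.11.0","maistra.io/owner":"istio-system","release":"istio"},"name":"kiali-viewer-istio-system"},"rules":[{"apiGroups":[""],"resources":["configmaps","endpoints","namespaces","nodes","pods","pods/log","services","replicationcontrollers"],"verbs":["get","list","watch"]},{"apiGroups":["extensions","apps"],"resources":["deployments","statefulsets","replicasets"],"verbs":["get","list","watch"]},{"apiGroups":["autoscaling"],"resources":["horizontalpodautoscalers"],"verbs":["get","list","watch"]},{"apiGroups":["batch"],"resources":["cronjobs","jobs"],"verbs":["get","list","watch"]},{"apiGroups":["project.openshift.io"],"resources":["projects"],"verbs":["get"]},{"apiGroups":["route.openshift.io"],"resources":["routes"],"verbs":["get"]},{"apiGroups":[""],"resources":["routes"],"verbs":["get"]},{"apiGroups":["apps.openshift.io"],"resources":["deploymentconfigs"],"verbs":["get","list","watch"]},{"apiGroups":["config.istio.io"],"resources":["apikeys","authorizations","checknothings","circonuses","deniers","fluentds","handlers","kubernetesenvs","kuberneteses","listcheckers","listentries","logentries","memquotas","metrics","opas","prometheuses","quotas","quotaspecbindings","quotaspecs","rbacs","reportnothings","rules","servicecontrolreports","servicecontrols","solarwindses","stackdrivers","statsds","stdios"],"verbs":["get","list","watch"]},{"apiGroups":["networking.istio.io"],"resources":["destinationrules","gateways","serviceentries","virtualservices"],"verbs":["get","list","watch"]},{"apiGroups":["authentication.istio.io"],"resources":["policies","meshpolicies"],"verbs":["get","list","watch"]},{"apiGroups":["rbac.istio.io"],"resources":["clusterrbacconfigs","rbacconfigs","serviceroles","servicerolebindings"],"verbs":["get","list","watch"]},{"apiGroups":["monitoring.kiali.io"],"resources":["monitoringdashboards"],"verbs":["get"]}]}
  labels:
    app: kiali
    chart: kiali
    heritage: Tiller
    release: istio
  name: kiali-viewer-istio-system
rules:
  - apiGroups:
      - ""
    resources:
      - configmaps
      - endpoints
      - namespaces
      - nodes
      - pods
      - pods/log
      - services
      - replicationcontrollers
    verbs:
      - get
      - list
      - watch
  - apiGroups:
      - extensions
      - apps
    resources:
      - deployments
      - statefulsets
      - replicasets
    verbs:
      - get
      - list
      - watch
  - apiGroups:
      - autoscaling
    resources:
      - horizontalpodautoscalers
    verbs:
      - get
      - list
      - watch
  - apiGroups:
      - batch
    resources:
      - cronjobs
      - jobs
    verbs:
      - get
      - list
      - watch
  - apiGroups:
      - project.openshift.io
    resources:
      - projects
    verbs:
      - get
  - apiGroups:
      - route.openshift.io
    resources:
      - routes
    verbs:
      - get
  - apiGroups:
      - ""
    resources:
      - routes
    verbs:
      - get
  - apiGroups:
      - apps.openshift.io
    resources:
      - deploymentconfigs
    verbs:
      - get
      - list
      - watch
  - apiGroups:
      - config.istio.io
    resources:
      - apikeys
      - authorizations
      - checknothings
      - circonuses
      - deniers
      - fluentds
      - handlers
      - kubernetesenvs
      - kuberneteses
      - listcheckers
      - listentries
      - logentries
      - memquotas
      - metrics
      - opas
      - prometheuses
      - quotas
      - quotaspecbindings
      - quotaspecs
      - rbacs
      - reportnothings
      - rules
      - servicecontrolreports
      - servicecontrols
      - solarwindses
      - stackdrivers
      - statsds
      - stdios
    verbs:
      - get
      - list
      - watch
  - apiGroups:
      - networking.istio.io
    resources:
      - destinationrules
      - gateways
      - serviceentries
      - virtualservices
    verbs:
      - get
      - list
      - watch
  - apiGroups:
      - authentication.istio.io
    resources:
      - policies
      - meshpolicies
    verbs:
      - get
      - list
      - watch
  - apiGroups:
      - rbac.istio.io
    resources:
      - clusterrbacconfigs
      - rbacconfigs
      - serviceroles
      - servicerolebindings
    verbs:
      - get
      - list
      - watch
  - apiGroups:
      - monitoring.kiali.io
    resources:
      - monitoringdashboards
    verbs:
      - get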
---
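# Cluster-wide binding of kiali-service-account (namespace istio-system) to the
# ClusterRole named kiali-istio-system. Check which verbs that role carries
# before applying: the binding is not limited to a single namespace.
apiVersion: authorization.openshift.io/v1
groupNames: null
kind: ClusterRoleBinding
metadata:
  annotations:
    kubectl.kubernetes.io/last-applied-configuration: |
      {"apiVersion":"rbac.authorization.k8s.io/v1","kind":"ClusterRoleBinding","metadata":{"annotations":{"maistra.io/mesh-generation":"1"},"labels":{"app":"kiali","chart":"kiali","heritage":"Tiller","maistra-version":"0.11.0","maistra.io/owner":"istio-system","release":"istio"},"name":"istio-kiali-admin-role-binding-istio-system"},"roleRef":{"apiGroup":"rbac.authorization.k8s.io","kind":"ClusterRole","name":"kiali-istio-system"},"subjects":[{"kind":"ServiceAccount","name":"kiali-service-account","namespace":"istio-system"}]}
  labels:
    app: kiali
    chart: kiali
    heritage: Tiller
    release: istio
  name: istio-kiali-admin-role-binding-istio-system
roleRef:
  name: kiali-istio-system
subjects:
  - kind: ServiceAccount
    name: kiali-service-account
    namespace: istio-system
userNames:
  - system:serviceaccount:istio-system:kiali-service-account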
---
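# Read-write ClusterRole for Kiali. Core, workload and OpenShift resources are
# read-only, but the config.istio.io, networking.istio.io,
# authentication.istio.io and rbac.istio.io rules add create/delete/patch, so a
# subject bound to this role can change mesh routing and security policy in
# every namespace.
# The last-applied-configuration annotation is bookkeeping that kubectl apply
# maintains; it is kept as a single-line JSON value inside the block scalar.
apiVersion: authorization.openshift.io/v1
kind: ClusterRole
metadata:
  annotations:
    kubectl.kubernetes.io/last-applied-configuration: |
      {"apiVersion":"rbac.authorization.k8s.io/v1","kind":"ClusterRole","metadata":{"annotations":{"maistra.io/mesh-generation":"1"},"labels":{"app":"kiali","chart":"kiali","heritage":"Tiller","maistra-version":"0.11.0","maistra.io/owner":"istio-system","release":"istio"},"name":"kiali-istio-system"},"rules":[{"apiGroups":[""],"resources":["configmaps","endpoints","namespaces","nodes","pods","pods/log","services","replicationcontrollers"],"verbs":["get","list","watch"]},{"apiGroups":["extensions","apps"],"resources":["deployments","statefulsets","replicasets"],"verbs":["get","list","watch"]},{"apiGroups":["autoscaling"],"resources":["horizontalpodautoscalers"],"verbs":["get","list","watch"]},{"apiGroups":["batch"],"resources":["cronjobs","jobs"],"verbs":["get","list","watch"]},{"apiGroups":["project.openshift.io"],"resources":["projects"],"verbs":["get"]},{"apiGroups":["route.openshift.io"],"resources":["routes"],"verbs":["get"]},{"apiGroups":[""],"resources":["routes"],"verbs":["get"]},{"apiGroups":["apps.openshift.io"],"resources":["deploymentconfigs"],"verbs":["get","list","watch"]},{"apiGroups":["config.istio.io"],"resources":["apikeys","authorizations","checknothings","circonuses","deniers","fluentds","handlers","kubernetesenvs","kuberneteses","listcheckers","listentries","logentries","memquotas","metrics","opas","prometheuses","quotas","quotaspecbindings","quotaspecs","rbacs","reportnothings","rules","solarwindses","stackdrivers","statsds","stdios"],"verbs":["create","delete","get","list","patch","watch"]},{"apiGroups":["networking.istio.io"],"resources":["destinationrules","gateways","serviceentries","virtualservices"],"verbs":["create","delete","get","list","patch","watch"]},{"apiGroups":["authentication.istio.io"],"resources":["policies","meshpolicies"],"verbs":["create","delete","get","list","patch","watch"]},{"apiGroups":["rbac.istio.io"],"resources":["clusterrbacconfigs","rbacconfigs","serviceroles","servicerolebindings"],"verbs":["create","delete","get","list","patch","watch"]},{"apiGroups":["monitoring.kiali.io"],"resources":["monitoringdashboards"],"verbs":["get"]}]}
    maistra.io/mesh-generation: "1"
  labels:
    app: kiali
    chart: kiali
    heritage: Tiller
    release: istio
  name: kiali-istio-system
rules:
  - apiGroups:
      - ""
    attributeRestrictions: null
    resources:
      - configmaps
      - endpoints
      - namespaces
      - nodes
      - pods
      - pods/log
      - replicationcontrollers
      - services
    verbs:
      - get
      - list
      - watch
  - apiGroups:
      - extensions
      - apps
    attributeRestrictions: null
    resources:
      - deployments
      - replicasets
      - statefulsets
    verbs:
      - get
      - list
      - watch
  - apiGroups:
      - autoscaling
    attributeRestrictions: null
    resources:
      - horizontalpodautoscalers
    verbs:
      - get
      - list
      - watch
  - apiGroups:
      - batch
    attributeRestrictions: null
    resources:
      - cronjobs
      - jobs
    verbs:
      - get
      - list
      - watch
  - apiGroups:
      - project.openshift.io
    attributeRestrictions: null
    resources:
      - projects
    verbs:
      - get
  - apiGroups:
      - route.openshift.io
    attributeRestrictions: null
    resources:
      - routes
    verbs:
      - get
  - apiGroups:
      - ""
    attributeRestrictions: null
    resources:
      - routes
    verbs:
      - get
  - apiGroups:
      - apps.openshift.io
    attributeRestrictions: null
    resources:
      - deploymentconfigs
    verbs:
      - get
      - list
      - watch
  - apiGroups:
      - config.istio.io
    attributeRestrictions: null
    resources:
      - apikeys
      - authorizations
      - checknothings
      - circonuses
      - deniers
      - fluentds
      - handlers
      - kubernetesenvs
      - kuberneteses
      - listcheckers
      - listentries
      - logentries
      - memquotas
      - metrics
      - opas
      - prometheuses
      - quotas
      - quotaspecbindings
      - quotaspecs
      - rbacs
      - reportnothings
      - rules
      - solarwindses
      - stackdrivers
      - statsds
      - stdios
    verbs:
      - create
      - delete
      - get
      - list
      - patch
      - watch
  - apiGroups:
      - networking.istio.io
    attributeRestrictions: null
    resources:
      - destinationrules
      - gateways
      - serviceentries
      - virtualservices
    verbs:
      - create
      - delete
      - get
      - list
      - patch
      - watch
  - apiGroups:
      - authentication.istio.io
    attributeRestrictions: null
    resources:
      - meshpolicies
      - policies
    verbs:
      - create
      - delete
      - get
      - list
      - patch
      - watch
  - apiGroups:
      - rbac.istio.io
    attributeRestrictions: null
    resources:
      - clusterrbacconfigs
      - rbacconfigs
      - servicerolebindings
      - serviceroles
    verbs:
      - create
      - delete
      - get
      - list
      - patch
      - watch
  - apiGroups:
      - monitoring.kiali.io
    attributeRestrictions: null
    resources:
      - monitoringdashboards
    verbs:
      - get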
#echo "Add neverInjectSelector to configmap"
# oc edit cm istio-sidecar-injector -n istio-system
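# Fragment of the sidecar injector's configuration, to be merged by hand.
# Each neverInjectSelector entry is a label selector; a pod that matches any of
# them is not given a sidecar. The three keys are OpenShift-set labels,
# presumably marking build, deployer and "oc run" pods (confirm on the cluster).
# The template body is not part of this fragment.
policy: enabled
neverInjectSelector:
  - matchExpressions:
      - {key: openshift.io/build.name, operator: Exists}
  - matchExpressions:
      - {key: openshift.io/deployer-pod-for.name, operator: Exists}
  - matchExpressions:
      - {key: openshift.io/oc-run-individual-pod, operator: Exists}
template: |-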