├── ABTesting.md
├── ApplyingRateLimits.md
├── CircuitBreaking.md
├── ControllingEgressTraffic.md
├── ControllingIngressTraffic.md
├── DeployingIstioWithMinishift.md
├── DeployingIstioWithOcclusterup.md
├── DeployingSampleApplication.md
├── FaultInjection.md
├── InstallInfrastructureComponents.md
├── InstallingIstioOnOpenShift.md
├── RequestRouting.md
├── RequestTimeOut.md
├── RulesPrecedence.md
├── UsingIstioSupportingServices.md
├── images
    ├── FaultWith10SDelay.jpeg
    ├── IstioIngress.jpeg
    ├── Jaeger_tracing_fault1.png
    ├── Jaeger_tracing_fault2.png
    ├── Prometheus_1.png
    ├── bookinfo_jaeger_1.png
    ├── bookinfo_jaeger_2.png
    ├── bookinfo_servicegraph_v1.png
    ├── grafana_1.png
    ├── grafana_2.png
    ├── jaeger_1.png
    ├── jaeger_timeout1.png
    ├── jaeger_timeout2.png
    ├── kiali.png
    ├── kialiServiceGraph.jpeg
    ├── kiali_ratings_fault.png
    ├── servicegraph.jpeg
    ├── servicegraph2.png
    ├── servicegraph3.png
    ├── servicegraph4.png
    └── servicegraph5.png
├── istio_installation.yaml
└── readme.md

/ABTesting.md:
--------------------------------------------------------------------------------
1 | # Traffic Shifting - AB testing
2 |
3 | In this lab, we will learn to shift a specific amount of traffic to a specific version of a service, not by changing code but just by using routing rules. Note that this feature is available in the OpenShift router by default. However, Istio enables this for services that may not have been exposed via the router.
4 |
5 | ### Pre-Requisites
6 |
7 | * A running Istio Cluster
8 | * Sample BookInfo Application deployed
9 | * Destination rules created
10 |
11 | ## Traffic to V1
12 |
13 | Route all the traffic to version 1 by default, as before, by running
14 |
15 | ```
16 | kubectl apply -f samples/bookinfo/networking/virtual-service-all-v1.yaml
17 | ```
18 |
19 | On the Kiali Service Graph, click on the `Graph Settings` dropdown and select the check box to show `Request Percent of Total`. This will be useful for us to measure the amount of traffic flowing to a specific version.
20 |
21 | Use the application a few times to find **no stars** for ratings. Also check the Kiali service graph. You will notice that all the traffic is going to reviews version v1 as below.
22 |
23 | ![](./images/servicegraph2.png)
24 |
25 | ## AB Testing with 50% Split
26 |
27 | Now, we will replace the default routing rule for the reviews virtual service to share the traffic across versions reviews v1 (that does not connect to the ratings service) and reviews v3 (that connects to the ratings service and displays the stars in red).
28 |
29 | See the description of the virtual service for how it distributes the traffic between versions v1 and v3, 50% each.
30 |
31 | ```
32 | $ cat samples/bookinfo/networking/virtual-service-reviews-50-v3.yaml
33 | apiVersion: networking.istio.io/v1alpha3
34 | kind: VirtualService
35 | metadata:
36 |   name: reviews
37 | spec:
38 |   hosts:
39 |     - reviews
40 |   http:
41 |   - route:
42 |     - destination:
43 |         host: reviews
44 |         subset: v1
45 |       weight: 50
46 |     - destination:
47 |         host: reviews
48 |         subset: v3
49 |       weight: 50
50 | ```
51 |
52 | Now let's apply this routing rule by running
53 |
54 | ```
55 | kubectl apply -f samples/bookinfo/networking/virtual-service-reviews-50-v3.yaml
56 | ```
57 |
58 | Wait a few minutes until the service graph shows grey lines (0 requests/sec) everywhere. If you haven't used it in a while it will be all grey.
59 |
60 | Let's now test the app again by pumping some load
61 |
62 | ```
63 | export URL=$(kubectl get virtualservice bookinfo -o jsonpath='{.spec.hosts[0]}')
64 | ```
65 |
66 | Let us send 100 requests
67 | ```
68 | for i in {1..100}; do curl -o /dev/null -s -w "%{http_code}\n" http://${URL}/productpage; done
69 | ```
70 |
71 | > **Note** If you are using a header `Host: bookinfo1.istio.apps.devday.ocpcloud.com` then you would want to include the header in the curl as well, as shown below (substitute your own hostname)
72 | >`for i in {1..100}; do curl -o /dev/null -s -w "%{http_code}\n" -H "Host: bookinfo1.istio.apps.devday.ocpcloud.com" http://${URL}/productpage; done`
73 |
74 |
75 | Notice that the traffic is split approximately equally between reviews v1 and v3 on the service graph as shown below. There wouldn't be any traffic to reviews v2.
76 | ![](./images/servicegraph3.png)
77 |
78 | If you refresh the product page in the browser you will see **red stars** approximately 50% of the time. The other 50% of the time you will see **no stars**.
79 |
80 | ## 100% to V3
81 |
82 | Next let's apply the following rule to route the traffic to reviews v3 100% of the time
83 |
84 | ```
85 | kubectl apply -f samples/bookinfo/networking/virtual-service-reviews-v3.yaml
86 | ```
87 |
88 | Now you will see all the traffic going to reviews v3 and you will always see **red stars** on the page.
89 | ![](./images/servicegraph4.png)
90 |
91 | ### Cleanup
92 |
93 | To clean up, remove the routing rules by deleting the virtual services created earlier.
94 |
95 | ```
96 | kubectl delete -f samples/bookinfo/networking/virtual-service-all-v1.yaml
97 | ```
98 |
99 | ### Summary
100 | In this lab we observed how we can shift traffic by using traffic rules. The example above was AB Testing.
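
An added example, not part of the original lab: a Python check that the per-version request counts seen after the 100-request run are consistent with the weights in the `reviews` VirtualService, and that no traffic reaches a subset the rule does not list (such as v2). The dict mirrors the YAML shown in the lab; the observed counts, the function names and the 3-sigma threshold are constructed assumptions.

```python
import math

# Constructed input: the 50/50 rule from virtual-service-reviews-50-v3.yaml,
# written as the dict a YAML parser would produce.
VIRTUAL_SERVICE = {
    "apiVersion": "networking.istio.io/v1alpha3",
    "kind": "VirtualService",
    "metadata": {"name": "reviews"},
    "spec": {
        "hosts": ["reviews"],
        "http": [{"route": [
            {"destination": {"host": "reviews", "subset": "v1"}, "weight": 50},
            {"destination": {"host": "reviews", "subset": "v3"}, "weight": 50},
        ]}],
    },
}


def configured_weights(virtual_service):
    """Return {subset: weight} for the first HTTP route of a VirtualService."""
    routes = virtual_service["spec"]["http"][0]["route"]
    # A lone destination without an explicit weight receives all traffic.
    default = 100 if len(routes) == 1 else 0
    weights = {}
    for route in routes:
        subset = route["destination"].get("subset", "(no subset)")
        weights[subset] = weights.get(subset, 0) + route.get("weight", default)
    total = sum(weights.values())
    if total != 100:
        raise ValueError(f"route weights sum to {total}, expected 100")
    return weights


def check_split(weights, observed, z_limit=3.0):
    """Compare observed per-subset request counts with the configured weights.

    Returns a list of findings; an empty list means the observed split is
    consistent with the rule. A subset is flagged when it received traffic
    without a configured weight, or when its count is more than z_limit
    standard deviations away from the binomial expectation.
    """
    total = sum(observed.values())
    if total == 0:
        return ["no requests observed"]
    findings = []
    for subset, count in sorted(observed.items()):
        if count and not weights.get(subset):
            findings.append(
                f"{subset}: {count} requests reached a subset with no weight")
    for subset, weight in sorted(weights.items()):
        if weight == 0:
            continue  # already covered by the loop above
        p = weight / 100
        expected = total * p
        spread = math.sqrt(total * p * (1 - p))
        count = observed.get(subset, 0)
        if spread == 0:
            off = count != expected          # 100% rule: every request must match
        else:
            off = abs(count - expected) / spread > z_limit
        if off:
            findings.append(
                f"{subset}: saw {count} of {total}, expected about {expected:.0f}")
    return findings


if __name__ == "__main__":
    weights = configured_weights(VIRTUAL_SERVICE)
    # Constructed counts, e.g. read off the Kiali graph after the 100 requests.
    for sample in ({"v1": 47, "v3": 53}, {"v1": 46, "v2": 6, "v3": 48}):
        print(sample, "->", check_split(weights, sample) or "consistent")
```

With only 100 requests a 47/53 split is well within normal variation, which is why the lab describes the split as approximately equal.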

--------------------------------------------------------------------------------
/ApplyingRateLimits.md:
--------------------------------------------------------------------------------
1 | # Applying Rate Limits
2 |
3 | In this exercise we will test rate limiting a service by defining a rate limit handler. Assume that you want to allow a certain service to be used only 'n' number of times in a given period.
4 |
5 | ### Pre-requisites
6 | * A running Istio Cluster
7 | * Sample BookInfo Application deployed
8 | * Destination rules created
9 | * Create virtual services that would default to v1, i.e., `kubectl apply -f samples/bookinfo/networking/virtual-service-all-v1.yaml`
10 |
11 | ### Exercise
12 |
13 |
14 | ```
15 | $ cat samples/bookinfo/policy/mixer-rule-productpage-ratelimit.yaml
16 | apiVersion: "config.istio.io/v1alpha2"
17 | kind: memquota
18 | metadata:
19 |   name: handler
20 |   namespace: istio-system
21 | spec:
22 |   quotas:
23 |   - name: requestcount.quota.istio-system
24 |     maxAmount: 500
25 |     validDuration: 1s
26 |     # The first matching override is applied.
27 |     # A requestcount instance is checked against override dimensions.
28 |     overrides:
29 |     # The following override applies to 'reviews' regardless
30 |     # of the source.
31 |     - dimensions:
32 |         destination: reviews
33 |       maxAmount: 1
34 |       validDuration: 5s
35 |     # The following override applies to 'productpage' when
36 |     # the source is a specific ip address.
37 |     - dimensions:
38 |         destination: productpage
39 |         source: "10.28.11.20"
40 |       maxAmount: 500
41 |       validDuration: 1s
42 |     # The following override applies to 'productpage' regardless
43 |     # of the source.
44 |     - dimensions:
45 |         destination: productpage
46 |       maxAmount: 2
47 |       validDuration: 5s
48 | ---
49 | apiVersion: "config.istio.io/v1alpha2"
50 | kind: quota
51 | metadata:
52 |   name: requestcount
53 |   namespace: istio-system
54 | spec:
55 |   dimensions:
56 |     source: request.headers["x-forwarded-for"] | "unknown"
57 |     destination: destination.labels["app"] | destination.service | "unknown"
58 |     destinationVersion: destination.labels["version"] | "unknown"
59 | ---
60 | apiVersion: config.istio.io/v1alpha2
61 | kind: QuotaSpec
62 | metadata:
63 |   name: request-count
64 |   namespace: istio-system
65 | spec:
66 |   rules:
67 |   - quotas:
68 |     - charge: 1
69 |       quota: requestcount
70 | ---
71 | apiVersion: config.istio.io/v1alpha2
72 | kind: QuotaSpecBinding
73 | metadata:
74 |   name: request-count
75 |   namespace: istio-system
76 | spec:
77 |   quotaSpecs:
78 |   - name: request-count
79 |     namespace: istio-system
80 |   services:
81 |   - name: productpage
82 |     namespace: default
83 |     # - service: '*' # Uncomment this to bind *all* services to request-count
84 | ---
85 | apiVersion: config.istio.io/v1alpha2
86 | kind: rule
87 | metadata:
88 |   name: quota
89 | spec:
90 |   # quota only applies if you are not logged in.
91 |   # match: match(request.headers["cookie"], "user=*") == false
92 |   actions:
93 |   - handler: handler.memquota
94 |     instances:
95 |     - requestcount.quota
96 | ```
97 |
98 |
99 | ```
100 | $ kubectl apply -f samples/bookinfo/policy/mixer-rule-productpage-ratelimit.yaml
101 | memquota.config.istio.io/handler created
102 | quota.config.istio.io/requestcount created
103 | quotaspec.config.istio.io/request-count created
104 | quotaspecbinding.config.istio.io/request-count created
105 | rule.config.istio.io/quota created
106 | ```
107 |
108 |
109 | ```
110 | $ kubectl -n istio-system get memquota handler -o yaml
111 | apiVersion: config.istio.io/v1alpha2
112 | kind: memquota
113 | metadata:
114 |   annotations:
115 |     kubectl.kubernetes.io/last-applied-configuration: |
116 |       {"apiVersion":"config.istio.io/v1alpha2","kind":"memquota","metadata":{"annotations":{},"name":"handler","namespace":"istio-system"},"spec":{"quotas":[{"maxAmount":500,"name":"requestcount.quota.istio-system","overrides":[{"dimensions":{"destination":"reviews"},"maxAmount":1,"validDuration":"5s"},{"dimensions":{"destination":"productpage","source":"10.28.11.20"},"maxAmount":500,"validDuration":"1s"},{"dimensions":{"destination":"productpage"},"maxAmount":2,"validDuration":"5s"}],"validDuration":"1s"}]}}
117 |   clusterName: ""
118 |   creationTimestamp: 2018-10-16T17:46:13Z
119 |   generation: 1
120 |   name: handler
121 |   namespace: istio-system
122 |   resourceVersion: "15902"
123 |   selfLink: /apis/config.istio.io/v1alpha2/namespaces/istio-system/memquotas/handler
124 |   uid: 5fd5f613-d16b-11e8-bfea-625578ce8fcd
125 | spec:
126 |   quotas:
127 |   - maxAmount: 500
128 |     name: requestcount.quota.istio-system
129 |     overrides:
130 |     - dimensions:
131 |         destination: reviews
132 |       maxAmount: 1
133 |       validDuration: 5s
134 |     - dimensions:
135 |         destination: productpage
136 |         source: 10.28.11.20
137 |       maxAmount: 500
138 |       validDuration: 1s
139 |     - dimensions:
140 |         destination: productpage
141 |       maxAmount: 2
142 |       validDuration: 5s
143 |     validDuration: 1s
144 | ```
145 |
146 |
147 |
148 | Direct user Jason to reviews version v2 by running
149 |
150 | ```
151 | $ oc create -f samples/bookinfo/kube/route-rule-reviews-test-v2.yaml
152 | routerule "reviews-test-v2" created
153 | ```
154 |
155 | Direct all other users to reviews version v3
156 |
157 | ```
158 | $ oc replace -f samples/bookinfo/kube/route-rule-reviews-v3.yaml
159 | routerule "reviews-default" replaced
160 | ```
161 |
162 | Test the application in the browser. All the requests from Jason should show black stars for ratings. For any other user, it should show red stars.
163 |
164 | Now let's apply rate limits
165 |
166 | We will first define a memquota adapter with the following features:
167 | * Apply a default rate limit of 5000 queries per second (qps) for the ratings service
168 | * Apply just 1 query every 5s for the ratings v2 svc. This should give us enough time to test between the queries.
169 | So when the user "Jason" uses the system, the requests are directed to v2 and should be limited to 1 query per 5s
170 |
171 | The memquota adapter named handler is applied as shown below:
172 |
173 | ```
174 | $ cat < 8000/TCP 4m
91 | ```
92 |
93 | Now call the `httpbin` service from inside the client pod to observe that the request is successful.
94 |
95 | ```
96 | $ kubectl exec -it $FORTIO_POD -c fortio /usr/local/bin/fortio -- load -curl http://httpbin:8000/get
97 | HTTP/1.1 200 OK
98 | server: envoy
99 | date: Tue, 16 Oct 2018 18:07:24 GMT
100 | content-type: application/json
101 | access-control-allow-origin: *
102 | access-control-allow-credentials: true
103 | content-length: 934
104 | x-envoy-upstream-service-time: 17
105 |
106 | {
107 |   "args": {},
108 |   "headers": {
109 |     "Content-Length": "0",
110 |     "Host": "httpbin:8000",
111 |     "User-Agent": "istio/fortio-1.0.1",
112 |     "X-B3-Sampled": "1",
113 |     "X-B3-Spanid": "702e0b5984cd62be",
114 |     "X-B3-Traceid": "702e0b5984cd62be",
115 |     "X-Envoy-Decorator-Operation": "httpbin.httpbin.svc.cluster.local:8000/*",
116 |     "X-Istio-Attributes": "CjoKE2Rlc3RpbmF0aW9uLnNlcnZpY2USIxIhaHR0cGJpbi5odHRwYmluLnN2Yy5jbHVzdGVyLmxvY2FsCkMKCnNvdXJjZS51aWQSNRIza3ViZXJuZXRlczovL2ZvcnRpby1kZXBsb3ktNmZiNTlmOWQ2ZC1xbXdoNC5odHRwYmluCj8KGGRlc3RpbmF0aW9uLnNlcnZpY2UuaG9zdBIjEiFodHRwYmluLmh0dHBiaW4uc3ZjLmNsdXN0ZXIubG9jYWwKPQoXZGVzdGluYXRpb24uc2VydmljZS51aWQSIhIgaXN0aW86Ly9odHRwYmluL3NlcnZpY2VzL2h0dHBiaW4KJQoYZGVzdGluYXRpb24uc2VydmljZS5uYW1lEgkSB2h0dHBiaW4KKgodZGVzdGluYXRpb24uc2VydmljZS5uYW1lc3BhY2USCRIHaHR0cGJpbg==",
117 |     "X-Request-Id": "51e3b07e-daf1-9544-a946-5a9a7de3f05d"
118 |   },
119 |   "origin": "172.17.0.29",
120 |   "url": "http://httpbin:8000/get"
121 | }
122 |
123 | ```
124 |
125 |
126 | Now let's call the service with two concurrent connections (-c 2) and send 20 requests (-n 20)
127 |
128 | ```
129 | $ kubectl exec -it $FORTIO_POD -c fortio /usr/local/bin/fortio -- load -c 2 -qps 0 -n 20 -loglevel Warning http://httpbin:8000/get
130 | 18:09:14 I logger.go:97> Log level is now 3 Warning (was 2 Info)
131 | Fortio 1.0.1 running at 0 queries per second, 4->4 procs, for 20 calls: http://httpbin:8000/get
132 | Starting at max qps with 2 thread(s) [gomax 4] for exactly 20 calls (10 per thread + 0)
133 | 18:09:14 W http_client.go:604> Parsed non ok code 503 (HTTP/1.1 503)
134 | 18:09:14 W http_client.go:604> Parsed non ok code 503 (HTTP/1.1 503)
135 | Ended after 34.963125ms : 20 calls. qps=572.03
136 | Aggregated Function Time : count 20 avg 0.0033139377 +/- 0.001149 min 0.001911933 max 0.005379765 sum 0.066278755
137 | # range, mid point, percentile, count
138 | >= 0.00191193 <= 0.002 , 0.00195597 , 5.00, 1
139 | > 0.002 <= 0.003 , 0.0025 , 50.00, 9
140 | > 0.003 <= 0.004 , 0.0035 , 70.00, 4
141 | > 0.004 <= 0.005 , 0.0045 , 90.00, 4
142 | > 0.005 <= 0.00537976 , 0.00518988 , 100.00, 2
143 | # target 50% 0.003
144 | # target 75% 0.00425
145 | # target 90% 0.005
146 | # target 99% 0.00534179
147 | # target 99.9% 0.00537597
148 | Sockets used: 4 (for perfect keepalive, would be 2)
149 | Code 200 : 18 (90.0 %)
150 | Code 503 : 2 (10.0 %)
151 | Response Header Sizes : count 20 avg 207 +/- 69 min 0 max 230 sum 4140
152 | Response Body/Total Sizes : count 20 avg 1069.3 +/- 284.1 min 217 max 1164 sum 21386
153 | All done 20 calls (plus 0 warmup) 3.314 ms avg, 572.0 qps
154 | ```
155 |
156 | We observe that most of the requests have gone through with `http code 200` and a couple of them have failed due to circuit breaking.
157 |
158 | ```
159 | Code 200 : 18 (90.0 %)
160 | Code 503 : 2 (10.0 %)
161 | ```
162 |
163 | Let's increase the load by increasing the number of concurrent connections up to 3:
164 |
165 | ```
166 | $ kubectl exec -it $FORTIO_POD -c fortio /usr/local/bin/fortio -- load -c 3 -qps 0 -n 20 -loglevel Warning http://httpbin:8000/get
167 | 18:10:39 I logger.go:97> Log level is now 3 Warning (was 2 Info)
168 | Fortio 1.0.1 running at 0 queries per second, 4->4 procs, for 20 calls: http://httpbin:8000/get
169 | Starting at max qps with 3 thread(s) [gomax 4] for exactly 20 calls (6 per thread + 2)
170 | 18:10:39 W http_client.go:604> Parsed non ok code 503 (HTTP/1.1 503)
171 | 18:10:39 W http_client.go:604> Parsed non ok code 503 (HTTP/1.1 503)
172 | 18:10:39 W http_client.go:604> Parsed non ok code 503 (HTTP/1.1 503)
173 | 18:10:39 W http_client.go:604> Parsed non ok code 503 (HTTP/1.1 503)
174 | 18:10:39 W http_client.go:604> Parsed non ok code 503 (HTTP/1.1 503)
175 | 18:10:39 W http_client.go:604> Parsed non ok code 503 (HTTP/1.1 503)
176 | 18:10:39 W http_client.go:604> Parsed non ok code 503 (HTTP/1.1 503)
177 | 18:10:39 W http_client.go:604> Parsed non ok code 503 (HTTP/1.1 503)
178 | 18:10:39 W http_client.go:604> Parsed non ok code 503 (HTTP/1.1 503)
179 | 18:10:39 W http_client.go:604> Parsed non ok code 503 (HTTP/1.1 503)
180 | Ended after 37.302157ms : 20 calls. qps=536.16
181 | Aggregated Function Time : count 20 avg 0.0042114846 +/- 0.004256 min 0.000481987 max 0.016395203 sum 0.084229692
182 | # range, mid point, percentile, count
183 | >= 0.000481987 <= 0.001 , 0.000740994 , 25.00, 5
184 | > 0.001 <= 0.002 , 0.0015 , 40.00, 3
185 | > 0.002 <= 0.003 , 0.0025 , 50.00, 2
186 | > 0.003 <= 0.004 , 0.0035 , 55.00, 1
187 | > 0.004 <= 0.005 , 0.0045 , 70.00, 3
188 | > 0.005 <= 0.006 , 0.0055 , 80.00, 2
189 | > 0.006 <= 0.007 , 0.0065 , 85.00, 1
190 | > 0.007 <= 0.008 , 0.0075 , 90.00, 1
191 | > 0.012 <= 0.014 , 0.013 , 95.00, 1
192 | > 0.016 <= 0.0163952 , 0.0161976 , 100.00, 1
193 | # target 50% 0.003
194 | # target 75% 0.0055
195 | # target 90% 0.008
196 | # target 99% 0.0163162
197 | # target 99.9% 0.0163873
198 | Sockets used: 12 (for perfect keepalive, would be 3)
199 | Code 200 : 10 (50.0 %)
200 | Code 503 : 10 (50.0 %)
201 | Response Header Sizes : count 20 avg 115.1 +/- 115.1 min 0 max 231 sum 2302
202 | Response Body/Total Sizes : count 20 avg 690.6 +/- 473.6 min 217 max 1165 sum 13812
203 | All done 20 calls (plus 0 warmup) 4.211 ms avg, 536.2 qps
204 | ```
205 |
206 | This time the failures are about 50%
207 |
208 | ```
209 | Code 200 : 10 (50.0 %)
210 | Code 503 : 10 (50.0 %)
211 | ```
212 |
213 | Let us query the istio-proxy stats:
214 |
215 | ```
216 | $ kubectl exec -it $FORTIO_POD -c istio-proxy -- sh -c 'curl localhost:15000/stats' | grep httpbin | grep pending
217 | cluster.outbound|8000||httpbin.httpbin.svc.cluster.local.upstream_rq_pending_active: 0
218 | cluster.outbound|8000||httpbin.httpbin.svc.cluster.local.upstream_rq_pending_failure_eject: 0
219 | cluster.outbound|8000||httpbin.httpbin.svc.cluster.local.upstream_rq_pending_overflow: 12
220 | cluster.outbound|8000||httpbin.httpbin.svc.cluster.local.upstream_rq_pending_total: 29
221 | ```
222 |
223 | We see that 12 requests are flagged for circuit breaking.
224 |
225 | ```
226 | httpbin.httpbin.svc.cluster.local.upstream_rq_pending_overflow: 12
227 | ```
228 |
229 | ## Clean up
230 |
231 | Remove the destination rule
232 |
233 | ```
234 | kubectl delete destinationrule httpbin
235 | ```
236 | Remove the deployments for httpbin and the client
237 |
238 | ```
239 | kubectl delete deploy --all
240 | kubectl get rs --all
241 | kubectl delete po --all
242 | kubectl delete svc httpbin
243 | oc delete project httpbin
244 | ```
245 |
246 |
247 |
248 |

--------------------------------------------------------------------------------
/ControllingEgressTraffic.md:
--------------------------------------------------------------------------------
1 | # Egress Traffic
2 |
3 | ### Prerequisites
4 |
5 | * We need a running Istio Cluster
6 |
7 |
8 | By default the sidecar proxy handles only intra-cluster communication, i.e., access to external URLs is not allowed. Here we will learn how to make external services reachable from the services running on your cluster by defining [ServiceEntry](https://istio.io/docs/reference/config/istio.networking.v1alpha3/#ServiceEntry) configurations.
9 |
10 | ### Deploy an application to test Connectivity
11 |
12 | Let us deploy a simple sample application in the project that is istio-enabled. This application can be used as a terminal to `curl` to make external calls.
13 |
14 | ```
15 | kubectl apply -f <(istioctl kube-inject -f samples/sleep/sleep.yaml)
16 | ```
17 |
18 | Once the application starts up, you'll see the corresponding pod
19 |
20 | ```
21 | $ kubectl get po
22 | NAME READY STATUS RESTARTS AGE
23 | sleep-74fcbff5d9-sn52m 2/2 Running 0 3h
24 | ```
25 |
26 | Once the pod is in `Running` status, note the pod name. You can log into the pod and get access to the terminal by running the following command:
27 |
28 | > **Note** Substitute your pod name
29 |
30 | ```
31 | $ oc rsh -c sleep sleep-74fcbff5d9-sn52m
32 | / #
33 | ```
34 | This command will exec into the pod, and specifically into the container named sleep. We choose a particular container with `-c sleep` because our pod has multiple containers, i.e., the istio-sidecar container runs alongside your application container. If you want the same effect with kubectl, you can run `kubectl exec -it sleep-74fcbff5d9-sn52m -c sleep bash` as an alternative.
35 |
36 | You can exit this pod by typing in `exit`
37 |
38 | ### Configure External Services
39 |
40 | Allowing access to an external service over `HTTP` such as [http://httpbin.org](http://httpbin.org) requires us to define a ServiceEntry. Run the following command to create a ServiceEntry.
41 |
42 | ```
43 | cat < **Note** Substitute pod name
134 |
135 | ```
136 | $ oc rsh -c sleep sleep-74fcbff5d9-sn52m time curl -o /dev/null -s -w "%{http_code}\n" http://httpbin.org/delay/5
137 | 200
138 | real 0m 5.25s
139 | user 0m 0.00s
140 | sys 0m 0.00s
141 | ```
142 |
143 | You can also run a more wordy kubectl command `kubectl exec -it $SOURCE_POD -c sleep bash time curl -o /dev/null -s -w "%{http_code}\n" http://httpbin.org/delay/5` instead. At this point you'll notice a return code of `200`, which indicates success, and the time taken to service this request is a little over 5s due to the delay we set.
144 |
145 | Now let us set a 3s timeout by creating a VirtualService for httpbin.org as shown below:
146 |
147 | ```
148 | cat <Wikipedia Summary: The Comedy of Errors is one of William Shakespeare's early plays. It is his shortest and one of his most farcical comedies, with a major part of the humour coming from slapstick and mistaken identity, in addition to puns and word play.", "id": 0, "title": "The Comedy of Errors"}]
119 |
120 | ```
121 |
122 | Note the product's `"id": 0`. We will use this id to call other APIs. Let us use our prefix and get reviews
123 |
124 | `curl http://bookinfo20.istio.apps.311.ocpcloud.com/api/v1/products/0/reviews`
125 |
126 | and observe the output similar to
127 |
128 | ```
129 | {"reviews": [{"reviewer": "Reviewer1", "rating": {"color": "red", "stars": 5}, "text": "An extremely entertaining play by Shakespeare. The slapstick humour is refreshing!"}, {"reviewer": "Reviewer2", "rating": {"color": "red", "stars": 4}, "text": "Absolutely fun and entertaining. The play lacks thematic depth when compared to other plays by Shakespeare."}], "id": "0"}
130 | ```
131 |
132 | and ratings service by running
133 |
134 | `curl http://bookinfo20.istio.apps.311.ocpcloud.com/api/v1/products/0/ratings`
135 |
136 | to observe output similar to
137 |
138 | ```
139 | {"ratings": {"Reviewer2": 4, "Reviewer1": 5}, "id": 0}
140 | ```
141 |
142 | Now let us edit this match criteria. We will replace `prefix: /api/v1/products` with `exact: /api/v1/products`. This means the URL will be matched exactly with `/api/v1/products`, so no other URLs should work.
143 |
144 | Run the following command to apply this change.
145 | > **Note** Substitute the hostname with your own value
146 |
147 | ```
148 | cat < **Note** If you have previously created a profile with this name, either choose a different name or remove the existing profile by running the following commands
42 | >
43 | ```
44 | minishift delete profile servicemesh
45 | rm -rf ~/.minishift/profiles/servicemesh
46 | ```
47 |
48 | Now start the minishift instance
49 |
50 | ```
51 | minishift start
52 | ```
53 |
54 | ### Login as Administrator
55 |
56 | Now that minishift has started, log in as administrator to minishift by running
57 |
58 | ```
59 | oc login -u system:admin
60 | ```
61 | The above command switches you to the administrator user on your own minishift.
62 |
63 | ### Istio Addon for Minishift
64 |
65 | Let us download the `istio addon` for minishift.
66 |
67 | > **Note:** You will have to figure out a way to download a specific directory `istio` from [https://github.com/minishift/minishift-addons](https://github.com/minishift/minishift-addons). In my case I am using [github-files-fetcher](https://github.com/Gyumeijie/github-files-fetcher).
68 | >
69 | > **Other alternatives**
70 | >
71 | > * you can try git's [sparse checkout](https://github.community/t5/How-to-use-Git-and-GitHub/How-can-I-download-a-specific-folder-from-a-GitHub-repo/td-p/88)
72 | > * you can clone all the addons by running `git clone https://github.com/minishift/minishift-addons`, but that will download a bunch of other addons as well
73 |
74 | ```
75 | fetcher --url=https://github.com/minishift/minishift-addons/tree/master/add-ons/istio
76 | ```
77 |
78 | Once fetched, you will see the `istio` folder with the following contents
79 |
80 | ```
81 | $ ls -r istio
82 | istio_community_operator_template.yaml installation.yaml
83 | istio.addon.remove README.adoc
84 | istio.addon
85 | ```
86 |
87 | Now let's install the minishift istio addon, enable the addon and apply it to our currently running minishift.
88 | 89 | ``` 90 | minishift addon install ./istio 91 | minishift addon enable istio 92 | minishift addon apply istio 93 | ``` 94 | 95 | You will see the following output as the istio addon is applied to your minishift instance 96 | 97 | ``` 98 | -- Applying addon 'istio': 99 | Prepare for install istio... 100 | Installing istio-operator... 101 | Installing Istio.. 102 | 'minishift addons enable admin-user' 103 | 'minishift addons apply admin-user' 104 | 'minishift addons enable anyuid' 105 | 'minishift addons apply anyuid' 106 | 'oc adm policy add-scc-to-user anyuid -z default -n myproject' 107 | 'oc adm policy add-scc-to-user privileged -z default -n myproject' 108 | Please wait for few seconds before all pods are up! 109 | Watch the pods status via minishift console or oc get pods -w -n istio-system --as system:admin 110 | ``` 111 | 112 | As the output suggested let us watch the status of istio-system by running 113 | 114 | ``` 115 | oc get pods -w -n istio-system --as system:admin 116 | ``` 117 | This addon invokes an installer pod `openshift-ansible-istio-installer-job-xxxx` which installs istio on openshift and completes. 118 | 119 | ``` 120 | $ oc get pods -w -n istio-system --as system:admin 121 | NAME READY STATUS RESTARTS AGE 122 | openshift-ansible-istio-installer-job-thwkz 0/1 Pending 0 10s 123 | openshift-ansible-istio-installer-job-thwkz 0/1 Pending 0 10s 124 | openshift-ansible-istio-installer-job-thwkz 0/1 ContainerCreating 0 10s 125 | ``` 126 | 127 | > **Note** By default, OpenShift doesn’t allow containers running with user ID 0 ie root. Currently all the Istio containers run as root. Installer enables containers running with UID 0 for Istio’s service accounts and the supporting service accounts such as prometheus, grafana etc. 128 | > Also, a service account that runs application pods needs privileged security context constraints as part of sidecar injection. We will deal with this when we are installing a sample application. 
129 | 130 | This will take a few minutes. You should see the istio pods initializing until you see the final state as 131 | 132 | ``` 133 | NAME READY STATUS RESTARTS AGE 134 | elasticsearch-0 1/1 Running 0 4m 135 | grafana-65db6b47c9-b999k 1/1 Running 0 4m 136 | istio-citadel-84fb7985bf-l98zc 1/1 Running 0 7m 137 | istio-egressgateway-86f49899c9-4t4gx 1/1 Running 0 7m 138 | istio-galley-655c4f9ccd-bmbc2 1/1 Running 0 7m 139 | istio-ingressgateway-8695db5498-sfxtg 1/1 Running 0 7m 140 | istio-pilot-b969499c4-bkt9k 2/2 Running 0 7m 141 | istio-policy-5455899b66-x44v6 2/2 Running 0 7m 142 | istio-sidecar-injector-8975849b4-m5rdc 1/1 Running 0 7m 143 | istio-statsd-prom-bridge-7f44bb5ddb-z6m89 1/1 Running 0 7m 144 | istio-telemetry-584c9ff7f5-4s847 2/2 Running 0 7m 145 | jaeger-agent-4jj4v 1/1 Running 0 2m 146 | jaeger-collector-7764fc77b6-drk4l 1/1 Running 1 2m 147 | jaeger-query-5c7fb9878d-h9ztr 1/1 Running 0 2m 148 | kiali-5dd65695f7-vrd96 1/1 Running 0 2m 149 | openshift-ansible-istio-installer-job-5smn2 0/1 Completed 0 9m 150 | prometheus-84bd4b9796-kgc9z 1/1 Running 0 7m 151 | ``` 152 | 153 | 154 | Now you have an OpenShift cluster running on your box along with openshift istio framework. The openshift istio framework also includes monitoring using `prometheus` and `grafana`, request tracing using `jaeger`, visualization using `kiali` in addition to the key istio components such as `pilot`, `mixer`, `sidecar-injector`, and `citadel`. 155 | 156 | 157 | ### Verify Istio 158 | 159 | > **Note** You should be logged in as `system:admin` to accomplish the tasks in this section. `oc login -u system:admin` 160 | 161 | Switch over to `istio-system` project and understand all the components that are deployed. Look at the service accounts, pods, and different types of custom resource definitions added by the previous step. You will find the 5 core components of Istio running as pods and their correspoding deployments i.e, ca, pilot, mixer, ingress and egress. 
162 | 163 | 164 | ``` 165 | $ oc project istio-system 166 | 167 | $ oc get sa 168 | NAME SECRETS AGE 169 | builder 2 7h 170 | default 2 7h 171 | deployer 2 7h 172 | elasticsearch 2 7h 173 | grafana 2 7h 174 | istio-citadel-service-account 2 7h 175 | istio-egressgateway-service-account 2 7h 176 | istio-galley-service-account 2 7h 177 | istio-ingressgateway-service-account 2 7h 178 | istio-mixer-service-account 2 7h 179 | istio-pilot-service-account 2 7h 180 | istio-sidecar-injector-service-account 2 7h 181 | jaeger 2 7h 182 | kiali-service-account 2 7h 183 | openshift-ansible 2 7h 184 | prometheus 2 7h 185 | 186 | $ oc get pods 187 | NAME READY STATUS RESTARTS AGE 188 | istio-ca-2617747623-0ch0b 1/1 Running 0 15s 189 | istio-egress-2389443630-l8706 1/1 Running 0 16s 190 | istio-ingress-355016184-nd4gp 1/1 Running 0 16s 191 | istio-mixer-3229407178-v3q3m 2/2 Running 0 19s 192 | istio-pilot-589912157-7x7p7 1/1 Running 0 17s 193 | 194 | $ oc get crd 195 | NAME AGE 196 | adapters.config.istio.io 7h 197 | apikeys.config.istio.io 7h 198 | attributemanifests.config.istio.io 7h 199 | authorizations.config.istio.io 7h 200 | bypasses.config.istio.io 7h 201 | checknothings.config.istio.io 7h 202 | circonuses.config.istio.io 7h 203 | deniers.config.istio.io 7h 204 | destinationrules.networking.istio.io 7h 205 | edges.config.istio.io 7h 206 | envoyfilters.networking.istio.io 7h 207 | fluentds.config.istio.io 7h 208 | gateways.networking.istio.io 7h 209 | handlers.config.istio.io 7h 210 | httpapispecbindings.config.istio.io 7h 211 | httpapispecs.config.istio.io 7h 212 | installations.istio.openshift.com 7h 213 | instances.config.istio.io 7h 214 | kubernetesenvs.config.istio.io 7h 215 | kuberneteses.config.istio.io 7h 216 | listcheckers.config.istio.io 7h 217 | listentries.config.istio.io 7h 218 | logentries.config.istio.io 7h 219 | memquotas.config.istio.io 7h 220 | meshpolicies.authentication.istio.io 7h 221 | metrics.config.istio.io 7h 222 | noops.config.istio.io 7h 223 | 
opas.config.istio.io 7h 224 | openshiftwebconsoleconfigs.webconsole.operator.openshift.io 7h 225 | policies.authentication.istio.io 7h 226 | prometheuses.config.istio.io 7h 227 | quotas.config.istio.io 7h 228 | quotaspecbindings.config.istio.io 7h 229 | quotaspecs.config.istio.io 7h 230 | rbacconfigs.rbac.istio.io 7h 231 | rbacs.config.istio.io 7h 232 | redisquotas.config.istio.io 7h 233 | reportnothings.config.istio.io 7h 234 | rules.config.istio.io 7h 235 | servicecontrolreports.config.istio.io 7h 236 | servicecontrols.config.istio.io 7h 237 | serviceentries.networking.istio.io 7h 238 | servicerolebindings.rbac.istio.io 7h 239 | serviceroles.rbac.istio.io 7h 240 | signalfxs.config.istio.io 7h 241 | solarwindses.config.istio.io 7h 242 | stackdrivers.config.istio.io 7h 243 | statsds.config.istio.io 7h 244 | stdios.config.istio.io 7h 245 | templates.config.istio.io 7h 246 | tracespans.config.istio.io 7h 247 | virtualservices.networking.istio.io 7h 248 | 249 | $ oc get attributemanifests 250 | NAME AGE 251 | istioproxy 7h 252 | kubernetes 7h 253 | 254 | 255 | $ oc get metrics 256 | NAME AGE 257 | requestcount 7h 258 | requestduration 7h 259 | requestsize 7h 260 | responsesize 7h 261 | tcpbytereceived 7h 262 | tcpbytesent 7h 263 | 264 | 265 | $ oc get prometheuses 266 | NAME AGE 267 | handler 7h 268 | 269 | 270 | $ oc get rules 271 | NAME AGE 272 | kubeattrgenrulerule 7h 273 | promhttp 7h 274 | promtcp 7h 275 | stdio 7h 276 | stdiotcp 7h 277 | tcpkubeattrgenrulerule 7h 278 | 279 | $ oc get logentries 280 | NAME AGE 281 | accesslog 7h 282 | tcpaccesslog 7h 283 | 284 | 285 | $ oc get stdios 286 | NAME AGE 287 | handler 7h 288 | 289 | $ oc get deployments 290 | NAME DESIRED CURRENT UP-TO-DATE AVAILABLE AGE 291 | grafana 1 1 1 1 7h 292 | istio-citadel 1 1 1 1 7h 293 | istio-egressgateway 1 1 1 1 7h 294 | istio-galley 1 1 1 1 7h 295 | istio-ingressgateway 1 1 1 1 7h 296 | istio-pilot 1 1 1 1 7h 297 | istio-policy 1 1 1 1 7h 298 | istio-sidecar-injector 1 1 1 1 7h 299 | 
istio-statsd-prom-bridge 1 1 1 1 7h 300 | istio-telemetry 1 1 1 1 7h 301 | jaeger-collector 1 1 1 1 7h 302 | jaeger-query 1 1 1 1 7h 303 | kiali 1 1 1 1 7h 304 | prometheus 1 1 1 1 7h 305 | ``` 306 | 307 | Note the services running here. 308 | 309 | ``` 310 | $ oc get svc 311 | NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE 312 | elasticsearch ClusterIP 172.30.221.120 9200/TCP 7h 313 | elasticsearch-cluster ClusterIP 172.30.146.4 9300/TCP 7h 314 | grafana ClusterIP 172.30.98.124 3000/TCP 7h 315 | istio-citadel ClusterIP 172.30.7.128 8060/TCP,9093/TCP 7h 316 | istio-egressgateway ClusterIP 172.30.42.76 80/TCP,443/TCP 7h 317 | istio-galley ClusterIP 172.30.40.24 443/TCP,9093/TCP 7h 318 | istio-ingressgateway LoadBalancer 172.30.57.84 172.29.203.39,172.29.203.39 80:31380/TCP,443:31390/TCP,31400:31400/TCP,15011:30316/TCP,8060:32290/TCP,853:31213/TCP,15030:30194/TCP,15031:31527/TCP 7h 319 | istio-pilot ClusterIP 172.30.7.142 15010/TCP,15011/TCP,8080/TCP,9093/TCP 7h 320 | istio-policy ClusterIP 172.30.57.36 9091/TCP,15004/TCP,9093/TCP 7h 321 | istio-sidecar-injector ClusterIP 172.30.76.218 443/TCP 7h 322 | istio-statsd-prom-bridge ClusterIP 172.30.56.73 9102/TCP,9125/UDP 7h 323 | istio-telemetry ClusterIP 172.30.16.103 9091/TCP,15004/TCP,9093/TCP,42422/TCP 7h 324 | jaeger-collector ClusterIP 172.30.21.135 14267/TCP,14268/TCP,9411/TCP 7h 325 | jaeger-query LoadBalancer 172.30.102.230 172.29.59.125,172.29.59.125 80:30224/TCP 7h 326 | kiali ClusterIP 172.30.178.25 20001/TCP 7h 327 | prometheus ClusterIP 172.30.63.80 9090/TCP 7h 328 | tracing LoadBalancer 172.30.226.196 172.29.56.4,172.29.56.4 80:31411/TCP 7h 329 | zipkin ClusterIP 172.30.218.223 9411/TCP 7h 330 | ``` 331 | 332 | `istio-ingressgateway` is the entrypoint for all your traffic through Istio. 
The simplest way to get our routing to work on OpenShift is to expose this service as an OpenShift route, so that the OpenShift router that captures traffic on ports 80/443 sends the traffic to this `istio-ingressgateway` service and the rest of the control is with `istio-ingressgateway`. This has been done for us by the Istio installer. 333 | 334 | Let us check the exposed services, a.k.a. routes 335 | 336 | ``` 337 | $ oc get route 338 | NAME HOST/PORT PATH SERVICES PORT TERMINATION WILDCARD 339 | grafana grafana-istio-system.192.168.64.72.nip.io grafana http None 340 | istio-ingressgateway istio-ingressgateway-istio-system.192.168.64.72.nip.io istio-ingressgateway http2 None 341 | jaeger-query jaeger-query-istio-system.192.168.64.72.nip.io jaeger-query jaeger-query edge None 342 | kiali kiali-istio-system.192.168.64.72.nip.io kiali http-kiali reencrypt None 343 | prometheus prometheus-istio-system.192.168.64.72.nip.io prometheus http-prometheus None 344 | tracing tracing-istio-system.192.168.64.72.nip.io tracing tracing edge None 345 | 346 | ``` 347 | 348 | Now the url [istio-ingressgateway-istio-system.192.168.64.72.nip.io](istio-ingressgateway-istio-system.192.168.64.72.nip.io) is my ingress point. You also see a bunch of other routes for jaeger, grafana, prometheus etc. All these are also exposed by the installer for you. You can reach the respective applications using those routes. 349 | 350 | 351 | **Istio is now up and running.** 352 | 353 | ## Preparing for Application Deployment 354 | 355 | ### Preparing the user `developer` 356 | 357 | > **Note** You should be logged in as `system:admin` to accomplish the tasks in this section. `oc login -u system:admin` 358 | 359 | Now that Istio is set up and running on Minishift, we want to run our samples as a regular user. Minishift creates a user `developer` by default. Although minishift is not a multi-user environment and is just a private cluster of your own, for our examples, we will treat it like one.
360 | 361 | 362 | As of now, a user that needs to run Istio examples needs view access to the istio-system project. You can provide such access by running the following command: 363 | 364 | ``` 365 | oc adm policy add-role-to-user view developer -n istio-system 366 | ``` 367 | 368 | ### Additional Access to Project 369 | 370 | Applications are deployed into projects/namespaces. On OpenShift the applications running in a namespace run with a `default` service account. This `default` service account runs with the `restricted` SCC, which prevents it from running containers as specific user-ids or root, and also has restrictions on the Linux capabilities. 371 | 372 | Istio requires specific kinds of access at the project level: 373 | 374 | * Project needs to be labeled as `istio-injection=enabled` to let Istio know that this project can be used to enable automatic injection of sidecars 375 | * As of now, the `default` service account needs to be elevated to the `privileged` SCC, so that it can allow the application pods to have init containers whose `proxy_init` runs in privileged mode and adds `NET_ADMIN` 376 | as shown here. You will find this configuration in the individual `deployment` artifacts when you deploy the application. 377 | 378 | ``` 379 | initContainers: 380 | - args: 381 | - -p 382 | - "15001" 383 | - -u 384 | - "1337" 385 | - -m 386 | - REDIRECT 387 | - -i 388 | - '*' 389 | - -x 390 | - "" 391 | - -b 392 | - 9080, 393 | - -d 394 | - "" 395 | image: docker.io/istio/proxy_init:1.0.2 396 | imagePullPolicy: IfNotPresent 397 | name: istio-init 398 | resources: {} 399 | securityContext: 400 | capabilities: 401 | add: 402 | - NET_ADMIN 403 | privileged: true 404 | ``` 405 | 406 | Let's create a project named `bookinfo` for the user `developer`, label this project for istio-injection, and make `developer` a project administrator.
407 | 408 | ``` 409 | oc adm new-project bookinfo --admin=developer 410 | oc label namespace bookinfo istio-injection=enabled 411 | oc adm policy add-scc-to-user privileged -z default -n bookinfo 412 | ``` 413 | 414 | Now, if you log in as `developer`, you will see both `bookinfo` and `istio-system` on the project list. 415 | 416 | 417 | ## Summary 418 | 419 | In this chapter we learnt to perform the following administrative tasks: 420 | 421 | * Start Minishift 422 | * Deploy Istio on Minishift 423 | * Verify that Minishift is running 424 | * Enable `developer` to run applications on the minishift cluster 425 | * Create a project for `developer` to use and set the necessary privileges 426 | 427 | 428 | 429 | 430 | 431 | -------------------------------------------------------------------------------- /DeployingIstioWithOcclusterup.md: -------------------------------------------------------------------------------- 1 | # Deploying Istio with `oc cluster up` 2 | 3 | This chapter explains deploying Istio with `oc cluster up`. We will need at least OpenShift 3.7. As of the time of writing this, OpenShift 3.7 is alpha. 4 | 5 | The steps discussed here are adapted from the Istio setup on Kubernetes explained in the following link 6 | [https://istio.io/docs/setup/kubernetes/quick-start.html](https://istio.io/docs/setup/kubernetes/quick-start.html) 7 | 8 | **Prerequisites:** 9 | * Docker should be running on your workstation 10 | 11 | ### Download OpenShift Client 12 | Refer to the documentation here [https://docs.openshift.org/latest/cli_reference/get_started_cli.html](https://docs.openshift.org/latest/cli_reference/get_started_cli.html) to download and set up OpenShift CLI on your workstation. 13 | 14 | I have tested this with the following version of OpenShift CLI running on my Mac.
15 | 16 | ``` 17 | $ oc version 18 | oc v3.7.0-alpha.1+fdbd3dc 19 | kubernetes v1.7.0+695f48a16f 20 | features: Basic-Auth 21 | ``` 22 | 23 | ### Start OpenShift Cluster 24 | 25 | To start an OpenShift cluster on your box run the following command. 26 | 27 | ``` 28 | $ oc cluster up 29 | Starting OpenShift using openshift/origin:v3.7.0-alpha.1 ... 30 | OpenShift server started. 31 | 32 | The server is accessible via web console at: 33 | https://127.0.0.1:8443 34 | 35 | You are logged in as: 36 | User: developer 37 | Password: 38 | 39 | To login as administrator: 40 | oc login -u system:admin 41 | ``` 42 | 43 | This will download an OpenShift all-in-one image and start it to run OpenShift on your workstation. It will also provide you a URL for your master (on Mac it gives https://127.0.0.1:8443 by default) and create a user `developer` which you can use with any password of your choice. It will also log you in as `developer` by default. You will also have a project named `myproject` created to use. 44 | 45 | We have an OpenShift Kubernetes environment to test Istio on. 46 | 47 | ### Download Istio 48 | 49 | You can download the installation file corresponding to your OS from here [https://github.com/istio/istio/releases](https://github.com/istio/istio/releases) 50 | 51 | If you are using Mac or Linux you can run the following command that will extract the latest release automatically 52 | 53 | ``` 54 | $ curl -L https://git.io/getLatestIstio | sh - 55 | ``` 56 | 57 | I am testing with Istio version `0.2.7`. 58 | 59 | ``` 60 | $ cd istio-0.2.7 61 | ``` 62 | 63 | Set the path to the `istioctl` binary or copy it to a location where it can run. As an example on Mac, I am copying istioctl to `/usr/local/bin` so that I can run this command. Verify by running `istioctl version`.
64 | 65 | ``` 66 | $ cp bin/istioctl /usr/local/bin 67 | 68 | $ which istioctl 69 | /usr/local/bin/istioctl 70 | 71 | $ istioctl version 72 | Version: 0.2.7 73 | GitRevision: 6b145c189aad8306b13af1725123bebfbc7eefd4 74 | GitBranch: master 75 | User: root@f1eeb85f62ab 76 | GolangVersion: go1.8 77 | ``` 78 | 79 | You are all good to set up Istio now. 80 | 81 | ### Setup Istio 82 | 83 | When you started the cluster, you were logged in as the user `developer`. In order to install Istio, you will need to log in as cluster administrator on OpenShift. Run the following command to log in as the cluster admin. 84 | 85 | ``` 86 | $ oc login -u system:admin 87 | Logged into "https://127.0.0.1:8443" as "system:admin" using existing credentials. 88 | 89 | You have access to the following projects and can switch between them with 'oc project ': 90 | 91 | default 92 | kube-public 93 | kube-system 94 | * myproject 95 | openshift 96 | openshift-infra 97 | 98 | Using project "myproject". 99 | ``` 100 | 101 | The components that make up Istio run as specific service accounts on Kubernetes and OpenShift. When we install Istio in the next few steps, a new project with name `istio-system` will be created and a few service accounts are added to this project. Any new service accounts created on OpenShift are restricted by default. `Ingress` and `Egress` pods run as root. Hence we have to allow these service accounts to run with the `anyuid` SCC. 102 | 103 | 104 | ``` 105 | $ oc adm policy add-scc-to-user anyuid -z istio-ingress-service-account -n istio-system 106 | $ oc adm policy add-scc-to-user anyuid -z istio-egress-service-account -n istio-system 107 | ``` 108 | 109 | In the same way, when we run supporting components `prometheus` and `grafana` for monitoring, they use the `default` service account in the `istio-system` project. We are also allowing this `default` service account to run containers with the `anyuid` SCC.
110 | 111 | ``` 112 | #prometheus and grafana run as root and they use default sa 113 | $ oc adm policy add-scc-to-user anyuid -z default -n istio-system 114 | ``` 115 | 116 | **Note:** The above workaround may change in the future as they should run with separate service accounts that would have to be assigned privileged access individually. 117 | 118 | The Istio installer is available in two variants: 119 | * `istio.yaml` without mutual TLS authentication between sidecars 120 | * `istio-auth.yaml` with mutual TLS authentication between sidecars 121 | 122 | Run the following command to set up Istio. This will create a project named `istio-system`, create clusterroles and service accounts, and deploy Istio on your OpenShift cluster. 123 | 124 | ``` 125 | $ oc apply -f install/kubernetes/istio-auth.yaml 126 | namespace "istio-system" created 127 | clusterrole "istio-pilot-istio-system" created 128 | clusterrole "istio-initializer-istio-system" created 129 | clusterrole "istio-mixer-istio-system" created 130 | clusterrole "istio-ca-istio-system" created 131 | clusterrole "istio-sidecar-istio-system" created 132 | clusterrolebinding "istio-pilot-admin-role-binding-istio-system" created 133 | clusterrolebinding "istio-initializer-admin-role-binding-istio-system" created 134 | clusterrolebinding "istio-ca-role-binding-istio-system" created 135 | clusterrolebinding "istio-ingress-admin-role-binding-istio-system" created 136 | clusterrolebinding "istio-egress-admin-role-binding-istio-system" created 137 | clusterrolebinding "istio-sidecar-role-binding-istio-system" created 138 | clusterrolebinding "istio-mixer-admin-role-binding-istio-system" created 139 | configmap "istio-mixer" created 140 | service "istio-mixer" created 141 | serviceaccount "istio-mixer-service-account" created 142 | deployment "istio-mixer" created 143 | customresourcedefinition "rules.config.istio.io" created 144 | customresourcedefinition "attributemanifests.config.istio.io" created 145 | 
customresourcedefinition "deniers.config.istio.io" created 146 | customresourcedefinition "listcheckers.config.istio.io" created 147 | customresourcedefinition "memquotas.config.istio.io" created 148 | customresourcedefinition "noops.config.istio.io" created 149 | customresourcedefinition "prometheuses.config.istio.io" created 150 | customresourcedefinition "stackdrivers.config.istio.io" created 151 | customresourcedefinition "statsds.config.istio.io" created 152 | customresourcedefinition "stdios.config.istio.io" created 153 | customresourcedefinition "svcctrls.config.istio.io" created 154 | customresourcedefinition "checknothings.config.istio.io" created 155 | customresourcedefinition "listentries.config.istio.io" created 156 | customresourcedefinition "logentries.config.istio.io" created 157 | customresourcedefinition "metrics.config.istio.io" created 158 | customresourcedefinition "quotas.config.istio.io" created 159 | customresourcedefinition "reportnothings.config.istio.io" created 160 | attributemanifest "istioproxy" created 161 | attributemanifest "kubernetes" created 162 | stdio "handler" created 163 | logentry "accesslog" created 164 | rule "stdio" created 165 | metric "requestcount" created 166 | metric "requestduration" created 167 | metric "requestsize" created 168 | metric "responsesize" created 169 | metric "tcpbytesent" created 170 | metric "tcpbytereceived" created 171 | prometheus "handler" created 172 | rule "promhttp" created 173 | rule "promtcp" created 174 | configmap "istio" created 175 | customresourcedefinition "destinationpolicies.config.istio.io" created 176 | customresourcedefinition "egressrules.config.istio.io" created 177 | customresourcedefinition "routerules.config.istio.io" created 178 | service "istio-pilot" created 179 | serviceaccount "istio-pilot-service-account" created 180 | deployment "istio-pilot" created 181 | service "istio-ingress" created 182 | serviceaccount "istio-ingress-service-account" created 183 | deployment 
"istio-ingress" created 184 | service "istio-egress" created 185 | serviceaccount "istio-egress-service-account" created 186 | deployment "istio-egress" created 187 | serviceaccount "istio-ca-service-account" created 188 | deployment "istio-ca" created 189 | ``` 190 | 191 | It will take a few minutes for these images to be downloaded and the pods to come up. 192 | 193 | ### Verify Istio 194 | 195 | Switch over to `istio-system` project and understand all the components that are deployed. Look at the service accounts, pods, and different types of custom resource definitions added by the previous step. You will find the 5 core components of Istio running as pods and their correspoding deployments i.e, ca, pilot, mixer, ingress and egress. 196 | 197 | 198 | ``` 199 | $ oc project istio-system 200 | 201 | $ oc get sa 202 | NAME SECRETS AGE 203 | builder 2 23s 204 | default 2 23s 205 | deployer 2 23s 206 | istio-ca-service-account 2 19s 207 | istio-egress-service-account 2 20s 208 | istio-ingress-service-account 2 20s 209 | istio-mixer-service-account 2 22s 210 | istio-pilot-service-account 2 20s 211 | 212 | $ oc get pods 213 | NAME READY STATUS RESTARTS AGE 214 | istio-ca-2617747623-0ch0b 1/1 Running 0 15s 215 | istio-egress-2389443630-l8706 1/1 Running 0 16s 216 | istio-ingress-355016184-nd4gp 1/1 Running 0 16s 217 | istio-mixer-3229407178-v3q3m 2/2 Running 0 19s 218 | istio-pilot-589912157-7x7p7 1/1 Running 0 17s 219 | 220 | $ oc get crd 221 | NAME KIND 222 | attributemanifests.config.istio.io CustomResourceDefinition.v1beta1.apiextensions.k8s.io 223 | checknothings.config.istio.io CustomResourceDefinition.v1beta1.apiextensions.k8s.io 224 | deniers.config.istio.io CustomResourceDefinition.v1beta1.apiextensions.k8s.io 225 | destinationpolicies.config.istio.io CustomResourceDefinition.v1beta1.apiextensions.k8s.io 226 | egressrules.config.istio.io CustomResourceDefinition.v1beta1.apiextensions.k8s.io 227 | listcheckers.config.istio.io 
CustomResourceDefinition.v1beta1.apiextensions.k8s.io 228 | listentries.config.istio.io CustomResourceDefinition.v1beta1.apiextensions.k8s.io 229 | logentries.config.istio.io CustomResourceDefinition.v1beta1.apiextensions.k8s.io 230 | memquotas.config.istio.io CustomResourceDefinition.v1beta1.apiextensions.k8s.io 231 | metrics.config.istio.io CustomResourceDefinition.v1beta1.apiextensions.k8s.io 232 | noops.config.istio.io CustomResourceDefinition.v1beta1.apiextensions.k8s.io 233 | prometheuses.config.istio.io CustomResourceDefinition.v1beta1.apiextensions.k8s.io 234 | quotas.config.istio.io CustomResourceDefinition.v1beta1.apiextensions.k8s.io 235 | reportnothings.config.istio.io CustomResourceDefinition.v1beta1.apiextensions.k8s.io 236 | routerules.config.istio.io CustomResourceDefinition.v1beta1.apiextensions.k8s.io 237 | rules.config.istio.io CustomResourceDefinition.v1beta1.apiextensions.k8s.io 238 | stackdrivers.config.istio.io CustomResourceDefinition.v1beta1.apiextensions.k8s.io 239 | statsds.config.istio.io CustomResourceDefinition.v1beta1.apiextensions.k8s.io 240 | stdios.config.istio.io CustomResourceDefinition.v1beta1.apiextensions.k8s.io 241 | svcctrls.config.istio.io CustomResourceDefinition.v1beta1.apiextensions.k8s.io 242 | 243 | $ oc get attributemanifests 244 | NAME KIND 245 | istioproxy attributemanifest.v1alpha2.config.istio.io 246 | kubernetes attributemanifest.v1alpha2.config.istio.io 247 | 248 | $ oc get metrics 249 | NAME KIND 250 | requestcount metric.v1alpha2.config.istio.io 251 | requestduration metric.v1alpha2.config.istio.io 252 | requestsize metric.v1alpha2.config.istio.io 253 | responsesize metric.v1alpha2.config.istio.io 254 | tcpbytereceived metric.v1alpha2.config.istio.io 255 | tcpbytesent metric.v1alpha2.config.istio.io 256 | 257 | $ oc get prometheuses 258 | NAME KIND 259 | handler prometheus.v1alpha2.config.istio.io 260 | 261 | $ oc get rules 262 | NAME KIND 263 | promhttp rule.v1alpha2.config.istio.io 264 | promtcp 
rule.v1alpha2.config.istio.io 265 | stdio rule.v1alpha2.config.istio.io 266 | 267 | $ oc get logentries 268 | NAME KIND 269 | accesslog logentry.v1alpha2.config.istio.io 270 | 271 | $ oc get stdios 272 | NAME KIND 273 | handler stdio.v1alpha2.config.istio.io 274 | 275 | 276 | $ oc get deployments 277 | NAME DESIRED CURRENT UP-TO-DATE AVAILABLE AGE 278 | istio-ca 1 1 1 1 1h 279 | istio-egress 1 1 1 1 1h 280 | istio-ingress 1 1 1 1 1h 281 | istio-mixer 1 1 1 1 1h 282 | istio-pilot 1 1 1 1 1h 283 | ``` 284 | 285 | Note the services running here. 286 | 287 | ``` 288 | $ oc get svc 289 | NAME CLUSTER-IP EXTERNAL-IP PORT(S) AGE 290 | istio-egress 172.30.98.105 80/TCP 3m 291 | istio-ingress 172.30.45.112 172.29.101.193,172.29.101.193 80:31388/TCP,443:30520/TCP 3m 292 | istio-mixer 172.30.82.151 9091/TCP,9093/TCP,9094/TCP,9102/TCP,9125/UDP,42422/TCP 3m 293 | istio-pilot 172.30.82.242 8080/TCP,443/TCP 294 | ``` 295 | 296 | `istio-ingress` is the entrypoint for all your traffic through Istio. The simplest way to get our routing to work on OpenShift is to expose this service as an openshift route so that the openshift router that captures traffic on ports 80/443 will send the traffic to this `istio-ingress` service and rest of the control is with `istio-ingress`. So create a route by running: 297 | 298 | ``` 299 | $ oc expose svc istio-ingress 300 | 301 | $ oc get route -n istio-system 302 | NAME HOST/PORT PATH SERVICES PORT TERMINATION WILDCARD 303 | istio-ingress istio-ingress-istio-system.127.0.0.1.nip.io istio-ingress http 304 | ``` 305 | Now the url [http://istio-ingress-istio-system.127.0.0.1.nip.io](istio-ingress-istio-system.127.0.0.1.nip.io) is my ingress point. 306 | 307 | 308 | Istio is now up and running. Let's now install supporting infrastructure components for metrics, tracing and service graph. 
309 | 310 | 311 | 312 | -------------------------------------------------------------------------------- /DeployingSampleApplication.md: -------------------------------------------------------------------------------- 1 | # Deploying sample application 2 | 3 | >**Note**: You could be running these labs from Minishift or an OpenShift cluster. There are slight variations based on which environment you are using. As an example, project names will be different in order to make them unique in a multi-user OpenShift cluster as opposed to using a single-user minishift. Those changes have been documented, so please read carefully before executing the commands. 4 | 5 | ### Prerequisites 6 | 7 | * Istio is installed and running on either Minishift or OpenShift. 8 | * Your administrator has assigned you a userid to run these samples. If you are using minishift, you have provided necessary access to the user `developer`. 9 | * A project has been created, istio-injection is enabled on it, and the `default` service account has been given access for Istio 10 | * If running on OpenShift, your administrator has given you a hostname to use with your application instance. 11 | 12 | ### Download Istio Samples 13 | 14 | While we are already running Istio, let us do some extra steps to get the samples and the Istio CLI downloaded to our box. 15 | 16 | You can download Istio binaries and samples corresponding to your OS from here [https://github.com/istio/istio/releases](https://github.com/istio/istio/releases) 17 | 18 | If you are using Mac or Linux you can run the following command that will extract the latest release automatically 19 | 20 | ``` 21 | curl -L https://git.io/getLatestIstio | sh - 22 | ``` 23 | 24 | I am testing with Istio version `1.1.1`.
25 | 26 | Change over to the folder where Istio samples are downloaded 27 | ``` 28 | cd istio-1.1.1 29 | ``` 30 | 31 | When you list the files you should see this 32 | 33 | ``` 34 | $ ls 35 | LICENSE bin istio.VERSION tools 36 | README.md install samples 37 | ``` 38 | This is where you will execute all subsequent commands for application deployment from. 39 | 40 | 41 | 42 | ### Deploy Bookinfo sample application 43 | 44 | We will deploy the sample bookinfo application explained in the [Istio docs](https://istio.io/docs/guides/bookinfo.html). The instructions are more or less the same as Kubernetes with some slight variations. Hence I have documented the OpenShift deployment process here. 45 | 46 | 47 | Log in with the userid (such as `user1`) assigned to you by the administrator. If you are using minishift you will log in as `developer` by running the following command. 48 | 49 | > **Note** substitute the userid assigned to you. 50 | 51 | ``` 52 | oc login -u YourUserId 53 | ``` 54 | 55 | Now if you list the projects you should see access to a `bookinfo` project and `istio-system` project. If you are running on OpenShift, the bookinfo project may be named differently based on your userid. Example: `bookinfo1` if you are `user1` to make it unique to each user. 56 | 57 | ``` 58 | $ oc get projects 59 | NAME DISPLAY NAME STATUS 60 | bookinfo Active 61 | istio-system Active 62 | ... 63 | ... 64 | 65 | ``` 66 | 67 | Switch your context to the bookinfo project assigned to you by running a command like: 68 | 69 | > **Note** Change the project name to the one assigned to you 70 | 71 | ``` 72 | oc project bookinfo 73 | ``` 74 | 75 | Let's now deploy the `bookinfo` application. In order to inject the sidecar into the deployment, we will apply an annotation `sidecar.istio.io/inject: "true"` to our deployment. 76 | 77 | ``` 78 | kubectl apply -f samples/bookinfo/platform/kube/bookinfo.yaml 79 | ``` 80 | > **Note** you are in the folder where you downloaded Istio samples.
81 | 82 | and watch the output as shown below 83 | 84 | ``` 85 | service/details created 86 | deployment.extensions/details-v1 created 87 | service/ratings created 88 | deployment.extensions/ratings-v1 created 89 | service/reviews created 90 | deployment.extensions/reviews-v1 created 91 | deployment.extensions/reviews-v2 created 92 | deployment.extensions/reviews-v3 created 93 | service/productpage created 94 | deployment.extensions/productpage-v1 created 95 | ``` 96 | 97 | As you observed above it created deployments `productpage-v1`, `details-v1`, `ratings-v1`, `reviews-v1`, `reviews-v2`, and `reviews-v3`. 98 | 99 | We will patch these deployments to add the annotation by running the following script. This script simply gets all the above deployments and applies the annotation to the podspectemplate in each deployment. 100 | 101 | ``` 102 | for i in $(kubectl get deployments -o jsonpath='{range.items[*]}{.metadata.name}{"\n"}{end}'); do echo $i; oc patch deployment $i -p '{"spec":{"template":{"metadata":{"annotations":{"sidecar.istio.io/inject": "true"}}}}}'; done 103 | ``` 104 | 105 | Give a few mins for the container images to be pulled and for the pods to come up. Note all the components that are running. Also note that `2` out of `2` containers are Ready. One of those containers is your application and the other is the sidecar. 
106 | 107 | ``` 108 | $ kubectl get po 109 | NAME READY STATUS RESTARTS AGE 110 | details-v1-7bbdd88f4f-drw95 2/2 Running 0 25m 111 | productpage-v1-7bddcc55bc-7nxdq 2/2 Running 0 25m 112 | ratings-v1-798b466f7c-9q4h8 2/2 Running 0 25m 113 | reviews-v1-9d64cc6db-prqw7 2/2 Running 0 25m 114 | reviews-v2-784596cc4c-nmk2z 2/2 Running 0 7m 115 | reviews-v3-f97b77448-zmv6b 2/2 Running 0 25m 116 | 117 | $ kubectl get services 118 | NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE 119 | details ClusterIP 172.30.4.163 9080/TCP 30s 120 | productpage ClusterIP 172.30.247.217 9080/TCP 28s 121 | ratings ClusterIP 172.30.119.188 9080/TCP 30s 122 | reviews ClusterIP 172.30.142.212 9080/TCP 29s 123 | ``` 124 | 125 | ### Create a Gateway to access your application 126 | 127 | In order to make your application accessible from outside the cluster, an [Istio Gateway](https://istio.io/docs/concepts/traffic-management/#gateways) is required. Let us understand gateway and virtual service configurations 128 | 129 | ``` 130 | $ cat samples/bookinfo/networking/bookinfo-gateway.yaml 131 | apiVersion: networking.istio.io/v1alpha3 132 | kind: Gateway 133 | metadata: 134 | name: bookinfo-gateway 135 | spec: 136 | selector: 137 | istio: ingressgateway # use istio default controller 138 | servers: 139 | - port: 140 | number: 80 141 | name: http 142 | protocol: HTTP 143 | hosts: 144 | - "*" 145 | --- 146 | apiVersion: networking.istio.io/v1alpha3 147 | kind: VirtualService 148 | metadata: 149 | name: bookinfo 150 | spec: 151 | hosts: 152 | - "*" 153 | gateways: 154 | - bookinfo-gateway 155 | http: 156 | - match: 157 | - uri: 158 | exact: /productpage 159 | - uri: 160 | exact: /login 161 | - uri: 162 | exact: /logout 163 | - uri: 164 | prefix: /api/v1/products 165 | route: 166 | - destination: 167 | host: productpage 168 | port: 169 | number: 9080 170 | 171 | ``` 172 | **Gateway**: A [Gateway](https://istio.io/docs/reference/config/istio.networking.v1alpha3/#Gateway) configures a load balancer for 
HTTP/TCP traffic, most commonly operating at the edge of the mesh to enable ingress traffic for an application. The above gateway will direct all the `HTTP` traffic coming on port `80` at istio-ingressgateway to the bookinfo sample application. 173 | 174 | * The selector `istio: ingressgateway` pulls the traffic coming to the istio-ingressgateway service in the `istio-system` project 175 | * The parameter `hosts: "*"` says that any traffic coming to this `bookinfo-gateway` for any hostname will be consumed. If we want our application to cater to specific hostnames, we should list those here instead of using `*` 176 | 177 | **VirtualService**: A [VirtualService](https://istio.io/docs/reference/config/istio.networking.v1alpha3/#VirtualService) defines the rules that control how requests for a service are routed within an Istio service mesh. With the above virtualservice configuration: 178 | 179 | * `gateways: - bookinfo-gateway` configures it to listen to traffic coming to `bookinfo-gateway` defined earlier 180 | * `hosts: "*"` caters to any hostname. If we want a specific hostname, we can change this to a specific hostname. 181 | * URI matching allows it to listen to `/productpage` etc. 182 | 183 | ----- 184 | #### Minishift 185 | To deploy with minishift, since it is not multi-tenant you can just deploy the gateway and a virtual service as shown below: 186 | 187 | ``` 188 | $ kubectl apply -f samples/bookinfo/networking/bookinfo-gateway.yaml 189 | gateway.networking.istio.io/bookinfo-gateway created 190 | virtualservice.networking.istio.io/bookinfo created 191 | ``` 192 | The virtual service above shows that we can access the product page at the `/productpage` endpoint.
This endpoint is for the Istio ingress i.e., 193 | 194 | ``` 195 | $ kubectl get route -n istio-system istio-ingressgateway 196 | NAME HOST/PORT PATH SERVICES PORT TERMINATION WILDCARD 197 | istio-ingressgateway istio-ingressgateway-istio-system.192.168.64.72.nip.io istio-ingressgateway http2 None 198 | ``` 199 | 200 | ----- 201 | 202 | ----- 203 | #### OpenShift 204 | To deploy on a multi-user OpenShift cluster, since you want a separate URL for each application instance, 205 | 206 | **Ask your organizer for the Hostname to assign to your application.**
211 | 212 | If you are `user1` you will be allocated a url such as `bookinfo1.istio.apps.devday.ocpcloud.com`. The domain name may vary. Similarly `user2` may get `bookinfo2`. 213 | 214 | Create an environment variable with the hostname allocated to you as below 215 | > **Substitute** the value in the command before running 216 | ``` 217 | export APPHOSTNAME=bookinfo1.istio.apps.devday.ocpcloud.com 218 | ``` 219 | 220 | The command below will assign a specific hostname in place of `*`, before creating the gateway and virtual service for your application. 221 | 222 | ``` 223 | sed "s/*/$APPHOSTNAME/" samples/bookinfo/networking/bookinfo-gateway.yaml | kubectl apply -f - 224 | ``` 225 | You will see the following configurations for gateway and virtualservice. Look at the `hosts` parameters. 226 | 227 | ``` 228 | $ kubectl get gateway bookinfo-gateway -o yaml 229 | apiVersion: networking.istio.io/v1alpha3 230 | kind: Gateway 231 | metadata: 232 | annotations: 233 | kubectl.kubernetes.io/last-applied-configuration: | 234 | {"apiVersion":"networking.istio.io/v1alpha3","kind":"Gateway","metadata":{"annotations":{},"name":"bookinfo-gateway","namespace":"bookinfo1"},"spec":{"selector":{"istio":"ingressgateway"},"servers":[{"hosts":["bookinfo1.istio.apps.devday.ocpcloud.com"],"port":{"name":"http","number":80,"protocol":"HTTP"}}]}} 235 | clusterName: "" 236 | creationTimestamp: 2018-10-18T01:01:17Z 237 | generation: 1 238 | name: bookinfo-gateway 239 | namespace: bookinfo1 240 | resourceVersion: "4500380" 241 | selfLink: /apis/networking.istio.io/v1alpha3/namespaces/bookinfo1/gateways/bookinfo-gateway 242 | uid: 517d308a-d271-11e8-900a-069c4762f7ea 243 | spec: 244 | selector: 245 | istio: ingressgateway 246 | servers: 247 | - hosts: 248 | - bookinfo1.istio.apps.devday.ocpcloud.com 249 | port: 250 | name: http 251 | number: 80 252 | protocol: HTTP 253 | 254 | 255 | ----- 256 | 257 | $ kubectl get virtualservice bookinfo -o yaml 258 | apiVersion: 
networking.istio.io/v1alpha3 259 | kind: VirtualService 260 | metadata: 261 | annotations: 262 | kubectl.kubernetes.io/last-applied-configuration: | 263 | {"apiVersion":"networking.istio.io/v1alpha3","kind":"VirtualService","metadata":{"annotations":{},"name":"bookinfo","namespace":"bookinfo1"},"spec":{"gateways":["bookinfo-gateway"],"hosts":["bookinfo1.istio.apps.devday.ocpcloud.com"],"http":[{"match":[{"uri":{"exact":"/productpage"}},{"uri":{"exact":"/login"}},{"uri":{"exact":"/logout"}},{"uri":{"prefix":"/api/v1/products"}}],"route":[{"destination":{"host":"productpage","port":{"number":9080}}}]}]}} 264 | clusterName: "" 265 | creationTimestamp: 2018-10-18T01:01:17Z 266 | generation: 1 267 | name: bookinfo 268 | namespace: bookinfo1 269 | resourceVersion: "4500381" 270 | selfLink: /apis/networking.istio.io/v1alpha3/namespaces/bookinfo1/virtualservices/bookinfo 271 | uid: 51a76501-d271-11e8-900a-069c4762f7ea 272 | spec: 273 | gateways: 274 | - bookinfo-gateway 275 | hosts: 276 | - bookinfo1.istio.apps.devday.ocpcloud.com 277 | http: 278 | - match: 279 | - uri: 280 | exact: /productpage 281 | - uri: 282 | exact: /login 283 | - uri: 284 | exact: /logout 285 | - uri: 286 | prefix: /api/v1/products 287 | route: 288 | - destination: 289 | host: productpage 290 | port: 291 | number: 9080 292 | 293 | ``` 294 | 295 | In order to access this application from outside the cluster you will use `bookinfo1.istio.apps.devday.ocpcloud.com`. 296 | 297 | So how does the routing work? 298 | 299 | Let us take a closer look at the pods running in the `istio-system` project specifically for the `ior` pod. 300 | 301 | ``` 302 | $ oc get po -n istio-system | grep ior 303 | ior-69cbb8b7f5-ch6v6 1/1 Running 0 5h 304 | ``` 305 | This pod automatically creates a new route in the `istio-system` project for every `host` entry in the gateway by exposing `istio-ingressgateway`. 
So in the above example it creates an OpenShift route based on the value assigned in the gateway 306 | 307 | ``` 308 | - hosts: 309 | - bookinfo1.istio.apps.devday.ocpcloud.com 310 | ``` 311 | 312 | So, let us check the `istio-system` project for routes for the `istio-ingressgateway` service. You will see two routes. 313 | 314 | ``` 315 | $ oc get route -n istio-system | grep istio-ingressgateway 316 | bookinfo1-gateway-fwb55 bookinfo1.istio.apps.devday.ocpcloud.com istio-ingressgateway http2 None 317 | istio-ingressgateway istio-ingressgateway-istio-system.apps.devday.ocpcloud.com istio-ingressgateway 80 None 318 | ``` 319 | 320 | One of these routes is the route named `istio-ingressgateway` that was created when the Istio control plane was deployed. 321 | The other one, named `bookinfo1-gateway-fwb55` (in your case the name could be slightly different), is the one that was just added automatically by the IOR pod. 322 | 323 | > **Note:** If multiple people are creating their apps, there may be many routes as IOR will expose all those routes. 324 | 325 | 326 | 327 | So when you access your application hostname (in this case `bookinfo1.istio.apps.devday.ocpcloud.com`), since there is an OpenShift route, the request will come to the `istio-ingressgateway` service. Based on the gateway and virtualservice configurations discussed above, the traffic will land in your application.
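Because IOR publishes a route for every gateway `hosts` entry, a shared workshop cluster benefits from a check of who claims which hostname. The following is an added example (not part of the workshop material): it flags gateways that still carry the `*` the `sed` step is meant to replace, hostnames claimed by gateways in more than one project, and virtual service hosts that their gateway does not list. The objects are constructed in the shape of `kubectl get ... -o json` items, and the host matching is a simplified assumption (exact, `*` and `*.suffix` only).

```python
"""Audit Gateway / VirtualService host bindings (added example, constructed data)."""
from collections import defaultdict

DOMAIN = "istio.apps.devday.ocpcloud.com"  # domain shown in the lab text


def gateway(ns, name, hosts):
    """Build an object shaped like one item of `kubectl get gateway -o json`."""
    return {"kind": "Gateway",
            "metadata": {"namespace": ns, "name": name},
            "spec": {"selector": {"istio": "ingressgateway"},
                     "servers": [{"hosts": hosts,
                                  "port": {"name": "http", "number": 80,
                                           "protocol": "HTTP"}}]}}


def virtual_service(ns, name, hosts, gateways):
    """Build an object shaped like one item of `kubectl get virtualservice -o json`."""
    return {"kind": "VirtualService",
            "metadata": {"namespace": ns, "name": name},
            "spec": {"hosts": hosts, "gateways": gateways}}


# Constructed sample: bookinfo1 follows the lab, bookinfo2 kept "*" in its
# gateway, bookinfo3 put bookinfo1's hostname into its own gateway.
GATEWAYS = [
    gateway("bookinfo1", "bookinfo-gateway", [f"bookinfo1.{DOMAIN}"]),
    gateway("bookinfo2", "bookinfo-gateway", ["*"]),
    gateway("bookinfo3", "bookinfo-gateway", [f"bookinfo1.{DOMAIN}"]),
]
VIRTUAL_SERVICES = [
    virtual_service(f"bookinfo{i}", "bookinfo", [f"bookinfo{i}.{DOMAIN}"],
                    ["bookinfo-gateway"])
    for i in (1, 2, 3)
]


def gateway_hosts(gw):
    return [h for s in gw["spec"].get("servers", []) for h in s.get("hosts", [])]


def host_matches(pattern, host):
    """Simplified matching: exact, "*" and "*.suffix"; a "namespace/" prefix is dropped."""
    pattern = pattern.split("/")[-1]
    if pattern == "*":
        return True
    if pattern.startswith("*."):
        return host.endswith(pattern[1:])
    return pattern == host


def audit(gateways, virtual_services):
    """Return a list of (finding, detail) tuples."""
    findings, by_key, claims = [], {}, defaultdict(set)
    for gw in gateways:
        ns, name = gw["metadata"]["namespace"], gw["metadata"]["name"]
        by_key[(ns, name)] = gw
        for host in gateway_hosts(gw):
            if host.split("/")[-1] == "*":
                findings.append(("wildcard-host", f"{ns}/{name}"))
            else:
                claims[host].add(ns)
    for host, namespaces in sorted(claims.items()):
        if len(namespaces) > 1:
            findings.append(("host-claimed-twice",
                             f"{host} by {','.join(sorted(namespaces))}"))
    for vs in virtual_services:
        ns, name = vs["metadata"]["namespace"], vs["metadata"]["name"]
        for ref in vs["spec"].get("gateways", []):
            if ref == "mesh":  # reserved name for sidecar-to-sidecar traffic
                continue
            gw_ns, _, gw_name = ref.rpartition("/")
            gw = by_key.get((gw_ns or ns, gw_name))
            if gw is None:
                findings.append(("unknown-gateway", f"{ns}/{name} -> {ref}"))
                continue
            patterns = gateway_hosts(gw)
            for host in vs["spec"].get("hosts", []):
                if not any(host_matches(p, host) for p in patterns):
                    findings.append(("host-not-served", f"{ns}/{name}: {host}"))
    return findings


if __name__ == "__main__":
    for kind, detail in audit(GATEWAYS, VIRTUAL_SERVICES):
        print(f"{kind:20} {detail}")
```

On a live cluster the two input lists would come from the `items` arrays of `kubectl get gateway --all-namespaces -o json` and the matching `virtualservice` query.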
328 | 329 | To summarize the routing: 330 | 331 | `Client` --> `OpenShiftRouter`--> `istio-ingressgateway`-->`bookinfo-gateway`--> `bookinfo virtualservice`--> `productpage` 332 | 333 | * OpenShift router receives the traffic for the default domain (in my case `*.apps.devday.ocpcloud.com`) 334 | * The `istio-ingressgateway` service receives the traffic via the autogenerated IOR route 335 | * `bookinfo-gateway` receives traffic for the specific application hostname (in the above case `bookinfo1.istio.apps.devday.ocpcloud.com`) 336 | * `bookinfo virtualservice` redirects the traffic to specific endpoints exposed by the application. 337 | 338 | ----- 339 | 340 | 341 | 342 | > **Note** Your URLs would be different from mine. So use your values. If you want to know your URLs run `kubectl get route -n istio-system` 343 | 344 | Save this URL as an environment variable 345 | 346 | ``` 347 | export URL=$(kubectl get virtualservice bookinfo -o jsonpath='{.spec.hosts[0]}') 348 | ``` 349 | So I can access the product page at the URL [http://${URL}/productpage](http://${URL}/productpage). 350 | 351 | Familiarize yourself with this application a little bit. Use it a few times. 352 | 353 | ### Service Graph 354 | 355 | Check the service graph on Kiali at [https://kiali-istio-system.192.168.64.72.nip.io](https://kiali-istio-system.192.168.64.72.nip.io) 356 | You can use the `Graph` menu item on the left of Kiali to view this graph as below: *Use your own URL* 357 | ![kialiservicegraph](./images/kialiServiceGraph.jpeg) 358 | 359 | Right next to the service graph, you will see a summary of the traffic success and error rates, which gives you a snapshot of the health of your microservices running on the platform. 360 | 361 | ### Application Metrics 362 | 363 | Click on the `Applications` menu to get an application centric view of different microservices, their health/error rate and their inbound and outbound metrics such as `Request Volume`, `Request Duration`, `Request Size`, `Response Size` etc.
364 | These are helpful for debugging your microservices as you use them further. 365 | 366 | You'll get similar information using `Workloads` menu item, where the viewpoint is based on kubernetes deployments rather than applications. 367 | 368 | Yet another view is provided based on Kubernetes Services with the `Services` menu item. 369 | 370 | ### Tracing 371 | 372 | Click on `Distributed Tracing ` on the Kiali menu to connect to Jaeger. 373 | 374 | > **Note** If you are not getting redirected to Jaeger, you may have to enable popups from Kiali page 375 | 376 | Jaeger provides tracing info for all the calls you made. Select a service on the left hand menu such as `istio-ingressgateway` or `productpage` and you will see the list of traces for all your usage. 377 | 378 | ![JaegerTracing](./images/bookinfo_jaeger_1.png) 379 | 380 | You can compare these traces by selecting a few of them, or you can select a particular trace by clicking on one of them and look at the response times as shown below. 381 | 382 | ![JaegerTracing](./images/bookinfo_jaeger_2.png) 383 | 384 | 385 | ### Monitoring 386 | 387 | Also notice the data collected by Prometheus and displayed on Grafana at [http://grafana-istio-system.192.168.64.72.nip.io/d/LJ_uJAvmk/istio-service-dashboard](http://grafana-istio-system.192.168.64.72.nip.io/d/LJ_uJAvmk/istio-service-dashboard) *Use your own URL* 388 | 389 | 390 | 391 | ### Destination Rules 392 | 393 | We have the Bookinfo application running now. Let's apply some destination rules from the file `samples/bookinfo/networking/destination-rule-all-mtls.yaml` that will allow us to shape traffic according to the subsets we define in these rules. 394 | 395 | A [DestinationRule](https://istio.io/docs/reference/config/istio.networking.v1alpha3/#DestinationRule) configures the set of policies to be applied to a request after VirtualService routing has occurred. 396 | 397 | Let us first look at these destination rules. 
There are four rules, applied to **productpage**, **reviews**, **ratings** and **details**. The rules define subsets based on the *version* labels. These subsets will be used in the future labs for traffic shaping. 398 | 399 | ``` 400 | $ cat samples/bookinfo/networking/destination-rule-all-mtls.yaml 401 | apiVersion: networking.istio.io/v1alpha3 402 | kind: DestinationRule 403 | metadata: 404 | name: productpage 405 | spec: 406 | host: productpage 407 | trafficPolicy: 408 | tls: 409 | mode: ISTIO_MUTUAL 410 | subsets: 411 | - name: v1 412 | labels: 413 | version: v1 414 | --- 415 | apiVersion: networking.istio.io/v1alpha3 416 | kind: DestinationRule 417 | metadata: 418 | name: reviews 419 | spec: 420 | host: reviews 421 | trafficPolicy: 422 | tls: 423 | mode: ISTIO_MUTUAL 424 | subsets: 425 | - name: v1 426 | labels: 427 | version: v1 428 | - name: v2 429 | labels: 430 | version: v2 431 | - name: v3 432 | labels: 433 | version: v3 434 | --- 435 | apiVersion: networking.istio.io/v1alpha3 436 | kind: DestinationRule 437 | metadata: 438 | name: ratings 439 | spec: 440 | host: ratings 441 | trafficPolicy: 442 | tls: 443 | mode: ISTIO_MUTUAL 444 | subsets: 445 | - name: v1 446 | labels: 447 | version: v1 448 | - name: v2 449 | labels: 450 | version: v2 451 | - name: v2-mysql 452 | labels: 453 | version: v2-mysql 454 | - name: v2-mysql-vm 455 | labels: 456 | version: v2-mysql-vm 457 | --- 458 | apiVersion: networking.istio.io/v1alpha3 459 | kind: DestinationRule 460 | metadata: 461 | name: details 462 | spec: 463 | host: details 464 | trafficPolicy: 465 | tls: 466 | mode: ISTIO_MUTUAL 467 | subsets: 468 | - name: v1 469 | labels: 470 | version: v1 471 | - name: v2 472 | labels: 473 | version: v2 474 | --- 475 | ``` 476 | 477 | Let us now apply these rules by running 478 | 479 | ``` 480 | kubectl apply -f samples/bookinfo/networking/destination-rule-all-mtls.yaml 481 | ``` 482 | 483 | Go back to the Kiali menu option `Istio Config` on the left to find these destination
rules. **Istio Config** can be used to view all the rules applied on the traffic at any point in time. 484 | 485 | 486 | ### Clean Up 487 | 488 | > **Note** If you are proceeding with other labs, do not run the clean up. Just move ahead with the next lab. 489 | 490 | In order to remove the BookInfo application deployed so far, run the following commands. 491 | 492 | ``` 493 | samples/bookinfo/platform/kube/cleanup.sh 494 | ``` 495 | 496 | or you can clean up the objects individually by running the following 497 | 498 | ``` 499 | kubectl -n bookinfo delete virtualservices --all # deletes all virtual services 500 | kubectl -n bookinfo delete destinationrules --all # deletes all destination rules 501 | kubectl -n bookinfo delete gateway --all # deletes all gateways 502 | kubectl -n bookinfo delete -f samples/bookinfo/platform/kube/bookinfo.yaml # deletes all services and deployments 503 | kubectl -n bookinfo delete rs --all # deletes all replica sets 504 | kubectl -n bookinfo delete pods --all # deletes all pods 505 | ``` 506 | 507 | 508 | ### Summary 509 | 510 | In this chapter 511 | 512 | * We have deployed our sample Bookinfo application and tested it 513 | * Created a gateway and virtualservice to reach the application. 514 | * Added destination rules to set up routing rules later 515 | * We also looked at how to monitor and trace this application using Istio's supported services 516 | 517 | 518 | 519 | 520 | 521 | -------------------------------------------------------------------------------- /FaultInjection.md: -------------------------------------------------------------------------------- 1 | # Fault Injection 2 | Fault injection is a mechanism where we intentionally introduce a fault condition into a system and observe its behavior. 3 | 4 | In this example, we will observe what happens when we add some delay to the ratings microservice to mimic network latency.
We will then observe the overall behavior of the system to check whether it still responds or whether the delay causes other failures. 5 | 6 | ### Pre-requisites 7 | 8 | * A running Istio Cluster 9 | * Sample BookInfo application deployed 10 | * This is a followup after the [Request Routing Example](./RequestRouting.md). So if you haven't executed the test, you would want to 11 | * create virtual services that would default to v1 i.e., `kubectl apply -f samples/bookinfo/networking/virtual-service-all-v1.yaml` 12 | * add content based routing for user jason to be redirected to v2 i.e., `kubectl apply -f samples/bookinfo/networking/virtual-service-reviews-test-v2.yaml` 13 | 14 | 15 | 16 | ## Verify the response times with No delay 17 | 18 | Run the application a few times from the browser as user `jason`. You will notice in the Jaeger tracer that the response time for the service is a few milliseconds 19 | 20 | ![JaegerTrace](./images/Jaeger_tracing_fault1.png) 21 | 22 | 23 | ## Inject Delay 24 | 25 | Now let's introduce some delay on the ratings service specifically for user "Jason". This rule introduces a fixed delay of 7 seconds on the ratings service for any traffic coming from Jason. You will see that we are introducing this delay using `httpFault`.
26 | 27 | ``` 28 | $ cat samples/bookinfo/networking/virtual-service-ratings-test-delay.yaml 29 | apiVersion: networking.istio.io/v1alpha3 30 | kind: VirtualService 31 | metadata: 32 | name: ratings 33 | spec: 34 | hosts: 35 | - ratings 36 | http: 37 | - match: 38 | - headers: 39 | end-user: 40 | exact: jason 41 | fault: 42 | delay: 43 | percent: 100 44 | fixedDelay: 7s 45 | route: 46 | - destination: 47 | host: ratings 48 | subset: v1 49 | - route: 50 | - destination: 51 | host: ratings 52 | subset: v1 53 | ``` 54 | 55 | Apply the delay by running 56 | 57 | ``` 58 | kubectl apply -f samples/bookinfo/networking/virtual-service-ratings-test-delay.yaml 59 | ``` 60 | and watch the virtual service for ratings updated 61 | 62 | ``` 63 | virtualservice.networking.istio.io/ratings configured 64 | ``` 65 | 66 | Now try accessing the application. The reviews part of the application fails with error "**Error Fetching Product Reviews**" as below: 67 | ![FaultIntroduced](./images/FaultWith10SDelay.jpeg) 68 | 69 | Check Jaeger tracing now again to check the failures. 70 | 71 | ![JaegerTraceWithRatings](./images/Jaeger_tracing_fault2.png) 72 | 73 | 74 | The detailed trace shows that ratings service responded in ~7 seconds. But the reviews service failed in ~3 seconds and then it went for a retry. Even during the retry ratings responded after ~7 seconds and the reviews failed. This is because the timeout between the productpage and reviews service is less (3s + 1 retry = 6s total) than the timeout between the reviews and ratings service (10s) as [hardcoded here](https://github.com/istio/istio/blob/master/samples/bookinfo/src/productpage/productpage.py#L231). 75 | 76 | Sign-out from "Jason" and test as a default user, the calls should go through fine with no errors. 
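The timeout arithmetic above can be checked with a small model of nested timeouts and retries. This is an added example, not part of the lab or of the Bookinfo code: the hop values are the ones quoted in the text, while the absence of a retry between reviews and ratings and the zero processing time of the services themselves are assumptions made for the model.

```python
"""Model nested timeouts and retries along a call chain (added example)."""
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class Hop:
    name: str        # "caller -> callee"
    timeout: float   # seconds the caller waits per attempt
    retries: int     # extra attempts after the first one


@dataclass
class Outcome:
    ok: bool
    elapsed: float              # seconds until the outermost caller has a result
    gave_up_at: Optional[str]   # hop whose caller ran out of attempts, if any


# Values quoted in the text; retries=0 on the inner hop is an assumption.
BOOKINFO = [
    Hop("productpage -> reviews", timeout=3.0, retries=1),
    Hop("reviews -> ratings", timeout=10.0, retries=0),
]


def call(hops: List[Hop], injected_delay: float, i: int = 0) -> Outcome:
    """Simulate hop i calling everything below it; the last callee answers
    after `injected_delay` seconds (the fault injected on ratings)."""
    if i == len(hops):
        return Outcome(True, injected_delay, None)
    hop, elapsed = hops[i], 0.0
    for _ in range(hop.retries + 1):
        down = call(hops, injected_delay, i + 1)
        if down.ok and down.elapsed <= hop.timeout:
            return Outcome(True, elapsed + down.elapsed, None)
        # The caller stops waiting at its own timeout, or earlier if the
        # callee already reported a failure.
        elapsed += min(down.elapsed, hop.timeout)
    return Outcome(False, elapsed, hop.name)


def largest_safe_delay(hops: List[Hop]) -> float:
    """Any delay above the tightest timeout in the chain breaks the request."""
    return min(h.timeout for h in hops)


def sweep(hops: List[Hop], delays: List[float]):
    """Return (delay, ok, elapsed, gave_up_at) for each candidate delay."""
    rows = []
    for d in delays:
        o = call(hops, d)
        rows.append((d, o.ok, o.elapsed, o.gave_up_at))
    return rows


if __name__ == "__main__":
    for row in sweep(BOOKINFO, [2.8, 7.0, 12.0]):
        print(row)
```

With a 7 second delay the model reports a failure after 6 seconds at the `productpage -> reviews` hop, which matches the trace described above.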
77 | 78 | 79 | ### Edit Delay 80 | 81 | Let's now edit the delay to 2.8 seconds on the ratings service to see 82 | 83 | ``` 84 | $ kubectl edit virtualservice ratings 85 | ``` 86 | 87 | Find this section in the editor 88 | ``` 89 | spec: 90 | hosts: 91 | - ratings 92 | http: 93 | - fault: 94 | delay: 95 | fixedDelay: 7s 96 | percent: 100 97 | ``` 98 | 99 | Change it to 100 | 101 | ``` 102 | spec: 103 | hosts: 104 | - ratings 105 | http: 106 | - fault: 107 | delay: 108 | fixedDelay: 2.8s 109 | percent: 100 110 | 111 | ``` 112 | and save. 113 | 114 | Test again, signing in as user "jason". Black star ratings (reviews v2) should be back again. But you will notice a slight wait of <3 seconds. Also observe Jaeger traces to find that the ratings service uses ~2.8 seconds and the rest of the calls go through with no errors. 115 | 116 | ## Inject HTTP Abort Fault 117 | 118 | We'll now introduce an HTTP Abort Fault to the `ratings` service for user `jason`. 119 | 120 | Let us look at the fault we are adding. The following rule throws `httpStatus 500` for the ratings service when the user is `jason`. 121 | 122 | ``` 123 | $ cat samples/bookinfo/networking/virtual-service-ratings-test-abort.yaml 124 | apiVersion: networking.istio.io/v1alpha3 125 | kind: VirtualService 126 | metadata: 127 | name: ratings 128 | spec: 129 | hosts: 130 | - ratings 131 | http: 132 | - match: 133 | - headers: 134 | end-user: 135 | exact: jason 136 | fault: 137 | abort: 138 | percent: 100 139 | httpStatus: 500 140 | route: 141 | - destination: 142 | host: ratings 143 | subset: v1 144 | - route: 145 | - destination: 146 | host: ratings 147 | subset: v1 148 | ``` 149 | 150 | Apply this fault by running 151 | 152 | ``` 153 | kubectl apply -f samples/bookinfo/networking/virtual-service-ratings-test-abort.yaml 154 | ``` 155 | 156 | Test the application as a regular user. The output should show ratings without any stars. 157 | 158 | Now sign in as user `jason` and run again.
You will see a message that *`Ratings service is currently unavailable`* 159 | 160 | You can also notice errors in Jaeger for the ratings service. Also note the service graph showing errors between `reviews` and `ratings` in red as shown below. 161 | 162 | ![Ratings Http Fault](./images/kiali_ratings_fault.png) 163 | 164 | ## Clean up 165 | 166 | To clean up, remove the routing rules by deleting the virtual services created earlier. 167 | 168 | ``` 169 | kubectl delete -f samples/bookinfo/networking/virtual-service-all-v1.yaml 170 | ``` 171 | ## Summary 172 | In this lab, we have learnt to inject a fault by mimicking network latency and an HTTP fault for a specific user, and tested how the overall system behaves. -------------------------------------------------------------------------------- /InstallInfrastructureComponents.md: -------------------------------------------------------------------------------- 1 | # Install Infrastructure Components 2 | 3 | Switch over to the `istio-system` project 4 | 5 | ``` 6 | $ oc project istio-system 7 | ``` 8 | 9 | Install [Zipkin](http://zipkin.io/) for tracing and expose the service as a route so that you can access the Zipkin UI. 10 | 11 | ``` 12 | $ oc apply -f install/kubernetes/addons/zipkin.yaml 13 | $ oc expose svc zipkin 14 | ``` 15 | 16 | Install [Prometheus](https://prometheus.io/) for metrics and expose the service as a route to access Prometheus. 17 | 18 | ``` 19 | $ oc apply -f install/kubernetes/addons/prometheus.yaml 20 | $ oc expose svc prometheus 21 | ``` 22 | 23 | Prometheus uses [Grafana](https://grafana.com/) for visualization of metrics. Expose the service to get the UI. 24 | 25 | ``` 26 | $ oc apply -f install/kubernetes/addons/grafana.yaml 27 | $ oc expose svc grafana 28 | ``` 29 | 30 | Service graph allows you to visualize the microservices call tree. Let's install servicegraph and expose the service to get the UI.
31 | 32 | ``` 33 | $ oc apply -f install/kubernetes/addons/servicegraph.yaml 34 | $ oc expose svc servicegraph 35 | ``` 36 | 37 | If you list the routes in the `istio-system` project you will get all the URLs that you can access. 38 | 39 | ``` 40 | $ oc get route 41 | NAME HOST/PORT PATH SERVICES PORT TERMINATION WILDCARD 42 | grafana grafana-istio-system.127.0.0.1.nip.io grafana http None 43 | istio-ingress istio-ingress-istio-system.127.0.0.1.nip.io istio-ingress http None 44 | prometheus prometheus-istio-system.127.0.0.1.nip.io prometheus prometheus None 45 | servicegraph servicegraph-istio-system.127.0.0.1.nip.io servicegraph http None 46 | zipkin zipkin-istio-system.127.0.0.1.nip.io zipkin http None 47 | ``` 48 | 49 | Open up the following URLs in the browser. As of now that data will all be empty as we don't have any application running yet. 50 | 51 | 52 | To access service graph as a graph use `/dotviz` suffix 53 | 54 | [http://servicegraph-istio-system.127.0.0.1.nip.io/dotviz](http://servicegraph-istio-system.127.0.0.1.nip.io/dotviz) 55 | 56 | 57 | To access Istio dashboard on Grafana use: 58 | 59 | [http://grafana-istio-system.127.0.0.1.nip.io/dashboard/db/istio-dashboard](http://grafana-istio-system.127.0.0.1.nip.io/dashboard/db/istio-dashboard) 60 | 61 | 62 | For tracing using zipkin: 63 | [http://zipkin-istio-system.127.0.0.1.nip.io/zipkin/](http://zipkin-istio-system.127.0.0.1.nip.io/zipkin/) 64 | 65 | At this point we are ready to deploy an application and test. 66 | -------------------------------------------------------------------------------- /InstallingIstioOnOpenShift.md: -------------------------------------------------------------------------------- 1 | # Deploying Istio on OpenShift 2 | 3 | Here we will learn the administrative steps to deploy Istio on OpenShift and set up the Istio cluster for running the examples to follow in a multi user environment. 
The instructions listed here are based on the official documentation [here](https://docs.openshift.com/container-platform/3.11/servicemesh-install/servicemesh-install.html). 4 | 5 | >**Note** Istio on OpenShift is still Tech Preview. So, these labs are to learn how things are shaping up. Technology Preview releases are not supported with Red Hat production service-level agreements (SLAs) and might not be functionally complete, and Red Hat does NOT recommend using them for production. 6 | 7 | These steps have been tested for `openshift v3.11.88`. 8 | 9 | ## Prerequisites 10 | * A Running OpenShift Cluster that is deployed either using `ovs-subnet` or `ovs-networkpolicy` plugins 11 | * You need administrative access to the cluster to perform the tasks listed in this chapter 12 | 13 | 14 | ## Preparing the Cluster 15 | 16 | ### Apply Patch to Master(s) 17 | 18 | Let us apply the following patch to the master(s) on the master configuration file `/etc/origin/master/master-config.yaml` to enable `MutatingAdmissionWebhook` and `ValidatingAdmissionWebhook`. 
19 | 20 | ``` 21 | admissionConfig: 22 | pluginConfig: 23 | MutatingAdmissionWebhook: 24 | configuration: 25 | apiVersion: apiserver.config.k8s.io/v1alpha1 26 | kubeConfigFile: /dev/null 27 | kind: WebhookAdmission 28 | ValidatingAdmissionWebhook: 29 | configuration: 30 | apiVersion: apiserver.config.k8s.io/v1alpha1 31 | kubeConfigFile: /dev/null 32 | kind: WebhookAdmission 33 | ``` 34 | 35 | You can download the patch first, take a back up and use `oc ex config patch` using the patch and the backup files to apply the patch as shown below: 36 | 37 | ``` 38 | mkdir istio-install 39 | cd istio-install 40 | wget https://raw.githubusercontent.com/Maistra/openshift-ansible/maistra-0.4/istio/master-config.patch 41 | cp -p /etc/origin/master/master-config.yaml /etc/origin/master/master-config.yaml.prepatch 42 | oc ex config patch /etc/origin/master/master-config.yaml.prepatch -p "$(cat ./master-config.patch)" > /etc/origin/master/master-config.yaml 43 | ``` 44 | 45 | >**Note** If you have multiple masters, do this on all masters. 46 | 47 | Ensure your master-config file shows the webhooks as shown below 48 | 49 | ``` 50 | # cat /etc/origin/master/master-config.yaml 51 | admissionConfig: 52 | pluginConfig: 53 | .... 54 | .... 55 | MutatingAdmissionWebhook: 56 | configuration: 57 | apiVersion: apiserver.config.k8s.io/v1alpha1 58 | kind: WebhookAdmission 59 | kubeConfigFile: /dev/null 60 | ValidatingAdmissionWebhook: 61 | configuration: 62 | apiVersion: apiserver.config.k8s.io/v1alpha1 63 | kind: WebhookAdmission 64 | kubeConfigFile: /dev/null 65 | .... 66 | .... 67 | 68 | ``` 69 | 70 | Now restart the master(s) by running: 71 | 72 | ``` 73 | /usr/local/bin/master-restart api 74 | /usr/local/bin/master-restart controllers 75 | ``` 76 | 77 | ### Updating Node Configuration 78 | 79 | To run the Elasticsearch application, you must make a change to the kernel configuration on each node. 
On every node 80 | 81 | * Create a file named `/etc/sysctl.d/99-elasticsearch.conf` with `vm.max_map_count = 262144` 82 | * Run the command `sysctl vm.max_map_count=262144` 83 | 84 | Let us accomplish these tasks using Ansible. Create a list of all nodes in a file as shown below. You can also use the `/etc/ansible/hosts` file if you already have this list there. 85 | 86 | ``` 87 | # cat hostnames.txt 88 | [nodes] 89 | master.us-west-2.compute.internal 90 | node1.us-west-2.compute.internal 91 | node2.us-west-2.compute.internal 92 | node3.us-west-2.compute.internal 93 | node4.us-west-2.compute.internal 94 | ``` 95 | 96 | Run the commands across all nodes to update configurations 97 | 98 | ``` 99 | ansible nodes -i hostnames.txt -m shell -a "echo 'vm.max_map_count = 262144' > /etc/sysctl.d/99-elasticsearch.conf" 100 | ansible nodes -i hostnames.txt -m shell -a "sysctl vm.max_map_count=262144" 101 | ``` 102 | 103 | **Note:** If you restart the nodes, the setting `sysctl vm.max_map_count=262144` goes away. You may want to check and run the command again. 104 | 105 | ## Installing Service Mesh 106 | 107 | Istio installation is handled by an operator on OpenShift. The Istio operator runs as a pod and watches custom resources (CRs) of kind `controlplane`. If a custom resource of kind `controlplane` is created, the operator follows the configuration provided in that CR and creates a control plane accordingly.
108 | 109 | ### Installing Istio Operator 110 | 111 | As a cluster administrator run the following 112 | 113 | * Create two projects to run operator and the other one for istio control plane 114 | 115 | ``` 116 | oc new-project istio-operator 117 | oc new-project istio-system 118 | ``` 119 | 120 | Review the template [https://raw.githubusercontent.com/Maistra/istio-operator/maistra-0.10/deploy/servicemesh-operator.yaml](https://raw.githubusercontent.com/Maistra/istio-operator/maistra-0.10/deploy/servicemesh-operator.yaml) 121 | 122 | This template adds 123 | * Custom Resource Definitions for `installation` and `controlplane` 124 | * Adds a cluster role, and service account for `istio-operator` and creates a role-binding 125 | * Creates a deployment for `istio-operator`. This deployment results in running an `istio-operator` pod that watches the CRs for the above CRDs. 126 | 127 | Apply this template to create custom resource definitions and to run the operator. 128 | 129 | ``` 130 | # oc apply -n istio-operator -f https://raw.githubusercontent.com/Maistra/istio-operator/maistra-0.10/deploy/servicemesh-operator.yaml 131 | 132 | 133 | customresourcedefinition.apiextensions.k8s.io/installations.istio.openshift.com created 134 | customresourcedefinition.apiextensions.k8s.io/controlplanes.istio.openshift.com created 135 | clusterrole.rbac.authorization.k8s.io/istio-operator created 136 | serviceaccount/istio-operator created 137 | clusterrolebinding.rbac.authorization.k8s.io/istio-operator-account-istio-operator-cluster-role-binding created 138 | deployment.apps/istio-operator created 139 | ``` 140 | 141 | Verify that the operator is running 142 | 143 | ``` 144 | # oc get po -n istio-operator 145 | NAME READY STATUS RESTARTS AGE 146 | istio-operator-79c5b4d68f-gvglw 1/1 Running 0 1h 147 | ``` 148 | 149 | Also verify the CRDS created 150 | 151 | ``` 152 | # oc get crd installations.istio.openshift.com 153 | NAME CREATED AT 154 | installations.istio.openshift.com 
2019-04-25T23:25:51Z 155 | 156 | # oc get crd controlplanes.istio.openshift.com 157 | NAME CREATED AT 158 | controlplanes.istio.openshift.com 2019-04-25T23:25:51Z 159 | ``` 160 | 161 | So if you create a custom resource of kind controlplane, the operator is now ready to act on it. 162 | 163 | 164 | ### Create Custom Resource for Istio Installation 165 | 166 | A basic istio control plane installation is provided by the custom resource. Review this custom resource [https://raw.githubusercontent.com/Maistra/istio-operator/maistra-0.10/deploy/examples/istio_v1alpha3_controlplane_cr_basic.yaml](https://raw.githubusercontent.com/Maistra/istio-operator/maistra-0.10/deploy/examples/istio_v1alpha3_controlplane_cr_basic.yaml) 167 | 168 | Note the kind is `ControlPlane` (the CRD that was created earlier) and the CR is named `basic-install` 169 | 170 | ``` 171 | kind: ControlPlane 172 | metadata: 173 | name: basic-install 174 | ``` 175 | Notice that the CR provides configurations for various istio control plane components installed by the operator. 176 | 177 | We will make a small change to this CR so let us first download this CR 178 | 179 | ``` 180 | wget -O istio-installation.yaml https://raw.githubusercontent.com/Maistra/istio-operator/maistra-0.10/deploy/examples/istio_v1alpha3_controlplane_cr_basic.yaml 181 | ``` 182 | 183 | and make a change to enable automatic Istio openshift route creation by changing `ior_enabled` to `true`. This change will start an ior operator that automatically creates a new openshift route for each application you deploy with a specific host so that we have an ingress for our application. If you don't understand this, it's OK. We will discuss more on this later. Run the following command to make the above change to the CR. 184 | 185 | ``` 186 | sed -ibak -e "s/ior_enabled: false/ior_enabled: true/" istio-installation.yaml 187 | ``` 188 | 189 | You can `cat istio-installation.yaml` to verify the change is effective. 
190 | 191 | 192 | Create the CR by running 193 | 194 | ``` 195 | # oc create -f istio-installation.yaml 196 | 197 | controlplane.istio.openshift.com/basic-install created 198 | ``` 199 | Once the CR is created, operator starts installing the istio control plane components. If you watch `istio-system` project running `watch oc get po -n istio-system` eventually you will see the following pods running 200 | 201 | ``` 202 | watch oc get po -n istio-system 203 | 204 | NAME READY STATUS RESTARTS AGE 205 | elasticsearch-0 1/1 Running 0 2h 206 | grafana-6c5dfdf5bd-pphkp 1/1 Running 0 2h 207 | ior-69cbb8b7f5-ch6v6 1/1 Running 0 8m 208 | istio-citadel-66cf447cbd-9vzlw 1/1 Running 0 2h 209 | istio-egressgateway-69b65dddf5-mpkbd 1/1 Running 0 2h 210 | istio-galley-5dbd58568d-g7bkl 1/1 Running 0 2h 211 | istio-ingressgateway-b688c9d9b-st44c 1/1 Running 0 2h 212 | istio-pilot-79668d4bf6-ppp5n 2/2 Running 0 2h 213 | istio-policy-5f45fcf95f-zn72c 2/2 Running 0 2h 214 | istio-sidecar-injector-7c44bcbbcd-rshvg 1/1 Running 0 2h 215 | istio-telemetry-7fcd854d6b-2q7wd 2/2 Running 0 2h 216 | jaeger-agent-cvgk9 1/1 Running 0 2h 217 | jaeger-agent-kjhpb 1/1 Running 0 2h 218 | jaeger-agent-kwfxh 1/1 Running 0 2h 219 | jaeger-agent-vdv92 1/1 Running 0 2h 220 | jaeger-agent-zw7hm 1/1 Running 0 2h 221 | jaeger-collector-576b66f88c-qrzrt 1/1 Running 2 2h 222 | jaeger-query-7549b87c55-cfvfv 1/1 Running 2 2h 223 | kiali-7475849854-cfxsq 1/1 Running 0 2h 224 | prometheus-5dfcf8dcf9-l9xgp 1/1 Running 0 2h 225 | ``` 226 | 227 | ### Cleanup 228 | 229 | To **uninstall Istio Control Plane**, we just need to delete the custom resource and the operator will handle the clean up. 230 | 231 | ``` 232 | oc delete controlplane basic-install 233 | ``` 234 | 235 | Verify that the controlplane custom resource is deleted and the operator has deleted the pods related to control plane in the `istio-system` project. 236 | 237 | ``` 238 | # oc get controlplane -n istio-system 239 | No resources found. 
240 | 241 | # oc get po -n istio-system 242 | No resources found. 243 | ``` 244 | 245 | Note that istio-operator is still running. If you are interested in just removing control plane to reinstall, you can stop here. 246 | 247 | ``` 248 | # oc get po -n istio-operator 249 | NAME READY STATUS RESTARTS AGE 250 | istio-operator-79c5b4d68f-b6gj2 1/1 Running 0 19h 251 | ``` 252 | 253 | If you want to remove istio-operator, run `oc delete` using the same template that we used to create the operator. This removes the CRDs and the deployment for the operator 254 | 255 | ``` 256 | # oc delete -n istio-operator -f https://raw.githubusercontent.com/Maistra/istio-operator/maistra-0.10/deploy/servicemesh-operator.yaml 257 | 258 | 259 | customresourcedefinition.apiextensions.k8s.io "installations.istio.openshift.com" deleted 260 | customresourcedefinition.apiextensions.k8s.io "controlplanes.istio.openshift.com" deleted 261 | clusterrole.rbac.authorization.k8s.io "istio-operator" deleted 262 | serviceaccount "istio-operator" deleted 263 | clusterrolebinding.rbac.authorization.k8s.io "istio-operator-account-istio-operator-cluster-role-binding" deleted 264 | deployment.apps "istio-operator" deleted 265 | ``` 266 | and delete respective projects 267 | 268 | ``` 269 | oc delete project istio-system 270 | ``` 271 | and 272 | 273 | ``` 274 | oc delete project istio-operator 275 | ``` 276 | 277 | Now your cluster is completely free of istio and istio-operator. 278 | 279 | 280 | ## Preparing Istio Cluster for a Multi-user Workshop 281 | 282 | ### Additional access to the users 283 | 284 | As of now, each user that needs to run Istio examples need `view` access to the `istio-system` project. 
You can provide such access by running the following command for each user:

```
oc adm policy add-role-to-user view user1 -n istio-system
```
> **Note** If you are enabling this cluster for a workshop with a bunch of users, run the above command for all the user-ids created for the workshop.


### Additional access to the project

Applications are deployed into projects/namespaces. On OpenShift, the applications running in a namespace run with the `default` service account. This `default` service account runs with the `restricted` SCC, which prevents it from running containers as specific user-ids or root, and also restricts the Linux capabilities.

Istio requires specific kinds of access at the project level:

* As of now, the `default` service account needs to be elevated to the `privileged` SCC, so that it can allow the application pods to have init containers whose `proxy_init` runs in privileged mode and adds `NET_ADMIN` as shown here. You will find this configuration in the individual `deployment` artifacts when you deploy the application.

```
initContainers:
- args:
  - -p
  - "15001"
  - -u
  - "1337"
  - -m
  - REDIRECT
  - -i
  - '*'
  - -x
  - ""
  - -b
  - 9080,
  - -d
  - ""
  image: docker.io/istio/proxy_init:1.0.2
  imagePullPolicy: IfNotPresent
  name: istio-init
  resources: {}
  securityContext:
    capabilities:
      add:
      - NET_ADMIN
    privileged: true
```

Let's create a project named `bookinfo1` for a workshop user named `user1`, label this project for istio-injection, and make `user1` the project administrator. If there are multiple workshop users, you would repeat these steps for every user. **Example:** Project `bookinfo2` for `user2` and so on. Make a note of the projects created for each user and let them know.

```
oc new-project bookinfo1
oc adm policy add-scc-to-user privileged -z default -n bookinfo1
oc adm policy add-scc-to-user anyuid -z default -n bookinfo1
oc adm policy add-role-to-user admin user1 -n bookinfo1
```

Now, if a user logs in as `user1`, they will see both `bookinfo1` and `istio-system` in their list.


## Summary

In this chapter we learnt to perform the following administrative tasks on an OpenShift cluster:

* Preparing an OpenShift cluster to install Istio
* Installing Istio
* Enabling user(s) to run applications on Istio
* Creating project(s) with the necessary privileges for end users to use

--------------------------------------------------------------------------------
/RequestRouting.md:
--------------------------------------------------------------------------------
# Request Routing

### Prerequisites

* A running Istio Cluster
* Sample BookInfo Application deployed
* Destination rules created

## Routing all traffic to version 1
If you test the Bookinfo application in the browser, the "Reviews" output is random each time you access the page.

* Sometimes it hits reviews v1 (No stars)
* Sometimes it hits reviews v2 (black stars)
* Sometimes it hits reviews v3 (red stars)

In this lab we will add virtual services to route all the traffic to version 1. To accomplish this, we will apply a set of virtual services to land traffic on `subset: v1`. These subsets were defined while creating destination rules previously.

> **Note** You can list the current destination rules by running `kubectl get destinationrules -o yaml`

```
$ cat samples/bookinfo/networking/virtual-service-all-v1.yaml
apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
  name: productpage
spec:
  hosts:
  - productpage
  http:
  - route:
    - destination:
        host: productpage
        subset: v1
---
apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
  name: reviews
spec:
  hosts:
  - reviews
  http:
  - route:
    - destination:
        host: reviews
        subset: v1
---
apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
  name: ratings
spec:
  hosts:
  - ratings
  http:
  - route:
    - destination:
        host: ratings
        subset: v1
---
apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
  name: details
spec:
  hosts:
  - details
  http:
  - route:
    - destination:
        host: details
        subset: v1
---

```

Let us apply the virtual services by running

```
kubectl apply -f samples/bookinfo/networking/virtual-service-all-v1.yaml
```
and watch for the following output

```
virtualservice.networking.istio.io/productpage created
virtualservice.networking.istio.io/reviews created
virtualservice.networking.istio.io/ratings created
virtualservice.networking.istio.io/details created
```

At this point you should see the following virtual services. The virtual service bookinfo was created previously and we just created the rest of them.

```
$ kubectl get virtualservice -n bookinfo
NAME          CREATED AT
bookinfo      13m
details       20s
productpage   20s
ratings       20s
reviews       20s
```

If you test the application now, the reviews part of the page displays with no rating stars, no matter how many times you refresh. This is because you configured Istio to route all traffic for the reviews service to the version reviews:v1 and this version of the service does not access the star ratings service.

To generate some data that can be visualized by the supporting services, you can access the application in a loop. Open a new command line window.

* Save the URL as an environment variable

```
export URL=$(kubectl get virtualservice bookinfo -o jsonpath='{.spec.hosts[0]}')
```

* Invoke the application in a loop

```
while true; do curl -o /dev/null -s -w "%{http_code}\n" http://${URL}/productpage; sleep 2; done
```

If you now observe the service graph in Kiali, you will see green lines that show traffic only to version 1 as below:

![ServiceGraphV1](./images/bookinfo_servicegraph_v1.png)

Also look at the newly created virtual services in the `Istio-Config` menu in Kiali.

### Summary
We have added routing rules to redirect all the traffic by default to version 1.

## Canary - Route based on user identity

Let's now assume that we are adding Reviews service v2 as a canary and that we want to allow a specific user to use this service. Reviews v2 calls the ratings service but displays the ratings as **black stars**.

Redirect a specific user to `reviews version v2` based on the header content, i.e., an `end-user` header matching `jason`, as shown below. The rest of the traffic will still flow to `reviews version v1`. Note how the subsets defined previously in the destination rules are being used here.

```
$ cat samples/bookinfo/networking/virtual-service-reviews-test-v2.yaml
apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
  name: reviews
spec:
  hosts:
  - reviews
  http:
  - match:
    - headers:
        end-user:
          exact: jason
    route:
    - destination:
        host: reviews
        subset: v2
  - route:
    - destination:
        host: reviews
        subset: v1
```

Let us now update the virtual service `reviews` by applying this.

```
kubectl apply -f samples/bookinfo/networking/virtual-service-reviews-test-v2.yaml
```
and watch for the following output

```
virtualservice.networking.istio.io/reviews configured
```

You can verify that the change is applied by running `kubectl get virtualservice reviews -o yaml` and checking the output.

Now access the application in the browser, click on `Signin` in the top right corner and log in as user `jason` (the password can be anything). As soon as you log in you will see the reviews with **black stars**, i.e., reviews version v2. Log out and try again to see **no stars**.


Try it a few times and have fun :)

### Summary
Assume you created a new version of the reviews service, v2, and you want to test it as a specific user before releasing it or making it generally available. You introduce it as a canary for that specific user to test.


### Cleanup

> **Note** If you want to continue to the next lab, this clean up is not required.
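
How Istio picks a route for the `reviews` VirtualService used in the canary step, as an added example that is not part of the original lab: http rules are evaluated in order and the first match wins, so a catch-all rule placed first hides the `end-user` rule. The dict mirrors `virtual-service-reviews-test-v2.yaml`; `select_subset` and `unreachable_rules` are hypothetical helper names, and weights are ignored because each rule here has a single destination.

```python
import re

# The `reviews` VirtualService spec from this lab, transcribed as a Python dict.
REVIEWS_VS = {
    "hosts": ["reviews"],
    "http": [
        {
            "match": [{"headers": {"end-user": {"exact": "jason"}}}],
            "route": [{"destination": {"host": "reviews", "subset": "v2"}}],
        },
        {"route": [{"destination": {"host": "reviews", "subset": "v1"}}]},
    ],
}


def string_match(rule, value):
    """Evaluate one StringMatch (exact / prefix / regex) against a header value."""
    if value is None:
        return False
    if "exact" in rule:
        return value == rule["exact"]  # case-sensitive comparison of the value
    if "prefix" in rule:
        return value.startswith(rule["prefix"])
    if "regex" in rule:
        # The regex has to match the whole value, not a substring of it.
        return re.fullmatch(rule["regex"], value) is not None
    return False


def block_matches(block, headers):
    """Every header condition inside one match block must hold (AND)."""
    return all(
        string_match(rule, headers.get(name.lower()))
        for name, rule in block.get("headers", {}).items()
    )


def select_subset(virtual_service, request_headers):
    """Return the subset of the first http rule that matches, or None."""
    # Header names are case-insensitive, so normalise them before matching.
    headers = {k.lower(): v for k, v in request_headers.items()}
    for rule in virtual_service["http"]:
        blocks = rule.get("match")
        # A rule without `match` accepts every request; several match blocks are ORed.
        if not blocks or any(block_matches(b, headers) for b in blocks):
            return rule["route"][0]["destination"]["subset"]
    return None


def unreachable_rules(virtual_service):
    """Indexes of http rules that sit behind a catch-all rule and can never fire."""
    rules = virtual_service["http"]
    for index, rule in enumerate(rules):
        if not rule.get("match"):
            return list(range(index + 1, len(rules)))
    return []


if __name__ == "__main__":
    print(select_subset(REVIEWS_VS, {"end-user": "jason"}))  # signed in as jason
    print(select_subset(REVIEWS_VS, {}))                     # anonymous request
    # Same two rules in the wrong order: the canary rule is shadowed.
    reordered = {"hosts": ["reviews"], "http": list(reversed(REVIEWS_VS["http"]))}
    print(select_subset(reordered, {"end-user": "jason"}), unreachable_rules(reordered))
```
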

To clean up all the virtual services we added, remove them using the following command

```
kubectl delete -f samples/bookinfo/networking/virtual-service-all-v1.yaml
```

Once you clean up these rules, the traffic should now be distributed to all versions and hence you should be randomly seeing **no stars**, **black stars** and **red stars**.

--------------------------------------------------------------------------------
/RequestTimeOut.md:
--------------------------------------------------------------------------------
# Request timeouts

In this exercise we will learn to introduce timeouts using routing rules.


### Pre-requisites

* A running Istio Cluster
* Sample BookInfo Application deployed
* Destination rules created
* Create virtual services that would default to v1, i.e., `kubectl apply -f samples/bookinfo/networking/virtual-service-all-v1.yaml`

## Add Request Time Out

We'll change the default reviews virtual service to redirect the traffic to reviews version v2 as below:

```
cat <
```

> **Note** The OpenShift installer automagically sets up all of these for you! You don't need to go through extra steps to set up the supporting services.

````
$ kubectl get route -n istio-system
NAME                   HOST/PORT                                                PATH   SERVICES               PORT              TERMINATION   WILDCARD
grafana                grafana-istio-system.192.168.64.72.nip.io                       grafana                http                            None
istio-ingressgateway   istio-ingressgateway-istio-system.192.168.64.72.nip.io          istio-ingressgateway   http2                           None
jaeger-query           jaeger-query-istio-system.192.168.64.72.nip.io                  jaeger-query           jaeger-query      edge          None
kiali                  kiali-istio-system.192.168.64.72.nip.io                         kiali                  http-kiali        reencrypt     None
prometheus             prometheus-istio-system.192.168.64.72.nip.io                    prometheus             http-prometheus                 None
tracing                tracing-istio-system.192.168.64.72.nip.io                       tracing                tracing           edge          None
````

### Prometheus

You can access Prometheus using the route exposed for prometheus. In my case it is [http://prometheus-istio-system.192.168.64.72.nip.io](http://prometheus-istio-system.192.168.64.72.nip.io/graph)

![Prometheus](./images/Prometheus_1.png)

You can select metrics, create expressions and execute them. You can also view data in graphical form.

### Grafana

You can access Grafana using the route exposed for grafana. In my case it is [http://grafana-istio-system.192.168.64.72.nip.io/graph](http://grafana-istio-system.192.168.64.72.nip.io/graph).

![Grafana 1](./images/grafana_1.png)

Istio provides a set of dashboards by default. You can select each one of them to view the metrics it displays in graphical form.
![Grafana 2](./images/grafana_2.png)

### Jaeger
Jaeger provides distributed tracing (observability) of how microservices connect to each other. You can access Jaeger using the route exposed. In my case it is
[https://jaeger-query-istio-system.192.168.64.74.nip.io](https://jaeger-query-istio-system.192.168.64.74.nip.io)

You will see the Jaeger console as below. Once we deploy an application and run it, you will start seeing some content here.
![Jaeger](./images/jaeger_1.png)


### Kiali
OpenShift uses Kiali for observability: service graph representation, distributed tracing, metrics collection and graphs, configuration validation, health computation and display, service discovery, etc.

You can access Kiali using the route exposed. In my case it is [https://kiali-istio-system.192.168.64.74.nip.io/](https://kiali-istio-system.192.168.64.74.nip.io/)

It will prompt you to log in to Kiali, and you can use `admin/admin` as credentials for now. Once you log in, it shows the console as shown below.

![Kiali](./images/kiali.png)

Navigate and familiarize yourself with all these supporting tools. We will use these as required once we deploy sample applications.

--------------------------------------------------------------------------------
/istio_installation.yaml:
--------------------------------------------------------------------------------
apiVersion: "istio.openshift.com/v1alpha1"
kind: "Installation"
metadata:
  name: "istio-installation"
spec:
  deployment_type: openshift
  istio:
    authentication: true
    community: false
    prefix: openshift-istio-tech-preview/
    version: 0.5.0
  jaeger:
    prefix: distributed-tracing-tech-preview/
    version: 1.8.1
    elasticsearch_memory: 1Gi
  kiali:
    username: admin
    password: admin
    prefix: openshift-istio-tech-preview/
    version: 0.10.1

--------------------------------------------------------------------------------
/readme.md:
--------------------------------------------------------------------------------
# Istio on Openshift


## Deploying Istio

* [Deploying Istio with minishift](./DeployingIstioWithMinishift.md)
* [Installing Istio on an OpenShift Cluster](./InstallingIstioOnOpenShift.md)

## Supporting Services
* [Understanding Supporting Services](./UsingIstioSupportingServices.md)


## Sample Application
* [Deploy Sample BookInfo Application](./DeployingSampleApplication.md)     [Istio_Documentation](https://istio.io/docs/examples/bookinfo/)

## Traffic Management
* [Request Routing and Identity Based Routing](./RequestRouting.md)     [Istio_Documentation](https://istio.io/docs/tasks/traffic-management/request-routing/)
* [Fault Injections - Latency and Abort](./FaultInjection.md)     [Istio_Documentation](https://istio.io/docs/tasks/traffic-management/fault-injection.html)
* [Traffic Shifting - AB Testing](./ABTesting.md)     [Istio_Documentation](https://istio.io/docs/tasks/traffic-management/traffic-shifting/)
* [Request Timeouts](./RequestTimeOut.md)     [Istio_Documentation](https://istio.io/docs/tasks/traffic-management/request-timeouts)
* [Rules Precedence](./RulesPrecedence.md)
* [Ingress Routing](./ControllingIngressTraffic.md)
* [Egress Routing](./ControllingEgressTraffic.md)     [Istio_Documentation](https://istio.io/docs/tasks/traffic-management/egress/)
* [Circuit Breaking](./CircuitBreaking.md)     [Istio_Documentation](https://istio.io/docs/tasks/traffic-management/circuit-breaking)
--------------------------------------------------------------------------------
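
The `privileged` SCC grant to the `default` service account, described under "Additional access to the project" in InstallingIstioOnOpenShift.md, applies to every pod in the project that runs under that account, not only to `istio-init`. As an added example (not part of the original labs), this check lists containers that use elevated settings other than the expected `istio-init` init container; the pod list is constructed sample data shaped like `oc get pods -n bookinfo1 -o json`, and `elevated` and `audit` are hypothetical helper names.

```python
import json

# Constructed sample shaped like `oc get pods -n bookinfo1 -o json`; not real cluster output.
SAMPLE_PODS = json.loads("""
{"items": [
  {"metadata": {"name": "reviews-v1-0001"},
   "spec": {
     "initContainers": [
       {"name": "istio-init", "image": "docker.io/istio/proxy_init:1.0.2",
        "securityContext": {"privileged": true, "capabilities": {"add": ["NET_ADMIN"]}}}],
     "containers": [
       {"name": "reviews", "image": "example.invalid/reviews:v1"},
       {"name": "istio-proxy", "image": "example.invalid/proxyv2:1.0.2"}]}},
  {"metadata": {"name": "debug-shell"},
   "spec": {"containers": [
       {"name": "shell", "image": "example.invalid/tools:latest",
        "securityContext": {"privileged": true}}]}},
  {"metadata": {"name": "lookalike"},
   "spec": {
     "initContainers": [
       {"name": "istio-init", "image": "example.invalid/tools:latest",
        "securityContext": {"capabilities": {"add": ["NET_ADMIN", "SYS_ADMIN"]}}}],
     "containers": [
       {"name": "app", "image": "example.invalid/app:1",
        "securityContext": {"runAsUser": 0}}]}}
]}
""")

# Allow-list for this lab: the init container shown in the deployment snippet on this page.
# Name and image are a convention, not proof of provenance, so treat the result as triage.
EXPECTED_NAME = "istio-init"
EXPECTED_IMAGE_PREFIX = "docker.io/istio/proxy_init:"


def elevated(container):
    """Reasons this container could not run under the `restricted` SCC."""
    ctx = container.get("securityContext") or {}
    reasons = []
    if ctx.get("privileged"):
        reasons.append("privileged")
    for cap in (ctx.get("capabilities") or {}).get("add") or []:
        reasons.append("cap:" + cap)
    if ctx.get("runAsUser") == 0:
        reasons.append("runAsUser=0")
    return reasons


def audit(pod_list):
    """Return (pod, container, reasons) for each elevated container that is not the expected one."""
    findings = []
    for pod in pod_list["items"]:
        spec = pod["spec"]
        for kind in ("initContainers", "containers"):
            for container in spec.get(kind) or []:
                reasons = elevated(container)
                expected = (
                    kind == "initContainers"
                    and container["name"] == EXPECTED_NAME
                    and container.get("image", "").startswith(EXPECTED_IMAGE_PREFIX)
                )
                if reasons and not expected:
                    findings.append((pod["metadata"]["name"], container["name"], reasons))
    return findings


if __name__ == "__main__":
    for pod, container, reasons in audit(SAMPLE_PODS):
        print(f"{pod}/{container}: {', '.join(reasons)}")
```
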