Setup

Prerequisite CLI tools

You will need in this tutorial:

  • openshift
  • Mac: brew install openshift-cli
  • minishift
  • docker

  • Mac OS

  • Fedora: dnf install docker

  • kubectl

  • Mac OS

  • Fedora: dnf install kubernetes-client

  • oc (eval $(minishift oc-env))

  • Apache Maven

  • Mac OS

  • Fedora: dnf install maven

  • istioctl (will be installed via the steps below)

  • curl, gunzip, tar

  • Mac OS: built-in or part of your bash shell

  • Fedora: should also be installed already, but just in case…​ dnf install curl gzip tar

  • git
  • dnf install git
  • siege

  • MAC OS: brew install siege

  • Fedora: dnf install siege

If you want to validate if everything is installed at once, just open a terminal and run:curl -sL https://git.io/_has | HAS_ALLOW_UNSAFE=y bash -sThe output should be something like:
  1.  minishift docker 18.09.0 oc kubectl git 2.17.2 mvn 3.5.0 curl 7.54.0 stern 1.6.0 siege 4.0.4
You can check quickly if you are missing any tool and decide if you want to install or not.

Setup minishift

In case of using Minishift you need at least minishift v1.24.0.

  1. #!/bin/bash
  3. # add the location of minishift executable to PATH
  4. # I also keep other handy tools like kubectl and kubetail.sh
  5. # in that directory
  7. minishift profile set istio-tutorial
  8. minishift config set memory 8GB
  9. minishift config set cpus 3
  10. minishift config set image-caching true
  11. minishift config set openshift-version v3.11.0
  12. minishift addon enable admin-user
  14. #cdk 3.7 bug - docker url check
  15. minishift config set skip-startup-checks true
  17. minishift start
  18. #This needs to be executed again if you restart minishift.
  19. minishift ssh -- sudo setenforce 0
  21. # Openshift console bug. anyuid needs to be applied after startup
  22. minishift addon apply anyuid

Setup environment

  1. eval $(minishift oc-env)
  2. oc login $(minishift ip):8443 -u admin -p admin
In this tutorial, you will often be polling the customer endpoint with curl, while simultaneously viewing logs via stern or kubetail.sh and issuing commands via oc and istioctl. Consider using three terminal windows.

Upstream Istio installation

  1. #!/bin/bash
  3. # Mac OS:
  4. curl -L https://github.com/istio/istio/releases/download/1.3.0/istio-1.3.0-osx.tar.gz | tar xz
  6. # Fedora/RHEL:
  7. curl -L https://github.com/istio/istio/releases/download/1.3.0/istio-1.3.0-linux.tar.gz | tar xz
  9. # Both:
  10. cd istio-1.3.0
  11. export ISTIO_HOME=`pwd`
  12. export PATH=$ISTIO_HOME/bin:$PATH
  1. for i in install/kubernetes/helm/istio-init/files/crd*yaml; do oc apply -f $i; done
  2. or
  3. for i in install/kubernetes/helm/istio-init/files/crd*yaml; do kubectl apply -f $i; done
  6. oc apply -f install/kubernetes/istio-demo.yaml
  7. or
  8. kubectl apply -f install/kubernetes/istio-demo.yaml
  10. oc project istio-system
  11. or
  12. kubectl config set-context $(kubectl config current-context) --namespace=istio-system
  14. oc expose svc istio-ingressgateway --port=80
  15. oc expose svc grafana
  16. oc expose svc prometheus
  17. oc expose svc tracing
  18. oc expose service kiali --path=/kiali
  19. oc adm policy add-cluster-role-to-user admin system:serviceaccount:istio-system:kiali-service-account -z default
istio-demo.yaml enables policy enforcement by default which is required in some sections of the tutorial. Please refer to https://istio.io/docs/tasks/policy-enforcement/enabling-policy/ if you are not using this file.

Wait for Istio’s components to be ready

  1. $ oc get pods -w
  2. or
  3. $ kubectl get pods -w
  5. NAME                                        READY     STATUS      RESTARTS   AGE
  6. grafana-55cd86b44c-2vndc                  1/1     Running     0          88m
  7. istio-citadel-f9fbdd9df-xzzr7             1/1     Running     0          88m
  8. istio-cleanup-secrets-1.1.6-d5css         0/1     Completed   0          88m
  9. istio-egressgateway-895fb885d-bdqkv       1/1     Running     0          89m
  10. istio-galley-5797db85b8-4866m             1/1     Running     0          89m
  11. istio-grafana-post-install-1.1.6-6dk5h    0/1     Completed   0          89m
  12. istio-ingressgateway-58f959476f-82zsf     1/1     Running     0          89m
  13. istio-pilot-57d4bb58ff-tt8r4              2/2     Running     0          88m
  14. istio-policy-79b88bcdf9-qqp4r             2/2     Running     6          88m
  15. istio-security-post-install-1.1.6-8mmxj   0/1     Completed   0          88m
  16. istio-sidecar-injector-7698fc57fb-dlnx4   1/1     Running     0          88m
  17. istio-telemetry-b9799c89-d94hj            2/2     Running     6          88m
  18. istio-tracing-7454db9d79-9qwqr            1/1     Running     0          88m
  19. kiali-66d74fc6cc-zdzzt                    1/1     Running     0          88m
  20. prometheus-7d9fb4b69c-ww5w7               1/1     Running     0          88m

And if you need quick access to the OpenShift console

  1. minishift console
On your first launch of the OpenShift console via minishift, you will receive a warning like "Your connection is not private". For our demo, simply select "Proceed to 192.168.xx.xx (unsafe)" to bypass the warning. Both the username and the password are set to admin, thanks to the admin-user add-on.