diff --git a/modules/ossm-about-collecting-ossm-data.adoc b/modules/ossm-about-collecting-ossm-data.adoc index 717c283d3edb..c36781d8e714 100644 --- a/modules/ossm-about-collecting-ossm-data.adoc +++ b/modules/ossm-about-collecting-ossm-data.adoc @@ -9,6 +9,7 @@ You can use the `oc adm must-gather` CLI command to collect information about yo To collect {ProductName} data with `must-gather`, you must specify the {ProductName} image: +[source,terminal] ---- $ oc adm must-gather --image=registry.redhat.io/openshift-service-mesh/istio-must-gather-rhel7 ---- diff --git a/modules/ossm-control-plane-deploy.adoc b/modules/ossm-control-plane-deploy.adoc index 474fbb3663ec..d1f838b4a922 100644 --- a/modules/ossm-control-plane-deploy.adoc +++ b/modules/ossm-control-plane-deploy.adoc @@ -80,12 +80,14 @@ Follow this procedure to deploy the {ProductName} control plane the command line . Log in to the {product-title} CLI as a user with the `cluster-admin` role. + +[source,terminal] ---- $ oc login https://{HOSTNAME}:6443 ---- . Create a project named `istio-system`. + +[source,terminal] ---- $ oc new-project istio-system ---- @@ -94,12 +96,14 @@ $ oc new-project istio-system . Run the following command to deploy the control plane: + +[source,terminal] ---- $ oc create -n istio-system -f istio-installation.yaml ---- + . Execute the following command to see the status of the control plane installation. + +[source,terminal] ---- $ oc get smcp -n istio-system ---- @@ -119,6 +123,8 @@ $ oc get pods -n istio-system -w + You should see output similar to the following: + +.Example output +[source,terminal] ---- NAME READY STATUS RESTARTS AGE grafana-7bf5764d9d-2b2f6 2/2 Running 0 28h diff --git a/modules/ossm-control-plane-remove.adoc b/modules/ossm-control-plane-remove.adoc index c1bc3cdf4c3c..584ece35377d 100644 --- a/modules/ossm-control-plane-remove.adoc +++ b/modules/ossm-control-plane-remove.adoc 
@@ -60,6 +60,7 @@ You can use the shortened `smcp` alias in place of `servicemeshcontrolplane`. . Run this command to retrieve the name of the installed `ServiceMeshControlPlane`: + +[source,terminal] ---- $ oc get servicemeshcontrolplanes -n istio-system ---- @@ -67,6 +68,7 @@ $ oc get servicemeshcontrolplanes -n istio-system + . Replace `` with the output from the previous command, and run this command to remove the custom resource: + +[source,terminal] ---- $ oc delete servicemeshcontrolplanes -n istio-system ---- diff --git a/modules/ossm-control-plane-templates.adoc b/modules/ossm-control-plane-templates.adoc index a2d62bc76515..60a2fb8d8420 100644 --- a/modules/ossm-control-plane-templates.adoc +++ b/modules/ossm-control-plane-templates.adoc @@ -31,19 +31,27 @@ Follow this procedure to create the ConfigMap. . From the CLI, run this command to create the ConfigMap named `smcp-templates` in the `openshift-operators` project and replace `` with the location of the `ServiceMeshControlPlane` files on your local disk: + +[source,terminal] ---- $ oc create configmap --from-file= smcp-templates -n openshift-operators ---- . Locate the Operator ClusterServiceVersion name. + +[source,terminal] ---- $ oc get clusterserviceversion -n openshift-operators | grep 'Service Mesh' +---- ++ +.Example output +[source,terminal] +---- maistra.v1.0.0 Red Hat OpenShift Service Mesh 1.0.0 Succeeded ---- . Edit the Operator cluster service version to instruct the Operator to use the `smcp-templates` ConfigMap. + +[source,terminal] ---- $ oc edit clusterserviceversion -n openshift-operators maistra.v1.0.0 ---- diff --git a/modules/ossm-member-roll-create.adoc b/modules/ossm-member-roll-create.adoc index e5e15577ad94..c63ecb12b060 100644 --- a/modules/ossm-member-roll-create.adoc +++ b/modules/ossm-member-roll-create.adoc 
@@ -74,12 +74,14 @@ Follow this procedure to add a project to the `ServiceMeshMemberRoll` from the c . Log in to the {product-title} CLI. + +[source,terminal] ---- $ oc login ---- + . Create a `ServiceMeshMemberRoll` resource in the same project as the `ServiceMeshControlPlane` resource, in our example that is `istio-system`. The resource must be named `default`. + +[source,terminal] ---- $ oc create -n istio-system -f servicemeshmemberroll-default.yaml ---- diff --git a/modules/ossm-member-roll-modify.adoc b/modules/ossm-member-roll-modify.adoc index 18d9aada90bf..27b364974659 100644 --- a/modules/ossm-member-roll-modify.adoc +++ b/modules/ossm-member-roll-modify.adoc @@ -62,6 +62,7 @@ Follow this procedure to modify an existing {ProductShortName} member roll using . Edit the `ServiceMeshMemberRoll` resource. + +[source,terminal] ---- $ oc edit smmr -n ---- diff --git a/modules/ossm-mixer-policy.adoc b/modules/ossm-mixer-policy.adoc index 7a6e2922d22b..9f9295e213fc 100644 --- a/modules/ossm-mixer-policy.adoc +++ b/modules/ossm-mixer-policy.adoc @@ -17,12 +17,14 @@ In previous versions of {ProductName}, Mixer’s policy enforcement was enabled . Run this command to check the current Mixer policy enforcement status: + +[source,terminal] ---- $ oc get cm -n istio-system istio -o jsonpath='{.data.mesh}' | grep disablePolicyChecks ---- . If `disablePolicyChecks: true`, edit the {ProductShortName} ConfigMap: + +[source,terminal] ---- $ oc edit cm -n istio-system istio ---- diff --git a/modules/ossm-observability-access.adoc b/modules/ossm-observability-access.adoc index e3e31b95d935..6a9f027d3926 100644 --- a/modules/ossm-observability-access.adoc +++ b/modules/ossm-observability-access.adoc @@ -17,6 +17,7 @@ To access the console, in the menu bar, click the *Application launcher* > *Kial . Run this command from the CLI to obtain the route and Kiali URL: + +[source,terminal] ---- $ oc get routes ---- 
diff --git a/modules/ossm-rn-fixed-issues.adoc b/modules/ossm-rn-fixed-issues.adoc index 2117935980b9..b4e578ce8349 100644 --- a/modules/ossm-rn-fixed-issues.adoc +++ b/modules/ossm-rn-fixed-issues.adoc @@ -23,12 +23,28 @@ The following issues been resolved in the current release: + To remove the CRDs, run the following commands: + -[source,bash] +[source,terminal] ---- $ oc delete crd clusterissuers.certmanager.k8s.io +---- ++ +[source,terminal] +---- $ oc delete crd issuers.certmanager.k8s.io +---- ++ +[source,terminal] +---- $ oc delete crd certificates.certmanager.k8s.io +---- ++ +[source,terminal] +---- $ oc delete crd orders.certmanager.k8s.io +---- ++ +[source,terminal] +---- $ oc delete crd challenges.certmanager.k8s.io ---- diff --git a/modules/ossm-routing-bookinfo-example.adoc b/modules/ossm-routing-bookinfo-example.adoc index 16a191d2704e..f6b09662463f 100644 --- a/modules/ossm-routing-bookinfo-example.adoc +++ b/modules/ossm-routing-bookinfo-example.adoc @@ -25,13 +25,19 @@ This tutorial helps you apply rules that route all traffic to `v1` (version 1) o To route to one version only, apply virtual services that set the default version for the micro-services. In the following example, the virtual service routes all traffic to `v1` of each micro-service 1. Run the following command to apply the virtual services: - - $ oc apply -f https://raw.githubusercontent.com/Maistra/istio/maistra-1.1/samples/bookinfo/networking/virtual-service-all-v1.yaml ++ +[source,terminal] +---- +$ oc apply -f https://raw.githubusercontent.com/Maistra/istio/maistra-1.1/samples/bookinfo/networking/virtual-service-all-v1.yaml +---- + 2. To test the command was successful, display the defined routes with the following command: + - $ oc get virtualservices -o yaml -+ +[source,terminal] +---- +$ oc get virtualservices -o yaml +---- ++ That command returns the following YAML file. + [source,yaml] 
@@ -117,13 +123,19 @@ Next, change the route configuration so that all traffic from a specific user is Note that {ProductShortName} doesn't have any special, built-in understanding of user identity. This example is enabled by the fact that the `productpage` service adds a custom `end-user` header to all outbound HTTP requests to the reviews service. 1. Run the following command to enable user-based routing: - - $ oc apply -f https://raw.githubusercontent.com/Maistra/istio/maistra-1.1/samples/bookinfo/networking/virtual-service-reviews-test-v2.yaml ++ +[source,terminal] +---- +$ oc apply -f https://raw.githubusercontent.com/Maistra/istio/maistra-1.1/samples/bookinfo/networking/virtual-service-reviews-test-v2.yaml +---- + 2. Confirm the rule is created: + - $ oc get virtualservice reviews -o yaml -+ +[source,terminal] +---- +$ oc get virtualservice reviews -o yaml +---- ++ That command returns the following YAML file. + [source,yaml] diff --git a/modules/ossm-routing-ingress.adoc b/modules/ossm-routing-ingress.adoc index 30ac23c37c8a..cbbf111b6cea 100644 --- a/modules/ossm-routing-ingress.adoc +++ b/modules/ossm-routing-ingress.adoc @@ -12,6 +12,7 @@ In {ProductName}, the Ingress Gateway enables Service Mesh features such as moni Run the following command to determine if your Kubernetes cluster is running in an environment that supports external load balancers: +[source,terminal] ---- $ oc get svc istio-ingressgateway -n istio-system ---- 
@@ -30,14 +31,17 @@ Follow these instructions if your environment has an external load balancer. Set the ingress IP and ports: +[source,terminal] ---- $ export INGRESS_HOST=$(oc -n istio-system get service istio-ingressgateway -o jsonpath='{.status.loadBalancer.ingress[0].ip}') ---- +[source,terminal] ---- $ export INGRESS_PORT=$(oc -n istio-system get service istio-ingressgateway -o jsonpath='{.spec.ports[?(@.name=="http2")].port}') ---- +[source,terminal] ---- $ export SECURE_INGRESS_PORT=$(oc -n istio-system get service istio-ingressgateway -o jsonpath='{.spec.ports[?(@.name=="https")].port}') ---- @@ -46,6 +50,7 @@ In some environments, the load balancer may be exposed using a host name instead Use the following command to correct the `INGRESS_HOST` value: +[source,terminal] ---- $ export INGRESS_HOST=$(oc -n istio-system get service istio-ingressgateway -o jsonpath='{.status.loadBalancer.ingress[0].hostname}') ---- @@ -56,10 +61,12 @@ Follow these instructions if your environment does not have an external load bal Set the ingress ports: +[source,terminal] ---- $ export INGRESS_PORT=$(oc -n istio-system get service istio-ingressgateway -o jsonpath='{.spec.ports[?(@.name=="http2")].nodePort}') ---- +[source,terminal] ---- $ export SECURE_INGRESS_PORT=$(oc -n istio-system get service istio-ingressgateway -o jsonpath='{.spec.ports[?(@.name=="https")].nodePort}') ---- diff --git a/modules/ossm-routing.adoc b/modules/ossm-routing.adoc index 208d4a7c09ad..94dc357d507a 100644 --- a/modules/ossm-routing.adoc +++ b/modules/ossm-routing.adoc @@ -24,6 +24,7 @@ Without virtual services, {ProductName} distributes traffic using round-robin lo The following example routes requests to different versions of a service depending on which user connects to the application. Use this command to apply this example YAML file, or one you create. +[source,terminal] ---- $ oc apply -f - </ca-cert.pem \ --from-file=/ca-key.pem --from-file=/root-cert.pem \ 
@@ -45,6 +46,7 @@ spec: + 3. To make sure the workloads add the new certificates promptly, delete the secrets generated by {ProductShortName}, named `istio.*`. In this example, `istio.default`. {ProductShortName} issues new certificates for the workloads. + +[source,terminal] ---- $ oc delete secret istio.default ---- @@ -56,18 +58,21 @@ Use the Bookinfo sample application to verify your certificates are mounted corr 1. Store the pod name in the variable `RATINGSPOD`. + +[source,terminal] ---- $ RATINGSPOD=`oc get pods -l app=ratings -o jsonpath='{.items[0].metadata.name}'` ---- + Run the following commands to retrieve the certificates mounted on the proxy. + +[source,terminal] ---- $ oc exec -it $RATINGSPOD -c istio-proxy -- /bin/cat /etc/certs/root-cert.pem > /tmp/pod-root-cert.pem ---- + The file `/tmp/pod-root-cert.pem` contains the root certificate propagated to the pod. + +[source,terminal] ---- $ oc exec -it $RATINGSPOD -c istio-proxy -- /bin/cat /etc/certs/cert-chain.pem > /tmp/pod-cert-chain.pem ---- @@ -76,9 +81,18 @@ The file `/tmp/pod-cert-chain.pem` contains the workload certificate and the CA + 3. Verify the root certificate is the same as the one specified by the Operator. Replace `` with the path to your certificates. + +[source,terminal] ---- $ openssl x509 -in /root-cert.pem -text -noout > /tmp/root-cert.crt.txt +---- ++ +[source,terminal] +---- $ openssl x509 -in /tmp/pod-root-cert.pem -text -noout > /tmp/pod-root-cert.crt.txt +---- ++ +[source,terminal] +---- $ diff /tmp/root-cert.crt.txt /tmp/pod-root-cert.crt.txt ---- + 
@@ -86,10 +100,23 @@ Expect the output to be empty. + 4. Verify the CA certificate is the same as the one specified by Operator. Replace `` with the path to your certificates. + +[source,terminal] ---- $ sed '0,/^-----END CERTIFICATE-----/d' /tmp/pod-cert-chain.pem > /tmp/pod-cert-chain-ca.pem +---- ++ +[source,terminal] +---- $ openssl x509 -in /ca-cert.pem -text -noout > /tmp/ca-cert.crt.txt +---- ++ +[source,terminal] +---- $ openssl x509 -in /tmp/pod-cert-chain-ca.pem -text -noout > /tmp/pod-cert-chain-ca.crt.txt +---- ++ +[source,terminal] +---- $ diff /tmp/ca-cert.crt.txt /tmp/pod-cert-chain-ca.crt.txt ---- + @@ -97,9 +124,19 @@ Expect the output to be empty. + 5. Verify the certificate chain from the root certificate to the workload certificate. Replace `` with the path to your certificates. + +[source,terminal] ---- $ head -n 21 /tmp/pod-cert-chain.pem > /tmp/pod-cert-chain-workload.pem +---- ++ +[source,terminal] +---- $ openssl verify -CAfile <(cat /ca-cert.pem /root-cert.pem) /tmp/pod-cert-chain-workload.pem +---- ++ +.Example output +[source,terminal] +---- /tmp/pod-cert-chain-workload.pem: OK ---- @@ -110,6 +147,7 @@ To remove the certificates you added, follow these steps. 1. Remove the secret `cacerts`. + +[source,terminal] ---- $ oc delete secret cacerts -n istio-system ---- diff --git a/modules/ossm-tutorial-bookinfo-install.adoc b/modules/ossm-tutorial-bookinfo-install.adoc index 362ef8cb5205..e1d28d057118 100644 --- a/modules/ossm-tutorial-bookinfo-install.adoc +++ b/modules/ossm-tutorial-bookinfo-install.adoc @@ -31,6 +31,7 @@ This tutorial walks you through creating a Bookinfo project, deploying the Booki + ** Alternatively, you can run this command from the CLI to create the `bookinfo` project. + +[source,terminal] ---- $ oc new-project bookinfo ---- 
@@ -67,10 +68,11 @@ You need cluster-admin rights to edit the Istio Service Mesh Member Roll. - bookinfo ---- + -** Alternatively, you can run this command from the CLI to add the `bookinfo` project to the `ServiceMeshMemberRoll`. Replace `` with the name of your control plane project. +** Alternatively, you can run this command from the CLI to add the `bookinfo` project to the `ServiceMeshMemberRoll`. Replace `` with the name of your control plane project. + +[source,terminal] ---- -$ oc -n patch --type='json' smmr default -p '[{"op": "add", "path": "/spec/members", "value":["'"bookinfo"'"]}]' +$ oc -n patch --type='json' smmr default -p '[{"op": "add", "path": "/spec/members", "value":["'"bookinfo"'"]}]' ---- . Click *Create* to save the updated Service Mesh Member Roll. @@ -98,6 +100,7 @@ $ oc apply -n bookinfo -f https://raw.githubusercontent.com/Maistra/istio/maistr Replace `` with the name of your control plane project. In this example, the control plane project is `istio-system`. ==== + +[source,terminal] ---- $ export GATEWAY_URL=$(oc -n get route istio-ingressgateway -o jsonpath='{.spec.host}') ---- diff --git a/modules/ossm-tutorial-bookinfo-removing.adoc b/modules/ossm-tutorial-bookinfo-removing.adoc index 1b712657b567..48bf6eae20d4 100644 --- a/modules/ossm-tutorial-bookinfo-removing.adoc +++ b/modules/ossm-tutorial-bookinfo-removing.adoc @@ -29,6 +29,7 @@ Follow these steps to remove the Bookinfo application. + ** Alternatively, you can run this command from the CLI to create the `bookinfo` project. + +[source,terminal] ---- $ oc delete project bookinfo ---- 
@@ -50,10 +51,11 @@ $ oc delete project bookinfo . Edit the default Service Mesh Member Roll YAML and remove `bookinfo` from the *members* list. + -** Alternatively, you can run this command from the CLI to remove the `bookinfo` project from the `ServiceMeshMemberRoll`. Replace `` with the name of your control plane project. +** Alternatively, you can run this command from the CLI to remove the `bookinfo` project from the `ServiceMeshMemberRoll`. Replace `` with the name of your control plane project. + +[source,terminal] ---- -$ oc -n patch --type='json' smmr default -p '[{"op": "remove", "path": "/spec/members", "value":["'"bookinfo"'"]}]' +$ oc -n patch --type='json' smmr default -p '[{"op": "remove", "path": "/spec/members", "value":["'"bookinfo"'"]}]' ---- . Click *Save* to update Service Mesh Member Roll. diff --git a/modules/ossm-tutorial-bookinfo-verify-install.adoc b/modules/ossm-tutorial-bookinfo-verify-install.adoc index 6d4376156ac5..d2f34ce75b11 100644 --- a/modules/ossm-tutorial-bookinfo-verify-install.adoc +++ b/modules/ossm-tutorial-bookinfo-verify-install.adoc @@ -27,6 +27,7 @@ $ curl -o /dev/null -s -w "%{http_code}\n" http://$GATEWAY_URL/productpage ** Alternatively, you can open `http://$GATEWAY_URL/productpage` in your browser. ** You can also verify that all pods are ready with this command: + +[source,terminal] ---- $ oc get pods -n bookinfo ---- diff --git a/modules/ossm-tutorial-prometheus-querying-metrics.adoc b/modules/ossm-tutorial-prometheus-querying-metrics.adoc index 6ae49d432d24..abc55e597874 100644 --- a/modules/ossm-tutorial-prometheus-querying-metrics.adoc +++ b/modules/ossm-tutorial-prometheus-querying-metrics.adoc 
@@ -20,12 +20,13 @@ After you have verified the Bookinfo application has deployed, you will need to . Verify that the `prometheus` Service is running in your cluster. In Kubernetes environments, execute the following command: + +[source,terminal] ---- $ oc get svc prometheus -n istio-system ---- + -You will see something like the following: -+ +.Example output +[source,terminal] ---- NAME CLUSTER-IP EXTERNAL-IP PORT(S) AGE prometheus 10.59.241.54 9090/TCP 2m @@ -33,12 +34,14 @@ prometheus 10.59.241.54 9090/TCP 2m + . Generate network traffic by accessing the Bookinfo application: + +[source,terminal] ---- $ curl -o /dev/null http://$GATEWAY_URL/productpage ---- + . A route to access the Prometheus user interface already exists. Query for details of the route: + +[source,terminal] ---- $ export PROMETHEUS_URL=$(oc get route -n istio-system prometheus -o jsonpath='{.spec.host}') ---- @@ -55,6 +58,7 @@ image::ossm-prometheus-metrics.png[] + . To list all available Prometheus metrics, run the following command: + +[source,terminal] ---- $ oc get prometheus -n istio-system -o jsonpath='{.items[*].spec.metrics[*].name}' requests_total request_duration_seconds request_bytes response_bytes tcp_sent_bytes_total tcp_received_bytes_total ---- diff --git a/modules/ossm-update-app-sidecar.adoc b/modules/ossm-update-app-sidecar.adoc index a15ba20d2f96..9e6da371316e 100644 --- a/modules/ossm-update-app-sidecar.adoc +++ b/modules/ossm-update-app-sidecar.adoc @@ -9,6 +9,7 @@ If you selected the Automatic Approval Strategy when you were installing your Op If your deployment uses Automatic sidecar injection, you can update the pod template in the deployment by adding or modifying an annotation. Run the following command to redeploy the pods: +[source,terminal] ---- $ oc patch deployment/ -p '{"spec":{"template":{"metadata":{"annotations":{"kubectl.kubernetes.io/restartedAt": "'`date -Iseconds`'"}}}}}' ---- 
diff --git a/service_mesh/service_mesh_day_two/ossm-auto-route.adoc b/service_mesh/service_mesh_day_two/ossm-auto-route.adoc index b2efd0ead754..2e8a1b14eeee 100644 --- a/service_mesh/service_mesh_day_two/ossm-auto-route.adoc +++ b/service_mesh/service_mesh_day_two/ossm-auto-route.adoc @@ -13,6 +13,7 @@ If the Gateway contains a TLS section, the OpenShift Route will be configured to . In the `ServiceMeshControlPlane` resource, add the `ior_enabled` parameter and set it to `true`. For example, see the following resource snippet: +[source,yaml] ---- spec: istio: @@ -37,6 +38,7 @@ For more information, see xref:../../service_mesh/service_mesh_install/customizi If the following gateway is created: +[source,yaml] ---- apiVersion: networking.istio.io/v1alpha3 kind: Gateway @@ -57,8 +59,14 @@ spec: Then, the following OpenShift Routes are created automatically. You can check that the routes are created with the following command. +[source,terminal] ---- $ oc -n get routes +---- + +.Expected output +[source,terminal] +---- NAME HOST/PORT PATH SERVICES PORT TERMINATION WILDCARD gateway1-lvlfn bookinfo.example.com istio-ingressgateway None gateway1-scqhv www.bookinfo.com istio-ingressgateway None
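Review bot: In `modules/ossm-routing-bookinfo-example.adoc` (hunk `-25,13 +25,19`, step 1), the reformatted command still applies a manifest straight from a mutable branch URL (`.../Maistra/istio/maistra-1.1/samples/bookinfo/networking/virtual-service-all-v1.yaml`), so what lands in the cluster can change without the docs changing. While these lines are being touched, consider pointing at a tag or commit instead of the `maistra-1.1` branch, or having the reader download and inspect the file before `oc apply -f`. The same applies to `virtual-service-reviews-test-v2.yaml` in the `-117,13 +123,19` hunk.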
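Review bot: In the certificate verification hunk `-56,18 +58,21`, both retrieval commands use `oc exec -it ... -- /bin/cat ... > /tmp/pod-root-cert.pem` with the output redirected to a file. Allocating a TTY (`-t`) for a redirected, non-interactive `cat` can leave carriage returns in the saved PEM, and `-i` is not needed either. Since the block is being re-tagged anyway, suggest dropping `-it` from both `oc exec` lines so the later `diff` steps compare clean files.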
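Review bot: In the chain verification hunk `-97,9 +124,19`, the first of the split blocks keeps `head -n 21 /tmp/pod-cert-chain.pem`, which assumes the workload certificate is exactly 21 lines long; a different key size or extra extensions changes that and the `openssl verify` step then fails or checks a truncated file. Suggest cutting at the first `-----END CERTIFICATE-----` line instead of a fixed line count, mirroring the `sed` approach used in step 4. Separately, the `openssl verify -CAfile <(cat ...)` line relies on process substitution, so the `[source,terminal]` block should say it needs bash.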
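Review bot: In `modules/ossm-tutorial-bookinfo-install.adoc` (hunk `-67,10 +68,11`), the patch shown is `{"op": "add", "path": "/spec/members", "value":["'"bookinfo"'"]}`. With JSON Patch, `add` on an existing `/spec/members` replaces the whole list with `["bookinfo"]`, which silently drops every other project already in the `ServiceMeshMemberRoll`. Suggest appending instead, with path `/spec/members/-` and value `"bookinfo"`, or adding a note that this command overwrites the list. The removed and added lines also look identical as shown here, so please confirm the placeholder after `oc -n` survived the change.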
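Review bot: In `modules/ossm-tutorial-bookinfo-removing.adoc` (hunk `-29,6 +29,7`), the context sentence says "run this command from the CLI to create the `bookinfo` project" but the block that gets the new `[source,terminal]` tag is `$ oc delete project bookinfo`. The sentence looks copied from the install module; suggest changing "create" to "delete" in the same commit.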
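Review bot: In `modules/ossm-tutorial-bookinfo-removing.adoc` (hunk `-50,10 +51,11`), the command uses `{"op": "remove", "path": "/spec/members", "value":["'"bookinfo"'"]}`. A JSON Patch `remove` ignores `value` and deletes whatever is at the path, so this removes the entire `members` list and takes every project out of the mesh, not only `bookinfo`. Suggest targeting the list element by its index (for example `/spec/members/0` once the position is confirmed with `oc get smmr default -o yaml`), or dropping the one-liner in favour of the edit step described just above it.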
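Review bot: In `modules/ossm-tutorial-prometheus-querying-metrics.adoc` (hunk `-55,6 +58,7`), the newly tagged `[source,terminal]` block still holds both the command `$ oc get prometheus -n istio-system -o jsonpath=...` and its output line `requests_total request_duration_seconds ...`. Every other place in this patch moves output into its own `.Example output` block; suggest doing the same here so the block can be copied as a command.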
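Review bot: In `service_mesh/service_mesh_day_two/ossm-auto-route.adoc` (hunk `-57,8 +59,14`), the new block title is `.Expected output`, while the other modules changed in this patch use `.Example output`. Suggest using `.Example output` here too so the titles stay consistent across the Service Mesh docs.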