Author: Paul Fischer


Openshift 4 on GCP with the Red Hat Service Mesh

Greetings Folks!

I would like to show you how to install Openshift 4 on GCP with an enabled Red Hat Service Mesh. Once we get the cluster installed, I have some examples on how you can control the traffic flow to your applications inside the cluster. Cool? You bet it is! Let’s get going.

Openshift 4.2 can be installed on multiple cloud platforms, VMware clusters, and on bare metal. The installer has been completely revamped and borrows many things from the CoreOS installer and Tectonic. It is much more flexible and simplified. In fact it is a pleasure to work with considering the pain that the Ansible 3.x installer is.

Under the covers, the Openshift 4 installer uses a bootstrap node that will install the cluster to multiple VMs or machines. This bootstrap machine is destroyed once the cluster has completed the install.

This is an example diagram of the install process.

Openshift 4.2 installation to GCP

The first thing we need to do is select a platform to run OCP4 on. GCP seemed like a good choice, as it is my current favorite cloud platform. Something that is really fantastic with OCP4 is it does not matter what the underlying platform is. It all looks and behaves that same once it is installed. Your applications will not care whether they are on OCP4 on GCP or OCP4 on AWS or OCP4 on Vmware. It is the same OCP4 code and the same OCP4 APIs.

There are, however, several steps that we must prepare our GCP project for so that the Openshift will install properly.

DNS

You will need to use Google’s DNS cloud service and have a domain to use that must be registered publicly. It has to be a publicly resolvable name because the installer will try to reach the kubernetes API from a public URL. Create the domain with Google’s DNS service and enter in Google’s nameservers into your public registrar.

I used a free DNS service called freenom.com to create a public domain called ocp4demo.ml. This domain points to the public Google nameservers, and I have set up the Google DNS service to host the ocp4demo.ml domain.

Quotas

Ensure you have sufficient quotas ( You will need 500G SSD drives ) in the region you want to install OCP4 into. In the Canadian regions, for instance, you would need to change the default SSD size because it is set to 256G by default.

The installer will default to installing six OCP4 nodes with 4xCPUs and x 15 Gigs of RAM. Make sure you are aware of the bill that will come your way if you run this.

Service Account

A service account will need to be created with the following roles assigned to it:

  • Compute Admin
  • DNS Administrator
  • Security Admin
  • Service Account Admin
  • Service Account User
  • Storage Admin
  • Service Account Key Admin

If the service account is an Owner, then it will inherit all these proper roles.

Create a service account and save the account credentials on the machine you will be running the installer from.

[~]$ gcloud iam service-accounts keys create ~/.gcp/key.json --iam-account [email protected]

API Services

Openshift 4 uses the following GCP APIs, so they all need to be enabled.

  • Compute Engine API (compute.googleapis.com)
  • Google Cloud APIs (cloudapis.googleapis.com)
  • Cloud Resource Manager API (cloudresourcemanager.googleapis.com)
  • Google DNS API (dns.googleapis.com)
  • Identity and Access Management (IAM) API (iam.googleapis.com)
  • IAM Service Account Credentials API (iamcredentials.googleapis.com)
  • Service Management API (servicemanagement.googleapis.com)
  • Service Usage API (serviceusage.googleapis.com)
  • Google Cloud Storage JSON API (storage-api.googleapis.com)
  • Cloud Storage (storage-component.googleapis.com)

Cluster installation

Once the GCP project is set up with the requirements above, you can download the installers and client utils.

Download the binary from here: ( You will need a Red Hat account to access this URL ) https://mirror.openshift.com/pub/openshift-v4/clients/ocp/latest/

Select the version of the installer that you need. In my case, I am on a Mac, so I downloaded the Mac Openshift installer. The installer is a single binary that we will need to pass several parameters too.

The last thing we need is a pull secret which you can find here:

https://cloud.redhat.com/openshift/install/gcp/installer-provisioned

Once unzipped run the installer:

[~]$ openshift-install create cluster
? SSH Public Key ~/.ssh/id_rsa.pub ( the ssh key you want installed on all the OCP4 nodes )
? Platform gcp ( the platform you are installing OCP4 on )
? Project ID my_gcp_project ( it should pick this up automatically if the key is installed correctly )
? Region us-central1 ( the region you would like to install this in )
? Base Domain ocp4demo.ml ( it should pick this up automatically if the key is installed correctly )
? Cluster Name hammer ( the name of the cluster )
? Pull Secret [? for help] < paste the pull secret here. You can find it on the install website >

The credentials to the cluster are stored in the auth directory where the installer is run from. It will contain the admin password for the cluster and the kubernetes config file. Export the kubernetes config path to use the oc command to talk to the cluster.

[~]$ export KUBECONFIG=/Users/<username>/Documents/openshift-install-mac/auth/kubeconfig

The installer uses terraform, and the state of the cluster is stored in the install directory. You should not modify or change the terraform state files, or you will need to manually remove all the objects from GCP. You can automatically remove the cluster and all GCP objects by running the following:

[~]$ openshift-installer cluster destroy cluster

Wunderbar!! Our cluster is installed and is up and running in GCP!

Red Hat Service Mesh

The Red Hat Service Mesh is Red Hat’s implementation of Istio. It is integrated into OCP4 as an Operator and is bundled with several other pieces of software to make it more of a full product.

Installing the Red Hat Service Mesh

You can install the Red Hat Service Mesh operator through the operator hub available right in the console of Openshift 4. The pre-requisites are taken care of automatically, so elastic search, kiali, and jaeger will all be installed. All Mesh components are installed into the openshift-operators project.

Search for the Red Hat Service Mesh operator in the Operator Hub and Install it.

Subscribe to the service and set up which namespaces it will be available for and if you would like it automatically updated.

Before we install the Istio control plane and member roll, let’s create an application project space to host our application. We will enable this project space to use Istio during the installation.

[~]$ oc new-project bookinfo

Install the Istio control plane

Now that the operators are installed, the Istio control plane needs to be installed so we can control the Istio components and the traffic in and out of the cluster. This can be done through the Red Hat Service Mesh Operator. Navigate to the Installed Operator tab in the console and install the control plane.

The Istio control plane and all of it’s components are installed in the openshift-sdn project.

Install the Istio member role and add your project

Now we need to enable a member role so our application project can take advantage of Istio.

Navigate to the Installed Operators in the openshift-sdn project and create a Service Mesh control plane policy for the control plane.

Now we can create a Service Mesh Roll for our project. Through the Openshift console in the installed operators under the Red Hat service mesh operator, add a service mesh roll. We will change the members of our application project.

The project is set up to use Istio for its traffic management. Let’s get on to installing a sample application and get some traffic flowing.

Install a microservice application

I am using the sample microservices application from the Istio site for this demonstration. It is a very simple application that displays book details and reviews. The important thing to note here is that there are two versions of the reviews pod, which we will be shifting traffic too.

To install the bookinfo application into our Istio enabled bookinfo project follow these steps.

[~]$ oc apply -n bookinfo -f https://raw.githubusercontent.com/Maistra/bookinfo/maistra-1.0/bookinfo.yaml

Create the Istio gateway and virtual service.

[~]$ oc apply -n bookinfo -f https://raw.githubusercontent.com/Maistra/bookinfo/maistra-1.0/bookinfo-gateway.yaml

We will need the route that was created for the Istio ingress gateway that will route traffic to our bookinfo application.

[~]$ export GATEWAY_URL=$(oc -n openshift-sdn get route istio-ingressgateway -o jsonpath='{.spec.host}')

We then need to create some rules to allow traffic inbound and outbound for each of the bookinfo pods.

[~]$ oc apply -n bookinfo -f https://raw.githubusercontent.com/istio/istio/release-1.1/samples/bookinfo/networking/destination-rule-all.yaml

Lets see if this all worked properly.

[~]$ curl -o /dev/null -s -w "%{http_code}\n" http://$GATEWAY_URL/productpage
200

Great! Curling the gateway URL gave us an HTTP 200. You could also point your browser to the URL (http://istio-ingressgateway-openshift-sdn.apps.hammer.ocp4demo.ml/productpage) in this case to make sure the application can receive traffic and is responding properly.

Traffic Manipulation

So now let’s manipulate some traffic to go to specific microservice components.

First let’s put some load on the application! This is a very simple way to get some requests going. I will use curl to query the product page ten thousand times.

[~]$ curl -o /dev/null -s -w "%{http_code}\n" "http://$GATEWAY_URL/productpage?[1-10000]"

Kiali monitoring

One of the greatest things about the Red Hat Service Mesh is it installs and uses Kiali and Jaeger for monitoring and tracing. This gives us some great visibility into what is actually happening with the traffic in the cluster.

We can get to the Kiali dashboard with this URL.

https://kiali-openshift-sdn.apps.hammer.ocp4demo.ml/console/overview?duration=60&pi=15000

Since we have traffic hitting our bookinfo application you should be able to see a graph representation of your microservice with the proper traffic flow.

Traffic control

Istio allows for granular traffic control between every pod that is participating in the service mesh. This means we can control and direct traffic how we see fit. Let’s balance the traffic between the different review pods. As I hinted above the review pod has several different versions. I would like to balance traffic between review pod v1 and review pod v3.

If I apply this file I can change the VirtaulService that controls ingress into these pods.

50 - 50 Traffic split

[~]$ oc create -f - <<EOF
apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
  name: reviews
spec:
  hosts:
    - reviews
  http:
  - route:
    - destination:
        host: reviews
        subset: v1
      weight: 50
    - destination:
        host: reviews
        subset: v3
      weight: 50
EOF      

As the screenshot illustrates, after making this change, the traffic is balanced with 47.7% of traffic directed to review v1 and 52.3% of the traffic to review v3.

Now lets shift the traffic to put more load on version 1.

70 - 30 traffic split

[~]$ oc create -f - <<EOF
apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
  name: reviews
spec:
  hosts:
    - reviews
  http:
  - route:
    - destination:
        host: reviews
        subset: v1
      weight: 70
    - destination:
        host: reviews
        subset: v3
      weight: 30
EOF

As this screenshot illustrates after making this change the traffic is balanced with 68.2% of traffic directed to review v1 and 31.8% of the traffic to review v3.

Firefox redirection

Ok, now let’s say you would rather have Firefox users go to version 3 and have everyone else go to version 1? Well, with a simple regex, we can grab Firefox as a search string in the http header and direct traffic accordingly.

[~]$ oc create -f - <<EOF
apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
  name: reviews
spec:
  hosts:
  - reviews
  http:
  - match:
    - headers:
        user-agent:
          regex: ".*Firefox.*"
    route:
    - destination:
        host: reviews
        subset: v3
  - route:
    - destination:
        host: reviews
        subset: v1
EOF        

This is a screenshot of the Firefox ( top browser ) going to the reviews v3 pod, which has book ratings and Safari ( bottom browser ) being routed to reviews v1, which has no ratings.

Conclusion

I hope you found this blog useful. Openshift 4 can be installed on many different platforms. With the Red Hat Service Mesh installed, it will give the developer the ultimate control of the flow of network traffic to the applications. Istio has features and capability well beyond just traffic control, but that is a story for another time.

Tagged:



//comments


//blog search


//other topics