Read details about BookInfo application.

1. Deploy the application with automatic sidecar injection for each pod:

   kubectl apply -f samples/bookinfo/platform/kube/bookinfo.yaml

2. Verify services:

   kubectl get svc

3. Verify pods:

   kubectl get pods

1. Define the ingress gateway for the application:

   kubectl apply -f samples/bookinfo/networking/bookinfo-gateway.yaml

2. Confirm gateway:

   kubectl get gateway
   TODO

1. Define environment variables:

   export INGRESS_HOST=$(kubectl -n istio-system get service istio-ingressgateway -o jsonpath='{.status.loadBalancer.ingress[0].hostname}')
   export INGRESS_PORT=$(kubectl -n istio-system get service istio-ingressgateway -o jsonpath='{.spec.ports[?(@.name=="http")].port}')
   export SECURE_INGRESS_PORT=$(kubectl -n istio-system get service istio-ingressgateway -o jsonpath='{.spec.ports[?(@.name=="https")].port}')
   export GATEWAY_URL=$INGRESS_HOST:$INGRESS_PORT

2. Access the application:

   echo "Accessing bookinfo at http://${GATEWAY_URL}/productpage"
   open http://${GATEWAY_URL}/productpage    # Open browser, OS/X only.

This will show the output:

reviews service has 3 versions and so the output page will look diffeent with each refresh.

Kiali is a UI for Istio that can dynamically show the mesh topology and traffic flows. Using Kiali will help you understanding the routing rules we are going to apply in the next section.

1. Accessing Kiali

We use Kubernetes port forwarding to access Kiali via tunnel to our local host

Use admin/admin as username/password. Once logged in, click on Graph in the left navigation.

This will then show the graph like the following. Hit the bookinfo a few times to see how the traffic is visualised

1. Define the destination rules:

   kubectl apply -f samples/bookinfo/networking/destination-rule-all.yaml

2. Verify:

   kubectl get destinationrules -o yaml

1. Route all traffic to v1 of each microservice:

   kubectl apply -f samples/bookinfo/networking/virtual-service-all-v1.yaml

2. Refresh http://$GATEWAY_URL/productpage. Multiple refereshes of the page now shows output from the same reviews service (no rating stars).

3. Route all traffic based on user identity:

   kubectl apply -f samples/bookinfo/networking/virtual-service-reviews-test-v2.yaml

4. On the /productpage, log in as user jason, no password. end-user: jason is sent as an HTTP header. VirtualService is configured to send traffic to v2 if end-user: jason is included in the HTTP request header. Otherwise traffic is sent to v1.

5. Refresh the browser and star ratings appear next to each review.

6. Log out and log in as any other user. Refresh the browser and the stars disappear again.

1. Transfer 50% of the traffic from reviews:v1 to reviews:v3:

   kubectl apply -f samples/bookinfo/networking/virtual-service-reviews-50-v3.yaml

2. Refresh the /productpage in your browser and you now see red colored star ratings approximately 50% of the time.

3. Route 100% of the traffic to reviews:v3 by applying this virtual service:

   kubectl apply -f samples/bookinfo/networking/virtual-service-reviews-v3.yaml

4. Refresh the /productpage in your browser and you now see red colored star ratings for each review.

This section explains how to configure Istio to expose a service outside of the service mesh using an Istio Gateway instead of the usual Kubernetes Ingress Resource.

1. Deploy httpbin sample:

   kubectl apply -f samples/httpbin/httpbin.yaml

2. Determine IP ingress and ports:

   export INGRESS_HOST=$(kubectl -n istio-system get service istio-ingressgateway -o jsonpath='{.status.loadBalancer.ingress[0].hostname}')
   export INGRESS_PORT=$(kubectl -n istio-system get service istio-ingressgateway -o jsonpath='{.spec.ports[?(@.name=="http2")].port}')
   export SECURE_INGRESS_PORT=$(kubectl -n istio-system get service istio-ingressgateway -o jsonpath='{.spec.ports[?(@.name=="https")].port}')

3. Create an Istio Gateway:

   kubectl apply -f httpbin-ingress-gateway.yaml

4. Configure routes for the gateway:

   kubectl apply -f httpbin-virtualservice.yaml

5. Access the httpbin service using curl:

   curl -I -HHost:httpbin.example.com http://$INGRESS_HOST:$INGRESS_PORT/status/200
   TODO

6. Access any other URL:

   curl -I -HHost:httpbin.example.com http://$INGRESS_HOST:$INGRESS_PORT/headers

7. Enable a wildcard * value for the host in Gateway:

   kubectl apply -f httpbin-ingress-browser.yaml

8. Access $INGRESS_HOST:$INGRESS_PORT/headers in the browser.

9. Clean up:

   kubectl delete gateway httpbin-gateway
   kubectl delete virtualservice httpbin
   kubectl delete --ignore-not-found=true -f samples/httpbin/httpbin.yaml

1. Generate certificates, select y for all the questions:

   git clone https://github.com/nicholasjackson/mtls-go-example
   cd mtls-go-example
   ./generate.sh httpbin.example.com abc123
   mkdir ~/httpbin.example.com
   mv 1_root 2_intermediate 3_application 4_client ~/httpbin.example.com

2. Create a Kubernetes Secret to hold the server’s certificate and private key:

   kubectl create -n istio-system secret tls istio-ingressgateway-certs --key httpbin.example.com/3_application/private/httpbin.example.com.key.pem --cert ~/httpbin.example.com/3_application/certs/httpbin.example.com.cert.pem

3. Define a Gateway with a server section for port 443:

   kubectl apply -f httpbin-gateway-server-cert.yaml

4. Configure routes for traffic entering via the Gateway:

   kubectl apply -f httpbin-virtualservice-https.yaml

5. Access the httpbin service with HTTPS by sending an https request using curl to $SECURE_INGRESS_PORT:

   curl -v -HHost:httpbin.example.com --resolve httpbin.example.com:$SECURE_INGRESS_PORT:$INGRESS_HOST --cacert ~/httpbin.example.com/2_intermediate/certs/ca-chain.cert.pem https://httpbin.example.com:$SECURE_INGRESS_PORT/status/418

By default, Istio-enabled services cannot access URLs outside of the cluster. This section will explain how to configure Istio using ServiceEntry to expose external services to Istio-enabled clients. Specifically, the service will access httpbin.org.

1. Deploy sleep sample:

   kubectl apply -f samples/sleep/sleep.yaml

2. Create a ServiceEntry to allow access to an external HTTP service:

   kubectl apply -f httpbin-serviceentry.yaml

3. Create a ServiceEntry and VirtualService to allow access to an external HTTPS service:

   kubectl apply -f httpbin-serviceentry-https.yaml

4. Exec into the pod:

   export SOURCE_POD=$(kubectl get pod -l app=sleep -o jsonpath={.items..metadata.name})
   kubectl exec -it $SOURCE_POD -c sleep bash

5. Make a request to the external HTTP service:

   curl http://httpbin.org/headers

6. Make a request to the external HTTPS service:

   curl https://www.google.com

This sections shows how to configure circuit breaking for connections, requests, and outlier detection.

1. Create a destination rule to apply circuit breaking. These rules allow only one connection and request concurrently, anything more will trip the circuit:

   kubectl apply -f httpbin-circuitbreaker.yaml

2. Create the client:

   kubectl apply -f samples/httpbin/sample-client/fortio-deploy.yaml

3. Make a successful request:

   FORTIO_POD=$(kubectl get pod | grep fortio | awk '{ print $1 }')
   kubectl exec -it $FORTIO_POD  -c fortio /usr/local/bin/fortio -- load -curl  http://httpbin:8000/get

4. Call the service with two concurrent connections and send 20 requests:

   kubectl exec -it $FORTIO_POD -c fortio /usr/local/bin/fortio -- load -c 2 -qps 0 -n 20 -loglevel Warning http://httpbin:8000/get

5. Increase the number of concurrent requests to 3:

   kubectl exec -it $FORTIO_POD  -c fortio /usr/local/bin/fortio -- load -c 3 -qps 0 -n 20 -loglevel Warning http://httpbin:8000/get

6. Query istio-proxy to see stats:

   kubectl exec -it $FORTIO_POD  -c istio-proxy  -- sh -c 'curl localhost:15000/stats' | grep httpbin | grep pending

1. Deploy two versions of httpbin Deployment and one Service:

   kubectl apply -f httpbin-mirroring-v1.yaml
   kubectl apply -f httpbin-mirroring-v2.yaml
   kubectl apply -f httpbin-mirroring-service.yaml

2. Start sleep service to generate load:

   kubectl apply -f httpbin-mirroring-client.yaml

3. Route all traffic to v1:

   kubectl apply -f httpbin-mirroring-v1-route.yaml

4. Send traffic to the service:

   export SLEEP_POD=$(kubectl get pod -l app=sleep -o jsonpath={.items..metadata.name})
   kubectl exec -it $SLEEP_POD -c sleep -- sh -c 'curl  http://httpbin:8080/headers' | python -m json.tool

5. Check the logs for v1 and v2. There should be log entries for v1 and none for v2:

   export V1_POD=$(kubectl get pod -l app=httpbin,version=v1 -o jsonpath={.items..metadata.name})
   kubectl logs -f $V1_POD -c httpbin
   export V2_POD=$(kubectl get pod -l app=httpbin,version=v2 -o jsonpath={.items..metadata.name})
   kubectl logs -f $V2_POD -c httpbin

6. Mirror traffic to v2:

   kubectl apply -f httpbin-mirroring-to-v2.yaml

7. Send in traffic:

   kubectl exec -it $SLEEP_POD -c sleep -- sh -c 'curl  http://httpbin:8080/headers' | python -m json.tool

8. Check the logs in v1 and v2:

   kubectl logs -f $V1_POD -c httpbin
   kubectl logs -f $V2_POD -c httpbin