Deploy Bookinfo

Deploy Bookinfo, the Istio sample app.

  1. Create the bookinfo namespace.

      kubectl create ns bookinfo
      
  2. Deploy the Bookinfo app.

      # deploy bookinfo application components for all versions
      kubectl -n bookinfo apply -f https://raw.githubusercontent.com/istio/istio/1.20.8/samples/bookinfo/platform/kube/bookinfo.yaml -l 'app'
      # deploy all bookinfo service accounts
      kubectl -n bookinfo apply -f https://raw.githubusercontent.com/istio/istio/1.20.8/samples/bookinfo/platform/kube/bookinfo.yaml -l 'account'
      
  3. Verify that the Bookinfo app is deployed successfully.

      kubectl get pods -n bookinfo
      kubectl get svc -n bookinfo
      
  4. Verify that you can access the ratings app from the product page app.

      kubectl -n bookinfo debug -i pods/$(kubectl get pod -l app=productpage -A -o jsonpath='{.items[0].metadata.name}') --image=curlimages/curl -- curl -v http://ratings:9080/ratings/1
      

    Example output:

      ...
      * Mark bundle as not supporting multiuse
      < HTTP/1.1 200 OK
      < Content-type: application/json
      < Date: Thu, 08 Sep 2022 18:56:59 GMT
      < Connection: keep-alive
      < Transfer-Encoding: chunked
      < 
      * Connection #0 to host ratings left intact
      {"id":1,"ratings":{"Reviewer1":5,"Reviewer2":4}}
      

Add Bookinfo to the ambient mesh

Add the Bookinfo services to the ambient mesh, and verify that traffic is routed through the ztunnels in your cluster.

  1. Label the bookinfo namespace to onboard Bookinfo to the ambient mesh. The istio.io/dataplane-mode=ambient label adds all pods in the namespace to an ambient mesh.

      kubectl label namespace bookinfo istio.io/dataplane-mode=ambient
      
  2. Verify that the label was applied. After you label the namespace, all inbound and outbound traffic for the pods is automatically redirected to the ztunnel that is co-located on the same node as the pod. If the source and destination pods run on different nodes, the ztunnel on the source node forwards the traffic to the ztunnel on the destination node. The communication between ztunnels is secured with mutual TLS (mTLS). However, because the pods are deployed without an Istio sidecar, the traffic between a pod and its node-local ztunnel is sent in plaintext. For more information, see the component overview.

      kubectl describe namespace bookinfo
      
  3. Send a request to the ratings app again.

      kubectl -n bookinfo debug -i pods/$(kubectl get pod -l app=productpage -A -o jsonpath='{.items[0].metadata.name}') --image=curlimages/curl -- curl -v http://ratings:9080/ratings/1
      
  4. Get the logs of the ztunnel that is co-located with the ratings app.

    1. Get the name of the node that the ratings app is deployed to.

        kubectl get pods -n bookinfo -o wide | grep ratings
        
    2. List the ztunnels in your cluster and note the name of the ztunnel that is deployed to the same node as the ratings app.

        kubectl get pods -n istio-system -o wide | grep ztunnel
        
    3. Get the logs of the ztunnel pod that runs on the same node as the ratings app. Make sure that you see an access log message for the request that the product page app sent to ratings.

        kubectl logs -n istio-system <ztunnel-pod-name>
        

      Example output:

        2024-06-21T16:33:13.093929Z	info	access	connection complete	src.addr=10.XX.X.XX:46103 src.workload="productpage-v1-78dd566f6f-jcrtj" src.namespace="bookinfo" src.identity="spiffe://cluster.local/ns/bookinfo/sa/bookinfo-productpage" dst.addr=10.XX.X.XX:9080 dst.hbone_addr=10.XX.X.XX:9080 dst.service="ratings.bookinfo.svc.cluster.local" dst.workload="ratings-v1-7c9cd8db6d-dph55" dst.namespace="bookinfo" dst.identity="spiffe://cluster.local/ns/bookinfo/sa/bookinfo-ratings" direction="inbound" bytes_sent=222 bytes_recv=84 duration="4ms"
        
    4. Port-forward the ztunnel pod on port 15020, and open localhost:15020/stats/prometheus in your browser to view the Istio Layer 4 metrics that the ztunnel emits, such as istio_tcp_sent_bytes_total or istio_tcp_connections_closed_total. These metrics are forwarded to the built-in Prometheus server and are used by the Gloo UI to visualize traffic between workloads in the ambient mesh.

        kubectl -n istio-system port-forward pod/<ztunnel_pod_name> 15020
        

      Example output:

        istio_tcp_sent_bytes_total{reporter="destination",source_workload="productpage-v1",source_canonical_service="productpage",source_canonical_revision="v1",source_workload_namespace="bookinfo",source_principal="spiffe://cluster.local/ns/bookinfo/sa/bookinfo-productpage",source_app="productpage",source_version="v1",source_cluster="gloo-mesh-docs-ambient-mgt",destination_service="unknown",destination_service_namespace="unknown",destination_service_name="unknown",destination_workload="ratings-v1",destination_canonical_service="ratings",destination_canonical_revision="v1",destination_workload_namespace="bookinfo",destination_principal="spiffe://cluster.local/ns/bookinfo/sa/bookinfo-ratings",destination_app="ratings",destination_version="v1",destination_cluster="gloo-mesh-docs-ambient-mgt",request_protocol="tcp",response_flags="-",connection_security_policy="mutual_tls",response_code="",grpc_response_status=""} 398
        
  5. If you plan to use L7 traffic policies, be sure to apply the CRDs for the Kubernetes Gateway API in your clusters, which are required to create waypoint proxies.

     Multicluster setup (management and remote clusters):

      kubectl get crd gateways.gateway.networking.k8s.io &> /dev/null ||  (kubectl kustomize "github.com/kubernetes-sigs/gateway-api/config/crd?ref=v0.6.1" | kubectl apply --context $MGMT_CONTEXT -f -)
      kubectl get crd gateways.gateway.networking.k8s.io &> /dev/null ||  (kubectl kustomize "github.com/kubernetes-sigs/gateway-api/config/crd?ref=v0.6.1" | kubectl apply --context $REMOTE_CONTEXT -f -)

     Single-cluster setup:

      kubectl get crd gateways.gateway.networking.k8s.io &> /dev/null ||  (kubectl kustomize "github.com/kubernetes-sigs/gateway-api/config/crd?ref=v0.6.1" | kubectl apply -f -)
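
As an added check that is not part of the original docs, the POSIX shell script below automates what steps 4.1 to 4.4 verify by hand: it finds the ztunnel on a given node, parses a ztunnel access log line for the SPIFFE identities on both ends of the ratings connection, and accepts an istio_tcp_sent_bytes_total sample only when it reports connection_security_policy="mutual_tls". All input is constructed (placeholder IPs, pod and node names shaped like the example output above), and the function names ztunnel_on_node, log_field, check_access_log and check_metric are chosen here.

```shell
#!/bin/sh
# Added example, not from the Gloo Mesh or Istio docs: offline checks that a ztunnel
# access log line and a ztunnel Prometheus sample show the productpage -> ratings
# connection carried between SPIFFE workload identities over mTLS. All input below is
# constructed; IPs, pod and node names are placeholders shaped like the docs' output.

# Constructed "kubectl get pods -n istio-system -o wide" output.
PODS_WIDE='NAME            READY   STATUS    RESTARTS   AGE   IP          NODE     NOMINATED NODE   READINESS GATES
ztunnel-abc12   1/1     Running   0          5m    10.0.1.5    node-a   <none>           <none>
ztunnel-def34   1/1     Running   0          5m    10.0.2.5    node-b   <none>           <none>'

# Constructed ztunnel access log line for the productpage -> ratings request.
ZTUNNEL_LOG='2024-06-21T16:33:13.093929Z info access connection complete src.addr=10.0.1.7:46103 src.workload="productpage-v1-78dd566f6f-jcrtj" src.namespace="bookinfo" src.identity="spiffe://cluster.local/ns/bookinfo/sa/bookinfo-productpage" dst.addr=10.0.2.9:9080 dst.hbone_addr=10.0.2.9:9080 dst.service="ratings.bookinfo.svc.cluster.local" dst.workload="ratings-v1-7c9cd8db6d-dph55" dst.namespace="bookinfo" dst.identity="spiffe://cluster.local/ns/bookinfo/sa/bookinfo-ratings" direction="inbound" bytes_sent=222 bytes_recv=84 duration="4ms"'

# Constructed Prometheus samples: one mTLS (expected), one plaintext (must be rejected).
MTLS_METRIC='istio_tcp_sent_bytes_total{reporter="destination",source_workload="productpage-v1",destination_workload="ratings-v1",request_protocol="tcp",connection_security_policy="mutual_tls",response_code=""} 398'
PLAIN_METRIC='istio_tcp_sent_bytes_total{reporter="destination",source_workload="productpage-v1",destination_workload="ratings-v1",request_protocol="tcp",connection_security_policy="none",response_code=""} 398'

# Print the name of the ztunnel pod scheduled on node $1 (column 7 of the wide listing).
ztunnel_on_node() {
  printf '%s\n' "$PODS_WIDE" | awk -v node="$1" '$1 ~ /^ztunnel-/ && $7 == node { print $1 }'
}

# Print the value of the key="value" field named $2 from access log line $1.
log_field() {
  printf '%s\n' "$1" | sed -n "s/.*[[:space:]]$2=\"\([^\"]*\)\".*/\1/p"
}

# Succeed only if the ratings service was reached under productpage's SPIFFE identity and
# terminated under ratings' identity, i.e. the ztunnel-to-ztunnel hop was authenticated.
check_access_log() {
  [ "$(log_field "$1" src.identity)" = "spiffe://cluster.local/ns/bookinfo/sa/bookinfo-productpage" ] &&
  [ "$(log_field "$1" dst.identity)" = "spiffe://cluster.local/ns/bookinfo/sa/bookinfo-ratings" ] &&
  [ "$(log_field "$1" dst.service)" = "ratings.bookinfo.svc.cluster.local" ]
}

# Succeed only if the sample counts a non-zero number of bytes sent to ratings-v1 over
# mutual_tls; a plaintext or zero-valued sample means traffic is not flowing through the mesh.
check_metric() {
  case "$1" in
    'istio_tcp_sent_bytes_total{'*'destination_workload="ratings-v1"'*'connection_security_policy="mutual_tls"'*'} '[1-9]*) return 0 ;;
  esac
  return 1
}

echo "ztunnel on node-b: $(ztunnel_on_node node-b)"
check_access_log "$ZTUNNEL_LOG" && echo "access log: mTLS identities OK"
check_metric "$MTLS_METRIC" && echo "metric: mutual_tls OK"
check_metric "$PLAIN_METRIC" || echo "metric: plaintext sample rejected"
```

To run it against a live cluster, replace the constructed variables with the output of the kubectl commands from step 4.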
      

You now have a functioning ambient service mesh in your cluster, and Gloo Mesh Core is running in ambient mode! To start applying policies and configure traffic routing, see the next steps.
