Add apps to the ambient mesh
Add services in existing namepaces to your ambient mesh, or deploy the Bookinfo sample app without sidecars to try out traffic routing in your ambient mesh.
Service namespaces
Now that Istio is up and running, you can create service namespaces for your teams to run app workloads in, and onboard them to the ambient mesh.
Label each workload namespace with the istio.io/dataplane-mode=ambient
label, which adds all pods in the namespace to an ambient mesh. After you label the namespace, all ingoing and outgoing traffic to the pods is automatically redirected to the ztunnel that is co-located on the same node as the pod. If pods exist on different nodes, the ztunnel forwards the traffic to the ztunnel that is located on the other node. The communication between ztunnels is secured via mutual TLS (mTLS). However, because the pods are deployed without an Istio sidecar, the traffic from the pod to the ztunnel and vice versa is sent via plain text. For more information, see the component overview.
kubectl label namespace <service_ns> istio.io/dataplane-mode=ambient
You now have a functioning ambient service mesh in your Gloo Mesh Core setup! To try out traffic routing with a sample app, see the Bookinfo example. To start applying policies and configure traffic routing, see the next steps.
Bookinfo example
For testing purposes, you can deploy Bookinfo, the Istio sample app, and add it to your ambient mesh.
Deploy Bookinfo
Deploy the Bookinfo sample app.
Create the
bookinfo
namespace.kubectl create ns bookinfo
Deploy the Bookinfo app.
# deploy bookinfo application components for all versions kubectl -n bookinfo apply -f https://raw.githubusercontent.com/istio/istio/1.22.5/samples/bookinfo/platform/kube/bookinfo.yaml -l 'app' # deploy all bookinfo service accounts kubectl -n bookinfo apply -f https://raw.githubusercontent.com/istio/istio/1.22.5/samples/bookinfo/platform/kube/bookinfo.yaml -l 'account'
Verify that the Bookinfo app is deployed successfully.
kubectl get pods,svc -n bookinfo
Verify that you can access the ratings app from the product page app.
kubectl -n bookinfo debug -i pods/$(kubectl get pod -l app=productpage -A -o jsonpath='{.items[0].metadata.name}') --image=curlimages/curl -- curl -v http://ratings:9080/ratings/1
Example output:
... < HTTP/1.1 200 OK < Content-type: application/json < Date: Tue, 24 Dec 2024 20:58:23 GMT < Connection: keep-alive < Keep-Alive: timeout=5 < Transfer-Encoding: chunked < { [59 bytes data] 100 48 0 48 0 0 2549 0 --:--:-- --:--:-- --:--:-- 2666 * Connection #0 to host ratings left intact {"id":1,"ratings":{"Reviewer1":5,"Reviewer2":4}}
Add Bookinfo to the ambient mesh
Add the Bookinfo services to the ambient mesh, and verify that traffic is routed through the ztunnels in your cluster.
Label the
bookinfo
namespace to onboard Bookinfo to the ambient mesh. Theistio.io/dataplane-mode=ambient
label adds all pods in the namespace to an ambient mesh.kubectl label namespace bookinfo istio.io/dataplane-mode=ambient
Verify that the label was applied.
kubectl describe namespace bookinfo
Send a request to the ratings app again.
kubectl -n bookinfo debug -i pods/$(kubectl get pod -l app=productpage -A -o jsonpath='{.items[0].metadata.name}') --image=curlimages/curl -- curl -v http://ratings:9080/ratings/1
Get the logs of the ztunnel that is co-located with the ratings app.
Get the name of the node that the ratings app is deployed to.
kubectl get pods -n bookinfo -o wide | grep ratings
In this example output,
ip-10-0-6-27.us-east-2.compute.internal
is the name of the node.ratings-v1-7c9cd8db6d-8t62f 1/1 Running 0 3m9s 10.0.13.100 ip-10-0-6-27.us-east-2.compute.internal <none> <none>
List the ztunnels in your cluster and note the name of the ztunnel that is deployed to the same node as the ratings app.
kubectl get pods -n istio-system -o wide | grep ztunnel
In this example output,
ztunnel-tvtzn
is deployed to the same node as the ratings pod.ztunnel-tvtzn 1/1 Running 0 16m 10.0.5.167 ip-10-0-6-27.us-east-2.compute.internal <none> <none> ztunnel-vtpjm 1/1 Running 0 16m 10.0.1.204 ip-10-0-8-23.us-east-2.compute.internal <none> <none>
Get the logs of the ztunnel pod that runs on the same node as the ratings app. Make sure that you see an
access
log message for the request that the product page app sent to ratings.kubectl logs -n istio-system <ztunnel-pod-name>
Example output:
2024-06-21T16:33:13.093929Z info access connection complete src.addr=10.XX.X.XX:46103 src.workload="productpage-v1-78dd566f6f-jcrtj" src.namespace="bookinfo" src.identity="spiffe://cluster.local/ns/bookinfo/sa/bookinfo-productpage" dst.addr=10.XX.X.XX:9080 dst.hbone_addr=10.XX.X.XX:9080 dst.service="ratings.bookinfo.svc.cluster.local" dst.workload="ratings-v1-7c9cd8db6d-dph55" dst.namespace="bookinfo" dst.identity="spiffe://cluster.local/ns/bookinfo/sa/bookinfo-ratings" direction="inbound" bytes_sent=222 bytes_recv=84 duration="4ms"
Port-forward the ztunnel pod on port 15020.
kubectl -n istio-system port-forward pod/<ztunnel_pod_name> 15020
Open localhost:15020/stats/prometheus in your browser to view Istio Layer 4 metrics that were emitted by the ztunnel, such as
istio_tcp_sent_bytes_total
oristio_tcp_connections_closed_total
. These metrics are forwarded to the built-in Prometheus server and are used by the Gloo UI to visualize traffic between workloads in the ambient mesh.Example output:
istio_tcp_sent_bytes_total{reporter="destination",source_workload="productpage-v1",source_canonical_service="productpage",source_canonical_revision="v1",source_workload_namespace="bookinfo",source_principal="spiffe://cluster.local/ns/bookinfo/sa/bookinfo-productpage",source_app="productpage",source_version="v1",source_cluster="gloo-mesh-docs-ambient-mgt",destination_service="unknown",destination_service_namespace="unknown",destination_service_name="unknown",destination_workload="ratings-v1",destination_canonical_service="ratings",destination_canonical_revision="v1",destination_workload_namespace="bookinfo",destination_principal="spiffe://cluster.local/ns/bookinfo/sa/bookinfo-ratings",destination_app="ratings",destination_version="v1",destination_cluster="gloo-mesh-docs-ambient-mgt",request_protocol="tcp",response_flags="-",connection_security_policy="mutual_tls",response_code="",grpc_response_status=""} 398
Next
- Launch the Gloo UI to review the Istio insights that were captured for your ambient setup. Gloo Mesh Core comes with an insights engine that automatically analyzes your Istio setups for health issues. Then, Gloo shares these issues along with recommendations to harden your Istio setups. The insights give you a checklist to address issues that might otherwise be hard to detect across your environment. For more information, see Insights.
- Check out the Istio docs to:
- When it’s time to upgrade your ambient mesh, you can perform a safe in-place upgrade.