Deploy sample apps

You can install the Bookinfo, httpbin, and hello world sample apps in your demo setup. You might also install additional tools such as Keycloak as an OpenID Connect provider. These sample apps are used throughout the documentation to help test connectivity, such as in the policy guides.

Deploy Bookinfo

To test out microservice traffic management, deploy different versions of the Bookinfo sample app to both of the workload clusters. cluster1 runs the app with versions 1 and 2 of the reviews service (reviews-v1 and reviews-v2), and cluster2 runs version 3 of the reviews service (reviews-v3).

1. Save the Istio revision that your istiod control planes run as an environment variable.

   export REVISION=$(kubectl get pod -L app=istiod -n istio-system --context $REMOTE_CONTEXT1 -o jsonpath='{.items[0].metadata.labels.istio\.io/rev}')
   echo $REVISION
   

2. Create the bookinfo namespace in each cluster, and label the workload cluster namespaces for Istio injection so that the services become part of the service mesh.

   • Kubernetes
   • OpenShift

   kubectl create ns bookinfo --context $MGMT_CONTEXT
   
   kubectl create ns bookinfo --context $REMOTE_CONTEXT1
   kubectl label ns bookinfo istio.io/rev=$REVISION --overwrite=true --context $REMOTE_CONTEXT1
   
   kubectl create ns bookinfo --context $REMOTE_CONTEXT2
   kubectl label ns bookinfo istio.io/rev=$REVISION --overwrite=true --context $REMOTE_CONTEXT2
   

   For more information, see the Istio on OpenShift documentation.

   1. Create and label the bookinfo projects.

      kubectl create ns bookinfo --context $MGMT_CONTEXT
      
      kubectl create ns bookinfo --context $REMOTE_CONTEXT1
      kubectl label ns bookinfo istio.io/rev=$REVISION --overwrite=true --context $REMOTE_CONTEXT1
      
      kubectl create ns bookinfo --context $REMOTE_CONTEXT2
      kubectl label ns bookinfo istio.io/rev=$REVISION --overwrite=true --context $REMOTE_CONTEXT2
      

   2. Create NetworkAttachmentDefinition custom resources for the bookinfo projects of each workload cluster.

      cat <<EOF | oc --context $REMOTE_CONTEXT1 -n bookinfo create -f -
      apiVersion: "k8s.cni.cncf.io/v1"
      kind: NetworkAttachmentDefinition
      metadata:
        name: istio-cni
      EOF
            
      cat <<EOF | oc --context $REMOTE_CONTEXT2 -n bookinfo create -f -
      apiVersion: "k8s.cni.cncf.io/v1"
      kind: NetworkAttachmentDefinition
      metadata:
        name: istio-cni
      EOF
      

   3. Elevate the permissions of the bookinfo service accounts to allow the Istio sidecars to make use of a user ID that is normally restricted by OpenShift.

      oc --context $REMOTE_CONTEXT1 adm policy add-scc-to-group anyuid system:serviceaccounts:bookinfo
      oc --context $REMOTE_CONTEXT2 adm policy add-scc-to-group anyuid system:serviceaccounts:bookinfo
      

3. Deploy Bookinfo with the details, productpage, ratings, reviews-v1, and reviews-v2 services in cluster1.

   # deploy bookinfo application components for all versions less than v3
   kubectl -n bookinfo apply -f https://raw.githubusercontent.com/istio/istio/1.18.3/samples/bookinfo/platform/kube/bookinfo.yaml -l 'app,version notin (v3)' --context $REMOTE_CONTEXT1
   # deploy an updated product page with extra container utilities such as 'curl' and 'netcat'
   kubectl -n bookinfo apply -f https://raw.githubusercontent.com/solo-io/gloo-mesh-use-cases/main/policy-demo/productpage-with-curl.yaml
   # deploy all bookinfo service accounts --context $REMOTE_CONTEXT1
   kubectl -n bookinfo apply -f https://raw.githubusercontent.com/istio/istio/1.18.3/samples/bookinfo/platform/kube/bookinfo.yaml -l 'account' --context $REMOTE_CONTEXT1
   

4. Deploy Bookinfo with the ratings and reviews-v3 services in cluster2.

   # deploy reviews and ratings services
   kubectl -n bookinfo apply -f https://raw.githubusercontent.com/istio/istio/1.18.3/samples/bookinfo/platform/kube/bookinfo.yaml -l 'service in (reviews)' --context $REMOTE_CONTEXT2
   # deploy reviews-v3
   kubectl -n bookinfo apply -f https://raw.githubusercontent.com/istio/istio/1.18.3/samples/bookinfo/platform/kube/bookinfo.yaml -l 'app in (reviews),version in (v3)' --context $REMOTE_CONTEXT2
   # deploy ratings
   kubectl -n bookinfo apply -f https://raw.githubusercontent.com/istio/istio/1.18.3/samples/bookinfo/platform/kube/bookinfo.yaml -l 'app in (ratings)' --context $REMOTE_CONTEXT2
   # deploy reviews and ratings service accounts
   kubectl -n bookinfo apply -f https://raw.githubusercontent.com/istio/istio/1.18.3/samples/bookinfo/platform/kube/bookinfo.yaml -l 'account in (reviews, ratings)' --context $REMOTE_CONTEXT2
   

5. Verify that the Bookinfo pods have a status of Running in each cluster. If not, try Troubleshooting Bookinfo apps.

   kubectl get pods -n bookinfo --context $REMOTE_CONTEXT1
   kubectl get pods -n bookinfo --context $REMOTE_CONTEXT2
   

Deploy httpbin

The httpbin sample app is a simple tool to test HTTP requests and responses. Unlike curl, you can see not only the response headers, but also the request headers.

1. Save the Istio revision that your istiod control planes run as an environment variable.

   export REVISION=$(kubectl get pod -L app=istiod -n istio-system --context $REMOTE_CONTEXT1 -o jsonpath='{.items[0].metadata.labels.istio\.io/rev}')
   echo $REVISION
   

2. Create an httpbin namespace in cluster1, and label the namespace for Istio injection so that the services in the namespace become part of the service mesh.

   • Kubernetes
   • OpenShift

   kubectl create ns httpbin --context $REMOTE_CONTEXT1
   kubectl label ns httpbin istio.io/rev=$REVISION --overwrite=true --context $REMOTE_CONTEXT1
   

   1. Create and label the httpbin project.

      kubectl create ns httpbin --context $REMOTE_CONTEXT1
      kubectl label ns httpbin istio.io/rev=$REVISION --overwrite=true --context $REMOTE_CONTEXT1
      

   2. Create a NetworkAttachmentDefinition custom resource for the httpbin project.

      cat <<EOF | oc --context $REMOTE_CONTEXT1 -n httpbin create -f -
      apiVersion: "k8s.cni.cncf.io/v1"
      kind: NetworkAttachmentDefinition
      metadata:
        name: istio-cni
      EOF
      

   3. Elevate the permissions of the httpbin service account to allow the Istio sidecars to make use of a user ID that is normally restricted by OpenShift.

      oc --context $REMOTE_CONTEXT1 adm policy add-scc-to-group anyuid system:serviceaccounts:httpbin
      

3. Deploy the httpbin app.

   kubectl -n httpbin apply -f https://raw.githubusercontent.com/solo-io/gloo-mesh-use-cases/main/policy-demo/httpbin.yaml --context $REMOTE_CONTEXT1
   

4. Verify that the httpbin app is running.

   kubectl -n httpbin get pods --context $REMOTE_CONTEXT1
   

Deploy hello world

The hello world sample app is a simple way to test responses for different app versions. The following examples install two versions of hello world in one cluster, and two versions in the other workload cluster.

1. Save the Istio revision that your istiod control planes run as an environment variable.

   export REVISION=$(kubectl get pod -L app=istiod -n istio-system --context $REMOTE_CONTEXT1 -o jsonpath='{.items[0].metadata.labels.istio\.io/rev}')
   echo $REVISION
   

2. Create the helloworld namespace in each workload cluster, and label the namespaces for Istio injection so that the services become part of the service mesh.

   • Kubernetes
   • OpenShift

   kubectl create ns helloworld --context $REMOTE_CONTEXT1
   kubectl label ns helloworld istio.io/rev=$REVISION --overwrite=true --context $REMOTE_CONTEXT1
   
   kubectl create ns helloworld --context $REMOTE_CONTEXT2
   kubectl label ns helloworld istio.io/rev=$REVISION --overwrite=true --context $REMOTE_CONTEXT2
   

   1. Create and label the helloworld projects.

      kubectl create ns helloworld --context $REMOTE_CONTEXT1
      kubectl label ns helloworld istio.io/rev=$REVISION --overwrite=true --context $REMOTE_CONTEXT1
      
      kubectl create ns helloworld --context $REMOTE_CONTEXT2
      kubectl label ns helloworld istio.io/rev=$REVISION --overwrite=true --context $REMOTE_CONTEXT2
      

   2. Create NetworkAttachmentDefinition custom resources for the helloworld project.

      cat <<EOF | oc -n helloworld create --context $REMOTE_CONTEXT1 -f -
      apiVersion: "k8s.cni.cncf.io/v1"
      kind: NetworkAttachmentDefinition
      metadata:
        name: istio-cni
      EOF
            
      cat <<EOF | oc -n helloworld create --context $REMOTE_CONTEXT2 -f -
      apiVersion: "k8s.cni.cncf.io/v1"
      kind: NetworkAttachmentDefinition
      metadata:
        name: istio-cni
      EOF
      

   3. Elevate the permissions of the helloworld service accounts to allow the Istio sidecars to make use of a user ID that is normally restricted by OpenShift.

      oc --context $REMOTE_CONTEXT1 adm policy add-scc-to-group anyuid system:serviceaccounts:helloworld
      oc --context $REMOTE_CONTEXT2 adm policy add-scc-to-group anyuid system:serviceaccounts:helloworld
      

3. Deploy hello world v1 and v2 to cluster1.

   kubectl -n helloworld apply --context $REMOTE_CONTEXT1 -l 'service=helloworld' -f https://raw.githubusercontent.com/solo-io/gloo-mesh-use-cases/main/policy-demo/helloworld.yaml 
   kubectl -n helloworld apply --context $REMOTE_CONTEXT1 -l 'app=helloworld,version in (v1, v2)' -f https://raw.githubusercontent.com/solo-io/gloo-mesh-use-cases/main/policy-demo/helloworld.yaml 
   

4. Deploy hello world v3 and v4 to cluster2.

   kubectl -n helloworld apply --context $REMOTE_CONTEXT2 -l 'service=helloworld' -f https://raw.githubusercontent.com/solo-io/gloo-mesh-use-cases/main/policy-demo/helloworld.yaml 
   kubectl -n helloworld apply --context $REMOTE_CONTEXT2 -l 'app=helloworld,version in (v3, v4)' -f https://raw.githubusercontent.com/solo-io/gloo-mesh-use-cases/main/policy-demo/helloworld.yaml 
   

5. Verify that the hello world apps are running.

   kubectl -n helloworld get pods --context $REMOTE_CONTEXT1
   kubectl -n helloworld get pods --context $REMOTE_CONTEXT2
   

Other service namespaces

For any other namespaces that you want to deploy apps to, be sure to follow these steps to include your services in the service mesh.

1. Label the namespace with the Istio revision so that Istio sidecars are deployed to your app pods.

   export REVISION=$(kubectl get pod -L app=istiod -n istio-system --context $REMOTE_CONTEXT -o jsonpath='{.items[0].metadata.labels.istio\.io/rev}')
   kubectl label ns <namespace> istio.io/rev=$REVISION --overwrite --context $REMOTE_CONTEXT
   

   Note: If you deployed revisionless installations in testing environments, you can instead label your workload namespaces with kubectl label ns <namespace> istio-injection=enabled --context $REMOTE_CONTEXT.

2. If you already deployed app pods to the namespace, restart the workloads so that sidecars are injected into the pods. For example, you might roll out a restart to each deployment by using a command similar to the following.

   kubectl rollout restart deployment -n <namespace> <deployment> --context $REMOTE_CONTEXT
   

3. OpenShift only: Follow these additional steps for each service project. For more information, see the Istio on OpenShift documentation.

   1. Create a NetworkAttachmentDefinition custom resource.

      cat <<EOF | oc --context $REMOTE_CONTEXT -n <project> create -f -
      apiVersion: "k8s.cni.cncf.io/v1"
      kind: NetworkAttachmentDefinition
      metadata:
      name: istio-cni
      EOF
      

   2. Elevate the permissions of the service account to allow the gateway to make use of a user ID that is normally restricted by OpenShift.

      oc adm policy add-scc-to-group anyuid system:serviceaccounts:<project> --context $REMOTE_CONTEXT
      

Next

Set up multicluster routing for the sample apps.