Deploy sample apps
You can install two sample apps in your demo setup: Bookinfo and httpbin. You might also install additional tools such as Keycloak as an OpenID Connect provider. These sample apps are used throughout the documentation to help test connectivity, such as in the policy guides.
Deploy Bookinfo
To test out microservice traffic management in your service mesh, deploy the Bookinfo sample app.
-
Save the Istio revision that your
istiodcontrol plane runs as an environment variable.export REVISION=$(kubectl get pod -L app=istiod -n istio-system -o jsonpath='{.items[0].metadata.labels.istio\.io/rev}') echo $REVISION -
Create the
bookinfonamespace and label it for Istio injection so that the services become part of the service mesh.kubectl create ns bookinfo kubectl label ns bookinfo istio.io/rev=$REVISION --overwrite=trueFor more information, see the Istio on OpenShift documentation.
- Create and label the
bookinfoproject.kubectl create ns bookinfo kubectl label ns bookinfo istio.io/rev=$REVISION --overwrite=true - Create a NetworkAttachmentDefinition custom resource for the
bookinfoproject.cat <<EOF | oc -n bookinfo create -f - apiVersion: "k8s.cni.cncf.io/v1" kind: NetworkAttachmentDefinition metadata: name: istio-cni EOF - Elevate the permissions of the
bookinfoservice account to allow the Istio sidecars to make use of a user ID that is normally restricted by OpenShift.oc adm policy add-scc-to-group anyuid system:serviceaccounts:bookinfo
- Create and label the
-
Deploy the Bookinfo app.
# deploy bookinfo application components for all versions less than v3 kubectl -n bookinfo apply -f https://raw.githubusercontent.com/istio/istio/1.17.2/samples/bookinfo/platform/kube/bookinfo.yaml -l 'app,version notin (v3)' # deploy an updated product page with extra container utilities such as 'curl' and 'netcat' kubectl -n bookinfo apply -f https://raw.githubusercontent.com/solo-io/gloo-mesh-use-cases/main/policy-demo/productpage-with-curl.yaml # deploy all bookinfo service accounts kubectl -n bookinfo apply -f https://raw.githubusercontent.com/istio/istio/1.17.2/samples/bookinfo/platform/kube/bookinfo.yaml -l 'account' -
Verify that the Bookinfo app is deployed successfully.
kubectl get pods -n bookinfo kubectl get svc -n bookinfo
Deploy httpbin
The httpbin sample app is a simple tool to test HTTP requests and responses. Unlike curl, you can see not only the response headers, but also the request headers.
-
Save the Istio revision that your
istiodcontrol plane runs as an environment variable.export REVISION=$(kubectl get pod -L app=istiod -n istio-system -o jsonpath='{.items[0].metadata.labels.istio\.io/rev}') echo $REVISION -
Create an
httpbinnamespace and label the namespace for Istio injection so that the services in the namespace become part of the service mesh.kubectl create ns httpbin kubectl label ns httpbin istio.io/rev=$REVISION --overwrite=true- Create and label the
httpbinproject.kubectl create ns httpbin kubectl label ns httpbin istio.io/rev=$REVISION --overwrite=true - Create a NetworkAttachmentDefinition custom resource for the
httpbinproject.cat <<EOF | oc -n httpbin create -f - apiVersion: "k8s.cni.cncf.io/v1" kind: NetworkAttachmentDefinition metadata: name: istio-cni EOF - Elevate the permissions of the
httpbinservice account to allow the Istio sidecars to make use of a user ID that is normally restricted by OpenShift.oc adm policy add-scc-to-group anyuid system:serviceaccounts:httpbin
- Create and label the
-
Deploy the httpbin app.
kubectl -n httpbin apply -f https://raw.githubusercontent.com/solo-io/gloo-mesh-use-cases/main/policy-demo/httpbin.yaml -
Verify that the httpbin app is running.
kubectl -n httpbin get pods
Deploy hello world
The hello world sample app is a simple way to test responses for different app versions. The following examples install four versions of hello world in your cluster.
-
Save the Istio revision that your
istiodcontrol plane runs as an environment variable.export REVISION=$(kubectl get pod -L app=istiod -n istio-system -o jsonpath='{.items[0].metadata.labels.istio\.io/rev}') echo $REVISION -
Create the
helloworldnamespace and label it for Istio injection so that the services become part of the service mesh.kubectl create ns helloworld kubectl label ns helloworld istio.io/rev=$REVISION --overwrite=true- Create and label the
helloworldproject.kubectl create ns helloworld kubectl label ns helloworld istio.io/rev=$REVISION --overwrite=true - Create a NetworkAttachmentDefinition custom resource for the
helloworldproject.cat <<EOF | oc -n helloworld create -f - apiVersion: "k8s.cni.cncf.io/v1" kind: NetworkAttachmentDefinition metadata: name: istio-cni EOF - Elevate the permissions of the
helloworldservice account to allow the Istio sidecars to make use of a user ID that is normally restricted by OpenShift.oc adm policy add-scc-to-group anyuid system:serviceaccounts:helloworld
- Create and label the
-
Deploy hello world v1, v2, v3, and v4 to your cluster.
kubectl -n helloworld apply -f https://raw.githubusercontent.com/solo-io/gloo-mesh-use-cases/main/policy-demo/helloworld.yaml -
Verify that the hello world apps are running.
kubectl -n helloworld get pods
Install Keycloak
You might want to test how to restrict access to your applications to authenticated users, such as with external auth or JWT policies. You can install Keycloak in your cluster as an OpenID Connect (OIDC) provider.
The following steps install Keycloak in your cluster, and configure two user credentials as follows.
- Username:
user1, password:password, email:user1@example.com - Username:
user2, password:password, email:user2@solo.io
Install and configure Keycloak:
-
Create a namespace for your Keycloak deployment.
kubectl create namespace keycloak -
Create the Keycloak deployment.
kubectl -n keycloak apply -f https://raw.githubusercontent.com/solo-io/workshops/master/gloo-mesh-2-3/all/data/steps/deploy-keycloak/keycloak.yaml -
Wait for the Keycloak rollout to finish.
kubectl -n keycloak rollout status deploy/keycloak -
Set the Keycloak endpoint details from the load balancer service.
export ENDPOINT_KEYCLOAK=$(kubectl -n keycloak get service keycloak -o jsonpath='{.status.loadBalancer.ingress[0].*}'):8080 export HOST_KEYCLOAK=$(echo ${ENDPOINT_KEYCLOAK} | cut -d: -f1) export PORT_KEYCLOAK=$(echo ${ENDPOINT_KEYCLOAK} | cut -d: -f2) export KEYCLOAK_URL=http://${ENDPOINT_KEYCLOAK}/auth echo $KEYCLOAK_URL -
Set the Keycloak admin token. If you see a parsing error, try running the
curlcommand by itself. You might notice that your network is blocking the requests, which might require updating the security settings so that the request can be processed.export KEYCLOAK_TOKEN=$(curl -d "client_id=admin-cli" -d "username=admin" -d "password=admin" -d "grant_type=password" "$KEYCLOAK_URL/realms/master/protocol/openid-connect/token" | jq -r .access_token) echo $KEYCLOAK_TOKEN -
Use the admin token to configure Keycloak with the two users for testing purposes. If you get a
401 Unauthorizederror, run the previous command and try again.# Create initial token to register the client read -r client token <<<$(curl -H "Authorization: Bearer ${KEYCLOAK_TOKEN}" -X POST -H "Content-Type: application/json" -d '{"expiration": 0, "count": 1}' $KEYCLOAK_URL/admin/realms/master/clients-initial-access | jq -r '[.id, .token] | @tsv') export KEYCLOAK_CLIENT=${client} # Register the client read -r id secret <<<$(curl -X POST -d "{ \"clientId\": \"${KEYCLOAK_CLIENT}\" }" -H "Content-Type:application/json" -H "Authorization: bearer ${token}" ${KEYCLOAK_URL}/realms/master/clients-registrations/default| jq -r '[.id, .secret] | @tsv') export KEYCLOAK_SECRET=${secret} # Add allowed redirect URIs curl -H "Authorization: Bearer ${KEYCLOAK_TOKEN}" -X PUT -H "Content-Type: application/json" -d '{"serviceAccountsEnabled": true, "directAccessGrantsEnabled": true, "authorizationServicesEnabled": true, "redirectUris": ["'https://${ENDPOINT_HTTPS_GW_CLUSTER1}'/callback"]}' $KEYCLOAK_URL/admin/realms/master/clients/${id} # Add the group attribute in the JWT token returned by Keycloak curl -H "Authorization: Bearer ${KEYCLOAK_TOKEN}" -X POST -H "Content-Type: application/json" -d '{"name": "group", "protocol": "openid-connect", "protocolMapper": "oidc-usermodel-attribute-mapper", "config": {"claim.name": "group", "jsonType.label": "String", "user.attribute": "group", "id.token.claim": "true", "access.token.claim": "true"}}' $KEYCLOAK_URL/admin/realms/master/clients/${id}/protocol-mappers/models # Create first user curl -H "Authorization: Bearer ${KEYCLOAK_TOKEN}" -X POST -H "Content-Type: application/json" -d '{"username": "user1", "email": "user1@example.com", "enabled": true, "attributes": {"group": "users"}, "credentials": [{"type": "password", "value": "password", "temporary": false}]}' $KEYCLOAK_URL/admin/realms/master/users # Create second user curl -H "Authorization: Bearer ${KEYCLOAK_TOKEN}" -X POST -H "Content-Type: application/json" -d '{"username": "user2", "email": "user2@solo.io", "enabled": true, "attributes": {"group": "users"}, "credentials": [{"type": "password", "value": "password", "temporary": false}]}' $KEYCLOAK_URL/admin/realms/master/users
Next
Verify routing to the sample apps and apply a fault injection policy to the reviews service to delay requests and simulate network issues or an overloaded service.