remove istio api from ambient mode getting started guide (#14958)

* remove istio api from getting started guide

Signed-off-by: Ian Rudie <ian.rudie@solo.io>

* clean up old gateway file, make sure cleanup runs

Signed-off-by: Ian Rudie <ian.rudie@solo.io>

* fix indentation

Signed-off-by: Ian Rudie <ian.rudie@solo.io>

* fix numbering

Signed-off-by: Ian Rudie <ian.rudie@solo.io>

* add cleanup section marker back

Signed-off-by: Ian Rudie <ian.rudie@solo.io>

* try to fix ordered list numbering

Signed-off-by: Ian Rudie <ian.rudie@solo.io>

* addressing comments

Signed-off-by: Ian Rudie <ian.rudie@solo.io>

* removing gtwapi tip

Signed-off-by: Ian Rudie <ian.rudie@solo.io>

* trying out ol for the shorter enable/test sections

Signed-off-by: Ian Rudie <ian.rudie@solo.io>

* use ordered lists for the all sections with 2 or more steps for consistency

Signed-off-by: Ian Rudie <ian.rudie@solo.io>

* add back alias

Signed-off-by: Ian Rudie <ian.rudie@solo.io>

---------

Signed-off-by: Ian Rudie <ian.rudie@solo.io>
Ian Rudie 2024-04-25 15:18:17 -05:00 committed by GitHub
parent 7bdad322b0
commit 1467b3b5b8
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194
4 changed files with 202 additions and 392 deletions


@ -1,30 +0,0 @@
#!/usr/bin/env bash
# shellcheck disable=SC2154,SC2034
# Copyright 2023 Istio Authors
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
# @setup profile=none
GATEWAY_API="true"
source "content/en/docs/ambient/getting-started/test.sh"
# @cleanup
GATEWAY_API="true"
snip_uninstall_1
snip_uninstall_2
snip_uninstall_3
samples/bookinfo/platform/kube/cleanup.sh
snip_uninstall_4


@ -53,99 +53,37 @@ Follow these steps to get started with Istio's ambient mode:
{ kubectl kustomize "github.com/kubernetes-sigs/gateway-api/config/crd/experimental?ref={{< k8s_gateway_api_version >}}" | kubectl apply -f -; }
{{< /text >}}
{{< tip >}}
{{< boilerplate gateway-api-future >}}
{{< boilerplate gateway-api-choose >}}
{{< /tip >}}
1. Install Istio with the `ambient` profile on your Kubernetes cluster, using
the version of `istioctl` downloaded above:
{{< tabset category-name="config-api" >}}
{{< text bash >}}
$ istioctl install --set profile=ambient --skip-confirmation
{{< /text >}}
{{< tab name="Istio APIs" category-value="istio-apis" >}}
After running the above command, youll get the following output that indicates
four components (including {{< gloss "ztunnel" >}}ztunnel{{< /gloss >}}) have been installed successfully!
{{< text bash >}}
$ istioctl install --set profile=ambient --set "components.ingressGateways[0].enabled=true" --set "components.ingressGateways[0].name=istio-ingressgateway" --skip-confirmation
{{< /text >}}
{{< text syntax=plain snip_id=none >}}
✔ Istio core installed
✔ Istiod installed
✔ CNI installed
✔ Ztunnel installed
✔ Installation complete
{{< /text >}}
{{< tip >}}
Note that this command includes `--set "components.ingressGateways[0].enabled=true"` because the ambient profile does not install the ingress gateway by default.
{{< /tip >}}
1. Verify the installed components using the following command:
After running the above command, youll get the following output that indicates
five components (including {{< gloss "ztunnel" >}}ztunnel{{< /gloss >}}) have been installed successfully!
{{< text bash >}}
$ kubectl get pods,daemonset -n istio-system
NAME READY STATUS RESTARTS AGE
pod/istio-cni-node-btbjf 1/1 Running 0 2m18s
pod/istiod-55b74b77bd-xggqf 1/1 Running 0 2m27s
pod/ztunnel-5m27h 1/1 Running 0 2m10s
{{< text syntax=plain snip_id=none >}}
✔ Istio core installed
✔ Istiod installed
✔ CNI installed
✔ Ingress gateways installed
✔ Ztunnel installed
✔ Installation complete
{{< /text >}}
{{< /tab >}}
{{< tab name="Gateway API" category-value="gateway-api" >}}
{{< text bash >}}
$ istioctl install --set profile=ambient --skip-confirmation
{{< /text >}}
After running the above command, youll get the following output that indicates
four components (including {{< gloss "ztunnel" >}}ztunnel{{< /gloss >}}) have been installed successfully!
{{< text syntax=plain snip_id=none >}}
✔ Istio core installed
✔ Istiod installed
✔ CNI installed
✔ Ztunnel installed
✔ Installation complete
{{< /text >}}
{{< /tab >}}
{{< /tabset >}}
6) Verify the installed components using the following commands:
{{< tabset category-name="config-api" >}}
{{< tab name="Istio APIs" category-value="istio-apis" >}}
{{< text bash >}}
$ kubectl get pods,daemonset -n istio-system
NAME READY STATUS RESTARTS AGE
pod/istio-cni-node-zq94l 1/1 Running 0 2m7s
pod/istio-ingressgateway-56b9cb5485-ksnvc 1/1 Running 0 2m7s
pod/istiod-56d848857c-mhr5w 1/1 Running 0 2m9s
pod/ztunnel-srrnm 1/1 Running 0 2m5s
NAME DESIRED CURRENT READY UP-TO-DATE AVAILABLE NODE SELECTOR AGE
daemonset.apps/istio-cni-node 1 1 1 1 1 kubernetes.io/os=linux 2m16s
daemonset.apps/ztunnel 1 1 1 1 1 kubernetes.io/os=linux 2m10s
{{< /text >}}
{{< /tab >}}
{{< tab name="Gateway API" category-value="gateway-api" >}}
{{< text bash >}}
$ kubectl get pods,daemonset -n istio-system
NAME READY STATUS RESTARTS AGE
pod/istio-cni-node-btbjf 1/1 Running 0 2m18s
pod/istiod-55b74b77bd-xggqf 1/1 Running 0 2m27s
pod/ztunnel-5m27h 1/1 Running 0 2m10s
NAME DESIRED CURRENT READY UP-TO-DATE AVAILABLE NODE SELECTOR AGE
daemonset.apps/istio-cni-node 1 1 1 1 1 kubernetes.io/os=linux 2m18s
daemonset.apps/ztunnel 1 1 1 1 1 kubernetes.io/os=linux 2m10s
{{< /text >}}
{{< /tab >}}
{{< /tabset >}}
NAME DESIRED CURRENT READY UP-TO-DATE AVAILABLE NODE SELECTOR AGE
daemonset.apps/istio-cni-node 1 1 1 1 1 kubernetes.io/os=linux 2m18s
daemonset.apps/ztunnel 1 1 1 1 1 kubernetes.io/os=linux 2m10s
{{< /text >}}
## Deploy the sample application {#bookinfo}
@ -179,53 +117,27 @@ Make sure the default namespace does not include the label `istio-injection=enab
To get IP address assignment for `Loadbalancer` service types in `kind`, you may need to install a tool like [MetalLB](https://metallb.universe.tf/). Please consult [this guide](https://kind.sigs.k8s.io/docs/user/loadbalancer/) for more information.
{{</ tip >}}
{{< tabset category-name="config-api" >}}
Create a [Kubernetes Gateway](https://gateway-api.sigs.k8s.io/references/spec/#gateway.networking.k8s.io/v1.Gateway)
and [HTTPRoute](https://gateway-api.sigs.k8s.io/references/spec/#gateway.networking.k8s.io/v1.HTTPRoute):
{{< tab name="Istio APIs" category-value="istio-apis" >}}
{{< text bash >}}
$ sed -e 's/from: Same/from: All/'\
-e '/^ name: bookinfo-gateway/a\
namespace: istio-system\
' -e '/^ - name: bookinfo-gateway/a\
namespace: istio-system\
' @samples/bookinfo/gateway-api/bookinfo-gateway.yaml@ | kubectl apply -f -
{{< /text >}}
Create an Istio [Gateway](/docs/reference/config/networking/gateway/) and
[VirtualService](/docs/reference/config/networking/virtual-service/):
Set the environment variables for the Kubernetes Gateway:
{{< text bash >}}
$ kubectl apply -f @samples/bookinfo/networking/bookinfo-gateway.yaml@
{{< /text >}}
{{< text bash >}}
$ kubectl wait --for=condition=programmed gtw/bookinfo-gateway -n istio-system
$ export GATEWAY_HOST=bookinfo-gateway-istio.istio-system
$ export GATEWAY_SERVICE_ACCOUNT=ns/istio-system/sa/bookinfo-gateway-istio
{{< /text >}}
Set the environment variables for the Istio ingress gateway:
{{< text bash >}}
$ export GATEWAY_HOST=istio-ingressgateway.istio-system
$ export GATEWAY_SERVICE_ACCOUNT=ns/istio-system/sa/istio-ingressgateway-service-account
{{< /text >}}
{{< /tab >}}
{{< tab name="Gateway API" category-value="gateway-api" >}}
Create a [Kubernetes Gateway](https://gateway-api.sigs.k8s.io/references/spec/#gateway.networking.k8s.io/v1.Gateway)
and [HTTPRoute](https://gateway-api.sigs.k8s.io/references/spec/#gateway.networking.k8s.io/v1.HTTPRoute):
{{< text bash >}}
$ sed -e 's/from: Same/from: All/'\
-e '/^ name: bookinfo-gateway/a\
namespace: istio-system\
' -e '/^ - name: bookinfo-gateway/a\
namespace: istio-system\
' @samples/bookinfo/gateway-api/bookinfo-gateway.yaml@ | kubectl apply -f -
{{< /text >}}
Set the environment variables for the Kubernetes gateway:
{{< text bash >}}
$ kubectl wait --for=condition=programmed gtw/bookinfo-gateway -n istio-system
$ export GATEWAY_HOST=bookinfo-gateway-istio.istio-system
$ export GATEWAY_SERVICE_ACCOUNT=ns/istio-system/sa/bookinfo-gateway-istio
{{< /text >}}
{{< /tab >}}
{{< /tabset >}}
3) Test your bookinfo application. It should work with or without the gateway:
1. Test your bookinfo application. It should work with or without the gateway:
{{< text syntax=bash snip_id=verify_traffic_sleep_to_ingress >}}
$ kubectl exec deploy/sleep -- curl -s "http://$GATEWAY_HOST/productpage" | grep -o "<title>.*</title>"
@ -244,33 +156,32 @@ $ export GATEWAY_SERVICE_ACCOUNT=ns/istio-system/sa/bookinfo-gateway-istio
## Adding your application to the ambient mesh {#addtoambient}
You can enable all pods in a given namespace to be part of an ambient mesh
by simply labeling the namespace:
1. You can enable all pods in a given namespace to be part of an ambient mesh by simply labeling the namespace:
{{< text bash >}}
$ kubectl label namespace default istio.io/dataplane-mode=ambient
namespace/default labeled
{{< /text >}}
{{< text bash >}}
$ kubectl label namespace default istio.io/dataplane-mode=ambient
namespace/default labeled
{{< /text >}}
Congratulations! You have successfully added all pods in the default namespace
to the mesh. Note that you did not have to restart or redeploy anything!
Congratulations! You have successfully added all pods in the default namespace
to the mesh. Note that you did not have to restart or redeploy anything!
Now, send some test traffic:
1. Now, send some test traffic:
{{< text bash >}}
$ kubectl exec deploy/sleep -- curl -s "http://$GATEWAY_HOST/productpage" | grep -o "<title>.*</title>"
<title>Simple Bookstore App</title>
{{< /text >}}
{{< text bash >}}
$ kubectl exec deploy/sleep -- curl -s "http://$GATEWAY_HOST/productpage" | grep -o "<title>.*</title>"
<title>Simple Bookstore App</title>
{{< /text >}}
{{< text bash >}}
$ kubectl exec deploy/sleep -- curl -s http://productpage:9080/ | grep -o "<title>.*</title>"
<title>Simple Bookstore App</title>
{{< /text >}}
{{< text bash >}}
$ kubectl exec deploy/sleep -- curl -s http://productpage:9080/ | grep -o "<title>.*</title>"
<title>Simple Bookstore App</title>
{{< /text >}}
{{< text bash >}}
$ kubectl exec deploy/notsleep -- curl -s http://productpage:9080/ | grep -o "<title>.*</title>"
<title>Simple Bookstore App</title>
{{< /text >}}
{{< text bash >}}
$ kubectl exec deploy/notsleep -- curl -s http://productpage:9080/ | grep -o "<title>.*</title>"
<title>Simple Bookstore App</title>
{{< /text >}}
Youll immediately gain mTLS communication and L4 telemetry among the applications in the ambient mesh.
If you follow the instructions to install [Prometheus](/docs/ops/integrations/prometheus/#installation)
@ -287,179 +198,163 @@ identities, but not at the Layer 7 level, such as HTTP methods like `GET` and `P
### Layer 4 authorization policy
Explicitly allow the `sleep` and gateway service accounts to call the `productpage` service:
1. Explicitly allow the `sleep` and gateway service accounts to call the `productpage` service:
{{< text bash >}}
$ kubectl apply -f - <<EOF
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
name: productpage-viewer
namespace: default
spec:
selector:
matchLabels:
app: productpage
action: ALLOW
rules:
- from:
- source:
principals:
- cluster.local/ns/default/sa/sleep
- cluster.local/$GATEWAY_SERVICE_ACCOUNT
EOF
{{< /text >}}
{{< text bash >}}
$ kubectl apply -f - <<EOF
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
name: productpage-viewer
namespace: default
spec:
selector:
matchLabels:
app: productpage
action: ALLOW
rules:
- from:
- source:
principals:
- cluster.local/ns/default/sa/sleep
- cluster.local/$GATEWAY_SERVICE_ACCOUNT
EOF
{{< /text >}}
Confirm the above authorization policy is working:
1. Confirm the above authorization policy is working:
{{< text bash >}}
$ # this should succeed
$ kubectl exec deploy/sleep -- curl -s "http://$GATEWAY_HOST/productpage" | grep -o "<title>.*</title>"
<title>Simple Bookstore App</title>
{{< /text >}}
{{< text bash >}}
$ # this should succeed
$ kubectl exec deploy/sleep -- curl -s "http://$GATEWAY_HOST/productpage" | grep -o "<title>.*</title>"
<title>Simple Bookstore App</title>
{{< /text >}}
{{< text bash >}}
$ # this should succeed
$ kubectl exec deploy/sleep -- curl -s http://productpage:9080/ | grep -o "<title>.*</title>"
<title>Simple Bookstore App</title>
{{< /text >}}
{{< text bash >}}
$ # this should succeed
$ kubectl exec deploy/sleep -- curl -s http://productpage:9080/ | grep -o "<title>.*</title>"
<title>Simple Bookstore App</title>
{{< /text >}}
{{< text bash >}}
$ # this should fail with a connection reset error code 56
$ kubectl exec deploy/notsleep -- curl -s http://productpage:9080/ | grep -o "<title>.*</title>"
command terminated with exit code 56
{{< /text >}}
{{< text bash >}}
$ # this should fail with a connection reset error code 56
$ kubectl exec deploy/notsleep -- curl -s http://productpage:9080/ | grep -o "<title>.*</title>"
command terminated with exit code 56
{{< /text >}}
### Layer 7 authorization policy
Using the Kubernetes Gateway API, you can deploy a {{< gloss "waypoint" >}}waypoint proxy{{< /gloss >}} for your namespace:
1. Using the Kubernetes Gateway API, you can deploy a {{< gloss "waypoint" >}}waypoint proxy{{< /gloss >}} for your namespace:
{{< text bash >}}
$ istioctl x waypoint apply --enroll-namespace --wait
waypoint default/waypoint applied
namespace default labeled with "istio.io/use-waypoint: waypoint"
{{< /text >}}
{{< text bash >}}
$ istioctl x waypoint apply --enroll-namespace --wait
waypoint default/waypoint applied
namespace default labeled with "istio.io/use-waypoint: waypoint"
{{< /text >}}
View the waypoint proxy status; you should see the details of the gateway
resource with `Programmed` status:
1. View the waypoint proxy status; you should see the details of the gateway resource with `Programmed` status:
{{< text bash >}}
$ kubectl get gtw waypoint -o yaml
...
status:
conditions:
- lastTransitionTime: "2024-04-18T14:25:56Z"
message: Resource programmed, assigned to service(s) waypoint.default.svc.cluster.local:15008
observedGeneration: 1
reason: Programmed
status: "True"
type: Programmed
{{< /text >}}
{{< text bash >}}
$ kubectl get gtw waypoint -o yaml
...
status:
conditions:
- lastTransitionTime: "2024-04-18T14:25:56Z"
message: Resource programmed, assigned to service(s) waypoint.default.svc.cluster.local:15008
observedGeneration: 1
reason: Programmed
status: "True"
type: Programmed
{{< /text >}}
Update your `AuthorizationPolicy` to explicitly allow the `sleep` service to `GET` the `productpage` service, but perform no other operations:
1. Update your `AuthorizationPolicy` to explicitly allow the `sleep` service to `GET` the `productpage` service, but perform no other operations:
{{< text bash >}}
$ kubectl apply -f - <<EOF
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
name: productpage-viewer
namespace: default
spec:
targetRef:
kind: Service
group: ""
name: productpage
action: ALLOW
rules:
- from:
- source:
principals:
- cluster.local/ns/default/sa/sleep
to:
- operation:
methods: ["GET"]
EOF
{{< /text >}}
{{< text bash >}}
$ kubectl apply -f - <<EOF
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
name: productpage-viewer
namespace: default
spec:
targetRef:
kind: Service
group: ""
name: productpage
action: ALLOW
rules:
- from:
- source:
principals:
- cluster.local/ns/default/sa/sleep
to:
- operation:
methods: ["GET"]
EOF
{{< /text >}}
{{< text bash >}}
$ # this should fail with an RBAC error because it is not a GET operation
$ kubectl exec deploy/sleep -- curl -s "http://productpage:9080/productpage" -X DELETE
RBAC: access denied
{{< /text >}}
1. Confirm the new waypoint proxy is enforcing the updated authorization policy:
{{< text bash >}}
$ # this should fail with an RBAC error because the identity is not allowed
$ kubectl exec deploy/notsleep -- curl -s http://productpage:9080/
RBAC: access denied
{{< /text >}}
{{< text bash >}}
$ # this should fail with an RBAC error because it is not a GET operation
$ kubectl exec deploy/sleep -- curl -s "http://productpage:9080/productpage" -X DELETE
RBAC: access denied
{{< /text >}}
{{< text bash >}}
$ # this should continue to work
$ kubectl exec deploy/sleep -- curl -s http://productpage:9080/ | grep -o "<title>.*</title>"
<title>Simple Bookstore App</title>
{{< /text >}}
{{< text bash >}}
$ # this should fail with an RBAC error because the identity is not allowed
$ kubectl exec deploy/notsleep -- curl -s http://productpage:9080/
RBAC: access denied
{{< /text >}}
{{< text bash >}}
$ # this should continue to work
$ kubectl exec deploy/sleep -- curl -s http://productpage:9080/ | grep -o "<title>.*</title>"
<title>Simple Bookstore App</title>
{{< /text >}}
## Control traffic {#control}
You can use the same waypoint to control traffic to `reviews`. Configure traffic routing to send 90% of requests to `reviews` v1 and 10% to `reviews` v2:
1. You can use the same waypoint to control traffic to `reviews`. Configure traffic routing to send 90% of requests to `reviews` v1 and 10% to `reviews` v2:
{{< tabset category-name="config-api" >}}
{{< text bash >}}
$ kubectl apply -f @samples/bookinfo/platform/kube/bookinfo-versions.yaml@
$ kubectl apply -f @samples/bookinfo/gateway-api/route-reviews-90-10.yaml@
{{< /text >}}
{{< tab name="Istio APIs" category-value="istio-apis" >}}
1. Confirm that roughly 10% of the traffic from 100 requests goes to reviews-v2:
{{< text bash >}}
$ kubectl apply -f @samples/bookinfo/networking/virtual-service-reviews-90-10.yaml@
$ kubectl apply -f @samples/bookinfo/networking/destination-rule-reviews.yaml@
{{< /text >}}
{{< /tab >}}
{{< tab name="Gateway API" category-value="gateway-api" >}}
{{< text bash >}}
$ kubectl apply -f @samples/bookinfo/platform/kube/bookinfo-versions.yaml@
$ kubectl apply -f @samples/bookinfo/gateway-api/route-reviews-90-10.yaml@
{{< /text >}}
{{< /tab >}}
{{< /tabset >}}
Confirm that roughly 10% of the traffic from 100 requests goes to reviews-v2:
{{< text bash >}}
$ kubectl exec deploy/sleep -- sh -c "for i in \$(seq 1 100); do curl -s http://productpage:9080/productpage | grep reviews-v.-; done"
{{< /text >}}
{{< text bash >}}
$ kubectl exec deploy/sleep -- sh -c "for i in \$(seq 1 100); do curl -s http://productpage:9080/productpage | grep reviews-v.-; done"
{{< /text >}}
## Uninstall {#uninstall}
The label to instruct Istio to automatically include applications in the `default` namespace to an ambient mesh is not removed by default. If no longer needed, use the following command to remove it:
1. The label to instruct Istio to automatically include applications in the `default` namespace to an ambient mesh is not removed by default. If no longer needed, use the following command to remove it:
{{< text bash >}}
$ kubectl label namespace default istio.io/dataplane-mode-
$ kubectl label namespace default istio.io/use-waypoint-
{{< /text >}}
{{< text bash >}}
$ kubectl label namespace default istio.io/dataplane-mode-
$ kubectl label namespace default istio.io/use-waypoint-
{{< /text >}}
To remove waypoint proxies, installed policies, and uninstall Istio:
1. To remove waypoint proxies, installed policies, and uninstall Istio:
{{< text bash >}}
$ istioctl x waypoint delete --all
$ istioctl uninstall -y --purge
$ kubectl delete namespace istio-system
{{< /text >}}
{{< text bash >}}
$ istioctl x waypoint delete --all
$ istioctl uninstall -y --purge
$ kubectl delete namespace istio-system
{{< /text >}}
To delete the Bookinfo sample application and its configuration, see [Bookinfo cleanup](/docs/examples/bookinfo/#cleanup).
1. To delete the Bookinfo sample application and its configuration, see [Bookinfo cleanup](/docs/examples/bookinfo/#cleanup).
To remove the `sleep` and `notsleep` applications:
1. To remove the `sleep` and `notsleep` applications:
{{< text bash >}}
$ kubectl delete -f @samples/sleep/sleep.yaml@
$ kubectl delete -f @samples/sleep/notsleep.yaml@
{{< /text >}}
{{< text bash >}}
$ kubectl delete -f @samples/sleep/sleep.yaml@
$ kubectl delete -f @samples/sleep/notsleep.yaml@
{{< /text >}}
If you installed the Gateway API CRDs, remove them:
1. If you installed the Gateway API CRDs, remove them:
{{< text bash >}}
$ kubectl kustomize "github.com/kubernetes-sigs/gateway-api/config/crd/experimental?ref={{< k8s_gateway_api_version >}}" | kubectl delete -f -
{{< /text >}}
{{< text bash >}}
$ kubectl kustomize "github.com/kubernetes-sigs/gateway-api/config/crd/experimental?ref={{< k8s_gateway_api_version >}}" | kubectl delete -f -
{{< /text >}}


@ -26,34 +26,14 @@ kubectl get crd gateways.gateway.networking.k8s.io &> /dev/null || \
}
snip_download_and_install_3() {
istioctl install --set values.pilot.env.PILOT_ENABLE_CONFIG_DISTRIBUTION_TRACKING=true --set profile=ambient --set "components.ingressGateways[0].enabled=true" --set "components.ingressGateways[0].name=istio-ingressgateway" --skip-confirmation
}
snip_download_and_install_5() {
istioctl install --set values.pilot.env.PILOT_ENABLE_CONFIG_DISTRIBUTION_TRACKING=true --set profile=ambient --skip-confirmation
}
snip_download_and_install_7() {
snip_download_and_install_5() {
kubectl get pods,daemonset -n istio-system
}
! IFS=$'\n' read -r -d '' snip_download_and_install_7_out <<\ENDSNIP
NAME READY STATUS RESTARTS AGE
pod/istio-cni-node-zq94l 1/1 Running 0 2m7s
pod/istio-ingressgateway-56b9cb5485-ksnvc 1/1 Running 0 2m7s
pod/istiod-56d848857c-mhr5w 1/1 Running 0 2m9s
pod/ztunnel-srrnm 1/1 Running 0 2m5s
NAME DESIRED CURRENT READY UP-TO-DATE AVAILABLE NODE SELECTOR AGE
daemonset.apps/istio-cni-node 1 1 1 1 1 kubernetes.io/os=linux 2m16s
daemonset.apps/ztunnel 1 1 1 1 1 kubernetes.io/os=linux 2m10s
ENDSNIP
snip_download_and_install_8() {
kubectl get pods,daemonset -n istio-system
}
! IFS=$'\n' read -r -d '' snip_download_and_install_8_out <<\ENDSNIP
! IFS=$'\n' read -r -d '' snip_download_and_install_5_out <<\ENDSNIP
NAME READY STATUS RESTARTS AGE
pod/istio-cni-node-btbjf 1/1 Running 0 2m18s
pod/istiod-55b74b77bd-xggqf 1/1 Running 0 2m27s
@ -74,15 +54,6 @@ kubectl apply -f samples/sleep/notsleep.yaml
}
snip_deploy_the_sample_application_3() {
kubectl apply -f samples/bookinfo/networking/bookinfo-gateway.yaml
}
snip_deploy_the_sample_application_4() {
export GATEWAY_HOST=istio-ingressgateway.istio-system
export GATEWAY_SERVICE_ACCOUNT=ns/istio-system/sa/istio-ingressgateway-service-account
}
snip_deploy_the_sample_application_5() {
sed -e 's/from: Same/from: All/'\
-e '/^ name: bookinfo-gateway/a\
namespace: istio-system\
@ -91,7 +62,7 @@ sed -e 's/from: Same/from: All/'\
' samples/bookinfo/gateway-api/bookinfo-gateway.yaml | kubectl apply -f -
}
snip_deploy_the_sample_application_6() {
snip_deploy_the_sample_application_4() {
kubectl wait --for=condition=programmed gtw/bookinfo-gateway -n istio-system
export GATEWAY_HOST=bookinfo-gateway-istio.istio-system
export GATEWAY_SERVICE_ACCOUNT=ns/istio-system/sa/bookinfo-gateway-istio
@ -278,16 +249,11 @@ kubectl exec deploy/sleep -- curl -s http://productpage:9080/ | grep -o "<title>
ENDSNIP
snip_control_traffic_1() {
kubectl apply -f samples/bookinfo/networking/virtual-service-reviews-90-10.yaml
kubectl apply -f samples/bookinfo/networking/destination-rule-reviews.yaml
}
snip_control_traffic_2() {
kubectl apply -f samples/bookinfo/platform/kube/bookinfo-versions.yaml
kubectl apply -f samples/bookinfo/gateway-api/route-reviews-90-10.yaml
}
snip_control_traffic_3() {
snip_control_traffic_2() {
kubectl exec deploy/sleep -- sh -c "for i in \$(seq 1 100); do curl -s http://productpage:9080/productpage | grep reviews-v.-; done"
}


@ -15,8 +15,6 @@
# See the License for the specific language governing permissions and
# limitations under the License.
GATEWAY_API="${GATEWAY_API:-false}"
# @setup profile=none
set -e
@ -27,33 +25,20 @@ set -o pipefail
snip_download_and_install_2
# install istio with ambient profile
if [ "$GATEWAY_API" == "true" ]; then
snip_download_and_install_5
else
snip_download_and_install_3
fi
snip_download_and_install_3
_wait_for_deployment istio-system istiod
_wait_for_daemonset istio-system ztunnel
_wait_for_daemonset istio-system istio-cni-node
if [ "$GATEWAY_API" == "true" ]; then
_verify_like snip_download_and_install_8 "$snip_download_and_install_8_out"
else
_verify_like snip_download_and_install_7 "$snip_download_and_install_7_out"
fi
_verify_like snip_download_and_install_5 "$snip_download_and_install_5_out"
# deploy test application
snip_deploy_the_sample_application_1
snip_deploy_the_sample_application_2
if [ "$GATEWAY_API" == "true" ]; then
snip_deploy_the_sample_application_5
snip_deploy_the_sample_application_6
else
snip_deploy_the_sample_application_3
snip_deploy_the_sample_application_4
fi
snip_deploy_the_sample_application_3
snip_deploy_the_sample_application_4
# test traffic before ambient mode is enabled
_verify_contains snip_verify_traffic_sleep_to_ingress "$snip_verify_traffic_sleep_to_ingress_out"
@ -79,23 +64,17 @@ _verify_contains snip_layer_7_authorization_policy_4 "$snip_layer_7_authorizatio
_verify_contains snip_layer_7_authorization_policy_5 "$snip_layer_7_authorization_policy_5_out"
_verify_contains snip_layer_7_authorization_policy_6 "$snip_layer_7_authorization_policy_6_out"
if [ "$GATEWAY_API" == "true" ]; then
snip_control_traffic_2
else
snip_control_traffic_1
fi
snip_control_traffic_1
_verify_lines snip_control_traffic_3 "
_verify_lines snip_control_traffic_2 "
+ reviews-v1
+ reviews-v2
- reviews-v3
"
# @cleanup
if [ "$GATEWAY_API" != "true" ]; then
snip_uninstall_1
snip_uninstall_2
snip_uninstall_3
samples/bookinfo/platform/kube/cleanup.sh
snip_uninstall_4
fi
snip_uninstall_1
snip_uninstall_2
snip_uninstall_3
samples/bookinfo/platform/kube/cleanup.sh
snip_uninstall_4
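Review bot: The script still selects guide snippets by their auto-assigned position (`snip_download_and_install_3`, `snip_download_and_install_5`, `snip_deploy_the_sample_application_3`/`_4`, `snip_control_traffic_1`/`_2`), so any renumbering in the guide silently changes which command a call runs. This commit itself had to move `snip_download_and_install_8` to `_5` and `snip_control_traffic_3` to `_2`. The authorization-policy checks visible as context (`snip_layer_7_authorization_policy_4` to `_6`) are positional in the same way, so a stale index could make an access-control check pass or fail for the wrong reason. Giving the guide's text blocks explicit ids, as it already does with `snip_id=verify_traffic_sleep_to_ingress`, would let the test call stable names, for example `{{< text syntax=bash snip_id=install_ambient >}}` called as `snip_install_ambient` (a constructed name). The setup and verification steps between the hunks are not visible here.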