diff --git a/content/en/docs/ambient/getting-started/index.md b/content/en/docs/ambient/getting-started/index.md index e1006fa340..ee8dfa005b 100644 --- a/content/en/docs/ambient/getting-started/index.md +++ b/content/en/docs/ambient/getting-started/index.md @@ -112,11 +112,7 @@ Make sure the default namespace does not include the label `istio-injection=enab `sleep` and `notsleep` are two simple applications that can serve as curl clients. -1. Deploy an ingress gateway so you can access the bookinfo app from outside the cluster: - - {{< tip >}} - To get IP address assignment for `Loadbalancer` service types in `kind`, you may need to install a tool like [MetalLB](https://metallb.universe.tf/). Please consult [this guide](https://kind.sigs.k8s.io/docs/user/loadbalancer/) for more information. - {{}} +1. Deploy an ingress gateway: Create a [Kubernetes Gateway](https://gateway-api.sigs.k8s.io/references/spec/#gateway.networking.k8s.io/v1.Gateway) and [HTTPRoute](https://gateway-api.sigs.k8s.io/references/spec/#gateway.networking.k8s.io/v1.HTTPRoute): @@ -125,6 +121,12 @@ Make sure the default namespace does not include the label `istio-injection=enab $ kubectl apply -f @samples/bookinfo/gateway-api/bookinfo-gateway.yaml@ {{< /text >}} + By default, Istio creates a `LoadBalancer` service for a gateway. Change the service type to `ClusterIP` by annotating the gateway. + + {{< text bash >}} + $ kubectl annotate gateway bookinfo-gateway networking.istio.io/service-type=ClusterIP --namespace=default + {{< /text >}} + Set the environment variables for the Kubernetes Gateway: {{< text bash >}} 
@@ -133,7 +135,7 @@ Make sure the default namespace does not include the label `istio-injection=enab $ export GATEWAY_SERVICE_ACCOUNT=ns/default/sa/bookinfo-gateway-istio {{< /text >}} -1. Test your bookinfo application. It should work with or without the gateway: +1. Test your bookinfo application. It should work with and without the gateway: {{< text syntax=bash snip_id=verify_traffic_sleep_to_ingress >}} $ kubectl exec deploy/sleep -- curl -s "http://$GATEWAY_HOST/productpage" | grep -o ".*" @@ -247,19 +249,12 @@ identities, but not at the Layer 7 level, such as HTTP methods like `GET` and `P namespace default labeled with "istio.io/use-waypoint: waypoint" {{< /text >}} -1. View the waypoint proxy status; you should see the details of the gateway resource with `Programmed` status: +1. View the waypoint proxy; you should see the details of the gateway resource with `Programmed=True` status: {{< text bash >}} - $ kubectl get gtw waypoint -o yaml - ... - status: - conditions: - - lastTransitionTime: "2024-04-18T14:25:56Z" - message: Resource programmed, assigned to service(s) waypoint.default.svc.cluster.local:15008 - observedGeneration: 1 - reason: Programmed - status: "True" - type: Programmed + $ kubectl get gtw waypoint + NAME CLASS ADDRESS PROGRAMMED AGE + waypoint istio-waypoint 10.96.58.95 True 61s {{< /text >}} 1. Update your `AuthorizationPolicy` to explicitly allow the `sleep` service to `GET` the `productpage` service, but perform no other operations: diff --git a/content/en/docs/ambient/getting-started/snips.sh b/content/en/docs/ambient/getting-started/snips.sh index 7966e774eb..710db0bfb2 100644 --- a/content/en/docs/ambient/getting-started/snips.sh +++ b/content/en/docs/ambient/getting-started/snips.sh 
@@ -59,6 +59,10 @@ kubectl apply -f samples/bookinfo/gateway-api/bookinfo-gateway.yaml } snip_deploy_the_sample_application_4() { +kubectl annotate gateway bookinfo-gateway networking.istio.io/service-type=ClusterIP --namespace=default +} + +snip_deploy_the_sample_application_5() { kubectl wait --for=condition=programmed gtw/bookinfo-gateway export GATEWAY_HOST=bookinfo-gateway-istio.default export GATEWAY_SERVICE_ACCOUNT=ns/default/sa/bookinfo-gateway-istio @@ -178,19 +182,12 @@ namespace default labeled with "istio.io/use-waypoint: waypoint" ENDSNIP snip_layer_7_authorization_policy_2() { -kubectl get gtw waypoint -o yaml +kubectl get gtw waypoint } ! IFS=$'\n' read -r -d '' snip_layer_7_authorization_policy_2_out <<\ENDSNIP -... -status: - conditions: - - lastTransitionTime: "2024-04-18T14:25:56Z" - message: Resource programmed, assigned to service(s) waypoint.default.svc.cluster.local:15008 - observedGeneration: 1 - reason: Programmed - status: "True" - type: Programmed +NAME CLASS ADDRESS PROGRAMMED AGE +waypoint istio-waypoint 10.96.58.95 True 61s ENDSNIP snip_layer_7_authorization_policy_3() { diff --git a/content/en/docs/ambient/getting-started/test.sh b/content/en/docs/ambient/getting-started/test.sh index 60efd99915..5ed8879b72 100644 --- a/content/en/docs/ambient/getting-started/test.sh +++ b/content/en/docs/ambient/getting-started/test.sh @@ -39,6 +39,7 @@ snip_deploy_the_sample_application_2 snip_deploy_the_sample_application_3 snip_deploy_the_sample_application_4 +snip_deploy_the_sample_application_5 # test traffic before ambient mode is enabled _verify_contains snip_verify_traffic_sleep_to_ingress "$snip_verify_traffic_sleep_to_ingress_out" 
@@ -58,7 +59,7 @@ _verify_contains snip_layer_4_authorization_policy_3 "$snip_layer_4_authorizatio _verify_failure snip_layer_4_authorization_policy_4 _verify_contains snip_layer_7_authorization_policy_1 "$snip_layer_7_authorization_policy_1_out" -_verify_contains snip_layer_7_authorization_policy_2 "Resource programmed, assigned to service" +_verify_contains snip_layer_7_authorization_policy_2 "True" snip_layer_7_authorization_policy_3 _verify_contains snip_layer_7_authorization_policy_4 "$snip_layer_7_authorization_policy_4_out" _verify_contains snip_layer_7_authorization_policy_5 "$snip_layer_7_authorization_policy_5_out" diff --git a/content/en/docs/ambient/usage/extend-waypoint-wasm/test.sh b/content/en/docs/ambient/usage/extend-waypoint-wasm/test.sh index 079c4948dc..e3a46f9216 100644 --- a/content/en/docs/ambient/usage/extend-waypoint-wasm/test.sh +++ b/content/en/docs/ambient/usage/extend-waypoint-wasm/test.sh @@ -40,7 +40,7 @@ snip_deploy_the_sample_application_1 snip_deploy_the_sample_application_2 snip_deploy_the_sample_application_3 -snip_deploy_the_sample_application_4 +snip_deploy_the_sample_application_5 # adding applications to ambient mesh _verify_same snip_adding_your_application_to_the_ambient_mesh_1 "$snip_adding_your_application_to_the_ambient_mesh_1_out"
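Review bot: In index.md, hunk `@@ -125,6 +121,12 @@`, the new paragraph tells the reader to switch the gateway service to `ClusterIP` but never states the consequence: the bookinfo gateway is then reachable only from inside the cluster, which is why the step title lost "so you can access the bookinfo app from outside the cluster". Please say that in the added sentence. Also note that the annotation is applied after `kubectl apply`, so the service is first created with the default `LoadBalancer` type and only then changed; if the intent is to never request an external address, consider setting `networking.istio.io/service-type` in the sample manifest or documenting this ordering.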
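Review bot: In index.md, hunk `@@ -247,19 +249,12 @@`, the step text still says "you should see the details of the gateway resource with `Programmed=True` status", but the new output is the one-line table from `kubectl get gtw waypoint`, which has no details and no literal `Programmed=True`. Reword to match what the reader will see, for example "you should see `True` in the `PROGRAMMED` column".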
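Review bot: In getting-started/test.sh, hunk `@@ -58,7 +59,7 @@`, `_verify_contains snip_layer_7_authorization_policy_2 "True"` is a much weaker assertion than the string it replaces ("Resource programmed, assigned to service"), since it passes on any occurrence of `True` in the output. Consider waiting on the condition explicitly, as `snip_deploy_the_sample_application_5` already does for the bookinfo gateway with `kubectl wait --for=condition=programmed`, or matching a more specific fragment such as the class name together with `True`.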
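Review bot: In extend-waypoint-wasm/test.sh, hunk `@@ -40,7 +40,7 @@`, `snip_deploy_the_sample_application_4` is replaced by `_5` rather than followed by it, so this test skips the new `ClusterIP` annotation while getting-started/test.sh runs both. If that difference is intentional, a short comment would help; if not, call `_4` and `_5` here as well. More generally, the renumbering in snips.sh (hunk `@@ -59,6 +59,10 @@`) changes what `_4` means, so any other caller of `snip_deploy_the_sample_application_4` now annotates the gateway instead of waiting for it and exporting `GATEWAY_HOST`; please check for remaining references.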