Deploy Applications
In this section we will deploy 5 different Pods, and we will apply policies to control the traffic between them.
bookbuyer
is an HTTP client making requests tobookstore
. This traffic is permitted.bookthief
is an HTTP client and much likebookbuyer
also makes HTTP requests tobookstore
. This traffic should be blocked.bookstore
is a server, which responds to HTTP requests. It is also a client making requests to thebookwarehouse
service. This traffic is permitted.bookwarehouse
is a server and should respond only tobookstore
. Bothbookbuyer
andbookthief
should be blocked.mysql
is a MySQL database only reachable bybookwarehouse
.
We are going to define and deploy traffic access policies using SMI, which will bring us to this final desired state of allowed and blocked traffic between pods:
from / to: | bookbuyer | bookthief | bookstore | bookwarehouse | mysql |
---|---|---|---|---|---|
bookbuyer | n/a | ❌ | ✔ | ❌ | ❌ |
bookthief | ❌ | n/a | ❌ | ❌ | ❌ |
bookstore | ❌ | ❌ | n/a | ✔ | ❌ |
bookwarehouse | ❌ | ❌ | ❌ | n/a | ✔ |
mysql | ❌ | ❌ | ❌ | ❌ | n/a |
To show how to split traffic using SMI Traffic Split, we will deploy an additional application:
bookstore-v2
- this is the same container as the firstbookstore
we deployed, but for this demo we will assume that it is a new version of the app we need to upgrade to.
The bookbuyer
, bookthief
, bookstore
, and bookwarehouse
Pods will be in separate Kubernetes Namespaces with
the same names. mysql
will be in the bookwarehouse
namespace. Each new Pod in the service mesh will be injected with an Envoy sidecar container.
Create the Namespaces
kubectl create namespace bookstore
kubectl create namespace bookbuyer
kubectl create namespace bookthief
kubectl create namespace bookwarehouse
Add the new namespaces to the OSM control plane
osm namespace add bookstore bookbuyer bookthief bookwarehouse
Now each one of the four namespaces is labelled with openservicemesh.io/monitored-by: osm
and also
annotated with openservicemesh.io/sidecar-injection: enabled
. The OSM Controller, noticing the label and annotation
on these namespaces, will start injecting all new pods with Envoy sidecars.
Create Pods, Services, ServiceAccounts
Create the bookbuyer
service account and deployment:
kubectl apply -f https://raw.githubusercontent.com/openservicemesh/osm-docs/main/manifests/apps/bookbuyer.yaml
Create the bookthief
service account and deployment:
kubectl apply -f https://raw.githubusercontent.com/openservicemesh/osm-docs/main/manifests/apps/bookthief.yaml
Create the bookstore
service account, service, and deployment:
kubectl apply -f https://raw.githubusercontent.com/openservicemesh/osm-docs/main/manifests/apps/bookstore.yaml
Create the bookwarehouse
service account, service, and deployment:
kubectl apply -f https://raw.githubusercontent.com/openservicemesh/osm-docs/main/manifests/apps/bookwarehouse.yaml
Create the mysql
service account, service, and stateful set:
kubectl apply -f https://raw.githubusercontent.com/openservicemesh/osm-docs/main/manifests/apps/mysql.yaml
Checkpoint: What Got Installed?
A Kubernetes Deployment and Pods for each of bookbuyer
, bookthief
, bookstore
and bookwarehouse
, and a StatefulSet for mysql
. Also, Kubernetes Services and Endpoints for bookstore
, bookwarehouse
, and mysql
.
To view these resources on your cluster, run the following commands:
kubectl get pods,deployments,serviceaccounts -n bookbuyer
kubectl get pods,deployments,serviceaccounts -n bookthief
kubectl get pods,deployments,serviceaccounts,services,endpoints -n bookstore
kubectl get pods,deployments,serviceaccounts,services,endpoints -n bookwarehouse
In addition, a Kubernetes Service Account was also created for each application. The Service Account serves as the application’s identity which will be used later in the demo to create service-to-service access control policies.
View the Application UIs
Set up client port forwarding with the following steps to access the applications in the Kubernetes cluster. It is best to start a new terminal session for running the port forwarding scripts to maintain the port forwarding session, while using the original terminal to continue to issue commands. The port-forward scripts will look for a .env
file for environment variables needed to run the script. The .env
creates the necessary variables that target the previously created namespaces. We will use the reference .env.example
file and then run the port forwarding scripts.
In a new terminal session, run the following commands to enable port forwarding into the Kubernetes cluster from the root of the project directory (your local clone of upstream OSM).
cp .env.example .env
bash <<EOF
./scripts/port-forward-bookbuyer-ui.sh &
./scripts/port-forward-bookstore-ui.sh &
./scripts/port-forward-bookthief-ui.sh &
wait
EOF
Note: To override the default ports, prefix the BOOKBUYER_LOCAL_PORT
, BOOKSTORE_LOCAL_PORT
, and/or BOOKTHIEF_LOCAL_PORT
variable assignments to the port-forward
scripts. For example:
export BOOKBUYER_LOCAL_PORT=7070 BOOKTHIEF_LOCAL_PORT=7073 BOOKSTORE_LOCAL_PORT=7074
bash <<EOF
./scripts/port-forward-bookbuyer-ui.sh &
./scripts/port-forward-bookstore-ui.sh &
./scripts/port-forward-bookthief-ui.sh &
wait
EOF
In a browser, open up the following urls:
- http://localhost:8080 - bookbuyer
- http://localhost:8083 - bookthief
- http://localhost:8084 - bookstore
Position the windows so that you can see all of them at the same time. The header at the top of the webpage indicates the application and version.
Next Steps
Now that the sample applications are running, configure traffic policies between the applications.
Feedback
Was this page helpful?
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.