Creating a deployment and using a Gateway to expose it

In this lab, we will deploy a Hello World application to the cluster. We will create a Deployment, a Service resource, and a VirtualService that binds to the ingress gateway istio-system/public to expose the application on the external IP address.

Let’s enable automatic sidecar injection on the default namespace by adding the label istio-injection=enabled:

kubectl label namespace default istio-injection=enabled

Check that the default namespace contains the label for Istio proxy injection.

kubectl get namespace -L istio-injection
default             Active   19h   enabled
kube-system         Active   19h
kube-public         Active   19h
kube-node-lease     Active   19h
flux-system         Active   19h
bigbang             Active   16h
jaeger              Active   16h   enabled
gatekeeper-system   Active   16h
istio-operator      Active   16h   disabled
logging             Active   16h   enabled
monitoring          Active   16h
kiali               Active   16h   enabled
istio-system        Active   16h
eck-operator        Active   16h

Deploying the Hello-World app

To execute the following steps in a Big Bang deployment, it is necessary to modify the allowed-docker-registries constraint, which initially includes only ["registry1.dso.mil", "registry.dso.mil"]. In dev/configmap.yaml, make the following modifications:

gatekeeper:
  values:
    violations:
      allowedDockerRegistries:
        parameters:
          exemptContainers: []
          repos:
            - registry1.dso.mil
            - registry.dso.mil
            - gcr.io/tetratelabs
            - docker.io/istio
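
A pre-flight check for the allowlist above, as an added example that is not part of the Big Bang documentation: it lists the images a manifest references and reports those the constraint would reject. It assumes the constraint accepts an image when it starts with one of the listed repos, as the upstream Gatekeeper library's K8sAllowedRepos template does; the function names and the sample manifest are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the Big Bang docs): pre-flight image allowlist check.
# Assumption: the constraint accepts an image when it starts with one of the
# listed repos, as the upstream Gatekeeper library's K8sAllowedRepos does.

# Allowlist from the configmap change above, one prefix per line.
ALLOWED_REPOS='registry1.dso.mil
registry.dso.mil
gcr.io/tetratelabs
docker.io/istio'

# list_images FILE: print the value of every "image:" key in a manifest.
list_images() {
  sed -n 's/^[[:space:]-]*image:[[:space:]]*//p' "$1" | tr -d "\"'"
}

# image_allowed IMAGE [REPOS]: succeed if IMAGE starts with an allowed prefix.
image_allowed() {
  for repo in ${2:-$ALLOWED_REPOS}; do
    case $1 in "$repo"*) return 0 ;; esac
  done
  return 1
}

# denied_images FILE [REPOS]: print each image the allowlist would reject.
denied_images() {
  for img in $(list_images "$1"); do
    image_allowed "$img" "${2:-$ALLOWED_REPOS}" || echo "$img"
  done
}

# write_sample FILE: constructed manifest fragment with the lab's image, an
# image from an unlisted registry, and a hypothetical lookalike repo name.
write_sample() {
  cat > "$1" <<'EOF'
containers:
  - image: gcr.io/tetratelabs/hello-world:1.0.0
    imagePullPolicy: Always
  - image: docker.io/library/nginx:1.25
  - image: gcr.io/tetratelabs-mirror/hello-world:1.0.0
EOF
}

sample=$(mktemp)
write_sample "$sample"
echo "Rejected with the list as written:"
denied_images "$sample"
echo "Rejected when every entry ends in '/':"
denied_images "$sample" "$(printf '%s/\n' $ALLOWED_REPOS)"
rm -f "$sample"
```

Under the prefix-matching assumption, ending each entry with a slash (for example gcr.io/tetratelabs/) keeps the allowlist from also admitting repositories whose names merely begin with the same characters.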

The next step is to create the Hello World deployment and service:

apiVersion: apps/v1
kind: Deployment
metadata:
  name: hello-world
  labels:
    app: hello-world
spec:
  replicas: 1
  selector:
    matchLabels:
      app: hello-world
  template:
    metadata:
      labels:
        app: hello-world
    spec:
      containers:
        - image: gcr.io/tetratelabs/hello-world:1.0.0
          imagePullPolicy: Always
          name: svc
          ports:
            - containerPort: 3000
---
kind: Service
apiVersion: v1
metadata:
  name: hello-world
  labels:
    app: hello-world
spec:
  selector:
    app: hello-world
  ports:
    - port: 80
      name: http
      targetPort: 3000

Save the above YAML to hello-world.yaml and create the deployment and service using kubectl apply -f hello-world.yaml. If we look at the created Pods, we will notice two containers running in the hello-world pod. One is the Envoy sidecar proxy, and the second one is the application. We have also created a Kubernetes service called hello-world:

kubectl get po,svc -l=app=hello-world

NAME                              READY   STATUS    RESTARTS   AGE
pod/hello-world-85c8685dd-7n2dw    2/2    Running      0       7m38s

NAME                  TYPE        CLUSTER-IP    EXTERNAL-IP   PORT(S)   AGE
service/hello-world   ClusterIP   10.43.4.118   <none>        80/TCP    7m38s

The next step is to create a VirtualService for the hello-world service and bind it to the Gateway resource:

apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
  name: hello-world
spec:
  hosts:
    - "hello.bigbang.dev"
  gateways:
    - istio-system/public
  http:
    - route:
        - destination:
            host: hello-world.default.svc.cluster.local
            port:
              number: 80

We are matching the value of the hosts field with the hosts defined in the Gateway resource. We have also added the Gateway resource istio-system/public to the gateways array. Finally, we are specifying a single route with a destination that points to the Kubernetes service hello-world.default.svc.cluster.local.

Save the above YAML to vs-hello-world.yaml and create the VirtualService using kubectl apply -f vs-hello-world.yaml. If you look at the deployed VirtualService, you should see output similar to the following:

kubectl get vs
NAME          GATEWAYS                  HOSTS                   AGE
hello-world   ["istio-system/public"]   ["hello.bigbang.dev"]   80m

To reach the host hello.bigbang.dev, it is necessary to add the following line in /etc/hosts:

<public-ip> hello.bigbang.dev

If we run cURL against hello.bigbang.dev or open it in the browser, we will get back a response of Hello World:

curl -v  https://hello.bigbang.dev/
*   Trying 18.222.24.147:443...
* Connected to hello.bigbang.dev (18.222.24.147) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
*  CAfile: /etc/ssl/certs/ca-certificates.crt
*  CApath: none
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.3 (IN), TLS handshake, Encrypted Extensions (8):
* TLSv1.3 (IN), TLS handshake, Certificate (11):
* TLSv1.3 (IN), TLS handshake, CERT verify (15):
* TLSv1.3 (IN), TLS handshake, Finished (20):
* TLSv1.3 (OUT), TLS change cipher, Change cipher spec (1):
* TLSv1.3 (OUT), TLS handshake, Finished (20):
* SSL connection using TLSv1.3 / TLS_AES_256_GCM_SHA384
* ALPN, server accepted to use h2
* Server certificate:
*  subject: CN=*.bigbang.dev
*  start date: Jun 30 08:41:48 2021 GMT
*  expire date: Sep 28 08:41:47 2021 GMT
*  subjectAltName: host "hello.bigbang.dev" matched cert's "*.bigbang.dev"
*  issuer: C=US; O=Let's Encrypt; CN=R3
*  SSL certificate verify ok.
* Using HTTP2, server supports multiplexing
* Connection state changed (HTTP/2 confirmed)
* Copying HTTP/2 data in stream buffer to connection buffer after upgrade: len=0
* Using Stream ID: 1 (easy handle 0x55ae9fff8960)
> GET / HTTP/2
> Host: hello.bigbang.dev
> user-agent: curl/7.78.0
> accept: */*
>
* TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
* TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
* old SSL session ID is stale, removing
* Connection state changed (MAX_CONCURRENT_STREAMS == 2147483647)!
< HTTP/2 200
< date: Mon, 16 Aug 2021 19:48:15 GMT
< content-length: 11
< content-type: text/plain; charset=utf-8
< x-envoy-upstream-service-time: 23
<
* Connection #0 to host hello.bigbang.dev left intact
Hello World

Clean-up

The following commands will clean up your cluster.

Delete the hello-world app. Be sure to run the command from the directory where the hello-world.yaml file is located.

kubectl delete -f hello-world.yaml

Delete the hello-world VirtualService.

kubectl delete -f vs-hello-world.yaml