- Overview
- Configure Prerequisites
- Install OSM CLI
- Install OSM Control Plane
- Deploying the Bookstore Demo Applications
- Deploy SMI Access Control Policies
- Traffic Encryption
- Configure Traffic Split between Services
- Inspect Dashbaords
The OSM Manual Install Demo Guide is designed to quickly allow you to demo and experience the OSM mesh.
- Kubernetes cluster running Kubernetes v1.15.0 or greater
- Have
kubectlCLI installed - Install and Set Up Kubectl - kubectl current context is configured for the target cluster install
kubectl config current-context
- Have a local clone of the OSM GitHub Repo
git clone https://github.com/openservicemesh/osm.gitcd osm
Use the installation guide to install the osm cli.
osm installThe Bookstore, Bookbuyer, Bookthief, Bookwarehouse demo applications will be installed in their respective Kubernetes Namespaces. In order for these applications to be injected with a Envoy sidecar automatically, we must add the Namespaces to be monitored by the mesh.
for i in bookstore bookbuyer bookthief bookwarehouse; do kubectl create ns $i; doneosm namespace add bookstore bookbuyer bookthief bookwarehouse --enable-sidecar-injectionInstall Bookstore, Bookbuyer, Bookthief, Bookwarehouse.
kubectl apply -f docs/example/manifests/apps/The following are the key components of the demo application:
- A Kubernetes Deployment, Kubernetes Service, and Kubernetes ServiceAccount for each application.
- A root service called
bookstorewhich other applications will use to direct traffic to the Bookbuyer application. - An SMI TrafficSplit resource which specifies how much traffic should go to each version of
Bookstore.
To view these resources on your cluster, run the following commands:
kubectl get svc --all-namespaces
kubectl get deploy --all-namespaces
kubectl get trafficsplit -n bookstore
A simple topology view of the Bookstore application looks like the following:
Note: At the moment, you must configure a TrafficSplit object to get your applications set up correctly for inbound traffic because it helps us properly configure the dataplane. We're working on removing the need for this entirely. #1370
We will now setup client port forwarding, so we can access the services in the Kubernetes cluster. It is best to start a new terminal session for running the port forwarding script to maintain the port forwarding session, while using the original terminal to continue to issue commands. The port-forward-all.sh script will look for a ".env" file for variables. The ".env" creates the necessary variables that target the previously created namespaces. We will use the reference .env.examples file and then run the port forwarding script.
In a new terminal session, run the following commands to enable port forwarding into the Kubernetes cluster.
cp .env.example .env
./scripts/port-forward-all.shNote: To override the default ports, prefix the BOOKBUYER_LOCAL_PORT, BOOKSTOREv1_LOCAL_PORT, BOOKSTOREv2_LOCAL_PORT, and/or BOOKTHIEF_LOCAL_PORT variable assignments to the port-forward scripts. For example:
BOOKBUYER_LOCAL_PORT=7070 BOOKSTOREv1_LOCAL_PORT=7071 BOOKSTOREv2_LOCAL_PORT=7072 BOOKTHIEF_LOCAL_PORT=7073 ./scripts/port-forward-all.shIn a browser, open up the following urls:
- http://localhost:8080 - Bookbuyer
- http://localhost:8081 - bookstore-v1
- http://localhost:8082 - bookstore-v2
- Note: This page will not be available at this time in the demo. This will become available during the Traffic Split Configuration
- http://localhost:8083 - bookthief
Position the windows so that you can see all four at the same time. The header at the top of the webpage indicates the application and version.
At this point, no applications have access to each other because no access control policies have been applied. Confirm this by confirming that none of the counters in the UI are incrementing. Apply the SMI Traffic Target and SMI Traffic Specs resources to define access control policies below:
kubectl create -f docs/example/manifests/access/The counters should now be incrementing for the Bookbuyer, and Bookstore-v1 applications:
- http://localhost:8080 - Bookbuyer
- http://localhost:8081 - bookstore-v1
Currently the Bookthief application has not been authorized to participate in the service mesh communication. We will now uncomment out the lines in the docs/example/manifests/access/traffic-access.yaml to allow Bookthief to communicate with Bookstore. Then, re-apply the manifest and watch the change in policy propagate.
Current TrafficTarget spec with commented Bookthief kind:
kind: TrafficTarget
apiVersion: access.smi-spec.io/v1alpha2
metadata:
name: bookstore-v1
namespace: bookstore
spec:
destination:
kind: ServiceAccount
name: bookstore-v1
namespace: bookstore
rules:
- kind: HTTPRouteGroup
name: bookstore-service-routes
matches:
- buy-a-book
- books-bought
sources:
- kind: ServiceAccount
name: bookbuyer
namespace: bookbuyer
#- kind: ServiceAccount
#name: bookthief
#namespace: bookthief
Updated TrafficTarget spec with uncommented Bookthief kind:
kind: TrafficTarget
apiVersion: access.smi-spec.io/v1alpha2
metadata:
name: bookstore-v1
namespace: bookstore
spec:
destination:
kind: ServiceAccount
name: bookstore-v1
namespace: bookstore
rules:
- kind: HTTPRouteGroup
name: bookstore-service-routes
matches:
- buy-a-book
- books-bought
sources:
- kind: ServiceAccount
name: bookbuyer
namespace: bookbuyer
- kind: ServiceAccount
name: bookthief
namespace: bookthief
Re-apply the access manifest with the updates.
kubectl apply -f docs/example/manifests/access/The counter in the Bookthief window will start incrementing.
- http://localhost:8083 - bookthief
Note: Bypass setting up and using access control policies entirely by enabling permissive traffic policy mode when installing a control plane: osm install --enable-permissive-traffic-policy
All traffic is encrypted via mTLS regardless of whether you're using access control policies or have enabled permissive traffic policy mode.
We will now demonstrate how to balance traffic between two Kubernetes services, commonly known as a traffic split. We will be splitting the traffic between the bookstore-v1 service and the bookstore-v2 service. The bookstore-v1 service is currently deployed. We will deploy the bookstore-v2 service of the Bookstore app. Once the bookstore-v2 service is deployed we will then apply the updated TrafficSplit configuration between the two services.
A Kubernetes Service, ServiceAccount, and Deployment and SMI TrafficTarget for bookstore-v2 will be applied with the following command:
kubectl apply -f docs/example/manifests/bookstore-v2/Browse to http://localhost:8082. You should see the bookstore-v2 heading in your browser window. NOTE Please exit and restart the ./scripts/port-forward-all.sh script in order to access v2 of Bookstore.
After restarting the port forwarding script, you should now be able to access the bookstore-v2 application at http://localhost:8082. The count for the books sold should remain at 0, this is because the current traffic split policy is currently weighted 100% for bookstore-v1. You can verify the traffic split policy by running the following and viewing the Backends properties:
kubectl describe trafficsplit bookstore-split -n bookstore
An updated SMI TrafficSplit policy for bookstore Service configuring all traffic to go to bookstore-v2 will be applied using the following command:
kubectl apply -f docs/example/manifests/split-v2/Wait for the changes to propagate and observe the counters increment for bookstore-v2 in your browser windows. Modify the weight fields in manifests/split-v2/traffic-split-v2.yaml and re-apply changes to experiment.
- http://localhost:8082 - bookstore-v2
OSM ships with a set of pre-configured Grafana dashboards. NOTE If you still have the additional terminal still running the ./scripts/port-forward-all.sh script, go ahead and CTRL+C to terminate the port forwarding. The osm dashboard port redirection will not work simultaneously with the port forwarding script still running. The osm dashboard can be viewed with the following command:
$ osm dashboardSimply navigate to http://localhost:3000 to access the Grafana dashboards. The default user name is admin and the default password is admin. On the Grafana homepage click on the Home icon, you will see a folders containing dashboards for both OSM Control Plan and OSM Data Plane.