# Agenda
## Git Clone https://github.com/ilyas-it83/globalazure2021.git
## What are microservices?

## "Services are small in size, messaging-enabled, bounded by contexts, autonomously developed, independently deployable, decentralized and built and released with automated processes" - Wikipedia

## Intro to Service Mesh

## A service mesh is a dedicated infrastructure layer for facilitating service-to-service communications between services or microservices, using a proxy.


![Intro to Service Mesh](https://res.cloudinary.com/stackrox/v1564617364/servicemesh2_my8hwn.png "Intro to Service Mesh")

## How does it work

![Intro to Service Mesh](https://www.redhat.com/cms/managed-files/service-mesh-1680.png "Intro to Service Mesh")

![Intro to Service Mesh](https://dz2cdn1.dzone.com/storage/article-thumb/11927340-thumb.jpg "Intro to Service Mesh")

Source: DZone

## Intro to Istio

- Open source service mesh that helps to run distributed, microservices-based apps anywhere.

- Why use Istio? Istio enables developers to 
  - secure
  - connect
  - monitor microservices

![Istio architecture](https://istio.io/latest/docs/ops/deployment/architecture/arch.svg "Istio architecture")


## Features of Istio

## Traffic Management

#### - Request routing
#### - Fault injection
#### - Traffic shifting
#### - Querying metrics
#### - Visualizing metrics
#### - Accessing external services
#### - Visualizing your mesh
  
![Traffic Management](https://istio.io/v1.1/docs/concepts/traffic-management/TrafficManagementOverview.svg)

## Security
#### - Identity and certificate management
#### - Authentication
#### - Authorization  
![Security Management](https://istio.io/v1.3/docs/concepts/security/overview.svg)

## Observability
#### - Metrics (latency, traffic, errors, and saturation)
#### - Distributed traces
#### - Access Logs
  
![Observability -fullwidth](https://istio.io/v1.6/docs/tasks/observability/kiali/kiali-graph.png)

## Pre-Requisites

1. Kubernetes cluster (e.g. minikube, Docker Desktop with Kubernetes enabled, or Azure Kubernetes Service)
2. Docker
3. Helm (optional)
4. Istio

In [1]:
!kubectl version && docker version && helm version && istioctl version

Client Version: version.Info{Major:"1", Minor:"19", GitVersion:"v1.19.7", GitCommit:"1dd5338295409edcfff11505e7bb246f0d325d15", GitTreeState:"clean", BuildDate:"2021-01-13T13:23:52Z", GoVersion:"go1.15.5", Compiler:"gc", Platform:"windows/amd64"}
Server Version: version.Info{Major:"1", Minor:"19", GitVersion:"v1.19.7", GitCommit:"1dd5338295409edcfff11505e7bb246f0d325d15", GitTreeState:"clean", BuildDate:"2021-01-13T13:15:20Z", GoVersion:"go1.15.5", Compiler:"gc", Platform:"linux/amd64"}
Client:
 Cloud integration: 1.0.14
 Version:           20.10.6
 API version:       1.41
 Go version:        go1.16.3
 Git commit:        370c289
 Built:             Fri Apr  9 22:49:36 2021
 OS/Arch:           windows/amd64
 Context:           default
 Experimental:      true

Server: Docker Engine - Community
 Engine:
  Version:          20.10.6
  API version:      1.41 (minimum version 1.12)
  Go version:       go1.13.15
  Git commit:       8728dd2
  Built:            Fri Apr  9 22:44:56 2021
  OS/Arc

## Istio Setup

```bash {cmd}
# Linux (preferred): download the latest Istio release and the istioctl binary
curl -L https://istio.io/downloadIstio | sh -

# Windows: download and unzip https://github.com/istio/istio/releases/tag/1.9.2
# and add istioctl.exe to the PATH, or install it with Chocolatey:
choco install istioctl
```


## Getting Started - Demo

### About the sample app

![Bookinfo sample application without Istio](https://istio.io/latest/docs/examples/bookinfo/noistio.svg "Bookinfo sample application without Istio")

Reference: https://istio.io/latest/docs/examples/bookinfo/


In [2]:
# Install the demo profile
!istioctl install --set profile=demo -y

Detected that your cluster does not support third party JWT authentication. Falling back to less secure first party JWT. See https://istio.io/v1.8/docs/ops/best-practices/security/#configure-third-party-service-account-tokens for details.



- Processing resources for Istio core.
✔ Istio core installed
- Processing resources for Istiod.
- Processing resources for Istiod. Waiting for Deployment/istio-system/istiod
✔ Istiod installed
- Processing resources for Egress gateways, Ingress gateways.
- Processing resources for Egress gateways, Ingress gateways. Waiting for Deployment/istio-system...
✔ Egress gateways installed
✔ Ingress gateways installed
- Pruning removed resources
✔ Installation complete


In [3]:
# Verify Istio 
!istioctl verify-install

ClusterRole: istiod-istio-system.default checked successfully
ClusterRole: istio-reader-istio-system.default checked successfully
ClusterRoleBinding: istio-reader-istio-system.default checked successfully
ClusterRoleBinding: istiod-istio-system.default checked successfully
Role: istiod-istio-system.istio-system checked successfully
RoleBinding: istiod-istio-system.istio-system checked successfully
ServiceAccount: istio-reader-service-account.istio-system checked successfully
ServiceAccount: istiod-service-account.istio-system checked successfully
ValidatingWebhookConfiguration: istiod-istio-system.default checked successfully
CustomResourceDefinition: destinationrules.networking.istio.io.default checked successfully
CustomResourceDefinition: envoyfilters.networking.istio.io.default checked successfully
CustomResourceDefinition: gateways.networking.istio.io.default checked successfully
CustomResourceDefinition: serviceentries.networking.istio.io.default checked successfully
CustomResour

In [None]:
!kubectl get all -n istio-system

In [4]:
# Create namespace
!kubectl create ns istiodemo

namespace/istiodemo created


In [5]:
# Set the namespace
!kubectl config set-context --current --namespace=istiodemo

Context "docker-desktop" modified.


In [6]:
# Validate it
!kubectl config view --minify | grep namespace:

    namespace: istiodemo


In [7]:
# Add label to the target namespace to enable automatic side-car injection
!kubectl label namespace istiodemo istio-injection=enabled

namespace/istiodemo labeled


In [8]:
# Check the labels attached to the namespace
!kubectl get ns istiodemo --show-labels

NAME        STATUS   AGE   LABELS
istiodemo   Active   67s   istio-injection=enabled


In [9]:
# Deploy the sample application
!kubectl apply -f 1_bookinfo.yaml -n istiodemo

service/details created
serviceaccount/bookinfo-details created
deployment.apps/details-v1 created
service/ratings created
serviceaccount/bookinfo-ratings created
deployment.apps/ratings-v1 created
service/reviews created
serviceaccount/bookinfo-reviews created
deployment.apps/reviews-v1 created
deployment.apps/reviews-v2 created
deployment.apps/reviews-v3 created
service/productpage created
serviceaccount/bookinfo-productpage created
deployment.apps/productpage-v1 created


In [11]:
# Check if all the pods,services are up and running
!kubectl get all -n istiodemo

NAME                                  READY   STATUS    RESTARTS   AGE
pod/details-v1-79f774bdb9-5gm66       2/2     Running   0          57s
pod/productpage-v1-6b746f74dc-s8qbp   2/2     Running   0          56s
pod/ratings-v1-b6994bb9-gnf8l         2/2     Running   0          57s
pod/reviews-v1-545db77b95-nkl8f       2/2     Running   0          57s
pod/reviews-v2-7bf8c9648f-bns2s       2/2     Running   0          57s
pod/reviews-v3-84779c7bbc-pkjdb       2/2     Running   0          57s

NAME                  TYPE        CLUSTER-IP       EXTERNAL-IP   PORT(S)    AGE
service/details       ClusterIP   10.102.105.49    <none>        9080/TCP   57s
service/productpage   ClusterIP   10.102.106.103   <none>        9080/TCP   57s
service/ratings       ClusterIP   10.111.64.88     <none>        9080/TCP   57s
service/reviews       ClusterIP   10.99.230.238    <none>        9080/TCP   57s

NAME                             READY   UP-TO-DATE   AVAILABLE   AGE
deployment.apps/details-v1     

In [13]:
!kubectl apply -f 2_bookinfo-gateway.yaml -n istiodemo

gateway.networking.istio.io/bookinfo-gateway created
virtualservice.networking.istio.io/bookinfo created


In [None]:
# Check if there is any issue with the ingress
!istioctl analyze -n istiodemo

In [12]:
# Getting Ingress IP & Port
!kubectl get svc istio-ingressgateway -n istio-system

NAME                   TYPE           CLUSTER-IP      EXTERNAL-IP   PORT(S)                                                                      AGE
istio-ingressgateway   LoadBalancer   10.106.69.192   localhost     15021:31219/TCP,80:31859/TCP,443:31554/TCP,31400:32100/TCP,15443:30968/TCP   6m35s


In [None]:
#Check the application
!curl -sS http://localhost/productpage | grep -o "<title>.*</title>"

#http://localhost/productpage

## Traffic Management - Demo

### Request routing

Apply the destination rules (subsets) first, then the virtual services that route to them.

In [14]:
!kubectl apply -f traffic/destination-rule-all.yaml

destinationrule.networking.istio.io/productpage created
destinationrule.networking.istio.io/reviews created
destinationrule.networking.istio.io/ratings created
destinationrule.networking.istio.io/details created


In [15]:
!kubectl apply -f traffic/virtual-service-all-v1.yaml

virtualservice.networking.istio.io/productpage created
virtualservice.networking.istio.io/reviews created
virtualservice.networking.istio.io/ratings created
virtualservice.networking.istio.io/details created


In [16]:
#HTTP Header based routing
!kubectl apply -f traffic/virtual-service-reviews-test-v2.yaml

virtualservice.networking.istio.io/reviews configured


In [17]:
# Traffic shifting: first reset all routes to v1
!kubectl apply -f traffic/virtual-service-all-v1.yaml

virtualservice.networking.istio.io/productpage unchanged
virtualservice.networking.istio.io/reviews configured
virtualservice.networking.istio.io/ratings unchanged
virtualservice.networking.istio.io/details unchanged


In [18]:
!kubectl apply -f traffic/virtual-service-reviews-50-v3.yaml

virtualservice.networking.istio.io/reviews configured


In [None]:
!kubectl apply -f traffic/virtual-service-reviews-80-20.yaml

In [None]:
!kubectl apply -f traffic/virtual-service-reviews-90-10.yaml

In [None]:
## 100% routing
!kubectl apply -f traffic/virtual-service-reviews-v3.yaml
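As an added illustration (not the repository's own traffic/*.yaml files, which are not shown above), this is what the reviews VirtualService looks like when the header-based routing step and the traffic-shifting step are combined in one resource: the logged-in user "jason" is pinned to v2, everyone else is split 50/50 between v1 and v3. The DestinationRule defining the subsets is assumed to match the one applied earlier; keep the weights of a route summing to 100, and change them to 80/20, 90/10 and finally 100 on v3 to finish the rollout.

```yaml
apiVersion: networking.istio.io/v1alpha3
kind: DestinationRule
metadata:
  name: reviews
  namespace: istiodemo
spec:
  host: reviews
  subsets:
  - name: v1
    labels:
      version: v1
  - name: v2
    labels:
      version: v2
  - name: v3
    labels:
      version: v3
---
apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
  name: reviews
  namespace: istiodemo
spec:
  hosts:
  - reviews
  http:
  # Request routing: productpage forwards the end-user header, so the
  # matching rule sends user "jason" to reviews v2 (black stars) only.
  - match:
    - headers:
        end-user:
          exact: jason
    route:
    - destination:
        host: reviews
        subset: v2
  # Traffic shifting for all other requests: the two weights add up to
  # 100; a request with no match above falls through to this route.
  - route:
    - destination:
        host: reviews
        subset: v1
      weight: 50
    - destination:
        host: reviews
        subset: v3
      weight: 50
```

Reloading /productpage repeatedly as an anonymous user should show red stars (v3) on about half the requests, while logging in as jason should always show black stars (v2).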

## Fault injection

In [None]:
!kubectl apply -f traffic/virtual-service-reviews-v3.yaml

In [None]:
!kubectl apply -f traffic/virtual-service-ratings-test-abort.yaml
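Added example of the fault-injection step (an assumed equivalent of virtual-service-ratings-test-abort.yaml, which is not shown above): only requests carrying the end-user "jason" header get an HTTP 500 from the ratings service, so the failure mode of reviews v3 can be exercised without affecting anyone else. The ratings DestinationRule with subset v1 is assumed to exist from the earlier step.

```yaml
apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
  name: ratings
  namespace: istiodemo
spec:
  hosts:
  - ratings
  http:
  # Fault only for the test user: 100% of jason's calls to ratings are
  # aborted with a 500 by the sidecar before reaching the application.
  - match:
    - headers:
        end-user:
          exact: jason
    fault:
      abort:
        percentage:
          value: 100.0
        httpStatus: 500
    route:
    - destination:
        host: ratings
        subset: v1
  # Everyone else keeps the normal v1 ratings service.
  - route:
    - destination:
        host: ratings
        subset: v1
```

With this applied and reviews pinned to v3, the product page for jason should display "Ratings service is currently unavailable" instead of star ratings, which shows that reviews v3 handles the upstream error rather than failing the whole page.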

## Observability - Demo

In [None]:
!kubectl apply -f observability/

In [None]:
! ./loadgen.sh

In [None]:
## Run Istioctl dashboards

!istioctl dashboard

!istioctl dashboard kiali
!istioctl dashboard grafana
!istioctl dashboard jaeger
!istioctl dashboard envoy
!istioctl dashboard prometheus

## Security - Demo

In [None]:
!kubectl create ns foo
!kubectl create ns bar
!kubectl create ns legacy

!kubectl label namespace foo istio-injection=enabled
!kubectl label namespace bar istio-injection=enabled

!kubectl apply -f security/mtls/httpbin.yaml -n foo
!kubectl apply -f security/mtls/sleep.yaml -n foo

!kubectl apply -f security/mtls/httpbin.yaml -n bar
!kubectl apply -f security/mtls/sleep.yaml -n bar


!kubectl apply -f security/mtls/sleep.yaml -n legacy

#for from in "foo" "bar" "legacy"; do for to in "foo" "bar" "legacy"; do kubectl exec "$(kubectl get pod -l app=sleep -n ${from} -o jsonpath={.items..metadata.name})" -c sleep -n ${from} -- curl "http://httpbin.${to}:8000/ip" -s  -w "sleep.${from} to httpbin.${to}: %{http_code}\n"; done; done

!kubectl apply -f security/mtls/mesh-mtls.yaml -n foo

!kubectl exec "$(kubectl get pod -l app=sleep -n foo -o jsonpath={.items..metadata.name})" -c sleep -n foo -- curl -s http://httpbin.foo:8000/headers

!kubectl exec "$(kubectl get pod -l app=sleep -n foo -o jsonpath={.items..metadata.name})" -c sleep -n foo -- curl http://httpbin.legacy:8000/headers -s
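Added example, not the repository's security/mtls/mesh-mtls.yaml (which is not shown above): two ways to turn the default PERMISSIVE mode, under which the loop above reports 200 for every pair, into STRICT mutual TLS. The namespace-scoped policy only affects workloads in foo; the mesh-wide one (name `default` in the root namespace istio-system) covers every sidecar. After either is applied, `sleep.legacy -> httpbin.foo` fails because the plaintext request is rejected, while `sleep.foo -> httpbin.legacy` still works because httpbin.legacy has no sidecar to require TLS.

```yaml
# Namespace-scoped: only workloads in foo must present a client certificate.
apiVersion: security.istio.io/v1beta1
kind: PeerAuthentication
metadata:
  name: default
  namespace: foo
spec:
  mtls:
    mode: STRICT
---
# Mesh-wide: a PeerAuthentication named "default" in the root namespace
# applies to every sidecar that has no more specific policy.
apiVersion: security.istio.io/v1beta1
kind: PeerAuthentication
metadata:
  name: default
  namespace: istio-system
spec:
  mtls:
    mode: STRICT
```

The /headers output from httpbin.foo then contains an X-Forwarded-Client-Cert header populated by the receiving sidecar, which is the visible proof that the hop was mTLS; the same call to httpbin.legacy shows no such header.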

## JWT Validation


In [None]:
!kubectl apply -f security/jwt/httpbin-gateway.yaml -n foo

#http://localhost:80

!kubectl apply -f security/jwt/auth-policy.yaml -n istio-system

!curl "http://localhost:80/headers" -s -o /dev/null -w "%{http_code}\n"

!curl --header "Authorization: Bearer deadbeef" "http://localhost:80/headers" -s -o /dev/null -w "%{http_code}\n"

!curl --header "Authorization: Bearer eyJhbGciOiJSUzI1NiIsImtpZCI6IkRIRmJwb0lVcXJZOHQyenBBMnFYZkNtcjVWTzVaRXI0UnpIVV8tZW52dlEiLCJ0eXAiOiJKV1QifQ.eyJleHAiOjQ2ODU5ODk3MDAsImZvbyI6ImJhciIsImlhdCI6MTUzMjM4OTcwMCwiaXNzIjoidGVzdGluZ0BzZWN1cmUuaXN0aW8uaW8iLCJzdWIiOiJ0ZXN0aW5nQHNlY3VyZS5pc3Rpby5pbyJ9.CfNnxWP2tcnR9q0vxyxweaF3ovQYHYZl82hAUsn21bwQd9zP7c-LS9qd_vpdLG4Tn1A15NxfCjp5f7QNBUo-KC9PJqYpgGbaXhaGx7bEdFWjcwv3nZzvc7M__ZpaCERdwU7igUmJqYGBYQ51vr2njU9ZimyKkfDe3axcyiBZde7G6dabliUosJvvKOPcKIWPccCgefSj_GNfwIip3-SsFdlR7BtbVUcqR-yv-XOxJ3Uc1MI0tz3uMiiZcyPV7sNCU4KRnemRIMHVOfuvHsU60_GhGbiSFzgPTAa9WTltbnarTbxudb_YEOx12JiwYToeX0DCPb43W1tzIBxgm8NxUg" "http://localhost:80/headers" -s -o /dev/null -w "%{http_code}\n"
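Added example of the two resources behind the three curl calls above (an assumed equivalent of security/jwt/auth-policy.yaml, which is not shown). The issuer matches the `iss` claim of the token on the page; the jwksUri is the Istio sample key set used by the Istio JWT task. The important caveat is that RequestAuthentication by itself only rejects requests whose token is invalid (the `deadbeef` call gets 401); a request with no token at all is still allowed through, so the AuthorizationPolicy is what turns a missing token into a 403.

```yaml
# Validate JWTs at the ingress gateway; the selector targets the gateway
# pods created by the demo profile.
apiVersion: security.istio.io/v1beta1
kind: RequestAuthentication
metadata:
  name: jwt-example
  namespace: istio-system
spec:
  selector:
    matchLabels:
      istio: ingressgateway
  jwtRules:
  - issuer: "testing@secure.istio.io"
    jwksUri: "https://raw.githubusercontent.com/istio/istio/release-1.9/security/tools/jwt/samples/jwks.json"
---
# Deny any request that carries no validated principal, i.e. no token.
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: frontend-ingress
  namespace: istio-system
spec:
  selector:
    matchLabels:
      istio: ingressgateway
  action: DENY
  rules:
  - from:
    - source:
        notRequestPrincipals: ["*"]
```

Expected results for the three calls above: no token 403, bogus token 401, the sample token 200 (it has an `exp` far in the future, which is why the demo token still validates).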

### Next step - Getting started
https://istio.io/latest/docs/setup/getting-started/

### Sources
- https://en.wikipedia.org/wiki/Service_mesh
- https://www.redhat.com/en/topics/microservices/what-is-a-service-mesh
- https://www.stackrox.com/post/2019/06/getting-started-with-istio-service-mesh-what-is-it-and-what-does-it-do/