►
From YouTube: Workshop Deploy Istio for Production
Description
This workshop series is for those looking to learn more about how Istio works and how to operationalize it for their organization. In this first of a two-part series of workshops on operationalizing Istio service mesh, we dive into Istio foundations with a focus on understanding how it all works and how to roll it out to your organization.
A
A
Cool
all
right.
Well,
why
don't?
We
get
started?
First
of
all,
welcome
to
the
the
istio
day,
two
series
of
workshops.
This
is
the
first
one
and
this
one's
called
deploying
istio
for
production
and
in
this
workshop,
we're
going
to
get
hands-on
with
istio
some
of
its
constituent
pieces
and
understand
how
to
deploy
sdf
production.
Now
you're
going
to
see
differences
in
how
the
community
documentation
presents
istio
and
that's
on
purpose.
A
The
community
is
a
you
know,
sort
of
the
docs
there
are
for
for
everyone
and
any
possible
kind
of
you
know:
there's
reference
documentation,
there's
concept,
documentation,
there's
the
install
documentation,
parts
of
which
you
know
focus
on
user
experience
and
getting
started,
and
that's
slightly
different
than
what
we're
doing
here.
So
you
will
see
some
differences
and
that's
why?
A
Because
what
we're
doing
here
is
we're
taking
our
experience
and
the
expertise
that
we
have
here
at
solo,
supporting
and
working
with
our
customers,
our
prospects,
our
community
users
and,
of
course,
building
products
on
top
of
istio
and
with
istio,
and
what
we're
doing
is
we're
sharing
some
of
that
learning
and
some
of
that
experience
with
you
all
right.
So
there's
a
lot
of,
I
would
say,
blood,
sweat
and
tears
that
have
gone
into
learning
and
understanding
and
debugging
and
otherwise
figuring
out
these.
These
things
that
we're
going
to
dig
into
here.
A
A
C
Thank
you,
christian
hi,
everyone.
Yes,
like
christian,
said,
I
joined
solo
about
a
month
ago.
I've
been
contributing
to
istio
since
the
beginning
of
the
project.
My
passion
is
really
helping
istio
successful
and
help
you
guys
adopt
issue
next,
I'd
like
to
turn
into
rom,
who
is
also
recently
new
to
solo.
D
That's
right,
I
joined
solo.
This
is
it's
been
eight
days,
so
this
is
my
second
week
very
excited
to
be
here.
I
also
come
from
ibm
where
I
was
a
technical
product
manager
and
developer
advocate
and
I'm
focused
on
kubernetes
and
istio,
so
I
helped
a
lot
of
users.
You
know
adopt
cloud
native
technology
cloud,
foundry,
kubernetes
and
I've
been
working
on
istio
for
the
last
year
and
a
half
to
two
years
so
really
excited
to
be
here
and
continue
that
work.
A
A
So
the
first
thing
I
want
to
point
out
is
that
I'm
gonna
the
the
what
you
can
expect
from
this
workshop,
we're
gonna
start
off
with
the
first,
probably
15
minutes
or
so
setting
some
backdrop
setting
some
context,
giving
you
an
overview
of
of
what
we're
doing
here
at
solo
and
what
what
to
expect
from
this
this
workshop.
Another
point
that
I
want
to
make
is
that,
if
you're
familiar
with
this
deal,
if
you're,
if
you're
learning-
you
said
this
is
not
a
steal
101
per
se
type
type
workshop-
this
is
a
you
know.
A
A
A
But
what
we
focus
on,
I
guess
like
I
was
trying
to
allude
to
earlier-
is
helping
organizations
modernize
their
architectures
so
that
they
can
deliver
software
faster,
deploying
kubernetes,
get
ops.
You
know
fancy
telemetry
systems,
whatever
that's
all
good,
but
when
you
deploy
your
applications,
they
need
to
interact
with
each
other.
A
They
need
to
communicate
with
each
other
and
they
do
that
over
the
network,
and
that
involves
opening
up
tcp
connections
and
sending
messages
and
expecting
responses,
and
you
know
figuring
out
how
to
talk
to
various
services,
knowing
full
well
that
the
network
is
not
reliable.
The
network
is
not
secure.
The
network
does
not
guarantee
you
anything
in
terms
of
time
and
we
have
to
build
our
applications
to
be
resilient,
because
if
we
don't,
then
we
end
up
building
this
distributed
system.
A
That
any
little
piece
starts
to
fault
will
start
to
cascade
and
take
everything
down,
and
that's
we
do
not
want
that.
We
want
to
take
advantage
of
the
cloud
platforms
that
we
have
in
terms
of
the
scaling,
their
dynamicism
being
able
to
be
highly
available
and
react
appropriately
when
things
start
to
fail
and
isolate
those
failures,
identify
those
failures
and
fix
them
as
quickly
as
possible,
and
so
what
we're
doing
at
solo
is
we're
building
the
application
level
networking
pieces
that
allow
services
to
connect
with
each
other
do
that.
A
A
Now
and
then
here,
why
don't?
We
just
jump
right
to
what
an
architecture
diagram
might
look
like
where
we
have
this
decentralized
infrastructure
based
on
envoy
and
things
like
istio,
which
we'll
see
in
this
workshop,
and
you
know
what
we're
building
is
the
the
management
and
automation
pieces
to
help.
A
You
simplify
and
successfully
deploy
a
platform
like
that,
including,
and
you
know
how
your
developers
express
their
apis,
how
they
consume
those
apis
document
them
and
any
of
the
automation
that
is
involved
in
exposing
those
apis
and
exposing
them
to
only
the
designated
consumers
of
those
those
apis.
So.
A
Take
on
api
management,
it
flips
the
entire
paradigm
on
its
head,
where,
in
the
past
we
had
these
monolithic
hardware,
load,
balancers,
monolithic,
api
management
systems,
everything
was
bundled
in
massive
databases.
Everything
centralized
and
now
we're
decentralizing
some
of
these
enforcement
points,
while
keeping
and
balancing
some
of
the
the
centralization
around
around
the
management.
So
that's
what
we're
doing
here
at
solo
definitely
check
it
out,
like
I
said,
we're
hiring.
A
You
know,
industry
reasons,
geographical
reasons,
why
cert
by
a
cloud
service
can't
just
decide
to
talk
to
whatever
services
on
on-prem
that
it
wants
to
right
and
we
want
to.
We
want
to
control
and
lock
that
down,
and
then
the
last
and
important
piece
is
that
the
service
mesh
provides
an
api
for
actually
implementing
this
and
controlling.
B
A
At
runtime
dynamically
all
right,
so
we're
not
going
out
and
pushing
configuration
files
and
bouncing
proxies
and
bouncing
servers,
and
we
have.
We
have
an
api
that
the
operator
can
use
to
dynamically
configure
and
and
and
define
what
the
rules
are
for
traffic
in
between
the
the
applications.
Using
this
using
this
api,
and
this.
A
A
We
use
a
control
plane
to
control
the
individual
workloads
in
a
particular
mesh
in
a
particular
mesh
boundary
and
when
we
get
to
multi-cluster
and
all
this
other
stuff,
that
gets
a
little
bit
more
complicated,
but
for
what
we're
doing
here
in
this
workshop,
this
is,
if
you
understand
this
part
of
what
a
service
mesh
is.
If
you
understand
what
these
features
are,
that
a
service
mesh
provides,
then
you
should
be.
You
should
be
good
to
go
now.
Istio
is
what
we're
going
to
be
covering
today.
A
Istio
is
the
most
popular
most
dominantly
deployed
in
production
service
mesh
in
the
world.
You
know
all
of
us
on
on
the
call
been
following
istio
for
quite
a
long
time
and
watching
the
market
evolve,
and
we
can
say
you
know
I
guess
anecdotally,
but
what
what
we've
seen
over
the
last
eight
months
is
that
service
mesh
is
real.
A
So,
as
I
mentioned
earlier,
glue
meshes
our
service
mesh
product,
and
that
includes
istio,
upstream
support,
and
so
we
we
do
have
builds
of
istio
based
on
upstream
there's.
Some
deviation
when
it
comes
to
building
for
fips
and
arm,
and
some
of
these
specialty
builds,
but
otherwise
it's
upstream
there
might
be
some
deviation.
When
you
run
in
production,
we
have
to
patch
it
for
you.
So
between
the
time
we
patch
it
for
you
and
we
bring
those
patches
upstream.
There
might
be
some
deviation
and
then
we
also
support
long
term.
A
Otherwise,
it's
upstream,
you
can
use
the
same
seo
tooling,
there's
no
extra
clies
or
any
any
other
additional
stuff.
You
need
to
use
it
and
you
have
the
backing
of
of
a
a
company.
That's
built
entirely
around
service
mesh
with
the
expertise,
and
you
know
the
the
ability
to
influence
in
in
the
community
to
to
support
it.
Basically,
we
support
it
with
enterprise
slas
step
one.
A
We,
you
know
things
break,
whether
it's
onboard
proxy
or
the
control
plane
itself
or
anything
in
between
we
support
it
and,
along
with
our
support,
comes
architectural
guidance
and
best
practices,
and
you
know
ability
to
ask
questions
and
bounce
ideas
off
of
our
our
team
of
extremely
experienced
service
mesh
engineers
so
glue
mesh
is
the
product.
As
I
mentioned,
glue
mesh
is
oriented
around
simplifying
istio
operating
it
across
multiple
clusters.
A
Things
like
operating
across
multiple
versions,
doing
global
routing,
global
failover
and
and
routing
enforcing
security
policies,
doing
a
lot
of
automation
and
so
on.
Like
I
said,
there's
there's
a
there's
another
workshop
going
on
right
now
that
digs
deeper
into
glue
mesh,
but
you
know
so
we'll
move
through
that
a
little
bit
and
so
with
glue
mesh.
What
we
have
is
supported,
istio
with
a
management
plane
that
simplifies
the
operations,
simplifies
the
api.
A
A
You
know,
focus
an
api
on
per
specific
personas,
maybe
a
different
platform
team
or
sre
teams
or
developer
teams,
and
and
so
on,
each
with
their
own
unique
desires
for
the
functionality
in
the
service,
mesh
or
designers
for
how
they
want
to
configure
the
service
mesh.
And
so
we've
worked
with
a
lot
of
customers.
A
A
If
you
look
in
your
tabs
on
the
on
this
gold
cast
platform,
there
is
a
tab
for
docs
click
on
docs
and
the
I
think
the
bottom
entry
in
the
docs
tab
here
says
sign
up
for
lab
machine,
and
let
me
see
why
don't
we?
I
just
try
to
do
it
right
here
right.
So
you
click
on
docs
click
sign
up
for
lab
machine
that
should
take
you
to
a
spreadsheet.
A
Now
this
spreadsheet
has
a
long
list
of
ip
addresses,
as
well
as
the
region
in
which
those
ipa
addresses
or
those
those
machines
are
listed,
pick
a
machine
that
most
closely
aligns
with
your
region,
whether
that's
in
you
oop
in
europe,
u.s,
east
u.s
west.
I
guess
just
realize
that
apac
is
not
in
here.
A
You
should
see
a
username
and
password,
so
it's
solo
and
then
workshop
one
pound
with
a
capital
w
that
should
get
you
access
into
the
machine
through
this
through
this
web
browser,
try
to
space
out
and
not
step
on
on
each
other
there,
but
then,
once
you
get
access
to
your
machine,
so
I'll.
Do
it
locally
here,
if
you're
having
trouble
finding
that
spreadsheet
again
go
to
the
docs
tab
in
the
gold
cast
platform
and
click
on
sign
up
for
lab
machine.
B
A
D
D
A
B
B
A
A
Yeah,
if
you're
having
trouble
finding
the
pal
username
and
password
is
in
the
everything
should
be
in
the
spreadsheet
that
I
that
I
linked
to
including
the
url
the
username
password.
Your
the
link
to
your
vm
all
should
be
there
and
then,
once
you
open
up,
workshops.solo.I
o
go
to
go
to
the
istio
day
2
and
deploy
sdf
production
workshop.
A
D
A
A
But
for
those
of
you
that
are
at
this
point,
go
ahead
and
and
follow
this
dot
and
set
up
your
your
lab
machine,
you
can
use
the
copy,
there's
some
easy
copy
command
shortcuts
in
the
lab
docs.
If
paste
doesn't
show
up
on
the
terminal
which
I'm
seeing
on
mine,
then
just
restart
the
terminal.
The
this
is
a
known
issue
for
some
reason
with
with
the
terminal,
but
if
you
restart
the
terminal,
then
you
should
be
able
to
get
paste
working.
A
A
I
noticed
that
too,
I
picked
mine
in
us
west
and
it
shows
europe,
so
I'm
not
sure
exactly
how
the
machines
got,
how
the
ip
addresses
and
everything
that
got
translated
over
into
the
into
the
spreadsheet
or
whether
the
the
tools
that
bootstrap,
so
we
used
ansible,
but
whether
the
tools
that
bootstrapped,
the
the
machines
named
the
machines,
something
that
they
they're.
Not
I'm,
not
not
certain
about
that.
C
A
A
A
A
B
A
D
A
Well
then,
in
that
case,
we're
gonna,
so
there's
a
couple
of
tricks
for
copy
and
paste
one
is
you
know
the
keyboard
shortcut.
Thank
you
sebastian
for
for
adding
that
the
other
is,
if
you
can't
paste
in
the
terminal,
restart
the
terminal
on
the
first
boot
of
the
terminal
for
some
reason
it
it
doesn't
doesn't
seem
to
take.
But
on
the
second
time
you
recycle
the
terminal,
it
should
allow
you
to
paste
okay.
D
B
B
B
A
A
A
B
A
D
B
A
A
D
A
And
then
click
on
run
onboard
proxy.
So
the
approach
that
we're
going
to
take
is
you
want
to
you
want
to
deploy
seo.
You
want
to
see
some
of
the
best
practices
for
doing
that
before
you
get
started
with
istio
in
general.
You
got
to
understand
onboard
because
of
the
other
things
that
we're
going
to
see
in
the
rest
of
the
of
the
workshop
here.
A
C
Yeah
sure
so,
basically,
for
this
lab,
we're
gonna
have
a
sleep.
Pod
called
the
http
beam
pod,
and
so
that's
just
without
envoy
without
istio.
So
you
can
see
you
know
it's
just
a
simple
rest
api
call
and
then
we're
going
to
teach
you
having
running
envoy
as
a
pod
and
we're
going
to
teach
you.
How
do
you
configure
envoy
to
mediate
the
traffic,
so
the
sleep
card
with
the
car
envoy
and
onward
would
be
intelligent
to
know
to
forward
the
traffic
to
the
http
being
so
it's
kind
of
teach
you.
C
You
know
what
it
still
does
for
you
automatically
with
it's
your
customer
resources,
but
how
you
actually
do
it
yourself
with
onward
configurations,
you
have
you're
going
to
be
able
to
explore
like
admin
stats,
and
how
do
you
do
retries
with
our
way
and
my
take
way
for
this
lab?
Is
it's
actually
pretty
complicated
and
you'll
find
out?
It's
not
easy
to
do
it
with
envoy
configuration.
C
We
also
have
a
bonus
section
for
this
lab
christian.
If
you
can
flip
to
the
next
one.
So
in
the
bonus
section,
if
you
have
actual
time
or
which
you
may
be
able
to
do
it
offline
on
your
own,
is
you
can
do
configurations
such
as
circuit
breaking
outlier
detection
and
how
to
do
traffic
routing
and
splitting,
and
you
know,
try
the
xds
api
from
envoy.
So
it's
additional
commands
to
help.
You
learn
these
configurations
of
envoy.
A
A
A
I
just
want
to
point
out
to
any
of
the
folks
that
may
have
joined
since
we
started
that
if
you
click
on
the
docs
tab
in
the
gold
cast
platform,
you
should
see
an
entry
for
the
for
signing
up
for
the
lab
machine,
so
that
will
give
you
access
to
that
will
give
you
access
to
this
document
right
here.
That
shows
the
list
of
ip
addresses
and
how
to
access
the
lab
machines
so
that
you
can
follow
along
as
well.
A
A
A
A
A
A
We
walk
you
through
what
a
configuration
looks
like
for
envoy,
and
actually
this
can
be
pretty
handy
outside
of
the
lab
when
things
may
not
be
working
the
way
or
they're
not
configured
the
way
you're
expecting
to
from
from
seo,
and
you
just
want
to
isolate
it
and
hand,
configure
envoy
yourself
and
see
how
it
behaves.
This
is
a
this
is
a
great
vehicle
for
doing
that.
B
C
Yeah,
so
in
this
lab
we
are
going
to
install
is
still
a
little
bit
different
than
what
istio
io
teaches
you.
So
you're
going
to
install
istio
d
as
a
service.
First
and
then
you
are
going
to
install
stod
with
the
minimum
profile
and
the
revision
with
1
a3,
and
then
we're
going
to
show
you.
How
do
you
view
the
debug
endpoint
of
the
control
plane?
C
So
you
do
some
commands
just
to
learn
that
api
and
then
we're
going
to
teach
you
you're
also
going
to
install
like
a
bunch
of
deployments
and
services,
which
is
our
app.
We
use
in
the
lab
so
you're
going
to
install
those
in
istio
in
action,
namespace,
so
you're
going
to
have
like
web
recommendation
purchase
and
sleep
and
then
in
the
default
namespace
you're
going
to
install
http
being,
which
is
same
as
the
previous
lab.
But
then
we're
going
to
show
you.
C
Yeah,
definitely
the
bonuses
just
show
you:
how
do
you
explore
iptable
rules
on
that
proxy
so
that
you
can
see
how
it
works
if
you're
interested
in
that
level
of
detail,
I
would
say
you
know
it's
really
interesting,
that
we
break
the
service
and
the
deployments
into
two
steps.
The
main
reason
is
we're
going
to
teach
you.
How
do
you
upgrade
istio
in
the
next
workshop
so
that
you
can
upgrade
without
down
time
from
183,
maybe
to
a
newer
version
like
one
nine
but
you're
using
the
same
istio
service?
D
A
A
A
C
A
A
A
So
it's
two
minutes
past
the
hour
where
I
am:
let's,
let's
pause
and
and
take
a
ten
minute
break
if
you're
so
inclined
or
have
taken
a
break
already.
You
can
continue
check
out
lab
three
ask
questions
in
the
chat
please
or
if
you're
still
working
on
lab,
two
feel
free
to
continue
with
lab
two,
but
we'll.
C
C
So
for
lab
three,
which
is
sorry
meant
to
hit
the
present
button
so
for
this
lab,
what
we're
going
to
do
is
we're
going
to
install
permissus
okay.
So
the
reason
we're
teaching
you
this
right
with
observability
is
because,
what's
shipped
in
istio
the
sample
add-on,
we
don't
recommend
you
use
for
production
because
it's
just
like
a
toy
really
for
you
know
demo
purpose.
C
So
what
we
recommend
you
to
do
is
step
one
you
install
in
the
permissive
namespace
we
want
to
using
the
cube
permissive
stack,
the
helm
chart
to
install
promises
to
install
grifana.
So
we'll
teach
you
how
to
do
that.
Then
we're
going
to
also
teach
you.
You
know
you
have
these
building
blocks,
but
you're
not
going
to
get
any
dashboard
without
bringing
it
to
your
dashboard.
So
we're
going
to
teach
you.
How
do
you
lay
our
istio
dashboard
onto
the
permission?
Stack
you
just
installed
and
then
we're
also
going
to
teach
you.
C
The
configuration
using
service
monitor
customer
ratios
to
config
permisses,
to
scrape
the
control,
plane,
metrics
and
also
using
the
pod,
monitor
customer
resource
to
script
the
data
plane
matrix
so
so
that
you
are
going
to
see
control
plane
and
data
plane
metrics
at
the
end
of
step
three
and
then
we
are
going
to
also
teach
you
another
observability
tool.
Is
your
community
use
which
some
of
us
call?
It
is
your
dashboard,
it's
the
kayalys,
so
we're
going
to
teach
you.
C
How
do
you
install
kayali
using
the
kayali
operator
so
you're,
going
to
install
kayali
operator
first
into
the
kayali
operator,
namespace
and
then
you're
going
to
deploy
the
kayali
customer
resource,
which
essentially
tells
the
kayali
operator
to
go
ahead
and
install
kayali
and
in
the
it's
your
system,
namespace
and
finally,
we're
going
to
also
teach
you?
How
do
you
log
in
into
kayali?
C
C
How
do
you
view
premises,
rule
config
map
and
also,
how
do
you
do
matrix
merging
if
your
application
has
metric
how
the
metrics
merging
works
from
from
istio
service
mesh?
How
is
your
actually
merges
your
metric
from
your
application
part
and
your
pilot
agent,
and
also
the
proxy
metrics?
So
that's
pretty
interesting.
A
C
D
A
I
would
say
the
other
way
I
would
say
the
spire
community
doesn't
so
like
istio
1.8
can
integrate
with
external
cas
through
the
kubernetes
csr
api
and
through
the
istio.
You
know
that
I
forgot
what
it's
called
but
istio's
api
for
doing
csrs.
I
don't
think
this.
I
don't
think
spire
supports
that
yeah.
C
C
C
C
A
A
B
A
B
C
A
C
Then
so,
for
this
lab
we're
going
to
teach
you
a
little
bit
more
about
istio
ingress
gateway.
So
what
you're
going
to
have
is
on
the
istio
system,
you're
going
to
still
have
what
you
have
before
with
so
you,
which
is
the
sdod
as
a
service.
You
also
have
sdod
deployment
that
you
installed
from
the
minimum
profile
with
revision1a3.
C
I
think
you
did
that
in
lab
two
and
then
for
this
lab
we're
going
to
teach
you
install
ingress
gateway
using
the
empty
profile,
so
you're
going
to
install
that
also
with
revision
183,
because
we
want
to
make
sure
the
version
matches
the
control,
plane
version
and
then
you're
going
to
expose
the
web
api
service
on
the
istio
ingress
gateway.
This
is
important
so
that
the
users
who
are
using
your
web
api
service,
you
know,
can
can
access
it
through
istio
ingress
gateway
and
the
ingress
gateway
can
provide.
C
Like
trs
connection,
you
know
search
termination
and
all
that
east
west
gateway
feature
provided
by
the
ingress
gateway,
so
you're
going
to
to
expose
that
you're
going
to
need
to
create
a
gateway
resource
and
virtual
service
resource,
so
the
gateway
resource
basically
allows
you
to
config.
You
know
I'm
exposed
this
particular
port
number
onto,
and
this
is
http
for
for
the
web
api
and
then
the
virtual
service
resources
actually
config
for
this.
C
For
this
port
number,
how
you're
going
to
route
it
for
this
trs
configuration
how
you're
going
to
route
it
so
you're
going
to
do
that
with
plain
plane
traffic
first
in
step,
two
and
in
step
three
we're
going
to
teach
you.
How
do
you
do
tls
communication
to
your
ingress
gateway,
so
you're
going
to
config
a
secret
in
your
gateway
resource
and
you're,
going
to
create
that
secret
in
the
istio
system
namespace.
C
This
is
important,
because
the
currently
is
your
only
supports.
The
secret
resides
in
the
same
namespace
as
the
namespace,
where
you
deploy
is
your
ingress
gateway.
So,
given
your
ingress
gateway
is
in,
is
your
system
namespace
your
secret
masteries
idea,
at
least
on
the
current
version
of
istio
number
four
we're
going
to
play
a
little
bit
with
certification
manager
using
certificate
manager
to
manage
the
secrets
for
the
seo
ingress
gateway,
so
you're
going
to
see
how
that
works.
C
So
we're
going
to
teach
you
how
to
do
that
notice,
the
configuration
there
is
only
an
environment
variable,
but
the
community
does
intend
to
stabilize
the
configuration
and
even
make
it
default
and
then
we're
going
to
teach
you
how
to
enable
access
logging
for
it's,
your
ingress
gateway,
because
not
everything
goes
smoothly
all
the
time.
So,
if
there's
any
problem,
you
can
look
at
the
logs.
C
C
C
We
don't
want
to
introduce
new
features
and
set
it
as
default
in
case
there
are,
you
know,
unpleasant
surprises
due
to
box.
I
mean
software
always
have
bugs,
so
it
could
take
a
little
bit
time
to
mature.
This
is
why
I
said
we
do
intention
to
enable
it
as
default.
The
other
reason
we
didn't
enable
it
as
default
is
also
because
what
customer
sees
today
right.
So
this
is
a
behavior
changes
potentially
could
break
people.
C
If
you
know,
if
they're
not
convict
this
correctly,
so
for
these
type
of
semantic
behavior
change,
the
community
always
wants
to
be
a
little
bit
cautious
when
we
introduce
them.
That's
why
you
know
it's
kind
of
experimental
at
the
moment,
but
it's
hugely
recommended
by
you
know
by
the
upstream,
because
this
is
the
right
way
to
configure
the
gateway
to
have
the
right
resources,
and
only
you
know
have
the
resources
they
need.
C
C
C
C
So
for
the
folks
who
finish
the
lab,
I
would
say
for
the
bonus
section
to
do
it
offline,
it's
interesting
that
it
shows
you.
You
know
instead
of
having
the
secret
in
the
istio
system,
namespace.
What?
If
you
want
the
secret
to
be
in
the
istio
in
action
or
whichever
name
space
your
application
resides.
There
is
a
utility
to
help
you.
You
know,
sync,
the
secrets
from
one
name
space
to
the
other,
so
that
utility,
I
would
actually
teach
you
that
so
that's
interesting.
C
The
other
thing
that's
interesting
in
this
in
this
bonus
section
is
what,
if
you
want
to
run
your
own
customer
gateway
right?
What
if
you
want
to
run
your
ingress
gateway
in
the
issue
in
action?
Name
space?
In
that
case,
you
could
deploy
your
own
customer
ingress
gateway
in
the
application
namespace
and
then,
in
that
case,
your
secret
for
the
gateway
ratios
would
also
resides
in
the
issue
in
action
namespace.
So
these
are
interesting
scenarios.
We
often
hear
from
our
users
as.
C
C
C
D
Oh,
it's
okay.
I
just
said
that.
Yes,
usually
customers
use
the
gateway
to
terminate
their
tls
connections
and
that's
usually
because
you
know
they
can
provide
the
search
to
the
gateway
and
then
have
the
gateway
use,
those
search
for
termination,
and
then
you
let
istio
handle
the
mutual
tls
between
the
gateway
and
your
user
application
ponds.
C
Yeah
that
that
that
that's
very
good
it's,
it's
probably
the
most
common
configuration
at
the
gateway.
I
guess
it
depends
on
you
know
if
your
traffic
is
coming
from
within
the
mesh
or
you
know
from
outside
of
the
mesh
right.
If
it's
outside
of
the
mesh,
like
ron
mentioned
it's
commonly
terminate
and
then
the
gateway
reestablish.
But
if
it's
within
the
mesh
like
in
the
multi-cluster
scenario,
a
lot
of
time,
we
would
actually
just
config
the
gateway
to
pass
through.
So
that's
also
very
common
as
well.
C
Oh
good,
all
right
looks
like
we
have
a
few
more
user
finish.
That's
excellent!
I
think
we're
going
to
carry
on.
I
think
we
are
going
to
so.
We
have
lab
four
now.
I
think
we
have
three
more
laps.
We
are
probably
planning
a
break
right
after
lab
five,
so
that
you
guys
can
you
know,
take
a
short
break
as
well.
C
All
right,
so,
let's
get
to
here,
okay,
so
you
guys
just
did
all
the
work
about
istio
ingress
gateway
and
now
we're
going
to
teach
you.
How
do
you
roll
out
your
application
to
the
mesh?
What's
the
best
practice,
we
would
recommend
you
to
do
right.
So
remember
in
this
diagram,
you
have
none
of
your
pods
have
the
envoy
proxy,
because
you're
just
connecting
to
the
istio
ingress
gateway.
C
So
the
moment
you
deploy
will
still
magically
inject
the
cycle
configuration
and
the
sidecar
for
you.
So
you're
going
to
end
up
with
a
diagram
like
this.
So
this
continues
to
allow
your
application
function,
even
though
you
bring
up
the
additional
canary
version
with
onward
proxy
on
the
side.
So
we
definitely
recommend
you
to
do
that
and
the
next
step
we're
going
to
teach
you
is.
How
do
you
add
saika
to
the
original
deployments
you
have
so
you're
going
to
do
a
rolling
restart,
so
this
is
a
kubernetes
command.
C
Allow
you
to
rolling
restart
paths
within
your
deployment.
So
if
you
have
multiple
ones,
I
think
in
the
lab.
We
may
only
have
one,
but
if
you
have
multiple
ones,
kubernetes
knows
to
do
it
one
at
a
time
and
then
once
you
test
all
the
traffic
still
good,
your
applications
still
function.
We're
going
to
have
you
remove
the
canary
deployments
because
they
were
there
just
to
help.
C
You
make
sure
you
have
high
availability
without
downtime
as
you
transition
your
application
to
be
added
to
the
mesh
and
then
we're
going
to
have
you
explore
proxy
configurations
using
is
your
cuddle
command
so
that
you
can
understanding
you
know?
What's
the
configuration
looks
like
for
your
envoy
psycho?
I
think
we
explore.
Maybe
the
web
web
api
pod.
So
you
can
look
at
what
is
the
listener?
What
is
the
cluster?
What
is
the
configuration
specific
to
maybe
the
recommendations,
civil
services
so
you're
going
to
explore?
You
know
the
magic
of
istio.
C
Basically,
is
you
did
all
that
work?
You
know
kind
of
for
you,
so
you
don't
have
to
discovery.
You
know
your
cluster,
your
endpoint,
it's
your
actually
think
out
for
you
and
then
we're
going
to
explore
an
interesting
configuration
called
hold
application
until
your
proxy
is
ready.
This
is
a
super
important
configuration
because
today
the
the
psycho
container
and
your
application
container,
you
know
they
could
there's
no
guarantee
that
one
would
finish
and
then
the
other
one
you
know
would
hold,
and
here
the
other
and
the
app
is
ready.
So
sometimes
you
have.
C
You
may
have
a
strong
requirement
that
your
proxy
has
to
be
ready.
First,
before
your
application
runs,
because
you
want
to
make
sure
your
proxy
is
there
to
ensure
mutual
ts
traffic
is
enforced.
Maybe
you
want
to
make
sure
you
know
your
connectivity
to
the
outside
is
established
because
your
application
depends
on
that.
So
there
are
certain
apps
we're
seeing
a
lot
more
apps
have
that
requirements,
so
we're
going
to
teach
you
how
to
do
that
and
how
to
view
kubernetes
events
to
you
know
make
sure
you
actually
configure
it
correctly.
C
C
C
D
C
C
B
B
A
C
A
A
If
you
could
there's
only
three
questions
or
three
polls.
Rather,
if
you
could,
if
you
could
fill
those
out
these
those
types
of
surveys,
those
types
of
things
are
extremely
valuable
for
helping
to
guide
how
we
deliver
these
workshops,
what
material
we
focus
on
and
so
on.
So
if
you
could
spend
a
few
minutes
at
some
point
and
and
do
that,
but
yeah
continue
to
use
the
chat.
Oh,
your
pull.
Tab
is
empty.
A
B
C
C
A
C
No,
no
already
it's
not
good
okay,
so
you
guys
should
have
you
know
this
diagram.
Now,
at
the
end
of
lab
five
lab
six,
we're
going
to
teach
you,
how
do
you
do
mutual
trs
rollouts
right?
A
lot
of
our
users
adopt
istio
is
because
they
want
mutual
trs
among
all
the
traffic
within
the
mesh,
all
the
way
from
istio
ingress
gateway
to
web
api
to
all
the
microservices,
so
the
first
we're
going
to
config
mesh
wide
permissive
but
match
wide.
C
What
I
mean
is
you
make
that
configuration
into
istio
system,
which
is
the
root
name
space
by
default,
so
you're
going
to
config
that
first
and
then
we're
going
to
enable
strict
mutual
trs
just
for
one
service
in
the
lab
you're
going
to
enable
it
for
the
purchase
service?
First.
The
reason
we
do
that
is.
C
We
recommend
one
service
at
a
time
so
that
you
want
to
minimize
the
impact
of
that
configuration
as
you
test
things
out
so
once
you
enable
that
we're
going
to
have
you
to
check
whether
it's
safe
to
convert
the
whole
namespace
of
all
the
services
in
issue
in
action
to
strict
mutual
tis.
So
we're
going
to
teach
you
some
tips
to
do
that.
This
is
actually
a
very
common
question
in
the
istio
community,
because
a
lot
of
users
were
asking.
You
know.
C
I
really
want
me
to
ask:
how
do
I
know
my
traffic
is
mutual
tls?
How
do
I
enforce
that?
How
do
I
even
know
it's?
When
is
the
right
time
to
enforce
that?
So
definitely
go
through
that
it
will
teach
you
all
the
tips
and
then
we're
going
to
also
teach
you.
How
do
you
enable
strict
mutual
tls
for
the
issuing
action
namespace
so
that
you
can
rest
assured
that
all
the
traffic
within
this
namespace
is
always
mutually
eos
traffic?
C
A
A
There's
that
excuse
me
there's
actually
a
lot
a
lot
of
listeners,
but
the
listener
that's
attached
to
the
the
port
that
actually
takes
the
traffic
ends
up
doing
some
matching
and
setting
it
to
a
different
listener.
One!
That's
not
listening
on
a
port,
so
the
the
traffic's
actually
going
through
two
different
listeners.
Both
of
them
are
doing
s
and
I
sniffing
or
tls
sniffing,
and
that's
why
we
see
the
the
you
know
the
the
metric
increase
by
two
for
that
particular
those
particular
calls.
C
C
C
B
C
Well,
okay,
so
we
just
did
mutual
tris
roll
out
and
in
the
next
lab
we
will
teach
you.
How
do
you
controlling
configuration
scope
for
isro?
This
is
extremely
important
as
you
grow
from
one
or
two
or
three
micro
services
in
the
mesh,
because
by
default
seo
envoy
cycle
within
the
mesh
sees
everything.
C
So
by
everything
I
mean
every
single
name:
space
within
the
mesh,
all
the
services,
all
the
deployments,
all
the
virtual
service
destination
rule.
All
the
issue
related
networking
configuration
it's
all
visible
by
default.
So
you
don't
really
want
that
because,
as
you
have
more
services,
it's
going
to
impact
the
performance
of
the
cycle
proxy.
C
You
are
going
to
explore
next
the
export
to
configuration,
so
you
can
apply
this
configuration
as
an
annotation
to
your
service
as
a
service
producer.
You
can
also
apply
this
configuration
to
your
networking
resources,
such
as
virtual
service
destination,
rule
and
service
entry.
So
in
the
lab
you
will
explore
doing
that
the
service
and
also
the
virtual
service.
C
Next,
you
will
explore
virtual
service
merging,
so
you
could
have
multiple
virtual
services
like
in
the
lab,
we're
going
to
have
slash
hello,
config
to
a
hello
service,
and
then
everything
else
config
to
the
default
route
goes
back
to
the
web
api
service.
So
you
can
do
that
through
multiple
virtual
servers
and
it
still
is
intelligent
enough
to
merge
it
for
you
as
long
as
there's
no
conflict.
C
A
A
So
why
don't
you?
Why
don't
you
go
through
lab
seven
for
the
next
few
minutes,
two
three
minutes
or
so,
and
then
we're
going
to
leave
some
time
for
our
questions
at
the
end
about
about
nine
minutes,
I
guess
and
yeah
somebody's
asking,
but
we're
leaving
the
machines
for
a
little
bit
longer,
maybe
until
tomorrow,
probably
not
a
few
more
days.
But
let
me
just
check.
Let
me
just
check
to.
A
B
A
A
A
B
A
A
Okay,
let's
you
know
you
all
can
continue
with
the
with
the
lab
seven
and
get
to
lab
eight
as
you
as
you'd,
like
after
time,
we'll
leave
the
lab
machines
up
for
a
little
bit
longer
for
those
of
you
that
have
asked
specifically
your
machines,
we'll
try
to
keep
them
up
as
long
as
we
as
long
as
we
can,
but
yeah
with
that.
I
definitely
want
to
say:
take
the
polls,
please.
A
B
A
A
So
on
the
docs
tab,
there's
a
workshop
test
doc
and
you
can
click
on
that
and
actually
take
a
a
small
test
or
exam
that
you
know.
If
you
answer
the
questions
correctly
then
can
actually-
maybe
maybe
you
can
say
say,
but
we
get
a
badge
that
shows
you've
completed
this
particular
workshop
and
learned
something
from
this
workshop
and
then
we'll
continue
on
to
the
next.
Like
I
said
this
is
a
series
of
workshops.
C
Yeah,
this
is
something
we
are
exploring.
Thank
you
so
much
for
being
here.
We
want
to
give
you
the
badge
after
you
complete
eighty
percent
of
the
test
correctly,
I'm
sure
many
of
you
will
do
beyond
eighty
percent,
so
you
will
get
a
badge.
We
still
evaluate
the
batch
process,
but
if
you
record
your
completion
and
your
test
results,
we
will
follow
up
with
the
badge
process
with
you
once
we
have
the
process
finger
out,
so
you'll
get
a
badge
from
solo
and
completely
the
deploy.
A
A
We
work
with
with
folks
all
over
the
world
and
help
them
operate
operationalize
and
successfully
adopt
istio
and
and
this
this
type
of
technology,
so
definitely
don't
hesitate
to
reach
out,
and
you
know,
get
the
opportunity
to
to
interact
and
work
potentially
with
you
know
me
and
and
rahm
and
lynn,
and
the
many
others
extremely
expert,
istio
and
envoy
engineers
on
our
team.
So
think
think
about
think
about
that
as
you
as
you
go
down
the
path
of
this
deal.
D
A
Oh
man,
there's
there's
a
there's
a
lot
of
them
that
I
would
that
I
would
recommend
I'm
a
big
fan
of
mcters
victor's
is
a
bourbon
distillery
in
kentucky
and
there's
a
few
bottles
of
mixtures
back
there
that
I
really
like,
but
hey.
If
anybody's
ever
in
phoenix
hit
me
up,
I'm
on
twitter
at
christian
posted
hit
me
up.
A
Let
me
know
happy
to
have
you
for
a
drink
and
there's
another
question
about
being
new
to
istio
came
from
a
data
background,
and
could
you
explain
what
is
the
difference
of
or
were
the
advantage
of
history
over
classical
ipa
gateways?
Oh
awesome
ron,
thank
you
for
posting
that
and
in
in
general.
I
guess
just
a
quick
one-minute
answer
is
that
there's
there's
there's
api
gateways
and
service
mesh,
it's
not
necessarily
one
or
the
other.
It's
just.
A
What
is
the
use
case
that
you're
trying
to
problem
you're
trying
to
solve
the
api
gateway?
The
traditional
classic
api
gateway
in
terms
of
api
management
had
some
drawbacks
in
terms
of
using
a
centralized
and
a
highly
centralized
piece
of
technology
that
wasn't
built
to
be
very
dynamic,
to
be
able
to
react
like
so.
For
example,
you
look
at
kubernetes,
you
got
pods
spinning
up
coming
coming
and
going
scaling,
probably
across
multiple
clusters.
A
You
know
constantly
changing,
ips
and
and
so
on.
Those
api
management
ven,
you
know
pieces.
You
know
those
systems
built
ten
years
ago.
Didn't
take
that
into
account
this
dynamicism,
as
well
as
a
centralization
and
the
processes
that
built
up
around
the
centralization
where
traffic
was
forced
through
these
centralized
gateways
and
then
off
to
the
the
back
end
service
in
the
service
mesh
case,
you
have
services
communicating
directly
with
each
other,
not
through
some
centralized
system
which
reduces
bottlenecks.
A
A
Referenced
a
discovery,
selector
feature
that's
coming
in
istio
1.10
upstream,
and
this
helps
with
multi-tenant
discovery
service
discovery.
I
do
want
to
point
out.
This
is
available
in
previous
versions
as
well
from
the
solo
builds,
so
upstream
1.10
will
have
it,
but
we
do
have
users
on
1.7
that
are
using
this.
So
it's
a
really
important
feature.
We
are
going
to
write
a
blog
about
it
and
discuss
it.
A
All
right:
well,
we've
reached
the
time
11
a.m,
pacific
2
p.m.
Eastern.
I
definitely
want
to
again
extend
thank
you
for
spending
your
time.
Hopefully
it
was
worth
worth
your
time.
Thank
you
for
lynn
and
rom,
for
you
know
helping
helping
along
with
with
me
and
yes,
as
someone
wrote
here,
we
hopefully
we'll
see
people
in
person
in
2022.