# ServiceMesh Lab ## OpenShift Service Mesh for Example Bank ![Example Bank diagram](https://3928126737-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-MHI9hQsrkpOgN4dX6Cj%2Fsync%2Fa954ea2ec422395147108fc291c98d051396cf34.png?generation=1600426872096496\&alt=media) ### Part 1: Deploy Example Bank Login and checkout Example Bank github repo. ``` oc login ibmcloud login -u git clone https://github.com/IBM/example-bank.git oc new-project example-bank ``` ``` cd example-bank/scripts/ ./createappid.sh ./createsecrets.sh ./deploy-db.sh ./installServerlessOperator.sh ``` * Note: Verify the `creditdb` database pod is in Running state before running the SQL schema loader. Deploy front end service and SQL data schema. ``` oc apply -f deployment.yaml oc apply -f data_model/job.yaml ``` Verify schema loaded to ensure the database is ready to use. ``` oc logs cc-schema-load- ``` Deploy back-end services: ``` oc apply -f bank-app-backend/transaction-service/deployment.yaml -f bank-app-backend/user-service/deployment.yaml ``` Deploy the Serverless (knative) service. ``` cd bank-knative-service/ oc apply -f deployment.yaml ``` Verify it's running: ``` oc get kservice ``` At this point we can verify the app is running prior to setting up service mesh. We are using an OpenShift route. ``` oc get routes ``` Visit URL for the mobile simulator route. ## Part 2: Service Mesh Setup Open up the OpenShift console, navigate to the the OperatorHub, install operators in this order: 1. Elastic Search (choose version 4.3) 2. Jaeger Operator 3. Kiali 4. Service Mesh Operator Create a new project called `istio-system`. Go to installed operators, and wait until they become available in this namespace. While waiting, check out the `service-mesh` branch: ``` git checkout service-mesh ` ``` #### Next steps: * Create Control Plane instance. * Create ServiceMeshMemberRolls Verify install: `oc get smmr -o yaml --all-namespaces | egrep -A2 'ControlPlane|configuredMembers'` Open up a second terminal to watch pods: `watch -n1 oc get pods` Deploy with sidecar enabled: ``` oc apply -f bank-app-backend/user-service/deployment.yaml -f bank-app-backend/transaction-service/deployment.yaml -f deployment.yaml ``` Patch database pod to inject the Istio sidecar. ``` kubectl patch deployments.apps creditdb -p '{"spec":{"template":{"metadata":{"annotations":{"sidecar.istio.io/inject":"true"}}}}}' ``` Delete route and replace with Istio ingress gateway: ``` oc delete routes --all oc apply -f bank-istio-gw.yaml ``` Force mTLS between database and other services: ``` oc apply -f bank-istio-policy.yaml -f bank-istio-destination-mtls.yaml ``` Enable knative-serving with Istio. ``` ./label-knative.sh ``` This sets the appropriate labels in the `knative-serving` namespace allowing the knative service to be triggered. Redeploy the knative service with the Istio sidecar annotation. ``` oc apply -f bank-knative-service/network.yaml oc apply -f bank-knative-service/deployment.yaml ``` > We are updating the cleanup utility because we need to send a signal to the Envoy sidecar to exit after the job completes. ``` oc delete -f bank-user-cleanup-utility/job.yaml oc apply -f bank-user-cleanup-utility/job.yaml ``` > Expose access via OpenShift secured route. Go to istio-system namespace in Admin console. Set port 80 -> 8080, Edge, Redirect. Default OpenShift certs can be used, or you can upload your own certificates. > Click on URL, e.g. > > Click on "Padlock" to examine certs. > > Use bank simulator. Note that all relevant pods have extra container. > > Open up Kiali from App square to view traffic flow. ![kiali](https://github.com/IBM/example-bank/blob/main/images/kiali.png) #### Badge After completion of the workshop, you can collect your [badge](https://www.youracclaim.com/org/ibm/badge/hybrid-cloud-conference-service-mesh-networker)