Version: 0.9.x

Deploying Applications

Create an application in TSB before deploying it to any cluster. Applications act as a grouping of services and let you configure common traffic policies that apply to all of them.

warning

For traffic routing to be in effect when individual application namespaces come up in clusters, the application object must be created in TSB before onboarding a cluster. You need to create application objects only for the applications that will require routing from the gateways.

You need the load balancer IP or host name of the TSB cluster. Refer to Tetrate Service Bridge Installation for details on how to obtain ${TSBIP}.

1. Create the (Logical) Application

Applications can be created as follows using TSB's API. Refer to the API reference for additional configuration options. In this step we assume the tenant and environment already exist.

cat >/tmp/app.json <<EOF
{
  "id": "bookinfo",
  "namespaces": ["bookinfo-front", "bookinfo-middle", "bookinfo-back"]
}
EOF

curl --request POST -k --url https://${TSBIP}:8443/v1/tenants/tenant1/environments/dev/applications \
-u "admin:<credential>" \
--header 'accept: application/json' \
--header 'content-type: application/json' \
--data @/tmp/app.json

The API call above creates an application named bookinfo spread across three namespaces.

2. Deploy the Application

As of TSB 0.6.0, an Application's namespaces have a one-to-one mapping with the Kubernetes namespaces. Create namespaces that the application has in each cluster where the application needs to be deployed. Deploy the application's services into the namespaces.

3. Expose the Application on a Load Balancer

Applications can be exposed either on a shared load balancer common to the entire cluster or on dedicated load balancers that are deployed in the application's namespaces. The rest of this section describes the steps necessary to expose the application on dedicated load balancers.

3.1. Enable Automatic Sidecar Injection in Kubernetes & Load Credentials in the Application's Namespaces

To enable automatic sidecar injection, make sure the istio-injection=enabled label is set on each application namespace. Pods already running in those namespaces must be restarted for the sidecar to be injected. Load balancers on Kubernetes obtain their TLS certificates from Kubernetes secrets in the same namespace. Create secrets containing the certificates the application requires (in this example bookinfo-front-certs and bookinfo-middle-certs). When using mutual TLS, create an additional secret of the form secretName-cacert (e.g., bookinfo-front-cacert and bookinfo-middle-cacert) containing the CA certificates used to validate client connections.

kubectl label namespace bookinfo-front istio-injection=enabled --overwrite=true
kubectl label namespace bookinfo-middle istio-injection=enabled --overwrite=true
kubectl label namespace bookinfo-back istio-injection=enabled --overwrite=true

kubectl -n bookinfo-front create secret tls bookinfo-front-certs \
--key /path/to/bookinfo-front.key --cert /path/to/bookinfo-front.cert

kubectl -n bookinfo-middle create secret tls bookinfo-middle-certs \
--key /path/to/bookinfo-middle.key --cert /path/to/bookinfo-middle.cert

3.2. Install the Load Balancers in the Application's Namespaces

When installing a dedicated load balancer, we need to provide the installer with the Tenant ID and the Environment ID (refer to Creating Tenants and Environments), and the Cluster ID (refer to Onboarding Application Clusters). We refer to these three values as ${TENANT}, ${ENV} and ${CLUSTER} below.

OpenShift

OpenShift users need to add the load balancer service account to the gateway security context constraint.

oc adm policy add-scc-to-user gw-scc -z tsb-gateway-service-account -n <gateway-namespace>

Create a data plane resource YAML file as described below.

API compatibility

The current DataPlaneConfig API matches the Istio operator API, but this will change in future releases of TSB.

cat <<EOYAML > bookinfo-lbs.yaml
---
apiVersion: install.tetrate.io/v1alpha1
kind: DataPlaneConfig
metadata:
  namespace: bookinfo-front
  name: bookinfo-front-gateway
spec:
  hub: ${HUB}
  components:
    ingressGateways:
      - namespace: bookinfo-front
        name: tsb-gateway-bookinfo-front
        enabled: true
  values:
    gateways:
      istio-ingressgateway:
        labels:
          app: tsb-gateway-bookinfo-front
  unvalidatedValues:
    global:
      tcc:
        enabled: true
        tenant: ${TENANT}
        cluster: ${CLUSTER}
        environment: ${ENV}
---
apiVersion: install.tetrate.io/v1alpha1
kind: DataPlaneConfig
metadata:
  namespace: bookinfo-middle
  name: bookinfo-middle-gateway
spec:
  hub: ${HUB}
  components:
    ingressGateways:
      - namespace: bookinfo-middle
        name: tsb-gateway-bookinfo-middle
        enabled: true
  values:
    gateways:
      istio-ingressgateway:
        labels:
          app: tsb-gateway-bookinfo-middle
  unvalidatedValues:
    global:
      tcc:
        enabled: true
        tenant: ${TENANT}
        cluster: ${CLUSTER}
        environment: ${ENV}
EOYAML

Apply the bookinfo-lbs.yaml file to the cluster.

kubectl apply -f bookinfo-lbs.yaml

The TSB data plane operator picks up this new configuration and deploys the gateways accordingly.

NodePorts

To expose the load balancer on node ports instead, change the spec.values.gateways.istio-ingressgateway.type key:

values:
  gateways:
    istio-ingressgateway:
      type: NodePort

To choose the assigned nodePort for each port, set the spec.values.gateways.istio-ingressgateway.ports key as follows:

values:
  gateways:
    istio-ingressgateway:
      type: NodePort
      ports:
        - port: 80
          nodePort: <selected-node-port>
          name: http2
        - port: 443
          nodePort: <selected-node-port>
          name: https

Unique application label for each deployed load balancer

Notice spec.values.gateways.istio-ingressgateway.labels.app=tsb-gateway-bookinfo-front in the file above. Each load balancer (shared or dedicated) must have a unique app label that distinguishes it from other load balancers in the system. Gateway labels are copied over to the logical service to ensure any route configuration on the service is applied back to the specific gateway.
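The uniqueness requirement above is easy to break when a manifest is copied and edited by hand, so it is worth checking before kubectl apply. The following is an added example (not part of the TSB documentation or of Tetrate's tooling): a small pre-apply lint that splits the multi-document manifest, finds each DataPlaneConfig's labels.app value, and reports documents that have no label, more than one label, or reuse a label another gateway already claims. It is a line scanner for the indentation style the page's manifest uses, not a general YAML parser, and needs no third-party module. The embedded manifest is the page's bookinfo-lbs.yaml trimmed to the fields the check reads, with the ${HUB}-style placeholders left literal; the third document is constructed here to reuse the front gateway's label so the check has something to report.

```python
"""Pre-apply lint: every DataPlaneConfig ingress gateway must carry a unique
spec.values.gateways.istio-ingressgateway.labels.app value.

Example code added to the page, not Tetrate's tooling. The manifest text is
the page's bookinfo-lbs.yaml trimmed to the fields the lint reads; the
DUPLICATE_DOC is constructed to trigger a finding."""
import re
from collections import defaultdict

PAGE_MANIFEST = """\
---
apiVersion: install.tetrate.io/v1alpha1
kind: DataPlaneConfig
metadata:
  namespace: bookinfo-front
  name: bookinfo-front-gateway
spec:
  hub: ${HUB}
  components:
    ingressGateways:
      - namespace: bookinfo-front
        name: tsb-gateway-bookinfo-front
        enabled: true
  values:
    gateways:
      istio-ingressgateway:
        labels:
          app: tsb-gateway-bookinfo-front
---
apiVersion: install.tetrate.io/v1alpha1
kind: DataPlaneConfig
metadata:
  namespace: bookinfo-middle
  name: bookinfo-middle-gateway
spec:
  values:
    gateways:
      istio-ingressgateway:
        labels:
          app: tsb-gateway-bookinfo-middle
"""

# Constructed: a third gateway that wrongly reuses the front gateway's label.
DUPLICATE_DOC = """\
---
apiVersion: install.tetrate.io/v1alpha1
kind: DataPlaneConfig
metadata:
  namespace: bookinfo-back
  name: bookinfo-back-gateway
spec:
  values:
    gateways:
      istio-ingressgateway:
        labels:
          app: tsb-gateway-bookinfo-front
"""


def split_documents(yaml_text):
    """Split a multi-document YAML stream on '---' separator lines."""
    docs, current = [], []
    for line in yaml_text.splitlines():
        if line.strip() == "---":
            if current:
                docs.append("\n".join(current))
            current = []
        else:
            current.append(line)
    if current:
        docs.append("\n".join(current))
    return [d for d in docs if d.strip()]


def lint_gateway_labels(yaml_text):
    """Return a list of problem strings; an empty list means the manifest passes."""
    problems = []
    seen = defaultdict(list)  # app label -> names of documents that use it
    for doc in split_documents(yaml_text):
        if not re.search(r"^kind:\s*DataPlaneConfig\s*$", doc, re.M):
            continue  # only gateway configs carry the label we care about
        # metadata.name: first 'name:' line inside the metadata block
        name_match = re.search(r"^metadata:\n(?:[ \t]+.*\n)*?[ \t]+name:[ \t]*(\S+)", doc, re.M)
        doc_name = name_match.group(1) if name_match else "<unnamed>"
        # In the page's layout 'app:' only appears under labels:, so one indented
        # 'app:' line per document is the expected shape.
        labels = re.findall(r"^[ \t]+app:[ \t]*(\S+)[ \t]*$", doc, re.M)
        if len(labels) != 1:
            problems.append(f"{doc_name}: expected exactly one labels.app entry, found {len(labels)}")
        for label in labels:
            seen[label].append(doc_name)
    for label, docs in seen.items():
        if len(docs) > 1:
            problems.append(f"app label {label!r} reused by: {', '.join(docs)}")
    return problems


if __name__ == "__main__":
    for title, text in (("page manifest", PAGE_MANIFEST),
                        ("with duplicate", PAGE_MANIFEST + DUPLICATE_DOC)):
        findings = lint_gateway_labels(text)
        print(f"{title}: {'OK' if not findings else findings}")
```

Run it against the real file with `lint_gateway_labels(open("bookinfo-lbs.yaml").read())` before applying; a non-empty result means two gateways would share an app label and route configuration could be copied to the wrong gateway.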

3.3. Configure Dedicated Load Balancer Services

TSB automatically creates a load balancer service under the application for each load balancer installed in the application namespaces of the physical cluster. In this case, after the load balancers from step 3.2 are installed, two load balancer services named tsb-gateway-bookinfo-front and tsb-gateway-bookinfo-middle appear under the bookinfo application. The commands below configure these services with their routes and use the TLS credentials found in the bookinfo-front-certs and bookinfo-middle-certs secrets to terminate TLS traffic respectively. Each command fetches the current service object, sets its lbSettings with jq, and writes the result back with a PUT. The load balancer in the namespace bookinfo-front with host name bookinfo.acme.com forwards traffic to an internal Kubernetes service (productpage.bookinfo-front) on port 9080. Similarly, the load balancer in the namespace bookinfo-middle with host name bookinfo2.acme.com forwards traffic to an internal Kubernetes service (httpbin.bookinfo-middle) on port 8000.

getSvcStr="curl -k -u admin:<credential> \
  https://${TSBIP}:8443/v1/tenants/tenant1/environments/dev/applications/bookinfo/services/tsb-gateway-bookinfo-front"

jsonSvcStr=$($getSvcStr | jq .)

jq '.lbSettings = {
  "enableWorkflows": false,
  "loadBalancerClass": "ENVOY",
  "loadBalancerTier": "TIER2",
  "routes": [
    {
      "hostname": "bookinfo.acme.com",
      "tls": {
        "tlsMode": "SIMPLE",
        "secretName": "bookinfo-front-certs"
      },
      "httpSettings": {
        "routeRules": [
          {
            "route": {
              "destinations": [
                { "local": { "host": "productpage.bookinfo-front.svc.cluster.local" }, "port": 9080 }
              ]
            }
          }
        ]
      }
    }
  ]
}' <<<"$jsonSvcStr" >/tmp/tsb-gateway-bookinfo-front.json

curl -k -u "admin:<credential>" --request PUT \
  --header 'content-type: application/json' \
  https://${TSBIP}:8443/v1/tenants/tenant1/environments/dev/applications/bookinfo/services/tsb-gateway-bookinfo-front \
  -d @/tmp/tsb-gateway-bookinfo-front.json

getSvcStr="curl -k -u admin:<credential> \
  https://${TSBIP}:8443/v1/tenants/tenant1/environments/dev/applications/bookinfo/services/tsb-gateway-bookinfo-middle"

jsonSvcStr=$($getSvcStr | jq .)

jq '.lbSettings = {
  "enableWorkflows": false,
  "loadBalancerClass": "ENVOY",
  "loadBalancerTier": "TIER2",
  "routes": [
    {
      "hostname": "bookinfo2.acme.com",
      "tls": {
        "tlsMode": "SIMPLE",
        "secretName": "bookinfo-middle-certs"
      },
      "httpSettings": {
        "routeRules": [
          {
            "route": {
              "destinations": [
                { "local": { "host": "httpbin.bookinfo-middle.svc.cluster.local" }, "port": 8000 }
              ]
            }
          }
        ]
      }
    }
  ]
}' <<<"$jsonSvcStr" >/tmp/tsb-gateway-bookinfo-middle.json

curl -k -u "admin:<credential>" --request PUT \
  --header 'content-type: application/json' \
  https://${TSBIP}:8443/v1/tenants/tenant1/environments/dev/applications/bookinfo/services/tsb-gateway-bookinfo-middle \
  -d @/tmp/tsb-gateway-bookinfo-middle.json
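The jq filters above and the secret-naming rule from step 3.1 are the two places where a typo silently produces a gateway that cannot terminate TLS, so the following added example (Python, written for this page; not TSB's API client or Tetrate's code) builds the same lbSettings object the jq filter writes, merges it into a fetched service object the way `.lbSettings = {...}` does, and pre-checks that every secretName a route references exists in the gateway namespace, requiring the additional secretName-cacert secret whenever tlsMode is MUTUAL, which is the rule as step 3.1 states it. The fetched service object and the secret lists are constructed samples: the real response carries whatever fields the TSB API returns, and the real secret list would come from kubectl get secrets in the namespace.

```python
"""Build and pre-validate the lbSettings patch from section 3.3.

Example code added to the page, not TSB's API client. FETCHED_SERVICE is a
constructed stand-in for the object returned by GET .../services/<name>; the
secret lists passed to check_tls_secrets are constructed too."""
import json

# Constructed sample of a fetched service object (field names are assumed).
FETCHED_SERVICE = {
    "id": "tsb-gateway-bookinfo-front",
    "application": "bookinfo",
    "namespace": "bookinfo-front",
}


def build_lb_settings(hostname, secret_name, host, port, tls_mode="SIMPLE"):
    """Return the lbSettings object the page's jq filter assigns."""
    return {
        "enableWorkflows": False,
        "loadBalancerClass": "ENVOY",
        "loadBalancerTier": "TIER2",
        "routes": [{
            "hostname": hostname,
            "tls": {"tlsMode": tls_mode, "secretName": secret_name},
            "httpSettings": {"routeRules": [{
                "route": {"destinations": [{"local": {"host": host}, "port": port}]}
            }]},
        }],
    }


def patch_service(service, lb_settings):
    """Equivalent of `jq '.lbSettings = {...}'`: copy the fetched object and set lbSettings."""
    patched = dict(service)
    patched["lbSettings"] = lb_settings
    return patched


def check_tls_secrets(lb_settings, namespace_secrets):
    """Return the names of secrets the routes reference but the namespace lacks.

    Per step 3.1, a route with tlsMode MUTUAL also needs <secretName>-cacert
    holding the CA certificates used to validate client connections."""
    present = set(namespace_secrets)
    missing = []
    for route in lb_settings["routes"]:
        tls = route.get("tls") or {}
        name = tls.get("secretName")
        if not name:
            continue  # plaintext route, nothing to verify
        required = [name]
        if tls.get("tlsMode") == "MUTUAL":
            required.append(name + "-cacert")
        missing.extend(s for s in required if s not in present)
    return missing


if __name__ == "__main__":
    front = build_lb_settings("bookinfo.acme.com", "bookinfo-front-certs",
                              "productpage.bookinfo-front.svc.cluster.local", 9080)
    # Same shape the page writes to /tmp/tsb-gateway-bookinfo-front.json
    print(json.dumps(patch_service(FETCHED_SERVICE, front), indent=2))
    # Constructed secret list: what `kubectl -n bookinfo-front get secrets` might show
    print("missing (SIMPLE):", check_tls_secrets(front, ["bookinfo-front-certs"]))
    mtls = build_lb_settings("bookinfo.acme.com", "bookinfo-front-certs",
                             "productpage.bookinfo-front.svc.cluster.local", 9080,
                             tls_mode="MUTUAL")
    print("missing (MUTUAL):", check_tls_secrets(mtls, ["bookinfo-front-certs"]))
```

Running check_tls_secrets before the PUT turns a silent gateway misconfiguration into a pre-flight failure; feed it the secret names from the gateway namespace rather than the list constructed above.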

Applying user application Kubernetes manifests

Actual Kubernetes services and deployments can be created inside namespaces corresponding to the application namespaces. This operation can be done asynchronously.