Deploy Sample Applications

Deploy the sample bookstore applications

In this section we will deploy 5 different Pods, and we will apply policies to control the traffic between them.

  • bookbuyer is an HTTP client making requests to bookstore. This traffic is permitted.
  • bookthief is an HTTP client and much like bookbuyer also makes HTTP requests to bookstore. This traffic should be blocked.
  • bookstore is a server, which responds to HTTP requests. It is also a client making requests to the bookwarehouse service. This traffic is permitted.
  • bookwarehouse is a server and should respond only to bookstore. Both bookbuyer and bookthief should be blocked.
  • mysql is a MySQL database only reachable by bookwarehouse.

We are going to define and deploy traffic access policies using SMI, which will bring us to this final desired

state of allowed and blocked traffic between pods:

from / to:bookbuyerbookthiefbookstorebookwarehousemysql

To show how to split traffic using SMI Traffic Split, we will deploy an additional application:

  • bookstore-v2 - this is the same container as the first bookstore we deployed, but for this demo we will assume that it is a new version of the app we need to upgrade to.

The bookbuyer, bookthief, bookstore, and bookwarehouse Pods will be in separate Kubernetes Namespaces with

the same names. mysql will be in the bookwarehouse namespace. Each new Pod in the service mesh will be injected with an Pipy sidecar container.

Create the Namespaces

kubectl create namespace bookstore
kubectl create namespace bookbuyer
kubectl create namespace bookthief
kubectl create namespace bookwarehouse

Add the new namespaces to the FSM control plane

fsm namespace add bookstore bookbuyer bookthief bookwarehouse

Now each one of the four namespaces is labelled with fsm and also

annotated with enabled. The FSM Controller, noticing the label and annotation

on these namespaces, will start injecting all new pods with Pipy sidecars.

Create Pods, Services, ServiceAccounts

Create the bookbuyer service account and deployment:

kubectl apply -f

Create the bookthief service account and deployment:

kubectl apply -f

Create the bookstore service account, service, and deployment:

kubectl apply -f

Create the bookwarehouse service account, service, and deployment:

kubectl apply -f

Create the mysql service account, service, and stateful set:

kubectl apply -f

Checkpoint: What Got Installed?

A Kubernetes Deployment and Pods for each of bookbuyer, bookthief, bookstore and bookwarehouse, and a StatefulSet for mysql. Also, Kubernetes Services and Endpoints for bookstore, bookwarehouse, and mysql.

To view these resources on your cluster, run the following commands:

kubectl get pods,deployments,serviceaccounts -n bookbuyer
kubectl get pods,deployments,serviceaccounts -n bookthief

kubectl get pods,deployments,serviceaccounts,services,endpoints -n bookstore
kubectl get pods,deployments,serviceaccounts,services,endpoints -n bookwarehouse

In addition, a Kubernetes Service Account was also created for each application. The Service Account serves as the application’s identity which will be used later in the demo to create service-to-service access control policies.

View the Application UIs

Set up client port forwarding with the following steps to access the applications in the Kubernetes cluster. It is best to start a new terminal session for running the port forwarding scripts to maintain the port forwarding session, while using the original terminal to continue to issue commands. The scripts will look for a .env file for environment variables needed to run the script. The .env creates the necessary variables that target the previously created namespaces. We will use the reference .env.example file and then run the port forwarding scripts.

In a new terminal session, run the following commands to enable port forwarding into the Kubernetes cluster from the root of the project directory (your local clone of upstream FSM).

git clone -b main
cd fsm
cp .env.example .env
bash <<EOF
./scripts/ &
./scripts/ app=bookstore &
./scripts/ &

Note: To override the default ports, prefix the BOOKBUYER_LOCAL_PORT, BOOKSTORE_LOCAL_PORT, and/or BOOKTHIEF_LOCAL_PORT variable assignments to the port-forward scripts. For example:

bash <<EOF
./scripts/ &
./scripts/ app=bookstore &
./scripts/ &

In a browser, open up the following urls:

Position the windows so that you can see all of them at the same time. The header at the top of the webpage indicates the application and version.

Next Steps

Now that the sample applications are running, configure traffic policies between the applications.


Was this page helpful?

Last modified April 11, 2024: update versions of fsm and pipy (cea5b3e)