From 7d58df469ab46971f4dccd4311386d4e6193a869 Mon Sep 17 00:00:00 2001 From: bmangoen Date: Mon, 24 Nov 2025 21:37:54 +0100 Subject: [PATCH 01/11] Add automation test for migration from sidecar to ambient Reorganized doc and added automation test for migration from sidecar to ambient mode Signed-off-by: bmangoen --- .../migration.adoc | 272 ++++++++++++------ 1 file changed, 187 insertions(+), 85 deletions(-) diff --git a/docs/migrate-from-sidecar-to-ambient/migration.adoc b/docs/migrate-from-sidecar-to-ambient/migration.adoc index 12e635f62..ebe688973 100644 --- a/docs/migrate-from-sidecar-to-ambient/migration.adoc +++ b/docs/migrate-from-sidecar-to-ambient/migration.adoc @@ -202,20 +202,31 @@ For additional compatibility considerations refer to: link:../common/coexistence === 2.3 Pre-Migration Checklist **Environment Validation:** -[source,console] +[source,bash,subs="attributes+"] ---- # Verify Sail Operator is deployed kubectl get pods -n sail-operator ---- -[source,console] +[source,bash,subs="attributes+"] ---- # Check Istio control plane version kubectl get istio -n istio-system +---- + +Output should be similar to: +[source,console] +---- NAME NAMESPACE PROFILE REVISIONS READY IN USE ACTIVE REVISION STATUS VERSION AGE default istio-system 1 1 1 default Healthy v{istio_latest_version} 20m ---- +ifdef::istio-migrate-from-sidecar-to-ambient[] +wait_istio_ready "istio-system" +with_retries istiod_pods_count "1" +print_istio_info +endif::[] + [NOTE] ==== * If you have any of the unsupported features like VirtualServices or DestinationRules, during Step 5 you will need to migrate those to be compatible with ambient mode. @@ -225,18 +236,28 @@ default istio-system 1 1 1 default **Application Namespace Validation:** -[source,console] +[source,bash,subs="attributes+"] ---- # Check your application namespaces for sidecar injection kubectl get namespaces -l istio.io/rev=default #or any other istio revision name. Also, check if you are using instead istio-injection=enabled label. +---- + +Output should be similar to: +[source,console] +---- NAME STATUS AGE bookinfo Active 6m56 ---- -[source,console] +[source,bash,subs="attributes+"] ---- # Check current workloads with sidecar injection kubectl get pods -n bookinfo +---- + +Output should be similar to: +[source,console] +---- NAME READY STATUS RESTARTS AGE bookinfo-gateway-istio-75d96b45d9-m65mq 1/1 Running 0 4m31s details-v1-646f945867-2gg99 2/2 Running 0 6m6s @@ -247,10 +268,20 @@ reviews-v2-54ff7fcf79-22k8r 2/2 Running 0 6m5s reviews-v3-6445668877-gdr22 2/2 Running 0 6m5s ---- -[source,console] +ifdef::istio-migrate-from-sidecar-to-ambient[] +with_retries wait_pods_ready_by_ns "bookinfo" +kubectl get pods -n bookinfo +endif::[] + +[source,bash,subs="attributes+"] ---- # Check current gateway API being used kubectl get gateway -n bookinfo +---- + +Output should be similar to: +[source,console] +---- NAME CLASS ADDRESS PROGRAMMED AGE bookinfo-gateway istio 10.0.147.96 True 5m41s ---- @@ -261,7 +292,7 @@ image:./images/kiali-bookinfo-traffic.png[Kiali Bookinfo Traffic] For testing purposes during migration, you can generate traffic to your application's main service using commands similar to: -[source,console] +[source,bash,subs="attributes+"] ---- # Generate traffic to productpage service export INGRESS_HOST=$(kubectl get gtw bookinfo-gateway -n bookinfo -o jsonpath='{.status.addresses[0].value}') @@ -283,7 +314,7 @@ done === 2.4 Backup Existing Configuration Before starting migration, back up all existing Istio resources and namespace labels: -[source,console] +[source,bash,subs="attributes+"] ---- # Backup all Istio resources kubectl get istio,istiocni,virtualservice,destinationrule,authorizationpolicy,requestauthentication,httproute,gateway,peerauthentication -A -o yaml > istio-backup.yaml @@ -323,6 +354,12 @@ kubectl get virtualservice -A -o yaml | grep -B5 -A10 "subset:" | grep -E "(name kubectl get virtualservice -A -o yaml | grep -E "(fault|delay|mirror)" | grep -v "name:" ---- +ifdef::istio-migrate-from-sidecar-to-ambient[] +kubectl get authorizationpolicy -A -o yaml | grep -E "(methods|paths|headers)" | grep -v "name:" +kubectl get virtualservice -A -o yaml | grep -B5 -A10 "subset:" | grep -E "(name:|subset:)" +kubectl get virtualservice -A -o yaml | grep -E "(fault|delay|mirror)" | grep -v "name:" +endif::[] + **Migration Readiness Assessment:** [source,console] ---- @@ -337,6 +374,12 @@ echo "=== Authorization policies requiring waypoint deployment ===" kubectl get authorizationpolicy -A -o yaml | grep -c -E "(methods|paths|headers)" ---- +ifdef::istio-migrate-from-sidecar-to-ambient[] +kubectl get virtualservice -A --no-headers | wc -l +kubectl get destinationrule -A -o yaml | grep -c "subset:" +kubectl get authorizationpolicy -A -o yaml | grep -c -E "(methods|paths|headers)" +endif::[] + Note: In the step 5 of this guide you will need to migrate unsupported features. This includes: - Converting VirtualServices and DestinationRules to HTTPRoute and Gateway resources @@ -358,8 +401,9 @@ Note: In the step 5 of this guide you will need to migrate unsupported features. Update your existing Istio resource: -[source,yaml] +[source,bash,subs="attributes+"] ---- +kubectl apply -f - </dev/null || kubectl create namespace istio-cni + +# Apply Istio CNI configuration +kubectl apply -f - </dev/null || kubectl create namespace ztunnel + # If you are using discoverySelectors, label the namespace accordingly kubectl label namespace ztunnel istio-discovery=enabled ----- -[source,yaml] ----- -apiVersion: sailoperator.io/v1 +# Apply ZTunnel configuration +kubectl apply -f - <> for Step 2 cluster setup rollback instructions (Low Risk). [[step-3-update-sidecars-for-hbone-support]] @@ -466,7 +513,7 @@ default ztunnel True Healthy v{istio_latest_version} 12m Existing sidecars need to support the HBONE protocol. Restart deployments in all sidecar-injected namespaces: -[source,console] +[source,bash,subs="attributes+"] ---- # Restart workloads in each application namespace kubectl rollout restart deployment -n bookinfo @@ -481,10 +528,15 @@ Note: during the restart, sidecars will be updated to support HBONE while still Check that sidecars now support HBONE protocol: -[source,console] +[source,bash,subs="attributes+"] ---- # Check for HBONE is enabled in sidecar $ kubectl get pod $(kubectl get pods -n bookinfo -l app=ratings -o jsonpath='{.items[0].metadata.name}') -n bookinfo -o yaml | yq '.spec.containers[] | select(.name=="istio-proxy") | .env[] | select(.name=="PROXY_CONFIG")' +---- + +The output should be similar to: +[source,yaml] +---- name: PROXY_CONFIG value: | {"proxyMetadata":{"ISTIO_META_ENABLE_HBONE":"true"},"image":{"imageType":"distroless"}} @@ -495,10 +547,15 @@ As shown above, the `ISTIO_META_ENABLE_HBONE` environment variable is set to `tr [[step-33-connectivity-validation]] ==== Step 3.3 Connectivity Validation Send requests to ensure connectivity remains intact: -[source,console] +[source,bash,subs="attributes+"] ---- # Test service connectivity through sidecars $ kubectl exec $(kubectl get pods -n bookinfo -l app=ratings -o jsonpath='{.items[0].metadata.name}') -n bookinfo -- curl http://reviews.bookinfo:9080/reviews/1 +---- + +The output result should be similar to: +[source,json] +---- { "id": "1", "podname": "reviews-v1-75797bd984-7b5g6", @@ -521,10 +578,15 @@ Note: At this point, sidecars are fully functional with HBONE support, but traff **Critical**: Do NOT remove sidecars yet. They must remain until waypoints are fully deployed and active in Step 7. Test connectivity from outside the mesh: -[source,console] +[source,bash,subs="attributes+"] ---- # Test ingress connectivity $ curl -s http://$GATEWAY_URL/productpage | grep title +---- + +The output should be similar to: +[source,html] +---- Simple Bookstore App ---- @@ -540,7 +602,7 @@ Traffic should continue flowing as before. This confirms that sidecars are still Analyze your current configuration to identify services that need waypoint proxies: -[source,console] +[source,bash,subs="attributes+"] ---- # Check for existing L7 policies that will need waypoints kubectl get virtualservice,httproute -A @@ -552,9 +614,10 @@ kubectl get authorizationpolicy -A -o yaml | grep -A 10 -B 5 "rules.*methods\|op Create waypoints for namespaces requiring L7 processing: -**Example Waypoint for bookinfo namespace:** -[source,yaml] +Apply the Waypoint for bookinfo namespace configurations: +[source,bash,subs="attributes+"] ---- +kubectl apply -f - < NAME ACTION AGE productpage-waypoint ALLOW 18s productpage-ztunnel-protection DENY 7s @@ -913,7 +984,7 @@ reviews-ztunnel-protection DENY 6s **Critical**: Keep existing sidecar policies active until Policy Simplification step. Test that services are still accessible (policies not yet enforced): -[source,console] +[source,bash,subs="attributes+"] ---- NAMESPACE="bookinfo" # Replace with your namespace TEST_POD=$(kubectl get pods -n $NAMESPACE -l app=reviews -o jsonpath='{.items[0].metadata.name}') @@ -936,15 +1007,21 @@ fi We recommend enabling ambient mode for one namespace at a time, starting with the least critical. Replace `bookinfo` with your actual namespace name: -[source,console] +[source,bash,subs="attributes+"] ---- kubectl label namespace bookinfo istio.io/dataplane-mode=ambient ---- -[source,console] +[source,bash,subs="attributes+"] ---- # Verify ztunnel configuration for each namespace -$ istioctl ztunnel-config workloads --namespace ztunnel | grep bookinfo +istioctl ztunnel-config workloads --namespace ztunnel | grep bookinfo +---- + +The output should be similar to: + +[source,console] +---- bookinfo bookinfo-gateway-istio-6b9cf4b8c8-xxsq2 10.128.2.58 user-rhos-d-4-9b684-worker-0-4fhm6 None TCP bookinfo details-v1-bb955f94b-4sppn 10.128.2.59 user-rhos-d-4-9b684-worker-0-4fhm6 None HBONE bookinfo productpage-v1-c4cb9cb4b-ghzwc 10.128.2.60 user-rhos-d-4-9b684-worker-0-4fhm6 None HBONE @@ -956,7 +1033,7 @@ bookinfo waypoint-58cdc7f494-98h79 ---- **Validation after each namespace:** -[source,console] +[source,bash,subs="attributes+"] ---- # Test connectivity after enabling each namespace, e.g., bookinfo kubectl exec -n bookinfo $(kubectl get pods -n bookinfo -l app=ratings -o jsonpath='{.items[0].metadata.name}') -- curl http://reviews.bookinfo:9080/ @@ -979,7 +1056,7 @@ kubectl exec -n bookinfo $(kubectl get pods -n bookinfo -l app=ratings -o jsonpa Up to this point, waypoint proxies have been deployed but are not processing any traffic. They remain dormant until you explicitly configure workloads to use them. This activation happens through labeling: **Namespace-level Activation (recommended):** -[source,console] +[source,bash,subs="attributes+"] ---- # Enable waypoint for all services in the namespace kubectl label namespace bookinfo istio.io/use-waypoint=waypoint @@ -1003,6 +1080,10 @@ kubectl get namespace --show-labels kubectl get service -n --show-labels ---- +ifdef::istio-migrate-from-sidecar-to-ambient[] +with_retries wait_pods_by_label "bookinfo" "gateway.networking.k8s.io/gateway-name=waypoint" +endif::[] + **Critical Identity Security Consideration**: Waypoints do not spoof client identity. When ztunnel processes traffic from waypoints, it sees the waypoint's identity, not the original client's identity. This has important implications: @@ -1025,7 +1106,7 @@ Ensure your authorization policies account for this identity behavior when valid Once traffic flows through waypoints, remove duplicate sidecar-specific policies: -[source,console] +[source,bash,subs="attributes+"] ---- # List all authorization policies to identify duplicates kubectl get authorizationpolicy -A @@ -1053,7 +1134,7 @@ kubectl delete virtualservice -n **Final step**: Remove sidecar injection now that ambient mode is fully operational: -[source,console] +[source,bash,subs="attributes+"] ---- # Remove sidecar injection while preserving ambient mode labels kubectl label namespace bookinfo istio.io/rev- istio.io/dataplane-mode=ambient @@ -1067,12 +1148,16 @@ kubectl rollout restart deployment -n bookinfo Verify sidecars are removed and ambient mode is working: -[source,console] +[source,bash,subs="attributes+"] ---- # Verify pods no longer have sidecars containers in the application pods kubectl get pods -n bookinfo ---- +ifdef::istio-migrate-from-sidecar-to-ambient[] +with_retries wait_pods_ready_by_ns "bookinfo" +endif::[] + Checking on Kiali should show traffic flowing through ambient mode. You should see traffic flowing through ztunnel and waypoints instead of sidecars. [[step-93-validate-l7-policy-enforcement]] @@ -1080,17 +1165,29 @@ Checking on Kiali should show traffic flowing through ambient mode. You should s Test that L7 policies are now enforced through waypoints (L7 policies should work as before after waypoint activation): -[source,console] +[source,bash,subs="attributes+"] ---- # Test authorization policies work through waypoint kubectl exec -n bookinfo $(kubectl get pods -n bookinfo -l app=ratings -o jsonpath='{.items[0].metadata.name}') -- curl -v http://reviews.bookinfo:9080/reviews/1 + +---- + +Output should be similar to: +[source,json] +---- {"id": "1","podname": "reviews-v3-dd9d6fc89-6glvk","clustername": "null","reviews": [{ "reviewer": "Reviewer1", "text": "An extremely entertaining play by Shakespeare. The slapstick humor is refreshing!", "rating": {"stars": 5, "color": "red"}},{ "reviewer": "Reviewer2", "text": "Absolutely fun and entertaining. The play lacks thematic depth when compared to other plays by Shakespeare.", "rating": {"stars": 4, "color": "red"}}]} ---- -[source,console] +Test the traffic routing through waypoint with header (if HTTPRoute configured): + +[source,bash,subs="attributes+"] +---- +kubectl exec -n bookinfo $(kubectl get pods -n bookinfo -l app=ratings -o jsonpath='{.items[0].metadata.name}') -- curl -H "end-user: jason" http://reviews.bookinfo:9080/reviews/1 +---- + +Output should be similar to: +[source,json] ---- -# Test traffic routing through waypoint with header (if HTTPRoute configured) -$ kubectl exec -n bookinfo $(kubectl get pods -n bookinfo -l app=ratings -o jsonpath='{.items[0].metadata.name}') -- curl -H "end-user: jason" http://reviews.bookinfo:9080/reviews/1 {"id": "1","podname": "reviews-v2-67ff7bcdc5-kklgl","clustername":"null","reviews": [{ "reviewer": "Reviewer1", "text": "An extremely entertaining play by Shakespeare. The slapstick humor is refreshing!","rating": {"stars": 5, "color": "black"}},{ "reviewer": "Reviewer2", "text": "Absolutely fun and entertaining. The play lacks thematic depthwhen compared to other plays by Shakespeare.","rating": {"stars": 4, "color": "black"}}]} ---- @@ -1098,7 +1195,7 @@ Note: L7 policies should function as before, now enforced through waypoints inst Test external connectivity (if gateway configured): -[source,console] +[source,bash,subs="attributes+"] ---- # Test external connectivity through gateway export INGRESS_HOST=$(kubectl get gtw bookinfo-gateway -n bookinfo -o jsonpath='{.status.addresses[0].value}') @@ -1135,10 +1232,15 @@ fi **mTLS Verification:** -[source,console] +[source,bash,subs="attributes+"] ---- # Check ztunnel protocols for the bookinfo namespace istioctl ztunnel-config workloads -n ztunnel |grep bookinfo +---- + +Output should be similar to: +[source,console] +---- bookinfo bookinfo-gateway-istio-86496d9445-fgczp 10.128.2.66 user-rhos-d-4-9b684-worker-0-4fhm6 None TCP bookinfo details-v1-584b5c5f6c-dhkjx 10.128.2.67 user-rhos-d-4-9b684-worker-0-4fhm6 None HBONE bookinfo productpage-v1-7b5749b8bf-96mmg 10.128.2.68 user-rhos-d-4-9b684-worker-0-4fhm6 None HBONE @@ -1608,4 +1710,4 @@ spec: These resources provide further information on ambient mode and related configurations: -- https://istio.io/latest/docs/ambient/[Upstream Istio Ambient Documentation] - Official Istio ambient mode docs +- https://istio.io/latest/docs/ambient/[Upstream Istio Ambient Documentation] - Official Istio ambient mode docs \ No newline at end of file From 88a19839912ef8934cbff8fd7574f9fa4f2e13df Mon Sep 17 00:00:00 2001 From: bmangoen Date: Thu, 27 Nov 2025 14:45:33 +0100 Subject: [PATCH 02/11] Add prebuilt functions to migration documentation Adding prebuilt functions for creating default Istio resource, installing Bookinfo and creating Bookinfo Gateway Signed-off-by: bmangoen --- .../migration.adoc | 114 +++++++++--------- .../scripts/prebuilt-func.sh | 36 +++++- 2 files changed, 89 insertions(+), 61 deletions(-) diff --git a/docs/migrate-from-sidecar-to-ambient/migration.adoc b/docs/migrate-from-sidecar-to-ambient/migration.adoc index ebe688973..92e8be074 100644 --- a/docs/migrate-from-sidecar-to-ambient/migration.adoc +++ b/docs/migrate-from-sidecar-to-ambient/migration.adoc @@ -114,6 +114,13 @@ This migration guide uses example commands that can be adapted to any applicatio You can use any application that is currently running with sidecar injection enabled. +ifdef::istio-migrate-from-sidecar-to-ambient[] +create_default_istio +install_bookinfo "{istio_release_name}" +create_bookinfo_gateway_api "{istio_release_name}" +with_retries wait_pods_ready_by_ns "bookinfo" +endif::[] + [[technical-requirements]] === 2.1 Technical Requirements @@ -202,13 +209,13 @@ For additional compatibility considerations refer to: link:../common/coexistence === 2.3 Pre-Migration Checklist **Environment Validation:** -[source,bash,subs="attributes+"] +[source,bash,subs="attributes+",name="istio-migrate-from-sidecar-to-ambient"] ---- # Verify Sail Operator is deployed kubectl get pods -n sail-operator ---- -[source,bash,subs="attributes+"] +[source,bash,subs="attributes+",name="istio-migrate-from-sidecar-to-ambient"] ---- # Check Istio control plane version kubectl get istio -n istio-system @@ -236,7 +243,7 @@ endif::[] **Application Namespace Validation:** -[source,bash,subs="attributes+"] +[source,bash,subs="attributes+",name="istio-migrate-from-sidecar-to-ambient"] ---- # Check your application namespaces for sidecar injection kubectl get namespaces -l istio.io/rev=default #or any other istio revision name. Also, check if you are using instead istio-injection=enabled label. @@ -249,7 +256,7 @@ NAME STATUS AGE bookinfo Active 6m56 ---- -[source,bash,subs="attributes+"] +[source,bash,subs="attributes+",name="istio-migrate-from-sidecar-to-ambient"] ---- # Check current workloads with sidecar injection kubectl get pods -n bookinfo @@ -270,10 +277,9 @@ reviews-v3-6445668877-gdr22 2/2 Running 0 6m5s ifdef::istio-migrate-from-sidecar-to-ambient[] with_retries wait_pods_ready_by_ns "bookinfo" -kubectl get pods -n bookinfo endif::[] -[source,bash,subs="attributes+"] +[source,bash,subs="attributes+",name="istio-migrate-from-sidecar-to-ambient"] ---- # Check current gateway API being used kubectl get gateway -n bookinfo @@ -292,7 +298,7 @@ image:./images/kiali-bookinfo-traffic.png[Kiali Bookinfo Traffic] For testing purposes during migration, you can generate traffic to your application's main service using commands similar to: -[source,bash,subs="attributes+"] +[source,bash] ---- # Generate traffic to productpage service export INGRESS_HOST=$(kubectl get gtw bookinfo-gateway -n bookinfo -o jsonpath='{.status.addresses[0].value}') @@ -314,7 +320,7 @@ done === 2.4 Backup Existing Configuration Before starting migration, back up all existing Istio resources and namespace labels: -[source,bash,subs="attributes+"] +[source,bash] ---- # Backup all Istio resources kubectl get istio,istiocni,virtualservice,destinationrule,authorizationpolicy,requestauthentication,httproute,gateway,peerauthentication -A -o yaml > istio-backup.yaml @@ -342,7 +348,7 @@ This migration follows a structured step-by-step approach, with each step includ Before starting migration, validate your cluster meets all requirements and check the current configuration for compatibility. **Enhanced Policy Compatibility Check:** -[source,console] +[source,bash,subs="attributes+",name="istio-migrate-from-sidecar-to-ambient"] ---- # Check for Layer 7-only authorization policies that will require waypoints kubectl get authorizationpolicy -A -o yaml | grep -E "(methods|paths|headers)" | grep -v "name:" @@ -354,14 +360,8 @@ kubectl get virtualservice -A -o yaml | grep -B5 -A10 "subset:" | grep -E "(name kubectl get virtualservice -A -o yaml | grep -E "(fault|delay|mirror)" | grep -v "name:" ---- -ifdef::istio-migrate-from-sidecar-to-ambient[] -kubectl get authorizationpolicy -A -o yaml | grep -E "(methods|paths|headers)" | grep -v "name:" -kubectl get virtualservice -A -o yaml | grep -B5 -A10 "subset:" | grep -E "(name:|subset:)" -kubectl get virtualservice -A -o yaml | grep -E "(fault|delay|mirror)" | grep -v "name:" -endif::[] - **Migration Readiness Assessment:** -[source,console] +[source,bash,subs="attributes+",name="istio-migrate-from-sidecar-to-ambient"] ---- # List all resources that need conversion echo "=== VirtualServices requiring HTTPRoute conversion ===" @@ -374,12 +374,6 @@ echo "=== Authorization policies requiring waypoint deployment ===" kubectl get authorizationpolicy -A -o yaml | grep -c -E "(methods|paths|headers)" ---- -ifdef::istio-migrate-from-sidecar-to-ambient[] -kubectl get virtualservice -A --no-headers | wc -l -kubectl get destinationrule -A -o yaml | grep -c "subset:" -kubectl get authorizationpolicy -A -o yaml | grep -c -E "(methods|paths|headers)" -endif::[] - Note: In the step 5 of this guide you will need to migrate unsupported features. This includes: - Converting VirtualServices and DestinationRules to HTTPRoute and Gateway resources @@ -401,9 +395,9 @@ Note: In the step 5 of this guide you will need to migrate unsupported features. Update your existing Istio resource: -[source,bash,subs="attributes+"] +[source,bash,subs="attributes+",name="istio-migrate-from-sidecar-to-ambient"] ---- -kubectl apply -f - </dev/null || kubectl create namespace istio-cni # Apply Istio CNI configuration -kubectl apply -f - </dev/null || kubectl create namespace ztunnel @@ -469,7 +463,7 @@ kubectl get namespace ztunnel 2>/dev/null || kubectl create namespace ztunnel kubectl label namespace ztunnel istio-discovery=enabled # Apply ZTunnel configuration -kubectl apply -f - < -n **Final step**: Remove sidecar injection now that ambient mode is fully operational: -[source,bash,subs="attributes+"] +[source,bash,subs="attributes+",name="istio-migrate-from-sidecar-to-ambient"] ---- # Remove sidecar injection while preserving ambient mode labels kubectl label namespace bookinfo istio.io/rev- istio.io/dataplane-mode=ambient @@ -1148,7 +1142,7 @@ kubectl rollout restart deployment -n bookinfo Verify sidecars are removed and ambient mode is working: -[source,bash,subs="attributes+"] +[source,bash,subs="attributes+",name="istio-migrate-from-sidecar-to-ambient"] ---- # Verify pods no longer have sidecars containers in the application pods kubectl get pods -n bookinfo @@ -1165,7 +1159,7 @@ Checking on Kiali should show traffic flowing through ambient mode. You should s Test that L7 policies are now enforced through waypoints (L7 policies should work as before after waypoint activation): -[source,bash,subs="attributes+"] +[source,bash,subs="attributes+",name="istio-migrate-from-sidecar-to-ambient"] ---- # Test authorization policies work through waypoint kubectl exec -n bookinfo $(kubectl get pods -n bookinfo -l app=ratings -o jsonpath='{.items[0].metadata.name}') -- curl -v http://reviews.bookinfo:9080/reviews/1 @@ -1180,7 +1174,7 @@ Output should be similar to: Test the traffic routing through waypoint with header (if HTTPRoute configured): -[source,bash,subs="attributes+"] +[source,bash,subs="attributes+",name="istio-migrate-from-sidecar-to-ambient"] ---- kubectl exec -n bookinfo $(kubectl get pods -n bookinfo -l app=ratings -o jsonpath='{.items[0].metadata.name}') -- curl -H "end-user: jason" http://reviews.bookinfo:9080/reviews/1 ---- @@ -1195,7 +1189,7 @@ Note: L7 policies should function as before, now enforced through waypoints inst Test external connectivity (if gateway configured): -[source,bash,subs="attributes+"] +[source,bash,subs="attributes+",name="istio-migrate-from-sidecar-to-ambient"] ---- # Test external connectivity through gateway export INGRESS_HOST=$(kubectl get gtw bookinfo-gateway -n bookinfo -o jsonpath='{.status.addresses[0].value}') @@ -1232,7 +1226,7 @@ fi **mTLS Verification:** -[source,bash,subs="attributes+"] +[source,bash,subs="attributes+",name="istio-migrate-from-sidecar-to-ambient"] ---- # Check ztunnel protocols for the bookinfo namespace istioctl ztunnel-config workloads -n ztunnel |grep bookinfo diff --git a/tests/documentation_tests/scripts/prebuilt-func.sh b/tests/documentation_tests/scripts/prebuilt-func.sh index 14bd7cb3c..f98a7f659 100644 --- a/tests/documentation_tests/scripts/prebuilt-func.sh +++ b/tests/documentation_tests/scripts/prebuilt-func.sh @@ -204,7 +204,6 @@ wait_istio_ready() { print_istio_info() { kubectl get istio kubectl get pods -n istio-system - kubectl get istio kubectl get istiorevision kubectl get istiorevisiontag } @@ -323,4 +322,39 @@ wait_for_rollout_success() { for deploy in $deploy_names; do kubectl rollout status "$deploy" -n "$namespace" --timeout=60s done +} + +# Create default Istio resource +create_default_istio() { + namespace="${1:-istio-system}" + + kubectl get namespace "$namespace" 2>/dev/null || kubectl create namespace "$namespace" + cat </dev/null || kubectl create namespace "$namespace" + kubectl label namespace "$namespace" istio-injection=enabled + kubectl apply -n "$namespace" -f https://raw.githubusercontent.com/istio/istio/${istio_release_name}/samples/bookinfo/platform/kube/bookinfo.yaml +} + +# Create Bookinfo gateway API +create_bookinfo_gateway_api() { + istio_release_name="$1" + namespace="${2:-bookinfo}" + + kubectl get crd gateways.gateway.networking.k8s.io &> /dev/null || \ + kubectl apply --server-side -f https://github.com/kubernetes-sigs/gateway-api/releases/download/v1.4.0/experimental-install.yaml + kubectl apply -f https://raw.githubusercontent.com/istio/istio/${istio_release_name}/samples/bookinfo/gateway-api/bookinfo-gateway.yaml -n "$namespace" } \ No newline at end of file From a7842cc6531d37f1295755cdb27658132001db09 Mon Sep 17 00:00:00 2001 From: bmangoen Date: Mon, 1 Dec 2025 16:35:18 +0100 Subject: [PATCH 03/11] Remove steps which test external URL connectivity Signed-off-by: bmangoen --- docs/migrate-from-sidecar-to-ambient/migration.adoc | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/migrate-from-sidecar-to-ambient/migration.adoc b/docs/migrate-from-sidecar-to-ambient/migration.adoc index 92e8be074..4b6a454e9 100644 --- a/docs/migrate-from-sidecar-to-ambient/migration.adoc +++ b/docs/migrate-from-sidecar-to-ambient/migration.adoc @@ -464,7 +464,7 @@ kubectl label namespace ztunnel istio-discovery=enabled # Apply ZTunnel configuration cat < Date: Mon, 1 Dec 2025 16:36:29 +0100 Subject: [PATCH 04/11] Remove steps which test external URL connectivity Signed-off-by: bmangoen --- docs/migrate-from-sidecar-to-ambient/migration.adoc | 8 ++++---- tests/documentation_tests/scripts/prebuilt-func.sh | 10 +++++----- 2 files changed, 9 insertions(+), 9 deletions(-) diff --git a/docs/migrate-from-sidecar-to-ambient/migration.adoc b/docs/migrate-from-sidecar-to-ambient/migration.adoc index 4b6a454e9..e5bc6a362 100644 --- a/docs/migrate-from-sidecar-to-ambient/migration.adoc +++ b/docs/migrate-from-sidecar-to-ambient/migration.adoc @@ -431,7 +431,7 @@ Create or update the IstioCNI resource: [source,bash,subs="attributes+",name="istio-migrate-from-sidecar-to-ambient"] ---- # Create Istio CNI namespace if it doesn't exist -kubectl get namespace istio-cni 2>/dev/null || kubectl create namespace istio-cni +kubectl get namespace istio-cni >/dev/null 2>&1 || kubectl create namespace istio-cni # Apply Istio CNI configuration cat </dev/null || kubectl create namespace ztunnel +kubectl get namespace ztunnel >/dev/null 2>&1 || kubectl create namespace ztunnel # If you are using discoverySelectors, label the namespace accordingly kubectl label namespace ztunnel istio-discovery=enabled @@ -572,7 +572,7 @@ Note: At this point, sidecars are fully functional with HBONE support, but traff **Critical**: Do NOT remove sidecars yet. They must remain until waypoints are fully deployed and active in Step 7. Test connectivity from outside the mesh: -[source,bash,subs="attributes+",name="istio-migrate-from-sidecar-to-ambient"] +[source,bash] ---- # Test ingress connectivity $ curl -s http://$GATEWAY_URL/productpage | grep title @@ -1189,7 +1189,7 @@ Note: L7 policies should function as before, now enforced through waypoints inst Test external connectivity (if gateway configured): -[source,bash,subs="attributes+",name="istio-migrate-from-sidecar-to-ambient"] +[source,bash] ---- # Test external connectivity through gateway export INGRESS_HOST=$(kubectl get gtw bookinfo-gateway -n bookinfo -o jsonpath='{.status.addresses[0].value}') diff --git a/tests/documentation_tests/scripts/prebuilt-func.sh b/tests/documentation_tests/scripts/prebuilt-func.sh index f98a7f659..b9aa4c990 100644 --- a/tests/documentation_tests/scripts/prebuilt-func.sh +++ b/tests/documentation_tests/scripts/prebuilt-func.sh @@ -328,7 +328,7 @@ wait_for_rollout_success() { create_default_istio() { namespace="${1:-istio-system}" - kubectl get namespace "$namespace" 2>/dev/null || kubectl create namespace "$namespace" + kubectl get namespace "$namespace" >/dev/null 2>&1 || kubectl create namespace "$namespace" cat </dev/null || kubectl create namespace "$namespace" + kubectl get namespace "$namespace" >/dev/null 2>&1 || kubectl create namespace "$namespace" kubectl label namespace "$namespace" istio-injection=enabled - kubectl apply -n "$namespace" -f https://raw.githubusercontent.com/istio/istio/${istio_release_name}/samples/bookinfo/platform/kube/bookinfo.yaml + kubectl apply -n "$namespace" -f https://raw.githubusercontent.com/istio/istio/"${istio_release_name}"/samples/bookinfo/platform/kube/bookinfo.yaml } # Create Bookinfo gateway API @@ -354,7 +354,7 @@ create_bookinfo_gateway_api() { istio_release_name="$1" namespace="${2:-bookinfo}" - kubectl get crd gateways.gateway.networking.k8s.io &> /dev/null || \ + kubectl get crd gateways.gateway.networking.k8s.io >/dev/null 2>&1 || \ kubectl apply --server-side -f https://github.com/kubernetes-sigs/gateway-api/releases/download/v1.4.0/experimental-install.yaml - kubectl apply -f https://raw.githubusercontent.com/istio/istio/${istio_release_name}/samples/bookinfo/gateway-api/bookinfo-gateway.yaml -n "$namespace" + kubectl apply -f https://raw.githubusercontent.com/istio/istio/"${istio_release_name}"/samples/bookinfo/gateway-api/bookinfo-gateway.yaml -n "$namespace" } \ No newline at end of file From 4d4c93ca263dfa356377d5b66fe5fe3468bfdab0 Mon Sep 17 00:00:00 2001 From: bmangoen Date: Fri, 5 Dec 2025 15:52:22 +0100 Subject: [PATCH 05/11] Variabilize istio latest version * Variabilize istio latest version * Remove execution of checking status Signed-off-by: bmangoen --- docs/migrate-from-sidecar-to-ambient/migration.adoc | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/docs/migrate-from-sidecar-to-ambient/migration.adoc b/docs/migrate-from-sidecar-to-ambient/migration.adoc index e5bc6a362..4259d7b2e 100644 --- a/docs/migrate-from-sidecar-to-ambient/migration.adoc +++ b/docs/migrate-from-sidecar-to-ambient/migration.adoc @@ -283,6 +283,7 @@ endif::[] ---- # Check current gateway API being used kubectl get gateway -n bookinfo +echo "Return code: $?" ---- Output should be similar to: @@ -978,7 +979,7 @@ reviews-ztunnel-protection DENY 6s **Critical**: Keep existing sidecar policies active until Policy Simplification step. Test that services are still accessible (policies not yet enforced): -[source,bash,subs="attributes+",name="istio-migrate-from-sidecar-to-ambient"] +[source,bash] ---- NAMESPACE="bookinfo" # Replace with your namespace TEST_POD=$(kubectl get pods -n $NAMESPACE -l app=reviews -o jsonpath='{.items[0].metadata.name}') From 33eb71033e3c01543bd50919acd94b9c3f87bdca Mon Sep 17 00:00:00 2001 From: bmangoen Date: Mon, 8 Dec 2025 19:16:57 +0100 Subject: [PATCH 06/11] Fix all execution errors * Remove unnecessary console characters / debug statements * Fix all execution errors in the migration.adoc file Signed-off-by: bmangoen --- .../migration.adoc | 32 ++++++++++--------- 1 file changed, 17 insertions(+), 15 deletions(-) diff --git a/docs/migrate-from-sidecar-to-ambient/migration.adoc b/docs/migrate-from-sidecar-to-ambient/migration.adoc index 4259d7b2e..952fc2104 100644 --- a/docs/migrate-from-sidecar-to-ambient/migration.adoc +++ b/docs/migrate-from-sidecar-to-ambient/migration.adoc @@ -283,7 +283,6 @@ endif::[] ---- # Check current gateway API being used kubectl get gateway -n bookinfo -echo "Return code: $?" ---- Output should be similar to: @@ -352,13 +351,13 @@ Before starting migration, validate your cluster meets all requirements and chec [source,bash,subs="attributes+",name="istio-migrate-from-sidecar-to-ambient"] ---- # Check for Layer 7-only authorization policies that will require waypoints -kubectl get authorizationpolicy -A -o yaml | grep -E "(methods|paths|headers)" | grep -v "name:" +kubectl get authorizationpolicy -A -o yaml | grep -E "(methods|paths|headers)" | grep -v "name:" || echo "No authorization policies found" # Identify VirtualServices with subset-based routing requiring service migration -kubectl get virtualservice -A -o yaml | grep -B5 -A10 "subset:" | grep -E "(name:|subset:)" +kubectl get virtualservice -A -o yaml | grep -B5 -A10 "subset:" | grep -E "(name:|subset:)" || echo "No virtualservices with subset-based routing found" # Check for unsupported features that need manual conversion -kubectl get virtualservice -A -o yaml | grep -E "(fault|delay|mirror)" | grep -v "name:" +kubectl get virtualservice -A -o yaml | grep -E "(fault|delay|mirror)" | grep -v "name:" || echo "No unsupported features found" ---- **Migration Readiness Assessment:** @@ -369,10 +368,10 @@ echo "=== VirtualServices requiring HTTPRoute conversion ===" kubectl get virtualservice -A --no-headers | wc -l echo "=== DestinationRules with subsets requiring service creation ===" -kubectl get destinationrule -A -o yaml | grep -c "subset:" +kubectl get destinationrule -A -o yaml | grep -c "subset:" || true echo "=== Authorization policies requiring waypoint deployment ===" -kubectl get authorizationpolicy -A -o yaml | grep -c -E "(methods|paths|headers)" +kubectl get authorizationpolicy -A -o yaml | grep -c -E "(methods|paths|headers)" || true ---- Note: In the step 5 of this guide you will need to migrate unsupported features. This includes: @@ -471,7 +470,6 @@ metadata: name: default spec: namespace: ztunnel - profile: ambient EOF # Verify ZTunnel is ready @@ -518,6 +516,10 @@ kubectl get pods -n bookinfo ---- Note: during the restart, sidecars will be updated to support HBONE while still functioning as traditional sidecars. Having HBONE support enabled is a prerequisite for ambient mode. +ifdef::istio-migrate-from-sidecar-to-ambient[] +with_retries wait_pods_ready_by_ns "bookinfo" +endif::[] + [[step-32-validate-hbone-capability]] ==== Step 3.2 Validate HBONE Capability @@ -526,7 +528,7 @@ Check that sidecars now support HBONE protocol: [source,bash,subs="attributes+",name="istio-migrate-from-sidecar-to-ambient"] ---- # Check for HBONE is enabled in sidecar -$ kubectl get pod $(kubectl get pods -n bookinfo -l app=ratings -o jsonpath='{.items[0].metadata.name}') -n bookinfo -o yaml | yq '.spec.containers[] | select(.name=="istio-proxy") | .env[] | select(.name=="PROXY_CONFIG")' +kubectl get pod $(kubectl get pods -n bookinfo -l app=ratings -o jsonpath='{.items[0].metadata.name}') -n bookinfo -o yaml | yq '.spec.containers[] | select(.name=="istio-proxy") | .env[] | select(.name=="PROXY_CONFIG")' ---- The output should be similar to: @@ -545,7 +547,7 @@ Send requests to ensure connectivity remains intact: [source,bash,subs="attributes+",name="istio-migrate-from-sidecar-to-ambient"] ---- # Test service connectivity through sidecars -$ kubectl exec $(kubectl get pods -n bookinfo -l app=ratings -o jsonpath='{.items[0].metadata.name}') -n bookinfo -- curl http://reviews.bookinfo:9080/reviews/1 +kubectl exec $(kubectl get pods -n bookinfo -l app=ratings -o jsonpath='{.items[0].metadata.name}') -n bookinfo -- curl http://reviews.bookinfo:9080/reviews/1 ---- The output result should be similar to: @@ -576,7 +578,7 @@ Test connectivity from outside the mesh: [source,bash] ---- # Test ingress connectivity -$ curl -s http://$GATEWAY_URL/productpage | grep title +curl -s http://$GATEWAY_URL/productpage | grep title ---- The output should be similar to: @@ -601,7 +603,7 @@ Analyze your current configuration to identify services that need waypoint proxi ---- # Check for existing L7 policies that will need waypoints kubectl get virtualservice,httproute -A -kubectl get authorizationpolicy -A -o yaml | grep -A 10 -B 5 "rules.*methods\|operation" +kubectl get authorizationpolicy -A -o yaml | grep -A 10 -B 5 "rules.*methods\|operation" || true ---- [[step-42-create-waypoint-configurations]] @@ -967,7 +969,7 @@ kubectl get authorizationpolicy -n bookinfo ---- The output should be similar to: -[source,bash,subs="attributes+",name="istio-migrate-from-sidecar-to-ambient"] +[source,bash] ---- NAME ACTION AGE productpage-waypoint ALLOW 18s @@ -979,7 +981,7 @@ reviews-ztunnel-protection DENY 6s **Critical**: Keep existing sidecar policies active until Policy Simplification step. Test that services are still accessible (policies not yet enforced): -[source,bash] +[source,bash,subs="attributes+",name="istio-migrate-from-sidecar-to-ambient"] ---- NAMESPACE="bookinfo" # Replace with your namespace TEST_POD=$(kubectl get pods -n $NAMESPACE -l app=reviews -o jsonpath='{.items[0].metadata.name}') @@ -988,7 +990,7 @@ if [[ "$HTTP_STATUS" == "200" ]]; then echo "PASS: Service connectivity still working" else echo "FAIL: Service connectivity failed: HTTP $HTTP_STATUS" - exit 1 + sleep 1 fi ---- @@ -1380,7 +1382,7 @@ kubectl exec $TEST_POD -n -- curl -v -H "authorization: invalid" htt [source,console] ---- # Check waypoint proxy performance -$ istioctl proxy-config listeners $(kubectl get pod -n -l gateway.networking.k8s.io/gateway-name= -o jsonpath='{.items[0].metadata.name}') -n +istioctl proxy-config listeners $(kubectl get pod -n -l gateway.networking.k8s.io/gateway-name= -o jsonpath='{.items[0].metadata.name}') -n ADDRESSES PORT MATCH DESTINATION 0 ALL Cluster: inbound-vip|9080|http|..svc.cluster.local 0 ALL Cluster: inbound-vip|9080|http|-v3..svc.cluster.local From 19e3a8073a3891caaed58173c540682c5bcd896a Mon Sep 17 00:00:00 2001 From: bmangoen Date: Fri, 24 Apr 2026 11:32:27 +0200 Subject: [PATCH 07/11] Wait until istio-ca-root-cert propagation + fix KinD issue Signed-off-by: bmangoen --- common/scripts/kind_provisioner.sh | 6 ++++++ docs/migrate-from-sidecar-to-ambient/migration.adoc | 8 +++++++- tests/documentation_tests/scripts/prebuilt-func.sh | 2 +- 3 files changed, 14 insertions(+), 2 deletions(-) diff --git a/common/scripts/kind_provisioner.sh b/common/scripts/kind_provisioner.sh index 3a414d7d5..a7ccfecb8 100644 --- a/common/scripts/kind_provisioner.sh +++ b/common/scripts/kind_provisioner.sh @@ -203,6 +203,12 @@ function setup_kind_cluster() { # Workaround kind issue causing taints to not be removed in 1.24 kubectl taint nodes "${NAME}"-control-plane node-role.kubernetes.io/control-plane- 2>/dev/null || true + # Increase inotify limits to prevent "too many open files" errors with ztunnel and ambient mode + # This is needed because ztunnel watches ConfigMaps and the default limits are often too low + echo "Increasing inotify limits on KIND node..." + docker exec "${NAME}"-control-plane sysctl -w fs.inotify.max_user_instances=8192 || true + docker exec "${NAME}"-control-plane sysctl -w fs.inotify.max_user_watches=524288 || true + # Determine what CNI to install case "${KUBERNETES_CNI:-}" in diff --git a/docs/migrate-from-sidecar-to-ambient/migration.adoc b/docs/migrate-from-sidecar-to-ambient/migration.adoc index 952fc2104..74cb08e39 100644 --- a/docs/migrate-from-sidecar-to-ambient/migration.adoc +++ b/docs/migrate-from-sidecar-to-ambient/migration.adoc @@ -460,7 +460,13 @@ Create the ZTunnel namespace and resource: kubectl get namespace ztunnel >/dev/null 2>&1 || kubectl create namespace ztunnel # If you are using discoverySelectors, label the namespace accordingly -kubectl label namespace ztunnel istio-discovery=enabled +kubectl label namespace ztunnel istio.io/rev=default --overwrite + +# Wait for istiod to propagate the CA certificate ConfigMap to the ztunnel namespace +kubectl wait --for=condition=Complete --timeout=120s job/wait-for-configmap -n ztunnel 2>/dev/null || \ + for i in {1..30}; do \ + kubectl get configmap istio-ca-root-cert -n ztunnel >/dev/null 2>&1 && break || sleep 2; \ + done # Apply ZTunnel configuration cat </dev/null 2>&1 || kubectl create namespace "$namespace" - kubectl label namespace "$namespace" istio-injection=enabled + kubectl label namespace "$namespace" istio.io/rev=default kubectl apply -n "$namespace" -f https://raw.githubusercontent.com/istio/istio/"${istio_release_name}"/samples/bookinfo/platform/kube/bookinfo.yaml } From 0ae82c77cbe8224f5af1a171c0b4d9ff16e8b55a Mon Sep 17 00:00:00 2001 From: bmangoen Date: Mon, 27 Apr 2026 15:28:34 +0200 Subject: [PATCH 08/11] Fix authorization policy for tests connectivity Signed-off-by: bmangoen --- .../migration.adoc | 22 ++++++++++++------- 1 file changed, 14 insertions(+), 8 deletions(-) diff --git a/docs/migrate-from-sidecar-to-ambient/migration.adoc b/docs/migrate-from-sidecar-to-ambient/migration.adoc index 74cb08e39..b9c7489e6 100644 --- a/docs/migrate-from-sidecar-to-ambient/migration.adoc +++ b/docs/migrate-from-sidecar-to-ambient/migration.adoc @@ -524,6 +524,7 @@ Note: during the restart, sidecars will be updated to support HBONE while still ifdef::istio-migrate-from-sidecar-to-ambient[] with_retries wait_pods_ready_by_ns "bookinfo" +kubectl get pods -n bookinfo endif::[] [[step-32-validate-hbone-capability]] @@ -534,7 +535,7 @@ Check that sidecars now support HBONE protocol: [source,bash,subs="attributes+",name="istio-migrate-from-sidecar-to-ambient"] ---- # Check for HBONE is enabled in sidecar -kubectl get pod $(kubectl get pods -n bookinfo -l app=ratings -o jsonpath='{.items[0].metadata.name}') -n bookinfo -o yaml | yq '.spec.containers[] | select(.name=="istio-proxy") | .env[] | select(.name=="PROXY_CONFIG")' +kubectl get pod $(kubectl get pods -n bookinfo -l app=ratings -o jsonpath='{.items[0].metadata.name}') -n bookinfo -o yaml | grep -A 2 'name: PROXY_CONFIG' ---- The output should be similar to: @@ -639,6 +640,10 @@ EOF **Important**: Deploying a waypoint does not automatically make workloads use it. You must explicitly configure namespaces, services, or pods to use the waypoint. +ifdef::istio-migrate-from-sidecar-to-ambient[] +with_retries wait_pods_by_label "bookinfo" "gateway.networking.k8s.io/gateway-name=waypoint" +endif::[] + Verify that waypoints are deployed correctly: [source,bash,subs="attributes+",name="istio-migrate-from-sidecar-to-ambient"] ---- @@ -852,7 +857,7 @@ spec: - operation: methods: ["GET", "POST"] --- -# Reviews service authorization - allows traffic from productpage +# Reviews service authorization - allows traffic from productpage, reviews, and ratings apiVersion: security.istio.io/v1 kind: AuthorizationPolicy metadata: @@ -870,6 +875,7 @@ spec: principals: - cluster.local/ns/bookinfo/sa/bookinfo-productpage - cluster.local/ns/bookinfo/sa/bookinfo-reviews + - cluster.local/ns/bookinfo/sa/bookinfo-ratings to: - operation: methods: ["GET"] @@ -1151,16 +1157,16 @@ kubectl rollout restart deployment -n bookinfo Verify sidecars are removed and ambient mode is working: +ifdef::istio-migrate-from-sidecar-to-ambient[] +with_retries wait_pods_ready_by_ns "bookinfo" +endif::[] + [source,bash,subs="attributes+",name="istio-migrate-from-sidecar-to-ambient"] ---- # Verify pods no longer have sidecars containers in the application pods kubectl get pods -n bookinfo ---- -ifdef::istio-migrate-from-sidecar-to-ambient[] -with_retries wait_pods_ready_by_ns "bookinfo" -endif::[] - Checking on Kiali should show traffic flowing through ambient mode. You should see traffic flowing through ztunnel and waypoints instead of sidecars. [[step-93-validate-l7-policy-enforcement]] @@ -1171,7 +1177,7 @@ Test that L7 policies are now enforced through waypoints (L7 policies should wor [source,bash,subs="attributes+",name="istio-migrate-from-sidecar-to-ambient"] ---- # Test authorization policies work through waypoint -kubectl exec -n bookinfo $(kubectl get pods -n bookinfo -l app=ratings -o jsonpath='{.items[0].metadata.name}') -- curl -v http://reviews.bookinfo:9080/reviews/1 +kubectl exec -n bookinfo $(kubectl get pods -n bookinfo -l app=ratings -o jsonpath='{.items[0].metadata.name}') -- curl -s http://reviews.bookinfo:9080/reviews/1 ---- @@ -1185,7 +1191,7 @@ Test the traffic routing through waypoint with header (if HTTPRoute configured): [source,bash,subs="attributes+",name="istio-migrate-from-sidecar-to-ambient"] ---- -kubectl exec -n bookinfo $(kubectl get pods -n bookinfo -l app=ratings -o jsonpath='{.items[0].metadata.name}') -- curl -H "end-user: jason" http://reviews.bookinfo:9080/reviews/1 +kubectl exec -n bookinfo $(kubectl get pods -n bookinfo -l app=ratings -o jsonpath='{.items[0].metadata.name}') -- curl -s -H "end-user: jason" http://reviews.bookinfo:9080/reviews/1 ---- Output should be similar to: From 428092eb5c5214aa735540973d8a83c7f7de2740 Mon Sep 17 00:00:00 2001 From: bmangoen Date: Wed, 6 May 2026 17:29:45 +0200 Subject: [PATCH 09/11] Add wait step at Istio creation Signed-off-by: bmangoen --- common/scripts/kind_provisioner.sh | 6 ------ docs/migrate-from-sidecar-to-ambient/migration.adoc | 2 ++ tests/documentation_tests/scripts/prebuilt-func.sh | 1 + 3 files changed, 3 insertions(+), 6 deletions(-) diff --git a/common/scripts/kind_provisioner.sh b/common/scripts/kind_provisioner.sh index a7ccfecb8..3a414d7d5 100644 --- a/common/scripts/kind_provisioner.sh +++ b/common/scripts/kind_provisioner.sh @@ -203,12 +203,6 @@ function setup_kind_cluster() { # Workaround kind issue causing taints to not be removed in 1.24 kubectl taint nodes "${NAME}"-control-plane node-role.kubernetes.io/control-plane- 2>/dev/null || true - # Increase inotify limits to prevent "too many open files" errors with ztunnel and ambient mode - # This is needed because ztunnel watches ConfigMaps and the default limits are often too low - echo "Increasing inotify limits on KIND node..." - docker exec "${NAME}"-control-plane sysctl -w fs.inotify.max_user_instances=8192 || true - docker exec "${NAME}"-control-plane sysctl -w fs.inotify.max_user_watches=524288 || true - # Determine what CNI to install case "${KUBERNETES_CNI:-}" in diff --git a/docs/migrate-from-sidecar-to-ambient/migration.adoc b/docs/migrate-from-sidecar-to-ambient/migration.adoc index b9c7489e6..f8e8dc366 100644 --- a/docs/migrate-from-sidecar-to-ambient/migration.adoc +++ b/docs/migrate-from-sidecar-to-ambient/migration.adoc @@ -119,6 +119,8 @@ create_default_istio install_bookinfo "{istio_release_name}" create_bookinfo_gateway_api "{istio_release_name}" with_retries wait_pods_ready_by_ns "bookinfo" +echo "Checking if pods have their application container and the Istio sidecar container (READY 2/2):" +kubectl get pods -n "bookinfo" -l app endif::[] [[technical-requirements]] diff --git a/tests/documentation_tests/scripts/prebuilt-func.sh b/tests/documentation_tests/scripts/prebuilt-func.sh index eb4d1fe8a..8aebf6ac2 100644 --- a/tests/documentation_tests/scripts/prebuilt-func.sh +++ b/tests/documentation_tests/scripts/prebuilt-func.sh @@ -337,6 +337,7 @@ metadata: spec: namespace: "$namespace" EOF + with_retries wait_istio_ready "$namespace" } # Deploy Bookinfo application From 2270e608ce9a1fd65d583ccc4ff81325031c4e8d Mon Sep 17 00:00:00 2001 From: bmangoen Date: Wed, 13 May 2026 09:21:52 +0200 Subject: [PATCH 10/11] Fix correct label Signed-off-by: bmangoen --- docs/migrate-from-sidecar-to-ambient/migration.adoc | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/migrate-from-sidecar-to-ambient/migration.adoc b/docs/migrate-from-sidecar-to-ambient/migration.adoc index f8e8dc366..b5ef92014 100644 --- a/docs/migrate-from-sidecar-to-ambient/migration.adoc +++ b/docs/migrate-from-sidecar-to-ambient/migration.adoc @@ -462,7 +462,7 @@ Create the ZTunnel namespace and resource: kubectl get namespace ztunnel >/dev/null 2>&1 || kubectl create namespace ztunnel # If you are using discoverySelectors, label the namespace accordingly -kubectl label namespace ztunnel istio.io/rev=default --overwrite +kubectl label namespace ztunnel istio-discovery=enabled --overwrite # Wait for istiod to propagate the CA certificate ConfigMap to the ztunnel namespace kubectl wait --for=condition=Complete --timeout=120s job/wait-for-configmap -n ztunnel 2>/dev/null || \ From d28f407a3bac27d288f1dd63eb917076cf5c6ba4 Mon Sep 17 00:00:00 2001 From: bmangoen Date: Wed, 13 May 2026 17:49:25 +0200 Subject: [PATCH 11/11] Fix ztunnel authorization policies Signed-off-by: bmangoen --- .../migration.adoc | 16 ++++++++-------- .../documentation_tests/scripts/prebuilt-func.sh | 1 + 2 files changed, 9 insertions(+), 8 deletions(-) diff --git a/docs/migrate-from-sidecar-to-ambient/migration.adoc b/docs/migrate-from-sidecar-to-ambient/migration.adoc index b5ef92014..50238c994 100644 --- a/docs/migrate-from-sidecar-to-ambient/migration.adoc +++ b/docs/migrate-from-sidecar-to-ambient/migration.adoc @@ -952,11 +952,11 @@ spec: - kind: Service group: "" name: productpage - action: DENY + action: ALLOW rules: - - when: - - key: source.workload_name - notValues: ["waypoint"] + - from: + - source: + principals: ["cluster.local/ns/bookinfo/sa/waypoint"] --- apiVersion: security.istio.io/v1 kind: AuthorizationPolicy @@ -968,11 +968,11 @@ spec: - kind: Service group: "" name: reviews - action: DENY + action: ALLOW rules: - - when: - - key: source.workload_name - notValues: ["waypoint"] + - from: + - source: + principals: ["cluster.local/ns/bookinfo/sa/waypoint"] EOF ---- diff --git a/tests/documentation_tests/scripts/prebuilt-func.sh b/tests/documentation_tests/scripts/prebuilt-func.sh index 8aebf6ac2..88d42a92b 100644 --- a/tests/documentation_tests/scripts/prebuilt-func.sh +++ b/tests/documentation_tests/scripts/prebuilt-func.sh @@ -124,6 +124,7 @@ wait_pods_ready_by_ns() { for pod_name in $pod_names; do wait_for_pod_ready "$namespace" "$pod_name" done + sleep 5 } # Wait for all pods that match labels in a namespace to be ready