Istio Service Mesh Workshop
Welcome to the Istio Service Mesh Workshop. This workshop is designed to help you understand, deploy, and manage Istio service mesh in your Kubernetes environment. Through hands-on exercises and detailed explanations, you will learn how to leverage Istio’s powerful features to enhance the security, observability, and reliability of your microservices architecture.
If you prefer not to install oc, kubectl, helm, istioctl, and related tools on your laptop, run the workshop CLI tools image on the cluster. You do not need a local oc client: apply the manifest from the web console (see below). An interactive bash session prints a short list of bundled tools when the shell starts (for example after opening Terminal on the pod and running bash or bash -l if the default shell is sh).
The image build copies the showroom Helm chart into ~/chart so you can run helm upgrade --install from the pod without cloning the git repository; use --set tools.enabled=false when installing from this pod so the chart does not start a second tools Deployment.
Default image (change the tag to match your deployed showroom chart or offline bundle):
ghcr.io/shpwrck/openshift-102-tools:latest
To apply the workload without a local oc client:
- In the OpenShift console, select your Project.
- Click + in the top bar, then Import YAML.
- Paste the manifest below, adjust the image: line if you mirror images, then click Create.
- Go to Workloads → Deployments → openshift-102-workshop-tools, open the Pods tab, select the running pod, then Terminal (or Actions → Debug pod). Run bash or bash -l if you need the interactive bash banner.
The same manifest lives in the repository as deploy/openshift-102-tools-deployment.yaml and is shipped in the offline release tarball.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: openshift-102-workshop-tools
  labels:
    app.kubernetes.io/name: openshift-102-workshop-tools
    app.kubernetes.io/part-of: openshift-102-workshop
spec:
  replicas: 1
  revisionHistoryLimit: 2
  selector:
    matchLabels:
      app.kubernetes.io/name: openshift-102-workshop-tools
  template:
    metadata:
      labels:
        app.kubernetes.io/name: openshift-102-workshop-tools
    spec:
      containers:
        - name: tools
          image: "ghcr.io/shpwrck/openshift-102-tools:latest"
          imagePullPolicy: IfNotPresent
          resources:
            requests:
              cpu: 50m
              memory: 128Mi
            limits:
              cpu: "1"
              memory: 512Mi
The container image CMD keeps the process alive (sleep via the image entrypoint) so the pod stays running until you delete the Deployment. The image includes a small docker CLI shim for Helm OCI exercises (no Docker Engine); manifest operations use skopeo under the hood. For disconnected clusters, mirror the tools image and UBI base listed in the release tarball TOOLS.md and images-mirror.txt.
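For the mirroring step described above, the following shell helper is an added example, not part of the workshop repository: it rewrites the manifest's image: line to a mirror registry with a fixed tag and refuses the floating latest tag. The host registry.example.internal, the tag v0.0.0-example and both function names are assumptions; take the real image list from TOOLS.md and images-mirror.txt.

```shell
#!/bin/sh
# Added example: rewrite the tools manifest for a mirror registry and a fixed tag.
# The mirror host, the tag and both function names are assumptions.

# mirror_ref REF MIRROR TAG -> prints MIRROR/<repository path>:TAG
# Drops the source registry host and any tag or digest already on REF.
mirror_ref() {
  ref=$1; mirror=$2; tag=$3
  if [ -z "$tag" ] || [ "$tag" = latest ]; then
    echo "refusing floating tag '$tag'" >&2
    return 1
  fi
  ref=${ref%@*}                              # strip an @sha256:... digest
  case "${ref%%/*}" in
    *.*|*:*|localhost) path=${ref#*/} ;;     # first component is a registry host
    *)                 path=$ref ;;
  esac
  case "${path##*/}" in
    *:*) path=${path%:*} ;;                  # strip the tag from the last component
  esac
  printf '%s/%s:%s\n' "$mirror" "$path" "$tag"
}

# rewrite_manifest MIRROR TAG < manifest.yaml > patched.yaml
# Rewrites each `image:` key; every other line passes through unchanged.
rewrite_manifest() {
  mirror_host=$1; fixed_tag=$2
  while IFS= read -r line || [ -n "$line" ]; do
    indent=${line%%image:*}
    # An image key is preceded only by indentation or a list dash.
    if [ "$indent" != "$line" ] && [ -z "$(printf '%s' "$indent" | tr -d ' -')" ]; then
      old=$(printf '%s' "${line#*image:}" | tr -d "\"' ")
      new=$(mirror_ref "$old" "$mirror_host" "$fixed_tag") || return 1
      printf '%simage: "%s"\n' "$indent" "$new"
    else
      printf '%s\n' "$line"
    fi
  done
}

# Constructed input: the container fragment of the manifest above.
rewrite_manifest registry.example.internal v0.0.0-example <<'EOF'
        - name: tools
          image: "ghcr.io/shpwrck/openshift-102-tools:latest"
          imagePullPolicy: IfNotPresent
EOF
```

To patch the real file, redirect deploy/openshift-102-tools-deployment.yaml into rewrite_manifest and paste the output into Import YAML.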
Prerequisites
This workshop assumes the following:
- Basic understanding of Kubernetes concepts (pods, services, deployments)
- Familiarity with containerization and microservices architecture
- Access to a Kubernetes cluster
- Command-line experience with oc (OpenShift CLI)
If you are new to service meshes or Istio, we recommend reviewing the official Istio documentation before proceeding.
Workshop Structure
This workshop is divided into four modules:
- Module 1: Overview - Introduction to Istio, Envoy, and sidecar architecture. Learn about the benefits of Istio, the strengths of Envoy proxy, and the basics of sidecar architecture. Hands-on exercises cover enabling sidecar injection and configuring mutual TLS (mTLS).
- Module 2: Traffic Management - Learn how traffic enters the mesh through Gateways and how VirtualServices route traffic within the mesh. Exercises include creating Gateways, implementing path-based routing, weighted traffic splitting for canary deployments, and combining Gateways with VirtualServices.
- Module 3: Advanced Traffic Management and Security - Explore advanced DestinationRule features including load balancing, failover, and circuit breaking. Learn how to implement request authentication with JWT and create authorization policies for fine-grained access control.
- Module 4: Observability - Understand how Istio provides metrics, traces, and logs in standard formats. Learn to access Envoy metrics and logs directly from sidecar proxies, and explore observability data using built-in Istio tools without external dependencies.
Learning Objectives
After completing this workshop, you will be able to:
- Understand the core concepts and benefits of service mesh technology, including Istio and Envoy
- Enable sidecar injection and configure mutual TLS (mTLS) for secure service-to-service communication
- Create and configure Gateways to manage external traffic entry points
- Implement VirtualServices for sophisticated traffic routing, including path-based routing and weighted traffic splitting
- Configure DestinationRules for load balancing, failover, and circuit breaking
- Implement request authentication and authorization policies to secure your services
- Access and analyze metrics and logs directly from Envoy sidecar proxies
- Use Istio’s built-in observability features to monitor and troubleshoot your service mesh
- Troubleshoot common issues and optimize Istio configurations