Okay, great. Thank you so much, Ram and Eric. And we also have Will on the line to help out with the workshop, so really appreciate it. Welcome to Get Started with Istio Service Mesh.
A quick introduction about me. I've been working on Istio for a long time, four-plus years, and recently I joined Solo. So I'm the director of open source with Solo. I wrote a book, Istio Explained, which actually has a lot of similarity with the workshop we're going through today.
A little bit about our company, Solo.io: we were founded in 2017 in the Boston area. Really, what's attracted me to Solo is the tremendous growth of the company and the clear vision laid out by our leadership team. So very amazing growth. We actually just had a new funding round. This was very well-founded and we are also an outperformer in the recent GigaOm report for service mesh. As far as the products we're offering, we offer Gloo Mesh, which is the enhanced Istio service mesh, bringing enterprise Istio, easy for you to consume, in a role-based service mesh model. We also have an API gateway built on top of Envoy, Gloo Edge. Our company is building on open source, with value added for our users. We provide long-term support for Istio and Envoy through our Gloo products.
Today, I'm excited to talk to you about the Istio Foundation badge. This is a badge we've been handing out to many of our students who have gone through the Istio Get Started workshop, and the tests will be sent out towards the end of the workshop. We do require 80% of passing on the test. So if you've gone through the workshop today and you like the workshop, you want to try out the test, and if you pass the test, we will send you a badge like this one. It's an electronic badge and you will get it in a few weeks.
Let's start to talk about the common adoption patterns for Istio.
In our lab one, we're going to teach you about installing Istio, which we won't have time for given the length of the lab, but in lab two, we will be able to experience how you adopt Istio just for the Istio Ingress Gateway. That's the most common scenario for users to adopt Istio. Lab three, we're going to talk about how, by adding the sidecar to your services in the mesh, you immediately gain observability into each of your services running in the mesh. And lab four, we're going to talk about how you secure that communication through mutual TLS, provided by the Istio sidecar for you automatically with a simple policy that you apply, and then we're going to go deeper into understanding how that works within Istio. Lab five, we're going to teach you how you control traffic when you have more than one version of your services. How do you do a canary rollout? How do you do dark launching? So we're going to teach you all that.
With that, I would love to get you started with the lab environment. Will, if you have the link, can you send out the invites to everybody on the chat platform? So I would love you guys to go through the link that Will is going to send out and start to get ready for the environment. So I'd like you guys to go to the link, which will get you access to this page you are seeing. And by the way, if you need to log in, you should be able to log in with your Google ID, I think Twitter and GitHub ID. So one of these IDs will get you logged in. And then once you get logged in, I want you to click on skip to the second lab, Istio Ingress Gateway. So exactly what I'm doing now. So I want you to skip to that lab because it's two minutes of waiting, which is why I want you to get started. So the environment is provided by Instruqt. So essentially we pay for this company to provide a VM for us in a cloud that's closer to you. And then we're going to install Kubernetes onto that VM automatically for you.
And the first lab is going to install Istio for you. Since we're skipping the first lab, you automatically get to the second lab.
Lynn, can you hear me?
Yes.
Can we just give everybody a minute to make sure that everyone has access to the Instruqt link?
Yeah, so I saw the link, I sent it out to the Zoom room.
Yeah, there's no Zoom link, but if you go to the event on the actual CNCF page, then there should be the same place where you're watching the event virtually. That's a good place to get the link.
Yep.
It's also in the ServiceMeshCon Slack channel, if you've got access to that.
Oh, thank you. That's a good one too.
Let's give everybody a couple of minutes to make sure they get the link.
Yeah, so I'm just going to talk as you're getting the links, because the key is that once you get the link, you hit this button to skip to the second lab. And we want you to get familiar with the environment. So a couple of tips for working with the link: don't refresh the browser if you don't need to, because there is actually a refresh button provided by Instruqt. So use that refresh button first before you need to refresh the browser, because the fact that you refresh the browser could reset your context and could bring interesting behavior that you may not want to see. You may see different tabs for each lab. So that's intended, because each lab is very instructed where we want you to follow certain steps. So you may have access to the Grafana tab in one lab, but not in the other lab. So that's normal. You can always click on the check button at the end of each lab just to see how you're doing. That's highly recommended. Just making sure you've done all the steps we recommended for you.
So the lab one, we're going to skip, but essentially I can quickly talk to you about it. What it essentially does is a pre-check command to check if your Kubernetes cluster is good, and it's going to teach you to install Istio using istioctl.
It's going to teach you how to see the different profiles on your system that are available for you to install. And so it's a really simple one. And then does anyone have the environment? I wish we could run a survey quickly to see how many of you have access and have the environment ready. It looks like my Istio trying to skip so.
Just to note that some folks are having to refresh the page to get to that Istio workshop.
Okay, so yeah, so we'll definitely wait a little bit here because I also need an environment too. But the lab we're going to do together is lab two. So this lab is teaching you about adopting Istio by the Istio Ingress Gateway. So you're going to deploy a couple of sample services, and notice we're not going to put sidecars for these services in this lab. And then you're going to config one of the services to expose to the Istio Ingress Gateway. And we're going to configure it to expose on HTTP first, then we're going to expose it on HTTPS.
So a couple of Istio network resources you're going to learn through this lab: one is a gateway resource, which essentially allows you to config load balancer information, such as the port number, you know, the protocol on the gateway, whether you are using terminate or pass through, what your TLS cert keys are. So that's all config in the gateway resource. The second resource you are going to learn is the virtual service resource. It essentially contains the list of routing rules, right? When the traffic arrives on the gateway on this particular port, how you're going to config where to send the traffic next. So that's what the virtual service resource is for. So we're going to deploy both of these.
So this is an interesting diagram I borrowed from router cloud. So it essentially highlights what I was just describing. So the gateway resource configs what URL and port number it is listening to, and the virtual service configs where to send the actual traffic.
And the destination rule configs some of the destination rules that apply, such as circuit breaker, outlier detection. So you can config how your clients reach out to the destination with this destination rule. So for lab two, the example we're going to experience is web API, recommendation and purchase history. And we're going to expose web API to the Istio Ingress Gateway. Hopefully my environment is ready now. Ram, do you know if for people, oh Eric, do you know if people have their environments mostly ready in the room?
We need a couple more minutes, Lynn.
Okay.
And can you tell everyone which lab they should go to?
Yeah, so if you go to lab two, Istio Ingress Gateway, just skip to that lab. So just skip to the first lab, go directly to that lab. Yeah, so click on this one to, yours should be skip to, mine is continue because I'm already part of this lab.
Lynn, it's just going slow for some people. So maybe give it another couple of minutes.
Yeah, sounds good. Yeah, one thing I can do is give you guys a quick overview of each of the labs while we're waiting for the environments. So we talked about lab two, right? The third lab we're going to do is mesh observability, right? So we're going to add services to the mesh incrementally and we're going to check out the benefits Istio brings by adding services to the mesh. You will gain visibility of interactions among your services immediately without you really needing to do anything. So in order to add services to the mesh, we're going to teach you what are the things we want you to check out for: making sure you name your service port, make sure you're not using UID 1337, make sure your pods have a service associated, make sure you label your deployments with app and version. This is for telemetry purposes. So we know these metrics are for this app and version. In this lab, we're going to teach you to use the automatic injector along with the iptables istio-init to set up the iptables.
So it does require you to have NET_ADMIN and NET_RAW privileges. So if you don't have those privileges in your actual Kubernetes environment, we do recommend you check out Istio CNI. So that's the third lab, to gradually add services to the mesh.
So with that, I'm going to get started on lab two. So if you click on that skip button, you should get something like this. Congratulations. You have installed Istio successfully. Let me see where I can move this guy. Okay. So the first thing I want you to do is, please just follow along with me, is, you know, go into the directory where we have the contents for this lab, and we're going to create a namespace called Istio in action. And we're going to deploy the couple of services I was mentioning to you, web API, recommendation, purchase history version one, and the sleep, into Istio in action. So if you get pods on this namespace, you can see everything reaches Running and so it's all good. The next thing we're going to do is config inbound traffic, right? Because these services are in-
Can you zoom in a couple of times?
Okay, thanks.
Pretty small on our side.
Is it good? Better?
A little bit more.
A little bit more, okay. Better?
A little bit more.
Wow, I feel like it's really big on my side.
Yeah, that's much better.
Okay, thanks. That's very helpful. Okay, so you have these services deployed, right? But how do you reach them from outside of your Kubernetes cluster? So we're going to configure inbound traffic for that. So the first thing we're going to do is check out the services we have in istio-system. Remember, during lab one, we installed Istio, which comes with the Istio Ingress Gateway, and because we installed the demo profile, it also actually installed almost everything from the Istio project, including the add-ons such as tracing, Zipkin, Kiali, so everything is available to us. And the Istio Ingress Gateway, you have an external IP associated with that, right?
And we're exporting that out as our gateway IP. We also set up two port numbers, one for 80, one for 443. Now, we're going to look at the gateway resource. Remember, we talked about how the gateway resource is to specify your host and your port number to open up, that the gateway is listening on. And then we're going to review the virtual service resource for the web API, which is bound to the gateway that we just reviewed, the web API gateway. So this is how you bind a virtual service to your gateway. And also the host name matches the host name we specified in our gateway resource. And remember, we talked about how virtual services are really route rules, right? So this configs the routes for HTTP traffic to the actual web API service in the Istio in action namespace on port 8080. So now the question is why is it port 8080, right? So if you look at the get service, you can see the service is listening on port 8080, which is why we forward traffic to 8080 here.
The next thing we're going to do is deploy these resources, the virtual service and the gateway resource we just reviewed, onto our Kubernetes cluster. And now if I curl the Istio in action host with the gateway IP and the ingress port, which is 80, you can see I'm actually reaching out to web API through my Istio Ingress Gateway on port 80 and I'm able to reach out to the service successfully. So that's how you can simply config access to your service from outside of the cluster. If you want to dig a little bit deeper, you can check out the proxy config for the routes. And as you can see, these are the routes we configured earlier for HTTP 80, and it routes to the virtual service that we just defined, which routes to the web API service on port 8080. If you want to see individual routes in a little bit more detail, right? So you can actually see this is the individual route that routes the traffic to this cluster.
By the way, by automatically configuring this to connect to the Istio Ingress Gateway, you actually gain retries, two times, and retries on 503. So these are something Istio provides for you automatically by just connecting your service to the Istio Ingress Gateway.
So we don't want to expose the service just on 80, right? We actually want to expose it more securely. So in order for us to expose it on 443, on the secure port, the first thing we're going to do is create a secret called Istio in action cert. And we're going to use a previewed key and certs from our lab to just create that secret in the istio-system namespace. And now let's take a look at an updated version of the gateway resource we're going to deploy soon. As you can see, we only config 443, not 80, this time, and the same host, and we are configuring a simple TLS using the credential we just created. Let's go ahead and apply this gateway resource. Now we're going to call the web API through the Istio Ingress Gateway using the secure port, which is 443 here. Now everything works, right? 'Cause we tell Istio to open up that port for us for the service.
I have a question for you. What if I go back to call the same thing on port 80? Do you think it's going to work? Yeah, it's not going to work, because in that gateway resource, we only open up port 443. We removed the configuration for port 80. So Istio knows not to allow any traffic on 80.
Congratulations, you have exposed the web API service to the Istio Ingress Gateway, and securely. We're going to explore adding services to the mesh in the next lab. So click on this button here to check if everything is correct, which you can see it is, and it's automatically loading the next challenge for you, which you can click on the stop button. So this is the challenge, lab three, we talked about earlier, adding services to your mesh. Ram, any feedback from the room?
Yeah, I think the room wants you to slow down a little bit.
Okay.
So maybe just give everyone maybe three minutes to catch up.
Yeah, that sounds good.
And then I'll give you the go ahead.
Yeah, please do. In terms of timing, I know I lost track of when we started, because I know there's a break coming to you. I don't know if we're taking the break in the room for the lab. Oh, they want us to just take a shorter break maybe, but catch up and finish on time. Do you know?
Let's plan on taking like a five minute break in between. And then the, so this lab, the part two of this lab is also in this room. There's just a break in between. So yeah, we'll plan on taking a five minute break and then everyone comes back and we'll continue.