Solo.io · Istio Ambient · ztunnel · Waypoints · Gateway API

Demos, deployment patterns and guides for Istio Ambient and the service mesh.

Hands-on demos covering Istio Ambient and service-mesh networking — ztunnel and waypoints, L4 and L7 routing, multicluster connectivity, and zero-trust mTLS identity. Everything runs locally on kind so you can replay it end-to-end.

Disclaimer: Thoughts and ideas here are my own. I'm a new hire at Solo.io and this site is where I collate the notes, findings and musings I pick up as I get up to speed — so expect some inaccuracies as I work through it. Whilst I work at Solo, this is not an official Solo.io website.

MCP Ask this site questions from your AI client — point Claude Code, Claude.ai or Cursor at https://solo-demos-mcp.tom-ed6.workers.dev/mcp. Setup guide →
Agentic Application Lab OSS

Per-team Bedrock cost profiling with application inference profiles, through agentgateway

See Amazon Bedrock LLM usage and cost broken out per team even though every team shares one gateway to Bedrock: one application inference profile per team, one AgentgatewayBackend, per-team tokens from the gateway's gen_ai_request_model metric and per-team dollars from AWS Cost Explorer. A JWT team claim picks each team's profile so no client carries an ARN.

Solo Enterprise for agentgatewayAmazon Bedrock · ConverseApplication inference profilesgen_ai_request_model metrickind
Open the demo
Agentic Application Lab OSS

Claude Code on a non-Anthropic model, through agentgateway

Run Claude Code against a model you run instead of Anthropic's, with the model key held in the cluster and every call gated by identity. Solo Enterprise for agentgateway serves the Anthropic Messages API, translates it to an OpenAI model behind the gateway and translates the reply back, with JWT authentication and a CEL rule in front.

Solo Enterprise for agentgatewayAnthropic ↔ OpenAIEnterpriseAgentgatewayPolicy · JWT + CELAgentgatewayBackend · ai.routeskind
Open the demo
Cloud Connect Application Lab OSS

Shipping request events from kgateway over OpenTelemetry

Meter API usage per customer at the kgateway edge with no backend instrumentation: one ListenerPolicy ships each request as an OpenTelemetry access-log record over OTLP to a collector and into self-hosted OpenMeter, off the request path so metering never slows or breaks live traffic.

OSS kgateway 2.2ListenerPolicy · OTLP access logOpenMeter collectorself-hosted OpenMeterkind
Open the demo
Cloud Connect Application Lab Enterprise

Versioned cluster routing with Solo Enterprise for kgateway

Route every request to the right versioned app cluster and keep those clusters independent, using an out-of-cluster kgateway that picks the target from a client header or a JWT version claim and defaults to latest.

Solo Enterprise for kgatewayGateway API · HTTPRouteout-of-cluster BackendentJWT · claimsToHeaderskind
Open the demo
Cloud Connect Application Lab OSS

Versioned cluster routing with agentgateway (part 2)

Route each request to the right versioned app cluster from a gateway outside them, choosing v2 or latest from an override header or a JWT claim and defaulting to latest, so no client can fake its version. Same lab as part 1, now on the agentgateway Rust data plane.

Solo Enterprise for agentgatewayEnterpriseAgentgatewayPolicyCEL · PreRoutingAgentgatewayBackendkind
Open the demo
Agentic Application Lab Enterprise

AgentRegistry end to end, part 3: one agent, three runtimes, governed MCP tools

Run one published agent unchanged on three runtimes (Solo Enterprise for kagent, AWS Bedrock AgentCore, Google Cloud Vertex), pulling approved MCP tools from the AgentRegistry catalog, then lock down which tools it may call with a kagent AccessPolicy enforced at an agentgateway waypoint and watch its tool list shrink live.

arctl · init / build / applyAgentRegistry · in-clusterRuntime · kagent / AgentCore / GeminiAgentRuntimeAccessPolicy · agentgateway waypointKeycloak · OIDC
Open the demo
Agentic Application Lab Enterprise

AgentRegistry end to end, part 2: one realm, two teams, a policy-partitioned catalog

Give three people three different views of one shared AgentRegistry catalog. Registry OIDC maps each Keycloak group to a role, the catalog goes default-deny, and two AccessPolicy resources partition it per team, with every read and publish denial captured live.

AccessPolicy · ar.dev/v1alpha1registry:read / publishRBAC_ROLE_CLAIM=groupssuperuser · field-adminKeycloak · one realm
Open the demo
Agentic Application Lab Enterprise

AgentRegistry end to end, part 1: arctl from init to an agent hosted on kagent

Take three catalog artifacts (an MCP server, a skill, and an agent) from an arctl init scaffold to a summarizer agent hosted on Solo Enterprise for kagent, reachable only with a valid Keycloak token. One kind cluster runs the whole AgentRegistry lifecycle: scaffold, build, publish, deploy, then invoke live over the OIDC-protected A2A endpoint.

arctl · init / run / build / applyAgentRegistry · ar.dev/v1alpha1Runtime · Kuberneteskagent · BYO Agent + kmcpKeycloak · OIDC · A2A
Open the demo
Agentic Platform Lab Enterprise

Full Solo Enterprise Install deployment

Stand up the whole Solo Enterprise agentic platform on one kind cluster: Keycloak as the single OIDC issuer, Solo for kagent, the Enterprise UI, in-cluster AgentRegistry, and Istio ambient with enterprise agentgateway, all reachable at http://*.localtest.me. Installed product by product in dependency order, with every Helm flag and config note explained.

Istio ambient · Gloo OperatorKeycloak · one OIDC realmkagent + AgentRegistryagentgateway · ingress + waypointOTel · ClickHouse · Tracing
Open the lab
Agentic Application Lab Enterprise

Code mode in agentgateway — one run_code tool instead of a wall of MCP tools

Expose the whole nineteen-operation Swagger petstore through agentgateway as a single run_code tool (toolMode: Code) on kind, then watch a model answer a plain-English question by writing one JavaScript program the gateway runs in a sandbox instead of one MCP call per operation.

agentgateway code modetoolMode: Coderun_codeOpenAPI → TS APIMCP
Open the demo
Agentic Application Lab Enterprise

Running agent frameworks on kagent: ADK, LangGraph, CrewAI and AutoGen

Run one Kubernetes incident-response workflow five ways on a single kind cluster (kagent-native, Google ADK, LangGraph, CrewAI, AutoGen), each on Solo Enterprise for kagent and reaching its model and tools through enterprise agentgateway. All five diagnose a broken checkout Deployment, one prompt guard on the LLM route protects every one, and no agent gets rewritten.

ADK · LangGraph · CrewAI · AutoGenBYO agentskagent adapters + A2A shimLLM + MCP via agentgatewayprompt guard
Open the demo
Agentic Application Lab Enterprise

Agent-to-Agent in kagent — an SRE that delegates DB incidents to a DBA

Stand up two kagent agents on kind and watch an SRE orchestrator delegate a database incident to a DBA specialist over A2A (agent-to-agent message/send), captured live from the cluster. Runs on Solo Enterprise for kagent, so the caller's identity rides into the agent as an exchanged On-Behalf-Of token.

kagent A2Atools[].type: Agenta2aConfig.skillsSRE → DBAOBO identity
Open the demo
Agentic Application Lab OSS

AgentHarness SRE Sandbox — OpenClaw triages and fixes the cluster

Stand up an on-call SRE agent in a sandbox inside your own kind cluster: it triages broken workloads and patches the autofix=true namespace, but hits a real 403 in the namespace without the label and escalates that one to Slack. What it may change is enforced by Kubernetes RBAC, not the prompt (kagent's AgentHarness standing up an OpenClaw sandbox via an OpenShell gateway).

kagent AgentHarnessOpenShell + OpenClawModelConfiglabel-gated RBACSlack escalation
Open the demo
Agentic Application Lab OSS

Inference routing on agentgateway — KV-cache-aware routing to a self-hosted model pool

Route LLM traffic to a self-hosted model pool and let agentgateway pick the replica from the model servers' live load. The HTTPRoute backend is an InferencePool, not a Service, so the Gateway API Inference Extension Endpoint Picker routes on KV-cache usage and queue depth. Two llm-d simulators with pinned gauges flip the routing decision on cue, no GPU. One kind cluster, driven by a notebook.

agentgateway v2.3.4InferencePool v1Endpoint PickerInferenceObjectivellm-d inference sim
Open the demo
Agentic Application Lab OSS

vLLM Semantic Router on agentgateway — model-aware routing as ExtProc

Route every chat request to the right model or LoRA adapter by prompt content, while clients only ever send "model": "auto" to one endpoint. The vLLM Semantic Router runs inline as a gRPC ExtProc on OSS upstream agentgateway, classifies each prompt and rewrites the request body, on a single kind cluster.

OSS agentgatewayAgentgatewayPolicyextProc processingOptionsAgentgatewayBackend ai.providervLLM + LoRA
Open the demo
Agentic Application Lab OSS

AI Data Loss Prevention — built-in regex + custom webhook

Keep PII out of your LLM calls and block prompt injection at the gateway, using Solo Enterprise agentgateway in front of Anthropic Claude with two stacked promptGuard layers (built-in regex plus a custom webhook) on both request and response.

Solo Enterprise AGWEnterpriseAgentgatewayPolicypromptGuard.request + responseGuardrail Webhook APIAnthropic Claude
Open the demo
Agentic Application Lab OSS

Bring your own guardrail — an external AI firewall on the agentgateway webhook

Plug a third-party AI firewall (NeuralTrust GAF) into agentgateway's promptGuard webhook and enforce Pass/Mask/Reject in front of any LLM. The guard is decoupled from the backend, so one adapter protects an Anthropic, OpenAI or Gemini route unchanged.

Solo Enterprise AGWpromptGuard.webhookexternal guardrailNeuralTrust GAFAnthropic Claude
Open the demo
Agentic Application Lab Enterprise

Cost management on agentgateway — budgets, virtual keys and per-team spend

See which team, user or model is spending on LLM calls and cap that spend before it runs away, all priced by agentgateway and enforced by EnterpriseAgentgatewayBudget on one kind cluster.

Solo Enterprise AGWCost ManagementEnterpriseAgentgatewayBudgetvirtual API keysClickHouse
Open the demo
Agentic Application Lab Enterprise

Per-team static key injection — swap a user JWT for a team API key

Give every team its own upstream LLM API key without any user ever holding a credential: agentgateway validates the user's JWT, routes on the verified team claim, and injects that team's static key. Signed-claim selection means a client can't spoof its way onto another team's key.

Solo Enterprise AGWjwtAuthenticationclaim → headerpolicies.auth.secretRefPreRouting
Open the demo
Agentic Application Lab OSS

End-User and Platform Approval Gates for MCP Agents

Put two independent human approval gates on one MCP agent: the end user approves changes to their own data inside the kagent chat, while a platform reviewer approves shared-infrastructure changes from a separate queue the agent never sees.

kagentagentgateway · extAuthMCP · Streamable HTTPLangGraph interrupt()HTMX UI
Open the demo
Agentic Application Lab OSS

Per-User MCP Tool RBAC — same agent, different visible tools

One MCP server hands each caller a different set of tools and hides the rest, filtered at the gateway from the caller's JWT so forbidden tools never reach the LLM.

kagentSolo Enterprise AGWEnterpriseAgentgatewayPolicymcp.authorization · CELJWT · jwt.team
Open the demo
Agentic Application Lab

Per-user MCP RBAC, one Agent on kagent and AgentCore

Ship one ADK-Python agent from a single AgentRegistry record and run it on both in-cluster kagent and AWS Bedrock AgentCore, changing only the runtimeRef. An agentgateway in front of the shared Solo KB MCP gates each request to individual tools by Keycloak group.

AgentRegistry · ar.dev/v1alpha1Runtime · Kagent + BedrockAgentCoreAccessPolicy · targetRef.toolsKeycloak · UserGroup claimADK-Python · Solo KB MCP
Open the demo
Agentic Application Lab OSS

Loop and Runaway Containment at the Gateway — max turns + max tool calls + max chain depth + repetition

Stop a runaway agent at the gateway by enforcing four per-session budgets (max tool calls, max turns, max chain depth, repetition) on MCP tools/call traffic, with every cut-off returning a structured JSON deny the agent can parse.

Solo Enterprise AGWEnterpriseAgentgatewayPolicyext-auth · forwardBodyRedis counterscontrolled cut-offper-session budgets
Open the demo
Agentic Application Lab OSS

Locking Down MCP Tools at the Gateway — approved manifest + risk tiers + chain rules

Only curator-approved tools reach the agent, and every tools/call is checked before it hits the upstream. One curated manifest drives the gateway allow-list, the sanitized tools/list, and a gRPC ext-auth that validates args, gates high-risk tools by JWT intent, and blocks forbidden call chains.

agentregistrySolo Enterprise AGWEnterpriseAgentgatewayPolicyext-auth · forwardBodyJSON SchemaRedis
Open the demo
Agentic Application Lab Enterprise

Per-Team LLM Token Budgets — the gateway caps the spend

Give each team a hard LLM token budget that agentgateway enforces: it reads usage.total_tokens off each response and debits that team's bucket, so an over-budget team gets 429 on its next call while every other team keeps working.

kagentSolo Enterprise AGWRateLimitConfig · type:TOKENEnterpriseAgentgatewayPolicyPrometheus + Grafana
Open the demo
Agentic Application Lab

Rug Pull MCP Hack Demo

A fake retail bank with an AI-powered chatbot driving three kagent agents over A2A, each backed by MCP tool servers fronted by agentgateway. A third-party currency-converter vendor gets rug-pulled mid-prompt and tries to exfiltrate the customer's PII — the mesh catches it at the wire, not the model.

kagentagentgatewayMCP rug-pullDORA Article 17kind
Open the demo
Agentic Application Lab

Agentic / MCP Lab — federation, JWT RBAC, OAuth2 token exchange

Put several MCP servers behind one Ambient enterprise-agentgateway-waypoint, federate them into a single MCP session, and gate every call by SPIFFE identity, MCP tool name, per-user JWT and OAuth2 token exchange. Six labs build it up on the multicluster standup, ending with a cross-cluster twist over HBONE.

MCP federationSPIFFE authzJWT RBACOAuth2 / RFC 8693enterprise-agentgateway-waypoint
Open the lab
Cloud Connect Infra Standup Lab Enterprise

Istio Ingress Gateway & Ambient Multicluster Mesh on Kind

Stand up a working Istio Ambient multicluster mesh on two local kind clusters and see cross-cluster traffic run over mTLS. A mock VM joins the mesh with its own SPIFFE identity, and AuthorizationPolicy controls egress and blocks the VM on identity alone.

kindIstio AmbientztunnelMetalLBmulticlusterVM enrollment
Stand it up
Cloud Connect Infra Standup Lab Enterprise

Solo AgentGateway Ambient Multicluster — Standup

Stand up a two-cluster ambient mesh you can run any cross-cluster or agentic lab on: two kind clusters peered over HBONE, with Solo Enterprise agentgateway v2.3.3 registered as the Gateway API class for both the ingress and the L7 waypoint/egress, Gloo UI optional. No workloads, just the platform the labs that follow build on.

agentgateway v2.3.3Istio Ambient 1.29.2ztunnelGloo UIquick.sh
Stand it up
Cloud Connect Infra Standup Lab

Manual multi-cluster vs Solo Enterprise for Istio management plane

Decide whether to wire a multi-cluster Solo Istio Ambient mesh by hand or run the Solo Enterprise for Istio management plane in front of it, judged on the Day-2 realities that actually cost you: root CA and remote-secret rotation, cluster registration, cross-cluster RBAC, federation, and audit.

decision docSolo Enterprise for IstioDay 2 opscert rotationRBAC
Read the comparison
Cloud Connect Application Lab

Cloud Connectivity Lab — failover, waypoint, egress

Three demos on the multicluster standup. You'll keep an app serving after a whole cluster loses its copy of a service (cross-cluster failover via the global mesh.internal hostname), add L7 routing to traffic that never leaves the mesh (an Ambient waypoint), and allow one workload to reach an external service while denying another on SPIFFE identity (an egress waypoint to httpbin.org).

cross-cluster failoverenterprise-agentgateway-waypointHTTPRouteegressSPIFFE
Open the lab
🔍

No labs match your search or filter.

Optional: short on local resources? See the setup guide for running a kind cluster on a remote Mac and driving it from your laptop — handy when you want more headroom than your day-to-day machine can spare.