🤖 Agentic Labs
Rug Pull MCP Hack Demo
A fake retail bank with an AI-powered chatbot driving three kagent agents over A2A, each backed by MCP tool servers fronted by agentgateway. A third-party currency-converter vendor gets rug-pulled mid-prompt and tries to exfiltrate the customer's PII — the mesh catches it at the wire, not the model.
kagent, agentgateway, MCP rug-pull, DORA Article 17, kind
Agentic / MCP Lab — federation, JWT RBAC, OAuth2 token exchange
Multi-MCP servers behind an Ambient waypoint, federated as one MCP session. Policy layered: SPIFFE workload identity → MCP tool scoping → JWT per-user RBAC → RFC 8693 OAuth2 token exchange. Ports the rvennam AgentGateway Waypoint Workshop onto the multicluster standup, with a multicluster bonus federating orders-mcp from west-ag.
MCP federation, SPIFFE authz, JWT RBAC, OAuth2 / RFC 8693, enterprise-agentgateway-waypoint
🌐 Cloud Connectivity Labs
Istio Ingress Gateway & Ambient Multicluster Mesh on Kind
Two kind clusters (east + west) running Istio Ambient with HBONE cross-cluster traffic, shared root CA, and MetalLB LoadBalancer IPs — no cloud account needed. Adapts Ram Vennam's ambient-multicluster-workshop for local laptops.
kind, Istio Ambient, ztunnel, MetalLB, multicluster
Solo AgentGateway Ambient Multicluster — Standup
Platform standup: two kind clusters peered over HBONE, Solo Enterprise agentgateway v2.3.3 as the ingress, Gloo UI optional. Foundation for the two labs that build on top — no demo content here, just the infra to run them on.
agentgateway v2.3.3, Istio Ambient 1.29.2, ztunnel, Gloo UI, quick.sh
Manual multi-cluster vs Solo Enterprise for Istio management plane
A decision document — same data plane, very different operator experience. Walks through bootstrap, cert rotation, credential rotation, federation, RBAC, and audit on both paths so you can pick the right one for production.
decision doc, Solo Enterprise for Istio, Day 2 ops, cert rotation, RBAC
Cloud Connectivity Lab — failover, waypoint, egress
Three labs that build on the standup: cross-cluster mesh-layer failover via the synthetic global VIP, in-cluster L7 reviews routing through an Ambient waypoint, and egress traffic control with SPIFFE-identity authz to httpbin.org.
cross-cluster failover, enterprise-agentgateway-waypoint, HTTPRoute, egress, SPIFFE
📖 Knowledge Base & Musings
kgateway vs Istio Ingress Gateway — a decision page
Three-way comparison (NGINX Ingress / Istio Ingress Gateway / kgateway) with the pain points from leaving NGINX, the throughput + control-plane numbers from Howard John's bench, the kgateway-edge + Ambient-east-west two-layer architecture, and per-topic answers on Frontegg OIDC, per-tenant + per-endpoint rate limiting, dynamic config, install / upgrades at fleet scale, and a deliberate pricing note.
kgateway, Istio Ambient, Gateway API, Frontegg · OIDC, fleet-scale
istiod → ztunnel + waypoint — xDS on Istio Ambient
One istiod, one ADS gRPC stream on :15012, two different consumers: ztunnel takes Istio-specific WDS + WADS, the waypoint takes regular Envoy xDS. With proto fields, a sample delta push, ztunnel's in-memory WorkloadStore snapshot, and a side-by-side of OSS multicluster (RemoteSecret) vs Solo Enterprise (Gloo mgmt-server relay).
xDS · ADS, WDS · WADS, ztunnel state, Envoy xDS, multicluster
JWT claims to HTTP headers — verified-claim routing on kgateway
claimsToHeaders on a kgateway AuthConfig lifts verified JWT claims into request headers after the JWKS signature check. From that point on HTTPRoute matches, rate-limit descriptors and your app code key off x-tenant-id with no JWT parsing — and trust it because the gateway only wrote it post-verification.
claimsToHeaders, AuthConfig, JWKS, EnterpriseKgatewayTrafficPolicy, x-tenant-id
JWT, OIDC and on-behalf-of — auth flows in Istio Ambient
JWT validation (RequestAuthentication), claims-based authorization, OIDC login at the gateway, and RFC 8693 token exchange / on-behalf-of (Solo Enterprise + agentgateway). With copy-paste YAML, an OSS-vs-Solo comparison table, and docs.solo.io citations.
JWT, OIDC, RequestAuthentication, token exchange, Solo ext-authz
Trust & identity — from RootTrustPolicy to an mTLS handshake
Trace a SPIFFE workload identity from an offline root (cert-manager, Vault or BYO Secret) through RootTrustPolicy, the Gloo mgmt-server, istiod-gloo in each cluster, and finally into a ztunnel mTLS handshake on HBONE.
RootTrustPolicy, SPIFFE, cert-manager, Vault, cross-cluster mTLS
Gateway API on Istio Ambient — what attaches to what
The same Gateway kind, three very different deployments: edge ingress (gatewayClassName: istio), in-mesh waypoint (istio-waypoint), and east-west (istio-eastwest). Map of which kind attaches where, HTTPRoute vs VirtualService, and a full reference table.
Gateway API, HTTPRoute, waypoint, ingress, east-west
HBONE + east-west — cross-cluster packet flow
Trace a single TCP packet from a pod in cluster-east to a service in cluster-west, hop by hop. ztunnel wraps it, the destination cluster's east-west gateway on :15008 SNI-routes it, and the remote ztunnel unwraps and delivers.
HBONE, ztunnel, east-west gateway, SPIFFE, multi-network
Gloo Operator — deploy Istio Ambient across N clusters
A visual one-pager: SVG showing the operator reconciling IstioLifecycleManager, GatewayLifecycleManager, RootTrustPolicy and friends across three workload clusters. Expandable YAML per CRD and a full reference table.
Gloo Operator, multi-cluster, Istio Ambient, RootTrustPolicy, lifecycle CRDs
kagent CRDs — a visual map
A one-page visual reference: SVG showing how the kagent controller reconciles every kagent.dev CRD into pods that speak A2A and MCP, with the Solo Enterprise AccessPolicy and KubernetesCluster additions wrapped around it. OSS-vs-Enterprise split, copy-paste YAML per kind, full reference table.
kagent, kagent-enterprise, A2A, MCP, AccessPolicy
agentregistry CRDs — a visual map
A one-page visual reference: SVG showing how the agentregistry control plane reconciles the six ar.dev/v1alpha1 kinds onto Local docker-compose and kagent-equipped Kubernetes runtimes via DeploymentAdapter. OSS-vs-Enterprise split, copy-paste YAML per kind, and a reference table.
agentregistry, arctl · /v0/apply, agentgateway, kagent, AWS AgentCore
Istio Ambient CRDs — a visual map
A one-page visual reference: SVG diagram showing how istiod consumes every Istio Ambient CRD and programs ztunnel, waypoint and istio-cni. Expandable YAML examples per group and a full reference table.
Istio Ambient, Gateway API, ztunnel, waypoint, CRDs
Istio Ambient Metrics & Alerting
Field reference for every useful Prometheus metric from istiod-gloo — WDS, WADS, multi-cluster connectivity, cert expiry, xDS sync health, and the "waiting for sync" failure mode. Includes ready-to-paste PrometheusRule alert YAML.
Prometheus, AlertManager, istiod · :15014, WDS · WADS, PrometheusRule
🔗 Resources & Links