...
POST
URL: /v2/project/{project-name}/rb/{rb-name}/{rb-version}/traffic-intent-sets/{trafficset-name}/inboundservice
POST BODY:
{
  "name": "servicehttpbin",                  // unique name for each intent
  "description": "connectivity intent for microservice replication across multiple locations and clusters",
  "inboundservicename": "httpbin01",         // actual name of the inbound service
  "protocol": "HTTP",
  "externalName": "",                        // Optional, default "". Prefix used to expose this service outside the cluster; not needed for the intercluster API, mandatory for external inbound access
  "headless": "false",                       // default false. "true" makes sure all instances of a headless service are reachable by the client service
  "mutualTLS": "MUTUAL",                     // two modes for external clients: SIMPLE or MUTUAL. For inter- and intra-cluster traffic mTLS is enabled by default
  "port": "80",                              // port on which the service is exposed through the service mesh, not the port it actually listens on
  "serviceMesh": "istio",                    // taken from the cluster record
  "loadbalancing": "true",                   // optional
  "inboundServicecertificate": "<serverCertificate.pem>", // the actual server certificate. Optional, default "", required only if mutualTLS is "MUTUAL"
  "inboundServicePrivateKey": "<serverPrivateKey.pem>",   // the actual server private key. Required only if mutualTLS is "MUTUAL"; the stored intent then contains a secret and must be handled as one
  "accessPoints": ["/health", "/status"]     // APIs to be exposed from this inbound service
}
RETURN STATUS: 201
RETURN BODY:
{
  "name": "servicehttpbin",
  "Message": "Inbound service created"
}
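Before a body like the one above is stored in the backend, the constraints stated in its field comments should be enforced by the API handler. The following Go validator is an added example for this page, not code from the multicloud-k8s project: the InboundServiceIntent type, the `external` flag (true for external inbound access, false for the intercluster API) and the placeholder PEM blocks in sampleIntent are assumptions made here. It rejects unknown field names, requires mutualTLS to be SIMPLE or MUTUAL, requires a PEM certificate and a PEM private key when it is MUTUAL, requires externalName for external inbound access, checks that port is a real TCP port and that every access point is an absolute path, and reports all violations at once.

```go
package main

import (
	"bytes"
	"encoding/json"
	"encoding/pem"
	"fmt"
	"strconv"
	"strings"
)

// InboundServiceIntent mirrors the POST body above. The JSON tags are this page's
// field names; the Go type is an assumption made for this example, not project code.
type InboundServiceIntent struct {
	Name                      string   `json:"name"`
	Description               string   `json:"description"`
	InboundServiceName        string   `json:"inboundservicename"`
	Protocol                  string   `json:"protocol"`
	ExternalName              string   `json:"externalName"`
	Headless                  string   `json:"headless"`
	MutualTLS                 string   `json:"mutualTLS"`
	Port                      string   `json:"port"`
	ServiceMesh               string   `json:"serviceMesh"`
	LoadBalancing             string   `json:"loadbalancing"`
	InboundServiceCertificate string   `json:"inboundServicecertificate"`
	InboundServicePrivateKey  string   `json:"inboundServicePrivateKey"`
	AccessPoints              []string `json:"accessPoints"`
}

// pemBlockOfType reports whether s is exactly one PEM block whose type ends in want
// ("PRIVATE KEY" also accepts "RSA PRIVATE KEY" / "EC PRIVATE KEY"). Only the framing
// is checked; parsing the key and matching it to the certificate is left to the
// component that loads them into the mesh.
func pemBlockOfType(s, want string) bool {
	block, rest := pem.Decode([]byte(s))
	return block != nil && strings.HasSuffix(block.Type, want) && len(bytes.TrimSpace(rest)) == 0
}

// ValidateInboundIntent decodes a request body and enforces the rules from the field
// comments above. external is true for external inbound access (externalName is then
// mandatory) and false for the intercluster API. Every violation found is returned.
func ValidateInboundIntent(body []byte, external bool) (*InboundServiceIntent, []error) {
	var in InboundServiceIntent
	dec := json.NewDecoder(bytes.NewReader(body))
	dec.DisallowUnknownFields() // a misspelt field must be rejected, not silently dropped
	if err := dec.Decode(&in); err != nil {
		return nil, []error{fmt.Errorf("malformed body: %w", err)}
	}
	var errs []error
	fail := func(format string, a ...interface{}) { errs = append(errs, fmt.Errorf(format, a...)) }
	if in.Name == "" || in.InboundServiceName == "" {
		fail("name and inboundservicename are required")
	}
	switch in.MutualTLS { // the same mode names Istio uses for a Gateway server TLS block
	case "SIMPLE": // the API requires no server key material for this mode
	case "MUTUAL":
		if !pemBlockOfType(in.InboundServiceCertificate, "CERTIFICATE") {
			fail("mutualTLS=MUTUAL requires inboundServicecertificate to be a PEM CERTIFICATE block")
		}
		if !pemBlockOfType(in.InboundServicePrivateKey, "PRIVATE KEY") {
			fail("mutualTLS=MUTUAL requires inboundServicePrivateKey to be a PEM private key block")
		}
	default:
		fail("mutualTLS must be SIMPLE or MUTUAL, got %q", in.MutualTLS)
	}
	if external && in.ExternalName == "" {
		fail("externalName is mandatory for external inbound access")
	}
	if p, err := strconv.Atoi(in.Port); err != nil || p < 1 || p > 65535 {
		fail("port %q is not a valid TCP port", in.Port)
	}
	for _, ap := range in.AccessPoints { // each exposed API must be an absolute, normalised path
		if !strings.HasPrefix(ap, "/") || strings.Contains(ap, "..") {
			fail("accessPoint %q must be an absolute path without \"..\"", ap)
		}
	}
	if len(errs) > 0 {
		return nil, errs
	}
	return &in, nil
}

// sampleIntent is a constructed request body for this example. The PEM blocks are
// syntactic placeholders (three zero bytes), not real credentials.
const sampleIntent = `{
  "name": "servicehttpbin",
  "description": "connectivity intent for microservice replication across multiple locations and clusters",
  "inboundservicename": "httpbin01",
  "protocol": "HTTP",
  "externalName": "httpbin",
  "headless": "false",
  "mutual TLS": "MUTUAL",
  "port": "80",
  "serviceMesh": "istio",
  "loadbalancing": "true",
  "inboundServicecertificate": "-----BEGIN CERTIFICATE-----\nAAAA\n-----END CERTIFICATE-----\n",
  "inboundServicePrivateKey": "-----BEGIN PRIVATE KEY-----\nAAAA\n-----END PRIVATE KEY-----\n",
  "accessPoints": ["/health", "/status"]
}`

func main() {
	in, errs := ValidateInboundIntent([]byte(sampleIntent), true)
	if len(errs) > 0 {
		fmt.Println("rejected:", errs)
		return
	}
	fmt.Printf("accepted intent %q: exposing %v on %s\n", in.Name, in.AccessPoints, in.InboundServiceName)
}
```

Because the MUTUAL case carries the server's private key in the request body, the handler should never log the body or echo it back in a response; the validator above only inspects the PEM framing and returns nothing but error strings.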
...
GET
URL: /v2/project/{project-name}/rb/{rb-name}/{rb-version}/traffic-intent-sets/{trafficset-name}/inboundservice/servicehttpbin
RETURN STATUS: 200
RETURN BODY:
{
  "name": "servicehttpbin",                  // unique name for each intent
  "description": "connectivity intent for microservice replication across multiple locations and clusters",
  "inboundservicename": "httpbin01",         // actual name of the inbound service
  "protocol": "HTTP",
  "externalName": "",                        // Optional, default "". Prefix used to expose this service outside the cluster; not needed for the intercluster API, mandatory for external inbound access
  "headless": "false",                       // default false. "true" makes sure all instances of a headless service are reachable by the client service
  "mutualTLS": "MUTUAL",                     // two modes for external clients: SIMPLE or MUTUAL. For inter- and intra-cluster traffic mTLS is enabled by default
  "port": "80",                              // port on which the service is exposed through the service mesh, not the port it actually listens on
  "serviceMesh": "istio",                    // taken from the cluster record
  "loadbalancing": "true",                   // optional
  "inboundServicecertificate": "<serverCertificate.pem>", // the actual server certificate. Optional, default "", required only if mutualTLS is "MUTUAL"
  "inboundServicePrivateKey": "<serverPrivateKey.pem>",   // the actual server private key. Required only if mutualTLS is "MUTUAL"
  "accessPoints": ["/health", "/status"]     // APIs to be exposed from this inbound service
}
DELETE
URL: /v2/project/{project-name}/rb/{rb-name}/{rb-version}/traffic-intent-sets/{trafficset-name}/inboundservice/servicehttpbin
RETURN STATUS: 204
POST - with the client details
URL: /v2/project/{project-name}/rb/{rb-name}/{rb-version}/traffic-intent-sets/{trafficset-name}/inboundservice/servicehttpbin/clients
POST BODY:
{
  "name": "servicehttpbin",                  // unique name for each intent
  "description": "connectivity intent for microservice replication across multiple locations and clusters",
  "inboundservicename": "httpbin01",         // actual name of the inbound service
  "protocol": "HTTP",
  "externalName": "",                        // Optional, default "". Prefix used to expose this service outside the cluster; not needed for the intercluster API, mandatory for external inbound access
  "headless": "false",                       // default false. "true" makes sure all instances of a headless service are reachable by the client service
  "mutualTLS": "MUTUAL",                     // two modes for external clients: SIMPLE or MUTUAL. For inter- and intra-cluster traffic mTLS is enabled by default
  "port": "80",                              // port on which the service is exposed through the service mesh, not the port it actually listens on
  "serviceMesh": "istio",                    // taken from the cluster record
  "loadbalancing": "true",                   // optional
  "externalAuthenticationissuer": "",
  "externalAuthenticationjwksURI": "",
  "accessPoints": ["/health", "/status"],    // APIs to be exposed from this inbound service
  "clientService": {
    "clientServiceName": "sleep01",          // if "any", allow all external applications to connect; access is checked at the service-account level
    "headless": "true",                      // default false. "true" generates the required configs for all instances of a headless service
    "egressgateway": "true"                  // Optional, default false. All outbound traffic from this service flows through a dedicated egress gateway
  }
}
RETURN STATUS: 201
RETURN BODY:
{
  "name": "sleep01",
  "Message": "Client created"
}
GET - The Client resource
URL: /v2/project/{project-name}/rb/{rb-name}/{rb-version}/traffic-intent-sets/{trafficset-name}/inboundservice/servicehttpbin/clients/clients01intent
RETURN STATUS: 200
RETURN BODY:
{
  "name": "servicehttpbin",                  // unique name for each intent
  "description": "connectivity intent for microservice replication across multiple locations and clusters",
  "inboundservicename": "httpbin01",         // actual name of the inbound service
  "protocol": "HTTP",
  "externalName": "",                        // Optional, default "". Prefix used to expose this service outside the cluster; not needed for the intercluster API, mandatory for external inbound access
  "headless": "false",                       // default false. "true" makes sure all instances of a headless service are reachable by the client service
  "mutualTLS": "MUTUAL",                     // two modes for external clients: SIMPLE or MUTUAL. For services deployed within a cluster, mTLS is enabled by default
  "port": "80",                              // port on which the service is exposed through the service mesh, not the port it actually listens on
  "serviceMesh": "istio",                    // taken from the cluster record
  "loadbalancing": "true",                   // optional
  "accessPoints": ["/health", "/status"],    // APIs to be exposed from this inbound service
  "clientService": {
    "clientServiceName": "sleep01",          // if "any", allow all external applications to connect; access is checked at the service-account level
    "headless": "true",                      // default false. "true" generates the required configs for all instances of a headless service
    "egressgateway": "true"                  // Optional, default false. All outbound traffic from this service flows through a dedicated egress gateway
  }
}
...
Name of the Cluster | Microservices | Istio objects | Description/comments |
---|
1. Cluster01 | httpbin01 | - serviceentry - "sleep01"
- destinationrules - loadbalancing, mTLS
- virtualservice - "externalName"
- authentication policy - authentication / user verification for intracluster services
- Authentication Policy - external user authentication | |
2. Cluster02 | httpbin02 | - egressgateway - if "true", create service
- destinationrules - direct traffic from service to egressgateway
...
- headless - create virtualservices per instance of headless service | |
NOTE - Call this API only if the services are running in the same cluster. The default authorization policy must have "deny-all" under spec, because all communication between microservices is disabled when Istio is installed; this API then selectively allows only the intended traffic.
POST
URL: /v2/project/{project-name}/rb/{rb-name}/{rb-version}/traffic-intent-sets/{trafficset-name}/intraclusterservice/client01intent
POST BODY:
{
  "name": "johndoe",                         // unique name for each intent
  "description": "connectivity intent for microservice replication across multiple locations and clusters",
  "inboundservicename": "httpbin01",         // actual name of the inbound service
  "protocol": "HTTP",
  "externalName": "",                        // Optional, default "". Not required for "intraclusterservice"
  "headless": "false",                       // default false. "true" makes sure all instances of a headless service are reachable by the client service
  "mutualTLS": "true",                       // Setting this to true creates a dedicated egress gateway for the service "httpbin01" on whichever cluster it runs
  "port": "80",                              // port on which the service is exposed through the service mesh, not the port it actually listens on
  "serviceMesh": "istio",                    // taken from the cluster record
  "loadbalancing": "true",                   // optional
  "externalAuthenticationissuer": "https://accounts.google.com",
  "externalAuthenticationjwksURI": "https://www.googleapis.com/oauth2/v3/certs",
  "clientcertificateDetails": ["<.pem>", "<.key>", "<.pem>"],
  "endpoints": [{"/v2/api/httpin": "kim"}, {"/v2/api/auth": "roger"}], // endpoints of the microservice that are exposed to a specific user group
  "clientService": {
    "clientServiceName": "sleep01",          // if "any", allow all external applications to connect; access is checked at the service-account level
    "headless": "true",                      // default false. "true" generates the required configs for all instances of a headless service
    "egressgateway": "true"                  // Optional, default false. All outbound traffic from this service flows through a dedicated egress gateway
  }
}
RETURN STATUS: 201
RETURN BODY:
{
  "Message": "Intracluster connectivity intent success",
  "description": "Connectivity intent for intra-cluster services"
}
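To make the NOTE above concrete, here is how an intracluster intent could be turned into the Istio objects the table lists for authentication, using Go templates as the implementation notes at the end of the page suggest. This is an added example for this page, not code from the multicloud-k8s project or from admiral: the IntraclusterIntent type, the `app=<inboundservicename>` workload label, the assumption that the client service runs under a service account of the same name, the `groups` JWT claim, and the trimmed sample body are all assumptions made here. It renders a deny-all AuthorizationPolicy (empty spec), a RequestAuthentication built from externalAuthenticationissuer and externalAuthenticationjwksURI, and one ALLOW rule per endpoints entry that admits only the named client workload, carrying a JWT from that issuer, on that path and for that group. Every intent value is rendered through `%q` so a field containing quotes or newlines cannot escape the YAML scalar it is placed in.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strings"
	"text/template"
)

// IntraclusterIntent holds the fields of the intracluster POST body the rendered
// objects need. JSON tags are this page's names; the type is an assumption.
type IntraclusterIntent struct {
	Name               string              `json:"name"`
	InboundServiceName string              `json:"inboundservicename"`
	Issuer             string              `json:"externalAuthenticationissuer"`
	JwksURI            string              `json:"externalAuthenticationjwksURI"`
	Endpoints          []map[string]string `json:"endpoints"` // [{"/path": "group"}, ...]
	ClientService      struct {
		ClientServiceName string `json:"clientServiceName"`
	} `json:"clientService"`
}

type endpointRule struct{ Path, Group string }

type policyData struct {
	IntraclusterIntent
	Namespace string
	Rules     []endpointRule
}

// deny-all first (empty spec), then JWT validation, then one ALLOW rule per endpoint.
var istioTmpl = template.Must(template.New("istio").Parse(`apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata: {name: deny-all}
spec: {}
---
apiVersion: security.istio.io/v1beta1
kind: RequestAuthentication
metadata: {name: {{printf "%q" (print .Name "-jwt")}}}
spec:
  selector: {matchLabels: {app: {{printf "%q" .InboundServiceName}}}}
  jwtRules: [{issuer: {{printf "%q" .Issuer}}, jwksUri: {{printf "%q" .JwksURI}}}]
---
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata: {name: {{printf "%q" .Name}}}
spec:
  selector: {matchLabels: {app: {{printf "%q" .InboundServiceName}}}}
  action: ALLOW
  rules:
{{- range .Rules}}
  - from: [{source: {principals: [{{printf "%q" (print "cluster.local/ns/" $.Namespace "/sa/" $.ClientService.ClientServiceName)}}], requestPrincipals: [{{printf "%q" (print $.Issuer "/*")}}]}}]
    to: [{operation: {paths: [{{printf "%q" .Path}}]}}]
    when: [{key: "request.auth.claims[groups]", values: [{{printf "%q" .Group}}]}]
{{- end}}
`))

// RenderIntraclusterPolicies validates the intent and renders the three objects.
// The workload is assumed to carry app=<inboundservicename> and the client service
// to run as the service account named after it (conventions assumed here).
func RenderIntraclusterPolicies(body []byte, namespace string) (string, error) {
	var in IntraclusterIntent
	if err := json.Unmarshal(body, &in); err != nil {
		return "", fmt.Errorf("malformed intent: %w", err)
	}
	if in.Issuer == "" || in.JwksURI == "" || in.ClientService.ClientServiceName == "" {
		return "", fmt.Errorf("issuer, jwksURI and clientServiceName are required")
	}
	data := policyData{IntraclusterIntent: in, Namespace: namespace}
	for _, ep := range in.Endpoints {
		if len(ep) != 1 { // the body lists one {"path": "group"} object per endpoint
			return "", fmt.Errorf("endpoint entry must map exactly one path: %v", ep)
		}
		for path, group := range ep {
			if !strings.HasPrefix(path, "/") || group == "" {
				return "", fmt.Errorf("endpoint %q -> %q: path must be absolute, group non-empty", path, group)
			}
			data.Rules = append(data.Rules, endpointRule{Path: path, Group: group})
		}
	}
	if len(data.Rules) == 0 { // with deny-all in place an intent without endpoints grants nothing
		return "", fmt.Errorf("intent %q exposes no endpoints", in.Name)
	}
	var sb strings.Builder
	if err := istioTmpl.Execute(&sb, data); err != nil {
		return "", err
	}
	return sb.String(), nil
}

// Constructed sample: the body above trimmed to the fields used here.
const sampleIntracluster = `{
  "name": "johndoe",
  "inboundservicename": "httpbin01",
  "externalAuthenticationissuer": "https://accounts.google.com",
  "externalAuthenticationjwksURI": "https://www.googleapis.com/oauth2/v3/certs",
  "endpoints": [{"/v2/api/httpin": "kim"}, {"/v2/api/auth": "roger"}],
  "clientService": {"clientServiceName": "sleep01"}
}`

func main() {
	out, err := RenderIntraclusterPolicies([]byte(sampleIntracluster), "default")
	if err != nil {
		panic(err)
	}
	fmt.Print(out)
}
```

Istio evaluates an ALLOW policy with no rules as "deny everything to the selected workloads"; the second policy then admits only requests matching one of its rules, which is exactly the "deny by default, allow by intent" behaviour the NOTE describes.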
3. microservice connectivity to an external service intent API - Outbound access
NOTE - These are services whose nature is not known; they are assumed to be reachable through an FQDN.
POST
URL: /v2/project/{project-name}/rb/{rb-name}/{rb-version}/traffic-intent-sets/{trafficset-name}/outboundservice/client01intent
POST BODY:
{
  "name": "johndoe",                         // unique name for each intent
  "description": "connectivity intent for microservice replication across multiple locations and clusters",
  "inboundservicename": "httpbin01",         // actual name of the inbound service
  "protocol": "HTTP",
  "externalName": "",                        // Optional, default "". Not required for outbound access, since the communication is initiated from the inbound service
  "headless": "false",                       // default false. "true" makes sure all instances of a headless service are reachable by the client service
  "mutualTLS": "true",                       // Setting this to true creates a dedicated egress gateway for the service "httpbin01" on whichever cluster it runs
  "port": "80",                              // port on which the service is exposed through the service mesh, not the port it actually listens on
  "serviceMesh": "istio",                    // taken from the cluster record
  "loadbalancing": "true",                   // optional
  "externalAuthenticationissuer": "https://accounts.google.com",
  "externalAuthenticationjwksURI": "https://www.googleapis.com/oauth2/v3/certs",
  "clientcertificateDetails": ["<.pem>", "<.key>", "<.pem>"],
  "user": [""],                              // Not required for outbound access
  "clientService": {
    "clientServiceName": "sleep01.service.com" // Only the FQDN of the service is required
  }
}
RETURN STATUS: 201
RETURN BODY:
{
  "Message": "Outbound connectivity intent creation success",
  "description": "Connectivity intent for the inbound service to connect to external services"
}
...
2. microservice connectivity to an external service intent API - Outbound/Inbound access
NOTE - These are services whose nature is not known; they are assumed to be reachable through an FQDN.
POST
URL: /v2/project/{project-name}/rb/{rb-name}/{rb-version}/traffic-intent-sets/{trafficset-name}/externalservice/mysql/client01intent
POST BODY:
{
  "name": "johndoe",                         // unique name for each intent
  "description": "connectivity intent for microservice replication across multiple locations and clusters",
  "inboundservicename": "mysql",             // actual name of the inbound service
  "protocol": "HTTP",
  "externalName": "",                        // Must be "". Not required, since the communication is defined for inbound access
  "headless": "false",                       // default false. "true" makes sure all instances of a headless service are reachable by the client service
  "mutualTLS": "true",                       // Setting this to true creates a dedicated egress gateway for the inbound service on whichever cluster it runs
  "port": "80",                              // port on which service is exposed through the service mesh, not the port it actually listens on
  "serviceMesh": "istio",                    // taken from the cluster record
  "loadbalancing": "true",                   // optional
  "user": [""],                              // Optional. Restricts which users may access these services
  "inboundServicecertificate": "<serverCertificate.pem>", // the actual server certificate. Optional, default "", required only if mTLS is set to "MUTUAL"
  "inboundServicePrivateKey": "<serverPrivateKey.pem>",   // the actual server private key. Required only if mTLS is "MUTUAL"
  "externalAuthenticationissuer": "https://accounts.google.com",
  "externalAuthenticationjwksURI": "https://www.googleapis.com/oauth2/v3/certs",
  "externalService": {
    "externalServiceName": "cnn.edition.com",   // Only the FQDN of the service is required
    "externalCaCertificate": "<clientCaCert.pem>" // the actual CA certificate the external service's certificate chains to
  }
}
RETURN STATUS: 201
RETURN BODY:
{
  "Message": "Outbound connectivity intent creation success",
  "description": "Connectivity intent for the inbound service to connect to external services"
}
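For the external-service intent above, the controller has to register the FQDN in the mesh and, because the intent carries a CA certificate, make the sidecar originate TLS and verify the server against it. The following Go renderer is an added example for this page, not project code: the ExternalServiceIntent type, the CA mount directory (the controller is assumed to have written the PEM there, which is not shown), the intent protocol being HTTP, and the constructed sample are assumptions made here. It first checks that externalServiceName is a single concrete FQDN (a wildcard would turn the allow-list into "everything") and that the intent name is safe to use as an object name and in a file path, then emits Istio's egress TLS origination pattern: a ServiceEntry for the host, a VirtualService that moves the application's plaintext port to 443, and a DestinationRule with mode SIMPLE, the host as SNI and caCertificates pointing at the CA.

```go
package main

import (
	"encoding/json"
	"encoding/pem"
	"fmt"
	"regexp"
	"strconv"
	"strings"
	"text/template"
)

// Fields of the external-service POST body used here (JSON tags are the page's
// names; the Go type is an assumption made for this example, not project code).
type ExternalServiceIntent struct {
	Name            string `json:"name"`
	Port            string `json:"port"`
	ExternalService struct {
		ExternalServiceName   string `json:"externalServiceName"`
		ExternalCaCertificate string `json:"externalCaCertificate"`
	} `json:"externalService"`
}

// One concrete host only (no wildcard, scheme or port): a "*" host in a ServiceEntry
// would open egress to every destination. The intent name ends up in a file path and
// a Kubernetes object name, so it is restricted as well.
var fqdnRe = regexp.MustCompile(`^([a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}$`)
var nameRe = regexp.MustCompile(`^[a-z0-9]([a-z0-9-]*[a-z0-9])?$`)

// Intent values are rendered with %q so they cannot break out of a YAML scalar.
var egressTmpl = template.Must(template.New("egress").Parse(`apiVersion: networking.istio.io/v1beta1
kind: ServiceEntry
metadata: {name: {{printf "%q" .Name}}}
spec:
  hosts: [{{printf "%q" .Host}}]
  location: MESH_EXTERNAL
  resolution: DNS
  ports:
  - {number: {{.Port}}, name: http-port, protocol: HTTP}
  - {number: 443, name: https-port, protocol: HTTPS}
---
apiVersion: networking.istio.io/v1beta1
kind: VirtualService
metadata: {name: {{printf "%q" .Name}}}
spec:
  hosts: [{{printf "%q" .Host}}]
  http:
  - match: [{port: {{.Port}}}]
    route: [{destination: {host: {{printf "%q" .Host}}, port: {number: 443}}}]
---
apiVersion: networking.istio.io/v1beta1
kind: DestinationRule
metadata: {name: {{printf "%q" .Name}}}
spec:
  host: {{printf "%q" .Host}}
  trafficPolicy:
    portLevelSettings:
    - port: {number: 443}
      tls: {mode: SIMPLE, sni: {{printf "%q" .Host}}, caCertificates: {{printf "%q" .CAPath}}}
`))

// RenderExternalService validates one intent and emits the ServiceEntry (with
// outboundTrafficPolicy REGISTRY_ONLY only registered hosts are reachable), the
// VirtualService and the TLS-originating DestinationRule. caMountDir is where the
// controller is assumed to place the CA PEM for the sidecar.
func RenderExternalService(body []byte, caMountDir string) (string, error) {
	var in ExternalServiceIntent
	if err := json.Unmarshal(body, &in); err != nil {
		return "", fmt.Errorf("malformed intent: %w", err)
	}
	host := in.ExternalService.ExternalServiceName
	port, err := strconv.Atoi(in.Port)
	block, _ := pem.Decode([]byte(in.ExternalService.ExternalCaCertificate))
	switch {
	case !nameRe.MatchString(in.Name):
		return "", fmt.Errorf("name %q is not a valid object name", in.Name)
	case !fqdnRe.MatchString(host):
		return "", fmt.Errorf("externalServiceName %q must be one concrete FQDN", host)
	case err != nil || port < 1 || port > 65535:
		return "", fmt.Errorf("port %q is not a valid TCP port", in.Port)
	case block == nil || block.Type != "CERTIFICATE":
		return "", fmt.Errorf("externalCaCertificate must be a PEM CERTIFICATE block")
	}
	var sb strings.Builder
	err = egressTmpl.Execute(&sb, map[string]interface{}{
		"Name": in.Name, "Host": host, "Port": port, "CAPath": caMountDir + "/" + in.Name + "-ca.pem",
	})
	return sb.String(), err
}

// Constructed sample with the values from the body above; the PEM block is a
// syntactic placeholder, not a real certificate.
const sampleExternal = `{
  "name": "johndoe",
  "inboundservicename": "mysql",
  "protocol": "HTTP",
  "port": "80",
  "externalService": {"externalServiceName": "cnn.edition.com",
    "externalCaCertificate": "-----BEGIN CERTIFICATE-----\nAAAA\n-----END CERTIFICATE-----\n"}
}`

func main() {
	out, err := RenderExternalService([]byte(sampleExternal), "/etc/istio/egress-ca")
	if err != nil {
		panic(err)
	}
	fmt.Print(out)
}
```

The CA check only verifies PEM framing; the sidecar does the real chain validation at connection time, which is why a wrong or missing CA path fails closed rather than open.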
Keywords | Supported fields | Description |
---|
{connectivity-type} | intercluster/intracluster | types in API for {connectivity-type} |
{connectivity-sub-type} | intermicroservice/internalapplication/externalmicroservice | sub-types in API for {connectivity-sub-type} |
name | name of the microservice/application depending on the context | |
...
- go API library - https://github.com/gorilla/mux
- backend - mongo - https://github.com/onap/multicloud-k8s/tree/master/src/k8splugin/internal/db - Reference
- intent to config conversion - use go templates and admiral? https://github.com/istio-ecosystem/admiral
- writing the config to etcd - WIP
- Unit tests and Integration test - go tests
...
Considering RBAC/ABAC
Internal Design details
Guidelines that need to
...
keep in mind
- Support for metrics that can be retrieved by Prometheus
- Support for Jaeger distributed tracing by wrapping HTTP calls with the OpenTracing libraries.
- Support for logging that is understood by fluentd
- Mutual exclusion of database operations (internal modules accessing database records simultaneously, and replicas of the scheduler micro-service doing the same).
- Resilience - ensure that the information returned by controllers is not lost: synchronization of resources to remote edge clouds can take hours or even days when the edge is not up and running, and the scheduler micro-service may restart in the meantime.
- Concurrency - Support multiple operations at a time and even synchronizing resources in various edge clouds in parallel.
- Performance - Avoiding file system operations as much as possible.
...