Versions Compared

Old Version 6

changes.mady.by.user Pramod Raghavendra Jayathirth (Deactivated)

Saved on

compared with

New Version 7

changes.mady.by.user Pramod Raghavendra Jayathirth (Deactivated)

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

Table of Contents

...

Important Info - cert-chain.pem is Envoy’s cert that needs to be presented to the other side. key.pem is Envoy’s private key paired with Envoy’s cert in cert-chain.pem. root-cert.pem is the root cert to verify the peer’s cert. In this example, we only have one Citadel in a cluster, so all Envoys have the same root-cert.pem.

Add Inbound service1 01

POST - traffic intent for the inbound service (service hosted behind the cluster)

...

Add Security details for clients of inbound service 01

WARNING - This task requires mutual TLS enabled because the following examples use principal and namespace in the policies

Code Block
languagejs
themeMidnight
titleGET
linenumberstrue
URL: /v2/projects/{project-name}/composite-apps/{composite-app-name}/{version}/traffic-group-intent/uservice-to-uservice-intent/clients/sleep/security/security-intent
{
	"metadata": {
	"name": "<name>" // unique name for each intent
    "description": "Security intent"
	"application": "<app1>",
	"userdata1": <>,
	"userdata2": <>
	}

	spec:{
	serviceAccountAccess : {[ "cluster.local/ns/default/sa/sleep": ["GET": "/status"],
							  "cluster.local/ns/default/sa/sleep" : ["GET": "/headers"]}
	}
}

RETURN STATUS: 201
RETURN BODY:
{ 
  "name": "<name>"
  "Message": "Security Rules created"
}

...

Add Security details for client 01

WARNING - This task requires mutual TLS enabled because the following examples use principal and namespace in the policies

Code Block
languagejs
themeMidnight
titleGET
linenumberstrue
URL: /v2/projects/{project-name}/composite-apps/{composite-app-name}/{version}/traffic-group-intent/uservice-to-uservice-intent/clients/sleep/security/security-intent
{
	"metadata": {
	"name": "<name>" // unique name for each intent
    "description": "Security intent"
	"application": "<app1>",
	"userdata1": <>,
	"userdata2": <>
	}

	spec:{
	serviceAccountAccess : {[ "cluster.local/ns/default/sa/sleep": ["GET": "/static"],
							  "cluster.local/ns/default/sa/sleep" : ["GET": "/api/v1/products"]}
	}
}

RETURN STATUS: 201
RETURN BODY:
{ 
  "name": "<name>"
  "Message": "Security Rules created"
}

...

Add Security details for client 02

WARNING - This task requires mutual TLS enabled because the following examples use principal and namespace in the policies

Code Block
languagejs
themeMidnight
titleGET
linenumberstrue
URL: /v2/projects/{project-name}/composite-apps/{composite-app-name}/{version}/traffic-group-intent/uservice-to-uservice-intent/clients/sleep/security/security-intent
{
	"metadata": {
	"name": "<name>" // unique name for each intent
    "description": "Security intent"
	"application": "<app1>",
	"userdata1": <>,
	"userdata2": <>
	}

	spec:{
	serviceAccountAccess : {[ "cluster.local/ns/default/sa/sleep": ["GET": "/api/v1/products"],
							  "cluster.local/ns/default/sa/sleep" : ["GET": "/static"]}
	}
}

RETURN STATUS: 201
RETURN BODY:
{ 
  "name": "<name>"
  "Message": "Security Rules created"
}

...

Name of the ClusterMicroserviceIstio ConfigurationComments
Cluster01
  1. sleep 


MicroserviceLogicalcloud01Logicalcloud02
Common access for httpbinserviceEntry (httpbin)
sleepdestinationRule
bookinfo-productpage
AuthorizationPolicy, destinationRule 



Cluster02httpbin


MicroserviceLogicalcloud01Logicalcloud02
common access for bookinfo-productpageserviceEntry
bookinfo-userdestinationRule
sleepdestinationRule



Cluster01 Resources

1. ServiceEntry - To enable access to httpbin

...