Table of Contents
...
The services hosted behind Istio service mesh has the sidecar proxy installed with each pod of the service. The communication between these is possible only when the TLS option is set to the "ISTIO_MUTUAL"
In the below diagram,
SERVER - httpbin (If TLS Mode is "SIMPLE", it will accept both traffic for tls and plain text. TLS Mode must be ISTIO_MUTUAL for talking to other istio clients. MUTUAL when talking to other external services) istio service which use different rootca
CLIENTS - sleep (TLS Mode can be "SIMPLE" (for services with no sidecars) or ISTIO_MUTUAL(services with sidecars)). MUTUAL when talking to other external services) or istio service which use different rootca
Diagram
| Drawio | ||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
NOTE - For this scenario, the default mesh wide policy must be set to "PERMISSIVE" on both the clusters. It will not work if the default Mesh Policy is "STRICT"
Important Info - cert-chain.pem is Envoy’s cert that needs to be presented to the other side. key.pem is Envoy’s private key paired with Envoy’s cert in cert-chain.pem. root-cert.pem is the root cert to verify the peer’s cert. In this example, we only have one Citadel in a cluster, so all Envoys have the same root-cert.pem.
Add Inbound service1 01
POST - traffic intent for the inbound service (service hosted behind the cluster)
...
Add Security details for clients of inbound service 01
WARNING - This task requires mutual TLS enabled because the following examples use principal and namespace in the policies
| Code Block | ||||||||
|---|---|---|---|---|---|---|---|---|
| ||||||||
URL: /v2/projects/{project-name}/composite-apps/{composite-app-name}/{version}/traffic-group-intent/uservice-to-uservice-intent/clients/sleep/security/security-intent
{
"metadata": {
"name": "<name>" // unique name for each intent
"description": "Security intent"
"application": "<app1>",
"userdata1": <>,
"userdata2": <>
}
spec:{
serviceAccountAccess : {[ "cluster.local/ns/default/sa/sleep": ["GET": "/status"],
"cluster.local/ns/default/sa/sleep" : ["GET": "/headers"]}
}
}
RETURN STATUS: 201
RETURN BODY:
{
"name": "<name>"
"Message": "Security Rules created"
}
|
...
Add Security details for client 01
WARNING - This task requires mutual TLS enabled because the following examples use principal and namespace in the policies
| Code Block | ||||||||
|---|---|---|---|---|---|---|---|---|
| ||||||||
URL: /v2/projects/{project-name}/composite-apps/{composite-app-name}/{version}/traffic-group-intent/uservice-to-uservice-intent/clients/sleep/security/security-intent
{
"metadata": {
"name": "<name>" // unique name for each intent
"description": "Security intent"
"application": "<app1>",
"userdata1": <>,
"userdata2": <>
}
spec:{
serviceAccountAccess : {[ "cluster.local/ns/default/sa/sleep": ["GET": "/static"],
"cluster.local/ns/default/sa/sleep" : ["GET": "/api/v1/products"]}
}
}
RETURN STATUS: 201
RETURN BODY:
{
"name": "<name>"
"Message": "Security Rules created"
}
|
...
Add Security details for client 02
WARNING - This task requires mutual TLS enabled because the following examples use principal and namespace in the policies
| Code Block | ||||||||
|---|---|---|---|---|---|---|---|---|
| ||||||||
URL: /v2/projects/{project-name}/composite-apps/{composite-app-name}/{version}/traffic-group-intent/uservice-to-uservice-intent/clients/sleep/security/security-intent
{
"metadata": {
"name": "<name>" // unique name for each intent
"description": "Security intent"
"application": "<app1>",
"userdata1": <>,
"userdata2": <>
}
spec:{
serviceAccountAccess : {[ "cluster.local/ns/default/sa/sleep": ["GET": "/api/v1/products"],
"cluster.local/ns/default/sa/sleep" : ["GET": "/static"]}
}
}
RETURN STATUS: 201
RETURN BODY:
{
"name": "<name>"
"Message": "Security Rules created"
}
|
...