Description:
- Connect two HTTPS microservices belonging to stateless applications
...
Important Info - cert-chain.pem is Envoy's cert that needs to be presented to the other side. key.pem is Envoy's private key paired with Envoy's cert in cert-chain.pem. root-cert.pem is the root cert used to verify the peer's cert. In this example, we only have one Citadel in a cluster, so all Envoys have the same root-cert.pem.
Add Inbound service
The intent for this scenario
POST - traffic intent for the inbound service (service hosted behind the cluster)
...
Add Clients
POST - traffic intent to add clients for accessing a specific inbound service
```
URL: /v2/projects/{project-name}/composite-apps/{composite-app-name}/{version}/traffic-group-intent/uservice-to-uservice-intent/clients
POST BODY:
{
  "metadata": {
    "name": "<name>",                // unique name for each intent
    "description": "connectivity intent add client communication",
    "application": "<app1>",
    "userdata1": <>,
    "userdata2": <>
  },
  "spec": {
    "clientServiceName": "sleep",    // name of the client service
    "headless": "false",             // default is false; "true" generates the required configs for all instances of a headless service
    "mTLS": "DISABLE"                // will be the same as that of the inbound service if both are part of the same logical cloud
  }
}
RETURN STATUS: 201
RETURN BODY:
{
  "name": "sleep",
  "Message": "Client created"
}
```
Add Security details for clients
WARNING - This task requires mutual TLS to be enabled, because the following examples use principal and namespace in the policies.
```
URL: /v2/projects/{project-name}/composite-apps/{composite-app-name}/{version}/traffic-group-intent/uservice-to-uservice-intent/clients/sleep/security/security-intent
{
  "metadata": {
    "name": "<name>",                // unique name for each intent
    "description": "Security intent",
    "application": "<app1>",
    "userdata1": <>,
    "userdata2": <>
  },
  "spec": {
    // client service-account principal -> list of allowed method/path pairs
    "serviceAccountAccess": {
      "cluster.local/ns/default/sa/sleep": [
        {"GET": "/status"},
        {"GET": "/headers"}
      ]
    }
  }
}
RETURN STATUS: 201
RETURN BODY:
{
  "name": "<name>",
  "Message": "Security Rules created"
}
```
Generate Istio object resources
...
- sleep
...
- DestinationRule for simple TLS, load balancing and circuit breaking
- AuthorizationPolicy for access control
Cluster01 Resources
1. ServiceEntry - To enable sleep to access nginx
```yaml
apiVersion: networking.istio.io/v1alpha3
kind: ServiceEntry
metadata:
  name: servicename-
spec:
  hosts:
  # template for the remote service name - <servicename.namespace.global>
  - nginx.default.global
  # Treat remote cluster services as part of the service mesh
  # as all clusters in the service mesh share the same root of trust.
  location: MESH_INTERNAL
  ports:
  - name: http1
    number: 8000
    protocol: http
  resolution: DNS
  addresses:
  # the IP address to which .<namespace>.<logicalcloudname> will resolve to
  # must be unique for each remote service, within a given cluster.
  # This address need not be routable. Traffic for this IP will be captured
  # by the sidecar and routed appropriately.
  - 240.0.0.2
  endpoints:
  # This is the routable address of the istio ingress gateway in cluster02;
  # traffic from the sidecar is routed to this address.
  - address: 172.25.55.50
    ports:
      http1: 15443   # SNI port of the ingress gateway. Do not change this
```
2. DestinationRule for TLS - sleep
```yaml
apiVersion: networking.istio.io/v1alpha3
kind: DestinationRule
metadata:
  name: sleep-dr
  namespace: default
spec:
  host: "sleep.default.svc.cluster.local"
  trafficPolicy:
    tls:
      mode: DISABLE
```
Cluster 02 Resources
1. DestinationRule for simple TLS, Loadbalancing and circuit breaking -
```yaml
apiVersion: networking.istio.io/v1alpha3
kind: DestinationRule
metadata:
  name: -dr
  namespace: default
spec:
  host: ".default.svc.cluster.local"
  trafficPolicy:
    tls:
      mode: DISABLE
    loadBalancer:             # Istio field name is camel-cased
      consistentHash:
        httpCookie:           # httpCookie is an object; name is required
          name: user1
    connectionPool:
      tcp:
        maxConnections: 10
      http:
        http2MaxRequests: 1000
        maxRequestsPerConnection: 100
    outlierDetection:
      consecutiveErrors: 7
      interval: 5m
      baseEjectionTime: 15m
```
2. AuthorizationPolicy
...
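As an added example (not the page's or the project's own code), the following Python renders the security intent's serviceAccountAccess map from the "Add Security details for clients" step into the AuthorizationPolicy this step generates; the inbound service name, its `app` label selector and the policy name are assumptions.

```python
# Added example (not the page's or the project's code): render the security
# intent's serviceAccountAccess map as an Istio AuthorizationPolicy.
# Assumptions: the intent shape shown above (principal -> list of
# {METHOD: path}), and that the inbound service's pods carry an `app` label.

# Constructed sample intent mirroring the security-intent POST body above.
SAMPLE_INTENT = {
    "metadata": {"name": "sleep-security", "description": "Security intent"},
    "spec": {
        "serviceAccountAccess": {
            "cluster.local/ns/default/sa/sleep": [
                {"GET": "/status"},
                {"GET": "/headers"},
            ]
        }
    },
}

def intent_to_authz_policy(intent, inbound_service, namespace="default"):
    """Build an ALLOW policy with one rule per client principal.

    The principal is the SPIFFE identity Istio reads from the client's
    mTLS certificate, so these rules only take effect with mutual TLS.
    Each method/path pair stays its own `to` entry: listing several
    methods and paths inside one `operation` would cross-product them
    and grant more than the intent asked for.
    """
    access = intent["spec"]["serviceAccountAccess"]
    rules = []
    for principal, ops in sorted(access.items()):
        if not principal.startswith("cluster.local/ns/"):
            raise ValueError(f"unexpected principal: {principal}")
        to = [{"operation": {"methods": [m.upper()], "paths": [p]}}
              for op in ops for m, p in op.items()]
        if not to:  # an empty `to` would allow every operation
            raise ValueError(f"no operations listed for {principal}")
        rules.append({"from": [{"source": {"principals": [principal]}}],
                      "to": to})
    return {
        "apiVersion": "security.istio.io/v1beta1",
        "kind": "AuthorizationPolicy",
        "metadata": {"name": f"{inbound_service}-authz", "namespace": namespace},
        "spec": {
            # With action ALLOW, any request matching no rule is denied.
            "selector": {"matchLabels": {"app": inbound_service}},
            "action": "ALLOW",
            "rules": rules,
        },
    }
```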