Versions Compared

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

Table of Contents

Description: - Connect two HTTPS microservices belonging to stateless applications

...

Important Info - cert-chain.pem is Envoy’s cert that needs to be presented to the other side. key.pem is Envoy’s private key paired with Envoy’s cert in cert-chain.pem. root-cert.pem is the root cert to verify the peer’s cert. In this example, we only have one Citadel in a cluster, so all Envoys have the same root-cert.pem.

Add Inbound service

The intent for this scenario

POST - traffic intent for the inbound service (service hosted behind the cluster)

...

languagejs
themeMidnight
titlePOST
linenumberstrue

...

.

...

Add Clients

POST - traffic intent to add clients for accessing a specific inbound service

Code Block
languagejs
themeMidnight
titlePOST
linenumberstrue
URL: /v2/projects/{project-name}/composite-apps/{composite-app-name}/{version}/traffic-group-intent/uservice-to-uservice-intent/clients
POST BODY:
{
	"metadata": {
	"name": "<name>" // unique name for each intent
    "description": "connectivity intent add client communication"
	"application": "<app1>",
	"userdata1": <>,
	"userdata2": <>
	}

	spec: {
		"clientServiceName": "sleep", // Name of the client service
		"headless": "false", // default is false. Option "True" will generate the required configs for all the instances of headless service
		"mTLS": "DISABLE", // will be the same as that of inbound service, if both are part of same logical cloud
	}
}

RETURN STATUS: 201
RETURN BODY:
{ 
  "name": "sleep"
  "Message": "Client created"
}

Add Security details for clients

WARNING - This task requires mutual TLS enabled because the following examples use principal and namespace in the policies

Code Block
languagejs
themeMidnight
titleGET
linenumberstrue
URL: /v2/projects/{project-name}/composite-apps/{composite-app-name}/{version}/traffic-group-intent/uservice-to-uservice-intent/clients/sleep/security/security-intent
{
	"metadata": {
	"name": "<name>" // unique name for each intent
    "description": "Security intent"
	"application": "<app1>",
	"userdata1": <>,
	"userdata2": <>
	}

	spec:{
	serviceAccountAccess : {[ "cluster.local/ns/default/sa/sleep": ["GET": "/status"],
							  "cluster.local/ns/default/sa/sleep" : ["GET": "/headers"]}
	}
}

RETURN STATUS: 201
RETURN BODY:
{ 
  "name": "<name>"
  "Message": "Security Rules created"
}

Generate Istio object resources

...

  1. sleep 

...

destinationRule for simple TLS, Loadbalancing and circuit breaking

AuthorizationPolicy for Access Control

Cluster01 Resources

1. ServiceEntry - To enable sleep to access nginx
Code Block
languageyml
themeEclipse
titleServiceEntry
linenumberstrue
apiVersion: networking.istio.io/v1alpha3
kind: ServiceEntry
metadata:
  name: servicename-
spec:
  hosts:
  - nginx.default.global
  # template for the remote service name - <servicename.namespace.global>
  # Treat remote cluster services as part of the service mesh
  # as all clusters in the service mesh share the same root of trust.
  location: MESH_INTERNAL
  ports:
  - name: http1
    number: 8000
    protocol: http
  resolution: DNS
  addresses:
  # the IP address to which .<namespace>.<logicalcloudname> will resolve to
  # must be unique for each remote service, within a given cluster.
  # This address need not be routable. Traffic for this IP will be captured
  # by the sidecar and routed appropriately.
  - 240.0.0.2
  endpoints:
  # This is the routable address of the istio ingress gateway in cluster02
  # routed to this address.
  - address: 172.25.55.50
    ports:
      http1: 15443 //Sni. Do not change this

2. DestinationRule for TLS - sleep
Code Block
languageyml
themeEclipse
titleDestinationRule
linenumberstrue
apiVersion: networking.istio.io/v1alpha3
kind: DestinationRule
metadata:
  name: sleep-dr
  namespace: default
spec:
  host: "sleep.default.svc.cluster.local"
  trafficPolicy:
    tls:
      mode: DISABLE

Cluster 02 Resources

1.  DestinationRule for simple TLS, Loadbalancing and circuit breaking -
Code Block
languageyml
themeEclipse
titleDestinationRule
linenumberstrue
apiVersion: networking.istio.io/v1alpha3
kind: DestinationRule
metadata:
  name: -dr
  namespace: default
spec:
  host: ".default.svc.cluster.local"
  trafficPolicy:
    tls:
      mode: DISABLE
    loadbalancer:
      consistentHash:
        httpCookie: "user1"
    connectionPool:
      tcp:
        maxConnections: 10
      http:
        http2MaxRequests: 1000
        maxRequestsPerConnection: 100
    outlierDetection:
      consecutiveErrors: 7
      interval: 5m
      baseEjectionTime: 15m

2.  AuthorizationPolicy

...

languageyml
themeEclipse
titleAuthorizationPolicy
linenumberstrue

...