...
Important Info - cert-chain.pem is Envoy’s cert that needs to be presented to the other side. key.pem is Envoy’s private key paired with Envoy’s cert in cert-chain.pem. root-cert.pem is the root cert to verify the peer’s cert. In this example, we only have one Citadel in a cluster, so all Envoys have the same root-cert.pem.
Add Inbound service 01
POST - traffic intent for the inbound service (service hosted behind the cluster)
...
Add Security detail for a client of inbound service 01
WARNING - This task requires mutual TLS enabled because the following examples use principal and namespace in the policies
| Code Block |
|---|
| language | js |
|---|
| theme | Midnight |
|---|
| title | GET |
|---|
| linenumbers | true |
|---|
|
URL: /v2/projects/{project-name}/composite-apps/{composite-app-name}/{version}/traffic-group-intent/uservice-to-uservice-intent/clients/sleep/security/security-intent
{
"metadata": {
"name": "<name>" // unique name for each intent
"description": "Security intent"
"application": "<app1>",
"userdata1": <>,
"userdata2": <>
}
spec:{
serviceAccountAccess : {[ "cluster.local/ns/default/sa/sleep": ["GET": "/status"]} // {istioobject - authorizationPolicy, will be applied for the inbound service}
}
}
RETURN STATUS: 201
RETURN BODY:
{
"name": "<name>"
"Message": "Security Rule created"
}
|
Add another Security detail for a client of inbound service 01
WARNING - This task requires mutual TLS enabled because the following examples use principal and namespace in the policies
| Code Block |
|---|
| language | js |
|---|
| theme | Midnight |
|---|
| title | GET |
|---|
| linenumbers | true |
|---|
|
URL: /v2/projects/{project-name}/composite-apps/{composite-app-name}/{version}/traffic-group-intent/uservice-to-uservice-intent/clients/sleep/security/security-intent
{
"metadata": {
"name": "<name>" // unique name for each intent
"description": "Security intent"
"application": "<app1>",
"userdata1": <>,
"userdata2": <>
}
spec:{
serviceAccountAccess : {"cluster.local/ns/default/sa/sleep" : ["GET": "/headers"]} // {istioobject - authorizationPolicy, will be applied for the inbound service}
}
}
RETURN STATUS: 201
RETURN BODY:
{
"name": "<name>"
"Message": "Security Rule created"
}
|
...
Add Security detail 01 for client 01
WARNING - This task requires mutual TLS enabled because the following examples use principal and namespace in the policies
| Code Block |
|---|
| language | js |
|---|
| theme | Midnight |
|---|
| title | GET |
|---|
| linenumbers | true |
|---|
|
URL: /v2/projects/{project-name}/composite-apps/{composite-app-name}/{version}/traffic-group-intent/uservice-to-uservice-intent/clients/sleep/security/security-intent
{
"metadata": {
"name": "<name>" // unique name for each intent
"description": "Security intent"
"application": "<app1>",
"userdata1": <>,
"userdata2": <>
}
spec:{
serviceAccountAccess : {"cluster.local/ns/default/sa/sleep": {"GET": "/static"}} // {istioobject - authorizationPolicy, will be applied for the inbound service}
}
}
RETURN STATUS: 201
RETURN BODY:
{
"name": "<name>"
"Message": "Security Rule created"
}
|
Add Security detail 02 for client 01
WARNING - This task requires mutual TLS enabled because the following examples use principal and namespace in the policies
| Code Block |
|---|
| language | js |
|---|
| theme | Midnight |
|---|
| title | GET |
|---|
| linenumbers | true |
|---|
|
URL: /v2/projects/{project-name}/composite-apps/{composite-app-name}/{version}/traffic-group-intent/uservice-to-uservice-intent/clients/sleep/security/security-intent
{
"metadata": {
"name": "<name>" // unique name for each intent
"description": "Security intent"
"application": "<app1>",
"userdata1": <>,
"userdata2": <>
}
spec:{
serviceAccountAccess : {"cluster.local/ns/default/sa/sleep" : {"GET": "/api/v1/products"}} // {istioobject - authorizationPolicy, will be applied for the inbound service}
}
}
RETURN STATUS: 201
RETURN BODY:
{
"name": "<name>"
"Message": "Security Rule created"
}
|
...
Add Security details for client 02
WARNING - This task requires mutual TLS enabled because the following examples use principal and namespace in the policies
| Code Block |
|---|
| language | js |
|---|
| theme | Midnight |
|---|
| title | GET |
|---|
| linenumbers | true |
|---|
|
URL: /v2/projects/{project-name}/composite-apps/{composite-app-name}/{version}/traffic-group-intent/uservice-to-uservice-intent/clients/sleep/security/security-intent
{
"metadata": {
"name": "<name>" // unique name for each intent
"description": "Security intent"
"application": "<app1>",
"userdata1": <>,
"userdata2": <>
}
spec:{
serviceAccountAccess : {"cluster.local/ns/default/sa/sleep": {"GET": "/api/v1/products"}}, // {istioobject - authorizationPolicy, will be applied for the inbound service}
}
}
RETURN STATUS: 201
RETURN BODY:
{
"name": "<name>"
"Message": "Security Rule created"
}
|
...
| Name of the Cluster | Microservice | Istio Configuration | Comments |
|---|
| Cluster01 | - sleep
|
|
| Microservice | Logicalcloud01 | Logicalcloud02 |
|---|
| Common access for httpbin | serviceEntry (httpbin) |
| | sleep | destinationRule |
| | bookinfo-productpage |
| AuthorizationPolicy, destinationRule |
|
|
| Cluster02httpbin |
|
| Microservice | Logicalcloud01 | Logicalcloud02 |
|---|
| common access for bookinfo-productpage | serviceEntry |
| | bookinfo-user | destinationRule |
| | sleep | destinationRule |
|
|
|
...
| Code Block |
|---|
| language | yml |
|---|
| theme | Eclipse |
|---|
| title | DestinationRule |
|---|
| linenumbers | true |
|---|
|
apiVersion: networking.istio.io/v1alpha3
kind: DestinationRule
metadata:
name: sleep-dr
namespace: namespace01
spec:
host: "bookinfo-user"
trafficPolicy:
tls:
serverCertificate: /etc/certs/cert-chain.pem
privateKey: /etc/certs/key.pem
caCertificates: /etc/certs/root-cert.pem
|
4. DestinationRule for simple TLS, Loadbalancing and circuit breaking for httpbin - (logicalCloud02)
| Code Block |
|---|
| language | yml |
|---|
| theme | Eclipse |
|---|
| title | DestinationRule |
|---|
| linenumbers | true |
|---|
|
apiVersion: networking.istio.io/v1alpha3
kind: DestinationRule
metadata:
name: httpbin-dr
namespace: namespace02
spec:
host: "httpbin"
trafficPolicy:
tls:
mode: ISTIO_MUTUAL
loadbalancer:
consistentHash:
httpCookie: "user1"
connectionPool:
tcp:
maxConnections: 10
http:
http2MaxRequests: 1000
maxRequestsPerConnection: 100
outlierDetection:
consecutiveErrors: 7
interval: 5m
baseEjectionTime: 15m
|
...