...
URL: /v2/projects/{project-name}/composite-apps/{composite-app-name}/{version}/traffic-intent-set
POST BODY:
{
"name": "john",
"description": "Traffic intent groups",
"set": [
{ "inbound": "abc" },
{ "outbound": "abc" }
]
}
1.
...
Inbound access
POST
URL: /v2/projects/{project-name}/composite-apps/{composite-app-name}/{version}/traffic-intent-set/us-to-us-intents/
POST BODY:
{
"metadata": {
"name": "<>" // unique name for each intent
"description": "connectivity intent for stateless micro-service to stateless micro-service communication"
"userdata1": <>,
"userdata2": <>
}
"spec": { // update the memory allocation for each field as per OpenAPI standards
"application": "<app1>",
"servicename": "<>" // actual name of the client service - {istioobject - serviceEntry of client's cluster}
"externalName": "<>" // prefix to expose this service outside the cluster
"protocol": "<>", // supported protocols are HTTP, TCP, UDP and HTTP2
"headless": "", // default is false. Option "True" will make sure all the instances of the headless service will have access to the client service
"mutualTLS": "", // default is simple. Option MUTUAL will enforce mtls - {istioobject - destinationRule}
"port" : "80", // port on which the service is exposed through the service mesh, not the port it is actually running on
"serviceMesh": "istio", // get it from cluster record
"sidecar-proxy": "yes", // The features (mTLS, LB, Circuit breaking) are not available to services without istio-proxy. Only inbound routing is possible.
// Traffic management fields below are valid only if the sidecar-proxy is set to "yes"
traffic-management-info : {
// Traffic configuration - Loadbalancing is applicable per service. The traffic to this service is distributed amongst the pods under it.
"loadbalancingType": "", // "Simple" and "consistentHash" are the two modes - {istioobject - destinationRule}
"loadBalancerMode": "" // Modes for consistentHash - "httpHeaderName", "httpCookie", "useSourceIP", "minimumRingSize"; Modes for simple - "LEAST_CONN", "ROUND_ROBIN", "RANDOM", "PASSTHROUGH" // the choice of mode must be explicit - {istioobject - destinationRule}
"httpCookie": "user1" // Name of the cookie to maintain sticky sessions - {istioobject - destinationRule}
// Circuit Breaking
"maxConnections": "", // connection pool for tcp and http traffic - {istioobject - destinationRule}
"concurrenthttp2Requests": "" // concurrent http2 requests which can be allowed - {istioobject - destinationRule}
"httpRequestPerConnection": "" // number of http requests per connection. Valid only for http traffic - {istioobject - destinationRule}
"consecutiveErrors": "" // Default is 5. Number of consecutive errors before the host is removed from the load balancing pool - {istioobject - destinationRule}
"baseEjectionTime" : "" // Default is 5. Time for which the host is removed from the load balancing pool when it returns errors more times than the "consecutiveErrors" limit - {istioobject - destinationRule}
"intervalSweep": "" // time limit before the removed hosts are added back to the load balancing pool - {istioobject - destinationRule}
"connectTimeout": "" // only for TCP traffic
}
// credentials for mTLS.
"Servicecertificate" : "" // Present actual certificate here.
"ServicePrivateKey" : "" // Present actual private key here.
"caCertificate" : "" // present the trusted certificate to verify the client connection. Required only when mtls mode is MUTUAL
// Access Control
namespaces: [] // Workloads from these namespaces can access the inbound service
serviceAccountAccess : {[
"<saName>": ["ACTION": "URI"]
"<saName>": ["PORT": "27017"] // for tcp
]}
}
}
RETURN STATUS: 201
RETURN BODY:
{
"name": "<>"
"Message": "inbound service created"
}
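As an added example (not code from this page or from the multicloud-k8s project), the Go snippet below validates the loadbalancing, circuit-breaking and mutualTLS fields of the intent above and renders them into the Istio DestinationRule the comments map them to, using a go template as the Development section proposes. The Intent struct and its field names, the HashKey field, and the mapping of MUTUAL onto ISTIO_MUTUAL are assumptions.

```go
package main

import (
	"fmt"
	"strings"
	"text/template"
)

// Intent: the us-to-us intent fields that map onto one Istio DestinationRule (names from the API sketch; Go types are assumptions).
type Intent struct {
	ServiceName, MutualTLS, LoadBalancingType, LoadBalancerMode, HashKey string // HashKey: cookie or header name
	MaxConnections, ConcurrentHTTP2Requests, HTTPRequestPerConnection, ConsecutiveErrors int
	BaseEjectionTime, IntervalSweep string // Istio durations such as "30s"
}

// The page requires the LB mode to be explicit, so anything outside these sets is rejected.
var allowedModes = map[string]map[string]bool{
	"simple":         {"LEAST_CONN": true, "ROUND_ROBIN": true, "RANDOM": true, "PASSTHROUGH": true},
	"consistentHash": {"httpHeaderName": true, "httpCookie": true}, // only these two hash sources are shown
}
func (in Intent) Validate() error {
	if !allowedModes[in.LoadBalancingType][in.LoadBalancerMode] {
		return fmt.Errorf("unsupported loadbalancingType/loadBalancerMode %q/%q", in.LoadBalancingType, in.LoadBalancerMode)
	}
	if in.LoadBalancingType == "consistentHash" && in.HashKey == "" {
		return fmt.Errorf("%s mode needs a cookie or header name", in.LoadBalancerMode)
	}
	return nil
}

// Assumed mapping: MUTUAL becomes ISTIO_MUTUAL (mesh-issued certs); SIMPLE emits no tls block and keeps the mesh default.
const drTemplate = `apiVersion: networking.istio.io/v1beta1
kind: DestinationRule
metadata: {name: {{ .ServiceName }}}
spec:
  host: {{ .ServiceName }}
  trafficPolicy:
{{- if eq .MutualTLS "MUTUAL" }}
    tls: {mode: ISTIO_MUTUAL}
{{- end }}
    loadBalancer:
{{- if eq .LoadBalancingType "simple" }}
      simple: {{ .LoadBalancerMode }}
{{- else if eq .LoadBalancerMode "httpCookie" }}
      consistentHash: {httpCookie: {name: {{ .HashKey }}, ttl: 0s}}
{{- else }}
      consistentHash: {httpHeaderName: {{ .HashKey }}}
{{- end }}
    connectionPool: {tcp: {maxConnections: {{ .MaxConnections }}}, http: {http2MaxRequests: {{ .ConcurrentHTTP2Requests }}, maxRequestsPerConnection: {{ .HTTPRequestPerConnection }}}}
    outlierDetection: {consecutive5xxErrors: {{ .ConsecutiveErrors }}, baseEjectionTime: {{ .BaseEjectionTime }}, interval: {{ .IntervalSweep }}}
`
// RenderDestinationRule validates the intent, then renders it with a go template (the approach listed under Development).
func RenderDestinationRule(in Intent) (string, error) {
	if err := in.Validate(); err != nil {
		return "", err
	}
	var sb strings.Builder
	err := template.Must(template.New("dr").Parse(drTemplate)).Execute(&sb, in)
	return sb.String(), err
}
```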
GET
URL: /v2/projects/{project-name}/composite-apps/{composite-app-name}/{version}/traffic-intent-set/{set-name}/us-to-us-intents/<name>
RETURN STATUS: 201
RETURN BODY:
{
"metadata":{
"name": "<>" //unique name for each intent
"description": "connectivity intent for micro-service to microservice communication"
}
spec:{
"inboundservicename": "<>" //actual name of the client service
"protocol": "<>",
"headless": "<>", // default is false. Option "True" will make sure all the instances of the headless service will have access to the client service
"mutualTLS": "<>", // Support 2 modes. SIMPLE, MUTUAL with external client. For inter and intra cluster, mtls is enabled by default
"port" : "<>", // port on which the service is exposed through the service mesh, not the port it is actually running on
"serviceMesh": "<>", // get it from cluster record
// Traffic configuration
"loadbalancingType": "<>", // "Simple" and "consistentHash" are the two modes
"loadBalancerMode": "<>" // Modes for consistentHash - "httpHeaderName", "httpCookie", "useSourceIP", "minimumRingSize", Modes for simple - "LEAST_CONN", "ROUND_ROBIN", "RANDOM", "PASSTHROUGH"
"httpHeader": <> // Input for the hash when in "consistentHash" LB type and mode as "httpHeader"
"httpCookie": <> // Input for the hash in "consistentHash" LB type with mode "httpCookie". Name of the cookie to maintain sticky sessions.
"maxConnections": <> //connection pool for tcp and http traffic
"timeOut" : <> // in Seconds. Connection timeout for tcp and idleTimeout for http
// credentials for mTLS
"Servicecertificate" : {serverCertificate.pem} // Present actual certificate here. Optional, default "", required only if mTLS is set to "MUTUAL"
"ServicePrivateKey" : {serverPrivateKey.pem} // Present actual private key here. Required only if mTLS is "MUTUAL"
"caCertificate": {caCertificate.pem} // file should contain the public certificates of all root CAs that are trusted to authenticate your clients // not required for cluster level communication
}
}
DELETE
DELETE
URL: /v2/projects/{project-name}/composite-apps/{composite-app-name}/{version}/traffic-intent-set/{set-name}/us-to-us-intents/servicehttpbin
RETURN STATUS: 204
POST - with the client details
URL: /v2/projects/{project-name}/composite-apps/{composite-app-name}/{version}/traffic-intent-set/{set-name}/us-to-us-intent/{intent-name}/clients
POST BODY:
{
"clientServiceName": "<name>", // Actual name of the client service.
}
RETURN STATUS: 201
RETURN BODY:
{
"name": "<name>"
"Message": "Client created"
}
GET - The Client resource
URL: /v2/projects/{project-name}/composite-apps/{composite-app-name}/{version}/traffic-intent-set/{set-name}/us-to-us-intents/{intent-name}/clients/sleep01
RETURN STATUS: 201
RETURN BODY:
"clientService": {
"clientServiceName": "<>", // if any then allow all the external applications to connect, check for serviceaccount level access
"protocol": "<>" // Same as that of inbound service
}
DELETE
URL: /v2/projects/{project-name}/composite-apps/{composite-app-name}/{version}/traffic-intent-set/{set-name}/us-to-us-intents/{intent-name}/clients/sleep01
RETURN STATUS: 204
Security Resource
POST
URL: /v2/projects/{project-name}/composite-apps/{composite-app-name}/{version}/traffic-intent-set/{set-name}/us-to-us-intents/{intent-name}/clients/sleep01/security/security-intent
{
??
}
RETURN STATUS: 204
Traffic Resource??
URL: /v2/projects/{project-name}/composite-apps/{composite-app-name}/{version}/traffic-intent-set/{set-name}/us-to-us-intents/{intent-name}/clients/sleep01/traffic/traffic-intent
{
}
RETURN STATUS: 204
NOTE - The default authorization policy must be "deny-all" under spec, as we need to disable all communication between microservices during the Istio installation.
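As an added example that is not the project's own code, the Go snippet below produces the deny-all default called for in the NOTE above and the per-service ALLOW AuthorizationPolicy that the intent's "Access Control" fields (namespaces and serviceAccountAccess) describe. The AccessRule and AccessControl types, the app label selector and the rejection of entries that list no ACTION/URI or PORT are assumptions.

```go
package main

import (
	"fmt"
	"strings"
)

// AccessRule is one serviceAccountAccess entry of the intent: a client service account and the
// ACTION/URI pairs (or PORT, for tcp) it may use. The Go shape is an assumption.
type AccessRule struct {
	Namespace, ServiceAccount string
	Methods, Paths, Ports     []string
}

type AccessControl struct { // mirrors the intent's "Access Control" block
	Namespace, App string   // where the inbound workload runs, and its app label
	Namespaces     []string // namespaces whose workloads may reach the service
	Rules          []AccessRule
}

// DenyAllPolicy is the default the page's NOTE requires: an empty spec in the root namespace
// denies every request in the mesh that no ALLOW policy explicitly matches.
const DenyAllPolicy = "apiVersion: security.istio.io/v1beta1\nkind: AuthorizationPolicy\n" +
	"metadata: {name: deny-all, namespace: istio-system}\nspec: {}\n"
func quoteList(items []string) string {
	q := make([]string, len(items))
	for i, s := range items {
		q[i] = fmt.Sprintf("%q", s)
	}
	return "[" + strings.Join(q, ", ") + "]"
}

// AllowPolicy renders the ALLOW policy for one inbound service. Service accounts become
// SPIFFE-style principals (cluster.local/ns/<ns>/sa/<sa>), which only mTLS-authenticated peers match.
func AllowPolicy(ac AccessControl) (string, error) {
	if ac.App == "" || ac.Namespace == "" {
		return "", fmt.Errorf("app label and namespace are required; without a selector the policy would cover the whole namespace")
	}
	var b strings.Builder
	fmt.Fprintf(&b, "apiVersion: security.istio.io/v1beta1\nkind: AuthorizationPolicy\nmetadata: {name: %s-allow, namespace: %s}\n"+
		"spec:\n  selector: {matchLabels: {app: %s}}\n  action: ALLOW\n  rules:\n", ac.App, ac.Namespace, ac.App)
	if len(ac.Namespaces) > 0 { // any workload in these namespaces, any operation
		fmt.Fprintf(&b, "  - from: [{source: {namespaces: %s}}]\n", quoteList(ac.Namespaces))
	}
	for _, r := range ac.Rules {
		if r.ServiceAccount == "" || r.Namespace == "" {
			return "", fmt.Errorf("serviceAccountAccess entry needs both namespace and service account")
		}
		fmt.Fprintf(&b, "  - from: [{source: {principals: [\"cluster.local/ns/%s/sa/%s\"]}}]\n", r.Namespace, r.ServiceAccount)
		switch { // an entry with no ACTION/URI or PORT would allow every operation, so it is rejected
		case len(r.Ports) > 0:
			fmt.Fprintf(&b, "    to: [{operation: {ports: %s}}]\n", quoteList(r.Ports))
		case len(r.Methods) > 0 && len(r.Paths) > 0:
			fmt.Fprintf(&b, "    to: [{operation: {methods: %s, paths: %s}}]\n", quoteList(r.Methods), quoteList(r.Paths))
		default:
			return "", fmt.Errorf("entry for %s lists no ACTION/URI or PORT", r.ServiceAccount)
		}
	}
	return b.String(), nil
}
```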
2. External service to access Inbound service - Inbound access
NOTE - These are services whose nature is not known. They are assumed to have an FQDN as their point of connectivity.
POST
URL: /v2/projects/{project-name}/composite-apps/{composite-app-name}/{version}/traffic-intent-set/{set-name}/inbound-intent/
POST BODY:
{
"name": <name> //unique name for each intent
"description": <description>
"inboundservicename": "mysql" //actual name of the client service
"description": "bookinfo app",
"protocol": "HTTP",
"externalName": "", // Optional, default = "". Not required for Outbound access since the communication will be initiated from the inbound service
"localDomain": "", // Optional, default = "", Update local network (cluster scope) DNS with records for '<externalName>.<localDomain>'
"publicDomain": "", // Optional, default = "", Update public network (logical cloud scope) DNS with records for '<externalName>.<publicDomain>'
"headless": "", // default is false. Option "True" will make sure all the instances of the headless service will have access to the client service
"mutualTLS": "", // Setting this to true will create a dedicated egress gateway for the service "httpbin01" on whichever cluster it is running on
"port" : "", // port on which the service is exposed through the service mesh, not the port it is actually running on
"serviceMesh": "", // get it from cluster record
"loadbalancing": "", // optional
}
RETURN STATUS: 201
RETURN BODY:
{
"Message": "outbound connectivity intent creation success "
"description": "Connectivity intent for inbound service to connect to external services"
}
POST - External service to access inbound service
URL: /v2/projects/{project-name}/composite-apps/{composite-app-name}/{version}/traffic-intent-set/{set-name}/inbound-intent/{intent-name}/clients
POST BODY:
{
"name": <name> //unique name for each intent
"description": <description>
"externalServiceName": {cnn.edition.com} // Only the FQDN of the service name is required
"externalCaCertificate" : {clientCaCert.pem} // Present the actual client certificate
}
RETURN STATUS: 201
RETURN BODY:
{
"Message": "Success "
"description": "External service given access to inbound service"
}
Security
URL: /v2/projects/{project-name}/composite-apps/{composite-app-name}/{version}/traffic-intent-set/{set-name}/inbound-intent/{intent-name}/clients/client01/security
{
"name": <name> //unique name for each intent
"description": <description>
"externalAuthenticationissuer": "<>",
"externalAuthenticationjwksURI" : "<>",
"userAccess": [{userName: "<>", accessList:Action:["<URI>": "Action", "<URI>": "Action"]} ]// These are the external users and actions
}
RETURN STATUS: 204
3. Outbound access
POST -
URL: /v2/projects/{project-name}/composite-apps/{composite-app-name}/{version}/traffic-intent-set/{set-name}/outbound-intent/{intent-name}/clients/
POST BODY:
{
"name": "<name>" //unique name for each intent
"description": <description>
"inboundservicename": "<>" //actual name of the client service
"protocol": "<>",
"headless": "", // default is false. Option "True" will make sure all the instances of the headless service will have access to the client service
"mutualTLS": "", // Support 2 modes. SIMPLE, MUTUAL with external client. For inter and intra cluster, mtls is enabled by default
"port" : "", // port on which the service is exposed through the service mesh, not the port it is actually running on
"serviceMesh": "", // get it from cluster record
// Traffic configuration
"loadbalancingType": "", // "Simple" and "consistentHash" are the two modes
"loadBalancerMode": "" // Modes for consistentHash - "httpHeaderName", "httpCookie", "useSourceIP", "minimumRingSize", Modes for simple - "LEAST_CONN", "ROUND_ROBIN", "RANDOM", "PASSTHROUGH"
"httpHeader": "" // Input for the hash when in "consistentHash" LB type and mode as "httpHeader"
"httpCookie": "" // Input for the hash in "consistentHash" LB type with mode "httpCookie". Name of the cookie to maintain sticky sessions.
"maxConnections": "" //connection pool for tcp and http traffic
"timeOut" : "" // in Seconds. Connection timeout for tcp and idleTimeout for http
// credentials for mTLS
"Servicecertificate" : {serverCertificate.pem} // Present actual certificate here. Optional, default "", required only if mTLS is set to "MUTUAL"
"ServicePrivateKey" : {serverPrivateKey.pem} // Present actual private key here. Required only if mTLS is "MUTUAL"
"caCertificate": {caCertificate.pem} // file should contain the public certificates of all root CAs that are trusted to authenticate your clients // not required for cluster level communication
}
RETURN STATUS: 201
RETURN BODY:
{
"name": "<name>"
"Message": "Inbound service created"
}
POST - Provide access to an external service from inbound service
URL: /v2/projects/{project-name}/composite-apps/{composite-app-name}/{version}/traffic-intent-set/{set-name}/inbound-intent/
POST BODY:
{
"externalServiceName": "<name>" // Only the FQDN of the service name is required
"caCertificate" : "" // present the trusted certificate to verify the client connection. Required only when mtls mode is MUTUAL
// Access Control
namespaces: [] // Workloads from these namespaces can access the inbound service - {istioobject - authorizationPolicy}
serviceAccountAccess : {[ "SaDetails": ["ACTION": "URI"]} // {istioobject - authorizationPolicy, will be applied for the inbound service}
}
RETURN STATUS: 201
RETURN BODY:
{
"name": "<name>"
"Message": "inbound service created"
}
GET
URL: /v2/projects/{project-name}/composite-apps/{composite-app-name}/{version}/traffic-intent-set/{set-name}/us-to-us-intents/<name>
RETURN STATUS: 201
RETURN BODY:
{
"metadata": {
"name": "<>" // unique name for each intent
"description": "connectivity intent for stateless micro-service to stateless micro-service communication"
"userdata1": <>,
"userdata2": <>
}
"spec": { // update the memory allocation for each field as per OpenAPI standards
"application": "<app1>",
"servicename": "<>" //actual name of the client service - {istioobject - serviceEntry of client's cluster}
"externalName": "<>" // prefix to expose this service outside the cluster
"protocol": "", // supported protocols are HTTP, TCP, UDP and HTTP2
"headless": "", // default is false. Option "True" will make sure all the instances of the headless service will have access to the client service
"mutualTLS": "", // default is simple. Option MUTUAL will enforce mtls {istioobject - destinationRule}
"port" : "80", // port on which the service is exposed through the service mesh, not the port it is actually running on
"serviceMesh": "istio", // get it from cluster record
"sidecar-proxy": "yes", // The features (mTLS, LB, Circuit breaking) are not available to services without istio-proxy. Only inbound routing is possible.
// Traffic management fields below are valid only if the sidecar-proxy is set to "yes"
traffic-management-info : {
// Traffic configuration - Loadbalancing is applicable per service. The traffic to this service is distributed amongst the pods under it.
"loadbalancingType": "", // "Simple" and "consistentHash" are the two modes - {istioobject - destinationRule}
"loadBalancerMode": "" // Modes for consistentHash - "httpHeaderName", "httpCookie", "useSourceIP", "minimumRingSize"; Modes for simple - "LEAST_CONN", "ROUND_ROBIN", "RANDOM", "PASSTHROUGH" // the choice of mode must be explicit - {istioobject - destinationRule}
"httpCookie": "user1" // Name of the cookie to maintain sticky sessions - {istioobject - destinationRule}
// Circuit Breaking
"maxConnections": "" //connection pool for tcp and http traffic - {istioobject - destinationRule}
"concurrenthttp2Requests": "" // concurrent http2 requests which can be allowed - {istioobject - destinationRule}
"httpRequestPerConnection": "" // number of http requests per connection. Valid only for http traffic - {istioobject - destinationRule}
"consecutiveErrors": "" // Default is 5. Number of consecutive errors before the host is removed - {istioobject - destinationRule}
"baseEjectionTime" : "" // Default is 5 - {istioobject - destinationRule}
"intervalSweep": "" // time limit before the removed hosts are added back to the load balancing pool - {istioobject - destinationRule}
}
// credentials for mTLS.
"Servicecertificate" : "" // Present actual certificate here.
"ServicePrivateKey" : "" // Present actual private key here.
"caCertificate" : "" // present the trusted certificate to verify the client connection, Required only when mtls mode is MUTUAL
// Access Control
namespaces: [] // Workloads from these namespaces can access the inbound service - {istioobject - authorizationPolicy}
serviceAccountAccess : {[ "SaDetails": ["ACTION": "URI"]} // {istioobject - authorizationPolicy, will be applied for the inbound service}
}
}
DELETE
DELETE
URL: /v2/projects/{project-name}/composite-apps/{composite-app-name}/{version}/traffic-intent-set/{set-name}/us-to-us-intents/servicehttpbin
RETURN STATUS: 204
2. Outbound access
POST -
URL: /v2/projects/{project-name}/composite-apps/{composite-app-name}/{version}/traffic-group-intent/outbound-intents/
POST BODY:
{
"metadata": {
"name": "<name>" // unique name for each intent
"description": "connectivity intent add client communication"
"application": "<app1>",
"userdata1": <>,
"userdata2": <>
}
spec: {
"clientServiceName": "<>", // Name of the client service
"type": "", // options are istio, k8s and external
"inboundServiceName": "<>"
"headless": "false", // default is false. Option "True" will generate the required configs for all the instances of the headless service
}
}
RETURN STATUS: 201
RETURN BODY:
{
"name": "<name>"
"Message": "Client created"
}
Development
- go API library - https://github.com/gorilla/mux
- backend - mongo - https://github.com/onap/multicloud-k8s/tree/master/src/k8splugin/internal/db - Reference
- intent to config conversion - use go templates and admiral? https://github.com/istio-ecosystem/admiral
- writing the config to etcd - WIP
- Unit tests and Integration test - go tests
...