Description: - Connect multiple microservices on multiple logical clouds deployed across multiple clusters
...
Important Info
- cert-chain.pem is Envoy's cert that needs to be presented to the other side.
- key.pem is Envoy's private key, paired with Envoy's cert in cert-chain.pem.
- root-cert.pem is the root cert used to verify the peer's cert. In this example we only have one Citadel in a cluster, so all Envoys have the same root-cert.pem.
Add Inbound service 01
POST - traffic intent for the inbound service (service hosted behind the cluster)
Code Block | language: js | title: POST
URL: /v2/projects/{project-name}/composite-apps/blue-app/{version}/traffic-intent-set/inbound-intents/
POST BODY:
{
  "metadata": {
    "name": "<>", // unique name for each intent
    "description": "connectivity intent for inbound communication",
    "userdata1": <>,
    "userdata2": <>
  },
  "spec": { // update the memory allocation for each field as per OpenAPI standards
    "application": "<app1>",
    "servicename": "httpbin", // actual name of the inbound service - {istioobject - serviceEntry in the client's cluster}
    "externalName": "httpbin.k8s.com", // FQDN under which clients reach the service
    "protocol": "HTTP",
    "headless": "false", // default is false. "true" makes sure all the instances of a headless service are reachable by the clients
    "mutualTLS": "MUTUAL", // default is SIMPLE. MUTUAL enforces mTLS - {istioobject - destinationRule}
    "port": "80", // port on which the service is exposed through the service mesh, not the port it actually listens on
    "serviceMesh": "istio", // get it from the cluster record
    "sidecar-proxy": "yes", // the features (mTLS, LB, circuit breaking) are not available to services without istio-proxy. Only inbound routing is possible.
    // Traffic management fields below are valid only if sidecar-proxy is set to "yes"
    "traffic-management-info": {
      // Traffic configuration - load balancing is applied per service; traffic to this service is distributed amongst the pods under it.
      "loadbalancingType": "consistentHash", // "simple" and "consistentHash" are the two types - {istioobject - destinationRule}
      "loadBalancerMode": "httpCookie", // modes for consistentHash: "httpHeaderName", "httpCookie", "useSourceIP", "minimumRingSize"; modes for simple: "LEAST_CONN", "ROUND_ROBIN", "RANDOM", "PASSTHROUGH". The mode must be given explicitly - {istioobject - destinationRule}
      "httpCookie": "user1", // name of the cookie used to maintain sticky sessions - {istioobject - destinationRule}
      // Circuit breaking
      "maxConnections": 10, // connection pool for TCP and HTTP traffic - {istioobject - destinationRule}
      "concurrenthttp2Requests": 1000, // concurrent HTTP/2 requests that can be allowed - {istioobject - destinationRule}
      "httpRequestPerConnection": 100, // number of HTTP requests per connection. Valid only for HTTP traffic - {istioobject - destinationRule}
      "consecutiveErrors": 8, // default is 5. Number of consecutive errors before the host is ejected from the pool - {istioobject - destinationRule}
      "baseEjectionTime": 15, // default is 5. Minimum time an ejected host stays out of the pool - {istioobject - destinationRule}
      "intervalSweep": "5m" // interval between sweeps that eject failing hosts and return healthy ones to the load balancing pool - {istioobject - destinationRule}
    },
    // credentials for mTLS. These values are secrets: submit them to the orchestrator over TLS only.
    "Servicecertificate": "", // present the actual (PEM) certificate here
    "ServicePrivateKey": "", // present the actual private key here
    "caCertificate": "" // present the trusted CA certificate used to verify the client connection. Required only when mutualTLS is MUTUAL
  }
}
RETURN STATUS: 201
RETURN BODY:
{
  "name": "<name>",
  "Message": "inbound service created"
}
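How the traffic-management and mTLS fields of the intent above map onto an Istio DestinationRule, shown as an added example (this is not EMCO/ONAP code): a small translator that builds the DestinationRule from the intent's spec and rejects the combinations the page calls invalid (traffic management without a sidecar, MUTUAL without a CA certificate). The sidecar file paths under /etc/certs are taken from the DestinationRule later on this page; reading a bare baseEjectionTime integer as minutes is an assumption made here.

```python
"""Translate the inbound-intent 'spec' into an Istio DestinationRule (added example)."""
import json

SIMPLE_MODES = {"LEAST_CONN", "ROUND_ROBIN", "RANDOM", "PASSTHROUGH"}
# A DestinationRule references files, not PEM text, so the PEM material carried in the
# intent has to be mounted into the sidecar. Paths assumed as in the page's YAML.
CERT_FILES = {
    "clientCertificate": "/etc/certs/cert-chain.pem",
    "privateKey": "/etc/certs/key.pem",
    "caCertificates": "/etc/certs/root-cert.pem",
}


def _duration(value, unit="m"):
    """Intent values are bare numbers (assumed minutes) or strings such as '5m'."""
    return f"{value}{unit}" if isinstance(value, int) else str(value)


def _tls(spec):
    mode = spec.get("mutualTLS", "SIMPLE").upper()
    if mode not in ("SIMPLE", "MUTUAL"):
        raise ValueError(f"unsupported mutualTLS mode {mode!r}")
    if mode == "MUTUAL" and not spec.get("caCertificate"):
        raise ValueError("MUTUAL needs caCertificate, otherwise the peer cert cannot be verified")
    return {"mode": mode, **(CERT_FILES if mode == "MUTUAL" else {})}


def _load_balancer(tm):
    lb_type, mode = tm["loadbalancingType"].lower(), tm["loadBalancerMode"]
    if lb_type == "simple":
        if mode not in SIMPLE_MODES:
            raise ValueError(f"{mode!r} is not a simple load balancer mode")
        return {"simple": mode}
    if lb_type != "consistenthash":
        raise ValueError(f"unknown loadbalancingType {tm['loadbalancingType']!r}")
    if mode == "httpCookie":
        hashed = {"httpCookie": {"name": tm["httpCookie"]}}  # Istio's httpCookie is an object
    elif mode == "httpHeaderName":
        hashed = {"httpHeaderName": tm["httpHeaderName"]}
    elif mode == "useSourceIP":
        hashed = {"useSourceIp": True}
    else:
        # minimumRingSize only sizes the ring; Istio still needs one of the hash keys above
        raise ValueError(f"{mode!r} is not a consistentHash key")
    if "minimumRingSize" in tm:
        hashed["minimumRingSize"] = int(tm["minimumRingSize"])
    return {"consistentHash": hashed}


def _circuit_breaking(tm):
    pool = {
        "tcp": {"maxConnections": int(tm["maxConnections"])},
        "http": {"http2MaxRequests": int(tm["concurrenthttp2Requests"]),
                 "maxRequestsPerConnection": int(tm["httpRequestPerConnection"])},
    }
    outlier = {
        "consecutiveErrors": int(tm.get("consecutiveErrors", 5)),
        "interval": _duration(tm["intervalSweep"]),
        "baseEjectionTime": _duration(tm.get("baseEjectionTime", 5)),
    }
    return pool, outlier


def destination_rule(name, namespace, spec):
    if spec.get("serviceMesh") != "istio":
        raise ValueError("a DestinationRule is only generated for the istio service mesh")
    if spec.get("sidecar-proxy", "no") != "yes":
        raise ValueError("mTLS, LB and circuit breaking need istio-proxy; only inbound routing is possible without it")
    tm = spec["traffic-management-info"]
    pool, outlier = _circuit_breaking(tm)
    return {
        "apiVersion": "networking.istio.io/v1alpha3",
        "kind": "DestinationRule",
        "metadata": {"name": name, "namespace": namespace},
        "spec": {"host": spec["servicename"],
                 "trafficPolicy": {"tls": _tls(spec), "loadBalancer": _load_balancer(tm),
                                   "connectionPool": pool, "outlierDetection": outlier}},
    }


# Constructed sample: the httpbin inbound intent from this page, PEM fields abbreviated.
HTTPBIN_SPEC = {
    "application": "app1", "servicename": "httpbin", "externalName": "httpbin.k8s.com",
    "protocol": "HTTP", "headless": "false", "mutualTLS": "MUTUAL", "port": "80",
    "serviceMesh": "istio", "sidecar-proxy": "yes",
    "traffic-management-info": {
        "loadbalancingType": "consistentHash", "loadBalancerMode": "httpCookie", "httpCookie": "user1",
        "maxConnections": 10, "concurrenthttp2Requests": 1000, "httpRequestPerConnection": 100,
        "consecutiveErrors": 8, "baseEjectionTime": 15, "intervalSweep": "5m",
    },
    "Servicecertificate": "-----BEGIN CERTIFICATE-----...", "ServicePrivateKey": "-----BEGIN PRIVATE KEY-----...",
    "caCertificate": "-----BEGIN CERTIFICATE-----...",
}

if __name__ == "__main__":
    print(json.dumps(destination_rule("httpbin-dr", "namespace02", HTTPBIN_SPEC), indent=2))
```

The translator never copies Servicecertificate or ServicePrivateKey into the DestinationRule: Istio only accepts file paths there, so the orchestrator has to deliver the PEM material to the sidecar as mounted files, and the private key should be treated as a secret along the whole path.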
Authorization for Inbound Service 01
POST - authorization policy for the inbound service: which namespaces and which service accounts may call it, and on which methods and paths
Code Block | language: js | title: POST
URL: /v2/projects/{project-name}/composite-apps/blue-app/{version}/traffic-intent-set/inbound-intents/{serviceName}/authorization-policies
POST BODY:
{
  "metadata": {
    "name": "<>", // unique name for each policy
    "description": "Authorization Policy for inbound services",
    "userdata1": <>,
    "userdata2": <>
  },
  "spec": {
    // Access control
    "namespaces": [], // workloads from these namespaces can access the inbound service - {istioobject - authorizationPolicy}
    "serviceAccountAccess": { "cluster.local/ns/<Namespace>/sa/sleep": { "GET": "/status" } } // principal -> allowed method and path. Principals are taken from the peer certificate, so this only works when mutualTLS is MUTUAL - {istioobject - authorizationPolicy, applied to the inbound service}
  }
}
RETURN STATUS: 201
RETURN BODY:
{
  "name": "<name>",
  "Message": "Authorization Policy created"
}
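What the authorization-policy intent above turns into on the Istio side, and how the sidecar decides on a request, as an added example (not EMCO/ONAP code): the spec is rendered into an ALLOW AuthorizationPolicy, and a small evaluator applies Istio's rule semantics (a request is permitted only if some rule matches, so a peer without an mTLS identity or a method/path not listed is denied). The selector label app=<servicename> is an assumption made here.

```python
"""Build the Istio AuthorizationPolicy for an authorization-policy intent and evaluate
requests against it the way the sidecar does (added example, not EMCO code)."""


def _parse_principal(principal):
    """'cluster.local/ns/default/sa/sleep' -> ('default', 'sleep')."""
    parts = principal.split("/")
    if len(parts) != 5 or parts[1] != "ns" or parts[3] != "sa":
        raise ValueError(f"not a SPIFFE-style principal: {principal!r}")
    return parts[2], parts[4]


def authorization_policy(name, namespace, service, spec):
    rules = []
    if spec.get("namespaces"):
        # any workload in these namespaces, any method and path
        rules.append({"from": [{"source": {"namespaces": list(spec["namespaces"])}}]})
    for principal, ops in spec.get("serviceAccountAccess", {}).items():
        _parse_principal(principal)  # fail early on malformed identities
        rules.append({
            "from": [{"source": {"principals": [principal]}}],
            "to": [{"operation": {"methods": [m], "paths": [p]}} for m, p in ops.items()],
        })
    return {
        "apiVersion": "security.istio.io/v1beta1",
        "kind": "AuthorizationPolicy",
        "metadata": {"name": name, "namespace": namespace},
        "spec": {"selector": {"matchLabels": {"app": service}}, "action": "ALLOW", "rules": rules},
    }


def _path_matches(pattern, path):
    """Istio path matching: exact, prefix ('/static*'), suffix ('*.html') or any ('*')."""
    if pattern == "*":
        return True
    if pattern.startswith("*"):
        return path.endswith(pattern[1:])
    if pattern.endswith("*"):
        return path.startswith(pattern[:-1])
    return path == pattern


def _source_ok(src, req):
    # fields inside one source are ANDed, values inside a field are ORed
    if "principals" in src and req["principal"] not in src["principals"]:
        return False
    if "namespaces" in src and req["namespace"] not in src["namespaces"]:
        return False
    return True


def _operation_ok(op, req):
    if "methods" in op and req["method"] not in op["methods"]:
        return False
    return any(_path_matches(p, req["path"]) for p in op.get("paths", ["*"]))


def _rule_ok(rule, req):
    from_ok = not rule.get("from") or any(_source_ok(f["source"], req) for f in rule["from"])
    to_ok = not rule.get("to") or any(_operation_ok(t["operation"], req) for t in rule["to"])
    return from_ok and to_ok


def is_allowed(policy, principal, method, path):
    """ALLOW policy: permitted only if some rule matches; no rules means everything is denied.
    principal is '' for a plaintext peer (no client certificate), which never matches."""
    namespace = _parse_principal(principal)[0] if principal else ""
    req = {"principal": principal, "namespace": namespace, "method": method, "path": path}
    return any(_rule_ok(r, req) for r in policy["spec"]["rules"])


# Constructed sample: the policy intent from this page for the httpbin inbound service.
POLICY = authorization_policy("policy01", "namespace02", "httpbin", {
    "namespaces": [],
    "serviceAccountAccess": {"cluster.local/ns/default/sa/sleep": {"GET": "/status"}},
})

if __name__ == "__main__":
    for who, m, p in [("cluster.local/ns/default/sa/sleep", "GET", "/status"),
                      ("cluster.local/ns/default/sa/sleep", "POST", "/status"),
                      ("", "GET", "/status")]:
        print(who or "<plaintext peer>", m, p, "->", "ALLOW" if is_allowed(POLICY, who, m, p) else "DENY")
```

Because the generated policy is an ALLOW policy, creating it for a service flips that service from open to deny-by-default for every caller not listed; keep the namespaces list empty unless every workload in those namespaces really should reach every path.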
Client 01
POST - traffic intent to add a client for a specific inbound service - NOTE - clients use the same mTLS mode as the inbound service
Code Block | language: js | title: POST
URL: /v2/projects/{project-name}/composite-apps/brown-app/{version}/traffic-group-intent/outbound-intents/
POST BODY:
{
  "metadata": {
    "name": "<name>", // unique name for each intent
    "description": "connectivity intent for outbound communication",
    "application": "<app1>",
    "userdata1": <>,
    "userdata2": <>
  },
  "spec": {
    "clientServiceName": "sleep", // name of the client service
    "type": "istio", // options are istio, k8s and external
    "headless": "false", // default is false. "true" generates the required configs for all the instances of a headless service
    "targetService": "httpbin.k8s.com" // FQDN expected since the client belongs to a different composite app
  }
}
RETURN STATUS: 201
RETURN BODY:
{
  "name": "<name>",
  "Message": "Client created"
}
Client 02
POST - traffic intent to add a client for a specific inbound service - NOTE - clients use the same mTLS mode as the inbound service
Code Block | language: js | title: POST
URL: /v2/projects/{project-name}/composite-apps/blue-app/{version}/traffic-group-intent/outbound-intents/
POST BODY:
{
  "metadata": {
    "name": "<name>", // unique name for each intent
    "description": "connectivity intent to add a client",
    "application": "<app1>",
    "userdata1": <>,
    "userdata2": <>
  },
  "spec": {
    "clientServiceName": "sleep", // name of the client service
    "type": "istio", // options are istio, k8s and external
    "headless": "false", // default is false. "true" generates the required configs for all the instances of a headless service
    "targetService": "httpbin.k8s.com" // both client and service belong to the same composite app; the FQDN notation is still used for consistency
  }
}
RETURN STATUS: 201
RETURN BODY:
{
  "name": "<name>",
  "Message": "Client created"
}
Client 03
POST - traffic intent to add an external client for a specific inbound service - NOTE - clients use the same mTLS mode as the inbound service
Code Block | language: js | title: POST
URL: /v2/projects/{project-name}/composite-apps/brown-app/{version}/traffic-group-intent/outbound-intents/
POST BODY:
{
  "metadata": {
    "name": "<name>", // unique name for each intent
    "description": "connectivity intent to add a client",
    "application": "<app1>",
    "userdata1": <>,
    "userdata2": <>
  },
  "spec": {
    "clientServiceName": "onap.k8s.org", // name (FQDN) of the client service, here a client outside the mesh
    "type": "external", // options are istio, k8s and external
    "headless": "false", // default is false. "true" generates the required configs for all the instances of a headless service
    "targetService": "httpbin.k8s.com" // FQDN of the inbound service the client is allowed to reach
  }
}
RETURN STATUS: 201
RETURN BODY:
{
  "name": "<name>",
  "Message": "Client created"
}
Add Inbound service 02
POST - traffic intent for a second inbound service (productpage); access control for it is added separately in the next step
Code Block | language: js | title: POST
URL: /v2/projects/{project-name}/composite-apps/blue-app/{version}/traffic-intent-set/inbound-intents/
POST BODY:
{
  "metadata": {
    "name": "<httpbin>", // unique name for each intent
    "description": "connectivity intent for stateless micro-service to stateless micro-service communication",
    "userdata1": <>,
    "userdata2": <>
  },
  "spec": {
    "application": "<app1>",
    "servicename": "productpage", // actual name of the inbound service
    "externalName": "productpage.k8s.com",
    "protocol": "HTTP",
    "headless": "false", // default is false. "true" makes sure all the instances of a headless service are reachable by the clients
    "mutualTLS": "MUTUAL", // default is SIMPLE. MUTUAL enforces mTLS
    "port": "80", // port on which the service is exposed through the service mesh, not the port it actually listens on
    "serviceMesh": "istio", // get it from the cluster record
    "sidecar-proxy": "yes", // the features (mTLS, LB, circuit breaking) are not available to services without istio-proxy. Only inbound routing is possible.
    // Traffic management fields below are valid only if sidecar-proxy is set to "yes"
    "traffic-management-info": {
      // Traffic configuration - load balancing is applied per service; traffic to this service is distributed amongst the pods under it.
      "loadbalancingType": "consistentHash", // "simple" and "consistentHash" are the two types - {istioobject - destinationRule}
      "loadBalancerMode": "httpCookie", // modes for consistentHash: "httpHeaderName", "httpCookie", "useSourceIP", "minimumRingSize"; modes for simple: "LEAST_CONN", "ROUND_ROBIN", "RANDOM", "PASSTHROUGH". The mode must be given explicitly - {istioobject - destinationRule}
      "httpCookie": "user2", // name of the cookie used to maintain sticky sessions - {istioobject - destinationRule}
      // Circuit breaking
      "maxConnections": 10, // connection pool for TCP and HTTP traffic - {istioobject - destinationRule}
      "concurrenthttp2Requests": 1000, // concurrent HTTP/2 requests that can be allowed - {istioobject - destinationRule}
      "httpRequestPerConnection": 100, // number of HTTP requests per connection. Valid only for HTTP traffic - {istioobject - destinationRule}
      "consecutiveErrors": 8, // default is 5. Number of consecutive errors before the host is ejected from the pool - {istioobject - destinationRule}
      "baseEjectionTime": 15, // default is 5. Minimum time an ejected host stays out of the pool - {istioobject - destinationRule}
      "intervalSweep": "5m" // interval between sweeps that eject failing hosts and return healthy ones to the load balancing pool - {istioobject - destinationRule}
    },
    // credentials for mTLS. These values are secrets: submit them to the orchestrator over TLS only.
    "Servicecertificate": "", // present the actual (PEM) certificate here
    "ServicePrivateKey": "", // present the actual private key here
    "caCertificate": "" // trusted CA certificate used to verify the client connection
  }
}
RETURN STATUS: 201
RETURN BODY:
{
  "name": "<name>",
  "Message": "inbound service created"
}
Add Authorization Policy to the inbound service
Code Block | language: js | title: POST
URL: /v2/projects/{project-name}/composite-apps/blue-app/{version}/traffic-intent-set/inbound-intents/{serviceName}/authorization-policies
POST BODY:
{
  "metadata": {
    "name": "<httpbin>", // unique name for each policy
    "description": "Authorization Policy for the client",
    "userdata1": <>,
    "userdata2": <>
  },
  "spec": {
    // Access control
    "namespaces": [], // workloads from these namespaces can access the inbound service
    "serviceAccountAccess": { "cluster.local/ns/default/sa/sleep": { "GET": "/static" } } // principal -> allowed method and path - {istioobject - authorizationPolicy, applied to the inbound service}
  }
}
RETURN STATUS: 201
RETURN BODY:
{
  "name": "<name>",
  "Message": "Authorization Policy created"
}
...
Code Block | language: yml | title: DestinationRule
apiVersion: networking.istio.io/v1alpha3
kind: DestinationRule
metadata:
  name: sleep-dr
  namespace: namespace01
spec:
  host: "bookinfo-user"
  trafficPolicy:
    tls:
      mode: MUTUAL
      # client-side TLS settings: a DestinationRule takes clientCertificate (serverCertificate belongs to a Gateway)
      clientCertificate: /etc/certs/cert-chain.pem
      privateKey: /etc/certs/key.pem
      caCertificates: /etc/certs/root-cert.pem
4. DestinationRule for mutual TLS, load balancing and circuit breaking for httpbin - (logicalCloud02)
Code Block | language: yml | title: DestinationRule
apiVersion: networking.istio.io/v1alpha3
kind: DestinationRule
metadata:
  name: httpbin-dr
  namespace: namespace02
spec:
  host: "httpbin"
  trafficPolicy:
    tls:
      mode: MUTUAL
      # client-side TLS settings: a DestinationRule takes clientCertificate (serverCertificate belongs to a Gateway)
      clientCertificate: /etc/certs/cert-chain.pem
      privateKey: /etc/certs/key.pem
      caCertificates: /etc/certs/root-cert.pem
    loadBalancer:
      consistentHash:
        # httpCookie is an object in the Istio schema, not a bare string
        httpCookie:
          name: user1
    connectionPool:
      tcp:
        maxConnections: 10
      http:
        http2MaxRequests: 1000
        maxRequestsPerConnection: 100
    outlierDetection:
      consecutiveErrors: 8
      interval: 5m
      baseEjectionTime: 15m
...