Description: - Connect two microservices belonging to stateless applications
The services hosted behind Istio service mesh has the sidecar proxy installed with each pod of the service.
In the below diagram,
SERVER - httpbin (If TLS Mode is "SIMPLE", it will accept both traffic for tls and plain text. TLS Mode must be ISTIO_MUTUAL for talking to other istio clients. MUTUAL when talking to other external services) istio service which use different rootca
CLIENTS - sleep (TLS Mode can be "SIMPLE" (for services with no sidecars) or ISTIO_MUTUAL(services with sidecars)). MUTUAL when talking to other external services) or istio service which use different rootca
NOTE - For this scenario, the default mesh wide policy must be set to "PERMISSIVE" on both the clusters. It will not work if the default Mesh Policy is "STRICT"
Important Info - cert-chain.pem
is Envoy’s cert that needs to be presented to the other side. key.pem
is Envoy’s private key paired with Envoy’s cert in cert-chain.pem
. root-cert.pem
is the root cert to verify the peer’s cert. In this example, we only have one Citadel in a cluster, so all Envoys have the same root-cert.pem
Add Inbound service1 01
POST - traffic intent for the inbound service (service hosted behind the cluster)
URL: /v2/projects/{project-name}/composite-apps/{composite-app-name}/{version}/traffic-intent-set/us-to-us-intents/ POST BODY: { "metadata": { "name": "bookinfo-reviews" // unique name for each intent "description": "connectivity intent for stateless micro-service to stateless micro-service communication" "userdata1": <>, "userdata2": <> } "spec": { // update the memory allocation for each field as per OpenAPI standards "application": "<app1>", "servicename": "httpbin" //actual name of the client service "protocol": "HTTP", "headless": "false", // default is false. Option "True" will make sure all the instances of the headless service will have access to the client service "mutualTLS": "SIMPLE", // Support 4 modes. DISABLE, SIMPLE and ISTIO_MUTUAL, MUTUAL (caCertificate required) "port" : "80", // port on which service is exposed as through servicemesh, not the port it is actually running on "serviceMesh": "istio", // get it from cluster record "istio-proxy": "yes", // The features (mTLS, LB, Circuit breaking) are not avaialble to services without istio-proxy. Only inbound routing is possible. // Traffic configuration - Loadbalancing is applicable per service. The traffic to this service is distrbuted amongst the pods under it. "loadbalancingType": "ConsistenHash", // "Simple" and "consistentHash" are the two modes "loadBalancerMode": "httpCookie" // Modes for consistentHash - "httpHeaderName", "httpCookie", "useSourceIP", "minimumRingSize", Modes for simple - "LEAST_CONN", "ROUND_ROBIN", "RANDOM", "PASSTHROUGH" // choices of the mode must be explicit "httpCookie": "user1" // Name of the cookie to maitain stick sessions // Circuit Breaking "maxConnections": 10 //connection pool for tcp and http traffic "concurrenthttp2Requests": 1000 // concurent http2 requests which can be allowed "httpRequestPerConnection": 100 //number of http requests per connection. Valid only for http traffic "consecutiveErrors": 8 // Default is 5. Number of consecutive error before the host is removed from load balancing pool "baseEjectionTime" : 15 // Default is 5, time for which the host will be removed from load balancing pool when it returns error for no of times more than "consecutiveErrors" limit "intervalSweep": 5m, //time limit before the removed hosts are added back to the load balancing pool. // credentials for mTLS. Not required in this scenario since the services are in one logical cloud with common rootCA. ISTIO_MUTUAL is enabled by default. "Servicecertificate" : "" // Present actual certificate here. "ServicePrivateKey" : "" // Present actual private key here. // Access Control namespaces: [] // Workloads from this namespaces can access the inbound service } } RETURN STATUS: 201 RETURN BODY: { "name": "<name>" "Message": "inbound service created" }
Add Clients to inbound service 01
POST - traffic intent to add clients for accessing a specific inbound service
URL: /v2/projects/{project-name}/composite-apps/{composite-app-name}/{version}/traffic-group-intent/uservice-to-uservice-intent/clients POST BODY: { "metadata": { "name": "<name>" // unique name for each intent "description": "connectivity intent add client communication" "application": "<app1>", "userdata1": <>, "userdata2": <> } spec: { "clientServiceName": "sleep", // Name of the client service "headless": "false", // default is false. Option "True" will generate the required configs for all the instances of headless service "mutualTLS": "SIMPLE" // This will be automatically set to the same value as that of the inboundservice if both the client and inboundservice are in same logical cloud } } RETURN STATUS: 201 RETURN BODY: { "name": "<name>" "Message": "Client created" }
Add Security details for clients of inbound service 01
WARNING - This task requires mutual TLS enabled because the following examples use principal and namespace in the policies
URL: /v2/projects/{project-name}/composite-apps/{composite-app-name}/{version}/traffic-group-intent/uservice-to-uservice-intent/clients/sleep/security/security-intent { "metadata": { "name": "<name>" // unique name for each intent "description": "Security intent" "application": "<app1>", "userdata1": <>, "userdata2": <> } spec:{ serviceAccountAccess : {[ "cluster.local/ns/default/sa/sleep": ["GET": "/status"], "cluster.local/ns/default/sa/sleep" : ["GET": "/headers"]} } } RETURN STATUS: 201 RETURN BODY: { "name": "<name>" "Message": "Security Rules created" }
Add Inbound services 02
URL: /v2/projects/{project-name}/composite-apps/{composite-app-name}/{version}/traffic-intent-set/us-to-us-intents/ POST BODY: { "metadata": { "name": "<>" // unique name for each intent "description": "connectivity intent for stateless micro-service to stateless micro-service communication" "userdata1": <>, "userdata2": <> } "spec": { // update the memory allocation for each field as per OpenAPI standards "application": "<app1>", "servicename": "productpage" //actual name of the client service "protocol": "HTTP", "headless": "false", // default is false. Option "True" will make sure all the instances of the headless service will have access to the client service "mutualTLS": "ISTIO_MUTUAL", // Support 2 modes. SIMPLE and ISTIO_MUTUAL, For external Client, it is SIMPLE and MUTUAL (caCertificate required) "port" : "80", // port on which service is exposed as through servicemesh, not the port it is actually running on "serviceMesh": "istio", // get it from cluster record "istio-proxy": "yes", // The features (mTLS, LB, Circuit breaking) are no avaialble to services without istio-proxy. Only inbound routing is possible. // Traffic configuration - Loadbalancing is applicable per service. The traffic to this service is distrbuted amongst the pods under it. "loadbalancingType": "ConsistenHash", // "Simple" and "consistentHash" are the two modes "loadBalancerMode": "httpCookie" // Modes for consistentHash - "httpHeaderName", "httpCookie", "useSourceIP", "minimumRingSize", Modes for simple - "LEAST_CONN", "ROUND_ROBIN", "RANDOM", "PASSTHROUGH" // choices of the mode must be explicit "httpCookie": "user1" // Name of the cookie to maitain stick sessions // Circuit Breaking "maxConnections": 10 //connection pool for tcp and http traffic "concurrenthttp2Requests": 1000 // concurent http2 requests which can be allowed "httpRequestPerConnection": 100 //number of http requests per connection. Valid only for http traffic "consecutiveErrors": 8 // Default is 5. Number of consecutive error before the host is removed from load balancing pool "baseEjectionTime" : 15 // Default is 5, time for which the host will be removed from load balancing pool when it returns error for no of times more than "consecutiveErrors" limit "intervalSweep": 5m, //time limit before the removed hosts are added back to the load balancing pool. // credentials for mTLS. Not required in this scenario since the services are in one logical cloud with common rootCA. ISTIO_MUTUAL is enabled by default. "Servicecertificate" : "" // Present actual certificate here. "ServicePrivateKey" : "" // Present actual private key here. // Access Control namespaces: [] // Workloads from this namespaces can access the inbound service } } RETURN STATUS: 201 RETURN BODY: { "name": "<name>" "Message": "inbound service created" }
Add Clients to inbound service 02
Client 01
POST - traffic intent to add clients for accessing a specific inbound service
URL: /v2/projects/{project-name}/composite-apps/{composite-app-name}/{version}/traffic-group-intent/uservice-to-uservice-intent/clients POST BODY: { "metadata": { "name": "<name>" // unique name for each intent "description": "connectivity intent add client communication" "application": "<app1>", "userdata1": <>, "userdata2": <> } spec: { "clientServiceName": "sleep", // Name of the client service "headless": "false", // default is false. Option "True" will generate the required configs for all the instances of headless service "mutualTLS" : "ISTIO_MUTUAL" , // This will be automatically set to the same value as that of the inboundservice if both the client and inboundservice are in same logical cloud } } RETURN STATUS: 201 RETURN BODY: { "name": "<name>" "Message": "Client created" }
Add Security details for client 01
WARNING - This task requires mutual TLS enabled because the following examples use principal and namespace in the policies
URL: /v2/projects/{project-name}/composite-apps/{composite-app-name}/{version}/traffic-group-intent/uservice-to-uservice-intent/clients/sleep/security/security-intent { "metadata": { "name": "<name>" // unique name for each intent "description": "Security intent" "application": "<app1>", "userdata1": <>, "userdata2": <> } spec:{ serviceAccountAccess : {[ "cluster.local/ns/default/sa/sleep": ["GET": "/static"], "cluster.local/ns/default/sa/sleep" : ["GET": "/api/v1/products"]} } } RETURN STATUS: 201 RETURN BODY: { "name": "<name>" "Message": "Security Rules created" }
Client 02
POST - traffic intent to add clients for accessing a specific inbound service
URL: /v2/projects/{project-name}/composite-apps/{composite-app-name}/{version}/traffic-group-intent/uservice-to-uservice-intent/clients POST BODY: { "metadata": { "name": "<name>" // unique name for each intent "description": "connectivity intent add client communication" "application": "<app1>", "userdata1": <>, "userdata2": <> } spec: { "clientServiceName": "bookinfo-user", // Name of the client service "headless": "false", // default is false. Option "True" will generate the required configs for all the instances of headless service "mutualTLS" : "ISTIO_MUTUAL" , // This will be automatically set to the same value as that of the inboundservice if both the client and inboundservice are in same logical cloud } } RETURN STATUS: 201 RETURN BODY: { "name": "<name>" "Message": "Client created" }
Add Security details for client 02
WARNING - This task requires mutual TLS enabled because the following examples use principal and namespace in the policies
URL: /v2/projects/{project-name}/composite-apps/{composite-app-name}/{version}/traffic-group-intent/uservice-to-uservice-intent/clients/bookinfo-user/security/security-intent { "metadata": { "name": "<name>" // unique name for each intent "description": "Security intent" "application": "<app1>", "userdata1": <>, "userdata2": <> } spec:{ serviceAccountAccess : {[ "cluster.local/ns/default/sa/sleep": ["GET": "/api/v1/products"], "cluster.local/ns/default/sa/sleep" : ["GET": "/static"]} } } RETURN STATUS: 201 RETURN BODY: { "name": "<name>" "Message": "Security Rules created" }
Generate Istio object resources
Name of the Cluster | Microservice | Istio Configuration | Comments | ||||||||||
Cluster01 |
| |||||||||||
Cluster02 | httpbin |
Cluster01 Resources
1. ServiceEntry - To enable access to httpbin
apiVersion: kind: ServiceEntry metadata: name: servicename-httpbin spec: hosts: - # template for the remote service name - <> # Treat remote cluster services as part of the service mesh # as all clusters in the service mesh share the same root of trust. location: MESH_INTERNAL ports: - name: http1 number: 8000 protocol: http resolution: DNS addresses: # the IP address to which httpbin.<namespace>.<logicalcloudname> will resolve to # must be unique for each remote service, within a given cluster. # This address need not be routable. Traffic for this IP will be captured # by the sidecar and routed appropriately. - endpoints: # This is the routable address of the istio ingress gateway in cluster02 # routed to this address. - address: ports: http1: 15443 //Sni. Do not change this
2. DestinationRule for TLS, Loadbalancing and circuit breaking - productpage
apiVersion: kind: DestinationRule metadata: name: bookinfo-productpage-dr namespace: default spec: host: "productpage.default.svc.cluster.local" trafficPolicy: tls: mode: SIMPLE loadbalancer: consistentHash: httpCookie: "user2" connectionPool: tcp: maxConnections: 10 http: http2MaxRequests: 1000 maxRequestsPerConnection: 100 outlierDetection: consecutiveErrors: 7 interval: 5m baseEjectionTime: 15m
3. AuthorizationPolicy
apiVersion: kind: AuthorizationPolicy metadata: name: deny-all namespace: default spec: selector: matchLabels: app: productpage rules: - from: - source: principals: ["", "" ] to: - operation: methods: ["GET"] paths: ["/static*"] - operation: methods: ["GET"] paths: ["/api/v1/products"]
4. DestinationRule for TLS - sleep
apiVersion: kind: DestinationRule metadata: name: sleep-dr namespace: default spec: host: "sleep.default.svc.cluster.local" trafficPolicy: tls: mode: ISTIO_MUTUAL
Cluster 02 Resources
1. ServiceEntry - To enable access to bookinfo-productpage
apiVersion: kind: ServiceEntry metadata: name: servicename-bookinfo-productpage spec: hosts: - # template for the remote service name - <> # Treat remote cluster services as part of the service mesh # as all clusters in the service mesh share the same root of trust. location: MESH_INTERNAL ports: - name: http1 number: 8000 protocol: http resolution: DNS addresses: # the IP address to which httpbin.<namespace>.<logicalcloudname> will resolve to # must be unique for each remote service, within a given cluster. # This address need not be routable. Traffic for this IP will be captured # by the sidecar and routed appropriately. - endpoints: # This is the routable address of the istio ingress gateway in cluster02 # routed to this address. - address: ports: http1: 15443 //Sni. Do not change this
2. DestinationRule (httpbin) for simple TLS, Loadbalancing and circuit breaking
apiVersion: kind: DestinationRule metadata: name: httpbin-dr namespace: default spec: host: "httpbin.default.svc.cluster.local" trafficPolicy: tls: mode: SIMPLE loadbalancer: consistentHash: httpCookie: "user1" connectionPool: tcp: maxConnections: 10 http: http2MaxRequests: 1000 maxRequestsPerConnection: 100 outlierDetection: consecutiveErrors: 7 interval: 5m baseEjectionTime: 15m
3. AuthorizationPolicy (httpbin)
apiVersion: kind: AuthorizationPolicy metadata: name: deny-all namespace: default spec: selector: matchLabels: app: httpbin rules: - from: - source: principals: ["cluster.local/ns/default/sa/sleep"] to: - operation: methods: ["GET"] paths: ["/status*"] - operation: methods: ["POST"] paths: ["/headers"]
4. DestinationRule for TLS - sleep
apiVersion: kind: DestinationRule metadata: name: sleep-dr namespace: default spec: host: "sleep.default.svc.cluster.local" trafficPolicy: tls: mode: ISTIO_MUTUAL
5. DestinationRule for TLS - bookinfo-user
apiVersion: kind: DestinationRule metadata: name: bookinfo-user-dr namespace: default spec: host: "bookinfi-user.default.svc.cluster.local" trafficPolicy: tls: mode: ISTIO_MUTUAL