...
Description: - Connect two microservices belonging to stateless applications
Diagram
| draw.io Diagram |
|---|
| border | true |
|---|
| |
|---|
| diagramName | us-to-us intent |
|---|
| simpleViewer | false |
|---|
| width | |
|---|
| links | auto |
|---|
| tbstyle | top |
|---|
| lbox | true |
|---|
| diagramWidth | 1136 |
|---|
| revision | 3 |
|---|
|
...
| Code Block |
|---|
| language | js |
|---|
| theme | Midnight |
|---|
| title | POST |
|---|
| linenumbers | true |
|---|
|
URL: /v2/projects/{project-name}/composite-apps/{composite-app-name}/{version}/traffic-intent-set/us-to-us-intents/
POST BODY:
{
"metadata": {
"name": "servicehttpbin<name>" // unique name for each intent
"description": "connectivity intent for stateless micro-service to stateless micro-service communication"
"userdata1": <>,
"userdata2": <>
}
"spec": { // update the memory allocation for each field as per OpenAPI standards
"application": "<app1>",
"servicename": "httpbin" //actual name of the client service
"protocol": "HTTP",
"headless": "false", // default is false. Option "True" will make sure all the instances of the headless service will have access to the client service
"mutualTLS": "SIMPLE", // Support 2 modes. SIMPLE, and ISTIO_MUTUAL. For external Client, it is SIMPLE and MUTUAL (caCertificate required)
"port" : "80", // port on which service is exposed as through servicemesh, not the port it is actually running on
"serviceMesh": "istio", // get it from cluster record
"istio-proxy": "yes", // The features (mTLS, LB, Circuit breaking) are limited to services without istio-proxy
// Traffic configuration - Loadbalancing is applicable per service. The traffic to this service is distrbuted amongst the pods under it.
"loadbalancingType": "ConsistenHash", // "Simple" and "consistentHash" are the two modes
"loadBalancerMode": "httpCookie" // Modes for consistentHash - "httpHeaderName", "httpCookie", "useSourceIP", "minimumRingSize", Modes for simple - "LEAST_CONN", "ROUND_ROBIN", "RANDOM", "PASSTHROUGH" // choices of the mode must be explicit
"httpCookie": "user" // Input for Hash in "ConsistenHash" LB and mode as "httpCookie" . Name of the cookie to maitain stick sessions
"httpHeadermaxConnections": "john-user"10 //connection mustpool befor filledtcp onlyand if "loadBalancerMode" is "httpHeader"http traffic
"maxConnectionshttpRequestPerConnection": 10100 //number of http requests per connection. poolValid only for tcp and http traffic
"timeOut" : 5 // in Seconds. Connection timeout for tcp and idleTimeout for http
// credentials for mTLS in "SIMPLE" mode
"Servicecertificate" : {serviceCertificate.pem} // Present actual certificate here.
"ServicePrivateKey" : {servicePrivateKey.pem} // Present actual private key here.
// Access Control
namespaces: [] // Workloads from this namespaces can access the inbound service
}
}
RETURN STATUS: 201
RETURN BODY:
{
"name": "servicehttpbin"
"Message": "Inboundinbound service created"
} |
Add Clients
...
| Code Block |
|---|
| language | js |
|---|
| theme | Midnight |
|---|
| title | POST |
|---|
| linenumbers | true |
|---|
|
URL: /v2/projects/{project-name}/composite-apps/{composite-app-name}/{version}/traffic-group-intent/uservice-to-uservice-intent/clients
POST BODY:
{
"metadata": {
"name": "<name>" // unique name for each intent
"description": "connectivity intent add client communication"
"application": "<app1>",
"userdata1": <>,
"userdata2": <>
}
spec: {
"clientServiceName": "sleep", // Name of the client service
"headless": "false", // default is false. Option "True" will generate the required configs for all the instances of headless service
"egressgateway": "true" , // Optional, default = false, All the outbound traffic from this service will flow through a dedicated egress gateway}
}
RETURN STATUS: 201
RETURN BODY:
{
"name": "sleep"
"Message": "Client created"
} |
...
| Code Block |
|---|
| language | js |
|---|
| theme | Midnight |
|---|
| title | GET |
|---|
| linenumbers | true |
|---|
|
URL: /v2/projects/{project-name}/composite-apps/{composite-app-name}/{version}/traffic-group-intent/uservice-to-uservice-intent/clients/sleep/security/security-intent
{
"metadata": {
"name": "<name>" // unique name for each intent
"description": "Security intent"
"application": "<app1>",
"userdata1": <>,
"userdata2": <>
}
spec:{
serviceAccountAccess : {[ "cluster.local/ns/default/sa/bookinfo-ratings-v2": ["GET": "/health_check"],
"cluster.local/ns/default/sa/sleep" : ["GET": "/status"]} // template [sa: portNum] for TCP traffic
}
}
RETURN STATUS: 201
RETURN BODY: 204
{
"name": "<name>"
"Message": "Security Rules created"
}
|
Generate Istio object resources
| Name of the Cluster | Microservice | Istio Configuration | Comments |
|---|
| Cluster01 | - echo
- sleep
|
| Microservice | Resource |
|---|
| common | serviceEntry (httpbin) | | echo | destinationRule for simple TLS | | sleep | destinationRule for simple TLS |
|
|
|
|
| Cluster02 | httpbin |
| Microservice | Resource |
|---|
| httpbin | destinationRule for simple TLS destinationRule for Loadbalancing AuthorizationPolicy for Access Control
|
|
|
...
| Code Block |
|---|
| language | yml |
|---|
| theme | Eclipse |
|---|
| title | ServiceEntry |
|---|
| linenumbers | true |
|---|
|
apiVersion: networking.istio.io/v1alpha3
kind: ServiceEntry
metadata:
name: servicename-httpbin
spec:
hosts:
# template for the remote service name - <servicename.namespace.global>
# Treat remote cluster services as part of the service mesh
# as all clusters in the service mesh share the same root of trust.
location: MESH_INTERNAL
ports:
- name: http1
number: 8000
protocol: http
resolution: DNS
addresses:
# the IP address to which httpbin.bar<namespace>.global<logicalcloudname> will resolve to
# must be unique for each remote service, within a given cluster.
# This address need not be routable. Traffic for this IP will be captured
# by the sidecar and routed appropriately.
- 240.0.0.2
endpoints:
# This is the routable address of the istio ingress gateway in cluster02
# routed to this address.
- address: 172.25.55.50
ports:
http1: 15443 //Sni. Do not change this
|
