...
Description: - Connect two microservices belonging to stateless applications which that are deployed on the same cluster
...
and Istio service mesh has the sidecar proxy installed with each pod of the service.
In the below diagram,
SERVER - httpbin (If TLS Mode is "SIMPLE", it will accept both traffic for tls and plain text. TLS Mode must be ISTIO_MUTUAL for talking to other istio clients. MUTUAL when talking to other external services) istio service which use different rootca
CLIENTS - sleep (TLS Mode can be "SIMPLE" (for services with no sidecars) or ISTIO_MUTUAL(services with sidecars)). MUTUAL when talking to other external services) or istio service which use different rootca
Diagram
| draw.io Diagram | ||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
Important Info - cert-chain.pem is Envoy’s cert that needs to be presented to the other side. key.pem is Envoy’s private key paired with Envoy’s cert in cert-chain.pem. root-cert.pem is the root cert to verify the peer’s cert. In this example, we only have one Citadel in a cluster, so all Envoys have the same root-cert.pem.
Add Inbound service1 01
POST - traffic intent for the inbound service (service hosted behind the cluster)
| Code Block | ||||||||
|---|---|---|---|---|---|---|---|---|
| ||||||||
URL: /v2/projects/{project-name}/composite-apps/{composite-app-name}/{version}/traffic-intent-set/us-to-us-intents/
POST BODY:
{
"metadata": {
"name": "<>" // unique name for each intent
"description": "connectivity intent for stateless micro-service to stateless micro-service communication"
"userdata1": <>,
"userdata2": <>
}
"spec": { // update the memory allocation for each field as per OpenAPI standards
"application": "<app1>",
"servicename": "httpbin" //actual name of the client service
"protocol": "HTTP",
"headless": "false", // default is false. Option "True" will make sure all the instances of the headless service will have access to the client service
"mutualTLS": "SIMPLE", // Support 4 modes. DISABLE, SIMPLE and ISTIO_MUTUAL, MUTUAL (caCertificate required)
"port" : "80", // port on which service is exposed as through servicemesh, not the port it is actually running on
"serviceMesh": "istio", // get it from cluster record
"istio-proxy": "yes", // The features (mTLS, LB, Circuit breaking) are not avaialble to services without istio-proxy. Only inbound routing is possible.
// Traffic configuration - Loadbalancing is applicable per service. The traffic to this service is distrbuted amongst the pods under it.
"loadbalancingType": "ConsistenHash", // "Simple" and "consistentHash" are the two modes
"loadBalancerMode": "httpCookie" // Modes for consistentHash - "httpHeaderName", "httpCookie", "useSourceIP", "minimumRingSize", Modes for simple - "LEAST_CONN", "ROUND_ROBIN", "RANDOM", "PASSTHROUGH" // choices of the mode must be explicit
"httpCookie": "user1" // Name of the cookie to maitain stick sessions
// Circuit Breaking
"maxConnections": 10 //connection pool for tcp and http traffic
"concurrenthttp2Requests": 1000 // concurent http2 requests which can be allowed
"httpRequestPerConnection": 100 //number of http requests per connection. Valid only for http traffic
"consecutiveErrors": 8 // Default is 5. Number of consecutive error before the host is removed from load balancing pool
"baseEjectionTime" : 15 // Default is 5, time for which the host will be removed from load balancing pool when it returns error for no of times more than "consecutiveErrors" limit
"intervalSweep": 5m, //time limit before the removed hosts are added back to the load balancing pool.
// credentials for mTLS. Not required in this scenario since the services are in one logical cloud with common rootCA. ISTIO_MUTUAL is enabled by default.
"Servicecertificate" : "" // Present actual certificate here.
"ServicePrivateKey" : "" // Present actual private key here.
// Access Control
namespaces: [] // Workloads from this namespaces can access the inbound service
}
}
RETURN STATUS: 201
RETURN BODY:
{
"name": "<name>"
"Message": "inbound service created"
} |
Add Clients to inbound service 01
POST - traffic intent to add clients for accessing a specific inbound service
...
| language | js |
|---|---|
| theme | Midnight |
| title | POST |
| linenumbers | true |
...
.
...
Add Security details for clients of inbound service 01
WARNING - This task requires mutual TLS enabled because the following examples use principal and namespace in the policies
| Code Block | ||||||||
|---|---|---|---|---|---|---|---|---|
| ||||||||
URL: /v2/projects/{project-name}/composite-apps/{composite-app-name}/{version}/traffic-group-intent/uservice-to-uservice-intent/clients/sleep/security/security-intent
{
"metadata": {
"name": "<name>" // unique name for each intent
"description": "Security intent"
"application": "<app1>",
"userdata1": <>,
"userdata2": <>
}
spec:{
serviceAccountAccess : {[ "cluster.local/ns/default/sa/sleep": ["GET": "/status"],
"cluster.local/ns/default/sa/sleep" : ["GET": "/headers"]}
}
}
RETURN STATUS: 201
RETURN BODY:
{
"name": "<name>"
"Message": "Security Rules created"
}
|
Add Inbound services 02
POST
| Code Block | ||||||||
|---|---|---|---|---|---|---|---|---|
| ||||||||
URL: /v2/projects/{project-name}/composite-apps/{composite-app-name}/{version}/traffic-intent-set/us-to-us-intents/
POST BODY:
{
"metadata": {
"name": "<>" // unique name for each intent
"description": "connectivity intent for stateless micro-service to stateless micro-service communication"
"userdata1": <>,
"userdata2": <>
}
"spec": { // update the memory allocation for each field as per OpenAPI standards
"application": "<app1>",
"servicename": "bookinfo-productpage" //actual name of the client service
"protocol": "HTTP",
"headless": "false", // default is false. Option "True" will make sure all the instances of the headless service will have access to the client service
"mutualTLS": "SIMPLE",// Support 4 modes. DISABLE, SIMPLE and ISTIO_MUTUAL, MUTUAL (caCertificate required)
"port" : "80", // port on which service is exposed as through servicemesh, not the port it is actually running on
"serviceMesh": "istio", // get it from cluster record
"istio-proxy": "yes", // The features (mTLS, LB, Circuit breaking) are no avaialble to services without istio-proxy. Only inbound routing is possible.
// Traffic configuration - Loadbalancing is applicable per service. The traffic to this service is distrbuted amongst the pods under it.
"loadbalancingType": "ConsistenHash", // "Simple" and "consistentHash" are the two modes
"loadBalancerMode": "httpCookie" // Modes for consistentHash - "httpHeaderName", "httpCookie", "useSourceIP", "minimumRingSize", Modes for simple - "LEAST_CONN", "ROUND_ROBIN", "RANDOM", "PASSTHROUGH" // choices of the mode must be explicit
"httpCookie": "user1" // Name of the cookie to maitain stick sessions
// Circuit Breaking
"maxConnections": 10 //connection pool for tcp and http traffic
"concurrenthttp2Requests": 1000 // concurent http2 requests which can be allowed
"httpRequestPerConnection": 100 //number of http requests per connection. Valid only for http traffic
"consecutiveErrors": 8 // Default is 5. Number of consecutive error before the host is removed from load balancing pool
"baseEjectionTime" : 15 // Default is 5, time for which the host will be removed from load balancing pool when it returns error for no of times more than "consecutiveErrors" limit
"intervalSweep": 5m, //time limit before the removed hosts are added back to the load balancing pool.
// credentials for mTLS. Not required in this scenario since the services are in one logical cloud with common rootCA. ISTIO_MUTUAL is enabled by default.
"Servicecertificate" : "" // Present actual certificate here.
"ServicePrivateKey" : "" // Present actual private key here.
// Access Control
namespaces: [] // Workloads from this namespaces can access the inbound service
}
}
RETURN STATUS: 201
RETURN BODY:
{
"name": "<name>"
"Message": "inbound service created"
} |
Add Clients to inbound service 02
Client 01
POST - traffic intent to add clients for accessing a specific inbound service
| Code Block | ||||||||
|---|---|---|---|---|---|---|---|---|
| ||||||||
URL: /v2/projects/{project-name}/composite-apps/{composite-app-name}/{version}/traffic-group-intent/uservice-to-uservice-intent/clients
POST BODY:
{
"metadata": {
"name": "<name>" // unique name for each intent
"description": "connectivity intent add client communication"
"application": "<app1>",
"userdata1": <>,
"userdata2": <>
}
spec: {
"clientServiceName": "bookinfo-user", // Name of the client service
"headless": "false", // default is false. Option "True" will generate the required configs for all the instances of headless service
}
}
RETURN STATUS: 201
RETURN BODY:
{
"name": "<name>"
"Message": "Client created"
} |
Add Security details for client 01
WARNING - This task requires mutual TLS enabled because the following examples use principal and namespace in the policies
| Code Block | ||||||||
|---|---|---|---|---|---|---|---|---|
| ||||||||
URL: /v2/projects/{project-name}/composite-apps/{composite-app-name}/{version}/traffic-group-intent/uservice-to-uservice-intent/clients/sleep/security/security-intent
{
"metadata": {
"name": "<name>" // unique name for each intent
"description": "Security intent"
"application": "<app1>",
"userdata1": <>,
"userdata2": <>
}
spec:{
serviceAccountAccess : {[ "cluster.local/ns/default/sa/sleep": ["GET": "/static"],
"cluster.local/ns/default/sa/sleep" : ["GET": "/api/v1/products"]}
}
}
RETURN STATUS: 201
RETURN BODY:
{
"name": "<name>"
"Message": "Security Rules created"
}
|
Generate Istio object resources
...
- httpbin
- sleep
- bookinfo-productpage
- bookinfo-user
| Microservice | Resource |
|---|---|
| httpbin | destinationRule for simple TLS, Loadbalancing and circuit breaking AuthorizationPolicy for Access Control |
| sleep | destinationRule for TLS |
| bookinfo-productpage | destinationRule for simple TLS, Loadbalancing and circuit breaking AuthorizationPolicy for Access Control |
| bookinfo-user | destinationRule for TLS |
Cluster01 Resources
1. DestinationRule for TLS, Loadbalancing and circuit breaking - productpage
| Code Block | ||||||||
|---|---|---|---|---|---|---|---|---|
| ||||||||
apiVersion: networking.istio.io/v1alpha3
kind: DestinationRule
metadata:
name: bookinfo-productpage-dr
namespace: default
spec:
host: "productpage.default.svc.cluster.local"
trafficPolicy:
tls:
mode: ISTIO_MUTUAL
loadbalancer:
consistentHash:
httpCookie: "user2"
connectionPool:
tcp:
maxConnections: 10
http:
http2MaxRequests: 1000
maxRequestsPerConnection: 100
outlierDetection:
consecutiveErrors: 7
interval: 5m
baseEjectionTime: 15m
|
2. AuthorizationPolicy
| Code Block | ||||||||
|---|---|---|---|---|---|---|---|---|
| ||||||||
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
name: deny-all
namespace: default
spec:
selector:
matchLabels:
app: productpage
rules:
- from:
- source:
principals: ["cluster.global/ns/default/sa/sleep", "cluster.global/ns/default/sa/bookinfo-user" ]
to:
- operation:
methods: ["GET"]
paths: ["/static*"]
- operation:
methods: ["GET"]
paths: ["/api/v1/products"]
|
3. DestinationRule for TLS - bookinfo-user
| Code Block | ||||||||
|---|---|---|---|---|---|---|---|---|
| ||||||||
apiVersion: networking.istio.io/v1alpha3
kind: DestinationRule
metadata:
name: bookinfo-user
namespace: default
spec:
host: "bookinfo-user.default.svc.cluster.local"
trafficPolicy:
tls:
mode: ISTIO_MUTUAL
|
4. DestinationRule (httpbin) for simple TLS, Loadbalancing and circuit breaking
| Code Block | ||||||||
|---|---|---|---|---|---|---|---|---|
| ||||||||
apiVersion: networking.istio.io/v1alpha3
kind: DestinationRule
metadata:
name: httpbin-dr
namespace: default
spec:
host: "httpbin.default.svc.cluster.local"
trafficPolicy:
tls:
mode: ISTIO_MUTUAL
loadbalancer:
consistentHash:
httpCookie: "user1"
connectionPool:
tcp:
maxConnections: 10
http:
http2MaxRequests: 1000
maxRequestsPerConnection: 100
outlierDetection:
consecutiveErrors: 7
interval: 5m
baseEjectionTime: 15m
|
5. AuthorizationPolicy
| Code Block | ||||||||
|---|---|---|---|---|---|---|---|---|
| ||||||||
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
name: deny-all
namespace: default
spec:
selector:
matchLabels:
app: httpbin
rules:
- from:
- source:
principals: ["cluster.local/ns/default/sa/sleep"]
to:
- operation:
methods: ["GET"]
paths: ["/status*"]
- operation:
methods: ["POST"]
paths: ["/headers"]
|
6. DestinationRule for TLS - sleep
...
| language | yml |
|---|---|
| theme | Eclipse |
| title | DestinationRule |
| linenumbers | true |
...