...
Name of the Cluster | Microservice | Istio Configuration | Comments
---|---|---|---
Cluster01 | | |
Cluster02 | | |
Cluster01 Resources
1. ServiceEntry - To enable sleep to access httpbin (logicalcloud01)

```yaml
apiVersion: networking.istio.io/v1alpha3
kind: ServiceEntry
metadata:
  name: service-entry-httpbin
  namespace: <>   # namespace where the client service is deployed
spec:
  hosts:
  # template for the remote service name - <servicename.namespace.global>
  - httpbin.<namespace_of_service>.logicalcloud02
  # Treat remote cluster services as part of the service mesh
  # as all clusters in the service mesh share the same root of trust.
  location: MESH_INTERNAL
  ports:
  - name: http1
    number: 8000
    protocol: http
  resolution: DNS
  addresses:
  # the IP address to which httpbin.<namespace>.<logicalcloudname> will resolve to
  # must be unique for each remote service, within a given cluster.
  # This address need not be routable. Traffic for this IP will be captured
  # by the sidecar and routed appropriately.
  - 240.0.0.2
  endpoints:
  # This is the routable address of the istio ingress gateway in cluster02
  # routed to this address.
  - address: 172.25.55.50   # IP of the istio-ingress-gateway
    ports:
      http1: 15443   # SNI port of the gateway. Do not change this
```
2. DestinationRule for TLS - sleep (logicalcloud01)
```yaml
apiVersion: networking.istio.io/v1alpha3
kind: DestinationRule
metadata:
  name: sleep-dr
  namespace: <namespace_of_sleep>
spec:
  host: "sleep"
  trafficPolicy:
    tls:
      # MUTUAL with explicit paths: the sidecar must have these files mounted
      # (ISTIO_MUTUAL would use the Istio-managed workload certificate instead)
      mode: MUTUAL
      serverCertificate: /etc/certs/cert-chain.pem
      privateKey: /etc/certs/key.pem
      caCertificates: /etc/certs/root-cert.pem
```
3. DestinationRule for TLS, Loadbalancing and circuit breaking - productpage (logicalCloud02)
```yaml
apiVersion: networking.istio.io/v1alpha3
kind: DestinationRule
metadata:
  name: bookinfo-productpage-dr
  namespace: <namespace_of_productpage>
spec:
  host: "productpage"
  trafficPolicy:
    tls:
      mode: MUTUAL
      serverCertificate: /etc/certs/cert-chain.pem
      privateKey: /etc/certs/key.pem
      caCertificates: /etc/certs/root-cert.pem
    loadBalancer:
      consistentHash:
        httpCookie:
          name: "user2"
          ttl: 0s   # ttl is required by the API; 0s (session cookie) is assumed here
    connectionPool:
      tcp:
        maxConnections: 10
      http:
        http2MaxRequests: 1000
        maxRequestsPerConnection: 100
    outlierDetection:
      consecutiveErrors: 7
      interval: 5m
      baseEjectionTime: 15m
```
4. AuthorizationPolicy for bookinfo-productpage - (logicalCloud02)
```yaml
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: deny-all
  namespace: <namespace_of_productpage>
spec:
  selector:
    matchLabels:
      app: <name_used_for_productpage>
  # default action is ALLOW: only the listed principals may call the listed
  # paths; every other request to this workload is denied
  rules:
  - from:
    - source:
        principals: ["cluster.global/ns/default/sa/sleep", "cluster.global/ns/default/sa/bookinfo-user"]
    to:
    - operation:
        methods: ["GET"]
        paths: ["/static*"]
    - operation:
        methods: ["GET"]
        paths: ["/api/v1/products"]
```
Cluster02 Resources
1. ServiceEntry - To enable access to bookinfo-productpage - (logicalCloud01)
```yaml
apiVersion: networking.istio.io/v1alpha3
kind: ServiceEntry
metadata:
  name: service-entry-bookinfo-productpage
  namespace: namespace01
spec:
  hosts:
  # format is <svc>.<namespace>.<logical_cluster_domain>
  # template for the remote service name - <servicename.namespace.global>
  - productpage.namespace01.logicalcloud01
  # Treat remote cluster services as part of the service mesh
  # as all clusters in the service mesh share the same root of trust.
  location: MESH_INTERNAL
  ports:
  - name: http1
    number: 8000
    protocol: http
  resolution: DNS
  addresses:
  # the IP address to which productpage.<namespace>.<logicalcloudname> will resolve to
  # must be unique for each remote service, within a given cluster.
  # This address need not be routable. Traffic for this IP will be captured
  # by the sidecar and routed appropriately.
  - 240.0.0.3
  endpoints:
  # This is the routable address of the istio ingress gateway in the remote cluster
  # routed to this address.
  - address: 172.25.55.210
    ports:
      http1: 15443   # SNI port of the gateway. Do not change this
```
2. DestinationRule for TLS - sleep - (logicalCloud01)
```yaml
apiVersion: networking.istio.io/v1alpha3
kind: DestinationRule
metadata:
  name: sleep-dr
  namespace: namespace01
spec:
  host: "sleep"
  trafficPolicy:
    tls:
      mode: MUTUAL
      serverCertificate: /etc/certs/cert-chain.pem
      privateKey: /etc/certs/key.pem
      caCertificates: /etc/certs/root-cert.pem
```
3. DestinationRule for bookinfo-user - (logicalCloud01)
```yaml
apiVersion: networking.istio.io/v1alpha3
kind: DestinationRule
metadata:
  # must differ from the sleep DestinationRule in the same namespace,
  # otherwise applying this one overwrites sleep-dr
  name: bookinfo-user-dr
  namespace: namespace01
spec:
  host: "bookinfo-user"
  trafficPolicy:
    tls:
      mode: MUTUAL
      serverCertificate: /etc/certs/cert-chain.pem
      privateKey: /etc/certs/key.pem
      caCertificates: /etc/certs/root-cert.pem
```
4. DestinationRule for simple TLS, Loadbalancing and circuit breaking for httpbin - (logicalCloud02)
```yaml
apiVersion: networking.istio.io/v1alpha3
kind: DestinationRule
metadata:
  name: httpbin-dr
  namespace: namespace02
spec:
  host: "httpbin"
  trafficPolicy:
    tls:
      mode: MUTUAL
      serverCertificate: /etc/certs/cert-chain.pem
      privateKey: /etc/certs/key.pem
      caCertificates: /etc/certs/root-cert.pem
    loadBalancer:
      consistentHash:
        httpCookie:
          name: "user1"
          ttl: 0s   # ttl is required by the API; 0s (session cookie) is assumed here
    connectionPool:
      tcp:
        maxConnections: 10
      http:
        http2MaxRequests: 1000
        maxRequestsPerConnection: 100
    outlierDetection:
      consecutiveErrors: 7
      interval: 5m
      baseEjectionTime: 15m
```
5. AuthorizationPolicy for httpbin - (logicalCloud02)
```yaml
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: deny-all
  namespace: namespace02
spec:
  selector:
    matchLabels:
      app: <app_Name_of_httpbin>
  rules:
  - from:
    - source:
        principals: ["cluster.local/ns/default/sa/sleep"]
    to:
    - operation:
        methods: ["GET"]
        paths: ["/status*"]
    - operation:
        methods: ["GET"]
        paths: ["/headers"]
```
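A pre-apply check for the properties the resources on this page depend on (unique resource names, mTLS on every DestinationRule, principals on every ALLOW rule, unique ServiceEntry VIPs and the 15443 SNI port), written as an added example rather than code from the page; manifests are plain dicts as a YAML loader would return them, and the sample input is constructed from the Cluster02 resources above, including the page's duplicated `sleep-dr` name.

```python
def lint_istio(manifests):
    """Return a list of finding strings; an empty list means every check passed."""
    findings, seen_ids, seen_addrs = [], set(), {}
    for m in manifests:
        kind, md, spec = m.get("kind"), m.get("metadata", {}), m.get("spec", {})
        name, ns = md.get("name"), md.get("namespace")
        # Same kind/namespace/name: the second apply silently overwrites the first.
        if (kind, ns, name) in seen_ids:
            findings.append(f"duplicate {kind} {ns}/{name}")
        seen_ids.add((kind, ns, name))
        if kind == "DestinationRule":
            mode = spec.get("trafficPolicy", {}).get("tls", {}).get("mode")
            # Only MUTUAL / ISTIO_MUTUAL make the client present a workload certificate.
            if mode not in ("MUTUAL", "ISTIO_MUTUAL"):
                findings.append(f"{name}: host {spec.get('host')} not using mTLS")
        elif kind == "AuthorizationPolicy" and spec.get("action", "ALLOW") == "ALLOW":
            for i, rule in enumerate(spec.get("rules", [])):
                principals = [p for src in rule.get("from", [])
                              for p in src.get("source", {}).get("principals", [])]
                # An ALLOW rule with no principals admits unauthenticated callers too.
                if not principals:
                    findings.append(f"{name}: rule {i} has no source principals")
        elif kind == "ServiceEntry":
            for addr in spec.get("addresses", []):
                # The non-routable VIP must be unique per remote service within a cluster.
                if addr in seen_addrs:
                    findings.append(f"{name}: address {addr} already used by {seen_addrs[addr]}")
                seen_addrs[addr] = name
            for ep in spec.get("endpoints", []):
                # Cross-cluster traffic must reach the remote ingress gateway on the SNI port.
                if ep.get("ports", {}).get("http1") != 15443:
                    findings.append(f"{name}: endpoint {ep.get('address')} not on port 15443")
    return findings

def dr(name, host, ns="namespace01", mode="MUTUAL"):
    # Minimal DestinationRule dict; helper for the constructed sample below.
    return {"kind": "DestinationRule", "metadata": {"name": name, "namespace": ns},
            "spec": {"host": host, "trafficPolicy": {"tls": {"mode": mode}}}}

# Constructed from the page's Cluster02 resources, including its duplicated 'sleep-dr'.
CLUSTER02_MANIFESTS = [
    {"kind": "ServiceEntry", "metadata": {"name": "service-entry-bookinfo-productpage",
     "namespace": "namespace01"}, "spec": {"hosts": ["productpage.namespace01.logicalcloud01"],
     "addresses": ["240.0.0.3"], "endpoints": [{"address": "172.25.55.210", "ports": {"http1": 15443}}]}},
    dr("sleep-dr", "sleep"), dr("sleep-dr", "bookinfo-user"), dr("httpbin-dr", "httpbin", ns="namespace02"),
    {"kind": "AuthorizationPolicy", "metadata": {"name": "deny-all", "namespace": "namespace02"},
     "spec": {"rules": [{"from": [{"source": {"principals": ["cluster.local/ns/default/sa/sleep"]}}],
                         "to": [{"operation": {"methods": ["GET"], "paths": ["/status*"]}}]}]}},
]
```

Running `lint_istio(CLUSTER02_MANIFESTS)` reports only the duplicate DestinationRule name, which is the collision the second `sleep-dr` block above would cause on apply.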
...