Page History

...

Name of the Cluster

Microservice

Istio Configuration

Comments

Cluster01

Microservice	Logicalcloud01	Logicalcloud02
Common access for httpbin	serviceEntry (httpbin)
sleep	destinationRule
bookinfo-productpage		AuthorizationPolicy, destinationRule

Cluster02

Microservice	Logicalcloud01	Logicalcloud02
common access for bookinfo-productpage	serviceEntry
bookinfo-user	destinationRule
sleep	destinationRule

Cluster01 Resources

1. ServiceEntry - To enable sleep to access to httpbin (logicalcloud01)

Code Block

language	yml
theme	Eclipse
title	ServiceEntry
linenumbers	true

apiVersion: networking.istio.io/v1alpha3
kind: ServiceEntry
metadata:
  name: service-entry-httpbin
  namespace: <> // namespace where the client service are deployed
spec:
  hosts:
  - httpbin.<namespace_of_service>.logicalcloud02
  # template for the remote service name - <servicename.namespace.global>
  # Treat remote cluster services as part of the service mesh
  # as all clusters in the service mesh share the same root of trust.
  location: MESH_INTERNAL
  ports:
  - name: http1
    number: 8000
    protocol: http
  resolution: DNS
  addresses:
  # the IP address to which httpbin.<namespace>.<logicalcloudname> will resolve to
  # must be unique for each remote service, within a given cluster.
  # This address need not be routable. Traffic for this IP will be captured
  # by the sidecar and routed appropriately.
  - 240.0.0.2
  endpoints:
  # This is the routable address of the istio ingress gateway in cluster02
  # routed to this address.
  - address: 172.25.55.50 // IP of the istio-ingress-gateway
    ports:
      http1: 15443 //Sni. Do not change this

2. DestinationRule for TLS - sleep (logicalcloud01)

Code Block

language	yml
theme	Eclipse
title	DestinationRule
linenumbers	true

apiVersion: networking.istio.io/v1alpha3
kind: DestinationRule
metadata:
  name: sleep-dr
  namespace: <namespace_of_sleep>
spec:
  host: "sleep"
  trafficPolicy:
    tls:
      mode: MUTUAL
      serverCertificate: /etc/certs/cert-chain.pem
      privateKey: /etc/certs/key.pem
      caCertificates: /etc/certs/root-cert.pem

3. DestinationRule for TLS, Loadbalancing and circuit breaking - productpage (logicalCloud02)

Code Block

language	yml
theme	Eclipse
title	DestinationRule
linenumbers	true

apiVersion: networking.istio.io/v1alpha3
kind: DestinationRule
metadata:
  name: bookinfo-productpage-dr
  namespace: <namespace_of_productpage>
spec:
  host: "productpage"
  trafficPolicy:
    tls:
	  mode: MUTUAL
      serverCertificate: /etc/certs/cert-chain.pem
      privateKey: /etc/certs/key.pem
      caCertificates: /etc/certs/root-cert.pem
    loadbalancer:
      consistentHash:
        httpCookie: "user2"
    connectionPool:
      tcp:
        maxConnections: 10
      http:
        http2MaxRequests: 1000
        maxRequestsPerConnection: 100
    outlierDetection:
      consecutiveErrors: 7
      interval: 5m
      baseEjectionTime: 15m

4. AuthorizationPolicy for bookinfo-productpage - (logicalCloud02)

Code Block

language	yml
theme	Eclipse
title	AuthorizationPolicy
linenumbers	true

apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
 name: deny-all
 namespace: <namespace_of_prodfuct-page>
spec:
  selector:
   matchLabels:
     app: <name_used_for_productpage>
  rules:
  - from:
    - source:
        principals: ["cluster.global/ns/default/sa/sleep", "cluster.global/ns/default/sa/bookinfo-user" ]
    to:
    - operation:
        methods: ["GET"]
        paths: ["/static*"]
    - operation:
        methods: ["GET"]
        paths: ["/api/v1/products"]

Cluster 02 Resources

1. ServiceEntry - To enable access to bookinfo-productpage - (logicalCloud01)

Code Block

language	yml
theme	Eclipse
title	ServiceEntry
linenumbers	true

apiVersion: networking.istio.io/v1alpha3
kind: ServiceEntry
metadata:
  name: service-entry-bookinfo-productpage
  namespace: namespace01
spec:
  hosts:
  - productpage.namespace01.logicalcloud01 // format is <svc>.<namespace>.<logical_cluster_domain>
  # template for the remote service name - <servicename.namespace.global>
  # Treat remote cluster services as part of the service mesh
  # as all clusters in the service mesh share the same root of trust.
  location: MESH_INTERNAL
  ports:
  - name: http1
    number: 8000
    protocol: http
  resolution: DNS
  addresses:
  # the IP address to which httpbin.<namespace>.<logicalcloudname> will resolve to
  # must be unique for each remote service, within a given cluster.
  # This address need not be routable. Traffic for this IP will be captured
  # by the sidecar and routed appropriately.
  - 240.0.0.3
  endpoints:
  # This is the routable address of the istio ingress gateway in cluster02
  # routed to this address.
  - address: 172.25.55.210
    ports:
      http1: 15443 //Sni. Do not change this

2. DestinationRule for TLS - sleep - (logicalCloud01)

Code Block

language	yml
theme	Eclipse
title	DestinationRule
linenumbers	true

apiVersion: networking.istio.io/v1alpha3
kind: DestinationRule
metadata:
  name: sleep-dr
  namespace: namespace01
spec:
  host: "sleep"
  trafficPolicy:
    tls:
	  mode: MUTUAL
      serverCertificate: /etc/certs/cert-chain.pem
      privateKey: /etc/certs/key.pem
      caCertificates: /etc/certs/root-cert.pem

3. DestinationRule for bookinfo-user - (logicalCloud01)

Code Block

language	yml
theme	Eclipse
title	DestinationRule
linenumbers	true

apiVersion: networking.istio.io/v1alpha3
kind: DestinationRule
metadata:
  name: sleep-dr
  namespace: namespace01
spec:
  host: "bookinfo-user"
  trafficPolicy:
    tls:
	  mode: MUTUAL
      serverCertificate: /etc/certs/cert-chain.pem
      privateKey: /etc/certs/key.pem
      caCertificates: /etc/certs/root-cert.pem

4. DestinationRule for simple TLS, Loadbalancing and circuit breaking for httpbin - (logicalCloud02)

Code Block

language	yml
theme	Eclipse
title	DestinationRule
linenumbers	true

apiVersion: networking.istio.io/v1alpha3
kind: DestinationRule
metadata:
  name: httpbin-dr
  namespace: namespace02
spec:
  host: "httpbin"
  trafficPolicy:
    tls:
      mode: MUTUAL
	  serverCertificate: /etc/certs/cert-chain.pem
      privateKey: /etc/certs/key.pem
      caCertificates: /etc/certs/root-cert.pem
    loadbalancer:
      consistentHash:
        httpCookie: "user1"
    connectionPool:
      tcp:
        maxConnections: 10
      http:
        http2MaxRequests: 1000
        maxRequestsPerConnection: 100
    outlierDetection:
      consecutiveErrors: 7
      interval: 5m
      baseEjectionTime: 15m

5. AuthorizationPolicy for httpbin - (logicalCloud02)

Code Block

language	yml
theme	Eclipse
title	AuthorizationPolicy
linenumbers	true

apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
 name: deny-all
 namespace: namespace02
spec:
  selector:
   matchLabels:
     app: <app_Name_of_httpbin>
  rules:
  - from:
    - source:
        principals: ["cluster.local/ns/default/sa/sleep"]
    to:
    - operation:
        methods: ["GET"]
        paths: ["/status*"]
    - operation:
        methods: ["GET"]
        paths: ["/headers"]

...

Space shortcuts

Page tree

Versions Compared

Old Version 21

New Version 22

Key

Cluster01 Resources

1. ServiceEntry - To enable sleep to access to httpbin (logicalcloud01)

2. DestinationRule for TLS - sleep (logicalcloud01)

3. DestinationRule for TLS, Loadbalancing and circuit breaking - productpage (logicalCloud02)

4. AuthorizationPolicy for bookinfo-productpage - (logicalCloud02)

Cluster 02 Resources

1. ServiceEntry - To enable access to bookinfo-productpage - (logicalCloud01)

2. DestinationRule for TLS - sleep - (logicalCloud01)

3. DestinationRule for bookinfo-user - (logicalCloud01)

4. DestinationRule for simple TLS, Loadbalancing and circuit breaking for httpbin - (logicalCloud02)

5. AuthorizationPolicy for httpbin - (logicalCloud02)