...
Description: - Connect multiple microservices on multiple logical clouds deployed across multiple clusters
Diagram
| draw.io Diagram |
|---|
| border | true |
|---|
| |
|---|
| diagramName | us-to-us intent |
|---|
| simpleViewer | false |
|---|
| width | |
|---|
| links | auto |
|---|
| tbstyle | top |
|---|
| lbox | true |
|---|
| diagramWidth | 15481758 |
|---|
| revision | 57 |
|---|
|
NOTE - For this scenario, the default mesh wide policy must be set to "PERMISSIVE" on both the clusters. It will not work if the default Mesh Policy is "STRICT"
Important Info - cert-chain.pem is Envoy’s cert that needs to be presented to the other side. key.pem is Envoy’s private key paired with Envoy’s cert in cert-chain.pem. root-cert.pem is the root cert to verify the peer’s cert. In this example, we only have one Citadel in a cluster, so all Envoys have the same root-cert.pem.
Add Inbound service 01
POST - traffic intent for the inbound service (service hosted behind the cluster)
| Code Block |
|---|
| language | js |
|---|
| theme | Midnight |
|---|
| title | POST |
|---|
| linenumbers | true |
|---|
|
URL: /v2/projects/{project-name}/composite-apps/{compositeblue-app-name}/{version}/traffic-intent-set/usinbound-to-us-intents/
POST BODY:
{
"metadata": {
"name": "<>" // unique name for each intent
"description": "connectivity intent for stateless micro-service to stateless micro-service inbound communication"
"userdata1": <>,
"userdata2": <>
}
"spec": { // update the memory allocation for each field as per OpenAPI standards
"application": "<app1>",
"servicename": "httpbin" //actual name of the client service - {istioobject - serviceEntry of client's cluster}
"externalName": "httpbin.k8s.com"
"protocol": "HTTP",
"headless": "false", // default is false. Option "True" will make sure all the instances of the headless service will have access to the client service
"mutualTLS": "MUTUAL", // default is simple. Option MUTUAL will enforce mtls {istioobject - destinationRule}
"port" : "80", // port on which service is exposed as through servicemesh, not the port it is actually running on
"serviceMesh": "istio", // get it from cluster record
"istiosidecar-proxy": "yes", // The features (mTLS, LB, Circuit breaking) are not avaialbleavailable to services without istio-proxy. Only inbound routing is possible.
// Traffic configurationmanagement -fields Loadbalancingbelow isare applicablevalid peronly service.if The traffic to this service is distrbuted amongst the pods the sidecar-proxy is set to "yes"
"traffic-management-info" : {
// Traffic configuration - Loadbalancing is applicable per service. The traffic to this service is distrbuted amongst the pods under it.
"loadbalancingType": "ConsistenHash", // "Simple" and "consistentHash" are the two modes - {istioobject - destinationRule}
"loadBalancerMode": "httpCookie" // Modes for consistentHash - "httpHeaderName", "httpCookie", "useSourceIP", "minimumRingSize", Modes for simple - "LEAST_CONN", "ROUND_ROBIN", "RANDOM", "PASSTHROUGH" // choices of the mode must be explicit - {istioobject - destinationRule}
"httpCookie": "user1" // Name of the cookie to maitain sticksticky sessions - {istioobject - destinationRule}
// Circuit Breaking
"maxConnections": 10 //connection pool for tcp and http traffic - {istioobject - destinationRule}
"concurrenthttp2Requests": 1000 // concurent http2 requests which can be allowed - {istioobject - destinationRule}
"httpRequestPerConnection": 100 // number of http requests per connection. Valid only for http traffic - {istioobject - destinationRule}
"consecutiveErrors": 8 // Default is 5. Number of consecutive error before the host is removed from load balancing pool - {istioobject - destinationRule}
"baseEjectionTime" : 15 // Default is 5, time- for{istioobject which the host will be removed from load balancing pool when it returns error for no of times more than "consecutiveErrors" limit - {istioobject - destinationRule}
"intervalSweep": 5m, //time limit before - destinationRule}
"intervalSweep": 5m, //time limit before the removed hosts are added back to the load balancing pool. - {istioobject - destinationRule}
}
// credentials for mTLS.
"Servicecertificate" : "" // Present actual certificate here.
"ServicePrivateKey" : "" // Present actual private key here.
"caCertificate" : "" // present the trusted certificate to verify the client connection, Required only when mtls mode is MUTUAL
}
}
// Access Control
namespaces: [] // Workloads from this namespaces can access the inbound service - {istioobject - authorizationPolicy}
}
}
RETURN STATUS: 201
RETURN BODY:
{
RETURN STATUS: 201
RETURN BODY:
{
"name": "<name>"
"Message": "inbound service created"
} |
Add Clients to inbound service 01
POST - traffic intent to add clients for accessing a specific inbound service - NOTE - Clients will have the mTLS mode same as the inbound service
Authorization for Inbound Service 01
| Code Block |
|---|
| language | js |
|---|
| theme | Midnight |
|---|
| title | POST |
|---|
| linenumbers | true |
|---|
|
URL: |
| Code Block |
|---|
| language | js |
|---|
| theme | Midnight |
|---|
| title | POST |
|---|
| linenumbers | true |
|---|
|
URL: /v2/projects/{project-name}/composite-apps/{compositeblue-app-name}/{version}/traffic-groupintent-intentset/uservice-to-uservice-intent/clientsinbound-intents/{serviceName}/authorization-policies
POST BODY:
{
"metadata": {
"name": "<name><>" // unique name for each intent
"description": "connectivityAuthorization intentPolicy addfor clientinbound communicationservices"
"applicationuserdata1": "<app1>"<>,
"userdata1userdata2": <>,
"userdata2": <>
}}
"spec": {
"clientServiceName": "sleep", // Name of the client serviceAccess Control
"headlessnamespaces": "false",[] // defaultWorkloads isfrom false.this Optionnamespaces "True" will generatecan access the requiredinbound configsservice for- all{istioobject the instances of headless service
}
}
RETURN STATUS: - authorizationPolicy}
"serviceAccountAccess" : {[ "cluster.local/ns/<Namespace>/sa/sleep": ["GET": "/status"]} // {istioobject - authorizationPolicy, will be applied for the inbound service}
}
}
RETURN STATUS: 201
RETURN BODY:
{
"name": "<name>"
"Message": "ClientAuthorizations Policy created"
} |
Add Security detail for a client of inbound service 01
...
Client 01
POST - traffic intent to add clients for accessing a specific inbound service - NOTE - Clients will have the mTLS mode same as the inbound service
| Code Block |
|---|
| language | js |
|---|
| theme | Midnight |
|---|
| title | GETPOST |
|---|
| linenumbers | true |
|---|
|
URL: /v2/projects/{project-name}/composite-apps/{compositebrown-app-name}/{version}/traffic-group-intent/uservice-to-uservice-intent/clients/sleep/security/security-intentoutbound-intents/
POST BODY:
{
"metadata": {
"name": "<name>" // unique name for each intent
"description": "Securityconnectivity intent for outbound communication"
"application": "<app1>",
"userdata1": <>,
"userdata2": <>
}
spec: {
serviceAccountAccess "ServiceName": {[ "cluster.local/ns/default/sa/sleep": ["GET"sleep", // Name of the client service
"type": "/statusistio"]}, // {istioobjectoptions -are authorizationPolicyistio, willk8s be applied for the inbound service}
}
}
RETURN STATUS: 201
RETURN BODY:
{
"name": "<name>"
"Message": "Security Rule created"
}
|
Add another Security detail for a client of inbound service 01
...
and external
"headless": "false", // default is false. Option "True" will generate the required configs for all the instances of headless service
"targetServiceName": "httpbin.k8s.com" // FQDN expected since the client belongs to a different composite app
}
}
RETURN STATUS: 201
RETURN BODY:
{
"name": "<name>"
"Message": "Client created"
} |
Client 02
POST - traffic intent to add clients for accessing a specific inbound service - NOTE - Clients will have the mTLS mode same as the inbound service
| Code Block |
|---|
| language | js |
|---|
| theme | Midnight |
|---|
| title | GETPOST |
|---|
| linenumbers | true |
|---|
|
URL: /v2/projects/{project-name}/composite-apps/{compositeblue-app-name}/{version}/traffic-group-intent/uservice-to-uservice-intent/clients/sleep/security/security-intentoutbound-intents/
POST BODY:
{
"metadata": {
"name": "<name>" // unique name for each intent
"description": "Securityconnectivity intent add client communication"
"application": "<app1>",
"userdata1": <>,
"userdata2": <>
}
spec: {
serviceAccountAccess "clientServiceName": {"cluster.local/ns/default/sa/sleep" : ["GET"sleep", // Name of the client service
"type": "/headersistio"]}, // {istioobjectoptions -are authorizationPolicyistio, willk8s be applied for the inbound service}
}
}
RETURN STATUS: 201
RETURN BODY:
{
"name": "<name>"
"Message": "Security Rule created"
}
|
Add Inbound service 02
POST
| Code Block |
|---|
| language | js |
|---|
| theme | Midnight |
|---|
| title | POST |
|---|
| linenumbers | true |
|---|
|
URL: /v2/projects/{project-name}/composite-apps/{composite-app-name}/{version}/traffic-intent-set/us-to-us-intents/
POST BODY:
{
"metadata": {
and external
"headless": "false", // default is false. Option "True" will generate the required configs for all the instances of headless service
"targetService": "httpbin.k8s.com" // Both client and service belong to the same composite. This notation is still used for consistency
}
}
RETURN STATUS: 201
RETURN BODY:
{
"name": "<httpbin>" // unique name for each intent<name>"
"descriptionMessage": "Client created"
} |
Client 03
POST - traffic intent to add clients for accessing a specific inbound service - NOTE - Clients will have the mTLS mode same as the inbound service
| Code Block |
|---|
| language | js |
|---|
| theme | Midnight |
|---|
| title | POST |
|---|
| linenumbers | true |
|---|
|
URL: /v2/projects/{project-name}/composite-apps/brown-app/{version}/traffic-group-intent/outbound-intents/
POST BODY:
{
"metadata": {
"name": "<name>" // unique name for each intent
"description": "connectivity intent add client communication"
"application": "<app1>",
"userdata1": <>,
"userdata2": <>
}
spec: {
"clientServiceName": "onap.k8s.orgconnectivity intent for stateless micro-service to stateless micro-service communication"
"userdata1": <>,
"userdata2": <>
}
"spec": {
"application": "<app1>",
"servicename": "productpage" //actual name of the client service
"protocol": "HTTP",
"headless": "false", // defaultName isof false.the Optionclient service
"Truetype": will make sure all the instances of the headless service will have access to the client service
"mutualTLS"external", // options are istio, k8s and external
"headless": "MUTUALfalse", // default is simplefalse. Option MUTUAL will enforce mtls
"port"True" : "80", // port on which service is exposed as through servicemesh, not the port it is actually running on
"serviceMesh": "istio", // get it from cluster record
"istio-proxy": "yes", // The features (mTLS, LB, Circuit breaking) are no avaialble to services without istio-proxy. Only inbound routing is possible.
// Traffic configuration - Loadbalancing is applicable per service. The traffic to this service is distrbuted amongst the pods under it.
"loadbalancingType": "ConsistenHash", // "Simple" and "consistentHash" are the two modes
"loadBalancerMode": "httpCookie" // Modes for consistentHash - "httpHeaderName", "httpCookie", "useSourceIP", "minimumRingSize", Modes for simple - "LEAST_CONN", "ROUND_ROBIN", "RANDOM", "PASSTHROUGH" // choices of the mode must be explicit
"httpCookie": "user2" // Name of the cookie to maitain stick sessions
// Circuit Breaking
"maxConnections": 10 //connection pool for tcp and http traffic
"concurrenthttp2Requests": 1000 // concurent http2 requests which can be allowed
"httpRequestPerConnection": 100 //number of http requests per connection. Valid only for http traffic
"consecutiveErrors": 8 // Default is 5. Number of consecutive error before the host is removed from load balancing pool
"baseEjectionTime" : 15 // Default is 5, time for which the host will be removed from load balancing pool when it returns error for no of times more than "consecutiveErrors" limit
"intervalSweep": 5m, //time limit before the removed hosts are added back to the load balancing pool.
// credentials for mTLS.
"Servicecertificate" : "" // Present actual certificate here.
"ServicePrivateKey" : "" // Present actual private key here.
"caCertificate": "" // Trusted caCertificates used to verify the client
// Access Control
namespaces: [] // Workloads from this namespaces can access the inbound service
}
}
RETURN STATUS: 201
RETURN BODY:
{
"name": "<name>"
"Message": "inbound service created"
} |
Add Clients to inbound service 02
Client 01
POST - traffic intent to add clients for accessing a specific inbound service
| Code Block |
|---|
| language | js |
|---|
| theme | Midnight |
|---|
| title | POST |
|---|
| linenumbers | true |
|---|
|
URL: /v2/projects/{project-name}/composite-apps/{composite-app-name}/{version}/traffic-group-intent/uservice-to-uservice-intent/clients
POST BODY:
{
"metadata": {
"name": "<name>" // unique name for each intent
"description": "connectivity intent add client communication"
"application": "<app1>",
"userdata1": <>,
"userdata2": <>
}
spec: {
"clientServiceName": "sleep", // Name of the client service
"headless": "false", // default is false. Option "True" will generate the required configs for all the instances of headless service
}
}
RETURN STATUS: 201
RETURN BODY:
{
"name": "<name>"
"Message": "Client created"
} |
Add Security detail 01 for client 01
WARNING - This task requires mutual TLS enabled because the following examples use principal and namespace in the policies
will generate the required configs for all the instances of headless service
"targetService": "httpbin.k8s.com"
}
}
RETURN STATUS: 201
RETURN BODY:
{
"name": "<name>"
"Message": "Client created"
} |
Add Inbound service 02
POST
| Code Block |
|---|
| language | js |
|---|
| theme | Midnight |
|---|
| title | POST |
|---|
| linenumbers | true |
|---|
|
URL: /v2/projects/{project-name}/composite-apps/blue-app/{version}/traffic-intent-set/inbound-intents/
POST BODY:
{
"metadata": {
"name": "<httpbin>" // unique name for each intent
"description": "connectivity intent for stateless micro-service to stateless micro-service communication"
"userdata1": <>,
"userdata2": <>
}
"spec": {
"application": "<app1>",
"servicename": "productpage" //actual name of the client service
"externalName": "productpage.k8s.com"
"protocol": "HTTP",
"headless": "false", // default is false. Option "True" will make sure all the instances of the headless service will have access to the client service
"mutualTLS": "MUTUAL", // default is simple. Option MUTUAL will enforce mtls
"port" : "80", // port on which service is exposed as through servicemesh, not the port it is actually running on
"serviceMesh": "istio", // get it from cluster record
"sidecar-proxy": "yes", // The features (mTLS, LB, Circuit breaking) are no avaialble to services without istio-proxy. Only inbound routing is possible.
// Traffic management fields below are valid only if the sidecar-proxy is set to "yes"
traffic-management-info : {
// Traffic configuration - Loadbalancing is applicable per service. The traffic to this service is distrbuted amongst the pods under it.
"loadbalancingType": "ConsistenHash", // "Simple" and "consistentHash" are the two modes - {istioobject - destinationRule}
"loadBalancerMode": "httpCookie" // Modes for consistentHash - "httpHeaderName", "httpCookie", "useSourceIP", "minimumRingSize", Modes for simple - "LEAST_CONN", "ROUND_ROBIN", "RANDOM", "PASSTHROUGH" // choices of the mode must be explicit - {istioobject - destinationRule}
"httpCookie": "user2" // Name of the cookie to maitain sticky sessions - {istioobject - destinationRule}
// Circuit Breaking
"maxConnections": 10 //connection pool for tcp and http traffic - {istioobject - destinationRule}
"concurrenthttp2Requests": 1000 // concurent http2 requests which can be allowed - {istioobject - destinationRule}
"httpRequestPerConnection": 100 // number of http requests per connection. Valid only for http traffic - {istioobject - destinationRule}
"consecutiveErrors": 8 // Default is 5. Number of consecutive error before the host is removed - {istioobject - destinationRule}
"baseEjectionTime" : 15 // Default is 5, - {istioobject - destinationRule}
"intervalSweep": 5m, //time limit before the removed hosts are added back to the load balancing pool. - {istioobject - destinationRule}
}
// credentials for mTLS.
"Servicecertificate" : "" // Present actual certificate here.
"ServicePrivateKey" : "" // Present actual private key here.
"caCertificate": "" // Trusted caCertificates used to verify the client
// Access Control
"namespaces": [] // Workloads from this namespaces can access the inbound service |
| Code Block |
|---|
| language | js |
|---|
| theme | Midnight |
|---|
| title | GET |
|---|
| linenumbers | true |
|---|
|
URL: /v2/projects/{project-name}/composite-apps/{composite-app-name}/{version}/traffic-group-intent/uservice-to-uservice-intent/clients/sleep/security/security-intent
{
"metadata": {
"name": "<name>" // unique name for each intent
"description": "Security intent"
"application": "<app1>",
"userdata1": <>,
"userdata2": <>
}
spec:{
serviceAccountAccess : {"cluster.local/ns/default/sa/sleep": {"GET": "/static"}} // {istioobject - authorizationPolicy, will be applied for the inbound service}
}
}
RETURN STATUS: 201
RETURN BODY:
{
"name": "<name>"
"Message": "Securityinbound Ruleservice created"
}
|
Add Security detail 02 for client 01
WARNING - This task requires mutual TLS enabled because the following examples use principal and namespace in the policies
Add Authorization Policy to the inbound service
| Code Block |
|---|
|
| Code Block |
|---|
| language | js |
|---|
| theme | Midnight |
|---|
| title | GETPOST |
|---|
| linenumbers | true |
|---|
|
URL: /v2/projects/{project-name}/composite-apps/{compositeblue-app-name}/{version}/traffic-groupintent-intentset/uservice-to-uservice-intent/clients/sleep/security/security-intentinbound-intents/{serviceName}/authrization-policies
POST BODY:
{
"metadata": {
"name": "<name><httpbin>" // unique name for each intent
"description": "Security intent"
"application": "<app1>",Authorization Policy for the client"
"userdata1": <>,
"userdata2": <>
}
"spec": {
serviceAccountAccess// :Access {"Control
"namespaces": [] // Workloads from this namespaces can access the inbound service
serviceAccountAccess : {"cluster.local/ns/default/sa/sleep" : {"GET": "/api/v1/productsstatic"}} // {istioobject - authorizationPolicy, will be applied for the inbound service}
}
}
RETURN STATUS: 201
RETURN BODY:
{
"name": "<name>"
"Message": "Securityinbound Ruleservice created"
}
|
Add Clients to inbound service 02
Client
...
01
POST - traffic intent to add clients for accessing a specific inbound service
| Code Block |
|---|
| language | js |
|---|
| theme | Midnight |
|---|
| title | POST |
|---|
| linenumbers | true |
|---|
|
URL: /v2/projects/{project-name}/composite-apps/{compositebrown-app-name}/{version}/traffic-group-intent/uservice-to-uservice-intent/clients
POST BODY:
{
"metadata": {
"name": "<name>" // unique name for each intent
"description": "connectivity intent add client communication"
"application": "<app1>",
"userdata1": <>,
"userdata2": <>
}
spec: {
"clientServiceName": "bookinfo-user", // Name of the client service
"headless": "false", // default is false. Option "True" will generate the required configs for all the instances of headless service
}
}
RETURN STATUS: 201
RETURN BODY:
{
"name": "<name>"
"Message": "Client created"
} |
Add Security details for client 02
WARNING - This task requires mutual TLS enabled because the following examples use principal and namespace in the policies
| Code Block |
|---|
| language | js |
|---|
| theme | Midnight |
|---|
| title | GET |
|---|
| linenumbers | true |
|---|
|
URL: /v2/projects/{project-name}/composite-apps/{composite-app-name}/{version}/traffic-group-intent/uservice-to-uservice-intent/clients/sleep/security/security-intent
{
"metadata": {
"name": "<name>" // unique name for each intent
"description": "Security intent"
"application": "<app1>",
"userdata1": <>,
"userdata2": <>
}
spec:{
serviceAccountAccess : {"cluster.local/ns/default/sa/sleep": {"GET": "/api/v1/products"}}, // {istioobject - authorizationPolicy, will be applied for the inbound service}
}
}
RETURN STATUS: 201
RETURN BODY:
{
"name": "<name>"
"Message": "Security Rule created"
}
|
Generate Istio object resources
...
Cluster01 Resources
...
outbound-intents/httpbin/
POST BODY:
{
"metadata": {
"name": "<name>" // unique name for each intent
"description": "connectivity intent add client communication"
"application": "<app1>",
"userdata1": <>,
"userdata2": <>
}
spec: {
"clientServiceName": "sleep", // Name of the client service
"type": "istio", // options are istio, k8s and external
"headless": "false", // default is false. Option "True" will generate the required configs for all the instances of headless service
"targetService": "productpage.k8s.com"
}
}
RETURN STATUS: 201
RETURN BODY:
{
"name": "<name>"
"Message": "Client created"
} |
Client 02
POST - traffic intent to add clients for accessing a specific inbound service
| Code Block |
|---|
| language | js |
|---|
| theme | Midnight |
|---|
| title | POST |
|---|
| linenumbers | true |
|---|
|
URL: /v2/projects/{project-name}/composite-apps/brown-app/{version}/traffic-group-intent/outbound-intents/httpbin
POST BODY:
{
"metadata": {
"name": "<name>" // unique name for each intent
"description": "connectivity intent add client communication"
"application": "<app1>",
"userdata1": <>,
"userdata2": <>
}
spec: {
"clientServiceName": "bookinfo-user", // Name of the client service
"type": "istio", // options are istio, k8s and external
"headless": "false", // default is false. Option "True" will generate the required configs for all the instances of headless service
"inboundServiceName": "productpage.k8s.com"
}
}
RETURN STATUS: 201
RETURN BODY:
{
"name": "<name>"
"Message": "Client created"
} |
Generate Istio object resources
| Name of the Cluster | Microservice | Istio Configuration | Comments |
|---|
| Cluster01 |
|
| Microservice | Logicalcloud01 | Logicalcloud02 |
|---|
| Common access for httpbin | serviceEntry (httpbin) |
| | sleep | destinationRule |
| | bookinfo-productpage |
| AuthorizationPolicy, destinationRule |
|
|
| Cluster02 |
|
| Microservice | Logicalcloud01 | Logicalcloud02 |
|---|
| common access for bookinfo-productpage | serviceEntry |
| | bookinfo-user | destinationRule |
| | sleep | destinationRule |
|
|
|
Cluster01 Resources
1. ServiceEntry - To enable sleep to access to httpbin (logicalcloud01)
| Code Block |
|---|
| language | yml |
|---|
| theme | Eclipse |
|---|
| title | ServiceEntry |
|---|
| linenumbers | true |
|---|
|
apiVersion: networking.istio.io/v1alpha3
kind: ServiceEntry
metadata:
name: service-entry-httpbin
namespace: <> // namespace where the client service are deployed
spec:
hosts:
- httpbin.<namespace_of_service>.logicalcloud02 // which is the translation of "httpbin.k8s.com"
# template for the remote service name - <servicename.namespace.global>
# Treat remote cluster services as part of the service mesh
# as all clusters in the service mesh share the same root of trust.
location: MESH_INTERNAL
ports:
- name: http1
number: 8000
protocol: http
resolution: DNS
addresses:
# the IP address to which httpbin.<namespace>.<logicalcloudname> will resolve to
# must be unique for each remote service, within a given cluster.
# This address need not be routable. Traffic for this IP will be captured
# by the sidecar and routed appropriately.
- 240.0.0.2
endpoints:
# This is the routable address of the istio ingress gateway in cluster02
# routed to this address.
- address: 172.25.55.50 // IP of the istio-ingress-gateway
ports:
http1: 15443 //Sni. Do not change this
|
2. DestinationRule for TLS - sleep (logicalcloud01)
| Code Block |
|---|
| language | yml |
|---|
| theme | Eclipse |
|---|
| title | DestinationRule |
|---|
| linenumbers | true |
|---|
|
apiVersion: networking.istio.io/v1alpha3
kind: DestinationRule
metadata:
name: sleep-dr
namespace: <namespace_of_sleep>
spec:
host: "sleep"
trafficPolicy:
tls:
mode: MUTUAL
serverCertificate: /etc/certs/cert-chain.pem
privateKey: /etc/certs/key.pem
caCertificates: /etc/certs/root-cert.pem
|
3. DestinationRule for TLS, Loadbalancing and circuit breaking - productpage (logicalCloud02)
| Code Block |
|---|
| language | yml |
|---|
| theme | Eclipse |
|---|
| title | ServiceEntryDestinationRule |
|---|
| linenumbers | true |
|---|
|
apiVersion: networking.istio.io/v1alpha3
kind: ServiceEntry
metadata: DestinationRule
metadata:
name: bookinfo-productpage-dr
namespace: <namespace_of_productpage>
spec:
namehost: service-entry-httpbin"productpage"
namespacetrafficPolicy: namespace01
spec
tls:
hostsmode: MUTUAL
- httpbin.namespace02.logicalcloud02
# template for the remote service name - <servicename.namespace.global>
# Treat remote cluster services as part of the service mesh
# as all clusters in the service mesh share the same root of trust.
location: MESH_INTERNAL
ports:
- name: http1
number: 8000
protocol: http
resolution: DNS
addresses:
# the IP address to which httpbin.<namespace>.<logicalcloudname> will resolve to
# must be unique for each remote service, within a given cluster.
# This address need not be routable. Traffic for this IP will be captured
# by the sidecar and routed appropriately.
- 240.0.0.2
endpoints:
# This is the routable address of the istio ingress gateway in cluster02
# routed to this address.
- address: 172.25.55.50 // IP of the istio-ingress-gateway
ports:
http1: 15443 //Sni. Do not change this
|
2. DestinationRule for TLS - sleep (logicalcloud01)
serverCertificate: /etc/certs/cert-chain.pem
privateKey: /etc/certs/key.pem
caCertificates: /etc/certs/root-cert.pem
loadbalancer:
consistentHash:
httpCookie: "user2"
connectionPool:
tcp:
maxConnections: 10
http:
http2MaxRequests: 1000
maxRequestsPerConnection: 100
outlierDetection:
consecutiveErrors: 7
interval: 5m
baseEjectionTime: 15m
|
4. Gateway and Virtual Service resource to allow specific host headers and expose the service outside the cluster
| Code Block |
|---|
| language | yml |
|---|
| theme | Eclipse |
|---|
| title | DestinationRule |
|---|
| linenumbers | true |
|---|
|
apiVersion: networking.istio.io/v1alpha3
kind: Gateway
metadata:
name: bookinfo-gateway
namespace: namespace02
spec:
selector:
istio: ingressgateway # use Istio default gateway implementation
servers:
- port:
number: 80
name: http
protocol: HTTP
hosts:
- "*.local"
- ".*logicalcloud01"
- ".*logicalcloud02"
---
|
| Code Block |
|---|
| language | yml |
|---|
| theme | Eclipse |
|---|
| title | DestinationRule |
|---|
| linenumbers | true |
|---|
|
apiVersion: networking.istio.io/v1alpha3
kind: DestinationRuleVirtualService
metadata:
name: sleep-dr
namespace: default
spec:
host: "sleep.namespace01.svc.cluster.local"
trafficPolicyhttpbin
spec:
hosts:
- "*.local"
- ".*logicalcloud01"
- ".*logicalcloud02"
gateways:
- bookinfo-gateway
http:
- match:
- uri:
prefix: /productpage.k8s.com
route:
tls- destination:
modeport: MUTUAL
serverCertificate: /etc/certs/cert-chain.pem
number: 8000
privateKey: /etc/certs/key.pem
caCertificateshost: /etc/certs/root-cert.pem
|
...
productpage.namespace02.local
|
5. AuthorizationPolicy for bookinfo-productpage - (logicalCloud02)
| Code Block |
|---|
| language | yml |
|---|
| theme | Eclipse |
|---|
| title | DestinationRuleAuthorizationPolicy |
|---|
| linenumbers | true |
|---|
|
apiVersion: networkingsecurity.istio.io/v1alpha3v1beta1
kind: DestinationRuleAuthorizationPolicy
metadata:
name: bookinfo-productpage-dr
namespace: default
spec:
host: "productpage.namespace02.svc.cluster.local"
trafficPolicy:
tls:
mode: MUTUAL
name: deny-all
namespace: <namespace_of_prodfuct-page>
spec:
selector:
matchLabels:
app: <name_used_for_productpage>
rules:
- from:
- source:
principals: ["cluster.global/ns/default/sa/sleep", "cluster.global/ns/default/sa/bookinfo-user" ]
to:
- operation:
serverCertificate: /etc/certs/cert-chain.pem
privateKey: /etc/certs/key.pem
methods: ["GET"]
caCertificatespaths: /etc/certs/root-cert.pem["/static*"]
loadbalancer- operation:
consistentHash:
methods: ["GET"]
paths: httpCookie: "user2"
connectionPool["/api/v1/products"]
|
Cluster 02 Resources
1. ServiceEntry - To enable access to bookinfo-productpage - (logicalCloud01)
| Code Block |
|---|
| language | yml |
|---|
| theme | Eclipse |
|---|
| title | ServiceEntry |
|---|
| linenumbers | true |
|---|
|
apiVersion: networking.istio.io/v1alpha3
kind: ServiceEntry
metadata:
name: service-entry-bookinfo-productpage
namespace: tcp:
maxConnections: 10namespace01
spec:
httphosts:
- productpage.namespace01.logicalcloud01 // format is http2MaxRequests: 1000
maxRequestsPerConnection: 100
outlierDetection:
consecutiveErrors: 7
interval: 5m
baseEjectionTime: 15m
|
4. AuthorizationPolicy for bookinfo-productpage - (logicalCloud02)
| Code Block |
|---|
| language | yml |
|---|
| theme | Eclipse |
|---|
| title | AuthorizationPolicy |
|---|
| linenumbers | true |
|---|
|
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
name: deny-all
namespace: default
spec:
selector:
matchLabels:
app: <name_used_for_productpage>
rules:
- from:
- source:
principals: ["cluster.global/ns/default/sa/sleep", "cluster.global/ns/default/sa/bookinfo-user" ]
to:
- operation:
methods: ["GET"]
paths: ["/static*"]
- operation:
methods: ["GET"]<svc>.<namespace>.<logical_cluster_domain>
# template for the remote service name - <servicename.namespace.global>
# Treat remote cluster services as part of the service mesh
# as all clusters in the service mesh share the same root of trust.
location: MESH_INTERNAL
ports:
- name: http1
number: 8000
protocol: http
resolution: DNS
addresses:
# the IP address to which httpbin.<namespace>.<logicalcloudname> will resolve to
# must be unique for each remote service, within a given cluster.
# This address need not be routable. Traffic for this IP will be captured
# by the sidecar and routed appropriately.
- 240.0.0.3
endpoints:
# This is the routable address of the istio ingress gateway in cluster02
# routed to this address.
- address: 172.25.55.210
ports:
http1: 15443 paths: ["/api/v1/products"]
|
Cluster 02 Resources
...
2. DestinationRule for TLS - sleep - (logicalCloud01)
| Code Block |
|---|
| language | yml |
|---|
| theme | Eclipse |
|---|
| title | ServiceEntryDestinationRule |
|---|
| linenumbers | true |
|---|
|
apiVersion: networking.istio.io/v1alpha3
kind: ServiceEntryDestinationRule
metadata:
name: service-entry-bookinfo-productpagesleep-dr
namespace: namespace01
spec:
hostshost: "sleep"
- productpage.namespace01.logicalcloud01 // format is <svc>.<namespace>.<logical_cluster_domain>
# template for the remote service name - <servicename.namespace.global>
# Treat remote cluster services as part of the service mesh
# as all clusters in the service mesh share the same root of trust.
location: MESH_INTERNAL
ports:
- name: http1
number: 8000
protocol: http
resolution: DNS
addresses:
# the IP address to which httpbin.<namespace>.<logicalcloudname> will resolve to
# must be unique for each remote service, within a given cluster.
# This address need not be routable. Traffic for this IP will be captured
# by the sidecar and routed appropriately.
- 240.0.0.3
endpoints:
# This is the routable address of the istio ingress gateway in cluster02
# routed to this address.
- address: 172.25.55.210
ports:
http1: 15443 //Sni. Do not change this
|
2. DestinationRule for TLS - sleep - (logicalCloud01)
| Code Block |
|---|
| language | yml |
|---|
| theme | Eclipse |
|---|
| title | DestinationRule |
|---|
| linenumbers | true |
|---|
|
apiVersion: networking.istio.io/v1alpha3
kind: DestinationRule
metadata:
name: sleep-dr
namespace: namespace01
spec:
host: "sleep"
trafficPolicy:
tls:
mode: MUTUAL
serverCertificate: /etc/certs/cert-chain.pem
privateKey: /etc/certs/key.pem
caCertificates: /etc/certs/root-cert.pem
|
...
trafficPolicy:
tls:
mode: MUTUAL
serverCertificate: /etc/certs/cert-chain.pem
privateKey: /etc/certs/key.pem
caCertificates: /etc/certs/root-cert.pem
|
3. DestinationRule for bookinfo-user - (logicalCloud01)
| Code Block |
|---|
| language | yml |
|---|
| theme | Eclipse |
|---|
| title | DestinationRule |
|---|
| linenumbers | true |
|---|
|
apiVersion: networking.istio.io/v1alpha3
kind: DestinationRule
metadata:
name: sleep-dr
namespace: namespace01
spec:
host: "bookinfo-user"
trafficPolicy:
tls:
mode: MUTUAL
serverCertificate: /etc/certs/cert-chain.pem
privateKey: /etc/certs/key.pem
caCertificates: /etc/certs/root-cert.pem
|
4. DestinationRule for simple TLS, Loadbalancing and circuit breaking for httpbin - (logicalCloud02)
| Code Block |
|---|
| language | yml |
|---|
| theme | Eclipse |
|---|
| title | DestinationRule |
|---|
| linenumbers | true |
|---|
|
apiVersion: networking.istio.io/v1alpha3
kind: DestinationRule
metadata:
name: httpbin-dr
namespace: namespace02
spec:
host: "httpbin"
trafficPolicy:
tls:
mode: MUTUAL
serverCertificate: /etc/certs/cert-chain.pem
privateKey: /etc/certs/key.pem
caCertificates: /etc/certs/root-cert.pem
loadbalancer:
consistentHash:
httpCookie: "user1"
connectionPool:
tcp:
maxConnections: 10
http:
http2MaxRequests: 1000
maxRequestsPerConnection: 100
outlierDetection:
consecutiveErrors: 7
interval: 5m
baseEjectionTime: 15m
|
5. AuthorizationPolicy for httpbin - (logicalCloud02)
| Code Block |
|---|
| language | yml |
|---|
| theme | Eclipse |
|---|
| title | DestinationRuleAuthorizationPolicy |
|---|
| linenumbers | true |
|---|
|
apiVersion: networkingsecurity.istio.io/v1alpha3v1beta1
kind: DestinationRuleAuthorizationPolicy
metadata:
name: sleepdeny-drall
namespace: namespace01
spec:
host: "bookinfo-user"
trafficPolicy namespace02
spec:
tlsselector:
modematchLabels: MUTUAL
serverCertificate: /etc/certs/cert-chain.pemapp: <app_Name_of_httpbin>
rules:
- privateKey: /etc/certs/key.pemfrom:
caCertificates: /etc/certs/root-cert.pem
|
4. DestinationRule for simple TLS, Loadbalancing and circuit breaking for httpbin - (logicalCloud02)
| Code Block |
|---|
| language | yml |
|---|
| theme | Eclipse |
|---|
| title | DestinationRule |
|---|
| linenumbers | true |
|---|
|
apiVersion: networking.istio.io/v1alpha3
kind: DestinationRule
metadata:
name: httpbin-dr
namespace: namespace02
spec:
host: "httpbin"
trafficPolicy:
tls - source:
principals: ["cluster.local/ns/default/sa/sleep"]
to:
- operation:
methods: ["GET"]
paths: ["/status*"]
- operation:
mode methods: MUTUAL["GET"]
serverCertificate: /etc/certs/cert-chain.pem
privateKeypaths: /etc/certs/key.pem
caCertificates: /etc/certs/root-cert.pem["/headers"]
|
6. Gateway and Virtual Service resource to allow specific host headers and expose the service outside the cluster
| Code Block |
|---|
| language | yml |
|---|
| theme | Eclipse |
|---|
| title | DestinationRule |
|---|
| linenumbers | true |
|---|
|
apiVersion: networking.istio.io/v1alpha3
kind: Gateway
metadata:
name: httpbin-gateway
namespace: namespace02
spec:
selector
loadbalancer:
consistentHash:
httpCookie: "user1"
connectionPool:
tcp:
maxConnections: 10
http:
istio: ingressgateway # use http2MaxRequests:Istio 1000
default gateway implementation
servers:
- port:
maxRequestsPerConnection: 100
outlierDetectionnumber: 80
consecutiveErrorsname: 7http
intervalprotocol: 5mHTTP
hosts:
baseEjectionTime: 15m
|
5. AuthorizationPolicy for httpbin - (logicalCloud02)
| Code Block |
|---|
| language | yml |
|---|
| theme | Eclipse |
|---|
| title | AuthorizationPolicy |
|---|
| linenumbers | true |
|---|
|
apiVersion: security - "*.local"
- ".*logicalcloud01"
- ".*logicalcloud02"
- "onap.k8s.org"
---
apiVersion: networking.istio.io/v1beta1v1alpha3
kind: AuthorizationPolicyVirtualService
metadata:
name: deny-all
namespace: namespace02httpbin-gateway
spec:
selectorhosts:
matchLabels:
app: <app_Name_of_httpbin>
rules - "*.local"
- ".*logicalcloud01"
- ".*logicalcloud02"
- "onap.k8s.org"
gateways:
- httpbin-gateway
http:
- frommatch:
- sourceuri:
principalsprefix: ["cluster.local/ns/default/sa/sleep"]/httpbin.k8s.com
toroute:
- operationdestination:
methods: ["GET"]port:
paths: ["/status*"]
- operation: number: 8000
methodshost: ["GET"]
paths: ["/headers"]httpbin.namespace02.local
|
