...
draw.io Diagram |
---|
border | true |
---|
| |
---|
diagramName | us-to-us intent |
---|
simpleViewer | false |
---|
width | |
---|
links | auto |
---|
tbstyle | top |
---|
lbox | true |
---|
diagramWidth | 16881758 |
---|
revision | 67 |
---|
|
NOTE - For this scenario, the default mesh wide policy must be set to "PERMISSIVE" on both the clusters. It will not work if the default Mesh Policy is "STRICT"
...
Code Block |
---|
language | js |
---|
theme | Midnight |
---|
title | POST |
---|
linenumbers | true |
---|
|
URL: /v2/projects/{project-name}/composite-apps/blue-app/{version}/traffic-intent-set/inbound-intents/
POST BODY:
{
"metadata": {
"name": "<>" // unique name for each intent
"description": "connectivity intent for inbound communication"
"userdata1": <>,
"userdata2": <>
}
"spec": { // update the memory allocation for each field as per OpenAPI standards
"application": "<app1>",
"servicename": "httpbin" //actual name of the client service - {istioobject - serviceEntry of client's cluster}
"externalName": "httpbin.k8s.com"
"protocol": "HTTP",
"headless": "false", // default is false. Option "True" will make sure all the instances of the headless service will have access to the client service
"mutualTLS": "MUTUAL", // default is simple. Option MUTUAL will enforce mtls {istioobject - destinationRule}
"port" : "80", // port on which service is exposed as through servicemesh, not the port it is actually running on
"serviceMesh": "istio", // get it from cluster record
"sidecar-proxy": "yes", // The features (mTLS, LB, Circuit breaking) are not available to services without istio-proxy. Only inbound routing is possible.
// Traffic management fields below are valid only if the sidecar-proxy is set to "yes"
"traffic-management-info" : {
// Traffic configuration - Loadbalancing is applicable per service. The traffic to this service is distrbuted amongst the pods under it.
"loadbalancingType": "ConsistenHash", // "Simple" and "consistentHash" are the two modes - {istioobject - destinationRule}
"loadBalancerMode": "httpCookie" // Modes for consistentHash - "httpHeaderName", "httpCookie", "useSourceIP", "minimumRingSize", Modes for simple - "LEAST_CONN", "ROUND_ROBIN", "RANDOM", "PASSTHROUGH" // choices of the mode must be explicit - {istioobject - destinationRule}
"httpCookie": "user1" // Name of the cookie to maitain sticky sessions - {istioobject - destinationRule}
// Circuit Breaking
"maxConnections": 10 //connection pool for tcp and http traffic - {istioobject - destinationRule}
"concurrenthttp2Requests": 1000 // concurent http2 requests which can be allowed - {istioobject - destinationRule}
"httpRequestPerConnection": 100 // number of http requests per connection. Valid only for http traffic - {istioobject - destinationRule}
"consecutiveErrors": 8 // Default is 5. Number of consecutive error before the host is removed - {istioobject - destinationRule}
"baseEjectionTime" : 15 // Default is 5, - {istioobject - destinationRule}
"intervalSweep": 5m, //time limit before the removed hosts are added back to the load balancing pool. - {istioobject - destinationRule}
}
// credentials for mTLS.
"Servicecertificate" : "" // Present actual certificate here.
"ServicePrivateKey" : "" // Present actual private key here.
"caCertificate" : "" // present the trusted certificate to verify the client connection, Required only when mtls mode is MUTUAL
}
}
// Access Control
namespaces: [] // Workloads from this namespaces can access the inbound service - {istioobject - authorizationPolicy}
serviceAccountAccess : {[ "cluster.local/ns/<Namespace>/sa/sleep": ["GET": "/status"]} // {istioobject - authorizationPolicy, will be applied for the inbound service}
}
}
RETURN STATUS: 201
RETURN BODY:
{
"name": "<name>"
"Message": "inbound service created"
} |
Client 01
POST - traffic intent to add clients for accessing a specific inbound service - NOTE - Clients will have the mTLS mode same as the inbound service
RETURN STATUS: 201
RETURN BODY:
{
"name": "<name>"
"Message": "inbound service created"
} |
Authorization for Inbound Service 01
Code Block |
---|
Code Block |
---|
language | js |
---|
theme | Midnight |
---|
title | POST |
---|
linenumbers | true |
---|
|
URL: /v2/projects/{project-name}/composite-apps/brownblue-app/{version}/traffic-groupintent-intentset/outboundinbound-intents/{serviceName}/authorization-policies
POST BODY:
{
"metadata": {
"name": "<name><>" // unique name for each intent
"description": "connectivityAuthorization intentPolicy for outbound communication"
"application": "<app1>",inbound services"
"userdata1": <>,
"userdata2": <>
}
"spec": {
// Access Control
"clientServiceNamenamespaces": "sleep",[] // NameWorkloads offrom thethis client service
"type": "istio", // options are istio, k8s and external
"inboundServiceName": "httpbin.namespace02.logicalcloud02"
"headless": "false", // default is false. Option "True" will generate the required configs for all the instances of headless service
namespaces can access the inbound service - {istioobject - authorizationPolicy}
"serviceAccountAccess" : {[ "cluster.local/ns/<Namespace>/sa/sleep": ["GET": "/status"]} // {istioobject - authorizationPolicy, will be applied for the inbound service}
}
}
RETURN STATUS: 201
RETURN BODY:
{
"name": "<name>"
"Message": "ClientAuthorizations Policy created"
} |
Client
...
01
POST - traffic intent to add clients for accessing a specific inbound service - NOTE - Clients will have the mTLS mode same as the inbound service
Code Block |
---|
language | js |
---|
theme | Midnight |
---|
title | POST |
---|
linenumbers | true |
---|
|
URL: /v2/projects/{project-name}/composite-apps/bluebrown-app/{version}/traffic-group-intent/outbound-intents/
POST BODY:
{
"metadata": {
"name": "<name>" // unique name for each intent
"description": "connectivity intent addfor clientoutbound communication"
"application": "<app1>",
"userdata1": <>,
"userdata2": <>
}
spec: {
"clientServiceNameServiceName": "sleep", // Name of the client service
"type": "istio", // options are istio, k8s and external
"inboundServiceName": "httpbin"
"headless": "false", // default is false. Option "True" will generate the required configs for all the instances of headless service
"targetServiceName": "httpbin.k8s.com" // FQDN expected since the client belongs to a different composite app
}
}
RETURN STATUS: 201
RETURN BODY:
{
"name": "<name>"
"Message": "Client created"
} |
Client
...
02
POST - traffic intent to add clients for accessing a specific inbound service - NOTE - Clients will have the mTLS mode same as the inbound service
Code Block |
---|
language | js |
---|
theme | Midnight |
---|
title | POST |
---|
linenumbers | true |
---|
|
URL: /v2/projects/{project-name}/composite-apps/brownblue-app/{version}/traffic-group-intent/outbound-intents/
POST BODY:
{
"metadata": {
"name": "<name>" // unique name for each intent
"description": "connectivity intent add client communication"
"application": "<app1>",
"userdata1": <>,
"userdata2": <>
}
spec: {
"clientServiceName": "onap.k8s.orgsleep", // Name of the client service
"type": "externalistio", // options are istio, k8s and external
"inboundServiceName": "httpbin.namespace02.logicalcloud02"
"headless": "false", // default is false. Option "True" will generate the required configs for all the instances of headless service
"targetService": "httpbin.k8s.com" // Both client and service belong to the same composite. This notation is still used for consistency
}
}
RETURN STATUS: 201
RETURN BODY:
{
"name": "<name>"
"Message": "Client created"
} |
Add Inbound service 02
POST
Client 03
POST - traffic intent to add clients for accessing a specific inbound service - NOTE - Clients will have the mTLS mode same as the inbound service
Code Blockcode |
---|
language | js |
---|
theme | Midnight |
---|
title | POST |
---|
linenumbers | true |
---|
|
URL: /v2/projects/{project-name}/composite-apps/bluebrown-app/{version}/traffic-group-intent-set/inboundoutbound-intents/
POST BODY:
{
"metadata": {
"name": "<httpbin><name>" // unique name for each intent
"description": "connectivity intent foradd stateless micro-service to stateless micro-service communication"client communication"
"application": "<app1>",
"userdata1": <>,
"userdata2": <>
}
"spec": {
"applicationclientServiceName": "<app1>onap.k8s.org",
"servicename": "productpage" //actual nameName of the client service
"protocoltype": "HTTP",
external", // options are istio, k8s and external
"headless": "false", // default is false. Option "True" will make sure generate the required configs for all the instances of the headless service will have access to the client service
"mutualTLS
"targetService": "httpbin.k8s.com"
}
}
RETURN STATUS: 201
RETURN BODY:
{
"name": "MUTUAL<name>",
// default is simple. Option MUTUAL will enforce mtls
"port" "Message": "Client created"
} |
Add Inbound service 02
POST
Code Block |
---|
language | js |
---|
theme | Midnight |
---|
title | POST |
---|
linenumbers | true |
---|
|
URL: /v2/projects/{project-name}/composite-apps/blue-app/{version}/traffic-intent-set/inbound-intents/
POST BODY:
{
"metadata": {
"name": "<httpbin>" // unique name for each intent
"description": "connectivity intent for stateless micro-service to stateless micro-service communication"
"userdata1": <>,
"userdata2": <>
}
"spec": {
"application": "<app1>",
"servicename": "productpage" //actual name of the client service
"externalName": "productpage.k8s.com"
"protocol": "HTTP",
"headless": "false", // default is false. Option "True" will make sure all the instances of the headless service will have access to the client service
"mutualTLS": "MUTUAL", // default is simple. Option MUTUAL will enforce mtls
"port" : "80", // port on which service is exposed as through servicemesh, not the port it is actually running on
"serviceMesh": "istio", // get it from cluster record
"sidecar-proxy": "yes", // The features (mTLS, LB, Circuit breaking) are no avaialble to services without istio-proxy. Only inbound routing is possible.
// Traffic management fields below are valid only if the sidecar-proxy is set to "yes"
traffic-management-info : {
// Traffic configuration - Loadbalancing is applicable per service. The traffic to this service is distrbuted amongst the pods under it.
"loadbalancingType": "ConsistenHash", // "Simple" and "consistentHash" are the two modes80", // port on which service is exposed as through servicemesh, not the port it is actually running on
"serviceMesh": "istio", // get it from cluster record
"sidecar-proxy": "yes", // The features (mTLS, LB, Circuit breaking) are no avaialble to services without istio-proxy. Only inbound routing is possible.
// Traffic management fields below are valid only if the sidecar-proxy is set to "yes"
traffic-management-info : {
// Traffic configuration - Loadbalancing is applicable per service. The traffic to this service is distrbuted amongst the pods under it.
"loadbalancingType": "ConsistenHash", // "Simple" and "consistentHash" are the two modes - {istioobject - destinationRule}
"loadBalancerMode": "httpCookie" // Modes for consistentHash - "httpHeaderName", "httpCookie", "useSourceIP", "minimumRingSize", Modes for simple - "LEAST_CONN", "ROUND_ROBIN", "RANDOM", "PASSTHROUGH" // choices of the mode must be explicit - {istioobject - destinationRule}
"httpCookie": "user2" // Name of the cookie to maitain sticky sessions - {istioobject - destinationRule}
// Circuit Breaking
"maxConnections": 10 //connection pool for tcp and http traffic - {istioobject - destinationRule}
"concurrenthttp2Requests": 1000 // concurent http2 requests which can be allowed - {istioobject - destinationRule}
"httpRequestPerConnectionloadBalancerMode": 100"httpCookie" // Modes numberfor ofconsistentHash http requests per connection. Valid only for http traffic - {istioobject - destinationRule}
"consecutiveErrors": 8 // Default is 5. Number of consecutive error before the host is removed - "httpHeaderName", "httpCookie", "useSourceIP", "minimumRingSize", Modes for simple - "LEAST_CONN", "ROUND_ROBIN", "RANDOM", "PASSTHROUGH" // choices of the mode must be explicit - {istioobject - destinationRule}
"baseEjectionTimehttpCookie" : 15"user2" // Default is 5, Name of the cookie to maitain sticky sessions - {istioobject - destinationRule}
"intervalSweep// Circuit Breaking
"maxConnections": 5m,10 //timeconnection limitpool beforefor thetcp removedand hosts are added back to the load balancing pool.http traffic - {istioobject - destinationRule}
}
"concurrenthttp2Requests": 1000 // credentialsconcurent http2 for mTLS.
"Servicecertificate" : "" // Present actual certificate here.
"ServicePrivateKey" : ""requests which can be allowed - {istioobject - destinationRule}
"httpRequestPerConnection": 100 // Presentnumber actualof privatehttp keyrequests here.per connection. Valid only for http traffic - {istioobject - destinationRule}
"caCertificateconsecutiveErrors": ""8 // Trusted caCertificates used to verify the client
// Access Control
namespaces: [] // Workloads from this namespaces can access the inbound service
serviceAccountAccess : {"cluster.local/ns/default/sa/sleep": {"GET": "/static"}} // {istioobject - authorizationPolicy, will be applied for the inbound service Default is 5. Number of consecutive error before the host is removed - {istioobject - destinationRule}
"baseEjectionTime" : 15 // Default is 5, - {istioobject - destinationRule}
"intervalSweep": 5m, //time limit before the removed hosts are added back to the load balancing pool. - {istioobject - destinationRule}
}
}
RETURN STATUS: 201
RETURN BODY:
{
"name": "<name>"
"Message": "inbound service created"
} |
Add Clients to inbound service 02
Client 01
POST - traffic intent to add clients for accessing a specific inbound service
Code Block |
---|
language | js |
---|
theme | Midnight |
---|
title | POST |
---|
linenumbers | true |
---|
|
URL: /v2/projects/{project-name}/composite-apps/brown-app/{version}/traffic-group-intent/outbound-intents/httpbin/
POST BODY:
{
"metadata": {
// credentials for mTLS.
"Servicecertificate" : "" // Present actual certificate here.
"ServicePrivateKey" : "" // Present actual private key here.
"caCertificate": "" // Trusted caCertificates used to verify the client
// Access Control
"namespaces": [] // Workloads from this namespaces can access the inbound service
serviceAccountAccess : {"cluster.local/ns/default/sa/sleep": {"GET": "/static"}} // {istioobject - authorizationPolicy, will be applied for the inbound service}
}
}
RETURN STATUS: 201
RETURN BODY:
{
"name": "<name>"
"Message": "inbound service created"
} |
Add Authorization Policy to the inbound service
Code Block |
---|
language | js |
---|
theme | Midnight |
---|
title | POST |
---|
linenumbers | true |
---|
|
URL: /v2/projects/{project-name}/composite-apps/blue-app/{version}/traffic-intent-set/inbound-intents/{serviceName}/authrization-policies
POST BODY:
{
"metadata": {
"name": "<httpbin>" // unique name for each intent
"description": "Authorization Policy for the client"// unique name for each intent
"description": "connectivity intent add client communication"
"application": "<app1>",
"userdata1": <>,
"userdata2": <>
}
"spec": {
// Access Control
"clientServiceNamenamespaces": "sleep",[] // Name ofWorkloads from this namespaces can access the clientinbound service
"type"serviceAccountAccess : "istio", // options are istio, k8s and external
"headless{"cluster.local/ns/default/sa/sleep": {"GET": "false/static",}} // default{istioobject is- false. Option "True" authorizationPolicy, will generate the required configsbe applied for all the instancesinbound of headless service}
"inboundServiceName": "productpage.namespace02.logicalcloud02"
}
}
RETURN STATUS: 201
RETURN BODY:
{
"name": "<name>"
"Message": "Clientinbound service created"
} |
Client 02
Add Clients to inbound service 02
Client 01
POST - traffic intent to add clients for accessing a specific inbound service
Code Block |
---|
language | js |
---|
theme | Midnight |
---|
title | POST |
---|
linenumbers | true |
---|
|
URL: /v2/projects/{project-name}/composite-apps/brown-app/{version}/traffic-group-intent/outbound-intents/httpbin/
POST BODY:
{
"metadata": {
"name": "<name>" // unique name for each intent
"description": "connectivity intent add client communication"
"application": "<app1>",
"userdata1": <>,
"userdata2": <>
}
spec: {
"clientServiceName": "bookinfo-usersleep", // Name of the client service
"type": "istio", // options are istio, k8s and external
"headless": "false", // default is false. Option "True" will generate the required configs for all the instances of headless service
"inboundServiceNametargetService": "productpage.namespace02k8s.logicalcloud02com"
}
}
RETURN STATUS: 201
RETURN BODY:
{
"name": "<name>"
"Message": "Client created"
} |
Generate Istio object resources
...
Cluster01 Resources
1. ServiceEntry - To enable sleep to access to httpbin (logicalcloud01)
Code Block |
---|
language | yml |
---|
theme | Eclipse |
---|
title | ServiceEntry |
---|
linenumbers | true |
---|
|
apiVersion: networking.istio.io/v1alpha3
kind: ServiceEntry
metadata:
name: service-entry-httpbin
namespace: <> // namespace where the client service are deployed
spec:
hosts:
- httpbin.<namespace_of_service>.logicalcloud02
# template for the remote service name - <servicename.namespace.global>
# Treat remote cluster services as part of the service mesh
# as all clusters in the service mesh share the same root of trust.
location: MESH_INTERNAL
ports:
- name: http1
number: 8000
protocol: http
resolution: DNS
addresses:
# the IP address to which httpbin.<namespace>.<logicalcloudname> will resolve to
# must be unique for each remote service, within a given cluster.
# This address need not be routable. Traffic for this IP will be captured
# by the sidecar and routed appropriately.
- 240.0.0.2
endpoints:
# This is the routable address of the istio ingress gateway in cluster02
# routed to this address.
- address: 172.25.55.50 // IP of the istio-ingress-gateway
ports:
http1: 15443 //Sni. Do not change this
|
...
Client 02
POST - traffic intent to add clients for accessing a specific inbound service
Code Block |
---|
language | js |
---|
theme | Midnight |
---|
title | POST |
---|
linenumbers | true |
---|
|
URL: /v2/projects/{project-name}/composite-apps/brown-app/{version}/traffic-group-intent/outbound-intents/httpbin
POST BODY:
{
"metadata": {
"name": "<name>" // unique name for each intent
"description": "connectivity intent add client communication"
"application": "<app1>",
"userdata1": <>,
"userdata2": <>
}
spec: {
"clientServiceName": "bookinfo-user", // Name of the client service
"type": "istio", // options are istio, k8s and external
"headless": "false", // default is false. Option "True" will generate the required configs for all the instances of headless service
"inboundServiceName": "productpage.k8s.com"
}
}
RETURN STATUS: 201
RETURN BODY:
{
"name": "<name>"
"Message": "Client created"
} |
Generate Istio object resources
Name of the Cluster | Microservice | Istio Configuration | Comments |
---|
Cluster01 |
|
Microservice | Logicalcloud01 | Logicalcloud02 |
---|
Common access for httpbin | serviceEntry (httpbin) |
| sleep | destinationRule |
| bookinfo-productpage |
| AuthorizationPolicy, destinationRule |
|
|
Cluster02 |
|
Microservice | Logicalcloud01 | Logicalcloud02 |
---|
common access for bookinfo-productpage | serviceEntry |
| bookinfo-user | destinationRule |
| sleep | destinationRule |
|
|
|
Cluster01 Resources
1. ServiceEntry - To enable sleep to access to httpbin (logicalcloud01)
Code Block |
---|
language | yml |
---|
theme | Eclipse |
---|
title | ServiceEntry |
---|
linenumbers | true |
---|
|
apiVersion: networking.istio.io/v1alpha3
kind: ServiceEntry
metadata:
name: service-entry-httpbin
namespace: <> // namespace where the client service are deployed
spec:
hosts:
- httpbin.<namespace_of_service>.logicalcloud02 // which is the translation of "httpbin.k8s.com"
# template for the remote service name - <servicename.namespace.global>
# Treat remote cluster services as part of the service mesh
# as all clusters in the service mesh share the same root of trust.
location: MESH_INTERNAL
ports:
- name: http1
number: 8000
protocol: http
resolution: DNS
addresses:
# the IP address to which httpbin.<namespace>.<logicalcloudname> will resolve to
# must be unique for each remote service, within a given cluster.
# This address need not be routable. Traffic for this IP will be captured
# by the sidecar and routed appropriately.
- 240.0.0.2
endpoints:
# This is the routable address of the istio ingress gateway in cluster02
# routed to this address.
- address: 172.25.55.50 // IP of the istio-ingress-gateway
ports:
http1: 15443 //Sni. Do not change this
|
2. DestinationRule for TLS - sleep (logicalcloud01)
Code Block |
---|
language | yml |
---|
theme | Eclipse |
---|
title | DestinationRule |
---|
linenumbers | true |
---|
|
apiVersion: networking.istio.io/v1alpha3
kind: DestinationRule
metadata:
name: sleep-dr
namespace: <namespace_of_sleep>
spec:
host: "sleep"
trafficPolicy:
tls:
mode: MUTUAL
serverCertificate: /etc/certs/cert-chain.pem
privateKey: /etc/certs/key.pem
caCertificates: /etc/certs/root-cert.pem
|
3. DestinationRule for TLS, Loadbalancing and circuit breaking - productpage (logicalCloud02)
Code Block |
---|
language | yml |
---|
theme | Eclipse |
---|
title | DestinationRule |
---|
linenumbers | true |
---|
|
apiVersion: networking.istio.io/v1alpha3
kind: DestinationRule
metadata:
name: bookinfo-productpage-dr
namespace: <namespace_of_productpage>
spec:
host: "productpage"
trafficPolicy:
tls:
mode: MUTUAL
serverCertificate: /etc/certs/cert-chain.pem
privateKey: /etc/certs/key.pem
caCertificates: /etc/certs/root-cert.pem
loadbalancer:
consistentHash:
httpCookie: "user2"
connectionPool:
tcp:
maxConnections: 10
http:
http2MaxRequests: 1000
maxRequestsPerConnection: 100
outlierDetection:
consecutiveErrors: 7
interval: 5m
baseEjectionTime: 15m
|
4. Gateway and Virtual Service resource to allow specific host headers and expose the service outside the cluster
Code Block |
---|
language | yml |
---|
theme | Eclipse |
---|
title | DestinationRule |
---|
linenumbers | true |
---|
|
apiVersion: networking.istio.io/v1alpha3
kind: Gateway
metadata:
name: bookinfo-gateway
namespace: namespace02
spec:
selector:
istio: ingressgateway # use Istio default gateway implementation
servers:
- port:
number: 80
name: http
protocol: HTTP
hosts:
- "*.local"
- ".*logicalcloud01"
- ".*logicalcloud02"
---
apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
name: httpbin
spec:
hosts:
- "*.local"
- ".*logicalcloud01"
- ".*logicalcloud02"
gateways:
- bookinfo-gateway
http:
- match:
- uri:
prefix: /productpage.k8s.com
route:
- destination:
port:
number: 8000
host: productpage.namespace02.local
|
5. AuthorizationPolicy for bookinfo-productpage - (logicalCloud02)
Code Block |
---|
language | yml |
---|
theme | Eclipse |
---|
title | DestinationRuleAuthorizationPolicy |
---|
linenumbers | true |
---|
|
apiVersion: networking.istio.io/v1alpha3
kind: DestinationRule
metadata:
name: sleep-dr
namespace: <namespace_of_sleep>
spec:
host: "sleep"
trafficPolicyapiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
name: deny-all
namespace: <namespace_of_prodfuct-page>
spec:
selector:
matchLabels:
app: <name_used_for_productpage>
rules:
- from:
- source:
principals: ["cluster.global/ns/default/sa/sleep", "cluster.global/ns/default/sa/bookinfo-user" ]
to:
tls- operation:
modemethods: MUTUAL["GET"]
serverCertificate paths: /etc/certs/cert-chain.pem
["/static*"]
- operation:
privateKeymethods: /etc/certs/key.pem["GET"]
caCertificates paths: ["/etcapi/certs/root-cert.pem
|
...
Cluster 02 Resources
1. ServiceEntry - To enable access to bookinfo-productpage - (logicalCloud01)
Code Block |
---|
language | yml |
---|
theme | Eclipse |
---|
title | DestinationRuleServiceEntry |
---|
linenumbers | true |
---|
|
apiVersion: networking.istio.io/v1alpha3
kind: DestinationRule
metadata:
name: bookinfo-productpage-dr
namespace: <namespace_of_productpage>
spec:
host: "productpage"
trafficPolicy:
tls:
mode: MUTUAL
serverCertificate: /etc/certs/cert-chain.pem
privateKey: /etc/certs/key.pem
caCertificates: /etc/certs/root-cert.pem
loadbalancer:
consistentHash:
httpCookie: "user2"
connectionPool:
tcp:
maxConnections: 10
http:
http2MaxRequests: 1000
maxRequestsPerConnection: 100
outlierDetection:
consecutiveErrors: 7
interval: 5m
baseEjectionTime: 15m
|
4. AuthorizationPolicy for bookinfo-productpage - (logicalCloud02)
Code Block |
---|
language | yml |
---|
theme | Eclipse |
---|
title | AuthorizationPolicy |
---|
linenumbers | true |
---|
|
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
name: deny-all
namespace: <namespace_of_prodfuct-page>
spec:
selector:
matchLabels:
app: <name_used_for_productpage>
rules:
- from:
- source:
principals: ["cluster.global/ns/default/sa/sleep", "cluster.global/ns/default/sa/bookinfo-user" ]
to:
- operation:
methods: ["GET"]
paths: ["/static*"]
- operation:
methods: ["GET"]
paths: ["/api/v1/products"]
|
Cluster 02 Resources
...
|
apiVersion: networking.istio.io/v1alpha3
kind: ServiceEntry
metadata:
name: service-entry-bookinfo-productpage
namespace: namespace01
spec:
hosts:
- productpage.namespace01.logicalcloud01 // format is <svc>.<namespace>.<logical_cluster_domain>
# template for the remote service name - <servicename.namespace.global>
# Treat remote cluster services as part of the service mesh
# as all clusters in the service mesh share the same root of trust.
location: MESH_INTERNAL
ports:
- name: http1
number: 8000
protocol: http
resolution: DNS
addresses:
# the IP address to which httpbin.<namespace>.<logicalcloudname> will resolve to
# must be unique for each remote service, within a given cluster.
# This address need not be routable. Traffic for this IP will be captured
# by the sidecar and routed appropriately.
- 240.0.0.3
endpoints:
# This is the routable address of the istio ingress gateway in cluster02
# routed to this address.
- address: 172.25.55.210
ports:
http1: 15443 //Sni. Do not change this
|
2. DestinationRule for TLS - sleep - (logicalCloud01)
Code Block |
---|
language | yml |
---|
theme | Eclipse |
---|
title | ServiceEntryDestinationRule |
---|
linenumbers | true |
---|
|
apiVersion: networking.istio.io/v1alpha3
kind: ServiceEntryDestinationRule
metadata:
name: service-entry-bookinfo-productpagesleep-dr
namespace: namespace01
spec:
hostshost: "sleep"
- productpage.namespace01.logicalcloud01 // format is <svc>.<namespace>.<logical_cluster_domain>
# template for the remote service name - <servicename.namespace.global>
# Treat remote cluster services as part of the service mesh
# as all clusters in the service mesh share the same root of trust.
location: MESH_INTERNAL
ports:
- name: http1
number: 8000
protocol: http
resolution: DNS
addresses:
# the IP address to which httpbin.<namespace>.<logicalcloudname> will resolve to
# must be unique for each remote service, within a given cluster.
# This address need not be routable. Traffic for this IP will be captured
# by the sidecar and routed appropriately.
- 240.0.0.3
endpoints:
# This is the routable address of the istio ingress gateway in cluster02
# routed to this address.
- address: 172.25.55.210
ports:
http1: 15443 //Sni. Do not change this
|
2. DestinationRule for TLS - sleep - (logicalCloud01)
Code Block |
---|
language | yml |
---|
theme | Eclipse |
---|
title | DestinationRule |
---|
linenumbers | true |
---|
|
apiVersion: networking.istio.io/v1alpha3
kind: DestinationRule
metadata:
name: sleep-dr
namespace: namespace01
spec:
host: "sleep"
trafficPolicy:
tls:
mode: MUTUAL
serverCertificate: /etc/certs/cert-chain.pem
privateKey: /etc/certs/key.pem
caCertificates: /etc/certs/root-cert.pem
|
...
trafficPolicy:
tls:
mode: MUTUAL
serverCertificate: /etc/certs/cert-chain.pem
privateKey: /etc/certs/key.pem
caCertificates: /etc/certs/root-cert.pem
|
3. DestinationRule for bookinfo-user - (logicalCloud01)
Code Block |
---|
language | yml |
---|
theme | Eclipse |
---|
title | DestinationRule |
---|
linenumbers | true |
---|
|
apiVersion: networking.istio.io/v1alpha3
kind: DestinationRule
metadata:
name: sleep-dr
namespace: namespace01
spec:
host: "bookinfo-user"
trafficPolicy:
tls:
mode: MUTUAL
serverCertificate: /etc/certs/cert-chain.pem
privateKey: /etc/certs/key.pem
caCertificates: /etc/certs/root-cert.pem
|
4. DestinationRule for simple TLS, Loadbalancing and circuit breaking for httpbin - (logicalCloud02)
Code Block |
---|
language | yml |
---|
theme | Eclipse |
---|
title | DestinationRule |
---|
linenumbers | true |
---|
|
apiVersion: networking.istio.io/v1alpha3
kind: DestinationRule
metadata:
name: httpbin-dr
namespace: namespace02
spec:
host: "httpbin"
trafficPolicy:
tls:
mode: MUTUAL
serverCertificate: /etc/certs/cert-chain.pem
privateKey: /etc/certs/key.pem
caCertificates: /etc/certs/root-cert.pem
loadbalancer:
consistentHash:
httpCookie: "user1"
connectionPool:
tcp:
maxConnections: 10
http:
http2MaxRequests: 1000
maxRequestsPerConnection: 100
outlierDetection:
consecutiveErrors: 7
interval: 5m
baseEjectionTime: 15m
|
5. AuthorizationPolicy for httpbin - (logicalCloud02)
Code Block |
---|
language | yml |
---|
theme | Eclipse |
---|
title | DestinationRuleAuthorizationPolicy |
---|
linenumbers | true |
---|
|
apiVersion: networkingsecurity.istio.io/v1alpha3v1beta1
kind: DestinationRuleAuthorizationPolicy
metadata:
name: sleepdeny-drall
namespace: namespace01namespace02
spec:
host: "bookinfo-user"
trafficPolicy:
tls:
mode: MUTUALselector:
matchLabels:
serverCertificate: /etc/certs/cert-chain.pemapp: <app_Name_of_httpbin>
rules:
- privateKey: /etc/certs/key.pemfrom:
- caCertificates: /etc/certs/root-cert.pem
|
4. DestinationRule for simple TLS, Loadbalancing and circuit breaking for httpbin - (logicalCloud02)
Code Block |
---|
language | yml |
---|
theme | Eclipse |
---|
title | DestinationRule |
---|
linenumbers | true |
---|
|
apiVersion: networking.istio.io/v1alpha3
kind: DestinationRule
metadata:
name: httpbin-dr
namespace: namespace02
spec:
host: "httpbin"
trafficPolicy:
tls:
source:
principals: ["cluster.local/ns/default/sa/sleep"]
to:
- operation:
methods: ["GET"]
paths: ["/status*"]
- operation:
modemethods: MUTUAL["GET"]
serverCertificate: /etc/certs/cert-chain.pem
privateKeypaths: /etc/certs/key.pem
caCertificates: /etc/certs/root-cert.pem
loadbalancer:
consistentHash:
httpCookie: "user1"
connectionPool:
tcp["/headers"]
|
6. Gateway and Virtual Service resource to allow specific host headers and expose the service outside the cluster
Code Block |
---|
language | yml |
---|
theme | Eclipse |
---|
title | DestinationRule |
---|
linenumbers | true |
---|
|
apiVersion: networking.istio.io/v1alpha3
kind: Gateway
metadata:
name: httpbin-gateway
namespace: namespace02
spec:
selector:
maxConnectionsistio: 10
ingressgateway # http:
http2MaxRequests: 1000use Istio default gateway implementation
servers:
- port:
number: 80
maxRequestsPerConnection: 100
outlierDetectionname: http
consecutiveErrorsprotocol: 7HTTP
intervalhosts: 5m
- baseEjectionTime: 15m
|
5. AuthorizationPolicy for httpbin - (logicalCloud02)
Code Block |
---|
language | yml |
---|
theme | Eclipse |
---|
title | AuthorizationPolicy |
---|
linenumbers | true |
---|
|
apiVersion: security"*.local"
- ".*logicalcloud01"
- ".*logicalcloud02"
- "onap.k8s.org"
---
apiVersion: networking.istio.io/v1beta1v1alpha3
kind: AuthorizationPolicyVirtualService
metadata:
name: deny-all
namespace: namespace02httpbin-gateway
spec:
selectorhosts:
matchLabels:
app: <app_Name_of_httpbin>
rules- "*.local"
- ".*logicalcloud01"
- ".*logicalcloud02"
- "onap.k8s.org"
gateways:
- httpbin-gateway
http:
- frommatch:
- sourceuri:
principalsprefix: ["cluster.local/ns/default/sa/sleep"]/httpbin.k8s.com
toroute:
- operationdestination:
methods: ["GET"]port:
paths: ["/status*"]
- operation: number: 8000
methodshost: ["GET"]
paths: ["/headers"]httpbin.namespace02.local
|