Inbound Intents
draw.io Diagram | ||||||||||||||||||||
---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
Table of Contents |
---|
API
...
draw.io Diagram | ||||||||||||||||||||
---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
draw.io Diagram | ||||||||||||||||||||
---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
Traffic group intents
Code Block | ||||||
---|---|---|---|---|---|---|
| ||||||
URL: /v2/projects/{project-name}/composite-apps/{composite-app-name}/{composite-app-version}/traffic/deployment-intent-groups/{deployment-intent-group-intentname}/uservicetraffic-togroup-uservice-intent/ POST BODY: { "metadata": { "name": "<name>", //unique for each traffic group "description": "<description>", "applicationuserData1": "<app1>",<user data>", "userData2": "<user data>" } } |
Code Block | ||
---|---|---|
| ||
URL: /v2/projects/{project-name}/composite-apps/{composite-app-name}/{composite-app-version}/deployment-intent-groups/{deployment-intent-group-name}/traffic-group-intent/{traffic-group-intent-name}/inbound-intents/ "metadata": { "name": "<>" // unique name for each intent "servicedescription": "httpbin"connectivity intent for inbound communication" "userdata1": <>, "protocol"userdata2": <> } "spec": { "application": "HTTP<app1>", "mutualTLSservicename": "MUTUALhttpbin", // Support 2 modes. SIMPLE, MUTUAL with external client. For inter and intra cluster, mtls is enabled by default actual name of the client service "externalName": "httpbin.k8s.com" // Can be IP address also "port" : "80", // port on which service is exposed as through servicemesh, not the port it is actually running on "protocol": "TCP" //protocol of the exposed service "accessPointsserviceMesh": ["/healthistio", "//status"] //SIMPLE For- AuthorizationNo PolicyIstio } | ||
Code Block | ||
| ||
URL: /v2/projects/{project-name}/composite-apps/{composite-app-name}/{version}/traffic-group-intent/uservice-to-uservice-intent/<intent-name>/clients POST BODY: { "name "istio" : { "sidecar-proxy": "<name>yes", "descriptionmutualTLS": "<description>" "application": "<app2>",MUTUAL", // default is simple. Option MUTUAL will enforce mtls // Traffic management fields below are valid only if the sidecar-proxy is set to "yes" "loadbalancing" : { // LaodBalancing "deploymentloadbalancingType": "sleep" } |
2) Inbound Intent
...
Code Block | ||
---|---|---|
| ||
URL: /v2/projects/{project-name}/composite-apps/{composite-app-name}/{version}/traffic-group-intent/inbound-intent/ POST BODY: { "name": "<name>", "description": "<description>", "application": "<app1>", "service": "httpbin", "protocol": "HTTP", "mutualTLS": "MUTUAL", // Support 2 modes. SIMPLE, MUTUAL with external client. For inter and intra cluster, mtls is enabled by default "port" : "80", // port on which service is exposed as through servicemesh, not the port it is actually running on "accessPoints": ["/health", "/status"], // For Authorization Policy // mTLS fields "egressgateway": "true" , // Optional, default = false, All the outbound traffic from this service will flow through a dedicated egress gateway "servicecertificate" : {serverCertificate.pem}ConsistentHash", // "Simple" and "consistentHash" "loadBalancerMode": "httpCookie" // Modes for consistentHash - "httpHeaderName", "httpCookie", "useSourceIP", "minimumRingSize", Modes for simple - "LEAST_CONN", "ROUND_ROBIN", "RANDOM", "PASSTHROUGH" "httpCookie": "user1" // Name of the cookie to maintain sticky sessions }, "circuitBreaking": { "maxConnections": 10 //connection pool for tcp and http traffic "concurrenthttp2Requests": 1000 // concurent http2 requests which can be allowed "httpRequestPerConnection": 100 // number of http requests per connection. Valid only for http traffic "consecutiveErrors": 8 // Default is 5. Number of consecutive error before the host is removed "baseEjectionTime" : 15 // Default is 5 "intervalSweep": 5m, //time limit before the removed hosts are added back to the load balancing pool. } }, "external-support": "true" "external": { "cert-info": { "servicecertificate" : "" // Present actual certificate here. Optional, default "servicePrivateKey", required: only"" if// mTLSPresent isactual setprivate to "MUTUAL"key here. "servicePrivateKeycaCertificate" : {serverPrivateKey.pem}"" // Presentpresent actualthe privatetrusted keycertificate here.to Requiredverify onlythe ifclient mTLS is "MUTUAL" connection }, "auth-info": { // Authentication fields "externalAuthenticationissuer": "https://accounts.google.com", "externalAuthenticationjwksURI" : "https://www.googleapis.com/oauth2/v3/certs", } } "headless": "false", // default is false. Option "True" will make sure all the instances of the headless service will have access to the client service // TODO: Add any FW/SNAT/LB specific fields } |
Client
Code Block | ||
---|---|---|
| ||
URL: /v2/projects/{project-name}/composite-apps/{composite-app-name}/{composite-app-version}/deployment-intent-groups/{deployment-intent-group-name}/traffic-group-intent/{traffic-group-intent-name}/inbound-intentintents/<intent-name>/clients POST BODY: { "metadata": { "name": <> "<name>", "description "description": <> "userdata1": <>, "userdata2": <> } "spec" : { "application": "<description><app2>", "externalServiceNameservicename": "cnn.edition.com" sleep", "namespaces": [], // Only the FQDN ofWorkloads from this namespaces can access the inbound service "ipRange": [<cidr>, <cidr>] } //Client certificate? } |
Code Block | ||
---|---|---|
| ||
URL: /v2/projects/{project-name is required}/composite-apps/{composite-app-name}/{composite-app-version}/deployment-intent-groups/{deployment-intent-group-name}/traffic-group-intent/{traffic-group-intent-name}/inbound-intents/<intent-name>/clients/<client-name>/access-points POST BODY: { "metadata": { "externalCaCertificatename" : "<whole certificate>" // Present the actual client certificate <>" "description": <> "userdata1": <>, "userdata2": <> //TODO - ADD USER INFORMATION??}, "spec" : { //TODO - Add URL Access per User"url": "/status", "access": ["GET"] } } |
...
Outbound Intent
draw.io Diagram | ||||||||||||||||||||
---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
Code Block | ||
---|---|---|
| ||
URL: /v2/projects/{project-name}/composite-apps/{composite-app-name}/{composite-app-version}/deployment-intent-groups/{deployment-intent-group-name}/traffic-group-intent/{traffic-group-intent-name}/outbound-intentintents/ POST BODY: { "metadata": { "name": "<name>", "description": "<description>"<>" // unique name for each intent "description": <> "userdata1": <>, "userdata2": <> }, "application": "<app1>", "serviceserviceName": "httpbin", "appLabel": "<label>" } |
Code Block | ||
---|---|---|
| ||
URL: /v2/projects/{project-name}/composite-apps/{composite-app-name}/{composite-app-version}/deployment-intent-groups/{deployment-intent-group-name}/traffic-group-intent/{traffic-group-intent-name}/outbound-intents/<intent-name>/server POST BODY: { "metadata": { "protocolname": "HTTP",<>" // unique name for each intent "mutualTLSdescription": "MUTUAL", // Support 2 modes. SIMPLE, MUTUAL with external client. For inter and intra cluster, mtls is enabled by default <> "userdata1": <>, "userdata2": <> }, "externalServiceName": "cnn.edition.com" // Only the FQDN of the service name is required "port" : "80", // port on which service is exposed as through servicemesh, not the port it is actually running on // mTLS fields "egressgateway""externalCaCertificate" : "true" , <whole certificate>" // Optional, default = false, All Present the outboundactual traffic from this service will flow through a dedicated egress gateway "servicecertificateclient certificate "clientcertificate" : {serverCertificatecertificate.pem} // Present actual certificate here. Optional, default "", required only if mTLS is set to "MUTUAL" "servicePrivateKeyclientPrivateKey" : {serverPrivateKeyprivateKey.pem} // Present actual private key here. Required only if mTLS is "MUTUAL" "protocol": }"HTTP", "mutualTLS": "MUTUAL", // Support 2 modes. SIMPLE, MUTUAL with external client. For inter and intra cluster, mtls is enabled by default // TODO: Add any FW/SNAT/LB specific fields } |
Network Policy
Based on the inbound intent as described above Network Policy will be created to allow traffic from the client to the service within the same cluster.
Action controller based on the client intent will create Network Policy as below in all the clusters where the applications are deployed. Check if the cluster is same for the service and client. If so add the Network Policy.
Open: Between clusters,
Code Block | ||||
---|---|---|---|---|
| ||||
kind: NetworkPolicy
apiVersion: networking.k8s.io/v1
metadata:
name: allow
spec:
podSelector:
matchLabels:
app: httpbin
ingress:
- from:
- podSelector:
matchLabels:
app: sleep | ||||
Code Block | ||||
| ||||
URL: /v2/projects/{project-name}/composite-apps/{composite-app-name}/{version}/traffic-group-intent/inbound-intent/<intent-name>/servers
POST BODY:
{
"name": "<name>",
"description": "<description>"
"externalServiceName": "cnn.edition.com" // Only the FQDN of the service name is required
"externalCaCertificate" : "<whole certificate>" // Present the actual client certificate
} |