
Inbound Intents



API






Traffic group intents

Code Block
languagebash
titlePOST
linenumberstrue
URL: /v2/projects/{project-name}/composite-apps/{composite-app-name}/{composite-app-version}/traffic/deployment-intent-groups/{deployment-intent-group-intentname}/uservicetraffic-togroup-uservice-intent/
POST BODY:
{
	  "metadata": {
    "name": "<name>",
	 //unique for each traffic group 
    "description": "<description>",
    "applicationuserData1": "<app1>",<user data>",
    "userData2": "<user data>"
   }
}


Code Block
titleInbound
URL: /v2/projects/{project-name}/composite-apps/{composite-app-name}/{composite-app-version}/deployment-intent-groups/{deployment-intent-group-name}/traffic-group-intent/{traffic-group-intent-name}/inbound-intents/

   "metadata": {
    "name": "<>" // unique name for each intent
    "servicedescription": "httpbin"connectivity intent for inbound communication"
    "userdata1": <>,
    "protocol"userdata2": <>
    }
 
    "spec": { 
    	"application": "HTTP<app1>",
    	"mutualTLSservicename": "MUTUALhttpbin", // Support 2 modes. SIMPLE, MUTUAL with external client. For inter and intra cluster, mtls is enabled by default
actual name of the client service 
        "externalName": "httpbin.k8s.com" // Can be IP address also
        "port" : "80", // port on which service is exposed as through servicemesh, not the port it is actually running on

        "protocol": "TCP" //protocol of the exposed service 
        "accessPointsserviceMesh": ["/healthistio", "//status"] //SIMPLE For- AuthorizationNo PolicyIstio
     
}
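Review bot: The `mutualTLS` comment says mTLS is enabled by default for inter- and intra-cluster traffic, but this body also carries `externalName` (an FQDN or, per the comment, an IP reachable from outside the mesh) and no default is stated for that case, so whether an externally reachable service may silently run in `SIMPLE` mode is left to the reader. State it on the field, e.g. `"mutualTLS": "MUTUAL", // SIMPLE (server TLS only) or MUTUAL; default when omitted: <confirm>`, and say whether the controller rejects an intent that sets `externalName` without an explicit mode. `port` is a quoted string here while the numeric settings later on the page are bare numbers; a field should keep one type across the document. As rendered, the body also lacks the commas between the `metadata` entries and around `spec`, so it cannot be pasted into a request unchanged.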
Code Block
titlePOST
URL: /v2/projects/{project-name}/composite-apps/{composite-app-name}/{version}/traffic-group-intent/uservice-to-uservice-intent/<intent-name>/clients
POST BODY:
{
	"name	"istio" : {
			"sidecar-proxy": "<name>yes", 
 			"descriptionmutualTLS": "<description>"
    "application": "<app2>",MUTUAL", // default is simple. Option MUTUAL will enforce mtls 
			// Traffic management fields below are valid only if the sidecar-proxy is set to "yes"
			"loadbalancing" : {
    			// LaodBalancing
    			"deploymentloadbalancingType": "sleep"
}
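Review bot: The `mutualTLS` comment on this client body says the default is simple and `MUTUAL` must be opted into, which contradicts the inbound-intent body above where mTLS is described as enabled by default for inter- and intra-cluster traffic. One of the two defaults is wrong, and if it is this one, client-to-service traffic is unauthenticated unless every intent author remembers to set the field; a single documented default, e.g. `"mutualTLS": "MUTUAL", // default MUTUAL; SIMPLE disables client authentication`, removes that ambiguity. `sidecar-proxy` uses the string `"yes"` where a boolean is the natural type, and since the comment says the load-balancing fields are ignored unless it is `"yes"`, silently dropped settings would be better reported as a validation error. The braces are unbalanced in this rendering, so part of the body is probably outside what is shown.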

2) Inbound Intent


Code Block
titlePOST
URL: /v2/projects/{project-name}/composite-apps/{composite-app-name}/{version}/traffic-group-intent/inbound-intent/
POST BODY:
{
	"name": "<name>",
	"description": "<description>",
    "application": "<app1>",
    "service": "httpbin",
    "protocol": "HTTP",
    "mutualTLS": "MUTUAL", // Support 2 modes. SIMPLE, MUTUAL with external client. For inter and intra cluster, mtls is enabled by default
    "port" : "80", // port on which service is exposed as through servicemesh, not the port it is actually running on
    "accessPoints": ["/health", "/status"], // For Authorization Policy
    // mTLS fields
     "egressgateway": "true" ,  // Optional, default = false, All the outbound traffic from this service will flow through a dedicated egress gateway
    "servicecertificate" : {serverCertificate.pem}ConsistentHash", // "Simple" and "consistentHash" 
    			"loadBalancerMode": "httpCookie"      // Modes for consistentHash - "httpHeaderName", "httpCookie", "useSourceIP", "minimumRingSize", Modes for simple - "LEAST_CONN", "ROUND_ROBIN",    "RANDOM", "PASSTHROUGH" 
    			"httpCookie": "user1" // Name of the cookie to maintain sticky sessions 
			},
	    	"circuitBreaking": {
	    		"maxConnections": 10 //connection pool for tcp and http traffic
    			"concurrenthttp2Requests": 1000 // concurent http2 requests which can be allowed 
    			"httpRequestPerConnection": 100 // number of http requests per connection. Valid only for http traffic 
    			"consecutiveErrors": 8 // Default is 5.  Number of consecutive error before the host is removed 
    			"baseEjectionTime" : 15 // Default is 5
    			"intervalSweep": 5m, //time limit before the removed hosts are added back to the load balancing pool.
			}
    	},
	 "external-support": "true"
	 "external": {
     	"cert-info": {
	    	"servicecertificate" : "" // Present actual certificate here.
 Optional,  default 		"servicePrivateKey", required: only"" if// mTLSPresent isactual setprivate to "MUTUAL"key here.
    		"servicePrivateKeycaCertificate" : {serverPrivateKey.pem}"" // Presentpresent actualthe privatetrusted keycertificate here.to Requiredverify onlythe ifclient mTLS is "MUTUAL"
    connection
	 	},
	 	"auth-info": {
	 		// Authentication fields
     		"externalAuthenticationissuer": "https://accounts.google.com",
     		"externalAuthenticationjwksURI" : "https://www.googleapis.com/oauth2/v3/certs",
		}
	}
    "headless": "false", // default is false. Option "True" will make sure all the instances of the headless service will have access to the client service
	// TODO: Add any FW/SNAT/LB specific fields
 }
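Review bot: `servicePrivateKey` (and `clientPrivateKey` in the outbound-intent server body further down) asks the caller to paste private-key material into the intent body, but nothing here says how that material is stored, whether it is redacted from GET responses and controller logs, or whether it can be supplied by reference to a secret instead of inline. Document that contract next to the field, e.g. `"servicePrivateKey": "", // PEM; stored encrypted, never returned by GET — confirm`, or change the field to name a secret. `egressgateway`, `external-support` and `headless` are booleans written as strings, and `"intervalSweep": 5m` and `{serverCertificate.pem}` are not valid JSON values, so the example cannot be pasted as-is. `baseEjectionTime` and `intervalSweep` also carry no unit in the key name, and one is a bare number while the other has an `m` suffix, so the unit should be fixed in the name (`baseEjectionTimeSeconds`, or similar).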


Client 

Code Block
titlePOST
URL: /v2/projects/{project-name}/composite-apps/{composite-app-name}/{composite-app-version}/deployment-intent-groups/{deployment-intent-group-name}/traffic-group-intent/{traffic-group-intent-name}/inbound-intentintents/<intent-name>/clients
POST BODY:
{
	"metadata": {
    	"name": <> "<name>",
	"description
    	"description": <>
    	"userdata1": <>,
    	"userdata2": <>
    }
  "spec" : {
    "application": "<description><app2>",
    "externalServiceNameservicename": "cnn.edition.com" sleep",
	"namespaces": [], // Only the FQDN ofWorkloads from this namespaces can access the inbound service 
    "ipRange": [<cidr>, <cidr>]
  }
  //Client certificate?
    
}
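Review bot: `"namespaces": []` and `"ipRange": [...]` are access allowlists, but the body does not say what an empty list means — deny all, or no restriction — and an empty allowlist that widens to "any namespace" is the kind of default that silently exposes the service. State it on the field, e.g. `"namespaces": [], // workloads in these namespaces may reach the service; empty = <confirm: none or all>`, and do the same for `ipRange`. The `//Client certificate?` TODO is the client-authentication half of the `MUTUAL` mode used in the inbound body; until it is resolved the doc should say how an external client is identified at all. `ipRange` entries should also be quoted strings (`"<cidr>"`) to be valid JSON.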



Code Block
titlePOST
URL: /v2/projects/{project-name is required}/composite-apps/{composite-app-name}/{composite-app-version}/deployment-intent-groups/{deployment-intent-group-name}/traffic-group-intent/{traffic-group-intent-name}/inbound-intents/<intent-name>/clients/<client-name>/access-points
POST BODY:
{
	"metadata": {
    	"externalCaCertificatename" : "<whole certificate>" // Present the actual client certificate
<>" 
    	"description": <>
    	"userdata1": <>,
    	"userdata2": <>
    //TODO - ADD USER INFORMATION??},
  "spec" : {
    //TODO   - Add URL Access per User"url": "/status",
		"access": ["GET"]
  }
    
}
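Review bot: `"url": "/status"` with `"access": ["GET"]` does not say whether the path is matched exactly or as a prefix, and prefix matching would let a rule written for `/status` also grant `/status/admin`; the authorization policy generated from this needs the match rule stated, e.g. `"url": "/status", // exact path match — confirm vs prefix`. The allowed values of `access` (HTTP methods only?) and the behaviour for a client with no access-point entries (nothing allowed, or everything) are also undocumented. The two `//TODO` lines about per-user information sit inside the body and break the JSON as rendered; they belong above the block.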


Outbound Intent



Code Block
titlePOST
URL: /v2/projects/{project-name}/composite-apps/{composite-app-name}/{composite-app-version}/deployment-intent-groups/{deployment-intent-group-name}/traffic-group-intent/{traffic-group-intent-name}/outbound-intentintents/
POST BODY:
{
"metadata": {
    	"name": "<name>",
	"description": "<description>"<>" // unique name for each intent
    	"description": <>
    	"userdata1": <>,
    	"userdata2": <>
    },
    "application": "<app1>",
    "serviceserviceName": "httpbin",
	"appLabel": "<label>"
}


Code Block
titlePOST
URL: /v2/projects/{project-name}/composite-apps/{composite-app-name}/{composite-app-version}/deployment-intent-groups/{deployment-intent-group-name}/traffic-group-intent/{traffic-group-intent-name}/outbound-intents/<intent-name>/server
POST BODY:
{
	"metadata": {
    	"protocolname": "HTTP",<>" // unique name for each intent
    	"mutualTLSdescription": "MUTUAL", // Support 2 modes. SIMPLE, MUTUAL with external client. For inter and intra cluster, mtls is enabled by default
    <>
    	"userdata1": <>,
    	"userdata2": <>
    },
    "externalServiceName": "cnn.edition.com" // Only the FQDN of the service name is required
	"port" : "80", // port on which service is exposed as through servicemesh, not the port it is actually running on
    // mTLS fields
     "egressgateway""externalCaCertificate" : "true" , <whole certificate>" // Optional, default = false, All Present the outboundactual traffic from this service will flow through a dedicated egress gateway
    "servicecertificateclient certificate
	"clientcertificate" : {serverCertificatecertificate.pem} // Present actual certificate here. Optional, default "", required only if mTLS is set to "MUTUAL"
    "servicePrivateKeyclientPrivateKey" : {serverPrivateKeyprivateKey.pem} // Present actual private key here. Required only if mTLS is "MUTUAL"
	"protocol":   
}"HTTP",
    "mutualTLS": "MUTUAL", // Support 2 modes. SIMPLE, MUTUAL with external client. For inter and intra cluster, mtls is enabled by default
    
	// TODO: Add any FW/SNAT/LB specific fields
}
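Review bot: `externalCaCertificate` is commented as "Present the actual client certificate", but a CA certificate and a client (leaf) certificate are different things: the CA is the trust anchor used to verify the peer's chain, while the client certificate is what this side presents. Which one the controller expects decides whether the external server's identity is actually verified, so the comment should say, e.g. `"externalCaCertificate": "<PEM>", // CA chain used to verify the external server's certificate`; the same comment appears on the `servers` body at the end of the page. The `mutualTLS` comment here repeats "enabled by default" while the client body earlier says the default is simple, so the outbound default needs pinning as well. The `{certificate.pem}` placeholders are not valid JSON values and should be quoted.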

Network Policy

Based on the inbound intent described above, a Network Policy will be created to allow traffic from the client to the service within the same cluster.

Based on the client intent, the action controller will create a Network Policy like the one below in every cluster where the applications are deployed. It first checks whether the service and the client are in the same cluster; if so, it adds the Network Policy.

Open question: the case where the client and the service are in different clusters.

Code Block
languageyml
titleNetwork Policy
kind: NetworkPolicy
apiVersion: networking.k8s.io/v1
metadata:
  name: allow
spec:
  podSelector:
    matchLabels:
      app: httpbin
  ingress:
  - from:
      - podSelector:
          matchLabels:
            app: sleep
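Review bot: The policy allows ingress from `app: sleep` pods on every port, while the inbound intent carries `"port": "80"` and the client intent carries `namespaces` and `ipRange`; none of those reach the generated policy as shown, so it is wider than the intent it is derived from. Add a `ports:` entry under the ingress rule and, when the client lives in another namespace, a `namespaceSelector` next to the `podSelector` (a bare `podSelector` in `from` only matches pods in the policy's own namespace). `policyTypes` should be stated explicitly so the policy's scope does not depend on inference from the rules present. The open question about traffic between clusters still stands: a NetworkPolicy is cluster-local and cannot express that case.
```yaml
spec:
  policyTypes:
  - Ingress
  # … unchanged: podSelector …
  ingress:
  - from:
    - namespaceSelector:
        matchLabels:
          kubernetes.io/metadata.name: <client-namespace>
      podSelector:
        matchLabels:
          app: sleep
    ports:
    - protocol: TCP
      port: 80
```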
Code Block
titlePOST
URL: /v2/projects/{project-name}/composite-apps/{composite-app-name}/{version}/traffic-group-intent/inbound-intent/<intent-name>/servers
POST BODY:
{
	"name": "<name>",
	"description": "<description>"
    "externalServiceName": "cnn.edition.com" // Only the FQDN of the service name is required
    "externalCaCertificate" : "<whole certificate>" // Present the actual client certificate
    
}