Inbound Intents
Diagram: uService-uService
Diagram: uService-uService without Istio
Diagram: Inbound TG
Traffic group intents
URL: /v2/projects/{project-name}/composite-apps/{composite-app-name}/{composite-app-version}/deployment-intent-groups/{deployment-intent-group-name}/traffic-group-intent
POST BODY:
{
"metadata": {
"name": "<name>", //unique for each traffic group
"description": "<description>",
"userData1": "<user data>",
"userData2": "<user data>"
}
}
URL: /v2/projects/{project-name}/composite-apps/{composite-app-name}/{composite-app-version}/deployment-intent-groups/{deployment-intent-group-name}/traffic-group-intent/{traffic-group-intent-name}/inbound-intents/
"metadata": {
"name": "<>" // unique name for each intent
"description": "connectivity intent for inbound communication"
"userdata1": <>,
"userdata2": <>
}
"spec": {
"application": "<app1>",
"servicename": "httpbin" //actual name of the client service
"externalName": "httpbin.k8s.com" // may also be an IP address
"port" : "80", // port on which service is exposed
"protocol": "TCP" //protocol of the exposed service
"serviceMesh": "istio", // "SIMPLE" means no service mesh (no Istio)
"istio" : {
"sidecar-proxy": "yes",
"mutualTLS": "MUTUAL", // default is SIMPLE. Option MUTUAL enforces mTLS (clients must present a certificate)
// Traffic management fields below are valid only if the sidecar-proxy is set to "yes"
"loadbalancing" : {
// Load balancing
"loadbalancingType": "ConsistentHash", // "Simple" or "consistentHash"
"loadBalancerMode": "httpCookie" // Modes for consistentHash: "httpHeaderName", "httpCookie", "useSourceIP", "minimumRingSize". Modes for simple: "LEAST_CONN", "ROUND_ROBIN", "RANDOM", "PASSTHROUGH"
"httpCookie": "user1" // Name of the cookie used to maintain sticky sessions
},
"circuitBreaking": {
"maxConnections": 10 // connection pool size for TCP and HTTP traffic
"concurrenthttp2Requests": 1000 // maximum number of concurrent HTTP/2 requests allowed
"httpRequestPerConnection": 100 // number of HTTP requests per connection. Valid only for HTTP traffic
"consecutiveErrors": 8 // Default is 5. Number of consecutive errors before the host is removed
"baseEjectionTime" : 15 // Default is 5
"intervalSweep": 5m, // time limit before the removed hosts are added back to the load balancing pool.
}
},
"external-support": "true"
"external": {
"cert-info": {
"servicecertificate" : "" // Present the actual service certificate here.
"servicePrivateKey" : "" // Present the actual private key here (secret material: submit only over TLS and store it as a secret, never in plain configuration).
"caCertificate" : "" // Present the trusted CA certificate used to verify the client connection.
},
"auth-info": {
// Authentication fields
"externalAuthenticationissuer": "https://accounts.google.com",
"externalAuthenticationjwksURI" : "https://www.googleapis.com/oauth2/v3/certs",
}
}
"protocol": "HTTP", // Support for other protocols
"headless": "false", // default is false. Option "true" ensures that all instances of the headless service have access to the client service
// TODO: Add any FW/SNAT/LB specific fields
}
Client
URL: /v2/projects/{project-name}/composite-apps/{composite-app-name}/{composite-app-version}/deployment-intent-groups/{deployment-intent-group-name}/traffic-group-intent/{traffic-group-intent-name}/inbound-intents/<intent-name>/clients
POST BODY:
{
"metadata": {
"name": <> // unique name for each intent
"description": <>
"userdata1": <>,
"userdata2": <>
}
"spec" : {
"application": "<app2>",
"deploymentservicename": "sleep",
"namespaces": [], // Workloads in these namespaces can access the inbound service
"ipRange": [<cidr>, <cidr>]
}
//Client certificate?
}
URL: /v2/projects/{project-name}/composite-apps/{composite-app-name}/{composite-app-version}/deployment-intent-groups/{deployment-intent-group-name}/traffic-group-intent/{traffic-group-intent-name}/inbound-intents/<intent-name>/clients/<client-name>/access-points
POST BODY:
{
"metadata": {
"name": "<>" // unique name for each intent
"description": <>
"userdata1": <>,
"userdata2": <>
},
"spec" : {
"url": "/status",
"access": ["GET"]
}
}
Outbound Intent
Diagram: Outbound Intent
...
URL: /v2/projects/{project-name}/composite-apps/{composite-app-name}/{composite-app-version}/deployment-intent-groups/{deployment-intent-group-name}/traffic-group-intent/{traffic-group-intent-name}/outbound-intents/
POST BODY:
{
"metadata": {
"name": "<name>", // unique name for each intent
"description": "<description>",
"userdata1": <>,
"userdata2": <>
},
"application": "<app1>",
"serviceName": "httpbin",
"appLabel": "<label>",
"egressgateway": "true" // Optional, default = false. All the outbound traffic from this service will flow through a dedicated egress gateway
}
URL: /v2/projects/{project-name}/composite-apps/{composite-app-name}/{composite-app-version}/deployment-intent-groups/{deployment-intent-group-name}/traffic-group-intent/{traffic-group-intent-name}/outbound-intents/<intent-name>/server
POST BODY:
{
"metadata": {
"name": "<name>", // unique name for each intent
"description": "<description>",
"userdata1": <>,
"userdata2": <>
},
"externalServiceName": "cnn.edition.com" // Only the FQDN of the external service is required
"port" : "80", // port on which the service is exposed through the service mesh, not the port it actually listens on
"externalCaCertificate" : "<whole certificate>" // Present the trusted CA certificate used to verify the external service
"clientcertificate" : {certificate.pem} // Present the actual client certificate here. Optional, default ""; required only if mutualTLS is set to "MUTUAL"
"clientPrivateKey" : {privateKey.pem} // Present the actual private key here (secret material: submit only over TLS and store it as a secret). Required only if mutualTLS is "MUTUAL"
"protocol": "HTTP",
"mutualTLS": "MUTUAL", // Two modes are supported: SIMPLE, or MUTUAL with the external client. For inter- and intra-cluster traffic, mTLS is enabled by default
// TODO: Add any FW/SNAT/LB specific fields
}
Network Policy
Based on the inbound intent described above, a NetworkPolicy is created to allow traffic from the client to the service within the same cluster.
Based on the client intent, the action controller creates a NetworkPolicy like the one below in every cluster where the applications are deployed: it checks whether the service and the client are in the same cluster and, if so, adds the NetworkPolicy.
Open: the case where the client and the service are in different clusters.
kind: NetworkPolicy
apiVersion: networking.k8s.io/v1
metadata:
  name: allow
spec:
  podSelector:
    matchLabels:
      app: httpbin
  ingress:
  - from:
    # A bare podSelector matches only pods in the policy's own namespace;
    # clients listed under "namespaces" in the client intent would also need a namespaceSelector.
    - podSelector:
        matchLabels:
          app: sleep