Description: Connect two microservices belonging to stateless applications
Add Inbound service
The intent for this scenario
POST - traffic intent for the inbound service (service hosted behind the cluster)
POST
URL: /v2/projects/{project-name}/composite-apps/{composite-app-name}/{version}/traffic-intent-set/us-to-us-intents/

POST BODY:

    {
      "metadata": {
        "name": "servicehttpbin", // unique name for each intent
        "description": "connectivity intent for stateless micro-service to stateless micro-service communication",
        "userdata1": <>,
        "userdata2": <>
      },
      "spec": { // update the memory allocation for each field
        "application": "<app1>",
        "servicename": "httpbin", // actual name of the client service
        "protocol": "HTTP",
        "headless": "false", // default is false. Option "True" will make sure all the instances of the headless service will have access to the client service
        "mutualTLS": "SIMPLE", // Supports 2 modes: SIMPLE, ISTIO_MUTUAL. For external Client, it is MUTUAL
        "port": "80", // port on which the service is exposed through the service mesh, not the port it is actually running on
        "serviceMesh": "istio", // get it from cluster record
        "istio-proxy": "yes", // The features (mTLS, LB, Circuit breaking) are limited to services without istio-proxy

        // Traffic configuration
        "loadbalancingType": "ConsistenHash", // "Simple" and "consistentHash" are the two modes
        // Modes for consistentHash - "httpHeaderName", "httpCookie", "useSourceIP", "minimumRingSize"
        // Modes for simple - "LEAST_CONN", "ROUND_ROBIN", "RANDOM", "PASSTHROUGH"
        // choices of the mode must be explicit
        "loadBalancerMode": "httpCookie",
        "httpCookie": "user", // Input for Hash in "ConsistenHash" LB and mode as "httpCookie". Name of the cookie to maintain sticky sessions
        "httpHeader": "john-user", // must be filled only if "loadBalancerMode" is "httpHeader"
        "maxConnections": 10, // connection pool for tcp and http traffic
        "timeOut": 5, // in seconds. Connection timeout for tcp and idleTimeout for http

        // credentials for mTLS in "SIMPLE" mode
        "Servicecertificate": {serviceCertificate.pem}, // Present actual certificate here.
        "ServicePrivateKey": {servicePrivateKey.pem}, // Present actual private key here.

        // Access Control
        namespaces: [] // Workloads from these namespaces can access the inbound service
      }
    }

RETURN STATUS: 201

RETURN BODY:

    {
      "name": "servicehttpbin",
      "Message": "Inbound service created"
    }
Add Clients
POST - traffic intent to add clients for accessing a specific inbound service
POST
URL: /v2/projects/{project-name}/composite-apps/{composite-app-name}/{version}/traffic-group-intent/uservice-to-uservice-intent/clients

POST BODY:

    {
      "clientServiceName": "sleep", // Name of the client service
      "headless": "false", // default is false. Option "True" will generate the required configs for all the instances of headless service
      "egressgateway": "true" // Optional, default = false. All the outbound traffic from this service will flow through a dedicated egress gateway
    }

RETURN STATUS: 201

RETURN BODY:

    {
      "name": "sleep",
      "Message": "Client created"
    }
Add Security details
WARNING - This task requires mutual TLS to be enabled, because the following examples use principal and namespace in the policies.
GET
URL: /v2/projects/{project-name}/composite-apps/{composite-app-name}/{version}/traffic-group-intent/uservice-to-uservice-intent/clients/sleep/traffic/traffic-intent

    {
      "serviceAccountAccess": {
        "cluster.local/ns/default/sa/bookinfo-ratings-v2": ["GET": "/health_check"],
        "cluster.local/ns/default/sa/sleep": ["GET": "/status"]
      } // template [sa: portNum] for TCP traffic
    }

RETURN STATUS: 204
Generate Istio object resources
Name of the Cluster | Microservice | Istio Configuration | Comments
---|---|---|---
Cluster01 | | |
Cluster02 | httpbin | |
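
One way the serviceAccountAccess map from "Add Security details" could be rendered as an Istio AuthorizationPolicy for the httpbin workload. This is an added example, not output or code from the project the page describes. The function name, the JSON shape of the access map, the "app" selector label, the policy name and the "default" namespace are assumptions.

```python
import json

def authorization_policy(service, namespace, access):
    """Render a serviceAccountAccess map as an Istio ALLOW AuthorizationPolicy.

    access maps a principal to {"METHOD": "/path"} (HTTP) or to a port number
    (TCP, the page's [sa: portNum] template). This JSON shape is an assumption.
    """
    rules = []
    for principal, grant in sorted(access.items()):
        # Exact service-account identities only: a wildcard would widen the grant.
        if (not principal.startswith("cluster.local/ns/")
                or "/sa/" not in principal or "*" in principal):
            raise ValueError(f"not an exact service-account principal: {principal!r}")
        source = [{"source": {"principals": [principal]}}]
        if isinstance(grant, int) and not isinstance(grant, bool):
            if not 0 < grant < 65536:
                raise ValueError(f"invalid TCP port for {principal}: {grant}")
            rules.append({"from": source, "to": [{"operation": {"ports": [str(grant)]}}]})
            continue
        # One rule per (principal, method, path): fields inside a rule are ANDed,
        # so merging entries would let a principal reach another principal's path.
        for method, path in sorted(grant.items()):
            if not path.startswith("/"):
                raise ValueError(f"path must be absolute: {path!r}")
            operation = {"methods": [method.upper()], "paths": [path]}
            rules.append({"from": source, "to": [{"operation": operation}]})
    return {
        "apiVersion": "security.istio.io/v1beta1",
        "kind": "AuthorizationPolicy",
        "metadata": {"name": f"{service}-allow-clients", "namespace": namespace},
        "spec": {
            "selector": {"matchLabels": {"app": service}},  # assumed workload label
            # ALLOW with an empty rule list matches nothing, so it denies all traffic.
            "action": "ALLOW",
            "rules": rules,
        },
    }

# Constructed sample, using the principals and paths from the page.
SAMPLE_ACCESS = {
    "cluster.local/ns/default/sa/bookinfo-ratings-v2": {"GET": "/health_check"},
    "cluster.local/ns/default/sa/sleep": {"GET": "/status"},
}

if __name__ == "__main__":
    print(json.dumps(authorization_policy("httpbin", "default", SAMPLE_ACCESS), indent=2))
```

The principals in such a policy are only meaningful when the peer identity is authenticated, which is why the page requires mutual TLS for this task.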