Description: Connect two microservices belonging to stateless applications that are deployed on the same cluster, where the Istio service mesh has the sidecar proxy installed with each pod of the service.
In the diagram below:
SERVER - httpbin (if TLS Mode is "SIMPLE", it will accept both TLS and plain-text traffic. TLS Mode must be ISTIO_MUTUAL for talking to other Istio clients, and MUTUAL when talking to external services or Istio services which use a different root CA)
CLIENTS - sleep (TLS Mode can be "SIMPLE" (for services with no sidecars) or ISTIO_MUTUAL (for services with sidecars), and MUTUAL when talking to external services or Istio services which use a different root CA)
Diagram
Important Info - cert-chain.pem is Envoy’s cert that needs to be presented to the other side. key.pem is Envoy’s private key paired with Envoy’s cert in cert-chain.pem. root-cert.pem is the root cert to verify the peer’s cert. In this example, we only have one Citadel in a cluster, so all Envoys have the same root-cert.pem.
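
The relationship between the three files can be checked with the openssl CLI. The script below is an added example, not part of the original page or of Istio: the function names are hypothetical, and the certificates are throwaway samples generated on the spot, with a sample root standing in for Citadel.

```shell
#!/bin/sh
# Added example. Paths and sample certificates are constructed for the demo;
# on a real sidecar, point check_envoy_certs at the mounted cert directory.

# Build a throwaway root (standing in for Citadel) and one workload cert in $1.
make_sample_certs() {
    d=$1
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/O=sample-root" \
        -keyout "$d/root-key.pem" -out "$d/root-cert.pem" 2>/dev/null &&
    openssl req -newkey rsa:2048 -nodes -subj "/O=sample-workload" \
        -keyout "$d/key.pem" -out "$d/workload.csr" 2>/dev/null &&
    openssl x509 -req -in "$d/workload.csr" -days 1 \
        -CA "$d/root-cert.pem" -CAkey "$d/root-key.pem" -CAcreateserial \
        -out "$d/cert-chain.pem" 2>/dev/null
}

# key.pem must be the private key for the leaf certificate in cert-chain.pem.
key_matches_cert() {
    cert_pub=$(openssl x509 -in "$1/cert-chain.pem" -noout -pubkey) || return 1
    key_pub=$(openssl pkey -in "$1/key.pem" -pubout 2>/dev/null) || return 1
    [ "$cert_pub" = "$key_pub" ]
}

# cert-chain.pem must verify against root-cert.pem; any intermediates in the
# chain file are offered as untrusted helpers.
chain_verifies() {
    openssl verify -CAfile "$1/root-cert.pem" -untrusted "$1/cert-chain.pem" \
        "$1/cert-chain.pem" >/dev/null 2>&1
}

check_envoy_certs() {
    key_matches_cert "$1" || { echo "FAIL: key.pem does not match cert-chain.pem"; return 1; }
    chain_verifies "$1"   || { echo "FAIL: cert-chain.pem not signed under root-cert.pem"; return 1; }
    echo "OK: key, cert chain and root are consistent"
}

demo_dir=$(mktemp -d)
make_sample_certs "$demo_dir" && check_envoy_certs "$demo_dir"
rm -rf "$demo_dir"
```

A chain failure here corresponds to the case above where the peer uses a different root CA: the workload cert is valid, but the verifying side's root-cert.pem cannot validate it.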