API
1) Inbound Intent
POST
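URL: /v2/projects/{project-name}/composite-apps/{composite-app-name}/{version}/traffic-group-intent/inbound-intent/
POST BODY:
{
  "metadata": {
    "name": "<>", // unique name for each intent
    "description": "connectivity intent for inbound communication",
    "userdata1": <>,
    "userdata2": <>
  },
  "spec": { // update the memory allocation for each field as per OpenAPI standards
    "application": "<app1>",
    "servicename": "httpbin", // actual name of the client service - {istioobject - serviceEntry of client's cluster}
    "externalName": "httpbin.k8s.com", // Can be an IP address also
    "port": "80", // port on which the service is exposed
    "protocol": "HTTP",
    "headless": "false", // default is false. Option "True" will make sure all the instances of the headless service will have access to the client service
    "serviceMesh": "istio", // SIMPLE - No Istio
    "sidecar-proxy": "yes", // Traffic management fields below are valid only if the sidecar-proxy is set to "yes"
    "traffic-management-info": {
      // Load balancing
      "loadbalancingType": "consistentHash", // "Simple" and "consistentHash"
      // Modes for consistentHash - "httpHeaderName", "httpCookie", "useSourceIP", "minimumRingSize"
      // Modes for simple - "LEAST_CONN", "ROUND_ROBIN", "RANDOM", "PASSTHROUGH"
      "loadBalancerMode": "httpCookie",
      "httpCookie": "user1", // Name of the cookie to maintain sticky sessions
      // Circuit breaking
      "maxConnections": 10, // connection pool for tcp and http traffic
      "concurrenthttp2Requests": 1000, // concurrent http2 requests which can be allowed
      "httpRequestPerConnection": 100, // number of http requests per connection. Valid only for http traffic
      "consecutiveErrors": 8, // Default is 5. Number of consecutive errors before the host is removed
      "baseEjectionTime": 15, // Default is 5
      "intervalSweep": "5m" // time limit before the removed hosts are added back to the load balancing pool
    },
    "mutualTLS": "MUTUAL", // default is simple. Option MUTUAL will enforce mTLS
    // credentials for mTLS
    // NOTE(review): "ServicePrivateKey" carries private key material in the request body.
    // Send it only over TLS to an authenticated API endpoint, keep request bodies out of
    // logs, and confirm how the controller stores the key at rest.
    "cert-info": {
      "Servicecertificate": "", // Present actual certificate here.
      "ServicePrivateKey": "", // Present actual private key here.
      "caCertificate": "" // Present the trusted certificate to verify the client connection. Required only when mTLS mode is MUTUAL
    },
    "egressgateway": "true", // Optional, default = false. All the outbound traffic from this service will flow through a dedicated egress gateway
    // Authentication fields
    // NOTE(review): tokens are accepted on the strength of the keys served at the JWKS URI,
    // so both values should be https URLs belonging to the intended identity provider.
    "externalAuthenticationissuer": "https://accounts.google.com",
    "externalAuthenticationjwksURI": "https://www.googleapis.com/oauth2/v3/certs"
  }
}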
Client
POST
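URL: /v2/projects/{project-name}/composite-apps/{composite-app-name}/{version}/traffic-group-intent/inbound-intent/<intent-name>/clients
POST BODY:
{
  "metadata": {
    "name": "<>", // unique name for each intent
    "description": "connectivity intent for inbound communication",
    "userdata1": <>,
    "userdata2": <>
  },
  "spec": {
    "application": "<app2>",
    "deployment": "sleep",
    // For Authorization Policy: each entry pairs a URL path with the HTTP methods allowed on it
    "accessPoints": [
      {"url": "/health", "access": ["GET", "POST"]},
      {"url": "/status", "access": ["GET"]}
    ],
    // Separate resource
    // Workloads from these namespaces can access the inbound service
    // NOTE(review): the meaning of an empty list is not stated here; confirm that it
    // denies access rather than allowing workloads from every namespace.
    "namespaces": []
  }
}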
2) Outbound Intent
POST
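URL: /v2/projects/{project-name}/composite-apps/{composite-app-name}/{version}/traffic-group-intent/outbound-intent/
POST BODY:
{
  "name": "<name>",
  "description": "<description>",
  "application": "<app1>",
  "service": "httpbin",
  "protocol": "HTTP",
  "mutualTLS": "MUTUAL", // Supports 2 modes: SIMPLE, and MUTUAL with an external client. For inter- and intra-cluster traffic, mTLS is enabled by default
  "port": "80", // port on which the service is exposed through the service mesh, not the port it is actually running on
  // mTLS fields
  "egressgateway": "true", // Optional, default = false. All the outbound traffic from this service will flow through a dedicated egress gateway
  "servicecertificate": {serverCertificate.pem}, // Present actual certificate here. Optional, default "", required only if mTLS is set to "MUTUAL"
  // NOTE(review): the private key travels in the request body. Send it only over TLS to an
  // authenticated API endpoint, keep request bodies out of logs, and confirm how the
  // controller stores the key at rest.
  "servicePrivateKey": {serverPrivateKey.pem} // Present actual private key here. Required only if mTLS is "MUTUAL"
}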
POST
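URL: /v2/projects/{project-name}/composite-apps/{composite-app-name}/{version}/traffic-group-intent/outbound-intent/<intent-name>/servers
POST BODY:
{
  "name": "<name>",
  "description": "<description>",
  "externalServiceName": "cnn.edition.com", // Only the FQDN of the service name is required
  // NOTE(review): the key name says CA certificate while the original comment says client
  // certificate. Confirm which one is expected; a CA certificate would be the trust anchor
  // used to verify the external server.
  "externalCaCertificate": "<whole certificate>" // Present the actual client certificate
}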