Home
Anker Tsaur edited this page Apr 5, 2024
Step 1: Add the library chart as a dependency of your app's Helm chart
Edit your app's Helm *Chart.yaml* to add the library Helm chart as a dependency. See the example below
```yaml
apiVersion: v2
name: demo-app-1
version: 1.0.0
kubeVersion: ">=1.10.0-0"
description: Helm chart for demo-app-1 Service
home: https://github.gwd.broadcom.net/SED/demo-app-1
sources:
  - https://github.gwd.broadcom.net/SED/demo-app-1
maintainers:
  - name: Anker Tsaur
    email: [email protected]
    url: https://github.gwd.broadcom.net/SED/demo-app-1
dependencies:
  - name: titan-mesh-helm-lib-chart
    version: 1.0.0
    repository: https://artifactory-lvn.broadcom.net/artifactory/sbo-sps-helm-release-local
```
Step 2: Include the following template functions in your app Helm chart's Kubernetes resource templates
Edit your `deployment.yaml` to include the `titan-mesh-helm-lib-chart.containers` function under `spec.template.spec.containers`. See the example below
```yaml
containers:
{{ include "titan-mesh-helm-lib-chart.containers" . | indent 6 }}
```
Include the `titan-mesh-helm-lib-chart.volumes` function under `spec.template.spec.volumes`. See the example below
```yaml
volumes:
{{ include "titan-mesh-helm-lib-chart.volumes" . | indent 6 }}
```
Edit your `service.yaml` to include the `titan-mesh-helm-lib-chart.ports` function under `spec.ports`. See the example below
```yaml
ports:
{{ include "titan-mesh-helm-lib-chart.ports" . | indent 2 }}
```
Append the `titan-mesh-helm-lib-chart.configmap` function to your `configmap.yaml`. See the example below
```yaml
{{ include "titan-mesh-helm-lib-chart.configmap" . }}
```
Step 3: Create the TLS secret for your app's Envoy sidecar
This step uses cert-manager to create the Kubernetes TLS secret that your app's Envoy sidecar presents.
- How to set up the cert-manager integration with your namespace is out of this document's scope.
- The name of the required TLS secret is <app_service_name>-envoy-tls-cert, e.g. tokentool-envoy-tls-cert.
- You can also add this Kubernetes TLS secret to the release namespace yourself without using cert-manager; the sidecar only needs a secret with that name to exist.
Create a new `certificate.yaml` that includes the `titan-mesh-helm-lib-chart.certificate` function. See the example below
```yaml
{{ include "titan-mesh-helm-lib-chart.certificate" . }}
```
Example 1:
* Route all HTTPS requests from the mesh sidecar's listening port 9443 to your app **demo-app-1** on port 8080
* Set up the HTTP health check path of your app
* Register the application's HTTP base path /demo-app-1/
```yaml
titanSideCars:
  envoy:
    clusters:
      local-myapp: # reserved keyword
        # Settings of your local application
        port: 8080
        healthChecks:
          path: /demo-app-1/status
      remote-myapp: # reserved keyword
        # Settings of your mesh sidecar proxy
        port: 9443
        routes: # register your app routing path
          - match:
              prefix: /demo-app-1/
    ingress:
      enabled: true
```
Example 2:
In addition to example 1:
* Route outbound HTTP requests from localhost:9565 for my app to the services demo-app-2 and demo-app-3 on the service mesh
```yaml
titanSideCars:
  envoy:
    clusters:
      local-myapp: # reserved keyword
        # Settings of your local application
        port: 8080
        healthChecks:
          path: /demo-app-1/status
      remote-myapp: # reserved keyword
        # Settings of your mesh sidecar proxy
        port: 9443
        routes: # register your app routing path
          - match:
              prefix: /demo-app-1/
    ingress:
      enabled: true
    egress:
      routes:
        - route:
            cluster: demo-app-2
        - route:
            cluster: demo-app-3
```
Example 3:
In addition to examples 1 and 2:
* Enable token validation for all my APIs except **/ping/**
* Rewrite the API path **/v1/demo-app-1/** to **/demo-app-1/v1/**
```yaml
titanSideCars:
  envoy:
    clusters:
      local-myapp: # reserved keyword
        # Settings of your local application
        port: 8080
        healthChecks:
          path: /demo-app-1/status
      remote-myapp: # reserved keyword
        # Settings of your mesh sidecar proxy
        port: 9443
        routes: # register your app routing path
          - match:
              prefix: /demo-app-1/
    ingress:
      tokenCheck: true
      routes:
        - match:
            prefix: /ping/
          tokenCheck: false
        - match:
            prefix: /v1/demo-app-1/
          route:
            prefixRewrite: /demo-app-1/v1/
    egress:
      routes:
        - route:
            cluster: demo-app-2
        - route:
            cluster: demo-app-3
```
Example 4:
In addition to examples 1, 2 and 3:
* Enable API metrics on some of my APIs
* Enable an authorization check for **/demo-app-1/purge**
```yaml
titanSideCars:
  envoy:
    clusters:
      local-myapp: # reserved keyword
        # Settings of your local application
        port: 8080
        healthChecks:
          path: /demo-app-1/status
      remote-myapp: # reserved keyword
        # Settings of your mesh sidecar proxy
        port: 9443
        routes: # register your app routing path
          - match:
              prefix: /demo-app-1/
    ingress:
      tokenCheck: true
      routes:
        - match:
            prefix: /ping/
          tokenCheck: false
        - match:
            prefix: /demo-app-1/purge
            method: POST
          metrics:
            name: purge
          accessPolicy:
            oneOf:
              - key: token.sub.scope
                eq: system
              - key: token.sub.scope
                eq: customer
    egress:
      routes:
        - route:
            cluster: demo-app-2
        - route:
            cluster: demo-app-3
```
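The ingress settings in examples 3 and 4 combine a default `tokenCheck`, per-route overrides, and an `accessPolicy` on a method-scoped route. The script below is an added example written for this page, not code from titan-mesh-helm-lib-chart, and it does not read the chart's templates: it models how such a policy would be evaluated under assumed semantics (longest matching prefix wins, a route-level `tokenCheck` overrides the ingress default, `oneOf` passes when any clause's `key` looked up in the token claims equals `eq`), and adds a small lint pass with the editor's own rules for reviewing a values file. The `VALUES` dict is a constructed copy of example 4; `token.sub.scope` is assumed to address `claims["sub"]["scope"]`.

```python
"""Model the ingress tokenCheck / accessPolicy semantics of the titanSideCars examples.

Added illustration with assumed semantics; it is not the library chart's own logic.
"""

# Constructed sample mirroring Example 4 above (not read from a real values.yaml).
VALUES = {
    "titanSideCars": {"envoy": {
        "clusters": {
            "local-myapp": {"port": 8080, "healthChecks": {"path": "/demo-app-1/status"}},
            "remote-myapp": {"port": 9443, "routes": [{"match": {"prefix": "/demo-app-1/"}}]},
        },
        "ingress": {
            "tokenCheck": True,
            "routes": [
                {"match": {"prefix": "/ping/"}, "tokenCheck": False},
                {"match": {"prefix": "/demo-app-1/purge", "method": "POST"},
                 "metrics": {"name": "purge"},
                 "accessPolicy": {"oneOf": [
                     {"key": "token.sub.scope", "eq": "system"},
                     {"key": "token.sub.scope", "eq": "customer"}]}},
            ],
        },
    }}
}


def match_route(ingress, path, method):
    """Longest-prefix match; a 'method' in the match restricts it (assumed semantics)."""
    best = None
    for route in ingress.get("routes", []):
        m = route.get("match", {})
        prefix = m.get("prefix", "")
        if not path.startswith(prefix):
            continue
        if "method" in m and m["method"].upper() != method.upper():
            continue
        if best is None or len(prefix) > len(best["match"]["prefix"]):
            best = route
    return best


def token_check_required(ingress, path, method="GET"):
    """Route-level tokenCheck overrides the ingress default (assumed semantics)."""
    route = match_route(ingress, path, method)
    if route is not None and "tokenCheck" in route:
        return bool(route["tokenCheck"])
    return bool(ingress.get("tokenCheck", False))


def lookup_claim(claims, key):
    """'token.sub.scope' -> claims['sub']['scope']; any missing step -> None."""
    parts = key.split(".")
    if parts[0] != "token":
        return None
    node = claims
    for part in parts[1:]:
        if not isinstance(node, dict) or part not in node:
            return None
        node = node[part]
    return node


def access_allowed(policy, claims):
    """No policy -> allowed; 'oneOf' -> at least one clause must match exactly."""
    if not policy:
        return True
    return any(lookup_claim(claims, c["key"]) == c.get("eq") for c in policy.get("oneOf", []))


def decide(ingress, path, method, claims):
    """Return (allowed, reason); claims is None when no token was presented."""
    if token_check_required(ingress, path, method) and claims is None:
        return False, "token required"
    route = match_route(ingress, path, method)
    policy = route.get("accessPolicy") if route else None
    if not access_allowed(policy, claims or {}):
        return False, "accessPolicy denied"
    return True, "ok"


def audit(values):
    """Editor's review rules (not the chart's): list anonymous routes and unguarded mutations."""
    ingress = values["titanSideCars"]["envoy"]["ingress"]
    findings = []
    if not ingress.get("tokenCheck"):
        findings.append("ingress.tokenCheck is not enabled by default")
    for route in ingress.get("routes", []):
        m = route.get("match", {})
        if route.get("tokenCheck") is False:
            findings.append(f"anonymous route: {m.get('prefix')}")
        mutating = m.get("method", "GET").upper() in ("POST", "PUT", "PATCH", "DELETE")
        if mutating and "accessPolicy" not in route:
            findings.append(f"mutating route without accessPolicy: {m.get('prefix')}")
    return findings


if __name__ == "__main__":
    ing = VALUES["titanSideCars"]["envoy"]["ingress"]
    print(decide(ing, "/demo-app-1/purge", "POST", {"sub": {"scope": "system"}}))
    print(decide(ing, "/demo-app-1/purge", "POST", {"sub": {"scope": "guest"}}))
    print(audit(VALUES))
```

One point this makes visible: under these semantics the `accessPolicy` is attached to a route that matches `POST` only, so a `GET /demo-app-1/purge` falls through to the default `tokenCheck: true` with no scope check. If the application treats other methods on that path as sensitive, add matching routes for them, or keep the scope enforcement in the application as well.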
Use a Helm umbrella chart to build the service mesh with defined, secured communication between services
- Import each service's values settings into the global settings so the service mesh network is built automatically
```yaml
apiVersion: v2
name: my-umbrella-chart
version: 1.0.1
dependencies:
  - name: demo-app-1
    version: 1.0.0
    import-values:
      - child: titanSideCars.envoy.clusters.remote-myapp
        parent: global.titanSideCars.envoy.clusters.demo-app-1
  - name: demo-app-2
    version: 1.0.0
    import-values:
      - child: titanSideCars.envoy.clusters.remote-myapp
        parent: global.titanSideCars.envoy.clusters.demo-app-2
  - name: demo-app-3
    version: 2.0.0
    import-values:
      - child: titanSideCars.envoy.clusters.remote-myapp
        parent: global.titanSideCars.envoy.clusters.demo-app-3
```
- Provide good defaults and environment-specific settings through the global settings in the umbrella chart's values.yaml
```yaml
global:
  titanSideCars:
    # provide default values for all services
    logs:
      level: warn
    envoy:
      imageName: envoy-alpine
      imageTag: v1.15.2
      clusters:
        local-myapp:
          timeout: 61s
        remote-myapp:
          timeout: 62s
      egress:
        port: 9565
```
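To make the `import-values` wiring above concrete, the script below simulates what the umbrella chart assembles: each subchart's `remote-myapp` cluster (port plus registered path prefixes) is copied to `global.titanSideCars.envoy.clusters.<service>`, and a service's `egress.routes` are then resolved against that shared registry. This is an added illustration written for this page, not Helm's or the library chart's code; the child values are constructed, and the merge rule (a key already present in the parent's values wins over the imported copy) is an assumption about Helm's import-values behaviour, so confirm it with `helm template` on your own umbrella chart.

```python
"""Simulate how the umbrella chart's import-values build the mesh cluster registry.

Added illustration; not Helm's implementation and not the library chart's code.
"""
import copy

# Constructed per-service values, shaped like the examples on this page.
CHILD_VALUES = {
    "demo-app-1": {"titanSideCars": {"envoy": {"clusters": {"remote-myapp": {
        "port": 9443, "routes": [{"match": {"prefix": "/demo-app-1/"}}]}}}}},
    "demo-app-2": {"titanSideCars": {"envoy": {"clusters": {"remote-myapp": {
        "port": 9443, "routes": [{"match": {"prefix": "/demo-app-2/"}}]}}}}},
    "demo-app-3": {"titanSideCars": {"envoy": {"clusters": {"remote-myapp": {
        "port": 9443, "routes": [{"match": {"prefix": "/demo-app-3/"}}]}}}}},
}

# The import-values stanzas of the umbrella Chart.yaml above, as (chart, child path, parent path).
IMPORTS = [(name, "titanSideCars.envoy.clusters.remote-myapp",
            f"global.titanSideCars.envoy.clusters.{name}") for name in CHILD_VALUES]

# The umbrella chart's own values (the global defaults above, trimmed to what is needed here).
UMBRELLA_VALUES = {"global": {"titanSideCars": {"envoy": {"egress": {"port": 9565}}}}}


def get_path(tree, dotted):
    """Walk a dotted path through nested dicts; None if any step is missing."""
    node = tree
    for part in dotted.split("."):
        if not isinstance(node, dict) or part not in node:
            return None
        node = node[part]
    return node


def set_path(tree, dotted, value):
    """Create intermediate dicts as needed and set the leaf."""
    parts = dotted.split(".")
    node = tree
    for part in parts[:-1]:
        node = node.setdefault(part, {})
    node[parts[-1]] = value


def apply_imports(parent_values, child_values, imports):
    """Copy each child subtree to its parent path.

    Assumption: keys already present at the parent path win over the imported ones.
    A missing child path is an error rather than a silent empty entry.
    """
    merged = copy.deepcopy(parent_values)
    for chart, child_path, parent_path in imports:
        exported = get_path(child_values[chart], child_path)
        if exported is None:
            raise KeyError(f"{chart}: nothing exported at {child_path}")
        existing = get_path(merged, parent_path) or {}
        set_path(merged, parent_path, {**copy.deepcopy(exported), **existing})
    return merged


def resolve_egress(merged, egress_routes):
    """Map each egress cluster to (port, registered prefixes); unknown clusters fail loudly."""
    registry = get_path(merged, "global.titanSideCars.envoy.clusters") or {}
    resolved = {}
    for entry in egress_routes:
        name = entry["route"]["cluster"]
        if name not in registry:
            raise LookupError(f"egress cluster '{name}' is not registered by the umbrella chart")
        cluster = registry[name]
        prefixes = [r["match"]["prefix"] for r in cluster.get("routes", [])]
        resolved[name] = (cluster["port"], prefixes)
    return resolved


if __name__ == "__main__":
    mesh = apply_imports(UMBRELLA_VALUES, CHILD_VALUES, IMPORTS)
    # demo-app-1's egress routes from Example 2 above
    print(resolve_egress(mesh, [{"route": {"cluster": "demo-app-2"}},
                               {"route": {"cluster": "demo-app-3"}}]))
```

The check in `resolve_egress` is the one worth carrying into a CI step: an egress route that names a cluster no subchart exported means the sidecar has no destination for that traffic, and it is better to catch that at render time than from connection errors in the cluster.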
titanSideCars - In progress
- Anker Tsaur - [email protected]
- Ajit Verma - [email protected]
- Tyler Gray - [email protected]