Anker Tsaur edited this page Apr 5, 2024 · 13 revisions

Enable Service Mesh On SaaS Natively Without Sweating

Deployment

Step 1: Import the library Helm chart into your app Helm chart

Edit your app's Helm *Chart.yaml* to add the library Helm chart as a dependency. See the example below:
apiVersion: v2
name: demo-app-1
version: 1.0.0
kubeVersion: ">=1.10.0-0"
description: Helm chart for demo-app-1 Service
home: https://github.gwd.broadcom.net/SED/demo-app-1
sources:
- https://github.gwd.broadcom.net/SED/demo-app-1
maintainers: 
- name: Anker Tsaur
  email: [email protected]
  url: https://github.gwd.broadcom.net/SED/demo-app-1
dependencies:
- name: titan-mesh-helm-lib-chart
  version: 1.0.0
  repository: https://artifactory-lvn.broadcom.net/artifactory/sbo-sps-helm-release-local

Step 2: Include the following template functions in your app Helm chart's Kubernetes resource templates

Edit your `deployment.yaml` to include the `titan-mesh-helm-lib-chart.containers` function under `spec.template.spec.containers`; this adds the mesh sidecar container next to your own. See the example below (the `indent` value must match the indentation of the surrounding key):
    containers:
{{ include "titan-mesh-helm-lib-chart.containers" . | indent 6 }}
Include the `titan-mesh-helm-lib-chart.volumes` function under `spec.template.spec.volumes`. See the example below:
    volumes:
{{ include "titan-mesh-helm-lib-chart.volumes" . | indent 6 }}
Edit your `service.yaml` to include the `titan-mesh-helm-lib-chart.ports` function under `spec.ports`. See the example below:
ports:
{{ include "titan-mesh-helm-lib-chart.ports" . | indent 2 }}
Append the `titan-mesh-helm-lib-chart.configmap` function to your `configmap.yaml`. See the example below:
{{ include "titan-mesh-helm-lib-chart.configmap" . }}

Note: Cert-Manager Dependency (Optional)

  1. This optional step uses cert-manager to create the Kubernetes TLS secret for your app's Envoy sidecar.

    • How to set up the cert-manager integration for your namespace is outside the scope of this document.
    • The name of the required TLS secret is <app_service_name>-envoy-tls-cert, e.g. tokentool-envoy-tls-cert.
    • You can instead add this Kubernetes TLS secret to the release namespace yourself, without cert-manager, as long as it carries that name.
  2. Create a new certificate.yaml that includes the titan-mesh-helm-lib-chart.certificate function. See the example below

{{ include "titan-mesh-helm-lib-chart.certificate" . }}

Step 3: Edit values.yaml to enable and configure service mesh functionality


Use cases and examples


Example 1 - Enable inbound HTTPS requests to my HTTP only application

  * Route all HTTPS requests arriving at the mesh sidecar's listening port 9443 to your app **demo-app-1** on port 8080
  * Set up the HTTP health check path of your app
  * Register my application's HTTP base path /demo-app-1/
titanSideCars:
  envoy:
    clusters:
      local-myapp: # reserved keyword
        # Settings of your local application
        port: 8080  
        healthChecks:
          path: /demo-app-1/status
      remote-myapp: # reserved keyword
        # Settings of your mesh sidecar proxy
        port: 9443 
        routes: # register your app routing path
        - match:
            prefix: /demo-app-1/ 
  ingress:
    enabled: true

Example 2 - Enable outbound HTTP requests for my app to other service on the service mesh

In addition to example 1:
  * Route the outbound HTTP requests that my app sends to localhost:9565 to the services demo-app-2 and demo-app-3 on the service mesh
titanSideCars:
  envoy:
    clusters:
      local-myapp: # reserved keyword
        # Settings of your local application
        port: 8080  
        healthChecks:
          path: /demo-app-1/status
      remote-myapp: # reserved keyword
        # Settings of your mesh sidecar proxy
        port: 9443  
        routes: # register your app routing path
        - match:
            prefix: /demo-app-1/ 
  ingress:
    enabled: true
  egress:
    routes:
    - route: 
        cluster: demo-app-2
    - route: 
        cluster: demo-app-3

Example 3 - Enable token validation and API path rewrite

In addition to examples 1 and 2:
  * Enable token validation for all my APIs except **/ping/** (a prefix match, so every path below /ping/ is exempt; keep such exemptions as narrow as the health endpoint needs)
  * Rewrite the API path **/v1/demo-app-1/** to **/demo-app-1/v1/**
titanSideCars:
  envoy:
    clusters:
      local-myapp: # reserved keyword
        # Settings of your local application
        port: 8080  
        healthChecks:
          path: /demo-app-1/status
      remote-myapp: # reserved keyword
        # Settings of your mesh sidecar proxy
        port: 9443  
        routes: # register your app routing path
        - match:
            prefix: /demo-app-1/ 
  ingress:
    tokenCheck: true
    routes:
    - match:
        prefix: /ping/
      tokenCheck: false
    - match:
        prefix: /v1/demo-app-1/
      route:
        prefixRewrite: /demo-app-1/v1/
  egress:
    routes:
    - route: 
        cluster: demo-app-2
    - route: 
        cluster: demo-app-3

Example 4 - Enable API metrics and authorization check

In addition to examples 1, 2 and 3:
  * Enable API metrics on some of my APIs
  * Enable an authorization check for **POST /demo-app-1/purge**: only tokens whose `sub.scope` is `system` or `customer` may call it
titanSideCars:
  envoy:
    clusters:
      local-myapp: # reserved keyword
        # Settings of your local application
        port: 8080  
        healthChecks:
          path: /demo-app-1/status
      remote-myapp: # reserved keyword
        # Settings of your mesh sidecar proxy
        port: 9443  
        routes: # register your app routing path
        - match:
            prefix: /demo-app-1/ 
  ingress:
    tokenCheck: true
    routes:
    - match:
        prefix: /ping/
      tokenCheck: false
    - match:
        prefix: /demo-app-1/purge
        method: POST
      metrics:
        name: purge
      accessPolicy:
        oneOf:
        - key: token.sub.scope
          eq: system
        - key: token.sub.scope
          eq: customer 
  egress:
    routes:
    - route: 
        cluster: demo-app-2
    - route: 
        cluster: demo-app-3
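The script below is an added example, not code from titan-mesh-helm-lib-chart or its author. It models the ingress policy that examples 3 and 4 express, so you can check which requests reach the app without a token, which are rewritten, and which need a scope. It assumes that routes are tried in order with the first prefix (and method, where given) match winning, as in an Envoy route table; that a route-level tokenCheck overrides ingress.tokenCheck; that accessPolicy.oneOf passes when any clause matches; and that a key such as token.sub.scope is a dotted path into the claims of the validated token. The page confirms none of this beyond the example bullets, so verify it against a rendered sidecar configuration. The values are transcribed as a plain dict (the rewrite route from example 3 is kept alongside example 4's routes) so the script runs without PyYAML; the function names are mine.

```python
"""Model of the ingress policy in examples 3 and 4 (added example; not the
chart's code). Assumed semantics: first matching route wins, a route-level
tokenCheck overrides ingress.tokenCheck, accessPolicy.oneOf passes when any
clause matches, and token.sub.scope is a dotted path into the token claims."""
from dataclasses import dataclass

# Constructed from the page's values.yaml examples, as a dict instead of YAML.
INGRESS = {
    "tokenCheck": True,
    "routes": [
        {"match": {"prefix": "/ping/"}, "tokenCheck": False},
        {"match": {"prefix": "/v1/demo-app-1/"},
         "route": {"prefixRewrite": "/demo-app-1/v1/"}},
        {"match": {"prefix": "/demo-app-1/purge", "method": "POST"},
         "metrics": {"name": "purge"},
         "accessPolicy": {"oneOf": [{"key": "token.sub.scope", "eq": "system"},
                                    {"key": "token.sub.scope", "eq": "customer"}]}},
    ],
}


@dataclass
class Decision:
    allowed: bool
    reason: str
    upstream_path: str   # path the sidecar forwards to local-myapp
    token_checked: bool  # whether a valid token was required at all


def claim_at(claims, dotted_key):
    """Resolve 'token.sub.scope' against the claims dict; missing -> None."""
    node = claims
    for part in dotted_key.split(".")[1:]:  # drop the leading 'token'
        if not isinstance(node, dict) or part not in node:
            return None
        node = node[part]
    return node


def select_route(ingress, method, path):
    """First route whose prefix (and method, if given) matches, else None."""
    for route in ingress.get("routes", []):
        m = route["match"]
        if path.startswith(m["prefix"]) and m.get("method", method) == method:
            return route
    return None


def evaluate(ingress, method, path, claims=None):
    """Admit or reject a request; claims is None when no valid token was sent."""
    route = select_route(ingress, method, path) or {}
    token_checked = route.get("tokenCheck", ingress.get("tokenCheck", False))
    if token_checked and claims is None:
        return Decision(False, "token required", path, token_checked)
    clauses = route.get("accessPolicy", {}).get("oneOf", [])
    if clauses and not any(claim_at(claims or {}, c["key"]) == c["eq"] for c in clauses):
        return Decision(False, "accessPolicy denied", path, token_checked)
    rewrite = route.get("route", {}).get("prefixRewrite")
    upstream = rewrite + path[len(route["match"]["prefix"]):] if rewrite else path
    return Decision(True, "ok", upstream, token_checked)


def unauthenticated_prefixes(ingress):
    """Lint: every prefix reachable without a token. Keep it short and narrow."""
    default = ingress.get("tokenCheck", False)
    return [r["match"]["prefix"] for r in ingress.get("routes", [])
            if not r.get("tokenCheck", default)]


if __name__ == "__main__":
    for method, path, claims in [
        ("GET", "/ping/live", None),
        ("GET", "/demo-app-1/items", None),
        ("GET", "/v1/demo-app-1/items", {"sub": {"scope": "customer"}}),
        ("POST", "/demo-app-1/purge", {"sub": {"scope": "guest"}}),
        ("GET", "/demo-app-1/purge", {"sub": {"scope": "guest"}}),
    ]:
        print(method, path, evaluate(INGRESS, method, path, claims))
    print("no token needed under:", unauthenticated_prefixes(INGRESS))
```

Running it shows two things worth knowing about the sample values: everything under /ping/ is reachable without a token, and the scope check on /demo-app-1/purge is bound to POST, so under these assumptions a GET to the same path falls back to the default settings (token required, no scope check). If that is not the intent, add a route for the other methods or drop the method restriction.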

Step 4: Set up the service mesh


Use a Helm umbrella chart to build the service mesh with defined, secured communication between services

  1. Import each service's values into the global settings so the service mesh network is built automatically. Each `import-values` entry copies a subchart's `remote-myapp` cluster into the umbrella's global clusters under that service's name, which is the name other services refer to in their egress routes (dependencies need a `name` key; add `repository:` unless the chart is vendored under charts/)
apiVersion: v2
name: my-umbrella-chart
version: 1.0.1
dependencies:
- name: demo-app-1
  version: 1.0.0
  import-values:
  - child: titanSideCars.envoy.clusters.remote-myapp
    parent: global.titanSideCars.envoy.clusters.demo-app-1
- name: demo-app-2
  version: 1.0.0
  import-values:
  - child: titanSideCars.envoy.clusters.remote-myapp
    parent: global.titanSideCars.envoy.clusters.demo-app-2
- name: demo-app-3
  version: 2.0.0
  import-values:
  - child: titanSideCars.envoy.clusters.remote-myapp
    parent: global.titanSideCars.envoy.clusters.demo-app-3
  2. Provide good defaults and environment-specific settings using the global settings in the umbrella chart's values.yaml
global:
  titanSideCars:
    # provide default values for all services
    logs:
      level: warn
    envoy:
      imageName: envoy-alpine
      imageTag: v1.15.2
      clusters:
        local-myapp: 
          timeout: 61s
        remote-myapp:
          timeout: 62s
    egress:
      port: 9565
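As an added example (not Helm's or the chart's own code), the script below models what the umbrella chart's import-values entries produce: each dependency's remote-myapp cluster is copied into global.titanSideCars.envoy.clusters under the service's name and merged with the umbrella's own global defaults. It then checks that every egress cluster a service refers to was actually exported, since a missing entry leaves that egress route with nowhere to go. Assumptions: the subchart values for demo-app-2 and demo-app-3 are constructed stand-ins (demo-app-3's egress to demo-app-4 is deliberately dangling); merge precedence follows Helm's coalesce with existing parent keys winning, which this input does not exercise because the defaults and the imported keys do not overlap; and the helper names are mine.

```python
"""Model of Helm import-values for the umbrella chart in Step 4 (added
example; not Helm's or the chart's code). Subchart values are constructed
from examples 1 to 4; demo-app-3's egress to demo-app-4 is a deliberately
dangling reference so the check below has something to report."""
import copy


def service_values(name, port, egress_to):
    """Constructed values.yaml of one service, in the shape of examples 1-2."""
    return {"titanSideCars": {
        "envoy": {"clusters": {
            "local-myapp": {"port": port, "healthChecks": {"path": f"/{name}/status"}},
            "remote-myapp": {"port": 9443, "routes": [{"match": {"prefix": f"/{name}/"}}]}}},
        "ingress": {"enabled": True},
        "egress": {"routes": [{"route": {"cluster": c}} for c in egress_to]}}}


SUBCHARTS = {
    "demo-app-1": service_values("demo-app-1", 8080, ["demo-app-2", "demo-app-3"]),
    "demo-app-2": service_values("demo-app-2", 8081, []),
    "demo-app-3": service_values("demo-app-3", 8082, ["demo-app-4"]),  # dangling
}

# The umbrella Chart.yaml import-values entries: (dependency, child path, parent path)
IMPORTS = [(n, "titanSideCars.envoy.clusters.remote-myapp",
            f"global.titanSideCars.envoy.clusters.{n}") for n in SUBCHARTS]

# The umbrella values.yaml from Step 4
UMBRELLA_VALUES = {"global": {"titanSideCars": {
    "logs": {"level": "warn"},
    "envoy": {"imageName": "envoy-alpine", "imageTag": "v1.15.2",
              "clusters": {"local-myapp": {"timeout": "61s"},
                           "remote-myapp": {"timeout": "62s"}}},
    "egress": {"port": 9565}}}}


def get_path(tree, dotted):
    """Look up 'a.b.c' in nested dicts; None if any key is missing."""
    for key in dotted.split("."):
        if not isinstance(tree, dict) or key not in tree:
            return None
        tree = tree[key]
    return tree


def set_path(tree, dotted, value):
    """Assign at 'a.b.c', creating intermediate dicts as needed."""
    *head, last = dotted.split(".")
    for key in head:
        tree = tree.setdefault(key, {})
    tree[last] = value


def coalesce(dst, src):
    """Fill keys missing from dst with those of src, recursively (dst wins)."""
    for k, v in src.items():
        if isinstance(v, dict) and isinstance(dst.get(k), dict):
            coalesce(dst[k], v)
        else:
            dst.setdefault(k, copy.deepcopy(v))
    return dst


def build_globals(umbrella_values, subcharts, imports):
    """Apply every import-values entry: subchart child path -> umbrella parent path."""
    out = copy.deepcopy(umbrella_values)
    for chart, child, parent in imports:
        imported = get_path(subcharts[chart], child)
        if imported is None:
            raise KeyError(f"{chart}: nothing to import at {child}")
        existing = get_path(out, parent) or {}
        set_path(out, parent, coalesce(copy.deepcopy(existing), imported))
    return out


def dangling_egress_clusters(global_values, subcharts):
    """(service, cluster) pairs whose egress target no dependency exported."""
    known = set(get_path(global_values, "global.titanSideCars.envoy.clusters") or {})
    return sorted((chart, r["route"]["cluster"])
                  for chart, vals in subcharts.items()
                  for r in get_path(vals, "titanSideCars.egress.routes") or []
                  if r["route"]["cluster"] not in known)


if __name__ == "__main__":
    mesh = build_globals(UMBRELLA_VALUES, SUBCHARTS, IMPORTS)
    for name, cluster in get_path(mesh, "global.titanSideCars.envoy.clusters").items():
        print(name, cluster)
    print("dangling egress targets:", dangling_egress_clusters(mesh, SUBCHARTS))
```

Compare the result with `helm template` of your own umbrella chart: the rendered global.titanSideCars.envoy.clusters map should carry one entry per dependency with that service's port and routes, and every `cluster:` named in an egress route should appear there.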

Documentation

titanSideCars - In progress

