Service Mesh

OpeNgine uses Istio as its service mesh implementation. The currently supported Istio version is 1.2.9. For cross-cluster communication the multiple control plane setup is implemented; see here for more details. Istio sidecar proxy injection is enabled for the following namespaces:

  • dmz

  • frontend

  • backend

Service Mesh Configuration

The servicemesh YAML block must contain a configuration entry for every cluster listed in the k8s section:

servicemesh:
  mng-cluster:
    # mng-cluster cluster service mesh config
    # .....
  dev-cluster:
    # dev-cluster cluster service mesh config
    # .....

Cluster Configuration Schema

The example below shows two clusters, a management cluster and an application cluster.

servicemesh:
  mng-cluster:
    type: provision-istio-management
    manifest_url: https://raw.githubusercontent.com/jetstack/cert-manager/release-0.12/deploy/manifests/00-crds.yaml
    domain_name: example.opengine.com
    namespace:
      istio: istio-system
      dmz: opengine-dmz
      frontend: opengine-frontend
      backend: opengine-backend
    ca_cert_path: "/project/OpeNgine/env-certs/ca-cert.pem"
    ca_key_path: "/project/OpeNgine/env-certs/ca-key.pem"
    root_cert_path: "/project/OpeNgine/env-certs/root-cert.pem"
    cert_chain_path: "/project/OpeNgine/env-certs/cert-chain.pem"
    helm:
      init_chart: https://gcsweb.istio.io/gcs/istio-release/releases/1.2.9/charts/istio-init-1.2.9.tgz
      core_chart: https://gcsweb.istio.io/gcs/istio-release/releases/1.2.9/charts/istio-1.2.9.tgz
  dev-cluster:
    type: provision-istio
    manifest_url: https://raw.githubusercontent.com/jetstack/cert-manager/release-0.12/deploy/manifests/00-crds.yaml
    domain_name: example.opengine.com
    namespace:
      istio: istio-system
      backend: opengine-backend
    ca_cert_path: "/project/OpeNgine/env-certs/ca-cert.pem"
    ca_key_path: "/project/OpeNgine/env-certs/ca-key.pem"
    root_cert_path: "/project/OpeNgine/env-certs/root-cert.pem"
    cert_chain_path: "/project/OpeNgine/env-certs/cert-chain.pem"
    helm:
      init_chart: https://gcsweb.istio.io/gcs/istio-release/releases/1.2.9/charts/istio-init-1.2.9.tgz
      core_chart: https://gcsweb.istio.io/gcs/istio-release/releases/1.2.9/charts/istio-1.2.9.tgz

Note that the cluster settings are nested under the cluster name, and that ca_cert_path points at the CA certificate while ca_key_path points at its private key; the two are easy to swap and Citadel will fail to start if they are.

type
  Defines the cluster type; one of provision-istio-management or provision-istio. The cluster type selects the mutual TLS setup profile.

manifest_url
  cert-manager Custom Resource Definition manifest; use the value https://raw.githubusercontent.com/jetstack/cert-manager/release-0.12/deploy/manifests/00-crds.yaml.

domain_name
  Root domain name for the TLS certificates that cert-manager issues for Istio.

namespace
  List of namespaces where Istio configuration and policies are applied and sidecar injection is enabled. The following ‘profiles’ are preconfigured:

  • dmz - namespace for publicly available services.

  • frontend - namespace for non-public services that are accessible from outside the cluster.

  • backend - namespace for private backend services; these may be used by services in the dmz, frontend and other namespaces. Mutual TLS is disabled in this namespace.

  The user can pick a custom name for each of the listed namespaces: the key is the profile, the value is the actual Kubernetes namespace name.

ca_cert_path, ca_key_path, root_cert_path and cert_chain_path
  Existing certificates and keys plugged into Citadel. They must be identical in every cluster, because workloads in different clusters only trust each other's mutual TLS identities when they share the same root CA. ca_key_path is the CA private key; whoever holds it can issue workload identities for the mesh, so protect it accordingly. More details: https://archive.istio.io/v1.2/docs/tasks/security/plugin-ca-cert/#plugging-in-the-existing-certificate-and-key

helm.init_chart
  URL from which the Istio Helm init chart is downloaded; it is recommended to take it from the official Istio release repository. Example: https://gcsweb.istio.io/gcs/istio-release/releases/1.2.9/charts/istio-init-1.2.9.tgz

helm.core_chart
  URL from which the Istio Helm core chart is downloaded; it must be the same version as the init chart. Example: https://gcsweb.istio.io/gcs/istio-release/releases/1.2.9/charts/istio-1.2.9.tgz
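The rules above are easy to get wrong in a hand-edited YAML file: a cluster listed in k8s but missing from servicemesh, a chart version mismatch, CA paths that differ between clusters, or ca_cert_path and ca_key_path swapped. The checker below is an added example written for this page; it is not part of OpeNgine. It takes the servicemesh block as a plain dict (what yaml.safe_load would return, constructed inline here so the script runs offline) together with the k8s cluster names, and returns a list of findings. The expected file names for the four Citadel inputs come from the Istio plugin-ca-cert task; the function and variable names are the example's own.

```python
import copy
import os
import re
from typing import Dict, List

# --- Constructed sample input (mirrors the page's two-cluster example) -------
# It deliberately keeps ca_cert_path pointing at ca-key.pem and vice versa, so
# the checker has a real mistake to report.
K8S_CLUSTERS = ["mng-cluster", "dev-cluster"]
CERTS_DIR = "/project/OpeNgine/env-certs"
CRDS_URL = "https://raw.githubusercontent.com/jetstack/cert-manager/release-0.12/deploy/manifests/00-crds.yaml"
HELM_1_2_9 = {
    "init_chart": "https://gcsweb.istio.io/gcs/istio-release/releases/1.2.9/charts/istio-init-1.2.9.tgz",
    "core_chart": "https://gcsweb.istio.io/gcs/istio-release/releases/1.2.9/charts/istio-1.2.9.tgz",
}


def _cluster(cluster_type: str, namespaces: Dict[str, str]) -> dict:
    return {
        "type": cluster_type,
        "manifest_url": CRDS_URL,
        "domain_name": "example.opengine.com",
        "namespace": namespaces,
        "ca_cert_path": f"{CERTS_DIR}/ca-key.pem",   # swapped on purpose
        "ca_key_path": f"{CERTS_DIR}/ca-cert.pem",   # swapped on purpose
        "root_cert_path": f"{CERTS_DIR}/root-cert.pem",
        "cert_chain_path": f"{CERTS_DIR}/cert-chain.pem",
        "helm": dict(HELM_1_2_9),
    }


SERVICEMESH_AS_ON_PAGE = {
    "mng-cluster": _cluster("provision-istio-management", {
        "istio": "istio-system", "dmz": "opengine-dmz",
        "frontend": "opengine-frontend", "backend": "opengine-backend"}),
    "dev-cluster": _cluster("provision-istio", {
        "istio": "istio-system", "backend": "opengine-backend"}),
}

# --- Rules from the schema description ---------------------------------------
ALLOWED_TYPES = {"provision-istio-management", "provision-istio"}
KNOWN_NAMESPACE_KEYS = {"istio", "dmz", "frontend", "backend"}
REQUIRED_KEYS = ("type", "manifest_url", "domain_name", "namespace", "helm")
# File names Citadel expects for a plugged-in CA (Istio plugin-ca-cert task).
EXPECTED_CERT_FILE = {
    "ca_cert_path": "ca-cert.pem",
    "ca_key_path": "ca-key.pem",
    "root_cert_path": "root-cert.pem",
    "cert_chain_path": "cert-chain.pem",
}
CHART_VERSION_RE = re.compile(r"/istio(?:-init)?-(\d+\.\d+\.\d+)\.tgz$")


def chart_version(url: str):
    """Istio version encoded in a release chart URL, or None if unrecognised."""
    m = CHART_VERSION_RE.search(url)
    return m.group(1) if m else None


def validate(servicemesh: dict, k8s_clusters: List[str]) -> List[str]:
    """Return a list of findings; an empty list means the block is consistent."""
    findings = []
    for name in k8s_clusters:
        if name not in servicemesh:
            findings.append(f"{name}: listed in k8s but has no servicemesh entry")
    for name in servicemesh:
        if name not in k8s_clusters:
            findings.append(f"{name}: servicemesh entry for a cluster not listed in k8s")

    cert_sets = {}
    for name, cfg in servicemesh.items():
        for key in REQUIRED_KEYS + tuple(EXPECTED_CERT_FILE):
            if key not in cfg:
                findings.append(f"{name}: missing '{key}'")
        if cfg.get("type") not in ALLOWED_TYPES:
            findings.append(f"{name}: type must be one of {sorted(ALLOWED_TYPES)}")
        ns = cfg.get("namespace") or {}
        if "istio" not in ns:
            findings.append(f"{name}: namespace.istio (control plane namespace) is required")
        for key in sorted(set(ns) - KNOWN_NAMESPACE_KEYS):
            findings.append(f"{name}: unknown namespace profile '{key}'")
        # Catches ca_cert_path pointing at the private key (and the reverse).
        for key, expected in EXPECTED_CERT_FILE.items():
            path = cfg.get(key)
            if path and os.path.basename(path) != expected:
                findings.append(f"{name}: {key} should point at {expected}, not {os.path.basename(path)}")
        helm = cfg.get("helm") or {}
        init_v = chart_version(helm.get("init_chart", ""))
        core_v = chart_version(helm.get("core_chart", ""))
        if init_v is None or core_v is None:
            findings.append(f"{name}: helm chart URLs are not Istio release chart URLs")
        elif init_v != core_v:
            findings.append(f"{name}: init chart {init_v} and core chart {core_v} differ")
        cert_sets[name] = tuple(cfg.get(k) for k in EXPECTED_CERT_FILE)

    # Multi-cluster trust requires the same Citadel CA material in every cluster.
    if len(set(cert_sets.values())) > 1:
        findings.append("cert paths differ between clusters; all clusters must share the same CA files")
    return findings


def with_standard_cert_paths(servicemesh: dict, certs_dir: str) -> dict:
    """Deep copy of the block with the four cert paths set to the expected file names."""
    fixed = copy.deepcopy(servicemesh)
    for cfg in fixed.values():
        for key, filename in EXPECTED_CERT_FILE.items():
            cfg[key] = f"{certs_dir}/{filename}"
    return fixed


if __name__ == "__main__":
    for line in validate(SERVICEMESH_AS_ON_PAGE, K8S_CLUSTERS):
        print("FINDING:", line)
    fixed = with_standard_cert_paths(SERVICEMESH_AS_ON_PAGE, CERTS_DIR)
    print("after correcting the paths:", validate(fixed, K8S_CLUSTERS) or "no findings")
```

Run against the page's example the checker reports the two swapped paths in each cluster and nothing else; after the paths are corrected it reports nothing. The file-name check is a naming convention, not proof that the contents match: before provisioning, also confirm that ca-cert.pem and ca-key.pem belong together (for example by comparing the public keys openssl extracts from each) and that root-cert.pem is byte-identical on every cluster.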