Service Mesh

Anker Tsaur edited this page Nov 22, 2022 · 1 revision

Overview

The Service Mesh is set up using the umbrella helm chart with global value overrides.

There are three elements required to set up the Service Mesh.

  1. Integrate your application's helm chart with Project Titans's helm library chart. Please see (Project Titans)
  2. Configure the umbrella helm chart to register your application with the Service Mesh
  3. Use global value overrides for environment-specific settings and to provide common settings for simplification and consistency

Service Mesh Registration

Chart.yaml

apiVersion: v2
name: my-umbrella-chart
version: 1.0.1
dependencies:
- name: demo-app-1
  version: 1.0.0
  import-values:
  - child: titanSideCars.envoy.clusters.remote-myapp
    parent: global.titanSideCars.envoy.clusters.demo-app-1
- name: demo-app-2
  version: 1.0.0
  import-values:
  - child: titanSideCars.envoy.clusters.remote-myapp
    parent: global.titanSideCars.envoy.clusters.demo-app-2
- name: demo-app-3
  version: 2.0.0
  import-values:
  - child: titanSideCars.envoy.clusters.remote-myapp
    parent: global.titanSideCars.envoy.clusters.demo-app-3

The Service Mesh registration is achieved by importing the settings titanSideCars.envoy.clusters.remote-myapp from the values.yaml of each app's helm chart into the values.yaml of the umbrella helm chart under global.titanSideCars.envoy.clusters.{app chart name}. Each dependency's import-values entry in Chart.yaml is what performs this copy, so an app without such an entry is not registered with the mesh.

Global - Common and Environment specific settings

values.yaml

Example of some useful global common settings

global:
  titanSideCars:
    cert: # cert update during helm install and upgrade
      certHook: "pre-install,pre-upgrade"
    logs: 
      volumeName: logs # Tell titans to use shared log volume for all logging of titans sidecars
      level: warn # log level
      accessLog: # access logging filter; an access log entry is only written when one of the following conditions is met
        responseFlags: # envoy error flags
        - DC
        - LH
        - UT
        - LR
        - UR
        - UC
        - UAEX
        - SI
        - DPE
        - UMSDR
        headers: # HTTP header match
        - name: x-epmp-session-id
          op: prefixMatch
          value: debug-
    envoy:
      remoteCircuitBreakers:
        maxConnections: 4096
        maxRequests: 4096
        maxPendingRequests: 2048
        maxRetries: 2048
      localCircuitBreakers:
        maxConnections: 4096
        maxRequests: 4096
        maxPendingRequests: 2048
        maxRetries: 2048
      cpu:
        limit: "1"
        request: "250m"
      memory:
        limit: "512Mi"
        request: "128Mi"
      imageName: envoy 
      imageTag: v1.18.3 
      clusters:
        local-myapp:
          timeout: 61s
          port: 8080
          healthChecks:
            path: /healthz
        remote-myapp:
          timeout: 62s
          port: 9443
        external-app:
          timeout: 30s
          routes:
          - match: 
              prefix: /external-app/
    egress:
      port: 9565
    opa:
      enabled: false
      cpu:
        limit: "500m"
        request: "125m"
      memory:
        limit: "512Mi"
        request: "128Mi"
      imageTag: 0.29.1-envoy
      customPolicies: # custom OPA policies defined outside of titans that are included in authorization enforcement
        tokenSpec: |
          package authz.token
          import input.attributes.request.http as request

          default authz_header = ""
          authz_header = trim_space(request.headers.authorization)
          token_raw = claims {
            startswith(authz_header, "Bearer ")
            [_, encoded] := regex.split("[ ]+", authz_header)
            [_, claims, _] := io.jwt.decode(encoded) 
          } else = claims {
            [_, claims, _] := io.jwt.decode(authz_header) 
          } else = claims {
            claims := {"sub": "{}", "jti": "null", "iss": "null"}
          }

          token = {
            "sub": json.unmarshal(token_raw.sub),
            "iss": token_raw.iss,
            "jti": token_raw.jti
          }

    ratelimit: # common ratelimiting settings
      enabled: false # can be overridden in the values.yaml of an app's helm chart to enable global rate limiting
      cpu:
        limit: "500m"
        request: "125m"
      memory:
        limit: "512Mi"
        request: "256Mi"
      imageName: ratelimit
      imageTag: v1.4.0

    ingress: # You can insert additional ingress routes for all applications on the mesh
      additionalRoutes:
      - match: # adds GET /<app base API path>/.info/mesh to each app's envoy sidecar, returning the mesh ID. This can be used to determine the currently active mesh
          regex: /.+?/[.]{1}info/mesh
        tokenCheck: false
        directResponse:
          status: "200"
          body: '{"id":"m1"}'
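The accessLog filter above decides which requests produce a sidecar access-log entry at all. The following is an added example, not code from the original page or from Project Titans: it applies the same two conditions (a response flag from the list, or a prefix match on the x-epmp-session-id header) to constructed JSON access-log entries. The entry layout (Envoy's %RESPONSE_FLAGS% as a comma-separated string, a `headers` map alongside it) and the flag meanings are taken from Envoy's access-log documentation, and treating header names case-insensitively is an assumption based on HTTP header semantics rather than anything the page states.

```python
"""Evaluate the titanSideCars.logs.accessLog filter over constructed access-log
entries.  Added example, not Project Titans code."""
import json

# Filter settings copied from the global values.yaml above.
ACCESS_LOG_FILTER = {
    "responseFlags": ["DC", "LH", "UT", "LR", "UR", "UC", "UAEX", "SI", "DPE", "UMSDR"],
    "headers": [{"name": "x-epmp-session-id", "op": "prefixMatch", "value": "debug-"}],
}

# Envoy's documented meaning of each listed flag, for triage of what gets logged.
FLAG_MEANING = {
    "DC": "downstream connection termination",
    "LH": "local service failed health check",
    "UT": "upstream request timeout",
    "LR": "connection local reset",
    "UR": "upstream remote reset",
    "UC": "upstream connection termination",
    "UAEX": "unauthorized external service",
    "SI": "stream idle timeout",
    "DPE": "downstream protocol error",
    "UMSDR": "upstream request reached max stream duration",
}

# Constructed entries in the shape of a JSON access log; "-" is Envoy's empty flag set.
# The headers map is an assumed field so the header condition can be evaluated offline.
SAMPLE_LOG = """
{"path":"/demo-app1/orders","code":200,"response_flags":"-","headers":{"x-epmp-session-id":"s-1"}}
{"path":"/demo-app1/orders","code":504,"response_flags":"UT","headers":{}}
{"path":"/demo-app1/orders","code":200,"response_flags":"-","headers":{"X-EPMP-Session-Id":"debug-42"}}
{"path":"/demo-app1/items","code":503,"response_flags":"UF,URX","headers":{}}
{"path":"/demo-app1/items","code":403,"response_flags":"UAEX","headers":{}}
"""


def matches_filter(entry: dict, cfg: dict = ACCESS_LOG_FILTER) -> bool:
    """True when the entry satisfies at least one condition of the filter."""
    flags = set(entry["response_flags"].split(",")) - {"-", ""}
    if flags & set(cfg["responseFlags"]):
        return True
    # HTTP header names are case-insensitive (assumption: the proxy matches them that way).
    headers = {name.lower(): value for name, value in entry.get("headers", {}).items()}
    for rule in cfg["headers"]:
        value = headers.get(rule["name"].lower())
        # Only prefixMatch appears on the page, so no other op is modelled.
        if rule["op"] == "prefixMatch" and value is not None and value.startswith(rule["value"]):
            return True
    return False


def filter_log(raw: str) -> list[dict]:
    """Return the entries the sidecar would log, each annotated with the reason."""
    kept = []
    for line in raw.strip().splitlines():
        entry = json.loads(line)
        if matches_filter(entry):
            listed = [f for f in entry["response_flags"].split(",") if f in FLAG_MEANING]
            entry["why"] = ", ".join(FLAG_MEANING[f] for f in listed) or "debug session header"
            kept.append(entry)
    return kept


if __name__ == "__main__":
    for logged in filter_log(SAMPLE_LOG):
        print(logged["code"], logged["response_flags"], "->", logged["why"])
```

Of the five constructed entries, three are logged: the UT timeout, the request carrying a debug- session id, and the UAEX rejection. The 503 with flags UF,URX is dropped, because neither flag is in the list and the request carried no debug header; when tuning the list, compare it against the upstream-failure flags your incident response actually relies on.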

values-env-overrides.yaml

Example of some useful global environment-specific settings

global:
  titanSideCars:
    issuers:
    - issuer: https://api.dev.int.saas.broadcomcloud.com
      jwks: https://api.dev.int.saas.broadcomcloud.com/oauth2/keys
      cluster: apihost
    envoy:
      ## define per-environment settings of external clusters (outside of the service mesh) here
      clusters:
        external-app:
          address: external-app.dev.abc.com
    ratelimit:
      redisUrl: 123.123.123.123:6379

values.yaml of demo-app-1

demo-app-1 exposes its API under /demo-app1/ and needs to call demo-app-2 on /demo-app2 and demo-app-3 on /demo-app3. The egress routes reference the cluster names registered by the umbrella chart's import-values (demo-app-2 and demo-app-3).

titanSideCars:
  envoy:
    clusters:
      local-myapp:
        healthChecks:
          path: /healthz
      remote-myapp:
        routes:
        - match:
            prefix: /demo-app1/
  egress:
    routes:
    - route:
        cluster: demo-app-2
    - route:
        cluster: demo-app-3
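The registration described under Service Mesh Registration, the stacked global value files, and this per-app values.yaml all have to agree with one another before `helm install` renders anything useful. The following is an added example, not code from the original page, from Project Titans or from Helm: it models the import-values copy from each app chart into global.titanSideCars.envoy.clusters.{app chart name}, stacks the environment override file on top, and then checks that every egress route targets a registered cluster and that every cluster outside the mesh has an address. The values files are embedded as Python dicts (the parsed form of the YAML on this page; the contents for demo-app-2 and demo-app-3 and the deliberately misspelled egress target are constructed), and treating local-myapp and remote-myapp under the global clusters as per-sidecar templates rather than mesh members is an assumption.

```python
"""Model of Service Mesh registration via Helm import-values, plus a pre-deploy
consistency check.  Added example, not Project Titans or Helm code."""
import copy
from typing import Any

# Constructed: parsed values.yaml of each application chart (child side of
# import-values).  demo-app-3's egress names a cluster that nobody registers.
APP_VALUES: dict[str, Any] = {
    "demo-app-1": {"titanSideCars": {
        "envoy": {"clusters": {
            "local-myapp": {"healthChecks": {"path": "/healthz"}},
            "remote-myapp": {"routes": [{"match": {"prefix": "/demo-app1/"}}]}}},
        "egress": {"routes": [{"route": {"cluster": "demo-app-2"}},
                              {"route": {"cluster": "demo-app-3"}}]}}},
    "demo-app-2": {"titanSideCars": {
        "envoy": {"clusters": {"remote-myapp": {"routes": [{"match": {"prefix": "/demo-app2/"}}]}}},
        "egress": {"routes": [{"route": {"cluster": "external-app"}}]}}},
    "demo-app-3": {"titanSideCars": {
        "envoy": {"clusters": {"remote-myapp": {"routes": [{"match": {"prefix": "/demo-app3/"}}]}}},
        "egress": {"routes": [{"route": {"cluster": "demo-app3"}}]}}},  # typo: not registered
}

# One import-values rule per umbrella dependency, as in the Chart.yaml above.
IMPORT_RULES = [(name, "titanSideCars.envoy.clusters.remote-myapp",
                 f"global.titanSideCars.envoy.clusters.{name}") for name in APP_VALUES]

# Umbrella values.yaml (common) and values-env-overrides.yaml, abridged from the page.
UMBRELLA_VALUES: dict[str, Any] = {"global": {"titanSideCars": {
    "envoy": {"clusters": {
        "local-myapp": {"timeout": "61s", "port": 8080},
        "remote-myapp": {"timeout": "62s", "port": 9443},
        "external-app": {"timeout": "30s", "routes": [{"match": {"prefix": "/external-app/"}}]}}},
    "ratelimit": {"enabled": False}}}}
ENV_OVERRIDES: dict[str, Any] = {"global": {"titanSideCars": {
    "envoy": {"clusters": {"external-app": {"address": "external-app.dev.abc.com"}}},
    "ratelimit": {"redisUrl": "123.123.123.123:6379"}}}}

# Assumption: these entries under global clusters are per-sidecar templates, not members.
SIDECAR_TEMPLATES = {"local-myapp", "remote-myapp"}


def get_path(tree: Any, dotted: str) -> Any:
    """Value at a dotted path, or None if any segment is missing."""
    for key in dotted.split("."):
        if not isinstance(tree, dict) or key not in tree:
            return None
        tree = tree[key]
    return tree


def set_path(tree: dict, dotted: str, value: Any) -> None:
    """Store value at a dotted path, creating intermediate maps as needed."""
    *parents, last = dotted.split(".")
    for key in parents:
        tree = tree.setdefault(key, {})
    tree[last] = value


def deep_merge(base: dict, override: dict) -> dict:
    """Merge like stacked `helm -f` files: maps merge recursively, while lists and
    scalars from the later file replace the earlier value."""
    out = copy.deepcopy(base)
    for key, val in override.items():
        if isinstance(val, dict) and isinstance(out.get(key), dict):
            out[key] = deep_merge(out[key], val)
        else:
            out[key] = copy.deepcopy(val)
    return out


def apply_import_values(umbrella: dict, apps: dict, rules) -> dict:
    """Copy each child's subtree to its parent path, as the page describes.  Helm's
    precedence when the parent already defines that path is not modelled."""
    merged = copy.deepcopy(umbrella)
    for app, child, parent in rules:
        subtree = get_path(apps[app], child)
        if subtree is None:
            raise KeyError(f"{app}: nothing at {child}, so it would not be registered")
        set_path(merged, parent, copy.deepcopy(subtree))
    return merged


def check_mesh(values: dict, apps: dict) -> list[str]:
    """Findings about the rendered global values; an empty list means consistent."""
    clusters = get_path(values, "global.titanSideCars.envoy.clusters") or {}
    findings = []
    for app, vals in apps.items():
        for entry in get_path(vals, "titanSideCars.egress.routes") or []:
            target = entry["route"]["cluster"]
            if target not in clusters:
                findings.append(f"{app}: egress route to unregistered cluster {target!r}")
    for name, cluster in clusters.items():
        if name not in SIDECAR_TEMPLATES and name not in apps and "address" not in cluster:
            findings.append(f"external cluster {name!r} has no address; set it in the env overrides")
    ratelimit = get_path(values, "global.titanSideCars.ratelimit") or {}
    if ratelimit.get("enabled") and "redisUrl" not in ratelimit:
        findings.append("ratelimit is enabled but redisUrl is not set")
    return findings


def render(env_overrides: dict = ENV_OVERRIDES) -> dict:
    """Import-values first, then stack the environment override file on top."""
    return deep_merge(apply_import_values(UMBRELLA_VALUES, APP_VALUES, IMPORT_RULES), env_overrides)


if __name__ == "__main__":
    for finding in check_mesh(render(), APP_VALUES):
        print("FINDING:", finding)
```

Run as a script it reports one finding, the misspelled egress target in demo-app-3; rendering without the environment override file adds a second, because external-app then has routes and a timeout but no address. Both are the kind of mistake that otherwise surfaces only as failed calls after deployment.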