Traffic Group
Traffic Groups allow grouping the proxy workloads in a set of namespaces
owned by its parent workspace. Networking and routing related
configurations can then be applied on the group to control the
behavior of these proxy workloads. The group can be in one of two modes:
BRIDGED
and DIRECT
. BRIDGED
mode is a minimalistic mode that
allows users to quickly configure the most commonly used features
in the service mesh using Tetrate specific APIs, while the DIRECT
mode provides more flexibility for power users by allowing them to
configure the proxy workload behavior using a restricted subset of Istio
Networking APIs.
The following example creates a traffic group for the proxy workloads in
ns1
, ns2
and ns3
namespaces owned by its parent workspace
w1
under tenant mycompany
and sets up a TrafficSetting
defining the resilience properties for proxy workloads in these
namespaces.
apiVersion: traffic.tsb.tetrate.io/v2
kind: Group
metadata:
name: t1
workspace: w1
tenant: mycompany
organization: myorg
spec:
namespaceSelector:
names:
- "*/ns1"
- "*/ns2"
- "*/ns3"
configMode: BRIDGED
And the associated traffic settings for the proxy workloads in the group
apiVersion: traffic.tsb.tetrate.io/v2
kind: TrafficSetting
metadata:
name: defaults
group: t1
workspace: w1
tenant: mycompany
organization: myorg
spec:
resilience:
circuitBreakerSensitivity: MEDIUM
Under the hood, Service Bridge translates these minimalistic
settings into Istio APIs such as Sidecar
, DestinationRule
,
etc. for the namespaces managed by the traffic group. These APIs
are then pushed to the Istio control planes of clusters where the
workspace is applicable.
It is possible to create a traffic group for namespaces in a specific cluster as long as the parent workspace owns those namespaces in that cluster. For example,
apiVersion: traffic.tsb.tetrate.io/v2
kind: Group
metadata:
name: t1
workspace: w1
tenant: mycompany
organization: myorg
spec:
namespaceSelector:
names:
- "c1/ns1" # pick ns1 namespace only from c1 cluster
- "*/ns2"
- "*/ns3"
configMode: BRIDGED
In the DIRECT
mode, it is possible to directly attach Istio APIs
such as VirtualService
, DestinationRule
, and Sidecar
to the
traffic group. These configurations will be validated for
correctness and conflict free operations and then pushed to the
appropriate Istio control planes.
The following example declares a DestinationRule
with two
subsets, for the ratings
service in the ns1
namespace:
apiVersion: networking.istio.io/v1beta1
kind: DestinationRule
metadata:
name: ratings-subsets
namespace: ns1
annotations:
tsb.tetrate.io/organization: myorg
tsb.tetrate.io/tenant: mycompany
tsb.tetrate.io/workspace: w1
tsb.tetrate.io/trafficGroup: t1
spec:
host: ratings.ns1.svc.cluster.local
subsets:
- name: stableversion
labels:
app: ratings
env: prod
- name: testversion
labels:
app: ratings
env: uat
The namespace where the Istio APIs are applied will need to be part of the parent traffic group. In addition, each API object will need to have annotations to indicate the organization, tenant, workspace and the traffic group to which it belongs to.
Group
A traffic group manages the routing properties of proxy workloads in a group of namespaces owned by the parent workspace.
Field | Description | Validation Rule |
---|---|---|
namespaceSelector | tetrateio.api.tsb.types.v2.NamespaceSelector | message = { |
configMode | tetrateio.api.tsb.types.v2.ConfigMode | – |
deletionProtectionEnabled | bool | – |
configGenerationMetadata | tetrateio.api.tsb.types.v2.ConfigGenerationMetadata | – |