---
# Istio demo stack for the istio-nonrtric namespace.
#
# Three http-echo stand-in workloads (data-consumer, data-producer, a1-policy)
# are published through one Istio Gateway/VirtualService and protected by
# per-apptype JWT validation (RequestAuthentication) plus an ALLOW
# AuthorizationPolicy keyed on the request principal.
#
# NOTE(review): every Deployment uses `hashicorp/http-echo` with no tag or
# digest, so the image resolves to a mutable default tag. Pin it to a vetted
# tag or digest before using this outside a throwaway environment.

# --- data-consumer (apptype: nonrtric-ecs) -----------------------------------
apiVersion: apps/v1
kind: Deployment
metadata:
  name: data-consumer
  namespace: istio-nonrtric
spec:
  selector:
    matchLabels:
      app: data-consumer
  template:
    metadata:
      labels:
        app: data-consumer
        # apptype is the label the jwt-ecs / ecs-policy selectors match on.
        apptype: nonrtric-ecs
        version: v1
    spec:
      containers:
        - name: data-consumer
          image: hashicorp/http-echo
          args:
            - '-text'
            - 'Hello data-consumer'
          ports:
            - containerPort: 5678
---
apiVersion: v1
kind: Service
metadata:
  name: data-consumer
  namespace: istio-nonrtric
  labels:
    app: data-consumer
    service: data-consumer
spec:
  type: ClusterIP
  selector:
    app: data-consumer
  ports:
    # Service port 80 forwards to the echo container's port 5678.
    - name: http-80
      port: 80
      targetPort: 5678
---
# --- data-producer (apptype: nonrtric-ecs) -----------------------------------
apiVersion: apps/v1
kind: Deployment
metadata:
  name: data-producer
  namespace: istio-nonrtric
spec:
  selector:
    matchLabels:
      app: data-producer
  template:
    metadata:
      labels:
        app: data-producer
        # Shares the nonrtric-ecs apptype with data-consumer, so the same
        # JWT rule and authorization policy apply to both.
        apptype: nonrtric-ecs
        version: v1
    spec:
      containers:
        - name: data-producer
          image: hashicorp/http-echo
          args:
            - '-text'
            - 'Hello data-producer'
          ports:
            - containerPort: 5678
---
apiVersion: v1
kind: Service
metadata:
  name: data-producer
  namespace: istio-nonrtric
  labels:
    app: data-producer
    service: data-producer
spec:
  type: ClusterIP
  selector:
    app: data-producer
  ports:
    - name: http-80
      port: 80
      targetPort: 5678
---
# --- a1-policy (apptype: nonrtric-pms) ---------------------------------------
apiVersion: apps/v1
kind: Deployment
metadata:
  name: a1-policy
  namespace: istio-nonrtric
spec:
  selector:
    matchLabels:
      app: a1-policy
  template:
    metadata:
      labels:
        app: a1-policy
        # apptype is the label the jwt-pms / pms-policy selectors match on.
        apptype: nonrtric-pms
        version: v1
    spec:
      containers:
        - name: a1-policy
          image: hashicorp/http-echo
          args:
            - '-text'
            - 'Hello a1-policy'
          ports:
            - containerPort: 5678
---
apiVersion: v1
kind: Service
metadata:
  name: a1-policy
  namespace: istio-nonrtric
  labels:
    app: a1-policy
    service: a1-policy
spec:
  type: ClusterIP
  selector:
    app: a1-policy
  ports:
    - name: http-80
      port: 80
      targetPort: 5678
---
# --- Ingress -----------------------------------------------------------------
# NOTE(review): the only listener is plain HTTP on port 80 for every host
# ('*'). Bearer tokens sent to the routes below cross this listener
# unencrypted; add a TLS server entry before exposing it beyond a lab.
apiVersion: networking.istio.io/v1alpha3
kind: Gateway
metadata:
  name: nonrtric-istio-gateway
  namespace: istio-nonrtric
spec:
  selector:
    # Attach to the gateway workload labelled istio=ingressgateway.
    istio: ingressgateway
  servers:
    - hosts:
        - '*'
      port:
        name: http
        number: 80
        protocol: HTTP
---
# Path-prefix routing: each prefix is rewritten to '/' and forwarded to the
# matching Service on port 80.
apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
  name: nonrtric-istio-vs
  namespace: istio-nonrtric
spec:
  hosts:
    - '*'
  gateways:
    - nonrtric-istio-gateway
  http:
    - name: dc-routes
      match:
        - uri:
            prefix: '/data-consumer'
      rewrite:
        uri: '/'
      route:
        - destination:
            host: data-consumer.istio-nonrtric.svc.cluster.local
            port:
              number: 80
    - name: dp-routes
      match:
        - uri:
            prefix: '/data-producer'
      rewrite:
        uri: '/'
      route:
        - destination:
            host: data-producer.istio-nonrtric.svc.cluster.local
            port:
              number: 80
    - name: a1-routes
      match:
        - uri:
            prefix: '/a1-policy'
      rewrite:
        uri: '/'
      route:
        - destination:
            host: a1-policy.istio-nonrtric.svc.cluster.local
            port:
              number: 80
---
# --- JWT validation ----------------------------------------------------------
# RequestAuthentication only validates a token when one is presented; it does
# not by itself reject requests that carry no token. Denying tokenless
# requests is the job of the AuthorizationPolicy resources further down, so
# the two kinds must stay paired for each apptype.
#
# NOTE(review): the verification key is an inline static JWKS (public key
# only). Rotating the issuer key means editing this manifest; `jwksUri` is the
# alternative when the issuer publishes its keys. No `audiences` is set, so
# the rule does not restrict which audience a token was minted for.
apiVersion: security.istio.io/v1beta1
kind: RequestAuthentication
metadata:
  name: jwt-ecs
  namespace: istio-nonrtric
spec:
  selector:
    matchLabels:
      apptype: nonrtric-ecs
  jwtRules:
    - issuer: ECSISSUER
      jwks: |
        { "keys":[{"e":"AQAB","kty":"RSA","n":"xgeWM1YuAL7xlzf309vzjUtEkP6iZ5pVqzpu8XLh-vAsX4wqCBAUGElAzXVd3QNfjgYv6fwNDNPwugkaFWu-QAllFaS0eBBsZrvJzE2TlVC6jrtrerheE40rUGI0c9OsJGTMN9_w6XxqQ4gXbyN4dueFDMboq_KFpwhU0vq7lspe9ywgv_cfYwqmvzF_wXmNS6t6X7OgltLFNaEcRqH_msXPOtx1EDoC0U3FGRnT3zOYb31tXwuC2oxF1wC6tnlCReE2iYBSvHKjmzw5lmBM2bBgGMwKQTdb2Fhi14qYiWG-bVfHnNEy1EwPWVmpI02r5kdxTgd23Hww60FHzOZkdQ"}]}
---
# Same pattern as jwt-ecs, with a separate issuer and key for the
# nonrtric-pms workloads (inline static JWKS, no `audiences` restriction).
apiVersion: security.istio.io/v1beta1
kind: RequestAuthentication
metadata:
  name: jwt-pms
  namespace: istio-nonrtric
spec:
  selector:
    matchLabels:
      apptype: nonrtric-pms
  jwtRules:
    - issuer: PMSISSUER
      jwks: |
        { "keys":[{"e":"AQAB","kty":"RSA","n":"nsnxKde9-_GUQqzkUJhxUmawdfJUIefJpytDRfTTuWJZd6wpzFvy6hzeJ0ahVgEfZWCKJWb2sykOQhsVe8N9NTGzLts0ZRrAPb5JLq3ZWK3zUpAyiHWVE_tS3yrAj0SgONFw-Ff5gdirAYGB1XhEx44cP1u7pHtQayPp8TRmCtMd47tW0A6z-b2rNTCxsScvRVy6nggG34fMDB7sg7dHZ6tax4Uv2K9baF8XT3ELgFD9JZ5sOH_QyLlYbpyP4iCYaVIFpppDR5vm5xGv2xbtyMu_eU2VVzVZz1nzfChE_m2VivgiChKCy07ohg2hWZh98gBWRbx2q7XP87EKvx14NQ"}]}
---
# --- Authorization -----------------------------------------------------------
# An ALLOW policy on a workload means requests matching none of its rules are
# denied, so these two policies are what turn "token is valid" into "token is
# required". A request principal has the form <issuer>/<subject>.
#
# NOTE(review): "SUBJECT" looks like a placeholder for the real `sub` claim;
# confirm it matches what the issuer puts in its tokens. The policies are
# enforced at the selected workloads, which presumably relies on sidecar
# injection being enabled for this namespace (not shown here).
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: ecs-policy
  namespace: istio-nonrtric
spec:
  selector:
    matchLabels:
      apptype: nonrtric-ecs
  action: ALLOW
  rules:
    - from:
        - source:
            requestPrincipals:
              - 'ECSISSUER/SUBJECT'
---
# Counterpart of ecs-policy for the nonrtric-pms workloads: only the
# PMSISSUER/SUBJECT request principal is allowed.
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: pms-policy
  namespace: istio-nonrtric
spec:
  selector:
    matchLabels:
      apptype: nonrtric-pms
  action: ALLOW
  rules:
    - from:
        - source:
            requestPrincipals:
              - 'PMSISSUER/SUBJECT'