- Requirements Capture to Drive Mesh Adoption & Configuration
- User Governance Capture
The requirements below are a summary of the Kick-Off Meeting Requirements
& Targeted Outcomes
session where stakeholders have stated the capabilities they would like to benefit with Servce Mesh:
-
The Development Team want to be able to trace (every) request during development, and a sample of
20%
of traffic in Production -
The Product Team want to see metrics around performance/usage (storing them for up to 1 week)
-
The Security team wish to enable mTLS in all intermesh and intramesh communications
-
The Platform Team want to centrally manage security
-
The Development Teams want to implement some resiliency to make the overall application more stable and reliable.
The personas, roles and responsibilities are greatly affected by certain organizational, operational and governance choices around cloud application platforms. These involve (but are not limited to):
-
Type of clusters (multi domain app clusters vs focused clusters) and by extension type of meshes (multi-tenant meshes vs single cluster meshes).
-
Choices of automation for cloud service configuration (Pipelines, GitOps, other(Ansible/Scripting/ACM), none).
-
Platform (Service Mesh) Operating Model (producer-consumer platform -where admins/ops deploy all configs and devs consume- vs self-service platform).
-
Dev(Sec)Ops adopted culture for application and cloud configuration delivery (including
Istio
configs).
For the purpose of the provided scenarios the travel agency has selected the following options determining the Model of Operation.
# | Strategy | Option |
---|---|---|
1 |
Cluster Type |
Focused Clusters |
2 |
Automation |
GitOps |
3 |
Operating Model |
|
4 |
Dev(Sec)Ops |
GitOps |
Self-service (restricted): In this Model of Operation the teams will be able to create Istio
configurations in a self-service manner with the exception of Gateway
resources which will be handled by the OSSM
operating admin.
The outcome of the User Governance Capture workshop and the team Requirements for Mesh Adoption is the definition of the following enterprise personas to be described as those that will interact with the Service Mesh (OSSM). As Upstream Istio, and so OpenShift Service Mesh, do not define standard or default user roles this often causes confusion on what capabilities and responsibilities inside Openshift these personas should have. We have created 3 Roles for the personas and applied them to OCP
See Execute Role & User Creation for the creation of users and roles in DEV
and PROD
environments.
Enterprise Persona | Role | Who he is? | What he does? | Role Setup |
---|---|---|---|---|
Platform Admin |
|
Owner of multiple OCP clusters, sets organizational policies |
Cluster Admin is the Platform Owner & Operator. S/he is a cluster admin who can The The The |
|
Mesh Operator |
|
Operates parts of the cluster and the domain based service mesh for the hosted services |
The The The The |
|
Domain Owner (Tech Lead) |
|
Onboards developers in the team and understands inter/intra dependencies |
The The |
|
Developer |
|
Consumes platform, mesh and application configurations, reviews and troubleshoots application functionality and performance via KIALI UI, Jaeger telemetry, Prometheus metrics and POD logs |
The The The |
|
Application Ops Team |
|
The Application Ops team monitor and maintain the applications in operation in the deployed cluster and within the domain hosted mesh ( |
The Application Ops team will review The Application Ops team can extract the information (logs, traces, proxy configs) and collaborate with the Developer and Mesh Operator to determine possible application, mesh or configuration issues The Application Ops team does not create |
|
Product Owner |
|
Monitors (metrics, telemetry, dashboards) applications (in and out of the mesh) from a domain that makeup the product |
The _Product Owner _ will keep himself aware of the health, usage, cost as well other metrics around the domain their solution is part of by accessing the observability stack components (dashboards in |
See Execute Role & User Creation for the creation of users and roles in DEV
and PROD
environments.
DEV
Environment
Name | Enterprise Persona | Role Bindings | Namespace |
---|---|---|---|
phillip |
Platform Admin |
|
|
emma |
Mesh Operator |
|
|
cristina |
Travel Portal Domain Owner (Tech Lead) |
|
|
farid |
Travel Services Domain Owner (Tech Lead) |
|
|
john |
Developer (TP) |
|
|
mia |
Developer (TS) |
|
|
mus |
Product Owner |
|
See Execute Role & User Creation for the creation of users and roles in DEV
and PROD
environments.
PROD
Environment
Name | Enterprise Persona | Role Bindings | Namespace |
---|---|---|---|
phillip |
Platform Admin |
|
|
emma |
Mesh Operator |
|
|
cristina |
Travel Portal Domain Owner (Tech Lead) |
|
|
farid |
Travel Services Domain Owner (Tech Lead) |
|
|
craig |
Platform (Application Ops) Team |
|
|
mus |
Product Owner |
|
-
Create User Roles
oc apply -f ./roles-resources/mesh-operator.yaml oc apply -f ./roles-resources/mesh-developer.yaml oc apply -f ./roles-resources/mesh-app-viewer.yaml
-
Create Users in Cluster
htpasswd
(See Adding or removing a user inhtpasswd
)./scripts/add-dev-environment-htpasswd-users.sh <htpasswd-secret-name>
-
Add roles to the mesh users in
DEV
namespacesWarningNamespaces must be created first (see in next scenario Setting up a DEV environment for the Travel Portal and Travel Agency Teams #./create-admin-roles.sh phillip (*ADD YOUR OWN CLUSTER ADMIN USER*) ./scripts/create-mesh-operator-roles.sh emma dev-istio-system dev-travel-portal:dev-travel-control:dev-travel-agency ./scripts/create-mesh-dev-roles.sh cristina dev-istio-system dev-travel-portal:dev-travel-control ./scripts/create-mesh-dev-roles.sh farid dev-istio-system dev-travel-agency ./scripts/create-mesh-viewer-roles.sh john dev-travel-portal:dev-travel-control:dev-istio-system ./scripts/create-mesh-viewer-roles.sh mia dev-travel-agency:dev-istio-system ./scripts/create-mesh-viewer-roles.sh mus dev-travel-portal:dev-travel-control:dev-travel-agency:dev-istio-system
-
Execute the following to add additional users for
PROD
in Clusterhtpasswd
for PROD (See Adding or removing a user inhtpasswd
)./add-prod-environment-htpasswd-users.sh <htpasswd-secret-name>
-
Add roles to the mesh users in
PROD
namespaces
Warning
|
Namespaces must be created first (see in Adding Operators, Namespaces, User/Roles Preparation Actions for PROD |
./create-mesh-operator-roles.sh emma prod-istio-system prod-travel-portal:prod-travel-control:prod-travel-agency ./create-mesh-dev-roles.sh cristina prod-istio-system prod-travel-portal:prod-travel-control ./create-mesh-dev-roles.sh farid prod-istio-system prod-travel-agency ./create-mesh-viewer-roles.sh craig prod-travel-portal:prod-travel-control:prod-travel-agency:prod-istio-system
The final step in the requirements analysis phase is to determine an architecture based on the expected functional and non-functional requirements for the DEV
and PROD
environments
DEV
Service Mesh Components
Name | Instances | Operator | Sizing |
---|---|---|---|
grafana |
1 |
|
Default |
istiod |
1 |
|
Default |
istio-egressgateway |
1 |
|
Default |
istio-ingressgateway |
1 |
|
Default |
jaeger |
1 |
|
Default |
kiali |
1 |
|
Default |
prometheus |
1 |
|
Default |
wasm-cacher-client-side-tenant |
1 |
|
Default |
PROD
Service Mesh Components
Name | Instances | Operator | Sizing |
---|---|---|---|
grafana |
1 |
|
|
istiod |
1 |
|
|
istio-egressgateway |
2 |
|
|
istio-ingressgateway |
2 |
|
|
jaeger |
1 |
|
|
kiali |
1 |
|
Default |
prometheus |
1 |
|
Default |
elastic-search |
1 |
|
Important
|
Next in Scenario-2 Help the Travel Agency to Setup a Development Environment |