Adding projects to the service mesh

Introduction

To associate a project that contains your application with a Maistra Control Plane, two methods are supported:

  • Specify the project in a ServiceMeshMemberRoll object.

  • Add a ServiceMeshMember object to the project.

ServiceMeshMemberRoll

The ServiceMeshMemberRoll resource configures which projects belong to a control plane. Only projects listed in the ServiceMeshMemberRoll will be affected by the control plane. Any number of projects can be added, but a project may not exist in more than one control plane. This resource must be created in the same project as the ServiceMeshControlPlane resource and must be named default. An example resource can be seen below:

apiVersion: maistra.io/v1
kind: ServiceMeshMemberRoll
metadata:
  name: default
spec:
  members:
  # a list of projects that should be joined into the service mesh
  # for example, to add the bookinfo project
  - bookinfo

ServiceMeshMember

When the ServiceMeshMember is created, it causes the project to be added to the ServiceMeshMemberRoll within the control plane project it references.

An example resource can be seen below:

apiVersion: maistra.io/v1
kind: ServiceMeshMemberRoll
metadata:
  name: default
spec:
  members:
  # a list of projects that should be joined into the service mesh
  # for example, to add the bookinfo project
  - bookinfo

Unlike the ServiceMeshMemberRoll resource, which is created by the service mesh administrator, ServiceMeshMember resources are created by service mesh users. While project administrators are automatically given permission to create the ServiceMeshMember resource in their project, they are not allowed to point it to any ServiceMeshControlPlane until the service mesh administrator explicitly grants access to the service mesh using RBAC. This is done by modifying the mesh-users RoleBinding in the control plane project to specify the users and groups which should be granted access.

The mesh-users RoleBinding is created by the Maistra operator after the administrator creates the ServiceMeshControlPlane resource, but the administrator can also create it beforehand (for example, in the same oc apply operation as the ServiceMeshControlPlane resource).

An example of the RoleBinding is shown below:

apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  namespace: control-plane-namespace
  name: mesh-users
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: mesh-user
subjects:
- apiGroup: rbac.authorization.k8s.io
  kind: User
  name: alice