Merge pull request #35973 from JStickler/OSSMDOC-381

OSSMDOC-381: Federation configure export/import.

Author: JStickler

modules/ossm-federation-config-export.adoc

@@ -0,0 +1,151 @@
+////
+This module included in the following assemblies:
+* service_mesh/v2x/ossm-federation.adoc
+////
+
+[id="ossm-federation-config-export_{context}"]
+= Exporting a service from a federated mesh
+
+Exporting services allows a mesh to share one or more of its services with another member of the federated mesh.
+
+//Insert ExportedServiceSet diagram here
+
+You use an `ExportedServiceSet` resource to declare the services from one mesh that you are making available to another peer in the federated mesh. You must explicitly declare each service to be shared with a peer.
+
+* You can select services by namespace or name.
+* You can use wildcards to select services; for example, to export all the services in a namespace.
+* You can export services using an alias. For example, you can export the `foo/bar` service as `custom-ns/bar`.
+// Need non foo/bar example above
+* You can only export services that are visible to the mesh’s system namespace. For example, a service in another namespace with a `networking.istio.io/exportTo` label set to ‘.’ would not be a candidate for export.
+* For exported services, their target services will only see traffic from the ingress gateway, not the original requestor (that is, they won’t see the client ID of either the other mesh’s egress gateway or the workload originating the request)
+
+The following example is for services that `red-mesh` is exporting to `green-mesh`.
+
+.Example ExportServiceSet resource
+[source,yaml]
+----
+kind: ExportedServiceSet
+apiVersion: federation.maistra.io/v1
+metadata:
+  name: green-mesh
+  namespace: red-mesh-system
+spec:
+  exportRules:
+  # export ratings.mesh-x-bookinfo as ratings.bookinfo
+  - type: NameSelector
+    nameSelector:
+      namespace: red-mesh-bookinfo
+      name: red-ratings
+      alias:
+        namespace: bookinfo
+        name: ratings
+# export any service in red-mesh-bookinfo namespace with label export-service=true
+  - type: LabelSelector
+    labelSelector:
+      namespace: red-mesh-bookinfo
+      Selector:
+        matchLabels:
+          export-service: “true”
+      alias: # exported as if they were in the bookinfo namespace
+        namespace: bookinfo
+----
+
+.ExportServiceSet parameters
+[options="header"]
+[cols="l, a, a"]
+|===
+|Parameter |Description |Values
+|metadata:
+  name:
+|Name of the ServiceMeshPeer you are exposing this service to.
+|Must match the `name` value for the mesh in the `ServiceMeshPeer` resource.
+
+|metadata:
+  namespace:
+|Name of the project/namespace containing this resource (should be the system namespace for the mesh) .
+|
+
+|spec:
+  exportRules:
+  -type:
+|Type of rule that will govern the export for this service. The first matching rule found for the service will be used for the export.
+|`NameSelector`, `LabelSelector`
+
+|spec:
+  exportRules:
+  -type: nameSelector
+    NameSelector:
+      namespace:
+      name:
+|To create a `NameSelector` rule, specify the `namespace` of the service and the `name` of the service as defined in the `Deployment` resource.
+|
+
+|spec:
+  exportRules:
+  -type: NameSelector
+    NameSelector:
+      alias:
+        namespace:
+        name:
+|To create a `NameSelector` rule that uses an alias for the service, after specifying the `namespace` and `name` for the service, then specify the alias for the `namespace` and the alias to be used for `name` of the service.
+|
+
+|spec:
+  exportRules:
+  -type: LabelSelector
+    LabelSelector:
+      namespace: <exportingMesh>
+      Selector:
+        matchLabels:
+        <label>: "true"
+|To create a `LabelSelector` rule, specify the `namespace` of the service and specify the `label` defined in the `Deployment` resource. In the example above, the label is `export-service`.
+|
+
+|spec:
+  exportRules:
+  -type: LabelSelector
+    LabelSelector:
+      namespace: <exportingMesh>
+      Selector:
+        matchLabels:
+          <label>: "true"
+      alias:
+        namespace:
+        name:
+|To create a `LabelSelector` rule that uses an alias for the service, after specifying the `namespace` and `label`, then specify the alias to be used for `name` or `namespace` of the service. In the example above, the alias is `bookinfo`.
+|
+|===
+
+//PLEASE CHECK THESE EXAMPLES
+
+.Export services with the name "ratings" from all namespaces in the red-mesh to blue-mesh.
+[source,yaml]
+----
+kind: ExportedServiceSet
+apiVersion: federation.maistra.io/v1
+metadata:
+  name: blue-mesh
+  namespace: red-mesh-system
+spec:
+  exportRules:
+  - type: NameSelector
+    nameSelector:
+      namespace: *
+      name: ratings
+----
+
+.Export all services from the west-data-center namespace to green-mesh
+[source,yaml]
+----
+kind: ExportedServiceSet
+apiVersion: federation.maistra.io/v1
+metadata:
+  name: green-mesh
+  namespace: red-mesh-system
+spec:
+  exportRules:
+  - type: NameSelector
+    nameSelector:
+      namespace: west-data-center
+      name: *
+----

modules/ossm-federation-config-import.adoc

@@ -0,0 +1,128 @@
+////
+This module included in the following assemblies:
+* service_mesh/v2x/ossm-federation.adoc
+////
+
+[id="ossm-federation-config-import_{context}"]
+= Importing a service into a federated mesh
+
+Importing services lets you explicitly specify which services exported from another mesh should be accessible within your service mesh.
+
+//Insert ImportedServiceSet diagram here
+
+You use an `ImportedServiceSet` resource to select services for import. Only services exported by a mesh peer and explicitly imported are available to the mesh. Services that you do not explicitly import are not made available within the mesh.
+
+* You can select services by namespace or name.
+* You can use wildcards to select services, for example, to import all the services that were exported to the namespace.
+* You can select services for export using a label selector, which may be global to the mesh, or scoped to a specific member namespace.
+* You can import services using an alias. For example, you can import the `custom-ns/bar` service as `other-mesh/bar`.
+// Need non foo/bar example above
+* You can specify a custom domain suffix, which will be appended to the `name.namespace` of an imported service for its fully qualified domain name; for example, `bar.other-mesh.imported.local`.
+
+The following example is for the `green-mesh` importing a service that was exported by `red-mesh`.
+
+.Example ImportServiceSet
+[source,yaml]
+----
+kind: ImportedServiceSet
+apiVersion: federation.maistra.io/v1
+metadata:
+  name: red-mesh #name of mesh that exported the service
+  namespace: green-mesh-system #mesh namespace that service is being imported into
+spec:
+  importRules: # first matching rule is used
+  # import ratings.bookinfo as ratings.bookinfo
+  - type: NameSelector
+    nameSelector:
+      importAsLocal: false
+      namespace: bookinfo
+      name: ratings
+      alias:
+        # service will be imported as ratings.bookinfo.svc.red-mesh-imports.local
+        namespace: bookinfo
+        name: ratings
+----
+
+.ImportServiceSet parameters
+[options="header"]
+[cols="l, a, a"]
+|===
+|Parameter |Description |Values
+|metadata:
+  name:
+|Name of the ServiceMeshPeer that exported the service to the federated mesh.
+|
+
+|metadata:
+  namespace:
+|Name of the namespace containing the ServiceMeshPeer resource (the mesh system namespace).
+|
+
+|spec:
+  importRules:
+    -type:
+|Type of rule that will govern the import for the service. The first matching rule found for the service will be used for the import.
+|`NameSelector`
+
+|spec:
+  importRules:
+    -type: NameSelector:
+      namespace:
+      name:
+|To create a `NameSelector` rule, specify the `namespace` of the service and the `name` of the service, as defined in the `Deployment` resource.
+|
+
+|spec:
+  importRules:
+    -type: NameSelector:
+      importAsLocal:
+|Set to `true` to aggregate remote endpoint with local services. When `true`, services will be imported as `<name>.<namespace>.svc.cluster.local`
+|`true`/`false`
+
+|spec:
+  importRules:
+    -type: NameSelector:
+      importAsLocal:
+      namespace:
+      name:
+      alias:
+|To create a `NameSelector` rule that uses an alias for the service, after specifying the `namespace` and `name` for the service, then specify the alias for the `namespace` and the alias to be used for `name` of the service.
+|
+|===
+
+
+//PLEASE CHECK MY EXAMPLES
+
+.Import the "bookinfo/ratings" service from the red-mesh into blue-mesh
+[source,yaml]
+----
+kind: ImportedServiceSet
+apiVersion: federation.maistra.io/v1
+metadata:
+  name: red-mesh
+  namespace: blue-mesh-system
+spec:
+  importRules:
+  - type: NameSelector
+    nameSelector:
+      importAsLocal: false
+      namespace: bookinfo
+      name: ratings
+----
+
+.Import all services from the red-mesh's west-data-center namespace into the green-mesh. These services will be accessible as <name>.west-data-center.svc.red-mesh-imports.local
+[source,yaml]
+----
+kind: ImportedServiceSet
+apiVersion: federation.maistra.io/v1
+metadata:
+  name: red-mesh
+  namespace: green-mesh-system
+spec:
+  importRules:
+  - type: NameSelector
+    nameSelector:
+      importAsLocal: false
+      namespace: west-data-center
+      name: *
+----

modules/ossm-federation-create-export.adoc

@@ -0,0 +1,111 @@
+////
+This module included in the following assemblies:
+* service_mesh/v2x/ossm-federation.adoc
+////
+
+[id="ossm-federation-create-export_{context}"]
+= Creating an ExportedServiceSet
+
+You create an `ExportedServiceSet` resource to explicitly declare the services that you want to be available to a mesh peer.
+
+Services are exported as `<export-name>.<export-namespace>.svc.<ServiceMeshPeer.name>-exports.local` and will automatically route to the target service.  This is the name by which the exported service is known in the exporting mesh. When the ingress gateway receives a request destined for this name, it will be routed to the actual service being exported. For example, if a service named `ratings.red-mesh-bookinfo` is exported to `green-mesh` as `ratings.bookinfo`, the service will be exported under the name `ratings.bookinfo.svc.green-mesh-exports.local`, and traffic received by the ingress gateway for that hostname will be routed to the `ratings.red-mesh-bookinfo` service.
+
+.Prerequisites
+
+* The cluster and `ServiceMeshControlPlane` have been configured for mesh federation.
+* An account with the `cluster-admin` role.
+
+[NOTE]
+====
+You can configure services for export even if they don't exist yet. When a service that matches the value specified in the ExportedServiceSet is deployed, it will be automatically exported.
+====
+
+////
+.Procedure from the Console
+This is conjecture about what the flow might look like.
+
+Follow this procedure to create an `ExportServiceSet` with the web console. This example shows the red-mesh exporting the ratings service from the bookinfo application to the green-mesh.
+
+. Log in to the {product-title} web console as a user with the cluster-admin role.
+. Navigate to *Operators* → *Installed Operators*.
+. Click the *Project* menu and select the project where you installed the control plane for the mesh that will export services. For example, `red-mesh-system`.
+. Click the {ProductName} Operator, then click *Istio Service Mesh ExportedServiceSet*.
+. On the *Istio Service Mesh ExportedServiceSet* tab, click *Create ExportedServiceSet*.
+. On the *Create ExportedServiceSet* page, click *YAML* to modify your configuration.
+. Modify the default configuration with values for your export.
+. Click *Create*. The Operator creates the export based on your configuration parameters.
+. To verify the `ExportedServiceSet` resource was created, click the *Istio Service Mesh ExportedServiceSet* tab.
+.. Click the name of the new `ExportedServiceSet`; for example, `export-to-green-mesh`.
+.. Click the *Resources* tab to see the `ExportedServiceSet` resource the Operator created and configured.
+////
+
+.Procedure from the CLI
+
+//NEED TO TEST THIS
+Follow this procedure to create an `ExportServiceSet` from the command line.
+
+. Log in to the {product-title} CLI as a user with the `cluster-admin` role. Enter the following command. Then, enter your username and password when prompted.
++
+[source,terminal]
+----
+$ oc login --username=<NAMEOFUSER> <API token> https://{HOSTNAME}:6443
+----
++
+. Change to the project where you installed the control plane; for example, `red-mesh-system`.
++
+[source,terminal]
+----
+$ oc project red-mesh-system
+----
++
+. Create an `ExportServiceSet` file based on the following example where `red-mesh` is exporting services to `green-mesh`.
++
+.Example ExportServiceSet resource from red-mesh to green-mesh
+[source,yaml]
+----
+apiVersion: federation.maistra.io/v1
+kind: ExportedServiceSet
+metadata:
+  name: green-mesh
+  namespace: red-mesh-system
+spec:
+  exportRules:
+  - type: NameSelector
+    nameSelector:
+      name:
+        namespace: red-mesh-bookinfo
+        name: red-ratings
+      alias:
+        Namespace: bookinfo
+        name: ratings
+----
++
+. Run the following command to upload and create the `ExportServiceSet` resource in the red-mesh-system namespace.
++
+[source,terminal]
+----
+$ oc create -n <ControlPlaneNamespace> -f <ExportServiceSet.yaml>
+----
++
+For example:
++
+[source,terminal]
+----
+$ oc create -n red-mesh-system -f export-to-green-mesh.yaml
+----
++
+. Create additional `ExportServiceSets` as needed for each mesh peer in your federated mesh.
+//TODO - Add sample output after the validation
+. To validate the services you've exported from `red-mesh` to share with `green-mesh`, run the following command:
++
+[source,terminal]
+----
+$ oc get exportedserviceset <PeerMeshExportedTo> -o yaml |yaml
+----
++
+For example:
++
+[source,terminal]
+----
+$ oc get exportedserviceset green-mesh -o yaml |yaml
+----