C Integrating Aspen with Binding Support Function

Perform the following steps to integrate Aspen service mesh with Binding Support Function (BSF):

  1. To create a privileged pod security policy for the BSF namespace bsfaspen, create a YAML file (bsf.priv.yaml) using the following sample code:
    # Permit access to all service accounts in the namespace.
    apiVersion: rbac.authorization.k8s.io/v1
    kind: RoleBinding
    metadata:
      name: "psp:bsfaspen:cs-restricted"
      namespace: "bsfaspen"
    roleRef:
      kind: ClusterRole
      apiGroup: rbac.authorization.k8s.io
      name: "psp:privileged"
    subjects:
    - kind: Group
      apiGroup: rbac.authorization.k8s.io
      name: "system:serviceaccounts"
  2. Add DestinationRules for the MySQL and Prometheus services so that the bsfaspen namespace can be enabled for Istio injection; the rules disable TLS toward these services. To do so, create a YAML file (aspendestinationrule.yaml) using the following sample code:
    apiVersion: networking.istio.io/v1alpha3
    kind: DestinationRule
    metadata:
      name: mysql-mysql
      namespace: bsfaspen
    spec:
      host: "mysql.mysql.mysqlaspen.svc.cluster.local"
      trafficPolicy:
        tls:
          mode: DISABLE
    
    ---
    
    apiVersion: networking.istio.io/v1alpha3
    kind: DestinationRule
    metadata:
      name: prometheus
      namespace: pcfaspen
    spec:
      host: "prometheus-server.infra.svc.cluster.local"
      trafficPolicy:
        tls:
          mode: DISABLE

    Apply the configuration in the aspendestinationrule.yaml file by entering the following command:

    kubectl apply -f aspendestinationrule.yaml

    Note:

    You may ignore these destination rules if you are deploying Aspen without mTLS.

    Then, run the following command on every MySQL node and enter the password at the prompt (mysqladmin does not accept a space between -p and the password; a separate "password" argument would be parsed as the mysqladmin password command):

    mysqladmin -h 127.0.0.1 -u "<username>" -p flush-hosts
  3. Create the bsfaspen namespace and label it for Istio sidecar injection by running the following commands:
    kubectl create ns bsfaspen
    kubectl label --overwrite namespace bsfaspen istio-injection=enabled
  4. Create the secrets for the privileged and application database users by running the following commands:
    kubectl create -f priv-secret.yaml -n bsfaspen;
    kubectl create -f secret.yaml -n bsfaspen;
  5. Create the privileged pod security policy for the namespace created in step 3 by running the following command:
    kubectl create -f bsf.priv.yaml -n bsfaspen;
  6. Set the initContainerEnable flag to false in the custom values file of occnp:
    global:
      initContainerEnable: false

    See Customizing Binding Support Function for detailed instructions on how to customize the custom values file of BSF.

  7. Note:

    Skip this step if you are using CNC Console to access cm-service.

    Add a policy so that cm-service accepts both mTLS-encrypted and clear-text traffic (PERMISSIVE mode). To do so, create a YAML file (aspenpolicy.yaml) using the following sample code:
    apiVersion: "authentication.istio.io/v1alpha1"
    kind: Policy
    metadata:
      name: cmservice
      namespace: bsf-namespace
    spec:
      targets:
      - name: cm-service-load-balancer-service-name
      peers:
      - mtls:
          mode: PERMISSIVE
    Apply the configuration in the aspenpolicy.yaml file by entering the following command:
    kubectl apply -f aspenpolicy.yaml
  8. Then, perform the steps listed under Installation Procedure to install Binding Support Function (BSF).

Verify Aspen service mesh

After successfully installing Aspen mesh, make sure to verify:
  • All pods contain a sidecar proxy container. Check each pod by running the following command:
    kubectl describe pod <pod-name> -n <namespace>

    Note:

    Perform this step for all pods.
  • Internal traffic is flowing between the BSF services within the BSF namespace.

    Note:

    To perform this step, you must sign in to Aspen user interface.
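The first check above has to be repeated for every pod. The following script is an added example (not part of the Oracle BSF documentation) that automates it offline: it takes the pod-to-container listing that kubectl's jsonpath output would produce, reports pods without the istio-proxy sidecar, and checks the namespace's istio-injection label. The namespace name bsfaspen and the pod names in the sample are assumed or constructed.

```shell
#!/bin/sh
# Added example, not from the Oracle BSF documentation: offline check that every pod
# in the BSF namespace carries the istio-proxy sidecar injected by Aspen, and that
# the namespace label still requests injection.
#
# On a live cluster the inputs would come from (namespace bsfaspen assumed):
#   kubectl get pods -n bsfaspen -o jsonpath='{range .items[*]}{.metadata.name}{"\t"}{.spec.containers[*].name}{"\n"}{end}'
#   kubectl get ns bsfaspen -o jsonpath='{.metadata.labels.istio-injection}'
#
# Constructed sample of the first command's output (pod names are made up):
# one line per pod, "<pod-name><TAB><space-separated container names>".
SAMPLE_PODS=$(printf '%s\t%s\n' \
    bsf-cm-service-7d9f-abc12    'cm-service istio-proxy' \
    bsf-diam-gateway-5c8d-def34  'diam-gateway istio-proxy' \
    bsf-query-service-6b7a-ghi56 'query-service' \
    bsf-mgmt-service-4e2c-jkl78  'mgmt-service istio-proxy')

TAB=$(printf '\t')

# Print, one per line, the names of pods whose container list lacks istio-proxy.
pods_missing_sidecar() {
    printf '%s\n' "$1" | awk -F "$TAB" '
        NF >= 2 {
            found = 0
            n = split($2, c, " ")
            for (i = 1; i <= n; i++) if (c[i] == "istio-proxy") found = 1
            if (!found) print $1
        }'
}

# Exit status 0 when every pod has the sidecar, 1 otherwise (usable in CI gates).
all_pods_have_sidecar() {
    [ -z "$(pods_missing_sidecar "$1")" ]
}

# Exit status 0 when the istio-injection label value is exactly "enabled"
# (an empty value, as set when disabling the mesh, fails the check).
namespace_injection_enabled() {
    [ "$1" = "enabled" ]
}

if all_pods_have_sidecar "$SAMPLE_PODS"; then
    echo "all pods carry the istio-proxy sidecar"
else
    echo "pods without the istio-proxy sidecar:"
    pods_missing_sidecar "$SAMPLE_PODS"
fi
```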

Disabling Aspen service mesh

To disable Aspen service mesh, perform the following steps:
  1. Remove the enabled value from the istio-injection label of the BSF namespace, leaving the label empty, by running the following command:
    kubectl label --overwrite namespace <bsf-namespace> istio-injection=
  2. Restart all BSF pods. The new pods will contain only the service containers.
    kubectl delete pods --all -n <bsf-namespace>