From 326415787113d0197eda80a4baa34b583197b9d7 Mon Sep 17 00:00:00 2001 From: kchiranjewee63 Date: Fri, 26 Jul 2024 16:41:25 -0400 Subject: [PATCH] Refactor intro page --- content/docs/_index.md | 32 ++++++++++++++++++++------------ 1 file changed, 20 insertions(+), 12 deletions(-) diff --git a/content/docs/_index.md b/content/docs/_index.md index 1445c33..bca79b2 100644 --- a/content/docs/_index.md +++ b/content/docs/_index.md @@ -12,27 +12,35 @@ weight: 1 } -Welcome to the documentation for Tratteria, an open-source Transaction Tokens (TraTs) Service. TraTs are short-lived JWTs that assure identity and context in a microservices call chain. Learn more about TraTs [here](/docs/transaction-token). The example below describes the salient features of a TraT: +Welcome to the documentation for Tratteria, an open-source Transaction Tokens (TraTs) Service. This guide will help you understand what Tratteria is, how it works, and how to implement it in your microservices architecture. -What Is a TraT - -## Tratteria approach -Tratteria provides two ways of verifying TraTs: An interception option and a delegation option -* **The interception option**: Enables existing applications to adopt TraTs without (almost) any code changes. It injects Tratteria sidecar containers into each Kubernetes pod, and the application continues to operate the way it used to, except the path, query and body of each call are verified against an associated TraT. +## TraT - If a service needs to forward a TraT to a downstream service, then it needs to add the `Txn-token` HTTP header and include the TraT as the value of that header in outbound calls. If a microservice does not make any downstream calls, then it does not need to change. +TraTs (Transaction Tokens) are short-lived JWTs that assure identity and context in a microservices call chain. Learn more about TraTs [here](/docs/transaction-token). The example below describes the salient features of a TraT: -* **The delegation approach**: In this approach, the application explicitly calls the Tratteria agent within its Kubernetes pod to verify TraTs. As a result, the application needs to make this change to its code to use Tratteria. This approach is more secure, because it does not suffer from the [sidecar bypass attack](https://github.com/istio/istio/discussions/48994) that Kubernetes sidecars in general suffer from. In addition, a delegation based approach allows the application to pack the call parameter information in the Txn-Token header, and can potentially eliminate having to send it separately through query parameters or the body. +What Is a TraT -## Tratteria architecture +## Tratteria Architecture -Tratteria is designed to facilitate secure and convenient TraTs issuance and verification in microservices systems. +Tratteria is designed to facilitate secure and convenient TraT issuance and verification in microservices systems. It involves the Tratteria Service for issuing TraTs, the Tratteria Agent sidecar for verifying TraTs, and Tratteria Kubernetes resources for specifying generation and verification rules for TraTs. Tratteria Workflow
-Tratteria supports TraTs generation and verification using Kubernetes resources and Tratteria sidecar agents. Tratteria lets you define how to generate the TraT for an external API and how to verify the TraT for the resulting internal requests of the external API. Additionally, Tratteria supports access evaluation for external APIs. +## Tratteria Modes + +Tratteria can operate in two modes: + +* **The Interception Mode**: Enables existing applications to adopt TraTs without (almost) any code changes. It injects Tratteria Agent sidecar containers into Kubernetes pods, and the application continues to operate the way it used to, except the path, query and body of each call are verified against an associated TraT. + + If a service needs to forward a TraT to a downstream service, then it needs to add the `Txn-token` HTTP header and include the TraT as the value of that header in outbound calls. If a microservice does not make any downstream calls, then it does not need to change. + +* **The Delegation Mode**: In this approach, the application explicitly calls the Tratteria Agent within its Kubernetes pod to verify TraTs. As a result, the application needs to make this change to its code to use Tratteria. This approach is more secure, because it does not suffer from the [sidecar bypass attack](https://github.com/istio/istio/discussions/48994) that Kubernetes sidecars in general suffer from. In addition, a delegation based approach allows the application to pack the call parameter information in the Txn-Token header, and can potentially eliminate having to send it separately through query parameters or the body. + +## Tratteria Resource + +Tratteria lets you define how to generate the TraT for an external API and how to verify the TraT for the resulting internal requests of the external API using Kubernetes resources. Additionally, it supports specifying access evaluation for external APIs. Below is a sample Tratteria Kubernetes resource for the `POST api/order/trade/{#stockId}` external API. Hover your mouse over the text below to find out more about what each line means: @@ -121,7 +129,7 @@ pre { azdMapping: stockId: required: trueAs noted above, the stocks service overrides defaults for TraT verification - value: "{$id}"List of services that use this TraT type. They may use defaults specified above or override them. + value: "{$id}"The list of microservice APIs that are invoked while processing this external API. They may use defaults specified above or override them. accessEvaluation: subject: id: "${subject_token.email}"