Create a Public Service Using the CLI

You create a public service with the Tanzu CLI by describing its configuration in a YAML file and then applying the configuration file.

You must create the following manifests to describe the configuration of a public service:

A health check manifest. Defines the health check settings for the public service. Based on the health-check settings, Tanzu Service Mesh periodically sends requests to the service to check whether it is reachable and functional.

A public service manifest. Contains the general configuration details about the public service, including its name, the fully qualified domain name (FQDN) of the service, and its external port. For a GSLB-enabled public service, the public service manifest also contains the GSLB parameters.

A public service route manifest. Defines the name of the internal service associated with the public service and the internal port of the internal service. When a user makes a request to the public service, Tanzu Service routes the request to the internal service in the cluster for processing.

You must retrieve the template for each manifest from the Tanzu Service Mesh API, provide values for the fields in the manifest, and then combine the manifests in a single YAML file, called public service configuration file. Arrange the manifests in the public service configuration file in the following order:

Health check manifest
Public service manifest
Public service route manifest

You must then apply the resulting public service configuration file to your Tanzu Service Mesh tenant to create the public service based on the configuration.

Prerequisites

Become familiar with the concepts global namespace and public service in Tanzu Service Mesh. Also become familiar with the concepts of a GSLB-enabled public service and a non-GSLB public service.
Choose a fully qualified domain name (FQDN) at which the public service will be exposed. If this service is accessible from the Internet through a GSLB, it must be a valid FQDN that is resolvable on the Internet. If no GSLB integration exists or if the public service is not accessible from the outside, you can define any FQDN that is configured in your DNS.
(Only for a GSLB-enabled public service) In the configuration for a GSLB-enabled public service, you must include the ID of an external DNS account. For information on how to get an external DNS account ID, see Get an External DNS ID for a Public Service Configuration. For information about creating a DNS account with the CLI, see Create a DNS Account Using the CLI.
(Only for a GSLB-enabled public service) Become familiar with the following GSLB concepts that are used in Tanzu Service Mesh. For more information about these concepts, see Configure Global Load Balancing for Your Application in Tanzu Service Mesh.
- Global load balancing scheme (round robin, weighted, and active-passive)
- Health checks
(Only for a GSLB-enabled public service) If you want to use the weighted or active-passive (failover) global load balancing scheme for the public service, add the required labels to the service configuration on each cluster where the service is deployed. For instructions on how to add these labels, see Configure Global Load Balancing for Your Application in Tanzu Service Mesh.
If you want to expose the public service at an HTTPS URL, add the Transport Layer Security (TLS) certificate that you want to use for the service to Tanzu Service Mesh. You must provide the name of the certificate in the public service configuration. For information about adding a certificate to Tanzu Service Mesh, see Add a Certificate to Tanzu Service Mesh Using the CLI.

Important:

Make sure that the Common Name (CN) on the certificate is the same FQDN that you specify for the public service in the public service configuration YAML file.

Be familiar with the Kubernetes YAML manifest format.
Install the CLI.
Log in to the Tanzu Service Mesh CLI.

Procedure

Create a YAML file to contain the configuration of the public service.

The steps below refer to this file as the public service configuration file.
Retrieve the template for a health check manifest:
```
tanzu sm get spec healthchecks
```

Paste the health check manifest template into the public service configuration file that you created and provide values for the following health check settings.


Setting	Description
`projectId`	Name of the associated Tanzu Service Mesh project. Set to `default`.
`name` (under `name` and `spec`)	Provide a name to identify these health-check settings.
`protocol`	The protocol (HTTP or HTTPS) to use for health-check requests.
`domain`	The FQDN of the endpoint to which Tanzu Service Mesh will send health-check requests. By default, the domain is the FQDN of the public service in the public service manifest.
`port`	The internal port of the internal service. This port must be the same as the target_port in the public service route manifest.
`path`	The path to the endpoint for health-check requests. If you specify a path, Tanzu Service Mesh will send health-check requests to the endpoint that is determined as the FQDN (the value of `domain`) and the value of `path`. If you don’t want to specify a special path for the endpoint, set the default value `“/”`.
`healthThreshold`	The number of consecutive failed health checks for the service to be considered unhealthy, or the number of consecutive successful health checks for the service to be considered healthy. For example, set `healthThreshold` to `3`.
`certificate_id`	If `protocol` is `HTTPS`, provide the id of the certificate to use for HTTPS health checks. If `protocol` is `HTTP`, set this field to an empty string (""). Tip: To get a list of the IDs of all the certificates that exist in Tanzu Service Mesh, run: tanzu sm get certificate
`external_port`	The external port of the endpoint for health checks. If `protocol` is `HTTP`, set this field to `80`. If `protocol` is `HTTPS`, set this field to `443`.
`interval`	The amount of time between health-check requests in seconds. You can set `interval` to 10 seconds or 30 seconds. For example, if you specify 30 seconds, Tanzu Service Mesh will send health-check requests to the service every 30 seconds.

See an example of a health check manifest in the example public service configurations in the Example: Public Service Configuration Files section.

Retrieve the template for a public service manifest:
```
tanzu sm get spec publicservices
```

Paste the public service manifest template into the public service configuration file that you created and provide values for the following fields.


Field	Description
`gnsId`	The name of the global namespace that contains the public service configuration.
`projectId`	The associated Tanzu Service Mesh project. Set this field to `default`.
`name` (in metadata)	Set this field to the FQDN of the public service, that is, the value of the `fqdn` field in `spec`.
`external_port`	The external port at which the public service is exposed depending on the value of the `external_protocol` field in the public service manifest. If `external_protocol` is `HTTP`, set this field to `80`. If `external_protocol` is `HTTPS`, set this field to `443`.
`external_protocol`	The protocol at which the public service is exposed. Set to`HTTP` or`HTTPS`.
`fqdn`	The FQDN at which the public service is exposed. Make sure that this FQDN matches the values of the `primary_domain` and `sub_domain` under `public_domain`. See an example of an FQDN int the example public service configurations in the Example section.
`gslb`	This field contains the fields that describe the global load balancing (GSLB) configuration. For a non-GSLB public service, leave the `gslb` field blank. For a GSLB-enabled public service, provide values for the nested fields within the `gslb` field. See the descriptions below.
`type` (only a GSLB-enabled public service)	Specify the global load balancing (GSLB) scheme for the public service: `ROUND_ROBIN`, `WEIGHTED`, or `FAILOVER`. For a description of these GSLB schemes, see Configure Global Load Balancing for Your Application in Tanzu Service Mesh. On the destination documentation page, the FAILOVER GSLB scheme is referred to as the active-passive GSLB scheme.
`active_group` (only a GSLB-enabled public service)	If you set `type` to `FAILOVER`, under `label_values`, specify the service label for the active group of service instances and under type, specify the group loading balancing scheme (`ROUND_ROBIN` or `WEIGHTED`) for the active group instances. For detailed information about the parameters of the Failover (Active-Passive) GSLB scheme, see the description of Active-Passive in the table under step 3 in Create a Public Service. If you set `type` to `ROUND_ROBIN` or `WEIGHTED`, remove the `active_group` field.
`passive_group` (only a GSLB-enabled public service)	If you set type to `FAILOVER`, under `label_values`, specify the service label for the passive group of service instances and under type, specify the group loading balancing scheme (`ROUND_ROBIN` or `WEIGHTED`) for the passive group instances. For detailed information about the parameters of the Failover (Active-Passive) GSLB scheme, see the description of Active-Passive in the table under step 3 in Create a Public Service. If you set type to `ROUND_ROBIN` or `WEIGHTED`, remove the `passive_group` field.
`weighted_policy`	If you set type to `WEIGHTED`, under `label_to_weight`, for each service label in `label_value`, specify a weigh value in `weight`. For detailed information about the parameters of the WEIGHTED GSLB scheme, see the description of Weighted in the table under step 3 in Create a Public Service. If you set type to `ROUND_ROBIN` or `FAILOVER`, remove the `weighted_policy` field.
`ha_policy`	Deprecated field. Set this field to an empty string (“”).
`healthcheck_ids`	Set this field to the name of the health check in the health check manifest (the value of the `name` field).
`ingress_on_internal_gateways`	This field is currently not used. Remove it.
`name` (in `spec`)	Optionally provide a description for the public service or set this field to an empty string (“”).
`certificate_id`	If you set `external_protocol` for the public service to `HTTPS`, provide the name of the certificate that you want to use to secure connections to the public service. Tip: To get a list of the names of all the certificates that exist in Tanzu Service Mesh, run: tanzu sm get certificate
`external_dns_id` (only a GSLB-enabled public service)	Provide the name of the external DNS account to use for the public service. For a non-GSLB public service, remove this field. Tip: To get a list of the IDs of all the external DNS accounts in Tanzu Service Mesh, run: tanzu sm get externaldns
`primary_domain`	The primary domain in the FQDN of the public service.
`sub_domain`	The subdomain in the FQDN of the public service.
`ttl`	Specify in seconds how long the DNS resolver caches a query before requesting a new one. The default value is `300`.
`wildcard_certificate_id`	This field is currently not used. Set it to an empty string (“”).

See an example of a public service manifest in the example public service configurations in the Example: Public Service Configuration Files section.

Retrieve the template for a public service route manifest:
```
tanzu sm get spec publicserviceroute
```

Paste the public service route manifest template into the public service configuration file that you created and provide values for the following fields:


Field	Description
`fdqd`	The FQDN of the public service. This FQDN must be the same as the value of the `fqdn` field in the public service manifest.
`gnsId`	The name of the global namespace that contains the public service. This name must be the same as the value of the `gnsId` field in the public service manifest.
`name`	The name of the public service route configuration.
`paths`	This field is currently not used. Set it to the default value `"/"`.
`target`	The name of the internal service that processes requests sent to the public service.
`target_port`	The internal port at which the internal service is accessible in the cluster.

See an example of a public service route manifest in the example public service configurations in the Example: Public Service Configuration Files section.

Note:

Make sure that you put --- after the health check manifest and the public service manifest in the file.

Apply the resulting public service configuration YAML file:
```
tanzu sm apply -f {file-name.yaml}
```
The output contains messages that the specified health check, public service, and public service route were created.

Example: Public Service Configuration Files

Configuration for a non-GSLB public service

apiVersion: templates.tsm.vmware.com/v1
kind: HealthCheck
metadata:
  labels:
    projectId: default
  name: sample-healthcheck
spec:
  name: sample-healthcheck
  protocol: HTTP
  domain: my-subdomain.shopping.com
  port: 3000
  path: "/"
  healthThreshold: 3
  certificate_id: ""
  external_port: 80
  interval: 10
---
apiVersion: gns.tsm.vmware.com/v1
kind: PublicService
metadata:
  labels:
    gnsId: my-gns
    projectId: default
  name: my-subdomain.shopping.com
spec:
  fqdn: my-subdomain.shopping.com
  name: ""
  external_port: 80
  external_protocol: HTTP
  ttl: 300
  public_domain:
    primary_domain: shopping.com
    sub_domain: my-subdomain
    certificate_id: ""
  gslb:
  ha_policy: ""
  wildcard_certificate_id: ""
  healthcheck_ids:
  - sample-healthcheck
---
apiVersion: gns.tsm.vmware.com/v1
kind: PublicServiceRoute
metadata:
  labels:
    fqdn: my-subdomain.shopping.com
    gnsId: my-gns
    projectId: default
  name: my-sample-pub-svc.3000 
spec:
  paths:
  - "/"
  target: shopping
  target_port: 3000

Configuration for a GSLB-enabled public service

apiVersion: templates.tsm.vmware.com/v1
kind: HealthCheck
metadata:
  labels:
    projectId: default
  name: sample-healthcheck
spec:
  name: sample-healthcheck
  protocol: HTTP
  domain: my-subdomain.shopping.com
  port: 3000
  path: "/"
  healthThreshold: 3
  certificate_id: ""
  external_port: 80
  interval: 10
---
apiVersion: gns.tsm.vmware.com/v1
kind: PublicService
metadata:
  labels:
    gnsId: my-gns
    projectId: default
  name: my-subdomain.shopping.com
spec:
  fqdn: my-subdomain.shopping.com
  name: ""
  external_port: 443
  external_protocol: HTTPS
  ttl: 300
  public_domain:
    external_dns_id: 188aacb9-4503-486a-9818-653a9240ef7d
    primary_domain: shopping.com
    sub_domain: my-subdomain
    certificate_id: myHttpsCert
  gslb:
    type: ROUND_ROBIN
  ha_policy: ""
  wildcard_certificate_id: ""
  healthcheck_ids:
  - sample-healthcheck
---
apiVersion: gns.tsm.vmware.com/v1
kind: PublicServiceRoute
metadata:
  labels:
    fqdn: my-subdomain.shopping.com
    gnsId: my-gns
    projectId: default
  name: my-sample-pub-svc.3000 
spec:
  paths:
  - "/"
  target: shopping
  target_port: 3000

What to do next

To verify that the new public service was added to its global namespace in the Tanzu Service Mesh Сonsole, perform these steps:

Access the Tanzu Service Mesh Console.
In the navigation pane on the left, click Home.
On the GNS Overview tab, click the name of the global namespace that contains the public service.
On the global namespace details page, click the Public Services tab.
To view the details of the public service, including its configuration, click the name of the public service.

To edit the configuration of a public service, perform these steps:

Delete the public service from Tanzu Service Mesh, passing the name of the public service configuration YAML file in the tanzu sm delete command.
Recreate the configuration of the public service with the values you want in a YAML file by following the instructions in the procedure above.
Apply the configuration YAML file.

Note:

At the top of the public service details page, a health status of Syncing or Error is initially displayed for a new public service for a few minutes while the public service is starting, and Tanzu Service Mesh determines its health by sending health check requests to the endpoint specified in the health check manifest. If the public service responds successfully to the health check requests according to the specified health check settings, the health status Syncing or Error is no longer displayed.