Alauda Service Mesh v2 Docs

Multi-Cluster configuration overview

To configure a multi-cluster topology you must perform the following actions:

  • Install the Alauda Container Platform Networking for Multus plugin for each cluster.
  • Install the Alauda Service Mesh Operator for each cluster.
  • Create or have access to root and intermediate certificates for each cluster.
  • Apply the security certificates for each cluster.
  • Install Istio for each cluster.

TOC

Creating certificates for a multi-cluster mesh

Create the root and intermediate certificate authority (CA) certificates for two clusters.

Prerequisites

  • OpenSSL is installed locally.

Procedure

Create the root CA certificate

  1. Create a key for the root certificate by running the following command:

    openssl genrsa -out root-key.pem 4096

  2. Create an OpenSSL configuration certificate file named root-ca.conf for the root CA certificates:

    Example root certificate configuration file
    encrypt_key = no
prompt = no
utf8 = yes
default_md = sha256
default_bits = 4096
req_extensions = req_ext
x509_extensions = req_ext
distinguished_name = req_dn
[ req_ext ]
subjectKeyIdentifier = hash
basicConstraints = critical, CA:true
keyUsage = critical, digitalSignature, nonRepudiation, keyEncipherment, keyCertSign
[ req_dn ]
O = Istio
CN = Root CA

  3. Create the certificate signing request by running the following command:

    openssl req -sha256 -new -key root-key.pem \
    -config root-ca.conf \
    -out root-cert.csr

  4. Create a shared root certificate by running the following command:

    openssl x509 -req -sha256 -days 3650 \
    -signkey root-key.pem \
    -extensions req_ext -extfile root-ca.conf \
    -in root-cert.csr \
    -out root-cert.pem

Create the intermediate CA certificate for the East cluster

  1. Create a directory named east by running the following command:

    mkdir east

  2. Create a key for the intermediate certificate for the East cluster by running the following command:

    openssl genrsa -out east/ca-key.pem 4096

  3. Create an OpenSSL configuration file named intermediate.conf in the east/ directory for the intermediate certificate of the East cluster. Copy the following example file and save it locally:

    Example configuration file
    [ req ]
encrypt_key = no
prompt = no
utf8 = yes
default_md = sha256
default_bits = 4096
req_extensions = req_ext
x509_extensions = req_ext
distinguished_name = req_dn
[ req_ext ]
subjectKeyIdentifier = hash
basicConstraints = critical, CA:true, pathlen:0
keyUsage = critical, digitalSignature, nonRepudiation, keyEncipherment, keyCertSign
subjectAltName=@san
[ san ]
DNS.1 = istiod.istio-system.svc
[ req_dn ]
O = Istio
CN = Intermediate CA
L = east

  4. Create a certificate signing request by running the following command:

    openssl req -new -config east/intermediate.conf \
  -key east/ca-key.pem \
  -out east/cluster-ca.csr

  5. Create the intermediate CA certificate for the East cluster by running the following command:

    openssl x509 -req -sha256 -days 3650 \
  -CA root-cert.pem \
  -CAkey root-key.pem -CAcreateserial \
  -extensions req_ext -extfile east/intermediate.conf \
  -in east/cluster-ca.csr \
  -out east/ca-cert.pem

  6. Create a certificate chain from the intermediate and root CA certificate for the east cluster by running the following command:

    cat east/ca-cert.pem root-cert.pem > east/cert-chain.pem && cp root-cert.pem east

Create the intermediate CA certificate for the West cluster

  1. Create a directory named west by running the following command:

    mkdir west

  2. Create a key for the intermediate certificate for the West cluster by running the following command:

    openssl genrsa -out west/ca-key.pem 4096

  3. Create an OpenSSL configuration file named intermediate.conf in the west/ directory for the intermediate certificate of the West cluster. Copy the following example file and save it locally:

    Example configuration file
    [ req ]
encrypt_key = no
prompt = no
utf8 = yes
default_md = sha256
default_bits = 4096
req_extensions = req_ext
x509_extensions = req_ext
distinguished_name = req_dn
[ req_ext ]
subjectKeyIdentifier = hash
basicConstraints = critical, CA:true, pathlen:0
keyUsage = critical, digitalSignature, nonRepudiation, keyEncipherment, keyCertSign
subjectAltName=@san
[ san ]
DNS.1 = istiod.istio-system.svc
[ req_dn ]
O = Istio
CN = Intermediate CA
L = west

  4. Create a certificate signing request by running the following command:

    openssl req -new -config west/intermediate.conf \
  -key west/ca-key.pem \
  -out west/cluster-ca.csr

  5. Create the intermediate CA certificate for the West cluster by running the following command:

    openssl x509 -req -sha256 -days 3650 \
  -CA root-cert.pem \
  -CAkey root-key.pem -CAcreateserial \
  -extensions req_ext -extfile west/intermediate.conf \
  -in west/cluster-ca.csr \
  -out west/ca-cert.pem

  6. Create a certificate chain from the intermediate and root CA certificate for the west cluster by running the following command:

    cat west/ca-cert.pem root-cert.pem > west/cert-chain.pem && cp root-cert.pem west

Applying certificates to a multi-network multi-cluster mesh

Apply root and intermediate certificate authority (CA) certificates to the clusters in a multi-network multi-cluster topology.

NOTE

In this procedure, CLUSTER1 is the East cluster and CLUSTER2 is the West cluster.

Prerequisites

  • You have access to two clusters with external load balancer support.
  • You have created the root CA certificate and intermediate CA certificates for each cluster or someone has made them available for you.

Procedure

Environment Variables

The following environment variables will be used throughout to simplify the instructions:

VariableAliasDescription
CTX_CLUSTER1EastThe context name in the default Kubernetes configuration file used for accessing the cluster1 cluster.
CTX_CLUSTER2WestThe context name in the default Kubernetes configuration file used for accessing the cluster2 cluster.

Set the two variables before proceeding:

export CTX_CLUSTER1=<your cluster1 context>
export CTX_CLUSTER2=<your cluster2 context>

Apply the certificates to the East cluster of the multi-cluster topology

  1. Create a namespace called istio-system by running the following command:

    kubectl --context "${CTX_CLUSTER1}" create namespace istio-system

  2. Configure Istio to use network1 as the default network for the pods on the East cluster by running the following command:

    kubectl --context "${CTX_CLUSTER1}" label namespace istio-system topology.istio.io/network=network1

  3. Create the CA certificates, certificate chain, and the private key for Istio on the East cluster by running the following command:

    kubectl get secret -n istio-system --context "${CTX_CLUSTER1}" cacerts || kubectl create secret generic cacerts -n istio-system --context "${CTX_CLUSTER1}" \
  --from-file=east/ca-cert.pem \
  --from-file=east/ca-key.pem \
  --from-file=east/root-cert.pem \
  --from-file=east/cert-chain.pem
    NOTE

    If you followed the instructions in Creating certificates for a multi-cluster mesh, your certificates will reside in the east/ directory. If your certificates reside in a different directory, modify the syntax accordingly.

Apply the certificates to the West cluster of the multi-cluster topology

  1. Create a namespace called istio-system by running the following command:

    kubectl --context "${CTX_CLUSTER2}" create namespace istio-system

  2. Configure Istio to use network2 as the default network for the pods on the East cluster by running the following command:

    kubectl --context "${CTX_CLUSTER2}" label namespace istio-system topology.istio.io/network=network2

  3. Create the CA certificates, certificate chain, and the private key for Istio on the East cluster by running the following command:

    kubectl get secret -n istio-system --context "${CTX_CLUSTER2}" cacerts || kubectl create secret generic cacerts -n istio-system --context "${CTX_CLUSTER2}" \
  --from-file=west/ca-cert.pem \
  --from-file=west/ca-key.pem \
  --from-file=west/root-cert.pem \
  --from-file=west/cert-chain.pem
    NOTE

    If you followed the instructions in Creating certificates for a multi-cluster mesh, your certificates will reside in the west/ directory. If your certificates reside in a different directory, modify the syntax accordingly.

Next Steps

Install Istio on all the clusters comprising the mesh topology.