English

Installing a multi-primary multi-network mesh

Install Istio in the multi-primary multi-network topology on two clusters.

NOTE

In this procedure, CLUSTER1 is the East cluster and CLUSTER2 is the West cluster.

You can adapt these instructions for a mesh spanning more than two clusters.

Topology

Service workloads across cluster boundaries communicate indirectly, via dedicated gateways for east-west traffic. The gateway in each cluster must be reachable from the other cluster.

Multi-Primary Multi-Network Topology

Prerequisites

You have installed the Alauda Container Platform Networking for Multus plugin all of the clusters that comprise the mesh.
You have installed the Alauda Service Mesh v2 Operator on all of the clusters that comprise the mesh.
You have completed Creating certificates for a multi-cluster mesh.
You have completed Applying certificates to a multi-cluster topology.
You have istioctl installed locally so that you can use to run these instructions.

Procedure

Create an `ISTIO_VERSION` environment variable that defines the Istio version to install

export ISTIO_VERSION=1.26.3

Install Istio on the East cluster

Create an Istio resource on the East cluster by running the following command:

cat <<EOF | kubectl --context "${CTX_CLUSTER1}" apply -f -
apiVersion: sailoperator.io/v1
kind: Istio
metadata:
  name: default
spec:
  version: v${ISTIO_VERSION}
  namespace: istio-system
  values:
    global:
      meshID: mesh1
      network: network1
      multiCluster:
        clusterName: cluster1
EOF

Wait for the control plane to return the Ready status condition by running the following command:

kubectl --context "${CTX_CLUSTER1}" wait --for condition=Ready istio/default --timeout=3m

Create an East-West gateway on the East cluster by running the following command:

Click to expand

kubectl --context "${CTX_CLUSTER1}" apply -f https://raw.githubusercontent.com/alauda-mesh/sail-operator/main/docs/deployment-models/resources/east-west-gateway-net1.yaml

Expose the services through the gateway by running the following command:

Click to expand

kubectl --context "${CTX_CLUSTER1}" apply -n istio-system -f https://raw.githubusercontent.com/alauda-mesh/sail-operator/main/docs/deployment-models/resources/expose-services.yaml

Install Istio on the West cluster

Create an Istio resource on the West cluster by running the following command:

cat <<EOF | kubectl --context "${CTX_CLUSTER2}" apply -f -
apiVersion: sailoperator.io/v1
kind: Istio
metadata:
  name: default
spec:
  version: v${ISTIO_VERSION}
  namespace: istio-system
  values:
    global:
      meshID: mesh1
      network: network2
      multiCluster:
        clusterName: cluster2
EOF

Wait for the control plane to return the Ready status condition by running the following command:

kubectl --context "${CTX_CLUSTER2}" wait --for condition=Ready istio/default --timeout=3m

Create an East-West gateway on the West cluster by running the following command:

kubectl --context "${CTX_CLUSTER2}" apply -f https://raw.githubusercontent.com/alauda-mesh/sail-operator/main/docs/deployment-models/resources/east-west-gateway-net2.yaml

Expose the services through the gateway by running the following command:

kubectl --context "${CTX_CLUSTER2}" apply -n istio-system -f https://raw.githubusercontent.com/alauda-mesh/sail-operator/main/docs/deployment-models/resources/expose-services.yaml

Create the `istio-reader-service-account` service account for the East cluster

kubectl --context="${CTX_CLUSTER1}" create serviceaccount istio-reader-service-account -n istio-system

Create the `istio-reader-service-account` service account for the West cluster

kubectl --context="${CTX_CLUSTER2}" create serviceaccount istio-reader-service-account -n istio-system

Add the `cluster-reader` role to the East cluster

kubectl --context="${CTX_CLUSTER1}" create clusterrolebinding cluster-reader-istio-reader-sa \
  --clusterrole=cluster-reader \
  --serviceaccount=istio-system:istio-reader-service-account

Add the `cluster-reader` role to the West cluster

kubectl --context="${CTX_CLUSTER2}" create clusterrolebinding cluster-reader-istio-reader-sa \
  --clusterrole=cluster-reader \
  --serviceaccount=istio-system:istio-reader-service-account

Install a remote secret on the East cluster that provides access to the API server on the West cluster

istioctl create-remote-secret \
  --context="${CTX_CLUSTER2}" \
  --name=cluster2 \
  --create-service-account=false | \
  kubectl --context="${CTX_CLUSTER1}" apply -f -

Install a remote secret on the West cluster that provides access to the API server on the East cluster

istioctl create-remote-secret \
  --context="${CTX_CLUSTER1}" \
  --name=cluster1 \
  --create-service-account=false | \
  kubectl --context="${CTX_CLUSTER2}" apply -f -

#Installing a multi-primary multi-network mesh

#TOC

#Procedure

#Create an ISTIO_VERSION environment variable that defines the Istio version to install

#Install Istio on the East cluster

#Install Istio on the West cluster

#Create the istio-reader-service-account service account for the East cluster

#Create the istio-reader-service-account service account for the West cluster

#Add the cluster-reader role to the East cluster

#Add the cluster-reader role to the West cluster

#Install a remote secret on the East cluster that provides access to the API server on the West cluster

#Install a remote secret on the West cluster that provides access to the API server on the East cluster