English

Installing a primary-remote multi-network mesh

Install Istio in a primary-remote multi-network topology on two clusters.

NOTE

In this procedure, CLUSTER1 is the East cluster and CLUSTER2 is the West cluster. The East cluster is the primary cluster and the West cluster is the remote cluster.

You can adapt these instructions for a mesh spanning more than two clusters.

Topology

Service workloads across cluster boundaries communicate indirectly, via dedicated gateways for east-west traffic. The gateway in each cluster must be reachable from the other cluster.

Services in cluster2 will reach the control plane in cluster1 via the same east-west gateway.

Primary-Remote Multi-Network Topology

Prerequisites

You have installed the Alauda Container Platform Networking for Multus plugin all of the clusters that comprise the mesh.
You have installed the Alauda Service Mesh v2 Operator on all of the clusters that comprise the mesh.
You have completed Creating certificates for a multi-cluster mesh.
You have completed Applying certificates to a multi-cluster topology.
You have istioctl installed locally so that you can use to run these instructions.

Procedure

Create an `ISTIO_VERSION` environment variable that defines the Istio version to install

export ISTIO_VERSION=1.26.3

Install Istio on the East cluster

Set the default network for the East cluster by running the following command:

kubectl --context="${CTX_CLUSTER1}" label namespace istio-system topology.istio.io/network=network1

Create an Istio resource on the East cluster by running the following command:

Save the following Istio resource to istio-external.yaml:

istio-external.yaml

apiVersion: sailoperator.io/v1
kind: Istio
metadata:
  name: default
spec:
  version: v${ISTIO_VERSION}
  namespace: istio-system
  values:
    global:
      meshID: mesh1
      multiCluster:
        clusterName: cluster1
      network: network1
      externalIstiod: true

This enables the control plane installed on the East cluster to serve as an external control plane for other remote clusters.

Using kubectl to apply the Istio resource:

envsubst < istio-external.yaml | kubectl --context "${CTX_CLUSTER1}" apply -f -

Wait for the control plane to return the "Ready" status condition by running the following command:
```
kubectl --context "${CTX_CLUSTER1}" wait --for condition=Ready istio/default --timeout=3m
```

Create an East-West gateway on the East cluster by running the following command:

kubectl --context "${CTX_CLUSTER1}" apply -f https://raw.githubusercontent.com/alauda-mesh/sail-operator/main/docs/deployment-models/resources/east-west-gateway-net1.yaml

Expose the control plane through the gateway so that services in the West cluster can access the control plane by running the following command:

kubectl --context "${CTX_CLUSTER1}" apply -n istio-system -f https://raw.githubusercontent.com/alauda-mesh/sail-operator/main/docs/deployment-models/resources/expose-istiod.yaml

Expose the application services through the gateway by running the following command:

kubectl --context "${CTX_CLUSTER1}" apply -n istio-system -f https://raw.githubusercontent.com/alauda-mesh/sail-operator/main/docs/deployment-models/resources/expose-services.yaml

Install Istio on the West cluster

Save the IP address of the East-West gateway running in the East cluster by running the following command:

export DISCOVERY_ADDRESS=$(kubectl --context="${CTX_CLUSTER1}" \
   -n istio-system get svc istio-eastwestgateway \
   -o jsonpath='{.status.loadBalancer.ingress[0].ip}')

Create an Istio resource on the West cluster by running the following command:

cat <<EOF | kubectl --context "${CTX_CLUSTER2}" apply -f -
apiVersion: sailoperator.io/v1
kind: Istio
metadata:
  name: default
spec:
  version: v${ISTIO_VERSION}
  namespace: istio-system
  profile: remote
  values:
    istiodRemote:
      injectionPath: /inject/cluster/cluster2/net/network2
    global:
      remotePilotAddress: ${DISCOVERY_ADDRESS}
EOF

Annotate the istio-system namespace in the West cluster so that it is managed by the control plane in the East cluster by running the following command:
```
kubectl --context="${CTX_CLUSTER2}" annotate namespace istio-system topology.istio.io/controlPlaneClusters=cluster1
```

Set the default network for the West cluster by running the following command:

kubectl --context="${CTX_CLUSTER2}" label namespace istio-system topology.istio.io/network=network2

Install a remote secret on the East cluster that provides access to the API server on the West cluster by running the following command:

istioctl create-remote-secret \
  --context="${CTX_CLUSTER2}" \
  --name=cluster2 | \
  kubectl --context="${CTX_CLUSTER1}" apply -f -

Wait for the Istio resource to return the "Ready" status condition by running the following command:
```
kubectl --context "${CTX_CLUSTER2}" wait --for condition=Ready istio/default --timeout=3m
```
Create an East-West gateway on the West cluster by running the following command:
```
kubectl --context "${CTX_CLUSTER2}" apply -f https://raw.githubusercontent.com/alauda-mesh/sail-operator/main/docs/deployment-models/resources/east-west-gateway-net2.yaml
```
NOTE
Since the West cluster is installed with a remote profile, exposing the application services on the East cluster exposes them on the East-West gateways of both clusters.

#Installing a primary-remote multi-network mesh

#TOC

#Procedure

#Create an ISTIO_VERSION environment variable that defines the Istio version to install

#Install Istio on the East cluster

#Install Istio on the West cluster

Installing a primary-remote multi-network mesh

TOC

Procedure

Create an `ISTIO_VERSION` environment variable that defines the Istio version to install

Install Istio on the East cluster

Install Istio on the West cluster