sridhargaddam/istio-workspace

istio-workspace

📝 This is a continuation of the work from Jacek Ewertowski and includes steps to verify the following use-cases in a multi-mesh deployment.

Setup KIND clusters with locality info configured on the nodes.

  1. Create the first cluster with region set to east and two nodes in different zones.
kind create cluster --config=east-cluster.yaml
  2. Create a second cluster with region configured as west and a single node with zone set to zone3.
kind create cluster --config=west-cluster.yaml
  3. Set up contexts:
kind get kubeconfig --name east > east.kubeconfig
alias keast="KUBECONFIG=$(pwd)/east.kubeconfig kubectl"
kind get kubeconfig --name west > west.kubeconfig
alias kwest="KUBECONFIG=$(pwd)/west.kubeconfig kubectl"
  4. Install MetalLB on both clusters and configure IP address pools:
keast apply -f https://raw.githubusercontent.com/metallb/metallb/v0.13.7/config/manifests/metallb-native.yaml
kwest apply -f https://raw.githubusercontent.com/metallb/metallb/v0.13.7/config/manifests/metallb-native.yaml

Before creating the IPAddressPool, look up the subnet of the kind network so the CIDRs can be derived from it:

docker network inspect -f '{{.IPAM.Config}}' kind

Define the east and west CIDRs as subnets of the kind network. For example, if the kind subnet is 172.18.0.0/16, the east network could be 172.18.64.0/18 and the west network could be 172.18.128.0/18, which will not overlap with node IPs.

The slash before the network mask must be escaped so that the CIDR can be used in the sed expression, e.g. 172.18.64.0\/18.

export EAST_CLUSTER_CIDR="172.18.64.0\/18"
export WEST_CLUSTER_CIDR="172.18.128.0\/18"
sed "s/{{.cidr}}/$EAST_CLUSTER_CIDR/g" ip-address-pool.tmpl.yaml | keast apply -n metallb-system -f -
sed "s/{{.cidr}}/$WEST_CLUSTER_CIDR/g" ip-address-pool.tmpl.yaml | kwest apply -n metallb-system -f -

Trust model

  1. Download tools for certificate generation:
wget https://raw.githubusercontent.com/istio/istio/release-1.21/tools/certs/common.mk -O common.mk
wget https://raw.githubusercontent.com/istio/istio/release-1.21/tools/certs/Makefile.selfsigned.mk -O Makefile.selfsigned.mk

Common root

  1. Generate certificates for east and west clusters:
make -f Makefile.selfsigned.mk \
  ROOTCA_CN="East Root CA" \
  ROOTCA_ORG=my-company.org \
  root-ca
make -f Makefile.selfsigned.mk \
  INTERMEDIATE_CN="East Intermediate CA" \
  INTERMEDIATE_ORG=my-company.org \
  east-cacerts
make -f Makefile.selfsigned.mk \
  INTERMEDIATE_CN="West Intermediate CA" \
  INTERMEDIATE_ORG=my-company.org \
  west-cacerts
make -f common.mk clean
  2. Create cacert secrets:
keast create namespace istio-system
keast create secret generic cacerts -n istio-system \
  --from-file=root-cert.pem=east/root-cert.pem \
  --from-file=ca-cert.pem=east/ca-cert.pem \
  --from-file=ca-key.pem=east/ca-key.pem \
  --from-file=cert-chain.pem=east/cert-chain.pem
kwest create namespace istio-system
kwest create secret generic cacerts -n istio-system \
  --from-file=root-cert.pem=west/root-cert.pem \
  --from-file=ca-cert.pem=west/ca-cert.pem \
  --from-file=ca-key.pem=west/ca-key.pem \
  --from-file=cert-chain.pem=west/cert-chain.pem

Install Istio

helm template -s templates/istio.yaml . \
  --set localCluster=east \
  --set remoteCluster=west \
  | istioctl --kubeconfig=east.kubeconfig install -y -f -
helm template -s templates/istio.yaml . \
  --set localCluster=west \
  --set remoteCluster=east \
  --set eastwestIngressEnabled=true \
  | istioctl --kubeconfig=west.kubeconfig install -y -f -

Try out

  1. Load-balancing in Mesh Federation
  2. Locality based load-balancing
  3. Importing a Service with multiple ports
  4. Using custom domains as part of service discovery
