Skip to content

Commit

Permalink
Automated merge
Browse files Browse the repository at this point in the history
* upstream/main:
  Rework Multi-Primary documentation (istio-ecosystem#456)
  • Loading branch information
openshift-service-mesh-bot committed Oct 31, 2024
2 parents 536ee6a + fbdb22d commit 4653edd
Showing 1 changed file with 134 additions and 44 deletions.
178 changes: 134 additions & 44 deletions docs/README.md
Original file line number Diff line number Diff line change
Expand Up @@ -490,54 +490,117 @@ You can use the Sail Operator and the Sail CRDs to manage a multi-cluster Istio

These steps are common to every multi-cluster deployment and should be completed *after* meeting the prerequisites but *before* starting on a specific deployment model.

1. Setup env vars.
1. Setup environment variables.

```sh
export CTX_CLUSTER1=<cluster1-ctx>
export CTX_CLUSTER2=<cluster2-ctx>
export ISTIO_VERSION=1.23.0
export ISTIO_VERSION=1.23.2
```

2. Create `istio-system` namespace on each cluster.

```sh
kubectl get ns istio-system --context "${CTX_CLUSTER1}" || kubectl create namespace istio-system --context "${CTX_CLUSTER1}"
kubectl get ns istio-system --context "${CTX_CLUSTER2}" || kubectl create namespace istio-system --context "${CTX_CLUSTER2}"
```

4. Create a shared root certificate.

If you have [established trust](https://istio.io/latest/docs/setup/install/multicluster/before-you-begin/#configure-trust) between your clusters already you can skip this and the following steps.

```sh
kubectl get ns istio-system --context "${CTX_CLUSTER2}" || kubectl create namespace istio-system --context "${CTX_CLUSTER2}"
```
openssl genrsa -out root-key.pem 4096
cat <<EOF > root-ca.conf
[ req ]
encrypt_key = no
prompt = no
utf8 = yes
default_md = sha256
default_bits = 4096
req_extensions = req_ext
x509_extensions = req_ext
distinguished_name = req_dn
[ req_ext ]
subjectKeyIdentifier = hash
basicConstraints = critical, CA:true
keyUsage = critical, digitalSignature, nonRepudiation, keyEncipherment, keyCertSign
[ req_dn ]
O = Istio
CN = Root CA
EOF
3. Create shared trust and add intermediate CAs to each cluster.
openssl req -sha256 -new -key root-key.pem \
-config root-ca.conf \
-out root-cert.csr
If you already have a [shared trust](https://istio.io/latest/docs/setup/install/multicluster/before-you-begin/#configure-trust) for each cluster you can skip this. Otherwise, you can use the instructions below to create a shared trust and push the intermediate CAs into your clusters.
openssl x509 -req -sha256 -days 3650 \
-signkey root-key.pem \
-extensions req_ext -extfile root-ca.conf \
-in root-cert.csr \
-out root-cert.pem
```
5. Create intermediate certiciates.

Create a self signed root CA and intermediate CAs.
```sh
mkdir -p certs
pushd certs
curl -fsL -o common.mk "https://raw.githubusercontent.com/istio/istio/${ISTIO_VERSION}/tools/certs/common.mk"
curl -fsL -o Makefile.selfsigned.mk "https://raw.githubusercontent.com/istio/istio/${ISTIO_VERSION}/tools/certs/Makefile.selfsigned.mk"
make -f Makefile.selfsigned.mk root-ca
make -f Makefile.selfsigned.mk east-cacerts
make -f Makefile.selfsigned.mk west-cacerts
popd
for cluster in west east; do
mkdir $cluster
openssl genrsa -out ${cluster}/ca-key.pem 4096
cat <<EOF > ${cluster}/intermediate.conf
[ req ]
encrypt_key = no
prompt = no
utf8 = yes
default_md = sha256
default_bits = 4096
req_extensions = req_ext
x509_extensions = req_ext
distinguished_name = req_dn
[ req_ext ]
subjectKeyIdentifier = hash
basicConstraints = critical, CA:true, pathlen:0
keyUsage = critical, digitalSignature, nonRepudiation, keyEncipherment, keyCertSign
subjectAltName=@san
[ san ]
DNS.1 = istiod.istio-system.svc
[ req_dn ]
O = Istio
CN = Intermediate CA
L = $cluster
EOF
openssl req -new -config ${cluster}/intermediate.conf \
-key ${cluster}/ca-key.pem \
-out ${cluster}/cluster-ca.csr
openssl x509 -req -sha256 -days 3650 \
-CA root-cert.pem \
-CAkey root-key.pem -CAcreateserial \
-extensions req_ext -extfile ${cluster}/intermediate.conf \
-in ${cluster}/cluster-ca.csr \
-out ${cluster}/ca-cert.pem
cat ${cluster}/ca-cert.pem root-cert.pem \
> ${cluster}/cert-chain.pem
cp root-cert.pem ${cluster}
done
```

Push the intermediate CAs to each cluster.
6. Push the intermediate CAs to each cluster.
```sh
kubectl --context "${CTX_CLUSTER1}" label namespace istio-system topology.istio.io/network=network1
kubectl get secret -n istio-system --context "${CTX_CLUSTER1}" cacerts || kubectl create secret generic cacerts -n istio-system --context "${CTX_CLUSTER1}" \
--from-file=certs/east/ca-cert.pem \
--from-file=certs/east/ca-key.pem \
--from-file=certs/east/root-cert.pem \
--from-file=certs/east/cert-chain.pem
--from-file=east/ca-cert.pem \
--from-file=east/ca-key.pem \
--from-file=east/root-cert.pem \
--from-file=east/cert-chain.pem
kubectl --context "${CTX_CLUSTER2}" label namespace istio-system topology.istio.io/network=network2
kubectl get secret -n istio-system --context "${CTX_CLUSTER2}" cacerts || kubectl create secret generic cacerts -n istio-system --context "${CTX_CLUSTER2}" \
--from-file=certs/west/ca-cert.pem \
--from-file=certs/west/ca-key.pem \
--from-file=certs/west/root-cert.pem \
--from-file=certs/west/cert-chain.pem
--from-file=west/ca-cert.pem \
--from-file=west/ca-key.pem \
--from-file=west/root-cert.pem \
--from-file=west/cert-chain.pem
```

### Multi-Primary - Multi-Network
Expand Down Expand Up @@ -566,22 +629,27 @@ These installation instructions are adapted from: https://istio.io/latest/docs/s
clusterName: cluster1
network: network1
EOF
```

2. Wait for the control plane to become ready.

```sh
kubectl wait --context "${CTX_CLUSTER1}" --for=condition=Ready istios/default --timeout=3m
```

2. Create east-west gateway on `cluster1`.
3. Create east-west gateway on `cluster1`.

```sh
kubectl apply --context "${CTX_CLUSTER1}" -f https://raw.githubusercontent.com/istio-ecosystem/sail-operator/main/docs/multicluster/east-west-gateway-net1.yaml
```

3. Expose services on `cluster1`.
4. Expose services on `cluster1`.

```sh
kubectl --context "${CTX_CLUSTER1}" apply -n istio-system -f https://raw.githubusercontent.com/istio-ecosystem/sail-operator/main/docs/multicluster/expose-services.yaml
```

4. Create `Istio` resource on `cluster2`.
5. Create `Istio` resource on `cluster2`.

```sh
kubectl apply --context "${CTX_CLUSTER2}" -f - <<EOF
Expand All @@ -599,22 +667,27 @@ These installation instructions are adapted from: https://istio.io/latest/docs/s
clusterName: cluster2
network: network2
EOF
```

6. Wait for the control plane to become ready.

```sh
kubectl wait --context "${CTX_CLUSTER2}" --for=jsonpath='{.status.revisions.ready}'=1 istios/default --timeout=3m
```

5. Create east-west gateway on `cluster2`.
7. Create east-west gateway on `cluster2`.

```sh
kubectl apply --context "${CTX_CLUSTER2}" -f https://raw.githubusercontent.com/istio-ecosystem/sail-operator/main/docs/multicluster/east-west-gateway-net2.yaml
```

6. Expose services on `cluster2`.
8. Expose services on `cluster2`.

```sh
kubectl --context "${CTX_CLUSTER2}" apply -n istio-system -f https://raw.githubusercontent.com/istio-ecosystem/sail-operator/main/docs/multicluster/expose-services.yaml
```

7. Install a remote secret in `cluster2` that provides access to the `cluster1` API server.
9. Install a remote secret in `cluster2` that provides access to the `cluster1` API server.

```sh
istioctl create-remote-secret \
Expand All @@ -634,7 +707,7 @@ These installation instructions are adapted from: https://istio.io/latest/docs/s
kubectl apply -f - --context "${CTX_CLUSTER2}"
```

8. Install a remote secret in `cluster1` that provides access to the `cluster2` API server.
10. Install a remote secret in `cluster1` that provides access to the `cluster2` API server.

```sh
istioctl create-remote-secret \
Expand All @@ -643,7 +716,7 @@ These installation instructions are adapted from: https://istio.io/latest/docs/s
kubectl apply -f - --context="${CTX_CLUSTER1}"
```

If using kind, first get the `cluster1` controlplane IP and pass the `--server` option to `istioctl create-remote-secret`
**If using kind**, first get the `cluster1` controlplane IP and pass the `--server` option to `istioctl create-remote-secret`

```sh
CLUSTER2_CONTAINER_IP=$(kubectl get nodes -l node-role.kubernetes.io/control-plane --context "${CTX_CLUSTER2}" -o jsonpath='{.items[0].status.addresses[?(@.type == "InternalIP")].address}')
Expand All @@ -654,11 +727,18 @@ These installation instructions are adapted from: https://istio.io/latest/docs/s
kubectl apply -f - --context "${CTX_CLUSTER1}"
```

9. Deploy sample applications to `cluster1`.
11. Create sample application namespaces in each cluster.

```sh
kubectl get ns sample --context "${CTX_CLUSTER1}" || kubectl create --context="${CTX_CLUSTER1}" namespace sample
kubectl label --context="${CTX_CLUSTER1}" namespace sample istio-injection=enabled
kubectl get ns sample --context "${CTX_CLUSTER2}" || kubectl create --context="${CTX_CLUSTER2}" namespace sample
kubectl label --context="${CTX_CLUSTER2}" namespace sample istio-injection=enabled
```

12. Deploy sample applications in `cluster1`.

```sh
kubectl apply --context="${CTX_CLUSTER1}" \
-f https://raw.githubusercontent.com/istio/istio/${ISTIO_VERSION}/samples/helloworld/helloworld.yaml \
-l service=helloworld -n sample
Expand All @@ -669,11 +749,9 @@ These installation instructions are adapted from: https://istio.io/latest/docs/s
-f https://raw.githubusercontent.com/istio/istio/${ISTIO_VERSION}/samples/sleep/sleep.yaml -n sample
```

10. Deploy sample applications to `cluster2`.
13. Deploy sample applications in `cluster2`.

```sh
kubectl get ns sample --context "${CTX_CLUSTER2}" || kubectl create --context="${CTX_CLUSTER2}" namespace sample
kubectl label --context="${CTX_CLUSTER2}" namespace sample istio-injection=enabled
kubectl apply --context="${CTX_CLUSTER2}" \
-f https://raw.githubusercontent.com/istio/istio/${ISTIO_VERSION}/samples/helloworld/helloworld.yaml \
-l service=helloworld -n sample
Expand All @@ -684,25 +762,37 @@ These installation instructions are adapted from: https://istio.io/latest/docs/s
-f https://raw.githubusercontent.com/istio/istio/${ISTIO_VERSION}/samples/sleep/sleep.yaml -n sample
```

11. Verify that you see a response from both v1 and v2.
14. Wait for the sample applications to be ready.
```sh
kubectl --context="${CTX_CLUSTER1}" wait --for condition=available -n sample deployment/helloworld-v1
kubectl --context="${CTX_CLUSTER2}" wait --for condition=available -n sample deployment/helloworld-v2
kubectl --context="${CTX_CLUSTER1}" wait --for condition=available -n sample deployment/sleep
kubectl --context="${CTX_CLUSTER2}" wait --for condition=available -n sample deployment/sleep
```

15. From `cluster1`, send 10 requests to the helloworld service. Verify that you see responses from both v1 and v2.

`cluster1` responds with v1 and v2
```sh
kubectl exec --context="${CTX_CLUSTER1}" -n sample -c sleep \
for i in {0..9}; do
kubectl exec --context="${CTX_CLUSTER1}" -n sample -c sleep \
"$(kubectl get pod --context="${CTX_CLUSTER1}" -n sample -l \
app=sleep -o jsonpath='{.items[0].metadata.name}')" \
-- curl -sS helloworld.sample:5000/hello
-- curl -sS helloworld.sample:5000/hello;
done
```

`cluster2` responds with v1 and v2
16. From `cluster2`, send another 10 requests to the helloworld service. Verify that you see responses from both v1 and v2.

```sh
kubectl exec --context="${CTX_CLUSTER2}" -n sample -c sleep \
for i in {0..9}; do
kubectl exec --context="${CTX_CLUSTER2}" -n sample -c sleep \
"$(kubectl get pod --context="${CTX_CLUSTER2}" -n sample -l \
app=sleep -o jsonpath='{.items[0].metadata.name}')" \
-- curl -sS helloworld.sample:5000/hello
-- curl -sS helloworld.sample:5000/hello;
done
```

12. Cleanup
17. Cleanup

```sh
kubectl delete istios default --context="${CTX_CLUSTER1}"
Expand Down

0 comments on commit 4653edd

Please sign in to comment.