karmada/docs/working-with-istio-on-non-f...

270 lines
7.0 KiB
Markdown
Raw Blame History

This file contains ambiguous Unicode characters

This file contains Unicode characters that might be confused with other characters. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.

# working-with-istio-on-non-flat-network
This document uses an example to demonstrate how to use [Istio](https://istio.io/) on Karmada when the clusters reside
on the different networks.
Follow this guide to install the Istio control plane on `member1` (the primary cluster) and configure `member2` (the
remote cluster) to use the control plane in `member1`. All clusters reside on the different network, meaning there is
not direct connectivity between the pods in all clusters.
<image src="images/istio-on-karmada-different-network.png" caption="Istio on Karmada-different-network" />
***
The reason for deploying `istiod` on the `member1` is that `kiali` needs to be deployed on the same cluster as `istiod`
. If `istiod` and `kiali` are deployed on the `karmada-host`,`kiali` will not find the namespace created by `karmada`. It
cannot implement the function of service topology for application deployed by `karmada`. I will continue to provide a new
solution later that deploys `istiod` on the `karmada-host`.
***
## Install Karmada
### Install karmada control plane
Following the steps [Install karmada control plane](https://github.com/karmada-io/karmada#install-karmada-control-plane)
in Quick Start, you can get a Karmada.
## Deploy Istio
***
If you are testing multicluster setup on `kind` you can use [MetalLB](https://metallb.universe.tf/installation/) to make use of `EXTERNAL-IP` for `LoadBalancer` services.
***
### Install istioctl
Please refer to the [istioctl](https://istio.io/latest/docs/setup/getting-started/#download) Installation.
### Prepare CA certificates
Following the
steps [plug-in-certificates-and-key-into-the-cluster](https://istio.io/latest/docs/tasks/security/cert-management/plugin-ca-cert/#plug-in-certificates-and-key-into-the-cluster)
to configure Istio CA.
Replace the cluster name `cluster1` with `primary`, the output will looks like as following:
```bash
[root@vm1-su-001 istio-1.12.6]# tree certs/
certs/
├── primary
│   ├── ca-cert.pem
│   ├── ca-key.pem
│   ├── cert-chain.pem
│   └── root-cert.pem
├── root-ca.conf
├── root-cert.csr
├── root-cert.pem
├── root-cert.srl
└── root-key.pem
```
### Install Istio on karmada-apiserver
Export `KUBECONFIG` and switch to `karmada apiserver`:
```bash
export KUBECONFIG=$HOME/.kube/karmada.config
kubectl config use-context karmada-apiserver
```
Create a secret `cacerts` in `istio-system` namespace:
```bash
kubectl create namespace istio-system
kubectl create secret generic cacerts -n istio-system \
--from-file=certs/primary/ca-cert.pem \
--from-file=certs/primary/ca-key.pem \
--from-file=certs/primary/root-cert.pem \
--from-file=certs/primary/cert-chain.pem
```
Create a propagation policy for `cacerts` secret:
```bash
cat <<EOF | kubectl apply -f -
apiVersion: policy.karmada.io/v1alpha1
kind: PropagationPolicy
metadata:
name: cacerts-propagation
namespace: istio-system
spec:
resourceSelectors:
- apiVersion: v1
kind: Secret
name: cacerts
placement:
clusterAffinity:
clusterNames:
- member1
- member2
EOF
```
Override namespace `istio-system` label on `member1`:
```bash
cat <<EOF | kubectl apply -f -
apiVersion: policy.karmada.io/v1alpha1
kind: ClusterOverridePolicy
metadata:
name: istio-system-member1
spec:
resourceSelectors:
- apiVersion: v1
kind: Namespace
name: istio-system
overrideRules:
- targetCluster:
clusterNames:
- member1
overriders:
plaintext:
- path: "/metadata/labels"
operator: add
value:
topology.istio.io/network: network1
EOF
```
Override namespace `istio-system` label on `member2`:
```bash
cat <<EOF | kubectl apply -f -
apiVersion: policy.karmada.io/v1alpha1
kind: ClusterOverridePolicy
metadata:
name: istio-system-member2
spec:
resourceSelectors:
- apiVersion: v1
kind: Namespace
name: istio-system
overrideRules:
- targetCluster:
clusterNames:
- member2
overriders:
plaintext:
- path: "/metadata/labels"
operator: add
value:
topology.istio.io/network: network2
EOF
```
Run the following command to install istio CRDs on karmada apiserver:
```bash
istioctl manifest generate --set profile=external \
--set values.global.configCluster=true \
--set values.global.externalIstiod=false \
--set values.global.defaultPodDisruptionBudget.enabled=false \
--set values.telemetry.enabled=false | kubectl apply -f -
```
### Install Istiod on member1
1. Install istio control plane
Export `KUBECONFIG` and switch to `member1`:
```bash
export KUBECONFIG="$HOME/.kube/members.config"
kubectl config use-context member1
```
```bash
cat <<EOF | istioctl install -y -f -
apiVersion: install.istio.io/v1alpha1
kind: IstioOperator
spec:
meshConfig:
accessLogFile: /dev/stdout
values:
global:
meshID: mesh1
multiCluster:
clusterName: member1
network: network1
EOF
```
2. Install the east-west gateway in `member1`
```bash
samples/multicluster/gen-eastwest-gateway.sh --mesh mesh1 --cluster member1 --network network1 | istioctl install -y -f -
```
3. Expose the control plane and service in `member1`
```bash
kubectl apply -f samples/multicluster/expose-istiod.yaml -n istio-system
kubectl apply -f samples/multicluster/expose-services.yaml -n istio-system
```
### Configure `member2` as a remote cluster
1. Enable API ServerAccess to `member2`
switch to `member2`:
```bash
kubectl config use-context member2
```
Prepare member2 cluster secret
```bash
istioctl x create-remote-secret --name=member2 > istio-remote-secret-member2.yaml
```
Switch to `member1`:
```bash
kubectl config use-context member1
```
Apply istio remote secret
```bash
kubectl apply -f istio-remote-secret-member2.yaml
```
2. Configure member2 as a remote
Save the address of `member1`s east-west gateway
```bash
export DISCOVERY_ADDRESS=$(kubectl -n istio-system get svc istio-eastwestgateway -o jsonpath='{.status.loadBalancer.ingress[0].ip}')
```
Create a remote configuration on `member2`.
Switch to `member2`:
```bash
kubectl config use-context member2
```
```bash
cat <<EOF | istioctl install -y -f -
apiVersion: install.istio.io/v1alpha1
kind: IstioOperator
spec:
values:
global:
meshID: mesh1
multiCluster:
clusterName: member2
network: network2
remotePilotAddress: ${DISCOVERY_ADDRESS}
EOF
```
3. Install the east-west gateway in `member2`
```bash
samples/multicluster/gen-eastwest-gateway.sh --mesh mesh1 --cluster member2 --network network2 | istioctl install -y -f -
```
### Deploy bookinfo application
See module [Deploy bookinfo application](./working-with-istio-on-flat-network.md#deploy-bookinfo-application.md)