Multi cluster setup with istio

openssl req -newkey rsa:2048 -nodes -keyout root-key.pem -x509 -days 36500 -out root-cert.pem
openssl genrsa -out ca-key.pem 2048
openssl req -new -key ca-key.pem -out ca-cert.csr -sha256
openssl x509 -req -days 36500 -in ca-cert.csr -sha256 -CA root-cert.pem -CAkey root-key.pem -CAcreateserial -out ca-cert.pem -extensions v3_req
cp ca-cert.pem cert-chain.pem
kubectl create secret generic cacerts -n istio-system \
--from-file=cluster1/ca-cert.pem \
--from-file=cluster1/ca-key.pem \
--from-file=cluster1/root-cert.pem \
--from-file=cluster1/cert-chain.pem
# default1.yaml
...
meshConfig:
  proxyMetadata:
    ISTIO_META_DNS_CAPTURE: "true"
    ISTIO_META_DNS_AUTO_ALLOCATE: "true"
...
global:
  meshID: mesh1
  multiCluster:
    enabled: true
    clusterName: cluster1
  network: network1
...
# default2.yaml
...
meshConfig:
  proxyMetadata:
    ISTIO_META_DNS_CAPTURE: "true"
    ISTIO_META_DNS_AUTO_ALLOCATE: "true"
...
global:
  meshID: mesh1
  multiCluster:
    enabled: true
    clusterName: cluster2
  network: network1
...
# cluster 1
istioctl manifest install -f default1.yaml
# cluster 2
istioctl manifest install -f default2.yaml
kubectl -n istio-system get pods
NAME                                    READY   STATUS    RESTARTS   AGE
istio-egressgateway-6c9c945447-wq4qf    1/1     Running   0          46h
istio-ingressgateway-6f9c7ffd8b-fsfqv   1/1     Running   0          46h
istiod-67fb45b754-dktvh                 1/1     Running   0          46h
# --name is the name of the cluster whose credentials go into the secret,
# so cluster 1's secret is named cluster1 and is applied to cluster 2, and vice versa
bin/istioctl x create-remote-secret \
    --context="<context_name_1>" \
    --name=cluster1 | \
    kubectl apply -f - --context="<context_name_2>"
bin/istioctl x create-remote-secret \
    --context="<context_name_2>" \
    --name=cluster2 | \
    kubectl apply -f - --context="<context_name_1>"
kubectl -n istio-system get secret istio-remote-secret-<name>  -o yaml
# Cluster 1
kubectl label namespace test istio-injection=enabled --overwrite
# Cluster 2
kubectl label namespace secure istio-injection=enabled --overwrite
# Cluster 1
kubectl -n test create deploy shell --image=nginx --port 80
# Cluster 2
kubectl -n secure create deploy lax --image=nginx --port 80
kubectl -n secure expose deploy lax
istiod-67fb45b754-dktvh discovery 2021-10-18T07:58:08.700207Z info ads Full push, new service secure/lax.secure.svc.cluster.local
istiod-67fb45b754-dktvh discovery 2021-10-18T07:58:08.700221Z info ads Full push, service accounts changed, lax.secure.svc.cluster.local
kubectl -n test exec shell-646599f59c-r2s6r -- curl lax.secure.svc.cluster.local -s
<!DOCTYPE html>
<html>
<head>
<title>Welcome to nginx!</title>
<style>
apiVersion: "security.istio.io/v1beta1"
kind: "PeerAuthentication"
metadata:
  name: mtls
  namespace: test
spec:
  mtls:
    mode: STRICT
apiVersion: "security.istio.io/v1beta1"
kind: "PeerAuthentication"
metadata:
  name: mtls
  namespace: secure
spec:
  mtls:
    mode: STRICT
kubectl -n test exec shell-646599f59c-r2s6r -- curl lax.secure.svc.cluster.local -s
<!DOCTYPE html>
<html>
<head>
<title>Welcome to nginx!</title>
kubectl -n secure create deploy lax --image=nginx --port 80
kubectl -n secure expose deploy lax
  1. I tried this on an existing cluster that did not have this configured originally. These steps all work, but I needed to restart the pod for it to take effect. New services seem to work fine after that, though.
  2. You should see the discovered endpoint using istioctl; if it's not in there, then Istio can't discover it and route traffic to it. Check the logs and/or firewall settings.
istioctl pc all shell-646599f59c-r2s6r -n test | grep lax
lax.secure.svc.cluster.local                                                80        -          outbound      EDS
172.20.218.71  80    Trans: raw_buffer; App: HTTP                                             Route: lax.secure.svc.cluster.local:80
172.20.218.71  80    ALL                                                                      Cluster: outbound|80||lax.secure.svc.cluster.local
istioctl pc all <pod> | grep -i ROOTCA
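The two checks in points 1 and 2 above can be scripted. This is an added example, not code from the original post: it parses the `istioctl pc endpoint` and `istioctl pc secret` tables for a HEALTHY endpoint to the remote service and for a ROOTCA that is identical in both clusters (a different ROOTCA serial means the cacerts secret was not shared and cross-cluster mTLS will fail). It assumes the post's names (pod `shell` in `test`, service `lax` in `secure` on port 80), `istioctl` on the PATH, and two kube contexts passed as arguments.

```shell
#!/bin/sh
# Added example (not from the original post). Assumed names: deployment "shell"
# in namespace "test", service lax.secure.svc.cluster.local:80, contexts as $1/$2.

# Count HEALTHY endpoints for one Envoy cluster in `istioctl pc endpoint` output.
# $1 = captured table, $2 = cluster name, e.g. outbound|80||lax.secure.svc.cluster.local
healthy_endpoints() {
  printf '%s\n' "$1" | awk -v c="$2" '$NF == c && $2 == "HEALTHY" { n++ } END { print n + 0 }'
}

# Print the ROOTCA serial from `istioctl pc secret` output (empty if no ACTIVE root CA).
rootca_serial() {
  printf '%s\n' "$1" | awk '$1 == "ROOTCA" && $3 == "ACTIVE" { print $5 }'
}

# Succeed only when both sidecars have an ACTIVE ROOTCA and the serials match.
same_root_ca() {
  a=$(rootca_serial "$1"); b=$(rootca_serial "$2")
  if [ -n "$a" ] && [ "$a" = "$b" ]; then return 0; else return 1; fi
}

# Live check against the two clusters (only runs when two contexts are given).
check_cross_cluster() {
  ctx1=$1; ctx2=$2
  pod1=$(kubectl --context "$ctx1" -n test get pod -l app=shell -o jsonpath='{.items[0].metadata.name}')
  pod2=$(kubectl --context "$ctx2" -n secure get pod -l app=lax -o jsonpath='{.items[0].metadata.name}')
  ep=$(istioctl --context "$ctx1" pc endpoint "$pod1" -n test)
  n=$(healthy_endpoints "$ep" 'outbound|80||lax.secure.svc.cluster.local')
  [ "$n" -gt 0 ] || { echo "no HEALTHY endpoint for lax in $ctx1: check remote secret and firewall"; return 1; }
  s1=$(istioctl --context "$ctx1" pc secret "$pod1" -n test)
  s2=$(istioctl --context "$ctx2" pc secret "$pod2" -n secure)
  same_root_ca "$s1" "$s2" || { echo "ROOTCA differs between clusters: cacerts secret not shared"; return 1; }
  echo "cross-cluster mTLS prerequisites OK: $n healthy endpoint(s), shared ROOTCA"
}

if [ "$#" -ge 2 ]; then check_cross_cluster "$1" "$2"; fi
```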

Chris Haessig
DevOps Engineer