2025-02-25 Update From: SLTechnology News&Howtos
Shulou(Shulou.com)06/01 Report--
This article explains how to use Istio 1.6 to manage microservices in multiple clusters. Many people run into this problem in real deployments, so let's walk through how to handle it.
If you work in a typical enterprise, you work with multiple teams, each delivering independent software that together forms an application. Your team follows the microservice architecture and has an extensive infrastructure made up of multiple Kubernetes clusters.
Because microservices are distributed across multiple clusters, you need to design a solution to manage all of them centrally. Fortunately, you are using Istio, and providing this solution is just another configuration change.
Service mesh technologies such as Istio help you securely discover and connect microservices distributed across multiple clusters and environments. Today we'll talk about using Istio to manage microservices hosted in multiple Kubernetes clusters.
Architecture description
Istio uses the following components to provide cross-cluster service discovery:
Istio CoreDNS: each Istio control plane has a CoreDNS. Istio uses it to discover services defined on the global scope. For example, if a microservice hosted on cluster 1 needs to connect to another microservice hosted on cluster 2, you need to make a global entry on Istio CoreDNS for the microservice running on cluster 2.
Root CA: because Istio needs to establish mTLS connections between services running on different clusters, you need to generate intermediate CA certificates for both clusters using a shared Root CA. This establishes trust between microservices running on different clusters because the intermediate CAs share the same Root CA.
Istio Ingress gateway: the communication between clusters is carried out through the Ingress gateway, and there is no direct connection between services. Therefore, make sure that the Ingress gateway is discoverable and that all clusters can connect to it.
Service discovery
Istio uses the following steps to facilitate service discovery:
Each cluster runs an identical control plane to promote high availability.
Kube DNS and Istio CoreDNS are the fulcrum to provide global service discovery.
The user defines the route for the remote service through the ServiceEntries in Istio CoreDNS, in the format name.namespace.global.
The source sidecar uses a global CoreDNS entry to route traffic to the destination Istio Ingress gateway.
The destination Istio Ingress gateway routes traffic to the correct micro-service pod.
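The `name.namespace.global` entry from the steps above, as an added example that is not part of the original article: a shell function that renders the ServiceEntry and rejects malformed names. The service `httpbin`, namespace `bar`, placeholder address `240.0.0.2`, gateway address `203.0.113.10` and gateway port `15443` are assumptions chosen for illustration.

```shell
#!/usr/bin/env bash
# Added example (not from the article): render the ServiceEntry that makes a
# remote service resolvable as <name>.<namespace>.global.
set -eu

is_dns_label() {   # RFC 1123 label: lowercase alphanumerics and '-', max 63 chars
  printf '%s' "$1" | grep -Eq '^[a-z0-9]([-a-z0-9]{0,61}[a-z0-9])?$'
}

# $1 service  $2 namespace  $3 service port  $4 placeholder VIP  $5 remote gateway address
render_global_service_entry() {
  is_dns_label "$1" && is_dns_label "$2" || { echo "invalid name or namespace" >&2; return 1; }
  case "$3" in ''|*[!0-9]*) echo "port must be numeric" >&2; return 1;; esac
  cat <<EOF
apiVersion: networking.istio.io/v1alpha3
kind: ServiceEntry
metadata:
  name: $1-$2
spec:
  hosts:
  - $1.$2.global          # name.namespace.global, answered by Istio CoreDNS
  location: MESH_INTERNAL # remote service is treated as part of the mesh, so mTLS applies
  ports:
  - name: http1
    number: $3
    protocol: http
  resolution: DNS
  addresses:
  - $4                    # placeholder address the source sidecar captures
  endpoints:
  - address: $5           # Ingress gateway of the destination cluster
    ports:
      http1: 15443        # assumed: the gateway's mTLS passthrough port
EOF
}

# Constructed sample values; pipe the output to "kubectl apply -f -" on the source cluster.
render_global_service_entry httpbin bar 8000 240.0.0.2 203.0.113.10
```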
Preparation in advance
This article assumes that you already have a basic understanding of Kubernetes and how Istio works. To follow along with the demonstration, make sure that:
You have at least two Kubernetes clusters, and the version of Kubernetes is 1.14, 1.15 or 1.16
You have permission to install and configure Istio in the cluster
You have cluster administration permissions on both Kubernetes clusters.
Ingress gateways can connect to other clusters through a network load balancer or similar configuration. A flat network is unnecessary.
Install Istio
On both clusters, install Istio 1.6.1 using the following command:
curl -L https://istio.io/downloadIstio | ISTIO_VERSION=1.6.1 sh -
cd istio-1.6.1
export PATH=$PWD/bin:$PATH
Since we need an intermediate certificate generated from the shared root certificate to start our Istio service mesh, we use the intermediate certificate to create a secret.
In this example, we use the sample certificate provided. However, I do not recommend that you use these certificates in production, as they are generally readily available and well known. It is best to use your organization's Root CA to generate intermediate CA certificates.
Run the following command on both clusters to use the sample certificate. If you are using your certificate, please replace the applicable file path.
kubectl create namespace istio-system
kubectl create secret generic cacerts -n istio-system \
    --from-file=samples/certs/ca-cert.pem \
    --from-file=samples/certs/ca-key.pem \
    --from-file=samples/certs/root-cert.pem \
    --from-file=samples/certs/cert-chain.pem
secret/cacerts created
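For the recommendation above to issue intermediate CAs from your own root instead of the sample certificates, the following is an added example, not code from the article or from Istio: it creates a throwaway root as a stand-in for your organization's Root CA, issues one intermediate per cluster, and checks that each set of `cacerts` files is consistent. The directory layout, subject names and cluster names are constructed.

```shell
#!/usr/bin/env bash
# Added example (not from the article): one shared root, one intermediate CA per
# cluster, written out as the four files the cacerts secret expects.
set -eu

make_root() {                      # $1 = work dir; stand-in for your organization's Root CA
  mkdir -p "$1"
  cat > "$1/ca.cnf" <<'EOF'
[req]
distinguished_name = dn
[dn]
[v3_root]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
[v3_int]
basicConstraints = critical,CA:TRUE,pathlen:0
keyUsage = critical,keyCertSign,cRLSign
EOF
  openssl req -x509 -newkey rsa:2048 -nodes -days 3650 -config "$1/ca.cnf" \
    -extensions v3_root -subj "/O=Example Org/CN=Example Root CA" \
    -keyout "$1/root-key.pem" -out "$1/root-cert.pem" 2>/dev/null
}

make_cluster_ca() {                # $1 = work dir, $2 = cluster name (constructed)
  c="$1/$2"; mkdir -p "$c"
  openssl req -new -newkey rsa:2048 -nodes -config "$1/ca.cnf" \
    -subj "/O=Example Org/CN=Intermediate CA $2" \
    -keyout "$c/ca-key.pem" -out "$c/ca.csr" 2>/dev/null
  openssl x509 -req -in "$c/ca.csr" -CA "$1/root-cert.pem" -CAkey "$1/root-key.pem" \
    -CAcreateserial -days 730 -extfile "$1/ca.cnf" -extensions v3_int \
    -out "$c/ca-cert.pem" 2>/dev/null
  cp "$1/root-cert.pem" "$c/root-cert.pem"
  cat "$c/ca-cert.pem" "$1/root-cert.pem" > "$c/cert-chain.pem"
}

check_cacerts() {                  # $1 = cluster dir, $2 = shared root certificate
  openssl verify -CAfile "$2" "$1/ca-cert.pem" >/dev/null 2>&1 || return 1
  # ca-key.pem must be the private key for ca-cert.pem
  [ "$(openssl pkey -in "$1/ca-key.pem" -pubout | openssl sha256)" = \
    "$(openssl x509 -in "$1/ca-cert.pem" -noout -pubkey | openssl sha256)" ] || return 2
  # every cluster must ship the same root, or cross-cluster mTLS will not validate
  cmp -s "$1/root-cert.pem" "$2" || return 3
}

work="$(mktemp -d)"
make_root "$work"
for cl in cluster1 cluster2; do
  make_cluster_ca "$work" "$cl"
  check_cacerts "$work/$cl" "$work/root-cert.pem" && echo "$cl: chains to the shared root"
done
```

Only the four files in each cluster directory go into that cluster's `cacerts` secret; `root-key.pem` stays out of the clusters.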
Since we need to install Istio for multi-cluster setup, we use the provided Istio multi-cluster gateway manifest file on both clusters.
$ istioctl manifest apply -f install/kubernetes/operator/examples/multicluster/values-istio-multicluster-gateways.yaml
- Applying manifest for component Base...
✔ Finished applying manifest for component Base.
- Applying manifest for component Pilot...
✔ Finished applying manifest for component Pilot.
  Waiting for resources to become ready...
- Applying manifest for component AddonComponents...
- Applying manifest for component IngressGateways...
- Applying manifest for component EgressGateways...
✔ Finished applying manifest for component EgressGateways.
✔ Finished applying manifest for component IngressGateways.
✔ Finished applying manifest for component AddonComponents.
✔ Installation complete
Configure KubeDNS
The next step is to federate DNS resolution from Kube DNS to Istio CoreDNS. Let's configure a stub domain by defining a ConfigMap for kube-dns. Apply the following manifest on both clusters:
$ kubectl apply -f -