2025-02-24 Update From: SLTechnology News&Howtos
Shulou(Shulou.com)05/31 Report--
This article explains how to use Istio for multi-cluster deployment management.
In a multi-control-plane topology, each Kubernetes cluster installs the same Istio control plane, and each control plane manages only the service endpoints within its own cluster. Multiple clusters can be combined into a logically single service mesh by using Istio gateways, a common root certificate authority (CA), and ServiceEntry resources. This approach has no special network requirements and is therefore generally considered the simplest approach when there is no common network connectivity between Kubernetes clusters.
In this topology, cross-cluster communication requires mutual TLS connections between services. To enable mutual TLS communication between clusters, Citadel in each cluster is configured with an intermediate CA certificate generated by the shared root CA, as shown in the figure.
(Multiple control planes)
Deploying the control plane
For each cluster, an intermediate CA certificate for Citadel is generated from a shared root CA; the shared root is what enables mutual TLS communication across different clusters. For illustrative purposes, we will use the sample root CA certificate provided in the samples/certs directory of the Istio installation for two clusters. In a real deployment, you might use different CA certificates for each cluster, all signed by a common root CA.
Perform the following steps in each Kubernetes cluster to deploy the same Istio control plane configuration in all clusters.
Create a Kubernetes secret for the generated CA certificates using the following commands:
kubectl create namespace istio-system
kubectl create secret generic cacerts -n istio-system \
    --from-file=samples/certs/ca-cert.pem \
    --from-file=samples/certs/ca-key.pem \
    --from-file=samples/certs/root-cert.pem \
    --from-file=samples/certs/cert-chain.pem
Install Istio's CRDs and wait a few seconds for them to be committed to the Kubernetes API server, as follows:
for i in install/kubernetes/helm/istio-init/files/crd*yaml; do kubectl apply -f $i; done
Deploy the Istio control plane. If helm dependencies are missing or not up to date, they can be updated via helm dep update. Note that since istio-cni is not used, it can be temporarily removed from the dependency file requirements.yaml before performing the update. The commands are as follows:
helm template install/kubernetes/helm/istio --name istio --namespace istio-system \
    -f install/kubernetes/helm/istio/values-istio-multicluster-gateways.yaml > ./istio.yaml
kubectl apply -f ./istio.yaml
Ensure that the above steps are performed successfully in each Kubernetes cluster. The helm command that generates istio.yaml only needs to be executed once.
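For the real-deployment case mentioned above (a different intermediate CA per cluster, all signed by one common root), the following is an added example, not part of the original article or the Istio project. It matters because the key in samples/certs ships with every Istio download and is therefore public. The directory layout, subject names, key size and lifetimes are assumptions; the four output file names are the ones the cacerts secret expects.

```shell
#!/bin/sh
# Added example (not from the original article): one root CA, one intermediate
# CA per cluster, written under the four file names the cacerts secret expects.
# Subject names, directory layout, key size and lifetimes are assumptions.
set -eu
KEY_BITS="${KEY_BITS:-4096}"

write_cnf() {   # minimal OpenSSL config so the CA extensions are set explicitly
  cat > "$1" <<'EOF'
[req]
distinguished_name = dn
[dn]
[v3_root]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
[v3_cluster]
basicConstraints = critical,CA:TRUE,pathlen:0
keyUsage = critical,keyCertSign,cRLSign
EOF
}

make_root() (   # $1 = root dir; keep root-key.pem offline, never in a cluster
  mkdir -p "$1" && write_cnf "$1/ca.cnf"
  openssl req -x509 -config "$1/ca.cnf" -extensions v3_root -sha256 -days 3650 \
    -newkey "rsa:$KEY_BITS" -nodes -subj "/O=example/CN=mesh-root" \
    -keyout "$1/root-key.pem" -out "$1/root-cert.pem" 2>/dev/null
)

make_cluster_ca() (   # $1 = root dir, $2 = cluster name (output in $1/$2/)
  out="$1/$2"; mkdir -p "$out"
  openssl req -new -config "$1/ca.cnf" -newkey "rsa:$KEY_BITS" -nodes \
    -subj "/O=example/CN=$2-intermediate" \
    -keyout "$out/ca-key.pem" -out "$out/ca.csr" 2>/dev/null
  openssl x509 -req -in "$out/ca.csr" -CA "$1/root-cert.pem" \
    -CAkey "$1/root-key.pem" -CAcreateserial -extfile "$1/ca.cnf" \
    -extensions v3_cluster -sha256 -days 730 -out "$out/ca-cert.pem" 2>/dev/null
  cp "$1/root-cert.pem" "$out/root-cert.pem"
  cat "$out/ca-cert.pem" "$1/root-cert.pem" > "$out/cert-chain.pem"
  rm -f "$out/ca.csr"
)

verify_cluster_ca() (   # run before `kubectl create secret generic cacerts`
  out="$1/$2"
  cmp -s "$1/root-cert.pem" "$out/root-cert.pem" || exit 1      # same root?
  openssl verify -CAfile "$out/root-cert.pem" "$out/ca-cert.pem" \
    >/dev/null 2>&1 || exit 1                                   # chains to root?
  [ "$(openssl x509 -in "$out/ca-cert.pem" -noout -pubkey)" = \
    "$(openssl pkey -in "$out/ca-key.pem" -pubout)" ]           # key matches cert?
)
```

Call make_root once, then make_cluster_ca and verify_cluster_ca once per cluster name. When verification succeeds, point the --from-file arguments of the cacerts secret at that cluster's directory instead of samples/certs.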
Setting up DNS
Providing DNS resolution for services in remote clusters allows existing applications to run without modification, since applications typically expect to resolve services by their DNS names and access the resulting IP addresses. Istio itself does not use DNS to route requests between services. Services in the same Kubernetes cluster share the same DNS suffix (e.g. svc.cluster.local), and Kubernetes DNS provides DNS resolution for these services. To provide a similar setup for services in remote clusters, the services in remote clusters are named in the format <name>.<namespace>.global.
Istio comes with a CoreDNS server that provides DNS resolution for these services. To take advantage of this DNS resolution capability, the Kubernetes DNS service needs to be configured to point to the CoreDNS service. The CoreDNS service will act as the DNS server for the .global DNS domain.
For clusters that use kube-dns, create the following ConfigMap or update the existing one:
kubectl apply -f -