Version 1.9

Setting up a multi-cluster mesh on-premises

This guide explains how to set up Anthos Service Mesh with multiple Anthos clusters on VMware and on bare metal. You can extend this process to incorporate any number of clusters into your mesh.

A multi-cluster Anthos Service Mesh configuration can solve several crucial enterprise scenarios, such as scale, location, and isolation. For more information, see Multi-cluster use cases. In addition, you should optimize your applications to get the most benefit from a service mesh. For more information, see Preparing an application for Anthos Service Mesh.

Requirements

This guide assumes you are using new or existing clusters that were created by following the steps in Installing Anthos Service Mesh on premises.

  • The requirements for this guide are in addition to those listed in Installing Anthos Service Mesh on premises.

  • You will need the configuration package used previously to install Anthos Service Mesh on your cluster. If you need another copy, you can download it by using the command:

    kpt pkg get \
    https://github.com/GoogleCloudPlatform/anthos-service-mesh-packages.git/asm@release-1.9-asm asm
    

Installing the east-west gateway

  1. Install a gateway in cluster1 that is dedicated to east-west traffic. By default, this gateway will be public on the Internet. Production systems may require additional access restrictions, for example firewall rules, to prevent external attacks.

    asm/istio/expansion/gen-eastwest-gateway.sh \
    --mesh mesh1 --cluster cluster1 --network network1 --revision asm-195-2 | \
    istioctl --context="${CTX_CLUSTER1}" install -y -f -
    
  2. Install a gateway in cluster2 that is dedicated to east-west traffic for cluster1.

    asm/istio/expansion/gen-eastwest-gateway.sh \
    --mesh mesh1 --cluster cluster2 --network network2 --revision asm-195-2 | \
    istioctl --context="${CTX_CLUSTER2}" install -y -f -
    

Exposing services

Since the clusters are on separate networks, you need to expose all services (*.local) on the east-west gateway in both clusters. While this gateway is public on the Internet, services behind it can only be accessed by services with a trusted mTLS certificate and workload ID, just as if they were on the same network.

  1. Expose services via the east-west gateway for cluster1.

    kubectl --context="${CTX_CLUSTER1}" apply -n istio-system -f \
    asm/istio/expansion/expose-services.yaml
    
  2. Expose services via the east-west gateway for cluster2.

    kubectl --context="${CTX_CLUSTER2}" apply -n istio-system -f \
    asm/istio/expansion/expose-services.yaml
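
An audit of what the exposed gateway actually allows, added here as an example and not part of the Anthos Service Mesh package: it reads the JSON that `kubectl get gateway -A -o json` prints and flags any server bound to the east-west gateway selector (`istio: eastwestgateway`, the label gen-eastwest-gateway.sh is assumed to set) that is not TLS with AUTO_PASSTHROUGH, or that exposes hosts beyond *.local. The sample Gateway objects are constructed; the first matches expose-services.yaml, the second is a deliberately weak one.

```python
"""Audit Istio Gateway objects: the east-west gateway must expose only *.local
over TLS AUTO_PASSTHROUGH. Input is the JSON that `kubectl get gateway -A -o json` prints."""
import json
from typing import Dict, List

# Label gen-eastwest-gateway.sh puts on the east-west gateway pods (assumed here).
EASTWEST_SELECTOR = {"istio": "eastwestgateway"}
ALLOWED_HOSTS = {"*.local"}

def audit_gateway(gw: Dict) -> List[str]:
    """Return findings for one Gateway object; an empty list means it is fine."""
    findings: List[str] = []
    spec = gw.get("spec", {})
    if spec.get("selector") != EASTWEST_SELECTOR:
        return findings  # not bound to the east-west gateway: out of scope
    meta = gw.get("metadata", {})
    name = f'{meta.get("namespace", "?")}/{meta.get("name", "?")}'
    for server in spec.get("servers", []):
        port, tls = server.get("port", {}), server.get("tls", {})
        where = f'{name} port {port.get("number")}'
        # Only TLS AUTO_PASSTHROUGH carries the sidecar's mTLS end to end; anything
        # else terminates or bypasses it at the Internet-facing gateway.
        if port.get("protocol") != "TLS" or tls.get("mode") != "AUTO_PASSTHROUGH":
            findings.append(f"{where}: expected TLS/AUTO_PASSTHROUGH, got "
                            f"{port.get('protocol')}/{tls.get('mode')}")
        extra = set(server.get("hosts", [])) - ALLOWED_HOSTS
        if extra:
            findings.append(f"{where}: exposes hosts {sorted(extra)} beyond *.local")
    return findings

def audit(kubectl_json: str) -> List[str]:
    """Audit a kubectl List (or a single Gateway) given as a JSON string."""
    doc = json.loads(kubectl_json)
    findings: List[str] = []
    for gw in doc.get("items", [doc]):
        findings.extend(audit_gateway(gw))
    return findings

# Constructed sample: the expected cross-network gateway plus a second Gateway
# someone bound to the same east-west selector with a plaintext HTTP server.
SAMPLE = json.dumps({"items": [
    {"metadata": {"name": "cross-network-gateway", "namespace": "istio-system"},
     "spec": {"selector": {"istio": "eastwestgateway"},
              "servers": [{"port": {"number": 15443, "name": "tls", "protocol": "TLS"},
                           "tls": {"mode": "AUTO_PASSTHROUGH"}, "hosts": ["*.local"]}]}},
    {"metadata": {"name": "debug-gateway", "namespace": "istio-system"},
     "spec": {"selector": {"istio": "eastwestgateway"},
              "servers": [{"port": {"number": 80, "name": "http", "protocol": "HTTP"},
                           "hosts": ["*"]}]}}]})
```

Run it against each cluster context after the two apply steps; any finding means a server on the east-west gateway is reachable without the end-to-end mTLS the text relies on.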
    

Enabling endpoint discovery

  1. Install a remote secret in cluster2 that provides access to cluster1's API server.

    istioctl x create-remote-secret \
    --context="${CTX_CLUSTER1}" \
    --name=cluster1 | \
    kubectl apply -f - --context="${CTX_CLUSTER2}"
    
  2. Install a remote secret in cluster1 that provides access to cluster2's API server.

    istioctl x create-remote-secret \
    --context="${CTX_CLUSTER2}" \
    --name=cluster2 | \
    kubectl apply -f - --context="${CTX_CLUSTER1}"
    

What's next?