Setting up a multi-cluster mesh on-premises

This guide explains how to set up Anthos Service Mesh with multiple GKE on VMware and on bare metal. You can extend this process to incorporate any number of clusters into your mesh.

This guide assumes that you already have GKE on VMware or on bare metal installed using the steps provided in Installing Anthos Service Mesh on premises. If you have a previous version of Anthos Service Mesh installed, refer to Upgrading Anthos Service Mesh on-premises. This guide refers to the clusters as cluster1 on network1 and cluster2 on network2. It also uses environment variables to define the cluster contexts as CTX_CLUSTER1 and CTX_CLUSTER2.

A multi-cluster Anthos Service Mesh configuration can solve several crucial enterprise scenarios, such as scale, location, and isolation. For more information, see Multi-cluster use cases. In addition, you should optimize your applications to get the most benefit from a service mesh. For more information, see Preparing an application for Anthos Service Mesh.

Requirements

Before you begin, this guide assumes you are using new or existing clusters that were created by using the steps described in Installing Anthos Service Mesh on premises.

The requirements for this guide are in addition to those listed in Installing Anthos Service Mesh on premises.
You will need the configuration package used previously to install Anthos Service Mesh on your cluster. If you need another copy, you can download it by using the command:
```
kpt pkg get \
https://github.com/GoogleCloudPlatform/anthos-service-mesh-packages.git/asm@release-1.10-asm asm
```

Installing the east-west gateway

Install a gateway in cluster1 that is dedicated to east-west traffic. By default, this gateway will be public on the Internet. Production systems may require additional access restrictions, for example firewall rules, to prevent external attacks.
```
asm/istio/expansion/gen-eastwest-gateway.sh \
--mesh mesh1 --cluster cluster1 --network network1 --revision asm-1106-2 | \
istioctl --context="${CTX_CLUSTER1}" install -y -f -
```
Note: An external IP address won't be assigned until later, when you complete the steps described in Configuring external IP addresses for Anthos Service Mesh on-prem.
Install a gateway in cluster2 that is dedicated to east-west traffic for cluster1.
```
/asm/istio/expansion/gen-eastwest-gateway.sh \
--mesh mesh1 --cluster cluster2 --network network2 | \
istioctl --context="${CTX_CLUSTER2}" install -y -f -
```
Note: An external IP address won't be assigned until later, when you complete the steps described in Configuring external IP addresses for Anthos Service Mesh on-prem.

Exposing services

Since the clusters are on separate networks, you need to expose all services (*.local) on the east-west gateway in both clusters. While this gateway is public on the Internet, services behind it can only be accessed by services with a trusted mTLS certificate and workload ID, just as if they were on the same network.

Expose services via the east-west gateway for cluster1.

kubectl --context="${CTX_CLUSTER1}" apply -n istio-system -f \
asm/istio/expansion/expose-services.yaml

Expose services via the east-west gateway for cluster2.

kubectl --context="${CTX_CLUSTER2}" apply -n istio-system -f \
asm/istio/expansion/expose-services.yaml

Enabling endpoint discovery

Install a remote secret in cluster2 that provides access to cluster1's API server.

istioctl x create-remote-secret \
--context="${CTX_CLUSTER1}" \
--name=cluster1 | \
kubectl apply -f - --context="${CTX_CLUSTER2}"

Install a remote secret in cluster1 that provides access to cluster2's API server.

istioctl x create-remote-secret \
--context="${CTX_CLUSTER2}" \
--name=cluster2 | \
kubectl apply -f - --context="${CTX_CLUSTER1}"

What's next?

Configuring external IP addresses