This guide explains how to set up Anthos Service Mesh with multiple Anthos clusters on VMware and on bare metal. You can extend this process to incorporate any number of clusters into your mesh.
This guide assumes that you already have Anthos clusters on VMware or on bare metal installed using the steps provided in Installing Anthos Service Mesh on premises.
If you have a previous version of Anthos Service Mesh installed, refer to Upgrading Anthos Service Mesh on-premises.
This guide refers to the clusters as cluster1 on network1 and cluster2 on network2. It also uses environment variables to define the cluster contexts as CTX_CLUSTER1 and CTX_CLUSTER2.
A multi-cluster Anthos Service Mesh configuration can solve several crucial enterprise scenarios, such as scale, location, and isolation. For more information, see Multi-cluster use cases. In addition, you should optimize your applications to get the most benefit from a service mesh. For more information, see Preparing an application for Anthos Service Mesh.
Requirements
Before you begin, this guide assumes you are using new or existing clusters that were created by using the steps described in Installing Anthos Service Mesh on premises.
The requirements for this guide are in addition to those listed in Installing Anthos Service Mesh on premises.
You will need the configuration package used previously to install Anthos Service Mesh on your cluster. If you need another copy, you can download it by using the command:
kpt pkg get \
  https://github.com/GoogleCloudPlatform/anthos-service-mesh-packages.git/asm@release-1.10-asm asm
Installing the east-west gateway
Install a gateway in cluster1 that is dedicated to east-west traffic. By default, this gateway will be public on the Internet. Production systems may require additional access restrictions, for example firewall rules, to prevent external attacks.
asm/istio/expansion/gen-eastwest-gateway.sh \
  --mesh mesh1 --cluster cluster1 --network network1 --revision asm-1106-2 | \
  istioctl --context="${CTX_CLUSTER1}" install -y -f -
Install a gateway in cluster2 that is dedicated to east-west traffic for cluster1.
asm/istio/expansion/gen-eastwest-gateway.sh \
  --mesh mesh1 --cluster cluster2 --network network2 | \
  istioctl --context="${CTX_CLUSTER2}" install -y -f -
Exposing services
Since the clusters are on separate networks, you need to expose all services (*.local) on the east-west gateway in both clusters. While this gateway is public on the Internet, services behind it can only be accessed by services with a trusted mTLS certificate and workload ID, just as if they were on the same network.
Expose services via the east-west gateway for cluster1.
kubectl --context="${CTX_CLUSTER1}" apply -n istio-system -f \
  asm/istio/expansion/expose-services.yaml
Expose services via the east-west gateway for cluster2.
kubectl --context="${CTX_CLUSTER2}" apply -n istio-system -f \
  asm/istio/expansion/expose-services.yaml
Enabling endpoint discovery
Install a remote secret in cluster2 that provides access to cluster1's API server.
istioctl x create-remote-secret \
  --context="${CTX_CLUSTER1}" \
  --name=cluster1 | \
  kubectl apply -f - --context="${CTX_CLUSTER2}"
Install a remote secret in cluster1 that provides access to cluster2's API server.
istioctl x create-remote-secret \
  --context="${CTX_CLUSTER2}" \
  --name=cluster2 | \
  kubectl apply -f - --context="${CTX_CLUSTER1}"
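The three steps above (east-west gateway, exposing services, remote secrets) written out for any number of clusters, as an added example script that is not part of the Anthos Service Mesh documentation or packages. It goes beyond the two-cluster walkthrough in one respect: with N clusters, endpoint discovery needs a remote secret in every cluster for every other cluster, so the script emits N*(N-1) create-remote-secret commands rather than two. Everything it assumes is a convention of this example only: clusters are passed as name:network:kubecontext arguments, the same --revision is passed to every cluster (the page only shows it for cluster1), and the script prints the commands as a plan instead of running them, so you can review what will touch each cluster before piping the output to sh.

```shell
#!/bin/sh
# Plan the multi-cluster, multi-network Anthos Service Mesh setup for N clusters.
# Added example, not Google's code. Argument format (this script's own
# convention): name:network:kubecontext. Kube contexts may themselves contain
# colons; only the first two are used as separators.
set -e

MESH="${MESH:-mesh1}"                # mesh name used on the page
REVISION="${REVISION:-asm-1106-2}"   # control plane revision from the page

# Step 1: east-west gateway for one cluster, installed via istioctl.
gateway_cmd() { # $1=cluster name  $2=network  $3=kube context
  printf 'asm/istio/expansion/gen-eastwest-gateway.sh --mesh %s --cluster %s --network %s --revision %s | istioctl --context=%s install -y -f -\n' \
    "$MESH" "$1" "$2" "$REVISION" "$3"
}

# Step 2: expose *.local services on that cluster's east-west gateway.
expose_cmd() { # $1=kube context
  printf 'kubectl --context=%s apply -n istio-system -f asm/istio/expansion/expose-services.yaml\n' "$1"
}

# Step 3: a remote secret that lets the target cluster reach the source API server.
remote_secret_cmd() { # $1=source cluster name  $2=source context  $3=target context
  printf 'istioctl x create-remote-secret --context=%s --name=%s | kubectl apply -f - --context=%s\n' \
    "$2" "$1" "$3"
}

# plan_mesh name:network:ctx [name:network:ctx ...]
# Prints one command line per step. For N clusters that is N gateway installs,
# N expose commands and N*(N-1) remote secrets (each cluster learns every other).
plan_mesh() {
  for spec in "$@"; do
    name=${spec%%:*}; rest=${spec#*:}
    net=${rest%%:*};  ctx=${rest#*:}
    gateway_cmd "$name" "$net" "$ctx"
    expose_cmd "$ctx"
  done
  for src in "$@"; do
    sname=${src%%:*}; srest=${src#*:}; sctx=${srest#*:}
    for dst in "$@"; do
      if [ "$src" = "$dst" ]; then
        continue
      fi
      drest=${dst#*:}; dctx=${drest#*:}
      remote_secret_cmd "$sname" "$sctx" "$dctx"
    done
  done
}

# Usage: sh plan_mesh.sh cluster1:network1:"$CTX_CLUSTER1" cluster2:network2:"$CTX_CLUSTER2"
# Review the printed plan, then append "| sh" to execute it.
# With no arguments the script only defines the functions, so it can be sourced.
if [ "$#" -gt 0 ]; then
  plan_mesh "$@"
fi
```

The two-cluster invocation shown in the usage comment reproduces exactly the commands on this page, with cluster2 additionally getting --revision. Because the output is a plan, the person running it can confirm which kube contexts will receive a remote secret (that secret grants API-server access from another cluster) before anything is applied.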