Add clusters to Anthos Service Mesh on-prem

This guide explains how to set up Anthos Service Mesh with multiple GKE on VMware. You can extend this process to incorporate any number of clusters into your mesh.

A multi-cluster Anthos Service Mesh configuration can solve several crucial enterprise scenarios, such as scale, location, and isolation. For more information, see Multi-cluster use cases. In addition, you should optimize your applications to get the most benefit from a service mesh. For more information, see Preparing an application for Anthos Service Mesh.

If you have a previous version of Anthos Service Mesh installed, refer to Upgrading Anthos Service Mesh GKE on VMware. This installation enables the supported features on your cluster.

Requirements

Before you begin, this guide assumes you are using new or existing clusters that were created by using the steps described in Installing Anthos Service Mesh on premises.

The requirements for this guide are in addition to those listed in Installing Anthos Service Mesh on premises.
Anthos Service Mesh version 1.8 or higher installed on the clusters. See Installing Anthos Service Mesh on premises to install or upgrade your clusters to the required version.
```
gkectl version
```
If you don't have gkectl installed, see GKE on-prem downloads.
All clusters are running on GKE on-prem on vSphere.
You will need the configuration package used previously to install Anthos Service Mesh on your cluster. If you need another copy, you can download it by using the command:
```
kpt pkg get https://github.com/GoogleCloudPlatform/anthos-service-mesh-packages.git/asm@release-1.8-asm .
```
You do not need to set any values in the configuration package.

Installing the east-west gateway

Install a gateway in cluster1 that is dedicated to east-west traffic. By default, this gateway will be public on the Internet. Production systems may require additional access restrictions, for example firewall rules, to prevent external attacks.
```
asm/istio/expansion/gen-eastwest-gateway.sh \
--mesh mesh1 --cluster cluster1 --network network1 --revision asm-186-8 | \
istioctl --context="${CTX_CLUSTER1}" install -y -f -
```
Note: An external IP address won't be assigned until later, when you complete the steps described in Configuring external IP addresses for Anthos Service Mesh on-prem.
Install a gateway in cluster2 that is dedicated to east-west traffic for cluster1.
```
/asm/istio/expansion/gen-eastwest-gateway.sh \
--mesh mesh1 --cluster cluster2 --network network2 | \
istioctl --context="${CTX_CLUSTER2}" install -y -f -
```
Note: An external IP address won't be assigned until later, when you complete the steps described in Configuring external IP addresses for Anthos Service Mesh on-prem.

Exposing services

Since the clusters are on separate networks, you need to expose all services (*.local) on the east-west gateway in both clusters. While this gateway is public on the Internet, services behind it can only be accessed by services with a trusted mTLS certificate and workload ID, just as if they were on the same network.

Expose services via the east-west gateway for cluster1.

kubectl --context="${CTX_CLUSTER1}" apply -n istio-system -f \
asm/istio/expansion/expose-services.yaml

Expose services via the east-west gateway for cluster2.

kubectl --context="${CTX_CLUSTER2}" apply -n istio-system -f \
asm/istio/expansion/expose-services.yaml

Enabling endpoint discovery

Install a remote secret in cluster2 that provides access to cluster1's API server.

istioctl x create-remote-secret \
--context="${CTX_CLUSTER1}" \
--name=cluster1 | \
kubectl apply -f - --context="${CTX_CLUSTER2}"

Install a remote secret in cluster1 that provides access to cluster2's API server.

istioctl x create-remote-secret \
--context="${CTX_CLUSTER2}" \
--name=cluster2 | \
kubectl apply -f - --context="${CTX_CLUSTER1}"

What's next?

Configuring external IP addresses