Red Hat Summit2.20.10. Joining a federated mesh
You declare the federation between two meshes by creating a ServiceMeshPeer resource. The ServiceMeshPeer resource defines the federation between two meshes, and you use it to configure discovery for the peer mesh, access to the peer mesh, and certificates used to validate the other mesh’s clients.
Meshes are federated on a one-to-one basis, so each pair of peers requires a pair of ServiceMeshPeer resources specifying the federation connection to the other service mesh. For example, federating two meshes named red and green would require two ServiceMeshPeer files.
-
On red-mesh-system, create a
ServiceMeshPeerfor the green mesh. -
On green-mesh-system, create a
ServiceMeshPeerfor the red mesh.
Federating three meshes named red, blue, and green would require six ServiceMeshPeer files.
-
On red-mesh-system, create a
ServiceMeshPeerfor the green mesh. -
On red-mesh-system, create a
ServiceMeshPeerfor the blue mesh. -
On green-mesh-system, create a
ServiceMeshPeerfor the red mesh. -
On green-mesh-system, create a
ServiceMeshPeerfor the blue mesh. -
On blue-mesh-system, create a
ServiceMeshPeerfor the red mesh. -
On blue-mesh-system, create a
ServiceMeshPeerfor the green mesh.
Configuration in the ServiceMeshPeer resource includes the following:
- The address of the other mesh’s ingress gateway, which is used for discovery and service requests.
- The names of the local ingress and egress gateways that is used for interactions with the specified peer mesh.
- The client ID used by the other mesh when sending requests to this mesh.
- The trust domain used by the other mesh.
-
The name of a
ConfigMapcontaining a root certificate that is used to validate client certificates in the trust domain used by the other mesh.
In the following example, the administrator for the red-mesh is configuring federation with the green-mesh.
Example ServiceMeshPeer resource for red-mesh
kind: ServiceMeshPeer
apiVersion: federation.maistra.io/v1
metadata:
name: green-mesh
namespace: red-mesh-system
spec:
remote:
addresses:
- ingress-red-mesh.green-mesh-system.apps.domain.com
gateways:
ingress:
name: ingress-green-mesh
egress:
name: egress-green-mesh
security:
trustDomain: green-mesh.local
clientID: green-mesh.local/ns/green-mesh-system/sa/egress-red-mesh-service-account
certificateChain:
kind: ConfigMap
name: green-mesh-ca-root-cert| Parameter | Description | Values |
|---|---|---|
| Name of the peer mesh that this resource is configuring federation with. | String |
| System namespace for this mesh, that is, where the Service Mesh control plane is installed. | String |
| List of public addresses of the peer meshes' ingress gateways that are servicing requests from this mesh. | |
| The port on which the addresses are handling discovery requests. | Defaults to 8188 |
| The port on which the addresses are handling service requests. | Defaults to 15443 |
|
Name of the ingress on this mesh that is servicing requests received from the peer mesh. For example, | |
|
Name of the egress on this mesh that is servicing requests sent to the peer mesh. For example, | |
| The trust domain used by the peer mesh. | <peerMeshName>.local |
| The client ID used by the peer mesh when calling into this mesh. | <peerMeshTrustDomain>/ns/<peerMeshSystem>/sa/<peerMeshEgressGatewayName>-service-account |
|
The kind (for example, ConfigMap) and name of a resource containing the root certificate used to validate the client and server certificate(s) presented to this mesh by the peer mesh. The key of the config map entry containing the certificate should be | kind: ConfigMap name: <peerMesh>-ca-root-cert |
2.20.10.1. Creating a ServiceMeshPeer resource
Prerequisites
- Two or more OpenShift Container Platform 4.6 or above clusters.
- The clusters must already be networked.
- The load balancers supporting the services associated with the federation gateways must be configured to support raw TLS traffic.
-
Each cluster must have a version 2.1 or later
ServiceMeshControlPlaneconfigured to support federation deployed. -
An account with the
cluster-adminrole.
Procedure from the CLI
Follow this procedure to create a ServiceMeshPeer resource from the command line. This example shows the red-mesh creating a peer resource for the green-mesh.
Log in to the OpenShift Container Platform CLI as a user with the
cluster-adminrole. Enter the following command. Then, enter your username and password when prompted.$ oc login --username=<NAMEOFUSER> <API token> https://<HOSTNAME>:6443Change to the project where you installed the control plane, for example,
red-mesh-system.$ oc project red-mesh-systemCreate a
ServiceMeshPeerfile based the following example for the two meshes that you want to federate.Example ServiceMeshPeer resource for red-mesh to green-mesh
kind: ServiceMeshPeer apiVersion: federation.maistra.io/v1 metadata: name: green-mesh namespace: red-mesh-system spec: remote: addresses: - ingress-red-mesh.green-mesh-system.apps.domain.com gateways: ingress: name: ingress-green-mesh egress: name: egress-green-mesh security: trustDomain: green-mesh.local clientID: green-mesh.local/ns/green-mesh-system/sa/egress-red-mesh-service-account certificateChain: kind: ConfigMap name: green-mesh-ca-root-certRun the following command to deploy the resource, where
red-mesh-systemis the system namespace andservicemeshpeer.yamlincludes a full path to the file you edited:$ oc create -n red-mesh-system -f servicemeshpeer.yamlTo confirm that connection between the red mesh and green mesh is established, inspect the status of the green-mesh
ServiceMeshPeerin the red-mesh-system namespace:$ oc -n red-mesh-system get servicemeshpeer green-mesh -o yamlExample ServiceMeshPeer connection between red-mesh and green-mesh
status: discoveryStatus: active: - pod: istiod-red-mesh-b65457658-9wq5j remotes: - connected: true lastConnected: "2021-10-05T13:02:25Z" lastFullSync: "2021-10-05T13:02:25Z" source: 10.128.2.149 watch: connected: true lastConnected: "2021-10-05T13:02:55Z" lastDisconnectStatus: 503 Service Unavailable lastFullSync: "2021-10-05T13:05:43Z"The
status.discoveryStatus.active.remotesfield shows that istiod in the peer mesh (in this example, the green mesh) is connected to istiod in the current mesh (in this example, the red mesh).The
status.discoveryStatus.active.watchfield shows that istiod in the current mesh is connected to istiod in the peer mesh.If you check the
servicemeshpeernamedred-meshingreen-mesh-system, you can find information about the same two connections from the perspective of the green mesh.When the connection between two meshes is not established, the
ServiceMeshPeerstatus indicates this in thestatus.discoveryStatus.inactivefield.For more information on why a connection attempt failed, inspect the Istiod log, the access log of the egress gateway handling egress traffic for the peer, and the ingress gateway handling ingress traffic for the current mesh in the peer mesh.
For example, if the red mesh cannot connect to the green mesh, check the following logs:
- istiod-red-mesh in red-mesh-system
- egress-green-mesh in red-mesh-system
- ingress-red-mesh in green-mesh-system
'%20d='M201.5%20305.5c-13.8%200-24.9-11.1-24.9-24.6%200-13.8%2011.1-24.9%2024.9-24.9%2013.6%200%2024.6%2011.1%2024.6%2024.9%200%2013.6-11.1%2024.6-24.6%2024.6zM504%20256c0%20137-111%20248-248%20248S8%20393%208%20256%20119%208%20256%208s248%20111%20248%20248zm-132.3-41.2c-9.4%200-17.7%203.9-23.8%2010-22.4-15.5-52.6-25.5-86.1-26.6l17.4-78.3%2055.4%2012.5c0%2013.6%2011.1%2024.6%2024.6%2024.6%2013.8%200%2024.9-11.3%2024.9-24.9s-11.1-24.9-24.9-24.9c-9.7%200-18%205.8-22.1%2013.8l-61.2-13.6c-3-.8-6.1%201.4-6.9%204.4l-19.1%2086.4c-33.2%201.4-63.1%2011.3-85.5%2026.8-6.1-6.4-14.7-10.2-24.1-10.2-34.9%200-46.3%2046.9-14.4%2062.8-1.1%205-1.7%2010.2-1.7%2015.5%200%2052.6%2059.2%2095.2%20132%2095.2%2073.1%200%20132.3-42.6%20132.3-95.2%200-5.3-.6-10.8-1.9-15.8%2031.3-16%2019.8-62.5-14.9-62.5zM302.8%20331c-18.2%2018.2-76.1%2017.9-93.6%200-2.2-2.2-6.1-2.2-8.3%200-2.5%202.5-2.5%206.4%200%208.6%2022.8%2022.8%2087.3%2022.8%20110.2%200%202.5-2.2%202.5-6.1%200-8.6-2.2-2.2-6.1-2.2-8.3%200zm7.7-75c-13.6%200-24.6%2011.1-24.6%2024.9%200%2013.6%2011.1%2024.6%2024.6%2024.6%2013.8%200%2024.9-11.1%2024.9-24.6%200-13.8-11-24.9-24.9-24.9z'/%3e%3c/svg%3e){kind=small}