Working with Istio on non-flat network

This document uses an example to demonstrate how to use Istio on Karmada when the clusters reside on the different networks.

Follow this guide to install the Istio control plane on member1 (the primary cluster) and configure member2 (the remote cluster) to use the control plane in member1. All clusters reside on the different network, meaning there is not direct connectivity between the pods in all clusters.

Istio on Karmada-different-network


The reason for deploying istiod on the member1 is that kiali needs to be deployed on the same cluster as istiod . If istiod and kiali are deployed on the karmada-host,kiali will not find the namespace created by karmada. It cannot implement the function of service topology for application deployed by karmada. I will continue to provide a new solution later that deploys istiod on the karmada-host.


Install Karmada

Install karmada control plane

Following the steps Install karmada control plane in Quick Start, you can get a Karmada.

Deploy Istio


If you are testing multicluster setup on kind you can use MetalLB to make use of EXTERNAL-IP for LoadBalancer services.


Install istioctl

Please refer to the istioctl Installation.

Prepare CA certificates

Following the steps plug-in-certificates-and-key-into-the-cluster to configure Istio CA.

Replace the cluster name cluster1 with primary, the output will looks like as following:

  1. [root@vm1-su-001 istio-1.12.6]# tree certs/
  2. certs/
  3. ├── primary
  4. ├── ca-cert.pem
  5. ├── ca-key.pem
  6. ├── cert-chain.pem
  7. └── root-cert.pem
  8. ├── root-ca.conf
  9. ├── root-cert.csr
  10. ├── root-cert.pem
  11. ├── root-cert.srl
  12. └── root-key.pem

Install Istio on karmada-apiserver

Export KUBECONFIG and switch to karmada apiserver:

  1. export KUBECONFIG=$HOME/.kube/karmada.config
  2. kubectl config use-context karmada-apiserver

Create a secret cacerts in istio-system namespace:

  1. kubectl create namespace istio-system
  2. kubectl create secret generic cacerts -n istio-system \
  3. --from-file=certs/primary/ca-cert.pem \
  4. --from-file=certs/primary/ca-key.pem \
  5. --from-file=certs/primary/root-cert.pem \
  6. --from-file=certs/primary/cert-chain.pem

Create a propagation policy for cacerts secret:

  1. cat <<EOF | kubectl apply -f -
  2. apiVersion: policy.karmada.io/v1alpha1
  3. kind: PropagationPolicy
  4. metadata:
  5. name: cacerts-propagation
  6. namespace: istio-system
  7. spec:
  8. resourceSelectors:
  9. - apiVersion: v1
  10. kind: Secret
  11. name: cacerts
  12. placement:
  13. clusterAffinity:
  14. clusterNames:
  15. - member1
  16. - member2
  17. EOF

Override namespace istio-system label on member1:

  1. cat <<EOF | kubectl apply -f -
  2. apiVersion: policy.karmada.io/v1alpha1
  3. kind: ClusterOverridePolicy
  4. metadata:
  5. name: istio-system-member1
  6. spec:
  7. resourceSelectors:
  8. - apiVersion: v1
  9. kind: Namespace
  10. name: istio-system
  11. overrideRules:
  12. - targetCluster:
  13. clusterNames:
  14. - member1
  15. overriders:
  16. plaintext:
  17. - path: "/metadata/labels"
  18. operator: add
  19. value:
  20. topology.istio.io/network: network1
  21. EOF

Override namespace istio-system label on member2:

  1. cat <<EOF | kubectl apply -f -
  2. apiVersion: policy.karmada.io/v1alpha1
  3. kind: ClusterOverridePolicy
  4. metadata:
  5. name: istio-system-member2
  6. spec:
  7. resourceSelectors:
  8. - apiVersion: v1
  9. kind: Namespace
  10. name: istio-system
  11. overrideRules:
  12. - targetCluster:
  13. clusterNames:
  14. - member2
  15. overriders:
  16. plaintext:
  17. - path: "/metadata/labels"
  18. operator: add
  19. value:
  20. topology.istio.io/network: network2
  21. EOF

Run the following command to install istio CRDs on karmada apiserver:

  1. istioctl manifest generate --set profile=external \
  2. --set values.global.configCluster=true \
  3. --set values.global.externalIstiod=false \
  4. --set values.global.defaultPodDisruptionBudget.enabled=false \
  5. --set values.telemetry.enabled=false | kubectl apply -f -

Install Istiod on member1

  1. Install istio control plane

Export KUBECONFIG and switch to member1:

  1. export KUBECONFIG="$HOME/.kube/members.config"
  2. kubectl config use-context member1
  1. cat <<EOF | istioctl install -y -f -
  2. apiVersion: install.istio.io/v1alpha1
  3. kind: IstioOperator
  4. spec:
  5. meshConfig:
  6. accessLogFile: /dev/stdout
  7. values:
  8. global:
  9. meshID: mesh1
  10. multiCluster:
  11. clusterName: member1
  12. network: network1
  13. EOF
  1. Install the east-west gateway in member1
  1. samples/multicluster/gen-eastwest-gateway.sh --mesh mesh1 --cluster member1 --network network1 | istioctl install -y -f -
  1. Expose the control plane and service in member1
  1. kubectl apply -f samples/multicluster/expose-istiod.yaml -n istio-system
  2. kubectl apply -f samples/multicluster/expose-services.yaml -n istio-system

Configure member2 as a remote cluster

  1. Enable API ServerAccess to member2

switch to member2:

  1. kubectl config use-context member2

Prepare member2 cluster secret

  1. istioctl create-remote-secret --name=member2 > istio-remote-secret-member2.yaml

Switch to member1:

  1. kubectl config use-context member1

Apply istio remote secret

  1. kubectl apply -f istio-remote-secret-member2.yaml
  1. Configure member2 as a remote

Save the address of member1’s east-west gateway

  1. export DISCOVERY_ADDRESS=$(kubectl -n istio-system get svc istio-eastwestgateway -o jsonpath='{.status.loadBalancer.ingress[0].ip}')

Create a remote configuration on member2.

Switch to member2:

  1. kubectl config use-context member2
  1. cat <<EOF | istioctl install -y -f -
  2. apiVersion: install.istio.io/v1alpha1
  3. kind: IstioOperator
  4. spec:
  5. values:
  6. global:
  7. meshID: mesh1
  8. multiCluster:
  9. clusterName: member2
  10. network: network2
  11. remotePilotAddress: ${DISCOVERY_ADDRESS}
  12. EOF
  1. Install the east-west gateway in member2
  1. samples/multicluster/gen-eastwest-gateway.sh --mesh mesh1 --cluster member2 --network network2 | istioctl install -y -f -

Deploy bookinfo application

See module Deploy bookinfo application in here