When follow the instructions describe here to setup multicluster istio,
https://istio.io/latest/docs/setup/install/multicluster/primary-remote_multi-network/
One thing is not described in the process very clearly but will fail the process is to make sure that the kubenetes cluster config file contains the k8s API endpoint which should not use the loopback IP address 127.0.0.1. This is very important when use KinD to deploy two k8s clusters on one machine, by default, KinD will create multiple kubenetes context in the config file, each of the context will use server: https://127.0.0.1:<port number> which works fine when access from host machine, but this will fail when access the API server from any other places. To avoid this problem, once KinD sets up the cluster, going to the config file and edit the url to point to the docker container IP address with the default port which most likely be 6443. For example
server: https://172.19.0.3:6443
Doing this will ensure that the API server is not only accessible from the host but also from the apps running inside the k8s clusters.
Or simply use the following command to update, given that the cluster name is called kind-cluster1.
kubectl config set clusters.kind-cluster1.server https://172.19.0.3:6443
One other thing is also being ignored is that the two clusters should use the same root ca for their certificates. The certificate should be created in istio-system namespace and be named cacerts (if using default). The secret should have the following entries:
ca-cert.pem
ca-key.pem
cert-chain.pem
root-cert.pem
ca-cert.pem and ca-key will be the intermediate CA cert and key signed by the root cert.
That cert will be used by deployment.apps/istiod
No comments:
Post a Comment