istio-ecosystem / wharf-multicluster-sync
wharf-multicluster-sync: User friendly Multicluster Istio configuration
License: Apache License 2.0
Find a way to run the root CA on one of the clusters rather than its own.
To reproduce, create a non-default ServiceExpositionPolicy
apiVersion: multicluster.istio.io/v1alpha1
kind: ServiceExpositionPolicy
metadata:
  annotations:
  name: ratings
  namespace: bookinfo
spec:
  exposed:
  - name: ratings
    port: 9080
Run the CLI tool:
mc-tool --filename /tmp/ratings_sep.yaml --mc-conf-filename /tmp/mc-config.yaml
The stdout Istio config will be in the default, not bookinfo, namespace.
Use Istio's testing framework (with its preliminary support for Multi-Cluster) to conduct an e2e test.
Test should be able to run on CircleCI.
Following community feedback, examine the implications of running the same POC scenarios with:
ServiceExpositionPolicy with service annotations
RemoteServiceBinding with ServiceEntry. May require modifying the ServiceEntry definition.
The agents are running servers, and the servers do what is expected:
kubectl --context $CLUSTER2 -n istio-system exec -it mc-agent-6b5cd56595-5gcxc -- wget -O - mc-agent.istio-system.svc.cluster.local:8999/exposed/cluster1
However the services are not exposed to the outside. I get 503s
curl 169.62.214.226:80/exposed/cluster1
upstream connect error or disconnect/reset before headers
The error is 503.
I see a VirtualService directing /exposed to mc-agent.istio-system.svc.cluster.local port 8999 so I don't know what is going wrong.
Deploy the bookinfo pods with *.global and configure DNS so that *.global resolves to something.
This will be a proof point that we can deploy unchanged applications and get their logs to indicate if they are making local or off-mesh service invocations.
Documentation
install_citadel.sh depends on $ROOTCA being defined. I think the expectation is that source ./demo_context.sh will set this. However, this is not the case. Only $ROOTCA_NAME is set.
Work around: ROOTCA=$ROOTCA_NAME ./demo_context.sh <args>
docs/install/install_citadal.sh should be docs/install/install_citadel.sh (e, not a)
This includes adding support for merging existing Istio configuration with new Multicluster config.
Consider using gRPC and protobuf to create a well-defined yet generic API between the agents.
This API / agent may also be used for other designs such as the Multi-Cloud.
Deployment should fail if Istio isn't there.
Because the namespace is "created" in this way (even if it exists), kubectl delete -f istio-citadel-standalone.yaml deletes all of Istio.
The current tutorial requires 3 clusters. This work item is to change the tutorial to put Ratings on Cluster1.
It is unclear if we should replace the tutorial with the two-cluster version or keep the three-cluster version as a secondary tutorial.
This will add the support for running an mTLS connection between the agent and the other Istio components (ingress / egress).
The spec.clusterIP field is immutable and incorrect error messages are produced.
Document the work done in this POC and steps to run it by publishing a blog about it.
Publication channel is yet to be determined.
Both if --gengo is selected and when YAML is generated.
Every second the agent logs
E1008 19:18:48.768821 1 reflector.go:205] github.ibm.com/istio-research/multicluster-roadmap/vendor/istio.io/istio/pilot/pkg/config/kube/crd/controller.go:208: Failed to list *crd.ServiceEntry: serviceentries.networking.istio.io is forbidden: User "system:serviceaccount:default:multi-cluster-agent-service-account" cannot list serviceentries.networking.istio.io at the cluster scope
and also logs the same thing for destinationrules.networking.istio.io, serviceexpositionpolicies.multicluster.istio.io, servicerolebindings.rbac.istio.io, remoteservicebindings.multicluster.istio.io, virtualservices.networking.istio.io, gateways.networking.istio.io, quotaspecs.config.istio.io, httpapispecbindings.config.istio.io, httpapispecs.config.istio.io, rbacconfigs.rbac.istio.io, envoyfilters.networking.istio.io, serviceroles.rbac.istio.io, meshpolicies.authentication.istio.io, quotaspecbindings.config.istio.io, policies.authentication.istio.io