Istio Multicluster Update at today's user community meeting & Survey


#1

Hi Folks,

If you missed today’s user community meeting, an update for Istio multicluster support in 1.1 was provided by Etai and Ram from IBM. If you are interested in this topic, feel free to check out the slides and video recording:

Slides: https://drive.google.com/drive/folders/0B27FD66MPBAdWjlkMjRkajNFdFE
Video: https://youtu.be/Ze5m46vkOZ8

We have also built a simple survey to gather your input on this important topic so that we can serve you better. Please take a min to fill it out and we will share the result soon. 🙂

Survey: https://goo.gl/forms/GFMQ6AL0tQFbGCYx1

Thanks,

Lin


#2

Hi Lin

Can you please also share the config or GitHub details for the bookinfo multi-cluster demo (by Ram) that was shown at the end?

Thanks
Manish


#3

Hi Manish,

Gateway-Connectivity BookInfo: https://preliminary.istio.io/blog/2019/multicluster-version-routing/

For the Cluster-Aware/Split Horizon approach, I used these steps to set up my clusters: https://preliminary.istio.io/docs/examples/multicluster/split-horizon-eds/

I then deployed all of bookinfo on cluster1 except reviews-v3 and ratings, which were on cluster2. The gateway config is:

apiVersion: networking.istio.io/v1alpha3
kind: Gateway
metadata:
  name: bookinfo-gateway
spec:
  selector:
    istio: ingressgateway # use istio default controller
  servers:
  - port:
      number: 80
      name: http
      protocol: HTTP
    hosts:
    - "*"
  - port:
      number: 15443
      name: tls
      protocol: TLS
    tls:
      mode: AUTO_PASSTHROUGH
    hosts:
    - "*"

#4

Thanks Ram - That helps.

A couple of queries:

  1. Given that meshNetworks has an IP:Port defined per network (like 15443 in this case), how do you define a gateway config to take care of multiple applications across the clusters (like both using different protocols, etc.)?

  2. Also, how is the reverse-side data path set up through the gateway (from the remote cluster app connecting to the main cluster app)?


#5

Manish,

In response to your questions:

  1. The 15443 is a general-purpose control plane port open for incoming traffic from another cluster. Because we have control plane security enabled in this setup, the data from the source Envoy to the destination Envoy is encrypted without termination. The special AUTO_PASSTHROUGH mode guides the ingress gateway to route to the local service based on the SNI information. Istio has a custom SNI string that holds the service, port and subset.

  2. In this scenario you will need two networks defined in meshNetworks. For example, adding a network1 with a CIDR range and GW IP for the primary, in addition to the network2 of the remote.
     Please note that we still need to verify this scenario and make sure there are no issues with it.

Thanks.
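
An added example, not part of the thread or of Istio's code: a Go sketch of the SNI-based routing decision described in #5, useful for checking which local services a `hosts: "*"` AUTO_PASSTHROUGH listener on 15443 would forward to. It assumes Istio's `outbound_.<port>_.<subset>_.<host>` SNI layout, which the thread does not spell out; the function names and the service inventory are hypothetical.

```go
package main

import (
	"errors"
	"fmt"
	"strconv"
	"strings"
)

// SNITarget is all the gateway learns from the ClientHello; the mTLS payload stays opaque.
type SNITarget struct {
	Host   string
	Port   int
	Subset string // "" when the client selected no subset
}

// ParseIstioSNI decodes "outbound_.<port>_.<subset>_.<host>".
func ParseIstioSNI(sni string) (SNITarget, error) {
	parts := strings.SplitN(sni, "_.", 4)
	if len(parts) != 4 || parts[0] != "outbound" {
		return SNITarget{}, errors.New("not an Istio cross-network SNI: " + sni)
	}
	port, err := strconv.Atoi(parts[1])
	if err != nil || port < 1 || port > 65535 {
		return SNITarget{}, fmt.Errorf("bad port %q in SNI", parts[1])
	}
	if parts[3] == "" {
		return SNITarget{}, errors.New("empty host in SNI")
	}
	return SNITarget{Host: parts[3], Port: port, Subset: parts[2]}, nil
}

// Forwarded reports whether a hosts: "*" passthrough listener would have a local
// destination for this SNI. local is keyed "host:port" (hypothetical inventory).
func Forwarded(sni string, local map[string]bool) bool {
	t, err := ParseIstioSNI(sni)
	return err == nil && local[t.Host+":"+strconv.Itoa(t.Port)]
}

func main() {
	// Constructed inventory: one of the bookinfo services placed on cluster2 in #3.
	local := map[string]bool{"reviews.default.svc.cluster.local:9080": true}
	for _, sni := range []string{
		"outbound_.9080_.v3_.reviews.default.svc.cluster.local", // constructed sample
		"bookinfo.example.com",                                  // plain hostname, no Istio encoding
	} {
		fmt.Println(sni, "forwarded:", Forwarded(sni, local))
	}
}
```

Because the wildcard host matches every SNI, what is reachable through the port is decided by which services exist behind the gateway, not by the Gateway resource itself.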