The Linkerd 2.10 Chinese manual is being continuously revised and updated:
Multicluster support in Linkerd requires additional installation and configuration on top of the default control plane installation. This guide will cover this installation and configuration as well as common issues you might encounter. Require
Step 1: Install the multicluster control plane
On each cluster, run:
To verify that everything started successfully, run:
Step 2: Link the clusters
Each cluster must be linked. This involves installing several resources in the source cluster, including a secret containing a kubeconfig that allows access to the target cluster's Kubernetes API, a service mirror controller for mirroring services, and a Link custom resource to hold the configuration. To connect cluster west to cluster east, you would run:
To verify that the credentials were successfully created and the clusters can access each other, run:
You should also see a list of gateways by running the following command. Note that you need to install Linkerd's Viz extension in your source cluster to get the list of gateways:
For detailed instructions on this step, see the Linking Clusters section.
Step 3: Expose services
Services are not automatically mirrored in linked clusters. By default, only services with the mirror.linkerd.io/exported label are mirrored. For each service you want to mirror to the linked cluster, run:
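Steps 1 to 3 collected into one script, as an added example that is not taken from the original page or from the Linkerd project. It assumes kube contexts named west (source) and east (target); the function names and the allowlist file are hypothetical, and unexpected_exports goes one step beyond the text by listing exported services that are not on an approved list.

```shell
#!/bin/sh
# Added example. Assumed kube contexts: west = source, east = target.
SRC=${SRC:-west}
DST=${DST:-east}

# Step 1: install the multicluster components on both clusters and check them.
install_multicluster() {
  for ctx in "$SRC" "$DST"; do
    linkerd --context="$ctx" multicluster install |
      kubectl --context="$ctx" apply -f - || return 1
    linkerd --context="$ctx" multicluster check || return 1
  done
}

# Step 2: generate the link for the target and apply it in the source.
# The generated YAML holds a kubeconfig for the target API: treat it as a credential.
link_clusters() {
  linkerd --context="$DST" multicluster link --cluster-name "$DST" |
    kubectl --context="$SRC" apply -f - || return 1
  linkerd --context="$SRC" multicluster check || return 1
  linkerd --context="$SRC" multicluster gateways   # needs the Viz extension
}

# Step 3: export one service. $1 = namespace, $2 = service name.
export_service() {
  kubectl --context="$DST" -n "$1" label svc "$2" mirror.linkerd.io/exported=true
}

# Print every exported service in the target as namespace/name.
list_exported() {
  kubectl --context="$DST" get svc --all-namespaces \
    -l mirror.linkerd.io/exported=true \
    -o jsonpath='{range .items[*]}{.metadata.namespace}/{.metadata.name}{"\n"}{end}'
}

# Print exported services that are missing from the approved list.
# $1 = file with one approved namespace/name per line (hypothetical allowlist).
unexpected_exports() {
  list_exported | grep -Fvx -f "$1"
}
```

Call install_multicluster, link_clusters and export_service in that order; unexpected_exports exits non-zero when every exported service is on the list.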
You can configure a different label selector by using the --selector flag on the linkerd multicluster link command or by editing the Link resource created by the linkerd multicluster link command.
Leverage Ambassador
The bundled Linkerd gateway is not required. If you have an existing Ambassador installation, you can use it as the gateway instead. That way you don't need to manage multiple ingress gateways or pay for additional cloud load balancers. This guide assumes that Ambassador has already been installed into the ambassador namespace. First, you need to inject the ambassador deployment with Linkerd:
This will add the Linkerd proxy, skipping the port that Ambassador handles for public traffic and requiring identity on the gateway port. Next, you need to add some configuration so that Ambassador knows how to handle the request:
The Ambassador service and deployment definitions require some minor patching. This will add the metadata required by the service mirror controller. To patch these resources, run:
Now you can install the Linkerd multicluster components onto your target cluster. Since we are using Ambassador as our gateway, we need to skip installing the Linkerd gateway using the --gateway=false flag:
Once all setup and configuration is complete, you can link your source cluster to the Ambassador gateway. Run the link command, specifying the name and namespace of the Ambassador service:
From the source cluster (the one not running Ambassador), you can verify that everything is working correctly by running:
Additionally, the Ambassador gateway is shown when listing active gateways:
Trust Anchor Bundle
To secure connections between clusters, Linkerd needs to have a shared trust anchor. This allows the control plane to encrypt requests passing between clusters and verify the identity of those requests. This identity is used to control access to the cluster, so a shared trust anchor is critical. The simplest approach is to share a single trust anchor certificate between multiple clusters. If you have an existing Linkerd installation and discarded your trust anchor key, you may not be able to provide a single certificate for the trust anchor. Fortunately, a trust anchor can also be a bundle of certificates. To get the trust anchor for an existing cluster, run:
This command requires yq. If you don't have yq, feel free to use the tool of your choice to extract the certificate from the identityTrustAnchorsPEM field.
Now you need to create a new trust anchor and issuer for the new cluster:
The certificates here are generated with the step CLI; openssl should work just as well.
Using the trust anchor of the old cluster and the trust anchor of the new cluster, you can create a bundle by running the following command:
You need to upgrade your existing cluster with the new bundle. Make sure every pod that you want to communicate with the new cluster is restarted so that it can use this bundle. To upgrade your existing cluster with this new trust anchor bundle, run:
Finally, you’ll be able to install Linkerd on a new cluster using the trust anchor bundle you just created, along with the issuer certificate and key.
Make sure to verify that the clusters started successfully by running check on each cluster.
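The trust anchor bundle procedure above as one script, added here as an example and not taken from the original page or the Linkerd project. File names, function names and the context arguments are assumptions; build_bundle also handles an anchor file that lacks a trailing newline, and check_bundle uses openssl to confirm that the new issuer chains to the bundle.

```shell
#!/bin/sh
# Added example. File names below are assumptions.

# Read the current trust anchor from the linkerd-config ConfigMap. $1 = context.
fetch_anchor() {
  kubectl --context="$1" -n linkerd get cm linkerd-config \
    -o jsonpath='{.data.values}' | yq e .identityTrustAnchorsPEM - > trustAnchor.crt
}

# Create a new trust anchor and issuer for the new cluster with the step CLI.
# --no-password --insecure writes the keys unencrypted: protect root.key.
new_root_and_issuer() {
  step certificate create root.linkerd.cluster.local root.crt root.key \
    --profile root-ca --no-password --insecure || return 1
  step certificate create identity.linkerd.cluster.local issuer.crt issuer.key \
    --profile intermediate-ca --not-after 8760h --no-password --insecure \
    --ca root.crt --ca-key root.key
}

# Concatenate $1 and $2 into $3, adding a newline when a file lacks a trailing
# one so that two PEM blocks never end up fused on a single line.
build_bundle() {
  : > "$3"
  for f in "$1" "$2"; do
    cat "$f" >> "$3"
    [ -z "$(tail -c 1 "$f")" ] || echo >> "$3"
  done
}

count_anchors() { grep -c 'BEGIN CERTIFICATE' "$1"; }

# $1 = bundle, $2 = issuer certificate. Fails unless the bundle holds at least
# two anchors and the issuer chains to one of them.
check_bundle() {
  [ "$(count_anchors "$1")" -ge 2 ] || { echo "fewer than 2 anchors in $1" >&2; return 1; }
  openssl verify -CAfile "$1" "$2"
}

# $1 = existing cluster context, $2 = new cluster context.
roll_out() {
  linkerd --context="$1" upgrade --identity-trust-anchors-file=bundle.crt |
    kubectl --context="$1" apply -f - || return 1
  # Restart meshed pods in the existing cluster here so they load the bundle.
  linkerd --context="$2" install --identity-trust-anchors-file bundle.crt \
    --identity-issuer-certificate-file issuer.crt \
    --identity-issuer-key-file issuer.key |
    kubectl --context="$2" apply -f - || return 1
  linkerd --context="$1" check && linkerd --context="$2" check
}
```

Run fetch_anchor, new_root_and_issuer, build_bundle trustAnchor.crt root.crt bundle.crt, check_bundle bundle.crt issuer.crt and roll_out in that order.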
Installing multi-cluster control plane components via Helm
Linkerd's multicluster components, namely the gateway and the service mirror, can be installed via Helm instead of the linkerd multicluster install command. Not only does this allow for advanced configuration, it also lets users bundle multi-cluster installations as part of their existing Helm-based installation pipelines.
Add Linkerd's Helm repository
First, let's add the Linkerd Helm repo by running:
Helm multi-cluster installation process
Chart values will be picked from the chart's values.yaml file. You can override values in your own values.yaml file by providing it and using the -f option, or override specific values using the --set series of flags. The chart's documentation lists the full set of configuration options.
The installation can be verified by running the following command:
The installation of a gateway can be disabled via the gateway setting. By default, this value is true.
Installing Additional Access Credentials
When you install multicluster components onto a target cluster using linkerd multicluster install, a service account is created that the source cluster will use to mirror services. Using a different service account for each source cluster can be beneficial because it enables you to revoke service mirroring access from a specific source cluster. Additional service accounts and associated RBAC can be generated through the CLI using the linkerd multicluster allow command. The same functionality can also be accomplished through Helm by setting the remoteMirrorServiceAccountName value to a list.