Istio for DCM
- Itohan Ukponmwan (Deactivated)
The Distributed Cloud Manager (DCM) uses Istio to manage each logical cloud. It installs a control plane per cluster per logical cloud and it uses Istio Replicated Control Planes for this. For each logical cloud, it will install istio in an istio namespace for that logical cloud
Steps Required to Install Istio for DCM
- Install Istio in custom namespace
After creating the custom namespace and the secrets using the instructions in the Istio Replicated Control Planes. Add the following lines to the Istio manifest file before applying the Istio Manifest in order to install it in the custom namespace
##########Original File###############
values:
global:
# Provides dns resolution for global services
podDNSSearchNamespaces:
- global
- "{{ valueOrDefault .DeploymentMeta.Namespace \"default\" }}.global"
##########Modified File###############
values:
global:
istioNamespace: istio-lc1
# Provides dns resolution for global services
podDNSSearchNamespaces:
- global
- "{{ valueOrDefault .DeploymentMeta.Namespace \"default\" }}.global"
- Add stub domain with suffix for the logical cloud to the kube-system coredns configmap
In order to tell the kubernetes coredns to forward traffic to the Istio coredns, a stud domain is added to the kubernetes coredns configmap as shown in Setup DNS. The default suffix for istio is "global". With the DCM, we want to have a different suffix for each logical cloud, so we need to add a similar entry for each logical cloud
Example
The example below shows how the kubernetes configmap will look with the default global stud domain
apiVersion: v1
kind: ConfigMap
metadata:
name: coredns
namespace: kube-system
data:
Corefile: |
.:53 {
errors
health
ready
kubernetes cluster.local in-addr.arpa ip6.arpa {
pods insecure
upstream
fallthrough in-addr.arpa ip6.arpa
}
prometheus :9153
forward . /etc/resolv.conf
cache 30
loop
reload
loadbalance
}
global:53 {
errors
cache 30
forward . $(kubectl get svc -n istio-system istiocoredns -o jsonpath={.spec.clusterIP}):53
}
Assuming we have two logical clouds lc1 and lc2 with their istio namespaces installed in istio-lc1 and istio-lc2 respectively, then we would add the following stub domains to the kubernetes coredns configmap
apiVersion: v1
kind: ConfigMap
metadata:
name: coredns
namespace: kube-system
data:
Corefile: |
.:53 {
errors
health
ready
kubernetes cluster.local in-addr.arpa ip6.arpa {
pods insecure
upstream
fallthrough in-addr.arpa ip6.arpa
}
prometheus :9153
forward . /etc/resolv.conf
cache 30
loop
reload
loadbalance
}
lc1:53 {
errors
cache 30
forward . $(kubectl get svc -n istio-lc1 istiocoredns -o jsonpath={.spec.clusterIP}):53
}
lc2:53 {
errors
cache 30
forward . $(kubectl get svc -n istio-lc2 istiocoredns -o jsonpath={.spec.clusterIP}):53
}
- Enable forwarding Traffic to custom suffix
By default, when istio is installed, it only allows forwarding traffic to services in the remote cluster with the "global" suffix. In order to enable istio to forward traffic, we need to change the suffix in some of its resources. Get the following istio resources and edit them (kubectl edit <resource-type> <resource-name> -n <resource-namespace>), change all occurences of the global suffix in each of these resources to your custom suffix.
- Add lc1 stubdomain in kube-system coredns cm
- Change istio coredns cm to new suffix
- Edit envoyfilter to use customsuffix
- Edit istio ingressgateway to use custom suffix
- Edit istio destination rule to use custom suffix
- Make sure service entry uses the right suffix
Note: I have only tested using one custom suffix (e.g) lc1 at a time, I have not tested adding multiple custom suffixes.
The Link below can also provide guidance on how to enable forwarding traffic to custom suffix, the method i used above is slightly different though Guide: https://gist.github.com/aattuluri/baf6b8aac10471acc73aa1d6262a65bb.