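# Prerequisites: two kubeconfig contexts, "cluster1" (primary) and "cluster2" (remote),
# and an Istio release checkout as the working directory (tools/ and samples/ live there).
# NOTE: the original line here was `istio-root=fmeng`, which is not a valid shell
# assignment (hyphen in the name) and would fail with "command not found".
ISTIO_NS=fmeng   # namespace istiod runs in on BOTH clusters; must equal istioNamespace/rootNamespace below

# --- Shared trust: one self-signed root CA, one intermediate CA per cluster -------------
# Cross-cluster mTLS only verifies if both intermediates chain to the same root.
mkdir -p certs
pushd certs
make -f ../tools/certs/Makefile.selfsigned.mk root-ca
make -f ../tools/certs/Makefile.selfsigned.mk cluster1-cacerts
make -f ../tools/certs/Makefile.selfsigned.mk cluster2-cacerts

# Each cluster gets ONLY its intermediate (ca-cert/ca-key), the root *certificate* and the
# chain. root-key.pem stays in certs/ (offline) and must never land in a cluster or in VCS;
# add certs/ to .gitignore. ca-key.pem is what istiod signs workload certs with, so anyone
# who can read the "cacerts" secret can mint identities in this trust domain: restrict
# RBAC on secrets in $ISTIO_NS. The secret must exist before istiod is installed.
kubectl --context cluster1 create namespace "$ISTIO_NS"
kubectl --context cluster1 create secret generic cacerts -n "$ISTIO_NS" \
  --from-file=cluster1/ca-cert.pem \
  --from-file=cluster1/ca-key.pem \
  --from-file=cluster1/root-cert.pem \
  --from-file=cluster1/cert-chain.pem

kubectl --context cluster2 create namespace "$ISTIO_NS"
kubectl --context cluster2 create secret generic cacerts -n "$ISTIO_NS" \
  --from-file=cluster2/ca-cert.pem \
  --from-file=cluster2/ca-key.pem \
  --from-file=cluster2/root-cert.pem \
  --from-file=cluster2/cert-chain.pem
popd   # back to the Istio root: later steps reference samples/ and the *.yaml files relative to it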
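# --- cluster1: primary control plane ----------------------------------------------------
# trustDomain must be identical in every cluster of the mesh so workload SPIFFE IDs
# (spiffe://fmeng/ns/<ns>/sa/<sa>) match across clusters; meshID must match as well.
# The spec is written with a quoted heredoc so this file is runnable as-is (the notes
# previously only `cat` the file, with its YAML indentation lost).
cat > cluster1.yaml <<'EOF'
apiVersion: install.istio.io/v1alpha1
kind: IstioOperator
spec:
  meshConfig:
    accessLogFile: /dev/stdout   # full access logging to stdout; fine for a lab, noisy in prod
    trustDomain: fmeng
    rootNamespace: fmeng
  values:
    global:
      meshID: mesh1
      multiCluster:
        clusterName: cluster1
      network: network1            # must match the east-west gateway's topology.istio.io/network label
      istioNamespace: fmeng
EOF
istioctl install --context=cluster1 -f cluster1.yaml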
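# --- cluster1: east-west gateway for network1 -------------------------------------------
# profile: empty installs only this gateway, not a second control plane.
# With ISTIO_META_ROUTER_MODE=sni-dnat the gateway passes mTLS through by SNI
# (AUTO_PASSTHROUGH) rather than terminating it, so cross-network traffic on 15443 stays
# sidecar-to-sidecar mTLS. 15012 (tls-istiod) and 15017 (tls-webhook) are what the remote
# cluster uses to reach istiod and the injection webhook. The Service this creates is
# reachable from outside the cluster, so restrict its source ranges / firewall to
# cluster2's egress addresses; every one of these ports is a control-plane entry point.
cat > cluster1-ew.yaml <<'EOF'
apiVersion: install.istio.io/v1alpha1
kind: IstioOperator
metadata:
  name: eastwest
spec:
  revision: ""
  profile: empty
  components:
    ingressGateways:
      - name: istio-eastwestgateway
        label:
          istio: eastwestgateway
          app: istio-eastwestgateway
          topology.istio.io/network: network1
        enabled: true
        k8s:
          env:
            # sni-dnat adds the clusters required for AUTO_PASSTHROUGH mode
            - name: ISTIO_META_ROUTER_MODE
              value: "sni-dnat"
            # traffic through this gateway should be routed inside the network
            - name: ISTIO_META_REQUESTED_NETWORK_VIEW
              value: network1
          service:
            ports:
              - name: status-port
                port: 15021
                targetPort: 15021
              - name: tls
                port: 15443
                targetPort: 15443
              - name: tls-istiod
                port: 15012
                targetPort: 15012
              - name: tls-webhook
                port: 15017
                targetPort: 15017
  values:
    global:
      meshID: mesh1
      network: network1
      multiCluster:
        clusterName: cluster1
      istioNamespace: fmeng
EOF
# Explicit context: the other installs pin a context, this one previously relied on the
# current kubeconfig context being cluster1.
istioctl install --context=cluster1 -f cluster1-ew.yaml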
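# --- cluster1: expose istiod and services through the east-west gateway -----------------
# The sample manifests hardcode `namespace: istio-system`; strip that field from both files
# first, then place them in fmeng with -n so the Gateway/VirtualService sit next to istiod
# and the east-west gateway. After expose-istiod, anything that can reach the gateway's
# address can talk to istiod on 15012/15017 — see the firewall note on the gateway install.
kubectl --context=cluster1 apply -n fmeng -f samples/multicluster/expose-istiod.yaml
kubectl --context=cluster1 apply -n fmeng -f samples/multicluster/expose-services.yaml

# --- cluster2: default network + API-server access for cluster1's istiod ------------------
# istiod reads this label to assign cluster2's workloads to network2; cluster2.yaml's
# values.global.network must say the same thing. (`k` was an undefined alias here.)
kubectl --context cluster2 label namespace fmeng topology.istio.io/network=network2

# create-remote-secret mints a kubeconfig carrying a service-account token for cluster2's
# API server and wraps it in a Secret that cluster1's istiod uses to watch cluster2's
# services/endpoints/pods. Treat the resulting Secret as a cluster2 credential: anyone who
# can read it in cluster1 can read cluster2. --name must equal clusterName in cluster2.yaml.
# NOTE(review): istiod only picks up remote secrets in its own namespace (fmeng here), while
# the generated manifest defaults to istio-system — inspect the output (or the
# namespace-related flags of your istioctl version) before applying.
istioctl x create-remote-secret \
  --context=cluster2 \
  --name=cluster2 | \
  kubectl --context=cluster1 apply -f -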
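# --- cluster2: remote profile, pointed at cluster1's istiod ------------------------------
# values.global.network must agree with the topology.istio.io/network=network2 label put on
# cluster2's fmeng namespace above (the two previously disagreed: label network2, spec network1).
# remotePilotAddress is where cluster2's sidecars/injector reach istiod — normally the
# external address of cluster1's east-west gateway (15012/15017). It is a hardcoded IP; if
# the gateway address changes, re-run this install.
# NOTE(review): with cluster2 on a separate network and no east-west gateway of its own,
# cluster1 presumably cannot reach cluster2 workloads across networks — confirm whether a
# gateway in cluster2 is also needed for your traffic direction.
cat > cluster2.yaml <<'EOF'
apiVersion: install.istio.io/v1alpha1
kind: IstioOperator
spec:
  profile: remote
  meshConfig:
    accessLogFile: /dev/stdout
    trustDomain: fmeng            # same trust domain as cluster1, otherwise identities don't match
    rootNamespace: fmeng
  values:
    global:
      meshID: mesh1
      multiCluster:
        clusterName: cluster2
      network: network2
      remotePilotAddress: 192.168.2.221
      istioNamespace: fmeng
EOF
istioctl install --context=cluster2 -f cluster2.yaml

# Debug-only workaround, NOT part of the install. Enters the network namespace of PID
# 1889023 (one specific process/pod) and DNATs its traffic for 10.0.0.48 to
# 10.169.161.85:30540 (30540 is in the NodePort range, so presumably a NodePort on that
# node). The rule lives only in that netns and disappears when the pod restarts, and it
# papers over an unreachable istiod/gateway address; fix the route or remotePilotAddress
# instead of keeping it. The PID is specific to one host and one moment — re-derive it.
nsenter -t 1889023 -n iptables -t nat -A OUTPUT -p tcp -d 10.0.0.48 -j DNAT --to-destination 10.169.161.85:30540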