Linkerd 2.10 series
- Linkerd v2.10 Service Mesh
- Tencent Cloud K8S deployment Service Mesh — Linkerd2 & Traefik2 deployment emojivoto application
- Learn about the basic features of Linkerd 2.10 and step into the era of Service Mesh
- Linkerd 2.10 – Add your service to Linkerd
- Linkerd 2.10 — Automated Canary release
- Linkerd 2.10 — Automatic rotation controls plane TLS and Webhook TLS credentials
- Linkerd 2.10 — How do I configure external Prometheus instances
- Linkerd 2.10 – Configure proxy concurrency
- Linkerd 2.10 – Configure retry
- Linkerd 2.10 — Configure timeout
- Linkerd 2.10 – Controls the plane debug endpoint
- Linkerd 2.10 – Use Kustomize to customize Linkerd configuration
- Linkerd 2.10 — Use Linkerd for distributed tracing
- Linkerd 2.10 — Debug 502S
- Linkerd 2.10 – Debug HTTP applications using each routing metric
- Linkerd 2.10 – Debug gRPC applications using request tracing
- Linkerd 2.10 — Export metrics
- Linkerd 2.10 — Expose Dashboard
- Linkerd 2.10 – Generate your own mTLS root certificate
- Linkerd 2.10 – Gets metrics for each route
- Linkerd 2.10 — Injection failures for chaos engineering
- Linkerd 2.10 — Elegant Pod shutdown
- 2.10 – Linkerd Ingress traffic
- Linkerd 2.10 – Install multiple cluster components
- Linkerd 2.10 — Install Linkerd
- Linkerd 2.10 — Install Linkerd using Helm
- Linkerd 2.10 — Linkerd and Pod Security Policy (PSP)
- Linkerd 2.10 — Manually rotate control plane TLS credentials
- Linkerd 2.10 – Changes the agent log level
Linkerd 2.10 中文 版
- linkerd.hacker-linner.com
This guide guides you through installing and configuring Linkerd so that two clusters can communicate with services hosted on both clusters. At the end of this tutorial, you will learn how to allocate traffic between services on different clusters.
You will:
- Install Linkerd with shared trust anchor (
shared trust anchor
) on both clusters. - Prepare clusters.
- Link clusters.
- Install the demo.
- Expose demo Services to control visibility.
- Verify cluster security.
- Split traffic from the source cluster (
west
The traffic of the pod on) is split to the target cluster (east
).
The premise condition
- Two clusters. We will refer to them in this guide
east
和west
. Follow along as you navigate through this guideBlog posts! The easiest way to do this for development is to run one locally on your laptopkind 或 k3dClustering, and in the cloud provider (e.gAKS) to run a cluster remotely. - Each of these clusters should be configured as
kubectl
contexts. We recommend you use iteast
和west
So that you can follow this guide. usekubectl
rename contextsIt’s easy, so don’t feel like you need to keep naming it that way forever. - Promotion permissions on both clusters. We will create the service account and grant extension permissions, so you need to be able to do this on the test cluster.
- Linkerd should be installed
viz
Extension to runstat
Command, view the Grafana or Linkerd dashboards, and runlinkerd multicluster gateways
Command. - support
east
In the clusterLoadBalancer
Type of service. View the documentation for the cluster provider or viewinlets. This is awest
The cluster will be used to communicate with the gatewayeast
The content of the communication.
Install Linkerd
Linkerd requires a shared Trust Anchor to exist between all installations in the cluster that communicate with each other. This is used to encrypt traffic between clusters and authorize requests to the gateway so that your cluster is not open to the public Internet. Instead of having Linkerd generate everything, we need to generate the credentials and use them as a configuration for the install command.
We like to use step CLI to generate these certificates. If you prefer OpenSSL, feel free to use it! To generate trust anchors using step, you can run:
step certificate create root.linkerd.cluster.local root.crt root.key \
--profile root-ca --no-password --insecure
Copy the code
This certificate will form the common basis of trust between all clusters. Each agent gets a copy of this certificate and uses it to validate the certificate received from the peer as part of the mTLS handshake. With a common foundation of trust, we now need to generate a certificate that can be used to issue certificates to agents in each cluster.
The trust anchor we generate is a self-signed certificate that can be used to create a new certificate (certificate authority). To generate issuer credentials using trust anchors, run:
step certificate create identity.linkerd.cluster.local issuer.crt issuer.key \
--profile intermediate-ca --not-after 8760h --no-password --insecure \
--ca root.crt --ca-key root.key
Copy the code
The Identity service in the cluster will use the certificate and key that you generate here to generate the certificate used by each individual agent. Although we will use the same issuer credentials for each cluster in this guide, it is best to use different issuer credentials for each cluster.
With valid Trust Anchors and issuer credentials, we can now install Linkerd on your West and East clusters.
linkerd install \
--identity-trust-anchors-file root.crt \
--identity-issuer-certificate-file issuer.crt \
--identity-issuer-key-file issuer.key \
| tee \
>(kubectl --context=west apply -f -) \
>(kubectl --context=east apply -f -)
Copy the code
Install’s output will be applied to each cluster and appear! You can use check to verify that everything is successful.
for ctx in west east; do
echo "Checking cluster: ${ctx}. \n"
linkerd --context=${ctx} check || break
echo "-------------\n"
done
Copy the code
Ready to cluster
To route traffic between clusters, Linkerd leverages Kubernetes Services, so your application code doesn’t need to change or learn anything new. This requires a gateway component that routes incoming requests to the correct internal service. The gateway is exposed to the public Internet through a Service of type LoadBalancer. Only requests authenticated by Linkerd’s mTLS (with shared trust anchor) are allowed through this gateway.
To install multi-cluster components on West and East, you can run:
for ctx in west east; do
echo "Installing on cluster: ${ctx}..."
linkerd --context=${ctx} multicluster install | \
kubectl --context=${ctx} apply -f - || break
echo "-------------\n"
done
Copy the code
The gateway is installed in the Linkerd-Multicluster namespace and is a simple NGINX proxy that has been injected with the Linkerd proxy. On the inbound side, Linkerd is responsible for verifying that the connection uses TLS certificates that are part of the trust anchor. NGINX receives the request and forwards it to the outbound side of the Linkerd agent. At this point, the Linkerd agent runs like any other agent in the data plane and forwards the request to the correct service. Ensure successful gateway startup by running the following command:
for ctx in west east; do
echo "Checking gateway on cluster: ${ctx}..."
kubectl --context=${ctx} -n linkerd-multicluster \
rollout status deploy/linkerd-gateway || break
echo "-------------\n"
done
Copy the code
Check whether the load balancer can assign public IP addresses by running the following command:
for ctx in west east; do
printf "Checking cluster: ${ctx}..."
while [ "$(kubectl --context=${ctx} -n linkerd-multicluster get service \ -o 'custom-columns=:.status.loadBalancer.ingress[0].ip' \ --no-headers)" = "<none>" ]; do
printf '. '
sleep 1
done
printf "\n"
done
Copy the code
Each cluster is now running a multicluster Control plane and ready to start the mirroring service. We now want to link clusters together!
Links to cluster
In order for West to mirror services from East, the West cluster needs to have credentials so that it can monitor the East services to be exposed. After all, you don’t want anyone to be able to introspect what’s running on a cluster! The credentials include the service account for validating the service image and the ClusterRole and ClusterRoleBinding that allow monitoring of the service. In general, the service mirroring component uses these credentials to observe services on east or the target cluster and add/remove them from itself (West). A default setting was added as part of Linkerd Multicluster Install, but if you want to have separate credentials for each cluster, you can run Linkerd Multicluster allow.
The next step is to link west to East. This creates the Credentials Secret, Link Resource, and service-mirror controller. The credentials key contains a KubeconFig that can be used to access the Kubernetes API of the target (East) cluster. A Link resource is a customized resource for configuring service mirroring, including gateway address, Gateway identity, and label selector for determining which services to mirror. The service-mirror Controller uses Link and secret to find services on the target cluster that match the given label selector and copies them to the source (local) cluster.
To link the West cluster to the East cluster, run:
linkerd --context=east multicluster link --cluster-name east |
kubectl --context=west apply -f -
Copy the code
Linkerd will look at your current East Context and extract the cluster configuration containing the server location and CA package. It then takes the ServiceAccount Token and merges these configurations into a KubeconFig secret.
Running check again ensures that the Service Mirror has found the secret and can reach East.
linkerd --context=west multicluster check
Copy the code
In addition, the East gateway should now appear in the list:
linkerd --context=west multicluster gateways
Copy the code
Link assumes that the two clusters will connect to each other using the same configuration that you use locally. If this is not the case, you will need to use the –api-server-address flag for link.
Installation test service
It’s time to test it all! The first step is to add some services that we can mirror. To add these to both clusters, you can run:
for ctx in west east; do
echo "Adding test services on cluster: ${ctx}..."
kubectl --context=${ctx} apply \
-k "github.com/linkerd/website/multicluster/${ctx}/"
kubectl --context=${ctx} -n test \
rollout status deploy/podinfo || break
echo "-------------\n"
done
Copy the code
You will now have a test namespace running two deployments – frontend and Podinfo – in each cluster. Podinfo is configured slightly differently in each cluster, with different names and colors so that we know where requests are going.
To immediately see what it looks like from the West cluster, you can run:
kubectl --context=west -n test port-forward svc/frontend 8080
Copy the code
You can now see what it looks like in the West cluster via the Podinfo login page provided at http://localhost:8080. Alternatively, running curl http://localhost:8080 returns a JSON response similar to the following:
{
"hostname": "podinfo-5c8cf55777-zbfls"."version": "4.0.2."."revision": "b4138fdb4dce7b34b6fc46069f70bb295aa8963c"."color": "#6c757d"."logo": "https://raw.githubusercontent.com/stefanprodan/podinfo/gh-pages/cuddle_clap.gif"."message": "greetings from west"."goos": "linux"."goarch": "amd64"."runtime": "go1.14.3"."num_goroutine": "8"."num_cpu": "4"
}
Copy the code
Notice that message refers to the West cluster name.
Exposed services
To ensure that sensitive services are not mirrored and cluster performance is affected by service creation or deletion, we require explicit exposure of services. For the purposes of this guide, we will export the Podinfo service from the East cluster to the West cluster. To do this, we must first export the Podinfo service in the EAST cluster. You can add mirror. Linkerd. IO/exported tags to do this:
kubectl --context=east label svc -n test podinfo mirror.linkerd.io/exported=true
Copy the code
You can configure different label selectors by using the –selector flag on the Linkerd Multicluster link command or by editing link resources created by the Linkerd Multicluster link command.
View the service created by the Service Mirror Controller.
kubectl --context=west -n test get svc podinfo-east
Copy the code
From architecture, you’ll remember that service Mirror components do more than just move services. It also manages the endpoints on the mirroring service. To verify that the Settings are correct, you can check the west endpoints and verify that they match the public IP address of the East gateway.
kubectl --context=west -n test get endpoints podinfo-east \
-o 'custom-columns=ENDPOINT_IP:.subsets[*].addresses[*].ip'
kubectl --context=east -n linkerd-multicluster get svc linkerd-gateway \
-o "custom-columns=GATEWAY_IP:.status.loadBalancer.ingress[*].ip"
Copy the code
At this point, we can access the Podinfo service in East from the West cluster. This requires griding the client, so let’s run curl from the front-end pod:
kubectl --context=west -n test exec -c nginx -it \
$(kubectl --context=west -n test get po -l app=frontend \
--no-headers -o custom-columns=:.metadata.name) \
-- /bin/sh -c "apk add curl && curl http://podinfo-east:9898"
Copy the code
You will see a message from Greeting from East! Requests from frontend Pod running in West are transparently forwarded to East. Assume that you are still in the previous step for port forwarding, you can also from the browser to http://localhost:8080/east. Refresh a few times and you can also get metrics from Linkerd Viz stat.
linkerd --context=west -n test viz stat --from deploy/frontend svc
Copy the code
We also provide a Grafana dashboard to understand what’s going on here. You can run through linkerd – context = west viz dashboard and go to http://localhost:50750/grafana/ to access it.
security
By default, requests are made over the public Internet. Linkerd extends its automatic mTLS across clusters to ensure that communications over the public Internet are encrypted. However, for a quick check, you can run:
linkerd --context=west -n test viz tap deploy/frontend | \
grep "$(kubectl --context=east -n linkerd-multicluster get svc linkerd-gateway \
-o "custom-columns=GATEWAY_IP:.status.loadBalancer.ingress[*].ip")"
Copy the code
TLS =true tells you that the request is being encrypted!
Because Linkerd Edge is resource-specific and you cannot see two clusters at the same time, you cannot currently show the edge between pods in East and West. This is why we use TAP to validate mTLS here.
In addition to ensuring that all your requests are encrypted, it is also important to prevent arbitrary requests from entering your cluster. We do this by verifying that the request comes from a client in the grid. For this verification, we rely on shared trust anchors between clusters. To see what happens when the client is outside the grid, you can run:
kubectl --context=west -n test run -it --rm --image=alpine:3 test -- \
/bin/sh -c "apk add curl && curl -vv http://podinfo-east:9898"
Copy the code
Flow separation
It is useful to have services automatically present in a cluster and be able to handle them explicitly, but this covers only one use case that operates on multiple clusters. Another scenario for multiple clusters is failover. In a failover scenario, you do not have time to update the configuration. Instead, you need to be able to ignore the application and simply change the route. If this sounds a lot like the way we deploy for Canary, you’re right!
TrafficSplit allows us to define weights between multiple services and split traffic between them. In a failover scenario, you want to do this slowly to ensure that you don’t overload other clusters or trip any SLOs due to the added delay. To make this all work for our scenario, let’s split between the Podinfo services in West and East. To configure it, you will run:
cat <<EOF | kubectl --context=west apply -f - apiVersion: split.smi-spec.io/v1alpha1 kind: TrafficSplit metadata: name: podinfo namespace: test spec: service: podinfo backends: - service: podinfo weight: 50 - service: podinfo-east weight: 50 EOF
Copy the code
Any requests to Podinfo will now be forwarded to the Podinfo-East cluster 50% of the time and to the local Podinfo service 50% of the time. Requests sent to Podinfo-East end up in the East cluster, so we have now effectively failed over 50% of the traffic from west to East.
If you are still running port-forward, you can send your browser to http://localhost:8080. The refresh page should show two clusters. Or, for command line methods, curl localhost:8080 will give you a greeting message from west and East.
You can also observe what is happening through metrics. To see the source of something (West), you can run:
linkerd --context=west -n test viz stat trafficsplit
Copy the code
It can also be observed from the target (EAST) side by running:
linkerd --context=east -n test viz stat \
--from deploy/linkerd-gateway \
--from-namespace linkerd-multicluster \
deploy/podinfo
Copy the code
There’s even a dashboard! Run the Linkerd Viz Dashboard and send your browser to localhost:50750.
Clean up the
To clean up the multi-cluster control plane, you can run:
for ctx in west east; do
linkerd --context=${ctx} multicluster uninstall | kubectl --context=${ctx} delete -f -
done
Copy the code
If you also want to remove the Linkerd installation, run:
for ctx in west east; do
linkerd --context=${ctx} uninstall | kubectl --context=${ctx} delete -f -
done
Copy the code
I am weishao wechat: uuhells123 public number: hackers afternoon tea add my wechat (mutual learning exchange), pay attention to the public number (for more learning materials ~)Copy the code