|
| 1 | +#!/bin/bash |
| 2 | + |
| 3 | +set -eux |
| 4 | + |
| 5 | +# change the clusternames as per your need |
| 6 | +export CTX_CLUSTER1=gke_k8s-rdas_us-east1-b_member-1a |
| 7 | +export CTX_CLUSTER2=gke_k8s-rdas_us-east1-c_member-2a |
| 8 | +export CTX_CLUSTER3=gke_k8s-rdas_us-west1-a_member-3a |
| 9 | +export VERSION=1.10.3 |
| 10 | + |
| 11 | +# download Istio 1.10.3 under the path |
| 12 | +curl -L https://istio.io/downloadIstio | ISTIO_VERSION=${VERSION} sh - |
| 13 | + |
| 14 | +# checks if external IP has been assigned to a service object, in our case we are interested in east-west gateway |
| 15 | +function_check_external_ip_assigned() { |
| 16 | + while : ; do |
| 17 | + ip=$(kubectl --context="$1" get svc istio-eastwestgateway -n istio-system --output jsonpath='{.status.loadBalancer.ingress[0].ip}') |
| 18 | + if [ -n "$ip" ] |
| 19 | + then |
| 20 | + echo "external ip assigned $ip" |
| 21 | + break |
| 22 | + else |
| 23 | + echo "waiting for external ip to be assigned" |
| 24 | + fi |
| 25 | +done |
| 26 | +} |
| 27 | + |
| 28 | +cd istio-${VERSION} |
| 29 | +mkdir -p certs |
| 30 | +pushd certs |
| 31 | + |
| 32 | +# create root trust for the clusters |
| 33 | +make -f ../tools/certs/Makefile.selfsigned.mk root-ca |
| 34 | +make -f ../tools/certs/Makefile.selfsigned.mk ${CTX_CLUSTER1}-cacerts |
| 35 | +make -f ../tools/certs/Makefile.selfsigned.mk ${CTX_CLUSTER2}-cacerts |
| 36 | +make -f ../tools/certs/Makefile.selfsigned.mk ${CTX_CLUSTER3}-cacerts |
| 37 | + |
| 38 | +kubectl --context="${CTX_CLUSTER1}" create ns istio-system |
| 39 | +kubectl --context="${CTX_CLUSTER1}" create secret generic cacerts -n istio-system \ |
| 40 | + --from-file=${CTX_CLUSTER1}/ca-cert.pem \ |
| 41 | + --from-file=${CTX_CLUSTER1}/ca-key.pem \ |
| 42 | + --from-file=${CTX_CLUSTER1}/root-cert.pem \ |
| 43 | + --from-file=${CTX_CLUSTER1}/cert-chain.pem |
| 44 | + |
| 45 | +kubectl --context="${CTX_CLUSTER2}" create ns istio-system |
| 46 | +kubectl --context="${CTX_CLUSTER2}" create secret generic cacerts -n istio-system \ |
| 47 | + --from-file=${CTX_CLUSTER2}/ca-cert.pem \ |
| 48 | + --from-file=${CTX_CLUSTER2}/ca-key.pem \ |
| 49 | + --from-file=${CTX_CLUSTER2}/root-cert.pem \ |
| 50 | + --from-file=${CTX_CLUSTER2}/cert-chain.pem |
| 51 | + |
| 52 | +kubectl --context="${CTX_CLUSTER3}" create ns istio-system |
| 53 | +kubectl --context="${CTX_CLUSTER3}" create secret generic cacerts -n istio-system \ |
| 54 | + --from-file=${CTX_CLUSTER3}/ca-cert.pem \ |
| 55 | + --from-file=${CTX_CLUSTER3}/ca-key.pem \ |
| 56 | + --from-file=${CTX_CLUSTER3}/root-cert.pem \ |
| 57 | + --from-file=${CTX_CLUSTER3}/cert-chain.pem |
| 58 | +popd |
| 59 | + |
| 60 | +# label namespace in cluster1 |
| 61 | +kubectl --context="${CTX_CLUSTER1}" get namespace istio-system && \ |
| 62 | + kubectl --context="${CTX_CLUSTER1}" label namespace istio-system topology.istio.io/network=network1 |
| 63 | + |
| 64 | +cat <<EOF > cluster1.yaml |
| 65 | +apiVersion: install.istio.io/v1alpha1 |
| 66 | +kind: IstioOperator |
| 67 | +spec: |
| 68 | + values: |
| 69 | + global: |
| 70 | + meshID: mesh1 |
| 71 | + multiCluster: |
| 72 | + clusterName: cluster1 |
| 73 | + network: network1 |
| 74 | +EOF |
| 75 | +bin/istioctl install --context="${CTX_CLUSTER1}" -f cluster1.yaml |
| 76 | +samples/multicluster/gen-eastwest-gateway.sh \ |
| 77 | + --mesh mesh1 --cluster cluster1 --network network1 | \ |
| 78 | + bin/istioctl --context="${CTX_CLUSTER1}" install -y -f - |
| 79 | + |
| 80 | + |
| 81 | +# check if external IP is assigned to east-west gateway in cluster1 |
| 82 | +function_check_external_ip_assigned "${CTX_CLUSTER1}" |
| 83 | + |
| 84 | + |
| 85 | +# expose services in cluster1 |
| 86 | +kubectl --context="${CTX_CLUSTER1}" apply -n istio-system -f \ |
| 87 | + samples/multicluster/expose-services.yaml |
| 88 | + |
| 89 | + |
| 90 | +kubectl --context="${CTX_CLUSTER2}" get namespace istio-system && \ |
| 91 | + kubectl --context="${CTX_CLUSTER2}" label namespace istio-system topology.istio.io/network=network2 |
| 92 | + |
| 93 | + |
| 94 | +cat <<EOF > cluster2.yaml |
| 95 | +apiVersion: install.istio.io/v1alpha1 |
| 96 | +kind: IstioOperator |
| 97 | +spec: |
| 98 | + values: |
| 99 | + global: |
| 100 | + meshID: mesh1 |
| 101 | + multiCluster: |
| 102 | + clusterName: cluster2 |
| 103 | + network: network2 |
| 104 | +EOF |
| 105 | + |
| 106 | +bin/istioctl install --context="${CTX_CLUSTER2}" -f cluster2.yaml |
| 107 | + |
| 108 | +samples/multicluster/gen-eastwest-gateway.sh \ |
| 109 | + --mesh mesh1 --cluster cluster2 --network network2 | \ |
| 110 | + bin/istioctl --context="${CTX_CLUSTER2}" install -y -f - |
| 111 | + |
| 112 | +# check if external IP is assigned to east-west gateway in cluster2 |
| 113 | +function_check_external_ip_assigned "${CTX_CLUSTER2}" |
| 114 | + |
| 115 | +kubectl --context="${CTX_CLUSTER2}" apply -n istio-system -f \ |
| 116 | + samples/multicluster/expose-services.yaml |
| 117 | + |
| 118 | +# cluster3 |
| 119 | +kubectl --context="${CTX_CLUSTER3}" get namespace istio-system && \ |
| 120 | + kubectl --context="${CTX_CLUSTER3}" label namespace istio-system topology.istio.io/network=network3 |
| 121 | + |
| 122 | +cat <<EOF > cluster3.yaml |
| 123 | +apiVersion: install.istio.io/v1alpha1 |
| 124 | +kind: IstioOperator |
| 125 | +spec: |
| 126 | + values: |
| 127 | + global: |
| 128 | + meshID: mesh1 |
| 129 | + multiCluster: |
| 130 | + clusterName: cluster3 |
| 131 | + network: network3 |
| 132 | +EOF |
| 133 | + |
| 134 | +bin/istioctl install --context="${CTX_CLUSTER3}" -f cluster3.yaml |
| 135 | + |
| 136 | +samples/multicluster/gen-eastwest-gateway.sh \ |
| 137 | + --mesh mesh1 --cluster cluster3 --network network3 | \ |
| 138 | + bin/istioctl --context="${CTX_CLUSTER3}" install -y -f - |
| 139 | + |
| 140 | + |
| 141 | +# check if external IP is assigned to east-west gateway in cluster3 |
| 142 | +function_check_external_ip_assigned "${CTX_CLUSTER3}" |
| 143 | + |
| 144 | +kubectl --context="${CTX_CLUSTER3}" apply -n istio-system -f \ |
| 145 | + samples/multicluster/expose-services.yaml |
| 146 | + |
| 147 | + |
| 148 | +# enable endpoint discovery |
| 149 | +bin/istioctl x create-remote-secret \ |
| 150 | + --context="${CTX_CLUSTER1}" \ |
| 151 | + -n istio-system \ |
| 152 | + --name=cluster1 | \ |
| 153 | + kubectl apply -f - --context="${CTX_CLUSTER2}" |
| 154 | + |
| 155 | +bin/istioctl x create-remote-secret \ |
| 156 | + --context="${CTX_CLUSTER1}" \ |
| 157 | + -n istio-system \ |
| 158 | + --name=cluster1 | \ |
| 159 | + kubectl apply -f - --context="${CTX_CLUSTER3}" |
| 160 | + |
| 161 | +bin/istioctl x create-remote-secret \ |
| 162 | + --context="${CTX_CLUSTER2}" \ |
| 163 | + -n istio-system \ |
| 164 | + --name=cluster2 | \ |
| 165 | + kubectl apply -f - --context="${CTX_CLUSTER1}" |
| 166 | + |
| 167 | +bin/istioctl x create-remote-secret \ |
| 168 | + --context="${CTX_CLUSTER2}" \ |
| 169 | + -n istio-system \ |
| 170 | + --name=cluster2 | \ |
| 171 | + kubectl apply -f - --context="${CTX_CLUSTER3}" |
| 172 | + |
| 173 | +bin/istioctl x create-remote-secret \ |
| 174 | + --context="${CTX_CLUSTER3}" \ |
| 175 | + -n istio-system \ |
| 176 | + --name=cluster3 | \ |
| 177 | + kubectl apply -f - --context="${CTX_CLUSTER1}" |
| 178 | + |
| 179 | +bin/istioctl x create-remote-secret \ |
| 180 | + --context="${CTX_CLUSTER3}" \ |
| 181 | + -n istio-system \ |
| 182 | + --name=cluster3 | \ |
| 183 | + kubectl apply -f - --context="${CTX_CLUSTER2}" |
| 184 | + |
| 185 | + # cleanup: delete the istio repo at the end |
| 186 | +cd .. |
| 187 | +rm -r istio-${VERSION} |
| 188 | +rm -f cluster1.yaml cluster2.yaml cluster3.yaml |
0 commit comments