Implementing service discovery across multiple Kubernetes clusters

Introduction

In this article, I will talk about how you can set up a service mesh using Istio that spans multiple clusters. Documentation is available from Istio as well, but it gets very confusing, and I had a hard time getting everything up and running. I hope this article will help others who are trying to do the same setup and are stuck because of poor documentation.

There are two ways to set up a multicluster Istio mesh:

  1. Shared Control Plane
  2. Replicated Control Plane

You can find more details in the official docs.

I would suggest going with the Replicated Control Plane setup because it offers better HA, each cluster can be managed independently by different teams, and any config issue in one cluster's control plane will not affect the other cluster's services. So I will explain only the Replicated Control Plane setup.

Things to Note

  1. In a cross-cluster service mesh, communication between services requires mutual TLS. This means you need a common set of certs to be created for both clusters; this includes a common root CA cert and intermediate certs for each cluster signed using this root CA cert.
  2. Even when you set up a multicluster service mesh, you cannot dynamically discover all services in one cluster from the other cluster. You need to add configs for each service you want to talk to from one cluster to another (which I'll be showing in this article).
  3. Cross-cluster service calls happen via the Istio ingress gateway, so make sure you have a DNS name for the second cluster for calls from the first cluster.
  4. I did the whole setup in Istio 1.6.4 and would suggest using Istio version 1.6+ only, because it also claims to have lower latency in traffic flow compared to older versions.
  5. The process as per the official docs is mentioned here, but I will try to make the process simpler and more straightforward.
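
The certificate layout from note 1, as an added example (not code from this article or from the Istio project): one root CA, an intermediate CA per cluster signed by it, and a check that a workload cert issued in one cluster verifies against the shared root alone. The cluster names, subject fields, file names and 365-day lifetime are assumptions chosen for illustration.

```bash
#!/usr/bin/env bash
# Added example: shared root CA, one intermediate CA per cluster, one workload
# cert per cluster. All names and directories here are assumptions.
set -eu

conf() {  # conf <file>: minimal config, independent of the system openssl.cnf
  cat > "$1" <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = replaced-by-subj
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
[v3_leaf]
basicConstraints = critical,CA:FALSE
keyUsage = critical,digitalSignature,keyEncipherment
extendedKeyUsage = serverAuth,clientAuth
EOF
}

issue() {  # issue <dir> <name> <signer-name|self> <extension-section>
  local d="$1" n="$2" s="$3" ext="$4"
  openssl req -new -newkey rsa:2048 -nodes -config "$d/ca.cnf" \
    -subj "/O=Example Mesh/CN=$n" -keyout "$d/$n-key.pem" -out "$d/$n.csr" 2>/dev/null
  if [ "$s" = self ]; then set -- -signkey "$d/$n-key.pem"
  else set -- -CA "$d/$s-cert.pem" -CAkey "$d/$s-key.pem" -CAcreateserial; fi
  openssl x509 -req -in "$d/$n.csr" "$@" -days 365 -sha256 \
    -extfile "$d/ca.cnf" -extensions "$ext" -out "$d/$n-cert.pem" 2>/dev/null
}

build_mesh() {  # build_mesh <dir>: root, two cluster intermediates, two workloads
  mkdir -p "$1"; conf "$1/ca.cnf"
  issue "$1" root self v3_ca
  for c in cluster1 cluster2; do
    issue "$1" "$c" root v3_ca              # intermediate signed by the shared root
    issue "$1" "$c-workload" "$c" v3_leaf   # workload cert signed by that cluster's CA
  done
}

verify_workload() {  # verify_workload <root> <presented-intermediate> <leaf>
  openssl verify -CAfile "$1" -untrusted "$2" "$3" >/dev/null 2>&1
}

work=$(mktemp -d)
build_mesh "$work/mesh"
# A peer in cluster2 trusts only the root; cluster1's intermediate arrives in the chain.
verify_workload "$work/mesh/root-cert.pem" "$work/mesh/cluster1-cert.pem" \
  "$work/mesh/cluster1-workload-cert.pem" && echo "cluster1 workload accepted"
```

A workload cert issued under a separately generated root fails the same check, which is why both clusters' intermediates must be signed by one root. In Istio, each cluster's intermediate is supplied as a plug-in CA through the `cacerts` secret in `istio-system`.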
