In this Code Pattern, we will create a hybrid cloud by connecting services between IBM Cloud Private (ICP) and IBM Cloud Kubernetes Service (IKS) Kubernetes clusters using Istio. We assume that the ICP is not accessible from outside of the organization network but can still access the IKS cluster. Therefore allows us to setup a bi-directional communication between services running on ICP and IKS through a VPN tunnel initiated by the ICP cluster.
When you complete this Code Pattern, you will understand how to:
- Connect a private and a public cloud using a VPN tunnel
- Distribute micro-services between the private and public clusters yet maintain bi-directional connectivity
- Use Istio to conduct the multi-cluster traffic routing
While the example application used by this Code Pattern requires an IBM Cloud for its Watson Tone Analyzer, the pattern presented here can be used to integrate most of the private and public cluster.
We will deploy Istio on each cluster so that the communication between services will be routed according to the location of the service. When calling a remote service, Istio will route the traffic from the local calling service to the local egress, from there to the ingress of the remote cluster and eventually the remote destination service.
In this Code Pattern we took IBM's
Guestbook v2 example application
and configured our Multi-Cluster so that the Guestbook
and Redis
micro-services are running on an IKS cluster and the Analyzer
service is
running on the ICP cluster. This demonstrates communication between the
clusters as Guestbook
is calling the remote Analyzer
service while
Analyzer
itself is calling the Watson Tone Analyzer
service from the IBM
Cloud.
- Users of the Guestbook app use their browser to access the Guestbook web page
served by the
guestbook
service from the public cloud. - Upon submission of a guest comment, the
guestbook
service needs to enrich it with an emoticon base on the submitted text tone. Theguestbook
service calls theanalyzer
service with the submitted text for the tone analysis. Theguestbook
service calls theanalyzer
service as if it was a local service. I.e. the service/app hasn't been modified to support remote services. analyzer
service is running on the remote private cloud therefore call is routed by Istio through the VPN tunnel into the Ingress gateway of the private cloud.analyzer
service calls the Watson Tone Analyzer service with the received text payload and get back the tone analysis result from the public service.- Once response from
analyzer
service has arrived theguestbook
adds the matching emoticon to the submitted text in the web page.
- Kubernetes Cluster: Create and manage your own cloud infrastructure and use Kubernetes as your container orchestration engine.
- Istio: An open platform to connect, manage, and secure micro-services.
- Containers: Virtual software objects that include all the elements that an app needs to run.
- Hybrid Integration: Enabling customers to draw on the capabilities of public cloud service providers while using private cloud deployment for sensitive applications and data.
- Micro-services: Collection of fine-grained, loosely coupled services using a lightweight protocol to provide building blocks in modern application composition in the cloud.
- Clone the repo
- Setup strongSwan VPN
- Setup Kubeconfig
- Setup Watson Tone Analyzer with IBM Cloud
- Download Istio
- Configure
- Install
- Verify
Clone the istio-hybrid
locally. In a terminal, run:
$ git clone https://github.com/IBM/istio-hybrid
strongSwan
is used to setup a IPSec VPN tunnel between clusters and share
subnets of Kubernetes Pods and Services to remote clusters. As such, the
deployment has two parts where in one the strongSwan is deployed on the public
cluster as a VPN "server" and the other part installing the strongSwan as a
"client" on the private cluster. Because the private cluster can access the
public one but not vice versa, the "client" is the one that initiates the VPN
tunnel.
If you require faster error recovery, higher security level or a more elaborate high availability solution than strongSwan, consider using a VPN solution that runs outside of the cluster on dedicated hardware or one of the IBM Cloud Direct Link service options.
Instructions below connects an ICP cluster that has no public access to an IKS cluster.
-
Set up Helm in IBM Cloud Kubernetes Service by following these instructions.
-
Install strongSwan to public IKS Cluster using Helm chart. Example configuration parameters (from
config.yaml
) for the strongSwan Helm release on an IKS (the rest as default):- ipsec.auto:
add
- remote.subnet:
10.0.0.0/24
- ipsec.auto:
-
Execute:
$ kubectl get svc vpn-strongswan
And write down the External IP of the service as you will need it when installing on ICP.
-
Install the strongSwan from the Catalog in the management console.
Example configuration parameters for the strongSwan Helm release on an ICP:- Chart name:
vpn
- Namespace:
default
- Operation at startup:
start
- Local subnets:
10.0.0.0/24
- Local id:
on-prem
- Remote gateway: Public IP of IKS VPN service that you wrote down earlier
- Remote subnets:
172.30.0.0/16,172.21.0.0/16
- Remote id:
ibm-cloud
- Privileged authority for VPN pod: checked
- Chart name:
-
Verify that ICP connected to IKS by running the following against the IKS:
$ export STRONGSWAN_POD=$(kubectl get pod -l app=strongswan,release=vpn -o jsonpath='{ .items[0].metadata.name }') $ kubectl exec $STRONGSWAN_POD -- ipsec status
If configured correctly the output of the command will list one established connection:
Security Associations (1 up, 0 connecting): k8s-conn[10]: ESTABLISHED 65 minutes ago, 172.30.0.107[ibm-cloud]...10.113.87.181[on-prem] k8s-conn{34}: INSTALLED, TUNNEL, reqid 9, ESP in UDP SPIs: c46d5d8d_i c688564f_o k8s-conn{34}: 172.21.0.0/16 172.30.0.0/16 === 10.0.0.0/24
Make sure the two target clusters are available as contexts in the Kubeconfig path:
$ export KUBECONFIG=[location_of_kubeconfig_for_IKS_context]:[location_of_kubeconfig_for_ICP_context]
$ kubectl config get-contexts
The kubeconfig context name for each one of the clusters will be used as configuration parameters to the installation scripts.
You can test that both clusters are accessible with the context name by executing the command:
$ kubectl get nodes --context=<cluster_IKS_context>
$ kubectl get nodes --context=<cluster_ICP_context>
Watson Tone Analyzer detects the tone from the words that users enter into the Guestbook app. The tone is converted to the corresponding emoticons.
-
Use
bx target --cf
orbx target -o ORG -s SPACE
to set the Cloud Foundry org and space where you want to provision the service. -
Create Watson Tone Analyzer in your account.
$ ibmcloud service create tone_analyzer lite my-tone-analyzer-service
-
Create a service key for the service.
$ ibmcloud service key-create my-tone-analyzer-service myKey
-
Show the service key that you created and note the password and username.
$ ibmcloud service key-show my-tone-analyzer-service myKey
Save the username and password for your
config.sh
file in the next step.
Download Istio v1.0.0 for your platform and extract to your location of choice.
Edit the config.sh
file with the necessary settings:
# Cluster A Kubeconfig context
CLUSTER_A=<cluster_IKS_context>
# Cluster B Kubeconfig context
CLUSTER_B=<cluster_ICP_context>
# Watson Tone Analyzer service credentials
TONE_ANALYZER_USERNAME="username"
TONE_ANALYZER_PASSWORD="password"
# Istio v1.0.0 folder path
ISTIO_DIR="<PATH_TO>/istio-1.0.0"
Execute the installation script:
$ ./install.sh
The script will pause after installing Istio v1.0.0 on both clusters and wait for you to press any key. Before continuing, make sure all Istio pods are running on both clusters:
$ kubectl get pods -n istio-system --context=<cluster_IKS_context>
$ kubectl get pods -n istio-system --context=<cluster_ICP_context>
The script continues and the Guestbook web page URL will be printed at the end. You can open this URL in your browser.
If the integration between the two clusters has been established you should see the Tone Analyzer service response added in the form of text emoticons to the Guestbook history.
- Launch the Guestbook web page by opening in your browser the URL printed at the end of the installation
- Type in the Guestbook text field a sentence (e.g.
I just love this app
) and hit the submit button - The history text at the top should show the sentence you entered along with a text emoticon based on the result from the Analyzer service.
Sample result:
Steps below will uninstall the demo app, Istio and it's cross-cluster configuration and strongSwan.
- Uninstall the Guestbook demo app and Istio:
$ ./cleanup.sh
- Uninstall strongSwan from ICP by logging into the ICP Management Console and then navigate to
Menu
→Workloads
→Helm Releases
. Look forvpn
and from theAction
menu chooseDelete
- Uninstall strongSwan from IKS by executing:
$ helm delete --purge vpn
-
Error: the server doesn't have a resource type "nodes"
If you get this kind of error on any
kubectl get
with the ICP context then your session is probably expired. Log into the ICP management console and from the user menu chooseConfigure Client
to reconfigure your Kubeconfig with a valid context. -
Error from server (NotFound): error when deleting ... not found
If you get these errors when running the
cleanup.sh
then you can ignore those as the resources have been already deleted when removing the Istio namespace earlier in the script.
- IBM Cloud Kubernetes Service
- IBM Cloud Private
- IBM Cloud Direct Link
- Watson Tone Analyzer
- strongSwan OpenSource IPSec VPN
- Istio
- With Watson: Want to take your Watson app to the next level? Looking to utilize Watson Brand assets? Join the With Watson program to leverage exclusive brand, marketing, and tech resources to amplify and accelerate your Watson embedded commercial solution.
- Kubernetes on IBM Cloud: Deliver your apps with the combined the power of Kubernetes and Docker on IBM Cloud
The concepts of Istio Multi-Cluster used in this repo are based on works done by the Istio community.
Specifically two similar public proof of concepts done separately by Shriram Rajagopalan and Zack Butcher.
This code pattern is licensed under the Apache Software License, Version 2. Separate third party code objects invoked within this code pattern are licensed by their respective providers pursuant to their own separate licenses. Contributions are subject to the Developer Certificate of Origin, Version 1.1 (DCO) and the Apache Software License, Version 2.