-
Notifications
You must be signed in to change notification settings - Fork 2.8k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Add documentation for Clustermesh setup through Helm Chart #19057
Comments
This issue has been automatically marked as stale because it has not |
@samueltorres do you have any update regarding this? |
FWIW, I tried to set this up and faced bunch of difficulties. List out the roadblocks here:
|
@datsabk any chances you could share details on how you achieved the clustermesh setup through helm chart ? |
@xinity Wasn't able to. There is too much of certificate configuration complexity and some values are just not being accepted. The approach i took was - use cilium cli to install and connect two clusters, gather the parameters from the live install and try to use that in helm chart. |
I am currently trying to achieve the cluster mesh with helm, and this needs to be a two-step process, in my opinion: For this example the final setup will be cluster01 <-> cluster02
helm upgrade cilium cilium/cilium --version 1.12.3 \
--namespace kube-system \
--reuse-values \
--set ipv4NativeRoutingCIDR=10.0.0.0/9 \
--set kubeProxyReplacement=strict \
--set l7Proxy=false \
--set k8sServiceHost=x.x.x.x \
--set k8sServicePort=6443 \
--set cluster.name=cluster01 \
--set cluster.id=1 \
--set externalWorkloads.enabled=true \
--set clustermesh.useAPIServer=true
helm upgrade cilium cilium/cilium --version 1.12.3 \
--namespace kube-system \
--reuse-values \
--set ipv4NativeRoutingCIDR=10.0.0.0/9 \
--set kubeProxyReplacement=strict \
--set l7Proxy=false \
--set k8sServiceHost=x.x.x.x \
--set k8sServicePort=6443 \
--set cluster.name=cluster01 \
--set cluster.id=1 \
--set externalWorkloads.enabled=true \
--set clustermesh.useAPIServer=true \
--set clustermesh.config.enabled=true \
--set clustermesh.config.clusters[0].name=cluster02 \
--set clustermesh.config.clusters[0].ips[0]=x.x.x.x \
--set clustermesh.config.clusters[0].port=32379 \
--set clustermesh.config.clusters[0].tls.cert=.... \
--set clustermesh.config.clusters[0].tls.key=.... \
--set clustermesh.apiserver.tls.ca.cert=.... \ This actually done using rke2, here is the apiVersion: helm.cattle.io/v1
kind: HelmChartConfig
metadata:
name: rke2-cilium
namespace: kube-system
spec:
valuesContent: |-
kubeProxyReplacement: strict
k8sServiceHost: x.x.x.x
k8sServicePort: 6443
ipv4NativeRoutingCIDR: 10.0.0.0/9
l7Proxy: false
cluster:
name: cluster01
id: 1
externalWorkloads:
enabled: true
clustermesh:
useAPIServer: true
config:
enabled: true
clusters:
- name: cilium04
ips:
- x.x.x.x
port: 32379
tls:
cert: ...
key: ...
apiserver:
tls:
ca:
cert: ....
Edit: The CA needs to be created in the first and passed along for it to fully function (docs). |
@dgiebert where is clustermesh-apiserver-remote-cert being used? |
It is the certificate used to connect to the apiserver of the remote cluster, so it is used in Maybe this gist will help you. |
@dgiebert thanks for explanation clustermesh:
|
On cilium01 (and on the other cluster you will need to adapt that accordingly):
Using helm they should be set in the array:
Keep in mind that I did only test it using HelmChartConfig! |
@dgiebert thanks a lot
|
I tried to follow cilium/clustermesh-apiserver/README.md#deploy-using-helm steps, but my clustermesh can't initialize:
|
@darkstarmv you can follow this blog: https://www.sobyte.net/post/2022-05/cilium-cluster-mesh/ using cilium command; |
This issue has been automatically marked as stale because it has not |
still relevant |
Hi I am still facing certificate issues wile trying to configure clustermesh between 2 clusters using helm and ArgoCD. Cant we have an init script to get the necessary certificate secrets in sync with both the clusters? |
Here is the difference in cli install and helm install. |
Hi @ALL Should i add the secrets manually like this as explained in this blog: https://docs.kubermatic.com/kubermatic/v2.25/tutorials-howtos/networking/cilium-cluster-mesh/ Is there a way to automate this using helm charts itself? |
Note: I don't use clustermesh.apiserver.tls..ca and clustermesh.apiserver.config.clusters[].tls in favour of setting it in tls.ca @mayur2281 You can create the cert/key and base64 encoded it and then have it in the helm values for both clusters. I normally just deploy the first cluster export the certs and then keep it safe (keystore). Then as i build other clusters i put the base64 encoded values in tls.ca in helm values file |
@dazmc When you deploy the first cluster you export the secret called cilium-ca right? and then put that tls.ca section? Other than that there is no other configuration? |
@samueltorres Can we have another section for clustermesh helm install in these docs?: https://docs.cilium.io/en/stable/network/clustermesh/clustermesh/#gs-clustermesh |
@dazmc Pls tell me what secrets from the first cluster are to be used in the second cluster and in which configuration blocks in the helm values! It is really confusing. Are you suggesting to use only this block here: https://github.com/cilium/cilium/blob/main/install/kubernetes/cilium/values.yaml#L2248 |
Thanks @dazmc Got the clustermesh working by having the same CA as the first cluster in my second cluster in the tls.ca section in the helm values. |
@mayur2281 yes, that's correct. If you notice here it says "These fields can (and should) be omitted in case the CA is shared across clusters" and yes it is confusing ;-) |
@dazmc Yes i saw that and was clear not to use that section, but what was confusing for me was the clustermesh.apiserver.tls section. This section is purely used for communication within the cluster for the clustermesh apiserver right? Anyways i am writing a blog regarding this and will share it here, Pls share your review on it! |
@mayur2281 i then have key/cert in a files (base64 encoded contents, don't do this in production) and use envsubst to fill a template helm values file, including other variables.
|
@mayur2281 that section is deprecated, if i look in the the clustermesh.apiserver.tls section i no longer see ca here section which ties in with it being gone in 1.15. in 1.13.9 helm values that section is there, in 1.14.9 it says the following ca: So I'm using 1.14 now so i have stuck with just using tls.ca section |
I cant do this because i'm using ArgoCD to deploy the clustermesh and have to insert the cert and key manually in the helm values and pass it to the second cluster in argocd. |
@mayur2281 there is nothing stopping you using the cert/key on both cluster1 helm values as well as cluster2. I generated that first cluster to get the cert/key format then i blew it away. Now i have the cert/key so i just put it in the helm values when i deploy cluster 1 or cluster 2 etc... You can manually create the cert/key and use it on any cluster (1, 2, 3 etc...) . So all my clusters have the same key. Sometimes i generate a new cert/key so then i can have cluster1,2,3 in one mesh and cluster4,5,6 in a different mesh. Just keep the cert/keys you need/want. Note: I don't use ArgoCD I prefer flux ;-) |
@dazmc So then what would be the best practice for Production? |
@mayur2281 Having the ca key/certs laying around in a file on your laptop isn't a good idea imho. So i would at least encrypt the files (sops) but better still store the cert/key in something like hashicorp vault or external-secrets (AWS /Azure/GCP keyvault). |
Yes will do that |
@dazmc Pls provide your feedback on this: https://notes.mayurbn.site/Blogs/Cilium-Clustermesh-Deployment-on-Helm-or-ArgoCD-on-AKS PS: If you get a 404 or if the site isnt loading, the site is most probably migrated from mayurbn.site to mayurbn.top |
Hey folks, Just created an example repo on how to configure clustermesh through the helm chart: I aim in the future as soon as I have some free time to document the clustermesh through Helm docs :) |
@mayur2281 It looks like line 13 needs indenting in first yaml and the same for line 18 in the second yaml. You also don't mention how/where you get the load balancer addresses in the yamls |
@dazmc I have made the changes. Pls take a look at it again and share the feedback. |
@mayur2281 corporate firewall blocks your website so will have to check later. @samueltorres nice, I tend to set clustermesh.apiserver.tls.auto.enabled to true
Then all the certs are autogenerated for admin, server, client etc... here for mTLS. Any reason you set it to false and provide the certs manually? just interested in another viewpoint |
Its set to false because he creates all his certs through the shell script. |
@mayur2281 yes i understand, that but I'm trying to understand why you wouldn't just leave it set to auto, then those admin, server, client are autogenerated. it seems like more work as you have to prepare create/store/manage them. You could take all those lines out of the script. I'm sure there is a reason that @samueltorres has done it that way. |
Oh yes Surely he'd have his reasons |
In my case I'd be leveraging Vault as a PKI store, so I tried to emulate the same behaviour here. In my company we install Cilium through Terraform so this is all easy to do from within our Terraform configuration. |
@dazmc I would like to store the certs in Azure Key Vault and use a Secret store CSI driver to create a secret from there. But there is no option in the values to provide a secret name all I have is tls.ca.cert and tls.ca.key. |
@samueltorres Any suggestions on the above comment? |
Follow-up issue of #17851 which introduced support to connect multiple Clustermesh clusters using the Helm Chart.
The text was updated successfully, but these errors were encountered: