Orchestrating advanced Application Deployments across multiple Kubernetes clusters with Istio, ArgoCD, and Argo Rollouts

This lab sets up an Istio Multi-Primary architecture on different networks, with ArgoCD and Argo Rollouts, to upgrade and test an application in multiple clusters at the same time, with the same source of trust.

Take a look at Istio requirements.

Configure clusters

export CTX_CLUSTER1=k8s-1-admin@k8s-1
export CTX_CLUSTER2=k8s-2-admin@k8s-2

Create certificates

Open a new terminal, clone the Istio repository, and change into the newly cloned istio folder. The steps in the Create certificates section must be executed from the istio folder.

Plug in CA certificates in both clusters, as described in the Istio documentation:

mkdir certs
pushd certs
make -f ../tools/certs/Makefile.selfsigned.mk root-ca
make -f ../tools/certs/Makefile.selfsigned.mk k8s-1-cacerts
make -f ../tools/certs/Makefile.selfsigned.mk k8s-2-cacerts
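
Before the secrets are created, it is worth confirming that each cluster directory holds a matching intermediate certificate and key and that both chain to the same root, since a mismatch only shows up later as failed cross-cluster mTLS. The script below is an added example, not part of the lab or of Istio's tooling; it assumes openssl is installed and is run from the certs directory, and the function names and the file name check-cacerts.sh are hypothetical.

```shell
#!/bin/sh
# Added example (not part of the lab): pre-flight check of the plug-in CA files.
# Usage, from the certs/ directory:  sh check-cacerts.sh k8s-1 k8s-2
# (check-cacerts.sh is a hypothetical file name.)

# SHA-256 fingerprint of a PEM certificate.
cert_fp() {
  openssl x509 -in "$1" -noout -fingerprint -sha256 | cut -d= -f2
}

# Digest of the public key held in a certificate ($1=cert) or private key ($1=key).
pubkey_digest() {
  if [ "$1" = cert ]; then
    openssl x509 -in "$2" -noout -pubkey
  else
    openssl pkey -in "$2" -pubout
  fi 2>/dev/null | openssl sha256 | awk '{print $NF}'
}

# Validate the four files that go into one cluster's cacerts secret.
check_cluster_ca() {
  for f in ca-cert.pem ca-key.pem root-cert.pem cert-chain.pem; do
    [ -s "$1/$f" ] || { echo "$1: missing $f" >&2; return 1; }
  done
  # The intermediate must chain to the root shipped in the same secret.
  openssl verify -CAfile "$1/root-cert.pem" "$1/ca-cert.pem" >/dev/null 2>&1 ||
    { echo "$1: ca-cert.pem does not verify against root-cert.pem" >&2; return 1; }
  # The signing key must belong to the intermediate certificate.
  [ "$(pubkey_digest cert "$1/ca-cert.pem")" = "$(pubkey_digest key "$1/ca-key.pem")" ] ||
    { echo "$1: ca-key.pem does not match ca-cert.pem" >&2; return 1; }
}

# Validate both clusters and the relationship between them.
check_mesh_trust() {
  check_cluster_ca "$1" && check_cluster_ca "$2" || return 1
  # Workloads in one cluster only accept the other's certificates if both
  # secrets carry the same root.
  [ "$(cert_fp "$1/root-cert.pem")" = "$(cert_fp "$2/root-cert.pem")" ] ||
    { echo "root-cert.pem differs between $1 and $2" >&2; return 1; }
  # Catches the same directory being loaded into both clusters.
  [ "$(pubkey_digest key "$1/ca-key.pem")" != "$(pubkey_digest key "$2/ca-key.pem")" ] ||
    { echo "$1 and $2 use the same CA key" >&2; return 1; }
  echo "ok: $1 and $2 chain to root $(cert_fp "$1/root-cert.pem")"
}

if [ "$#" -eq 2 ]; then check_mesh_trust "$1" "$2"; fi
```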

Create a secret in both clusters:

cluster k8s-1

kubectl --context="${CTX_CLUSTER1}" create namespace istio-system
kubectl --context="${CTX_CLUSTER1}" create secret generic cacerts -n istio-system \
      --from-file=k8s-1/ca-cert.pem \
      --from-file=k8s-1/ca-key.pem \
      --from-file=k8s-1/root-cert.pem \
      --from-file=k8s-1/cert-chain.pem

cluster k8s-2

kubectl --context="${CTX_CLUSTER2}" create namespace istio-system
kubectl --context="${CTX_CLUSTER2}" create secret generic cacerts -n istio-system \
      --from-file=k8s-2/ca-cert.pem \
      --from-file=k8s-2/ca-key.pem \
      --from-file=k8s-2/root-cert.pem \
      --from-file=k8s-2/cert-chain.pem
popd

Install Istio

Install Istio in both clusters by executing:

cluster k8s-1

kubectl --context="${CTX_CLUSTER1}" get namespace istio-system && \
kubectl --context="${CTX_CLUSTER1}" label namespace istio-system topology.istio.io/network=network1
istioctl install --context="${CTX_CLUSTER1}" -f istio/k8s-1.yaml
istio/gen-eastwest-gateway.sh --mesh mesh1 --cluster k8s-1 --network network1 | istioctl --context="${CTX_CLUSTER1}" install -y -f -

Create cross gateway:

kubectl --context="${CTX_CLUSTER1}" apply -f istio/gw.yaml

cluster k8s-2

kubectl --context="${CTX_CLUSTER2}" get namespace istio-system && \
kubectl --context="${CTX_CLUSTER2}" label namespace istio-system topology.istio.io/network=network2
istioctl install --context="${CTX_CLUSTER2}" -f istio/k8s-2.yaml
istio/gen-eastwest-gateway.sh --mesh mesh1 --cluster k8s-2 --network network2 | istioctl --context="${CTX_CLUSTER2}" install -y -f -

Create cross gateway:

kubectl --context="${CTX_CLUSTER2}" apply -f istio/gw.yaml

Enable Endpoint Discovery

istioctl x create-remote-secret --context="${CTX_CLUSTER1}" --name=k8s-1 | kubectl apply -f - --context="${CTX_CLUSTER2}"
istioctl x create-remote-secret --context="${CTX_CLUSTER2}" --name=k8s-2 | kubectl apply -f - --context="${CTX_CLUSTER1}"

Verify installation

Run the script below to verify the Istio installation:

istio/files/verify.sh

Kiali (Optional)

If you want to install Kiali, just run:

kubectl apply --context="${CTX_CLUSTER1}" -n istio-system -f istio/kiali.yaml