Merge pull request #36045 from JStickler/OSSMDOC-394

JStickler · web-flow · commit 757c40d6c07d · 2021-09-16T22:52:35.000-04:00
OSSMDOC-394: Misc Federation topics.
diff --git a/modules/ossm-federation-across-cluster.adoc b/modules/ossm-federation-across-cluster.adoc
@@ -0,0 +1,33 @@
+////
+This module included in the following assemblies:
+* service_mesh/v2x/ossm-federation.adoc
+////
+
+[id="ossm-federation-across-clusters_{context}"]
+= Mesh federation across clusters
+
+To connect one instance of the OpenShift Service Mesh with one running in a different cluster, the procedure is not much different as when connecting two meshes deployed in the same cluster. However, the ingress gateway of one mesh must be reachable from the other mesh. One way of ensuring this is to configure the gateway service as a `LoadBalancer` service if the cluster supports this type of service.
+
+The service must be exposed through a load balancer that operates at Layer4 of the OSI model.
+
+== Exposing the federation ingress on clusters running on bare metal
+If the cluster runs on bare metal and fully supports `LoadBalancer` services, the IP address found in the `.status.loadBalancer.ingress.ip` field of the ingress gateway `Service` object should be specified as one of the entries in the `.spec.remote.addresses` field of the `ServiceMeshPeer` object.
+
+If the cluster does not support `LoadBalancer` services, using a `NodePort` service could be an option if the nodes are accessible from the cluster running the other mesh. In the `ServiceMeshPeer` object, specify the IP addresses of the nodes in the `.spec.remote.addresses` field and the service's node ports in the `.spec.remote.discoveryPort` and `.spec.remote.servicePort` fields.
+
+== Exposing the federation ingress on Amazon Web Services (AWS)
+By default, LoadBalancer services in clusters running on AWS do not support L4 load balancing. In order for {ProductName} federation to operate correctly, the following annotation must be added to the ingress gateway service:
+
+service.beta.kubernetes.io/aws-load-balancer-type: nlb
+
+The Fully Qualified Domain Name found in the `.status.loadBalancer.ingress.hostname` field of the ingress gateway `Service` object should be specified as one of the entries in the `.spec.remote.addresses` field of the `ServiceMeshPeer` object.
+
+== Exposing the federation ingress on Azure
+On Microsoft Azure, merely setting the service type to `LoadBalancer` suffices for mesh federation to operate correctly.
+
+The IP address found in the `.status.loadBalancer.ingress.ip` field of the ingress gateway `Service` object should be specified as one of the entries in the `.spec.remote.addresses` field of the `ServiceMeshPeer` object.
+
+== Exposing the federation ingress on Google Cloud Platform (GCP)
+On Google Cloud Platform, merely setting the service type to `LoadBalancer` suffices for mesh federation to operate correctly.
+
+The IP address found in the `.status.loadBalancer.ingress.ip` field of the ingress gateway `Service` object should be specified as one of the entries in the `.spec.remote.addresses` field of the `ServiceMeshPeer` object.
diff --git a/modules/ossm-federation-checklist.adoc b/modules/ossm-federation-checklist.adoc
@@ -0,0 +1,29 @@
+////
+This module included in the following assemblies:
+* service_mesh/v2x/ossm-federation.adoc
+////
+
+[id="con-my-concept-module-a_{context}"]
+= Federation implementation checklist
+
+Federating services meshes involves the following activities:
+
+* [ ] Configure networking between the clusters that you are going to federate.
+
+** [ ] Configure the load balancers supporting the services associated with the federation gateways to support raw TLS traffic.
+
+* [ ] Installing the {ProductName} version 2.1 Operator in each of your clusters.
+
+* [ ] Deploying a version 2.1 `ServiceMeshControlPlane` to each of your clusters.
+
+* [ ] Configuring the SMCP for federation for each mesh that you want to federate:
+
+** [ ] Create a federation egress gateway for each mesh you are going to federate with
+** [ ] Create a federation ingress gateway for each mesh you are going to federate with
+** [ ] Configure a unique trust domain
+
+* [ ] Federate two or more meshes by creating a `ServiceMeshPeer` resource for each mesh pair.
+
+* [ ] Export services by creating an `ExportServiceSet` resource to make services available from one mesh to a peer mesh.
+
+* [ ] Import services by creating an `ImportServiceSet` resource to import services shared by a mesh peer.
diff --git a/modules/ossm-federation-remove-mesh.adoc b/modules/ossm-federation-remove-mesh.adoc
@@ -0,0 +1,17 @@
+////
+This module included in the following assemblies:
+* service_mesh/v2x/ossm-federation.adoc
+////
+
+[id="ossm-federation-remove-mesh_{context}"]
+= Removing a mesh from the federated mesh
+
+If you need to remove a mesh from the federation, you can do so.
+
+. Edit the removed mesh's `ServiceMeshControlPlane` resource to remove all federation ingress gateways for peer meshes.
+
+. For each mesh peer that the removed mesh has been federated with:
+
+.. Remove the `ServiceMeshPeer` resource that links the two meshes.
+
+.. Edit the peer mesh's `ServiceMeshControlPlane` resource to remove the egress gateway that serves the removed mesh.
diff --git a/modules/ossm-federation-remove-service.adoc b/modules/ossm-federation-remove-service.adoc
@@ -0,0 +1,17 @@
+////
+This module included in the following assemblies:
+* service_mesh/v2x/ossm-federation.adoc
+////
+
+[id="ossm-federation-remove-service_{context}"]
+= Removing a service from the federated mesh
+
+If you need to remove a service from the federated mesh, for example if it has become obsolete or has been replaced by a different service, you can do so.
+
+== To remove a service from a single mesh
+
+Remove the entry for the service from the `ImportedServiceSet` resource for the mesh peer that no longer should access the service.
+
+== To remove a service from the entire federated mesh
+
+Remove the entry for the service from the `ExportedServiceSet` resource for the mesh that owns the service.
diff --git a/modules/ossm-federation-security.adoc b/modules/ossm-federation-security.adoc
@@ -0,0 +1,14 @@
+////
+This module included in the following assemblies:
+* service_mesh/v2x/ossm-federation.adoc
+////
+
+[id="ossm-federation-security_{context}"]
+= Federation security
+
+Red Hat OpenShift Service Mesh federation takes an opinionated approach to a multi-cluster implementation of Service Mesh that assumes minimal trust between meshes. Data security is built in as part of the federation features.
+
+* Each mesh is considered to be a unique tenant, with a unique administration.
+* You create a unique trust domain for each mesh in the federation.
+* Traffic between the federated meshes is automatically encrypted using mutual Transport Layer Security (mTLS).
+* The Kiali graph only displays your mesh and services that you have imported. You cannot see the other mesh or services that have not been imported into your mesh.
diff --git a/service_mesh/v2x/ossm-federation.adoc b/service_mesh/v2x/ossm-federation.adoc
@@ -9,12 +9,16 @@ _Federation_ is a deployment model that lets you share services and workloads be
 
 // The following include statements pull in the module files that comprise the assembly.
 
-include::modules/ossm-federation-planning.adoc[leveloffset=+2]
+include::modules/ossm-federation-overview.adoc[leveloffset=+2]
 
-include::modules/ossm-federation-config-export.adoc[leveloffset=+2]
+include::modules/ossm-federation-features.adoc[leveloffset=+2]
 
-include::modules/ossm-federation-create-export.adoc[leveloffset=+3]
+include::modules/ossm-federation-security.adoc[leveloffset=+2]
 
-include::modules/ossm-federation-config-import.adoc[leveloffset=+2]
+include::modules/ossm-federation-across-cluster.adoc[leveloffset=+2]
 
-include::modules/ossm-federation-create-import.adoc[leveloffset=+3]
+include::modules/ossm-federation-checklist.adoc[leveloffset=+2]
+
+include::modules/ossm-federation-remove-service.adoc[leveloffset=+2]
+
+include::modules/ossm-federation-remove-mesh.adoc[leveloffset=+2]
