| 1 | +//// |
| 2 | +This module included in the following assemblies: |
| 3 | +* service_mesh/v2x/ossm-federation.adoc |
| 4 | +//// |
| 5 | + |
| 6 | +[id="ossm-federation-joining_{context}"] |
| 7 | += Joining a federated mesh |
| 8 | + |
| 9 | +You declare the federation between two meshes by creating a `ServiceMeshPeer` resource. The `ServiceMeshPeer` resource defines the federation between two meshes, and you use it to configure discovery for the peer mesh, access to the peer mesh, and certificates used to validate the other mesh’s clients. |
| 10 | + |
| 11 | +Meshes are federated on a one-to-one basis, so each pair of peers requires a pair of `ServiceMeshPeer` resources specifying the federation connection to the other service mesh. For example, federating two meshes named `red` and `green` would require two `ServiceMeshPeer` files. |
| 12 | + |
| 13 | +. On red-mesh-system, create a `ServiceMeshPeer` for the green mesh. |
| 14 | +. On green-mesh-system, create a `ServiceMeshPeer` for the red mesh. |
| 15 | + |
| 16 | +Federating three meshes named `red`, `blue`, and `green` would require six `ServiceMeshPeer` files. |
| 17 | + |
| 18 | +. On red-mesh-system, create a `ServiceMeshPeer` for the green mesh. |
| 19 | +. On red-mesh-system, create a `ServiceMeshPeer` for the blue mesh. |
| 20 | +. On green-mesh-system, create a `ServiceMeshPeer` for the red mesh. |
| 21 | +. On green-mesh-system, create a `ServiceMeshPeer` for the blue mesh. |
| 22 | +. On blue-mesh-system, create a `ServiceMeshPeer` for the red mesh. |
| 23 | +. On blue-mesh-system, create a `ServiceMeshPeer` for the green mesh. |
| 24 | + |
| 25 | +//TODO Insert ServiceMeshPeer diagram here |
| 26 | + |
| 27 | +Configuration in the `ServiceMeshPeer` resource includes the following: |
| 28 | + |
| 29 | +* The address of the other mesh’s ingress gateway, which is used for discovery and service requests. |
| 30 | +* The names of the local ingress and egress gateways that is used for interactions with the specified peer mesh. |
| 31 | +* The client ID used by the other mesh when sending requests to this mesh. |
| 32 | +* The trust domain used by the other mesh. |
| 33 | +* The name of a `ConfigMap` containing a root certificate that is used to validate client certificates in the trust domain used by the other mesh. |
| 34 | + |
| 35 | +In the following example, the administrator for the `red-mesh` is configuring federation with the `green-mesh`. |
| 36 | + |
| 37 | +.Example ServiceMeshPeer resource for red-mesh |
| 38 | +[source,yaml] |
| 39 | +---- |
| 40 | +kind: ServiceMeshPeer |
| 41 | +apiVersion: federation.maistra.io/v1 |
| 42 | +metadata: |
| 43 | + name: green-mesh |
| 44 | + namespace: red-mesh-system |
| 45 | +spec: |
| 46 | + remote: |
| 47 | + addresses: |
| 48 | + - ingress-red-mesh.green-mesh-system.apps.domain.com |
| 49 | + gateways: |
| 50 | + ingress: |
| 51 | + name: ingress-green-mesh |
| 52 | + egress: |
| 53 | + name: egress-green-mesh |
| 54 | + security: |
| 55 | + trustDomain: green-mesh.local |
| 56 | + clientID: green-mesh.local/ns/green-mesh-system/sa/egress-red-mesh-service-account |
| 57 | + certificateChain: |
| 58 | + kind: ConfigMap |
| 59 | + name: green-mesh-ca-root-cert |
| 60 | +---- |
| 61 | + |
| 62 | +.ServiceMeshPeer configuration parameters |
| 63 | +[options="header"] |
| 64 | +[cols="l, a, a"] |
| 65 | +|=== |
| 66 | +|Parameter |Description |Values |
| 67 | +|metadata: |
| 68 | + name: |
| 69 | +|Name of the peer mesh that this resource is configuring federation with. |
| 70 | +|String |
| 71 | + |
| 72 | +|metadata: |
| 73 | + namespace: |
| 74 | +|System namespace for this mesh, that is, where the mesh control plane is installed. |
| 75 | +|String |
| 76 | + |
| 77 | +|spec: |
| 78 | + remote: |
| 79 | + addresses: |
| 80 | +|List of public addresses of the peer meshes' ingress gateways that are servicing requests from this mesh. |
| 81 | +| |
| 82 | + |
| 83 | +|spec: |
| 84 | + remote: |
| 85 | + discoveryPort: |
| 86 | +|The port on which the addresses are handling discovery requests. |
| 87 | +|Defaults to 8188 |
| 88 | + |
| 89 | +|spec: |
| 90 | + remote: |
| 91 | + servicePort: |
| 92 | +|The port on which the addresses are handling service requests. |
| 93 | +|Defaults to 15443 |
| 94 | + |
| 95 | +|spec: |
| 96 | + gateways: |
| 97 | + ingress: |
| 98 | + name: |
| 99 | +|Name of the ingress on this mesh that is servicing requests received from the peer mesh. For example, `ingress-green-mesh`. |
| 100 | +| |
| 101 | + |
| 102 | +|spec: |
| 103 | + gateways: |
| 104 | + egress: |
| 105 | + name: |
| 106 | +|Name of the egress on this mesh that is servicing requests sent to the peer mesh. For example, `egress-green-mesh`. |
| 107 | +| |
| 108 | + |
| 109 | +|spec: |
| 110 | + security: |
| 111 | + trustDomain: |
| 112 | +|The trust domain used by the peer mesh. |
| 113 | +|<peerMeshName>.local |
| 114 | + |
| 115 | +|spec: |
| 116 | + security: |
| 117 | + clientID: |
| 118 | +|The client ID used by the peer mesh when calling into this mesh. |
| 119 | +|<peerMeshTrustDomain>/ns/<peerMeshSystem>/sa/<peerMeshEgressGatewayName>-service-account |
| 120 | + |
| 121 | +|spec: |
| 122 | + security: |
| 123 | + certificateChain: |
| 124 | +|The name of a `ConfigMap` resource containing the root certificate used to validate the client certificate(s) presented to this mesh by the peer mesh. |
| 125 | +|<peerMesh>-ca-root-cert |
| 126 | +|=== |
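Review bot: the `//TODO Insert ServiceMeshPeer diagram here` comment is being merged as a placeholder in a module that the header says is included in `service_mesh/v2x/ossm-federation.adoc`; either add the diagram or drop the comment so it does not ship in the published page. Smaller points in the same hunk: the Values column is empty for `spec.remote.addresses`, `spec.gateways.ingress.name` and `spec.gateways.egress.name` while every other row gives a type or a pattern ("List of strings" and "String" would be consistent with the `metadata` rows); "The names of the local ingress and egress gateways that is used" should read "that are used"; "peer meshes' ingress gateways" should be "peer mesh's ingress gateways", since the text states each `ServiceMeshPeer` targets exactly one peer; and the first paragraph states that the resource "defines the federation between two meshes" twice in consecutive sentences. The `certificateChain` row names the `ConfigMap` that holds the root certificate used to validate the peer's client certificates, which is the trust anchor for the whole peering, but neither the table nor the prose says which namespace that `ConfigMap` lives in or how it is populated with the peer's root certificate; a sentence on that next to the `<peerMesh>-ca-root-cert` pattern would save readers from guessing.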