
Enabling Multi-Cloud Kubernetes Communication with Skupper

@sudip-sengupta Sudip Sengupta

Solution Architect | Technical Content Writer

Intro

There are many challenges that engineering teams face when attempting to incorporate a multi-cloud approach into their infrastructure goals. Kubernetes does a good job of addressing some of these issues, but managing the communication of clusters that span multiple cloud providers in multiple regions can become a daunting task for teams. Often this requires complex VPNs and special firewall rules to enable multi-cloud cluster communication.

In this post, I will be introducing you to Skupper, an open source project for enabling secure communication across Kubernetes clusters. Skupper allows your application to span multiple cloud providers, data centers, and regions. Let's see it in action!

Getting Started

This tutorial will demonstrate how to distribute the Istio Bookinfo Application microservices across multiple public and private clusters. The services require no coding changes to work in the distributed application environment. With Skupper, the application behaves as if all the services are running in the same cluster.

In this tutorial, you will deploy the productpage and ratings services on a remote, public cluster in namespace aws-eu-west and the details and reviews services in a local, on-premises cluster in namespace laptop.

Overview

Figure 1 - Bookinfo service deployment

The image above shows how the services will be deployed.

  • Each cluster runs two of the application services.
  • An ingress route to the productpage service provides internet user access to the application.

If all services were installed on the public cluster, then the application would work as originally designed. However, since two of the services are on the laptop cluster, the application fails. productpage cannot send requests to details or to reviews.

This demo will show how Skupper can solve the connectivity problem presented by this arrangement of service deployments.

Figure 2 - Bookinfo service deployment with Skupper

Skupper is a distributed system with installations running in one or more clusters or namespaces. Connected Skupper installations share information about what services each installation exposes. Each Skupper installation learns which services are exposed on every other installation. Skupper then runs proxy service endpoints in each namespace to properly route requests to or from every exposed service.

  • In the public namespace, the details and reviews proxies intercept requests for their services and forward them to the Skupper network.
  • In the private namespace, the details and reviews proxies receive requests from the Skupper network and send them to the related service.
  • In the private namespace, the ratings proxy intercepts requests for its service and forwards them to the Skupper network.
  • In the public namespace, the ratings proxy receives requests from the Skupper network and sends them to the related service.

Prerequisites

To run this tutorial you will need:

Step 1: Deploy the Bookinfo application

This step creates a service and a deployment for each of the four Bookinfo microservices.

Namespace aws-eu-west:

$ kubectl apply -f public-cloud.yaml
service/productpage created
deployment.extensions/productpage-v1 created
service/ratings created
deployment.extensions/ratings-v1 created

Namespace laptop:

$ kubectl apply -f private-cloud.yaml 
service/details created
deployment.extensions/details-v1 created
service/reviews created
deployment.extensions/reviews-v3 created

Step 2: Expose the public productpage service

Namespace aws-eu-west:

kubectl expose deployment/productpage-v1 --port 9080 --type LoadBalancer

The Bookinfo application is accessed from the public internet through this ingress port to the productpage service.

Step 3: Observe that the application does not work

The web address for the Bookinfo application can be discovered from namespace aws-eu-west:

$ echo $(kubectl get service/productpage -o jsonpath='http://{.status.loadBalancer.ingress[0].hostname}:9080')

Open the address in a web browser. Productpage responds but the page will show errors as services in namespace laptop are not reachable.

We can fix that now.

Step 4: Set up Skupper

This step initializes the Skupper environment on each cluster.

Namespace laptop:

skupper init

Namespace aws-eu-west:

skupper init

Now the Skupper infrastructure is running. Use skupper status in each console terminal to see that Skupper is available.

Step 5: Connect your Skupper installations

Now you need to connect your namespaces with a Skupper connection. This is a two-step process.

  • The skupper connection-token <file> command directs Skupper to generate a secret token file with certificates that grant permission to other Skupper instances to connect to this Skupper's network.

    Note: Protect this file as you would any file that holds login credentials.

  • The skupper connect <file> command directs Skupper to connect to another Skupper's network. This step completes the Skupper connection.

Note that in this arrangement the Skupper instances join to form peer networks. Typically the Skupper opening the network port will be on the public cluster. A cluster running on laptop may not even have an address that is reachable from the internet. After the connection is made, the Skupper network members are peers and it does not matter which Skupper opened the network port and which connected to it.

The console terminals in this demo are run by the same user on the same host. This makes the token file in the ${HOME} directory available to both terminals. If your terminals are on different machines then you may need to use scp or a similar tool to transfer the token file to the system hosting the laptop terminal.

Generate a Skupper network connection token

Namespace aws-eu-west:

skupper connection-token ${HOME}/PVT-to-PUB-connection-token.yaml

Open a Skupper connection

Namespace laptop:

skupper connect ${HOME}/PVT-to-PUB-connection-token.yaml
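
The note about protecting the token file, applied to the two commands above. This is an added example, not code from the original post or from the Skupper project: the function names are hypothetical, and the only skupper subcommands used are the two shown in this step.

```shell
#!/bin/sh
# Added example: treat the Skupper connection token as a credential.
# Function names are hypothetical; only the skupper subcommands shown
# in this tutorial (connection-token, connect) are used.

# Succeeds only if FILE is a regular file (not a symlink), owned by the
# current user, with no group/other permission bits set.
token_is_private() {
    [ -f "$1" ] && [ ! -L "$1" ] && [ -O "$1" ] || return 1
    case "$(ls -ld -- "$1")" in
        -???------*) return 0 ;;   # e.g. -rw------- or -r--------
        *)           return 1 ;;
    esac
}

# Generate the token under a restrictive umask (the subshell keeps the
# umask change local). Refuses to write over an existing path, and
# applies chmod in case the tool does not honour the umask.
make_token() (
    umask 077
    [ ! -e "$1" ] &&
        skupper connection-token "$1" &&
        chmod 600 "$1" &&
        token_is_private "$1"
)

# Refuse a token that other local users could have read or replaced.
# After a successful connect the local copy is deleted so the
# credential does not linger on disk.
use_token() {
    token_is_private "$1" || { echo "refusing $1: not private" >&2; return 2; }
    skupper connect "$1" || return 1
    rm -f -- "$1"
}
```

On the public cluster's terminal run make_token with the token path, and on the laptop terminal run use_token with the same path; if the file was copied between machines, use_token also catches a transfer that left it group- or world-readable.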

Check the connection

Namespace aws-eu-west:

$ skupper status
Skupper enabled for "aws-eu-west". It is connected to 1 other sites.

Namespace laptop:

$ skupper status
Skupper enabled for "laptop". It is connected to 1 other sites.

Step 6: Virtualize the services you want shared

You now have a Skupper network capable of multi-cluster communication but no services are associated with it. This step uses the kubectl annotate command to notify Skupper that a service is to be included in the Skupper network.

Skupper uses the annotation as the indication that a service must be virtualized. The service that receives the annotation is the physical target for network requests and the proxies that Skupper deploys in other namespaces are the virtual targets for network requests. The Skupper infrastructure then routes requests between the virtual services and the target service.

Namespace aws-eu-west:

$ kubectl annotate service ratings skupper.io/proxy=http
service/ratings annotated

Namespace laptop:

$ kubectl annotate service details skupper.io/proxy=http
service/details annotated

$ kubectl annotate service reviews skupper.io/proxy=http
service/reviews annotated

Skupper is now making the annotated services available to every namespace in the Skupper network. The Bookinfo application will work as the productpage service on the public cluster has access to the details and reviews services on the private cluster and as the reviews service on the private cluster has access to the ratings service on the public cluster.

Step 7: Observe that the application works

The web address for the Bookinfo app can be discovered from namespace aws-eu-west:

$ echo $(kubectl get service/productpage -o jsonpath='http://{.status.loadBalancer.ingress[0].hostname}:9080')

Open the address in a web browser. The application should now work with no errors.

Clean up

Skupper and the Bookinfo services may be removed from the clusters.

Namespace aws-eu-west:

skupper delete
kubectl delete -f public-cloud.yaml

Namespace laptop:

skupper delete
kubectl delete -f private-cloud.yaml 

Final Thoughts

Enabling a multi-cloud approach has a lot of benefits and is getting easier, thanks to tools like Skupper. If you have time, try some of Skupper's other examples on its GitHub repo. I hope you learned something from this post. Stay tuned for more!

About the author - Sudip is a Solution Architect with more than 15 years of working experience, and is the founder of Javelynn. He likes sharing his knowledge through writing, and while he is not doing that, he must be fishing or playing chess.

Previously posted at https://appfleet.com/.
