{"id":13625505,"url":"https://github.com/kwonghung-YIP/setup-istio-multi-primary-diff-network","last_synced_at":"2025-04-16T06:32:50.595Z","repository":{"id":155671851,"uuid":"377260632","full_name":"kwonghung-YIP/setup-istio-multi-primary-diff-network","owner":"kwonghung-YIP","description":"This post is about how to run the Istio “Install Multi-Primary on different networks” example on an old, low-end PC. The instruction started from creating the Ubuntu VM for cluster nodes till verified the Istio mesh, and with the minimal configuration, the whole exercise will take around 2 to 3 hours to complete.","archived":false,"fork":false,"pushed_at":"2022-12-30T23:34:05.000Z","size":92,"stargazers_count":3,"open_issues_count":1,"forks_count":4,"subscribers_count":2,"default_branch":"main","last_synced_at":"2024-08-01T22:05:23.364Z","etag":null,"topics":["cross-cluster","istio","kubernetes","mesh","ubuntu"],"latest_commit_sha":null,"homepage":"","language":null,"has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":null,"status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/kwonghung-YIP.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":null,"code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null}},"created_at":"2021-06-15T18:34:23.000Z","updated_at":"2023-03-05T11:06:29.000Z","dependencies_parsed_at":"2024-01-14T08:41:32.578Z","dependency_job_id":"28e7b209-274a-4693-a5d9-de6a68fc974e","html_url":"https://github.com/kwonghung-YIP/setup-istio-multi-primary-diff-network","commit_stats":null,"previous_names":[],"tags_count":0,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/kwonghung-YIP%2Fsetup-istio-multi-primary-diff-network","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/kwonghung-YIP%2Fsetup-istio-multi-primary-diff-network/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/kwonghung-YIP%2Fsetup-istio-multi-primary-diff-network/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/kwonghung-YIP%2Fsetup-istio-multi-primary-diff-network/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/kwonghung-YIP","download_url":"https://codeload.github.com/kwonghung-YIP/setup-istio-multi-primary-diff-network/tar.gz/refs/heads/main","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":223700535,"owners_count":17188340,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["cross-cluster","istio","kubernetes","mesh","ubuntu"],"created_at":"2024-08-01T21:01:56.940Z","updated_at":"2024-11-08T14:31:38.478Z","avatar_url":"https://github.com/kwonghung-YIP.png","language":null,"funding_links":[],"categories":["Others"],"sub_categories":[],"readme":"# Introduction\n\nThe [Istio/Install Multi-Primary on different network example](https://istio.io/latest/docs/setup/install/multicluster/multi-primary_multi-network/) is about to form an Istio mesh on top of two kubernetes clusters. In this guide, we will go through how to set up these two clusters from scratch, and finally implement the example on it.  \n\n\n## 1. Configuration\n\n#### 1.1 Component Version\nComponent | Version\n-- | --\nVMWare workstation | 16.1.2 build\nLinux distribution | Ubuntu 20.04.2 LTS (focal)\nContainer runtime | Docker Engine 20.10.7\nKubernetes | v1.21.2\nCNI | Weavenet v2.8.1\nLoad Balancer Implementation | MetalLB v0.10.2\nIstio | v1.10.1\n\n#### 1.2 VMWare Network config (NAT - VMnet8):\nConfig | Value\n-- | --\nNetwork Address | 194.89.64.0/24\nDefault Gateway | 194.89.64.2/24\nBoardcast Address | 194.89.64.255\nDNS Server | 1.1.1.1, 8.8.8.8\nDHCP Range | 194.89.64.128/24 - 194.89.64.254/24\nCluster1 MatelLB Ext IP Range | 194.89.64.81/24 - 194.89.64.100/24\nCluster2 MatelLB Ext IP Range | 194.89.64.101/24 - 194.89.64.120/24\n\n#### 1.3 Worker Nodes VM Settings:\nHostname | static IP | Core | Ram | Disk\n-- | -- | -- | -- | --\nubuntu-20042-base | 194.89.64.10/24 | - | - | -\ncluster1-ctrl-plane | 194.89.64.11/24 | 2 | 4G | 20G\ncluster1-worker-node01 | 194.89.64.12/24 | 2 | 4G | 20G\ncluster2-ctrl-plane | 194.89.64.13/24 | 2 | 4G | 20G\ncluster2-worker-node01 | 194.89.64.14/24 | 2 | 4G | 20G\n\n## 2. Prepare the base image\n\n#### 2.1 Create an Ubuntu 20.04.2 LTS Virtual Machine\n- Enable DHCP to get IP address\n- Create an admin account, for my case is **hung**\n- Install ssh server \n\n#### [take a VM snapshot as checkpoint]\n\n#### 2.2 Apply the ssh public key for passwordless login \n\n1. Generate a ssh key with PuTTY Key Generator  \n1. Save the private key with or without passphase protection  \n1. Copy the public key into the file `~/.ssh/authorized_keys`  \n1. Launch Pagent and add the private key just saved  \n1. Save a new session and append the login before the hostname (e.g. hung@194.89.64.128)  \n\n#### 2.3 Stop sudo to prompt for password again \n_*References:*_  \n[Ask Ubuntu - Execute sudo without password](https://askubuntu.com/questions/147241/execute-sudo-without-password)\n\n1. Run `sudo visudo`  \n1. Append `hung ALL=(ALL) NOPASSWD: ALL` at the end of the file  \n\n#### 2.4 Disable the swap \n_*References:*_  \n[ServerFlaut - Best way to disable swap in linux](https://serverfault.com/questions/684771/best-way-to-disable-swap-in-linux)\n\n1. The step is necessary for initiate Kubernetes cluster\n1. Run `sudo swapoff -a`  \n1. Comment out swap setting in `/etc/fstab` to make the permanent change  \n1. Run `free -h` to check the swap size\n\n#### 2.5 Switch the netplan config from dhcp client to static IP\n_*References:*_  \n[How to Assign Static IP Address on Ubuntu 20.04 LTS](https://www.linuxtechi.com/assign-static-ip-address-ubuntu-20-04-lts/)\n  \n1. Update the netplan config `/etc/netplan/00-installer-config.yaml`:\n```yaml\n# This is the network config written by 'subiquity'\nnetwork:\n  ethernets:\n    ens33:\n      addresses: [194.89.64.10/24] # \u003c= the static IP assigned to this node\n      gateway4: 194.89.64.2        # \u003c= the default gateway\n      nameservers:\n        addresses: [1.1.1.1,8.8.8.8] # \u003c= the nameserver entries here will be added as the DNS server in systemd-resolved\n  version: 2\n```\n  \n2. Run the following to apply the change without reboot\n```bash\nsudo netplan apply \n```\n\n#### [take a VM snapshot as checkpoint]\n\n## 3 Install container runtime - Docker Engine  \n_*References:*_  \n[Kubernetes - Container runtimes: Docker](https://kubernetes.io/docs/setup/production-environment/container-runtimes/#docker)  \n[Docker Install Docker Engine on Ubuntu](https://docs.docker.com/engine/install/ubuntu/)  \n \n#### 3.1 Install packages to allow apt download packages from HTTPS channel\n```bash\nsudo apt-get update\nsudo apt-get install \\\n  apt-transport-https \\\n  ca-certificates \\\n  curl \\\n  gnupg \\\n  lsb-release\n```\n  \n#### 3.2 Add Docker’s official GPG key\n```bash\ncurl -fsSL https://download.docker.com/linux/ubuntu/gpg | sudo gpg --dearmor -o /usr/share/keyrings/docker-archive-keyring.gpg\n```\n  \n#### 3.3 Add apt repository for Docker's stable release\n```bash\necho \\\n  \"deb [arch=amd64 signed-by=/usr/share/keyrings/docker-archive-keyring.gpg] https://download.docker.com/linux/ubuntu \\\n  $(lsb_release -cs) stable\" | sudo tee /etc/apt/sources.list.d/docker.list \u003e /dev/null\n```\n  \n#### 3.4 Install docker engine\n```bash\nsudo apt-get update\nsudo apt-get install docker-ce docker-ce-cli containerd.io\n```\n  \n#### 3.5 Verify docker engine by running the hello-world\n```bash\nsudo docker run hello-world\n```\n  \n#### 3.6 Update the docker daemon config, particular to use systemd as the cgroup driver\n```bash\nsudo mkdir /etc/docker\ncat \u003c\u003cEOF | sudo tee /etc/docker/daemon.json\n{\n  \"exec-opts\": [\"native.cgroupdriver=systemd\"],\n  \"log-driver\": \"json-file\",\n  \"log-opts\": {\n    \"max-size\": \"100m\"\n  },\n  \"storage-driver\": \"overlay2\"\n}\nEOF\n```\n\n#### 3.7 Grant current user into docker group\n```bash\nsudo usermod -aG docker $USER\n```\n  \n#### 3.8 Update systemd setting to auto start the docker service after reboot\n```bash\nsudo systemctl enable docker\nsudo systemctl daemon-reload\nsudo systemctl restart docker\n```\n  \n## 4. Install kubeadm\n_*References:*_  \n[Kubernetes - Installing kubeadm](https://kubernetes.io/docs/setup/production-environment/tools/kubeadm/install-kubeadm/)\n\n#### 4.1 Let iptables see bridged traffic\n[Forwarding IPv4 and letting iptables see bridged traffic](https://kubernetes.io/docs/setup/production-environment/container-runtimes/#forwarding-ipv4-and-letting-iptables-see-bridged-traffic)\n```bash\ncat \u003c\u003cEOF | sudo tee /etc/modules-load.d/k8s.conf\noverlay\nbr_netfilter\nEOF\n\nsudo modprobe overlay\nsudo modprobe br_netfilter\n\ncat \u003c\u003cEOF | sudo tee /etc/sysctl.d/k8s.conf\nnet.bridge.bridge-nf-call-iptables  = 1\nnet.bridge.bridge-nf-call-ip6tables = 1\nnet.ipv4.ip_forward                 = 1\nEOF\nsudo sysctl --system\n```\n  \n#### 4.2 Install kubeadm, kubelet and kubectl\n```bash\nsudo apt-get update\nsudo apt-get install -y apt-transport-https ca-certificates curl\n  \nsudo curl -fsSLo /usr/share/keyrings/kubernetes-archive-keyring.gpg https://packages.cloud.google.com/apt/doc/apt-key.gpg\n  \necho \"deb [signed-by=/usr/share/keyrings/kubernetes-archive-keyring.gpg] https://apt.kubernetes.io/ kubernetes-xenial main\" \\\n  | sudo tee /etc/apt/sources.list.d/kubernetes.list\n  \nsudo apt-get update\nsudo apt-get install -y kubelet kubeadm kubectl\nsudo apt-mark hold kubelet kubeadm kubectl\n```\n\n#### [take a VM snapshot as checkpoint] - snapshot#1\nUpto this point, we had installed all necessary components and this snapshot is ready to clone for worker node  \n\n## 5. Install Istio\n_*References:*_  \n[Istio - Getting Started](https://istio.io/latest/docs/setup/getting-started/)  \n\n```bash\ncurl -L https://istio.io/downloadIstio | sh -\n  \nsudo rm /usr/local/bin/istioctl\nsudo ln -s `pwd`/istio-1.10.1/bin/istioctl /usr/local/bin/istioctl\n```\n\n## 6. Install k9s\n```bash\ncurl -s https://api.github.com/repos/derailed/k9s/releases/latest | \\\ngrep browser_download_url | \\\ngrep Linux_x86_64 | \\\ncut -d : -f 2,3 | \\\ntr -d \\\" | \\\nwget -i - -O k9s.tar.gz\n\nmkdir ~/k9s\ntar -zxvf k9s.tar.gz -C ~/k9s\nrm k9s.tar.gz\n\nsudo rm /usr/local/bin/k9s\nsudo ln -s `pwd`/k9s/k9s /usr/local/bin/k9s\n```\n\n#### [take a VM snapshot as checkpoint] - snapshot#2\nOn top of the worker node snapshot, we installed the istio and k9s and this snapshot is ready to clone to control plane\n\n## 7. Clone snapshot to the control plane and work node\n\n- Clone from snapshot#2 to nodes: cluster1-ctrl-plane, cluster2-ctrl-plane\n- Clone from snapshot#1 to nodes: cluster1-worker-node01, cluster2-worker-node02\n\nThe following example takes cluster1-ctrl-plane node as example\n#### 7.1 Change the hostname\n```bash\nsudo hostnamectl set-hostname cluster1-ctrl-plane\n```\n\n#### 7.2 Change the static IP in netplan config `/etc/netplan/00-installer-config.yaml`\n```yaml\n# This is the network config written by 'subiquity'\nnetwork:\n  ethernets:\n    ens33:\n      addresses: [194.89.64.11/24] # \u003c= the static IP assigned to this node\n      gateway4: 194.89.64.2        # \u003c= the default gateway\n      nameservers:\n        addresses: [1.1.1.1,8.8.8.8] # \u003c= the nameserver entries here will be added as the DNS server in systemd-resolved\n  version: 2\n```\n\n#### 7.3 Update the `/etc/hosts` to algin the hostname and static IP address\n```bash\n127.0.0.1 localhost\n#127.0.1.1 cluster1-ctrl-plane\n194.89.64.11 cluster1-ctrl-plane\n...\n```\n\n#### 7.4 Regenerated and get a unique machine-id\n```bash\nsudo rm /var/lib/dbus/machine-id\nsudo dbus-uuidgen --ensure=/var/lib/dbus/machine-id\nsudo rm /etc/machine-id\nsudo systemd-machine-id-setup\nsudo systemd-machine-id-setup --print\n```\n\n#### 7.5 Verify the network setup: route table, systemd-resolved \n\nThe node now should have the correct hostname, IP address, unique MAC \u0026 machine ID, and able to resolve the www.google.com domain and ping it.\n```bash\nip link\nip addr show ens33\nip route\nsudo resolvectl dns\ncat /etc/hosts\nping www.google.com\n```\n\n#### [take a snapshot of all 4 nodes as checkpoint]\n\n## 8. Create Kubernetes cluster: cluster1 and cluster2\n_*References:*_  \n[Kubernetes - Creating a cluster with kubeadm](https://kubernetes.io/docs/setup/production-environment/tools/kubeadm/create-cluster-kubeadm/)\n\n#### 8.1 Create cluster1 in cluster1-ctrl-plane  \n```bash\nsudo kubeadm config images pull\nsudo kubeadm init\n```\n\n#### 8.2 Join worker node cluster1-worker-node01 into cluster1  \n```bash\n# in case you need to print the kubectl join cluster command and token again \nsudo kubeadm token create --print-join-command\n```\n\n#### 8.3 Install the CNI - weave net\n_*References:*_ \n[Weaveworks - Integrating Kubernetes via the Addon](https://www.weave.works/docs/net/latest/kubernetes/kube-addon/#install)  \n```\nkubectl apply -f \"https://cloud.weave.works/k8s/net?k8s-version=$(kubectl version | base64 | tr -d '\\n')\"\n  \nwatch kubectl get pods -A\n```\n\n## 9. Install MetalLB  \n_*References:*_  \n[MetalLB - Installation](https://metallb.universe.tf/installation/)  \n[MetalLB - Layer 2 Configuration](https://metallb.universe.tf/configuration/)  \n  \n#### 9.1 Edit the `kube-proxy`\n```bash\nkubectl edit configmap -n kube-system kube-proxy\n```\n  \n#### 9.2 Find and update the strictARP property in kube-proxy from false to true\n```yaml\napiVersion: kubeproxy.config.k8s.io/v1alpha1\nkind: KubeProxyConfiguration\nmode: \"ipvs\"\nipvs:\n  strictARP: true\n```\n  \n#### 9.3 Install MetalLB with manifest\n```bash\nkubectl apply -f https://raw.githubusercontent.com/metallb/metallb/v0.10.2/manifests/namespace.yaml\nkubectl apply -f https://raw.githubusercontent.com/metallb/metallb/v0.10.2/manifests/metallb.yaml\n  \nwatch kubectl get pods -A\n```\n  \n#### 9.4 Assign external IP range to MetalLB Load Balancer for cluster1\n```bash\ncat \u003c\u003cEOF | kubectl apply -f -\napiVersion: v1\nkind: ConfigMap\nmetadata:\n  namespace: metallb-system\n  name: config\ndata:\n  config: |\n    address-pools:\n    - name: default\n      protocol: layer2\n      addresses:\n      - 194.89.64.81-194.89.64.100\nEOF\n```  \n\n#### 9.5 Assign external IP range to MetalLB Load Balancer for cluster2\n```bash\ncat \u003c\u003cEOF | kubectl apply -f -\napiVersion: v1\nkind: ConfigMap\nmetadata:\n  namespace: metallb-system\n  name: config\ndata:\n  config: |\n    address-pools:\n    - name: default\n      protocol: layer2\n      addresses:\n      - 194.89.64.101-194.89.64.120\nEOF\n```\n\n## 10. Verify the kubernetes DNS service  \n_*References:*_  \n[Debugging DNS Resolution](https://kubernetes.io/docs/tasks/administer-cluster/dns-debugging-resolution/)  \n[Troubleshooting Kubernetes Networking Issues](https://goteleport.com/blog/troubleshooting-kubernetes-networking/)  \n\nTest the DNS service in both cluster1 and cluster2\n```bash\nkubectl apply -f https://k8s.io/examples/admin/dns/dnsutils.yaml\nkubectl exec -i -t dnsutils -- nslookup kubernetes.default\n```  \n#### [take a snapshot of all 4 nodes as checkpoint]\n\n## 11. Merge cluster1 and cluster2 kubeconfig and place it into cluster1-ctrl-plane\n_*References:*_  \n[Kubernetes - Configure Access to Multiple Clusters](https://kubernetes.io/docs/tasks/access-application-cluster/configure-access-multiple-clusters/)\n\n```yaml\napiVersion: v1\nkind: Config\npreferences: {}\ncurrent-context: admin@cluster1\n\ncontexts:\n- context:\n    cluster: cluster1\n    user: cluster1-admin\n  name: admin@cluster1\n- context:\n    cluster: cluster2\n    user: cluster2-admin\n  name: admin@cluster2\n\nclusters:\n- cluster:\n    certificate-authority-data:  LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSUM1ekNDQWMrZ0F3SUJBZ0lCQURBTkJna3Foa2lHOXcwQkFRc0ZBREFWTVJNd0VRWURWUVFERXdwcmRXSmwKY201bGRHVnpNQjRYRFRJeE1EWXlNVEUyTVRNeU1Gb1hEVE14TURZeE9URTJNVE15TUZvd0ZURVRNQkVHQTFVRQpBeE1LYTNWaVpYSnVaWFJsY3pDQ0FTSXdEUVlKS29aSWh2Y05BUUVCQlFBRGdnRVBBRENDQVFvQ2dnRUJBTjNvClErLzFqd21wWHBWd0tNZUx5ME51cHBsYlBvRjZYMW12azg0SUlDVGlGQS9DS3k5eGdrVWZkV2E4cDFjK3Y1NFMKa1hMWE1xN01tN3hwZXFxZ2xXRE4zbncxNmlwTDBGSzk3Yk8zeVJKQTlNTWR1aTQzZnhlZzBjS1Vpc3F3L29JSQppNHRoTTRTOGNMT3NiaGhwNXlIVnVaczEwQkhDT21yQlhDTElLb01icHFlNjZtMTI2ZGZ3a0FYVWlSTmg0dFhwCkNNT0RKZDBLeE5Mc0RGRnR6SmZGWkVmUGJWald4SVRCb3VUWnRYV3QwSWlFa0JRb051LzZDaGlrUUEwSE1PS1QKVktCTVJQa3BZdTFCaTJCRmkrQlFyT1hkVmVtTHN3T3BuYlFZQXQrTzNBMnNtRVNzbzk4U1Q5aDR6VlRwd2tqNApMU0tGK3M0WjJLNlppWnR3bjdNQ0F3RUFBYU5DTUVBd0RnWURWUjBQQVFIL0JBUURBZ0trTUE4R0ExVWRFd0VCCi93UUZNQU1CQWY4d0hRWURWUjBPQkJZRUZDb0UxTitTd2pURndxZk13dWVwUFRJRkNiRlhNQTBHQ1NxR1NJYjMKRFFFQkN3VUFBNElCQVFCTnJoWC94WDFxNzJDY2cvYnhzajVjTjZMVk1ZTEEvRXB0aE5mLzdEa2JHdlh4OW1rTApvOW5scUJkNXMxZExNaU1aRWNBWkVLY3ZYd25uNC9rYWZuZ01UdzlxdWl5SWo3Z2VzcUFTUlJmUm9CbG0vUk5TCmd3eG1ZQ1pXYnlQRmtENElKYmNmUjFBK2FYSWdDSlNVZkJFSWUvU1JlUk5UQStnWlpqeDlJRjNZdk1iRU00RXkKZjdIU3NjbGtkbkxNbG05anJXSFR1U3N5cXR4NlVMd1ZoK0FjYmYzMnY1S1F2KzhYbTF1SHU5elAwUmFiWGpQOQpibGxDRHNMdlhnVFNkWExsajNaRmd0alZiK0FMMHEySDZUSGdVZjNhV0pUS2NJZjFZL0VZQWpCcEVxdnVxSGp3CnhmK2xFL05IYmt1b2t0a2ZYTFBzK3NIazY5TU5KVDRyN1d1MAotLS0tLUVORCBDRVJUSUZJQ0FURS0tLS0tCg==\n    server: https://194.89.64.11:6443\n  name: cluster1\n- cluster:\n    certificate-authority-data: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSUM1ekNDQWMrZ0F3SUJBZ0lCQURBTkJna3Foa2lHOXcwQkFRc0ZBREFWTVJNd0VRWURWUVFERXdwcmRXSmwKY201bGRHVnpNQjRYRFRJeE1EWXlNVEUzTkRFME9Gb1hEVE14TURZeE9URTNOREUwT0Zvd0ZURVRNQkVHQTFVRQpBeE1LYTNWaVpYSnVaWFJsY3pDQ0FTSXdEUVlKS29aSWh2Y05BUUVCQlFBRGdnRVBBRENDQVFvQ2dnRUJBTFFmCnpTZzVaMjFRR2FlMXF3TUlyVmZDRVlMTWpFNmkrZDZzM3Z1eGNhS205M2NnMnFoUkplNnNhVXJIdVkwSnJZMm4KYmRkQU1LbXYvZW5vVCtjZzM4L2dXdnVrQ0J1U1pVRG9wNVlnR3RTdWk3ZDRFVHJySE8wZG03Mk1NLzBWelQrNwptTEpTekd3YlpLWWVIR254eGJOU2UzbTFvQVRoUjhLMXNaNUQ5ZXMzdW14UHIvUmJEejkrTVc5VzFjSXJyNWs5CklwSE53T3Qya1pIWi8xTy9lRGVaZlZzYTU0SUVNSXRRK1VDbHAzVEo3V1NmbXAvcGl0R2hMeGNGZGhweE1kcHkKSkMrMVNZaGFlU1dVMnJJYVBFL3NaSUpWb3lxR0lWU0ZpdEJlTHlKNVdreWtwZktPbm81V05PRnJ1ZXl2b0U4agpMWEEvYk5odk9zc2xPbnRtZU9jQ0F3RUFBYU5DTUVBd0RnWURWUjBQQVFIL0JBUURBZ0trTUE4R0ExVWRFd0VCCi93UUZNQU1CQWY4d0hRWURWUjBPQkJZRUZFL0FBL3RXUjBWbVprZkVIMzVsNTNDWUJRaVhNQTBHQ1NxR1NJYjMKRFFFQkN3VUFBNElCQVFCdmZLbnlnNEFxNXFrRHphT2t4WmxLbFc2ZTlvMUplTGEzUzY5SlV1LzYzVDlwR3pacwpXb2d1Q3BwUjk0eFB6clRzRkxPSlFwWkVvdXBoNFJCK241Snp2MTNub1BHbG1tWDF0dlRJZEUxcVkrQ2I4MVpuCm0rTnRLNXplVVdOZlFIL2NpaVQzTW9vOGY3ZDJyYk5yUFoyZU14b1o4MkVlV2JrYzRxa0VmQzdlak9ieXJDalYKUkl6SnQ1QWIwSzZGTWJuL3FibkJ0ZFY2S2owYStHK1NjRXhMaFpEdVdmRlVMc052K2x2TVRlaGJWVmQrSmlKeQp3cDVDRUkreUM1dDE5WmNzQldhMEFRbVE2cTdsK0s3MFZRd0l1TWlRaWpTUGIvUWRtNy9RUlRpVW9PRmRDYlRZCkV4UVZ0RU5DZkdiL3k2aHp2N0JXY0dHb0FrM1FsN0NZSDAvZgotLS0tLUVORCBDRVJUSUZJQ0FURS0tLS0tCg==\n    server: https://194.89.64.13:6443\n  name: cluster2\n\nusers:\n- name: cluster1-admin\n  user:\n    client-certificate-data: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSURJVENDQWdtZ0F3SUJBZ0lJQmJOYTJKdmpKSUF3RFFZSktvWklodmNOQVFFTEJRQXdGVEVUTUJFR0ExVUUKQXhNS2EzVmlaWEp1WlhSbGN6QWVGdzB5TVRBMk1qRXhOakV6TWpCYUZ3MHlNakEyTWpFeE5qRXpNak5hTURReApGekFWQmdOVkJBb1REbk41YzNSbGJUcHRZWE4wWlhKek1Sa3dGd1lEVlFRREV4QnJkV0psY201bGRHVnpMV0ZrCmJXbHVNSUlCSWpBTkJna3Foa2lHOXcwQkFRRUZBQU9DQVE4QU1JSUJDZ0tDQVFFQTZYZ1dqWEZlTE13NGZJZGsKZkV1TVVKTzRmcFFaUmFqd000RVFqcXJwT05iVGRiUmltYURGYVBuRnY3OHZCejI4S2hNa3pYemtNd3NTMVM2aQo1OGdzd3pmdk5rd2FYTmVaQ3FoSEVNOGVVaUNoVC9oTExPdmdhRmFleGlLVEU3c0NlVFdGMXVnS0R1RHRhdXl0CkVqYlJzVTl3TEhJeCtiSjNJN2lZcjNZTHBFaDZ5eEtCeVFXSGJrYmRGOGJHMVJSbHhySndZMEc4Qms0SGtKaysKcFp3b0ZGdk03TDIyNHlCaU50RkNwSWg0UXN0Vk4rditGQk12K1BDdHNzcE5BM0ZyVUFFd1hXbGdyMVJyR1Q3ZQpURHJYYUZJa01sWWhUUzkwYlUxb0s4eXJEM21NZmdNOWZ1Yi9CWnE4MlV1U0g5ZmNQUHMwRXZZR0FZWjZ1MW9DCndQcHpBd0lEQVFBQm8xWXdWREFPQmdOVkhROEJBZjhFQkFNQ0JhQXdFd1lEVlIwbEJBd3dDZ1lJS3dZQkJRVUgKQXdJd0RBWURWUjBUQVFIL0JBSXdBREFmQmdOVkhTTUVHREFXZ0JRcUJOVGZrc0kweGNLbnpNTG5xVDB5QlFteApWekFOQmdrcWhraUc5dzBCQVFzRkFBT0NBUUVBZDc5dXhXbHpNSkFJREo2em8vckw1QnRKRTVEU1JoSzVWaDBwCkJvRVJ0cHo0KzZWS3N0dFdncGpoRnN5dkZ4M1AzR1RqVUNoWTdvOXNrL0xTSCtiTDM3MUh4WFdQUllHYk5meVAKeDd3SGNWZFB5Slo2dVBxVHpUTEExWGhoSE02MDlEYWlEMDI3L1Y1M25OK3NOSHIvbm1sSHE2bWtvdHVFMDZoWQprMFZTNExYOW9lK0tjeEozMGJTNmVqWnlFMWtJNDdsSVJHUkF6Y2NDUlN1RUxxMDZVNjhNdk1TY2RxUVVpRXlsCmVTUFBkeG80T1RQVXhiVldPcUVhOVFkOExMdTF3RVRSaG1RMzErNUh5ZXZXbDJjNy9Lbk0xUEljWUt3S1F4eWMKUmNJcEpIYkNTYTJIR0w3Q1U2RldlcXVCdThnakVFNmg1NXRRTnVRR05BOWJucFk2b3c9PQotLS0tLUVORCBDRVJUSUZJQ0FURS0tLS0tCg==\n    client-key-data: LS0tLS1CRUdJTiBSU0EgUFJJVkFURSBLRVktLS0tLQpNSUlFcEFJQkFBS0NBUUVBNlhnV2pYRmVMTXc0Zklka2ZFdU1VSk80ZnBRWlJhandNNEVRanFycE9OYlRkYlJpCm1hREZhUG5Gdjc4dkJ6MjhLaE1relh6a013c1MxUzZpNThnc3d6ZnZOa3dhWE5lWkNxaEhFTThlVWlDaFQvaEwKTE92Z2FGYWV4aUtURTdzQ2VUV0YxdWdLRHVEdGF1eXRFamJSc1U5d0xISXgrYkozSTdpWXIzWUxwRWg2eXhLQgp5UVdIYmtiZEY4YkcxUlJseHJKd1kwRzhCazRIa0prK3Bad29GRnZNN0wyMjR5QmlOdEZDcEloNFFzdFZOK3YrCkZCTXYrUEN0c3NwTkEzRnJVQUV3WFdsZ3IxUnJHVDdlVERyWGFGSWtNbFloVFM5MGJVMW9LOHlyRDNtTWZnTTkKZnViL0JacTgyVXVTSDlmY1BQczBFdllHQVlaNnUxb0N3UHB6QXdJREFRQUJBb0lCQVFEajlVTmYrOCtPUWlEdApSbTJSQjFzTDJoQ01WeUtONTdRUk5mWHF0MnBjK3pVaGVtM0R2enpCa1EvS2QydjkwQU9IdVlWM3RuaENkbzkrCjQ3aGdSQTJnMTE2VVQ1NTJCSFVEK09iYXZNRElROS85NjF2TGtzeGNWQ2RYSXE4azFyWkZqME1OWVNkZys3SVYKY3Q1U0tJQjZkaXY2MmMxK0Z3bEpNWmF6eTdqMlA0a3MwWCtmR1BLMGJlQXl5M1VGWlBzdldmeDB4SkRKRFlkWQpvaHpJNXAvNStuaW9tMEdmOXNFNWZ4MkM1U1JnbFhobVNocldONHpqMUlodzhnTURjd04wTnpyRzVBaVoxeGp4CkdsM1VSSnJ4WmwxNGhydHBvU0xQNXgxT2lYUmJtRldqdm5oVnlSdVkzU2dkT1VkRjc4Tkg5dzZuUlZCRTU4bHkKeDI4a0xhWHhBb0dCQVB4dXIzcStMR2U1bytyaHd3UmN4NkNhUFZydUFhTmpaTnBtczIyYW1wUS9EdHJNZ0FGMgpnUHFEMUpGYjF6UnNoVmszYW10K0RBajR5Q3lJWHkzYUFpTGFpNS9YZWlRLytUUlFFWmtFelVhejNIaVpPQ0RjCk0wclo2Sy9wYU1ueXY4WTlXMjh2UTJyT2F2VThScXpJdkFmZHJPd0dvaWhLRFkrdHRJdFkyZEJ0QW9HQkFPekUKeXQyd2hRNDFtU3lSeGo4c2kwWU9kTHVIYUx5QzhkRHd5NExEUU5rTXN3NGlUa01wWE5hQjZmOWdTUmQwaGRCOQovTnYvQ09oL1VQOXZmYzRJQlhpTXB2Rzg1bDFlWHZDQWh6dWlqVy80eHU5K1A0a0RZOExGZzNqRFIzekJudVN1ClZoQ1hxUlFMTFQ5WHNOTWg3NjZMSUpWMWZQaG9jWnFHeGhSdzJvc3ZBb0dBZVZoNzRuVW93M1BwNkM4K29BbzUKckdwNHRBMVZuRVZiWmVHWXYwZGlwNERva3lWYkkxamtCNGozMWloZiswTnZsc09jMUs5eStaMGVITW94ZHNrbAozYnRSQXpXQjhZc1BNS2FNenhJUDI3ejZicjY0ekpNTjFSMkxUWVRXYXIzV2ttVk1YdFpKZ2o1WURDczlqakd3CnNkZE9HT2ZYYTZhdGZqUHlaa24vNnNFQ2dZRUExSVF1c3AxbVVFSzdvYzJXYTgzSGxMSVZCTjJkbk5iTHhnYmMKSkJxdGNpUjc4d3ZIdzNDMDY3VGdHMkNKT294VUw3ZGw1dkViUmRSQkY0VXpIbU1FeGhjNUlYRzBNOG9vM1NZQQpPLzdEaE9WL2FpZWZUNVBEVDJlSmdqT0ZUdTFiZVZjaDJQTEh5RDNmOXlMMmpBdkIzcUR5TmpTbVh6RWdCdHRCCm44ZEw0ZkVDZ1lBZXpTS01PWlIwM2kxNWY3VTFibGFNbEMxWjdmbTVDVFpXYmxHS2U0WjdJK0V6S3llLzBWM08KQXc3cEtzbW43UkZmTk5ZMytkM1hRQ2N6UTJvV1BBWURhNldYRkdKRU9CQ3oySjJqbGxxcXA1NkdmaHI1VGpLNAp5TGdQL0VmWllvR3BZTUw1YWZFN1liS1lzcHFwdVI1a09zOVhDdVo1T0tUSWdDaTBJand5MWc9PQotLS0tLUVORCBSU0EgUFJJVkFURSBLRVktLS0tLQo=\n- name: cluster2-admin\n  user:\n    client-certificate-data: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSURJVENDQWdtZ0F3SUJBZ0lJWGpwd2NrbjdiTVl3RFFZSktvWklodmNOQVFFTEJRQXdGVEVUTUJFR0ExVUUKQXhNS2EzVmlaWEp1WlhSbGN6QWVGdzB5TVRBMk1qRXhOelF4TkRoYUZ3MHlNakEyTWpFeE56UXhOVEJhTURReApGekFWQmdOVkJBb1REbk41YzNSbGJUcHRZWE4wWlhKek1Sa3dGd1lEVlFRREV4QnJkV0psY201bGRHVnpMV0ZrCmJXbHVNSUlCSWpBTkJna3Foa2lHOXcwQkFRRUZBQU9DQVE4QU1JSUJDZ0tDQVFFQTRRalE3ME05OTJXWXY5WEQKQ2hyWlpkTUNJZkdnRldjb1RMWk1SM09oc1luTkhYZ0IreUlRZXZFRjIxcXdMbkdHS0syZmowS0U1eWtIcHhBeQptM1QyUUlNS2dweGtBamJwNE1ENWFYNjBzaW1QRmtFRFJBeTNGRytZVEwrdU45WUE3QzhhaldPakNpUkhNTHgyCkdOeXNMOFJvdHNUWnhaZVdpNTlMTmhPaXdZT2RBNkdRQWJ5UEhITUgxUzQ0UXdmN2RodHBBdWZmWWRkc1pRS00KSEdjQXh2NndnN2Jjd1JvakZTY3duTTdDYkpUeUFOOENDMWd5M0xuU044RDRWRy8wNEZNVWEyOTU2U3dlSnloRgpKb2JqVWd1MVRVVGxBZFBjRUYza3MxSE5PVWRuK1d6STFySE5CYnQ2TENVbHpWL0pkMFJoM1dseU9WSHNSZWduClFDd3JCUUlEQVFBQm8xWXdWREFPQmdOVkhROEJBZjhFQkFNQ0JhQXdFd1lEVlIwbEJBd3dDZ1lJS3dZQkJRVUgKQXdJd0RBWURWUjBUQVFIL0JBSXdBREFmQmdOVkhTTUVHREFXZ0JSUHdBUDdWa2RGWm1aSHhCOStaZWR3bUFVSQpsekFOQmdrcWhraUc5dzBCQVFzRkFBT0NBUUVBUXE0YnoxYnFoaUFjK3liM0NpdHp1YWhYK2dGbXlNY1NoQlBNCkZ4RktYY1o5dEJlMmNLc0czdlFxRnBZVDl0UlcwZ2Z2THZ4K1JDVExYMGZOTW5ISTdGQnE3QmxRVkZjWVpodmwKVGlqOEJUSjlPTFZyc2l4dm5zWG12NVkxR1pVaGpNc3hNWHBBRVpVTW56OVlwczREMkpmZThPU29iRzFUazIwQgo4Wm14emE0eld3bXhHMnB0cWhyV1RteUxyc0REcFhJV1huaWNIWmNCZWpaak1ITHhBQk9NVUFFblc4MjdxZHRwCnc0WmRJTVRrcGlyQmlNMmVNZlg5K09mSTR1U2l5MDh6YXFuNzh0YjRYN3ltWmFLMlROTGx6ZVI4em55VmFIRGUKQytwN1Rudm9oSlZRdUxKbitYOHpjUGkvYlEvMXdpUWhIUllBU0tiVy9JdkdWaEFNTkE9PQotLS0tLUVORCBDRVJUSUZJQ0FURS0tLS0tCg==\n    client-key-data: LS0tLS1CRUdJTiBSU0EgUFJJVkFURSBLRVktLS0tLQpNSUlFb3dJQkFBS0NBUUVBNFFqUTcwTTk5MldZdjlYRENoclpaZE1DSWZHZ0ZXY29UTFpNUjNPaHNZbk5IWGdCCit5SVFldkVGMjFxd0xuR0dLSzJmajBLRTV5a0hweEF5bTNUMlFJTUtncHhrQWpicDRNRDVhWDYwc2ltUEZrRUQKUkF5M0ZHK1lUTCt1TjlZQTdDOGFqV09qQ2lSSE1MeDJHTnlzTDhSb3RzVFp4WmVXaTU5TE5oT2l3WU9kQTZHUQpBYnlQSEhNSDFTNDRRd2Y3ZGh0cEF1ZmZZZGRzWlFLTUhHY0F4djZ3ZzdiY3dSb2pGU2N3bk03Q2JKVHlBTjhDCkMxZ3kzTG5TTjhENFZHLzA0Rk1VYTI5NTZTd2VKeWhGSm9ialVndTFUVVRsQWRQY0VGM2tzMUhOT1VkbitXekkKMXJITkJidDZMQ1VselYvSmQwUmgzV2x5T1ZIc1JlZ25RQ3dyQlFJREFRQUJBb0lCQUhLL1ZockxCT3dFQ0ZHNQpwSXlnaUQ1ZHpIYVdpUFNnOTNHMmUwcnI4WVZnS1JGZndsTFdXZVQyeGUvR1hKUXlHeURlOTcvTFFZM0Y1RHNTCkRWd3IxZTJyWkU2WmhIMkVsdG1lVFErNEpsZTZ6VldoclJLa0VTOEFnSDZTTnpvTmk4YmpkZnltMDlvMkNYOFcKZW5uTy9KWVc1dlpiaGxnMUpmVG9NeWZOOTI0SXczWXJDcFdVNDl4KzZLdllSalNDeTIzY0E1a25pbTZLL0plVAovMW1QdTVsL05RWUwwTGlvellQYWRpWWs2djFaTUZRUEo2RUE1eHo3YjgxYzdEVmVuelNIK0xQOFJ0MEZQUHkzCnkxK1N0bkJLYmVVWFFJSk5IenBHM1VPWlZ3QXJVRGs1MHRPUURram1TUXJzQTM0dTFEeG5tdWMxS21SQ0N4TFUKZlRNMVFqa0NnWUVBL2tCVWJNT3NzMHJrSDlPT0wvQ3hKRndxWFVrdTZjbW1BVjlkQURzRXlkc1Njak5mMGFSbApwMUFFZ2hNZVhwU1ExOW9oREt5N1pEWlNZUlVCUDR1NEkwcENVNmZwZGpFbysybUdDN09SWS9BTzE1S04rK3NXClJoU2R5aFowRHVjNFBObWRwTFRndHJDTWFJd0ozYldZRkNJV1I1YlQ2UTJvbGJrRXZCT0tEZE1DZ1lFQTRwVUwKQ1dnRDNkU1NFWnpWOWx2NzNUV2RvR3hIOEZxakt4ME5naGYyNGFaN1F3SC9NNlhvc2tjSEhuL3IyNWRqN0RXTAowS0RmUk9vU3RkZzhwemxPYTZsWWZmNnJzcWtLOHd2ckh4WVk0NkxobDlxREpNU1RrRkczWDl4S2RROFN0R0c0ClY4eXJ0SGc3OEdKK0RhLzZNQ2NFMVR1UlYwWXh1ME96OERtWFpNY0NnWUF1TG9FblFHT2VMWHhDUzZzSUNqQWkKNnBySFZ3T3VjM0l6elo2VzdDRnlpTmhRNWdRQmtGcm1pU0pJZmpDRi9YWlJ2czFDQUI0SmxkUmd6ZS9zR3ZUWApkQ1dZREdmYmtCSmhtRWxBMXQwUnlnam9IemFyQzRpQU1qNTI5cDBlRitHZksrZjJndVJPU3NNMk9qbVFpK3VUCnZKMVBZNVlhUHVEZ1VUc0s3b0dsQVFLQmdHdGhmU2lKRGdRTVlPbE43YXppclB1S0ZGaloyRUlWZ216RlNRaVYKZU9BNStRS3BxSnQramtnbkZ6MmlIRkltYmltY3V0VTEySG9kZ0o2RGkwTXBDbnhGZG5YSHd2Rlo0YUdMelhNZgpFczZXKzlqdXF1WTY3MEFmS2d1WktBUlFEMnBEUVkwQ3A0RlExZjgzZmt2WVVYYU9sMkRDNlQ5Mk9jMW82WmI0CmhFSXpBb0dCQUxQRDNxc2l5ZVhQYUlSNHp4eWc1WFNOS3kwdFkyVzBDcnM0MlVxQ3JYODVLb3U4aWc3dGI3VjgKWHJzS1ZlZlFuaGdRNTExd3FwZEE1Tk1ld0xqZ3RZbFUweGdwR1lGakgwLy9BL0NrSThrRkxwSXo2UVVsLzNEKwpZVHh3T0h5M3JRc1NLNEFUaHFiZXhZU1BzU3huT3ZuRUNMcW1XSG9kMkg0VzlRcHcxS2hQCi0tLS0tRU5EIFJTQSBQUklWQVRFIEtFWS0tLS0tCg==\n```\n#### [take a snapshot of cluster1-ctrl-plane as checkpoint]\n\n## 12. Create common Root CA and intermediate CA for cluster1/2\n_*References:*_  \n[Istio - Plug in CA Certificates](https://istio.io/latest/docs/tasks/security/cert-management/plugin-ca-cert/)  \n\n#### 12.1 Create top Root CA cert and key\n```bash\nmkdir -p ~/istio-certs\nsudo apt install make\ncd istio-certs\nmake -f ~/istio-1.10.1/tools/certs/Makefile.selfsigned.mk root-ca\nmake -f ~/istio-1.10.1/tools/certs/Makefile.selfsigned.mk cluster1-cacerts\nmake -f ~/istio-1.10.1/tools/certs/Makefile.selfsigned.mk cluster2-cacerts\n```\n\n#### 12.2 Create cluster1 intermediate CA cert and key\n```bash\nkubectl create namespace istio-system --context ${CTX_CLUSTER1}\nkubectl create secret generic cacerts \\\n    --context ${CTX_CLUSTER1} \\\n    -n istio-system \\\n    --from-file=cluster1/ca-cert.pem \\\n    --from-file=cluster1/ca-key.pem \\\n    --from-file=cluster1/root-cert.pem \\\n    --from-file=cluster1/cert-chain.pem\n```\n\n#### 12.3 Create cluster1 intermediate CA cert and key\n```bash\nkubectl create namespace istio-system --context ${CTX_CLUSTER2}\nkubectl create secret generic cacerts \\\n    --context ${CTX_CLUSTER2} \\\n    -n istio-system \\\n    --from-file=cluster2/ca-cert.pem \\\n    --from-file=cluster2/ca-key.pem \\\n    --from-file=cluster2/root-cert.pem \\\n    --from-file=cluster2/cert-chain.pem\n```\n\n#### 12.4 Compare the CA root cert of two cluster\n```bash\ndiff \\\n  \u003c(kubectl --context=\"${CTX_CLUSTER1}\" -n istio-system get secret cacerts -ojsonpath='{.data.ca-cert\\.pem}')\\\n  \u003c(kubectl --context=\"${CTX_CLUSTER2}\" -n istio-system get secret cacerts -ojsonpath='{.data.ca-cert\\.pem}')\n```\n\n## 13. Install istio on multi-primary clusters running on different networks\n_*References:*_  \n[Istio - install multi-primary on different network](https://istio.io/latest/docs/setup/install/multicluster/multi-primary_multi-network/)  \n[Istio - install multi-primary on the same network](https://istio.io/latest/docs/setup/install/multicluster/multi-primary/)  \n\n#### 13.1 Config cluster1 as primary\n```bash\ncat \u003c\u003cEOF \u003e cluster1.yaml\napiVersion: install.istio.io/v1alpha1\nkind: IstioOperator\nspec:\n  values:\n    global:\n      meshID: mesh1\n      multiCluster:\n        clusterName: cluster1\n      network: network1\nEOF\n  \nistioctl install --context=\"${CTX_CLUSTER1}\" -f cluster1.yaml\n```\n  \n#### 13.2 Install the east-west gateway in cluster1\n```bash\nsamples/multicluster/gen-eastwest-gateway.sh \\\n  --mesh mesh1 --cluster cluster1 --network network1 | \\\n  istioctl --context=\"${CTX_CLUSTER1}\" install -y -f -\n```\n  \n#### 13.3 Expose services in cluster1\n```bash\nkubectl --context=\"${CTX_CLUSTER1}\" apply -n istio-system -f \\\n  samples/multicluster/expose-services.yaml\n```\n\n#### 13.4 Config cluster2 as primary\n```bash\ncat \u003c\u003cEOF \u003e cluster2.yaml\napiVersion: install.istio.io/v1alpha1\nkind: IstioOperator\nspec:\n  values:\n    global:\n      meshID: mesh1\n      multiCluster:\n        clusterName: cluster2\n      network: network2\nEOF\n  \nistioctl install --context=\"${CTX_CLUSTER1}\" -f cluster2.yaml\n```\n  \n#### 13.5 Install the east-west gateway in cluster2\n```bash\nsamples/multicluster/gen-eastwest-gateway.sh \\\n  --mesh mesh1 --cluster cluster2 --network network2 | \\\n  istioctl --context=\"${CTX_CLUSTER2}\" install -y -f -\n```\n  \n#### 13.6 Expose services in cluster2\n```bash\nkubectl --context=\"${CTX_CLUSTER2}\" apply -n istio-system -f \\\n  samples/multicluster/expose-services.yaml\n```\n  \n#### 13.7 Enable Endpoint Discovery\n```bash\nistioctl x create-remote-secret \\\n  --context=\"${CTX_CLUSTER1}\" \\\n  --name=cluster1 | \\\nkubectl apply -f - --context=\"${CTX_CLUSTER2}\"\n\nistioctl x create-remote-secret \\\n  --context=\"${CTX_CLUSTER2}\" \\\n  --name=cluster2 | \\\nkubectl apply -f - --context=\"${CTX_CLUSTER1}\"\n```\n\n## 14. Verify the mesh service discovery and cross-cluster traffic\n_*References:*_  \n[Istio - verify installation](https://istio.io/latest/docs/setup/install/multicluster/verify/)  \n[Istio - Triubleshooting Multicluster](https://istio.io/latest/docs/ops/diagnostic-tools/multicluster/)  \n\n#### 14.1 Create the *sample* namespace, *helloworld* service and *sleep* deployment in both clusters\n```bash\nkubectl create --context=\"${CTX_CLUSTER1}\" namespace sample\nkubectl create --context=\"${CTX_CLUSTER2}\" namespace sample\n\nkubectl label --context=\"${CTX_CLUSTER1}\" namespace sample \\\n  istio-injection=enabled\nkubectl label --context=\"${CTX_CLUSTER2}\" namespace sample \\\n  istio-injection=enabled\n\nkubectl apply --context=\"${CTX_CLUSTER1}\" \\\n  -f samples/helloworld/helloworld.yaml \\\n  -l service=helloworld -n sample    \nkubectl apply --context=\"${CTX_CLUSTER2}\" \\\n  -f samples/helloworld/helloworld.yaml \\\n  -l service=helloworld -n sample\n    \nkubectl apply --context=\"${CTX_CLUSTER1}\" \\\n  -f samples/sleep/sleep.yaml -n sample\nkubectl apply --context=\"${CTX_CLUSTER2}\" \\\n  -f samples/sleep/sleep.yaml -n sample\n```\n  \n#### 14.2 Deploy Helloworld v1 into cluster1\n```bash\nkubectl apply --context=\"${CTX_CLUSTER1}\" \\\n  -f samples/helloworld/helloworld.yaml \\\n  -l version=v1 -n sample\n```\n\n#### 14.3 Deploy Helloworld v2 into cluster2\n```bash\nkubectl apply --context=\"${CTX_CLUSTER2}\" \\\n  -f samples/helloworld/helloworld.yaml \\\n  -l version=v2 -n sample\n```\n  \n#### 14.4 Test the *hellowworld service* in cluster1 \n\nWhile you test it repeatly, you should get return from both v1 running on cluster1 and v2 running on cluster2\n```bash\nkubectl exec --context=\"${CTX_CLUSTER1}\" -n sample -c sleep \\\n  \"$(kubectl get pod --context=\"${CTX_CLUSTER1}\" -n sample -l \\\n  app=sleep -o jsonpath='{.items[0].metadata.name}')\" \\\n  -- curl -sS helloworld.sample:5000/hello\n```\n\n#### 14.5 And do the same for cluster2\n```bash\nkubectl exec --context=\"${CTX_CLUSTER2}\" -n sample -c sleep \\\n  \"$(kubectl get pod --context=\"${CTX_CLUSTER2}\" -n sample -l \\\n  app=sleep -o jsonpath='{.items[0].metadata.name}')\" \\\n  -- curl -sS helloworld.sample:5000/hello\n```\n\n## 15. Check the istio-proxy sidecar config\n```bash\nkubectl config get-contexts\nistioctl --context admin@cluster1 ps\nkubectl --context admin@cluster1 get pod --namespace sample --output wide\nkubectl --context admin@cluster2 get service --namespace istio-system\nistioctl --context admin@cluster1 pc ep sleep-557747455f-4c7vz.sample --cluster=\"outbound|5000||helloworld.sample.svc.cluster.local\"\n\nkubectl config get-contexts\nistioctl --context admin@cluster2 ps\nkubectl --context admin@cluster2 get pod --namespace sample --output wide\nkubectl --context admin@cluster1 get service --namespace istio-system\nistioctl --context admin@cluster2 pc ep sleep-557747455f-jznfb.sample --cluster=\"outbound|5000||helloworld.sample.svc.cluster.local\"\n```\n\n\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fkwonghung-YIP%2Fsetup-istio-multi-primary-diff-network","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fkwonghung-YIP%2Fsetup-istio-multi-primary-diff-network","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fkwonghung-YIP%2Fsetup-istio-multi-primary-diff-network/lists"}