Enabling cross cluster communication using Skupper

Securely enable communications across OpenShift clusters.

This Solution Pattern uses an HTTP Hello World application with a frontend service and a backend service. The frontend uses the backend to process requests. The frontend is deployed in the west namespace of the West cluster, and the backend is deployed in the east namespace of a East cluster.

Overview

While these instructions use this particular application for demonstration purposes, the steps are the same for any Skupper deployment.

Prerequisites

  • You must have oc installed

Skupper
Red Hat OpenShift

1. Installing the Skupper cli in your local environment

The skupper command-line tool is the primary entrypoint for installing and configuring the Skupper infrastructure.

  1. Download the latest release of the Skupper command for your platform,

    For Linux or WSL on Windows, enter:

    curl -fL https://github.com/skupperproject/skupper-cli/releases/download/0.2.0/skupper-cli-0.2.0-linux-amd64.tgz | tar -xzf -

    For macOS, enter:

    curl -fL https://github.com/skupperproject/skupper-cli/releases/download/0.2.0/skupper-cli-0.2.0-mac-amd64.tgz | tar -xzf -

    This produces an executable file named skupper in your current directory.

    See the Skupper CLI release page for information on other platforms.

  2. Add skupper to your path

    For example:

    mkdir -p $HOME/bin
export PATH=$PATH:$HOME/bin
mv skupper $HOME/bin

To test your installation:

$ skupper --version

Do you see the following output:

skupper version 0.2.0

Try the steps again. If it’s still not working contact your administrator, or seek help at https://skupper.io

2. Configuring access to multiple namespaces

Skupper is designed for use with multiple namespaces, typically on different clusters. The skupper command uses your kubeconfig and current context to select the namespace where it operates.

2.1. Configure separate terminal sessions

Start a terminal session for each of your namespaces. Set the KUBECONFIG environment variable to a different path in each session.

  1. Start a terminal for the West cluster:

    export KUBECONFIG=$HOME/.kube/config-west

  2. Start a terminal for the East cluster:

    export KUBECONFIG=$HOME/.kube/config-east

2.2. Log in to your clusters

  1. Log into the West cluster.

    1. Navigate to the OpenShift Console

    2. Choose Copy Login Command from the menu displayed when you click on your username.

    3. Enter the command into the West terminal session.

  2. Log into the East cluster.

    1. Log into the East cluster using the command displayed in the output, for example:

      $ oc login -u developer -p developer https://api.crc.testing:6443

2.3. Set the current namespaces

  1. In the terminal for the West cluster:

    kubectl config set-context --current --namespace west

  2. In the terminal for the East cluster:

    kubectl new-project east
kubectl config set-context --current --namespace east

Do the following commands display the expected output?

Once you have logged in and set the current namespaces, use the skupper status command to check that each namespace is correctly configured.

  1. In the terminal for the West cluster:

     $ skupper status

    The following output is displayed:

     skupper not enabled for west

  2. In the terminal for the East cluster:

     $ skupper status

    The following output is displayed:

     skupper not enabled for east

Try the steps again. If it’s still not working contact your administrator, or seek help at https://skupper.io

3. Installing the Skupper router and connecting the namespaces

Running the skupper init command in east namespace installs the router.

Connecting namespaces requires you use the following commands:

  • The skupper connection-token command generates a secret token that signifies permission to connect. The token also carries the connection details.

  • The skupper connect command then uses the connection token to establish a connection to the namespace that generated it.

Anyone who has the connection token can connect to your namespace. Make sure that only those you trust have access to it.

3.1. Install the router in both namespaces

  1. In the terminal for the West:

     $ skupper init

    The following output is displayed:

     Skupper is now installed in namespace 'west'.  Use 'skupper status' to get more information.

  2. In the terminal for the East:

     $ skupper init --edge

    The following output is displayed:

     Skupper is now installed in namespace 'east'.  Use 'skupper status' to get more information.
Using the --edge argument in the east namespace disables network ingress at the Skupper router layer.

3.2. Connect your namespaces

  1. Generate a token in the west:

    skupper connection-token $HOME/secret.yaml

  2. Use the token in the east to form a connection

    skupper connect $HOME/secret.yaml

Do the following commands display the expected output?

Use the skupper status command to check that each namespace is correctly configured.

  1. In the terminal for the West cluster:

     $ skupper status

    The following output is displayed:

     skupper enabled for west.  It is connected to 1 other site.

  2. In the terminal for the East cluster:

     $ skupper status

    The following output is displayed:

     skupper enabled for east. It is connected to 1 other site.

Try the steps again. If it’s still not working contact your administrator, or seek help at https://skupper.io

4. Exposing the services

You now have a Skupper network capable of multi-cluster communication, but no services are attached to it.

This task describes how to use the skupper expose command to make a Kubernetes deployment on one namespace available on all the connected namespaces.

4.1. Deploy the frontend and backend services

  1. Start the frontend in the West cluster:

    oc create deployment hello-world-frontend --image quay.io/skupper/hello-world-frontend

  2. Start the backend in the East cluster:

    oc create deployment hello-world-backend --image quay.io/skupper/hello-world-backend

4.2. Expose the backend service

At this point, we have the frontend and backend services running, but the frontend has no way to contact the backend. The frontend and backend are in different namespaces and different clusters), and the backend has no public ingress.

Use the skupper expose command in the East to make hello-world-backend available in the West.

  1. In the terminal for the East:

    skupper expose deployment hello-world-backend --port 8080 --protocol http

  2. Check that the backend service is represented in the West:

    oc get services

    The output should be similar to the following:

    $ kubectl get services
NAME                   TYPE           CLUSTER-IP      EXTERNAL-IP     PORT(S)       AGE
hello-world-backend    ClusterIP      10.96.175.18    <none>          8080/TCP      1m30s

4.3. Create a route

  1. In the West, expose a route:

    oc expose deployment hello-world-frontend --port 8080 --type LoadBalancer

  2. Navigate to the OpenShift Console

  3. Switch to the west project.

  4. In the Overview, expand the hello-world-frontend application.

  5. Click Create Route. This creates a route and displays a URL.

Click the newly created URL.

Is the output similar to the following:

I am the frontend.  The backend says 'Hello from hello-world-backend-6d58c544fc-dhzz2 (1)'.

Try the steps again. If it’s still not working contact your administrator, or seek help at https://skupper.io