Skip to content

stolostron/multicluster-mesh-addon

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

99 Commits
pkg
pkg
 
 
test
test
 
 
tools
tools
 
 
.gitignore
.gitignore
 
 
Dockerfile
Dockerfile
 
 
LICENSE
LICENSE
 
 
Makefile
Makefile
 
 
Makefile.prow
Makefile.prow
 
 
OWNERS
OWNERS
 
 
README.md
README.md
 
 
go.mod
go.mod
 
 
go.sum
go.sum
 
 
main.go
main.go
 
 

Repository files navigation

Multi Cluster Mesh Add On

A pluggable addon working on Open Cluster Management (OCM).

What is Multi Cluster Mesh Add On?

The Multi Cluster Mesh Add On automates the complex setup of multi-cluster service mesh deployments using the Sail Operator. It eliminates the manual, error-prone process of establishing trust between clusters, installing mesh components, and sharing credentials for endpoint discovery.

The addon acts as an infrastructure provisioner and federation broker, automating:

  • Trust Distribution: Establishes mTLS trust between clusters using cert-manager to distribute intermediate CAs
  • Operator Lifecycle: Installs and manages the Sail Operator (Istio) on managed clusters via OLM
  • Endpoint Discovery: Automates secure, rotatable token exchange between control planes using ManagedServiceAccount

Architecture

The addon leverages OCM's hub-and-spoke architecture and integrates with core OCM components:

  • ManagedClusterSet: Defines cluster membership in the mesh
  • ManifestWork: Distributes certificates and configurations to spoke clusters
  • ManagedServiceAccount: Provides short-lived discovery tokens for cross-cluster endpoint resolution
  • cert-manager: Manages Root CA lifecycle and mints intermediate certificates for each cluster

The addon manages the "plumbing" (trust and connectivity) while users configure their mesh control planes using GitOps or the Istio CR directly.

Getting Started

Prerequisites

  • OCM hub cluster
  • cert-manager installed on the hub cluster
  • Managed clusters registered with OCM

Installation

TBD

Usage

Create a namespace to host your multi cluster mesh resources. Inside the namespace, create an Issuer resource that will act as the Root CA.

Create a MultiClusterMesh resource on the hub cluster:

apiVersion: mesh.open-cluster-management.io/v1alpha1
kind: MultiClusterMesh
metadata:
  name: prod-mesh
  namespace: mesh-ns
spec:
  clusterSet: finance-prod
  controlPlane:
    namespace: istio-system
  operator:
    channel: "stable"
    source: redhat-operators
  security:
    trust:
      certManager:
        issuerRef:
          name: mesh-root-issuer
    discovery:
      tokenValidity: "1w"

The addon will:

  1. Install the Sail Operator on all clusters in the finance-prod ManagedClusterSet
  2. Generate and distribute intermediate CA certificates to establish trust
  3. Exchange discovery tokens between clusters for endpoint resolution
  4. Manage automatic rotation of certificates and tokens

Users must then create Istio Custom Resources on each spoke cluster to configure the mesh control plane.

About

No description, website, or topics provided.

Resources

Readme

License

Apache-2.0 license
Activity
Custom properties

Stars

5 stars

Watchers

1 watching

Forks

10 forks
Report repository

Releases 1

version 1.0.0 released. Latest
Mar 1, 2022

Packages

 
 
 

Contributors

Languages